WatchGuard Fireware v11.12 released


Note: Fireware v12.1 is now available, see here for details.

WatchGuard Fireware v11.12 and WatchGuard System Manager v11.12 were released on 17 November 2016. This release replaces the previous version, 11.11.4 Update 2.

Full release notes can be found here. Please read them before upgrading! Your Firebox must be running XTM v11.7.5, v11.8.4, or v11.9 or higher before upgrading.

The software can be downloaded from here.

New features and functions include:

  • ConnectWise Integration
  • Threat Detection and Response
  • Geolocation Service
  • Dynamic VPN Tunnels to Azure
  • IPv6 Support in Services and Proxies
  • Services and Proxies Enabled by Default
  • Gateway Wireless Controller
  • FireCluster with DHCP on External Interface
  • X-forwarded Information from Header in Logs and Dimension

For more detailed information, see the presentation below: What’s New in Fireware v11.12

Enhancements and Resolved Issues include (source: Fireware Release Notes):


  • The number of blocked sites you can enter has been increased from 1000 to 8192 for Firebox models that have 1GB of memory or more. [92149]
  • The wgagent process no longer crashes when you run the Configuration Report from Fireware Web UI. [92451]
  • An issue that caused the oss-daemon process to crash has been resolved in this release. [92166]
  • An issue that caused SFP interfaces on Firebox M400 and M500 devices to hang has been resolved. [92047]
  • OpenSSL has been updated to version 1.0.2j to address several critical security vulnerabilities. [92161, 92178]
  • DNS traffic from clients behind the Firebox now uses a random source port, and is no longer vulnerable to CVE-2008-1447. [91517]
  • The Linux kernel has been patched to address a bug in the handling of TCP challenge ACK segments that could allow a remote attacker to hijack TCP sessions (CVE-2016-5696). [91902]
  • The behavior of Policy Manager in a dual-monitor environment has been improved. [92188]
  • Feature key auto-update functionality has been improved so the Firebox checks more frequently for feature key updates for services that are set to expire in a week or less. [92328]
  • Firebox System Manager no longer truncates the list of interface IP addresses on the Status Report tab when a large number of secondary IP addresses are configured. [81234]
  • Feature key expirations now take effect at the end of the specified day, instead of at the beginning of the day. [91590]
  • The Firebox no longer provides any response on port 9032 unless configured to do so. [91575]
  • This release resolves an issue that caused the Firebox to automatically block the source of unhandled packets after an upgrade. [92373]
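The DNS source-port item above (CVE-2008-1447, the Kaminsky cache-poisoning class) is the kind of change worth verifying rather than assuming. The following is an added example, not code from the release notes or from WatchGuard: it runs over constructed log lines (the `sport=` field format is an assumption for this example) and reports whether the source ports used by outbound DNS queries are fixed or spread out, using the Shannon entropy of the observed port distribution as a simple indicator.

```python
import math
import re
from collections import Counter

# Constructed sample log lines (not from a real Firebox); each records the
# source port an outbound DNS query left with. The first set reuses one port,
# the second varies it. The field layout is an assumption for this example.
FIXED_PORT_LOG = [
    f"dns query src=10.0.1.{i} sport=53210 dst=8.8.8.8 dport=53"
    for i in range(1, 21)
]
RANDOM_PORT_LOG = [
    f"dns query src=10.0.1.{i} sport={20000 + 1777 * i % 40000} dst=8.8.8.8 dport=53"
    for i in range(1, 21)
]

SPORT_RE = re.compile(r"\bsport=(\d+)\b")


def source_ports(lines):
    """Extract the source port of each DNS query line that carries one."""
    ports = []
    for line in lines:
        m = SPORT_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def port_entropy_bits(ports):
    """Shannon entropy (in bits) of the observed source-port distribution."""
    if not ports:
        return 0.0
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(lines, min_bits=3.0):
    """Summarise port spread; a resolver reusing one port scores 0 bits."""
    ports = source_ports(lines)
    ent = port_entropy_bits(ports)
    return {
        "queries": len(ports),
        "distinct_ports": len(set(ports)),
        "entropy_bits": round(ent, 2),
        "randomized": ent >= min_bits,
    }


if __name__ == "__main__":
    print("fixed port :", assess(FIXED_PORT_LOG))
    print("random port:", assess(RANDOM_PORT_LOG))
```

The entropy threshold is deliberately low so that a short sample still gives a clear verdict; on real traffic, collect a few hundred queries before drawing a conclusion, since a small sample from a correctly randomizing resolver can also show few distinct ports.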

Proxies and Security Subscriptions

  • With the new Geolocation service, you can now configure the Firebox to deny connections to or from a particular country. [35643, 73433]
  • This release provides an improvement to the behavior of the HTTP proxy when it receives a response from an HTTP server that does not include an HTTP response header. [91900]
  • You can now use all Firebox proxy actions and signature services with connections over IPv6. [65040]
  • The maximum file size for Advanced Persistent Threat scan has been increased from 8 megabytes to 10 megabytes. [91993]
  • WebBlocker with WebSense can now perform lookups through an external proxy server. [72847]
  • The Firebox Status Report now contains the current number of connections for each type of proxy, such as HTTP, HTTPS, and DNS. [63913]
  • Gateway AV will now classify Potentially Unwanted Programs (PUPs) as malware. [92014]
  • The default non-allowed characters rule in the SMTP proxy action now allows email addresses with all RFC-standard characters. [91005]
  • This release resolves an issue that caused the Firebox to fail to import intermediate certificates as Trusted CA for proxies. [81517, 82401]
  • A rare issue that prevented the Proxy Authority Certificate from regenerating after it was deleted has been resolved in this release. [92467]
  • This release resolves an issue that caused the Firebox to incorrectly create the Certificate Portal policy when you configure an SMTP policy with Content Inspection for TLS. [92270]
  • This release resolves an issue that caused the Quarantine Server to fail to send scheduled notifications when the admin passphrase contained the percent (%) character. [91869]


  • An issue that caused the ETH6/ETH7 interface to bounce on Firebox M400/M500 devices has been resolved. [92243]
  • The Firebox now supports failover to the Huawei E3372 USB LTE Modem Variant (E3372s-153; VID: 12d1 PID: 14dc). [90185]
  • This release resolves an issue where VLAN IDs would persist after being changed or removed from the configuration. [92319]
  • When you configure policies that use Policy-Based Routing using Fireware Web UI, the Firebox now correctly drops connections when all selected external interfaces are down. [92280]


  • The Active Directory server configuration no longer allows you to input unnecessary Searching User information when using the sAMAccountName Login attribute. [90546]
  • You can now configure exceptions for the forced redirect for External Guest Authentication Hotspot. Connections to these exceptions will not be redirected. [79129]
  • Users authenticated by Firebox Hotspot Guest Services are now synchronized between FireCluster members. [83130]
  • Custom logos used for the Firebox Hotspot Page now correctly appear when you upload the logos with Fireware Web UI and when the Hotspot is removed from an interface. [92121, 91139]
  • You can now configure a domain name or IP address as the authentication URL for an external guest authentication hotspot. [82974]
  • This release resolves an issue that slowed web browsing performance when using the TO Agent. [92069]


  • A log message is now generated when Firebox connections to the Log Server fail. [61456]
  • The Firebox now correctly validates the server certificate of a WatchGuard Log Server or Dimension when it initiates a connection to send log data. [84177]
  • Quarantine Server now creates a log message for the success or failure of attempts to send email with the configured SMTP server. [91922]


  • You can now configure a Branch Office VPN to Microsoft Azure with IKEv2 and a dynamic tunnel configuration. [89072]
  • The Firebox now supports Branch Office VPNs that connect to a Cisco Virtual Tunnel Interface, or VTI. [88140]
  • You can now successfully build a VPN tunnel initiated from AWS Cloud. [92196]
  • The maximum length of Pre-Shared Keys has been increased from 63 characters to 79 characters. [92275]
  • An issue that resulted in a memory allocation error that caused low memory and tunnel traffic to fail has been resolved. [92374]
  • The cookies used to store user credentials for the Mobile VPN with SSL and manual user authentication portal now correctly set the HTTPONLY and Secure attributes. [88687]
  • Mobile VPN with SSL now uses SHA-256 for authentication and AES-256 for encryption by default. [91506]
  • The Mobile VPN with IPSec UI now prevents unnecessary tunnel routes from being added when you use the Force All Traffic Through Tunnel option. [90530]
  • The Firebox no longer automatically adds Any-External to the WatchGuard Authentication policy when you enable Mobile VPN with SSL. [67543]
  • When you allow access to the Authentication Portal for Mobile VPN with SSL, external hosts are no longer automatically able to also access the Firebox Authentication Portal. [67545]
  • When you use the Mobile VPN with IPSec NCP client, Policy Manager now generates the client profile with the configured value for the Phase 1 lifetime instead of it always being set to 8 hours. [91678]
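The cookie fix listed above (the Mobile VPN with SSL and authentication portal cookies now carry HttpOnly and Secure) is easy to confirm after the upgrade by inspecting the Set-Cookie headers the portal returns. The following is an added example, not code from the release notes or from WatchGuard: a small Set-Cookie parser and an audit function that reports which cookies lack either attribute, run over constructed headers that stand in for a "before" and "after" response.

```python
# Attributes every credential-bearing cookie should carry (compared case-insensitively).
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into name, value, key=value attributes and bare flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    flags = set()
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        elif p:
            flags.add(p.lower())
    return name.strip(), value, attrs, flags


def audit_cookies(headers):
    """Return (cookie name, [missing flags]) for each cookie lacking Secure or HttpOnly."""
    findings = []
    for h in headers:
        name, _value, _attrs, flags = parse_set_cookie(h)
        missing = [f for f in REQUIRED_FLAGS if f not in flags]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed example headers (not captured from a real Firebox portal).
BEFORE = [
    "sessionid=abc123; Path=/",
    "portal_auth=tok; Path=/; Secure",
]
AFTER = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "portal_auth=tok; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("before upgrade:", audit_cookies(BEFORE))
    print("after upgrade :", audit_cookies(AFTER))
```

To check a real portal, feed the function the list of Set-Cookie header values from a response (for example `response.headers.get_all("Set-Cookie")` on an `http.client` response object); an empty findings list means every cookie set on that response carries both attributes.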


  • You can now configure a FireCluster external interface as DHCP. [41637]
  • An issue that caused the systemd process to crash when using FireCluster has been resolved. [92115]
  • Policy Manager now reports status more accurately during the FireCluster OS upgrade process. [91971]

Centralized Management

  • WatchGuard Server Center now requires text in the comment field when you save a Policy Template change. [92078]

WatchGuard AP Devices and Gateway Wireless Controller

  • The Gateway Wireless Controller can now automatically change the channel assignments for your AP devices to reduce channel conflicts with nearby devices. [84570]
  • When the operating region of an AP device is not known, the Gateway Wireless Controller configuration will display Unknown instead of World. [92249]