WatchGuard Fireware v11.12 Update 2 released


Note: Fireware v12.1 is now available; see here for details.

WatchGuard Fireware v11.12 Update 2 was released on 11th April 2017. This replaces the previous version, 11.12.1.

Full release notes can be found here. Please read them before upgrading! Your Firebox must be running XTM v11.7.5, v11.8.4, or v11.9 or higher before upgrading.

The software can be downloaded from here.

Enhancements and resolved issues in 11.12 Update 2 (source: Fireware Release Notes)


  • Single TCP stream now provides the expected throughput on a Firebox M440. [FBX-380]
  • This release includes improvements to reduce CPU usage when Management Tunnels are established over SSL. [FBX-2087, FBX-2085, 93080]
  • This release resolves an issue that caused IKED to crash after internal hash table corruption. [FBX-1906, 92942]
  • Various process crashes have been fixed in this release. [92706, FBX-2751, 92684]
  • ConnectWise now creates new tickets when a user removes the default “Quick Response” priority type. [FBX-1821]
  • This release resolves a kernel crash that occurred after a FireCluster failover. [92667, 92230]
  • A Certd process crash has been fixed. [FBX-1167, 92526]
  • A problem that caused some websites to fail to load with a “content decoding error” has been resolved in this release. [FBX-2410]
  • Policies that include a VLAN name in the From or To field no longer fail after you change the VLAN name. [92966]
  • The Firebox XML-RPC agent no longer returns different responses to login requests that contain valid and invalid usernames. [FBX-1654]
  • This release resolves an issue that caused wgagent to crash while processing an invalid XML-RPC request. [FBX-1765]

Proxies and Services

  • Perfect Forward Secrecy (PFS) ciphers are now available in HTTPS and SMTP proxies for Firebox T10, T30, T50, XTM 25/26, and XTM 33 models. [FBX-2020, 93045]
  • The Blocked Sites Exceptions list now includes default FQDN exceptions for servers required for WatchGuard products and subscription services. To review the list of added exceptions, see What’s New in Fireware v11.12.2. [FBX-1416, 92658]
  • The HTTP proxy process no longer crashes when inflating data from web pages with content-encoding set to gzip or deflate. [93220, FBX-2729]

Authentication and Single Sign-On (SSO)

  • You can now configure lockout settings for all user accounts that use Firebox authentication to protect user accounts from brute force attempts to find the user account login credentials. [FBX-417, 45021, 67544, 45551]
  • You can now limit the number of devices that can connect to a Hotspot at the same time for each guest user account. [FBX-433, 82879]
  • The SSO client for Mac OS now supports nested groups. [FBX-1484, 92726]
  • WatchGuard Single Sign-On and Terminal Services components are now officially supported on Windows Server 2016. [FBX-1153, 92398]
  • The SSO Client installer now creates a Windows firewall exception. [FBX-1763, 91373]
  • Terminal Services support for manual Single Sign-On authentication now includes Citrix XenApp 7.12. [FBX-1628, 90170]
  • When you associate a user with more than 256 authentication groups, the Firewalld process no longer crashes. [93152, FBX-2681]


  • BOVPN Virtual Interface now supports an IPSec VPN tunnel to an Amazon AWS virtual private cloud (VPC). [FBX-110, 41534]
  • You can now specify a different pre-shared key for each gateway endpoint for the same branch office VPN gateway. [FBX-1290, FBX-1292]
  • In Fireware Web UI, the VPN Statistics System Status page has a new Statistics tab that shows bandwidth and tunnel statistics over time. [FBX-1728]
  • The Global VPN setting Enable TOS for IPSec is now correctly applied to BOVPN traffic configured to use a Virtual Interface (VIF). [FBX-2349]
  • Mobile VPN with IPSec no longer fails to reconnect after a non-graceful disconnection. [92935, FBX-2195]
  • The use of many BOVPN Virtual Interfaces no longer causes a kernel crash. [93193, FBX-2755]
  • This release resolves an issue with Mobile VPN with SSL that caused incorrect DNS resolution on Windows 10 clients. [88918]
  • This release updates the Mobile VPN with IPSec client for Mac OS X to add support for Mac OS Sierra.
  • This release updates the Mobile VPN with IPSec client to resolve an issue related to missing DNS server IP address information. [90324]


  • Gateway Wireless Controller now supports management of AP322 outdoor AP devices. [FBX-100, FBX-1270]
  • The default wireless security mode for AP devices locally managed by a Gateway Wireless Controller and wireless-capable Firebox devices is now WPA2-only (PSK) with AES encryption. [FBX-1974, 93047]
  • This release includes several other important security-related enhancements to Gateway Wireless Controller. See the Upgrade Notes topic for important information related to these enhancements. [FBX-111]

Networking and Modem Support

  • In the Dynamic DNS configuration, you can select to have DynDNS use the IP address from your router or NAT device. [FBX-1998, 92780]
  • You can now enable conditional DNS forwarding from Fireware Web UI and Policy Manager. [FBX-559, 58214]
  • In Bridge Mode, you can now configure the Firebox to use DHCP to get an IP address. [FBX-375]
  • This release includes support for two new USB modems:
    • Franklin U772 4G USB modem [FBX-1232]
    • NetGear Beam 3G/4G USB modem [FBX-1676]
  • This release adds Spanning Tree Protocol support for VLAN interfaces. For specific information on supported scenarios, see Fireware Help or What’s New in Fireware v11.12.2. [FBX-753, 61035]
  • This release adds Spanning Tree Protocol support in Bridge Mode. [FBX-991, 56764]
  • A dynamic routing daemon crash has been fixed. [92930, FBX-1744]
  • The PPPoE daemon now remains stable when Link Monitor probing cannot resolve a domain name. [92024]
  • The BGP routing process no longer crashes when MD5 encryption is used. [93038, FBX-1886]
  • BGP routes are now added correctly to the routing table after a FireCluster failover. [FBX-2749, 93095]

For more detailed information see the presentation below.
What’s New in Fireware v11.12.2
