WatchGuard Fireware v11.12.4 released


Note: Fireware v12.1 is now available, see here for details.

WatchGuard Fireware v11.12.4 was released on 7th June. This replaces the previous version of 11.12.2 Update 2.

Full release notes can be found here. Please read them before upgrading! Your Firebox must be running XTM v11.7.5, v11.8.4, or v11.9 or higher before upgrading.

The software can be downloaded from here.

Enhancements and resolved issues in 11.12.4 (source: Fireware Release Notes)


  • This release resolves an issue that caused Policy Manager to fail to save configurations to the Firebox with the error message INTERNAL_ERROR:Element ‘stp-port’: This element is not expected. [FBX-5410]
  • The Port Scan and IP Scan options now correctly indicate that thresholds are per-second in Policy Manager and Web UI. [FBX-2097, FBX-2274]
  • This release resolves an issue with Management Server Templates in which only the first configured object in GeoLocation Exceptions would apply. [FBX-4959]
  • This release resolves a memory leak in Management Server during the template save operation to a Fully Managed appliance. [FBX-5626]
  • This release resolves a kernel crash on XTM 2500 series appliances that could cause the appliance to lock up for a short period of time. [FBX-5661]
  • Dimension Command can now manage Firebox Cloud instances. [FBX-2339]
  • Dimension now shows an accurate error message when a Firebox connection fails because of an encryption key mismatch. [FBX-2077, 93010]

Proxies and Services

  • Failed authentication attempts to an FTP server are now correctly translated by the Explicit Proxy. [FBX-2625]
  • Content Inspection now allows SSL scanners to establish connections at the highest accepted protocol version. [FBX-2643]
  • When OCSP certificate validation is enabled, the HTTPS proxy now correctly disables certificates when the responder requires that requests include Host Header information. [FBX-5060]
  • Log messages for the HTTPS and SMTP proxies now indicate if PFS is configured. [FBX-2095]
  • You can now select a Server Region for APT Blocker requests. This enables customers in the European Union to comply with regulatory requirements and keep customer data in the EU. [FBX-1302, 91270]
  • The Quick Setup Wizard now sets the default IPS scan mode to Full. [FBX-4704]
  • TLS 1.3 connections now operate correctly when a Firebox HTTPS proxy policy has content inspection disabled and is configured to allow non-compliant SSL connections. [93174]
  • The DNS proxy now supports all query types, with possible values from 1 through 65535. [92649]

Authentication and Single Sign-On (SSO)

  • With this release, the Start Time for authenticated users in Firebox System Manager and the Web UI is now labeled Elapsed Time. [FBX-2774]
  • This release adds SSO Agent/ELM support for Win2016 Core Server. [FBX-5247]
  • This release resolves an issue where unexpected restarts of the admd process on a FireCluster caused Single Sign-On to fail. [FBX-5083]
  • This release resolves an issue that caused FireCluster to stop communicating with the SSO agent. [FBX-5444]


  • Mobile VPN with SSL now includes VLAN Secondary Networks in routing configuration when you select Allow access to all Trusted, Optional, and Custom networks. [FBX-2642]
  • This release resolves an error that caused IPSec VPNs to fail after you converted from an older configuration file. [FBX-5377, FBX-2649, 92606]
  • Policy Based Routing no longer fails for VIF Tunnels if the VIF name exceeds 15 characters. [FBX-5443]
  • BOVPN tunnels are no longer interrupted when you globally disable modem failover. [FBX-2746, 93044]
  • You can now use Web UI to modify an IKEv2 Branch Office VPN Gateway endpoint when more than one endpoint is configured on the Branch Office VPN Gateway. [FBX-5430]
  • If you change one pre-shared key to an incorrect value in a Branch Office VPN Virtual Interface with Amazon AWS configuration, the Virtual Interface now correctly fails over to the connection with a correct pre-shared key. [FBX-5278]


  • AP120, AP320, and AP322 devices no longer reboot as a result of SSID configuration changes. [FBX-5422]
  • When you pair a new AP device with Gateway Wireless Controller, it is now automatically trusted if the Trust Store is enabled. [FBX-5191]
  • If an untrusted AP device is paired with your Firebox, the Web UI displays a warning message. [FBX-5186]
  • A FireCluster failover no longer causes an AP device managed through Gateway Wireless Controller to restart. [FBX-3407, 92455]
  • When you upgrade the Firebox to a new OS version, the Firebox no longer includes AP firmware in storage. You can install AP firmware on your Firebox manually. [FBX-1674]

Networking and Modem Support

  • This release improves PPPoE over VLAN performance with driver support for NIC VLAN offloading on Firebox T Series devices. [FBX-2683]
  • Policy Manager no longer displays null in the PBR column when a Firebox has Link Aggregation configured with external VLANs. [FBX-4962]
  • When you have Link Aggregation configured on your Firebox and have a network loop, it no longer causes a Firebox kernel panic. [FBX-2741]
  • A driver error has been resolved that prevented Ethernet interfaces from working correctly under heavy load on XTM 800 and XTM 5 Series appliances. [FBX-5232, FBX-2444, 85091]
  • Static NAT policies that include UDP 5060 no longer fail after a Firebox reboot. [FBX-5655]
  • This release resolves an issue that caused DynDNS to fail to update the IP address for a Firebox that had DynDNS configured before Fireware v11.12.2. [FBX-5609]


  • This release resolves a crash that could cause a FireCluster failover. [FBX-4952]

For more detailed information see the presentation below.
What’s New in Fireware v11.12.4
