WatchGuard Fireware v12.1 released


WatchGuard released Fireware 12.1 on 18 December 2017. This replaces the previous version, 12.0.2.

Full release notes can be found here. Please read them before upgrading! Your Firebox must be running XTM v11.7.5, v11.8.4, or v11.9 or higher before upgrading.

Fireware v12.x is not supported on Firebox X 5 Series devices, models 505, 510, 520 or 530.

There is a new Gateway AV Engine in Fireware 12.0 and beyond, so the first time you upgrade to 12.0.x a new signature definition will need to be downloaded, which can take 7-10 minutes. Future definitions are incremental and much quicker.

The software can be downloaded from here.

Enhancements and resolved issues in 12.1 (source: Fireware Release Notes)


  • This release adds new Access Portal functionality. [FBX-98]
  • Web UI users who log in with IE no longer see a 500 internal server error when their management session times out. [FBX-8202]
  • Multi-word Policy Tags are now displayed correctly in Web UI. [FBX-7577]
  • Users are no longer redirected to the Web UI > Front Panel when they select options to add or remove a Policy Tag. [FBX-7576]
  • This release resolves an issue that caused a crash resulting in a “scheduling while atomic: fqdnd” message. [FBX-6664]
  • Hotspot Guest Accounts are now included in Firebox backup files. [FBX-8507]
  • This release resolves an issue in which certain public IP addresses were not correctly identified by the Geolocation service. [FBX-7353]
  • You can now import and export lists of FQDNs, host IP addresses, network IP addresses, and host ranges for aliases. [42310, FBX-5207]
  • Intra-VLAN traffic can now be applied to firewall policies as an option on external interfaces. [FBX-3764]
  • This release improves the performance of the Web UI Front Panel and FireWatch when a Firebox is under heavy load. [FBX-8510]
  • Error messages related to Trusted Platform Module, or TPM, no longer appear for Firebox models that do not have TPM. [FBX-8776]
  • The Firebox log process, loggerd, no longer crashes when the Log Server configuration contains an FQDN. [FBX-8555]
  • You can now configure a wildcard IP address in an alias. [FBX-4280]
  • OID values for a PPPoE interface no longer change when the interface refreshes. [FBX-6109]
  • The Firebox no longer adds the internal IP address in a Static NAT to the blocked sites list when the connection matches a Domain Name block action. [FBX-8802]

Proxies and Services

  • In Web UI, when policies are manually ordered, the Certificate Portal policy no longer moves to the bottom when you modify the HTTPS proxy with content inspection enabled. [FBX-6873]
  • The Quovadis SHA256 Root CA Certificate has been added to the Trusted CA for Proxies store. [FBX-8409]
  • This release adds * to the default HTTP proxy exceptions. [FBX-7874]
  • When you configure WebBlocker through the Proxy Action in Fireware Web UI, it now displays the Advanced Tab. [90763, FBX-3183]
  • The Explicit proxy now selects the correct redirect IP address for authentication for clients that connect through a BOVPN Tunnel. [FBX-7570]
  • The iTunes application now works better through the HTTPS proxy with Content Inspection. [FBX-7930]
  • The Feature Key Compliance tool now correctly removes all WebBlocker actions from your configuration. [FBX-7494]
  • SMTP proxy log messages now include the TLS version when TLS Encryption is enabled. [FBX-4116]
  • The IMAP proxy now correctly handles ACL extensions. [FBX-7025]
  • The IMAP proxy now supports IMAPS, or IMAP over TLS. [FBX-6941]
  • You can now exempt some or all domains and applications in a predefined list from HTTPS Content Inspection. [FBX-6217]
  • The WebBlocker action configuration now uses the term Deny instead of Block for WebBlocker categories. [FBX-3430]


  • This release resolves an issue in which 1-to-1 NAT rules ignore multi-WAN failover order. [FBX-5702]
  • The Host Mapping table for Drop-in mode is no longer cleared of data when you edit it. [FBX-6312]
  • When you enable Link Aggregation, it now correctly resets the default LA interface MTU to 1500. [FBX-8435]
  • This release resolves an issue in which the Global DNAT rule fails when the “Set Source IP” matches the Loopback interface and that interface is disabled. [FBX-6401]
  • You can now completely disable Link Monitoring for Multi-Wan. [FBX-4430]
  • The Loopback interface configuration now correctly checks for overlapping IP addresses. [FBX-6400]
  • TCP MSS Control Auto Adjustment no longer unexpectedly reduces the MSS value. [78916, FBX-2431]
  • This release resolves an issue in which Policy Manager removes VLAN, Bridge or LAG interfaces when you make other changes to the Multicast Setup configuration. [FBX-9221]
  • Firebox Cloud for AWS now supports multiple Elastic IPs and secondary IP addresses on external interfaces. [FBX-6906, FBX-6903]
  • Firebox Cloud for AWS now supports manually configured static routes. [FBX-7611]
  • An issue where traffic management did not correctly throttle traffic on XTM 2 and Firebox T series devices has been resolved. [FBX-8885, FBX-8027]
  • This release includes support for the Verizon USB730L and AT&T MF861 USB modems. [FBX-7800, FBX-7801]
  • You can now configure a modem as an interface, rather than as a failover option. [FBX-3667]
  • You can now configure /31 and /32 subnet masks for Secondary IP addresses. [68645, FBX-8464, FBX-8465]


  • MAC override is now automatically disabled on each interface when you enable FireCluster. [FBX-6166]

Centralized Management

  • In Management Server, you can now view historical configurations for a Firebox with a dynamic external IP address. [FBX-7010]


  • The Firebox now correctly sends an Inform Delete message for a Branch Office VPN when you change the Phase 2 configuration. [FBX-7988]
  • You can now create Branch Office VPNs over TLS instead of IPSec. [FBX-5253]
  • This release introduces Mobile VPN with IKEv2. [FBX-9044]


  • The SSO connection error message “Check Firewall” has been updated to “Check host firewall and connectivity” for greater clarity. [92777]
  • The SSO Agent Configuration Tool now provides a connection status for Event Log Monitor and Exchange Monitor. [83378]
  • This release resolves an issue in which users from different authentication servers with the same user name could not simultaneously log in because of the configured login limit. [FBX-2626]
  • The Firebox can now correctly retrieve group information for users who authenticate with FireClient. [FBX-8620]


  • The WG-Cloud-Managed-WiFi policy template now includes port 80 for firmware downloads. [FBX-3565]
  • The WG-Cloud-Managed-WiFi policy template now includes port 3852 for CIP functionality. [FBX-9036]
  • GWC timeout values have been adjusted to avoid continuous AP status changes seen when many APs are connected. [FBX-9332]
  • This release introduces Smart Steering and minimum RSSI, which replaces the Fast Handover functionality. [AP-48]
  • You can now use Gateway Wireless Controller to manage an AP325 in local mode. [FBX-6688]

For more detailed information see the presentation below.
What’s New in Fireware v12.1
