
WATCHGUARD SYSTEM MANAGER AND FIREWARE WSM/FIREWARE 10.2.7
RELEASE NOTES JANUARY 22, 2009 PAGE 9
The default managed VPN tunnel configuration does not enable NAT-Traversal. [23756]
When you use the default route VPN tunnel feature, all traffic from the remote networks will match the default ‘ANY’ policy created by the Management Server. This prevents remote BOVPN traffic from matching other firewall policies configured at the central location. To force traffic to match specific policies at the central location, VPN templates must be used. The VPN template on the Management Server must include ports that match all traffic through the BOVPN tunnel except traffic that should match firewall policies at the central location. [21965]
Firebox System Manager (FSM)
When Firebox System Manager is connected to a Firebox for hours, there can be a small memory leak on the Firebox. [15518]
The status of a managed BOVPN tunnel between a Firebox X Core or Peak running Fireware v10.x and a Firebox X Edge running v10.x may not show correctly in Firebox System Manager. [23413]
WatchGuard System Manager (WSM)
After you install WSM 10.2.x, the Start Menu > All Programs display continues to show WatchGuard System Manager 10.2.
When you upgrade from v9.x to v10.2.x, the Setup > Logging > Advanced Diagnostics > Set all sub-categories to same level of detail check box is cleared. [27514]
WSM does not show the status of a PPPoE-based WAN interface if the Firebox is configured for multi-WAN. [19564]
The NetMeeting packet filter does not work. Use the H.323 proxy policy to allow NetMeeting traffic to pass through the Firebox. [24281]
When your Firebox is configured in drop-in mode, the Status Report incorrectly shows the external interface subnet mask as 255.255.255.0 regardless of the actual drop-in network subnet. [21458]
Networking
If you have a static NAT rule that uses the alias of an interface, the static NAT rule does not work if you change the interface IP address. [23502]
Workaround
Remove the static NAT rule from the policy and replace it with one that uses the IP address of the interface alias.
When a DHCP lease renewal occurs, some unusual log messages can appear. The lease renewal succeeds and the log messages can be ignored. The log message shows as:
Deny x.x.x.x x.x.x.x icmp-Dest_Unreach code(3) 1-Trusted Firebox icmp error with data src_ip=x.x.x.x dst_ip=x.x.x.x pr=dhcp/bootp-client/udp src_port=67 dst_port=68 src_intf='1-Trusted' dst_intf='0' cannot match any flow, drop this packet 176 128 (internal policy) rc="104"
[27364]
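Because the release notes say this deny message is benign but do not say which fields identify it, a log pipeline that suppresses it should match on the full combination of fields rather than on "Deny" alone. The following Python is an added example, not WatchGuard code or part of the release notes: it parses the quoted message format into fields and suppresses only lines that carry every marker of this DHCP-renewal case (ICMP Destination Unreachable code 3, the dhcp/bootp-client/udp protocol label, ports 67 to 68, rc="104"), while leaving every other deny in the stream for review. The field names are taken from the message quoted above; the sample log lines are constructed, and the non-DHCP lines are invented solely to show that they are not suppressed.

```python
import re

# Constructed sample lines. The first follows the message quoted in the
# release notes (issue 27364) with example addresses filled in; the other
# two are invented denies that a filter for this issue must NOT suppress.
SAMPLE_LOG_LINES = [
    "Deny 10.0.1.1 10.0.1.25 icmp-Dest_Unreach code(3) 1-Trusted Firebox icmp "
    "error with data src_ip=10.0.1.1 dst_ip=10.0.1.25 pr=dhcp/bootp-client/udp "
    "src_port=67 dst_port=68 src_intf='1-Trusted' dst_intf='0' cannot "
    "match any flow, drop this packet 176 128 (internal policy) rc=\"104\"",
    # Same ICMP type/code, but carrying an unrelated TCP flow: keep it.
    "Deny 203.0.113.7 10.0.1.25 icmp-Dest_Unreach code(3) 0-External Firebox icmp "
    "error with data src_ip=203.0.113.7 dst_ip=10.0.1.25 pr=http/tcp "
    "src_port=80 dst_port=51522 src_intf='0-External' dst_intf='1-Trusted' cannot "
    "match any flow, drop this packet 96 128 (internal policy) rc=\"104\"",
    # Plain deny with no key=value fields at all: keep it.
    "Deny 198.51.100.4 10.0.1.40 tcp 0-External 1-Trusted 44123 22 (Unhandled External Packet-00)",
]

# key=value pairs; values may be bare, single-quoted ('1-Trusted') or double-quoted ("104").
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
# ICMP type name and code as they appear in the message, e.g. icmp-Dest_Unreach code(3).
ICMP_RE = re.compile(r"icmp-(\w+) code\((\d+)\)")


def parse_line(line):
    """Split one Firebox traffic log line into a flat dict of fields."""
    fields = {k: v.strip("'\"") for k, v in KV_RE.findall(line)}
    action = line.split(None, 1)[0]          # first token: Deny / Allow
    m = ICMP_RE.search(line)
    return {
        "action": action,
        "icmp_type": m.group(1) if m else None,
        "icmp_code": int(m.group(2)) if m else None,
        **fields,
    }


def is_known_dhcp_renewal_noise(rec):
    """True only when every marker of the issue-27364 message is present."""
    return (
        rec["action"] == "Deny"
        and rec.get("icmp_type") == "Dest_Unreach"
        and rec.get("icmp_code") == 3
        and rec.get("pr") == "dhcp/bootp-client/udp"
        and rec.get("src_port") == "67"
        and rec.get("dst_port") == "68"
        and rec.get("rc") == "104"
    )


def triage(lines):
    """Return (suppressed, kept): benign DHCP-renewal denies vs. everything else."""
    suppressed, kept = [], []
    for line in lines:
        rec = parse_line(line)
        (suppressed if is_known_dhcp_renewal_noise(rec) else kept).append(rec)
    return suppressed, kept


if __name__ == "__main__":
    suppressed, kept = triage(SAMPLE_LOG_LINES)
    print(f"suppressed {len(suppressed)} known-benign line(s), kept {len(kept)} for review")
    for rec in kept:
        print("  review:", rec["action"], rec.get("pr", "n/a"), rec.get("src_intf", "n/a"))
```

Matching on the whole field set matters here: the second sample shows that an ICMP Destination Unreachable deny with the same code but a different inner flow is a different event and is kept, so the suppression cannot hide an unrelated drop that happens to share the ICMP type.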
When you use the DHCP server with secondary networks, the DHCP server IP address given to DHCP clients is the primary interface IP address and not the secondary interface IP address. [10365]
There is a compatibility issue between Firebox X Peak models 5000, 6000, and 8000 using Intel's CSA bus-based MAC (i82547) and the Marvell PCI bus-based MAC (88E8001). Network interfaces may sometimes negotiate at 100 Mbps instead of 1000 Mbps. [13659]