Firewarev12.6.4Update1ReleaseNotes SupportedDevices FireboxT20,T40,T80,M270,M370,M400,M440,M470, M500,M570,M670,M4600,M4800,M5600,M5800 FireboxV,FireboxCloud,WatchGuardAP
Watchguard.com All Software
Fireware v12.6.4 Update 1 Release Notes Supported Devices Release Date Release Notes Revision Fireware OS Build WatchGuard System Manager Build WatchGuard AP Firmware Firebox T20, T40, T80, M270, M370, M400, M440, M470, M500, M570, M670, M4600, M4800, M5600, M5800 FireboxV, Firebox Cloud, WatchGuard AP 12.6.4: 2 February 2021 12.6.4 Update 1: 31 March 2021 21 April 2021 12.6.4: 635642 12.6.4 Update 1: 638640 634890 AP120, AP320, AP322: 8.8.3-12 AP125, AP225W, AP325, AP327X, AP420: 9.0.1-14.3 Introduction Introduction On 31 March 2021 we released Fireware v12.6.4 Update 1 as a maintenance update for Firebox T20, T40, T80, Firebox M Series (except M200 and M300), FireboxV, and Firebox Cloud appliances. For details on the issues resolved in this update release, see Resolved Issues in Fireware v12.6.4 Update 1. Fireware v12.6.4 is a maintenance release for Firebox T20, T40, T80, Firebox M Series (except M200 and M300), FireboxV, and Firebox Cloud appliances. This release includes enhancements to support Firebox configuration and management in WatchGuard Cloud and important bug fixes. For a full list of the enhancements in this release, see Enhancements and Resolved Issues or review the What's New in Fireware v12.6.4 PowerPoint. Fireware v12.6.x is based on Linux kernel 4.14. On some Firebox models, Linux kernel 4.14 does not provide sufficient quality and performance. Because of this, Fireware v12.6.x is not currently available for Firebox T10, T15, T30, T35, T55, T70, M200, and M300. For more information, see this Knowledge Base article. 2 WatchGuard Technologies, Inc. Before You Begin Before You Begin Before you install this release, make sure that you have: l A supported WatchGuard Firebox. This device can be a WatchGuard Firebox T20, T40, T80, M270, M370, M400, M440, M470, M500, M570, M670, M4600, M4800, M5600, M5800, Firebox Cloud, or FireboxV. You cannot install Fireware v12.6.4 Update 1 on any other Firebox model. l The required hardware and software components as shown below. If you use WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware OS installed on your Firebox and the version of WSM installed on your Management Server. l Feature key for your Firebox -- If you upgrade your device from an earlier version of Fireware OS, you can use your existing feature key. If you do not have a feature key for your device, you can log in to the WatchGuard website to download it. l If you are upgrading to Fireware v12.x from Fireware v11.10.x or earlier, we strongly recommend you review the Fireware v11.12.4 release notes for important information about significant feature changes that occurred in Fireware v11.12.x release cycle. l Some Known Issues are especially important to be aware of before you upgrade, either to or from specific versions of Fireware. To learn more, see Release-specific upgrade notes. Note that you can install and use WatchGuard System Manager v12.x and all WSM server components with devices running earlier versions of Fireware. In this case, we recommend that you use the product documentation that matches your Fireware OS version. If you have a new Firebox, make sure you use the instructions in the Quick Start Guide that shipped with your device. If this is a new FireboxV installation, make sure you carefully review Fireware Help in the WatchGuard Help Center for important installation and setup instructions. We also recommend that you review the Hardware Guide for your Firebox model. The Hardware Guide contains useful information about your device interfaces, as well as information on resetting your device to factory default settings, if necessary. Product documentation for all WatchGuard products is available on the WatchGuard web site at https://www.watchguard.com/wgrd-help/documentation/overview. Release Notes 3 Resolved Issues in Fireware v12.6.4 Update 1 Resolved Issues in Fireware v12.6.4 Update 1 l The Firebox proxy module no longer caches the server timeout action for sites when the WebBlocker Server is unavailable. [FBX-21307] l This release resolves an issue that caused some web pages to fail to load and generated a URI normalization failed log when an HTTPS-proxy policy is configured with IPS enabled. [FBX-20526] l Allowed WebBlocker categories are no longer incorrectly denied when multiple WebBlocker actions are configured. [FBX-21036] l SMTP proxy auto detection no longer detects application/x-pkcs7-signature as binary. [FBX-15726] l Traffic is no longer delayed when Google Safe Browsing is enabled with HTTPS content inspection and Application Control. [FBX-20731] l When the IMAP proxy Enable content type auto detection option is selected, the configured action is now correctly performed on the value stated in the Content-Type header. [FBX-20409] l The Firebox no longer generates the proxy debug log message pxy_is_sndbuf_saturated at the Error log level. [FBX-21175] l Application Control no longer blocks all traffic and the Firebox no longer generates large numbers of log messages when the IPS/Application Control engine is accessed. [FBX-20840] l This release resolves an FQDND process crash when domain names were longer than 64 bytes. [FBX- 21096] l This release resolves an issue that disconnected Mobile VPN with SSL users while a Firebox saves a configuration. [FBX-21183] l NAT is no longer applied to Mobile VPN with IPSec traffic when that traffic is sent between Mobile VPN clients. [FBX-20960] l Branch office VPNs that use IKEv2 now connect correctly to third-party endpoints when the Start Phase 1 tunnel when Firebox starts option is enabled. [FBX-21065] l An issue that caused the Firebox to respond to ARP requests on the wrong interface is resolved. [FBX- 21044] l OSPF default route distribution logic is improved. [FBX-21032, FBX-21033] l Interface link status is now updated correctly when you use Multi-WAN with FireCluster. [FBX-20984] l Link monitoring no longer prevents valid traffic from passing over an active VPN connection. [FBX- 20868] l DHCP relay packets are now correctly delivered through VPN tunnels after a FireCluster failover event. [FBX-19805] l You can now edit policies that use VIF from Fireware Web UI. [FBX-21280] l Dynu.com dynamic DNS registration now works correctly. [FBX-20970] l This release resolves an issue that caused a kernel warning stack trace related the refcount_error_ report. [FBX-20819] l This release removes expired Trusted Proxy CA certificates. [FBX-21003] Enhancements and Resolved Issues in Fireware v12.6.4 General l Access Portal and Mobile VPN with SSL no longer respond to an HTTP request sent to an HTTPS port. [FBX-20502] l FSM now connects to the Firebox when a third-party web certificate is issued by an Elipitical Curve (EC) signed CA. [FBX-20512] 4 WatchGuard Technologies, Inc. Enhancements and Resolved Issues in AP Firmware Update 9.0.1-14.3 l In the Management Server > Device Properties dialog box, the Show Passphrase check box is no longer disabled for users with the Device Administrator role. [FBX-20377] l Logins to the Guest Administration portal page (https://firebox-ip:8080/wirelessguest) no longer fail after you configure a hotspot. [FBX-19326] l This release resolves an issue where the firewalld process crashed when you added or updated an alias. [FBX-19520] l This release resolves a firewalld process crash. [FBX-20627] Policies and Services l When you add an IP protocol to a custom policy template, the Protocol Number text box now appears in the Add Protocol dialog box when the OS Compatibility setting is 12.6 or higher. [FBX-20811] l This release resolves an issue where Geolocation redirects caused the Firebox to not respond or crash. [FBX-18282] l This release resolves an issue that caused traffic to be mishandled when policies used auto-order mode. [FBX-20697] l For traffic routed correctly through a BOVPN tunnel that also matches a BOVPN virtual interface policy, the traffic log now shows the correct BOVPN tunnel policy instead of the BOVPN virtual interface policy. [FBX-20778] Networking l You can now use the new ip dns cache enable CLI command to enable and disable the DNS cache. [FBX-20905] l The Firebox no longer replies to ARP requests for an IP address from the wrong interface. [FBX-21044] l The DHCPv6 Server no longer restarts repeatedly when a DHCP reservation exists. [FBX-20782] l The Ping diagnostic task now uses the specified interface in multi-WAN Failover mode. [FBX-20063] l You can now successfully edit an SD-WAN action after you rename two or more External type VLANs in Policy Manager. [FBX-20719] l Traffic Management interface bandwidth limits are no longer applied after you add the interface to a link aggregation (LA) interface. [FBX-18465] l This release resolves an issue where BOVPN traffic was denied even though the tunnel was added to the BOVPN-Allow policies. [FBX-20815] l This release resolves an issue that caused the Firebox to not assign IP addresses when the DHCP pool contained only reserved IP addresses. [FBX-20810] FireCluster l In an active/passive FireCluster, DNSWatch no longer fails when the active cluster member has an expired DNSWatch license and the passive cluster member has an unexpired DNSWatch license. [FBX17093] l This release resolves a FireCluster issue that caused the sslvpn_firecluster process to use high CPU on the backup master when no Mobile VPN with SSL client was connected. [FBX-20962] l An interface disconnected from a FireCluster no longer causes a fault report. [FBX-20143] Enhancements and Resolved Issues in AP Firmware Update 9.0.1-14.3 This update release maintains compatibility for the latest AP firmware across all WatchGuard AP platforms and cloud services. Release Notes 5 Known Issues and Limitations Known Issues and Limitations Known issues for Fireware v12.6.4 Update 1 and its management applications, including workarounds where available, can be found on the Technical Search > Knowledge Base tab. To see known issues for a specific release, from the Product & Version filters you can expand the Fireware version list and select the check box for that version. Some Known Issues are especially important to be aware of before you upgrade, either to or from specific versions of Fireware. To learn more, see Release-specific upgrade notes. 6 WatchGuard Technologies, Inc. Download Software Download Software You can download software from the WatchGuard Software Downloads Center. There are several software files available for download with this release. See the descriptions below so you know what software packages you will need for your upgrade. WatchGuard System Manager With this software package you can install WSM and the WatchGuard Server Center software: WSM_12_6_4.exe -- Use this file to install WSM v12.6.4 or to upgrade WatchGuard System Manager from an earlier version. Fireware OS You can upgrade the Fireware OS on your Firebox automatically from the Fireware Web UI System > Upgrade OS page or from WatchGuard Cloud. If you prefer to upgrade from Policy Manager, or from an earlier version of Fireware, you can download the Fireware OS image for your Firebox. Use the .exe file if you want to install or upgrade the OS using WSM. Use the .zip file if you want to install or upgrade the OS manually using Fireware Web UI. Use the .ova or .vhd file to deploy a new FireboxV device. The file name for software downloads will always include the product group, such as T20_T40 for the Firebox T20 or T40. Release Notes 7 Download Software If you have... Firebox M270/M370/M470/M570/M670 Firebox M400/M500 Firebox M440 Firebox M4600/M5600 Firebox M4800/M5800 Firebox T20/T40 Firebox T80 FireboxV All editions for VMware FireboxV All editions for Hyper-V Firebox Cloud Select from these Fireware OS packages Firebox_OS_M270_M370_M470_M570_M670_12_6_4_U1.exe firebox_M270_M370_M470_M570_M670_12_6_4_U1.zip Firebox_OS_M400_M500_12_6_4_U1.exe firebox_M400_M500_12_6_4_U1.zip Firebox_OS_M440_12_6_4_U1.exe firebox_M440_12_6_4_U1.zip Firebox_OS_M4600_M5600_12_6_4_U1.exe firebox_M4600_M5600_12_6_4_U1.zip Firebox_OS_M4800_M5800_12_6_4_U1.exe firebox_M4800_M5800_12_6_4_U1.zip Firebox_OS_T20_T40_12_6_4_U1.exe Firebox_OS_T20_T40_12_6_4_U1.zip Firebox_OS_T80_12_6_4_U1.exe Firebox_OS_T80_12_6_4_U1.zip FireboxV_12_6_4_U1.ova Firebox_OS_FireboxV_12_6_4_U1.exe firebox_FireboxV_12_6_4_U1.zip FireboxV_12_6_4_U1_vhd.zip Firebox_OS_FireboxV_12_6_4_U1.exe Firebox_FireboxV_12_6_4_U1.zip FireboxCloud_12_6_4_U1.zip Firebox_OS_FireboxCloud_12_6_4_U1.exe 8 WatchGuard Technologies, Inc. Download Software Additional Firebox Software The files in the list below are not directly used by the Firebox or for Firebox management, but are necessary for key features to work. In most cases, the file name includes the Fireware version that was current at the time of release. Filename Description Updated in this release WG-Authentication-Gateway_12_5_ Single Sign-On Agent software - required for Single No 4.exe Sign-On and includes optional Event Log Monitor for clientless SSO WG-Authentication-Client_12_5_ Single Sign-On Client software for Windows No 4.msi WG-SSOCLIENT-MAC_12_5_ Single Sign-On Client software for macOS No 4.dmg SSOExchangeMonitor_x86_12_ Exchange Monitor for 32-bit operating systems No 0.exe SSOExchangeMonitor_x64_12_ Exchange Monitor for 64-bit operating systems No 0.exe TO_AGENT_SETUP_11_12.exe WG-MVPN-SSL_12_6_3.exe WG-MVPN-SSL_12_6_3.dmg Terminal Services software for both 32-bit and 64-bit No systems. Mobile VPN with SSL client for Windows5 No Mobile VPN with SSL client for macOS5 No WG-Mobile-VPN_Windows_x86_ WatchGuard IPSec Mobile VPN Client for Windows No 1411_48297.exe1 (32-bit), powered by NCP 2 WG-Mobile-VPN_Windows_x86-64_ WatchGuard IPSec Mobile VPN Client for Windows No 1411_48297.exe1 (64-bit), powered by NCP 2 WG-Mobile-VPN_macOS_x86-64_ WatchGuard IPSec Mobile VPN Client for macOS, No 400_46079.dmg1 powered by NCP 2 Watchguard_MVLS_Win_x86-64_ 200_rev19725.exe1 WatchGuard Mobile VPN License Server (MVLS) v2.0, No powered by NCP 3 Release Notes 9 Download Software 1 The version number in this file name does not match any Fireware version number. 2 There is a license required for this premium client, with a 30-day free trial available with download. 3 Click here for more information about MVLS. If you have a VPN bundle ID for macOS, it must be updated on the license server to support the macOS 3.00 or later client. To update your bundle ID, contact WatchGuard Customer Support. Make sure to have your existing bundle ID available to expedite the update. 4 SSO Agent v12.5.4 supports Fireware v12.5.4 or higher only. Before you install SSO Agent v12.5.4, you must upgrade the Firebox to Fireware v12.5.4 or higher. If you install SSO Agent v12.5.4, we recommend that you upgrade all SSO Clients to v12.5.4. You cannot use SSO Client v12.5.4 with versions of the SSO Agent lower than v12.5.4. Fireware v12.6.4 supports previous versions of the SSO Agent. 5 Not supported on ARM processor architecture. 10 WatchGuard Technologies, Inc. Upgrade to Fireware v12.6.4 Update 1 Upgrade to Fireware v12.6.4 Update 1 Important information about the upgrade process: l You can use WatchGuard Cloud, Fireware Web UI, or Policy Manager to upgrade your Firebox. l We strongly recommend that you save a local copy of your Firebox configuration and create a Firebox backup image before you upgrade. l If you use WatchGuard System Manager (WSM), make sure your WSM version is equal to or higher than the version of Fireware OS installed on your Firebox and the version of WSM installed on your Management Server. Also, make sure to upgrade WSM before you upgrade the version of Fireware OS on your Firebox. l In Fireware v12.6.2 or higher, Fireware Web UI prevents the addition of users with reserved user names to the Firebox-DB authentication server. We recommend that you delete or replace any user with a reserved name before you upgrade to Fireware v12.6.2 or higher. For more information, see Reserved Firebox-DB authentication server user names. Back Up Your WatchGuard Servers It is not usually necessary to uninstall your previous server or client software when you upgrade to WSM v12.x. You can install the v12.x server and client software on top of your existing installation to upgrade your WatchGuard software components. We do, however, strongly recommend that you back up your WatchGuard Servers (for example, your WatchGuard Management Server) to a safe location before you upgrade. You will need these backup files if you ever want to downgrade. For instructions on how to back up your Management Server configuration, see Fireware Help. Upgrade to Fireware v12.6.4 Update 1 from WatchGuard Cloud From WatchGuard Cloud, you can upgrade the firmware for a Firebox that runs Fireware v12.5.2 or higher. To upgrade from WatchGuard Cloud, see Upgrade Firmware from WatchGuard Cloud in WatchGuard Cloud Help. Upgrade to Fireware v12.6.4 Update 1 from Web UI You can upgrade the Fireware OS on your Firebox automatically from the System > Upgrade OS page. To upgrade manually, see Upgrade Fireware OS or WatchGuard System Manager in Fireware Help. If your Firebox runs Fireware v11.9.x or lower, follow the steps in this knowledge base article. If you have installed another release of this OS version on your computer, you must run the installer twice (once to remove the previous release and again to install this release). Upgrade to Fireware v12.6.4 Update 1 from WSM/Policy Manager To upgrade from WSM/Policy Manager, see Upgrade Fireware OS or WatchGuard System Manager in Fireware Help. If you have installed another release of this OS version on your computer, you must run the installer twice (once to remove the previous release and again to install this release). Release Notes 11 Upgrade to Fireware v12.6.4 Update 1 If you like to make updates to your Firebox configuration from a saved configuration file, make sure you open the configuration from the Firebox and save it to a new file after you upgrade. This is to make sure that you do not overwrite any configuration changes that were made as part of the upgrade. 12 WatchGuard Technologies, Inc. Update Access Points Update Access Points All AP firmware is managed by the Gateway Wireless Controller on your Firebox. The Gateway Wireless Controller automatically checks for new AP firmware updates and enables you to download the firmware directly from WatchGuard servers. AP Firmware Upgrade To manage AP firmware and download the latest AP firmware to your Firebox: n From Fireware Web UI, select Dashboard > Gateway Wireless Controller. From the Summary tab, click Manage Firmware. n From Firebox System Manager, select the Gateway Wireless Controller tab, then click Manage Firmware. If you have enabled automatic AP firmware updates in Gateway Wireless Controller, your APs are automatically updated between midnight and 4:00am local time. To manually update firmware on your APs: 1. On the Access Points tab, select one or more APs. 2. From the Actions drop-down list, click Upgrade. 3. Click Yes to confirm that you want to upgrade the AP. About AP Firmware and Fireware Versions You must upgrade your APs to firmware version 8.6.0 or higher before you upgrade to Fireware v12.5.4 or higher to remain compatible with the latest versions of Fireware. Important Steps for Upgrades from Fireware v12.0 or Lower If you have not previously upgraded to Fireware v12.0.1 or higher and the latest AP firmware, you must perform these steps: 1. Make sure all your APs are online. You can check AP status from Fireware Web UI in Dashboard > Gateway Wireless Controller on the Access Points tab, or from Firebox System Manager, select the Gateway Wireless Controller tab. 2. Make sure you are not using insecure default AP passphrases such as wgwap or watchguard. Your current AP passphrase must be secure and at least 8 characters in length. You can change your AP passphrase in Network > Gateway Wireless Controller > Settings. If you do not have a secure passphrase correctly configured before the upgrade, you will lose the management connection with your deployed APs. If this occurs, you must physically reset the APs to factory default settings before you can manage the APs from Gateway Wireless Controller. Release Notes 13 Update Access Points Depending on the version of Fireware you upgrade from, you may need to mark APs as trusted after the upgrade to Fireware v12.0.1 or higher. You can mark APs as trusted from Fireware Web UI in Dashboard > Gateway Wireless Controller on the Access Points tab, or from Firebox System Manager, select the Gateway Wireless Controller tab. 14 WatchGuard Technologies, Inc. Upgrade your FireCluster to Fireware v12.6.4 Update 1 Upgrade your FireCluster to Fireware v12.6.4 Update 1 You can upgrade Fireware OS for a FireCluster from Policy Manager or Fireware Web UI. To upgrade a FireCluster from Fireware v11.10.x or lower, we recommend you use Policy Manager. As part of the upgrade process, each cluster member reboots and rejoins the cluster. Because the cluster cannot do load balancing while a cluster member reboot is in progress, we recommend you upgrade an active/active cluster at a time when the network traffic is lightest. For information on how to upgrade your FireCluster, see this Help topic. Release Notes 15 Fireware v12.6.4 Update 1 Operating System Compatibility Matrix Fireware v12.6.4 Update 1 Operating System Compatibility Matrix Last reviewed 24 February 2021 WSM/ FirewareComponent WatchGuard System Manager WatchGuard Servers For information on WatchGuard Dimension, see the Dimension Release Notes. Single Sign-On Agent (Includes Event Log Monitor)1 Single Sign-On Client Microsoft Windows 8.1, 10 Microsoft Windows Server 2012& 2012R2 Microsoft Windows Server 2016 & 2019 macOS v10.14, v10.15, & v11.x Android 7.x, 8.x, 9.x, 10.x, & 11.x iOS v9, v10, v11, v12, v13, & v14 4 Single Sign-On Exchange Monitor2 Terminal Services Agent3 Mobile VPN with IPSec 4,5 5 5 Mobile VPN with SSL9 4, 8 6 6 Mobile VPN with IKEv2 4 7 Mobile VPN with L2TP 5 Notes about Microsoft Windows support: l Windows 8.x support does not include Windows RT. l Documentation might include references and examples for Windows OS versions that are no longer supported. This is provided to assist users with those OS versions, but we cannot guarantee compatibility. The following browsers are supported for both Fireware Web UI and WebCenter (Javascript required): l IE 11 l Microsoft Edge42 l Firefox v82 16 WatchGuard Technologies, Inc. Fireware v12.6.4 Update 1 Operating System Compatibility Matrix l Safari 13 l Safari iOS 14 l Safari (macOS Catalina) l Safari (macOS Big Sur) l Chrome v86 1The Server Core installation option is supported for Windows Server 2016. 2Microsoft Exchange Server 2010 SP3 and Microsoft Exchange Server 2013 is supported if you install Windows Server 2012 or 2012 R2 and .NET Framework 3.5. 3Terminal Services support with manual or Single Sign-On authentication operates in a Microsoft Terminal Services or Citrix XenApp 6.0, 6.5, 7.6, or 7.12 environment. 4On 11 November 2019, WatchGuard released multiple new client applications for macOS. These releases add support for macOS Catalina 10.15, and require macOS High Sierra 10.13 or later. To learn more about client support for macOS Catalina, see macOS Catalina 10.15 software compatibility. To learn more about client support for macOS Big Sur 11.x, see macOS Big Sur 11.x software compatibility. The WatchGuard Mobile VPN with IPSec client does not currently support macOS Big Sur 11.x and does not support Mac devices that have the ARM-based Apple M1 processor. 5Native (Cisco) IPSec client is supported for all recent versions of macOS and iOS. 6OpenVPN is supported for all recent versions of Android and iOS. 7StrongSwan is supported for all recent versions of Android. 8In macOS 10.15 (Catalina) or higher, you must install v12.5.2 or higher of the WatchGuard Mobile VPN with SSL client. 9Both v12.5.3 and v12.6.3 of the WatchGuard Mobile VPN with SSL client are compatible with both Fireware v12.5.7 and Fireware v12.6.4 on supported versions of Windows and macOS. Authentication Support This table gives you a quick view of the types of authentication servers supported by key features of Fireware. Using an authentication server gives you the ability to configure user and group-based firewall and VPN policies in your Firebox or XTM device configuration. With each type of third-party authentication server supported, you can specify a backup server IP address for failover. Fully supported by WatchGuard - Not supported by WatchGuard Release Notes 17 Fireware v12.6.4 Update 1 Operating System Compatibility Matrix Mobile VPN with IPSec for iOS, Windows, and macOS Mobile VPN with IPSec for Android Mobile VPN with SSL Mobile VPN with IKEv2 for Windows Mobile VPN with L2TP Built-in Web Page on Port 4100 and 8080 Access Portal AuthPoint Active Directory LDAP RADIUS SecurID Firebox (Firebox-DB) Local Authentication SAML 1 1 AD Single Sign-On Support (with or without client software) Terminal Services Manual Authentication Terminal Services Authentication with Single Sign-On 18 WatchGuard Technologies, Inc. Fireware v12.6.4 Update 1 Operating System Compatibility Matrix 1 Active Directory authentication methods are supported only through a RADIUS server. System Requirements Minimum CPU Minimum Memory Minimum Available Disk Space Minimum Recommended Screen Resolution If you have WatchGuard System Manager client software only installed Intel Core or Xeon 2GHz 1 GB 250 MB 1024x768 If you install WatchGuard System Manager and WatchGuard Server software Intel Core or Xeon 2GHz 2 GB 1 GB 1024x768 FireboxV System Requirements A WatchGuard FireboxV virtual machine can run on: l VMware ESXi 6.0, 6.5, 6.7, or 7.0 l Windows Server or Hyper-V Server 2012 R2, 2016, or 2019 l Linux KVM The hardware requirements for FireboxV are the same as for the hypervisor environment it runs in. Each FireboxV virtual machine requires 5 GB of disk space. CPU and memory requirements vary by model: FireboxV Model Small Minimum Total Memory 2048 MB1 Recommended Memory Maximum vCPUs 4096 MB 2 Medium 4096 MB 4096 MB 4 Large 4096 MB 8192 MB 8 Extra Large 4096 MB 16384 MB 16 1 4096 MB is required to enable Access Portal and IntelligentAV, and to use the Full signature set for IPS/Application Control Release Notes 19 Fireware v12.6.4 Update 1 Operating System Compatibility Matrix Firebox Cloud System Requirements Firebox Cloud can run on Amazon Web Services (AWS) and Microsoft Azure cloud computing platforms. Firebox Cloud CPU and memory requirements: l Minimum CPU cores: 2 l Minimum total memory: 2048 MB1 l Recommended minimum total memory: 4096 MB 1 4096 MB is required to enable Access Portal and IntelligentAV, and to use the Full signature set for IPS/Application Control WatchGuard recommends an instance that has at least 1024 MB of memory for each CPU core. For example, if the instance has four CPU cores, we recommend a minimum total memory of 4096 MB. Refer to the AWS and Azure documentation to identify instances that meet these requirements. For Firebox Cloud with a BYOL license, the Firebox Cloud model determines the maximum number of CPU cores. For more information, see Firebox Cloud License Options in Help Center. 20 WatchGuard Technologies, Inc. Downgrade Instructions Downgrade Instructions Downgrade from WSM v12.6.4 If you want to revert from WSM v12.6.4 to an earlier version, you must uninstall WSM v12.6.4. When you uninstall, choose Yes when the uninstaller asks if you want to delete server configuration and data files. After the server configuration and data files are deleted, you must restore the data and server configuration files you backed up before you upgraded to WSM v12.6.4. Next, install the same version of WSM that you used before you upgraded to WSM v12.6.4. The installer should detect your existing server configuration and try to restart your servers from the Finish dialog box. If you use a WatchGuard Management Server, use WatchGuard Server Center to restore the backup Management Server configuration you created before you first upgraded to WSM v12.6.4. Verify that all WatchGuard servers are running. Downgrade from Fireware v12.6.4 Update 1 If you want to downgrade from Fireware v12.6.4 Update 1 to an earlier version of Fireware, the recommended method is to use a backup image that you created before the upgrade to Fireware v12.6.4 Update 1. With a backup image, you can either: l Restore the full backup image you created when you upgraded to Fireware v12.6.4 Update 1 to complete the downgrade; or l Use the USB backup file you created before the upgrade as your auto-restore image, and then boot into recovery mode with the USB drive plugged in to your device. If you need to downgrade a Firebox without a backup file after you complete the upgrade to Fireware v12.x, we recommend you Downgrade with Web UI. This process deletes the configuration file, but does not remove the device feature keys and certificates. After you downgrade the Firebox, you can use Policy Manager to Save the Configuration File to the Firebox. If you use the Fireware Web UI or CLI to downgrade to an earlier version, the downgrade process resets the network and security settings on your device to their factory-default settings. The downgrade process does not change the device passphrases and does not remove the feature keys and certificates. See Fireware Help for more information about these downgrade procedures, and information about how to downgrade if you do not have a backup image. Downgrade Restrictions See this Knowledge Base article for a list of downgrade restrictions. When you downgrade the Fireware OS on your Firebox, the firmware on any paired AP devices is not automatically downgraded. We recommend that you reset the AP device to its factory-default settings to make sure that it can be managed by the older version of Fireware OS. Release Notes 21 Technical Assistance Technical Assistance For technical assistance, contact WatchGuard Technical Support by telephone or log in to the WatchGuard Portal on the Web at https://www.watchguard.com/wgrd-support/overview. When you contact Technical Support, you must supply your registered Product Serial Number or Partner ID. Phone Number U.S. End Users 877.232.3531 International End Users +1 206.613.0456 Authorized WatchGuard Resellers 206.521.8375 22 WatchGuard Technologies, Inc. Localization Localization This release includes updates to the localization for the management user interfaces (WSM application suite and Web UI) through Fireware v12.5.2. UI changes introduced since v12.5.2 might remain in English. Supported languages are: l French (France) l Japanese l Spanish (Latin American) Note that most data input must still be made using standard ASCII characters. You can use non-ASCII characters in some areas of the UI, including: l Proxy deny message l Wireless hotspot title, terms and conditions, and message l WatchGuard Server Center users, groups, and role names Although some other Web UI and Policy Manager fields might accept Unicode characters, problems can occur if you enter non-ASCII characters in those fields. Any data returned from the device operating system (e.g. log data) is displayed in English only. Additionally, all items in the Fireware Web UI System Status menu and any software components provided by third-party companies remain in English. Fireware Web UI The Web UI will launch in the language you have set in your web browser by default. WatchGuard System Manager When you install WSM, you can choose what language packs you want to install. The language displayed in WSM will match the language you select in your Microsoft Windows environment. For example, if you use Windows 10 and want to use WSM in Japanese, go to Control Panel > Language and select Japanese as your Display Language. Dimension, WebCenter, Quarantine Web UI, and Wireless Hotspot These web pages automatically display in whatever language preference you have set in your web browser. Documentation The latest version of localized Fireware Help is available from WatchGuard Help Center. In the top-right of a Fireware Help page, click the Globe icon and select your language from the drop-down list. Release Notes 23 Localization Release Notes 24madbuild