WatchGuard Releases FireWare 12.0

Today, WatchGuard releases their latest and most powerful version of FireWare OS, 12.0.  This is the first major release of their OS since 2009 when 11.0 was released.  With a strong focus on performance and security, the latest version of FireWare OS is the most capable version of the Operating System ever released, with features and capabilities that will enhance your XTM or Firebox device and protect you from the latest threats.

Gateway Antivirus

One of the changes that’s taken place in 12.0 is with Gateway Antivirus.  Up until now, WatchGuard has used AVG as the back-end scanning engine for GAV.  As of 12.0, the engine changes to Bitdefender.  This change is happening for several reasons, the primary one being that Bitdefender has the highest detection rate and offers better performance and more frequent signature updates.  With the change to Bitdefender, signature updates to GAV will now be faster, and all updates will be incremental.

For this new engine to work, no changes will need to be made to the configuration of Gateway Antivirus on the firewall.  Once the firmware on the firewall is upgraded, the old AVG signatures will be removed and replaced with the new Bitdefender signatures.  It’s recommended that the firmware upgrade take place after hours, as this signature change may take several minutes.

The other important thing to note with this new change to Gateway Antivirus is that this will impact any devices that reach end-of-life in December of 2017.  As of January of 2018, these devices will no longer be receiving signature updates to GAV.  If you are currently running one of these devices, please contact JSCM Group so that we can work with you on a hardware trade-up.


A new IMAP proxy has been implemented with the 12.0 release.  The IMAP proxy actions will be similar to POP3, but will have some more complex settings included.  The IMAP proxy will support the implementation of some of the Subscription Services, including App Control, IPS, GAV, spamBlocker and APT Blocker.

OS Compatibility

With 12.0, there is a new option for OS Compatibility.  OS Compatibility is what tells the firewall policy what features it has access to, based on the firmware of the firewall.  If you are upgrading the firmware of your firewall to 12.0, this setting will change automatically.  If you are migrating a policy from a firewall with older firmware to one with 12.0, you will need to ensure that this is set manually.

Gateway Wireless Controller

New enhancements for WatchGuard’s Gateway Wireless Controller are in the 12.0 release.  Firmware updates to the access points will be available that will include stability and security enhancements.  There will also be improvements to the time it takes for the discovery and pairing of the AP120, AP320, AP322 and AP420.  Additionally, you will now be able to configure separate upload and download rate limits for each SSID and for each user in an SSID configuration.


With the 12.0 release, the PPTP mobile VPN has been removed.  This is because the PPTP VPN is not a secure option.  If you are currently utilizing the PPTP VPN, you will want to transition to one of the other mobile VPN options (IPSec, SSL or L2TP) before upgrading your firmware.

Default VPN Settings

In 12.0, the default security settings used for the mobile VPNs and branch-office VPNs have been updated.  These settings will include more secure options as part of the baseline configuration for encryption, authentication, and Diffie-Hellman.  This change will not affect any BOVPNs or mobile VPNs that are currently built, but will be included on any new VPNs.  It is recommended that any current VPNs be updated with these increased settings to improve security.

APT Blocker

With the 12.0 firmware upgrade, APT Blocker will now be able to detect and scan JavaScript files in email attachments.  Improvements are also being made to the way APT Blocker scans email attachments, making it more suited to identify zero-day threats that may be included.


WebBlocker lookup requests from the Firebox to Websense (now known as Forcepoint) will now be encrypted over HTTPS.  WebBlocker will also now be able to store recent URL lookups on a local cache on the firewall.  This will improve performance of the device, and will speed up the URL category processing.

Intrusion Prevention

WatchGuard’s Intrusion Prevention Service (IPS) now includes a larger signature set for certain Firebox models.  This allows better identification of threats coming into a network, and will help stop more attacks.

As you can see, 12.0 is a major release packed with new features and capabilities. You will have questions, and we are here to provide assistance. We strongly urge you to reach out and get training scheduled, and we’ll help in any way we can.