11.2 is a major release. It contains a new Intrusion Prevention implementation and major reporting changes.
Reports have been re-designed from the top-down to be the best reports on any firewall in the industry. They are fully customizable and give the administrator full access to all data included in the database in any way imaginable.
Unlike the old reports, which are generated nightly, the new reports are completely dynamic and interactive.
- This allows for "drilling down" on any aspect of the data, including hosts, users, policies, domain, or literally any column on the any table.
- Reports are now also shown in the administrator UI in addition to a special the reports interface.
- Completely custom reports entries can be created and saved.
- Event logs (now live in the "Reports" tab) have restructured to work just like the reports viewer.
- Event logs also support conditions on any column allowing for easy "drilling down" by any column. For example, viewing only a single hosts' events.
- Many new built-in "report entries" have been added.
Under the covers major changes have taken place.
- Table have been partitioned into daily partitions so that inserts remain a constant time regardless of how many days are keep in the data. This means you can store far more data in the database without degrading insert performance. As such, the limit of data retention has been changed (for now) from 65 days to 366 days. Beware that running queries (viewing reports) against a huge number of days can still be expensive if the server is busy.
- Bypassed sessions are now stored in the sessions table, including information on the # of bytes. This allows for more accurate bandwidth reporting and more visibility. Additionally the byte counts on layer-7 sessions now includes the packet overhead for consistency with bypassed sessions.
The "old" reports remain in place for now, but will likely be removed in 12.0 once all the use cases have been covered by the new reports.
The "old" intrusion prevention has been removed. It has been replaced with a new (still free) "Intrusion Prevention" app. Users will need to install the new Intrusion Prevention, if desired, after upgrade. The new app lives in "Services" and scans all non-bypassed traffic in the system. The new Intrusion Prevention uses the snort engine and updates automatically to the newest available VRT signature set.
Intrusion Prevention now has a wizard to help configure an appropriate ruleset for your site and server size. The new signature set currently contains ~34,000 signatures, which is significantly more than the ~2,500 signatures in the old Intrusion Prevention. Also now supports heuristic signatures to detect behaviors like port scans.
MAC address support has been added. Rules can now match on the MAC address of the client or server as well as the MAC address "vendor" which is pulled from the latest included OUI database (https://standards.ieee.org/develop/regauth/oui/public.html). This information is also shown in the Host Viewer. If the MAC address is not known for the client or server the condition will not match. It will not match against the latest hop MAC address, which should help avoid misconfigurations.
- New cookie-based persistent login to avoid frequent logins
- New option to "require" HTTPS cert installation before logging in.
- New option to redirect to the HTTPS login page (instead of HTTP).
- Built in capture pages are now mobile friendly
- An OpenVPN chromebook deployer has been added for easy chromebook support
- Updated OpenVPN windows client distributed in OpenVPN (webfool contribution)
- OpenVPN events have been rewritten for consistency
- The UI now uses ExtJS v5.1.1
- OVA files are now automatically built for easier VM deployment
- New windows installer deploying the CA cert.
- New host table update events
- IPv6 filter rules have been added
- IPsec tunnel traffic is now not bypassed by default.
- Can now view client associated to a wireless interface
- Other wireless fixes
- Added a banner setting to Branding Manager for display on the admin login
- Directory Connector now uses a secure (SSL) connection to the Active Directory server.
- INVALID packets (packets not associated with a session) are now blocked by default
- There is a new setting to block new sessions while reconfiguring the network in Config > Network > Advanced
- Quota Attainment Ratio condition has been added for rules based on the percentage of the quota currently used (or overused)
- Multiple FTP/NAT handler fixes for scanned and bypassed traffic.
- Added the IP protocol field to the sessions table
- Database names are now consistent and fully publicly documented
- New Application Control signatures.
- New event for settings changes so all admin settings changes can be reviewed.
- Tons of other fixes and minor improvements.