Amaranten Firewall Changes from v8.00.01 to v8.00.02

Release date: 2002-12-03 [ISO]

Version 8.00.02 contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

·  New files installed by v8.00.02

·  How to upgrade earlier v8.0x firewalls to v8.00.02

·  HA upgrade procedure

·  Firewall Manager

[Changes]

[Bug Fixes]

[Known Bugs / Problems]

·  Firewall Core

[Changes]

[Bug Fixes]

·  Firewall Core - VPN specific

[Bug Fixes]

[Known Bugs / Problems]

·  Firewall Core - HA specific

[Bug Fixes]

[Known Bugs / Problems]

For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

Change logs / release notes for earlier versions of Amaranten Firewall are available in the release notes section of www.Amaranten.com/support.

Summary of changes and bug fixes

All changes and bug fixes affecting the standard firewall core also affect VPN and HA cores, unless explicitly stated otherwise.

Firewall Manager

·  Change: License files are now automatically written to boot media

·  Bug fix: Log receivers in underlying namespace might not get imported

·  Bug fix: "fwcore.cfg" would not be written to boot media for HA members

·  Bug fix: PBR Table "Ordering" field was always set to "Default"

·  Bug fix: X.509 certificates with "complex" file names could not be imported

·  Bug fix: "Expected source address" for a firewall could not be altered in log receiver properties

·  Bug fix: Manager would not test for management IP address in VLAN section

Firewall Core

·  Change: Added "license -remove" console command

·  Change: HA masters without licenses will now run in demo mode

·  Change: More diagnostic output regarding license problems

·  Bug fix: FTP ALG sessions could fail due to early port re-use

·  Bug fix: FTP ALG could fail to transfer files from some FTP server types

·  Bug fix: SNMP traffic to the firewall would cause "LocalUndelivered" log entries

·  Bug fix: Interface index 1 presented as "blank" in SNMP

·  Bug fix: Hexadecimal PSKs would get treated as passphrases

Firewall Core - VPN specific

Firewall Core - HA specific

·  Known bug: No state synchronization for FTP ALG

New files installed by v8.00.02

This is a list of the files that are new to the v8.00.02 release. All paths are relative to your Firewall Manager install folder.

  • Cores/fwc-8.00.02-full.cfx
    This is the v8.00.02 full firewall core. Upload it to your existing (standard) firewall, or create new boot media with it. It contains VPN as well as HA functionality.
    Note: VPN firewalls should, as always, use the VPN core file, below.
  • Cores/fwc-8.00.02-novpn.cfx
    This is a version of the v8.00.02 core without VPN support. It is roughly half the size of the full version.
  • Cores/fwcoreup8.exe
    This is the core used to remotely upgrade v7.0x and earlier firewalls. It will install a "8.00.02-full" core.
  • Docs/Changes-8.00.01-to-8.00.02.htm
    This document.
  • FWMgr8.exe
    This is the v8.00.02 Firewall Manager. Earlier version 8 Firewall Managers will be overwritten. Version 7 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr7.exe" and are typically installed in a different directory.

How to upgrade earlier v8.0x firewalls to v8.00.02

Upgrading a previous v8.0x firewall to v8.00.02 is straightforward. Upload the new core, "fwc-8.00.02-full.cfx", to your firewall and restart it. (Alternatively, upload the "-novpn" version if you do not need VPN functionality.)

HA upgrade procedure

There are no incompatibilities in the HA synchronization protocol between v8.00.02 HA cores and earlier v8.0x HA cores. No special procedures are required.

Simply upload the new firewall core file to each firewall in your cluster, and make sure that the first upload and restart is successful before uploading to the second firewall. We recommend beginning with the firewall that is currently NOT active (which is not necessarily the slave firewall), as this results in only one fail-over. Starting the upgrade with the currently active firewall necessitates two fail-overs.

Firewall Manager Changes

  • License files are now automatically written to boot media
    When new boot media is created (through "Save to Boot Media" or "Create Boot Media"), and a license is bound to the firewall, the license file "license.lic" will automatically be created on the boot media. Manual upload of the license after the firewall has been booted is no longer required.

Firewall Manager Bug Fixes

  • Log receivers in underlying namespace might not get imported
    Issue: As with all other shared resources, log receivers specified in an underlying namespace should be imported into the firewall configuration and made available to the running firewall on configuration upload.
    Problem: Unless a log receiver was explicitly named in the firewall configuration, it would not be imported.
    Results: Wildcard log settings such as "All log receivers" could yield unexpected results. In the extreme case, if no log receivers were specified locally in the firewall's configuration and all log statements were wildcards, no log receivers would be imported, and hence the firewall would send no log events at all.
    Fixed: Fixed in v8.00.02. All log receiver definitions from underlying namespaces are now uploaded to the firewall, regardless of whether they are used or not.
    Affects: v8.00.00 - v8.00.01.
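The following is an added illustration of this failure mode, written for this document and not taken from the Amaranten Firewall Manager. It models a firewall namespace with an underlying shared namespace and compares the v8.00.00 - v8.00.01 import rule (only explicitly named receivers are imported) with the v8.00.02 rule (every visible definition is imported). The namespace names, receiver names and addresses are constructed for the example.

```python
# Added example, not Amaranten code. Models how log receivers defined in an
# underlying namespace are imported into a firewall configuration, so that the
# pre-8.00.02 behaviour can be compared with the fixed behaviour.
# Namespace layout, receiver names and addresses below are made up.

ALL_RECEIVERS = "All log receivers"   # wildcard as used in a log statement


class Namespace:
    """A configuration namespace; `parent` is the underlying namespace, if any."""

    def __init__(self, name, receivers, parent=None):
        self.name = name
        self.receivers = dict(receivers)   # receiver name -> IP address
        self.parent = parent

    def visible_receivers(self):
        """Receivers visible from this namespace: its own plus all underlying ones.
        A definition nearer the firewall shadows one with the same name further out."""
        visible = {}
        ns = self
        while ns is not None:
            for name, addr in ns.receivers.items():
                visible.setdefault(name, addr)
            ns = ns.parent
        return visible


def import_receivers(fw_ns, log_statements, fixed=True):
    """Receiver definitions that end up in the uploaded firewall configuration.

    fixed=True  : v8.00.02 rule, every visible definition is imported.
    fixed=False : v8.00.00 - v8.00.01 rule, only receivers named explicitly in
                  the firewall's own log statements are imported; a wildcard
                  imports nothing by itself.
    """
    visible = fw_ns.visible_receivers()
    if fixed:
        return visible
    imported = dict(fw_ns.receivers)   # locally defined receivers were always present
    for target in log_statements:
        if target != ALL_RECEIVERS and target in visible:
            imported[target] = visible[target]
    return imported


def resolve_targets(imported, log_statements):
    """Expand the log statements against the imported set; sorted receiver names."""
    targets = set()
    for target in log_statements:
        if target == ALL_RECEIVERS:
            targets.update(imported)
        elif target in imported:
            targets.add(target)
    return sorted(targets)


def demo(fixed):
    """The worst case from the release note: no local receivers, wildcard-only logging."""
    shared = Namespace("shared", {"syslog-main": "192.0.2.10", "siem": "192.0.2.20"})
    fw = Namespace("fw-edge", {}, parent=shared)
    statements = [ALL_RECEIVERS]
    imported = import_receivers(fw, statements, fixed=fixed)
    return resolve_targets(imported, statements)


if __name__ == "__main__":
    print("v8.00.01 behaviour:", demo(fixed=False))   # [] -> the firewall logs nowhere
    print("v8.00.02 behaviour:", demo(fixed=True))    # ['siem', 'syslog-main']
```

The practical check after upgrading is the same as what the model shows: with only wildcard log statements and no locally defined receivers, a firewall on the old rule produces no log events at all, which is silent rather than an error, so verify that the receivers actually see traffic after the configuration upload.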


  • "fwcore.cfg" would not be written to boot media for HA members
    Issue: When boot media is created for a fully functional firewall, the configuration file, "fwcore.cfg", should be written to the media.
    Problem: The configuration file was not written to the boot media for HA members.
    Results: HA members, when booted from this boot media, would not work. One could however enter the setup phase and create a new minimal configuration that the firewall could start from, and then upload the correct configuration from the Firewall Manager.
    Fixed: Fixed in v8.00.02.
    Affects: v8.00.00 - v8.00.01.


  • PBR Table "Ordering" field was always set to "Default"
    Issue: The Firewall Manager would always parse Policy Based Routing Table ordering as "Default" on configuration reads; "First" ordering could not be used.
    Fixed: Fixed in v8.00.02.
    Affects: v8.00.00 - v8.00.01.


  • X.509 certificates with "complex" file names could not be imported
    Issue: X.509 certificates with spaces in the file name, or with a file name longer than 31 characters, could not be imported.
    Fixed: Fixed in v8.00.02. Spaces in file names are now converted to underscores when the file is imported, and over-long names are truncated properly.
    Affects: v8.00.00 - v8.00.01.


  • "Expected source address" for a firewall could not be altered in log receiver properties
    Issue: Amaranten Firewall Log Receivers are configured with the IP address of the firewalls allowed to send log entries to them. By default, this is the same address the Firewall Manager uses for communication with the firewall. However, if the log receiver is located off another interface, this address may need to be changed.
    Problem: The "expected source address" could not be changed in the log receiver properties; changes would not be accepted.
    Results: In situations where the IP address needed to be changed, the log receiver would refuse to accept log entries from the firewall, and emit event log entries on the server in question:
    "Unauthorized send from IP 123.123.123.123 occured 234 time(s)"
    Fixed: Fixed in v8.00.02.
    Affects: v8.00.00 - v8.00.01.


  • Manager would not test for management IP address in VLAN section
    Issue: When the Firewall Manager uploads a new configuration to a firewall, it tests whether the IP address it is configured to communicate with is actually available on the firewall, in order to detect changes. If it does not find this IP address, it prompts the user for which address to attempt communication with.
    Problem: The Manager would not compare the current management IP address to addresses specified in the VLAN section.
    Results: If the Manager was set to communicate with the IP address of a VLAN interface, it would always prompt the user for which address to attempt communication with.
    Fixed: Fixed in v8.00.02.
    Affects: v8.00.00 - v8.00.01.

Firewall Core Changes

  • Added "license -remove" console command
    A license file installed on a firewall can now be removed from the firewall through the "license -remove" console command.
    This can be helpful if an erroneous license is uploaded, which results in the firewall entering "local lockdown mode", where only administrative traffic to the firewall itself is allowed.
    With the license removed, the firewall will instead run in 2-hour evaluation mode, which allows normal operation during that time.


  • HA masters without licenses will now run in demo mode
    Normal firewalls without licenses run in 2-hour demo mode.
    HA setups, however, are normally not allowed to run in demo mode, since with an HA setup one could, for all intents and purposes, bypass the 2-hour restriction.
    This also meant that one could not connect to the internet through an unlicensed cluster to retrieve a working license file.
    Hence, an exception has now been made for HA masters: if they have no license file, they will run in 2-hour demo mode, just like normal firewalls.


  • More diagnostic output regarding license problems
    The license parser will now emit considerably more diagnostic output if there was a problem parsing the license file.
    If there was a problem, the "license" console command will also remember this output and display the exact cause of the problem rather than a generic "this license is currently not in use".

Firewall Core Bug Fixes

  • FTP ALG sessions could fail due to early port re-use