Amaranten Firewall Changes from v8.10.01 to v8.20.00

Release date: 2003-06-26 [ISO]

Version 8.20.00 is a new major version. It is available for all license holders with a software subscription covering 2003-06-01. The major new features are:

» DHCP relaying over IPsec (LAN-to-LAN as well as roaming client "virtual IP")
» "Always-up" VPN tunnels with improved keepalives
» Automated HTTP URL poster for e.g. dyndns registration or logon to broadband networks
» VPN policy can now be determined by routing / policy routing, which also enables logging over VPNs
» Link monitor for HA clusters as well as standalone firewalls

Version 8.20.00 also contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

·  New files installed by v8.20.00
·  How to upgrade earlier v8.0x firewalls to v8.20.00
·  HA upgrade procedure
·  Firewall Manager
   [Changes] [Bug Fixes] [Known Bugs / Problems]
·  Firewall Core
   [Changes] [Bug Fixes] [Known Bugs / Problems]
·  Firewall Core - VPN specific
   [Changes] [Bug Fixes] [Known Bugs / Problems]
·  Firewall Core - HA specific
   [Changes] [Bug Fixes] [Known Bugs / Problems]

For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

Change logs / release notes for earlier versions of Amaranten Firewall are available in the release notes section of www.Amaranten.com/support.

 Summary of changes and bug fixes

All changes and bug fixes affecting the standard firewall core also affect VPN and HA cores, unless explicitly stated otherwise.

Firewall Manager

  Change:  Warning state added for firewalls that use default management keys
  Change:  Full-screen editing mode implemented
  Change:  Log export in binary (.fwl) format
  Bug fix: Netobject name changes do not propagate to comma-separated lists
  Bug fix: Copying service groups causes FWMgr to freeze
  Bug fix: Status icon of folders etc. not updated when firewall status changes
  Bug fix: "Upload HTML Banner Files" ignores folder names with upper case letters

Firewall Core

  Change:  Link monitor implemented
  Change:  Boot menu: Use of DHCP in initial setup now possible
  Change:  Log events now emitted for NetconBeforeRules/SNMPBeforeRules/IPsecBeforeRules
  Change:  New TCP ECN "Nonce Sum" flag now handled the same way as other ECN flags
  Change:  Console 'ping' command extended to use the ruleset in the outbound direction
  Change:  DHCP client: implemented server / lease filtering
  Change:  "HTTPPoster" for automatic web-based logon implemented
  Change:  Web based user auth: "404 not found" page can now be customized
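The TCP ECN "Nonce Sum" item above refers to the NS flag of RFC 3540, which occupies the bit directly before CWR in the TCP header's offset/flags word; code written against RFC 3168 only knows CWR and ECE and treats that bit as reserved. The following is an added example, not code from Amaranten or from this release: it decodes all nine flag bits of a raw TCP header and contrasts an ECN-normalizing filter that masks only CWR and ECE with one that also masks NS. The header bytes are constructed for the example, clearing the flags is an assumed form of "handling" used for illustration only (the release note does not say how the core treats the flag), and the checksum is left at zero rather than recomputed.

```python
import struct

# TCP flag bits in the 16-bit "data offset / reserved / flags" word (header bytes 12-13).
# NS (Nonce Sum, RFC 3540) is bit 8, directly before CWR; code that only knows the
# RFC 3168 ECN flags (CWR, ECE) sees that bit as part of the reserved field.
FLAG_BITS = {
    "NS": 1 << 8, "CWR": 1 << 7, "ECE": 1 << 6, "URG": 1 << 5, "ACK": 1 << 4,
    "PSH": 1 << 3, "RST": 1 << 2, "SYN": 1 << 1, "FIN": 1 << 0,
}
ECN_RFC3168 = FLAG_BITS["CWR"] | FLAG_BITS["ECE"]   # what a pre-RFC-3540 filter masks
ECN_ALL = ECN_RFC3168 | FLAG_BITS["NS"]             # what a current filter must mask


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header (no options, checksum left at 0).
    Constructed sample data for this example, not a captured packet."""
    word = (5 << 12) | flags  # data offset = 5 32-bit words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, word, window, 0, 0)


def tcp_flags(header):
    """Decode all nine flag bits (NS included) from a raw TCP header."""
    word = struct.unpack("!H", header[12:14])[0]
    return {name: bool(word & bit) for name, bit in FLAG_BITS.items()}


def ecn_flags_set(header):
    """Return the ECN-related flags present in the header, sorted by name."""
    flags = tcp_flags(header)
    return sorted(name for name in ("NS", "CWR", "ECE") if flags[name])


def data_offset_words(header):
    """Data offset field, to show that clearing flags leaves the header length intact."""
    return struct.unpack("!H", header[12:14])[0] >> 12


def clear_ecn(header, include_ns=True):
    """Return a copy of the header with the ECN flags cleared (assumed normalization).
    include_ns=False mimics a filter that predates RFC 3540: the NS bit survives.
    The TCP checksum covers this word and would need recomputation before forwarding."""
    word = struct.unpack("!H", header[12:14])[0]
    mask = ECN_ALL if include_ns else ECN_RFC3168
    word &= ~mask & 0xFFFF
    return header[:12] + struct.pack("!H", word) + header[14:]


# Constructed sample: a SYN with all three ECN-related bits set.
SAMPLE_SYN = build_tcp_header(40000, 80, FLAG_BITS["SYN"] | ECN_ALL)

if __name__ == "__main__":
    print("original       :", ecn_flags_set(SAMPLE_SYN))
    print("old filter     :", ecn_flags_set(clear_ecn(SAMPLE_SYN, include_ns=False)))
    print("current filter :", ecn_flags_set(clear_ecn(SAMPLE_SYN)))
```

Running the block shows the old-style filter leaving `['NS']` behind while the current one returns an empty list; a rule engine that matches on "no ECN bits set" would otherwise classify the two results differently.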

Firewall Core - VPN specific

  Change:  VPN policy can now be determined via routing
  Change:  "Always-up" VPN tunnels with improved keepalives
  Change:  Multiple VPN tunnels using the same local/remote networks now possible
  Change:  IPsec NAT traversal made controllable

Firewall Core - HA specific

  Known bug: No state synchronization for FTP ALG

 New files installed by v8.20.00

This is a list of the files that are new to the v8.20.00 release. All paths are relative to your Firewall Manager install folder.

» Cores/fwc-8.20.00-full.cfx
  This is the v8.20.00 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains VPN as well as HA functionality.

» Cores/fwc-8.20.00-novpn.cfx
  This is a version of the v8.20.00 core without VPN support. It is roughly half the size of the full version.

» Cores/fwcoreup8.exe
  This is the core used to remotely upgrade v7.0x and earlier firewalls. It will install an "8.00.02-full" core.

» Docs/Changes-8.10.01-to-8.20.00.html
  This document.

» FWMgr8.exe
  This is the v8.20.00 Firewall Manager. Earlier version 8 Firewall Managers will be overwritten. Version 7 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr7.exe", and are also typically installed in a different directory.

 How to upgrade earlier v8.0x firewalls to v8.20.00

Upgrading a previous v8.0x firewall to v8.20.00 is completely straightforward.
Simply upload the new core, "fwc-8.20.00-full.cfx", to your firewall and restart it.
(Alternatively, upload the "-novpn" version if you do not wish VPN functionality.)

 HA upgrade procedure

There are no incompatibilities in the HA synchronization protocol between 8.20.00 HA cores and earlier v8.0x HA cores. No special procedures are required.

Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

The "immediate availability" method

  • Upload the core to the currently active firewall ("firewall A") and restart it.
  • Issue a 'reconfigure' on firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
  • Upload the core to firewall B and restart it.
  • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
1) cause two failovers manually, or
2) connect to it via e.g. the remote console just to make sure it's running, or
3) if ALG synchronization is not a concern, follow this procedure:

The "long-term safe" procedure:

  • Upload the core to the currently inactive firewall ("firewall B") and restart it.
  • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
  • Upload the core to firewall A and restart it.
  • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
  • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

Again, note that the "availability" issues only affect ALGs. All other states are, as usual, fully synchronized and not affected in either procedure.

 Firewall Manager Changes

Warning state added for firewalls that use default management keys

    Issue:

When a firewall is reset to factory defaults, it will use a default set of keys that is the same for all Amaranten firewalls. Using these keys on a production firewall is less than a good idea.

    Change:

The Firewall Manager now has a warning state (yellow exclamation mark icon) for firewalls that use the default set of keys. To get rid of this warning and negotiate new management keys, use Action -> Communication -> Change Remote Management Keys.

 

Full-screen editing mode implemented

    Issue:

Some configuration sections have more columns than will readily fit on a normal-sized screen together with the leftmost toolbar and the tree view in the security editor.

    Change:

A full-screen mode, reachable by pressing F11 or selecting "Full Screen" from the "View" menu, will expand the Firewall Manager to maximum size and hide everything but the config section itself and the main menu bar. Hitting F11 again restores the view to its previous look.

 

Log export in binary (.fwl) format

    Change:

Log data may now be exported in binary (.fwl) format in addition to CSV format. The .fwl format is the same format that the Firewall Logger itself uses, which means that all available fields, including packet dumps, are exported.

These log files may later be displayed via raw LQL statements, e.g.:

    select binary from file x:\path\to\logfile.fwl

 Firewall Manager Bug Fixes