Amaranten Firewall Changes from v8.50.00 to v8.50.01

Release date: 2005-02-22 [ISO]

Version 8.50.01 contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

·  Files installed by v8.50.01

·  How to upgrade earlier v8.0x firewalls to v8.50.01

·  HA upgrade procedure

·  Firewall Manager [Changes] [Bug Fixes] [Known Problems / Bugs]

·  Firewall Core [Changes] [Bug Fixes] [Known Problems / Bugs]

For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

Change logs / release notes for earlier versions of Amaranten Firewall are available in the release notes section of www.Amaranten.com/support.

Summary of changes and bug fixes

Firewall Manager

  • Change: Passwords, user names, PSKs etc may now contain backslashes and quotes
  • Bug fix: OSPF "Aggregate Network" field would only accept single hosts
  • Bug fix: L2TP/PPTP servers could not specify VLAN interfaces in Proxy ARP settings
  • Bug fix: Rules: Changing service from "All" to something else via [...] button would cause crash

Firewall Core

  • Bug fix: Configuring overly large IP address pool in L2TP/PPTP server would cause crash
  • Bug fix: Unable to log in via serial / physical console
  • Bug fix: User authentication timeouts not reset by traffic passing through FwdFast rules
  • Bug fix: PPPoE tunnels failing to establish might cause tunnel limit to be reached
  • Bug fix: DSA certificates would not work in IPsec
  • Known problem: IPsec: Compatibility issue with MS IPsec NAT Traversal
  • Bug fix: PPTP and L2TP tunnels not usable in HA setups
  • Bug fix: Loopback interfaces not usable in HA setups
  • Known problem: HA: No state synchronization for ALGs
  • Known problem: HA: Tunnels unreachable from inactive node
  • Known problem: HA: No state synchronization for L2TP and PPTP

Files installed by v8.50.01

This is a list of files that are new to the v8.50.01 release. All paths are relative to your Firewall Manager install folder.

» Cores/fwc-8.50.01-full.cfx
  This is the v8.50.01 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains all available functionality.

» Cores/fwc-8.50.01-mini.cfx
  This is a version of the v8.50.01 core with certain features removed. It is less than half the size of the full version. The features removed are:
  - IPsec VPN
  - The H.323 Application Layer Gateway
  - OSPF

» Docs/changes-8.50.00-to-8.50.01.html
  This document.

» FWMgr8.exe
  This is the v8.50.01 Firewall Manager. Earlier version 8 Firewall Managers will be backed up with the extensions ".old1" and ".old2".

How to upgrade earlier v8.0x firewalls to v8.50.01

Upgrading a previous v8.0x firewall to v8.50.01 is straightforward.
Simply upload the new core, "fwc-8.50.01-full.cfx", to your firewall and restart it.
(Alternatively, upload the "-mini" version if the removed functionality is not required.)

HA upgrade procedure

Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.50.01.

Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

The "immediate availability" method

  • Upload the core to the currently active firewall ("firewall A") and restart it.
  • Issue a 'reconfigure' on firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
  • Upload the core to firewall B and restart it.
  • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
1) cause two failovers manually, or
2) connect to it via e.g. the remote console just to make sure it's running, or
3) if ALG and tunnel synchronization is not a concern, follow this procedure:

The "long-term safe" procedure:

  • Upload the core to the currently inactive firewall ("firewall B") and restart it.
  • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
  • Upload the core to firewall A and restart it.
  • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
  • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Known Problems section. All other states are, as usual, fully synchronized and not affected in either procedure.

Firewall Manager Changes

Passwords, user names, PSKs etc may now contain backslashes and quotes

  Change:

As of v8.50.00, passwords, user names and PSKs may contain backslashes and quotes. This was previously not allowed.

This is particularly useful when the firewall needs to interact with Microsoft Active Directory without a configured "default domain", in which case one often needs to use the "DOMAIN\username" syntax in user names.
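The reason such characters are awkward is that most configuration formats quote their string values, so a backslash or a quote inside a credential has to be escaped on write and decoded on read; a reader that merely strips the outer quotes will hand the authentication back-end a mangled user name or password. The following Python is an added example, not code from the release notes or from the Firewall Manager, and its Key="value" line syntax with backslash escapes and its sample credential line are constructed assumptions: it shows a writer/reader pair that round-trips "DOMAIN\username" style names and passwords containing quotes, and a naive reader that does not.

```python
"""Round-trip quoting for credential strings that contain backslashes and quotes.

Assumed (hypothetical) config syntax, not the Firewall Manager's real file
format: values are double-quoted, and a backslash or double quote inside a
value is escaped with a leading backslash.
"""
import re

_ESCAPES = {"\\": "\\\\", '"': '\\"'}


def quote_value(value: str) -> str:
    """Serialize a value so that backslashes and quotes survive a write/read cycle."""
    return '"' + "".join(_ESCAPES.get(ch, ch) for ch in value) + '"'


def unquote_value(text: str) -> str:
    """Inverse of quote_value. Rejects malformed input instead of guessing."""
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value must be enclosed in double quotes")
    body = text[1:-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            # An escape must be followed by exactly one escapable character;
            # a trailing lone backslash or an unknown escape is an error.
            if i + 1 >= len(body) or body[i + 1] not in '\\"':
                raise ValueError(f"bad escape sequence at offset {i}")
            out.append(body[i + 1])
            i += 2
        elif ch == '"':
            raise ValueError(f"unescaped quote at offset {i}")
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# One Key="value" pair; the value grammar mirrors unquote_value's escape rules.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*")')


def parse_line(line: str) -> dict:
    """Parse a line of Key="value" pairs into a dict of decoded values."""
    return {key: unquote_value(raw) for key, raw in _PAIR.findall(line)}


def naive_unquote(text: str) -> str:
    """A reader that only strips the outer quotes. The escaping backslash is
    returned as part of the value, so a domain-qualified user name comes back
    with a doubled backslash and fails to match the directory account."""
    return text.strip('"')


def roundtrip(value: str) -> bool:
    """True if a value survives quote_value followed by unquote_value."""
    return unquote_value(quote_value(value)) == value


# Constructed sample line, exactly as it would appear on disk:
#   Username="CORP\\jdoe" Password="p\"ss\\w0rd"
SAMPLE_LINE = r'Username="CORP\\jdoe" Password="p\"ss\\w0rd"'

if __name__ == "__main__":
    creds = parse_line(SAMPLE_LINE)
    print("Username:", creds["Username"])   # prints CORP\jdoe
    print("Password:", creds["Password"])   # prints p"ss\w0rd
    print("naive reader:", naive_unquote(r'"CORP\\jdoe"'))  # prints CORP\\jdoe
```

The strict reader deliberately raises on a lone trailing backslash or an unescaped quote rather than silently truncating; a configuration tool that accepts these characters in credentials should fail loudly on a malformed value, since a silently shortened PSK or password is a hard fault to diagnose at the peer.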



Firewall Manager Bug Fixes

OSPF "Aggregate Network" field would only accept single hosts

  Problem:

The "Aggregate Network" field in the OSPF configuration is used to combine several small routes that fall within the given aggregate into a single announcement for that aggregate. This parameter could only be given as a single host.

  Affects:

Firewall Manager v8.50.00

    Fix:

Fixed in v8.50.01
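To make concrete what the field has to accept, the following Python is an added example (not from the release notes or the firewall's implementation): it parses an aggregate given as a prefix, as an address plus netmask, or as a bare host address, and shows which routes collapse into it. The summarization rule used here, suppress the routes that lie inside the aggregate and announce the aggregate only while at least one such route exists, is the usual OSPF area-range behaviour and is an assumption of this example; the route list is constructed. A single-host aggregate (/32) can never contain another prefix, so with the old field behaviour nothing could ever be summarized.

```python
"""Route aggregation check for an OSPF "Aggregate Network" style setting.

Added example. The rule (announce the aggregate only while a contributing
route exists, suppress the contributing routes) is the common area-range
summarization behaviour and is assumed here, not taken from the firewall.
"""
import ipaddress


def parse_network(text: str):
    """Accept '10.1.0.0/16', '10.1.0.0 255.255.0.0' or a bare address (a /32 host).

    strict=True rejects prefixes with host bits set, e.g. '10.1.2.3/16'; an
    aggregate field should refuse such input rather than silently round it.
    """
    parts = text.split()
    if len(parts) == 2:                      # address followed by dotted netmask
        text = f"{parts[0]}/{parts[1]}"
    elif len(parts) != 1:
        raise ValueError(f"cannot parse network: {text!r}")
    return ipaddress.ip_network(text, strict=True)


def aggregate_routes(routes, aggregate):
    """Return (announced, suppressed) for the given route strings and aggregate.

    A route is suppressed when it lies inside the aggregate and is not the
    aggregate itself. The aggregate is announced only if it suppressed at
    least one route, so an empty summary is never advertised.
    """
    agg = parse_network(aggregate)
    nets = [parse_network(r) for r in routes]
    suppressed = [n for n in nets
                  if n.version == agg.version and n != agg and n.subnet_of(agg)]
    announced = [n for n in nets if n not in suppressed]
    if suppressed and agg not in announced:
        announced.append(agg)
    announced.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return announced, suppressed


def as_strings(nets):
    """Render networks as 'addr/prefixlen' strings for display and comparison."""
    return [str(n) for n in nets]


# Constructed sample: routes a firewall might redistribute into OSPF.
SAMPLE_ROUTES = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/25",
                 "10.2.0.0/24", "192.168.5.7/32"]

if __name__ == "__main__":
    ann, sup = aggregate_routes(SAMPLE_ROUTES, "10.1.0.0/16")
    print("announced: ", as_strings(ann))
    print("suppressed:", as_strings(sup))
    # A single-host aggregate, all the old field would accept, summarizes nothing:
    ann, sup = aggregate_routes(SAMPLE_ROUTES, "10.1.0.0")
    print("host aggregate suppresses:", as_strings(sup))
```

When checking a summarization setting after the upgrade, compare the announced list against what neighbouring routers actually receive: a route that is both suppressed and still visible downstream usually means the aggregate was entered with host bits set or as a bare host address.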

 

L2TP/PPTP servers could not specify VLAN interfaces in Proxy ARP settings