Amaranten Firewall Changes from v8.30.01 to v8.40.00

Release date: 2004-04-22 [ISO]

Version 8.40.00 is a new major version. It is available for all license holders with a software subscription covering 2004-04-01. The major new features are:

» HTTP Application Layer Gateway with active content/cookie stripping and pattern-based URL white/blacklisting.

» Schedules for controlling firewall policy, traffic shaping and routing.

» GRE - Generic Routing Encapsulation support.

Version 8.40.00 also contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

·  New files installed by v8.40.00

·  How to upgrade earlier v8.0x firewalls to v8.40.00

·  HA upgrade procedure

·  Firewall Manager
   [Changes] [Bug Fixes] [Known Bugs / Problems]

·  Firewall Core
   [Changes] [Bug Fixes] [Known Bugs / Problems]

·  Firewall Core - VPN specific
   [Changes] [Bug Fixes] [Known Bugs / Problems]

·  Firewall Core - HA specific
   [Changes] [Bug Fixes] [Known Bugs / Problems]

For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

Change logs / release notes for earlier versions of Amaranten Firewall are available in the release notes section of www.Amaranten.com/support.

Summary of changes and bug fixes

All changes and bug fixes affecting the standard firewall core also affect VPN and HA cores, unless explicitly stated otherwise.

Firewall Manager

  Change: Added configuration validator in plain-text editor
  Change: Log query wizard now supports queries on exported files
  Bug fix: Unprovoked name collisions in IPsec lifetimes fixed
  Bug fix: Log export column header and line feed fixes

Firewall Core

  Change: HTTP Application Layer Gateway implemented
  Change: Generic Routing Encapsulation support
  Change: Schedules implemented
  Change: Auto-selection of VPN interface addresses improved
  Change: Support for more transparent tracerouting
  Change: DNS server IP addresses may now be learned via DHCP/PPPoE
  Change: DHCP server now supports custom (user-specified) DHCP options
  Change: Support for time synchronization via SNTP
  Change: Time servers may now be given using DNS names
  Change: Option to remove own interface IPs from PBR tables
  Change: Support for local time zone time conversion
  Change: Changed DHCP client default: use 0.0.0.0 rather than 169.254.x.x
  Change: Connection byte counters now only include IP headers+data
  Change: Added statistics for DHCP server
  Change: Screen saver / status bar disabled (software firewalls only)
  Change: Changes to "httpposter" console command
  Bug fix: DHCP relayer fails to forward plain BOOTP

Firewall Core - VPN specific

  Change: Cipher key sizes for variable-length ciphers now configurable
  Change: NULL cipher support
  Change: VPN cores too large for floppies (software only)
  Change: MTU of VPN interfaces may now be configured

Firewall Core - HA specific

  Change: DHCP Relayer will now source queries from shared IP
  Change: Active cluster member will now source pings from shared IP
  Known bug: No state synchronization for ALGs

New files installed by v8.40.00

This is a list of the files that are new to the v8.40.00 release. All paths are relative to your Firewall Manager install folder.

» Cores/fwc-8.40.00-full.cfx
  This is the v8.40.00 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains VPN as well as HA functionality.

» Cores/fwc-8.40.00-novpn.cfx
  This is a version of the v8.40.00 core without VPN support. It is roughly half the size of the full version.

» Cores/fwcoreup8.exe
  This is the core used to remotely upgrade v7.0x and earlier firewalls. It will install an "8.00.02-full" core.

» Docs/Changes-8.30.01-to-8.40.00.html
  This document.

» FWMgr8.exe
  This is the v8.40.00 Firewall Manager. Earlier version 8 Firewall Managers will be overwritten. Version 7 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr7.exe", and are also typically installed in a different directory.

How to upgrade earlier v8.0x firewalls to v8.40.00

Upgrading a previous v8.0x firewall to v8.40.00 is completely straightforward: upload the new core, "fwc-8.40.00-full.cfx", to your firewall and restart it. (Alternatively, upload the "-novpn" version if you do not need VPN functionality.)

HA upgrade procedure

There are no incompatibilities in the HA synchronization protocol between 8.40.00 HA cores and earlier v8.0x HA cores. No special procedures are required.

Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

The "immediate availability" method

  • Upload the core to the currently active firewall ("firewall A") and restart it.
  • Issue a 'reconfigure' on firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
  • Upload the core to firewall B and restart it.
  • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
  1) cause two failovers manually, or
  2) connect to it via e.g. the remote console just to make sure it is running, or
  3) if ALG synchronization is not a concern, follow this procedure:

The "long-term safe" procedure:

  • Upload the core to the currently inactive firewall ("firewall B") and restart it.
  • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
  • Upload the core to firewall A and restart it.
  • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
  • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

Again, note that the "availability" issues only affect ALGs. All other states are, as usual, fully synchronized and not affected in either procedure.

Firewall Manager Changes

Added configuration validator in plain-text editor

  Issue: When making changes via the plain-text configuration editor, it is hard to tell if the changes are syntactically correct.

  Change: As of v8.40.00, there is a "Validate" command in the "File" menu, which validates the configuration currently being edited and reports back any errors and warnings.

Log query wizard now supports queries on exported files

  Issue: It has previously been possible to perform log queries on exported .fwl files via direct LQL queries.

  Change: As of v