Amaranten Firewall Changes from v8.50.02 to v8.60.02

8.60.00 release date: 2005-09-14 [ISO]

Users upgrading from v7.0x or earlier should read changes-7.0x.xx-to-8.00.02.html first.

Version 8.60.02 contains a number of new features which are highlighted here:

» Transparent Mode support enables automatic creation of routes for hosts moving between different interfaces within the same group of transparent interfaces.

» Server Load Balancing (SLB) support enables distribution of traffic load across multiple servers to scale beyond the capacity of one single server, and to tolerate a server failure.

» Radius Accounting support enables accounting capabilities for authenticated users.

» RADIUS Interim Accounting support enables interim accounting updates for logged in users.

» GRE Session Keys support makes it possible to identify tunnels by ID.

Contents of this document

Version 8.60.02 contains fixes to problems in the Firewall Core and the Firewall Manager. This document outlines problems solved as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

·  Files installed by v8.60.02

·  How to upgrade earlier v8.0x firewalls to v8.60.02

·  How to upgrade v6.0x/v7.0x firewalls to v8.0x

·  HA upgrade procedure

 

For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

Change logs / release notes for earlier versions of Amaranten Firewall are available in the release notes section of www.amaranten.com/support.

 

 

 Summary of changes and problems solved


Firewall Manager

  Change: Simplified IPsec configuration
  Change: Dialog for adding switchroutes has been changed
  Change: Two new default proposal lists added
  Problem solved: Netobject groups cannot be included when creating a new netobject group
  Problem solved: CRL setting for CA certificates overwritten by manager
  Problem solved: Real-time Logger and Remote Console may crash in Firewall Manager
  Problem solved: The Firewall Manager crashes if a user clicks in the authentication column for an IPsec tunnel
  Problem solved: Firewall Manager cannot remove integrity algorithms from proposal lists
  Problem solved: It is not possible to add routes to the "core" interface
  Problem solved: IPSec/IKE proposals are written to the configuration file in the wrong order
  Problem solved: Problems with switchroutes in PBR tables
  Problem solved: Erroneous warning displayed
  Problem solved: IPsec Config Mode pools in the global namespace do not work
  Problem solved: Not possible to configure null encryption in IPsec proposals

Firewall Core

  Change: Transparent Mode implemented
  Change: Server Load Balancing implemented
  Change: Radius Accounting support implemented
  Change: Support for server-side IKE Configuration Mode
  Change: Misc. IPsec changes
  Change: Conn command modified
  Change: ARP timeout setting limit decreased
  Change: New synrelayer available
  Change: New "routemon" console command
  Change: HTTP ALG now allows compressed data
  Change: Packets with disallowed source Ethernet addresses are now dropped when using Transparent Mode
  Change: New advanced settings for forwarded ARP traffic when Transparent Mode is used
  Change: RADIUS Interim Accounting supported
  Change: GRE session keys supported
  Change: IPSec NAT-traversal behaviour changed
  Problem solved: HTTP ALG might cause the Firewall to crash in some situations
  Problem solved: Interfaces are taken down during reconfiguration
  Problem solved: IPsec: Compatibility issue with MS IPsec NAT Traversal
  Problem solved: HA: Shared MAC addresses are not unique on all interfaces
  Problem solved: Multiple entries may be added in the layer 3 cache for a host if Transparent Mode is configured
  Problem solved: L2TP client/server does not send a unique hostname during negotiations
  Problem solved: SLB monitoring problems
  Problem solved: Promiscuous mode is enabled by default on all interfaces
  Problem solved: Calling the shutdown console command does not always restart the core
  Problem solved: Transparent Mode feature can cause memory leakage
  Problem solved: ARP handling in Transparent Mode incompatible with Microsoft Network Load Balancing
  Problem solved: Filtered "conn" console command displays wrong number of not shown connections
  Problem solved: The "ping" command will ignore the interface PBR setting when the "-r " parameter is used
  Problem solved: Problems administrating a Firewall over netcon on a virtual router interface
  Problem solved: Problems terminating an L2TP session inside a virtual router
  Problem solved: L2TP server may stop listening for incoming connection attempts
  Problem solved: The L2TP engine may use 0 as session ID, which is not allowed according to RFC 1661
  Problem solved: IPsec engine runs out of internal states
  Problem solved: IPSec Config Mode IP pool problem
  Problem solved: Problems with reconfiguration when using a license allowing only a few IPSec tunnels
  Problem solved: Certificate setting to not validate with CRL is lost after reconfiguration
  Problem solved: MTU problems over IPSec interfaces
  Problem solved: Problems sending LDAP traffic over IPSec tunnels
  Problem solved: IPSec keepalive does not work
  Problem solved: IPSec tunnels using ID-lists may fail to be re-authenticated after being taken down
  Problem solved: Firewall does not complain if private key file is not understood
  Problem solved: IPSec re-keying fails
  Problem solved: IPSec re-configuration problems

 

 Files installed by v8.60.02

This is a list of files that are new to the v8.60.02 release. All paths are relative to your Firewall Manager install folder.

» Cores/fwc-8.60.02-full.cfx
This is the v8.60.02 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains all available functionality.

» Cores/fwc-8.60.02-mini.cfx
This is a version of the v8.60.02 core with certain features removed. It is less than half the size of the full version. The features removed are:
- IPsec VPN
- The H.323 Application Layer Gateway
- OSPF

» Docs/changes-8.50.02-to-8.60.02.html
This document.

» FWMgr8.exe
This is the v8.60.02 Firewall Manager. Earlier version 8 Firewall Managers will be backed up with the extensions ".old1" and ".old2".

 

 How to upgrade earlier v8.0x firewalls to v8.60.02

Upgrading a previous v8.0x firewall to v8.60.02 is completely straightforward.
Simply upload the new core, "fwc-8.60.02-full.cfx", to your firewall and restart it.
(Alternatively, upload the "-mini" version if the removed functionality is not required.)

 

 HA upgrade procedure

Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.60.02.

Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

The "immediate availability" method

  • Upload the core to the currently active firewall ("firewall A") and restart it.
  • Issue a 'reconfigure' on firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
  • Upload the core to firewall B and restart it.
  • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
1) cause two failovers manually, or
2) connect to it via e.g. the remote console just to make sure it's running, or
3) if ALG and tunnel synchronization is not a concern, follow this procedure:

The "long-term safe" procedure:

  • Upload the core to the currently inactive firewall ("firewall B") and restart it.
  • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
  • Upload the core to firewall A and restart it.
  • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
  • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

 

 

 

 Firewall Manager Changes

Simplified IPsec configuration

    Change:

As of v8.60.02, all properties for a proposal list are defined in one place, and the Firewall Manager will autogenerate the configuration from all possible proposal combinations.

 

Dialog for adding switchroutes has been changed

    Change:

As of v8.60.02, the dialog for adding switchroutes has been modified. The possibility to add a default gateway for a switchroute has been removed and it is no longer possible to configure monitoring on a switchroute.

    Reason:

The reason for these changes is that a default gateway on a switchroute cannot be used, and monitoring on switchroutes does not work.

 

Two new default proposal lists added

    Change:

As of v8.60.02, two new proposal lists, ike-default and esp-default, have been added to the list of default proposal lists. To get these new proposal lists, a new installation of the Firewall Manager is needed.

    Reason:

These proposal lists are better tuned to the refined IPSec engine than the old default proposal lists.

 

 Firewall Manager Problems Solved

Netobject groups cannot be included when creating a new netobject group

    Problem:

When creating a new netobject group it is not possible to select other groups and add them to the new netobject group.

    Affects:

Firewall Manager v8.00.00 and up.

    Fix:

Fixed in v8.60.02

 

Real-time Logger and Remote Console may crash in Firewall Manager.

    Issue:

The Firewall Manager may crash when text output from the Real-time Logger or Remote Console is copied to the clipboard and the window contains lots of data.

    Results:

The firewall manager may crash.

    Affects:

Firewall Manager v8.00.00 and up

    Solution:

Solved in v8.60.02

 

It is not possible to add routes to the "core" interface

    Issue:

It is not possible to add a route to the "core" interface via the Security Editor.

    Results:

Cannot add or choose the "core" interface for a route.

    Affects:

Firewall Manager v8.00.00 and up

    Solution:

Solved in v8.60.02

    Note:

A user can add a single-host route via the "core" interface to enable the firewall to respond to an extra ARP-published IP.

 

 Firewall Core Changes

Transparent Mode implemented

    Issue:

The Transparent Mode feature simplifies deploying a firewall appliance into an existing network topology to strengthen security: the nodes already in the network need not be reconfigured when the firewall is inserted into the communication path. Transparent Mode also allows hosts to move between different interfaces within the same group of transparent interfaces.

    Change:

As of v8.60.02, there is a new route type called SwitchRoute that is used to define a group of transparent interfaces acting as one transparent "switch".

 

Server Load Balancing implemented

    Issue:

Server Load Balancing (SLB) is a mechanism dealing with distribution of traffic load across multiple servers to scale beyond the capacity of one single server, and to tolerate a server failure.

    Change:

As of v8.60.02, there is a new SLB_SAT rule type capable of distributing traffic load across multiple servers.

    Note:

Apart from the SLB-specific settings, the new SLB_SAT rule is handled like a normal SAT rule. This means that a secondary Allow or NAT rule is needed.

 

Radius Accounting support implemented

    Issue:

Radius Accounting can be used to keep track of usage statistics for logged in users, such as session time, number of packets sent and received during the session and the total amount of data sent and received.

    Change:

As of v8.60.02, there is a new Radius Accounting configuration option for user authentication rules.

    Note:

The Radius Accounting feature can be used together with either the local user authentication database or another RADIUS server for authentication. Accounting is separate from authentication, so the authentication source/server and the accounting server do not have to be the same.

 

Support for server-side IKE Configuration Mode

    Issue:

Support for server-side IKE Configuration Mode (cfg-mode) has been added to allow assigning e.g. IP address and DNS information to VPN (IPsec) clients.

    Change:

As of v8.60.02, IPsec tunnels can be configured to support server-side Configuration Mode.

 

RADIUS Interim Accounting supported

    Issue:

RADIUS interim update messages can now be sent to the accounting server at an interval specified in the configuration of the Firewall or the RADIUS Accounting server. This allows the RADIUS Accounting server to be continuously updated with user statistics.

    Change:

As of v8.60.02, RADIUS Interim Accounting is supported by the Firewall.

 

GRE session keys supported

    Issue:

A GRE session key can now be configured on GRE tunnels to specify an ID for the tunnel.

    Change:

As of v8.60.02, GRE tunnels support session keys.

 

Misc. IPsec changes

    Issue:

IKE Dead Peer Detection (DPD) can now be controlled through the firewall configuration. Support for automatically establishing IPsec tunnels at system startup has been added.

    Change:

As of v8.60.02, the IKE Dead Peer Detection can be controlled per tunnel through the firewall configuration. Support has been added for configuration of automatic establishment of IPsec tunnels at system startup.

 

Conn command modified

    Issue:

The conn command can now be used to close connections.

    Change:

As of v8.60.02, the conn command has been extended with a "-close" switch.

 

ARP timeout setting limit decreased

    Issue:

The ARP timeout setting was limited to a minimum value of 10 seconds.

    Change:

As of v8.60.02, the ARP timeout setting can now be configured as low as one second.

    Note:

Setting the ARP timeout interval lower than 10 seconds is not recommended; however, in some scenarios a lower timeout setting may be needed.

 

New synrelayer available

    Issue:

A new and improved synrelayer is available.

    Change:

As of v8.60.02, a new synrelayer is available that handles TCP MSS options.

    Note:

To enable the new synrelayer instead of the old one, enable the "TCPNewSynProtect" advanced setting.

 

New "routemon" console command

    Issue:

A new "routemon" console command is available.

    Change:

As of v8.60.02, a new "routemon" console command is available that can be used to list information about all monitored routes.

 

HTTP ALG now allows compressed data

    Issue:

The HTTP ALG always asked the web server not to send compressed data as this does not work with content stripping.

    Change:

As of v8.60.02, the HTTP ALG will allow the server to send compressed data as long as the HTTP ALG isn't configured to do content stripping.

    Note:

This means that compressed data is allowed as long as the HTTP ALG isn't configured to perform stripping of ActiveX objects, Java Applets and Javascripts/VBScripts.
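The Accept-Encoding decision described above, as an added Python model that is not Amaranten code: it contrasts the pre-8.60.02 rule (always force an uncompressed reply) with the v8.60.02 rule (force it only when stripping is enabled) and adds a check on the reply for the case where the server compresses anyway. The policy key names, the header parser and the sample messages are assumptions.

```python
from __future__ import annotations

# Assumed policy knobs (not Amaranten setting names) mirroring the stripping
# options named in the note: ActiveX, Java applets, scripts.
STRIP_KEYS = ("strip_activex", "strip_java_applets", "strip_scripts")


def parse_head(raw: str) -> list[tuple[str, str]]:
    """Parse an HTTP message head (request or response) into header pairs."""
    headers: list[tuple[str, str]] = []
    for line in raw.split("\r\n")[1:]:       # skip the start line
        if not line:                         # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def stripping_enabled(policy: dict[str, bool]) -> bool:
    """True if any content-stripping feature is enabled for this ALG."""
    return any(policy.get(k, False) for k in STRIP_KEYS)


def rewrite_request(headers, policy, legacy: bool = False):
    """Headers the ALG forwards to the server.

    legacy=True is the pre-8.60.02 rule (always force an uncompressed reply);
    legacy=False is the v8.60.02 rule (force it only when stripping is on).
    """
    if not (legacy or stripping_enabled(policy)):
        return list(headers)                 # compression may pass through
    kept = [(n, v) for n, v in headers if n.lower() != "accept-encoding"]
    kept.append(("Accept-Encoding", "identity"))
    return kept


def response_inspectable(resp_headers, policy) -> bool:
    """A server may ignore Accept-Encoding; if stripping is on and the body
    is still encoded, the ALG cannot strip it and must not pass it as-is."""
    if not stripping_enabled(policy):
        return True
    return not any(n.lower() == "content-encoding" and v.lower() != "identity"
                   for n, v in resp_headers)


# Constructed sample heads for a stand-alone run.
SAMPLE_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
                  "Accept-Encoding: gzip, deflate\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "Content-Encoding: gzip\r\n\r\n")

if __name__ == "__main__":
    print(rewrite_request(parse_head(SAMPLE_REQUEST), {"strip_scripts": True}))
    print(response_inspectable(parse_head(SAMPLE_RESPONSE), {"strip_scripts": True}))
```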



 

 Firewall Core Problems Solved

HTTP ALG might cause the Firewall to crash in some situations

    Problem:

In some scenarios when the HTTP ALG handles a lot of traffic with chunked encoded data, it might cause the Firewall to crash.

    Results:

The Firewall will crash and will then automatically reboot.

    Affects:

Amaranten Firewall v8.40.00 and up

    Solution:

Solved in v8.60.02.

 

IPsec: Compatibility issue with MS IPsec NAT Traversal

    Problem:

Microsoft's IPsec NAT traversal was incompatible with the NAT traversal implementation in Amaranten Firewall.

    Results:

Microsoft's IPsec client would fail to establish an IPsec tunnel to an Amaranten Firewall if there was a NATing gateway in between.

    Affects:

Amaranten Firewall v8.00.00 and up

    Solution:

Solved in v8.60.02.

 

HA: Shared MAC addresses are not unique on all interfaces

    Problem:

All interfaces in a HA cluster use the same shared MAC address.

    Results:

When running an HA cluster with more than one interface connected to the same VLAN-segmented switch, the switch may become confused and refuse to accept the Ethernet address on more than one segment.

    Affects:

Amaranten Firewall v8.00.00 and up

    Solution:

Solved in v8.60.02.

    Note:

This behaviour will have to be enabled by the "HAUseUniqueSharedMacPerIface" advanced setting.

 

Interfaces are taken down during reconfiguration

    Problem:

Interfaces are taken down during reconfiguration.

    Results:

During reconfiguration the interfaces will restart link negotiation. This can confuse some switches running the Spanning-Tree algorithm.

    Affects:

Amaranten Firewall v8.00.00 and up

    Solution:

Solved in v8.60.02.

    Note:

If an interface needs to be taken down and reinitialized, the command "ifstat -restart " can be used.



L2TP server may stop listening for incoming connection attempts

    Problem:

If the load on the Firewall is high and the concurrent connection limit has been reached, the Firewall may stop listening for incoming L2TP connection attempts.

    Results:

Once the limit has been reached, the Firewall will start to flush old connections. The listening connection for the L2TP server may be among those flushed, which means that the L2TP server may stop listening for incoming connection attempts.

    Affects:

Amaranten Firewall v8.50.00 and up

    Solution:

Solved in v8.60.02.

 

The L2TP engine may use 0 as session ID, which is not allowed according to RFC 1661

    Problem:

The L2TP engine may use a session ID value of 0, which is not allowed according to RFC 1661.

    Results:

Some clients/servers react to this RFC violation and refuse to set up a new session.

    Affects:

Amaranten Firewall v8.50.00 and up

    Solution:

Solved in v8.60.02.

 

Problems terminating an L2TP session inside a virtual router

    Problem:

If a Firewall is configured to accept incoming L2TP connections on an interface inside a virtual router, connections from clients will fail.

    Results:

It is not possible for clients to connect to an L2TP server that is configured to listen on an interface inside a virtual router.

    Affects:

Amaranten Firewall v8.50.00 and up

    Solution:

Solved in v8.60.02.

 

Problems administrating a Firewall over netcon on a virtual router interface

    Problem:

If a Firewall is administrated via the manager and the management interface of the Firewall is inside a virtual router, connection problems may occur.

    Results:

It is not possible to use for instance a remote console on a Firewall if the management interface is inside a virtual router.

    Affects:

Amaranten Firewall v8.50.00 and up

    Solution:

Solved in v8.60.02.

 

The "ping" command will ignore the interface PBR setting when the "-r " parameter is used

    Problem:

The "ping" console command will ignore the PBR setting for an interface when the "-r " parameter is supplied to the console command.

    Results:

The "ping" command will not use the correct routing table.

    Affects:

Amaranten Firewall v8.50.00 and up

    Solution:

Solved in v8.60.02.

 

Filtered "conn" console command displays wrong number of not shown connections

    Problem:

When using a filtered "conn" console command, the printout of the number of not shown connections is wrong.

    Results:

The number of not shown connections is not the number of not shown filtered connections, but the total number of connections not shown.

    Affects:

Amaranten Firewall v8.50.00 and up

    Solution:

Solved in v8.60.02.

 

L2TP client/server does not send a unique hostname during negotiations

    Problem:

L2TP client/server sent an empty hostname during negotiation with the other peer.

    Results:

L2TP clients/servers that rely on the other peer to send a unique hostname may have problems negotiating with Amaranten Firewalls.

    Affects:

Amaranten Firewall v8.50.00 and up

    Solution:

Solved in v8.60.02.

    Note:

The hostname can be configured using the advanced setting SNMPSysName.