Clavister Firewall Changes from v6.01 to v7.00

Release date: 2001-10-02 [ISO]

The major new features of Clavister Firewall v7.00 are:

  • IEEE 802.1q Virtual LANs
  • Gigabit Ethernet adapter drivers
  • Statistics polling via SNMP

    In addition to this, a number of improvements have been implemented, although there are no major changes to existing functionality.

    This document outlines bug fixes as well as improvements for each component.
    It also contains information about features and/or changes that did not make it into the user's guide before it was printed.

  • New files installed by v7.00
  • How to upgrade a v6.xx firewall to v7.00
  • Firewall Manager: Changes, Bug Fixes, Known Bugs / Problems
  • Firewall Core: Changes, Bug Fixes, Known Bugs / Problems

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.  


     New files installed by v7.00

    This is a list of the files that are new to the v7.00 release. All paths are relative to your Firewall Manager install folder.

    • Cores/fwc_700.exe
      This is the v7.00 standard firewall core. Upload it to your existing (standard) firewall, or create new boot media with it.
      Note: VPN firewalls should, as always, use the VPN core file, below.

    • Cores/fwc_700v.exe
      This is the v7.00 VPN firewall core. Upload it to your existing (VPN) firewall, or create new boot media with it.
      Note: This file is not installed by the standard installation package, as only licensed users have access to it. Rather, it is available as a separate installation package (typically a Clavister Upgrader package).

    • Docs/Changes-6.01-to-7.00.htm
      This document.

    • FWMgr7.exe
      This is the v7.00 Firewall Manager. Version 6 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr6.exe".
     


     How to upgrade a v6.xx firewall to v7.00           

    Upgrading a v6.xx firewall to v7.00 is completely straightforward; a version 7 core parses all configuration items that a version 6 core uses.
    Simply upload the new core, "fwc_700.exe", to your firewall and restart it.

    Note: VPN firewalls should use the VPN core, "fwc_700v.exe". Uploading a standard core to a VPN firewall will, as always, disable VPN functionality and very likely render the firewall unable to operate, as it will not understand its configuration file.  


     Firewall Manager Changes           

    • Separator (comment) rows in configuration
      Comment rows may now be inserted in any configuration tab. They provide full-length space for comments, regardless of column sizes, and make for a great way of separating logical sections of complex configurations.

    • Version tracking improved
      When saving configurations, the user name and time are tracked in the version history. A comment field is also available, which gets saved along with the above information.
      As in 6.x versions, you can retrieve previous configuration versions by opening the configuration and using the "Open Specific Version" command in the "File" menu.

    • Tooltips for symbolic host/net names
      Tooltips containing numerical IP addresses/ranges are now displayed for symbolic host/net names used throughout the configuration.

    • Console and Real-time log views enhanced
      Line wrapping is now adapted to the width of the window, rather than always wrapping at column 80. For both views, the font may be changed, and it is now possible to select and copy arbitrary sections of the output. (Previously, only the entire window could be copied).

    • Saving Real-time log viewer output to a text file
      The Real-time log viewer output can now be saved to a text file through the "Save to File" command in the "File" menu. Output will continue to be saved until the window is closed. If the file already exists, it will be appended to rather than overwritten.
      Note that we do not recommend using the Real time logger output as a permanent means of logging firewall events. Rather, send your log data to a Clavister Firewall Logger, or a syslog receiver.

    • Sliding averages in statistics view
      A "Sliding average" column has been added to the legend section of the statistics view. It will display a sliding window average of the associated statistics value, over a configurable number of seconds.
      The sliding average window size may be adjusted through the "Sliding average" command in the "View" menu.
      The sliding average value is not plotted in the graph.

    • Netcon keys (security.bin) may be read from anywhere
      Previously, netcon keys could only be imported from a diskette in drive A:. Now, they may be imported from anywhere by simply selecting another location in the "Load Encryption Keys" dialog.

    • Log query wizard 'include' statements have changed
      Previously, all 'include' statements had to be matched for a log entry to be displayed. This was not what was originally intended. Now, matching any 'include' statement is sufficient. As before, 'exclude' statements take effect after all include statements have been processed, and may be used to limit the amount of output.
      In essence, the wizard now generates the query "(name1=value1 OR name2=value2)" where it previously generated "name1=value1 AND name2=value2".
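The following is an added example (not Clavister code, and not part of the original release note) that models the wizard's include/exclude semantics before and after FWMgr 7.00 against a few constructed log entries, and renders the query text each version would have generated. The sample entries, field names and rule names are made up for illustration; the assumption that a query with no include statements selects every entry is the author's, not documented behaviour.

```python
# Added example (not Clavister code): the Log query wizard's 'include' and
# 'exclude' semantics before (AND) and after (OR) FWMgr 7.00.
from typing import Dict, List, Tuple

Statement = Tuple[str, str]   # (field name, required value)
LogEntry = Dict[str, str]

# Constructed sample entries in key=value form; not captured from a real firewall.
SAMPLE_LOG: List[LogEntry] = [
    {"event": "conn_open", "rule": "allow_web", "srcip": "10.0.0.5", "proto": "TCP"},
    {"event": "conn_open", "rule": "allow_dns", "srcip": "10.0.0.6", "proto": "UDP"},
    {"event": "drop", "rule": "default_drop", "srcip": "10.0.0.5", "proto": "TCP"},
    {"event": "drop", "rule": "default_drop", "srcip": "192.0.2.9", "proto": "ICMP"},
    {"event": "unexpected_tcp_flags", "rule": "allow_web", "srcip": "10.0.0.7", "proto": "TCP"},
]

# Constructed wizard input: two include statements and one exclude statement.
EXAMPLE_INCLUDES: List[Statement] = [("rule", "allow_web"), ("proto", "UDP")]
EXAMPLE_EXCLUDES: List[Statement] = [("event", "unexpected_tcp_flags")]


def _matches(entry: LogEntry, stmt: Statement) -> bool:
    name, value = stmt
    return entry.get(name) == value


def query_v6(entries: List[LogEntry], includes: List[Statement],
             excludes: List[Statement]) -> List[LogEntry]:
    """Pre-7.00 wizard: every include must match (AND); excludes are applied afterwards."""
    selected = [e for e in entries if all(_matches(e, s) for s in includes)]
    return [e for e in selected if not any(_matches(e, s) for s in excludes)]


def query_v7(entries: List[LogEntry], includes: List[Statement],
             excludes: List[Statement]) -> List[LogEntry]:
    """7.00 wizard: matching any include suffices (OR); excludes still run afterwards.
    Assumption (not documented): with no include statements, every entry is a candidate."""
    selected = [e for e in entries if not includes or any(_matches(e, s) for s in includes)]
    return [e for e in selected if not any(_matches(e, s) for s in excludes)]


def render_query(includes: List[Statement], version: int) -> str:
    """Render the include part of the query as the release note describes it:
    'name1=value1 AND name2=value2' before 7.00, '(name1=value1 OR name2=value2)' from 7.00."""
    joiner = " OR " if version >= 7 else " AND "
    text = joiner.join(f"{name}={value}" for name, value in includes)
    if version >= 7 and len(includes) > 1:
        text = f"({text})"
    return text


if __name__ == "__main__":
    for version, fn in ((6, query_v6), (7, query_v7)):
        hits = fn(SAMPLE_LOG, EXAMPLE_INCLUDES, EXAMPLE_EXCLUDES)
        print(f"v{version}: {render_query(EXAMPLE_INCLUDES, version)} -> {len(hits)} entries")
```

With the constructed input, the v6 semantics return nothing (no entry is both rule=allow_web and proto=UDP), while the v7 semantics return the two entries matching either statement, minus the unexpected_tcp_flags event removed by the exclude.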

    • Proxy ARP dialog changed
      What was previously a multi-selection list has now become a list with checkboxes, which is more easily navigated without a mouse. Also, a new "Always select ALL interfaces" checkbox has been added. This has two uses:
      - The number of interfaces that may be selected via the list is limited to 64. If you wish to publish your route on more interfaces than that, the "Always select ALL interfaces" checkbox is the alternative.
      - The "Always select ALL interfaces" checkbox will also automatically include interfaces added to your configuration at a later point in time, which may be desirable in some circumstances.

    • Pipe limits are now "base 1000" rather than "base 1024"
      Pipe limits were previously configured using "base 1024" exponents, that is, 1 kbps equaled 1024 bits per second. Network bandwidth is not calculated this way. The limits are now calculated as "1 kbps equals 1000 bps", which is the correct way. This means that previous configurations will have their limits slightly lowered; most likely to what they should have been in the first place.

    • Statistics are now "base 1000" rather than "base 1024"
      Statistics, counters as well as bandwidth figures, were previously using "base 1024" exponents. That is, 1 kbps equaled 1024 bps and 1 mbps equaled 1048576 bps. Network bandwidth is not calculated this way. All statistics values now use "base 1000" exponents. This means that your statistics will display as slightly higher than they did before.
     


     Firewall Manager Bug Fixes           

    • Log viewer "last full hours/days" statements were displaying too much
      Issue: The log viewer time statements "last full hours" and "last full days" should only display full hours and days. I.e. a log search initiated on January 3rd for "last full days 2" should only return events from January 1st, 00:00:00, to January 2nd, 23:59:59.
      Problem: The "last full hours/days" statements erroneously displayed messages from the starting point up to the current time, rather than stopping at the previous hour/day limit.
      Fix: This has been resolved in FWMgr 7.00.00. There was no problem with the logged data, only with the viewer. Searches on old logs will now also yield correct results.
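As an added example (not Clavister code, not part of the original release note), the function below computes the window a "last full hours N" / "last full days N" query should cover, next to a second function reproducing the pre-7.00 behaviour in which the window ran on up to the current time. The timestamps and entries are constructed for illustration; the January 3rd query date is the one used in the note above.

```python
# Added example (not Clavister code): the "last full hours/days" window,
# correct (7.00) versus the pre-7.00 behaviour that did not stop at the boundary.
from datetime import datetime, timedelta
from typing import List, Tuple

Window = Tuple[datetime, datetime]


def last_full_window(now: datetime, unit: str, count: int) -> Window:
    """Correct window: `count` whole hours or days ending at the last boundary
    before `now`; the end is inclusive, i.e. one second before that boundary."""
    if count < 1:
        raise ValueError("count must be at least 1")
    if unit == "days":
        boundary = now.replace(hour=0, minute=0, second=0, microsecond=0)
        span = timedelta(days=count)
    elif unit == "hours":
        boundary = now.replace(minute=0, second=0, microsecond=0)
        span = timedelta(hours=count)
    else:
        raise ValueError(f"unknown unit {unit!r}")
    return boundary - span, boundary - timedelta(seconds=1)


def last_full_window_buggy(now: datetime, unit: str, count: int) -> Window:
    """Pre-7.00 behaviour as described in the release note: the start is right,
    but the end runs up to the current time instead of the previous boundary."""
    start, _ = last_full_window(now, unit, count)
    return start, now


def select(entries: List[Tuple[datetime, str]], window: Window) -> List[Tuple[datetime, str]]:
    start, end = window
    return [e for e in entries if start <= e[0] <= end]


# Constructed data (not a real log): a query run on 2001-01-03 at 14:30.
NOW = datetime(2001, 1, 3, 14, 30, 0)
SAMPLE_ENTRIES: List[Tuple[datetime, str]] = [
    (datetime(2000, 12, 31, 23, 59, 59), "event=conn_open  (too old)"),
    (datetime(2001, 1, 1, 0, 0, 0),      "event=conn_open  (first second of day 1)"),
    (datetime(2001, 1, 2, 23, 59, 59),   "event=drop       (last second of day 2)"),
    (datetime(2001, 1, 3, 9, 0, 0),      "event=drop       (today; must not appear)"),
]


if __name__ == "__main__":
    for label, fn in (("7.00", last_full_window), ("pre-7.00", last_full_window_buggy)):
        start, end = fn(NOW, "days", 2)
        hits = select(SAMPLE_ENTRIES, (start, end))
        print(f"{label}: {start} .. {end} -> {len(hits)} entries")
```

The buggy variant returns the entry from earlier today as well, which is exactly the extra output the note describes.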
     


     Firewall Manager Known Bugs / Problems           

    • FWMgr 7.00.00 cannot configure VPN firewalls
      The first Firewall Manager in the v7 series, version 7.00.00, cannot handle VPN configurations. A firewall manager capable of handling VPN configurations will, of course, ship with the VPN core.

    • Statistics 'plot' menu gets truncated
      The "Plot" menu is capable of displaying several thousand statistics values. This is an order of magnitude more than what is required by a normal configuration. However, with several thousand VLAN interfaces and/or rules, the menu will become truncated. First, it will only display about a screenful of entries in each sub menu. Second, the total limit of statistics values may come into effect.
      This will be addressed in a future release by replacing the menu with something able to display more values efficiently.
      Possible workaround: Setting the same name for two or more rules will make them use the same statistics value. This may reduce the number of statistics values somewhat.

    • Cannot use scrollbar ruler to drag past configuration row 1600
      The scrollbar ruler of the configuration grid cannot be used to scroll past (approximately) row 1600. This will be addressed in a future release.
      Workaround: The scrollbar up/down arrows, the arrow keys, and the page up/down keys still work properly past the critical row.

    • Firewall Manager silently truncates configurations larger than 512 KB
      The Firewall Manager will silently truncate a configuration file larger than 512 KB, which will either cause it to fail to parse in the manager itself, or fail to parse in the firewall when uploaded.
      Configuration files are normally 10--40 KB in size, but when several thousand interfaces, routes and/or rules are added, the size will sooner or later increase past the critical limit.
      This will be addressed in a future release.
     


     Firewall Core Changes           

    • Support for gigabit ethernet adapters
      Clavister Firewall now supports the Intel PRO/1000 fiber and copper adapters, yielding multi-gigabit throughput. Please note that the hardware, especially the PCI buses, is crucial in achieving maximal throughput at these speeds. Do not hesitate to contact Clavister support at firewall-support@clavister.com for advice on selecting appropriate hardware, or perhaps consider buying a ready-made appliance; see www.clavister.com for more information.

    • Support for statistics polling and monitoring via SNMP
      Clavister Firewall now supports polling of a limited subset of the SNMP MIB-II information base. Since the SNMP protocol has only limited security properties, the information available through SNMP is restricted to what is "non-critical" from a security perspective. For instance, the routing table and the ARP cache are not exposed.
      Also, SNMP is by default turned off, and access to it may be granted to limited IP spans and through specific interfaces.
      Note: Clavister Firewall does not, and will not implement control through SNMP, as it is not nearly as secure as what we require of a remote firewall management protocol.

    • Most static limits on configuration lists removed
      Previously, a number of configuration sections have had limits on how far they could grow. Most of these limits are now removed. The configuration sections that are still using static limits are:
      - The "Interfaces" section -- max 64 physical interfaces
      - The "Hosts" section -- max 256 symbolic host names
      - The "Nets" section -- max 256 symbolic net/range names

    • Pipe limits are now "base 1000" rather than "base 1024"
      Pipe limits were previously configured using "base 1024" exponents, that is, 1 kbps equaled 1024 bits per second. Network bandwidth is not calculated this way. The limits are now calculated as "1 kbps equals 1000 bps", which is the correct way. This means that previous configurations will have their limits slightly lowered; most likely to what they should have been in the first place.
     


     Firewall Core Bug Fixes           

    • Allowing 'ALL' didn't allow everything
      Issue: "Allow", "NAT" and "FwdFast" rules regarding the protocol "ALL" should pass all 256 possible IP protocols. This was not the case. Only TCP, UDP, ICMP, AH and ESP were actually passed.
      Affects: Firewall Core v6.00 -- v6.01
      Results: Allowing "ALL" and expecting, for instance, "GRE" to be passed, failed. One had to add an explicit rule to pass IP protocols other than the above.
      Fix: Allowing "ALL" protocols will now pass all possible 256 IP protocols. Also fixed in version 6.02.

    • Spurious freezes/crashes on file access fixed
      Issue: Some systems have occasionally frozen or crashed when the file system is accessed after the firewall core has been operational. The likelihood of this occurring increased with time since last reboot, traffic load, and a few other factors. Fortunately, Clavister Firewall does not access its file system during uninterrupted operation; it only does so during configuration uploads and restarts, a fact which has mitigated the problem for affected users.
      Affects: Firewall Core v6.00 -- v6.01
      Fix: This problem has been resolved in v7.00 and v6.02

    • Typo in 'event=unexpected_tcp_flags' syslog message
      Issue: Values in Clavister Firewall syslog messages should, if they contain spaces, be quoted by double quotes. The "flags" value in the "event=unexpected_tcp_flags" event was erroneously quoted using single quotes:
          event=unexpected_tcp_flags flags='syn ack'
      Affects: Firewall Core v6.00 -- v6.01
      Results: None, unless you've written your own syslog parser that doesn't understand single-quoted values.
      Fix: Firewall Cores v7.00 and v6.02 now use double quotes when quoting this value.
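For anyone who has written their own parser for these messages, the following added example (not Clavister code, not part of the original release note) parses the space-separated key=value fields shown above, accepting both the double-quoted form used by v7.00/v6.02 and the single-quoted form emitted by v6.00-v6.01 for this event. It also shows what a parser that only understands double quotes makes of the old message. The message strings are constructed from the release note; the syslog header in front of them is not modelled.

```python
# Added example (not Clavister code): a tolerant key=value parser for
# Clavister-style syslog message bodies, plus a double-quote-only variant.
import re
from typing import Dict, Set

# key=value where the value is "double quoted", 'single quoted' or a bare token.
_TOLERANT = re.compile(r'(\w+)=(?:"([^"]*)"|\'([^\']*)\'|(\S+))')
# The same, recognising only double quotes: what a parser written from the
# documented format alone would do.
_STRICT = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(message: str, accept_single_quotes: bool = True) -> Dict[str, str]:
    """Return the key=value fields of a message body as a dict.
    Tokens that are not of the form key=value are ignored."""
    pattern = _TOLERANT if accept_single_quotes else _STRICT
    fields: Dict[str, str] = {}
    for match in pattern.finditer(message):
        key, *values = match.groups()
        fields[key] = next(v for v in values if v is not None)
    return fields


def tcp_flags(fields: Dict[str, str]) -> Set[str]:
    """Flag names from an unexpected_tcp_flags event, normalised to upper case."""
    return {flag.upper() for flag in fields.get("flags", "").split()}


# Constructed messages: OLD_MESSAGE reproduces the v6.0x quoting quoted in the
# release note, NEW_MESSAGE the corrected v7.00/v6.02 form.
OLD_MESSAGE = "event=unexpected_tcp_flags flags='syn ack'"
NEW_MESSAGE = 'event=unexpected_tcp_flags flags="syn ack"'


if __name__ == "__main__":
    for msg in (OLD_MESSAGE, NEW_MESSAGE):
        print("tolerant:", parse_kv(msg))
        print("strict:  ", parse_kv(msg, accept_single_quotes=False))
```

The strict variant silently turns the old message into flags="'syn" and drops "ack'" on the floor, since that trailing token is not a key=value pair; a parser that validates what it extracts (for instance by checking the flag names against the known set) catches this, one that merely stores the string does not.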

    • Erroneous 'usage' values reported via syslog
      Issue: Interface throughput values in 'usage' syslog messages have been completely wrong.
      Affects: Firewall Cores before v6.02
      Results: Most likely none, unless you've written your own syslog parser to do further processing on usage entries.
      Fix: Firewall Cores v7.00 and v6.02 report correct interface throughput values in usage entries.
     


     Firewall Core Known Bugs / Problems           

    • State engine is overly strict during TCP initial handshake
      Issue: The state engine currently requires strict conformance to the "SYN", "SYN/ACK", "ACK" initial TCP handshake pattern (possibly with resends). However, some operating systems will respond to resent SYNs with a plain "ACK", which the state engine will not accept.
      Affects: All Firewall Cores, from v5.1
      Results: This may lead to failed connections between certain operating systems, if packet loss occurs in the "right" place during the handshake. The firewall will also send "LogStateViolations" log events regarding "SYN ACK" flags at a later point in the handshake.
      Fix: This problem will be addressed in a future release.
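To make the failure mode concrete, here is an added example (not Clavister code, and not a description of the actual state engine) that models a handshake tracker as a small state machine and runs the packet sequence described above through it, once in the strict form and once with a plain responder ACK to a resent SYN tolerated. The packet trace is constructed; the assumption that a state violation discards the tracked connection, so that the responder's later SYN/ACK retransmission is flagged as well, is the author's and is only consistent with, not stated by, the note above.

```python
# Added example (not Clavister code): a simplified model of a stateful TCP
# handshake tracker, strict versus tolerant of a plain ACK answering a resent SYN.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

SYN = frozenset({"SYN"})
SYNACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


@dataclass(frozen=True)
class Packet:
    direction: str          # "c2s": initiator -> responder, "s2c": responder -> initiator
    flags: FrozenSet[str]   # only SYN and ACK are modelled; RST/FIN are left out


@dataclass
class Tracker:
    tolerate_plain_ack: bool = False   # accept a responder ACK that answers a resent SYN
    state: str = "NEW"
    log: List[str] = field(default_factory=list)

    def _transitions(self) -> Dict[Tuple[str, str, FrozenSet[str]], str]:
        t = {
            ("NEW", "c2s", SYN): "SYN_SENT",
            ("SYN_SENT", "c2s", SYN): "SYN_SENT",      # initiator resends its SYN
            ("SYN_SENT", "s2c", SYNACK): "SYN_RECV",
            ("SYN_RECV", "s2c", SYNACK): "SYN_RECV",   # responder resends SYN/ACK
            ("SYN_RECV", "c2s", SYN): "SYN_RECV",      # initiator never saw the SYN/ACK
            ("SYN_RECV", "c2s", ACK): "OPEN",
            ("OPEN", "c2s", ACK): "OPEN",
            ("OPEN", "s2c", ACK): "OPEN",
        }
        if self.tolerate_plain_ack:
            # Some stacks answer a duplicate SYN with a plain ACK instead of a
            # fresh SYN/ACK; treat it as a harmless retransmission.
            t[("SYN_RECV", "s2c", ACK)] = "SYN_RECV"
        return t

    def feed(self, pkt: Packet) -> bool:
        """Return True if the packet is accepted, False if dropped as a state violation."""
        nxt = self._transitions().get((self.state, pkt.direction, pkt.flags))
        if nxt is None:
            flags = " ".join(sorted(pkt.flags, reverse=True))   # "SYN ACK" ordering
            self.log.append(f'event=state_violation state={self.state} flags="{flags}"')
            self.state = "NEW"   # assumption: the connection entry is discarded on a violation
            return False
        self.state = nxt
        return True


def run(tracker: Tracker, trace: List[Packet]) -> List[bool]:
    return [tracker.feed(p) for p in trace]


CLEAN_HANDSHAKE = [Packet("c2s", SYN), Packet("s2c", SYNACK), Packet("c2s", ACK)]

# Constructed trace: the SYN/ACK passes the firewall but is lost before the
# initiator, which resends its SYN; the responder answers the duplicate with a
# plain ACK, later retransmits its SYN/ACK, and the initiator finally ACKs.
LOSSY_HANDSHAKE = [
    Packet("c2s", SYN),
    Packet("s2c", SYNACK),
    Packet("c2s", SYN),
    Packet("s2c", ACK),
    Packet("s2c", SYNACK),
    Packet("c2s", ACK),
]


if __name__ == "__main__":
    for label, tracker in (("strict", Tracker()), ("tolerant", Tracker(tolerate_plain_ack=True))):
        accepted = run(tracker, LOSSY_HANDSHAKE)
        print(f"{label}: accepted={accepted} final_state={tracker.state}")
        for line in tracker.log:
            print("  ", line)
```

With the strict table the plain ACK is dropped, the connection entry is gone, and the responder's retransmitted SYN/ACK plus the initiator's final ACK are logged as violations too, which is the "SYN ACK" log noise the note mentions; with the extra transition the same trace completes normally.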

    • 'Memory' console command missing
      The 'memory' console command has been temporarily removed. It will be re-implemented in a future release.

    • DEC/Intel Tulip driver may fail to attach during high traffic
      The DEC/Intel Tulip chipset NIC driver may fail to attach on some systems if it receives a large number of packets during the attach phase.
      We currently do not know the exact circumstances during which this may occur. The matter is being researched.