Clavister Firewall Changes from v7.00.00 to v7.00.01

Clavister Firewall Changes from v7.00.00 to v7.00.01

Release date: 2001-10-25 [ISO]

Clavister Firewall Core v7.00.01 is a minor update from v7.00.00.

For changes from v6.01 to v7.00.00, please see changes-6.01-to-7.00.html.

This document outlines bug fixes as well as improvements for the v7.00.01 core.

New files installed by v7.00.01

How to upgrade a v7.00.00 firewall to v7.00.01

Firewall Core
[Changes] [Bug Fixes] [Known Bugs / Problems]

For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

New files installed by v7.00.01

This is a list of the files that are new to the v7.00.01 release. All paths are relative to your Firewall Manager install folder.

Cores/fwc_700.exe
This is the v7.00.01 standard firewall core. Upload it to your existing (standard) firewall, or create new boot media with it.
Your previous v7.00.00 core (also named fwc_700.exe) is overwritten.
Note: VPN firewalls should, as always, use the VPN core file, below.
Cores/fwc_700v.exe
This is the v7.00.01 VPN firewall core. Upload it to your existing (VPN) firewall, or create new boot media with it.
Note: This file is not installed by the standard installation package, as only licensed users have access to it. Rather, it is available as a separate installation package (typically a Clavister Upgrader package).
Docs/Changes-7.00.00-to-7.00.01.htm
This document.
FWMgr7.exe
This is the v7.00.01 Firewall Manager. Version 6 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr6.exe".

How to upgrade a v7.00.00 firewall to v7.00.01

Upgrading a v7.00.00 firewall to v7.00.01 is completely straightforward; no changes in configuration compatibility have been made. Simply upload the new core, "fwc_700.exe", to your firewall and restart it.

Note: VPN firewalls should use the VPN core, "fwc_700v.exe". Uploading a standard core to a VPN firewall will, as always, disable VPN functionality and very likely render the firewall unable to operate, as it will not understand its configuration file.

Firewall Core Changes

None.

Firewall Core Bug Fixes

Some statistics values weren't correctly updated
Issue: The statistics values for "IP errors", "Send fails", and fragment reassembly weren't correctly updated.
Affects: v7.00.00.
Fixed: in v7.00.01.

The SNMP 'bytesIn' counter wasn't updated for ODI interfaces
Issue: The SNMP 'bytesIn' counter wasn't updated at all for ODI interfaces. However, it was correctly updated for all other interface types.
Affects: v7.00.00 SNMP data, if enabled
Fixed: in v7.00.01.

ARP cache problem fixed
Issue: Firewall interfaces passing traffic to (through) a single IP address, f.i. the external interface speaking to a default gateway only, would sometimes refuse to resolve the IP address in question, after having resolved it once.
Results: The IP address in question, once it stops resolving, won't resolve until one attempts to speak to another IP address, or flushes the ARP cache (f.i. through "arp -flush" or by re-reading the firewall configuration).
Affects: v7.00.00 cores.
Fixed: in v7.00.01.

Firewall Core Known Bugs / Problems

State engine is overly strict during TCP initial handshake
Issue: The state engine currently requires strict conformance to the "SYN", "SYN/ACK", "ACK" initial TCP handshake pattern (possibly with resends). However, some operating systems will respond to resent SYNs with a plain "ACK", which the state engine will not accept.
Affects: All Firewall Cores, from v5.1
Results: This may lead to failed connections between certain operating systems, if packet loss occurs in the "right" place during the handshake. The firewall will also send "LogStateViolations" log events regarding "SYN ACK" flags at a later point in the handshake.
Fix: This problem will be addressed in a future release.