Clavister Firewall Changes from v7.00.02 to v7.01.00

Release date: 2001-11-21 [ISO]

The major new features of Clavister Firewall v7.01 are:

  • State-synchronized High Availability option released
  • Built-in Intel EtherExpress PRO/100 drivers

    In addition to this, a number of minor improvements have been implemented, and a few bug fixes. However, there are no major changes to existing functionality.

    This document outlines bug fixes as well as improvements for each component.
    It also contains information about features and/or changes that did not make it into the user's guide before it was printed.

  • New files installed by v7.01.00
  • How to upgrade a v6.xx/v7.00 firewall to v7.01
  • Firewall Manager: Changes, Bug Fixes, Known Bugs / Problems
  • Firewall Core: Changes, Known Bugs / Problems
  • VPN Core: Bug Fixes, Known Bugs / Problems

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the tech support section of www.clavister.com.  


     New files installed by v7.01.00

    This is a list of the files that are new to the v7.01.00 release. All paths are relative to your Firewall Manager install folder.

    • Cores/fwc_701.exe
      This is the v7.01.00 standard firewall core. Upload it to your existing (standard) firewall, or create new boot media with it.
      Note: VPN firewalls should, as always, use the VPN core file, below.

    • Cores/fwc_701v.exe
      This is the v7.01.00 VPN firewall core. Upload it to your existing (VPN) firewall, or create new boot media with it.
      Note: This file is not installed by the standard installation package, as only licensed users have access to it. Rather, it is available as a separate installation package (typically a Clavister Upgrader package).

    • Docs/Changes-7.00.02-to-7.01.00.htm
      This document.

    • FWMgr7.exe
      This is the v7.01.00 Firewall Manager. Version 6 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr6.exe".
     


     How to upgrade a v6.xx/v7.00 firewall to v7.01

    Upgrading a v6.xx or v7.00 firewall to v7.01 is completely straightforward; a version 7 core parses all configuration items that a version 6 core uses.
    Simply upload the new core, "fwc_701.exe", to your firewall and restart it.

    Note: VPN firewalls should use the VPN core, "fwc_701v.exe". Uploading a standard core to a VPN firewall will, as always, disable VPN functionality and very likely render the firewall unable to operate, as it will not understand its configuration file.  


     Firewall Manager Changes

    • New 'require all include statements to match' option in log wizard
      A new option, "require all include statements to match", has been added to the log wizard. By default, only one "include" statement needs to match in order for a log entry to be displayed. With this option enabled, all include statements need to match for an entry to be displayed.
      As always, queries more advanced than what the log wizard permits can be constructed by editing the query language expression directly.

    • Log result view: 'save to file' command added
      The log result viewer can now save its output to a text file through the context menu Save to file command.
      Please note that this output is not meant for automatic processing or detailed examination; its level of detail is nowhere near that kept by the fwlogger system or by syslog events.
     


     Firewall Manager Bug Fixes

    • Save/upload dialog will now correctly set the user name field
      Issue: The save/upload dialog should set the user name to the user name of the logged in user by default. It was erroneously being left empty.
      Affects: Firewall Manager v7.00.02.
      Fix: This has been resolved in v7.01.00.

    • 'Open specific version' dialog sort order
      Issue: The "Open specific version" dialog should sort its configuration version list according to the version number. It was not being sorted at all. Usually, it would end up being correct, simply because the file system directory entries were ordered chronologically, but this is not always the case.
      Affects: Firewall Manager v6.00 -- v7.00.02.
      Fix: This has been resolved in v7.01.00.
     


     Firewall Manager Known Bugs / Problems

    • Configuration: tabbing out of a host/net cell won't always work
      Tabbing out of a host/net cell (ones having a drop-down menu while still allowing you to type your own text) with the drop-down menu still visible will cause the changes to the cell to be lost.
      Affects: Firewall Manager v7.00.00 -- v7.01.00
      Workaround: Click your way out of the cell, using the mouse, or hide the drop-down menu using Alt+down arrow before tabbing out of the cell.

    • Statistics 'plot' menu gets truncated
      The "Plot" menu is capable of displaying several thousand statistics values. This is an order of magnitude more than what is required by a normal configuration. However, with several thousand VLAN interfaces and/or rules, the menu will become truncated. First, it will only display about a screenful of entries in each sub menu. Second, the total limit of statistics values may come into effect.
      This will be addressed in a future release by replacing the menu with something able to display more values efficiently.
      Affects: Firewall Manager v7.00.00 -- v7.01.00. Earlier versions have the same limit, but as they do not support VLANs, the problem will not appear.
      Possible workaround: Setting the same name for two or more rules will make them use the same statistics value. This may reduce the number of statistics values somewhat.

    • Firewall Manager silently truncates configurations larger than 512 KB
      The Firewall Manager will silently truncate a configuration file larger than 512 KB, which will either cause it to fail to parse in the manager itself, or fail to parse in the firewall when uploaded.
      Configuration files are normally 10--40 KB in size, but when several thousand interfaces, routes and/or rules are added, the size will sooner or later increase past the critical limit.
      This will be addressed in a future release.
     


     Firewall Core Changes

    • Support for Intel EtherExpress PRO/100 adapters
      Clavister Firewall now has a built-in driver for the Intel EtherExpress PRO/100 series adapters.

    • Separate 'warnings' count for the Settings section
      The configuration parser limits the number of warnings displayed to ten warnings.
      However, the settings section can generate numerous warnings when parsed; especially when the firewall is managed by a Firewall Manager of a different version.
      The configuration parser will now keep a separate warning count for the settings section so that numerous warnings regarding settings won't hide warnings regarding the rest of the configuration.

    • 'prio=n' field added to syslog
      Syslog entries will now be prefaced with a 'prio=n' field for events regarding Rules and Access. The priority ranges from 0 to 7, with 0 being the lowest priority ("debug") and 7 being the highest priority ("emergency").
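    The priority field above, worked through as an added example (this is not Clavister code, and the sample log lines are constructed for the example rather than copied from the firewall's actual syslog output): a small parser pulls prio=n out of each line, names the level on the 0 = debug .. 7 = emergency scale stated above, and keeps only events at or above a threshold. Only the two end-point names appear in these notes; the names assumed here for 1..6 follow the usual syslog severity names in ascending order. One thing to check before feeding these events into a generic syslog pipeline: this scale runs opposite to the RFC 3164 severity codes, where 0 is emergency and 7 is debug, so the prio value should be remapped rather than passed through as a syslog severity.

```python
# Added example, not Clavister code: parse the 'prio=n' field that prefaces Rules/Access
# syslog events and select entries by priority. Scale as stated in the release notes:
# 0 = lowest ("debug"), 7 = highest ("emergency").
import re
from typing import Dict, List, Optional

# Only 0 ("debug") and 7 ("emergency") are named in the release notes; the names for
# 1..6 are an assumption, following the usual syslog severity names in ascending order.
PRIO_NAMES = {
    0: "debug",
    1: "info",
    2: "notice",
    3: "warning",
    4: "error",
    5: "critical",
    6: "alert",
    7: "emergency",
}

# 'prio=' followed by a single digit, standing as its own token.
_PRIO_RE = re.compile(r"\bprio=(\d)\b")


def parse_prio(line: str) -> Optional[int]:
    """Return the prio value of a line, or None if absent or outside 0..7."""
    match = _PRIO_RE.search(line)
    if match is None:
        return None
    value = int(match.group(1))
    return value if 0 <= value <= 7 else None


def prio_name(value: int) -> str:
    """Name for a prio value on the 0..7 scale."""
    return PRIO_NAMES[value]


def select_at_least(lines: List[str], threshold: int) -> List[str]:
    """Keep lines whose prio is at or above threshold; lines without prio are skipped."""
    kept = []
    for line in lines:
        value = parse_prio(line)
        if value is not None and value >= threshold:
            kept.append(line)
    return kept


def count_by_name(lines: List[str]) -> Dict[str, int]:
    """Tally lines per priority name, for a quick overview of a log extract."""
    counts: Dict[str, int] = {}
    for line in lines:
        value = parse_prio(line)
        if value is not None:
            name = prio_name(value)
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample lines. The field layout after the host name is invented for this
# example; only the 'prio=n' prefix on Rules/Access events follows the release notes.
SAMPLE_LINES = [
    "Nov 21 10:00:01 fw1 prio=1 rule=allow_http conn=open src=10.0.0.5 dst=198.51.100.10",
    "Nov 21 10:00:02 fw1 prio=4 rule=drop_all action=drop src=203.0.113.7 dst=10.0.0.5",
    "Nov 21 10:00:03 fw1 prio=7 access=spoofed_source action=drop src=10.0.0.99 iface=ext",
    "Nov 21 10:00:04 fw1 system: statistics snapshot taken",  # not a Rules/Access event
]

if __name__ == "__main__":
    for line in select_at_least(SAMPLE_LINES, 4):
        print(prio_name(parse_prio(line)), line)
    print(count_by_name(SAMPLE_LINES))
```

    The range check in parse_prio matters: a stray "prio=9" in a malformed line is reported as absent rather than silently treated as higher than "emergency".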

    • Serial console support
      The Firewall Core now has console support via serial line.
      This support is disabled by default. It may be enabled by adding the following command-line argument to fwcore.exe:
          -s baudrate
      COM1 will always be used; there is no way to use another port.
      To enable serial support by default in created boot disks, edit autoexec.bat in your Images/FWCore folder (relative to your Firewall Manager installation folder).
     


     Firewall Core Known Bugs / Problems

    • State engine is overly strict during TCP initial handshake
      Issue: The state engine currently requires strict conformance to the "SYN", "SYN/ACK", "ACK" initial TCP handshake pattern (possibly with resends). However, some operating systems will respond to resent SYNs with a plain "ACK", which the state engine will not accept.
      Affects: All Firewall Cores, from v5.1
      Results: This may lead to failed connections between certain operating systems, if packet loss occurs in the "right" place during the handshake. The firewall will also send "LogStateViolations" log events regarding "SYN ACK" flags at a later point in the handshake.
      Fix: This problem will be addressed in a future release.
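    To make the handshake issue above concrete, here is an added example: an illustrative model written for these notes, not Clavister's state engine, of a minimal stateful tracker run over a constructed segment sequence in which the server's first SYN/ACK is lost after passing the firewall. The strict variant accepts only SYN, SYN/ACK, ACK plus retransmissions, as described above; the tolerant variant additionally accepts a plain ACK from the server in reply to a retransmitted SYN. What the tracker does after a violation is an assumption of the model: it drops the segment and discards the half-open state, which is one way a single rejected segment turns into a failed connection and further "SYN ACK" violations later in the same handshake.

```python
# Added example: an illustrative model of a stateful TCP handshake tracker. It is not
# Clavister's state engine; it only reproduces the failure mode described in the notes.
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple

SYN = 0x02  # TCP flag bits as they appear in the header
ACK = 0x10


def flag_str(flags: int) -> str:
    """Render the SYN/ACK bits the way a log line would, e.g. 'SYN ACK'."""
    names = [name for name, bit in (("SYN", SYN), ("ACK", ACK)) if flags & bit]
    return " ".join(names) or "-"


@dataclass(frozen=True)
class Segment:
    direction: str  # "c2s" = client to server, "s2c" = server to client
    flags: int


class HandshakeTracker:
    """Tracks one connection through SYN -> SYN/ACK -> ACK (retransmits allowed)."""

    def __init__(self, tolerate_plain_ack: bool) -> None:
        self.tolerate_plain_ack = tolerate_plain_ack
        self.state = "NEW"
        self.violations: List[str] = []  # constructed, LogStateViolations-style entries

    def _go(self, state: str) -> bool:
        self.state = state
        return True

    def _accept(self, seg: Segment) -> bool:
        f = seg.flags & (SYN | ACK)
        if self.state == "NEW":
            return seg.direction == "c2s" and f == SYN and self._go("SYN_SENT")
        if self.state == "SYN_SENT":
            if seg.direction == "c2s" and f == SYN:          # client retransmits its SYN
                return True
            return seg.direction == "s2c" and f == (SYN | ACK) and self._go("SYN_RECV")
        if self.state == "SYN_RECV":
            if seg.direction == "s2c" and f == (SYN | ACK):  # server retransmits SYN/ACK
                return True
            if seg.direction == "c2s" and f == SYN:          # client missed the SYN/ACK, retransmits
                return True
            if seg.direction == "s2c" and f == ACK:          # plain ACK answering the retransmitted SYN
                return self.tolerate_plain_ack
            return seg.direction == "c2s" and f == ACK and self._go("ESTABLISHED")
        return self.state == "ESTABLISHED"                   # CLOSED accepts nothing

    def feed(self, seg: Segment) -> bool:
        """Forward (True) or drop and log (False) one segment."""
        if self._accept(seg):
            return True
        self.violations.append(
            f"state={self.state} dir={seg.direction} flags={flag_str(seg.flags)}"
        )
        if self.state != "ESTABLISHED":
            self.state = "CLOSED"  # assumption: a handshake violation discards the half-open state
        return False


# Constructed scenario: the server's first SYN/ACK passes the firewall but is lost before
# it reaches the client, so the client retransmits its SYN; the server's stack answers that
# with a plain ACK, then retransmits SYN/ACK, and the client completes the handshake.
LOST_SYNACK_HANDSHAKE = [
    Segment("c2s", SYN),
    Segment("s2c", SYN | ACK),  # forwarded, lost downstream
    Segment("c2s", SYN),        # client retransmit
    Segment("s2c", ACK),        # plain ACK: the segment a strict tracker rejects
    Segment("s2c", SYN | ACK),  # server retransmit
    Segment("c2s", ACK),        # would complete the handshake
]

NORMAL_HANDSHAKE = [Segment("c2s", SYN), Segment("s2c", SYN | ACK), Segment("c2s", ACK)]


def run(segments: List[Segment], tolerate_plain_ack: bool) -> Tuple[str, List[str]]:
    """Feed a segment sequence through a tracker; return final state and violation log."""
    tracker = HandshakeTracker(tolerate_plain_ack)
    for seg in segments:
        tracker.feed(seg)
    return tracker.state, tracker.violations


if __name__ == "__main__":
    for strict in (True, False):
        state, log = run(LOST_SYNACK_HANDSHAKE, tolerate_plain_ack=not strict)
        print("strict" if strict else "tolerant", state, log)
```

    Running it shows the strict tracker logging the rejected plain ACK and then two further violations (one of them with "SYN ACK" flags) while the connection ends in CLOSED; the tolerant tracker forwards every segment and reaches ESTABLISHED. The undisturbed three-segment handshake passes both, which is the property a relaxed check must keep.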

    • 'Memory' console command missing
      The 'memory' console command has been temporarily removed. It will be re-implemented in a future release.

    • DEC/Intel Tulip driver may fail to attach during high traffic
      The DEC/Intel Tulip chipset NIC driver may fail to attach on some systems if it receives a large number of packets during the attach phase.
      The matter is being researched.

    • 3com 3c905 driver autonegotiate problems
      The 3com 3c905 driver has problems in the autonegotiate phase. A link that should be 100Mbps full duplex may end up being 10Mbps and/or half duplex.
      Generally speaking, it appears to work well against switches and hubs. The problems are mostly apparent when a 3c905 adapter is connected directly to another computer or router.
     


     VPN Gateway Bug Fixes

    • 'Roaming gateways' could not connect
      Issue: Remote VPN gateways can "roam" the same way remote users can. In such situations, the main VPN gateway's configuration does not contain the remote gateway's IP address.
      Problem: The main VPN gateway assumed that a roaming gateway was in fact a "roaming client", and tried to respond directly to the first IP address of the remote network without going through the remote gateway.
      Results: The VPN connection would never be formed.
      Affects: All VPN gateways v5.11 -- v7.00.01.
      Fix: Fixed in v7.01.00. The main VPN gateway will now remember if the inbound IPsec session came from a gateway, and respond to the gateway address.
     


     VPN Gateway Known Bugs / Problems

    • Fragmented IKE packets are dropped
      If an IKE packet sent to the VPN gateway is fragmented, either during transport, or by the originator, it will be dropped.
      Typically, this is not a problem, as IKE packets tend to be only a few hundred bytes in length, well below the MTU of commonly used network types. However, it will be addressed in a future release.
      Workaround: If this behavior causes problems, you may try decreasing the size of your proposal lists, which will decrease the IKE UDP datagram size.