Clavister Firewall Changes from v7.01.00 to v7.01.01

Release date: 2001-12-17 [ISO]

The major new features of Clavister Firewall v7.01 from v7.00 are:

  • State-synchronized High Availability option released
  • Built-in Intel EtherExpress PRO/100 drivers

    Version 7.01.01 contains a number of minor improvements and bug fixes. However, there are no major changes to existing functionality.

    This document outlines bug fixes as well as improvements for each component.

  • New files installed by v7.01.01
  • How to upgrade a v6.xx/v7.00 firewall to v7.01.01
  • Firewall Manager: Changes, Bug Fixes, Known Bugs / Problems
  • Firewall Core: Changes, Bug Fixes, Known Bugs / Problems
  • VPN Core: Bug Fixes, Known Bugs / Problems

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the release notes section of www.clavister.com/support.  


     New files installed by v7.01.01

    This is a list of the files that are new to the v7.01.01 release. All paths are relative to your Firewall Manager install folder.

    • Cores/fwc_701.exe
      This is the v7.01.01 standard firewall core. Upload it to your existing (standard) firewall, or create new boot media with it. It will overwrite earlier 7.01.00 cores, if installed.
      Note: VPN firewalls should, as always, use the VPN core file, below.

    • Cores/fwc_701v.exe
      This is the v7.01.00 VPN firewall core. Upload it to your existing (VPN) firewall, or create new boot media with it.
      Note: This file is not installed by the standard installation package, as only licensed users have access to it. Rather, it is available as a separate installation package (typically a Clavister Upgrader package).

    • Docs/Changes-7.01.00-to-7.01.01.htm
      This document.

    • FWMgr7.exe
      This is the v7.01.01 Firewall Manager. Earlier version 7 Firewall Managers will be overwritten. Version 6 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr6.exe".
     


     How to upgrade a v6.xx/v7.00 firewall to v7.01.01           

    Upgrading a v6.xx or v7.00 firewall to v7.01.01 is completely straightforward; a version 7 core parses all configuration items that a version 6 core uses.
    Simply upload the new core, "fwc_701.exe", to your firewall and restart it.

    Note: VPN firewalls should use the VPN core, "fwc_701v.exe". Uploading a standard core to a VPN firewall will, as always, disable VPN functionality and very likely render the firewall unable to operate, as it will not understand its configuration file.  


     Firewall Manager Changes           

    • Set-up of HA firewalls simplified
      An existing firewall may now be converted into a slave firewall by selecting "Firewall" -> "Database" -> "Convert to slave". This merges all configuration data regarding interfaces into the configuration of the (to-be) HA master firewall.
      Above all else, this greatly simplifies set-up of HA appliances.


     Firewall Manager Bug Fixes           

    • Configurations larger than 512KB are no longer silently truncated
      Issue: The Firewall Manager will not store configurations larger than 512 KB. Normally, this limit has no effect, as the average configuration is about 10--40KB. However, with several thousand VLANs and the accompanying bulk of rules and routes, the configuration size may exceed 512 KB.
      Problem: The Firewall Manager would truncate configurations larger than 512KB without displaying a warning.
      Affects: Firewall Manager v7.00.00 -- v7.01.00. Earlier versions have the same limit, but for all practical purposes, they are unaffected as they do not support VLANs.
      Fix: As of v7.01.01, a warning box will be displayed when the configuration size exceeds 512KB, letting the user return to the configuration view.

    • Tabbing out of a host/net cell would sometimes invalidate changes
      Issue: Host/network cells in the configuration grid are combo boxes; they may be edited manually by typing in the new value, as well as through selecting an entry from the drop-down box.
      Problem: If changes were made manually (by pressing F2 or clicking inside the cell to edit existing data), and the user used the tab key to exit the cell, while the drop-down box was still expanded, the changes would be lost. Overwriting (not editing) the data manually, selecting an option from the drop-down box, or using the mouse to click out of the cell, would not exhibit the same behavior.
      Affects: Firewall Manager v7.00.00 -- v7.01.00.
      Fix: Fixed in v7.01.01.
     


     Firewall Manager Known Bugs / Problems           

    • Statistics 'plot' menu gets truncated
      The "Plot" menu is capable of displaying several thousand statistics values. This is an order of magnitude more than what is required by a normal configuration. However, with several thousand VLAN interfaces and/or rules, the menu will become truncated. First, it will only display about a screenful of entries in each sub menu. Second, the total limit of statistics values may come into effect.
      This will be addressed in a future release by replacing the menu with something able to display more values efficiently.
      Affects: Firewall Manager v7.00.00 -- v7.01.01. Earlier versions have the same limit, but as they do not support VLANs, the problem is mitigated.
      Possible workaround: Setting the same name for two or more rules will make them use the same statistics value. This may reduce the number of statistics values somewhat.
     


     Firewall Core Changes           

    • Decreased per-packet processing overhead
      The per-packet processing overhead has been decreased. Official throughput results of this change will be published at a later time.
      Initial observations indicate that a firewall running on a PII/233MHz system gains about a 130% performance boost on small (60-byte) packets. That is, a system previously capable of handling about 28000 small packets per second would now be capable of handling about 64000 small packets per second.
      These improvements are likely not as extreme on faster hardware, as the PCI buses rather than the CPU tend to be the bottleneck for large packet streams in such set-ups. Again: official test results will be published at a later time.


     Firewall Core Bug Fixes           

    • 3com 3c905 auto-negotiate problems
      Issue: The 3com 3c905 drivers previously used a combination of IEEE 802.3u auto-negotiation and manual probing. Most of the media detection problems experienced so far have been related to the manual probing, because the 802.3u auto-negotiation protocol is, by definition, disabled while manual probing is in progress.
      Affects: All versions of the Firewall Core up to 7.01.01.
      Fix: In version 7.01.01, the 3c905 drivers will only use the IEEE 802.3u auto-negotiation protocol, in combination with the built-in media sensing in the 905B/C ASICs. This produces better results all-round, with the usual exception of connecting to units forced to full duplex with the 802.3u protocol switched off, a situation in which full duplex can never be reliably detected.
     


     Firewall Core Known Bugs / Problems           

    • State engine is overly strict during TCP initial handshake
      Issue: The state engine currently requires strict conformance to the "SYN", "SYN/ACK", "ACK" initial TCP handshake pattern (possibly with resends). However, some operating systems will respond to resent SYNs with a plain "ACK", which the state engine will not accept.
      Affects: All Firewall Cores from v5.1 onwards.
      Results: This may lead to failed connections between certain operating systems, if packet loss occurs in the "right" place during the handshake. The firewall will also send "LogStateViolations" log events regarding "SYN ACK" flags at a later point in the handshake.
      Fix: This problem will be addressed in a future release.
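To make the failure mode above concrete, here is a toy handshake tracker, added as an example and not Clavister code: it runs the same packet trace through a strict engine, which requires the "SYN", "SYN/ACK", "ACK" pattern (resends allowed) and tears the connection down on anything else, and through a tolerant engine, which logs the unexpected packet and keeps waiting. The packet traces, the direction labels "c2s"/"s2c", the state names and the tolerant policy are all constructed for the example; they describe neither Clavister's state engine nor its planned fix.

```python
"""TCP handshake tracking as a stateful firewall sees it: strict vs. tolerant.

Added example, not Clavister code. Packets are constructed tuples
(direction, flags): direction is "c2s" (client to server) or "s2c"
(server to client); flags is a set of TCP flag names.
"""

from typing import Iterable, List, Tuple

Packet = Tuple[str, frozenset]

SYN = frozenset({"SYN"})
SYNACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


def track_handshake(packets: Iterable[Packet], strict: bool) -> Tuple[str, List[str]]:
    """Feed packets (in the order the firewall sees them) through a tracker.

    Returns (final_state, log). States: NEW, SYN_SENT, SYN_RECEIVED,
    ESTABLISHED, DROPPED. Strict mode drops the connection on the first
    packet outside the expected pattern; tolerant mode logs the packet,
    ignores it and lets the handshake complete if the peers recover.
    """
    state = "NEW"
    log: List[str] = []
    for direction, flags in packets:
        flags = frozenset(flags)
        ok = False
        if state == "NEW":
            if direction == "c2s" and flags == SYN:
                state, ok = "SYN_SENT", True
        elif state == "SYN_SENT":
            if direction == "c2s" and flags == SYN:          # client resend
                ok = True
            elif direction == "s2c" and flags == SYNACK:
                state, ok = "SYN_RECEIVED", True
        elif state == "SYN_RECEIVED":
            if direction == "s2c" and flags == SYNACK:       # server resend
                ok = True
            elif direction == "c2s" and flags == SYN:        # client resend
                ok = True
            elif direction == "c2s" and flags == ACK:
                state, ok = "ESTABLISHED", True
        elif state == "ESTABLISHED":
            ok = "SYN" not in flags                          # no SYN once open
        if ok:
            continue
        event = f"state violation: {direction} {'/'.join(sorted(flags))} in {state}"
        if strict:
            log.append(event + " -> connection dropped")
            state = "DROPPED"
            break
        log.append(event + " -> packet ignored")
    return state, log


# Constructed traces, from the firewall's position between the peers.
CLEAN_HANDSHAKE = [("c2s", SYN), ("s2c", SYNACK), ("c2s", ACK)]

# The server's first SYN/ACK is lost before it reaches the firewall. The
# client resends its SYN; the server's stack answers that resend with a
# plain ACK (the behaviour described in the release note) and only later
# retransmits its SYN/ACK, after which the client completes the handshake.
RESEND_WITH_PLAIN_ACK = [
    ("c2s", SYN),
    ("c2s", SYN),      # client retransmit after timeout
    ("s2c", ACK),      # plain ACK answering the resent SYN
    ("s2c", SYNACK),   # server's SYN/ACK retransmit
    ("c2s", ACK),
]

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN_HANDSHAKE), ("resend", RESEND_WITH_PLAIN_ACK)):
        for strict in (True, False):
            state, log = track_handshake(trace, strict)
            print(f"{name:7} strict={strict!s:5} -> {state:12} {log}")
```

The clean handshake ends in ESTABLISHED under both policies. On the lossy trace the strict engine drops the connection at the plain ACK, matching the failed connections the note describes, while the tolerant engine records one violation event and still reaches ESTABLISHED; either way the event is worth logging, since a plain ACK before any SYN/ACK is also what a spoofed or scanning packet would look like.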

    • 'Memory' console command missing
      The 'memory' console command has been temporarily removed. It will be re-implemented in a future release.

    • DEC/Intel Tulip driver may fail to attach during high traffic
      The DEC/Intel Tulip chipset NIC driver may fail to attach on some systems, especially ones with poor PCI buses, if the network card receives a large number of packets during the attach phase.
      The matter is being researched.
     


     VPN Gateway Bug Fixes           

    • Connections through VPN tunnels would sometimes be dropped
      Issue: Statefully tracked connections through VPN tunnels would sometimes be dropped when the configuration was re-read. When this occurred, it was usually on the first reconfiguration after power-up, or after the configuration had been substantially changed.
      Results: The lost connection(s) would have to be re-initiated after the reconfiguration. The VPN tunnels / SA pairs themselves were not affected.
      Affects: VPN gateways v7.00.00 -- v7.01.00.
      Fix: Fixed in v7.01.01.
     


     VPN Gateway Known Bugs / Problems           

    • Fragmented IKE packets are dropped
      If an IKE packet sent to the VPN gateway is fragmented, either during transport, or by the originator, it will be dropped.
      Typically, this is not a problem, as IKE packets tend to be only a few hundred bytes in length - well below the MTU of commonly used network types. However, it will be addressed in a future release.
      Workaround: If this behavior causes problems, you may try decreasing the size of your proposal lists, which will decrease the IKE UDP datagram size.
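To see how the proposal list drives the IKE datagram size, the following added example (not Clavister code) builds an ISAKMP SA payload byte for byte using the RFC 2408 layouts (ISAKMP header, SA, Proposal and Transform payloads, basic data attributes) for a Phase 1 proposal with N transforms, and reports the IPv4/UDP datagram size that results. The transform attribute values, the IPv4 header length without options and the 1500-byte MTU are constructed sample values; a real Phase 1 message also carries other payloads (for example Vendor ID, or KE/Nonce/ID in aggressive mode), so the figure here is a lower bound.

```python
"""Size of an IKE (ISAKMP) SA proposal versus the path MTU.

Added example, not Clavister code. Encodes the RFC 2408 SA/Proposal/
Transform payloads for a Phase 1 proposal with a given number of
transforms, so the effect of a long proposal list on datagram size is
visible. Attribute values below are constructed samples chosen only for
their encoded size.
"""

import struct
from typing import List, Tuple

ISAKMP_HEADER_LEN = 28     # cookies, next payload, version, xchg, flags, msg id, length
IP_HEADER_LEN = 20         # IPv4 without options (assumption)
UDP_HEADER_LEN = 8
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 0, 1, 2, 3
ATTR_BASIC = 0x8000        # AF bit set: a 2-byte value follows the attribute type

# Constructed Phase 1 transform: six basic attributes (encryption, hash,
# authentication method, DH group, life type, life duration), 4 bytes each.
SAMPLE_TRANSFORM_ATTRS: List[Tuple[int, int]] = [
    (1, 5),        # encryption algorithm: 3DES-CBC
    (2, 2),        # hash algorithm: SHA
    (3, 1),        # authentication method: pre-shared key
    (4, 2),        # group description: MODP 1024
    (11, 1),       # life type: seconds
    (12, 28800),   # life duration (fits a basic 2-byte value)
]


def encode_transform(number: int, attrs: List[Tuple[int, int]], last: bool) -> bytes:
    """Transform payload: generic header, transform #, transform-id, reserved, attributes."""
    body = b"".join(struct.pack("!HH", ATTR_BASIC | t, v) for t, v in attrs)
    next_payload = PAYLOAD_NONE if last else PAYLOAD_TRANSFORM
    # transform-id 1 = KEY_IKE for the ISAKMP protocol
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), number, 1, 0) + body


def encode_sa_payload(num_transforms: int, attrs=SAMPLE_TRANSFORM_ATTRS) -> bytes:
    """SA payload (DOI + situation) carrying one proposal with num_transforms transforms."""
    if not 0 <= num_transforms <= 255:
        raise ValueError("transform count is a one-byte field")
    transforms = b"".join(
        encode_transform(i + 1, attrs, last=(i == num_transforms - 1))
        for i in range(num_transforms)
    )
    # proposal #1, protocol-id 1 (ISAKMP), SPI size 0 in Phase 1, transform count
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(transforms),
                           1, 1, 0, num_transforms) + transforms
    # DOI 1 (IPsec), situation 1 (SIT_IDENTITY_ONLY)
    return struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(proposal), 1, 1) + proposal


def ike_datagram_size(num_transforms: int) -> int:
    """IPv4/UDP datagram size for an ISAKMP message holding only the SA payload."""
    return (IP_HEADER_LEN + UDP_HEADER_LEN + ISAKMP_HEADER_LEN
            + len(encode_sa_payload(num_transforms)))


def max_transforms_without_fragmentation(mtu: int = 1500) -> int:
    """Largest proposal list whose SA-only message still fits in one MTU-sized datagram."""
    n = 0
    while n < 255 and ike_datagram_size(n + 1) <= mtu:
        n += 1
    return n


if __name__ == "__main__":
    for n in (1, 10, 20, 50):
        print(f"{n:3} transforms -> {ike_datagram_size(n)} bytes")
    print("fits a 1500-byte MTU up to", max_transforms_without_fragmentation(), "transforms")
```

Each sample transform encodes to 32 bytes, so a datagram carrying just the header and SA payload grows by 32 bytes per transform: with this layout, 44 transforms still fit in a 1500-byte Ethernet MTU and the 45th pushes the message into IP fragmentation, which the gateway described above would drop. The same arithmetic is what the workaround relies on: trimming the proposal list shrinks the IKE UDP datagram directly.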