Clavister Firewall Changes from v8.00.01 to v8.00.02

Release date: 2002-12-03 [ISO]

Users upgrading from v7.0x and earlier versions should read changes-7.0x.xx-to-8.00.02.html. It contains the list of major changes from v7.0x, and also instructions on how to upgrade; the upgrade procedure from v7 to v8 differs markedly from the normal procedure.

Version 8.00.02 contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • New files installed by v8.00.02
  • How to upgrade earlier v8.0x firewalls to v8.00.02
  • How to upgrade v6.0x/v7.0x firewalls to v8.00.02
  • HA upgrade procedure
  • Firewall Manager [Changes] [Bug Fixes]
  • Firewall Core [Changes] [Bug Fixes]
  • Firewall Core - VPN specific [Bug Fixes]
  • Firewall Core - HA specific [Known Bugs / Problems]

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the release notes section of www.clavister.com/support.

     


     Summary of changes and bug fixes                

    All changes and bug fixes affecting the standard firewall core also affect VPN and HA cores, unless explicitly stated otherwise.

    Firewall Manager

  • Change: License files are now automatically written to boot media
  • Bug fix: Log receivers in underlying namespace might not get imported
  • Bug fix: "fwcore.cfg" would not be written to boot media for HA members
  • Bug fix: PBR Table "Ordering" field was always set to "Default"
  • Bug fix: Network card driver "ST-201" option unavailable
  • Bug fix: X.509 certificates with "complex" file names could not be imported
  • Bug fix: "Expected source address" for a firewall could not be altered in log receiver properties
  • Bug fix: Manager would not test for management IP address in VLAN section

    Firewall Core

  • Change: Added "license -remove" console command
  • Change: HA masters without licenses will now run in demo mode
  • Change: More diagnostic output regarding license problems
  • Bug fix: Tulip network card driver could cause crashes
  • Bug fix: FTP ALG sessions could fail due to early port re-use
  • Bug fix: FTP ALG could fail to transfer files from some FTP server types
  • Bug fix: SNMP traffic to the firewall would cause "LocalUndelivered" log entries
  • Bug fix: Interface index 1 presented as "blank" in SNMP

    Firewall Core - VPN specific

  • Bug fix: Hexadecimal PSKs would get treated as passphrases

    Firewall Core - HA specific

  • Known bug: No state synchronization for FTP ALG

     


     New files installed by v8.00.02

    This is a list of the files that are new to the v8.00.02 release. All paths are relative to your Firewall Manager install folder.

    • Cores/fwc-8.00.02-full.cfx
      This is the v8.00.02 full firewall core. Upload it to your existing (standard) firewall, or create new boot media with it. It contains VPN as well as HA functionality.
      Note: VPN firewalls should, as always, use the VPN core file, below.

    • Cores/fwc-8.00.02-novpn.cfx
      This is a version of the v8.00.02 core without VPN support. It is roughly half the size of the full version.

    • Cores/fwcoreup8.exe
      This is the core used to remotely upgrade v7.0x and earlier firewalls. It will install an "8.00.02-full" core.

    • Docs/Changes-8.00.01-to-8.00.02.htm
      This document.

    • FWMgr8.exe
      This is the v8.00.02 Firewall Manager. Earlier version 8 Firewall Managers will be overwritten. Version 7 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr7.exe", and are also typically installed in a different directory.
     


     How to upgrade earlier v8.0x firewalls to v8.00.02                

    Upgrading a previous v8.0x firewall to v8.00.02 is completely straightforward.
    Simply upload the new core, "fwc-8.00.02-full.cfx", to your firewall and restart it. (Alternatively, upload the "-novpn" version if you do not wish VPN functionality.)
     


     HA upgrade procedure                

    There are no incompatibilities in the HA synchronization protocol between 8.00.02 HA cores and earlier v8.0x HA cores. No special procedures are required.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.
    We recommend beginning with the firewall that is currently NOT active (not necessarily the slave firewall), as this will lead to only one fail-over. Starting the upgrade procedure with the currently active firewall necessitates two fail-overs.
     


     Firewall Manager Changes                

    • License files are now automatically written to boot media
      When new boot media is created (through "Save to Boot Media" or "Create Boot Media"), and a license is bound to the firewall, the license file "license.lic" will automatically be created on the boot media. Manual upload of the license after the firewall has been booted is no longer required.
     


     Firewall Manager Bug Fixes                

    • Log receivers in underlying namespace might not get imported
      Issue: As with all other shared resources, log receivers specified in an underlying namespace should be imported into the firewall configuration and made available to the running firewall on configuration upload.
      Problem: Unless a log receiver was explicitly named in the firewall configuration, it would not be imported.
      Results: Wildcard log settings such as "All log receivers" could yield unexpected results. In the extreme case, if no log receivers were specified locally in the firewall's configuration, and all log statements were wildcards, no log receivers would be imported, and hence the firewall would send no log events.
      Fixed: Fixed in v8.00.02. All log receiver definitions from underlying namespaces are now uploaded to the firewall, regardless of whether they are used or not.
      Affects: v8.00.00 - v8.00.01.

    • "fwcore.cfg" would not be written to boot media for HA members
      Issue: When boot media is created for a fully functional firewall, the configuration file, "fwcore.cfg", should be written to the media.
      Problem: The configuration file was not written to the boot media for HA members.
      Results: HA members, when booted from this boot media, would not work. One could however enter the setup phase and create a new minimal configuration that the firewall could start from, and then upload the correct configuration from the firewall manager.
      Fixed: Fixed in v8.00.02.
      Affects: v8.00.00 - v8.00.01.

    • PBR Table "Ordering" field was always set to "Default"
      Issue: The Firewall Manager would always parse Policy Based Routing Table ordering as "Default" on configuration reads; "First" ordering could not be used.
      Fixed: Fixed in v8.00.02.
      Affects: v8.00.00 - v8.00.01.

    • Network card driver "ST-201" option unavailable
      Issue: The option to select the "ST-201" network card driver was missing from the driver configuration dialog. This is the driver used by, among others, the D-Link DFE580TX 4-port card.
      Results: Upgrades from earlier versions would work. However, the GUI could not be used to select the ST-201 driver; the configuration file would have to be edited manually.
      Fixed: Fixed in v8.00.02.
      Affects: v8.00.00 - v8.00.01.

    • X.509 certificates with "complex" file names could not be imported
      Issue: X.509 certificates with spaces in the file name, or a file name longer than 31 characters could not be imported.
      Fixed: Fixed in v8.00.02. Spaces in file names will now be converted to underscores when the file is imported, and length truncation is carried out properly.
      Affects: v8.00.00 - v8.00.01.

    • "Expected source address" for a firewall could not be altered in log receiver properties
      Issue: Clavister Firewall Log Receivers are configured with the IP address of the firewalls allowed to send log entries to them. By default, this IP address is the same address as the Firewall Manager uses for communication with the firewall. However, if the log receiver is reached through another interface of the firewall, log entries arrive from that interface's address, and the expected address must be changed to match.
      Problem: The "expected source address" could not be changed in the log receiver properties; changes would not be accepted.
      Results: In situations where the IP address needed to be changed, the log receiver would refuse to accept log entries from the firewall, and emit event log entries on the server in question:
      "Unauthorized send from IP 123.123.123.123 occured 234 time(s)"
      Fixed: Fixed in v8.00.02.
      Affects: v8.00.00 - v8.00.01.

    • Manager would not test for management IP address in VLAN section
      Issue: When the Firewall Manager uploads a new configuration to a firewall, it tests whether the IP address it is configured to communicate with is actually available on the firewall in order to detect changes. If it does not find this IP address, it will prompt the user for which address to attempt communication with.
      Problem: The Manager would not compare the current management IP address to addresses specified in the VLAN section.
      Results: If the Manager was set to communicate with the IP address of a VLAN interface, it would always prompt the user for which address to attempt communication with.
      Fixed: Fixed in v8.00.02.
      Affects: v8.00.00 - v8.00.01.
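The source-address check behind the "Expected source address" item above, as an added example that is not Clavister's code: a minimal log receiver that accepts entries only from the configured firewall addresses and counts everything else per sender. The addresses, the log lines and the event-line wording are constructed for illustration; the example shows why a receiver that is still configured with the management address silently loses every entry when the firewall logs from a different interface.

```python
"""Added example, not Clavister code: a minimal log receiver that enforces an
"expected source address" list the way the text above describes.  Datagrams
from a configured firewall address are accepted; anything else is dropped and
counted per sender so it can be reported as an "Unauthorized send" event.
All addresses and log lines below are constructed for illustration."""
from collections import Counter
from ipaddress import ip_address
from typing import List, Tuple


class LogReceiver:
    def __init__(self, expected_sources: List[str]) -> None:
        # Parse once so textual variants of the same address compare equal.
        self.expected = {ip_address(a) for a in expected_sources}
        self.accepted: List[Tuple[str, str]] = []
        self.unauthorized: Counter = Counter()

    def receive(self, src_ip: str, payload: str) -> bool:
        """Accept the entry only if its source is an expected firewall address."""
        if ip_address(src_ip) in self.expected:
            self.accepted.append((src_ip, payload))
            return True
        self.unauthorized[src_ip] += 1
        return False

    def event_log(self) -> List[str]:
        """One event line per rejected sender, in the style quoted above."""
        return [f"Unauthorized send from IP {ip} occurred {n} time(s)"
                for ip, n in sorted(self.unauthorized.items())]


# Constructed scenario: the Manager reaches the firewall on 192.0.2.1, but the
# log receiver sits behind the DMZ interface and sees the firewall's DMZ
# address 198.51.100.1 on every log datagram.  A stray host on 203.0.113.9
# also sends a line it should not.
SAMPLE_DATAGRAMS = [
    ("198.51.100.1", "2002-12-03 10:00:01 CONN conn_open TCP ..."),
    ("198.51.100.1", "2002-12-03 10:00:02 DROP rule=DropAll ..."),
    ("203.0.113.9",  "2002-12-03 10:00:02 bogus entry"),
    ("198.51.100.1", "2002-12-03 10:00:03 CONN conn_close TCP ..."),
]


def run(expected_sources: List[str]) -> Tuple[int, List[str]]:
    """Feed the sample datagrams through a receiver; return (accepted, events)."""
    rx = LogReceiver(expected_sources)
    for src, line in SAMPLE_DATAGRAMS:
        rx.receive(src, line)
    return len(rx.accepted), rx.event_log()


if __name__ == "__main__":
    # Expected address left at the management address: every real entry is lost.
    print(run(["192.0.2.1"]))
    # Expected address changed to the DMZ address: entries flow, stray host reported.
    print(run(["198.51.100.1"]))
```

A source-address list on a datagram log protocol filters misconfiguration and casual noise; it does not authenticate the sender, since the source address of a datagram can be forged. Treat the "Unauthorized send" counter as a configuration hint, not as an intrusion signal on its own.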
     


     Firewall Core Changes                

    • Added "license -remove" console command
      A license file installed on a firewall can now be removed from the firewall through the "license -remove" console command.
      This can be helpful if an erroneous license is uploaded, which results in the firewall entering "local lockdown mode", where only administrative traffic to the firewall itself is allowed.
      With the license removed, the firewall will instead run in 2-hour evaluation mode, which allows normal operation during that time.

    • HA masters without licenses will now run in demo mode
      Normal firewalls without licenses run in 2-hour demo mode.
      HA setups, however, are normally not allowed to run in demo mode, since, with an HA setup, one could, for all intents and purposes, bypass the 2-hour restriction.
      However, this also means that one could not connect to the internet to retrieve a working license file through a cluster without licenses.

      Hence, an exception has now been made for HA masters; if they have no license file, they will now run in 2-hour demo mode, just like normal firewalls.

    • More diagnostic output regarding license problems
      The license parser will now emit a lot more diagnostic output if there was a problem parsing the license file.
      If there was a problem, the "license" console command will also remember this output and display the exact cause of the problem rather than a generic "this license is currently not in use".
     


     Firewall Core Bug Fixes                

    • Tulip network card driver could cause crashes
      Issue: A bug in the Tulip network card driver could cause crashes when the configuration file was (re-)read. Normally, this results in the firewall core restarting after a few seconds.
      The "Tulip" driver is used, among others, for the D-Link DFE570TX 4-port cards.
      Affects: Firewall cores v8.00.00 - v8.00.01.
      Fixed: Fixed in v8.00.02.

    • FTP ALG sessions could fail due to early port re-use
      Issue: The FTP ALG could re-use ports of dynamic data channels too soon. The random port allocation algorithm did not allow for the required delay after recently using a port. It should also be noted that this is, in part, dependent on the implementation of the FTP server and its sensitivity to early re-use of port numbers.
      Results: Single file transfers would always succeed, but with increasing numbers of files transferred / directories listed in rapid succession, the risk of the session failing would increase.
      Affects: Firewall cores v8.00.00 - v8.00.01.
      Fixed: Fixed in v8.00.02. The port selection algorithm will now refrain from re-using recently used port numbers.

    • FTP ALG could fail to transfer files from some FTP server types
      Issue: All FTP commands should, according to the FTP RFC (RFC 959), be terminated by a carriage return followed by a line feed. The FTP ALG terminated "PORT" commands using only a line feed.
      Results: Most servers accept improperly terminated commands, but it can cause some servers to freeze the command channel shortly after the login sequence.
      This behavior was observed with the Serv-U FTPd.
      Affects: Firewall cores v8.00.00 - v8.00.01.
      Fixed: Fixed in v8.00.02.

    • SNMP traffic to the firewall would cause "LocalUndelivered" log entries
      Issue: Every (allowed) SNMP packet to the firewall would cause a "LocalUndelivered" log entry.
      Affects: Firewall cores v8.00.00 - v8.00.01.
      Fixed: Fixed in v8.00.02.

    • Interface index 1 presented as "blank" in SNMP
      Issue: The interface list, as presented through SNMP, would always contain a blank interface on position 1.
      Affects: Firewall cores v8.00.00 - v8.00.01.
      Fixed: Fixed in v8.00.02. Note that SNMP polling setups using interface numbers generated from 8.00.00/8.00.01 cores will have to be adjusted.
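The two FTP ALG items above (early data-port re-use, and PORT commands terminated with a bare LF) as one added example, not Clavister's code: a data-port allocator that keeps recently released ports out of circulation for a cooldown period, and a PORT command builder and parser that insist on the CRLF terminator RFC 959 requires. The port range, the cooldown length, the addresses and the deterministic clock are assumptions chosen for illustration; the core's actual values are not documented on this page.

```python
"""Added example, not Clavister code: the two FTP ALG defects fixed in 8.00.02,
modelled as a small data-channel helper.

  * DataPortAllocator picks a random data port but will not hand out a port
    released less than `cooldown` seconds earlier (the early re-use problem).
  * build_port_command() terminates the PORT line with CRLF as RFC 959 requires
    (the bare-LF problem), and is_properly_terminated() checks for it.

The port range, the cooldown length and the addresses are assumptions made
for illustration; the core's real values are not documented here."""
import random
import time
from typing import Callable, Dict, List, Optional, Set, Tuple


class DataPortAllocator:
    def __init__(self, low: int = 40000, high: int = 40999, cooldown: float = 120.0,
                 clock: Callable[[], float] = time.monotonic,
                 rng: Optional[random.Random] = None) -> None:
        self.low, self.high, self.cooldown, self.clock = low, high, cooldown, clock
        self.rng = rng or random.SystemRandom()
        self.in_use: Set[int] = set()
        self.released: Dict[int, float] = {}      # port -> time it was released

    def _expire(self) -> None:
        """Drop ports whose cooldown has elapsed."""
        now = self.clock()
        for port, released_at in list(self.released.items()):
            if now - released_at >= self.cooldown:
                del self.released[port]

    def available(self) -> List[int]:
        """Ports that are neither busy nor still cooling down."""
        self._expire()
        return [p for p in range(self.low, self.high + 1)
                if p not in self.in_use and p not in self.released]

    def allocate(self) -> int:
        """Random choice among the available ports; refuses recent ones."""
        candidates = self.available()
        if not candidates:
            raise RuntimeError("no data port outside the re-use cooldown window")
        port = self.rng.choice(candidates)
        self.in_use.add(port)
        return port

    def release(self, port: int) -> None:
        self.in_use.discard(port)
        self.released[port] = self.clock()


def build_port_command(ip: str, port: int) -> bytes:
    """PORT h1,h2,h3,h4,p1,p2 with the CRLF terminator RFC 959 mandates."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("PORT needs a dotted-quad IPv4 address")
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return f"PORT {','.join(octets)},{port >> 8},{port & 0xFF}\r\n".encode("ascii")


def is_properly_terminated(line: bytes) -> bool:
    """A bare LF, which the 8.00.0x ALG sent, is not a valid command terminator."""
    return line.endswith(b"\r\n")


def parse_port_command(line: bytes) -> Tuple[str, int]:
    """Inverse of build_port_command; rejects lines without CRLF."""
    if not is_properly_terminated(line) or not line.startswith(b"PORT "):
        raise ValueError("malformed PORT command")
    fields = [int(x) for x in line[5:-2].decode("ascii").split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, fields[:4])), (fields[4] << 8) | fields[5]


class FakeClock:
    """Deterministic clock so the burst below is reproducible."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def burst(transfers: int, clock: Optional[FakeClock] = None) -> List[int]:
    """Open and close one data channel per transfer, half a second apart, the
    way a client listing directories in rapid succession does.  With the
    cooldown in place every port handed out is distinct."""
    clock = clock or FakeClock()
    alloc = DataPortAllocator(low=40000, high=40099, cooldown=120.0,
                              clock=clock, rng=random.Random(7))
    ports = []
    for _ in range(transfers):
        port = alloc.allocate()
        ports.append(port)
        alloc.release(port)          # transfer finished: port enters cooldown
        clock.advance(0.5)
    return ports


if __name__ == "__main__":
    print(burst(20))
    print(build_port_command("192.0.2.10", 40001))
```

The cooldown has to be sized against the port range: a burst longer than the range divided by the cooldown period exhausts the allocator, which is the correct failure (refuse the channel) rather than the old one (hand out a port the server may still consider attached to a previous transfer).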
     


     Firewall Core - VPN Specific Bug Fixes                

    • Hexadecimal PSKs would get treated as passphrases
      Issue: Hexadecimal Pre-Shared Keys would get treated as passphrases rather than hexadecimal numbers, e.g. a key 1A2B3C4D would literally be treated as the passphrase "1A2B3C4D" (the eight ASCII characters, not the four bytes 1A 2B 3C 4D).
      Results: Affected versions are able to interoperate with each other using "hexadecimal" PSKs. However, they would not be able to interoperate with other VPN gateways, since the two sides derive their keying material from different key bytes.
      No security vulnerability arises out of this behavior; the ASCII form is a reversible encoding of the same bits, so the actual entropy (effective key space) remains exactly the same.
      Affects: Firewall cores v8.00.00 - v8.00.01.
      Fixed: Fixed in v8.00.02. Note that fixing the problem, by necessity, breaks compatibility with earlier v8.0x cores.
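What the hexadecimal-PSK defect does to IKE key derivation, as an added example that is not Clavister's code. RFC 2409 (IKEv1) derives SKEYID = prf(pre-shared-key, Ni_b | Nr_b) when authenticating with a pre-shared key; HMAC-SHA1 stands in as the prf below. The configured key, the nonces and the fixed/affected pairings are constructed for illustration. The example shows why two affected cores still agree with each other, why an affected core and a correct one do not, and why the mistake changes the key bytes without changing the size of the key space.

```python
"""Added example, not Clavister code: what the 8.00.0x PSK defect does to
IKEv1 key derivation, and why it breaks interoperability without weakening
the key.  RFC 2409 derives SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for
pre-shared-key authentication; HMAC-SHA1 stands in as the prf here.  The
configured key, the nonces and the peer roles are constructed for illustration."""
import hashlib
import hmac
import string


def psk_as_hex(configured: str) -> bytes:
    """Correct handling: "1A2B3C4D" is the 4-byte key 1a 2b 3c 4d."""
    return bytes.fromhex(configured)


def psk_as_passphrase(configured: str) -> bytes:
    """The 8.00.00-8.00.01 behaviour: the same text used verbatim, i.e. the
    8 ASCII bytes 31 41 32 42 33 43 34 44."""
    return configured.encode("ascii")


def is_hex_literal(configured: str) -> bool:
    """True if the string *could* be a hex key: even length, hex digits only.
    "deadbeef" is ambiguous, which is why a configuration should carry an
    explicit hex/passphrase flag rather than guess from the text."""
    return (configured != "" and len(configured) % 2 == 0
            and all(c in string.hexdigits for c in configured))


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def peers_agree(local_psk: bytes, remote_psk: bytes, ni: bytes, nr: bytes) -> bool:
    """Both sides see the same nonces; they agree only if they fed the prf the
    same key bytes.  compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(skeyid(local_psk, ni, nr), skeyid(remote_psk, ni, nr))


def key_space_bits(configured: str) -> int:
    """The passphrase reading is a reversible encoding of the hex reading, so a
    guessing attacker faces the same 16**n keys either way: the byte string
    is twice as long but carries no more entropy."""
    return 4 * len(configured)


# Constructed values: a hex PSK as an administrator would type it, and the two
# IKE nonces exchanged in the handshake.
CONFIGURED_PSK = "1A2B3C4D"
NI = bytes.fromhex("00112233445566778899aabbccddeeff")
NR = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def interop_matrix() -> dict:
    """Which pairings of a fixed (8.00.02) and an affected (8.00.0x) gateway
    derive the same SKEYID from the same configured key."""
    fixed, affected = psk_as_hex(CONFIGURED_PSK), psk_as_passphrase(CONFIGURED_PSK)
    return {
        "fixed<->fixed":       peers_agree(fixed, fixed, NI, NR),
        "affected<->affected": peers_agree(affected, affected, NI, NR),
        "fixed<->affected":    peers_agree(fixed, affected, NI, NR),
    }


if __name__ == "__main__":
    for pairing, ok in interop_matrix().items():
        print(f"{pairing:22s} {'agree' if ok else 'MISMATCH'}")
```

The practical consequence for an upgrade is the one the note above states: a tunnel between an 8.00.02 core and a still-affected 8.00.0x peer using a hex PSK will fail until the peer is upgraded too (or the key is re-entered as a passphrase on both sides), so upgrade both ends of such a tunnel in the same maintenance window.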
     


     Firewall Core - HA Known Bugs / Problems                

    • No state synchronization for FTP ALG
      No aspect of the FTP ALG is state synchronized.

      This means that control channels as well as data channels established through the FTP ALG will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
      Note that such failover occurs each time a new configuration is uploaded.