Clavister Firewall Changes from v8.00.05 to v8.00.06

Release date: 2003-05-21 [ISO]

Users upgrading from v7.0x and earlier versions should read changes-7.0x.xx-to-8.00.02.html first. It contains the list of major changes from v7.0x, and also instructions on how to upgrade; the upgrade procedure from v7 to v8 differs markedly from the normal procedure. Once the firewall is upgraded to 8.00.02, you can follow the procedures in this document.

Version 8.00.06 contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • New files installed by v8.00.06
  • How to upgrade earlier v8.0x firewalls to v8.00.06
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager: [Bug Fixes]
  • Firewall Core: [Changes] [Bug Fixes]
  • Firewall Core - VPN specific: [Changes] [Bug Fixes] [Known Bugs / Problems]
  • Firewall Core - HA specific: [Changes] [Bug Fixes] [Known Bugs / Problems]

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the release notes section of www.clavister.com/support.



     Summary of changes and bug fixes                
    All changes and bug fixes affecting the standard firewall core also affect VPN and HA cores, unless explicitly stated otherwise.

    Firewall Manager
      Bug fix: "0.0.0.0/0" gets replaced by the first comment row in the "Hosts & Networks" section
      Bug fix: Collision resolution fails for IKE/IPsec proposal lists in nested namespaces
      Bug fix: Manager misparses single-host aliases as groups
      Bug fix: DHCP client "preferred lease time" defaults to 1 minute

    Firewall Core
      Change: "Safe mode" config parsing implemented
      Change: New setting allows Checkpoint SecuRemote UDP encapsulation through CFW
      Change: Ping monitor with automatic config re-read (NIC reset) implemented
      Change: FTP ALG now emits log entries if the configured "max line length" is exceeded
      Change: Log events now emitted for NetconBeforeRules/SNMPBeforeRules/IPsecBeforeRules
      Bug fix: Turning ICMPRet/SYNRelay off for a service doesn't take effect until after reboot
      Bug fix: If enabled, the DHCP relayer will tamper with DHCP packets it should not touch
      Bug fix: ST201 NIC (DFE-550/580TX) transceiver hang bug

    Firewall Core - VPN specific
      Change: Config parser will now allow missing certificates
      Change: Public key precalculations removed
      Bug fix: IKE delete messages not sent on config re-read
      Bug fix: VPN tunnels between HA clusters and some gateway types would fail
      Bug fix: "Local nets" consisting of netobject groups would not work properly
      Known bug: Interoperability problem with 7.0x gateways (unstable tunnels)

    Firewall Core - HA specific
      Change: Cluster Heartbeats changed to avoid reflected duplicates (extraneous logs)
      Change: ARP queries are now sent from the shared IP (from the active cluster member)
      Change: Relayed DHCP requests now use the shared IP as "gateway identifier"
      Bug fix: Erroneous "This rule will never trigger" warnings
      Known bug: No state synchronization for FTP ALG



     New files installed by v8.00.06                
    This is a list of the files that are new to the v8.00.06 release. All paths are relative to your Firewall Manager install folder.
    » Cores/fwc-8.00.06-full.cfx
    This is the v8.00.06 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains VPN as well as HA functionality.
    » Cores/fwc-8.00.06-novpn.cfx
    This is a version of the v8.00.06 core without VPN support. It is roughly half the size of the full version.
    » Cores/fwcoreup8.exe
    This is the core used to remotely upgrade v7.0x and earlier firewalls. It will install a "8.00.02-full" core.
    » Docs/Changes-8.00.05-to-8.00.06.html
    This document.
    » FWMgr8.exe
    This is the v8.00.06 Firewall Manager. Earlier version 8 Firewall Managers will be overwritten. Version 7 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr7.exe", and are also typically installed in a different directory.


     How to upgrade earlier v8.0x firewalls to v8.00.06                
    Upgrading a previous v8.0x firewall to v8.00.06 is completely straightforward.
    Simply upload the new core, "fwc-8.00.06-full.cfx", to your firewall and restart it.
    (Alternatively, upload the "-novpn" version if you do not wish VPN functionality.)


     HA upgrade procedure                
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    There are no incompatibilities in the HA synchronization protocol between 8.00.06 HA cores and earlier v8.0x HA cores. No special procedures are required.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

    We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active firewall ("firewall A") and restart it.
    • Issue a 'reconfigure' on the firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
    • Upload the core to firewall B and restart it.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
    1) cause two failovers manually, or
    2) connect to it via e.g. the remote console just to make sure it's running, or
    3) if ALG synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive firewall ("firewall B") and restart it.
    • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
    • Upload the core to firewall A and restart it.
    • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.
    Again, note that the "availability" issues only affect ALGs. All other states are, as usual, fully synchronized and not affected in either procedure.


     Firewall Manager Bug Fixes                
    "0.0.0.0/0" gets replaced by the first comment row in the "Hosts & Networks" section
        Issue: A numeric "0.0.0.0/0" anywhere but the "Hosts & Networks" section would get replaced by the contents of the first comment row in the "Hosts & Networks" section. If, however, there are no comment rows, the bug would not trigger.
        Result: The firewall manager would most likely refuse to save the configuration.
        Fix: Fixed in v8.00.06 and v8.10.00
        Affects: v8.00.00 - v8.00.05

    Collision resolution fails for IKE/IPsec proposal lists in nested namespaces
        Issue: IKE and IPsec proposal lists for firewalls in a namespace that resides inside a second namespace, where the proposal lists are defined, would always be reported as "colliding" each time the firewall's configuration was opened.
        Fix: Fixed in v8.00.06 and v8.10.00
        Affects: v8.00.00 - v8.00.05

    Manager misparses single-host aliases as groups
        Issue: It is possible to alias one host as another host, e.g. having "ip_ext=1.2.3.4" and then "wwwsrv-pub=ip_ext".
        Problem: This results in two problems:
    » Such host aliases could not be used in ranges, e.g.
    "host1=1.2.3.4, host2=2.3.4.5, range1=host1 - host2" would work, but
    "alias1=host1, alias2=host2, range2=alias1 - alias2" would not.
    » If host aliases were used as interface IP addresses, the manager would always pop up the "Select management interface IP" dialog on config upload, asking for what IP address to talk to.
        Fix: Fixed in v8.00.06 and v8.10.00
        Affects: v8.00.00 - v8.00.05

    DHCP client "preferred lease time" defaults to 1 minute
        Issue: The "preferred lease time" defaults to 1 minute when DHCP is enabled on an interface.
        Results: Most likely none, except the DHCP lease will be renewed unnecessarily often. You may want to change existing setups to use a higher preferred lease time, or clear the field to have the DHCP client obey what the server says.
        Fix: Fixed in v8.00.06 and v8.10.00. The new default is "no preferred lease time" - obey what the server says.
        Affects: v8.00.00 - v8.00.05 (only the default value)



     Firewall Core Changes                
    "Safe mode" config parsing implemented
        Issue: If a configuration fails due to an out-of-memory condition, it may be the case that the firewall will never be able to successfully parse it. This could, for instance, happen after a new core is uploaded that consumes slightly more memory than the previous version did.
        Change: If the current configuration fails to parse, another attempt will now be made in "safe mode", where all known RAM consuming settings are forced to an absolute minimum. In "safe mode", only administrative traffic is allowed, i.e. the firewall runs in "local lockdown mode".
    While the firewall is effectively "down" as far as users are concerned, remote administration of the firewall is now possible, and the underlying problem can be corrected remotely.
        See: KB #10027 for more information.

    New setting allows Checkpoint SecuRemote UDP encapsulation through CFW
        Issue: Checkpoint's SecuRemote UDP encapsulation (NAT traversal) uses UDP in a non-standard way, which Clavister Firewall blocks.
        Change: Enabling the new setting "SecuRemoteUDPEncapCompat" weakens the UDP layer consistency checks somewhat and allows SecuRemote's UDP encapsulation through the firewall.
        See: KB #10020 for more information.

    Ping monitor with automatic config re-read (NIC reset) implemented
        Change: As an experimental version of dead interface/link detection, a "ping monitor" that causes a config-re-read (NIC reset) on link problems has been implemented.
        See: KB #10019 for more information.

    FTP ALG now emits log entries if the configured "max line length" is exceeded
        Change: It was previously hard to determine if a configured "max line length" was sufficient. The FTP ALG will now emit detailed log entries if the limit is exceeded.
        Note: The "max line length" setting currently defaults to 128 characters. As of 8.10.00, the default will be 256 characters. We recommend that you review your line length settings and, unless there is a good reason not to, increase them to 256.
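The log entry described above fires when an FTP control-channel line is longer than the configured limit. The following is an added example, not Clavister code, of how an ALG can enforce such a bound while reassembling lines from a TCP byte stream: the check must run on the partial line before any CRLF arrives, otherwise a sender could grow the buffer without limit. The segment contents, the `max_line_length` default of 128, the log wording and the `FtpLineReassembler` name are constructed for the example; the 128 vs 256 comparison shows why a long pathname can exceed the old default.

```python
"""Added example (not Clavister code): bounded FTP control-channel line reassembly."""
from typing import List, Tuple


class FtpLineReassembler:
    """Reassembles CRLF-terminated FTP command lines from TCP segment payloads,
    enforcing a maximum line length even before the terminator is seen."""

    def __init__(self, max_line_length: int = 128) -> None:
        self.max_line_length = max_line_length
        self.buffer = bytearray()
        self.discarding = False           # True while swallowing the rest of an oversize line
        self.lines: List[bytes] = []      # complete, accepted lines
        self.log: List[str] = []          # constructed log entries for violations

    def _log_overflow(self, peer: str, length: int, prefix: bytes) -> None:
        self.log.append(
            "FTP_ALG max_line_length exceeded: peer=%s len=%d limit=%d prefix=%r"
            % (peer, length, self.max_line_length, prefix))

    def feed(self, segment: bytes, peer: str = "client") -> None:
        """Feed one segment's payload. Accepted lines land in self.lines; an
        oversize line is logged once and discarded up to its terminating CRLF."""
        self.buffer += segment
        while True:
            idx = self.buffer.find(b"\r\n")
            if idx == -1:
                if self.discarding:
                    self.buffer.clear()
                elif len(self.buffer) > self.max_line_length:
                    # No terminator yet, but the partial line already exceeds the
                    # bound: log now rather than wait for a CRLF that may never come.
                    self._log_overflow(peer, len(self.buffer), bytes(self.buffer[:16]))
                    self.buffer.clear()
                    self.discarding = True
                return
            line = bytes(self.buffer[:idx])
            del self.buffer[:idx + 2]
            if self.discarding:
                self.discarding = False   # the oversize line has ended; resume normally
                continue
            if len(line) > self.max_line_length:
                self._log_overflow(peer, len(line), line[:16])
                continue
            self.lines.append(line)


# Constructed sample traffic: a 169-byte CWD line whose CRLF arrives in a later segment.
SAMPLE_SEGMENTS = [
    b"USER anonymous\r\nPASS guest@example.org\r\n",
    b"CWD /pub/" + b"very-long-directory-name/" * 4,   # 109 bytes, no terminator yet
    b"x" * 60 + b"\r\nPWD\r\n",                          # CRLF for the CWD line arrives here
]


def run_sample(max_line_length: int) -> Tuple[List[bytes], List[str]]:
    """Run the sample segments through the reassembler with the given limit."""
    alg = FtpLineReassembler(max_line_length)
    for seg in SAMPLE_SEGMENTS:
        alg.feed(seg)
    return alg.lines, alg.log


if __name__ == "__main__":
    for limit in (128, 256):
        lines, log = run_sample(limit)
        print("limit=%d accepted=%d logged=%d" % (limit, len(lines), len(log)))
        for entry in log:
            print("  " + entry)
```

With the limit at 128 the CWD line is logged and dropped while the surrounding USER, PASS and PWD lines are still delivered; at 256 the same traffic passes cleanly, which is the effect of the recommended setting change.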

    Log events now emitted for NetconBeforeRules/SNMPBeforeRules/IPsecBeforeRules
        Issue: As of v8.00.00, there are settings for allowing Netcon (firewall remote control), SNMP and IPsec directly to the firewall without examining the ruleset.
        Change: As of v8.00.06 and v8.10.02, log events are now emitted for all connections permitted by these settings. If logging is not wanted, simply disable the settings and write your own rules for the respective traffic types with logging disabled.



     Firewall Core Bug Fixes                
    Turning ICMPRet/SYNRelay off for a service doesn't take effect until after reboot
        Issue: Turning the "Return ICMP errors" or "SYN relay" options off for a service wouldn't take effect until after a reboot.
        Fix: Fixed in v8.00.06 and v8.10.00
        Affects: v8.00.00 - v8.00.05

    If enabled, the DHCP relayer will tamper with DHCP packets it should not touch
        Issue: If the DHCP relayer was enabled, it would tamper with DHCP packets that its ruleset says it should not touch ("Ignore" actions) in such a way that the checksum breaks.
        Results: If the DHCP relayer is enabled and if there are DHCP packets routed through the firewall that the DHCP relayer is told to ignore, those packets will become broken (bad checksum) and will hence be dropped by the destination (server, most likely).
        Fix: Fixed in v8.00.06 and v8.10.00. The DHCP relayer now properly ignores DHCP packets that it is told to ignore.
        Affects: v8.00.00 - v8.00.05

    ST201 NIC (DFE-550/580TX) transceiver hang bug
        Issue: The transceiver of st201-based NICs, e.g. DFE 550/580, could hang under heavy load, especially in half-duplex 100 Mbit/s environments.
        Fix: Fixed in v8.00.06 and v8.10.00
        Affects: v7.03.00 - v8.00.05.



     Firewall Core - VPN Specific Changes                
    Config parser will now allow missing certificates
        Issue: Previously, using non-existent certificates in the configuration file would result in config errors. Since the certificate storage is separate from the configuration file, and since it is not created when the Firewall Manager creates new boot media, this behavior has now been changed.
        Change: Missing certificates now result in warnings, allowing the config file to parse successfully although, obviously, tunnels relying on the missing certificates can not be opened.

    Public key precalculations removed
        Issue: VPN gateways have spent a certain amount of time after startup pre-calculating Diffie-Hellman group (public key crypto) data. This quite CPU-intense task has been spread out in small batches over quite a long time, resulting in regularly occurring (every 15 seconds or so) spikes in CPU load.
        Change: These precalculations have been removed. While not a problem in the majority of scenarios, they could affect throughput somewhat in heavily loaded systems; and were especially cumbersome in zero-loss performance tests where one had to wait until the precalculations were done.



     Firewall Core - VPN Specific Bug Fixes                
    IKE delete messages not sent on config re-read
        Issue:
    » When the configuration of a VPN tunnel changes, it must be closed so that all parameters can be re-negotiated. Closing a tunnel is done through IKE delete messages.
    » Clavister Firewall currently cannot track VPN tunnel changes individually. All tunnels after the first difference are considered "changed", and are thus closed.
        Problem: IKE delete messages cannot be sent during the config re-read.
        Result: All "changed" tunnels would become dysfunctional until a new negotiation took place for those tunnels. This means:
    » If packets were sent from behind the gateway that re-read its configuration, it would immediately negotiate a new tunnel and there would be no disruption.
    » However, packets from behind the other gateway would not result in re-negotiation, as that gateway believed it already had a working tunnel. Communication would be disrupted until the next re-keying time, or the tunnel was otherwise torn down.
        Fix: As of v8.00.06 and v8.10.00, IKE delete messages are queued and sent after the config has finished parsing.
        Affects: v8.00.00 - v8.00.05.

    VPN tunnels between HA clusters and some gateway types would fail
        Issue: HA clusters were using their unique IP addresses as phase 1 IKE IDs. Some VPN gateways (one known is Dlink DL-804) refuse to set up such tunnels.
        Fix: FWCore v8.00.06 and v8.10.00 picks the shared IP for its phase 1 IKE ID
        Affects: v8.00.00 - v8.00.05 HA VPN clusters.

    "Local nets" consisting of netobject groups would not work properly
        Issue: VPN tunnels using a group of networks as their "local net" would not work properly. Everything should work fine for the first network in the group, but after changes to the VPN section, tunnels to other networks in the group might cease working until the next reboot.
        Fix: Fixed in v8.00.06 and v8.10.00.
        Affects: v8.00.00 - v8.00.05.



     Firewall Core - VPN Specific Known Problems                
    Interoperability problem with 7.0x gateways (unstable tunnels)
        Problem: We have received reports of tunnel instability problems between 7.0x and 8.00.04(-pre) VPN gateways. We are currently investigating these reports; it is possible, albeit not certain, that these problems are linked to IKE SAs having lifetimes over four hours.
        Action: Please report any such problems to support@clavister.com, and, if possible, the results of lowering the IKE lifetime to four hours or less.



     Firewall Core - HA Changes                
    Cluster Heartbeats changed to avoid reflected duplicates (extraneous logs)
        Issue: Cluster heartbeats are sent to a multicast ethernet address. The layer 3 (IP) destination address was previously the shared IP address of the cluster. However, some misbehaving layer 3 switches and routers are prone to picking up such packets, in spite of the multicast layer 2 destination address, and re-sending them. The cluster would then receive duplicates of its heartbeat packets, but destined to the wrong hardware address, due to the normal routing applied to the packet by the misbehaving units.
        Results: The duplicate heartbeats would not be picked up as heartbeats due to the mismatching hardware address. Instead, they would be picked up by the normal ruleset and then be dropped and logged. This is merely a nuisance, and has no negative impact on the cluster's function.
        Change: Heartbeats are now sent to the broadcast IP address. It is less likely that misbehaving units will reflect such datagrams.

    ARP queries are now sent from the shared IP (from the active cluster member)
        Issue: HA firewalls with (VLAN?) interfaces where only the shared IP is a legal local IP have had problems with certain network units that refuse to process ARP queries sent from non-local IP addresses.
    Though it has been possible to work around such problems by setting "LocalIP" for the affected routes, the default behavior is now changed.
        Change: The active cluster member will now default to sending ARP queries from the shared IP address. The inactive member, however, will still send ARP queries from its unique IP address - not doing so would cause network units to direct their traffic to the wrong cluster member.

    Relayed DHCP requests now use the shared IP as "gateway identifier"
        Issue: In a scenario with e.g. multiple VLAN interfaces where only the shared IP is a legal local IP, and the unique IP addresses of the VLAN interfaces are left unmodified (same as the physical interface's), a DHCP server would not be able to distinguish between requests relayed from different VLANs. It would be beneficial to use the shared IP address instead.
        Change: The "gateway identifier" filled out in relayed DHCP requests is now taken from the shared IP address rather than the unique IP address.
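The "gateway identifier" is the BOOTP giaddr field, and a relayer that rewrites it has to recompute the UDP checksum, which is also why the DHCP relayer bug fixed in this release ("packets it is told to ignore become broken (bad checksum)") caused the destination to drop those packets. The following is an added example, not Clavister code, showing both halves: a relay step that stamps a cluster's shared IP into giaddr and fixes the checksum (an "ignore" decision returns the datagram untouched), and the checksum verification a DHCP server performs before accepting a datagram. The packet contents, the shared IP `10.0.0.1`, and the function names are constructed; the field layout is standard BOOTP/UDP. A real relay also rewrites addresses and increments the hops counter, which this example leaves out.

```python
"""Added example (not Clavister code): giaddr stamping with UDP checksum fix-up,
and the receiver-side checksum check that drops tampered DHCP datagrams."""
import ipaddress
import struct

IP_HDR_LEN = 20               # IPv4 header without options
UDP_HDR_LEN = 8
BOOTP_GIADDR_OFFSET = 24      # giaddr occupies bytes 24..27 of the BOOTP header
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


def _ip_bytes(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def _checksum(data: bytes) -> int:
    """RFC 1071 one's complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _udp_checksum(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """UDP checksum covers a pseudo header (addresses, protocol, length) and the datagram."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]   # checksum field is zero while computing
    return _checksum(pseudo + zeroed) or 0xFFFF  # an all-zero result is sent as 0xFFFF


def build_dhcp_packet(src_ip: str, dst_ip: str, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed sample: IPv4/UDP carrying a BOOTP DHCPDISCOVER (xid 0x1234)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x1234, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags
                        b"", b"", b"", _ip_bytes(giaddr),        # ciaddr, yiaddr, siaddr, giaddr
                        b"\x00\x11\x22\x33\x44\x55", b"", b"")  # chaddr, sname, file
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # magic cookie, DHCPDISCOVER, end
    payload = bootp + options
    udp_len = UDP_HDR_LEN + len(payload)
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, udp_len, 0) + payload
    csum = _udp_checksum(_ip_bytes(src_ip), _ip_bytes(dst_ip), udp)
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + udp_len, 0, 0, 64, 17, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + udp


def udp_checksum_ok(packet: bytes) -> bool:
    """The check a DHCP server (or any UDP receiver) performs; a mismatch means a drop."""
    udp = packet[IP_HDR_LEN:]
    stored = struct.unpack("!H", udp[6:8])[0]
    return stored == _udp_checksum(packet[12:16], packet[16:20], udp)


def giaddr_of(packet: bytes) -> str:
    off = IP_HDR_LEN + UDP_HDR_LEN + BOOTP_GIADDR_OFFSET
    return str(ipaddress.IPv4Address(packet[off:off + 4]))


def set_giaddr(packet: bytes, gateway_ip: str, recompute_checksum: bool = True) -> bytes:
    """Rewrite giaddr. recompute_checksum=False shows what any modification that
    forgets the checksum fix-up looks like to the receiver: a bad checksum."""
    off = IP_HDR_LEN + UDP_HDR_LEN + BOOTP_GIADDR_OFFSET
    packet = packet[:off] + _ip_bytes(gateway_ip) + packet[off + 4:]
    if recompute_checksum:
        csum = _udp_checksum(packet[12:16], packet[16:20], packet[IP_HDR_LEN:])
        packet = packet[:IP_HDR_LEN + 6] + struct.pack("!H", csum) + packet[IP_HDR_LEN + 8:]
    return packet


def relay_step(packet: bytes, action: str, shared_ip: str) -> bytes:
    """One relayer decision: 'relay' stamps the shared IP as gateway identifier and
    fixes the checksum; 'ignore' must return the datagram byte-for-byte untouched."""
    if action == "ignore":
        return packet
    if action == "relay":
        return set_giaddr(packet, shared_ip, recompute_checksum=True)
    raise ValueError("unknown relayer action: %r" % action)


if __name__ == "__main__":
    pkt = build_dhcp_packet("0.0.0.0", "255.255.255.255")
    relayed = relay_step(pkt, "relay", "10.0.0.1")
    print("relayed giaddr=%s checksum_ok=%s" % (giaddr_of(relayed), udp_checksum_ok(relayed)))
    tampered = set_giaddr(pkt, "10.0.0.1", recompute_checksum=False)
    print("tampered without fix-up checksum_ok=%s" % udp_checksum_ok(tampered))
```

`udp_checksum_ok` is also a usable triage check when DHCP requests vanish between a relay and the server: capture on the server side and verify the checksum before suspecting the ruleset.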



     Firewall Core - HA Bug Fixes                
    Erroneous "This rule will never trigger" warnings
        Issue: In the Firewall Manager, any rule with the destination set to the shared IP or slave IP would, erroneously, cause "This rule will never trigger" warnings.
        Fix: Fixed in Firewall Manager v8.00.06 and v8.10.00.
        Affects: HA configurations in v8.00.00 - v8.00.05.



     Firewall Core - HA Known Bugs / Problems                
    No state synchronization for FTP ALG
        Problem: No aspect of the FTP ALG is state synchronized
        Results: This means that control channels as well as data channels established through the FTP ALG will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover occurs each time a new configuration is uploaded.