Clavister Firewall Changes from v8.10.01 to v8.20.00

Release date: 2003-06-26 [ISO]

Users upgrading from v7.0x and earlier versions should read changes-7.0x.xx-to-8.00.02.html first. It contains the list of major changes from v7.0x, and also instructions on how to upgrade; the upgrade procedure from v7 to v8 differs markedly from the normal procedure. Once the firewall is upgraded to 8.00.02, you can follow the procedures in this document.

Version 8.20.00 is a new major version. It is available for all license holders with a software subscription covering 2003-06-01. The major new features are:
» DHCP relaying over IPsec (LAN-to-LAN as well as roaming client "virtual IP")
» "Always-up" VPN tunnels with improved keepalives
» Automated HTTP URL poster for e.g. dyndns registration or logon to broadband networks
» VPN policy can now be determined by routing / policy routing, which also enables logging over VPNs
» Link monitor for HA clusters as well as standalone firewalls

Version 8.20.00 also contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refers to upgrades from earlier v8.0x installations.

  • New files installed by v8.20.00
  • How to upgrade earlier v8.0x firewalls to v8.20.00
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager
    		•  [Changes [Bug Fixes  
  • Firewall Core
    		•  [Changes] [Bug Fixes]  
  • Firewall Core - VPN specific  
    		• [Changes [Bug Fixes] [Known Bugs / Problems
  • Firewall Core - HA specific
    		•  [Changes   [Known Bugs / Problems]

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the release notes section of www.clavister.com/support.



     Summary of changes and bug fixes                
    All changes and bug fixes affecting the standard firewall core also affect VPN and HA cores, unless explicitly stated otherwise.

    Firewall Manager
      Change: Warning state added for firewalls that use default management keys
      Change: Full-screen editing mode implemented
      Change: Log export in binary (.fwl) format
      Bug fix: Netobject name changes do not propagate to comma-separated lists
      Bug fix: Copying service groups causes FWMgr to freeze
      Bug fix: Status icon of folders etc not updated when firewall status changes
      Bug fix: "Upload HTML Banner Files" ignores folder names with upper case letters

    Firewall Core
      Change: Link monitor implemented
      Change: Boot menu: Use of DHCP in initial setup now possible
      Change: Log events now emitted for NetconBeforeRules/SNMPBeforeRules/IPsecBeforeRules
      Change: New TCP ECN "Nonce Sum" flag now handled the same way as other ECN flags
      Change: Console 'ping' command extended to use the ruleset in the outbound direction
      Change: DHCP client: implemented server / lease filtering
      Change: "HTTPPoster" for automatic web-based logon implemented
      Change: Web based user auth: "404 not found" page can now be customized
      Bug fix: Packet loss problems with VLANs and (primarily) Realtek r8139 NICs

    Firewall Core - VPN specific
      Change: VPN policy can now be determined via routing
      Change: "Always-up" VPN tunnels with improved keepalives
      Change: Multiple VPN tunnels using the same local/remote networks now possible
      Change: IPsec NAT traversal made controllable
      Known bug: Interoperability problem with 7.0x gateways (unstable tunnels)

    Firewall Core - HA specific
      Known bug: No state synchronization for FTP ALG



     New files installed by v8.20.00                
    This is a list of the files that are new to the v8.20.00 release. All paths are relative to your Firewall Manager install folder.
    » Cores/fwc-8.20.00-full.cfx
    This is the v8.20.00 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains VPN as well as HA functionality.
    » Cores/fwc-8.20.00-novpn.cfx
    This is a version of the v8.20.00 core without VPN support. It is roughly half the size of the full version.
    » Cores/fwcoreup8.exe
    This is the core used to remotely upgrade v7.0x and earlier firewalls. It will install a "8.00.02-full" core.
    » Docs/Changes-8.10.01-to-8.20.00.html
    This document.
    » FWMgr8.exe
    This is the v8.20.00 Firewall Manager. Earlier version 8 Firewall Managers will be overwritten. Version 7 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr7.exe", and are also typically installed in a different directory.


     How to upgrade earlier v8.0x firewalls to v8.20.00                
    Upgrading a previous v8.0x firewall to v8.20.00 is completely straightforward.
    Simply upload the new core, "fwc-8.20.00-full.cfx", to your firewall and restart it.
    (Alternatively, upload the "-novpn" version if you do not wish VPN functionality.)

     HA upgrade procedure                
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    There are no incompatibilities in the HA synchronization protocol between 8.20.00 HA cores and earlier v8.0x HA cores. No special procedures are required.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

    We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active firewall ("firewall A") and restart it.
    • Issue a 'reconfigure' on the firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
    • Upload the core to firewall B and restart it.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
    1) cause two failovers manually,   or
    2) connect to it via e.g. the remote console just to make sure it's running,   or
    3) if ALG synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive firewall ("firewall B") and restart it.
    • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
    • Upload the core to firewall A and restart it.
    • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.
    Again, note that the "availability" issues only affect ALGs. All other states are, as usual, fully synchronized and not affected in either procedure.

     Firewall Manager Changes                
    Warning state added for firewalls that use default management keys
        Issue: When a firewall is reset to factory defaults, it will use a default set of keys that is the same for all Clavister firewalls. Using these keys on a production firewall is less than a good idea.
        Change: The Firewall Manager now has a warning state (yellow exclamation mark icon) for firewalls that use the default set of keys. To get rid of this warning and negotiate new management keys, use Action -> Communication -> Change Remote Managment Keys.

    Full-screen editing mode implemented
        Issue: Some configuration sections have more columns than will readily fit on a normal-sized screen together with the leftmost toolbar and the tree view in the security editor.
        Change: A full-screen mode, reachable by pressing F11 or selecting "Full Screen" from the "View" menu, will expand the Firewall Manager to maximum size and hide everything but the config section itself and the main menu bar. Hitting F11 again restores the view to its previous look.

    Log export in binary (.fwl) format
        Change: Log data may now be exported in binary (.fwl) format in addition to CSV format. The .fwl format is the same format that the Firewall Logger itself uses, which means that all available fields, incuding packet dumps, is exported.

    These log files may later be displayed via raw LQL statements, e.g.:
    select binary from file x:\path\to\logfile.fwl



     Firewall Manager Bug Fixes                
    Netobject name changes do not propagate to comma-separated lists
        Issue: It is possible to use lists of netobject directly in the rules section and other places without creating a netobject group and then using this group.
        Problem: If a netobject is renamed, the name change would not propagate to such lists where it is used. A netobject could be deleted even though being in use.
        Result: The configuration would most likely fail to parse and could not be saved.
        Affects: FWMgr v8.00.00-8.00.06, v8.10.00-v8.10.01.
        Fixed: Fixed in v8.00.07, v8.10.02 and v8.20.00.

    Copying service groups causes FWMgr to freeze
        Problem: Attempting to make a copy of a service group would cause FWMgr to freeze and consume 100% CPU.
        Affects: FWMgr v8.00.00-8.00.06, v8.10.00-v8.10.01.
        Fixed: Fixed in v8.00.07, v8.10.02 and v8.20.00.

    Status icon of folders etc not updated when firewall status changes
        Issue: When the status of a firewall changes (e.g. from 'up and running' to 'unreachable'), the status of its parent folder / namespace / cluster should change with it.
        Problem: This change would not occur until the folder / namespace / cluster in question was clicked.
        Affects: FWMgr v8.00.00-8.00.06, v8.10.00-8.10.01.
        Fixed: Fixed in v8.00.07, v8.10.02 and v8.20.00.

    "Upload HTML Banner Files" ignores folder names with upper case letters
        Issue: It is possible to customize the HTML pages displayed when doing user authentication via HTML forms. It is possible to customize the look of these pages on a per-rule basis by using separate directories.
        Problem: The upload procedure would ignore folder names containing upper case letters.
        Result: The firewall would display a warning about the designated folder missing, and revert to using the built-in page set.
        Affects: FWMgr v8.10.00-8.10.01.
        Fixed: Fixed in v8.10.02 and v8.20.00.



     Firewall Core Changes                
    Link monitor implemented
        Change: As of v8.20.00, the "ping monitor" has been implemented as a bona fide feature, with full support in the firewall manager.
    The link monitor can monitor groups of IP addresses to detect NIC/link problems and issue a 'reconfigure' to reset all interfaces. For standalone firewalls, this in and of itself may resolve the problem. For HA clusters, it also means that the cluster fails over to the other unit.

    Boot menu: Use of DHCP in initial setup now possible
        Change: As of v8.20.00, the initial setup procedure now has a "Use DHCP" option for configuration of the management interface. Among other things, this is useful for emergency reinstalls of remotely managed firewalls that use DHCP to configure the external interface.

    Log events now emitted for NetconBeforeRules/SNMPBeforeRules/IPsecBeforeRules
        Issue: As of v8.00.00, there are settings for allowing Netcon (firewall remote control), SNMP and IPsec directly to the firewall without examining the ruleset.
        Change: As of v8.00.06, v8.10.02 and v8.20.00, log events are now emitted for all connections permitted by these settings. If logging is not wanted, simply disable the settings and write own rules for the respective traffic types with logging disabled.

    New TCP ECN "Nonce Sum" flag now handled the same way as other ECN flags
        Issue: The TCP Explicit Congestion Notification mechanism has previously only been using two TCP flags: ECE and CWR (previously known as the XMAS/YMAS flags). A new extension to the ECN mechanism will add a third flag, "NS". This flag must be handled the same way as the original two flags.
        Change: As of 8.00.07, 8.10.02 and 8.20.00, the following changes are made:
    » The "TCPECN" setting now works on three flags : the original two, plus the new "NS" flag.
    » The "TCPRF" setting, which previously worked on four unused flags in the TCP header now only works on three flags, as one of them was used by the new "NS" flag.
    » TCP flag dumps generated by the firewall (e.g. syslog events) will display the flag as "ns=1".
    » TCP flag dumps were also revised to show "ece=1" and "cwr=1" rather than "xmas=1" and "ymas=1".
        Note: As the "TCPECN" and "TCPRF" settings both default to "Strip", there is no difference for configurations where these values have been left unchanged.
    However, for configurations where ECN has been allowed (TCPECN = Ignore), it will soon become necessary to upgrade, or make sure that TCPECN and TCPRF are set the same way. The former is more preferable.

    Console 'ping' command extended to use the ruleset in the outbound direction
        Change: Two new switches have been added to the 'ping' console command:
      -r <recvif>
      -s <srcip>
    The "-r" switch causes the ping to be passed through the ruleset, just as if it had been received on <recvif>. The "-s" switch can be used to customize the look of the ping further.
        Enables: These two switches can be used together for e.g. troubleshooting VPN connections or policy routing from the firewall itself, which is useful in remote management scenarios.

    DHCP client: implemented server / lease filtering
        Change: To work around quirky networks with multiple (rogue) DHCP servers where only one hands out desired information, filters for server and lease IPs have been implemented. These filters are available in the "DHCP advanced" tab of the Interface configuration in the Firewall Manager.

    "HTTPPoster" for automatic web-based logon implemented
        Change: The HTTP poster is a small automatic utility that automatically and periodically posts up to three individual URLs. The URLs to post and the time between repetitions are specified in Advanced Settings -> HTTPPoster.
        Enables: Among other things, this enables:
    » Automatic registration with web-based dynamic DNS services like dyndns.org, cjb.net, etc.
    » Logon to broadband networks that require authentication via HTTP.
    » Logon to other Clavister Firewalls that require authentication via HTTP.
        See: See KB #10030 for examples.

    Web based user auth: "404 not found" page can now be customized
        Change: In 8.1x firewall cores, all web pages used for user authentication may be customized, except for the "404 not found" page.
    As of 8.20.00, this page may be customized also.
        Enables: It is possible to set up web based user authentication to intervene in all unauthenticated HTTP traffic through a SAT rule that redirects all unauthenticated HTTP traffic to the firewall itself.
    The problem has been that if an unauthenticated user attempts to browse to e.g. http://www.clavister.com/some/path/inside/the/site, they'd be presented with an unhelpful "404 not found" page that did not lead anywhere.
    By customizing the 404 page so that it redirects to "/", they'll immediately be presented with the logon page.



     Firewall Core Bug Fixes                
    Packet loss problems with VLANs and (primarily) Realtek r8139 NICs
        Problem: The transmit queue of r8193 NICs is extraordinarily small.
    When packets were sent on VLANs, the transmit queue was not despooled quickly enough.
        Results: The transmit queue could become full, with packet loss as a result.
    This would be especially noticeable when the firewall itself is generating traffic, which is the case with remote administration traffic such as statistics polling and file transfers.
    Other NICs have transmit queue sizes 10 to 50 times larger; we believe that the effects were negligible for VLAN operation over non-r8193 NICs.
        Affects: v8.00.00-8.00.06 and v8.10.00-8.10.01.
        Fixed: Fixed in v8.00.07, v8.10.02 and v8.20.00.



     Firewall Core - VPN Specific Changes                
    VPN policy can now be determined via routing
        Change: Before v8.20.00, the only way to tell the firewall that a particular connection should be encrypted, was to use the "Secure" flag in the ruleset.
    As of v8.20.00, it is also possible to specify VPN tunnels as destination interfaces in the routing table(s).
        Enables: In addition to the configuration becoming more intuitive in the common case, this change also enables the following:
    » Logging through VPN connections
    However, note that directing log data over VPN tunnels means that all log events that occur while the VPN tunnel is down will be lost.
    » Automatic Access list handling for VPNs Routed VPN connections are automatically included in automatic Access list lookups just like any other route -- no need to manually add Accept/Expect rules for routed VPN connections.
    » DHCP relaying over LAN-to-LAN tunnels.
    Simply create relaying rules in the DHCP relayer like you would for normal interfaces. It is even possible to use the same local and remote network and let the relayer add proxy ARPed routes.
    » "Virtual IP" (DHCP over IPsec) for VPN clients.
    In addition to creating DHCP relaying rules, check the "Allow DHCP over IPsec for single-host clients" checkbox in the VPN properties dialog. This second step is needed because DHCP needs a separate tunnel for the initial IP address "0.0.0.0".
    » Ruleset filtering using VPN destination interfaces.
    The same way that it is possible to filter on physical destination interfaces, it is possible to filter on VPN destination interfaces, as long as routing is used rather than "Secure" rules.
    » Connections back to roaming clients.
    With a route pointing back to the client, either through routes created by the DHCP relayer, or through routes automatically created when the client connects (see VPN tunnel properties -> routing), it is possible to allow connections back to roaming clients even though one does not know their IP addresses. Just filter on the destination VPN interface in the ruleset.
        Note: When you route traffic through a VPN tunnel, you should not use the "Secure" flag in the ruleset for this traffic. Doing so will work, but will bypass the routing information and attempt to figure out which tunnel to use by looking in the VPN connections list, just like it used to before 8.20.00.
        Hint: To make an exception for traffic that is normally routed over a VPN tunnel, simply use policy based routing to specify different routing information for the traffic in question.

    "Always-up" VPN tunnels with improved keepalives
        Change: New keepalive options have been added for VPN tunnels, that monitor the health of the actual IPsec tunnel. If the tunnel is non-operational for some reason (i.e. the remote peer has rebooted and lost all SAs), the tunnel will quickly be closed and re-established.
    This is implemented through pinging an IP address on the other side of the tunnel, preferably the IP address of the remote gateway. When both gateways are Clavister Firewall v8.20+, the addresses can be computed automatically. When other gateways are involved, they can be specified manually.
        Enables: Since this form of keepalives always ensures that the tunnel is operational, it can be enabled on roaming gateways to always ensure connectivity from the main network to the remote network without having to resort to DNS resolution and DynDNS registration of the roaming gateway; tunnels never need to be initiated by the main gateway to the roaming gateway.

    Enabling keepalives on all lan-to-lan tunnels is likely also a good idea in general, to avoid problems that can otherwise result when e.g. one of the gateways is rebooted.

    Multiple VPN tunnels using the same local/remote networks now possible
        Issue: When using certificate based authentication, it may be desirable to have multiple VPN tunnels (with the same local and remote network settings) for purposes of logical separation in the ruleset.
    This is a non-issue with PSK based authentication, as there is no way to separate which peer should use which tunnel.
        Change: As of v8.20.00, having multiple VPN connections with the same local/remote networks is possible.

    IPsec NAT traversal made controllable
        Issue: When NAT traversal was implemented, we assumed that automatic sensing of whether or not it was needed (and supported by the other end) would be enough. This has not not been the case.
    » Many broadband routers and other NATing gateways implement special "IPsec passthrough" NAT code which assumes that only plain ESP encapsulation is used, and will misbehave fatally when UDP encapsulation is actually used. This is ironic, seeing as how IPsec UDP encapsulation is specifically designed to traverse NATing gateways without requiring the gateway to have specific knowledge of IPsec.
    This scenario is solved by disabling NAT-T for such tunnels.
    » Some IPsec gateways become confused when they see a peer that advertises NAT traversal support, but deems its use unnecessary, and does not request NAT-T. Sonicwall gateways reportedly have this problem.
    This scenario is solved by either disabling NAT-T, or forcing it to on.
        Change: As of v8.10.02 and v8.20.00, there is a setting in the VPN tunnel properties dialog, which allows NAT traversal to be configured as follows:
    » Always off, even if a NAT is detected.
    » On, if a NAT is detected, and the peer supports it (this is the default).
    » On, regardless of the presence of a NAT, as long as the peer supports it.



     Firewall Core - VPN Specific Bug Fixes                


     Firewall Core - VPN Specific Known Problems                
    Interoperability problem with 7.0x gateways (unstable tunnels)
        Problem: We have received reports of tunnel instability problems between 7.0x and 8.x VPN gateways. We are currently investigating these reports; it is possible, albeit not certain, that these problems are linked to IKE SAs having lifetimes over four hours.
        Action: Please report any such problems to support@clavister.com, and, if possible, the results of lowering the IKE lifetime to four hours or less.



     Firewall Core - HA Changes                


     Firewall Core - HA Bug Fixes                


     Firewall Core - HA Known Bugs / Problems                
    No state synchronization for FTP ALG
        Problem: No aspect of the FTP ALG is state synchronized
        Results: This means that control channels as well as data channel established through the FTP ALG will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover occurs each time a new configuration is uploaded.