Clavister Firewall Changes from v8.30.01 to v8.40.00

Release date: 2004-04-22 [ISO]

Users upgrading from v7.0x and earlier versions should read changes-7.0x.xx-to-8.00.02.html first. It contains the list of major changes from v7.0x, and also instructions on how to upgrade; the upgrade procedure from v7 to v8 differs markedly from the normal procedure. Once the firewall is upgraded to 8.0, you can follow the procedures in this document.

Version 8.40.00 is a new major version. It is available for all license holders with a software subscription covering 2004-04-01. The major new features are:
» HTTP Application Layer Gateway with active content/cookie stripping and pattern-based URL white/blacklisting.
» Schedules for controlling firewall policy, traffic shaping and routing.
» GRE - Generic Routing Encapsulation support.

Version 8.40.00 also contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • New files installed by v8.40.00
  • How to upgrade earlier v8.0x firewalls to v8.40.00
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager: [Changes] [Bug Fixes]
  • Firewall Core: [Changes] [Bug Fixes]
  • Firewall Core - VPN specific: [Changes]
  • Firewall Core - HA specific: [Changes] [Known Bugs / Problems]

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the release notes section of www.clavister.com/support.



     Summary of changes and bug fixes
    All changes and bug fixes affecting the standard firewall core also affect VPN and HA cores, unless explicitly stated otherwise.

    Firewall Manager
      Change: Added configuration validator in plain-text editor
      Change: Log query wizard now supports queries on exported files
      Bug fix: Unprovoked name collisions in IPsec lifetimes fixed
      Bug fix: Log export column header and line feed fixes

    Firewall Core
      Change: HTTP Application Layer Gateway implemented
      Change: Generic Routing Encapsulation support
      Change: Schedules implemented
      Change: Auto-selection of VPN interface addresses improved
      Change: Support for more transparent tracerouting
      Change: DNS server IP addresses may now be learned via DHCP/PPPoE
      Change: DHCP server now supports custom (user-specified) DHCP options
      Change: Support for time synchronization via SNTP
      Change: Time servers may now be given using DNS names
      Change: Option to remove own interface IPs from PBR tables
      Change: Support for local time zone time conversion
      Change: Interface health monitor for Intel e1000 NICs implemented
      Change: Changed DHCP client default: use 0.0.0.0 rather than 169.254.x.x
      Change: Connection byte counters now only include IP headers+data
      Change: Added statistics for DHCP server
      Change: Screen saver / status bar disabled (software firewalls only)
      Change: Changes to "httpposter" console command
      Bug fix: DHCP relayer fails to forward plain BOOTP

    Firewall Core - VPN specific
      Change: Cipher key sizes for variable-length ciphers now configurable
      Change: NULL cipher support
      Change: VPN cores too large for floppies (software only)
      Change: MTU of VPN interfaces may now be configured

    Firewall Core - HA specific
      Change: DHCP Relayer will now source queries from shared IP
      Change: Active cluster member will now source pings from shared IP
      Known bug: No state synchronization for ALGs



     New files installed by v8.40.00
    This is a list of the files that are new to the v8.40.00 release. All paths are relative to your Firewall Manager install folder.
    » Cores/fwc-8.40.00-full.cfx
    This is the v8.40.00 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains VPN as well as HA functionality.
    » Cores/fwc-8.40.00-novpn.cfx
    This is a version of the v8.40.00 core without VPN support. It is roughly half the size of the full version.
    » Cores/fwcoreup8.exe
    This is the core used to remotely upgrade v7.0x and earlier firewalls. It will install a "8.00.02-full" core.
    » Docs/Changes-8.30.01-to-8.40.00.html
    This document.
    » FWMgr8.exe
    This is the v8.40.00 Firewall Manager. Earlier version 8 Firewall Managers will be overwritten. Version 7 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr7.exe", and are also typically installed in a different directory.


     How to upgrade earlier v8.0x firewalls to v8.40.00
    Upgrading a previous v8.0x firewall to v8.40.00 is completely straightforward.
    Simply upload the new core, "fwc-8.40.00-full.cfx", to your firewall and restart it.
    (Alternatively, upload the "-novpn" version if you do not wish VPN functionality.)


     HA upgrade procedure
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    There are no incompatibilities in the HA synchronization protocol between 8.40.00 HA cores and earlier v8.0x HA cores. No special procedures are required.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

    We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active firewall ("firewall A") and restart it.
    • Issue a 'reconfigure' on firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
    • Upload the core to firewall B and restart it.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
    1) cause two failovers manually, or
    2) connect to it via e.g. the remote console just to make sure it's running, or
    3) if ALG synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive firewall ("firewall B") and restart it.
    • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
    • Upload the core to firewall A and restart it.
    • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.
    Again, note that the "availability" issues only affect ALGs. All other states are, as usual, fully synchronized and not affected in either procedure.


     Firewall Manager Changes
    Added configuration validator in plain-text editor
        Issue: When making changes via the plain-text configuration editor, it is hard to tell if the changes are syntactically correct.
        Change: As of v8.40.00, there is a "Validate" command in the "File" menu, which validates the configuration currently being edited and reports back any errors and warnings.

    Log query wizard now supports queries on exported files
        Issue: It has previously only been possible to perform log queries on exported .fwl files via direct LQL queries, not via the GUI query wizard.
        Change: As of v8.40.00, the GUI query wizard now also supports log queries on exported .fwl files via the "File..." source and selecting which file to query.



     Firewall Manager Bug Fixes
    Unprovoked name collisions in IPsec lifetimes fixed
        Issue: Internally, IPsec/IKE lifetimes have names that are automatically generated by the firewall manager. Under some circumstances, it would generate names that collided.
        Results: Upon check-in, the Firewall Manager would sometimes present an error message about the name conflict. Attempting to check in the same configuration again without making any changes would however often work.
        Affects: FWMgr v8.0x, v8.1x, v8.2x, v8.3x.
        Fixed: Fixed in FWMgr v8.40.00.

    Log export column header and line feed fixes
        Issue: The ASCII log exporter would not include the "Severity" column header in its output, and would erroneously terminate each line with CR-CR-LF rather than CR-LF.
        Results: For the first issue, the headers past the missing Severity column would not match up with the actual data. The results of the second issue depend on the application reading the exported log data. In Microsoft Excel, the CR-CR-LF line feeds would result in empty lines before each log entry.
        Affects: FWMgr v8.0x, v8.1x, v8.2x, v8.30.00--.01.
        Fixed: Fixed in FWMgr v8.30.02 and v8.40.00.
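    For logs already exported by an affected Firewall Manager, the following added example (not Clavister code) repairs both defects: it collapses CR-CR-LF to CR-LF and inserts the missing "Severity" header when every data row has exactly one more field than the header. It assumes a tab-separated layout with Severity as the third column; both are assumptions for this example, not the documented .fwl export format.

```python
"""Repair ASCII log exports from affected Firewall Manager versions (v8.0x-v8.30.01).

Added example, not Clavister code. The export is treated as tab-separated text;
that layout, and "Severity" being the third column, are assumptions here."""

# Constructed sample showing both defects: no "Severity" header although every
# row carries a severity value, and CR-CR-LF line terminators.
SAMPLE_EXPORT = (
    b"Date\tTime\tCategory\tEvent\tSrcIP\r\r\n"
    b"2004-04-22\t10:00:01\tINFO\tCONN\tconn_open\t10.0.0.5\r\r\n"
    b"2004-04-22\t10:00:02\tWARNING\tDROP\tttl_low\t10.0.0.9\r\r\n"
)


def fix_line_endings(data: bytes) -> bytes:
    """Collapse the CR-CR-LF produced by the bug back to CR-LF, so Excel no
    longer shows an empty line before each entry."""
    return data.replace(b"\r\r\n", b"\r\n")


def split_rows(data: bytes):
    """Return (header, rows) as lists of fields; the trailing empty line is dropped."""
    lines = [ln for ln in fix_line_endings(data).decode("ascii").split("\r\n") if ln]
    return lines[0].split("\t"), [ln.split("\t") for ln in lines[1:]]


def naive_parse(data: bytes):
    """What a consumer that trusts the header sees: every column after the
    missing one is shifted, e.g. the severity value lands under "Category"."""
    header, rows = split_rows(data)
    return [dict(zip(header, row)) for row in rows]


def repaired_parse(data: bytes, severity_index: int = 2):
    """Insert the "Severity" header when every row has exactly one more field
    than the header (the signature of this bug); refuse any other mismatch."""
    header, rows = split_rows(data)
    if rows and all(len(row) == len(header) + 1 for row in rows):
        header = header[:severity_index] + ["Severity"] + header[severity_index:]
    if any(len(row) != len(header) for row in rows):
        raise ValueError("header/data column count mismatch; not the known defect")
    return [dict(zip(header, row)) for row in rows]


if __name__ == "__main__":
    print(naive_parse(SAMPLE_EXPORT)[0]["Category"])     # INFO (misattributed)
    print(repaired_parse(SAMPLE_EXPORT)[1]["Severity"])  # WARNING
```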



     Firewall Core Changes
    HTTP Application Layer Gateway implemented
        Change: As of v8.40.00, Clavister Firewall includes an HTTP ALG, which supports:
    » Stripping JavaScript/VBScript
    » Stripping Java applets
    » Stripping ActiveX components (including Flash)
    » Stripping cookies
    » Pattern-based URL blacklisting
    » Pattern-based URL whitelisting (exclusion from all of the above checks)
    The new "http-outbound" service uses the HTTP ALG by default.
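    The policy semantics listed above, as an added example modelling them in Python (not Clavister's ALG implementation): a whitelist match exempts a URL from every check including the blacklist, a blacklist match blocks, and everything else has cookies and active content stripped. The wildcard pattern syntax and the sample page are assumptions for this example.

```python
"""Model of the HTTP ALG policy in the release notes (added example, not Clavister's
implementation). Pattern syntax is assumed to be shell-style wildcards."""
from fnmatch import fnmatch
from html.parser import HTMLParser

# Elements carrying what the ALG strips: script (JavaScript/VBScript), Java applets,
# ActiveX and Flash (object/embed). Cookies are removed at the header level.
ACTIVE_TAGS = {"script", "applet", "object", "embed"}
COOKIE_HEADERS = {"cookie", "set-cookie"}


class ActiveContentStripper(HTMLParser):
    """Re-emit the document, dropping active-content elements and their bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out, self.skip = [], 0               # skip > 0 inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip += 1
        elif not self.skip:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # e.g. <embed src="a.swf"/>
        if tag not in ACTIVE_TAGS and not self.skip:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

    # Pass entity/character references and comments through unchanged.
    handle_entityref = lambda self, name: self.handle_data(f"&{name};")
    handle_charref = lambda self, name: self.handle_data(f"&#{name};")
    handle_comment = lambda self, text: self.handle_data(f"<!--{text}-->")


def strip_active_content(html: str) -> str:
    parser = ActiveContentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def http_alg(url, headers, body, whitelist, blacklist):
    """Return (action, headers, body). A whitelist match skips every check, the
    blacklist included, so an over-broad whitelist pattern silently disables
    blacklisting for the URLs it covers."""
    if any(fnmatch(url, pat) for pat in whitelist):
        return "pass", headers, body
    if any(fnmatch(url, pat) for pat in blacklist):
        return "block", {}, ""
    kept = {k: v for k, v in headers.items() if k.lower() not in COOKIE_HEADERS}
    return "strip", kept, strip_active_content(body)


# Constructed sample response body.
PAGE = ('<html><body><p>Hi &amp; welcome</p><script>alert(1)</script>'
        '<applet code="X.class"></applet><object classid="clsid:0">'
        '<param name="m" value="x"></object><embed src="a.swf"/></body></html>')
```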

    Generic Routing Encapsulation support
        Change: As of v8.40.00, Clavister Firewall supports GRE tunnels, a standardized way of encapsulating, among other things, IP packets inside IP packets. There are no security benefits to doing so, but GRE may aid in certain routing situations.
        Note: This does not mean that Clavister Firewall supports PPTP. Even though PPTP makes use of GRE for parts of its functionality, PPTP encompasses much more functionality than just encapsulation.

    Schedules implemented
        Change: As of v8.40.00, schedules may be created to control different aspects of the firewall - firewall policy, routing and traffic shaping. A schedule contains a start and stop date, and may also be configured on a per-hour-per-weekday basis.
        Note: It may be advisable to set up time synchronization on the firewall, and also to make sure that the local time zone settings are correct, before making use of schedules.

    Auto-selection of VPN interface addresses improved
        Issue: As with all other interfaces, VPN interfaces also have IP addresses. They are used as source address when the firewall itself is communicating over the tunnel, as source address in automatic NAT rules, and may also be used to communicate with the firewall (ping, remote administration, etc.).
        The IP address of VPN interfaces may be configured manually, or picked automatically. Previously, the auto-select function has been restricted to attempting to pick IP addresses of other firewall interfaces, which in some cases would mean picking an address outside of the local network, which could not be used in communicating across the tunnel.
        Change: As of v8.40.00, the auto-select function will always pick the first IP address of the local network, plus one. Auto-selected addresses will however not be reachable; they are only used as source addresses. Hence, they will never block someone from reaching the host that actually has the address that the firewall picked.
        Manual configuration of the VPN interface IP address is still possible, and will result in the firewall becoming reachable on that address.

    Support for more transparent tracerouting
        Issue: As a protection against firewalking, Clavister Firewall has previously refused to set the "TTLMin" setting below 2, and has refused to send ICMP errors of its own.
        Change: As of v8.30.02 / v8.40.00, the "TTLMin" setting can be set to 1, and for traffic passing through rules/services with the "Pass returned ICMP error messages from destination" flag set, the firewall will also generate ICMP TIME_EXCEEDs for packets whose TTL reach 0 when passing through the firewall.
    These two changes, when used in combination, enable completely transparent tracerouting through the firewall.
        Note: If "TTLMin" is lowered below the depth of the internal network (plus 1), and ICMP errors are allowed outbound (by e.g. allowing inbound pings via the "ping-outbound" service), it will be possible to use firewalking to map out the structure of private networks. Use with care.

    DNS server IP addresses may now be learned via DHCP/PPPoE
        Change: As of v8.40.00, the DHCP and PPPoE clients can now assign received DNS IP addresses to symbolic names, which may then be used in the settings section to tell the firewall which DNS servers to use, as well as in other places in the configuration.

    DHCP server now supports custom (user-specified) DHCP options
        Change: As of v8.40.00, the DHCP server supports configuration of custom DHCP options -- in other words, any existing and future DHCP option may be configured without needing specific support in the firewall manager.

    Support for time synchronization via SNTP
        Change: As of v8.40.00, the firewall time sync client supports the SNTP protocol in addition to time/udp, which allows synchronization against a wider range of time servers.

    Time servers may now be given using DNS names
        Change: As of v8.40.00, the addresses of time servers (both types) may be given using DNS names, provided that the DNS client of the firewall is configured.

    Option to remove own interface IPs from PBR tables
        Issue: In "virtual firewall" scenarios, it may be useful to remove the firewall's own IP addresses from a (policy-based) routing table, so that it does not occupy address space that may be in use elsewhere in the network.
        Change: As of v8.40.00, each policy-based routing table has a "Remove Interface IP Routes" option. Checking it means that the firewall is completely transparent to connections using that PBR table.
        Note: To specifically make the firewall reachable on certain IP addresses, add single-host routes via the "core" interface in that PBR table (with no gateway set). Publishing such routes via proxy ARP on relevant interfaces may also be useful.

    Support for local time zone time conversion
        Issue: Local time on the firewall itself has previously been somewhat unimportant, as its clock was only used to stamp shutdown messages. However, with the advent of schedules (see above), keeping correct local time is important.
        Change: As of v8.40.00, local time zone data (base offset, DST offset, start and end) may be configured under "Advanced Settings" -> "Timesync".
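    The "Schedules implemented" and "Support for local time zone time conversion" changes above interact: a schedule is only as correct as the firewall's local clock. The following added example (not Clavister code) models both, a schedule with start/stop dates and a per-hour-per-weekday table, and a time zone given as base offset, DST offset and DST start/end, and shows the same UTC instant deciding differently with and without the zone applied. The representation of the DST rule and all configuration values are assumptions constructed for the example.

```python
"""Schedule evaluation with local-time conversion (added example, not Clavister code).
All configuration values below are constructed for the example."""
from datetime import date, datetime, timedelta, timezone


class LocalTimeZone:
    """Base and DST offsets in minutes; DST start/end as (month, day), applied every
    year and decided on standard local time (assumed representation)."""

    def __init__(self, base_min, dst_min, dst_start, dst_end):
        self.base, self.dst = timedelta(minutes=base_min), timedelta(minutes=dst_min)
        self.dst_start, self.dst_end = dst_start, dst_end

    def to_local(self, utc: datetime) -> datetime:
        """Aware UTC datetime -> naive local wall-clock datetime."""
        standard = utc.astimezone(timezone.utc).replace(tzinfo=None) + self.base
        if self.dst_start <= (standard.month, standard.day) < self.dst_end:
            return standard + self.dst
        return standard


class Schedule:
    """Active on days start..stop (inclusive), only during the listed hours of each
    weekday (0 = Monday ... 6 = Sunday); a weekday with no entry is never active."""

    def __init__(self, start: date, stop: date, hours_by_weekday: dict):
        self.start, self.stop = start, stop
        self.hours = {wd: set(h) for wd, h in hours_by_weekday.items()}

    def is_active(self, local: datetime) -> bool:
        if not (self.start <= local.date() <= self.stop):
            return False
        return local.hour in self.hours.get(local.weekday(), set())


# Constructed config: Central European Time (UTC+1, DST +1h, 2004 EU DST dates) and
# an office-hours schedule, Mon-Fri 08:00-17:59, valid during April 2004 only.
CET = LocalTimeZone(60, 60, dst_start=(3, 28), dst_end=(10, 31))
OFFICE_HOURS = Schedule(date(2004, 4, 1), date(2004, 4, 30),
                        {wd: range(8, 18) for wd in range(5)})


def local_time_for(y, m, d, hh, mm) -> str:
    """Local wall-clock time for a UTC instant, as 'YYYY-MM-DD HH:MM'."""
    utc = datetime(y, m, d, hh, mm, tzinfo=timezone.utc)
    return CET.to_local(utc).strftime("%Y-%m-%d %H:%M")


def active_at_utc(y, m, d, hh, mm) -> bool:
    """The decision the firewall makes once its clock is converted to local time."""
    utc = datetime(y, m, d, hh, mm, tzinfo=timezone.utc)
    return OFFICE_HOURS.is_active(CET.to_local(utc))


def active_if_clock_is_utc(y, m, d, hh, mm) -> bool:
    """The decision if no time zone is configured and the clock simply runs in UTC."""
    return OFFICE_HOURS.is_active(datetime(y, m, d, hh, mm))


if __name__ == "__main__":
    # Thursday 2004-04-22 06:30 UTC is 08:30 CEST: active only with the zone applied.
    print(active_at_utc(2004, 4, 22, 6, 30), active_if_clock_is_utc(2004, 4, 22, 6, 30))
```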

    Interface health monitor for Intel e1000 NICs implemented
        Issue: It has come to our attention that, in some setups, Intel e1000 NICs experience intermittent packet loss problems. This would manifest itself as the NIC working fine for anywhere between a few hours and several weeks, and then suddenly causing 10% packet loss or worse. As far as we can tell, it only affects a minority of users. We have not been able to ascertain specific reasons for this occurrence, and have implemented the health monitor as a countermeasure.
        Change: As of v8.30.02 / v8.40.00, an interface health monitor has been implemented, currently targeting only e1000 NICs. It works by measuring the sent/received packet rates compared to the input/output error rate.
        Details: The "IfaceMon" advanced settings section controls the details of the monitor and defaults to triggering if the error rate exceeds 20% outbound or 7% inbound for 10 consecutive seconds. If triggered, the interface health monitor will emit a log entry with category "IFACEMON" and reset the NIC. The log message is also repeated after 10 seconds.

    Changed DHCP client default: use 0.0.0.0 rather than 169.254.x.x
        Issue: DHCP clients are allowed to use 169.254.x.x addresses before they have received a lease. This has been the default mode of operation in Clavister Firewall until now. It has however come to our attention that this default causes problems with some DHCP relayers, and that 0.0.0.0 is more likely to work.
        Change: As of v8.40.00, the default for Advanced Settings -> DHCP Client -> DHCP_UseLinkLocalIP is NO, meaning that the default is for the firewall to use 0.0.0.0 until it has gotten a DHCP lease.

    Connection byte counters now only include IP headers+data
        Issue: Previously, the connection byte counters (sent/received) shown in the logs have included all plaintext data that the state engine sees. For data received on physical interfaces, this has included the Ethernet header. For data received via VPN tunnels, it has only included the IP header and data.
        Change: As of v8.40.00, the connection byte counts only include IP headers and data, not media layer headers.
        Note: For small packets sent on Ethernet, the bandwidth discrepancy can be as high as 50%, since the minimum Ethernet packet size is 60 bytes. Per-interface statistics for physical interfaces, however, do still include media layer headers and padding.

    Added statistics for DHCP server
        Change: As of v8.40.00, the built-in DHCP server provides a full array of statistics values that may be viewed via the Real-Time Monitor or accessed via fwctl.

    Screen saver / status bar disabled (software firewalls only)
        Change: As of v8.40.00, the screen saver and status bar (viewable only by software firewall users) are disabled by default, as this gives a noticeable increase in zero-loss throughput. The new settings "ScrSave" and "StatusBar" in the "Misc" setting section control this behavior.

    Changes to "httpposter" console command
        Change: As of v8.40.00, the "httpposter" console command will show the time remaining until the next URL re-post. A new switch "-repost" has also been added to force a re-post ahead of time.



     Firewall Core Bug Fixes
    DHCP relayer fails to forward plain BOOTP
        Issue: The DHCP relayer has a special mode to deal with units using BOOTP rather than DHCP, called "bootpfwd", which passes BOOTP packets back and forth without keeping lease state.
        Problem: The DHCP relayer fails to identify BOOTP packets as BOOTP and refuses to forward them.
        Results: The DHCP relayer fails to forward BOOTP.
        Affects: FWCore v8.00.00 -- v8.30.01.
        Fix: Fixed in v8.30.02 and v8.40.00.



     Firewall Core - VPN Specific Changes
    Cipher key sizes for variable-length ciphers now configurable
        Change: As of v8.40.00, the cipher key sizes for variable-length ciphers (AES, Twofish, Blowfish) are configurable: a preferred key size as well as a minimum and maximum acceptable size may be specified.

    NULL cipher support
        Change: As of v8.40.00, NULL ciphers may be specified for IPsec tunnels, resulting in an authenticated-only ESP tunnel. This is functionally equivalent to AH tunnels with a few more bytes of overhead.

    VPN cores too large for floppies (software only)
        Issue: As of v8.40.00, VPN-enabled firewall cores are too large for floppies no matter how small the configuration is. We recommend that only "-novpn" cores be placed on floppies and then transferred to fixed media. The core may then be remotely upgraded to a VPN-enabled core.
        Change: An automatic check of firewall core sizes vs free disk space has been implemented in the boot media creation process to notify users about this problem ahead of time.

    MTU of VPN interfaces may now be configured
        Issue: Previously, the MTU of VPN interfaces has been 65535. The net result is that rather than fragmenting the plaintext data, the IPsec packets get fragmented and reassembled at the remote gateway.
        Change: It is now possible to manually configure the MTU of VPN interfaces. The default for new tunnels is 1424 bytes, which will prevent IPsec fragmentation on Ethernet and PPPoE media regardless of cipher and NAT traversal mode.
        Note: As long as Advanced Settings -> TCP -> TCPMSSAutoClamping is enabled (the default), the TCP MSS will be clamped according to the MTU of the (VPN) interface, and hence fragmentation will not occur for TCP even if the VPN interface MTU is lowered.



     Firewall Core - HA Changes
    DHCP Relayer will now source queries from shared IP
        Change: As of v8.30.02 / v8.40.00, the DHCP relayer will pick the shared IP of the sending interface pair as the source IP in relayed queries in situations where it previously would have picked the unique IP address.

    Active cluster member will now source pings from shared IP
        Change: As of v8.40.00, pings generated by an active cluster member will be sourced from the shared IP address. The inactive cluster member will still source them from the inactive IP address.



     Firewall Core - HA Known Bugs / Problems
    No state synchronization for ALGs
        Problem: No aspect of the FTP or HTTP ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.