Clavister Firewall Changes from v8.40.00 to v8.40.01

Release date: 2004-05-25 [ISO]

Users upgrading from v7.0x and earlier versions should read changes-7.0x.xx-to-8.00.02.html first. It contains the list of major changes from v7.0x, and also instructions on how to upgrade; the upgrade procedure from v7 to v8 differs markedly from the normal procedure. Once the firewall is upgraded to 8.0, you can follow the procedures in this document.

Version 8.40.01 contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • New files installed by v8.40.01
  • How to upgrade earlier v8.0x firewalls to v8.40.01
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager [Bug Fixes]
  • Firewall Core [Bug Fixes]
  • Firewall Core - VPN specific
  • Firewall Core - HA specific [Known Bugs / Problems]

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the release notes section of www.clavister.com/support.



     Summary of changes and bug fixes                
    All changes and bug fixes affecting the standard firewall core also affect VPN and HA cores, unless explicitly stated otherwise.

    Firewall Manager
      Bug fix: Erroneous name collisions in IPsec proposal lists
      Bug fix: FWMgr would erroneously set MTU for new VPN tunnels for pre-8.4 firewalls
      Bug fix: FWMgr could not create new RADIUS server connections for pre-8.4 firewalls

    Firewall Core
      Bug fix: FTP ALG would not work correctly over VPN tunnels

    Firewall Core - VPN specific

    Firewall Core - HA specific
      Known bug: No state synchronization for ALGs



     New files installed by v8.40.01                
    This is a list of the files that are new to the v8.40.01 release. All paths are relative to your Firewall Manager install folder.
    » Cores/fwc-8.40.01-full.cfx
    This is the v8.40.01 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains VPN as well as HA functionality.
    » Cores/fwc-8.40.01-novpn.cfx
    This is a version of the v8.40.01 core without VPN support. It is roughly half the size of the full version.
    » Cores/fwcoreup8.exe
    This is the core used to remotely upgrade v7.0x and earlier firewalls. It will install an "8.00.02-full" core.
    » Docs/Changes-8.40.00-to-8.40.01.html
    This document.
    » FWMgr8.exe
    This is the v8.40.01 Firewall Manager. Earlier version 8 Firewall Managers will be overwritten. Version 7 Firewall Managers (if installed) will not be overwritten, as they are named "FWMgr7.exe", and are also typically installed in a different directory.


     How to upgrade earlier v8.0x firewalls to v8.40.01                
    Upgrading a previous v8.0x firewall to v8.40.01 is completely straightforward.
    Simply upload the new core, "fwc-8.40.01-full.cfx", to your firewall and restart it.
    (Alternatively, upload the "-novpn" version if you do not want VPN functionality.)


     HA upgrade procedure                
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    There are no incompatibilities in the HA synchronization protocol between 8.40.01 HA cores and earlier v8.0x HA cores. No special procedures are required.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

    We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active firewall ("firewall A") and restart it.
    • Issue a 'reconfigure' on firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
    • Upload the core to firewall B and restart it.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
    1) cause two failovers manually, or
    2) connect to it via e.g. the remote console just to make sure it's running, or
    3) if ALG synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive firewall ("firewall B") and restart it.
    • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
    • Upload the core to firewall A and restart it.
    • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.
    Again, note that the "availability" issues only affect ALGs. All other states are, as usual, fully synchronized and not affected in either procedure.


     Firewall Manager Bug Fixes                
    Erroneous name collisions in IPsec proposal lists
        Problem: When checking out a namespace inside the global namespace which contains firewalls that make use of proposal lists from the global namespace, there would, erroneously, always be "name collisions".
        Affects: FWMgr v8.40.00.
        Fixed: Fixed in v8.40.01. This fix was also available in the 8.40.01-pre001 pre-release.

    FWMgr would erroneously set MTU for new VPN tunnels for pre-8.4 firewalls
        Problem: As of v8.40.00, the MTU of VPN tunnels may be manually configured. However, the FWMgr would erroneously include the MTU setting for new tunnels when generating configurations for pre-8.4 firewalls, causing config errors on upload. Existing tunnels would not be affected.
        Affects: FWMgr v8.40.00 when used with pre-8.4 firewalls.
        Fixed: Fixed in v8.40.01. This fix was also available in the 8.40.01-pre001 pre-release.

    FWMgr could not create new RADIUS server connections for pre-8.4 firewalls
        Problem: As of v8.40.00, the retry timeout for RADIUS server connections may be manually configured. However, the retry timeout field was left disabled and empty when managing pre-8.4 firewalls, which the FWMgr would not accept when the dialog was submitted. Because the field was disabled, there was no way to correct the problem.
        Affects: FWMgr v8.40.00 when used with pre-8.4 firewalls.
        Fixed: Fixed in v8.40.01. This fix was also available in the 8.40.01-pre001 pre-release.



     Firewall Core Bug Fixes                
    FTP ALG would not work correctly over VPN tunnels
        Problem: The FTP ALG failed to establish a new session if a VPN tunnel was involved in the FTP connection.
        Affects: FWCore v8.40.00.
        Fixed: Fixed in v8.40.01.



     Firewall Core - HA Known Bugs / Problems                
    No state synchronization for ALGs
        Problem: No aspect of the FTP or HTTP ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.