Clavister Firewall Changes from v8.40.04 to v8.50.00

Release date: 2004-12-20 [ISO]

Users upgrading from v7.0x or earlier should read changes-7.0x.xx-to-8.00.02.html first.

Version 8.50.00 contains a number of major changes, and also a number of gotcha's. The most notable changes and gotcha's are highlighted here:
» Dynamic routing introduced: OSPF and route failover. This carries with it a number of changes, such as Security/Transport equivalent interface groups, which are necessary in order for connections to be able to move from one interface to another.
» Single-admin Virtual System/Router support enables the creation of logical units with separate routing tables and, to some extent, rulesets, under the same administrative scope.
» PPTP and L2TP clients and servers.
» H.323 Application Layer Gateway implemented.
» Gotcha: Order of rule lookups changed. Policy-based routing rules are now consulted before other rulesets. As a result, destination interface filtering is now done according to the PBR table in use. Also, Proxy ARP will now obey PBR.
» Gotcha: The "Secure" rule flag was removed. Changes brought on by dynamic routing meant that the "Secure" rule flag, which forces traffic through a matching IPsec tunnel, had to be removed. As of v8.20.00, the (better) alternative is to simply route traffic over IPsec tunnels.
» Gotcha: Given that the number of PBR routing tables equal the number of Virtual Systems / Routers supported, the number of PBR tables allowed is now controlled by the license. Most licenses allow 5 routing tables, though some of the larger appliance models allow more than that by default. Support for additional Virtual Systems may be purchased as add-ons to your existing license.
» Gotcha: HA: Upgrading directly to v8.50.00 from versions prior to v8.40.01 will lead to loss of state synchronization.
» New "miniature" firewall core in distribution. The two core flavors distributed are now: a "-full" version, with all functionality in it, and the new "-mini" version, with a number of disk-space-consuming options removed.
» Clavister Firewall Logger for Linux is now included in the distribution.

 

Contents of this document

Version 8.50.00 contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refers to upgrades from earlier v8.0x installations.
  • Files installed by v8.50.00
  • How to upgrade earlier v8.0x firewalls to v8.50.00
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager
    		•  [Changes [Bug Fixes  
  • Firewall Core
    		•  [Changes] [Bug Fixes] [Known Problems / Bugs

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the release notes section of www.clavister.com/support.



     Summary of changes and bug fixes                

    Firewall Manager
      Change: Namespace "firewall core version" logic changed
      Change: Network objects and services are no longer rearranged
      Change: Service groups may now be members of service groups
      Bug fix: Log analyzer would show broken ethernet headers for non-ethernet packets
      Bug fix: Firewalls set as DNS names could not revert back to numeric IP address

    Firewall Core
      Change: H.323 Application Layer Gateway implemented
      Change: PPTP and L2TP clients and servers implemented
      Change: IPsec: The "Secure" rule flag was removed
      Change: Local user database added
      Change: PPP: IP addresses and remote networks may now be configured per user
      Change: Hosts and ranges may now be excluded from network objects
      Change: IPsec: Transport mode may now be selected per tunnel
      Change: "All-to-One" mappings for SAT rules rewriting the destination
      Change: Allow two windows machines to ping each other simultaneously
      Change: PPPoE client can now request a "preferred IP" from server
      Change: IPsec: The "ikesnoop" command can now filter IP addresses
      Change: RTL8139 (Realtek) NIC performance enhanced
      Change: Buffered log sending implemented
      Change: DHCP Server: "next server" field now configurable
      Change: FTP ALG: List of known and disallowed commands updated
      Change: IPsec: XAuth client support added
      Change: IPsec: Full draft-beaulieu-ike-xauth-02 support
      Change: DHCP Relayer and Server now support DHCPINFORM messages
      Change: Packets from originator is now enough to keep non-TCP states alive
      Change: New advanced setting: IPOPT_RTRALT
      Change: DHCP client will now include options 12, 60 and 61 in requests
      Change: "-verbose" switch added to arpsnoop console command
      Change: ARP section: IP addresses may now be published on multiple interfaces at once
      Change: Single-Admin Virtual Systems now configurable
      Change: The OSPF routing protocol implemented
      Change: Rule lookup order changed: PBR rules are now consulted first
      Change: Route failover via status monitoring implemented
      Change: "Security/Transport Equivalent" interface groups added
      Change: Connections over different interfaces are now always treated as separate
      Change: ARP related functionality will now obey PBR rules
      Change: New mode PBR table mode: "Only"
      Change: Interfaces may now be set as "members" of a PBR table
      Change: "ping" command enhanced to aid in routing troubleshooting
      Change: IPsec interfaces will now auto-add routes according to PBR table membership
      Change: DHCP Relayer will now obey PBR
      Bug fix: HTTP ALG problems with Microsoft Windows Update and some other sites
      Bug fix: FTP ALG problems with PBR
      Bug fix: Deselecting ALGs from a service would require a reboot
      Bug fix: Crash if DNS client was making a query during a config re-read
      Bug fix: Reject responses (TCP RST / ICMP unreach) would not obey PBR
      Bug fix: IPsec: DES/3DES/AES performance problem on SG31xx appliances
      Bug fix: Automatic IPsec keepalives would not work with 0.0.0.0/0 as local or remote net
      Bug fix: IPsec: Auto-adding routes would fail intermittently
      Bug fix: IPsec data lifetimes higher than 4194304KB (4GB) would be misinterpreted
      Known problem: IPsec: Compatibility issue with MS IPsec NAT Traversal
      Bug fix: HA: Incorrect behavior of Route Local IPs on inactive node
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP



     Files installed by v8.50.00                
    This is a list of files that are new to the v8.50.00 release. All paths are relative to your Firewall Manager install folder.
    » Cores/fwc-8.50.00-full.cfx
    This is the v8.50.00 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains all available functionality.
    » Cores/fwc-8.50.00-mini.cfx
    This is a version of the v8.50.00 core with certain features removed. It is less than half the size of the full version. The features removed are:
    - IPsec VPN
    - The H.323 Application Layer Gateway
    - OSPF
    » Docs/changes-8.40.04-to-8.50.00.html
    This document.
    » FWMgr8.exe
    This is the v8.50.00 Firewall Manager. Earlier version 8 Firewall Managers will be backed up with the extensions ".old1" and ".old2".


     How to upgrade earlier v8.0x firewalls to v8.50.00                
    Upgrading a previous v8.0x firewall to v8.50.00 is completely straightforward.
    Simply upload the new core, "fwc-8.50.00-full.cfx", to your firewall and restart it.
    (Alternatively, upload the "-mini" version if the removed functionality is not required.)

     HA upgrade procedure                
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to vNEWVER.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

    We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active firewall ("firewall A") and restart it.
    • Issue a 'reconfigure' on the firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
    • Upload the core to firewall B and restart it.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
    1) cause two failovers manually,   or
    2) connect to it via e.g. the remote console just to make sure it's running,   or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive firewall ("firewall B") and restart it.
    • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
    • Upload the core to firewall A and restart it.
    • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchroniziation of ALGs and tunnels; there is more information about this in the     Known Problems section. All other states are, as usual, fully synchronized and not affected in either procedure.

     Firewall Manager Changes                
    Namespace "firewall core version" logic changed
        Issue: Extensions to existing functionality is normally shown only for firewalls versions that support such functionality. The same logic is present in namespaces.
        Change: As of v8.50.00, configuration objects in a namespace will assume support for the version of the oldest firewall (or sub-namespace) inside it. Previously, all namespaces were assumed to be v8.00.00.

    Network objects and services are no longer rearranged
        Issue: Previously, the Firewall Manager would rearrange network objects and services so that groups appeared at the bottom of the listing. This was done because members of groups need to be defined before the group that includes them.
        Change: As of v8.50.00, groups are no longer automatically moved to the bottom of the list.

    Service groups may now be members of service groups
        Change: As of v8.50.00, a group of services may be selected as a member of another group. Note that such groups must be defined before the group that includes them.



     Firewall Manager Bug Fixes                
    Log analyzer would show broken ethernet headers for non-ethernet packets
        Issue: For non-ethernet packets, e.g. packets received through IPsec tunnels, the log analyzer would still show ethernet headers, with nonsensical contents.
        Affects: Firewall Manager v8.00.00 and up.
        Fix: As of v8.50.00, the log analyzer will not show an ethernet header if the packet did not actually have one.

    Firewalls set as DNS names could not revert back to numeric IP address
        Issue: In order to facilitate remote management of firewalls without fixed IP addresses, the Firewall Manager may be told to connect to the firewall using a DNS hostname.
        Problem: Reverting to using a numeric IP address would not work. The firewall manager would keep trying to resolve the previously given DNS name.
        Results: If the DNS name would not resolve, or would resolve to the wrong IP address, remote management of the firewall would be impossible.
        Affects: Firewall Manager v8.00.00 and up.
        Fix: Fixed in v8.40.05 and v8.50.00.



     Firewall Core Changes                
    Clavister Firewall v8.50.00 changes many aspects of routing, and especially policy-based routing as a result of the virtual system/ router support. In this document, all routing-related changes have been moved to its own section directly beneath this section.

    H.323 Application Layer Gateway implemented
        Issue: The H.323 conferencing (VoIP, video, whiteboard, etc) protocol, used by most IP telephones, and also by Microsoft NetMeeting, makes heavy use of dynamic datachannels in both directions, and has previously only been able to pass through firewalls with all ports above 1024 open in both directions between peers involved in the H.323 call.
        Change: As of v8.50.00, there is an H.323 ALG capable of handling peer-to-peer H.323 calls, as well as listening in on H.323 "gatekeeper" communication in order to automatically allow calls to protected hosts that register with the gatekeeper.
        Note: Note that H.323 is a fairly complex protocol, and that applications such as Microsoft NetMeeting allow remote control of computers running it. Clavister generally does not recommend allowing H.323 directly from unsecured networks such as the Internet to network segments with high security requirements. This is an application where making use of Clavister Firewall's network segmentation capabilities could be of immense help.

    PPTP and L2TP clients and servers implemented
        Change: As of v8.50.00, Clavister Firewall supports both PPTP and L2TP clients and servers. Multiple PPTP and L2TP servers may be run simultaneously, getting user authentication information from either local user databases or from RADIUS servers.
        L2TP over IPsec as well as L2TP with MPPE is supported.

    IPsec: The "Secure" rule flag was removed
        Issue: Before Clavister Firewall v8.20.00, the "Secure" rule flag was the only way to cause plaintext traffic to be sent over an IPsec tunnel. As of v8.20.00 however, traffic could be routed across IPsec tunnels just as with any other interface type.
        Change: As of v8.50.00, the "Secure" flag had to be removed as a result of the changes caused by the new dynamic routing functionality.
        Rules flagged as "Secure" encountered in the configuration will now result in a configuration warning, and the rule will be transformed to an explicit "Drop".
        Also note that before v8.50.00, any connection arriving over an IPsec tunnel would result in return traffic automatically being sent back over the same tunnel. As of v8.50.00, this is no longer the case. If there is no route back through the VPN tunnel, the connection will simply not open.
    The most likely place for this happening is with roaming client tunnels, where connections back through the tunnel are seldom required, so the lack of a return route would not have shown before v8.50.00.
        Remedy: "Secure" rule usage: Most often associated with lan-to-lan tunnels. Make sure there are routes to the remote networks over the appropriate tunnel interfaces. Remove the "Secure" flag from the affected rules.
        Remedy: Return traffic to roaming users: Enable the "Automatically Add Route to Remote Network" setting on roaming user tunnels.
       
    » This change is also documented as KB #10072.

    Local user database added
        Issue: Previously, Clavister Firewall has been able to authenticate users using remote RADIUS servers.
        Change: As of v8.50.00, a local user database has been added, which can be used for the same purposes as RADIUS servers.
    Multiple user databases may be configured; selecting between them is done in the User Authentication ruleset.
        Note that passwords are stored in the firewall configuration using reversible cryptography. This is in order to be compatible with various challenge-response authentication methods such as CHAP, MS-CHAP, and so forth, where passwords stored using non-reversible cryptography (such as hashing) would be unusable.

    PPP: IP addresses and remote networks may now be configured per user
        Issue: In PPP-based protocols such as L2TP and PPTP, remote network information is not exchanged in the same way that e.g. IPsec does. Therefore, there must be some other mechanism to control which IP spans get routed to which user connecting to an L2TP or PPTP server.
        Change: As of v8.50.00, each user may be given a fixed IP address and one or more "remote networks", which will be routed to the user. These settings are used by the L2TP and PPTP servers.
        Both IP addresses and remote networks may be configured in local user databases. IP addresses may also be configured in RADIUS servers, in the "Framed-IP-Address" attribute. Support for the RADIUS "Framed-Route" attribute may be implemented in a future version.

    Hosts and ranges may now be excluded from network objects
        Issue: In may cases, it is useful to be able to take a large network, or a previously defined network objects, and exclude a number of networks, ranges or hosts.
        Change: As of v8.50.00, it is possible to make exclusions in network objects. Exclusions are shown as "-" prefixed to the exclusion.
        Note: Double exclusions are encapsulated according to standard mathematical perceptions. Consider the following three network objects:
        object1: 192.168.2.0/24, -192.168.2.5
        object2: 192.168.0.0/16
        object3: object2, -object1
        "object3" will contain the following ranges:
        192.168.0.0 -- 192.168.1.255
        192.168.2.5
        192.168.3.0 -- 192.168.255.255

    IPsec: Transport mode may now be selected per tunnel
        Issue: IPsec is most commonly used in Tunnel mode, where the original packet is placed inside IPsec encapsulation and another, outer, IP header.
    In Transport mode, IPsec encapsulation is done after the original header, thus saving 20 bytes per packet. It is, however mostly useful for client-to-single host tunnels.
        Change: As of v8.50.00, transport mode may be selected on a per-tunnel basis. In the IPsec proposal editor, transport or tunnel mode may also be selected on a per-proposal basis, although the default is to use the same mode that the tunnel uses.

    "All-to-One" mappings for SAT rules rewriting the destination
        Issue: Previously, SAT rules have normally done "transposition" mappings, i.e. if you translate "192.168.0.0/24" to the new destination "172.16.0.0", it would translate 192.168.0.0 to 172.16.0.0, 192.168.0.1 to 172.16.0.1, etc. The one exception to this was cases when the destination network was 0.0.0.0/0, in which case all addresses would be rewritten to the same destination address.
        Change: As of v8.50.00, "All-to-One" mappings may be configured, resulting in any destination address being rewritten into the same single destination address, regardless of the original network size.

    Allow two windows machines to ping each other simultaneously
        Issue: All OSes except Windows will select unique ICMP IDs for each ping, which Clavister Firewall uses to differentiate pings. Windows however will always use "512". If such a ping was active in one direction, Clavister Firewall would drop pings with the same ID in the reverse direction, triggering "LogReverseOpen" log events.
        Change: As of v8.50.00, Clavister Firewall rewrites ICMP IDs (if they are set to 512) on behalf of the misbehaving senders in order to make them unique.

    PPPoE client can now request a "preferred IP" from server
        Issue: PPP clients can requested a "preferred IP address" from the server. The server may or may not grant the request. If not it will respond with a different address to use.
        Change: As of v8.50.00, the PPPoE (and PPTP and L2TP) client in Clavister Firewall may request a "preferred IP" from a PPPoE/PPTP/L2TP server.
    This is controlled via setting the host object that receives the IP address from the server, e.g. "ip_mypppiface", to something other than 0.0.0.0. The address set will be requested from the server.

    IPsec: The "ikesnoop" command can now filter IP addresses
        Issue: Enabling IKE snooping on a busy IPsec gateway may lead to excessive amounts of output.
        Change: As of v8.50.00, the "ikesnoop" command can take an optional IP address parameter. If used, only IKE traffic involving that IP address is shown.

    RTL8139 (Realtek) NIC performance enhanced
        Issue: The RTL8139 NIC has a maximum transmit ring size of 4 packets, while nearly every other chip allows transmit rings of 128 packets or greater. This causes packetloss problems when traffic arrives in bursts at or near 100Mbit/s linespeed.
        Change: As of v8.50.00, there is an extra buffer in software which queues packets before handing them to the chip. This improves resilience to traffic bursts.

    Buffered log sending implemented
        Issue: The syslog protocol as well as Clavister's proprietary logging protocol both use UDP for delivery. It is the nature of UDP to perform no buffering and rather attempt to send each message immediately. If hundreds of log messages were sent during the same fraction of a millisecond, interface TX rings would be overwhelmed, and log event loss would occur.
        Change: As of v8.50.00, Clavister Firewall will buffer log events and send only 100 messages every 10 milliseconds, for a maximum of 10 000 events each second. The buffer size may be up to 2 MB if enough RAM is available, which is enough to accomodate approximately one second's worth of log events during maximum rate.
        Note however that the maximum amount of log messages sent each second is still limited by the LogSendPerSec advanced setting.
        Change: As of v8.50.00, the LogSendPerSec default value is increased from 500 events per second to 2000 events per second. This equals a network load of about 4 Mbit/s, or about 2GB of data per hour.
        Change: If the rate of events is throttled for some reason, e.g. if the send buffer fills up, or if the LogSendPerSec limit is exceeded, a "SYSTEM" category log message including a count of dropped events will now be generated when logging can resume.
        Note that log events may still be lost due to reasons outside the firewall's control, for instance due to network saturation, excessive log server load, or other reasons. Such loss will not result in warning events in the logs.

    DHCP Server: "next server" field now configurable
        Issue: In more complex boot setups, such as some PXE configurations use, one DHCP server can use the "next server" field to point to another server that the client should talk to in order to complete the boot process.
        Change: As of v8.50.00, the "Next server" field is configurable under the "Options" tab of the DHCP Server properties.

    FTP ALG: List of known and disallowed commands updated
        Issue: The FTP ALG keeps a list of commands that are "known" and hence allowed through it. By default, everything else is disallowed. However, it is possible to tell it to "Allow Unknown Commands", in which case there is a list of explicitly disallowed commands that is still used. The reason for the latter list is that they won't work through the ALG anyway.
        Change: As of v8.40.05 and v8.50.00, the following commands have been added to the "known commands" list: "XMKD", "XRMD", "XPWD", "XCUP" and "XCWD".
        Two commands have been added to the "disallowed commands" list: "MLST" and "MLSD". The reason is that MLSD uses data channels that would not work without explicit support in the FTP ALG anyway. Support for this may be added in a future release.

    IPsec: XAuth client support added
        Change: As of v8.50.00, Clavister Firewall can act as an XAuth when originating IPsec tunnels and authenticate to the remote gateway with a username and password.

    IPsec: Full draft-beaulieu-ike-xauth-02 support
        Issue: Although support for authenticating IPsec clients via XAuth has existed for some time, XAuthInit* notifications were not sent. Some IPsec clients have been confused by this behavior.
        Change: As of v8.50.00, XAuthInit* notifications are sent.

    DHCP Relayer and Server now support DHCPINFORM messages
        Issue: In situations where a client already has an IP address, for example when PPP LCP is used, but the client wants to learn other IP configuration parameters, the client will use DHCPINFORM messages.
        Change: As of v8.50.00, the DHCP Relayer will relay DHCPINFORM messages. The IP address that the client uses is still validated against the "Allowed IP span" in the DHCP relayer rule.
        Change: As of v8.50.00, the DHCP Server will answer DHCPINFORM messages in accordance with the DHCP server ruleset.

    Packets from originator is now enough to keep non-TCP states alive
        Issue: The state engine normally keeps separate timeouts in each direction, so that packets only in one direction will not be enough to keep a state alive, which makes sense, since the majority of protocols are bi-directional.
        Change: As of v8.50.00, packets from the originator only will be enough to keep a stateless (UDP, Raw IP, Ping) connection alive. Closing it while the originator is active is pointless since another packet from the originator will open it right back up again; it was, after all, allowed by the ruleset to begin with.

    New advanced setting: IPOPT_RTRALT
        Issue: Many H.323 applications make use of the RSVP protocol, which sets the IP option "RTRALT" in the IP header. Previously, IPOPT_RTRALT would trigger IPOPT_Other, which defaults to "Drop and log", causing excessive log activity while the H.323 call was active.
        Change: As of v8.50.00, there is a separate setting for the "RTRALT" IP option, which defaults to "Validate, log only if bad". Clavister Firewall itself does not obey RTRALT options nor the RSVP protocol, but it will now pass through the firewall if the policy allows it.

    DHCP client will now include options 12, 60 and 61 in requests
        Issue: Some DHCP servers require options 12 (Host Name), 60 (Class Identifier) and 61 (Client Identifier) to be set in DHCP requests. Although requiring optional data in this manner could be considered a violation of the DHCP RFC, measures have been taken in the DHCP client in Clavister Firewall.
        Change: As of v8.40.05 and v8.50.00, the above options are included in all DHCP requests. The host name is constructed from the MAC address of the interface in question.

    "-verbose" switch added to arpsnoop console command
        Change: As of v8.50.00, a "-verbose" switch is added to the arpsnoop command. It displays the results of PBR rule lookups, route lookups, whether or not something is published due to Proxy ARP being enabled on a route, or if Local IP is in use, and plenty of additional behind-the-scenes information that is useful in troubleshooting complex routing situations.

    ARP section: IP addresses may now be published on multiple interfaces at once
        Change: As of v8.50.00, a group of interfaces, and even "Any", may be specified as the interface in a "Publish" in the ARP section. This results in the address being published on multiple interfaces at once.



     Firewall Core - Routing Specific Changes                
    Clavister Firewall v8.50.00 brings with it the concept of "Single-admin virtual systems/routers", where traffic may be passed between logically separate systems contained in the same unit, all under the same administrative control.

    Also, support for the OSPF routing protocol as well as more basic metric-based route failover, using link status and ARP resolution monitoring has been added.

    These three features bring with them a number of additional changes, some of them affecting backwards compatibility in some areas.

    Single-Admin Virtual Systems now configurable
        Issue: Clavister Firewall may now use a combination of policy- based routing and loopback interfaces to create "Single-Admin Virtual Systems / Routers".
    This is a logical construct building mainly on already- existing functionality, though a number of changes were made in order to fully virtualize the systems. These changes are all described in "Routing Specific Changes" section of this document.
        Change: The key change in enabling virtual systems in v8.50.00 is pairs of loopback interfaces. Such pairs are the conduits between different virtual routers in the same physical unit.
        Result: Using PBR rules or the new Interface PBR Membership setting, traffic arriving on different physical and/or loopback interfaces may use different routing tables.
        Also, as traffic arriving on different physical and/or loopback interfaces may be treated differently in the ruleset, each virtual system may use a completely different policy. Note however the change of rule lookup ordering described below.
        Virtual systems / routers are highly usable in ISP scenarios where they allow different customers to re-use the same IP spans, and also use a high degree of per-customer policy customization without needing to maintain difficult all-to-all combinations of PBR rules and address translation rules. POINT The "Single-Admin Virtual Systems / Routers" concept is described in more detail in the Routing section of the User's Guide.

    The OSPF routing protocol implemented
        Change: As of v8.50.00, Clavister Firewall implements the Open Shortest Path First routing protocol. Using a highly granular dynamic routing ruleset, interactions with the OSPF AS and the firewall's routing tables can be tightly controlled.
        Multiple OSPF processes may be executed simultaneously, each interacting with different PBR tables.

    Rule lookup order changed: PBR rules are now consulted first
        Issue: Previously, PBR rules were among the last to be consulted. As a consequence, the "Destination Interface" filter present in all rule lists was only relevant for the main routing table.
        Change: As of v8.50.00, the PBR ruleset (and per-interface PBR table membership) is the first ruleset to be consulted. As a result, the destination interface is now looked up in the correct routing table. Also, PBR rules are consulted before automatic source IP validation as well as for ARP packets.
        Note however that in the PBR ruleset itself, the destination interface is looked up in the main routing table. In most scenarios, it makes most sense to leave the destination interface as "Any" in PBR rules.
        Gotcha: If you have been using destination interface filters other than "Any" for PBRed traffic, it is likely that those filters will have to be changed.

    Route failover via status monitoring implemented
        Change: As of v8.50.00, the "metric" of routes may be configured. Lower-cost routes will be picked before high-cost ones. Note however that smaller, more specific, routes will still be picked before larger, more general ones.
        Also, two modes of monitoring have been implemented:
    » Link status monitoring. The exact method used differs for different types of interfaces; carrier detection for Ethernet interfaces, negotiation/SA status for IPsec, etc. Note that raw GRE tunnels have no link status and will therefore always be considered to be "up".
    » Gateway ARP resolution. Routes that have a configured gateway IP may use high-frequency ARP resolution monitoring in order to determine if the gateway is functional. Single-host routes may be monitored in the same way if the gateway is set to the destination IP address.
    Normally, the narrowest route with the lowest metric is used to reach a given destination. If that route is flagged as non-functional as a result of the above monitoring, the next larger or higher-metric route will be used.

    "Security/Transport Equivalent" interface groups added
        Issue: As of v8.50.00, dynamic routing can cause an already-open connection to be re-routed over different interfaces when a route fails. In order to avoid inadvertent security problems, the firewall must be explicitly told whether or not connection failover from one interface to another is allowed.
        Change: Interface groups now have a "Security/Transport Equivalent" setting. A connection is allowed to move between interfaces in such a group when route failover occurs. If a new route points through any other interface, the connection will close.
    Other changes as a result of interface equivalence:
    » Automatic source IP validation (reverse route lookup) will take equivalence into account.
    » In load-balanced routing scenarios, where packets belonging to the same route may arrive on multiple interfaces, they will be accepted as long as the interfaces are equivalent.
    » Fragment reassembly will accept fragments belonging to the same reassembly arriving on multiple interfaces, as long as they are equivalent.
        Note that an interface cannot be a member of more than one S/T Equivalent interface group. Doing so would be illogical - if an interface is the equivalent of two other interfaces, those two other interfaces are, by definition, also equivalent.
        Also note the implications for the firewall policy. Writing rules involving just one interface may have farther-reaching consequences if that interface is a member of a security/transport equivalent group.

    Connections over different interfaces are now always treated as separate
        Issue: Previously, a connection was uniquely identified by its IP addresses, protocol and ports. If a new connection attempt was made using the same identifying tuples, but over a different interface, it would be rejected and logged.
        Change: As of v8.50.00 the interfaces involved is part of the identity of a connection. Hence, connections using the exact same IP addresses, protocol and ports, but over different interfaces, are now treated as separate connectionns. This a requirement for Virtual Router scenarios, where it is not uncommon for two networks behind two different routers to use the same IP span.
        Note that "different" in this context means "not equivalent"; see "Security / Transport Equivalent interface groups", above.

    ARP related functionality will now obey PBR rules
        Change: As of v8.50.00, incoming ARP packets are looked up against the PBR ruleset, using IP protocol 0 in the lookup, since ARP is a non-IP protocol.
    The following ARP-related functions obey the result of this lookup:
    » Proxy ARP will use the forward routing table of the matching rule.
    » Responses to queries for route local IPs will use the return routing table of the matching rule.
    » Automatic source IP validation will use the return routing table of the matching rule, as is done with regular source IP validation.
    » In order to find which route local IP to use when sending queries, a reverse lookup is done in the PBR ruleset, simulating a received query. The return routing table will be used when looking up the destination IP. If the resulting route has a Local IP configured, it will be used as source IP in the query.
    In summary, in Virtual Router scenarios, ARP should behave as one would expect for each VR.

    New mode PBR table mode: "Only"
        Issue: Previously, there have been two ordering modes for policy-based routing tables:
    » "Default": First look in the main routing table. If the only default route matches, the PBR table will be consulted instead.
    » "First": First look in the PBR table. If there is no match, the main routing table will be consulted instead.
        Change: As of v8.50.00, a new mode is introduced:
    » "Only": only the given PBR table will be consulted; nothing else.
    This mode makes the most sense for virtual router scenarios. Hence, it is now also the default for new PBR tables.

    Interfaces may now be set as "members" of a PBR table
        Change: As of v8.50.00, there is a "PBR Table Membership" setting in the interface configuration. This setting controls two things:
    » In which routing table to add "core" routes for the interface IP address. The default is to add such routes in all tables, which was the behavior prior to v8.50.00.
    » If there is no PBR rule matching a given connection, it will instead be routed according to the PBR table membership setting for the interface that the connection arrived on. The same table will be used in both directions.
    It is entirely possible to control policy-based routing via PBR rules as before. The benefit of using the PBR table membership setting is mostly visible in virtual router scenarios, where it will keep interface IPs in different VRs from cluttering each other's routing tables.
        From a PBR rule standpoint, PBR Table Membership may be viewed as appending rules after the user-configured rules, stating "Anything received on <myiface>, regardless of addresses or protocol: use <mytable> in both directions".

    "ping" command enhanced to aid in routing troubleshooting
        Change: As of v8.50.00, there are two new switches to the "ping" command:
    » "-p <pbrtable>": Use the specified PBR routing table when routing the ping.
    » "-v": Verbose - display a lot more information about how the ping is routed and what is going on behind the scenes.

    IPsec interfaces will now auto-add routes according to PBR table membership
        Issue: IPsec, and now also the PPTP and L2TP servers, have the capability of auto-adding routes to IP addresses of incoming clients. Previously, such routes have always been added in the main routing table.
        Change: As of v8.50.00, client routes are added according to the tunnel interface's PBR table membership setting.

    DHCP Relayer will now obey PBR
        Change: As of v8.50.00, the DHCP Relayer will now obey policy-based routing rules when forwarding requests to the server and relaying replies back to the client.
    This makes the DHCP Relayer usable in Virtual Router scenarios.



     Firewall Core Bug Fixes                
    HA: Incorrect behavior of Route Local IPs on inactive node
        Problem: If a route had a "Local IP" configured, the inactive node would use it, along with the shared MAC address, as source address when sending ARP queries for IP addresses in that route.
        Results: Depending on the switches in the network, two things could happen:
    » The inactive node would get no reply at all to queries for addresses covered by that route
    » OR communications through the active node would be disrupted for a short period of time until the switches re-learn that the shared MAC address actually belongs to the active node.
        Affects: Clavister Firewall v8.00.00 and up
        Fix: As of v8.00.08, v8.10.03, v8.20.02, v8.30.02, v8.40.05 and v8.50.00, the inactive node will ignore "Local IP" settings in routes and always use its unique interface address in ARP queries.
        Note: The fix may result in problems communicating with the inactive node, given that the "Local IP" setting was likely configured for a good reason. However, due to the way that the ARP protocol works, having the inactive node source ARP queries from an IP address currently "owned" by the active node would always result in disruptions of one sort or another.

    IPsec: DES/3DES/AES performance problem on SG31xx appliances
        Problem: The SG31xx appliance series would perform below spec for DES, 3DES and AES encrypted tunnels.
        Affects: Clavister SG31xx appliances running v8.40.00--.04
        Fix: Fixed in v8.40.05 and v8.50.00.

    HTTP ALG problems with Microsoft Windows Update and some other sites
        Issue: In some cases, the HTTP ALG would believe that a HTTP response was invalid and refuse to pass it to the client.
        Results: The connection would be closed to the client, leading to an empty page being displayed. Or, in the case of Windows Update, the update process stalling before downloads begin.
        Affects: Clavister Firewall v8.40.00--.04.
        Fix: Fixed in v8.40.05 and v8.50.00.

    FTP ALG problems with PBR
        Issue: There was a problem in the FTP ALG related to policy-based routing.
        Results: The command channel would work, but one of the transfer modes (passive or active FTP) would not work, depending on the routing scenario.
        Affects: Clavister Firewall v8.40.01--.04.
    FTP sessions using the main routing table only were not affected.
        Fix: Fixed in v8.40.05 and v8.50.00.
    The fix has also been available as a pre-release: v8.40.05-pre002.

    Deselecting ALGs from a service would require a reboot
        Issue: If an Application Layer Gateway previously had been selected for a service, and then was deselected from the service, the change would not be picked up by the firewall.
        Results: The ALG would remain active on the service until the firewall was rebooted, or the service deleted or renamed.
        Affects: Clavister Firewall v8.00.00 and up.
        Fix: Fixed in v8.40.05 and v8.50.00.

    Automatic IPsec keepalives would not work with 0.0.0.0/0 as local or remote net
        Problem: The ICMP echo packets used inside the tunnel would be sent from 0.0.0.1, and be dropped by the Block0Net setting at the receiving end.
        Results: The packets would still be enough to trigger the tunnel to activate, but the keepalive logic would never see any responses. This would lead it to (correctly) assuming that there is something wrong with the keepalives, and it would never tear down the tunnel, regardless of whether it worked properly or not.
        Affects: Clavister Firewall v8.20.00--.01, v8.30.00--.01 and v8.40.00--.04.
        Fix: As of v8.20.02, v8.30.02, v8.40.05 and v8.50.00, the "Auto" mode will stay away from the 0.0.0.0/8 net and pick 1.0.0.1 or .2 instead.

    Crash if DNS client was making a query during a config re-read
        Issue: If the DNS client was making a query during the time of a configuration re-read, it could lead to a crash and subsequent re-start.
        Results: The configuration re-read would, in the end, result in a restart instead. The configuration would be successfully re-read.
        Affects: Clavister Firewall v8.40.00--.04.
        Fix: Fixed in v8.40.05 and v8.50.00.

    IPsec: Auto-adding routes would fail intermittently
        Issue: IPsec tunnels have the capability of auto-adding routes to IP addresses of incoming clients. This is useful in roaming user scenarios where DHCP over IPsec is not used (in which case the route would be added by the DHCP relayer).
        Problem: In some configurations, the automatic route addition would sometimes fail.
        Results: Connections back to the client would be impossible. Connections from the client could also be denied, depending on source IP validation policy. If however connections from the client were allowed, they would work due to the fact that connections originated from an IPsec tunnel would always send return traffic back through the same tunnel.
        Affects: Clavister Firewall v8.20.00 and up.
        Fix: Fixed in v8.40.05 and v8.50.00.

    Reject responses (TCP RST / ICMP unreach) would not obey PBR
        Issue: "Reject" rules result in a TCP RST packet or ICMP unreachable message in response to the attempted connection.
        Problem: The RST/unreach would not obey PBR rules, and would be routed according to the main routing table.
        Result: The most user-visible result would be a ~30-60 second delay when connecting over a PBR table to FTP servers that attempt to use the "ident" protocol (port 113/TCP). Reverse ident lookups are commonly Rejected in order to speed up logins to such FTP servers.
        Affects: Clavister Firewall v8.00.00 and up.
        Fix: As of v8.50.00, TCP RST and ICMP Unreachable packets sent in response to Reject rules will be routed over the same PBR table that the inbound connection would have used.

    IPsec data lifetimes higher than 4194304KB (4GB) would be misinterpreted
        Issue: Due to an internal conversion error, data lifetimes higher than 4GB could not be handled.
        Results: Bit masking would occur, translating values just above 4GB to very low values, 5GB to 1GB, 6GB to 2GB, and so forth until wrapping occurs again.
        Affects: Clavister Firewall v5.1 and up.
        Fix: As of v8.40.05 and v8.50.00, values up to 4 terabytes are handled correctly, which is the upper limit supported by IPsec.



     Firewall Core Known Problems                
    HA: No state synchronization for ALGs
        Problem: No aspect of ALGs are state synchronized
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in a HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Problem: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 -- 120 second range.

    IPsec: Compatibility issue with MS IPsec NAT Traversal
        Problem: Microsoft's IPsec NAT traversal is incompatible with the NAT traversal implementation in Clavister Firewall.
        Results: Microsoft's IPsec client would fail to establish an IPsec tunnel to a Clavister Firewall if there was a NATing gateway in between.
        This will be resolved in a future release of Clavister Firewall.