Clavister Firewall Changes from v8.50.02 to v8.60.00

8.60.00 release date: 2005-09-14 [ISO]

Users upgrading from v7.0x or earlier should read changes-7.0x.xx-to-8.00.02.html first.

Version 8.60.00 contains a number of new features which are highlighted here:
» Transparent Mode support enables automatic creation of routes for hosts moving between different interfaces within the same group of transparent interfaces.
» Server Load Balancing (SLB) support enables distribution of traffic load across multiple servers to scale beyond the capacity of one single server, and to tolerate a server failure.
» Radius Accounting support enables accounting capabilities for authenticated users.


Contents of this document

Version 8.60.00 contains fixes to problems in the Firewall Core and the Firewall Manager. This document outlines problems solved as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • Files installed by v8.60.00
  • How to upgrade earlier v8.0x firewalls to v8.60.00
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager
  • [Changes] [Problems Solved]
  • Firewall Core
  • [Changes] [Problems Solved] [Known Problems]

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the release notes section of www.clavister.com/support.



     Summary of changes and problems solved                       

    Firewall Manager
      Change: Simplified IPsec configuration
      Problem solved: Netobject groups can not be included when creating a new netobject group

    Firewall Core
      Change: Transparent Mode implemented
      Change: Server Load Balancing implemented
      Change: Radius Accounting support implemented
      Change: Support for server-side IKE Configuration Mode
      Change: Misc. IPsec changes
      Change: Conn command modified
      Change: ARP timeout setting limit decreased
      Change: New synrelayer available
      Change: New "routemon" console command
      Change: HTTP ALG now allows compressed data
      Problem solved: HTTP ALG might cause the Security Gateway to crash in some situations
      Problem solved: Interfaces are taken down during reconfiguration
      Problem solved: IPsec: Compatibility issue with MS IPsec NAT Traversal
      Problem solved: HA: Shared MAC addresses are not unique on all interfaces
      Known problem: HA: Transparent Mode won't work in HA mode
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP



     Files installed by v8.60.00                       
    This is a list of files that are new to the v8.60.00 release. All paths are relative to your Firewall Manager install folder.
    » Cores/fwc-8.60.00-full.cfx
    This is the v8.60.00 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains all available functionality.
    » Cores/fwc-8.60.00-mini.cfx
    This is a version of the v8.60.00 core with certain features removed. It is less than half the size of the full version. The features removed are:
    - IPsec VPN
    - The H.323 Application Layer Gateway
    - OSPF
    » Docs/changes-8.50.02-to-8.60.00.html
    This document.
    » FWMgr8.exe
    This is the v8.60.00 Firewall Manager. Earlier version 8 Firewall Managers will be backed up with the extensions ".old1" and ".old2".


     How to upgrade earlier v8.0x firewalls to v8.60.00                       
    Upgrading a previous v8.0x firewall to v8.60.00 is completely straightforward.
    Simply upload the new core, "fwc-8.60.00-full.cfx", to your firewall and restart it.
    (Alternatively, upload the "-mini" version if the removed functionality is not required.)


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.60.00.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

    We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active firewall ("firewall A") and restart it.
    • Issue a 'reconfigure' on the firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
    • Upload the core to firewall B and restart it.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
    1) cause two failovers manually,   or
    2) connect to it via e.g. the remote console just to make sure it's running,   or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive firewall ("firewall B") and restart it.
    • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
    • Upload the core to firewall A and restart it.
    • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Known Problems section. All other states are, as usual, fully synchronized and not affected in either procedure.


     Firewall Manager Changes                       
    Simplified IPsec configuration
        Change: As of v8.60.00, all properties for a proposal list are defined in one place, and the Firewall Manager will autogenerate the configuration from all possible proposal combinations.



     Firewall Manager Problems Solved                       
    Netobject groups can not be included when creating a new netobject group
        Problem: When creating a new netobject group it is not possible to select other groups and add them to the new netobject group.
        Affects: Firewall Manager v8.00.00 and up.
        Fix: Fixed in v8.60.00



     Firewall Core Changes                       
    Transparent Mode implemented
        Issue: The Transparent Mode feature simplifies the deployment of firewall appliances into an existing network topology in order to strengthen security. It eases administration because the nodes in the current network need no reconfiguration when a firewall is introduced into the communication flow. Transparent Mode also enables hosts to move between different interfaces within the same group of transparent interfaces.
        Change: As of v8.60.00, there is a new route type called SwitchRoute that defines a group of transparent interfaces acting together as one transparent "switch".

    Server Load Balancing implemented
        Issue: Server Load Balancing (SLB) is a mechanism dealing with distribution of traffic load across multiple servers to scale beyond the capacity of one single server, and to tolerate a server failure.
        Change: As of v8.60.00, there is a new SLB_SAT rule type that distributes traffic load across multiple servers.
        Note: Apart from the SLB-specific settings, the new SLB_SAT rule is handled like a normal SAT rule. This means that a secondary Allow or NAT rule is needed.

    Radius Accounting support implemented
        Issue: Radius Accounting can be used to keep track of usage statistics for logged in users, such as session time, number of packets sent and received during the session and the total amount of data sent and received.
        Change: As of v8.60.00, there is a new Radius Accounting configuration option for user authentication rules.
        Note: The Radius Accounting feature can be used together with either the local user authentication database or another Radius server for authentication. Accounting is separated from authentication, so the authentication source/server and the accounting server do not have to be the same.
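The usage statistics listed above travel as RFC 2866 attributes in RADIUS Accounting-Request packets. The following Python example, added here and not part of Clavister's software, builds such a request, computes the Request Authenticator that lets the accounting server check the shared secret and packet integrity, and parses and verifies a received packet; the shared secret and all sample values are constructed for the example.

```python
import hashlib
import hmac
import struct
SECRET = b"example-secret"  # constructed shared secret for this example only
ACCOUNTING_REQUEST = 4      # RFC 2866 packet code
# RFC 2866 attribute types carrying the statistics the release notes mention.
ATTR = {"User-Name": 1, "Acct-Status-Type": 40, "Acct-Input-Octets": 42,
        "Acct-Output-Octets": 43, "Acct-Session-Id": 44, "Acct-Session-Time": 46,
        "Acct-Input-Packets": 47, "Acct-Output-Packets": 48}
INTEGER_ATTRS = {40, 42, 43, 46, 47, 48}  # 32-bit big-endian values; the rest are strings

def encode_attrs(attrs):
    out = b""
    for name, value in attrs.items():
        t = ATTR[name]
        data = struct.pack("!I", value) if t in INTEGER_ATTRS else value.encode()
        out += struct.pack("!BB", t, len(data) + 2) + data  # type, length, value
    return out

def build_accounting_request(identifier, attrs, secret=SECRET):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_request_authenticator(packet, secret=SECRET):
    # True only if the packet is intact and was built with this shared secret.
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def parse_accounting_request(packet, secret=SECRET):
    # Returns (identifier, attributes); raises ValueError on malformed or unverifiable input.
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if not verify_request_authenticator(packet, secret):
        raise ValueError("Request Authenticator mismatch: wrong secret or tampered packet")
    by_type = {v: k for k, v in ATTR.items()}
    attrs, pos, body = {}, 0, packet[20:]
    while pos < len(body):
        t, alen = body[pos], body[pos + 1] if pos + 1 < len(body) else 0
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        data = body[pos + 2:pos + alen]
        value = struct.unpack("!I", data)[0] if t in INTEGER_ATTRS else data.decode()
        attrs[by_type.get(t, f"Attr-{t}")] = value
        pos += alen
    return identifier, attrs
```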

    Support for server-side IKE Configuration Mode
        Issue: Support for server-side IKE Configuration Mode (cfg-mode) has been added to allow assigning e.g. IP address and DNS information to VPN (IPsec) clients.
        Change: As of v8.60.00, IPsec tunnels can be configured to support server-side Configuration Mode.

    Misc. IPsec changes
        Issue: IKE Dead Peer Detection (DPD) can now be controlled through the firewall configuration. Support for automatically establishing IPsec tunnels at system startup has been added.
        Change: As of v8.60.00, the IKE Dead Peer Detection can be controlled per tunnel through the firewall configuration. Support has been added for configuration of automatic establishment of IPsec tunnels at system startup.

    Conn command modified
        Issue: The conn command can now be used to close connections.
        Change: As of v8.60.00, the conn command has been extended with a "-close" switch.

    ARP timeout setting limit decreased
        Issue: The ARP timeout setting was limited to a minimum value of 10 seconds.
        Change: As of v8.60.00, the ARP timeout setting can now be configured as low as one second.
        Note: Setting the ARP timeout interval lower than 10 seconds is not recommended; however, in some scenarios a lower timeout setting may be needed.

    New synrelayer available
        Issue: A new and improved synrelayer is available.
        Change: As of v8.60.00, a new synrelayer is available that handles TCP MSS options.
        Note: To enable the new synrelayer instead of the old one, enable the "TCPNewSynProtect" advanced setting.

    New "routemon" console command
        Issue: A new "routemon" console command is available.
        Change: As of v8.60.00, a new "routemon" console command is available that can be used to list information about all monitored routes.

    HTTP ALG now allows compressed data
        Issue: The HTTP ALG always asked the web server not to send compressed data as this does not work with content stripping.
        Change: As of v8.60.00, the HTTP ALG will allow the server to send compressed data as long as the HTTP ALG isn't configured to do content stripping.
        Note: This means that compressed data is allowed as long as the HTTP ALG isn't configured to perform stripping of ActiveX objects, Java Applets and Javascripts/VBScripts.



     Firewall Core Problems Solved                       
    HTTP ALG might cause the Security Gateway to crash in some situations
        Problem: In some scenarios when the HTTP ALG handles a lot of traffic with chunked encoded data, it might cause the Security Gateway to crash.
        Results: The Security Gateway will crash and will then automatically reboot.
        Affects: Clavister Firewall v8.40.00 and up
        Solution: Solved in v8.60.00.

    IPsec: Compatibility issue with MS IPsec NAT Traversal
        Problem: Microsoft's IPsec NAT traversal was incompatible with the NAT traversal implementation in Clavister Firewall.
        Results: Microsoft's IPsec client would fail to establish an IPsec tunnel to a Clavister Firewall if there was a NATing gateway in between.
        Affects: Clavister Firewall v8.00.00 and up
        Solution: Solved in v8.60.00.

    HA: Shared MAC addresses are not unique on all interfaces
        Problem: All interfaces in a HA cluster use the same shared MAC address.
        Results: When running a HA-cluster with more than one interface connected to the same switch which is segmented by VLAN, the switch may get confused and not allow the ethernet-address on more than one segment.
        Affects: Clavister Firewall v8.00.00 and up
        Solution: Solved in v8.60.00.
        Note: This behaviour will have to be enabled by the "HAUseUniqueSharedMacPerIface" advanced setting.

    Interfaces are taken down during reconfiguration
        Problem: Interfaces are taken down during reconfiguration.
        Results: During reconfiguration the interfaces will restart link negotiation. This can confuse some switches running the Spanning-Tree algorithm.
        Affects: Clavister Firewall v8.00.00 and up
        Solution: Solved in v8.60.00.
        Note: If an interface needs to be taken down and reinitialized, the command "ifstat -restart " can be used.



     Firewall Core Known Problems                       
    HA: Transparent Mode won't work in HA mode
        Problem: There is no state synchronization for Transparent Mode, and loop avoidance is not in place.
        Results: Transparent Mode won't work in HA mode, since there is no state synchronization and loop avoidance is not in place.

    HA: No state synchronization for ALGs
        Problem: No aspect of ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
        Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in a HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Problem: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 -- 120 second range.