Clavister Security Gateway changes from v8.60.02 to v8.70.00

8.70.00 Release date: 2006-08-18 [ISO]


Please Note: The Clavister Loader MUST be upgraded before Clavister CorePlus is upgraded to version 8.70.00!

Version 8.70.00 contains a number of new features and some major changes. Here is a list with the most notable changes:
» Clavister Firewall Manager has been renamed to Clavister FineTune as part of Clavister's new marketing strategy.
» Clavister FWCore is renamed to Clavister CorePlus as part of Clavister's new marketing strategy.
» Intrusion Detection & Prevention (IDP) introduced. Clavister’s Intrusion Detection & Prevention System (IDP) provides comprehensive and easy to use protection against current and emerging threats at both the network and the application layer.

The access to IDP signature updates provided by the Clavister Service Provisioning Network is restricted by the license.

To obtain the Signature Update Service for your license, please contact your local Clavister Certified Partner or Clavister Sales Office.
» Web Content Filtering introduced. Clavister Web Content Filtering is a highly efficient yet low-maintenance service provided to you by the Clavister Service Provisioning Network (CSPN). With Web Content Filtering you can easily monitor and manage the usage of your organization's Internet resources.

The access to the web content classification service provided by the Clavister Service Provisioning Network is restricted by the license.

To obtain the Web Content Filtering Service for your license, please contact your local Clavister Certified Partner or Clavister Sales Office.
» Threshold Rules introduced. The Threshold Rules feature provides you with an active and dynamic protection mechanism which makes it possible to apply the necessary counter measures when a given rate or event has occurred.
» IGMPv3 and Multicast forwarding introduced. This feature makes it possible for multicast traffic such as streaming audio and video to securely pass through the Clavister Security Gateway.
» High Availability support for SG50 series introduced.
» SNMP2c Trap support introduced.
» Refined Log System. The new log format is more comprehensive and better structured, thus making it easier for both the end user and third-party applications to use log data generated by Clavister Security Gateways.
» Dynamic IP Blacklisting introduced. It is now possible to dynamically blacklist a certain host/network if an attack is detected or a connection establishment threshold is exceeded.
» Hardware Monitoring introduced. The Clavister Security Gateway can now monitor vital hardware values such as fan-speed and CPU temperature and report these values.
» NOTE: In HA setups, Radius servers used by the Security Gateway might have to be reconfigured to accept traffic from the shared IP instead of the unique IPs. The reason is that the Security Gateway as of v8.70.00 uses the shared IP when connecting to Radius servers. See "HA: Radius messages are not sent from shared IP" for more information about this.
» NOTE: If CorePlus is upgraded from earlier versions, the configuration regarding old log settings will be converted in order to meet the new log system requirements. If one or more log receivers are selected in, for example, an IP rule, logging is turned ON for that rule. This means that the message generated when that rule is triggered will be sent to all configured log receivers. See "Refined Log System" for more information about this.


Contents of this document

Version 8.70.00 contains fixes to problems in CorePlus and FineTune. This document outlines problems fixed as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • Summary of changes and problems fixed in v8.70.00
  • Files installed by v8.70.00
  • How to upgrade earlier v8.0x releases to v8.70.00
  • How to upgrade v6.0x/v7.0x releases to v8.0x
  • HA upgrade procedure
  • Clavister FineTune
  • [Changes] [Problems Fixed]
  • Clavister CorePlus
  • [Changes] [Problems Fixed] [Considerations]

    For future reference: This document is stored in the "Docs" sub-folder of your Clavister FineTune installation folder.

    Change logs / release notes for earlier versions of Clavister Security Gateway are available in the release notes section of www.clavister.com/support.



     Summary of changes and problems fixed                       

    FineTune
      Change: Possibility to filter real-time log output added.
      Problem solved: Loopback interface pairs end up with the wrong net objects.
      Problem solved: Missing logsection for dynamic routing rules.

    CorePlus
      Change: Intrusion Detection & Prevention (IDP) implemented.
      Change: Web Content Filtering implemented.
      Change: Threshold Rules implemented.
      Change: SG50 High Availability Support implemented.
      Change: SNMP2c Trap support implemented.
      Change: Refined Log system
      Change: Dynamic IP Blacklisting implemented.
      Change: Support for Hardware Monitoring implemented.
      Change: IGMPv3 Support
      Change: Multicast Forwarding
      Change: New Ethernet Interface Setting
      Change: Multicast Advanced Settings Section
      Change: Routing Table support for Radius servers.
      Change: Custom timeouts per service implemented
      Change: Possibility to configure an HA cluster not to fail over during a reconfigure.
      Problem solved: HA: Radius messages are not sent from shared IP.
      Problem solved: IPSec: Xauth password gets truncated.
      Problem solved: TCP connections to the Security Gateway itself (Netcon, ALGs, PPTP) do not obey received TCP MSS.
      Problem solved: IPsec: CorePlus hangs when a IPsec tunnel is removed under certain circumstances.
      Problem solved: Impossible to configure the use of UDP source port 0.
      Problem solved: DHCP Server incorrectly associates DHCP leases with MAC addresses instead of a client-provided identifier.
      Problem solved: PPTP server sometimes fails to send any traffic at all through a newly connected tunnel.
      Problem solved: The Dynamic Routing function logs the wrong metric on SG50 appliances.
      Problem solved: HA: Problem with OSPF and HA failover
      Problem solved: HA: Problem with OSPF and area default stub summary
      Known problem: HA: Transparent Mode won't work in HA mode
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP
      Known problem: HA: No state synchronization for IDP signature scan states.



     Files installed by v8.70.00                       
    This is a list of files that are new to the v8.70.00 release. All paths are relative to your Clavister FineTune installation folder.
    » Cores/sgc-8.70.00-full.cfx
    This is the full v8.70.00 version of CorePlus. Upload it to your existing Security Gateway, or create new boot media with it. It contains all available functionality.
    » Cores/sgc-8.70.00-mini.cfx
    This is a version of the v8.70.00 CorePlus with certain features removed. It is less than half the size of the full version. The features removed are:
    - IPsec VPN
    - The H.323 Application Layer Gateway
    - OSPF
    » Cores/sgc-8.70.00-sg50.cfx
    This is the v8.70.00 CorePlus for the SG50 appliance. Upload it to your existing Security Gateway. It contains all available functionality.

    » Docs/changes-8.60.02-to-8.70.00.html
    This document.
    » Docs/Clavister EULA.pdf
    The Clavister End User License Agreement.
    » Docs/Clavister_CorePlus_Admin_Guide_8_70.pdf
    The Clavister CorePlus administration guide for the v8.70.00 release.
    » Docs/Clavister_FineTune_Admin_Guide_8_70.pdf
    The Clavister FineTune administrator's guide for the v8.70.00 release.
    » Docs/Clavister_Log_Reference_Guide_8_70.pdf
    The log reference guide for the v8.70.00 release.
    » Docs/SG50_Installation_Setup.pdf
    Installation and Setup guide for the SG50 series platform.
    » Docs/SG3100_Installation_Setup.pdf
    Installation and Setup guide for the SG3100 series platform.
    » Docs/SG4200_Installation_Setup.pdf
    Installation and Setup guide for the SG4200 series platform.
    » Docs/SG4400_Installation_Setup.pdf
    Installation and Setup guide for the SG4400 series platform.
    » FineTune.exe
    This is the v8.70.00 Clavister FineTune executable.
    » SNMP/Clavister-Traps.mib
    This is the Clavister v8.70.00 SNMP Traps MIB.
    » SNMP/Clavister-SMI.mib
    This is the Clavister v8.70.00 SNMP Structure of Management Information file.


     How to upgrade earlier v8.0x releases to v8.70.00                       

    Please Note: The Clavister Loader MUST be upgraded before Clavister CorePlus is upgraded to version 8.70.00!

    Upgrading a previous v8.0x release to v8.70.00 is completely straightforward.
    First upload the new Clavister Loader, followed by the new CorePlus, "sgc-8.70.00-full.cfx" (or "sgc-8.70.00-sg50.cfx" for the SG50 Series), to your Security Gateway and restart it.
    (Alternatively, upload the "-mini" version if the removed functionality is not required.)


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.70.00.

    Simply upload the new CorePlus file to the Security Gateways in your cluster and make sure that the first upload and restart is successful before uploading to the second Security Gateway.

    We recommend beginning with the Security Gateway that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active Security Gateway ("Security Gateway A") and restart it.
    • Issue a 'reconfigure' on Security Gateway B to rapidly fail back to the now upgraded Security Gateway A. Make sure Security Gateway A functions properly.
    • Upload the core to Security Gateway B and restart it.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second Security Gateway untested, even though it most likely will work just as well as the first Security Gateway. If you want to specifically test the second Security Gateway, you can:
    1) cause two failovers manually,   or
    2) connect to it via e.g. the remote console just to make sure it's running,   or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive Security Gateway ("Security Gateway B") and restart it.
    • Issue a 'reconfigure' on Security Gateway A. This causes failover to Security Gateway B. Make sure Security Gateway B functions properly.
    • Upload the core to Security Gateway A and restart it.
    • Issue a 'reconfigure' on Security Gateway B to fall back to Security Gateway A. Make sure Security Gateway A functions properly.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Considerations section. All other states are, as usual, fully synchronized and not affected in either procedure.


     FineTune Changes                       
    Possibility to filter real-time log output added.
        Change: As of v8.70.00 it is possible to filter the real-time log output in Clavister FineTune.



     FineTune Problems Fixed                       
    Loopback interface pairs end up with the wrong net objects.
        Issue: When creating loopback interface pairs, the two interfaces will be configured with the same net object.
        Results: Impossible to create loopback interface pairs with the GUI.
        Affects: v8.60.02
        Solution: Fixed in v8.70.00

    Missing logsection for dynamic routing rules.
        Issue: In the security gateway configuration you can specify log receivers to enable logging when a dynamic routing rule is matched. This is not possible to configure in FineTune.
        Results: FineTune could not configure log receivers for dynamic routing rules.
        Affects: v8.50.00 - v8.60.00
        Solution: Fixed in v8.70.00



     CorePlus Changes                       
    Intrusion Detection & Prevention (IDP) implemented.
        Change: As of 8.70.00 an Intrusion Detection & Prevention engine is implemented. It includes, among others, the following major features:
    » Component based signatures.
    » Automatic signature updates through CSPN (Clavister Service Provisioning Network).
    » Pseudo TCP Reassembly for seamless inspection of TCP streams.
    » Insertion and Evasion attack protection.
    » State aware pattern matching.
        Note: You need to configure at least one DNS server (Advanced Settings/DNSClient) so that the Clavister Security Gateway can access the IDP Signature update server within the Clavister Service Provisioning Network.

    Web Content Filtering implemented.
        Change: As of 8.70.00 the Web Content Filtering capability is implemented as an integral part of the HTTP Application Layer Gateway.
    The Clavister Security Gateway will query the Clavister Service Provisioning Network for categorization of requested web content.
        Note: You need to configure at least one DNS server (Advanced Settings/DNSClient) so that the Clavister Security Gateway can access the Web Content Filtering server within the Clavister Service Provisioning Network.

    Threshold Rules implemented.
        Change: As of 8.70.00 it is possible to accomplish connection rate limiting through Threshold Rules, making it possible to either drop connections that exceed the threshold or dynamically add their sources to a blacklist.

    SG50 High Availability Support implemented.
        Issue: Earlier versions did not support HA synchronization on the SG50 platform, causing problems on small sites where high availability is crucial.
        Change: As of 8.70.00 HA synchronization is supported for the SG50 platform.

    SNMP2c Trap support implemented.
        Change: The Clavister Security Gateway can now be configured to generate and distribute SNMP Traps for any type of event that has occurred in the system.

    Refined Log system
        Change: As of 8.70.00 the log system has been refined in order to meet requirements for unique identification and classification of faults and events, and to make it possible to change the severity of events and log messages via configuration. The log system has been updated with the following features:
    » All log messages are now identified with a unique ID.
    » The severity of each log message can be overridden, and a new severity level can be specified for each log receiver.
    » It is now possible to granularly control which log messages will or will not be sent to each log receiver.
    » A Log reference guide will help you interpret and understand the meaning of each log message.
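The three mechanisms listed above (unique message IDs, per-receiver severity override, per-receiver message filtering) interact in a way that is easy to get wrong when tuning log receivers. The following is an added illustration of that interaction, not CorePlus code; the receiver fields, the message IDs and the sample messages are constructed for the example.

```python
from dataclasses import dataclass, field

# Severity scale, most severe first (assumed syslog-style ordering).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}   # lower rank = more severe


@dataclass
class LogMessage:
    msg_id: str      # unique message ID (constructed; real IDs are in the Log Reference Guide)
    severity: str    # severity assigned by the subsystem that generated the event
    text: str


@dataclass
class LogReceiver:
    name: str
    min_severity: str = "info"                              # receive this level and anything more severe
    severity_override: dict = field(default_factory=dict)   # msg_id -> severity used for this receiver
    exclude: set = field(default_factory=set)               # msg_ids never sent to this receiver
    delivered: list = field(default_factory=list)

    def accept(self, msg):
        """Apply filtering and override for this receiver; return the delivered line or None."""
        if msg.msg_id in self.exclude:
            return None
        sev = self.severity_override.get(msg.msg_id, msg.severity)   # override is per receiver
        if RANK[sev] > RANK[self.min_severity]:                       # less severe than threshold
            return None
        line = f"{self.name}: id={msg.msg_id} sev={sev} {msg.text}"
        self.delivered.append(line)
        return line


def dispatch(msg, receivers):
    """Offer one message to every receiver; each applies its own rules."""
    return [line for r in receivers for line in [r.accept(msg)] if line is not None]


def demo():
    # syslog only wants warnings and worse, but promotes CONN_OPEN so it still sees it.
    syslog = LogReceiver("syslog", min_severity="warning",
                         severity_override={"CONN_OPEN": "warning"})
    # audit keeps everything except the noisy CONN_OPEN message.
    audit = LogReceiver("audit", min_severity="debug", exclude={"CONN_OPEN"})
    receivers = [syslog, audit]
    dispatch(LogMessage("CONN_OPEN", "info", "connection opened"), receivers)
    dispatch(LogMessage("RULE_DROP", "notice", "packet dropped by rule"), receivers)
    return syslog.delivered, audit.delivered
```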

    Dynamic IP Blacklisting implemented.
        Change: As of 8.70.00 it is possible to make other subsystems dynamically blacklist hosts if they pose a "threat" against the network. Both the IDP engine and Threshold Rules have this functionality.
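To make the Threshold Rules and Dynamic IP Blacklisting entries concrete, here is an added model of a per-source connection-rate threshold whose action is either to drop the excess connection or to blacklist the source for a while. It is an illustration written for these notes, not CorePlus code; the parameter names (limit, window, blacklist_ttl) and the sample addresses are assumptions.

```python
import time
from collections import deque


class ThresholdRule:
    """Sliding-window connection-rate threshold per source with an optional dynamic blacklist."""

    def __init__(self, limit, window, action="drop", blacklist_ttl=60.0):
        self.limit = limit                # new connections allowed per window, per source
        self.window = window              # window length in seconds
        self.action = action              # "drop" or "blacklist" when the limit is exceeded
        self.blacklist_ttl = blacklist_ttl  # seconds a blacklisted source stays blocked
        self._events = {}                 # src -> deque of connection timestamps
        self._blacklist = {}              # src -> expiry time

    def _prune(self, src, now):
        """Drop timestamps that have left the window and return the source's deque."""
        q = self._events.setdefault(src, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blacklisted(self, src, now=None):
        now = time.time() if now is None else now
        expiry = self._blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:                 # entry expired: remove it, source is allowed again
            del self._blacklist[src]
            return False
        return True

    def new_connection(self, src, now=None):
        """Decide 'allow', 'drop' or 'blacklist' for a new connection from src."""
        now = time.time() if now is None else now
        if self.is_blacklisted(src, now):
            return "drop"
        q = self._prune(src, now)
        if len(q) >= self.limit:
            if self.action == "blacklist":
                self._blacklist[src] = now + self.blacklist_ttl
                q.clear()
                return "blacklist"
            return "drop"
        q.append(now)
        return "allow"


def demo():
    rule = ThresholdRule(limit=3, window=1.0, action="blacklist", blacklist_ttl=30.0)
    src = "192.0.2.10"                    # constructed sample source address
    decisions = [rule.new_connection(src, now=t) for t in (0.0, 0.1, 0.2, 0.3, 0.4)]
    other = rule.new_connection("192.0.2.20", now=0.5)   # unrelated source is unaffected
    later = rule.new_connection(src, now=31.0)           # blacklist entry has expired
    return decisions, other, later
```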

    Support for Hardware Monitoring implemented.
        Issue: Support for hardware monitoring has been added in order to monitor the health of the system.
        Change: As of v8.70.00 hardware monitoring can be used to get valuable status information about the hardware environment.

    IGMPv3 Support
        Change: IGMPv3 is supported by two modes of operation, IGMP Snooping and Proxying.

    Multicast Forwarding
        Change: Multicast forwarding is supported by using a newly introduced SAT Multiplex rule.
        Note: The netobject all-nets (0.0.0.0/0) includes the multicast IP range 224.0.0.0-239.255.255.255. Rules configured using the all-nets netobject will therefore also apply to multicast packets.

    New Ethernet Interface Setting
        Change: The reception of multicast packets can be turned on and off directly on the Ethernet interface. This makes it possible to tweak the Security Gateway according to network topology and needs. Default behaviour of the new setting is 'Auto'.

    Multicast Advanced Settings Section
        Change: Several multicast related settings have been added to the advanced settings section. The two most important ones are AutoAddMulticastCoreRoutes and IGMPBeforeRules.

    Routing Table support for Radius servers.
        Change: As of 8.70.00 it is possible to specify which Routing Table should be used for each Radius server.

    Custom timeouts per service implemented
        Issue: In some scenarios it might be handy to configure custom timeouts per service instead of globally for all services.
        Change: As of 8.70.00 it is possible to configure custom timeouts per service.

    Possibility to configure an HA cluster not to fail over during a reconfigure.
        Change: As of 8.70.00 it is possible to configure the High Availability cluster to not fail over to the inactive node when a reconfiguration takes less than the configured amount of time.



     CorePlus Problems Fixed                       
    HA: Radius messages are not sent from shared IP.
        Problem: When a Security Gateway running High Availability communicates with Radius servers it uses the unique IP of the active member as source IP. The shared IP should be used instead. This is mainly a problem for Radius Accounting; the behaviour is, however, the same for Radius Authentication.
        Results: A High Availability failover might result in the Accounting Start and Accounting Stop messages being sent from different High Availability nodes. This in turn will make it hard for the Radius server and/or end user to associate the two messages with each other.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.70.00
        Note: This change might require reconfiguration of Radius servers used by Security Gateways running High Availability. This is true for radius servers configured to only accept traffic from specific IPs. Until now, the unique IP of one of the High Availability nodes has been used as the source IP. Both nodes are now using the shared IP.

    IPSec: Xauth password gets truncated.
        Problem: The password sent to the Radius server is truncated to the length of the username.
        Results: This will cause the Radius server to reject the password if the password originally is longer than the username.
        Affects: v8.60.02
        Solution: Fixed in v8.70.00

    TCP connections to the Security Gateway itself (Netcon, ALGs, PPTP) do not obey received TCP MSS.
        Problem: The Clavister Security Gateway ignores incoming TCP MSS settings and uses only the configured MSS value. This is faulty since the lower of these two values should be used.
        Results: This bug can result in loss of TCP data.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.70.00
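The MSS problem above comes down to reading the peer's MSS option from the SYN and taking the lower of that and the locally configured value. As an added illustration (not CorePlus code), the following parses the TCP option list of a constructed SYN segment and computes the effective MSS the way the fix describes; the 536-byte fallback for a SYN without an MSS option is the RFC 1122 default and is an assumption about the gateway's behaviour.

```python
import struct

DEFAULT_MSS = 536   # RFC 1122 default when the peer sends no MSS option (assumed fallback)


def tcp_option_mss(tcp_segment):
    """Return the MSS advertised in the segment's TCP options, or None if there is none."""
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_segment):
        raise ValueError("bad data offset")
    opts = tcp_segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of option list
            break
        if kind == 1:                                 # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == 2 and length == 4:                 # MSS option: kind 2, length 4, 16-bit value
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def effective_mss(tcp_segment, configured_mss):
    """Corrected behaviour: the lower of the peer's MSS and the configured MSS wins.

    The pre-8.70.00 bug described above used configured_mss unconditionally.
    """
    peer = tcp_option_mss(tcp_segment)
    if peer is None:
        peer = DEFAULT_MSS
    return min(peer, configured_mss)


def build_syn(mss=None):
    """Constructed SYN header (sample input, not captured traffic), optionally with an MSS option."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    header_len = 20 + len(opts)
    hdr = struct.pack("!HHIIBBHHH",
                      40000, 22,                      # source / destination port
                      1, 0,                           # sequence / acknowledgement numbers
                      (header_len // 4) << 4,         # data offset (in 32-bit words) << 4
                      0x02,                           # flags: SYN
                      8192, 0, 0)                     # window, checksum, urgent pointer
    return hdr + opts
```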

    IPsec: CorePlus hangs when an IPsec tunnel is removed under certain circumstances.
        Problem: A dead-lock occurs under some circumstances when an IPsec tunnel is removed.
    This can happen when for example an IPsec tunnel is removed because a remote peer received a new IP address from a DHCP server or the IPsec tunnel is reconfigured manually.
        Results: The Security Gateway hangs and becomes unresponsive until CorePlus reboots the system.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.70.00

    Impossible to configure the use of UDP source port 0.
        Problem: The Security Gateway incorrectly assumes that UDP source port 0 is not allowed, causing problems with some UDP packets that are missing the source port information and hence specify 0 as source port.
        Results: The Security Gateway incorrectly applies the action configured under Advanced Settings/Misc/Port0 to UDP packets with a source port set to 0. This will cause all such packets to be dropped.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.70.00
        Note: A new setting (Advanced Settings/Misc/UDPSrcPort0) has been added to make it possible to specify the action for these packets. By default the setting is DropLog. The old setting (Advanced Settings/Misc/port0) has been changed to exclude UDP packets with source port 0.

    DHCP Server incorrectly associates DHCP leases with MAC addresses instead of a client-provided identifier.
        Problem: The DHCP Server tracks clients by their MAC addresses, which causes problems if the same client (MAC address) requests more than one DHCP lease.
        Results: The security gateway won't be able to handle multiple DHCP leases from the same MAC address.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.70.00
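The lease-tracking problem above is a matter of what the server uses as the lease key. As an added illustration (not CorePlus code), the following lease table can be keyed either by MAC address only (the faulty behaviour) or by the client-provided identifier with the MAC as fallback (the corrected behaviour), so the difference is visible when one MAC requests several leases; the pool and client identifiers are constructed sample values.

```python
class DhcpLeaseTable:
    """Minimal lease allocator; the key choice is the whole point of the example."""

    def __init__(self, pool, track_by_client_id=True):
        self._free = list(pool)                    # addresses still available, in order
        self._leases = {}                          # lease key -> IP address
        self.track_by_client_id = track_by_client_id

    def _key(self, mac, client_id=None):
        # Corrected behaviour: prefer the client identifier (DHCP option 61) when one is sent;
        # faulty behaviour (track_by_client_id=False): always collapse to the MAC address.
        if self.track_by_client_id and client_id:
            return ("id", bytes(client_id))
        return ("mac", mac.lower())

    def offer(self, mac, client_id=None):
        """Return the IP for this client, reusing an existing lease or allocating a new one."""
        key = self._key(mac, client_id)
        if key in self._leases:
            return self._leases[key]               # renewal: same address as before
        if not self._free:
            return None                            # pool exhausted
        ip = self._free.pop(0)
        self._leases[key] = ip
        return ip

    def release(self, mac, client_id=None):
        ip = self._leases.pop(self._key(mac, client_id), None)
        if ip is not None:
            self._free.append(ip)
        return ip

    def lease_count(self):
        return len(self._leases)


def demo(track_by_client_id):
    table = DhcpLeaseTable(["10.0.0.10", "10.0.0.11", "10.0.0.12"], track_by_client_id)
    mac = "00:11:22:33:44:55"                      # one physical interface ...
    # ... asking for three leases with different client identifiers (constructed values),
    # e.g. a host and two virtual machines bridged through the same adapter.
    first = table.offer(mac, client_id=b"\x01" + bytes.fromhex("001122334455"))
    second = table.offer(mac, client_id=b"vm-guest-1")
    third = table.offer(mac, client_id=b"vm-guest-2")
    renew = table.offer(mac, client_id=b"vm-guest-1")
    return first, second, third, renew, table.lease_count()
```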

    PPTP server sometimes fails to send any traffic at all through a newly connected tunnel.
        Problem: When connecting from a PPTP client to the PPTP server in the Security Gateway it is sometimes not possible to communicate through the tunnel. Packets can only be sent from the client to the server, not from the server to the client.
        Results: The PPTP client might have to be reconnected to the PPTP server one or more times before packets can be sent in both directions through the tunnel.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.70.00

    The Dynamic Routing function logs the wrong metric on SG50 appliances.
        Problem: When a FWLog receiver is used in combination with an SG50 appliance, the wrong metric is logged for Dynamic Routing events.
        Results: A faulty metric will be logged in the FWLog receiver.
        Affects: Clavister Security Gateway SG50-series, CorePlus v8.60.02 and earlier
        Solution: Fixed in v8.70.00

    HA: Problem with OSPF and HA failover
        Problem: The self-originated Link State Acknowledgments (LSA) do not get their refresh timers updated correctly at HA failover.
        Results: An LSA can reach its maximum allowed age and be discarded resulting in some networks being unreachable.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.70.00

    HA: Problem with OSPF and area default stub summary
        Problem: The area default stub summary is only built once.
        Results: If the summary is flushed for some reason it will never be rebuilt, resulting in unreachable networks.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.70.00



     CorePlus Considerations                       
    HA: Transparent Mode won't work in HA mode
        Problem: There is no state synchronization for Transparent Mode and there is no loop avoidance.
        Results: Transparent Mode won't work in HA mode. There is no state synchronization and loop avoidance is not in place.

    HA: No state synchronization for ALGs
        Problem: No aspect of ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in a HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Problem: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 -- 120 second range.

    HA: No state synchronization for IDP signature scan states.
        Problem: No aspect of the IDP signature states is synchronized.
        Results: This means that there is a small chance that the IDP engine causes false negatives during an HA failover.