Clavister Security Gateway changes from v8.70.00 to v8.70.01

8.70.01 Release date: 2006-10-25 [ISO]

Please Note: If upgrading from versions prior to 8.70.00, the Clavister Loader MUST be upgraded before the Clavister CorePlus upgrade to version 8.70.01!

Contents of this document

Version 8.70.01 contains fixes to problems in CorePlus and FineTune. This document outlines problems fixed as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • Summary of changes and problems fixed in v8.70.01
  • Files installed by v8.70.01
  • How to upgrade earlier v8.0x releases to v8.70.01
  • How to upgrade v6.0x/v7.0x releases to v8.0x
  • HA upgrade procedure
  • Clavister FineTune: [Problems Fixed]
  • Clavister CorePlus: [Changes] [Problems Fixed] [Known Issues]

    For future reference: This document is stored in the "Docs" sub-folder of your Clavister FineTune installation folder.

    Change logs / release notes for earlier versions of Clavister Security Gateway are available in the release notes section of www.clavister.com/support.



     Summary of changes and problems fixed                       

    FineTune
      Problem fixed: The SPAM Web Content Filtering category is not configurable to be used in FineTune.

    CorePlus
      Change: Gratuitous ARPs will be sent after a route failover to notify surrounding systems
      Change: It is now possible to force a gratuitous ARP to be sent from the Security Gateway
      Change: The Security Gateway now tries to limit the impact of IP address collisions
      Problem fixed: Windows update does not work with Web Content Filtering enabled
      Problem fixed: Relayed DHCP packets can no longer pass through the gateway ruleset
      Problem fixed: DHCP Server/Relayer persistent leases don't work on the SG50 appliance
      Problem fixed: The L2TP server cannot handle multiple L2TP over IPSec clients that are located behind the same NAT gateway
      Problem fixed: IPSEC RSA-vulnerability
      Problem fixed: Web Content Filtering anomalies
      Problem fixed: Configuration restrictions for the IP-Pool regarding prefetch and maxfree are inverted
      Known problem: HA: Transparent Mode won't work in HA mode
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP
      Known problem: HA: No state synchronization for IDP signature scan states.



     Files installed by v8.70.01                       
    This is a list of files that are new to the v8.70.01 release. All paths are relative to your Clavister FineTune installation folder.
    » Cores/sgc-8.70.01-full.cfx
    This is the full version of CorePlus v8.70.01. Upload it to your existing Security Gateway, or create new boot media with it. It contains all available functionality.
    » Cores/sgc-8.70.01-sg50.cfx
    This is the v8.70.01 CorePlus for the SG50 appliance. Upload it to your existing Security Gateway. It contains all available functionality.
    » Cores/sgc-8.60.02-mini.cfx
    This is a version of v8.60.02 CorePlus with certain features removed. It is less than half the size of the full version. This version should be used if you would like to start the system on a floppy before copying it over to another media.

    » Docs/changes-8.70.00-to-8.70.01.html
    This document.
    » Docs/Clavister EULA.pdf
    The Clavister End User License Agreement.
    » Docs/Clavister_CorePlus_Admin_Guide_8_70.pdf
    The Clavister CorePlus administration guide for the v8.70.01 release.
    » Docs/Clavister_FineTune_Admin_Guide_8_70.pdf
    The Clavister FineTune administrators guide for the v8.70.01 release.
    » Docs/Clavister_Log_Reference_Guide_8_70.pdf
    The log reference guide for the v8.70.01 release.
    » Docs/SG50_Installation_Setup.pdf
    Installation and Setup guide for the SG50 series platform.
    » Docs/SG3100_Installation_Setup.pdf
    Installation and Setup guide for the SG3100 series platform.
    » Docs/SG4200_Installation_Setup.pdf
    Installation and Setup guide for the SG4200 series platform.
    » Docs/SG4400_Installation_Setup.pdf
    Installation and Setup guide for the SG4400 series platform.
    » FineTune.exe
    This is the v8.70.01 Clavister FineTune executable.
    » SNMP/Clavister-Traps.mib
    This is the Clavister v8.70.01 SNMP Traps MIB.
    » SNMP/Clavister-SMI.mib
    This is the Clavister v8.70.01 SNMP Structure of Management Information file.


     How to upgrade earlier v8.0x releases to v8.70.01                       

    Please Note: If upgrading from versions prior to 8.70.00, the Clavister Loader MUST be upgraded before the Clavister CorePlus upgrade to version 8.70.01!

    Upgrading a previous v8.x release to v8.70.01 is completely straightforward.
    First upload the new Clavister Loader, followed by the new CorePlus, "sgc-8.70.01-full.cfx" (or "sgc-8.70.01-sg50.cfx" for the SG50 Series), to your Security Gateway and restart it.


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.70.01.

    Simply upload the new CorePlus file to the Security Gateways in your cluster and make sure that the first upload and restart is successful before uploading to the second Security Gateway.

    We recommend beginning with the Security Gateway that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active Security Gateway ("Security Gateway A") and restart it.
    • Issue a 'reconfigure' on Security Gateway B to rapidly fail back to the now upgraded Security Gateway A. Make sure Security Gateway A functions properly.
    • Upload the core to Security Gateway B and restart it.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second Security Gateway untested, even though it most likely will work just as well as the first Security Gateway. If you want to specifically test the second Security Gateway, you can:
    1) cause two failovers manually,   or
    2) connect to it via e.g. the remote console just to make sure it's running,   or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive Security Gateway ("Security Gateway B") and restart it.
    • Issue a 'reconfigure' on Security Gateway A. This causes failover to Security Gateway B. Make sure Security Gateway B functions properly.
    • Upload the core to Security Gateway A and restart it.
    • Issue a 'reconfigure' on Security Gateway B to fall back to Security Gateway A. Make sure Security Gateway A functions properly.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Known Issues section. All other states are, as usual, fully synchronized and not affected in either procedure.

     FineTune Problems Fixed                       
    The SPAM Web Content Filtering category is not configurable to be used in FineTune.
        Problem: As FineTune is not aware of the SPAM category, it is impossible to allow sites within the SPAM category.
        Results: Sites that have been categorized in the SPAM category were never allowed by the Content Filtering service.
        Affects: Clavister CorePlus v8.70.00.
        Solution: Fixed in v8.70.01.



     CorePlus Changes                       
    Gratuitous ARPs will be sent after a route failover to notify surrounding systems
        Change: The Security Gateway sends gratuitous ARPs when a route fails in route failover.
        Note: The reason for this is to notify the surrounding systems about the route change. This behaviour can be controlled by the RFO_GratuitousARPOnFail advanced setting.

    It is now possible to force a gratuitous ARP to be sent from the Security Gateway
        Change: The ARP console command has been extended to support forced generation of gratuitous ARP messages.

    The Security Gateway now tries to limit the impact of IP address collisions
        Change: In order to minimize the impact of IP address collisions, the Security Gateway will send out a gratuitous ARP every time it hears a gratuitous ARP with the same IP from another system on the network. This will notify the other system that the IP address is already in use.
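
The collision handling described above, sketched as an added example; this is not CorePlus code. The function names, the sample MAC and IP values and the frame-level logic are assumptions made for illustration.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6

def build_gratuitous(mac: bytes, ip: bytes) -> bytes:
    """Broadcast ARP request whose sender IP equals its target IP."""
    eth = BROADCAST + mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac, ip, b"\x00" * 6, ip)
    return eth + arp

def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet II frame, or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def defend(frame: bytes, own_mac: bytes, own_ip: bytes):
    """Gratuitous ARP to send in answer to a colliding one, else None."""
    arp = parse_arp(frame)
    if arp is None or arp["spa"] != arp["tpa"]:
        return None          # not ARP, or not gratuitous
    if arp["spa"] != own_ip:
        return None          # announcement for some other address
    if arp["sha"] == own_mac:
        return None          # our own announcement looped back
    # Assumption: answer every time, as the release note states. Two systems
    # that both do this answer each other, so rate-limit in production.
    return build_gratuitous(own_mac, own_ip)

# Constructed sample values (documentation address range, made-up MACs).
OWN_MAC = bytes.fromhex("020000000001")
OTHER_MAC = bytes.fromhex("020000000002")
OWN_IP = bytes([192, 0, 2, 1])

if __name__ == "__main__":
    collision = build_gratuitous(OTHER_MAC, OWN_IP)
    reply = defend(collision, OWN_MAC, OWN_IP)
    print("defend:", reply.hex() if reply else None)
```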



     CorePlus Problems Fixed                       
    Windows update does not work with Web Content Filtering enabled
        Problem: Updating the Windows operating system via Windows Update does not work when Web Content Filtering is enabled.
        Results: The Windows Update feature will not work.
        Affects: Clavister CorePlus v8.70.00.
        Solution: Fixed in v8.70.01.

    Relayed DHCP packets can no longer pass through the gateway ruleset
        Problem: DHCP packets that the DHCP relayer does not handle cannot be passed through the ruleset.
        Results: These DHCP packets will be dropped.
        Affects: Clavister CorePlus v8.70.00.
        Solution: Fixed in v8.70.01.

    DHCP Server/Relayer persistent leases don't work on the SG50 appliance
        Problem: The DHCP server and relayer cannot store information about leases on the SG50 appliance in a persistent manner.
        Results: If the SG50 appliance is rebooted, the lease information will be lost.
        Affects: Clavister CorePlus v8.60.02 and v8.70.00.
        Solution: Fixed in v8.70.01.

    The L2TP server cannot handle multiple L2TP over IPSec clients that are located behind the same NAT gateway
        Problem: The L2TP server cannot handle incoming L2TP client requests sent over IPSec if the clients are located behind the same NAT gateway.
        Results: Only one of the clients can be connected to the L2TP server at the same time.
        Affects: Clavister CorePlus v8.50.00 and up.
        Solution: Fixed in v8.70.01.

    IPSEC RSA-vulnerability
        Problem: The IPSec engine is vulnerable as described in http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
        Results: An attacker may potentially use this vulnerability to their advantage.
        Affects: Clavister CorePlus v8.60.00 and up.
        Solution: Fixed in v8.70.01.

    Web Content Filtering anomalies
        Problem: The Web Content Filtering URL cache does not work as intended when multiple HTTP-ALGs are used.
        Results: Websites may not be blocked or unblocked as per configuration.
        Affects: Clavister CorePlus v8.70.00.
        Solution: Fixed in v8.70.01.

    Configuration restrictions for the IP-Pool regarding prefetch and maxfree are inverted
        Problem: The IP-Pool configuration settings regarding prefetch and maxfree values are interpreted in a reverse manner in CorePlus.
        Results: The prefetch and maxfree settings will not be interpreted by CorePlus as intended when configured.
        Affects: Clavister CorePlus v8.70.00.
        Solution: Fixed in v8.70.01.



     CorePlus Known Issues                       
    HA: Transparent Mode won't work in HA mode
        Problem: There is no state synchronization for Transparent Mode and there is no loop avoidance.
        Results: Transparent Mode won't work in HA mode. There is no state synchronization and loop avoidance is not in place.

    HA: No state synchronization for ALGs
        Problem: No aspect of ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in an HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Problem: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 to 120 second range.

    HA: No state synchronization for IDP signature scan states.
        Problem: No aspect of the IDP signature states is synchronized.
        Results: This means that there is a small chance that the IDP engine causes false negatives during an HA failover.