Clavister Security Gateway changes from v8.70.02 to v8.70.03

8.70.03 Release date: 2007-01-24 [ISO]

Please Note: If upgrading from versions prior to 8.70.00, the Clavister Loader MUST be upgraded before Clavister CorePlus!

Contents of this document

Version 8.70.03 contains fixes to problems in CorePlus and FineTune. This document outlines problems fixed as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • Summary of changes and problems fixed in v8.70.03
  • Files installed by v8.70.03
  • How to upgrade earlier v8.0x releases to v8.70.03
  • How to upgrade v6.0x/v7.0x releases to v8.0x
  • HA upgrade procedure
  • Clavister FineTune: [Problems Fixed]
  • Clavister CorePlus: [Problems Fixed] [Known Issues]
  • Installations: [Problems Fixed]

    For future reference: This document is stored in the "Docs" sub-folder of your Clavister FineTune installation folder.

    Change logs / release notes for earlier versions of Clavister Security Gateway are available in the release notes section of www.clavister.com/support.



     Summary of changes and problems fixed                       

    FineTune
      Problem fixed: HTTP ALG root directory on HA
      Problem fixed: Usage-tab problem.
      Problem fixed: Multicast configuration

    CorePlus
      Problem fixed: HA heartbeats are not sent often enough if many interfaces are configured.
      Problem fixed: HA synchronization on SG50 appliances.
      Problem fixed: IPsec and DNS.
      Problem fixed: BUFF CLI command and SG50 appliance.
      Problem fixed: DHCPServer on SG50 appliances.
      Problem fixed: Crypto-accelerator on the SG4200 and SG4400 series appliances.
      Problem fixed: Pattern-matching on security gateways with more than 128MB memory.
      Known problem: HA: Transparent Mode won't work in HA mode
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP, PPTP and IPsec.
      Known problem: HA: No state synchronization for IDP signature scan states.



     Files installed by v8.70.03                       
    This is a list of files that are new to the v8.70.03 release. All paths are relative to your Clavister FineTune installation folder.
    » Cores/sgc-8.70.03-full.cfx
    This is the full version of CorePlus v8.70.03. Upload it to your existing Security Gateway, or create new boot media with it. It contains all available functionality.
    » Cores/sgc-8.70.03-sg50.cfx
    This is the v8.70.03 CorePlus for the SG50 appliance. Upload it to your existing Security Gateway. It contains all available functionality.
    » Cores/sgc-8.70.03-mini.cfx
    This is a version of v8.70.03 CorePlus with certain features removed. It is less than half the size of the full version. Use this version if you would like to start the system from a floppy before copying it over to another medium.

    » Docs/changes-8.70.02-to-8.70.03.html
    This document.
    » Docs/Clavister EULA.pdf
    The Clavister End User License Agreement.
    » Docs/Clavister_CorePlus_Admin_Guide_8_70.pdf
    The Clavister CorePlus administration guide for the v8.70.03 release.
    » Docs/Clavister_FineTune_Admin_Guide_8_70.pdf
    The Clavister FineTune administration guide for the v8.70.03 release.
    » Docs/Clavister_Log_Reference_Guide_8_70.pdf
    The log reference guide for the v8.70.03 release.
    » Docs/SG50_Installation_Setup.pdf
    Installation and Setup guide for the SG50 series platform.
    » Docs/SG3100_Installation_Setup.pdf
    Installation and Setup guide for the SG3100 series platform.
    » Docs/SG4200_Installation_Setup.pdf
    Installation and Setup guide for the SG4200 series platform.
    » Docs/SG4400_Installation_Setup.pdf
    Installation and Setup guide for the SG4400 series platform.
    » Docs/SG5500_Installation_Setup.pdf
    Installation and Setup guide for the SG5500 series platform.
    » FineTune.exe
    This is the v8.70.03 Clavister FineTune executable.
    » SNMP/Clavister-Traps.mib
    This is the Clavister v8.70.03 SNMP Traps MIB.
    » SNMP/Clavister-SMI.mib
    This is the Clavister v8.70.03 SNMP SMI file.


     How to upgrade earlier v8.0x releases to v8.70.03                       

    Please Note: If upgrading from versions prior to 8.70.00, the Clavister Loader MUST be upgraded before Clavister CorePlus!

    Upgrading a previous v8.x release to v8.70.03 is completely straightforward.
    First upload the new Clavister Loader, followed by the new CorePlus, "sgc-8.70.03-full.cfx" (or "sgc-8.70.03-sg50.cfx" for the SG50 Series), to your Security Gateway and restart it.


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note for upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.70.03.

    Simply upload the new CorePlus file to the Security Gateways in your cluster and make sure that the first upload and restart is successful before uploading to the second Security Gateway.

    We recommend beginning with the Security Gateway that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active Security Gateway ("Security Gateway A") and restart it.
    • Issue a 'reconfigure' on Security Gateway B to rapidly fail back to the now upgraded Security Gateway A. Make sure Security Gateway A functions properly.
    • Upload the core to Security Gateway B and restart it.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second Security Gateway untested, even though it most likely will work just as well as the first Security Gateway. If you want to specifically test the second Security Gateway, you can:
    1) cause two failovers manually, or
    2) connect to it via e.g. the remote console just to make sure it's running, or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive Security Gateway ("Security Gateway B") and restart it.
    • Issue a 'reconfigure' on Security Gateway A. This causes failover to Security Gateway B. Make sure Security Gateway B functions properly.
    • Upload the core to Security Gateway A and restart it.
    • Issue a 'reconfigure' on Security Gateway B to fail back to Security Gateway A. Make sure Security Gateway A functions properly.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Known Issues section. All other states are, as usual, fully synchronized and not affected in either procedure.


     Installations Problems Fixed                       
    The mini core is too big to fit on a floppy.
        Problem: The previous version of the mini core is too big to fit on a floppy.
        Results: An earlier mini core version must be used to be able to transfer the system to a floppy disk.
        Affects: Clavister CorePlus v8.70.00.
        Solution: Fixed in v8.70.03.



     FineTune Problems Fixed                       
    HTTP ALG root directory on HA
        Problem: Unable to configure the "HTTP ALG Webpages" setting in a High Availability scenario.
        Affects: Clavister CorePlus v8.70.02.
        Solution: Fixed in v8.70.03.

    Usage-tab problem.
        Problem: Removing an item that is currently showing on a Usage-tab can cause FineTune to misbehave.
        Affects: Clavister CorePlus v8.70.02.
        Solution: Fixed in v8.70.03.

    Multicast configuration
        Problem: A minor problem with the multicast configuration parser caused excessive memory to be used.
        Affects: Clavister CorePlus v8.70.02.
        Solution: Fixed in v8.70.03.



     CorePlus Problems Fixed                       
    HA heartbeats are not sent often enough if many interfaces are configured.
        Problem: On security gateways with many configured interfaces, HA cluster heartbeats are not sent often enough on each interface, which could result in an unstable system if there are connection problems between the gateways.
        Affects: Clavister CorePlus v8.70.02.
        Solution: Fixed in v8.70.03.

    HA synchronization on SG50 appliances.
        Problem: HA synchronization of IPsec tunnel information did not work correctly on SG50 appliances, leading to problems renegotiating tunnels after an HA hand-over.
        Affects: Clavister CorePlus v8.70.00, v8.70.01 and v8.70.02.
        Solution: Fixed in Clavister CorePlus v8.70.03.

    IPsec and DNS.
        Problem: A problem with the DNS functionality caused problems when used together with an IPsec tunnel.
        Affects: Clavister CorePlus v8.60.03 and v8.70.02.
        Solution: Fixed in Clavister CorePlus v8.70.03.

    BUFF CLI command and SG50 appliance.
        Problem: A problem with the BUFF CLI command prevented it from showing the correct information on an SG50 appliance.
        Affects: Clavister CorePlus v8.60.04 and v8.70.02.
        Solution: Fixed in Clavister CorePlus v8.70.03.

    DHCPServer on SG50 appliances.
        Problem: A problem with the DHCPServer can cause the SG50 appliance to malfunction under some circumstances.
        Affects: Clavister CorePlus v8.70.02.
        Solution: Fixed in Clavister CorePlus v8.70.03.

    Crypto-accelerator on the SG4200 and SG4400 series appliances.
        Problem: A problem with the crypto-accelerator can cause the SG4200 and SG4400 appliance series to malfunction under some rare circumstances.
        Affects: Clavister CorePlus v8.60.04 and v8.70.02.
        Solution: Fixed in Clavister CorePlus v8.70.03.

    Pattern-matching on security gateways with more than 128MB memory.
        Problem: A problem with the pattern-matching engine could cause some patterns to be missed on security gateways with more than 128MB of memory.
        Affects: Clavister CorePlus v8.70.02.
        Solution: Fixed in Clavister CorePlus v8.70.03.



     CorePlus Known Issues                       
    HA: Transparent Mode won't work in HA mode
        Problem: There is no state synchronization for Transparent Mode and there is no loop avoidance.
        Results: Transparent Mode won't work in HA mode. There is no state synchronization and loop avoidance is not in place.

    HA: No state synchronization for ALGs
        Problem: No aspect of ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in an HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP, PPTP and IPsec.
        Problem: There is no state synchronization for L2TP, PPTP and IPsec tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30-120 second range.

    HA: No state synchronization for IDP signature scan states.
        Problem: No aspects of the IDP signature states are synchronized.
        Results: This means that there is a small chance that the IDP engine causes false negatives during an HA failover.