NETASQ multi-function firewall version 9

Transcription

1 NETASQ multi-function firewall version 9 Upgrade Lowest version required: 8.1 Hardware compatibility: U, NG and VM ranges Lowest H.A version required: / (H.A will be disrupted during the upgrade) NOTE Version 9 is not compatible with products in the F range. WARNING Version 9 Before performing any upgrade, you are strongly advised to read the chapter on known issues carefully. WARNING Version 8 During the upgrade, the configuration will not be fully converted. Please refer to the document Migrating from v8 to v9 for further information. Highlights Features covered New configuration interface Filter policy High availability Operating system Proxy Intrusion prevention Level of modification Major Major Major Major Major Major

2 Version Resolved vulnerabilities Bug fixes Known issues Features Resolved vulnerabilities Bug fixes Bug fixes Resolved vulnerabilities Bug fixes Bug fixes Features Resolved vulnerabilities Bug fixes Resolved vulnerabilities Bug fixes Resolved vulnerabilities Bug fixes Features Resolved vulnerabilities Bug fixes Bug fixes Features Bug fixes Resolved vulnerabilities Bug fixes Features Resolved vulnerabilities Bug fixes Features Bug fixes Explanations on usage 2

3 Resolved vulnerabilities System XSS security flaw Support reference A validation flaw within the authentication portal, (plain.html), could potentially be exploited by a XSS (cross-site scripting) type of attack during an authenticated log-in with an username and password (LDAP, RADIUS or Kerberos) Bug fixes Intrusion prevention Fragmentation Support reference A summary control calculation error, (checksum) TCP, occurred specifically during a protocol IP fragmentation (Impose MTU limit), that raised the alarm; Wrong TCP Checksum. The verification process is now working properly.. System Active Update Support reference In case a Firewall IPS (contextual protection signatures) database has never been updated example no internet connection the following problem occurred. After a version update, access to the Alarms module provoked a disconnection to the administration interface. This irregularity is now fixed. Network Interfaces Support reference A firewall connection via the web administration interface, HTTTPS, passing through a Modem or a Vlan interface, no longer prevents the modifications to the configuration of the Interfaces module. Proxies Proxy HTTP Support reference The reload of the filtering policy no longer causes the loss of connections passing through the specific HTTP proxy. 3

4 NAT Support reference When the HTTP proxy is configured globally to apply the translation out address (Keep original source IP address option), the dynamic NAT allocation port range are not released properly at the end of the connections, with time refuses of new connections. This bug is now fixed. Web administration interface Antivirus Support reference If the Kapersky antivirus was not subscribed, the antivirus setting for ClamAV was not available. This problem is now solved. Known issues Intrusion prevention SSL scan Support references When packets are lost on an SSL connection, the firewall stores packets while waiting for unreceived packets to be re-sent. This causes traffic to slow down. A possible workaround is to disable the SSL scan or to declare the filter rule in firewall mode. System Logs Logs of traffic scanned by an implicit proxy do not indicate the right outgoing IP address, i.e., the translated address. IPsec VPN Support reference IPSec VPN tunnels cannot be switched by links on which load balancing has been enabled. Support reference Quality of Service (QoS) preferences and routing type (Policy Based Routing) are not taken into account during IPSec data encryption. These data applied to plaintext traffic are not sent to the encrypted traffic (ESP traffic). 4

5 Network Routing Support reference Load balancing does not function if the high availability link option has been disabled. Dynamic objects Network objects with automatic (dynamic) DNS resolution, for which the DNS server offers round-robin load balancing, cause the configuration of modules to be reloaded only if the current address is no longer present in responses Features Intrusion prevention Asymmetrical routing Support reference In Firewall mode, TCP sessions with asymmetrical routing (only traffic in one direction passes through the firewall) can now be tracked with the following restrictions: - The packet that initiates the connection (SYN) has to pass through the firewall, - The analysis of TCP sequence numbers will be disabled. Kaspersky scan Support reference Detection of the protocol dedicated to Kaspersky antivirus services has been added. The new plugin dedicated to this traffic (kaspersky_ksn) makes it possible to avoid raising Desynchronization state for TCP traffic (dead stalled 2) alarms during the SSL scan. IPsec VPN Support reference The mechanism that protects against replays on encrypted traffic can now be configured in CLI. The size of the window, 32 packets by default, can be stretched to "2040" (in steps of 8). IPSec VPN policies now allow editing their configurations in Global mode. To enable the option, select Display global policies in the Preferences screen. Note that there is no specific privilege for "vpn_global". Web administration interface The administration interface is now available in Chinese. 5

6 9.0.5 Resolved vulnerabilities DHCP CVE , CVE Several anomalies that could cause the DHCP server to suddenly shut down and two memory leaks have been resolved (in particular CVE , CVE ) Bug fixes Intrusion prevention Filtering Support reference If the SIP application protocol scan is selected for this rule, filtering will now be correctly applied regardless of the destination port(s) specified. Application inspection Support reference Application inspection (Antivirus, Antispam, URL filtering, etc.) is no longer applicable in non-tcp filter rules. An error message appears in the checking window when the rule is being edited. DHCP relay Support reference In the case of a DHCP relay passing through a bridge, the source of the IP address request is now correctly relayed to the DHCP server, via the option "Circuit-ID" (82) on DHCP. The DHCP server must also support the option Circuit-ID (RFC3046). Support references Implicit rules that allow access to the authentication portal, SSL VPN and the administration interface have been enhanced. This allows in particular avoiding redundancies in the rules that are generated. Support references In the case of rules that block a type of application protocol that does not specify a port, some connections that should not have been affected by this filter were deleted when the filter policy was being reloaded. This issue has since been fixed. Support references When a 6 th object is added to a filter rule in the administration interface, a message will clearly suggest creating a group to contain the selected objects. 6

7 Support reference Migrations from an 8 version to a 9 version are no longer blocked by the following factors: - A filter rule with log as its only action, - Some filter rules with a routing or load balancing option (Qos), - An object name used by NAT containing a special character. For the migration of a global filter configuration without rules in version 8, the delegation rule "deleg from any to any" is no longer systematically added. During the scan by protocol plugins, the DSCP field relating to quality of service (TOS) was not rewritten in the packets modified or inserted by the ASQ engine. This flaw has been fixed. As MSDN s download application AKAMAI requires the use of partial downloads (range), the URL *.msdn.microsoft.com/* has been added by default to the group that bypasses the proxy s antivirus scan (antivirus_bypass). Cookies from certain sites exceeding 4 KB caused a memory buffer overflow and repeatedly generated alarms. The maximum size of the cookie was increased on the internet profile to 8 KB. Support references Some browsers do not correctly encode the URLs of certain sites, which may raise the alarm "Invalid HTTP protocol (8bit in request)". To avoid having to disable this alarm (and to lower the level of protection on the HTTP plugin), a specific alarm has been added for the scan of URL encoding (id 256=" The URL contains some non ASCII characters"). System Active Update Support reference Host headers in HTTP requests sent by the Active Update service now use the FQDN instead of the IP address of servers. Objects Support reference Objects beginning with the prefix "global" can now be created. The prefix "global_" however, remains reserved. 7

8 CLI In CLI, invalid syntax in the parameter of the command SYSTEM TIMEZONE SET would log off the user. An error message is now sent. DHCP The DHCP relay service did not shut down correctly when the service was disabled. This flaw has been fixed. 3G modem Support reference The configuration of the modem requires a number to be dialed even if the client s service provider does not provide it. This field is now filled in by default with the value "*99#". Support references On 1 GB and 100 GB network interfaces on firewalls in the NG range or the S models in the U Series, certain specific fragmented packets arriving on a VLAN interface could cause the appliance to freeze. This issue has since been fixed. Network objects Support reference Following the replacement of RFC 3330 with RFC 5735, the group of network objects predefined for the RFC 3330 has been updated and a new group for RFC 5735 has been added. PKI Support reference To configure a secure connection (SSL/TLS) to an external LDAP server, CA certificates can now be selected. Support reference Users whose certificates have been deleted could not be deleted from the LDAP base. This anomaly has been fixed. Support reference The RADIUS authentication method is now available for RADIUS servers with IP addresses between x.x.x.224 and x.x.x.239 inclusive. 8

9 Proxies SMTP proxy Support reference It is now possible to disable the line size restriction for the scanning of messages by the SMTP proxy. The default limit of 1000 characters (RFC2821) may be stretched to 2048 characters. Deleting the limit allows scanning messages with lines exceeding 2048 characters. WARNING The SMTP protocol analysis also complies with a limitation of 4kb per line. In instances, when non-standards and more powerful SMTP connections lines are used, it is mandatory to disable the connection analysis. To do this, select the TCP (IP protocol) for the impacted connections in the Filter policy. It is not recommended to disable the global SMTP analysis. HTTP proxy Support reference HTTP headers that contain invalid characters caused the HTTP proxy to cancel connections. Unencoded characters are now supported. Support reference The HTTP Connect method enabled without a connection port (connectport) specified could cause the proxy to freeze. In this case, the port dedicated to HTTPS traffic will be systematically assigned. Support reference The proxy service (tproxyd) could restart while processing a malformed response. The parameter block partial downloads is correctly applied, regardless of the order of the HTTP headers. Corrections have been made to memory leaks in the proxy service linked to the SSL, HTTP, FTP and POP3 protocols. SSL VPN Support reference Access via SSL to a remote firewall could sometimes potentially block authentication to the administration interface. This problem has been solved. 9

10 Network Routing Support reference If a dynamic object is used as test equipment on a gateway, changing its IP address no longer causes the network configuration to be reloaded. Support reference For certain specific needs, it is now possible to define a gateway with an IP address that is not in the interface s address range. A warning message will still be sent to the administrator. Support reference When router IDs configured for load balancing are changed, the current connection table is now correctly updated. The connections no longer freeze in these exceptional cases. Interfaces Support reference Bridges can now be created with a VLAN via the administration interface without getting blocked. The wizards for adding bridges, VLANs or modems now check that the name of the object is not already in use in the web objects database. It is now possible to add several IP addresses (alias) in the same address range on an interface. Authentication Support reference Certificates renewed by users on the authentication portal are now correctly published in the LDAP base. Support reference A problem with the display of enrolment forms on certain browsers has been fixed. Support reference An explicit error message warns the administrator that in order to publish a user certificate in the LDAP directory, the associated user has to be registered in the same database. High availability A resource leak in the HA communication service (Corosync) has been fixed. Support reference

11 Support references The Maintenance module now displays all information on the active and passive firewalls. Some information may be missing (N/A), especially on high-end products. The CLI command HA INFO is no longer relayed as an error in logs. Support reference High availability clusters without backup partitions can now be upgraded correctly. When upgrading an appliance with a backup partition, the option Save the active partition on the backup partition before upgrading the firewall will be inaccessible. Filtering Support reference Filtering with a destination port criterion different from a port range now operates correctly. Authentication Support reference Rules generated by the wizard for creating authentication rules now have the option IPSec VPN tunnel enabled in the advanced properties of the source. This therefore allows a remote user to be redirected via an IPSec tunnel to the authentication portal. Support reference A redirection rule to the authentication portal filtered on a port group (web_srv, for example) instead of only on the HTTP port, now functions correctly. Support reference For rules originating from the explicit HTTP proxy, filtering cannot be applied on the destination interface as the received connection is going towards the firewall. During evaluation, the outgoing interface is not known. The destination interface can therefore no longer be specified on traffic coming from the explicit HTTP proxy. An error message will appear in the policy s checking window. Support reference34053 Access to the authentication portal was blocked for all users due to access via an SSL VPN tunnel configured with an invalid server. This anomaly has been fixed. Support reference When using an ICAP server, certain HTTP requests could be blocked with an error Request too long. This issue has been fixed. 1

12 In version , reloading a filter policy would shut down active connections from filter rules that performed redirections, routing by policy or load balancing. This flaw has been fixed. Support reference A global policy can now be disabled by a button on the right side of the settings bar. The administration interface is now accessible with Internet Explorer 10. SSL inspection rule The wizard offered a default destination ssl port that is invalid. The pre-defined value is now "ssl_srv". NAT Support reference Static NAT rules (bimap) that define a virtual IP address now function correctly for ICMP traffic. SSL VPN SSL proxy Support references Two former authorities renewed by VeriSign (Root CA Class3 G5 - Root CA Cert Class 3) have been added to the list of public certificate authorities. IPsec VPN Support reference Implicit rules are now generated for the configuration of IPSec VPN tunnels in global mode, as is the case for local mode. These rules make it possible to authorize ISAKMP negotiations and encrypted traffic (ESP). Support reference In the installation wizard of a site-to-site tunnel, the selection of all as a local traffic endpoint is correctly validated. Support reference When enabling tunnels, a network of an interface without IP address is now ignored as a local traffic endpoint. This allows avoiding problems with activating the IPSec configuration in this case. 1

13 PPTP VPN MPPE option Support reference The stateless MPPE option is now enabled by default. This feature is required in particular for a PPTP tunnel to function with Apple devices. It can nonetheless be disabled in CLI. Web administration interface Connection Support references Opening sessions on the administration portal could sometimes generate error messages and require the service to be rebooted. This anomaly has since been fixed. Dashboard Support reference The License component on the dashboard displays the various expiry dates of the license. In the case of high availability, the information column for the local firewall now displays dates for the passive firewall. Interface Support reference Editing an element in the configuration of a 3G modem no longer generates an error. Objects Support reference When editing an object, a MAC address saved in the clipboard can be pasted using the drop-down menu that appears by right-clicking. Certificates Support references The effective validity limit of a CRL of a maximum of 365 days is now correctly entered. Authentication Support reference The fields for sending files are correctly displayed in Internet Explorer 8 / 9 and in Chrome. The authentication portal can now be customized from these browser versions. Support reference34729 When migrating from a lower version, the configuration of a customized logo on the authentication portal would generate an error. This flaw has been fixed. Implicit rules Support references The title of the implicit rule allowing access to the web administration interface has been modified. It no longer indicates port 443 and the protected interfaces as the implicit rules are generated on the port defined in the configuration and on all interfaces. 1

14 Global Administration Support reference In the French version, during the deployment of objects to other firewalls, the option for including generated objects belonging to groups has been correctly translated. Support reference The link to the NETASQ Real Time Monitor application from the administration interface is now back to working order. Support reference The deployment of configurations or policies to firewalls in version 8.2 is now taken into account. Real Time Monitor Support reference The size of the graphs' x-axis (Interfaces, Quality of Service, etc.) is automatically adjusted when the window is resized. Support reference Interface colors correspond to those selected by the administrator in the administration portal. Support reference The display of connections for a host now references all connections relating to it and more particularly to connections initiated by it. Support references The memory percentage displayed in the dashboard corresponds to the memory used by protected hosts and no longer the memory used by all hosts. 1

15 Bug fixes Intrusion prevention Support reference In firewall inspection mode, the interface associated with a host will systematically be associated with the last receiving interface, even if IP address spoofing has been detected. Support references During an inspection in IDS mode, raising a TCP alarm on a desynchronized connection (rewriting of data by the plugin) could cause the plugin to resend packets too many times. This may create an overload on the appliance if the problem arises on several connections simultaneously. System HTTP Proxy Support references Reloading the filter policy may cause some of the proxy s outgoing connections to be lost, especially since some of them may no longer correspond to the new rules. This situation arose when a source interface was specified. This issue has since been resolved. FTP Proxy Support reference If the antivirus inspection was enabled on FTP, certain FTP downloads could cause the appliance to freeze. This flaw has been fixed. SNMP Agent Support reference Querying the SNMP agent (only authorized by access that has been configured) on elements not included in NETASQ MIB tables no longer causes the agent to reboot. NAT Support references For the translation of a connection s source, the source port is now selected by a systematic rotation in the allocated range (round-robin). Previously, the firewall would systematically select the first free port, which could lead to the premature reuse of a port that the server has not yet released. In the case of policy-based routing (PBR) and traffic translation, reloading the filter policy could cause connections concerned with this configuration to be shut down. This anomaly has been fixed. Support reference If a Connection limit has been defined in a filter rule, translated traffic exceeding this limit could potentially cause the firewall to reboot. This anomaly has been fixed. 1

16 Resolved vulnerabilities DHCP CVE , CVE Several anomalies that could cause the DHCP server to suddenly shut down and two memory leaks have been resolved (in particular CVE , CVE ). NOTE The DHCP server can only be contacted from a protected interface. It cannot be reached from a public interface Bug fixes Migrating from V8 to V9 Proxy configuration Support reference Modifying a proxy configuration with NETASQ Unified Manager V8 no longer causes migration to fail. This issue, which arises from the addition of quotation marks when the proxy configuration in version 8 is changed, has been fixed. Filtering Support reference In a few particular cases, some rules were not correctly migrated and prevented the policy from being enabled after migration. Rules combining the following options are affected: - A QID specified in the Quality of Service or the Log action enabled, - An ASQ configuration with a profile specified or one of the options Do not attach plugin / No contextual signatures selected. This flaw has been fixed. Intrusion prevention TCP scan TCP connections exceeding 2 GB, which resynchronize during the transfer, could be blocked then shut down. The following alarm would appear each time the packet is resent, beyond the first two GB sent: Desynchronization state for TCP traffic (ACK before window). SSL scan A problem in the SSL scan that could potentially cause the firewall to reboot unexpectedly has been fixed. 1

17 SIP scan Support reference A problem in the SIP scan on TCP that could potentially cause the firewall to freeze has been fixed. System Proxy and authentication Support reference As traffic to the firewall can no longer be redirected to the authentication portal, authentication on a rule to the explicit http proxy was not applied. This issue will be fixed in this version. DNS cache proxy Support reference The exceptional use of the transparent mode (DNS cache proxy) that intercepts all DNS requests sent by authorized clients now functions correctly for clients that use the firewall as a DNS server. Authentication The use of a Microsoft Active Directory and the LDAP method in realbind mode no longer allowed authentication without a password. The firewall accepted the authorization of Microsoft AD authentication servers, as these servers consider this type of authentication as an anonymous user. This anomaly has since been fixed. NAT Support reference When several routing gateways are used with the load balancing option by source address, the address translation is now carried out correctly. This is because connections of secondary links used the outgoing IP address associated with the link used and no longer the IP address of the primary link. H323 support Support reference In an H323 session with address translation, the translation was not applied on all dynamically-opened data flows. 1

18 Bug fixes Intrusion prevention For filter policies with routing (action) and load balancing enabled on TCP/UDP connections (Protocols and applications), the reassessment of connections when the filter policy is reloaded no longer gives rise to a potential reboot of the firewall. This problem only occurred with connections that were not translated by a NAT rule (nonat) which kept the traffic's original IP addresses (source and/or destination) Features Migrating from V8 to V9 The process of migrating from version 8 to version 9 has been enhanced. Most of the modules now keep their configuration settings as well as their statuses. The migration of a network configuration allows in particular keeping the settings of your interfaces. Your network objects and your user database (LDAP) are also kept during upgrades. To perform this upgrade and to get the full list of modules that will be kept, please refer to the NETASQ document Migration from V8 to V9. Proxy Translation on scanned traffic By default, outgoing traffic scanned by an implicit proxy obtains the outgoing interface address of the firewall. In a NAT policy where the option Apply the NAT rule on scanned traffic has been selected, address translation will be applied on such traffic after the proxy scan. This option can be enabled in the global configuration of HTTP, SMTP, POP3 and SSL protocols, and thus applies to all inspection profiles. This option is not applied for translation on the destination. NOTE This feature does not function in certain particular configurations of the FTP traffic scan. 1

19 Certificates Intermediate certificate authorities (CA) of GlobalSign and StartCom have been added to the list of trusted authorities for SSL scans. Network objects The following services have been embedded in the network objects database: ldap udp ldap_udp 389/udp Active Directory LDAP GC ldap-gc 3268/tcp Active Directory LDAP GC SSL ldap-gcssl 3269/tcp Active Directory 2003 dynamic ports ad2003-dyn_tcp 1025:5000/any Active Directory 2008 dynamic ports ad2008-dyn_tcp 49152:65535/any Active Directory File Replication microsoft-dfs 5722/tcp Active Directory DS Web Services microsoft-adsoap 9389/tcp madcap protocol madcap 2535/udp The ActiveDirectory2003 and ActiveDirectory2008 service groups have also been added to the Objects database. Intrusion prevention Microsoft NetBIOS DGM scan As the DGM protocol scan may under certain conditions cause the appliance to hang, the scan has been temporarily disabled in this version and in the factory settings. NAT Automatic entry of interfaces in NAT rules To prevent the creation of rules with action fields that are too wide, the rule table and rule creation wizard now automatically select the interface to which the rule applies. - Creating a dynamic rule with a translated port (Dynamic PAT) During the selection of a source to translate, the wizard selects as the destination interface, the interface corresponding to the network of this source after translation. - Redirect NAT rule In a standard rule, the choice of a translated destination automatically defines the source interface with the interface corresponding to the network of the destination before the translation of the rule. - Creating a static NAT rule (bimap) During the selection of the virtual IP address, the corresponding interface will be automatically selected and will be used as the source interface for the redirection rule and as the destination interface for rewrite rules from the source (Dynamic PAT). 1

20 Captive portal Bulgarian The captive portal is now available in Bulgarian. Web administration interface Authentication The advanced properties of the captive portal allow you to customize the authentication interface. You can now select an image to display in the captive portal s header and import a new style sheet in css, which will override the portal s graphics. Real-Time Monitor Address book The Real-Time Monitor s address book replaces the feature that was present in the Manager view in NETASQ Unified Manager. Address books in Manager (.gap) format can also be imported from the monitor Resolved vulnerabilities Upgrade to ClamAV version The ClamAV engine is not enabled in the default configuration on NETASQ firewalls. If this feature is used, you are advised to upgrade it. This new version enhances the behavior of the ClamAV antivirus engine against possible attempts to evade the antivirus scan Bug fixes Intrusion prevention SSL scan Support references For users connected with writing privileges, the configuration window of the SSL plugin is now accessible again (Application protection > Protocols and applications menu). DNS scan Support reference The alarm 53 - DNS query mismatch is no longer generated during updates of DNS zones with servers that do not send checksums. This check is now disabled and no longer causes the transfer of DNS zone updates to be blocked. 2

21 HTTP scan Support reference The alarm Invalid HTTP protocol no longer blocks HTTP connections with headers containing more than one space between the HTTP character string and the announced version. Unidirectional UDP connection timeout Support references UDP pseudo-connections with information that is transmitted in only one direction, now no longer expire after 2 minutes of activity. This limit did not affect RTP and RTCP connections opened via SIP, MGCP and H323 scans. Translation of SIP communications Support reference The SIP scan now allows correctly translating traffic by modifying the contact field in the body of SIP requests. SIP request lifetime parameters Support references 33654, When a call control server sent expiry information about the communication in a timeframe longer than the default lifetime of an SIP request, the firewall no longer accepted the response that allowed the SIP communication to be correctly shut down. The lifetime of SIP sessions, set to 60 seconds by default, can be adjusted from 10s to 3600s, by modifying the configuration file using NETASQ commands in the serverd CLI. SMTP: protection from brute force attacks Support reference Similarly to the FTP scan, a counter keeps count of the number of authentication failures within the same connection. If the limit is reached, an alarm will be raised and the connection will be interrupted. SYN proxy protection Support reference Enabling SYN-Proxy protection may sometimes cause high latency in TCP connections. During the setup of connections, acknowledgment packets were generated with a wrong sequence number. System Support reference The process of updating the DNS registry, which allows keeping a directory of updated dynamic IP addresses (of dynamic objects or objects which receive an IP address issued by an ISP), is now conducted correctly in HTTPS. Support reference Logs sent by syslog, using load balancing by connection, are correctly sent to the dedicated server. 2

22 Network Support references Updating the configuration of an interface on which a large volume of traffic passes may in rare cases cause the firewall to suddenly shut down. This problem has since been resolved. Firewall name The name of the firewall can now contain the special characters. and -. Improvement to SSH protocol security The encryption mode AES-256-CBC has been disabled to give way to AES-256-CTR. Users A user attached to several departments, for example, may now belong to more groups. Previously limited to 20, the maximum number is now 50 groups per user. Authentication Support reference In the case of a user already authenticated on a workstation, another user attempting to authenticate on the same workstation will now receive an explicit error message. Since two users cannot authenticate with the same IP address, the message will indicate that another user is already connected. Support reference In the case of an authentication by Kerberos without the cookie mode and with a login in uppercase letters, user logout was impossible. This anomaly has been fixed. Support reference The customization settings of the captive portal are now migrated when the firmware is upgraded. High availability Upgrade of the HA communication service (Corosync 1.4.3) As the HA stability issues that appeared in and have been fixed, the HA communication service has been integrated again into its most recent version. This removes the notifications regarding the unexpected loss of HA links and the incomplete information on the status of HA. Modification of the default values of HA availability tests To prevent the possible loss of links that could cause firewalls to switch, the total duration of tests on the HA communication service (Corosync) previously set to 1 second, has been raised to 5 seconds. This new setting has also been applied to the default configuration. 2

23 JavaScript scan In the event High availability is used, the JavaScript scan on the default inspection profile (01) applied to outgoing traffic has been disabled during the upgrade of the firmware. If the total duration of tests on the HA communication service was 1 second, the load induced by this JavaScript scan could cause unexpected switches. This setting is also available in the default configuration. Time synchronization The reliability of the algorithm that ensures the synchronization of time between the active and passive firewalls has been enhanced. The time lag is no longer calculated on the timestamps of packets from the HA link, but is indicated through a dedicated message. This makes it possible to stop depending on network latencies and to avoid lags that could cause unexpected time changes on the passive firewall. Support reference A NAT rule that was too generic, without a specified outgoing interface for example, could translate traffic on the link that allowed firewalls to communicate. An implicit rule is now generated in order to prevent the translation of this traffic. Support reference Synchronizing a firewall cluster now keeps the name of a firewall that has been renamed in the configuration window. Filtering SSL filtering Support reference If the first parameter of an SSL filter rule is the action Block without decrypting, the block page would only appear during the first request, that is, when the IP address of the server was not yet in the SSL scan s cache. Subsequently, the site would be blocked but without displaying a block page. This anomaly has been fixed. SSL decryption Support reference A substitute certificate, based on the header of the original certificate, is generated by the SSL proxy to reformulate encrypted requests. However, this process was blocked if the login of the certificate (CN) contained characters encoded in UTF-8. This issue has since been fixed. Certificate checks have been completed by a test of the validity of the certificate type. This option allows, for example, authorizing traffic when the type of certificate presented does not comply. It is available in the Proxy tab of the SSL Protocol module. 2

24 NAT ARP publication Support references When a bidirectional translation rule is edited, the ARP publication option is now assigned to the original destination (traffic before translation), whose IP address is indeed published, and no longer to the translated destination. HTTP proxy ICAP Reqmod method During the scan of a POST request in HTTP version 1.0 by the ICAP reqmod method, the proxy no longer returns the error "HTTP/ new requests are rejected". ICAP Respmod method obsolete The scan all data mode (Response Mode) has become obsolete from this version onwards and can no longer be configured. IPsec VPN Support reference The IPSec VPN configuration is correctly updated after the dynamic or manual modification of a peer s or tunnel endpoint s IP address. Support references In the list of peers, any object that followed a peer with any as the value of the remote gateway had this same value displayed. The configuration of this remote gateway is precisely indicated. In the Encryption profiles tab, under the option Create a profile, Phase 2 profiles now offer the correct list of encryption algorithms. SSL VPN Support reference Rewriting pages containing hash tables written in JavaScript no longer generate errors. Web administration interface Support reference The page for connecting to the management interface sometimes returned an error message, due to information missing from the firewall s management interface, mainly for the administration of virtual firewalls or firewalls administered by a dialup. This page can now be correctly accessed. 2

25 Support reference If an administrator other than the admin account user connects to the web administration interface in read-only mode, he will now be able to access the link allowing him to obtain writing privileges. Dashboard Support reference The Network component on the dashboard displays the correct data format for incoming and outgoing throughput values. This value is expressed in Kilobits /seconds and not in Kilobytes. In Internet Explorer 9, moving dashboard components would tamper with the occupation of columns. This anomaly has been fixed. Interfaces Support reference Changes to the parent interface of a modem via the management interface are now correctly applied in the firewall s configuration. Routing Support reference In the advanced properties of a default gateway (router), the removal of an appliance dedicated to availability tests is now effective. Support reference In the Routing module, when a Destination network workstation of a static route is edited, only an IP address, and no longer the network mask, is now offered. Filtering and NAT Support reference In a Filter and NAT policy containing several pages and positioned on a page other than the first, searches were conducted only on the current page. In order to perform searches on the whole policy, searches were returned to the first page of rules. In Internet Explorer 7, if a rule contains a user and a host in the source column, both objects no longer overlapped in the display. (Only in the French version) The SSL inspection rule creation wizard displays all instead of any in the drop-down menu of the interfaces to refer to any interface. If All is selected, the command no longer fails. Similarly to objects and application inspections, interfaces can be deleted by clicking on the red cross that appears when scrolling over the cell with the mouse. Antispam Support reference Updating the antispam s blacklisted domains no longer disables the status of RBL servers in the antispam module s advanced properties. 2

26 SNMP agent A message informs the user that in order to enable the SNMPv3 module, a user name (securityname) and an authentication password must be defined to access alerts sent to the SNMP server. Optimizing the use of the browser s cache Resources used by the web administration interface in the browser are now correctly cached. For U70 firewalls in version only and with a factory (temporary) license, seven Ethernet interfaces were detected instead of six. This issue, which appears only before the permanent license is imported, has since been fixed Resolved vulnerabilities System XSS security flaw A flaw within the authentication portal could potentially be exploited by an XSS (crosssite scripting) type of attack during a redirection (302) on the authentication portal on certain browsers Bug fixes Intrusion prevention Support references The retransmission of packets, sometimes necessary in order to guarantee that a scan is performed, could sometimes cause memory corruption, which occurred at various levels in the TCP/IP stack or in the Layer 7 protocol (example: HTTP). This issue has been resolved. IDS inspection Support reference If certain protocol scans (plugins) are disabled in a policy and the security inspection is in IDS or firewall mode, this would cause the firewall to reboot in certain particular cases. This malfunction has been fixed. 2

27 Proxies For traffic decrypted by the SSL proxy, if data to be sent was not quickly released from memory on the connection interface (socket), the connection would be considered an error and will be shut down. These particular cases are now correctly managed. High availability ICMP monitoring Support reference When a passive firewall could not be contacted, the active firewall s ping would significantly increase the consumption of the memory allocated for ICMP tracking. This could generate "Possible attack on resources (ICMP)" alarms and cause the firewall to block ICMP traffic. Prolonging the duration of the test after 3 attempts would fix this memory overload. Configuration Support reference Adding a second link to an existing high availability cluster is now possible again. The inability to add this link occurred only in versions and Instability of the high availability module Support references In version 9.0.3, members of a high availability cluster (HA) may encounter instability that causes an excessive load on the active firewall (stated). This situation may cause the communication link to be lost between members of the cluster (conflict of the "active" status). This anomaly has since been resolved. Nonetheless, please refer to the chapter on Known Issues to find out about incidents observed in high availability Resolved vulnerabilities System OpenSSL CVE A vulnerability in the OpenSSL library (reading of DER/ASN.1 files) that could potentially be exploited when SCEP requests or corrupted certificates are imported on a malicious server has been fixed. Net-SNMP CVE A vulnerability that could cause a denial of service attack in the SNMP agent has been resolved. This vulnerability required prior access to MIBs in read-only mode. 2

28 Bug fixes Intrusion prevention Filtering, NAT and IPSEC Support reference Reloading a filter policy could delete connections in IPSec tunnels, if these connections had been covered by a NAT rule. This operation now takes place normally. Syn-Proxy protection Support reference Enabling SYN-Proxy protection could duplicate SYN packets and impose an unnecessary load on the server. As the function does not take into consideration packets re-sent by the client, this decreased its efficiency. This issue has been fixed. TCP connection Support references The loss of an acknowledgment packet in a TCP connection could block transmission. The connection s de-synchronization function now allows it to be re-sent. Generic NAT (filtering) Support reference Resetting the parameter LockTimeout could cause the ASQ engine to freeze and lead to Watchdog being rebooted if it has been enabled on the appliance. This advanced parameter was used in versions earlier than to alleviate the lack of stateful management of GRE/PPTP connections. SMTP analysis Support references The SMTP protocol scan has been moderated in order to allow carrying on with a transaction without having to shut down the connection in case authentication fails or an error using the code 421 is returned. MSN analysis Possible failure of the ASQ engine when loading connections associated with communications sent by the Microsoft Live Messenger (MSN) application. System Support references When the IP address of a dynamic object changes, the ARP cache table would automatically be purged and MAC addresses would be republished. This would cause possible disruptions if a dynamic object frequently changed its address resolution. Proxies The maximum number of connections to proxies from the same host was automatically reduced to 50% of the proxies capacities. This limit has been adjusted to 90% in order to allow better performance when a series of proxies is used. 2

29 IPsec VPN Support reference When a new policy is being loaded while an encryption policy optimization search (SPD cache) is being used, the encryption of certain packets would be deterred. Furthermore, this feature could no longer be disabled in the encryption policy. This issue has since been resolved. Web administration interface Support references The link for downloading a file from the administration interface would sometimes fail to display, depending on the browser s resolution and zoom intensity. This mainly affected the backup and certificate download functions. High availability Support reference The initial synchronization of the ASQ engine s status between members of a HA cluster could fail if it contained too much information. This feature has been enhanced to avoid this failure Features System Automatic license upgrade In preparation for the imminent expiry of a large number of licenses, a feature has been added to the firewall s startup process. For licenses that are to expire on May 12 th, 2012, the firewall will automatically attempt to upgrade this license on NETASQ s servers (licencex.netasq.com). Please be reminded that this expiry concerns all licenses, whether it involves an additional paid option or not. Upon their expiry, features on modules of the firewall that are subject to these licenses will stop operating. WARNING If the high availability option is used, the automatic download of the license is only possible for starting up the ACTIVE firewall and therefore excludes rebooting the passive firewall after an upgrade, for example. NOTE In the event the automatic upgrade fails, you are highly advised to perform this operation manually. You can download a renewed license from your client area and insert it via the License module or perform a search for the new license in the same module. 2

30 PKI SCEP The Firewall can now request a certificate signature from an external PKI (public key infrastructure) via the SCEP protocol. This feature is only available in the CLI. Filtering and NAT Filtering The filter policy allows setting a new limit on application requests and no longer only on TCP and UDP connections. The maximum number of application requests is calculated per second and concerns HTTP and DNS protocols. This allows restricting the occurrence of denial of service attacks on these protocols. This option can be accessed in the Quality of Service tab in the action column of the Filter module. NAT Users can now choose the hash by connection (source port + source IP address) as a load balancing method in their NAT rules. This allows connections from one source to the same server to be distributed according to the source port and source IP address. Installation wizard Enhancement of the initial installation wizard, with the possibility of configuring a Microsoft Active Directory. Intrusion prevention The Protocol and applications module offers a new parameter for HTTP scans. It is now possible to restrict the number of data ranges requested in the client request. SSL Proxy Certificate checks are now more complete with the addition of a validity test on the name of the certificate. This option allows for example, allowing traffic when the name of the certificate presented does not comply with the FQDN format. It can be accessed in the Proxy tab in the SSL Protocol module. Hardware USB keyboards are now supported. Web administration interface The administration interface is now available in Hungarian. 3

31 Global Administration Administration mode on a NETASQ firewall in "Firewall Manager mode" has been removed since the web administration interface is now available. Global Administration" mode remains the ideal tool for easily managing certain administration actions over a group of NETASQ products from a central point. Real Time Monitor In the Hosts screen, the Connections tab now displays a Source interface and Destination interface column Resolved vulnerabilities System DHCP CVE , CVE , CVE Several vulnerabilities that could cause a denial of service attack on the DHCP server have been resolved Bug fixes Intrusion prevention SMTP plugin Support reference The SMTP session is no longer reinitialized now when clients respond to HELO commands after EHLO commands sent back by the server. Support reference A potential problem that could arise when rereading a filter configuration containing a rule that imposed a specific routing method (Policy Based Rule - PBR) to an uncontactable router, has been fixed. Support reference The Firewall s memory could be corrupted if users who are members of more than 20 groups authenticated. This problem has been fixed. Alarms Reactions of protocol alarms (send an , quarantine) would systematically use the configuration of the inspection profile "(0) Config. This anomaly has been fixed. Support reference Writing of all logs could be interrupted when a module that generates logs shut down unexpectedly. This process now runs correctly. 3

32 Support reference Implicit rules are now always generated without the options log, count, route, qos, rate, proto http and tos. Support reference When the firmware is upgraded from version 8 to version 9, the port group "ssl_srv" is added to the configuration. This makes it possible to avoid causing errors with the SSL inspection rule that was created with the installation wizard. Support reference The validity of a network object s mask is now correctly checked when it is created. Support references Changes to IP addresses of dynamically resolved objects are now correctly applied to active policies. Support reference New licenses can now be installed, even if the current license is unreadable (corrupted file, expired license, etc). Support reference During a migration from version 8 to version 9, the migration of the external LDAP s configuration is correctly carried out. An issue that could generate corrupted configuration backups has been fixed. Support reference PKI Support reference The automatic update of an imported certificate authority s revocation list is now correctly programmed when a distribution point (CRLDP) is configured. Proxies When a proxy is shut down, active connections are stopped immediately, thereby fully releasing session information. Explicit HTTP proxy Support reference During authentication, the use of a user name containing uppercase letters no longer creates authentication in loop. Support reference When the name of the Firewall is changed, the address that redirects to the authentication portal is correctly updated. Support reference In version 9.0.2, the use of redirection rules to a proxy could cause errors. This problem has been fixed. 3

33 SSL proxy In the firewall s Administration module, if access to the firewall s administration pages has been allowed for "any", enabling the SSL proxy could prevent access to the web administration interface. This problem has been fixed. A possible SSL proxy memory leak has been fixed. Support reference Support reference The joint use of a voluminous personalized URL group and the Optenet database could prevent any web browsing. This anomaly has been fixed. Requests sent with an unknown method no longer cause the proxy to reboot. Support reference Filtering and NAT The following rules are no longer allowed in policies: - Address translation via the SSL proxy in a filter rule. - A decryption rule with one of the firewall s interface as its destination. Support reference NAT Support reference A anomaly that could prevent traceroute or any similar tool from operating through the firewall has been fixed. Routing Support reference Some IP addresses used in checking groups from a gateway could be truncated when they are used. Users Support reference The last member of a user group can now be deleted via the web administration interface. High availability Support reference When a VLAN interface is used for High availability, the VLAN s MAC address is now reset to the original value (hardware) of the parent interface in order to avoid a conflict of MAC addresses on the High availability link. Support reference The IP address of the High availability cluster is correctly updated when the High availability wizard is launched a second time. 3

34 Support reference The synchronization of Firewalls in High availability could generate warning messages. This problem has been fixed. Support references The problem of High availability freezing when the kernel has a heavy load has been resolved. Support reference Updating the passive firewalls after the active firewall no longer generates an error. IPsec VPN Support reference The configuration of two VPN policies with the same traffic endpoint, in which one of the policies uses config mode, no longer causes unexpected reboots. Support reference During an authentication by server certificate, the system will no longer look up the user via his address in the LDAP base. Support reference If a backup peer is removed from a configuration while it is in use, a switch to the main peer will be correctly applied when the configuration is reactivated. Support reference During the negotiation of an IPsec VPN tunnel, with the Authentication option "authenticate directly on the directory with the user account, an error would occur. Users who authenticate in Hybrid or "Certificate and Xauth" mode, and via an external LDAP account or a Microsoft Active Directory account, would receive an error when checking their identities. This problem has been fixed. SSL VPN Support reference Some special HTML-encoded characters used in a URL could cause the rewriting of the Javascript to fail. Sending voluminous HTTP (POST) requests may sometimes be slowed down. Support reference Support reference Lotus Domino Web Access version now runs through SSL VPN tunnels, without having to enable the compatibility option, which has been deleted since it has become redundant. 3

35 Support reference Changes to the captive portal s listening port are now applied correctly to SSL VPN. Installation wizard The deployment of the configuration via the initial installation wizard has been simplified when the client workstation is in DHCP. It is no longer necessary to configure a static IP address on this workstation during the step Updating network parameter. Web administration interface Support reference Some download extensions installed in the browser end up corrupting the file to be downloaded. A warning message now informs the user of this incompatibility before proceeding to download. Dashboard Support reference In the Network component, the information bubble that appears when the mouse is moved over the interfaces mentioned the TCP statistics in the section Network packets twice. The second entry, which sets out information on UPD statistics, is now correctly displayed. Objects Support reference During the creation of NAT or filter rules, object names may now contain up to 256 characters instead of 64 in earlier versions. Support reference Changing the name of an IP address range object no longer generates error messages. Maintenance Support references In High availability, if a user wishes to update both firewalls, this update will be sent to both firewalls but will only be applied to the remote firewall. A confirmation message will now inform the user of this action and describe the procedure for updating the active firewall. Network Interface names may contain more special characters including / and -. Support reference Routing Support reference When dynamic routing (ZebOS) is enabled, an error message will indicate that a backup gateway cannot be configured. Dynamic DNS Support reference The status of the Dynamic DNS profile can now be reinitialized using the "Reinitialize" button via the web administration interface s configuration module. 3

36 Filtering and NAT - IPsec VPN Support reference When two separators are created in a table, when the color of the second separator is changed, it would adopt the color of the first separator. This anomaly has been fixed. Filtering and NAT Support reference When an ICMP rule is dragged and dropped and a message type is selected, the message will be retrieved in the target field. Support reference When a global object is added to a filter rule, the application no longer returns an error message. This did not occur if the user entered the prefix "Global_" or if the object was dragged and dropped. Support reference On MacOS and under Firefox, the filter table correctly displays rule numbers that have more than two digits. IPsec VPN Support reference The error message that appears when the object <ANY> is chosen as a local endpoint in combination with config mode is now more explicit. PPTP Support reference Logins can now be entered in uppercase letters. Certificates The 'downloads' menu now allows exporting certificate revocation lists (CRL). Support reference Global Administration Support references A system reboot command was executed after a license upgrade was downloaded. This reboot is no longer systematically launched. Support reference For appliances in versions or of the firmware and higher, a restoration of the whole configuration (administrative tasks) was immediately activated if no reboots were necessary. For earlier versions, any full restoration would require a reboot. For all versions, the option "Reboot if necessary" has to be enabled in order to apply a restoration that would require rebooting. nsrpc Support reference User passwords containing the character "@" are now correctly interpreted by the nsrpc.exe executables on Windows platforms and nsrpc in Linux. 3

37 Bug fixes Intrusion prevention The Javascript scans on certain web pages no longer caused unexpected reboots. Support reference A potential problem in the Netbios-DGM traffic scan has been fixed. Support reference Filtering and NAT NAT Support reference Address translation on IP protocols (like GRE) without status tracking could sometimes cause a reboot. This type of translation now runs correctly. High availability Support reference In the High Availability module and in advanced configuration, when two firewalls have the same status, changing the active firewall no longer causes an error message. This situation also arose during the synchronization of the configuration after changes have been made to Network or High Availability settings. Support reference On NG-series modules, if the Network configuration had been modified, the High Availability feature could become unstable. Proxies Support reference In version 9.0.2, using redirection rules to a proxy could cause errors. This problem has been fixed. 3

38 9.0.2 Features Filtering and NAT Non TCP/UDP protocols The status of IP connections can now be tracked for protocols other than TCP, UDP or ICMP. For example, connection status tracking (stateful mode) can be enabled for the GRE protocol, which is used in PPTP tunnels. Thanks to this tracking tool, the source (map), destination (redirection) or both (bimap) can be translated. However, it will be impossible to differentiate 2 connections that share the same source and destination addresses. In concrete terms, this means that when the firewall translates a source N -> 1 (map), only one simultaneous connection to a PPTP server can be made. Connection status tracking on IP protocols can be enabled in the protocol column in the relevant filter rule. NAT An option has been added so that an ARP publication can be specified when a filter rule with a NAT operation is used on the destination. Intrusion prevention SSL scan Detection of THC-SSL-DOS attacks with the addition of a maximum number of renegotiation attempts within the same TLS session. HTTP scan Protection from the denial of service attack CVE has been added, based on the hijack of partial HTTP downloads (Partial-content / Ranges) in order to cause the excessive consumption of Apache memory resources. The maximum number of partial download ranges has been set to 200 by default for the incoming profile (00), which protects servers, and 1024 for the outgoing profile (01). Installation wizard The initial installation wizard has been enhanced, with the possibility of defining a simple security policy. In order to use this wizard, the firewall has to be in its default configuration. It can be reached at the URL: IPsec VPN For mobile users, a DNS server can now be defined and areas in which this server is used can be specified. These indications are indispensable, for example, in the event an Apple mobile client is used (iphone, ipad). This feature is tied up with the config mode, and is not used by all VPN clients on the market. 3

39 Authentication for sending alerts A login and password can be defined for sending via the firewall (Menu Notifications > alerts ). System SNMP can now be configured so that the name of the firewall instead of its serial number is used for SysName. Real Time Monitor The latest VPN and SYSTEM events can be viewed on firewalls that have no hard disk. A window containing additional information on the 3G link has been added Bug fixes Intrusion prevention The alarm 134 that is generated every time a telephone in SIP sends ACK messages will no longer be raised unexpectedly. The scan of the option utimeout has been added to the TFTP protocol inspection. Implicit PPTP rules are now correctly inserted when the PPTP server is enabled. Support references User groups containing spaces in the filter policy can now be used again. Support reference Support references The default values for the Buffer Overflow alarm in HTTP inspection have been increased. Support reference FTP inspection rules containing a specific gateway (PBR) are now correctly routed in the case of data connections initiated by the firewall (passive FTP). 3

40 Support references The SMTP scan will no longer shut down the connection if a RSET command is sent before the MAIL FROM command. Support reference The source IP address used by the HTTP proxy in rules that define a specific routing gateway (PBR) is now correct with regards to the interface on which the router is located. Support reference The TCP alarm for out-of-sequence packets ( outside window ) will not be raised for a TCP keepalive packet containing 1 byte. Support references An error that could cause the system to unexpectedly reboot has been fixed in the SIP scan if it has been associated via a filter rule in firewall mode. The list of default ports is now applied with the inclusion of the last element. Support reference NAT NAT can be performed on TFTP when the source port is translated. Support reference Support reference NAT connections will no longer be interrupted during the reinitialization of a configuration containing rules with the fields from or to in user groups, or with the operator NOT. Network Routing by bounce on the same interface of a bridge with an alias has been fixed. Support reference Static routes can now be added on an IPSec interface. Support reference

41 High availability The stability of an internal high availability process (corosync) has been enhanced. Support reference Support reference Errors occurring when members of a cluster do not have the same software versions (firmware) have been corrected. Support reference A member of a cluster can be forced to be the active firewall, even if members of the group have differing firmware versions. Support reference Disabled network interfaces no longer appear in the high availability quality calculations. Vulnerability management (NETASQ Vulnerability Manager) Support reference Information concerning unmonitored hosts when using the explicit proxy will no longer be displayed. Proxies Support reference The firewall now uses the correct IP address for outgoing packets when they use the proxy and PBR at the same time. The CONNECT method in HTTPS using the explicit proxy has been fixed. Support reference Problems with downloads passing through the FTP proxy have been fixed. Support reference Support reference Users will now be entered in web logs when they use the explicit proxy and the option several users per IP address. An error relating to the explicit HTTP proxy has been fixed. Support reference

42 Support reference Trusted CAs have been added to the SSL proxy for GlobalSign and Verisign. System Support reference The authentication portal no longer needs to be rebooted when changes are made to the SSL VPN user access policy. UTF-8 characters are allowed for the authentication of LDAP users. Support reference Support reference In the authentication portal, the link to the web administration interface will take into account the port if it is not 443/TCP. Support reference Rules for accessing the web administration interface are kept when the software version (firmware) is upgraded. The list of time zones has been updated. Support reference Support reference When no IPSec interface has been defined in the network configuration file, some configuration modules may not be accessible. Support reference The Accept-Encoding empty fields in HTTP requests are now accepted on the captive portal (sld). Support reference The problem arising during the partial restoration of configurations of the categories IPS Protection and Web objects has been fixed. 4

43 IPsec Support reference In the event packets are lost, those corresponding to the Config Mode will be sent in order to prevent negotiation failures. Support reference Only the first three DNSs configured in Config Mode will be taken into account from now on. Support references AES256 support with regards to hardware acceleration in the NG series has been corrected. Web administration interface Dashboard The License widget has been enhanced to offer a view by expiry date. Routing With version 9, a default routing gateway has to be entered in order to allow intrusion prevention (ASQ) to send packets correctly when it desynchronizes connections. Filtering A Collapse/Expand button has been added for filter rules. Support reference The logo of version 9 is now systematically displayed when you authenticate in read only mode. Support reference Users DNs can now be displayed, allowing a proper display for the Mac OS X LDAP server. Support reference You will no longer be asked to delete the active URL database when you select the existing URL database. 4

44 Support reference When a user does not have writing privileges, he can neither group his filter rules nor extend his VPN. Support reference The numbers of DH and Modp groups will be displayed for Diffie-Hellman groups in the IPSec configuration. Support references Renaming an interface causes the name of objects to be changed in the whole configuration. The option Keep initial routing can be defined on a bridge. Support reference Refresh the list of peers configured in Phase 2 of creation with the peer None. Support reference Support reference The registration of the DynDNS server in the associated profile no longer needs to be imposed if it has not been explicitly selected. Support reference A trusted CA can be added to the configuration when you use the IPSec installation wizard. Support reference All hosts in a selected rule will be added when the filter suggests creating a group. The characters '_' are allowed in the domain name for the LDAP installation wizard. Support reference Support reference Configuring an IPSec peer has been made easy with fields being completed during entry. Global Administration Support reference A new option has been added to avoid deleting objects generated from groups when they are deployed on firewalls. 4

45 Support reference An authentication error that could arise when you attempt to connect simultaneously to several firewalls has been fixed. A potential error that arises when locking/unlocking a session has been corrected. Support reference Real Time Monitor A decryption error in the address book has been fixed. Support reference QoS counters are displayed in the right order. Support reference After a DHCP request, anonymous/ will no longer appear in the Host section. Support reference In the logs section, Seismo has been replaced with Vulnerability Manager. Support reference A problem with the display of graphs has been fixed. Support reference Reporter Connection to firewalls with the admin password allowed by default. Support reference

46 Resolved vulnerabilities System CVE The error relating to OpenLDAP has been fixed. Upgrade of ClamAV to version Bug fixes Intrusion prevention An error that may arise when using load balancing and the IPSec VPN together has been fixed. Netbios CIFS A false positive triggered by implementation of SMB OSX Lion has been fixed. NAT Support references An error that may arise within the kernel after the expiry of a NAT session has been fixed. TCP sessions no longer get lost when NAT rules are reloaded. Support references System Support reference The network configuration would not reload correctly when a bridge was missing from the configuration but referenced by an interface. Support reference An error that may arise during the configuration of a dynamic DNS client has been fixed. An issue with the rotation of filter logs (l_filter) has been fixed. Support reference Cryptography A problem with RC4 encryption (ARCFOUR) on models and NG-1000 and NG-5000 has been fixed. It could impact the authentication module, the SSL proxy and SSL VPN. 4

47 9.0.1 Features New configuration interface The web interface is now compatible with Internet Explorer 9 and is available in Polish. Many screens have changed and a wizard for the initial installation has been added in order to simplify the launch of your firewall s configuration. Objects DNS A DNS resolution tool has been added to Objects: when an object is added/modified, a window appears. If the URL of an object is entered in the field Object name and if you click on the magnifying glass icon, you will obtain the IP address of the object, which can be seen in the IP address field. Focus When you go to the Objects tab in the menu directory on the left, the focus is now directly on the search field. Alarms An instant search field has been added to both views of the module, in order to more easily filter profiles and contexts without having to press Enter. Dashboard The Alarms section in the dashboard contains a new button that allows you to Clear screen, or in other words, erase information logs. The Hardware section sets out information on the current HA version and in the event a disk is faulty or missing, it will display a warning alarm in the RAID option. Cisco WAN A new alarm has been added to detect Cisco WAN Optimizer traffic. The alarm blocks this traffic by default, but it can be allowed (tcpudp: 247). WARNING Once this traffic is allowed, this type of traffic will not go through protocol scans. Filtering and NAT Filter and NAT rules can now be moved by dragging and dropping. If you click quickly 10 times on the Up button, you will see that the rule moves up but the waiting window will only appear when you leave the button for 2 or 3 seconds. And at the end, only a single command will be executed. NOTE Rules can be moved more much fluidly as such. 4

48 Users When a user is deleted, the administrator will be prompted to revoke his certificate. HTTP A parameter has been added in order to allow certain HTTP headers to ignore buffer overflow protections to avoid false positives with headers that are particularly long. By default, only Proxy-Authorization will be on this list. The parameter AllowOverflow (HTTP profile) can be configured in the CLI. NAT policy Source address translation manages stateless IP protocols (GRE) but with the following restriction: If two clients go through the same firewall, they will not be able to connect to the same server at the same time. NETASQ S intrusion prevention engine will block packets received by the second client. After 5 minutes, the intrusion prevention engine will deem the session too old and will allow the second client to take over. System 3G USB An external 3G modem can now be connected to the USB port and can be configured in the Interfaces menu. Dynamic routing Major upgrade of dynamic routing modules (ZebOS version ). IPv6 Routing of IPV6 packets is now supported by NETASQ multi-function firewall. This option is disabled by default and can only be configured in the CLI. Kaspersky Major upgrade of the Kaspersky antivirus engine. This engine adds a complementary heuristic analysis. CRL You can now add CRLDP (CRL distribution points) for CAs imported via the GUI. SSL authentication The subject field of the certificate that will be used in searching for a user in the LDAP can be modified. The LDAP field used for the search can also be modified. The address is used by default in both cases. These parameters can be set in the CLI. 4

49 VLAN The appliance no longer needs to be systematically rebooted whenever a VLAN is deleted. Intrusion prevention Protection methods have been added for the following SCADA protocols: dnp3 modbus realwin datahub netb genbroker (tcp) hicp (udp) QoS ACK and low delay packets are now treated with a higher default priority (in order to speed up the transfer of data through limited bandwidth). 4

50 9.0.1 Resolved vulnerabilities System CVE , CVE OpenSSL has been upgraded to version 1.0.0e. CVE , CVE Two flaws that could cause denial of service attacks in the DHCP server have been resolved. NOTE The DHCP server is not enabled in the default configuration. CVE ClamAV has been upgraded to version This version fixes the vulnerability CVE NOTE The ClamAV engine is not enabled in the default configuration SSL Proxy The certificates provided by the Dutch company DigiNotar have been compromised, and have therefore been deleted from the list of certificate authorities supported by the NETASQ SSL proxy Bug fixes System Web 2.0 The performance and stability of the Web 2.0 analysis engine have been enhanced. Filtering and NAT In certain configuration contexts, an expected reboot of the appliance could occur, following these modifications: - when the filter policy is reloaded - when the status of a filter rule is changed by a time object PKI The process of importing and deleting certificates has been enhanced. 5

51 General configuration Modem The addresses of DNS servers are correctly retrieved during the connection of a modem interface (predefined objects Firewall_ <dialup>_dnsx). Daemons Date changes are now better handled by daemons. License When a new license is available, the difference with the current license is now correctly displayed. Proxies SSL Proxy Several stability issues have been fixed. HTTPS sessions decrypted by the SSL proxy were systematically logged with as the client s IP address. The firewall will no longer send its own certificate to the server. Trusted authorities selected in the SSL authentication module are no longer considered trusted by the SSL proxy. HTTP Proxy A memory leak has been fixed. Partial downloads are now allowed. SMTP Proxy s that reach the maximum size for the antivirus scan are now correctly sent. FTP Proxy A potential reboot of the proxy when the connection limit is reached has been fixed. ClamAV The stability of proxies and the ClamAV antivirus has been enhanced. General points Load balancing Load balancing when proxies are enabled has been repaired. Support reference The configuration reset button was unable to react correctly on U30 and U70 models. Support reference Correction of a problem with the hardware acceleration of AES encryption on NG models, which could cause the corruption of packets in certain configurations. 5

52 Active Update Support reference Correct refreshment of the Active Update module when a new license is inserted. PPTP Support reference The characters _, -, and. are allowed for PPTP user names. SYSLOG Support reference The categorization for the sending of messages via Syslog has been corrected: kernel becomes user. Support reference The BindAddr parameter, which allows imposing the sending IP address for the Syslog module, is in working condition again. Antispam Support reference Correction of error messages that could appear during the configuration of antispam lists following a migration from version 8 to version 9. CRL Support reference The maximum lifetime of certificates has been increased to ten years. Authentication Links added to the authentication portal in version 9 have been translated into all the supported languages. Support reference The access control list (ACL) for access to the web interface is now correctly refreshed when an interface is updated in DHCP. Support reference ISO characters (including ) are allowed for administrator passwords. Support reference Multiple authentication with the same IP address is possible again on the explicit HTTP proxy. 5

53 SSL VPN SSO When the authentication duration expires or access to the SSL VPN is denied, the user will be redirected to the transparent authentication page (SSO) if this method is available. Support references The JavaScript parser has been rewritten in order to correct the restrictions of the former version with regards to rewriting web links. IPSec VPN The negotiation mode (main or aggressive), when it is imposed, is kept when the configuration of an IPSec peer is modified. X-auth X-auth mode without Mode-Config has been fixed. Failover The tunnel switching mechanism has been enhanced. Support reference The parameter cfg_domain has been added to the configuration of IPSec peers, so that it can distribute a domain name in Mode-Config. This parameter, which can be configured in the CLI, was necessary for iphone compatibility. Support reference IPSec negotiations with X-auth have been enhanced to be better supported on less reliable networks (slowness, loss of packets). Network Load balancing Load balancing is correctly applied on connections sent by the firewall. NAT/ Load balancing Types of load balancing other than connection hashing can now be selected with a range of destination ports. Support reference If a migration to version 9 is carried out from version 8, access to web management is allowed from any IP address so that users can reconnect remotely after the update. 5

54 Support reference The problem that arose during the reinitialization of all interfaces when modifications are made in the network screen has been fixed. Now only modified interfaces will be reconfigured. The FTP proxy in active mode is now better supported. Support reference High Availability The stability of HA has been enhanced. Switchover time An option has been added to reduce the time surrounding appliances take to take into account a switch in the cluster in bridge mode. If the option has been enabled, interfaces on the bridge will be reinitialized at the moment of the switch in order to force users connected to the firewall to renew their ARP tables. Synchronization The passive firewall in a HA cluster no longer needs to be rebooted when objects are synchronized. Support reference The upgrade of the passive firewall is no longer blocked when the versions of the firewalls are different. Intrusion prevention Certain TCP keepalive packets may be blocked by the TCP scan. Support reference Banners of FTP servers that contain line feeds are no longer blocked. Support reference The SSL scan s detection of unencrypted packets has been enhanced. Support reference The stability of HTML and JavaScript context scans has been fixed. Support reference Support reference Filter/NAT rules established with a port but without a defined protocol now only apply to TCP and UDP traffic. Support reference The alarm Invalid SMTP protocol (ClientInputWaitingBlankAuthLine) raised as an alarm and which can be raised by the command SMTP AUTH LOGIN has been fixed. 5

55 NAT A port range can be allowed for the destination in a NAT load balancing rule, unlike a port group. Support reference NAT rules can no longer affect the proper operation of HA and apply to the traffic between both firewalls of the same cluster. MTU An error that arose during the refreshment of the MTU in an IP profile has been fixed. Security policy Routing policy / Load balancing The ID of the router is now correctly restored when a connection is retrieved (after a HA switch or reboot of the firewall). SSL Some SSL sessions did not correctly shut down after the joint use of the SSL plugin and proxy. New configuration interface General configuration The web interface is now available in Polish. Information on the backup partition is now correctly displayed. A JavaScript error that appears during a request to reboot the firewall from the web interface has been fixed. The stability of network configuration screens has been enhanced. Support reference Support reference The characters * + and,- are no longer allowed in URLs (Internet Explorer 7 and 8). The quarantine duration of a host is displayed in minutes. Support reference Disabled interfaces will be displayed on the dashboard. Support reference

56 Support reference The selection of a certificate imported for the authentication portal has been fixed. A warning message will appear when an interface is renamed. Support reference NOTE Renaming an interface does not migrate references to it especially in configuration items that use generated objects such as "Network_in". Support reference The error message that appears during the creation of a load balancing configuration has been fixed. Security policy Support reference The management of colors during the creation of separators has been enhanced. Support reference A Javascript error that could arise in the explicit proxy configuration wizard has been fixed. Support reference none can be selected as a sender in the module Security policy \SMTP filtering. Support reference The error that appears on certain actions in the filter rules during dragging and dropping has been fixed. The value of the tooltip in the filter screen has been corrected. Support reference Support reference Objects will only be displayed in the menu directory upon connection in modules that have been deemed relevant. Filtering and NAT You can now copy and paste the separator from one location to another. The Down button has been repaired. An issue with the display of rules when the global filter policy is being edited has been fixed. 5

57 QoS The ability to select a default queue has been removed from the web configuration interface (but is still available on the CLI console). Indeed, this rule applies to all traffic, which is seldom the desired configuration. High availability The pop-up suggesting the synchronization of a cluster in read-only mode has been removed. Certificates/PKI The pop-up informing that a change has been made to the configuration (when this is not the case) has been removed. The JavaScript error that appears during the display of the CRL of a CA imported with its private key, has been fixed. Preferences Global objects are now correctly handled in the URLs in the SSL VPN module. SSL VPN A problem with the display of fields for entering pre-shared keys in Internet Explorer 7 has been fixed. IPSec VPN Support reference The pre-shared key confirmation field in the IPSec installation wizard, used with Internet Explorer 7, has been fixed. High availability Support reference The display of the firmware version on the secondary or backup partition has been fixed. Access to the HA screen is possible regardless of the module s status. Support reference

58 Access privileges Support reference A search field has been added to the tab Access policy. Unified Manager The pop-up announcing a disconnection has been fixed (the firewall name was missing). 5

59 9.0.0 Features New configuration interface Main points The new configuration interface on NETASQ multi-function firewalls is now accessible via a web browser and benefits from the latest breakthroughs in user-friendliness and ease of use. It is compatible with the following browsers: Internet Explorer 7, 8 Firefox 3.6 and + Compatibility with Internet Explorer 9 is in the process of being finalized. During the connection to the interface and to the various modules, the user will first have an overview of his product s configuration via the dashboard. By browsing through the modules, the basic settings will be directly accessible. The Advanced properties mode is collapsed for better readability. The dashboard The dashboard provides an overview of the information relating to the firewall s activity and its configuration. The following modules are displayed in different tables: Active Update; Alarms; Interfaces; License; Hardware; Properties; Resources; Network; Services; For example, the Licenses table displays the expiry dates of the various licenses currently valid on the firewall. User friendliness The web interface consists of 3 sections: