BorderWare Firewall Server 7.1. Release Notes

BorderWare Technologies is pleased to announce the release of version 7.1 of the BorderWare Firewall Server. This release includes the following new features and improvements.

New Features and Improvements

Operating System

- The operating system kernel has been updated to FreeBSD 4.7.

Alarms and SNMP

- Alarms now generate an SNMP trap.
- The SNMP community string has been changed from public to BTI. Note that an SNMPv1/v2c community string is a cleartext shared secret and does not authenticate the manager, so access to port 161 should still be restricted to your management hosts.

Proxy Server

- The proxy server has been upgraded to Squid 2.5.STABLE1.
- All logs can now be forwarded to a remote syslogd server.

Mail Server

- The SMTP mail server has been changed from ZMailer to Postfix.
- Mail routing now has a KeepOpen option that keeps mail routes to frequently used mail servers open. Enabling this option gives priority to local servers.
- It is no longer possible to route mail for all subdomains only. Any existing mail route configured as subdomain-only must be reconfigured to route mail for the domain and all of its subdomains.

FTP

- You can now enforce a disk space quota for the FTP area. This prevents anonymous FTP users from filling up the FTP disk space area.

DNS

The following features and improvements have been added to the DNS server:

- BIND upgrade: DNS has been upgraded to BIND 8.4.4.
- Dynamic DNS on the internal interface: Support for dynamic DNS updates on the internal interface has been added. Access control lists (ACLs) can be used to limit which hosts may send dynamic DNS updates.
- Recursive query ACL: You can now control which hosts may perform recursive queries through the external DNS server via a configurable ACL.
- External DNS server cache inquiry ACL: ACLs can be set up to restrict which hosts are allowed to query the external DNS server's cache. All zones hosted on the firewall still answer queries from anyone, but the external DNS server's cache can no longer be queried except by hosts the ACL permits.
- SOA serial number increments: The SOA serial number increment behavior can be modified. When this option is enabled, the serial number increments separately for each zone in your DNS, so each zone has a different serial number. When disabled, the serial number increments only once for all zones in a particular domain type (such as Internal-Forward), so that each zone in a domain has the same serial number, resulting in fewer serial number changes per update.
- Internationalized Domain Names (IDN): Through BWClient, you can configure internationalized DNS domain names. A domain name entered in a local language is converted to the ASCII form used by internationalized DNS.
- SPF support: SPF (Sender Policy Framework) lets a receiving mail server check whether the host delivering a message is authorized to send mail for the domain in the envelope-from address, by comparing the connecting IP address with the sending domain's SPF record in DNS. This lets receivers reject mail that forges your domain as the envelope sender. For each domain or individual host in your DNS server, you can specify the SPF TXT record.
- The DNS cache can be cleared without rebooting the firewall. This can only be performed from the Firewall console.
- DNS servers on a HALO backup system can now perform DNS queries.
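The SPF check described above, worked through as an added example (this is not BorderWare code and does not reflect how the Firewall Server's DNS or mail server implements it). It evaluates the common subset of SPF mechanisms (ip4, ip6, include, all) against a constructed in-memory table of TXT records in place of live DNS lookups; the domains, addresses and records are assumptions chosen from the documentation ranges, and the helper names are illustrative.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample TXT data standing in for DNS (assumed records, not real publishers).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "example.net": ["v=spf1 ip4:198.51.100.10 include:example.com ~all"],
    "example.org": ["some unrelated txt record"],
}

# Result a mechanism yields when it matches, keyed by its qualifier prefix.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain: str, txt: Dict[str, List[str]]) -> Optional[str]:
    """Return the domain's single SPF record, or None if there is not exactly one."""
    records = [r for r in txt.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None

def check_spf(sender_ip: str, envelope_from: str,
              txt: Dict[str, List[str]] = SAMPLE_TXT, depth: int = 0) -> str:
    """Evaluate the sending IP against the envelope-from domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # include: recursion limit
        return "permerror"
    domain = envelope_from.rsplit("@", 1)[-1]
    record = spf_record(domain, txt)
    if record is None:                  # no record (or ambiguous records)
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address or prefix
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only when the referenced domain's policy passes;
            # a missing or broken referenced record is a permanent error.
            sub = check_spf(sender_ip, "postmaster@" + arg, txt, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"          # a, mx, exists, ptr, macros: not modeled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match
```

A receiving MTA would act on the result (reject on fail, mark on softfail) and, for the null sender used by bounces, fall back to the HELO domain; neither step is modeled here.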

HALO Load Optimization

HALO (High Availability for Parallel Firewalls) now features load optimization. The MASTER system can be configured to offload specific network traffic and ports to a BACKUP system, and you can also configure which network traffic and ports a system accepts when it is in BACKUP mode. For example, you can assign the MASTER system to accept HTTP (port 80) connections but offload any FTP traffic to the BACKUP system. The MASTER Firewall Server still accepts all traffic, but any offloaded services are forwarded to the BACKUP firewall. If the BACKUP system is not available, the MASTER takes these services over again as part of the failover process.

If a HALO system is in BACKUP mode, it allows connections on ports 441 and 442 (for BWClient) and port 161 (for SNMP). This allows you to examine the status of a BACKUP system in a HALO cluster.

UDP Session Support

The number of allowed UDP sessions has been doubled. The previous maximum for one UDP proxy was 3975 sessions. It is now 8192 if the high port range (49152-65535, the IANA dynamic port range) is chosen, and remains 3975 when the normal port range (1024-5000) is chosen. If multiple UDP proxies pick the same range, the ports are shared, one port per session, on a first-come, first-served basis.

Direct Packet Option

The following features and improvements have been added to the Direct Packet Option:

- NAT support has been added for protocols other than TCP, UDP, and ICMP. To use other protocols, such as ESP (IPSec), the firewall's private networks (Internal, SSN, AUX) must use routable IP addresses.
- Destination NAT has been added for SSN-to-INT traffic. This provides the same behavior as the SSN-to-INT proxy and allows optional destination NAT in all directions.
- Inbound ping (ICMP) traffic is now supported. Note that NAT is not supported for this feature.
- FTP has been added as a predefined service. Note that extended passive mode (EPSV) is not supported, and clients must disable it for FTP.

IPSec VPN Option

The following features and improvements have been added to the IPSec VPN Option:

- Policies: Ciphers, hashes, and other IPSec connection options can be defined in a policy that is applied to several connections, instead of configuring these options for each individual connection.
- Dynamic Remote Gateway: You can now configure dynamic server-to-server VPN connections. Previously, these connections could only be static.
- Internal IPSec: A local gateway can be configured to protect traffic between internal (SSN or AUX) hosts and the firewall server.
- Bypass Only: This setting allows ESP traffic to be processed by the Direct Packet option, bypassing IPSec on the firewall.
- LDAP ID Support: You can now specify connection authentication IDs in LDAP distinguished name format.
- Multiple Remote Authentication IDs: Authentication IDs are required to identify a remote client. You can now set multiple Remote Authentication IDs for one connection, so that one connection serves several authenticated IDs rather than requiring a separate connection for each.
- XAUTH Support: Support has been added for Extended Authentication (XAUTH), which lets you select SecurID or RADIUS (via PAM) for user authentication instead of only clear-text passwords.
- Forward Packets: This option allows packets that exit a tunnel to be forwarded through the firewall when the destination is on the other side of the firewall. It is required when a remote site needs to reach the Internal-External proxies on the firewall even though the packets originate from the Internet and return to the Internet. For example, an external client may want to use the firewall's proxy server to access HTTP over the Internet. The traffic is sent back to the external interface of the firewall to be filtered through its application-level proxies.
- Deny Packets: If enabled, this prevents non-IPSec-encrypted traffic from leaving the firewall. It is typically used with Responder Only connections.
- Priority: The order of priority for IPSec connections can be modified.
- SA Granularity: Administrators can configure the granularity of Security Associations (SAs), such as by network, host, port, or protocol.

- IP Compression: Support for IP compression (IPComp) has been added to improve performance over slow network connections.
- Path MTU Discovery: The MTU is the largest packet size a path will carry. This option improves performance by sending the largest packets the path allows, as determined by path MTU discovery; if a smaller MTU is encountered along the path, the packet size is reduced accordingly. If disabled, no path MTU discovery is used for packet delivery.
- Responder Only: If enabled, the local end of the VPN never initiates a tunnel. If the tunnel is dynamic and the FQDN of the remote gateway can be reliably resolved, this can be disabled. If the remote gateway is null, this option should be enabled.
- Virtual IP Address: The client can specify a virtual local address when connecting to a VPN. The address must appear in the Local addresses in the server-side configuration.
- The proxy server is available via an IPSec tunnel. This allows a remote user connecting over a client-to-server or server-to-server connection to be routed through the proxy server.
- If changes are made to IPSec via BWClient, an IPSec restart is no longer required.

BWClient Enhancements

The following features and improvements have been added to the BWClient administration utility:

- BWClient access is now supported on the AUX interfaces.
- BWClient now includes a management console, which provides an easy way to view all Firewall Servers in your network and group them into Management Groups. Management groups allow you to manage several Firewall Servers from a single console, including copying the configuration from one Firewall Server to another. You can also view real-time statistics on each firewall, such as CPU and network interface utilization.

Enhanced Remote Administration

Multiple client IP addresses can administer the firewall via a server-to-server IPSec VPN tunnel.

Enhanced Text Configuration File

The text configuration file now includes information on the following items:

- Squid proxy server (HTTP)
- Direct Packet
- IPSec VPN
- URLfilter
- Security Connection
- Website redirections

XML Configuration File

You can now perform a restore using a modified backup XML configuration file.

Installation and Upgrade Notes

If this is an initial installation of the Firewall Server, please see the Firewall Server Installation Guide for instructions. If you are upgrading the Firewall Server from a previous version, you must be running version 6.1.2 or later.

Recommended Upgrade Procedure

As a general precaution, customers should keep text copies of their BorderWare Firewall configuration and make multiple copies of their backups. It is also recommended that you make both a diskette and an XML backup, if possible.

Upgrade procedure from 6.1.2 or later to version 7.1:

1. Create configuration backup(s).
2. Install BFS 7.1.
3. Install options (such as SmartGate, IPSec), if any.
4. Restore the configuration (preferably via XML). Version 7.1 will correctly read backup files created by versions 6.1.2 and later.

Important Upgrade Information

The following describes important configuration information for certain firewall server components after the upgrade to 7.1.

SMTP Proxy Internal-External

For upgrades from 6.1.2x to 7.1, you cannot use a backup configuration from diskette; it must be from the XML file. If you are using diskette, you must contact BorderWare technical support to ensure this feature works properly after an upgrade.

Mail Routing

After upgrading to version 7.1, you must examine your mail routes to ensure they are configured properly. The Deliver via Host field must be filled in with your mail server hostname or IP address (if not using DNS).

Manual VPN Connections and Policies

Manual VPN connections that are upgraded to 7.1 are automatically assigned the default base policy. This policy's defaults for hashes and ciphers are for IKE, and all options are selected. You must create another policy for your manual connections to specify one hash, one cipher, and one HMAC setting.

Client to Server and Responder Only Option

If upgrading from 6.1.2x, or from 6.5 and 6.5a with IPSec version 1, any Client to Server connections must have the Responder Only option enabled. This setting can be found under the Miscellaneous tab in the VPN connection settings.

VPN Connection Priorities

When upgrading from a previous version, you must ensure that the VPN connection priorities are listed in the proper order. New connections can be assigned priorities from 10000 to 31999. Connections are evaluated from the lowest priority value to the highest. Your connections should appear in the following order (after the predefined default connections):

1. a) Main-mode connections with a remote gateway.
   b) Main-mode NAT-traversal connections with a known NAT device IP address.
2. Aggressive-mode connections with a remote gateway IP address and Remote Authentication IDs that are IP addresses.
3. a) Main-mode connections without a remote gateway.
   b) The Phase 1 connection should appear before the responder.
   c) Phase 2 connections.
   d) Connections with specific remote addresses should appear before those with an any-address remote (0.0.0.0/0).
4. Aggressive-mode connections with specific remote addresses.
5. Aggressive-mode connections with an any-address remote (0.0.0.0/0).

How to Contact Us

BorderWare Technical Support
Telephone: Toll free (USA and Canada): 1-877-814-7900
Europe: +44 208-577-1024
All other locations: 905-804-1855 (Canada)
Email: support@borderware.com
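The VPN Connection Priorities ordering above is easy to get wrong by hand after an upgrade, so here is an added example of a checker for it. This is not BorderWare code and does not read the Firewall Server's configuration; it models a connection with the attributes the ordering rules depend on (IKE mode, whether a remote gateway or NAT device address is known, whether the remote network is a specific subnet or 0.0.0.0/0, and whether the remote authentication ID is an IP address), classifies each connection into ordering classes 1 through 5 with the specific-before-any rule inside class 3, reports connections whose numeric priorities violate that order, and proposes replacement priorities in the documented 10000-31999 range. The Phase 1/Phase 2 sub-ordering in class 3 is not modeled, the predefined default connections are assumed to sit below 10000, and the sample connections are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PRIORITY_MIN, PRIORITY_MAX = 10000, 31999   # range the release notes allow for new connections

@dataclass
class VpnConnection:
    name: str
    priority: int                        # lower value is evaluated first
    mode: str                            # "main" or "aggressive"
    remote_gateway: Optional[str]        # peer address, None when the peer is dynamic/unknown
    remote_network: str                  # remote address range; "0.0.0.0/0" means any address
    nat_device_ip: Optional[str] = None  # known NAT device address for a NAT-traversal peer
    auth_id_is_ip: bool = False          # remote authentication ID is an IP address

def is_any_address(network: str) -> bool:
    return ipaddress.ip_network(network, strict=False).prefixlen == 0

def rank(c: VpnConnection) -> Tuple[int, int]:
    """Ordering class from the release notes; tuples compare lexicographically."""
    specific = not is_any_address(c.remote_network)
    if c.mode == "main":
        if c.remote_gateway:
            return (1, 0)                      # 1a: main mode with remote gateway
        if c.nat_device_ip:
            return (1, 1)                      # 1b: NAT-T peer with known NAT device address
        return (3, 0 if specific else 1)       # 3: no remote gateway; specific before 0.0.0.0/0
    if c.mode == "aggressive":
        if c.remote_gateway and c.auth_id_is_ip:
            return (2, 0)                      # 2: gateway IP and IP-form authentication ID
        return (4, 0) if specific else (5, 0)  # 4: specific remote; 5: any-address remote
    raise ValueError(f"unknown IKE mode {c.mode!r} for connection {c.name}")

def validate(conns: List[VpnConnection]) -> List[str]:
    """Return human-readable problems; an empty list means the order is acceptable."""
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for c in conns:
        if not PRIORITY_MIN <= c.priority <= PRIORITY_MAX:
            problems.append(f"{c.name}: priority {c.priority} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
        if c.priority in seen:
            problems.append(f"{c.name}: priority {c.priority} duplicates {seen[c.priority]}")
        seen.setdefault(c.priority, c.name)
    ordered = sorted(conns, key=lambda c: c.priority)
    for earlier, later in zip(ordered, ordered[1:]):
        if rank(earlier) > rank(later):
            problems.append(f"{earlier.name} (class {rank(earlier)}) is evaluated before "
                            f"{later.name} (class {rank(later)})")
    return problems

def suggest_priorities(conns: List[VpnConnection], start: int = PRIORITY_MIN,
                       step: int = 100) -> Dict[str, int]:
    """Assign priorities in class order, keeping the existing order within a class."""
    ordered = sorted(conns, key=lambda c: (rank(c), c.priority))
    return {c.name: start + i * step for i, c in enumerate(ordered)}

def apply_priorities(conns: List[VpnConnection], mapping: Dict[str, int]) -> List[VpnConnection]:
    return [replace(c, priority=mapping.get(c.name, c.priority)) for c in conns]

# Constructed sample configuration (names and addresses are illustrative, not from the page).
SAMPLE = [
    VpnConnection("roadwarriors", 10000, "aggressive", None, "0.0.0.0/0"),
    VpnConnection("branch-static", 10100, "main", "203.0.113.10", "10.20.0.0/16"),
    VpnConnection("partner-natt", 10200, "main", None, "10.30.0.0/24", nat_device_ip="198.51.100.7"),
    VpnConnection("dynamic-peer", 10300, "main", None, "10.40.0.0/24"),
    VpnConnection("legacy-aggr", 10400, "aggressive", "203.0.113.20", "10.50.0.0/24", auth_id_is_ip=True),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("problem:", problem)
    for name, prio in suggest_priorities(SAMPLE).items():
        print(f"suggested {name}: {prio}")
```

In the sample, the catch-all aggressive-mode connection sits at the lowest priority value and is therefore evaluated before every static main-mode connection, which is exactly the misordering the upgrade note warns about; the suggested assignment moves it to the end.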