RELEASE NOTES. StoneGate Firewall/VPN v2.2.11 for IBM zSeries




Copyright 2006 Stonesoft Corp. All rights reserved. All trademarks or registered trademarks are property of their respective owners.

Disclaimer: Although every precaution has been taken to prepare this document, Stonesoft assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained in this document. All information contained in this document is subject to changes at any time.

TABLE OF CONTENTS

- What's New
- System Requirements
- Build Version
- Compatibility
- Installation Instructions
- Upgrade Instructions
- Known Limitations
- Known Issues

WHAT'S NEW

New Features

Active-active Clustering

StoneGate Firewall/VPN v2.2.11 for zSeries utilizes z/VM 5.1 layer 2 functionality in order to provide active-active clustering. In a clustered firewall configuration, each firewall node handles and processes traffic individually, and traffic is balanced between the nodes dynamically. In case a firewall node in a cluster should fail or be taken offline for maintenance, traffic is automatically redistributed between the other online nodes.

The active-active clustering is implemented using dispatch CVI mode, in which one cluster node receives all the traffic sent to the cluster IP address. The receiving firewall node forwards the traffic to the other nodes for processing. The existing IP takeover CVI mode is still supported, and it can be used when the firewall cluster is run in standby mode.

Fixes

Problems described in the table below have been fixed since StoneGate Firewall/VPN v2.2.10. A workaround solution is presented for earlier versions where available.

Synopsis: Static ARP does not work with OSA cards (#6356)
Description: Static ARP defined in StoneGate configuration does not update the OSA card's ARP cache.

Synopsis: Static NAT changes the port of FTP data connection (#10645)
Description: The port of FTP data connection is changed even though static NAT is used. This may cause some FTP data connections to fail if hundreds of simultaneous connections are established.
Workaround for previous versions: Decreasing TCP_TIME_WAIT value may help to get more FTP data connections established but make sure the timeout value is same on the firewall and on the FTP server.

Synopsis: Log files may be moved to the "corrupted" directory even though the files are not corrupted (#11672)
Description: After five failed attempts to send the log information to log server, the sendlogd daemon stores the log files to the "corrupted" directory even if the information is not corrupted. This may cause the engine to store a lot of information in the /spool/log/corrupted/ directory.

Synopsis: Backup heartbeat may not work (#12449)
Description: Joining into the multicast group may fail in the backup heartbeat interface, and thus the firewall does not receive any heartbeat messages from the other nodes if the primary heartbeat link fails.

Synopsis: TCP Reset packets that StoneGate sends do not affect already established connections. (#12605)
Description: The TCP Reject response does not always use proper TCP sequence numbers, and thus they do not affect already established connections.

Synopsis: NAT does not work properly with RSH, H.323 and Oracle Protocol agents
Description: NAT fails when RSH, H.323 or Oracle Protocol agent is used. The failed connections are logged with "Requested NAT cannot be done" error messages.

Synopsis: Policy rollback may not work (#17315)
Description: Policy rollback may fail with the following log messages: Rollback timeout, policy rollback failed: -1.
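The sequence-number check behind fix #12605, as an added example (not from the Stonesoft release notes or product code). It assumes the connection endpoints apply the standard RFC 793 window test, optionally with the RFC 5961 exact-match rule; the function names and sample values are constructed for illustration.

```python
# Added illustration (not Stonesoft code): how a TCP endpoint in a synchronized
# state treats an incoming RST, per RFC 793 and RFC 5961. Assumes the endpoint
# follows those RFCs; names and sample values are constructed.

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def in_receive_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a zero-length segment such as a RST."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    # Modular distance from RCV.NXT handles wraparound past 2**32.
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_disposition(seq, rcv_nxt, rcv_wnd, rfc5961=True):
    """Return 'reset', 'challenge_ack' or 'discard' for a RST carrying `seq`."""
    if not in_receive_window(seq, rcv_nxt, rcv_wnd):
        return "discard"            # connection stays established
    if rfc5961 and seq != rcv_nxt:
        return "challenge_ack"      # receiver ACKs instead of resetting
    return "reset"


def classify(candidates, rcv_nxt, rcv_wnd, rfc5961=True):
    """Map each labelled candidate RST sequence number to its disposition."""
    return {label: rst_disposition(seq, rcv_nxt, rcv_wnd, rfc5961)
            for label, seq in candidates.items()}


# Constructed receiver state: next expected byte sits just below the wrap point.
RCV_NXT = 0xFFFFFF00
RCV_WND = 65535

# Constructed RST sequence numbers, as a reject response might carry them.
SAMPLE_RSTS = {
    "exact RCV.NXT": 0xFFFFFF00,
    "in window, after wrap": 0x00000010,
    "one byte behind": 0xFFFFFEFF,
    "unrelated value": 0x12345678,
}

if __name__ == "__main__":
    for label, verdict in classify(SAMPLE_RSTS, RCV_NXT, RCV_WND).items():
        print(f"{label:24} -> {verdict}")
```

On an RFC 5961 endpoint only the exact-match case tears the connection down, which is why a reject carrying an imprecise sequence number leaves an established flow open.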

SYSTEM REQUIREMENTS

Hardware Requirements

StoneGate Firewall/VPN v2.2.11 can run either as a z/VM guest or natively on a Logical Partition (LPAR)* on the following mainframe platforms:

- zSeries 990
- zSeries 890
- zSeries 900 (*
- zSeries 800 (*

Each StoneGate Firewall/VPN instance requires the following hardware resources:

- at least one shared control processor. Symmetric multiprocessing (SMP) and IFL processors are supported.
- allocated memory depending on usage; 128 megabytes recommended minimum.
- two CMS minidisks (1 gigabyte recommended for each dependent upon memory allocation) or two dedicated DASD block devices (2,3 gigabytes each)

For more information about StoneGate for IBM zSeries mainframe platform please see: http://www.stonesoft.com/products/ibm_zseries/

Supported Networking Options

- OSA-Express Fast Ethernet (OSAX-FE) and Gigabit Ethernet (OSAX-GE)
- OSA-Express2 Fast Ethernet (OSA2-FE)
- Virtual Switch (VSWITCH)
- HiperSockets *
- Guest LAN *
- Channel-to-Channel (CTC) adapter **
- z/VM Inter-User Communication Vehicle (IUCV) **

* Active-active clustering is not supported
** Clustering is not supported

Supported z/VM Versions

- z/VM 4.4 *
- z/VM 5.1

* Active-active clustering is not supported

BUILD VERSION

The StoneGate Firewall/VPN v2.2.11 for IBM zSeries build version is 1079.

COMPATIBILITY

Caution: StoneGate Firewall/VPN v2.2.11 for IBM zSeries requires SMC v3.2.0 or later.

StoneGate Firewall/VPN v2.2.11 is recommended to be used with the following StoneGate component versions:

- StoneGate Management System v3.2.3
- StoneGate VPN Client v2.6.1
- StoneGate Server Pool Monitoring Agent v2.6.2

INSTALLATION INSTRUCTIONS

The main installation steps for StoneGate Firewall/VPN are as follows:

1. Install the Management Server, the Log Server(s), and the Management Client. The Monitoring Server needs to be installed if Monitoring Clients are used.
2. Add the following line into SGClientConfiguration.txt in the user home directory on the Management Client computer:
   FWPropertiesForS390=True
3. Configure the Firewall element using the Management Client.
4. Generate an initial configuration for the engines by right-clicking the Firewall element and selecting Save Initial Configuration from the menu that opens.
5. Prepare the StoneGate VM guest user or LPAR for native installation.
6. Install the firewall engine by running the SGINST EXEC script.
7. Configure the network cards and make the initial connection from the engines to the Management Server using the one-time password from step 4.
8. Create and upload a policy on the engine using the Management Client.
9. Command the nodes online by right-clicking the firewall and selecting Commands → Go Online from the menu that opens.

Detailed instructions for completing the steps above can be found in the StoneGate Installation Guide. For instructions on the day-to-day configuration and management of StoneGate, refer to the online help of the Management Client (or its PDF version, the StoneGate Administrator's Guide). For background information on how the system and its features work, consult the Reference Guide. PDF versions of the documentation are included on the installation CD-ROM and all guides are also available for download at www.stonesoft.com/support.

UPGRADE INSTRUCTIONS

Note! Firewall engine may hang after upgrading it from an earlier version if the guest's initial address space is too small (e.g., 64M). Make sure the address space is 128M before upgrading the engine.

StoneGate Firewall/VPN v2.2.11 requires an updated license, if upgrading from StoneGate v2.1.x. The license upgrade can be requested on our Web site at https://my.stonesoft.com/license/. Activate the new license in the Administration Client before upgrading the software.

To upgrade the firewall engine from version 2.x, use the remote upgrade feature. Detailed instructions can be found in the StoneGate Installation Guide.

KNOWN LIMITATIONS

Known limitations and restrictions of StoneGate Firewall and VPN v2.2.11 are described in the table below.

Synopsis: New IPsec certificate not immediately used. (#2543)
Description: After creating or changing Security Gateway IPsec certificates, firewall nodes must be rebooted to start using the certificates.
Workaround: Reboot the firewall node after creating or changing its certificate.

Synopsis: VLAN tagged interface cannot be used for heartbeat. (#4044)
Description: VLAN tagged interface cannot be configured as primary or secondary heartbeat interface.
Workaround: Use a native (non-VLAN tagged) interface for heartbeat. Operative traffic interfaces can be used for heartbeat.

Synopsis: Connections are not dropped when validity time has elapsed. (#4251)
Description: New connections are not accepted after validity time of the rule has elapsed but old connections remain active.

Synopsis: Only first eight characters of the root password are effective. (#5171)
Description: The sg-reconfigure firewall engine configuration wizard allows entering a long password for root but only the first eight characters are effective.

Synopsis: User authentication does not work for user names that contain an accentuated character. (#6230)
Description: If user name contains accentuated characters (for example: å, ä, ö), user authentication will fail.

Synopsis: Failover may take a long time when using dedicated OSA express cards (#8821)
Description: When using dedicated OSA cards for the firewall cluster nodes instead of one shared OSA card, the cluster MAC address changes in failover. After the failover, StoneGate notifies the surrounding network devices of the changed MAC address by sending a gratuitous ARP message. However, an OSA card sends the ARP messages very slowly (5 sec interval) and this may result in a long failover time if many proxy ARP entries are used, for example, for NATing purposes.

KNOWN ISSUES

The updated list of known issues can be found on our Web site at http://www.stonesoft.com/support/stonegate/known_issues/.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Copyright and Disclaimer

Copyright 2000-2006 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS.

IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: RLNT-SG2.2.11-20060322

International Headquarters
Stonesoft Corp.
Itälahdenkatu 22a
FIN-00210 Helsinki, Finland
+358-9-4767 11 tel.
+358-9-4767 1234 fax.
info.emea@stonesoft.com
Business ID: 0837548-0
VAT number: FI08375480

Americas Headquarters
Stonesoft Inc.
1050 Crown Pointe Parkway, Suite 900
Atlanta, GA 30338 USA
770 668-1125 tel.
770 668-1131 fax.
info.americas@stonesoft.com

Asia Pacific Headquarters
Stonesoft Corp.
90 Cecil Street #13-01
069531 Singapore
+65 63251390 tel.
+65 63251399 fax.
info.asiapacific@stonesoft.com