Stormshield Network Firewall. Upgrade. Highlights RELEASE NOTE V1


Stormshield Network Firewall
RELEASE NOTE V1

Upgrade

Lowest version required: Stormshield Network 1.x and NETASQ 9.1.x

Hardware compatibility:
SN150, SN200, SN300, SN500, SN700, SN900, SN2000, SN3000 and SN6000
NETASQ U30S, U70S, U150S, U250S, U500S, U800S, NG1000-A and NG5000-A
Stormshield Network and NETASQ Virtual Appliances

NOTE
Before any upgrade, you are strongly advised to read the chapter on Explanations on usage carefully and to back up the configuration.

Highlights

Features covered SSL VPN IPv6 support Activity Report Log Network interfaces Intrusion prevention engine Cloud backup Guest authentication HTTP proxy
Level of modification Major Major Major Major Major Minor Minor Minor

Page 1 / snenrno_firewall-version Copyright Netasq 2014

Version

This release note contains the description of the main modifications made to the various versions of the same major version. You are advised to apply the latest version in order to benefit from the most recent developments and bug fixes.

Features Resolved vulnerabilities Bug fixes Known issues Bug fixes Features Bug fixes Features Resolved vulnerabilities Features Explanations on usage

Managing the life cycle of versions

According to the terms of the document Product Life Cycle Stormshield Network Security, the maintenance of firmware versions of the 1.x branch is guaranteed up to 03/07/2015. In the absence of a more recent version, support will be provided for this version and version

Precautions before a migration

The NSRPC binary (Windows executable) allows logging on remotely to firewalls and executing CLI commands sequentially. Since version 1.0, communications have been authenticated via HMAC-SHA2, so the NSRPC client must be upgraded. This can be done in the client and partner areas.

Dynamic objects

In versions of Netasq firmware lower than 9.0.6, configurations may contain dynamic objects with an IP address equal to Such values could cause conflicts during the ASQ engine's processing, so you are advised to look for such objects and replace the value with a valid IP address before the migration.

ARP entries

If the configuration of the number of ARP entries had been customized (MaxEntries field in the file ConfigFiles / arp), it will be reinitialized during a migration operation. This number will need to be customized again when the version is changed (MaxARPEntries and MaxNDPEntries fields in the file ConfigFiles / ether).

1.2.0 Features

Intrusion prevention

Support reference
The intrusion prevention engine recognizes and analyzes both of the new encryption suites (ChaCha20 and Poly1305) embedded in Google servers (*.google.*) and recent versions of the Chrome browser.

Two additional types of Microsoft RPC (DCE/RPC) traffic are analyzed by the intrusion prevention engine (Protocols module). These are the Microsoft Exchange EMSMDB interface and the Microsoft Exchange Async EMSMDB interface.

System

Firewalls can now log on to external LDAP directories using a posixgroup schema (users are saved with their user names instead of their DNs [Distinguished Name]). The LDAP directory can only be chosen via CLI commands for the moment.

On SN6000 high-end models, the LCD screen successively displays a set of information relating to the system or to certain features when they are enabled: the firewall's name or serial number, the firmware version of the main partition, high availability status (HA), RAID status, and IP address of the IPMI (Intelligent Platform Management Interface).

Web administration interface

In order to strengthen the security of connections to the web administration interface, the encryption suites based on the hash algorithm SHA1 are no longer authorized. Only the suites based on SHA2 can now be used. As a result, for some older versions of web browsers (e.g.: Microsoft Internet Explorer v9), the TLS v1.2 protocol must be enabled.

Dashboard

The statuses of disks and any RAID volumes (high-end SN3000 and SN6000 firewalls) as well as power supply modules (high-end SN3000 and SN6000 firewalls) are now displayed in the Hardware window on the Dashboard.

Web objects

Comments can now be added to each element belonging to a customized URL category, or to a customized category of certificate names.

Application inspections: FTP

An option now allows restricting the use of the FTP protocol to certain user accounts, by defining a list of authorized users and/or list of blocked users. This option is available from the FTP users tab in the FTP Protocol module.

SSL VPN tunnel

The listening port of the SSL VPN tunnel server can now be configured (the default value suggested remains port TCP/443). Do note that certain reserved ports (e.g.: http_proxy) cannot be used.

Authentication portal

Users authenticated via the firewall's portal can now log off from this portal without having to re-enter their logins and passwords, thanks to the authentication cookie.

Virtual firewalls

The Ethernet network driver on Stormshield Network virtual firewalls (vmx) has been updated, thereby allowing them to reach throughputs of up to 10Gb/s.

Stormshield Network Real-Time Monitor

The statuses of internal disks and any RAID volumes (high-end SN3000 and SN6000 firewalls) as well as power supply modules (high-end SN3000 and SN6000 firewalls) are now displayed in the Hardware module in SN Real-Time Monitor.

Resolved vulnerabilities

SSL and TLS security flaw

Vulnerabilities that can cause Man in the Middle (MITM) attacks or Denials of Service have been resolved following the upgrade of the OpenSSL cryptographic library to version 1.0.1j. The list of these vulnerabilities is as follows:
- SRTP Memory Leak (CVE ),
- Session Ticket Memory Leak (CVE ),
- SSL 3.0 Fallback,
- Build option no-ssl3 is incomplete (CVE ).

FreeBSD security flaw

A vulnerability regarding TCP packet treatment (FreeBSD-SA-14:19 Denial of service in the treatment of TCP packets) has been resolved by the application of a FreeBSD security fix.

1.2.0 Bug Fixes

Intrusion prevention

Support reference
The use of the SIP protocol within a NAT rule specifying the destination port would generate an anomaly in address translation for the Contact field. This malfunction has been fixed.

Support reference
In the contact field of a SIP packet going through the firewall, the presence of commas within a character string may be incorrectly interpreted by the intrusion prevention engine, thereby preventing the telephone from being saved on a SIP server. This anomaly has been fixed.

Support reference
Traffic from WAN optimization tools developed by Riverbed Technology going through a filter rule defined in firewall mode could prevent the intrusion prevention engine from running correctly due to the specific TCP syntax used by these appliances. This issue has been resolved.

System

Support reference
When a connection to a firewall is made through a PPTP tunnel which was interrupted then set up again, certain network packets may be re-sent continuously, potentially causing the firewall to freeze. This issue has been fixed.

Support reference
Whenever the language configuration file contained an empty or invalid Keyboard field, the menu System > Configuration may no longer be accessible and cause a disconnection from the administration interface. This issue has been resolved.

File system

Support reference
The firewall could potentially write data on the disk sector bearing the label of a partition. This partition would then be detected by the system as corrupted and irreparable. This issue has been resolved with the adoption of the UFS (Unix File System) disk partitioning system.

Interfaces

Support reference
The modem creation wizard selected by default the type of connection if there is traffic (on demand), which could cause the modem to malfunction. This reaction has been modified, and the permanent connection type is now the predefined choice.

DHCP

Support reference
On a firewall that already has a DHCP address range associated with a gateway, a second routed DHCP range could not be created. This anomaly has been fixed.

Support reference
In configurations containing a DHCP address range as well as a static route on the same protected interface, the DHCP server could potentially stop adhering to the address range for this interface, thereby distributing unadapted IP addresses. This issue has been resolved.

Support reference
For configurations containing a very large number of DHCP reservations, the configuration file generated could not be fully read by the DHCP server, which may then fail to restart correctly. This anomaly has been fixed.

Support reference
When remote clients were connected via PPTP, the DHCP server could no longer be started as it would then attempt to listen to DHCP requests on the virtual interface dedicated to these PPTP tunnels. This issue has been resolved.

Authentication

Support reference
When an authentication rule contained several methods including authentication via SSO Agent, the method listed just after it could potentially stop being applied, therefore causing authentication problems. This issue has been resolved.

Filtering and NAT

Support reference
In certain configurations of filter rules (routing on a gateway other than the default gateway, the use of automatic protocol detection and value of the protocol field forced to "TCP"), packets sent by the firewall could bear a wrong source IP address (address of the interface connected to the default gateway). This issue has been resolved.

Policy Based Routing

Support reference
When gateways are specified in filter rules (Policy Based Routing), their availability is systematically tested by a monitoring mechanism (ICMP echo request message). In configurations that use two (or more) dialup gateways on a single ISP (internet service provider), the ISP would present the same remote IP address for both appliances, which was incompatible with the gateway monitoring mechanism. This issue has been resolved.

Some environments do not allow pings to internet access gateways (dialup). During the implementation of routing to dialup gateways in filter rules (PBR: Policy Based Routing), the availability monitoring mechanism could wrongly consider these gateways as unreachable. This detection mechanism has been enhanced in order to fix this issue.

Logs

Support reference
Following the migration of a configuration from v9.1.x to v1.1.0 with log file rotation enabled (menu Configuration > Notifications > Logs syslog), only the oldest file in each log category was deleted. As the size of these files could reach 20M in version 1.x (as opposed to only 5M in version 9.1.x), the partition reserved for the storage of these files could then become saturated. The method for calculating the disk space needed for each log category has been reviewed in order to fix this problem.

SSL Proxy

The use of the SSL proxy on SN150 Firewalls could potentially prevent or alter the display of HTTPS pages. This issue has been resolved.

Software update via USB key

Support reference
In the context of an upgrade via USB key, the firewall would reboot before installing the firmware version downloaded from the key. If the USB key was still plugged in after this reboot, the firewall would detect it again and attempt to download this upgrade a second time. In order to allow the USB key to be ejected and therefore prevent the installation of an identical upgrade, this reboot has been replaced by a shutdown. The installation will eventually be preceded again by a simple reboot and this issue has been resolved by the detection of the upgrade version on the key.

Web administration interface

Software updates

When a firmware upgrade was indicated as unavailable in the System update tab in the Maintenance module, the download link could fail to work. This anomaly has been fixed.

Support reference
During a search for firmware upgrades, a message indicating "No information available" could mistakenly appear. This issue has been resolved.

Routing

Support reference
When adding a static route using the IPSec VPN interface, an error message would indicate that this interface could not be found. This anomaly has been fixed.

LDAP directory

Support reference
When the Organization field in the LDAP directory contained square brackets [ ], users in the directory were not visible in the Users menu on the firewall. This issue has been resolved.

Filtering and NAT

Support reference
Filter rules that use proxies (through a URL inspection for example), and a destination port combined with a comparison operator (!=, > or <), could wrongly be indicated as invalid. This anomaly has been fixed.

Support reference
The use of groups containing more than 256 objects in a filter rule would generate warning messages when the filter policy is loaded, and the storage of these messages could cause the partition dedicated to logs to fill up. This behavior has been corrected.

PKI and certificates

Support reference
The creation of a certificate for a user with an address identical to that of a user already configured on the firewall would cause an error message to appear, displaying the password of the associated CA. This anomaly has been fixed.

Objects

Support reference
When an empty group was created on a firewall using only IPv4 addressing, this group could not be displayed (list of network objects) or selected in the administration interface (in a filter rule, for example). This anomaly has been fixed.

User Access Control (UAC)

Support reference
Following the migration of a configuration containing VPN access privilege rules from v9.x to v1.1.0, these privileges could no longer be modified. This issue has been resolved.

IPSec VPN

Support reference
The wizard for creating an IPSec Mobile Config mode policy did not allow the use of the all object in the Local network field. This behavior has been modified.

Notifications

Support reference
In the settings of the SMTP server that sends notifications, the DNS domain field offered the value netasq.com by default. This field is now left empty.

The template used for sending alarm reports has been modified.
Support reference

SSL VPN tunnel

Support reference
During the installation of the Stormshield Network SSL VPN Client software, the associated Windows service (Stormshield SSL VPN Service) was configured in manual startup mode. This service is now installed in automatic startup mode.

Support reference
Users with passwords that contain the character % were unable to log on through the Stormshield Network SSL VPN Client. This anomaly has been fixed.

Support reference
The installation of the Stormshield Network SSL VPN Client by a standard user via the privilege elevation option ("Run as administrator") failed with the message "the folder does not exist". This issue has been resolved.

Support reference
When an error arose during the installation of the Stormshield SSL VPN Client, this application could then no longer be uninstalled correctly. This issue has been fixed.

VMWare virtualization

Support reference
The virtual disk (vmdk file) included in the disk images on firewalls (ova format) presented compatibility issues with the latest upgrades of the VMware ESXi virtualization software (versions 5.0 and 5.1 only). This issue has been resolved and new disk images have been published in your secure area.

Stormshield Network SSO Agent

During a quick change of an authenticated user's connection type (e.g.: the end of a wire connection relayed immediately by a wireless connection), the SN SSO Agent could consider the user as logged off. This behavior has been corrected.

Stormshield Network Real-Time Monitor

Support reference
Adding a firewall to an empty address book made this address book inaccessible in SN Real-Time Monitor, and would cause the following message to display: "The address book cannot be opened. File does not exist or you don't have the appropriate access rights." This issue has been resolved.

Stormshield Network Administration Suite

Support reference
The Stormshield Network Administration Suite installation wizard offered the wrong URL for product registration. This anomaly has been fixed.

Support reference
The contact address and link to the Stormshield website have been modified in the welcome screens on SN Administration Suite applications (SN Real-Time Monitor, SN Unified Manager and SN Event Reporter).

Stormshield Network Unified Manager

Support reference
In the SN Unified Manager welcome menu, the description of the option allowing the user to quit the application was truncated. This display flaw has been fixed.

Support reference
The option for importing an address book has been deleted from the File menu in the Stormshield Network Unified Manager application.

Support reference
The pop-up menu that allows adding external tools did not function for appliances other than firewalls (servers, workstations, etc.). This issue has been resolved.

Known issues

Intrusion prevention

Support reference
In the configurations of filter rules combining address translation and inspection in firewall or IDS mode, connections using a protocol that requires packets to be rewritten (FTP for example) can be altered. As such, TCP packets presenting a sequence number outside the expected TCP window will stop the protocol scan (plugin attached due to the type of protocol). As the TCP window rewrites packets, interrupting it will therefore distort the associated NAT.

System

A vulnerability has been detected on the firewall's FTP client. For it to be exploited, the FTP client would need to execute FTP commands that redirect to malicious HTTP URLs by leaving out the output file ("-o" FTP option). E.g.: ftp

In its native state, this flaw cannot be exploited as the firewall never uses this FTP client for file transfers. However, to prevent any risk of the exploitation of this vulnerability, you are advised against executing scripts that would implement this FTP client on the firewall.

Interfaces

The connection type if there is traffic (on demand), prevented a modem from operating correctly. Therefore, during the creation of a modem in the wizard, the permanent connection option is now selected by default.

On U30S and SN200 models, several VLANs can now be created within a bridge via the web administration interface. However, you are strongly advised against performing this operation which is not supported as it can lead to flaws in the transmission of responses to ARP requests received on these VLANs to the other interfaces of the bridge.

1.1.3 Bug fixes

System

Support reference
The automated procedure for updating a firewall by booting on a USB key is once again operational.

Network

Support reference
The implementation of a VLAN on models in the higher end of the Stormshield Network firewall range (SN2000, SN3000 and SN6000) did not function properly. This issue has been fixed.

Intrusion prevention

A problem with the calculation of the TCP sequence number when rewriting data could potentially cause the firewall to freeze. This anomaly has been fixed.

Features

Support for high-range models

Version is now compatible with the whole range of Stormshield Network firewalls, in particular the high-range model SN

Bug fixes

System

If the option Enable log storage had been disabled, it would not have been possible to reactivate it subsequently. This problem was due to a detection error on the partition hosting the logs. This anomaly has been fixed.

Network

VLANs attached to a single interface (VLAN endpoint) could no longer be created or modified from the web administration interface in version 1. Indeed, interfaces could not be selected, thereby preventing the modification of this parameter for an existing VLAN or the validation of the creation of a VLAN through the wizard. This issue has been fixed.

1.1.0 Features

Support for high-range models

Version now provides support for high-range models of Stormshield Network firewalls SN2000 and SN3000.

Global Administration

Deployment

For firewalls on which high availability has been enabled, wizards for object deployment and the filter policy now offer an option that allows synchronizing the members of the cluster at the end of the deployment.

Resolved vulnerabilities

SSL and TLS security flaw

A vulnerability that could cause a Man-in-the-middle (MITM) attack has been patched with the upgrade of the OpenSSL cryptographic library in version 1.0.1h. This protects the user from potential complex attacks during TLS negotiation (CVE ).

Bug fixes

Web administration interface

Dashboard

Support reference
For firewalls with redundant disks, the status of the RAID volume was not correctly displayed in the Hardware window in the Dashboard module ("no RAID available" message). This anomaly has since been fixed, and the properties of each disk belonging to a RAID cluster are displayed (identification of the disk, occupation of RAID volume and status of the disk).

1.0.0 Features

SSL VPN

SSL VPN allows remote users to safely access the company's internal resources: shared networks, databases, applications, intranet, etc. All communications between the remote user and the central site will then be encapsulated and protected through a tunnel encrypted in SSL. This solution therefore guarantees authentication, confidentiality, integrity and non-repudiation.

From the client's point of view, the way the SSL VPN works is similar to how an IPSec VPN client works in XAUTH mode, but has the advantage of a simplified configuration. Furthermore, it uses only TCP port 443, and therefore offers easy access from networks that filter internet access (hotels, public WiFi, 3G connection, etc.).

This operating mode based on OpenVPN open source technology (OpenVPN is licensed under GPL version 2) makes it accessible on any type of terminal (Windows, IOS, Android, etc.) through the SSL VPN client or an OpenVPN client, which has become a necessity in BYOD (Bring Your Own Device) environments.

Network traffic that goes through an SSL VPN tunnel also benefits from advanced firewall features such as authentication, URL filtering and intrusion prevention.

IPv6 support

Support for IPv6, offered in this new version, enables firewalls to be integrated into IPv4 and/or IPv6 infrastructures. Networking features (interfaces and routing), filtering, VPN and Administration are compatible with IPv6. This support is optional and can be enabled in the Configuration module.

The web administration interface can then be accessed whether in IPv6 or IPv4 as the firewall's network interfaces can only have a static IPv6 address or an address as a complement to an IPv4 address (double stack). Moreover, static routes and gateways can now be entered in IPv6.

The SLAAC (StateLess Address AutoConfiguration) mechanism has been implemented on the firewall in order to manage Router Advertisements (RA), which allow the automatic configuration of hosts on the network by distributing the IPv6 prefixes to use. These advertisements also allow communicating DNS parameters (RDNSS support - RFC 6106) and defining the firewall as the default gateway. The firewall's DHCPv6 relay or server service may complement this mechanism in order to obtain, for example, the reservation of addresses in IPv6.

Network objects (hosts, networks and IP address ranges) may be addressed in IPv6, or in a hybrid of versions. Filter policies can therefore be applied to IPv6 objects and can use security inspection (customizable inspection profiles). However, application inspection features (Antivirus, Antispam and URL, SMTP, FTP and SSL filtering) are not available in this version. Likewise, network address translation (NAT) cannot be performed on IPv6 objects.

NOTE
For interfaces addressed in IPv6 and which belong in a bridge, in Advanced properties, the option for routing without an IPv6 protocol scan must be unselected, in order to authorize filtering on traffic.

IPSec tunnels are also compatible with IPv6. Tunnels can therefore be set up between two IPv6 endpoints and allow IPv4 or IPv6 traffic to go through. Conversely, IPv6 traffic can also go through IPv4 IPSec tunnels. Built-in Bird dynamic routing is also compatible with IPv6.

Activity reports

Logs

Activity reports now allow you to monitor and use logs generated by appliances and stored locally. It is now easier to browse them in views by alarms, connection, web logs, etc. Filtering criteria available in advanced search mode allow a detailed analysis of logs.

Activity reports

In the Vulnerabilities category, 3 new "Top 10" reports display vulnerabilities with a Client or Server target, as well as a report on the most vulnerable applications.

Collaborative security

For more collaborative security, based on vulnerability reports generated by Vulnerability Manager, the level of protection on a machine identified as vulnerable can now be raised in just a single click. As such, when critical vulnerabilities are detected, you will now be able to add affected machines to a group created earlier, and to assign a strengthened protection profile or specific filter rules to it (quarantine zones, restricted access, etc.).

Network

Link aggregation NG models

For the purposes of performance and the availability of physical links, the new version introduces the LACP (Link Aggregation Control Protocol) feature. Therefore, the physical ports of several appliances can be grouped together to be considered a single interface with the aim of increasing throughput by load balancing or to be used as a relay in the event of a failure (redundancy). This feature is only available on SN2000, SN3000, SN6000, NG1000 and NG5000 models.

DHCP through IPSec VPN

Local users can now benefit from the automatic configuration of the IP parameters of a remote DHCP server through an IPSec tunnel. To do this, the parameter IP address used to relay DHCP queries in the DHCP relay options must be entered and the IPSec interface in the listening interfaces must be selected.

TCP-MD5 support for BIRD

Support for TCP-MD5 authentication in BIRD dynamic routing allows protecting BGP sessions through the authentication of frames in the TCP header (RFC2385).

Intrusion prevention

FastPath mode

For rules with inspection in firewall mode, traffic has been optimized and throughput multiplied. This enhancement has been applied to IPv4 traffic, without NAT and without scans that open dynamic connections (e.g.: FTP). This mode is recommended if traffic is dedicated to data backups or replication or for access to a main firewall's satellite VPN sites if this firewall already scans traffic.

Multi-context signatures

This version applies a significant enhancement of the intrusion prevention engine. To counter complex attacks, the IPS engine is now able to correlate signatures in different contexts. Anti-evasion protection mechanisms have also been strengthened.

MS-RPC scan

In order to secure Microsoft RPC traffic, based on the DCE/RPC standard, this standard will be fully scanned. A new entry in the Protocol module offers to authorize or reject traffic using this protocol, described in detail by the Microsoft service (Microsoft Exchange, for example). A tooltip will show the UUID (Universal Unique Identifier) of each service when you roll your mouse over its name. A blacklist allows unreferenced services to be blocked by entering their UUIDs.
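Added example (not part of the release note, and not Stormshield code): a sketch of how a UUID blacklist for DCE/RPC can be enforced, by reading the interface UUIDs that a client offers in its bind request and comparing them with a blocklist. The interface UUIDs, the function names and the sample PDU are constructed for the illustration; only little-endian bind PDUs are handled.

```python
import struct
import uuid

# NDR transfer syntax (version 2), the standard DCE/RPC data representation.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
# Constructed interface UUIDs for this demonstration (not real services).
KNOWN_IFACE = uuid.UUID("11111111-2222-3333-4444-555555555555")
UNLISTED_IFACE = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")

PTYPE_BIND = 11
HEADER = struct.Struct("<BBBB4sHHI")   # common connection-oriented header, 16 bytes


class BindParseError(ValueError):
    """Raised when a PDU is not a well-formed little-endian bind."""


def build_bind(interfaces, call_id=1):
    """Build a bind PDU offering (uuid, major, minor) interfaces: sample input."""
    body = struct.pack("<HHI", 4280, 4280, 0)            # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", len(interfaces), 0, 0)   # n_context_elem + reserved
    for ctx_id, (iface, major, minor) in enumerate(interfaces):
        body += struct.pack("<HBB", ctx_id, 1, 0)        # context id, 1 transfer syntax
        body += iface.bytes_le + struct.pack("<HH", major, minor)
        body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    return HEADER.pack(5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                       HEADER.size + len(body), 0, call_id) + body


def parse_bind_interfaces(pdu):
    """Return [(context_id, interface_uuid, (major, minor)), ...] from a bind PDU."""
    if len(pdu) < HEADER.size:
        raise BindParseError("shorter than the common header")
    ver, _minor, ptype, _flags, drep, frag_len, auth_len, _call = HEADER.unpack_from(pdu)
    if ver != 5 or ptype != PTYPE_BIND:
        raise BindParseError("not a DCE/RPC v5 bind PDU")
    if drep[0] >> 4 != 1:
        raise BindParseError("only little-endian data representation is handled")
    end = frag_len - auth_len                            # ignore any auth trailer
    if frag_len > len(pdu) or end < HEADER.size + 12:
        raise BindParseError("fragment length inconsistent with captured data")
    n_ctx = pdu[24]                                      # after 8 bytes of bind fields
    offset, result = 28, []
    for _ in range(n_ctx):
        if offset + 24 > end:
            raise BindParseError("context element truncated")
        ctx_id, n_syn, _ = struct.unpack_from("<HBB", pdu, offset)
        iface = uuid.UUID(bytes_le=bytes(pdu[offset + 4:offset + 20]))
        major, minor = struct.unpack_from("<HH", pdu, offset + 20)
        offset += 24 + 20 * n_syn                        # skip the transfer syntaxes
        if offset > end:
            raise BindParseError("transfer syntax list truncated")
        result.append((ctx_id, iface, (major, minor)))
    return result


def check_bind(pdu, blocked_uuids):
    """Return ("block", matches) if an offered interface is blocklisted, else ("pass", [])."""
    matches = [iface for _, iface, _ in parse_bind_interfaces(pdu)
               if iface in blocked_uuids]
    return ("block", matches) if matches else ("pass", [])


if __name__ == "__main__":
    sample = build_bind([(KNOWN_IFACE, 1, 0), (UNLISTED_IFACE, 3, 0)])
    print(check_bind(sample, {UNLISTED_IFACE}))
```

A bind that offers several interfaces is blocked as soon as one of them is on the list, which is the conservative choice for a blacklist.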

EPMAP scan and NetBios CIFS and NetBios SSN inspections

As the DCE/RPC protocol can be integrated into NetBios CIFS and NetBios SSN protocols, a new option allows you to inspect it. The options for the EPMAP protocol, which is used to relay access to services, allow restricting relays. Dynamic connections can also be opened on EPMAP (portmapper).

MAC addresses

Source MAC addresses are now notified in all connection logs for machines that belong to the same network.

Authorized Google services and accounts

An option enables the restriction of access to services and accounts provided by Google. By entering the domains with which your company is registered with Google Apps, as well as any secondary domains, access to Google services will be restricted to these authorized domains. This option is available via the HTTP protocol module.

Cloud backup

The Cloud backup option is a service range that allows securely performing regular backups of your firewall's configuration. These backups can be stored on a local server, a server hosted by a partner or within the Cloud backup Service infrastructure.

Authentication

Guest method

This mode allows identification without authentication for access to a public WiFi network, for example. By default, this method enables the display of the conditions of use for internet access, which can be customized in the Captive portal tab. When these guest users log in, it will be recorded in the logs with the addition of the source MAC addresses.

HTTP proxy

HTTP protocol

An option makes it possible to allow or deny the use of an IP address as a URL, meaning access to a site via its IP address instead of its domain name. Indeed, using the URL in this way may bypass the URL filter. As this block is applied after the evaluation of the filter rules, an internal server can still be contacted through its IP address, if its access is explicitly authorized in the filter policy.
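Added example (not part of the release note, and not the firewall's implementation): a sketch of the check behind the "IP address as URL" option, deciding whether the host part of a requested URL is an IP literal rather than a domain name, and letting the request through only when the address is explicitly authorized. It goes slightly beyond the text by also normalizing the numeric host forms that URL parsers resolve to IPv4. The function names, the authorized network and the sample URLs are constructed for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One IPv4 component as accepted by inet_aton-style host parsing.
_HEX = re.compile(r"0x[0-9a-f]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def _component(text):
    """Return the integer value of one dotted component, or None if not numeric."""
    text = text.lower()
    if _HEX.fullmatch(text):
        return int(text[2:], 16)
    if _OCT.fullmatch(text):
        return int(text, 8)
    if _DEC.fullmatch(text):
        return int(text)
    return None


def numeric_ipv4(host):
    """Resolve hosts such as '3325256711' or '0xc6.0x33.0x64.7' to an IPv4Address."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_component(part) for part in parts]
    if any(value is None for value in values):
        return None
    *head, last = values
    # Leading components are single bytes; the last one fills the remaining bytes.
    if any(value > 255 for value in head) or last >= 256 ** (4 - len(head)):
        return None
    address = last
    for index, value in enumerate(head):
        address |= value << (8 * (3 - index))
    return ipaddress.IPv4Address(address)


def host_ip(url):
    """Return the IP address used as host in the URL, or None for a domain name."""
    host = urlsplit(url).hostname        # brackets around IPv6 literals are removed
    if not host:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return numeric_ipv4(host)


def evaluate(url, authorized_networks):
    """Model of the option: names pass on to URL filtering, IP literals are
    blocked unless a filter rule explicitly authorizes the address."""
    ip = host_ip(url)
    if ip is None:
        return ("name", None)
    if any(ip in network for network in authorized_networks):
        return ("pass", ip)
    return ("block", ip)


# Constructed sample data: one internal server authorized by address.
AUTHORIZED = [ipaddress.ip_network("10.0.0.5/32")]
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "http://198.51.100.7/a",
    "http://3325256711/a",
    "http://[2001:db8::1]:8080/",
    "http://10.0.0.5/intranet",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, evaluate(sample, AUTHORIZED))
```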
HTTP proxy cache

Thanks to the HTTP proxy cache's storage of resources in memory, web browsing performance can be enhanced in low-bandwidth internet links or for access to a limited number of websites. Users therefore benefit from optimized response times when visiting websites, and bandwidth is saved as well.

NOTE
This feature is available only on models that have a hard disk. It applies to HTTP(S) traffic in the filter policy, as a security inspection option. The tracking of resources stored in memory and the management of the cache can be viewed in Realtime Monitor (dashboard).

Explicit HTTP proxy

To enable a policy on a firewall hosted in the cloud to be similar to a policy on a physical appliance, the listening port on an explicit HTTP proxy can now be configured in the filter policy (destination port). This may therefore be different from the default port (8080/TCP). For more information on how to create a policy in this mode, please refer to the Technical Note Hybrid mode Cloud Firewall - Appliance.

Web administration interface

Filtering and NAT

Single window for editing rules

To facilitate the entry of the various parameters of a NAT or filter rule, a single window opens when you double-click on the rule. This window will then allow you to edit the various parameters offered in each column.

Statistics on the use of rules

In the active policy, each enabled filter and NAT rule displays a use counter. When you roll the mouse over the icon, a tooltip will indicate the exact number of times this rule was executed. The 4 levels of use correspond to the values 0, 0 2, 2 20 and % of the total use of the rule that has been used the most. To obtain a new indicator, a button Reinitialize rule statistics will start a new count.

Comments

Comments relating to new rules indicate the date the rule was created and the user who created it if it was not the admin account.

Dashboard: Properties

An entry now informs you of any new firmware upgrade available. The version number displayed contains a link that allows downloading the upgrade file. To install it, go to the Maintenance module, in the System update tab.

Real Time Monitor

SSL VPN
The VPN tunnels module now differentiates tunnels set up via IPSec VPN and via SSL VPN in two separate tabs. The new tab SSL VPN tunnels logs communications between the remote user and the central site through SSL VPN tunnels. Available information includes the user name, his original IP and VPN IP addresses, duration, amount of data sent and received and the port used.

HTTP proxy cache
The storage of resources in memory may improve web browsing performance for low-bandwidth internet links or for access to a limited number of websites. Resources stored in memory can be tracked and managed in the Dashboard, in the form of 3 diagrams. Two of them indicate the percentage of data stored in memory according to the total number of requests and their total weight, and the third presents memory use.

Collaborative security
In the Events, Hosts and Vulnerability management modules, it is now possible to save in the Network objects database a host displayed in the table and add it to a group. As such, when critical vulnerabilities are detected, you will now be able to assign a strengthened protection profile or specific filter rules to these hosts (quarantine zones, restricted access, etc.).

Diagrams
All the diagrams embedded in the various modules of the interface present a new graph.

Explanations on usage

IPv6 support

In version 1.0, the following are the main features that will not be available for IPv6 traffic:
- IPv6 address translation (NATv6),
- Application inspections (Antivirus, Antispam, HTTP cache, URL filtering, SMTP filtering, FTP filtering, SSL filtering),
- Use of the explicit proxy,
- DNS cache,
- SSL VPN tunnel portal,
- SSL VPN tunnels,
- Authentication via Radius or Kerberos,
- Vulnerability management.

High availability
In the event the firewall is in high availability and IPv6 has been enabled on it, the MAC addresses of interfaces in IPv6 (other than those in the HA link) must be defined in advanced configuration. Indeed, as local IPv6 link addresses are derived from the MAC address, these addresses are different, causing routing issues during a switch.

Migration

Interfaces
When an original configuration does not contain all the expected Ethernet interfaces due to a manual deletion in the network configuration file, these interfaces will be recreated in the target configuration during migration. During this operation, the names of the recreated interfaces will be their original names (e.g.: Ethernet2), but the administration interface would not recognize them as valid. This issue may be resolved by modifying the name of the interface concerned (e.g.: dmz1 instead of Ethernet2).

System
The version 9.2 upgrade of the FreeBSD system contains a vulnerability known for its inability to support the latest version of NTP (CVE ). This vulnerability however cannot be exploited on the firewall as the configuration is secured by default.

Software update
After adopting the UFS (Unix File System) partitioning system from version 1.2.0, the upgrade tool on the administration interface did not allow backtracking to a 1.1.x or older firmware version on a firewall in version To perform this operation, only a restoration of the firewall via USB key is possible. This procedure is described in the Technical Note Software restoration by USB key available in your secure area.

Furthermore, backtracking to a major firmware version older than the current version of the firewall requires a prior reset of the firewall to factory settings (defaultconfig). Therefore for example, this operation is necessary for migrating a firewall from a 1.x version to a 9.1.x version.

Configuration

Support reference
The NTP client on firewalls supports synchronization only with servers using version 4 of the protocol.

Backup restoration
If a configuration has been backed up on a firewall whose system version is lower than the current version, this configuration cannot therefore be restored. For example, a configuration backed up in version cannot be restored if the current version of the firewall is la

Dynamic objects
Network objects with automatic (dynamic) DNS resolution, for which the DNS server offers round-robin load balancing, cause the configuration of modules to be reloaded only if the current address is no longer present in responses.

Watchdog
SN150 models do not have the hardware watchdog feature.

Activity Reports

Reports are generated based on logs saved by the firewall, which are generated when connections are shut down. As a result, connections that remain active (e.g. IPSec tunnel with translation) will not be shown in the statistics displayed by Activity Reports.

Logs generated by the firewall depend on the type of traffic as objects may not be named in the same way (srcname and dstname). To avoid having multiple representations of the same object in reports, you are advised to give the object created in the firewall's database the same name as the one associated via DNS resolution.

Intrusion prevention

HTML analysis
The rewritten html code is not compatible with all web services (apt-get, Active Update) as the Content-Length header has been deleted.
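The High availability note under IPv6 support above can be checked by hand. The following is an added example, not code from Stormshield or the release note: it assumes link-local addresses are formed with modified EUI-64 (RFC 4291), and the interface names, MAC addresses and the `forced_mac` field are constructed for illustration.

```python
import ipaddress


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address built from a MAC with modified EUI-64 (RFC 4291)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


# Constructed sample cluster. "forced_mac" is a hypothetical field standing
# for a MAC address defined identically on both members; None means each
# member keeps its own hardware address on that interface.
CLUSTER = [
    {"name": "out", "active_mac": "00:00:5e:00:53:01",
     "passive_mac": "00:00:5e:00:53:02", "forced_mac": None},
    {"name": "in", "active_mac": "00:00:5e:00:53:11",
     "passive_mac": "00:00:5e:00:53:12", "forced_mac": "02:00:5e:00:53:aa"},
]


def switchover_check(cluster):
    """Return (interface, address before, address after, stable) per interface.

    "before" is the link-local address neighbours learned from the active
    member; "after" is what the former passive member presents once it takes
    over. A neighbour that routes via the "before" address loses its next hop
    when the two differ.
    """
    results = []
    for itf in cluster:
        before = eui64_link_local(itf["forced_mac"] or itf["active_mac"])
        after = eui64_link_local(itf["forced_mac"] or itf["passive_mac"])
        results.append((itf["name"], str(before), str(after), before == after))
    return results


if __name__ == "__main__":
    for name, before, after, stable in switchover_check(CLUSTER):
        state = "kept" if stable else "CHANGES on switchover"
        print(f"{name:4} {before} -> {after}  [{state}]")
```

Interfaces reported as changing are the ones whose MAC address still has to be defined in advanced configuration before IPv6 is used on the cluster.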

Instant messaging
NAT is not supported on instant messaging protocols.

Preserve initial routing
Support reference
The option that allows preserving the initial routing on an interface is not compatible with features for which the ASQ engine has to create packets:
- Reinitialization of connections during the detection of a blocking alarm (sending a RESET packet),
- SYN proxy protection,
- The detection of the protocol by plugins (filter rules without a specified protocol),
- Rewriting of data by certain plugins such as web 2.0, FTP with NAT, SIP with NAT and SMTP.

NAT

Support reference
Status management for the GRE protocol is based on source and destination addresses. Two connections to the same server at the same time, either with the same client or sharing a common source address, therefore cannot be differentiated (when "map" is used).

H323 support
The H323 protocol's support for address translation operations is rudimentary, in particular: it does not support NAT bypass by gatekeepers (announcement of any address other than the connection's source and destination).

Proxies

SSL proxy
Support reference
The SSL (Secure Sockets Layer) protocol, which became Transport Layer Security (TLS) in 2001, is supported in version 3 (1996). Sites that use an older version (which may present security flaws) or that do not support the start of a negotiation in TLS will be blocked.

Internet Explorer in version 7 or 8 does not enable support for the TLS 1.0 protocol by default. For security reasons, you are advised to enable TLS 1.0 support via an Active Directory object that defines host configurations (group policy object or GPO).

FTP proxy
Support reference
If the option Keep original source IP address has been enabled on the FTP proxy, reloading the filter policy causes disruptions to FTP transfers in progress (both uploads and downloads).

Filtering

Outgoing interface
If a filter rule specifies an outgoing interface included in a bridge which is not the first interface of this bridge, it will not be executed.

Multi-user filtering
It is possible to allow multi-user authentication for a network object (several users authenticated on the same IP address) by entering the object in the list of Multi-user Objects (Authentication > Authentication policy).

Filter rules with a user@object source type (except any or unknown@object), and with a protocol other than HTTP, do not apply to this object category. This behavior is inherent in the packet treatment mechanism used by the intrusion prevention engine. The explicit message that warns the administrator of this restriction is: This rule cannot identify users who are logged on to a multi-user object.

URL filtering
Support reference
Filtering by authenticated users cannot be carried out within the same URL filter policy. However, it is possible to apply particular filter rules (application inspection) for each user.

Network

On the SN150 models, configurations containing several VLANs in a bridge are not supported.

IPsec VPN

PKI
The presence of a certificate revocation list (CRL) is not required. If no CRL has been found for the certificate authority (CA), the negotiation will be allowed.

DPD (Dead Peer Detection)
Support reference
The VPN feature known as DPD (Dead Peer Detection) allows checking whether a peer is still operational by sending availability test requests.

If a firewall is the responder in an IPSec negotiation in main mode and has set DPD to inactive, this parameter will be forced to passive in order to keep up with the peer's DPD demands. Indeed, during this IPSec negotiation, DPD is negotiated before identifying the peer, and therefore before knowing whether DPD requests can be ignored for this peer.

This parameter is not modified when the firewall is the initiator of the negotiation or in aggressive mode as in this case DPD is negotiated when the peer has already been identified.

IPv6 keepalive
For site-to-site IPSec tunnels, the additional keepalive option, which allows artificially maintaining these tunnels, cannot be used with traffic endpoints with IPv6 addresses. For traffic endpoints configured in double stack (IPv4 and IPv6 addresses), only IPv4 traffic will have the use of this feature.

Authentication

SSO Agent
The SSO Agent authentication method is based on authentication events collected by Windows domain controllers. As these do not indicate the source of the traffic, the authentication policy cannot be specified with interfaces.

Support reference
The SSO agent does not handle user names containing the following special characters: " <tab> & ~ = * < > ! ( ) \ $ % ? ' <space>. The firewall therefore will not receive notifications of connections and disconnections relating to these users.

CONNECT method
Multi-user authentication on the same host in cookie mode does not support the CONNECT method (HTTP). This method is generally used with an explicit proxy for HTTP connections. For this type of authentication, the use of transparent mode is recommended. For further information, please refer to the online help at documentation.netasq.com, chapter Authentication.

Conditions of use
The Conditions of use for Internet access on the captive portal may not display correctly in Internet Explorer v9 with IE Explorer 7 compatibility mode.

Users
The creation of several users with the same login is allowed, but is not compatible with user authentication. Spaces in user logins are not supported.

Logging off
An authentication session can only be logged off using the same method used during authentication. For example, if a user had authenticated using the SSO agent method, he will not be able to log off through the authentication portal, as the user will need to provide a cookie in order to log off, which does not exist in this case.
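The SSO Agent and Users restrictions above mean that some accounts are never seen as authenticated by the firewall, so user-based rules silently do not match them. The following added example (not part of the release note or of any Stormshield tool) audits a list of logins against the character list given above and flags repeated logins; the sample logins are constructed, and comparing logins without regard to case is an assumption.

```python
from collections import Counter

# Characters the release note lists as not handled by the SSO agent:
# " <tab> & ~ = * < > ! ( ) \ $ % ? ' <space>
UNSUPPORTED = set('"\t&~=*<>!()\\$%?\' ')

# Printable names for the two whitespace characters in reports.
DISPLAY = {"\t": "<tab>", " ": "<space>"}


def audit_logins(logins):
    """Map each problematic login to the list of reasons it was flagged.

    Reasons:
      - "unsupported characters: ..." : the SSO agent will not relay this
        user's connection and disconnection events to the firewall.
      - "duplicate login" : several users share the login, which the note
        says is not compatible with user authentication.
    Duplicates are detected case-insensitively (assumption).
    """
    counts = Counter(login.casefold() for login in logins)
    findings = {}
    for login in logins:
        reasons = []
        bad = sorted({ch for ch in login if ch in UNSUPPORTED})
        if bad:
            shown = " ".join(DISPLAY.get(ch, ch) for ch in bad)
            reasons.append("unsupported characters: " + shown)
        if counts[login.casefold()] > 1:
            reasons.append("duplicate login")
        if reasons:
            findings[login] = reasons
    return findings


# Constructed sample, standing in for a directory export of account names.
SAMPLE_LOGINS = [
    "alice",
    "bob.martin",
    "o'brien",
    "svc backup",
    "dev&ops",
    "Alice",
    "j.doe$",
]

if __name__ == "__main__":
    for login, reasons in audit_logins(SAMPLE_LOGINS).items():
        print(f"{login!r}: {'; '.join(reasons)}")
```

Accounts flagged for unsupported characters need another authentication method or a renamed login before rules that depend on their identity can be relied on.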

High availability

Interaction of H.A. in bridge mode and switches
In an environment with a firewall cluster configured in bridge mode, it has been observed that the traffic switchover took about 10 seconds. This duration is related to the switchover time of 1 second, to which the time taken for switches to relearn MAC addresses will be added.

Routing by policy
The connection router ID is not transferred to the passive firewall. As a result, a session routed by the filter policy may be lost when the cluster switches.

Models
High availability based on a cluster of firewalls in different models is not supported. Furthermore, a cluster with one firewall using 32-bit firmware and the other using 64-bit firmware is not allowed.

Vulnerability manager

Support reference
The application inventory carried out by Vulnerability Manager is based on the IP address of the host that initiates traffic in order to index applications. Hosts that have an IP address shared by several users, for example an HTTP proxy, a TSE server or even a router that performs dynamic NAT on the source, may cause a significant load on the module. You are therefore advised to place the addresses of these hosts in an exclusion list (unsupervised elements).

Real Time Monitor

Support reference
The CLI command MONITOR FLUSH SA ALL was initially intended for disabling IPSec tunnels in progress by deleting their security associations (SA). However, since Bird dynamic routing also uses this type of SA, this command would degrade the Bird configuration and prevent any connections from being set up. This problem also arises with the Reinitialize all tunnels feature offered in the Real Time Monitor interface. To resolve this issue, simply restart the Bird service.


More information

McAfee Gateway Appliance Patch 7.5.3

McAfee  Gateway Appliance Patch 7.5.3 Release Notes McAfee Email Gateway Appliance Patch 7.5.3 Contents About this release Resolved issues Installation - incremental package Installation - full images Known issues Find product documentation

More information

Cisco Small Business RV320/RV325 Gigabit Dual WAN VPN Router

Cisco Small Business RV320/RV325 Gigabit Dual WAN VPN Router ADMINISTRATION GUIDE Cisco Small Business RV320/RV325 Gigabit Dual WAN VPN Router 78-20928-02 Contents Chapter 1: Getting Started 7 Using the Getting Started Window 7 Features of the User Interface 8 Chapter

More information

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ Q-Balancer Range FAQ The Q-Balance LB Series The Q-Balance Balance Series is designed for Small and medium enterprises (SMEs) to provide cost-effective solutions for link resilience and load balancing

More information

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver

LevelOne FBR User s Manual. 1W, 4L 10/100 Mbps ADSL Router. Ver LevelOne FBR-1416 1W, 4L 10/100 Mbps ADSL Router User s Manual Ver 1.00-0510 Table of Contents CHAPTER 1 INTRODUCTION... 1 FBR-1416 Features... 1 Package Contents... 3 Physical Details... 3 CHAPTER 2

More information

User Guide TL-R470T+/TL-R480T REV9.0.2

User Guide TL-R470T+/TL-R480T REV9.0.2 User Guide TL-R470T+/TL-R480T+ 1910012468 REV9.0.2 September 2018 CONTENTS About This Guide Intended Readers... 1 Conventions... 1 More Information... 1 Accessing the Router Overview... 3 Web Interface

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.7 Original Publication: October 20, 2014 These release notes are valid for Version 5.2.0.7 of the Sourcefire 3D System. Even if you are familiar with the

More information

WatchGuard Dimension v2.0 Update 2 Release Notes. Introducing New Dimension Command. Build Number Revision Date 13 August 2015

WatchGuard Dimension v2.0 Update 2 Release Notes. Introducing New Dimension Command. Build Number Revision Date 13 August 2015 WatchGuard Dimension v2.0 Update 2 Release Notes Build Number 483146 Revision Date 13 August 2015 On 13 August 2015, WatchGuard released Dimension v2.0 Update 2. This update resolves an issue that caused

More information

SonicOS Enhanced Release Notes

SonicOS Enhanced Release Notes SonicOS Contents Platform Compatibility... 1 Known Issues... 2 Resolved Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 9 Related Technical Documentation... 12 Platform Compatibility The SonicOS

More information

List of firmware changes (new features and bug fixes) of Weidmüller Router models

List of firmware changes (new features and bug fixes) of Weidmüller Router models List of firmware changes (new features and bug fixes) of Weidmüller Router models List of affected Router variants: Article name Article number IE-SR-2GT-LAN 1345270000 IE-SR-2GT-LAN-FN 1489940000 IE-SR-2GT-UMTS/3G

More information

CONFIGURATION MANUAL. English version

CONFIGURATION MANUAL. English version CONFIGURATION MANUAL English version Frama F-Link Configuration Manual (EN) All rights reserved. Frama Group. The right to make changes in this Installation Guide is reserved. Frama Ltd also reserves the

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.0 Revision B Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 4 New features on page 5

More information

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches

More information

WHG711 Wireless LAN Controller

WHG711 Wireless LAN Controller WHG711 Wireless LAN Controller Wireless INTRODUCTION The WHG711 is an enterprise-grade wireless LAN controller that provides establishments such as hotels, universities, or even complete municipalities

More information

Firepower Threat Defense Cluster for the Firepower 4100/9300

Firepower Threat Defense Cluster for the Firepower 4100/9300 Firepower Threat Defense Cluster for the Firepower 4100/9300 Clustering lets you group multiple Firepower Threat Defense units together as a single logical device. Clustering is only supported for the

More information

Load Balancing Technology White Paper

Load Balancing Technology White Paper Load Balancing Technology White Paper Keywords: Server, gateway, link, load balancing, SLB, LLB Abstract: This document describes the background, implementation, and operating mechanism of the load balancing

More information

Series 5000 ADSL Modem / Router. Firmware Release Notes

Series 5000 ADSL Modem / Router. Firmware Release Notes Series 5000 ADSL Modem / Router Firmware Release Notes Document Number: 0013-001-000201 () Firmware Version: v1.49 Dcoumentation Control Generation Date: April 5, 2012 Cybertec Pty Limited All rights Reserved.

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies C 2001-2006 Kerio Technologies. All Rights Reserved. Printing Date: May 3, 2006 This guide provides detailed description on configuration of the local network

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.1 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 4 New features on page 5

More information

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref ) Appendix 1 1st Tier Firewall The Solution shall be rack-mountable into standard 19-inch (482.6-mm) EIA rack. The firewall shall minimally support the following technologies and features: (a) Stateful inspection;

More information

BIG-IP Local Traffic Management: Basics. Version 12.1

BIG-IP Local Traffic Management: Basics. Version 12.1 BIG-IP Local Traffic Management: Basics Version 12.1 Table of Contents Table of Contents Introduction to Local Traffic Management...7 About local traffic management...7 About the network map...7 Viewing

More information

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide SonicWALL 6.2.0.0 Addendum A Supplement to the SonicWALL Internet Security Appliance User's Guide Contents SonicWALL Addendum 6.2.0.0... 3 New Network Features... 3 NAT with L2TP Client... 3 New Tools

More information

WatchGuard Dimension v1.1 Update 1 Release Notes

WatchGuard Dimension v1.1 Update 1 Release Notes WatchGuard Dimension v1.1 Update 1 Release Notes Build Number 442674 Revision Date March 25, 2014 WatchGuard Dimension is the next-generation cloud-ready visibility solution for our Unified Threat Management

More information

Note: Because of the major firmware structure change, please make sure to press the reset button for more

Note: Because of the major firmware structure change, please make sure to press the reset button for more WMU-9000VPN Firmware Upgrade Guide Note: Because of the major firmware structure change, please make sure to press the reset button for more than 5 seconds before and after the firmware upgrade (before

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies C 2001-2004 Kerio Technologies. All Rights Reserved. Printing Date: April 25, 2004 This guide provides detailed description on configuration of the local network

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision A McAfee Next Generation Firewall 5.7.10 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models The following topics explain how to get started configuring Firepower Threat Defense. Is This Guide for You?, page 1 Logging Into the System, page 2 Setting Up the System, page 6 Configuration Basics,

More information

NCP Secure Enterprise Management for Windows Release Notes

NCP Secure Enterprise Management for Windows Release Notes Service Release: 4.05 r35843 Date: June 2017 Prerequisites Operating System Support The following Microsoft Operating Systems are supported with this release: Windows Server 2016 64 Bit Windows Server

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision B McAfee Next Generation Firewall 5.7.3 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

SonicOS Release Notes

SonicOS Release Notes SonicOS Contents Platform Compatibility... 1 Browser Support... 2 Supported Features by Appliance Model... 2 Licensing Geo-IP and Botnet Filtering... 4 Known Issues... 6 Resolved Issues... 8 Upgrading

More information

Stonesoft Management Center. Release Notes for Version 5.5.1

Stonesoft Management Center. Release Notes for Version 5.5.1 Stonesoft Management Center Release Notes for Version 5.5.1 Updated: December 19, 2013 Table of Contents What s New... 3 Enhancements... 3 Fixes... 3 Other Changes... 5 System Requirements... 6 Basic Management

More information

Systrome Next Gen Firewalls

Systrome Next Gen Firewalls N E T K S Systrome Next Gen Firewalls Systrome s Next Generation Firewalls provides comprehensive security protection from layer 2 to layer 7 for the mobile Internet era. The new next generation security

More information

Cisco Unified Operating System Administration Web Interface

Cisco Unified Operating System Administration Web Interface Cisco Unified Operating System Administration Web Interface ServerGroup, page 1 Hardware, page 2 Network Configuration, page 3 Software Packages, page 4 System, page 5 IP Preferences, page 6 Ethernet Configuration,

More information

AWS Reference Architecture - CloudGen Firewall Auto Scaling Cluster

AWS Reference Architecture - CloudGen Firewall Auto Scaling Cluster AWS Reference Architecture - CloudGen Firewall Auto Scaling Cluster Protecting highly dynamic AWS resources with a static firewall setup is neither efficient nor economical. A CloudGen Firewall Auto Scaling

More information

Cisco Unified Operating System Administration Web Interface for Cisco Emergency Responder

Cisco Unified Operating System Administration Web Interface for Cisco Emergency Responder Cisco Unified Operating System Administration Web Interface for Cisco Emergency Responder These topics describe the Cisco Unified Operating System (OS) Administration web interface for Cisco Emergency

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies Kerio Technologies. All Rights Reserved. Release Date: March 16, 2007 This guide provides detailed description on configuration of the local network which

More information

Series 1000 / G Cellular Modem / Router. Firmware Release Notes

Series 1000 / G Cellular Modem / Router. Firmware Release Notes Series 1000 / 2000 3G Cellular Modem / Router Firmware Release Notes Document Number: 0013-001-000138 () Firmware Version: v1.42 Dcoumentation Control Generation Date: October 29, 2010 Cybertec Pty Limited

More information

Key Features... 2 Known Issues... 3 Resolved Issues... 5 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation...

Key Features... 2 Known Issues... 3 Resolved Issues... 5 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... SonicOS Notes Contents Key Features... 2 Known Issues... 3 Resolved Issues... 5 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... 9 Platform Compatibility The SonicOS

More information

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0 Configuration Guide TL-ER5120/TL-ER6020/TL-ER6120 1910012186 REV3.0.0 June 2017 CONTENTS About This Guide Intended Readers... 1 Conventions... 1 More Information... 1 Viewing Status Information... 2 System

More information

Cisco TelePresence Conductor with Cisco VCS (Policy Service)

Cisco TelePresence Conductor with Cisco VCS (Policy Service) Cisco TelePresence Conductor with Cisco VCS (Policy Service) Deployment Guide TelePresence Conductor XC3.0 Cisco VCS X8.x Revised January 2015 Contents Introduction 5 About the Cisco TelePresence Conductor

More information