Stonesoft Management Center. Release Notes for Version 5.6.1

Stonesoft Management Center Release Notes for Version 5.6.1 Updated: January 9, 2014

Table of Contents What s New... 3 Fixes... 3 System Requirements... 6 Basic Management System Hardware Requirements... 6 Operating Systems... 6 Build Version... 7 Compatibility... 7 Minimum... 7 Native Support... 7 Installation Instructions... 8 Upgrade Instructions... 8 Known Issues... 9

What s New Fixes The problems described in the table below have been fixed since Stonesoft Management Center version 5.6.0. A workaround solution is presented for earlier versions where available. Synopsis Description Workaround for Previous Versions Management Server connectivity information may display Unknown: 3 as peer in HA environment (#87659) Remote upgrade to Security Engine version 5.4 or higher fails when upgrade is started from Engine Upgrades > Firewall (#91528) License error after moving Firewall between Domains (#98628) IPS Report Sections empty after upgrading SMC and IPS engines to version 5.4 (#98820) In an environment with multiple Management Servers, the Connectivity tab in the Info panel of the Management Server Status View may display Unknown: 3 as a peer. Even if the peer is not resolved, the connection status should appear green, as does the connection status of the Log Server. When a remote upgrade to Security Engine version 5.4 or higher is started from the Other Elements > Engine Upgrades > Firewall branch of the Administration Configuration view, the upgrade fails. When a Firewall is moved from one Domain to another, policy installation in the new Domain will fail due to a license error. The Firewall license is moved to the same Domain as the Firewall element, but the license does not appear as bound to Firewall element in the Licenses view. Some IPS statistics items do not show data after upgrading the SMC and IPS engines to version 5.4. The following statistics items do not show data for engines in the IPS or Layer 2 Firewall role: - Lost traffic, IPS FW IF (Bits) - Received traffic, IPS FW IF (Bits) - Allowed inspected TCP connections, IPS FW IF (Connections) - Allowed inspected UDP connections, IPS FW IF (Connections) - Allowed uninspected TCP connections, IPS FW IF (Connections) - Allowed uninspected UDP connections, IPS FW IF (Connections) - Discarded TCP connections, IPS FW IF (Connections) - Discarded UDP connections, IPS FW IF (Connections) The following statistics items are obsolete for engines in the IPS or Layer 2 Firewall role in versions 5.4 and higher: - Received traffic by source IP address, IPS FW IF (Bits) - Received traffic by destination IP address, IPS FW IF (Bits) - Received traffic by logical interface (Bits) - Received traffic by destination TCP port (Bits) - Received traffic by destination UDP port (Bits) Start the upgrade from the Other Elements > Engine Upgrades > Security Engine branch of the Administration Configuration view. Restart the Management Server service. 3 Stonesoft Management Center Release Notes for Version 5.6.1

Synopsis Description Workaround for Previous Versions Creating a new Firewall may fail or the routing for it may not be correct (#98855) If a network element has both IPv4 and IPv6 networks defined, this may prevent configuring a new Firewall with an Interface that has an address from that network. Saving the Firewall properties may fail with the following error: "Network element X is already referenced in the routing view". Alternatively, the Routing view may show a deleted route. If possible, use the network elements that are automatically created when an Interface is created. Management Server backup size continues to increase (#99711) The Management Server backup size continues to increase due to Snapshots not being deleted according to configuration. You can use the MAX_NB_SNAPSHOTS parameter in the <SGHOME>/data/SGConfiguration.txt file to specify the maximum number of stored Snapshots. However, Snapshots that exceed the set limit are not deleted. Contact Stonesoft Support for a workaround. Acknowledging active alerts does not always work (#99781) When administrator password enforcement is enabled, reauthentication is not possible with external authentication (#99912) Logging Profiles with more than 15 rows of logging patterns do not work correctly (#99999) In the Active Alerts view, acknowledging alerts by pressing the space bar or selecting the Acknowledge option in the alert's right-click menu may not work. As a result, the alert remains visible in the Active Alerts view. Administrators who use external RADIUS authentication cannot re-authenticate when password enforcement is enabled. After idle time, the administrator is logged out of the Management Client and asked to re-enter the password. Login works only for local administrators. Editing and saving a Logging Profile element that contains more than 15 rows of logging patterns in the same section causes the order of the rows to become mixed. As a result, the matching of received third-party logs against the patterns may not work correctly. Wait some time and acknowledge the active alert again. Open a new Management Client connection and log in with the password. Same rule tag may appear in both Inspection and Exception rules after restoring backup (#100091) Rule tags should be unique identifiers for each rule. After restoring a backup, the same rule tag may appear in both Inspection and Exception rules. Copy the Exception rule and paste the Exception rule before or after the rule that has the same rule tag. Management Server does not use valid FQDN name when forwarding Reports to SMTP server (#100148) Forwarding Reports to an SMTP server may fail if the SMTP server does not accept the Helo command due to the fully qualified domain name (FQDN) that the Management Server uses. Virtual engine conversion may fail if there is an existing DHCP configuration (#100235) Virtual engine conversion fails if DHCP options have been enabled for more than one interface. This includes, for example, setups where a DHCP server is configured on an Aggregated Link Interface or DHCP relay is configured for several VLANs of a single interface. 4 Stonesoft Management Center Release Notes for Version 5.6.1

Synopsis Description Workaround for Previous Versions Opening Active Alerts view may result in licenses appearing unassigned (#100283) Opening the Active Alerts view consumes more system resources than is required. As a result, licenses may be shown as unassigned in the Licenses view. Restart the Management Server and use the "Get DMI Info" command to rebind the licenses if needed. To prevent the problem from re-occurring, view alerts in the Logs view instead of the Active Alerts view. To do this, select Alert in the Query panel of the Logs view. Multi-Link NAT may fail if a range of IP addresses is used and an IP address overlaps with the CVI IP address (#100346) In a Multi-Link setup, outbound connections using NAT may fail if a range of IP addresses is used and an IP address overlaps with the CVI IP address. This does not occur when NAT on a NetLink is done with a single IP address, whether it is a CVI address or not. In the properties of the Multi-Link element, change the Selected Range for the NetLink element either to a single IP address or an IP address range that does not overlap with the CVI IP address. Another option is to add a manual proxy ARP entry for non-cvi NAT pool addresses. Missing reports for Web Portal Users after Web Portal Server restart when there are a large number of reports (#100355) Web Portal Users may be unable to view some Reports that should be available to them after the Web Portal Server is restarted. This may happen when a large number of Reports has been defined. Administrators with unrestricted permissions can correctly view the Reports in the Web Portal. After a Web Portal Server restart, log in to the Web Portal as a Web Portal User that has permissions to view all of the Reports. You may need to create a new Web Portal User with these permissions. View a list of all Reports. It may take a long time to load the complete list. After this, the list of all reports is stored in the Web Portal Server cache and other Web Portal Users can access the Reports without delays. Sites tab in Security Gateway Properties may fail to display Sites with very large VPN configurations (#100903) In large VPN configurations that contain hundreds of Security Gateway elements, the Sites tab in the Security Gateway Properties dialog may fail to display the configured Sites. The same Sites are correctly displayed when expanding the Security Gateways list in the VPN configuration. This is only a display issue. The issue does not affect the functionality of the VPN. Active alert details may open slowly (#100927) When you try to open alert details in the Active Alerts view by double-clicking an alert, the details may open slowly. The following error may also be displayed: "Connecting to server". Instead of double-clicking the alert, select the alert and click the Details button in the toolbar. Route-Based VPN configuration issue when using different encryption modes (#101782) Route-Based VPN configuration is generated incorrectly for the engine when different encryption options have been selected for different VPN tunnels in a Route-Based VPN configuration. The result is that the same encryption option is used for all tunnels. Use the same encryption option for all Route- Based VPN tunnels. Generating certificate for User Agent fails (#101833) Generating a certificate for a User Agent fails. The following error message is displayed: "Error during certificate generation". 5 Stonesoft Management Center Release Notes for Version 5.6.1

Synopsis Description Workaround for Previous Versions Management Server may report node count exceeding limit by a fraction of a unit (#100987) The Management Server may report the node count exceeding the limit by a fraction of a unit. For example, a message similar to the following may be displayed: "The current Management Server license allows 2.0 engine licensing units, but the current number of engines in the system requires 2.0000002 engine licensing units". This issue is most likely to occur with an SMC-2 license used to manage more than 2 elements. Generate an evaluation license for the Management Server for temporary use if all managed elements use a POS-bound license. Otherwise, contact Stonesoft Support. System Requirements Basic Management System Hardware Requirements Intel Core family processor or higher recommended, or equivalent on a non-intel platform A mouse or pointing device (for Management Client only) SVGA (1024x768) display or higher (for Management Client only) Disk space for Management Server: 6 GB Disk space for Log Server: 50 GB Memory requirements for 32-bit operating systems: o 2 GB RAM for Server (3 GB minimum if all components are installed on the same server) o 1 GB RAM for Management Client Memory requirements for 64-bit operating systems: o 6 GB RAM for Server (8 GB minimum if all components are installed on the same server) o 2 GB RAM for Management Client Operating Systems Stonesoft Management System supports the following operating systems and versions: Microsoft Windows Server 2008 SP2 and R2 (32-bit and 64-bit)* Microsoft Windows 7 SP1 (32-bit and 64-bit)* Microsoft Windows Vista SP2 (32-bit and 64-bit)* Microsoft Windows Server 2003 SP2 (32-bit)* CentOS 6 (for 32-bit and 64-bit x86)** Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)** SUSE Linux Enterprise 11 SP1 (for 32-bit and 64-bit x86)** Ubuntu 12.04 LTS (for 64-bit x86)** *) Only the U.S. English language version has been tested, but other locales may work as well. **) 32-bit compatibility libraries lib and libz are needed on all Linux platforms. 6 Stonesoft Management Center Release Notes for Version 5.6.1

Build Version Stonesoft Management Center version 5.6.1 build version is 8613. This release contains Stonesoft Dynamic Update package 558. Compatibility Minimum Stonesoft Management Center version 5.6 is compatible with the following Stonesoft component versions: Stonesoft Firewall engine version 5.1.0 or higher Stonesoft IPS engine version 5.2.100 or higher Stonesoft SSL VPN version 1.5.0 or higher Native Support To utilize all the features of Stonesoft Management Center version 5.6, the following Stonesoft component versions are required: Stonesoft Security Engine version 5.6 or higher Stonesoft Firewall engine version 5.6 or higher Stonesoft IPS engine version 5.6 or higher Stonesoft SSL VPN version 1.5 or higher 7 Stonesoft Management Center Release Notes for Version 5.6.1

Installation Instructions Note The sgadmin user is reserved for Stonesoft use on Linux, so it must not exist before the Stonesoft Management Center is installed for the first time. The main installation steps for the Stonesoft Management Center and the Firewall, IPS, or Layer 2 Firewall engines are as follows: 1. Install the Management Server, the Log Server(s), and optionally the Web Portal Server(s) and the Authentication Server(s). 2. Import the licenses for all components (you can generate licenses on our web site at https://my.stonesoft.com/managelicense.do). 3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the Security Engine Configuration view. 4. Generate initial configurations for the engines by right-clicking each Firewall, IPS, or Layer 2 Firewall element and selecting Save Initial Configuration. 5. Make the initial connection from the engines to the Management Server and enter the one-time password provided during Step 4. 6. Create and upload a policy on the engines using the Management Client. The detailed installation instructions can be found in the product-specific installation guides. For a more thorough explanation of using the Stonesoft Management Center, refer to the Management Client Online Help or the Stonesoft Administrator s Guide. For background information on how the system works, consult the Stonesoft Management Center Reference Guide. All guides are available for download at https://www.stonesoft.com/en/customer_care/documentation/current/. Upgrade Instructions Note Stonesoft Management Center (Management Server, Log Server, Web Portal Server, and Authentication Server) must be upgraded before the engines are upgraded to the same major version. Stonesoft Management Center version 5.6.1 requires an updated license if upgrading from version 5.5 or earlier. Unless the automatic license updates functionality is in use, request a license upgrade on our website at https://my.stonesoft.com/managelicense.do and activate the new license using the Stonesoft Management Client before upgrading the software. To upgrade an earlier version of the Stonesoft Management Center to Stonesoft Management Center version 5.6.1, we strongly recommend that you stop all the Stonesoft services and take a backup before continuing with the upgrade. After taking the backup, run the appropriate setup file depending on the operating system. The installation program detects the old version and does the upgrade automatically. Versions lower than 4.0.0 require upgrade to version 4.0.0 5.1.4 before upgrading to version 5.6. 8 Stonesoft Management Center Release Notes for Version 5.6.1

Known Issues The current known issues of Stonesoft Management Center version 5.6.1 are described in the table below. For an updated list of known issues, consult our website at http://www.stonesoft.com/en/customer_care/kb/. Synopsis Description Workaround Audit forwarding not migrated when upgrading to SMC 5.5 or higher (#100067) Log Server does not behave according to Exception rule settings for Correlation Situations (#99344) If you configure the forwarding of audit data from the Management Server to the syslog server in the SGConfiguration.txt file, the configuration is not migrated when upgrading to SMC 5.5 or higher. Either the upgrade is considered failed or audit forwarding is not set up in the Management Server properties. The Log Server does not handle Correlation Situations according to the policy if the protocol is specified in an Exception rule. This may result in unnecessary log entries being generated or normal logs being generated instead of specific alerts. Correlation is done on the engine and/or on the Log Server. Depending on how the Correlation Situation is configured, you can specify where correlation is done. Before upgrading to SMC 5.5 or higher, remove the parameter "SYSLOG_EXPORT_AUDIT=YES" from the SGConfiguration.txt file. After the upgrade, configure the forwarding of audit data to syslog in the properties of the Management Server. Set the Protocol cell to ANY in an Inspection Exception rule that includes a Correlation Situation. Situations and Actions are not displayed as text in Web Portal (#98213) The Logs View in the Web Portal displays Situations and Actions as numbers, not text. Use the Logs view in the Management Client to view or export logs. Top Rate charts in Overviews may show incorrect percentages (#98420) Top Rate charts in Overviews may show incorrect percentages. The results in Overview charts are arranged by percentage, so the results may be arranged incorrectly. Browsing logs from granted elements may fail for administrators with restricted permissions (#89876) 256-bit security strength for management connections is not compatible with SSL VPN (#93100) In rare cases, browsing the logs from granted elements may fail for administrators with restricted permissions. The Logs view is empty and the error message "Failed to create the query" is displayed in the Query panel. The SSL VPN is not compatible with Management Servers that use 256-bit security strength for management connections (introduced in version 5.5.0). The SSL VPN cannot contact the Management Server when 256-bit security strength for management connections is enabled. Monitoring, logging, and statistics related to the SSL VPN do not work. Restart or log in again to the Management Client to resolve the issue. If it does not help, restart the Management Server. Do not enable 256-bit security strength for management connections if you want to monitor the SSL VPN through the SMC. Access rules containing non- HTTP-based applications do not work with 5.3 Firewalls (#81846) Dynamic update packages 450 and later include non-http-based Applications that can be placed in Access rules. If you try to upload a policy containing this type of rule to an engine that is version 5.3 or lower, the rule is ignored because support for non-http-based Application identification is introduced only in engine version 5.4. Do not use non-http-based Applications if your target engines are not yet upgraded to version 5.4. 9 Stonesoft Management Center Release Notes for Version 5.6.1

Synopsis Description Workaround Connection monitoring may not work correctly with older engine versions (#69925) The system may fail to show the active connections in the Connection Monitoring view if the Firewall engine version is 5.1.0 or lower. Upgrade the Firewall engine to version 5.2.0 or higher. System Report schedules are deleted when upgrading from SMC 5.1.4 to 5.2.1 or higher (#65027) If you upgrade from SMC 5.1.4 to 5.2.1 (or higher) you lose all the existing Report schedules for the System Report in the upgrade. You must reschedule the System Report s report operation after the upgrade. This issue concerns only schedules that relate to the System Report Report Design. Policy upload fails because NAT rule contains an invalid definition (#64461) Customers upgrading to SMC 5.2.2 or higher may get a message at policy installation about an invalid static source or destination NAT definition that prevents installing the policy. The reason for the issue is that the size of the original address range is different than the size of the translated address range in a static NAT rule. One explanation for this can be that the Broadcast and Network Addresses Included option is selected for one network but not for the other network used in the NAT definition. Make sure that the original and translated address ranges are of the same size in the Network Address Translation dialog. DHCP REBIND requests are not allowed by default (#29987) Listening ports under 1024 are not supported for Web Start and Web Portal Servers in Unix environments (#38834) If DHCP clients fail to renew IP addresses from the server that originally allocated the addresses, the clients attempt to broadcast DHCP REBIND messages to the network, requesting that some other DHCP server renew the IP address. The DHCP Relay Sub-Policy does not allow these packets by default. Web Start and Web Portal Servers are not able to listen to port numbers under 1024 in Unix environments. Add a stateless rule before the jump to the DHCP Relay Sub-Policy to allow DHCP packets from the DHCP clients to the broadcast address: Source: [Address range of your DHCP pool] Destination: DHCP Broadcast Destination Service: BOOTPS (UDP) Action: Allow Options: No connection state tracking Firewall engines with dynamic control IP address do not support manual blacklisting (#16597) Firewall engines that have a dynamic control IP address do not support manual blacklisting. 10 Stonesoft Management Center Release Notes for Version 5.6.1

Copyright and Disclaimer 2000 2014 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation. Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES. Trademarks and Patents Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the Stonesoft clustering technology-as well as other technologies included in Stonesoft-are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners. Stonesoft Corporation Itälahdenkatu 22A FI-00210 Helsinki Finland Tel. +358 9 476 711 Fax +358 9 4767 1349 Stonesoft Inc. 1050 Crown Pointe Parkway Suite 900 Atlanta, GA 30338 USA Tel. +1 770 668 1125 Fax +1 770 668 1131 Copyright 2014 Stonesoft Corporation. All rights reserved. All specifications are subject to change.