StoneGate Management Center. Release Notes for Version 5.3.3

StoneGate Management Center Release Notes for Version 5.3.3 Created: October 21, 2011

Table of Contents What s New... 3 Fixes... 3 Other Changes... 4 System Requirements... 5 Basic Management System Hardware Requirements... 5 Operating Systems... 5 Build Version... 5 Compatibility... 5 Minimum... 5 Native Support... 6 Installation Instructions... 6 Upgrade Instructions... 6 Known Issues... 7

What s New Fixes Problems described in the table below have been fixed since StoneGate Management Center version 5.3.2. A workaround solution is presented for earlier versions where available. Synopsis Anti-Virus software file locking may cause SMC HA replication failure and log spooling (#74362) Description Several file locking issues can occur if SMC servers are installed on Windows, and anti-virus software is used on the same machine. If the anti-virus software locks files in the data and tmp folders in the SMC installation directory, the SMC HA replication may stop working, log reception may be delayed because logs are spooled on the engines, and Overview Statistics may fail to work. Workaround for Previous Versions We recommend installing SMC servers on Linux. If you need to install the SMC on Windows Server, disable the antivirus software, or exclude the data and tmp folders in the SMC installation directory from anti-virus scanning. Federation Identity configuration based on ADFS 1.x protocol is broken (#73944) It is not possible to configure Identity Federation using the ADFS 1.x protocol. An unexpected error occurs when you apply the configuration on the Authentication Server. Use the SAML 2.0 protocol instead. Policy uploads can cause usage breaks if link aggregation is used (#74577) Link aggregation interface IDs may change during policy uploads if you have edited the firewall interface configuration after the previous policy upload. This results in a complete rebuild of the links and interfaces during the policy upload. This may cause usage breaks lasting several minutes when uploading policies. None. You can avoid the usage breaks by removing link aggregation from the interfaces until the issue is fixed. Generate password function in Administrator properties does not work correctly (#74064) When you create a new Administrator account, you can automatically generate a temporary password by clicking the Generate Password button. The system should allow the administrator to log in and require the administrator to change the password immediately. However, automatically generated passwords do not work when the administrator logs in to the Management Client. The administrator gets an Authentication failed" error message. Manually enter the password for the Administrator accounts and advise administrators to change their passwords manually after the first login. Automatic policy installation may fail if a VPN referenced in the policy uses certificates (#71928) If you have uploaded an initial configuration to the Stonesoft Installation Server that includes a policy to be automatically installed on the engine after initial contact, the policy installation may fail. When the Access rules contain VPN jump actions and you have used certificate-based authentication in the VPN profile, the system tries to install the policy before the certificate handshake. Use Pre-Shared keys as the authentication method in the VPN profile if you want to use automatic policy installation. If this is not acceptable, upload the policy manually after initial contact has been made. Situation names are not resolved in Reports (#73263) After activating a dynamic update package, Situation names may no longer be displayed in the Statistics and Reports. Instead of Situation names, Situation ID numbers are displayed. Restart the Management and Log Server. 3 StoneGate Management Center Release Notes for Version 5.3.3

Other Changes Change Authentication Server licensing User Authentication related changes Description The Authentication Server is counted as a managed unit in the SMC but it is not included in the node count in SMC licenses. Authentication Server installation requires an SMC to be up and running. If you already have SMC 5.3.x, you can install the Authentication Server on the same server or on another server without consuming any node count in that SMC. If you do not already have an SMC license, you must purchase an SMC-2L license or higher to be able to use the Authentication Server. All User Authentication-related elements have been relocated to the User Authentication Configuration view. Authentication Service elements are now called Authentication Methods. In addition, the Authentication and User columns have been merged in the Firewall IPv4 Access Rules. User and Authentication criteria in existing rules are automatically merged into the Authentication cell. No reconfiguration is needed. Radius Accounting Log data type There is a new log data type for RADIUS Accounting logs. This data type contains RADIUS authenticated sessions from clients collected by Authentication Server. "Authentication" data type has also been renamed "Authentication Server" to describe more specifically the log data sender. Synchronization between the primary Management Server and the secondary Management Server(s) in SMC 5.3 is done incrementally in real time. Only the changed parts of the Management Server database are replicated to the secondary Management Server(s). SMC HA - Changes in Database Replication The Management Server database is no longer synchronized automatically between the Management Servers after upgrade in an SMC high-availability environment. You must synchronize the database between the Management Servers manually after the upgrade either through the Management Client or with the sgha command line tool. In SMC versions prior to 5.3 it was possible to use the sgreplicate command line tool to restore a backup taken from one Management Server on another Management Server. The sgreplicate command is now obsolete. 4 StoneGate Management Center Release Notes for Version 5.3.3

System Requirements Basic Management System Hardware Requirements Intel Core family processor or higher recommended or equivalent on a non-intel platform A mouse or pointing device (for Management Client only) SVGA (1024x768) display or higher (for Management Client only) Disk space for Management Server: 6 GB Disk space for Log Server: 50 GB Memory requirements for 32-bit operating systems: o o 2 GB RAM for Server (3 GB minimum if all components are installed on the same server) 1 GB RAM for Management Client Memory requirements for 64-bit operating systems: o o 6 GB RAM for Server (8 GB minimum if all components are installed on the same server) 2 GB RAM for Management Client Operating Systems StoneGate Management Center supports the following operating systems and versions: Microsoft Windows Server 2008 SP2 and R2 (32-bit and 64-bit)* Microsoft Windows 7 SP1 (32-bit and 64-bit)* Microsoft Windows Vista SP2 (32-bit and 64-bit)* Microsoft Windows Server 2003 SP2 (32-bit)* CentOS 5 (for 32-bit and 64-bit x86) Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86) SUSE Linux Enterprise 11 SP1 (for 32-bit and 64-bit x86) *) Only the U.S. English language version has been tested, but other locales may work as well. Build Version StoneGate Management Center version 5.3.3 build version is 8333. This release contains StoneGate Dynamic Update package 418. Compatibility Minimum StoneGate Management Center version 5.3 is compatible with the following StoneGate component versions: StoneGate Firewall engine version 4.2.0 or higher StoneGate IPS engine version 4.2.0 or higher StoneGate SSL VPN version 1.2.0 or higher Dynamic Update package 320 or later 5 StoneGate Management Center Release Notes for Version 5.3.3

Native Support To utilize all the features of StoneGate Management Center version 5.3, the following StoneGate component versions are required: StoneGate Firewall engine version 5.3 or higher StoneGate IPS engine version 5.2 or higher StoneGate SSL VPN version 1.5 or higher Installation Instructions Note The sgadmin user is reserved for StoneGate use on Linux, so it must not exist before the StoneGate Management Center is installed for the first time. The main installation steps for the StoneGate Management Center and the firewall or IPS engines are as follows: 1. Install the Management Server, the Log Server(s), the optional Authentication Server, and the optional Web Portal Server(s). 2. Import the licenses for all components (you can generate licenses on our website at https://my.stonesoft.com/managelicense.do). 3. Configure the Firewall or IPS elements with the Management Client using the Configuration view. 4. Generate initial configurations for the engines by right-clicking each Firewall or IPS Sensor/Analyzer and selecting Save Initial Configuration from the menu that opens. 5. Make the initial connection from the engines to the Management Server and enter the one-time password provided during Step 4. 6. Create and upload a policy on the engines with the Management Client. The detailed installation instructions can be found in the product-specific installation guides. For a more thorough explanation on using StoneGate, refer to the Online Help system or the StoneGate Administrator s Guide. For background information on how the system works, consult the StoneGate Management Center Reference Guide. All guides are available for download at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/. Upgrade Instructions Note StoneGate Management Center (Management Server, Log Servers, Authentication Server, and Web Portal Server) must be upgraded before the firewall and IPS engines are upgraded to the same major version. StoneGate Management Center version 5.3.3 requires an updated license if upgrading from version 5.1 or earlier. Unless the automatic license updates functionality is in use, request a license upgrade on our website at https://my.stonesoft.com/managelicense.do and activate the new license using the StoneGate Management Client before upgrading the software. To upgrade an earlier version of the StoneGate Management Center to StoneGate Management Center version 5.3.3, we strongly recommend that you stop all the StoneGate services and then take a backup before continuing with the upgrade. After taking the backup, run the appropriate setup file depending on the operating system. The installation program detects the old version and does the upgrade automatically. Versions earlier than 4.0.0 require upgrade to version 4.0.0 5.1.4 before upgrading to version 5.3. 6 StoneGate Management Center Release Notes for Version 5.3.3

Known Issues The current known issues of StoneGate version 5.3.3 are described in the table below. For an updated list of known issues, consult our website at http://www.stonesoft.com/support/stonegate/known_issues/. Synopsis Description Workaround SMC does not set MTU value for VLAN interfaces (#74990) If a custom MTU value is set in VLAN interface properties, the SMC fails to include the value in the engine configuration. The Firewall uses the default MTU value instead. If the MTU is set in Physical interface properties, there is no problem. Match problem with both Zone and IP-address-based elements in both Source and Destination cells in Access Rules (#74049) Users stored in Management Server's internal user database are visible in all administrative Domains (#71510) Proof-of-serial licenses are not always bound correctly (#49192) If an Access rule contains both Zone and IPaddress-based elements (Hosts, Networks, Address Ranges etc.) in both the Source and Destination cells, the system fails to create some Src-Dst match combinations. For example, if you have HostA and ZoneA in the Source cell and HostB and ZoneB in the Destination cell, the system only generates a rule that matches the following Src-Dst match combinations: (from HostA to HostB) OR (from ZoneA to ZoneB). The following Src-Dst match combinations are missing: (From HostA to ZoneB), (from ZoneA to HostB). There is currently no mechanism for restricting the visibility of internal database users according to administrative Domain. All users that are stored in the Management Server's internal user database are visible in all administrative Domains. When the appliance makes initial contact with the Management Server, the appliance is not always recognized correctly. As a result, the proof-ofserial code and the name of the appliance do not appear in the Info panel. When this happens, the SMC is not able to automatically retrieve the license for the appliance. Use separate rules for Zones and IPaddress-based elements. Note that this issue occurs only if there are multiple types of elements in both the Source and Destination cells. Set up an external LDAP server or AD server for each administrative Domain. Right-click the engine node element, and select "Tools > Get DMI Info". If that does not help, try to save the initial configuration for the appliance again. Connection monitoring may not work correctly with older engine versions (#69925) The system may fail to show the active connections in the Connection Monitoring view if the Firewall engine version is 5.1.0 or lower. Upgrade the Firewall engine to version 5.2.0 or higher. Dynamic update activation fails after activating update 354 (#65149) System report schedules are deleted when upgrading from SMC 5.1.4 to SMC 5.2.1 or higher (#65027) Update packet 354 contains overlapping situation keys, which prevent newer update activation. For example, activating update 358 activation after update 354 fails with the following error message: "Activation started... Error: Details: Saving element HTTP_SS-Apple- QuickTime-And-iTunes-Heap-Memory-Corruption" If you upgrade from SMC 5.1.4 to 5.2.1 (or higher) you lose all the existing report schedules for the "System Report" in the upgrade. You must reschedule the System Report's report operation after the upgrade. Note that this issue concerns only schedules that relate to the "System Report" Report Design. If you have activated update package 354 already, first activate update 355, then activate the latest dynamic update available. If you have not yet activated update package 354, activate the latest dynamic update available. 7 StoneGate Management Center Release Notes for Version 5.3.3

Policy upload fails because NAT rule contains an invalid definition (#64461) If you upgrade to SMC 5.2.2 or higher, you may see a message about an invalid static source or destination NAT definition that prevents installing the policy during policy installation. The issue occurs when the size of the original address range is different than the size of the translated address range in a static NAT rule. This can be caused by the Broadcast and Network Addresses Included option being selected for one network but not for the other network used in the NAT definition. Make sure that the original and translated address ranges are of the same size in the Network Address Translation dialog. Dynamic update package activation and policy upload do not work. (#50716) DHCP REBIND requests are not allowed by default. (#29987) Add from Routing action in the Diagram Editor is slow. (#44989) The Management Server database may be corrupted, preventing update activation and policy upload if dynamic update package 218 has been active at some point in the Management Server history. Usually the symptoms of the problem appear after upgrading to a new version. If DHCP clients fail to renew IP addresses from the server that originally allocated the addresses, the clients attempt to broadcast DHCP REBIND messages to the network, requesting that some other DHCP server renew the IP. The DHCP Relay Sub-Policy does not allow these packets by default. The Add from Routing action in the Diagram Editor is slow in large environments. Contact Stonesoft Support for a workaround. Add a stateless rule before the jump to the DHCP Relay Sub-Policy to allow DHCP packets from the DHCP clients to the broadcast address: Source: [Address range of your DHCP pool] Destination: DHCP Broadcast Destination Service: BOOTPC (UDP) Action: Allow Options: No connection state tracking Not possible to browse more than 1000 users stored in Active Directory. (#22881) Upgrade of online node in standby cluster never reaches 100%. (#49342) Listening ports under 1024 are not supported for Web Start and Web Portal Servers in Unix environments (#38834) Dynamic IP Firewall engine does not support manual blacklisting. (#16597) When Active Directory is used as an external user database, it is impossible to browse more than 1000 users with the Management Client. When upgrading an online node in a standbymode cluster, the Management Server keeps waiting for the node to get back online after upgrade, even though the normal behavior is that the node stays in standby mode after reboot. Web Start and Web Portal Servers are not able to listen to port numbers under 1024 in Unix environments. Firewalls with dynamic control IP addresses do not support manual blacklisting. Increase the maximum value of LDAP search result in SGConfiguration.txt. For example: LDAP_SEARCH_MAX_RESULT_CONS TRAINT=5000 See the instructions at Microsoft MSDN library for how to handle the configuration of the Active Directory server when a large number of users are queried. Close the upgrade window and ignore the message about waiting for the node to come online. 8 StoneGate Management Center Release Notes for Version 5.3.3

Copyright and Disclaimer 2000 2011 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation. Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES. Trademarks and Patents Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the StoneGate clustering technology-as well as other technologies included in StoneGateare protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners. Stonesoft Corporation Itälahdenkatu 22A FI-00210 Helsinki Finland Tel. +358 9 476 711 Fax +358 9 4767 1349 Stonesoft Inc. 1050 Crown Pointe Parkway Suite 900 Atlanta, GA 30338 USA Tel. +1 770 668 1125 Fax +1 770 668 1131 Copyright 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.