StoneGate Management Center Release Notes for Version 5.3.4 Created: December 20, 2011

Table of Contents
- What's New
  - Fixes
  - Other Changes
- System Requirements
  - Basic Management System Hardware Requirements
  - Operating Systems
  - Build Version
  - Compatibility
    - Minimum
    - Native Support
- Installation Instructions
- Upgrade Instructions
- Known Issues

What's New

Fixes

Problems described in the table below have been fixed since StoneGate Management Center version 5.3.3. A workaround solution is presented for earlier versions where available.

User matching may not work with Inspection rules (#76771)
Description: The Management Client generates user data incorrectly for Inspection rules. It uses CN in policy configurations, while in Access rules the "Name" attribute is used. If the CN and "Name" attributes are not exactly the same, Inspection rules that contain users in Source or Destination cells do not match correctly.
Workaround for Previous Versions: none provided.

Checking maintenance contract from dedicated Management Servers may fail (#75349)
Description: When Management and Log Servers are installed on separate servers, the Management Server may fail to contact Stonesoft servers to verify the maintenance contract. Maintenance contract information is not shown in the Licenses view and automatic update checks fail.
Workaround for Previous Versions: Contact Stonesoft Support for a workaround.

Ethernet access rules with source or destination MAC address matches are ignored in IPS policy (#75351)
Description: Ethernet access rules with source or destination MAC address matches are ignored. A policy issue is returned during the policy refresh saying "...source/destination contains an element that uses only IPv6 addresses..." and the rule is ignored.
Workaround for Previous Versions: none provided.

Refresh issues in VPN Editor view (#67430)
Description: When adding gateways in the VPN Editor, they may not appear correctly in the Overall Topology tab, and the related tunnels are not shown in the Tunnels tab either.
Workaround for Previous Versions: Save the configured VPN and close the VPN Editor. The configuration is displayed correctly once you reopen the VPN Editor.

SMC does not set MTU value for VLAN interfaces (#74990)
Description: If a custom MTU value is set in VLAN interface properties, the SMC fails to include the value in the engine configuration. The Firewall uses the default MTU value instead.
Workaround for Previous Versions: If the MTU is set in Physical interface properties, there is no problem.

Alias element is resolved incorrectly in NAT rules if policy is installed on several firewalls (#75479)
Description: Using an Alias element in static source or destination NAT rules generates an improper NAT configuration when the same policy is used on multiple firewalls.
Workaround for Previous Versions: There are two alternative workarounds:
a) Create a separate NAT rule for each firewall, define in the "Used On" cell to which firewall the NAT rule applies, and install the policy at one go on all affected firewalls.
b) Install the policy separately on each firewall.

Logic problem related to action and logging level settings in Inspection Rules panel (#75416)
Description: If you have set an action or logging level for a Situation or Situation Type in the Policy Template's Inspection rules panel, and you have overridden its parent's action or logging level in the main policy, the value that you originally set in the policy template may be reflected automatically to the whole parent branch in the Situation Type hierarchy.
Workaround for Previous Versions: Override the action or logging level again for the same Situation or Situation Type in the main policy (for the branch/node you have already set in the template).

Status surveillance alerts are not shown (#74951)
Description: Status surveillance alerts may not be shown in the Logs view, and alert notifications are thus not triggered correctly.
Workaround for Previous Versions: none provided.

Update package activation fails after activating update package 354 (#65149)
Description: Update package 354 contains overlapping Situation keys, which prevents the activation of newer update packages. For example, the activation of update package 358 fails with the following error message after update package 354 has been activated: "Activation started... Error: Details: Saving element HTTP_SS-Apple-QuickTime-And-iTunes-Heap-Memory-Corruption"
Workaround for Previous Versions: If you have already activated update package 354, first activate update package 355, restart the Management Server, and then activate the latest available update package. If you have not yet activated update package 354, activate the latest available update package.

A deleted authentication method can be selected for an administrator (#75155)
Description: It is possible during a single GUI session to first delete an authentication method and then create a new Administrator with the same authentication method. Doing this corrupts the Administrator element.
Workaround for Previous Versions:
1. Delete the corrupted Administrator element.
2. Create a new Administrator element and use a valid authentication method.

Network elements imported via CSV or txt file import do not contain IP addresses (#75850)
Description: Since SMC 5.2.0, it has been possible to introduce a large number of Hosts, Networks, and Address Ranges into the SMC by importing a CSV or text file. Starting from SMC 5.3.0, Network elements that have been imported from a CSV or text file do not contain IP addresses even though IP address information is specified in the input file. Imported Hosts and Address Ranges contain IP addresses correctly.
Workaround for Previous Versions: Add the IP addresses manually for imported Networks, or create the Network elements manually in the first place.

Management Client may end up downloading Express firewall engine image in a loop (#75202)
Description: When "Notify and Automatically Download Engine Upgrades" is selected in the Management Client, it may end up downloading an Express firewall image in a loop even if the Express firewall image with the same version number (5.3.1_9061_express) already exists. This issue with automatic engine upgrade downloads is caused by a change in the name of the Express firewall image. The new image name is written with a capital "E".
Workaround for Previous Versions:
1. Temporarily unselect "Notify and Automatically Download Engine Upgrades" in the Configure Updates and Upgrades dialog.
2. Delete the "express" image through the Management Client.
3. Delete the SGHOME/data/engineupgrades/sg_engine_5.3.1.9061_express.zip file from the Management Server.
4. Reselect "Notify and Automatically Download Engine Upgrades".
After these steps, the system should download only the correct Express firewall image.

Management Server may generate incorrect Multi-Link VPN configurations with QoS Exceptions (#76050)
Description: The Management Server may generate a configuration containing references to non-existing VPN tunnels. This may happen in a Multi-Link VPN setup when link modes are edited with QoS Exceptions and the same gateway elements are used in several VPN definitions.
Workaround for Previous Versions: Merge the VPN setup into a single full-mesh VPN.

SSL VPN cannot be upgraded through the Management Client in SMC 5.3.2 or 5.3.3 (#75673)
Description: When you try to upgrade an SSL VPN engine through the Management Client, it is impossible to select an engine upgrade version in the Remote Upgrade Task Properties dialog. The list of available engine upgrades is displayed as empty.
Workaround for Previous Versions: Upgrade the SSL VPN through the Web Console on port 10000 with the System -> Remote Upgrade command.

Other Changes

Changes in MSRPC protocol parameter naming
The names of MSRPC protocol parameters have been changed. The parameter names now indicate more accurately the relationship to MS Exchange.

Authentication Server licensing (since SMC 5.3.1)
The Authentication Server is counted as a managed unit in the SMC, but it is not included in the node count in SMC licenses. Authentication Server installation requires an SMC to be up and running. If you already have SMC 5.3.x, you can install the Authentication Server on the same server or on another server without consuming any node count in that SMC. If you do not already have an SMC license, you must purchase an SMC-2L license or higher to be able to use the Authentication Server.

SMC HA - Changes in Database Replication (since SMC 5.3.0)
Synchronization between the primary Management Server and the secondary Management Server(s) in SMC 5.3 is done incrementally in real time. Only the changed parts of the Management Server database are replicated to the secondary Management Server(s).
The Management Server database is no longer synchronized automatically between the Management Servers after upgrade in an SMC high-availability environment. You must synchronize the database between the Management Servers manually after the upgrade, either through the Management Client or with the sgha command line tool.
In SMC versions prior to 5.3 it was possible to use the sgreplicate command line tool to restore a backup taken from one Management Server on another Management Server. The sgreplicate command is now obsolete.

System Requirements

Basic Management System Hardware Requirements
- Intel Core family processor or higher recommended, or equivalent on a non-Intel platform
- A mouse or pointing device (for Management Client only)
- SVGA (1024x768) display or higher (for Management Client only)
- Disk space for Management Server: 6 GB
- Disk space for Log Server: 50 GB
- Memory requirements for 32-bit operating systems:
  - 2 GB RAM for Server (3 GB minimum if all components are installed on the same server)
  - 1 GB RAM for Management Client
- Memory requirements for 64-bit operating systems:
  - 6 GB RAM for Server (8 GB minimum if all components are installed on the same server)
  - 2 GB RAM for Management Client

Operating Systems

StoneGate Management Center supports the following operating systems and versions:
- Microsoft Windows Server 2008 SP2 and R2 (32-bit and 64-bit)*
- Microsoft Windows 7 SP1 (32-bit and 64-bit)*
- Microsoft Windows Vista SP2 (32-bit and 64-bit)*
- Microsoft Windows Server 2003 SP2 (32-bit)*
- CentOS 5 (for 32-bit and 64-bit x86)
- Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)
- SUSE Linux Enterprise 11 SP1 (for 32-bit and 64-bit x86)

*) Only the U.S. English language version has been tested, but other locales may work as well.

Build Version

StoneGate Management Center version 5.3.4 build version is 8337. This release contains StoneGate Dynamic Update package 428.

Compatibility

Minimum

StoneGate Management Center version 5.3 is compatible with the following StoneGate component versions:
- StoneGate Firewall engine version 4.2.0 or higher
- StoneGate IPS engine version 4.2.0 or higher
- StoneGate SSL VPN version 1.2.0 or higher
- Dynamic Update package 320 or later

Native Support

To utilize all the features of StoneGate Management Center version 5.3, the following StoneGate component versions are required:
- StoneGate Firewall engine version 5.3 or higher
- StoneGate IPS engine version 5.2 or higher
- StoneGate SSL VPN version 1.5 or higher

Installation Instructions

Note: The sgadmin user is reserved for StoneGate use on Linux, so it must not exist before the StoneGate Management Center is installed for the first time.

The main installation steps for the StoneGate Management Center and the firewall or IPS engines are as follows:
1. Install the Management Server, the Log Server(s), the optional Authentication Server, and the optional Web Portal Server(s).
2. Import the licenses for all components (you can generate licenses on our website at https://my.stonesoft.com/managelicense.do).
3. Configure the Firewall or IPS elements with the Management Client using the Configuration view.
4. Generate initial configurations for the engines by right-clicking each Firewall or IPS Sensor/Analyzer and selecting Save Initial Configuration from the menu that opens.
5. Make the initial connection from the engines to the Management Server and enter the one-time password provided during Step 4.
6. Create and upload a policy on the engines with the Management Client.

The detailed installation instructions can be found in the product-specific installation guides. For a more thorough explanation of using StoneGate, refer to the Online Help system or the StoneGate Administrator's Guide. For background information on how the system works, consult the StoneGate Management Center Reference Guide. All guides are available for download at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/.

Upgrade Instructions

Note: StoneGate Management Center (Management Server, Log Servers, Authentication Server, and Web Portal Server) must be upgraded before the firewall and IPS engines are upgraded to the same major version.

StoneGate Management Center version 5.3.4 requires an updated license if upgrading from version 5.1 or earlier. Unless the automatic license updates functionality is in use, request a license upgrade on our website at https://my.stonesoft.com/managelicense.do and activate the new license using the StoneGate Management Client before upgrading the software.

To upgrade an earlier version of the StoneGate Management Center to StoneGate Management Center version 5.3.4, we strongly recommend that you stop all the StoneGate services and then take a backup before continuing with the upgrade. After taking the backup, run the appropriate setup file for the operating system. The installation program detects the old version and does the upgrade automatically. Versions earlier than 4.0.0 require an upgrade to a version in the range 4.0.0-5.1.4 before upgrading to version 5.3.

Known Issues

The current known issues of StoneGate version 5.3.4 are described in the table below. For an updated list of known issues, consult our website at http://www.stonesoft.com/support/stonegate/known_issues/.

Rule history does not show creation and modification details (#76692)
Description: The Management Client fails to display rule creation and modification time as well as rule creator and modifier information when a policy is saved. <Unknown> is displayed in the History tab of the Rule's Info panel.
Workaround: none provided.

An existing Authentication Method cannot be selected for the Authentication Server (#75618)
Description: It is not possible to add an already existing Authentication Method to Authentication Server properties. The Selector dialog provides only the option to define a new Authentication Method.
Workaround: Add an Authentication Server in the Authentication Method properties.

New IPsec VPN not monitored (#47868)
Description: Newly created IPsec VPNs appear as unmonitored in the Management Client whenever they use certificates.
Workaround: Restart the Management Server.

User Responses do not work when used in Access rules with Application or URL Category matching (#76703)
Description: User Responses do not work when they are used in Access rules and the rule contains Application or URL Category elements in Source or Destination cells. The SMC fails to generate the correct configuration for the engine.
Workaround: Use User Responses in Inspection rules, or configure matching in Access rules without using Applications or URL Categories.

Password change fails for an internal user belonging to a group with special characters in the group name (#63294)
Description: Changing the password for a user stored in InternalDomain may fail with the following error: "<group> parent group not found in database". This can happen when a user is a member of a group whose group name contains special characters.
Workaround: There are three alternative workarounds:
a) Delete the user and recreate it with a new password.
b) Avoid special characters in group names.
c) Remove the user from the group, change the password, and move the user back to the group.

Users stored in Management Server's internal user database are visible in all administrative Domains (#71510)
Description: There is currently no mechanism for restricting the visibility of internal database users according to administrative Domain. All users that are stored in the Management Server's internal user database are visible in all administrative Domains.
Workaround: Set up an external LDAP server or AD server for each administrative Domain.

Proof-of-serial licenses are not always bound correctly (#49192)
Description: When the appliance makes initial contact with the Management Server, the appliance is not always recognized correctly. As a result, the proof-of-serial code and the name of the appliance do not appear in the Info panel. When this happens, the SMC is not able to automatically retrieve the license for the appliance.
Workaround: Right-click the engine node element and select "Tools > Get DMI Info". If that does not help, try to save the initial configuration for the appliance again.

Connection monitoring may not work correctly with older engine versions (#69925)
Description: The system may fail to show the active connections in the Connection Monitoring view if the Firewall engine version is 5.1.0 or lower.
Workaround: Upgrade the Firewall engine to version 5.2.0 or higher.

System report schedules are deleted when upgrading from SMC 5.1.4 to SMC 5.2.1 or higher (#65027)
Description: If you upgrade from SMC 5.1.4 to 5.2.1 (or higher), you lose all the existing report schedules for the "System Report" in the upgrade. Note that this issue concerns only schedules that relate to the "System Report" Report Design.
Workaround: Reschedule the System Report's report operation after the upgrade.

Policy upload fails because NAT rule contains an invalid definition (#64461)
Description: Customers who are upgrading to SMC 5.2.2 or higher may get, at policy installation, a message about an invalid static source or destination NAT definition that prevents installing the policy. The reason for the issue is that the size of the original address range is different from the size of the translated address range in a static NAT rule. One explanation for this can be that the Broadcast and Network Addresses Included option is selected for one network but not for the other network used in the NAT definition.
Workaround: Make sure that the original and translated address ranges are of the same size in the Network Address Translation dialog.

Dynamic update package activation and policy upload do not work (#50716)
Description: The Management Server database may be corrupted, preventing update activation and policy upload, if dynamic update package 218 has been active at some point in the Management Server history. Usually the symptoms of the problem appear after upgrading to a new version.
Workaround: Contact Stonesoft Support for a workaround.

DHCP REBIND requests are not allowed by default (#29987)
Description: If DHCP clients fail to renew IP addresses from the server that originally allocated the addresses, the clients attempt to broadcast DHCP REBIND messages to the network, requesting that some other DHCP server renew the IP. The DHCP Relay Sub-Policy does not allow these packets by default.
Workaround: Add a stateless rule before the jump to the DHCP Relay Sub-Policy to allow DHCP packets from the DHCP clients to the broadcast address:
Source: [Address range of your DHCP pool]
Destination: DHCP Broadcast Destination
Service: BOOTPC (UDP)
Action: Allow
Options: No connection state tracking

Add from Routing action in the Diagram Editor is slow (#44989)
Description: The Add from Routing action in the Diagram Editor is slow in large environments.
Workaround: none provided.

Not possible to browse more than 1000 users stored in Active Directory (#22881)
Description: When Active Directory is used as an external user database, it is impossible to browse more than 1000 users with the Management Client.
Workaround: Increase the maximum value of the LDAP search result in SGConfiguration.txt. For example: LDAP_SEARCH_MAX_RESULT_CONSTRAINT=5000. See the instructions in the Microsoft MSDN library for how to configure the Active Directory server when a large number of users are queried.

Upgrade of online node in standby cluster never reaches 100% (#49342)
Description: When upgrading an online node in a standby-mode cluster, the Management Server keeps waiting for the node to get back online after the upgrade, even though the normal behavior is that the node stays in standby mode after reboot.
Workaround: Close the upgrade window and ignore the message about waiting for the node to come online.

Listening ports under 1024 are not supported for Web Start and Web Portal Servers in Unix environments (#38834)
Description: Web Start and Web Portal Servers are not able to listen on port numbers under 1024 in Unix environments.
Workaround: none provided.

Dynamic IP Firewall engine does not support manual blacklisting (#16597)
Description: Firewalls with dynamic control IP addresses do not support manual blacklisting.
Workaround: none provided.

Copyright and Disclaimer

2000-2011 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means, without written authorization of Stonesoft Corporation. Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Stonesoft Corporation, Itälahdenkatu 22A, FI-00210 Helsinki, Finland. Tel. +358 9 476 711, Fax +358 9 4767 1349.
Stonesoft Inc., 1050 Crown Pointe Parkway, Suite 900, Atlanta, GA 30338, USA. Tel. +1 770 668 1125, Fax +1 770 668 1131.

Copyright 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.