StoneGate Management Center Release Notes for Version 4.2.1 Created: July 24, 2008
Table of Contents What s New... 3 System Requirements... 4 Build Version... 5 Compatibility... 5 Installation Instructions... 5 Upgrade Instructions... 6 Known Issues... 6
What s New Enhancements Enhancements that have been made since StoneGate Management Center v4.2.0 are described in the table below. Enhancement Support for FW-100 version 7.5 (revision 4) software. (#36250) Description SMC supports the management of FW-100 SOHO (Small Office/Home Office) firewalls appliances using version 7.5 (revision 4) or later software. Fixes Problems described in the table below have been fixed since StoneGate Management Center v4.2.0. A workaround solution is presented for earlier versions where available. Synopsis Description Workaround for previous versions Alert forwarding using SMTP may not work with all mail servers. (#22884) Reference search may find rules that do not exist. (#32700) Unexpected error when trying to contact the Management Server. (#32823) Some fields not resolved in sgtextbrowser. (#33944) Control interface is not stored in initial configuration. (#34931) Management Server may freeze in multi-processor environment. (#35663) Using connection monitoring may disturb status monitoring. (#36186) TCP reset interface cannot be created without defining an IP address. (#36292) Since the Alert server may close a connection to the server in a nonstandard way, the mail server may not process the sent information at all. The Element Reference search may find references to rules that no longer exist in the policy. In an environment where there is more than one Management Server for High Availability, using startup bookmarks may prevent the Management Client from starting. Not all the log fields that are resolved against management database content are resolved when using text based log browser. The Management Server does not store information about the interface ID for the control interface in the initial configuration. Because of this, the engine uses NIC ID 0 for the control interface after importing the configuration, unless the setting is changed manually from the console. In some rare situations, the Management Server may freeze when Windows and multi-processor environments are used. Node status monitoring may start to work improperly after the use of connection monitoring when the protocol of the connection is something other than "TCP, UDP, ICMP, AH, ESP". Management Client version 4.2.0 does not allow defining an interface that is used for TCP reset sending only (an interface with no IP address). Such a configuration is valid in some IDS deployments where TCP Reset packets are sent from "stealth" interface(s) which do not have an IP address. Create an empty file: ${user.home}/.stonegate/smc.session The system attempts to recover a locally saved startup session, which fails, and the system falls back to the default view. Open the Task Manager and set the following processes' affinity to CPU 0 only (No need to restart the server): java.exe (2 processes) postgres.exe (several processes) postmaster.exe (1 process) Define an IP address for the TCP reset interface. 3 StoneGate Management Center Release Notes for version 4.2.1
Synopsis Description Workaround for previous versions IPS Sensor's capture VLAN interface configuration does not work properly. (#36514) Policy installation fails after upgrade if MAC address has been filled for VLANs. (#36707) Policy installation may fail on a cluster after upgrade. (#36860) Due to a problem in IPS sensor element configuration, it is not possible to create more than one Capture VLAN interface per physical interface in SMC version 4.2.0. In addition, migration from earlier SMC versions with Capture VLAN configuration fails to generate a working configuration. After SMC upgrade to version 4.2.0, a firewall engine policy installation fails with the error "FATAL: syntax error in network configuration: invalid mac address" if the VLAN configuration contained a MAC-address before the upgrade. If the first node of the cluster has been deleted at some point and DHCP relay has been enabled, the policy installation and import of the firewall cluster fails. After the upgrade, export the firewall element and then re-import it. Changes Introduced in the Previous Major version This section lists major changes that were introduced in SMC 4.2.0 that may affect you if you are upgrading from a version prior to 4.2.0. This is not a full listing; see the Release Notes of each version for more details. Change New Network Interface Configuration IBM zseries firewall engines are no longer supported. Default value of IKE Phase-2 kilobytes limit has been changed. New SGConfiguration.txt option for load balancing filter generation. Menus have been reorganized Filter field categories have been reorganized Description Significant changes have been made to the way network interfaces are configured for firewall/vpn engines and IPS engines. Note that some invalid interface configurations that cold be configured with the old management are now prevented. Stonesoft recommends that you verify the interface settings after the upgrade. The new interface configuration no longer supports IBM zseries-specific configuration parameters. The default value of the IPsec tunnel lifetime kilobytes limit has been changed to 0 (not in use). With this setting, the tunnel renegotiations are done only based on time elapsed. A new tweak option for load balancing filter generation has been introduced to be used together with the OPTIMIZE_STATIC_NAT option. The new ring offset algorithm should be used whenever optimization of filter entries for static NAT is enabled: OPTIMIZE_STATIC_NAT=true LBFILTER_ENGINE=ring_offsets The structure of menu items has been reorganized to be more user-friendly. The categories of filter fields have been reorganized to be more user-friendly. System Requirements Basic Management System Hardware Requirements Pentium 4 processor or higher recommended (the suggested minimum processor speed is 2 GHz) or equivalent on a non-intel platform A mouse or pointing device (for Management Client only) SVGA (1024x768) display or higher (for Management Client only) 1 GB RAM for Management and Log Servers 512 MB RAM for Management Client Disk space for Management Server: 4 GB Disk space for Log Server: 20 GB 80 GB 4 StoneGate Management Center Release Notes for version 4.2.1
Operating Systems StoneGate Management System supports the following operating systems and versions: Microsoft Windows 2003 SP1 (32bit)* Microsoft Windows XP SP2 (32bit) * Microsoft Windows 2000 SP4 * Red Hat Enterprise Linux 4.0 and 5.0 (for 32bit x86) Fedora Core 6 and 7 (for 32bit x86) Sun Solaris 9 and 10 (for SPARC)** *) Only the U.S. English language version has been tested, but other locales may work as well. **) SMC version 4.2 is the last version to support Solaris. Build Version The StoneGate Management Center v4.2.1 build version is 7810. This release contains StoneGate Dynamic Update package 138. Compatibility Minimum StoneGate Management Center v4.2.0 is compatible with the following StoneGate component versions: StoneGate Firewall engine v2.6.0 or higher StoneGate IPS engine v4.0.0 or higher Dynamic Update package 131 or later Native Support To utilize all the features of StoneGate Management Center version 4.2, the following StoneGate component versions are required: StoneGate Firewall engine version 4.2 or higher StoneGate IPS engine version 4.2 or higher Installation Instructions NOTE The sgadmin user is reserved for StoneGate use on Linux and Solaris, so it must not exist before the StoneGate Management Center is installed for the first time. The main installation steps for StoneGate Management Center and firewall or IPS engines are as follows: 1. Install the Management Server, the Log Server(s), and the Management Client. The Monitoring Server needs to be installed if Monitoring Clients are used. 2. Import the licenses for all components (you can generate licenses on our Web site at https://my.stonesoft.com/managelicense.do). 5 StoneGate Management Center Release Notes for version 4.2.1
3. Configure the Firewall or IPS elements with the Management Client using the Configuration view. 4. Generate initial configurations for the engines by right-clicking each Firewall or IPS Sensor/Analyzer and selecting Save Initial Configuration from the menu that opens. 5. Install the firewall and IPS engines by rebooting the machines from the installation CD-ROM. 6. Make the initial connection from the engines to the Management Server and enter the one-time password provided during Step 4. 7. Create and upload a policy on the engine with the Management Client. 8. Command the nodes online by right-clicking the Firewall or IPS Sensor/Analyzer and selecting Commands Go Online from the menu that opens. Detailed installation instructions can be found in the StoneGate Installation Guide. For a more thorough explanation on using StoneGate, refer to the StoneGate Administrator s Guide and the Administrator s Reference. All guides are available for download at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/. Upgrade Instructions NOTE StoneGate Management Center (Management Server and Log Servers) must be upgraded before the firewall and IPS engines are upgraded. StoneGate Management Center v4.2.1 requires an updated license if upgrading from version 4.1 or earlier. The license upgrade request can be made on our website at https://my.stonesoft.com/managelicense.do. Activate the new license using the StoneGate Management Client before upgrading the software. To upgrade an earlier version of StoneGate Management Center to StoneGate Management Center v4.2.1, we strongly recommend that you stop all the StoneGate services and then take a backup before continuing with the upgrade. After taking the backup, run the appropriate setup file depending on the operating system. The installation program detects the old version and does the upgrade automatically. Versions earlier than 3.5.2 require upgrade to version 3.5.2 before upgrading to newer versions. Known Issues The current known issues of StoneGate v4.2.1 are described in the table below. For an updated list of known issues, consult our website at http://www.stonesoft.com/support/stonegate/known_issues/. Synopsis Description Workaround Scheduled report generation may stop working. (#14771) Dynamic IP Firewall engine does not support manual blacklisting. (#16597) The very first SMS alert may be lost when using GSM modems. (#16983) Scheduled report generation stops if it encounters a problem during the post processing step (e.g., if an invalid e-mail address is used in the report task properties). Firewalls with dynamic control IP address do not support manual blacklisting. With industrial GSM modems, the very first SMS message may be lost if the SIM card requires a PIN code. Reset the task by opening its properties and closing the dialog using OK. The failed report and any other reports due for generation between the failure and the current time are automatically generated. To make sure that SMS messages get delivered even after a GSM modem reboots, configure the alert chain to send two messages in a row with some delay between the messages. 6 StoneGate Management Center Release Notes for version 4.2.1
Synopsis Description Workaround Protocol field in Inspection Rules does not have effect on "Show Matching Situations" search result. (#21845) Impossible to browse more than 1000 users stored in Active Directory (#22881) sginfo is stored on the server even when local workstation save is selected. (#25640) Uninstallation may hang in Windows. (#27486) Webstart does not automatically download updated Management Client. (#29023) StoneGate Management Server installation may fail on Microsoft XP SP2. Non-spoke sites are migrated to spoke sites if a gateway contains also spoke sites. (#30065) Some settings are lost when importing VPN configurations from versions prior to 4.0 (#30067) Standby/Active settings of forwarded tunnels are not preserved during migration from versions prior 4.0. (#30130) Focus problems on Fedora Core 6 platform. (#30244) Web Start server listening ports under 1024 are not supported in Unix environments. (#35591) Corrupted firewall policy snapshots. (#36915) Corrupted IPS policy snapshots. (#36917) The Protocol field in Inspection Rules does not have an effect on "Show Matching Situations" search result. However, the configuration is generated and matched correctly on a Sensor engine. When Active Directory is used as an external user database, it is impossible to browse more than 1000 users with the Management Client. When downloading sginfo files from engines using the Management Client, the sginfo file is also stored on the server even though a local workstation destination path is selected. The uninstallation program may hang when it is trying to delete Windows registry entries. When using Java runtime version 1.5, Web Start uses the locally cached client instead of automatically downloading the updated files from the server. StoneGate Management Server installation fails on Microsoft Windows XP Systems. See known issue 884020. Because the VPN Spoke setting has been moved to the VPN Gateway level (in versions before 4.0.0 the property was at the Site level), the non-spoke Sites are changed to spoke Sites during upgrade if the gateway had also spoke Sites defined. Tunnel settings are not imported if export has been taken from a Management Center version prior to 4.0. After the import, the tunnels use the default settings. The information about forwarding tunnel status in a client-to-gateway VPN with a hub configuration is lost during an upgrade. There may be focus problems with the Management Client on the Fedora Core 6 platform. For example, the login window does not allow typing a password before clicking the "Remember Server Address" checkbox and changing the focus back to the password field. For more information, see http://bugs.sun.com/bugdatabase/view_bug.do?b ug_id=6506617. Web Start server is not able to listen to port numbers under 1024 in Unix environments. Opening firewall policy snapshots that contain Outbound Multi-Link elements linked to dynamic NetLinks fails with a corrupted snapshot error message. Opening policy snapshots that contain Analyzer_Compress-SID situations fails with a corrupted snapshot error message. Increase the maximum value of LDAP search result in SGConfiguration.txt. For example: LDAP_SEARCH_MAX_RESULT_CONSTRAIN T=5000 See the instructions at Microsoft MSDN library for how to handle the configuration of the Active Directory server when a large number of users is queried. Remove the files and the registry entries manually. Delete the cached client libraries using the Java control panel. Install Windows XP update KB884020. Verify your tunnel settings after the VPN import. If you are using a client-to-gateway VPN with a hub configuration, verify your tunnel settings after an upgrade from version < 4.0.0. 7 StoneGate Management Center Release Notes for version 4.2.1
Copyright and Disclaimer 2000 2008 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation. Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES. Trademarks and Patents Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology-as well as other technologies included in StoneGate-are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners. Stonesoft Corporation Itälahdenkatu 22A FI-00210 Helsinki Finland Tel. +358 9 476 711 Fax +358 9 4767 1234 Business ID: 0837548-0 Domicile: Helsinki Stonesoft Inc. 1050 Crown Pointe Parkway Suite 900 Atlanta, GA 30338 USA Tel. +1 770 668 1125 Fax +1 770 668 1131 Copyright 2008 Stonesoft Corporation. All rights Reserved. All specifications are subject to change.