StoneGate Management Center Release Notes for Version 4.1.2
Table of Contents What s New........................... page 3 System Requirements................... page 8 Build Version......................... page 8 Compatibility.......................... page 8 Installation Instructions.................. page 9 Upgrade Instructions.................... page 9 Known Issues........................ page 10 Table of Contents 2
What s New New Features Features that have been implemented in StoneGate Management Center v4.1 are described in the table below. Feature Support for Transparent Access Control (TAC) configuration Ethernet Services Element Added to IPS Configuration Improved Diagram View Built in alert forwarding support for Bradford Networks NAC system A new Ethernet rules tab has been added to the IPS policies. These rules define which Ethernet protocol traffic is allowed or stopped for Sensors in Transparent Access Control mode. A separate license is required to use the Ethernet Rules. A new Ethernet Services element has been added to the IPS Configuration branch of the All Elements tree. These elements are used in the Ethernet rules of IPS policies for Sensors in Transparent Access Control mode to define the Ethernet frame type. You can now add a background image to diagrams. The Diagram view now also includes a Diagram Navigation panel that allows you to more easily select and zoom in on a particular area of a diagram. StoneGate can be configured to send critical alert events to Bradford Networks NAC Director / Campus Manager (www.bradfordnetworks.com). Enhancements Enhancements that have been made since StoneGate Management Center v4.1.1 are described in the table below. Enhancement Policy query tool contains new search columns. (#32786) Number of rules is shown in the policy editor. (#32784) The Search Rules tool available in policies has new matching columns. Now, for example, it is possible to search for rules based on the rule tag or comment text. The total number of rules is presented in the task bar when a policy is opened for editing. Fixes Problems described in the table below have been fixed since StoneGate Management Center v4.1.1. A workaround solution is presented for earlier versions where available. Synopsis New rule tag number is generated if a rule is disabled. (#4969) Log pruning filters may work incorrectly and block all the log traffic. (#28368) SNMP traps are not sent for failed tests in the IPS engine tester. (#30232) The rule tag number changes even if the rule is just disabled and re-enabled. In some rare circumstances, log pruning filters may work incorrectly and block all the log data. It is possible to configure the tester to send SNMP traps when a test fails. However, on IPS engines, the SNMP traps are not sent regardless of the configuration of the tester. Workaround for previous versions What s New 3
Synopsis Use of Client object in same VPN as gateway to gateway VPNs prevents use of VPNs. (#31216) sgadmin account is not deleted during uninstallation. (#31428) Custom situations may not be resolved correctly. (#32073) Firewall permission property for Allowed Policies does not work properly. (#32277) Database error when comparing policy snapshot with current policy. (#32331) Policy refresh option for automatic update download and activation does not work. (#32402) RMI wrapper failed error while activating standby management. (#32410) Policy installation may fail on small appliances if SIP protocol agents are used in the policy. (#32411) Policy refresh check may fail. (#32691) VPN site modifications do not take effect when elements are dragged and dropped from Resource panel. (#32798) Element names are missing from delete confirmation dialog. (#32810) Policy option blacklist ANY does not include local cluster. (#32887) The VPN configuration is generated incorrectly if a Client gateway object for VPN clients is used in a VPN element that defines also gateway-to-gateway tunnels. Uninstallation may not delete the sgadmin user account from the system in Linux environments. An existing sgadmin account prevents reinstallation, because the installation process detects the existing partial installation. Under some circumstances, custom situations are not resolved at all or are resolved incorrectly. The firewall permission property for Allowed Policies does not work if the list contains more than one policy. In some situations, policy snapshot comparison in graphical mode fails in database error. The policy refresh option available for dynamic update automation does not work. The Management Server downloads and activates the update package correctly but never initiates the policy refresh for the engines. Activation of the standby Management Server fails, producing an RMI wrapper failed error message if a version 3.5.x backup has been restored to the system after version 4 installation. Small appliances do not support SIP deep inspection. Policy installation fails on small appliances if rules contain services with the SIP protocol agent. In some situations Policy Refresh Needs check may fail with import failed error message. VPN site modifications do not take effect when elements are dragged and dropped from the Resource panel to a Site in the VPN editor. When deleting elements, referred element names are missing from the referred element list. The Firewall Policy option for allowing blacklister devices does not include local devices in the allowed list if the default value Any is used. This prevents the firewall from executing command-line blacklist requests created by administrators on that firewall. Create a separate VPN for VPN clients. Delete the sgadmin user manually after uninstallation. Add the following line in SGConfiguration.txt MGT_SERVER_ID=3 Change SIP services in the policy to custom services that do not use the protocol agent. Workaround for previous versions Restrict blacklisters and select the $$Local Cluster and required elements. What s New 4
Synopsis E-mail notification for Status Surveillance alerts does not tell engine name. (#32894) Certificate export does not export all alternative subject names. (#32943) Policy snapshot does not work if policy is inherited from custom template. (#33073) VPN SA granularity configuration option "Allow SA to ANY Network" does not work. (#33156) Use of SNMP agent may prevent policy upload. (#33161) Deleted gateways may still appear in VPN Monitoring. (#33177) Backup restoration may fail if SMC was installed in the root directory. (#33260) Action:'Terminate(passive)' incorrectly terminates the matching network traffic. (#33262) Single node upgrade to a cluster may fail. (#33263) Backup restoration may fail on Linux platform. (#33366) Upgrade fails if admin user is named "System". (#33370) Rule option for idle timeout is taken into account even when timeout should not be overridden. (#33387) It is possible to configure an alert to be sent when an engine s status indicates a problem. When these alerts are escalated as e-mail, the e-mail alert notification about inoperative security engines is missing the engine name. If a VPN gateway certificate contains several alternative subject names, only one is exported. This makes the certificate unusable when the VPN is imported and the imported VPN invalid. The policy snapshot appears empty if the policy is inherited from a custom template instead of the default template. The Management Server generates an unsupported VPN configuration if the "Allow SA to ANY Network" configuration option is selected from the VPN profile Phase 2 properties. Policy installation to the engine fails when the the failure notification for a link status test is configured to be sent as an SNMP trap. After a VPN gateway element is deleted, the deleted element may still appear in VPN monitoring. Restoration of an SMC backup may fail if the backup was taken from a system where the SMC was installed directly on the root of the disk (for example C:\) Action:'Terminate(passive)' incorrectly terminates the matching network traffic instead of only producing a log indicating that the matching connection would have been terminated. If a single-node firewall element's interfaces have been used in an Analyzer blacklisting configuration, the firewall s upgrade to a cluster element fails. Backup restoration fails on Linux platforms if the backup is from a Solaris system. The Management Server upgrade fails if the system contains an administrator user with the name "system". The idle timeout value in a rule's connection tracking options is taken into account even when the "Override collected values..." option is not selected. Add the following line in smtp_alert.txt $([[$LN_INFO_MSG]]/resolved) Regenerate certificates after VPN import. Contact support for a workaround. Workaround for previous versions Rename the "system" administrator before the upgrade. Remove the idle timeout value from the rule options. What s New 5
Synopsis Management communicaton to a firewall with dynamic control IP address may be lost. (#33592) Log Server backup restoration may fail. (#33622) Sending e-mail may fail. (#33783) Custom syslog configuration is not preserved during Log Server upgrade. (#33794) If a firewall with a dynamic control IP address is set to the offline state, management communication to the engine may be lost. Restoration of a Log Server backup taken from version 3.5.3 fails with a "Creation of directory failed" error message. If the Management Server fails to resolve the name of the local host, it contacts the mail server without an argument for the HELO command. This may prevent the mail from being sent, if the mail server requires the argument to be present. Custom syslog export configuration files under {SG_ROOT_DIR}\data\fields\syslog_templates \ are deleted during Log Server upgrade. Add the parameter LBFILTER_ENGINE=legacy to the SGConfiguration.txt file for the Management Server before uploading the policy to the firewall. Workaround for previous versions Restore the files manually after the upgrade. Changes Introduced in the Previous Major Version This section lists major changes that were introduced in SMC 4.0 that may affect you if you are upgrading from a version prior to 4.0.0. This is not a full listing; see the Release Notes of each version for more details. Change Existing Ethernet Access rules are migrated in new Ethernet rules IPS 1.2 configuration tools are not available in SMC 4.0 and later Unnecessary services related to Protocol Agents are deleted during upgrade Log data stored with versions 2.2 or prior is not readable in SMC 4.0 and later Version 4 log data is not backward compatible RSA encryption is no longer supported as an authentication method If MAC addresses have been used in IPS access rules, the rules will be moved to the new Ethernet rules tab during the upgrade to the version 4.1. However, any IPv4 services that may be used in those rules cannot be transferred and are replaced with the ANY value in the Ethernet rules. The old Access rules are left otherwise intact, except that the MAC addresses are removed from the source and destination fields. If MAC addresses have been used in the IPS Access rules, Stonesoft recommends verifying these rules manually after the upgrade, because the meaning of the rules may have changed in the automated migration. Only IPS engines with version 2.0 or later can be configured and managed through SMC 4.1. Version 4.0 introduced improvements in the structure of protocol agents, which reduces the need for many redundant service elements for the same protocol. During the upgrade, the system cleans up unnecessary system and user-defined services that are not used in any configuration. We recommend you to review policies manually to clean up any remaining redundant services. Old log data still stored in a database is no longer readable with SMC version 4.0 or later, unless the log data is converted to the new file-based format before the upgrade. Log data written with version 4.1 Log Servers is not readable with Log Servers prior to version 4.0. Options for RSA encryption as an authentication method in IKE have been removed from the Management Client. During the upgrade, any existing RSA encryption configurations are migrated to RSA Signatures. What s New 6
Change VPN tunnels are renegotiated after the first policy installation Dynamic Update package is activated automatically during the installation System alias $$Management Server has changed Because of the changes in VPN configuration syntax, engines renegotiate all existing VPN tunnels after the first policy upload with a version 4.1 Management Server. Because of this limitation, Stonesoft recommends scheduling the first policy installation in a service window or a quiet moment when the VPN tunnels are the least utilized. During the installation, Dynamic Update package 121 is automatically activated. The Alias element $$Management Server has been renamed $$Management Servers. The element may now contain several IP addresses. Note that the change can have an impact on element usage in NAT rules, if several Management Servers have been defined. What s New 7
System Requirements Basic Management System Hardware Requirements Pentium 4 processor or higher recommended (the suggested minimum processor speed is 2 GHz) or equivalent on a non-intel platform A mouse or pointing device (for Management Client only) SVGA (1024x768) display or higher (for Management Client only) 1 GB RAM for Management and Log Servers 512 MB RAM for Management Client Disk space for Management Server: 4 GB Disk space for Log Server: 20 GB 80 GB Operating Systems StoneGate Management System supports the following operating systems and versions: Microsoft Windows 2003 SP1 (32bit)* Microsoft Windows XP SP2 (32bit) * Microsoft Windows 2000 SP4 * Red Hat Enterprise Linux 4.0 and 5.0 (for 32bit x86) Fedora Core 5 and 6 (for 32bit x86) Sun Solaris 9 and 10 (for SPARC)** *) Only the U.S. English language version has been tested, but other locales may work as well. **) The SMC version 4 is going to be last version to support Solaris. Build Version The StoneGate Management Center v4.1.2 build version is 7732. This release contains StoneGate Dynamic Update package 123. Compatibility Minimum StoneGate Management Center v4.1.2 is compatible with the following StoneGate component versions: StoneGate Firewall engine v2.2.0 or higher StoneGate IPS engine v2.0.0 or higher Dynamic Update package 123 or later Native Support To utilize all the features of StoneGate Management Center version 4.1, the following StoneGate component versions are required: StoneGate Firewall engine version 4.0 or higher StoneGate IPS engine version 4.1 or higher System Requirements 8
Installation Instructions Note The sgadmin user is reserved for StoneGate use on Linux and Solaris, so it must not exist before the StoneGate Management Center is installed for the first time. The main installation steps for StoneGate Management Center and firewall or IPS engines are as follows: 1. Install the Management Server, the Log Server(s), and the Management Client. The Monitoring Server needs to be installed if Monitoring Clients are used. 2. Import the licenses for all components (you can generate licenses on our Web site at https:// my.stonesoft.com/managelicense.do). 3. Configure the Firewall or IPS elements with the Management Client using the Configuration view. 4. Generate initial configurations for the engines by right-clicking each Firewall or IPS Sensor/Analyzer and selecting Save Initial Configuration from the menu that opens. 5. Install the firewall and IPS engines by rebooting the machines from the installation CD-ROM. 6. Make the initial connection from the engines to the Management Server and enter the one-time password provided during step 4. 7. Create and upload a policy on the engine with the Management Client. 8. Command the nodes online by right-clicking the Firewall or IPS Sensor/Analyzer and selecting Commands Go Online from the menu that opens. Detailed installation instructions can be found in the StoneGate Installation Guide. For a more thorough explanation on using StoneGate, refer to the StoneGate Administrator s Guide and the Administrator s Reference. All guides are available for download at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/. Upgrade Instructions Note StoneGate Management Center (Management Server and Log Servers) must be upgraded before the firewall and IPS engines are upgraded. StoneGate Management Center v4.1.2 requires an updated license if upgrading from version 4.0 or earlier. The license upgrade request can be made on our website at https://my.stonesoft.com/managelicense.do. Activate the new license using the StoneGate Management Client before upgrading the software. To upgrade an earlier version of StoneGate Management Center to StoneGate Management Center v4.1.2, we strongly recommend that you stop all the StoneGate services and then take a backup before continuing with the upgrade. After taking the backup, run the appropriate setup file depending on the operating system. The installation program detects the old version and does the upgrade automatically. Versions earlier than 3.0.1 require upgrade to version 3.0.1 before upgrading to newer versions. Backup restoration is supported with backups taken from version 3.5.2 and later. Installation Instructions 9
Known Issues The current known issues of StoneGate v4.1.2 are described in the table below. For an updated list of known issues, consult our website at http://www.stonesoft.com/support/stonegate/known_issues/. Synopsis Workaround Scheduled report generation may stop working. (#14771) Unable to delete network elements. (#15836) Dynamic IP Firewall engine does not support manual blacklisting. (#16597) The very first SMS alert may be lost when using GSM modems. (#16983) Protocol field in Inspection Rules does not have effect on "Show Matching Situations" search result. (#21845) Impossible to browse more than 1000 users stored in Active Directory (#22881) Uninstallation may hang in Windows. (#27486) Webstart does not automatically download updated Management Client. (#29023) StoneGate Management Server installation may fail on Microsoft XP SP2. Scheduled report generation stops if it encounters a problem during the post processing step (e.g., if an invalid e-mail address is used in the report task properties). Under some circumstances, deleting a network element fails with the message: "Database error: Problem while trying to remove the Network element: 'ID of the element'". Firewalls with dynamic control IP address do not support manual blacklisting. With industrial GSM modems, the very first SMS message may be lost if the SIM card requires a PIN code. The Protocol field in Inspection Rules does not have an effect on "Show Matching Situations" search result. However, the configuration is generated and matched correctly on a Sensor engine. When Active Directory is used as an external user database, it is impossible to browse more than 1000 users with the Management Client. The uninstallation program may hang when it is trying to delete Windows registry entries. When using Java runtime version 1.5, Web Start uses the locally cached client instead of automatically downloading the updated files from the server. StoneGate Management Server installation fails on Microsoft Windows XP Systems. See known issue 884020. Reset the task by opening its properties and closing the dialog using OK. The failed report and any other reports due for generation between the failure and the current time are automatically generated. Contact support@stonesoft.com for the workaround. To make sure that SMS messages get delivered even after a GSM modem reboots, configure the alert chain to send two messages in a row with some delay between the messages. Increase the maximum value of LDAP search result in SGConfiguration.txt. For example: LDAP_SEARCH_MAX_RESULT_CONST RAINT=5000 See the instructions at Microsoft MSDN library for how to handle the configuration of the Active Directory server when a large number of users is queried. Remove the files and the registry entries manually. Delete the cached client libraries using the Java control panel. Install Windows XP update KB884020. Known Issues 10
Synopsis Workaround Non-spoke sites are migrated to spoke sites if a gateway contains also spoke sites. (#30065) Some settings are lost when importing VPN configurations from versions prior to 4.0 (#30067) Standby/Active settings of forwarded tunnels are not preserved during migration. (#30130) Focus problems on Fedora Core 6 platform. (#30244) No error message when uploading a policy into a sensor without an updated license. (#30711) Because the VPN Spoke setting has been moved to the VPN Gateway level (in versions before 4.0.0 the property was at the Site level), the non-spoke Sites are changed to spoke Sites during upgrade if the gateway had also spoke Sites defined. Tunnel settings are not imported if export has been taken from a Management Center version prior to 4.0. After the import, the tunnels use the default settings. The information about forwarding tunnel status in a client-to-gateway VPN with a hub configuration is lost during an upgrade. There may be focus problems with the Management Client on the Fedora Core 6 platform. For example, the login window does not allow typing a password before clicking the "Remember Server Address" checkbox and changing the focus back to the password field. For more information, see http:// bugs.sun.com/bugdatabase/ view_bug.do?bug_id=6506617. After upgrading an IPS sensor to version 4.0 without importing a new license for it, the system allows starting the policy upload, but nothing appears in the installation dialog. Verify your tunnel settings after the VPN import. If you are using a client-to-gateway VPN with a hub configuration, verify your tunnel settings after an upgrade from version < 4.0.0. Import valid license files for the engines in the Management Center. Known Issues 11
Trademarks and Patents Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology-as well as other technologies included in StoneGate-are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners. Copyright and Disclaimer Copyright 2000 2007 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation. Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMA- TION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUD- ING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES. Revision: RLNT-SG4.1.2-8/10/2007 www.stonesoft.com Stonesoft Corp. Itälahdenkatu 22a FIN-00210 Helsinki Finland tel. +358 9 4767 11 fax +358 9 4767 1234 Stonesoft Inc. 1050 Crown Pointe Parkway Suite 900 Atlanta, GA 30338 USA tel. +1 770 668 1125 fax +1 770 668 1131 12