StoneGate Management Center. Release Notes for Version 4.0.1


Table of Contents

- What's New
- System Requirements
- Build Version
- Compatibility
- Installation Instructions
- Upgrade Instructions
- Known Issues

What's New

Enhancements

Enhancements that have been made since StoneGate Management Center v4.0.0 are described below.

Enhancement: Summary information for VPN Gateway Profile elements. (#29517)
Description: Summary information about Gateway Profile settings has been added to the Info tab of the element.

Enhancement: Ability to duplicate Gateway Profile and VPN Profile. (#30038)
Description: VPN Gateway Profile and VPN Profile elements have a new context menu option to duplicate an existing configuration set.

Enhancement: Situations can be dragged and dropped from the Logs view to the Policy editor. (#30378)
Description: Situations in the inspection rules can now be specified by dragging and dropping Situations directly from the Situation column in the Logs view.

Enhancement: SIP can be used without Deep Inspection option. (#31372)
Description: The SIP protocol agent no longer requires the Deep Inspection option to work statefully.

Enhancement: New report items. (#31308)
Description: The following new IPS report items have been added:
- HTTP entries by situation, URI
- HTTP entries by src. IP, URI
- HTTP entries by dest. IP, URI

Fixes

Problems described below have been fixed since StoneGate Management Center v4.0.0. A workaround solution is presented for earlier versions where available.

Synopsis: Debug message "Command.run(): process" may show during the installation. (#26767)
Description: The debug message "Command.run()" may show during Monitoring server installation. This message is harmless.
Workaround for previous versions: Ignore the message.

Synopsis: Import fails if export contains services that use custom Protocol Agents. (#29947)
Description: Version 4.0 does not support exports taken from versions prior to 4.0 if the exports include services that use custom Protocol Agents.

Synopsis: Unresolved situations may appear in a report after activating dynamic update packages. (#30009)
Description: The Log Server is not able to resolve situation names which have been imported to the system after a Log Server reboot.
Workaround for previous versions: Restart the Log Server after activating the dynamic update packages.

Synopsis: Warning may not always be shown when invalid rule is installed. (#30190)
Description: StoneGate Firewall does not support configurations where CIS redirection is used together with deep inspection in the same rule. However, the Management Server allows the creation of such a configuration, and no errors are shown when the policy is installed on the firewall.
Workaround for previous versions: De-select deep inspection from the rule options.

Synopsis: IPsec compression is not used. (#30448)
Description: The Management Server generates a configuration where IPsec compression is not used, even though both ends support it.

Synopsis: Manual upgrade download prevents Management Client use during the download. (#30792)
Description: If an upgrade package download is started from the Management Client manually, the Management Client prevents the user from continuing work by showing an hourglass as the mouse cursor while downloading the file.
Workaround for previous versions: Open another Management Client.

Synopsis: Policy installation may fail with an unexpected error. (#30811)
Description: Policy installation fails when a VPN with DHCP relay enabled on one of the internal security gateways is used, but no NDI has been selected for the DHCP relay. The NDI cannot be selected while the security gateway is being created, but it can be selected by editing an existing security gateway's properties.
Workaround for previous versions: Create the internal security gateway first without enabling the DHCP relay. Re-open its properties and enable the DHCP relay with the correct NDI.

Synopsis: Connections view does not show any connections. (#30852)
Description: In some situations, old monitoring connections may reserve all communication channels and prevent new monitoring connections to the engine, with the result that the Connections view does not show any data. If this problem occurs, the following error message is displayed for monitoring connections (port 8888): "Remote host closed connection during handshakessl peer shutdown incorrectly".
Workaround for previous versions: Restart the engine.

Synopsis: Blacklist configuration with "Port:: Ignored" does not work as expected. (#30913)
Description: Blacklist configuration with "Port:Ignored" for either Endpoint 1 or Endpoint 2 disables all port information when matched.
Workaround for previous versions: "Port" match for Blacklist Scope works correctly when both Endpoint 1 and Endpoint 2 have the same setting.

Synopsis: Rule Search Tool does not take the protocol into account. (#31034)
Description: The Rule Search Tool matches port information without taking into account the used protocol. For example, a search with TCP 22 service also matches rules with UDP 22 services.

Synopsis: Cannot activate dynamic update #106 on top of dynamic update #104 or earlier updates. (#31060)
Description: Dynamic update 106 activation on top of dynamic update package #104 or earlier update versions fails with the error message: "Unresolved references: A denial of service vulnerability in Microsoft Windows Lanman service".
Workaround for previous versions: Activate first dynamic update #105 and then dynamic update #106.

Synopsis: Management Center upgrade from 3.5.x to 4.0.0 may fail if dynamic update #106 is activated before the upgrade. (#31112)
Description: Management Center upgrade from 3.5.x to 4.0.0 may fail if the dynamic update package #106 is activated before the upgrade.
Workaround for previous versions: Contact support@stonesoft.com for the workaround.

Synopsis: Upgrade from version 3.5.1 fails if incident cases have been used. (#31120)
Description: Upgrade from version 3.5.1 fails if the system contains incident cases with several log data attachments.
Workaround for previous versions: Upgrade first to version 3.5.6 before upgrade to version 4.0.0.

Synopsis: A policy cannot be saved when more than one rule has a reference to the same subpolicy. (#31261)
Description: You cannot save a security policy where more than one rule refers to the same sub-policy. You will receive a "Loop detected" error message when you try to save the policy.
Workaround for previous versions: Take copies of the sub-policy and change the jump rules to point to different policies.

Synopsis: Log server may run out of memory. (#31334)
Description: A log server may run out of memory if alert forwarding to another log server is used.

Synopsis: Inspection Log/Alert Data Daily Summary reports hang at 50%. (#31433)
Description: "FW/IPS Inspection Log Data Daily Summary" and "Inspection Alert Daily Summary" reports hang at 50%.

Synopsis: Policy installation on IPS sensor may fail after upgrade. (#31462)
Description: If a policy has contained IP services for TCP, ICMP, or UDP before an upgrade, the services in the policy get corrupted in the upgrade so that only the icons of the services without descriptions are shown in the rules. Because of this, the policy installation on the sensors fails.

Workaround for previous versions: Increase the available stack size by adding "-Xss400K" into the sgstartlogsrv.bat/sh and sgstartmgtsrv.bat/sh starting scripts. Edit the rules and delete the icons and set back the correct services.

Other Changes

StoneGate Management Center 4.0 introduces the following changes:

IPS 1.2 configuration tools are not available in StoneGate Management Center 4.0
Only IPS engines with version 2.0 or later can be configured and managed through StoneGate Management Center 4.0.

Unnecessary services related to Protocol Agents are deleted during upgrade
Version 4.0 introduces improvements in the structure of protocol agents, which reduces the need for many redundant service elements for the same protocol. During the upgrade, the system cleans up unnecessary system and user-defined services that are not used in any configuration. It is also recommended to review policies manually to clean up any remaining redundant services that are in use.

Log data stored with version 2.2 or earlier is not readable in StoneGate Management Center 4.0
Old log data which has been stored to the database is no longer readable with version 4.0 or later, unless the log data is converted to the new format before the upgrade.

Version 4.0 log data is not backward compatible
Log data written with version 4.0 Log Servers is not readable with older Log Servers.

RSA encryption is no longer supported as an authentication method
Options for RSA encryption as an authentication method in IKE have been removed from the Management Client. During the upgrade, any existing RSA encryption configurations are migrated to RSA Signatures.

VPN tunnels are renegotiated after the first policy installation
Because of the changes in VPN configuration syntax, engines renegotiate all existing VPN tunnels after the first time that the configuration is uploaded to the engines with version 4.0 StoneGate Management Center. Because of this limitation, Stonesoft recommends scheduling the first policy installation in a service window or a quiet moment when the VPN tunnels are the least utilized.

Dynamic Update package is activated automatically during the installation
During the installation, Dynamic Update package 105 is automatically activated.

System alias $$Management Server has changed
A network element $$Management Server has been renamed $$Management Servers. The element may now contain several IP addresses. Note that the change can have an impact on element usage in NAT rules, if several Management Servers have been defined.

System Requirements

Basic Management System Hardware Requirements

- Pentium 4 processor or higher recommended (the suggested minimum processor speed is 2 GHz) or equivalent on a non-Intel platform
- A mouse or pointing device (for Management Client only)
- SVGA (1024x768) display or higher (for Management Client only)
- 1 GB RAM
- Disk space for Management Server: 4 GB
- Disk space for Log Server: 20 GB - 80 GB

Operating Systems

StoneGate Management Center supports the following operating systems and versions:

- Microsoft Windows 2003 SP1 (32bit)*
- Microsoft Windows XP SP2 (32bit)*
- Microsoft Windows 2000 SP4*
- Red Hat Enterprise Linux 4.0 and 5.0 (for 32bit x86)
- Fedora Core 5 and 6 (for 32bit x86)
- Sun Solaris 9 and 10 (for SPARC)**

*) Only the U.S. English language version has been tested, but other locales may work as well.
**) StoneGate Management Center version 4 is going to be the last version to support Solaris.

Build Version

The StoneGate Management Center v4.0.1 build version is 7603. This release contains StoneGate Dynamic Update package 110.

Compatibility

Minimum

StoneGate Management Center v4.0.1 is compatible with the following StoneGate component versions:

- StoneGate Firewall engine v2.2.0 or higher
- StoneGate IPS engine v2.0.0 or higher
- Dynamic Update package 105 or later

Native support

In order to utilize all the features of StoneGate Management Center version 4.0, the following StoneGate component versions are required:

- StoneGate Firewall engine version 4.0 or higher
- StoneGate IPS engine version 4.0 or higher

Installation Instructions

Note: The sgadmin user is reserved for StoneGate use on Linux and Solaris, so it must not exist before the StoneGate Management Center is installed for the first time.

The main installation steps for StoneGate Management Center and firewall or IPS engines are as follows:

1. Install the Management Server, the Log Server(s), and the Management Client. The Monitoring Server needs to be installed if Monitoring Clients are used.
2. Configure the Firewall or IPS elements with the Management Client using the Configuration view.
3. Generate initial configurations for the engines by right-clicking the Firewall or IPS Sensor/Analyzer and selecting Save Initial Configuration from the menu that opens.
4. Install the firewall and IPS engines by rebooting the machines from the installation CD-ROM.
5. Make the initial connection from the engines to the Management Server and enter the one-time password provided during step 3.
6. Create and upload a policy on the engine with the Management Client.
7. Command the nodes online by right-clicking the Firewall or IPS Sensor/Analyzer and selecting Commands > Go Online from the menu that opens.

Detailed installation instructions can be found in the StoneGate Installation Guide. For a more thorough explanation on using StoneGate, refer to the StoneGate Administrator's Guide and the Administrator's Reference.

Upgrade Instructions

Note: StoneGate Management Center (Management Server and Log Servers) must be upgraded before the firewall and IPS engines are upgraded.

StoneGate Management Center v4.0.1 requires an updated license if upgraded from a version prior to 4.0.0. The license upgrade request can be made on our website at https://my.stonesoft.com/managelicense.do. Activate the new license using the StoneGate Management Client before upgrading the software.

To upgrade an earlier version of StoneGate Management Center to StoneGate Management Center v4.0.1, it is strongly recommended that you stop all the StoneGate services and then perform a backup before continuing with the upgrade. After taking the backup, run the appropriate setup file depending on the operating system. The installation program detects the old version and does the upgrade automatically.

Versions earlier than 3.0.1 require upgrade to version 3.0.1 before upgrading to newer versions. Backup restoration is supported with backups taken from version 3.5.2 and later.
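The constraints from the Compatibility, Other Changes and Upgrade Instructions sections can be combined into a single pre-upgrade check. The following is an added example, not Stonesoft code; the inventory format and function names are assumptions, and the sample data is constructed.

```python
def parse_version(text):
    """Turn '3.5.2' into (3, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Minimum engine versions from the Compatibility section of these notes.
MIN_ENGINE = {"firewall": parse_version("2.2.0"), "ips": parse_version("2.0.0")}


def preflight(inventory):
    """Return (blockers, steps) for an upgrade to Management Center 4.0.1.

    `inventory` is a hypothetical dict describing the current installation.
    """
    smc = parse_version(inventory["smc_version"])
    blockers, steps = [], []

    # Engines below the stated minimum cannot be managed after the upgrade.
    for engine in inventory["engines"]:
        minimum = MIN_ENGINE[engine["type"]]
        if parse_version(engine["version"]) < minimum:
            blockers.append(
                f"{engine['name']}: {engine['type']} engine {engine['version']} "
                f"is below the minimum {'.'.join(map(str, minimum))}"
            )

    # Versions earlier than 3.0.1 need an intermediate upgrade to 3.0.1.
    if smc < parse_version("3.0.1"):
        steps.append("Upgrade Management Center to 3.0.1")
    # Backup restoration is supported only for backups from 3.5.2 and later.
    if smc < parse_version("3.5.2"):
        steps.append("Note: a backup taken on this version is outside the "
                     "supported restore range (3.5.2 and later)")
    # Log data stored with 2.2 or earlier must be converted before upgrading.
    if parse_version(inventory["oldest_log_data_version"])[:2] <= (2, 2):
        steps.append("Convert stored log data to the new format")
    # Coming from before 4.0.0 requires an updated license, activated first.
    if smc < parse_version("4.0.0"):
        steps.append("Request and activate the updated license")

    steps += [
        "Stop all StoneGate services",
        "Take a backup",
        "Run the setup file for the operating system",
    ]
    if inventory["uses_vpn"]:
        # All tunnels renegotiate after the first 4.0 policy installation.
        steps.append("Schedule the first policy installation in a service window")
    steps.append("Upgrade firewall and IPS engines only after the Management Center")
    return blockers, steps


# Constructed sample inventory, not taken from a real installation.
SAMPLE = {
    "smc_version": "3.5.1",
    "oldest_log_data_version": "2.2",
    "uses_vpn": True,
    "engines": [
        {"name": "fw-hq", "type": "firewall", "version": "2.1.4"},
        {"name": "ips-dmz", "type": "ips", "version": "2.0.0"},
        {"name": "fw-branch", "type": "firewall", "version": "4.0.0"},
    ],
}

if __name__ == "__main__":
    found_blockers, plan = preflight(SAMPLE)
    for line in found_blockers:
        print("BLOCKER:", line)
    for number, line in enumerate(plan, start=1):
        print(f"{number}. {line}")
```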

Known Issues

The current known issues of StoneGate v4.0.1 are described below. For an updated list of known issues, consult our website at http://www.stonesoft.com/support/stonegate/known_issues/.

Synopsis: Impossible to browse more than 1000 users stored in Active Directory (#22881)
Description: When Active Directory is used as an external user database, it is impossible to browse more than 1000 users with the Management Client.
Workaround: Increase the maximum value of LDAP search result in SGConfiguration.txt. For example: LDAP_SEARCH_MAX_RESULT_CONSTRAINT=5000. See the instructions at Microsoft MSDN library for how to handle the configuration of the Active Directory server when a large number of users is queried.

Synopsis: Scheduled report generation may stop working. (#14771)
Description: Scheduled report generation stops if it encounters a problem during the post processing step (e.g., if an invalid e-mail address is used in the report task properties).
Workaround: Reset the task by opening its properties and closing the dialog using OK. The failed report and any other reports due for generation between the failure and the current time are automatically generated.

Synopsis: Unable to delete network elements. (#15836)
Description: Under some circumstances, deleting a network element fails with the message: "Database error: Problem while trying to remove the Network element: 'ID of the element'"
Workaround: Contact support@stonesoft.com for the workaround.

Synopsis: Dynamic IP Firewall engine does not support manual blacklisting. (#16597)
Description: Firewalls with dynamic control IP address do not support manual blacklisting.

Synopsis: The very first SMS alert may get lost when using GSM modems. (#16983)
Description: With industrial GSM modems, the very first SMS message may get lost if the SIM card requires a PIN code.
Workaround: To make sure that SMS messages also get delivered after a GSM modem reboot, send two messages in a row with some delay between the messages.

Synopsis: Webstart does not automatically download updated Management Client. (#29023)
Description: When using Java runtime version 1.5, Web Start uses the locally cached client instead of automatically downloading the updated files from the server.
Workaround: Delete the cached client libraries using the Java control panel.

Synopsis: Protocol field in Inspection Rules does not have effect on "Show Matching Situations" search result. (#21845)
Description: The Protocol field in Inspection Rules does not have an effect on "Show Matching Situations" search result. However, the configuration is generated and matched correctly on a Sensor engine.

Synopsis: StoneGate Management Server installation may fail on Microsoft XP SP2.
Description: StoneGate Management Server installation fails on Microsoft Windows XP Systems. See known issue 884020.
Workaround: Install Windows XP update KB884020.

Synopsis: Non-spoke sites are migrated to spoke sites if a gateway also contains spoke sites. (#30065)
Description: Because the VPN Spoke setting has been moved to a VPN gateway setting (in versions before 4.0.0 the property was at the site level), the non-spoke sites are migrated during upgrade to spokes, if the gateway also had spoke sites defined.

Synopsis: Some settings are lost when importing VPN configurations from versions prior to 4.0 (#30067)
Description: Tunnel settings are not imported if the export has been taken from a Management Center version prior to 4.0. After the import, the tunnels use the default settings.
Workaround: Verify your tunnel settings after the VPN import.

Synopsis: No proper error message when uploading policy into a sensor with a proper license. (#30711)
Description: After upgrading an IPS sensor to version 4.0 without importing a new license for it, the system allows the policy upload to start, but nothing appears on the installation dialog.
Workaround: Import valid licenses to the engines.

Synopsis: Standby/Active settings of forwarded tunnels are not preserved during migration. (#30130)
Description: The information about forwarding tunnel status is lost during an upgrade.
Workaround: If you are using mvpn with HUB configuration, verify your tunnel settings after an upgrade from version < 4.0.0.

Synopsis: Focus problems on Fedora Core 6 platform. (#30244)
Description: There may be focus problems with the Management Client on the Fedora Core 6 platform. For example, the login window does not allow typing a password before clicking on the "Remember Server Address" checkbox and changing the focus back to the password field. For more information, see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6506617.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Copyright and Disclaimer

Copyright 2000-2007 Stonesoft Corporation. All rights reserved.

These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: RLNT-SG4.0.1-18/6/2007

www.stonesoft.com

Stonesoft Corp.
Itälahdenkatu 22a
FIN-00210 Helsinki
Finland
tel. +358 9 4767 11
fax +358 9 4767 1234

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338
USA
tel. +1 770 668 1125
fax +1 770 668 1131