StoneGate Management Center. Release Notes for Version 5.1.4

StoneGate Management Center Release Notes for Version 5.1.4 Created: August 20, 2010

Table of Contents

- What's New
  - Enhancements
  - Fixes
- Major Changes Introduced in Version 5.1
- System Requirements
  - Basic Management System Hardware Requirements
  - Operating Systems
- Build Version
- Compatibility
  - Minimum
  - Native Support
- Installation Instructions
- Upgrade Instructions
- Known Issues

What's New

Enhancements

Enhancements that have been made since StoneGate Management Center version 5.1.3 are described below.

Enhancement: Rule count analysis now also shows the percentages
Description: When running the rule count analysis tool in the Policy Editor, the system now shows not only the absolute number of times the rule has matched within the given time period but also the relative percentage of the traffic that matched each rule.

Fixes

Problems described below have been fixed since StoneGate Management Center version 5.1.3. A workaround solution is presented for earlier versions where available.

Synopsis: Location setting of Management Client may suddenly stop working. (#55728)
Description: The Location setting of the Management Client may suddenly stop working, so that alternative Locations can no longer be selected.
Workaround for Previous Versions: Restart the Management Client.

Synopsis: System Report contains redundant information (#56462)
Description: After each summary table in the System Report, the same information is repeated by element in separate sections.

Synopsis: Policy upload to IPS-400 appliance times out (#56600)
Description: Policy upload to an IPS-400 appliance times out with IPS version 4.3 and SMC version 5.1 with dynamic update 288 and later. The default timeout for the IPS policy upload is 60 seconds.

Synopsis: Web Start Management client may freeze with JRE 1.6.0_19 and later (#59141)
Description: The Management Client may freeze at a security warning dialog when using Web Start and Java runtime version 1.6.0_19 or later. Use of the mouse or keyboard during the freeze usually makes the situation even worse.
Workaround for Previous Versions: Press the Esc key.

Synopsis: VPN certificate renewal does not work (#59468)
Description: When attempting to renew a VPN gateway certificate, the following error message may appear: Certificate Error: Failed to obtain a Certificate Request from engine.
Workaround for Previous Versions: Generate a new certificate for the VPN Gateway: select Tools > Generate Certificate from the menu.

Synopsis: Static default contact address in dynamic internal gateway endpoint prevents policy installation (#61210)
Description: Policy installation fails if a static default contact address is used in a dynamic internal gateway endpoint for a VPN client tunnel.

Synopsis: The rule count analysis takes a long time to perform (#58911)
Description: The performance of the rule count analysis tool may be poor if there are a large number of rules in the policy, or when Sub-Policies are extensively used.

Synopsis: Desktop shortcuts for SMC Web Start do not work after upgrade (#57531)
Description: Limitations in JDK version 5 require the JNLP link that launches the Management Client on the Web Start page to be versioned. For this reason, desktop shortcuts that point to a version-specific link do not work after SMC upgrade.
Workaround for Previous Versions: Upgrade to Java Runtime Environment version 1.6.0_20 or higher on the computer where Web Start is used.

Synopsis: Detailed error messages are not reported upon SMS sending failure (#60061)
Description: The system does not give enough information in the error message when there is a problem with the SMS modem when sending the alert notification.

Synopsis: Comparing policies with different names in HTML format results in unusable output (#56529)
Description: The HTML policy comparison view is missing the color and icon indications about which rules are new, modified, and removed if the names of the compared policies are different. The problem can occur in the Web Portal, and when converting policy comparison results into an HTML file from the Management Client.
Workaround for Previous Versions: Use the regular Policy Comparison view in the Management Client.

Synopsis: Cut and paste of large set of rules does not work as expected (#61403)
Description: When a user copies or cuts more than 17 rules and pastes the rules to a new location in the policy, the rule order of the copied rules may slightly differ from what it was when copying the rules.
Workaround for Previous Versions: Copy fewer than 17 rules at a time.

Synopsis: Policy rendering problems when using Comment Rules in Policy Templates (#61408)
Description: The policy rendering may be incorrect if the policy hierarchy contains more than one template, and Comment Rules are used in the Policy Templates. In this case, rendering problems appear when viewing the main policy with the Inherited Rules option disabled.
Workaround for Previous Versions: Enable the Inherited Rules option in the toolbar, or remove the Comment Rules from the inherited Policy Templates.

Major Changes Introduced in Version 5.1

This section lists major changes that were introduced in SMC 5.1.0 that may affect you if you are upgrading from a version prior to 5.1.0. This is not a full listing; see the Release Notes of each version for more details.

Change: Deep inspection support for legacy IPS versions removed from dynamic update packages 271 and later
Description: Deep inspection with legacy IPS (version 4.1 and older) is no longer supported by StoneGate Management Center versions 4.2 and later after update package 271 is installed.

Change: Changes in supported operating systems
Description: 64-bit versions of CentOS, SuSe Linux Enterprise, Red Hat Enterprise Linux, Windows 2008, and Windows Vista have been added to the supported operating systems list. Fedora 8 and 9 have been removed from the list.

Change: Default template Access rule change
Description: TCP/2316 service has been added in rule @14.0 to allow Web Filtering database queries on the firewall. If your policy is based on a copy of the Default template, you must manually add the corresponding rule for Web Filtering in the copy template.

Change: Routing configuration uses secondary IP addresses
Description: Previously, the secondary IP addresses defined for elements have only been used in rules in policies and ignored elsewhere. When you upgrade to SMC version 5.1, the secondary IP addresses are now also valid in the Routing and Antispoofing views for all supported Firewall/VPN versions. If you have defined secondary IP addresses for elements that are present in the Routing or Antispoofing views, make sure that the secondary IP addresses are valid for the configuration before you refresh the firewall policies from SMC 5.1.

System Requirements

Basic Management System Hardware Requirements

- Intel Core family processor or higher, or equivalent on a non-Intel platform recommended
- A mouse or pointing device (for Management Client only)
- SVGA (1024x768) display or higher (for Management Client only)
- Disk space for Management Server: 6 GB
- Disk space for Log Server: 50 GB
- Memory requirements for 32-bit operating systems:
  - 2 GB RAM for Server (3 GB minimum if all components are installed on the same server)
  - 1 GB RAM for Management Client
- Memory requirements for 64-bit operating systems:
  - 6 GB RAM for Server (8 GB minimum if all components are installed on the same server)
  - 2 GB RAM for Management Client

Operating Systems

StoneGate Management System supports the following operating systems and versions:

- Microsoft Windows Server 2008 SP2 (32-bit and 64-bit)*
- Microsoft Windows 7 (32-bit and 64-bit)*
- Microsoft Windows Vista SP2 (32-bit and 64-bit)*
- Microsoft Windows 2003 SP2 (32-bit)*
- Microsoft Windows XP SP3 (32-bit)*
- CentOS 5 (for 32-bit and 64-bit x86)
- Red Hat Enterprise Linux 4 and 5 (for 32-bit and 64-bit x86)
- SuSe Linux Enterprise 11 (for 32-bit and 64-bit x86)

*) Only the U.S. English language version has been tested, but other locales may work as well.

Build Version

StoneGate Management Center v 5.1.4 build version is 8144. This release contains StoneGate Dynamic Update package 331.

Compatibility

Minimum

StoneGate Management Center version 5.1 is compatible with the following StoneGate component versions:

- StoneGate Firewall engine version 4.2.0 or higher
- StoneGate IPS engine version 4.2.0 or higher
- StoneGate SSL VPN version 1.2.0 or higher
- Dynamic Update package 304 or later

Native Support

To utilize all the features of StoneGate Management Center version 5.1, the following StoneGate component versions are required:

- StoneGate Firewall engine version 5.1 or higher
- StoneGate IPS engine version 5.1 or higher
- StoneGate SSL VPN version 1.4 or higher

Installation Instructions

Note: The sgadmin user is reserved for StoneGate use on Linux. It must not exist before the StoneGate Management Center is installed for the first time.

The main installation steps for StoneGate Management Center and firewall or IPS engines are as follows:

1. Install the Management Server, the Log Server(s), and the Web Portal Server(s).
2. Import the licenses for all components (you can generate licenses on our website at https://my.stonesoft.com/managelicense.do).
3. Configure the Firewall or IPS elements with the Management Client.
4. Generate initial configurations for the engines by right-clicking each Firewall or IPS Sensor/Analyzer and selecting Save Initial Configuration.
5. Make the initial connection from the engines to the Management Server and enter the one-time password provided during Step 4.
6. Create and upload a policy on the engines with the Management Client.

For detailed installation instructions, see product-specific installation guides. For a more thorough explanation on using StoneGate, refer to the Online Help or the StoneGate Administrator's Guide. For background information, see the StoneGate Management Center Reference Guide. All guides are available at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/.

Upgrade Instructions

Note: StoneGate Management Center (Management Server and Log Servers) must be upgraded before the firewall and IPS engines are upgraded to the same major version.

StoneGate Management Center version 5.1.4 requires an updated license if upgrading from version 5.0 or earlier. Unless the automatic license update functionality is in use, request a license upgrade on our website at https://my.stonesoft.com/managelicense.do and activate the new license using the StoneGate Management Client before upgrading the software.

To upgrade an earlier version of StoneGate Management Center to StoneGate Management Center version 5.1.4, we strongly recommend that you stop all the StoneGate services and then take a backup before continuing with the upgrade. After taking the backup, run the appropriate setup file depending on the operating system. The installation program detects the old version and does the upgrade automatically.

Versions earlier than 3.5.2 require upgrade to version 3.5.2–3.5.6 before upgrading to version 5.1.

Known Issues

The current known issues of StoneGate version 5.1.4 are described below. For an updated list of known issues, consult our website at http://www.stonesoft.com/support/stonegate/known_issues/.

Synopsis: Dynamic update package activation and policy upload do not work. (#50716)
Description: The Management Server database may be corrupted, preventing update activation and policy upload if dynamic update package 218 has been active at some point in the Management Server history. Usually the symptoms of the problem appear after upgrading to a new version.
Workaround: Contact Stonesoft Support for a workaround.

Synopsis: Customized title information may not appear in PDF reports. (#50214)
Description: If report sections are labeled with Cyrillic characters, the titles are missing from exported PDF reports.

Synopsis: Upgrade of online node in standby cluster never reaches 100%. (#49342)
Description: When upgrading an online node in a standby-mode cluster, the Management Center keeps waiting for the node to get back online after upgrade, even though the normal behavior is that the node stays in standby mode after reboot.
Workaround: Close the upgrade window and ignore the message about waiting for the node to come online.

Synopsis: Validating a newly created logging profile may not work properly. (#49338)
Description: Validating a logging profile may not work properly if the profile has not yet been saved.
Workaround: Before validation, click OK to close the logging profile and then reopen the profile.

Synopsis: Management Client may freeze during the creation of a Connectivity Diagram. (#48755)
Description: Displaying a VPN or Gateway Connectivity Diagram may take several minutes if the diagram contains a larger number of gateways with full-mesh VPN.
Workaround: Deselect the Draw Diagram on Selection option and drag and drop monitored elements to the area that is reserved for diagrams.

Synopsis: Add from Routing action in the Diagram Editor is slow. (#44989)
Description: The Add from Routing action in the Diagram Editor is slow with large setups.

Synopsis: Standby/Active settings of forwarded tunnels are not preserved during migration from versions prior to 4.0. (#30130)
Description: The information about forwarding tunnel status in a client-to-gateway VPN with a hub configuration is lost during an upgrade.
Workaround: If you are using a client-to-gateway VPN with a hub configuration, verify your tunnel settings after an upgrade from a version prior to 4.0.0.

Synopsis: Some settings are lost when importing VPN configurations from versions prior to 4.0. (#30067)
Description: Tunnel settings are not imported if the export has been taken from a Management Center version prior to 4.0. After the import, the tunnels use the default settings.
Workaround: Verify your tunnel settings after the VPN import.

Synopsis: Non-spoke Sites are migrated to spoke Sites if a gateway also contains spoke Sites. (#30065)
Description: Because the VPN Spoke setting has been moved to the VPN Gateway level (in versions before 4.0.0 the property was at the Site level), non-spoke Sites are changed to spoke Sites during upgrade if the gateway also had spoke Sites defined.

Synopsis: DHCP REBIND requests are not allowed by default. (#29987)
Description: If DHCP clients fail to renew IP addresses from the server that originally allocated the addresses, the clients attempt to broadcast DHCP REBIND messages to the network, requesting that some other DHCP server renew the IP. The DHCP Relay Sub-Policy does not allow these packets by default.
Workaround: Add a stateless rule before the jump to the DHCP Relay Sub-Policy to allow DHCP packets from the DHCP clients to the broadcast address:
    Source: [Address range of your DHCP pool]
    Destination: DHCP Broadcast Destination
    Service: BOOTPC (UDP)
    Action: Allow
    Options: No connection state tracking

Synopsis: Impossible to browse more than 1000 users stored in Active Directory. (#22881)
Description: When Active Directory is used as an external user database, it is impossible to browse more than 1000 users with the Management Client.
Workaround: Increase the maximum value of LDAP search results in SGConfiguration.txt. For example:
    LDAP_SEARCH_MAX_RESULT_CONSTRAINT=5000
See the instructions at Microsoft MSDN library for how to handle the configuration of the Active Directory server when a large number of users are queried.

Synopsis: Protocol field in Inspection Rules does not have effect on "Show Matching Situations" search result. (#21845)
Description: The Protocol field in Inspection Rules does not have an effect on the "Show Matching Situations" search result. However, the configuration is generated and matched correctly on a Sensor engine.

Synopsis: Dynamic IP Firewall engine does not support manual blacklisting. (#16597)
Description: Firewalls with dynamic control IP addresses do not support manual blacklisting.

Copyright and Disclaimer

© 2000–2010 Stonesoft Corporation. All rights reserved.

These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Stonesoft Corporation
Itälahdenkatu 22A
FI-00210 Helsinki
Finland
Tel. +358 9 476 711
Fax +358 9 4767 1234

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338
USA
Tel. +1 770 668 1125
Fax +1 770 668 1131

Copyright 2010 Stonesoft Corporation. All rights reserved. All specifications are subject to change.