Patch-ID# 108454-01
Keywords: y2000 Upgrade FireWall-1 3.0b SP9 Build_3096
Synopsis: Solstice FireWall-1 3.0b (Service Pack 9)_x86: Upgrade patch (VPN)
Date: Nov/16/1999

Solaris Release: 2.5.1_x86 2.5_x86 2.6_x86
SunOS Release: 5.5.1_x86 5.5_x86 5.6_x86
Unbundled Product: Firewall-1
Unbundled Release: 3.0b
Xref:
Topic:
Relevant Architectures: i386

BugId's fixed with this patch:

Changes incorporated in this version:

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:
acl.conf
base.def
chkpnt.mib
code.def
context.conf
control.map
formats.def
fw.exe
fwconfig
fwconfig.exe
fwopsec.conf
fwsvc.exe
fwui
fwui_head.def
logviewer.C
mib.txt
mib4.txt
objects.C
omi.conf
party.conf
router_load
router_load.exe
sendmail.exe
setup.C
slapd.conf
snmp.def
table.def
traps.def
view.conf
wellfleet.mib
fw
fwc

NOTE:
1. Kernel module. New build number: 3096. To view run 'fw ver -k'
2. Executables in $FWDIR/bin: fw, fwconfig, router_load
   (executables fw.exe, fwconfig.exe, router_load.exe, fwsvc.exe and sendmail.exe on Windows NT only).
   New build number: 3096. To view run 'fw ver'
   fwui (Openlook GUI, on Solaris2, Solaris2-i386 and HPUX only). New build number: 3097. To view run 'fwui ver'
   fwc (script, on UNIX platforms only)
3. Inspect files in $FWDIR/lib:
   base.def code.def formats.def fwui_head.def table.def traps.def snmp.def control.map setup.C
4. SNMP configuration files in $FWDIR/lib/snmp:
   acl.conf context.conf party.conf view.conf chkpnt.mib mib.txt mib4.txt wellfleet.mib
5. Configuration files in $FWDIR/conf:
   fwopsec.conf omi.conf slapd.conf
   logviewer.C (On Unix platforms only)
   objects.C (The new file will be merged with the existing one.)

Problem Description:

Bug Fixes:

Security Servers:
1. Fixed a problem where S/Key authentication would sometimes fail although it should have succeeded.
2. Fixed a bug which could cause error logs saying 'info buffer to short' when using URI resources and connecting to long URLs.
3. When the FireWall-1 mail dequeuer closes a connection with the mail server prematurely for any reason, the connection will now be closed in an orderly manner.
4. Fixed crashes in the SMTP security server.
5. Fixed a problem that would cause error mails sent by the SMTP security server to be rejected by certain types of mail servers.
6. The SMTP security server can now handle addresses where the user name includes spaces and is quoted.
7. Fixed a bug that could cause the SMTP security server to crash when installing a policy during heavy traffic load.
8. It is now possible to specify an IP address as the definition of the Mail Server for SMTP resources.

Encryption:
1. Fixed a problem in Manual IPSEC which would cause the first packet sent by a peer after it was rebooted to be dropped.
2. Fixed a problem when using FWZ encryption with MD5, where once in a while connections (especially long ones, e.g. big FTP downloads) would get stuck.
   The fix is activated by editing objects.C as detailed below. Once the fix is activated, FWZ with MD5 on the fixed VPN-1 module will not be compatible with another VPN-1 module that does not have the fix activated, and will also not be compatible with SecuRemote clients of version 3.0 or earlier.
   To activate the fix:
   1. Stop the VPN-1 module by running 'fwstop'.
   2. Edit the file $FWDIR/conf/objects.C. Search for the line:
         :icmpcryptver (n)
      where n is a numeric value. If n=0, change it to 2. If n=1, change it to 3.
   3. Start the VPN-1 module by running 'fwstart'.
3. Fixed a problem where setting 'accept outgoing packets' to 'first' when using encryption rules for protocols other than TCP and UDP (e.g. ICMP) could result in failure of connections and in packets passing clear on these encryption rules.
4. The H323 service can now work with encryption.
OpenLook GUI:
1. In the OpenLook GUI, fixed the auto-update of the System Status.
2. Fixed bugs that could cause the OpenLook System Status to crash.

Router Management (RSC/SRE):
1. Fixed a problem where selecting more than one switch object to install the policy on would fail to install on any but the first switch.
2. Corrected the generation of the netmask created for routers when using 'Specific' as the 'Valid Addresses' option of the 'Interface Properties' defining the network object.
3. Fixed a bug where choosing long logs for a rule which is installed on a Cisco router would produce an access list with a syntax error.
4. When managing a Bay router from the OpenLook GUI it is now possible to select the version of the Bay router when defining its network object.
5. When managing routers, the policy will now be correctly installed on all routers when the 'Install On' column is set to 'Routers'.

Client Encryption:
1. Fixed a bug where some connections with SecuRemote clients would not show in the Active Connections in the Log Viewer.
2. Added the 'Password Expire After' value of SecuRemote users to 'fw dbexport' and 'fw dbimport'.

HPUX:
1. Fixed a bug that could cause the machine to panic when running on an HPUX Dual CPU machine and using Security Servers.
2. On HP platforms, fixed the selection by date in the LogViewer for year 2000, in the Motif GUI and in the OpenLook GUI.
3. Fixed a bug which could cause an HPUX machine to crash when the VPN-1 & FireWall-1 license is node limited.
4. The handling of IP forwarding by the FireWall-1 kernel on HPUX was changed so that the kernel will now only turn on IP forwarding once it receives the first packet. This will only be done if the user configured the FireWall to control IP forwarding at boot time, or if IP forwarding in the system was initially set to 0. Otherwise the FireWall will not turn IP forwarding on. It is recommended to configure the FireWall to control IP forwarding at boot time.
Windows NT:
1. In FwConfig on Windows NT, fixed a bug where the selection of controlling IP forwarding was not shown in the IP forwarding tab.
2. On Windows NT the 'Address Translation' tab has been removed from FwConfig since its functionality is no longer required.
3. On Windows NT, fixed a bug where, on a failed attempt to connect on Session Authentication rules, the FireWall would not properly terminate the connection.

AIX:
1. Fixed a bug which could cause a dual CPU AIX machine to crash when running 'fwstop' during heavy traffic.

Miscellaneous:
1. Fixed a problem where S/Key authentication would sometimes fail although it should have succeeded.
2. Fixed a bug which could cause the code generation process to crash with very large rulebases.
3. Fixed a bug in 'fw dbexport' that would produce bad output if no Radius Server was defined.
4. It is now possible to define an unlimited number of interfaces per network object.
5. Fixed a problem on UNIX platforms where, in the process of compiling a security policy, FireWall-1 would write a temporary file in the directory /tmp.
6. Fixed a bug that could cause the FireWall daemon to crash when trying to authenticate a user which belongs to a group which was nested in another group but then removed.
7. Fixed a bug where, when a remotely managed module was configured to log locally, event logs would be received saying 'Too many logs, lost some'.
8. Fixed a bug where license violation messages could cause the FireWall daemon to crash if the machine had a long host name.
9. The default expiration date for user templates in the GUI has been changed to December 31, 2000.
10. Corrected the ports for the IRC predefined service.
11. You can now enable light policy verification by a property as follows:
    Stop the FireWall using 'fwstop' (or on NT stop the FireWall-1 service).
    Edit the file $FWDIR/conf/objects.C.
    After the line:
        :props (
    Add the line:
        :fw_light_verify (true)
    Start the FireWall by running 'fwstart' (or on NT start the FireWall-1 service).
12. In the log viewer it is now possible to select entries for a single day by giving the same date in the 'from' and 'to' fields of the selection.

Feature Enhancements:

HTTP Security Server:
It is now possible to instruct the HTTP security server to accept double slashes (i.e. '//') in a substring of the URL. In order to allow this, the security server will define a set of schemes that it will accept. The default set includes prospero, gopher, telnet, finger, mailto, http, news, nntp, wais, file & ftp. You may define new schemes, which will be added to this set. To configure this you must do the following:
Stop the FireWall using 'fwstop' (or on NT stop the FireWall-1 service).
Edit the file $FWDIR/conf/objects.C.
After the line:
    :props (
Add the lines:
    :http_allow_double_slash (true)
    :http_use_default_schemes (true)
In order to define additional schemes add also:
    :scheme ("<scheme_name>:")
where scheme_name is the name of the new scheme. For example, to define http you would add:
    :scheme ("http:")
Start the FireWall by running 'fwstart' (or on NT start the FireWall-1 service).

Kernel Build Number:
You can now view the build number of the FireWall-1 kernel module by running the command 'fw ver -k'. The last line of the output gives the kernel build number.

Windows NT Boot Security:
A new option has been added for boot security on Windows NT. Until the security policy is loaded, the FireWall-1 module can now block incoming packets in addition to blocking IP forwarding. To turn this option on you must edit the registry, setting the value of the following parameter to 2:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters\IPForwarding

End users who purchased FireWall-1 version 3.0b.

Warning: This Service Pack is compatible with FireWall-1 version 3.0b ONLY! Do not apply it on a lower version.
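As an added example (not part of this README and not Check Point's own tooling), the following POSIX shell script performs the two objects.C edits described above in a scripted, checkable way: the icmpcryptver bump for the FWZ/MD5 fix, and adding a property such as fw_light_verify or http_allow_double_slash directly under ':props ('. It assumes the ':key (value)' line layout quoted in this README; the function names, the .pre-sp9 backup suffix and the sample fragment are my own.

```sh
#!/bin/sh
# Added example, not part of the original patch README: scripts the two objects.C edits
# this Service Pack describes (icmpcryptver bump for the FWZ/MD5 fix, and adding a property
# such as fw_light_verify or http_allow_double_slash under ":props ("). Assumes the
# ":key (value)" line layout the README quotes. Run only between fwstop and fwstart.

# Keep an untouched copy before editing; prints the backup path.
backup_objects() {
    cp "$1" "$1.pre-sp9" && printf '%s\n' "$1.pre-sp9"
}

# FWZ/MD5 fix: ":icmpcryptver (0)" becomes (2) and "(1)" becomes (3).
# Values already at 2 or 3 are left alone, so a second run is a no-op.
bump_icmpcryptver() {
    tmp="$1.tmp.$$"
    awk '/^[[:space:]]*:icmpcryptver[[:space:]]*\(0\)/ { sub(/\(0\)/, "(2)") }
         /^[[:space:]]*:icmpcryptver[[:space:]]*\(1\)/ { sub(/\(1\)/, "(3)") }
         { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Insert ":key (value)" directly after the first ":props (" line, indented one
# tab deeper than that line. Does nothing if the key already exists.
add_prop() {
    file="$1"; key="$2"; val="$3"
    grep -q "^[[:space:]]*:$key[[:space:]]*(" "$file" && return 0
    tmp="$file.tmp.$$"
    awk -v key="$key" -v val="$val" '
        { print }
        !done && /^[[:space:]]*:props[[:space:]]*\(/ {
            match($0, /^[[:space:]]*/)
            print substr($0, 1, RLENGTH) "\t:" key " (" val ")"
            done = 1
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read a property back so the edit can be checked before fwstart.
get_prop() {
    sed -n "s/^[[:space:]]*:$2[[:space:]]*(\(.*\)).*/\1/p" "$1"
}

# Demo on a constructed objects.C fragment (not a real file from the product).
demo_objects=$(mktemp)
printf '(\n\t:props (\n\t\t:icmpcryptver (0)\n\t)\n)\n' > "$demo_objects"
backup_objects "$demo_objects" > /dev/null
bump_icmpcryptver "$demo_objects"
add_prop "$demo_objects" fw_light_verify true
echo "icmpcryptver is now $(get_prop "$demo_objects" icmpcryptver)"   # 2
```

Check the result with get_prop before running fwstart; the .pre-sp9 copy lets you restore the previous objects.C if a peer module or older SecuRemote client stops interoperating.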
Patch Installation Instructions:
--------------------------------
Refer to the Install.info file for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. Any other special or non-generic installation instructions should be described below as special instructions.

Special Install Instructions:
-----------------------------
All Service Pack files are grouped into one .tgz (tar and gzipped) file for each UNIX platform, and compressed into a ZIP file for Windows. To install the Service Pack, please follow the instructions below:

UNIX platforms:
1. Download both .tgz files (Module and GUI), each to a different temp directory.
2. Gunzip and untar each file in the different temp directories.
3. Issue "fwinstallpatch". This will start the Service Pack installation for both the FireWall-1 and OpenLook GUI.

Windows:
1. Download the .ZIP file to a temporary directory and extract the files.
2. Double-click setup.exe. This will start the Service Pack installation.

README -- Last modified date: Thursday, December 7, 2000