Release Notes
Clavister CorePlus
Version 9.15

Clavister AB
Sjögatan 6 J
SE-891 60 Örnsköldsvik
SWEDEN

Phone: +46-660-299200
Fax: +46-660-12250
www.clavister.com

Build: 9.15.02
Published 2010-06-14

Copyright © 2010 Clavister AB.


Copyright Notice

This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this document nor any of the material contained herein, may be reproduced without written consent of the author.

Disclaimer

The information in this document is subject to change without notice. The manufacturer makes no representations or warranties with respect to the contents hereof and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes.

Limitations of Liability

UNDER NO CIRCUMSTANCES SHALL CLAVISTER OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE CLAVISTER PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF CLAVISTER IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, CLAVISTER WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. CLAVISTER WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT CLAVISTER RECEIVED FROM THE END-USER FOR THE PRODUCT.

Table of Contents

1. Version Summary
2. New Features
    2.1. New Features and Enhancements in CorePlus 9.15.02
    2.2. New Features and Enhancements in CorePlus 9.15.01
    2.3. New Features and Enhancements in CorePlus 9.15.00
3. Addressed Issues
    3.1. Addressed Issues in CorePlus 9.15.02
    3.2. Addressed Issues in CorePlus 9.15.01
    3.3. Addressed Issues in CorePlus 9.15.00
4. Installation Instructions
    4.1. Upgrading from a CorePlus 8.nn system
    4.2. Upgrading a CorePlus 9.nn system
5. Known Limitations
6. Compatibility
7. Licensing
8. Getting Help

1. Version Summary

Clavister CorePlus 9.15 is the latest version of our award-winning network security operating system powering the Clavister Security Gateway Series, our premium UTM security solution.

For a list of appliances that are supported by this version of Clavister CorePlus, please refer to the Compatibility section.

Important
If you are using Clavister InControl for centralized management please note that CorePlus 9.15 requires InControl version 1.10.01 or later. Please upgrade your InControl installation before you upgrade Clavister CorePlus.

Important
Clavister CorePlus 9.15.02 requires a software subscription covering June 1, 2010. Make sure that this is covered before trying to upgrade the system, otherwise the system will enter a "License Lockdown" mode.

Note
Clavister CorePlus 9.15.nn versions are not compatible with Clavister FineTune. If you need centralized management, please use the new Clavister InControl centralized management software.

2. New Features

The following sections detail new features and enhancements in Clavister CorePlus 9.15. For a complete list and description of all the features in Clavister CorePlus 9.15, refer to Clavister CorePlus Admin Guide 9.15.

2.1. New Features and Enhancements in CorePlus 9.15.02

CLI Confirmation Question

A confirmation question will be prompted if the user attempts to execute a CLI command that may cause system delays.

2.2. New Features and Enhancements in CorePlus 9.15.01

No new features were introduced in the 9.15.01 release.

2.3. New Features and Enhancements in CorePlus 9.15.00

Object Grouping

It is now possible to group configuration objects into logical groups, which makes it easier to manage large numbers of configuration objects. It is also possible to add a description and a custom color to distinguish what these objects do. This grouping functionality is only for presentation and does not affect the existing functionality.

Logging enabled by default on rules

Logging is now enabled by default for the following objects: Access, DHCP Server, DHCP Relay, Routing Rule, Dynamic Routing Policy Rule, IDP Rule Action, IP Rule, OSPF Router Process, Threshold Action and User Authentication Rule.

Static configuration objects

Static configuration objects now revert to their default values if the objects contain configuration errors. This prevents the Security Gateway from misbehaving due to configuration errors on static objects.

Improved script command

The script command has been updated to handle adding objects with dependencies between each other.

New authentication source for user authentication

User authentication has been updated with a new authentication source that will grant access to the user without checking any credentials. This functionality can be used to authenticate users from within login scripts etc, to make auditing easier.

The default configuration now uses time synchronization

Time synchronization is now enabled in the default configuration and points to ntp.clavister.com.

Updated the layout rules pages

The layout of all rules pages has been updated to make entering the interface and network combination more intuitive.

The WebUI data grid shows information about objects as tooltip

The data grid in the WebUI now displays information for simple objects as a tooltip (an example is a reference to an IP4Address, which would show the address value as a tooltip).

3. Addressed Issues

The following sections detail the addressed issues in the Clavister CorePlus 9.15 release.

COP items refer to issues in Clavister CorePlus.

3.1. Addressed Issues in CorePlus 9.15.02

• COP-8261: Certain SIP PBX configurations blocked media transmission on calls established between devices located on the same interface of the Security Gateway.

• COP-9135: The POP3 ALG did not reset its state after a failed authentication. This could cause the next login attempt to fail.

• COP-9175: Specific Intrusion Detection Protection (IDP) scenarios using hardware acceleration could cause scans to fail.

• COP-9195: Restarting a GRE interface sometimes triggered an unexpected restart of the Security Gateway.

• COP-9223: The POP3 ALG did not allow Digest-MD5 authentication.

• COP-9285: The SIP ALG could forward malformed SIP messages if a range 0-65535 was used as destination port in the SIP service configuration.

• COP-9288: Specific scenarios using the PPTP ALG could sometimes cause an unexpected restart of the Security Gateway.

• COP-9313: Web User Interface: Activating a configuration that had deleted an item that was represented in the navigation tree would not automatically update the navigation tree. This resulted in a navigation tree that did not correspond to the running configuration.

• COP-9327: Checked checkbox properties that were disabled were unchecked when submitting data in the Web User Interface (since information sent by a web browser is identical for an unchecked checkbox and a disabled checkbox). The configuration engine now correctly remembers the state of disabled checkboxes when submitting data.

• COP-9339: The HTTP ALG MIME type check did not have support for OpenDocument Text Documents (odt).

• COP-9353: Script execute did not allow the 'cc' command to run without parameters. The command has been updated.
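
The browser behaviour behind COP-9327, as an added example that is not Clavister code: a simulated form submission in which a disabled checked box and an unchecked box both vanish from the posted data, with a flawed handler beside one that keeps the stored state. The property names and the "locked" flag are hypothetical.

```javascript
// Constructed schema with hypothetical property names (not CorePlus keys).
// "locked" properties are rendered as disabled checkboxes.
const SCHEMA = {
  logEnabled: { locked: true },
  allowPing: { locked: false },
  sendAlerts: { locked: false },
};

// Server side: turn the stored configuration into form controls.
function render(stored) {
  return Object.keys(SCHEMA).map((name) => ({
    name,
    checked: stored[name] === true,
    disabled: SCHEMA[name].locked,
  }));
}

// Browser side: HTML form submission omits disabled controls and
// unchecked checkboxes, so the server cannot tell the two apart.
function browserSubmit(controls) {
  const posted = {};
  for (const c of controls) {
    if (c.disabled || !c.checked) continue;
    posted[c.name] = "on";
  }
  return posted;
}

// Flawed handler: treats every absent checkbox as "unchecked".
function naiveApply(stored, posted) {
  const next = {};
  for (const name of Object.keys(SCHEMA)) {
    next[name] = Object.prototype.hasOwnProperty.call(posted, name);
  }
  return next;
}

// Corrected handler: the server decides from its own schema which controls
// were disabled and keeps their stored state. A posted value for a locked
// property is ignored, so the client cannot change it either.
function stateAwareApply(stored, posted) {
  const next = {};
  for (const name of Object.keys(SCHEMA)) {
    next[name] = SCHEMA[name].locked
      ? stored[name] === true
      : Object.prototype.hasOwnProperty.call(posted, name);
  }
  return next;
}

// Constructed scenario: the user unchecks allowPing and checks sendAlerts.
function demo() {
  const stored = { logEnabled: true, allowPing: true, sendAlerts: false };
  const controls = render(stored).map((c) => {
    if (c.name === "allowPing") return { ...c, checked: false };
    if (c.name === "sendAlerts") return { ...c, checked: true };
    return c;
  });
  const posted = browserSubmit(controls);
  return {
    posted,
    naive: naiveApply(stored, posted),
    fixed: stateAwareApply(stored, posted),
  };
}

console.log(demo());
```

With the flawed handler the locked logEnabled setting is silently switched off by an unrelated edit; the corrected handler leaves it as stored.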

3.2. Addressed Issues in CorePlus 9.15.01

• COP-8364: Certain SIP option messages with high values for the "expires" header field failed to be properly parsed. When that occurred, incoming calls to phones placed behind the Security Gateway failed.

• COP-8598: Some specific high-stress Intrusion Detection and Protection scenarios using a hardware accelerator could drain the memory of the Security Gateway.

• COP-8802: The SMTP ALG did not accept response codes that only contained numeric data.

• COP-8844: Browsing the Web User Interface over HTTPS would sometimes result in "Error 500 - Internal server error".

• COP-9167: A limitation on the number of simultaneous WebAuth transactions could prevent the authentication of authorized users.

• COP-9208: Dropdown menus in the Web User Interface used a fixed width, which caused objects with long names to push information outside the window. The dropdowns are now scaled to be able to show all the information. The dropdown also automatically scrolls to the selected item when opened.

• COP-9251: WebUI: The Mappings and Leases links on the DHCP Server status page didn't work.

• COP-9280: Disabling objects with references in the WebUI would delete the objects and references instead. The objects are now only disabled when selecting to disable them.

3.3. Addressed Issues in CorePlus 9.15.00

• COP-7834: The IP4 Group object didn't handle excluded addresses correctly. It's now possible to use excluded and included objects in the correct way.

• COP-8018: CLI command 'show RemoteManagement' did not print netcon headline.

• COP-8308: The "range" parameter in the "rules" CLI command did not work.

• COP-8488: Some HTTP headers could cause HTTP connections through the HTTP ALG to be closed down prematurely.

• COP-8862: Directly after a reconfiguration using a HA configuration the interface synchronization list for the Inactive node contained invalid interface references which could cause problems when connections were synchronized before the list was rebuilt. The references are now properly cleared during a reconfiguration.

• COP-8983: It was not possible to use User Authentication enabled objects in Routing Rules, Threshold Rules, IDP Rules or Pipe Rules.

• COP-9082: Users were not properly logged in when IPsec LAN to LAN tunnels were configured to require IKE XAuth. This could cause an unexpected reboot. Now the LAN to LAN case is properly handled by IKE XAuth.

• COP-9096: The L2TP/PPTP Server overview grid did not have a column for "Server IP".

• COP-9103: The dropdown to select the interface for OSPF Neighbor in the WebUI printed the name wrongly. The dropdown code has been enhanced to handle this value correctly and print the proper name.

• COP-9104: The validation of the latency setting in the Host Monitor configuration was not correct. The configured value was lowered to an incorrect value.

• COP-9107: The WebUI column sort markers were hard to use because they moved when trying to click on them. The behavior has been fixed in the stylesheet.

• COP-9111: The setup wizard only created the second of the two possible Syslog servers. The first Syslog server is now correctly created by the wizard.

• COP-9116: The "min" and "preferred" input fields had swapped position on the configuration page for IPsec Algorithms and IKE Algorithms in the WebUI. The position of the input fields has been corrected.

• COP-9117: In the WebUI it was not possible to change the order of objects that were both disabled and deleted. It's now possible to move objects that are both disabled and deleted.

• COP-9162: The CLI techsupport command always sent a "sesmgr_file_error" log message, even when it worked correctly. The techsupport command now only sends the log message when it fails.

• COP-9178: The IPRule view in the WebUI was slow when viewing large collections of rules. The rendering speed has been improved.

4. Installation Instructions

4.1. Upgrading from a CorePlus 8.nn system

For detailed instructions on how to upgrade from a CorePlus 8.nn version to 9.nn please refer to Chapter 2 of the Admin Guide for CorePlus 9.15.

Important
Only versions from and including CorePlus 8.60.01 upwards can be upgraded to 9.nn.

4.2. Upgrading a CorePlus 9.nn system

This section describes how to upgrade the system using the Web User Interface. For a detailed description on how to upgrade the system using SCP please refer to the Clavister CorePlus admin guide.

To upgrade Clavister CorePlus using the Web user interface, follow these simple steps:

• Browse to the Web User Interface and log in as a user with full administrative rights.

• From the "Maintenance" menu select "Upgrade".

• Click the "Browse..." button and select the .upg file which contains the upgrade.

• Click the "Upload firmware image" button to upload the image and start the upgrade procedure.

• When the file has been uploaded to the gateway, the message "Firmware upload complete." will be presented and the system will restart.

• When the system has been restarted the login screen will appear and the system upgrade is complete.

5. Known Limitations

• High Availability: Transparent Mode does not work in HA mode. There is no state synchronization for Transparent Mode and there is no loop avoidance.

• High Availability: No state synchronization for Application Layer Gateways. No aspect of Application Layer Gateways is state synchronized. This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again. Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

• High Availability: Tunnels unreachable from inactive node. The inactive node in an HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.

• Inactive HA member cannot send log events over tunnels.

• Inactive HA member cannot be managed / monitored over tunnels.

• OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

• High Availability: No state synchronization for L2TP, PPTP and IPsec tunnels. There is no state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30-120 seconds range.

• High Availability: No state synchronization for IDP signature scan states. No aspects of the IDP signature states are synchronized. This means that there is a small chance that the IDP engine causes false negatives during an HA failover.

• High Availability: Synchronization with a gateway using Clavister CorePlus version 8.81.01 is not supported. Due to an interoperability problem in the High Availability protocol, HA synchronization with version 8.81.01 of Clavister CorePlus is not supported, and will cause stability issues.

6. Compatibility

The following section outlines the direct compatibility considerations as of CorePlus 9.15.02.

The following hardware appliances are supported as of the Clavister CorePlus 9.15 release. Clavister does not guarantee compatibility with other hardware appliances.

• Clavister Security Gateway SG10 Series

• Clavister Security Gateway SG50 Series

• Clavister Security Gateway SG3100 Series

• Clavister Security Gateway SG3200 Series

• Clavister Security Gateway SG4200 Series

• Clavister Security Gateway SG4300 Series

• Clavister Security Gateway SG4400 Series

• Clavister Security Gateway SG6010 Series

For software installations, please refer to the Hardware Compatibility List on the Clavister website.

7. Licensing

Clavister CorePlus 9.15.02 requires a software subscription covering June 1, 2010. Make sure that this is covered before trying to upgrade the system, otherwise the system will enter a "License Lockdown" mode.

8. Getting Help

Technical Assistance via Telephone or Email

We offer timely and rapid response to customer inquiries and service requests via telephone or email. Do not hesitate to contact us if you have any questions regarding the upgrade or installation procedure.

Clavister Technical Support
Phone: +46 (0)660-29 77 55
E-mail: [email protected]
http://www.clavister.com/support/
