Patch-ID# 105813-01
Keywords: Upgrade, jumbo, patch, 3.0b, 3.0bp2, build 3045, 3045
Synopsis: Solstice FireWall-1 3.0b SunOS: 3.0bp2 (Build 3045) Jumbo (Des)
Date: Jan/08/98

Solaris Release:
SunOS Release: 4.1.3
Unbundled Product: Firewall-1
Unbundled Release: 3.0
Relevant Architectures: sparc

BugId's fixed with this patch:

Changes incorporated in this version:

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

bin/fw
bin/fwui
bin/router_load
lib/base.def
lib/code.def
lib/formats.def
lib/table.def
modules/fwmod.5.x.o

Problem Description:

This patch contains the following changes: corrections of various anomalies in
FireWall-1 Security Servers, State Synchronization, Windows NT and Service
Pack 3, Address Translation, GUI problems, INSPECT and Security properties.

WARNING: This patch is compatible with FireWall-1 version 3.0b ONLY!
Do not apply it on any previous version.

Bug Fixes:
==========

State Synchronization - several crash scenarios

1. FireWalls stopped synchronization after a policy load.
2. FireWall-1 daemon crashed when more than 64K needed to be synchronized in one chunk.
3. FireWalls might get out of synchronization from time to time.
4. Security Servers might stop working if running on two synchronized machines.
5. FireWall synchronization does not behave properly after reload of a policy.
6. System crashes under heavy load.
7. Using synchronization with several features caused system crashes.
   See the Limitations section, below.

SMTP Security Server

1. SMTP Security Server reports "Too many open files" error message.
2. Long header lines logging.
3. Redundant spaces in sender and recipient were not RFC-821 compliant.
4. Some files were queued in the spool directory when CVP was used.
5. Mail error notifications were not sent properly.

HTTP Security Server

1. Crashes under load with CVP.
2. Crashes when the CVP Server goes down.
3. HTTP Server sends a redundant drop request.
4. Crashes under load if 'Block JAVA Code' is enabled.

FTP Security Server

1. Crashes under load with CVP.
2. When failing to connect to the CVP Server, the client (a.ftpd) goes out of sync.

UFP

1. FireWall-1 omits the query from the URL passed to the UFP Server.

Authentication

1. Support now provided for the SecurID New PIN Mode.
2. Ability to change the RADIUS port added.

Windows NT

1. Service Pack 3 PPP Support.
2. NT 4.0 fwntperf.dll.
3. Windows NT DNS crashes.
4. Windows NT Network Card of type El90x3 created incorrect Anti Spoofing code.

Address Translation

1. UDP DST Static Address Translation.

GUI

1. FwStatus - Year 2000 Compliance (FireWall-1 is now fully Year 2000 compliant).
2. *local mode now works on Motif.
3. FwStatus - correct SNMP communities are now used.
4. Windows and Motif GUI allowed creating Groups with illegal names (INSPECT reserved words).

INSPECT

1. Network Cards with / in their names caused compilation errors.
2. Others + Anti Spoofing specification creates wrong INSPECT code.
3. Defining a network object with the name 'servers' creates wrong INSPECT code.

Encryption

1. SKIP and IPSec with 'Decrypt upon accept' and ICMP caused a daemon crash.

Security Properties

1. SNMP from external machines (like HP OpenView) will not be accepted automatically but requires an explicit rule.

Miscellaneous

1. URI resource URL list file was not downloaded properly to remote FireWall Modules.
2. Support for longer INSPECT filters (up to 128K).
3. 'fw logexport' crashes if the info field is longer than 1024 bytes.

Limitations and known bugs:
===========================

1. The patch does not support State Synchronization of the following features
   (but they can still be used with synchronized modules):
      Network Address Translation.
      Encryption (VPN and SecuRemote).
      Accounting.
      Security Servers (Authentication and Content Security).
      Load Balancing (Logical Servers).
2. The patch is incompatible with the following embedded systems:
      Xylan switches running FireWall-1.
      Bay routers running FireWall-1.
   (Please note that Bay routers running Access List are not considered embedded
   systems, and as such they will run properly with this patch.)
   This implies that in order to control these embedded systems, a user must keep
   the old Management station rather than apply the patch. A user with a combined
   environment who needs the latest bug fixes incorporated into this patch must
   keep two separate Management stations: the old one for use with the embedded
   systems, and the new one for all other systems.
3. User Authentication done by PASV FTP via Netscape 3.0 and 4.0 browsers does not
   work (for instance, trying to issue: ftp://username:passwd@workstation.checkpoint.com).

Installation Issues:
====================

1. To upgrade a FireWall-1 Module, you must upgrade all components - kernel and fw.
2. To use State Synchronization, you must upgrade both the Management station and
   the FireWall Module, and edit table.def by deleting line 20 ("#define sync").
   In this case the patch should be applied to all FireWall-1 modules in the
   enterprise.
3. To upgrade a Management server, upgrade both fw and the GUI.
4. For Windows NT, setup.exe will install both the GUI and the Module (it
   automatically determines whether this is necessary).

Patch Installation Instructions:
--------------------------------

(1) Copy the patch file onto the Intel platform machine.
(2) Execute the fwinstallpatch script.
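Installation issue 2 above tells the administrator to delete line 20 of table.def, the "#define sync" line. The script below is an added example, not part of the patch or of Check Point's tooling: it refuses to edit unless line 20 really is that directive (so a table.def that has already been edited, or one from another release, is left alone), and it keeps a backup before deleting. The path to table.def is passed as an argument; the sample table.def it builds is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the patch README): remove the "#define sync" line from
# lib/table.def to enable State Synchronization, with a pre-edit check and backup.

enable_sync() {
    tabledef="$1"
    # The README says line 20 holds the directive; verify that before touching it.
    line20=$(sed -n '20p' "$tabledef")
    if [ "$line20" != "#define sync" ]; then
        echo "line 20 of $tabledef is '$line20', not '#define sync'; not editing" >&2
        return 1
    fi
    # Keep a copy named after the patch id so the edit can be reverted.
    cp "$tabledef" "$tabledef.pre-105813" || return 1
    sed '20d' "$tabledef" > "$tabledef.new" && mv "$tabledef.new" "$tabledef"
}

# Constructed sample table.def: 19 filler lines, the directive on line 20, one more line.
make_sample_tabledef() {
    out="$1"
    : > "$out"
    i=1
    while [ "$i" -le 19 ]; do
        echo "// filler line $i" >> "$out"
        i=$((i + 1))
    done
    echo "#define sync" >> "$out"
    echo "#define other_directive" >> "$out"
}
```

Run it as `enable_sync "$FWDIR/lib/table.def"` on the module; a second run exits non-zero because line 20 is no longer the directive.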