Patch-ID# 108156-17 Keywords: encryption efs security international ha logdump ftp fragmentation Synopsis: SunScreen EFS 3.0b (Sparc) miscellaneous fixes. Date: Dec/08/2003 ****************************************************** The items made available through this website are subject to United States export laws and may be subject to export and import laws of other countries. You agree to strictly comply with all such laws and obtain licenses to export, re-export, or import as may be required. Unless expressly authorized by the United States Government to do so you will not, directly or indirectly, export or re-export the items made available through this website, nor direct the items therefrom, to any embargoed or restricted country identified in the United States export laws, including but not limited to the Export Administration Regulations (15 C.F.R. Parts 730-774). ****************************************************** Install Requirements: Additional instructions may be listed below Solaris Release: 2.6 7 SunOS Release: 5.6 5.7 Unbundled Product: SunScreen EFS Unbundled Release: 3.0 Rev B Xref: This patch is available for x86 as Patch 108157. Topic: Relevant Architectures: sparc BugId's fixed with this patch: 4048429 4231913 4231917 4253279 4257613 4258953 4259288 4259291 4263150 4263985 4266794 4267482 4268211 4269897 4271577 4272397 4273153 4273198 4273416 4274877 4275509 4276516 4278908 4279409 4280348 4280375 4281974 4286707 4287892 4291630 4291953 4292561 4296011 4297741 4302056 4302422 4306041 4310845 4313231 4314493 4317939 4326689 4328055 4329296 4333069 4347381 4347894 4347899 4347905 4351317 4355078 4355752 4365144 4366229 4370757 4371086 4371655 4371831 4373963 4373964 4373966 4373972 4373976 4377098 4377829 4378218 4380217 4395538 4400107 4409715 4412981 4415446 4418010 4431381 4432276 4432480 4458205 4464430 4467805 4468944 4474065 4475718 4475976 4483861 4484569 4484731 4485964 4489200 4491469 4493103 4494052 4530873 4531796 4599245 4621944 4632254 4636508 4636511 4636514 4658497 4693028 4710480 4710493 4713896 4729278 4760976 4762492 4764370 4764373 4767244 4770205 4786105 4861572 Changes incorporated in this version: 4861572 4786105 4599245 4636508 4710480 4636511 4636514 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /etc/init.d/plumbsunscreen /etc/opt/SUNWicg/SunScreen/SunScreenEFS.x509 /kernel/drv/screen /kernel/drv/sparcv9/screen /kernel/strmod/efs /kernel/strmod/sparcv9/efs /kernel/strmod/sparcv9/spf /kernel/strmod/spf /opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump /opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/Session.class /opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/nl_catd.class /opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/ConfigListWindow.class /opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/GetTextDialog.class /opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/SearchPanel.class /opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/SunScreenApplet.class /opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/logbrowser/LogBrowser.class /opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/efsgui_en_us.class /opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/sg_registry.jar /opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/identitydb.obj /opt/SUNWicg/SunScreen/bin/ss_install /opt/SUNWicg/SunScreen/bin/sslogmgmt /opt/SUNWicg/SunScreen/lib/authuser /opt/SUNWicg/SunScreen/lib/catgets /opt/SUNWicg/SunScreen/lib/datacompiler /opt/SUNWicg/SunScreen/lib/efs2to3 /opt/SUNWicg/SunScreen/lib/get_access /opt/SUNWicg/SunScreen/lib/getlog /opt/SUNWicg/SunScreen/lib/install_UDH_keys /opt/SUNWicg/SunScreen/lib/jar_hash /opt/SUNWicg/SunScreen/lib/jar_sig /opt/SUNWicg/SunScreen/lib/javaexec /opt/SUNWicg/SunScreen/lib/logbrfmt /opt/SUNWicg/SunScreen/lib/logdump /opt/SUNWicg/SunScreen/lib/logmacro /opt/SUNWicg/SunScreen/lib/logmgmt-Xample /opt/SUNWicg/SunScreen/lib/logmsg /opt/SUNWicg/SunScreen/lib/mail_relay /opt/SUNWicg/SunScreen/lib/mail_spam /opt/SUNWicg/SunScreen/lib/natcompiler /opt/SUNWicg/SunScreen/lib/proxyuser /opt/SUNWicg/SunScreen/lib/screeninfo /opt/SUNWicg/SunScreen/lib/ss_access /opt/SUNWicg/SunScreen/lib/ss_access_convert /opt/SUNWicg/SunScreen/lib/ss_active_config /opt/SUNWicg/SunScreen/lib/ss_address /opt/SUNWicg/SunScreen/lib/ss_certificate /opt/SUNWicg/SunScreen/lib/ss_compiler /opt/SUNWicg/SunScreen/lib/ss_default_drop /opt/SUNWicg/SunScreen/lib/ss_disable_send /opt/SUNWicg/SunScreen/lib/ss_ha /opt/SUNWicg/SunScreen/lib/ss_ha_active_mode /opt/SUNWicg/SunScreen/lib/ss_ha_passive_mode /opt/SUNWicg/SunScreen/lib/ss_had /opt/SUNWicg/SunScreen/lib/ss_interfaces /opt/SUNWicg/SunScreen/lib/ss_logd /opt/SUNWicg/SunScreen/lib/ss_nat /opt/SUNWicg/SunScreen/lib/ss_rule /opt/SUNWicg/SunScreen/lib/ss_rule_convert /opt/SUNWicg/SunScreen/lib/ss_service /opt/SUNWicg/SunScreen/lib/ss_spam_list /opt/SUNWicg/SunScreen/lib/ss_upgrade /opt/SUNWicg/SunScreen/lib/statetables /opt/SUNWicg/SunScreen/lib/statetables64 /opt/SUNWicg/SunScreen/lib/strs /opt/SUNWicg/SunScreen/lib/user_authenticate /opt/SUNWicg/SunScreen/lib/vars /opt/SUNWicg/SunScreen/proxies/ftpp /opt/SUNWicg/SunScreen/proxies/httpp /opt/SUNWicg/SunScreen/proxies/smtpp /opt/SUNWicg/SunScreen/proxies/telnetp /opt/SUNWicg/SunScreen/ssadm/activate /opt/SUNWicg/SunScreen/ssadm/algorithm /opt/SUNWicg/SunScreen/ssadm/debug_level /opt/SUNWicg/SunScreen/ssadm/edit /opt/SUNWicg/SunScreen/ssadm/ha /opt/SUNWicg/SunScreen/ssadm/lock /opt/SUNWicg/SunScreen/ssadm/log /opt/SUNWicg/SunScreen/ssadm/logdump /opt/SUNWicg/SunScreen/ssadm/logmacro /opt/SUNWicg/SunScreen/ssadm/logstats /opt/SUNWicg/SunScreen/ssadm/patch /opt/SUNWicg/SunScreen/ssadm/policy /opt/SUNWicg/SunScreen/ssadm/stateengine /opt/SUNWicg/SunScreen/ssadm/sys_info /opt/SUNWicg/SunScreen/ssadm/traffic_stats /opt/SUNWicg/SunScreen/support/findcore /opt/SUNWicg/SunScreen/support/nattables /opt/SUNWicg/SunScreen/support/nattables64 /opt/SUNWicg/SunScreen/support/packages /opt/SUNWicg/SunScreen/support/statetable_summary /opt/SUNWicg/SunScreen/support/stats /opt/SUNWicg/SunScreen/support/versions /usr/kernel/drv/screen_skip /usr/kernel/drv/sparcv9/screen_skip /usr/kernel/misc/screen_fail /usr/kernel/misc/screen_ftp /usr/kernel/misc/screen_nfsro /usr/kernel/misc/screen_normal /usr/kernel/misc/screen_raudio /usr/kernel/misc/screen_rsh /usr/kernel/misc/screen_sqlnet /usr/kernel/misc/screen_tcp /usr/kernel/misc/sparcv9/screen_fail /usr/kernel/misc/sparcv9/screen_ftp /usr/kernel/misc/sparcv9/screen_nfsro /usr/kernel/misc/sparcv9/screen_normal /usr/kernel/misc/sparcv9/screen_raudio /usr/kernel/misc/sparcv9/screen_rsh /usr/kernel/misc/sparcv9/screen_sqlnet /usr/kernel/misc/sparcv9/screen_tcp /opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/nl_catd.so Problem Description: 4861572 Sunscreen 3.1 network connectivity slows to unusable level 4786105 passive screen sends wrong MAC address in gratuitous arp at boot time. 4599245 Some HA messages don't get into messages files 4636508 ss_had does not log enough information to diagnose HA issues. 4710480 ss_had prints erroneous errors to syslog. 4636511 Age drift can cause unnecessary HA failover 4636514 Active screen will become passive then active when ss_had restarted on secondary 4484731 typo in ss_had error message Changes to the HA daemon ( ss_had ). ==================================== To make ss_had more reliable and easier to administer a number of changes have been made to the way in which ss_had logs its error messages. There are a number of new error and informative messages which fall into 3 categories: Errors & warnings ================= These are typically reporting something which is critical. These errors are logged to syslog at priority LOG_ERR (see note 1). Examples: Screen myscreen1 (10.0.0.1) is PASSIVE SunScreen HA Screen becoming ACTIVE Screen. Shutting down High Availability. Informative =========== These messages are not critical but are considered important enough to record. These are logged to syslog at priority LOG_NOTICE (see note 1). Examples: Screen 10.0.0.2 (myscreen2) responding to ping, but not sending status. Setting new ether addr: 8:0:20:a9:ea:e4. Screen myscreen1 (10.0.0.1) becoming ACTIVE (Other screen(s) DOWN). Debug ===== These are messages which are used to allow a system administrator or support person work out what is happening when a HA cluster fails over from one node to another. Typically these would be used when a failure keeps occurring but the reason why is not clear. These messages are normally not recorded at all because the output would will up the messages file. Examples: [DEBUG] Warning HA interface not received a packet for 30 seconds [DEBUG] Bumping age of screen myscreen1 (10.0.0.1) to 12345 [DEBUG] Interface qfe0 now receiving packets (This is only a partial list) To see the DEBUG messages send a QUIT signal to ss_had: # pkill -QUIT ss_had This message will be reported: [DEBUG] Debugging turned on. To turn off the DEBUG send another QUIT signal to ss_had. The DEBUG messages are logged to syslog at priority LOG_NOTICE (see note 1). Notes: 1) The default syslog configuration will log: LOG_ERR to the console and /var/adm/messages LOG_NOTICE just to /var/adm/messages This behaviour can be changed by editing /etc/syslog.conf (4) 2) The ss_had no longer writes any messages to stdout. statetable_summary ------------------ This script is provided to aid diagnosis of performance problems caused by large state tables. The performs analysis on a file containing the output from one of: ssadm lib/statetables ssadm lib/nattables ssadm lib/screeninfo Usage: /usr/lib/sunscreen/support/statetable_summary file_to_analyse The output is written to stdout and files in /var/tmp This script can be run on a system with SunScreen installed in which case it will run the statetables & nattables commands directly if an input file is not specified. If an input file is provided then the script can be run on any Solaris system, it does not have to be run on the screen. In many cases this is desirable because the script can take a very long time to run and generate significant load on the system if the statetable it is analysing is very large. As with all programs in /usr/lib/sunscreen/support this is provided for support purposes only and not a supported part of the product. (from 108156-16) 4371086 NFS state engine assumes 20 byte tcp header size 4371655 PASSIVE screen leaks skip encrypted packets 4458205 traffic_stats output has error 4467805 UDP hash lookup needs improvement 4468944 SunScreen drops TCP ECN packets 4474065 SunScreen cluster can hang (allocb fail) 4475976 Does not properly process SYN+ACK packets generated by VIP on local loopback 4483861 ttls for NAT entries need to be more closely related to stateentries 4491469 reply packets don't match broadcast UDP sessions, get dropped 4530873 ssadm traffic_stats reports negative values 4531796 ss_had shutdown sends gratuitous arp with wrong MAC address 4632254 sqlnet engine hangs after fetching few records 4658497 Problem with multiple screen definitions containing HA_ETHER 4693028 Stealth Screen can leak packets destined to non-local subnet with no route 4710493 Network error on heartbeat link can cause HA failover. 4713896 SunScreen3.1 allows to pass the TCP data packets prior to 3way-hand-shake. 4729278 logdump does no bounds checking on transient ports array 4760976 Fin Attack!! port continues being open 4762492 Duplicate FIN or RST will reset SunScreen CLOSING timer. 4764370 Duplicate Syn/Ack can change SunScreen state from from ESTABLISHED to CONNECTING 4764373 SunScreen does not check sequence numbers of FIN packets 4767244 SunScreen allows FIN packet in CONNECTING state. 4770205 SunScreen EFS 3.1 rejects RST packet unexpectedly (from 108156-15) 4418010 sslogmgmt always returns error: argument expected 4475718 large number of address objects in policy can cause compile failure 4484569 BAD TRAP occurred in module "spf" due to a NULL pointer dereference 4493103 TCP state fails on duplicate SYN, connection drops after 120 seconds 4494052 UDP 162 is not being blocked 4621944 ss_had is writing Error: received short packet to /var/adm/messages (from 108156-14) 4432480 Sunscreen NAT has performance problems in certain topologies 4485964 PASV ftp and DYNAMIC NAT broken 4489200 panic in statetable cleanup routines (from 108156-13) 4432276 Performance degradation due to inefficient TCP Hash function (from 108156-12) 4464430 Patch-11 for 3.0B has corrupted efs and spf binaries (from 108156-11) 4378218 smtp proxy does not work with two rules 4412981 ftp state engine does not recognize RST 4431381 ftp state engine confused in certain instances when MicroSoft server is used 4409715 ss_had can die with Interrupted System Call 4415446 Sunscreen 3.X HA failover time usually takes considerably longer than 15 seconds (from 108156-10) 4355078 performance in stealth mode slower than SPF-200 4400107 sunscreen consuming large amounts of kernel memory 4395538 ss_logd core dumps causing the system to hang 4377829 HA screen will become passive if an interface cable is unplugged. 4377098 ss_had has a file descriptor leak. 4380217 SunScreen 3.1 with patch 109734-01 can panic in stealth mode. 4373963 screeninfo output gets truncated. 4266794 ssadm screeninfo does not return ip_forwarding status 4373976 misc enhancements to screeninfo. 4048429 Configurations names with spaces don't work 4373966 screeninfo does not get SCCS versions of all files. 4373972 screeninfo should perform consistancy checks on SunScreen packages. 4373964 Patch information retrieved by screeninfo can be incorrect. (from 108156-09) 4347381 ss_had stops when "ssadm activate" is done. 4351317 HTTP POST does not work without CRLF 4355752 SunScreen http proxy core dumps when URI password included in URL. 4365144 ftp state engine can't handle tcp option tstamp on PORT packets 4366229 When ecryption rule added, machine gets stack overflow panic 4370757 PASV FTP vulnerability fix breaks NAT sequence numbers 4371831 Fragmentation Needed but DF bit set message sent out in error (from 108156-08) 4347894 Vulnerable to the PASV FTP attack that was published on "bugtraq" 4347899 File containing something that looks like FTP commands could be misinterpreted 4347905 vulnerable to the jolt2.c fragmentation attack (from 108156-07) 4326689 Passive HA stealth screen sends ARP's 4333069 traffic passes to undefined addresses despite rules (from 108156-06) 4314493 SunScreen EFS 3.0 in stealth mode can flood a network with packets. 4328055 ssadm logdump -i file -x0 does not display hex dump of packet 4329296 IPSec fragments reassembled into oversized packets (from 108156-05) 4281974 The HTTP_Proxy stops working on EFS 3.0revb 4297741 "ssadm logdump -t a" doesn't show absolute time for SESSION logs 4302422 64-bit kernel writes session log records incorrectly 4310845 ICMP needed to fragment packets not translated in tunnel 4313231 Mixed mode screen panics with non-ip ether packets 4317939 GUI can fail in ssadm.nl_catd class (AppletSecurityException) (from 108156-04) 4258953 Online help and Documentation does not launch from Netscape using the plugin. 4263985 Mix of DYNAMIC NAT and tunnelling sometimes not possible 4292561 ssadm ha active_mode && ssadm ha passive_mode misleading 4296011 SYN/RST spoofed packets reseting statetable entries 4302056 screeninfo: replace "arp -a" with "netstat -pn" 4306041 efs smtp proxy fails to deliver large messages (from 108156-03) 4253279 Running snoop on the Screen does not show correct IP when using NAT 4275509 Compiler needs to enforce that "translated to" address is not empty. 4280375 Stealth machine panics showing "screen: short packet" message 4286707 add interfaces disable cannot be acticated 4287892 logdump / logwhy feature does not work. 4291630 editor core dumps on "load" with no policy specified 4291953 findcore will run off onto nfs & automount directories (from 108156-02) 4231913 User Administration Access (write) does not have all privileges. 4231917 User Administration Access (read) does not have all privileges. 4257613 findcore should run "file" on all core files found. 4259288 screeninfo command needs to gather all configuration data 4259291 screeninfo command sometimes crashes when run under ssadm 4263150 Activate fails on CMG when 24 to 48 hours since last activate 4271577 EFS 3.0b httpp is stripping cookies w/COOKIES set in the rulebase 4273153 Undefined address used in Remote Access Rule dumps core 4278908 SNMP does not work 4280348 Stealth mode ether state engine does not pass traffic (from 108156-01) 4267482 i18n: The status information is wrong. 4268211 Delete window of active config not i18n 4269897 the policy with the Chinese characters in its name can't be activated. 4272397 i18n - Some of messages for skiplocal must not be localized. 4273198 One string in ss_install not translated. 4273416 i18n - Object type pull down menu in common object area is not I18Ned. 4274877 i18n - Some properties are duplicated. 4276516 i18n - Can not activate a l10n policy name via GUI admin. 4279409 i18n - "ssadm logdump -x 0,999" causes Java exception. Patch Installation Instructions: -------------------------------- See Special Install Instructions. Special Install Instructions: ----------------------------- Installation Instructions for the Administration Station --------------------------------------------------------- 1. Become root on the Administration Station. 2. If you are running Solaris 2.6 on the administration station, ensure that you have already installed the latest version of Solaris patch 106125. Version 106125-06 is available on your EFS 3.0 CD. 3. Transfer the patch file to the Administration Station. 4. Then type: # uncompress 108156-17.tar.Z # tar xf 108156-17.tar # patchadd 108156-17 Installation Instructions for Locally Administered Screens ---------------------------------------------------------- 1. Become root on the Screen. 2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106125. Version 106125-06 is available on your SunScreen EFS 3.0 Rev B CD. 3. Transfer patch file to the Screen using a diskette or ftp (with 3 MB free). 4. Type the following: # uncompress 108156-17.tar.Z # tar xf 108156-17.tar # patchadd 108156-17 5. Reboot the Screen. Instructions for Remotely Administered Screens in Stealth Mode. --------------------------------------------------------------- Use this procedure ONLY if you cannot otherwise transfer the patch to the Screen. 1. Become root on the Administration Station. 2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106125. Version 106125-06 is available on your SunScreen EFS 3.0 Rev B CD. 3. Transfer the patch file to the Administration Station. 4. Type the following: # ssadm -r patch install < 108156-17.tar.Z Additional Installation Instructions for Users of the Java Plug-In for GUI Administration ------------------------------------------------------------------------ Use this procedure only if you are using the Java plug-in for GUI administration. If the file identitydb.obj is used only for use with the SunScreen EFS 3.0 Rev B product, replace the existing identitydb.obj file with the new identitydb.obj file included in this patch. The new file is located on the Screen at /opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/identitydb.obj. If you are running in stealth mode and do not have access to this file, you can retrieve it from the actual patch files with the following commands run on your Administration Station: # uncompress 108156-17.tar.Z # tar xf 108156-17.tar # cp 108156-17/SUNWicgSS/reloc/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/identitydb.obj /tmp/identitydb.obj If the file identitydb.obj is used by other applications, then add SunScreen as one of the accepted signers to the file identitydb.obj using the following steps: 1. Copy the old identitydb.obj to your home directory. 2. Type the following, substituting the path for the javakey binary (/usr/java1.1) for $JAVA_HOME: % $JAVA_HOME/javakey -r SunScreenEFS % $JAVA_HOME/javakey -cs SunScreenEFS true % $JAVA_HOME/javakey -ic SunScreenEFS /etc/opt/SUNWicg/SunScreen/SunScreenEFS.x509 If you are running in stealth mode and do not have access to this file, you can retrieve it from the actual patch files with the following commands run on your Administration Station: # uncompress 108156-17.tar.Z # tar xf 108156-17.tar # cp 108156-17/SUNWicgSS/root/etc/opt/SUNWicg/SunScreen/SunScreenEFS.x509 /tmp/SunScreenEFS.x509 3. Copy the file identitydb.obj to a diskette for distribution to other Administration Stations and install it in the following directories: $HOME on UNIX systems C:\WINDOWS directory for single user Windows 95 systems C:\WINDOWS\PROFILES\username for multiuser Windows 95 & 98 systems C:\WINNT\PROFILES\username on Windows NT systems Instructions for Identifying Patches Installed on System -------------------------------------------------------- 1. To identify the patch level on your locally administered Screen, type the commands: # ls -lt /var/sadm/patch > screen.pkginfo # pkginfo -l >> screen.pkginfo 2. To identify the patch level on your remotely administered Screen in stealth mode: # ssadm -r lib/support packages > screen.pkginfo This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the contents of /var/log/patch.log. 3. To identify the patch level on your Administration Station, type the commands: # ls -lt /var/sadm/patch > admin.pkginfo # pkginfo -l >> admin.pkginfo Instructions to remove the patch on the Administration Station -------------------------------------------------------------- 1. Become root on the Administration Station. 2. Then type: # patchrm 108156-17 Instructions to Remove the Patch on Locally Administered Screen --------------------------------------------------------------- 1. Become root on the Screen. 2. Type the following: # patchrm 108156-17 Instructions to Remove the Patch on Remotely Administered Screens in Stealth Mode -------------------------------------------------------------------- Use this procedure ONLY if you cannot otherwise obtain access to a login prompt on the Screen. 1. Become root on the Administration Station. 2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106125. Version 106125-06 is available on your SunScreen EFS 3.0 Rev B CD. 3. Type the following: # ssadm -r patch backout 108156-17 Patch Installation Instructions for High Availability (HA) clusters. -------------------------------------------------------------------- 1. Determine which screen is ACTIVE within the HA Cluster using the following command on each: # ssadm ha status 2. Follow appropriate patch installation instructions from this README file to install the patch on the CURRENTLY ACTIVE SCREEN within the HA Cluster (determined from the previous step). 3. Be sure to reboot that screen upon completion of the patch installation. 4. After the reboot, the screen which the patch was just installed on will come up in PASSIVE mode and some other member of the HA cluster will become ACTIVE. 5. Repeat steps 1-4 until the patch has been applied to all members of the HA cluster. Notes on patching HA clusters: If the patch is installed on a PASSIVE screen before it is installed on an ACTIVE screen, the HA daemon ss_had can core dump, this gives symptoms similar to bug 4347381. The SunScreen HA model works by having 2 or more firewalls in parallel. Both firewalls see the same packets and hence calculate the same statetable entries. If a packet matches a statetable entry , then it is passed through the screen. If the ACTIVE screen is rebooted, one of the PASSIVE firewall(s) will take over. Existing connections will still be maintained as the PASSIVE firewall(s) which has just become ACTIVE will have the statetable entries. Once the originally ACTIVE firewall has been rebooted, it will have an empty statetable. This firewall will add any new connections made since it was rebooted to its statetable, but will not know about connections established before it was rebooted. If the currently ACTIVE screen is rebooted , some connections may get dropped. Its not possible to say exactly how long it will take for both (all) the firewalls to have the same statetable entries as this will depend on the type of connection being passed and the lifetime of this connection. Running the following command on both (all) firewalls in the cluster will give the administrator a good indication of when it is safe to reboot the second firewall, without significant loss of service: # ssadm lib/statetables | grep ESTABLISHED | wc -l Additional Patch Installation Instructions ------------------------------------------ Refer to the "Install.info" file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. README -- Last modified date: Monday, December 8, 2003