Patch-ID# 105809-04
Keywords: Upgrade, jumbo, patch, 3.0b, build_3072
Synopsis: Solstice FireWall-1 3.0b (Build 3072) Intel: Upgrade/Jumbo (VPN)
Date: Aug/26/98

Solaris Release:
SunOS Release:
Unbundled Product: FireWall-1
Unbundled Release: 3.0b
Relevant Architectures: i386
NOTE: intel

BugId's fixed with this patch:

Changes incorporated in this version:

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

DATA.Z
DATA2.Z
DISK1.ID
README
SETUP.EXE
_INST32I.EX_
_SETUP.DLL
_SETUP.LIB
setup.ini
setup.ins
setup.pkg

Problem Description:

Table of Contents:

  Overview
  Service Pack Availability
  Bug Fixes
  Limitations and Known Bugs
  Installation Instructions
  Downloading

Overview:
---------

The 3072 Service Pack can be applied to any 3.0b version of FireWall-1,
including systems running Build 3045 or 3064.

Important Notes:

This Service Pack includes a new control.map file which contains new
configuration for the OPSEC communications protocols. Installing the
Service Pack will replace your existing control.map with the new one. If
you have changes in control.map which you want to keep, you must copy the
file aside before installing this Service Pack. After the installation you
can either merge the two files manually or, if you are not using OPSEC,
replace the newly installed control.map with your old one.

This Service Pack will NOT work with FloodGate-1 version 1.1 (nor with
1.0). Installing this patch on an existing FireWall-1/FloodGate-1
installation will disable FloodGate-1. There will be no FloodGate-1 release
that supports the 3072 Service Pack, and as a result the Gateway on which
you installed this patch will no longer have bandwidth management
capabilities integrated with FireWall-1. The next major version of
FloodGate-1 will inter-operate with the coming release of FireWall-1
version 4.0.
Service Pack Availability:
--------------------------

This Service Pack is available for the Non-VPN, VPN and VPN+DES editions
for all product platforms (AIX/Power, HP-UX/HPPA, Solaris/SPARC,
Solaris/X86, SunOS/SPARC, Windows NT/X86).

Bug Fixes:
----------

Windows and Motif GUI Client:

1. Fixed a GUI resource leak which had a number of symptoms. For example,
   when scrolling through a lot of rules the GUI would hang and the
   graphics would get distorted.
2. When opening the GUI as 'Read Only' you can now scroll through group
   object members.
3. Fixed printing of a Rule Base from the GUI, where the last rule on each
   page was only half printed.
4. In the Motif Log and System Status GUIs, fixed a problem where various
   configuration parameters were written to the directory the application
   was launched from instead of the $FWDIR/conf directory.
5. For the Motif GUI, prevent the 'en_US language' error when starting the
   GUI.
6. For the Motif GUI, this Service Pack includes an application which saves
   colors for the FireWall-1 GUI. This prevents the GUI from crashing when
   colors are not available. This application should be installed on the
   machine running the display and run automatically before any other
   application is opened on the display. See the Installation Instructions
   below.

OpenLook GUI:

1. When defining a network object on Solaris 2.5.1 x86, fixed the problem
   which was causing the message 'Illegal Netmask 255.255.255.0'.
2. Fixed triggering of alerts for actions in the System Status window.

Encryption:

1. Fixed reassembly of fragmented SKIP packets.
2. Fixed a SKIP bug which occasionally caused the fw daemon to crash.

Logging:

1. Fixed a bug in the 'fw logswitch' mechanism, related to the fw.logtrack
   file, which was causing the fw daemon to fail due to too many open file
   descriptors.
2. Removed the message "fwd: Unable to open 'dev/fw0'" which was displayed
   on the management station whenever the active log file
   ($FWDIR/log/fw.vlog) exceeded the default size of 10KB.
3. Changed the representation of the date in 'fw log' output to be Y2K
   compliant.
4. Changed the representation of the date in the name of the log file
   switched by 'fw logswitch' to be Y2K compliant.

Address Translation:

1. In Address Translation, the minimum-length test is now protocol
   sensitive. This fixes problems such as ICMP type 9 packets being
   wrongly dropped when translation is applied.

Router Management:

1. When using Cisco access-lists, it is now possible to define a filter
   that checks the source port of a packet.

Security Servers:

1. The SMTP security server now adds the full name, including domain, to
   the HELO command.
2. The SMTP security server now sends 552 error messages for mail that is
   too large, and not 452.
3. Fixed handling of multiple mail messages on a single connection.
4. Fixed the sendmail.exe program for NT to correct a problem where mail
   alerts changed according to the date.
5. In the FTP security server, corrected handling of 220 multiline
   messages.
6. In the FTP security server, fixed a problem with a Welcome message that
   ends with a new line (\n), which was preventing connections from
   opening.
7. In the FTP security server, the reason log for the CVP server will be
   sent even if the CVP message is empty.
8. Corrected handling of HTTP server replies which have no headers.

User Authentication:

1. Fixed SecurID-related FireWall daemon crashes on NT.
2. Defining a user with a time limitation using the interval 00:00 to
   23:59 now covers the minute from 23:59 to midnight.

Management:

1. Protection from the 'Radio Flyer' attack, where opening connections to
   the FireWall management daemon could prevent any FireWall administrator
   from connecting to the management station.

Kernel:

1. Fixed a problem that could cause a kernel crash on AIX in a situation
   where packets must be modified (NAT or encryption) and the FireWall-1
   gateway does not have an ARP entry for the next hop.
2. Protection from the fragmentation attack, where sending fragmented
   packets can cause the FireWall to stop forwarding packets.
   There are also several configurable parameters which can help the user
   fine tune FireWall-1 to deal best with this kind of attack.

   For NT there are 4 new registry parameters:

   PacketPoolSize    - How many packets can be handled by the FireWall
                       simultaneously. Default = 1024.
   BufferPoolSize    - How many buffers can be handled by the FireWall
                       simultaneously (a packet may divide into a number
                       of buffers). Default = 2048.
   MaxPendingPackets - How many packets can be pending - waiting on 'hold'
                       (for encryption or session authentication) or for
                       defragmentation at one time. Default = max-100.
   MaxPendingBuffers - How many buffers can be held by pending packets at
                       one time. Default = max-200.

   For Unix the packets come from a system pool controlled by the
   operating system, which grows dynamically as the need arises.

   In addition, for all platforms, the following 3 parameters may be
   defined in objects.C under the 'props:' line (after editing objects.C,
   run fwstop and fwstart for the change to take effect):

   fwfrag_limit   - how many fragment chains are allowed to be in the
                    middle of assembly. Default is 1000.
   fwfrag_minsize - the smallest acceptable fragment size (maximum is
                    576). Default is 0.
   fwfrag_timeout - how long to wait for fragment chain completion before
                    giving up on the packet and freeing its resources.
                    Default is 20 seconds.

Limitations and Known Bugs:
---------------------------

1. A problem in the SMTP server causes it to not send any logs. You will
   receive logs on mail messages only from the mail dequeuer process. For
   example, connections which are rejected by the Rule Base should be
   logged by the SMTP server, but these logs will not be received; on the
   other hand, any mail that was accepted and reached its target will be
   logged as usual by the mail dequeuer.
2. Occasionally, during multiple concurrent authentications between a FM
   and an ACE server, the challenge will return a failure even if the
   right PIN was entered. This will be fixed in a subsequent hot fix.
3. When managing pre-3072 modules with 3072 management, the Security
   Status window in the GUI crashes, gets stuck or shows no info for
   pre-3072 modules. A hot fix is under development by Check Point and
   will be posted no later than the 1st week of September 1998.

   The workaround:

   1. Stop the FireWall-1 management using 'fwstop'.
   2. Edit the file $FWDIR/lib/snmp/mib.txt as follows:

      Change the line -
         checkpoint OBJECT IDENTIFIER ::= { enterprises 2620 }
      To the line -
         checkpoint OBJECT IDENTIFIER ::= { enterprises 1919 }

   3. Start the FireWall-1 management using 'fwstart'.

Patch Installation Instructions:
--------------------------------

Important Note:

This Service Pack includes a new control.map file which contains new
configuration for the OPSEC communications protocols. Installing the
Service Pack will replace your existing control.map with the new one. If
you have changes in control.map which you want to keep, you must copy the
file aside before installing this Service Pack. After the installation you
can either merge the two files manually or, if you are not using OPSEC,
replace the newly installed control.map with your old one.

(1) Copy the patch file on to the Intel platform machine.
(2) Unzip the patch.
(3) Execute the Install Wizard (setup.exe) included.
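To make the three objects.C fragment parameters from the Kernel section concrete, the following is an added Python illustration (not part of this README and not FireWall-1 code) of a toy reassembly table that applies fwfrag_limit, fwfrag_minsize and fwfrag_timeout to constructed fragments. The Fragment record, the chain key and the choice to apply fwfrag_minsize only to non-final fragments are this example's own assumptions.

```python
from collections import namedtuple
# Defaults of the three objects.C 'props:' parameters quoted in the README.
FWFRAG_LIMIT = 1000    # fragment chains allowed to be in the middle of assembly
FWFRAG_MINSIZE = 0     # smallest acceptable fragment size (maximum is 576)
FWFRAG_TIMEOUT = 20    # seconds to wait for a chain to complete
# Constructed stand-in for an IP fragment; (src, dst, ident) identifies its chain.
Fragment = namedtuple("Fragment", "src dst ident offset payload more")


class Reassembler:
    def __init__(self, limit=FWFRAG_LIMIT, minsize=FWFRAG_MINSIZE, timeout=FWFRAG_TIMEOUT):
        self.limit, self.minsize, self.timeout = limit, minsize, timeout
        self.chains = {}                    # key -> {"t": first seen, "pieces", "total"}
        self.dropped = {"minsize": 0, "limit": 0, "timeout": 0}

    def expire(self, now):
        # fwfrag_timeout: give up on chains that waited too long and free them
        stale = [k for k, c in self.chains.items() if now - c["t"] > self.timeout]
        for k in stale:
            del self.chains[k]
        self.dropped["timeout"] += len(stale)

    def receive(self, frag, now):
        """Return the reassembled payload once a chain completes, else None."""
        self.expire(now)
        # fwfrag_minsize: refuse undersized non-final fragments (this example's reading)
        if frag.more and len(frag.payload) < self.minsize:
            self.dropped["minsize"] += 1
            return None
        key = (frag.src, frag.dst, frag.ident)
        chain = self.chains.get(key)
        if chain is None:
            if len(self.chains) >= self.limit:   # fwfrag_limit: table is full
                self.dropped["limit"] += 1
                return None
            chain = self.chains[key] = {"t": now, "pieces": {}, "total": None}
        chain["pieces"][frag.offset] = frag.payload
        if not frag.more:
            chain["total"] = frag.offset + len(frag.payload)
        if chain["total"] is None:
            return None
        pos, data = 0, b""                  # pieces must cover 0..total, no gaps/overlaps
        for off, piece in sorted(chain["pieces"].items()):
            if off != pos:
                return None
            pos, data = off + len(piece), data + piece
        if pos != chain["total"]:
            return None
        del self.chains[key]                # complete: release the chain's resources
        return data
```

Each of the three counters in `dropped` corresponds to one parameter, so tightening a value shows up directly as which limit started refusing fragments.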