Patch-ID# 105811-02
Keywords: Upgrade, jumbo, patch, 3.0b, Build 3064, 3064
Synopsis: Solstice FireWall-1 3.0b SunOS: Build 3064 Jumbo (Non-VPN)
Date: Apr/20/98

Solaris Release: 1.1
SunOS Release: 4.1.3
Unbundled Product: Firewall-1
Unbundled Release: 3.0
Relevant Architectures: sparc

BugId's fixed with this patch:
Changes incorporated in this version:
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:

Files included with this patch:
bin/fw
bin/fwui
bin/router_load
lib/base.def
lib/code.def
lib/formats.def
lib/table.def
modules/fwmod.5.x.o

Problem Description:

Table of Contents:
    Patch Availability
    Release Notes
    Limitations and known bugs
    Installation instructions
    Downloading

NOTE: This is a cumulative patch to 3.0b. It can be applied to a plain 3.0b
system or to one that has been patched up to Build 3055.

This patch contains the following changes: all bug fixes from 3045 and 3055
(3055 was not an official release), OPSEC SDK support, and several bug fixes to
the SMTP, HTTP, and FTP security servers. This patch can be applied to any 3.0b
version of FireWall-1, including systems running Build 3045.

Patch Availability:
-------------------
This patch is available for the non-VPN, VPN, and VPN+DES editions on all
product platforms (Solaris/SPARC, Solaris/X86, Windows NT/X86, AIX/Power,
HP-UX/HPPA, SunOS4/SPARC).

Detailed problem solving description - patch 3064

Release Notes:
--------------

Bug Fixes:

Note: the following list includes the bug fixes closed in the 3055 patch
candidate.

OPSEC:
1. OPSEC/SDK support is now provided.
2. Fixes many CVP and UFP problems.

Windows NT:
1. Executing alerts on Windows NT created system memory leaks.
2. "fw log -ft" on Windows NT did not work.

HTTP Security Server:
1. FTP from Netscape Communicator failed in some circumstances.
2. The HTTP Security Server crashed under heavy load.
3. When the HTTP Resource Path was *:*, a redundant DNS query was submitted.
4. When a URL specified in a URI Resource was reloaded a few times, ahttpd.log
   grew abnormally.
5. UFP: fetching a dictionary from a UFP server sometimes crashed if the UFP
   server was down.
6. SecurID: entering the next PASSCODE through HTTP crashed the HTTP Security
   Server.

SMTP Security Server:
1. When non-multipart attachments were to be stripped, the MIME Content-Type
   was changed to text/plain and the other 'Content-' fields were stripped.
2. "Too many open files" messages.
3. Mail was occasionally lost under load (i.e. scores of mails in the spool).
4. SMTPD crashed after a number of mails were rejected.
5. Using a rewriting scheme 'Field Contents ->' in an SMTP resource with an
   empty rewritten string caused SMTPD crashes.
6. An SMTP resource with Client Authentication was not logged correctly.
7. Quoted characters are now recognized in the SMTP commands MAIL and RCPT,
   and in message headers.
8. SMTPD crashed when the DATA command was sent preceded by MAIL FROM and
   RCPT commands containing illegal mail paths.
9. When sending error notifications, the last header line was dropped if the
   original mail had an empty body.
10. Mails got stuck in the spool when working with the Eliashim AntiVirus
    Server.
11. A blank line was occasionally added in big attachments.
12. When an error notification was sent, the last attachment boundary line
    was misplaced.
13. The error server definition was absent from the FireWall-1 Configuration
    SMTP dialog box (NT only).
14. SMTP transaction failures due to resource restrictions (e.g. "Too much
    mail data") were not logged correctly. They are now logged in accordance
    with the resource's 'Exception track' definition.

FTP Security Server:
1. The FTP Security Server did not support PASV FTP with Accounting.
2. FTP + CVP: the full path file name logged was in URL format (e.g. ftp://...).

FireWall Synchronization:
1. FireWall Synchronization together with address translation is now
   supported.

Address Translation:
1. The maximum number of NAT rules is now 2048 instead of 1024.

Encryption:
1. SKIP encryption problems when used with NAT.

Management GUI:
1. When an object was defined whose IP address was identical to that of a
   FireWalled object, encryption did not work properly.
2. When all user checkboxes were unset, adding a user crashed the OpenLook
   fwui.
3. Windows and X/Motif GUI: state transition alerts did not work in the
   System Status view.
4. Long names for Admin authentication crashed fwm.
5. Solaris x86 (OpenLook): a spurious error message appeared when creating an
   object of type network.

INSPECT:
1. When the rule base exceeded ~250 rules, the INSPECT Virtual Machine stack
   could overflow.
2. LAND attack protection is provided.
3. RealAudio and VDOLive services are now supported in FASTPATH mode.
4. Large FTP transfers: if a file transfer through FireWall-1 took longer
   than TCP_TIMEOUT (60 minutes by default), the control connection was cut
   in the middle, causing the file transfer to fail. After installing Patch
   3055, if you need to transfer files for longer than TCP_TIMEOUT, modify the
   file $FWDIR/lib/base.def: change the line
   '#define FTP_CONTROL_TIMEOUT TCP_TIMEOUT', replacing TCP_TIMEOUT with the
   number of seconds you want the control connection to remain open.

Miscellaneous:
1. $FWDIR/conf/fwauthd.conf was limited to no more than 10 security servers.
   The limit has been increased from 10 to 64.
2. More than ~20 domain objects in the Rule Base did not work.

Authentication:
1. SecurID new PIN mode did not work properly when used via a browser.

Embedded System FireWall Modules:
1. Managing embedded FireWall modules from 'Starter Console' products did not
   work.
2. Support is now provided for the following embedded systems:
   Xylan switches
   Note: these embedded systems are supported by FireWall-1 version 3.0b.
   They were not supported by patch 3045.

Feature Enhancements:

SMTP Security Server:
1. Multiple mail servers/error handling servers can be defined in a resource
   or in smtp.conf, e.g.:
   Mail server: {smtp-gw1,smtp-gw2,smtp-gw3}
2. The error notification log format has changed. An error notification
   attempt is logged with INFO, as in the following example:
   "Error notification sent: originally from someone@org to soembody@org"
3. In an error notification message the original header is returned together
   with the message body.

Limitations and Known Bugs:
---------------------------
1. NT: when using an HTTP resource with UFP, the category string shown in the
   log viewer is the mask and not the category string.
2. AIX, Solaris/X86 VPN+DES: when using an HTTP resource with the File
   option, the file is not copied to $FWDIR/database/lists during the policy
   download. A temporary workaround is to add the file name to
   $FWDIR/state/fwrl.conf on the management station.
3. Using UNIX (tested with AIX/Motif and Sun/OpenLook), it was not possible
   to manage a BAY embedded FireWall Module by downloading a policy. The
   following error is seen:
   fetch_bload : get_rule_base failed
   Failed to install security policy on {Bay Module name}: File exists

Installation Issues:
====================
1. To upgrade a FireWall-1 Module, you must upgrade all components - kernel
   and fw.
2. To use State Synchronization, you must upgrade both the Management station
   and the FireWall Module, and edit table.def by deleting line 20
   ("#define sync"). In this case the patch should be applied to all
   FireWall-1 modules in the enterprise.
3. To upgrade a Management server, upgrade both fw and the GUI.
4. For Windows NT, setup.exe installs both the GUI and the Module (it
   automatically determines whether each is necessary).

Patch Installation Instructions:
--------------------------------
(1) Copy the patch file onto the FireWall-1 machine to be patched.
(2) Execute the fwinstallpatch script.
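The FTP_CONTROL_TIMEOUT change described under INSPECT item 4 is a one-line
edit to $FWDIR/lib/base.def, but two things are easy to get wrong: typing a
non-numeric value, and forgetting that lib/base.def is among the files this
patch ships, so a local change to the define must be re-applied after the patch
is installed. The following shell script is an added example, not part of this
README or of the FireWall-1 product: it rewrites the define in a copy of
base.def, keeps a backup, and reads the value back so the edit can be checked
before a policy is reinstalled. The sample base.def content is constructed
here; the real file contains many more definitions.

```shell
#!/bin/sh
# Added example (not from the patch README or the product): rewrite the
# FTP_CONTROL_TIMEOUT define in $FWDIR/lib/base.def and read it back.
# Assumptions: the file contains one line of the form
#   #define FTP_CONTROL_TIMEOUT TCP_TIMEOUT
# as the README describes; the sample base.def below is constructed.

# set_ftp_control_timeout FILE SECONDS
# Replaces the value on the FTP_CONTROL_TIMEOUT line with SECONDS, keeping a
# FILE.orig backup. Returns 2 if SECONDS is not a positive integer and 1 if
# the define is absent, so a typo or a wrong file does not silently pass.
set_ftp_control_timeout() {
    file=$1
    secs=$2
    case "$secs" in
        ''|*[!0-9]*) echo "seconds must be a positive integer" >&2; return 2 ;;
    esac
    grep -q '^#define FTP_CONTROL_TIMEOUT[[:space:]]' "$file" || {
        echo "no FTP_CONTROL_TIMEOUT define in $file" >&2; return 1; }
    cp "$file" "$file.orig" || return 1
    sed "s/^#define FTP_CONTROL_TIMEOUT[[:space:]].*/#define FTP_CONTROL_TIMEOUT $secs/" \
        "$file.orig" > "$file"
}

# get_ftp_control_timeout FILE
# Prints the current value token: TCP_TIMEOUT (the default) or a number of
# seconds. Useful after installing the patch to confirm whether the shipped
# base.def has reverted the local change.
get_ftp_control_timeout() {
    sed -n 's/^#define FTP_CONTROL_TIMEOUT[[:space:]]*\(.*\)$/\1/p' "$1" | head -n 1
}

# Constructed sample standing in for $FWDIR/lib/base.def (not the real file).
BASE_DEF=$(mktemp /tmp/base.def.XXXXXX)
cat > "$BASE_DEF" <<'EOF'
#define TCP_TIMEOUT 3600
#define FTP_CONTROL_TIMEOUT TCP_TIMEOUT
EOF

echo "FTP_CONTROL_TIMEOUT before edit: $(get_ftp_control_timeout "$BASE_DEF")"
```

Run the script against the real file by replacing the constructed sample with
$FWDIR/lib/base.def; after fwinstallpatch has run, call the get function again
to see whether the define is back to TCP_TIMEOUT and needs to be set once more.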