Patch-ID# 107668-01
Keywords: y2000 3.0b SP-8 Service Pack 8 WinNT 4.0 VPN
Synopsis: Solstice FireWall-1 3.0b: Windows NT 4.0 VPN upgrade patch
Date: May/21/99

Solaris Release:
SunOS Release:
Unbundled Product: Solstice FireWall-1
Unbundled Release: 3.0b
Relevant Architectures: i386

BugId's fixed with this patch:
Changes incorporated in this version:
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:
Files included with this patch: fw_sp8_win32vpn.zip

Problem Description:

FireWall-1 3.0b with Service Pack 8 supports Windows NT 4.0 Service Pack 4.

Service Pack Availability:

This Service Pack is available for the non-VPN, VPN, and VPN+DES editions for the following product platforms: AIX/RS6000, HP-UX/PA, Solaris/SPARC, Solaris/X86, SunOS, Windows NT/X86.

Bug Fixes:

Security Servers:

1. Fixed a memory leak in SMTP when using MIME stripping.
2. Fixed a bug in the SMTP daemon where error mails were deleted from the spool directory if a server was unreachable and the 'Notify sender on error' option was checked.
3. Fixed a bug which could cause the HTTP security server to crash when using URI resources with accounting and long URLs.
4. Fixed a bug in the handling of the replacement URL which could delay the appearance of the authentication prompt, depending on the length of the replacement URL. The default maximum length for a replacement URL is 2048. This length can be configured by editing the value of the property :http_max_url_length in $FWDIR/conf/objects.C.
5. Fixed a bug, introduced in Service Pack 3078, where the HTTP daemon would crash when using POST operations (e.g. sending out web forms).
6. Fixed a bug in accounting for HTTP resources with 'accept outgoing packets' first.
7. In the HTTP security server, made the match of the scheme (e.g. HTTP) and the method (e.g. GET) case insensitive.
8. Fixed a bug on UNIX platforms where the in.telnetd process was orphaned after the connection was closed in backward compatibility mode when using user authentication with the FireWall as the destination.
9. Corrected handling of multiple simultaneous SecurID authentication sessions. Multiple users can now authenticate concurrently using SecurID.
10. To control the timeout after which the security server gives up connecting to the destination server, you may now define (or modify) the au_connect_timout property in objects.C to specify the requested timeout (the default is 10 seconds if no such property is specified).

Encryption:

1. Fixed a bug in de-fragmentation which could cause connections to hang when using SKIP with large packets.
2. Enlarged the stack used on Solaris to prevent kernel crashes when using SKIP.
3. Fixed a bug where connections were incorrectly rejected when using SKIP with ESP only or AH only and with User Authentication on the decrypt side.
4. Fixed a bug where SKIP 1.1 would not work on NT for some keys exported from Solaris.
5. Enabled multiple Gateway tunnels so that the Gateway can connect to two sites using Manual IPSEC.
6. Fixed the way decryption is handled in Manual IPSEC to prevent crashes.
7. Corrected logs to reflect whether AH or ESP was used alone in Manual IPSEC, instead of always showing that they were used together.
8. Fixed the FWZ encapsulation problem between SecuRemote 4.0 and FireWall-1 3.0 on all platforms except HP, where the problem still exists.
9. Fixed a bug which could cause the FireWall to crash when the password expiration timeout on a SecuRemote client was set to zero.
10. Dropped support for RC4 in Manual IPSEC, since connectivity is not guaranteed in this mode.

GUI Client:

1. Fixed a bug in the handling of nested user groups. When an item was deleted from an included group, the including group was not updated correctly.
2. Fixed Year 2000 bugs in the select and find functions in the Log Viewer.
With this fix, all known Year 2000 limitations on FireWall-1 3.0b are closed.
3. On dual CPU machines, fixed a bug which prevented the GUI client and the Management from working when both were installed on the same machine.
4. Corrected GUI (specifically bitmap) allocation which could cause the GUI client to get stuck on Win95 when working with a very large rulebase.
5. When fetching interfaces for a network object, if a fetched interface existed prior to the fetch, its definition will now be overwritten by the result of the fetch.
6. It is no longer permitted to enter a drive prefix in the file name (e.g. 'a:filename') when using 'save as' for a policy.
7. Disabled the use of address range objects in the security policy rulebase. They are still available for defining NAT rules.

OpenLook GUI:

1. Fixed a bug where the values "Mail server" and "Error handling server" were not shown in the OpenLook GUI, although they were defined in objects.C.

Router Management (RSC/SRE):

1. On Cisco, 3Com and Steelhead routers, using the predefined RIP service produced incorrect access lists for that service. A RIP rule can now be correctly defined either from the access-list properties or from the rule-base editor.
2. Fixed a bug where using the format [...]. The port field accepts the following formats:
   ">n"  : bigger than n, but not n
   "m-n" : between m and n, including m and n
   "n"   : only n
   To define "any" in the port field, enter ">0". "<=" and ">=" are currently illegal. source-port-from allows only "m", and source-port-to allows only "n"; the meaning is always the same as "m-n" in the port field. To put "any" in the source port, leave both source-port-from and source-port-to empty.
3. Fixed a bug where, on installation of a new policy, the access list was uninstalled from a Bay router although the new policy had no rules to install on the router.

Miscellaneous:

1. Fixed a problem where 'fw lichosts' on HP was showing one month behind.
2. Removed from the SNMP configuration files specific IP addresses which were being used as placeholders.
3. Corrected the location of snmp_version and snmp_community_len in snmp.def.
4. Corrected the responses of the FireWall SNMP daemon.
5. Fixed a file descriptor leak in Load Balancing, HTTP method.
6. When FireWall-1 is reconfigured using FwConfig on WinNT or fwconfig on UNIX platforms, if the change requires restarting the FireWall, only the daemons are now stopped, instead of unloading the policy and disabling the FireWall module as was done previously.
7. During the compilation of a policy, if conflicts are found between objects in the policy, the compilation will now fail, where before only a warning message was given.
8. For FTP, match the PORT command in mixed case letters.
9. Reduced the memory requirements for presenting kernel tables when using 'fw tab'.
10. For FireWall-1 Modules on Bay routers: updated the message describing the interface format required for Anti-Spoofing to comply with Bay version 12.10.
11. Fixed a problem which prevented synchronizing two FireWalls unidirectionally (i.e. FireWall A updates B, but B does not update A).

Limitations and Known Bugs:

1. The FWZ encapsulation problem exists between SecuRemote 4.0 and FireWall-1 3.0b on HP-UX platforms.

Patch Installation Instructions:
-------------------------------

All Service Pack files are grouped into one .tgz (tar and gzipped) file for each UNIX platform, and compressed into a ZIP file for Windows. To install the Service Pack, please follow the instructions below:

Windows:

1. Download the .ZIP file to a temporary directory and extract the files.
2. Double-click setup.exe. This will start the Service Pack installation.

Special Install Instructions:
-----------------------------

None.
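The port field rules given under Router Management item 2 (">n", "m-n", "n", ">0" for any, "<=" and ">=" illegal, and the source-port-from/source-port-to pair) are compact enough to be checked mechanically before a rule reaches a router. The Python below is an added example, not code from the patch or from the product; it assumes a 1..65535 port space and omits the smaller-than form, whose text is missing from these notes.

```python
# Added example, not part of the original patch notes: a parser for the
# RSC/SRE access-list port field syntax as the notes describe it.
# Assumptions (not stated in the notes): ports are 1..65535, and the
# "smaller than n" form is not handled because its text is missing.
import re

MAX_PORT = 65535
ANY_PORT = (1, MAX_PORT)   # ">0" (bigger than 0, but not 0) is exactly this range

def _port(text):
    """Parse one decimal port number, rejecting values above MAX_PORT."""
    n = int(text)
    if n > MAX_PORT:
        raise ValueError("port %d is out of range" % n)
    return n

def parse_port_field(field):
    """Return the inclusive (low, high) range expressed by a port field."""
    f = field.strip()
    if f.startswith("<=") or f.startswith(">="):
        raise ValueError("'<=' and '>=' are illegal in the port field: %r" % field)
    m = re.fullmatch(r">(\d+)", f)          # ">n": bigger than n, but not n
    if m:
        n = _port(m.group(1))
        if n == MAX_PORT:
            raise ValueError("nothing is bigger than %d" % MAX_PORT)
        return (n + 1, MAX_PORT)
    m = re.fullmatch(r"(\d+)-(\d+)", f)     # "m-n": between m and n, inclusive
    if m:
        lo, hi = _port(m.group(1)), _port(m.group(2))
        if lo > hi:
            raise ValueError("empty range: %r" % field)
        return (lo, hi)
    if re.fullmatch(r"\d+", f):             # "n": only n
        n = _port(f)
        return (n, n)
    raise ValueError("unrecognised port format: %r" % field)

def parse_source_port(src_from, src_to):
    """source-port-from takes only "m" and source-port-to only "n"; the pair
    means the same as "m-n" in the port field. Both empty means "any"."""
    lo, hi = src_from.strip(), src_to.strip()
    if not lo and not hi:
        return ANY_PORT
    if not (re.fullmatch(r"\d+", lo) and re.fullmatch(r"\d+", hi)):
        raise ValueError("source port fields take plain numbers only")
    return parse_port_field(lo + "-" + hi)
```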