Unified Threat Management - Support | GTA, Inc.

		Global Technology Associates, Inc.

Title:    GTA Firewall Systems Release Notes
Product:  GNAT Box System Software Version 3.3.0
Date:     21 September 2002


These notes cover the latest release of GNAT Box System Software,
version 3.3.0. Release notes for previous versions can be found on





                          SSL ENCRYPTION

                       Default SSL Settings

If you are upgrading from a version previous to 3.2.2, SSL will be
disabled and the default port will be set to 80. To enable SSL
encryption, first copy your current Remote Access Filter for web
access, change the port number to 443 and enable it without
disabling your old filter. Save the section. Next, default and save
the Remote Admin/Authentication function under Authorization and
save the section. This will enable all encryption and change the
server port to 443. Once SSL encryption is activated on port 443, you 
can delete your old web access filter.


                      HIGH AVAILABILITY NAMES

H2A systems now use Interface Object names (default, HA-EXTERNAL,
HA-PROTECTED), so it may be helpful to change the references to your
HA systems to reflect the new nomenclature, especially in VPN
Objects and Remote Access Filters.


                         GB-100 UPGRADES

GB-100 directory parameters have been changed in the disk label to
free up space for the enhanced GNAT Box System Software version
3.3.0 runtime. Revising the disk label requires a destructive
installation of version 3.3.0 using GB-100 installation floppies.

!          BACK UP YOUR CONFIGURATION --- DESTRUCTIVE              !


                      NETWORK INTERFACE CARDS

See GTA's website at www.gta.com for an up-to-date list of
compatible NICs.


                         KNOWN BROWSER ISSUES


                 Internet Explorer 5 For Macintosh

Internet Explorer 5 browser for the Macintosh platform will not
allow you to accept or install the SSL security certificate. SSL
must be disabled to use this combination.


             Internet Explorer 5 Export Version, No Patch

Because of security flaws in SSL version 2.0, GTA has removed SSL
2.0 support. IE 5 Export version (40-bit) improperly implements
SSL version 3.0; you must have the IE security patches installed in
order to use SSL 3.0 with GNAT Box System Software 3.3.0.


                   Netscape/Mozilla Browser Issues

If you are unable to log on to your GTA Firewall after upgrading,
delete the security certificate in your browser, then exit and
restart to restore access. Version 3.3.0 installs a new default
security certificate. Some browsers, including Netscape and Mozilla,
will not recognize the new default if the original default
certificate has never been replaced.


Release Notes include the following sections:

1.1 Enhancements and Changes
1.2 Bug Fixes

2.1 Enhancements and Changes
2.2 Bug Fixes

3.1 Enhancements and Changes
3.2 Bug Fixes

4.  GBADMIN (Windows Only)
4.1 Enhancements and Changes
4.2 Bug Fixes

5.  WEB
5.1 Enhancements and Changes
5.2 Bug Fixes

6.1 Enhancements and Changes
6.2 Bug Fixes

7.1 Enhancements and Changes
7.2 Bug Fixes

8.1 Enhancements and Changes
8.2 Bug Fixes

9.1 Enhancements and Changes
9.2 Bug Fixes

10.1 Enhancements and Changes
10.2 Bug Fixes

11.1 Enhancements and Changes
11.2 Bug Fixes

12.1 Enhancements and Changes
12.2 Bug Fixes


1.1 Enhancements and Changes

     1.  Add AES and SHA-2 options to VPN configuration in additional
         locations. GB330205:203

     In Phase I, add AES (already available in other products) as a
     valid encryption algorithm to GB-100, GB-Pro, -Light and -Demo.
     In Phase I and II, add SHA-2 as a valid hash algorithm in
     flash-based products other than GB-100.

     2.  Simplify error message. GB300099

     Modified system kernel to return simplified error message,
     "Permission denied," to indicate that the user is restricted
     to read-only access.

     3.  Attempt to preserve original port numbers. GB330131

     Preserve the original port number when performing NAT if the
     port number is not being used to access the remote IP address.

     4.  Add lockout mechanism. GB330237

     Added lockout facility to prevent unauthorized access to the GTA
     Firewall, and provide log information about access attempts
     after lockout.

     5.  Add support for WebTrends Enhanced Logging Format (WELF).

     Changed the default logging format to WELF. The old log format
     is still available, if enabled, but this format has been
     deprecated and may be removed from the system software in the

     6.  Increase the number of supported maximum concurrent
         connections. GB330235

     Increased the number of concurrent connections supported by the
     GNAT Box System Software from 32,768 to 131,072.

     7.  Add facility to map a services IP address to an IP alias.

     In Static Address Mapping, added the ability to map an
     IP address used by GNAT Box services to an IP alias.
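
A minimal model of the port-preservation rule in item 3 above (GB330131), as an added example that is not GNAT Box code. The class and function names, the fallback port pool, and keying the collision check on protocol plus remote IP address are assumptions made for illustration.

```python
# Added illustration only; this is not GNAT Box code.
from dataclasses import dataclass, field
from itertools import chain

FALLBACK_PORTS = range(49152, 65536)  # assumed fallback pool


@dataclass
class NatTable:
    # (proto, external port, remote IP) -> (inside IP, inside port)
    by_outside: dict = field(default_factory=dict)
    # (proto, inside IP, inside port, remote IP) -> external port
    by_inside: dict = field(default_factory=dict)

    def translate(self, proto, src_ip, src_port, remote_ip):
        """Return the external source port for an outbound flow."""
        flow = (proto, src_ip, src_port, remote_ip)
        if flow in self.by_inside:  # flow already translated
            return self.by_inside[flow]
        # Try the original port first; fall back only on a collision
        # toward the same remote IP address.
        for port in chain([src_port], FALLBACK_PORTS):
            key = (proto, port, remote_ip)
            if key not in self.by_outside:
                self.by_outside[key] = (src_ip, src_port)
                self.by_inside[flow] = port
                return port
        raise RuntimeError("no free port toward " + remote_ip)

    def reverse(self, proto, ext_port, remote_ip):
        """Map a reply from remote_ip back to the inside host, or None."""
        return self.by_outside.get((proto, ext_port, remote_ip))


def demo():
    # Constructed sample flows (documentation address ranges).
    nat = NatTable()
    kept = nat.translate("tcp", "192.168.1.10", 40000, "198.51.100.7")
    moved = nat.translate("tcp", "192.168.1.11", 40000, "198.51.100.7")
    other = nat.translate("tcp", "192.168.1.11", 40000, "198.51.100.9")
    return nat, kept, moved, other


if __name__ == "__main__":
    print(demo()[1:])
```

In this model, the source port seen outside the firewall differs from the inside host's port only when a second inside host is already using that port toward the same remote address.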

1.2 Bug Fixes

     1.  When null encryption (encapsulation-only) is selected in
         Phase II of a VPN connection, data is not transmitted.

     Ensured that VPN is fully functional using null encryption.

     2.  If a system responding to a VPN connection is rebooted
         while the initiating side is still connected, the systems
         do not always renegotiate the connection promptly. GB330008

     Revised the VPN function so that if either system reboots,
     the VPN connection is regained quickly.

     3.  Negotiation fails when a system using an IP alias initiates
         a VPN. The system sends a packet that identifies it by IP
         address rather than by IP alias. GB330079

     The system now transmits the IP alias recognized by the remote
     gateway using Static Address Mapping from the External
     IP address to alias.

     4.  In a High Availability configuration, saving the Network
         Information section causes the system to stop NATing to the
         HA Virtual IP address. GB330162:102

     When Network Information is saved, the system automatically
     restarts the HA service.

     5.  IP aliases cannot be successfully assigned to PPP/PPPoE
         interfaces. A warning is given in the message log. GB330164

     Now uses a separate utility to add aliases and static routes
     associated with PPP.

     6.  Unable to reach locations behind one brand/version firewall
         due to non-standard packet sequencing during TCP 3-way
         handshake. GB330156

     Added code to accommodate the non-standard packet.

2.1 Enhancements and Changes

     1.  New BIND version. GB330198

     DNS server updated to BIND version 8.3.3.

     2.  Add DNS proxy. GB330168

     Added a DNS proxy. If no DNS server is running and DNS proxy is
     enabled, the proxy will start automatically, forwarding requests
     from allowed hosts to DNS servers. These servers include both
     those that have been configured in DNS, and those negotiated
     using DHCP and PPP.

     3.  New mail abuse prevention list. GB330097

     Revise information in Email Proxy Mail Abuse Prevention
     defaults, replacing inputs.orbz.org with list.dsbl.org.

     4.  Add support for Simple Network Management Protocol (SNMP).

     Enhanced system services by adding an SNMP facility that is
     disabled by default.

     5.  Increase PPPoE performance to support high-speed DSL.

     Enhanced overall PPPoE performance for high-speed and standard
     DSL connections.

     6.  Add more PPP/PPPoE connection capability. GB330229

     GNAT Box System Software now supports the configuration of up to
     five (5) PPP/PPPoE connections. Multiple PPP/PPPoE connections
     can use the same network interface (NIC).

     7.  Add dynamic Interface Object capability to the Gateway
         Selector. GB330232

     Enhanced the Gateway Selector by adding the capability to
     specify dynamic Interface Objects.

2.2 Bug Fixes

     1.  In an HA configuration, updating Network Information or
         IP aliases on the Master system before updating the Slave
         results in the systems becoming either both Master or
         both Slave. GB330179

     Revised HA service to update IP addresses.

     2.  RDNS (Reverse DNS) lookups not always recognized when the
         user uses a Class A or B netmask. GB330185

     Revised code uses a network mask to correctly build the dotted
     decimal RDNS entry in RDNS configuration files, which allows the
     user to enter Class A and B addresses.

     3.  The DHCP client stays in renewal state instead of switching
         to rebinding state if no response is received when renewing
         a DHCP lease. GB330216

     Revised timeout logic to use absolute timeouts.

     4.  Using IP aliases with HA, when the Master fails over to a
         Slave system, the two systems both send ARP messages with
         their respective MAC addresses.  Aliases should remain bound
         to the Virtual MAC address only. GB330169

     Configure IP aliases only when in Master mode.

3.1 Enhancements and Changes

     1.  Increase encryption and hash options to VPN configuration.

     In Phase I, added AES as a valid encryption algorithm. In
     Phase I and II, add SHA-2 as a valid hash algorithm.

     2.  Add additional CIDR-based notation capability. GB330070

     Added CIDR-based notation for entering the IP address/subnet
     combination as the default in Static Routes, IP aliases, H2A
     High Availability and Network Information screens.
     CIDR addresses will also be displayed in the Active Routes
     list under System Activity.

     3.  Add the use of Interface Objects to additional screens.

     Added Interface Object fields to Static Routes, Static Address
     Mapping, H2A High Availability and Tunnels.

3.2 Bug Fixes

     1.  Extraneous Identity field in Manual VPN definition. GB330098

     Removed Identity field from Manual VPN definition.

     2.  Time Groups cannot be made active from 11:50 pm to midnight
         when creating a block that extends from one day to the next.

     "00:00" can now be used to indicate the end of the day.

4.  GBADMIN (Windows Only)
4.1 Enhancements and Changes

     1.  Add new navigation buttons in GBAdmin HTML pages. GB330201

     Arrow navigation buttons for back and forward have been added
     to support the use of the HTML help pages.

     2.  Add ability to cut, copy and paste IP aliases. GB330058

     Added cut, copy and paste functions to the IP alias screen,
     allowing the text to be pasted into GBAdmin and the IP Alias
     object to be pasted into other applications.

     3.  Add a Links menu item to the GBAdmin Scrolling Menu.

     Added a Links menu item that accesses information on GTA's
     website, www.gta.com.

4.2 Bug Fixes

     1.  When leaving the Inbound Tunnels section, leaving the
         focus on the Automatic Accept All or Hide Source checkboxes
         crashes GBAdmin. GB330171

     Revised code to allow focus to remain in these fields.

     2.  Using copy and paste in the IP address fields of Static
         Routes crashes GBAdmin. GB330188

     Revised code to allow copy and paste in these fields.

     3.  In GBAdmin, cannot use the capital letter "X" in the Primary
         Host Name field. GB330190

     Revised code to allow Primary Host Names to contain the capital
     letter "X."

     4.  When trying to load a configuration by connecting to a
         server that doesn't exist or using the wrong port, the
         "Loading Configuration" dialog box appears to load more than
         100% before GBAdmin returns an error. GB330154

     The "Loading Configuration" dialog now appears to load 50%
     before returning an error.

     5.  In GBAdmin, if the PPP connection speed is changed, it
         reverts to the default setting. GB330173

     Revised code in PPP to allow the connection speed to be changed.

     6.  Under the Windows 2000 version of the Windows operating
         system, GBAdmin loaded log messages slowly. GB330183

     Revised the program to load View Log Messages rapidly under
     Windows 2000.

5.  WEB
5.1 Enhancements and Changes

     1.  Remove support for SSL version 2. GB330215

     SSL version 2 was found to have inherent potential security
     flaws; therefore, version 2 support has been removed.

5.2 Bug Fixes

     1.  When updating the runtime over a slow connection, the system
         disconnects if the process takes longer than three minutes
         (180 seconds). GB330159

     Changed the code for timeouts so that if the connection is idle
     (performing no I/O) for five minutes (300 seconds), the
     connection is closed.

6.1 Enhancements and Changes

     1.  Add "New SSL Certificate" feature. GB330233

     Added "New SSL Certificate" feature to the Console interface
     under the Auth menu.

6.2 Bug Fixes


7.1 Enhancements and Changes

     1.  Add Surf Sentinel, an optional content filtering facility.

     Added Surf Sentinel, using the Cerberian Web Filter, to GTA's
     web content filtering facility.

     2.  Add local allow and deny lists to the GNAT Box System
         Software. GB330231

     Added the ability to create customized local content lists that
     can allow or deny specific sites or domains.

     3.  Add activation code for WebSense feature. GB330240

     Legacy support is provided for users of WebSense Open Server
     version 3.0.3. In the default configuration, WebSense Content
     Filtering is deactivated. Users may request an activation code
     by emailing support@gta.com with the following information:
     Name, Company, Contact email, Contact phone number, GTA firewall
     serial number and WebSense version number. Activation codes
     will be supplied in the support center within 48 business hours
     after receipt of your email.

7.2 Bug Fixes


8.1 Enhancements and Changes


8.2 Bug Fixes

     1.  Netmask verification warnings displayed for PPPoE aliases
         do not apply and are not necessary. GB330137

     Revised verification so that the "unique network" test is
     not run for aliases assigned to dynamic interfaces.

9.1 Enhancements and Changes

     1.  Add GB-DBMaint utility to Syslog and GB-Reports. GB330241

     The database maintenance program GB-DBMaint has been added to
     Syslog and to GB-Reports. This utility allows the user to
     back up and purge all or part of a GTA Firewall database.
     GB-DBMaint is accessed from the system tray menu in Syslog and
     from the Menu in GB-Reports.

     2.  Add system tray icon for Syslog. GB330238

     Add an icon for the Syslog facility to allow the user to
     open the Syslog user interface from the desktop at any time.

9.2 Bug Fixes




11.1 Enhancements and Changes

     1.  Add locale setting to registry. GB330084

     Added locale setting to registry so that locale will be recalled
     each time GBReports is started. (Applies only to non-English

     2.  Add column sort capability. GB330092

     The user is now able to sort a report by each column heading,
     both ascending and descending.

     3.  Add graphs and charts capability to GB-Reports. GB330239

     Add the ability to chart and graph data from the GTA Firewall.

11.2 Bug Fixes

     1.  In GBReports, corrupted log files with embedded spaces
         following a URL can hang the log import process. GB330114

     Changed GBReports to ignore embedded spaces following a URL.

12.1 Enhancements and Changes

     1.  Add a system tray icon for GBAuth. GB330217

     Added a system tray icon that allows GBAuth users to easily
     reactivate the user interface when GBAuth is running in the

12.2 Bug Fixes



Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109
Orlando, Florida 32817
