Global Technology Associates, Inc.
Title: GTA Firewall Systems Release Notes
Product: GNAT Box System Software Version 3.3.0
Date: 21 September 2002
RELEASE NOTES HISTORY
These notes cover the latest release of GNAT Box System Software,
version 3.3.0. Release notes for previous versions can be found on
www.gta.com.
====================================================================
UPGRADES
! CAUTION: BACK UP YOUR CONFIGURATION BEFORE AN UPGRADE. !
--------------------------
SSL ENCRYPTION
---
Default SSL Settings
If you are upgrading from a version previous to 3.2.2, SSL will be
disabled and the default port will be set to 80. To enable SSL
encryption, first copy your current Remote Access Filter for web
access, change the port number to 443 and enable it without
disabling your old filter. Save the section. Next, default and save
the Remote Admin/Authentication function under Authorization and
save the section. This will enable all encryption and change the
server port to 443. Once SSL encryption is activated on port 443, you
can delete your old web access filter.
--------------------------
HIGH AVAILABILITY NAMES
---
H2A systems now use Interface Object names (default, HA-EXTERNAL,
HA-PROTECTED), so it may be helpful to change the references to your
HA systems to reflect the new nomenclature, especially in VPN
Objects and Remote Access Filters.
--------------------------
GB-100 UPGRADES
---
GB-100 directory parameters have been changed in the disk label to
free up space for the enhanced GNAT Box System Software version
3.3.0 runtime. Revising the disk label requires a destructive
installation of version 3.3.0 using GB-100 installation floppies.
! BACK UP YOUR CONFIGURATION --- DESTRUCTIVE !
! INSTALLATION OVERWRITES YOUR CONFIGURATION WITH FACTORY SETTINGS.!
--------------------------
NETWORK INTERFACE CARDS
---
See GTA's website at www.gta.com for an up-to-date list of
compatible NICs.
====================================================================
KNOWN BROWSER ISSUES
--------------------------
Internet Explorer 5 For Macintosh
---
Internet Explorer 5 browser for the Macintosh platform will not
allow you to accept or install the SSL security certificate. SSL
must be disabled to use this combination.
--------------------------
Internet Explorer 5 Export Version, No Patch
---
Because of security flaws in SSL version 2.0, GTA has removed SSL
2.0 support. The IE 5 Export version (40-bit) improperly implements
SSL version 3.0; you must have installed the IE security patches in
order to use SSL 3.0 with GNAT Box System Software 3.3.0.
--------------------------
Netscape/Mozilla Browser Issues
---
If you are unable to log on to your GTA Firewall after upgrading,
delete the security certificate in your browser, then exit and
restart to restore access. Version 3.3.0 installs a new default
security certificate. Some browsers, including Netscape and Mozilla,
will not recognize the new default if the original default
certificate has never been replaced.
====================================================================
Release Notes include the following sections:
1. SYSTEM SOFTWARE
1.1 Enhancements and Changes
1.2 Bug Fixes
2. SERVICES
2.1 Enhancements and Changes
2.2 Bug Fixes
3. ALL USER INTERFACES
3.1 Enhancements and Changes
3.2 Bug Fixes
4. GBADMIN (Windows Only)
4.1 Enhancements and Changes
4.2 Bug Fixes
5. WEB
5.1 Enhancements and Changes
5.2 Bug Fixes
6. CONSOLE
6.1 Enhancements and Changes
6.2 Bug Fixes
7. CONTENT FILTERING
7.1 Enhancements and Changes
7.2 Bug Fixes
8. VERIFICATION
8.1 Enhancements and Changes
8.2 Bug Fixes
9. SYSLOG
9.1 Enhancements and Changes
9.2 Bug Fixes
10. INSTALLERS
10.1 Enhancements and Changes
10.2 Bug Fixes
11. GBREPORTS
11.1 Enhancements and Changes
11.2 Bug Fixes
12. GBAUTH
12.1 Enhancements and Changes
12.2 Bug Fixes
--------------------------------------------------------------------
1. SYSTEM SOFTWARE
1.1 Enhancements and Changes
1. Add AES and SHA-2 options to VPN configuration in additional
locations. GB330205:203
In Phase I, add AES (already available in other products) as a
valid encryption algorithm to GB-100, GB-Pro, -Light and -Demo.
In Phase I and II, add SHA-2 as a valid hash algorithm in
flash-based products other than GB-100.
2. Simplify error message. GB300099
Modified system kernel to return simplified error message,
"Permission denied," to indicate that the user is restricted
to read-only access.
3. Attempt to preserve original port numbers. GB330131
Preserve the original port number when performing NAT if the
port number is not being used to access the remote IP address.
4. Add lockout mechanism. GB330237
Added lockout facility to prevent unauthorized access to the GTA
Firewall, and provide log information about access attempts
after lockout.
5. Add support for WebTrends Enhanced Logging Format (WELF).
GB330228
Changed the default logging format to WELF. The old log format
is still available, if enabled, but it has been deprecated and
may be removed from the system software in the future.
6. Increase the number of supported maximum concurrent
connections. GB330235
Increased the number of concurrent connections supported by the
GNAT Box System Software from 32,768 to 131,072.
7. Add facility to map a service's IP address to an IP alias.
GB330234
In Static Address Mapping, added the ability to map an
IP address used by GNAT Box services to an IP alias.
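Item 3 of section 1.1 (GB330131) describes port preservation during NAT. The following is an added illustration, not GTA's code: a small source-NAT table that keeps the original source port unless that port is already in use toward the same destination, in which case it allocates from an ephemeral range. Class and method names are assumptions; addresses are documentation ranges.

```python
class NatTable:
    """Source-NAT translation table that preserves the original source port.

    An outbound flow keeps its source port as the external port unless that
    (external port, destination IP, destination port) combination is already
    used by another flow, in which case a port is taken from the ephemeral
    range. Keeping the port matters for protocols whose peers expect a fixed
    source port (IKE on UDP 500 is the usual example).
    """

    def __init__(self, ext_ip, ephemeral=(49152, 65535)):
        self.ext_ip = ext_ip
        self.lo, self.hi = ephemeral
        self.next_port = self.lo
        self.flows = {}      # (src_ip, src_port, dst_ip, dst_port) -> ext_port
        self.in_use = set()  # (ext_port, dst_ip, dst_port)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return (ext_ip, ext_port) for the flow, creating a mapping if new."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.flows:                       # existing flow: reuse mapping
            return self.ext_ip, self.flows[key]
        ext_port = src_port
        if (src_port, dst_ip, dst_port) in self.in_use:
            # another internal host already reaches this destination from the
            # same port, so preserving it would make the replies ambiguous
            ext_port = self._allocate(dst_ip, dst_port)
        self.flows[key] = ext_port
        self.in_use.add((ext_port, dst_ip, dst_port))
        return self.ext_ip, ext_port

    def release(self, src_ip, src_port, dst_ip, dst_port):
        """Drop a finished flow so its external port can be reused."""
        ext_port = self.flows.pop((src_ip, src_port, dst_ip, dst_port))
        self.in_use.discard((ext_port, dst_ip, dst_port))

    def _allocate(self, dst_ip, dst_port):
        # round-robin through the ephemeral range until a free tuple is found
        for _ in range(self.hi - self.lo + 1):
            port = self.next_port
            self.next_port = self.lo if port == self.hi else port + 1
            if (port, dst_ip, dst_port) not in self.in_use:
                return port
        raise RuntimeError("no free external port for %s:%d" % (dst_ip, dst_port))
```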
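Item 5 of section 1.1 (GB330228) makes WELF the default log format. As an added example (not part of the release notes or the product), here is a parser for WELF records (space-separated key=value pairs with quoted values; id, time, fw and pri mandatory) plus a detection pass that counts "Permission denied" records per source address. The log lines are constructed samples and the field names beyond the mandatory four are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in WebTrends Enhanced Log Format (WELF). Each
# record is a run of key=value pairs; values containing spaces are quoted;
# id, time, fw and pri are mandatory. Addresses are documentation ranges.
SAMPLE_WELF = [
    'id=firewall time="2002-09-21 10:15:02" fw=192.0.2.1 pri=6 rule=12 '
    'proto=tcp src=10.1.1.20 srcport=1043 dst=203.0.113.9 dstport=80 msg="Accept"',
    'id=firewall time="2002-09-21 10:15:07" fw=192.0.2.1 pri=4 '
    'src=198.51.100.77 dst=192.0.2.1 dstport=443 msg="Permission denied"',
    'id=firewall time="2002-09-21 10:15:09" fw=192.0.2.1 pri=4 '
    'src=198.51.100.77 dst=192.0.2.1 dstport=443 msg="Permission denied"',
    "Sep 21 10:15:10 free-text line that is not WELF",
]

_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value or key="v v"
_REQUIRED = ("id", "time", "fw", "pri")


def parse_welf(line):
    """Return the record as a dict, or None if the line is not valid WELF.

    Quoted values are unquoted, 'time' becomes a datetime and 'pri' an int.
    """
    fields = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    if any(k not in fields for k in _REQUIRED):
        return None
    try:
        fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
        fields["pri"] = int(fields["pri"])
    except ValueError:
        return None
    return fields


def denied_by_source(lines, threshold=2):
    """Count 'Permission denied' records per source address and return the
    sources that reached the threshold (repeated failed admin access)."""
    counts = Counter()
    for line in lines:
        rec = parse_welf(line)
        if rec and rec.get("msg") == "Permission denied" and "src" in rec:
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```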
1.2 Bug Fixes
1. When null encryption (encapsulation-only) is selected in
Phase II of a VPN connection, data is not transmitted.
GB330004
Resolution:
Ensured that VPN is fully functional using null encryption.
2. If a system responding to a VPN connection is rebooted
while the initiating side is still connected, the systems
do not always renegotiate the connection promptly. GB330008
Resolution:
Revised the VPN function so that if either system reboots,
the VPN connection is regained quickly.
3. Negotiation fails when a system using an IP alias initiates
a VPN. The system sends a packet that identifies it by IP
address rather than by IP alias. GB330079
Resolution:
The system now transmits the IP alias recognized by the remote
gateway using Static Address Mapping from the External
IP address to alias.
4. In a High Availability configuration, saving the Network
Information section causes the system to stop NATing to the
HA Virtual IP address. GB330162:102
Resolution:
When Network Information is saved, the system automatically
restarts the HA service.
5. IP aliases cannot be successfully assigned to PPP/PPPoE
interfaces. A warning is given in the message log. GB330164
Resolution:
Now uses a separate utility to add aliases and static routes
associated with PPP.
6. Unable to reach locations behind one brand/version firewall
due to non-standard packet sequencing during TCP 3-way
handshake. GB330156
Resolution:
Added code to accommodate the non-standard packet.
2. SERVICES
2.1 Enhancements and Changes
1. New BIND version. GB330198
DNS server updated to BIND version 8.3.3.
2. Add DNS proxy. GB330168
Added a DNS proxy. If no DNS server is running and DNS proxy is
enabled, the proxy will start automatically, forwarding requests
from allowed hosts to DNS servers. These servers include both
those that have been configured in DNS, and those negotiated
using DHCP and PPP.
3. New mail abuse prevention list. GB330097
Revise information in Email Proxy Mail Abuse Prevention
defaults, replacing inputs.orbz.org with list.dsbl.org.
4. Add support for Simple Network Management Protocol (SNMP).
GB330233
Enhanced system services by adding an SNMP facility that is
disabled by default.
5. Increase PPPoE performance to support high-speed DSL.
GB330230
Enhanced overall PPPoE performance for high-speed and standard
DSL connections.
6. Add more PPP/PPPoE connection capability. GB330229
GNAT Box System Software now supports the configuration of up to
five (5) PPP/PPPoE connections. Multiple PPP/PPPoE connections
can use the same network interface (NIC).
7. Add dynamic Interface Object capability to the Gateway
Selector. GB330232
Enhanced the Gateway Selector by adding the capability to
specify dynamic Interface Objects.
2.2 Bug Fixes
1. In an HA configuration, updating Network Information or
IP aliases on the Master system before updating the Slave
results in the systems becoming either both Master or
both Slave. GB330179
Resolution:
Revised HA service to update IP addresses.
2. RDNS (Reverse DNS) lookups not always recognized when the
user uses a Class A or B netmask. GB330185
Resolution:
Revised code now uses the network mask to correctly build the
dotted-decimal RDNS entry in the RDNS configuration files, which
allows the user to enter Class A or B addresses.
3. The DHCP client stays in renewal state instead of switching
to rebinding state if no response is received when renewing
a DHCP lease. GB330216
Resolution:
Revised timeout logic to use absolute timeouts.
4. Using IP aliases with HA, when the Master fails over to a
Slave system, the two systems both send ARP messages with
their respective MAC addresses. Aliases should remain bound
to the Virtual MAC address only. GB330169
Resolution:
Configure IP aliases only when in Master mode.
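Item 2 of section 2.2 (GB330185) concerns reverse DNS entries built without regard to the netmask. As an added example (not GTA's code), the functions below show the Class C assumption beside a mask-aware version that builds the in-addr.arpa zone name for /8, /16 and /24 networks and the PTR owner name of a host inside it; function names are assumptions.

```python
import ipaddress


def naive_reverse_zone(cidr):
    """The Class C assumption: always drop the last octet, whatever the mask.
    For 10.0.0.0/8 this yields '0.0.10.in-addr.arpa', which is wrong."""
    octets = str(ipaddress.ip_network(cidr).network_address).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa"


def reverse_zone(cidr):
    """Return the in-addr.arpa zone name for an octet-aligned IPv4 network.

    /8, /16 and /24 (the classic Class A, B and C sizes) keep one, two or
    three leading octets respectively, written in reverse order. Any other
    prefix length is rejected rather than silently truncated.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("expected an IPv4 /8, /16 or /24 network: %s" % cidr)
    octets = str(net.network_address).split(".")
    kept = octets[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_name(cidr, host):
    """Return the full PTR owner name of `host` within the zone for `cidr`."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(host)
    if addr not in net:
        raise ValueError("%s is not inside %s" % (host, cidr))
    host_octets = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_octets)) + "." + reverse_zone(cidr)
```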
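Item 3 of section 2.2 (GB330216) reports a DHCP client stuck in RENEWING because its timeouts were relative rather than absolute. The following added example (not the product's code) models a lease with RFC 2131's default T1 and T2 instants and simulates a client whose renewal requests go unanswered; the "relative" branch is a constructed bug model in which the rebind deadline is re-armed from each retransmit, and it never reaches REBINDING before the lease expires.

```python
from dataclasses import dataclass


@dataclass
class Lease:
    """A DHCP lease with the RFC 2131 default timers: T1 (start renewing)
    at 50% and T2 (start rebinding) at 87.5% of the lease time, both
    anchored as absolute instants to the moment the lease was acquired."""
    start: float
    lease_time: float

    @property
    def t1(self):
        return self.start + self.lease_time * 0.5

    @property
    def t2(self):
        return self.start + self.lease_time * 0.875

    @property
    def expiry(self):
        return self.start + self.lease_time


def state_for(lease, now):
    """Client state implied purely by the clock and the absolute deadlines."""
    if now >= lease.expiry:
        return "INIT"
    if now >= lease.t2:
        return "REBINDING"
    if now >= lease.t1:
        return "RENEWING"
    return "BOUND"


def run_unanswered(lease, absolute, min_retry=60):
    """Simulate a client from T1 onward whose DHCPREQUESTs are never answered
    and return the distinct states it passes through. Retransmits wait half
    the time to the next deadline (60 s minimum), as RFC 2131 suggests."""
    now, t2, seen = lease.t1, lease.t2, []
    while now < lease.expiry:
        state = "REBINDING" if now >= t2 else "RENEWING"
        if not seen or seen[-1] != state:
            seen.append(state)
        deadline = lease.expiry if state == "REBINDING" else t2
        now += max(min_retry, (deadline - now) / 2)
        if not absolute:
            # constructed bug model: the rebind deadline is re-armed as a
            # relative interval from each retransmit, so it keeps moving away
            t2 = now + (lease.t2 - lease.t1)
    seen.append("INIT")
    return seen
```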
3. ALL USER INTERFACES
3.1 Enhancements and Changes
1. Add encryption and hash options to VPN configuration.
GB330203
In Phase I, added AES as a valid encryption algorithm. In
Phase I and II, added SHA-2 as a valid hash algorithm.
2. Add additional CIDR-based notation capability. GB330070
Added CIDR-based notation for entering the IP address/subnet
combination as the default in Static Routes, IP aliases, H2A
High Availability and Network Information screens.
CIDR addresses will also be displayed in the Active Routes
list under System Activity.
3. Add the use of Interface Objects to additional screens.
GB330070
Added Interface Object fields to Static Routes, Static Address
Mapping, H2A High Availability and Tunnels.
3.2 Bug Fixes
1. Extraneous Identity field in Manual VPN definition. GB330098
Resolution:
Removed Identity field from Manual VPN definition.
2. Time Groups cannot be made active from 11:50 pm to midnight
when creating a block that extends from one day to the next.
GB330213
Resolution:
"00:00" can now be used to indicate the end of the day.
4. GBADMIN (Windows Only)
4.1 Enhancements and Changes
1. Add new navigation buttons in GBAdmin HTML pages. GB330201
Arrow navigation buttons for back and forward have been added
to support the use of the HTML help pages.
2. Add ability to cut, copy and paste IP aliases. GB330058
Added cut, copy and paste functions to the IP alias screen,
allowing the text to be pasted into GBAdmin and the IP Alias
object to be pasted into other applications.
3. Add a Links menu item to the GBAdmin Scrolling Menu.
GB330226
Added a Links menu item that accesses information on GTA's
website, www.gta.com.
4.2 Bug Fixes
1. Leaving the Inbound Tunnels section while the focus is on
the Automatic Accept All or Hide Source checkboxes crashes
GBAdmin. GB330171
Resolution:
Revised code to allow focus to remain in these fields.
2. Using copy and paste in the IP address fields of Static
Routes crashes GBAdmin. GB330188
Resolution:
Revised code to allow copy and paste in these fields.
3. In GBAdmin, cannot use the capital letter "X" in the Primary
Host Name field. GB330190
Resolution:
Revised code to allow Primary Host Names to contain the capital
letter "X."
4. When trying to load a configuration by connecting to a
server that doesn't exist or using the wrong port, the
"Loading Configuration" dialog box appears to load more than
100% before GBAdmin returns an error. GB330154
Resolution:
The "Loading Configuration" dialog now appears to load 50%
before returning an error.
5. In GBAdmin, if the PPP connection speed is changed, it
reverts to the default setting. GB330173
Resolution:
Revised code in PPP to allow the connection speed to be changed.
6. Under the Windows 2000 version of the Windows operating
system, GBAdmin loaded log messages slowly. GB330183
Resolution:
Revised the program to load View Log Messages rapidly under
Windows 2000.
5. WEB
5.1 Enhancements and Changes
1. Remove support for SSL version 2. GB330215
SSL version 2 was found to have inherent potential security
flaws; therefore, version 2 support has been removed.
5.2 Bug Fixes
1. When updating the runtime over a slow connection, the system
disconnects if the process takes longer than three minutes
(180 seconds). GB330159
Resolution:
Changed the code for timeouts so that if the connection is idle
(performing no I/O) for five minutes (300 seconds), the
connection is closed.
6. CONSOLE
6.1 Enhancements and Changes
1. Add "New SSL Certificate" feature. GB330233
Added "New SSL Certificate" feature to the Console interface
under the Auth menu.
6.2 Bug Fixes
NONE
7. CONTENT FILTERING
7.1 Enhancements and Changes
1. Add Surf Sentinel, an optional content filtering facility.
GB330236
Added Surf Sentinel, using the Cerberian Web Filter, to GTA's
web content filtering facility.
2. Add local allow and deny lists to the GNAT Box System
Software. GB330231
Added the ability to create customized local content lists that
can allow or deny specific sites or domains.
3. Add activation code for WebSense feature. GB330240
Legacy support is provided for users of WebSense Open Server
version 3.0.3. In the default configuration, WebSense Content
Filtering is deactivated. Users may request an activation code
by emailing support@gta.com with the following information:
Name, Company, Contact email, Contact phone number, GTA firewall
serial number and WebSense version number. Activation codes
will be supplied in the support center within 48 business hours
after receipt of your email.
7.2 Bug Fixes
NONE
8. VERIFICATION
8.1 Enhancements and Changes
NONE
8.2 Bug Fixes
1. Netmask verification warnings displayed for PPPoE aliases
do not apply and are not necessary. GB330137
Resolution:
Revised verification so that the "unique network" test is
not run for aliases assigned to dynamic interfaces.
9. SYSLOG
9.1 Enhancements and Changes
1. Add GB-DBMaint utility to Syslog and GB-Reports. GB330241
The database maintenance program GB-DBMaint has been added to
Syslog and to GB-Reports. This utility allows the user to
back up and purge all or part of a GTA Firewall database.
GB-DBMaint is accessed from the system tray menu in Syslog and
from the Menu in GB-Reports.
2. Add system tray icon for Syslog. GB330238
Added an icon for the Syslog facility to allow the user to
open the Syslog user interface from the desktop at any time.
9.2 Bug Fixes
NONE
10. INSTALLERS
NONE
11. GBREPORTS
11.1 Enhancements and Changes
1. Add locale setting to registry. GB330084
Added locale setting to registry so that locale will be recalled
each time GBReports is started. (Applies only to non-English
locales.)
2. Add column sort capability. GB330092
The user is now able to sort a report by each column heading,
both ascending and descending.
3. Add graphs and charts capability to GB-Reports. GB330239
Added the ability to chart and graph data from the GTA Firewall.
11.2 Bug Fixes
1. In GBReports, corrupted log files with embedded spaces
following a URL can hang the log import process. GB330114
Resolution:
Changed GBReports to ignore embedded spaces following a URL.
12. GBAUTH
12.1 Enhancements and Changes
1. Add a system tray icon for GBAuth. GB330217
Added a system tray icon that allows GBAuth users to easily
reactivate the user interface when GBAuth is running in the
background.
12.2 Bug Fixes
NONE
--------------------------------------------------------------------
Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109
Orlando, Florida 32817
www.gta.com
407.380.0220