Global Technology Associates, Inc.

Title:    GTA Firewall Systems Release Notes 
Product:  GNAT Box System Software version 3.4.0
Date:     1 August 2003 

                         
RELEASE NOTES HISTORY

These notes cover the latest patch release of GNAT Box System Software
version 3.4.0. Release notes for previous versions can be found at
GTA's website, www.gta.com.

-------------------------------------------------------------------------

                             UPGRADE NOTES
                                                              
       For more about upgrading, see individual product text files.
       
                                           
               New Surf Sentinel Feature Activation Code
                                 ----  

Before upgrading to version 3.4.0, Surf Sentinel customers upgrading from
a version previous to 3.3.4 must enter a new feature activation code to
accommodate Cerberian Web Filter version 2.0. The new code is available
in the GTA support center under View Registered Products. Delete the old
feature code, enter the new code and save, then upgrade the firewall. 
                                             
                     Default SSL Encryption Settings
                                 ----

If upgrading from a version previous to 3.2.2, SSL will be disabled and the
default port set to 80. To enable SSL encryption, copy the current web
access Remote Access Filter, change the port on it to 443 and enable. Save
the section. Next, default and save the Authorization > Remote
Admin/Authentication function and save the section. This will enable all
encryption and change the server port to 443. Delete the old filter. 

                         High Availability Names
                                 ----

Beginning in version 3.3, H2A systems began using Interface Object names
(HA-EXTERNAL, HA-PROTECTED), so GTA recommends changing references to HA
systems to reflect the new nomenclature.

                              Netscape/Mozilla
                                   ----
                                   
Version 3.4.0 installs a new default security certificate. Some browsers,
including Netscape and Mozilla, will not recognize the new certificate if
the original has never been replaced. If you are unable to log on to the
GTA Firewall after upgrading, delete the browser security certificate, then
exit and restart. 

-------------------------------------------------------------------------

                              KNOWN ISSUES
                                                                  
                    Internet Explorer 5 for Macintosh
                                   ----

Internet Explorer 5 for Macintosh will not allow you to accept or install
the SSL security certificate. SSL must be disabled to use this combination.

               Internet Explorer 5 Export Version, No Patch
                                   ----
                                   
The export version of IE 5 improperly implements SSL version 3.0, so to use
SSL 3.0, you must have installed the IE security patches.

                 Security Vulnerabilities in SSL Version 2.0
                                   ----
                                   
Due to security vulnerabilities in SSL 2.0, support for it has been
removed in GNAT Box System Software.

-------------------------------------------------------------------------


Release Notes include following enhancements, modification and bug fix
sections:

1.   SYSTEM SOFTWARE 

2.   SERVICES 

3.   CFG LIBRARY

4.   ALL USER INTERFACES 
          
5.   GBADMIN (Windows Only)

6.   WEB
          
7.   CONSOLE

8.   CONTENT FILTERING

9.   INSTALLERS

10.  GTASYSLOG 

11.  GBAUTH (Windows Only)

------------------------------------------------------------------------

1.   SYSTEM SOFTWARE 
1.1  Enhancements

     1.   Make NAT, IP Pass Though and VPNs inherit their logging and
          priority settings from the filter that allowed them to be
          created. GB340432
          
     2.   Add to transparent proxy the ability to return a block
          message or redirect to a URL when blocking a user. GB340435 

     3.   Add ability to require tunnel and filter authentication.
          GB340436
     
     4.   Close connections that use a time-based filter at the stop
          time set for the filter, if connection is still active.
          GB340441

     5.   Log user, packets received (pkts_rcvd) and packets sent
          (pkts_sent) when logging NAT, VPN and IP Pass Through closes.
          GB340455

     6.   Allow TCP packets with ECN bits set. ECN is commonly used by
          default on LINUX systems, but is non-standard, and so was
          previously denied by GTA firewalls. GB340601 

     
1.2  Modifications
     
     1.   Enhancements to system software have increased the size of the
          runtime image, so remove support for the less-used functions
          RIP and Gigabit from floppy-disk based products. GB340517


1.3  Bug Fixes

     1.   Non HTTP services running on HTTP service ports (80 or 8080)
          can not be accessed using WWW proxy. GB340006 

          Resolution: 
          Pass unparseable connections to content filtering as type
          unknown. 

     
2.   SERVICES 
2.1  Enhancements

     1.   Add support for PPTP to PPP client. GB340457, GB340498 
     
     2.   Simplify the use of VPN mobile protocol: mobile protocol will
          be used only if "Force mobile protocol" is selected in the
          VPN object. GB340540

     3.   Set 300 connection maximum on email proxy connections to
          prevent excess memory use. GB340616 

     4.   Add to SMTP proxy the ability to log to and from addresses,
          and log reason for block, when rejecting email. GB340453 

2.2  Modifications

     NONE

2.3  Bug Fixes
            
     1.   IKE service exhausts memory when using RIP. GB340594

          Resolution:
          Remove routing memory leak from IKE daemon.

     2.   Primary domain name is not appended to hosts when using Ping
          or Traceroute if using the DNS Proxy. GB340636

          Resolution: 
          When using DNS Proxy, use primary domain, if specified. 

                   
3.   CFG LIBRARY
3.1  Enhancements and Changes

     1.   Add ability to use wildcard character "*" when specifying DNS
          hosts. GB340407
          
3.2  Modifications

     1.   Added verification for matching aliases to network information
          screen networks when aliases specify a netmask and the alias is
          on the same logical network as a primary address. GB340402 
     
     2.   Add PPPoE interface information to the configuration report
          network information section.  GB340514

3.3  Bug Fixes

     1.   Number of VPN security associations for mobile users and
          authorized VPNs is not directly verified. GB340538 

          Resolution: 
          Add verification check for number of security associations
          being defined. Additionally, when configuring VPNs ignore
          those that would cause system to exceed allowed security
          associations.  
                   
                    
4.   ALL USER INTERFACES 
4.1  Enhancements

     1.   Add ability to use objects for configuring a remote network
          in Users Authorization. GB340012

     2.   Simplify VPN configuration under VPN Authorization. GB340470

     3.   Enhance inbound tunnel configuration by adding a description
          field and an enable checkbox, similar to filter
          configuration. GB340471

     4.   Add system activity report to display authenticated users.
          GB340495
          
     5.   When updating a HA standby/slave firewall, preserve the
          standby firewall's PPP configuration. GB34501
          
     6.   Change the Destination IP address for the Traditional Proxy
          default filter to  (previously,  the default
          destination IP address was  0.0.0.0/0>.)
          GB340503

     7.   Add a system activity report to display the Active Hosts on
          user-limited products. GB340521

     8.   Add filter preference options for logging tunnel opens,
          closes, and filter blocks. GB340560 

     9.   Simplify product activation by moving serial number to
          Feature screen from Preferences/Contact Information screen.
          GB340562
     
     10.  Revise Filter Preferences screen by removing old Default
          Logging section options. GB340580 
          
4.2  Modifications

     1.   As the WebSense service is no longer available, drop support
          for WebSense service from all interfaces. GB340506
     
     2.   Simplify VPN by limiting supported encryption algorithms to
          null, AES, blowfish, des, 3des and strong. Remove cast128 and
          twofish. GB340522 
          
     3.   Remote Logging fields functionality moved to Filter
          Preferences; remove open, close, web priority fields. GB340554 
    
     4.   Make WELF the only supported logging format. GB340712
     
4.3  Bug Fixes
     
     1.   Discrepancy in the Password field for Users authorization in
          GBAdmin and the Web Interface. GB340577 

          Resolution: 
          Revised Password field to allow 127 characters. 
          
     2.   Host name entry is limited to 19 characters. GB340406 

          Resolution: 
          Allow entry of host names up to 63 characters long. 


5.   GBADMIN (Windows Only)
5.1  Enhancements

     1.   Add support for SSL encryption and to create new SSL
          certificates to GBAdmin. GB340437 

     2.   Add the ability to generate a new SSL certificate to GBAdmin
          under Remote Admin/Authentication. GB340450 
          
     3.  Add option to view either summary or description to filter and
          tunnel sets display: View > Descriptions to toggle on/off.
          GB340483
          
     4.  Update GBAdmin Help files. GB340362

          
5.2  Modifications

     NONE
          
5.3  Bug Fixes

     1.   The pager configuration under Filter Preferences does not
          load nor save the configured speed setting correctly.
          GB340600 

          Resolution: 
          System now reads and saves the pager speed correctly. 

6.   WEB
6.1  Enhancements and Changes

     1.   Add Help files. GB340xxx
     
6.2  Modifications
6.3  Bug Fixes

     NONE


7.   CONSOLE
7.1  Enhancements
7.2  Modifications
7.3  Bug Fixes

     NONE


8.   CONTENT FILTERING
8.1  Enhancements and Changes

     1.   Add support so that the Transparent Proxy filters when IP
          Pass Through is used. GB340484
          

8.2  Modifications

     1.   Remove redundant category "Other." GB340610 
          
8.3  Bug Fixes

     1.   The Transparent Proxy sends an incorrect TCP reset packet to
          an External Web Server during a content filtering block.
          GB340545 

          Resolution: 
          When sending reset to server, use correct IP addresses and
          sequence numbers. 

     2.   Adding a trailing dot to a URL (e.g., www.domain.com.) can
          bypass content filtering. GB340735

          Resolution: 
          Remove any trailing domain separators from domain names
          before applying content filtering.
          

9.   INSTALLERS
9.1  Enhancements 
9.2  Modifications
9.3  Bug Fixes

     NONE
     
                    
10.  SYSLOG (Windows Only)
10.1 Enhancements and Changes 

     1.   Syslog has been rewritten to run as a service; Syslog is now
          named GTAsyslog. GB340442

10.2  Modifications
10.3 Bug Fixes
  
     NONE
    
          
11.  GBAUTH (Windows Only)
11.1 Enhancements and Changes  

     1.   Add support for GBAuth utility to use SSL encryption.
          GB340439 
          
     2.   Add ability to log user's name when authenticated by GBAuth
          utility. GB340444

11.2 Modifications
11.3 Bug Fixes

     NONE
     
                     
--------------------------------------------------------------------

Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109
Orlando, Florida 32817
www.gta.com
407.380.0220