GB-OS FIREWALL SOFTWARE
Author: Global Technology Associates, Inc.
Product: GB-OS version 5.3.1
Date: 7 April 2010
GB-OS version 5.3.1 includes updated versions of the following GTA
products and utilities:
Release notes are located on the installation CD and on GTA's Web site.
For more about upgrading related software, see individual product
Release Notes sections are categorized first by feature addressed, then
by the type of change.
1. INSTALL NOTES
6. WEB INTERFACE
7. RELEASE NOTES HISTORY
1. INSTALL NOTES
1.1 Entering New Activation Codes
If upgrading from 5.2.x or below, new activation codes must be
entered. GB-OS version 5.3.1 is available at no charge to
customers with a GTA support contract or annual maintenance
agreement. Other users should contact their local Authorized GTA
Channel Partner or email firstname.lastname@example.org for information and pricing
of upgrade options.
1.2 Upgrade Notes
1.2.1 Upgrading to GB-OS 5.3
Firewalls must be on GB-OS version 5.2.0 or higher to properly
upgrade to GB-OS 5.3. See the Upgrade Guide for more information.
1.2.2 GB-250 Rev B Upgrade to GB-OS 5.3
GB-250 Rev B firewalls should be on runtime slice 2 when upgrading
to version 5.3.
The firewall's current runtime slice is displayed on the
firewall's System>Overview screen. To view the current slice, log
into the firewall’s web administration interface and navigate to
System>Overview. The runtime section will display the firewall's
current runtime slice.
Additionally, some GB-250 Rev B firewalls require a BIOS update
before updating to GB-OS 5.3.0. If the BIOS version is not v0.99h
or higher, the BIOS may need to be updated.
You can check the BIOS by:
1. Examining the hardware report for the BIOS version:
BIOS: PC Engines ALIX.2 v0.99h tinyBIOS V1.4a (C)1997-2007
2. Connecting on the console interface and rebooting the
firewall. The first line displayed should be the BIOS revision.
Example: PC Engines ALIX.2 v0.99h
You can check if the firewall is a GB-250 Rev B by the following:
1. GB-250 Rev B firewalls have USB ports while GB-250 Rev A do
not have USB ports.
2. GB-250 Rev B firewall serial numbers are:
Starting at S/N 65002101 and above
Starting at S/N 65902101 and above
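The BIOS check above can be scripted when several hardware reports have to be reviewed before an upgrade. The following is an added example, not GTA code: it reads the "BIOS:" line of a saved hardware report and compares the version against v0.99h. The ordering rule (major, minor, then letter suffix), the function names and the sample reports are assumptions made for this sketch.

```python
import re

# Minimum BIOS version named in section 1.2.2 for GB-250 Rev B firewalls.
MIN_BIOS = "v0.99h"

# Assumed version shape: "v<major>.<minor><optional letter>", e.g. v0.99h.
_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)([a-z]?)\b")


def parse_version(text):
    """Return (major, minor, suffix) for the first version token, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), m.group(3))


def bios_line(report):
    """Return the 'BIOS:' line of a hardware report, or None if absent."""
    for line in report.splitlines():
        if line.strip().startswith("BIOS:"):
            return line.strip()
    return None


def bios_status(report):
    """Classify a report as 'ok', 'may-need-update' or 'unknown'."""
    line = bios_line(report)
    found = parse_version(line) if line else None
    if found is None:
        # No BIOS line, or a version we cannot parse: fall back to the
        # console check (first line shown on reboot).
        return "unknown"
    # Assumption: tuples order versions the way "or higher" intends.
    return "ok" if found >= parse_version(MIN_BIOS) else "may-need-update"


# Constructed sample reports; only the first BIOS line comes from the notes.
SAMPLE_REPORTS = {
    "fw-a": "Model: GB-250\n"
            "BIOS: PC Engines ALIX.2 v0.99h tinyBIOS V1.4a (C)1997-2007\n",
    "fw-b": "Model: GB-250\n"
            "BIOS: PC Engines ALIX.2 v0.99c tinyBIOS V1.4a (C)1997-2007\n",
    "fw-c": "Model: GB-250\n",
}

if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        print(name, bios_status(report))
```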
1.2.3 Re-sizing Slices and Runtime Upgrades
In order to support the new features in GB-OS 5.2.x and above,
some firewalls may require partition re-sizing during the
upgrade process. Upon re-sizing, both runtime slices will have
GB-OS 5.3.0, and firewall administrators WILL NOT be able to
revert to previous runtimes via the Console or Web interface.
GTA strongly recommends backing up current firewall
configurations PRIOR to upgrading.
Firewalls requiring re-sized partitions will take approximately
5-8 minutes to reboot and fully update once the runtime has
been applied. DO NOT switch off or reboot the firewall during
1.2.4 Error Messages Upon Initial Reboot
Upon rebooting after successful installation, the GTA
Firewall UTM Appliance may display errors when accessed
using the Web interface. This is expected; these errors are
generated because the browser's cache is trying to access
files and locations that no longer apply. Click OK to any
displayed errors and refresh the browser window to access
GB-OS 5.3.0. If the error messages persist, clear your
1.3 SSL Certificate Replacement
GB-OS version 5.3.1 will install a new default security/SSL
certificate. Some browsers, including Netscape and Mozilla,
will not recognize the new certificate if the original has
never been replaced. If you are unable to log on to the
firewall after upgrading, delete the browser's cached security
certificate, then close and restart your browser before
reattempting remote access to your firewall.
1.4 Mail Sentinel Anti-Virus
Since the release of GB-OS version 5.1.2, Mail Sentinel Anti-Virus is
no longer available as a separate subscription option. Mail Sentinel
Anti-Virus is included as a standard feature with valid support
2.1 New Features
2.1.1 Added X-AUTH VPN support.
2.2.1 Updated IPS engine.
2.2.2 Improved password security by obscuring password entry.
2.2.3 Current slice is now displayed for runtime updates.
2.2.4 Improved USB dongle support.
2.2.5 A VPN certificate is now created by default in the Basic Setup
Wizard or when defaulting the certificates section.
2.2.6 Default CA certificates are now named after the host firewall.
2.2.7 Certificates now use a larger hash and key size for increased
2.3 Bug Fixes
2.3.1 When upgrading, circular account groups no longer prevent
2.3.2 When creating new SSL certificates via the Console, the system's
local certificate is properly updated and the admin interface and
authentication services properly restarted upon saving changes.
2.3.3 IPSec tunnels using DNS gateways properly start on boot.
2.3.4 Configuration data is properly exported when certificate names
contain special characters.
2.3.5 A user's group name is properly displayed in XML schema.
2.3.6 VPNs using DNS are properly maintained when saving address
2.3.7 Certificate subject is properly exported.
2.3.8 Special characters are properly allowed for password protecting
configuration files in ZIP and 7ZIP format.
2.3.9 Firewall properly re-attempts connections with ALS server.
2.3.10 Firewall remains operational when saving supernetted VPNs.
2.3.11 Certificate Signing Requests (CSR) are properly generated.
3.1.1 VPN Setup Wizard now uses the full name for generating
certificate names, followed by identity and unknown if fields
3.1.2 Improved VPN throughput speed.
3.3 Bug Fixes
3.2.1 GB-OS service response packets to a local subnet of a remote VPN
supernet are no longer sent over the VPN.
3.2.2 When configuring groups, only aggressive mode VPN objects are
available when selecting a Mobile IPSec VPN object.
3.2.3 Gateway failover properly functions when the name of a disabled
gateway matches an enabled gateway.
3.2.4 Unique IPSec security policies are used for each VPN connection.
3.2.5 Multiple subnets with non-GTA firewalls are properly supported
when using IPSec.
3.2.6 Routing services are maintained when the admin web interface is
restarted following certificate updates.
3.2.7 Gateway Failover properly falls back to the primary gateway when
the gateway returns.
3.2.8 Configurable interfaces and VLAN limits are properly enforced.
3.2.9 Interfaces now display full and half duplex options with duplex
set to automatic if connection is set to automatic.
3.2.10 Policy based routing properly uses the last gateway as
3.2.11 VPN Failover properly functions with multiple local gateways.
4.1.1 Added sessions report option for configuration reports.
4.1.2 Runtime update configuration reports now include current version,
last update check, active slice and console mode information.
4.2 Bug Fixes
4.2.1 Protocol is properly set for logging when using the SSL Sentinel
5.1 New Features
5.1.1 Shrew Soft VPN Client configuration and download files are now
dynamically generated on the user interface.
5.1.2 Mac OS X IPSec Client, certificates and installation guide are
now available for download via the user interface.
5.2.1 Single Sign-On now attempts server connection until a successful
connection is established.
5.2.2 Allowed number of DHCP zones now equal to VLANs.
5.2.3 Mobile VPN users can now be authenticated via RADIUS and LDAP.
5.3 Bug Fixes
5.3.1 High Availability is properly disabled when no activation codes
5.3.2 LDAP authentication properly functions when no groups are found
by searching the base location.
5.3.3 The SSL Sentinel Client properly reloads and recognizes user
5.3.4 Mail Sentinel auto policy configuration setting is correctly
5.3.5 Virtual keyboard is properly hidden upon entering passwords on
SSL Sentinel file shares.
5.3.6 SSL Browser properly handles file uploads.
5.3.7 SSL Sentinel permissions has been removed from the default
5.3.8 SSL Sentinel properly works with HTTPS web sites.
5.3.9 SSL Sentinel properly works with Outlook Web Access using
Exchange Server 2003, and Internet Explorer.
5.3.10 High Availability maintains VPN service on the master firewall.
5.3.11 IPSec policy compatibility option added for firewalls that are
not compatible with unique policies.
6. WEB INTERFACE
6.1.1 Improved system configuration verification.
GBOS5310015006, GBOS5310014521, GBOS5310015096, GBOS5310015226,
6.1.2 When attempting to enable SSL Sentinel in group accounts, the
activation code requirement is displayed for GB-250 10 User
systems with no VPN option.
6.1.3 LDAPv3 and RADIUS authentication options have been moved to the
default view, and disabled by default, in Account Preferences and
SSL Sentinel Browser configuration screens.
6.1.4 VPN Objects and VPN Setup are now referenced as IPSec Objects
and IPSec Setup throughout the Web Interface.
6.1.5 Certificates configuration section is now located under VPN.
6.1.6 IPSec Tunnels configuration section has been renamed to
Site to Site.
6.2 Bug Fixes
6.2.1 Time group options are properly displayed when adding new time
6.2.2 Multi-byte characters are properly displayed with certificates.
6.2.3 Defined web interface refresh rate is properly displayed.
6.2.4 Bookmark icons are properly exported and imported.
6.2.5 SSL Sentinel Browser disclaimer text displays properly.
6.2.6 Virtual keyboard properly functions on Google Chrome 4.x.
6.2.7 Multiple user sessions no longer appear when using basic
7. RELEASE NOTES HISTORY
7.1 Previous Release Notes
These notes cover the 5.3.1 release of GB-OS. Release notes for
previous versions can be found at GTA's Web site, http://www.gta.com.
Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109
Orlando, Florida 32817