GB-OS FIREWALL SOFTWARE
Author: Global Technology Associates, Inc.
Product: GB-OS version 6.1.0
Date: 12 December 2012
GB-OS version 6.1.0 includes updated versions of the following GTA
products and utilities:
Release notes are located on the installation CD and on GTA's Web site.
For more about upgrading related software, see individual product
Release Notes sections are categorized first by feature addressed, then
by the type of change.
1. INSTALL NOTES
5. WEB INTERFACE
7. RELEASE NOTES HISTORY
1. INSTALL NOTES
1.1 Entering New Activation Codes
If upgrading from 6.0.x or below, new activation codes must be
entered. GB-OS version 6.1.0 is available at no charge to customers
with a GTA support contract or annual maintenance agreement.
Other users should contact their local Authorized GTA Channel Partner
or email email@example.com for information and pricing of upgrade options.
1.2 Upgrade Notes
1.2.1 Upgrading to GB-OS 6.1.x
Firewalls must be on GB-OS version 6.0.x or higher to properly
upgrade to GB-OS 6.1.x. See the Upgrade Guide for more information.
1.2.2 GB-250 Rev B Upgrade to GB-OS 6.1.x
GB-250 Rev B firewalls on version GB-OS 5.2.x should be on runtime
slice 2 when upgrading to version 6.1.x.
The firewall's current runtime slice is displayed on the
firewall's System>Overview screen. To view the current slice, log
into the firewall's web administration interface and navigate to
System>Overview. The runtime section will display the firewall's
current runtime slice.
Additionaly, some GB-250 Rev B firewalls require a Bios Update
before updating to GB-OS 6.1.x. If the Bios version is not v0.99h
or higher,the Bios may need to be updated.
You can check the BIOS by:
1. Examining the hardware report for the Bios version:
BIOS: PC Engines ALIX.2 v0.99h tinyBIOS V1.4a (C)1997-2007
2. Connecting on the console interface and rebooting the
firewall. The first line displayed should be BIOS revision.
Example: PC Engines ALIX.2 v0.99h
GB-250 Rev A firewalls are NOT supported in GB-OS 6.1.0 and above.
Determine GB-250 Rev A or Rev B by the following:
1. GB-250 Rev B firewalls have USB ports while GB-250 Rev A do
not have USB ports.
2. GB-250 Rev B firewall serial numbers are:
Starting at S/N 65002101 and above
Starting at S/N 65902101 and above
1.2.3 Re-sizing Slices and Runtime Upgrades
In order to support the new features in GB-OS 5.2.x and above,
some firewalls may require partition re-sizing during the
upgrade process. Upon re-sizing, both runtime slices will have
GB-OS 6.1.0, and firewall administrators WILL NOT be able to
revert to previous runtimes via the Console or Web interface.
GTA strongly recommends backing up current firewall
configurations PRIOR to upgrading.
Firewalls requiring re-sized partitions will take approximately
5-8 minutes to reboot and fully update once the runtime has
been applied. DO NOT switch off or reboot the firewall during
1.2.4 Error Messages Upon Initial Reboot
Upon rebooting after successful installation, the GTA
Firewall UTM Appliance may display errors when accessed
using the Web interface. This is expected, these errors are
generated because the browser's cache is trying to access
files and locations that no longer apply. Click OK to any
displayed errors and refresh the browser window to access
GB-OS 6.1.0. If the error messages persist, clear your
1.2.5 IPSec Object Upgrade
When upgrading to GB-OS 5.4.2 and above, all firewalls using
SHA-2, with keys larger than 128, will need to be upgraded.
If unable to upgrade, firewalls must be switched to a compatible
1.3 SSL Certificate Replacement
GB-OS version 6.1.0 will install a new default security/SSL
certificate. Some browsers, including Netscape and Mozilla,
will not recognize the new certificate if the original has
never been replaced. If you are unable to log on to the
firewall after upgrading, delete the browser's cached security
certificate, then close and restart your browser before
reattempting remote access to your firewall.
2.1 New Features
2.1.1 GB-250 Revision A firewalls are not supported in GB-OS version
6.1.0 and above. To determine if your GB-250 firewall is Rev A
or Rev B: GB-250 Rev A firewalls do not have USB ports, while
GB-250 Rev B firewalls do have USB ports. GB-250 Rev B serial
numbers are 65002101 and above, and 65902101 and above.
2.1.2 Added ability to use objects that hold domain or host names.
2.1.3 Added the ability to specify the destination network for
IP Pass Through.
2.1.4 Added support for mounting USB devices using GPT partitions.
2.1.5 Added country code white list object.
2.1.6 Added built-in service objects MSNP, RTMP and XMPP.
2.1.7 Added ability to limit static mapping based upon destination
2.2.1 Log messages showing duration now include microseconds.
2.2.2 Configuration backups via email now display an editable
2.2.3 FTP/CIFS logins only allow virtual keyboard logins if the
virtual keyboard is set to Required.
2.2.4 Updated system log messages.
GBOS6100023491, GBOS6100024111, GBOS6100024736
2.2.5 Active connections now track total packets sent and received
for persistent connections.
2.2.6 Updated drivers for GB-Ware.
GBOS6100020276, GBOS6100019626, GBOS6100018871
2.3 Bug Fixes
2.3.1 Stealth mode blocks properly include the ICMP service.
2.3.2 Configuration settings are properly maintained when importing
XML configuration files.
2.3.3 Time group policies properly process end of time segment.
2.3.4 Security policies properly drop deny options after being
changed to accept.
2.3.5 Address objects are properly maintained upon upgrading.
2.3.6 GB-820 no longer encounters connection speed issues.
2.3.7 Firewall properly handles large numbers of IPSec VPNs.
2.3.8 VPN keep alive is correctly disabled when site-to-site VPN is
disabled, properly releasing host licenses.
2.3.9 Serial PPP interface settings are properly saved.
2.3.10 MTU is properly set for PPPoE connections.
2.3.11 Time based policies properly deny active connections as
2.3.12 Notification email address properly passes XML validation.
3.1 New Features
3.1.1 Added support for exporting and importing certificates and CRLs
in PKCS#7 format.
3.1.2 Added support to use CRLs with IPSec tunnels and the SSL Client.
3.1.3 Added option to configure BGP neighbor weight.
3.1.4 Added ability to set maximum failure value for gateway policies.
3.1.5 Added the ability to configure SPF and TXT records for the
domain, and TXT records for hosts.
3.1.6 Added support for dynamic DNS service providers easyDNS
3.1.7 Added support for ESMTP EHLO and SIZE commands.
3.1.8 Added support to Mail Proxy for DNS white list.
3.1.9 DCHPv6 client now supports multiple interfaces.
3.2.1 Security policies for remote access services are defaulted
based upon network settings.
GBOS6100022466, GBOS6100021306, GBOS6100021311
3.2.2 Traffic shaping limit maximum set to 5GB.
3.2.3 Improved certificate validation.
3.2.4 Improved NTFS support for USB devices.
3.2.5 Multiple destination addresses are now allowed for emailed
3.2.6 Upgraded Anti-Spam processing.
3.2.7 Updated IPS engine.
3.2.8 Updated SSL log messages.
3.2.9 High Availability slave IP, administrative ID and password
are now stored in the web interface.
3.2.10 High Availability Update Slave section changed to
Update HA Group.
3.2.11 Alarm notification emails now contain policy type.
3.2.12 Email sent from the firewall uses EHLO first by default,
followed by HELO.
3.2.13 Increased GB-Ware Virtual Machine VRID support to a
maximum of 4079.
3.2.14 IPS proxy settings now contain the option to set IPS as
default or subscription on the Threat Management, IPS Proxy
configuration screen. IPS Wizard sets the proxy as subscription.
3.2.15 High Availability now uses configured remote administration
port for slave group updates.
3.2.16 IPv4 and IPv6 addresses are coalesced into separate
3.2.17 Updated content filtering with new content categories.
3.2.18 GBAuth is now included on the remote access portal.
3.2.19 Peer IP address added to email proxy reject messages.
3.3 Bug Fixes
3.3.1 Basic Setup Wizard properly sets the domain for the DCHP server
3.3.2 Certificates are properly validated when making SSL connections
that require validation.
3.3.3 DCHP relay properly restarts when saving the network settings
3.3.4 Log messages for VPN blocks are properly reported.
3.3.5 Password character length for the High Availability update
slave field properly matches administrative password length.
3.3.6 IPS alarms are properly generated as configured.
3.3.7 RTSP protocols properly function.
3.3.8 IPS alarm notification emails display proper source,
destination, policy ID and time stamp.
3.3.9 High Availability properly prevents administrators from double
updating the slave.
3.3.10 IPv6 DHCP relay and VLAN properly function if both IPv6 and
IPv4 interfaces are configured.
GBOS6100024721, GBOS6100024731, GBOS6100024726
4.1 New Features
4.1.1 Added report types to the firewall reporting section.
GBOS6100021746, GBOS6100021716, GBOS6100018856
4.1.2 GB-2500 and GB-Ware Enterprise systems now report Top 100.
GB-2100 and GB-Ware Unrestricted now report Top 50.
4.1.3 Added ability to disable logging and reporting for Content
4.1.4 Added Mail Proxy reports.
4.1.5 Added ability to disable logging and reporting for Mail Proxy.
4.1.6 Added ability to save reporting data to USB.
4.2.1 Improved system reports.
GBOS6100021276, GBOS6100021536, GBOS6100021856, GBOS6100018851,
GBOS6100020731, GBOS6100021931, GBOS6100025131
4.2.2 Added SSL Licenses information to the SSL Report.
4.2.3 Improved system reports to display inbound and outbound traffic
by source and destination, as well as total bytes sent and
4.2.4 Improved Network Traffic report with connections moved above
4.2.5 Added country IP support for reports.
4.2.6 Improved reports to display connection limiting blocks in the
4.3 Bug Fixes
4.3.1 Spoof blocks are properly displayed in reports.
4.3.2 Stealth blocks properly appear in the Network Denied report,
4.3.3 Outbound connections are properly reported.
4.3.4 Invalid packet blocks properly display in reports.
4.3.5 Reports properly display network traffic connections.
4.3.6 IPv6 active connections are properly reported.
4.3.7 Fragment packets are properly displayed in reports.
4.3.8 Report graphs properly display statistical information.
5. WEB INTERFACE
5.1 New Features
5.1.1 Added graphs for Web Content Filtering statistics.
5.1.2 Added option to block IP addresses according to country code.
5.1.3 Added country identification flags throughout web interface.
5.1.4 Added enabled/disabled icons for country blocking.
5.1.5 Improvements made to the security policies monitoring section
to display a counter for the number of allowed/denied country
blocks, as well as the ability to flush all counters.
5.1.6 Improved system overview to display enabled automatic backups.
5.1.7 Added ability to revoke certificates issued by the local CA.
5.1.8 Added packet capture page to the Monitoring section. Packet
captures can also be attached to the configuration report.
5.1.9 Added performance optimization options for IPS Proxy.
5.1.10 Added info icon, for DDNS service providers, to the web
5.1.11 Added option to directly download backup configurations from
USB or cloud device.
5.1.12 Added ability to download specific user policies for Mobile
IPsec in the Accounts>Users section.
5.1.13 Added ability to enable automatic country IP database updates.
5.1.14 Added ability to download client configuration via the
VPN Mobile Client Wizard.
5.1.15 Added ability to purge country IP databases via the web
5.1.16 Added ability to enable the gateway via checkbox for IPv6
5.2.1 Improved system configuration verification.
GBOS6100003838, GBOS6100022216, GBOS6100023701, GBOS6100023721,
GBOS6100023901, GBOS6100023896, GBOS6100024001, GBOS6100024486,
GBOS6100024461, GBOS6100023916, GBOS6100024866, GBOS6100025011,
5.2.2 Improved Basic Setup Wizard design layout.
5.2.3 Modified web interface navigation menu.
5.2.4 Country list is now sorted by name on the Contact Information
5.2.5 Removed invalid Delete icon from the IPS policies section.
5.2.6 When importing configurations, the preserve activation codes
option is now enabled by default.
5.2.7 Removed MTU range display in the web interface for gigabit
5.2.8 Modified web interface, moving the add/delete buttons to the
left side of row lists.
5.2.9 Improved filters for viewing active connections.
5.2.10 Improved purge option display for Historical Statistics
and Report data.
5.2.11 Updated cloud backup support for Dropbox.
5.2.12 Updated hints in the Monitor section.
5.2.13 SLAAC is automatically enabled if DHCPv6 is enabled.
5.2.14 Improved web interface display in Chrome and Safari.
5.2.15 Improved display of IPv6 connections list.
5.3 Bug Fixes
5.3.1 UTC is no longer displayed as "null" in the web interface.
5.3.2 Selecting CA certificates is properly disabled for site to site
5.3.3 Web interface displays proper IP address for bridge interfaces
on the summary page.
5.3.4 Resolved row highlighting issue in the backup configuration
section of the web interface.
5.3.5 Custom fields are properly hidden when an object is selected.
5.3.6 Read only administrator rights are properly honored for
5.3.7 Read only firewall administrators are properly limited to
5.3.8 Halt function properly works via the web interface.
5.3.9 Network Diagnostics page properly displays appropriate
5.3.10 Mobile IPsec setup wizard properly prompts for password only
5.3.11 HTML injection is properly prevented in web interface input
5.3.12 Password field for IPSec tunnels does not allow for auto
completion via saved browser passwords.
5.3.13 IPSec Wizard summary screen properly displays all information
for Mobile VPN configurations.
5.3.14 Client DUID is properly displayed for DHCPv6 static leases
in the Activity section.
5.3.15 Entering the maximum character value for the Remote Access login
banner or disclaimer field no longer corrupts the configuration.
5.3.16 Remote Access login banner text is properly displayed in
Internet Explorer and Google Chrome.
5.3.17 Self-signed certificates are properly displayed whether the
certificate was generated or imported.
6.1 New Features
6.1.1 In the console interface, added ability to specify
for an inbound tunnel, both as a service and
GBOS6100003329, GBOS6100024346, GBOS6100024351
6.1.2 Added support for IPv6 alias in the console interface.
6.2.1 Console email configuration reports now include log files by
6.2.2 Updated menu name for Network Timeouts to Network Preferences
in the console interface.
6.2.3 Improved console interface, including adding IPv6 gateway to
the Static Routes page.
6.3 Bug Fixes
6.3.1 Console interface properly displays SSL and None as remote
administration encryption options.
6.3.2 Console interface properly supports pass through hosts/networks.
7. RELEASE NOTES HISTORY
7.1 Previous Release Notes
These notes cover the 6.1.0 release of GB-OS. Release notes for
previous versions can be found at GTA's website, http://www.gta.com.
Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109
Orlando, Florida 32817