Global Technology Associates, Inc.
Title: GNAT Box Firewall System Release Notes
Product: GNAT Box System Software Version 3.1.3
Date: 15 February 2001
This Release Note includes the following sections:
1. System Software
1.1 Bug Fixes
1.2 Enhancements and Changes
2. Services
2.1 Bug Fixes
2.2 Enhancements and Changes
3. User Interfaces - All Interfaces
3.1 Bug Fixes
3.2 Enhancements and Changes
4. Verification - All User Interfaces
4.1. Enhancements and Changes
5. GBAdmin User Interface
5.1 Bug Fixes
5.2 Enhancements and Changes
6. Console User Interface
6.1 Bug Fixes
6.2 Enhancements and Changes
7. Web Browser Interface
7.1 Bug Fixes
7.2 Enhancements and Changes
8. Syslogger
8.1 Enhancements and Changes
1. System Software
1.1 Bug Fixes
1. The "Automatic accept all filter" option in the
Inbound Tunnel section doesn't function correctly if
a tunnel's "From" port is set to 0 (zero, all ports
notation).
Resolution: Automatic filter control module
modified to handle the special case of a "From" port
set to 0 (zero).
2. If the Network Information section is saved after
the Aliases section is saved, the first alias
becomes the default NAT address.
Resolution: Modifications made to specify what the
default NAT address should be for each interface.
3. Error initializing active tunnels on systems with
40Mb and 48Mb of RAM.
Resolution: Modify heuristic for determining number
of supported active connections.
4. Fragmented packets silently dropped due to checksum
error because packet length calculated incorrectly.
Resolution: Adjust packet length correctly during
IP fragment reassembly.
5. The system kernel has become too large for GNAT Box
Pro, GB-100, and GNAT Box Light.
Resolution: For GNAT Box Pro, GB-100 and GNAT Box
Light systems:
- Remove IPSec VPN support for CAST128 algorithm.
- Dropped support for Tigon I chipset from ti
driver.
- Drop support for pccard NICs.
- Create two runtimes for GB-100: one with gigabit
support and one with tokenring support.
6. Using same local preshared secret for all VPN IKE
connections forces disclosure of local secret to all
remote VPN administrators.
Resolution: Removed local/remote pre-shared secrets
and use a per VPN pre-shared secret.
7. NAT mode only supports TCP, UDP and ICMP protocols.
Resolution: Add ability to NAT source and
destination IP addresses in IP header for arbitrary
IP protocols. This will allow additional protocols
to be used in the NAT mode; however, there is no
guarantee that a given protocol (non TCP, UDP or
ICMP) will operate correctly with NAT applied.
8. Inbound IP Pass Through connections are tracked as
outbound connections.
Resolution: Modifications made to correctly track
inbound IP Pass Through connections.
1.2 Enhancements and Changes
1. Replaced the "de" network driver with the "dc"
network driver. The "dc" driver supports the
following network cards:
- DEC/Intel 21143 chipset based cards
- Macronix 98713, 98713A, 98715, 98715A and 98725
- Davicom DM9100, DM9102 and DM9102A
- ASIX Electronics AX88140A and AX88141
- ADMtek AL981 Comet and AN985 Centaur
- Lite-On 82c168 and 82c169 PNIC
- Lite-On/Macronix 82c115 PNIC II
2. Added support for gigabit over copper to "ti"
network driver (Tigon II chipset).
3. Add strong VPN encryption support to all products
except GNAT Box Light and GNAT Box Demo. Strong
encryption includes triple DES and increased key
size. The GB-1000 and GB-Flash products also include
support for the AES and twofish encryption
algorithms.
4. Adjustments made to the heuristic for determining
maximum number of concurrent connections. This
adjustment has been made in consideration for all
the new services added in version 3.1.x.
RAM    GNAT Box  GNAT Box  GB-100   GB-Flash  GB-1000
       Light     Pro
-------------------------------------------------------
16MB   200       3,072     N/A      N/A       N/A
32MB   200       17,408    13,312   13,312    N/A
40MB   200       24,576    N/A      19,456    N/A
64MB   200       32,768    N/A      32,768    32,768
2. Services
2.1 Bug Fixes
1. Domain names for some Mail Abuse Prevention System
(MAPS) lists have changed.
Resolution: Changed the default MAPS servers to:
- blackholes.mail-abuse.org
- dialups.mail-abuse.org
- relays.mail-abuse.org
- relays.orbs.org
2.2 Enhancements and Changes
1. Increase size of mail exchangers field for a DNS
domain. If mail exchanger contains a '.' don't
append domain.
2. Add ability to specify DNS Internet forwarders to
the DNS server.
3. High Availability option has been added to GB-1000.
4. Gateway Selector feature added to all products except
GNAT Box Light.
5. NTP (Network Time Protocol) feature added to GB-1000
and GB-Flash.
6. Update DNS server to BIND version 8.2.3.
3. User Interface - All User Interfaces
3.1 Bug Fixes
1. VPN SPI minimum value should be 256 (not 4096) for
manual key exchange.
Resolution: Change value for minimum SPI to correct
value.
2. Ping always indicates 0 packets received.
Resolution: Increment counter for packets received.
3. Summary report for content filter preferences
missing CyberNOT values.
Resolution: Add CyberNOT information to report.
4. There is no way to tell if the CyberNOT list was
successfully fetched.
Resolution: Add status indicator to Content
Filtering Preference dialog.
5. The downloading and processing of the CyberNOT lists
aborts if unable to e-mail administrator the download
status report.
Resolution: Log but do not abort download or
processing if unable to e-mail administrator.
6. Objects containing IP address ranges fail to match
individual IP addresses.
Resolution: Make sure all IP addresses used in
comparison are in host byte order.
7. The usage of MD5 passwords with RIP requires a keyID
that is missing from user interface.
Resolution: Add ability to specify keyID to RIP dialogs.
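Added example for item 6 above (not GTA's code): why a range test on
unconverted addresses fails, and the host-byte-order form the resolution
describes. A little-endian CPU is assumed; all names and the sample range
are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* An IPv4 address as its four bytes appear on the wire (network order). */
typedef struct { uint8_t b[4]; } wire_ip;

wire_ip ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    wire_ip ip = {{a, b, c, d}};
    return ip;
}

/* Value a little-endian CPU gets when it reads the wire bytes as a
 * 32-bit integer without conversion (ntohl() was skipped). */
static uint32_t unconverted_le(wire_ip a) {
    return (uint32_t)a.b[0] | (uint32_t)a.b[1] << 8 |
           (uint32_t)a.b[2] << 16 | (uint32_t)a.b[3] << 24;
}

/* Host-order numeric value: what ntohl() yields on any CPU. */
static uint32_t host_order(wire_ip a) {
    return (uint32_t)a.b[0] << 24 | (uint32_t)a.b[1] << 16 |
           (uint32_t)a.b[2] << 8 | (uint32_t)a.b[3];
}

/* Buggy form: the least significant octet on the wire becomes the most
 * significant byte of the integer, so ordering no longer follows the
 * dotted-quad ordering and the range test gives wrong answers. */
int in_range_unconverted(wire_ip ip, wire_ip lo, wire_ip hi) {
    return unconverted_le(ip) >= unconverted_le(lo) &&
           unconverted_le(ip) <= unconverted_le(hi);
}

/* Fixed form: every operand is converted to host order before comparing. */
int in_range_host_order(wire_ip ip, wire_ip lo, wire_ip hi) {
    return host_order(ip) >= host_order(lo) &&
           host_order(ip) <= host_order(hi);
}

int main(void) {
    /* Constructed sample object: range 10.0.0.1 - 10.0.1.0 */
    wire_ip lo = ip4(10, 0, 0, 1), hi = ip4(10, 0, 1, 0);
    wire_ip ip = ip4(10, 0, 0, 5);
    printf("unconverted: %d, host order: %d\n",
           in_range_unconverted(ip, lo, hi), in_range_host_order(ip, lo, hi));
    return 0;
}
```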
3.2 Enhancements and Changes - All User Interfaces
1. Allow VPN keys less than minimum size to be entered.
Append zeros to key to pad to minimum size for
algorithm when using key.
2. When saving preferences, if serial number changes,
automatically reload features.
3. Encrypt all stored data.
4. Current statistics are now collected on a
per-interface basis.
5. Added the ability to specify the configuration
parameters for Phase 1 of an IKE VPN definition.
6. Added support for configuring an IPSec VPN definition
for a mobile client (GNAT Box VPN client).
7. Sort aliases by interface, then by address.
8. Allow more than one DNS server to be assigned by
DHCP server.
9. Use ISO 8601 date and time formatting.
10. Added the ability to define the timezone on GB-1000
and GB-Flash systems.
11. On GB-1000 and GB-Flash systems added timezone
information to date strings on reports.
12. Added "Flush ARP Table" feature to Administration
section.
13. Added "Active VPNs" system activity report.
14. VPN definitions are sorted by description when
saved.
15. On the Current Statistics report, if the number of
bytes or packets exceeds 1 megabyte in active
connections then display statistics in megabytes. If
the number exceeds 100 kilobytes display statistics
in kilobytes.
4. Verification - All User Interfaces
4.1. Enhancements and Changes
1. Generate an error message if Address Objects
referenced in VPNs don't exist.
2. Generate error message if Address Objects referenced
in VPNs don't contain ranges.
5. GBAdmin User Interface
5.1 Bug Fixes
1. The manual key exchange for remote administration is
difficult to use.
Resolution: Switch to a public key exchange
protocol. Remove support for manual key exchange
interface.
2. When an Address Object is selected in the "Static Address
Mappings" screen it is changed to ??? after the
screen is saved and reloaded.
Resolution: Problem corrected. Address Objects are now
saved properly on the "Static Address Mappings" screen.
3. When the "Filter Preferences Pager" screen is
reloaded, it does not always update the enabled
fields properly.
Resolution: Problem corrected. Enabled fields
are updated correctly.
4. When the "Filter Preferences SNMP" screen is reloaded
the enabled fields are not updated properly.
Resolution: Problem corrected. Enabled fields
are updated correctly.
5. For the DNS server if you have no domains defined
you can't enter any of the DNS server info.
Resolution: Removed the enable dependency on
Domains for data in the top portion of the screen.
6. Under certain circumstances, viewing the log
messages display and then selecting another
report would cause a sharing violation.
Resolution: Problem resolved. These actions no longer
cause a sharing violation.
7. On the DNS server screen, if a second mail exchanger
is defined, saving it in GBAdmin will cause the entry
to be lost. However, the entry is still visible from
the web browser interface.
Resolution: Problem fixed. A second mail exchanger is
saved correctly.
5.2 Enhancements and Changes
1. Added the ability to specify 3 forwarders to DNS
server.
2. The open file dialog now remembers the last
configuration opened.
3. If Expert mode is selected then Expert mode will
always be in effect until deselected, (selection is
persistent).
4. Updated the time format on change date dialog from
mm/dd/yyyy to the international format yyyy/mm/dd.
5. Add the ability to configure a GB-1000 as a high
availability firewall, (when high availability
feature is enabled).
6. On the Static Address Mapping and Pass Through Host
screens, if an IP Address Object is selected the
next two fields are grayed out and disabled. When
the Object is selected the two fields
are enabled for editing.
7. On the Static Address Mapping and Pass Through Host
screens, you can now drag the rows around to arrange
them in whatever order you like.
8. If the Expert Mode is enabled a "Section saved
successfully" dialog box will no longer be
displayed.
9. When a configuration is loaded the tree view will no
longer flash as all of the items are redrawn.
10. Optimized redrawing of tables.
11. Added an "Expert" indicator on the tool bar. This
indicator is displayed next to the "Online/Offline"
indicator in the tool bar.
6. Console User Interface
6.1 Bug Fixes
1. VPN Source IP Address was copied into Destination IP
Address when saving.
Resolution: Fixed. VPN IP Addresses are saved as
expected.
2. The Console interface for GB-1000 has a menu option
for configuring a non-existent screen saver.
Resolution: Removed screen saver menu option from
the GB-1000 console interface.
6.2 Enhancements and Changes
1. Attempt to preserve contact information and feature
codes during reset to factory defaults.
7. Web Browser User Interface
7.1 Bug Fixes
1. Arbitrary files can be retrieved if a password and
a userid are known.
Resolution: Restrict file fetching to WWW directory
tree.
2. Internet Explorer doesn't display all 27 characters
of activation codes.
Resolution: Increase length of field to 30, keep
maximum data entry length at 27.
3. Saving a configuration creates a file named
gbconfig.flp by default. The configuration files should
have an extension of GBcfg.
Resolution: Change default file name to be GB313.GBcfg.
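Added example for item 1 above (not GTA's code): one way to confine file
fetching to a document tree by resolving the request path lexically and
rejecting any request that climbs above the root. The root "/www" and the
function names are hypothetical; the request is assumed to be URL-decoded
already, and symbolic links are not considered.

```c
#include <stdio.h>
#include <string.h>

/* Join req onto root segment by segment. Returns 0 with the result in
 * out, or -1 if the path would leave root or does not fit in out. */
int resolve_under_root(const char *root, const char *req,
                       char *out, size_t outsz)
{
    size_t len = strlen(root);
    int depth = 0;                      /* segments currently below root */

    if (len + 1 > outsz) return -1;
    memcpy(out, root, len + 1);
    while (*req) {
        size_t n = strcspn(req, "/");   /* length of the next segment */
        if (n == 2 && req[0] == '.' && req[1] == '.') {
            if (depth == 0) return -1;  /* would climb above the root */
            while (out[len - 1] != '/') len--;
            out[--len] = '\0';          /* drop the last segment */
            depth--;
        } else if (n > 0 && !(n == 1 && req[0] == '.')) {
            if (len + 1 + n + 1 > outsz) return -1;
            out[len++] = '/';
            memcpy(out + len, req, n);
            len += n;
            out[len] = '\0';
            depth++;
        }                               /* empty and "." segments: skip */
        req += n;
        if (*req == '/') req++;
    }
    return 0;
}

/* Convenience wrapper around the hypothetical root "/www". */
const char *resolved(const char *req) {
    static char buf[256];
    return resolve_under_root("/www", req, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    /* Constructed sample requests */
    const char *reqs[] = { "/index.html", "/img/../../etc/passwd" };
    for (int i = 0; i < 2; i++) {
        const char *r = resolved(reqs[i]);
        printf("%s -> %s\n", reqs[i], r ? r : "(rejected)");
    }
    return 0;
}
```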
7.2 Enhancements and Changes
1. Add ability to specify 3 forwarders to DNS server.
2. Length of DNS server mail exchanger fields increased
to 80.
8. Syslogger
8.1 Enhancements and Changes
1. Added support for ISO 8601 date and time format when
exporting.