FW-1 Release Notes
Release Notes for:
51012 (FP1)
50047 (hotfix 1)
50032 (version NG/5.0)
41510 (sp5)
41862 (sp4)
41814 (sp3)
41716 (sp2)
41603 (hotfix for sp1)
41490 (sp1, or Check Point 2000)
41439 (version 4.1)
4304 (sp8)
4205 (sp7)
4156 (sp6)
4094 (sp5)
4066 (sp4)
4055 (sp3)
4037 (sp2)
4031 (sp1)
4005 (version 4.0)
3096/7 (sp9)
3083 (sp8)
3072
3064
51012
- Firewall can have a DHCP address
- Ability to limit scope of a policy to specific gateways
- Strong authentication (certs, SecurID, etc.) for administrators by making admin accounts part of the user database
- "Simple" (snicker) VPNs for Intranet and Extranet configurations
- ICA certs can be issued for administrators and SecureClient users
- Windows 2000 Firewalls can use IPSEC NIC cards to accelerate DES/3DES
- complies with FIPS 140 level 2 (cryptography)
- VPN load distribution for client and site to site configurations
- Supports Windows XP server
- VPN client support:
  - ConnectMode: allows users to "connect" and "disconnect" a VPN session as if it were dial-up
  - OfficeMode: SecureClient can receive IP (via DHCP server), DNS, and WINS from the gateway, making the client appear to be in the office (must be in ConnectMode)
  - Policy Servers can be clustered
  - SC rules divided into "Inbound" and "Outbound" rules for simplicity
  - SC has diagnostic tools including a log viewer, policy viewer, and status viewer
  - Supports Windows XP
- Visual Policy Editor:
  - VPE diagrams can be exported to Visio, BMP, and JPEG
  - "Show Rule" feature shows a step-at-a-time walkthrough of traffic flow.
50047
- More rigidly checks RDP
- Supports Sun Netras
- Gateway Cluster fixes
- Hardware VPN accelerator fixes
- SecureClient installation fixes
- LDAP account unit includes type Microsoft_AD
- Makes Secure Update actually work
50032
Check Point NG. Includes following enhancements:
- Visual Policy Editor
- Audit logging for administrator activities
- Logging for SecureClient
- Actual policies can be pushed to SecureClient
- SecureClient Packaging tool for building SC distribution executables
- AES256 encryption
- Centralized licensing and patch distribution (Secure Update)
- Secure Internal Communication (SIC) replaces putkeys with SSL certs
- Modular architecture on top of a common Foundation base
- MEP failover for site-to-site encryption
- Fixed static NAT so that adding proxyarps/routes/spoof changes is unnecessary
41510
- Supports Solaris 8 (32bit)
- Better security for:
- string formats
- RDP
- URL code checking improved
- Allows "Code Red" virus checking by adding :fwurl_code_red (1) to the props section of objects.C.
- Fixed SPI checking
- VPN accelerator card fixes
- firewalls under load have improved "fw monitor", connection table retrieval, and excessive alerts handling
- authentication with Securid and RADIUS improved
- fixed w2k proxyarp
- fixed IPSO state sync
41862
- Limits UNIX console messaging
- Support for DCE-RPC operations like Exchange (4.0-5.5), HP
Openview
- Gigabit ethernet
- Persistent IPSec Tunnels: allows auto-renegotiation from
either peer before SAs expire.
- Optimize LDAP queries
- Fixed problems with CPMAD memory leaks, in.pingd 100% CPU,
state sync crashes
- Win 2000 and SecurID New Pin Mode hopefully fixed
- Win 2000 can use local.arp file now, but not in conjunction with RRAS. For hotfix, see MS KB article Q282312
- fixed "fwstop" panic on IPSO 3.3
- Client Auth fixes
- security server fixes
- SecuRemote MEP and encapsulation works now
- Client Auth and RADIUS does not crash
- Manual IPSec SPI values are checked for validity
- UDP encapsulation is automatic now for SecuRemote
- Supports: Solaris 8 with limitations (no VPN or distributed configurations), IPSO 3.4
41814
- Security Enhancements: enforces a minimum TCP fragment size and consistent IP TTL values for IP fragments, and performs additional IP options checking.
- Filename-based filtering. Can strip file attachments
with given names/extensions (manual edits required)
- VPN clients can access SecureServers/Policy Servers that
are statically NATed (manual edits required)
- Can manage RAMP integrated firewall objects
- Supports Small/Medium Business licenses (5-10 user)
- Supports VPN Accelerator Card II (Broadcom) for NT
- VPNx feature, which supports multi-threading for IPSec
encryption (DES, 3DES, MD5, SHA1)
- Fixup for UDP IKE encapsulation behind NAT. Works in
Gateway Cluster environments.
- Security Server enhancements:
  - allow server and client auth on one web page
  - set number of rlogin, telnet, and client auth attempts
  - can reject HTTP proxied connections
  - HTTP server will check client requests/responses for illegal characters
- Connect Control URL Redirects can be done by name, not just
IP
- Supports use of SSL instead of fwa1 for internal encrypted
communications
- LDAP: can limit queries, clients can resend, searchbase
changed from sub to base
- ELA proxy works on Linux
- Fixes:
  - Can update Manual IPSec Range
  - GUI with "user edit" privileges can now edit user encryption properties
  - SMTP server would strip out non-English characters
  - a resource rule above a client auth rule would prevent the username from being logged
  - every 8-9 hours, you would get a Dr. Watson
  - 255.255.255.255/32 would erroneously mean "Any"
  - Cisco router fix
  - LDAP under heavy loads would report "User unknown"
  - Client auth with Specific Sign On would cause Dr. Watson
  - HTTP security server would freeze making a DNS request
  - FTP server would not resolve a hostname beginning with a digit
  - When working with a browser through the FireWall which acts as an FTP proxy, some FTP sites could be connected to but their content would not display. After some time, a timeout would occur.
  - Passive FTP through a browser did not work. Client browsers were pointed to a proxy firewall using the HTTP security server for FTP requests as well.
  - When trying to connect to an FTP site, the browser would generate the following error message: "Fatal Error 550. Can't access document: <FTP site URL>. Reason: FTP-server replies: The system cannot find the path specified".
  - While using a UFP server, some of the packets were rejected on rule 0. In the log, the following reason for rejection appeared: "Unknown error while trying to connect to UFP".
  - fwasync_conn_params would show incorrect port numbers in debug prints.
  - FireWall would core dump when using a large URI file in a distributed environment using a Windows NT Management Station.
  - There was a buffer size limit of 8KB for the mail header. The buffer size is configurable now.
  - UDP Encapsulation with Single Entry Points would fail in a situation where a secondary gateway would need to initiate a Quick Mode to the SecuRemote client. It did not offer a UDP Encapsulation proposal.
  - SEP failed with High Availability schemes with virtual IPs.
  - When attempting to re-log on to a Policy Server, key exchange could be blocked until reboot.
  - NAT processing has been improved. Previously, under rare circumstances, valid packets which passed all security checks could be forwarded by the firewall without correct address translation.
  - Comments in the Content-Type and Content-Encoding-Type fields were not allowed.
  - UDP Encapsulation using MD5 was not possible.
  - IKE packets sent in the UDP Encapsulation context with a destination port other than 500 failed to pass the VPN-1/FireWall-1 gateway as FW-1 connections.
  - Collecting entropy in cpconfig after the key-hit session would cause a core dump.
  - The fw accel stat command showed wrong encryption rate statistics on the Linux and Nokia platforms.
  - Using hardware accelerators might cause a kernel crash.
  - PRNG on Windows NT could cause a process to crash.
  - Installing a policy which uses several Account Units would cause a core dump.
  - Remote login to the Management Station would cause a core dump.
  - H323 connection between two FireWalls did not work.
  - The FireWall daemon (FWD) would not load the logical server tables after the interface had come up. This blocked all the traffic handled by the logical server.
  - FireWall-1 would not implement certain manual NAT rules.
  - The fw sam command failed if the domain name began with a number.
  - The Linux computation of the S/Key chain generated a wrong chain if MD4 was selected as the authentication method. Although these passwords could be used for authentication, they did not correspond to the result of the S/Key computation in Unix, Windows or the S/Key generator.
  - Either SDL or some NBT services failed because NBNAME was not translated properly.
  - The HTTP Security Server daemon (ahttpd) used almost 100% of CPU on a FireWall-1 machine.
  - If a new service was added to /etc/services with the port number 32768, a new service was created within fwpolicy. An attempt to get the port number would result in a negative number (either the same number as the service or a different number) appearing in the Port field.
  - Error messages would regularly appear in the Event Viewer if the Performance Monitor was running.
  - Incomprehensible error messages would appear in the Event Viewer of a SecuRemote Client.
  - fwd -n would crash during initialization in AM_BuildExtGroupsCache() with the customer's user database.
  - An attempt to generate a new FireWall certificate instead of an existing one would cause a GUI application error.
  - When redoing an SNMP get to refresh interfaces or install new interfaces, the get process overwrites any previous information on an existing interface such as spoof tracking.
  - The Log Viewer displayed XlateSrc incorrectly in the leftmost octet of the network prefix.
  - When a user group included more than 1024 users, the command fw dbexport -l -s o=checkpoint would core dump.
  - Running NetMeeting in combination with SecuRemote would cause a FireWall-1 machine to crash.
  - A command line ftp to certain sites, when used in conjunction with User Authentication, failed after upgrading to SP6.
  - The Specific and Other+ anti-spoofing methods were allowed but could not be implemented.
  - The GUI did not show the right order for the NAT.
  - After executing fwstop/fwstart, fw stat would correctly show the policy as installed, but if Open was selected from the File menu in the GUI, the policy would be shown as uninstalled.
  - File descriptors would leak when S/Key authentication failed.
  - It is now possible to disable IP forwarding on Linux Red Hat 6.2. To disable IP forwarding, use cpconfig after applying this patch.
LIMITATIONS:
- local.arp and SecurID do not work on Win 2000
- H323 issues
- omi.conf is overwritten
41716
Security Enhancements
- One-way connection enforcement — Enhanced directionality
check for complex multi-connection protocols.
- Stderr handling for RSH/REXEC — For administrators who
enable the RSH/REXEC property, there is improved RSH/REXEC
connection support and protocol validation.
- FTP connection enforcement — More restrictive FTP control
connection analysis. Once enabled, VPN-1/FireWall-1
will enforce that only one FTP client command or server reply can be present
in a single packet. This may cause connectivity
problems with specific FTP server or client implementations if
they happen to send more than one reply or command in a single packet.
Furthermore, this feature can be enabled only if the
Management Module and all the enforcement modules are upgraded to Version
4.1 SP2 or above. To enable the feature, add the following line to $FWDIR/lib/fwui_head.def
on the Management Server: #define
ALL_MODULES_4_1_SP2_OR_ABOVE
- Encapsulated packet processing — Enhanced protection from IP spoofing being used in conjunction with packet encapsulation.
- Inter-module communications — Improved protocol
validation and authentication mechanism for inter-module
communication.
- OPSEC Authentication — Improved authentication protocol
for OPSEC communication.
New Features
1) UDP Encapsulation Mode for IKE/IPSec SecuRemote users to traverse NAT devices. Two modes of UDP Encapsulation are available: automatic and forced mode. Automatic mode uses encapsulation only when necessary; forced mode is enabled manually by adding the following to the gateway object in objects.C:
   :isakmp.udpencapsulation (
     :resource (
       :type (refobj)
       :refname ("#_CP_IPSec_transport_encapsulation")
     )
     :active (true)
   )
2) When a SecuRemote client attempts to establish an encrypted communication with servers protected by a VPN-1/FireWall-1 gateway, it can be configured to try to connect to all the gateway's interfaces and not only its primary IP address. The connection will be opened with the first address to reply. To configure the feature, add the attribute :resolve_multiple_interfaces with the value true to the gateway object.
3) Any TCP service can now implement content security by accessing a CVP Server through the TCP Security Server (TCPSS), which acts as a CVP Client.
4) UFP caching enables the VPN/FireWall Module to cache an IP address and a list of UFP categories that apply to that address.
5) URL logging enables the VPN/FireWall Module to generate URL logs without diverting the connection to the HTTP Security Server, resulting in improved performance.
6) The DNS Validation feature validates that port 53 (TCP or UDP) is used only for DNS transport.
7) A new synchronization feature is now available both for Check Point High Availability (CP HA) configurations and third party High Availability products. The version for third party High Availability products is beta only.
There are also enhancements and bug fixes.
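Feature 6 above says only that DNS Validation checks that port 53 carries DNS; the notes do not describe the test itself. As an added illustration (not Check Point's code, and not a description of what the module does), the following Python applies the structural checks a practitioner would use for the same purpose: a full 12-octet header, a defined opcode, the reserved Z bit clear, a question present in every query, every domain name well-formed (labels of at most 63 octets, names of at most 255, compression pointers only backwards), every section fully parseable with no trailing bytes, and for TCP a two-octet length prefix that matches the segment. The sample payloads are constructed inline; the TCP variant assumes one message per segment.

```python
"""Structural validation of a port-53 payload (added example, not Check Point code).

These checks are one reasonable reading of "port 53 is used only for DNS
transport"; the release notes do not describe the module's actual test.
"""
import struct

HEADER_LEN = 12
MAX_LABEL = 63
MAX_NAME = 255
VALID_OPCODES = {0, 1, 2, 4, 5}   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE


def _skip_name(buf, pos):
    """Return the offset just past the domain name starting at pos, or None if malformed."""
    total = 0
    while True:
        if pos >= len(buf):
            return None
        length = buf[pos]
        if length == 0:                        # root label terminates the name
            return pos + 1
        if (length & 0xC0) == 0xC0:            # compression pointer: 2 octets, ends the name
            if pos + 1 >= len(buf):
                return None
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= pos:                  # pointers may only refer backwards
                return None
            return pos + 2
        if length > MAX_LABEL:                 # also rejects the reserved 0x40/0x80 label types
            return None
        total += length + 1
        if total > MAX_NAME:
            return None
        pos += 1 + length


def validate_dns_message(msg):
    """Return (ok, reason) for a raw DNS message without any TCP length prefix."""
    if len(msg) < HEADER_LEN:
        return False, "shorter than a DNS header"
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:HEADER_LEN])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        return False, f"reserved opcode {opcode}"
    if flags & 0x0040:
        return False, "reserved Z bit set"
    if qr == 0 and qdcount == 0:
        return False, "query carries no question"
    pos = HEADER_LEN
    for _ in range(qdcount):                   # question: QNAME, QTYPE, QCLASS
        pos = _skip_name(msg, pos)
        if pos is None or pos + 4 > len(msg):
            return False, "malformed question section"
        pos += 4
    for _ in range(ancount + nscount + arcount):   # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        pos = _skip_name(msg, pos)
        if pos is None or pos + 10 > len(msg):
            return False, "malformed resource record"
        rdlength = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        pos += 10 + rdlength
        if pos > len(msg):
            return False, "RDATA overruns the message"
    if pos != len(msg):
        return False, "trailing bytes after the last record"
    return True, "ok"


def validate_port53_payload(payload, tcp=False):
    """Validate a UDP datagram, or a TCP segment holding exactly one length-prefixed message."""
    if tcp:
        if len(payload) < 2:
            return False, "missing TCP length prefix"
        declared = struct.unpack("!H", payload[:2])[0]
        if declared != len(payload) - 2:
            return False, "TCP length prefix does not match the segment"
        payload = payload[2:]
    return validate_dns_message(payload)


def build_query(name, qtype=1, txid=0x1234):
    """Build a constructed standard query (RD set) to use as sample input."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return (struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", qtype, 1))


if __name__ == "__main__":
    samples = {                                # constructed payloads, not captures
        "A query for example.com": build_query("example.com"),
        "HTTP request on port 53": b"GET / HTTP/1.0\r\n\r\n",
        "SSH banner on port 53": b"SSH-2.0-OpenSSH\r\n",
    }
    for label, data in samples.items():
        print(f"{label:28s} -> {validate_port53_payload(data)}")
```

Run as a script to see the three constructed samples classified; the non-DNS payloads fail on the opcode check before any name parsing is attempted. A production check would also have to allow several length-prefixed messages per TCP segment and messages split across segments, which this example deliberately leaves out.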
41603
Bug Fixes
- The VPN-1/FireWall-1 kernel's handling of FTP control connections has been modified as follows: a) checking and enforcing the existence of a new line (i.e., CR/LF) for any FTP control connection packets; b) checking and enforcing that all 227 PASV replies end with ")" followed by a newline.
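The FTP control-connection rules in this hotfix, together with the 4.1 SP2 "FTP connection enforcement" (one client command or server reply per packet) described under 41716 above, are easy to state but have edge cases worth seeing in code. The Python below is an added example, not Check Point's code: it checks one packet payload for a CR/LF terminator, for a single command or reply, and for a 227 reply that ends in ")". It treats an RFC 959 multi-line reply (ddd-...ddd ) as one reply, which is my reading of the standard and not something the notes say about the kernel's behaviour; the sample payloads are constructed.

```python
"""FTP control-connection packet checks (added example, not Check Point code).

Models the enforcement described in the notes: one client command or one
server reply per packet (4.1 SP2), every control packet terminated by CR/LF,
and every 227 PASV reply ending in ")" (4.1 SP1 hotfix).  Multi-line replies
(ddd-...ddd ) are counted as one reply, following RFC 959; the notes do not
say how the kernel treats them.
"""
import re

CRLF = b"\r\n"
REPLY_RE = re.compile(rb"^(\d{3})([ -])")            # 3-digit code, then space or "-" (continuation)
COMMAND_RE = re.compile(rb"^[A-Za-z]{3,4}(?: |$)")    # FTP verbs are 3 or 4 letters


def _group_replies(lines):
    """Group CRLF-separated lines into RFC 959 replies; None if any line is malformed."""
    replies, i = [], 0
    while i < len(lines):
        m = REPLY_RE.match(lines[i])
        if not m:
            return None
        code, sep = m.group(1), m.group(2)
        j = i + 1
        if sep == b"-":                        # multi-line reply: runs until a "<code> " line
            while j < len(lines) and not lines[j].startswith(code + b" "):
                j += 1
            if j == len(lines):
                return None                    # never terminated
            j += 1
        replies.append(lines[i:j])
        i = j
    return replies


def check_ftp_control_packet(payload, from_server):
    """Return (accepted, reason) for the payload of one FTP control-connection packet."""
    if not payload.endswith(CRLF):
        return False, "packet does not end with CR/LF"
    lines = payload[:-2].split(CRLF)
    if any(b"\r" in ln or b"\n" in ln for ln in lines):
        return False, "bare CR or LF inside a line"
    if from_server:
        replies = _group_replies(lines)
        if replies is None:
            return False, "malformed server reply"
        if len(replies) != 1:
            return False, f"{len(replies)} replies in one packet"
        last = replies[0][-1]                  # terminating line of the (possibly multi-line) reply
        if last.startswith(b"227") and not last.endswith(b")"):
            return False, "227 PASV reply does not end with ')'"
    else:
        if len(lines) != 1:
            return False, f"{len(lines)} commands in one packet"
        if not COMMAND_RE.match(lines[0]):
            return False, "client line is not an FTP command"
    return True, "ok"


if __name__ == "__main__":
    samples = [                                # constructed payloads, not captures
        (b"USER anonymous\r\n", False),
        (b"USER anonymous\r\nPASS guest\r\n", False),         # two commands in one packet
        (b"227 Entering Passive Mode (10,0,0,1,4,1)\r\n", True),
        (b"227 Entering Passive Mode (10,0,0,1,4,1\r\n", True),  # missing ")"
        (b"220-Welcome\r\n220 Ready\r\n", True),              # one multi-line reply
        (b"220 Ready\r\n331 Password\r\n", True),             # two replies in one packet
    ]
    for data, srv in samples:
        print(f"{'S' if srv else 'C'} {data!r:48} -> {check_ftp_control_packet(data, srv)}")
```

The two-replies case is exactly the situation the 41716 note warns about: a server that coalesces replies into one segment is valid TCP but is rejected once the strict check is enabled, so a connectivity problem after enabling it is more likely a coalescing peer than an attack.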
- Under rare circumstances, valid packets may traverse the firewall without undergoing the specified address translation. Instructions are given below for addressing this issue via INSPECT code modification. Quit any open GUI clients, stop the VPN-1/FireWall-1 Management Station, and edit $FWDIR/lib/code.def, adding the following expression above the last line:

  #ifndef ALLOW_NONFIRST_RULEBASE_MATCH
  tcp, first or <conn> in old_connections or
      (src in firewalled_list, dst in firewalled_list) or
      (
  #ifndef NO_NONFIRST_RULEBASE_MATCH_LOG
          (
              <ip_p, src, dst, sport, dport, 0> in logged
          ) or (
              record <ip_p, src, dst, sport, dport, 0> in logged,
              set sr10 12, set sr11 0, set sr12 0, set sr1 0,
              log bad_conn
          ) or 1,
  #endif
          vanish
      ) ;
  #endif
- Configuring ahttpd to send session ID (snid) for use by
NetSO would fail if SSL is used.
- When a user enters his/her username, the firewall will try
to query all the LDAP groups the user belongs to. If
the second query fails, the user should be failed. Today the user is written
but with no groups on his object. As a result, while using
cache and external groups based on group DN, a user
will be written as allowed on rule 0 only.
- When an LDAP query for a user’s template fails, the user
will inherit default LDAP attributes.
- DNs of LDAP users were not cached, which caused high loads
when SecuRemote certificates were used.
- The HTTP proxy server on VPN-1/FireWall-1 would die/hang
under certain circumstances.
- IPSEC encryption mode with no key (ESP NULL mode) had
interoperability problems.
- IPSEC ESP NULL would fail due to the MTU computation
problem.
41490
Features:
- The default values of some of the properties in the
Security Policy tab of the Properties Setup window have changed
- fw expdate command — This command changes the expiration date of the users in the VPN-1/FireWall-1 users database.
- Disabling synchronization of connections table entries — To do this, add a line to $FWDIR/lib/table.def as follows:
  non_sync_ports = {<80,6>,<443,6>,<53,17>};
  where the first number of each pair specifies the port and the second the protocol (6 is TCP, 17 is UDP, etc.)
- High Availability Module provides failover capability.
- Various PKI enhancements including: a new command (fw crlview) enables you to debug problems with CRLs.
- Supported LDAP servers are:
  - Netscape Directory Server 4.0 and 4.1 for Windows NT and Solaris
  - NetWare Directory Service v8.0 for NetWare
  - Innosoft Distributed Directory Server 4.4.1 for Solaris
  - IBM SecureWay Directory 3.1 for Windows NT
VPN-1/FireWall-1 Bug Fixes
- Given the following configuration (two VPN/FireWall Modules
separated by the Internet) and the following rules: Client auth with
encrypt, authentication would work, but a FTP connection would
timeout. The Log Viewer on the external VPN/FireWall Module would show
encryption but the internal VPN/FireWall Module would not encrypt.
- In the same configuration as in item 1 and with the same
rules, if the Client Auth were Partial or Fully Automatic, the VPN/FireWall
Module would not authenticate users going from the external network to the
internal network. The users would be allowed through without authentication.
- The GUI would allow a user to edit the FTP service and
enable Fast Mode. The result would be that FTP data connections could not be
established.
- When installing a license string with the pfm feature that
was generated from the license center, the printlic information would show
pfi1 as the feature instead.
- Certain types of CRLs were not correctly retrieved
(VPN-1/FireWall-1 would crash).
- Passive FTP for reverse NAT hide clients would fail.
- In the following scenario: crlcache_timeout in objects.C is
changed to 60 (seconds), The Security Policy is installed. The VPN/FireWall
Module’s certificate and the Certificate Authority object are deleted. The
Security Policy is re-installed. Isakmpd would crash after several
minutes.
- The date stamp of the "Installed On" for a
Security Policy would show 2001 as 101. The date in $FWDIR/state/links.C was
also incorrectly stored.
- The FTP Security Server would not allow Internet Explorer 5
to connect to anonymous FTP sites.
- If a full path name were specified for the input file to
the fw logexport command, the command would fail with an obscure message.
- Error pages generated internally by the HTTP Security
Server would be dated 1/1/70 and the year would be coded with only 2 digits.
- fwinfo (VPN-1/FireWall-1 Version 4.1) on NT 4.0 would
generate errors when the backward compatibility (to VPN-1/FireWall-1 Version
4.0) is installed.
- (FWZ encryption) MD5 could not be used for UDP
connections, so applications like PC Anywhere would fail.
- When changing the entrust.ini file of an existing CA
object, the "Talk30" value was not added to the file.
- In the Client Authentication Action Properties window, if
Required Sign On was Standard, Destination would be grayed out but would
show SecEvt with user database instead of ignore user database.
- In the IKE Properties window, if the user unchecked
Supports Subnets and closed the window, Supports Subnets would still be
checked when the window was reopened.
- The mail dequeuer would sometimes fail to terminate an open
anti-virus session.
- (NT) If the hosts file did not end with a newline
character (that is, did not have a blank line at the end) then the
VPN-1/FireWall-1 installation program would append the new hostname entry to
the end of the previous entry, and thereby corrupt the hosts file.
- (Solaris) SNMP did not support the -help option (it
would crash).
41439
Enhancements:
1. Integration of various sundry Check Point
products:
a) Meta IP: dynamic DNS/DHCP product providing UAM (user to address
mapping) for auditing/authentication
b) Compression: using proprietary peer-peer protocol
c) Floodgate: prioritizes traffic through the firewall
d) Reporting Module: monitors and audits throughput as well as generating
reports
2. Open Security Extension: allows FW-1 to retrieve and send inspect
policies to:
- Bay Networks Routers — Version 7.x - 12.x
- Cisco Routers — IOS Version 9,10,11
- Cisco PIX Firewall — Version 3.0, 4.0, 4.1
- 3Com NetBuilder — Version 9.x
- Microsoft Routing and Remote Access Service (RRAS)
for Windows NT Server 4.0
3. SecuRemote expanded to include SecureClient,
which provides a desktop security policy distributed from a central policy
server
4156
Feature Enhancements
1. Oracle Net8 — Support for Oracle's Net8 protocol has been added. In order to allow Net8 connections, use the "sqlnet2" service in the Rule Base. Note that Net8 will not work properly through the FireWall in a configuration where a domain name is used to specify the host address rather than a dotted-decimal IP address.
2. Apple QuickTime — Support for Apple's QuickTime product (using the RTSP protocol) has been added. To allow QuickTime streaming connections, use the "rtsp" service in the Rule Base. Note that only HIDE Network Address Translation Mode is supported for QuickTime connections.
3. To minimize risks from possibly surreptitious sites attempting to open connections to FTP clients, two new features have been added to VPN-1/FireWall-1: FTP Security Server command controls and HTTP/SMTP weeding of embedded HTML references to ftp and port. For a detailed discussion of FTP issues please see: http://www.checkpoint.com/techsupport/alerts/index.html.
Bug Fixes
- It was possible to enter more than 8 characters for a FireWall-1 password.
- If the user clicked on Show Policy when a non-gateway object was selected under Security Policies on Targets in the Open Security Policy window, the following error message would sometimes be displayed: "Inconsistent information found. Verify that your database is intact. Rule X, cannot locate object usergroup@location."
- If FireWall-1 was installed in a directory whose name included embedded spaces (for example, "C:\Program Files\FW"), then an error message was displayed when a Security Policy was installed.
- Querying pseudo rules would return incorrect results.
- Under some conditions, the Log Viewer showed only the first five columns.
- The SMTP Security Server would not add the last mail server's name to the list of "Received from".
- In the Motif Log Viewer, selecting File->Open from the menu would cause a core dump.
- (Windows GUI) In the Log Viewer, selecting Print Preview from the menu and then closing the preview while the "Getting information from server" message was still displayed would bring up Dr. Watson.
- Connections from virtual interfaces would fail with the following message: "FW-1: No license for IP Forwarding FW-1: Connection from <IP address> refused".
- Error pages generated by the HTTP Security Server were dated 01-Jan-70.
- Available file descriptors could be exhausted if a large number of instances of the HTTP Security Server were running ("Too many open files" message in fwd.log).
- Users with ISAKMP credentials could not be imported to the FireWall-1 database.
- FireWall-1 did not correctly manage the case where more than one RADIUS server was installed on the same machine. FireWall-1 always used the RADIUS server last defined in the GUI. In addition, if the RADIUS servers were defined as a group, then FireWall-1 would always try to contact the first RADIUS server in the group, even if it went down.
- If the HTTP Security Server was defined as a proxy, then when connecting with Internet Explorer 4 or 5 to certain sites that require plug-ins, the browser would correctly download the plug-in and then fail. This happened because the HTTP Security Server ignored the "Proxy-Authorization:" header when the agent was not Netscape or Internet Explorer.
- The mail dequeuer would sometimes fail to terminate an open anti-virus session.
- User Authentication would not work properly if a domain object was defined in a previous rule.
- The ahttpd.log file was filling up with the following messages: "Failed to get my socket name on 22: Invalid argument" and "get_auth_conn: getsockname(22) failed: Invalid argument".
- (AIX) Running fw ctl install after fw ctl uninstall would fail. Only the loopback interface was recognized and no Security Policy was installed.
4094
Enhancements to Service Pack:
1. In order to allow sending logs to a management station while not allowing it to install
policies on the sending module, the file $FWDIR/conf/loggers was introduced.
The 'loggers' file can only be edited directly - there is no GUI for it at this point.
2. Support for RTSP, NetShow over UDP with NAT was added.
3. There is now a new sign on method, called 'agent automatic sign-on' (appears in the 'client
authentication action properties' in the Policy Editor). This method acts like 'fully automatic'
client authentication except for 'authenticated' services (those which have security servers)
for which it will activate session authentication (thus differing from 'fully automatic' client
authentication which would activate the security servers).
4. The HTTP security server can now support the HTTP 1.1 'CONTINUE' command.
   To enable: edit the file $FWDIR/conf/objects.C. After the line
   :props (
   add the line
   :http_sup_continue (true)
5. It is now possible to instruct the HTTP security server to accept double slashes (i.e. '//') in a substring of the URL. In order to allow this the security server will define a set of schemes that it will accept. The default set includes prospero, gopher, telnet, finger, mailto, http, news, nntp, wais, file & ftp. You may define new schemes, which will be added to this set.
   To configure, edit the file $FWDIR/conf/objects.C. After the line
   :props (
   add the lines
   :http_allow_double_slash (true)
   :http_use_default_schemes (true)
   In order to define additional schemes add also:
   :scheme ("[scheme_name]:")
   where [scheme_name] is the name of the new scheme. For example, to define http you would add:
   :scheme ("http:")
6. When using partially automatic client authentication, it is now possible to configure the
FireWall so that the redirection sent to the client, pointing it to the server, will be done
according to the 'host' header and not according to the destination IP.
   To set this configuration:
   1. Stop the FireWall using 'fwstop' (or on NT stop the FireWall-1 service)
   2. Edit the file $FWDIR/conf/objects.C. After the line
      :props (
      add the line
      :http_use_host_h_as_dst (true)
   3. Start the FireWall by running 'fwstart' (or on NT start the FireWall-1 service).
7. The following services have been added as FireWall-1 predefined services:
MetaIP-UAT
Sitara
pcTELECOMUTE
8. The following functionality was added to the fw command line. This command can be used to generate an IKE shared secret that can be used by a 3rd party LDAP user management tool. Usage:
   fw ikecrypt [SecretKey] [UserPassword]
   where [SecretKey] is a secret string stored in the Account Unit (the one the user belongs to) and [UserPassword] is the string that the user will use to log in. The output will be the encrypted secret to place under the "fw1ISAKMP-SharedSecret" user attribute. This is also useful for writing bulk scripts for LDAP (in LDIF format).
9. Identical CVP Servers or identical UFP Servers can be configured to share the workload
among them. This allows for load sharing and failover, see
CVPUFPLoadShare.pdf.
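Item 8 above points at bulk LDIF scripting with fw ikecrypt but gives no script. The following Python is an added example, not Check Point's tool: it turns a list of (uid, password) pairs into LDIF modify records that set the fw1ISAKMP-SharedSecret attribute named in the notes. Two things are assumed that the notes do not state: that "fw ikecrypt SecretKey UserPassword" prints the encrypted secret as a single line on stdout, and a constructed DN layout of uid=<name>,<base DN>. The encryption call is injectable so the generator can be exercised (and tested) on a machine without FireWall-1; it also handles the two LDIF details that bite bulk scripts in practice, base64-encoding values that LDIF cannot carry literally and escaping RDN special characters in the uid.

```python
"""Bulk LDIF generation for the fw1ISAKMP-SharedSecret attribute.

Added example, not Check Point code.  Assumptions not stated in the notes:
  * 'fw ikecrypt <SecretKey> <UserPassword>' prints the encrypted secret as a
    single line on stdout;
  * user entries live at the constructed DN uid=<name>,<base DN>; adjust to
    the directory's real layout.
"""
import base64
import subprocess

ATTR = "fw1ISAKMP-SharedSecret"   # attribute name from the release notes


def ikecrypt_via_fw(secret_key, user_password, fw_cmd=("fw", "ikecrypt")):
    """Call 'fw ikecrypt' and return its output line (assumed output format, see above)."""
    proc = subprocess.run([*fw_cmd, secret_key, user_password],
                          check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def ldif_attr_line(attr, value):
    """Render 'attr: value', switching to base64 ('attr:: ') when RFC 2849 requires it:
    a leading space, ':' or '<', any non-ASCII character, or an embedded CR/LF."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_chars = any(ord(c) > 127 or c in "\r\n" for c in value)
    if unsafe_start or unsafe_chars:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def escape_rdn_value(value):
    """Escape the characters that are special inside an RDN value (RFC 4514)."""
    out = []
    for i, c in enumerate(value):
        special = c in ',+"\\<>;' or (c == "#" and i == 0) or (c == " " and i in (0, len(value) - 1))
        out.append("\\" + c if special else c)
    return "".join(out)


def ldif_modify_record(dn, encrypted_secret):
    """One LDIF 'changetype: modify' record replacing the shared-secret attribute."""
    return "\n".join([f"dn: {dn}", "changetype: modify", f"replace: {ATTR}",
                      ldif_attr_line(ATTR, encrypted_secret), "-", ""]) + "\n"


def bulk_ldif(users, secret_key, base_dn, encrypt=ikecrypt_via_fw):
    """users: iterable of (uid, password) pairs.  Returns the LDIF text, one modify
    record per user.  'encrypt' defaults to the real fw ikecrypt call."""
    records = []
    for uid, password in users:
        dn = f"uid={escape_rdn_value(uid)},{base_dn}"
        records.append(ldif_modify_record(dn, encrypt(secret_key, password)))
    return "".join(records)


if __name__ == "__main__":
    import sys
    # usage: python mkldif.py SECRET_KEY BASE_DN < users.txt
    # users.txt holds one "uid password" pair per line (constructed input format).
    key, base = sys.argv[1], sys.argv[2]
    pairs = []
    for line in sys.stdin:
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            pairs.append((parts[0], parts[1].strip()))
    sys.stdout.write(bulk_ldif(pairs, key, base))
```

Feed the resulting file to the directory's own LDIF import tool (for example ldapmodify). Because the secret key is passed on the fw ikecrypt command line, run the script on the management host and keep the input file and the generated LDIF out of world-readable locations.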
Bug Fixes:
Encryption:
1. Fixed bug in the CBC-DES MAC keyed hash function (SKIP and Manual
IPSEC). Interoperability with earlier versions and unpatched 4.1 fails.
2. Entrust 3.0 certificates can now be used for network objects that have PPP interfaces.
3. Fixed a bug that could cause Manual IPSEC connections to block after being open for an
hour.
4. Fixed a bug which caused encrypted connections that pass on Implied Rules to be logged
even if 'Log Implied Rules' was turned off.
5. Fixed a bug where defining an encryption rule with Manual Ipsec on the 'encrypt side' and
an accept rule on the 'decrypt side' with 'Decrypt upon accept' enabled, would cause
connections to fail.
6. Fixed a bug that could cause the FireWall daemon to crash when using Manual IPSEC if
the peer module returns an undefined SPI.
7. Fixed a bug that could sometimes cause the IKE connection to fail, giving an error log
saying "Send Delete SA to Peer ..".
8. Fixed a bug that could cause the IKE daemon to crash when connecting with a
SecuRemote client using IKE and has Axent authentication method defined.
9. Fixed a bug where, when downloading the topology for a SecuRemote client from a
management station which has no local FireWall module -- if the download is authenticated
using certificates the download could fail.
10. Fixed a bug that could cause very long connections to fail when using FWZ with MD5.
Management GUI Clients:
1. Fixed a bug that could cause the Policy Editor to hang when applying a complex query
with many clauses.
2. Fixed a bug where blocking connections from the Log Viewer could cause the process doing the block to crash.
3. Fixed the date selection in the GUI client when server is running on HPUX.
4. Fixed a problem in some of the lists appearing in the Policy Editor where the scroll bar
would not appear until an item in the list was clicked on.
5. Fixed a bug in the Policy Editor, when viewing 'Security Policies on Target' (from the
File->Open menu) the 'Install Time' field was showing the year as three digits for dates
beyond the year 2000.
6. The default expiration date for user templates in the GUI has been changed to December
31, 2000.
7. Fixed a problem that would cause the Policy Editor to take a long time to open the
interface properties for editing.
Authentication:
1. Fixed a bug where, when using LDAP with a very large number of users defined on the
server, sometimes memory usage on the FireWalled machine would rise significantly and
authentication could fail.
2. Fixed a problem where S/Key authentication would sometimes fail although it should have
succeeded.
3. Fixed a bug where, when a user group name was longer than 31 characters the users could
not authenticate.
4. Fixed bugs which could cause the client authentication daemon to crash.
5. Fixed a bug where, when using UAM, SSO would work only when the source was defined as coming from 'any', and not from a specific network object (user@any would work, but user@network_object would not).
6. When renaming an object which was used to define a Radius server, if the user ignored the
warning message and did not change the reference in the Radius server definition, CPU
usage could rise to 100% upon the next authentication request. This problem has now been
fixed.
7. Client authentication from a browser will now accept names and passwords with special
characters (not only alphanumeric).
Security Servers:
1. Fixed a bug where, when using HTTP 1.1 with CVP, 'chunked' data could cause the connections to fail. To fix this the FireWall will downgrade the protocol to HTTP 1.0 if going through a CVP server.
   If desired, this fix must be activated as follows: edit the file $FWDIR/conf/objects.C. After the line
   :props (
   add the line
   :http_force_down_to_10 (true)
2. HTTPS will now work with Internet Explorer browsers in non-transparent mode.
3. Fixed a bug which prevented using a 'next proxy' when FireWall-1 was defined as the
proxy for both HTTP and HTTPS.
4. Fixed a bug that caused the FireWall-1 daemon to crash when using HTTPS with no
encryption license (specifically the feature 'ca').
5. An interface was added to allow LDAP users authenticating to the HTTP security server to
change their passwords using an HTML form when the password has expired.
6. HTTPS through the HTTP security server will now work with Internet Explorer browsers.
7. When using FTP through HTTP and viewing a directory from the browser, fixed the format
of the file dates for year 2000.
8. Fixed a bug where using HTTP resources could sometimes cause the HTTP request to take several minutes.
9. Fixed crashes in the SMTP security server.
10. Fixed a problem that would cause error mails sent by the SMTP security server to be
rejected by certain types of mail servers.
11. Fixed a problem in the FTP security server when used with CVP, where multi-lined replies
from the CVP server were not presented correctly to the client.
12. The SMTP security server can now handle addresses where the user name includes spaces
and is quoted.
13. Fixed a bug which would cause the SMTP daemon to send logs saying 'connection ended
prematurely' to the SMTP daemon log file even for successful connections.
14. Fixed a bug that could cause the SMTP server to crash if the directory configured as the
spool directory does not exist.
15. The SMTP server will now consider 421 reply-code as a temporary failure and resend the
mail message after the 'resend-period'.
Router Management (RSC/SRE):
1. Fixed a bug where, when managing Bay routers, if the first object in the source field was
not a valid address the rule would be ignored.
Logging:
1. Fixed a bug in the presentation of accounting information when the number of bytes is over
2GB; the number will now be shown correctly (there is still a limit of 4GB on the byte
counter, after which it wraps around).
2. Fixed a problem where sometimes after purging the log file the new log file would not
open.
Kernel Module:
1. Fixed a bug where license violation messages could cause the FireWall daemon to crash if
the machine had a long host name.
2. With this service pack you can run VPN-1 & FireWall-1 on Solaris machines with ATM
drivers.
3. When using 'fw ctl pstat' on AIX, the heap size will now be shown.
4. Fixed a bug which could cause an AIX machine to crash when running 'fw stat'.
5. Fixed a bug on Unix platforms, which could cause the FireWall daemon to crash when
domain objects are used.
6. On HP-UX, eliminated license warning messages that appeared when boot security was
enabled.
Management of Embedded Modules:
1. It is now possible to use rules with time restrictions when managing embedded modules.
2. Fixed a bug that prevented Bay routers with embedded FireWall-1 from being presented
in the System Status window.
Miscellaneous:
1. Fixed a bug which caused the address 0.0.0.0 to be ignored when defined as a 'valid
address' for anti spoofing, thus preventing DHCP, for example, from working.
2. RSH can now be used through the FireWall with TCP extensions (e.g. on AIX machines).
3. When configuring an Account Unit from the Policy Editor, the 'fetch branches' button can
now be used with Netscape Directory 4.x.
4. Fixed a bug where 'fw putkey' would sometimes fail if the password was changed to one
with a different length.
5. When getting the interfaces for a network object, the interfaces will be fetched according
to the IP address and not according to the host name given, in case there is a difference.
6. Fixed a bug that could cause passive FTP connections to get stuck when using NAT and
passing many files.
7. Fixed a problem where packets whose first fragment did not contain the complete IP and
TCP headers were dropped.
Limitations and Known Bugs:
1. IKE Phase II logs are not shown.
2. Stateful inspection 'reject' acts as 'drop' on Solaris with a pelx interface. Workaround:
change the line 'pelx accept' to 'pelx deny' in /etc/fw.boot/ifdev.
4066
Enhancements:
1. When handling Radius authentication, FireWall-1 verifies that the Radius attributes are
ones that appear in the RFC. If your system uses non-standard Radius attributes, you can
force FireWall-1 to ignore these attributes. To do so you must add to objects.C
an appropriate line for each such attribute, giving its ID. For example, for an attribute
with ID 255:
a) Stop the FireWall using 'fwstop' (or on NT stop the FireWall-1 service)
b) Edit the file $FWDIR/conf/objects.C . After the line
:props (
Add the line
:radius_ignore (255)
c) Start the FireWall by running 'fwstart' (or on NT start the FireWall-1 service).
2. The number of NAT rules allowed in one rulebase has been increased from 1024 to 4096.
Note that the Policy Editor might perform very slowly or get stuck if trying to handle
more than 1024 rules.
3. In order to allow sending logs to a management station while not allowing it to install
policies on the sending module, the file $FWDIR/conf/loggers was introduced. If this file
exists, the module will send logs to the machines listed in it (syntax is the same as for
masters file), while the $FWDIR/conf/masters file will still be used for policy fetch. The
'loggers' file can only be edited directly - there is no GUI for it at this point.
Bug Fixes:
Known Limitations:
Using a Service Pack 4 management station to manage a module of version 4.0 Service Pack 1
or Service Pack 2 is only possible if no client authentication rules are used. To use such
rules in this configuration the following workaround must be applied:
4055
- UAM:
Users in the MetaIP User Address Mapping database can be transparently authenticated at
the FireWall Module using Client Authentication and the rule property of Single Sign On.
- Policy Editor GUI Client wizards to help define a policy
- New Service Support for:
- IIOP (CORBA)
- RealNetworks RealPlayer G2: (RTSP is not supported when using
NAT)
- Microsoft DCOM (experimental, not supported with NAT): DCOM is
supported only when UDP is used as the transport protocol. To ensure that UDP is used (and
not TCP or HTTP for example), on each client, using regedt32, modify the
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\DCOM Protocols' registry entry, so that the
string "ncadg_ip_udp" will appear first in the list.
- Microsoft NetShow
- pcANYWHERE
- NFS
- NetMeeting: Added T.120 (needed for NetMeeting) as a
predefined service
- Kernel: The 'fw ctl pstat' command has been enhanced to display
more detailed information about the hash kernel memory in use (controlled by the parameter
fwhmem) and the system kernel memory in use.
- Entrust CA: 4.0b libraries for Windows NT and Solaris2.
1. Run 'fwconfig' and choose which version of the Entrust libraries you wish to use.
2. Edit the file $FWDIR/conf/cms.ini, replacing the following lines:
[CMS Settings]
Talk30=TRUE
To work with Entrust 3.0 replace with:
[CMS Settings]
Talk30=1
To work with Entrust 4.0 replace with:
[CMS Settings]
Talk30=0
3. Re-install the policy to apply the change.
- Mail server: A number of configurable parameters have been
added to the mail server to enable better tuning to the required mail traffic. To set a
parameter, follow these steps:
1. Stop the FireWall-1 module by running 'fwstop'.
2. Edit the file $FWDIR/conf/smtp.conf, adding the line ':parameter_name (value)',
where 'parameter_name' is one of the names detailed below and 'value' is one
of its possible values.
3. Start the FireWall-1 module by running 'fwstart'.
New parameters:
1. detailed_err_mail - Value 1 sets this flag. If the flag does not appear
in smtp.conf, or has value 0, it is not set. When this flag is set, an error mail will be
generated when some or all recipients of the original mail could not receive it. The error
mail will include information about which users could not receive the original mail, and a
reason message for each recipient. To use this flag, in addition to setting it, you
must check the "notify sender on error" option in the relevant SMTP resource.
2. detailed_security_err_mail - Value 1 sets this flag. If the flag does
not appear in smtp.conf, or has value 0, it is not set. When this flag is set, and a mail
fails a content security check, the generated error mail will include a notification of
the failure as well as the explanation message received from the content security server.
To use this flag, you must check the "notify sender on error" option in
the relevant SMTP resource.
3. max_load - This value is an abstract measure for the load generated by
the mail dequeuer while emptying the mail-spool. When this value is not set explicitly in
smtp.conf, its default value is 40. The parameter's limits are 100 for Solaris2 and HP,
and 60 for other platforms. If the value exceeds this limit, the mail dequeuer will not
run. This option should be used to adjust the load that the mail dequeuer generates to the
load that can be handled by the peer mail server. When the mail dequeuer generates more
load than the peer mail server can handle, the peer mail server might refuse the mail
dequeuer's connection attempts, possibly causing mail to accumulate in the mail
dequeuer's spool and delaying delivery. This parameter's value should be set according to
the load capacity of the main peer mail server.
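As an added example (not part of the original release note and not Check Point's code), the following Python script parses an smtp.conf in the ':parameter_name (value)' form described above and checks the three new parameters against the limits the note states: a max_load above the platform ceiling (100 on Solaris2 and HP, 60 elsewhere) stops the mail dequeuer outright, and the two detailed error-mail flags only take effect when 'notify sender on error' is checked in the SMTP resource. The sample file contents and the platform names 'solaris2', 'hp' and 'nt' are constructed for this illustration.

```python
import re

# Limits taken from the release note: the dequeuer will not run if max_load exceeds
# the platform ceiling, so a typo here quietly stops outbound mail.
MAX_LOAD_DEFAULT = 40
MAX_LOAD_LIMIT_BY_PLATFORM = {"solaris2": 100, "hp": 100}
MAX_LOAD_LIMIT_OTHER = 60
FLAG_PARAMS = ("detailed_err_mail", "detailed_security_err_mail")

# One ':name (value)' setting per line, as the note describes for smtp.conf.
_SETTING_RE = re.compile(r"^\s*:(\w+)\s*\(\s*([^)]*?)\s*\)\s*$")


def parse_smtp_conf(text):
    """Return {name: value} for every ':name (value)' line; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def max_load_limit(platform):
    """Ceiling for max_load on the given platform (constructed names: 'solaris2', 'hp', 'nt')."""
    return MAX_LOAD_LIMIT_BY_PLATFORM.get(platform.lower(), MAX_LOAD_LIMIT_OTHER)


def effective_max_load(settings):
    """max_load as the dequeuer would see it: the default 40 when the line is absent."""
    raw = settings.get("max_load")
    return MAX_LOAD_DEFAULT if raw is None else int(raw)


def check_smtp_conf(text, platform):
    """Return a list of 'ERROR: ...' and 'NOTE: ...' strings for an smtp.conf body."""
    findings = []
    settings = parse_smtp_conf(text)
    try:
        load = effective_max_load(settings)
    except ValueError:
        findings.append(f"ERROR: max_load value {settings['max_load']!r} is not an integer")
        load = None
    limit = max_load_limit(platform)
    if load is not None and load > limit:
        findings.append(f"ERROR: max_load {load} exceeds the {platform} limit of {limit}; "
                        "the mail dequeuer will not run")
    for flag in FLAG_PARAMS:
        value = settings.get(flag)
        if value is None:
            continue
        if value not in ("0", "1"):
            findings.append(f"ERROR: {flag} must be 0 or 1, got {value!r}")
        elif value == "1":
            findings.append(f"NOTE: {flag} is set; it only takes effect if 'notify sender on "
                            "error' is checked in the SMTP resource")
    return findings


# Constructed sample smtp.conf; not a file from a real installation.
SAMPLE_SMTP_CONF = """\
:max_load (80)
:detailed_err_mail (1)
:detailed_security_err_mail (0)
"""

if __name__ == "__main__":
    for platform in ("solaris2", "nt"):
        print(platform, check_smtp_conf(SAMPLE_SMTP_CONF, platform) or ["OK"])
```

Run it before restarting the module with 'fwstart': the same max_load of 80 passes on Solaris2 and is flagged on NT, which is the kind of platform-dependent difference that is easy to carry over when copying an smtp.conf between machines.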
- Bug Fixes:
- Encryption:
1. Fixed a problem when using FWZ encryption with MD5, where once in a while connections
(especially long ones, e.g. big FTP downloads) would get stuck. The fix is activated by
editing objects.C as detailed below.
Once the fix is activated, FWZ with MD5 on the fixed VPN-1 module will not be compatible
with another VPN-1 module which does not have the fix activated, and will also not be
compatible with SecuRemote clients of version 3.0 or earlier.
To activate the fix:
1. Stop the VPN-1 module by running 'fwstop'.
2. Edit the file $FWDIR/conf/objects.C. Search for the line
:icmpcryptver (n)
where n is a numeric value. If n=0, change it to 2. If n=1, change it to 3.
3. Start the VPN-1 module by running 'fwstart'.
2. When using IKE (IPSEC) encapsulation, the source address will now be the actual
interface address and not the main IP address, to fix interoperability with other vendors'
IKE implementations.
- GUI Client:
1. Fixed the time selection in the Log Viewer when the management is running on Solaris
platforms.
2. Fixed the selection in the Log Viewer to enable selecting logs from a single day.
3. Fixed a bug where, when using two SecuRemote clients with the same username, sometimes one
of the clients would have to re-authenticate although the user was configured with no timeout
on the password.
4. When running a FireWall-1 3.0 GUI client and a FireWall-1 4.0 GUI client on the same
machine, the 4.0 client has now been fixed to launch only 4.0 windows (when launching from
the 'window' menu).
5. When deleting an object which appears in a rulebase, the user will now have the option
to see where the object appears before deciding if it should indeed be deleted.
6. Fixed the 'cutting' of rules in the Policy Editor, which would sometimes cause the GUI
to crash.
7. When choosing 'File->Open' from the Log Viewer menu, the list of files will now show
only real log files, and not other files which cannot be viewed by the Log Viewer (e.g.
fwui.log).
8. In the Policy Editor, minor usability changes were made in the Queries window. See the
online help for updated instructions.
9. Fixed a bug in the Policy Editor where, when defining more than one VLAN for a switch
object, only one of the VLANs would be saved.
- Motif GUI Client:
1. From this service pack the Motif GUI can be run on Solaris 2.6.
2. Fixed a memory leak in the Motif Log Viewer which could cause X-server errors to appear
after the Log Viewer was open for a number of hours.
- Authentication:
1. Fixed a problem when using Axent Defender for user authentication, where, when a user
session was terminated, the sessions were never closed.
2. Installing this service pack will upgrade any Radius Server objects defined to the
format required by VPN-1 and FireWall-1 4.0.
3. Fixed a problem in LDAP where, when an LDAP user expired, the user would be requested to
change the password on every login until the FireWall-1 daemon was restarted.
4. Fixed a bug where, when managing both 4.0 and 3.0 FireWall-1 modules and having external
users (i.e., LDAP) defined, the user database and policy could not be installed on the 3.0
modules.
- Security Servers:
1. When defining FireWall-1 as FTP proxy and giving the username in the syntax 'user@site',
FireWall-1 would request the user to authenticate even when no authentication was required
on the FireWall. In this service pack this has been fixed so that the syntax 'user@site'
can be used even without authentication. In this case, an additional '@' should be
appended at the end (user@site@) to indicate that the 'site' should be sent as part of the
username to the FTP server.
2. Fixed a problem where defining via the Policy Editor an error server for the SMTP
security server would not take effect.
3. When the FireWall-1 mail dequeuer closed a connection with the mail server prematurely
for any reason, the connection was not closed in an orderly manner, since the mail
dequeuer was not waiting for the mail server's reply.
4. When using the FTP security server (FTP resource or user authentication) certain FTP
sites would not respond when opened through a web browser. This was because these sites
would only open passive FTP connections to high ports, while FW-1 was using port 20 as the
target port. FW-1 will now use high ports as the target ports for passive FTP
connections.
5. Fixed a problem when using FTP through HTTP (FTP from a web browser with FireWall-1
defined as proxy), where browsing certain FTP sites (depending on the phrasing of error
messages used by the FTP server) would cause the FireWall-1 security server to crash.
6. Fixed a problem when using HTTP POST commands (e.g. filling in forms) through the HTTP
security server (using HTTP resources or user authentication), where for certain sites the
request would time out due to a missing character at the end of the request.
7. Fixed a bug which prevented HTTPS from working in transparent mode.
8. Fixed a bug where a '%' in the requested URL would cause the HTTP security server to
crash.
9. Fixed a bug where, when using HTTP Automatic Client Authentication with many concurrent
connections, at some point new connections would begin receiving the error 'FW-1 form has
expired'.
10. The user will be prevented from defining two resources of the same service (ftp, http
or smtp) that actively use CVP (i.e. with Read/Only or Read/Write, and not with None) to
be in the same rule, since the required behavior in this case is not clear.
11. The security servers now send the CVP server the resolved host name, when available,
and not the IP address.
12. When using the SMTP security server and sending messages to recipients that do not
exist, the sender will now receive a notice of the failure.
13. Fixed a bug in the Mail Dequeuer which could cause it to stop dequeuing (giving an
error 'connection ended prematurely') after a long period of considerable load.
14. When a CVP server rejects a mail message due to its being unsafe, FireWall-1 will now
add the server's rejection message to the error message sent to the recipient.
15. The FTP security server can now work with FTP clients which send a 'SITE' command after
the FireWall-1 authentication (e.g. the Hummingbird FTP client).
16. Fixed a bug in MIME stripping of 'message/partial' and 'encapsulated content' types.
17. Fixed a problem when using SMTP where, if the domain is not configured on the FireWall
machine, mail messages to some servers may fail due to an incomplete domain name.
18. Fixed a bug in the handling of chunked data by the HTTP security server which could
cause connections to fail when using Internet Explorer 4.x as the browser.
19. From this Service Pack, creating and using groups of CVP and UFP resources is not
possible, since it is not clear what behavior is expected of the FireWall in this case.
- Router Management (RSC/SRE):
1. This service pack includes all the bug fixes relevant to router management from OSM 1.1.
2. Fixed a problem where, when running OSE on a FireWall-1 module which is remote from the
management, logging could not reach the management.
- Logging:
1. Fixed a bug which could cause the FireWall-1 daemon to crash with heavy logging after
the daemon was stopped in an irregular manner for some other reason.
2. Fixed a bug which on UNIX platforms caused several log files to receive the same file ID
in fw.logtrack, creating problems when trying to get a file by its file ID.
3. Fixed a bug in the FireWall-1 logging which could cause new logs not to be readable from
the log file.
- Miscellaneous:
1. Creating a user using a template will no longer cause the user database file to grow
disproportionately.
2. When using a Unix platform for the management station and a non-Unix platform (WinNT or
VPN-1 Appliance - formerly VPN-1 RemoteLink) as the FireWall-1 module, fixed a problem
where giving 'fw putkey' a password longer than 8 characters would cause the
authentication between the management and module to fail.
3. Fixed a problem where having a logical server object defined would cause the policy
installation to take a very long time.
4. There is no longer any limitation on the number of domains which can be defined in
FireWall-1. Before this Service Pack, there was a limitation which depended on the length
of the domain names defined.
5. Corrected the exporting of encryption information of users to LDIF format (for use as
input to an LDAP server).
6. Corrected the ports of the Entrust predefined services.
7. You may add a property which will enable light policy verification. This can be done as
follows:
Edit the file $FWDIR/conf/objects.C. After the line
:props (
Add the line
:fw_light_verify (true)
8. Increased the default value of fw_maxfiltersize to 64K and of fw_maxcode to 256K to
enable loading of larger policies.
9. When enabling the 'Accept FireWall-1 Connections' property, UDP port 18182 will no
longer be opened.
10. Fixed the X11-verify service and corrected the rule numbers in logs for this service.
11. Fixed a problem when installing a policy on more than one embedded FireWall-1 module,
where installation on the second and subsequent embedded modules would fail.
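The objects.C edits prescribed in these notes (the :http_force_down_to_10 line in the 4094 security-server fixes, :radius_ignore in the 4066 enhancements, :fw_light_verify in item 7 above, all added after ':props (', and the :icmpcryptver value change for the FWZ/MD5 fix in this service pack) follow two patterns: insert a property line after ':props (', or rewrite the value of an existing property. The Python below is an added example, not Check Point's code or tooling: it inserts a property only when it is not already present, refuses to add a conflicting value rather than leaving two definitions of one property in the file, and rewrites an existing property through an explicit old-to-new value map. The sample objects.C fragment is constructed and does not reproduce the real file's layout; the firewall still has to be stopped and restarted around the edit as each note instructs.

```python
import re

PROPS_OPEN = ":props ("


def _prop_pattern(name):
    # Matches a ':name (value)' line and captures its leading whitespace and the value.
    return re.compile(r"^(\s*):" + re.escape(name) + r"\s*\((.*?)\)\s*$")


def get_property(text, name):
    """Return the value of the first ':name (value)' line in text, or None if absent."""
    rx = _prop_pattern(name)
    for line in text.splitlines():
        m = rx.match(line)
        if m:
            return m.group(2).strip()
    return None


def add_property_after_props(text, name, value):
    """Insert ':name (value)' on the line directly after ':props (' as the notes instruct.

    Idempotent: an existing line with the same value is left alone, and an existing line
    with a different value raises instead of silently creating a duplicate definition.
    """
    current = get_property(text, name)
    if current is not None:
        if current != value:
            raise ValueError(f"{name} is already set to {current!r}; not adding {value!r}")
        return text
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip() == PROPS_OPEN:
            indent = line[: len(line) - len(line.lstrip())] + "\t"
            lines.insert(i + 1, f"{indent}:{name} ({value})\n")
            return "".join(lines)
    raise ValueError(f"no '{PROPS_OPEN}' line found; refusing to guess where :{name} belongs")


def update_property(text, name, value_map):
    """Rewrite every ':name (old)' line whose old value is a key of value_map.

    Returns (new_text, changed_count). Values outside the map are left untouched, so the
    icmpcryptver rule from the notes is expressed as {'0': '2', '1': '3'} and a file that
    already holds 2 or 3 is reported as 0 changes instead of being bumped again.
    """
    rx = _prop_pattern(name)
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        m = rx.match(line)
        if m and m.group(2).strip() in value_map:
            new = value_map[m.group(2).strip()]
            line = f"{m.group(1)}:{name} ({new})" + ("\n" if line.endswith("\n") else "")
            changed += 1
        out.append(line)
    return "".join(out), changed


# Constructed sample; the real objects.C is far larger and laid out differently.
SAMPLE_OBJECTS_C = (
    "(\n"
    "\t:props (\n"
    "\t\t:icmpcryptver (0)\n"
    "\t\t:example_existing_prop (1)\n"
    "\t)\n"
    ")\n"
)

if __name__ == "__main__":
    text = add_property_after_props(SAMPLE_OBJECTS_C, "fw_light_verify", "true")
    text, n = update_property(text, "icmpcryptver", {"0": "2", "1": "3"})
    print(f"icmpcryptver lines changed: {n}")
    print(text)
```

Work on a copy of the file and diff it against the original before moving it into place; the conflict check matters because objects.C is also rewritten by the management station, and a hand-added line that disagrees with a GUI-set value is exactly the sort of drift that the notes' "ignore the warning and continue" Radius bug shows can go unnoticed.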
4037
- Fixed a crash in the HTTP Security Server with SecureID,
which could occur in New PIN mode with HTTP User Authentication. Fixed an allow
option also.
- CVP can be specified as an HTTP Resource that allows FTP
through HTTP requests. FTP connections will pass through HTTP on the HTTP rule.
- With this Service Pack the HTTP Security Server can now
handle chunked data.
- Fixed a crash in the SMTP Security Server caused by very
long headers, and by reloading during heavy traffic.
- Fixed a problem when an FTP connection would be dropped if
an ICMP rule precedes the FTP rule, while source and destination are the same in both
rules yet the encryption methods differ.
- Fixed a problem where setting 'accept outgoing packets' to
'first' when using encryption rules for protocols other than TCP and UDP (e.g. ICMP) could
result in failure of connections and in packets passing clear on these encryption rules.
- Fixed a bug where using RealAudio with IKE or SKIP
encryption connections, UDP packets were transferred in cleartext.
- Modified the computation of an AH HMAC SHA1 key to make it
conformant to the ISAKMP (IKE) standards (sp2 can't talk to sp1; must have sp2 on all
modules). Fixed misc. IKE problems such as SA expiration, SecureRemote duration of
reauthentication, and use with static destination NAT. To use the latter: you should
edit the file $FWDIR/lib/crypt.def on your management station as follows: At the top
of the file, immediately below the line:
// $Header: /fw/cvs/fw-1/fwlib/crypt.def,v....
Add the line:
#define ISAKMP_WITH_DST_STATIC_NAT 1
- In prior versions FireWall-1 would remember the
authentication of SecuRemote users by username. Using Service Pack 2 it is possible to
configure FireWall-1 to remember this authentication by username and IP address, so that
a) When using a different machine or IP address the user will have to re-authenticate.
b) The same username can be used simultaneously from different machines. To use
this new setting you must follow these steps:
1. Stop FireWall-1 (on Windows NT stop the service, on UNIX run 'fwstop').
2. Edit the file $FWDIR/conf/objects.C as follows:
After the line
:props (
Add the line
:userc_bind_user_to_IP (true)
3. Start FireWall-1 (on Windows NT start the service, on UNIX run
'fwstart').
- Fixed automatic update of System Status window in Openlook
GUI.
- On Cisco and Steelhead routers, corrected the generation of
access lists for rules using ICMP services other than ICMP-proto.
- Fixed a bug in router management where using the format
'<n' for a port range would result in an unlimited range. The values allowed in the
port field:
"<n" : Smaller than n, but not n
">n" : Bigger than n, but not n
"m-n" : between m and n, include m and n.
"n" : only n
To define "any" in the port field - enter ">0". "<=",
">=" are currently illegal. source-port-from allows only "m", and
source-port-to allows only "n", and the meaning is always the same as
"m-n" in the port field. To put "any" in the source port, leave both
source-port-from and source-port-to empty.
- Using predefined RIP service for routers ACLs now works.
- Fixed a bug where on installation of a new policy the access
list was uninstalled from a Bay router although the new policy had no rules to install on
the router.
- Corrected the translation of port range services for
Steelhead routers.
- Corrected the generation of the netmask created for routers
when using 'Specific' as the 'Valid Addresses' option of the 'Interface Properties'
defining the network object.
- Corrected the traversal of log files in the LEA server so
that the log files are traversed in correct order even if one of the files was deleted.
- On Windows NT fixed the configuration of the SAM server,
where previously the SAM server on FireWall-1 modules was configured as though it were
running on a FireWall-1 management station.
- Fixed a problem in the RSH/REXEC
- When using a Logical Server with server type 'other' in
rules without 'resource' services or user authentication, connections whose destination is
the logical server might hang and not be redirected to a physical server.
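The port-field syntax listed for router management above ('<n', '>n', 'm-n', 'n', with '>0' meaning any and '<=' / '>=' illegal) is small enough to validate before it reaches an access list, which is the kind of check that would have caught the '<n' unlimited-range bug. The Python below is an added example, not part of the release note or of Check Point's router-management code; it assumes usable ports run from 1 to 65535, treats a field that resolves to an empty set (such as '<1') as an error rather than an open range, and, for the source-port fields, requires either both values or neither, as the note describes.

```python
import re

# Assumption for this example: usable ports are 1..65535 (port 0 is not accepted).
PORT_MIN, PORT_MAX = 1, 65535
ANY_PORTS = (PORT_MIN, PORT_MAX)

_FIELD_RE = re.compile(r"^([<>]?)(\d+)(?:-(\d+))?$")


def parse_port_field(field):
    """Translate a port field into an inclusive (low, high) tuple.

    Forms from the 4037 note: '<n' (below n), '>n' (above n), 'm-n' (m..n inclusive),
    'n' (exactly n); '>0' therefore means any port. '<=' and '>=' are rejected, and so is
    any field whose result is empty or outside 1..65535, so a bad field becomes a loud
    error rather than a silently unlimited range in the generated access list.
    """
    f = field.strip()
    if not f:
        raise ValueError("empty port field; use '>0' for any")
    if f.startswith(("<=", ">=")):
        raise ValueError(f"{f!r}: '<=' and '>=' are not allowed")
    m = _FIELD_RE.match(f)
    if not m:
        raise ValueError(f"{f!r}: not one of '<n', '>n', 'm-n', 'n'")
    op, a, b = m.group(1), int(m.group(2)), m.group(3)
    if op and b is not None:
        raise ValueError(f"{f!r}: '<' or '>' cannot be combined with a range")
    if op == "<":
        low, high = PORT_MIN, a - 1
    elif op == ">":
        low, high = a + 1, PORT_MAX
    elif b is not None:
        low, high = a, int(b)
    else:
        low = high = a
    if low < PORT_MIN or high > PORT_MAX or low > high:
        raise ValueError(f"{f!r}: resolves to the empty or out-of-range set {low}-{high}")
    return (low, high)


def is_valid_port_field(field):
    """True if parse_port_field accepts the field."""
    try:
        parse_port_field(field)
        return True
    except ValueError:
        return False


def parse_source_port(src_from, src_to):
    """source-port-from / source-port-to as the note defines them.

    Both empty means any; otherwise each must be a single port and the pair behaves like
    'm-n'. A half-filled pair is rejected (assumption: the note leaves that case undefined).
    """
    a, b = src_from.strip(), src_to.strip()
    if not a and not b:
        return ANY_PORTS
    if not a or not b:
        raise ValueError("source-port-from and source-port-to must both be set or both be empty")
    if not (a.isdigit() and b.isdigit()):
        raise ValueError("source-port-from/to accept a single port number only")
    return parse_port_field(f"{a}-{b}")


def port_in_field(port, field):
    """True if port falls inside the set described by field."""
    low, high = parse_port_field(field)
    return low <= port <= high


if __name__ == "__main__":
    for field in ("<1024", ">1023", "20-21", "80", ">0"):
        print(f"{field:>7} -> {parse_port_field(field)}")
    for bad in ("<=80", "<1", "0", "8080-80", "foo"):
        try:
            parse_port_field(bad)
        except ValueError as e:
            print(f"rejected {e}")
```

Note the deliberate asymmetry with the router syntax: a field the note would have accepted but that covers no ports ('<1') is reported rather than passed through, because an ACL entry that matches nothing is usually a typo for one that should match something.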
4031
- Safe on multiprocessors
- Unlimited number of NICs
- The FireWall-1 Rule Base editor allows a user to: select
rules based on flexible criteria, hide rules, disable rules, view a Security Policy
installed on a FireWall Module
- ISAKMP/Oakley is now supported for VPNs and SecuRemote,
including ENTRUST PKI, and is exportable worldwide.
- LDAP based user databases are now fully integrated into
FireWall-1, and an LDAP (Java) client is included with FireWall-1
- Authentication features: support for TACACS/TACACS+, RADIUS
Version 2, MD5 in S/Key, secondary (backup) AXENT servers, Client Authentication can now
be performed using a Web browser, implicit Client Authentication, Client Authentication
now supports dynamic clients.
- All FireWall-1 Security Servers now support OPSEC Version
1.0.
- The HTTP Security Server supports FTP and HTTPS.
- The "sticky servers" feature keeps successive
client-logical server connections going to the same physical server. This feature is
especially important for HTTPS sessions.
- NAT now supports H-323, NetShow, VXtreme and many other
services
- Support for a variety of new services, including DEC RPC and
multicast
- FireWall-1 now imports Access Lists from Cisco, 3Com and
Microsoft RRAS routers
- The FireWall-1 Log Viewer now displays syslog messages for
supported routers and security devices.
- FireWall-1 now supports the following routers and security
devices: RRAS routers, Cisco PIX FireWall
3083
- Supports NT SP4
- SMTP Security Server: fixed a memory leak in SMTP when using
MIME stripping, and fixed error mail being deleted if 'notify sender on error' is checked
and the server is unreachable.
- HTTP Security Server: fixed crashes when using URI resources with
accounting and long URLs. Fixed the handling of the replacement URL, which could delay
the appearance of the authentication prompt depending on the length of the replacement
URL; this length can be configured by editing the value of the property
:http_max_url_length in $FWDIR/conf/objects.C. Fixed a bug in accounting for HTTP
resources with 'accept outgoing packets' set to 'first'. In the HTTP security server, the match
of the scheme (e.g. HTTP) and the method (e.g. GET) is now case insensitive.
- Fixed a bug on UNIX platforms, where the in.telnetd process
was orphaned after the connection is closed in backward compatibility mode when using user
authentication with the FireWall as the destination
- Corrected handling of multiple simultaneous SecurID
authentication sessions. Multiple users can now authenticate concurrently using SecurID
- To control the timeout after which the security server gives up on
connecting to the destination server, you may now define (or modify) the au_connect_timout
property in objects.C to specify the requested timeout (the default is 10 seconds if no such
property is specified).
- SKIP: fixed a bug in de-fragmentation which could cause
connections to hang when using SKIP with large packets; fixed crashing on Solaris; fixed
connections being incorrectly rejected when using SKIP with ESP only or AH only together
with User Authentication on the decrypt side; fixed key export compatibility between NT and Solaris.
- IPSEC: enabled multiple Gateway tunnels so that the Gateway
can connect to two sites using Manual IPSEC; fixed crashes on decrypt and the logging of AH
vs ESP; discontinued RC4 support.
- Fixed a bug in FWZ encapsulation between SecuRemote 4.0
and FireWall-1 3.0 on all platforms except HP, where the problem still exists.
- Fixed a bug which could cause the FireWall to crash when on a
SecuRemote client the expiration timeout for the password was set to zero.
- Fixed a bug in the handling of nested user groups
- Fixed Year 2000 bugs in select and find functions in the Log
Viewer
- Fixed hangs on dual CPU machines
- Corrected GUI (specifically bitmaps) allocation which could
cause the GUI client to get stuck on Win95 when working with very
large rulebase
- When fetching interfaces for a network object, if a fetched
interface existed previous to the fetch its definition will now be
overwritten by the result of the fetch.
- It is no longer permitted to enter a drive prefix to the file
name (e.g. 'a:filename') when using 'save as' for a policy.
- Disabled the use of address range objects in the security
policy rulebase. It is still available for defining NAT rules
- On Cisco, 3com and Steelhead routers, using the predefined RIP
service produced incorrect access lists for that service. A RIP rule can now be correctly
defined either from the access-list properties or from the rule-base editor
- Fixed a bug where using the format '<n' for a port range
would result in an unlimited range
- Fixed a bug where on installation of a new policy the access
list was uninstalled from a Bay router although the new policy had no
rules to install on the router.
- Fixed a problem where 'fw lichosts' on HP was showing one month
behind.
- Removed from SNMP configuration files specific IP addresses
which were being used as place holders, corrected the location of snmp_version and
snmp_community_len in snmp.def, corrected the responses of the FireWall SNMP daemon.
- Fixed file descriptor leak in Load Balancing, HTTP method
- For FireWall-1 Modules on Bay routers: updated the message
describing the format for interfaces necessary for Anti-Spoofing to comply with Bay
version 12.10.
- Fixed a problem which prevented synchronizing two FireWalls
unidirectionally (i.e. FireWall A is updating B, but B is not updating A).
3072
- Fixed multiple GUI problems including resource leak, print
problem, 'Read Only' group object scrolling, error msgs, Motif color problem, x86
Illegal netmask, alert triggering in System Status window.
- Fixed reassembly of fragmented SKIP packets, and SKIP bug
which occasionally caused the fw daemon to crash
- Fixed bug in 'fw logswitch' mechanism, related to the
fw.logtrack file, which was causing the fw daemon to fail due to too many open file
descriptors
- Removed message "fwd: Unable to open 'dev/fw0'"
which was being displayed on the management station whenever the active log file
($FWDIR/log/fw.vlog) exceeded the default size of 10KB
- Changed representation of date in 'fw log' output, 'fw
logswitch' to be Y2K compliant
- In Address translation made testing of minimum length be
protocol sensitive. This fixes problems such as ICMP type 9 packets being wrongly dropped
when translation is applied
- When using Cisco access-lists, it is now possible to define a
filter that checks the source port of a packet
- The SMTP security server now adds the full name, including domain,
to the HELO command, sends 552 (not 452) when mail is too large, and handles multiple mail
messages on a single connection; an NT mail alert problem was also fixed
- In the FTP security server: corrected handling of 220 multiline
messages, a hang on the welcome message, and logging
- Corrected handling of HTTP server replies which have no
headers
- Fixed SecurID related FireWall daemon crashes on NT
- Defining a user with time limitation using the interval 00:00
to 23:59 now covers the minute from 23:59 to midnight
- Protection from 'Radio Flyer' attack, where opening
connections to the FireWall management daemon could prevent any FireWall administrator
from connecting to the management station
- Fixed a problem that could cause a kernel crash on AIX in a
situation where packets must be modified (NAT or encryption) and the FireWall-1 gateway
does not have an ARP entry of the next hop
- Protection from the fragmentation attack, where sending
fragmented packets can cause the FireWall to stop forwarding packets
Limitations:
- A problem in the SMTP server causes it not to send any logs. You
will receive logs on mail messages only from the mail dequeuer process.
- Occasionally, during multiple, concurrent authentication
between a FM and an ACE server, the challenge will return a failure even if the right PIN
was entered. This will be fixed in a subsequent hot fix.
3064
- OPSEC/SDK Support is now provided
- Fixes many CVP and UFP problems
- Fixes: executing alerts on Windows NT creates system memory
leaks
- "fw log -ft" on Windows NT did not work
- HTTP Security Server instabilities including: FTP from
Netscape Communicator fails, crashing, multiple DNS queries for a single job, abnormal
ahttpd.log growth, SecurID PASSCODE problems
- Many issues with SMTP Security Server: including crashes,
logging, stuck mail
- FTP Security server did not support PASV FTP with Accounting
- FireWall Synchronization with address translation is supported
- Number of NAT Rules is up to 2048 rules instead of 1024
- SKIP Encryption problems when used with NAT
- When defining an object whose IP address is identical to a
FireWalled object, encryption does not work properly
- When all users checkboxes are unset, adding a user crashes
OpenLook fwui
- Windows and X/Motif GUI: State transition alerts did not work
in System Status view
- Long names for Admin authentication crashes fwm
- When rule base exceeds ~250 rules, the INSPECT Virtual Machine
stack could overflow
- Land Attack protection provided
- RealAudio and VDOLive services are now supported in FASTPATH
mode
- Large FTP transfers: If a file transfer through the FireWall-1
took more than TCP_TIMEOUT (set by default to 60 minutes) the control connection was cut in
the middle, resulting in file transfer failure. After installing Patch 3055, if you need to
transfer files for more than TCP_TIMEOUT, you need to modify the file $FWDIR/lib/base.def,
changing the line '#define FTP_CONTROL_TIMEOUT TCP_TIMEOUT' to '#define
FTP_CONTROL_TIMEOUT <seconds>' where <seconds> is the number of seconds you
want the control connection to remain open
- $FWDIR/conf/fwauthd.conf had a limit of no more than 10
security servers. Number increased from 10 to 64
- More than ~20 domain objects in the Rule Base did not work
- Support is now provided for more embedded systems: Xylan
switches, Bay Networks routers, etc.
Limitations:
- Back channel connections (e.g., FTP Data connection) do not
work when using FireWall-1 Synchronization in an asymmetric routing configuration.
Copyright 2006, Security Evolution, Inc.