About this document

Purpose

This document details changes introduced by the 6.2 version for DenyAll Web Application Firewall.

Context

Version information

This version follows version 6.1 of DenyAll Web Application Firewall. This version is an LVS (Last Version Support).

Reminder of the LTS/LVS concepts:

  • Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches will be issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
  • Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.

Revision

Revision number: r36250

Official release date

October 10th, 2016.

Main changes

Major enhancements

This version 6.2 brings the following new features:

  • Security engines ported from rWeb
  • Sitemap learning and validation
  • Storage of learning and access log in ElasticSearch

New security engines from rWeb

This release introduces new security engines available through new security workflow nodes. These nodes correspond to existing engines of DenyAll rWeb.

  • Normalization Engine: The Normalization node decodes the different parts of an HTTP request and provides other security engines with a context corresponding to the decoded form of the request. It also checks whether decoded requests still contain encoded characters, so that administrators can decide whether such requests are allowed.

See Normalization Engine documentation.

  • Blacklist Engine: The Blacklist Engine node applies a set of filters (rules) to a request in order to detect attacks or intrusion attempts.

See Blacklist Engine documentation.

  • Scoringlist Engine: The Scoringlist Engine node applies a set of filters (each filter having a dedicated weight) to the request in order to detect attacks or intrusion attempts depending on the total weight of a request.

See Scoringlist Engine documentation
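
The residual-encoding check and the weighted scoring described above can be sketched as follows. This is an added example, not DenyAll code: the filter patterns, their weights and the threshold of 6 are constructed for illustration, and a single URL-decoding pass stands in for the Normalization node.

```python
import re
from urllib.parse import unquote

# Constructed filters (name, pattern, weight); not the product's rule set.
SCORING_FILTERS = [
    ("sql_keyword", re.compile(r"\bunion\b.+\bselect\b", re.I), 6),
    ("script_tag", re.compile(r"<\s*script", re.I), 6),
    ("path_traversal", re.compile(r"\.\./"), 4),
    ("quote_comment", re.compile(r"'\s*(--|#)"), 3),
]
ENCODED = re.compile(r"%[0-9a-fA-F]{2}")
THRESHOLD = 6  # assumed total weight at which a request is blocked


def normalize(value):
    """Decode once and report whether encoded characters remain."""
    decoded = unquote(value.replace("+", " "))
    return decoded, bool(ENCODED.search(decoded))


def score(decoded):
    """Sum the weights of every filter that matches the decoded value."""
    hits = [(name, w) for name, pat, w in SCORING_FILTERS if pat.search(decoded)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def evaluate(value, allow_residual_encoding=False):
    """Return (verdict, matched filters or reason, total weight)."""
    decoded, residual = normalize(value)
    if residual and not allow_residual_encoding:
        # Still encoded after decoding: the administrator's policy decides.
        return "block", "residual-encoding", 0
    total, names = score(decoded)
    verdict = "block" if total >= THRESHOLD else "pass"
    return verdict, ",".join(names), total


if __name__ == "__main__":
    # Constructed sample parameters.
    for sample in ("q=shoes", "id=1%27%20--",
                   "file=..%2F..%2Fconfig%27--", "q=%253Cscript%253E"):
        print(sample, "->", evaluate(sample))
```

With `allow_residual_encoding=True`, the double-encoded last sample passes with a weight of 0 because the filters only see the once-decoded text, which is why the residual-encoding decision matters.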

Along with the new security nodes come new panels where normalization, blacklist and scoringlist profiles can be managed.

  • Normalization Configurations: Allows configuration of Normalization profiles needed by the Normalization node.

See Normalization Configurations documentation

  • Blacklist Configurations: Allows configuration of Blacklist profiles and exceptions used by the Blacklist Engine node.

See Blacklist Configurations documentation

  • Scoringlist Configurations: Allows configuration of Scoringlist profiles and exceptions used by the Scoringlist node.

See Scoringlist Configurations documentation

Sitemap learning and validation

Sitemap has been redesigned in DenyAll WAF 6.2. A new workflow node "Learning log" is available to record incoming requests. The recorded traffic can then be used to create a Sitemap corresponding to the backend applications. A second node "Sitemap Validation" compares requests with sitemap entries to decide whether a request is valid for the backend application.

See Sitemaps, Learning Log, Sitemap Validation for more information.

Not compatible with v5 Sitemaps or FocusTables.

Sitemap validation is limited to paths and methods in this version.
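
The learn-then-validate flow, restricted to paths and methods as stated above, can be illustrated like this. It is an added example, not the product's implementation: the learning-log records are constructed, and ignoring the query string and a trailing slash are assumptions of this sketch.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed learning-log records: (method, request target).
LEARNING_LOG = [
    ("GET", "/"),
    ("GET", "/catalog?page=2"),
    ("GET", "/catalog/"),
    ("POST", "/login"),
    ("GET", "/login"),
]


def normalize_path(target):
    """Keep only the path; drop the query string and any trailing slash."""
    path = urlsplit(target).path or "/"
    return path.rstrip("/") or "/"


def build_sitemap(records):
    """Map each learned path to the set of methods seen for it."""
    sitemap = defaultdict(set)
    for method, target in records:
        sitemap[normalize_path(target)].add(method.upper())
    return dict(sitemap)


def validate(sitemap, method, target):
    """Compare a request with the sitemap on path and method only."""
    path = normalize_path(target)
    if path not in sitemap:
        return "unknown-path"
    if method.upper() not in sitemap[path]:
        return "method-not-allowed"
    return "valid"


if __name__ == "__main__":
    sitemap = build_sitemap(LEARNING_LOG)
    # Constructed requests checked against the learned sitemap.
    for method, target in (("GET", "/catalog?page=9&sort=x"),
                           ("DELETE", "/login"),
                           ("GET", "/admin")):
        print(method, target, "->", validate(sitemap, method, target))
```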

Storage of learning and access logs in Database

With DenyAll WAF 6.2, the access logs can be stored in an internal noSQL database. This database is also used to store all requests learnt through the "Learning Log" node.

Warning

The use of the database is very demanding in terms of CPU and RAM. It is highly recommended to have at least 16 GB of RAM and 8 CPUs to activate this feature.

Minor enhancements

The following metric has been removed: "otherlogs.value". The value is now gathered in the other logs indicators, which improves monitoring performance.

Bug fixes

Bug criticality indicators

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic.

Network

  • (error) [DA-4880] Change Primary IP drop VIP linked to this device
  • (error) [DA-4291] change primary interface to other device, older primary disappear
  • (error) [DA-4029] Bonding devices failed
  • (warning) [DA-3656] Apply network error after modifying admin IP in TUI

Workflow

  • (error) [DA-4579] Loading and runtime crash with URL Mappings using load-balancers
  • (warning) [DA-4400] Backups don't include dependencies on static (sub-)workflows
  • (error) [DA-4366] distributed datastore, modworkflow_config segfault
  • (warning) [DA-4111] User Tracking brick can not be used into a SWF
  • (error) [DA-3982] X509 extract pubkey is not valid

Tunnel

  • (error) [DA-4938] Distributed datastore are not started after an apply

XML and WSDL

  • (error) [DA-5008] Issue to restore XML Keystore from 5.x (including 5.7) to 6.1 and upper
  • (error) [DA-4785] XML parsing (libxml) crash with huge element
  • (error) [DA-3613] Condition on table is not coherent

Monitor

  • (error) [DA-4509] Backend-monitor does not use configured SSL protocols only
  • (warning) [DA-3735] MMProxy metric is critical when no MMProxy configured
  • (warning) [DA-4260] Monitor daemon does not always terminate properly
  • (warning) [DA-388] Metric check_authserver can be created but not used

BL/SL/ICX/Normalization

  • (error) [DA-4530] ICX and Workflow memory footprint

SSL

  • (error) [DA-4401] Updated CRLs are not used by tunnel configuration
  • (error) [DA-4485] SSL Cipher Profiles list : only default profiles are listed
  • (warning) [DA-4102] Accept self signed certificate upload in Certificate Bundle CA
  • (warning) [DA-3981] CRL not up to date after an apply
  • (error) [DA-3768] CRL behavior has changed for client certificates
  • (error) [DA-3648] P12 import with chain file include into certificate file
  • (warning) [DA-2773] Need to apply notifications is missing when updating tunnel's certificate

System

  • (warning) [DA-4440] logfilter takes too much stack memory
  • (error) [DA-3642] V6 Compatibility with Dell Rx30

GUI

  • (error) [DA-4438] [DATUI] Dashell ask for sudo password on first connection
  • (error) [DA-3832] [DATUI] unable to connect to daTui when no space left on /var/log. So no emergency command
  • (warning) [DA-4857] Filename cannot be empty when importing certificate from ZIP file
  • (error) [DA-4393] IP Reputation option not enabled in GUI
  • (error) [DA-4242] The link to the Web GUI is not valid in Cloud environments
  • (error) [DA-4112] Windows sizing
  • (info) [DA-3737] Popup charts in the web GUI can be moved under browser bar
  • (info) [DA-4383] Tunnel automatic change port popup dialog requires 2 clicks
  • (info) [DA-1557] When creating a backup, Sorting by name is not correct

Miscellaneous

  • (error) [DA-3765] Do not allow new report generation until previous one has finished
  • (error) [DA-3354] Webroot licence for managed
  • (warning) [DA-1829] Create a runlevel for manager and managed
  • (warning) [DA-4852] Security log filter doesn't work with %

Known issues

None

Removed feature

The following features are no longer available and will not be reimplemented in a future version:

  • Focus tables (replaced by sitemap)

  • ACE (a beta security engine designed for auto learning)

Appendix

Installation and Upgrade

Configuration Backup

Before installing this version, back up any work that is in progress. Go to the Management > Backups panel, back up all the configurations, then download the backup file.

In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.

Installation procedure

Follow the steps hereunder to install this version of DenyAll WAF:

  1. Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/

  2. Install the product on your appliance or virtual machine. The installation is described in the Installing from ISO page

  3. Log into the DenyAll Text User Interface and set the role: Management or Managed (for more details see the Initialization of the Management and Managed mode page)

  4. Repeat stages 2 and 3 for each Managed appliance, if there are any

  5. Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page)
  6. If there are any, add Managed appliances to the cluster. Go to Setup > Boxes > Add
  7. Create a support request to DenyAll to retrieve the license. The serial number (Service Tag) of the appliance will be needed (it can be found in Setup > i-Boxes > Licenses, select a Box and click View). For more details, see the Obtaining and assigning a DenyAll WAF license page
  8. Upload license(s) in the Setup > Boxes > Licenses panel
  9. Perform an apply of all configurations to verify that all Boxes are responding well
  10. If you have any backups from 5.x or 6.x, you can restore them in the Management > Backups panel, then perform an apply (with Cold Restart selected) on all the configurations

Update procedure

The following steps describe how to update the product from a version 6.X (lower than the new version) by using the RSE system.

System requirements: The cluster must be running a version lower than the new one.

  1. Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
  2. Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page) 
  3. Go to the Management > Backups panel, back up all the configurations, then download the backup file. In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances
  4. Go to Management > System Updates and upload the RSE file
  5. Select the Management Box and click Install
    The Management Box must be updated first, before updating managed Boxes

  6. Read and confirm the readme

  7. The installation process will automatically restart the Box and the user will be disconnected from the administration interface

  8. Wait for the Box to restart
  9. Repeat stages 5, 6, 7 and 8 for each managed Box, if there are any

  10. Perform an Apply (with Cold Restart selected) on all the configurations

Uninstall procedure

 

The DenyAll WAF 6.2 RSE file cannot be uninstalled.

In case of a virtualization environment, you can use snapshots to roll back to a previous version of DenyAll WAF 6.2.