(info) Page not translated. English only.

About this document

Purpose

This document details the changes introduced in version 6.3 of DenyAll Web Application Firewall.

Context

Version information

This version follows version 6.2 of DenyAll Web Application Firewall. This version is an LVS (Last Version Support).

Reminder of the LTS/LVS concepts:

  • Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches will be issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
  • Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.

Revision

Revision number: r38847

Official release date

March 30th, 2017.

Main changes

Major enhancements

This version 6.3 brings the following new features:

  • New advanced security engines for SQL injection and Path traversal
  • Parameters support in Sitemap
  • New security events and exceptions management
  • HTTP/2 on incoming requests

New advanced security engines for SQL injection and Path traversal

This release introduces 2 new security engines available through new security workflow nodes.

  • Advanced Detection Engine - SQLi: The Advanced Detection Engine - SQLi node applies heuristics to requests in order to detect SQL injection attacks or intrusion attempts.

See the Notes de version 6.3.0 documentation.

  • Advanced Detection Engine - Path Traversal: The Advanced Detection Engine - Path Traversal node applies heuristics to requests in order to detect attacks or intrusion attempts based on Path Traversal (also called Directory Traversal).

See the Notes de version 6.3.0 documentation.
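The Python script below is an added example, not DenyAll's engine code and not a description of the product's actual heuristics: it shows the shape of the problem both nodes address, namely normalising a request (iterated percent-decoding, backslash folding) before running weighted heuristics over it, and the evasions that slip through when decoding is skipped. The request samples, the patterns and their weights are constructed for the example.

```python
"""Request heuristics for SQL injection and path traversal detection.
Added example, not DenyAll's Advanced Detection Engine code: it shows the
normalise-then-score pipeline such an engine applies to each request, and why
decoding must happen before pattern matching.  Every request sample in this
file, and every weight, is constructed for the example."""
import re
from urllib.parse import unquote


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (defeats double encoding
    such as %252e%252e), then fold backslashes to slashes and lower-case."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()


def is_path_traversal(raw: str) -> bool:
    """True when the decoded path (or parameter value) climbs above its root
    by resolving '.' and '..' segments, or carries a NUL truncation byte."""
    path = normalize(raw)
    if "\x00" in path:
        return True
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:            # escaped the root, e.g. /a/../../x
                return True
        else:
            depth += 1
    return False


# (weight, pattern) pairs evaluated on the normalised value.  The weights are
# example values chosen so that a lone comment marker is not enough to block.
SQLI_HEURISTICS = [
    (3, re.compile(r"[\x27\x22]\s*(?:or|and)\s+[\x27\x22\w]+\s*(?:=|like)\s*[\x27\x22\w]+")),  # ' or '1'='1
    (3, re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),                          # union select
    (3, re.compile(r";\s*(?:drop|delete|insert|update|exec|shutdown)\b")),        # stacked query
    (2, re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")),  # time-based
    (1, re.compile(r"--|#|/\*")),                                                 # comment marker
]


def sqli_score(value: str) -> int:
    """Sum of the weights of every heuristic that fires on the decoded value."""
    decoded = normalize(value)
    return sum(weight for weight, pattern in SQLI_HEURISTICS if pattern.search(decoded))


def is_sqli(value: str, threshold: int = 3) -> bool:
    return sqli_score(value) >= threshold


def inspect_request(path: str, params: dict) -> list:
    """Run both heuristics over one request; returns (location, engine) findings."""
    findings = []
    if is_path_traversal(path):
        findings.append(("path", "path_traversal"))
    for name, value in params.items():
        if is_path_traversal(value):     # e.g. file=../../etc/passwd
            findings.append((name, "path_traversal"))
        if is_sqli(value):
            findings.append((name, "sqli"))
    return findings


if __name__ == "__main__":
    # Constructed requests: a double-encoded traversal and a tautology injection.
    print(inspect_request("/download", {"file": "%252e%252e/%252e%252e/etc/passwd"}))
    print(inspect_request("/login", {"user": "admin", "pwd": "%27%20OR%20%271%27%3D%271"}))
```

The point to take from the example is the order of operations: `%252e%252e` and `..%5c..%5c` only look like traversal after repeated decoding and backslash folding, and a comment marker such as `--` in a legitimate company name scores too low to block on its own.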

Parameters support in Sitemap

The Sitemap introduced in v6.2 of DenyAll Web Application Firewall has been greatly improved in version 6.3. It is now possible to define parameters on the paths of a Sitemap to match the HTTP parameters present in the query string and in posted data. Support for dynamic parts has also been introduced in the Sitemap to cover different resources with a small number of paths. Import of Swagger files containing parameters is also covered by this improvement.

See the Notes de version 6.3.0 documentation for a complete description of parameters and dynamic paths.
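As an added example (not DenyAll's Sitemap implementation, file format or Swagger importer), the Python code below builds a small positive-security sitemap from a constructed Swagger 2.0 fragment: dynamic parts such as `{id}` become typed path segments, query and formData parameters are typed, required or repeatable, and every occurrence of a repeated query-string parameter is validated, which is the case listed as known issue DA-6206 for the 6.3 Sitemap validation node. The class and function names, the parameter types and the sample requests are the example's own.

```python
"""Sitemap-style positive validation with dynamic path parts and typed params.
Added example, not DenyAll's Sitemap code or file format.  All sample data
(the Swagger fragment, the requests) is constructed for the example."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter types an entry may declare; each must match the whole value.
PARAM_TYPES = {
    "integer": r"[0-9]{1,10}",
    "string": r"[\w .\-]{1,64}",
}


class SitemapEntry:
    """Method + path template ('/api/users/{id}'; {id} is a dynamic part) plus
    params {name: (type, required, repeatable)} for query/body values."""

    def __init__(self, method, template, params, path_types=None):
        self.method = method.upper()
        self.params = params
        path_types = path_types or {}
        pattern = "^"
        for piece in re.split(r"(\{\w+\})", template):
            if piece.startswith("{"):            # dynamic part -> typed group
                name = piece[1:-1]
                pattern += "(?P<%s>%s)" % (name, PARAM_TYPES[path_types.get(name, "string")])
            else:                                # literal part -> escaped
                pattern += re.escape(piece)
        self.path_re = re.compile(pattern + "$")

    def matches(self, method, path):
        return method.upper() == self.method and self.path_re.match(path) is not None

    def validate_params(self, pairs):
        """pairs: (name, value) in request order, so every occurrence of a
        repeated name is checked.  Returns violations; empty means accepted."""
        errors, seen = [], {}
        for name, value in pairs:
            spec = self.params.get(name)
            if spec is None:
                errors.append("unknown parameter %r" % name)
                continue
            ptype, _required, repeatable = spec
            seen[name] = seen.get(name, 0) + 1
            if seen[name] == 2 and not repeatable:
                errors.append("parameter %r repeated" % name)
            if re.fullmatch(PARAM_TYPES[ptype], value) is None:
                errors.append("parameter %r does not match type %s" % (name, ptype))
        for name, (_ptype, required, _repeatable) in self.params.items():
            if required and name not in seen:
                errors.append("missing required parameter %r" % name)
        return errors


class Sitemap:
    def __init__(self, entries):
        self.entries = list(entries)

    def validate(self, method, url, body=""):
        parts = urlsplit(url)
        entry = next((e for e in self.entries if e.matches(method, parts.path)), None)
        if entry is None:
            return ["no sitemap path for %s %s" % (method.upper(), parts.path)]
        # keep_blank_values: 'flag=' still counts as an occurrence; repeats are kept
        pairs = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
        return entry.validate_params(pairs)

    @classmethod
    def from_swagger(cls, spec):
        """Entries from a Swagger 2.0 'paths' object (path/query/formData only;
        type 'array' with collectionFormat 'multi' means repeatable)."""
        entries = []
        for template, operations in spec["paths"].items():
            for method, operation in operations.items():
                params, path_types = {}, {}
                for p in operation.get("parameters", []):
                    ptype = p.get("type", "string")
                    if ptype == "array":
                        ptype = p.get("items", {}).get("type", "string")
                    if p["in"] == "path":
                        path_types[p["name"]] = ptype
                    elif p["in"] in ("query", "formData"):
                        params[p["name"]] = (ptype, p.get("required", False),
                                             p.get("type") == "array")
                entries.append(SitemapEntry(method, template, params, path_types))
        return cls(entries)


# Constructed Swagger 2.0 fragment standing in for an imported API description.
SWAGGER = {"swagger": "2.0", "paths": {
    "/api/users/{id}": {"get": {"parameters": [
        {"name": "id", "in": "path", "required": True, "type": "integer"},
        {"name": "fields", "in": "query", "type": "array",
         "items": {"type": "string"}, "collectionFormat": "multi"}]}},
    "/api/search": {"get": {"parameters": [
        {"name": "q", "in": "query", "required": True, "type": "string"},
        {"name": "page", "in": "query", "type": "integer"}]}},
}}

SITEMAP = Sitemap.from_swagger(SWAGGER)
```

`SITEMAP.validate("GET", "/api/users/42?fields=name&fields=email")` is accepted because `fields` was imported as repeatable, while `page=1&page=2` on `/api/search` is rejected as a repeated non-array parameter; a path such as `/api/users/42abc` does not match the typed dynamic part at all. Because `parse_qsl` returns every pair in order, repeated occurrences are validated individually instead of being collapsed into one value.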

New security events and exceptions management

Version 6.3 of DenyAll Web Application Firewall introduces a new type of log called security events. These events are created by the new security engines and displayed in the "Security Logs" panel of the "Alert & Reporting" menu. A security event contains detailed information about the blocked request and can be used to create an exception that resolves a false-positive block.

The new security events are handled through 2 new workflow nodes: "Log Security Alert" and "Create Security Alert". These 2 nodes are usually linked to the new exceptions management node, "Security Exception Management", which uses the information contained in security events to define exceptions for blocked requests.

See the Notes de version 6.3.0 documentation.

HTTP/2 support on incoming requests

Version 6.3 of DenyAll Web Application Firewall now supports version 2 of the HTTP protocol in tunnels using SSL. HTTP/2 is negotiated during the TLS handshake (ALPN), so it is only offered on SSL tunnels; clients of plain-HTTP tunnels keep using HTTP/1.1. For the moment, HTTP/2 is only supported for incoming requests and is not enabled for requests sent by DenyAll Web Application Firewall to backend servers, which continue to receive HTTP/1.x.

Minor enhancements

Components upgrade

  • OpenSSL to 1.0.2k
  • Apache to 2.4.25
  • KeepAlived to 1.2.24
  • Kernel to 3.10.0-514.10.2

Secondary tunnels

A new concept called "Secondary tunnel" has been added in version 6.3 of DenyAll Web Application Firewall. This new type of tunnel makes it quick to create duplicates of an existing tunnel on the different i-Boxes of a cluster. Secondary tunnels are created using a standard tunnel as a model and expose very limited configuration options. When the configuration of the standard tunnel is modified, all secondary tunnels created from it are modified accordingly. This feature is useful when an external front-end load balancer distributes traffic across the i-Boxes.

Administration interface (GUI) improvements

Many improvements have been added to the administration interface including a rework of the connectivity tools, an improved regular expression validator and better support of modified items in the apply wizard panel.

Bug fixes

Bug criticality indicators

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic.

Network

  • (warning) [DA-2218] MAC address not updated on network card replacement
  • (warning) [DA-3570] Number of devices not correctly updated in web GUI
  • (error) [DA-4754] Disable "internal routing" for management IPs
  • (error) [DA-6085] Network is not set up at boot if there is no space left on disk
  • (error) [DA-6409] Cannot set a default gateway via the TUI if there is not an already configured one

Workflow

  • (error) [DA-5609] SWF User Tracking - Score Computation gives credit to non-suspicious requests
  • (warning) [DA-4111] User Tracking brick cannot be used in an SWF

Tunnel

  • (error) [DA-5560] BWFSESSID cookies invalidated in forward proxy mode
  • (error) [DA-6098] Report by email always sends all attacks
  • (error) [DA-5225] Setting an Access Log Files log format will override the "combined" Log Format definition

XML and WSDL

  • (error) [DA-5411] Default XML files are missing on a fresh installed ISO

SNMP

  • (error) [DA-5935] SNMP MIB objects not accessible or inverted
  • (error) [DA-5733] SNMP Alerting destination monitoring is critical with no reason

Monitoring

  • (error) [DA-6051] bw process ntpd metric not working although ntpd is running
  • (warning) [DA-5549] Loss of NTP daemon after upgrade
  • (error) [DA-4074] CPU process metrics - gaps and too many decimals
  • (error) [DA-4425] Memory monitoring does not include children processes
  • (error) [DA-5956] Backend-monitor segfault in libcrypto
  • (error) [DA-5937] Trigger conditions : some comparators are not implemented
  • (error) [DA-5848] Metrics Configuration is not pushed on Managed appliances without apply
  • (error) [DA-6128] Monitoring daemon opens too many threads

SSL

  • (error) [DA-4681] Copying the default cipher list removes deprecated ciphers
  • (error) [DA-5895] SNI with trailing dot not recognized
  • (info) [DA-5959] Improve tooltips of SSL ciphers
  • (error) [DA-5243] SSL flag lost in URL Mapping after Export/Import CSV

System

  • (error) [DA-6284] Fix possible loss of syslogs
  • (error) [DA-5775] Tune ulimits for each component
  • (error) [DA-5713] NTP daemon does not start
  • (error) [DA-5571] On reboot, SSH is started even if it is disabled
  • (error) [DA-5239] Ramdisk Cache Clean bad behaviour

Administration interface (GUI)

  • (warning) [DA-4876] Awkward ergonomics on file download
  • (warning) [DA-5550] Apply "Unapply Items" - Status "unknown"
  • (warning) [DA-6125] Confirmation message at the end of TUI is no longer displayed
  • (error) [DA-5647] Audit log missing
  • (error) [DA-5155] No warning shown before removing an RSE
  • (info) [DA-3779] Purge RSE message is not clear enough
  • (info) [DA-5312] Filtering of labels in the "Applications" tab cannot be reset
  • (error) [DA-4950] Trim deletion affects SAX parser
  • (error) [DA-4920] Learning Logs - Result window is too large

Miscellaneous

  • (warning) [DA-5250] Backend response time higher than Total response time
  • (error) [DA-5683] Jetty xmx not launched with the right amount of RAM
  • (error) [DA-4343] Restore Box does not restore hosts entries

Known issues

  • [DA-3601] Security metrics remain empty for backup node of HA cluster
    Tunnel metrics for security events are never updated on backup node of High Availability cluster.
  • [DA-5307] Duplicate logs when using realtime alerting
    Security and WAM logs can be duplicated when using syslog realtime alerting while log alerting configurations are configured.
  • [DA-5753] dantpd is restarted on each NTP apply even without NTP configuration
  • [DA-6027] Static Content log errors even when content is delivered
    Tunnel error logs contain errors about static content even though the content is correctly sent to clients.
  • [DA-6027] Apply error when referenced parameters don't exist
    An error occurs at apply when a Sitemap uses a reference to an unknown Global parameter.
  • [DA-6206] Multiple occurrences of QS parameter not supported in Sitemap validation
    The Sitemap validation node cannot validate incoming requests containing multiple occurrences of the same query string parameter. This can prevent whitelists configured on our rWeb products from being migrated to DenyAll WAF 6.3.
  • [DA-6234] Custom Logs are not sent through Syslog
    Custom security logs produced by the Alert Log node are not sent to remote syslog servers.
  • [DA-6482] TUI - Blink function for ethernet interfaces is not working
    Blink function in the TUI doesn't flash hardware network card light.
  • [DA-6488] METRIC - power_status.value in RAID category
    Power status metrics are not in the correct category.

Removed feature

The following features from i-Suite version 5 are not available in this version and will not be reimplemented in a future version:

  • Focus tables (replaced by Sitemap)

  • ACE (a beta security engine designed for auto learning)

  • Bridge mode (allowing transparent setup of the box)

  • Network sniffer

Appendix

Installation and Upgrade

Configuration Backup

Before installing this version, back up any work that is in progress. Go to the Management > Backups panel, back up all the configurations, then download the backup file.

In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.

Installation procedure

Follow the steps hereunder to install this version of DenyAll WAF:

  1. Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/
  2. Install the product on your appliance or virtual machine. The installation is described in the Installing from ISO page
  3. Log into the DenyAll Text User Interface and set the role: Management or Managed (for more details see the Initialization of the Management and Managed mode page)
  4. Repeat stages 2 and 3 for each Managed appliance, if there are any
  5. Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page)
  6. If there are any, add Managed appliances to the cluster. Go to Setup > Boxes > Add
  7. Create a support request to DenyAll to retrieve the license. The serial number (Service Tag) of the appliance will be needed (it can be found in Setup > i-Boxes > Licenses: select a Box and click View). For more details, see the Obtaining and assigning a DenyAll WAF license page
  8. Upload the license(s) in the Setup > Boxes > Licenses panel
  9. Perform an apply of all configurations to verify that all Boxes are responding well
  10. If you have backups from 5.x or 6.x, you can restore them in the Management > Backups panel, then perform an apply (with Cold Restart selected) on all the configurations

Update procedure

The following steps describe how to update the product from a version 6.x earlier than the new version by using the RSE system.

System requirements: the cluster has to be running version 6.2.

API RSE

It is highly recommended to uninstall any API RSE up to version 1.0.0 before upgrading from DenyAll WAF 6.2 to DenyAll WAF 6.3. After completing the upgrade, the latest API RSE can be installed.

Installation duration

During the upgrade from version 6.2 to version 6.3, the existing data stored in Elasticsearch is moved to a new index. The duration of the upgrade can increase greatly if the amount of data in Elasticsearch is large.

  1. Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
  2. Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page)
  3. Go to the Management > Backups panel and back up all the configurations, then download the backup file. In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances
  4. Go to Management > System Updates and upload the RSE file
  5. Select the Management Box and click Install
     The Management Box must be updated first, before updating managed Boxes
  6. Read and confirm the readme
  7. The installation process will automatically restart the Box and the user will be disconnected from the administration interface
  8. Wait for the Box to restart
  9. Repeat stages 5, 6, 7 and 8 for each managed Box, if any
  10. Perform an Apply (with Cold Restart selected) on all the configurations

Elasticsearch data

The access logs and learning logs recorded in DenyAll Web Application Firewall 6.2 are not displayed in the administration interface of DenyAll Web Application Firewall 6.3 because some data types have been modified. Data recorded in version 6.2 is moved to different indexes, which are not supported by the Swing GUI but are still available in Elasticsearch.

Uninstall procedure

In order to roll back to version 6.2:

  1. Go to Management > System Updates
  2. Start by uninstalling managed Boxes. Select a managed Box and click Uninstall. The Box will reboot automatically
  3. Repeat stage 2 for all managed Boxes of the cluster
  4. Repeat stage 2 for the Management Box. The administration interface will be disconnected
  5. After the Management Box restarts, log into it with the 6.2 Administration Interface
  6. Perform an Apply (with Cold Restart selected) on all the configurations

In case of a virtualization environment, you can use snapshots to roll back to a previous version of DenyAll WAF 6.2.