This document details the changes introduced by the 6.5 LTS version of the R&S®Web Application Firewall. It replaces the previous i-Suite 5.5 LTS version.
This version is an LTS (Long Term Support) release.
Revision number: aa47ecd+b5834
Release date: May 28th, 2018
Reminder of the LTS/LVS concepts:
- Long term support (LTS): these releases are maintained and supported for at least 3 years. Bug fixes and security patches will be issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
- Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.
VLAN Tagging support
JSON Schema Validation Node
Sitemap enhancements: Body Location, JSON Schema validation, Security Events
Security Events Replay
VLAN Tagged Interface support
From the Network Device panel, it is now possible to assign a VLAN Tag to an interface.
See VLAN documentation for further details.
- The VLAN Priority is set to Default (0) - Best Effort
- Please note that VLAN Tagging and Interface Bonding are mutually exclusive.
The Multi-user option allows multiple user accounts to access the Management Console with write privileges, as opposed to prior versions, where the permissions of additional users were read-only.
This feature is designed especially for organizations whose teams only need access to their own objects and therefore have very few interactions with shared resources that could affect other production teams.
That's why Multi-user is turned off by default and can be activated in the Setup > Boxes > Global settings > Gui Authentication menu.
When multiple users are connected, a list of active users with their originating IP address, role and log time can be retrieved by clicking on the User button.
- A smart lock mechanism has been implemented to prevent the use of wrong versions of resources during critical operations like Snapshot, Backup, Restoration, Security Updates or Configuration Apply. During these operations, users cannot apply changes and an error message is displayed.
- When multiple users modify the same object, a conflict screen pops up, allowing them to either force or reload the changes.
JSON Schema Validation node
This release introduces a new Workflow node able to validate a JSON document against a schema, allowing you to control and enforce the document format when communicating in JSON. This node makes use of the newly introduced JSON Bundles.
See JSON Schema Validation documentation for further details.
- Current supported version of JSON Schema is draft-04
- Requires WSF license
The powerful Sitemap feature allows fine-grained whitelisting and control over the structure of your websites or web services, and now benefits from 3 important improvements:
- Support of the 'body' location keyword as per Swagger 2.0 Specification
- Support of JSON Schema Validation as per Swagger 2.0 Specification
- Raise Security Events whenever a request is illegitimate
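The following is an added illustration, not code from the product: it shows the kind of check that a Swagger 2.0 'body' parameter with a JSON Schema draft-04 schema expresses, which is what the JSON Schema Validation node and the Sitemap improvements above enforce. The Swagger fragment, its path and its property names are constructed assumptions, and the validator handles only a subset of draft-04 keywords.

```python
# Added example: constructed Swagger 2.0 fragment and a draft-04 subset validator.
# The path, parameter and property names are illustrative assumptions.
SPEC = {
    "swagger": "2.0",
    "paths": {"/transfer": {"post": {"parameters": [{
        "name": "payload", "in": "body", "required": True,
        "schema": {
            "type": "object",
            "required": ["account", "amount"],      # draft-04: array of names
            "additionalProperties": False,          # whitelist: nothing extra
            "properties": {
                "account": {"type": "string", "maxLength": 34},
                # draft-04: exclusiveMinimum is a boolean modifier of minimum
                "amount": {"type": "number", "minimum": 0,
                           "exclusiveMinimum": True},
                "currency": {"type": "string", "enum": ["EUR", "USD"]},
            },
        },
    }]}}},
}

TYPES = {"object": dict, "array": list, "string": str, "boolean": bool,
         "number": (int, float), "integer": int, "null": type(None)}

def validate(value, schema, path="$"):
    """Return the list of violations for the draft-04 keywords handled here."""
    kind = schema.get("type")
    if kind:
        ok = isinstance(value, TYPES[kind])
        # bool is a subclass of int in Python but a distinct JSON type
        if kind in ("number", "integer") and isinstance(value, bool):
            ok = False
        if not ok:
            return [f"{path}: expected {kind}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: value not in enum")
    if isinstance(value, str) and len(value) > schema.get("maxLength", len(value)):
        errors.append(f"{path}: longer than {schema['maxLength']}")
    is_num = isinstance(value, (int, float)) and not isinstance(value, bool)
    if is_num and "minimum" in schema:
        low, strict = schema["minimum"], schema.get("exclusiveMinimum", False)
        if value < low or (strict and value == low):
            errors.append(f"{path}: must be {'>' if strict else '>='} {low}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        errors += [f"{path}.{n}: required" for n in schema.get("required", [])
                   if n not in value]
        for name, item in value.items():
            if name in props:
                errors += validate(item, props[name], f"{path}.{name}")
            elif schema.get("additionalProperties") is False:
                errors.append(f"{path}.{name}: unexpected property")
    return errors

def check_body(spec, path, method, body):
    """Validate a parsed JSON body against the operation's 'in: body' parameter."""
    params = spec["paths"][path][method].get("parameters", [])
    param = next((p for p in params if p.get("in") == "body"), None)
    if param is None:
        return []
    if body is None:
        return ["$: body required"] if param.get("required") else []
    return validate(body, param["schema"])
```

Calling `check_body(SPEC, "/transfer", "post", body)` with a parsed request body returns an empty list for a conforming document and one message per violation otherwise; each message is the kind of finding that would be raised as a security event.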
This release introduces a refurbished Replay mechanism that takes advantage of the Security alerts format newly introduced in this major version. This feature can now 'replay' existing logs against a testing policy, for all existing Security Engines and even for custom-made alerts. Verifying that a false positive has been resolved can be done at a glance.
Auto-Snapshot before critical operations
Before executing important operations such as restoring a backup or applying a new policy, the system automatically takes a snapshot of your current settings, allowing you to revert effortlessly if needed.
See Snapshots documentation for further details.
An XML bundle is a logical set of XML files that can be used in the XML features of a workflow, such as the XML Schema Validation node.
In practice, different versions of an XML schema are not always distinguished by namespacing, leading to conflicts and complexity when the number of documents increases. This is the reason why we introduced the concept of bundle: to logically separate files even if they share the same properties.
While upgrading to 6.5.0 or while restoring a backup from a previous version, the product will create a default bundle to hold all previous XML files.
A JSON bundle is a logical set of JSON schemas that can be used in the JSON features of a workflow, such as the JSON Schema Validation node.
In practice, different versions of a JSON schema are not always distinguished by namespacing, leading to conflicts and complexity when the number of documents increases. This is the reason why we introduced the concept of bundle: to logically separate files even if they share the same properties.
See JSON Bundles documentation for further details.
Certificate download items selection
When downloading a certificate package, it is now possible to exclude sensitive items such as private keys.
Add an SSL certificate in Setup > SSL > Certificates > Add (certificate), then click on Utils > Download.
In this version, the API service is bundled and activated by default during the installation process. It is no longer necessary to install an additional package (RSE).
See WAF API documentation for further details.
Installed API version is 1.5.
Security Logs enhancement
The Security Logs view and format have been improved to provide a more complete and comprehensive set of information (HTTP requests, business context, security events). All this information is provided in a standard JSON format and can easily be exported to an external SIEM, for example. The new format is described on this page: JSON Logs format.
WAM Logs enhancement
The WAM Logs view and format have been improved to provide a more complete and comprehensive set of information (HTTP requests, business and WAM context). All this information is provided in a standard JSON format and can easily be exported to an external SIEM, for example. The new format is described on this page: JSON Logs format.
Bug criticality indicators: Serious, Moderate or with workaround, Low or cosmetic.
- Spectre and Meltdown vulnerabilities on Intel processors
- Runtime cleaner remove used directory
- Invalid serial number on server Dell R640 (4400)
- Configuration of Internal database PostgreSQL sometimes fails on ISO install
- Issue on password management for certificates
- Problem with apply of RP after RSE uninstallation
- Remote command execution when typing SSL certificate password
- WAF API update failed
- When /var is full: log file rotates each 10min and are empty
- TUI password is reset after upgrade
- VRRP instance in fault when using VIP on a bonding device
- Apply error when gateway ip is on the wrong network/interface
- Eth2 becomes alias of Eth0 when adding IP on Dell R230 interfaces
- Add new device duplicate last device uid
- IPv6 restoration from a full backup doesn't work
- Bonding on administration interface fail
- Priority is not checked when applying tunnels
- Reverse proxy without tunnel ignores the apply
- "No tunnel in this reverse proxy" is returned if tunnel's configuration is invalid
- Do not allow Apache to start if some tunnel have same ip:port
- Apply a disabled RP return an empty apply
- keepAlive parameter in RP profiles can take other values than a boolean
- Missing realtime alerting attributes WAM and security in tunnels
- Chain file is not checked during the upload of a new certificate
- Can not generate CSR certificate
- SSL Certificate organizational field is mandatory
- Default SSL cipher profiles are not listed in current configuration for restoration
- Security metrics remain empty for backup node of HA cluster
- Invalid rights with certificate after backup restore or pkcs12
- Restore a (XML)Keystores backup v5 to v6 fails
- Upload rWeb backup not working due to specific filename
- Unable to modify a WAM credential repository configured with asymmetric encryption
- Change some password field type in WAM
- WAM category in Logs Management doesn't use Log Rotation Profile
- Failure on NTLMv2 if password contains special chars
- NTLMv2 Authentication is doing NTLMv1
- Authorizations seems to be broken after WAM apply
- Unable to use multiline in "Custom" Log Alert node
- Parts in Adv. Detection Engine - XSS are malformed
- Error code 500 sent by the WAF when using the Command injection security engine
- Commands not properly blocked by the Command Injection engine
- Security exceptions are not valid after a "save as" of an ICX configuration
- Ramdisk size metric is not updated
- Without VRRP configuration, keepalived is not started and metric is red
- Backend load balancer metrics are not correctly referenced in web monitoring interface
- Disabling a tunnel does not change its metrics to N/A
- Some default metric not found
- SNMPD daemon failed to start due to systemd timeout
Administration interface (GUI)
- Timeout when downloading large files from the GUI
- Stacktrace when using '*' filter in Realtime log viewer
- Missing mandatory apply flags in apply wizards after uninstalling RSE
- GUI not disconnected on force managed
- Timeout value in loadbalancer profile can not be '0'
- Status on HA-AA is inconsistent when a tunnel is disabled
- Filter on Log Management does not work
- "Redirect clear http traffic" doesn't check if port is already used on an other reverse proxy
- Filtering security logs from tunnels with HA-AA is not possible anymore
- Lost static Content bundle selection when uploading an item
- Proxy check peer CN and expire depend on CA certificates
- Invalid 'Save' management button when creating Security Exception on Default Security Policy from Custom Resolve
- A default workflow remains in non-registered status
- GUI windows freeze when try to validate corrupted xml file
- Decision node: new lines are added at the bottom of the list
- High Availability Panel: lost Selection on Refresh
- Wrong file name when exporting logs to excel
- Refreshing metric list move the scroll bar
- SSL Cipher multi selection
Web monitoring interface
- Timezone issue on web monitoring
- Special characters in password are not supported in the web monitoring interface
- Internal syslog catch access logs from tunnel even if realtime syslog are not enabled
- Realtime log viewer still returns "Value not authorized."
- No event logs sent by syslog
- Scheduled task export log file fail because of directory mismatch
- Scheduled task export log file doesn't work because of special char in tunnel name
- Export and purge database logs task doesn't work with email destination
- Logs Realtime view: the 'At date' feature is not working into error file
- MM Proxies do not start
- [DA-3601] Security metrics remain empty for backup node of HA cluster
Tunnel metrics for security events are never updated on backup node of High Availability cluster.
- [DA-9296] Loss of security logs in Elasticsearch on high load
Under very high load, a few security logs can be lost when most of the requests are blocked by security engines.
- [DA-7070] Webroot fail to update when no route found
The update can fail if no route is found to reach the website from which the IP database is downloaded.
- [DA-8774] Time to update the GUI after RSE install/uninstall on managed
After the end of the RSE installation, it is recommended to wait a few minutes for the managed Box to reboot before using the cluster again.
- [DA-8998] XML Signature Verification fails if certificate is not on top
- [DA-8992] XML Decrypt fails depending the order of keys
- [DA-5594] TUI not allowing ip management modification if IP is on an alias
- [DA-9257] Issue when creating a tunnel with application template
- [DA-9235] Start attribute of the content-Type Multipart/Related can be optional
- [DA-9335] Logs are purged even if sending mail fail for action "export and purge database logs"
- [DA-9337] Workflow restoration incomplete without error
- [DA-8028] Console serial port not working anymore in 6.3
- [DA-9378] TUI change administration IP failed
- [DA-8033] Backup restore issue when backuped box have another role in current cluster
- [DA-8241] Ciphers list not fit with the selected protocol
- [DA-6877] ICAP brick : add headers
- [DA-7899] Workflow revalidation issue with invalid subworkflows
- [DA-9228] Syslog ICX Engine missing "Accept" rule messages
- [DA-8692] Unable to change WAM password of a "must reset password's" user and option "use user account ..."
- [DA-8916] Tunnel port specification into ServerName and/or ServerAlias
- [DA-8236] Secondary tunnels names are different between Kibana and GUI: special characters are removed or replaced
Some special characters, such as #, in the names of secondary tunnels are replaced by '_' (underscore) in Kibana panels.
- [DA-8106] Workflow session cache dependencies are missing in backup
Some dependencies are missing in backups created with version 5.5.x, which causes problems at restoration in version 6.5.
- [DA-7083] BWSESSID cookie allows extra characters at the end of the value
Characters can be added at the end of the value of the BWSESSID cookie without breaking the corresponding session.
- [DA-8357] Password policy check displays an error when changing TUI password
- [DA-7459] No information given when a Reverse Proxy fail to start due to certificates
- [DA-8750] GUI XLS export default name containing illegal characters on windows
- [DA-8759] Read Blacklist and Scoringlist rules in GUI
- [DA-8962] REST API: swagger file and sitemap updates
- [DA-9534] Apply error on imported / migrated alerting destinations
Restoring Alerting destinations from i-Suite 5.5.x backups generates an error at Apply. The problem can be fixed by editing and saving the alerting destinations configuration in the GUI before applying.
The following features from i-Suite version 5 are not available, and there is currently no plan to re-implement them in a future version:
- Focus tables (replaced by Sitemap)
- ACE (a beta security engine designed for auto learning)
- Bridge mode (allowing transparent setup of the box)
Installation and Upgrade
Notes before update
Migrating to R&S®Web Application Firewall
If you have chosen to migrate from i-Suite 5.5 or rWeb to R&S®Web Application Firewall 6.5, we invite you to read the Migration to Rohde & Schwarz WAF section, especially the Behavior change part that can require manual modification.
Custom dashboards, visualization and searches in Kibana have to be exported before the upgrade. As we improve dashboards and visualizations through versions, the entire Kibana configuration is erased by the new version after the upgrade.
Configuration can be exported in the Management > Saved Objects menu. Exported configurations can be restored after the upgrade. For more details see Logs visualization with Kibana.
Before installing this version, backup any work that is in progress. Go to Management > Backups panel and backup all the configurations then download the backup file.
In a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.
Important notice to read before upgrading
This update will update security patterns for ICX. Default ICX configurations will be updated but user ICX configurations will not be modified, they need to be manually updated (see Security Updates).
Customers upgrading from version 6.3 or 6.4 who want to keep their security logs can use the log migration assistant documented on the following page: Security logs migration from 6.3 or 6.4 version to 6.5.
Beware: ICX logs from version 6.3 and Learning/WAM logs from versions 6.3/6.4 will not be migrated due to major changes. In version 6.4, the ICX Engine, Learning and WAM nodes have been updated to use the new log system with events (see new log format).
- Licensing changes:
- Customers migrating from i-Suite version 5 or rWeb are required to contact their Support Center in order to upgrade the license file.
- As a reminder, a new licensing model is now available and is bound by CPU / RAM limits. Please contact your sales representative for further information.
- All JSON and XML features now require a WSF license, with a few exceptions such as the JSON to Table node.
- Encryption of x509 private keys on disk is now handled by OpenSSL. Unfortunately, previously encrypted keys won't be supported by OpenSSL and will need to be re-uploaded after migrating to version 6.5.
For new users, we recommend reading our Get started guide to install the product.
1. Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/
2. Install the product on an appliance, virtual machine or in a cloud provider. The installation is described in the Installing from ISO page
3. Log into the TUI (Text User Interface) and set the role: Management or Managed (for more details see the Initializing the Management and Managed mode page)
4. Repeat stages 2 and 3 for each Managed appliance, if there are any
5. Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page)
6. If there are any, add Managed appliances to the cluster. Go to Setup > Boxes > Add
7. Create a request on https://my.denyall.com/ to retrieve the license. The serial number (Service Tag) of the appliance will be needed (it can be found in Setup > Boxes > Licenses, select a Box and click View). For more details, see the Request and assign a WAF license page
8. Upload license(s) in the Setup > Boxes > Licenses panel
9. Perform an apply of all configurations to verify that all Boxes are responding well
If you have any backups from 5.x or 6.x, you can restore them in the Management > Backups panel.
Then perform an apply (with Cold Restart selected) on all the configurations.
System requirements: the cluster has to be in version 6.3 or 6.4.
Warning: an interruption of service will occur. The selected Box will reboot.
It is no longer necessary to create a manual snapshot of the cluster configuration before upgrading to the 6.5 version. This snapshot is automatically created by the Management Console before the upgrade.
1. Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
   - for those upgrading from 6.4.x, use the file: RS_Web_Application_Firewall-6.5.0-20180525-release-v6-5-0-aa47ecd+b5834-6.4_to_6.5.rse
   - for those upgrading from 6.3, use the file: RS_Web_Application_Firewall-6.5.0-20180525-release-v6-5-0-aa47ecd+b5834-6.3_to_6.5.rse
2. Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page)
3. Go to Management > Backups panel and backup all the configurations then download the backup file. In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances
4. Optional. Go to Management > Snapshots and add a manual snapshot corresponding to the current cluster configuration then download the snapshot file
5. Go to Management > System Updates and upload the RSE file
6. Select the Management Box and click Install
   The Management Box must be updated first, before updating Managed Boxes
7. Read and confirm the readme
   The installation process will automatically restart the Box and the user will be disconnected from the administration interface
8. Wait for the Box to restart
9. Repeat stages 5, 6, 7 and 8 for each managed Box, if any
10. Perform an Apply (with Cold Restart selected) on all the configurations
Warning: an interruption of service will occur. The selected Box will reboot.
It is mandatory to restore a snapshot after uninstalling an RSE to remove all incompatible configurations that may persist in your environment.
1. Go to Management > System Updates
2. Start by uninstalling managed Boxes. Select a managed Box and click Uninstall. The Box will reboot automatically
3. Repeat stage 2 for all managed Boxes of the cluster
4. Repeat stage 2 for the Management Box. The uninstall process will automatically restart the Box and the user will be disconnected from the administration interface
5. Wait for the Box to restart then log into the Management Box with the administration interface corresponding to the version
6. Restore the latest snapshot or backup corresponding to the version
7. Perform an Apply (with Cold Restart selected) on all the configurations
You can also restore previous snapshots in case of a virtualization environment.