This document details the changes introduced by the 6.5 LTS version of the R&S®Web Application Firewall. It replaces the previous i-Suite 5.5 LTS version.

This version is an LTS (Long Term Support) release.

Revision number: aa47ecd+b5834

Release date: May 28th, 2018

Reminder of the LTS/LVS concepts:

  • Long term support (LTS): these releases are maintained and supported for at least 3 years. Bug fixes and security patches will be issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
  • Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.

Main changes

Major enhancements

  • VLAN Tagging support

  • Multi-admin support

  • JSON Schema Validation Node

  • Sitemap enhancements: Body Location, JSON Schema validation, Security Events

  • Security Events Replay

VLAN Tagged Interface support

From the Network Device panel, it is now possible to assign a VLAN Tag to an interface.

See VLAN documentation for further details.

  1. The VLAN Priority is set to Default (0) - Best Effort
  2. Please note that VLAN Tagging and Interface Bonding are mutually exclusive.

Multi-user support

The Multi-user option allows multiple user accounts to access the Management Console with write privileges, whereas in prior versions additional users' permissions were read-only.
This feature is designed especially for organizations whose teams only need access to their own objects, and thus have very few interactions with shared resources that could affect other production teams.

That's why Multi-user is turned off by default and can be activated in the Setup > Boxes > Global settings > Gui Authentication menu.

When multiple users are connected, a list of active users with their originating IP address, role and log time can be retrieved by clicking on the User button.

  1. A smart lock mechanism has been implemented to prevent the use of wrong versions of resources during critical operations like Snapshot, Backup, Restoration, Security Updates or Configuration Apply. During these operations, users cannot apply changes and an error message is displayed.
  2. When multiple users modify the same object, a conflict screen pops up, allowing them to either force or reload the changes.

JSON Schema Validation node

This release introduces a new Workflow node able to validate a JSON document against a schema, allowing you to control and enforce the document format when communicating in JSON. This node makes use of the newly introduced JSON Bundles.

See JSON Schema Validation documentation for further details.

  1. Current supported version of JSON Schema is draft-04
  2. Requires WSF license
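
As an added illustration of schema enforcement on request bodies (this is not the product's implementation or vendor code), the following Python code validates JSON bodies against a constructed schema using a subset of draft-04 keywords. The schema, field names and sample bodies are assumptions made for the example; note the draft-04 form of exclusiveMinimum, a boolean that modifies minimum, which later drafts replaced with a number.

```python
# Added example: validator for a subset of JSON Schema draft-04 keywords.
# Not the WAF's implementation; the schema and request bodies are constructed.
import json

TYPES = {"object": dict, "array": list, "string": str,
         "boolean": bool, "null": type(None)}

def type_ok(value, name):
    # bool is a subclass of int in Python, so exclude it from the numeric types.
    if name in ("integer", "number"):
        kinds = int if name == "integer" else (int, float)
        return isinstance(value, kinds) and not isinstance(value, bool)
    return isinstance(value, TYPES[name])

def validate(value, schema, path="$"):
    """Return a list of violations; an empty list means the value conforms."""
    t = schema.get("type")  # subset: single type name only, no type arrays
    if t is not None and not type_ok(value, t):
        return [f"{path}: expected {t}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: not in enum")
    if isinstance(value, str) and len(value) > schema.get("maxLength", len(value)):
        errors.append(f"{path}: longer than maxLength")
    if type_ok(value, "number") and "minimum" in schema:
        # draft-04: exclusiveMinimum is a boolean that modifies "minimum".
        low, excl = schema["minimum"], schema.get("exclusiveMinimum", False)
        if value < low or (excl and value == low):
            errors.append(f"{path}: below minimum")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}: missing required '{name}'")
        for name, item in value.items():
            if name in props:
                errors += validate(item, props[name], f"{path}.{name}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unexpected property '{name}'")
    if isinstance(value, list) and isinstance(schema.get("items"), dict):
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors

# Constructed schema for a hypothetical "order" request body.
ORDER_SCHEMA = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "type": "object",
    "required": ["sku", "quantity"],
    "additionalProperties": False,
    "properties": {
        "sku": {"type": "string", "maxLength": 16},
        "quantity": {"type": "integer", "minimum": 0, "exclusiveMinimum": True},
        "tags": {"type": "array", "items": {"type": "string", "maxLength": 8}},
    },
}

def check(body):
    """Parse a raw request body and validate it against ORDER_SCHEMA."""
    try:
        return validate(json.loads(body), ORDER_SCHEMA)
    except ValueError as exc:
        return [f"$: not valid JSON ({exc})"]

if __name__ == "__main__":
    for body in ('{"sku": "A-100", "quantity": 2, "tags": ["gift"]}',
                 '{"sku": "A-100", "quantity": 2, "role": "admin"}',
                 '{"sku": {"x": 1}, "quantity": 0}'):
        print(body, "->", check(body) or "valid")
```

Setting additionalProperties to false is what turns the schema into a whitelist: without it, undeclared fields pass validation untouched.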

Sitemap improvements

The powerful Sitemap feature allows a fine-grained whitelisting and control over the structure of your websites or web-services and now benefits from 3 important improvements:

  • Support of the 'body' location keyword as per Swagger 2.0 Specification
  • Support of JSON Schema Validation as per Swagger 2.0 Specification
  • Raise Security Events whenever a request is illegitimate

Replay alerts

This release introduces a refurbished Replay mechanism that takes advantage of the Security alerts format newly introduced in this major version. This feature is now able to 'replay' existing logs against a testing policy, for all existing Security Engines and even for custom-made alerts. Verifying false positive resolution can be achieved at a glance.

See Replay Alerts documentation for further details.

Minor enhancements

Auto-Snapshot before critical operations 

Before executing some important operations like restoring a backup or applying a new policy, the system will automatically take a snapshot of your current settings, allowing you to revert effortlessly if needed.

See Snapshots documentation for further details.

XML Bundles

An XML bundle is a logical set of XML files that can be used in XML features of workflow such as XML Schema Validation node.

In practice, different versions of an XML schema are not always distinguished by namespacing, leading to conflicts and complexity when the number of documents increases. This is the reason why we introduced the concept of bundle, to logically separate files even if they share the same properties.

See XML Bundles documentation for further details.

While upgrading to 6.5.0 or while restoring a backup from a previous version, the product will create a default bundle to hold all previous XML files.

JSON Bundles

A JSON bundle is a logical set of JSON schemas that can be used in JSON features of workflow such as JSON Schema Validation node.

In practice, different versions of a JSON schema are not always distinguished by namespacing, leading to conflicts and complexity when the number of documents increases. This is the reason why we introduced the concept of bundle, to logically separate files even if they share the same properties.

See JSON Bundles documentation for further details.

Certificate download items selection

When downloading a certificate package, it is now possible to exclude sensitive items such as private keys.

Add an SSL certificate in Setup > SSL > Certificates > Add (certificate), then click on Utils > Download.

API Availability

In this version, the API service is bundled and activated by default during the installation process. It is no longer required to install an additional package (RSE).

See WAF API documentation for further details.

Installed API version is 1.5.

Security Logs enhancement

The Security Logs view and format have been improved to provide a more complete and comprehensive set of information (HTTP requests, business context, security events). All this information is provided in a standard JSON format and can easily be exported into an external SIEM, for example. The new format is described on this page: JSON Logs format.

WAM Logs enhancement

The WAM Logs view and format have been improved to provide a more complete and comprehensive set of information (HTTP requests, business and WAM context). All this information is provided in a standard JSON format and can easily be exported into an external SIEM, for example. The new format is described on this page: JSON Logs format.

Bug fixes

Bug criticality indicators:

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic.

Security

  • (error) [DA-8609] Spectre and Meltdown vulnerabilities on Intel processors

System

  • (error) [DA-8242] Runtime cleaner remove used directory
  • (error) [DA-8250] Invalid serial number on server Dell R640 (4400)
  • (error) [DA-9353] Configuration of Internal database PostgreSQL sometimes fails on ISO install
  • (error) [DA-5908] Issue on password management for certificates
  • (error) [DA-7620] Problem with apply of RP after RSE uninstallation
  • (error) [DA-7640] Remote command execution when typing SSL certificate password
  • (error) [DA-9025] WAF API update failed
  • (warning) [DA-4930] When /var is full: log file rotates each 10min and are empty
  • (warning) [DA-8424] TUI password is reset after upgrade

Network

  • (error) [DA-8983] VRRP instance in fault when using VIP on a bonding device
  • (error) [DA-7431] Apply error when gateway ip is on the wrong network/interface
  • (error) [DA-7522] Eth2 becomes alias of Eth0 when adding IP on Dell R230 interfaces
  • (error) [DA-7839] Add new device duplicate last device uid
  • (error) [DA-9357] IPv6 restoration from a full backup doesn't work
  • (error) [DA-8417] Bonding on administration interface fail

RP/Tunnel

  • (error) [DA-8154] Priority is not checked when applying tunnels
  • (error) [DA-7514] Reverse proxy without tunnel ignores the apply
  • (error) [DA-7462] "No tunnel in this reverse proxy" is returned if tunnel's configuration is invalid
  • (warning) [DA-1359] Do not allow Apache to start if some tunnel have same ip:port
  • (info) [DA-7108] Apply a disabled RP return an empty apply

API

  • (error) [DA-9160] keepAlive parameter in RP profiles can take other values than a boolean
  • (error) [DA-9156] Missing realtime alerting attributes WAM and security in tunnels

SSL

  • (error) [DA-8228] Chain file is not checked during the upload of a new certificate
  • (error) [DA-8448] Can not generate CSR certificate
  • (warning) [DA-8383] SSL Certificate organizational field is mandatory

Backup/Restore

  • (error) [DA-8788] Default SSL cipher profiles are not listed in current configuration for restoration
  • (error) [DA-3601] Security metrics remain empty for backup node of HA cluster
  • (error) [DA-8345] Invalid rights with certificate after backup restore or pkcs12
  • (error) [DA-8957] Restore a (XML)Keystores backup v5 to v6 fails
  • (warning) [DA-8164] Upload rWeb backup not working due to specific filename

WAM

  • (error) [DA-8369] Unable to modify a WAM credential repository configured with asymmetric encryption
  • (error) [DA-8370] Change some password field type in WAM
  • (error) [DA-4229] WAM category in Logs Management doesn't use Log Rotation Profile
  • (error) [DA-5694] Failure on NTLMv2 if password contains special chars
  • (error) [DA-7065] NTLMv2 Authentication is doing NTLMv1
  • (error) [DA-7122] Authorizations seems to be broken after WAM apply

Workflow

  • (error) [DA-7616] Unable to use multiline in "Custom" Log Alert node
  • (error) [DA-8192] Parts in Adv. Detection Engine - XSS are malformed
  • (error) [DA-8993] Error code 500 sent by the WAF when using the Command injection security engine 
  • (error) [DA-8429] Commands not properly blocked by the Command Injection engine
  • (warning) [DA-8744] Security exceptions are not valid after a "save as" of an ICX configuration

Monitor

  • (error) [DA-6055] Ramdisk size metric is not updated

  • (error) [DA-7364] Without VRRP configuration, keepalived is not started and metric is red
  • (error) [DA-7485] Backend load balancer metrics are not correctly referenced in web monitoring interface
  • (error) [DA-9031] Disabling a tunnel does not change its metrics to N/A
  • (warning) [DA-6525] Backend monitoring frequency setup is not working
  • (warning) [DA-7662] Some default metric not found

SNMP

  • (error) [DA-8313] SNMPD daemon failed to start due to systemd timeout

Administration interface (GUI)

  • (error) [DA-8234] Timeout when downloading large files from the GUI
  • (error) [DA-7902] Stacktrace when using '*' filter in Realtime log viewer
  • (error) [DA-7439] Missing mandatory apply flags in apply wizards after uninstalling RSE
  • (error) [DA-7801] GUI not disconnected on force managed
  • (error) [DA-8225] Timeout value in loadbalancer profile can not be '0'
  • (error) [DA-7285] Status on HA-AA is inconsistent when a tunnel is disabled
  • (warning) [DA-8155] Filter on Log Management does not work
  • (warning) [DA-7804] "Redirect clear http traffic" doesn't check if port is already used on an other reverse proxy
  • (warning) [DA-8050] Filtering security logs from tunnels with HA-AA is not possible anymore
  • (warning) [DA-7093] Lost static Content bundle selection when uploading an item
  • (warning) [DA-3336] Proxy check peer CN and expire depend on CA certificates
  • (warning) [DA-6345] Invalid 'Save' management button when creating Security Exception on Default Security Policy from Custom Resolve
  • (warning) [DA-8215] A default workflow remains in non-registered status
  • (warning) [DA-7076] GUI windows freeze when try to validate corrupted xml file
  • (info) [DA-6116] Decision node: new lines are added at the bottom of the list
  • (info) [DA-6985] High Availability Panel: lost Selection on Refresh
  • (info) [DA-5325] Wrong file name when exporting logs to excel
  • (info) [DA-4744] Refreshing metric list move the scroll bar
  • (info) [DA-6966] SSL Cipher multi selection

Web monitoring interface

  • (error) [DA-6233] Timezone issue on web monitoring
  • (warning) [DA-8091] Special characters in password are not supported in the web monitoring interface

Miscellaneous

  • (error) [DA-9317] Internal syslog catch access logs from tunnel even if realtime syslog are not enabled
  • (error) [DA-7906] Realtime log viewer still returns "Value not authorized."
  • (error) [DA-8977] No event logs sent by syslog
  • (error) [DA-9148] Scheduled task export log file fail because of directory mismatch
  • (error) [DA-9169] Scheduled task export log file doesn't work because of special char in tunnel name
  • (warning) [DA-7294] Export and purge database logs task doesn't work with email destination
  • (warning) [DA-7640] Logs Realtime view: the 'At date' feature is not working into error file
  • (warning) [DA-8105] MM Proxies do not start

Known issues

  • [DA-3601] Security metrics remain empty for backup node of HA cluster
    Tunnel metrics for security events are never updated on backup node of High Availability cluster.
  • [DA-9296] Loss of security logs in Elasticsearch on high load
    Under very high load, a few security logs can be lost when most of the requests are blocked by security engines
  • [DA-7070] Webroot fail to update when no route found
    The update can fail if no route is found to reach the website where the IP database is downloaded
  • [DA-8774] Time to update the GUI after RSE install/uninstall on managed
    After the end of the RSE installation, it is recommended to wait a few minutes for the managed Box to reboot before using the cluster again
  • [DA-8998] XML Signature Verification fails if certificate is not on top
  • [DA-8992] XML Decrypt fails depending the order of keys
  • [DA-5594] TUI not allowing ip management modification if IP is on an alias
  • [DA-9257] Issue when creating a tunnel with application template
  • [DA-9235] Start attribute of the content-Type Multipart/Related can be optional 
  • [DA-9335] Logs are purged even if sending mail fail for action "export and purge database logs"
  • [DA-9337] Workflow restoration incomplete without error
  • [DA-8028] Console serial port not working anymore in 6.3
  • [DA-9378] TUI change administration IP failed
  • [DA-8033] Backup restore issue when backuped box have another role in current cluster
  • [DA-8241] Ciphers list not fit with the selected protocol
  • [DA-6877] ICAP brick : add headers
  • [DA-7899] Workflow revalidation issue with invalid subworkflows
  • [DA-9228] Syslog ICX Engine missing "Accept" rule messages
  • [DA-8692] Unable to change WAM password of a "must reset password's" user and option "use user account ..."
  • [DA-8916] Tunnel port specification into ServerName and/or ServerAlias
  • [DA-8236] Secondary tunnels names are different between Kibana and GUI: special characters are removed or replaced
    Some special characters such as # in the name of secondary tunnels are replaced by '_' (underscore) in Kibana panels
  • [DA-8106] Workflow session cache dependencies are missing in backup
    Some dependencies are missing in backups created with version 5.5.x which cause problems at restoration in version 6.5
  • [DA-7083] BWSESSID cookie allows extra characters at the end of the value
    Characters can be added at the end of the value of BWSESSID cookie without breaking the corresponding session
  • [DA-8357] Password policy check displays an error when changing TUI password 

  • [DA-7459] No information given when a Reverse Proxy fail to start due to certificates
  • [DA-8750] GUI XLS export default name containing illegal characters on windows
  • [DA-8759] Read Blacklist and Scoringlist rules in GUI
  • [DA-8962] REST API: swagger file and sitemap updates
  • [DA-9534] Apply error on imported / migrated alerting destinations
    Restoring Alerting destinations from i-Suite 5.5.x backups generates an error at Apply. The problem can be fixed by editing and saving the alerting destinations configuration in the GUI before applying.

Removed feature

The following features from i-Suite version 5 won't be available and there is currently no plan to re-implement them in a future version:

  • Focus tables (replaced by Sitemap)

  • ACE (a beta security engine designed for auto learning)

  • Bridge mode (allowing transparent setup of the box)

  • Network sniffer

Appendix

Installation and Upgrade

Notes before update

Migrating to R&S®Web Application Firewall

If you have chosen to migrate from i-Suite 5.5 or rWeb to R&S®Web Application Firewall 6.5, we invite you to read the Migration to Rohde & Schwarz WAF section, especially the Behavior change part that can require manual modification.

Kibana customization

Custom dashboards, visualization and searches in Kibana have to be exported before the upgrade. As we improve dashboards and visualizations through versions, the entire Kibana configuration is erased by the new version after the upgrade.

Configuration can be exported in the Management > Saved Objects menu. Exported configurations can be restored after the upgrade. For more details see Logs visualization with Kibana.

Configuration Backup

Before installing this version, backup any work that is in progress. Go to Management > Backups panel and backup all the configurations then download the backup file.

In a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.

Important notice to read before upgrading

  • This update will update security patterns for ICX. Default ICX configurations will be updated but user ICX configurations will not be modified; they need to be manually updated (see Security Updates).
    Customers upgrading from version 6.3 or 6.4 and willing to keep their security logs can use the log migration assistant documented in the following page: Security logs migration from 6.3 or 6.4 version to 6.5.
    Beware, ICX logs from version 6.3 and Learning/WAM logs from versions 6.3/6.4 will not be migrated due to major changes. In version 6.4, the ICX Engine, Learning and WAM nodes have been updated to use the new log system with events (see new log format).
  • Licensing changes:
    • Customers migrating from i-Suite version 5 or rWeb are required to contact their Support Center in order to upgrade the license file
    • As a reminder, a new licensing model is now available and is bound by CPU / RAM limits. Please contact your sales representative for further information.
    • All JSON & XML features are now WSF licensed, with a few exceptions such as the JSON to Table Node.
  • Encryption of x509 private keys on disk is now handled by OpenSSL. Unfortunately, previously encrypted keys won't be supported by OpenSSL and will need to be re-uploaded after migrating to version 6.5

Installation procedure 

For new users, we recommend reading our Get started guide to install the product.

Follow the steps below to install this version of Rohde & Schwarz WAF:
  1. Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/ 
  2. Install the product on an appliance, virtual machine or in a cloud provider. The installation is described in the Installing from ISO page
  3. Log into the TUI (Text User Interface) and set the role: Management or Managed (for more details see the Initializing the Management and Managed mode page)
  4. Repeat stages 2 and 3 for each Managed appliance, if there are any
  5. Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page)
  6. If there are any, add Managed appliances to the cluster. Go to Setup > Boxes > Add
  7. Create request on https://my.denyall.com/ to retrieve the license. The serial number (Service Tag) of the appliance will be needed (It can be found in Setup > Boxes > Licenses, select a Box and click View). For more details, see the Request and assign a WAF license page
  8. Upload license(s) in the Setup > Boxes > Licenses panel
  9. Perform an apply of all configurations to verify that all Boxes are responding well
  10. If you have any backups from 5.x or 6.x, you can restore them in the Management > Backups panel
  11. Then perform an apply (with Cold Restart selected) on all the configurations

Update procedure 

The following steps describe how to update the product from a version 6.X (lower than the new version) by using the RSE system.

System requirements: The cluster has to be in version 6.3 or 6.4

Warning, an interruption of service will occur. The selected Box will reboot.

Automatic snapshot

It is no longer necessary to create a manual snapshot of the cluster configuration before upgrading to the 6.5 version. This snapshot is automatically created by the Management Console before the upgrade.

  1. Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
    1. for those upgrading from 6.4.x, use the file: RS_Web_Application_Firewall-6.5.0-20180525-release-v6-5-0-aa47ecd+b5834-6.4_to_6.5.rse
    2. for those upgrading from 6.3, use the file: RS_Web_Application_Firewall-6.5.0-20180525-release-v6-5-0-aa47ecd+b5834-6.3_to_6.5.rse
  2. Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page) 
  3. Go to Management > Backups panel and backup all the configurations then download the backup file. In a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances
  4. Optional. Go to Management > Snapshots and add a manual snapshot corresponding to the current cluster configuration then download the snapshot file 
  5. Go to Management > System Updates and upload the RSE file
  6. Select the Management Box and click Install
    The Management Box must be updated first, before updating Managed Boxes
  7. Read and confirm the readme
  8. The installation process will automatically restart the Box and the user will be disconnected from the administration interface
  9. Wait for the Box to restart
  10. Repeat stages 5, 6, 7 and 8 for each managed Box, if any
  11. Perform an Apply (with Cold Restart selected) on all the configurations

Uninstall procedure

In order to roll back to the previously installed version:

Warning, an interruption of service will occur. The selected Box will reboot.

Snapshot restore

It is mandatory to restore a snapshot after uninstalling an RSE to remove all incompatible configurations that may persist in your environment.

  1. Go to Management > System Updates
  2. Start by uninstalling managed Boxes. Select a managed Box and click Uninstall. The Box will reboot automatically
  3. Repeat stage 2 for all managed Boxes of the cluster
  4. Repeat stage 2 for the Management Box. The uninstall process will automatically restart the Box and the user will be disconnected from the administration interface
  5. Wait for the Box to restart then log into the Management Box with the administration interface corresponding to the version
  6. Restore the latest snapshot or backup corresponding to the version
  7. Perform an Apply (with Cold Restart selected) on all the configurations

You can also restore previous snapshots in case of a virtualization environment.