
This document details the changes introduced by the 6.5 LTS version of the R&S® Web Application Firewall.

This version is an LTS (Long Term Support) release.

Revision number: 430dd93+b7378

Release date: December 13th, 2018 

Reminder of the LTS/LVS concepts:

  • Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches will be issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
  • Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.

Major enhancements

GeoIP replaced by GeoLite2

Custom IPv4 and IPv6 GeoIP databases are now deprecated, because MaxMind has stopped maintaining the free legacy databases since March 2018 and will stop maintaining the commercial legacy databases in January 2019. For more details, see https://dev.maxmind.com/geoip/legacy/geolite/.

The WAF now uses GeoLite2 through the mod_maxminddb module for Apache. You can upload the country database in the Global settings > IP Geolocation database menu.

Database download page: https://dev.maxmind.com/geoip/geoip2/geolite2/

To learn how to use IP Geolocation in a workflow, see the IP Geolocation page.

Administration interface certificate

SSL certificate verification between the administration interface and the WAF has been improved for better security. You will be disconnected from the interface at the first apply (all), as the previous certificate is no longer trusted. We recommend updating your certificate at the next login. See the Global Settings page for more information about the GUI certificate.

Password update for WAF administrators and TUI

Passwords have to be updated to meet new security recommendations.

WAF administrators and the dashell user will have to update their password on the first connection after the upgrade to version 6.5.1.

For more details, see the Password Policies page.

TLS enabled between Poller and Pooler nodes

Pooling mode has been enhanced to enforce encryption of the data sent between pooler and poller nodes. The WAF automatically enables the required options in the SSL panel of Poller nodes when such a tunnel is created. See the Poller documentation for more information.

Kibana dashboards updated

Kibana dashboards have been updated; custom dashboards and visualizations will be discarded. Export your custom Kibana configuration before upgrading.

SSLProxyHelloNoTLSExt directive no longer supported

If the backend used an old OpenSSL version (older than 0.9.7d), the error "Error during SSL Handshake with remote server" appeared in the tunnel debug logs. Until version 6.5.1, setting the "SSLProxyHelloNoTLSExt on" directive in the tunnel's Advanced Parameters allowed the handshake with the backend to succeed.

This directive is no longer supported for security reasons: it must be removed from the Advanced Parameters, and the backend should be updated if this situation occurs.

Minor enhancements

Components upgrade

  • Apache from 2.4.33 to version 2.4.35
  • OpenSSL from 1.0.2o to version 1.0.2p
  • KeepAlived from 1.3.5 to version 2.0.7
  • Kernel from 3.10.0-693.21.1 to version 3.10.0-862.11.6

Components added

  • Open-vm-tools 10.1.10-3.el7_5.1 (allows usage of VMware Tools)

Bug fixes

Bug criticality indicators:

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic.

System

  • (error) [WAF-404] AWS: Partition size cannot be enlarged
  • (error) [WAF-444] AWS: Partition deleted after second reboot when a customer upgrades their version with RSE
  • (error) [DA-9133] SCP export regression since the paramiko library downgrade from 1.6.0 to 1.5.0

Backup/Restore

  • (error) [WAF-160] Impossible to restore an rWeb 4.2.1 backup
  • (error) [WAF-443] Missing static blacklists while creating a backup
  • (error) [DA-9534] Apply error on imported / migrated alerting destinations
  • (warning) [WAF-22] Restoring rWeb backup: path traversal engine is always activated
  • (warning) [WAF-27] After rules on eaccess are not loaded on apply
  • (warning) [WAF-70] Remote filesystem passwords lost while restoring a backup from 5.5.x

Workflow

  • (error) [WAF-23] Apply can time out while checking workflows when system entropy is low
  • (error) [WAF-383] Subrequest node configured with POST method fails
  • (error) [DA-9235] Start attribute of the Content-Type Multipart/Related can be optional
  • (error) [DA-9680] NTLM authentication with UTF-8 (non-ASCII) fields doesn't work
  • (warning) [DA-9508] Sitemap: type 'string' validation on special UTF-8 characters doesn't work
  • (warning) [DA-9749] Cookie Set node: Secure flag missing when enabling HTTP/2 in tunnel configuration
  • (warning) [DA-9738] Space character in a regexp fails to match in libicx
  • (warning) [DA-8106] Workflow session cache dependencies are missing in backup

RP/Tunnel

  • (error) [WAF-894] SSLRenegBufferSize directive leads to HTTP 502 errors on tunnel (in an advanced parameter)
  • (error) [DA-9765] SSL directives in a <Location> don't work (advanced parameter)

SNMP

  • (error) [WAF-504] SNMP values are not returned by plugin but present in MIB
  • (error) [WAF-158] Massive SNMP logs in /var/log/messages for each SNMP request
  • (error) [WAF-158] SNMP Plugin returns incorrect types

WAM

  • (error) [WAF-584] Proxy Request: NTLM offset error
  • (warning) [DA-8692] Unable to change the WAM password of a "must reset password" user and the option "use user account ..."
  • (warning) [DA-7122] In some cases authorizations are broken after WAM apply

Monitor

  • (error) [WAF-153] Alerts are sent to destinations only when the status is red and on a value change
  • (error) [WAF-5] Monitoring of VRRP Active/Active members doesn't work
  • (error) [DA-8886] VIP metrics remain red even after removing all VRRP configuration
  • (warning) [WAF-536] Distributed Datastore monitoring: useless warning
  • (warning) [WAF-548] Process Keepalived status metric is not monitored after apply
  • (warning) [DA-9402] Monitoring: no HA values when there are multiple HA clusters
  • (info) [WAF-465] Monitoring backend status is spamming when the tunnel is set up as HA active/passive

Administration interface (GUI)

  • (error) [WAF-413] Download URL field for CRL auto update does not accept a query string
  • (error) [DA-9855] GUI latency when refreshing a list with big selections
  • (warning) [WAF-931] RSE installation in Azure environment: GUI may lose connection with the updater
    The administration interface may lose connection with the updater system during the installation. This disconnection does not interfere with the installation.
    If it happens, wait a few minutes for the installation to finish. In any case, do not shut down or reboot the system.
  • (warning) [DA-9402] Sitemap: GUI does not display a required parameter as required
  • (warning) [DA-9413] Missing certificate when using the tunnel wizard with generated certificate
  • (warning) [DA-7830] Refresh issue on IAM Application Authentication type fields
  • (info) [WAF-403] Auto-Resolve creates a Security Exception Rule with the attack family in the title, which does not match the real pattern attack family
  • (info) [DA-9505] Default exception profile is not visible in the configuration explorer or in the current configuration of the restore wizard
  • (info) [DA-5701] Maps role on attribute profile is not displayed in the GUI Authentication form

REST API

  • (error) [DA-9777] REST API: performance issue with many tunnels
  • (error) [DA-9844] REST API: enabling access log in database on a tunnel doesn't work
  • (error) [DA-9408] REST API: PATCH tunnel securityFormat is not working
  • (error) [DA-9873] REST API: cannot link a workflow name at tunnel creation

Miscellaneous

  • (error) [WAF-21] Distributed Datastore failover request timeout
  • (error) [WAF-51] Scheduled report generation failed
  • (error) [DA-9446] Generate Report scheduled task doesn't work
  • (error) [DA-9358] When using the "Replace Box" feature, the webservice doesn't restart with the new administration IP
  • (error) [DA-9359] Connectivity tools don't handle IPv6 correctly
  • (error) [DA-9510] Loss of static content resources after some applies
  • (warning) [DA-9409] '\xXX' encoded characters are sent to the external syslog (realtime alerting)
  • (warning) [DA-9690] Event logs: no item names, only UIDs displayed
  • (info) [DA-9769] URL overflow in Kibana: default URLs are too long
  • (info) [DA-9748] Default filter on Appliance Kibana dashboard is set on Management
  • (info) [DA-9839] Default Kibana searches use deprecated fields
  • (info) [DA-9391] Kibana dashboards: timeframe issue and typo

Known issues

  • [WAF-516] Loss of logs in Elasticsearch on high load (logs from workflow)
    Under very high load, a few logs can be lost when most of the requests are blocked by security engines
  • [WAF-541] Unable to create VLANs on bonded interfaces
  • [WAF-873] Using the "matches pattern" condition in a workflow context exception rule leads to an apply timeout (infinite loop)
  • [WAF-624] [rWeb Migration] EAccessUriTrans multipart-form-data & auto-file-upload are not available in the Blacklist engine
  • [WAF-184] Security exception doesn't work if there is no workflow context
  • [WAF-401] Security Exception Rules edition: in "Workflow Context", the value disappears when typing text into the value field and changing to "matches regexp"
  • [WAF-503] WAM: some hashes don't work for the SMS gateway
  • [WAF-475] No matching value for blacklist and scoringlist (no highlight)
  • [WAF-543] Backend response time higher than Total response time
  • [WAF-662] Debug logs from other tunnels (not in debug) occurring inside the error log
  • [WAF-723] Perimetric Authentication broken after restoring a backup from 5.5.9
  • [WAF-44] No program name in logs sent to external syslog/SIEM
  • [WAF-880] GUI latency with huge tunnel configuration
  • [WAF-481] Backend monitoring fails with protocol error: wrong curve
  • [WAF-175] Block unknown hostname logs are not sent to the syslog server
  • [WAF-597] SMTP profile can be created through the event log alerting menu but cannot be used
  • [WAF-715] WAM Application Access with NTLMv2 strips Proxy-Authorization
  • [WAF-552] Secondary tunnel names are different between Kibana and the GUI: special characters are removed or replaced
    Some special characters such as # in the name of secondary tunnels are replaced by '_' (underscore) in Kibana panels
  • [WAF-24] BWSESSID is not set when using LB members in URL Mapping
  • [WAF-492] Values sent in SNMP for tunnelListenStatus are not the right ones
  • [WAF-522] Workflow revalidation issue with invalid subworkflows
  • [WAF-721] Perimeter Gate unavailable until a new save and apply on the GUI
  • [WAF-702] URL mappings need full user rights to be modified
  • [WAF-578] No information given when a Reverse Proxy fails to start due to certificates
  • [WAF-670] GUI XLS export default name contains illegal characters on Windows
  • [WAF-694] BWSESSID cookie allows extra characters at the end of the value
    Characters can be added at the end of the value of the BWSESSID cookie without breaking the corresponding session
  • [WAF-611] Password policy check displays an error when changing the TUI password

Appendix

Installation and Upgrade

Configuration Backup

Before installing this version, back up any work in progress. Go to the Management > Backups panel, back up all the configurations, then download the backup file.

In a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.

Installation procedure

For new users, we recommend reading our Get started guide to install the product.

Follow the steps hereunder to install this version of the Rohde & Schwarz WAF:
  1. Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/
  2. Install the product on an appliance, a virtual machine or at a cloud provider. The installation is described in the Installing from ISO page
  3. Log into the TUI (Text User Interface) and set the role: Management or Managed (for more details see the Initializing the Management and Managed mode page)
  4. Repeat stages 2 and 3 for each Managed appliance, if there are any
  5. Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page)
    You will be asked to temporarily or permanently accept the certificate from the Management appliance (for more details see the Connection certificates page)
  6. If there are any, add the Managed appliances to the cluster. Go to Setup > Boxes > Add
  7. Create a request on https://my.denyall.com/ to retrieve the license. The serial number (Service Tag) of the appliance is needed (it can be found in Setup > Boxes > Licenses: select a Box and click View). For more details, see the Request and assign a WAF license page
  8. Upload the license(s) in the Setup > Boxes > Licenses panel
  9. Perform an apply of all configurations to verify that all Boxes are responding correctly
  10. If you have any backups from 5.x or 6.x, you can restore them in the Management > Backups panel
  11. Then perform an apply (with Cold Restart selected) on all the configurations

Update procedure 

The following steps describe how to update the product from a 6.X version (older than the new version) using the RSE system.

System requirements: the cluster must be on any 6.5.0 version. To update to version 6.5.0, see Release Notes 6.5.0.

Warning: an interruption of service will occur. The selected Box will reboot.

Automatic snapshot

It is no longer necessary to create a manual snapshot of the cluster configuration before upgrading to version 6.5. This snapshot is automatically created by the Management Console before the upgrade.

  1. Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
    1. Use the following file: RS_Web_Application_Firewall-6.5.1-20181210-release-v6-5-1-430dd93+b7378.rse
  2. Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page)
  3. Go to the Management > Backups panel, back up all the configurations, then download the backup file. In a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances
  4. Optional. Go to Management > Snapshots, add a manual snapshot corresponding to the current cluster configuration, then download the snapshot file
  5. Go to Management > System Updates and upload the RSE file
  6. Select the Management Box and click Install
    The Management Box must be updated first, before updating the Managed Boxes
  7. Read and confirm the readme
  8. The installation process will automatically restart the Box and the user will be disconnected from the administration interface
  9. Wait for the Box to restart
  10. Reconnect to the GUI and change the password to match the password security policy. It is recommended to also change the TUI password of the dashell user at this time.
  11. Repeat stages 5, 6, 7 and 8 for each Managed Box, if any
  12. Perform an Apply (with Cold Restart selected) on all the configurations

At the next connection after the update, you will be asked to temporarily or permanently accept the certificate from the Management appliance (for more details see the Connection certificates page)

Uninstall procedure

In order to roll back to the previously installed version:
  1. Go to Management > System Updates
  2. Start by uninstalling the Managed Boxes. Select a Managed Box and click Uninstall. The Box will reboot automatically
    Warning: an interruption of service will occur. The selected Box will reboot.
  3. Repeat stage 2 for all Managed Boxes of the cluster
  4. When uninstalling a Managed Box to a version below 6.5.1, the SSL certificates between Management and Managed will no longer be recognized, and you will have to use the "Setup > Global Settings > Disable SSL check peer" option to allow the resynchronisation of the Managed Box version on the Management Box (this may take up to one minute).
  5. Repeat stage 2 for the Management Box. You may have to refresh the System Updates view after uninstalling the Managed Boxes.
    The uninstall process will automatically restart the Box and the user will be disconnected from the administration interface
  6. Wait for the Box to restart, then log into the Management Box with the administration interface corresponding to the version
  7. Restore the latest snapshot or backup corresponding to the version
  8. Perform an Apply (with Cold Restart selected) on all the configurations

In a virtualization environment, you can also restore previous snapshots.

Administration password

The new user password is still needed after uninstalling the RSE. The old password is restored only after restoring the snapshot taken before the upgrade and performing an Apply of the cluster.
