
This document details changes introduced by the 6.5.2 LTS version for the R&S®Web Application Firewall.

This version is an LTS (Long Term Support) release.

Revision number: 23cdc105ddf34f3639f04f754c857fa2586a2ee4

Release date: March 06th, 2019

Reminder of the LTS/LVS concepts:

  • Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches are issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
  • Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.

Major enhancements

Licenses

R&S®Web Application Firewall – two editions to meet different needs

Since the release of 6.5.2, R&S®Web Application Firewall is available in two different versions or 'Editions', Business and Enterprise, to address different use cases with the right capabilities.

Business Edition is the entry-level solution. It runs on less powerful appliances/virtual machines with a limited set of core security functionalities (generic patterns (ICX), heuristics via Scoring List, and API Security based on JSON / XML).

Enterprise Edition is essentially Business Edition with extra features that advanced and enterprise users are likely to want: complementary security engines, available with Advanced Security, and Extended API Security to protect API-based custom applications and machine-to-machine communications. The Comprehensive Analytics & Reporting and Web Access Manager optional modules are only available with Enterprise Edition.

IP Reputation is an optional service available with both Editions.

It is not possible to deploy different editions in the same environment.

For more information, see the Licenses page.

Minor enhancements

rWeb Migration

The scope of features migrated from rWeb to R&S®Web Application Firewall has been increased. The following configurations from rWeb are now migrated:

  • NTP,
  • Syslog destination,
  • SMTP destination,
  • Application monitoring.

For more details about which feature is automatically migrated, see the page Migration status from rWeb.

SSL Cipher profiles

The SSL Cipher profiles view has been improved to provide better cipher management. Ciphers can now be filtered by name.

Further enhancements will follow in future versions.

Components upgrade

  • Elasticsearch and Kibana from 5.6.10 to 5.6.14
  • NodeJs from 8.9 to 8.15
  • Kernel from 3.10.0-862.14.4.el7.x86_64 to 3.10.0-957.1.3.el7.x86_64
  • rsyslog from 8.37.0-1.el7.x86_64 to 8.40.0-1.el7.x86_64

Behavior changes

Monitoring frequency

The monitoring consolidation frequency (in Kibana) has been reduced: consolidation now runs every 1 minute instead of every 15 seconds.

OpenSSL version migration

We have decided to stop building our own OpenSSL and to use the one shipped with the CentOS system instead. This gives every component (Apache, Curl, Backend Monitor, etc.) the same SSL behaviour. As a consequence, some ciphers and elliptic curves are deprecated.

SRP SSL ciphers removed

Secure Remote Password (SRP) ciphers are no longer handled by the WAF. 'SRP-*' ciphers have been marked as "not supported" in SSL cipher profiles. They must be removed from the 'Selected Ciphers' list before tunnels can be applied.

Here is the list of unsupported ciphers since the 6.5.2 version:

  • SRP-DSS-AES-256-CBC-SHA
  • SRP-RSA-AES-256-CBC-SHA
  • SRP-AES-256-CBC-SHA
  • SRP-DSS-AES-128-CBC-SHA
  • SRP-RSA-AES-128-CBC-SHA
  • SRP-AES-128-CBC-SHA
  • SRP-DSS-3DES-EDE-CBC-SHA
  • SRP-RSA-3DES-EDE-CBC-SHA
  • SRP-3DES-EDE-CBC-SHA

For more information about ciphers see the SSL Cipher Profiles page.

SSL Elliptic Curve

The list of elliptic curves that we handle has changed; the following curves are now supported:

  • secp256k1: SECG curve over a 256 bit prime field
  • secp384r1: NIST/SECG curve over a 384 bit prime field
  • secp521r1: NIST/SECG curve over a 521 bit prime field
  • prime256v1: X9.62/SECG curve over a 256 bit prime field

Bug fixes

Bug criticality indicators:

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic.

| Priority | Issue key | Summary |
|---|---|---|
| (error) | WAF-1085 | Python script truncates backup files when sent by SCP |
| (error) | WAF-1177 | High Availability Active/Active with Load balancer leads to TCP flood |
| (error) | WAF-873 | Using "matches pattern" condition in workflow context exception rule leads to an apply timeout (infinite loop) |
| (error) | WAF-1030 | Custom GUI certificate breaks the inter-box communication |
| (error) | WAF-990 | WAM Gate listener on VRRP leads to an apply error |
| (warning) | WAF-880 | GUI latency with huge tunnel configuration |
| (warning) | WAF-481 | Backend monitoring fails when using ECDH ciphers |
| (warning) | WAF-658 | SNMP plugin must be restarted (Apply Box) to handle new items |
| (warning) | WAF-931 | RSE installation in Azure environment: GUI may lose connection with the updater |
| (warning) | WAF-1029 | Workflow parameters: boolean field type has changed to string field type |
| (warning) | WAF-1178 | Internal log destination from Box: passwords used for external destination are sent in plain text to external syslog |
| (warning) | WAF-1067 | Advanced parameters lines are missing after a restore from a 5.5 backup |
| (warning) | WAF-385 | Boolean value type matching in Security Exception Configuration is not working |
| (warning) | WAF-541 | Unable to create VLAN on bonded interfaces |
| (warning) | WAF-1025 | mod_remoteip unsets the X-Forwarded-For header by default |
| (info) | WAF-44 | No program name in logs sent to external syslog/SIEM |
| (info) | WAF-471 | GUI slows down when refreshing application view with many selected tunnels |
| (info) | WAF-1038 | CPU usage metric is over 100% (not rationalised by the number of cores) |
| (info) | WAF-1103 | SNMP plugin returns no value for security logs and WAM logs count |
| (info) | WAF-1047 | "Block unknown hostname" logs from RP are not sent to external syslog |
| (info) | WAF-1078 | Error message in TUI when accessing Support Menu > Transfer or truncate logs |
| (info) | WAF-1032 | Selector does not include Yes/No tunnel workflow parameters |
| (info) | WAF-552 | Secondary tunnel names are different between Kibana and GUI: special characters are removed or replaced |
| (info) | WAF-948 | Cannot modify text file on Static Content when part of a zip file |
| (info) | WAF-412 | Analyse button from Sitemap view returns nothing |
| (info) | WAF-164 | No information about RAID status in debug |

Known issues

General

| Issue key | Summary |
|---|---|
| WAF-475 | No matching value for blacklist and scoringlist (no highlight) |
| WAF-1113 | Cannot use LDAP GET node with LDAPS Active Directory |
| WAF-522 | Workflow revalidation issue with invalid subworkflows |
| WAF-543 | Backend response time higher than Total response time |
| WAF-637 | WAF allows secure cookie through clear communication channel |
| WAF-706 | SAML Pack: NotBefore/NotAfter malfunction |
| WAF-707 | ICX does not ignore attachments or some application/* content-types |
| WAF-715 | WAM Application Access with NTLMv2 strips Proxy-Authorization |
| WAF-24 | BWSESSID is not set when using LB members in URL Mapping |
| WAF-175 | Block unknown hostname logs from RP are not sent to syslog server |
| WAF-184 | Security exception doesn't work if there is no workflow context condition |
| WAF-503 | WAM: some hashes don't work for SMS gateway |
| WAF-1109 | Workflow node forms keep values of hidden fields |
| WAF-1174 | Second load balancer member is lost after importing load balancer configuration |
| WAF-1175 | BWROUTEID not automatically set when importing LB with auto route option |
| WAF-1181 | Wrong fiber cards speed display |
| WAF-578 | No information given when a Reverse Proxy fails to start due to certificates |
| WAF-694 | BWSESSID cookie allows extra characters at the end of the value |
| WAF-1139 | WAM Connected users does not refresh content information |
| WAF-678 | Corrupted syslog destination after restoring a backup from a 5.5.6 |
| WAF-401 | Security Exception Rules edition: in "Workflow Context", the value disappears when typing text into the value field and changing to "matches regexp" |
| WAF-1105 | Static content not removable when used once in SWF (deconfigured) |
| WAF-1165 | MAC address is not updated on network card replacement |
| WAF-670 | XLS export default name contains illegal characters on Windows |
| WAF-597 | SMTP profile can be created through event log alerting menu but cannot be used |
| WAF-567 | XML Signature Verification fails if certificate is not on top |
| WAF-570 | XML Decrypt fails depending on the order of keys |
| WAF-523 | TUI change administration IP fails when IP does not match the gateway network |
| WAF-526 | Scheduled Task "export and purge database log" is purging logs even if sending mail fails |
| WAF-875 | Missing dependencies between security exception profiles and patterns (from patterns categories) |
| WAF-1111 | Scheduled Task "export and purge database log" is deleting logs when exceeding a few thousand logs |
| WAF-557 | Opening n window view logs does not work |
| WAF-728 | Administration IP cannot be changed on Managed |
| WAF-625 | "Test Connectivity" tool does not use the configured SSL cipher of the tunnel |
| WAF-638 | Multiple occurrences of the query string parameter not supported in sitemap validation |
| WAF-542 | Static Content: file format is not detected when importing a content from a zip file |
| WAF-524 | Workflow nodes are not red with invalid parameters |
| WAF-533 | Box dependency replacement fails on MMProxy restore |
| WAF-546 | ICX renaming stays cached on Workflow (old name on ICX) |
| WAF-553 | High-Availability makes keepalived down when no IP on interface |
| WAF-558 | ICX Legacy resolve is enabled in some cases (and should not be) |
| WAF-569 | SNMP Alert destination line break |
| WAF-512 | Web monitoring GUI fails to connect when no space left on device |
| WAF-10 | CPN metrics are in critical state after doing force_master/force_managed |
| WAF-163 | Possibility to remove proxy profile when used by certificates bundle |
| WAF-1076 | After an update to 6.5.1, VMware console is no longer accessible (ESX 5.0.0) |
| WAF-491 | High-Availability in no-preempt mode fails |
| WAF-860 | Distributed Datastores: set default open timeout value |
| WAF-1079 | Kibana dashboards don't display all elements: no results found |
| WAF-1123 | Network interface is still visible after being removed from the VM |
| WAF-1133 | Security exceptions: switching from "matches pattern" to another condition displays the pattern uid |

WAM and SSL Ciphers

To communicate with WAM components, the workflow uses the same protocols and ciphers as the outgoing SSL cipher profile selected in the parent tunnel. However, WAM components can only be negotiated with TLSv1.2 and the cipher ECDHE-RSA-AES128-SHA256, so the outgoing SSL cipher profile must have this cipher selected.
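As an added example (not code from the release notes or the product), a pre-apply check in Python for an outgoing SSL cipher profile after upgrading to 6.5.2: it drops the SRP-* suites listed in the "SRP SSL ciphers removed" section, checks the elliptic curves against the supported list, and, for tunnels with WAM components, confirms that TLSv1.2 and ECDHE-RSA-AES128-SHA256 are selected. It assumes the profile's ciphers, curves and protocols are available as plain lists (for example copied from the GUI).

```python
import fnmatch

# Added example, not part of the release notes or the product.
# Suites the 6.5.2 release notes mark "not supported" in SSL cipher profiles.
UNSUPPORTED_SRP_CIPHERS = {
    "SRP-DSS-AES-256-CBC-SHA", "SRP-RSA-AES-256-CBC-SHA", "SRP-AES-256-CBC-SHA",
    "SRP-DSS-AES-128-CBC-SHA", "SRP-RSA-AES-128-CBC-SHA", "SRP-AES-128-CBC-SHA",
    "SRP-DSS-3DES-EDE-CBC-SHA", "SRP-RSA-3DES-EDE-CBC-SHA", "SRP-3DES-EDE-CBC-SHA",
}
# Elliptic curves handled since 6.5.2.
SUPPORTED_CURVES = {"secp256k1", "secp384r1", "secp521r1", "prime256v1"}
# The only protocol and cipher a WAM component negotiates.
WAM_PROTOCOL = "TLSv1.2"
WAM_CIPHER = "ECDHE-RSA-AES128-SHA256"


def migrate_cipher_profile(selected_ciphers, curves=(), protocols=(), uses_wam=False):
    """Return (cleaned_ciphers, warnings) for an outgoing SSL cipher profile.

    selected_ciphers: the profile's 'Selected Ciphers', in order (assumed list form).
    curves: elliptic curves configured on the profile.
    protocols: enabled TLS versions, e.g. ["TLSv1.1", "TLSv1.2"].
    uses_wam: True when a tunnel using this profile has WAM components.
    """
    cleaned, warnings = [], []
    for cipher in selected_ciphers:
        # 'SRP-*' covers the explicit list and any other SRP suite name.
        if cipher in UNSUPPORTED_SRP_CIPHERS or fnmatch.fnmatch(cipher.upper(), "SRP-*"):
            warnings.append(f"removed unsupported cipher {cipher} (SRP is no longer handled)")
        elif cipher not in cleaned:  # drop duplicates, keep the first position
            cleaned.append(cipher)
    if not cleaned:
        warnings.append("no cipher left after removing SRP suites; the profile cannot be applied")
    for curve in curves:
        if curve not in SUPPORTED_CURVES:
            warnings.append(f"curve {curve} is no longer supported; choose from "
                            + ", ".join(sorted(SUPPORTED_CURVES)))
    if uses_wam:
        if WAM_PROTOCOL not in protocols:
            warnings.append(f"WAM components require {WAM_PROTOCOL} to be enabled")
        if WAM_CIPHER not in cleaned:
            warnings.append(f"WAM components require {WAM_CIPHER} in the selected ciphers")
    return cleaned, warnings


if __name__ == "__main__":
    # Constructed sample profile, as it might look before the 6.5.2 upgrade.
    ciphers, notes = migrate_cipher_profile(
        ["SRP-RSA-AES-256-CBC-SHA", "ECDHE-RSA-AES128-SHA256", "AES256-SHA"],
        curves=["prime256v1", "secp224r1"], protocols=["TLSv1.2"], uses_wam=True)
    print(ciphers)
    for note in notes:
        print("WARNING:", note)
```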

Appendix

Installation and Update

Notes before update

Read previous release notes

If the update jumps more than one version (6.5.0 to 6.5.2, for example), we recommend reading the previous release notes to see the changes.

For more details see: R&S®Web Application Firewall Release notes

Kibana customization

Custom dashboards, visualizations and searches in Kibana have to be exported before the upgrade. Because we improve dashboards and visualizations from version to version, the entire Kibana configuration is erased by the new version during the upgrade.

Configuration can be exported in the Management > Saved Objects menu. Exported configurations can be restored after the upgrade. For more details see Logs visualization with Kibana.

Configuration Backup

Before installing this version, back up any work that is in progress. Go to the Management > Backups panel, back up all the configurations, then download the backup file.

In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.

Installation procedure

For new users, we recommend reading our Get started guide to install the product.

Follow the steps hereunder to install this version of Rohde & Schwarz WAF:
  1. Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/
  2. Install the product on an appliance, virtual machine or in a cloud provider. The installation is described in the Installing from ISO page.
  3. Log into the TUI (Text User Interface) and set the role: Management or Managed (for more details see the Initializing the Management and Managed mode page).
  4. Repeat stages 2 and 3 for each Managed appliance, if there are any.
  5. Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page).
    You will be asked to temporarily or permanently accept the certificate from the Management appliance (for more details see the Connection certificates page).
  6. If there are any, add Managed appliances to the cluster. Go to Setup > Boxes > Add.
  7. Create a request on https://my.denyall.com/ to retrieve the license. The serial number (Service Tag) of the appliance will be needed (it can be found in Setup > Boxes > Licenses; select a Box and click View). For more details, see the Request and assign a WAF license page.
  8. Upload the license(s) in the Setup > Boxes > Licenses panel.
  9. Perform an apply of all configurations to verify that all Boxes are responding well.
  10. If you have any backups from 5.x or 6.x, you can restore them in the Management > Backups panel.
  11. Then perform an apply (with Cold Restart selected) on all the configurations.

Update procedure

The following steps describe how to update the product from a 6.5.X version (lower than the new version) by using the RSE system.

System requirements: the cluster has to be in version 6.5.0 or higher. To update to the 6.5.0 version, see Release Notes 6.5.0.

Warning: an interruption of service will occur. The selected Box will reboot.

If the update is done from a 6.5.0 version, WAF administrators and the dashell user will have to update their password on the first connection. We highly recommend performing this step for each user.

Automatic snapshot

A snapshot of the configuration is automatically created before the upgrade.

  1. Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
  2. Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page).
  3. Go to the Management > Backups panel, back up all the configurations, then download the backup file. In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.
  4. Optional. Go to Management > Snapshots, add a manual snapshot corresponding to the current cluster configuration, then download the snapshot file.
  5. Go to Management > System Updates and upload the RSE file.
  6. Select the Management Box and click Install.
    The Management Box must be updated first, before updating Managed Boxes.
  7. Read and confirm the readme.
  8. The installation process will automatically restart the Box and the user will be disconnected from the administration interface.
  9. Wait for the Box to restart.
  10. (Only for upgrades from R&S®Web Application Firewall 6.5.0) Reconnect to the GUI and TUI, then change the password to match the new password policy. It is recommended to also change the TUI password for the dashell user at this time.
  11. Repeat stages 5, 6, 7 and 8 for each Managed Box, if any.
  12. Perform an Apply (with Cold Restart selected) on all the configurations.

At the next connection after the update, you will be asked to temporarily or permanently accept the certificate from the Management appliance (for more details see the Connection certificates page).

Uninstall procedure

In order to roll back to the previously installed version:
  1. Go to Management > System Updates.
  2. Start by uninstalling Managed Boxes. Select a Managed Box and click Uninstall. The Box will reboot automatically.
    Warning: an interruption of service will occur. The selected Box will reboot.
  3. Repeat stage 2 for all Managed Boxes of the cluster.
  4. Versions below 6.5.1: when uninstalling a Managed Box to a version below 6.5.1, the SSL certificates between Management and Managed will no longer be recognized, and you will have to use the "Setup > Global Settings > Disable SSL check peer" functionality to allow the synchronization of the Managed Box version on the Management Box (this may take up to one minute).
  5. Repeat stage 2 for the Management Box. You may have to refresh the System Updates view after uninstalling Managed Boxes.
    The uninstall process will automatically restart the Box and the user will be disconnected from the administration interface.
  6. Wait for the Box to restart, then log into the Management Box with the administration interface corresponding to the version.
  7. Restore the latest snapshot or backup corresponding to the version.
  8. Perform an Apply (with Cold Restart selected) on all the configurations.

You can also restore previous snapshots in case of a virtualization environment.

Administration password

The new user password is still required after uninstalling the RSE. The old password is restored only after restoring the snapshot taken before the upgrade and performing an Apply of the cluster.
