This document details the changes introduced by version 6.5.2 LTS of the R&S®Web Application Firewall.
This version is an LTS (Long Term Support) release.
Revision number: 23cdc105ddf34f3639f04f754c857fa2586a2ee4
Release date: March 06th, 2019
Reminder of the LTS/LVS concepts:
- Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches are issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
- Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.
R&S®Web Application Firewall – two editions to meet different needs
Since the release of 6.5.2, R&S®Web Application Firewall is available in two different versions or 'Editions', Business and Enterprise, to address different use cases with the right capabilities.
Business Edition is the entry-level solution: it runs on less powerful appliances/virtual machines and provides the core security functionalities (Generic patterns (ICX), Heuristics via Scoring List, and API Security based on JSON/XML).
Enterprise Edition is essentially Business Edition with extra features that advanced and enterprise users are likely to want: complementary security engines (available with Advanced Security) and Extended API Security to protect API-based custom applications and machine-to-machine communications. The Comprehensive Analytics & Reporting and Web Access Manager optional modules are only available with Enterprise Edition.
IP Reputation is an optional service available with both Editions.
For more information, see the Licenses page.
The scope of features migrated from rWeb to R&S®Web Application Firewall has been increased. The following rWeb configurations are now migrated:
- Syslog destination,
- SMTP destination,
- Application monitoring.
For more details about which feature is automatically migrated, see the page Migration status from rWeb.
SSL Cipher profiles
The SSL Cipher profiles view has been improved to make cipher management easier. Ciphers can now be filtered by name.
Further enhancements will follow in the next versions.
- Elasticsearch and Kibana from 5.6.10 to 5.6.14
- NodeJs from 8.9 to 8.15
- Kernel from 3.10.0-862.14.4.el7.x86_64 to 3.10.0-957.1.3.el7.x86_64
- rsyslog from 8.37.0-1.el7.x86_64 to 8.40.0-1.el7.x86_64
The monitoring consolidation frequency (in Kibana) has been reduced: consolidation now runs every minute instead of every 15 seconds.
OpenSSL version migration
We have decided to stop building our own OpenSSL and to use the one shipped with the CentOS system. This gives the same SSL behavior for every component (Apache, curl, Backend Monitor, etc.). As a consequence, some ciphers and elliptic curves are deprecated.
SRP SSL ciphers removed
Secure Remote Password ciphers are no longer handled by the WAF. 'SRP-*' ciphers have been marked as "not supported" in SSL cipher profiles. They must be removed from the 'Selected Ciphers' list before tunnels can be applied.
Here is the list of unsupported ciphers since the 6.5.2 version:
For more information about ciphers see the SSL Cipher Profiles page.
SSL Elliptic Curve
The list of Elliptic Curves we handle has changed; the following curves are now supported:
- secp256k1 : SECG curve over a 256 bit prime field
- secp384r1 : NIST/SECG curve over a 384 bit prime field
- secp521r1 : NIST/SECG curve over a 521 bit prime field
- prime256v1: X9.62/SECG curve over a 256 bit prime field
Bug criticality indicators (icons, not reproduced in this text export): Serious; Moderate or with workaround; Low or cosmetic. The Criticality column of the table below is therefore empty.
|Key|Criticality|Summary|
|WAF-1085||Python script truncates backup files when sent by SCP|
|WAF-1177||High Availability Active/Active with Load balancer leads to TCP flood|
|WAF-873||Using "matches pattern" condition in workflow context exception rule leads to an apply timeout (infinite loop)|
|WAF-1030||Custom GUI certificate breaks the inter-box communication|
|WAF-990||WAM Gate listener on VRRP leads to an apply error|
|WAF-880||GUI latency with huge tunnel configuration|
|WAF-481||Backend monitoring fails when using ECDH ciphers|
|WAF-658||SNMP plugin must be restarted (Apply Box) to handle new items|
|WAF-931||RSE installation in Azure environment: GUI may lose connection with the updater|
|WAF-1029||Workflow parameters: boolean field type has changed to string field type|
|WAF-1178||Internal log destination from Box: passwords used for external destination are sent in plain text to external syslog|
|WAF-1067||Advanced parameters lines are missing after a restore from a 5.5 backup|
|WAF-385||Boolean value type matching in Security Exception Configuration is not working|
|WAF-541||Unable to create VLAN on bonded interfaces|
|WAF-1025||mod_remoteip unsets the X-Forwarded-For header by default|
|WAF-44||No program name in logs sent to external syslog/SIEM|
|WAF-471||GUI slows down when refreshing application view with many selected tunnels|
|WAF-1038||CPU usage metric is over 100% (not normalised by the number of cores)|
|WAF-1103||SNMP plugin returns no value for security logs and WAM logs count|
|WAF-1047||"Block unknown hostname" logs from RP are not sent to external syslog|
|WAF-1078||Error message in TUI when accessing Support Menu > Transfert or truncate logs|
|WAF-1032||Selector does not include Yes/No tunnel workflow parameters|
|WAF-552||Secondary tunnel names differ between Kibana and GUI: special characters are removed or replaced|
|WAF-948||Cannot modify text file on Static Content when part of a zip file|
|WAF-412||Analyse button from Sitemap view returns nothing|
|WAF-164||No information about RAID status in debug|
|WAF-475||No matching value for blacklist and scoring list (no highlight)|
|WAF-1113||Cannot use LDAP GET node with LDAPS Active Directory|
|WAF-522||Workflow revalidation issue with invalid subworkflows|
|WAF-543||Backend response time higher than total response time|
|WAF-637||WAF allows secure cookie through clear communication channel|
|WAF-706||SAML Pack: NotBefore/NotAfter malfunction|
|WAF-707||ICX does not ignore attachments or some application/* content-types|
|WAF-715||WAM Application Access with NTLMv2 strips Proxy-Authorization|
|WAF-24||BWSESSID is not set when using LB members in URL Mapping|
|WAF-175||Block unknown hostname logs from RP are not sent to syslog server|
|WAF-184||Security exception doesn't work if there is no workflow context condition|
|WAF-503||WAM: some hashes don't work for SMS gateway|
|WAF-1109||Workflow node forms keep values of hidden fields|
|WAF-1174||Second load balancer member is lost after importing load balancer configuration|
|WAF-1175||BWROUTEID not automatically set when importing LB with auto route option|
|WAF-1181||Wrong fiber card speed display|
|WAF-578||No information given when a Reverse Proxy fails to start due to certificates|
|WAF-694||BWSESSID cookie allows extra characters at the end of the value|
|WAF-1139||WAM Connected users view does not refresh content information|
|WAF-678||Corrupted syslog destination after restoring a backup from 5.5.6|
|WAF-401||Security Exception Rules edition: in "Workflow Context", the value disappears when typing text into the value field and changing to "matches regexp"|
|WAF-1105||Static content not removable when used once in SWF (deconfigured)|
|WAF-1165||MAC address is not updated on network card replacement|
|WAF-670||XLS export default name contains characters that are illegal on Windows|
|WAF-597||SMTP profile can be created through event log alerting menu but cannot be used|
|WAF-567||XML Signature Verification fails if certificate is not on top|
|WAF-570||XML Decrypt fails depending on the order of keys|
|WAF-523||TUI change administration IP fails when IP does not match the gateway network|
|WAF-526||Scheduled Task "export and purge database log" purges logs even if sending mail fails|
|WAF-875||Missing dependencies between security exception profiles and patterns (from pattern categories)|
|WAF-1111||Scheduled Task "export and purge database log" deletes logs when there are more than a few thousand logs|
|WAF-557||Opening the view logs in a new window does not work|
|WAF-728||Administration IP cannot be changed on a Managed Box|
|WAF-625||"Test Connectivity" tool does not use the configured SSL cipher of the tunnel|
|WAF-638||Multiple occurrences of the query string parameter not supported in sitemap validation|
|WAF-542||Static Content: file format is not detected when importing a content from a zip file|
|WAF-524||Workflow nodes are not shown in red with invalid parameters|
|WAF-533||Box dependency replacement fails on MMProxy restore|
|WAF-546||ICX renaming stays cached on Workflow (old name on ICX)|
|WAF-553||High-Availability makes keepalived down when no IP on interface|
|WAF-558||ICX Legacy resolve is enabled in some cases (and should not be)|
|WAF-569||SNMP Alert destination line break|
|WAF-512||Web monitoring GUI fails to connect when no space left on device|
|WAF-10||CPN metrics are in critical state after doing force_master/force_managed|
|WAF-163||Possibility to remove proxy profile when used by certificate bundle|
|WAF-1076||After an update to 6.5.1, VMware console is no longer accessible (ESX 5.0.0)|
|WAF-491||High-Availability in no-preempt mode fails|
|WAF-860||Distributed Datastores: set default open timeout value|
|WAF-1079||Kibana dashboards don't display all elements: no results found|
|WAF-1123||Network interface is still visible after being removed from the VM|
|WAF-1133||Security exceptions: switch from "matches pattern" to another condition displays the pattern uid|
WAM and SSL Ciphers
To communicate with WAM components, the workflow uses the same protocols and ciphers as the outgoing SSL cipher profile selected in the parent tunnel. However, WAM components can only be negotiated with TLSv1.2 and the cipher ECDHE-RSA-AES128-SHA256, so the outgoing SSL cipher profile must have this cipher selected.
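The three constraints above (SRP-* ciphers must be removed before applying tunnels, only four elliptic curves are still handled, and an outgoing profile used for WAM must offer TLSv1.2 with ECDHE-RSA-AES128-SHA256) are easy to check before an Apply rather than discovering them as an apply error. The following is an added example, not code from the R&S®Web Application Firewall or from these release notes: the profile dictionary layout (keys 'protocols', 'selected_ciphers', 'curves') and the sample profile are assumptions made for illustration; the cipher and curve names are the standard OpenSSL ones.

```python
"""Pre-apply check of an SSL cipher profile against the 6.5.2 constraints.

Added example; not code from the R&S Web Application Firewall or from these
release notes. The profile dict layout (keys 'protocols', 'selected_ciphers',
'curves') is an assumption made for illustration only.
"""

# Elliptic curves listed as supported after the OpenSSL migration (from the notes).
SUPPORTED_CURVES = frozenset({"secp256k1", "secp384r1", "secp521r1", "prime256v1"})

# WAM components only negotiate TLSv1.2 with this single cipher (from the notes).
WAM_PROTOCOL = "TLSv1.2"
WAM_CIPHER = "ECDHE-RSA-AES128-SHA256"


def parse_cipher_string(cipher_string):
    """Split an OpenSSL-style colon-separated cipher list, keeping order, dropping blanks."""
    return [c.strip() for c in cipher_string.split(":") if c.strip()]


def check_profile(profile, used_by_wam=False):
    """Return a list of (severity, message) findings for one cipher profile.

    'error': the Apply would fail (SRP cipher still selected) or WAM could not
    negotiate. 'warning': a curve is no longer handled and will not be offered.
    """
    findings = []
    ciphers = parse_cipher_string(profile.get("selected_ciphers", ""))

    # SRP-* ciphers are flagged "not supported" since 6.5.2 and must be removed
    # from Selected Ciphers before tunnels can be applied.
    for cipher in ciphers:
        if cipher.startswith("SRP-"):
            findings.append(("error", f"{cipher}: SRP ciphers are not supported since 6.5.2, "
                                      "remove it from Selected Ciphers"))

    for curve in profile.get("curves", []):
        if curve not in SUPPORTED_CURVES:
            findings.append(("warning", f"{curve}: curve no longer supported, only "
                                        f"{sorted(SUPPORTED_CURVES)} are handled"))

    if used_by_wam:
        if WAM_PROTOCOL not in profile.get("protocols", []):
            findings.append(("error", f"WAM requires {WAM_PROTOCOL} in the outgoing profile"))
        if WAM_CIPHER not in ciphers:
            findings.append(("error", f"WAM requires {WAM_CIPHER} in Selected Ciphers "
                                      "of the outgoing profile"))
    return findings


def fixed_profile(profile, used_by_wam=False):
    """Return a copy of the profile that passes check_profile().

    SRP ciphers and unsupported curves are dropped; for WAM the required
    protocol and cipher are appended if missing. Original order is preserved so
    the preference among the remaining ciphers does not change.
    """
    ciphers = [c for c in parse_cipher_string(profile.get("selected_ciphers", ""))
               if not c.startswith("SRP-")]
    protocols = list(profile.get("protocols", []))
    if used_by_wam:
        if WAM_CIPHER not in ciphers:
            ciphers.append(WAM_CIPHER)
        if WAM_PROTOCOL not in protocols:
            protocols.append(WAM_PROTOCOL)
    return {
        "protocols": protocols,
        "selected_ciphers": ":".join(ciphers),
        "curves": [cv for cv in profile.get("curves", []) if cv in SUPPORTED_CURVES],
    }


# Constructed sample: an outgoing profile carried over from a pre-6.5.2 cluster.
# The selection is made up for this example; brainpoolP256r1 is simply a curve
# that is absent from the supported list above.
LEGACY_OUTGOING_PROFILE = {
    "protocols": ["TLSv1.1", "TLSv1.2"],
    "selected_ciphers": ("ECDHE-RSA-AES256-GCM-SHA384:SRP-RSA-AES-256-CBC-SHA:"
                         "ECDHE-RSA-AES128-GCM-SHA256:SRP-AES-128-CBC-SHA"),
    "curves": ["prime256v1", "brainpoolP256r1", "secp384r1"],
}

if __name__ == "__main__":
    for severity, message in check_profile(LEGACY_OUTGOING_PROFILE, used_by_wam=True):
        print(f"[{severity}] {message}")
    print(fixed_profile(LEGACY_OUTGOING_PROFILE, used_by_wam=True))
```

Run against the sample, the check reports the two SRP entries and the missing WAM cipher as errors and the brainpool curve as a warning; `fixed_profile()` produces a selection that applies cleanly while keeping the existing cipher order, which matters because the order is the server-side preference.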
Installation and Update
Notes before update
Read previous release notes
If the update jumps more than one version (6.5.0 to 6.5.2 for example), we recommend reading the previous release notes to see all the changes.
For more details see: R&S®Web Application Firewall Release notes
Custom dashboards, visualization and searches in Kibana have to be exported before the upgrade. As we improve dashboards and visualizations through versions, the entire Kibana configuration is erased by the new version after the upgrade.
Configuration can be exported in the Management > Saved Objects menu. Exported configurations can be restored after the upgrade. For more details see Logs visualization with Kibana.
Before installing this version, backup any work that is in progress. Go to Management > Backups panel and backup all the configurations then download the backup file.
In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.
For new users, we recommend reading our Get started guide to install the product.
- Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/
- Install the product on an appliance, virtual machine or in a cloud provider. The installation is described in the Installing from ISO page
- Log into the TUI (Text User Interface) and set the role: Management or Managed (for more details see the Initializing the Management and Managed mode page)
- Repeat stages 2 and 3 for each Managed appliance, if there are any
- Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page)
You will be asked to temporarily or permanently accept the certificate from the Management appliance
- If there are any, add Managed appliances to the cluster. Go to Setup > Boxes > Add
- Create request on https://my.denyall.com/ to retrieve the license. The serial number (Service Tag) of the appliance will be needed (It can be found in Setup > Boxes > Licenses, select a Box and click View). For more details, see the Request and assign a WAF license page
- Upload license(s) in the Setup > Boxes > Licenses panel
- Perform an apply of all configurations to verify that all Boxes are responding well
If you have backups from 5.x or 6.x, you can restore them in the Management > Backups panel
Then perform an apply (with Cold Restart selected) on all the configurations
System requirements: the cluster must be running version 6.5.0 or later. To update to version 6.5.0, see Release Notes 6.5.0.
Warning: an interruption of service will occur. The selected Box will reboot.
It is no longer necessary to create a manual snapshot of the cluster configuration before upgrading to the 6.5 version. This snapshot is automatically created by the Management Console before the upgrade.
- Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
- Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page)
- Go to Management > Backups panel and backup all the configurations then download the backup file. In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances
- Optional. Go to Management > Snapshots and add a manual snapshot corresponding to the current cluster configuration then download the snapshot file
- Go to Management > System Updates and upload the RSE file
- Select the Management Box and click Install
The Management Box must be updated first, before updating Managed Boxes
Read and confirm the readme
The installation process will automatically restart the Box and the user will be disconnected from the administration interface
Wait for the Box to restart
- (Only for upgrades from R&S®Web Application Firewall 6.5.0) Reconnect to the GUI and change the password to match the new password policy. It is recommended to also change the TUI password of the dashell user at this time.
Repeat stages 5, 6, 7 and 8 for each managed Box, if any
Perform an Apply (with Cold Restart selected) on all the configurations
At the next connection after the update, you will be asked to temporarily or permanently accept the certificate from the Management appliance
- Go to Management > System Updates
Start by uninstalling Managed boxes. Select a managed Box and click Uninstall. The Box will reboot automatically.
Warning, an interruption of service will occur. The selected Box will reboot.
- Repeat stage 2 for all managed Boxes of the cluster.
Downgrading below 6.5.1: when uninstalling a Managed Box down to a version below 6.5.1, the SSL certificates between Management and Managed Boxes are no longer recognized. Use Setup > Global Settings > Disable SSL check peer to allow the synchronization of the Managed Box version on the Management Box (this may take up to one minute).
Repeat stage 2 for the Management Box. You may have to refresh the System Updates View after uninstalling managed boxes.
The uninstall process will automatically restart the Box and the user will be disconnected from the administration interface
Wait for the Box to restart then log into the Management Box with the administration interface corresponding to the version.
- Restore the latest snapshot or backup corresponding to the version.
- Perform an Apply (with Cold Restart selected) on all the configurations
You can also restore previous snapshots in case of a virtualization environment.
The new user password is still required after uninstalling the RSE. The old password is restored only after restoring the snapshot taken before the upgrade and performing an Apply of the cluster.