This document details changes introduced by the 6.5.2 - Patch 2 LTS version for the R&S®Web Application Firewall.
This version is a LTS (Long Term Support).
Revision number: 4d48e6cf9f2e7e70cae25c544438ddccae2e1186
Release date: May 6th, 2019
Reminder of the LTS/LVS concepts:
- Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches will be issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
- Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.
Support cloud-init parameters on AWS
The instance role, instance name, username and password can now be provided via user-data to cloud-init as a JSON document.
Here are supported cloud-init parameters:
|"management"||Configure the appliance mode|
"Management" or "Managed"
|Set the name of the appliance|
|String||Management||Any||"admin"||Set the username of the Administrator|
|String||Management||Any||AWS instance ID||Set the password for the Administrator|
Bug criticality indicators:
: Serious, : Moderate or with workaround, : Low or cosmetic.
|WAF-1401||VRRP with VIP in IPv6 drops VIP after apply network|
|WAF-469||Elasticsearch receives invalid UTF-8 middle byte from workflow security logs|
|WAF-1335||Unexpected apply error between old and new license|
|WAF-1382||Scheduled task "Check ssl certificate expiration" does not work|
|WAF-1246||No event log when creating debug.dat|
Installation and Update
Notes before update
Changes and known issues
If the update jumps more than one version (6.5.0 to 6.5.2 for example), we recommend you to read previous release notes to see changes and known issues.
For patch update, known issues will be listed in the release note from the same version as the patch.
For more details see: R&S®Web Application Firewall Release notes
Custom dashboards, visualization and searches in Kibana have to be exported before the upgrade. As we improve dashboards and visualizations through versions, the entire Kibana configuration is erased by the new version after the upgrade.
Configuration can be exported in the Management > Saved Objects menu. Exported configurations can be restored after the upgrade. For more details see Logs visualization with Kibana.
Before installing this version, backup any work that is in progress. Go to Management > Backups panel and backup all the configurations then download the backup file.
In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.
For new users, we recommend to read our Get started guide to install the product.
- Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/
- Install the product on an appliance, virtual machine or in a cloud provider. The installation is described in the Installing from ISO page
- Log into the TUI (Text User Interface) and set the role: Management or Managed (for more details see the Initializing the Management and Managed mode page)
- Repeat stages 2 and 3 for each Managed appliance, if there are any
- Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page)
It will be asked to temporary or permanently accept the certificate from the Management appliance
- If there are any, add Managed appliances to the cluster. Go to Setup > Boxes > Add
- Create request on https://my.denyall.com/ to retrieve the license. The serial number (Service Tag) of the appliance will be needed (It can be found in Setup > Boxes > Licenses, select a Box and click View). For more details, see the Request and assign a WAF license page
- Upload license(s) in the Setup > Boxes > Licenses panel
- Perform an apply of all configurations to verify that all Boxes are responding well
If any backup from 5.x or 6.x, you can restore them in the Management > Backups panel
Then perform an apply (with Cold Restart selected) on all the configurations
Update procedure with RSE
System requirements: The cluster has to be in 6.5.0 version or upper. To update in the 6.5.0 version, see Release Notes 6.5.0.
Warning, an interruption of service will occurred. The selected Box will reboot.
It is no more necessary to create a manual snapshot of the cluster configuration before upgrading to the 6.5 version. This snapshot is automatically created by the Management Console before the upgrade.
- Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
- Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page)
- Go to Management > Backups panel and backup all the configurations then download the backup file. In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances
- Optional. Go to Management > Snapshots and add a manual snapshot corresponding to the current cluster configuration then download the snapshot file
- Go to Management > System Updates and upload the RSE file
- Select the Management Box and click Install
The Management Box must be updated first, before updating Managed Boxes
Read and confirm the readme
The installation process will automatically restart the Box and the user will be disconnected from the administration interface
Wait for the Box to restart
- (Only for upgrades from R&S®Web Application Firewall 6.5.0) Reconnect on GUI and change the password to match new password policy. It is recommended to also change the TUI password for dashell user at this time.
Repeat stages 5, 6, 7 and 8 for each managed Box, if any
Perform an Apply (with Cold Restart selected) on all the configurations
At the next connection after the update, it will be asked to temporary or permanently accept the certificate from the Management appliance
- Go to Management > System Updates
Start by uninstalling Managed boxes. Select a managed Box and click Uninstall. The Box will reboot automatically.
Warning, an interruption of service will occur. The selected Box will reboot.
- Repeat stage 2 for all managed Boxes of the cluster.
Below 6.5.1 version: while uninstalling a Managed box to a version below 6.5.1, SSL certificates between Management and Managed won't be recognized any more and you will have to use the functionality "Setup > Global Settings > Disable SSL check peer" to allow to the synchronization of Managed box version on the Management box (this make take up to one minute).
Repeat stage 2 for the Management Box. You may have to refresh the System Updates View after uninstalling managed boxes.
The uninstall process will automatically restart the Box and the user will be disconnected from the administration interface
Wait for the Box to restart then log into the Management Box with the administration interface corresponding to the version.
- Restore the latest snapshot or backup corresponding to the version.
- Perform an Apply (with Cold Restart selected) on all the configurations
You can also restore previous snapshots in case of a virtualization environment.
The new user password is still needed after uninstalling the RSE. The old password is set back only after restoring the snapshot done before the upgrade and performing an Apply of the cluster.
- No labels