
This document details changes introduced by the 5.5.14 LTS version for i-Suite.

This version is an LTS (Long Term Support) release. However, we invite you to use the new LTS version 5.5 of R&S®Web Application Firewall.

Revision number: 6ef08f0b21106c6d38ba8101db979048e47af588

Release date: April 23rd, 2019

Reminder of the LTS/LVS concepts:

  • Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches are issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
  • Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.

Minor enhancements

TLS 1.2 between Administration Interface and Management Box

To improve the security of the communication between the Administration Interface and the Management Box, the connection now uses TLS 1.2 instead of TLS 1.0.
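As an added example (not part of these release notes and not product code), the following Python probe checks which TLS versions a Management Box interface accepts, so you can confirm after the update that TLS 1.0 is refused and TLS 1.2 is accepted. It assumes the https://[IP]:3001 port mentioned on this page and uses a placeholder address you must replace; flagging TLS 1.1 as well is my own hardening expectation, the page only talks about 1.0 and 1.2.

```python
import socket
import ssl

# Assumed target: the Management Box interface on https://[IP]:3001.
# The address is a placeholder (TEST-NET-1), replace it with your own box.
MGMT_HOST = "192.0.2.10"
MGMT_PORT = 3001

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def handshake_with(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`; True if the server accepts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # we probe protocol support, not certificate trust
    # Modern OpenSSL builds refuse to even offer TLS 1.0/1.1 at the default
    # security level; lower it so a refusal really comes from the server.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                                  # LibreSSL/older builds: keep the defaults
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False                          # refused handshake or unreachable port


def probe_tls_versions(host=MGMT_HOST, port=MGMT_PORT):
    """Map each TLS version name to whether the server completed a handshake with it."""
    return {name: handshake_with(host, port, ver) for name, ver in VERSIONS.items()}


def findings(results):
    """Compare probe results with what this page describes: TLS 1.2 in, TLS 1.0 out.

    TLS 1.1 is flagged too (my assumption; the page does not mention it).
    Returns an empty list when the box behaves as expected.
    """
    problems = []
    if not results.get("TLSv1.2", False):
        problems.append("TLSv1.2 handshake refused")
    for old in ("TLSv1.0", "TLSv1.1"):
        if results.get(old, False):
            problems.append(f"{old} still accepted")
    return problems


if __name__ == "__main__":
    res = probe_tls_versions()
    for name, accepted in res.items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
    print("OK" if not findings(res) else "; ".join(findings(res)))
```

Run it from a host that can reach port 3001 of the Management Box; a False for TLS 1.0 combined with a True for TLS 1.2 is the expected result after this release. If your Python's OpenSSL was built without TLS 1.0 support, setting minimum_version raises ValueError and that version cannot be probed from that client.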

GeoIP replaced by GeoLite2

Custom IPv4 and IPv6 GeoIP databases are now deprecated, as MaxMind ended maintenance of the free legacy databases in March 2018 and will end maintenance of the commercial legacy databases in January 2019. For more details, see https://dev.maxmind.com/geoip/legacy/geolite/.

The WAF now uses GeoLite2 through the mod_maxminddb Apache module. You can upload the country database in the Global settings > IP Geolocation database menu.

Database download page: https://dev.maxmind.com/geoip/geoip2/geolite2/

How to use IP Geolocation in the workflow? See IP Geolocation.

Components upgrade

  • OpenSSL from 1.0.2p to 1.0.2r
  • Kernel from 3.16.48 to 4.9.162
  • PHP from 5.6.33 to 5.6.38
  • Keepalived from 1.2.15 to 1.2.24

Bug fixes

Bug criticality indicators:

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic.

Priority   Issue key   Summary
(error)    IS-53       SCP export regression since lib paramiko downgrade from 1.6.0 to 1.5.0
(error)    IS-44       VRRP configuration is using the wrong interface for the VIP
(error)    IS-15       Backups sent via SCP from Scheduled tasks are truncated
(warning)  IS-17       Restore focus table failed when one is already present
(warning)  IS-18       Cannot resolve security log when it contains a double variable with the same name
(warning)  IS-19       Cannot re-upload RSE after a network disconnection during a previous upload
(warning)  IS-43       CRL Update is very slow with many tunnels
(warning)  IS-16       Scheduled task "Export log file" doesn't work because of a special character in the tunnel name
(warning)  IS-32       Java heap space error when saving ICX policy
(warning)  DA-9235     Start attribute of the Content-Type multipart/related can be optional
(warning)  DA-8502     Cannot upload CRT file containing dhparams
(warning)  DA-9738     Space character in a regexp fails to match in ICX
(warning)  DA-9409     '\xXX' encoded characters are sent to the external syslog (realtime alerting)
(info)     DA-7097     Datastore dependencies in Sub-Workflow are not retrieved by the Backup/Restore process

Behavior changes

ICX rules behavior

Before i-Suite 5.5.8, a rule with several conditions on the same field matched as soon as one of those conditions was true, whatever the selected "Match" type ("Any" or "All").

In i-Suite 5.5.8, with the Match type "All", the rule matches only if all conditions are true, regardless of the fields they apply to.

The fix for "DA-724 - Double conditions on same element in an ICX rule doesn't work" can lead to a behavior change with some ICX exception rules.

Example:

C1 is a condition on field A.
C2 is a condition on field B.
C3 is a condition on field B.

R1 is a "match All" rule with C1, C2, C3.

Before 5.5.8, R1 = C1 AND (C2 OR C3)

In 5.5.8, R1 = C1 AND C2 AND C3

In 5.5.9, the previous behavior was reintroduced as the "All fields" match type (DA-3490). Exception rules that relied on conditions on the same field being OR-ed should use that match type.
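To make the three semantics concrete, here is an added Python model of the rule evaluation described above (example code written for this page, not the product's ICX engine). The field names, predicates and the request are constructed for illustration; only the match-type semantics ("Any", "All", "All fields") and the C1/C2/C3 layout come from the text.

```python
from collections import defaultdict

ANY, ALL, ALL_FIELDS = "Any", "All", "All fields"


def evaluate_rule(conditions, match_type, request):
    """Evaluate an ICX-style rule against `request` (a dict of field -> value).

    conditions: list of (field, predicate) pairs; the predicate gets the field value.

    "Any":        matches as soon as one condition is true.
    "All":        5.5.8 semantics, every condition must be true, whatever
                  field it applies to.
    "All fields": pre-5.5.8 semantics, reintroduced in 5.5.9 as its own
                  match type (DA-3490): conditions on the same field are
                  OR-ed, and every field must have at least one true condition.
    """
    results = [(field, bool(pred(request.get(field, "")))) for field, pred in conditions]
    if match_type == ANY:
        return any(hit for _, hit in results)
    if match_type == ALL:
        return all(hit for _, hit in results)
    if match_type == ALL_FIELDS:
        per_field = defaultdict(list)
        for field, hit in results:
            per_field[field].append(hit)
        return all(any(hits) for hits in per_field.values())
    raise ValueError(f"unknown match type: {match_type!r}")


# The page's layout: C1 on field A, C2 and C3 on field B.  Field names and
# predicates are constructed for this example, not product defaults.
C1 = ("uri", lambda v: v.startswith("/admin"))      # field A
C2 = ("user_agent", lambda v: "curl" in v)          # field B
C3 = ("user_agent", lambda v: "wget" in v)          # field B
R1 = [C1, C2, C3]

# Constructed request: C1 and C2 hold, C3 does not.
SAMPLE_REQUEST = {"uri": "/admin/login", "user_agent": "curl/7.64.0"}


def page_example(request=SAMPLE_REQUEST):
    """R1's verdict under each semantics for the constructed request."""
    return {
        "Any": evaluate_rule(R1, ANY, request),
        "All (5.5.8)": evaluate_rule(R1, ALL, request),                 # C1 AND C2 AND C3
        "All fields (pre-5.5.8 / 5.5.9)": evaluate_rule(R1, ALL_FIELDS, request),  # C1 AND (C2 OR C3)
    }


if __name__ == "__main__":
    for mode, verdict in page_example().items():
        print(f"{mode:32s} -> {'match' if verdict else 'no match'}")
```

For the constructed request, "All" does not match (C3 is false) while "All fields" does, which is exactly the difference an exception rule written before 5.5.8 can hit after the upgrade.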

OpenSSL weak ciphers no longer supported

Since i-Suite 5.5.13 and the update to OpenSSL 1.0.2m, weak ciphers are no longer supported. The update cannot be performed until weak ciphers have been removed from all SSL Cipher Profiles.

Deprecated EXPORT ciphers in OpenSSL

Export ciphers have been deprecated since OpenSSL 1.0.1m. The update cannot be performed until these ciphers are removed.

Removed ciphers (anonymous DH and ECDH suites, which provide no server authentication and are open to man-in-the-middle attacks):

  • ADH-AES256-GCM-SHA384
  • ADH-AES256-SHA256
  • ADH-AES256-SHA
  • ADH-CAMELLIA256-SHA
  • ADH-AES128-GCM-SHA256
  • ADH-AES128-SHA256
  • ADH-AES128-SHA
  • ADH-SEED-SHA
  • ADH-CAMELLIA128-SHA
  • ADH-RC4-MD5
  • ADH-DES-CBC3-SHA
  • AECDH-AES256-SHA
  • AECDH-AES128-SHA
  • AECDH-RC4-SHA
  • AECDH-DES-CBC3-SHA
  • AECDH-NULL-SHA

We also remind you that TLS clients reject handshakes with DH parameters shorter than 1024 bits (since OpenSSL 1.0.1r).
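The two pre-update checks a practitioner wants here are "does any SSL Cipher Profile still contain a removed or export-grade suite?" and "are my DH parameters at least 1024 bits?". The following Python is an added example for both (not product code and not the update's own validation): the list of removed suites is the one above, the broader weak-family patterns are my own assumption, and the DH check parses the PKCS#3 DER structure directly so it needs no external library. The make_dh_pem helper only builds constructed test input; the integers it encodes are not real DH groups.

```python
import base64
import re

# The anonymous DH/ECDH suites this page lists as removed.
REMOVED_CIPHERS = {
    "ADH-AES256-GCM-SHA384", "ADH-AES256-SHA256", "ADH-AES256-SHA",
    "ADH-CAMELLIA256-SHA", "ADH-AES128-GCM-SHA256", "ADH-AES128-SHA256",
    "ADH-AES128-SHA", "ADH-SEED-SHA", "ADH-CAMELLIA128-SHA", "ADH-RC4-MD5",
    "ADH-DES-CBC3-SHA", "AECDH-AES256-SHA", "AECDH-AES128-SHA",
    "AECDH-RC4-SHA", "AECDH-DES-CBC3-SHA", "AECDH-NULL-SHA",
}
# Families also treated as weak (my assumption, broader than the page's list):
# export-grade, anonymous key exchange, NULL encryption, RC4, single DES, MD5.
WEAK_PATTERN = re.compile(r"^(EXP|ADH-|AECDH-)|NULL|RC4|^DES-CBC-|MD5")
# OpenSSL cipher-string keywords that pull weak suites in when not prefixed by '!'.
WEAK_KEYWORDS = {"EXPORT", "EXP", "LOW", "aNULL", "eNULL", "NULL", "RC4", "MD5", "DES"}


def audit_cipher_profile(profile):
    """Classify each entry of an OpenSSL-style cipher string.

    Returns the removed suites found, other weak entries, the entries kept,
    and a sanitized profile string with the offenders dropped.
    """
    removed, weak, kept = [], [], []
    for raw in profile.split(":"):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("!") or entry.startswith("@"):
            kept.append(entry)                 # exclusions and @SECLEVEL/@STRENGTH are fine
            continue
        name = entry.lstrip("+-")              # '+' / '-' are ordering modifiers
        if name in REMOVED_CIPHERS:
            removed.append(entry)
        elif name in WEAK_KEYWORDS or WEAK_PATTERN.search(name):
            weak.append(entry)
        else:
            kept.append(entry)
    return {"removed": removed, "weak": weak, "kept": kept, "sanitized": ":".join(kept)}


def _der_len(n):
    """DER length encoding (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(der, pos):
    """Decode a DER length at `pos`; return (length, position after it)."""
    first = der[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(der[pos:pos + n], "big"), pos + n


def dh_prime_bits(pem):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' block:
    SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }"""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _read_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, pos = _read_len(der, pos + 1)
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()


def dh_params_acceptable(pem, minimum_bits=1024):
    """True if OpenSSL >= 1.0.1r clients will accept these parameters."""
    return dh_prime_bits(pem) >= minimum_bits


def make_dh_pem(p, g=2):
    """Constructed test input only: encode arbitrary integers as DH PARAMETERS."""
    def der_int(n):
        b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        if b[0] & 0x80:
            b = b"\x00" + b                    # keep the INTEGER positive
        return b"\x02" + _der_len(len(b)) + b
    body = der_int(p) + der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    return ("-----BEGIN DH PARAMETERS-----\n"
            + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")


if __name__ == "__main__":
    print(audit_cipher_profile("ECDHE-RSA-AES128-GCM-SHA256:ADH-AES128-SHA:EXP-RC4-MD5:!aNULL"))
    print(dh_prime_bits(make_dh_pem((1 << 1023) | 1)), "bit DH parameters")
```

Feed each SSL Cipher Profile string to audit_cipher_profile before launching the update; anything in "removed" blocks the update per the note above, and "weak" lists what I would drop anyway. For a real dhparam file, dh_prime_bits(open("dh.pem").read()) gives the same number that openssl dhparam -in dh.pem -text -noout prints.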

Downloading administration interface from product

Since 5.5.0, the administration interface could be downloaded from the https://[IP]:3001 interface. We have decided to remove those download links and to no longer ship the administration interfaces in the product.

Administration interfaces must be downloaded from https://my.denyall.com/.

Known issues

General

Issue key   Summary
IS-38       Different behaviour between original security log and import from XML (parse logs)
IS-62       Cannot generate report: Failed to read result from server
IS-72       Beeshell: changing the keyboard layout does not work (qwerty)
IS-82       logfilter not handling some regexps
IS-39       Security update file not found when changing the default DSU due to force_master
IS-33       ntpd service fails to update time due to synchronization limitation
IS-73       Perimetric Authentication broken after restoring a backup from a previous version
IS-75       Socket graph is not complete under load
IS-74       URL mappings need full user rights to be modified
IS-21       Test connectivity shortcut does not choose the selected tunnel
IS-36       Security log inconsistency between report & GUI display: encoding issue
IS-37       Tools backend connectivity not relevant on SSL connection
IS-76       Perimeter Gate unavailable until new save and apply
IS-77       Restoration wizard can select items that are not on the right box

Large request may not be logged in security logs

When a request contains an attack and its header size is large (close to 64 KB), the alert is not logged in the Security Logs.

SSL accelerator cards

Concerns only appliance models IS4*00, IS5*00 and IS8*00.

Hardware acceleration must be disabled (Reverse Proxies settings). If it is not disabled, SSL performance can be reduced by up to 60%. This version takes advantage of the cryptographic capabilities of the CPUs, whose performance is equivalent or superior to that of the cryptography cards. Leaving the SSL accelerator cards enabled can also cause a child segfault on the Reverse Proxy.

100% CPU load problem

In some cases, the CPU load can rise to 100% on PowerEdge R220 servers.

If the problem occurs on one of your servers, install the following fix by uploading the file from the menu Setup > i-Boxes > box > i-Box Settings > Utils > Support debug script.

Fix download: CPU Load fix

Ambiguous report for raid and power supply status

On 2100 servers, the RAID status can be misleading when a disk is in fault.

Changing the IP administration of i-Box

The procedure Changing the IP administration of i-Box via Beeshell must be followed by a reboot (reboot command) of the i-Box before a connection can be established on the new IP.

Appendix

Installation and Update

Notes before update

Read previous release notes

If the update jumps more than one version (5.5.11 to 5.5.14, for example), we recommend reading the previous release notes to see the changes and fixes.

For more details see: i-Suite Releases Notes

Configuration Backup

Before installing this version, back up any work in progress. Go to the Management > Backups panel, back up all the configurations, then download the backup file.

In a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.

Installation procedure

Follow the steps hereunder to install this version of i-Suite:

  1. Download the ISO file and the Administration Interface from the customer area at https://my.denyall.com/
  2. Install the product on an appliance or a virtual machine.
  3. Log into the Beeshell and set the role: Management or Managed (for more details, see the Initializing the Management and Managed mode page).
  4. Repeat stages 2 and 3 for each Managed appliance, if there are any.
  5. Install and connect to the Administration Interface.
  6. If there are any, add the Managed appliances to the cluster: go to Setup > i-Boxes > Add.
  7. Create a request on https://my.denyall.com/ to retrieve the license. The serial number (Service Tag) of the appliance will be needed (it can be found in Setup > i-Boxes > Licenses: select an i-Box and click View). For more details, see the Request and assign a WAF license page.
  8. Upload the license(s) in the Setup > i-Boxes > Licenses panel.
  9. Perform an Apply of all configurations to verify that all i-Boxes respond correctly.
  10. If you have backups from a 5.5 version, restore them in the Management > Backups panel.
  11. Then perform an Apply (with Cold Restart selected) on all the configurations.

Update procedure

The following steps describe how to update the product from a version 5.5.X (lower than the new version) using the RSE system.

System requirements: the cluster must already be running version 5.5.11 or higher. To update to 5.5.11 first, see Release Notes 5.5.11.

  1. Check that the i‑Box cluster is running beeware-os-5.5.11 or higher.
  2. Download the latest Administration Interface (5.5.14) from https://my.denyall.com
  3. Log into the Management i‑Box with the new Interface.
  4. Download the beeware-os 5.5.14 RSE file to the i‑Box.
  5. Back up all the configurations and download the backup file.
  6. Select the Management i‑Box and click "Install".

    The Management i‑Box must be updated first, before any managed i-Box.

  7. The installation process automatically reboots the i‑Box.
  8. Repeat stages 6 and 7 for each managed i‑Box, if there are any.
  9. Perform an Apply (with Cold Restart selected) on all the configurations.

Uninstall procedure

  1. Uninstall the managed i-Boxes first: select a managed i‑Box and click Uninstall.
  2. The i-Box reboots automatically.
  3. Repeat stages 1 and 2 for all managed i-Boxes.
  4. Repeat stages 1 and 2 for the Management i-Box. The administration console will be disconnected.
  5. After the Management i-Box reboots, log into it and perform an Apply (with Cold Restart selected) on all the configurations.
