This document details changes introduced by the 5.5.14 LTS version for i-Suite.
This version is an LTS (Long Term Support) release. However, we invite you to use the new LTS version 5.5 of R&S®Web Application Firewall.
Revision number: 6ef08f0b21106c6d38ba8101db979048e47af588
Release date: April 23rd, 2019
Reminder of the LTS/LVS concepts:
- Long Term Support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches are issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
- Last Version Support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.
TLS 1.2 between Administration Interface and Management Box
To improve the security of the communication between the Administration Interface and the Management Box, TLS 1.2 is now used instead of TLS 1.0.
GeoIP replaced by GeoLite2
Custom IPv4 and IPv6 GeoIP (legacy) databases are now deprecated, as MaxMind stopped maintaining the free legacy databases in March 2018 and announced the end of maintenance of the commercial legacy databases for January 2019. For more details, see https://dev.maxmind.com/geoip/legacy/geolite/.
The WAF now uses GeoLite2 databases through the mod_maxminddb Apache module. Upload the country database in the Global settings > IP Geolocation database menu.
Database download page: https://dev.maxmind.com/geoip/geoip2/geolite2/
Updated components:
- OpenSSL from 1.0.2p to 1.0.2r
- Kernel from 3.16.48 to 4.9.162
- PHP from 5.6.33 to 5.6.38
- Keepalived from 1.2.15 to 1.2.24
Bug criticality levels: Serious; Moderate or with workaround; Low or cosmetic.
| ID | Description |
|---|---|
| IS-53 | SCP export regression since the paramiko library downgrade from 1.6.0 to 1.5.0 |
| IS-44 | VRRP configuration uses the wrong interface for the VIP |
| IS-15 | Backups sent via SCP from Scheduled tasks are truncated |
| | Restore focus table fails when one is already present |
| IS-18 | Cannot resolve a security log containing two variables with the same name |
| IS-19 | Cannot re-upload an RSE after a network disconnection during a previous upload |
| IS-43 | CRL update is very slow with many tunnels |
| IS-16 | Scheduled task "Export log file" does not work because of a special character in the tunnel name |
| | Java heap space error when saving an ICX policy |
| DA-9235 | The "start" attribute of the Content-Type multipart/related header can be optional |
| DA-8502 | Cannot upload a CRT file containing dhparams |
| DA-9738 | A space character in a regexp fails to match in ICX |
| DA-9409 | '\xXX'-encoded characters are sent to the external syslog (realtime alerting) |
| DA-7097 | Datastore dependencies in a Sub-Workflow are not retrieved by the Backup/Restore process |
ICX rules behavior
Before i-Suite 5.5.8, a rule with several conditions on the same field matched as soon as one of those conditions was true, whatever the selected "Match" type ("Any" or "All").
In i-Suite 5.5.8, with the Match type "All", the rule matches only if all conditions are true, regardless of which fields they apply to.
The fix for "DA-724 - Double conditions on same element in an ICX rule doesn't work" can therefore change the behavior of some ICX exception rules. With C1 on one field and C2 and C3 on another field:
Before 5.5.8: R1 = C1 AND (C2 OR C3)
In 5.5.8: R1 = C1 AND C2 AND C3
In 5.5.9, the previous behavior was reintroduced as a separate match type, "All fields" (DA-3490).
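To make the three match semantics concrete, here is an added illustration. It is not i-Suite code: the representation of a rule as a list of (field, predicate) pairs and of a request as a dict of field values is an assumption made for the example, as is the reading that "All" keeps the strict 5.5.8 semantics while "All fields" carries the pre-5.5.8 ones.

```python
"""Evaluate an ICX-style rule under the "Any", "All" and "All fields" match types.

Added example, not i-Suite code. The rule/request shapes are assumptions.
"""
from collections import defaultdict


def evaluate_rule(conditions, request, match_type):
    """Evaluate one rule against a request.

    conditions: list of (field_name, predicate) pairs; a predicate is a
                function taking the field value (or None) and returning bool.
    request:    dict mapping field name to value.
    match_type: "Any", "All" or "All fields".
    """
    results = [(field, pred(request.get(field))) for field, pred in conditions]

    if match_type == "Any":
        # One true condition is enough.
        return any(ok for _, ok in results)

    if match_type == "All":
        # 5.5.8 semantics: every condition must hold, even when several
        # conditions target the same field. Two mutually exclusive conditions
        # on one field therefore can never match together.
        return all(ok for _, ok in results)

    if match_type == "All fields":
        # Pre-5.5.8 semantics, reintroduced in 5.5.9: conditions on the same
        # field are OR-ed, and the per-field results are AND-ed.
        per_field = defaultdict(list)
        for field, ok in results:
            per_field[field].append(ok)
        return all(any(oks) for oks in per_field.values())

    raise ValueError("unknown match type: %r" % match_type)


# Constructed rule: C1 on the URL, C2 and C3 on the User-Agent header,
# i.e. the "R1 = C1 AND (C2 OR C3)" shape from the text.
RULE = [
    ("url", lambda v: v is not None and v.startswith("/api/")),  # C1
    ("user-agent", lambda v: v is not None and "curl" in v),     # C2
    ("user-agent", lambda v: v is not None and "wget" in v),     # C3
]

# Constructed requests (not captured traffic).
REQ_CURL = {"url": "/api/users", "user-agent": "curl/7.64.0"}
REQ_BROWSER = {"url": "/api/users", "user-agent": "Mozilla/5.0"}


def compare_match_types(rule, request):
    """Return {match_type: result} so the three semantics can be compared side by side."""
    return {mt: evaluate_rule(rule, request, mt) for mt in ("Any", "All", "All fields")}


if __name__ == "__main__":
    for name, req in (("curl", REQ_CURL), ("browser", REQ_BROWSER)):
        print(name, compare_match_types(RULE, req))
```

For the curl request, "All fields" matches (C1 true, C2 true) while "All" does not (C3 false): that is exactly the exception rule that stopped matching after 5.5.8 and needs its match type switched to "All fields" after 5.5.9.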
OpenSSL weak ciphers no longer supported
Since i-Suite 5.5.13 and the update to OpenSSL 1.0.2m, weak ciphers are no longer supported. The update cannot be performed until weak ciphers have been removed from all SSL Cipher Profiles.
Deprecated EXPORT ciphers in OpenSSL
Export ciphers have been deprecated since OpenSSL 1.0.1m. The update cannot be performed until these ciphers have been removed.
We also remind you that TLS clients reject handshakes with DH parameters shorter than 1024 bits (since OpenSSL 1.0.1r).
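Because the update is blocked until the weak and EXPORT ciphers are gone, and because short DH parameters break clients after the update, it pays to audit the cipher profiles and dhparams before uploading the RSE. The following is an added example, not i-Suite code: the list of what counts as "weak", the sample profiles and the constructed DH parameters are all assumptions; `openssl ciphers -v '<cipher string>'` on the appliance remains the authoritative way to see what a profile actually expands to.

```python
"""Pre-update audit: weak/EXPORT ciphers in SSL Cipher Profiles and
DH parameters shorter than 1024 bits.

Added example, not i-Suite code. WEAK_RULES, PROFILES and DH_PARAMS are
assumptions/constructed samples.
"""
import base64
import re

# Assumed classification of what the update rejects (not the product's own list).
WEAK_RULES = (
    (re.compile(r"^EXP"), "EXPORT-grade cipher"),
    (re.compile(r"NULL"), "NULL cipher"),
    (re.compile(r"RC4"), "RC4 stream cipher"),
    (re.compile(r"(^|-)DES-CBC-SHA$"), "single DES"),  # DES-CBC3-* (3DES) is not flagged
    (re.compile(r"MD5$"), "MD5 MAC"),
    (re.compile(r"^A(EC)?DH-"), "anonymous key exchange"),
)


def audit_cipher_profile(ciphers):
    """Return [(cipher, reason)] for each cipher in a profile that must be removed."""
    findings = []
    for cipher in ciphers:
        for pattern, reason in WEAK_RULES:
            if pattern.search(cipher):
                findings.append((cipher, reason))
                break
    return findings


# Minimal DER handling for PKCS#3 DH parameters: SEQUENCE { INTEGER p, INTEGER g }.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # keeps a leading 0x00 when the top bit is set
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf, pos, tag):
    """Read one TLV at pos; return (value bytes, position after it)."""
    if buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length


def dh_param_bits(pem):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block."""
    b64 = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    seq, _ = _read_tlv(der, 0, 0x30)
    p_bytes, _ = _read_tlv(seq, 0, 0x02)
    return int.from_bytes(p_bytes, "big").bit_length()


def make_dh_pem(p, g=2):
    """Encode (p, g) as PEM DH parameters. Only used to build constructed samples:
    the values below are NOT safe primes and must never be used for real TLS."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


def audit_update_readiness(profiles, dh_params, min_dh_bits=1024):
    """profiles: {name: [cipher names]}; dh_params: {name: pem}.
    Returns a list of blockers; an empty list means the update can proceed."""
    blockers = []
    for name, ciphers in profiles.items():
        for cipher, reason in audit_cipher_profile(ciphers):
            blockers.append("profile %s: remove %s (%s)" % (name, cipher, reason))
    for name, pem in dh_params.items():
        bits = dh_param_bits(pem)
        if bits < min_dh_bits:
            blockers.append("dhparam %s: %d bits, clients reject < %d" % (name, bits, min_dh_bits))
    return blockers


# Constructed samples (not taken from a real i-Suite backup).
PROFILES = {
    "legacy": ["EXP-RC4-MD5", "DES-CBC-SHA", "RC4-SHA", "AES128-SHA"],
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA"],
}
DH_PARAMS = {
    "old-512": make_dh_pem((1 << 511) | 1),
    "ok-2048": make_dh_pem((1 << 2047) | 1),
}

if __name__ == "__main__":
    for blocker in audit_update_readiness(PROFILES, DH_PARAMS):
        print(blocker)
```

In practice the cipher lists come from the SSL Cipher Profiles in the configuration backup and the dhparams from the uploaded certificate files (see DA-8502 above for CRT files that embed them); the DER parser is deliberately restricted to the PKCS#3 SEQUENCE { p, g } layout and will raise on anything else.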
Downloading the administration interface from the product
Since 5.5.0, the administration interface could be downloaded from the product interface. We have decided to remove those download links and to no longer include administration interfaces in the product.
Administration interfaces have to be downloaded from https://my.denyall.com/.
| ID | Description |
|---|---|
| IS-38 | Different behaviour between the original security log and the import from XML (parse logs) |
| IS-62 | Cannot generate report: "Failed to read result from server" |
| IS-72 | Beeshell: changing the keyboard layout does not work (qwerty) |
| IS-82 | logfilter does not handle some regexps |
| IS-39 | Security update file not found when changing the default DSU due to force_master |
| IS-33 | ntpd service fails to update the time due to a synchronization limitation |
| IS-73 | Perimetric Authentication broken after restoring a backup from a previous version |
| IS-75 | Socket graph is not complete under load |
| IS-74 | URL mappings need full user rights to be modified |
| IS-21 | Test connectivity shortcut does not choose the selected tunnel |
| IS-36 | Security log inconsistency between report and GUI display: encoding issue |
| IS-37 | Tools backend connectivity not relevant on SSL connection |
| IS-76 | Perimeter Gate unavailable until a new save and apply |
| IS-77 | Restoration wizard can select items that are not on the right box |
Large requests may not be logged in the security logs
When a request contains an attack and its header size is large (close to 64 KB), the alert is not logged in the Security Logs.
SSL accelerator cards
Concerns only appliance models IS4*00, IS5*00 and IS8*00.
Hardware acceleration must be disabled (Reverse Proxies settings). If it is not disabled, SSL performance can drop by up to 60%. This version takes advantage of the encryption instructions of the CPUs, whose performance is equivalent or superior to that of the cryptography cards. Leaving the SSL accelerator cards enabled can also cause child process segfaults on the Reverse Proxy.
100% CPU load problem
In some cases, the CPU load can rise to 100% on the PowerEdge R220.
If the problem occurs on one of your servers, install the fix by uploading the file from the menu "Setup > i-Boxes > box > i-Box Settings > Utils > Support debug script".
Fix download: CPU Load fix
Ambiguous report for RAID and power supply status
On the 2100 server, the RAID status can be misleading when a disk is in fault.
Changing the administration IP of an i-Box
The procedure "Changing the IP administration of i-Box via Beeshell" must be followed by a reboot (reboot command) of the i-Box before a connection can be established on the new IP.
Installation and Update
Notes before update
Read previous release notes
If the update skips more than one version (5.5.11 to 5.5.14, for example), we recommend that you read the previous release notes to see the changes and fixes.
For more details, see: i-Suite Release Notes
Before installing this version, back up any work in progress. Go to the Management > Backups panel, back up all the configurations, then download the backup file.
In a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.
Follow the steps hereunder to install this version of i-Suite:
- Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/
- Install the product on an appliance or a virtual machine.
- Log into the Beeshell and set the role: Management or Managed (for more details see the Initializing the Management and Managed mode page).
- Repeat stages 2 and 3 for each Managed appliance, if there are any.
- Install and connect to the Administration Interface.
- If there are any, add the Managed appliances to the cluster: go to Setup > i-Boxes > Add
- Create a request on https://my.denyall.com/ to retrieve the license. The serial number (Service Tag) of the appliance is needed (it can be found in Setup > i-Boxes > Licenses: select an i-Box and click View). For more details, see the Request and assign a WAF license page
- Upload the license(s) in the Setup > i-Boxes > Licenses panel
- Apply all the configurations to verify that all i-Boxes respond correctly
If you have backups from a 5.5 version, you can restore them in the Management > Backups panel.
Then perform an Apply (with Cold Restart selected) on all the configurations.
The following steps describe how to update the product from a 5.5.X version (lower than the new version) using the RSE system.
System requirements: the cluster must be running version 5.5.11 or later. To update to version 5.5.11, see Release Notes 5.5.11.
- Check that the i‑Box cluster is running beeware-os-5.5.11 or later.
- Download the latest Administration Interface (5.5.14) from https://my.denyall.com
- Log into the Management i‑Box with the new Interface.
- Download the beeware-os 5.5.14 RSE file to the i‑Box.
- Back up all the configurations and download the backup file.
- Select the Management i‑Box and click "Install".
The Management i‑Box must be updated first, before the managed i-Boxes.
- The installation process will automatically reboot the i‑Box.
- Repeat stages 5 and 6 for each managed i‑Box, if there are any.
- Perform an Apply (with Cold Restart selected) on all the configurations.
To uninstall the update:
- Start with the managed i-Boxes. Select a managed i‑Box and click Uninstall.
- The i-Box reboots automatically.
- Repeat stages 1 and 2 for all managed i-Boxes.
- Repeat stages 1 and 2 for the Management i-Box. The administration console will be disconnected.
- After the Management i-Box reboots, log into the Management i-Box and perform an Apply (with Cold Restart selected) on all the configurations.