
This document details the changes introduced by version 6.5 LTS of the R&S® Web Application Firewall.

This version is an LTS (Long Term Support) release.

Revision number: 430dd93+b7378

Release date: December 13th, 2018 

Reminder of the LTS/LVS concepts:

  • Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches are issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
  • Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.

Major enhancements

GeoIP replaced by GeoLite2

Custom IPv4 and IPv6 GeoIP (legacy) databases are now deprecated: Maxmind ended the maintenance of the free legacy databases in March 2018 and will end the maintenance of the commercial legacy databases in January 2019. For more details, see https://dev.maxmind.com/geoip/legacy/geolite/.

The WAF now uses GeoLite2 through the Apache mod_maxminddb module. You can upload the country database in the Global settings > IP Geolocation database menu.

Database download page: https://dev.maxmind.com/geoip/geoip2/geolite2/

Info: to use IP Geolocation in a workflow, see the IP Geolocation page.
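As an added illustration, not the WAF's own (GUI-generated) configuration: a generic Apache httpd snippet showing how mod_maxminddb exposes a GeoLite2-Country lookup as request environment variables, and how that result can drive a block decision. The database path, the MM_* variable names, the /admin location and the FR/DE country list are assumptions made for the example.

```apache
# Added example: generic Apache httpd + mod_maxminddb configuration.
# Assumed path, variable names and policy; not the WAF's generated configuration.
<IfModule mod_maxminddb.c>
    MaxMindDBEnable On
    # GeoLite2-Country.mmdb from the MaxMind download page (assumed path)
    MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
    # Map fields of the lookup result for the client address onto env variables
    MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code
    MaxMindDBEnv MM_COUNTRY_NAME COUNTRY_DB/country/names/en
</IfModule>

# Example policy: refuse /admin unless the client address geolocates to FR or DE.
# An address absent from the database (private ranges, new allocations) leaves
# MM_COUNTRY_CODE unset; the negated match below therefore blocks it too,
# which is the safe default for an admin path. Decide this case explicitly.
<Location "/admin">
    RewriteEngine On
    RewriteCond %{ENV:MM_COUNTRY_CODE} !^(FR|DE)$
    RewriteRule ^ - [F]
</Location>
```

Two checks worth making before relying on such a rule: the lookup is performed on the address the server treats as the client address, so behind a load balancer or upstream proxy the geolocated address is the proxy's unless the real client address is restored first (mod_remoteip or an equivalent); and the GeoLite2 database ages quickly, so schedule its refresh.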

Administration interface certificate

SSL certificate verification between the administration interface and the WAF has been strengthened. You will be disconnected from the interface at the first apply (all) after the upgrade, because the previous certificate is no longer trusted. We recommend updating your certificate at the next authentication. See the Global Settings page for more information about the GUI certificate.

Password update for WAF administrators and TUI

Passwords have to be updated to meet new security recommendations.

WAF administrators and the dashell user will have to update their password on the first connection after the upgrade to version 6.5.1.

For more details, see the Password Policies page.

TLS enabled between Poller and Pooler nodes

Pooling mode has been enhanced to enforce encryption of the data exchanged between pooler and poller nodes. The WAF automatically enables the required options in the SSL panel of Poller nodes when such a tunnel is created. See the Poller documentation for more information.

Kibana dashboards updated

Kibana dashboards have been updated; custom dashboards and visualizations will be discarded by the upgrade. Export your custom Kibana configuration before upgrading.

SSLProxyHelloNoTLSExt directive no longer supported

If a backend used an old OpenSSL version (older than 0.9.7d), the error "Error during SSL Handshake with remote server" appeared in the tunnel debug logs. Before version 6.5.1, setting the "SSLProxyHelloNoTLSExt on" directive in the tunnel's Advanced Parameters allowed the handshake with the backend to succeed by omitting TLS extensions from the ClientHello.

This directive is no longer supported for security reasons: it has to be removed from the Advanced Parameters, and a backend that still fails the handshake without it should be updated.

Minor enhancements

Components upgrade

  • Apache from 2.4.33 to version 2.4.35
  • OpenSSL from 1.0.2o to version 1.0.2p
  • KeepAlived from 1.3.5 to version 2.0.7
  • Kernel from 3.10.0-693.21.1 to version 3.10.0-862.11.6

Components added

  • Open-vm-tools 10.1.10-3.el7_5.1 (enables VMware Tools support)

Bug fixes

Bug criticality indicators:

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic.

System

  • (error) [WAF-404] AWS: Partition size cannot be enlarged
  • (error) [WAF-444] AWS: Partition deleted after second reboot when a customer upgrades his version with RSE
  • (error) [DA-9133] SCP export regression since lib paramiko downgrade from 1.6.0 to 1.5.0

Backup/Restore

  • (error) [WAF-160] Impossible to restore an rWeb 4.2.1 backup
  • (error) [WAF-443] Missing static blacklists when creating a backup
  • (error) [DA-9534] Apply error on imported / migrated alerting destinations
  • (warning) [WAF-22] Restoring rWeb backup: path traversal engine is always activated
  • (warning) [WAF-27] After rules on eaccess are not loaded on apply
  • (warning) [WAF-70] Lost remote filesystem password when restoring a backup from 5.5.x

Workflow

  • (error) [WAF-23] Apply can time out while checking workflows when system entropy is low
  • (error) [WAF-383] Subrequest node configured with POST method fails
  • (error) [DA-9235] Start attribute of the Content-Type multipart/related can be optional
  • (error) [DA-9680] NTLM authentication with UTF-8 (non-ASCII) fields doesn't work
  • (warning) [DA-9508] Sitemap: type 'string' validation on special UTF-8 characters doesn't work
  • (warning) [DA-9749] Cookie Set node: Secure flag missing when enabling HTTP/2 in tunnel configuration
  • (warning) [DA-9738] Space character in a regexp fails to match in libicx
  • (warning) [DA-8106] Workflow session cache dependencies are missing in backup

RP/Tunnel

  • (error) [WAF-894] SSLRenegBufferSize directive (in an advanced parameter) leads to HTTP 502 errors on the tunnel
  • (error) [DA-9765] SSL directives in a <Location> (advanced parameter) don't work

SNMP

  • (error) [WAF-504] SNMP values are not returned by the plugin but are present in the MIB
  • (error) [WAF-158] Massive SNMP logs in /var/log/messages for each SNMP request
  • (error) [WAF-158] SNMP plugin returns incorrect types

WAM

  • (error) [WAF-584] Proxy Request: NTLM offset error
  • (warning) [DA-8692] Unable to change the WAM password of a "must reset password" user with the option "use user account ..."
  • (warning) [DA-7122] In some cases authorizations are broken after a WAM apply

Monitor

  • (error) [WAF-153] Alert destinations are notified only when the status is red and on changing value
  • (error) [WAF-5] Monitoring of VRRP Active/Active members doesn't work
  • (error) [DA-8886] VIP metrics remain red even after removing all VRRP configuration
  • (warning) [WAF-536] Distributed Datastore monitoring: useless warning
  • (warning) [WAF-548] Keepalived process status metric is not monitored after apply
  • (warning) [DA-9402] Monitoring: no HA values with multiple HA clusters
  • (info) [WAF-465] Backend status monitoring is spamming when the tunnel is set up as HA active/passive

Administration interface (GUI)

  • (error) [WAF-413] Download URL field for CRL auto update does not accept a query string
  • (error) [DA-9855] GUI latency when refreshing a list with big selections
  • (warning) [WAF-931] RSE installation in Azure environment: GUI may lose connection with the updater
    The administration interface may lose its connection with the updater system during the installation. This disconnection does not interfere with the installation.
    If it happens, wait a few minutes for the installation to finish. In any case, do not shut down or reboot the system.
  • (warning) [DA-9402] Sitemap: GUI does not display a required parameter as required
  • (warning) [DA-9413] Missing certificate when using the tunnel wizard with "generate certificate"
  • (warning) [DA-7830] Refresh issue on IAM Application Authentication type fields
  • (info) [WAF-403] Auto-Resolve creates a Security Exception Rule with an attack family in the title that does not match the real attack family of the pattern
  • (info) [DA-9505] Default exception profile is not visible in the configuration explorer or in the current configuration of the restore wizard
  • (info) [DA-5701] "Maps role on attribute" profile is not displayed in the GUI Authentication form

REST API

  • (error) [DA-9777] REST API: performance issue with many tunnels
  • (error) [DA-9844] REST API: enabling access log in database on a tunnel doesn't work
  • (error) [DA-9408] REST API: PATCH tunnel securityFormat is not working
  • (error) [DA-9873] REST API: cannot link a workflow name at tunnel creation

Miscellaneous

  • (error) [WAF-21] Distributed Datastore failover request timeout
  • (error) [WAF-51] Scheduled report generation failed
  • (error) [DA-9446] Generate Report scheduled task doesn't work
  • (error) [DA-9358] When using the "Replace Box" feature the webservice doesn't restart with the new administration IP
  • (error) [DA-9359] Connectivity tools don't handle IPv6 correctly
  • (error) [DA-9510] Loss of static content resources after some applies
  • (warning) [DA-9409] '\xXX' encoded characters are sent to the external syslog (realtime alerting)
  • (warning) [DA-9690] Event logs: no item names, only UIDs displayed
  • (info) [DA-9769] URL overflow in Kibana: default URLs are too long
  • (info) [DA-9748] Default filter on Appliance Kibana dashboard is set on Management
  • (info) [DA-9839] Default Kibana searches use deprecated fields
  • (info) [DA-9391] Kibana dashboards: timeframe issue and typo

Known issues

  • [WAF-516] Loss of logs in Elasticsearch on high load (logs from workflow)
    Under very high load, a few logs can be lost when most of the requests are blocked by security engines
  • [WAF-541] Unable to create VLANs on bonded interfaces
  • [WAF-873] Using the "matches pattern" condition in a workflow context exception rule leads to an apply timeout (infinite loop)
  • [WAF-624] [rWeb Migration] EAccessUriTrans multipart-form-data & auto-file-upload are not available in the Blacklist engine
  • [WAF-184] Security exception doesn't work if there is no workflow context
  • [WAF-401] Security Exception Rules edition: in "Workflow Context", the value disappears when typing text into the value field and changing to "matches regexp"
  • [WAF-503] WAM: some hashes don't work for the SMS gateway
  • [WAF-475] No matching value for blacklist and scoringlist (no highlight)
  • [WAF-543] Backend response time higher than total response time
  • [WAF-662] Debug logs from other tunnels (not in debug) appear in the error log
  • [WAF-723] Perimetric Authentication broken after restoring a backup from 5.5.9
  • [WAF-44] No program name in logs sent to external syslog/SIEM
  • [WAF-880] GUI latency with a huge tunnel configuration
  • [WAF-481] Backend monitoring fails with protocol error: wrong curve
  • [WAF-175] "Block unknown hostname" logs are not sent to the syslog server
  • [WAF-597] An SMTP profile can be created through the event log alerting menu but cannot be used
  • [WAF-715] WAM Application Access with NTLMv2 strips Proxy-Authorization
  • [WAF-552] Secondary tunnel names differ between Kibana and the GUI: special characters are removed or replaced
    Some special characters such as # in the name of secondary tunnels are replaced by '_' (underscore) in Kibana panels
  • [WAF-24] BWSESSID is not set when using LB members in URL Mapping
  • [WAF-492] Value sent in SNMP for tunnelListenStatus is not the right one
  • [WAF-522] Workflow revalidation issue with invalid subworkflows
  • [WAF-721] Perimeter Gate unavailable until a new save and apply in the GUI
  • [WAF-702] URL mappings require full user rights to be modified
  • [WAF-578] No information given when a Reverse Proxy fails to start due to certificates
  • [WAF-670] GUI XLS export default name contains characters that are illegal on Windows
  • [WAF-694] BWSESSID cookie allows extra characters at the end of the value
    Characters can be appended to the value of the BWSESSID cookie without breaking the corresponding session
  • [WAF-611] Password policy check displays an error when changing the TUI password

Appendix

Installation and Upgrade

Configuration Backup

Before installing this version, back up any work in progress: go to the Management > Backups panel, back up all configurations, then download the backup file.

In a virtualization environment, you may also stop the virtual appliance and take a backup (snapshot) of your appliances.

Installation procedure 

For new users, we recommend reading our Get started guide to install the product.

See the page: Installation procedure from the ISO

Update procedure 

See the page: Update procedure from the RSE

At the first connection after the update, you will be asked to temporarily or permanently accept the certificate of the Management appliance (for more details see the Connection certificates page).

Uninstall procedure

See the page: Uninstall procedure
