This document details the changes introduced in version 6.5 LTS of the R&S®Web Application Firewall.
This version is an LTS (Long Term Support) release.
Revision number: 430dd93+b7378
Release date: December 13th, 2018
Reminder of the LTS/LVS concepts:
- Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches will be issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
- Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches are issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.
GeoIP replaced by GeoLite2
Custom IPv4 and IPv6 GeoIP databases are now deprecated, as MaxMind stopped maintaining the free legacy databases in March 2018 and will stop maintaining the commercial legacy databases in January 2019. For more details, see https://dev.maxmind.com/geoip/legacy/geolite/.
The WAF now uses GeoLite2 through the mod_maxminddb Apache module. You can upload the country database under Global settings > IP Geolocation database.
Database download page: https://dev.maxmind.com/geoip/geoip2/geolite2/
How to use IP Geolocation in a workflow: see IP Geolocation.
Administration interface certificate
SSL certificate verification between the administration interface and the WAF has been improved for better security. All administrators will be prompted to accept the new certificate, as the previous certificate is no longer trusted. We recommend updating your certificate at the next authentication. See the Global Settings page for more information about the GUI certificate.
Password update for WAF administrators and TUI
Passwords have to be updated to meet new security recommendations.
WAF administrators and the dashell user will have to update their password at the first connection after upgrading to version 6.5.1.
For more details, see the Password Policies page.
TLS enabled between Poller and Pooler nodes
Pooling mode has been enhanced to enforce encryption of the data sent between pooler and poller nodes. The WAF automatically enables the required options in the SSL panel of Poller nodes when such a tunnel is created. See the Poller documentation for more information.
Kibana dashboards updated
Kibana dashboards have been updated; any custom dashboards and visualizations you created will be discarded. Export your custom Kibana configuration before upgrading.
SSLProxyHelloNoTLSExt directive no longer supported
If the backend used an old OpenSSL version (older than 0.9.7d), the error "Error during SSL Handshake with remote server" appeared in the tunnel debug logs. Until version 6.5.1, setting the "SSLProxyHelloNoTLSExt on" directive in the tunnel's Advanced Parameters allowed the handshake with such a backend to succeed.
This directive, which suppressed TLS extensions in the ClientHello sent to the backend, is no longer supported for security reasons: a ClientHello without extensions cannot signal secure renegotiation (RFC 5746) or SNI, and OpenSSL releases that old are long out of support. Remove the directive from Advanced Parameters and update the backend if this situation occurs.
Third-party components updated
- Apache from 2.4.33 to 2.4.35
- OpenSSL from 1.0.2o to 1.0.2p
- Keepalived from 1.3.5 to 2.0.7
- Kernel from 3.10.0-693.21.1 to 3.10.0-862.11.6
- open-vm-tools 10.1.10-3.el7_5.1 (allows use of VMware Tools)
Bug criticality indicators: Serious, Moderate or with workaround, Low or cosmetic.
- AWS: Partition size cannot be enlarged
- AWS: Partition deleted after the second reboot when the customer upgrades the version with RSE
- SCP export regression since the paramiko library was downgraded from 1.6.0 to 1.5.0
- [WAF-160] Impossible to restore a rWeb 4.2.1 backup
- [WAF-443] Missing static blacklists when creating a backup
- [DA-9534] Apply error on imported / migrated alerting destinations
- [WAF-22] Restoring a rWeb backup: path traversal engine is always activated
- [WAF-27] After rules on eaccess are not loaded on apply
- [WAF-70] Remote filesystem passwords lost while restoring a backup from 5.5.x
- [WAF-23] Apply can time out while checking workflows when system entropy is low
- [WAF-383] Subrequest node configured with the POST method fails
- [DA-9235] The start attribute of the Content-Type multipart/related can be optional
- [DA-9680] NTLM authentication with UTF-8 (non-ASCII) fields doesn't work
- [DA-9508] Sitemap: type 'string' validation on special UTF-8 characters doesn't work
- [DA-9749] Cookie Set node: Secure flag missing when enabling HTTP/2 in the tunnel configuration
- [DA-9738] Space character in a regexp fails to match in libicx
- [DA-8106] Workflow session cache dependencies are missing in backup
- [WAF-894] SSLRenegBufferSize directive (in an advanced parameter) leads to HTTP 502 errors on the tunnel
- [DA-9765] SSL directives in a <Location> block don't work (advanced parameter)
- SNMP values are not returned by the plugin but are present in the MIB
- Massive SNMP logs in /var/log/messages for each SNMP request
- SNMP plugin returns incorrect types
- Proxy Request: NTLM offset error
- Unable to change the WAM password of a "must reset password" user with the option "use user account ..."
- In some cases authorizations are broken after a WAM apply
- [WAF-153] Alerts are sent to destinations only when the status is red and when the value changes
- [WAF-5] Monitoring of VRRP Active/Active members doesn't work
- [DA-8886] VIP metrics remain red even after removing all VRRP configuration
- [WAF-536] Distributed Datastore monitoring: useless warning
- [WAF-548] Keepalived process status metric is not monitored after apply
- [DA-9402] Monitoring: no HA values with multiple HA clusters
- [WAF-465] Backend status monitoring spams when the tunnel is set up as HA active/passive
Administration interface (GUI)
- [WAF-413] Download URL field for CRL auto-update does not accept a query string
- [DA-9855] GUI latency when refreshing a list with large selections
- RSE installation in an Azure environment: the GUI may lose connection with the updater
The administration interface may lose connection with the updater system during the installation. This disconnection does not interfere with the installation.
If this happens, wait a few minutes for the installation to finish. In any case, do not shut down or reboot the system.
- [DA-9402] Sitemap: GUI does not display a required parameter as required
- [DA-9413] Missing certificate when using the tunnel wizard with "generate certificate"
- [DA-7830] Refresh issue on IAM Application Authentication type fields
- [WAF-403] Auto-Resolve creates a Security Exception Rule with an attack family in the title that does not match the real attack family of the pattern
- [DA-9505] Default exception profile is not visible in the configuration explorer or in the current configuration of the restore wizard
- [DA-5701] Map role on attribute profile is not displayed in the GUI Authentication form
- REST API: performance issue with many tunnels
- REST API: enabling the access log in database on a tunnel doesn't work
- REST API: PATCH tunnel securityFormat is not working
- [DA-9873] REST API: cannot link a workflow by name at tunnel creation
- [WAF-21] Distributed Datastore failover request timeout
- [WAF-51] Scheduled report generation failed
- [DA-9446] Generate Report scheduled task doesn't work
- [DA-9358] When using the "Replace Box" feature the web service doesn't restart with the new administration IP
- [DA-9359] Connectivity tools don't handle IPv6 correctly
- [DA-9510] Loss of static content resources after some applies
- [DA-9409] '\xXX'-encoded characters are sent to the external syslog (realtime alerting)
- [DA-9690] Event logs: no item names, only UIDs displayed
- [DA-9769] URL overflow in Kibana: default URLs are too long
- [DA-9748] Default filter on the Appliance Kibana dashboard is set to Management
- [DA-9839] Default Kibana searches use deprecated fields
- [DA-9391] Kibana dashboards: timeframe issue and typo
- [WAF-516] Loss of logs in Elasticsearch under high load (logs from workflow)
Under very high load, a few log entries can be lost when most requests are blocked by the security engines
- Unable to create VLANs on bonded interfaces
- [WAF-873] Using the "matches pattern" condition in a workflow context exception rule leads to an apply timeout (infinite loop)
- [WAF-624] [rWeb Migration] EAccessUriTrans multipart-form-data & auto-file-upload are not available in the Blacklist engine
- [WAF-184] Security exception doesn't work if there is no workflow context
- Security Exception Rules editing: in "Workflow Context", the value disappears when typing text into the value field and switching to "matches regexp"
- [WAF-503] WAM: some hashes don't work for the SMS gateway
- [WAF-475] No matching value for blacklist and scoringlist (no highlight)
- [WAF-543] Backend response time higher than total response time
- [WAF-662] Debug logs from other tunnels (not in debug mode) appear in the error log
- [WAF-723] Perimetric Authentication broken after restoring a backup from 5.5.9
- [WAF-44] No program name in logs sent to external syslog/SIEM
- GUI latency with a huge tunnel configuration
- Backend monitoring fails with protocol error: wrong curve
- [WAF-597] SMTP profile can be created through the event log alerting menu but cannot be used
- [WAF-715] WAM Application Access with NTLMv2 strips Proxy-Authorization
- [WAF-552] Secondary tunnel names differ between Kibana and the GUI: special characters are removed or replaced
Some special characters such as # in the name of secondary tunnels are replaced by '_' (underscore) in Kibana panels
- [WAF-24] BWSESSID is not set when using LB members in URL Mapping
- [WAF-492] Values sent in SNMP for tunnelListenStatus are wrong
- [WAF-522] Workflow revalidation issue with invalid subworkflows
- [WAF-721] Perimeter Gate unavailable until a new save and apply in the GUI
- [WAF-702] URL mappings need full user rights to be modified
- [WAF-578] No information given when a Reverse Proxy fails to start due to certificates
- [WAF-670] GUI XLS export default name contains characters that are illegal on Windows
- [WAF-694] BWSESSID cookie allows extra characters at the end of the value
Characters can be appended to the value of the BWSESSID cookie without invalidating the corresponding session
- [WAF-611] Password policy check displays an error when changing the TUI password
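The symptom listed under [WAF-694] above, a session cookie that is still honoured after arbitrary characters are appended to its value, is what a prefix-tolerant lookup produces. The following Python is an added illustration, not code from the WAF or from these release notes: it contrasts a lookup that accepts any value starting with a known ID with a strict one that validates the cookie's format before comparing it. The session store, the 32-hex-character ID format and the Cookie header are constructed assumptions for the example.

```python
import hmac
import re

# Constructed sample session store for this example (not WAF data).
SESSIONS = {
    "3f9c2a7d4b1e8c6f0a5d9b2e7c4f1a8d": "alice",
    "9b1d7e3c5a2f8e4d6c0b3a7f1e9d5c2b": "bob",
}
# Assumed ID format: exactly 32 lowercase hex characters. \A and \Z anchor the
# whole string; a bare "$" would still accept a value with a trailing newline.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def get_cookie(header, name):
    """Return the value of cookie `name` from a Cookie request header, else None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def resolve_prefix(cookie_value, store=SESSIONS):
    """Defective lookup reproducing the WAF-694 symptom: any value that merely
    starts with a stored ID is accepted, so appended characters are ignored."""
    if cookie_value is None:
        return None
    for sid, user in store.items():
        if cookie_value.startswith(sid):
            return user
    return None


def resolve_strict(cookie_value, store=SESSIONS):
    """Hardened lookup: reject anything that is not exactly a well-formed ID,
    then compare in constant time so the loop leaks nothing about stored IDs."""
    if cookie_value is None or not SESSION_ID_RE.match(cookie_value):
        return None
    for sid, user in store.items():
        if hmac.compare_digest(cookie_value, sid):
            return user
    return None


if __name__ == "__main__":
    # Constructed request header: a valid ID with "-extra" appended.
    header = "lang=en; BWSESSID=3f9c2a7d4b1e8c6f0a5d9b2e7c4f1a8d-extra"
    value = get_cookie(header, "BWSESSID")
    print("prefix lookup:", resolve_prefix(value))  # alice: the suffixed cookie still resolves
    print("strict lookup:", resolve_strict(value))  # None
```

The practical consequence of the defective variant is that one session answers to an unbounded set of cookie values, which defeats anything keyed on the raw value: revocation lists, rate limits, and correlation of WAF logs with backend logs. Validating the exact format before the lookup, as `resolve_strict` does, closes that gap regardless of how the store itself is indexed.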
Installation and Upgrade
Before installing this version, back up any work in progress. Go to the Management > Backups panel, back up all configurations, then download the backup file.
In a virtualization environment, you may also stop the virtual appliance and take a snapshot of your appliances.
New users should read our Get started guide to install the product.
At the first connection after the update, you will be asked to temporarily or permanently accept the certificate of the Management appliance.