Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

About this document

Purpose

This document details changes introduced by the 6.4.1 version for DenyAll Web Application Firewall.

Context

Version information

This version follows the version 6.4.0 of DenyAll Web Application Firewall. This version is an LVS (Last Version Support).

Reminder of the LTS/LVS concepts:

  • Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches will be issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
  • Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.

Revision

Revision number: r41636+b2185

Official release date

September 2122th, 2017.

Bug fixes

Bug criticality indicators:

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic.

Security

  • (error) [DA-7779] Fix Unauthenticated Remote Code Execution
    See the DenyAll Advisory for more details.

Known issues

  • [DA-3601] Security metrics remain empty for backup node of HA cluster
    Tunnel metrics for security events are never updated on backup node of High Availability cluster.
  • [DA-5307] Duplicate logs when using realtime alerting
    Security and WAM logs can be duplicated when using syslog realtime alerting while log alerting configurations are configured.
  • [DA-6206] Multiple occurrence of the query string parameter not supported in Sitemap validation
    The Sitemap validation node does not support incoming requests validation containing multiple occurrences of a same query string parameter. This can prevent whitelist configured on our rWeb products to be migrated to DenyAll WAF 6.3.
  • [DA-6483] Raid metric returns power supply status
    Power status metrics are not in the correct category.

  • [DA-7349] Distributed datastore not working when IP Range is distributed on several interfaces
  • [DA-4125] ICX does not ignore attachments or some application/* content-types
  • [DA-7097] Datastore dependencies in Sub-Workflow are not retrieved by the Backup/Restore process
  • [DA-4229] WAM category in Logs Management doesn't use Log Rotation Profile
  • [DA-6345] Invalid 'Save' management when creating Security Exception on Default Security Policy from Custom Resolve
  • [DA-7439] After uninstalling a RSE, there is missing mandatory apply flags in apply wizards
  • [DA-7122] Authorizations seems to be broken after WAM apply
    After a WAM apply, java engine is unable to connect to postgres database only when using StorageOperationMultiSearchSqlDb in group table.
  • [DA-7459] No information given when a Reverse Proxy fail to start due to certificates
  • [DA-7130] [GUI] Some nodes are not red when a parameter is invalid
  • [DA-7136] Invalid configuration of user authorization templates
    Role created from Workflow Operator template needs to be manually updated.
  • [DA-4601] [TUI] Daemon management bugs and mistakes
  • [DA-6055] Ramdisk size metric is not updated
  • [DA-5772] [rWeb Migration] EAccessUriTrans multipart-form-data & auto-file-upload are not available on Blacklist engine
  • [DA-7400] Reverse Proxy apply can be long with many tunnels using different workflows (> 100 tunnels)
  • [DA-6569] Exported Sitemap in swagger format does not match the full swagger specifications (missing description in parameters and responses in operations)
  • [DA-7294] Export and purge database logs task doesn't work with email destination
  • [DA-6656] "Test Connectivity" tool does not use the configured SSL cipher of the tunnel
  • [DA-7462] "No tunnel in this reverse proxy" is returned if tunnel's configuration is invalid
  • [DA-7485] Backend load balancer metrics are not correctly referenced in Web Monitoring Interface
  • [DA-7364] KeepAlived metric is red because service is not started when there is no VRRP configuration
  • [DA-6499] [Security Logs] Change supported fields in filters
    Some parameters are missing in the Filter log view of the security logs such as "Attack Family" or "Engine".
  • [DA-7608] Response header following truncated header disappears
    In some cases, when a response header is truncated because his length is higher than the maximum header length set in a Reverse Proxy Profile, the next header disappears from the response.
  • [DA-7706]  JSON export of security logs does not contain tokens
    The exported JSON file has missing information about logs, they do not contain tokens. Instead, we recommend to use the XML export.

Removed feature

The following features from i-Suite version 5 won't be available and will not be reimplemented in a future version:

  • Focus tables (replaced by Sitemap)

  • ACE (a beta security engine designed for auto learning)

  • Bridge mode (allowing transparent setup of the box)

  • Network sniffer

Warning
titleReport of Security Logs

The option of the scheduled tasks allowing generation of reports based on Security Logs is temporarily deactivated in DenyAll WAF 6.4. The option will be re-activated in 6.5 version. All scheduled tasks generating report on Security Logs are disabled in version 6.4 if upgraded from version 6.3 or imported through backups.

Appendix

Installation and Upgrade

Information to know before the 6.4.X version upgrade

  • The DenyAll WAF 6.4 update will also update security patterns for ICX. Default ICX configurations will be updated but user ICX configurations will not be modified, they need to be manually updated (see Security Updates).
  • If ICX logs are flagged with “No Attack Family”: patterns used in ICX Configurations are not up to date. You should update your patterns to the 3.28 DSU version to have the attack family in ICX event logs. We recommend to update all your ICX Configuration to (at least) the 3.28 DSU version.
  • Old ICX Security logs cannot be seen any more: ICX Engine node has been updated to use the new log system with events (new log format, see new Security Logs).
    ICX Logs can now be seen in the new security log view. We highly recommend you to export ICX Security logs before updating to 6.4 version.
  • Filters saved on the Security Logs view will be lost from the 6.3 version.
  • Security Logs from 6.3 version cannot be seen any more in the administration interface: The database schema has changed due to new fields.
    Logs are still available through the Kibana interface by adding new Index Patterns named "63elslog_accesslog_*", "63elslog_learninglog_*" or "63elslog_securitylog_*".
  • Filters saved on the Security Logs view will be lost from 6.3 to 6.4 version.
  • Log Alerting configurations are not working for Security Logs in 6.4 version (DA-6706).
  • Log obfuscation (or log filter) will be enable on tunnels when updating to 6.4 version from 6.3. Log obfuscation was always enabled for credit card numbers even if the option in the tunnel was not activated. After the update, the option will be activated with the default profile that will replace credit card numbers and passwords by stars ("******").
  • Format of Security Exception Configurations has changed in 6.4 version. All configurations from 6.3 version will be automatically migrated to the new format. Be aware that the downgrade from 6.4 to 6.3 version will not restore the Security Exception Configurations to 6.3 format: we recommend to restore a 6.3 backup to have Security Exception Configurations again.
  • Keepalived and Ntpd metric status are triggered: those metrics are triggered even if there is no VRRP or Ntp configuration set on the cluster. Criticity levels have been updated to ‘warning’ instead of ‘critical’. If you are using VRRP configuration(s), we recommend to update the criticity level of the Keepalived metric to ‘critical’.
  • Metrics named “Buffer overflow”, “Command Injection“, “Cross site scripting”, “SQL Injection”, “Parser Evasion”, “Path traversal”, “HTML Injection”, “LDAP Injection”, “Mail Injection”, “Remote file include by Cookie”, “Remote file include by Get Vars”, “Remote file include by Post Vars”, “XPATH Injection” and “Custom Rules” are no more available and have been replaced by new attack families introduced in 6.3 version. See the Tokens documentation page for available attack families (token attackFamily).
  • The metric “logs - numlogs” is no more available.
  • The metric “logs - icxlogs” is no more available and have been replaced by a new metric named “logs - securitylogs”.
  • The metric “logs - customlogs” is no more available and have been replaced by a new dynamic metric named “tunnel – No Attack Family”.
  • The following indicators have been flagged has “obsolete” in the DenyAll MIB:
    •  “icxLogsCount”,
    • “customLogsCount”,
    • “otherLogsCount”,
    • “tunnelAttRmtFlIncldCks”,
    • “tunnelAttSQLInjctCnt”,
    • “tunnelAttXSSCnt”,
    • “tunnelAttLDAPInjctCnt”,
    • “tunnelAttHTMLInjctCnt”,
    • “tunnelAttXPATHCnt”,
    • “tunnelAttCMDInjctCnt”,
    • “tunnelAttBuffOFInjctCnt”,
    • “tunnelAttMailInjctCount”,
    • “tunnelAttPrsrEvs”,
    • “tunnelAttPthTransv”,
    • “tunnelAttRmtFlIncldGtVr”,
    • “tunnelAttRmtFlIncldPtVr”,
    • “tunnelAttCustomRules.

Configuration Backup

Before installing this version, backup any work that is in progress. Go to Management > Backups panel and backup all the configurations then download the backup file.

In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.

Installation procedure

Follow the steps hereunder to install this version of DenyAll WAF:

  1. Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/

  2. Install the product on your appliance or virtual machine. The installation is described in the Installing from ISO page

  3. Log into the DenyAll Text User Interface and set the role: Management or Managed (for more details see the Initialization of the Management and Managed mode page)

  4. Repeat stages 2 and 3 for each Managed appliance, if there are any

  5. Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page)
  6. If there are any, add Managed appliances to the cluster. Go to Setup > Boxes > Add
  7. Create a support request to DenyAll to retrieve the license. The serial number (Service Tag) of the appliance will be needed (It can be found in Setup > i-Boxes > Licenses, select a Box and click View). For more details, see the Obtaining and assigning an DenyAll WAF license page
  8. Upload license(s) in the Setup > Boxes > Licenses panel
  9. Perform an apply of all configurations to verify that all Boxes are responding well
  10. If any backup from 5.x pr 6.x, you can restore them in the Management > Backups panel, then perform an apply (with Cold Restart selected) on all the configurations

Update procedure

The following steps describe how to update the product from an version 6.X (inferior to the new version) by using the RSE system.

System requirements: The cluster has to be in a version 6.3 or 6.4.0

Info
titleAPI RSE

It is highly recommended to uninstall any API RSE in version up to 1.2.0 before upgrading from DenyAll WAF 6.3 to DenyAll WAF 6.4.1. After completing the upgrade, the API RSE version 1.4.1 can be installed.

Info
titleManual snapshot

It is mandatory to create a manual snapshot of the cluster configuration before upgrading to DenyAll WAF 6.4 version. This snapshot is necessary in case of downgrade to restore a compatible configuration of the product.


  1. Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
  2. Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page) 
  3. Go to Management > Backups panel and backup all the configurations then download the backup file. In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances
  4. Go to Management > Snapshots and add a manual snapshot corresponding to the current cluster configuration then download the DenyAll WAF snapshot file
  5. Go to Management > System Updates and upload the RSE file
  6. Select the Management Box and click Install

    The Management Box must be updated first, before updating Managed Boxes
  7. Read and confirm the readme

  8. The installation process will automatically restart the Box and the user will be disconnected from the administration interface

  9. Wait for the Box to restart
  10. Repeat stages 5, 6, 7 and 8 for each managed Box, if any

  11. Perform an Apply (with Cold Restart selected) on all the configurations

Uninstall procedure

In order to roll-back to version 6.3 or 6.4.0:

Info
titleSnapshot restore to 6.3

It is mandatory to restore a DenyAll WAF snapshot after uninstalling a RSE to remove all incompatible configurations from DenyAll WAF 6.4 version and restore latest valid DenyAll WAF 6.3.

  1. Go to Management > System Updates
  2. Start by uninstalling managed Boxes. Select a managed Box and click Uninstall. The Box will reboot automatically
  3. Repeat stage 2 for all managed Boxes of the cluster
  4. Repeat stage 2 for the Management Box. The administration interface will be disconnected
  5. After the Management restart, log into the Management Box with the 6.3 or 6.4.0 Administration Interface
  6. Restore the manual snapshot created before the update
  7. Perform an Apply (with Cold Restart selected) on all the configurations

In case of a virtualization environment, you can use snapshots to roll-back to a previous version of DenyAll WAF 6.3 or 6.4.0.

Table of Contents