Embed Size (px)
Citation preview
Stonesoft NextGeneration FirewallRelease Notes6.1.0Revision A
2
Table of contents1 About this release................................................................................................................................................3
Lifecycle model...............................................................................................................................................3System requirements..................................................................................................................................... 3Build version...................................................................................................................................................6Compatibility..................................................................................................................................................7
2 New features.........................................................................................................................................................8
3 Enhancements.................................................................................................................................................... 10
4 Resolved issues................................................................................................................................................. 11
5 Installation instructions.....................................................................................................................................12Upgrade instructions.................................................................................................................................... 12
6 Known issues..................................................................................................................................................... 13Known limitations......................................................................................................................................... 13
7 Find product documentation............................................................................................................................ 14Product documentation................................................................................................................................ 14
About this release | 3
About this releaseThis document contains important information about this release of Stonesoft® Next Generation Firewall byForcepoint (Stonesoft NGFW; formerly known as McAfee® Next Generation Firewall). We strongly recommendthat you read the entire document.
Lifecycle modelThis release of Stonesoft Next Generation Firewall is a Feature Stream (FS) version.
Support for Feature Stream versions is discontinued when a new major version of Stonesoft Next GenerationFirewall is available.
We recommend using the most recent Long-Term Support (LTS) version if you do not need any features from alater Feature Stream version.
For more information about the Stonesoft Next Generation Firewall lifecycle policy, see Knowledge Base article10192.
System requirementsMake sure that you meet these basic hardware and software requirements.
Stonesoft NGFW appliancesWe strongly recommend using a pre-installed Stonesoft NGFW appliance as the hardware solution for newStonesoft NGFW installations.
Note: Some features in this release are not available for all appliance models. See KnowledgeBase article 10192 and Knowledge Base article 9743 for up-to-date appliance-specific softwarecompatibility information.
Appliance model Supported roles Image type
FW-315 Firewall/VPN x86-64-small
320X (MIL-320) Firewall/VPN x86-64
IPS-1205 IPS and Layer 2 Firewall x86-64
FWL321 Firewall/VPN x86-64-small
NGF321 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
FWL325 Firewall/VPN x86-64-small
NGF325 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
110 Firewall/VPN x86-64-small
115 Firewall/VPN x86-64-small
1035 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
About this release | 4
Appliance model Supported roles Image type
1065 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
1301 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
1302 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
1401 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
1402 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
3201 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
3202 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
3205 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
3206 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
3207 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
3301 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
3305 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
5201 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
5205 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
5206 Firewall/VPN, IPS, and Layer 2 Firewall x86-64
Forcepoint Sidewinder S-series appliancesThese Sidewinder appliances can be re-imaged to run Stonesoft NGFW software.
Appliance model Supported roles Image type
S-1104 Firewall/VPN x86-64
S-2008 Firewall/VPN x86-64
S-3008 Firewall/VPN x86-64
S-4016 Firewall/VPN x86-64
S-5032 Firewall/VPN x86-64
S-6032 Firewall/VPN x86-64
Certified Intel platformsWe have certified specific Intel-based platforms for Stonesoft NGFW.
The tested platforms can be found at https://support.forcepoint.com under the Stonesoft Next Generation Firewallproduct.
We strongly recommend using certified hardware or a pre-installed Stonesoft NGFW appliance as the hardwaresolution for new Stonesoft NGFW installations. If it is not possible to use a certified platform, Stonesoft NGFWcan also run on standard Intel-based hardware that fulfills the hardware requirements.
About this release | 5
Basic hardware requirementsYou can install Stonesoft NGFW on standard hardware with these basic requirements.
• (Recommended for new deployments) Intel® Xeon®-based hardware from the E5-16xx product family orhigher
Note: Legacy deployments with Intel® Core™2 are supported.
• IDE hard disk and CD drive
Note: IDE RAID controllers are not supported.
• Memory:
• 4 GB RAM minimum for x86-64-small installation• 8 GB RAM minimum for x86-64 installation
• VGA-compatible display and keyboard• One or more certified network interfaces for the Firewall/VPN role• Two or more certified network interfaces for IPS with IDS configuration• Three or more certified network interfaces for Inline IPS or Layer 2 Firewall
For information about certified network interfaces, see Knowledge Base article 9721.
Master Engine requirementsMaster Engines have specific hardware requirements.
• Each Master Engine must run on a separate physical device. For more details, see the Stonesoft NextGeneration Firewall Installation Guide.
• All Virtual Security Engines hosted by a Master Engine or Master Engine cluster must have the same role andthe same Failure Mode (fail-open or fail-close).
• Master Engines can allocate VLANs or interfaces to Virtual Security Engines. If the Failure Mode of the VirtualIPS engines or Virtual Layer 2 Firewalls is Normal (fail-close) and you want to allocate VLANs to severalengines, you must use the Master Engine cluster in standby mode.
• Cabling requirements for Master Engine clusters that host Virtual IPS engines or Layer 2 Firewalls:
• Failure Mode Bypass (fail-open) requires IPS serial cluster cabling.• Failure Mode Normal (fail-close) requires Layer 2 Firewall cluster cabling.
For more information about cabling, see the Stonesoft Next Generation Firewall Installation Guide.
Virtual appliance node requirementsYou can install Stonesoft NGFW on virtual appliances with these hardware requirements. Also be aware of somelimitations.
• (Recommended for new deployments) Intel® Xeon®-based hardware from the E5-16xx product family orhigher
Note: Legacy deployments with Intel® Core™2 are supported.
• One of the following hypervisors:
• VMware ESXi 5.5 and 6.0• KVM (KVM is tested as shipped with Red Hat Enterprise Linux Server 7.1 and 7.2)
• 8 GB virtual disk
About this release | 6
• 4 GB RAM minimum• A minimum of one virtual network interface for the Firewall/VPN role, three for IPS or Layer 2 Firewall roles
When Stonesoft NGFW is run as a virtual appliance node in the Firewall/VPN role, these limitations apply:
• Only Packet Dispatching CVI mode is supported.• Only standby clustering mode is supported.• Heartbeat requires a dedicated non-VLAN-tagged interface.
When Stonesoft NGFW is run as a virtual appliance node in the IPS or Layer 2 Firewall role, clustering is notsupported.
Build versionStonesoft Next Generation Firewall 6.1.0 build version is 17028.
Product binary checksumsUse the checksums to make sure that the installation files downloaded correctly.
• sg_engine_6.1.0.17028_x86-64.iso
SHA1SUM:f9575d25ee8ef567f201da0ead3f44b3ebaf1116 SHA256SUM:a85bdc79a151af131de6796b63345cb1217b5b94b631ce4d6f8fa0611d5cd134 SHA512SUM:1679d5450d14cfe284d20bc804a5d55cef62c905d21733b024a32f24c5c2fc9ee40c52a65ff5a7487164cf5649d414da7a0ef4007720402a52e9637f1570e01e
• sg_engine_6.1.0.17028_x86-64.zip
SHA1SUM:6ab4ca821e85fbc7ff6ddb477086cd391271f1d0 SHA256SUM:f2b424e1986ac4bad25184113ce5ad9adb31bd76f1d608c9f40a60f754c57af8 SHA512SUM:c3944be3a7428c341a98cd13a9693a1a44b67c5a585e4e490530c6040fa1499559de1c981dac2ac530f58d1b3b3ec0ec25cbd17c767dd18cfc6cd801a65662b5
• sg_engine_6.1.0.17028_x86-64-small.iso
SHA1SUM:15b6643e687112a2a4b5672c2bd80dbdc3fa53ec
SHA256SUM:da94b5fe45a34b8cc99cc701b0d755454d038274eeb1c1af75db68da0903e0e3
SHA512SUM:b0486c33e0ad18c8b55d8d7dbd9141a0f9f15f72f8d068d0f50eede6f9b84d260a6f18761a6fdea8fef339797681e9c100e7613ff22e51efb47df50ef7814502
About this release | 7
• sg_engine_6.1.0.17028_x86-64-small.zip
SHA1SUM:99901191e6e43c257f1d8d166ae8721450b629f9 SHA256SUM:773d79cc70b32c9973757bddb3ef5d2bd71cc5d43f4106656f88843c38e93a2d SHA512SUM:9577aaa8fa730415d1a3ca0e0b1ce0896cdf57c40a6cd9763491af0b2f30a95a9521c9ca202ba580b9aac502a1e5acd089a3ff059b636704d95195ba91edfc12
CompatibilityStonesoft NGFW 6.1 is compatible with the following component versions.
• Stonesoft® Management Center (SMC) 6.1 or later• Dynamic Update 810 or later• Stonesoft® VPN Client for Windows 6.0.0 or later• Stonesoft® VPN Client for Mac OS X 2.0.0 or later• Stonesoft® VPN Client for Android 2.0.0 or later• Server Pool Monitoring Agent 4.0.0 or later• McAfee® Logon Collector 2.2 and 3.0• McAfee® Advanced Threat Defense 3.6• McAfee® Endpoint Intelligence Agent (McAfee EIA) 2.5
New features | 8
New featuresThis release of the product includes these new features. For more information and configuration instructions, seethe Stonesoft Next Generation Firewall Product Guide and the Stonesoft Next Generation Firewall InstallationGuide.
Geo-protection and IP address categorizationYou can now configure geo-protection to allow or block traffic. There are predefined Country elements thatrepresent IP addresses registered in specific countries. You can use Country elements to filter traffic in Accessrules based on the source or destination country, or entire continents. They can also be used in NAT rules,Inspection rules, and File Filtering rules.
You can use predefined IP address lists to control access to known good or bad IP addresses. You can eitheruse the predefined IP address lists or create new IP address lists. You can also import IP address lists throughthe SMC API to the SMC. For more information, see the Stonesoft SMC API Reference Guide.
Integration of Sidewinder ProxiesOn Sidewinder firewalls, proxies provide high assurance protocol validation. On Stonesoft NGFW, SidewinderProxies enable some of the proxy features that are available on Sidewinder. In Stonesoft NGFW version 6.1, thefollowing Sidewinder Proxies are supported: HTTP, SSH, TCP, and UDP.
You can use Sidewinder Proxies on Stonesoft NGFW to enforce protocol validation and to restrict theallowed parameters for each protocol. Sidewinder Proxies are primarily intended for users in high assuranceenvironments, such as government or financial institutions. In environments that limit access to external networksor access between networks with different security requirements, you can use Sidewinder Proxies for data lossprotection.
Changes in category-based URL filteringCategory-based web filtering now uses URL categories provided by Forcepoint™ ThreatSeeker® IntelligenceCloud. There are new types of elements for configuring URL filtering:
• URL Category elements are Network Application elements that represent the categories for category-basedURL filtering.
• URL Category Group elements contain several related URL Categories.• URL List elements are Network Application elements that allow you to manually define lists of URLs that you
want to allow or block.
The way that category-based URL filtering is applied to traffic has changed. You can now use URL Categories,URL Category Groups, and URL Lists in the Service cell of Access rules to configure URL filtering. It is no longerpossible to configure URL filtering using Situation elements in the Inspection Policy.
Note: These changes affect all existing users of category-based URL filtering. Legacy URLSituation elements can no longer be used in policies for Stonesoft NGFW version 6.1 or higher.If rules in your policy contain legacy URL Situation elements, you must replace them with URLCategory elements.
Browser-based wizard for configuring NGFW appliancesAs an alternative to using the command-line version of the NGFW Initial Configuration Wizard (sg-reconfigure) toconfigure an NGFW appliance, you can now use an initial configuration wizard in a web browser.
Redirection of web traffic to TRITON AP-WEB CloudTRITON® AP-WEB Cloud is a cloud-based web security proxy service. Stonesoft NGFW can now redirect webtraffic to the TRITON® AP-WEB Cloud for inspection. Stonesoft NGFW redirects web traffic to the TRITON AP-
New features | 9
WEB Cloud using a predefined policy-based VPN. The traffic is inspected in the TRITON AP-WEB Cloud andtransparently forwarded to the destination.
Note: To use TRITON AP-WEB Cloud to inspect web traffic, you must have a subscription to theTRITON AP-WEB Cloud service.
In addition to an IPv4 or IPv6 address, you can now use a fully qualified domain name (FQDN) as a dynamiccontact address of an external VPN gateway. Connecting through a VPN to a dynamic FQDN endpoint allowsTRITON AP-WEB Cloud to offer addresses from the geographically closest service point.
The TRITON AP-WEB Cloud service requires the endpoint to use a MAC address as a unique identifier. Youcan now define VPN-specific exceptions to the IKE Phase-1 ID for endpoints on VPN Gateways. Exceptions areuseful in cases where an external VPN gateway requires specific information in the IKE phase-1 value.
For more information and configuration instructions, see Knowledge Base article 10582.
Enhancements | 10
EnhancementsThis release of the product includes these enhancements.
Enhancements in Stonesoft NGFW version 6.1.0Enhancement Description
Simplified service configuration andcustomization improvements in SSL VPNPortal
You can now allow access to intranet services in the SSL VPNPortal with a freeform URL. It is no longer necessary to configureeach SSL VPN Portal service separately. End users can accessthe services by typing the URL directly in the SSL VPN Portal.
You can now also modify the look-and-feel of the SSL VPN Portaland create a custom theme with company colors and logos for theSSL VPN Portal in the Management Client.
Fully qualified domain names as contactaddresses in external VPN gateways
In addition to an IPv4 or IPv6 address, you can now use a fullyqualified domain name (FQDN) as a dynamic contact address ofan external VPN gateway.
VPN-specific exceptions for IKE Phase-1ID
You can now define VPN-specific exceptions to the IKE Phase-1ID for endpoints on VPN Gateways. Exceptions are usefulin cases where an external VPN gateway requires specificinformation in the IKE phase-1 value.
Improved throughput for anti-malwareinspection
The throughput of anti-malware inspection has been significantlyimproved.
Improved scaling of inspection for VirtualSecurity Engines
Inspection now scales up better with multiple Virtual SecurityEngines.
Improved TCP handling in the inspectionmodule
TCP protocol handling in the inspection module has beenenhanced for performance and compatibility.
Support for Tunnel Interfaces andunnumbered interfaces for OSPF
Support for Tunnel Interfaces and unnumbered interfaces forOSPF has been added.
Enhanced botnet detection Botnet detection has been enhanced.
SSH server key fingerprints shown onengine console when the engine starts up
If SSH is enabled, SSH server key fingerprints are shown on thelocal console when the NGFW engine starts up.
Resolved issues | 11
Resolved issuesThese issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see theRelease Notes for the specific release.
Description Role Issuenumber
The Master Engine might stop resolving DNS names used in the policy when thepolicy for a Virtual Security Engine is updated.
FW
IPS
L2FW
131081
NAT might not be correctly applied to REFER SIP messages by the SIPinspection module.
FW 132823
When the engine acts as an area border router (ABR) for an OSPF not-so-stubbyarea (NSSA), the engine does not correctly translate incremental changes from atype 7 link-state advertisement (LSA) to a type 5 LSA.
FW 133430
When VPN Client session handling is moved from one node in a cluster toanother node, Virtual IP Address renewal for VPN Clients might not workcorrectly.
FW 134149
The dynamic routing process might not start automatically after restarting theSecurity Engine if the configuration was done in the Management Client.
FW 134502
The engine might not redistribute BGP routes through OSPF after changing theprefix list.
FW 135281
When there are a high number of new connections through dynamic NAT, theengine might slow down and print "BUG: soft lockup" messages to the console.
FW 135444
VPN Client session synchronization in clusters might not synchronize allinformation reliably. This issue can cause random failures in matching VPN Clientconnections to the Access rules.
FW 135527
When using IKEv2 and when more than one node in the cluster is in the onlinestate, IPsec SA delete messages might not be sent correctly.
FW 135643
Due to a loss of authentication information when a node in the cluster is rebooted,VPN Client connections might stop working.
FW 135646
The kernel has been updated to mitigate the TCP weakness described inCVE-2016-5696.
FW
IPS
L2FW
NGFW-115
The OpenSSL library has been updated to mitigate the denial of service issuedescribed in CVE-2016-6304.
FW
IPS
L2FW
NGFW-267
Installation instructions | 12
Installation instructionsUse these high-level steps to install SMC and the Stonesoft NGFW engines.
For detailed information, see the Stonesoft Next Generation Firewall Installation Guide. All guides are availablefor download at https://support.forcepoint.com.
Note: The sgadmin user is reserved for SMC use on Linux, so it must not exist before SMC isinstalled for the first time.
1. Install the Management Server, the Log Servers, and optionally the Web Portal Servers.2. Import the licenses for all components.
You can generate licenses at https://stonesoftlicenses.forcepoint.com.3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the
Configuration view.4. To generate initial configurations for the engines, right-click each Firewall, IPS, or Layer 2 Firewall element,
then select Configuration > Save Initial Configuration.Make a note of the one-time password.
5. Make the initial connection from the engines to the Management Server, then enter the one-time password.6. Create and upload a policy on the engines using the Management Client.
Upgrade instructionsTake the following into consideration before upgrading licenses, engines, and clusters.
Note: Changes to category-based URL filtering in Stonesoft NGFW version 6.1 affect all existingusers of category-based URL filtering. Legacy URL Situation elements can no longer be usedin policies for Stonesoft NGFW version 6.1 or higher. If rules in your policy contain legacy URLSituation elements, you must replace them with URL Category elements. See the Stonesoft NextGeneration Firewall Product Guide for detailed instructions.
• Upgrading to version 6.1 is only supported from version 5.10 or later. If you have an earlier version, firstupgrade to version 5.10.
• Stonesoft NGFW version 6.1 requires an updated license. The license upgrade can be requested at https://stonesoftlicenses.forcepoint.com. Install the new license using the Management Client before upgrading thesoftware. If communication between the SMC and the license server is enabled and the maintenance contractis valid, the license is updated automatically.
• To upgrade the engine, use the remote upgrade feature or reboot from the installation CD and follow theinstructions. For detailed instructions, see the Stonesoft Next Generation Firewall Installation Guide.
Known issues | 13
Known issuesFor a list of known issues in this product release, see Knowledge Base article 10571.
Known limitationsThis release of the product includes these known limitations.
Limitation Description
Inspection in asymmetrically routed networks In asymmetrically routed networks, using the stream-modifying features (TLS Inspection, URL filtering, andfile filtering) can make connections stall.
Inline Interface disconnect mode in the IPS role The disconnect mode for Inline Interfaces is notsupported on IPS virtual appliances, IPS softwareinstallations, IPS appliance models other thanIPS-6xxx, or modular appliance models that havebypass interface modules.
For information about feature-specific limitations, see the Stonesoft Next Generation Firewall Product Guide.
Find product documentation | 14
Find product documentationOn the Forcepoint support website, you can find information about a released product, including productdocumentation, technical articles, and more.
You can get additional information and support for your product on the Forcepoint support website at https://support.forcepoint.com. There, you can access product documentation, Knowledge Base articles, downloads,cases, and contact information.
Product documentationEvery Forcepoint product has a comprehensive set of documentation.
• Stonesoft Next Generation Firewall Product Guide• Stonesoft Next Generation Firewall online Help
Note: By default, the online Help is used from the Forcepoint help server. If you want to usethe online Help from a local machine (for example, an intranet server or your own computer),see Knowledge Base article 10097.
• Stonesoft Next Generation Firewall Installation Guide
Other available documents include:
• Stonesoft Next Generation Firewall Hardware Guide for your model• Stonesoft Management Center Appliance Hardware Guide• Stonesoft Next Generation Firewall Quick Start Guide• Stonesoft SMC API Reference Guide• Stonesoft VPN Client User Guide for Windows or Mac• Stonesoft VPN Client Product Guide
The following document included in appliance deliveries still uses the old product name and brand:
• McAfee Security Management Center Appliance Quick Start Guide
Copyright © 1996 - 2016 Forcepoint LLC Forcepoint™ is a trademark of Forcepoint LLC.
SureView®, ThreatSeeker®, TRITON®, Sidewinder® and Stonesoft® are registered trademarks of Forcepoint LLC. Raytheon is a registered trademark of Raytheon Company.
All other trademarks and registered trademarks are property of their respective owners.
