Patch-ID# 105810-04
Keywords: Upgrade, jumbo, patch, 3.0b, build_3072 
Synopsis: Solstice FireWall-1 3.0b (Build 3072) Intel: Upgrade/Jumbo (VPN+DES)
Date: Aug/26/98

Solaris Release: 

SunOS Release: 

Unbundled Product: FireWall-1

Unbundled Release: 3.0b

Relevant Architectures: intel 

BugId's fixed with this patch:

Changes incorporated in this version: 

Patches accumulated and obsoleted by this patch: 

Patches which conflict with this patch: 

Patches required with this patch: 

Obsoleted by: 

Files included with this patch: 

	DATA.Z
	DATA2.Z
	DISK1.ID
	README
	SETUP.EXE
	_INST32I.EX_
	_SETUP.DLL
	_SETUP.LIB
	setup.ini
	setup.ins
	setup.pkg

Table of Contents:

      Overview 
      Service Pack Availability 
      Bug Fixes 
      Limitations and Known Bugs 
      Installation Instructions 
      Downloading 

 

Overview:

	The 3072 Service Pack can be applied to any 3.0b version of FireWall-1 
	including those systems running Build 3045 or 3064.

Important Notes: 

	This Service Pack includes a new control.map file which includes new 
	configuration for OPSEC communications protocols.  Installing the 
	Service Pack will replace your existing control.map with the new one.  
	If you have changes in control.map which you want to save, you must 
	copy the file aside before installing this Service Pack. After the 
	installation you can then either merge the two files manually, or, if 
	you are not using OPSEC, you can replace the newly installed 
	control.map with your old one. 

	This Service Pack will NOT work with FloodGate-1 version 1.1 (nor with 
	1.0). Installing this patch to an existing FireWall-1/FloodGate-1 
	installation, will disable FloodGate-1. There will be no FloodGate-1 
	that supports 3072 Service Pack and as a result, the Gateway that you 
	installed this patch on, will no longer have bandwidth management 
	capabilities integrated with FireWall-1. The next major version of 
	FloodGate-1 will inter-operate with the coming release of FireWall-1 
	version 4.0. 

Service Pack Availability:

	This Service Pack is available for the Non-VPN, VPN and VPN+DES 
	editions for all product platforms (AIX/Power, HP-UX/HPPA, 
	Solaris/SPARC, Solaris/X86, SunOS/SPARC, Windows NT/X86). 

Bug Fixes:

Windows and Motif GUI Client: 

	1.Fixed a GUI resource leak which had a number of symptoms. For 
	  example when scrolling through a lot of rules the GUI would hang 
	  and the graphics get distorted. 
	2.When opening the GUI as 'Read Only' you can now scroll through group 
	  object members. 
	3.Fixed printing of a Rule Base from GUI where all the last rules of 
	  each page were only half printed. 
	4.In the Motif Log and System Status GUIs, fixed problem where different
	  configuration parameters were written to the directory the application
	  was launched instead of $FWDIR/conf directory. 
	5.For Motif GUI, prevent 'en_US language' error when starting the GUI. 
	6.For Motif GUI there is available in this Service Pack an application 
	  which will save colors for the FireWall-1 GUI.   This prevents 
	  problems of the GUI crashing when colors are not available.   This 
	  application should be installed on the machine running the display 
	  and run automatically before any other application is opened on the 
	  display.  See instructions in the Installation Instructions below. 

OpenLook GUI: 

	1.When defining a network object on Solaris 2.5.1 x86, fixed the problem
	  which was causing the message 'Illegal Netmask 255.255.255.0'. 
	2.Fixed triggering of alerts for actions in the System Status window. 

Encryption: 

	1.Fixed reassembly of fragmented SKIP packets. 
	2.Fixed SKIP bug which occasionally caused the fw daemon to crash. 

Logging: 

	1.Fixed  bug in 'fw logswitch' mechanism, related to the fw.logtrack 
	  file, which was causing the fw daemon to fail due to too many open 
	  file descriptors. 
	2.Removed message "fwd: Unable to open 'dev/fw0'" which was being 
	  displayed on the management station whenever the active log file 
	  ($FWDIR/log/fw.vlog) exceeded the default size of 10KB. 
	3.Changed representation of date in 'fw log' output to be Y2K compliant.
	4.Changed representation of date in the name of the log file switched 
	  by 'fw logswitch' to be Y2K compliant. 

Address Translation: 

	1.In Address translation made testing of minimum length be protocol 
	  sensitive.  This fixes problems such as ICMP type 9 packets being 
	  wrongly dropped when translation is applied. 

Router Management: 

	1.When using Cisco access-lists, it is now possible to define a filter 
	  that checks the source port of a packet. 

Security Servers: 

	1.The SMTP security server now adds full name, including domain, to 
	  the HELO command. 
	2.The SMTP security server now sends 552 error messages for mail that's 
	  too large, and not 452. 
	3.Fixed handling of multiple mail messages on a single connection. 
	4.Fixed the sendmail.exe program for NT to correct a problem where mail 
	  alerts changed according to the date. 
	5.In FTP security server correct handling of 220 multiline messages. 
	6.In FTP security server fix a problem with Welcome message that ends 
	  with a new line (\n), which was preventing connections from opening. 
	7.In FTP security server the reason log for CVP server will be sent even
	  if CVP message is empty. 
	8.Corrected handling of HTTP server replies which have no headers. 

User Authentication: 

	1.Fix SecurID related FireWall daemon crashes on NT. 
	2.Defining a user with time limitation using the interval 00:00 to 
	  23:59 now covers the minute from 23:59 to midnight. 

Management: 

	1.Protection from 'Radio Flyer' attack, where opening connections to 
	  the FireWall management daemon could prevent any FireWall 
	  administrator from connecting to the management station. 

Kernel: 

	1.Fixed a problem that could cause a kernel crash on AIX in a situation 
	  where packets must be modified (NAT or encryption) and the FireWall-1 
	  gateway does not have an ARP entry of the next hop. 
	2.Protection from the fragmentation attack, where sending fragmented 
	  packets can cause the FireWall to stop forwarding packets.  

	There are also several configurable parameters which can help the user 
	fine tune FireWall-1 to deal best with this kind of attack.

	For NT there are 4 new registry parameters:
	PacketPoolSize - How many packets can be handled by the FireWall 
		simultaneously. Default = 1024.
	BufferPoolSize - How many buffers can be handled by the FireWall 
		simultaneously (a packet may divide into a number of buffers). 
		Default = 2048
	MaxPendingPackets - How many packets can be pending - waiting on 'hold'
		(for encryption or session authentication) or for 
		defragmentation at one time. Default = max-100
	MaxPendingBuffers - How many buffers can be held by pending packets at 
		one time. Default= max-200

	For Unix the packets come from a system pool controlled by the operating
	system which grows dynamically as the need arises.

	In addition, for all platforms, the following 3 parameters may be 
	defined in objects.C under the 'props:' line (after editing objects.C 
	run fwstop and fwstart for the change to take effect):
	fwfrag_limit - how many fragment chains are allowed to be in the middle 
		of assembly.  Default is 1000.
	fwfrag_minsize - the smallest acceptable fragment size (maximum is 576).
		Default is 0.
	fwfrag_timeout - how long do we wait for fragment chain completion 
		before we give up on the packet and free its resources. Default 
		is 20 seconds. 
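	As an added illustration (not FireWall-1 code), the toy model below shows
	how the three fragment parameters interact: a chain above fwfrag_limit is
	refused, a fragment below fwfrag_minsize is dropped, and an incomplete
	chain older than fwfrag_timeout is freed. The chain key, the clock in
	seconds and the assumption of non-overlapping fragments are constructed
	for the example.

```python
from dataclasses import dataclass, field

# Page states the largest permitted fwfrag_minsize is 576.
FWFRAG_MINSIZE_MAX = 576


def minsize_ok(minsize):
    """True if a fwfrag_minsize value is within the documented range."""
    return 0 <= minsize <= FWFRAG_MINSIZE_MAX


@dataclass
class FragmentTable:
    """Illustrative fragment-chain bookkeeping (defaults from the README)."""
    limit: int = 1000        # fwfrag_limit: chains allowed mid-assembly
    minsize: int = 0         # fwfrag_minsize: smallest acceptable fragment
    timeout: float = 20.0    # fwfrag_timeout: seconds before a chain is freed
    chains: dict = field(default_factory=dict)  # key -> {start, bytes, total}
    dropped: int = 0
    completed: int = 0

    def __post_init__(self):
        if not minsize_ok(self.minsize):
            raise ValueError("fwfrag_minsize must be 0..%d" % FWFRAG_MINSIZE_MAX)

    def expire(self, now):
        """Free chains that have waited longer than the timeout."""
        stale = [k for k, c in self.chains.items() if now - c["start"] > self.timeout]
        for k in stale:
            del self.chains[k]
            self.dropped += 1
        return len(stale)

    def fragment(self, now, key, offset, length, more_fragments):
        """Account for one fragment; returns 'drop', 'hold' or 'complete'."""
        self.expire(now)
        if length < self.minsize:          # undersized fragment (assumed check)
            self.dropped += 1
            return "drop"
        chain = self.chains.get(key)
        if chain is None:
            if len(self.chains) >= self.limit:   # table full: refuse new chain
                self.dropped += 1
                return "drop"
            chain = self.chains[key] = {"start": now, "bytes": 0, "total": None}
        chain["bytes"] += length
        if not more_fragments:                   # last fragment gives total size
            chain["total"] = offset + length
        if chain["total"] is not None and chain["bytes"] >= chain["total"]:
            del self.chains[key]                 # assumes no overlapping fragments
            self.completed += 1
            return "complete"
        return "hold"
```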


Limitations and Known Bugs:
---------------------------
	1.A problem in the SMTP server causes it not to send any logs.  You will 
	  receive logs on mail messages only from the mail dequeuer process.   
	  For example, connections which are rejected by the Rule Base should be 
	  logged by the SMTP server, but these logs will not be received; on the
	  other hand, any mail that was accepted and reached its target will be 
	  logged as usual by the mail dequeuer. 
	2.Occasionally, during multiple, concurrent authentication between a FM 
	  and an ACE server, the challenge will return a failure even if the 
	  right PIN was entered. This will be fixed in a subsequent hot fix. 
	3.When managing pre-3072 modules with 3072 management, the Security Status
	  window in the GUI crashes, gets stuck or shows no info for pre-3072 
	  modules. A hot fix is under development by Checkpoint and will be 
	  posted no later than the 1st week of September 1998.  The workaround: 
		1. Stop the FireWall-1 management using 'fwstop'. 
		2. Edit the file $FWDIR/lib/snmp/mib.txt as follows: 
			Change the line - 
				checkpoint OBJECT IDENTIFIER ::= { enterprises 2620 } 
			To the line - 
				checkpoint OBJECT IDENTIFIER ::= { enterprises 1919 } 
		3. Start the FireWall-1 management using 'fwstart'.
	

Patch Installation Instructions: 
-------------------------------- 

Important Note:
	This Service Pack includes a new control.map file which includes new 
	configuration for OPSEC communications protocols. Installing the Service
	Pack will replace your existing control.map with the new one.  If you 
	have changes in control.map which you want to save, you must copy the 
	file aside before installing this Service Pack. After the installation 
	you can then either merge the two files manually, or, if you are not 
	using OPSEC, you can replace the newly installed control.map with your 
	old one.

(1) Copy the patch file on to the Intel platform machine.

(2) Unzip the patch.

(3) Execute the Install Wizard (setup.exe) included.

