Patch-ID# 105811-02
Keywords: Upgrade, jumbo, patch, 3.0b, Build 3064, 3064
Synopsis: Solstice FireWall-1 3.0b SunOS: Build 3064 Jumbo (Non-VPN)
Date: Apr/20/98

Solaris Release: 1.1 

SunOS Release: 4.1.3

Unbundled Product: Firewall-1

Unbundled Release: 3.0

Relevant Architectures: sparc 

BugId's fixed with this patch:

Changes incorporated in this version: 

Patches accumulated and obsoleted by this patch: 

Patches which conflict with this patch: 

Patches required with this patch: 

Obsoleted by: 

Files included with this patch: 


	FW-1 Files that get installed:
	-----------------------------

	bin/fw
	bin/fwui
	bin/router_load
	lib/base.def
	lib/code.def
	lib/formats.def
	lib/table.def
	modules/fwmod.5.x.o


Patch Release Notes:
====================
Table of Contents:

     Patch Availability 
     Release Notes 
     Limitations and known bugs 
     Installation instructions 
     Downloading 

NOTE: This is a cumulative patch to 3.0b.  It can be applied
to a plain 3.0b system, or one that has been patched up to Build 3055.
 

This patch contains the following changes:

All bug fixes to 3045, 3055 (not official release) as well as OPSEC SDK
support, and several bug fixes to the SMTP, HTTP, and FTP security
servers. This patch can be applied to any 3.0b version of FireWall-1
including those systems running Build 3045.

 

Patch Availability:

This patch is available for the non-VPN, VPN, and VPN+DES editions for all
product platforms (Solaris/SPARC, Solaris/X86, Windows NT/X86,
AIX/Power, HP-UX/HPPA, SunOS4/SPARC).

 

Detailed problem solving description - patch 3064 Release Notes:

Bug Fixes:

Note: - the following list includes the bug fixes closed in the 3055 patch
candidate.

OPSEC: 

   1.OPSEC/SDK Support is now provided. 
   2.Fixes many CVP and UFP problems. 

Windows NT: 

   1.Executing alerts on Windows NT creates system memory leaks. 
   2."fw log -ft" on Windows NT did not work. 

HTTP Security Server: 

   1.FTP from Netscape Communicator failed in some circumstances. 
   2.HTTP Security Server crashed under heavy load. 
   3.When the HTTP Resource Path is *:*, a redundant DNS query was submitted. 
   4.HTTP Security Server - When a URL specified in a URI Resource was
     reloaded a few times, the ahttpd.log grew abnormally. 
   5.UFP - The process of fetching a dictionary from a UFP server sometimes
     crashed if the UFP server was down. 
   6.SecurID: Entering next PASSCODE through HTTP crashes HTTP Security Server 

SMTP Security Server: 

   1.When non multipart attachments are to be stripped, MIME Content-Type is
     changed for text/plain. Other 'Content-' fields are stripped. 
   2.Too many open files messages. 
   3.Mail occasionally lost under load (i.e. scores of mails in the spool). 
   4.SMTPD crashes (after a number of mails were rejected). 
   5.Using a rewriting scheme 'Field Contents ->' in an SMTP resource with
     empty rewritten string caused SMTPD crashes. 
   6.SMTP->resource with Client Authentication was not logged correctly. 
   7.Quoted characters recognized in SMTP commands MAIL and RCPT and also in
     message headers. 
   8.SMTPD crashed when command DATA was sent preceded by SMTP commands FROM
     and RCPT containing illegal mail paths. 
   9.In sending error notifications the header last line was dropped when a
     mail with empty body was sent. 
  10.Mails stuck in the spool when working with Eliashim AntiVirus Server. 
  11.Occasionally added blank line in big attachments. 
  12.When error notification was sent, the last attachment boundary line was
     misplaced. 
  13.Error server definition absent from the FireWall-1 Configuration SMTP
     dialog box (NT only). 
  14.SMTP transaction failures, due to resource restrictions, e.g. "Too much
     mail data", not logged correctly. It is now logged in accordance with the
     resource 'Exception track' definition. 

FTP Security Server: 

   1.FTP Security server did not support PASV FTP with Accounting. 
   2.FTP + CVP full path file name logged is in URL format (e.g. ftp://...). 

FireWall Synchronization: 

   1.FireWall Synchronization with address translation is supported. 

Address Translation: 

   1.Number of NAT Rules is up to 2048 rules instead of 1024. 

Encryption: 

   1.SKIP Encryption problems when used with NAT. 

Management GUI: 

   1.When defining an object whose IP address is identical to a FireWalled
     object, encryption does not work properly. 
   2.When all users checkboxes are unset, adding a user crashes OpenLook fwui. 
   3.Windows and X/Motif GUI: State transition alerts did not work in System
     Status view. 
   4.Long names for Admin authentication crashes fwm. 
   5.Solaris x86 (OpenLook) spurious error message creating type network 

INSPECT: 

   1.When rule base exceeds ~250 rules, the INSPECT Virtual Machine stack
     could overflow. 
   2.Land Attack protection provided. 
   3.RealAudio and VDOLive services are now supported in FASTPATH mode. 
   4.Large FTP transfers: If a file transfer through the FireWall-1 took more
     than TCP_TIMEOUT (set by default to 60 minutes) the control
     connection is cut in the middle resulting in file transfer failure. After
     installing Patch 3055, if you need to transfer files for more than
     TCP_TIMEOUT, you need to modify the file $FWDIR/lib/base.def changing the
     line '#define FTP_CONTROL_TIMEOUT TCP_TIMEOUT'
     to 
     '#define FTP_CONTROL_TIMEOUT <seconds>' where <seconds> is the number of
     seconds you want the control connection to remain open. 
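
The base.def edit from INSPECT item 4, as an added example (not part of
the original release notes and not vendor code). The function name, the
.orig backup suffix and the sample file are assumptions made for the
illustration; on a real system FILE would be $FWDIR/lib/base.def.

```shell
#!/bin/sh
# Added example: set FTP_CONTROL_TIMEOUT in base.def, keeping a backup.
# Usage: set_ftp_control_timeout FILE SECONDS   (hypothetical helper)
set_ftp_control_timeout() {
    file=$1
    secs=$2
    # Accept only a plain decimal integer, so nothing else reaches sed.
    case $secs in
        ''|*[!0-9]*) echo "seconds must be a decimal integer" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "$file: not found" >&2; return 2; }

    # Refuse to edit unless there is exactly one definition to change.
    n=$(grep -c '^#define[[:space:]][[:space:]]*FTP_CONTROL_TIMEOUT[[:space:]]' "$file" || true)
    if [ "$n" -ne 1 ]; then
        echo "$file: expected 1 FTP_CONTROL_TIMEOUT definition, found $n" >&2
        return 3
    fi

    # Keep the first (shipped) copy so the change can be reverted.
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    sed "s/^#define[[:space:]][[:space:]]*FTP_CONTROL_TIMEOUT[[:space:]].*/#define FTP_CONTROL_TIMEOUT $secs/" \
        "$file" > "$file.new" || return 1
    # Write back in place so the file keeps its owner and mode.
    cat "$file.new" > "$file" && rm -f "$file.new"
}

# Constructed sample standing in for $FWDIR/lib/base.def.
demo=$(mktemp -d)
printf '%s\n' '#define FTP_CONTROL_TIMEOUT TCP_TIMEOUT' > "$demo/base.def"
set_ftp_control_timeout "$demo/base.def" 14400   # 4 hours, in seconds
grep FTP_CONTROL_TIMEOUT "$demo/base.def"
```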

Miscellaneous: 

   1.$FWDIR/conf/fwauthd.conf had a limit of no more than 10 security servers.
     Number increased from 10 to 64. 
   2.More than ~20 domain objects in the Rule Base did not work. 

Authentication: 

   1.SecurID new PIN mode was not working properly when used via browser. 

Embedded System FireWall Modules: 

   1.Managing embedded FireWall modules from 'Starter Console' products did
     not work. 
   2.Support is now provided for the following embedded systems: 

          Xylan switches 

  Note: These embedded systems are supported by FireWall-1 version 3.0b. They
  were not supported by patch 3045.

Feature Enhancements:

SMTP Security Server: 

   1.Multiple mail servers/error handling servers can be defined in a resource
     or in smtp.conf. E.g. Mail server:
     {smtp-gw1,smtp-gw2,smtp-gw3} 
   2.Error notification log format changed.  An error notification attempt
     is logged with INFO as in the following example: 
     "Error notification sent: originally from someone@org to soembody@org" 
   3.In an error notification message the original header is returned together
     with the message body. 

Limitations and Known Bugs: 

   1.NT - When using a HTTP resource with UFP, the category string in the log
     viewer is the mask and not the category string. 
   2.AIX, Solaris/X86 VPN+DES - When using a HTTP resource with the File
     option, the file is not copied to $FWDIR/database/lists during
     the policy download. A temporary workaround is to add the file name to
     the $FWDIR/state/fwrl.conf on the management station. 
   3.Using UNIX (tested using AIX/Motif and Sun/OpenLook), it was not possible
     to manage a BAY embedded FireWall Module by
     downloading a policy.
     The following error is seen:
     fetch_bload : get_rule_base failed
     Failed to install security policy on {Bay Module name}: File exists 



Installation Issues:
====================
   1.  To upgrade a FireWall-1 Module, you must upgrade all components - 
       kernel and fw. 
   2.  To use State Synchronization, you must upgrade both the Management 
       station and FireWall Module, and edit table.def by deleting line 20 
       ("#define sync"). In this case the patch should be applied to all 
       FireWall-1 modules in the enterprise. 
   3.  To upgrade a Management server, upgrade both fw and the GUI. 
   4.  For Windows NT, the setup.exe will install both the GUI and the Module 
       (it automatically determines if it is necessary).
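
The table.def edit from item 2, as an added example (not part of the
original release notes and not vendor code). It deletes line 20 only
when that line really is the "#define sync" the notes name, since a
locally edited file may have shifted line numbers. The function name,
the .orig backup suffix and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: delete line 20 of table.def only if it is "#define sync".
# Usage: remove_sync_define FILE   (hypothetical helper)
remove_sync_define() {
    file=$1
    [ -f "$file" ] || { echo "$file: not found" >&2; return 2; }

    # Check the content of line 20 before trusting the line number.
    line20=$(sed -n '20p' "$file")
    if ! printf '%s\n' "$line20" | grep -Eq '^#define[[:space:]]+sync([[:space:]]|$)'; then
        echo "$file: line 20 is not '#define sync'; file left unchanged" >&2
        # Show where the define actually is, if it exists at all.
        grep -En '^#define[[:space:]]+sync([[:space:]]|$)' "$file" >&2 || true
        return 3
    fi

    # Keep the first (shipped) copy so the change can be reverted.
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    sed '20d' "$file" > "$file.new" || return 1
    # Write back in place so the file keeps its owner and mode.
    cat "$file.new" > "$file" && rm -f "$file.new"
}

# Constructed 25-line sample standing in for table.def.
demo2=$(mktemp -d)
i=1
while [ "$i" -le 25 ]; do
    if [ "$i" -eq 20 ]; then echo '#define sync'
    else echo "/* constructed line $i */"; fi
    i=$((i + 1))
done > "$demo2/table.def"
remove_sync_define "$demo2/table.def"
wc -l < "$demo2/table.def"
```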


Patch Installation Instructions: 
-------------------------------- 

(1) Copy the patch file on to Intel platform machine.

(2) Execute the fwinstallpatch script.
