Patch Name: PHNE_13484

Patch Description: s700_800 10.20 FireWall-1 v3.0b Exportable patch (non-VPN)

Creation Date: 98/01/13

Post Date: 98/02/06

Repost: 98/02/18
    The patch documentation was modified to clarify that the patch only
    applies to FireWall-1 V3.0b. The patch must not be applied to earlier
    versions of FireWall-1 products. This information was also added to
    the README file in the patch depot. The other contents of the depot
    have not been modified.

Hardware Platforms - OS Releases:
    s700: 10.20
    s800: 10.20

Products: Check Point FireWall-1 V3.0b (non-VPN)

Filesets: FireWall-1.V3.0b

Automatic Reboot?: No

Status: General Superseded

Critical: Yes
    PHNE_13484: HANG

Path Name: /hp-ux_patches/s700_800/10.X/PHNE_13484

Symptoms:
    PHNE_13484:
    Various symptoms may be found in the following areas:
     1) State Synchronization - several crash scenarios
     2) SMTP Security Server
     3) HTTP Security Server
     4) FTP Security Server
     5) UFP
     6) Authentication
     7) Address Translation
     8) GUI
     9) INSPECT
    10) Encryption
    11) Security Properties

Defect Description:
    PHNE_13484:
    Detailed problem solving description - patch 3045 Release Notes:

    Bug Fixes:

    State Synchronization - several crash scenarios
     1. FireWalls stopped synchronization after a policy load.
     2. FireWall-1 daemon crashed when more than 64K needs to be
        synchronized in one chunk.
     3. FireWalls might get out of synchronization from time to time.
     4. Security Servers might stop working if running on two
        synchronized machines.
     5. FireWall synchronization does not behave properly after reload
        of a policy.
     6. System crashes under heavy load.
     7. Using synchronization with several features caused system
        crashes. See Limitations section, below.

    SMTP Security Server
     1. SMTP Security Server reports "Too many open files" error message.
     2. Long header lines logging.
     3. Redundant spaces in sender and recipient were not RFC-821
        compliant.
     4. Some files were queued in the spool directory when CVP was used.
     5. Mail error notifications were not sent properly.

    HTTP Security Server
     1. Crashes under load with CVP.
     2. Crashes when CVP Server goes down.
     3. HTTP Server sends a redundant drop request.
     4. Crashes under load if 'Block JAVA Code' is enabled.

    FTP Security Server
     1. Crashes under load with CVP.
     2. When failing to connect to the CVP Server, the client (a.ftpd)
        goes out of sync.

    UFP
     1. FireWall-1 omits the query from the URL passed to the UFP Server.

    Authentication
     1. Support now provided for the SecurID New PIN Mode.
     2. Ability to change the RADIUS port added.

    Windows NT
     1. Service Pack 3 PPP Support.
     2. NT 4.0 fwntperf.dll.
     3. Windows NT DNS crashes.
     4. Windows NT Network Card of type El90x3 created incorrect
        Anti-spoofing code.

    Address Translation
     1. UDP DST Static Address Translation.

    GUI
     1. FwStatus - Year 2000 Compliance (FireWall-1 now fully Year 2000
        compliant).
     2. *local mode on Motif.
     3. FwStatus - correct SNMP communities are now used.
     4. Windows and Motif GUI allowed creating Groups with illegal.

    INSPECT
     1. Network Cards with / in them caused compilation errors.
     2. Others + Anti Spoofing specification creates wrong INSPECT code.
     3. Defining a network object with name 'servers' creates wrong
        INSPECT code.

    Encryption
     1. SKIP and IPSec with 'Decrypt upon accept' and ICMP caused daemon
        crash.

    Security Properties
     1. SNMP from external machines (like HP OpenView) will not be
        accepted automatically but requires an explicit rule.

    Miscellaneous
     1. URI resource URL list file was not downloaded properly to remote
        FireWall Modules.
     2. Support longer INSPECT filters (up to 128K).
     3. 'fw logexport' crashes if info field is longer than 1024 bytes.

SR: 0000000000

Patch Files:
    /tmp/ckp_3045_non-vpn.tar
    /tmp/ckp_3045_non-vpn.README_FIRST

what(1) Output:
    /tmp/ckp_3045_non-vpn.tar:
        group_data.c 2.4 91/08/14 Copyright 1991 Sun Microsystems
        gcm.c 2.12 91/10/15 Copyright 1989 Sun Microsystems
    /tmp/ckp_3045_non-vpn.README_FIRST:
        None

cksum(1) Output:
    2936905380 670 /tmp/ckp_3045_non-vpn.README_FIRST
    2483666429 12144640 /tmp/ckp_3045_non-vpn.tar

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: None

Equivalent Patches: None

Patch Package Size: 11920 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard SupportLine
    User Guide or your Hewlett-Packard support terms and conditions for
    precautions, scope of license, restrictions, and limitation of
    liability and warranties, before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHNE_13484

    5a. For a standalone system, run swinstall to install the patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHNE_13484.depot

    5b. For a homogeneous NFS Diskless cluster run swcluster on the
        server to install the patch on the server and the clients:

        swcluster -i -b

        This will invoke swcluster in the interactive mode and force
        all clients to be shut down.

        WARNING: All cluster clients must be shut down prior to the
        patch installation. Installing the patch while the clients are
        booted is unsupported and can lead to serious problems.

        The swcluster command will invoke an swinstall session in which
        you must specify:

            alternate root path - default is /export/shared_root/OS_700
            source depot path   - /tmp/PHNE_13484.depot

        To complete the installation, select the patch by choosing
        "Actions -> Match What Target Has" and then "Actions -> Install"
        from the Menubar.

    5c. For a heterogeneous NFS Diskless cluster:

        - run swinstall on the server as in step 5a to install the
          patch on the cluster server.

        - run swcluster on the server as in step 5b to install the
          patch on the cluster clients.

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHNE_13484. If you do not wish to retain a copy
    of the original software, you can create an empty file named
    /var/adm/sw/patch/PATCH_NOSAVE.

    Warning: If this file exists when a patch is installed, the patch
    cannot be deinstalled. Please be careful when using this feature.

    It is recommended that you move the PHNE_13484.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the tape
    drive, use the command:

        dd if=/tmp/PHNE_13484.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    Note: This patch is for FireWall-1 V3.0b only. The customer must
    have FireWall-1 V3.0b installed before this patch can be applied.
    This patch does not upgrade previously released FireWall-1 products.

    Note: DO NOT select the "match what target has" test option in the
    SWINSTALL menu. This test will fail because the FireWall-1 product
    was not installed using the SD method.

    SUBSYSTEM_SHUT

    All active connections through the firewall must be closed before
    installing this patch.

    Follow the instructions below to complete the installation of this
    patch after you have swinstall'ed PHNE_13484.

    1) cd /tmp/
    2) tar xvf ckp_3045_non-vpn.tar
    3) cd ckp_3045_non-vpn

    A) To apply the patch for a firewall module
       A1) cd fw_patch
       A2) Issue "fwinstallpatch". This will start the patch
           installation. If you do not intend to use State
           Synchronization, negate the respective question posted by
           the installation script.

    B) To apply patches to the GUI client
       B1) cd gui_patch
       B2) Issue "fwguiinstallpatch" to start the installation.

    If your Firewall and GUI management console are installed on the
    same machine, apply both patches.
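The checks the bulletin asks for before the Check Point tar is extracted (logged in as root, both patch files present in /tmp with the published checksums, and the PATCH_NOSAVE warning) collected into one POSIX sh script. This is an added example, not part of the HP bulletin or of the Check Point patch kit; the checksum, size and path triples are copied from the cksum(1) Output section above, while the function names and messages are this example's own.

```shell
#!/bin/sh
# Added example (not from the HP bulletin or the Check Point patch kit):
# pre-installation checks for PHNE_13484 in POSIX sh.
# The "sum size path" lines below are copied from the bulletin's
# cksum(1) Output section; everything else is this example's own.

EXPECTED_CKSUMS='2936905380 670 /tmp/ckp_3045_non-vpn.README_FIRST
2483666429 12144640 /tmp/ckp_3045_non-vpn.tar'

# verify_file FILE SUM SIZE
# Returns 0 only when cksum(1) reports exactly SUM and SIZE for FILE.
# (Paths containing whitespace are not handled; the bulletin's have none.)
verify_file() {
    vf_file=$1 vf_sum=$2 vf_size=$3
    [ -f "$vf_file" ] || { echo "missing: $vf_file" >&2; return 1; }
    set -- $(cksum "$vf_file")              # fields: sum size name
    if [ "$1" != "$vf_sum" ] || [ "$2" != "$vf_size" ]; then
        echo "cksum mismatch for $vf_file: got $1 $2, want $vf_sum $vf_size" >&2
        return 1
    fi
    return 0
}

# verify_list LIST
# LIST holds one "SUM SIZE PATH" line per file; every line must verify.
# A here-document is used instead of a pipe so the loop runs in the
# current shell and the result flag survives.
verify_list() {
    vl_rc=0
    while read -r vl_sum vl_size vl_path; do
        [ -n "$vl_path" ] || continue       # skip blank lines
        verify_file "$vl_path" "$vl_sum" "$vl_size" || vl_rc=1
    done <<EOF
$1
EOF
    return $vl_rc
}

# preinstall_check
# What the bulletin requires before 'tar xvf ckp_3045_non-vpn.tar':
# root privileges, the two patch files in /tmp with the published
# checksums, and a warning when /var/adm/sw/patch/PATCH_NOSAVE exists
# (the patch then cannot be deinstalled).
preinstall_check() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "PHNE_13484: must be installed as root" >&2
        return 1
    fi
    verify_list "$EXPECTED_CKSUMS" || return 1
    if [ -e /var/adm/sw/patch/PATCH_NOSAVE ]; then
        echo "warning: PATCH_NOSAVE present; PHNE_13484 cannot be deinstalled" >&2
    fi
    echo "PHNE_13484: patch files in /tmp match the published cksum(1) values"
    return 0
}

# Usage, as root, after swinstall has delivered the files to /tmp and
# before extracting the tar:
#   preinstall_check && cd /tmp && tar xvf ckp_3045_non-vpn.tar
```

The script only gates the extraction step; it does not run swinstall itself, because the bulletin's own Special Installation Instructions note that the "match what target has" option fails for this product (FireWall-1 was not installed through SD), so that part of the procedure is better left to the interactive steps given above.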