Patch Name: PHNE_14797

Patch Description: s700_800 10.20 FireWall-1 v3.0b Exportable patch (VPN)

Creation Date: 98/04/09

Post Date: 98/04/15

Hardware Platforms - OS Releases:
    s700: 10.20
    s800: 10.20

Products: Check Point FireWall-1 V3.0b (VPN)

Filesets: FireWall-1.V3.0b

Automatic Reboot?: No

Status: General Superseded

Critical: Yes
    PHNE_14797: HANG

Path Name: /hp-ux_patches/s700_800/10.X/PHNE_14797

Symptoms:
    PHNE_14797:
    Various symptoms may be found in the following areas:
      1. OPSEC
      2. HTTP Security Server
      3. SMTP Security Server
      4. FTP Security Server
      5. FireWall Synchronization
      6. Address Translation
      7. Encryption
      8. Management GUI
      9. INSPECT
      10. Authentication - SecurID

    PHNE_13485:
    Various symptoms may be found in the following areas:
      1) State Synchronization - several crash scenarios
      2) SMTP Security Server
      3) HTTP Security Server
      4) FTP Security Server
      5) UFP
      6) Authentication
      7) Address Translation
      8) GUI
      9) INSPECT
      10) Encryption
      11) Security Properties

Defect Description:
    PHNE_14797:
    This patch contains all bug fixes to 3045, 3055 (not a general patch release) as well as OPSEC SDK support, and several bug fixes to the SMTP, HTTP, and FTP security servers. This patch can be applied to any 3.0b version of FireWall-1, including those systems running Build 3045.

    Bug Fixes:

    OPSEC:
      1. OPSEC/SDK Support is now provided.
      2. Fixes many CVP and UFP problems.

    HTTP Security Server:
      1. FTP from Netscape Communicator failed in some circumstances.
      2. HTTP Security Server crashed under heavy load.
      3. When the HTTP Resource Path is *:*, a redundant DNS query was submitted.
      4. HTTP Security Server - When a URL specified in a URI Resource was reloaded a few times, the ahttpd.log grew abnormally.
      5. UFP - The process of fetching a dictionary from a UFP server sometimes crashed if the UFP server was down.
      6. SecurID: Entering the next PASSCODE through HTTP crashes the HTTP Security Server.

    SMTP Security Server:
      1. When non-multipart attachments are to be stripped, MIME Content-Type is changed for text/plain. Other 'Content-' fields are stripped.
      2. "Too many open files" messages.
      3. Mail occasionally lost under load (i.e. scores of mails in the spool).
      4. smtpd crashes (after a number of mails were rejected).
      5. Using a rewriting scheme 'Field Contents ->' in an SMTP resource with an empty rewritten string caused smtpd crashes.
      6. SMTP->resource with Client Authentication was not logged correctly.
      7. Quoted characters recognized in SMTP commands MAIL and RCPT and also in message headers.
      8. smtpd crashed when the command DATA was sent preceded by SMTP commands FROM and RCPT containing illegal mail paths.
      9. In sending error notifications the last header line was dropped when a mail with an empty body was sent.
      10. Mails stuck in the spool when working with Eliashim AntiVirus Server.
      11. Occasionally added blank line in big attachments.
      12. When an error notification was sent, the last attachment boundary line was misplaced.
      13. Error server definition absent from the FireWall-1 Configuration SMTP dialog box (NT only).
      14. SMTP transaction failures due to resource restrictions, e.g. "Too much mail data", were not logged correctly. They are now logged in accordance with the resource 'Exception track' definition.

    FTP Security Server:
      1. FTP Security Server did not support PASV FTP with Accounting.
      2. FTP + CVP: the full path file name logged is in URL format (e.g. ftp://...).

    FireWall Synchronization:
      1. FireWall Synchronization with address translation is supported.

    Address Translation:
      1. Number of NAT rules is up to 2048 rules instead of 1024.

    Encryption:
      1. SKIP Encryption problems when used with NAT.

    Management GUI:
      1. When defining an object whose IP address is identical to a FireWalled object, encryption does not work properly.
      2. When all users checkboxes are unset, adding a user crashes OpenLook fwui.
      3. Windows and X/Motif GUI: State transition alerts did not work in the System Status view.
      4. Long names for Admin authentication crash fwm.

    INSPECT:
      1. When the rule base exceeds ~250 rules, the INSPECT Virtual Machine stack could overflow.
      2. Land Attack protection provided.
      3. RealAudio and VDOLive services are now supported in FASTPATH mode.
      4. Large FTP transfers: If a file transfer through the FireWall-1 took more than TCP_TIMEOUT (set by default to 60 minutes), the control connection was cut in the middle, resulting in file transfer failure. After installing Patch 3055, if you need to transfer files for more than TCP_TIMEOUT, you need to modify the file $FWDIR/lib/base.def, changing the line
             #define FTP_CONTROL_TIMEOUT TCP_TIMEOUT
         to
             #define FTP_CONTROL_TIMEOUT <seconds>
         where <seconds> is the number of seconds you want the control connection to remain open.

    Miscellaneous:
      1. $FWDIR/conf/fwauthd.conf had a limit of no more than 10 security servers. The number has been increased from 10 to 64.
      2. More than ~20 domain objects in the Rule Base did not work.

    Authentication:
      1. SecurID new PIN mode was not working properly when used via a browser.

    Feature Enhancements:

    SMTP Security Server:
      1. Multiple mail servers/error handling servers can be defined in a resource or in smtp.conf, e.g.:
             Mail server: {smtp-gw1,smtp-gw2,smtp-gw3}
      2. Error notification log format changed. An error notification attempt is logged with INFO as in the following example:
             "Error notification sent: originally from someone@org to soembody@org"
      3. In an error notification message the original header is returned together with the message body.

    Limitations and Known Bugs:
      1. NT - When using an HTTP resource with UFP, the category string in the log viewer is the mask and not the category string.
      2. AIX, Solaris/X86 VPN+DES - When using an HTTP resource with the File option, the file is not copied to $FWDIR/database/lists during the policy download.
         A temporary workaround is to add the file name to $FWDIR/state/fwrl.conf on the management station.
      3. Using UNIX (tested using AIX/Motif and Sun/OpenLook), it was not possible to manage a BAY embedded FireWall Module by downloading a policy. The following error is seen:
             fetch_bload : get_rule_base failed
             Failed to install security policy on {Bay Module name}: File exists
      4. Back channel connections (e.g., FTP Data connection) do not work when using FireWall-1 Synchronization in an asymmetric routing configuration. This limitation will be lifted in the next release of FireWall-1.

    PHNE_13485:
    Detailed problem solving description - patch 3045 Release Notes:

    Bug Fixes:

    State Synchronization - several crash scenarios:
      1. FireWalls stopped synchronization after a policy load.
      2. FireWall-1 daemon crashed when more than 64K needed to be synchronized in one chunk.
      3. FireWalls might get out of synchronization from time to time.
      4. Security Servers might stop working if running on two synchronized machines.
      5. FireWall synchronization does not behave properly after reload of a policy.
      6. System crashes under heavy load.
      7. Using synchronization with several features caused system crashes. See Limitations section, below.

    SMTP Security Server:
      1. SMTP Security Server reports a "Too many open files" error message.
      2. Long header lines logging.
      3. Redundant spaces in sender and recipient were not RFC-821 compliant.
      4. Some files were queued in the spool directory when CVP was used.
      5. Mail error notifications were not sent properly.

    HTTP Security Server:
      1. Crashes under load with CVP.
      2. Crashes when the CVP Server goes down.
      3. HTTP Server sends a redundant drop request.
      4. Crashes under load if 'Block JAVA Code' is enabled.

    FTP Security Server:
      1. Crashes under load with CVP.
      2. When failing to connect to the CVP Server, the client (a.ftpd) goes out of sync.

    UFP:
      1. FireWall-1 omits the query from the URL passed to the UFP Server.

    Authentication:
      1. Support now provided for the SecurID New PIN Mode.
      2. Ability to change the RADIUS port added.

    Windows NT:
      1. Service Pack 3 PPP Support.
      2. NT 4.0 fwntperf.dll.
      3. Windows NT DNS crashes.
      4. Windows NT Network Card of type El90x3 created incorrect Anti spoofing code.

    Address Translation:
      1. UDP DST Static Address Translation.

    GUI:
      1. FwStatus - Year 2000 Compliance (FireWall-1 now fully Year 2000 compliant).
      2. *local mode on Motif.
      3. FwStatus - correct SNMP communities are now used.
      4. Windows and Motif GUI allowed creating Groups with illegal.

    INSPECT:
      1. Network Cards with / in them caused compilation errors.
      2. Others + Anti Spoofing specification creates wrong INSPECT code.
      3. Defining a network object with name 'servers' creates wrong INSPECT code.

    Encryption:
      1. SKIP and IPSec with 'Decrypt upon accept' and ICMP caused daemon crash.

    Security Properties:
      1. SNMP from external machines (like HP OpenView) will not be accepted automatically but requires an explicit rule.

    Miscellaneous:
      1. URI resource URL list file was not downloaded properly to remote FireWall Modules.
      2. Support longer INSPECT filters (up to 128K).
      3. 'fw logexport' crashes if the info field is longer than 1024 bytes.

SR: 0000000000

Patch Files: /tmp/ckp_3064_vpn.tar
             /tmp/ckp_3064_vpn.README_FIRST

what(1) Output:
    /tmp/ckp_3064_vpn.tar:
        Copyright (c) 1993 Regents of the University of Michigan.
        Copyright (c) 1990 Regents of the University of Michigan.
        Copyright (c) 1990 Regents of the University of Michigan.
        Copyright (c) 1993 The Regents of the University of Michigan.
        Copyright (c) 1995 Regents of the University of Michigan.
        gcm.c 2.12 91/10/15 Copyright 1989 Sun Microsystems
        gfm.c 2.30 91/10/15 Copyright 1990 Sun Microsystems
        group_data.c 2.7 91/10/15 Copyright 1991 Sun Microsystems
        gfm_load_dir.c 2.22 91/10/15 Copyright 1990 Sun Microsystems
        group.c 2.27 91/10/15 Copyright 1991 Sun Microsystems
    /tmp/ckp_3064_vpn.README_FIRST:
        None

cksum(1) Output:
    1470986953 662 /tmp/ckp_3064_vpn.README_FIRST
    3617499702 14366720 /tmp/ckp_3064_vpn.tar

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHNE_13485

Equivalent Patches: None

Patch Package Size: 14090 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.
    2. Login as root.
    3. Copy the patch to the /tmp directory.
    4. Move to the /tmp directory and unshar the patch:
           cd /tmp
           sh PHNE_14797
    5a. For a standalone system, run swinstall to install the patch:
           swinstall -x autoreboot=true -x match_target=true \
               -s /tmp/PHNE_14797.depot
    5b. For a homogeneous NFS Diskless cluster, run swcluster on the server to install the patch on the server and the clients:
           swcluster -i -b
        This will invoke swcluster in the interactive mode and force all clients to be shut down.
        WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems.
        The swcluster command will invoke an swinstall session in which you must specify:
            alternate root path - default is /export/shared_root/OS_700
            source depot path - /tmp/PHNE_14797.depot
        To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar.
    5c. For a heterogeneous NFS Diskless cluster:
        - run swinstall on the server as in step 5a to install the patch on the cluster server.
        - run swcluster on the server as in step 5b to install the patch on the cluster clients.

    By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_14797. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE.
    Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature.
    It is recommended that you move the PHNE_14797.text file to /var/adm/sw/patch for future reference.
    To put this patch on a magnetic tape and install from the tape drive, use the command:
        dd if=/tmp/PHNE_14797.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    Note: This patch is for FireWall-1 V3.0b only. Customers must have FireWall-1 V3.0b installed before this patch can be applied. This patch does not upgrade previously released FireWall-1 products.
    Note: DO NOT select the "match what target has" test option in the SWINSTALL menu. This test will fail because the FireWall-1 product was not installed using the SD method.

    SUBSYSTEM_SHUT
    All active connections through the firewall must be closed before installing this patch.

    Follow the instructions below to complete the installation of this patch after you have swinstall'ed PHNE_14797.
    1) cd /tmp/
    2) tar xvf ckp_3064_vpn.tar
    3) cd ckp_3064_vpn
    A) To apply the patch to a firewall module:
       A1) cd fw_patch
       A2) Issue "fwinstallpatch". This will start the patch installation.
    B) To apply the patch to a GUI client:
       B1) cd gui_patch
       B2) Issue "fwguiinstallpatch" to start the installation.
    If your Firewall and GUI management console are installed on the same machine, apply both patches.
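Because the patch files are untarred and then executed as root, the one check worth doing before step 1) above is to compare what landed in /tmp against the cksum(1) values published in this patch text. The following POSIX sh script is an added example and is not part of the HP patch text or of the Check Point distribution; the function names verify_cksum and check_patch_files are the author's own, the expected CRC and byte-count pairs are copied from the "cksum(1) Output" section above, and the directory defaults to /tmp as in the installation steps.

```shell
#!/bin/sh
# Added example (not from the HP patch text): check the two FireWall-1
# patch files against the cksum(1) values listed in PHNE_14797 before
# "tar xvf ckp_3064_vpn.tar" is run. A CRC from cksum(1) is only an
# integrity check against download corruption, not an authenticity
# check, so this stands in for nothing stronger than that.

# verify_cksum FILE EXPECTED_CRC EXPECTED_BYTES
# Returns 0 when cksum(1) reports exactly the expected CRC and byte count,
# 1 if the file is missing or either value differs. Both numbers are
# compared: a matching CRC with a different length is still a mismatch.
verify_cksum() {
    file=$1
    expected_crc=$2
    expected_bytes=$3
    if [ ! -f "$file" ]; then
        echo "verify_cksum: $file: no such file" >&2
        return 1
    fi
    # cksum(1) prints "CRC BYTES FILENAME"; only the first two fields are
    # used, so a filename containing spaces does not disturb the check.
    set -- $(cksum "$file")
    if [ "$1" = "$expected_crc" ] && [ "$2" = "$expected_bytes" ]; then
        return 0
    fi
    echo "verify_cksum: $file: got $1 $2, expected $expected_crc $expected_bytes" >&2
    return 1
}

# check_patch_files [DIR]
# Checks both files named in the patch text (default DIR is /tmp, as in
# the installation steps). Stops at the first mismatch so that a bad
# download is never unpacked.
check_patch_files() {
    dir=${1:-/tmp}
    # Expected values are the ones published under "cksum(1) Output".
    verify_cksum "$dir/ckp_3064_vpn.README_FIRST" 1470986953 662 &&
    verify_cksum "$dir/ckp_3064_vpn.tar" 3617499702 14366720
}
```

Run `check_patch_files /tmp` on the target host (or source the script and call it) immediately before step 1) of the special installation instructions; a non-zero exit means the download should be repeated rather than untarred. The functions return status instead of printing a verdict so they can be dropped into a larger pre-install script and used with `&&` or `if`.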