Patch-ID# 105082-01 Keywords: 3.0a jumbo upgrade patch nt Windows NT 4.x Synopsis: Solstice FireWall-1 3.0a upgrade/jumbo patch "non" VPN Date: Jul/18/97 Solaris Release: SunOS Release: Unbundled Product: Solstice FireWall-1 Unbundled Release: 3.0a Relevant Architectures: intel BugId's fixed with this patch: This is a generic upgrade to 3.0. Please see below for a comprehensive list of enhancements and fixes. Changes incorporated in this version: Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: fw: disk1.zip disk2.zip gui: disk1.zip disk2.zip agents: session.zip Problem Description: Kernel Driver ------------- - Improve control over kernel memory allocation. - Fix problems with modifying packets on HPUX that might crash the machine in rare circumstances. - Reject did not work properly on Token Ring cards for Windows NT. Authentication -------------- - generic* user feature did not work Security Servers ---------------- HTTP: - did not work properly on Solaris2-x86 - crashes if it receives an empty header - Predefined Servers Mode did not work - Using IP Address as host name in URL definition didn't work for Windows NT and Solaris2-x86 - If by changing the security policy, the access to a URL is allowed, then blocked and then re-allowed again, the URL will not be accessed. - resources and authentication, if FireWall password is but the password for the server is not, the user is prompted to enter server passwrd and not for both. - Connection from FW-1 to two HTTP servers that are located on the same host is impossible. SMTP: - failed to rewrite the user-defined field. RLOGIN: - Using successive rlogin sessions did not work. OPSEC ----- - CVP with HTTP was stuck on headers-only HTTP replies - Cannot defined unresolvable UFP Server name Code Generation --------------- - Wrong INSPECT code for network mask 0.0.0.0 - Wrong INSPECT code for IP Addresses of the type 255.*.*.* - Install On 'All' did not apply to routers. Address Translation ------------------- - Fix ICMP errors translations GUI --- OpenLook: - GUI crashed when viewing (or verifying) security policy Windows & X/Motif: - Interfaces Properties lost on Windows GUI from time to time - When defining interfaces, a wrong Warning appeared - *local mode failed to work X/Motif only: - crashed when defining RADIUS Servers - crashed when defining Time objects Encryption ---------- - Session Authentication did not work together with SKIP Encryption - SPI Keys generation did not work on Windows GUI - Error Message in FWZ encryption on Windows NT (FW_FREE_MEMORY - Cannot free NULL pointer) - SecuRemote failed to fetch site information from a management only station - Encryption Method 'Any' choose the weakest encryption method - Encryption Method RC4-40 with Manual IPSEC did not work properly. - SecuRemote communication cannot pass through an intermediate firewall. - Combining Encryption with Security Servers didn't work on some configurations. - Memory leaks of fwd when working with SecuRemote and/or SecuRemote Installation ------------ - Lists directory were not created during Windows NT installation Log & Alert ----------- - FireWall to Management Log connection failed to re-established after Management goes down. - Mail alert default command applied for Solaris2 only - Problems with Accounting information after re-loading a new security Policy - Replace 'packets:' with 'packets' in the log file Licensing --------- - High Availability feature was not available under the Starter Products and limited Modules Patch Installation Instructions ------------------------------- (1) Stop the firewall. (2) Copy the .zip file for the component you wish to install onto the NT system. For agents use session.zip, for fw, disk1.zip and disk2.zip located in the fw subdirectory of the patch distribution, and for agents disk1.zip and disk2.zip from the agents directory in the patch distribution. (3) After copying the zip files into an empty folder on the NT system, unzip the files to expand them, and then run the setup.exe script. This will install everything automatically, prompting the user for anything and everything necessary. It is comprehensive and user-friendly. If the user is upgrading from a prior system, the existing license will automatically be propogated (it is even displayed for the user's perusal in a dialogue box at one point during the install). (4) The system will automatically reboot at the end of the installation. (5) Start the firewall, if it isn't started automatically with your configuration.