Embedded NGX 7.5 Release Notes
General Availability Version
March 2008 – Document Revision 11
Contents
Introduction
  Highlights of This Version
  Supported Platforms
  Availability
  Copyright
Changes from 7.5 to 7.5.55
  7.5.55
  7.5.51
  7.5.48
  7.5.45
New Features
  New Security Features
  New Networking Features
  New Usability Features
Appendix A: Supported Peripherals
Introduction
Highlights of This Version
Embedded NGX 7.5 incorporates a host of new and improved features, including:
• Internet Connection Load Balancing
• Advanced Firewall Rules
• Advanced NAT Rules
• Reusable Network Service Objects
• Service-Based Routing
• Web Rules
• Enhanced SIP VoIP Support
Supported Platforms
Embedded NGX 7.5 EA supports the following hardware platforms:
• Check Point Safe@Office 100B series
• Check Point Safe@Office 200 series
• Check Point Safe@Office 400W series
• Check Point Safe@Office 500 series
• Check Point UTM-1 Edge (VPN-1 UTM Edge) X series
• Check Point UTM-1 Edge (VPN-1 UTM Edge) W series
• Check Point ZoneAlarm Z100G
• NEC SecureBlade 300
• Nokia IP60
Availability
• Embedded NGX 7.5 is available to existing Embedded NGX customers with a valid
software subscription contract.
For additional information and documentation, click here.
Copyright
© Copyright 2007 SofaWare Technologies Ltd.
SofaWare is a registered trademark of SofaWare Technologies Ltd.
Check Point is a registered trademark of Check Point Software Technologies Ltd.
Changes from 7.5 to 7.5.55
7.5.55
New Features
Additional USB modems
Support was added for the following USB modems:
- Teltonika U3G15S
- Qualcomm ZTE MF622 HSDPA
Issues resolved
Firewall
• Resolved issue: When handling large packets, requiring fragmentation, over PPP
Internet links, some packets are handled incorrectly.
Connectivity
• Resolved issue: Dead Connection Detection set on the primary Internet
connection coupled with a secondary PPP Internet connection in Connect-on-
Demand mode, may fail to operate as expected.
VPN
• Resolved issue: DHCP relay does not function as expected when used from a
bridged network over a VPN link.
• Resolved issue: In rare cases, remote HTTPS and SSH connections to the
appliance IP address over VPN may be abnormally terminated.
• Resolved issue: When using more than 10 VPN tunnels simultaneously,
connections scanned by VStream Antivirus are sometimes cut.
HTTPS
• Resolved Issue: In the web user interface, the logout button now appears in
HTTPS mode, when using Internet Explorer or Firefox.
Wireless
• Resolved issue: When using WPA security, Windows Vista clients may fail
obtaining an IP address using DHCP, and certain broadcast packets may be
encrypted with an incorrect key.
7.5.51
Issues resolved
Management
• Resolved issue: Upgrade from firmware 6.0 directly to 7.5 may cause certain
settings to be reset to their default values.
• Resolved issue: During an appliance reboot, the gateway continues to appear as
“connected” in the Service Center (SMP/SmartCenter).
• Resolved issue: When downloading a CLI scripts from the Service Center, the
managed items are not correctly marked as “Remotely Managed”.
Firewall and Smart Defense
• Resolved issue: SIP ALG does not work correctly through a VPN tunnel.
• Resolved issue: SIP support for Cisco VoIP phones improved.
• Resolved issue: As a normal side effect, SIP ALG processing or IPSEC decryption
may sometimes cause shortening of packets. In rare cases, fragmented packets
that were shortened, may be silently dropped or incorrectly transmitted.
VPN
• Resolved issue: In certain cases, IKE Phase1 failures may cause a memory leak.
• Resolved issue: Disconnects when using L2TP VPN with Apple IPhone clients.
• Resolved issue: When using VPN in “Route all Traffic” mode, certain connections
are not established correctly.
• Resolved issue: When configured in a managed VPN community (Enterprise Site),
the appliance may fail to connect to externally managed gateways requiring
shared secret authentication.
Wireless
• Resolved issue: Wireless LAN may operate unreliably when using certain wireless devices supporting power save mode (such as Blackberry).
7.5.48
Issues resolved
Firewall and Smart Defense
• Resolved issue: In certain cases, the appliance may restart when processing SIP IP telephony packets.
Vstream Anti-Virus
• Resolved issue: Specific EXE files are scanned slowly.
Management and settings
• Resolved issue: When upgrading from firmware 7.0, VPN sites and SNMP settings revert to disabled.
• Resolved issue: A potential security vulnerability corrected in the SNMP server.
7.5.45
New Features
Additional USB modems
Support was added for the following USB modems:
- Novatel Ovation MC950D
- Novatel U727
SIP support
The SIP application level gateway (ALG) can now be optionally disabled.
ADSL
Norway's ISPs details were added to the ADSL wizard.
Enhanced HTTPS Support
To increase security, the following changes were done to the HTTPS web
configuration portal (https://my.firewall):
- HTTPS web server cookies are now marked as “secure cookies”.
- HTTPS clients are no longer permitted to select weak 40 and 56 bit
ciphers.
Enhanced L2TP Support
The L2TP server has been enhanced to support the following cases:
- Windows Vista VPN clients behind a NAT device.
- Apple iPhone VPN clients.
Issues resolved
HTTP/HTTPS
• Resolved issue: Low severity cross-site scripting (XSS) attack potentially possible against the configuration web portal. This issue is unlikely to be successfully exploited.
Vstream Anti-Virus
• Resolved issue: In certain cases, VStream Antivirus may block valid connections.
Firewall
• Resolved issue: A memory issue when using DHCP relay.
ADSL
• Resolved issue: ANNEX B DSL modems support for G.DMT standard.
IP60
• Resolved issue: Nokia IP60 GUI layout appears incorrectly.
New Features
New Security Features
Web Rules
It is now possible to define Web rules that allow or block access to specific Web sites based on the site’s URL. If desired, you can log attempts to access allowed and blocked Web sites. In addition, you can exclude specific IP addresses or address ranges from Web rule enforcement.
Wildcards may be used in web rules to allow partial access to certain web sites.
This feature does not require subscription to the category-based Web Filtering service and can operate in parallel with the subscription service, if desired.
When a site is blocked, a configurable message is displayed to the user. See “Customizable Web Filtering Page”.
Time-Based Rules
It is now possible to define firewall rules that only take effect during certain hours of the day.
This feature is supported for locally defined firewall rules, for locally defined antivirus rules, and for firewall rules downloaded from Check Point SmartCenter (rules using time objects).
Rule Descriptions
A new Description field allows attaching an explanation or remark to each locally
defined firewall and antivirus rule. This optional field can be used for naming a
rule or for explaining why the rule is needed and under what circumstances.
Reusable Network Service Objects
Embedded NGX 7.5 allows defining custom network service objects in the local Web interface and assigning them unique names. The network service objects can then be used in firewall rules, antivirus rules, and policy-based routing rules.
Network service objects consist of an IP protocol and either a TCP/UDP port or a port range. It is possible to define several non-consecutive port ranges, by separating them with commas.
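The port-range syntax described above is small enough to parse and check end to end. The following is an added example, not SofaWare or Check Point code: it parses a service object written as a protocol name plus a comma-separated list of ports and port ranges (the textual spelling "tcp 80,443,8000-8080" is an assumption, since the page does not show the appliance's own input syntax), rejects malformed or inverted ranges so a typo cannot silently widen the service, and matches a packet's protocol and port against the object.

```python
"""Parser and matcher for reusable network service objects (added example)."""
from dataclasses import dataclass
from typing import Tuple

PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class ServiceObject:
    name: str
    protocol: int                         # IP protocol number (6 = TCP, 17 = UDP)
    ranges: Tuple[Tuple[int, int], ...]   # inclusive (low, high) port ranges


def parse_port_spec(spec: str) -> Tuple[Tuple[int, int], ...]:
    """Turn "80,443,8000-8080" into sorted, merged (low, high) tuples.

    Empty entries, ports outside 0-65535 and inverted ranges such as
    "8080-8000" are rejected instead of being guessed at.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty port entry in {spec!r}")
        low_text, _, high_text = item.partition("-")
        low = int(low_text)
        high = int(high_text) if high_text else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"invalid port range {item!r}")
        ranges.append((low, high))
    ranges.sort()
    merged = []
    for low, high in ranges:
        # Adjacent or overlapping ranges collapse into one entry.
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return tuple(merged)


def parse_service(name: str, text: str) -> ServiceObject:
    """Parse "<protocol> <port spec>" (assumed syntax) into a ServiceObject."""
    proto_text, _, port_spec = text.strip().partition(" ")
    proto = proto_text.lower()
    if proto not in PROTOCOL_NUMBERS:
        raise ValueError(f"unsupported protocol {proto_text!r}")
    if not port_spec.strip():
        raise ValueError("a TCP/UDP service needs at least one port")
    return ServiceObject(name, PROTOCOL_NUMBERS[proto], parse_port_spec(port_spec))


def service_matches(service: ServiceObject, protocol: int, port: int) -> bool:
    """True when a packet's protocol number and port fall inside the object."""
    if service.protocol != protocol:
        return False
    return any(low <= port <= high for low, high in service.ranges)


# Constructed sample definitions, as an administrator might enter them.
SAMPLE_SERVICES = {
    "web-and-alt-http": parse_service("web-and-alt-http", "tcp 80,443,8000-8080"),
    "voip-rtp": parse_service("voip-rtp", "udp 16384-32767"),
}
```

Merging adjacent ranges is a convenience; the important property for a firewall object is that the parser never accepts a range wider than the one the administrator typed.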
Allow & Forward Rules with Destination IP Address
It is now possible to define “Allow & Forward” rules with a specific destination IP
address. This allows defining NAT forwarding rules that only take effect when
accessing a certain IP address.
Embedded NGX 7.5 allows defining different forwarding rules for each external IP address. For example, consider a case in which the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.2, and the network contains two private Web servers, A and B. It is now possible to forward all HTTP traffic with the destination 62.98.112.1 to server A, while mapping all HTTP traffic with the destination 62.98.112.2 to server B. Previously, this was only possible using static NAT mappings.
Advanced users can also use this feature for outgoing traffic, creating
"transparent proxy" rules that divert all traffic that is destined for a certain IP
address to a different IP address.
Advanced Address Translation Rule Base
Embedded NGX 7.5 allows configuring advanced network address translation
(NAT) rules in the local management interface.
The Address Translation table is divided into Original Packet and Translated Packet sections. The Original Packet section specifies the conditions under which the rule is applied, and the Translated Packet section specifies the action taken when the rule is applied. You can change the source IP address, the destination IP address, the service, or any combination of the above.
When translating an IP address range to another IP address range of the same
size, static NAT is performed.
When translating an IP address range to a smaller IP address range, static NAT is performed for all but the last address in the translated range, and hide NAT is used to hide all the remaining addresses in the original range behind the last IP address in the translated range.
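The two rules above (equal-size ranges give one-to-one static NAT; a smaller translated range gives static NAT for all but its last address and hide NAT behind that address for the rest) decide which internal hosts share a public address, which matters when reading logs from the far end. The following added example, not appliance code, computes that mapping for one rule; the ranges are constructed (62.98.112.x continues the public addresses used on this page), and a translated range larger than the original is rejected because the page does not describe it.

```python
"""Address translation mapping for a range-to-range NAT rule (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple


@dataclass(frozen=True)
class TranslationRule:
    original_first: IPv4Address
    original_last: IPv4Address
    translated_first: IPv4Address
    translated_last: IPv4Address

    def __post_init__(self):
        if (self.original_last < self.original_first
                or self.translated_last < self.translated_first):
            raise ValueError("range end must not precede range start")

    @property
    def original_size(self) -> int:
        return int(self.original_last) - int(self.original_first) + 1

    @property
    def translated_size(self) -> int:
        return int(self.translated_last) - int(self.translated_first) + 1


def translate_source(rule: TranslationRule, src: IPv4Address) -> Tuple[IPv4Address, str]:
    """Return (translated address, NAT mode) for one original source address."""
    if not rule.original_first <= src <= rule.original_last:
        raise ValueError(f"{src} is outside the rule's original range")
    offset = int(src) - int(rule.original_first)
    if rule.translated_size == rule.original_size:
        # Same size: every original address gets its own translated address.
        return IPv4Address(int(rule.translated_first) + offset), "static"
    if rule.translated_size > rule.original_size:
        # Only equal-size and smaller translated ranges are described; refuse to guess.
        raise ValueError("translated range larger than original: behaviour not specified")
    # Smaller range: the last translated address is reserved for hide NAT,
    # the ones before it are handed out one-to-one in order.
    static_slots = rule.translated_size - 1
    if offset < static_slots:
        return IPv4Address(int(rule.translated_first) + offset), "static"
    return rule.translated_last, "hide"


def mapping_table(rule: TranslationRule) -> List[Tuple[str, str, str]]:
    """Full (original, translated, mode) table for the rule, for review or documentation."""
    rows = []
    for i in range(rule.original_size):
        src = IPv4Address(int(rule.original_first) + i)
        dst, mode = translate_source(rule, src)
        rows.append((str(src), str(dst), mode))
    return rows


# Constructed rule: ten internal hosts translated onto three public addresses.
SAMPLE_RULE = TranslationRule(IPv4Address("10.0.0.1"), IPv4Address("10.0.0.10"),
                              IPv4Address("62.98.112.1"), IPv4Address("62.98.112.3"))
```

A translated range of exactly one address degenerates, under the same rule, into plain hide NAT for the whole original range, which is the case the page calls enabling "Hide NAT" on a network.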
NAT rules can be implicitly defined through a number of methods: by enabling
“Hide NAT” on an internal network, by creating an “Allow & Forward” firewall
rule, or by configuring static NAT for a network object. In addition, NAT rules can
be received from the SmartCenter policy editor. Implicitly defined NAT rules are
displayed in the Address Translation table, but cannot be edited.
Note: This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.
New SmartDefense Protection: Checksum Verification
When this protection is enabled, SmartDefense will identify and drop IP, TCP, or
UDP packets with incorrect checksums.
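The check this protection performs is the standard Internet checksum (RFC 1071) over the IPv4 header, and over the IPv4 pseudo-header plus segment for TCP and UDP. The following added example, not SofaWare or Check Point code, implements that verification, builds constructed packets with valid checksums (RFC 5737 documentation addresses), and shows the verdict a checksum-verifying gateway would give for intact and for corrupted packets, including the UDP case where an all-zero checksum means "not present" and is legitimately passed.

```python
"""Checksum verification for IPv4, TCP and UDP (added example)."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """Fold all 16-bit words of data into one 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, l4: bytes) -> bytes:
    """Wrap a transport segment (its checksum field zeroed) in a valid IPv4 packet."""
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(l4))
    csum = internet_checksum(pseudo + l4)
    if proto == 17 and csum == 0:
        csum = 0xFFFF                        # UDP: 0 means "no checksum", so send all-ones
    offset = 6 if proto == 17 else 16        # checksum field position in UDP / TCP headers
    l4 = l4[:offset] + struct.pack("!H", csum) + l4[offset + 2:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0, src, dst)
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + l4


def verify_checksums(packet: bytes) -> str:
    """Return "pass" or a "drop: ..." verdict, as the protection would decide."""
    if len(packet) < 20:
        return "drop: truncated IP header"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return "drop: inconsistent IP lengths"
    # A valid header sums to 0xFFFF when the checksum field itself is included.
    if ones_complement_sum(packet[:ihl]) != 0xFFFF:
        return "drop: bad IP checksum"
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    l4 = packet[ihl:total_len]
    if proto == 6:
        if len(l4) < 20:
            return "drop: truncated TCP header"
        pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(l4))
        return "pass" if ones_complement_sum(pseudo + l4) == 0xFFFF else "drop: bad TCP checksum"
    if proto == 17:
        if len(l4) < 8:
            return "drop: truncated UDP header"
        if l4[6:8] == b"\x00\x00":
            return "pass"                    # RFC 768 permits an absent UDP checksum over IPv4
        pseudo = struct.pack("!4s4sBBH", src, dst, 0, 17, len(l4))
        return "pass" if ones_complement_sum(pseudo + l4) == 0xFFFF else "drop: bad UDP checksum"
    return "pass"                            # other protocols: only the IP header is checked


def corrupt(packet: bytes, index: int) -> bytes:
    """Flip one bit at the given offset, simulating in-transit corruption."""
    data = bytearray(packet)
    data[index] ^= 0x01
    return bytes(data)


# Constructed sample packets: a 5-byte UDP datagram and a bare TCP SYN.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
UDP_QUERY = build_ipv4(SRC, DST, 17, struct.pack("!HHHH", 5353, 53, 8 + 5, 0) + b"hello")
TCP_SYN = build_ipv4(SRC, DST, 6, struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 8192, 0, 0))
```

The same sum routine serves both generation and verification: a correct packet sums to 0xFFFF with its checksum field included, so the verifier never has to zero the field and recompute.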
New SmartDefense Protection: Urgent Flag Clearing
The URG flag is used to indicate that urgent data exists in a TCP stream, and that
the data should be delivered with high priority. Since handling of the URG flag is
inconsistent between different operating systems, allowing the URG flag may
enable an attacker to conceal certain attacks.
By default, SmartDefense automatically clears the URG flag to ensure security.
To allow the URG flag, in the SmartDefense tree's TCP > Flags node, set the URG
Flag field to Allow. To prevent the URG flag from being used, set the URG Flag
field to Clear.
New SmartDefense Protection: Sequence Number Verifier
When this protection is enabled, Embedded NGX examines each TCP packet's
sequence number and checks whether it matches a TCP connection state. You
can configure how the router handles packets that match a TCP connection in
terms of the TCP session but have incorrect sequence numbers.
Secure HotSpot: Redirect URL
The Secure HotSpot feature now allows defining an optional “Redirect URL”.
When a “Redirect URL” is defined, every user who successfully authenticates to
the Secure HotSpot will be automatically redirected to the specified URL. For
example, the “Redirect URL” can be your company’s Web site or a “Welcome”
page.
This feature is supported in the following platforms: UTM-1 Edge, Safe@Office 500 with Power
Pack, Safe@Office 225, and Safe@Office 410/425.
Remote Desktop Access Granular Permissions
Embedded NGX includes an integrated client for Microsoft Terminal Services,
allowing you to enjoy convenient clientless access to your Windows computers
from anywhere, via the my.firewall portal. System administrators can remotely
access the desktop of each employee's computer, and even redirect printers
or ports to a remote computer.
Starting from Embedded NGX 7.5, granular permissions are now available for Remote Desktop Access, enabling an administrator to limit access to the Remote Desktop Access feature to a limited set of users. Non-administrator users who have the “Remote Desktop” permission in their profile can now log in to the Embedded NGX web based configuration portal, my.firewall, and gain access to a restricted portal, showing only the “Active Computers” page, and allowing access to the Remote Desktop Access feature.
Enhanced SIP Support
Embedded NGX 7.5 now includes a dedicated ALG (Application Level Gateway)
for SIP (Session Initiation Protocol), the popular signaling protocol commonly
used for IP telephony (VoIP). This ALG enables easy NAT and Firewall traversal.
Note:
1. Embedded NGX 7.5 supports SIP over UDP. SIP over TCP is currently not
supported.
2. A SIP Proxy must be used, and the proxy must not reside in the same
network as the SIP client.
Enhanced VPN Topology Display
An enhanced topology viewer is now available, for convenient display of the VPN
network topology. The VPN topology viewer is accessible from the “Active
Tunnels” page in the web user interface.
New Networking Features
WAN Load Balancing
Embedded NGX 7.5 supports WAN load balancing. When WAN load balancing is enabled, two Internet connections can be used in parallel, and the load is automatically distributed between them, based on available bandwidth.
To prevent disruption of stateful protocols, load balancing is performed on a per source IP address and destination IP address basis, meaning that all traffic from a certain source IP address to a certain destination IP address will be consistently sent to the same Internet connection. In the case of a single client communicating with a single server, no throughput benefits will be realized; however, in typical network conditions, where multiple clients or servers are active, bandwidth-based load balancing can balance the use of both Internet connections exceptionally well, effectively doubling the available bandwidth.
By default, the load distribution is symmetric; however, it is possible to achieve
non-symmetric balancing by assigning a different weight to each Internet
connection.
To ensure continuous Internet connectivity, an Internet connection that fails for
any reason is automatically excluded from load balancing.
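The three properties stated above (a source/destination IP pair always lands on the same connection, weights make the split asymmetric, and a failed connection is excluded) can be realised with a deterministic per-flow hash. The following is an added example, not SofaWare or Check Point code: the page does not say which algorithm the appliance uses, so the weighted rendezvous hashing used here is an assumption, chosen because a failed link then only moves the flows that were on it, and the remaining flows keep their connection. The flows are constructed.

```python
"""Per-flow WAN load balancing with weights and failed-link exclusion (added example)."""
import hashlib
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class WanLink:
    name: str
    weight: float = 1.0      # relative share of flows; equal weights give a symmetric split
    up: bool = True          # set False when the connection is detected as failed


def _uniform(flow_key: str, link_name: str) -> float:
    """Deterministic pseudo-random number in the open interval (0, 1) per (flow, link)."""
    digest = hashlib.sha256(f"{flow_key}|{link_name}".encode()).digest()
    x = int.from_bytes(digest[:8], "big")
    return (x + 1) / (2 ** 64 + 1)


def choose_link(src_ip: str, dst_ip: str, links: List[WanLink]) -> WanLink:
    """Pick the Internet connection for a source/destination IP pair."""
    candidates = [link for link in links if link.up and link.weight > 0]
    if not candidates:
        raise RuntimeError("no Internet connection is available")
    key = f"{src_ip}->{dst_ip}"
    # Weighted rendezvous hashing: each flow has a fixed score per link and the
    # highest score wins, so the choice is stable as long as that link stays up
    # and the long-run share of flows per link is proportional to its weight.
    return max(candidates, key=lambda link: -link.weight / math.log(_uniform(key, link.name)))


def flow_shares(links: List[WanLink], flows: List[Tuple[str, str]]) -> Dict[str, float]:
    """Fraction of flows landing on each link, to check the split matches the weights."""
    counts = {link.name: 0 for link in links}
    for src, dst in flows:
        counts[choose_link(src, dst, links).name] += 1
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def sample_flows(n: int) -> List[Tuple[str, str]]:
    """Constructed client/server pairs: many LAN clients talking to a few servers."""
    return [(f"10.0.{i // 256 % 256}.{i % 256}", f"203.0.113.{i % 7 + 1}") for i in range(n)]
```

Because the decision is a pure function of the address pair and the set of live links, two appliances with the same configuration make the same choice, and an administrator can reproduce from logs why a given flow used a given connection.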
Note: This feature is supported in the following platforms: UTM-1 Edge X series, UTM-1 Edge W
series, Safe@Office 500, Safe@Office 225, and Safe@Office 425.
ADSL Configuration Assistant
Embedded NGX 7.5 ADSL appliances offer an ADSL configuration assistant. To use the ADSL Configuration Assistant, choose your country and ISP, then click OK. The appropriate VPI, VCI, and encapsulation type values for your ISP will be inserted automatically. You can still change these settings manually at a later time, if needed.
The ADSL Configuration Assistant appears in both the ADSL Setup Wizard, and in
the Internet Setup page.
For the full list of ISPs supported by the ADSL Configuration Assistant, click here.
Note: This feature is available in all appliance models with an integrated ADSL modem, including
UTM-1 Edge X/W ADSL and Safe@Office 500/500W ADSL.
ADSL IPoA Support
Embedded NGX 7.5 ADSL appliances now support the IPoA (IP over ATM)
connectivity protocol, used by certain ADSL service providers.
Bridged / Unnumbered PPPoA Support
Embedded NGX 7.5 ADSL appliances now support bridge mode for PPPoA ADSL
internet connections. This enables the Embedded NGX ADSL appliance to
connect to ISPs who use “Unnumbered” PPPoA mode.
Routing Table Report
Embedded NGX 7.5 includes a new Routing Table report, providing an easy view of the routing table currently in effect. The table shows the route's source, destination, gateway IP address, metric, and interface.
In addition, the table's Origin field displays the route's type:
• Connected Routes - Routes to networks directly connected to the
appliance.
• Static Routes - Routes to networks connected through a router.
• Dynamic Routes - Routes obtained through a dynamic routing protocol.
The same routing table information can also be obtained through the info routes
CLI command.
Note: This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.
Connect On Demand in PPPoA, PPPoE, and PPTP Modes
"Connect on Demand" is now supported in all PPP modes, including PPPoA,
PPPoE, and PPTP. In "Connect on Demand" mode, the Internet connection will
automatically connect as needed, and disconnect during network idle periods.
"Connect on Demand" continues to be supported for dialup connections, as in
previous Embedded NGX versions.
Service-Based Policy Routing
Embedded NGX 7.5 allows configuring service-based policy routing. You can use
service-based policy routes to direct all traffic matching a particular protocol and
port range to a specific Internet connection.
For example, you can choose to route all HTTP (TCP Port 80) traffic to the
secondary Internet connection, while routing all other traffic to the primary
Internet connection. To ensure continuous availability, if the secondary Internet
connection is unavailable, this rule is automatically disregarded, and the
appliance routes the traffic through the route with the next-lowest metric.
Notes:
1. In a service-based route, the source network and destination network fields cannot be
specified.
2. Stateful protocols such as passive FTP and SIP will not work as expected with service
based routes.
3. This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.
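The selection order described above (a service-based route wins when its connection is up, otherwise the ordinary routing table decides) and the passive FTP caveat in note 2 can both be shown with a small model. The following added example, not SofaWare or Check Point code, models routes as rows of the Routing Table report plus service-based routes keyed on protocol and port range; table lookup by longest prefix and then lowest metric is standard behaviour and an assumption about this appliance, and the configuration is constructed.

```python
"""Service-based policy routing with failover to the routing table (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple


@dataclass
class Route:
    """One row of the Routing Table report: destination, interface, metric, origin."""
    destination: IPv4Network
    interface: str
    metric: int
    origin: str = "Static"


@dataclass
class ServiceRoute:
    """Protocol number and inclusive port range directed to a named Internet connection."""
    protocol: int
    port_low: int
    port_high: int
    interface: str


def select_interface(dst_ip: str, protocol: int, dst_port: int,
                     service_routes: List[ServiceRoute], table: List[Route],
                     link_up: Dict[str, bool]) -> Tuple[str, str]:
    """Return (interface, reason) for one outbound packet."""
    # Service-based routes carry no source or destination network (note 1), so the
    # match is on protocol and port only; a route whose connection is down is skipped.
    for rule in service_routes:
        if (rule.protocol == protocol and rule.port_low <= dst_port <= rule.port_high
                and link_up.get(rule.interface, False)):
            return rule.interface, "service-based route"
    dst = IPv4Address(dst_ip)
    candidates = [r for r in table if dst in r.destination and link_up.get(r.interface, False)]
    if not candidates:
        raise RuntimeError(f"no usable route to {dst_ip}")
    best = min(candidates, key=lambda r: (-r.destination.prefixlen, r.metric))
    return best.interface, f"{best.origin} route, metric {best.metric}"


def passive_ftp_paths(server_ip: str, data_port: int, service_routes: List[ServiceRoute],
                      table: List[Route], link_up: Dict[str, bool]) -> Tuple[str, str]:
    """Interfaces taken by the FTP control connection (port 21) and a passive data connection."""
    control = select_interface(server_ip, 6, 21, service_routes, table, link_up)[0]
    data = select_interface(server_ip, 6, data_port, service_routes, table, link_up)[0]
    return control, data


# Constructed configuration: a LAN, a primary and a secondary Internet connection.
ROUTING_TABLE = [
    Route(IPv4Network("192.168.10.0/24"), "LAN", 0, "Connected"),
    Route(IPv4Network("0.0.0.0/0"), "primary", 10, "Static"),
    Route(IPv4Network("0.0.0.0/0"), "secondary", 20, "Static"),
]
SERVICE_ROUTES = [ServiceRoute(6, 80, 80, "secondary")]   # all HTTP via the secondary connection
LINK_STATE = {"LAN": True, "primary": True, "secondary": True}
```

The passive FTP helper makes note 2 concrete: with a service-based route for port 21 only, the control connection leaves through one connection and the server-chosen data port through the other, so the server sees two different source addresses for what it expects to be one session.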
Interface-Based Static Routes
Embedded NGX 7.5 allows specifying an Internet connection as a static route's
next hop, instead of a specific IP address.
This feature is useful in cases where the ISP's default gateway IP address is
dynamically assigned to the gateway. By specifying the Internet connection's
name (primary/secondary) in the Next Hop IP field, you can route traffic to a
specific Internet connection, without having to statically specify the ISP's default
gateway IP address.
Note: This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.
Incoming Dialup for Out-of-Band Management
Embedded NGX 7.5 supports auto-answering incoming data calls using a dialup
modem (PSTN, ISDN or cellular). By dialing into the appliance, an administrator
can remotely troubleshoot and reconfigure a device out of band, even if the
main Internet connection is inaccessible.
When incoming dialup is enabled, the gateway automatically answers incoming
data calls, and establishes a connection using PPP (Point to Point Protocol). An IP
address is assigned to the client from the OfficeMode IP pool.
To secure the device against unauthorized dialers, the session must be
authenticated with a username/password combination belonging to a known
user with Administrator credentials.
To enable Incoming Dialup, select the “Answer Incoming PPP Calls” option in the Serial Port setup page, or in the USB modem setup page.
Enhanced Cellular Modem Support
Embedded NGX 7.5 offers a list of predefined cellular modem types, removing
the need to provide a custom initialization string in most cases.
In addition, specific fields are provided for entering the Access Point Name (APN)
and Personal Identification Number (PIN) code required by a number of cellular
networks.
Note: USB-based modems (including dialup and cellular modems) are supported in the following
appliance models: Safe@Office 500W, Safe@Office 500W ADSL, Safe@Office 425W/425WU,
UTM-1 Edge X ADSL, UTM-1 Edge W, and UTM-1 Edge W ADSL. A supported external modem
with a USB interface is required.
SNMP Traps
A trap is a Simple Network Management Protocol (SNMP) notification sent from
one application to another. Embedded NGX 7.5 now supports sending the
following traps:
• Startup / Shutdown
• SNMP Authentication Failure
• Link Up / Link Down
The administrator can choose between SNMPv1, SNMPv2, and SNMP INFORM
style traps. The trap destination, community, and UDP port are also configurable.
Syslog Support in ZoneAlarm Z100G
ZoneAlarm Secure Wireless Router Z100G now includes support for sending log
messages through the Syslog protocol.
OSPF Simple Authentication
Embedded NGX 7.5 supports OSPF “Simple Authentication” mode, in addition to
the MD5 authentication mode supported in previous versions.
New Usability Features
New Look & Feel
The UTM-1 Edge and Safe@Office appliances' look & feel has been improved
with a new, sleek design.
Enhanced CLI Syntax
Command line interface (CLI) commands that are not supported by the current
hardware type and license are not displayed as options in the CLI help or as
possible command completions.
Note: The command line interface is not available in the ZoneAlarm Secure Wireless Router
Z100G.
Configurable Serial Console Port Speed
When using the appliance’s serial port in “Console” mode, it is now possible to
change the baud rate from its default speed (57600 bps).
Note: The serial console port speed feature is not applicable to ZoneAlarm Secure Wireless Router
Z100G.
Customizable Web Filtering Page
It is now possible to customize the message displayed in the “Access Denied” page. This message is used both by the category-based Web Filtering service and by the new Web rules feature. If desired, you can use HTML tags in the message.
In addition, you can force the “Access Denied” page to be displayed using secure HTTP (HTTPS), by selecting the Use HTTPS check box.
Multiple Concurrent Administrators over HTTP
It is now possible for multiple administrators to log on to the my.firewall Web
interface concurrently using the HTTP protocol. As in previous Embedded NGX
versions, multiple administrators can also log on concurrently using HTTPS.
Enhanced Behavior of VPN LED
The VPN LED is now a steady green when there are open VPN tunnels but no
VPN activity, and it blinks whenever traffic is sent or received over a VPN tunnel.