Patch-ID# 105813-01
Keywords: Upgrade, jumbo, patch, 3.0b, 3.0bp2, build 3045, 3045
Synopsis: Solstice FireWall-1 3.0b SunOS: 3.0bp2 (Build 3045) Jumbo (Des)
Date: Jan/08/98

Solaris Release:  

SunOS Release: 4.1.3

Unbundled Product: Firewall-1

Unbundled Release: 3.0

Relevant Architectures: sparc 

BugId's fixed with this patch:

Changes incorporated in this version: 

Patches accumulated and obsoleted by this patch: 

Patches which conflict with this patch: 

Patches required with this patch: 

Obsoleted by: 

Files included with this patch: 
bin/fw
bin/fwui
bin/router_load
lib/base.def
lib/code.def
lib/formats.def
lib/table.def
modules/fwmod.5.x.o

Problem Description:

This patch contains the following changes:

Corrections of various anomalies in FireWall-1 Security Servers, State 
Synchronization, Windows NT and Service Pack 3, Address Translation, GUI 
problems, INSPECT and Security properties.

WARNING: This patch is compatible with FireWall-1 version 3.0b ONLY!  Do not 
apply it on any previous version.
 

Bug Fixes:
==========
State Synchronization - several crash scenarios
   1.  FireWalls stopped synchronization after a policy load. 
   2.  FireWall-1 daemon crashed when more than 64K needed to be synchronized 
       in one chunk. 
   3.  FireWalls might get out of synchronization from time to time. 
   4.  Security Servers might stop working if running on two synchronized 
       machines. 
   5.  FireWall synchronization does not behave properly after reload of a 
       policy. 
   6.  System crashes under heavy load. 
   7.  Using synchronization with several features caused system crashes. See 
       Limitations section, below. 

SMTP Security Server
   1.  SMTP Security Server reports "Too many open files" error message. 
   2.  Long header lines logging. 
   3.  Redundant spaces in sender and recipient were not RFC-821 compliant. 
   4.  Some files were queued in the spool directory when CVP was used. 
   5.  Mail error notifications were not sent properly. 

HTTP Security Server
   1.  Crashes under load with CVP. 
   2.  Crashes when CVP Server goes down. 
   3.  HTTP Server sends a redundant drop request. 
   4.  Crashes under load if 'Block JAVA Code' is enabled. 

FTP Security Server
   1.  Crashes under load with CVP. 
   2.  When failing to connect CVP Server, client (a.ftpd) goes out of sync. 

UFP
   1.  FireWall-1 omits the query from the URL passing to UFP Server. 

Authentication
   1.  Support now provided for the SecurID New PIN Mode. 
   2.  Ability to change RADIUS port added. 

Windows NT
   1.  Service Pack 3 PPP Support. 
   2.  NT 4.0 fwntperf.dll. 
   3.  Windows NT DNS crashes. 
   4.  Windows NT Network Card of type El90x3 created incorrect Anti spoofing 
       code. 

Address Translation
   1.  UDP DST Static Address Translation. 

GUI
   1.  FwStatus - Year 2000 Compliance (FireWall-1 now fully Year 2000 
       compliant). 
   2.  *local mode now works on Motif. 
   3.  FwStatus - correct SNMP communities are now used. 
   4.  Windows and Motif GUI allowed creating Groups with illegal names 
       (INSPECT reserved words). 

INSPECT
   1.  Network Cards with / in them caused compilation errors. 
   2.  Others + Anti Spoofing specification creates wrong INSPECT code. 
   3.  Defining a network object with name 'servers' creates wrong INSPECT code. 

Encryption
   1.  SKIP and IPSec with 'Decrypt upon accept' and ICMP caused daemon crash. 

Security Properties
   1.  SNMP from external machines (like HP OpenView) will not be accepted 
       automatically but requires an explicit rule. 

Miscellaneous
   1.  URI resource URL list file was not downloaded properly to remote 
       FireWall Modules. 
   2.  Support longer INSPECT filters (up to 128K). 
   3.  'fw logexport' crashes if info field is longer than 1024 bytes. 


Limitations and known bugs:
===========================
   1.  The patch does not support State Synchronization of the following 
       features (but can still be used with synchronized modules):
          Network Address Translation. 
          Encryption (VPN and SecuRemote). 
          Accounting. 
          Security Servers (Authentication and Content Security). 
          Load Balancing (Logical Servers). 

   2.  The patch is incompatible with the following embedded systems:
          Xylan switches running FireWall-1. 
          Bay routers running FireWall-1. 
       (Please note that Bay routers running Access List are not considered 
       embedded systems, and as such, they will run properly with this patch).
     
       This implies that in order to control these embedded systems, a user 
       must keep the old Management station, rather than apply the patch.  A 
       user with a combined environment, who needs the latest bug fixes that 
       are incorporated into this patch, must keep two separate Management 
       stations; the old one for usage with his embedded systems, and the new 
       one for all other systems.

   3.  User Authentication done by PASV FTP via Netscape 3.0, 4.0 browsers 
       does not work (for instance, trying to issue: 
           ftp://username:passwd@workstation.checkpoint.com). 


Installation Issues:
====================
   1.  To upgrade a FireWall-1 Module, you must upgrade all components - 
       kernel and fw. 
   2.  To use State Synchronization, you must upgrade both the Management 
       station and FireWall Module, and edit table.def by deleting line 20 
       ("#define sync"). In this case the patch should be applied to all 
       FireWall-1 modules in the enterprise. 
   3.  To upgrade a Management server, upgrade both fw and the GUI. 
   4.  For Windows NT, the setup.exe will install both the GUI and the Module 
       (it automatically determines if it is necessary).
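
Step 2 above removes a line from table.def by number. As an added example (not
part of the patch or of FireWall-1), the sh function below confirms that line 20
really is "#define sync" before deleting it and keeps a backup; the function
name and the .orig backup suffix are assumptions.

```shell
#!/bin/sh
# Added example, not shipped with the patch.
# remove_sync_define FILE
#   FILE is the path to the installed lib/table.def.
#   returns 0  line 20 was "#define sync" and was removed (backup: FILE.orig)
#   returns 1  line 20 holds something else; FILE is left untouched
#   returns 2  usage error, I/O error, or a FILE.orig backup already exists
remove_sync_define() {
    file=$1
    if [ -z "$file" ] || [ ! -f "$file" ]; then
        echo "usage: remove_sync_define /path/to/lib/table.def" >&2
        return 2
    fi
    # An existing backup suggests the edit was already made; do not delete
    # whatever has since become line 20.
    if [ -f "$file.orig" ]; then
        echo "$file.orig already exists; was line 20 already removed?" >&2
        return 2
    fi
    # Normalise tabs and repeated blanks so "#define   sync " still matches.
    line20=`sed -n '20p' "$file" | tr '\t' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'`
    if [ "$line20" != "#define sync" ]; then
        echo "line 20 of $file is not \"#define sync\": $line20" >&2
        return 1
    fi
    cp -p "$file" "$file.orig" || return 2
    # Rewrite in place from the backup so ownership and mode are preserved.
    sed '20d' "$file.orig" > "$file" || return 2
    echo "removed line 20 from $file (backup: $file.orig)"
}

# Run directly with the path as the only argument.
if [ "$#" -gt 0 ]; then
    remove_sync_define "$1"
fi
```

A return code of 1 means the file on disk does not match the layout this README
describes and should be inspected by hand before any edit is made.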


Patch Installation Instructions: 
-------------------------------- 

(1) Copy the patch file onto the Intel platform machine.

(2) Execute the fwinstallpatch script.

