Stonesoft Next Generation Firewall Release Notes

Stonesoft Next Generation Firewall
Release Notes
Version 6.1.2, Revision B
Stonesoft Next Generation Firewall 6.1.2 | Release Notes
Contents
• About this release
• Lifecycle model
• System requirements
• Build version
• Compatibility
• New features
• Enhancements
• Resolved issues
• Installation instructions
• Known issues
• Find product documentation
About this release
This document contains important information about this release of Stonesoft Next Generation Firewall (Stonesoft
NGFW), formerly known as McAfee® Next Generation Firewall. We strongly recommend that you read the entire
document.
Lifecycle model
This release of Stonesoft NGFW is a Feature Stream (FS) version.
Support for Feature Stream versions is discontinued when a new major version of Stonesoft NGFW is available.
We recommend using the most recent Long-Term Support (LTS) version if you do not need any features from a
later Feature Stream version.
For more information about the Stonesoft NGFW lifecycle policy, see Knowledge Base article 10192.
System requirements
Make sure that you meet these basic hardware and software requirements.
Stonesoft NGFW appliances
We strongly recommend using a pre-installed Stonesoft NGFW appliance as the hardware solution for new
Stonesoft NGFW installations.
Note: Some features in this release are not available for all appliance models. See Knowledge
Base article 9743 for up-to-date appliance-specific software compatibility information.
Two Stonesoft NGFW engine images are available:
• x86-64 — A 64-bit image that includes the Local Manager.
• x86-64-small — A 64-bit image that does not include the Local Manager.
Note: If you do not use the Local Manager, we recommend that you use the x86-64-small image.
Some appliance models support only the x86-64-small image.
The following table shows whether you can use an appliance model in the Firewall/VPN (FW), IPS, or Layer 2
Firewall (L2FW) role, and the image that is supported.
Appliance model | Roles | Images
FW-315 | FW | Only the image without the Local Manager (x86-64-small)
320X (MIL-320) | FW | Both images
IPS-1205 | IPS, L2FW | Both images
FWL321 | FW | Only the image without the Local Manager (x86-64-small)
NGF321 | FW, IPS, L2FW | Both images
FWL325 | FW | Only the image without the Local Manager (x86-64-small)
NGF325 | FW, IPS, L2FW | Both images
110 | FW | Only the image without the Local Manager (x86-64-small)
115 | FW | Only the image without the Local Manager (x86-64-small)
1035 | FW, IPS, L2FW | Both images
1065 | FW, IPS, L2FW | Both images
1301 | FW, IPS, L2FW | Both images
1302 | FW, IPS, L2FW | Both images
1401 | FW, IPS, L2FW | Both images
1402 | FW, IPS, L2FW | Both images
3201 | FW, IPS, L2FW | Both images
3202 | FW, IPS, L2FW | Both images
3205 | FW, IPS, L2FW | Both images
3206 | FW, IPS, L2FW | Both images
3207 | FW, IPS, L2FW | Both images
3301 | FW, IPS, L2FW | Both images
3305 | FW, IPS, L2FW | Both images
5201 | FW, IPS, L2FW | Both images
5205 | FW, IPS, L2FW | Both images
5206 | FW, IPS, L2FW | Both images
Sidewinder S-series appliances
These Sidewinder appliance models can be re-imaged to run Stonesoft NGFW software.
Appliance model | Roles | Images
S-1104 | FW | Both images
S-2008 | FW | Both images
S-3008 | FW | Both images
S-4016 | FW | Both images
S-5032 | FW | Both images
S-6032 | FW | Both images
Certified Intel platforms
We have certified specific Intel-based platforms for Stonesoft NGFW.
The tested platforms can be found at https://support.forcepoint.com under the Stonesoft Next Generation Firewall
product.
We strongly recommend using certified hardware or a pre-installed Stonesoft NGFW appliance as the hardware
solution for new Stonesoft NGFW installations. If it is not possible to use a certified platform, Stonesoft NGFW
can also run on standard Intel-based hardware that fulfills the hardware requirements.
Basic hardware requirements
You can install Stonesoft NGFW on standard hardware with these basic requirements.
• (Recommended for new deployments) Intel® Xeon®-based hardware from the E5-16xx product family or higher
  Note: Legacy deployments with Intel® Core™2 are supported.
• IDE hard disk and CD drive
  Note: IDE RAID controllers are not supported.
• Memory:
  • 4 GB RAM minimum for x86-64-small installation
  • 8 GB RAM minimum for x86-64 installation
• VGA-compatible display and keyboard
• One or more certified network interfaces for the Firewall/VPN role
• Two or more certified network interfaces for IPS with IDS configuration
• Three or more certified network interfaces for Inline IPS or Layer 2 Firewall
For information about certified network interfaces, see Knowledge Base article 9721.
Master Engine requirements
Master Engines have specific hardware requirements.
• Each Master Engine must run on a separate physical device. For more details, see the Stonesoft Next
  Generation Firewall Installation Guide.
• All Virtual Security Engines hosted by a Master Engine or Master Engine cluster must have the same role and
  the same Failure Mode (fail-open or fail-close).
• Master Engines can allocate VLANs or interfaces to Virtual Security Engines. If the Failure Mode of the Virtual
  IPS engines or Virtual Layer 2 Firewalls is Normal (fail-close) and you want to allocate VLANs to several
  engines, you must use the Master Engine cluster in standby mode.
• Cabling requirements for Master Engine clusters that host Virtual IPS engines or Layer 2 Firewalls:
  • Failure Mode Bypass (fail-open) requires IPS serial cluster cabling.
  • Failure Mode Normal (fail-close) requires Layer 2 Firewall cluster cabling.
For more information about cabling, see the Stonesoft Next Generation Firewall Installation Guide.
Virtual appliance node requirements
You can install Stonesoft NGFW on virtual appliances with these hardware requirements. Also be aware of some
limitations.
• (Recommended for new deployments) Intel® Xeon®-based hardware from the E5-16xx product family or higher
  Note: Legacy deployments with Intel® Core™2 are supported.
• One of the following hypervisors:
  • VMware ESXi 5.5 and 6.0
  • KVM (KVM is tested as shipped with Red Hat Enterprise Linux Server 7.1 and 7.2)
• 8 GB virtual disk
• 4 GB RAM minimum
• A minimum of one virtual network interface for the Firewall/VPN role, three for IPS or Layer 2 Firewall roles
When Stonesoft NGFW is run as a virtual appliance node in the Firewall/VPN role, these limitations apply:
• Only Packet Dispatching CVI mode is supported.
• Only standby clustering mode is supported.
• Heartbeat requires a dedicated non-VLAN-tagged interface.
When Stonesoft NGFW is run as a virtual appliance node in the IPS or Layer 2 Firewall role, clustering is not
supported.
Build version
Stonesoft Next Generation Firewall 6.1.2 build version is 17037.
Product binary checksums
Use the checksums to make sure that the installation files downloaded correctly.
• sg_engine_6.1.2.17037_x86-64.iso
  SHA1SUM:   4d1ea0fdcf756071f395b8a23460bff9a93caeb5
  SHA256SUM: 378fe2e299671a818902387742101d1f2cb468b33a99a4d84b22dffd7e60276a
  SHA512SUM: 37385842ab0aa4facf87afe8a61022dd216268fce724d7746e8b1b5d64df0b4a1e98437ac69fceb9ba3f33564de979befb09c457c9d3f98c04956ecc0604a939
• sg_engine_6.1.2.17037_x86-64.zip
  SHA1SUM:   74ae10bcaf2b6c107df9d30341e5846ac1e87dc5
  SHA256SUM: 46cd1e2abf0af068e42df1325bed42f406132eb52c49868ee01b068f239f1472
  SHA512SUM: 981b42d1dd1835bf35d5c4d629cdadd8996f6ca7bbdbdde1bfaaf4d8d4809731fc8f90ecdf0e2e12f8fa94768c823cb9ef98e204f7fcbaa2d7130463b743b49e
• sg_engine_6.1.2.17037_x86-64-small.iso
  SHA1SUM:   b298584946b8afee5cb4851f1b3e8c9a5da49fa5
  SHA256SUM: 2dc25e237eb5f18ae6b63349267702798dc8633a5bb66811bc6f784c96160997
  SHA512SUM: c11a407ee20b398fdb76cae15e13d6da3ff78db6e0e7286bc20b4a641d58b9b377c7cf6b945c135c2b7e341311f0e160ec7d8b10b54a9fc3c4e1e847f85bf648
• sg_engine_6.1.2.17037_x86-64-small.zip
  SHA1SUM:   cf11a38ca3626ed98e7992d2b4bc8a9a869f049d
  SHA256SUM: deefd4b6d07eacf95e7b697871a0e9a9bceee6526603b74a60f0dd63ee9dac20
  SHA512SUM: 0050a7eb2cae5a417552ac5b90b6a0a0e6502c8f4e3b02f2a60d38d5cb10b8edc1ae57829f17766e7e014c4c5211b179848d0a88a86e9efd3e9303e29726d27c
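Checking the published digests in practice, as an added example that is not part of the release notes: the POSIX shell script below computes the SHA-256 of a downloaded file and compares it with the expected value, and writes the four SHA-256 values published above into the list format that `sha256sum -c` reads, so a whole download directory can be checked at once. The function names (`sha256_of`, `verify_sha256`, `write_published_sums`, `demo`) are my own; the self-test runs on a constructed five-byte file, not on the engine images.

```shell
#!/bin/sh
# Added example, not part of the release notes: verify a downloaded engine
# image against the SHA-256 checksums published in the Build version section
# before installing it. A mismatch means the download is corrupt or has been
# altered in transit; do not install from such a file.

# Print the SHA-256 digest of a file. Uses GNU coreutils sha256sum where
# available and falls back to shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Exit status 0 on match, 1 on mismatch, 2 if the file is missing.
# The expected digest is lower-cased so a value pasted in upper case still matches.
verify_sha256() {
    vs_file="$1"
    vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$vs_file" ]; then
        echo "MISSING  $vs_file" >&2
        return 2
    fi
    vs_actual=$(sha256_of "$vs_file")
    if [ "$vs_actual" = "$vs_expected" ]; then
        echo "OK       $vs_file"
        return 0
    fi
    echo "MISMATCH $vs_file" >&2
    echo "  expected: $vs_expected" >&2
    echo "  actual:   $vs_actual" >&2
    return 1
}

# Write the published SHA-256 values for the four 6.1.2 images (copied from
# the release notes) in the two-space format that 'sha256sum -c' expects, so a
# download directory can be checked with:  sha256sum -c SHA256SUMS
write_published_sums() {
    cat > "$1" <<'EOF'
378fe2e299671a818902387742101d1f2cb468b33a99a4d84b22dffd7e60276a  sg_engine_6.1.2.17037_x86-64.iso
46cd1e2abf0af068e42df1325bed42f406132eb52c49868ee01b068f239f1472  sg_engine_6.1.2.17037_x86-64.zip
2dc25e237eb5f18ae6b63349267702798dc8633a5bb66811bc6f784c96160997  sg_engine_6.1.2.17037_x86-64-small.iso
deefd4b6d07eacf95e7b697871a0e9a9bceee6526603b74a60f0dd63ee9dac20  sg_engine_6.1.2.17037_x86-64-small.zip
EOF
}

# Demonstration on a constructed file (the real images are not embedded here):
# a five-byte file containing "hello" has the well-known SHA-256 digest below.
# For a real download you would run, for example:
#   verify_sha256 sg_engine_6.1.2.17037_x86-64.iso 378fe2e299671a818902387742101d1f2cb468b33a99a4d84b22dffd7e60276a
demo() {
    d_tmp=$(mktemp)
    printf 'hello' > "$d_tmp"
    verify_sha256 "$d_tmp" 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    d_rc=$?
    rm -f "$d_tmp"
    return $d_rc
}

demo
```

The comparison is done on the lower-cased hex string, so it does not matter whether the value was copied from this document or typed in upper case; a missing file is reported separately from a mismatch so that a scripted check cannot silently pass on an absent image.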
Compatibility
Stonesoft NGFW 6.1 is compatible with the following component versions.
• Stonesoft® Management Center (SMC) 6.1 or later
• Dynamic Update 810 or later
• Stonesoft® VPN Client for Windows 6.0.0 or later
• Stonesoft® VPN Client for Mac OS X 2.0.0 or later
• Stonesoft® VPN Client for Android 2.0.0 or later
• Server Pool Monitoring Agent 4.0.0 or later
• McAfee® Logon Collector 2.2 and 3.0
• McAfee® Advanced Threat Defense 3.6
• McAfee® Endpoint Intelligence Agent (McAfee EIA) 2.5
New features
This release of the product includes these new features. For more information and configuration instructions, see
the Stonesoft Next Generation Firewall Product Guide and the Stonesoft Next Generation Firewall Installation
Guide.
Geo-protection and IP address categorization
You can now configure geo-protection to allow or block traffic. There are predefined Country elements that
represent IP addresses registered in specific countries. You can use Country elements to filter traffic in Access
rules based on the source or destination country, or entire continents. They can also be used in NAT rules,
Inspection rules, and File Filtering rules.
You can use predefined IP address lists to control access to known good or bad IP addresses. You can either
use the predefined IP address lists or create new IP address lists. You can also import IP address lists through
the SMC API to the SMC. For more information, see the Stonesoft SMC API Reference Guide.
Integration of Sidewinder Proxies
On Sidewinder firewalls, proxies provide high assurance protocol validation. On Stonesoft NGFW, Sidewinder
Proxies enable some of the proxy features that are available on Sidewinder. In Stonesoft NGFW version 6.1, the
following Sidewinder Proxies are supported: HTTP, SSH, TCP, and UDP.
You can use Sidewinder Proxies on Stonesoft NGFW to enforce protocol validation and to restrict the
allowed parameters for each protocol. Sidewinder Proxies are primarily intended for users in high assurance
environments, such as government or financial institutions. In environments that limit access to external networks
or access between networks with different security requirements, you can use Sidewinder Proxies for data loss
protection.
Changes in category-based URL filtering
Category-based web filtering now uses URL categories provided by Forcepoint™ ThreatSeeker® Intelligence
Cloud. There are new types of elements for configuring URL filtering:
• URL Category elements are Network Application elements that represent the categories for category-based
  URL filtering.
• URL Category Group elements contain several related URL Categories.
• URL List elements are Network Application elements that allow you to manually define lists of URLs that you
  want to allow or block.
The way that category-based URL filtering is applied to traffic has changed. You can now use URL Categories,
URL Category Groups, and URL Lists in the Service cell of Access rules to configure URL filtering. It is no longer
possible to configure URL filtering using Situation elements in the Inspection Policy.
Note: These changes affect all existing users of category-based URL filtering. Legacy URL
Situation elements can no longer be used in policies for Stonesoft NGFW version 6.1 or higher.
If rules in your policy contain legacy URL Situation elements, you must replace them with URL
Category elements.
Browser-based wizard for configuring NGFW appliances
As an alternative to using the command-line version of the NGFW Initial Configuration Wizard (sg-reconfigure) to
configure an NGFW appliance, you can now use an initial configuration wizard in a web browser.
Redirection of web traffic to TRITON AP-WEB Cloud
TRITON® AP-WEB Cloud is a cloud-based web security proxy service. Stonesoft NGFW can now redirect web
traffic to the TRITON® AP-WEB Cloud for inspection. Stonesoft NGFW redirects web traffic to the TRITON
AP-WEB Cloud using a predefined policy-based VPN. The traffic is inspected in the TRITON AP-WEB Cloud and
transparently forwarded to the destination.
Note: To use TRITON AP-WEB Cloud to inspect web traffic, you must have a subscription to the
TRITON AP-WEB Cloud service.
In addition to an IPv4 or IPv6 address, you can now use a fully qualified domain name (FQDN) as a dynamic
contact address of an external VPN gateway. Connecting through a VPN to a dynamic FQDN endpoint allows
TRITON AP-WEB Cloud to offer addresses from the geographically closest service point.
The TRITON AP-WEB Cloud service requires the endpoint to use a MAC address as a unique identifier. You
can now define VPN-specific exceptions to the IKE Phase-1 ID for endpoints on VPN Gateways. Exceptions are
useful in cases where an external VPN gateway requires specific information in the IKE phase-1 value.
For more information and configuration instructions, see Knowledge Base article 10582.
Enhancements
This release of the product includes these enhancements.
Enhancements in Stonesoft NGFW version 6.1.0
Enhancement | Description
Simplified service configuration and customization improvements in SSL VPN Portal | You can now allow access to intranet services in the SSL VPN Portal with a freeform URL. It is no longer necessary to configure each SSL VPN Portal service separately. End users can access the services by typing the URL directly in the SSL VPN Portal. You can now also modify the look-and-feel of the SSL VPN Portal and create a custom theme with company colors and logos for the SSL VPN Portal in the Management Client.
Fully qualified domain names as contact addresses in external VPN gateways | In addition to an IPv4 or IPv6 address, you can now use a fully qualified domain name (FQDN) as a dynamic contact address of an external VPN gateway.
VPN-specific exceptions for IKE Phase-1 ID | You can now define VPN-specific exceptions to the IKE Phase-1 ID for endpoints on VPN Gateways. Exceptions are useful in cases where an external VPN gateway requires specific information in the IKE phase-1 value.
Improved throughput for anti-malware inspection | The throughput of anti-malware inspection has been significantly improved.
Improved scaling of inspection for Virtual Security Engines | Inspection now scales up better with multiple Virtual Security Engines.
Improved TCP handling in the inspection module | TCP protocol handling in the inspection module has been enhanced for performance and compatibility.
Support for Tunnel Interfaces and unnumbered interfaces for OSPF | Support for Tunnel Interfaces and unnumbered interfaces for OSPF has been added.
Enhanced botnet detection | Botnet detection has been enhanced.
SSH server key fingerprints shown on engine console when the engine starts up | If SSH is enabled, SSH server key fingerprints are shown on the local console when the NGFW engine starts up.
Enhancements in Stonesoft NGFW version 6.1.1
Enhancement | Description
Improved logging for File Filtering | Logging for File Filtering has been improved significantly. For example, all File Filtering Situations are now logged under File Filtering in the Facility column of the Logs view.
Improved evasion detection for HTTP traffic | Deep inspection is now better able to detect evasions in HTTP traffic.
Optimized policy refresh for Virtual Security Engines | Refreshing a policy that includes inspection for a large number of Virtual Security Engines is now faster.
Enhancements in Stonesoft NGFW version 6.1.2
Enhancement | Description
Improved TLS inspection | The performance of TLS inspection on larger NGFW appliances has been improved.
Resolved issues
These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the
Release Notes for the specific release.
Description | Role | Issue number
User information provided by McAfee Endpoint Intelligence Agent (EIA) overrides user information from user authentication, such as authentication using the Stonesoft VPN Client or Browser-Based User Authentication. | FW | NGFW-352
When you select ANY in the Service (Port) cell of a Service Definition, the inspection process might restart when some types of traffic are inspected. | FW, IPS, L2FW | NGFW-1854
If SYN flood protection is configured and source translation NAT is applied to the connection, reset packets are not correctly sent to the server when a TCP connection times out. | FW | NGFW-2264
On engines that have a large number of Physical Interfaces or VLAN Interfaces, Aggregated Link Interfaces might not work correctly. | FW | NGFW-2340
If DHCP requests or replies contain too much group information, the DHCP relay service cannot handle the request. The DHCP relay service stops working. | FW | NGFW-2387
The engine might restart when VoIP connections are processed using the SIP Protocol Agent. | FW, IPS, L2FW | NGFW-2509
DHCP relay might stop working when you modify an interface that has DHCP relay enabled. | FW | NGFW-2675
When users access websites through a proxy, URL categorization does not work. | FW, IPS, L2FW | NGFW-2721
Policy installation might fail when anti-spam is configured for the engine. | FW | NGFW-2773
On some larger NGFW appliance models, the inspection process might use too much memory. This issue can cause latency and load peaks. | FW, IPS, L2FW | NGFW-2793
HTTPS websites may get incorrect additional URL categories returned when web filtering is based on SNI. | FW, IPS, L2FW | NGFW-3010
If IPv6 NAT is configured for a firewall node, the node does not respond to neighbor solicitation messages after the node reboots, or after there is a state change in the cluster. | FW | NGFW-3049
The OpenSSL library has been updated to address CVE-2016-7056, CVE-2016-8610, and CVE-2017-3731. There are no known attack vectors for these vulnerabilities in Stonesoft Next Generation Firewall (Stonesoft NGFW). | FW, IPS, L2FW | NGFW-3315
Installation instructions
Use these high-level steps to install SMC and the Stonesoft NGFW engines.
For detailed information, see the Stonesoft Next Generation Firewall Installation Guide. All guides are available
for download at https://support.forcepoint.com.
Note: The sgadmin user is reserved for SMC use on Linux, so it must not exist before SMC is
installed for the first time.
Steps
1) Install the Management Server, the Log Servers, and optionally the Web Portal Servers.
2) Import the licenses for all components.
   You can generate licenses at https://stonesoftlicenses.forcepoint.com.
3) Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the
   Configuration view.
4) To generate initial configurations for the engines, right-click each Firewall, IPS, or Layer 2 Firewall element,
   then select Configuration > Save Initial Configuration.
   Make a note of the one-time password.
5) Make the initial connection from the engines to the Management Server, then enter the one-time password.
6) Create and upload a policy on the engines using the Management Client.
Upgrade instructions
Take the following into consideration before upgrading licenses, engines, and clusters.
• Upgrading to version 6.1 is only supported from version 5.10 or later. If you have an earlier version, first
  upgrade to version 5.10.
• Stonesoft NGFW version 6.1 requires an updated license. The license upgrade can be requested at
  https://stonesoftlicenses.forcepoint.com. Install the new license using the Management Client before
  upgrading the software. If communication between the SMC and the license server is enabled and the
  maintenance contract is valid, the license is updated automatically.
• To upgrade the engine, use the remote upgrade feature or reboot from the installation CD and follow the
  instructions. For detailed instructions, see the Stonesoft Next Generation Firewall Installation Guide.
• Changes to category-based URL filtering in Forcepoint NGFW version 6.1 affect all existing users of
  category-based URL filtering. Legacy URL Situation elements can no longer be used in policies for Forcepoint
  NGFW version 6.1 or later. If rules in your policy contain legacy URL Situation elements, you must replace
  them with URL Category elements. See the Forcepoint Next Generation Firewall Product Guide for detailed
  instructions.
• The way that routes defined in the Management Client are handled by Quagga has changed. In Forcepoint
  NGFW version 6.0 and earlier, static routes that you defined in the Management Client were considered
  kernel routes in Quagga. When redistributing these to dynamic routing protocols, you could use the
  "redistribute kernel" command.
  Starting from Forcepoint NGFW version 6.1.0, static routes that you define in the Management Client are
  considered static routes in Quagga. This change affects, for example, redistributing routes that you define in
  the Management Client to the dynamic routing protocols. Configuring static routes using vtysh in Quagga is no
  longer supported. Use the Management Client to configure static routing.
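Illustrating the Quagga change described in the last item above, as an added example that is not part of the release notes: the two OSPF fragments below show the redistribution statement an administrator would have used before the upgrade and the one that matches how Management Client routes are classified from version 6.1.0 onwards. The release notes name only the old "redistribute kernel" command; that "redistribute static" is the corresponding statement for routes Quagga now treats as static is my assumption, and the router ID, network, and area are placeholder values.

```text
! Forcepoint NGFW 6.0 and earlier: routes defined in the Management Client
! appeared to Quagga as kernel routes, so they were redistributed with:
router ospf
 ospf router-id 192.0.2.1
 network 192.0.2.0/24 area 0
 redistribute kernel

! NGFW 6.1.0 and later: the same Management Client routes appear to Quagga as
! static routes. Assumed replacement statement (not stated in the release notes):
router ospf
 ospf router-id 192.0.2.1
 network 192.0.2.0/24 area 0
 redistribute static
```

Before upgrading, review the dynamic routing configuration for every "redistribute kernel" line, since after the upgrade it no longer matches the Management Client routes and those routes silently stop being advertised; also move any static routes that were entered through vtysh into the Management Client, because the release notes state that vtysh-defined static routes are no longer supported.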
Known issues
For a list of known issues in this product release, see Knowledge Base article 10571.
Known limitations
This release of the product includes these known limitations.
Limitation | Description
Inspection in asymmetrically routed networks | In asymmetrically routed networks, using the stream-modifying features (TLS Inspection, URL filtering, and file filtering) can make connections stall.
Inline Interface disconnect mode in the IPS role | The disconnect mode for Inline Interfaces is not supported on IPS virtual appliances, IPS software installations, IPS appliance models other than IPS-6xxx, or modular appliance models that have bypass interface modules.
For information about feature-specific limitations, see the Stonesoft Next Generation Firewall Product Guide.
Find product documentation
On the Forcepoint support website, you can find information about a released product, including product
documentation, technical articles, and more.
You can get additional information and support for your product on the Forcepoint support website at
https://support.forcepoint.com. There, you can access product documentation, Knowledge Base articles,
downloads, cases, and contact information.
Product documentation
Every Forcepoint product has a comprehensive set of documentation.
• Stonesoft Next Generation Firewall Product Guide
• Stonesoft Next Generation Firewall online Help
  Note: By default, the online Help is used from the Forcepoint help server. If you want to use
  the online Help from a local machine (for example, an intranet server or your own computer),
  see Knowledge Base article 10097.
• Stonesoft Next Generation Firewall Installation Guide
Other available documents include:
• Stonesoft Next Generation Firewall Hardware Guide for your model
• Stonesoft Next Generation Firewall Quick Start Guide
• Stonesoft SMC API Reference Guide
• Stonesoft VPN Client User Guide for Windows or Mac
• Stonesoft VPN Client Product Guide
© 2017 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
Raytheon is a registered trademark of Raytheon Company.
All other trademarks used in this document are the property of their respective owners.