Symantec Enterprise Firewall 8.0 Release Notes
Question/Issue:
Release Notes for Symantec Enterprise Firewall 8.0
Solution:
The Symantec Enterprise Firewall v8.0 is a comprehensive network security software product that integrates a full application-inspection firewall, VPN, content filtering, antispam, and high availability/load balancing components to protect networks at the gateway to the Internet or subnets of larger WANs and LANs.
This document contains the following information about the Symantec Enterprise Firewall:
- What's new in this release
- System requirements
- Hotfixes
- Documentation
- Installing Symantec Enterprise Firewall
- Technical Support
- Issues and limitations
- SRMC (Symantec Raptor Management Console)-to-SGMI (Security Gateway Management Interface) transition
Before installing the product, read this document in its entirety. It contains important information about the Symantec Enterprise Firewall functionality. Refer to the Symantec Technical Support Web site (www.symantec.com/techsupp) for the latest release notes, as well as recommended hotfixes and updates for this product. You can use Microsoft Internet Explorer version 6 or later or Netscape version 7 or later to manage your Symantec Enterprise Firewall through the SGMI.
What's new in this release
The Symantec Enterprise Firewall includes the following new or enhanced features:
- Enterprise-wide scalable management
- Enterprise-wide event management
- LiveUpdate for Content Filtering
- High Availability/Load Balancing with stateful failover
- Security enhancements
- Improved network address translation (NAT) with UDP encapsulation
- Flexible licensing
- Security Gateway Management Interface
Enterprise-wide scalable management
Symantec Advanced Manager for Security Gateways (Group 1) v2.0.1 or Symantec Event Manager for Security Gateways (Group 1) v2.0.1 plugs into the SESA (Symantec Enterprise Security Architecture) console and provides a common framework that lets you integrate and manage multiple Symantec enterprise security and select third-party products (by way of a separately purchased event collector) from a single, centralized location. Symantec Advanced Manager through SESA lets you manage both policies and location settings of connected security gateways, in addition to collecting events from those systems. SESA management provides many features important to centralized and scalable management, including:
- Logical grouping of security gateways into organizational units
- Management of multiple configurations
- Sharing of configurations across security gateways
- Validation of multiple configurations in a single action
Enterprise-wide event management
Symantec Event Manager for Security Gateways (Group 1) v2.0.1 or Symantec Advanced Manager for Security Gateways (Group 1) v2.0.1 is a software security solution that provides centralized logging, alerting, and reporting across Symantec's security gateway protection solutions and select third-party products (by way of a separately purchased event collector).
LiveUpdate for content filtering
The Symantec Enterprise Firewall incorporates Symantec LiveUpdate technology to keep your content filtering subscription (purchased separately) up to date. The LiveUpdate technology can now retrieve a categorized URL database used with content filtering.
HA/LB with stateful failover
The clustering capabilities now support VPN failover and load balancing, stateful failover for common TCP-based protocols on a per-rule basis, ping monitoring, cluster monitoring, and hot standby mode. You must have a separate license to enable the HA/LB features.
Security enhancements
The Symantec Enterprise Firewall incorporates the following improvements to the current application proxies:
- The FTP proxy can now block FTP connections based on the length of user names and passwords. The default is 32 characters, with a maximum of 256 characters. This feature provides protection against buffer overflow attacks.
- The FTP, HTTP, SMTP, and Telnet proxies now support changing the default banner to minimize the risk of identifying the presence of the Symantec Enterprise Firewall or related products.
- By default, the ping proxy now blocks network pings against the security gateway's outside interfaces.
- The HTTP proxy supports additional Web Distributed Authoring and Versioning (WebDAV) commands. WebDAV extensions define a means of searching the Web using title, author, and key words. RFC-2518 defines WebDAV using both HTML and XML for communication between client and server.
- The port control mechanism supports registration at the port and interface level. If scanned with any port scanning tool, the security gateway will not listen or respond to any service requests not specifically allowed.
Improved network address translation (NAT) with UDP encapsulation
To alleviate problems caused by intermediate NAT devices, the Symantec Enterprise Firewall now supports UDP encapsulation with Symantec Client VPN V8.0. All intermediate source address translations have no effect when the packet reaches its endpoint.
Flexible licensing
With this release, Symantec introduces a new licensing method. The new licensing mechanism provides a higher degree of flexibility in ordering product features and attributes that meet customer needs. For detailed information on licensing, refer to the Symantec Enterprise Firewall Installation Guide.
Security Gateway Management Interface
The Security Gateway Management Interface (SGMI) is a platform-independent, Java-based management system that replaces the Symantec Raptor Management Console (SRMC). The Security Gateway Management Interface is accessed through your Web browser over an encrypted channel connected to the Symantec Enterprise Firewall. This approach lets an administrator manage a Symantec Enterprise Firewall from any operating system with a supported Web browser, and provides a common look and feel regardless of the machine used to administer it. These Release Notes contain a section that outlines the transition from the old SRMC to the new SGMI user interface.
System requirements
Microsoft Windows requirements
The following are the hardware and software requirements for Windows systems:
- Windows 2000 (Server or Advanced Server) with SP4, or Windows Server 2003 Standard Edition (English versions)
- Intel Pentium III 600 MHz (multiple-processor systems up to four CPUs are supported)
- 512 MB memory/512 MB pagefile (1 GB memory/1 GB pagefile for more than 200 users)
- 10 GB hard disk space (15 GB for more than 200 users)
- The following network interface cards are supported in an HA/LB environment:
- SysKonnect Gigabit SK-9821 v2.0
- 3Com EtherLink Server NICs (3C980/3C980B/3C980C)
- Intel PRO/100S and PRO/100+ Family of Fast Ethernet Desktop and Server Adapters
- Intel PRO/1000 Family of Gigabit Desktop and Server Adapters
- Broadcom NetExtreme BCM5700 Gigabit Ethernet Adapter
- Adaptec DuraLAN Fast Ethernet Quartet 66 (ANA-64044) and Quartet 64 (ANA-62044) quad-port NICs
Note: For Windows security gateways, v8.0 is supported on Ethernet, Fast Ethernet, Gigabit Ethernet, and Fiber Ethernet NICs. For updates and the most current driver recommendations, refer to www.symantec.com/techsupp/enterprise/select_product_kb.html. Enter Document ID 2003112019183954 and click Go.
Sun Solaris requirements
The following are the hardware and software requirements for Solaris systems:
- Solaris 8 32 or 64-bit operation is supported on Sun Microsystems SBUS and PCI architecture workstations and servers based on UltraSPARC II and UltraSPARC IIi processors
- Solaris 9 64-bit operation is supported on Sun Microsystems SBUS and PCI architecture workstations and servers based on UltraSPARC II, UltraSPARC IIi, UltraSPARC IIe, UltraSPARC III, UltraSPARC III Cu, and UltraSPARC III+ processors
- 512 MB memory/512 MB swap space (1 GB memory/1 GB swap space for more than 200 users)
- 10 GB hard drive space (15 GB for more than 200 users)
- Supported datalink drivers include Sun's be, bge, ce, eri, ge, hme (Ethernet and Fast Ethernet), nf, qe, qfe, and tr, Znyx's znb, SysKonnect's skge, and Fore's fore_atm (in LAN emulation and CLIP mode).
- The following datalink drivers are supported in an HA/LB environment:
- SysKonnect Gigabit Ethernet SK-9821 v2.0, driver version 6.08+
- Onboard Broadcom Gigabit Ethernet Interface using the bge driver
- Sun Fast Ethernet and Sun Swift using the hme or eri driver
- Sun Quad Fast Ethernet using the qfe driver
- Sun Gigabit Ethernet using the ge driver
- Sun GigaSwift Ethernet using the ce driver
Browser/JRE requirements
The following are the browser and Java Runtime Environment (JRE) requirements for the management machine:
- Windows with Internet Explorer version 6 or later and JRE 1.3.1_04 or later
- Windows with Netscape version 7 or later and JRE 1.3.1_04 or later
- Solaris with Netscape version 7 or later and JRE 1.4.2 or later
Symantec Client VPN requirements
For Symantec Client VPN requirements, refer to the Symantec Client VPN Release Notes.
Hotfixes
Periodically, Symantec issues hotfixes to improve the performance of the security gateway. Visit Symantec's Web site at www.symantec.com/techsupp for a list of currently available hotfixes. To install a hotfix or view a list of installed hotfixes, select Hotfix on the Action menu.
Documentation
The Symantec Enterprise Firewall documentation set includes the following:
- Symantec Enterprise Firewall Administrator's Guide
- Symantec Enterprise Firewall Installation Guide
- Symantec Security Gateways Reference Guide
- Symantec Enterprise Firewall Release Notes (this document)
- Symantec Client VPN User's Guide
- Symantec Client VPN Quick Start Card
- Symantec Client VPN Release Notes
- License Organizer
Note: These documents are provided in PDF format on the product CD-ROM. You can read these documents using the Adobe Acrobat Reader provided on the CD-ROM in the ClientSoftware directory. You can also download it free of charge from the Adobe Web site at www.adobe.com. In addition, online Help is available in the SGMI.
Installing Symantec Enterprise Firewall
To install and connect the Symantec Enterprise Firewall, refer to the Symantec Enterprise Firewall Installation Guide. To install either the Symantec Event Manager or the Symantec Advanced Manager and integrate with the SESA Manager, refer to the Symantec Advanced Manager for Security Gateways Integration Guide.
Technical Support
Customers with a current maintenance agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp/.
Customers with Platinum support agreements may contact Technical Support at the Platinum Web site at www-secure.symantec.com/platinum/.
Issues and limitations
This section documents limitations associated with this release. Where possible, a workaround is suggested.
Windows application servers
Issue: Data may be lost when attempting to communicate with a Windows 2000 application server that is running Microsoft Windows Service Pack 2.
Workaround: Upgrade the application server to Microsoft Windows Service Pack 3 or later or install the Microsoft hotfix Q301337.
Redirection for CIFS fails
Issue: Configuring CIFS service redirection may fail.
Workaround: If you are configuring a service redirection for the CIFS service, a public DNS record on the security gateway you are configuring must have an entry for both the client (requested address) and the target (actual address of target machine).
Dynamic NAT pools may not work with Gateway-to-Gateway tunnels
Issue: Dynamic NAT may not work with Gateway-to-Gateway tunnel traffic.
Workaround: You must use static NAT pools in Gateway-to-Gateway tunnels.
HA/LB issues
Issue: If NIC monitoring of the heartbeat NIC is disabled, stateful failover is enabled, and network traffic is flowing through the cluster, disconnecting the heartbeat interface from the active node may not fail over immediately.
Workaround: Be aware that it may take up to 20 seconds before the other node picks up the traffic.
Issue: During periods of heavy load, clustered nodes may lose track of one another, causing connections to fail even though no security gateway has failed.
Workaround: Either use a dedicated heartbeat or increase the failover timeout in the System > Advanced Parameters tab.
Issue: Problems can occur if you manage a cluster member using its Virtual IP (VIP) address.
Workaround: Use the actual IP address to manage a cluster member.
Issue: Clicking Run Auto Configure on a single cluster node only configures the NTP proxy for that node.
Workaround: To synchronize all cluster nodes, you must run auto configure on each cluster node.
Issue: When creating a cluster using the Cluster Wizard, mismatched logical network interfaces will cause member creation to fail.
Workaround: Make sure all cluster members have matching logical network interfaces.
SRL with reverse lookups
Issue: If DNS is improperly configured and reverse lookups are enabled, SRL may not be able to log on to the security gateway.
Workaround: Properly configure DNS or disable reverse lookups when using SRL.
Ratings profile update delay
Issue: After creating or modifying the first rating profile, the change does not take effect immediately.
Workaround: Disable and re-enable the rating to make it take effect immediately. This issue only affects the first ratings profile.
Connecting with Netscape browser
Issue: When connecting to the security gateway for the first time with Netscape on a client, the JRE is not automatically installed on the client system.
Workaround: Either use Internet Explorer to run SGMI or go to www.sun.com and download and install JRE v1.4.2.
AES tunnels
Issue: AES encryption cannot be used between Symantec Enterprise Firewall and Symantec Client VPN V7.0 without a hotfix.
Workaround: To use AES encryption, you must apply the latest patch from the Symantec Web site to Symantec Client VPN v7.0.
Copying S/Key password to clipboard
Issue: When using the S/Key generator, copying the password to the clipboard does not work.
Workaround: This is a security feature. Manually type the password.
Opening new browser window
Issue: Using the browser's File > New > Window function to open a second admin session can result in an unusable browser session.
Workaround: If you need to open a second admin session, restart the browser.
Packet filter for FTP
Issue: Pre-defined FTP service group cannot be used in a packet filter.
Workaround: To set up a working packet filter for the FTP protocol, you must first create a new TCP-based protocol using port 20. This is the data channel portion of FTP which is not included in the pre-defined protocol FTP (port 21 - control channel). Both the control and the data channel protocols must be included in the filter definition. Also, when assigning the FTP filter to a Logical Network Interface, it should only be assigned to the input filter if direction is in to out.
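To illustrate the workaround above, here is an added example (not Symantec's code) that models a minimal stateless packet filter and a constructed active-mode FTP session: with only the pre-defined FTP protocol (TCP port 21), the server-initiated data connection from port 20 is dropped, and adding a port 20 protocol lets the whole session through. The packet and rule structures are assumptions for the model, not the security gateway's own filter format.

```python
# Added example, not part of the Symantec release notes: a toy stateless
# packet filter showing why an FTP filter needs both the control channel
# (TCP/21) and the active-mode data channel (TCP/20).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    direction: str  # "out": client -> server, "in": server -> client (constructed)


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int       # server-side port the protocol definition covers
    action: str     # "allow" or "deny"


def matches(rule: Rule, pkt: Packet) -> bool:
    # A stateless filter has no session table, so the server port may appear
    # as either the source or the destination depending on packet direction.
    return rule.proto == "tcp" and rule.port in (pkt.src_port, pkt.dst_port)


def evaluate(filter_rules: list, pkt: Packet) -> str:
    # First matching rule wins; anything unmatched falls to an implicit deny.
    for rule in filter_rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed active-mode FTP session as seen from the inside interface:
# the client opens the control channel to port 21, then the server opens the
# data channel from its port 20 back to a port the client announced via PORT.
SESSION = [
    Packet(3456, 21, "out"),   # control channel, client -> server
    Packet(21, 3456, "in"),    # control channel reply, server -> client
    Packet(20, 3457, "in"),    # data channel, server port 20 -> client
    Packet(3457, 20, "out"),   # data channel acknowledgement, client -> server
]

# Filter built only from the pre-defined FTP protocol (control channel).
PREDEFINED_FTP_ONLY = [Rule("tcp", 21, "allow")]
# Filter with the additional TCP/20 protocol the workaround tells you to create.
FTP_WITH_DATA_CHANNEL = [Rule("tcp", 21, "allow"), Rule("tcp", 20, "allow")]


def session_results(filter_rules: list) -> list:
    """Return the filter verdict for each packet of the constructed session."""
    return [evaluate(filter_rules, pkt) for pkt in SESSION]


if __name__ == "__main__":
    print("control only :", session_results(PREDEFINED_FTP_ONLY))
    print("control + data:", session_results(FTP_WITH_DATA_CHANNEL))
```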
Null GWPassword
Issue: Authentication sequences no longer allow null passwords for GWPassword.
Workaround: You must enter at least 10 characters for the user in the Authentication tab password field.
Timeout prior to activation
Issue: The SGMI may time out while you have configuration changes pending.
Workaround: Once you restart SGMI following the timeout, the changes will still be pending.
Rebooting cluster member closes FTP connection
Issue: Rebooting a member of a cluster will shut down FTP data connections to the cluster.
Workaround: Use bfstat stop to shut down the cluster first, then reboot.
Off-box scanning of large files
Issue: When performing off-box antivirus scanning, large file downloads may time out.
Workaround: There are several measures that can be taken, as follows:
- Increase the advanced parameter scanserver.idle_timeout. The default is 120 seconds.
- Increase the driver setting Global/ShortLived_Tcp_Idle_timeout. The default is 119 seconds.
- On Windows systems, increase the value of the registry key TcpIP\Parameters\TcpTimedWaitDelay. The default is 60 seconds. You should increase it only enough to fix the antivirus problem.
Reports in PDF format
Issue: When selecting configuration reports in PDF format, downloading errors can occur.
Workaround: In Internet Explorer, on the Tools > Internet options > Advanced tab, under Security, uncheck Do not save encrypted files to disk or choose the HTML format under Reports Setup.
Uninstall hangs
Issue: On rare occasions, the uninstall of a Windows system can hang on the Finish button.
Workaround: Open the Task Manager and end the ikernel.exe process.
Upgrade issues
Issue: Release 8.0 does not support swIPe tunnels. A security policy using a swIPe tunnel in a pre-8.0 configuration will not upgrade properly.
Workaround: Remove the security policy prior to upgrading.
Issue: If the RTSP or GSP proxy is disabled in a v7.0x firewall, after the upgrade it may be enabled.
Workaround: You must disable the proxy after the upgrade procedure.
Advanced option does not take effect
Issue: After changing a driver parameter using the Advanced Options page, the change may not take effect immediately.
Workaround: You may need to reboot the security gateway after some Advanced Option changes.
Deletable Universe entity
Issue: After upgrading from a v7.x to a v8.0 security gateway, you may be able to delete the Universe network entity.
Workaround: Do not delete the Universe network entity.
Apply hotfixes before backup
Issue: When restoring a v7.0 security gateway backup to a v8.0 security gateway, the SGMI can hang because of the size of the backup.
Workaround: If you have applied all of the hotfixes (including SRMC) for the v7.0 release, the backup operation will not back up log files.
Blocking CIFS access
Issue: In certain Windows 2000 configurations, electing to deny File Access and File Printing through the CIFS service group may not actually prevent those types of connection.
Workaround: Unchecking the File Generic Access Enabled check box will block both types of connection.
Removing IKE users
Issue: After removing a user from a user group, the user may retain access rights to that group's tunnels.
Workaround: To disable IKE access of a user in a user group, you must first set the user's Primary IKE Group to <NONE> before removing the user from the group.
System Setup Wizard validation error
Issue: When running the Restore from backup configuration in the System Setup Wizard, a missing logical network interface message can appear.
Workaround: When the System Setup Wizard finishes, reboot the security gateway.
Disconnected NIC interface
Issue: On a Windows system, if a network interface becomes disconnected for any reason, reconnecting it and rebooting the security gateway is not sufficient to restore the interface to the configuration.
Workaround: You must run the System Setup Wizard to restore the interface.
Connecting to security gateway with Windows 2003
Issue: When connecting to a security gateway from a Windows 2003 machine, the JRE is not automatically pulled down.
Workaround: This is normal behavior for the Enhanced Security feature of Internet Explorer. You must manually add the security gateway to either the Intranet or Trusted Sites zone in Internet Explorer.
Cluster Wizard Back button
Issue: The Back button in the Cluster Wizard is grayed out.
Workaround: To go back and make changes to the cluster configuration, you must click Cancel and restart the Cluster Wizard.
SRMC-to-SGMI transition
This section is intended to ease the transition for an experienced SRMC user to the new interface. The following tables compare the locations of SRMC tasks to their locations in the SGMI.
The SRMC interface was organized in four groups:
- Base Components
- Access Controls
- Virtual Private Networks
- Monitoring Controls
The SGMI interface is organized in five groups:
- Policy
- Location Settings
- System
- Monitoring
- Reports
SRMC Base Components
This table shows the SGMI locations for the items under Base Components in the SRMC.
SRMC | SGMI
System Features | System > Features
Routes | System > Routes
Remote Management Password | Location Settings > Advanced > System Parameters
DNS Records | Location Settings > DNS
Network Interfaces | Policy > Advanced > Logical Network Interfaces; System > Network Interfaces
Network Entities | Location Settings > Network Entities
User Groups | Location Settings > User Groups
Users | Location Settings > Users
Authentications | Location Settings > Advanced > Authentication Methods
Times | Policy > Advanced > Time periods
Protocols | Policy > Service Groups; Policy > Advanced > Network Protocols
Gateway Services | Location Settings > Advanced > Services
Filters | Policy > Filters
Access Controls
This table shows the SGMI locations for the items under Access Controls in the SRMC.
SRMC | SGMI
Rules | Policy > Rules
Content Profiles | Policy > Content Filtering > Rating Profiles
Redirected Services | Location Settings > Advanced > Redirected Services
NAT Pools | Location Settings > Advanced > NAT Pools
Address Transforms | Location Settings > Advanced > Address Transforms
H323 Aliases | Location Settings > Advanced > H.323 Aliases
Proxy Services | Location Settings > Advanced > Proxies
Virtual Private Networks
This table shows the SGMI locations for the items under Virtual Private Networks in the SRMC.
SRMC | SGMI
Secure Tunnels | Location Settings > Tunnels
VPN Policies | Policy > VPN Policies
Global IKE Policy | Policy > Global IKE Policy
Remote Policies | Remote Policy wizard
Monitoring Controls
This table shows the SGMI locations for the items under Monitoring Controls in the SRMC.
SRMC | SGMI
Notifications | Location Settings > Notifications
Active Connections | Monitoring > Active Connections
Logfiles | Monitoring > View Logs
Configuration Reports | Reports > Configuration Reports
Document ID: 2004032515073954
Last Modified: 06/20/2004
Date Created: 03/25/2004
Operating System(s): Windows 2000, Solaris 8, Solaris 9
Product(s): Symantec Enterprise Firewall 8.x
Release(s): Symantec Enterprise Firewall 8.0