
StoneGate Management Center

Release Notes for Version 4.1.0

Table of Contents

What's New . . . . . . . . . . . . . . . . . . . . . . . . . page 3
System Requirements . . . . . . . . . . . . . . . . . . . page 6
Build Version . . . . . . . . . . . . . . . . . . . . . . . . . page 6
Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . page 6
Installation Instructions . . . . . . . . . . . . . . . . . . page 7
Upgrade Instructions . . . . . . . . . . . . . . . . . . . . page 7
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . page 8


What's New

New features

Features that have been implemented since StoneGate Management Center v4.0 are described in the table below.

Feature: Support for Transparent Access Control (TAC) configuration
Description: A new Ethernet rules tab has been added to the IPS policies. These rules define which
  Ethernet protocol traffic is allowed or stopped for Sensors in Transparent Access Control mode. A
  separate license is required to use the Ethernet Rules.

Feature: Ethernet Services Element Added to IPS Configuration
Description: New Ethernet Service elements have been added to the IPS Configuration branch of the
  All Elements tree. These elements are used in the Ethernet rules of IPS policies for Sensors in
  Transparent Access Control mode to define the Ethernet frame type.

Feature: Improved Diagram View
Description: You can now add a background image to diagrams. The Diagram view now also includes a
  Diagram Navigation panel that allows you to more easily select and zoom in on a particular area of
  a diagram.

Feature: Built-in alert forwarding support for Bradford Networks NAC system
Description: StoneGate can be configured to send critical alert events to Bradford Networks NAC
  Director/Campus Manager (www.bradfordnetworks.com).

Enhancements

Enhancements that have been made since StoneGate Management Center v4.0 are described in the table below.

Enhancement: Enhanced Printing and Copy-Paste Options.
Description: You can now print element listings from the Search view and the Configuration view with
  all the information displayed in the Info panel. You can also copy-paste selected elements with all
  the information in comma-separated value (CSV) format.

Enhancement: Log Explorer progress line chart supports current log mode.
Description: In StoneGate Log Explorer, the progress line chart now also supports current log mode.

Enhancement: Version information is available in login screen. (#21807)
Description: The Management Client login screen now displays the Management Client's software version.

Enhancement: New option for silent drop of duplicate log events. (#31210)
Description: The Properties dialog for Sensors, Sensor Clusters and combined Sensor-Analyzers includes
  a new option on the Advanced Properties tab to silently drop duplicate log events. This option can
  be used when a group of Sensors is deployed in front of a Firewall cluster.

Enhancement: IPS daily summary report template has been renewed. (#18759)
Description: The content of the Daily Summary system report template has been enhanced.

Enhancement: Improved Element Reference Search. (#18851)
Description: The Reference search is now able to present more detailed information about the
  reference in a tree view. For example, the reference search for policies now also returns the rule
  numbers for elements used in policies in addition to the policy element.


Fixes

Problems described in the table below have been fixed since StoneGate Management Center v4.0.1. A workaround
solution is presented for earlier versions where available.

Synopsis: Active Directory user groups do not work properly. (#30160)
Description: If Microsoft Active Directory user groups are used in the rules, users in the group are
  not able to log in.
Workaround for previous versions: Use individual users in the rules instead of groups.

Synopsis: Alert info message never displayed. (#31263)
Description: The alert info message is resolved incorrectly and does not appear in alert messages
  sent as e-mail. Note that the information message is not included in the messages by default, so it
  is meant to appear only when the file "data/notification/smtp_alert.txt" is edited to contain the
  line "description: $([[$LN_INFO_MSG]]/resolved)".
Workaround for previous versions: N/A

Synopsis: $$Management Servers alias may be resolved incorrectly. (#31358)
Description: When contact address(es) are defined for a Management Server, a $$Management Servers
  alias element in policies is resolved incorrectly to contain both the real IP address and the
  contact address(es).
Workaround for previous versions: Create Host elements for the IP addresses and use them in the
  rules instead of the alias element.

Synopsis: Filter editor may not accept valid fields. (#31363)
Description: The Filter editor may not accept a field and may report an error even when the field is
  valid for the expression. This happens if a section of the expression containing the field is
  first removed and the same field is then added back into the expression.
Workaround for previous versions: N/A

Synopsis: Importing a custom-defined CA element may fail. (#31446)
Description: If a file with exported elements contains a custom-defined Certificate Authority (CA)
  element, importing may fail with "Error while storing object meta-data for Storable".
Workaround for previous versions: N/A

Synopsis: Access rule with time options cannot be deleted. (#31743)
Description: An IPS access rule cannot be deleted if the rule has a specific validity time. Deletion
  of such rules fails and reports a database error.
Workaround for previous versions: Remove the time options before deleting the rule.

Synopsis: VPN tunnels are always invalid if the Gateway Profile does not use AH. (#31803)
Description: The system always considers VPN tunnels invalid if ESP without AH is selected in the
  external gateway's profile under IPsec capabilities.
Workaround for previous versions: N/A

Synopsis: Referenced logs cannot be viewed from blacklist monitoring. (#31816)
Description: The "Show Referenced Logs" action does not work in the blacklist monitoring view.
Workaround for previous versions: N/A

Synopsis: Management Server may not start after upgrade. (#31820)
Description: The upgrade may fail during database migration and the Management Server may not start
  if the system contains IPS elements for old engine versions.
Workaround for previous versions: Delete all IPS version 1.x policies (sensor + analyzer) before the
  upgrade.

Synopsis: Monitoring may erroneously report engine status as unknown. (#31911)
Description: If the Management and Log Servers have been installed separately, the Management Server
  may fail to read engine status information from the Log Server. In such cases, the engine is shown
  with unknown (gray) status even though the engines can be controlled normally.
Workaround for previous versions: Create a subdirectory called 'datalogserver' under the directory
  'data' on the Management Server.

Synopsis: Unexpected error when trying to open report item properties. (#32069)
Description: Opening the properties of report items with default names fails with an unexpected
  error.
Workaround for previous versions: N/A

Changes Introduced in the Previous Major Version

This section lists major changes that were introduced in SMC 4.0 that may affect you if you are upgrading from a
version prior to 4.0.0. This is not a full listing; see the Release Notes of each version for more details.

Change: Existing Ethernet Access rules are migrated to the new Ethernet rulebase.
Description: If MAC addresses have been used in IPS access rules, the rules are moved to the new
  Ethernet rulebase during the upgrade to version 4.1. However, if a rule has contained IPv4
  services, these services cannot be moved to the Ethernet rules and the value ANY is used in the
  migrated rule's service definition. The old access rules are left in the access rulebase, but the
  MAC addresses are removed from the source and destination fields.
  If MAC addresses have been used in the IPS access rules, Stonesoft recommends verifying these rules
  manually after the upgrade, because the meaning of the rules may have changed in the automated
  migration.

Change: IPS 1.2 configuration tools are not available in SMC 4.0 and later
Description: Only IPS engines with version 2.0 or later can be configured and managed through
  SMC 4.1.

Change: Unnecessary services related to Protocol Agents are deleted during upgrade
Description: Version 4.0 introduced improvements in the structure of Protocol Agents, which reduce
  the need for many redundant service elements for the same protocol. During the upgrade, the system
  cleans up unnecessary system and user-defined services that are not used in any configuration. It
  is also recommended to review policies manually to clean up any remaining redundant services that
  are in use.

Change: Log data stored with versions 2.2 or prior is not readable in SMC 4.0 and later
Description: Old log data that has been stored in the database is no longer readable with SMC
  version 4.0 or later, unless the log data is converted to the new format before the upgrade.

Change: Version 4 log data is not backward compatible
Description: Log data written with version 4.1 Log Servers is not readable with Log Servers prior to
  version 4.0.

Change: RSA encryption is no longer supported as an authentication method
Description: Options for RSA encryption as an authentication method in IKE have been removed from
  the Management Client. During the upgrade, any existing RSA encryption configurations are migrated
  to RSA Signatures.

Change: VPN tunnels are renegotiated after the first policy installation
Description: Because of the changes in VPN configuration syntax, engines renegotiate all existing
  VPN tunnels after the first time the configuration is uploaded to the engines with a version 4.1
  Management Server. Because of this limitation, Stonesoft recommends scheduling the first policy
  installation in a service window or a quiet moment when the VPN tunnels are the least utilized.

Change: Dynamic Update package is activated automatically during the installation
Description: During the installation, Dynamic Update package 112 is automatically activated.

Change: System alias $$Management Server has changed
Description: The network element $$Management Server has been renamed $$Management Servers. The
  element may now contain several IP addresses. Note that the change can have an impact on element
  usage in NAT rules if several Management Servers have been defined.


System Requirements

Basic Management System Hardware Requirements

- Pentium 4 processor or higher recommended (the suggested minimum processor speed is 2 GHz) or
  equivalent on a non-Intel platform
- A mouse or pointing device (for Management Client only)
- SVGA (1024x768) display or higher (for Management Client only)
- 1 GB RAM
- Disk space for Management Server: 4 GB
- Disk space for Log Server: 20 GB - 80 GB

Operating Systems

StoneGate Management System supports the following operating systems and versions:

- Microsoft Windows 2003 SP1 (32-bit) *
- Microsoft Windows XP SP2 (32-bit) *
- Microsoft Windows 2000 SP4 *
- Red Hat Enterprise Linux 4.0 and 5.0 (for 32-bit x86)
- Fedora Core 5 and 6 (for 32-bit x86)
- Sun Solaris 9 and 10 (for SPARC) **

*) Only the U.S. English language version has been tested, but other locales may work as well.
**) SMC version 4 is going to be the last version to support Solaris.

Build Version
The StoneGate Management Center v4.1.0 build version is 7711.
This release contains StoneGate Dynamic Update package 112.

Compatibility

Minimum

StoneGate Management Center v4.1.0 is compatible with the following StoneGate component versions:
- StoneGate Firewall engine v2.2.0 or higher
- StoneGate IPS engine v2.0.0 or higher
- Dynamic Update package 112 or later

Native support

In order to utilize all the features of StoneGate Management Center version 4.1, the following StoneGate
component versions are required:
- StoneGate Firewall engine version 4.0 or higher
- StoneGate IPS engine version 4.1 or higher


Installation Instructions

Note: The sgadmin user is reserved for StoneGate use on Linux and Solaris, so it must not exist before the
StoneGate Management Center is installed for the first time.

The main installation steps for StoneGate Management Center and firewall or IPS engines are as follows:
1. Install the Management Server, the Log Server(s), and the Management Client. The Monitoring Server needs
   to be installed if Monitoring Clients are used.
2. Import the licenses for all components (you can generate licenses on our Web site at
   https://my.stonesoft.com/managelicense.do).
3. Configure the Firewall or IPS elements with the Management Client using the Configuration view.
4. Generate initial configurations for the engines by right-clicking the Firewall or IPS Sensor/Analyzer and
   selecting Save Initial Configuration from the menu that opens.
5. Install the firewall and IPS engines by rebooting the machines from the installation CD-ROM.
6. Make the initial connection from the engines to the Management Server and enter the one-time password
   provided during step 4.
7. Create and upload a policy on the engine with the Management Client.
8. Command the nodes online by right-clicking the Firewall or IPS Sensor/Analyzer and selecting
   Commands > Go Online from the menu that opens.
Detailed installation instructions can be found in the StoneGate Installation Guide. For a more thorough
explanation on using StoneGate, refer to the StoneGate Administrator's Guide and the Administrator's Reference.

Upgrade Instructions

Note: StoneGate Management Center (Management Server and Log Servers) must be upgraded before the
firewall and IPS engines are upgraded.

StoneGate Management Center v4.1.0 requires an updated license. The license upgrade request can be made on
our website at https://my.stonesoft.com/managelicense.do. Activate the new license using the StoneGate
Management Client before upgrading the software.
To upgrade an earlier version of StoneGate Management Center to StoneGate Management Center v4.1.0, we
strongly recommend that you stop all the StoneGate services and then perform a backup before continuing with the
upgrade. After taking the backup, run the appropriate setup file for the operating system. The installation
program detects the old version and performs the upgrade automatically.
Versions earlier than 3.0.1 require an upgrade to version 3.0.1 before upgrading to newer versions.
Backup restoration is supported with backups taken from version 3.5.2 and later.


Known Issues
The current known issues of StoneGate v4.1.0 are described in the table below. For an updated list of known
issues, consult our website at http://www.stonesoft.com/support/StoneGate/Known_Issues/.

Synopsis: Scheduled report generation may stop working. (#14771)
Description: Scheduled report generation stops if it encounters a problem during the post-processing
  step (e.g., if an invalid e-mail address is used in the report task properties).
Workaround: Reset the task by opening its properties and closing the dialog using OK. The failed
  report and any other reports due for generation between the failure and the current time are
  automatically generated.

Synopsis: Unable to delete network elements. (#15836)
Description: Under some circumstances, deleting a network element fails with the message:
  "Database error: Problem while trying to remove the Network element: 'ID of the element'"
Workaround: Contact support@stonesoft.com for the workaround.

Synopsis: Dynamic IP Firewall engine does not support manual blacklisting. (#16597)
Description: Firewalls with a dynamic control IP address do not support manual blacklisting.
Workaround: N/A

Synopsis: The very first SMS alert may get lost when using GSM modems. (#16983)
Description: With industrial GSM modems, the very first SMS message may get lost if the SIM card
  requires a PIN code.
Workaround: To make sure that SMS messages also get delivered after a GSM modem reboot, send two
  messages in a row with some delay between the messages.

Synopsis: Protocol field in Inspection Rules does not have effect on "Show Matching Situations"
  search result. (#21845)
Description: The Protocol field in Inspection Rules does not have an effect on the "Show Matching
  Situations" search result. However, the configuration is generated and matched correctly on a
  Sensor engine.
Workaround: N/A

Synopsis: Impossible to browse more than 1000 users stored in Active Directory (#22881)
Description: When Active Directory is used as an external user database, it is impossible to browse
  more than 1000 users with the Management Client.
Workaround: Increase the maximum value of LDAP search results in SGConfiguration.txt. For example:
  LDAP_SEARCH_MAX_RESULT_CONSTRAINT=5000
  See the instructions in the Microsoft MSDN library for how to handle the configuration of the
  Active Directory server when a large number of users is queried.

Synopsis: Uninstallation may hang in Windows. (#27486)
Description: The uninstallation program may hang when it is trying to delete Windows registry
  entries.
Workaround: Remove the files and the registry entries manually.

Synopsis: Webstart does not automatically download updated Management Client. (#29023)
Description: When using Java runtime version 1.5, Web Start uses the locally cached client instead
  of automatically downloading the updated files from the server.
Workaround: Delete the cached client libraries using the Java control panel.

Synopsis: StoneGate Management Server installation may fail on Microsoft XP SP2.
Description: StoneGate Management Server installation fails on Microsoft Windows XP systems. See
  known issue 884020.
Workaround: Install Windows XP update KB884020.

Synopsis: Non-spoke sites are migrated to spoke sites if a gateway also contains spoke sites. (#30065)
Description: Because the VPN Spoke setting has been moved to the VPN Gateway level (in versions
  before 4.0.0 the property was at the Site level), non-spoke Sites are changed to spoke Sites
  during upgrade if the gateway also had spoke Sites defined.
Workaround: N/A

Synopsis: Some settings are lost when importing VPN configurations from versions prior to 4.0 (#30067)
Description: Tunnel settings are not imported if the export has been taken from a Management Center
  version prior to 4.0. After the import, the tunnels use the default settings.
Workaround: Verify your tunnel settings after the VPN import.

Synopsis: Standby/Active settings of forwarded tunnels are not preserved during migration. (#30130)
Description: The information about forwarding tunnel status is lost during an upgrade.
Workaround: If you are using mVPN with a HUB configuration, verify your tunnel settings after an
  upgrade from version < 4.0.0.

Synopsis: Right-clicking in the log query view may cause error. (#32100)
Description: An "Unexpected error" message appears when right-clicking the space under the and/or
  column in the log query view.
Workaround: Right-click the space under the filter name instead to access the menu.

Synopsis: Focus problems on Fedora Core 6 platform. (#30244)
Description: There may be focus problems with the Management Client on the Fedora Core 6 platform.
  For example, the login window does not allow typing a password before clicking on the "Remember
  Server Address" checkbox and changing the focus back to the password field. For more information,
  see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6506617.
Workaround: N/A

Synopsis: No error message when uploading a policy into a sensor without an updated license. (#30711)
Description: After upgrading an IPS sensor to version 4.0 without importing a new license for it,
  the system allows the policy upload to start, but nothing appears in the installation dialog.
Workaround: Import valid licenses to the engines.

Synopsis: Invalid configuration is sent to small appliances when deep inspection is used. (#32094)
Description: Some of the low-throughput appliances do not support deep inspection due to their
  limited resources. The Management Server does not check this information from the appliances'
  license as intended and may generate an unsupported configuration for these appliances. If this
  happens, the policy installation fails with 'Error code 203 (H2AMGMT_REPLY_INTERNAL_ERROR)
  "Message error code:-1"'.
Workaround: Set Deep Inspection to OFF in the rule options of all Access rules.


Trademarks and Patents


Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link
technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are
protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks
are property of their respective owners.
Copyright and Disclaimer
Copyright 2000-2007 Stonesoft Corporation. All rights reserved.
These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties
and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with
Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective
owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written
authorization of Stonesoft Corporation.
Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in
these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC
configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products
described herein.
THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION CONTAINED IN THESE MATERIALS.
IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN
IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.
Revision: RLNT-SG4.1.0 - 9/7/2007

www.stonesoft.com

Stonesoft Corp.
Itälahdenkatu 22a
FIN-00210 Helsinki
Finland
tel. +358 9 4767 11
fax +358 9 4767 1234

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338 USA
tel. +1 770 668 1125
fax +1 770 668 1131
