Thứ Hai, 10 tháng 2, 2014

Tài liệu Embedded NGX 7.5 Release Notes General Availability Version pptx





5
Changes from 7.5 to 7.5.55
7.5.55
New Features
Additional USB modems
Support was added for the following USB modems:
- Teltonika U3G15S
- Qualcomm ZTE MF622 HSDPA
Issues resolved
Firewall

Resolved issue:
When handling large packets, requiring fragmentation, over PPP
Internet links, some packets are handled incorrectly.
Connectivity

Resolved issue:
Dead Connection Detection set on the primary Internet
connection coupled with a secondary PPP Internet connection in Connect-on-
Demand mode, may fail to operate as expected.
VPN

Resolved issue:
DHCP relay does not function as expected when used from a
bridged network over a VPN link.



Resolved issue
: In rare cases, remote HTTPS and SSH connections to the
appliance IP address over VPN may be abnormally terminated.

Resolved issue
: When using more than 10 VPN tunnels simultaneously,
connections scanned by VStream Antivirus are sometimes cut.


HTTPS

Resolved Issue:
In the web user interface, the logout button now appears in
HTTPS mode, when using Internet Explorer or Firefox.


Wireless




6

Resolved Issue:
When using WPA security, Windows Vista clients may fail
obtaining an IP address using DHCP, and certain broadcast packets may be
encrypted with an incorrect key.
7.5.51
Issues resolved
Management

Resolved issue:
Upgrade from firmware 6.0 directly to 7.5 may cause certain
settings to be reset to their default values.

Resolved issue
: During an appliance reboot, the gateway continues to appear as
“connected” in the Service Center (SMP/SmartCenter).

Resolved issue
: When downloading a

CLI scripts from the Service Center, the
managed items are not correctly marked as “Remotely Managed”.

Firewall and Smart Defense

Resolved issue:
SIP ALG does not work correctly through a VPN tunnel.

Resolved issue:
SIP support for Cisco VoIP phones improved.

Resolved issue:
As a normal side effect, SIP ALG processing or IPSEC decryption
may sometimes cause shortening of packets. In rare cases, fragmented packets
that were shortened, may be silently dropped or incorrectly transmitted.
VPN

Resolved issue:
In certain cases, IKE Phase1 failures may cause a memory leak.

Resolved issue:
Disconnects

when using L2TP VPN with Apple IPhone clients.

Resolved issue: W
hen using VPN in “Route all Traffic” mode, certain connections
are not established correctly.

Resolved issue:
When configured in a managed VPN community (Enterprise Site),
the appliance may fail to connect to externally managed gateways requiring
shared secret authentication.

Wireless

Resolved issue:
Wireless LAN

may operate unreliably when using certain wireless
devices supporting power save mode (such as Blackberry).




7

7.5.48
Issues resolved
Firewall and Smart Defense

Resolved issue:
In certain cases, the appliance may restart when processing SIP IP
telephony packets.
Vstream Anti-Virus

Resolved issue:
Specific EXE files are scanned slowly.
Management and settings

Resolved issue:
When upgrading from firmware, 7.0 VPN sites and SNMP settings
revert to disabled.

Resolved issue:
A potential security vulnerability corrected in the SNMP server.
7.5.45
New Features

Additional USB modems
Support was added for the following USB modems:
- Novatel Ovation MC950D
- Novatel U727
SIP support
The SIP application level gateway (ALG) can now be optionally disabled.
ADSL
Norway's ISPs details were added to the ADSL wizard.
Enhanced HTTPS Support
To increase security, the following changes were done to the HTTPS web
configuration portal (
https://my.firewall):




8
- HTTPS web server cookies are now marked as “secure cookies”.
- HTTPS clients are no longer permitted to select weak 40 and 56 bit
ciphers.
Enhanced L2TP Support
The L2TP server has been enhanced to support the following cases:
- Windows Vista VPN clients behind a NAT device.
- Apple iPhone VPN clients.

Issues resolved
HTTP/HTTPS

Resolve issue:
low severity cross side scripting (XSS) attack potentially possible
against the configuration web portal. This issue is unlikely to be successfully
exploited.
Vstream Anti-Virus
Resolved issue:
in certain cases, VStream Antivirus may block valid connections.
Firewall

Resolved issue:
A memory issue when using DHCP relay.
ADSL

Resolved issue:
ANNEX B DSL modems support for G.DMT standard.
IP60

Resolved

issue: Nokia IP60 GUI layout appears incorrectly.





9
New Features
New Security Features
Web Rules
It is now possible to define Web rules
that allow or block access to specific Web
sites based on the site’s URL.

If desired, you can log attempts to access
allowed and blocked Web sites. In
addition, you can exclude specific IP
addresses or address ranges from Web
rule enforcement.

Wildcards may be used in web rules to
allow partial access to certain web sites.

This feature does not require subscription
to the category-based Web Filtering service
and can operate in parallel with the
subscription service, if desired.

When a site is blocked, a configurable message is displayed to the user. See
“Customizable Web Filtering Page”.

Time-Based Rules
It is now possible to define firewall rules
that only take effect during certain hours of
the day.




10

This feature is supported for locally defined firewall rules, for locally defined
antivirus rules, and for firewall rules downloaded from Check Point SmartCenter
(rules using time objects).
Rule Descriptions
A new Description field allows attaching an explanation or remark to each locally
defined firewall and antivirus rule. This optional field can be used for naming a
rule or for explaining why the rule is needed and under what circumstances.
Reusable Network Service Objects
Embedded NGX 7.5 allows defining custom network service objects in the local
Web interface and assigning them unique
names. The network service objects can
then be used in firewall rules, antivirus
rules, and policy-based routing rules.

Network service objects consist of an IP
protocol and either a TCP/UDP port or a
port range. It is possible to define several
non-consecutive port ranges, by
separating them with commas.



Allow & Forward Rules with Destination IP Address
It is now possible to define “Allow & Forward” rules with a specific destination IP
address. This allows defining NAT forwarding rules that only take effect when
accessing a certain IP address.

Embedded NGX 7.5 allows defining
different forwarding rules for each external
IP address. For example, consider a case in




11
which the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.2,
and the network contains two private Web servers, A and B. It is now possible, to
forward all HTTP traffic with the destination 62.98.112.1 to server A, while
mapping all HTTP traffic with the destination 62.98.112.2 to server B. Previously,
this was only possible using static NAT mappings.

Advanced users can also use this feature for outgoing traffic, creating
"transparent proxy" rules that divert all traffic that is destined for a certain IP
address to a different IP address.
Advanced Address Translation Rule Base
Embedded NGX 7.5 allows configuring advanced network address translation
(NAT) rules in the local management interface.

The Address Translation table is divided into Original Packet and Translated
Packet sections. The
Original Packet section
specifies the conditions
under which the rule is
applied, and the
Translated Packet
section specifies the
action taken when the
rule is applied. You can change the source IP address, the destination IP address,
the service, or any combination of the above.

When translating an IP address range to another IP address range of the same
size, static NAT is performed.

When translating an IP address range to a
smaller IP address range, static NAT is
performed for all but the last address in
the translated range, and hide NAT is
used to hide all the remaining addresses




12
in the original range behind the last IP address in the translated range.

NAT rules can be implicitly defined though a number of methods: by enabling
“Hide NAT” on an internal network, by creating an “Allow & Forward” firewall
rule, or by configuring static NAT for a network object. In addition, NAT rules can
be received from the SmartCenter policy editor. Implicitly defined NAT rules are
displayed in the Address Translation table, but cannot be edited.

Note: This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.

New SmartDefense Protection: Checksum Verification
When this protection is enabled, SmartDefense will identify and drop IP, TCP, or
UDP packets with incorrect checksums.



New SmartDefense Protection: Urgent Flag Clearing
The URG flag is used to indicate that urgent data exists in a TCP stream, and that
the data should be delivered with high priority. Since handling of the URG flag is
inconsistent between different operating systems, allowing the URG flag may
enable an attacker to conceal certain attacks.





13
By default, SmartDefense automatically clears the URG flag to ensure security.
To allow the URG flag, in the SmartDefense tree's TCP > Flags node, set the URG
Flag field to Allow. To prevent the URG flag from being used, set the URG Flag
field to Clear.
New SmartDefense Protection: Sequence Number Verifier
When this protection is enabled, Embedded NGX examines each TCP packet's
sequence number and checks whether it matches a TCP connection state. You
can configure how the router handles packets that match a TCP connection in
terms of the TCP session but have incorrect sequence numbers.
Secure HotSpot: Redirect URL
The Secure HotSpot feature now allows defining an optional “Redirect URL”.
When a “Redirect URL” is defined, every user who successfully authenticates to
the Secure HotSpot will be automatically redirected to the specified URL. For
example, the “Redirect URL” can be your company’s Web site or a “Welcome”
page.
This feature is supported in the following platforms: UTM-1 Edge, Safe@Office 500 with Power
Pack, Safe@Office 225, and Safe@Office 410/425.
Remote Desktop Access Granular Permissions
Embedded NGX includes an integrated client for Microsoft Terminal Services,
allowing you to enjoy convenient clientless access to your Windows computers
from anywhere, via the my.firewall portal. System administrators can remotely
access the desktop of each of employee's computer, and even redirect printers
or ports to a remote computer.

Starting from Embedded NGX 7.5, granular permissions are now available for
Remote Desktop Access,
enabling an administrator to
limit access to the Remote
Desktop Access feature to a
limited set of users.

Non-administrator users which
have the “Remote Desktop”
permission in their profile can




14
now login to the Embedded NGX web based configuration portal, my.firewall,
and gain access to a restricted portal, showing only the “Active Computers”
page, and allowing access to the Remote Desktop Access feature.
Enhanced SIP Support
Embedded NGX 7.5 now includes a dedicated ALG (Application Level Gateway)
for SIP (Session Initiation Protocol), the popular signaling protocol commonly
used for IP telephony (VoIP). This ALG enables easy NAT and Firewall traversal.
Note:
1. Embedded NGX 7.5 supports SIP over UDP. SIP over TCP is currently not
supported.
2. A SIP Proxy must be used, and the proxy must not reside in the same
network as the SIP client.

Enhanced VPN Topology Display
An enhanced topology viewer is now available, for convenient display of the VPN
network topology. The VPN topology viewer is accessible from the “Active
Tunnels” page in the web user interface.

New Networking Features
WAN Load Balancing

Không có nhận xét nào:

Đăng nhận xét