5.3.1 Release Notes

Overview

Extreme Security Threat Protection firmware version 5.3.1 is a firmware update for the XGS IPS network protection platform. This release provides the following updates to Extreme Security Threat Protection firmware version 5.3:
  • Serviceability and support enhancements:
    • Display system CPU, memory, storage information in the command line interface.
    • Restart the following system services in the command line interface: packet processing, packet capture, LMI, SiteProtector communication, and license and update services.
    • View and search system logs in the command line interface.
    • Ability to retrieve support files via SFTP.
  • Response enhancements:
    • Support of TCP for syslog forwarding.
    • Events (rsyslog) forwarded over TCP in LEEF or non-LEEF format show the same details as the content that is sent to the SiteProtector System.
  • Network Access Policy enhancements:
    • Ability to determine the packet source and then control traffic by IP or by identity, based on the HTTP X-Forwarded-For header.
  • IPS Policy enhancements:
    • Ability to derive a new IPS object from an existing IPS object.
    • A warning message is displayed when you enable non-sequitur events and status type events in a non-default IPS object.
  • Performance: Support for FPL5 (25 Gbps) on XGS 7100.
  • Miscellaneous updates and implementation changes:
    • Disabled Top 10 URLs and Web Categories dashboard widget.
    • Customers who are pushing the boundaries of Connections per Second rates are likely affected by gathering Top Ten URL metrics for the dashboard.
    • Disabled mDNS responder due to a possible security issue.
    • Support for mutual certificate authentication for communication between the Network Security appliance and the SiteProtector System.
Note

  1. The Top 10 URLs and Web Categories dashboard widget is now disabled by default. You can enable this widget by changing the value of tuning parameter tune.url.topten.tracking to enabled and restarting the packet processing service.
  2. The Outbound SSL Inspection feature currently has several known issues that will cause inspection to fail for some websites when the client is using the latest Firefox or Chrome browsers. These issues are under investigation, and will be addressed in a future fix pack.

Known Issues

Note

The ISNP Outbound SSL Inspection feature currently has several known issues that will cause inspection to fail for some websites when the client is using Firefox or Chrome browsers. These issues are under investigation, and will be addressed in a future fix pack.
  1. If you assign multiple protection interface segments to the same subnet, only the first interface assigned to that segment works for portal user authentication. The connection to the portal server cannot be established.
  2. After you change a login password using SSH or the management console password expiration prompt, SiteProtector might fail to retrieve certain Security Network Protection agent information such as Users and Groups objects. A password change made through SSH or the management console shell because of password expiration uses an OpenSSH shell. This causes the agent credentials stored in SiteProtector to be out of sync with the appliance. To avoid this issue, or to correct the problem after it occurs, change the login password using the local management interface.
  3. The system event log displays an error when the packet processing service is restarted. When you restart the packet processing service, the protection interfaces going offline and coming back online create events in the Events log. If a DCA download is in progress, the following error message is also displayed in the Events log: An error occurred performing an application database update. This is a known issue and expected behavior.
  4. By default, the Top 10 URLs and Web Categories dashboard widget counts only URLs reported by Network Access Policies that have a response object. To enable the widget to count all URLs, you can change the value of tuning parameter tune.url.topten.tracking to enabled.
  5. If you disable all protection interfaces, packet processing no longer functions. This causes SiteProtector to display a failed health check for the appliance. It also causes other functions to fail, such as the CLI command show interface.
  6. The default schedule object policy migrated from a previous firmware version might cause the following error message to appear in the system log: Element '{http://www.iss.net/cml/alps/schedule_objects}policy': Character content other than whitespace is not allowed because the content type is 'element-only'. Disregard this error. There is no functional impact.
  7. If you are using Outbound SSL Inspection and enable the "Block connection if server certificate is invalid" option in the SSL Inspection Settings, many HTTPS sites are blocked. FNXSI1001E system events are generated with the message "unable to get local issuer certificate." Disable this setting to allow the connection to proceed past the TLS handshake.
  8. If you are using Outbound SSL Inspection, SSL/TLS connections that negotiate the use of TLS ALPN extension and support for TLS status request extension (example https://www.yahoo.com) are not decrypted and therefore do not have their cleartext payloads inspected.
  9. If you are using Outbound SSL Inspection, network users using Firefox 37 and Chrome 42 cannot connect to web sites that support TLS False Start.
  10. If you are using Outbound SSL Inspection, some pages do not load or only partially load due to incorrect TCP ACK values, window size manipulation, and keep-alive handling. This might also impact large file downloads.
  11. Outbound SSL Inspection is not performed on connections to Google web sites from a Chrome browser. No impact to end user.
  12. In 5.3.0.x firmware, if you have any custom rules in the Management Access Policy that contain address objects and are deployed from the SiteProtector system, the incorrect format of the policy causes the firmware 5.3.1 upgrade to fail. Use the following workaround:
    1. Apply the latest SiteProtector DBSP first, and then migrate your policies from 5.3.0.x to 5.3.1 using the SiteProtector system.
    2. Remove any Management Access Policy rules that contain address objects in 5.3.0.x Agent Version, and deploy to the agents.
    3. Perform the 5.3.1 firmware upgrade.