Release notice for Ingate Firewall® 4.8.1 and Ingate SIParator® 4.8.1


Release notice for Ingate Firewall® 4.8.1 and Ingate SIParator® 4.8.1

Release name: Ingate Firewall® 4.8.1
Ingate SIParator® 4.8.1

The new version can be found here

The user manual can be found here

Release notice for Ingate Firewall(R) 4.8.1 and Ingate SIParator(R) 4.8.1

Release name: Ingate Firewall(R) 4.8.1
              Ingate SIParator(R) 4.8.1
Release date: November 26, 2009

The new version and User Manuals can be found at:

This is a major release with many new features, bug fixes and security
fixes. We recommend everybody to upgrade.

* General change

*** "Firewall" and "SIParator" product operation are now user-
    selectable through web GUI, CLI and startup tool. [Tracking ID:
    3507]. Switching between Firewall and SIParator is now user 
    configurable on the SIParator Type page in the Web GUI, or 
    through the Start-Up Tool.

* New SIP-related features

*** Embedded SIP Test Agent. Test calls are manually initiated or
    scheduled for periodic tests. A call is considered successful if
    200 OK is received and at least 4 media packets are sent and
    received.  [Tracking ID: 4125]

*** Embedded SIP Test Agent - Echo Server. An echo server listening to
    a configured address answers all incoming calls and echoes back
    the media. Hosts/networks allowed to access the Echo Server are
    configurable. This feature is intended for usage with the embedded
    Test Agent or any other test tool.  [Tracking ID: 4129]

*** Estimated MOS values are calculated for RTP streams. A MOS value
    (0-5) is estimated for each call and sent in the RADIUS STOP
    ticket. The MOS values are estimated based on CODEC (type,
    parameters) and packet loss (distribution taken into

    New RADIUS attributes:
    - IG-Acct-Input-Last-Payload-Type  Number describing CODEC used
    - IG-Acct-Output-Last-Payload-Type
    - IG-Acct-Input-Reordered          No of re-ordered RTP packts
    - IG-Acct-Output-Reordered
    - IG-Acct-Input-Comfort-Noise      Comfort Noise used (yes/no)
    - IG-Acct-Output-Comfort-Noise
    - IG-Acct-Input-Codec-Name         Name of CODEC used (e.g PCMU)
    - IG-Acct-Output-Codec-Name
    - IG-Acct-Input-Jitter-Max         Maximum jitter during the call
    - IG-Acct-Output-Jitter-Max
    [Tracking ID: 4269]

*** Additional attributes in RADIUS accounting messages. The following
    additional SIP headers in the initial SIP INVITE will be reported
    by the Ingate:

    - Remote-Party-Id
    - P-Asserted-Identity
    - Diversion

    The value of the header field will be sent as "raw" unformatted data. 
    (In cases of several similar headers, the first will be reported. 
    [Tracking ID: 4458]

*** Wildcard patterns can be used for domains in DNS override. Only
    patters starting with * are supported. [Tracking ID: 4226]

*** Rewriting FROM-header in the Dial-Plan. Rewrite of the From header
    is enabled by adding a ";from=" parameter to the Forward To Reg
    Expr field in the same way ";b2bua" can be used today.

    The from parameter may contain references to Reg Expr sub-strings
    in "Forward To", except the string may both reference sub strings
    in "From Header", and Request-URI Reg Exprs. Sub strings of the
    From header are referenced as $fx, x >= 0. And Request-URI sub
    strings as $rx, x >= 0.

    The from parameter may also contain the following references "$()":
    - ruri.user
    - to.user
    - from.user
    - ip.

    Where iface is the name of a network interface, i.e. one of eth0,
    eth1 etc.


    1) Replace From domain with IP of interface eth1:

    2) Replace From domain with
    [Tracking ID: 2765]

*** "Refer-To replacement domain" is used in attended transfers
    too. This was a new feature in 4.7.0, which replaces the domain in
    Refer-To headers of REFER requests for unattended transfers. In
    4.8 this behaviour can be used in attended transfers too.

    The Refer-To headers of REFER for attended transfers normally
    contain the remote target of a dialog which don't need this
    setting. But some SIP devices use an AOR in the Refer-To header
    for attended transfers.  [Tracking ID: 4394]

*** Wildcard matching of TLS certificates according to RFC 2818. It is
    now supported to use wildcard matching of subjectAltName and CN in
    TLS certificates. [Tracking ID: 4224]

*** Fake support of "privacy" option tag. "privacy" is added as a
    supported options tag. And as a result the sip module will forward
    requests containing "Proxy-Require: privacy". The headers
    Remote-Party-ID and RPID-Privacy are forwarded by the proxy, but
    otherwise ignored.

    In the case of the B2BUA, both Proxy-Require and Remote-Party-ID
    are removed (but RPID-Privacy is kept) before the requests are
    forwarded.  [Tracking ID: 4460]

*** INFOs with Content-Type application/media_control+xml are ignored
    by the B2BUA and responses with 200 (OK) are sent.  [Tracking ID:

*** 491 (Request Pending) to Re-INVITEs are delayed on one call leg,
    if an outgoing Re-INVITE has been sent on the other leg. Instead
    the Ingate will wait some time before responding to allow a pending
    request on the other leg to complete.  [Tracking ID: 4384]

*** Improved interoperability between RFC 2543 and RFC 3264 peers
    regarding onhold. Ingate complies with RFC 3264 and answers an SDP
    containing "inactive" with an SDP containing "inactive" even if the
    other peer didn't include the "inactive" (RFC 2543).  [Tracking
    ID: 4390]

*** New re-INVITEs are now delayed until an ACK is received from 
     the previous re-INVITE.  [Tracking ID: 4229]

* Other new features

*** An SNMP trap is sent when time-limited licenses expire.
    Tracking ID: 4263

* Fixed Security problems

*** Fixed two remotely exploitable bugs in the ASN.1 parser of
    Openswan. This is CVE-2009-2185 and is fixed in Openswan 2.4.15.
    [Tracking ID: 4356]

*** The Bonk attack (aka ping of death) was not satisfactorily 
    handled according to ICSA.
    [Tracking ID: 4312]

*** Fixed man-in-the-middle vulnerability for SSL and TLS by
    disabling renegotiations. This is CVE-2009-3555.
    [Tracking ID: 4471]

* Fixed SIP-related bugs

*** The B2BUA unexpectedly changed the From URI when NAT:ing as an
    alias address.  [Tracking ID: 4252]

*** The SIP module failed to start if a static route was configured to
    a network behind a router on a VLAN unless the physical ethernet
    interface also was configured with an IP address.  [Tracking ID:

*** Route header was not removed in retransmission of stateless ACK
    (2xx) [Tracking ID: 4402]

* Fixed CLI-related bugs

*** The reboot-command uploaded via the GUI in a CLI file containing
    "reboot --now" works as expected.  [Tracking ID: 4465]

* Other

*** The Mediator mode for the Ingate SIParator(R) has been removed and
    is no longer supported.  [Tracking ID: 4228]
 Support?  |  Helpdesk!  
 Rissneleden 45 SE-174 44 Sundbyberg Sweden  |  |  Contact us  |  Home  
  How Ingate uses cookies