Release notice for Ingate Firewall® 4.6.0 and Ingate SIParator® 4.6.0
Release name:
Ingate Firewall® 4.6.0
Ingate SIParator® 4.6.0
The new version can be found here
New SIP Functionality
* A framework for Intrusion detection/Intrusion prevention, IDS/IPS, for
SIP has been added. It adds support for rate limiting on SIP
requests/responses. Additionally it supports installation of
Ingate-defined rule sets that will be made available at a later point
in time in order to protect against upcoming types of attacks. The
IDS/IPS feature is available as an optional module on Firewall and
SIParator models with a hard disk. [Tracking ID: 3122]
* SIP routing configuration by means of the Dial Plan and the User
Routing tables now supports time classes. Using time classes, SIP
routing may now be made different for e.g. office hours and other
times. [Tracking ID: 1962]
* Call Admission control now supports definition of codec bandwidth
usage. A table is introduced, including the most common codecs and
their bandwidths. The administrator can extend this table with
additional codecs. [Tracking ID: 1715]
* Call Admission Control now allocates bandwidth for emergency calls
from a separate bandwidth pool. [Tracking ID: 2110]
* Partial support for MKI (Master Key Index) added to enable
interoperability with other SRTP implementations, like Microsoft's.
The Ingate can now handle offers with an MKI, as long as they only
contain a single key. The Ingate still never sends an MKI in an
sdescriptions offer. [Tracking ID: 2336]
New QoS Functionality
* The usability of the QoS GUI has been improved. The administrator now
selects between two somewhat different QoS strategies:
- Allocating bandwidth per service type.
- Prioritization per service type.
Note that the Call Admission Control always allocates bandwidth, and
that only service types other than SIP media (voice and video) are
affected by the above strategies. [Tracking IDs: 1618, 2209, 2747]
* Support for ingress traffic shaping has been added. [Tracking ID:
2798]
Other New Functionality
* Firewalls can now be changed into a SIParator and vice versa by means
of installing a module. Please note that such a transformation will
erase most of the configuration of the unit and that downgrading to a
previous version before an additional upgrade has been performed will
roll back the unit to its previous product type and the old
configuration. [Tracking ID: 3278]
* The TCP relay now supports a multiple server setup. Thus a relay can
be configured to forward packets to a primary server. If that server
is down, a secondary server is used. [Tracking ID: 3268]
* The well-known tools ping and traceroute are now available from the
Ingate web GUI. [Tracking ID: 350]
* A debug user account type has been added. The debug user is allowed to
search the log, obtain packet captures, and generate support reports,
but is not allowed to change any configuration. [Tracking ID: 3402]
* By default, the "All interfaces" option is selected for packet
captures. [Tracking ID: 3333]
* Some table and column names in the configuration database are changed,
in order to present a more uniform naming in the CLI. CLI files from
4.5.x versions should not be used in the 4.6 version. As a consequence
users of the Ingate Startup Tool need to download a new version from
the Ingate web site. The possibility of this name change was announced
when 4.5.0 was released. From now on, the Ingate CLI will not be
changed unless required, merely extended. [Tracking ID: 2573]
* Changing SIParator type can now be done via the CLI. [Tracking ID:
3098]
* Information about serial number, product model, and software version
is now available in a downloaded CLI file. [Tracking ID: 3119]
* Rebooting the Ingate unit can now be done via SSH or the serial
console. [Tracking ID: 3120]
* SIP TLS packets addressed through the Ingate Firewall are now logged.
[Tracking ID: 710]
* Detailed information about the internal state of the Ingate unit can
now be downloaded via the admin program. The same information is
available on the builtin.dump page in the web GUI. [Tracking ID: 2556]
* The configuration database may now optionally be included in a Support
Report. [Tracking ID: 3004]
* Information available on the About page in the web GUI is now also
available via the admin program, accessible via SSH or the serial
console. [Tracking ID: 2019]
* It is now possible, but not recommended, to apply the configuration
without the need for a confirmation step. This action can be found on
the builtin.instant_apply page in the web GUI. [Tracking ID: 3279]
* The DHCP client status now includes information about which interface
acquired a DHCP IP address. [Tracking ID: 3029]
* A single license file can now be used for multiple, named, units.
[Tracking ID: 3280]
Performance Enhancements
* The performance for data traffic has been improved. This will mainly
be a benefit for configurations with many firewall rules and/or many
directly connected or routed networks. [Tracking ID: 588]
* The time necessary to detect the need to fail over to a standby unit
has been decreased from about 30 to about 5 seconds. [Tracking ID:
2840]
* The performance of the web server, and thus the performance of web
GUI, has been improved. [Tracking ID: 3301]
* The performance of setting up IPSec tunnels has been improved compared
to 4.5.2. [Tracking ID: 3312]
* The web server now supports transparent compression of pages, using
gzip encoding. This is supported by all common web browsers and can
significantly improve GUI performance over low bandwidth links like
mobile networks.
Fixed Security Problems
* A bug causing certain ICMP packets to be incorrectly accepted has been
fixed. [Tracking ID: 3299]
* Truncated ICMP/UDP/TCP packets are now logged. [Tracking ID: 3379]
* Attempts to log on as non-existent users via the serial console are
now logged. [Tracking ID: 3380]
* Passwords of administrators with fewer privileges are no longer stored
in clear text. [Tracking ID: 2942]
* Restarting the SIP module may have caused media pinholes to be left
open. This has now been fixed. [Tracking ID: 702]
* SSLv2 is no longer accepted for HTTPS connections to the web GUI of
the Ingate unit. [Tracking ID: 1772]
Fixed SRTP-related Problems
* A potential buffer overflow in libsrtp has been fixed. [Tracking ID:
3209]
* A kernel crash when the RTCP index is much larger than expected has
been fixed. [Tracking ID: 3273]
* Improved parsing of a=crypto lines. All errors are now properly
reported in the log. MKI and key lifetimes are no longer ignored. For
increased interoperability, trailing whitespace is now ignored (but a
message is written to the log). [Tracking IDs: 3214, 3215, 3236, 3388]
* Improved interoperability if the policy allows RTP as well as SRTP: if
we offer SRTP and receive an answer that uses RTP, we now accept that
answer and set up the call using unencrypted RTP. Similarly, if the
answer is labeled "RTP/AVP" instead of "RTP/SAVP" in the SDP but
contains "a=crypto" lines, we use those lines and set up the call
using SRTP. [Tracking ID: 2610]
* Major improvements to SRTP handling of SIP re-INVITEs, spirals and the
internal B2BUA. Most scenarios where the same SDP reached the SIP
module twice (for example after spiraling to an external SIP proxy, or
to an internal B2BUA) would previously fail. [Tracking IDs: 3200,
3144, 3249, 3250, 3258, 3263, 3285]
* The SRTCP authentication tag was miscalculated. This has now been
fixed. [Tracking ID: 3275]
* Fixed session parameter handling. The SIP module does not currently
support any session parameters. It now does the expected thing when
optional and mandatory session parameters are present in an a=crypto
line. Optional session parameters can be ignored, but mandatory
session parameters make it impossible for the SIP module to transcode
the media. (If the configuration allows, they can still be present in
passthrough media streams.) [Tracking IDs: 3290, 3291, 3292]
* Unknown a=crypto suites were not handled properly by the Ingate. This
has now been fixed. [Tracking ID: 3383]
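The a=crypto handling described above (offers with an MKI accepted only when they carry a single key, key lifetimes no longer ignored, trailing whitespace tolerated but logged, unknown suites and malformed lines rejected with a reason) as an added example in Python; this is not Ingate's code and assumes the RFC 4568 sdescriptions syntax, with session parameters returned as raw tokens for the caller to classify.

```python
from __future__ import annotations
import base64
import re
from dataclasses import dataclass, field
# Crypto-suites from RFC 4568; any other suite is rejected with a logged reason.
KNOWN_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80"}
# key-params: inline:<base64 key||salt>[|<lifetime>][|<MKI>:<length>]
_KEY_RE = re.compile(r"^inline:([A-Za-z0-9+/=]+)(?:\|(\d+(?:\^\d+)?))?(?:\|(\d+):(\d+))?$")
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()  # constructed 30-byte key||salt, not real

@dataclass
class CryptoLine:
    tag: int
    suite: str
    key_salt: bytes
    lifetime: str | None       # e.g. "2^20", kept verbatim rather than ignored
    mki: int | None
    mki_len: int | None
    session_params: list[str]  # raw tokens; caller decides whether transcoding is possible
    warnings: list[str] = field(default_factory=list)

def parse_crypto(line: str) -> CryptoLine:
    """Parse one a=crypto line; raise ValueError with a log-ready reason on any defect."""
    warnings = ["trailing whitespace ignored"] if line != line.rstrip() else []  # tolerated, but logged
    line = line.rstrip()
    fields = line.removeprefix("a=crypto:").split(" ")
    if not line.startswith("a=crypto:") or len(fields) < 3 or "" in fields or not fields[0].isdigit():
        raise ValueError("expected 'a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]'")
    tag, suite, key_params, session = int(fields[0]), fields[1], fields[2], fields[3:]
    if suite not in KNOWN_SUITES:
        raise ValueError(f"unknown crypto-suite {suite!r}")
    keys = key_params.split(";")
    if len(keys) > 1:  # offers with an MKI are accepted only when they carry a single key
        raise ValueError("multiple keys in key-params are not supported")
    m = _KEY_RE.match(keys[0])
    if m is None:
        raise ValueError(f"malformed key-params {keys[0]!r}")
    key_salt = base64.b64decode(m.group(1), validate=True)  # binascii.Error is a ValueError
    if len(key_salt) != 30:
        raise ValueError(f"key||salt must be 30 bytes, got {len(key_salt)}")
    mki, mki_len = (int(m.group(3)), int(m.group(4))) if m.group(3) else (None, None)
    return CryptoLine(tag, suite, key_salt, m.group(2), mki, mki_len, session, warnings)

def reject_reason(line: str) -> str | None:
    try:
        parse_crypto(line)
    except ValueError as exc:
        return str(exc)  # this is the text a log entry would carry
    return None
```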
Fixed SIP-related Problems
* A bug causing the Ingate to add a Session-Expires header even though
one already existed (in compact form) has been fixed. [Tracking ID:
3404]
* Messages sent over TCP/TLS now always contain the required
Content-Length header. [Tracking ID: 2787]
* The Ingate unit no longer switches to TCP for large SIP messages when
sending to a UA through a remote NAT. [Tracking ID: 2948]
* Some configuration parameters for Remote NAT Traversal have changed to
improve interoperability with UAs and NATs. [Tracking ID: 3097]
* Remote NAT Traversal now uses OPTIONS by default for NAT keep-alive.
[Tracking ID: 3197]
* A default gateway is no longer required to enable SIP support.
[Tracking ID: 3124]
* Port values in received Via headers were in some situations changed.
This is no longer done since it confuses some UAs. [Tracking ID: 3217]
* The Ingate unit no longer sends Authorization headers with missing
usernames. [Tracking ID: 3148]
* The "auth-int" digest authentication proposal is now removed if the SIP
message body needs modifications. [Tracking ID: 3284]
* We now preserve the Display Name in the From header when acting as a
B2BUA. [Tracking ID: 3255]
* We no longer produce messages with multiple Timestamp headers when
acting as a B2BUA. [Tracking ID: 3269]
* Routing of stateless responses has been improved. [Tracking ID: 2955]
* When Remote NAT Traversal was used, users' registrations could
conflict and messages could be routed to the wrong user. This has been
fixed. [Tracking ID: 3304]
* An issue where the Content-Length header was incorrectly removed from
REGISTER responses has been resolved. [Tracking ID: 3308]
* An issue where REFER requests weren't handled in some situations has
been fixed. [Tracking ID: 3319]
* An issue where sendonly streams were unintentionally blocked has been
fixed. [Tracking ID: 3321]
* Specifying "*local" in the Local SIP User Database table has never
been supported by the SIP module and is now forbidden. [Tracking ID:
3226]
Fixed VPN-related Problems
* Port numbers are now (again) displayed on the IPsec status page.
[Tracking ID: 2869]
* An issue causing PPTP to fail to set up proxy ARP for interfaces with
multiple networks has been fixed. This could previously prevent
communication between PPTP clients on the same subnet. [Tracking ID:
3277]
* An issue where IPsec phase two proposals without PFS could cause the
IPsec module to crash has been fixed. Note that for security reasons
PFS is still required to establish a tunnel. [Tracking ID: 3296]
* PPTP usernames must now be unique. [Tracking ID: 3334]
* Sometimes a PPTP connection could fail such that it was still active
but no packets were allowed through. This has now been fixed.
[Tracking ID: 3282]
* A VLAN issue where ESP packets (IPsec) were sent untagged instead of
being tagged as intended has been fixed. [Tracking ID: 3331]
Fixed Failover-related Problems
* A race condition that could occur when updating VPN blacklistings has
been removed. [Tracking ID: 577]
* Broken interfaces on the standby unit now cause the active unit to
raise an alert. [Tracking ID: 629]
* Logging of failover events is extended and is now more informative.
[Tracking ID: 725]
* A bug causing spurious failover to occur when an enabled interface was
left unconnected has been fixed. [Tracking ID: 2462]
* A bug causing a failover to the second unit when a failover team was
created has been fixed. [Tracking ID: 2844]
Other Fixed Problems
* A bug causing the load log to crash has been fixed. [Tracking ID:
3406]
* Certificate chains in PKCS#12 format are now properly supported.
[Tracking ID: 3377]
* The configuration web server should now always restart when needed due
to configuration changes, even if the CLI is used. [Tracking IDs:
3143, 3401]
* When downloading a certificate request in PEM format, the file
extension .req is now used, to match what is expected by the Ingate
OpenSSL package. [Tracking ID: 2720]
* A bug causing a backtrace in the log when the web browser closes the
connection has been fixed. [Tracking ID: 2749]
* An issue causing builtin.dump to show incorrect packet counters for
internal rules has been fixed. [Tracking ID: 2960]
* A kernel bug causing the MPPE buffer to be miscalculated has been
fixed. [Tracking ID: 3282]
* A bug causing restartd to sometimes fail to restart the web server
has been fixed. [Tracking ID: 3143]
* Some syntax errors in the SNMP MIB have been fixed. [Tracking ID:
3375]
Removed Functionality
* The http rewriting relay has been removed. [Tracking ID: 3000]
* Support for transcoding Windows Messenger encryption has been removed.
[Tracking ID: 3251]
Known Problems
Known SIP-related Problems
These problems are only relevant if the SIP module is enabled.
* Transfer initiated by an internal IP-PBX client between two SIP
Trunking (PSTN) clients fails in some scenarios. The Ingate
firewall/SIParator does not offer the correct set of codecs in the
offer in a REFER-initiated INVITE. The problem may be worked around by
selecting/configuring a codec common to all elements. This problem
only appears if Local REFER handling is active. Ingate will shortly
provide a patch that solves this issue. Contact Ingate support to
obtain the patch. [Tracking ID: 2993]
Known VPN-related Problems
These problems are only relevant if IPsec is used.
* Packets with a destination address that belongs to either end of a
tunnel will appear to be encrypted in the log, even when they should
not be encrypted. This is a problem with the log only. [Tracking ID:
46]
* The local endpoint must be chosen so that it is the address closest to
the next-hop router for that peer. This means that mobile clients must
always connect via the same interface (typically the interface
connected to the Internet). [Tracking ID: 508]
Known Failover-related Problems
This problem is only relevant if failover is used.
* Upgrading a failover team is a complex operation. To upgrade it, you
must break the team and upgrade each machine in turn. This will
require a number of reboots and network outages. See the separate
failover upgrade document which is available on the upgrade web.
[Tracking ID: 499]
Other Known Problems
* Using multiple default gateways does not work with PPPoE interfaces.
[Tracking ID: 2980]
* Autonegotiation of NIC duplex and speed does not work with Alcatel
Speedtouch modems on some Ingate models that support configuration of
NIC duplex and speed. Setting the duplex and speed manually to half/10
solves the problem. Affected models: Ingate Firewall 1450 and 1880;
Ingate SIParator 45 and 88. [Tracking ID: 3006]