Upgrades

Release notice for Ingate Firewall® 6.3.1 and Ingate SIParator® 6.3.1

The new version can be found here

Release notice for Ingate SIParator(R)/Firewall(R) 6.3.1

Release name: Ingate SIParator(R)/Firewall(R) 6.3.1
Release date: July 23, 2020

The new version and documentation can be found at:
https://account.ingate.com/

This is a major release with new features and enhancements.
We recommend everyone to upgrade.

Note: Only the first time a unit is upgraded from 6.2.x to 6.3.x will EMPTY
the persistent log partition. (Any subsequent down->upgrades will not require
this). Meaning that *all logs* will be lost. This inconvenience is necessary
for improved file system support. If you want to save the on-unit logs prior
to the upgrade, use the "Export the Log" functionality found in the tab
"Logging and Tools -> Display Log". (Exported logs cannot be imported in the
new version).

* SIP **************************************************

*** Added built-in TURN server.

*** Added support for STIR/SHAKEN.
    Standard to combat caller ID spoofing used by robocallers.
    RFC 8588 and RFC 8224 - RFC 8226

*** Added built-in HEP Capture Agent.
    Ability to duplicate SIP and media packets to a HEPv3 capture server
    or endpoint like HOMER or sngrep.

*** Improved performance during un-register.

*** Improved performance during call tear down.

*** Improved performance of the B2BUA.

*** Added support for G729B, OPUS and SILK transcoding.

*** Fixed media transcoding when forking to endpoints with
    different transcoding rules.

*** Added "Request Timeout" and "Cache Lifetime" to Call Control.

*** Allow to redirect using Call Control.

*** Multiple improvements to Call Control.

*** Added Transport to the Media Encryption Policy table.

*** Option to force media encryption even if the clients use the same suites.

*** Multiple fixes related to media encryption transcoding.

*** Multiple fixes related to Multi Profile media encryption transcoding.
 
*** Fix B2BUA session refresh method detection.

*** Respond 491 to re-INVITE during B2BUA transfer.

*** Include SIP-URI parameters in Refer-To when forwarding REFER to trunk (B2BUA).

*** Support route lookup when next hop is a Link-Local IPv6 address.

*** Support parallel forward in dial plan.

*** Added Server Domain Match Exceptions to Signaling Encryption.

*** New interop: Copy headers from REFER to INVITE in the B2BUA.


* Other ********************************************************

*** Add support for deleting an active security token using the HTTP
    REST API.

*** Added support for incoming (D)TLS SNMP requests.

*** Added support for SNMPv3 Informs, with or without (D)TLS.

*** Added new SNMP traps for failover monitoring.

    These are:

    * ::failoverLostContactWithStandby
      - Failover lost contact with standby unit.
    * ::failoverLostContactDedicatedInterface
      - Failover lost contact over dedicated interface.
    * ::failoverEncryptionFailure
      - Failover cannot sync configuration because of passphrase mismatch.
    * ::failoverBrokenInterfaceOnStandby
      - Failover detected broken interface on standby unit.
    * ::failoverStandbyHasLowerVersion
      - Standby unit has lower version than active unit.
    * ::failoverOperatingNormally
      - Failover team is now operating normally.

*** Added an SNMP trap that signals when the unit has (re)booted.

    * ::systemBoot
      - The system has (re)booted.

*** Added a third IP Policy option "Reject IP packets (TCP Reset)" that
    will respond with a RST/ACK packet for blocked TCP requests.

*** Check that prefixes advertised via Router Advertisement belong to a
    directly connected network.

*** Check that the amount of NAT relay listen ports is below the
    specified maximum.

*** Improved functionality in the syslog facility.

    New features/enhancements include:
     * Specify server port.
     * TCP support.
     * TLS support.
     * Send HOSTNAME in remote syslog messages (unitname/serial/custom).

*** Removed setting "Advanced->IP Fragments" (discard_weird_fragments).

*** Added support for running on AWS Nitro hypervisor.
    This enables support for next generation EC2 instances.

*** Improved how file systems are created/used on hardware 95 (IG-095).

*** Improved network performance on IG-410, IG-450 and IG-096.

*** Added support to gather and send Time Series Metrics.

    This feature is configured under the tab

    Logging and Tools -> Time Series Metrics

    When enabled and configured, the unit will send/export metrics regarding
    CPU, general system load, memory usage, network interfaces and SIP. Please
    refer to the reference manual for details.

    The following Time Series Databases (TSDB) are supported:
     * InfluxDB (collectd)
     * Graphite
     * OpenTSDB
     * Prometheus

*** Request DHCPv4 option 'interface-mtu'.

*** Added setting for changing the MTU on physical network interfaces.


* VPN & IPsec *********************************************************

*** Improved user-space IKE daemon.

    - NOTE: upon upgrade from 6.2.x you *must* set a new
      password for each XAUTH user.
    - NOTE: if you use CA (with CRL) for authentication, ensure
      that the CRL contains the 'authority key identifier'.

*** Added interoperability setting to allow overlapping IKEv2 SAs.

*** Distinguish IPsec rules from non-IPsec firewall rules.
 

* GUI *****************************************************************

*** General look and feel improvements.

*** Added 'Clear log' button on 'Display Log' page to empty the log partition.

*** Added 'Interface Statistics' on Interface Status page.