Clavister InControl 1.22.00 and 10.22.01

2015-03-30

Clavister has released a new major version of cOS Core (10.22.00) and the first minor version for it (10.22.01).

New in these versions:

  • login to the WebUI and CLI (SSH) can be tied to a RADIUS server for user authentication (10.22.00)
  • ring size settings for e1000 and ixgbe have been separated into different settings (10.22.00)
  • Wolf-series firewalls support packets of up to 1500 bytes in double-tagged VLANs, IEEE 802.1ad (QinQ) (10.22.01)

Contact Certezza Support with any questions,
E-mail: support@certezza.net
Phone: 08-791 92 00

Bug fixes in cOS Core 10.22.01

| ID | Description |
|---|---|
| COP-8880 | The options “ValidateLogBad”, “ValidateReopen”, “ValidReopenLog”, “ReopenValidate” and “ReopenValidLog” for the setting TCPSequenceNumbers did not work and the system behaved as if configured with “ValidateLogBad”. |
| COP-8881 | The Security Gateway would sometimes log packets as “invalid TCP Sequence number” even though it was allowed by the setting “Allow TCP Reopen”. |
| COP-10405 | In rare occasions when using the PPTP ALG an incorrect ALG associated connection could be closed, resulting in unexpected behavior. |
| COP-11205 | An Ethernet interface with a manually assigned MAC address would revert to its original MAC address after issuing the console command “ifstat -restart”. |
| COP-11338 | The Security Gateway might show unexpected behavior when restarting after changes in configuration if an SSL VPN interface using a specific Routing Table was already configured. |
| COP-12153 | Under certain circumstances the Security Gateway could display an error message to contact Clavister support after a successful use of the “License Activation” feature. |
| COP-13365 | The H.323 Gatekeeper suffered from a compatibility issue, causing Gatekeeper-governed calls to fail when initiated from H.323 endpoints of a specific brand. |
| COP-13573 | The cOS Core web authentication feature could fail in some rare situations when the system was under heavy stress. |
| COP-13803 | The Security Gateway’s SNMP statistics could report active IPsec tunnels as “down” under certain circumstances. |
| COP-13810 | It was not possible to use Loopback interfaces or Interface Groups as the OuterInterface when configuring an SSL VPN interface. |
| COP-13820 | The H.323 ALG sometimes caused unexpected reboots. |
| COP-13900 | It was not possible to use the CLI command “ippool -renew” to renew leases. |
| COP-14190 | An error message is now displayed when trying to save a certificate with the same name as an existing object. |
| COP-14326 | A large number of applications that were previously unsupported have been added to the Application Control feature. |
| COP-14343 | Dead Peer Detection for IPsec interfaces didn’t work against some remote clients. |
| COP-14376 | The license page did not always show the correct model information. |
| COP-14384 | The Security Gateway could in rare occasions reboot unexpectedly if Anti-Virus scanning was configured. |
| COP-14387 | The message shown when trying to log in with a user with insufficient privileges was not descriptive enough. |
| COP-14395 | The Advanced TCP Setting for CC (Connection Count) option was incorrectly named “TCP Option Connection Timeout” in the WebUI. |
| COP-14418 | The Security Gateway could generate TCP packets with incorrect checksum on connections using address translation and some content inspection feature, such as Application Control or Anti-Virus. In rare cases this could lead to stalled TCP connections. |
| COP-14425 | Descriptions for possible values when configuring Real Time Monitor Alerts have been updated to be more descriptive. |
| COP-14436 | The configuration warning message “Shared IP address cannot be equal to iface IP address” was missing the name of the offending interface. |
| COP-14447 | Non-pertinent information was displayed in the console command “appcontrol -show_lists”. |
| COP-14449 | Using some layer 7 features, such as Application Control or Anti-Virus, would prevent ICMP errors from being forwarded even when the service was configured to allow ICMP errors. |
| COP-14455 | When using the “IPsecBeforeRules” or “L2TPBeforeRules” settings, i.e. bypassing rules, this registered as a default-rule in syslogs for IPsec and L2TP. Now the correct specific rule is logged, for both categories respectively. |
| COP-14461 | Comments were not visible on folders in the WebUI address book. |
| COP-14474 | DHCP Relay did not forward DHCPACK messages if they were received on port 68. |
| COP-14480 | Some scenarios with static route insertion/removal through OSPF did not work in a High Availability setup. |
| COP-14493 | Values for advanced IPsec settings “DPDExpireTime” and “DPDKeepTime” were missing from the WebUI and could only be changed using the CLI. |
| COP-14496 | Some HTTP operations could under certain situations result in second-long lockups. |
| COP-14504 | NAT-T Vendor ID was sent even when the NAT-T setting on the IPsec tunnel was set to OFF. |
| COP-14526 | The Security Gateway could in rare occasions reboot unexpectedly when checking IPsec connections during a reconfiguration. |
| COP-14528 | DHCP Server configured with “Relayer Filter” erroneously dropped the unicast DHCP request/renewal messages from DHCP clients. |
| COP-14534 | The Security Gateway failed to match an HTTP Monitoring response when it was used in SLB and the “expected response” value given by the user contained special characters like spaces, tabs, line feeds, carriage returns. |
| COP-14536 | TCP segments with RST flag did not have 0x00000000 as acknowledge number. |
| COP-14585 | Interoperability issues regarding NAT-T sometimes caused IPsec traffic to be incorrectly dropped. |
| COP-14594 | After receiving a large LSA, the OSPF module reported a memory error despite having enough available memory to use. |
| COP-14606 | Some log messages did not correctly display the access_level for some users. |
| COP-14660 | Unsupported ISAKMP and IPsec Security Association Attributes received during IPsec tunnel setup resulted in a failed setup even if configured attributes also were sent. |
| COP-14663 | Some rare URLs were incorrectly forbidden by the Web Content Filtering (WCF) functionality. |
| COP-14664 | The H323 ALG could in rare occasions cause a system reboot. |
| COP-14679 | ICMPv6 error message “Packet too big” was not passed through cOS Core, causing traffic to be blocked in certain scenarios. |
| COP-14682 | RemoveScripts was enabled on the http-outbound HTTP ALG in default configurations. Since almost all web pages use JavaScript today, removing scripts will greatly harm the web experience. New default configurations will now have the value set to disabled. |
| COP-14687 | In rare occasions, the Security Gateway’s ‘sysmsgs’ console command could report “FAT chain inconsistence” for its internal media, for instance when using Anti-Virus. |
| COP-14690 | Modern browsers were not correctly identified in the Web User Interface, causing a message to be displayed that an unsupported browser version was being used. |
| COP-14694 | The wrong IPsec Authentication Algorithm (SHA) was sometimes added to an IPsec tunnel configuration if it was set in the same tunnel’s IKE Algorithms, i.e. if for instance SHA1 was configured in the IKE Algorithm it would also be automatically added to the IPsec Algorithm. |
| COP-14697 | In certain scenarios, the number of “Active flows” reported by the ’ipsecglobalstats’ CLI command always reached the maximum value even for connections with short lifetime. |
| COP-14706 | Application Control Rules would, with certain selected applications, take longer time than necessary to parse during reconfiguration. |
| COP-14709 | A configuration error occurred when the remote endpoint of an IPsec tunnel was set to an IP4Group that only consisted of one member. |
| COP-14719 | The Security Gateway sent IPsec “initial contact” notification when rekeying an IPsec SA without an existing IKE SA. This could cause the responder to first delete the IPsec SA before the rekey request was processed and lead to interruptions in traffic going through the tunnel since a whole new IKE and IPsec SA could be established as a result instead of a rekey. |
| COP-14743 | The span for the Update Center’s Hourly setting was not correct and has been changed from 11 to 12 hours. |
| COP-14744 | When using the “Hourly” interval for Update Center the updates ran every hour despite the setting’s value. |
| COP-14753 | The blacklist -show command displayed all blacklisted and whitelisted hosts. It has been updated to display a default of 20 blacklisted and whitelisted hosts, or the specified number of hosts using the -num argument. |
| COP-14755 | The NAT-pool IP range setting used to accept very wide ranges (> 65535) of IPv4 addresses if such an address started at 0.0.0.0. |
| COP-14766 | Spaces in passwords were incorrectly interpreted as ‘+’-signs when using Web Authentication. |
| COP-14768 | An incorrect date was displayed in the Update Center section of the management WebUI when an Anti-Virus or IDP database was deleted manually. |
| COP-14769 | The pcapdump -show command displayed all the captured packets. Now the pcapdump -show command displays a default of 20 packets, or the specified number of packets using the -num argument. |
| COP-14773 | Using certain addresses as IPv6AddressPool in the DHCPv6 Server caused the system to not give out any IP addresses. |
| COP-14786 | The system sometimes experienced high memory consumption and sometimes rebooted due to low available memory when using IDP. |
| COP-14803 | The Anti-Virus log message ID 115 and Application Control log message ID 4 had swapped the event and the action. The log revisions have been updated for both messages. |
| COP-14805 | There was no log or notification shown when IDP scanning was disabled because of the license expiration. |
| COP-14813 | Received ICMPv6/Neighbor Advertisements containing multiple options were incorrectly interpreted by the Security Gateway. |
| COP-14818 | The console help text for the option “show” of the CLI command “license” was confusing and has been rewritten. |
| COP-14847 | Full system backup files did not include files related to SSL VPN and Application Control. |
| COP-14866 | In rare occasions, the SMTP and POP3 ALG configured with Anti-Virus did not detect malicious email attachments. |
| COP-14920 | In rare High Availability scenarios a restart of the nodes would be necessary in order to finish a configuration synchronization. |
| COP-14935 | Configured IDP pipes were not always displayed in the CLI. |
| COP-14938 | Blacklist logs sometimes showed incorrect protocol or port. |
| COP-14953 | Memory usage for SIP was displayed incorrectly. |
| COP-14959 | A DHCP server lease was not removed from the inactive HA node when the CLI command “dhcpserver -releaseip” was issued on the active node. |
| COP-14972 | The system could unexpectedly restart if a service’s ALG type changed from e.g. FTP to HTTP while having active connections. |
| COP-15097 | The “DPDK-82574L Gigabit Ethernet Adapter” driver accepted packets that were larger than 1522 bytes even though they should be dropped. |
| COP-15173 | The SSL VPN Portal was not accessible in HA scenarios when the server IP was the same as the interface IP. |
| COP-15207 | It was not possible to log in to the SSL VPN Portal if the server was using a different IP or port than the administration web user interface. This only affects cOS Core version 10.22.00. |
| COP-10890 | OSPF “point-to-multipoint” interfaces didn’t allow for more than one neighbor to be configured. |
| COP-10902 | OSPF “point-to-multipoint” interfaces discovered neighbors using multicast instead of unicast. |
| COP-10913 | OSPF “point-to-multipoint” interfaces created an invalid “dummy” route for the interface IP. |
| COP-14321 | The E-flag in OSPF could in certain scenarios be set incorrectly which resulted in connectivity problems. |
| COP-14399 | Web Content Filtering did not work for HTTPS when the traffic was directed to a proxy. |
| COP-14779 | IPsec tunnel setup could fail with certain configurations despite matching IPsec proposals. |
| COP-14825 | L2TP/IPsec traffic to multiple clients behind the same NAT device could in rare scenarios be mixed up. |
| COP-14864 | Connecting a second L2TP Client located behind a NAT gateway could in rare occasions disconnect the first client. |