Clavister InControl 1.22.00 och 10.22.01


Clavister har släppt en ny major-version av cOS Core (10.22.00) och den första minor-versionen till den (10.22.01).

Nytt i dessa versioner är att

  • inloggning till WebUI och CLI (SSh) kan kopplas till en RADIUS-server för autentisering av användaren (10.22.00)
  • ringsize-inställningar för e1000 och ixgbe har separerats till olika inställningar (10.22.00)
  • Wolf-seriens brandväggar stödjer upp till 1500-bytes paket i dubbeltaggande VLAN, IEEE 802.1ad (QinQ) (10.22.01)

Kontakta Certezza Support vid frågor,
Telefon: 08-791 92 00

Buggfixar i cOS Core 10.22.01

COP-8880The options “ValidateLogBad”, “ValidateReopen”, “ValidReopenLog”, “ReopenValidate” and “ReopenValidLog” for the setting TCPSequenceNumbers did not work and the system behaved as if configured with “ValidateLogBad”.
COP-8881The Security Gateway would sometimes log packets as “invalid TCP Sequence number” even though it was allowed by the setting “Allow TCP Reopen”.
COP-10405In rare occasions when using the PPTP ALG an incorrect ALG associated connection could be closed, resulting in unexpected behavior.
COP-11205An Ethernet interface with a manually assigned MAC address would revert to its original MAC address after issuing the console command “ifstat -restart”.
COP-11338The Security Gateway might show unexpected behavior when restarting after changes in configuration if an SSL VPN interface using a specific Routing Table was already configured.
COP-12153Under certain circumstances the Security Gateway could display an error message to contact Clavister support after a successful use of the “License Activation” feature.
COP-13365The H.323 Gatekeeper suffered from a compatibility issue, causing Gatekeeper-governed calls to fail when initiated from H.323 endpoints of a specific brand.
COP-13573The cOS Core web authentication feature could fail in some rare situations when the system was under heavy stress.
COP-13803The Security Gateway’s SNMP statistics could report active IPsec tunnels as “down” under certain circumstances.
COP-13810It was not possible to use Loopback interfaces or Interface Groups as the OuterInterface when configuring an SSL VPN interface.
COP-13820The H.323 ALG sometimes caused unexpected reboots.
COP-13900It was not possible to use the CLI command “ippool -renew” to renew leases.
COP-14190An error message is now displayed when trying to save a certificate with the same name as an existing object.
COP-14326A large number of applications that were previously unsupported have been added to Application Control feature.
COP-14343Dead Peer Detection for IPsec interfaces didn’t work against some remote clients.
COP-14376The license page did not always show the correct model information.
COP-14384The Security Gateway could in rare occasions reboot unexpectedly if Anti-Virus scanning was configured.
COP-14387The message shown when trying to log in with a user with insufficient privileges was not descriptive enough.
COP-14395The Advanced TCP Setting for CC (Connection Count) option was incorrectly named “TCP Option Connection Timeout” in the WebUI.
COP-14418The Security Gateway could generate TCP packets with incorrect checksum on connections using address translation and some content inspection feature, such as, Application Control or Anti-Virus. In rare cases this could lead to stalled TCP connections.
COP-14425Descriptions for possible values when configuring Real Time Monitor Alerts has been updated to be more descriptive.
COP-14436The configuration warning message “Shared IP address cannot be equal to iface IP address” was missing the name of the offending interface.
COP-14447Non pertinent information was displayed in the console command “appcontrol -show_lists”.
COP-14449Using some layer 7 features, such as, Application Control or Anti Virus, would prevent ICMP errors from being forwarded even when the service was configured to allow ICMP errors.
COP-14455When using the “IPsecBeforeRules” or “L2TPBeforeRules” settings, i.e. bypassing rules, this registered as a default-rule in syslogs for IPsec and L2TP. Now it the correct specificrule is logged, for both categories respectively.
COP-14461Comments were not visible on folders in the WebUI address book.
COP-14474DHCP Relay did not forward DHCPACK messages if they were received on port68.
COP-14480Some scenarios with static route insertion/removal through OSPF did not workin a High Availability setup.
COP-14493Values for advanced IPsec settings “DPDExpireTime” and “DPDKeepTime” weremissing from the WebUI and could only be changed using the CLI.
COP-14496Some HTTP operations could under certain situations result in second longlockups.
COP-14504NAT-T Vendor ID was sent even when NAT-T setting on IPsec tunnel was set toOFF.
COP-14526The Security Gateway could in rare occasions reboot unexpectedly whenchecking IPsec connections during a reconfiguration.
COP-14528DHCP Server configured with “Relayer Filter” erroneously dropped the unicastDHCP request/renewal messages from DHCP clients.
COP-14534The Security Gateway failed to match an HTTP Monitoring response when it wasused in SLB and the “expected response” value given by the user contained special characterslike spaces, tabs,line feeds, carriage returns.
COP-14536TCP segments with RST flag did not have 0x00000000 as acknowledge number.
COP-14585Interoperability issues regarding NAT-T sometimes caused IPsec traffic to beincorrectly dropped.
COP-14594After receiving large LSA, the OSPF module reported memory error despitehaving enough available memory to use.
COP-14606Some log messages did not correctly display the access_level for some users.
COP-14660Unsupported ISAKMP and IPsec Security Association Attributes received duringIPsec tunnel setup resulted in a failed setup even if configured attributes also were sent.
COP-14663Some rare URLs were incorrectly forbidden by the Web Content Filtering (WCF)functionality.
COP-14664The H323 ALG could in rare occasions cause a system reboot.
COP-14679ICMPv6 error message “Packet too big” was not passed through cOS Corecausing traffic to be blocked in certain scenarios.
COP-14682RemoveScripts was enabled on the http-outbound HTTP ALG in defaultconfigurations. Since almost all web pages use JavaScipts today, removing scripts will greatlyharm the web experience. New default configurations will now have the value set todisabled.
COP-14687In rare occasions, the Security Gateway’s ‘sysmsgs’ console command couldreport “FAT chain inconsistence” for its internal media, for instance when using Anti-Virus.
COP-14690Modern browsers were not correctly identified in the Web User Interfacecausing a message to be displayed that an unsupported browser version was being used.
COP-14694The wrong IPsec Authentication Algorithm (SHA) was sometimes added to anIPsec tunnel configuration if it was set in the same tunnel’s IKE Algorithms, i.e if for instanceSHA1 was configured in the IKE Algorithm it would also be automatically added to the IPsecAlgorithm.
COP-14697In certain scenarios, the number of “Active flows” reported by the’ipsecglobalstats’ CLI command always reached the maximum value even for connectionswith short lifetime.
COP-14706Application Control Rules would, with certain selected applications, take longertime than necessary to parse during reconfiguration.
COP-14709A configuration error occurred when the remote endpoint of an IPsec tunnelwas set to an IP4Group that only consisted of one member.
COP-14719The Security Gateway sent IPsec “initial contact” notification when rekeying anIPsec SA without an existing IKE SA. This could case the responder to first delete the IPsec SAbefore the rekey request was processed and lead to interruptions in traffic going through thetunnel since whole new IKE and IPsec SA could be established as a result instead of a rekey.
COP-14743The span for the Update Center’s Hourly setting was not correct and has beenchanged from 11 to 12 hours.
COP-14744When using the “Hourly” interval for Update Center the updates ran every hourdespite the setting’s value.
COP-14753The blacklist -show command displayed all blacklisted and whitelisted hosts. Ithas been updated to display a default of 20 blacklisted and whitelisted hosts, or the specifiednumber of hosts using the -num argument.
COP-14755The NAT-pool IP range setting used to accept very wide ranges (> 65535) of IPv4addresses if such an address started at
COP-14766Spaces in passwords were incorrectly interpreted as ‘+’-signs when using WebAuthentication.
COP-14768An incorrect date was displayed in the Update Center section of themanagement WebUI when an Anti-Virus or IDP database was deleted manually.
COP-14769The pcapdump -show command displayed all the captured packets. Now thepcapdump -show command displays a default of 20 packets, or the specified number ofpackets using the -num argument.
COP-14773Using certain addresses as IPv6AddressPool in the DHCPv6 Server caused thesystem to not give out any IP addresses.
COP-14786The system sometimes experienced high memory consumption and sometimesrebooted due to low available memory when using IDP.
COP-14803The Anti-Virus log message ID 115 and Application Control log message ID 4had swapped the event and the action. The log revisions have been updated for bothmessages.
COP-14805There was no log or notification shown when IDP scanning was disabledbecause of the license expiration.
COP-14813Received ICMPv6/Neighbor Advertisements containing multiple options wereincorrectly interpreted by the Security Gateway.
COP-14818The console help text for the option “show” of the CLI command “license” wasconfusing and has been rewritten.
COP-14847Full system backup files did not include files related to SSL VPN and ApplicationControl.
COP-14866In rare occasions, the SMTP and POP3 ALG configured with Anti-Virus did notdetect malicious email attachments.
COP-14920In rare High Availability scenarios a restart of the nodes would be necessary inorder to finish a configuration synchronization.
COP-14935Configured IDP pipes were not always displayed in the CLI.
COP-14938Blacklist logs sometimes showed incorrect protocol or port.
COP-14953Memory usage for SIP was displayed incorrectly.
COP-14959A DHCP server lease was not removed from the inactive HA node when the CLIcommand “dhcpserver -releaseip” was issued on the active node.
COP-14972The system could unexpectedly restart if a service’s ALG type changed from e.g.FTP to HTTP while having active connections.
COP-15097The “DPDK-82574L Gigabit Ethernet Adapter” driver accepted packets that werelarger than 1522 bytes even though they should be dropped.
COP-15173The SSL VPN Portal was not accessible in HA scenarios when the server IP wasthe same as the interface IP.
COP-15207It was not possible to log in to the SSL VPN Portal if the server was using adifferent IP or port than the administration web user interface.This only affects cOS Core version 10.22.00.
COP-10890OSPF “point-to-multipoint” interfaces didn’t allow for more than one neighborto be configured.
COP-10902OSPF “point-to-multipoint” interfaces discovered neighbors using multicastinstead of unicast.
COP-10913OSPF “point-to-multipoint” interfaces created an invalid “dummy” route for theinterface IP.
COP-14321The E-flag in OSPF could in certain scenarios be set incorrectly which resulted inconnectivity problems.
COP-14399Web Content Filtering did not work for HTTPS when the traffic was directed to aproxy.8
COP-14779IPsec tunnel setup could fail with certain configurations despite matching IPsecproposals.
COP-14825L2TP/IPsec traffic to multiple clients behind the same NAT device could in rarescenarios be mixed up.
COP-14864Connecting a second L2TP Client located behind a NAT gateway could in rareoccasions disconnect the first client.