****************************************************************************
Software Release:  Secomea ONS 12.6 - public release
Product:           TrustGate Main Code
Firmware Release:  12.6 build 10486
Release Date:      2010-12-06
****************************************************************************

****************************************************************************
*                     This is TrustGate Release 12.6                       *
****************************************************************************

TrustGate models and firmware codes covered:
------------------------------------------------
TrustGate 5 Model 20,21,22 (AUX)    - V17
TrustGate 5 Model 31 (AUX)          - V27
TrustGate 5 Model 33 (dual WAN)     - V22
TrustGate 60                        - V1060
TrustGate 61                        - V1061
TrustGate 160                       - V50
TrustGate 260                       - V51
TrustGate 363R                      - V21
TrustGate 363R Lite                 - V21
TrustGate 460R                      - V1460
TrustGate SoftClient 6043           - V43

This release note describes changes since Release 12.5 build 10271.

Note that some of the changes described below may be relevant only for a
subset of the products listed above; for example, a change may affect only
products with multiple WAN interfaces and is therefore irrelevant for
products with just one WAN interface.

Note: The TrustGate SoftClient release corresponding to this TrustGate
Firmware release 12.6 build 10486 is identified as version number
12.5.0.10486 in installer file names and the tray icon.

****************************************************************************

****************************************************************************
Support portal for download of firmware and documentation: www.secomea.com
****************************************************************************

****************************************************************************
Contents of the remainder of this release note:
-----------------------------------------------
1. New functionality
2. Bug fixes
3. Other improvements
4. Known issues or limitations
5. Firmware upgrade information
6. Previous public releases
----------------------------------------------------------------------------

Note: Codes such as (#1118) are reference codes used by Secomea's developers
and supporters.

****************************************************************************
1. New functionality
****************************************************************************

- It is now possible to configure a specific MAC address for WAN interfaces.
  This may be useful when replacing a router whose DHCP client lease must
  expire before the ISP will assign the same lease to another MAC address.
  (#4129)

- DHCP relaying is now supported for VLANs. (#4144)

- Automatic whitelist filtering is now supported on all DMZ interfaces.

- UMTS support has been added for TrustGate 460R. (#4292)

****************************************************************************
2. Bug fixes
****************************************************************************

- A Denial of Service (DoS) vulnerability in the Web Proxy has been fixed.
  (#4235)

- If a firmware upgrade was attempted from multiple sources (e.g. from
  GateManager and the web GUI) simultaneously, the appliance could end up in
  an unbootable state, especially if the firmware images were different.
  Now only one firmware upgrade at a time is allowed. (#4116)

- After configuration import, the Reboot button did not always work. (#4109)

- Various DHCP relaying shortcomings have been removed:
  * Relaying through EasyTunnel was rejected.
  * Relaying through a WAN interface in DHCP client mode was rejected.
  * Multiple relays (e.g. on LAN and DMZ) to different DHCP servers were
    rejected if the routes to the servers were via the same interface.
  * Relaying through a tunnel did not work for clients on the DMZ network.
  (#4107, #4110, #4123)

- Whitelist filter logging did not work as configured if the log option was
  configured differently among interfaces.

- If the GateManager address was covered by a tunnel (e.g. a 0/0 tunnel),
  and the tunnel couldn't be started (e.g. because the remote peer was
  down), the GateManager connection would fail too. (#4319)

****************************************************************************
3. Other improvements
****************************************************************************

- Work around broken ISPs that always set the ECN flag on every packet.
  Previously such IPsec packets would, in accordance with the relevant
  standards, simply get dropped, so no traffic would get through the tunnel.

- Interfaces (except LAN) can now be disabled by assigning them the static
  address 0.0.0.0.

- Spanning Tree Protocol (STP) is now always enabled when AUX is bridged to
  LAN.

- Gratuitous ARP will now be broadcast on each VLAN on each boot.

- ARP entries for VLANs will now also be shown on the Status > Network > ARP
  page. ARP entries are now sorted by IP address.

- A new priority level option has been added to static route entries,
  allowing configuration of routes with higher priority than automatic
  neighbor routes (see online help for details).

- More thorough validation and error logging will now be performed for
  static routes.

- Portscan detection now only applies to packets incoming on WAN interfaces
  (not LAN/DMZ).

- The GateManager Tunnel Agent has been extended with a list of up to 10 IP
  addresses that can be pinged to trigger automatic restart of tunnels that
  may have stopped working. (#4304)

****************************************************************************
4. Known issues or limitations
****************************************************************************

- Tunnel Agents: A Tunnel Agent will only work if the appliance itself is
  covered by the Local Network of the tunnel. In other words, it must be
  possible to send a ping packet from the appliance itself to the specified
  IP address through the tunnel. To test this, use the Status > Ping/Trace
  function and ping the remote IP address you want to target with the
  Tunnel Agent.

- Known limitation: Performance issue on tunnels using VPN Load Balancing.
  There is a performance issue if the tunnel to a remote site is using VPN
  Load Balancing and at the same time is using two internet connections
  with very different packet delay. This may result in packet
  retransmissions. Some systems seem to be more affected by this than
  others. The problem decreases as the number of clients increases. The
  problem is related to the TCP protocol not being capable of receiving
  reordered frames with too much time variation. See below for a possible
  workaround.

- ET supports VPN Load Balancing and Tunnel Failover. Note, however, that
  if the Client is NATted, only Tunnel Failover is supported. ET does not
  (yet) support WAN3 on TG260 units running as ET server.

- Manual tunnels support Tunnel Failover to WAN3 of TG160 and TG260 units.
  However, VPN Load Balancing is not supported for WAN3. Instead, you can
  distribute the VPN load across WAN interfaces by configuring the peers
  differently, e.g.: configure peer1 to use the WAN(1) address as the
  primary address, configure peer2 to use the WAN2 address as the primary
  address, etc.

- Using a WAN interface as source with the TCP/UDP ping tool only works if
  that WAN interface is the default interface.

****************************************************************************
5. Firmware upgrade information
****************************************************************************

- Specific upgrade information
  ------------------------------

  - TrustGate SoftClient: You must upgrade by running the setup program
    specific for the Windows OS.
    For 32-bit (x86/i386) Windows, run TGSoftClient-12.5.0.10486-Setup.exe
    For 64-bit (x64/amd64) Windows, run TGSoftClient-x64-12.5.0.10486-Setup.exe
    Upgrade of SoftClient via GateManager is currently not possible.

- General upgrade information
  -----------------------------

  - If you do not have a current Firmware Maintenance Service (FMS)
    agreement, it is illegal to install this firmware upgrade. If your FMS
    has expired, contact your point-of-purchase to arrange an FMS upgrade
    extension.

  - It is always recommended that you make a full configuration backup
    before you start a firmware upgrade.

****************************************************************************
6. Previous public releases - release notes
****************************************************************************

All release notes are found on the product support portal: www.secomea.com

****************************************************************************
****************************************************************************
*** END ***