SonicOS Enhanced 3.6 Release Notes
SonicOS Enhanced 3.6.0.4 Release Notes

SonicWALL, Inc.
Software Release: May 14, 2007

CONTENTS

Platform Compatibility
Enhancements
Known Issues
Resolved Known Issues in SonicOS Enhanced 3.6.0.4
Resolved Known Issues in SonicOS Enhanced 3.6.0.1
Key Features
SonicWALL TZ 190 Hardware Feature Highlights
Resetting the SonicWALL TZ 190 Using Safemode
Related Technical Documentation

PLATFORM COMPATIBILITY

SonicOS Enhanced version 3.6.0.4 (3.6.0.4-30) is a supported release for the following platform:
• SonicWALL TZ 190

ENHANCEMENTS

Strong SSL and TLS Encryption

The internal SonicWALL web-server now only supports SSL version 3.0 and TLS with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.0 and weak ciphers (symmetric ciphers less than 128 bits) are not supported. This heightened level of HTTPS security protects against potential SSLv2 roll-back vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and other security and risk-management standards.

TIP: By default, Mozilla Firefox 2.0 and Microsoft Internet Explorer 7.0 enable SSL 3.0 and TLS, and disable SSL 2.0. SonicWALL recommends using these most recent web browser releases. If you are using a previous release of these browsers, you should enable SSL 3.0 and TLS and disable SSL 2.0. In Internet Explorer, go to Tools > Internet Options, click on the Advanced tab, and scroll to the bottom of the Settings menu. In Firefox, go to Tools > Options, click on the Advanced tab, and then click on the Encryption tab.

© 2006 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
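The policy stated under Strong SSL and TLS Encryption (SSL 3.0 or TLS only, symmetric ciphers of 128 bits or greater) can be applied to a cipher listing to see which suites a management session may still negotiate. This is an added example, not SonicWALL code: the sample listing is constructed in the column layout printed by "openssl ciphers -v", and the function names are hypothetical.

```python
import re

MIN_BITS = 128  # release notes: "strong ciphers (128 bits or greater)"
ENC_FIELD = re.compile(r"Enc=([^\s(]+)(?:\((\d+)\))?")

# Constructed sample, laid out like `openssl ciphers -v` output.
SAMPLE_LISTING = """\
AES256-SHA    SSLv3 Kx=RSA      Au=RSA Enc=AES(256)  Mac=SHA1
AES128-SHA    SSLv3 Kx=RSA      Au=RSA Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA  SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5       SSLv2 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
DES-CBC-SHA   SSLv3 Kx=RSA      Au=RSA Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5   SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5 export
NULL-SHA      SSLv3 Kx=RSA      Au=RSA Enc=None      Mac=SHA1
"""


def parse_cipher_line(line):
    """Return (name, protocol, bits) for one listing line, or None if unparseable."""
    fields = line.split()
    match = ENC_FIELD.search(line)
    if len(fields) < 3 or match is None:
        return None
    # Enc=None (no encryption) carries no key size; treat it as 0 bits.
    bits = int(match.group(2)) if match.group(2) else 0
    return fields[0], fields[1], bits


def violations(protocol, bits):
    """List the ways a suite breaks the stated policy (empty list = allowed)."""
    reasons = []
    if not (protocol == "SSLv3" or protocol.startswith("TLSv1")):
        reasons.append(f"protocol {protocol} is not SSL 3.0 or TLS")
    if bits < MIN_BITS:  # nominal key length as printed in the listing
        reasons.append(f"{bits}-bit symmetric cipher is below {MIN_BITS} bits")
    return reasons


def audit(listing):
    """Split a cipher listing into allowed names and rejected suites with reasons."""
    allowed, rejected = [], {}
    for line in listing.splitlines():
        parsed = parse_cipher_line(line)
        if parsed is None:
            continue
        name, protocol, bits = parsed
        reasons = violations(protocol, bits)
        if reasons:
            rejected[f"{name}/{protocol}"] = reasons
        else:
            allowed.append(name)
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LISTING)
    print("allowed:", ", ".join(ok))
    for suite, why in bad.items():
        print("rejected:", suite, "-", "; ".join(why))
```

RC4-MD5 over SSLv2 is rejected on protocol alone even though its key is 128 bits, which is why the protocol check and the key-length check are kept separate.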
P/N 232-000736-00 Rev A 05/07 3604e

KNOWN ISSUES

The following is a list of known issues in the SonicOS Enhanced 3.6.0.4 release:

• 45335: Symptom: The Enable Remotely Triggered Dial-Out feature does not work with the Option Globetrotter GT Max card.
  Condition: Occurs when an incoming call is made to the Option wireless card.

• 45689: Symptom: Management traffic is not allowed through the WAN interface.
  Condition: Occurs when the WAN Connection Model is configured for WWAN only mode.
  Workaround: Configure the WAN Connection Model for Ethernet with WWAN Failover and force a failover to the WWAN by unplugging the Ethernet cable.

• 45797: Symptom: Runtime changes to WAN/WWAN probe settings do not always take effect until restart.
  Condition: Occurs when the default target is not reachable and WAN probing fails. The WAN stays in the failover state even after probe monitoring is successful.
  Workaround: Reboot the SonicWALL security device.

• 46327: Symptom: The WWAN interface fails to re-associate with the wireless network after the WWAN card is reset.
  Condition: Occurs intermittently on a SonicWALL TZ 190 security appliance using a Novatel S620 or S720 WWAN adapter.

RESOLVED KNOWN ISSUES IN SONICOS ENHANCED 3.6.0.4

The following is a list of resolved known issues in the SonicOS Enhanced 3.6.0.4 release:

• 45514: Symptom: On the Firewall > Services page, the HTTP and HTTPS services display uneditable port ranges of 1 – 65535 instead of the default ports 80 and 443. Because the HTTP and HTTPS ports are not configurable, it is not possible to block traffic for non-default ports.
  Condition: Occurs when the SonicWALL TZ 190 security appliance is rebooted.

• 46322: Symptom: Reducing the number of missed probes to redial setting below the defaults can cause a Cingular WWAN card to redial more often than desired.
  Condition: Occurs when the WWAN Interface Monitoring Setting values are reduced from the default values of:
    o Check Interface every 5 seconds
    o Re-establish connection after 6 missed intervals
  Workaround: Set the WWAN Interface Monitoring Setting to the following:
    o Check Interface every 6 seconds
    o Re-establish connection after 10 missed intervals

• 48244: Symptom: The SonicWALL TZ 190 security appliance spontaneously reboots into SafeMode in certain corner cases.
  Condition: Occurs when a BSP parameter is set incorrectly on appliances running SonicOS Enhanced 3.6.0.2.

RESOLVED KNOWN ISSUES IN SONICOS ENHANCED 3.6.0.1

The following is a list of resolved known issues in the SonicOS Enhanced 3.6.0.1 release:

• 45829: Symptom: The WWAN > Status page displays an incorrect Signal Strength for Sprint cards. For the Novatel cards, the Signal Strength may show Initializing even when it is receiving a signal and in a call. For the Novatel S720 card, the Signal Strength may always show Excellent even if signal is unavailable.
  Condition: Occurs when the firmware does not get a correct reading from a Sprint card when it queries the signal strength.

• 45846: Symptom: The TZ 190 can occasionally lose its Internet connection when manually changing the WAN Connection Model configuration from Ethernet Only to WWAN Only. This can cause the TZ 190 to restart.
  Condition: Occurs when the TZ 190 initially uses an Ethernet connection on the WAN port, and then fails over to the WWAN. The user interface might still show “Connected” for the WWAN status.

• 45876: Symptom: With Policy Based Routing configured, the TZ 190 may restart once when you change the WAN Connection Model from WWAN Only to Ethernet Only.
  Condition: Occurs after the following steps:
    1. Policy Based Routing is configured for the Ethernet WAN and OPT interfaces
    2. The WAN Connection Model is set to WWAN-only
    3. The security appliance is manually rebooted
    4. The WAN Connection Model is changed to Ethernet-only

• 45912: Symptom: After a WAN failover, statistics for Probe Alternate Target always show Target Unavailable.
  Condition: Occurs when the WAN connection fails and then comes back up while probe monitoring is set to "Probe succeeds when both Main Target and Alternate Target respond" or "Probe succeeds when either Main Target or Alternate Target respond".

• 45915: Symptom: On the TZ 190, WWAN dialing failure can occur when using a Novatel S620 card.
  Condition: Occurs when the WWAN is forced to repeatedly terminate and redial (for example, every 60 seconds). This can occur when the Maximum Connection Time is set to one minute.

• 45924: Symptom: For Sprint wireless cards, the Active Band (Service Type) can be incorrectly reported as 'CDMA 1xRTT'.
  Condition: May occur when Sprint wireless cards are used.

• 45972: Symptom: The TZ 190 should be able to force PAP authentication on a per-profile basis.
  Condition: Need option on WWAN > Connection Profiles > Add/Edit Dialog > Parameters tab.

• 46054: Symptom: TZ 190 firmware version 3.6.0.0-20e does not send heartbeats to GMS.
  Condition: Occurs when doing HTTPS management, with syslog server port set to 3003.

• 46123: Symptom: Option Globetrotter HSDPA may become unusable.
  Condition: Occurs when subjected to certain high levels of traffic.

• 46175: Symptom: The user interface (UI) shows incorrect default connection parameters for UAE provider Etisalat.
  Condition: Occurs when you use the setup wizard or connection profile Add/Edit dialog to create a profile for the UAE provider Etisalat.

KEY FEATURES

The following are the key features supported in SonicOS Enhanced 3.6:

Wireless WAN Support

SonicOS Enhanced 3.6 for the SonicWALL TZ 190 introduces support for 3G (Third Generation) and other Wireless WAN connections that utilize data connections over cellular networks. The Wireless WAN (WWAN) can be used for:
• WAN Failover to a connection that is not dependent on wire or cable.
• Temporary networks where a pre-configured connection may not be available, such as tradeshows and kiosks.
• Mobile networks, where the TZ 190 is based in a vehicle.
• Primary WAN connection where wire-based connections are not available and cellular is.

Wireless WAN support requires a wireless card and a contract with a wireless network provider.

Internet Service Providers (ISPs) and Data Plans

You should carefully read and analyze the rate plans provided by various ISPs. Some ISPs fully endorse the use of WWAN cards in firewall/router type deployments, while other vendors specifically discourage such usage. You should read the full terms and conditions of each plan to determine whether your deployment is compatible with the ISP licensing requirements.

In North America, Sprint specifically endorses the use of firewall/router deployments and offers true “Unlimited Data” plans. SonicWALL currently supports both the Novatel S620 and Novatel S720 cards on the Sprint network. Due to the flexibility of the data plans, SonicWALL highly recommends that you consider activating your unit with a Sprint service contract.

Other ISPs may or may not endorse the use of WWAN cards in firewall/router deployments and may have more limited data plans that are either capped or charge by the amount of data transmitted.

SonicOS Enhanced 3.6 and the TZ 190 support the following wireless network providers (this list is subject to change):
• Cingular Wireless
• H3G
• Sprint PCS Wireless
• Verizon Wireless
• Vodafone
• Telecom Italia Mobile
• Telefonica
• T-Mobile
• TDC Song
• Orange

SonicWALL Supported WWAN Cards

Before installing your WWAN card, be sure to confirm that your card is on the SonicWALL approved card list. This section of the release notes contains the initial list of approved cards, which is subject to change. You can find updates to the list of approved WWAN cards on the SonicWALL Web site:

http://www.sonicwall.com/products/tz190_details.html

You should check the SonicWALL Web site frequently for updates to the supported card list.

SonicOS Enhanced 3.6 and the SonicWALL TZ 190 currently support the following wireless cards:
• GSM Wireless Carriers (with the exception of Cingular)
  o Option GlobeTrotter HSDPA
  o Option GlobeTrotter GT MAX
  o Option GlobeTrotter GT MAX 7.2 Ready (new in SonicOS 3.6.0.2)
  o Sierra Wireless AirCard 860
• CDMA Wireless Carriers (with the exception of Sprint and Verizon)
  o Novatel Wireless Merlin 620
  o Novatel Wireless Merlin PC720
• Cingular
  o Option GT Max
  o Option GT Max 3.6 (new in SonicOS 3.6.0.2)
  o Sierra Wireless AirCard 860
• Sprint
  o Novatel Wireless Merlin S620 (Sprint Mobile Broadband Card)
  o Novatel Wireless Merlin S720 (Sprint Mobile Broadband Card)
• Verizon Wireless
  o Verizon Wireless V620
  o Novatel Wireless Merlin V620

User Interface Features for WWAN Support

This section provides a brief introduction to the WWAN user interface. For detailed information on configuring the WWAN, see the “Configuring Wireless WAN” and “Configuring Interfaces” chapters in the SonicOS Enhanced 3.6 Administrator’s Guide, which is available at the SonicWALL support site:

http://www.sonicwall.com/us/Support.html

• WWAN Interface configuration and management on the Network > Interfaces page of the SonicOS Enhanced 3.6 management interface:
  o On the Network > Interfaces page, you can click the configure icon in the Interface Settings table to open the WWAN Settings dialog box:
  o You can click the Manage button in the Interface Settings table to disconnect, reconnect, or view statistics on the connection.
• WWAN Configuration on the WWAN pages of the SonicOS Enhanced 3.6 management interface:
  o WWAN > Status
  o WWAN > Settings
  o WWAN > Advanced
    The Remotely Triggered Dial-out feature is only supported with the following hardware:
    o Novatel S620/720
    o Sierra Wireless 860
  o WWAN > Connection Profiles
  o WWAN > Data Usage

PortShield Interfaces

SonicOS Enhanced 3.6 introduces PortShield Interfaces for the TZ 190. A PortShield interface is a virtual interface with a set of ports assigned to it. You can configure a separate security context for each PortShield interface.

Data Usage Limiting

In SonicOS Enhanced 3.6, you can enable data usage limiting to automatically disable the WWAN interface when the specified data or time limit for the month has been reached. If your WWAN account has a monthly data or time limit, data usage limiting can help you avoid excessive billings or terms-of-service violations. You can enable data limiting on a per-profile basis.

SONICWALL TZ 190 HARDWARE FEATURE HIGHLIGHTS

• WWAN: 1 PCMCIA slot for wireless cards
• WAN: 1 10/100 Ethernet port
• OPT: 1 10/100 Ethernet port
• LAN: 8 10/100 Ethernet ports

The TZ 190 is a new platform. The TZ 190 runs SonicOS Enhanced, starting with SonicOS Enhanced 3.6.

RESETTING THE SONICWALL TZ 190 USING SAFEMODE

If you are unable to connect to the SonicWALL security appliance’s management interface, you can restart the SonicWALL security appliance in SafeMode. The SafeMode feature allows you to quickly recover from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page.

To reset the SonicWALL security appliance, perform the following steps:

1. Connect your management station to a LAN port on the SonicWALL security appliance and configure your management station IP address with an address on the 192.168.168.0/24 subnet, such as 192.168.168.20.
   Note: The SonicWALL security appliance can also respond to the last configured LAN IP address in SafeMode. This is useful for remote management recovery or hands off recovery in a datacenter.

2. Use a narrow, straight object, like a straightened paper clip or a toothpick, to press and hold the reset button on the security appliance for five to ten seconds. The reset button is in a small hole next to the connector for the power supply.

   Reset Button – TZ 190

   Tip: If this procedure does not work while the power is on, turn the unit off and on while holding the reset button until the Test light starts blinking.

   The Test light starts blinking when the SonicWALL security appliance has rebooted into SafeMode.

3. Connect to the management interface: Point the Web browser on your management station to 192.168.168.168. The SafeMode management interface displays.

4. If you have made any configuration changes to the security appliance, make a backup copy of your current settings. Click Create Backup Settings. Note that this will overwrite any previous backup settings.

5. Try rebooting the SonicWALL security appliance with your current settings. Click the boot icon in the same line with Current Firmware.

6. After the SonicWALL security appliance has rebooted, try to open the management interface again. If you still cannot open the management interface, use the reset button to restart the appliance in SafeMode again. In SafeMode, restart the SonicOS image with the factory default settings. Click the boot icon in the same line with Current Firmware with Factory Default Settings.

7. After the SonicWALL security appliance has rebooted, try to open the management interface again.
   If you are able to connect, you can recreate your configuration or try to reboot with the backup settings: Restart the security appliance in SafeMode again, and click the boot icon in the same line with Current Firmware with Backup Settings.

RELATED TECHNICAL DOCUMENTATION

SonicWALL user guide reference documentation is available at the SonicWALL Technical Documentation Online Library:

http://www.sonicwall.com/us/Support.html

• SonicOS Enhanced 3.6 Administrator’s Guide
• SonicOS Log Event Reference Guide
• SonicOS CLI Reference Guide

Document Version: May 14, 2007