About this document

Purpose

This document details the changes introduced in version 6.4 of DenyAll Web Application Firewall.

Context

Version information

This version follows version 6.3 of DenyAll Web Application Firewall and is an LVS (Last Version Support) release.

Reminder of the LTS/LVS concepts:

  • Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches are issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
  • Last version support (LVS): these releases include new features and improvements. Bug fixes and security patches are issued approximately twice a year. Although they go through our Quality Assurance process, they should be used in production environments with caution.

Revision

Revision number: r41475

Official release date

September 18th, 2017.

Main changes

Major enhancements

This version 6.4 brings the following new features:

  • Active-Active High Availability mode
  • Pooling mode
  • New advanced security engines
  • New JSON manipulation nodes
  • New JWT manipulation nodes
  • HSM Safenet Luna support 
  • ICX Engine node with events
  • Query parameters in Learning logs

Active-Active High Availability mode

A new Active-Active mode is available in the High Availability panel of DenyAll WAF 6.4. In this mode, all members of the High Availability (HA) cluster handle requests at the same time: a master node distributes incoming traffic to the slave members or to itself, each node then processes its requests locally and sends the responses directly to the clients.

See High Availability documentation to get details about Active-Active configuration.

Pooling mode

The pooling mode, also known as diode mode, is a new configuration available for tunnels. In this mode, the traffic is not forwarded to the backend: it is kept locally by a tunnel called "pooler", and fetched at regular intervals by a second tunnel called "poller", which sends the requests to the backend server.

[Figure: tunnel Pooler_Demo and tunnel Poller_Demo]

This mode aims at enhancing security: the pooler never opens a connection toward the backend, since every fetch is initiated by the poller. A compromised WAF device, or any other device belonging to the same DMZ, therefore cannot use the pooler as a pivot toward the backend (bounce attack).

See Pooling documentation to have a description of the possible configurations.

New security engines

This release introduces 2 new security engines available through new security workflow nodes.

  • Advanced Detection Engine - CMDi: this node applies heuristic sandboxing to a request in order to detect attacks or intrusion attempts based on command injection. See Advanced Detection Engine - CMDi documentation.
  • Advanced Detection Engine - XSS: this node uses a grammatical approach with a domain-specific understanding of HTML in order to detect attacks or intrusion attempts based on XSS (Cross-Site Scripting). See Advanced Detection Engine - XSS documentation.
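
The difference between a pattern-based check and a grammatical one is easier to see in code. The following Python snippet is an added illustration of the approach, not DenyAll's engine: it feeds the fragment through Python's standard HTML tokenizer, so that entity-encoded URL schemes and unquoted event-handler attributes are classified the way a browser would see them, and compares the verdict with a naive "<script|javascript:" signature. The element and attribute lists and the sample fragments are assumptions chosen for the demonstration.

```python
import re
from html.parser import HTMLParser

# A naive signature, the kind of check a byte-level blacklist performs.
NAIVE_SIGNATURE = re.compile(r"<script|javascript:", re.IGNORECASE)

# Assumed classification lists for the demo (a real engine knows the full HTML vocabulary).
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "data", "xlink:href"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed fragments: three attacks the naive signature misses or a benign one it flags.
SAMPLES = [
    '<img src=x onerror=alert(1)>',                      # handler attribute, no <script>, no javascript:
    '<a href="&#106;avascript:alert(1)">x</a>',          # entity-encoded scheme
    '<a href="  java\tscript:alert(1)">x</a>',           # whitespace inside the scheme
    '<a href="/docs/javascript:intro">x</a>',            # benign relative path, naive false positive
]


class HtmlGrammarDetector(HTMLParser):
    """Walks the HTML grammar instead of the raw bytes: character references are decoded and
    attribute names/values are seen as the browser will interpret them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):  # event handlers: onerror, onload, onmouseover, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and value:
                # Browsers ignore whitespace and control characters inside the scheme,
                # so normalise before comparing.
                normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if normalized.startswith(DANGEROUS_SCHEMES):
                    scheme = normalized.split(":", 1)[0]
                    self.findings.append(f"{name} uses {scheme}: scheme on <{tag}>")


def detect_xss(fragment: str) -> list:
    """Return the list of grammatical findings for an HTML fragment (empty when clean)."""
    parser = HtmlGrammarDetector()
    parser.feed(fragment)
    parser.close()
    return parser.findings


def naive_match(fragment: str) -> bool:
    """Verdict of the byte-level signature, for comparison."""
    return NAIVE_SIGNATURE.search(fragment) is not None


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}\n  naive: {naive_match(sample)}  grammar: {detect_xss(sample)}")
```

The first three samples are caught only by the grammatical detector; the fourth is flagged only by the signature. This is the trade-off a grammar-aware engine buys: fewer evasions through encoding and attribute syntax, and fewer false positives on harmless text that happens to contain a keyword.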

New JSON manipulation nodes

This release introduces 3 new workflow nodes to manipulate JSON documents using the JSON Pointer syntax (RFC 6901).

  • JSON Attribute GET: The JSON Attribute GET node allows extraction of JSON attributes to store them in new workflow attributes. See JSON Attribute GET documentation.
  • JSON Attribute SET: The JSON Attribute SET node allows creation of JSON attributes. See JSON Attribute SET documentation.
  • JSON Attribute UNSET: The JSON Attribute UNSET node allows deletion of data from JSON documents stored in workflow attributes. See JSON Attribute UNSET documentation.
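
As an added worked example (not the product's implementation of these nodes), the three operations can be written on top of a small RFC 6901 resolver: the pointer is split on "/", each token has "~1" unescaped to "/" before "~0" to "~", array elements are addressed by decimal index and "-" appends. The sample body and the harden_body workflow, which drops a client-supplied is_admin flag and pins the role before the request is forwarded, are constructed for the demonstration.

```python
import json

# Constructed request body, the kind of JSON a tunnel sees on a profile-update call.
SAMPLE_BODY = '{"user":{"name":"alice","is_admin":true,"role":"admin"},"a/b":1,"tags":["x","y"]}'
SAMPLE = json.loads(SAMPLE_BODY)

MISSING = object()  # sentinel so that a stored null is distinguishable from "not present"


def parse_pointer(pointer: str) -> list:
    """Split an RFC 6901 pointer into reference tokens. '' designates the whole document,
    any other pointer must start with '/'. Unescape ~1 -> '/' first, then ~0 -> '~'."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON Pointer: {pointer!r}")
    return [tok.replace("~1", "/").replace("~0", "~") for tok in pointer.split("/")[1:]]


def descend(node, token: str):
    """Go down one level: a member name for objects, a decimal index for arrays."""
    if isinstance(node, dict):
        return node[token]
    if isinstance(node, list):
        return node[int(token)]
    raise KeyError(token)


def json_get(doc, pointer: str, default=None):
    """GET: the value at pointer, or default when the path does not resolve."""
    node = doc
    try:
        for token in parse_pointer(pointer):
            node = descend(node, token)
    except (KeyError, IndexError, ValueError):
        return default
    return node


def json_set(doc, pointer: str, value):
    """SET: create or replace the value at pointer; '-' appends to an array.
    Missing parents are not created (same rule as RFC 6902 'add'), they raise."""
    tokens = parse_pointer(pointer)
    if not tokens:
        return value
    parent = doc
    for token in tokens[:-1]:
        parent = descend(parent, token)
    last = tokens[-1]
    if isinstance(parent, list):
        if last == "-":
            parent.append(value)
        else:
            parent[int(last)] = value
    elif isinstance(parent, dict):
        parent[last] = value
    else:
        raise TypeError(f"cannot set {pointer!r}: parent is a scalar")
    return doc


def json_unset(doc, pointer: str):
    """UNSET: delete the member or array element at pointer."""
    tokens = parse_pointer(pointer)
    if not tokens:
        raise ValueError("refusing to unset the whole document")
    parent = doc
    for token in tokens[:-1]:
        parent = descend(parent, token)
    last = tokens[-1]
    if isinstance(parent, list):
        del parent[int(last)]
    else:
        del parent[last]
    return doc


def harden_body(raw: str) -> str:
    """Assumed WAF workflow: strip a client-controlled privilege field and pin the role
    server-side before the body reaches the backend (mass-assignment defence)."""
    doc = json.loads(raw)
    if json_get(doc, "/user/is_admin", MISSING) is not MISSING:
        json_unset(doc, "/user/is_admin")
    json_set(doc, "/user/role", "user")
    return json.dumps(doc, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    print(json_get(SAMPLE, "/user/name"), json_get(SAMPLE, "/a~1b"), json_get(SAMPLE, "/tags/1"))
    print(harden_body(SAMPLE_BODY))
```

The escaping order matters: "~01" must become "~1", which only happens if "~1" is replaced before "~0". The GET helper returns a default on any resolution failure so that a workflow attribute can be tested for presence; SET and UNSET raise on a missing parent rather than silently creating structure the client never sent.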

New JWT manipulation nodes

This release introduces 2 new workflow nodes to create and check JSON Web Tokens.

  • JWT Generate: this node generates a JSON Web Token (JWT) that can then be used in the workflow. See JWT Generate documentation.
  • JWT Parsing: this node splits a JSON Web Token (JWT) into a JSON header and a JSON payload, and verifies its signature. A JWT is made of a header, a payload and a signature; the signature part is empty when the token is not signed. See JWT Parsing documentation.
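
An added example, not the product's node implementation, showing the two steps for an HS256 token with Python's standard library. The parsing side refuses any token whose header does not announce the one expected algorithm (which rejects "alg":"none" and key-confusion tricks), checks the HMAC with a constant-time compare before the payload is decoded, and only then evaluates exp. The demo key, the forged tokens and the timestamps are constructed. Note that per RFC 7519 an unsecured JWT still carries a trailing dot with an empty third segment, so a token with only two segments is malformed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; in a deployment the key comes from the WAF's secret store.
KEY = b"demo-secret-change-me"


class JwtError(Exception):
    """Raised when a token is malformed, unsigned, tampered with or expired."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_generate(payload: dict, key: bytes) -> str:
    """Build a signed HS256 token: b64url(header).b64url(payload).b64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def jwt_parse(token: str, key: bytes, now=None):
    """Split and verify. The algorithm is pinned, the signature is checked before the payload
    is trusted, then the exp claim is enforced. Returns (header, payload)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("token must have three segments")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise JwtError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JwtError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise JwtError("token expired")
    return header, payload


def check(token: str, key: bytes, now=None) -> str:
    """'ok' or the rejection reason, so that a rejected token can be logged as an event."""
    try:
        jwt_parse(token, key, now)
        return "ok"
    except JwtError as exc:
        return str(exc)


def forge_alg_none(token: str) -> str:
    """Attacker's token against a parser that trusts the header: same payload, alg=none, empty signature."""
    _, body_b64, _ = token.split(".")
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    return f"{header}.{body_b64}."


def tamper_payload(token: str, payload: dict) -> str:
    """Attacker's token with a rewritten payload and the original signature kept."""
    head_b64, _, sig_b64 = token.split(".")
    return head_b64 + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    token = jwt_generate({"sub": "alice", "exp": 2000000000}, KEY)
    print(token)
    print(check(token, KEY), check(forge_alg_none(token), KEY), check(tamper_payload(token, {"sub": "admin"}), KEY))
```

Pinning the algorithm on the verifying side is the important design choice: a parser that reads "alg" from the token and dispatches on it lets the attacker choose "none" or swap an asymmetric key for an HMAC secret. The exp check is deliberately done after the signature check, since an unverified payload must not influence any decision.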

HSM Safenet Luna support

Version 6.4 of DenyAll Web Application Firewall allows cryptographic operations to be delegated to HSM (Hardware Security Module) cards, so that private keys can stay inside the module. The Safenet Luna Viper PCI-e card is the only card supported in this version.

See HSM documentation for details about configuration of HSM products.

ICX Engine node with events

In version 6.4 of DenyAll Web Application Firewall, the security logs related to ICX blockings are now generated in the same format as the security logs of all the new security engines.

We highly recommend reading the page describing the ICX behavior changes.

Query parameters in Learning logs

A new "Query" column is now present in the Learning logs panel, which displays the logs generated by the "Learning log" workflow node. This column contains the query parameters sent in the requests learned by the node. These query parameters can also be processed and converted to Sitemap query parameters when learning logs are used to create Sitemaps.

Minor enhancements

Components upgrade

  • Apache from 2.4.25 to version 2.4.27
  • KeepAlived from 1.2.24 to version 1.3.5
  • Kernel from 3.10.0-514.10.2 to version 3.10.0-514.26.2

Improvement of backup restoration

A new option called "Dependency Wizard" is available in the Backups panel. It allows all objects of the same type to be remapped at the same time, so that many objects contained in a backup can quickly be replaced by objects of the same type already existing on the current box before the configurations are restored. It is very useful when restoring many tunnels on a new box, for example.

Administration interface (GUI) improvement

Several GUI improvements have been added to this version of DenyAll Web Application Firewall. It is now possible to configure a redirection of HTTP traffic to HTTPS inside a tunnel supporting HTTPS traffic, without using a tunnel dedicated to HTTP traffic.

The configuration only requires the HTTP port on which plain HTTP traffic is received before being redirected to the HTTPS port of the tunnel.

IP reputation administration has also been improved with an option to update the IP database instantly instead of waiting for the next scheduled update. This comes with an improved status display for the IP reputation database.

The version of the database and the last update status are now available for each box running IP reputation database updates.

IP Reputation requires Internet access from the Management Box to update its database.

Applications support in imported rWeb backups

With DenyAll Web Application Firewall 6.4, backups from DenyAll rWeb and DenyAll sProxy products containing applications can now be imported and restored as tunnels in DenyAll Web Application Firewall. This includes restoration of the listening IP addresses and ports, SSL certificates, incoming URIs and backend URLs.

Log Alert node

The "Log Alert" node has been improved in DenyAll Web Application Firewall 6.4 to handle all types of security engines. It replaces the old "Log Security Alert" node introduced in version 6.3 while remaining compatible with configurations from that version, and generates the new security events for every security engine in DenyAll Web Application Firewall.

See Log Alert node documentation for more details.

Bug fixes

Bug criticality indicators:

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic.

Network

  • (error) [DA-6987] VRRP members cannot mix IPv4 and IPv6
  • (error) [DA-6700] IPv6 VIP cannot be applied

Workflow

  • (error) [DA-6987] Attribute error when using "Selector - Existing Attributes" in a SWF parameter
  • (error) [DA-7241] Segfault on Security Exception engine node with a Scoringlist exception rule

ICX Engine

  • (error) [DA-6786] Category and rule UIDs change when saving as an ICX configuration
  • (error) [DA-6590] ICX behavior changes on whitelists since version 5.7

Blacklist Engine

  • (error) [DA-7295] Blacklist "disabled" rules are displayed in red when they refer to a custom rule

Sitemap

  • (error) [DA-6915] Sitemap referenced parameters cannot be deleted
  • (error) [DA-6270] Apply error when referenced parameters do not exist
  • (error) [DA-6575] Size of Sitemap configuration objects is limited
  • (error) [DA-6491] Corrupted Sitemap API after importing an access log containing URL-encoded data
  • (error) [DA-6262] Formdata in lowercase is supported when importing a Swagger file
  • (warning) [DA-6945] Sitemap is created even if an error occurs during an import

SNMP

  • (warning) [DA-6204] Missing load balancing indicators in the MIB

SSL

  • (error) [DA-6330] Intermediate certificate cannot be uploaded
  • (error) [DA-5751] Elliptic Curve Cryptography certificates cannot be uploaded

System

  • (warning) [DA-6532] ipReputation database takes too much time to update
  • (warning) [DA-5753] dantpd service is restarted on each NTP apply even if there is no NTP configuration
  • (warning) [DA-5570] Applying an SSH configuration with a port already in use does not display an error
  • (warning) [DA-5569] Connected SSH users are not dropped when the SSH service is disabled or their IP is removed from the SSH list
  • (error) [DA-7204] [AWS] AMI does not take the full disk size into account

WAM

  • (error) [DA-7038] Multiple authentication servers in a gate do not work with RADIUS
  • (error) [DA-6851] Malformed apply message when a portal conflict occurs
  • (warning) [DA-6657] Namespace number is increased at each backup/restore
  • (error) [DA-6095] Unable to modify the "Kerberos Delegation Authentication - token" authentication type

ELK

  • (error) [DA-7128] Kibana dashboards can be wiped after an RSE installation
  • (error) [DA-6704] Temporary files are not deleted after an Elasticsearch crash and can prevent it from starting again
  • (error) [DA-6244] Kibana interface is unreachable after stopping and starting the service

Administration interface (GUI)

  • (error) [DA-7407] Using an incomplete SWF (shown in red) in a WF does not show the WF as incomplete (in red as well)
  • (error) [DA-6578] GUI shows duplicated metric objects in a backup
  • (info) [DA-6046] Node selection in Workflow can be lost
  • (warning) [DA-6395] Path filter in Security Logs does not work
  • (error) [DA-6279] Apply fails silently (with no output) when bash color escape sequences are present in a script's output
  • (error) [DA-6091] Invalid backend status for tunnels with backend balancers
  • (warning) [DA-6063] "No destination found" when using an alert destination not yet synchronized on a Managed Box
  • (warning) [DA-5853] Metric view is not correctly updated after modifying an alert destination on a trigger

Web monitoring interface

  • (error) [DA-6524] Reports generated from "System health" view are incomplete

Text User Interface (TUI)

  • (warning) [DA-6482] Blink function for ethernet interfaces is not working

Miscellaneous

  • (warning) [DA-6027] Static Content node logs errors when the content is delivered
  • (error) [DA-7423] Possible crash when the backend's Content-Type header is empty

Known issues

  • [DA-3601] Security metrics remain empty for backup node of HA cluster
    Tunnel metrics for security events are never updated on backup node of High Availability cluster.
  • [DA-5307] Duplicate logs when using realtime alerting
    Security and WAM logs can be duplicated when using syslog realtime alerting while log alerting configurations are configured.
  • [DA-6206] Multiple occurrence of the query string parameter not supported in Sitemap validation
    The Sitemap validation node does not support validating incoming requests that contain multiple occurrences of the same query string parameter. This can prevent whitelists configured on rWeb products from being migrated to DenyAll WAF 6.3.
  • [DA-6483] Raid metric returns power supply status
    Power status metrics are not in the correct category.
  • [DA-7349] Distributed datastore not working when IP Range is distributed on several interfaces
  • [DA-4125] ICX does not ignore attachments or some application/* content-types
  • [DA-7097] Datastore dependencies in Sub-Workflow are not retrieved by the Backup/Restore process
  • [DA-4229] WAM category in Logs Management doesn't use Log Rotation Profile
  • [DA-6345] Invalid 'Save' management when creating Security Exception on Default Security Policy from Custom Resolve
  • [DA-7439] After uninstalling a RSE, there is missing mandatory apply flags in apply wizards
  • [DA-7122] Authorizations seem to be broken after a WAM apply
    After a WAM apply, the Java engine is unable to connect to the PostgreSQL database; this only happens when StorageOperationMultiSearchSqlDb is used in the group table.
  • [DA-7459] No information given when a Reverse Proxy fail to start due to certificates
  • [DA-7130] [GUI] Some nodes are not red when a parameter is invalid
  • [DA-7136] Invalid configuration of user authorization templates
    Role created from Workflow Operator template needs to be manually updated.
  • [DA-4601] [TUI] Daemon management bugs and mistakes
  • [DA-6055] Ramdisk size metric is not updated
  • [DA-5772] [rWeb Migration] EAccessUriTrans multipart-form-data & auto-file-upload are not available on Blacklist engine
  • [DA-7400] Reverse Proxy apply can be long with many tunnels using different workflows (> 100 tunnels)
  • [DA-6569] Exported Sitemap in swagger format does not match the full swagger specifications (missing description in parameters and responses in operations)
  • [DA-7294] Export and purge database logs task doesn't work with email destination
  • [DA-6656] "Test Connectivity" tool does not use the configured SSL cipher of the tunnel
  • [DA-7462] "No tunnel in this reverse proxy" is returned if tunnel's configuration is invalid
  • [DA-7485] Backend load balancer metrics are not correctly referenced in Web Monitoring Interface
  • [DA-7364] KeepAlived metric is red because service is not started when there is no VRRP configuration
  • [DA-6499] [Security Logs] Change supported fields in filters
    Some parameters are missing in the Filter log view of the security logs such as "Attack Family" or "Engine".
  • [DA-7608] Response header following a truncated header disappears
    In some cases, when a response header is truncated because its length exceeds the maximum header length set in a Reverse Proxy Profile, the next header disappears from the response.
  • [DA-7706] JSON export of security logs does not contain tokens
    The exported JSON file is missing information about the logs: it does not contain the tokens. Use the XML export instead.

Removed feature

The following features from i-Suite version 5 are not available in this version and will not be reimplemented in a future version:

  • Focus tables (replaced by Sitemap)
  • ACE (a beta security engine designed for auto learning)
  • Bridge mode (allowing transparent setup of the box)
  • Network sniffer

Report of Security Logs

The scheduled task option that generates reports based on Security Logs is temporarily deactivated in DenyAll WAF 6.4 and will be re-activated in version 6.5. All scheduled tasks generating reports on Security Logs are disabled in version 6.4 when they come from an upgrade from version 6.3 or from an imported backup.

Appendix

Installation and Upgrade

Information to know before upgrading to version 6.4

  • The DenyAll WAF 6.4 update also updates the security patterns for ICX. Default ICX configurations are updated, but user ICX configurations are not modified and need to be updated manually (see Security Updates).
  • If ICX logs are flagged with "No Attack Family", the patterns used in the ICX Configurations are not up to date. Update your patterns to DSU version 3.28 to get the attack family in ICX event logs. We recommend updating all your ICX Configurations to (at least) DSU version 3.28.
  • Old ICX Security logs can no longer be seen: the ICX Engine node has been updated to use the new log system with events (new log format, see new Security Logs).
    ICX logs can now be seen in the new security log view. We highly recommend exporting the ICX Security logs before updating to version 6.4.
  • Filters saved on the Security Logs view will be lost.
  • Security Logs from version 6.3 can no longer be seen in the administration interface: the database schema has changed due to new fields.
    These logs are still available through the Kibana interface by adding new Index Patterns named "63elslog_accesslog_*", "63elslog_learninglog_*" or "63elslog_securitylog_*".
  • The first apply after the 6.4 update may lead to a disconnection of the administration interface.
  • Log Alerting configurations are not working for Security Logs in version 6.4 (DA-6706).
  • Log obfuscation (or log filter) will be enabled on tunnels when updating to version 6.4. Log obfuscation was always enabled for credit card numbers, even when the option in the tunnel was not activated. After the update, the option is activated with the default profile, which replaces credit card numbers and passwords by stars ("******"). Check that this default profile also covers the sensitive fields specific to your applications.
  • The format of Security Exception Configurations has changed in version 6.4. All configurations from version 6.3 are automatically migrated to the new format. Be aware that downgrading from 6.4 to 6.3 will not restore the Security Exception Configurations to the 6.3 format: restore a 6.3 backup to get them back.
  • Keepalived and Ntpd metric statuses are triggered even if there is no VRRP or NTP configuration set on the cluster. Their criticality level has been changed to 'warning' instead of 'critical'. If you are using VRRP configuration(s), we recommend setting the criticality level of the Keepalived metric back to 'critical'.
  • The metrics named "Buffer overflow", "Command Injection", "Cross site scripting", "SQL Injection", "Parser Evasion", "Path traversal", "HTML Injection", "LDAP Injection", "Mail Injection", "Remote file include by Cookie", "Remote file include by Get Vars", "Remote file include by Post Vars", "XPATH Injection" and "Custom Rules" are no longer available and have been replaced by the new attack families introduced in version 6.3. See the Tokens documentation page for the available attack families (token attackFamily).
  • The metric "logs - numlogs" is no longer available.
  • The metric "logs - icxlogs" is no longer available and has been replaced by a new metric named "logs - securitylogs".
  • The metric "logs - customlogs" is no longer available and has been replaced by a new dynamic metric named "tunnel – No Attack Family".
  • The following indicators have been flagged as "obsolete" in the DenyAll MIB:
    • "icxLogsCount",
    • "customLogsCount",
    • "otherLogsCount",
    • "tunnelAttRmtFlIncldCks",
    • "tunnelAttSQLInjctCnt",
    • "tunnelAttXSSCnt",
    • "tunnelAttLDAPInjctCnt",
    • "tunnelAttHTMLInjctCnt",
    • "tunnelAttXPATHCnt",
    • "tunnelAttCMDInjctCnt",
    • "tunnelAttBuffOFInjctCnt",
    • "tunnelAttMailInjctCount",
    • "tunnelAttPrsrEvs",
    • "tunnelAttPthTransv",
    • "tunnelAttRmtFlIncldGtVr",
    • "tunnelAttRmtFlIncldPtVr",
    • "tunnelAttCustomRules".
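
To make the log obfuscation behaviour described above concrete, here is an added Python example (not DenyAll's log filter nor its default profile) of how a masking profile can be applied to log lines: card numbers are matched as runs of 13 to 19 digits, optionally separated by spaces or dashes, and are only replaced when they pass the Luhn check, so that timestamps and order identifiers survive; password values are masked in form-encoded, query-string and JSON bodies. The log lines, the parameter names and the mask are constructed for the example.

```python
import re

# Constructed access-log style lines: the bodies are what a tunnel would log before filtering.
SAMPLE_LINES = [
    'POST /pay body="card=4111111111111111&cvv=123"',
    'POST /login body="user=alice&password=S3cret!&remember=1"',
    'GET /api/orders?ts=1505721600000 200',
    '{"card_number":"5555 5555 5555 4444","password":"hunter2"}',
]

MASK = "******"

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# key=value, key: value and "key":"value" forms of the usual password parameter names (assumed list).
PASSWORD_RE = re.compile(
    r'''((?:^|[&?;\s,{"'])(?:password|passwd|pwd|pass)"?\s*[=:]\s*"?)([^&\s"',}]+)''',
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card numbers from timestamps, order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match) -> str:
    """Replace the matched digit run only if it is a plausible PAN."""
    digits = re.sub(r"\D", "", match.group(0))
    return MASK if luhn_ok(digits) else match.group(0)


def obfuscate(line: str) -> str:
    """Replace card numbers and password values with stars, leaving the rest of the line intact."""
    line = PAN_RE.sub(mask_pan, line)
    return PASSWORD_RE.sub(lambda m: m.group(1) + MASK, line)


def obfuscate_all(lines) -> list:
    return [obfuscate(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, obfuscate_all(SAMPLE_LINES)):
        print(before, "->", after)
```

The Luhn guard is what keeps the filter from mangling the third sample line, whose 13-digit epoch timestamp would otherwise look like a card number. Masking is applied to the value only, so the parameter name stays searchable in the logs while the secret does not.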

Configuration Backup

Before installing this version, backup any work that is in progress. Go to Management > Backups panel and backup all the configurations then download the backup file.

In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances.

Installation procedure

Follow the steps hereunder to install this version of DenyAll WAF:

  1. Download the ISO file and the Administration Interface from the customer area at: https://my.denyall.com/

  2. Install the product on your appliance or virtual machine. The installation is described in the Installing from ISO page

  3. Log into the DenyAll Text User Interface and set the role: Management or Managed (for more details see the Initialization of the Management and Managed mode page)

  4. Repeat stages 2 and 3 for each Managed appliance, if there are any

  5. Install and connect to the Administration Interface (for more details see the Installing the Administration Interface page)
  6. If there are any, add Managed appliances to the cluster. Go to Setup > Boxes > Add
  7. Create a support request to DenyAll to retrieve the license. The serial number (Service Tag) of the appliance will be needed (it can be found in Setup > i-Boxes > Licenses; select a Box and click View). For more details, see the Obtaining and assigning a DenyAll WAF license page
  8. Upload license(s) in the Setup > Boxes > Licenses panel
  9. Perform an apply of all configurations to verify that all Boxes are responding well
  10. If you have any backup from 5.x or 6.x, you can restore it in the Management > Backups panel, then perform an apply (with Cold Restart selected) on all the configurations

Update procedure

The following steps describe how to update the product from a 6.x version lower than the new version by using the RSE system.

System requirements: The cluster has to be in a version 6.3.

API RSE

It is highly recommended to uninstall any API RSE in version up to 1.2.0 before upgrading from DenyAll WAF 6.3 to DenyAll WAF 6.4. After completing the upgrade, the API RSE version 1.4.0 can be installed.

Manual snapshot

It is mandatory to create a manual snapshot of the cluster configuration before upgrading to DenyAll WAF 6.4 version. This snapshot is necessary in case of downgrade to restore a compatible configuration of the product.

  1. Download the RSE file and the Administration Interface from your customer area at: https://my.denyall.com/
  2. Install the new Administration Interface and connect to the product (for more details see the Installing the Administration Interface page) 
  3. Go to Management > Backups panel and backup all the configurations then download the backup file. In case of a virtualization environment, you may also stop the virtual appliance and create a backup (snapshot) of your appliances
  4. Go to Management > Snapshots and add a manual snapshot corresponding to the current cluster configuration then download the DenyAll WAF snapshot file
  5. Go to Management > System Updates and upload the RSE file
  6. Select the Management Box and click Install

    The Management Box must be updated first, before updating Managed Boxes
  7. Read and confirm the readme

  8. The installation process will automatically restart the Box and the user will be disconnected from the administration interface

  9. Wait for the Box to restart
  10. Repeat stages 5, 6, 7 and 8 for each managed Box, if any

  11. Perform an Apply (with Cold Restart selected) on all the configurations

Uninstall procedure

In order to roll-back to version 6.3:

Snapshot restore

It is mandatory to restore a DenyAll WAF snapshot after uninstalling an RSE, in order to remove all configurations introduced by DenyAll WAF 6.4 that are incompatible with 6.3 and to restore the latest valid DenyAll WAF 6.3 configuration.

  1. Go to Management > System Updates
  2. Start by uninstalling managed Boxes. Select a managed Box and click Uninstall. The Box will reboot automatically
  3. Repeat stage 2 for all managed Boxes of the cluster
  4. Repeat stage 2 for the Management Box. The administration interface will be disconnected
  5. After the Management restart, log into the Management Box with the 6.3 Administration Interface
  6. Restore the manual snapshot created before the update
  7. Perform an Apply (with Cold Restart selected) on all the configurations


In case of a virtualization environment, you can use snapshots to roll-back to a previous version of DenyAll WAF 6.3.
