This version is a maintenance release of the Long Term Support (LTS) v5.5.
ICX rules behavior
The fix for "[DA-724]: Double conditions on same element in an ICX rule doesn't work" can change the behavior of some ICX exception rules. Previously, a rule with several conditions on the same field matched as soon as one of those conditions was true, whatever the selected ‘Match’ type (‘Any’ or ‘All’). In i-Suite 5.5.8, with the Match type ‘All’, the rule matches only if all conditions are true, regardless of the type of fields.
Before 5.5.8, R1 = C1 AND (C2 OR C3)
In 5.5.8, R1 = C1 AND C2 AND C3
In 5.5.9, the previous behaviour was reintroduced; it corresponds to the 'All fields' match type ([DA-3490]).
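The following added example (not DenyAll code) models the three match types described above so that an exception rule can be checked for a behaviour change between versions. The condition format, field names, regular expressions and the request dictionary are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# A condition is (field, regex). This representation is an assumption made
# for the sketch; it is not the ICX rule format.
def rule_matches(conditions, request, match_type):
    results = [(field, re.search(rx, request.get(field, "")) is not None)
               for field, rx in conditions]
    if match_type == "any":
        return any(ok for _, ok in results)
    if match_type == "all":          # 5.5.8 'All': every condition must be true
        return all(ok for _, ok in results)
    if match_type == "all_fields":   # before 5.5.8, and 'All fields' from 5.5.9
        by_field = defaultdict(list)
        for field, ok in results:
            by_field[field].append(ok)
        # OR between conditions on the same field, AND between fields
        return all(any(oks) for oks in by_field.values())
    raise ValueError(f"unknown match type: {match_type}")

# Constructed exception rule R1: C1 on the path, C2 and C3 on the same header.
R1 = [
    ("path", r"^/api/upload"),             # C1
    ("user_agent", r"^BackupAgent/"),      # C2
    ("user_agent", r"^MonitoringProbe/"),  # C3
]

# Constructed request: C1 and C2 are true, C3 is false.
REQUEST = {"path": "/api/upload/42", "user_agent": "BackupAgent/2.1"}

def changed_by_5_5_8(conditions, request):
    """True when the rule matched before 5.5.8 but not with the 5.5.8 'All' type."""
    return (rule_matches(conditions, request, "all_fields")
            and not rule_matches(conditions, request, "all"))

if __name__ == "__main__":
    for mode in ("any", "all", "all_fields"):
        print(mode, rule_matches(R1, REQUEST, mode))
    print("behaviour changed in 5.5.8:", changed_by_5_5_8(R1, REQUEST))
```

An exception rule for which `changed_by_5_5_8` returns true stops applying on 5.5.8, so requests it used to exempt are handled by the normal policy until the rule is switched to 'All fields' on 5.5.9 or later.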
OpenSSL weak ciphers no longer supported
i-Suite 5.5.10 includes the latest version of OpenSSL. Since OpenSSL 1.0.1s, weak ciphers are no longer supported. The update cannot be performed until weak ciphers are removed from all SSL Cipher Profiles.
ADH-AES256-GCM-SHA384, ADH-AES256-SHA256, ADH-AES256-SHA, ADH-CAMELLIA256-SHA, ADH-AES128-GCM-SHA256, ADH-AES128-SHA256, ADH-AES128-SHA, ADH-SEED-SHA, ADH-CAMELLIA128-SHA, ADH-RC4-MD5, ADH-DES-CBC3-SHA, AECDH-AES256-SHA, AECDH-AES128-SHA, AECDH-RC4-SHA, AECDH-DES-CBC3-SHA, AECDH-NULL-SHA
As a reminder, TLS clients reject handshakes with DH parameters shorter than 1024 bits (since OpenSSL 1.0.1r).
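A pre-upgrade check for the cipher list above, as an added example that is not part of the product: it scans cipher profiles for entries that still enable one of the removed ciphers. It assumes each profile can be expressed as an OpenSSL-style cipher string; the profile names and contents are constructed.

```python
import re

# Cipher names exactly as listed in this release note.
REMOVED = set("""
ADH-AES256-GCM-SHA384 ADH-AES256-SHA256 ADH-AES256-SHA ADH-CAMELLIA256-SHA
ADH-AES128-GCM-SHA256 ADH-AES128-SHA256 ADH-AES128-SHA ADH-SEED-SHA
ADH-CAMELLIA128-SHA ADH-RC4-MD5 ADH-DES-CBC3-SHA AECDH-AES256-SHA
AECDH-AES128-SHA AECDH-RC4-SHA AECDH-DES-CBC3-SHA AECDH-NULL-SHA
""".split())

# OpenSSL cipher-string keywords that select anonymous DH/ECDH suites.
# Other group keywords are not expanded by this check.
ANON_KEYWORDS = {"aNULL", "ADH", "AECDH"}

def offending_entries(cipher_string):
    """Return the entries that enable a removed cipher, in order of appearance."""
    found = []
    # OpenSSL separates entries with ':', ',' or spaces.
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        # '!' and '-' remove ciphers, a leading '+' only reorders: none enable.
        if not token or token[0] in "!-+":
            continue
        parts = token.split("+")  # 'ADH+AES' combines keywords with AND
        if token in REMOVED or any(p in ANON_KEYWORDS for p in parts):
            found.append(token)
    return found

def audit_profiles(profiles):
    """Map profile name -> offending entries, for profiles that need cleanup."""
    report = {}
    for name, cipher_string in profiles.items():
        bad = offending_entries(cipher_string)
        if bad:
            report[name] = bad
    return report

# Constructed sample profiles (names and format are assumptions).
PROFILES = {
    "default": "ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:!aNULL:!MD5",
    "legacy-partner": "AES128-SHA:ADH-AES128-SHA:AECDH-RC4-SHA",
    "lab": "AES256-SHA:aNULL:-ADH-SEED-SHA",
}

if __name__ == "__main__":
    for name, bad in audit_profiles(PROFILES).items():
        print(f"{name}: remove {', '.join(bad)}")
```

The check is literal: an entry is reported even if a later exclusion would cancel it, because the update requires the ciphers to be removed from the profile itself.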
Security and component updates
- PHP to 5.5.35
- OpenSSL to 1.0.1t
Bug criticality indicators
: Serious, : Moderate or with workaround, : Low or cosmetic.
- [DA-4291] Change primary interface to other device, older primary disappear
- [DA-4076] Change Primary IP drop VIP linked to this device
- [DA-4579] Loading and runtime crash with URL Mappings using load-balancers
- [DA-4667] Mod_geoip update due to segfault in runtime
- [DA-3982] X509 extract pubkey is not valid
- [DA-3633] Spaces are not correctly displayed by the GUI in the workflow nodes
- [DA-3981] CRL not up to date after an apply
- [DA-4102] Accept self signed certificate upload in Certificate Bundle CA
- [DA-4401] Updated CRLs are not used by tunnel configuration
- [DA-3648] P12 import with chain file include into certificate file
- [DA-4440] Logfilter takes too much stack memory
- [DA-3601] Wrong scheduled tasks last run date behaviours
- [DA-4058] SNMP not working on managed after apply
- [DA-4393] IP Reputation option not enabled in GUI
- [DA-3735] MMProxy metric is critical when no MMProxy configured
- [DA-3354] Webroot licence for managed
- [DA-4509] Backend-monitor does not use configured SSL protocols only
- [DA-4579] Crash at apply when using URL Mapping and Load Balancing
Identified problems, failures and limitations
Deprecated EXPORT ciphers in OpenSSL
SSL accelerator cards
Ambiguous report for RAID and power supply status
On the 2100 server, the RAID status could be misleading when a disk is in fault.
- This version cannot be installed on hardware (or virtual machines) with 32-bit CPUs. The installation process will abort.
- The procedure "Changing the IP administration of i-Box via BeeShell" must be followed by a reboot (reboot command) of the i-Box so that the connection can be established on the new IP.
- [BW-2213] - Configuration overwrite if Credential repository and Authentication server have the same name.
- [BW-2015] - SSH daemon, SNMP daemon, DNS and Hosts sections of i-Box configuration are not activated after restore.
The workaround is to open the i‑Box modification dialog after restoring and validate the configuration.
- [BW-1750] - "HTTP Basic Authentication - Custom Learning" doesn't support non-UTF8 encoding
- [BW-1317] - Credential learning does not work when backend is sending back gzip/deflate
- [BW-2209] - Scheduled task: reports are generated in English despite French setting
- [BW-2096] - Large request headers won't be logged in security logs
When a request contains an attack and the header size is large (near 64K), the alert is not logged in the Security Logs.
- [BW-1126] - Labels are lost after restoring items
- [BW-1076] - Failed scheduled task not reported in event log
Before installing this version, back up any work that is in progress. Generate and download a backup of all the i‑Boxes.
- Check that the i‑Box cluster is running under version 5.4.x, or 5.5.x
- Download the latest Administration Interface (5.5.10) from https://my.denyall.com
- Log into the Management i‑Box with the new Interface.
- Download the beeware-os 5.5.10 RSE file to the i‑Box.
- Back up all the configurations and download the backup file.
- Select the Management i‑Box and click “Install”. The Management i‑Box must be updated first, before updating the managed i‑Box.
- The installation process will automatically reboot the i‑Box.
- Repeat stages 5 and 6 for each managed i‑Box, if there are any.
- Perform an Apply (with Cold Restart selected) on all the configurations.
- Start by uninstalling all managed i-Boxes. Select a managed i‑Box and click Uninstall.
- The i-Box is rebooted automatically.
- Repeat stages 1 and 2 for all managed i-Boxes.
- Repeat stages 1 and 2 for the Management i-Box. The administration console will be disconnected.
- After the Management i-Box reboots, log into the Management i-Box and perform an Apply (with Cold Restart selected) on all the configurations.