Version 5.0.1
RELEASE NOTES
Updated 01/04/2005
I. FEATURES AND REQUIREMENTS
BACKING UP YOUR APS CONFIGURATION. You should use the Import/Export
Configuration feature in the Management Console Setup Task to perform
regular backups of your APS configuration.
REGULAR EXPRESSIONS. The APS uses the POSIX Regex library. Any regular
expressions you use anywhere in the Management Console must conform to
POSIX standards.
Periods are interpreted literally in a web application URL.
VIRTUAL MEMORY and INTERNET EXPLORER. You must ensure that you have
sufficient available virtual memory on the workstation from which you
access the Management Console. If you do not have enough free virtual
memory (perhaps because of limited hard disk space, or because you are
running too many applications simultaneously), Internet Explorer may behave
erratically. This is a limitation of various versions of Internet Explorer
running under different releases of the Microsoft Windows operating system.
SUPPORTED SFTP VERSIONS FOR UPGRADING. You must use the SFTP client version
3.0.2 or later to upload upgrade patches.
ERROR URL. Enter your Error Page URL in the Request Inspection Activity
screen, Start URL relaxation rules (Enterprise Edition) or URL Filtering
rules (Base Edition).
SESSION FAILOVER. If the Web Application contains relative URLs inside
JavaScript which do not begin with a slash (/), set URL Signature in Query
during setup in the management UI.
SITE IMPORT. When a site configuration is imported, the nodes must already
be present in the network and configured via the CLI with the same
lan-wan-control parameters as in the configuration; otherwise the import
may not complete correctly.
SWITCHES. In a VRRP setup, if the switch to which the APS is connected runs
the Spanning Tree Protocol (STP), there might be problems associated with
proper failure detection and takeover. It is strongly recommended that STP
be turned OFF on the switch interfaces connected to the APS. This does not
affect switches that do not run STP. To turn off STP on Cisco switches,
enable PortFast on the specific interfaces used by the Teros APS nodes.
For other vendor switches, please consult your switch documentation.
START URLs. It is often a good idea to add the application path of an
application to its list of start URLs:
{APP_PATH}/\?$
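The following is an added example, not code from the Teros release notes or
the APS itself. It shows one way to build a start URL rule from an
application path so that periods and other regex metacharacters in the path
match literally (the POSIX regex point above) and so that the application
root matches with or without a trailing slash. The page writes the rule as
{APP_PATH}/\?$ in the appliance's POSIX syntax; this Python translation
assumes the trailing "?" makes the slash optional, and it anchors the match
at the start of the request path as well, which is stricter than the
"$"-only rule shown above. The function names and sample paths are the
example's own.

```python
import re

# Added example (not from the Teros release notes): build a start URL
# pattern from an application path. Assumption: the page's "\?" marks the
# slash as optional. re.escape() makes periods and other metacharacters in
# the path match literally, mirroring the rule that periods in a web
# application URL are taken literally.


def start_url_pattern(app_path: str) -> str:
    """Return a regex matching app_path, optionally followed by one '/'."""
    path = app_path.rstrip("/")  # avoid doubling the slash
    return re.escape(path) + "/?$"


def is_start_url(app_path: str, request_path: str) -> bool:
    """True when request_path is the application root, with or without '/'.

    re.match anchors at the start of the path (stricter than the page's
    "$"-only rule), so "/other/app.v2" is not accepted as a start URL.
    """
    return re.match(start_url_pattern(app_path), request_path) is not None


if __name__ == "__main__":
    for p in ("/app.v2", "/app.v2/", "/appXv2", "/app.v2/login"):
        print(p, is_start_url("/app.v2", p))
```

Because the period is escaped, "/appXv2" is rejected even though an unescaped
"." would have matched any character there; "/app.v2/login" is rejected by
the "$" anchor.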
WAN VRRP.
1. Only 2 node clusters are supported, with one Master (Active) node and one
Backup (Passive) node.
2. HTTP and HTTPS traffic is only handled by WAN aliases that have a different
IP address than the WAN IP address. The WAN IP address does not handle traffic.
3. The port forwarding feature works only for WAN aliases under failover
conditions and not for the WAN IPs.
4. A backup management server should also always be configured for WAN VRRP
to work correctly.
5. Turning VRRP on or off can be performed only when no nodes have been added
in the UI. On the Network Settings page, press the Settings button to open the
VRRP Settings dialog box. Check or uncheck the VRRP Mode check box and press
the Save Mode button.
6. The VRRP Id must be unique for each APS cluster in the same broadcast
domain that has WAN VRRP turned on. On the Network Settings page, press the
Settings button to open the VRRP Settings dialog box. By default the VRRP Id
is set to 240 and can be changed to any number between 1 and 254.
7. Site Import is not supported after WAN failover takes place. The import should
be performed on the same APS as the export was from.
BACKUP MANAGEMENT SERVER.
1. To set up the backup management server, open the System Settings page and
press the Settings button in the Backup Management Server group. If nodes
have already been added in the UI, the drop-down box lists the available
ones. If an APS node will be used only as a backup management server, the
node is not added as an APS and thus its IP does not show up in the list.
In that case, enter its control IP in the "Other" text box. Then press the
Save button in the Backup Management Server dialog box.
2. To browse settings on the backup management server, open the management
console on the backup management server. Press the "Continue as Backup"
button to get read-only access.
3. To change the backup management server to Primary, open the management
console on the backup management server. Press the "Set as Primary" button
to swap the Backup and Primary management servers. If the change was made
while the original Primary node was down, when that node comes back it may
not be aware that it should be the Backup. At that point, open the System
Settings page on the new Primary and press the Settings button in the Backup
Management Server group. Press the Save button in the Backup Management
Server dialog box. This flushes the configuration to the original Primary
and also makes it the new Backup.
II. KNOWN ISSUES AND WORKAROUNDS
BROWSING PROTECTED WEB SITES FROM NETWORK SERVERS. Do not browse a web site
protected by an APS node or cluster from any network server (such as the
NTP, SNMP, or SMTP server) that you have configured for the APS to use in
its Management Server. If you do, you may not be able to view the web site.
For example, do not run a web browser on your company's NTP server and
then browse your company's protected web site or intranet site.
LOAD BALANCERS AND BRIDGE MODE. If you use an Alteon Ace Director load
balancer, you must perform an extra step when setting up your APS as a
bridge. During initial configuration at the APS command line, you must
type the following:
set_bridge_parameters -i=<IP address> -n=<network mask>
For IP address, substitute an unused IP from the same subnet as the web
servers your APS will protect.
If you use any load balancer with an APS in bridge mode, and your APS does
not function properly after installation, you should remove your APS nodes
from the Management Console's list. Then, for each of your APS nodes,
log on to the APS command line, as you did during initial configuration,
and type the command provided above at the command line. This may fix
the problem.
SERVER COOKIE LIMIT. Teros recommends limiting the total number of
application cookies set per protected domain to fewer than seventeen.
HITS (AND NUMBER THEREOF) ISSUES IN ADAPTIVE LEARNING. The "number of hits"
threshold parameter in the Adaptive Learning pages represents the number of
session hits. If you repeatedly access an application in the same session,
the number will not increase unless accessed in other sessions.
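The following is an added example, not code from the Teros release notes or
the APS, that makes the distinction above concrete: the threshold counts
distinct sessions that touched a URL, so repeated requests from one session
do not move the count. The log records are constructed for the example, and
their layout (session id, method, path) is an assumption, not the
appliance's log format.

```python
from collections import defaultdict

# Added example, not code from the Teros APS: "number of hits" in Adaptive
# Learning counts session hits, not raw requests. The records below are
# constructed; the field layout is an assumption, not the product's format.

SAMPLE_LOG = """\
sess-a GET /app/login
sess-a GET /app/login
sess-a GET /app/login
sess-b GET /app/login
sess-a GET /app/report
sess-c GET /app/report
sess-c POST /app/report
"""


def parse_log(text: str):
    """Yield (session_id, path) tuples from the constructed log text."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        session_id, _method, path = line.split()
        yield session_id, path


def request_counts(text: str) -> dict:
    """Raw request count per path (what a naive counter would report)."""
    counts = defaultdict(int)
    for _sid, path in parse_log(text):
        counts[path] += 1
    return dict(counts)


def session_hit_counts(text: str) -> dict:
    """Distinct-session hit count per path, the way the threshold is applied:
    repeated access from one session adds nothing after its first hit."""
    sessions = defaultdict(set)
    for sid, path in parse_log(text):
        sessions[path].add(sid)
    return {path: len(sids) for path, sids in sessions.items()}


def paths_meeting_threshold(text: str, threshold: int) -> list:
    """Paths whose distinct-session hits reach the configured threshold."""
    hits = session_hit_counts(text)
    return sorted(p for p, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print("requests:", request_counts(SAMPLE_LOG))
    print("session hits:", session_hit_counts(SAMPLE_LOG))
    print("threshold 3:", paths_meeting_threshold(SAMPLE_LOG, 3))
```

With this data /app/login sees four requests but only two sessions, so a
threshold of 3 is not reached; to raise the count you must access the
application from additional sessions, as the note says.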
MODIFYING LAN/WAN PARAMETERS. Once an APS node is added in the UI,
site administrators must use only the UI (and not the CLI) to modify its
WAN/LAN parameters.
BRIDGE MODE.
1. In the Setup Task, Network Settings Activity, Global Bridge Settings,
your customized settings are not maintained if you switch from Customize
to Block All Services or Allow All Services. When you switch back to
Customize, your list of services and protocols will have cleared.
You should keep a copy of your customized list in order to reset the
services and protocols later.
2. ssldump functionality is not currently supported in this mode.
HEAD REQUEST VARIANCE. Under certain conditions, it is possible that the
headers returned for a HEAD request will be slightly different from the ones
returned for the corresponding GET. The former may contain a Content-Length
header, which the latter will substitute with a "Transfer-Encoding:
chunked" one.
IMPORTING WEB SERVERS. If you are not using https, when you import a list
of web servers to your proxy mode APS, the import file should still follow
the same syntax rules as are used with https:
webserver1.example.com,10.129.161.34,80,
Do not omit the final comma.
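The following is an added example, not code from the Teros release notes or
the APS: a pre-flight check you can run over a non-https import file before
uploading it, so that a line missing its final comma is caught before the
import rather than by a failed import. It enforces the rule stated above
(three fields followed by a trailing comma) and adds plausibility checks on
the hostname, IPv4 address and port. The meaning of the empty fourth field
is not documented here and is left unchecked; the sample lines and function
names are the example's own.

```python
import ipaddress
import re

# Added example, not part of the Teros release notes or product: validate a
# proxy mode web server import file (non-https form, where the fourth field
# is empty). Each line must read host,ip,port, with a trailing comma.

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def validate_line(line: str):
    """Return None if the line is acceptable, else a description of the defect."""
    if not line.endswith(","):
        return "missing final comma"
    fields = line.split(",")
    if len(fields) != 4:
        return "expected 3 fields followed by a trailing comma, got %d" % (
            len(fields) - 1
        )
    host, ip, port, _tail = fields
    if not HOSTNAME_RE.match(host):
        return "invalid hostname %r" % host
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return "invalid IPv4 address %r" % ip
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return "invalid port %r" % port
    return None


def validate_import(text: str):
    """Return a list of (line_number, problem) for every defective line."""
    problems = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # tolerate trailing whitespace after the comma
        if not line:
            continue  # blank lines are skipped (assumption of this example)
        problem = validate_line(line)
        if problem:
            problems.append((n, problem))
    return problems


# Constructed sample: line 2 lacks the trailing comma, line 3 has a bad port.
SAMPLE_IMPORT = """\
webserver1.example.com,10.129.161.34,80,
webserver2.example.com,10.129.161.35,80
webserver3.example.com,10.129.161.36,99999,
"""

if __name__ == "__main__":
    for lineno, problem in validate_import(SAMPLE_IMPORT):
        print("line %d: %s" % (lineno, problem))
```

Run it against the file you intend to import; an empty result means every
non-blank line has the required shape.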
CLI SET_CONFIG RESETFAC COMMAND. If you have previously run the set_config
resetfac command and rebooted an APS node, then while reconfiguring that
APS at the CLI, after setting the IP addresses for the interfaces, you
must run the restart_procs command.
PATCH IMPORT. While importing a patch in the Management Interface, a "Patch
in progress" message appears within a couple of minutes after you have
clicked the Import button. Do not click the button a second time.
Depending on the patch size and connection speed, if the patch upload takes
more than 5 minutes, we recommend upgrading via SFTP.
SITE/APPLICATION IMPORT.
1. While importing a configuration in the Management Interface, there is no
visual indication that Site or Application Import is in Progress. You
should not click the button a second time.
2. Importing site configuration with FIPS setup into a non-FIPS setup is not
supported.
NETSCREEN FIREWALL INTEGRATION. Integration with NetScreen firewall is
not fully functional after the management server fails over to a backup.
If you have a NetScreen firewall and integrate your APS with it, you should
not configure a backup management server.
The UI does not display the NetScreen log file.
TEROS 100FIPS/200FIPS CONFIGURATION.
1. You must configure the Teros 100FIPS/200FIPS as follows:
a. Add an APS node.
b. Add your web servers with their SSL certificates.
c. Perform SSL mapping in the APS node properties dialog box.
2. If you import the site configuration for a Teros 100FIPS/200FIPS, you must
reload your SSL certificates afterward, and perform SSL mapping
after reloading them.
3. On a Teros 100FIPS/200FIPS, the SSL certificate and key must
not be combined in a single file -- you must upload them separately.
4. ssldump functionality is not supported in FIPS configuration.
REQUEST/RESPONSE HEADERS SECTION. When logged on as Site Administrator,
in the Security Policy Task, Input Validation Activity screen, in the
Define Allowed Request Headers section, if you:
1. Select the Customize radio button,
2. Click the Settings... button to display the Customization dialog
box, and then
3. In the Customization dialog box, just click the Close button,
the Management Console will still have the Customize option selected.
MANAGEMENT INTERFACE DISPLAY. When configuring your APS in the Management
Interface, if you get an error message for any add/delete operation, you
must reverse your changes and repeat that operation. You must do this
even if the add or delete appears to have occurred properly.
BASE EDITION.
1. The online help for all screens contains information for Enterprise
Edition of the APS. It may refer to features that are not available
in the APS Base Edition.
2. Strip HTML comments is supported only if a response URL rewriting rule
is defined for the application.
3. Set AutoComplete is supported only if a response URL rewriting rule
is defined for the application.
SERVER CHAIN CERTIFICATE. To upload a server chain certificate, you need
to create a dummy application and upload the server chain certificate as a
client-side CA certificate.
4.1.X to 5.0.1 PATCH UPGRADE IN CASE OF WAN VRRP and/or BACKUP MANAGEMENT SERVER.
1. Turn off WAN VRRP.
Skip this step if you do not have WAN VRRP set up.
1.1 Open Network Settings page and delete all APS nodes from UI.
1.2 Run set_wan_parameters CLI command with appropriate arguments on all
nodes in the cluster.
1.3 On Network Settings page, uncheck VRRP Mode check box and press
Save Mode button.
1.4 Add Teros APS nodes. Do not fill in WAN IP address.
2. Turn off the backup management server.
Skip this step if you do not have a backup management server set up.
2.1 Log out of UI.
2.2 First issue CLI commands "set_primary_mgmt_server_ip off" and
"set_backup_mgmt_server_ip off" on backup mgmt server APS and then on
primary APS.
2.3 Re-run set_control_parameters CLI command with appropriate arguments on
both primary and backup APS nodes.
2.4 Run set_mgmt_server_ip CLI command with the control IP of the designated
management server node on all nodes in the cluster.
2.5 Run "set_config save" CLI command on all nodes in the cluster.
3. Apply the patch.
Upgrade the APS following the upgrade instructions detailed in
Chapter 7, Upgrading your APS, in the APS Installation Guide (Release 4.0).
4. Turn on WAN VRRP.
4.1 Open Network Settings page and delete all APS nodes.
4.2 On Network Settings page press Settings button to open VRRP Settings
dialog box. Check VRRP Mode check box and press Save button.
4.3 Add Teros APS nodes.
5. Turn on backup management server.
5.1 Open the System Settings page and press the Settings button in the Backup
Management Server group to set the backup management server.
5.2 Do not run set_primary_mgmt_server_ip and set_backup_mgmt_server_ip CLI
commands.
CENTRALIZED LOGGING.
1. Centralized logging via SFTP is not functional after a site config import
or after a failover of the management server to its backup. In such
circumstances, some parts of it will need to be redone in the UI.
2. When adding SFTP Server Public Key in SFTP Settings window, remove all
leading and trailing blank lines.
3. After making any changes in the Centralized Log Properties window, open
the Built-in Log Properties dialog box and press the OK button.
WSDL FILE RETRIEVAL. In order to allow WSDL retrieval, add the URL which
delivers the XML document as a start URL.
TIME SETTINGS.
1. After patch upgrade or whenever a new node is added to the cluster log on
as a Site Administrator and re-save the NTP server IP address on System
Settings page in the Time Settings section.
2. Time should not be changed more often than once every 5 minutes.
3. Setting Time Zone: do not use Etc/GMT+n or Etc/GMT-n as an argument.
WEB APPLICATION URL. Backslash (\) is displayed as two backslashes (\\) in web
application URL.
REPORTS. Inspection Report in PDF format cannot be downloaded on Windows 2000.
III. BUG FIXES
Fixed in 3.0.2:
Setting Blocking OFF for Cookies/Field Consistencies sets URL Closure OFF.
Fixed in 3.0.3:
WAN IP listens only on port 443 for ssl, ignores set_https_port CLI command.
Fixed in 3.0.4:
Treat comma as separator in cookies only if appropriate
Fixed in 3.0.7:
Alias port null being treated as a unique value
Fixed in 3.1.0:
Sanity check should be done when RegEx is added in Field Types.
The log entries should be sortable by clicking on the column headings
Error message "Can't find FIPS card" should be generated in APS Log if
SAFE Key license is present, but no FIPS card can be found.
Application-level Disable Blocking disables URL Rewriting.
Data validation should be done in UI for error page: it should either
start with /, http:// or https://
Centralized logging cannot be unset.
Fixed in 3.2.0:
Log entries at the Breach level are displayed at the Information level
in APS Logs
Fixed in 4.0.0:
A node in bridge mode will always listen on port 443 if any of the web
servers behind it is listening for https.
The APS does not generate access logs (CLF/ECLF) for errors that it
generates, such as 500, 401 etc.
Should be able to Apply/Skip/Ignore any number of recommendations at once
Some default DenyURLs RegExes don't block when error page is
set to slash (/).
Alert notifications are still sent to the old IP after modifying Syslog IP.
Patch version should be validated in UI.
Misdirected session forwarding for WAN aliases in proxy mode.
Time was not shifted back by 1 hour on APS after the Summer months.
When license for SSL is uploaded on a top of expired one, SSL does not work.
Two cookies with the same name caused problems, as one (the required one)
was stripped off by the APS.
After turning VRRP off node is not listening on port 80.
Exported site and application configuration file should have the aps version in it.
Invalid inputs to ui_access command deny access completely.
Fixed in 4.1.1:
Disable blocking check box is sometimes incorrectly unchecked after 3.0.10
to 3.x.x patch upgrade.
Fixed in 4.1.5:
Requests with negative Content-Length may not be handled properly.
Added denied_req_headers and denied_resp_headers CLI commands.
Fixed in 4.1.6:
Extra memory was being used when downloading large files.
Fixed in 4.1.7:
FTP not working in some cases through APS.
Fixed in 4.1.8:
Relative URLs in the response are rewritten only when the original request
itself was rewritten.
Fixed in 4.1.9:
Data after ampersand in error URL is truncated.
Field format recommendations for some multibyte encoding are incorrect.
Record MAC error during SSLv3 negotiation on an MSIE 6 SP1 Windows 2000 SP4
machine using default MSIE SSL options along with turning TLS on.
Fixed in 4.1.10:
MSIE error in bridge mode opening the Web Applications page if there are no
applications.
In bridge mode, a 400 error is returned if set_ssl_reencrypt is off.
Added support for a configurable idle timeout for SSL sessions.
Fixed in 4.1.11:
Only a limited number of web servers could be imported.
Fixed in 4.1.12:
Added alerts if ftp/sftp for centralized logging failed.
Fixed in 5.0.0:
If ALL inspection bits are turned off, Location HTTP header is not rewritten.
Can't unset NTP server.
No access logs (clf logs) when server closes connection after reading request.
UTC should not be a part of exported logs in Custom log formats.
APS is taking too long to respond to an ARP destined for a server behind it
in bridge mode.
SSL TLS1 should be enabled.