IBM Security Network Protection 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008 README ======================================================================== Readme file for: IBM Security Network Protection Firmware 5.2.0 All-Models-Hotfix 0008 Product/Component Release: 5.2.0.0 Update Name: 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008 PatchID: 2069 Platforms: XGS Publication date: March 26, 2015 Last Modification date: March 26, 2015 Copyright IBM Corporation 2015. Read this document in its entirety. ======================================================================== CONTENTS ======================================================================== * Description * Compatibility and Prerequisites * Known Issues * Installation information * Files included in this update * Contacting IBM Support * Copyright and trademark ======================================================================== DESCRIPTION ======================================================================== NOTE: A reboot is required for the changes made by the fixpack to apply. It also recommended to clear the browser cache on any browsers used to manage the appliance. - Delivers security fixes to date. Please visit http://www-947.ibm.com/support/entry/portal/support to view security bulletins for this product. - 64948: Disabling protection ports prior to port pair for SSL inspection prevents any Outbound SSL inspection from occurring. - 65209: Firmware Settings page displays an error on Internet Explorer 11. - 65864: XGS LCD panel displays incoherent text on several XGS3100 models. - 66565: mesa_eventsd fails to initialize DB after enough number of reloading. - 67899: LUM's agent description string is missing firmware version. - 67900: alpsd has no effective watchdog during shutdown Previous Fixes: - 62145: Update time zones to support Eternal Winter Time. - 64019: An invalid "TCP Reset Interface" setting in the adapters policy causes all future policy changes to reset links on all connected protection interfaces. - Fix an issue with LACP Down. - Fix issue with snapshot upload not working for some browser configurations. - Fix adapter configuration for ips event filter rules. - Fix issue for not able to add ICMP into restriction tab for Non-Web Object in NAP rules. - Fix issue for not able to save customized schedule security setting policy in SP for Windows OS Language that doe not support the 12-hour notation (AM/PM) conversion. e.g Japanese NOTE: Patch in SiteProtector-XGS-Schedule-Security-Settings-Fix folder - Fixes an issue where XGS fails to post events to SP. - Fixes an Exception on License and Updates Overview page that doesn't load page when all protection interfaces disabled. - Corrects aplsd crash - Add DCA lookup logging - Corrects pktcapd restart race condition which prevents NAP rule from being changed. - Fix kernel panic - Quarantine rules are not added in response to non-sequitur events (Network sweeps, scans and flood events) that have quarantine responses enabled. - Quarantine rules are added in response to events that are detected in Monitoring mode (IDS mode), even though quarantine responses are not applicable in Monitoring mode. - Improvements to hardware bypass to prevent a crash on exit under certain conditions. - PAM XPU 34.070 (July 2014) breaks Domain Certificate Object matching in Network Access and SSL Inspection rules. - Update to hardware bypass to allow for continued operation of the bypass modules if an internal error occurs. - Fixes the command line interface to display DHCP acquired management IP addresses. - Fixes Inbound SSL decryption failures related to error message "No Error Set." - Fixes an internal error that can occur while processing TLS/SSL traffic. - Optimizations to decrease packet latency. - Fixes an internal error that can occur when processing TLS or SSL traffic. - Fixes an intermittent issue that displays Top 10 Applications as Unknown when the application is known. - Replaces application database recovery files that were not migrated when updating from 5.1.2 to 5.2. - Fixes the status of the Application Control license. - Fix to preserve the IP Reputation license when the Application License is removed Note: If the Event Id GLGSY0038W appears in your System Events Event Log, then the operating system is experiencing a temporary failure. However, the appliance is still protecting your network. Contact IBM Support for assistance. ======================================================================== COMPATIBILITY AND PREREQUISITES ======================================================================== This update is only compatible with the IBM Security Network Protection firmware 5.2.0. It can be applied on top of any previously installed fix pack. MD5 checksum calculation: - 4a71ea5527f56dc5ca85c63139bc342e 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008.fixpack ======================================================================== KNOWN ISSUES ======================================================================== 1) We are aware of issue 64948 - where if you disable any protected interfaces before enabling outbound SSL inspection it will cause the SSL inspection to not work. As a work around re-enable the protected interfaces, re-enable outbound SSL inspection and then disable your desired interface. This should allow the inspection to function correctly. A fix for this is planed for a future release. 2) Fixpack does not allow for rollback. If rollback is done and appliance is then rebooted then the appliance will get into an unconfigured state. There is no way to recover but to reimage the box or change to the secondary partition. Change to secondary partition: a) reboot b) choose none selected partition from the grub menu c) press enter ======================================================================== INSTALLATION INFORMATION ======================================================================== To apply fix pack through LMI 1) Go to Manage System Settings --> Updates and Licensing --> Fix Packs 2) Click +New 3) Browse for fix pack file: - 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008.fixpack 4) Click Save Configuration 5) Reboot Appliance and clear Browser cache on any browser used to manage appliance To apply fix pack through USB port of XGS 1) Copy fix pack file into a USB device: - 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008.fixpack 2) Connect USB device onto XGS in which you want to apply fix pack 3) ssh to XGS appliance - ssh admin@XXX.XXX.XXX.XXX 4) Type fix pack, press enter 5) Type install, press enter 6) Confirm USB device is inserted by typing YES and pressing enter ======================================================================== FILES INCLUDED IN THIS UPDATE ======================================================================== 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008.zip | |--5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008.fixpack | |--5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008-Readme.txt | |--SiteProtector-XGS-Schedule-Security-Settings-Fix/ ======================================================================== CONTACTING IBM SUPPORT ======================================================================== To Contact IBM Support Worldwide Phone: Call IBM Support by selecting phone number from this location: http://www.ibm.com/planetwide When prompted for type of support, select option 2 for Software Support You will need to provide your IBM Customer Number (ICN) Electronically: Go to http://www.ibm.com/legal/copytrade.shtml and open a new service request =========================================================================== COPYRIGHT AND TRADEMARK =========================================================================== Copyright and trademark information http://www.ibm.com/legal/copytrade.shtml Notices INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Microsoft, Windows, and Windows Server are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Other company, product, or service names may be trademarks or service marks of others. *THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION* See the license agreement for this product for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions: * the Excluded Components are provided on an "AS IS" basis * IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * IBM will not be liable to you or indemnify you for any claims related to the Excluded Components * IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components. ===========================================================================