HP SECBLADEII-CMW520-F3171P05 Release Notes
Keywords: firewall
Abstract: These release notes describe the HP SECBLADEII-CMW520-F3171P05 release with respect to version information, version changes, restrictions and cautions, feature list, open problems and workarounds, list of solved problems, related documentation, and software upgrading.

Acronyms
Acronym   Full spelling
VRRP      Virtual Router Redundancy Protocol

Hewlett-Packard Development Company, L.P.
Contents
Version information .......... 7
  Version number .......... 7
  Version history .......... 7
  Hardware and software compatibility matrix
Upgrading applications .......... 38
Upgrading the BootWare program .......... 39
Upgrading applications using TFTP .......... 41
Upgrading applications using TFTP on the BootWare menu

List of tables
Table 1 Version history .......... 7
Table 2 Hardware and software compatibility matrix .......... 7
Table 3 Hardware features
Version information

Version number
HP SecBlade FW Comware software, Version 5.

Item                         Specifications
A8800 version                AR8800-CMW520-R3343
IMC version                  iMC PLAT 5.0 SP1 (E0101L07)
SecCenter Firewall Manager   SecCenter Firewall Manager E0027

Sample: To display the host software and BootWare version of the SecBladeII card, execute the following command:
dis version
HP Comware Platform Software
Comware Software, Version 5.20, Feature 3171P05
Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.
ICMP fragment sending restriction
Pinging the firewall card from a PC with ICMP echo requests larger than 35000 bytes may fail. The large ICMP echo reply is fragmented according to the interface MTU, and the resulting burst of fragments overwhelms the sending interface. Because the interface has no QoS queue support, fragments are dropped, so the PC never collects the complete set of fragments needed to reassemble the reply.
Item                                Description
Fixed interfaces                    1 × GE RJ-45 copper port
                                    1 console port (CON)
                                    2 × GE RJ-45 copper ports
                                    2 × GE combo interfaces
CF Flash                            256 MB (default)
Operating temperature               0°C to 40°C (32°F to 104°F)
Relative humidity (noncondensing)   10% to 90%

Software features
Table 4 Software features
Category                   Features
AAA                        RADIUS/HWTACACS+
                           CHAP authentication
                           PAP authentication
                           Domain authentication
Packet-filter              Security zone based access control
                           Time base

Security management        Real-time attack logs
                           Blacklist logs
                           Session logs
                           Binary logs
                           Traffic statistics and analysis
                           Security event statistics
NAT                        Address pool based translation
                           Address translation controlled by ACL
                           Easy IP
                           NAT Server
                           Valid time for address translation
                           Multiple ALGs, including FTP, DNS, QQ, MSN, H323, NBT, ILS, RTSP, SQLNET, SIP, RSH, and MGCP
IPsec                      AH and ESP
                           Static and IKE security associations
                           ESP support for DES, 3DES and AES I
(DES and 3DES are listed for interoperability with older peers; prefer AES wherever the peer supports it.)

IPv6                       Protocol processing: Ethernet link layer
                           Basic IPv6 protocols: ICMPv6, IPv6 address management, PMTU, Socket, TCP6, UDP6, RAWIP6, Ping6, DNS6, TraceRT6, Telnet6, FIB6
                           DHCPv6 Client, DHCPv6 Relay
                           IPv6 routing and multicast: RIPng, OSPFv3, BGP4+, Static routing, Policy-based routing, PIM-SM, PIM-DM
                           NAT-PT, Manual tunnel, IPv6 over IPv4 GRE tunnel (RFC2784), 6to4 tunnel (RFC3056), ISATAP tunnel
                           IPv6 security: IPv6 packet filter, RADIUS
Network availability       VRRP

Configuration management   Local configuration through the console port
                           Local or remote configuration through Telnet or SSH
                           Hierarchical user privileges
                           Debugging information
                           Tracert, Ping
                           CLI
                           Telnet to another device to manage it
                           FTP server/client
                           File upload/download through TFTP
                           Logging
                           File system management
                           User interface configuration supporting multiple authentication and authorization schemes
                           Logoff of timed-out web administrator
Software feature updates
Item               Description
New features       None
Deleted features   None
Modified features  ACL configuration is added to NAT static and NAT server.

Item               Description
New features       • Stateful failover configuration synchronization
                   • IPv6
Deleted features   None
Modified features  Support for policy log query is added on the interzone policy summary page.

Command line updates
Table 6 Command line updates
Version number   Item                Description
F3171P05         New commands        ip forwarding per-flow
                                     ip forwarding per-packet
                 Removed commands    None
                 Modified commands   None
display udp-
Configuration changes
None

Open problems and workarounds
Problem 1 HSD76879
• First found-in version: F3170
• Description: For cross-VPN forwarding, if a cross-VPN route iteration loop exists, shutting down the interface or deleting the interface address triggers a cross-VPN routing loop. Firewall CPU usage reaches 100% and responses to CLI operations become very slow.
• Workaround: Avoid cross-VPN route iteration loops.

• Description: The protected IP addresses configured in TCP Proxy get lost.
Problem 3 HSD98603
• Condition: Upgrade the firewall from version F3166, R3166, or F3169 to version F3171.
• Description: After the upgrade, the session backup function enabled for stateful failover is not enabled.

Resolved problems in SECBLADEII-CMW520-F3171P04
Problem 1 HSD97629
• Condition: Configure OSPF routes.

• Description: When the firewall returns to a normal traffic level, the memory occupied during the peak is not reclaimed in time.
Problem 4 HSD96862
• Condition: Enable the user log function.
• Description: The user log data sent to the log host is incomplete and contains 20 bytes of invalid data.
Problem 5 HSD97292
• Condition: None
• Description: The rate statistics for the firewall's internal 10GE interface are incorrect.

Problem 7 HSD95989
• Condition: None
• Description: The number of hash buckets for fast forwarding on the firewall is limited. As a result, hash collisions may occur, causing packet loss or traffic interruption.

Resolved problems in SECBLADEII-CMW520-F3170
Initial release.
Software upgrading
CAUTION: Upgrade software only when necessary and under the guidance of a technical support engineer.

If you have loaded the three application files into the CF card, the SecBladeII card will boot using these three files in sequence. To change the sequence or a file type, see "Maintaining files" on page 50. Note that:
• The application files for booting the SecBladeII card can be of type M, B, or S, but not type N/A (any type other than M, B, or S).
• You can rename application files with the rename command after the SecBladeII card boots.

NOTE:
• The configuration file name, including the drive identifier and the string terminator, cannot be longer than 64 characters. For example, if the drive identifier is "CF:/", the file name excluding the drive identifier and string terminator can be at most 64 - 1 - 4 = 59 characters long. A file name (excluding drive identifier and string terminator) of no more than 16 characters is recommended.

Upgrade flow
Figure 1 Software upgrade flow

Specifying files
Specifying a boot file
No matter how you upgrade software, use the boot-loader file file-url { main | backup } command in user view to specify a new boot file for the SecBladeII card, and then restart the device. In the command:
• file file-url: Name of the boot file, consisting of 1 to 64 characters.
• main: Main application file.
• backup: Backup application file.

NOTE: A boot file is an application file used to boot the SecBladeII card. When there are multiple application files on the CF card, use the boot-loader command to specify the application file for the next boot. The main application file boots the SecBladeII card; the backup application file is used when the main application file is unavailable.
Software upgrade
After login, select System Management > Software Upgrade from the navigation tree to enter the page shown in Figure 3.
Figure 3 Software upgrade page
Make settings as described in Table 9 to upgrade software.
Table 9 Make settings for upgrading software
Field   Action
File    Click Browse to select the application file saved locally.
        Enter a file name to save the downloaded file to the SecBlade. The file extension must be .bin or .app.
Preparations for software upgrade
Before upgrading the software with the conventional methods, set up a configuration environment.

Setting HyperTerminal parameters
The following describes how to set HyperTerminal parameters on a PC running Windows XP:
Step1 Select Start > Programs/All Programs > Accessories > Communications > HyperTerminal to establish a HyperTerminal connection.

Figure 5 Select the serial interface for the HyperTerminal connection
Step4 Set serial interface parameters. In the COM1 Properties dialog box shown in Figure 6, set the default serial interface properties listed in Table 10.
Table 10 Default serial interface properties
Property          Value
Bits per second   9600 bps
Data bits         8
Parity            None
Stop bits         1
Flow control      None

Figure 6 Set serial interface parameters
Step5 Click OK to enter the HyperTerminal window shown in Figure 7.
Figure 7 HyperTerminal window
Step6 In the HyperTerminal window, select File > Properties > Settings to enter the dialog box shown in Figure 8.

Step7 Set the terminal emulation to VT100 or autodetect and click OK to return to the HyperTerminal window.
Figure 8 Set the terminal emulation type
Step8 Log in to the SecBlade at the switch side.

Introduction to the BootWare menu
Main menu
After the above configurations are completed and the SecBlade is powered on, the card first performs system initialization.
* * * HPA Series SecBlade FW Module BootWare, Version 1.38 * * *
****************************************************************************
Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P.

| <3> Enter Ethernet SubMenu                  |
| <4> File Control                            |
| <5> Modify BootWare Password                |
| <6> Skip Current System Configuration       |
| <7> BootWare Operation Menu                 |
| <8> Clear Super Password                    |
| <9> Storage Device Operation                |
| <0> Reboot                                  |
=============================================================
Enter your choice(0-9):
The main menu is described in Table 11.

Serial submenu
Select 2 on the main menu to enter the serial submenu, where you can upgrade applications using Xmodem.

Table 13 Ethernet submenu
Submenu item                                        Description
<1> Download Application Program To SDRAM and Run   Download an application to the SDRAM and run it.
<2> Update Main Application File                    Upgrade the main application file.
<3> Update Backup Application File                  Upgrade the backup application file.
<4> Update Secure Application File                  Upgrade the secure application file.
<5> Modify Ethernet Parameter                       Modify Ethernet interface parameters.

| <4> Update BootWare By Ethernet             |
| <0> Exit To Main Menu                       |
=============================================================
Enter your choice(0-4):
Table 15 describes the BootWare operation submenu items.
Table 15 BootWare operation submenu
Submenu item                Description
<1> Backup Full BootWare    Back up the entire BootWare program file.
<2> Restore Full BootWare   Restore the entire BootWare program file.
Upgrading the BootWare program and applications through the serial interface
NOTE: The SecBlade cards for the S5800 series switches do not support upgrading the BootWare program and applications through the serial interface.

Introduction to Xmodem
You need to use the Xmodem protocol when upgrading the BootWare program and applications through the serial interface (console interface).

| <0> Exit                                    |
=============================================================
Enter Your Choice(0-5):
Step3 Select a proper baud rate, for example 5 for 115200 bps. The following information is displayed:
Baudrate has been changed to 115200 bps. Please change the terminal's baudrate to 115200 bps, press ENTER when ready.

Figure 10 Modify the baud rate on the HyperTerminal
Step6 Select Call > Call to re-establish a call connection.
Figure 11 Re-establish a call connection
Step7 Press Enter. The current baud rate is displayed and you return to the upper level menu:
The current baudrate is 115200 bps

NOTE: After you have downloaded files at the modified baud rate to upgrade applications, restore the baud rate on the HyperTerminal to 9600 bps promptly, so that the screen displays correctly when the SecBlade card boots or reboots.

Upgrading applications
You can upgrade applications on the serial submenu when upgrading them through the serial interface.
Step1 Select 2 on the main menu to enter the serial submenu.

Figure 13 Sending file dialog box
After the file is downloaded, the following information is displayed on the configuration terminal:
Download successfully!
10129792 bytes downloaded!
NOTE:
• The size of an application is often over 10 MB. Even at 115200 bps, upgrading an application through the serial interface usually takes about 30 minutes. You are therefore recommended to upgrade applications through an Ethernet interface.

| <3> Update Basic BootWare                   |
| <4> Modify Serial Interface Parameter       |
| <0> Exit To Main Menu                       |
=============================================================
Enter your choice(0-4):
Step2 Select 1. The following information is displayed:
Waiting ...CCCCCCCCCCCCCCCCCCCCCCCCC...
Step3 Select Transfer > Send file in the HyperTerminal window.

Download successfully!
10129792 bytes downloaded!
NOTE:
• The BootWare program is upgraded automatically when applications are upgraded, so you do not need to upgrade the BootWare program separately.
• The file name, size, and path in the above figures may vary. Check the current BootWare and application versions before upgrading them.
• If you upgraded the extended segment, you have upgraded only part of the BootWare program.
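The serial path above runs Xmodem between HyperTerminal and BootWare, and the "CCCC..." prompt is BootWare asking for CRC-16 mode. As an added example (not code from the HP release notes or from the SecBlade firmware), the following Python simulates that exchange in memory: the receiver requests CRC mode, the sender emits 133-byte SOH packets, a deliberately corrupted block is NAKed and retransmitted, and an EOT closes the transfer. The sample image, the corrupt_block knob and the estimate_seconds helper (133 wire bytes per 128-byte block at 10 bits per byte, plus an assumed 10 ms ACK turnaround per block) are assumptions of this example; they show why a 10 MB image takes far longer than the raw 115200 bps figure suggests.

```python
"""Xmodem-CRC transfer simulated in memory (added example; not HP's code).

The BootWare receiver sends 'C' to request CRC-16 mode (the "CCCC..." on the
terminal), the sender answers with 133-byte SOH packets, and each packet is
ACKed or NAKed. A NAK makes the sender retransmit the same block.
"""
import math
import struct

SOH, EOT, ACK, NAK, CRC_REQ = 0x01, 0x04, 0x06, 0x15, ord("C")
BLOCK = 128
PAD = 0x1A  # Xmodem pads the last block with Ctrl-Z


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, init 0, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def make_packet(blk: int, payload: bytes) -> bytes:
    """SOH, block number, its complement, 128 data bytes, big-endian CRC-16."""
    payload = payload.ljust(BLOCK, bytes([PAD]))
    header = bytes([SOH, blk & 0xFF, (~blk) & 0xFF])
    return header + payload + struct.pack(">H", crc16_xmodem(payload))


def parse_packet(pkt: bytes, expected_blk: int):
    """Return the 128-byte payload, or None if the packet must be NAKed."""
    if len(pkt) != 3 + BLOCK + 2 or pkt[0] != SOH:
        return None
    if pkt[1] != expected_blk & 0xFF or pkt[2] != (~expected_blk) & 0xFF:
        return None
    payload = pkt[3:3 + BLOCK]
    (crc,) = struct.unpack(">H", pkt[-2:])
    return payload if crc16_xmodem(payload) == crc else None


class Receiver:
    """The BootWare side of the transfer."""

    def __init__(self):
        self.expected = 1
        self.chunks = []
        self.done = False

    def start(self) -> bytes:
        return bytes([CRC_REQ])  # "C": use CRC-16 rather than the 8-bit checksum

    def handle(self, pkt: bytes) -> bytes:
        if pkt == bytes([EOT]):
            self.done = True
            return bytes([ACK])
        payload = parse_packet(pkt, self.expected)
        if payload is None:
            return bytes([NAK])
        self.chunks.append(payload)
        self.expected += 1
        return bytes([ACK])

    def image(self) -> bytes:
        return b"".join(self.chunks)  # includes Ctrl-Z padding of the last block


def send_file(data: bytes, receiver: Receiver, corrupt_block: int = 0) -> dict:
    """The HyperTerminal side. corrupt_block flips one data bit in that block's
    first transmission to exercise the NAK/retransmit path."""
    assert receiver.start() == bytes([CRC_REQ])
    stats = {"packets": 0, "naks": 0}
    for n, start in enumerate(range(0, len(data), BLOCK), start=1):
        pkt = make_packet(n, data[start:start + BLOCK])
        wire = pkt[:10] + bytes([pkt[10] ^ 0x01]) + pkt[11:] if n == corrupt_block else pkt
        while True:
            stats["packets"] += 1
            if receiver.handle(wire) == bytes([ACK]):
                break
            stats["naks"] += 1
            wire = pkt  # retransmit the intact packet
    receiver.handle(bytes([EOT]))
    return stats


def estimate_seconds(size: int, baud: int, turnaround_s: float = 0.01) -> float:
    """Rough serial transfer time: 133 wire bytes per 128-byte block at 10 bits
    per byte (8N1), plus an assumed per-block ACK turnaround delay."""
    blocks = math.ceil(size / BLOCK)
    return blocks * (133 * 10 / baud + turnaround_s)


if __name__ == "__main__":
    r = Receiver()
    s = send_file(bytes(range(256)) * 3 + b"tail", r, corrupt_block=3)
    print(s, len(r.image()), f"{estimate_seconds(10129792, 115200) / 60:.0f} min")
```

With the turnaround term set to zero, the 10129792-byte image from the output above works out to roughly 15 minutes at 115200 bps; the per-block round trip is what pushes it toward the 30 minutes the note quotes, which is the reason the Ethernet path is preferred.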
NOTE:
• The TFTP server program is not shipped with the SecBlade card; you need to purchase and install one.
• When you upgrade application files using TFTP on the BootWare menu, use Ethernet interface GigabitEthernet 0/2 on the SecBlade card.
• TFTP has no authentication or encryption. Run the TFTP server only for the duration of the upgrade, on an isolated management network, and check that the byte count reported by the transfer matches the image you placed on the server before rebooting from it.
Step2 Configure Ethernet interface parameters on the BootWare menu.

Field              Description
Target File Name   Set a name for the target file to be saved to the SecBlade card. The extension of the target file must be the same as that of the downloaded file.
                   NOTE:
                   • The first "main.bin" is the target file name automatically remembered by the system from the last update.
                   • The second "main.bin" is the target file name set by the user for this update.

Step4 After the main application file is upgraded, select 0 to return to the main menu, where you can select 1 to reboot the SecBlade card from the CF card.

Upgrading application files using TFTP at the CLI
Step1 Set up an upgrade environment. Connect the PC to an Ethernet interface (for example, GigabitEthernet 0/1) on the SecBlade card and ensure connectivity between them.

# Download the main.bin file from the TFTP server to the SecBlade card.
tftp 192.168.80.200 get main.bin main.bin
The file main.bin exists. Overwrite it? [Y/N]:y
Verifying server file...
Deleting the old file, please wait...
File will be transferred in binary mode
Downloading file from remote TFTP server, please wait...|
TFTP: 10867848 bytes received in 512.615 second(s)
File downloaded successfully.
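The tftp get above is a standard RFC 1350 read request: an RRQ, then 512-byte DATA blocks each answered by an ACK, until a short block ends the transfer. As an added example (not code from the release notes or from the Comware CLI), the Python below simulates both sides of that exchange in memory, including a lost ACK that forces the server to resend a block, and then checks the received image against a SHA-256 reference value. The in-memory server, the constructed main.bin contents and the lose_ack_for knob are assumptions of the example; the digest check stands in for comparing the transferred image with the copy you placed on the server, something TFTP itself cannot do.

```python
"""TFTP read transfer (RFC 1350) simulated in memory, followed by an integrity
check of the downloaded image. Added example; not HP's code."""
import hashlib
import hmac
import struct
from typing import Optional

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLKSIZE = 512  # RFC 1350 fixed block size; a short (or empty) block ends the transfer


def encode_rrq(filename: str, mode: str = "octet") -> bytes:
    return struct.pack(">H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def encode_data(blk: int, chunk: bytes) -> bytes:
    return struct.pack(">HH", DATA, blk & 0xFFFF) + chunk


def encode_ack(blk: int) -> bytes:
    return struct.pack(">HH", ACK, blk & 0xFFFF)


def encode_error(code: int, msg: str) -> bytes:
    return struct.pack(">HH", ERROR, code) + msg.encode() + b"\0"


def opcode(pkt: bytes) -> int:
    return struct.unpack(">H", pkt[:2])[0]


class TftpServer:
    """Server side of one read request, serving files from a dict (constructed data)."""

    def __init__(self, files: dict):
        self.files, self.data, self.blk, self.sent = files, b"", 0, 0

    def handle(self, pkt: bytes) -> Optional[bytes]:
        op = opcode(pkt)
        if op == RRQ:
            name, mode = pkt[2:].split(b"\0")[:2]
            if mode.lower() != b"octet" or name.decode() not in self.files:
                return encode_error(1, "File not found")
            self.data, self.blk = self.files[name.decode()], 1
            return self._data_packet()
        if op == ACK:
            (acked,) = struct.unpack(">H", pkt[2:4])
            if acked == self.blk & 0xFFFF:
                if len(self._chunk()) < BLKSIZE:
                    return None  # final block acknowledged: transfer complete
                self.blk += 1
            return self._data_packet()  # next block, or a resend on a stale ACK
        return encode_error(4, "Illegal TFTP operation")

    def resend(self) -> bytes:
        """What the server does when its retransmit timer fires (our ACK was lost)."""
        return self._data_packet()

    def _chunk(self) -> bytes:
        start = (self.blk - 1) * BLKSIZE
        return self.data[start:start + BLKSIZE]

    def _data_packet(self) -> bytes:
        self.sent += 1
        return encode_data(self.blk, self._chunk())


def tftp_get(server: TftpServer, filename: str, lose_ack_for: int = 0) -> bytes:
    """Client side: send RRQ, ACK every DATA block, stop after a short block.
    lose_ack_for simulates the client's ACK for that block being lost, so the
    server resends and the client must tolerate a duplicate DATA packet."""
    received = bytearray()
    expected = 1
    pkt = server.handle(encode_rrq(filename))
    while True:
        if opcode(pkt) == ERROR:
            (code,) = struct.unpack(">H", pkt[2:4])
            raise RuntimeError(f"TFTP error {code}: {pkt[4:-1].decode()}")
        (blk,) = struct.unpack(">H", pkt[2:4])
        chunk = pkt[4:]
        if blk == expected & 0xFFFF:
            received += chunk
            expected += 1
        # a duplicate (already received) block is not appended again, only re-ACKed
        if blk == lose_ack_for:
            lose_ack_for = 0
            pkt = server.resend()  # our ACK never arrived; the server times out
            continue
        reply = server.handle(encode_ack(blk))
        if len(chunk) < BLKSIZE:
            return bytes(received)
        pkt = reply


def verify_image(image: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison of the image digest with the reference value."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), expected_sha256_hex)


if __name__ == "__main__":
    firmware = bytes(range(256)) * 5 + b"END"  # constructed stand-in for main.bin
    server = TftpServer({"main.bin": firmware})
    image = tftp_get(server, "main.bin", lose_ack_for=1)
    print(len(image), server.sent, verify_image(image, hashlib.sha256(firmware).hexdigest()))
```

The duplicate-block handling is the part worth copying into any real client: a stale DATA packet must be acknowledged but never appended, and the transfer is over only when a block shorter than 512 bytes has been received and acknowledged, which for an image that is an exact multiple of 512 bytes means a final empty block.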
As an application layer protocol in the TCP/IP suite, FTP is mainly used for file transfer between remote hosts. FTP provides reliable, connection-oriented data transfer over TCP. FTP authenticates clients with a user name and password, but both the credentials and the transferred files cross the network in clear text, so use it only on a trusted management network. The FTP program file is much larger than the TFTP program file. You can upgrade application files using FTP on the BootWare menu or at the CLI.

Step3 Log in to the FTP server.
ftp 192.168.80.200
Trying 192.168.80.200 ...
Press CTRL+K to abort
Connected to 192.168.80.200.
220 3Com 3CDaemon FTP Server Version 2.0
User(192.168.80.200:(none)):guest
331 User name ok, need password
Password:
230 User logged in [ftp]
Step4 Upgrade applications. Using FTP, you can download application files from the FTP server to overwrite the existing application files on the SecBlade card to implement the application upgrade.

NOTE:
• When you back up an application file, if a file of the same name already exists on the FTP server, the existing file is overwritten without prompting.
• You can back up configuration files in the same way you back up application files.

The SecBlade card serving as the FTP server and the PC serving as the FTP client
Step1 Set up an upgrade environment.

331 Password required for guest
Password:
230 User logged in.
Step4 Upgrade applications. Using FTP, you can upload application files from the client to overwrite the existing application files on the server (the SecBlade card) to implement the application upgrade. The upgraded application files take effect at the next boot.
# Upload the main_bac.bin file from the PC to the SecBlade card and save it as main.bin.
ftp> binary
200 Type set to I.
Maintaining files
You can maintain files on the file control submenu or at the CLI.

Maintaining files on the file control submenu
You can modify the type of an application file, display all files, and delete a file on the file control submenu.

| <3> +Backup                                 |
| <4> -Backup                                 |
| <0> Exit                                    |
Enter your choice(0-4):
You can add or remove a type attribute, M (main) or B (backup), to or from a file by selecting choices 1 to 4. For details of each file type, see "Files" on page 20.

Deleting a file
Step1 Select 3 on the file control submenu.

boot-loader file main.bin main
This command will set the boot file. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot!
By now, the original main.bin file has become type M+B and will be used as the main boot file at the next boot. If a file of type M already exists on the SecBlade card, it is automatically changed from type M to type N/A.
system-view
[HP] user-interface console 0
[HP-ui-console0] authentication-mode password
[HP-ui-console0] set authentication password simple 123456
The above configuration applies password authentication to the console interface, with the password set to 123456 and stored in plain text. The simple keyword writes the password into the configuration file as is; outside a lab recovery exercise, choose a strong password and store it with the cipher keyword instead of simple.
NOTE:
• After reboot, the SecBlade card runs the default configuration, but the original configuration file is still kept on the CF card.

If the following information appears, the BootWare password has been modified successfully.
Password Set Successfully.

Super password loss
The super password lets you switch between the four super levels. If you forget the super password, you cannot perform higher-level operations. Follow these steps to bypass the super password:
Step1 Select 8 on the main menu to clear the super password.
Note that anyone who can reach the console and the BootWare menu can clear the super password (choice 8) or skip the current configuration (choice 6) in the same way, so set a BootWare password (choice 5) and restrict physical access to the card's console port.
Step1 Select 1 on the BootWare operation submenu. The following information is displayed:
Will you backup the Basic BootWare? [Y/N]
Step2 Enter Y.
Begin to backup the Basic BootWare.................... Done!
By now, the basic segment has been backed up. Then, the following information is displayed:
Will you backup the Extend BootWare? [Y/N]
Step3 Enter Y.
Begin to backup the Extend BootWare....................

Begin to restore Normal Extend BootWare.................... Done!
By now, the extended segment has been restored.

Restoring the entire BootWare program file at the CLI
Use the following command to restore the entire BootWare program file.
bootrom restore
This command will restore bootrom file, Continue? [Y/N]:y
Now restoring bootrom, please wait...
Restore bootrom! Please wait...