HP SECBLADEIII-CMW520-R3819 Release Notes

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
Version information
Version number
Version history
List of Tables
Table 1 Version history
Table 2 HP SecBlade product family matrix
Table 3 Hardware and software compatibility matrix
This document describes the features, restrictions and guidelines, open problems, and workarounds for version R3819. Before you use this version in a live network, back up the configuration and test the version so that the software upgrade does not affect your live network. Use this document in conjunction with the documents listed in "Related documentation."

Version information
Version number
HP SecBlade FW Enhanced Comware software, Version 5.
Item | Specifications
Memory | 16 GB
Flash | 4 MB
BootWare version | Version 1.20 or higher (Note: Execute the display version command in any view to view the version information. Please see Note 2)
System software | SECBLADEIII-CMW520-R3819.bin
7500 version | 7500-CMW520-R6708P03
10500 version | 10500-CMW710-R2105, 10500-CMW520-R1208P03
11900 version | 11900-CMW710-R2105
12500 version | 12500-CMW520-R1825P01
IMC version | iMC PLAT 7.
Hardware feature updates
None.

Software feature and command updates
None.

MIB updates
Table 4 MIB updates
Item | MIB file | Module | Description
SECBLADEIII-CMW520-R3819
New | / | / | /
Modified | / | / | /

Operation changes
None.

Restrictions and cautions
1. USB is not supported.
2. The Web interface can display a maximum of 5000 sessions.
Workaround: Manually modify the interface type configuration on the standby card.

HSD100621
Symptom: After the attack defense settings configured at the CLI are removed from the Web interface and then the SecBlade card is rebooted, the attack defense settings still take effect.
Condition: This symptom can be seen after the attack defense settings configured at the CLI are removed from the Web interface and then the SecBlade card is rebooted.
Resolved problems in R3817

201304220334
Symptom: Memory leaks occur after the SecBlade card has received large numbers of fragment packets in an asymmetric stateful failover scenario.
Condition: This symptom occurs after the SecBlade card has received large numbers of fragment packets in an asymmetric stateful failover scenario.

201307170414
Symptom: The nat traversal field in IKE SA entries displays "No" when IPsec NAT traversal has been enabled.
HSD113882
Symptom: A firewall enabled with GTP ALG unexpectedly reboots after running for a long time.
Condition: This symptom can be seen if the following conditions exist:
  GTP ALG is enabled.
  The firewall has run for a long time.

Resolved problems in R3816
First release.
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.
Appendix A Feature list

Hardware features
Table 5 SecBlade FW series hardware features
Item | SecBladeIII (10500/11900/7500) | SecBladeIII (12500)
Dimensions (H × W × D) | 40.1 × 399.2 × 376.8 mm (1.58 × 15.72 × 14.83 in) | 40.1 × 399.2 × 498.8 mm (1.58 × 15.72 × 19.64 in)
Weight | 3.9 kg (8.60 lb) | 4.8 kg (10.58 lb)
Max.
Category Features Packet filter Access control based on security zones Time-based access control ASPF Firewall Virtual firewall Anti-DoS/DDoS URL Filter Static and dynamic blacklist P2P HTTP/SMTP/POP3/FTP/Telnet packet content filtering Attack log Blacklist log Security management Session log Binary format log Traffic measurement and analysis Security events statistics Address pool ACL-based NAT Easy IP NAT NAT Server NAT with ALG, including FTP, DNS, QQ, MSN, H323, NBT, ILS, RTSP, SQLNET, SIP, and RS
Category Features ARP Static DNS IP services IP unnumbered DHCP relay DHCP server DHCP client Static routing RIP-1/RIP-2 IP routing OSPF BGP Policy-based routing ICMPv6 TCP6 UDP6 RAWIP6 Ping6 Basic protocol DNS6 TraceRT6 Telnet6 FIB6 DHCPv6 client DHCPv6 relay RIPng OSPFv3 IPv6 BGP4+ Routing & Multicast Static routing Policy-based routing PIM-SM PIM-DM NAT-PT IPv6 tunneling IPv6 packet filter Security RADIUS DS-Lite IPv6 ASPF IPv6 ALG (ICMP6, FTP) IPv6 security policy group High availability VR
Category Features Session failover Stateful failover IPSec failover Asymmetric path Configuration synchronization Console AUX Telnet, SSH, FTP, and TFTP Command line interfaces Command level configuration Detailed debug information Tracert and ping Configuration management Log and file management User interface Web Login and authentication Web configuration SNMPv3/v1/v2C NTP
Appendix B Upgrading software

The following matrix shows the HP 20Gbps VPN Firewall Module and hosting device compatibility:

20Gbps VPN Firewall Module | Hosting device
LSU1FWCEA0 | 10500 switches, 11900 switches, 7500 switches
LST1FW3A1 | 12500 switches

The software upgrade procedure is the same for both VPN firewall modules. This chapter uses the LST1FW3A1 module installed in a 12508 to describe how to upgrade software from the CLI, Web interface, and BootWare menus.
Upgrade methods

To upgrade system software, use one of the following methods:
  Upgrading system software from the CLI
  Upgrading system software from the Web interface
  Upgrading system software from BootWare menus

To upgrade the BootWare, use either of the following methods:
  Upgrading the BootWare from the CLI
  Upgrading the BootWare from BootWare menus

You must reboot the firewall module after a system software or BootWare upgrade. A device reboot interrupts services.
Figure 1 Setting up the upgrade environment (labels: Ethernet cable, TFTP/FTP server, console cable)

Upgrading system software

Upgrading system software from the CLI
You can use TFTP or FTP on the firewall module to access the TFTP or FTP server to back up or download software files for software upgrades.

Using TFTP to upgrade system software
1. Back up the system software image and configuration files:
a. Use the save command in any view to save the running configuration to the .cfg startup configuration file.
Directory of cfa0:/
   0   -rw-  19790016  Apr 26 2000 12:12:22   main.bin
   1   -rw-      5230  Apr 26 2000 13:03:28   system.xml
   2   -rw-       957  Apr 26 2000 13:03:30   startup.cfg
   3   drw-         -  Apr 26 2000 12:00:02   logfile
   4   -rw-       891  Apr 26 2000 12:00:00   default_ca.cer
   5   -rw-      1411  Apr 26 2000 12:00:00   default_local.cer
   6   drw-         -  Apr 26 2000 12:00:04   seclog
252164 KB total (213314 KB free)
File system type of cfa0: FAT32

c. Use the tftp put command in user view to upload main.
File will be transferred in binary mode
Downloading file from remote TFTP server, please wait...\
TFTP: 23446448 bytes sent in 66 second(s).
File downloaded successfully.

b. Use the boot-loader command in user view to specify fw_card.bin as the main startup image file.
boot-loader file fw_card.bin main
This command will set the boot file. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on slot 0!

c.
[FIXED PORT] GE0/1(Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] GE0/2(Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] XGE0/1(Hardware)Ver.A, (Driver)1.0, (Cpld)3.0
[FIXED PORT] XGE0/2(Hardware)Ver.A, (Driver)1.0, (Cpld)3.0

Using FTP to upgrade system software
1. Back up the startup system software image and configuration files:
a. Use the save command in any view to save the running configuration to the .cfg startup configuration file.
[ftp]

d. Use the put command in FTP client view to upload main.bin to the FTP server.
[ftp] put main.bin
227 Entering passive mode (192,168,0,2,26,0)
125 Using existing data connection
226 Closing data connection; File transfer successful.
FTP: 19790016 byte(s) sent in 14.605 second(s), 1355.00Kbyte(s)/sec.
[ftp]

e. Use the put command in FTP client view to upload startup.cfg and system.xml to the FTP server.
[ftp] put startup.
The specified file will be used as the main boot file at the next reboot on slot 0!

d. Use the display boot-loader command in user view to verify that the file has been specified as the main startup system software image file.
display boot-loader
The boot file used this time:cfa0:/main.bin attribute: main
The boot file used next time:cfa0:/fw_card.bin attribute: main
Failed to get the backup boot file used next time!
Failed to get the secure boot file used next time!

e.
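The checks in this procedure can be scripted against captured CLI output. The following is an added example, not part of the HP release notes: it parses the transfer summary line and the display boot-loader output in the shape shown above, and reports a truncated transfer, an unexpected next-boot file, or missing backup and secure boot files. The sample text is constructed from the output on this page, and the expected image size is an operator-supplied assumption.

```python
import re

# Constructed sample input, in the shape of the CLI output shown in this procedure.
TRANSFER_LOG = (
    "File will be transferred in binary mode\n"
    "TFTP: 23446448 bytes sent in 66 second(s).\n"
    "File downloaded successfully.\n"
)
BOOT_LOADER = (
    "The boot file used this time:cfa0:/main.bin attribute: main\n"
    "The boot file used next time:cfa0:/fw_card.bin attribute: main\n"
    "Failed to get the backup boot file used next time!\n"
    "Failed to get the secure boot file used next time!\n"
)

def transferred_bytes(log):
    """Byte count from the 'TFTP:' or 'FTP:' summary line, or None if absent."""
    m = re.search(r"\bT?FTP:\s*(\d+)\s+byte", log)
    return int(m.group(1)) if m else None

def parse_boot_loader(text):
    """Return ({'this': path, 'next': path}, [image roles with no file set])."""
    files, missing = {}, []
    for line in text.splitlines():
        m = re.match(r"\s*The boot file used (this|next) time:\s*(\S+)\s+attribute:\s*main", line)
        if m:
            files[m.group(1)] = m.group(2)
            continue
        m = re.match(r"\s*Failed to get the (\w+) boot file used next time", line)
        if m:
            missing.append(m.group(1))
    return files, missing

def check_upgrade(log, boot_text, image_path, image_size):
    """List of problems; an empty list means the staged image looks right."""
    problems = []
    got = transferred_bytes(log)
    if got != image_size:
        problems.append(f"size mismatch: transferred {got}, expected {image_size}")
    files, missing = parse_boot_loader(boot_text)
    if files.get("next") != image_path:
        problems.append(f"next boot file is {files.get('next')}, expected {image_path}")
    for role in missing:
        problems.append(f"no {role} boot file set for the next reboot")
    return problems

if __name__ == "__main__":
    # 23446448 stands in for the size of the image on the server (assumed value).
    for p in check_upgrade(TRANSFER_LOG, BOOT_LOADER, "cfa0:/fw_card.bin", 23446448):
        print("WARN:", p)
```

A matching byte count only rules out a truncated transfer; TFTP and FTP themselves provide no integrity or authenticity check on the image.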
Upgrading system software from the Web interface

CAUTION: Do not perform any operation on the Web interface while the system is upgrading software.

The first time you log in to the firewall module from the Web interface, you can use the default login information. After login, create a Web login account of the management level and delete the default Web login account to ensure device security. For more information, see HP VPN Firewalls Appliance Device Getting Started Guide.
Table 8 Configuration items
Item | Description
File | Click Browse to set the path to the .bin system software image file.
File Type | Set the file attribute:
  Main—The image is the primary image. The system always attempts to load the main image at startup in preference to the backup image.
  Backup—The image is the backup image. It is used only if the primary image is corrupted or not available.

7.
CPLD_A Version : 1.0
CPLD_B Version : 3.0
CPLD_C Version : 1.0
PCB Version : Ver.A
BootWare Validating...
Press Ctrl+B to enter extended boot menu...

2. Press Ctrl+B at the prompt. The following message appears:
BootWare password: Not required. Please press Enter to continue.

3. Press Enter to access the EXTEND-BOOTWARE menu.
Password recovery capability is enabled.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
Item | Description
<5> Restore to Factory Default Configuration | Restore the factory defaults. This option is available only if password recovery capability is disabled. CAUTION: Use this option with caution. This option deletes the current configuration file and restarts the firewall module with the factory configuration.

Start the firewall module with the factory default configuration.
Table 10 Ethernet submenu options
Item | Description
<1> Download Application Program To SDRAM And Run | Download a system software image to the SDRAM through the Ethernet port and run the image. This option is available only if password recovery capability is enabled.
<2> Update Main Application File | Upgrade the main system software image.
<3> Update Backup Application File | Upgrade the backup system software image.
<4> Update Secure Application File | Upgrade the secure system software image.
Field | Description
Gateway IP Address | Set a gateway IP address if the firewall module is on a different network from the server.

3. Choose an option from options 1 to 4 in the Ethernet submenu. For example, to upgrade the main system software image, enter 2.
Loading.....................................................................
............................................................................
.........................Done!
31911744 bytes downloaded!
Updating File cfa0:/main.bin...........
Table 12 Serial submenu options
Item | Description
<1> Download Application Program To SDRAM And Run | Download a system software image to the SDRAM through the serial port and run the image. This option is available only if password recovery capability is enabled.
<2> Update Main Application File | Upgrade the main system software image.
<3> Update Backup Application File | Upgrade the backup system software image.
<4> Update Secure Application File | Upgrade the secure system software image.
5. Select File > Properties, and in the Properties dialog box, click Configure.
Figure 4 Setting firewall module properties
6. Select 115200 from the Bits per second list, and click OK.
Figure 5 Modifying the baud rate
7. Select Call > Call to reestablish the connection.
Figure 6 Reestablishing the connection
8. Press Enter in the BootWare interface.
|Note:the operating device is cfa0                                         |
|<1> Download Application Program To SDRAM And Run                         |
|<2> Update Main Application File                                          |
|<3> Update Backup Application File                                        |
|<4> Update Secure Application File                                        |
|<5> Modify Serial Interface Parameter                                     |
|<0> Exit To Main Menu                                                     |
============================================================================
Enter your choice(0-5):

10. Choose an option from options 2 to 4. For example, to upgrade the main system software image, enter 2.
Figure 8 File transfer progress

13. When the Serial submenu appears after the file transfer is complete, enter 0 at the prompt to return to the EXTEND-BOOTWARE menu.
Download successfully!
19790016 bytes downloaded!
Input the File Name:main.bin
Updating File cfa0:/main.bin..............................................
.....................................................
Upgrading the BootWare from the CLI

Whether a .btw file is compressed together with a .bin file depends on the software release. Check this with HP technical support. This section describes only how to upgrade the BootWare from the CLI.

To upgrade the BootWare from the CLI:
1. Use FTP or TFTP to download or upload the new BootWare image file to the root directory of the storage medium on the firewall module.
2. Use the bootrom upgrade command to upgrade the BootWare.
Item | Description
<3> Update BootWare By Serial | Upgrade the BootWare through the serial port.
<4> Update BootWare By Ethernet | Upgrade the BootWare through the Ethernet port.
<0> Exit To Main Menu | Return to the BootWare menu.

2. Enter 4 to enter the Ethernet submenu.
|<4> Modify Ethernet Parameter                                             |
|<0> Exit To Main Menu                                                     |
============================================================================
Enter your choice(0-4): 1
Loading............Done!
485756 bytes downloaded!
Updating Basic BootWare? [Y/N]Y
Updating Basic BootWare...........Done!
Updating Extend BootWare? [Y/N]Y
Updating Extend BootWare...........
Figure 9 File transmission dialog box

4. Click Send. The following dialog box appears:
Figure 10 File transfer progress

After the file transfer is complete, the following messages appear:
Download successfully!
485760 bytes downloaded!
Updating Basic BootWare? [Y/N]Y
Updating Basic BootWare...........Done!
Updating Extend BootWare? [Y/N]Y
Updating Extend BootWare...........
5. After the upgrade is complete, enter 0 twice to return to the BootWare menu and then enter 0 in the BootWare menu to reboot the system.

Managing files from BootWare menus
To change the attribute of a system software image, retrieve files, or delete files, enter 4 in the EXTEND-BOOTWARE menu.
Changing the attribute of a system software image

System software image file attributes include main (M), backup (B), and secure (S). You can store only one main image, one backup image, and one secure image on the firewall module. A system software image can have any combination of the M, B, and S attributes. If the file attribute you are assigning has been assigned to an image, the assignment removes the attribute from that image, and the image is marked as N/A if it has only that attribute.
|1  6819      Feb/03/2012 10:39:24  N/A  cfa0:/system.xml                  |
|2  207865    Dec/07/2011 17:43:38  N/A  cfa0:/logfile/~/logfile.log       |
|3  1271      Feb/03/2012 10:39:26  M+B  cfa0:/startup.cfg                 |
|4  19790016  Feb/02/2012 11:01:50  M    cfa0:/main.bin                    |
|0  Exit                                                                   |
============================================================================
Enter file No:

2. Enter the number of the file you want to delete and press Enter.
3. When the following prompt appears, enter Y.