StoneOS 5.5R1P4.4 - Hillstone`s Technical Documentation



StoneOS Release Notes

StoneOS 5.5R1P4.4

Release Overview

Release Date: Oct. 30th, 2015

This major release is used to support new platforms.

All bugs list:

http://fr.hillstonenet.com/show_bug.cgi?id=6687

Platforms and Images

Platform Models

SG-6000-E3960

SG-6000-E3662

SG-6000-E3660

SG-6000-E2860

SG-6000-E2800

SG-6000-E2300

SG-6000-E1700

SG-6000-E1606

SG-6000-E1600

SG-6000-E1100 (WLAN)

SG-6000-E1100 (WLAN +3G-WCDMA)

SG-6000-E1100 (3G-WCDMA)

SG-6000-C1000

Images

SG6000-M-3-5.5R1P4.4

Upgrading Notes

Upgrading Notes for Each Platform

Upgrading Notes for E/X Platform

For different versions of E/X platform, note the following matters:

• To upgrade versions earlier than 5.0R3 to 5.5R1, Hillstone recommends that you first upgrade to 5.0R4P5, and then upgrade to 5.5R1. You can upgrade 5.0R3 and its subsequent versions to 5.5R1 directly.

• The following versions support upgrading via WebUI: 5.0R4P6, 5.0R3P10, 5.0R4F4, 5.0R3F5.2, and 5.0R4F4.1. For other versions, use the CLI to upgrade.

For different models of E/X platform, note the following matters:

All rights reserved. Copyright © 2015, Hillstone Networks

SG-1015-5.5R1P4.2-01

• SG-6000-M2105 (512M) does not support 5.5R1.

• Due to storage limitation, Hillstone does not recommend you to upgrade the following models to 5.5R1: SG-6000-M2105 (1G), SG-6000-M1600, SG-6000-M3100, SG-6000-M3105, SG-6000-M3108. If needed, contact Service Line to obtain detailed upgrading guideline.

Upgrading Notes for T Platform

Upgrading T platform takes a long time; it can last dozens of minutes or several hours. During the upgrading, the device can normally forward the data in the data plane, but the WebUI of Dashboard, iCenter, and Monitor cannot display normally. For more detailed upgrading guideline, contact Service Line.

After upgrading from 5.0R4 to 5.5R1, the original threat logs cannot display in iCenter due to threat database changes and new iCenter functions. To save the original 5.0R4 threat logs, export them via WebUI in 5.0R4.

Upgrading Notes for UIF Platform

• Upgrading UIF platform takes a long time and it will last dozens of minutes or several hours. During the upgrading, the device can normally forward the data in the data plane, but the WebUI of Dashboard, iCenter, and Monitor cannot display normally. For more detailed upgrading guideline, contact Service Line.

• After upgrading from 5.0R4 to 5.5R1, the original threat data cannot display in iCenter due to threat database changes and new iCenter functions. To save the original 5.0R4 threat logs, export them via WebUI in 5.0R4.

To upgrade E platform to UIF platform, you need to install the unified intelligence server license. To roll back UIF platform to E platform, you need to first uninstall the unified intelligence service license.

For more information about UIF platform introduction, installation and upgrading, see Hillstone Unified Intelligence Firewall Installation Manual.

Upgrading Notes for Each Module

Separating Applications from Services

From 5.0R4 release, applications are separated from services. For example, the old Service FTP is divided into Service FTP and Application FTP. This change will affect these modules: policies, policy routes, NAT, QoS, session limits and statistics. If you update your system to versions higher than 5.0R4, there is no influence on your normal use (however, an “unsupported command” prompt may appear). Due to the separation, downgrading from 5.0R4 will not restore the old categorization. Please back up your configuration before upgrading to 5.0R4.

Log Type Change

From 5.0R4, StoneOS has moved alarm type logs to event logs (severity level higher than critical). If system is upgraded to versions higher than 5.0R4, the commands related to alarm logs (logging alarm/logging syslog...type alarm) will be deleted. If a system is downgraded from 5.0R4 or higher, the event logs of (and higher than) critical severity will be lost.

New Attribute for Address Books

From 5.0R3, StoneOS has added an ID attribute for each address entry. When the system is upgraded to 5.0R3 from prior versions, the existing address book configurations will be processed smoothly without any effect to users; when the system is downgraded to versions below 5.0R3, all the existing address book configurations will be lost.

Policy Default Mode Change

From 4.5R1, StoneOS changed its policy’s default mode to the global configuration mode. When the system is upgraded to 4.5R1 or higher, the existing policy rule configurations will be processed smoothly without any effect to users; when the system is downgraded to versions below 4.5R1, all the existing policy rule configurations will be lost.

Statistics Configuration Adjustment

From 4.5R1, StoneOS has adjusted the configuration of statistics function. When the system is upgraded to 4.5R1 or higher, the existing statistics configurations will be processed smoothly without any effect to users; when the system is downgraded to versions below 4.5R1, all the existing statistics configurations may be lost.

Interface Mirroring Configuration Change

From 5.0R1, StoneOS changed CLI command for interface mirroring:

Before 5.0R1:

   mirror to interface-name [both | rx | tx]

After 5.0R1:

   mirror to interface-name
   mirror enable {both | rx | tx}

When the system is upgraded to 5.0R1 or higher, the command will be upgraded smoothly without any effect to users; when the system is downgraded to versions lower than 5.0R1, all the interface mirroring configurations will be lost.

Attack Defense Configuration Change

From 5.0R2, StoneOS does not support layer 2 IP address spoofing attack defense any longer. When the system is upgraded to versions of 5.0R2 or higher, the configuration of ad ip-spoofing will be lost.

New QoS: iQos

Intelligent Quality of Service (iQoS) is added from version 5.5R1. When the system is upgraded from an older version to 5.5R1, you need to use the exec iqos enable command to enable iQoS. iQoS only supports CLI. When iQoS is enabled, the old QoS configuration remains, but cannot be edited. If you need QoS, use the exec iqos disable command to disable iQoS and reactivate QoS.

Layer 2 Switching

Layer 2 switching (VLAN, Super-VLAN and RSTP) is not supported in platforms of SG-6000-E2800, SG-6000-E2300, SG-6000-E1700, SG-6000-E1600, SG-6000-E1100 (WLAN), SG-6000-E1100 (3G), SG-6000-E1100 (WLAN+3G) and SG-6000-C1000.

Upgrade Notice for Policy Rule Configuration (UIF)

The default mode for policy rule configuration in the current version is changed to global configuration mode. When the system is upgraded to the current version from versions before 5.0R1, the existing policy rule configurations will be processed smoothly without any effect to users; when the system is downgraded from the current version to versions before 5.0R1, all the existing policy rule configurations will be lost.

Upgrade notice for unsupported function (UIF)

After updating to the current version for UIF, a few functions will not be supported; they are listed below. Users need to clear all the former configurations before updating to the current version for UIF in order to avoid conflicts. Hillstone recommends that you back up all your configurations before updating.

Unsupported functions System processing methods Suggestions

QoS

802.1x

Role

Connecting to HSM

Clear configurations automatically. Apply for iQoS license and use iQoS to configure again.

Keep global configurations. N/A

Clear interfaces configurations automatically.

Keep configurations.

Keep configurations.

Recommend you to clear configurations before upgrading.

N/A

Statistics

Clear configurations automatically. Recommend you to use Monitor function to configure again.

Object (Pre-defined URL signature, User-defined URL signature, URL search, Key word category, SSL agent, Page notification, Bypass domain, User exception)

Keep configurations.

URL filter

Web content

Web posting

Email filter

IM control

HTTP/FTP control

Global blacklist

HA

VSYS

IPv6

AV/IPS

Recommend you to clear configurations before upgrading.

Clear configurations automatically. N/A

Keep configurations. Recommend you to clear configurations before upgrading. And use Threat Protection function after upgrading (apply for license first).

In-Service Software Upgrade

Preparation

Upgrading Environment

ISSU (In-Service Software Upgrade) can avoid network disconnection during the upgrading. To use ISSU, deploy the following topology and make the HA function work:

Preparation Items

No. Preparation Items: Detailed Information

1. Prepare upgrading reference guide: The upgrading reference guide has been printed or stored in your PC.

2. Download new version of image: Obtain the new version of the image from Hillstone.

3. Check current version of image: According to the model, current version, and the corresponding upgrading notes, select proper upgrading operations.

4. Check running status of device: Ensure the SCM and SSM work normally. Record the running status of the modules in each slot. After the upgrading completes, you can use the records to verify the running status and perform the troubleshooting.

5. Deploy the upgrading environment via TFTP or FTP: In the above HA topology, deploy the upgrading environment via TFTP or FTP.

6. Back up configuration file: If the configurations after the upgrading differ from the previous ones, you can compare them and re-configure the missed settings.


Upgrading Operations

Upgrading E/X platform from 4.0/4.5 and corresponding versions to 5.5R1

1. Upgrade E/X platform from 4.0/4.5 and corresponding versions to 5.0R4P5
   a. Disable the HA function of device B, shut down its traffic forwarding interface and its HA interface.
   b. Upgrade device B to 5.0R4P5 and wait for its completion. During the upgrading, the traffic is forwarded through device A.
   c. Disable the HA function of device A, shut down its traffic forwarding interface and its HA interface. Users’ traffic forwarding disconnects.
   d. Enable the traffic forwarding interface of device B. Users’ traffic will be forwarded through device B. Configure the HA function of device B.
   e. Upgrade device A to 5.0R4P5 and wait for its completion. During the upgrading, the traffic is forwarded through device B.
   f. Enable the traffic forwarding interface of device A. Configure the HA function of device A.
   g. Verify the HA status of device A and device B.

2. Upgrade E/X platform from 5.0R4P5 to 5.5R1
   a. Upgrade device B to 5.5R1. During the upgrading, users’ traffic will be forwarded through device A.
   b. After device B upgrades successfully, it will re-negotiate HA with device A.
   c. After the HA negotiation completes, upgrade device A to 5.5R1. During the upgrading, users’ traffic will be forwarded through device B.
   d. After device A upgrades successfully, it will re-negotiate HA with device B.
   e. Complete the upgrading.

Upgrading E/X platform from 5.0R1 and subsequent versions to 5.5R1

1. Upgrade E/X platform from 5.0R1 and subsequent versions to 5.0R4P5
   a. Upgrade device B to 5.0R4P5. During the upgrading, users’ traffic will be forwarded through device A.
   b. After device B upgrades successfully, it will re-negotiate HA with device A.
   c. After the HA negotiation completes, upgrade device A to 5.0R4P5. During the upgrading, users’ traffic will be forwarded through device B.
   d. After device A upgrades successfully, it will re-negotiate HA with device B.

2. Upgrade E/X platform from 5.0R4P5 to 5.5R1
   a. Upgrade device B to 5.5R1. During the upgrading, users’ traffic will be forwarded through device A.
   b. After device B upgrades successfully, it will re-negotiate HA with device A.
   c. After the HA negotiation completes, upgrade device A to 5.5R1. During the upgrading, users’ traffic will be forwarded through device B.
   d. After device A upgrades successfully, it will re-negotiate HA with device B.
   e. Complete the upgrading.

Upgrading T platform from 5.0R4 and subsequent versions to 5.5R1

1. Disable the HA function of device B, shut down its traffic forwarding interface and its HA interface.

2. Upgrade device B to 5.5R1 and wait for its completion. During the upgrading, the traffic is forwarded through device A.

3. Disable the HA function of device A, shut down its traffic forwarding interface and its HA interface. Users’ traffic forwarding disconnects.

4. Enable the traffic forwarding interface of device B. Users’ traffic will be forwarded through device B. Configure the HA function of device B.

5. Upgrade device A to 5.5R1 and wait for its completion. During the upgrading, the traffic is forwarded through device B.

6. Enable the traffic forwarding interface of device A. Configure the HA function of device A.

7. Verify the HA status of device A and device B.

Verifying the Upgrading

After the upgrading completes, use the show version command to verify whether the system has been upgraded to the new version successfully.

Verifying the Configurations

After the upgrading completes, export the configuration file and compare it with the previous one. If some configurations are missing, you can check whether the commands have changed in the new version and then re-configure the missed settings.
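
The comparison described above can be scripted. The following is an added example, not part of the Hillstone release notes: it compares a pre-upgrade and a post-upgrade export while accounting for the command changes listed under Upgrading Notes for Each Module (the mirror command split, the deleted alarm logging commands, and ad ip-spoofing). The sample exports are constructed, and scoping commands by indentation is an assumption about the export format.

```python
import re

# Command changes documented in the release notes above.
MIRROR_OLD = re.compile(r"^mirror to (\S+) (both|rx|tx)$")   # split in two from 5.0R1
LOST = re.compile(r"^(logging alarm\b|logging syslog\b.*\btype alarm\b|ad ip-spoofing\b)")

def scoped(text):
    """Yield (parent, command); indented lines belong to the last unindented line (assumed)."""
    parent = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        top = not raw[0].isspace()
        yield ("" if top else parent, line)
        if top:
            parent = line

def expected_after(line):
    """Map a pre-upgrade command to (expected post-upgrade commands, status)."""
    m = MIRROR_OLD.match(line)
    if m:
        return [f"mirror to {m.group(1)}", f"mirror enable {m.group(2)}"], "rewritten"
    if LOST.search(line):
        return [], "documented_loss"   # dropped by design: review, do not ignore
    return [line], "same"

def compare(before_text, after_text):
    after = set(scoped(after_text))
    report = {"missing": [], "documented_loss": [], "added": []}
    expected = set()
    for parent, line in scoped(before_text):
        wanted, status = expected_after(line)
        if status == "documented_loss":
            report["documented_loss"].append((parent, line))
        for w in wanted:
            expected.add((parent, w))
            if (parent, w) not in after:
                report["missing"].append((parent, w))
    report["added"] = sorted(after - expected)
    return report

# Constructed sample exports, not taken from a real device.
BEFORE = """\
interface ethernet0/1
  mirror to ethernet0/3 both
  manage ssh
exit
zone "l2-trust"
  ad ip-spoofing
logging alarm to console
"""
AFTER = """\
interface ethernet0/1
  mirror to ethernet0/3
  mirror enable both
exit
zone "l2-trust"
"""
```

Calling compare(BEFORE, AFTER) separates settings that disappeared unexpectedly ("missing") from those the release notes say are dropped ("documented_loss"), so a removed attack-defense or logging setting gets an explicit review instead of being lost in a raw diff.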

Verifying Basic Business

After the upgrading completes, perform some basic business to verify whether the device can work normally.


New Features

New Platform (Platform: E)

Support new platforms: SG-6000-E3662, SG-6000-E2860, SG-6000-E1606.

Known Issues

Platform

In rare circumstances, after you restore the device, the collected monitoring information in a specified cycle may not be accurate. (107087)

Solution: No

Bypass interface may not be effective when system reboots in an abnormal environment. (114583)

Solution: No

WebUI

Cannot log in to WebUI normally by using IE11 (11.0.9600.17041I). (96827-2(101167))

Solution: Use other web browser.

Cannot import IPGEO information via WebUI for the off-line device.(2(104879))

Solution: Update from CLI, and the URL is http://update1.hillstonenet.com/ipgeo_update.html.

After logging in via WebUI, narrowing the web browser window may cause the menu bar to display incompletely. (107655-2(107881))

Solution: No

SCVPN

Cannot log in to the SCVPN client through USBKey automatically when Windows starts. (79249-2(79250))

Solution: No

If logging in SCVPN client through Windows scheduled tasks, the GUI of SCVPN client may not be started.(79151-2(79467))

Solution: No

HA

In HA environment, manage IP cannot be configured for the MGT0 interface via WebUI. (78546)

Solution: No

Cannot configure the aggregate interface to be a HA data link interface.(78544)

Solution: No

In HA A/P mode, if rolling back the current version to 5.0R4P3, HA negotiation may fail. (96131-2(96133))

Solution: No

In HA environment, upgrading firmware version to 5.5R1 may cause the device to work abnormally. (102331-2(102395))

Platform

SG-6000-T2860/SG-6000-T1860

Platform

E, X, T, UIF

T, UIF

E, X, T, UIF

Platform

E, X, T, UIF

E, X, T, UIF

Platform

T, UIF

E, T, UIF

E, X

E, X


Solution: Upgrade device to 5.0R4P4 first, and then update it to 5.5R1.

If the priority value and preempt value are already configured as default in HA A/P mode, frequent switching between the main device and the backup device may cause the priority value to become ineffective. (91697-0E0(94783))

Solution: No

E, X, T, UIF

Upgrade

Platform

Cannot back up the current device configurations when upgrading to 5.5R1. (101107-2(102135))

Solution: Upgrade through Console.

SG-6000-M2105/-M1600/M3100/M3105/M3108

Upgrading to 5.5R1 via WebUI may fail for some platforms. (102407-0E0(102607), 102627-0E0(102629))

Solution: Upgrade via CLI.

After upgrading to 5.5R1, data of Application Monitor, Threat Monitor and Report modules may not display normally via WebUI.(105085-1(105085))

Solution: Export data to your local PC to backup before upgrading.

E, X

T, UIF

URL control may decrease because URL categories changed after upgrading to 5.5R1. (2(104939))

Solution: Configure the URL filter rule again after upgrading to 5.5R1.

Application Signature Database Professional may lose some applications after upgrading to 5.5R1. (106317-2(106333))

Solution: Import a new Application Signature Database Professional manually and then upgrade the firmware to 5.5R1.

Cannot recognize SSL applications normally after upgrading to 5.5R1. (2(106641))

Solution: Upgrade Application Signature Database Professional before 5.5R1.

E, T, UIF

E, X, T, UIF

E, X, T, UIF

If a URL filter rule is configured on a policy in the 5.0R4F3/F4 version, upgrading to 5.5R1 may lose the URL filter configurations. (106899-2(106901))

Solution: Configure the URL filter rule again after upgrading to 5.5R1.

License

Devices with small memory may not start normally after loading AEL license in few cases.(101561-2(102475))

T, UIF

Platform

SG-6000-M3100/M3108

Solution: No

vFW (virtual firewall) Platform

WebUI operation does not support batch license uploading. When you upload more than one license via WebUI, the page does not respond correctly. 87837-2(90507)

Suggestion: Batch uploading via CLI works fine; or you can install one license at a time in WebUI.

VM01, VM02

By default, VMware only uses SCSI disk to start a virtual machine, other controller cannot be used in the initial start. In KVM, SCSI disk driven start works fine. 109081-2(109709)

Suggestion: Change the initial startup disk to IDE type in VMware; or you can change the SCSI Controller Type to VMware Paravirtual. The configuration method can be found in SG6000-VM Installation Guide.

VM01, VM02

Cannot support VMware Workstation 11 version. 109255-1(109255)

Suggestion: Choose compatibility with VMware Workstation 10 when you create the virtual machine.

If a vFW without an official platform license (trial or base) is installed with a feature/service license (e.g. TP License), it will reduce its session capacity to half. When its session capacity drops to 512, the management connection (telnet, SSH, Ping and HTTP) will not be able to establish. 116675

Suggestion: Make sure to install platform license (trial or base) before feature/service license.

VM01, VM02

VM01, VM02

Note: E series contains M, G platform.

Explorer Compatibility

The following browsers have passed compatibility tests:

IE11

Chrome

Getting Help

Hillstone provides the following guides to help you understand our products: http://doc.hillstonenet.com/page/site/documentation/documentlibrary

StoneOS WebUI User Guide

StoneOS CLI User Guide

StoneOS Getting Started Guide

StoneOS Cookbook

Hillstone Multi-core Security Appliance Log Messages Reference Manual

Hillstone SNMP MIB Reference Manual

Hillstone SG-6000 Hardware Reference Guides

Hillstone SG-6000 Expansion Modules Reference Guides

Hillstone Unified Intelligence Firewall Installation Manual

Website: http://www.hillstonenet.com

Service Line: North American (1-800-889-9860)

Asia Pacific (86-400-828-6655)
