StoneOS Release Notes
StoneOS 5.5R1P4.4
Release Overview
Release Date: Oct. 30th, 2015
This major release is used to support new platforms.
All bugs list:
http://fr.hillstonenet.com/show_bug.cgi?id=6687
Platforms and Images
Platform Models
SG-6000-E3960
SG-6000-E3662
SG-6000-E3660
SG-6000-E2860
SG-6000-E2800
SG-6000-E2300
SG-6000-E1700
SG-6000-E1606
SG-6000-E1600
SG-6000-E1100 (WLAN)
SG-6000-E1100 (WLAN +3G-WCDMA)
SG-6000-E1100 (3G-WCDMA)
SG-6000-C1000
Images
SG6000-M-3-5.5R1P4.4
Upgrading Notes
Upgrading Notes for Each Platform
Upgrading Notes for E/X Platform
For different versions of E/X platform, note the following matters:
• To upgrade versions earlier than 5.0R3 to 5.5R1, Hillstone recommends that you first upgrade to 5.0R4P5, and then upgrade to 5.5R1.
• You can upgrade 5.0R3 and its subsequent versions to 5.5R1 directly.
• The following versions support upgrading via WebUI: 5.0R4P6, 5.0R3P10, 5.0R4F4, 5.0R3F5.2, and 5.0R4F4.1. For other versions, use CLI to upgrade.
For different models of E/X platform, note the following matters:
All rights reserved. Copyright © 2015, Hillstone Networks
SG-1015-5.5R1P4.2-01
• SG-6000-M2105 (512M) does not support 5.5R1.
• Due to storage limitation, Hillstone does not recommend upgrading the following models to 5.5R1: SG-6000-M2105 (1G), SG-6000-M1600, SG-6000-M3100, SG-6000-M3105, SG-6000-M3108. If needed, contact Service Line to obtain a detailed upgrading guideline.
Upgrading Notes for T Platform
• Upgrading the T platform takes a long time and can last dozens of minutes or several hours. During the upgrading, the device can normally forward the data in the data plane, but the WebUI of Dashboard, iCenter, and Monitor cannot display normally. For a more detailed upgrading guideline, contact Service Line.
• After upgrading from 5.0R4 to 5.5R1, the original threat logs cannot display in iCenter due to threat database changes and new iCenter functions. To save the original 5.0R4 threat logs, export them via WebUI in 5.0R4.
Upgrading Notes for UIF Platform
• Upgrading the UIF platform takes a long time and can last dozens of minutes or several hours. During the upgrading, the device can normally forward the data in the data plane, but the WebUI of Dashboard, iCenter, and Monitor cannot display normally. For a more detailed upgrading guideline, contact Service Line.
• After upgrading from 5.0R4 to 5.5R1, the original threat data cannot display in iCenter due to threat database changes and new iCenter functions. To save the original 5.0R4 threat logs, export them via WebUI in 5.0R4.
• To upgrade E platform to UIF platform, you need to install the unified intelligence server license. To roll back UIF platform to E platform, you need to first uninstall the unified intelligence service license.
• For more information about UIF platform introduction, installation and upgrading, see Hillstone Unified Intelligence Firewall Installation Manual.
Upgrading Notes for Each Module
Separating Applications from Services
From the 5.0R4 release, applications are separated from services. For example, the old Service FTP is divided into Service FTP and Application FTP. This change affects these modules: policies, policy routes, NAT, QoS, session limits and statistics. If you update your system to versions higher than 5.0R4, there is no influence on your normal use (however, an “unsupported command” prompt may appear). Due to the separation, downgrading from 5.0R4 will not restore the old categorization. Please back up your configuration before upgrading to 5.0R4.
Log Type Change
From 5.0R4, StoneOS has moved alarm type logs to event logs (severity level higher than critical). If the system is upgraded to versions higher than 5.0R4, the commands related to alarm logs (logging alarm/logging syslog...type alarm) will be deleted. If a system is downgraded from 5.0R4 or higher, the event logs of (and higher than) critical severity will be lost.
New Attribute for Address Books
From 5.0R3, StoneOS has added an ID attribute for each address entry. When the system is upgraded to 5.0R3 from prior versions, the existing address book configurations will be processed smoothly without any effect to users; when the system is downgraded to versions below 5.0R3, all the existing address book configurations will be lost.
Policy Default Mode Change
From 4.5R1, StoneOS changed its policy’s default mode to the global configuration mode. When the system is upgraded to 4.5R1 or higher, the existing policy rule configurations will be processed smoothly without any effect to users; when the system is downgraded to versions below 4.5R1, all the existing policy rule configurations will be lost.
Statistics Configuration Adjustment
From 4.5R1, StoneOS has adjusted the configuration of statistics function. When the system is upgraded to 4.5R1 or higher, the existing statistics configurations will be processed smoothly without any effect to users; when the system is downgraded to versions below 4.5R1, all the existing statistics configurations may be lost.
Interface Mirroring Configuration Change
From 5.0R1, StoneOS changed CLI command for interface mirroring:
Before 5.0R1:
mirror to interface-name [both | rx | tx]
After 5.0R1:
mirror to interface-name
mirror enable {both | rx | tx}
When the system is upgraded to 5.0R1 or higher, the command will be upgraded smoothly without any effect to users; when the system is downgraded to versions lower than 5.0R1, all the interface mirroring configurations will be lost.
Attack Defense Configuration Change
From 5.0R2, StoneOS does not support layer 2 IP address spoofing attack defense any longer. When the system is upgraded to versions of 5.0R2 or higher, the configuration of ad ip-spoofing will be lost.
New QoS: iQoS
Intelligent Quality of Service (iQoS) is added from version 5.5R1. When the system is upgraded from an older version to 5.5R1, you need to use the exec iqos enable command to enable iQoS. iQoS only supports CLI. When iQoS is enabled, the old QoS configuration remains, but cannot be edited. If you need QoS, use the exec iqos disable command to disable iQoS and reactivate QoS.
Layer 2 Switching
Layer 2 switching (VLAN, Super-VLAN and RSTP) is not supported in platforms of SG-6000-E2800, SG-6000-E2300, SG-6000-E1700, SG-6000-E1600, SG-6000-E1100 (WLAN), SG-6000-E1100 (3G), SG-6000-E1100 (WLAN+3G) and SG-6000-C1000.
Upgrade Notice for Policy Rule Configuration (UIF)
The default mode for policy rule configuration in the current version is changed to global configuration mode. When the system is upgraded to the current version from versions before 5.0R1, the existing policy rule configurations will be processed smoothly without any effect to users; when the system is downgraded from the current version to versions before 5.0R1, all the existing policy rule configurations will be lost.
Upgrade notice for unsupported function (UIF)
After updating to the current version for UIF, a few functions are not supported; they are listed below. To avoid conflicts, clear all the former configurations of these functions before updating to the current version for UIF. Hillstone recommends that you back up all your configurations before updating.
Unsupported functions | System processing methods | Suggestions
QoS | Clear configurations automatically. | Apply for iQoS license and use iQoS to configure again.
802.1x | Keep global configurations. Clear interfaces configurations automatically. | N/A
Role | Keep configurations. | Recommend you to clear configurations before upgrading.
Connecting to HSM | Keep configurations. | N/A
Statistics | Clear configurations automatically. | Recommend you to use Monitor function to configure again.
Object (Pre-defined URL signature, User-defined URL signature, URL search, Key word category, SSL agent, Page notification, Bypass domain, User exception) | Keep configurations. | Recommend you to clear configurations before upgrading.
URL filter, Web content, Web posting, Email filter, IM control, HTTP/FTP control, Global blacklist, HA, VSYS, IPv6 | Clear configurations automatically. | N/A
AV/IPS | Keep configurations. | Recommend you to clear configurations before upgrading. And use Threat Protection function after upgrading (apply for license first).
In-Service Software Upgrade
Preparation
Upgrading Environment
ISSU (In-Service Software Upgrade) can avoid network disconnection during the upgrading. To use ISSU, deploy the following topology and make the HA function work:
Preparation Items
No. | Preparation Items | Detailed Information
1 | Prepare upgrading reference guide | The upgrading reference guide has been printed or stored in your PC.
2 | Download new version of image | Obtain the new version of the image from Hillstone.
3 | Check current version of image | According to the model, current version, and the corresponding upgrading notes, select proper upgrading operations.
4 | Check running status of device | • Ensure the SCM and SSM work normally. • Record the running status of the modules in each slot. After the upgrading completes, you can use the records to verify the running status and perform the troubleshooting.
5 | Deploy the upgrading environment via TFTP or FTP | In the above HA topo, deploy the upgrading environment via TFTP or FTP.
6 | Back up configuration file | If the configurations after the upgrading differ from the previous ones, you can compare them and re-configure the missed settings.
Upgrading Operations
Upgrading E/X platform from 4.0/4.5 and corresponding versions to 5.5R1
1. Upgrade E/X platform from 4.0/4.5 and corresponding versions to 5.0R4P5
   a. Disable the HA function of device B, shut down its traffic forwarding interface and its HA interface.
   b. Upgrade device B to 5.0R4P5 and wait for it to complete. During the upgrading, the traffic is forwarded through device A.
   c. Disable the HA function of device A, shut down its traffic forwarding interface and its HA interface. Users’ traffic forwarding disconnects.
   d. Enable the traffic forwarding interface of device B. Users’ traffic will be forwarded through device B. Configure the HA function of device B.
   e. Upgrade device A to 5.0R4P5 and wait for it to complete. During the upgrading, the traffic is forwarded through device B.
   f. Enable the traffic forwarding interface of device A. Configure the HA function of device A.
   g. Verify the HA status of device A and device B.
2. Upgrade E/X platform from 5.0R4P5 to 5.5R1
   a. Upgrade device B to 5.5R1. During the upgrading, users’ traffic will be forwarded through device A.
   b. After device B upgrades successfully, it will re-negotiate HA with device A.
   c. After the HA negotiation completes, upgrade device A to 5.5R1. During the upgrading, users’ traffic will be forwarded through device B.
   d. After device A upgrades successfully, it will re-negotiate HA with device B.
   e. Complete the upgrading.
Upgrading E/X platform from 5.0R1 and subsequent versions to 5.5R1
1. Upgrade E/X platform from 5.0R1 and subsequent versions to 5.0R4P5
   a. Upgrade device B to 5.0R4P5. During the upgrading, users’ traffic will be forwarded through device A.
   b. After device B upgrades successfully, it will re-negotiate HA with device A.
   c. After the HA negotiation completes, upgrade device A to 5.0R4P5. During the upgrading, users’ traffic will be forwarded through device B.
   d. After device A upgrades successfully, it will re-negotiate HA with device B.
2. Upgrade E/X platform from 5.0R4P5 to 5.5R1
   a. Upgrade device B to 5.5R1. During the upgrading, users’ traffic will be forwarded through device A.
   b. After device B upgrades successfully, it will re-negotiate HA with device A.
   c. After the HA negotiation completes, upgrade device A to 5.5R1. During the upgrading, users’ traffic will be forwarded through device B.
   d. After device A upgrades successfully, it will re-negotiate HA with device B.
   e. Complete the upgrading.
Upgrading T platform from 5.0R4 and subsequent versions to 5.5R1
1. Disable the HA function of device B, shut down its traffic forwarding interface and its HA interface.
2. Upgrade device B to 5.5R1 and wait for it to complete. During the upgrading, the traffic is forwarded through device A.
3. Disable the HA function of device A, shut down its traffic forwarding interface and its HA interface. Users’ traffic forwarding disconnects.
4. Enable the traffic forwarding interface of device B. Users’ traffic will be forwarded through device B. Configure the HA function of device B.
5. Upgrade device A to 5.5R1 and wait for it to complete. During the upgrading, the traffic is forwarded through device B.
6. Enable the traffic forwarding interface of device A. Configure the HA function of device A.
7. Verify the HA status of device A and device B.
Verifying the Upgrading
After the upgrading completes, use the show version command to verify whether the system has been upgraded to the new version successfully.
Verifying the Configurations
After the upgrading completes, export the configuration file and compare it with the previous one. If some configurations are missing, check whether the commands have changed in the new version and then re-configure the missed settings.
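An added example, not part of Hillstone's release notes: a Python check that flags the commands these notes say an upgrade deletes or rewrites (alarm logging, ad ip-spoofing, the old mirror syntax) and, after the upgrade, separates those expected losses from unexplained ones that need re-configuring. The export layout (one command per line, block commands indented) and the sample lines are assumptions constructed for illustration.

```python
import re

# Commands these release notes say an upgrade deletes or rewrites.
RULES = [
    (re.compile(r"^logging (alarm\b|syslog\b.*\btype alarm\b)"),
     "deleted: alarm logs became event logs in 5.0R4"),
    (re.compile(r"^ad ip-spoofing\b"), "lost: layer 2 IP spoofing defense removed in 5.0R2"),
    (re.compile(r"^mirror to \S+ (both|rx|tx)$"), "split in 5.0R1 into 'mirror to' and 'mirror enable'"),
]

def parse(config_text):
    # Assumed export layout: one command per line, with the commands of an
    # interface or zone block indented under the unindented line that opens it.
    entries, section = [], ""
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            entries.append((section, raw.strip()))
        else:
            section = raw.rstrip()
            entries.append(("", section))
    return entries

def explain(command):
    # Reason from the release notes why a command may vanish, else None.
    return next((note for pat, note in RULES if pat.search(command)), None)

def audit_before_upgrade(config_text):
    return [(sec, cmd, explain(cmd)) for sec, cmd in parse(config_text) if explain(cmd)]

def review_after_upgrade(before_text, after_text):
    # Commands missing after the upgrade: explained by the notes, or not.
    after = set(parse(after_text))
    expected, unexplained = [], []
    for entry in parse(before_text):
        if entry not in after:
            (expected if explain(entry[1]) else unexplained).append(entry)
    return expected, unexplained

# Constructed sample exports, not real device output.
BEFORE = """\
logging alarm on
zone untrust
  ad ip-spoofing
interface ethernet0/1
  mirror to ethernet0/3 rx
  manage ssh
"""
AFTER = """\
zone untrust
interface ethernet0/1
  mirror to ethernet0/3
  mirror enable rx
"""

if __name__ == "__main__":
    for sec, cmd, note in audit_before_upgrade(BEFORE):
        print(f"pre-upgrade  {sec or 'global'}: {cmd} ({note})")
    print("re-configure by hand:", review_after_upgrade(BEFORE, AFTER)[1])
```

Anything in the second list returned by review_after_upgrade disappeared without a reason given in these notes and should be checked against the new version's command set.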
Verifying Basic Business
After the upgrading completes, run some basic business operations to verify that the device works normally.
New Features
New Platform
Support new platforms: SG-6000-E3662, SG-6000-E2860, SG-6000-E1606.
Platform: E
Known Issues
Platform
In rare circumstances, after you restore the device, the monitoring information collected in a specified cycle may not be accurate. (107087)
Platform: SG-6000-T2860/SG-6000-T1860
Solution: No
Bypass interface may not be effective when the system reboots in an abnormal environment. (114583)
Solution: No
WebUI
Cannot log in to WebUI normally by using IE11 (11.0.9600.17041I). (96827-2(101167))
Platform: E, X, T, UIF
Solution: Use other web browser.
Cannot import IPGEO information via WebUI for the off-line device. (2(104879))
Platform: T, UIF
Solution: Update from CLI, and the URL is http://update1.hillstonenet.com/ipgeo_update.html.
After logging in via WebUI, narrowing the web browser may cause the menu bar to display incompletely. (107655-2(107881))
Platform: E, X, T, UIF
Solution: No
SCVPN
Cannot log in to SCVPN client through USBKey automatically when Windows starts. (79249-2(79250))
Platform: E, X, T, UIF
Solution: No
If logging in to SCVPN client through Windows scheduled tasks, the GUI of SCVPN client may not be started. (79151-2(79467))
Platform: E, X, T, UIF
Solution: No
HA
In HA environment, manage IP cannot be configured for the MGT0 interface via WebUI. (78546)
Platform: T, UIF
Solution: No
Cannot configure the aggregate interface to be a HA data link interface. (78544)
Platform: E, T, UIF
Solution: No
In HA A/P mode, if rolling back the current version to 5.0R4P3, HA negotiation may fail. (96131-2(96133))
Platform: E, X
Solution: No
In HA environment, upgrading firmware version to 5.5R1 may cause the device to work abnormally. (102331-2(102395))
Platform: E, X
Solution: Upgrade device to 5.0R4P4 first, and then update it to 5.5R1.
If priority value and preempt value are already configured as default in HA A/P mode, frequent switching between the main device and backup device may cause the priority value to be ineffective. (91697-0E0(94783))
Platform: E, X, T, UIF
Solution: No
Upgrade
Cannot back up the current device configurations when upgrading to 5.5R1. (101107-2(102135))
Platform: SG-6000-M2105/-M1600/M3100/M3105/M3108
Solution: Upgrade through Console.
It may fail for some platforms when upgrading to 5.5R1 via WebUI. (102407-0E0(102607), 102627-0E0(102629))
Platform: E, X
Solution: Upgrade via CLI.
After upgrading to 5.5R1, data of Application Monitor, Threat Monitor and Report modules may not display normally via WebUI. (105085-1(105085))
Platform: T, UIF
Solution: Export data to your local PC to back up before upgrading.
URL control may decrease because URL categories changed after upgrading to 5.5R1. (2(104939))
Platform: E, T, UIF
Solution: Configure the URL filter rule again after upgrading to 5.5R1.
Application Signature Database Professional may lose some applications after upgrading to 5.5R1. (106317-2(106333))
Platform: E, X, T, UIF
Solution: Import a new Application Signature Database Professional manually and then upgrade the firmware to 5.5R1.
Cannot recognize SSL applications normally after upgrading to 5.5R1. (2(106641))
Platform: E, X, T, UIF
Solution: Upgrade Application Signature Database Professional before 5.5R1.
If configuring a URL filter rule on policy in 5.0R4F3/F4 version, upgrading the version to 5.5R1 may lose URL filter configurations. (106899-2(106901))
Platform: T, UIF
Solution: Configure the URL filter rule again after upgrading to 5.5R1.
License
Devices with small memory may not start normally after loading AEL license in a few cases. (101561-2(102475))
Platform: SG-6000-M3100/M3108
Solution: No
vFW (virtual firewall)
WebUI operation does not support batch license uploading. When you upload more than one license via WebUI, the page does not respond correctly. 87837-2(90507)
Platform: VM01, VM02
Suggestion: Batch uploading via CLI works fine; or you can install one license at a time in WebUI.
By default, VMware only uses SCSI disk to start a virtual machine; other controllers cannot be used in the initial start. In KVM, SCSI disk driven start works fine. 109081-2(109709)
Platform: VM01, VM02
Suggestion: Change the initial startup disk to IDE type in VMware; or you can change the SCSI Controller Type to VMware Paravirtual. The configuration method can be found in SG6000-VM Installation Guide.
Cannot support VMware Workstation 11 version. 109255-1(109255)
Platform: VM01, VM02
Suggestion: Choose compatibility with VMware Workstation 10 when you create the virtual machine.
If a vFW of no official platform license (trial or base) is installed with feature/service license (e.g. TP License), it will reduce its session capacity to half. When its session capacity drops to 512, the management connection (telnet, SSH, Ping and HTTP) will not be able to establish. 116675
Platform: VM01, VM02
Suggestion: Make sure to install platform license (trial or base) before feature/service license.
Note: The E series contains the M and G platforms.
Explorer Compatibility
The following browsers have passed compatibility tests:
IE11
Chrome
Getting Help
Hillstone provides the following guides to help you understand our products: http://doc.hillstonenet.com/page/site/documentation/documentlibrary
StoneOS WebUI User Guide
StoneOS CLI User Guide
StoneOS Getting Started Guide
StoneOS Cookbook
Hillstone Multi-core Security Appliance Log Messages Reference Manual
Hillstone SNMP MIB Reference Manual
Hillstone SG-6000 Hardware Reference Guides
Hillstone SG-6000 Expansion Modules Reference Guides
Hillstone Unified Intelligence Firewall Installation Manual
Website: http://www.hillstonenet.com
Service Line: North American (1-800-889-9860)
Asia Pacific (86-400-828-6655)