12.07.2015 Views

SonicOS 6.1.1.4 Release Notes for NSA 3600/4600 ... - SonicWALL


SonicOS 6.1.1.4 NSA 3600/4600/5600/6600 Release Notes

Contents
• Release Purpose
• Platform Compatibility
• Upgrading Information
• Browser Support
• Known Issues
• Resolved Issues

Release Purpose

SonicOS 6.1.1.4 is a maintenance release that fixes a number of known issues.

Platform Compatibility

The SonicOS 6.1.1.4 release is supported on the following Dell SonicWALL appliances:
• NSA 6600
• NSA 5600
• NSA 4600
• NSA 3600

The Dell SonicWALL WXA series appliances (WXA 500 Live CD, WXA 5000 Virtual Appliance, WXA 2000/4000 Appliances) are supported for use with Dell SonicWALL NSA appliances running 6.1.1.4. The recommended WXA firmware version is WXA 1.2.1.

WXA 1.1.1 will work with SonicOS 6.1.1.4, but you will not be able to see or use the new features in WXA 1.2.1.

Upgrading Information

For information about obtaining the latest firmware, upgrading the firmware image on your Dell SonicWALL appliance, and importing configuration settings from another appliance, see the SonicOS 6.1 Upgrade Guide available on MySonicWALL or on the www.sonicwall.com Product Documentation page for the NSA series:
http://www.sonicwall.com/us/en/support/3643.html

Browser Support

SonicOS uses advanced browser technologies such as HTML5, which are supported in most recent browsers. Dell SonicWALL recommends using the latest Chrome, Firefox, Internet Explorer, or Safari browsers for administration of SonicOS.

This release supports the following Web browsers:
• Chrome 18.0 and higher (recommended browser for dashboard real-time graphics display)
• Firefox 16.0 and higher
• Internet Explorer 8.0 and higher (do not use compatibility mode)
• Safari 5.0 and higher

Mobile device browsers are not recommended for Dell SonicWALL appliance system administration.

SonicOS 6.1.1.4 NSA 3600/4600/5600/6600 Release Notes
P/N 232-002453-00 Rev A


Known Issues

This section contains a list of known issues in the SonicOS 6.1.1.4 release.

Certificates

Symptom: Auto-import CRL via http does not work for revoking certificates.
Condition / Workaround: Occurs when you add a certificate, then on the import CRL popup page, select Periodically auto-import CRL via HTTP, enter a valid HTTP URL for CRL download, and click the Apply button.
Issue: 129379

DPI-SSL

Symptom: The CFS block page is not displayed for a blocked HTTPS website, although the site is correctly blocked and the attempt is logged.
Condition / Workaround: Occurs when Enable SSL Client Inspection and Content Filter are selected on the DPI-SSL > Client SSL page, and a Content Filter policy is configured to block a site category that uses HTTPS, such as for online banking. When a user accesses a banking website, it is blocked and the attempt is logged, but the CFS block page does not appear.
Issue: 123676

Symptom: DPI-SSL does not take effect for a wireless guest user. The certificate from the remote server is not rewritten using the designated certificate.
Condition / Workaround: Occurs when guest services are enabled on the WLAN zone and a guest user logs in and attempts to access a website using HTTPS, such as https://mail.google.com.
Issue: 123097

High Availability

Symptom: The Active firewall in a Stateful HA pair does not synchronize all VPN connections to the Standby firewall.
Condition / Workaround: Occurs when many VPN tunnels are up, all bound to a certain interface, and fully synchronized, then the interface goes down on the Primary firewall. The Primary firewall begins deleting the tunnels and also synchronizing with the Secondary, then a failover occurs before all tunnels are deleted and the Stateful Sync finishes. The Primary continues deleting the rest of the tunnels, but cannot sync with the Secondary because it is no longer the Active firewall. The Secondary is left with a number of active VPN tunnels, but does not sync them to the Primary unless the tunnel configuration is changed.
Issue: 131211


Log

Symptom: The first two pages of log events are not displayed in the Log View table.
Condition / Workaround: Occurs when the Items count above the Log View table indicates that many items exist, such as a hundred or more, and Items per Page is set to show 50 at a time. The appliance is configured with an imported OCSP certificate, WANGroupVPN enabled, and third party with OCSP enabled.
Issue: 132048

Networking

Symptom: The firewall cannot connect with the PPTP server.
Condition / Workaround: Occurs when configuring a WAN zone interface in PPTP mode, and a wrong password is entered along with other correct settings. After correcting the password, the PPTP connection still fails.
Issue: 134038

Symptom: FTP connections fail after a Stateful HA failover when using Wire Mode over Link Aggregation. The FTP session will time out or can be flushed from the Dashboard > Connections Monitor page, then a new FTP session can be established.
Condition / Workaround: Occurs when Wire Mode over Link Aggregation (such as X6(X7) to X10(X11)) is configured on a Stateful HA pair, and a failover occurs while FTP traffic is running. One switch is connected to X6(X7) and another switch is connected to X10(X11), with PC’s connected to both switches and FTP traffic running between the PC’s. After the failover, the FTP session hangs when any command is entered.
Issue: 132278

Symptom: A test virus is logged, but not blocked when using Wire Mode over Link Aggregation.
Condition / Workaround: Occurs when an anchor port is down, in Secure mode. Wire Mode is configured from LAN to LAN, X2 and X8. Link Aggregation (LAG) configuration is: X2: X3,X6,X7 and X8: X9,X10,X11, with static LAG between two switches connected to these ports. Initially, a virus sent from a PC on one switch to a PC on the other switch is blocked. After X2 is shut down administratively, the next virus transfer is logged, but not blocked.
Issue: 129955

System

Symptom: Certain buttons on the AppFlow > Dashboard and System > Diagnostics screens do not function correctly.
Condition / Workaround: Occurs when viewing Intrusions on AppFlow > Dashboard and clicking the IPS signature for details. The details are blank. On the System > Diagnostics screen with Connections Monitor selected, clicking the button to display the connections also displays a blank area.
Issue: 133816

Symptom: A 3rd party certificate cannot be selected, and the VPN tunnel that uses the 3rd party certificate for authentication cannot come up.
Condition / Workaround: Occurs when the VPN Policy is configured and then the appliance is upgraded to 6.1.1.4. After upgrading, the Local Certificate drop-down list is empty in the VPN Policy screen, preventing the local certificate from being selected.
Issue: 133697


User Interface

Symptom: A JavaScript error window is displayed by the browser during GMS management configuration.
Condition / Workaround: Occurs when using Internet Explorer 9 to manage the appliance, with the “Display a notification about every script error” option enabled under Internet Options > Advanced. After selecting “Enable management using GMS” on the SonicOS System > Administration page, clicking the Configure button causes the error window to display.
Issue: 131990

Users

Symptom: For Single Sign-On authentication, NTLM does not work on Linux (Fedora and Firefox) computers. Instead of NTLM prompting for name and password, the browser redirects to the user authentication page.
Condition / Workaround: Occurs when NTLM is configured to be tried before the Single Sign-On agent, or NTLM is selected as the only SSO method. The Simple usernames in local database checkbox is enabled. With no user logged in through the appliance, a new browser is used to browse to a WAN-side web server. The user should be prompted for credentials, but is not.
Issue: 129835

Symptom: The LDAP User/Group Trees Auto-configure request fails and the console prints a stack trace.
Condition / Workaround: Occurs when you open the LDAP configuration window from the “LDAP is selected for user group lookup for RADIUS/SSO users:” side, and then click the Auto-configure button and select Append to existing trees/Replace existing trees.
Workaround: Open the LDAP configuration window from the User authentication method.
Issue: 129383

VoIP

Symptom: The firewall drops SIP packets from WAN to LAN (on a bridged LAN interface).
Condition / Workaround: Occurs when:
1. X0 was already configured as LAN with default gateway IP of 192.168.50.1
2. Configure X5 (LAN) to X0 in L2 bridge mode
3. Connect a Cisco phone on the LAN side of the X5 interface with IP 192.168.50.13 (gateway is 192.168.50.1)
4. As the proxy is already on WAN, make a call from Cisco phone connected to the bridged LAN interface (X5) to a phone on the WAN side.
5. The call should be established, but WAN to Bridged LAN (X5) SIP packets are dropped by the firewall.
Issue: 128225


VPN

Symptom: VPN tunnels associated through a port redundancy group on an HA pair go down when the primary interface in the port redundancy group fails.
Condition / Workaround: Occurs when the tunnels are initiated from an HA pair which is also configured for port redundancy using X4 (WAN) and X6. While traffic is passing through the tunnels from the remote end LAN to the head end LAN, the X4 interface is shut down on the Active firewall on the head end side. Although traffic is switched to X6, the tunnels remain down for an extended period.
Workaround: Select the Enable Load Balancing checkbox on the Network > Failover & LB page.
Issue: 131162


Resolved Issues

This section contains a list of issues that are resolved in the SonicOS 6.1.1.4 release.

Log

Symptom: Syslog messages are not formatted correctly in the display.
Condition / Workaround: Occurs when using an Arcsight syslog server to format and display the messages.
Issue: 131995

Symptom: Only the first three syslog servers added in the Log > Syslog page can receive syslog messages from the appliance.
Condition / Workaround: Occurs when more than three syslog servers are configured. SonicOS allows up to seven syslog servers to be added.
Issue: 131988

Networking

Symptom: The Edit Interface screen displays a “Default Gateway (Optional)” field for non-WAN interfaces, but configuring it does not cause the interface to be used as a gateway.
Condition / Workaround: Occurs when configuring a non-WAN interface from the Network > Interfaces screen. This field is removed in the SonicOS 6.1.1.4 release.
Issue: 133560

Symptom: Default service group objects are missing for Active Directory Server, AD Directory Services, and AD NetBios.
Condition / Workaround: Occurs when viewing the default service group objects on the Network > Services page.
Issue: 132830

Symptom: Address objects cannot be added to, or removed from, an address object group, and the OK button is disabled (grey).
Condition / Workaround: Occurs when attempting to edit an address object group.
Issue: 132827

System

Symptom: An appliance restarts frequently and displays a message containing “Reboot due to DPCore[1] hang”.
Condition / Workaround: Occurs when High Availability is enabled, and a user changes his password.
Issue: 132896

Symptom: The firewall cannot boot with firmware diagnostics enabled. After selecting this option, the Status line displays the message “The configuration has been updated”, but the checkbox is cleared.
Condition / Workaround: Occurs when the "Boot with firmware diagnostics enabled" checkbox is selected on the System > Settings page.
Issue: 129648

User Interface

Symptom: HTTPS management of the appliance sometimes loses the connection, while ping to the interface succeeds.
Condition / Workaround: Occurs when the internal web server stops listening while the appliance is being managed over HTTPS.
Issue: 132366


Users

Symptom: An LDAP User/Group Trees auto-configure request fails and the console prints a stack trace.
Condition / Workaround: Occurs when using "LDAP is selected for user group lookup for RADIUS/SSO users" and then the LDAP configuration button is clicked. Specifically, in the LDAP Configuration screen, on the Directory tab, enter the Primary domain and click the auto-configure button. In the LDAP User/Group Trees Auto-configure screen, select Append to existing trees/Replace existing trees, and click OK.
Issue: 129383

VPN

Symptom: After modifying a VPN policy, the message “Error: OCSP Responder URL is invalid” is displayed.
Condition / Workaround: Occurs when Enable OCSP Checking is selected and the OCSP Responder URL is entered for a site-to-site VPN policy using IKE with third party certificates, and then the VPN policy is modified to use IKE with a preshared secret. After the preshared secret is saved, the error message is displayed.
Issue: 132054

Last updated: 8/20/2013
