Channel: ZyXEL forum - dslreports.com

New ZyWALL/USG Firmware 4.13(AAxx.0) released

To me the most important (security) fixes are:
[5] (freak)
[6] (logjam)
[7] (HTTP authentication)
[31] (pure switch during boot)

From the ZyWALL 110 release notes:

Features: V4.13(AAAA.0)C0

Modifications in V4.13(AAAA.0)C0 - 2015/07/30

1. [ENHANCEMENT] Management Feature Enhancement:
  1. Support CloudCNM, a cloud-based network management system.
     4.13 CloudCNM feature support includes:
     - Batch import of managed devices at one time using one CSV file
     - See an overview of all managed devices and system information in one place
     - Monitor and manage devices
     - Install firmware to multiple devices of the same model at one time
     - Backup and restore device configuration
     - View the location of managed devices on a map
     - Receive notification for events and alarms, such as when a device goes down
     - Graphically monitor individual devices and see related statistics
     - Directly access a device for remote configuration
     - Create four types of administrators with different privileges
     - Perform Site-to-Site, Hub & Spoke, Fully-meshed and Remote Access VPN provisioning.
  2. Support Russian Language
  3. VPN MIB Support: eITS#150317956
     SNMP VPN status MIBs.
     The VPN status MIB is a MIB table containing the following information:
     - Connection name
     - VPN gateway
     - IP version
     - Active status
     - Connected status.
     Followings are the example of snmpwalk for the added MIBs;
     VPN status MIB table:
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.1.1 = INTEGER: 1 --> table index
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.1.2 = INTEGER: 2
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.1.3 = INTEGER: 3
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.2.1 = STRING: "vpnconn1" --> name
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.2.2 = STRING: "vpnconn2"
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.2.3 = STRING: "vpn6conn1"
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.3.1 = STRING: "usg110_1" --> gateway
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.3.2 = STRING: "usg110_1"
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.3.3 = STRING: "vpn6_1"
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.4.1 = STRING: "IPv4" --> IP version
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.4.2 = STRING: "IPv4"
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.4.3 = STRING: "IPv6"
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.5.1 = INTEGER: 0 --> active status
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.5.2 = INTEGER: 1
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.5.3 = INTEGER: 1
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.6.1 = INTEGER: 0 --> connected status
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.6.2 = INTEGER: 0
     - 1.3.6.1.4.1.890.1.6.22.2.4.1.6.3 = INTEGER: 0
     VPN connection counter MIBs.
     The VPN connection counter MIB is a MIB group containing:
     - Total VPN connection configured
     - Number of activated connection
     - Number of connected connection
     - Number of disconnected connection
     Followings are the example of snmpwalk for the added MIBs;
     VPN connection counters:
     - 1.3.6.1.4.1.890.1.6.22.2.5.1.0 = Counter32: 3 --> Total connection configured
     - 1.3.6.1.4.1.890.1.6.22.2.5.2.0 = Counter32: 2 --> Number of active connection
     - 1.3.6.1.4.1.890.1.6.22.2.5.3.0 = Counter32: 0 --> Number of connected connection
     - 1.3.6.1.4.1.890.1.6.22.2.5.4.0 = Counter32: 2 --> Number of disconnected connection
     MIB table for VPN SA monitor
     The new OID is 1.3.6.1.4.1.890.1.6.22.2.6.
     The MIB table contains the following columns:
     - 1.3.6.1.4.1.890.1.6.22.2.6.1.1 --> VPN connection index
     - 1.3.6.1.4.1.890.1.6.22.2.6.1.2 --> VPN connection name
     - 1.3.6.1.4.1.890.1.6.22.2.6.1.3 --> VPN connection policy
     - 1.3.6.1.4.1.890.1.6.22.2.6.1.4 --> VPN connection uptime
     - 1.3.6.1.4.1.890.1.6.22.2.6.1.5 --> VPN connection timeout
     - 1.3.6.1.4.1.890.1.6.22.2.6.1.6 --> Number of in-bound packets for the connection
     - 1.3.6.1.4.1.890.1.6.22.2.6.1.7 --> Number of in-bound octets for the connection
     - 1.3.6.1.4.1.890.1.6.22.2.6.1.8 --> Number of out-bound packets for the connection
     - 1.3.6.1.4.1.890.1.6.22.2.6.1.9 --> Number of out-bound octets for the connection
  4. Support license refresh immediately while device-ha backup device become active.
  5. Add pre-defined configuration (or pre-defined UTM profile) by default.

2. [ENHANCEMENT] Connectivity Feature Enhancement:
  1. Support RPS(Receive Packet Steering) to ensure that packets for the same stream of data are sent to the same CPU, which could help to increase performance in a congest(low bandwidth or high latency) network environment, eITS# 150200442, 150200636.
  2. We enlarge static DHCP host pool from 512 to 1024 for ZyWALL 110, USG1100, and USG1900, eITS# 150100773
  3. Adjust Spec for SSLVPN Connections

     Model         Default SSLVPN Connections   Maximum SSLVPN Connections
     USG40/40W     5                            15
     USG60/60W     5                            20
     USG110        25                           150
     USG210        35                           150
     USG310        50                           150
     USG1100       250                          500
     USG1900       250                          750
     ZyWALL 110    25                           150
     ZyWALL 310    50                           150
     ZyWALL 1100   250                          500

3. [ENHANCEMENT] Security Feature Enhancement:
  1. ADP engine and IDP engine upgrade to support more social networking application behavior, such as FACEBOOK like, FACEBOOK share…etc.

4. [ENHANCEMENT] eITS#150200756
   UDP session timeout value can be configured up to 28800 seconds.

5. [ENHANCEMENT] Patches for CVE-2015-0204, FREAK: OpenSSL vulnerability.

6. [ENHANCEMENT] Patches for CVE-2015-4000, Logjam: TLS vulnerabilities (CVE-2015-4000).

7. [ENHANCEMENT] Patches for vulnerability of HTTP authentication module which may cause USG behave as an open proxy to proxy HTTP request from external clients to internal servers.

8. [BUG FIX] eITS#150317956
   [OID]OID formats are different between USG40W and USG1900.
   [Condition]
   MIBs...1.3.6.1.4.1.890.1.15.3.1.6.0.....
   USG40W: V4.11(AALB.0)/1.01 | Aug 28 2013 14:19:07/2015-03-13 06:53:46
   USG1900: V4.11(AAPL.0)/1.10/2015-03-13 01:27:44

9. [BUG FIX] eITS#150301008
   DNS Security configuration can't change.
   [Condition]
   1. Go to Configuration > System > DNS > Click Show Advanced Settings > Security Option Control > Edit default profile e.g. Query Recursion deny > Click OK button
   2. You will find the OK button no function.

10. [BUG FIX] eITS#150300062
    If adding radius server into auth. method, L2TP cannot be established successfully.
    [Condition]
    1. Go to Configuration > Object > AAA Server > RADIUS.
    2. Set Server address: R1.domain.tw
    3. Set Backup Server address: R2.domain.tw (PS. R1.domain.tw and R2.domain.tw need result same ip address)
    4. Radiusd daemon couldn't bring on fail.

11. [BUG FIX] eITS#150300789
    Combo-box show field is in wrong location.
    [Condition]
    1. In the settings of WLAN-interface, the input fields "802.11 band" and "Channel" are incorrectly positioned.
    2. The problem occurs only in the browser IE 11

12. [BUG FIX] eITS#150300851
    Limited admin user fails to view click diagnostic page
    [Condition]
    1. Add a limited admin account
    2. Login by limited admin
    3. Go to Maintenance > Diagnostic
    4. You will find USG GUI no response

13. [BUG FIX] eITS#150300910
    DHCP Relay may not work in Device HA environment.
    [Condition]
    When master device change status from fault state to active state, the DHCP relay function may not work.

14. [BUG FIX] eITS#150400012, 150200484, 150500302, 150600123, 150301005, 150501020, 150301061
    In some cases, apply configuration will fail and cause zyshd dead. This may occur during the firmware upgrade progress or manually apply configuration.

15. [BUG FIX] eITS#150400115
    [SSO][Authentication] Without SSO enabled, user can be correctly authenticated and associated with the AD-group "Internet Users". However, with SSO enabled, the user from the AD-group "Internet Users" always appears only in the group of "ext-user (ad-users)".

16. [BUG FIX] eITS#150301062
    VLAN Packets can still be sent out even the base interface is disabled.

17. [BUG FIX] eITS#150300850
    Configure many static DHCP address up to maximum, the CLI command may not correctly be configured and cause “incomplete entry” error each time DUT reboot.

18. [BUG FIX] eITS#150401185
    In USG310, 1100, 1900, ZyWALL 310, 1100, it will show error message when configuring the port negotiation type on port 8.

19. [BUG FIX] eITS#150400882
    When trying to sort the table (Hits) of "Top 5 Viruses" and "Top 5 Intrusions" in Dashboard by descending/ascending, sorting is only by the first digit.

20. [BUG FIX] eITS#150500769
    Unable to edit application object page if it contains “,” character.

21. [BUG FIX] eITS#150300799, 150400336, 150401001, 150401067, 150401143, 150200666
    SSO does not work correctly sometimes.

22. [BUG FIX] eITS#150300240
    Unable to open IDP signature name to see the description in MONITOR > UTM Statistics > IDP

23. [BUG FIX] eITS#150200331
    Fix unexpected reboot related to packet processing.

24. [BUG FIX] eITS#140900194, 150600194
    In some cases, user cannot get mails from external mail server through USG.

25. [BUG FIX] eITS#150200355
    When we set speed on port1, the traffic doesn't work and show some abnormal message.

26. [BUG FIX] eITS#150600082
    The CF report in monitoring page and report server record not match.

27. [BUG FIX] eITS#150600688
    In some cases, DUT will crash when trying to establish L2TP.

28. [BUG FIX] eITS#150501015
    In some cases, enable connectivity check in policy route rules may cause zyshd daemon dead.

29. [BUG FIX] eITS#150600137
    In some cases, AV signature cannot be successfully updated.

30. [BUG FIX] eITS#150700094
    Self-Signed DSA certificate can be created but cannot show on the GUI.

31. [BUG FIX] eITS#150300324
    In USG110, USG210 and ZyWALL 110, DUT will become pure switch in a short period during booting process. When external AP and USG reboot at the same time, there might have possibility that AP will acquire IP address from outer DHCP server instead of DUT LAN DHCP server.

32. [BUG FIX] eITS#150600585
    Wrong German translation, “Intra-BSS-Verkehr aktivieren” should be corrected to “Intra-BSS-Verkehr blockieren”

33. [BUG FIX] eITS#150200663, 150500327
    Some mails with attached files transferred from WAN to LAN cannot be received while Anti-Spam enabled.

34. [BUG FIX] eITS#150100252
    TFTP over IPsec cannot work well in the following topology.
    TFTP Server---------USG40/60=======VPN tunnel========USG20------TFTP Client

35. [BUG FIX] eITS#150100898
    After Device HA fallback to Master, IP on VLAN interface become 0.0.0.0.

36. [BUG FIX] eITS# 150500371
    3G dongle E372 cannot work well in ZLD 4.11 Firmware.

37. [BUG FIX] eITS# 150200205
    Some session will hit wrong BWM rules with application service type and application object is not any.

38. [BUG FIX] eITS# 150200080
    ZyXEL VPN Client cannot establish VPN tunnel when using DUT default certificate to do IKE authentication.
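
Added example, not part of the original post or of ZyXEL's release notes: a parser for the VPN status MIB table quoted above, which pivots the column-major snmpwalk lines into one record per tunnel and recomputes the counter-group values for monitoring. It assumes 1 means yes and 0 means no, and that "disconnected" means active but not connected, which matches the sample counters (3, 2, 0, 2) in the notes.

```python
import re
from collections import defaultdict

# VPN status table entry OID and column meanings, as annotated in the release notes.
ENTRY = "1.3.6.1.4.1.890.1.6.22.2.4.1"
COLUMNS = {1: "index", 2: "name", 3: "gateway", 4: "ip_version", 5: "active", 6: "connected"}

# Subset of the release notes' sample snmpwalk output (columns 2, 5 and 6 only).
SAMPLE_WALK = """\
1.3.6.1.4.1.890.1.6.22.2.4.1.2.1 = STRING: "vpnconn1"
1.3.6.1.4.1.890.1.6.22.2.4.1.2.2 = STRING: "vpnconn2"
1.3.6.1.4.1.890.1.6.22.2.4.1.2.3 = STRING: "vpn6conn1"
1.3.6.1.4.1.890.1.6.22.2.4.1.5.1 = INTEGER: 0
1.3.6.1.4.1.890.1.6.22.2.4.1.5.2 = INTEGER: 1
1.3.6.1.4.1.890.1.6.22.2.4.1.5.3 = INTEGER: 1
1.3.6.1.4.1.890.1.6.22.2.4.1.6.1 = INTEGER: 0
1.3.6.1.4.1.890.1.6.22.2.4.1.6.2 = INTEGER: 0
1.3.6.1.4.1.890.1.6.22.2.4.1.6.3 = INTEGER: 0
"""

# Matches "<ENTRY>.<column>.<row> = TYPE: value", with an optional leading dot.
LINE_RE = re.compile(r"^\.?" + re.escape(ENTRY) + r"\.(\d+)\.(\d+) = (INTEGER|STRING): (.*)$")


def parse_vpn_status(walk_text):
    """Pivot column-major snmpwalk lines into one dict per VPN connection."""
    rows = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m[1]) not in COLUMNS:
            continue  # line belongs to another OID or is malformed
        value = m[4].strip()
        rows[int(m[2])][COLUMNS[int(m[1])]] = int(value) if m[3] == "INTEGER" else value.strip('"')
    return [dict(rows[i], index=i) for i in sorted(rows)]


def summarize(rows):
    """Recompute the counter-group values from the table (assumes 1 = yes, 0 = no)."""
    active = [r for r in rows if r.get("active") == 1]
    down = [r.get("name", r["index"]) for r in active if r.get("connected") != 1]
    return {"total": len(rows), "active": len(active),
            "connected": len(active) - len(down), "disconnected": len(down), "down": down}


if __name__ == "__main__":
    print(summarize(parse_vpn_status(SAMPLE_WALK)))
```
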
