Fireware 12.4 CSP1 – TLS issues fixed

In the Fireware 12.4 release, access to individual websites can fail. The cause is the TLS 1.3 support that was newly added in release 12.4. Unfortunately, it appears that not all possible TLS cipher variants were supported yet, so connections can occasionally be aborted, specifically when the website uses one of the unsupported ciphers.

The problem can also occur with incoming TLS connections over SMTP, because the same TLS profiles are used there.

The remedy is an upgrade to version 12.4 CSP1, which is available on request by opening a case with WatchGuard.

Details:


Fireware v12.4 CSP 1 Release Notes

Supported Devices: Firebox T10, T15, T30, T35, T50, T55, T70, M200, M270, M300, M370, M400, M440, M470, M500, M570, M670, M4600, M5600, FireboxV, Firebox Cloud, WatchGuard AP
Release Date: 23 April 2019
Fireware OS Build: 592447
WatchGuard System Manager Build: 592565
WatchGuard AP Device Firmware:
AP100, AP102, AP200: 1.2.9.16
AP300: 2.0.0.11
AP125: 8.6.0-644.3
AP120, AP320, AP322, AP325, AP420: 8.6.0-646

Resolved Issues in Fireware v12.4 CSP 1 (Fireware Build 592447, WSM Build 592565)

  • This release resolves an issue that caused websites to fail to load through the HTTPS Proxy when messages are split over multiple TLS records. [FBX-16195]
  • The pxyassist process no longer crashes when PDF files are analyzed. [FBX-16197]
  • This release adds additional PFS grade ciphers for better compatibility with HTTPS webservers when using content inspection in the HTTPS Proxy. [FBX-16227]
  • The Inspect when a URL is uncategorized option in the HTTPS Proxy now works when you also use an On-Premise WebBlocker server. [FBX-15847]
  • Proxy traffic for 1-to-1 NAT hosts now uses the correct NAT Base IP address. [FBX-16234]
  • The Fireware Web UI Front Panel now loads correctly for all users. [FBX-15555]
  • This release resolves several issues that caused websites to fail to load through the HTTPS Proxy with content inspection disabled. [FBX-16143, FBX-16203]
  • When content inspection is disabled, the HTTPS Proxy can now correctly handle Client Authentication during the SSL handshake. [FBX-15916]
  • An appliance kernel lockup issue was resolved. [FBX-15247]
  • Policy Manager now correctly handles the configuration of BOVPN Virtual Interface settings in pre-Fireware v12.0 configurations. [FBX-16291]
  • In Policy Manager, the default route for a VLAN External interface is now correctly added to the Firebox routing table. [FBX-16358]
  • This release resolves an issue that prevented Management Server Policy Templates from saving to a Firebox when they included FQDNs. [FBX-16237]

 
