OBSOLETE Patch-ID# 112613-01
Keywords: ENCRYPTION SunScreen security international
Synopsis: Obsoleted by: 112613-02 SunScreen 3.2 miscellaneous fixes.
Date: Sep/24/2002

******************************************************
  The items made available through this website
  are subject to United States export laws and
  may be subject to export and import laws
  of other countries. You agree to strictly comply
  with all such laws and obtain licenses to
  export, re-export, or import as may be required.
  Unless expressly authorized by the United States
  Government to do so you will not, directly or
  indirectly, export or re-export the items made
  available through this website, nor direct the
  items therefrom, to any  embargoed or restricted
  country identified in the United States export
  laws, including but not limited to the Export
  Administration Regulations (15 C.F.R. Parts
  730-774).
******************************************************

Install Requirements: None

Solaris Release: 9

SunOS Release: 5.9

Unbundled Product: SunScreen EFS

Unbundled Release: 3.2

Xref: This patch is available for Trusted Solaris 8 as Patch 112614.

Topic:

Relevant Architectures:

BugId's fixed with this patch: 4458205 4474065 4475718 4494052 4498719 4504550 4504560 4504562 4530873 4546483 4623384 4627419 4632254 4641757 4641855 4650187 4658497 4693028 4701439 4708402

Changes incorporated in this version: 4458205 4474065
4475718 4494052 4498719 4504550 4504560 4504562 4530873
4546483 4623384 4627419 4632254 4641757 4641855 4650187
4658497 4693028 4701439 4708402

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/kernel/drv/screen
/kernel/drv/sparcv9/screen
/kernel/strmod/efs
/kernel/strmod/sparcv9/efs
/kernel/strmod/sparcv9/spf
/kernel/strmod/spf
/sbin/ss_plumb_interface
/usr/kernel/drv/screen_ipsec
/usr/kernel/drv/sparcv9/screen_ipsec
/usr/kernel/misc/screen_raudio
/usr/kernel/misc/screen_sqlnet
/usr/kernel/misc/sparcv9/screen_raudio
/usr/kernel/misc/sparcv9/screen_sqlnet
/usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecHeader.class
/usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecPanel.class
/usr/lib/sunscreen/admin/jass/Finish/minimize-sunscreen.fin
/usr/lib/sunscreen/lib/datacompiler
/usr/lib/sunscreen/lib/edit
/usr/lib/sunscreen/lib/efs2to3
/usr/lib/sunscreen/lib/natcompiler
/usr/lib/sunscreen/lib/ss_access_convert
/usr/lib/sunscreen/lib/ss_compiler
/usr/lib/sunscreen/lib/ss_ha
/usr/lib/sunscreen/lib/ss_had
/usr/lib/sunscreen/lib/ss_rule_convert
/usr/lib/sunscreen/ssadm/configure
/usr/lib/sunscreen/ssadm/traffic_stats

NOTE:

Files changed in this version of the patch:

       /kernel/drv/screen
       /kernel/drv/sparcv9/screen
       /kernel/strmod/efs
       /kernel/strmod/sparcv9/efs
       /kernel/strmod/sparcv9/spf
       /kernel/strmod/spf
       /sbin/ss_plumb_interface
       /usr/kernel/drv/screen_ipsec
       /usr/kernel/drv/sparcv9/screen_ipsec
       /usr/kernel/misc/screen_raudio
       /usr/kernel/misc/screen_sqlnet
       /usr/kernel/misc/sparcv9/screen_raudio
       /usr/kernel/misc/sparcv9/screen_sqlnet
       /usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecHeader.class
       /usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecPanel.class
       /usr/lib/sunscreen/admin/jass/Finish/minimize-sunscreen.fin
       /usr/lib/sunscreen/lib/datacompiler
       /usr/lib/sunscreen/lib/edit
       /usr/lib/sunscreen/lib/efs2to3
       /usr/lib/sunscreen/lib/natcompiler
       /usr/lib/sunscreen/lib/ss_access_convert
       /usr/lib/sunscreen/lib/ss_compiler
       /usr/lib/sunscreen/lib/ss_ha
       /usr/lib/sunscreen/lib/ss_had
       /usr/lib/sunscreen/lib/ss_rule_convert
       /usr/lib/sunscreen/ssadm/configure
       /usr/lib/sunscreen/ssadm/traffic_stats

Problem Description:

       4458205   error in traffic_stats output
       4474065   screen write queue can fill up
       4475718   large number of address objects can cause compile failure
       4494052   UDP 162 is not being blocked
       4498719   ifconfig modlist can fail with "invalid argument"
       4504550   problem re-editing manual ipsec parameters in SunScreen GUI
       4504560   cannot add Source/Dest tunnel in manual ipsec rules in GUI
       4504562   cannot add tunnel address in manual ipsec rules in GUI
       4530873   ssadm traffic_stats reports negative values
       4546483   problem compiling manual IPsec policy in HA configuration
       4623384   transport mode IPsec fragments dropped in reassembly
       4627419   GUI does not allow ESP with no auth with IPsec Manual
       4632254   sqlnet engine hangs after fetching few records
       4641757   problem with screen_ipsec if wrong source tunnel address received
       4641855   GUI strips out white space from key names when creating rules
       4650187   problem with RealAudio traffic
       4658497   only a single HA_ETHER object can be stored
       4693028   stealth Screen can leak packets with no route to remote net
       4701439   incorrect permissions on several SunScreen files
       4708402   screen_ipsec module is not unloaded correctly

Patch Installation Instructions:
--------------------------------
See Special Install Instructions.

Special Install Instructions:
-----------------------------

Installation Instructions for the Administration Station
--------------------------------------------------------

1. Become root on the Administration Station.

2. Transfer the patch file to the Administration Station.

3. Then type:

       # uncompress 112613-01.tar.Z
       # tar xf 112613-01.tar
       # patchadd 112613-01


Installation Instructions for Locally Administered Screens
----------------------------------------------------------

1. Become root on the Screen.

2. Transfer the patch file to the Screen using a diskette or ftp (3 MB of free
   space is required).

3. Type the following:
       # uncompress 112613-01.tar.Z
       # tar xf 112613-01.tar
       # patchadd 112613-01

4. Reboot the Screen.


How to be sure this is the Correct SunScreen 3.2 Patch
------------------------------------------------------

There were two revisions of the SunScreen 3.2 product.  The installation
of patch 112613-01 will fail if the revision you are patching does not
match that of the product installed.  In the case of a mismatch, you will
see the following error:

       # patchadd 112613-01

       Checking installed patches...
       One or more patch packages included in
       112613-01 are not installed on this system.

       Patchadd is terminating.
       #

To verify which product revision is installed, run the following command:

       # pkginfo -l SUNWsfwr | grep VERSION

For patch 112613-01, the result should be as follows:

          3.2,REV=45

If you get no result, then there was a problem installing the SunScreen
3.2 product initially, and the installation logs should be checked for
errors. If you have a revision mismatch, the result will read as follows:

          3.2,REV=42

In this case, you are installing the wrong patch. You should be installing
patch 112614 instead.
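
As an added preflight check (not part of Sun's README), the following POSIX
shell function parses the output of the pkginfo command shown above and reports
which patch applies to the installed revision. The sample output it falls back
on when pkginfo is absent is constructed from the results listed in this section.

```shell
# select_patch reads "pkginfo -l SUNWsfwr" output on stdin and prints the patch
# ID that matches the installed SunScreen 3.2 revision (per this README:
# REV=45 -> 112613-01, REV=42 -> 112614). Exit status 1 means the package
# or its VERSION line is missing; 2 means an unexpected version string.
select_patch() {
    rev=$(sed -n 's/^[[:space:]]*VERSION:[[:space:]]*//p' | head -n 1)
    case "$rev" in
        3.2,REV=45) echo "112613-01"; return 0 ;;   # revision this patch targets
        3.2,REV=42) echo "112614";    return 0 ;;   # other 3.2 revision
        "")
            echo "SUNWsfwr not installed or VERSION missing; check the install logs" >&2
            return 1 ;;
        *)
            echo "unexpected SUNWsfwr version '$rev'; do not apply 112613-01" >&2
            return 2 ;;
    esac
}

# preflight runs the check against the live system when pkginfo is available;
# otherwise it uses a constructed sample in the form pkginfo -l prints.
preflight() {
    if command -v pkginfo >/dev/null 2>&1; then
        pkginfo -l SUNWsfwr 2>/dev/null | select_patch
    else
        printf '   PKGINST:  SUNWsfwr\n   VERSION:  3.2,REV=45\n' | select_patch
    fi
}
```

Run preflight before patchadd; a non-zero exit status means the patch should not be installed on this host.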


Instructions for Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------

Use this procedure ONLY if you cannot otherwise transfer the patch to
the Screen.

1. Become root on the Administration Station.

2. Transfer the patch file to the Administration Station.

3. Type the following:
       # ssadm -r <Name_of_Screen> patch install < 112613-01.tar.Z


Installation Instructions for High Availability (HA) Clusters
-------------------------------------------------------------

1. Determine which screen is ACTIVE within the HA Cluster using the following
  command on each:

       # ssadm ha status

2. Follow appropriate patch installation instructions from this README file to
  install the patch on the CURRENTLY ACTIVE SCREEN within the HA Cluster
  (determined from the previous step).

3. Be sure to reboot that screen upon completion of the patch installation.

4. After the reboot, the screen which the patch was just installed on
  will come up in PASSIVE mode and some other member of the HA cluster
  will become ACTIVE.

5. Repeat steps 1-4 until the patch has been applied to all members of
  the HA cluster.

Notes on patching HA clusters:

The SunScreen HA model works by having 2 or more firewalls in parallel. All
firewalls see the same packets and hence build the same statetable entries.
If a packet matches a statetable entry, it is passed through the Screen.

If the ACTIVE screen is rebooted, one of the PASSIVE firewalls takes over.
Existing connections are maintained because the PASSIVE firewall that has
just become ACTIVE already holds the statetable entries for them.

Once the originally ACTIVE firewall has been rebooted, it comes back with an
empty statetable. It will add any new connections made since the reboot to its
statetable, but it will not know about connections established before it was
rebooted. If the currently ACTIVE screen is rebooted while that is still the
case, some connections may be dropped.

It is not possible to say exactly how long it will take for all the firewalls
in the cluster to hold the same statetable entries, as this depends on the
type of connection being passed and the lifetime of that connection.
Running the following command on every firewall in the cluster gives the
administrator a good indication of when it is safe to reboot the next
firewall without significant loss of service:

       # ssadm lib/statetables | grep ESTABLISHED | wc -l


Instructions for Identifying Patches Installed on System
--------------------------------------------------------

1. To identify the patch level on your locally administered Screen,
  type the commands:

       # ls -lt /var/sadm/patch > screen.pkginfo
       # pkginfo -l >> screen.pkginfo

2. To identify the patch level on your remotely administered Screen
  in stealth mode:

       # ssadm -r <Name_of_Screen> lib/support packages > screen.pkginfo

  This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and
  (3) the contents of /var/log/patch.log.

3. To identify the patch level on your Administration Station, type
  the commands:

       # ls -lt /var/sadm/patch > admin.pkginfo
       # pkginfo -l >> admin.pkginfo


Instructions to remove the patch on the Administration Station
--------------------------------------------------------------

1. Become root on the Administration Station.

2. Then type:

       # patchrm 112613-01


Instructions to Remove the Patch on Locally Administered Screen
---------------------------------------------------------------

1. Become root on the Screen.

2. Type the following:

       # patchrm 112613-01


Instructions to Remove the Patch on Remotely Administered Screens in
Stealth Mode
--------------------------------------------------------------------

Use this procedure ONLY if you cannot otherwise obtain access to a
login prompt on the Screen.

1. Become root on the Administration Station.

2. Type the following:
       # ssadm -r <Name_of_Screen> patch backout 112613-01


Additional Patch Installation Instructions
------------------------------------------
 Refer to the "Install.info" file within the patch for instructions on
 using the generic 'installpatch' and 'backoutpatch' scripts provided
 with each patch.

README -- Last modified date:  Wednesday, January 22, 2003