A lot to talk about this time, so let's get right to it:
Grouping for Application Rules
Application Control Rules created at Web Security >> Application Control >> Application Control Rules can now be grouped just like Packetfilter Rules.
Application Control Reporting
There is now a basic reporting for the Application Control Rules available at Reporting >> Web Security >> Application Control.
Note that this requires a database schema upgrade for the reporting database after the Up2Date. So if you have a big reporting database the reboot after the Up2Date will be slower than usual.
Currently this upgrade is mostly tested on stand-alone systems with generated data. If you greatly value your reporting data and have a more complex setup like HA/Cluster, you might want to wait a day or two until more extensive tests have been completed.
Renaming AAC to AAA
Because nobody seemed to be able to differentiate between AAC and ACC, the "Astaro Authentication Client" is now called "Astaro Authentication Agent", or "AAA" [;)]
"No NAT" NAT rules (NAT exceptions)
When definining NAT rules at Network Security >> NAT >> DNAT/SNAT you can now set the NAT mode to "No NAT". Traffic matching this rule will not be seen by any later NAT rules. This way you can exclude some traffic from NAT. E.g. when specifying a SNAT rule for a certain source network you can now create a "No NAT" rule for a specific host in that network and place it before the SNAT rule to exclude this host from SNAT.
Support for multipart format in Form Hardening
Form Hardening now can be used for forms that use the "multipart/form-data" encoding for submission, usually because they include file uploads.
Option to drop invalid cookies silently in Cookie Signing
Per default, if you activate Cookie Signing, request containing unsigned or invalidly signed cookies will be rejected. You have now the option to instead let the Web Application Firewall only remove the invalid Cookie from the request before letting it pass.
Useful e.g. if you switch an existing web application to cookie signing and don't want to reject the requests from existing users that already have an (unsigned) cookie from you.
This can be configured in the Firewall Profiles (Web Application Security >> Web Application Firewall >> Firewall Profiles).
Option to skip specific WAF rules
Also in the Firewall Profiles there is now a list hidden under the Advanced profile settings button where you can add WAF rules to skip. You need to add WAF rule numbers which you can e.g. see in WAF reporting.
Usually this is something you don't want to touch unless you have a very specific problem. Support engineers could already use this feature via confd client, but to make it more transparent to the user it is now visible in WebAdmin, too.
Support for Microsoft HyperV
Support for Microsoft's HyperV was improved significantly. You should now be able to use the default "VMBus" network cards instead of the "legacy" variant. Also the integration services "operating system shutdown" and "heartbeat" should work now.
Option to apply WebAdmin timeout to dashboard
This actually was in the previous release already but I forgot to
mention it.
At Management >> WebAdmin Settings >> Advanced where you can
define the WebAdmin timeout after which you will automatically be
logged out, you can now configure whether this log out also applies
to dashboard. In the past it did not (and this is also what will be
configured when upgrading/importing an old config). For the new install
the default is now that you will be logged out from dashboard, too.
"Terms of Use" for WebAdmin
You can now configure a "Terms of Use" text to be displayed on
every login to WebAdmin. Apparently some of our customers need
that for compliance reasons.
This feature can be configured at Management >> WebAdmin Settings >> Advanced. Individual users can disable it for themself at Management >> WebAdmin Settings >> User Preferences (the latter option is only visible if the feature is enabled at all).
Fixed Issues
- [11298] [UBB][7.490] create a new host definition with IP already exists gives error: "Invalid object parameter"
- [15655] [UBB][8.050] client and server addresses in IM/Torrent reporting mixed up
- [16973] [UBB][8.160] WiFi: Cisco 7921 clients time out after some time
- [17010] [UBB][8.160] WiFi: Changing AP group doesn't work correctly
- [17061] [UBB][8.160] AAC Help button doesn't work
- [17082] No Access to SSL sites with AAC and Transparent Client Authentification
- [17163] [UBB][8.160] LAN cannot be reconfigured in Wizard
- [17256] [UBB][8.161] Proxy Auto Configuration broken + javascript as message
- [17257] [UBB][8.161] consistent messages Support>Advanced>Resolve REF
- [17258] [UBB][8.161] consistent messages Support>Tools
- [17304] If external SMTP server is disabled, the notifier doesn't use SMTP proxy (settings)
- [17371] [UBB][8.161] App Control window stays if you change to dashboard
- [17376] [UBB][8.161] trailing whitespace in smtp->smarthost_host doesn't get removed on upgrade
- [17392] [UBB][8.161] Application Rules stackable in Groups
- [17417] [UBB][8.162] IPS layout still broken
- [17428] 8.2 beta Confd does not accept any 7.x backups
- [17444] [UBB][8.162] ipv6: set broker traffic light to red if ipv6 is disabled
- [17459] [UBB] afc: never set "classification completed" before classifier says so
- [17463] [UBB][8.162] cosmetic / view log files
- [17467] [UBB][8.162] Prevent ddclient from using /usr/sbin/sendmail
- [17528] [UBB][8.162] "search report" encoding problem
Download Information
ASG ISO for Software/Virtual appliance installation:
ftp://ftp.astaro.de/pub/ASG/v8/beta/asg-8.163-9.1.iso
ISO size................: 496M (519573504 bytes)
ISO md5sum..............: 0c23bdd62e2985cd542fcec31ed7e212
ISO sha1sum.............: cf9a3de09d67639d5866fdfd12de6773fbd4e2cd
SSI ISO for Hardware appliance installation:
ftp://ftp.astaro.de/pub/ASG/v8/beta/ssi-8.163-9.1.iso
ISO size................: 497M (520837120 bytes)
ISO md5sum..............: 4dbe63af803015dc0f4fc032555e2a8c
ISO sha1sum.............: 49f12133293f0f65265e7d3b70df8b7b81d8c7e5
Up2Date package:
ftp://ftp.astaro.de/pub/ASG/v8/beta/u2d-sys-8.162-163.tgz.gpg
U2D size................: 101M (106033908 bytes)
U2D md5sum..............: 2d051a063f9b553f87b1921cffd7c995
U2D sha1sum.............: 3e3379c48ea8bda5dc5c319a8fc52ddc19efc493
Please note that the Up2date package will also be distributed over the
Up2Date server, so your ASG should usually download the package by itself.
