These release notes provide additional guidance for Firewall Security Manager v6.6.5.
Version 6.6.5 includes the following new features and enhancements:
- Enhanced rule tracking, with an option to only export reviewed rule documentation.
- Extended support for importing Juniper NetScreen devices with "Accept this agreement" banners.
- Additional tool for changing the IP address in the firewall inventory. For more information, refer to the KB article.
Version 6.6.5 also contains the following HotFixes:
- HotFix 1: Fixes translation error on Cisco IOS 15.
- HotFix 2: Fixes an issue which occurs when the VIM and FSM modules are installed on the same server.
- HotFix 3: Fixes an issue in the script template with importing Junos SRX clusters.
- HotFix 4: Fixes an issue when the FSM Swis plugin ServiceLocator is not initialized. This issue appears in the Firewall Details page of Orion Firewall Security Manager.
- HotFix 5: Contains improvements of HotFix 3.
- HotFix 6: Contains improvements of HotFix 4.
Orion Firewall Security Manager
An Orion integration module that enables you to view all your firewall details from the Orion dashboard, alongside any other SolarWinds Orion products. This new FSM/Orion module provides visibility into your firewall inventory and security status, along with the ability to point and click for drill-down details. From the Orion FSM dashboard, you can get a summary of all the devices that are in Firewall Security Manager:
- PCI summary and the Security Audit summary.
- View Rule/Object Cleanup reports.
- Review configs and recent changes.
- View firewall details.
- NAT Rules
- Security Rules
- Network/Address Objects
- Service/Application Objects
The Orion integration module introduces a new “Firewalls” tab. The Firewalls tab includes firewall details, rules, and objects. These details are also available as downloadable reports.
- Web services to Orion Firewall Security Manager Module (client).
- Some reports are stored in the Firewall Security Manager database and are accessible in Orion Firewall Security Manager Module.
The Orion integration module is installed separately using the Orion Firewall Security Manager Module PreInstaller. You can find the installation requirements here: Requirements Before Installing Orion Firewall Security Manager Module.
Junos/SRX Device Support – SRX Firewalls and J Series Routers
FSM 6.6.5 supports Junos devices that include SRX firewalls and J series routers. The following Junos versions are supported: 10.4, 11.1, 11.2, 11.4, 12.1 (R version only).
See Supported Devices.
Supported features include the following:
- Security Zone and global objects (IPv4 addresses only, domain names)
- Zone-to-zone Security Policy
- Global Policy
- Filter Rules
- SRC, DST, and static NAT
- Static Routes
IOS Rule Documentation
FSM 6.6.5 supports the rule documentation feature for security rules in IOS devices, v. 10.0 – 14.1.
The following separate log files are created: Deviceconnector, Devicetranslator, Fsm-core, Loganalysis. In device translator logs and in the problems view, multiple occurrences of the same error are consolidated into a single statement.
FSM Features Available for Junos
- Configuration imported from the device, from NCM, or from the file system
- Device detail views
- Query and filtering
- Rule documentation for security policies
- Impact Monitor
- Compare text, rule/object and policy
- Rule/object cleanup including log aggregation and cleanup script
- Packet tracer
- Security checks and PCI compliance
The following FSM features are not supported for Junos in the current release:
- Debug traffic flow
- Rule recommendation and change modeling script generation
- VPN reports
Upgrading from v. 6.4, v. 6.5 or v. 6.6
Version 6.4, 6.5 or 6.6 is upgraded automatically to version 6.6.5 during the installation of version 6.6.5. Note that Change Modeling sessions that were open need to be re-created after installation.
Upgrading from Supported Client-server Versions v. 6.0 – 6.3.2
If you are upgrading from a supported client-server version, you can upgrade your server to version 6.6.5 directly. We recommend that you upgrade the shared database first, then upgrade the remote clients.
If you have remote clients running version 6.0 or 6.1, we recommend you uninstall the client, then install version 6.6.5 from the beginning. This avoids a known re-translation issue with these clients. This is not an issue with remote clients running version 6.3.
Upgrading from a Standalone Version
If you are running a standalone version, you must first upgrade to 6.4 using the standalone upgrade script. After you have upgraded to 6.4, you can then upgrade to version 6.6.5.
Before you proceed, gather the following information:
- The Firebird installation folder. By default, this folder is C:\Program Files\SolarWinds\SolarWinds FSMServer\firebird.
- The Firebird administrator username and password. By default, these values are sysdba and masterkey, respectively. If you changed these values, find them in C:\Program Files\AthenaSecurity\AthenaFirePAC\plugins\com.lisletech.athena.rcp.tools_1.2\conf\applicationContext.xml: open the file in a text editor and search for the first occurrence of user and password.
- The version of FirePAC you are upgrading
Find the exact version you are currently running by opening Help > About in the FirePAC client. The version number is part of the phrase, "Build versionNumber-rcN-date".
- Details not handled by the script-assisted upgrade
The following details will be missing in your FSM 6.4 client after you upgrade. Recreate these manually if you want to keep them:
Note: You might want to re-create the last two items on a specific client that only you use.
- Scheduled tasks
- The mail server for notifications; re-enter this information in the Window > Preferences window
- Check Point OPSEC certificates and one-time activation key; reset the certificates from the Check Point SmartDashboard, and re-specify the one-time activation key used to download the OPSEC certificates in the FSM client
- Saved queries
- Users and change modeling sessions (version 6.x only)
1. Close the FirePAC client.
2. Make a copy of the FirePAC database to use later. The database file is located by default at C:\AthenaSecurity\AthenaFirePAC\data\athena_firepac.fdb. Copy this file to a new location, but do not rename it.
3. Uninstall FirePAC:
   - Launch the uninstaller from Start > All Programs > AthenaFirePAC > AthenaFirePAC Uninstaller.
   - Select all of the check boxes, and then start the uninstaller.
   - After the uninstaller finishes, click Quit to exit.
4. Download the stand-alone upgrade scripts from here, and then unzip the contents to a folder you can use for the rest of the procedure.
5. Install FSM 6.4, but do not launch it:
   - If you have not already downloaded the FSM 6.4 installer, download it from the SolarWinds customer portal.
   - Complete either the Express or Advanced installation but do not launch the client: at the end of the installer wizard, clear the Launch SolarWinds FSM now? option, and then click Done.
6. Stop the FSM services from Start > All Programs > SolarWinds Change Advisor > Stop Server.
7. Rename the new FSM database:
   - The new database file is located by default at C:\Program Files\SolarWinds\SolarWinds FSMServer\data\fsm_server.fdb.
   - Rename this file. For example, change the name to
   - Make a copy of the database file you copied in Step 2 and put it in the ~\data\ folder. Retain the other copy in case this upgrade fails.
8. Run the upgrade_from_versionNumber.bat script for the applicable FirePAC version:
   - Open a Command window.
   - Change directories to the working folder you specified in Step 4 for the upgrade scripts.
   - Run the upgrade script for the FirePAC version you are upgrading, followed by arguments containing the Firebird installation folder and credentials. For example, enter upgrade_from_5.1.bat "C:\Program Files\SolarWinds\SolarWinds FSMServer\firebird" sysdba masterkey. Enclose the first argument in quotation marks to account for spaces in the installation path.
9. Copy the following files from the working folder that contains the scripts to the FSM installation folder (C:\Program Files\SolarWinds\SolarWinds FSMServer):
10. If you are upgrading from a 6.x version, edit the app.oldVersion file in a text editor so that it reflects 6.0 instead of 5.0.
11. Start the FSM services from Start > All Programs > SolarWinds Change Advisor > Start Server.
12. Start the FSM client from Start > All Programs > SolarWinds Change Advisor > SolarWinds FSM Client.
13. When the FSM client prompts you with Require re-translation, click Yes. This process can take a while for clients with large inventories.
14. After you finish this procedure, FSM 6.6.5 is running in evaluation mode. Click Help > License Manager in the FSM client to apply your license key.
15. If the upgrade fails and you need to re-run this procedure, repeat the procedure from Step 7, specifying a different name when you rename the existing (new) database.
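The file-handling steps of the standalone upgrade above (copying the FirePAC database aside, renaming the newly installed fsm_server.fdb, running upgrade_from_<version>.bat with the Firebird folder and credentials, copying the script files, and adjusting app.oldVersion for 6.x sources) as one PowerShell script. This is an added example, not a SolarWinds script. It assumes that the manual steps (uninstalling FirePAC, installing FSM 6.4, stopping the services) are already done, that the renamed new database may carry any unused name (a timestamped name is used so each retry after a failure gets a fresh one, as step 15 requires), that app.oldVersion lives in the FSM installation folder and contains the literal 5.0, and that the list of files to copy in step 9 is supplied by the operator, since it is not reproduced here. The Firebird password is read at a prompt instead of being typed into the command line.

```powershell
<#
  Added example (not SolarWinds' own script): automates steps 2, 7, 8, 9 and 10
  of the standalone-to-6.4 upgrade. Assumptions are marked in comments.
  Run from an elevated PowerShell prompt after steps 3 to 6 have been done by hand.
#>
param(
    # FirePAC version from Help > About, e.g. "5.1"; selects upgrade_from_<version>.bat
    [Parameter(Mandatory)] [ValidatePattern('^\d+\.\d+(\.\d+)?$')] [string] $FromVersion,
    # Working folder where the stand-alone upgrade scripts were unzipped (step 4)
    [Parameter(Mandatory)] [string] $ScriptFolder,
    # ASSUMPTION: the files step 9 copies into the FSM folder are supplied here
    [string[]] $FilesToCopy  = @(),
    [string]   $OldDb        = 'C:\AthenaSecurity\AthenaFirePAC\data\athena_firepac.fdb',
    [string]   $FsmHome      = 'C:\Program Files\SolarWinds\SolarWinds FSMServer',
    [string]   $FirebirdUser = 'sysdba'
)
$ErrorActionPreference = 'Stop'
$FirebirdHome = Join-Path $FsmHome 'firebird'
$NewDb        = Join-Path $FsmHome 'data\fsm_server.fdb'
$UpgradeBat   = Join-Path $ScriptFolder "upgrade_from_$FromVersion.bat"
$Stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'

# Fail early if any input the later steps depend on is missing.
foreach ($p in $OldDb, $FirebirdHome, $NewDb, $UpgradeBat) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Required path not found: $p" }
}

# Step 2: keep a spare copy of the FirePAC database in a new folder, same file name.
# ASSUMPTION: a folder under %TEMP% is an acceptable place for the spare copy.
$Backup = Join-Path $env:TEMP "firepac-backup-$Stamp"
New-Item -ItemType Directory -Path $Backup | Out-Null
Copy-Item -LiteralPath $OldDb -Destination $Backup
Write-Host "Spare copy of the FirePAC database kept in $Backup"

# Step 7: move the freshly installed database aside under a name that is new on
# every run (ASSUMPTION: any unused name is acceptable), then drop the FirePAC
# database, unrenamed, into the data folder.
Rename-Item -LiteralPath $NewDb -NewName "fsm_server.fdb.new-$Stamp"
Copy-Item -LiteralPath $OldDb -Destination (Split-Path -Parent $NewDb)

# Step 8: run the upgrade script from the working folder with the Firebird folder
# (quoted, because the path contains spaces) and the administrator credentials.
$Cred     = Get-Credential -UserName $FirebirdUser -Message 'Firebird administrator password'
$Password = $Cred.GetNetworkCredential().Password
Push-Location $ScriptFolder
try {
    & $UpgradeBat "$FirebirdHome" $FirebirdUser $Password
    if ($LASTEXITCODE -ne 0) {
        throw "Upgrade script exited with code $LASTEXITCODE; repeat from step 7 (a new name is chosen automatically)"
    }
} finally {
    Pop-Location
}

# Step 9: copy the operator-supplied script files into the FSM installation folder.
foreach ($f in $FilesToCopy) {
    Copy-Item -LiteralPath (Join-Path $ScriptFolder $f) -Destination $FsmHome -Force
}

# Step 10: for 6.x sources, app.oldVersion must say 6.0 instead of 5.0.
# ASSUMPTION: the file sits in the FSM installation folder and contains the literal 5.0.
if ($FromVersion -like '6.*') {
    $OldVersionFile = Join-Path $FsmHome 'app.oldVersion'
    (Get-Content -LiteralPath $OldVersionFile) -replace '5\.0', '6.0' |
        Set-Content -LiteralPath $OldVersionFile
}

Write-Host 'Done. Continue with step 11: start the FSM services, then the client, and accept re-translation.'
```

The script stops at the first failed check or copy rather than continuing, so a half-applied run leaves the spare copy from step 2 intact and the renamed database in place for the retry that step 15 describes.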
| Issue | Case Number |
|---|---|
| Superfluous dots are present in the RAW Config resource. | FSM-4030 |
| Breadcrumb navigation added. | FSM-3662 |
| Links in the Getting Started and Firewall Security Manager features are not working as expected. | FSM-3125 |
| Removed the hand symbol when there is a mouse hover over the objects of the Rule details page. | FSM-4238 |
| Changed the column heading for the device name in the Firewall Reports page of OFSMM from "Report Device" to "Firewall". | FSM-4589 |
| Renamed the Node column to "Firewall" in the Security Checks Reports Needed page. | FSM-4634 |
| Resolved a conflict between the OFSMM Firewall resource and the Virtualization Assets resource. | FSM-4663 |
| Fixed an issue when the Search in hierarchy hint appears slowly and is hard to notice. | FSM-4694 |
| Fixed an issue when resizing grid resources. | FSM-4696 |
| Fixed an issue with upper versus lowercase "O" when entering the management server DN. | FSM-4767 |
| Text improvements in the OFSMM installer. | FSM-4771 |
| Fixed an error occurring when trying to execute a script from FSM to NCM 7.3. | FSM-4787 |
| New version of Phone Home free of gSOAP. | FSM-4792 |
| Export feature: do not capture the search filter and the number of records information. | FSM-3867 |
| Fixed a documentation inconsistency regarding traffic flow and data flow. | FSM-3311 |
| The translator for Junos devices fails on special characters. | FSM-4993 |
| The object reference is not set to an instance of an object. | FSM-4969 |
| Importing Junos SRX clusters is not possible; global policies are not working. | FSM-4936 |
| Translation error in Cisco IOS 15. | FSM-4728, FSM-4759 |
| Orion website error. | FSM-4719 |
| Incorrect links on the Firewall nodes page. | FSM-4975 |
| Change Advisor encounters a PermGen Space error. | FSM-4922 |
| Offline import fails with NullPointerException in VSX clusters. | FSM-5176 |
| The import of Check Point VSQ cluster members fails in online mode. | FSM-5175 |
| Fixed the vulnerability to the POODLE attack and other security issues. | FSM-5153, FSM-5123 |
| Error rendering resources on the Orion website. | FSM-5031 |
| Error while importing Check Point firewalls. | FSM-5015 |
| Failure to update NetScreen configurations. | FSM-4989 |
| System.InvalidOperation.Exception in Orion. | FSM-4978 |
| Issue with route parsing on ASA routers. | FSM-4974 |
| JRE bundle error during installation. | FSM-4708 |
| Inconsistent results for multiple firewalls in the Object Standardization Report. | FSM-4899 |
| The "Needed" link on the Report Details page works incorrectly. | FSM-4665 |
| Fix to an issue where Firewall Security Manager cannot connect to Check Point. | FSM-2831 |
| Error when the search term in Service object search contains leading or trailing whitespace. | FSM-4262 |
| Report downloads do not work in certain detached Orion resources. | FSM-4624 |
| Fixed an issue when the FSM Swis plugin ServiceLocator is not initialized. | FSM-4711 |
| Added an option to only export reviewed rule documentation. | FSM-4726 |
- A fatal error can occur on the 64-bit English version of Windows 7 if the Region & Language format is set to "Turkish".
- Devices that are imported into FSM must have unique primary IP addresses.
- FSM requires clients upgraded from 6.0 or 6.1 to re-translate their firewall configs; complete this task for the local client, but do not complete it for remote clients (see Upgrading instructions above). Note: This task takes a while for clients with large inventories.
- If a change modeling session is open while upgrading from 6.0, FSM returns a database script error; delete any open change modeling sessions and re-create them as needed.
- FSM does not uninstall automatically after aborting an installation; manually uninstall the program or use the Advanced Install to complete the installation.
- FSM fails to install if you run setup.exe from a PeaZip window; extract the contents of the ZIP file or open the archive in Windows Explorer.
- When upgrading 32-bit clients from 6.3.x, the installer may encounter memory issues, as the bundled JRE requires contiguous memory; reduce memory usage on the server, add more memory to the server, or install on a 64-bit server.
- FSM returns an "Invalid enable password" if you do not press Enter after you enter the enable password in the Firewall Command Template Parameters form; enter the enable password, and then press Enter to complete the form.
- FSM does not migrate some device connector passwords correctly after upgrading from 6.0 or 6.1; manually update the device connector with the correct password, and then update the firewall with the force-update option selected.
- FSM does not display the expected results when filtering services in Cisco IOS configurations; use the format tcp/eq_443 (for example) instead of tcp/443.
- FSM only supports Adobe PDF readers for PDF reports; reports in other readers might not work as expected.
- Implicit rules cannot be traced back to the original configuration for devices other than Check Point.
- Same route rules with preference are not handled in the parsing of Cisco PIX dynamic routes.
- NSM Configurations for Juniper NetScreen firewalls are not supported.
- On Windows 2000, the GDI+ library must be installed for better quality graphics.
- The WinZip utility cannot compress large files (>4 GB) correctly; use gzip to compress large firewall log files for log analysis.
- FSM cannot read firewall log files in .gz format that consist of a sequence of independently compressed members; concatenate all input files into one input file before compressing it.
- The Services Summary report uses the standard service names for port numbers, as defined by IANA. These may differ from the service names used by some firewall devices (notably Check Point).
- An error is displayed when domain objects in a policy cannot be resolved to IP addresses.
- Only Standard Profile Security Checks list is provided at the end of the summary report; customized profiles used by firewalls are not listed.
- Cannot import a configuration without a valid host name defined in the configuration.
- IPv6 is not supported.
- DHCP/DIALUP based IP addresses are not supported for network interfaces.
- Dynamic VPN connection is not supported for any firewall type.
- Policy-based routing is not supported.
- Dynamic VPN peer discovery is not supported.
- DCE/RPC services are not supported.
- Traffic filtering based on application layer information is not supported.
- FSM cannot ascertain an interface IP address based on a dynamic route if the interface is configured with DHCP.
Out of Memory Errors
FSM is a Java application that requires at least 1 GB of available memory. If it is launched with insufficient memory, the Java Virtual Machine (JVM) can abort the launch.
The message displayed is:
“Java was started but returned exit code =1”
When FSM is running, it may require additional memory for analysis. FSM displays the following message if not enough memory is available.
“An unexpected exception has occurred, please contact
java.lang.OutOfMemoryError: Java heap space
Before you contact support, try the following:
- Reduce the memory usage on the FSM server.
- Add more memory to the FSM server.
- Install FSM on a host that meets the FSM system requirements.
Note: These errors occur most frequently on 32-bit systems. To avoid these issues, we recommend installing FSM on 64-bit systems with a recommended 8 GB of memory whenever possible. For additional information about system requirements, see the FSM Quick Start Guide.
Junos SRX Devices
The following Junos features are not supported in this release:
- IPSEC point-to-point VPN (policy and route-based)
- Multiple routing instances
- Transparent firewalls
- Policy-based filter rules
- NAT action at policy rule
- Application services
- Chain policies
- Multiple NAT pools
- Persistent NAT
Cisco Security Appliances
- GRE tunnel is not supported.
- Multiple contexts are supported only when there is no sharing of network interfaces between contexts; multiple bridge-groups are not supported.
- Transparent mode is supported only when there is a management interface, or a bridge virtual interface (BVI) with IP address is configured.
- If a protocol object-group is used instead of protocol in an access-list, the object-group details will not be displayed in the rule-search tool-tip window.
- Hairpinning (the process by which traffic is sent back out on the same interface on which it arrived) is not supported.
- Non-standard IP addresses and non-contiguous netmasks are not supported.
Juniper NetScreen Devices
- NSRP failover configurations (Active/Active, Active/Standby) and interface failover are not supported.
- Hub and spoke VPN configurations without an explicit policy to allow traffic between the hubs are not supported.
- Transparent mode is not supported.
NetScreen virtual systems (vsys) only:
- Rule and Object Cleanup, Rule optimization, Object and Rule Query features work fine.
- Security Audit, Policy Analysis and Advanced Data Flow Query work for a given vsys where there are no shared interfaces, zones, or virtual routers with any other vsys; if there are shared interfaces, zones, or virtual routers, the results are not accurate.
- The packet classification method to route packets to different virtual systems present on the device is not supported.
Juniper SRX Devices
- Transparent mode is not supported.
- IPSec Point-to-point VPN is not supported.
Check Point Devices
- Rule search queries show only the explicit security rules, and this way they correspond to the rule numbering in the management console; however, the rule numbers listed in Check Point firewall configuration reports may not correspond to the rule numbers listed in the Check Point management console due to the inclusion of implied rules in the numbering.
- Object and Rule Search queries do not handle exclusion object group types or objects with multiple operators in a single destination port expression.
- Object and Rule Search queries do not handle interface IPs for gateway objects; you can only search by the primary IP of the gateway.
- Remote Access VPN, Directional VPN, Multiple Entry Point VPN, and Route-based VPN are not supported.
- Domain-based VPN routing is not supported.
- IP Pool NATs are not supported.
- VoIP Services are not supported.
- Domain objects that cannot be resolved to an IP address are not supported.
- Dynamic objects are not supported.
- Resource objects are not supported.
- Logical server objects are not supported.
- Virtual systems are not supported.
- Connectra, Edge and Externally managed Check Point gateways are not supported as install targets.
- Authentication rules that intersect with the user database are not supported.
- Security rules that authenticate users, clients and sessions are not supported.
- Overlapping NAT using the following parameters that can be defined on an interface are not supported:
- Only the following global properties for Check Point firewalls are recognized in data flow analyses and security checks in this release:
- Accept Outgoing Packets
- Accept Domain Name over UDP
- Accept Domain Name over TCP
- Accept ICMP Requests
- Accept Encrypted Packets Between Gateways in a VPN Community
- Rule comparison does not handle excluded services for a VPN rule.
- Object comparison does not handle groups with exclusions.
- The only authentication type (auth_type) supported for connecting to Check Point CPMI and LEA servers is "sslca".
Cisco IOS Devices
- Zone based firewall configurations are not supported.
- NAT rules with route map specifications are not supported.
- Network and service object-groups are supported, but "ip address" and "ip port" groups, and the addrgroup keyword in access-lists are not supported.
- Generating change scripts in a Change Modeling Session for IOS routers is not supported.
- Virtual NAT is not supported.
- Rules that have the same entering and exiting interface (hairpin traffic) are not supported.
Copyright © 2015 SolarWinds Worldwide, LLC. All rights reserved worldwide.
No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC and its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies.