14.2.0 Changelog

From Edge Threat Management Wiki - Arista
Latest revision as of 23:06, 6 November 2019

Overview

14.2 is a major new release containing new functionality and some big changes.

Web Filter

Improved Education Features

Many commonly-requested features have been added to Web Filter. These are especially useful for those filtering on behalf of children, such as educational institutions, and for those doing SSL inspection (the search string inside an HTTPS request is only visible to the filter when the session is being inspected).

  • "Enforce safe search" now includes searches on YouTube, forcing Restricted Mode.
  • Logging of online searches now includes searches on YouTube.
  • Added a new "Search Terms" tab to allow admins to block/flag searches containing certain words or phrases.
  • Added the ability to import very large lists of suspicious search terms in either JSON or CSV format.
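As an added example (not code from Untangle or from this page), the following Python shows how a search-term list could be imported from JSON or CSV and matched against the search string carried in a search-engine or YouTube URL, with "block" taking precedence over "flag" and whole-word matching so that a term such as "drugs" does not fire on "drugstore". The file layouts, field names, sample terms and the check_url helper are assumptions for illustration; the query-parameter names (q, search_query) are the ones those sites actually use.

```python
"""Added example: import block/flag search terms from JSON or CSV and
evaluate search URLs against them. Formats and sample data are constructed."""
import csv
import io
import json
import re
from urllib.parse import parse_qs, urlsplit

# Hostname suffix -> query parameter that carries the search string.
SEARCH_PARAMS = {
    "google.com": "q",
    "bing.com": "q",
    "duckduckgo.com": "q",
    "youtube.com": "search_query",
}


def extract_search(url):
    """Return the search string from a search-engine/YouTube URL, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for suffix, param in SEARCH_PARAMS.items():
        if host == suffix or host.endswith("." + suffix):
            values = parse_qs(parts.query).get(param)
            return values[0] if values else None
    return None


def normalize(text):
    """Lower-case and collapse whitespace so phrases compare consistently."""
    return " ".join(text.lower().split())


def load_terms(text, fmt):
    """Assumed import formats (not Untangle's): JSON is a list of
    {"term": ..., "action": "block"|"flag"}; CSV has a header row term,action."""
    if fmt == "json":
        rows = json.loads(text)
    elif fmt == "csv":
        rows = list(csv.DictReader(io.StringIO(text)))
    else:
        raise ValueError(f"unknown format {fmt!r}")
    terms = []
    for row in rows:
        action = (row.get("action") or "flag").lower()
        if action not in ("block", "flag"):
            raise ValueError(f"bad action {action!r} for term {row['term']!r}")
        terms.append((normalize(row["term"]), action))
    return terms


class SearchTermMatcher:
    """Compiles the list into one whole-word alternation per action, so a very
    large list costs one regex scan per search instead of a loop over every term."""

    def __init__(self, terms):
        self.patterns = {}
        for action in ("block", "flag"):
            words = sorted({t for t, a in terms if a == action}, key=len, reverse=True)
            if words:
                alt = "|".join(re.escape(w) for w in words)
                # Lookarounds keep "drugs" from matching inside "drugstore".
                self.patterns[action] = re.compile(r"(?<!\w)(?:" + alt + r")(?!\w)")

    def evaluate(self, url):
        """Return (action, matched_term) or None; block outranks flag."""
        search = extract_search(url)
        if search is None:
            return None
        query = normalize(search)
        for action in ("block", "flag"):
            pattern = self.patterns.get(action)
            match = pattern.search(query) if pattern else None
            if match:
                return (action, match.group(0))
        return None


# Constructed sample lists in both import formats.
SAMPLE_JSON = json.dumps([
    {"term": "proxy sites", "action": "block"},
    {"term": "bypass filter", "action": "flag"},
])
SAMPLE_CSV = "term,action\ndrugs,block\nself harm,flag\n"

MATCHER = SearchTermMatcher(load_terms(SAMPLE_JSON, "json") + load_terms(SAMPLE_CSV, "csv"))


def check_url(url):
    """Convenience wrapper around the shared matcher."""
    return MATCHER.evaluate(url)


if __name__ == "__main__":
    for u in ("https://www.youtube.com/results?search_query=free+proxy+sites",
              "https://www.google.com/search?q=drugstore+near+me",
              "https://www.bing.com/search?q=How+to+BYPASS+filter"):
        print(u, "->", check_url(u))
```

Non-search URLs return None even when a listed word appears in them, which is the right behaviour for a search-terms feature: it should act on what the user searched for, not on every URL containing a word.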

New Web Filtering Categorization engine

We have switched Web Filter to use Brightcloud's web URL categorization and reputation engine. Untangle often changes the underlying commercial engine used in some of the paid apps (like Virus Blocker) over the years. Doing so is never easy, but is critical for Untangle to stay current with the best technologies available.

On upgrade, your current category settings will be converted to the new category format.

Important notice: As of October 30, 2019, NG Firewall must be updated to version 14.2 or later for web categorization to continue to function.

Other Quality-of-Life Improvements

Web Filter categories page is now grouped by default and has a search function to help locate categories more easily. Additionally the database schema has been improved for better reports performance.

Intrusion Prevention

Intrusion Prevention incorporates much of the user feedback and many of the requests received on the new implementation introduced in 14.1.

Whitelist (Exempt)

Rules now have the ability to whitelist (exempt) certain traffic or subnets from Intrusion Prevention signatures. Using the new Whitelist rule action, you can exempt matching signatures based on their source and/or destination network variables.

Postrouting Option

Intrusion Prevention now has the ability to run in "postrouting" mode. This mode is very different from the standard "prerouting" mode, and which one you choose depends on your reasons for using Intrusion Prevention.

When run in "prerouting" mode (the default), IPS sees all traffic, even traffic that will subsequently be dropped by the firewall. This means IPS sees the malicious activity, such as port scans and intrusion attempts against the public IP addresses, that happens on almost all networks, even though that traffic will ultimately just be dropped. The advantage of this approach is that Intrusion Prevention sees and logs everything, providing the most complete picture. The disadvantage is that it usually logs so much that the Intrusion Prevention logs quickly become ignored: it logs thousands of events per day, and this is completely normal and expected.

When run in "postrouting" mode, IPS only scans traffic that will actually pass through the firewall. On most networks where Untangle runs with a public IP, does NAT, and port forwards only select traffic or none at all, this is extremely different from scanning in "prerouting" mode. The advantage of this mode is that IPS only scans and logs traffic that is actually entering your network; it ignores most of the standard "noise" from incoming port scans and vulnerability scans that simply get dropped at the firewall, and logs only the traffic that should potentially concern the administrator. The disadvantage is that it provides a less complete picture of activity on the public interface, since it no longer logs attempts that just get dropped. Additionally, long-time Untangle users may recall that this was once the default; many administrators were uncomfortable with it because it logs much less than they anticipated, or much less than a solution running in "prerouting" mode. Finally, postrouting mode fully supports network bypass rules.

Which mode is right for you depends on your reasons for using Intrusion Prevention. The "prerouting" mode is currently the default because it is the behavior most administrators expect.
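As an added example (not Untangle's code and not a description of how NG Firewall is implemented), the following Python models the two scan positions described above together with the Whitelist (Exempt) action from the previous section: a small NAT edge with one port forward, a handful of constructed signatures of the "$EXTERNAL_NET any -> $HOME_NET port" kind, a whitelisted scanner subnet, and a bypassed source. The public IP, networks, signature IDs, rules and sample packets are all constructed, and the model assumes that a bypass rule is honoured only in postrouting mode, since the page only says postrouting "fully supports" bypass rules.

```python
"""Added example: toy model of IPS placement before vs after the firewall.
All addresses, rules, signatures and packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


WAN_IP = "203.0.113.10"                        # constructed public IP of the edge
LAN = ip_network("10.0.0.0/24")
HOME_NET = [ip_network(WAN_IP + "/32"), LAN]   # what a $HOME_NET variable would cover
PORT_FORWARDS = {443: "10.0.0.5"}              # only HTTPS is forwarded to an inside host

# Constructed signatures: sid -> (description, destination port on $HOME_NET).
SIGNATURES = {
    1000001: ("Inbound SSH probe", 22),
    1000002: ("Inbound SMB probe", 445),
    1000003: ("Inbound HTTPS attack pattern", 443),
}
# Whitelist (exempt) rule: signature hits from this source network are not reported.
WHITELIST_SRC = [ip_network("198.51.100.0/24")]
# Network bypass rule: this source skips scanning (assumed to apply in postrouting only).
BYPASS_SRC = [ip_network("203.0.113.50/32")]


def in_nets(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def firewall_passes(pkt):
    """Emulate a NAT edge: inbound to the public IP passes only if port-forwarded;
    traffic originating on the LAN passes."""
    if pkt.dst == WAN_IP:
        return pkt.dport in PORT_FORWARDS
    return in_nets(pkt.src, [LAN])


def signature_hits(pkt):
    """Signatures match on destination port toward $HOME_NET, like the real rule headers."""
    return [sid for sid, (_, port) in SIGNATURES.items()
            if pkt.dport == port and in_nets(pkt.dst, HOME_NET)]


def scan(packets, mode):
    """Return the IPS events (sid, src, dst, dport) produced in the given mode."""
    if mode not in ("prerouting", "postrouting"):
        raise ValueError(mode)
    events = []
    for pkt in packets:
        if mode == "postrouting":
            if not firewall_passes(pkt):
                continue          # dropped at the firewall; IPS never sees it
            if in_nets(pkt.src, BYPASS_SRC):
                continue          # bypass rule: traffic is not scanned
        for sid in signature_hits(pkt):
            if in_nets(pkt.src, WHITELIST_SRC):
                continue          # whitelist action: this source is exempt from the signature
            events.append((sid, pkt.src, pkt.dst, pkt.dport))
    return events


# Constructed traffic sample: a day of "noise" plus a few flows that really get in.
SAMPLE_PACKETS = [
    Packet("192.0.2.77", WAN_IP, 22),        # internet noise: SSH probe, dropped
    Packet("192.0.2.77", WAN_IP, 445),       # internet noise: SMB probe, dropped
    Packet("192.0.2.77", WAN_IP, 443),       # reaches the port-forwarded HTTPS host
    Packet("198.51.100.7", WAN_IP, 22),      # whitelisted scanner, dropped anyway
    Packet("198.51.100.7", WAN_IP, 443),     # whitelisted scanner, forwarded
    Packet("203.0.113.50", WAN_IP, 443),     # bypassed source, forwarded
    Packet("10.0.0.20", "192.0.2.9", 22),    # outbound SSH from the LAN, not $HOME_NET
]


if __name__ == "__main__":
    for mode in ("prerouting", "postrouting"):
        found = scan(SAMPLE_PACKETS, mode)
        print(f"{mode}: {len(found)} event(s)")
        for sid, src, dst, dport in found:
            print(f"  {sid} {SIGNATURES[sid][0]}: {src} -> {dst}:{dport}")
```

Running it shows the trade-off the text describes: prerouting reports the two dropped probes, the forwarded HTTPS hit and the bypassed source's HTTPS hit, while postrouting reports only the single HTTPS flow that actually reached the inside host. The whitelisted scanner generates no events in either mode, and the outbound SSH session never matches because its destination is not in $HOME_NET.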

Rule Reporting

Rule matches are now logged in the IPS event log, and several new reports summarize the top-matching rules.

Directory Connector

Directory Connector can now connect to directory services in Microsoft Azure.

The Active Directory Login Monitor now can monitor RADIUS authentication events on the Active Directory server.

Other

Tons of other improvements and bugfixes:

  • systemd boot hang issues fixed
  • Additional IPS fixes (logging rules with reports, easier HOME_NET modifications, etc).
  • Many AD/directory-connector fixes (improved User/Group windows, improved analysis of test results)
  • OpenVPN now builds the Windows client based on 2.4.7 (thanks WebFool!)
  • Configuration Backup can now be scheduled to a specific time
  • Ability to hide wireless SSID