LevelBlue Knowledge Base » Knowledgebase » Legacy Products » Secure Web Gateway » Updates

Latest MHF/RHF patches for SWG v11.8.0

Stanislav Michailov — Fri, 11 Aug 2017 17:43:10 GMT

This article applies to:

SWG v11.8.0

Question:

What are the latest MHF/RHF patches for SWG v11.8.0 ?

Information:

The latest patches for SWG 11.8 OS version are:

RHF#08 - Runtime Hotfix #08

RHF#06 - Runtime Hotfix #06

RHF#04 - Runtime Hotfix #04

Notes:

These are FTP links, in some web browsers you may need to enter the username and password from the above URLs separately.
General information about MHF/RHF patches for SWG OS is provided in KB article Q16782.
MHF/RHF patches are installed as local updates. Refer to the following KB articles for installation procedure guidelines:
- Q13868: Install local updates on SWG appliances
- Q14452: .fup installation for SWG

Version 11.5 End of Maintenance

Shawn Cook — Thu, 10 Nov 2016 11:17:36 GMT

This article applies to:

SWG 11.5

Information:

The purpose of this notice is to inform you that the End of Maintenance period for Secure Web Gateway version 11.5 will be on October 19, 2016.

To assist you in making the transition to a later, supported SWG version, we will extend the support period for an additional 6 months, until April 19, 2017 (SWG version 11.5’s End of Life). During that time, you will still receive database downloads and security patches. Once the End of Life occurs, Trustwave will stop supporting SWG Version 11.5.

To keep your Trustwave SWG Appliances up-to-date and supported, please upgrade to version 11.6, 11.7 or later. Doing so will ensure your Trustwave SWG Appliances are updated and supported. We recommend that you upgrade to our latest available version in order to enjoy our latest enhancements.

More information on the policy including definitions of key terms can be found in the Secure Web Gateway Life Cycle Support Policy.

The latest SWG versions and documentation can be found on the Secure Web Gateway product pages.

Please contact Customer Support if you need guidance and information on the upgrade process.

Latest MHF/RHF patches for SWG v11.7.1

Shawn Cook — Thu, 20 Oct 2016 15:03:55 GMT

This article applies to:

SWG v11.7.1

Question:

What are the latest MHF/RHF patches for SWG v11.7.1 ?

Information:

The latest patches for this version of SWG are:

RHF#02 - Runtime Hotfix #02

MHF#02 - Maintenance Hotfix #01

Notes:

These are FTP links, in some web browsers you may need to enter the username and password from the above URLs separately.
General information about MHF/RHF patches for SWG OS is provided in KB article Q16782.
MHF/RHF patches are installed as local updates. Refer to the following KB articles for installation procedure guidelines:
- Q13868: Install local updates on SWG appliances
- Q14452: .fup installation for SWG

How to apply hotfix for Logjam vulnerability on SWG acting as a server and a client.

Mariusz Cieślak — Thu, 25 Jun 2015 03:44:19 GMT

This article applies to:

SWG 11.0

SWG 11.5

SWG 11.6
Question:

How to apply hotfix for Logjam vulnerability on SWG acting as a server and a client.
Procedure:
Logjam vulnerability is related to Diffie-Hellman key exchange which allows Internet protocols such as HTTPS, SSH, IPsec, SMTPS and other that depend on TLS to agree on a shared key and negotiate a secure connection.
Diffie-Hellmankey exchange is a cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, and protocols that rely on Transport Layer Security (TLS).
This hotfix addresses weaknesses in how Diffie-Hellman key exchange is deployed,which can result in a Logjam attack against the TLS protocol. The vulnerability is attributable to a flaw in the TLS protocol rather than an implementation vulnerability.
A Logjam attack can affect any server that supports Ephemeral Diffie-Hellman export ciphers, as well as all modern web browsers. The attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography, enabling the attacker to read and modify any data passing over the connection.
SWG in this case can act as Client and as Server. Please see below steps to apply the hotfix:

For SWG acting as a Server:
Auto hotfix (AHF) has been already released for downloading for SWG running software version v11.0,v11.5,v11.6. This patch will cause SSHd to not support Export Diffie Helman key exchange.
Please note that our HTTPS service doesn't support EDH already therefore no change is needed.

For SWG acting as a Client:
After installing this hotfix, SWG will no longer support cipher suites using authenticated ephemeral Diffie-Helman (EDH) key agreements. Some websites will only negotiate TLS with this cipher, and so will no longer work. If the operation of such websites is critical, you can revert the change and allow SWG to use that cipher again.
For this reason we created a separate patch which is not being distributed by any of SWG HotFixes (AHF,RHF,MHF).
This general patch disables EDH support automatically after the installation and puts additional script in case customer want to revert back the changes.

Patch installation on SWG v11.5/11.6/11.7:
To install this Hotfix (if you have already downloaded the Hotfix file, ignore steps 1-4):
1. Download the Hotfix from the FTP site to your local desktop ( hotfix link is also attached to this KB article). Note that you can verify the Hotfix content using the md5 utility against the md5 file from the FTP.
2. In the Management Console, navigate to Settings > Updates > Updates Management.
3. Click Import Updates at the lower right of the screen.
4. In the Local Update Import window that opens, browse to the Hotfix fup file on your desktop; select it and click Upload in the window. The Hotfix will appear in the Available Updates window. If it does not appear right away, click the Refresh button.
5. In the Available Updates window, select the Hotfix from the list and click Install Update. Once the Hotfix has been installed, it will move to the Installed Updates tab.
During patch installation process 2 scripts will be loaded to the system:
a./usr/share/perl5/update_https_module.pl
b ./usr/share/perl5/update_https_module_revert.pl
First script will be run automatically during the patch installation and second one will have to be run by TAC support technician as it requires root access (only when a revert is needed) .
A"dummy" commit after running the patch is needed to apply changes.

Patch installation on SWG v11.0:
First of all we do recommend to upgrade to SWG 11.5 and apply the above hotfix. However if this is not possible please follow below instructions.
This Hotfix must be installed by the SWG administrator on top of SWG 11.0. ManagementHotfix 08-01 for SWG 11.0 must be applied before applying this hotfix. This Hotfix restarts the Scanning Server and will therefore impact user Web access for some minutes.
Any future Management hotfixes applied to the Policy Server will revert this change. This hotfix cannot be reapplied afterwards.
After any future migration to SWG version 11.5, the string affected by this hotfix will not be recognized and the system will downgrade to a WEAK cipher list.For each device, the Allow Weak Ciphersuites check box in Devices> HTTPS > Advanced tab will be updated automatically and should be unchecked to return to usage of strong ciphers only.
Inaddition, Logjam Hotfix CVE-2015-4000 for SWG 11.5 must be applied after the migration to version 11.5.
To install this Hotfix (if you have already downloaded the Hotfix file, ignore steps 1-4):
1. For each device under Devices, select HTTPS and in the Advanced tab,uncheck the Allow Weak Ciphersuites check box.
2. Download the Hotfix from the FTP site to your local desktop ( hotfix is also attached to this KB article). Note that you can verify the Hotfix content using the md5 utility against the md5 file from the FTP.
3. In the Management Console, navigate to Settings > Updates > Updates Management.
4. Click Import Updates at the lower right of the screen.
5. In the Local Update Import window that opens, browse to the Hotfix fup file on your desktop; select it and click Upload in the window. The Hotfix will appear in the Available Updates window. If it does not appear right away, click the Refresh button.
6. In the Available Updates window, select the Hotfix from the list and click Install Update. Once the Hotfix has been installed, it will move to the Installed Updates tab.

Notes:
If the system must be reverted back to support EDH, contact Trustwave Support at tac@trustwave.com.

End of Maintenance for Secure Web Gateway version 10.2

Charles — Mon, 20 Apr 2015 14:57:44 GMT

This article applies to:

Secure Web Gateway (SWG) 10.2

Secure Web Gateway 10.2 End of Life

Dear valued SWG customer,

According to the Trustwave Product Support Policy, we are announcing that the End-of-Maintenance period for Secure Web Gateway version 10.2 will close on October 1, 2014.

To assist you in making the transition to a later, supported version, we will extend the support period for an additional 6 months. During that time, until the version's End-of-Life, you will receive database downloads and security patches.

We will officially stop supporting SWG version 10.2 when this timeframe expires, on April 1, 2015. To keep your Trustwave SWG Appliances up-to-date and supported, please use the remaining period to upgrade to version 11.0, 11.5 or later. (To determine which supported versions can be installed on your existing hardware, see the Supported Versions matrix.)

The latest SWG versions and documentation can be found on the Secure Web Gateway support pages.

Please contact the Technical Assistance Center if you need guidance and information on the upgrade process.

MHF/RHF patch, what is it and how is it installed ?

Charles — Wed, 23 Apr 2014 15:27:23 GMT

This article applies to:

SWG v10.x
SWG v11.x

Question:

What are the differences between MHF and RHF patches ?
How should these patches be installed ?
Is there any specific order of installation ?

Information:

MHF patch is a Maintenance Hot Fix, mainly addressing issues of the Policy Server role in SWG OS.
RHF patch is a Run-time Hot Fix, addressing issues of the Scanning Server role in SWG OS.

These patches are installed as local updates, refer to below KB article for installation procedure guidelines:
Q13868: Install local updates on SWG appliances
Q14452: .fup installation for SWG

There are no internal dependencies between MHF and RHF patches, no specific order of installation is required.
These patches are cumulative, and newer version of MHF/RHF patch will include the libraries included in the previous version of the MHF/RHF patch, respectively.

Patch usually consists of Debian libraries that are being updated from version to version, as shown below for example:

The patch is always installed first on the Policy Server and then the Policy Server is responsible to update internally the scanner(s) managed by this Policy Server.
The installation order is also similar in the case of HA Policy Server, once the patch is installed on the Active Policy Server, it will also be installed on the Backup Policy Server.

Refer to the below KB articles for the links to the most recent patches for different SWG OS versions:
SWG v10.2 - Q16783
SWG v11.0 - Q16784
SWG v11.5 - Q16785

Upgrade SWG version 10.2 to version 11.0

ofer Kalef — Tue, 24 Sep 2013 08:28:14 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

How do I upgrade my SWG from 10.2 to 11.0?

Procedure:

A new system has been introduced into SWG 10.2 and 11.0 to enable the download and upgrade to a new version from the Policy Server Management GUI. Follow the steps below to complete the upgrade process:

1. Log into your SWG Policy Server.

2. Navigate to Administration > Updates > Update Management.

3. Click Install on the version 11 upgrade item. If this item is not present, click Retrieve Updates.

4. The rest of the install process is automatic.

To install the upgrade on scanners:

1. Go to Administration > System Settings > Trustwave Devices.

2. Right-click each relevant device and select Upgrade Scanners to PS Version.

Notes:

The install process can take as long as 1 hour or more. During the upgrade process, GUI access can be limited or inaccessible. Allow extra time after notification that the install process is finished - back-end and other processes not visible may still be coming online and upgrading.

Important: The Upgrade will stop production scanning.

No updates for Virtual SWG system

ofer Kalef — Sun, 08 Sep 2013 07:05:56 GMT

This article applies to:

Virtual SWG 10.x
Virtual SWG 11.x

Symptoms:

Updates are not installed, and no new updates are shown as available when attempting to retrieve manually.
System Log shows an error on connecting with the Updates server.

Causes:

This may happen due to the default date/time settings used for a Virtual installation - check the current date/time set on SWG to verify.

Resolution:

Update the date/time settings using the config_time Limited Shell command. The best update method is to specify an NTP server, public or local.

SWG Support Policy Aug 2013

ofer Kalef — Mon, 26 Aug 2013 03:18:54 GMT

This article applies to:

Question:

What is the Trustwave SWG support policy

Information:

See attached File

.fup installation for SWG

ofer Kalef — Fri, 23 Aug 2013 04:37:48 GMT

This article applies to:

SWG 9.x
SWG 10.x
SWG 11.x

Itmay be needed to manually install an update, hotfix or patch to the SWG system. The instructions below will give you a step by step on how this is done

Procedure:

You will first need to download the patch/update to your local desktop. (This file should be provided by Trustwave support technician)

In the SWG GUI, navigate to Administration -> Updates -> Update Management. Click “Import Updates” -> Browse your local PC and select the update/patch supplied by the Trustwave support technician. Click Import.

Once the import process is finished, the file should be ready to install. In the available updates tab you should see the imported update/patch ready to install, click the icon and then click install.

Once the install begins you should see an install screen.

Wait for the install to finish then click “Redirect to Login Page”. The installation should be complete and the update/patch is now installed.

Notes:

Manual Updates like these will cause certain processes to restart on the SWG; this may interrupt scanning in a production environment. It’s recommended to install an update or patch during a maintenance window where it’s appropriate for the system to go down.

Install local updates on SWG appliances

ofer Kalef — Fri, 09 Aug 2013 01:53:28 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

What is the procedure for installing a local update file on a Secure Web Gateway (SWG) appliance?

Reply:

Patches, fixes and software updates for Secure Web Gateway appliances are released periodically.
Patches typically address specific issues and are initially released as standalone packages before they are included in a general maintenance update. This article describes how to install any .fup patch or update.

Download the update package as instructed by support personnel and save it locally on your desktop.
Navigate to Administration > Updates and Upgrades > Management.
In the Available Updates tab, click Import Updates .
Browse to the update location on the local machine and click the Import button.
Wait for the upload process to complete.
The amount of time will vary depending on the size of the update and the speed of the connection to the Policy Server.
Make sure that the required update package appears in the list of available updates.
It may be necessary to click the Refresh button in order to update the list.
To see more information about the update, click the + icon next to the update row and click the Release Notes link in the detailed description.
Click the required update and choose the Install Now option.

What is the procedure to follow if updates fail to install?

ofer Kalef — Mon, 08 Jul 2013 02:43:50 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

What is the procedure to follow if all updates fail to install: Requests to https://mirror.updateng.finjan.com/updates return 500 (Connect failed: connect: Connection timed out; Connection timed out)

Reply:

1. Try to ping mirror.updateng.finjan.com and see if it resolves.

2. Check http://www.whatsmydns.net/#A/mirror.updateng.finjan.com to see if there is a worldwide problem, and try to ping the various IPs of mirror.updateng.finjan.com

3. If you are running Version 11.x and behind a proxy, make sure you have installed MHF01 or higher.

It is probable that your firewall blocks mirror.updateng.finjan.com. Check your firewall and open port 443 to [1] updateng.finjan.com and [2] mirror.updateng.finjan.com

How do changes to cloud configuration get passed to the Mobile Security Client (MSC)?

ofer Kalef — Mon, 08 Jul 2013 02:22:56 GMT

This article applies to:

SWG 10.x
SWG 11.x
MSC 2.0

Question:

After making changes to cloud configuration (like proxy port numbers), how does the update get passed to the MSC?

Reply:

As stated in the MSC Administrator Guide:

"Checks for MSC configuration updates are performed once per hour. When a configuration update is detected, a fresh copy is downloaded and applied, and the MSC begins utilizing the new configuration immediately; this is all transparent to the end-user.

The MSC is capable of handling most configuration changes automatically as long as there are no certificate authority-related changes, and at least one Server IP address remains unchanged so that the new configuration can be obtained. However, browsers will need to be restarted in order to use an updated PAC file."

For more information, see chapter 8 in https://support.levelblue.com/software/secure_web_gateway/manuals/11.0/Trustwave_MSC-2_0_1-AdministratorGuide.pdf

The SWG GUI provides the following options to manage client updates. (In Internal mode. In PKI mode, cloud users are certified and managed externally.):

Administration > Cloud > Configuration > Provisioning tab: You can select to send an email update upon configuration changes.

Administration > Cloud > Email Template: You can customize the emails that are sent after any cloud configuration change.

Also check the Users > Cloud User Certificate Management tab for user certificate actions.

No updates for Virtual SWG system

ofer Kalef — Mon, 17 Jun 2013 01:29:20 GMT

This article applies to:

Virtual SWG 10.x
Virtual SWG 11.x

Symptoms:

Updates not installed, and no new updates are available when retrieving updates manually.
System log shows an error on connecting with the Update server.

Causes:

This may happen due to the default date/time settings used for a Virtual installation - Check the current time/date set on SWG to verify.

Resolution:

Update the date/time settings using the config_time limited shell command. The best update method is to specify an NTP server, public or local:

Updating SWG from version 9.2 to 10.1.2

Charles Creegan — Wed, 01 Aug 2012 07:18:55 GMT

This article applies to:

SWG 9.2.x
SWG 10.x

Question:

What is the best procedure for upgrading Secure Web Gateway from version 9.2.x to 10.1.2?

Procedure:

# General remarks

There are a number of ways to move a Secure Web Gateway environment from 9.2 to 10.1.2. The best option for a specific organization will depend on their topology (whether it is a High Availability setup with two Policy Servers, a single Policy Server with a few Scanners, or an All-In-One) and their requirements for acceptable system downtime.

For smaller environments or All-In-One setups, the migration option might fit better than a clean installation on a second Policy Server (PS).

Once a PS has 10.1.2 up and working, Scanners can be upgraded independently (although they must start with at least version 9.2) by using a command in the Limited Shell (LS). This command ('config_upgrade') is basically a new installation over the network, which preserves each scanner's configuration settings.

A Scanner should not be listed in the devices tree of two or more Policy Servers at the same time. A scanner which is supposed to be 'moved' from one PS to another, must be deleted and added in the devices lists accordingly.

A Policy Server on 10.1.2 can restore a Rollback Backup files from version 9.2 and 10.0.

# Preparation

Create a bootable USB key with all of the necessary files on it.

Use a key which is at least 2 GB in size, and make it bootable. Any appropriate tool will do (e.g., under Linux use “UNetbootin”, or under Win7 use the Windows version of this tool (link °4)).
Unzip the 1.4.1-05 installer files (link °1), and copy all files onto the USB key. DO NOT USE an older version of these files.
Copy the 10.0-19 ISO (link °2) onto the key.
Copy the 10.1-12 ISO (link °3) onto the key.

If performing a clean installation, make sure that you have a 10.1 license key. The format of 9.x and 10.1.x keys is different, so a 9.2 key would not be accepted on a cleanly installed 10.1 appliance. For any license issue, please contact your Trustwave Sales representative and request a new license with the same options.

# Upgrade

1) Release Policy Server High Availability (PS HA), if applicable:

Stop synchronization between the master and backup policy servers
Release HA
Access the Backup PS GUI, and remove the scanner devices (select the IP, right click, 'Delete Device')
Shut down the backup PS (Limited Shell: 'poweroff')

2) On the (to-be-upgraded) Policy Server, delete the scanners from the devices tree (select the IP, right click, 'Delete Device'), to make sure they are still up and untouched until the PS is fully upgraded. All scanners will continue to work and scan traffic.

3) Plug in the USB key. If the local console is not accessible remotely (for example, via an IP KVM), also connect a USB keyboard and VGA monitor.

4) Reboot the appliance (Limited Shell: 'reboot').

5) Perform each of the three phases of the upgrade:

Boot from the USB key and run the migration to 10.0, as described in the Tech Brief Installation Utility document
Boot from the hard disk, log in to the PS GUI from a browser, navigate to the Updates section, and install 10.0 Maintenance Fix 01 (listed in 'Available Updates').
Reboot the appliance from the USB key and run the migration to 10.1. When the upgrade has finished and the appliance is rebooting, unplug the USB stick.

6) After the appliance finishes booting, log in to the PS GUI, and install all recent patches:

Maintenance Fix 10.1.2 (listed in 'Available Updates')
recent Management and Runtime Hotfixes (Knowledge Base Article 14562, please contact Support if you do not have access)

7) Check the configuration and policies (AD configuration and import, Upstream Proxy Policies, etc.).

8) Add the scanners back into the devices tree (one by one, or in groups). Make sure that a scanner is not listed under and managed by any other PS.

9) Log in to the Limited shell via SSH, and run 'config_upgrade' in order to upgrade the scanners. Wait until all of the scanners are updated and stable. (Note: The scanners will go offline during the upgrade. It is possible to upgrade scanners individually or in groups in order to prevent all scanners from being offline at once. The upgrade can take a while, since the Policy Server will copy the ISO to each scanner over the network, and each scanner must then install the ISO. This process takes some time, however it will take less time than an installation from USB.)

10) Establish Policy Server HA again, if applicable:

Perform steps 3 through 6 on the backup PS (migration and updates).
On the master PS, setup HA again, enable synchronization (do not synchronize unless all updates are installed).

# Alternatively: PS on the side (‘PS clone’) in order to test the process in advance

Advantage: Production environment is not affected (Main difference: this is a clean install, not a migration process)

1) Boot from USB and install 10.1.0 clean (do not choose the migration option)

2) On the Limited Shell, run 'setup', and configure the appliance according to your needs

3) Enter the GUI, install your license (PS must have access to the Update Server, otherwise the license cannot be applied)

4) Install all recent AV / URL / Security Updates

5) Install all recent patches

Maintenance Fix 10.1.2 (listed in ‘available updates’)
recent Management and Runtime Hotfixes (Knowledge Base Article 14562, please contact Support if you do not have access)

6) Copy the latest Rollback Backup files (from the source PS) to an FTP or Samba location

The actual backup file (xxxxx_backup_yyyy_mm_dd_hh_mm_ss.tar.enc)
index.xml
date

7) Restore

Configure the PS’s Rollback settings (with FTP selected, it might be necessary to add a trailing '/' after the server´s IP)
Navigate to Administration > Rollback > Restore
Start Rollback Restore

NOTE: After this Rollback Restore has been performed, all scanners will be listed under Devices. Remove them immediately on the "new" Policy Server in order to avoid conflicts.

In addition, this Policy Server will have the IP configuration of the PS from which the Backup originates (in the Database and GUI, not in terms of network-settings). This address is probably different from the setting after step [2]. To correct this, follow the steps below:

Navigate to Administration > System Settings > Devices > select Policy Server IP
In the pane on the right hand side, click the Edit button, select the correct IP address under 'Device IP', and click the Save button. Commit this change.

8) From here, follow steps 7+ of the migration process as described above in order to transition the 9.2-scanners to 10.1.2.

Notes:

Download Links USB installer:

1) ftp://outgoing:Mr8om21r@ftp.finjan.com/support/vsi/1-4-1--5/VSI_1.4.1-05_79592M-2011-11-27_1102.tgz

2) ftp://outgoing:Mr8om21r@ftp.finjan.com/support/images/10.0/1000-b19-04-10-2010--12-26PM.iso

3) ftp://outgoing:Mr8om21r@ftp.finjan.com/support/images/10.1/1010-b12-10-04-2011--10-32AM.iso

4) USB Creator for Win7 (do not select “reboot” at the end of this process; see the howto movie)

Recent Patches (as of May 2012)

Update 10.1.2: Updates > Available Updates

Recent Management and Runtime Hotfixes: Knowledge Base Article 14562

Documentation:

5) Secure Web Gateway 10.1 Upgrade Release Notes

6) Secure Web Gateway 10.1.2 Release Notes

What is the SWG update server address?

Rudolf Kessler — Mon, 14 May 2012 02:24:49 GMT

This article applies to:

SWG 9.x
SWG 10.x

Question:

I want to restrict Policy Servers' requests, but updates should be allowed. What access do I have to permit through my Firewall?

Reply:

The required access is:

Destination Port 443 / HTTPS
Hosts [1] updateng.finjan.com and [2] mirror.updateng.finjan.com

Notes:

Trustwave strongly recommends that you use DNS. The IP addresses of these servers could change.

Preventing ICAP Scanning Loops

Rudolf Kessler — Mon, 09 Aug 2010 02:42:09 GMT

Description
In some environments, the only device that is allowed to connect directly to the web is the cache appliance. In such cases, the Vital Security Web Appliance must be configured to proxy its connections through the cache appliance. When the cache appliance is also an ICAP client, it is important to ensure that the Vital Security's transactions do not receive ICAP processing.

Symptoms
When transactions that originate from the Vital Security Web Appliance are scanned through ICAP, users might report lengthy scanning times for Java applets and ActiveX controls. If a sniffer is used to analyze the traffic, the administrator might see the same code (for example, a Java .class file) being requested multiple times. Additionally, updates might not install.

Cause
All Vital Security Web Appliances, regardless of role, must be able to connect to the Internet. The reason for this is broken out by role below:

All in One / Policy Server: These appliances must connect to the Internet in order to download both security and operating system updates.

All in One / Scanning Server: These appliances must connect to the Internet in order to prefetch content for scanning purposes. A common scenario in which prefetching occurs is when Vital Security analyzes a Java .class file that has dependencies on other Java .class files. Vital Security will request all of the associated .class files so that the entire applet can be scanned as a whole.

If transactions originating from the Vital Security appliances are passed back via ICAP, then the appliances may waste cycles scanning updates that do not need to be scanned. Additionally, prefetched content will be double-scanned, and this could result in scanning recursion and double-prefetching, which will increase system utilization and decrease overall performance.

Solution
The best way to prevent scanning loops is to configure the ICAP client (the cache appliance) so that transactions that originate from the IP addresses of the Vital Security Web Appliances do not receive ICAP processing. Neither REQMOD nor RESPMOD processing should be performed on transactions that originate from Vital Security. Additionally, if the IP addresses of the appliances are ever changed, the policy on the cache appliances should be updated so that transactions originating from the new IP addresses are not scanned.

Please note that these configurations are only necessary when the Vital Security Web appliances use an ICAP-enabled cache appliance as their upstream proxy. This includes any situations where the traffic might be transparently redirected to the ICAP-enabled cache appliance. However, when Vital Security appliances are allowed to connect directly to the Internet (without going through the cache appliance), there is no need to apply these configurations on the cache appliance.

Different cache appliances (and different versions of the same cache appliance) can vary in their configuration. For details on configuring a specific cache appliance to bypass ICAP for connections that originate from Vital Security's IP, we recommend contacting the vendor of the cache appliance. The vendor will be able to identify the best way to apply this configuration in your environment.

VSOS
all SWG versions

This article applies to:

NG 5000

SWG 3000 / NG 6000

SWG 7000 / NG 8000

This article was previously published as:

Finjan KB 1096

Rollback Restore fails if Policy Servers are in HA mode

support finjan — Wed, 23 Dec 2009 00:00:00 GMT

Description

High Availability mode must be disabled prior to restoring a rollback.

Symptoms
When restoring a rollback, a "Restore failed" pop-up dialog box appears. Further information regarding this event is absent from the System Log. If a packet capture is recorded while trying to restore the rollback, no connections to the backup location (e.g., FTP server) are observed.

Cause
This is the correct behavior for a Finjan system operating in High Availability mode. It prevents the functionality of the standby policy server from being adversely affected if High Availabiliy is disabled in the restored backup.

Solution
The administrator should verify that High Availability is disabled before restoring a rollback. Should any changes be required in order to disable High Availability, these changes must be committed, and the administrator should wait until all devices have finished committing before restoring the rollback.

If appropriate, High Availability should be enabled again after the rollback is fully restored and all devices are stable.

Details about enabling and disabling High Availability for specific VSOS releases can be found in the Management Console Reference Guide.

Software Version
up to 9.2-M01

This article applies to:: NG 5000; NG 6000; NG 8000

This article was previously published as:: Finjan KB 12675

Blade Server Firmware Upgrade Process

support finjan — Fri, 27 Mar 2009 00:00:00 GMT

This article applies to:
NG 8000
This article was previously published as:
Finjan KB 1110

NG-6000 Firmware update process

support finjan — Fri, 27 Mar 2009 00:00:00 GMT

This article applies to:
NG 6000
This article was previously published as:
Finjan KB 1525

How to avoid simultaneous scanner restarts during an upgrade

Eric Hanson — Mon, 23 Mar 2009 00:00:00 GMT

Question
When upgrading, all the remote scanners simultaneously restart, bringing the appliances out of production. What can be done in order to prevent this behavior when upgrading the Finjan to a newer software version?

Answer
In order to update each scanner separately and avoid simultaneous scanner restarts, please browse to the management console of the appliance and then click on the Settings tab -> Devices -> Policy Server -> VSOS Updates -> Click the Update selected Scanning Servers -> Apply and commit changes, as depicted in the screenshot below:

Software Version
8.5.0

This article applies to:
NG 1000
NG 5000
NG 6000
NG 8000
This article was previously published as:
Finjan KB 1790

Offline Updates

support finjan — Mon, 23 Mar 2009 00:00:00 GMT

This article applies to:
NG 1000
NG 5000
NG 8000
This article was previously published as:
Finjan KB 1441

Why does there appear to be a duplicate Security Update after 8.4.0 installation?

support finjan — Mon, 23 Mar 2009 00:00:00 GMT

Question
Why does the security update that I previously installed on 8.3.X (as shown in the Installed Update tab) reappear on the Available Updates tab together with the 8.4.0 installation?

Answer
8.4.0 does not support the format of the previously installed security update and has reset the system to use security update #52. Please make sure to install the latest security update after the 8.4.0 installation.

Note: You will see both security updates afterwards in the Installed Updates tab, but from the logs you can see that they are actually different (e.g. one is SECURITY_UPDATE830000053 and the second one is SECURITY_UPDATE840000053).

Software Version
8.4.0

This article applies to:
NG 1000
NG 5000
NG 8000
This article was previously published as:
Finjan KB 1348

Why can't the McAfee 5200 Engine be Installed?

support finjan — Mon, 23 Mar 2009 00:00:00 GMT

Question
When I try to install the NAI Engine file update (McAfee new 5200 engine), I get an update failed message.
Why do I get this message and what should I do?

Answer
As noted on our website (http://www.finjan.com/Content.aspx?id=1799), the McAfee Anti-Virus engine version 5100 will be End of Life by January 31st 2008. Customers using the McAfee Anti-Virus engine on the Vital Security Appliance series should upgrade to the following Maintenance releases in order to support the new Anti-Virus engine:

Software Version
8.4.0
8.4.3
8.5.0

This article applies to:
NG 1000
NG 5000
NG 6000
NG 8000
This article was previously published as:
Finjan KB 1662

How do I Install a Failed Update?

support finjan — Mon, 23 Mar 2009 00:00:00 GMT

Question
I retrieved either an Anti-Virus / URL category / OS update and it is displayed in my Available Updates section.
However, when I try to install it I get "update failed" message, or if it is an OS update, it seems that the update status page is stuck.
How can I install this failed update?

Answer
If the update status page is stuck, delete the IE cookies (see also article Update Status Page Stuck - http://kb.finjan.com/article.asp?article=1025&p=4).
Otherwise: navigate to Settings -> Updates -> Available Updates and delete the update that failed (marked with a red cross).
Select Retrieves Updates and try again to reinstall this update.

Software Version
8.3.x
8.4.x
8.5.0

This article applies to:
NG 1000
NG 5000
NG 8000
This article was previously published as:
Finjan KB 1293