HFA06 for 6.5?

[zoo-loo]

Anyone know when HFA06 is actually going to be released? Seems like it keeps getting delayed....

[lammbo]

???

Do you mean HFA_01 for R65? If so, it will be released very soon.

If you mean HFA_06 for R60, well... HFA_05 isn't that old, so I wouldn't expect a new one anytime soon.

[unclerichard]

We are waiting for an imminent release of (presumably) HFA-06 for Integrity Client 6.5 due to issues with release 166 and CA Antivirus. The latest date that I had from Tech Supp. was 12th October.

Unc

[lammbo]

Ahhh... Ambiguity will be the death of us all. Thanks for the clarification.

[CSING]

HFA06 is still more than 2 weeks away.

[dingo8mybaby]

Was told 16th Nov - don't know if that is a general release date though.

[CSING]

There is already a one-off client build 195 that is availible for special cases. It is possible that a Nov 14 date for HFA06 will be met.

[CSING]

You were correct!

HFA6 is now available on the Check Point Download Center. Release notes are also on the Download Center.

Note:

The wireless feature still has the same limitation in HFA6 as in all versions before: It will NOT work on machines with a static IP address. This will be fixed in HFA7.

[securitydude]

How is 6.5 HFA06 working for everyone so far? Any issues?

[CSING]

Are you more concerned about the client or server? I haven't heard of any negative feedback on HFA06. There are a number of issues that this fix corrected. Here are notiable fixes from the RN.

Integrity Client Issues Fixed:

§ Added: Password persistence

Description:
Client rules database corruption could cause the installation password to be lost. In HFA-6 this problem has been resolved. User and install passwords are now backed up (hash value) and read back in automatically.


§ Added: Global Reset-to-Default Feature:
Description:
This new feature adds a tray menu item and supporting code to handle the new Global Reset-to-Default Feature. Ctrl-Shift Right Click on the tray icon enables a newly added item, "Reset" to the right click menu. Clicking “Reset” prompts the user to proceed with reset; if they do then it resets all of the policies in the client. When the client is restarted, the personal policy is re-created and the connection.xml file is read in so that the connection to the integrity server is re-established. Also the installation password is read back in and active.


§ Added the ability to detect WWAN adapters and to disable WWAN adapters the same way that we disable WLAN adapters. This means that if "Disable Wireless On LAN" property is set in the policy both types of adapters should be disabled.


§ Added support of setting dump flags (8, 10 or 14)in the Set Debug Level dialog, which is invoked by Shift+Ctrl+Right Click on the systray menu.

§ Detect VPN Adapter as virtual adapter rather than LAN connections. This fixes the issue of mistakenly disconnecting the Wireless adapters when connecting through wireless to a VPN gateway with "Disable Wireless on LAN" setting because VPN adapter would detected as LAN.


§ Fixed: VSDATANT Multiple IOCTL Privilege Escalation Vulnerabilities (iDefense reported 8/20/2007)

§ Fixed: Multiple Products Privilege Escalation Vulnerability (iDefense reported 8/20/2007)

§ Fixed: Matousec exploit: insufficient checking on ioctl parameter


Integrity Server Issues Fixed:

§ Duplicate deployed policies were not getting purged at all, and now all older versions of current deployed policies are purged.

§ Added MS-SQL Server 2005 to list of supported db

§ Endpoints were not getting deleted from EMON_{domain} table and therefore endpoints even older than 4 weeks were showing up in reports.

§ Policy data retrieved from db is now cached, greatly improving performance.


§ Made synchronization of cluster members robust by getting rid of unreliable JGroups messaging and enforcing periodic uploading of each member cache from common database. This period is configurable by the admin, and is part of the system properties which can be dynamically changed from the tech support page


§ When server gets spyware DAT and engine updates, they are also cached, improving performance and reliability.

[unclerichard]

Just one point relating to the patching itself. Ensure that the Apache logs are not excessive in size as a complete backup of the Integrity directory is made. We noticed that the patching was taking ages - the cause of which being an 8Gb log file !!!

No problems with either the client or server software so far and that 'Reset' facility is a peach !!

Unc

[mrjoshua]

I am running Integrity Advanced Server 6.5 HFA05 and Integrity Agent 6.5 HFA05. If I update to HFA06 agent will I need to update the server as well?

I am currently having issues with things like Outlook, VPN, and Drive Mapping not working properly on random clients until the Integrity client is stopped, followed immediately by a system reboot. I want to change out the client with the new version but the server is so stable I do not want to change it out at the same time.

[CSING]

You may update the client to build 199 (HFA06) without upgrading the server. If you are using cisco vpn then I would think about upgarding the server also.

I always hear about issues with Outlook and Drive Mapping (Netbios) Have you checked the zalog and fwpktlog and fwdbglog in the windows/internet logs directory of the affected endpoints to see if the block is logged? Also ensure that 127 is in the trusted zone.

HTH

[mrjoshua]

Thank you for the information I will double check the machine settings and upgrade the client version and see how it goes with the server running HFA05.

[securitydude]

Quote:

Originally Posted by CSING

You may update the client to build 199 (HFA06) without upgrading the server. If you are using cisco vpn then I would think about upgarding the server also.

I always hear about issues with Outlook and Drive Mapping (Netbios) Have you checked the zalog and fwpktlog and fwdbglog in the windows/internet logs directory of the affected endpoints to see if the block is logged? Also ensure that 127 is in the trusted zone.

HTH

Why do you recommend upgrading the server if you are using Cisco VPN?

[securitydude]

Quote:

Originally Posted by unclerichard

Just one point relating to the patching itself. Ensure that the Apache logs are not excessive in size as a complete backup of the Integrity directory is made. We noticed that the patching was taking ages - the cause of which being an 8Gb log file !!!

No problems with either the client or server software so far and that 'Reset' facility is a peach !!

Unc

what is the "reset" facility?

thanks

[CSING]

Checked the notes and I was incorrect. The correction for the Cisco VPN was made in the client and not the server. A bug was introduced in HFA05 whereby if you connect a second time to the Cisco concentrator, the client sends a heartbeat with a session ID from the first connection, so the Integrity server never authorizes the session to the VPN concentrator. This has been fixed in HFA6.

[CSING]

Quote:

Originally Posted by securitydude

what is the "reset" facility?

thanks

CNTL+Shift right click Integrity icon. Hidden menu appears with log setting and reset options

[securitydude]

Quote:

Originally Posted by CSING

CNTL+Shift right click Integrity icon. Hidden menu appears with log setting and reset options

What does the "reset" option actually do?

Thanks,

[CSING]

This new feature adds a tray menu item and supporting code to handle the new Global Reset-to-Default Feature.

Ctrl-Shift Right Click on the tray icon enables a newly added item, "Reset" to the right click menu. Clicking “Reset” prompts the user to proceed with reset; if they do then it resets all of the policies in the client. When the client is restarted, the personal policy is re-created and the connection.xml file is read in so that the connection to the integrity server is re-established. Also the installation password is read back in and active.

-cs