CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 JohnMH (2007-05-15)
Be careful with NGX-R65

I have two distributed environments.

Both management servers upgraded to R65 (enforcement modules all NGX pre-R65: NGX-R61 HFA 01, NGX-R60 HFA03 and NGX-R62).
On the first install of policy, SmartDefense is broken, with much non-HTTP traffic being blocked and SD announcing it as "WSE0020001 illegal header format detected: Malformed HTTP version in request".

This does not happen when the enforcement module is at the same release as management R65, tested with one of the gateways.

I had to disable SD for gateway that had policy push and SD broken.

Ticket opened.
I am upgrading all my gateways in the next few days, can't wait for a fix.

Seems the new backward compatibility in R65 is broken for SD.

John
#2 ngxadmin (2007-05-16)
Re: Be careful with NGX-R65

Thanks for the insight/caution on R65. I have a similar environment (distributed/SPLAT/NGX_R62/Sun_V20Z's). I presume you're suggesting upgrading the management and enforcement nodes to R65 prior to any policy push?
#3 JohnMH (2007-05-17)
Re: Be careful with NGX-R65

That is what allows smartdefense to keep working in my setup.

John
#4 ngxadmin (2007-05-18)
Re: Be careful with NGX-R65

End result, you upgraded your nodes, re-enabled SmartDefense and all's well?
#5 JohnMH (2007-05-19)
Re: Be careful with NGX-R65

Yes, I am still in the process of upgrading.

On the ones I upgraded, SmartDefense works fine. On the ones that have not been upgraded yet, I have to disable SmartDefense or it blocks non-HTTP traffic, complaining that it does not have proper HTTP headers.

Since it is not HTTP, it shouldn't have HTTP headers.

John
#6 RobertGraham (2007-05-19)
Re: Be careful with NGX-R65

Actually, I would suggest one be careful with any/all versions...

The rule of thumb repeated by some of the experts at the CPUG 2007 conference in Las Vegas is:

You always want to stay one or two minor versions behind the latest and greatest, *unless* you have a genuine need (i.e. it includes a fix that you absolutely need). Make sure there's a good reason for the sanguine pain that accompanies the delights of bleeding edge.

There are always exceptions, and a rule like this should never replace judicious cost/benefit analysis. I would also add that sometimes it's tempting to upgrade to get some new whiz-bang feature. But, the new features should be weighed against the risk.
#7 JohnMH (2007-05-20)
Re: Be careful with NGX-R65

It seems this is related to ClusterXL.
On any box where I have NG-R65 and ClusterXL (Windows or SPLAT), SmartDefense is blocking things (things other than HTTP) with "WSE0020001 illegal header format detected: Malformed HTTP version in request". The only workaround for now is to disable SmartDefense.

John

I understand what you are saying about staying one or two minor releases behind, but with the way hotfixes are not coming out equally for each release, it doesn't leave much choice. (I am speaking about voice fixes and hotfixes for R60-R61-R62.) The scheme until recently hasn't supported distributed environments very well. You couldn't apply a hotfix for R61 on an R62 management box, meaning the R61 hotfix you need to apply on the enforcement point wouldn't mean much (for things that need .def file replacement). Also, when you only have very limited times for upgrade/patch, it pays to stay at the more recent releases.
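An added example, not part of the original thread: a small triage script for scoping the behaviour reported above before disabling SmartDefense, counting WSE0020001 rejects per gateway on ports where HTTP is not expected. The semicolon-delimited log layout, the gateway names and the HTTP_PORTS set are constructed assumptions, not Check Point's export format.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

SIGNATURE = "WSE0020001"
HTTP_PORTS = {80, 8080}  # assumption: ports where HTTP inspection is expected

# Constructed sample export; field names and layout are illustrative only.
SAMPLE_LOG = """\
time;gateway;action;proto;dport;info
2007-05-15 10:02:11;gw-a;reject;tcp;25;WSE0020001 illegal header format detected: Malformed HTTP version in request
2007-05-15 10:02:15;gw-a;reject;tcp;1521;WSE0020001 illegal header format detected: Malformed HTTP version in request
2007-05-15 10:03:40;gw-a;reject;tcp;80;WSE0020001 illegal header format detected: Malformed HTTP version in request
2007-05-15 10:04:02;gw-b;accept;tcp;25;
2007-05-15 10:05:19;gw-a;reject;tcp;25;WSE0020001 illegal header format detected: Malformed HTTP version in request
2007-05-15 10:06:00;gw-c;reject;tcp;80;WSE0020001 illegal header format detected: Malformed HTTP version in request
"""


def summarize(log_text, http_ports=HTTP_PORTS):
    """Return {gateway: Counter({dport: hits})} for signature hits on non-HTTP ports."""
    suspects = defaultdict(Counter)
    for row in csv.DictReader(StringIO(log_text), delimiter=";"):
        if SIGNATURE not in (row.get("info") or ""):
            continue
        try:
            port = int(row["dport"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows rather than guess a port
        if port not in http_ports:
            # HTTP header validation firing on a non-HTTP service: likely false positive
            suspects[row["gateway"]][port] += 1
    return dict(suspects)


def affected_gateways(log_text):
    """Gateways ordered by number of suspected false positives, highest first."""
    summary = summarize(log_text)
    return sorted(summary, key=lambda gw: -sum(summary[gw].values()))


if __name__ == "__main__":
    for gw, ports in summarize(SAMPLE_LOG).items():
        for port, hits in ports.most_common():
            print(f"{gw}: {hits} x {SIGNATURE} on tcp/{port}")
```

Comparing the resulting gateway list against each gateway's release and ClusterXL status shows which of the two explanations raised in the thread fits a given environment.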