GB-OS FIREWALL SOFTWARE
Author: Global Technology Associates, Inc.
Product: GB-OS version 4.0.0
Date: 14 April 2006
GB-OS version 4.0.0 includes updated versions of the following GTA
products and utilities:
Release notes are located on the installation CD and on GTA's web site.
For more about upgrading related software, see individual product
Release Notes sections are categorized first by feature addressed, then
by the type of change.
1. INSTALL NOTES
7. THREAT MANAGEMENT
10. OPERATING SYSTEM
12. RELEASE NOTES HISTORY
1. INSTALL NOTES
1.1 Entering New Activation Codes
If upgrading from 3.7.2 or below, new activation codes must be
entered. GB-OS version 4.0.0 is available at no charge to
customers with a GTA support contract or annual maintenance
agreement. Other users should contact their local
GTA channel partner or email firstname.lastname@example.org for information and
pricing of upgrade options.
1.2 Upgrading from GB-OS 3.5 or Below
If upgrading from GB-OS 3.5 or below, it is necessary to first
upgrade to an interim version of GB-OS before installing GB-OS
4.0. For upgrade instructions, refer to Reference D in the
GB-OS User's Guide.
1.3 Upgrading Hard Drive GB-Ware Installations from 3.5.x to 4.0.0
When upgrading a hard drive GB-Ware firewall from version 3.5.x
1. Back up the firewall configuration.
2. Reinstall the firewall software completely from the CD.
3. Restore the configuration.
The GB-Ware CD image (ISO-9660) is available for download from
GTA's Online Support Center
(https://www.gta.com/support/center/login/). Failure to reinstall
from CD may cause hard drive geometry errors that prevent the
1.4 Error Messages Upon Initial Reboot
Upon rebooting after successful installation, the GTA firewall
may display errors when accessed using the Web interface. This
is expected, these errors are generated because the browser's
cache is trying to access files and locations that no longer
apply. Click OK to any displayed errors and refresh the browser
window to access GB-OS 4.0. If the error messages persist, clear
your browser's cache.
1.5 Default Login and Password Changes
Firewall administrators who have never changed their default
login and password in the Admin Accounts section of GB-OS 3.x
will find that their default account's login information will no
longer work with GB-OS 4.0. After the firewall administrator
has upgraded to GB-OS 4.0, their login and password will both
default to fwadmin.
1.6 Platform Independent Web Interface
GB-OS 4.0 includes a platform independent web interface which
provides an improved workflow, user-friendly design with
enhanced features such as offline configuration and verification
using GB-OS 4.0's Test Mode. GBAdmin is not supported by
1.7 User Group Assignments When Upgrading From Previous Versions
When upgrading to GB-OS 4.0.0, users will automatically be
organized into groups based on the name of the their VPN object.
For example, a user that made use of a VPN object with a name
of Marketing Department will be assigned to a group named
Marketing Department, while a user that made use of a VPN object
with the name of MOBILE will be assigned to a group named
Users that have no VPN object assigned to them will be
organized into groups based on the GB-OS version that the
administrator is upgrading from, such as Users_372.
1.8 Static Gateway to Static Gateway VPN Failure
Firewall administrators that have a configured VPN between two
static gateways may find that their VPN no longer functions
after they have upgraded to GB-OS 4.0. This is caused when the
firewall administrator had a local identity configured in the
Authorization>VPN section on their GTA firewall before it was
upgraded to GB-OS 4.0. GB-OS versions prior to GB-OS 4.0
ignored this field when a static gateway to static gateway VPN
was configured; in GB-OS 4.0, the local identity is recognized
and can result in a failure when a VPN connection previously
worked. To correct this issue, simply navigate to
Configuration>VPN>IPSec Tunnels and edit the IPSec tunnel in
question by setting the local identity to IP Address.
1.9 Restrictive VPN Configurations
When upgrading to GB-OS 4.0, firewall administrators may need to
rebuild their VPN policies. In previous versions of GB-OS, VPN
access was controlled using pass through filters. In GB-OS 4.0,
VPN access is controlled using VPN policies which allow all VPN
traffic by default. Firewall administrators who have upgraded to
GB-OS 4.0 will need to manually recreate any restrictive VPN
1.10 VPN Object Names
Previously defined VPN objects will have the GB-OS version
number appended to their name after the GTA firewall has been
upgraded to version 4.0. For example, a VPN object with a name
of IKE in GB-OS 3.7.0 will be named IKE_370 after the upgrade.
1.11 Address Object Identification
Previously defined address objects that were of type IP
Addresses will be re-categorized as being of type All after the
GTA firewall has been upgraded to version 4.0.
1.12 SSL Certificate Replacement
Version 4.0.0 will install a new default security/SSL
certificate. Some browsers, including Netscape and Mozilla,
will not recognize the new certificate if the original has
never been replaced. If you are unable to log on to the
firewall after upgrading, delete the browser's cached security
certificate, then close and restart your browser before
reattempting remote access to your firewall.
2.1 New Features
2.1.1 Administrators can now switch between runtime slices in
the firewall's flash memory when using the Web
3.1 New Features
3.1.1 Service group objects added to the Object Editor.
Administrators can explicitly allow or deny a protocol
on a certain port according to configured service group
3.1.2 Time Group objects now allow for additional flexibility
when defining time blocks.
4.1 New Features
4.1.1 Groups added to increase efficiency when defining user
authentication in security policies. Groups are pools of
user accounts used for reference throughout the
5.1 Bug Fixes
5.1.1 Static routes now update correctly when their
address object is updated.
6.1 New Features
6.1.1 Dynamic DNS now allows for multiple dynamic DNS
definitions to be used.
6.1.2 DHCP now allows for up to three WINS servers to be
defined per DHCP address range.
6.2.1 DHCP Server now allows for broader definitions when
configuring lease durations.
6.2.2 SNMP now includes automatic policies that allow access
from the protected interface.
6.2.3 The Firewall Control Center now operates on TCP port
2033 by default.
6.3 Bug Fixes
6.3.1 Aliases are now properly removed when deleted and the
High Availability service is enabled.
6.3.2 The DNS server now correctly verifies reverse zone
7. THREAT MANAGEMENT
7.1 New Features
7.1.1 Surf Sentinel now supports multiple local allow and
deny lists through the use of address objects.
7.2.1 Mail Sentinel now tracks an increased number of email
addresses within a single email.
7.2.2 Surf Sentinel now supports authentication via user groups.
7.3 Bug Fixes
7.3.1 Mail Sentinel Anti-Spam now properly closes connections
with the ALS server.
8.1 New Features
8.1.1 GB-OS now automatically generates policies to allow VPN
9.1 New Features
9.1.1 Configuration reports are now organized in easy-to-read
sections labeled Summary located in the Configuration
9.1.2 DHCP Leases now allows for the administrator to flush
all DHCP-assigned IP addresses assigned by the DHCP
Server and recorded in the DHCP Leases table.
10. OPERATING SYSTEM
10.1 New Features
10.1.1 GB-OS now includes VLAN support.
10.1.2 GB-OS now includes pre-configured, default objects that
cannot be edited or disabled.
10.1.3 GB-OS now allows for the disabling of all objects that
are not built into the system.
10.1.4 GB-OS now supports regular expression when defining IP
addresses and domain names in address objects of type
10.1.5 Inbound tunnels now support load balancing when
multiple IP addresses are referenced in the tunnel's
destination address object.
10.2.1 Default user ID and password are now "fwadmin".
10.2.2 Interfaces are now referenced using GB-OS specific
names (eth0, eth1, etc.) instead of their Unix
10.2.3 Service group objects can now be used when configuring
security policies and tunnels.
10.2.4 Time groups have been relocated to the Object Editor.
10.2.5 Mail Sentinel Statistics now display maximum allowed
and peak concurrent connections.
10.2.6 GB-OS log messages now log security policy types as
pol_type and security policy actions as pol_action.
10.2.7 GB-OS log messages now log interface types by their
logical name instead of their NIC driver type and
10.2.8 The Configuration Summary now displays configured
Mail Sentinel policies' type.
10.2.9 The Configuration Summary now displays whether Surf
Sentinel policies accept or deny unknown HTTP commands.
10.2.10 The Configuration Summary now displays an address
object's type and whether the object uses regular
10.2.11 GB-Ware installations that have not been activated
will default to a two user license that can support up
to 200 concurrent connections and five aliases. IPSec
tunnels and GTA Mobile VPN Client connections cannot be
11.1.1 The GNAT-Box field has been renamed to Firewall in the
11.1.2 Updated GTA Syslog to version 2.0.0. This version is
no longer compatible with GTA Reporting Suite version
12. RELEASE NOTES HISTORY
12.1 Previous Release Notes
These notes cover the 4.0.0 release of GB-OS. Release notes
for previous versions can be found at GTA's web site,