Firewall Changes in Release 14.0

This chapter identifies features and functionality added to, modified for, or deprecated from 14.0 Firewall software releases.

IMPORTANT:

Enhancements to Diameter, GTPP, and RADIUS in release 14.0 are located in the Accounting Management Changes chapter.

Enhancements to SNMP MIB in release 14.0 are located in the SNMP MIB Changes chapter.

Enhancements to Web Element Manager (WEM) in release 14.0 are located in the Web Element Manager Changes chapter.

Firewall Feature Changes as of September 28, 2012

This section provides information on Firewall feature changes in release 14.0.

IMPORTANT:

For more information regarding features in this section, refer to the Firewall Administration Guide for this release.

New Firewall Features

This section identifies new Firewall features available in release 14.0.

None for this release.

Modified Firewall Features

This section identifies Firewall features modified in release 14.0. There are two kinds of modified features: enhancements and behavior changes. Enhancements are feature changes based on customer change requests. Behavior changes are feature changes that modify an existing behavior and may result from software error corrections (bug fixes).

Dynamic Access Rules

The stateful packet inspection feature allows operators to configure rule definitions (ruledefs) that take active session information into consideration to permit or deny incoming or outgoing packets. An access ruledef contains the criteria for multiple actions that could be taken on packets matching the rules. These rules specify the protocols, source and destination hosts, source and destination ports, and direction-of-traffic parameters used to allow or reject the traffic flow for a subscriber session.

Previous Behavior: When Gx is enabled, “static-and-dynamic” access-rules behave as static rules.

New Behavior: When Gx is enabled, “static-and-dynamic” access-rules behave as dynamic rules. Access ruledefs can be switched on/off from the PCRF (Gx). Charging ruledef attributes can be used for this purpose. Access ruledefs that need to be switched on/off must be configured as “dynamic-only” or “static-and-dynamic” in the Firewall-and-NAT policy. If configured as “dynamic-only”, the rule is disabled by default and can be switched on from the PCRF. If configured as “static-and-dynamic”, the rule behaves as “dynamic-only” for Gx-enabled calls and as a static rule for non-Gx calls.
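The following Python sketch is an added example, not vendor code or CLI: it models the activation logic described above and lists the rules whose enforcement on a Gx-enabled call changes with the upgrade. The rule names, the "static" label for a rule configured with neither keyword, and the representation of PCRF activation as a set of ruledef names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Modes named in the release note; "static" is an assumed label for a rule
# configured with neither keyword.
STATIC = "static"
DYNAMIC_ONLY = "dynamic-only"
STATIC_AND_DYNAMIC = "static-and-dynamic"

@dataclass(frozen=True)
class AccessRule:
    priority: int
    ruledef: str
    action: str  # "permit" or "deny"
    mode: str

def active_14(rule, gx_enabled, pcrf_on=frozenset()):
    """Release 14.0: is the rule enforced for this call?"""
    if rule.mode == STATIC:
        return True
    if rule.mode == STATIC_AND_DYNAMIC and not gx_enabled:
        return True  # behaves as a static rule on non-Gx calls
    # dynamic-only, or static-and-dynamic on a Gx call: off until the PCRF
    # switches it on
    return gx_enabled and rule.ruledef in pcrf_on

def active_pre14(rule, gx_enabled, pcrf_on=frozenset()):
    """Previous behavior: static-and-dynamic acted as static with Gx enabled.
    Assumption: it was also static on non-Gx calls, other modes unchanged."""
    if rule.mode == STATIC_AND_DYNAMIC:
        return True
    return active_14(rule, gx_enabled, pcrf_on)

def upgrade_findings(rules, pcrf_on=frozenset()):
    """Rules enforced on a Gx call before 14.0 but not after, by priority."""
    return [(r.ruledef, r.action)
            for r in sorted(rules, key=lambda r: r.priority)
            if active_pre14(r, True, pcrf_on) and not active_14(r, True, pcrf_on)]

# Constructed sample policy (hypothetical ruledef names).
RULES = [
    AccessRule(1, "block-telnet", "deny", STATIC_AND_DYNAMIC),
    AccessRule(2, "allow-dns", "permit", STATIC),
    AccessRule(3, "block-p2p", "deny", DYNAMIC_ONLY),
    AccessRule(4, "allow-video", "permit", STATIC_AND_DYNAMIC),
]

if __name__ == "__main__":
    # The PCRF activates only allow-video, so block-telnet is no longer enforced.
    for name, action in upgrade_findings(RULES, pcrf_on={"allow-video"}):
        print(f"{name} ({action}): enforced before 14.0, disabled until PCRF activation")
```

A deny rule in the output is the case to review before upgrading: it was always enforced on Gx calls and now depends on the PCRF switching it on.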

Firewall Configuration Management Changes as of September 28, 2012

This section provides information on Firewall configuration command changes in release 14.0.

None for this release.

Firewall Performance Management Changes as of September 28, 2012

This section provides information on Firewall performance management changes in release 14.0.

None for this release.

Firewall Security Management Changes as of September 28, 2012

This section provides information on Firewall security management changes in release 14.0.

None for this release.

Firewall Feature Changes as of June 29, 2012

This section provides information on Firewall feature changes in release 14.0.

IMPORTANT:

For more information regarding features in this section, refer to the Firewall Administration Guide for this release.

New Firewall Features

This section identifies new Firewall features available in release 14.0.

None for this release.

Modified Firewall Features

This section identifies Firewall features modified in release 14.0. There are two kinds of modified features: enhancements and behavior changes. Enhancements are feature changes based on customer change requests. Behavior changes are feature changes that modify an existing behavior and may result from software error corrections (bug fixes).

Mid-session Firewall Policy Update Changes

The Firewall-and-NAT policy can be updated mid-session provided the policy was enabled during call setup. In this release, the Firewall-and-NAT policy can also be updated during a mid-session rulebase update through Gx and Gy. Mid-session rulebase update support from the RADIUS server and CLI is already present.

Previous Behavior: Firewall-and-NAT policy was not updated during mid-session rulebase update through Gx and Gy.

New Behavior: Firewall-and-NAT policy can be updated during a Gx/Gy mid-session rulebase update if the new rulebase has a Firewall-and-NAT policy configured and the old Firewall-and-NAT policy was configured through the old rulebase.

Stateful Packet Inspection Changes

TCP packets with the SYN flag set and destination port zero are now dropped, just as TCP packets with source port zero are dropped.

Firewall Configuration Management Changes as of June 29, 2012

This section provides information on Firewall configuration command changes in release 14.0.

None for this release.

Firewall Performance Management Changes as of June 29, 2012

This section provides information on Firewall performance management changes in release 14.0.

None for this release.

Firewall Security Management Changes as of June 29, 2012

This section provides information on Firewall security management changes in release 14.0.

None for this release.