
Firewall Release News

  • Free-Style rules now written to SMZTMPA rather than SMZ4DTA
  • Bug fixes
  • Password validation uses OS values
  • CHKFWSEC command now also supports server *FILSRV

Socket Exit Points added

It is now possible to secure the Socket Exit Points.

There are 3 types of Socket Exit Points:

  • Socket Accept    SKTACP
  • Socket Connect   SKTCNT
  • Socket Listen    SKTLSN

It is possible to specify conditions per exit point. See the examples in SMZ8/GRSOURCE UPSKT*.

Rule specification screens will be provided during July 2019.

** Use extreme care when specifying rules for Socket exit points. These control your ability to connect to and from the system. If they are not carefully specified, you may find yourself unable to connect to your system. **

SQL Parser timeout was added

A timeout was added for parsing operations.

If the timeout is reached, the SQL statement is processed as per STRFW, 81, 2, “Action for SQL that cannot be parsed”.

The possible options for Action for SQL that cannot be parsed are:

  • 1=Allow
  • 2=Allow+Extended log
  • 5=Reject
  • 6=Reject+Extended log

The extended log (known as ILOG) enables later checking of the SQL at Raz-Lee Security.

Enable IASP notation and security for IFS

Option 22, 61 enables equating names for IFS objects on an IASP. The notation makes it possible to use the same name for multiple IASPs.

The software now checks IFS folders on an IASP.

Note: notation and security for Native objects have existed since 2014.

Export/Import of definitions enhanced to support IASP IFS and Native equation rules. (82, 1 & 2; GUI)

Display of definitions enhanced to support IASP IFS and Native equation rules. (82, 5; GUI)

Other minor additions and corrections.

Cumulative updates from several releases:

What If (“RECALC”)

New functionality was added to allow evaluation of past transactions per the current setting of security rules. Color coding is used to show the differences.

To activate, use the parameter “RECALC(*DIFFONLY, *SAMEONLY)” in all of the places where the log is displayed, or in the Display Firewall Log (DSPFWLOG) command.

*DIFFONLY      Display differences only

*SAMEONLY      Display only what has not changed

The RECALC output has been extended for OUTPUT(*PRINT, *OUTFILE).

The RECALC output has been extended for the GUI display.

RECALC has been enhanced to also support the following servers: *DDM, *SQLENT, *CSLICM, *TCPSGN. This completes all major exit points.

Check Firewall Security (CHKFWSEC)

A new command enables testing of the reaction of Firewall to possible transactions. This saves the need to actually build up the situation in order to verify that the expected response is achieved.
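The two features just described share one core: re-running the rule evaluation. RECALC re-evaluates past log entries under the current rules and shows only what changed (*DIFFONLY) or only what did not (*SAMEONLY); CHKFWSEC asks what the current rules would do with a transaction that has not happened yet. The sketch below is an added example written for this page, not the product's code: its Rule and Txn layouts, the first-match/default-deny evaluation order, the %group naming and the sample data are all constructed assumptions.

```python
"""Added illustration of 'what-if' rule replay (the RECALC idea) and of a
dry-run check of a hypothetical transaction (the CHKFWSEC idea).
Constructed for this page: the rule and log layouts are simplified stand-ins,
not the product's own formats."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    server: str   # exit point this rule applies to, e.g. "*FILSRV", or "*ALL"
    who: str      # user profile, or a %group the user belongs to
    obj: str      # object name, generic ("PAY*") or "*ALL"
    allow: bool   # decision when the rule matches


@dataclass(frozen=True)
class Txn:
    server: str
    user: str
    obj: str
    logged_decision: Optional[bool] = None  # decision recorded when it happened


def evaluate(rules: List[Rule], txn: Txn,
             groups: Dict[str, List[str]]) -> Tuple[bool, Optional[Rule]]:
    """First matching rule wins; no matching rule means reject (default deny)."""
    members = {txn.user, *groups.get(txn.user, [])}
    for r in rules:
        if r.server not in ("*ALL", txn.server):
            continue
        if r.who not in members:
            continue
        if r.obj != "*ALL" and not fnmatchcase(txn.obj, r.obj):
            continue
        return r.allow, r
    return False, None


def recalc(rules, log, groups, mode="*ALL"):
    """Re-evaluate past transactions under the current rules.
    "*DIFFONLY" keeps entries whose decision would now differ,
    "*SAMEONLY" keeps entries whose decision is unchanged, anything else keeps all."""
    out = []
    for t in log:
        now, rule = evaluate(rules, t, groups)
        changed = now != t.logged_decision
        if mode == "*DIFFONLY" and not changed:
            continue
        if mode == "*SAMEONLY" and changed:
            continue
        out.append({"txn": t, "then": t.logged_decision, "now": now,
                    "changed": changed, "rule": rule})
    return out


def check(rules, txn, groups):
    """Dry run: what would the current rules decide for this transaction?"""
    allow, rule = evaluate(rules, txn, groups)
    return {"allow": allow, "rule": rule}


# Constructed sample data (hypothetical users, groups and objects).
SAMPLE_GROUPS = {"ALICE": ["%FINANCE"], "BOB": [], "CAROL": ["%SALES"]}
SAMPLE_RULES = [
    Rule("*FILSRV", "%FINANCE", "PAY*", True),   # finance may open payroll files
    Rule("*ALL", "BOB", "*ALL", False),          # BOB was blocked after the fact
    Rule("*SQL", "ALICE", "*ALL", True),         # ALICE was granted SQL access later
]
SAMPLE_LOG = [
    Txn("*FILSRV", "ALICE", "PAYROLL", True),    # unchanged: still allowed
    Txn("*FILSRV", "BOB", "PAYROLL", True),      # was allowed, now rejected
    Txn("*SQL", "ALICE", "CUSTOMERS", False),    # was rejected, now allowed
    Txn("*DDM", "CAROL", "ORDERS", False),       # unchanged: no rule, default deny
]

if __name__ == "__main__":
    for e in recalc(SAMPLE_RULES, SAMPLE_LOG, SAMPLE_GROUPS, "*DIFFONLY"):
        print(f"{e['txn'].user:6} {e['txn'].obj:10} then={e['then']} now={e['now']}")
    print(check(SAMPLE_RULES, Txn("*FILSRV", "ALICE", "PAYHIST"), SAMPLE_GROUPS))
```

Run directly, it prints the *DIFFONLY view of the sample log and the dry-run result for a transaction that was never logged. The same `evaluate` function serves both the replay and the check, so the two views can never disagree about how a rule is read.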

Wizard grouping of transactions

The following wizards:

  • Users
  • Native objects
  • IFS objects

have been enhanced to support new grouping of activity by:

*ALLGRP      User activity is attributed to all internal groups and all group profiles that the user is part of.

*ALL         Same as *ALLGRP, plus the user himself.

In the general definition (81, 1) the default grouping now supports the above additions.

Wizard group contents

Options G=Groups and U=Users for the Native and IFS Wizards now show the members of each group.

Option 3=Allow by use for the IP and IFS Wizards builds rules according to past usage.

It is now possible to subset the displayed information to show authority given by generic rules or, in the IFS, inherited from a higher level of directory authority.

The server activity summary (wizard for servers) has been extended to show additional relevant information.

New Servers and Menu options

This is relevant for the product Password:

PWDVL2 – Server: Validate Password - CRTUSRPRF, CHGUSRPRF (from V7R2) was added to the servers supported.


Server settings

  • Opt. 1
    Use the combined security setting with ATP for FILSRV: Secure=Y+ATP instead of Secure=Y.
    Parameter FYI for SETFWSEC.
  • Opt. 1/2 – DBOPEN
    Mark ‘>’ if exists.
  • Opt. 11
    Non-existing single users are marked.
    Members of %Groups that are Group Profiles are marked.
    SQL verbs processed – CRTFNC, DLTFNC, DRPFNC, ALTPRC.

Global settings

  • Opt. 81/2 – new value for <Inherit In-product DB2 authorities>:
    3=No, if Usr/GrpPrf found-stop
  • Opt. 81/2 – new value:
    4=Yes, from higher dir Allowed only


  • A new JOB parameter was added to DSPFWLOG.
  • Function key F5 was added to the DSPFWLOG results screen.
    This feature shows captured screens (provided Capture™ was active).
  • Export/Import now supports the servers’ severity settings (81<22).
    A GNSEVSET parameter was added to the EXPS1 and IMPS1 commands.
  • New menu option 41>61 – this new feature allows adding users to Firewall™ groups.
  • New option in Setting DB‐OPEN and SQL, menu option 1>2. The new option allows exclusion of:
    • a specific object in all (*ALL) libraries,
    • a specific object from a specific library,
    • all objects (*ALL) from the QSYS and QUSRSYS libraries
    from being checked by Firewall™ DBOPEN.

A number of updates were made, including the SQL verb Merge.

Setting Exit Points

The DBOPEN/SQL Exit Point Setting Properties Screen moved to a new location and is now called Setting DB‐OPEN and SQL (STRFW>1>2).

It is made up of two screens. In the 2nd screen there is a new option:

  • Work with files to exclude

Work with Database SQL Server Jobs

This option is new and enables working with SQL database items only.

Additional Message Information

This new screen provides information about actions performed (or not performed) which are listed in the log. This screen enables viewing of Command Type, User, IP, Decision Level and Operation Mode.

New Verb – Merge Processed

A new status was added in the Status Column – Merge.

DSPFWLOG Type (*TELNET)

Telnet device installation is now enabled as a server option in the Additional Message Information screen.

*PRINT1-*PRINT9 User Parameters

Export/Import Options are defined (in Audit™ definitions only), and the parameters can be viewed in Firewall™ and set accordingly.

  • The DBOPEN/SQL Exit Point Setting (STRFW>1>2) was enhanced to include “Control by Exit-Point” and to allow greater operational flexibility, significant performance improvements and better security.
  • A new option exists in STRFW>1>9. It works with Database SQL Server Jobs.
  • The DSPFWLOG option in STRFW>41>1 Additional Message Information has new updates.
  • STRFW>11 now includes a new SQL Verb Merge Record Status.
  • DSPFWLOG TYPE(*TELNET) provides information about the Server IP.
  • STRFW>81>1/2 Export/Import Definitions parameters were relocated to the definitions’ screen.

Triple Syslog Definitions

Raz‐Lee’s iSecurity™ products now support sending Syslog messages to up to three (3) SIEM products simultaneously:

  • In Syslog definitions, select option 81 from the main menu of any product (i.e. STRAUD>81>32/33/34 or STRFW>81>71/72/73).
    The SYSLOG message is now enabled for multiple SIEM messages (note the SIEM 1, SIEM 2 and SIEM 3 option items) and message structures using built‐in as well as mixed variables and constants.
  • The feature enables an adjustable Port, Severity, Facility and Length while offering the Syslog types UDP, TCP and TLS (encrypted), with support for CEF and LEEF and for user-editable modes, using filters for the relevant fields.
  • Processing of SIEM is done on a separate job per SIEM. A buffer exists to tolerate intermittent communication problems or SIEM downtime.
  • Once this buffer is full, processing is delayed. A message is then sent to QSYSOPR, and attempts to restore communication are made periodically.
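Two of the points above are easier to reason about in code: what CEF and LEEF framing looks like once the header and extension escaping rules are applied (and how the facility/severity pair becomes the syslog PRI), and how a per-SIEM bounded buffer behaves across an outage: the channel keeps accepting events until the buffer is full, then signals the caller to delay rather than discard, reports once, and drains the backlog in order when the destination returns. The block below is an added example written for this page, not the product's code; the field names, the FakeSink transport and the queue discipline are constructed assumptions, and the vendor/product strings are sample values.

```python
"""Added illustration: CEF/LEEF/syslog framing plus a per-SIEM bounded buffer
that holds events through an outage. Constructed for this page; the field
names, the FakeSink transport and the queue discipline are not the product's."""
from collections import deque
from datetime import datetime, timezone


def cef_escape(value, header=False):
    """CEF escaping: backslash everywhere; '|' in header fields; '=' and line breaks in extensions."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def to_cef(vendor, product, version, sig_id, name, severity, ext):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    head = "|".join(cef_escape(h, header=True)
                    for h in (vendor, product, version, sig_id, name, severity))
    body = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())
    return f"CEF:0|{head}|{body}"


def to_leef(vendor, product, version, event_id, ext):
    """LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value ..."""
    head = "|".join(str(h).replace("|", " ") for h in (vendor, product, version, event_id))
    body = "\t".join(f"{k}={str(v).replace(chr(9), ' ')}" for k, v in ext.items())
    return f"LEEF:1.0|{head}|{body}"


def syslog_line(facility, severity, host, app, msg, ts=None):
    """RFC 5424 framing; PRI = facility * 8 + severity (facility 13 'log audit', severity 4 -> <108>)."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {ts} {host} {app} - - - {msg}"


class FakeSink:
    """Stand-in for a UDP/TCP/TLS transport: delivery succeeds only while up."""
    def __init__(self):
        self.up = False
        self.received = []

    def send(self, line):
        if not self.up:
            return False
        self.received.append(line)
        return True


class SiemChannel:
    """One outbound channel per SIEM, each with its own bounded buffer."""
    def __init__(self, name, send, capacity):
        self.name, self._send, self.capacity = name, send, capacity
        self._buf = deque()
        self.operator_notices = 0      # stand-in for the message sent to QSYSOPR
        self._full_reported = False

    def submit(self, line):
        """Queue one line. Returns False when the buffer is full: the caller must delay, not drop."""
        if len(self._buf) >= self.capacity:
            if not self._full_reported:
                self._full_reported = True
                self.operator_notices += 1
            return False
        self._buf.append(line)
        return True

    def flush(self):
        """Periodic delivery attempt: send in order, stop at the first failure so the rest waits, still ordered."""
        sent = 0
        while self._buf and self._send(self._buf[0]):
            self._buf.popleft()
            sent += 1
        if len(self._buf) < self.capacity:
            self._full_reported = False
        return sent

    def backlog(self):
        return len(self._buf)


def simulate(capacity=3):
    """Drive one channel through an outage: SIEM down, buffer fills, SIEM returns."""
    sink = FakeSink()
    chan = SiemChannel("SIEM1", sink.send, capacity)
    accepted = [chan.submit(to_cef("Raz-Lee", "Firewall", "1", "FW001", "Reject",
                                   7, {"suser": f"USER{i}", "act": "open"}))
                for i in range(capacity + 2)]
    first_try = chan.flush()      # still down: nothing leaves the buffer
    sink.up = True
    second_try = chan.flush()     # back up: the whole backlog drains in order
    return {"accepted": accepted, "first_try": first_try, "second_try": second_try,
            "delivered": len(sink.received), "notices": chan.operator_notices,
            "backlog": chan.backlog()}
```

`simulate()` returns a small dict describing the outage run; with the default capacity of 3 the first three submissions are accepted, the next two are refused with a single operator notice, and the backlog drains completely once the sink is up. Stopping at the first failed send, rather than skipping ahead, is what keeps events in their original order at the SIEM.
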

Source IP Determination

  • In Global Installation Defaults (STRAUD>89>59), a SYSLOG source Port/IP field was added (UDP only).
  • Major performance change in LOG and Report access time. An improvement of 80% is expected in certain situations.

Extended Monitoring of ODBC and SQL by Combining DB‐OPEN and SQL Exit Points

Benefits

Both the DBOPEN and the SQL exit points can be used to control file access, yet there are some differences:

  • SQL controls ODBC requests, including Create/Delete of file/library.
  • DBOPEN controls ALL file opens, remote and local (Interactive and Batch). DBOPEN also allows working with pre‐selected files to reduce overhead.
  • While DBOPEN is superior to the SQL exit point in performance and analysis accuracy, SQL statements which do not OPEN files cannot be recorded via DBOPEN.

The DBOPEN/SQL Exit Point Setting (STRFW>81>10) was enhanced.

While DB‐OPEN has priority over the SQL exit point in performance and accuracy of analysis, SQL statements which do not involve an OPEN of files cannot be recorded by it.

A significant benefit of DBOPEN is the ability to monitor pre‐selected files only; this dramatically reduces the number of times the exit point is invoked, improving performance.

To enable this capability, select either option 2 or 8 below. Files can be pre‐selected by STRFW>21>51 or by other methods which set these files’ audit attribute to *CHANGE or *READ.

New features were added to enable simultaneous use of the two exit points to allow the full monitoring of activity and still preserve the advantages of each. Options 7 and 8 were added, so the product now allows:

  • 1=DBOPEN All files.
  • 2=DBOPEN Audited files.
  • 7=DBOPEN All files, in addition to the ability to monitor SQL statements that cause no OPEN.
  • 8=DBOPEN Audited files, in addition to the ability to monitor SQL statements that cause no OPEN.
  • 9=SQL.

When selecting option 7 or 8, where both exit points are used, the SQL setting, which can accept:

  • 1=All operations.
  • 2=Non DBOPEN operations

should be set to 2=Non DBOPEN operations.

NOTE: It is possible to set DBOPEN to monitor only pre‐selected files. This dramatically reduces the number of times this exit point is invoked by the operating system, resulting in a performance improvement.

To enable this capability, the user should select option 2 or 8.

The user must also pre‐select the files to be monitored by use of STRFW>21>51 or by other methods which set these files’ audit attribute to *CHANGE or *READ.

Doing so does not mean that the Audit™ module should be set to include entries which may be generated as per this definition.

Tracing Changes in Product Definitions

Firewall™, as well as all iSecurity™ modules, allows tracing of product definitions by use of DB‐Journaling and a completely free use of AP‐Journal™ for this reporting.

To enable this option, do the following:

  • Set definition files to be journaled (STRFW>82>71).
  • Set Global Installation (STRFW>89>59):
    • Auto jrn def files on install = Y.
    • Use AP-Journal™ to trace def chgs = Y.
  • Trace changes (STRFW>82>79).

Generic Base Support

A generic BASE Support Menu was added to the product (STRFW>89).

This screen integrates considerable functionality which crosses different modules of iSecurity™.

Extended Reporting of Firewall™ Definitions

Firewall™ now presents improved possibilities to report product definitions:

  • The standard Print Definition option was enhanced to provide a single spool file that includes all the different definitions.
  • The menu provides a separate entry for reporting Firewall Definitions (STRFW>42).
  • A new query was added to the Firewall Definition Query Generator (which includes HTML, PDF and Email output) to include the definitions of Firewall™:
    • Z$9_FWDFN $9 Firewall Definitions.

Print Firewall™ Definitions

For Type *ALL, only one combined spool file is generated instead of many separate spools.

  • In the Definitions of IFS Object Usage (STRFW>22>1), defining a generic entry for the directory allows the directory subtree to inherit In‐product IFS authorities, according to the definitions in the Additional Definitions screen (STRFW>81>2).
  • In the Syslog definitions (STRFW>81>71), variable &6 now represents the IP and not the Product ID.
  • In options 1 – 6 of the Native Object Security Menu (STRFW>21), when opening a new definition by pressing the F9 key, there is now no validation on the Library. Previously, the user could not enter *USRLIBL as the Library.
  • When running Display definition STRxx>82>5, and selecting *ALL, a single spool file is produced instead of several.
  • Changed behavior in DSPFWLOG that prevented users in an iASP environment from switching to another iASP.
    It is now possible to use Set ASP Group (SETASPGRP) in all cases.
    The prevention after using DSPxxLOG or RUNxxQRY was removed.
  • Additional function in IFS object usage.
    It is now possible to limit the authorities of a directory and not inherit them to lower directories when using generic names.
  • STRFW>11>1: There is now no difference between the situation where 5. Device Names appears with ‘>’ but says *ALL Y, and where it is not defined (no ‘>’).
  • Upon defining Users and Groups, the user can now limit them to single IP address.
    From that IP address, the users and groups will be allowed to work with as many sessions as necessary.
    To access the user settings, select 11 – Users and Groups from the Firewall™ Main Menu.
  • The process for running a second Network Security system in parallel to Firewall™ was improved.
    To run a second Network Security system in parallel, do the following:
    • Select 82 – Maintenance Menu from the Firewall™ Main Menu.
    • Select 99 – More… from the Maintenance Menu.
    • Select 1 – Use Firewall™ in parallel with other Exit Programs from the
      Maintenance Menu – Part 2.

NOTE: Since this option involves running other vendor programs, it is provided as a service which carries no warranty for its results.

  • STRFW>42(Firewall definition reports) is now shipped with a predefined set of reports.
    Field based information includes:
    • 1K *FW‐DFN Native Object Security
    • 1L *FW‐DFN IFS object security
    • 1M *FW‐DFN Command Exceptions
    • 1N *FW‐DFN Users & Groups