
iSecurity Firewall Release News

  • ADDED: On the Setting DB-OPEN and SQL screen (STRFW > 1 > 2), you can pre-select files for processing by pressing the F8 key. This opens the Pre-Select Files for DB-OPEN screen, which you can also reach at STRFW > 4 > 1.
  • ADDED: The SIEM interface parser now uses -QUOTE or -DBLQUOTE to pack values in quotes. The special characters =, *, ( and ), which SPLUNK had misinterpreted, are now replaced with underscores (“_”).
  • ADDED: Firewall SYSLOG (SIEM) uses the standard “outcome=” field name with “failure” or “accept” for rejected or allowed events. If the product was in simulation mode, the notation *FYI (For Your Information) follows.
  • ADDED: Firewall SYSLOG (SIEM) now reports the firewall event numeric code in a similar way to the audit type in Audit.
  • ADDED: To the User Wizard:
    • For each user, show whether it is a user or group profile
    • Option to hide access through servers that are allowed on a higher level (Skip Allow All).
    • In Option 3, combine the current and used lines into a single rule.
    • In Options 8 and 9, users can be added easily to %groups or Group Profiles.
    • Options G & P can show the %groups or Group Profiles to which a user belongs.
  • ADDED: Visualizer was extended to support IFS file names in addition to Native objects. It also allows improved drill-down to the log entries related to IFS objects.
  • ADDED: The Replace Firewall User (RPLFWUSR) command, which finds or removes user references, has been enhanced. It can now display results on the screen as well as check whether there are any references. The scope to check can be either *ALL or *REFERRED. *ALL also checks whether the user is specified as a separate entity.
  • ADDED: A “where used” option is added to the Work with User Security (STRFW > 3 > 1). It shows where the user/group is referred to within other parts of Firewall.
  • ADDED: Configuration of Rule Wizards now allows you to change the command defaults for parameters (STRFW > 81 > 1). Changing the defaults makes the wizards more convenient to use.
  • ADDED: Work with User Security (STRFW > 3 > 1) now shows where the user/group is used.
  • FIXED: Issues with the configuration files that could have prevented SSHD/SFTP/FTP from working were removed.
  • FIXED: A problem with DSPFWLOG and Socket plus false MFA.
  • FIXED: Several accesses on the DBOPEN server had caused rejects on the FWIPA level.
  • FIXED: The MCH3601 error that occurred from time to time when SuperSpeed was set to Yes has been removed. IBM confirmed that it is caused by repetitive use of some prestart jobs. Firewall now enables SuperSpeed under all circumstances. SuperSpeed improves performance by reducing the number of full OPENs. Starting with this release, it automatically adjusts its activity to prevent errors of type MCH3601. Note that when SuperSpeed is set to Yes, setting MAXUSE(1) on some prestart jobs can further improve performance.
  • FIXED: Display Suspend/Resume status (STRFW > 1 > 25) shows the most recent SUSPEND/RESUME operation and its time.
  • FIXED: Empty report emails are now sent properly, with a subject containing the string “NO-DATA”.
  • Added: An option to check whether a connection is running under SSL. This makes it easier to detect devices that have to be changed to use SSL.
  • Added: At the object level, we can now ignore group profiles and check only single user profiles and the %firewall group. This makes it easier when a user profile acts as a group profile but is also in use for running tasks.
  • Improved: In the user wizard, “<Done>” was replaced with “<Used>”. The <Used> Y value is now marked in blue if it differs from the corresponding <Current> value.
  • Improved: The number of systems supported in multi-system queries was increased from 30 to 100.
  • Fixed: A problem in PC Application Security *APP that did not log.
  • Fixed: When scrolling through many firewall log entries, the restriction of subfiles caused a problem when scrolling back to the top. We added F17 to jump to the top.
  • Cumulative PTFs for MFA and SSL
  • Improved:  Performance with DBOPEN, SQL and RMTSRV.
  • Fixed: A problem in DSPFWLOG RECALC that created dumps.
  • Fixed: The DSPFWUSRA command had ignored the user profile.
  • Added: Functions for MFA.
  • Added: The IFS wizard now supports passing long directory names to DSPFWLOG.
  • Improved: In STRFW > 18 > 2, you can specify whether the log records whether SSL was used in a connection.
  • Improved: FILSVR performance, by using user spaces. The first version had problems when the User Space was recreated; it is no longer recreated, which also removed the CPC2206 message from the job log.
  • Improved: Optimized speed for suspend.
  • Improved: Creation of %Firewall groups. When creating a user group %Name, the cursor always points to the % sign in the group name, not to the option field used to select 1 for Server.
  • Improved: The SQL parser was improved.
  • Improved: In user management, “Select-User enabled” was changed to “Select-User disabled”.
  • Fixed: In Firewall query, an MCH3601 occurred because program AUPQRYR had been called from program DSPS1DFN with the wrong number of parameters.
  • The order in which scheduled reports can be run has changed.
  • New Product MFA added to SMZ8 library
  • New main menu item:
    15. Incoming/Outgoing Socket Connections
  • In Rule Wizards:
    • For Native Objects (STRFW > 45 > 1 > 5): New option S=Skip, to check and allow without logging
    • For Native and IFS Objects (STRFW > 45 > 1 > 5 or 6): New option: E=CHGUSRPRF
  • New Feature: The Database Statistics function was added as the DBSTT standard server (STRFW, 1, 1) to the standard activation/de-activation system. It now also supports adding Action and User Exit Programs. As such, this function is automatically started after IPL.
  • New Feature: Real-Time Alert and SIEM capabilities when important definitions are changed. STRFW, 82, option “78. Real-Time Alert on definition chg” now supports the full AP-Journal capabilities to alert in real time by Email, SIEM etc. when important definitions are changed.
  • Enhancement: User’s Wizard (STRFW, 45. Rule Wizards, 4. Users): a new column was added showing whether the user profile exists in the system. The Subset was enhanced to include this column.
  • Enhancement: Server (local) Port was added to the Telnet information; Query and Logs now report this field.
  • Menu Option Relocated: STRFW option “83. Central Administration” was removed from the Firewall Main Menu. All its options are covered in “89. Base Support” and in “82. Maintenance Menu”.
  • The “IFS Security” screen (STRFW > 5 > 1) now has:
    • Separate fields for “Create” and “Write” authority.
    • “Create” can distinguish between:
      • D=Dir Only
      • F=STMF only
      • Y=Both of the above
  • New “How to work with What If” screen (STRFW > 41 > 25) explains the “What If” mode.
  • Information was added to describe the “What If” (testing existing logs against newly proposed rules) capability of each server. Usage: “Work with Server Security” screen (STRFW > 1 > 1), when selecting 5=Display Server Information.
  • Improvement in the information displayed, as per the OS400 requirement for setting exit point QPWDLVL2 (Validate Password – CRTUSRPRF, CHGUSRPRF), on the “Work with Server Security” screen (STRFW > 1 > 1), item PWDLV2.
  • In the “Set Firewall Security (SETFWSEC)” screen for “Suspend Firewall” (STRFW > 1 > 21) or “Resume Firewall” (STRFW > 1 > 22), a new field “Wait for ending of QSERVER” determines whether the process should wait until the QSERVER subsystem has ended. The value “*DSP” means that, when running interactively, the screen should show subsystem information for QSERVER and that the user should refresh the screen with the F5 key until QSERVER has finished.
  • Firewall can be set to use the same groups as those in Audit. The setting is on the “Global Site Defaults – Product Behavior” screen (STRFW > 89 > 59 > 5) under “Firewall shares Groups”.
  • On the “Define Time Groups” screen (STRFW > 41 > 31), option 3 copies an existing Time Group.
  • Compiling RPGLE while DBOPEN is running does not require an additional exception rule.
  • Free-Style rules are now written to SMZTMPA rather than SMZ4DTA.
  • Bug fixes
  • Password validation uses OS values
  • CHKFWSEC command now also supports server *FILSRV
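The quoting and sanitization rule in the SIEM parser notes above (values packed in -QUOTE/-DBLQUOTE quotes, the characters = * ( ) replaced by underscores, and the standard outcome= field with *FYI in simulation mode) is easy to get wrong at the edges, so here is an added Python illustration of it. This is example code written for this page, not Raz-Lee's parser; the exact output layout, the mapping of -QUOTE/-DBLQUOTE to single/double quotes, the field names and the sample event are all assumptions, and a small parse_event function shows that a key=value extractor recovers the values intact after the round trip.

```python
import re

# Characters the release note says Splunk misinterpreted inside values; they become "_".
SPECIAL_TO_UNDERSCORE = str.maketrans({"=": "_", "*": "_", "(": "_", ")": "_"})

# The page names the -QUOTE and -DBLQUOTE options; which quote character each
# produces is an assumption made for this example.
QUOTE_CHARS = {"-QUOTE": "'", "-DBLQUOTE": '"'}

# Constructed sample event (not from the page). The object name carries all the
# characters that would otherwise confuse a key=value extractor.
SAMPLE_FIELDS = {
    "user": "ALICE",
    "server": "DBOPEN",
    "object": "PRODLIB/PAYROLL(MBR=JAN)",
    "text": "Access to file denied",
}


def sanitize_value(value: str) -> str:
    """Replace = * ( ) with underscores so key=value splitting stays unambiguous."""
    return value.translate(SPECIAL_TO_UNDERSCORE)


def _pack(value: str, quote: str) -> str:
    """Quote a value only when it needs it (whitespace or the quote character itself)."""
    if any(ch.isspace() for ch in value) or quote in value:
        return quote + value.replace(quote, "\\" + quote) + quote
    return value


def format_event(fields: dict, decision: str, simulation: bool = False,
                 quoting: str = "-DBLQUOTE") -> str:
    """Render one Firewall event as space-separated key=value pairs.

    decision is "reject" or "allow" and is mapped to the standard outcome= field
    ("failure" / "accept"); in simulation mode the literal " *FYI" notation follows.
    Field values are sanitized; the outcome value is packed as-is so *FYI survives.
    """
    if decision not in ("reject", "allow"):
        raise ValueError("decision must be 'reject' or 'allow'")
    quote = QUOTE_CHARS[quoting]
    parts = [f"{key}={_pack(sanitize_value(str(raw)), quote)}"
             for key, raw in fields.items()]
    outcome = "failure" if decision == "reject" else "accept"
    if simulation:
        outcome += " *FYI"
    parts.append(f"outcome={_pack(outcome, quote)}")
    return " ".join(parts)


def parse_event(line: str, quoting: str = "-DBLQUOTE") -> dict:
    """Split a formatted line back into a dict, the way a SIEM key=value extractor would."""
    qc = QUOTE_CHARS[quoting]
    q = re.escape(qc)
    # key=<quoted value with backslash escapes> | key=<bare value up to whitespace>
    pattern = re.compile(rf"(\w+)=(?:{q}((?:[^{q}\\]|\\.)*){q}|(\S*))")
    out = {}
    for m in pattern.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        out[key] = quoted.replace("\\" + qc, qc) if quoted is not None else bare
    return out


def round_trip(fields: dict, decision: str, simulation: bool, quoting: str) -> dict:
    """Format and re-parse; returns the dict a SIEM would see."""
    return parse_event(format_event(fields, decision, simulation, quoting), quoting)


if __name__ == "__main__":
    print(format_event(SAMPLE_FIELDS, "reject", simulation=True))
    print(round_trip(SAMPLE_FIELDS, "reject", True, "-DBLQUOTE"))
```

The point of sanitizing before quoting is that a value such as PAYROLL(MBR=JAN) no longer contains a second "=" for the extractor to split on, while the outcome value is left untouched so that "*FYI" is still visible to a SIEM rule that filters simulation-mode events.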

Socket Exit Points added

It is now possible to secure the Socket Exit Points.

There are 3 types of Socket Exit Points:

  • Socket Accept                SKTACP
  • Socket Connect             SKTCNT
  • Socket Listen                  SKTLSN

It is possible to specify conditions by User Exit Point. See the examples in SMZ8/GRSOURCE UPSKT*.

Rule specification screens will be provided during July 2019.

** Use extreme care when specifying rules for Socket exit points. These control your ability to connect to and from the system. If not carefully specified you may find yourself unable to connect to your system **

SQL Parser timeout was added

A timeout was added for parsing operations.

If reached, the SQL statement is processed as per STRFW, 81, 2, “Action for SQL that cannot be parsed”.

The possible options for Action for SQL that cannot be parsed are:

  • 1=Allow
  • 2=Allow+Extended log
  • 5=Reject
  • 6=Reject+Extended log

The extended log (known as ILOG) enables later checking of the SQL at Raz-Lee Security.
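To show why the timeout needs an explicit fail-open or fail-closed policy, here is an added Python example (written for this page, not Raz-Lee's SQL parser) of a toy parser with a per-token deadline; when the budget runs out, the configured action code 1, 2, 5 or 6 from the list above decides the outcome. The allow-list rule applied after a successful parse, the toy tokenizer and the sample statements are assumptions.

```python
import re
import time

# Action codes for "Action for SQL that cannot be parsed" (STRFW, 81, 2); the codes
# and meanings are from the page. Each maps to (decision, write an extended ILOG entry).
UNPARSED_ACTIONS = {
    1: ("ALLOW", False),
    2: ("ALLOW", True),
    5: ("REJECT", False),
    6: ("REJECT", True),
}

_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*|'[^']*'|\S")
_TABLE_KEYWORDS = {"FROM", "JOIN", "INTO", "UPDATE", "TABLE"}


class ParseTimeout(Exception):
    """Raised when the parsing budget is exhausted before the statement is fully analysed."""


def parse_sql(statement: str, timeout_s: float):
    """Toy parser (assumption): return (verb, referenced tables), checking the deadline per token."""
    deadline = time.monotonic() + timeout_s
    tokens = _TOKEN.findall(statement)
    if not tokens:
        raise ValueError("empty statement")
    verb = tokens[0].upper()
    tables = set()
    expect_table = False
    for tok in tokens:
        if time.monotonic() >= deadline:
            raise ParseTimeout(f"parse budget of {timeout_s}s exceeded")
        word = tok.upper()
        if expect_table and re.fullmatch(r"[A-Z_][A-Z0-9_.]*", word):
            tables.add(word)          # identifier right after FROM/JOIN/INTO/UPDATE/TABLE
            expect_table = False
        elif word in _TABLE_KEYWORDS:
            expect_table = True
    return verb, tables


def decide(statement: str, allowed_tables: set, unparsed_action: int,
           timeout_s: float = 0.5) -> dict:
    """Apply a table allow-list (assumed rule) when parsing succeeds; otherwise apply
    the configured 'cannot be parsed' action so the outcome is never undefined."""
    if unparsed_action not in UNPARSED_ACTIONS:
        raise ValueError("action must be one of 1, 2, 5, 6")
    try:
        verb, tables = parse_sql(statement, timeout_s)
    except ParseTimeout:
        decision, extended = UNPARSED_ACTIONS[unparsed_action]
        return {"decision": decision, "parsed": False, "extended_log": extended,
                "verb": None, "tables": set()}
    decision = "ALLOW" if tables <= allowed_tables else "REJECT"
    return {"decision": decision, "parsed": True, "extended_log": False,
            "verb": verb, "tables": tables}


if __name__ == "__main__":
    allowed = {"PRODLIB.PAYROLL"}
    print(decide("SELECT NAME FROM PRODLIB.PAYROLL WHERE ID=1", allowed, 5))
    print(decide("DELETE FROM PRODLIB.SALARY", allowed, 5))
    # timeout_s=0 forces the deadline to expire on the first token: the action code decides
    print(decide("SELECT 1", allowed, 6, timeout_s=0))
```

Running with timeout_s=0 is the way to exercise the timeout path deterministically; with action 5 or 6 the statement is rejected (fail closed), with 1 or 2 it is allowed (fail open), and 2 and 6 additionally flag the extended log entry that the text says is kept for later inspection.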

Running an Action after the end of a query

The Run Firewall Query (RUNFWQRY) command was enhanced with the parameter RUNACTEND (Run action after end of run), which runs an action after the query ends.

A possible use case is to run user programs on the output files created by the query.

To build the action, use the interface for creating a new query of type $8 Query log report.

Enable IASP notation and security for IFS.

Option 22, 61 enables equating names for IFS objects on an IASP. The notation allows the same name to be equated across multiple IASPs.

The software now checks IFS folders on an IASP.

Note: notation and security for Native objects have existed since 2014.

Export/Import of definitions enhanced to support IASP IFS and Native equation rules. (82, 1 & 2; GUI)

Display of definitions enhanced to support IASP IFS and Native equation rules. (82, 5; GUI)

RUNAUQRY

Now supports choosing the order in which audit entries are displayed.

The parameter is START(*OLD, *NEW, *DFT)

– *OLD the display starts with the oldest entry (as was)

– *NEW the display starts with the newest entry

– *DFT as specified in STRAUD, 81, 1. (System Configuration)

Multi System User description in query.

Previously, the description of a referenced user was not clear: it was a general description.

Now the user description of a referenced user in a query is replaced by the real user description, even if this user exists on a remote system.

Query Summary Definitions.

Now it is possible to include a summary field or a count by condition.

Other minor additions and corrections.

Cumulative updates from several releases:

What If (“RECALC”)

New functionality was added to allow evaluation of past transactions against the current setting of security rules. Color coding shows the differences.

To activate, use the parameter “RECALC(*DIFFONLY, *SAMEONLY)” in all of the places where the log is displayed, or in the Display Firewall Log (DSPFWLOG) command.

*DIFFONLY   Display differences only

*SAMEONLY   Display only what has not changed

The RECALC output has been extended for OUTPUT(*PRINT, *OUTFILE).

The RECALC output has been extended for the GUI display.

RECALC has been enhanced to also support the following servers: *DDM, *SQLENT, *CSLICM, *TCPSGN. This completes all major exit points.


Check Firewall Security (CHKFWSEC)

A new command enables testing the reaction of Firewall to possible transactions. This saves having to actually create the situation in order to verify that the expected response is achieved.
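The RECALC modes and the CHKFWSEC dry run above are both applications of one idea: re-run the current rules over a transaction and compare. The added Python example below (not the product's code; the rule format, first-match semantics, default reject and the sample log are assumptions) implements a small evaluator, a recalc() filter with *DIFFONLY and *SAMEONLY, and a check_security() call that tests a single hypothetical transaction without building the situation for real.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Assumed rule shape: user (name, *ALL or generic 'PAY*'), server, object, decision."""
    user: str
    server: str
    obj: str
    allow: bool


@dataclass(frozen=True)
class Transaction:
    user: str
    server: str
    obj: str


def matches(pattern: str, value: str) -> bool:
    """*ALL matches anything; a trailing '*' is a generic (prefix) name; otherwise exact."""
    if pattern == "*ALL":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def evaluate(rules, tx: Transaction) -> str:
    """First matching rule wins; no match means REJECT (default-deny is an assumption)."""
    for rule in rules:
        if (matches(rule.user, tx.user) and matches(rule.server, tx.server)
                and matches(rule.obj, tx.obj)):
            return "ALLOW" if rule.allow else "REJECT"
    return "REJECT"


def recalc(log, rules, mode=None):
    """Re-evaluate logged transactions under the current rules.

    log: iterable of (Transaction, decision that was logged at the time).
    mode: '*DIFFONLY' (only entries whose decision changed), '*SAMEONLY' (only
    unchanged ones) or None for everything. Returns (tx, logged, now) tuples.
    """
    if mode not in (None, "*DIFFONLY", "*SAMEONLY"):
        raise ValueError("mode must be *DIFFONLY, *SAMEONLY or None")
    out = []
    for tx, logged in log:
        now = evaluate(rules, tx)
        changed = now != logged
        if mode is None or (mode == "*DIFFONLY") == changed:
            out.append((tx, logged, now))
    return out


def check_security(rules, user: str, server: str, obj: str) -> str:
    """CHKFWSEC-style dry run: what would the current rules decide for this transaction?"""
    return evaluate(rules, Transaction(user, server, obj))


# Constructed rule set and log (not from the page). BOB's access was allowed when it
# was logged; the current rules no longer contain a rule for him.
CURRENT_RULES = [
    Rule("QSECOFR", "*ALL", "*ALL", True),
    Rule("ALICE", "*DBOPEN", "PRODLIB/PAY*", True),
    Rule("*ALL", "*FTP", "*ALL", False),
]
SAMPLE_LOG = [
    (Transaction("ALICE", "*DBOPEN", "PRODLIB/PAYROLL"), "ALLOW"),
    (Transaction("BOB", "*DBOPEN", "PRODLIB/PAYROLL"), "ALLOW"),
    (Transaction("ALICE", "*FTP", "PRODLIB/PAYROLL"), "REJECT"),
    (Transaction("QSECOFR", "*TELNET", "*NONE"), "ALLOW"),
]

if __name__ == "__main__":
    for tx, logged, now in recalc(SAMPLE_LOG, CURRENT_RULES, "*DIFFONLY"):
        print(f"{tx.user:8} {tx.server:8} {tx.obj:18} was {logged}, now {now}")
    print(check_security(CURRENT_RULES, "BOB", "*DBOPEN", "PRODLIB/PAYROLL"))
```

The *DIFFONLY view is the one to review before activating a changed rule set: every entry it lists is a past transaction whose outcome would flip, which is exactly where an over-broad generic rule or a missing exception shows up.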

Wizards grouping of transactions

The following wizards:

  • Users
  • Native objects
  • IFS objects

have been enhanced to support new grouping of activity by:

*ALLGRP   User activity is considered for all internal groups and all group profiles that the user is part of.

*ALL      Same as *ALLGRP, plus the user himself.

In the general definition (81, 1) the default grouping now supports the above additions.

Wizard group contents

Options G=Groups and U=Users for the Native and IFS Wizards now show the members of each group.

Option 3=Allow by use for the IP and IFS Wizards builds rules according to past usage.

It is now possible to subset the displayed information to show authority given by generic rules or, in the IFS, authority inherited from a higher level of directory.

The server activity summary (wizard for servers) has been extended to show additional relevant information.


New Servers and  Menu options

This is relevant for the product Password:

PWDVL2 – Server: Validate Password-CRTUSRPRF,CHGUSRPRF (from V7R2) was added to the supported servers.


Server settings

  • Opt. 1
    • Use the combined security setting with ATP for FILSRV: Secure=Y+ATP instead of Secure=Y
    • Parameter FYI for SETFWSEC
  • Opt. 1/2 – DBOPEN
    • Mark with ‘>’ if it exists
  • Opt. 11
    • Mark non-existing single users
    • Mark members of %Groups that are Group Profiles
    • SQL verbs processed – CRTFNC, DLTFNC, DRPFNC, ALTPRC

Global settings

  • Opt. 81/2 – new value for <Inherit In-product DB2 authorities>
    • 3=No, if Usr/GrpPrf found-stop
  • Opt. 81/2 – new value for
    • 4=Yes, from higher dir Allowed only

  • A new JOB parameter was added to DSPFWLOG.
  • Function key F5 was added to the DSPFWLOG results screen. This feature shows captured screens (provided Capture™ was active).
  • Export/Import now supports the servers’ severity settings (81>22). A GNSEVSET parameter was added to the EXPS1 and IMPS1 commands.
  • New menu option 41>61: this new feature allows adding users to Firewall™ groups.
  • New option in Setting DB‐OPEN and SQL (menu option 1>2). The new option allows exclusion of:
    • A specific object in all (*ALL) libraries.
    • A specific object from a specific library.
    • All objects (*ALL) from the QSYS and QUSRSYS libraries.

from being checked by Firewall™ DBOPEN.

A number of updates were made including SQL verb Merge.

Setting Exit Points

The DBOPEN/SQL Exit Point Setting Properties Screen moved to a new location and is now called Setting DB‐OPEN and SQL (STRFW>1>2). It is made up of two screens. In the 2nd screen there is a new option:

  • Work with files to exclude

Work with Database SQL Server Jobs

This option is new and enables working with SQL database items only.

Additional Message Information

This new screen provides information about actions performed (or not performed) which are listed in the log. This screen enables viewing of Command Type, User, IP, Decision Level and Operation Mode.

New Verb – Merge Processed

A new status was added in the Status Column – Merge.

DSPFWLOG Type (*TELNET)

Telnet device installation is now enabled as a server option in the Additional Message Information screen.

*PRINT1-*PRINT9 User Parameters

Export/Import Options are defined (in Audit™ definitions only), and the parameters can be viewed in Firewall™ and set accordingly.

  • The DBOPEN/SQL Exit Point Setting (STRFW>1>2) was enhanced to include “Control by Exit-Point” and to allow greater operational flexibility, significant performance improvements and better security.
  • A new option exists in STRFW>1>9. It works with Database SQL Server Jobs.
  • The DSPFWLOG option in STRFW>41>1 Additional Message Information has new updates.
  • STRFW>11 now includes a new SQL Verb Merge Record Status.
  • DSPFWLOG TYPE(*TELNET) provides information about the Server IP.
  • STRFW>81>1/2 Export/Import Definitions parameters were relocated to the definitions’ screen.

Triple Syslog Definitions

Raz‐Lee’s iSecurity™ products now support sending Syslog messages to up to three (3) SIEM products simultaneously:

  • In Syslog definitions, select option 81 from the main menu of any product (i.e. STRAUD>81>32/33/34 or STRFW>81>71/72/73). The SYSLOG message is now enabled for multiple SIEM messages (note the SIEM 1, SIEM 2 and SIEM 3 option items) and message structures using built‐in as well as mixed variables and constants.
  • The feature enables adjustable Port, Severity, Facility and Length, and offers the Syslog types UDP, TCP and TLS (encrypted), in CEF and LEEF as well as user-editable formats, using filters for the relevant fields.
  • Processing of SIEM messages is done in a separate job per SIEM. A buffer exists to cover intermittent communication problems or SIEM downtime.
  • Once this buffer is full, processing is delayed. A message is then sent to QSYSOPR, and reconnection is attempted periodically and consistently.
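The design described in the last two bullets (one job per SIEM, a buffer for downtime, an operator message once the buffer is full, periodic retry) can be modelled in a few lines. The following Python example is added here and is not Raz-Lee's implementation; the send callback, buffer sizes, message texts and the QSYSOPR stand-in are assumptions, and the scenario shows that an unreachable SIEM fills its own buffer without blocking delivery to the others.

```python
from collections import deque


class SiemDestination:
    """One SIEM target with its own bounded buffer (the page: a separate job per SIEM)."""

    def __init__(self, name, send, capacity):
        self.name = name
        self.send = send            # send(message) -> True when delivered, False when unreachable
        self.capacity = capacity
        self.buffer = deque()
        self.operator_notified = False


class SyslogDispatcher:
    MAX_DESTINATIONS = 3        # the page: up to three SIEM products simultaneously

    def __init__(self):
        self.destinations = []
        self.qsysopr = []       # constructed stand-in for the QSYSOPR message queue

    def add_destination(self, name, send, capacity=100):
        if len(self.destinations) >= self.MAX_DESTINATIONS:
            raise ValueError("at most three SIEM destinations are supported")
        dest = SiemDestination(name, send, capacity)
        self.destinations.append(dest)
        return dest

    def emit(self, message):
        """Queue a message for every destination and return a per-destination status:
        QUEUED, or DELAYED when that destination's buffer is full (the message is held
        back by the caller, not lost; one QSYSOPR notice is raised per full condition)."""
        status = {}
        for dest in self.destinations:
            if len(dest.buffer) >= dest.capacity:
                status[dest.name] = "DELAYED"
                if not dest.operator_notified:
                    self.qsysopr.append(f"SIEM {dest.name}: buffer full, delivery delayed")
                    dest.operator_notified = True
                continue
            dest.buffer.append(message)
            status[dest.name] = "QUEUED"
        return status

    def flush(self):
        """One periodic delivery attempt per destination. An unreachable SIEM keeps its
        buffer intact and is retried next time; it never blocks the other destinations."""
        delivered = {}
        for dest in self.destinations:
            count = 0
            while dest.buffer:
                if not dest.send(dest.buffer[0]):
                    break                      # still down: keep the message, retry later
                dest.buffer.popleft()
                count += 1
            delivered[dest.name] = count
            if dest.operator_notified and len(dest.buffer) < dest.capacity:
                dest.operator_notified = False  # a later overflow raises a fresh notice
        return delivered


def run_scenario():
    """Constructed scenario: SIEM A is healthy, SIEM B is down and has a tiny buffer."""
    dispatcher = SyslogDispatcher()
    state = {"b_up": False}
    a_received = []
    dispatcher.add_destination("A", lambda m: a_received.append(m) or True, capacity=10)
    dispatcher.add_destination("B", lambda m: state["b_up"], capacity=2)

    statuses = [dispatcher.emit(f"event {i}") for i in range(3)]
    first_flush = dispatcher.flush()
    state["b_up"] = True                # B comes back; the next periodic attempt drains it
    second_flush = dispatcher.flush()
    return {
        "third_status_b": statuses[2]["B"],
        "operator_messages": len(dispatcher.qsysopr),
        "a_first_flush": first_flush["A"],
        "b_first_flush": first_flush["B"],
        "b_second_flush": second_flush["B"],
        "a_received": a_received,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The property worth checking in any real deployment is the one the scenario asserts: a SIEM outage must surface as an operator message and a growing buffer for that destination only, never as missing events at the SIEMs that are still reachable.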
Source IP Determination

  • In Global Installation Defaults (STRAUD>89>59), a SYSLOG source Port/IP field was added (UDP only).
  • Major performance change in LOG and Report access time. An improvement of 80% is expected in certain situations.

Extended Monitoring of ODBC and SQL by Combining DB‐OPEN and SQL Exit Points

Benefits

Both the DBOPEN and the SQL exit points can be used to control file access, yet there are some differences:

  • SQL controls ODBC requests, including Create/Delete of file/library.
  • DBOPEN controls ALL file opens, remote and local (Interactive and Batch). DBOPEN also allows working with pre‐selected files to reduce overhead.
  • While DBOPEN is superior to the SQL exit point in performance and analysis accuracy, SQL statements which do not OPEN files cannot be recorded via DBOPEN.

The DBOPEN/SQL Exit Point Setting (STRFW>81>10) was enhanced. While DB‐OPEN is ahead of the SQL exit point in performance and accuracy of analysis, SQL statements which do not involve an OPEN of files cannot be recorded by it. A significant benefit of DBOPEN is the ability to monitor pre‐selected files only; this dramatically reduces the number of times the exit point is invoked, improving performance. To enable this capability, select option 2 or 8 below. Files can be pre‐selected via STRFW>21>51 or by other methods that set the file’s audit attribute to *CHANGE or *READ. New features were added to enable simultaneous use of the two exit points, allowing full monitoring of activity while preserving the advantages of each. Options 7 and 8 were added, so the product now allows:

  • 1=DBOPEN All files.
  • 2=DBOPEN Audited files.
  • 7=DBOPEN All files in addition to the ability to monitor SQL statements that cause no OPEN.
  • 8=DBOPEN Audited files in addition to the ability to monitor SQL statements that cause no OPEN.
  • 9=SQL.

When selecting option 7 or 8, where both exit points are used, the SQL setting, which can accept:

  • 1=All operations.
  • 2=Non DBOPEN operations

should be set to 2=Non DBOPEN operations. NOTE: It is possible to set DBOPEN to monitor only pre‐selected files. This dramatically reduces the number of times this exit point is invoked by the operating system, resulting in a performance improvement. To enable this capability, select option 2 or 8. The files to be monitored must also be pre‐selected, via STRFW>21>51 or by other methods that set the file’s audit attribute to *CHANGE or *READ. Doing so does not mean that the Audit™ module should be set to include the entries that may be generated as per this definition.
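Because the options above interact (7 and 8 need the SQL setting at 2, and 2 and 8 only monitor files whose audit attribute has been pre-selected), a small configuration check catches the combinations that silently monitor less than intended. The Python example below is added for this page and is not part of the product; the finding codes, the coverage summary keys and the inference about what each option leaves uncovered are drawn from the description above and are assumptions.

```python
# Values of the enhanced DBOPEN/SQL Exit Point Setting, as listed on the page.
DBOPEN_OPTIONS = {
    1: "DBOPEN all files",
    2: "DBOPEN audited files",
    7: "DBOPEN all files + SQL statements that cause no OPEN",
    8: "DBOPEN audited files + SQL statements that cause no OPEN",
    9: "SQL",
}
SQL_SETTINGS = {1: "All operations", 2: "Non DBOPEN operations"}


def check_exit_point_settings(dbopen_option, sql_setting, audited_files):
    """Return (coverage, findings) for a proposed combination.

    audited_files: names of files pre-selected for DBOPEN, i.e. whose audit attribute
    is *CHANGE or *READ (set via STRFW>21>51 or otherwise). Findings are (code, text);
    the codes are assumptions made for this example.
    """
    if dbopen_option not in DBOPEN_OPTIONS:
        raise ValueError(f"unknown DBOPEN option {dbopen_option}")
    if sql_setting not in SQL_SETTINGS:
        raise ValueError(f"unknown SQL setting {sql_setting}")

    uses_dbopen = dbopen_option != 9
    uses_sql = dbopen_option in (7, 8, 9)
    audited_only = dbopen_option in (2, 8)
    findings = []

    # Page guidance: with both exit points active the SQL setting should be 2.
    if dbopen_option in (7, 8) and sql_setting != 2:
        findings.append(("SQL_SETTING",
                         "Options 7 and 8 use both exit points: set the SQL setting to "
                         "2=Non DBOPEN operations."))
    # Options 2/8 monitor pre-selected files only; with none pre-selected DBOPEN sees nothing.
    if audited_only and not audited_files:
        findings.append(("NO_PRESELECTION",
                         f"Option {dbopen_option} monitors only pre-selected files, but no file "
                         "has its audit attribute set to *CHANGE or *READ (STRFW>21>51)."))
    # Page: SQL statements that do not OPEN a file cannot be recorded via DBOPEN alone.
    if dbopen_option in (1, 2):
        findings.append(("NO_SQL_WITHOUT_OPEN",
                         "SQL statements that do not OPEN a file are not recorded under "
                         "this option."))
    # Page: SQL controls ODBC requests, DBOPEN controls all opens (local, batch, interactive).
    if dbopen_option == 9:
        findings.append(("NO_DBOPEN",
                         "SQL only: file opens that are not ODBC/SQL requests are not "
                         "controlled."))

    coverage = {
        "all_file_opens": uses_dbopen,
        "sql_without_open": uses_sql,
        "monitored_files": ("audited only" if audited_only else "all") if uses_dbopen else "n/a",
        "exit_point_load": ("reduced" if audited_only else "every open") if uses_dbopen else "n/a",
    }
    return coverage, findings


def finding_codes(dbopen_option, sql_setting, audited_files):
    """Convenience wrapper returning only the finding codes."""
    _, findings = check_exit_point_settings(dbopen_option, sql_setting, audited_files)
    return [code for code, _ in findings]


if __name__ == "__main__":
    # Constructed pre-selection list for the demonstration.
    preselected = ["PRODLIB/PAYROLL", "PRODLIB/SALARY"]
    for combo in [(7, 1, preselected), (8, 2, []), (8, 2, preselected), (9, 1, [])]:
        cov, findings = check_exit_point_settings(*combo)
        print(combo[:2], cov["monitored_files"], [c for c, _ in findings])
```

The combination to aim for when both full coverage and low overhead matter is 8 with SQL=2 and a non-empty pre-selection list: the check returns no findings for it, while 8 with an empty list (a common mistake after a fresh install) is flagged as monitoring nothing through DBOPEN.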

Tracing Changes in Product Definitions

Firewall™, as well as all iSecurity™ modules, allows tracing of product definition changes by use of DB‐Journaling and completely free use of AP‐Journal™ for this reporting. To enable this option, do the following:

  • Set definition files to be journaled (STRFW>82>71).
  • Set Global Installation (STRFW>89>59):
    • Auto jrn def files on install = Y.
    • Use AP-Journal™ to trace def chgs = Y.
  • Trace changes (STRFW>82>79).

Generic Base Support

A generic BASE Support Menu was added to the product (STRFW>89). This screen integrates considerable functionality which crosses different modules of iSecurity™.

Extended Reporting of Firewall™ Definitions

Firewall™ now presents improved possibilities to report product definitions:

  • The standard Print Definition option was enhanced to provide a single spool file that includes all the different definitions.
  • The menu provides a separate entry for reporting Firewall Definitions (STRFW>42).
  • A new query was added to the Firewall Definition Query Generator (which includes HTML, PDF, Email) to include the definitions of Firewall™:
    • Z$9_FWDFN $9 Firewall Definitions.

Print Firewall™ Definitions

For Type *ALL only one combined spool file is generated instead of a lot of separate spools.

  • In the Definitions of IFS Object Usage (STRFW>22>1), defining a generic entry for the directory allows the directory subtree to inherit In‐product IFS authorities, according to the definitions in the Additional Definitions screen (STRFW>81>2).
  • In the Syslog definitions (STRFW>81>71), variable &6 now represents the IP and not the Product ID.
  • In options 1 – 6 of the Native Object Security Menu (STRFW>21), when opening a new definition by pressing the F9 key, there is now no validation on the Library. Previously, the user could not enter *USRLIBL as the Library.
  • When running Display definition STRxx>82>5, and selecting *ALL, a single spool file is produced instead of several.
  • Changed behavior in DSPFWLOG that prevented users in an iASP environment from switching to another iASP. It is now possible to use Set ASP Group (SETASPGRP) in all cases. The restriction after using DSPxxLOG/RUNxxQRY was removed.
  • Additional function in IFS objects usage. It is now possible to limit the authorities of a directory so that they are not inherited by lower directories when using generic names.
  • STRFW>11>1: There is now no difference between the case where “>5. Device Names” appears with > but says *ALL Y and the case where it is not defined (no >).
  • Upon defining Users and Groups, the user can now limit them to single IP address. From that IP address, the users and groups will be allowed to work with as many sessions as necessary. To access the user settings, select 11 – Users and Groups from the Firewall™ Main Menu.
  • The process for running a second Network Security system in parallel to Firewall™ was improved. To run a second Network Security system in parallel, do the following:
    • Select 82 – Maintenance Menu from the Firewall™ Main Menu.
    • Select 99 – More… from the Maintenance Menu.
    • Select 1 – Use Firewall™ in parallel with other Exit Programs from the Maintenance Menu – Part 2.

NOTE: Since this option involves running other vendor programs, it is provided as a service which carries no warranty for its results.

  • STRFW>42(Firewall definition reports) is now shipped with a predefined set of reports. Field based information includes:
    • 1K *FW‐DFN Native Object Security
    • 1L *FW‐DFN IFS object security
    • 1M *FW‐DFN Command Exceptions
    • 1N *FW‐DFN Users & Groups