Title | Size | Downloads |
---|---|---|
vFW1000_H3C-CMW710-E1260P45-X64_QCO.zip | 413.06 MB | |
vFW1000_H3C-CMW710-E1260P45-X64_OVA.zip | 409.25 MB | |
vFW1000_H3C-CMW710-E1260P45-X64_ISO.zip | 695.45 MB | |
vFW1000_H3C-CMW710-E1260P45-X64_IPE.zip | 196.24 MB | |
vFW1000_H3C-CMW710-E1260P45-X64_descriptor.zip | 14.47 KB | |
H3C_SecPath_vFW1000-CMW710-E1260P45-X64_Release_Notes.pdf | 592.10 KB | |
H3C_SecPath_vFW1000-CMW710-E1260P45-X64_Release_Notes_(Software_Feature_Changes).pdf | 362.55 KB | |
H3C SecPath vFW1000-CMW710-E1260P45-X64 Release Notes
Software operating environments· 2
Hardware and software compatibility· 3
Upgrade restrictions and guidelines· 6
Software feature and command updates· 6
Operation changes in vFW1000-CMW710-E1260P45-X64· 7
Operation changes in vFW1000-CMW710-E1260P39-X64· 8
Operation changes in vFW1000&vFW2000-CMW710-E1185P29-X64· 8
Operation changes in vFW1000&vFW2000-CMW710-E1185P26-X64· 8
Operation changes in vFW1000&vFW2000-CMW710-E1185P21-X64· 8
Operation changes in vFW1000&vFW2000-CMW710-E1185P18-X64· 8
Operation changes in vFW1000&vFW2000-CMW710-E1185P1213-X64· 8
Operation changes in vFW1000&vFW2000-CMW710-E1185P1211-X64· 8
Operation changes in vFW1000&vFW2000-CMW710-E1185P1210-X64· 9
Operation changes in vFW1000&vFW2000-CMW710-E1185P12-X64· 9
Operation changes in vFW1000&vFW2000-CMW710-E1185P09-X64· 9
Operation changes in vFW1000&vFW2000-CMW710-E1185P07-X64· 9
Operation changes in vFW1000&vFW2000-CMW710-E1184P01-X64· 9
Operation changes in vFW1000&vFW2000-CMW710-E1711P14-X64· 9
Operation changes in vFW1000&vFW2000-CMW710-E1711P13-X64· 9
Operation changes in vFW1000&vFW2000-CMW710-E1711P11-X64· 10
Operation changes in vFW1000&vFW2000-CMW710-E1711P02-X64· 10
Open problems and workarounds· 11
Resolved problems in vFW1000-CMW710-E1260P45-X64· 11
List of tables
Table 2 Software operating environments of vFW1000. 2
Table 3 Software operating environments of vFW1000-V. 2
Table 4 Software operating environments of vFW1000-E-Cloud. 2
Table 5 Hardware and software compatibility matrix. 3
Table 6 ISSU version compatibility matrix. 6
This document describes the features, usage restrictions, known issues, and workarounds of version vFW1000-CMW710-E1260P45-X64. As a best practice, back up the configuration file and verify the new version in an internal test environment before loading it, to avoid potential risks.
Use this document together with H3C SecPath vFW1000-CMW710-E1260P45-X64 Release Notes (Software Feature Changes) and the documents listed in "Related documentation."
Version information
Version number
H3C Comware Software, Version 7.1.064, ESS 1260P45
Version history
Version number | Last version | Release date | Release type | Remarks |
---|---|---|---|---|
vFW1000-CMW711-E1260P45-X64 | vFW1000-CMW710-E1185P39-X64 | April 27, 2023 | ESS versions | Fixed bugs |
vFW1000-CMW711-E1260P39-X64 | vFW1000-CMW710-E1185P29-X64 | September 25, 2023 | ESS versions | Fixed bugs |
vFW1000-CMW711-E1185P29-X64 | vFW1000-CMW710-E1185P26-X64 | November 11, 2022 | ESS versions | Released for TR4A and TR5 of vFW-E-Cloud |
vFW1000-CMW711-E1185P26-X64 | vFW1000-CMW710-E1185P21-X64 | July 29, 2022 | ESS versions | Fixed bugs |
vFW1000-CMW711-E1185P21-X64 | vFW1000-CMW710-E1185P1218-X64 | February 25, 2022 | ESS versions | Fixed bugs |
vFW1000-CMW711-E1185P18-X64 | vFW1000-CMW710-E1185P1213-X64 | November 27, 2021 | ESS versions | Fixed bugs |
vFW1000-CMW711-E1185P1213-X64 | vFW1000-CMW710-E1185P1211-X64 | October 22, 2021 | ESS versions | Fixed bugs |
vFW1000-CMW711-E1185P1211-X64 | vFW1000-CMW710-E1185P1210-X64 | July 16, 2021 | ESS versions | Fixed bugs |
vFW1000-CMW710-E1185P1210-X64 | vFW1000-CMW710-E1185P12-X64 | June 19, 2021 | ESS versions | Fixed bugs |
vFW1000-CMW710-E1185P12-X64 | vFW1000-CMW710-E1185P09-X64 | May 18, 2021 | ESS versions | Fixed bugs |
vFW1000-CMW710-E1185P09-X64 | vFW1000-CMW710-E1185P07-X64 | February 23, 2021 | ESS versions | Fixed bugs |
vFW1000-CMW710-E1185P01-X64 | vFW1000-CMW710-E1171P14-X64 | May 26, 2020 | ESS versions | Fixed bugs |
vFW1000-CMW710-E1171P14-X64 | vFW1000-CMW710-E1171P13-X64 | April 17, 2020 | ESS versions | Fixed bugs |
vFW1000-CMW710-E1171P13-X64 | vFW1000-CMW710-E1171P11-X64 | March 27, 2020 | ESS versions | Fixed bugs |
Software operating environments
Table 2 Software operating environments of vFW1000
Hypervisor | Hardware requirements | | |
---|---|---|---|
VMware/KVM/CAS | 1 vCPU (clock speed ≥ 2.0 GHz) | 4 vCPU (clock speed ≥ 2.0 GHz) | 8 vCPU (clock speed ≥ 2.0 GHz) |
| Virtual memory capacity: 2GB or above | Virtual memory capacity: 4GB or above | Virtual memory capacity: 8GB or above |
| Virtual disk capacity: 8GB or above (all models) | | |
| Virtual network interfaces: Two or more virtual Ethernet NICs (all models) | | |
Table 3 Software operating environments of vFW1000-V
Hypervisor | Hardware requirements | | |
---|---|---|---|
VMware/KVM/CAS | vFW1000-V2 | vFW1000-V4 | vFW1000-V8 |
| 4 vCPU (clock speed ≥ 2.0 GHz) | 8 vCPU (clock speed ≥ 2.0 GHz) | 8 vCPU (clock speed ≥ 2.0 GHz) |
| Virtual memory capacity: 4GB or above | Virtual memory capacity: 8GB or above | Virtual memory capacity: 16GB or above |
| Virtual disk capacity: 256GB or above | Virtual disk capacity: 512GB or above | Virtual disk capacity: 1T or above |
| Virtual network interfaces: Two or more virtual Ethernet NICs (all models) | | |
Table 4 Software operating environments of vFW1000-E-Cloud
Hypervisor | Hardware requirements | |
---|---|---|
VMware/KVM/CAS | vFW-E-Cloud-100[300][500] | vFW-E-Cloud-1000[3000][5000] |
| 4 vCPU (clock speed ≥ 2.0 GHz) | 8 vCPU (clock speed ≥ 2.0 GHz) |
| Virtual memory capacity: 8GB or above | Virtual memory capacity: 16GB or above |
| Virtual disk capacity: 8GB or above (both models) | |
| Virtual network interfaces: Two or more virtual Ethernet NICs (both models) | |
Hardware and software compatibility
CAUTION: To avoid an upgrade failure, use the following table to verify the hardware and software compatibility before performing an upgrade.
Table 5 Hardware and software compatibility matrix
Product series | vFW1000/vFW-E-Cloud/vFW1000-V virtual firewalls |
Models | vFW1000/vFW-E-Cloud/vFW1000-V |
Server processors | x86 servers with Intel or Hygon processors: · Intel Gold 5218R, processor clock speed ≥ 2.0 GHz · UNIS Server R3830 G3/CPU · Hygon G3-RS4M1CHG7280-7280B CPU computing capabilities affect the performance of VIPS virtual devices. The CPU computing capabilities vary by CPU model. |
Hypervisor | · VMware ESXi 4.1, 5.0, 5.1, 5.5, 6.0 · Linux KVM (Linux kernel > 2.6.25). As a best practice, use the following Linux release versions: ¡ CentOS 7.0 ¡ Ubuntu 14.04 ¡ Red Hat Enterprise Linux (RHEL) 6.3 ¡ SUSE Linux Enterprise Server 11SP2 · H3C CAS E0306H07 As a best practice, use the KVM version that comes with the server system. Use the VFIO network adapter driver. |
Virtual NICs | · E1000 · VirtIO · VMXNET3 · Intel 82599VF · Intel X540VF/X710VF/X722VF NIC performance varies by NIC model. |
NIC driver | The system comes with open-source/H3C drivers. The driver version affects SRIOV compatibility. As a best practice, use driver versions 2.10 through 2.15 for X710 network adapters. Some network adapter models with open-source drivers do not support virtual MAC and VLAN promiscuous modes (involving virtual interfaces and VLAN termination scenarios). In such scenarios, H3C drivers are required. |
Deployment mode | SRIOV and VIRTIO. As a best practice to ensure high performance, use the SRIOV deployment mode and compatible network adapters and drivers. |
Performance optimization configuration, restrictions, and guidelines | Performance improvement configuration: Core binding, core isolation, HugePages memory, and inter-NUMA avoidance. For more information, see the deployment guide. Compatibility considerations: In Intel environments, consider KVM, network adapter driver, and network adapter model compatibility. Performance factors: Resource allocation, network adapter deployment mode, server performance optimization configuration, and actual server load all affect performance. Performance varies by deployment mode. Specific performance data depends on the deployment environment and configuration. |
Boot ROM version | 1.03 or above |
Image file names and MD5 values | vFW1000_H3C-CMW710-E1260P45-X64.ipe MD5 checksum: 75b0eb6caee13c03128cca8aeda1c7f0 vFW1000_H3C-CMW710-E1260P45-X64.iso MD5 checksum: d6cf2e4c15d7fe300d3f71f925292619 vFW1000_H3C-CMW710-E1260P45-X64.ova MD5 checksum: eeb5be03055247e86c649c6698817540 vFW1000_H3C-CMW710-E1260P45-X64.qco MD5 checksum: adf37e7ff923a2803b34dae3f2d66f15 vFW1000_H3C-CMW710-E1260P45-X64.descriptor toMarketToolsV2.02.zip vFW1000-CMW710-E1260P45-X64.ova is required only in the first installation of the VMware hypervisor. For more information, see H3C NFV Series Products Installation and Startup Guide. vFW1000-CMW710-E1260P45-X64.ova is based on VMware VM version 8. It is compatible with hosts of ESXi 5.0 and later versions. |
IMC versions | iMC PLAT 7.3 (E0706P09) iMC PLAT(ACLM) 7.3 (E0706P09) iMC PLAT(DM) 7.3 (E0706P09) iMC PLAT(ICC) 7.3 (E0706P09) iMC PLAT(VLAN)(E0706P09) iMC UBA 7.3 (E0707L06) iMC IVM 7.3 (E0506) iMC EIA 7.3 (E0611P13) iMC SHM 7.3 (E0707L06) |
iNode version | iNode PC 7.3 (E0585) |
License server version | E1205 |
CSAP-S version | E1143P0601 |
Security Management Platform (SMP) version | E1112P02 |
SecCloud OMP version | E1301P01 |
Unified Platform | Not supported |
AD-NET | E0709 |
U-Center AOM | E0706P01 |
Application-Driven Campus Network (AD-Campus) | Not supported |
Application-Driven Data Center (AD-DC) | E6103 |
Application-Driven Wide Area Network (AD-WAN) | Not supported |
Cloudnet | Not supported |
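The MD5 values in Table 5 exist so that the downloaded images can be checked before an upgrade is attempted. As an added example (not an H3C tool), the script below parses the checksum text in the form the table uses, hashes each image in chunks, and reports a verdict per file; the checksums are the ones listed above, and the `abc` sample in the comments is constructed. MD5 here only shows that the file matches what the release notes list, so the release notes themselves must come from a trusted channel.

```python
import hashlib
import re
import sys
from pathlib import Path

# Checksum text copied from the "Image file names and MD5 values" cell of Table 5.
RELEASE_NOTE_CHECKSUMS = """
vFW1000_H3C-CMW710-E1260P45-X64.ipe MD5 checksum: 75b0eb6caee13c03128cca8aeda1c7f0
vFW1000_H3C-CMW710-E1260P45-X64.iso MD5 checksum: d6cf2e4c15d7fe300d3f71f925292619
vFW1000_H3C-CMW710-E1260P45-X64.ova MD5 checksum: eeb5be03055247e86c649c6698817540
vFW1000_H3C-CMW710-E1260P45-X64.qco MD5 checksum: adf37e7ff923a2803b34dae3f2d66f15
"""

# One entry reads "<image file name> MD5 checksum: <32 hex digits>".
_ENTRY = re.compile(r"(\S+\.(?:ipe|iso|ova|qco))\s+MD5 checksum:\s*([0-9a-fA-F]{32})")


def parse_manifest(text: str) -> dict:
    """Map each image file name to its expected MD5 (lower-case hex)."""
    return {name: digest.lower() for name, digest in _ENTRY.findall(text)}


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, e.g. md5_hex(b"abc") for a quick self-check."""
    return hashlib.md5(data).hexdigest()


def md5_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a large image in 1 MiB chunks so a 700 MB ISO never has to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_images(manifest: dict, actual: dict) -> dict:
    """Give every manifest entry a verdict: OK, MISMATCH or MISSING.

    `actual` maps file name -> computed MD5 for the files found in the download
    directory. Files not named in the manifest are ignored on purpose.
    """
    verdicts = {}
    for name, expected in manifest.items():
        got = actual.get(name)
        if got is None:
            verdicts[name] = "MISSING"
        elif got.lower() == expected:
            verdicts[name] = "OK"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


def verify_directory(manifest: dict, directory: Path) -> dict:
    """Hash the manifest's images present in `directory` and return the verdicts."""
    actual = {p.name: md5_file(p) for p in directory.iterdir()
              if p.is_file() and p.name in manifest}
    return verify_images(manifest, actual)


if __name__ == "__main__":
    # Usage: python verify_images.py <directory containing the unzipped images>
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    results = verify_directory(parse_manifest(RELEASE_NOTE_CHECKSUMS), target)
    for name, verdict in results.items():
        print(f"{verdict:9} {name}")
    sys.exit(0 if all(v == "OK" for v in results.values()) else 1)
```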
To display the host software and BootWare version of vFW1000, perform the following:
```
<H3C> display version
H3C Comware Software, Version 7.1.064, ESS 1260P45
Copyright (c) 2004-2024 New H3C Technologies Co., Ltd. All rights reserved.
H3C SecPath vFW1000 uptime is 0 weeks, 2 days, 18 hours, 39 minutes
Last reboot reason : IRF merge
Boot image: flash:/vFW1000-CMW710-BOOT-E1260P45-X64.bin
Boot image version: 7.1.064, ESS 1260P45
Compiled Mar 19 2024 14:00:00
System image: flash:/vFW1000-CMW710-SYSTEM-E1260P45-X64.bin
System image version: 7.1.064, ESS 1260P45
Compiled Mar 19 2024 14:00:00
CPU ID: 0x01000107, vCPUs: Total 8, Available 8
16.00G bytes RAM Memory
Basic BootWare Version: 1.13
Extended BootWare Version: 1.13
[SUBSLOT 1]VNIC-VIRTIO (Driver)1.0
[SUBSLOT 2]VNIC-VIRTIO (Driver)1.0
[SUBSLOT 3]VNIC-VIRTIO (Driver)1.0
[H3C-probe]display system internal version
H3C SecPath vFW1000 V100R001B02D660SP45
Comware V700R001B64D060SP45
```

```
UniCloud Uniware Software, Version 7.1.064, ESS 1260P45
Copyright (c) 2024 UniCloud Tech Co., Ltd. All rights reserved.
UniCloud SecPath vFW1000 uptime is 0 weeks, 2 days, 20 hours, 0 minutes
Last reboot reason : User reboot
Boot image: flash:/vFW1000G-UNW710-BOOT-E1260P45-X64.bin
Boot image version: 7.1.064, ESS 1260P45
Compiled Mar 19 2024 14:00:00
System image: flash:/vFW1000G-UNW710-SYSTEM-E1260P45-X64.bin
System image version: 7.1.064, ESS 1260P45
Compiled Mar 19 2024 14:00:00
[VFW-probe]display system internal version
UniCloud SecPath vFW1000 V100R002B02D660SP45
Uniware V700R001B64D060SP45
```
ISSU upgrade type matrix
ISSU provides two upgrade types: compatible upgrade and incompatible upgrade. Table 6 lists the approved ISSU upgrade types only between the current version and the history versions released within the past 18 months. History versions more than 18 months older than the current version are not included, because no ISSU upgrade verification is performed for them.
For more information about ISSU, see the fundamental configuration guide for the device.
Table 6 ISSU version compatibility matrix
Current version | History version | ISSU upgrade method |
---|---|---|
vFW1000-CMW710-E1260P45-X64 | vFW1000&vFW2000-CMW710-E1185P39-X64 | Compatible |
vFW1000-CMW710-E1260P39-X64 | vFW1000&vFW2000-CMW710-E1185P29-X64 | Incompatible. ISSU upgrade with versions earlier than D060SP36 is not supported. |
vFW1000&vFW2000-CMW710-E1185P29-X64 | vFW1000&vFW2000-CMW710-E1185P26-X64 | Incompatible. First release. vFW-E-Cloud and vFW share the same IPE file and do not support ISSU. |
vFW1000&vFW2000-CMW710-E1185P26-X64 | vFW1000&vFW2000-CMW710-E1185P21-X64 | Compatible |
vFW1000&vFW2000-CMW710-E1185P21-X64 | vFW1000&vFW2000-CMW710-E1185P18-X64 | Compatible |
| vFW1000&vFW2000-CMW710-E1185P1213-X64 | Incompatible. IRF network: ISSU upgrade is not recommended. |
Upgrade restrictions and guidelines
Do not upgrade the device through remote login.
Hardware feature updates
None.
Software feature and command updates
For more information about the software feature and command update history, see H3C vFW1000_H3C-CMW710-E1260P45-X64 Release Notes (Software Feature Changes).
MIB updates
Item | New/Modified | MIB file | Module name | Description |
---|---|---|---|---|
vFW1000-CMW710-E1260P45-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000-CMW710-E1260P39-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1185P29-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1185P26-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1185P21-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1185P18-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1185P1213-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1185P1211-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1185P1210-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1185P12-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1185P09-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1184P01-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1171P14-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1171P13-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1171P11-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | |
vFW1000&vFW2000-CMW710-E1171P02-X64 | New | N/A | N/A | |
| Modified | N/A | N/A | First release |
Operation changes
Operation changes in vFW1000-CMW710-E1260P45-X64
None.
Operation changes in vFW1000-CMW710-E1260P39-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P29-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P26-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P21-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P18-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P1213-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P1211-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P1210-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P12-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P09-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1185P07-X64
First release of the D060SP branch.
Operation changes in vFW1000&vFW2000-CMW710-E1184P01-X64
First release of the D059SP branch.
Operation changes in vFW1000&vFW2000-CMW710-E1711P14-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1711P13-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1711P11-X64
None.
Operation changes in vFW1000&vFW2000-CMW710-E1711P02-X64
First release of the D045SP branch.
Restrictions and cautions
· If no license is installed on a vFW1000, vFW2000, or vFW1000-V device, the performance and features of the device are strictly limited. Make sure you have purchased and installed a formal license before you use the device. After installing a license, you must reboot the device for the license to take effect. After the license changes, for example, the license capacity is expanded, you must reboot the device to obtain the full performance and functionality of the new license.
· The durations for a single-feature license and a multi-feature license cannot be combined.
· The xxv710 network card's virtual port (25G) is displayed as a 10G interface because its device_id is the same as the x710 network card's virtual port (10G). The network card speed is obtained in the later stage of driver initialization, and the interface information has already been reported to the interface management module at this time. Therefore, it is impossible to distinguish the interface type based on the network card speed. Changing the timing of obtaining the network card speed requires altering the entire driver process. However, Mellanox provides a driver interface to obtain interface capabilities (including speed), allowing interface types to be distinguished based on speeds.
· Because the vFW device is installed in a server, its ports are not fixed. In the default configuration, the black hole forwarding mode does not include ports, and the DPI configurations have been added to the default configuration.
· Because the underlying chip cannot distinguish whether an X722 network card is a 1G or 10G one, the vFW product identifies the 1G interfaces on the X722 network card as 10G interfaces. However, this does not affect the network card functions. When the rate exceeds 1000 M/s, the network card automatically drops packets, and the actual maximum rate can only reach 1 Gbps.
· The VIRTIO interfaces on the vFW1000 are all displayed as 1G interfaces because the virtualization platform prevents the system from detecting whether the physical network card is a 1G card or a 10G card. If a VIRTIO interface is a 10G interface, the interface forwarding function is not affected because the system capability can meet the forwarding requirement.
· An X722 (1G copper ports) network card can be added through PCI.
¡ When the X722 network card (PCI passthrough) is not loaded, the vFW1000 upgrades the IPE version (2 cores and 4 GB memory) and functions correctly.
¡ When the X722 network card (PCI passthrough) is loaded, the vFW1000 is installed with an ISO image (4 cores and 4 GB memory) and functions correctly.
· Switchover between vFW product models
The vFW-E-Cloud only supports authorization through a License Server, and does not support local authorization.
The vFW1000, vFW-E-Cloud, and vFW1000-V use the same version file (for example, vFW1000-X64.ipe). To switch a vFW1000 to a vFW-E-Cloud, edit the ovf-env.xml file as follows:
a. Identify whether the current device is a vFW-E-Cloud.
```
[H3C]license client install standard ?
1vcpu-1year License for 1 vCPU with a validity period of 1 year
```
The output shows that the device is a vFW1000.
b. To change the device model, upload the following XML file to the /mnt/flash:/ directory through FTP or TFTP.
c. Restart the device.
d. After the device starts up, execute the [H3C] license client install standard command.
```
[H3C]license client install standard ?
100M-common-1year License for 256 vCPU with a bandwidth upper limit of 100M and a validity period of 1 year
```
The output shows that the device is a vFW-E-Cloud.
· After you address the vulnerabilities caused by low encryption algorithm strength, the iNode client carried by B64D060SP22 (which uses TLS1.0 for negotiation by default) cannot successfully log in to the SSLVPN gateway. You must use an iNode client in a version later than E0582.
Open problems and workarounds
List of resolved problems
Resolved problems in vFW1000-CMW710-E1260P45-X64
202401110943
· Symptom: When MAD is performed in a dual-member IRF fabric, slot 2 has a higher priority. The member devices might be shut down by MAD if heartbeat channels and MAD channels are reconnected after a physical link disconnection.
· Condition: This symptom might occur if heartbeat channels and MAD channels are reconnected after a physical link disconnection in a dual-member IRF fabric where MAD is performed and slot 2 has a higher priority.
202312052180
· Symptom: The device might get stuck when large configurations such as a large number of security policies and ACL rules are deployed. To resolve this issue, you can execute the undo cfg-change log enable command to disable configuration logging for all modules. However, the undo cfg-change log enable command might cause an RBM backup failure. To perform RBM backup, execute the cfg-change log enable command again.
· Condition: This symptom might occur if large configurations such as a large number of security policies and ACL rules are deployed.
202210191379
· Symptom: NAT ALG RTSP is enabled by default. Then, if an error occurs when the ALG service processes specific RTSP packets on the device, the device will restart.
· Condition: This symptom might occur if NAT or AFT is used for service processing on a standalone device and NAT ALG and AFT ALG are enabled by default.
202101071262
· Symptom: The ipoe process enters a dead loop, causing high CPU usage.
· Condition: This symptom might occur if a primary/backup switchover is performed after an IPoE user comes online and goes offline in an IRF environment.
202310200813
· Symptom: The httpd process is abnormal, resulting in the generation of core files on the device.
· Condition: This symptom might occur if an HTTP fuzz testing tool is used to initiate HTTP attacks on the device.
202401091404
· Symptom: Errors occur on the device intermittently.
· Condition: This symptom might occur if you use a Python script to SSH to the device and execute three display commands.
202401261208
· Symptom: The Web interface displays abnormally.
· Condition: This symptom might occur if a large number of SSL VPN users come online or go offline and resource access logging is enabled.
202401221344
· Symptom: On the Web interface, for static routes with the egress interface as a dialer interface, change the next hop address requirement from mandatory to optional.
· Condition: This symptom might occur if you configure the settings on the Web interface in a PPPOE dial-up scenario.
202403010923
· Symptom: The DNS server cannot connect to the database through the firewall.
· Condition: This symptom might occur if the server acts as the DNS proxy and the value of the answer RRs field is incorrect in the DNS response packet.
202402080028
· Symptom: The last 6 rules of global NAT were not issued to the kernel, causing the service to be disrupted.
· Condition: This symptom might occur in an RBM network after the master device restarts.
202404092037
· Symptom: The object-group dns-aging time 70000000 configuration gets lost after a master/backup switchover.
· Condition: This symptom might occur after a master/backup switchover.
202309210057
· Symptom: The system prompts that the file download failed. You must return to the root firewall, perform a successful downloading, and then switch back to the user context to succeed.
· Condition: This symptom might occur if you create a new user context, enable the gateway, and click to enter template management to download the system or default template.
202309191742
· Symptom: After the upgrade, the next hop VPN of the IPv6 static route for the loopback interface is incorrect, causing the SYN-ACK packets to mismatch the VPN and be discarded.
· Condition: This symptom might occur in the scenario of IPv6 cross-VPC access if you perform a version upgrade using binary configuration recovery.
202309141186
· Symptom: The system enters KDB.
· Condition: This symptom might occur under heavy attack traffic if you upgrade the signature library and frequently query for rule hits during the upgrade process.
202309131661
· Symptom: The IP address of the backup device's aggregate interface cannot be used to reach the directly connected addresses.
· Condition: This symptom might occur in an EVPN networking environment with branch IRF stacking if the master and the backup devices each have a physical port joined to different aggregate interfaces, with IPs configured under the aggregate interfaces.
202309120975
· Symptom: The global NAT-associated VRRP configuration gets lost.
· Condition: This symptom might occur in an RBM+VRRP network if global NAT is configured after you upgrade the system from D045SP to D060SP.
202309120324
· Symptom: A memory out-of-bounds issue occurred in the driver code.
· Condition: This symptom might occur if you use the Kasan version to enable virtual context.
202309062224
· Symptom: WEB upload failed and the system prompts that the file is invalid. You must add a JS file for uploading to the device.
· Condition: This symptom might occur if you upload a single-point-login encrypted file from the Web interface.
202309051138
· Symptom: The driver will clear the bypass flag, causing the bypass function to fail.
· Condition: This symptom occurs when the device performs Layer 3 inline forwarding.
202309010341
· Symptom: The device reboots unexpectedly.
· Condition: This symptom occurs if an alarm template has been configured in the anti-virus policy, and the device receives HTTP traffic when a security policy has used the anti-virus policy.
202308301581
· Symptom: In a security zone, the configuration that includes the vpn-instance parameter is lost. For example, the import ip 0.0.0.0 0 vpn-instance b and import ipv6 :: 1 vpn-instance b commands configured in a security zone are lost.
· Condition: This symptom occurs if you restore the device configuration by using a binary configuration file after the device restarts.
202307100879
· Symptom: The system prompts an import failure for a row of data.
· Condition: This symptom occurs if you navigate to the Policies > Security Policies page, and then export security policies and then import them.
Resolved problems in vFW1000-CMW710-E1260P39-X64
202308232731
· Symptom: The NAT66 configuration is lost.
· Condition: This symptom occurs if NAT66 is configured on the device and then the device version is upgraded from the D045SP branch to the D060SP branch.
202308150080
· Symptom: The RBM secondary device enters KDB state.
· Condition: This symptom occurs in an RBM asymmetric environment where the user context is under attack for a period of time.
202308140047
· Symptom: When the offset is 0, the calculated offset is exactly 8 bytes, which is the same as the length of the fragment extension header, therefore no error occurs. When the offset is not 0, the protocol number and source/destination port numbers obtained based on the offset are incorrect.
· Condition: This symptom occurs in the security policy match process for packets, during which the device incorrectly uses the Reserved octet field from the extension header of IPv6 fragmented packets as the offset variable for subsequent queries.
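As an added illustration of the defect above (this is not H3C code), the Python below parses the IPv6 Fragment header as RFC 8200 defines it and contrasts the correct rule, parse transport ports only when the 13-bit Fragment Offset is 0, with a model of the defect that takes the Reserved octet as the offset: the two agree on a first fragment, but on a later fragment the defective path reads payload bytes as a protocol/port tuple. Packets and the 2001:db8:: addresses are constructed.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_FRAGMENT = 44
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8


def build_ipv6_fragment(next_header: int, offset_units: int, more: bool,
                        ident: int, payload: bytes) -> bytes:
    """Build a minimal IPv6 packet whose only extension header is a Fragment header.

    offset_units is the 13-bit Fragment Offset in 8-octet units. The Reserved
    octet and the two reserved bits are sent as zero, as RFC 8200 requires.
    """
    src = bytes.fromhex("20010db8000000000000000000000001")  # constructed
    dst = bytes.fromhex("20010db8000000000000000000000002")  # constructed
    frag = struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, FRAG_HDR_LEN + len(payload),
                      IPPROTO_FRAGMENT, 64, src, dst)
    return ip6 + frag + payload


def parse_fragment_header(pkt: bytes):
    """Return the Fragment header fields, or None if there is no Fragment header."""
    if len(pkt) < IPV6_HDR_LEN + FRAG_HDR_LEN or pkt[6] != IPPROTO_FRAGMENT:
        return None
    nh, reserved, off_flags, ident = struct.unpack(
        "!BBHI", pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + FRAG_HDR_LEN])
    return {
        "next_header": nh,
        "reserved": reserved,                     # always 0 on the wire
        "offset_bytes": (off_flags >> 3) * 8,     # 13-bit field, 8-octet units
        "more_fragments": bool(off_flags & 1),
        "identification": ident,
    }


def _read_ports(pkt: bytes, proto: int):
    """Read the 4 bytes right after the Fragment header as TCP/UDP source and destination ports."""
    start = IPV6_HDR_LEN + FRAG_HDR_LEN
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(pkt) < start + 4:
        return None
    sport, dport = struct.unpack("!HH", pkt[start:start + 4])
    return (proto, sport, dport)


def transport_tuple(pkt: bytes):
    """Correct behaviour: only the first fragment (offset 0) carries the L4 header.

    A non-first fragment has no ports to match on, so None is returned and the
    policy engine must use its fragment handling rather than guess a 5-tuple.
    """
    fh = parse_fragment_header(pkt)
    if fh is None or fh["offset_bytes"] != 0:
        return None
    return _read_ports(pkt, fh["next_header"])


def transport_tuple_using_reserved(pkt: bytes):
    """Model of the defect: the Reserved octet stands in for the offset.

    Because that octet is 0 for every fragment, every fragment is treated as a
    first fragment and the bytes following the Fragment header are read as ports.
    """
    fh = parse_fragment_header(pkt)
    if fh is None or fh["reserved"] != 0:
        return None
    return _read_ports(pkt, fh["next_header"])
```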
202307260561
· Symptom: In an RBM network, the configuration consistency check reports an error.
· Condition: This symptom occurs if a configuration consistency check is performed in an RBM network where the nas-ip is the local host's IP address.
202306160682
· Symptom: The buffer is not released after traffic stops.
· Condition: This symptom occurs when 9000-byte transparent relay packets are injected into a dual-active F5000-CN40 network.
202208150532
· Symptom: The IP reputation feature of TCP is unavailable.
· Condition: This symptom occurs when you enable the TCP reassembly and IP reputation features.
202309160373
· Symptom: The device reboots due to a memory issue.
· Condition: This symptom occurs if you repeat the following operations multiple times:
a. Repeatedly replay faulty packets in an IRF fabric configured with master and subordinate devices.
b. Change the license status for the primary and secondary devices when traffic exists.
c. Restart the subordinate device.
202309131420
· Symptom: OSPF flapping and session interruption occur.
· Condition: This symptom occurs if you configure the context-capability inbound drop-logging enable command in an aggregated OSPF network, and upgrade the version from D060P27 to D060P36.
202309010743
· Symptom: The NAT policy does not take effect.
· Condition: This symptom occurs if you perform the following operations:
a. Configure two rules for a NAT policy, which match the same object group specified for the source address and destination address.
b. Add a new server address to the object group. Two seconds later, the NAT translation does not take effect for traffic destined to this new server address.
202308250059
· Symptom: When URL filtering and HTTPS traffic filtering are enabled for the device, HTTPS traffic cannot be intercepted.
· Condition: This symptom occurs if you enable URL filtering and HTTPS traffic filtering for the device, and create HTTPS traffic matching the filtering conditions.
202307251310
· Symptom: When you install or remove 10-GE copper-port module 0231AH0W (10G_BASE_T_AN_SFP) in 10-GE ports 26 to 29 on the F1000-AI-75/65 device, the error message "Transceiver type not supported!" is displayed.
· Condition: This symptom occurs if you install or remove 10-GE copper-port module 0231AH0W (10G_BASE_T_AN_SFP) in 10-GE ports 26 to 29 on the F1000-AI-75/65 device.
202306021249
· Symptom: If you associate a static route with control-mode BFD, the device continuously reports BFD logs.
· Condition: This symptom occurs if you configure a static route and associate it with control-mode BFD.
202309070275
· Symptom: After you configure RBM settings on the master device, which are then auto synced to the backup device, the settings are not automatically saved.
· Condition: This symptom occurs if you configure RBM settings on the master device, which are then auto synced to the backup device.
Related documentation
Documentation set
· H3C NFV Products Installation and Startup Guide
· H3C Security Products Licensing Guide(Comware 7)
· H3C Firewall Products Comware 7 Web Configuration Guide
· H3C SecPath F1000[F5000][VFW] Firewalls Series Configuration Guides(V7)
· H3C SecPath F1000[F5000][VFW] Firewalls Series Command Reference(V7)
· H3C Security Products Comware 7 System Log Messages Reference
Obtaining documentation
To obtain the latest documents, go to the H3C website www.h3c.com/en
1. To obtain the most recent drivers and firmware, access http://www.h3c.com/en/Technical_Documents
2. Select the product category and product model. Then, you can search for and download documents related to the product.
Technical support
Website: http://www.h3c.com/en
None.
Category | Item | Description |
---|---|---|
Network security | AAA | Portal authentication; RADIUS; HWTACACS authentication; local authentication |
| Firewall | Security zone division; prevention of multiple attacks, including Land, Smurf, Fraggle, Ping of Death, Tear Drop, IP spoofing, IP fragment, ARP spoofing, ARP active reverse lookup, TCP packet invalid flag, oversized ICMP packets, address scanning, port scanning, SYN flood, UDP flood, and ICMP flood attacks; basic and advanced ACLs; interface-based ACLs; time range-based ACLs; dynamic packet filtering (ASPF); static and dynamic blacklists; connection limit |
| NAT | Mapping multiple internal addresses to the same public address; mapping multiple internal addresses to multiple public addresses; one-to-one mapping of internal addresses to public addresses; simultaneous translation of source and destination addresses; external network hosts accessing internal servers; direct mapping of internal addresses to interface public IP addresses; DNS mappings; validity period setting for address translation; multiple NAT ALG settings, including DNS, FTP, TFTP, PPTP, H.323, SIP, RSH, ILS, MSN, and NBT |
Content filtering and auditing | Content filtering and auditing | Recipient and sender filtering; attachment name and content check; email subject and content check; filtering of files uploaded or downloaded through FTP; matching of Chinese encoding methods |
Bandwidth management | Bandwidth management | Setting the maximum uplink bandwidth; setting the maximum downlink bandwidth; setting the guaranteed uplink bandwidth; setting the guaranteed downlink bandwidth; bandwidth channels specified by source security zone, destination security zone, source address, destination address, application or application group, time range, and user; parent/child traffic profiles; interface-specific bandwidth; AVC reports and logs (user logs, local logs, and local reports); traffic blocking and rate limiting |
VPN | L2TP VPN | Initiating connections to the specified LNSs based on the VPN user's full username and user domain; assigning addresses to VPN users; LCP renegotiation and secondary CHAP authentication |
| IPSec/IKE | AH and ESP protocols; manual or IKE-based automatic setup of SAs; ESP support for DES, 3DES, and AES algorithms; MD5 and SHA-1 authentication algorithms; IKE main mode and aggressive mode; NAT traversal; DPD detection |
| GRE VPN | |
Network connectivity | LAN protocols | Layer 3 Ethernet interfaces/subinterfaces; Layer 2 Ethernet interfaces; MAC forwarding; ARP; VLAN termination |
| Link layer protocols | PPPoE client |
Network protocols | IP services | IP forwarding/fast forwarding; TCP, UDP, IP options; ping, trace; DHCP server, DHCP relay, DHCP client; DNS client, DNS proxy, DDNS; FTP server, FTP client, TFTP client; Telnet server, Telnet client; NTP/SNTP |
| IP routing | Static routing; RIP v1/2; OSPF; policy-based routing |
High availability | High availability | VRRP/VRRPv3; BFD |
Configuration management | CLI | Local configuration through the console port; local or remote configuration via Telnet or SSH; command-level protection so that unauthorized users cannot infiltrate the device; detailed debugging information for troubleshooting; user interface configuration with various authentication and authorization methods for users |
| | SNMPv3, compatible with SNMP v1 and SNMP v2c; NETCONF; Syslog |
| | H3C IMC |
IPv6 | IPv6 services | Telnet/ICMP; DNS configuration; DHCP relay; DHCP client; IPv6 ND, IPv6 PMTU, IPv6 FIB, IPv6 ACL |
| IPv6 routing | Static routing; policy-based routing; RIPng; OSPFv3 |
| IPv6 security | IPv6 packet filter; IPv6 ASPF; IPv6 inter-domain policies; IPv6 attack prevention |
Appendix B Fixed security vulnerabilities
Fixed security vulnerabilities in E1260P45 and earlier versions
CVE-2017-3735
Attackers can exploit this vulnerability to bypass security restrictions and perform unauthorized actions.
CVE-2019-3855
libssh2 is a client-side C library that implements the SSH2 protocol, providing remote command execution and file transfer over a secure transmission channel. An input validation error vulnerability exists in libssh2.
HSVD-201904-001
The TCP/IP SYN+FIN packet filtering vulnerability: the remote host does not discard TCP SYN packets that also have the FIN flag set. Depending on the type of firewall in use, attackers may exploit this to bypass its rules.
HSVD-201902-001
TCP timestamp vulnerability: the remote host's TCP timestamps can be used to ascertain the actual uptime of the system.
HSVD-201901-016
CVE-2019-548: An information leakage vulnerability in the Linux kernel.
Vulnerabilities in JavaScript framework libraries
The target URL uses JavaScript framework libraries with known vulnerabilities, and internal IP addresses are leaked.
CVE-2020-10188
Netkit telnet is a telnet client program used on Linux platforms, primarily for interactive communication with another host using the TELNET protocol. A buffer overflow vulnerability exists in the `utility.c` file of the `telnetd` component in Netkit telnet version 0.17 and earlier. Remote attackers can exploit this vulnerability to execute arbitrary code.
WEB js vulnerability
A web vulnerability scan has detected a minor vulnerability in JavaScript (js).
WEB CSRF vulnerability
The SSLVPN Web page has a CSRF vulnerability.
HTTP method vulnerability
By invoking the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
CRLF injection vulnerability
A CRLF injection vulnerability is triggered when an HTTP request carrying Cookie information is sent and the domain in the Cookie is a domain value configured on the device, or when the request is `GET /enterdomain.cgi?domain=%0d%0aSomeCustomInjectedHeader:%0d%0aset-cookie:iamyy HTTP/1.1`.
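The request above reflects a user-controlled value into a response header. As an added example (not Comware code; the cookie name, the `enterdomain.cgi` handler model and the hostname policy are assumptions), here is the vulnerable header construction beside a hardened one, with helpers to decode the parameter and count the header lines a response would emit:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hostname-shaped values only; this policy is an assumption of the example.
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


class BadHeaderValue(ValueError):
    """The value would break out of its header line."""


def cookie_header_vulnerable(domain):
    """Unsafe pattern: the raw parameter is concatenated into the header line,
    so %0d%0a in the request becomes a line break in the response."""
    return "Set-Cookie: session=abc; Domain=" + domain


def cookie_header_hardened(domain):
    """Reject CR, LF and other control bytes and require a hostname shape, so
    attacker-controlled text can never start a new header line."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in domain):
        raise BadHeaderValue("control character in header value")
    if not _DOMAIN_RE.match(domain):
        raise BadHeaderValue("domain is not a valid hostname")
    return "Set-Cookie: session=abc; Domain=" + domain


def rejects(domain):
    """True if the hardened builder refuses the value (handy for unit tests)."""
    try:
        cookie_header_hardened(domain)
    except BadHeaderValue:
        return True
    return False


def domain_from_request_line(request_line):
    """Decode the 'domain' query parameter of a request line such as
    'GET /enterdomain.cgi?domain=... HTTP/1.1'."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get("domain", [""])[0]


def emitted_header_lines(header):
    """Header lines a server would emit from this string; more than one from a
    single Set-Cookie means the injection succeeded."""
    return [ln for ln in re.split(r"\r\n|\n|\r", header) if ln]
```

Feeding the release note's request line through `domain_from_request_line` and `cookie_header_vulnerable` yields three header lines from one Set-Cookie, while `cookie_header_hardened` refuses the value.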
CVE-2019-1547
Attackers can exploit this vulnerability to obtain sensitive information.
CVE-2019-1563
Attackers can exploit this vulnerability to recover encrypted keys transmitted by CMS/PKCS7 or decrypt messages encrypted with a public RSA key by sending a large number of encrypted messages.
CVE-2016-7056
The vulnerability arises because the ecdsa_sign_setup() function in the crypto/ec/ecdsa_ossl.c file fails to properly set the BN_FLG_CONSTTIME flag. Local attackers can exploit this vulnerability to carry out cache-timing attacks and obtain the ECDSA P-256 private key.
CVE-2018-0739
The vulnerability is triggered by maliciously constructed, excessively recursive input: parsing such a constructed ASN.1 type can cause a stack overflow, leading to a denial of service attack.
CVE-2019-1559
Attackers can exploit this vulnerability to bypass access restrictions and obtain sensitive information.
CVE-2018-0737
The key generation algorithm has a security vulnerability. Attackers can exploit this vulnerability to carry out timing attacks and recover private keys.
CVE-2018-0732
Attackers can exploit this vulnerability to cause a denial of service (hang).
CVE-2019-1552
Security vulnerability in OpenSSL, which attackers can exploit to bypass security protections.
CVE-2018-5407
Local information leakage vulnerability in OpenSSL. A local attacker can exploit this vulnerability to obtain sensitive information, which may assist in further attacks.
X-Frame-Options attribute vulnerability
The HTTP response does not set the X-Frame-Options header, so the page can be embedded in iframes from other origins, enabling clickjacking.
CVE-2011-1473
The SSL implementation in the kernel does not honor the field that disables SSL renegotiation. As a result, an SSL client can still renegotiate successfully.
CVE-2021-23841/CVE-2021-23840/CVE-2020-1971
Fixed security vulnerabilities in OpenSSL: when OpenSSL processes an EDIPartyName (a member of the X.509 GeneralName type), the GENERAL_NAME_cmp function it uses has a null pointer dereference. The vulnerability is triggered when both parameters passed to this function for comparison contain an EDIPartyName.
CVE-2016-6329
The issue lies in the cipher algorithms themselves. If the default configuration were changed so that the cipher algorithms involved in this vulnerability are no longer supported, users might be unable to log in to the WEB after upgrading. Mitigation plan: in SSL server policy view ([UNIS-ssl-server-policy-fxm]), use the ciphersuite command to exclude ciphers with an 8-byte block length, such as DES, 3DES, and RC2, and select algorithms such as aes_256_cbc instead; then restart the HTTPS service.
CVE-2022-0778
Fixed the OpenSSL BN_mod_sqrt DoS vulnerability: the BN_mod_sqrt() function used when parsing certificates contains a bug that can cause it to loop forever for non-prime moduli. The infinite loop is triggered by a certificate containing invalid explicit curve parameters. Because certificate parsing happens before the certificate signature is verified, any program that parses an externally supplied certificate may be subject to a DoS attack. Parsing a crafted private key containing explicit elliptic curve parameters also triggers the infinite loop. Vulnerable situations therefore include: TLS clients consuming server certificates; TLS servers consuming client certificates; hosting providers taking certificates or private keys from customers; certificate authorities parsing certification requests from subscribers; and anything else that parses ASN.1 elliptic curve parameters.
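As an added illustration of the loop described above (example code written here, not OpenSSL's; the resemblance to BN_mod_sqrt's loop structure is an assumption), here is a Tonelli-Shanks modular square root with the iteration bound the fix introduced, so that a composite modulus such as 65 yields a failure instead of spinning:

```python
def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (the Legendre symbol when n is prime)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def mod_sqrt(a, p, bounded=True):
    """x with x*x == a (mod p) for an odd prime p, else None. The loop structure
    follows OpenSSL's BN_mod_sqrt (assumed, simplified); bounded=False is the
    unfixed behaviour, which spins forever on some composite moduli."""
    a %= p
    if a == 0:
        return 0
    q, e = p - 1, 0                  # p - 1 == q * 2**e with q odd
    while q % 2 == 0:
        q //= 2
        e += 1
    y = 2                            # find a quadratic non-residue y
    while jacobi(y, p) != -1:
        y += 1
        if y > 100:                  # capped too: a composite p may have none
            return None
    c, t, x = pow(y, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # least i with t^(2^i) == 1; for prime p and a square a, 0 < i < e
        i, s = 1, t * t % p
        while s != 1:
            i += 1
            s = s * s % p
            if bounded and i >= e:
                # The fix: give up here. Without it, squaring never reaches 1 when
                # t's order is not a power of two (impossible for prime p; p = 65, a = 3 gives order 12).
                return None
        if i >= e:                   # a is not a square (or p is not prime)
            return None
        b = pow(c, 1 << (e - i - 1), p)
        e, c = i, b * b % p
        t, x = t * c % p, x * b % p
    return x if x * x % p == a else None   # OpenSSL's final verification step
```

With bounded=True, `mod_sqrt(3, 65)` returns None immediately; the same call with bounded=False never returns, which is the denial of service the entry describes.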
CVE-2021-3711
Fixed OpenSSL SM2 decryption buffer overflow vulnerability. This vulnerability is caused by an error in calculating buffer size when the API function EVP_PKEY_decrypt is called to decrypt SM2 encrypted data, leading to buffer overflow.
CVE-2021-3712
Fixed the OpenSSL ASN.1 string buffer overflow vulnerability: the ASN1_STRING structure that OpenSSL uses to store ASN.1 strings is not strictly required to be null-terminated when it is created, which can lead to a buffer overflow when the string is printed.
Stack overflow vulnerability
When the Comware system processes the flag parameter, it copies data into a stack buffer according to the length of the user-provided string without adequately limiting the copy length, leading to a stack overflow vulnerability. If an attacker exploits this vulnerability repeatedly, web management can ultimately become unusable, resulting in a denial-of-service attack.
A startup software image is used to boot device software. Startup software images can be classified into the following categories:
· Boot image—Contains the Linux operating system kernel. It provides process management, memory management, file system management, and the emergency shell.
· System image—Contains the Comware kernel and basic software features, including device management, interface management, configuration management, and routing.
· Feature image—Contains one or multiple advanced software features for users to purchase as needed. Support for feature images depends on the device model.
· Patch image—Fixes software bugs. One patch image corresponds to one software version. A patch image can fix only vulnerabilities for the corresponding startup software image, and does not add or delete features.
The boot image and system image are required for the system to run correctly. Install feature images as needed, and install patch images to fix specific software bugs.
vFW1000 supports the following types of image files:
· BIN file—A BIN file is a startup software image. Before upgrading the software by using a BIN file, make sure the target and current version images are compatible.
· IPE file—An Image Package Envelope (IPE) file is a set of software images that are released as a whole. After you upload an IPE file to the device, the device decompresses the file automatically to load the software images. Typically, an IPE file is used for upgrade.
Upgrade method | Description |
---|---|
Upgrading vFW1000 through the CLI | You must reboot vFW1000 to complete the upgrade. This method interrupts services. |
Upgrading vFW1000 through the ISO image | You must reboot vFW1000 to complete the upgrade. |
IMPORTANT: You must reboot vFW1000 after upgrading its startup image. During the reboot, vFW1000 cannot provide any services.
Before you upgrade the system software image, complete the following tasks:
· Configure routes to make sure vFW1000 and the file server can reach each other.
· Enable the TFTP or FTP server on the file server.
· Log in to the CLI of vFW1000 through the configuration terminal.
· Copy the upgrade file for the system software image to the file server and correctly set the access path of the TFTP or FTP server.
Figure 1 Network diagram
Upgrading vFW1000 through the CLI
1. Log in to the CLI of vFW1000, and download the target vFW1000 IPE file through FTP or TFTP.
For more information about FTP and TFTP configuration, see the fundamentals configuration guide in H3C SecPath vFW1000 Configuration Guides.
2. Configure the downloaded vFW1000 IPE file as the new startup software image.
In vFW1000 user view, execute the boot-loader file ipe-filename { backup | main } command to extract all software packages from the IPE file and use them as the next-startup software images.
3. In user view, execute the display irf command to view IRF fabric information. To upgrade a vFW IRF fabric stacked over a Layer 2 network from version E1166 to E1166P02 or later, perform this step and record the device's Topo-domain ID.
<Sysname> display irf
Member ID Role Priority CPU MAC Description
*+1 Master 1 5254-0037-973c ---
2 Standby 1 5254-0058-5060 ---
--------------------------------------------------
The asterisk (*) indicates the master.
The plus sign (+) indicates the device through which you are logged in.
The right angle bracket (>) indicates the device's stack capability is disabled.
Bridge MAC of the IRF: 7425-8ae3-c430
Auto upgrade : Enabled
MAC persistence : 6 min
Topo-domain ID : 8540
Auto merge : Enabled
4. Save the configuration and restart the system to complete the upgrade.
Execute the save command to save the current configuration, and then execute the reboot command to restart vFW1000 to complete the upgrade.
For more information about software upgrade, see the fundamentals configuration guide in H3C SecPath vFW1000 Configuration Guides.
Upgrading vFW1000 through the ISO image
1. Access the page for installing vFW1000 through ISO image. For details, see installing vFW1000 (VMware) through ISO image and installing vFW1000 (KVM) through ISO image in H3C NFV Series Products Installation and Startup Guide.
2. Select (2) Upgrade Install from the menu to upgrade vFW1000 to the ISO image version.
Figure 2 Upgrading vFW1000 through the ISO image
3. After the installation completes, disconnect the CD/DVD drive, and then restart the system.
Figure 3 Disconnecting the CD/DVD drive
Restoring vFW1000 through the ISO image
1. Access the page for installing vFW1000 through ISO image. For details, see installing vFW1000 (VMware) through ISO image and installing vFW1000 (KVM) through ISO image in H3C NFV Series Products Installation and Startup Guide.
2. Select (3) Recovery Install from the menu to restore vFW1000 to the ISO image version.
Figure 4 Restoring vFW1000 through the ISO image
3. After the restoration completes, disconnect the CD/DVD drive (only required in VMware), and then restart the system.
Handling software upgrade failures
If a software upgrade fails, the system runs the old startup software version.
To handle a software upgrade failure:
1. View the information displayed on the HyperTerminal to verify that the file transfer settings are correct:
  · If TFTP is used, make sure you enter the same TFTP server IP address, file name, and working directory as set on the TFTP server.
  · If FTP is used, make sure you enter the same FTP server IP address, file name, working directory, and FTP username and password as set on the FTP server.
2. Verify that the FTP or TFTP server software is running correctly and has correct settings.
3. Verify that the flash has sufficient space for the upgrade files.
4. Verify that the upgrade files are correct and available.