Netsweeper is pleased to announce the Netsweeper 6.4.10 GA release. This is the tenth release in the 6.4 release cycle and finishes all major features in the 6.4 release series. Customers running version 6.3 or prior releases should consider upgrading depending on the features, functionality, security enhancements, and bug fixes found in the 6.4 release series.

New features in this release:

Deny Pages

  • Assign the same Deny Page to multiple Groups
  • Allows Reporter Categories to be selected

NSProxy

  • New NSProxy nat lookup mode named ‘samproxy’ that allows you to use the Linux kernel's TPROXY feature to redirect IPv4 and IPv6 packets to NSProxy but will not maintain the Client IP address
  • Ability to set a netfilter mark per listen socket with a new nfmarkclient and nfmarkserver setting
  • Ability to copy the nfmark from the connection to the socket on accept() allowing us to mark the connection to NSProxy after we accept the packet
  • Capture Modules can now set a netfilter mark (nfmark) on deny packets
  • New auth redirect and auth portal use two cookies: netsweeper=, and netsweepers= for secure sites. NSProxy “protect_netsweeper_cookie” has been updated to detect and remove both cookies if present when the feature is enabled
  • Allows control of SSL decryption on a per-port (listen) basis with new setting: decrypt_enabled that enables or disables per-port SSL decryption

Radius

  • Workstation as a configurable Radius field which populates in the WebAdmin

Additional Features:

  • New ‘timestamp’ options have been added to the ‘Request Logger Framework Options’ to allow you to explicitly include the record timestamp

If you have any questions or concerns about planning an upgrade to this release, please contact Netsweeper Technical Support at support@netsweeper.com.

Customers can access our community site for more information.

Change Log 6.4.10:

Ticket Description
15620 FEATURE: You can now assign the same Deny Page to multiple Groups.
23236 FEATURE: There is a new NSProxy nat lookup mode named ‘samproxy’. This allows you to use the Linux kernel's TPROXY feature to redirect IPv4 and IPv6 packets to NSProxy but will not maintain the Client IP address. This allows for normal transparent proxy without the connection tracking/nat process and does not require the complex load balancing and routing. The main advantage is that transparent IPv6 filtering is possible.
23237 BUG: The NSRoutes cache file was not updating automatically.
23244 FEATURE: There is now the ability to set a netfilter mark per listen socket. A new nfmarkclient and nfmarkserver setting has been added so each listen port can set a specific socket mark on either the client-to-proxy socket or the proxy-to-server socket, thus allowing for epic solutions to be done.
23245 FEATURE: There is now the ability to copy the nfmark from the connection to the socket on accept() which allows us to mark the connection to NSProxy after we accept the packet, which allows us to route traffic from gre1 back to gre1 or specifically change routing based on the port NSProxy accepts the packet on.
23246 BUG: Directory sync Managers were not assigned to the Groups when the Group is created. This is an issue in 6.4.1 to 6.4.9.
23247 BUG: The Chrome Client 7.39 and 7.40 Client Filters could send Asset ID or device serials that caused the domain, user, group message to get corrupted. This is fixed in the Chrome Client Filter 7.41 and policy service 7.1.1 and above.
23251 FEATURE: The Capture Modules can now set a netfilter mark (nfmark) on deny packets. This allows for mark-based routing to occur in Linux with ip rules/ip route tables. This will only work when a DMAC/SMAC/FLIPMAC/DEVICE is not set in nptransmit and the default OS layer routing is used.
23268 FEATURE: We now include the Workstation as a configurable Radius field which populates in the WebAdmin. There is now also the option to add validation on stop to ensure that clients deleted match the username or workstation of the RADIUS accounting stop.
23280 BUG: When sending LogMod5 logs to Syslog, an empty field was logged as an empty string.  We will now replace any empty string with a dash – in order to make for easier log file parsing when using processors that interpret multiple spaces as a single space causing field count corruption.
23297 BUG: In the Directory Sync, some user groups were not updating when they have different appends.
23303 BUG: NSProxy could have stability issues when used as an explicit proxy when invalid hostnames are sent to it, due to changes to the c-ares DNS library. This impacts version 6.4.5 to 6.4.9.
23320 BUG: The Policy Service would abort and restart when using the Deny Page Redirect URL option with no CGI arguments.
23340 BUG: Upgrading from 6.2.5 to 6.4.9 GA could cause the Policy Service to segfault if the WebAdmin is not upgraded.
23357 BUG: The ‘Run Only on Server’ option was not working correctly for Quick Demand Reports and the Create Report button in Report Templates.
23358 FEATURE: Deny Pages now allow Reporter Categories to be selected.
23414 BUG: The Auth Portal cookie injection process could be halted by new Chrome security settings on HTTPS based sites. This could reject the cookie unless the Chrome feature for SameSite is disabled in Chrome flags. The auth portal redirect process now supports the new Chrome SameSite security feature and segments the cookie between https and http websites.
23417 FEATURE: The new auth redirect and auth portal use two cookies: netsweeper=, and netsweepers= for secure sites. NSProxy “protect_netsweeper_cookie” has been updated to detect and remove both of these cookies if present when the feature is enabled.
23420 BUG: The default WebAdmin Auth Portal has been updated to support the Chrome SameSite cookie feature.
23459 BUG: The NSRoutes service did not properly remove both IPv4 and IPv6 entries when lists were changed or DNS resolution changed.
23462 BUG: The New URL refresh on default Deny Page breaks as “$encodedcat” is not supported.
23492 FEATURE: The logmod5 module for the syslog did not include the record timestamp by default. A new ‘timestamp’ option has been added to the ‘Request Logger Framework Options’ in Policy Server Settings that allows you to explicitly include the record timestamp.
23524 BUG: If all file descriptors are used in NSProxy, the listener threads would abort. This could cause a denial of service. When all file descriptors are used, we will continue waiting for more requests and accept when more file descriptors are available. This impacted macOS when the default file descriptors were set very low at the default 256.
23575 BUG: The Policy Service can stop processing all requests when doing DNS lookups in the 6.4.9 and below releases. This can happen if DNS connectivity is present, but Internet connectivity is not.
23601 BUG: A Policy Service memory leak in List data has been fixed.
23630 BUG: WebDB can run out of memory when sending a cached version of the database to a policy service. This is a 6.3 to 7.1.3 issue.
23635 BUG: LogMod5 disk queue would lock up in a deadlock on a write error.
23641 BUG: The policy server had a request rate drop to 0 under high load for a few seconds due to glibc malloc_consolidate. A new setting, configmanager_mxfast, disables glibc fast bin support when set to 0. It is -1 by default.
23693 FEATURE: NSProxy now allows control of SSL decryption on a per-port (listen) basis. Two new settings have been added: decrypt_enabled that enables or disables per-port SSL decryption and decrypt_request that enables or disables per-port decrypt:// policy request.
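
The field-count corruption behind ticket 23280, as an added example that is not Netsweeper code: it shows how an empty field in a space-delimited record shifts every later column once a processor collapses runs of spaces, and how a placeholder keeps the columns aligned. The field layout, the sample record and the "-" placeholder character are constructed assumptions, not the actual LogMod5 format.

```python
# Added example: hypothetical field layout, not the real LogMod5 record format.
FIELDS = ["timestamp", "client_ip", "user", "group", "url", "action"]
PLACEHOLDER = "-"  # assumed stand-in for an empty field


def emit(record, placeholder=None):
    """Serialize a record as one space-delimited line, optionally filling empty fields."""
    values = [record.get(f, "") for f in FIELDS]
    if placeholder is not None:
        values = [v if v else placeholder for v in values]
    return " ".join(values)


def parse_collapsing(line):
    """Parse like a processor that treats any run of whitespace as a single delimiter."""
    return dict(zip(FIELDS, line.split()))


def parse_checked(line, placeholder=PLACEHOLDER):
    """Strict parse: reject lines with a wrong field count, map the placeholder back to ''."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS) or "" in parts:
        raise ValueError(f"expected {len(FIELDS)} non-empty fields, got {parts!r}")
    return {f: ("" if v == placeholder else v) for f, v in zip(FIELDS, parts)}


# Constructed sample: an unauthenticated request, so the user field is empty.
SAMPLE = {
    "timestamp": "2020-03-01T12:00:00Z",
    "client_ip": "192.0.2.10",
    "user": "",
    "group": "students",
    "url": "http://example.com/",
    "action": "deny",
}


def demo():
    old_line = emit(SAMPLE)               # empty string leaves two adjacent spaces
    new_line = emit(SAMPLE, PLACEHOLDER)  # empty string becomes the placeholder
    shifted = parse_collapsing(old_line)  # group value lands in the user column
    aligned = parse_collapsing(new_line)  # every column stays in place
    return old_line, new_line, shifted, aligned


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A log pipeline that validates field count on ingest, as parse_checked does, turns silently shifted columns into a visible parse error.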