Version 5.30.75 RTM
This document contains important information regarding changes and new features in F-Secure Internet Gatekeeper. We strongly recommend that you read the entire document.
What’s in this file
- System Requirements
- Product Contents
- New Features
- Known Issues
- Contact Information and Feedback
- Third-party software used in the product
To use F-Secure Internet Gatekeeper 5.30, the computer must meet the following requirements:
- x86 compatible (2 GHz or faster recommended)
- At least 512 MB of RAM (1 GB or more recommended)
- At least 5 GB of free disk space (20 GB recommended)
- Installed files need at least 1 GB of free disk space and the running system needs significantly more space for temporary files, logs, and other similar files.
- The following Linux distributions are supported:
- CentOS 5.5, 5.10, 5.11, 6.4 – 6.7
- Debian 7.4 – 7.9, 8.0 – 8.2
- Red Hat Enterprise Linux 5.5, 5.10, 5.11, 6.4 – 6.7
- Ubuntu 12.04.4, 14.04.3
- CentOS 5.5, 5.10, 5.11, 6.4 – 6.7, 7.0 – 7.2
- Debian 7.4 – 7.9, 8.0 – 8.2
- Red Hat Enterprise Linux 5.5, 5.10, 5.11, 6.4 – 6.7, 7.0 – 7.2
- Ubuntu 12.04.4, 14.04.3
- The following software must be available in the operating system:
- Linux kernel 2.6 or later
- Perl 5.8 or later
- 32-bit C and C++ runtime environment. Consult your OS documentation for installing the compatibility libraries in 64-bit environment:
- policycoreutils-python package to enable the log rotation support in environments where SELinux is set to the Enforcing mode.
- Support for any other Linux distributions or newer versions will be announced in future releases and on our web site.
- The Web UI is compatible with the following web browsers:
- Firefox (Version 38 ESR)
- Chrome (Version 43)
- IE (Versions 9, 11)
For up-to-date information about supported platforms, see our Knowledge Base:
F-Secure Internet Gatekeeper is a gateway product that acts as a virus scanning proxy for HTTP, SMTP, POP, and FTP protocols.
The product uses F-Secure’s scanning technologies to scan for malware, which provides an outstanding protection level together with fast, automatic updates to the scanning engines and anti-virus databases. With F-Secure’s Security Cloud, the product can react to new threats rapidly, which keeps the users protected and enhances the protection even further.
The product can be integrated with third-party HTTP proxies with the standard ICAP protocol. The content that is submitted to the ICAP service is scanned with F-Secure’s malware scanning technologies.
This release contains the following new features, bug fixes and other changes that have been added since the 5.22.14 release:
- Integration with F-Secure Security Cloud, which provides the file and Web site (URL) reputation lookup service
- Web Content Control: enforce website restrictions using content categories
- Changes to the default configuration file fsigk.ini: Security Cloud is now enabled by default and its settings have been moved to the global section from the service-specific sections. The ICAP settings are unchanged. Upgrading from an earlier version to IGK 5.30 migrates these settings automatically.
- Fixed CSLP-745: WebUI cannot load if fsigk.ini contains lines longer than 4096 bytes
- Fixed CSLP-776: Last newline missing in HTTP POST multipart/mixed request to a web server
- Fixed CSLP-781: IGK fails to handle URIs with uppercase scheme
- Fixed CSLP-792: Access control is checked for parent proxy instead of HTTP request host
- Fixed CSLP-819: Custom spam filter match options are reset when applying changes
- Fixed CSLP-822: Remove pre-defined RBL servers from default configuration
- Fixed CSLP-946: SELinux does not allow log rotation
- Fixed CSLP-1049: Japanese localization corrections in Web UI
- Fixed CSLP-1056: Japanese localization correction in the Web UI login page
- Fixed CSLP-1099: Memory leak when parsing invalid HTTP request header
- Fixed CTS-97121: Incorrect configuration field in access control documentation
- Fixed SC-349: ICAP: incorrect parsing of the HTTP response Status-Line
- Changes to http/access.log: The CONNECT method entries will now have “https://” included in the URL field
- Minor security bug fixes in Web UI
5.21.18 => 5.22.14
- Fixed CSLP-371: Proxy services are not started on system boot.
- Fixed CSLP-703: Truncate long URLs to 3 KB when writing access/detect log entries.
- Added a list of supported web browsers to the system requirements.
5.20.646 => 5.21.18
- Fixed security vulnerability FSC-2015-2
- Fixed CSLP-467: Increase the maximum size of HTTP request
5.10.12 => 5.20.646
- Added support for Japanese localization in Web UI.
- Added various missing settings in Web UI.
- Fixed CSLP-331: fsupdated is still running after turning off automatic updates.
- Fixed CSLP-344: LANG=C locale causes installer to fail.
- Fixed CTS-91677: “pass_type” and “pass_type_list” options not working accurately.
- Fixed CTS-94558: Database update with fsdbupdate9.run leaves fsaua and fsupdated running when services are disabled
- Fixed CTS-95383: LAN access settings not migrated during product upgrade.
- Fixed CTS-95301: IGK leaves unexpectedly restarted proxy processes marked as busy, causing “Maximum connections” issue.
- Fixed CTS-95267: E-mail addresses of Admin notification settings cannot be set properly.
- Fixed CTS-95168: Add missing log files to logrotate.conf.
- Fixed CTS-95547: getaddrinfo_randomize expert option not working
- Removed the quick start guide and merged its contents to the admin guide.
5.00.5 => 5.10.12
- ICAP service supports scanning emails for malware and spam.
- New and improved web user interface added.
- New quick start guide added for easy installation and usage instructions.
- Fixed CTS-82476: fsaua now restarts automatically when customer changes virus database download proxy settings from web user interface.
- Fixed CTS-84901: FmLib library version is not visible in the web user interface.
- Fixed CTS-86302: Added documentation for configuring HTTP proxy for anti-spam daemon (fsasd) in the administrator guide.
- Fixed CTS-91852: Added missing information for ICAP detections templates in administrator guide.
- Fixed CTS-91867: Improved documentation for transparent proxy bridge mode using subnet in administrator guide.
- Fixed CTS-92216: Fix timeout_inactive for web servers that take more time than keepalive_timeout to start sending the response to IGK.
- Fixed CTS-92759: Fixed log size specification of logconv tool in administrator guide.
- Fixed CTS-92797: Fixed information for scanning daemon (fsavd) process management in administrator guide.
- Fixed CTS-92814: Parsing very large email header can lead to false detection or other unexpected result.
- Fixed CTS-92861: IGK fails to detect too long HTTP request URL.
- Fixed CTS-93579: Fixed information about connection error messages in administrator guide.
- Fixed CTS-94390: Added missing system requirements and dependencies in IGK release notes.
- Fixed CTS-94834: Added information about orsp_file_check for HTTP proxy in administrator guide.
4.10.17 => 5.00.5
- Support for F-Secure Real Time Protection Network was added to the HTTP proxy. When enabled, common files are identified by rapidly updating black and white lists. This saves system resources and improves the protection.
- The malware scanning capabilities are now available by a standard ICAP interface. This enables integration with third party proxies that support ICAP.
- The list of supported distributions was reworked to focus on the most popular, current and actively supported distributions.
- Removed dependency to Java, which is a common source of security vulnerabilities. Java runtime environment is no longer distributed with the product. As a consequence, this release does not contain a web UI, but is also significantly smaller and lighter. Configuration is done by editing the configuration files directly.
- Improved quality of RPM packages.
- Improved the output from IGK init scripts.
- Fixed CTS-91383: Added an option to control whether to transparently re-establish keepalive upstream HTTP connections.
If you are upgrading from a version earlier than 4.10.17, 4.11.8 or 4.12.5, see the release notes of version 4.12.5 for a list of earlier changes.
- Upgrading from any 2.X or 3.X version is not supported. Uninstall the old version completely before installing the latest version.
- Upgrading from 4.X Japanese version of the product (virusgw) to international version (fsigk) is not supported. Follow the instructions in the Administrator’s guide of the product to migrate settings from old (virusgw) installation to F-Secure Internet Gatekeeper (fsigk) installation.
- Only the following printable ASCII characters are allowed in the credentials for accessing services using HTTP proxy (http_proxyauth_user and http_proxyauth_pass in fsigk.ini): letters, digits and the following special characters: -._~!$&'()*+,;=
- If you use rpm to upgrade the product to the latest release, the product configuration files are reset to the factory defaults. The upgrade process renames the old configuration files by attaching an .rpmorig extension to the file name. This does not affect the main configuration file, fsigk.ini. As a workaround, you can rename the backup files back to their original names.
- Web UI is incompatible with Internet Explorer 8 and older versions.
- CentOS / RHEL 7.x: If the product is not installed to the root partition, it does not start automatically after reboot. (Related feature/bug: 1212569 in Bugzilla [private]) Append the following commands to the “/etc/rc.d/rc.local” file to solve this issue: cd /opt/f-secure/fsigk/ ; make start
- CentOS / RHEL 7.2: An issue (1285492 in Bugzilla) prevents the product from starting automatically after reboot. Append the following commands to the “/etc/rc.d/rc.local” file to solve this issue: cd /opt/f-secure/fsigk/ ; make start
- The product has limitations with HTTPS sites in the Web Content Control settings: https://community.f-secure.com/t5/Business/Limitations-with-HTTPS-sites-in/ta-p/79757
- SELinux may prevent the log rotation. To solve this issue, set the appropriate security context to the log files after the product installation. Install the policycoreutils-python package and run the following commands as root user:
# yum install policycoreutils-python
# semanage fcontext -a -t antivirus_log_t "/opt/f-secure/fsigk/log(/.*)?"
# restorecon -Frv "/opt/f-secure/fsigk/log"
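The rpm upgrade workaround in the list above (renaming the .rpmorig backups back to their original names) can be scripted. The following is an added example, not F-Secure's code; the function name `restore_rpmorig`, the `.factory-default` suffix and the sample file names and contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code: put back configuration files that an rpm
# upgrade renamed to *.rpmorig. Dry run by default; pass --apply to rename.
# The ".factory-default" suffix is an assumption made for this example.
restore_rpmorig() {
    dir=$1
    apply=${2:-}
    find "$dir" -type f -name '*.rpmorig' | while IFS= read -r saved; do
        target=${saved%.rpmorig}
        # Nothing to do when the new default is identical to the old file.
        if [ -e "$target" ] && cmp -s "$saved" "$target"; then
            echo "same    $target"
            continue
        fi
        echo "restore $target"
        if [ "$apply" != "--apply" ]; then
            continue
        fi
        # Keep the default shipped by the new package for later comparison.
        if [ -e "$target" ]; then
            mv "$target" "$target.factory-default"
        fi
        mv "$saved" "$target"
    done
}

# Demo on a constructed tree; file names and contents are made up.
demo=$(mktemp -d)
printf 'allow=all\n' > "$demo/hosts.conf"
printf 'allow=10.0.0.0/8\n' > "$demo/hosts.conf.rpmorig"
restore_rpmorig "$demo"
restore_rpmorig "$demo" --apply
cat "$demo/hosts.conf"
rm -rf "$demo"
```

On an installed system, run it against the directory that holds the product's configuration files and review the dry-run list before applying.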
See our Knowledge Base for up-to-date information about known issues and possible workarounds: http://www.f-secure.com/en_EMEA/support/business/
The product can be installed from an RPM package, or a tar package.
- RPM installation or upgrade
- Download the rpm package and run the following command as root user:
# rpm -Uvh fsigk-5.30.75-0.i386.rpm
After the installation, open http://<HOSTNAME>:9012/ with your web browser and use the default username and password to log in and configure the product. See the Administrator’s guide for information on how to configure the product with the web user interface.
- Installing using a tar package
- Download the tar package and run the following commands as root user:
# tar zxf fsigk-5.30.75.tar.gz
# cd fsigk-5.30.75
# make install
After the installation, open http://<HOSTNAME>:9012/ with your web browser and use the default username and password to log in and configure the product. See the Administrator’s guide for information on how to configure the product with the web user interface.
Contact information and feedback
To provide feedback or report any issues, go to:
Please include the product version and Linux distribution you are using in your support request when contacting us.
Third party software used in the product
Berkeley DB 1.85
Copyright (c) 1991, 1993, 1994 The Regents of the University of California. All rights reserved. [http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/overview/index.html]
Copyright (c) 1997-2016 Bitdefender. All rights reserved.
Copyright (c) 2009-2012 Eric Haszlakiewicz
Copyright (c) 2004, 2005 Metaparadigm Pte Ltd [https://github.com/json-c/json-c]
Linux PAM userdb module 188.8.131.52
MD5 message-digest algorithm
Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. [http://www.ietf.org/rfc/rfc1321.txt]
TCP wrapper utilities 7.6
Copyright 1995 by Wietse Venema. [ftp://ftp.porcupine.org/pub/security/index.html]
The author disclaims copyright to this source code (Public Domain). [http://www.sqlite.org/]
Transparent Proxying patches for Linux kernel 2.6
Copyright (C) 2007-2008 BalaBit IT Ltd. [http://www.balabit.com/support/community/products/tproxy]
Copyright (c) 2004-2013 Sergey Lyubka
Copyright (c) 2013 No Face Press, LLC (Thomas Davis) [https://github.com/sunsetbrew/civetweb]