Version 5.40.73 RTM
This document contains important information regarding changes and new features in F-Secure Internet Gatekeeper. We strongly recommend that you read the entire document.
What’s in this file
- System Requirements
- Product Contents
- New Features
- Known Issues
- Contact Information and Feedback
- Third-party software used in the product
To use F-Secure Internet Gatekeeper 5.40, the computer must meet the following requirements:
- x86 compatible (2 GHz or faster recommended)
- At least 512 MB of RAM (1 GB or more recommended)
- At least 5 GB of free disk space (20 GB recommended)
- Installed files need at least 1 GB of free disk space and the running system needs significantly more space for temporary files, logs, and other similar files.
- The following Linux distributions are supported:
- CentOS 5.5, 5.10, 5.11, 6.4 – 6.8
- Debian 7.4 – 7.11, 8.0 – 8.6
- Red Hat Enterprise Linux 5.5, 5.10, 5.11, 6.4 – 6.8
- Ubuntu 12.04.5, 14.04.5, 16.04.1
- CentOS 5.5, 5.10, 5.11, 6.4 – 6.8, 7.0 – 7.2
- Debian 7.4 – 7.11, 8.0 – 8.6
- Red Hat Enterprise Linux 5.5, 5.10, 5.11, 6.4 – 6.8, 7.0 – 7.2
- Ubuntu 12.04.5, 14.04.5, 16.04.1
- The following software must be available in the operating system:
- Linux kernel 2.6 or later
- Perl 5.8 or later
- 32-bit C and C++ runtime environment. Consult your OS documentation for installing the compatibility libraries in 64-bit environment:
- policycoreutils-python package to enable the log rotation support in environments where SELinux is set to the Enforcing mode.
- zlib library
- Support for any other Linux distributions or newer versions will be announced in future releases and on our web site.
- The Web UI is compatible with the following web browsers:
- Firefox (Version 45.3.0 ESR)
- Chrome (Version 53)
- IE (Versions 9, 10, 11)
For up-to-date information about supported platforms, see our Knowledge Base:
F-Secure Internet Gatekeeper is a gateway product that acts as a virus scanning proxy for HTTP, SMTP, POP, and FTP protocols.
The product uses F-Secure’s scanning technologies to scan for malware, which provides an outstanding protection level and fast, automatic updates to the scanning engines and anti-virus databases. With F-Secure’s Security Cloud, the product can react to new threats rapidly, which keeps the users protected and enhances the protection even further.
The product can be integrated with third-party HTTP proxies with the standard ICAP protocol. The content that is submitted to the ICAP service is scanned with F-Secure’s malware scanning technologies.
This release contains the following new features, bug fixes and other changes that have been added since the 5.30.75 release:
- Revised the web user interface with new look and feel.
- Includes important hotfixes for issues CSLP-1307 and CSLP-1197 (previously released as Internet Gatekeeper 5 hotfix 2)
- Support systemd for managing the services. See Known Issues section and Administrator’s Guide for further information.
- Improved the detection rate on HTTP proxy corner cases
- Zlib library is required to be installed before installing or upgrading the product
- ICAP service is now compatible with EMC Isilon
- Fixed CSLP-683: Improve archive compression bomb detection
- Fixed CSLP-1404: Enable file reputation check by default in ICAP service for new installations
- Fixed CSLP-1397: Version number not updated in fsigk.ini when upgrading from version 4
- Fixed CSLP-1344: IGK does not properly migrate orsp_timeout setting on product upgrade
- Fixed CSLP-1442: Use a separate admin notification template when blocking Disallowed sites
- Fixed CSLP-1124: Archive scanning fails with “Archive compression ratio is too high” error
- Fixed CSLP-1448: Support HTTP response headers up to 256 kB
- Fixed CSLP-1196: Regression in virus_check_text SMTP/POP proxy setting
- Fixed CSLP-1205: Extraneous “Received:” header from POP proxy response
- Fixed CSLP-1228: “connection refused” warnings in HTTP and SMTP proxy
- Fixed CSLP-1307: Memory leak in Web Content Control URL filtering
- Fixed CSLP-1197: False positive virus detection in SMTP and POP proxy
- Fixed CSLP-1347: “Parsing ORSP response body failed” errors in HTTP and SMTP log
- Fixed CSLP-1268: ORSP errors caused by interrupted system call
- Fixed CSLP-1341: Use proper detection names instead of “FSIGK/ORSP” when possible
- Fixed CSLP-1311: Clarify access log documentation in Admin Guide
- Fixed CSLP-1308: Services not started during boot in RHEL 7.2
- Fixed CSLP-694: Display latest applied hotfix in web UI
- Fixed CSLP-1236: “Maximum file size in bytes” setting value shown incorrectly in Web UI
- Fixed CSLP-1068: ICAP detection response template is overwritten during product upgrade
- Fixed CSLP-823: Document third-party usage terms when enabling RBL for spam scanning
- Fixed CSLP-1186: Fix file name extension and place of rotated log files for fsdiag compatibility
- Fixed CTS-95734: Service startup does not create new process group for logging
5.22.14 => 5.30.75
- Integration with F-Secure Security Cloud, which provides the file and Web site (URL) reputation lookup service
- Web Content Control: enforce website restrictions using content categories
- Changes to the default configuration file fsigk.ini: Security Cloud is now enabled by default and its settings have been moved to the global section from the service-specific sections. The ICAP settings are unchanged. Upgrading from an earlier version to IGK 5.30 migrates these settings automatically.
- Fixed CSLP-745: WebUI cannot load if fsigk.ini contains lines longer than 4096 bytes
- Fixed CSLP-776: Last newline missing in HTTP POST multipart/mixed request to a web server
- Fixed CSLP-781: IGK fails to handle URIs with uppercase scheme
- Fixed CSLP-792: Access control is checked for parent proxy instead of HTTP request host
- Fixed CSLP-819: Custom spam filter match options are reset when applying changes
- Fixed CSLP-822: Remove pre-defined RBL servers from default configuration
- Fixed CSLP-946: SELinux does not allow log rotation
- Fixed CSLP-1049: Japanese localization corrections in Web UI
- Fixed CSLP-1056: Japanese localization correction in the Web UI login page
- Fixed CSLP-1099: Memory leak when parsing invalid HTTP request header
- Fixed CSLP-694: Display applied hotfix in Web UI System Information page
- Fixed CTS-97121: Incorrect configuration field in access control documentation
- Fixed SC-349: ICAP: incorrect parsing of the HTTP response Status-Line
- Changes to http/access.log: The CONNECT method entries will now have “https://” included in the URL field
- Minor security bug fixes in Web UI
5.21.18 => 5.22.14
- Fixed CSLP-371: Proxy services are not started on system boot.
- Fixed CSLP-703: Truncate long URLs to 3 KB when writing access/detect log entries.
- Added a list of supported web browsers to the system requirements.
5.20.646 => 5.21.18
- Fixed security vulnerability FSC-2015-2
- Fixed CSLP-467: Increase the maximum size of HTTP request
5.10.12 => 5.20.646
- Added support for Japanese localization in Web UI.
- Added various missing settings in Web UI.
- Fixed CSLP-331: fsupdated is still running after turning off automatic updates.
- Fixed CSLP-344: LANG=C locale causes installer to fail.
- Fixed CTS-91677: “pass_type” and “pass_type_list” options not working accurately.
- Fixed CTS-94558: Database update with fsdbupdate9.run leaves fsaua and fsupdated running when services are disabled
- Fixed CTS-95383: LAN access settings not migrated during product upgrade.
- Fixed CTS-95301: IGK leaves unexpectedly restarted proxy processes marked as busy, causing “Maximum connections” issue.
- Fixed CTS-95267: E-mail addresses of Admin notification settings cannot be set properly.
- Fixed CTS-95168: Add missing log files to logrotate.conf.
- Fixed CTS-95547: getaddrinfo_randomize expert option not working
- Removed the quick start guide and merged its contents to the admin guide.
5.00.5 => 5.10.12
- ICAP service supports scanning emails for malware and spam.
- New and improved web user interface added.
- New quick start guide added for easy installation and usage instructions.
- Fixed CTS-82476: fsaua now restarts automatically when the customer changes virus database download proxy settings from the web user interface.
- Fixed CTS-84901: FmLib library version is not visible in the web user interface.
- Fixed CTS-86302: Added documentation for configuring HTTP proxy for anti-spam daemon (fsasd) in the administrator guide.
- Fixed CTS-91852: Added missing information for ICAP detections templates in administrator guide.
- Fixed CTS-91867: Improved documentation for transparent proxy bridge mode using subnet in administrator guide.
- Fixed CTS-92216: Fix timeout_inactive for web servers that take more time than keepalive_timeout to start sending the response to IGK.
- Fixed CTS-92759: Fixed log size specification of logconv tool in administrator guide.
- Fixed CTS-92797: Fixed information for scanning daemon (fsavd) process management in administrator guide.
- Fixed CTS-92814: Parsing very large email header can lead to false detection or other unexpected result.
- Fixed CTS-92861: IGK fails to detect too long HTTP request URL.
- Fixed CTS-93579: Fixed information about connection error messages in administrator guide.
- Fixed CTS-94390: Added missing system requirements and dependencies in IGK release notes.
- Fixed CTS-94834: Added information about orsp_file_check for HTTP proxy in administrator guide.
4.10.17 => 5.00.5
- Support for F-Secure Real Time Protection Network was added to the HTTP proxy. When enabled, common files are identified by rapidly updating black and white lists. This saves system resources and improves the protection.
- The malware scanning capabilities are now available by a standard ICAP interface. This enables integration with third party proxies that support ICAP.
- The list of supported distributions was reworked to focus on the most popular, current and actively supported distributions.
- Removed the dependency on Java, which is a common source of security vulnerabilities. The Java runtime environment is no longer distributed with the product. As a consequence, this release does not contain a web UI, but is also significantly smaller and lighter. Configuration is done by editing the configuration files directly.
- Improved quality of RPM packages.
- Improved the output from IGK init scripts.
- Fixed CTS-91383: Added an option to control whether to transparently re-establish keepalive upstream HTTP connections.
If you are upgrading from a version earlier than 4.10.17, 4.11.8 or 4.12.5, see the release notes of version 4.12.5 for a list of earlier changes.
- Upgrading from 4.X Japanese version of the product (virusgw) to international version (fsigk) is not supported. Follow the instructions in the Administrator’s guide of the product to migrate settings from old (virusgw) installation to F-Secure Internet Gatekeeper (fsigk) installation.
- Only the following printable ASCII characters are allowed in the credentials for accessing services using HTTP proxy (http_proxyauth_user and http_proxyauth_pass in fsigk.ini): letters, digits and the following special characters: -._~!$&'()*+,;=
- If you use rpm to upgrade the product to the latest release, the product configuration files are reset to the factory defaults. The upgrade process renames the old configuration files by attaching an .rpmorig extension to the file name. This does not affect the main configuration file, fsigk.ini. As a workaround, you can rename the backup files back to their original names.
- IE9: Placeholder texts for username and password in the Login screen are not displayed.
- The product has limitations with HTTPS sites in the Web Content Control settings: https://community.f-secure.com/t5/Business/Limitations-with-HTTPS-sites-in/ta-p/79757
- SELinux may prevent the log rotation. To solve this issue, set the appropriate security context on the log files after the product installation. Install the policycoreutils-python package and run the following commands as root user:
# yum install policycoreutils-python
# semanage fcontext -a -t antivirus_log_t "/opt/f-secure/fsigk/log(/.*)?"
# restorecon -Frv "/opt/f-secure/fsigk/log"
- Symbolic links to sysvinit scripts in /etc/init.d/ have been removed when installing or upgrading in systemd environment. The services can be managed via corresponding init scripts in the installation directory: /opt/f-secure/fsigk/rc.fsigk_*.
- The init script console output is now different compared to previous product releases in a systemd-enabled environment. The status (exit) codes for starting, stopping and querying for service status remain the same as before.
- ICAP daemon (fsicapd) may refuse to start in CentOS/RHEL 5 environments due to the default limit of available file descriptors a process may allocate (RLIMIT_NOFILE). Refer to Admin Guide chapter 4.5.1 for instructions on how to configure a suitable limit.
- Services may not start automatically when you upgrade the product from version 5.xx to 5.40 in systemd enabled operating systems: https://community.f-secure.com/t5/Business/Services-may-not-be/ta-p/88214
- The System Information page of WebUI shows an incorrect product version after you upgrade to version 5.40. If Internet Gatekeeper 5.30 hotfix 2 has been installed prior to the upgrade, it will be shown for the new version as well. Run the following command as root user to resolve this issue:
# rm -f /opt/f-secure/fsigk/log/hotfix.log
See our Knowledge Base for up-to-date information about known issues and possible workarounds: http://www.f-secure.com/en_EMEA/support/business/
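As an added example (not part of the F-Secure release notes or the product), the following shell functions check the http_proxyauth_user and http_proxyauth_pass values in fsigk.ini against the allowed character set listed in the known issues above. It assumes the settings appear as plain key=value lines; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate the HTTP proxy credentials in fsigk.ini against the
# character set the release notes allow: letters, digits and -._~!$&'()*+,;=
# Assumption: the settings are stored as plain key=value lines.

# Return 0 if the value contains only allowed characters.
proxyauth_value_ok() {
    # Delete every allowed byte; anything left over is disallowed.
    # \047 is the apostrophe; the trailing hyphen is a literal hyphen.
    leftover=$(printf '%s' "$1" |
        LC_ALL=C tr -d 'A-Za-z0-9._~!$&\047()*+,;=-')
    [ -z "$leftover" ]
}

# Scan an ini file and name each offending key. The value itself is never
# printed, so a password does not end up in terminal scrollback or logs.
# Returns 1 if any of the two settings fails the check.
check_fsigk_ini() {
    ini=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            http_proxyauth_user=*|http_proxyauth_pass=*)
                key=${line%%=*}
                value=${line#*=}
                if ! proxyauth_value_ok "$value"; then
                    echo "$key: character outside the allowed set"
                    bad=1
                fi
                ;;
        esac
    done < "$ini"
    return "$bad"
}

# Constructed sample (not a real configuration): the user name is valid,
# the password contains '@' and a space, which are not in the allowed set.
sample=$(mktemp)
printf '%s\n' 'http_proxyauth_user=gw-scan.01' \
              'http_proxyauth_pass=p@ss word' > "$sample"
check_fsigk_ini "$sample" || true
rm -f "$sample"
```

On a real installation, pass the path of the product's fsigk.ini to check_fsigk_ini instead of the constructed sample.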
The product can be installed from an RPM package, or a tar package.
- RPM installation or upgrade
- Download the rpm package and run the following command as root user:
# rpm -Uvh fsigk-5.40.73-0.i386.rpm
After the installation, open http://<HOSTNAME>:9012/ with your web browser and use the default username and password to log in and configure the product. See the Administrator’s guide for information on how to configure the product with the web user interface.
- Installing using a tar package
- Download the tar package and run the following commands as root user:
# tar zxf fsigk-5.40.73.tar.gz
# cd fsigk-5.40.73
# make install
After the installation, open http://<HOSTNAME>:9012/ with your web browser and use the default username and password to log in and configure the product. See the Administrator’s guide for information on how to configure the product with the web user interface.
Contact information and feedback
To provide feedback or report any issues, go to:
Please include the product version and the Linux distribution you are using in your support request when contacting us.
Third party software used in the product
Berkeley DB 1.85
Copyright (c) 1991, 1993, 1994 The Regents of the University of California. All rights reserved. [http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/overview/index.html]
Copyright (c) 1997-2016 Bitdefender. All rights reserved.
Copyright (c) 2009-2012 Eric Haszlakiewicz
Copyright (c) 2004, 2005 Metaparadigm Pte Ltd [https://github.com/json-c/json-c]
Linux PAM userdb module 188.8.131.52
MD5 message-digest algorithm
Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. [http://www.ietf.org/rfc/rfc1321.txt]
TCP wrapper utilities 7.6
Copyright 1995 by Wietse Venema. [ftp://ftp.porcupine.org/pub/security/index.html]
The author disclaims copyright to this source code (Public Domain). [http://www.sqlite.org/]
Transparent Proxying patches for Linux kernel 2.6
Copyright (C) 2007-2008 BalaBit IT Ltd. [http://www.balabit.com/support/community/products/tproxy]
Copyright (c) 2004-2013 Sergey Lyubka
Copyright (c) 2013 No Face Press, LLC (Thomas Davis) [https://github.com/sunsetbrew/civetweb]