WALLIX Bastion 9.0 Hotfix 2 - Release Notes

5/4/22, 5:29 PM WALLIX Bastion 9.
0 hotfix 2 – Release Notes
WALLIX Bastion 9.0 hotfix 2 – Release Notes
Reference: https://doc.wallix.com/en/bastion/9.0/rn-en-9.0.2.html
Date: 2021-09-28
Copyright: © 2021 WALLIX
Contents
1 New functionalities and improvements

1.1 New functionalities and improvements in WALLIX Bastion 9.0
1.1.1 New features
1.1.1.1 Discovery and on-boarding of devices
1.1.1.2 Management and rotation of service accounts
1.1.1.3 Real-time dashboards and KPIs
1.1.1.4 General improvements
1.1.1.5 Complete list of changes
1.1.2 Graphical improvements
1.1.2.1 New graphical features
1.1.2.2 Limits and missing functionalities
1.2.1 New features
1.2.1.1 Tag management for devices
1.2.1.2 AAPM
1.3.1 New features
1.3.1.1 OT access automatization/Universal Tunneling
2 Changes by corrective level
2.1 Improvements and fixes in WALLIX Bastion 9.0 hotfix 2
3 Hardware requirements
4 Deploying on a virtual environment
5 Upgrading to WALLIX Bastion 9.0
5.1 Accessing the upgrade
5.1.1 Prerequisites
5.1.2 Retrieving the ISO image
5.1.3 Creating a USB key from the ISO image
5.2 Upgrading from WALLIX Bastion 6.2 or higher version
5.2.1 Transferring the upgrade image to WALLIX Bastion
5.2.2 Upgrading a standalone WALLIX Bastion
5.2.3 Upgrading a High Availability cluster
5.2.3.1 Prerequisites
5.2.3.2 Process sequence
https://doc.wallix.com/en/bastion/9.0/rn-en-9.0.2.html 1/24
5/4/22, 5:29 PM WALLIX Bastion 9.0 hotfix 2 – Release Notes
5.2.3.3 Procedure
6 Installing an hotfix from an earlier version
6.1 Procedure for hotfix installation
6.2 Procedure for hotfix uninstallation
7 Known issues
8 Compatibility with third-party software
9 Compatibility with third-party hardware
1 New functionalities and improvements

This version includes all the improvements and new features implemented from WALLIX Bastion
8.1 and listed in the sections below.
1.1 New functionalities and improvements in WALLIX

Bastion 9.0
1.1.1 New features
1.1.1.1 Discovery and on-boarding of devices
In order to protect against and avoid lateral attacks, it is recommended to know well the devices on
the local network.
In this version, we propose a discovery module based on the scan of network ports (RDP and
SSH) as well as import from the AD. This module has a scheduling capability, a complete
traceability and an on-boarding workflow of discovered devices.
1.1.1.2 Management and rotation of service accounts
A service account is a specific dedicated account that allows software deployed on the customers'
infrastructure to run. Service accounts are a security weakness because they often run software
that contains sensitive information.
Best practices recommend enforcing password policies, rotating passwords regularly as well as
changing passwords when used as service accounts on the servers.
You can now manage your service accounts from WALLIX Bastion, by automatically rotating the
secrets, and restarting the services to take them into account.
1.1.1.3 Real-time dashboards and KPIs
Real-time analysis and improved reporting of Bastion-centric activities in two dashboards:
Administration dashboard
Audit dashboard.
Business-oriented reporting:
Dashboard visualization based on the user's profile

This complements the continuous discovery.
Sessions:
RDP: support of audio input in RDP sessions.

VNC: improve keyboard mapping.
Telnet/Rlogin: scenario startup.
SSH: support of the private key in RSA SHA2.
Support of RADIUS "Push only" authentication to simplify the user experience in MFA.
Security:
AD authentication silos:
AD related double authentication Kerberos-based, protected users (Kerberos

only) can be put into silos in the AD.
Purpose of the AD authentication silos: credentials of the admin domain cannot

be used outside the silo.
Best practice: have a dedicated Bastion for the AD admin to store secrets and AD
silos to secure the scope of use.
Silo 1: users (primary)

Silo 2: AD infrastructure: AD, admin workstation, AD admin
Silo 3: catch-all
For further information:
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-
and-management/authentication-policies-and-authentication-policy-silos
The following features and improvements have been implemented in this version:
#13583: Implement option to view RDP sessions in real-time (4eyes) without recording
#15519: Implement support of Unix socket forwarding in SSH sessions
#16600: Implement option to allow a user to retrieve the target session of another user
#17057: Add mail notification when a license threshold is exceeded
#17387: Improve VNC keyboard mapping
#19495: Implement support of rsa-sha2 user public key signature
#22422: Improve REST API error when the given API version in the URL does not exist
#28215: Add new "References" feature in "Accounts" menu (aka "service accounts")
#28583: Add automatic discovery of devices by network and AD server scan
#28592: Add new dashboards in the Web interface
#28929: Implement shell startup scenario for Telnet and Rlogin target sessions
#29066: Add support of ping of LDAP server in external authentications
#29148: Improve RDP selector filters
#29199: Improve SSH selector filters
#29471: Add a way to filters devices and applications by tag key or key+value pair in REST
API
#29562: Add UNIXSOCK proxy options for SSH services
#29680: Add support of mobile device with RADIUS authentication
#29688: Add dedicated user for performing appliance upgrades
#29746: Generate disk images with associated NVRAM to allow a EFI boot
#29941: Implement WALLIX Bastion REST API 3.6 and remove version 3.4
#30518: Add more logs in syslog when the ITSM script is called
#30566: spark_view_specific_glyph_width is no longer required to support SparkView RDP
client
#30594: Add a way to check if user passwords expire when saving a local password policy
via the REST API
#30752: Prevent search engine bots from indexing the legacy interface pages
#31047: Implement support of audio input channel in RDP session
#31305: New signing certificate for WALLIX-Putty
#31326: Remove default password for GUI admin account
#31359: Allow IPv6 address in /etc/hosts and DNS Servers
Since WALLIX Bastion 7.1, the Web interface is being redesigned to provide a more intuitive and
efficient navigation and offer better performance.
1.1.2.1 New graphical features
The following features and improvements have been implemented for the Web interface in this
version:
#27371: Improve the table component of the Web interface

#29483: Implement a way to filter devices' tags from the table view
#29488: Implement the possibility to automatically discover devices on a network
#29489: Implement the possibility to automatically discover devices on an Active Directory
#29490: Implement support of Service Accounts
#29501: Redesign user interface to improve user experience
#29517: Implement new pages with dashboards for reporting
#30337: Implement the possibility to activate a debug mode on the new interface
#30516: Implement the possibility to add tags to multiple devices
#30540: Implement the possibility to remove tags from multiple devices
#30564: Prevent search engine bots from indexing the new Web interface pages
1.1.2.2 Limits and missing functionalities
Following the implementation of security measures against cross-site request forgery attacks (or
CSRF attacks), REST API requests can no longer be made directly from a browser.
Internet Explorer is not supported by the default interface.
This interface implements a new design which is only available for the following pages:
My preferences
Dashboards
Administration
Audit
Targets
Devices
Accounts
Groups
Checkout policies
Discovery
Password management
Password change policies
Configuration
Notifications
Local password policy

Connection messages
X509 configuration
API keys
License
Encryption
The other pages of the interface operate in hybrid mode: they show the graphical elements of the
legacy interface inside the new design.

Bastion 8.2
1.2.1 New features
1.2.1.1 Tag management for devices
In many IT infrastructures, devices are identified by tags. The use of these tags has also been
generalized in the Cloud.
Users now can apply tags and use them to filter their devices.
1.2.1.2 AAPM
PasswordFS is a new tool for removing passwords from configuration files. It dynamically injects
the password into the configuration file when requested.
Use case: Wordpress database access password that resides in a configuration file.
Group-based fingerprint: new capacity to have users of a group in the Seal mechanism.
Sessions:
Session sharing ("session shadowing"): now visible in the audit list, recording of
auditor's actions in session sharing. The user is informed that a session sharing is
about to start.
New analysis and recording protocol: WinSCP. It is a multi-channel protocol, audited by
default.
DLP/AV (Data Loss Prevention/Anti-Virus): WinSCP and SFTP are now analyzed and
can be blocked.
ITSM ticket number: the ITSM ticket number is stored in the UI approval list, and is
displayed in the session history.
TCP keepalive: TCP keepalive option added for SSH sessions.
ECDSA key: support of ECDSA key for SSH hosts.
Performance improvements:
Parallel execution of password change plugins. Credential change operation lab
measured credential change of 1000 accounts in 6 minutes.
Add session performance tracking in seconds (to /var/log/wabproxy.log with tag
"TIME_METRICS" once target connection is done), on:
Primary connection (network time)
Primary authentication (Bastion CPU/database time)
Rights retrieval (Bastion CPU/database time)
Credential retrieval (Bastion CPU/database time)

Target connection (network time)
Total.
Security:
SIEM new events: improve audit ability through new activity events.
SIEM event filtering: provide the capacity to filter logs sent to an external SIEM:
Extension of the "SIEM integration" page, with check boxes to select which logs
are to be sent via syslog.
Support custom filtering by manual syslog configuration.
Log retention policy: configurable data retention policy:
Audit logs and metadata can be automatically deleted after a configurable period
of time.
Default rotation period is 36 weeks (252 days), configurable on the interface.
License management:
New license management system: packs, options and metric display improvement.
Integrated revocation capability.
#12526: Implement real time view notification to user in RDP sessions

#23002: Implement log retention policy
#23162: Improve information on session sharing
#23228: Implement retention periods for the user data
#23467: Implement "Tags" field for devices and applications in REST API
#24914: Improve error message when connecting in RDP with unauthorized user account
target authentication
#26724: Implement connection time metrics in proxy sessions
#27202: Implement RDP proxy options for theme configuration
#27567: Implement the possibility to connect with an OTP token in the URL
#27571: Fix user disconnection when using "Switch to the default interface" button
#27771: Add support for Hyper-V generation 2
#27898: Add option to ignore alert emails when GPG key is missing
#27916: Implement RDP proxy option to change OEM logo
#28143: Implement SFTP file transfer blocking on invalid verification by DLP/AV solutions
#28281: Implement REST API 3.5 and remove REST API 3.2
#28564: Add API resource to get primary authentications
#28615: Implement a new license model
#28735: Improve security by updating default values for Diffie-Hellman paramepters in SSH
proxy configuration options
#28801: Implement ECDSA host key generation for SSH Proxy
#28821: Implement credential change parallelization
#28960: Implement "WABChangeDbRootPassword" command to manage database
administrator role password
#28975: Improve default keyboard mapping in VNC session
#28983: Implement support of Microsoft Edge Chromium in WALLIX Application Driver
#29013: Add extra header in the "targetpasswords" API resource to encrypt the SSH private
key
#29045: Rename add-on "RawTCP" to "Universal Tunneling" in "License" page
#29388: Implement file transfer blocking on invalid verification by DLP/AV solutions for
WinSCP sessions
#29394: Implement WinSCP session recordings
#29866: Add variables available for the custom notifications in the Administration Guide
#28485: Add a custom image to support Yandex Cloud
#24596: Redesign of the "Password change policies" page

#28930: Remove display size management in "My preferences" menu
#29044: Implement new license support in the Web interface Note: The "License" page is no
longer accessible from the legacy interface.
#29081: Implement tag management on devices in the Web interface

Bastion 8.1
1.3.1 New features
1.3.1.1 OT access automatization/Universal Tunneling
Simplification of OT management via WALLIX Bastion by simplifying and automating the creation
of OT tunnels.
WALLIX-PuTTY version 0.73.6 has a new flag for tunnel management which allows mapping the
local IP to the loopback interface. Windows admin rights are required (windows routing).
Notification email customization:

Allows customazing notifications in the desired language, using dynamic variables.
Notification sent is the one defined for the user. If none has been defined, then the
default notification is sent.
Improvements:
Generalize the management of email templates to all notifications.
Manage multilinguism in email templates, the order of sending is:
custom template in the user's language
custom template in English
default template.
Allow sending HTML email.
Security:
Source-based routing:
New flag that instructs the Bastion to create additional routing rules to force the
Bastion to reply on the same interface as the ingress request.
As a consequence, combined with a flow split configuration, this allows to
completely separate the administrator from the user and audit traffic.
Network link aggregation:
Support of modes "Active backup policy" and "Dynamic link aggregation".
Implement automatic deployment of Application Driver

File transfer blocking on invalid verification by DLP/AV solutions
Implement network interface bonding
Implement interface routing based on source IP
Implement customization of notification emails
Implement target declaration on RDP login screen

Upgrade WALLIX-PuTTY to version 0.73.6 with addition of an option to map target on client
loopback for RAWTCP protocol
The following minor features and improvements have been implemented in this version:
Availability of a new WALLIX Bastion REST API version: REST API 3.4. This version includes
the latest updates. The REST API versions 3.3 and 3.2 are also available and remain
unchanged. The REST API version 2.4 is deprecated and then no longer available for this
version of WALLIX Bastion. For further information, please refer to the REST API
documentation available online: https://bastion_ip_address/api/doc.
Add package cloud-init.
Note: The network configuration is now located in /etc/network/interfaces.d/50-cloud-init.cfg.

Any custom configuration can be placed in /etc/network/interfaces.d/ and will be preserved
during upgrade.
Improve service management when launching script wallix-config-restore.py
Support UEFI boot mode
Important
It is now possible to boot WALLIX Bastion installer on a native UEFI mode.

However, the Secure Boot functionality must be disabled to allow WALLIX
Bastion to boot.
If the installer boots on a BIOS system or a BIOS-compatible UEFI

system, then the Bastion's system will be installed in BIOS mode. It is not
possible to change the system boot mode (BIOS or native UEFI) after
installation. Otherwise, WALLIX Bastion could not boot unless the
firmware is restored in the appropriate mode.
The GRUB boot screen shows an additional entry for the UEFI mode to
access the firmware setup. The access to this entry requests the same
login and password as those required when accessing the "Recovery
Mode" entry in the BIOS mode, below the "Advanced Options" entry.
When booting in UEFI mode, the command-line system tool efibootmgr is

installed and accessible in the shell. It allows to read and define (with root
privileges) some parameters in the NVRAM UEFI. Enter efibootmgr --help
to get the command help information.
As the Secure Boot functionality is not used when booting in UEFI mode,
WALLIX Bastion is not affected by the following latest vulnerabilities
observed on grub2 for this mode: CVE-2020-10713 (BootHole), CVE-
2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311,
CVE-2020-15706 and CVE-2020-15707.
Redesign of the following pages on the Configuration menu: Local password policy, API keys
and License.
Implement the selection of resource associations to be able to create applications or clusters.
Russian is available as display language
2 Changes by corrective level

This version includes all the improvements and fixes implemented from WALLIX Bastion 8.0. The
improvements and fixes listed in the following sections have been implemented in WALLIX Bastion
9.0.

#31409: Fix rotation of the log file /var/log/daemon
#31505: Support Okta Identity Cloud LDAP server
#31709: Deny Open Redirects via HTTP headers
#31767: Fix application sessions using RemoteApp mode via WALLIX Access Manager
#31819: Fix requests for key re-exchange by SSH servers
#31939: Implement UserPrincipalName as login attribute for LDAP/AD authentication
#32004: Fix issue on license when WALLIX Bastion is deployed in Microsoft Azure
#32036: Update AngularJS to version 1.8.2 to fix the following security issue: CVE-2020-
7676
#32055: Fix a regression on the addition of a custom route
#32056: Integrate SailPoint
#32114: Update Debian base to 10.10
#32159: Fix trace migration from version 8.0 to version 9.0
#32288: Improve performance during provisioning with RESTAPI
#32443: Add index to log_session table for better performance
#32469: Add daily cron to move sessions to remote storage
#32475: Remove unnecessary cron messages such as "Exception IOError: IOError (17, 'File
exists')"
#32477: Fix WSC connection error in cron jobs
#32501: Fix potential security issue in SSH proxy: CVE-2021-3634
#32507: Fix import of session logs
#32709: Allow to specify a gateway for container network

#19764: Fix video generation when using RDP with multiple monitors
#26362: Reduce the SMTP configuration application time from ~15 seconds to ~5 seconds
when SNMP is activated
#27976: Fix display of long warning messages in RDP proxy
#28384: Implement UserPrincipalName as login attribute for LDAP/AD authentication
#28910: Add trace of sessions viewed in real-time (4eyes) to SIEM
#29019: Fix error 500 for REST API resources synchronization when deleting services from
devices
#29166: Fix inconsistency between bastionStatus OID and wabwatchdog status
#29239: Fix constraints when uploading keytab file
#29350: Fix filtering on boolean values in the REST API
#29364: Fix missing principal list when displaying a Kerberos external authentication in the
interface
#29481: Fix "secret" field in external authentications resource in the REST API
#29492: Fix error on user notification icon when restoring a backup
#29521: Fix LDAP/AD connection failure due to certificate verification, by allowing
configuration of TLS cipher suite
#29525: Display an error message when the Bastion is updated and needs a full refresh
#29649: Fix force attribute usage in restapi calls to keep original content if not defined
#29743: Fix error in logs when importing sessions from another Bastion
#29774: Fix Thycotic plugin issues with check-in, check-out, and URL validation
#29799: Display min/max values for string/integer fields in REST API GET schema
documentation
#29828: Allow duplicate of forbidden passwords in PUT /api/localpasswordpolicies
#29907: Fix sending of HTML emails in custom notifications
#29925: Fix error 500 from REST API in case of invalid Authorization header
#29927: Check authentication type in Authorization header (REST API)
#29931: Fix encoding error in messages returned by the REST API when objects already
exist
#29934: Fix error 500 from REST API when searching device certificates
#29938: Fix error 500 from REST API when searching time frames
#29946: Fix error 500 with search "q=~search" in several REST API resources
#29952: Fix REST API to make tag search case sensitive
#29955: Return an error 404 in REST API /api/tags when a tag id is not found
#29957: Fix error 500 when an invalid id is sent in an API REST GET request
#29981: Fix domain root password update when password change is successful on target
#30059: Add information when changing password of primary or secondary account
#30066: Fix display of unused target accounts in "Connection statistics" page in "Audit" menu
#30121: Fix LDAP GSSAPI protected user authentication
#30123: Fix crash of RDP session when dragged between several monitors
#30158: Fix Kerberos authentication issue on SSH proxy with the new authentication
interface
#30170: Re-enable DLP/AV feature with a "Legacy license"
#30171: Re-enable ITSM feature with a "Legacy license"
#30217: Update sudo package to fix the following security issue: CVE-2021-3156
#30251: Fix form validation on the "Passphrase" field for an account
#30276: Fix disk size issue for /var/wab directory on AWS, Azure and GCP
#30281: Fix issue with duration of pending approval request with a start date in the past
#30326: Fix user disconnection on legacy interface when many Web sessions are open
#30359: Fix LDAP GSSAPI authentication
#30410: Fix PUT applications/devices resources on the option to force tags (REST API
3.5/3.6)
#30411: Fix issue with copy/paste function in RDP application sessions
#30471: Fix missing checksum for the Vmware images
#30495: Change default settings for SIEM log export
#30522: Allow test of LDAP external authentication if the resource already exists
#30523: Do not call ITSM script at start/end of session if the license does not allow it
#30527: Fix empty file sent to the approval ticketing script
#30551: Fix default gateway which disappears after reboot in some network configurations
#30601: Fix precision of API session timeout
#30647: Add SSH session logs integrity check upon access
#30658: Fix session logs not moved to the remote storage
#30693: Fix erroneous logs of REST API requests
#30696: Fix REST API External Auth resource for PUT request
#30722: Improve display of errors after form validation
#30762: Fix blocked request issues in REST API
#30771: Fix URLs with spaces returned by REST API
#30800: Fix wrong login page language after a logout
#30824: Fix issue when displaying the "Backup/Restore" page in some specific hardware
environments
#30825: Fix an issue when trying to restore a backup on a system with a modified database
root password
#30829: Allow upload of CA certificate embedding elliptic curve in LDAP external
authentication
#30834: Use REST API timeout immediately after change without restarting the service
#30903: Fix subnet route when IP source routing is enabled
#30912: Fix display issue when associating an account with an application
#30914: Support SCP file transfer with MobaXterm
#30927: Fix BestSafe metadata error

#30928: Fix security issue with openssl
#30980: Fix summary in form of "My Preferences" page
#31015: Fix different copy/paste behaviors depending on the client used when ICAP is
enabled
#31016: Add search keywords "rdp:app" and "rdp:notapp" on pages "Current sessions" and
"Session history" in "Audit" menu
#31025: Fix UNIX password change for root target account
#31052: Fix case issue for the user logged on the default interface via LDAP/AD
authentication
#31053: Fix pagination on accounts with limitations on target groups in the interface and
REST API
#31075: Upgrade OpenSSL to version 1.1.1k
#31094: Fix issue when an application account is added by a profile with limitations on target
groups
#31108: Fix crash of RDP session on Remmina client
#31171: Fix issue on synchronization of credential changes and email notification
#31218: Fix issue when launching command WABSessionLogImport
#31327: Fix working directory of applications created by the REST API
#31354: Application Driver: Fix behavior for not trusted certificates in Chrome 90.0.4430.93
for Windows
#31437: Remove applications from user rights when RDP is not selected in the authorization
#31458: Fix random error when launching Session Probe on target with a slow network
#31477: Fix option --max-delete of script bastion-clean-user-data
3 Hardware requirements
WALLIX Bastion version 9.0 hotfix 2 requires at least 4GB of RAM and 30GB of disk space.
Please contact WALLIX Technical Support Team if you need further information related to the
necessary sizing parameters.
External storage is recommended for virtual machines.
The old appliances Dell R310, R320, R510, R520, R810 and R820 are no longer supported.
4 Deploying on a virtual environment

WALLIX Bastion can be deployed in the following virtual environments:
Amazon Web Services (AWS)

Google Cloud Platform (GCP)
Kernel-based Virtual Machine (KVM)
Microsoft Azure
Microsoft Hyper-V
OpenStack
VMware vSphere
WALLIX provides a generic ISO and specific images for the above-mentioned environments.
Whenever a platform-specific image is provided by WALLIX, we recommend installing this image

rather than the generic ISO image.
Please refer to the Quick Start Guide to get the instructions on how to deploy on-premises images
and Cloud tenant images.
5 Upgrading to WALLIX Bastion 9.0

Important
You can only upgrade to WALLIX Bastion 9.0 hotfix 2 from WALLIX Bastion
6.2 or higher version. We recommend installing first the last hotfix released for
your current version before upgrading to WALLIX Bastion 9.0 hotfix 2.
Please contact WALLIX Support Team if you wish to upgrade from a

version earlier than WALLIX Bastion 6.2.
Please also note that only backups created from WALLIX Bastion 6.0 or higher
version can be restored on this version.
The table below lists the versions from which the upgrade to WALLIX Bastion
9.0 hotfix 2 can be performed.
Last recommended version for

Original version upgrade
WALLIX Bastion 6.0 N/A
WALLIX Bastion 6.1 N/A
WALLIX Bastion 6.2 From hotfix 6.2.5
The upgrade to WALLIX Bastion 9.0 hotfix 2 can be performed from hotfix
versions prior to the one listed in the above table. However, we strongly advise
you to apply this procedure from the recommended version.
The upgrade to WALLIX Bastion 9.0 hotfix 2 cannot be performed from an

hotfix version higher than the recommended version mentioned on the above
table.
Important: Before any update to version 9.0.2 from a previous version, please
proceed to the verification list detailed in the Known issues section.
Your configuration parameters are normally preserved during the upgrade

procedure. Nevertheless, before upgrading your Bastion, we recommend
performing a backup of your Bastion configuration. This is done from the
administration Web interface (refer to the Administration Guide for further
information).
The upgrade process takes at least a few minutes and may run over a longer
period in the case of High Availability clusters containing many session
recordings.
In case of an SSH disconnection during the upgrade or the HA setup, you can
return to the input/output of the running script by entering the following
command:
# cd /mnt
# ./bastion-upgrade.sh
When the upgrade has completed, we recommend you to check that the
selection of the cryptographic algorithms accepted by both the SSH and the
HTTP servers still meet your requirements. Otherwise, the command
WABSecurityLevel allows you to set the security level of these servers.
The default security level for the SSH server is set to a low value, allowing any
cryptographic algorithms to be used.
The default security level for the HTTP server is set to a high value. Only the
following cryptographic algorithms can then be used:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
The old appliances Dell R310, R510 and R810 are no longer supported neither
by the manufacturer nor by WALLIX. Nevertheless, WALLIX Support Team will
provide a best-effort assistance on these products, with no obligation to
achieve a fixed result.
5.1 Accessing the upgrade
5.1.1 Prerequisites
In order to upgrade your Bastion, ensure that you have:
a USB key with WALLIX Bastion version 9.0 hotfix 2 or

a workstation connected to the Internet in order to retrieve the ISO image of the upgrade and
a blank USB key of 1GB or more you can transfer the image onto.
Note
If you cannot access Internet in order to retrieve the ISO image, please contact
WALLIX Support Team, which will send you the upgrade on a USB key.
5.1.2 Retrieving the ISO image
If you do not have the USB key, the first step consists in retrieving the ISO image of the upgrade
‘bastion-9.0.2.9.iso’ and its checksum file ‘bastion-9.0.2.9.iso.sha256sum’.
The procedure is as follows:
1. Connect to the following address in your Internet browser and enter your WALLIX Support
credentials:
https://support.wallix.com/
2. Click on the “Downloads” tab and download both the image and the integrity check files from
the “Update image” section for WALLIX Bastion version 9.0.2.
3. Check the image by using an appropriate tool, such as HashCheck on Windows

(https://github.com/gurnec/HashCheck), or under Linux by entering the following command:
sha256sum -c bastion-9.0.2.9.iso.sha256sum
5.1.3 Creating a USB key from the ISO image
On Windows, use a tool similar to Win32DiskImager
(https://sourceforge.net/projects/win32diskimager/)
Change the filter from *.img to *.iso to select the file.
On Linux, simply use the dd command as follows:
dd if=bastion-9.0.2.9.iso of=<usb_device> bs=4M; sync
then check by entering the following command:
sed 's/bastion-9.0.2.9.iso/-/' bastion-9.0.2.9.iso.sha256sum \

>stdin.sha256sum
head -c `stat -c%s bastion-9.0.2.9.iso` <usb_device>| \
sha256sum -c stdin.sha256sum
where <usb_device> must be replaced by the device onto which the USB key is connected,
typically something like /dev/sdb.
5.2 Upgrading from WALLIX Bastion 6.2 or higher version

The upgrade script records the entire upgrade in the log file in /root/migration-
<PREVIOUS_VERSION>-9.0.2.log, listing all actions executed during script execution. All the
actions during upgrade are also displayed on the terminal.
If the script stops after a few seconds, you must consult the last part of the /root/migration-
<PREVIOUS_VERSION>-9.0.2.log file using the following command:
tail /root/migration-<PREVIOUS_VERSION>-9.0.2.log
where <PREVIOUS_VERSION> must be replaced by the version number from which the upgrade is
performed.
The last line should indicate which problem must be corrected before continuing the upgrade.
5.2.1 Transferring the upgrade image to WALLIX Bastion
1. If you have the USB key and a physical appliance, you just need to plug it in a free USB port
in the front or back of the unit.
If Bastion is a virtual machine, you can use the ISO file as a disk image to the VM's optical
drive (CD/DVD drive).
Otherwise you need to transfer the ISO image to WALLIX Bastion.
2. Use an SCP client (such as WinSCP - http://winscp.net/) to send the two downloaded files to
the Bastion’s /home/wabadmin/ directory (the wabadmin user’s default directory). If you use
the High Availability (HA) mode, the files must be transferred to the Master and to the Slave.
3. Check that the transfer was successful by entering the following command:
wabadmin@wab:~$ sha256sum -c bastion-9.0.2.9.iso.sha256sum

bastion-9.0.2.9.iso: OK
In the case of HA configuration, the above command must be executed on both the master
and the slave.
4. You can now upgrade WALLIX Bastion by following the procedure described in one of the
next two sections, according to your particular configuration.
5.2.2 Upgrading a standalone WALLIX Bastion
1. Connect to WALLIX Bastion by entering the wabadmin user name and password.
2. Pass root by entering the following commands and providing the wabsuper password each
time you are prompted:
wabadmin@wab:~$ super
wabsuper@wab:/home/wabadmin$ sudo -i
3. Next, mount the ISO image:
# mount -o loop /home/wabadmin/bastion-9.0.2.9.iso /mnt
or if you are using the USB key (replacing sdb by the device onto which the key is
connected):
# mount /dev/sdb /mnt
4. Next, execute the following commands to upgrade your system:
# cd /mnt
# ./bastion-upgrade.sh
WALLIX Bastion will now install the Debian packages and the WALLIX packages in order to
perform the updates of the system and Bastion. It will then migrate the data to the
appropriate format.
5. Once the upgrade is completed, press the Enter key to exit the screen displaying the process
actions and go back to the shell. Please make sure that the upgrade process has
successfully completed by checking the last lines of the /root/migration-
<PREVIOUS_VERSION>-9.0.2.log file using the following command:
tail /root/migration-<PREVIOUS_VERSION>-9.0.2.log
where <PREVIOUS_VERSION> must be replaced by the version number from which the
upgrade is performed.
6. Restart the system by entering the command:
# reboot
After the system reboot, you can use WALLIX Bastion immediately.
5.2.3 Upgrading a High Availability cluster
5.2.3.1 Prerequisites
In order to upgrade a HA cluster, you must upgrade the Master node first then the Slave one.
Continuity of service cannot be maintained during the upgrade process.
You must beforehand check that the network parameters are correctly configured, the Bastion
administrator’s email address has been defined and encryption has been unlocked on the Web
User Interface.
On both the Master and the Slave nodes, the /etc/hosts file must include the following lines:
127.0.0.1 localhost
IP_MASTER HOSTNAME_FQDN_MASTER
IP_SLAVE HOSTNAME_FQDN_SLAVE
On the Master, the /etc/hostname file must include the line:
HOSTNAME_FQDN_MASTER
On the Slave, the /etc/hostname file must include the line:
HOSTNAME_FQDN_SLAVE
Lastly, execute the following command on both machines:
hostname -F /etc/hostname
(Replace the locations indicated in capitals above by the actual values. _FQDN_: the fully qualified
domain name, which must be included in the host name).
We will now call your current Master node as “node1” and your current Slave node as “node2”. You
can determine which machine is the Master and which is the Slave by entering the following
command:
WABHAStatus
5.2.3.2 Process sequence
When the upgrade script is launched on node1, HA service is stopped on both nodes (node1 and
node2): a lock file in the directory for node2 prevents HA service from accidentally restarting. This
aims to prevent node2 from becoming the Master node.
When the script has finished execution on node1, HA service must be restarted on this node only!
After reboot, node1 is still the Master node.
When the script is launched on node2 and the execution has finished, HA service must be
restarted on this node. After reboot, node2 is still the Slave node.
5.2.3.3 Procedure
1. Upgrade node1 (refer to section: Upgrading a standalone WALLIX Bastion) then reboot.
2. Upgrade node2 (refer to section: Upgrading a standalone WALLIX Bastion) then reboot.
Important
HA service is stopped on node2 when the upgrade script is

executed on node 1 until the end of the script execution on
node2. This prevents node2 from becoming the Master node.
When HA is restarting on both nodes, a loss of synchronization

may occur when the master node is taking control and the
passphrase may thus be requested. In such a case, enter the
passphrase then restart the service on the slave node to restore
synchronization by executing the following command:
systemctl start wabha
3. Test the upgrade:
Stop HA operation on node1 by executing the following command:
systemctl stop wabha
Check that after a few seconds node2 does indeed become the new Master and
the services are restored
If ever the system does not work, stop node2 and restart HA operation on node1
by executing the following command, then contact WALLIX Support Team:
4. Lastly, to restore your initial configuration:
Stop HA operation on node2 by executing the command:
systemctl stop wabha
Restart HA operation on node1 by executing the command:

This will force the switchover to the former Master.
After node1 has taken control, restart HA operation on node2 by executing the
command:
6 Installing an hotfix from an earlier version

Important
Prior to installation, we recommend you to take a snapshot of the Virtual

machine or create a backup of WALLIX Bastion.
6.1 Procedure for hotfix installation

1. Connect to the following address in your Internet browser and enter your WALLIX Support
credentials:
https://support.wallix.com/
2. Click on the “Downloads” tab and download both the hotfix .tar.gz folder and the integrity
check files from the “Hotfixes” section for the last available hotfix version.
3. Check the integrity of the archive by using an appropriate tool, such as HashCheck on
Windows (https://github.com/gurnec/HashCheck), or under Linux by entering the following
command:
sha256sum -c archive_name.tar.gz.sha256sum
4. Use an SCP client (such as WinSCP - http://winscp.net/) to send the two downloaded files to
the Bastion’s /home/wabadmin/ directory (the wabadmin user’s default directory).
Important
The hotfix package cannot be installed if the path to the install

directory includes spaces.
5. Connect to WALLIX Bastion by entering the wabadmin user name and password.
6. Pass root and install the hotfix using the following commands:
$ super
$ sudo -i
# tar xf archive_name.tar.gz
# cd archive_name
# ./install.py
Important
If you are running a setup using the High Availability (HA) mode, the procedure
must first be run on the MASTER node. Once the hotfix is installed, the
procedure must then be run on the SLAVE node. During installation on the
MASTER node, both nodes are unavailable.
Note
The following services are automatically restarted when the hotfix is being
installed:
Wabengine
GUI
REST API
HA (when running a setup using the High Availability (HA) mode)
6.2 Procedure for hotfix uninstallation

If necessary, the hotfix can be uninstalled. To do so, connect to WALLIX Bastion then pass root
and enter the following command:
# ./uninstall.py
Important
If you are running a setup using the High Availability (HA) mode, the procedure
must first be run on the MASTER node. Once the hotfix is installed, the
procedure must be run on the SLAVE node. During installation on the
MASTER node, both nodes are unavailable.
The old hotfixes previously installed are archived in the directory /var/hotfix.
They can be reinstalled if needed from the hotfix directory by entering the
following command:
./install.py
7 Known issues
Important for major upgrades
Before upgrading to version 9.0.2 from a previous major version, please verify
the following points:
License:
Before upgrading, verify if the license has a "Pack" activated. If so,
please contact WALLIX support, a new license needs to be
generated.
If the upgrade is done without the change, license will be
invalidated, you will then need to ask for a new license file wy
sending the new context file through a support case.
Upgrading with backup export-import:
When upgrading with backup export-import, some configuration
files are wrongly restored. It can cause service activation issues on
the network interfaces. (Issue #32542)
If the number of network interfaces is different between the source
and the target Bastions, please contact WALLIX support in order to
fix the service mapping issue.
Verification of free space:
Before upgrading, please verify the free space on the disk,
particularly on partitions / , /var and /var/wab .
These three partitions need at least 3GB of free space.
Command df -h executed in CLI can be used for this verification.
Password Change plugins:
Before upgrading a Bastion, if you have modified some plugins with
the help of the support team, we recommend that you backup those
plugins.
They are stored in the following path:
/opt/wab/share/plugins/cred_chg/${PLUGIN}/${PLUGIN}.py.
You can either backup the plugins in the same directory by copying
them with a '.bak' extension, or store them in another directory like
/var/tmp, to be able to restore them tokeep all the modifications
done.
Important
For troubleshooting with Remote Desktop Connection and failed connection to

target, please refer to section "Configure the security level to restore RDP
protocol compatibility" in the Administration Guide.
The following functionalities are defective:
License:
The email notification alert for the license is in English even if the user preference is in
French. (Issue #31768)
LDAP/AD authentication:
From WALLIX Bastion 8.0, password change for AD Protected Users will fail.
(Issue #29200)
X509 authentication:
The upload of multiple CA certificates will fail on "X509 Configuration" page. (Issues
#29385, #29461)
Transparent mode authentication
The authentication through the transparent mode for both RDP and SSH connections
will fail. (Issue #29558)
Discovery:
Discovery process is stuck when automatic backup is triggered concurrently.
(Issue #31434)
There are some issues in the behaviour and error management when the license limit is
reached. (Issue #31848)
Logs:
Many errors in journalctl related to "Scope has no PIDs. Refusing". (Issue #31443)
Dashboards:
The order of dashboards on a new profile is not always properly saved. (Issue #30113)
RDP session:
There is an issue when connecting from an Access Manager to Windows Server 2008
targets through Bastion 8.0.8. Please refer to the procedure here, or search the
knowledge 2001 on the support website for a solution. (Issue #31434)
The logon via a Smart card is only available for target access through interactive login.
Once the relevant target has been chosen from the selector, the Smart card logon can
be selected from the "Sign-in options" link on the Windows standard login screen. Note
that it may take 5 to 30 seconds for Windows to display the "Sign-in options" link.
(Issue #30102)
The client Remote Desktop Connection (MSTSC) connected to Windows Server 2008
or 2012 does not allow several RemoteApp programs to share the same RDP session.
There will be as many RDP sessions created as the number of RemoteApp programs
launched. (Issue #30021)
Using applications through the Access Manager may fail. (Issue #31767) Please
contact WALLIX Support Team if you need further information.
Due to the certificate update used to sign the Session Probe, it is required to upgrade
BestSafe agent for proper interoperability of the two products. (Issue #31805) A
workaround exists by updating a dll on the target, please contact WALLIX Support
Team if you need further information.
VNC session:
Encoded characters are not fully supported when converting Unicode to ScanCode.
(Issue #31876)
SSH session:
The SOCKS proxy in SSH session is unstable with PuTTY. (Issue #29167)
REST API:
Some fields of the REST API "External Authentications" resource are missing,
incomplete or have errors. The REST API documentation for this resource will be
updated in a future release. (Issues #29395, #29083, #28828, #29386)
Installation/Upgrade:
From WALLIX Bastion 6.2, the ordering of the 4 network interfaces is reversed on
installation.(Issue #31802)
Error in migration logs when performing an upgrade on Azure. (Issue #31731)
Multiple errors appear in the syslog file during the execution of an upgrade, these
errors do not affect the product operation. (Issue #31875)
Audit:
Inconsistent authentication logs when using Kerberos + AD authenticator.

(Issue #31771)
Issue when running the WABSessionLogImport command. (Issue #31218)
Backup/Restore:
It will not be possible to interact with the untrusted certificate popup after restoring a
backup from the default interface. (Issue #28064)
Sometimes display issues when restoring a backup through the GUI with Firefox.
(Issue #31699)
8 Compatibility with third-party software

WALLIX Bastion supports the following third-party software:
WALLIX Access Manager compatibility:

WALLIX Access Manager 2.0.21
WALLIX Access Manager 2.1.16
WALLIX Access Manager 3.0
REST API supported clients based on:
REST API version 3.3 LTS

REST API version 3.4
REST API version 3.5
SSH clients via SSH proxy (primary connection):
OpenSSH
PuTTY
Cygwin (+ Xming for X11 forwarding)
FileZilla
WinSCP
SSH servers via SSH proxy (secondary connection):
OpenSSH
Cisco IOS SSH Server
RDP clients via RDP proxy (primary connection):
Remote Desktop Connection / MSTSC for Windows XP, Windows 7, Windows 8,
Windows 10
rdesktop (Linux)
FreeRDP (Linux)
Remmina
RDP servers via RDP proxy (secondary connection):
Windows Server 2003 / 2008 / 2008 R2 / 2012 / 2012 R2 / 2016 / 2019
Windows 10 Pro and Enterprise
Windows 8.1 / 8 Pro and Enterprise
Windows 7 Professional, Enterprise and Ultimate
xRDP
VNC servers via RDP proxy (secondary connection):
TightVNC
TigerVNC
UltraVNC
RealVNC
Supported Web browsers:
The Web interface supports the up-to-date version of the following browsers:
Apple Safari (only supported by the default interface)

Google Chrome
Internet Explorer (only supported by the legacy interface)
Microsoft Edge
Mozilla Firefox
Compatibility information for password change plugins and external password vault
plugins:
Tested
Category Device/System Version/Type Scope Version/Origin version
Network Palo Alto PA-500 Password change V1.0
Network Generic Radius Authentication Internal FreeRADIUS
Version 2.1.12
Router Cisco 800 Series Password change V1.0.2
Router Cisco Nexus Password change Available on
demand
Router Juniper SRX Password change V1.0
MFA Gemalto Card reader Integration Internal
Firewall Cisco Generic Password change V1.0.2
Tested
Firewall Stormshield Stormshield Password change Available on
3.x demand
Firewall Checkpoint Checkpoint Password change Available on
R77.30 Gaia demand
Firewall F5 BigIP v15.1.0. Password change Available on
demand
Firewall Fortinet Fortigate Password change, V1.0
SSH key
Server Controller iDRAC DELL Password change V1.1 v7 & v8
Storage PowerVault ME4024 Password change Available on
demand
OS IBM IBM 3270 Password change V1.0.0
OS Microsoft Windows Password change V1.0.1 Windows
Windows Server 2003 Server 2003
R2 R2
R2 R2
OS Linux/Unix GNU/linux Password change, V1.2.1 Debian 8,9,10,
Debian/Ubuntu SSH key Ubuntu 18.04.4
LTS
OS Linux/Unix GNU/linux Password change, V1.2.1 SLES 11
SLES/Suse SSH key 12SP3 15
OS Linux/Unix GNU/linux Password change, V1.2.1 CentOS 6.6,
RedHat/Centos SSH key 7.1 RedHat 8
OS Linux/Unix OpenBSD 5.1 Password change, V1.2.1
SSH key
OS Linux/Unix FreeBSD 9 Password change, V1.2.1
SSH key
OS Linux/Unix NetBSD 5.1.2 Password change, V1.2.1
SSH key
OS Linux/Unix Solaris 10 Password change, V1.2.1
French SSH key
OS Linux/Unix Solaris 11 Password change, V1.2.1
SSH key
OS Linux/Unix AIX Password change, Available on
SSH key demand
Tested
OS VMware ESX 6.5 ESX local Available on
password change demand
OS IBM zOS 3270 Password change 1.0.0
OS HP ILO V4 Password change Available on
demand
Database LDAP Generic Password change V1.0 openldap 2.4
Database Oracle Generic, 11g, Password change V1.0.2
12c
Database Microsoft SQL MsSQL Password change Available on
2008, 2017 demand
Database Mariadb Mariadb Password change V1.0.3 10.2 10.3 10.4
Database Oracle MySQL 5.X to Password change V1.0.3 MySql 7,
8.X MySql 8
Database SAP ASE Password change Available on
demand
Database Teradata Teradata V14 Password change Available on
demand
Vault Cyberark Vault Password change Internal 10.3
Vault Hashicorp Vault, API V1 Password change Internal Hashicorp
Vault 0.10.4
Vault Thycotic Vault Password change Internal 10.5.000001
Application UltraVNC VNC & Password change Available on
ViewOnly demand
Application SAP SAP_IQ 16 Password change Available on
demand
Cloud AWS AWS_IAM Password change Available on
boto3 demand
API version for Password Change plugins: 1.2.1

API version for Password External Vault plugins: 1.2.1
9 Compatibility with third-party hardware

Gemalto SafeNet IDPrime MD
Yubico YubiKey 5 NFC

WALLIX Bastion 9.0 Hotfix 2 - Release Notes

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WALLIX Bastion 9.0 Hotfix 2 - Release Notes

Uploaded by

Copyright:

Available Formats

5/4/22, 5:29 PM WALLIX Bastion 9.

0 hotfix 2 – Release Notes

WALLIX Bastion 9.0 hotfix 2 – Release Notes

1 New functionalities and improvements

1 New functionalities and improvements

1.1 New functionalities and improvements in WALLIX

1.1.1 New features

1.1.1.1 Discovery and on-boarding of devices

1.1.1.2 Management and rotation of service accounts

1.1.1.3 Real-time dashboards and KPIs

Real-time analysis and improved reporting of Bastion-centric activities in two dashboards:

Dashboard visualization based on the user's profile

1.1.1.4 General improvements

RDP: support of audio input in RDP sessions.

AD related double authentication Kerberos-based, protected users (Kerberos

Purpose of the AD authentication silos: credentials of the admin domain cannot

Silo 1: users (primary)

For further information:

1.1.1.5 Complete list of changes

1.1.2 Graphical improvements

1.1.2.1 New graphical features

#27371: Improve the table component of the Web interface

1.1.2.2 Limits and missing functionalities

Internet Explorer is not supported by the default interface.

Local password policy

1.2 New functionalities and improvements in WALLIX

1.2.1 New features

1.2.1.1 Tag management for devices

1.2.1.3 General improvements

Credential retrieval (Bastion CPU/database time)

1.2.1.4 Complete list of changes

#12526: Implement real time view notification to user in RDP sessions

1.2.2 Graphical improvements

#24596: Redesign of the "Password change policies" page

1.3 New functionalities and improvements in WALLIX

1.3.1 New features

1.3.1.1 OT access automatization/Universal Tunneling

1.3.1.2 General improvements

Notification email customization:

1.3.1.3 Complete list of changes

Implement automatic deployment of Application Driver

Implement target declaration on RDP login screen

Add package cloud-init.

Note: The network configuration is now located in /etc/network/interfaces.d/50-cloud-init.cfg.

Improve service management when launching script wallix-config-restore.py

Support UEFI boot mode

It is now possible to boot WALLIX Bastion installer on a native UEFI mode.

If the installer boots on a BIOS system or a BIOS-compatible UEFI

When booting in UEFI mode, the command-line system tool efibootmgr is

1.3.2 Graphical improvements

2 Changes by corrective level

2.1 Improvements and fixes in WALLIX Bastion 9.0 hotfix 2

2.2 Improvements and fixes in WALLIX Bastion 9.0 hotfix 1

#30927: Fix BestSafe metadata error

4 Deploying on a virtual environment

Amazon Web Services (AWS)

Whenever a platform-specific image is provided by WALLIX, we recommend installing this image

5 Upgrading to WALLIX Bastion 9.0

Please contact WALLIX Support Team if you wish to upgrade from a

Last recommended version for

The upgrade to WALLIX Bastion 9.0 hotfix 2 cannot be performed from an

Your configuration parameters are normally preserved during the upgrade

5.1 Accessing the upgrade

Change the filter from .img to .iso to select the file.