Log in

Sangfor Support Center

Table of Contents
< All Topics
Print

【IAG】Release Notes_V13.0.80

Posted
Updated
Byadmin
Views9

New Features

  1. Added Windows inbound port control.
  2. Added Windows screen capture audit.
  3. Support new global IP address database.
  4. Web console support to import custom https certification.
  5. Support auto backup daily config file to email server and FTP server.
  6. Save Engine support configure file extension and file size.
  7. Support 802.1x.
  8. IAG support upload user’s information to ES.
  9. Support App Access Control.

Enhanced Features

  1. Enhanced connection sharing.
  2. Optimise web console’s slowness issue.
  3. Included previous version known issues.

Upgrade Instructions

Confirmation Before Upgrade

  1. Check whether the software upgrade license is within the validity period.
  2. Check whether the current version meets the upgrade conditions.
    Support upgrade to version 13.0.80 from version 11.0 and above. If you are using the Beta version, please update to the official version before proceeding to update. The historical official version can be downloaded on community.sangfor.com.
  3. The separated BI update package: BusinessIntelligenceSetup_4.0.26_BI_eng.zip for English Version can be installed on: DC.
Limitations Solutions: Impacts on Functions After Upgrade
It is not supported to upgrade the unit deployed in Bridge mode and HA mode enabled with active-standby mode. Disable HA mode. HA active-standby mode is not supported for a new version deployed in Bridge mode.
The upgrade is not supported when the Wireless access control license is activated. Log in to the device’s back end, execute a command, and perform the upgrade again. The new version does not support wireless access control.
The upgrade cannot be performed on a customized version. Contact Sangfor developer for migration. None
The upgrade is not supported if there are mobile VPN users configured. Delete the related mobile VPN user configuration. After the upgrade of the VPN module, mobile VPN users cannot get connected.
The upgrade is not supported if a virtual IP address pool is configured for mobile VPN users. Delete the related mobile VPN user configuration. After the upgrade of the VPN module, mobile VPN users cannot get connected.
If VPN is not configured multiple-line policy, the upgrade is not allowed if an IPSec VPN connection is established via Line 2. Enable the multiple-line policy and perform the upgrade again. None
The upgrade is not allowed if the antivirus is enabled. Force upgrade after tagging it backstage. None
VPN configurations have default user enabled and apply local authentication. Delete the related mobile VPN user configuration. None
For devices that have been in use for more than five years, upgrading to newly released versions is no longer allowed.
Specifically: License activation time is used as the device’s start time. End time is generated according to the release date of the update package. If the period between the start and end time is longer than 66 months (5.5 years), an upgrade to the current package is not allowed. The upgrade is not allowed. The upgrade is not allowed.
For the unit deployed in Route mode, if the WAN interface has port 9998 enabled, an upgrade to version 12.0.27 is not allowed. If that port is not open anymore, the upgrade is allowed then. The 9998 port for device correlation is used for internal programming only.
After upgrading to version 12.0.42, port 51111 is disabled by default, and SANGFOR Firmware Updater cannot connect to the device for an upgrade. Log in to the console and enable Firmware Updater. Port 51111 is disabled by default.
A 2GB ram and below device does not support upgrading to this version. Not allow upgrading Not allow upgrading
Port 61182 is already configured on the device. Check whether port 61182 is already in use on the following pages: Open LDAP API, RADIUS Server, Web UI, and Open Ports on WAN Interface. If port 61182 is used on these pages, you need to change it to another port. The upgrade is not allowed.
The current version’s Ingress Client webpage is conflicting with the to-be-upgraded version. Restore default settings and upgrade again. For example, you can restore settings below: go to System > General > Custom Webpage > Others, click Restore Defaults, and close the page. Configuration of the Ingress Client webpage is restored. However, if the Ingress Client webpage is customized, it must be configured again.

Table1: Upgrade limitation table

Upgrade Recommendations

  1. The device will restart automatically upon upgrade completion.
  2. A device will restart automatically upon upgrade completion. However, the network will get interrupted if it is connected to the customer’s network.
  3. Do not reboot the device manually or cut off power during the upgrade.
  4. The upgrade process may take about 20 to 30 minutes.
  5. During the upgrade process, the network connection will be interrupted for 3 to 5 minutes.

Upgrade Procedures

  1. Before the upgrade, do the following:
  2. Obtain the update package of this version from http://community.sangfor.com/plugin.php?id=service:download&action=view&fid=9#/6/all
  3. Launch Sangfor Firmware Updater 6.2, connect it to the IAG unit, and load that update package to start to upgrade.
  4. The upgrade procedure for other means of upgrade is similar to that for the latest official version.
  5. For more guidance, please refer to: https://community.sangfor.com/plugin.php?id=sangfor_databases:index#?Product=IAG
  6. The download path for BI is: http://community.sangfor.com/plugin.php?id=service:download&action=view&fid=9#/14/all
  7. BI deployment guide:
    http://community.sangfor.com/plugin.php?id=sangfor_databases:index&mod=viewdatabase&tid=831

Handling of Upgrade Failure

Upgrade Failure Prompt on Firmware Updater Solution
The new version does not support a high availability mode. "MODE_BRIDGE and HA_CLU not support!" 1. Visit the web admin console, disable high availability, and perform the upgrade again.
Wireless access control is enabled, which is not supported by the new version of the IAM/IAG unit. "wireless sn is valid, not allow to upgrade." Please contact the Technical Support Team on this issue.
Devices with mobile VPN users configured are not supported to upgrade. There are mobile users who exist. Please delete the mobile users before trying again. Remove the mobile users before the upgrade.
Devices with a virtual IP pool available for mobile users are not supported to upgrade. Please remove them before the upgrade. There are virtual IP addresses for mobile users being assigned. Please remove the IP pool before trying again. Remove the virtual IP before the upgrade.
The upgrade is not supported when multiline is not enabled, but an IPsec connection is established through line 2. There are IPSEC connections based on line two on the condition that the multiline feature is not enabled. Please enable the feature or change to line one before upgrading. Enable Multiline and add line 2 before the upgrade.
The upgrade is not supported when auto-negotiation is enabled. For security concerns, auto-negotiation is not supported on this version; please turn it off and update it again. Disable auto-negotiation.

Table 2: Handling of upgrade failure table

Precautions

  1. The internal database version will impact features but not upgrade. Please make sure the internal database is up to date.
  2. Central management: Support central management via Sangfor BBC. Not support central management via Sangfor CMC.
  3. Support pass-through, turning on pass-through does not require the device to restart.
  4. Support HA.
  5. Authorization change: For IAM/IAG trial license, testing is performed on-site after a trial license is activated. No additional operation is needed for a paid license because authorization is granted together with the delivered hardware.
  6. The downgrade is not supported.
  7. Custom webpage based on version 11.x to 12.0.23 old template will be replaced by the new template after updating to 12.0.25 and later.
  8. SSL content root cert used in decryption man in the middle required to be reimport to endpoint’s web browser after update to 12.0.42 version and above.
  9. If the device is configured with Use SSL to encrypt username and password and uses Windows XP with IE6/IE7, do not upgrade to version 12.0.42 and above. It will affect the password authentication redirection.
  10. If you enable the ingress function in 12.0.x version, it is required to purchase the endpoint security license after upgrading to the 13.0.15 version and later.
  11. An upgrade to this firmware version is not supported for 2GB and below devices.
  12. Starting from this version, personal IM such as QQ and WeChat only support attachment audits.