What’s CHANGED in 32.2.0.0
Alteon VA Enhancements
Footprint Reduction
Alteon VA is now available with a small footprint (2 GB RAM) on Azure or AWS, in addition to its availability on other hypervisors, which was introduced in version 32.1. This makes Alteon VA more cost-effective on public clouds (for example, you can now use the t2.small instance on AWS instead of the m3.medium instances used in previous versions).
With 2 GB RAM, some of the system capacity tables are reduced as follows:
*Real servers: 1024
*Health checks: 4096
*Content rules: 150
*Filters: 75
*HTTP modification rules: 1000
*Data classes: 100
*The Alteon VA with a small footprint is not recommended for advanced Layer 7 processing, such as force proxy, SSL offload, AppShape++ scripts, and so on.
Improved Performance on Azure
Starting with this version, Alteon VA supports SR-IOV on Azure.
With this capability, Alteon VA can utilize up to 15 vCPUs providing improved Layer 7 and SSL performance.
GEL Support Enhancements
GEL License Activation
When activating the GEL license on Alteon instances, you no longer need to enter the DPS package. You only need to enter the throughput (in case no subscription add-on is required), and Alteon extracts the relevant DPS package from the entitlement.
DPS Package Upgrade
When upgrading a DPS package license of an entitlement, all of the Alteon devices automatically upgrade their licenses to the new DPS package with no need for manual intervention to change their licenses.
GEL License Presentation on ADC-VX platforms
The licenses of vADCs with GEL licenses are displayed on Alteon ADC-VX platforms with an indication that the vADC is running a GEL license.
LLS Availability on Azure
You can now also deploy vDirect with the Local License Server (LLS) on the Microsoft Azure Cloud. This is important if all of your Alteon VAs are running on Azure and need an LLS on the same network.
Password Generator
The password generator also accepts the Entitlement ID to generate the password for upgrades. This enables the support of Alteon VAs running a GEL license that do not have their MAC addresses registered in the install base.
Management IP Address in ADC-VX
Starting with this version, when this platform is configured to operate in ADC-VX mode, the management IP address of the Alteon VX and its vADCs must be on the same network. Otherwise, the apply fails.
Dual Power Supply for Alteon 4208
Alteon 4208 now supports a dual power supply (PS).
Note: There is no field upgrade of a single PS to dual PS. Upgrading a single PS to dual PS requires going through the buyback process.
SSL Key Replacement
It is now possible to replace an existing key, using the same ID, via the Web UI.
SSL Inspection Wizard Enhancement
A wizard for quick and easy configuration of an inbound SSL Inspection solution is now available via APSolute Vision (version 4.10 and later). The wizard is implemented using a Radware vDirect workflow.
The wizard supports a Layer 3 environment in either a single or 2-box deployment, and can be run on either a standalone, Alteon VA, or vADC.
To access the wizard, do one of the following:
*Select the Alteon device from the APSolute Vision device tree.
1. Go to Configuration > Application Delivery > SSL > Inbound SSL inspection.
2. Click the Inbound SSL Inspection Wizard link. A vDirect page with the workflow opens in a separate browser page.
3. Run the Inbound_SSL_Inspection_Wizard workflow.
*From APSolute Vision, open the vDirect page:
1. Navigate to Operations > Catalog.
2. Filter by the SSL inspection tag (optional).
3. Run the Inbound_SSL_Inspection_Wizard workflow.
LinkProof MAC Overwrite
LinkProof can now handle scenarios where the WAN Link router is in fact a router cluster, but without a floating MAC address (GARP announcements use the active router MAC address and not the floating MAC address).
To support this scenario, when a new MAC address is received for a WAN Link that differs from the MAC address already in the ARP table for that WAN Link IP address, Alteon overwrites the MAC address in all session entries belonging to this WAN Link. This ensures that traffic is sent to the MAC address of the active router.
NFR ID: prod00262807
Allow Local and Remote Authentication
When Alteon management users are authenticated using remote authentication (RADIUS or TACACS), you can now also allow local users. When this capability is enabled (the new User Authentication Priority parameter is set to Local First), Alteon first tries to authenticate the user locally and, if that fails, uses remote authentication.
NFR ID: prod00235979
Health Check Enhancements
Graceful Health Check Edit
When a health check attached to a group or real server is changed (either by attaching a new health check ID or by editing the health check parameters), the status of the health check is preserved after Apply. Previously, the status of an edited health check was failed immediately after Apply, causing the server’s status to temporarily change to Down.
Note: The status of the health check is not preserved after the change in the following cases:
*If the destination port of the health check is changed, either by changing it directly on the health check object or by changing it on the virtual service or real server.
*If the host name is configured as Inherit in the HTTP/HTTPS health check and the virtual service hostname is changed.
*If a basic health check is replaced by a logical expression health check, and the old basic health check had a user-defined destination port that was different from the service/server port.
NFR ID: prod00252740, prod00261070
Advanced Virtual Wire Health Check
The Advanced virtual wire health check can be used to check the connectivity between the ingress and egress interfaces of a virtual wire device in an SSL inspection deployment.
As opposed to the out-of-the-box (OOTB) virtual wire health check (used by the on-device outbound SSL inspection wizard), the advanced virtual wire health check can also be used in a manual configuration. It does not require static ARP, and it runs on the TCP port defined on the filter rport or the health check dport.
AppWall
AppWall in Transparent Mode
The ability to provide WAF capability in transparent mode via filters was introduced in version 32.1.1.0 with several configuration restrictions.
In this version, there is no longer any restriction on the syntax of the Secure Web Application name or the SSL policy ID. However, on filters with an attached Secure Web Application, you must configure the Multi-protocol Filter Set ID:
*If the same Secure Web Application is attached to several filters, all filters must set the filter set ID to the same value.
*If different Secure Web Applications are attached to different filters, a different filter set ID must be set for each filter.
Support for transparent AppWall configuration via WBM has also been added.
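The filter set ID rule above can be checked before Apply with a short audit script. The following is an added example, not Radware code: the data layout, application names and finding labels are assumptions, and it reads the second bullet as "two different Secure Web Applications must never share a filter set ID".

```python
from collections import defaultdict

# Constructed sample: filter ID -> (attached Secure Web Application, filter set ID).
# The layout and names are assumptions, not Alteon configuration syntax.
SAMPLE_FILTERS = {
    10: ("webapp-shop", 1),
    20: ("webapp-shop", 1),
    30: ("webapp-api", 2),
    40: ("webapp-api", 3),       # same application, different set ID
    50: ("webapp-portal", 1),    # different application reusing set ID 1
    60: ("webapp-mail", None),   # application attached, set ID missing
    70: (None, None),            # no application attached: rule does not apply
}


def check_filter_sets(filters):
    """Return findings as (rule, subject, filter_ids) tuples; empty list if clean."""
    findings = []
    set_ids_by_app = defaultdict(lambda: defaultdict(list))
    apps_by_set_id = defaultdict(lambda: defaultdict(list))
    for fid, (app, set_id) in sorted(filters.items()):
        if app is None:
            continue  # only filters with an attached application are checked
        if set_id is None:
            findings.append(("missing-set-id", app, (fid,)))
            continue
        set_ids_by_app[app][set_id].append(fid)
        apps_by_set_id[set_id][app].append(fid)
    # Rule 1: every filter carrying the same application uses one set ID.
    for app, by_set in sorted(set_ids_by_app.items()):
        if len(by_set) > 1:
            fids = tuple(sorted(f for ids in by_set.values() for f in ids))
            findings.append(("app-has-multiple-set-ids", app, fids))
    # Rule 2: different applications never share a set ID.
    for set_id, by_app in sorted(apps_by_set_id.items()):
        if len(by_app) > 1:
            fids = tuple(sorted(f for ids in by_app.values() for f in ids))
            findings.append(("set-id-shared-by-apps", set_id, fids))
    return findings


if __name__ == "__main__":
    for rule, subject, fids in check_filter_sets(SAMPLE_FILTERS):
        print(f"{rule}: {subject} (filters {', '.join(map(str, fids))})")
```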
Syslog Message Enrichment
The threat category and attack name fields were added to the syslog messages that AppWall sends to external SIEM solutions.
Defense Messaging
Defense Messaging to DefensePro version 8.x was certified to support both a Layer 3 source IP address and Layer 7 XFF based source IP.
Username Format
AppWall now supports defining the format of the username as it is sent to the user datastore. There are three optional formats:
*username@domain
*domain\username
*username
This new function is supported for both RADIUS and LDAP servers.
SSL Statistics and MIBs
MIB and WBM support has been added for front-end and back-end SSL statistics, including the cipher usage statistics. They are available in the following panes:
*Monitoring > Application Delivery > Virtual Servers > Service [x] > View Service
*Monitoring > Application Delivery > Filters > View Filter
The SSL summary statistics are available through Monitoring > Application Delivery > SSL.