What’s New in 32.4.0.0
This section describes the new features and components introduced in this version on top of Alteon version 32.4.0.0.
For more details on all features described here, see the Alteon Application Guide and the Alteon Command Reference for AlteonOS version 32.4.0.0.
Documentation in HTML Format
Starting with this version, the documentation set is available from the Radware Customer Portal in both PDF and HTML format. You can access the new HTML documentation either from the Documentation Download page for a given version, or you can perform a search for text from the Customer Portal search feature.
Application Traffic Log Dashboard (Advanced Analytics)
The Application Traffic Log dashboard is available starting with this version, using APSolute Vision version 4.30 or later.
It provides deep-level analytics based on transaction information, improves troubleshooting and speeds up the root cause analysis, it provides user insights, and enables anomaly detection.
Using the Traffic Log dashboard, you get clear insights to the traffic patterns that your application handles.
The dashboard includes the following components:
A filter area – Filters events using Lucene Query syntax.A histogram – Displays the number of events per severity (Normal/Exception) that match the filter criteria, within the selected period.A Traffic Event Log table – Displays the list of events that match the filter criteria, with expanded capability-per-event for detailed information.A Fields Summary area – Provides 5 Top values per each and every field of the transactionException events can quickly be identified, including:
Failed Front-end and Back-end SSL handshake connectionsTransactions ended with 4xx and 5xx response codesTransactions with high end-to-end time latencyService unavailable use-cases
Notes:
The Traffic Event dashboard is available only for Alteon devices installed with version 32.4 or later.Advanced Analytics requires a valid Perform-subscription or Secure-subscription license WAF Support in Standalone Form-Factor
Integrated AppWall is now also available on Alteon platforms running in Standalone mode. This includes the following platforms: 4208 /S, 5208 /S, 5424 S/SL, 5820 S/SL, 6024 /S/SL/FIPS 7220, 7612.
To provision these capabilities on a Standalone model, perform the following steps:
1. Install the appropriate AppWall licenses on the Alteon platform.
2. Allocate the appropriate number of cores for AppWall. Note that device reset is required to activate core allocation to AppWall.
From WBM: Configuration > System > Core AllocationFrom CLI: /cfg/sys/resourcesNote: When boot configuration is set to factory default, the device reboot removes the allocated AppWall cores.
Single IP Support on Common Alteon VA Environments
Starting with version 32.4, the option to run Alteon VA in single IP mode is available on AWS, VMware, and KVM on top of its current availability in Azure.
Single IP mode is automatically selected when an Alteon VA has a single NIC attached to it.
Configuring an Alteon VA running in single IP mode is very straightforward, as VIPs, PIPs, and interface configuration are done automatically behind the scenes.
There are also cases of public clouds that provide instances with only a single NIC, and using this capability enables the support of such environments.
SCTP Support
The Stream Control Transmission Protocol (SCTP) is a Transport Layer protocol, serving in a similar role to the popular protocols Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). SCTP is a reliable transport protocol operating on top of a potentially unreliable connectionless packet service such as IP. It offers acknowledged error-free non-duplicated transfer of datagrams (messages). Detection of data corruption, loss of data and duplication of data is achieved by using checksums and sequence numbers. A selective retransmission mechanism is applied to correct loss or corruption of data.
The decisive difference from TCP is multi-homing and the concept of several streams within a connection. In TCP, a stream is referred to as a sequence of bytes, but in a SCTP, a stream represents a sequence of messages (and these may be very short or long).
Radware defines a single-home SCTP association as a connection between two single IP addresses. A multi-home SCTP association is a connection between multiple addresses. Both client and server can supply additional addresses on top of the one that is carried in the Layer 3 header.
The client sends the additional IP addresses in the INIT packet while the server sends the additional IP addresses in the INIT-ACK packet.
When NAT is performed for SCTP, the INIT and INIT-ACK packets should be updated and the SCTP association should be supported.
SCTP Load Balancing with Alteon
Alteon now supports Layer 4 load balancing for SCTP. The following SCTP communication types are supported:
Single-homed SCTP (a connection between two single IP addresses)Multi-homed SCTP (connection between multiple addresses belonging to the same client and server entities)NAT for outbound SCTPNew Alteon Platforms (Alteon D-5424/D-5820)
The Alteon Application Switch D-5424/D-5820 is a very high port density ADC with up to 40 Gbps throughput.
These platforms support the latest encryption standards (ECC) with an HW SSL acceleration integrated by default, and have superior performance coupled with a wide range of connectivity options, high performing and reliable storage (SSD), high memory size, advanced capabilities, and OnDemand scalability.
They are suitable for small to medium-sized enterprises that require a high-performing solution.
Alteon D-5424/ D-5820 Highlights
On-demand throughput scalability: 12 Gbps, 22 Gbps, and 40 Gbps Platform flavors:Alteon D-5424S / D-5820S up to:10K RSA SSL CPS 7K EC SSL CPS 10Gbps bulk encryptionAlteon D-5424SL / D-5820SL up to:20K RSA SSL CPS 12K EC SSL CPS 10Gbps bulk encryptionPort density:Alteon D-5424S/SLFour (4) 10 GE SFP+Sixteen (16) 1 GE SFP Eight (8) 1 GE RJ45Two (2) management port – 1Gbe copperOne (1) console RJ45Alteon D-5820 S/SLEight (8) 10 GE SFP+Twelve (12) 1 GE SFP Eight (8) 1 GE RJ45Two (2) management port – 1Gbe copperOne (1) console RJ45RAM: 32 GBStorage: 128GB SSDSingle AC power supply – dual power supply is optional (currently DC PS is not available) Capabilities: Deliver, Perform, and Secure capability packagesNotes:
Upgrade between S flavors to SL flavors are based on software license only.The ADC-VX form factor is not yet supported (planned for end of 2019).Shipping will start on September 20, 2019.SSL
SNI-based Decisions without SSL Decryption
There are scenarios that require making host-based decisions for SSL traffic without decrypting it using the Server Name Indicator (SNI). Previously, this capability was available only for outbound SSL Inspection. Starting with this version, this was extended to support the following scenarios:
Inbound SSL Inspection Bypass–− When virtual hosting is present (multiple hosts on the same service IP address), in order to bypass SSL inspection for some of the hosts:a. Configure a front-end filter that handles bypassed hosts, using an SSL Content Class to match the hosts that should be bypassed, and no SSL policy.
b. Configure additional front-end filter/s that handle traffic that must be inspected with an SSL policy and the necessary certificate/certificate group.
c. Configure a Multi-protocol Filter Set and attach to it the front-end filters.
Redirect or block SSL traffic to certain sites–− Allows redirecting SSL traffic to a specific server group or WAN Links group, or block SSL traffic based on hostname or web category, without SSL decryption.a. Configure an SSL Content Class that matches the hostnames for which you want to define a certain policy (for example, Office365 hostnames) or a URL Filter policy that matches the categories for which you want to define the policy.
b. Configure SSL Content Class that includes a single Host entry set to “.” – this matches all the rest of the SSL traffic (“any”).
c. Configure filter SSL (Application set to HTTP) and attach to it the SSL Content Class or URL Filter Policy that matches the specific hosts/web categories. If it is a URL Filter Policy, the URL Filtering Mode must also be set to SSL.
If the requirement is to redirect this traffic to specific servers or WAN Link/s, the filter must be of type Redirect or Outbound LLB and the specific WAN Link group must be configured.If the requirement is to block such traffic, the filter must be of type Deny.d. Configure an additional SSL filter (Application set to HTTP) that handles the rest of the SSL traffic and attach to it the “any” SSL Content Class.
e. Configure a Multi-protocol Filter Set and attach to it the above filters. Note that the above filters do not include an SSL policy.
Virtual Hosting without SSL decryption–− It is possible to redirect traffic of different hosts on the same virtual service to different server groups, without decrypting the SSL.a. Configure SSL Content Classes that match the hostnames you want to redirect.
b. Configure Content Rules and attach them to an HTTPS/SSL virtual service.
Notes:
No SSL policy is attached to the virtual serviceAll Content Classes attached to a virtual service must be of the same type – either HTTP or SSL. OpenSSL Update
The OpenSSL version is updated in this release as follows:
S/SL platform models, regular platform models, and Alteon VA now use OpenSSL 1.1.1bXL/Extreme platform models, as well as 6024 FIPS II, use OpenSSL 1.0.2rAppWall–- Redirect Validation
Remote File Inclusion (RFI) and Local File Inclusion (LFI) are file inclusion vulnerabilities that allow an attacker to include a file or expose sensitive internal content, usually exploiting “dynamic file inclusion” mechanisms implemented in the application. The vulnerability occurs due to the use of user-supplied input without proper validation.
AppWall’s Redirect Validation scans all parameters in the request (including JSON, URL and body parameters) and looks for external or internal redirect attempts to include files.
You can add trusted domains and trusted URIs for which the Redirect Validation are not applied. These can be added manually by clicking Add in the trusted domains and trusted URIs list.
OCSP Multiple Servers
OCSP multiple servers increase availability by letting you configure a secondary (backup) static OCSP server and by supporting a retry mechanism that prevents OCSP communication failure because of a temporary issue (number of retries is configurable).