What’s New in 32.6.0.0
This section describes the new features and components introduced in this version on top of Alteon version 32.4.1.0.
For more details on all features described here, see the Alteon Application Guide and the Alteon Command Reference for AlteonOS version 32.6.0.0.
Network HSM
Starting with this version, Alteon can provide FIPS-compliant solutions in conjunction with the SafeNet Luna Network HSM 7 appliance from Gemalto/Thales.
Because it is network-based, you can use the SafeNet Luna solution with multiple Alteon form-factors:
Alteon VA, with at least 3 GB RAMAlteon Application Switch platforms 4208, 5424, 5820, 7612, 7220, 9800, in standalone mode. When operating with network HSM, Alteon offloads the public key cryptography (SSL handshake) to the SafeNet Luna appliance, while the symmetric key cryptography (SSL data encryption/decryption) is performed by Alteon.
Alteon supports working with a pair of redundant SafeNet Luna devices.
Note: Currently, Alteon can only communicate with SafeNet Luna devices over IPv4.
When operation with network HSM is enabled on Alteon (requires reboot), you can still generate keys and certificates on Alteon, import non-HSM keys and certificates, and associate them to virtual services and filters:
If an HSM-originated certificate is associated to a virtual service or filter, the SSL handshake is performed by the network HSM.If a non-HSM certificate is associated to a virtual service or filter, the SSL offload will be performed entirely by Alteon software.For more details, see the Alteon Application Guide.
For pricing information, contact your local Radware Sales representative.
Virtualization on Alteon D-9800, D-5820, D-5424
Starting with this version, Alteon D-9800, D-5820, and D-5424 support ADC-VX mode and its related features.
Alteon D-9800 supports up to 72 instances with the default memory of 192 GB (available elastic core allocation modes: system default and Maximum vADC density).
Alteon D-5820/D-5424 supports up to 10 instances with the default memory of 32 GB (with 32 GB RAM no other elastic core allocation modes are available except of the default mode - 10 vADCs).
WAF Security Events per Application
Security events are the events reported by WAF when an attack is detected. This allows user visibility to the protected traffic, refinement of false positives, and detailed explanations of security attacks.
Security events generated by the integrated AppWall module can currently be shown in AppWall Forensics, and can be sent to Vision Reporter, where they are presented in the WAF dashboard, Forensics and Alerts. Starting from this version, Alteon can also send the WAF security events, in CEF format, via its event logging module (over TCP/TLS), in the context of the application. This lets you correlate between the security event and its relevant traffic event using the WAF transaction ID, to obtain more information on the transaction.
The security events per application can be viewed on the Alteon Cloud Control Application Dashboard, version 1.3.0 and alter, but are currently not available on the APSolute Vision Application Dashboard. However, they can be sent to a third-party SIEM.
Outbound SSLi Wizard
An updated wizard for quick and easy configuration of an outbound SSL Inspection solution is now available using a vDirect workflow available on APSolute Vision 4.50.
The updated wizard adds 2-box Layer 3 deployment to the previously supported single-box Layer 3.
Wizard Support Notes:
Layer 3 network deployment refers to both transparent and explicit proxy:Layer 3 network deployment refers to both transparent and explicit proxy and is now supported in both single box and 2-box deployments.Fully transparent network deployments (Alteon as bump-in-the-wire), support single box only.To access the wizard, access vDirect from APSolute Vision 4.50, navigate to the catalog, and filter by SSL inspection.AppShape++ Enhancements
The following AppShape++ capabilities were added:
The httponly flag is added to the persist cookie insert and persist cookie rewrite commands. This flag informs the browser not to display the cookie through client-side scripts (document.cookie and others).NFR ID: 190911-000550 (prod00271354)
The 308 response code option is added to http::redirect command. 308 is the Permanent Redirect response code and it indicates that the resource requested has been definitively moved to the URL given by the Location headers.NFR ID: 190925-000125 (prod00253762)
Cloud Init
Using Cloud-Init, customers can now spin up a preconfigured Alteon VA in an OpenStack environment. Cloud Init enables the following pre-configuration:
Management info – Management IP address management mask and gateway (both IPV4 and IPV6)User credentialsVA resources – Such as number of vCPUs and RAM size per Alteon and AppWall.Jumbo frame configuration (MTU size)Option to enter any of the Alteon configuration parametersAll of these configurations are done at the initial Alteon boot with no need for an additional boot, as required when configuring some of these parameters (such as the VA resources, and jumbo frames).
AppWall Enhancements
Anti-Scraping Thresholds per URI
Anti-Scraping now supports defining thresholds per URI. In Anti-Scraping mode, the Activity Tracking module counts the HTTP transaction rate to the defined application scope (domain/page) per user per second. You can define different thresholds and different blocking time settings for each (up to 30) protected URI.
Forensics Filters
Forensics events can now be filtered by: URI, Parameter Name, and Refinements. Filtering by refinements display either refined events or events not refined.
Note: When upgrading from previous versions, filtering by 'Refined' includes only new events generated after the upgrade. Filtering 'Not Refined" events includes all events from before the upgrade, refined and not. Radware advises to use this filter together with a time range filter.
High Availability Enhancements
New tracking options (VIP and server group) were added to Alteon High Availability capability. These options are not available in the legacy VRRP mode.
In this version, these new options are configurable via CLI only:
VIP TrackingA user can mark the VIPs to track, and when any of these VIPs is unavailable (at least one of its services is unavailable) a failover will occur.
The user has the option to determine the criteria for the VIP to fail over according to its services, meaning to limit the failover only if specific services of that virtual services are not available.
NFR ID: 191006-000023
Group Tracking A user can select a real servers group to track, and when that group is not available a failover will occur.
A group is considered as not available according to the number of available real servers as configured for the Group status threshold parameters.
Radware recommends using the group tacking option mainly when working with filters, where a virtual service is not relevant, and as result the VIP tracking option cannot be used.
NFR ID: 190911-000428 (prod00269501)
Alteon VA White Label Support
Starting with this version, Alteon VA can be white-labeled for OEMs, with the same functionality as the platform white-labelling.