What’s CHANGED in 32.6.1.0
Syslog Enhancements
Syslog Support in RFC 5424
Starting with this version, Alteon syslog messages can be sent in IETF-Syslog (RFC5424) format in addition to the common BSD-Syslog (RFC3164) format.
This can be done using the /c/sys/syslog/format command (In WBM, System > Logging and Alerts > Syslog Format)
The syslog format setting is relevant for
Alteon system eventsAlteon traffic logLimitations
The following syslog message types do not support the new syslog format and will continue to be sent with BSD-syslog format:
Session logWAF log messagesSyslog messages sent from AppShape++ Defense messagingURLF logs NFR ID: 191120-000043
Syslog Over TCP
Starting with this version, Alteon system events can be sent to syslog servers over TCP. This can be done using the /c/sys/syslog/proto command (in WBM, System > Logging and Alerts > Syslog Protocol)
Limitations:
The following syslog message types do not support TCP and will continue to be sent over UDP:Session logSyslog messages sent from AppShape++ Defense messagingURLF logsWAF logs will not be sent when the Alteon syslog protocol is set to TCP/TLS.Increase of the Number of Syslog Servers to Six
Prior to this version, five syslog servers were supported. Starting with this version, six syslog servers are supported.
NFR ID: 190911-000460
OpenSSL Version
The OpenSSL version for S/SL platform models, regular platform models, and Alteon VA has been updated to OpenSSL 1.1.1f.
TLS Allowed Versions Default
Prior to this version, by default TLS versions 1.1, 1.2, and (where relevant) 1.3 were enabled in newly configured SSL policies. TLS 1.1. is now considered insufficiently secure and allowing it caps the SSL grade provided by Qualys to B. Starting with this version, newly configured SSL policies will have TLS 1.1 disabled by default. Existing SSL policies will preserve the configuration before upgrade. Radware recommends to manually disable TLS 1.1 to achieve a higher SSL grade.
Support Radware-specific RADIUS VSA
Prior to this version, Alteon took the Service-Type value from the last attribute received from the RADIUS server. This could be a general attribute or vendor-specific, whichever was last on the list.
Starting with this version, Alteon can take the Service-Type value from the vendor-specific attribute irrespective of the order it is received from the RADIUS server. This can be done using the command /cfg/sys/radius/prefer
NFR ID: 200306-000092
Security Hardening
Upon authentication failure, the error message does not reflect the reason for the failure.All password inputs are masked.The log command is available to all user roles using the CLI (to align with the behavior using WBM).For upgrades from versions 32.6.1.50 and later, 32.4.3.50 and later, 32.2.5.50 and later, and 31.0.13.50 and later, to any later version, Alteon uses the SHA2 algorithm for the digital signature (in all platforms). NFR ID: 191126-000098
AppWall KPI Reflection in the Alteon System JSON
Starting with this version, the following AppWall KPIs are available in the Alteon system JSON when integrated AppWall is enabled: AppWall CPU, memory, swap, CPS, concurrent connection, transaction rate, and throughput bps
In addition, the AppWall CPU and memory are taken into consideration in the system health score calculation.
NFR ID: 191212-000019
Client NAT Port Assignment Logic
Starting with this version, it is possible to select the client NAT port assignment algorithm on Alteon running on the vADC form factor. The options are:
Sequential (default) – Minimizes the probability of fast port reuse, but it can be a security vulnerabilityRandom – Provides increased security, but the probability of fast port reuse is higherThis can be done using the command /cfg/slb/adv/pport (in WBM, Application Delivery > Virtual Service > Settings > Session Management tab).
Notes:
The change in the client NAT port assignment algorithm will only take place after statistics are cleared (/oper/slb/clear).On Alteon VA and Alteon platforms in standalone mode, the client NAT port assignment uses an enhanced random mode that also minimizes fast port reuse probability.NFR ID: 200407-000053
Alteon VA Auto-healing – Mismatch of Number Queues
Prior to this version, when there was a mismatch between the number of queues configured on the host and the Alteon VA VM configuration, Alteon VA would not boot up. This could occur, for example, when the number of SPs configured on the Alteon VA was greater than the number of queues the host supports.
Starting with this version, Alteon VA identifies this mismatch and reduces the number of SPs to match the number of supported queues.
Alteon VA Preserves Ports Order after Reboot
The issue when the ports order of an Alteon VA was changed after a reboot (mainly on Alteon VA platforms with more than four ports configured on them) was resolved for VMware and OpenStack/KVM deployments (in this version this capability is disabled by default).
Troubleshooting (More Information in Tech Data)
The following information was added to tech data to facilitate troubleshooting:
Top 100 large filesTCP sockets in use by MP (netstat)