What’s CHANGED in 33.0.1.0
Cluster Persistency Data Sync
The cluster persistency data sync interval (/c/slb/sync/cluster/interval) determines timing for synchronization of new persistency entries and updates of the persistency entries ages.
This version adds a new value for the interval parameter: 0. When the interval is set to 0, new persistency entries are synced immediately to the other cluster members. When the interval is greater than 0, the previous behavior is maintained: new entries are synchronized once 32 new entries are pending sync or the interval is reached, whichever occurs first.
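As an added illustration (not Alteon code), the following Python model applies both policies to a burst of new entries. The 32-entry threshold is taken from the text; the PersistencySyncer class, its timer and the "time since last flush" reading of "interval is reached" are assumptions made for the model.

```python
"""Model of the cluster persistency sync interval semantics described above.

Added illustration, not Alteon code. Assumptions: the syncer flushes pending
entries when 32 are waiting or the configured interval has elapsed since the
last flush (interval > 0), and per entry when interval == 0.
"""
from dataclasses import dataclass, field

BATCH_THRESHOLD = 32  # "once 32 new entries need sync" (from the release notes)


@dataclass
class PersistencySyncer:
    interval: float                                   # seconds; 0 = sync immediately
    pending: list = field(default_factory=list)       # entries not yet sent to peers
    last_sync: float = 0.0                            # time of the last flush
    flushes: list = field(default_factory=list)       # batch sizes sent, in order

    def add_entry(self, entry: str, now: float) -> None:
        """Record a new persistency entry and apply the sync policy."""
        self.pending.append(entry)
        if self.interval == 0:
            self._flush(now)                          # new behaviour: no batching window
            return
        if len(self.pending) >= BATCH_THRESHOLD or now - self.last_sync >= self.interval:
            self._flush(now)                          # whichever limit is hit first

    def tick(self, now: float) -> None:
        """Timer expiry: send whatever is pending once the interval has passed."""
        if self.interval > 0 and self.pending and now - self.last_sync >= self.interval:
            self._flush(now)

    def _flush(self, now: float) -> None:
        self.flushes.append(len(self.pending))
        self.pending.clear()
        self.last_sync = now


def simulate(interval: float, arrivals: list, tick_at: float):
    """Feed a burst of entries at the given times, fire the timer once, and
    return (batch sizes sent, entries still unsynced). The second value is
    what a peer would be missing if this member failed at tick_at."""
    syncer = PersistencySyncer(interval)
    for i, t in enumerate(arrivals):
        syncer.add_entry(f"client-{i}", t)
    syncer.tick(tick_at)
    return syncer.flushes, len(syncer.pending)
```

With interval 0 a burst of 5 entries produces 5 single-entry syncs and nothing left unsynced; with interval 10 a burst of 40 entries sends one batch of 32 and leaves 8 waiting until the timer fires.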
SSLi Dynamic Certificate Cache Key
The dynamic certificates generated for outbound SSL inspection are stored in a cache. Prior to this version, the cache key was based on SNI + destination IP + destination port. In cases where the same certificate (SNI) is received from different IP addresses/ports, Alteon generated and stored duplicate copies of the certificate.
To overcome this situation, this version introduces the option to generate and store the dynamic certificate based on SNI only (the default remains SNI + destination IP + destination port).
Notes:
*Changing the cache key (/c/slb/ssl/inspect/cachekey) requires first disabling the SSL inspection filters.
*In a two-box solution, the cache key configuration must be done on the client-side box.
NFR ID: 201210-000099
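The following Python sketch is an added example, not Alteon code: the hypothetical DynamicCertCache class reproduces the two key modes named above and counts how many certificates one SNI causes to be generated when it is reached through different destination IP/port pairs. The connection list is constructed sample data.

```python
"""Illustration of the two SSLi dynamic-certificate cache-key modes described
above. Added example, not Alteon code: DynamicCertCache is a hypothetical
stand-in that only counts certificate generations; it builds no real certs."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    sni: str        # server name from the client's ClientHello
    dst_ip: str     # destination IP of the outbound connection
    dst_port: int

class DynamicCertCache:
    def __init__(self, key_mode: str):
        # "sni_ip_port" is the pre-33.0.1.0 behaviour (still the default); "sni" is the new option
        if key_mode not in ("sni_ip_port", "sni"):
            raise ValueError(f"unknown cache key mode: {key_mode}")
        self.key_mode = key_mode
        self._certs = {}
        self.generated = 0           # certificates minted (cache misses)
        self.hits = 0                # lookups served from the cache

    def _key(self, conn: Connection) -> tuple:
        if self.key_mode == "sni":
            return (conn.sni,)
        return (conn.sni, conn.dst_ip, conn.dst_port)

    def get_cert(self, conn: Connection) -> str:
        key = self._key(conn)
        if key not in self._certs:
            self.generated += 1
            self._certs[key] = f"dyn-cert-{self.generated} CN={conn.sni}"  # placeholder
        else:
            self.hits += 1
        return self._certs[key]

def run_inspection(key_mode: str, conns) -> tuple:
    """Replay connections through a fresh cache; return (generated, hits)."""
    cache = DynamicCertCache(key_mode)
    for c in conns:
        cache.get_cert(c)
    return cache.generated, cache.hits

SAMPLE = [  # constructed: one name via three IP/port pairs, one repeat, one other name
    Connection("www.example.com", "203.0.113.10", 443),
    Connection("www.example.com", "203.0.113.11", 443),
    Connection("www.example.com", "203.0.113.10", 8443),
    Connection("www.example.com", "203.0.113.10", 443),
    Connection("www.example.net", "203.0.113.10", 443),
]
```

Under the default key the sample mints four certificates (three of them for the same name); under the SNI-only key it mints two and serves the other three lookups from the cache.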
Default Management Port Access on a Data Port in ADC-VX
Starting with this version, management access on the data port is disabled by default on a vADC. This change aligns vADC behavior with standalone behavior. It applies to new configurations only (an existing configuration is not affected after upgrade).
NFR ID: 201204-000112
OpenSSL Version
The OpenSSL version for S/SL platform models, regular platform models, and Alteon VA has been updated to OpenSSL 1.1.1k.
Server Failure Reason on Block State
A server failure reason is now also available when the server is in the Block state due to any of the following:
*An advanced health check failure
*A server is down in another service that uses the same server group
*A server that has multiple rports while one port is down
Trace Log Update
From WBM it is now possible to set the application level trace log of each module. The default level remains “Error” as in previous versions.
Bot Manager Updates
*The User ID is an optional parameter in a Bot Manager policy. Starting with this version, the User ID value is hashed with SHA1 when configured (instead of being sent in clear text).
*It is now possible to clear Bot Manager statistics separately from the SLB statistics. This can be done using the CLI command /stats/security/botmng/clear, or from the WBM.
*The cookies that are added to the client communication as part of Bot Manager processing are now removed from the client request before it is forwarded to the server.
Security Notice when Telnet is Enabled
Telnet is a non-secure plain-text protocol. Radware recommends using SSH instead. A warning message displays when enabling Telnet.
NFR ID: 201231-000094
Warning Messages and Notifications
*A message is sent to the syslog every 15 minutes when a packet capture is running. This periodic syslog can be disabled using the following command: /maint/pktcap/pcaplog
*When switch HA is enabled, Radware highly recommends syncing the PIP configuration. On Apply, a warning message displays if switch HA is enabled while PIP synchronization is disabled.
*The legacy Device Performance Monitoring (DPM) capability is not related to ADC Basic Analytics and is being retired. Because DPM has a performance impact, it should not be enabled unless specifically required.
To prevent misconfiguration, the following message displays when enabling DPM: “DPM shouldn’t be enabled for ADC Basic analytics support”
Traffic Events Update
In the unified event, the in and out parameters that represent the number of bytes in the request and response now appear in the event even if their values are 0 (for example, in a GET request the in value that is generally 0 now displays in the event).
AppWall Features
1. In the Tunnel configuration, AppWall now defines multiple properties related to the HTTP parser per URI. The following changes have been added in this version:
a. By default, when adding a new URI, the following parameters are validated:
i. Allow Parameter without an equal sign
ii. Fast Upload for large HTTP requests
iii. Fast Upload for large HTTP requests with files
b. The option “Use IIS Extended Unicode Measures (Block Unicode Payloads)” has been removed from the AppWall management console but is still available from the configuration file.
2. The BruteForce Security Filter prevents remote users from attempting to guess the username and password of an authorized user. The option “Shared IP auto-Detection” check box has been removed from the AppWall management console to limit false positives.
3. Remote File Inclusion (RFI) and Local File Inclusion (LFI) are file inclusion vulnerabilities that allow an attacker to include a file or expose sensitive internal content, usually exploiting a “dynamic file inclusion” mechanism implemented in the application. In the Hosts protection section, by default, Redirect Validation is in passive mode with the option “Protect against external URL” activated.
4. The Tunnel IP (VIP), the Port and the Host have been added to the system log event titled "Large number of parameters in request".