What’s New in 34.0.0.0
This section describes the new features and components introduced in this version on top of Alteon version 33.5.3.0.
GEL Support in Standalone Mode
Starting with this version, GEL is now available on a Standalone platform.
Now, entitlements can be allocated to VA, vADC, and Standalone platforms.
NFR ID: 221222-000039
Alteon Kubernetes Connector Enhancements
The Alteon Kubernetes Connector (AKC) provides a solution for Alteon integration with Kubernetes/OpenShift orchestration.
AKC runs inside the Kubernetes clusters, discovers services of type LoadBalancer and translates them to an Alteon ADC configuration. In addition, it monitors the cluster nodes and updates the Alteon configuration when nodes are removed or added to a cluster.
The AKC solution enables Alteon to load balance a service that is deployed in multiple Kubernetes clusters, using a single VIP.
The AKC has three components:
* The AKC Controller, which monitors the service objects and nodes in the Kubernetes clusters. This component is required in each of the participating Kubernetes clusters.
* The AKC Aggregator, which aggregates inputs from all the collectors and communicates the necessary configuration changes to the AKC Configurator. These components should be installed in only one of the clusters.
* The AKC Configurator, which translates the changes into an Alteon configuration file and pushes it to Alteon.
In addition, the solution uses the vDirect module in Cyber Controller/APSolute Vision, which handles the IPAM service required to allocate the service IP (VIP) from an IP pool (currently a single pool is supported).
In this version, the AKC adds support for the following Alteon capabilities for services deployed in Kubernetes:
* SSL offload. To enable SSL offload, use the following annotations during service deployment to specify the SSL policy and certificate to use (these objects must be configured in Alteon before the service is deployed):
  * akc.radware.com/sslpol: <ssl policy id>
  * akc.radware.com/cert: <certificate id>
* The SecurePath connector, which provides application security (Cloud WAF, API protection, and BoTM) for the deployed service. Use the following annotations during service deployment to specify the SecurePath and Sideband policies needed to activate SecurePath for its traffic (these objects must be configured in Alteon before the service is deployed):
  * akc.radware.com/sideband: <sideband policy id>
  * akc.radware.com/secpath: <secpath policy id>
Overload Protection for Integrated WAF
A new mechanism is now available to reduce the load on the WAF process in case of overload by bypassing WAF inspection for some of the transactions.
When the overload protection mechanism is enabled, it examines the transactions sent within a 10-second sliding window. When at least 1,000 transactions are received within such a window, the following occurs:
* If between 31% and 50% of the transactions in the window have a WAF processing time higher than the user-specified threshold, Alteon starts sending only 50% of the transactions to the WAF process.
* If between 51% and 75% of the transactions in the window have a WAF processing time higher than the user-specified threshold, Alteon starts sending only 10% of the transactions to the WAF process.
* If over 76% of the transactions in the window have a WAF processing time higher than the user-specified threshold, Alteon starts sending only 1% of the transactions to the WAF process.
* Once 30% or less of the transactions in the window have a WAF processing time higher than the user-specified threshold, Alteon goes back to sending all the transactions to the WAF process.
To enable this mechanism, set the WAF Overload Threshold parameter in the relevant virtual service or filter (by default it is disabled, meaning set to 0) as follows:
* From the CLI:
  * For a virtual service: cfg/slb/virt <id>/service <port>/http/aw overload
  * For a filter: cfg/slb/filt <id>/aw overload
* From the WBM:
  * For a virtual service: New/Edit Virtual Service pane > Security tab
  * For a filter: New/Edit Filter page > Security tab
Note: Filters that have this mechanism enabled must be part of a Filter Set.
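The sliding-window logic described above, as an added Python model that is not Alteon code: it keeps the last 10 seconds of per-transaction WAF processing times, applies the four bands once the window holds at least 1,000 transactions, and samples transactions toward the WAF process at the resulting ratio. The deterministic 1-in-N sampler and the treatment of fractions that fall strictly between two stated bands (e.g. 75.5%, taken as the stricter band) are assumptions of this example.

```python
from collections import deque

WINDOW_MS = 10_000        # 10-second sliding window
MIN_TRANSACTIONS = 1000   # the window must hold at least this many transactions to act


def forwarding_ratio(slow_fraction: float) -> float:
    """Share of transactions forwarded to the WAF process for a given fraction of
    over-threshold transactions. Bands follow the notes above; a fraction strictly
    between two stated bands is assumed to take the stricter one."""
    if slow_fraction > 0.75:
        return 0.01   # over 76%: 1% inspected
    if slow_fraction > 0.50:
        return 0.10   # 51%-75%: 10% inspected
    if slow_fraction > 0.30:
        return 0.50   # 31%-50%: 50% inspected
    return 1.0        # 30% or less: everything inspected


class WafOverloadGuard:
    """Keeps the last 10 s of (timestamp, WAF time) pairs and derives the current
    forwarding ratio. The 1-in-N sampler is constructed for this example."""

    def __init__(self, threshold_ms: float):
        self.threshold_ms = threshold_ms   # the WAF Overload Threshold parameter
        self.window = deque()
        self.ratio = 1.0
        self.counter = 0

    def record(self, ts_ms: int, waf_time_ms: float) -> float:
        """Record one completed transaction and return the ratio now in force."""
        self.window.append((ts_ms, waf_time_ms))
        while ts_ms - self.window[0][0] > WINDOW_MS:   # drop entries older than 10 s
            self.window.popleft()
        if len(self.window) >= MIN_TRANSACTIONS:       # below 1,000: ratio is unchanged
            slow = sum(1 for _, t in self.window if t > self.threshold_ms)
            self.ratio = forwarding_ratio(slow / len(self.window))
        return self.ratio

    def should_inspect(self) -> bool:
        """Forward 1 in round(1/ratio) transactions to the WAF process."""
        self.counter += 1
        return self.counter % round(1 / self.ratio) == 0


def simulate(threshold_ms: float, waf_times_ms: list) -> float:
    """Feed constructed per-transaction WAF times at 100 transactions/s and
    return the ratio in force after the last one."""
    guard = WafOverloadGuard(threshold_ms)
    ratio = 1.0
    for i, t in enumerate(waf_times_ms):
        ratio = guard.record(i * 10, t)
    return ratio
```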
Slowloris Attack Protection
Slowloris is an application layer DDoS attack that uses partial HTTP requests to open connections between a single computer and a targeted Web server, and then keeps those connections open for as long as possible, overwhelming and slowing down the target.
Alteon can now protect itself and the application servers from a slowloris attack.
To activate the protection, configure the new HTTP Headers Timeout parameter for the virtual services or filters you want to protect. If all headers are not received within the specified time, the session is closed. The recommended value is 4000 msecs.
Notes:
* The Delayed Bind mode must be Force Proxy when the Slowloris protection is enabled.
* Filters that have this protection enabled must be part of a Filter Set.
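The HTTP Headers Timeout behaviour described above, as an added Python model that is not Alteon code: each connection must deliver its complete header block before the deadline, and a connection still waiting at the deadline is closed. The state names, the per-connection class and the two traffic traces are constructed for this example; the 4000 ms default is the recommended value from the notes.

```python
HTTP_HEADERS_TIMEOUT_MS = 4000   # recommended value from the notes above
HEADER_END = b"\r\n\r\n"         # end of an HTTP/1.x header block


class HeaderTimeoutGuard:
    """Per-connection state: the full header block must arrive before the deadline.
    States ("waiting", "complete", "closed") are constructed for this example."""

    def __init__(self, opened_at_ms: int, timeout_ms: int = HTTP_HEADERS_TIMEOUT_MS):
        self.deadline_ms = opened_at_ms + timeout_ms
        self.buf = b""
        self.state = "waiting"

    def feed(self, now_ms: int, data: bytes = b"") -> str:
        """Deliver bytes (or b"" for an idle timer tick) at time now_ms."""
        if self.state != "waiting":
            return self.state
        if now_ms > self.deadline_ms:
            self.state = "closed"        # headers incomplete at the deadline: close the session
            return self.state
        self.buf += data
        if HEADER_END in self.buf:
            self.state = "complete"      # headers done; the body is outside this timer
        return self.state


def run_trace(trace, timeout_ms: int = HTTP_HEADERS_TIMEOUT_MS) -> str:
    """trace: list of (ms since the connection opened, bytes chunk); returns the final state."""
    guard = HeaderTimeoutGuard(0, timeout_ms)
    state = guard.state
    for at_ms, chunk in trace:
        state = guard.feed(at_ms, chunk)
    return state


# Constructed traces. A normal client finishes its headers within tens of ms; a slow
# client drips one header line every few seconds and never sends the blank line.
NORMAL_CLIENT = [
    (5, b"GET / HTTP/1.1\r\nHost: app.example\r\n"),
    (30, b"User-Agent: demo\r\n\r\n"),
]
SLOW_CLIENT = [
    (0, b"GET / HTTP/1.1\r\nHost: app.example\r\n"),
    (3500, b"X-a: 1\r\n"),
    (7000, b"X-b: 2\r\n"),
]
```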
Layer 7 Modification on HTTP/2 traffic
Header modification is now supported for HTTP/2 proxy traffic, via HTTP Modification Rules.
Notes:
* Each rule in the rule list must be a header modification rule.
* If the action is Insert, the rule must not contain a condition.
* If the action is Remove or Replace, the following headers cannot be removed or replaced (their values can still be changed):
  * Request: ":method", ":scheme", ":authority" and ":path"
  * Response: ":status"
* Header names must not contain uppercase characters.
NFR ID: 221123-000123
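The restrictions listed in the notes above, as an added Python pre-check over a rule list; this is example code, not Alteon's own validation. The rule dictionary keys (element, direction, action, header, scope, condition) and the sample rules are a constructed schema for this example and do not reflect Alteon's configuration format.

```python
PSEUDO_HEADERS = {   # HTTP/2 pseudo-headers that may not be removed or replaced
    "request": {":method", ":scheme", ":authority", ":path"},
    "response": {":status"},
}


def validate_rule(rule: dict) -> list:
    """Return the problems that make one rule unusable for HTTP/2 proxy traffic.
    The rule keys are a constructed schema for this example."""
    problems = []
    if rule.get("element") != "header":
        problems.append("every rule in the list must be a header modification rule")
    action = rule.get("action")
    name = rule.get("header", "")
    if action == "insert" and rule.get("condition"):
        problems.append("an insert rule must not carry a condition")
    protected = name in PSEUDO_HEADERS.get(rule.get("direction"), set())
    if action == "remove" and protected:
        problems.append(f"{name} cannot be removed")
    if action == "replace" and protected and rule.get("scope") != "value":
        problems.append(f"{name} cannot be replaced (only its value may be changed)")
    if name != name.lower():
        problems.append(f"header name {name!r} contains uppercase characters")
    return problems


def validate_rule_list(rules: list) -> dict:
    """Map the index of each offending rule to its list of problems."""
    return {i: p for i, r in enumerate(rules) if (p := validate_rule(r))}


SAMPLE_RULES = [  # constructed rules, not taken from any Alteon configuration
    {"element": "header", "direction": "request", "action": "insert",
     "header": "x-forwarded-proto", "value": "https"},                 # acceptable
    {"element": "header", "direction": "request", "action": "remove",
     "header": ":authority"},                                           # pseudo-header removal
    {"element": "header", "direction": "response", "action": "replace",
     "header": ":status", "scope": "value", "value": "404"},            # value change is allowed
    {"element": "url", "direction": "request", "action": "replace",
     "header": "", "value": "/v2/"},                                    # not a header rule
    {"element": "header", "direction": "request", "action": "insert",
     "header": "X-Trace", "value": "1",
     "condition": {"header": "host", "equals": "app.example"}},        # condition and uppercase
]
```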
Out-of-the-box Certificate Pinned Sites List
Pinning is the process of associating a host with its expected X.509 certificate or public key. This means the client (browser or app) knows which certificate to expect for a given site, including who signed it.
SSL inspection is not possible for a site with a pinned certificate, as the client will identify the signer of the certificate as not being the original signer, thus terminating the connection.
Traffic to these application domains should be configured for bypass in any SSL Inspection solution if the enterprise wishes to allow such traffic for its employees.
To simplify this for customers, Radware provides an out-of-the-box list of known sites with pinned certificates. The following out-of-the-box elements have been added:
* Data class bypass_hosts_list, which includes the list of known sites with pinned certificates
* Content class Cert_Pinning_Bypass_Sni of type SSL with the bypass_hosts_list data class attached
* Content class Cert_Pinning_Bypass_Hostnames of type HTTP with the bypass_hosts_list data class attached
To bypass the pinned sites, you need to configure the bypass filter and select the relevant Content Class (SNI for Transparent Proxy mode or Hostnames for Explicit Proxy mode).
All these out-of-the-box objects are editable:
* If the data class was edited, it can be reverted to the default.
* A version upgrade may update the list. In that case, if the bypass_hosts_list data class was not edited, it is updated automatically; if it was edited, it is not updated unless Revert to Default is performed.
NFR ID: 221011-000139
Sideband and SecurePath Updates in Unified Events
Unified events now include information related to Sideband and SecurePath (based on the AppShape++ script SIDEBAND::add_action commands send_response and terminate_session):
* In SecurePath integration, if the request is identified as an attack and is responded to by Cloud WAF (without reaching the destination server), the event's severity is marked as "security" with reason "SecurePath Response".
* When generic sideband is used, if the request is responded to by the sideband server (without reaching the destination server), the event's severity is marked as "Normal" with outcome "Sideband Response".
* When the connection is terminated by the sideband, meaning that the client connection is closed by FIN/RST, the event's severity is marked as "Exception" with outcome "Failure" and reason "Connection Closed by Sideband".
* When there is a Sideband time out, meaning that the client connection is closed by FIN/RST, the event's severity is marked as "Exception" with reason "Sideband Failure".
GEL Dashboard Enhancements
The following GEL Dashboard enhancements are available starting with Cyber Controller version 10.1.1.0 for all supported Alteon versions:
* An instance's last validation time is now visible in the Instances table per the selected entitlement. By default, each instance validates its license with the license server every five (5) minutes.
* The validation status of the license allocated to the Alteon server is now available in the Instances table per selected entitlement. Values include:
  * Valid — The Alteon server has received revalidation from the LLS.
  * Revalidation Required — The Alteon license is still valid, but the Alteon server did not receive validation from the LLS for more than two (2) hours, half of the borrow period. If the Alteon server receives revalidation before the end of the four-hour borrow period, the status changes back to Valid.
* Sorting was added to the Instances table per selected entitlement. By default, the table is sorted according to the validation status. The table can be sorted by each one of its columns.
Control and Export of Management Port Packet Capture from WBM
You can now control and export the Management port packet capture from WBM.
NFR ID: 221102-000004