New in Version 31.0.7.0
Destination MAC Matching on Filters
By default, filters do not match the source or destination MAC unless specifically defined (cfg/slb/filt/dmac or smac). Some filters are required only to process traffic addressed to Alteon MAC addresses. This was required in earlier versions to define such filters for each Alteon MAC address.
In this version, you can now configure a filter to match all Alteon MACs and only Alteon MACs as the destination MAC, which simplifies the configuration.
To use this feature, you must enable it both globally (cfg/slb/adv/mactome) and per relevant filter (cfg/slb/filt/adv/mactome).
Overload Detection via SNMP Health Check
Alteon now also lets you detect the overload status of a real server via SNMP health checks (in previous versions, this was possible only via an HTTP/S health check).
The following parameters were added to the SNMP health check to support this capability:
Overload Response String - Relevant when the Response Type is String. Specifies a string received in the response that represents server overload.Minimum Overload Value and Maximum Overload Value – Relevant when the Response Type is Integer. Any response that falls between these two values represents server overload.NFR ID: prod00254990
SNMP Statistics of Persistent Sessions
Alteon now has options to get/walk/get-next a persistent session’s Current, Total, and High statistics for virtual servers and filters via SNMP through MIBs. This is also extended in the CLI with the new commands /maint/debug/vspsess and /maint/debug/fltpsess.
The following MIBs have been added:
fltStatPsess (1.3.6.1.4.1.1872.2.5.4.2.6.3) – Device filter Persistent session statistics.slbStatEnhVServerEntry (1.3.6.1.4.1.1872.2.5.4.2.32.1 mib .17 – 19) – Device virtual server Persistent session statistics.slbStatSpFltPsessTable (1.3.6.1.4.1.1872.2.5.4.2.1.10) -- Per SP filter Persistent session statistics.slbStatSpVServerTable (1.3.6.1.4.1.1872.2.5.4.2.1.11) – Per SP virtual server Persistent session statistics.NFR ID: prod00259611
Link SSL Certificate by Key ID
In previous versions, Alteon built the certificate trust chain (Intermediate CA group) by Subject/Issuer. However these values are not always unique. In this version, an option to chain by Key ID (Subject-Key-Identifier/Authority-Key-Identifier) was added. This is the default for new Intermediate CA groups. After upgrade, for existing groups for backward compatibility, the chaining mode is set to the legacy name method.
The chaining mode can be changed using the CLI command cfg/slb/ssl/certs/group X/chainmod. (Currently there is no support in WBM.)
NFR ID: prod00260958
Reset on Timeout
Alteon now lets you reset the connection when the session was idle for the configured session timeout; the session entry is aged out. You can select whether to send an RST only to the client, only to the server or both (cfg/slb/virt/service/clsaging).
This option is available only when delayed binding is disabled or in forceproxy mode (in previous versions, this was supported only in forceproxy mode using an AppShape++ script).
NFR ID: prod00261199
CAA Record
A Certification Authority Authorization (CAA) record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain.
The purpose of the CAA record is to allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain. It also provides a means for indicating notification rules in case someone requests a certificate from a non-authorized certificate authority. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the records are allowed to issue certificates for that hostname.
CAA records can set policy for the entire domain or for specific hostnames. CAA records are also inherited by subdomains. For example, a CAA record set on example.com also applies to any subdomain, such as subdomain.example.com (unless overridden). CAA records can control the issuance single-name certificates, wildcard certificates, or both.
In this version, Alteon can now answer CAA queries addressed to a DNS VIP. For this purpose, CAA records must be defined (Application Delivery/DNS Authority/CAA Records).
NFR ID: prod00261828
Default Number of VLANs Increased to 4096
Starting with this version, you can configure up to 4096 VLANs (instead of 2048 VLANs in earlier versions).
NFR ID: prod00251950
Support PIP Network Class with VRRP
Alteon now supports multiple proxy IP addresses from network class range/subnet (under a virtual service or real server) in the VRRP environment as virtual proxy routers.
NFR ID: prod00262634