New in Version 31.0.5.0
Support 10G Copper GBICs
In this version, Alteon supports 10 Gbps copper GBICs that plug into SFP+ ports.
Supported platforms:
*4208
*5208
*6024
*6420
Radware Threat Protection Service: Tor and IP Reputation
Tor and Malicious IP address protection is a new added-value security feature that protects Alteon from traffic originating from ‘known’ malicious IP addresses or Tor exit nodes.
The malicious IP addresses database is dynamically updated using Radware’s own unique threat intelligence feed, which is generated by Radware’s ERT Threat Research Center.
The Threat Research Center publishes automatic malicious IP address lists once every 30 minutes for consumption and utilization by Radware devices in the form of Radware subscription threat intelligence feeds.
The malicious IP addresses are collected from the Radware Deception Network and tagged according to their recorded activity, information correlated from the Radware Cloud Security Services, and algorithmic analysis output. The tags are used in order to filter the malicious IP address list and make sure each Radware subscription utilizes IP addresses that are relevant for the specific subscription functionality.
The IP addresses in the IP threat intelligence list are tagged using the following categories:
*Malicious IPs – IP addresses involved in malicious activities such as DNS reflection attacks, SYN floods, SSL renegotiation, HTTP and HTTPS floods, PDoS and SMTP attacks, as well as Botnets, IoT devices, Scanners and Web attackers.
*Tor Exit Nodes (anonymous proxies) – IP addresses of anonymization services, mainly The Onion Router (Tor) exit nodes.
You can easily and effectively stop traffic from network-based IP threats that are targeting your network, and define whether to block or issue alerts for malicious IP addresses based on region, category (Tor Exit Nodes/Malicious IP addresses) or level of severity.
Notes:
*A valid Security Subscriptions License is required for this feature. Note that after enabling the feature in Alteon and entering the license, a system reboot is required.
*For vADC support for IP Reputation, you must upgrade the ADC-VX to version 31.0.5 or later. The IP Reputation Database is uploaded to the ADC-VX and then can be used by all its vADCs.
*Alteon VA using IP Reputation requires a minimum of 4 GB RAM and an 11 GB vDisk.
*Alteon can download the Reputation feed from the Radware Domain either directly or via APSolute Vision. If you are using APSolute Vision, access is through port 443, which must be opened.
Limitation: Only IPv4 addresses are supported.
Two-tiered Clusters in GSLB Environment
Some environments require a VIP to be extended over multiple Alteon instances in the data center using two Alteon tiers: the first tier distributes traffic at Layer 4 between second-tier Alteon instances, which perform all required traffic processing.
When such data centers participate in a global solution, the first Alteon tier that participates in GSLB needs to be aware of the local capacity available (active local real servers).
A new capability allows cluster members (second tier) to update the cluster frontend (first tier) with the active local servers per VIP, using the DSSP protocol.
To activate this capability:
1. For each participating device, set its role (frontend or member) using the following CLI command: cfg/slb/cluster/role
2. On each cluster member, define the front-end device/device pair using the following CLI commands: cfg/slb/cluster/feprima, cfg/slb/cluster/fesecon
NFR ID: prod00255532
Overload Detection via Health Check
Alteon now lets you detect the overload status of a real server via HTTP/S health checks and stop allocating connections/sessions to that server.
A new HTTP/S health check parameter, Overload Response String, lets you specify a string that, when received in the server response, represents server overload.
Overload Status Detection
*The health check detects the overload status if Overload Response String is in the payload and the response code matches the Expected Response Code, if configured.
*The server enters overload status the first time the health check detects an overload.
*The server exits overload status for the first health check response that does not report an overload (the server can move from overload to up or down).
*If an overload is defined on multiple health checks in a logexp health check, the logical expression (AND/OR) is not taken into consideration:
  *The overload status is activated when at least one health check detects an overload.
  *The server exits overload status when none of the health checks detects an overload.
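Added example (not part of the Radware release notes and not Alteon code): a Python model of the detection rules above, paired with the health response a real server could return. The string value SERVER-OVERLOADED, the Expected Response Code of 200 and all function names are assumptions made for illustration.

```python
from __future__ import annotations
from typing import Optional

OVERLOAD_STRING = "SERVER-OVERLOADED"  # assumed Overload Response String value


def backend_health(active: int, limit: int, busy_code: int = 200) -> tuple[int, str]:
    """Constructed health-URL logic for a real server: (status code, body)."""
    if active >= limit:
        return busy_code, f"state={OVERLOAD_STRING} active={active}"
    return 200, f"state=OK active={active}"


def detects_overload(status: int, body: str, expected_code: Optional[int] = None) -> bool:
    """Rule from the note: string in the payload AND code matches, if one is configured."""
    code_matches = expected_code is None or status == expected_code
    return code_matches and OVERLOAD_STRING in body


def logexp_overload(per_check: list[bool]) -> bool:
    """In a logexp check the AND/OR expression is ignored: any detection counts."""
    return any(per_check)


def overload_timeline(responses, expected_code: Optional[int] = None) -> list[bool]:
    """Overload status after each poll. The status is entered on the first
    detection and left on the first response that does not report overload,
    so it simply follows the most recent response."""
    return [detects_overload(s, b, expected_code) for s, b in responses]


if __name__ == "__main__":
    # Constructed sample: four polls of a server whose session limit is 100.
    polls = [backend_health(n, limit=100) for n in (40, 100, 120, 90)]
    print(overload_timeline(polls, expected_code=200))
    # A backend that answers 503 when busy no longer matches an Expected
    # Response Code of 200, so the overload rule is not met even though the
    # string is present in the body.
    busy_503 = backend_health(120, limit=100, busy_code=503)
    print(detects_overload(*busy_503, expected_code=200))
    # One of two checks in a logical expression reports overload.
    print(logexp_overload([False, True]))
```

The 503 case is the one to check when adapting an existing health URL: the overload string only counts when the response code also matches the configured Expected Response Code.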
Behavior of a Server with Overload Status
*By default, a server with the overload status is not allocated any new connections, but existing connections continue.
*If the Overload/Overflow Exception parameter (cfg/slb/group/maxconex) is enabled, new connections that belong to existing persistent sessions active on the server (client IP/cookie/SSL ID) are accepted.
Note: The Overload/Overflow Exception parameter was previously called Maximum Connections Exception in WBM.
*When a real server that is part of a specific group participates in several services and has the overload status on one service, the real server behaves in overload mode in all services using that group.
NFR ID: prod00247924
Standalone Health Checks
Alteon performs configured health checks only on servers that participate in (directly or indirectly) a virtual service or filter; otherwise, ICMP is performed for these real servers.
Starting with this version, you can also perform configured health checks on real servers that do not participate in any virtual service/filter.
To allow a health check to be performed on any real server, irrespective of the server association, enable the Always Perform Health Check parameter on it (cfg/slb/advhc/health X/always).
Notes:
*This capability is available only for health checks of type HTTP/S, TCP, script and logical expression.
*A health check configured to always be performed must have the Destination Port specified.
NFR ID: prod00250128
MSTP Interoperability
In MSTP, you can now also configure the entire 4K VLAN ranges for VLANs that are not part of the Alteon Layer 2 configuration.
This enables full interoperability of Alteon with its neighbor switches.
NFR ID: prod00254285
URL Exclusion list for APM
When performing Application Performance Monitoring (APM) on a virtual service, there are cases where specific pages should be excluded (because there is no need to monitor them, or the JS injection is problematic for this page).
By default, APM is performed on all pages. The URL list to exclude is listed in a data class with value 0 (value 1 can be used if an alternate insertion is required for this specific URL). After this is done, add the class apmlist command with the data-class ID to the “INIT” event of the AppShape++ script APM_script.