New in Version 31.0.2.0
DPS Offering Licenses
New license strings have been added for easy activation of the new Deliver/Perform/Secure offering:
*aas-deliver − Activates the Deliver feature package
*aas-perform − Activates the Perform feature package
*aas-secure − Activates the Secure feature package
*aas-subscr-perform-<START_DATE>-<END_DATE> − Activates the Perform subscription package for the defined period
*aas-subscr-secure-<START_DATE>-<END_DATE> − Activates the Secure Only subscription package for the defined period
*aas-subscr-perform-secure-<START_DATE>-<END_DATE> − Activates the full Secure subscription (includes the Perform subscription package) for the defined period
Important! When you recover Alteon using version 31.0.2.0, the default Software Feature license will be aas-deliver, whether Alteon is NG or standard. To use the licenses that you are entitled to, you must reinstall them before proceeding.
SSL Enhancements
SSL Hardware Offload Control
On the S and SL models of the Alteon D-Line, you can disable hardware acceleration for specific cryptographic algorithms (RSA, DHE, ECDHE, and bulk encryption) per SSL policy, for front-end and/or back-end encryption.
ChaCha20 and Poly1305 Ciphers
The ChaCha20 and Poly1305 cryptographic ciphers are now supported for:
*Alteon platforms S, SL, and standard (no SSL card) models
*VA/NFV
ChaCha20 is a symmetric cipher that is usually faster than AES on general-purpose CPUs without the dedicated AES instruction set. Together with Poly1305, it is considered to provide better performance on mobile devices.
Compatibility of Configuration Analysis before Version Upgrade
For a smooth upgrade process, Radware recommends analyzing the compatibility of the active configuration with the target upgrade version, checking all upgrade-related limitations of the version.
This capability is already provided through the external Upgrade Advisory Tool. It is now integrated in the Alteon software and will ease compatibility checks for upgrades from this version forward. You can also analyze the compatibility of any upgrade version, without performing the upgrade, by specifying the target version.
In the WBM Version Management pane, after selecting the upgrade version, click Analyze and Download Report to get the Analysis Report, which details all incompatibilities, indicates whether the version upgrade will fail or pass, and provides actions to be taken before and after the upgrade process in order to resolve any upgrade issues and to ensure a successful upgrade.
This tool can also be activated using the CLI command /boot/upgana.
The tool's monitoring and resource files can be updated using the CLI menu /maint/upg/cur.
This analysis report operation may take a few minutes.
Authentication Gateway
Azure MFA
Azure Multi-Factor Authentication (MFA) is Microsoft's two-step verification solution, allowing for an easy to use, scalable, and reliable solution that provides a second method of authentication with One Time Password (OTP) for access from smart phones, tablets, laptops, and PCs. Users have several different options on how they are going to connect and stay connected at any time. Alteon Authentication Gateway offers support for Azure MFA with on-premises Active Directory credential validation or using Azure Active Directory as an Identity Provider.
RSA Support
RSA SecurID Access is the world’s most widely-deployed multi-factor authentication solution. In addition to the already existing integration of the Alteon Authentication Gateway with first and second factor authentication systems (LDAP, Active Directory, RADIUS, and SMS Passcode), Alteon 31.0.2 Authentication Gateway integrates with RSA SecurID Access for OTP services using RSA SecurID hardware and software tokens.
Bidirectional Forwarding Detection Enhancements
The BFD capability is extended to OSPF and iBGP (support for BFD for eBGP was introduced in 31.0.0.0).
NFR ID: prod00168788
OSPF Host Injection Enhancement
The number of hosts that can be advertised over OSPF was increased to 1024 (from 128).
NFR ID: prod00247818
DNS SOA Query
The Alteon DNS engine now supports answering SOA queries for domains configured in the new SOA Zones table (Application Delivery > DNS Authority > SOA Zones in WBM; and /cfg/slb/gslb/dnssoa in CLI).
Alteon only answers SOA queries that arrive at the DNS Responder VIP.
NFR ID: prod00248368
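A check an operator could run after populating the SOA Zones table, added here as an example and not Radware code: it builds the SOA question that would be sent to the DNS Responder VIP and parses the reply, reporting the AA (authoritative answer) flag and the SOA serial. The zone example.com, the transaction ID and the sample reply are constructed for illustration.

```python
import struct

SOA, IN = 6, 1  # RFC 1035 QTYPE SOA, QCLASS IN

def build_soa_query(zone, txid=0x1234):  # RD=0: ask the authority directly
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split("."))
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!2H", SOA, IN)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                     # refuse pointer loops
                raise ValueError("compression loop")
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def parse_soa_response(msg, txid=0x1234):
    """Return SOA fields and the AA flag, or None if the answer has no SOA."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!6H", msg, 0)
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a successful response to this query")
    off = 12
    for _ in range(qd):                       # skip the echoed question
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == SOA:
            mname, p = read_name(msg, off + 10)
            rname, p = read_name(msg, p)
            serial = struct.unpack_from("!I", msg, p)[0]
            return {"zone": owner, "authoritative": bool(flags & 0x0400),
                    "mname": mname, "rname": rname, "serial": serial}
        off += 10 + rdlen
    return None

def sample_response():  # constructed reply for example.com (QR=1, AA=1)
    rdata = b"\x03ns1\xc0\x0c\x05admin\xc0\x0c" + struct.pack("!5I", 2024010101, 3600, 600, 604800, 300)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 300, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + build_soa_query("example.com")[12:] + rr
```

To use it against a device, send the bytes from build_soa_query() in a UDP datagram to port 53 of the DNS Responder VIP and pass the reply to parse_soa_response().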
Policy Based Distribution
The new Policy Based Distribution mechanism enables you to easily apply the same security policies throughout a network.
With Policy Based Distribution, you can export a tunnel policy file from an integrated AppWall module and import the policy file into the same or a different AppWall module, or standalone AppWall server.
When importing the policy file, you must select an existing tunnel to override.
NFR ID: prod00251482
Monitoring Enhancements
Connections per Second (CPS) and Throughput per Second (TPS) statistics are now available per virtual server and virtual service using CLI, WBM, or SNMP.
NFR ID: prod00246444, prod00252131, prod00252160
Integrity Verification of an Uploaded OS image
A digital signature has been added to each image file. This signature is validated by Alteon during the version upgrade procedure (image upload process) and allows detecting a bad image (incomplete download) early in the process. If there is an image signature verification mismatch, the upgrade process is aborted.
This feature is enforced on upgrade from version 31.0.2.0 to a later version.
NFR ID: prod00251948
LinkProof Enhancements
The following enhancements were made to inbound link load balancing via the SmartNAT capability (where the Service Type in the Inbound Rule is set to Server):
*ICMP support − IPv4 and IPv6 ICMP queries to the static NAT addresses defined in SmartNAT for inbound link load balancing are now supported.
*Backup Inbound WAN Link − Alteon lets you define primary and backup WAN Links for their respective inbound rules by specifying the group of WAN Links that should be used for the inbound rules.
*Support for inbound FTP
*Statistics NAT Type − The type of NAT that was performed is now included in the information output (/info/slb/lp/nat).
*Additional metrics − The following inbound metrics are now supported in addition to RoundRobin: Bandwidth, Least Connections, Absolute Least Connections
Outbound IPv4 and IPv6 ICMP via static SmartNAT entries are now also supported.