New in Version 31.0.1.0
New Bundles Offering
This version introduces a new platform lineup that delivers better performance by integrating the Intel QuickAssist Lewisburg SSL technology.
This new platform lineup is optimized to serve Radware’s customers’ growing challenges in serving their customers in a secure manner. The new platform lineup differs from the existing one as follows:
*Use of the Intel QuickAssist Lewisburg SSL technology (instead of the Cavium PX/NX-3 SSL technology)
*Different bundling. The “Non-NG/NG/NG+” methodology is no longer used. The new bundling methodology introduces the “Deliver/Perform/Secure” concept.
New Bundling Scheme – “Deliver/Perform/Secure”
Alteon 31.0.1 introduces a newer bundling concept referred to as “Deliver/Perform/Secure.” At the heart of this new bundling concept lies the need to better balance between perpetual features and subscription-based features. Radware believes that the new bundling will enable Radware to be even more competitive while providing more value to Radware customers, allowing Radware to sell more subscriptions and value-added services.
Syslog Settings – Support Sending Syslog Messages on a Particular Server Port
Syslog messages can now be sent on a user-defined port. The default port number on which to send syslog messages remains 514. This support has been extended to all five syslog hosts (host1-host5).
*From CLI – /cfg/sys/syslog/hst<n>
*From WBM – Configuration > System > Logging and Alerts > Syslog settings tab
NFR ID: prod00244853
Digital Optical Monitoring
Modern optical SFP transceivers support standard digital diagnostics monitoring (DDM) functions. This feature is also known as digital optical monitoring (DOM). Modules with this capability give you the ability to monitor SFP parameters such as optical output power, optical input power, temperature, laser bias current, and transceiver supply voltage, all in real time.
NFR ID: prod00245154
Set the Server on all Sessions for a Specific Source IP Address
You can now move the persistent entries (p entries) and session entries from a real server to a specific client IP address.
NFR ID: prod00249458
New SSL Acceleration Technology
As the use of SSL grows exponentially, new and more powerful SSL ciphers are emerging to enable bulletproof traffic exchange between consumers and merchants, branches and headquarters, and so on. One such cipher is the Elliptic Curve Cipher (ECC). Previous SSL acceleration technologies were geared towards optimization of RSA ciphers and do not handle ECC. The growing requirement for ECC requires the market to upgrade SSL acceleration technologies.
Radware selected the new Intel QuickAssist SSL acceleration technology to offer what is considered the most effective and efficient SSL acceleration technology in the market.
The introduction of the Intel QuickAssist technology within the Radware platform lineup places Radware in an excellent position to provide competitive price/performance platforms to the ever-growing market demand for SSL-oriented products that meet the highest and the most advanced SSL standards.
Alteon 31.0.1.0 introduces the following platforms with Intel QuickAssist (QAT) cards:
*5208 S
*6024 S and SL
*6420 S and SL
*8420 S and SL
*8820 S and SL
For the SSL RSA and ECC performance data of these platforms, refer to the Alteon Technical Specifications.
These platforms support the latest OpenSSL version (1.1.0e) on the data path.
Note: Alteon 8420 and 8820 S/SL can support hardware SSL acceleration on a maximum of 96 vADCs. Any additional vADC will perform software SSL decryption/encryption.
Simple Outbound SSL Inspection Provisioning Interface
A new interface is now available for provisioning outbound SSL Inspection configuration in just a few simple steps for the following objects:
*Global settings, such as proxy mode (explicit or transparent) and outbound action.
*Security Device Flow configuration – The following types of security devices are supported:
  *Active Layer 3 (one/two legs)
  *Active Virtual-Wire (Layer 2)
  *Passive
*Inspection/bypass policies
When using this interface, Alteon automatically creates the background SSL configuration (filters, port processing, SSL policies, real servers, groups, and so on).
Important Note:
*To preserve the correctness of the SSL inspection configuration, auto-created SSL inspection objects (real servers, interfaces, VLANs, filters, and so on) must be edited and deleted only from the SSL Inspection interface and not from the specific objects.
*The front-end and back-end SSL policies can be edited as needed to allow better security.
Limitations
*The interface is supported only in Standalone mode (including Alteon VA).
*The interface supports only IPv4 addresses.
*To avoid loops, each virtual wire/passive device port must be defined on a different VLAN (default VLANs must not be used).
*Security Device Group with ID 1 must not be used.
Troubleshooting and Debugging
CLI Commands
*cgrep – New global command that filters any pattern within the last saved configuration.
For example:
>> Standalone ADC - Main# cgrep "port 443"
/c/slb/advhc/health dannyhttps HTTP
dport 443

/c/slb/virt 1/service 443 https
rport 443

/c/slb/filt 200
rport 443
DNS Proxy
When performing global server load balancing (GSLB) or inbound link load balancing (LinkProof), Alteon functions as the authoritative name server for certain domains. In addition, Alteon can now function as the DNS proxy for other domains, forwarding their requests to a DNS server group.
For this purpose, a DNS Proxy table has been added. Each DNS proxy entry lets you configure a domain name that should be proxied and the server group to which the DNS queries should be forwarded/load balanced.
In addition, you can configure a default DNS server group. When you configure such a group, the following DNS queries are forwarded/load balanced to it:
*DNS queries for domain names that do not appear in the Alteon configuration, either in the DNS Proxy table or as domains that must be resolved by Alteon.
*DNS queries for domains for which Alteon is the authoritative name server, if the query type is unsupported by Alteon.
NFR ID: prod00244365
GSLB Enhancements
Remote Real Server Status Update via DSSP
Alteon version 31.0 and later includes the option to update the status of remote real servers that are VIP addresses on remote Alteon devices, via DSSP communication instead of through health monitoring.
Version 31.0.1.0 adds a new predefined health check -- DSSP:
*When the DSSP health check is attached to a remote real server, Alteon searches for its status in the DSSP messages. If the server does not appear in the DSSP message or DSSP communication has failed, the DSSP health check fails.
*The DSSP health check can be attached to a remote real server or to a group that only includes remote real servers. It can also be part of a logical expression health check attached to a remote real server or to a group that only includes remote real servers.
In earlier versions (30.5.3.0 and 31.0.0.0), a partial capability was implemented using a global flag. After upgrading from these versions, if the global flag was previously enabled, a DSSP health check is attached to all remote real servers. If some of the remote real servers are not remote Alteon devices, change their health check manually.
NFR ID: prod00244361, prod00236729
Note: The following capabilities are relevant both for GSLB and for inbound link load balancing (LinkProof) using DNS rules.
DNS Persistency on EDNS parameter
When using the persistency or persistent hash DNS metric, you can now select whether to use the DNS query source IP address or the value of the EDNS field in the query (actual client IP address). This can be defined per DNS rule (ednsprst).
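The key selection described above, as an added example that is not Radware code. It assumes the "EDNS field" is the EDNS Client Subnet option (RFC 7871) and that a rule falls back to the source IP address when the option is absent or malformed; the function names, the use_edns flag (modelling ednsprst) and the sample query are constructed for illustration.

```python
import ipaddress
import struct

OPT_RR, ECS = 41, 8   # EDNS(0) OPT record type (RFC 6891), Client Subnet option code (RFC 7871)
FAMILIES = {1: (ipaddress.IPv4Network, 4), 2: (ipaddress.IPv6Network, 16)}

def _skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while msg[off] and msg[off] < 0xC0:    # ordinary labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)    # compression pointer or root label

def ecs_subnet(msg):
    """Return the EDNS Client Subnet network carried in a DNS query, or None."""
    try:
        qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
        off = 12
        for _ in range(qd):                # each question: name, type, class
            off = _skip_name(msg, off) + 4
        for _ in range(an + ns + ar):      # the OPT record sits in the additional section
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            pos = 0
            while rtype == OPT_RR and pos + 4 <= len(rdata):   # walk the option TLVs
                code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
                opt, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
                if code == ECS and len(opt) >= 4:
                    family, prefix, _scope = struct.unpack("!HBB", opt[:4])
                    net, size = FAMILIES[family]   # unknown family raises KeyError
                    return net((opt[4:].ljust(size, b"\0")[:size], prefix), strict=False)
    except (struct.error, LookupError, ValueError):
        pass                               # malformed query: treat as carrying no ECS
    return None

def persistency_key(source_ip, query, use_edns):
    """Address a DNS rule keys persistency on (assumed fallback: source IP)."""
    subnet = ecs_subnet(query) if use_edns else None
    return str(subnet.network_address) if subnet is not None else source_ip

def constructed_query(with_ecs=True):
    """Constructed sample: A query for www.example.com, optional ECS 198.51.100.0/24."""
    msg = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, int(with_ecs))
           + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
    if with_ecs:
        rdata = struct.pack("!HHHBB", ECS, 7, 1, 24, 0) + bytes([198, 51, 100])
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR, 4096, 0, len(rdata)) + rdata
    return msg
```

With the constructed query arriving from resolver 192.0.2.53, the key is 198.51.100.0 when the rule uses the EDNS value and 192.0.2.53 when it uses the source IP address. The option is supplied in the query itself, so the parser treats it as untrusted input and bounds every read.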
IP Network Class in Client Network
Alteon now lets you select a Network Class of type IP address in the Client Network Rules (previously only the Network Class of the type Region was supported).
Priority in DNS Rule
The DNS rule network metric previously let you configure the priority for each VIP/remote real server. However, that priority was taken into account only for site selection during the HTTP redirection phase. Now this priority is also taken into account during the DNS resolution phase, letting you create a priority between sites/WAN links.
AppShape++ Enhancements
The following AppShape++ commands are introduced in 31.0.1.0:
*X509::verify_signature − Verifies that the given certificate signed the given data.
*X509::has_expired − Checks whether the given certificate has expired or is not yet valid.
NFR ID: prod00231691