For more details on all features described here, see the Alteon Application Guide and the Alteon Command Reference for AlteonOS version 31.0.1.0.

In this version there are now two redundant management ports providing out-of-band highly reliable management interfaces with enhanced security.

NFR ID: prod00237950

In addition, a significant increase in SSL throughput (up to 40% depending on the platform) was achieved also on SSL hardware-accelerated platforms by introducing capabilities such as TCP Segmentation Offload and hardware-based core selection at Layer 4.

Prior to version 31.0, traffic that arrives at Alteon is distributed by the NICs between the CPU cores by performing hash on Layer 3 data only (source and destination IP addresses).

Alteon 31.0 introduces the ability to configure NICs to perform hash based on Layer 4 data (4-tuple source and destination IP addresses and ports). This allows for

Important! On standalone appliances and VA form factors, when any SSL encryption/decryption is performed (SSL offload, SSL Inspection), if SSL reuse is required, the hardware hash must be set to Layer 3.

After upgrade, the hardware hash parameter is set to Layer 3 for backward compatibility. For new 31.0 installations, this parameter is set to Layer 4 by default for standalone and Alteon VA form factors and to Layer 3 for ADC-VX.

The basic core allocation for vADC is performed at the hypervisor level (TD). Prior to version 31.0, the core selection was based on the source IP hash. The /cfg/slb/adv/spl4hash parameter lets you select the core based on Layer 4 data (source IP address and source and destination ports) and achieve better core distribution.

The Westwood protocol can now be selected as the Congestion Control Mechanism in a TCP optimization policy.

SAML SSO works by transferring the user’s identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents. In this version, the Alteon Authentication Gateway introduces new support for SAML 2.0 SP functionality. It can integrate with external SAML 2.0 Identity Providers (IdP) for the purpose of Single Sign-on (SSO) implementation across the organization. The Authentication Gateway functions in such a setup as the SAML Service Provider (SP), offering authorization and access control services to the back-end applications along with its currently available back-end authentication schemes, such as Form Based Authentication, NTLM, and Kerberos Constrained Delegation (KCD).

One example of such integration with SAML IdP is Microsoft ADFS 3.0. ADFS provides simplified and secured identity federation and Web Single Sign-on capabilities for end-users who want to access applications within an ADFS-secured enterprise, or in the Cloud. The Alteon Authentication Gateway can integrate with ADFS, which can be configured as a SAML IdP. In such a setup, Alteon can offer comprehensive Application Delivery and security services for the Microsoft application environment. Not only does it provide a replacement to TMG/UAG functionality in such an environment, but it also provides significant enhancements to functionality currently provided by TMG/UAG. SAML SSO provides better protection, significant performance optimization, and scalability to Web-based applications. Next generation services, built into the Alteon ADC, add advanced load balancing and health checks with Layer 7 awareness, content and URL filtering, content rewrites, user programmable policies and traffic steering logic, a Web Application Firewall, network access control, an authentication gateway, single sign-on, Web access management, and hardware-based SSL termination.

Alteon has also been tested and certified for Microsoft SharePoint based on its integration with ADFS. A detailed Technical Integration Guide (TIG) for integrating the Alteon Authentication Gateway with ADFS and SharePoint with back-end KCD authentication is available.

Traffic can be bypassed based on the host category (URL Filtering) or list of specific hosts (or the new SSL Content Class type).

Note: The SSL Content Class is supported only in SSL Inspection filters.

Reminder: Alteon already supports host-based SSL Inspection bypass when installed as explicit proxy (starting with version 30.5).

This version removes the previous limitation that required a special workaround to support an IDS server group as the first or only hop in the inspection chain. In addition, multiple IDS groups can now be included in the security inspection chain (both SSL and clear traffic inspection).

To enable this advanced IDS support:

For this purpose, the Client Authentication Policy object was promoted to an Authentication Policy object that can be of type Client (default) or Server.

This capability is now improved with the addition of a new redirect filter Fallback Action value, Continue in Flow. When this value is selected, if the server group bound to the filter is down, traffic matching this filter is forwarded to the next hop in the flow. To bypass this hop and continue the flow, specify the physical port through which traffic from this hop (server group) was expected to ingress Alteon with the Flow Continuation Ingress Port parameter.

Notes:

In this version, you can define an intermediate CA certificate/group for Alteon management via HTTPS. With this support, when accessing Alteon via HTTPS (WBM or REST API), Alteon sends both its server certificate and the configured intermediate CA chain.

This facilitates the process of verifying the chain of trust (instead of installing the chained CA on the client browsers).

NFR ID: prod00234972

Limitation: Only IPv4 is supported

NFR ID: Prod00239734

The Smart NAT feature provides one centralized pane to configure all required NAT translations. You can add, edit, and delete entries in one location, which simplifies the process of NAT translation configuration.

NFR ID: prod00240838

For more details on LinkProof capabilities, see the LinkProof NG User Guide or LinkProof for Alteon NG User Guide, version 31.0.0.0

LinkProof Inbound Host Based LLB Rules configuration was updated to also support the local server without the need for virtual server configuration as the NAT addresses. Instead, the Smart NAT table is used to define the NAT mapping.

In version 31.0, Alteon VA is integrated with the Azure solution template.

This enables you to configure Alteon VA from the Azure portal without accessing either the Alteon CLI or WBM.

To configure Alteon VA for Basic SLB, you only need to provide the number of real servers and their IP addresses, beyond the regular VM deployment parameters. If you choose, you can also change the SLB metrics.

After the Alteon VA is up, it is ready to load balance your servers, even without accessing the Alteon VA user interface.

Both HA instances are configured and run in a high availability environment without the need to enter any of the Alteon VAs.

IPsec support has been added to the virtual service IP address (port 1).Now when the protocol parameter is configured as both in the IP service configuration (/cfg/slb/virt <xyz>/service 1/protocol both); it also includes IPsec along with TCP, UDP, and ICMP

Notes:

Notes:

NFR ID: prod00229797

Up until this version, Alteon supported only a pair of Alteons in a high availability cluster and for configuration sync/session mirroring. Starting with this version, up to four (4) Alteons can participate in a High-Availability cluster and can synchronize their configuration and session table.

To enable Alteon to operate at two sites with a priority for one of the sites to take control, the Failback/Failover order field was added, letting you to give a priority to the Alteon in the group with the lower order value.

For the configuration synchronization to take place, every Alteon should configure an interface for all its peers.

Session mirroring in a configuration with more than two (2) Alteon peers operates in broadcast mode and not in unicast. To avoid broadcast storms, Radware recommends assigning a dedicated VLAN for session mirroring.

NFR ID: prod00242193

NFR ID: prod00245390

NFR ID: prod00238047

Until this version, the Alteon BGP router peer was able to detect that the device was down only after the BGP HoldTme as configured on the peer. According to RFC4271, the default HoldTime is 90 seconds. To reduce this time, Alteon now supports the respond to the BFD. This enables the BGP peer to detect that Alteon is down significantly faster – starting at 300 milliseconds.

Note: Although the detection time by the BGP peer that the Alteon is not responding can be reduced using the support of the BFD protocol, the Alteon High Availability timers were not changed and the minimum time for the backup Alteon to replace the master still remains more than three (3) seconds.

NFR ID: prod00247457

To define a geolocation, you must configure a network class of the new type Region. The Region network class lets you define a location down to the State level (Continent, Country, or State).

You can also buy the GeoIP2 City database from MaxMind and upload it to Alteon.

MaxMind provides both binary and CSV formats, both as .zip files. To upgrade the geolocation database in Alteon, download both files from MaxMind and consolidate them in a .zip file.

Note: For vADC support of Geolocation, you must upgrade the ADC-VX to version 31.0 or later. The Geolocation Database is uploaded to the ADC-VX and then can be used by all its vADCs.

NFR ID: prod00236644

A new global flag was added to let you select whether the status update will be achieved via health check or DSSP:

The flag is disabled by default (status update is performed via health checks).

Important: After the parameter is enabled, after Apply the health check of all remote real servers is changed to NoCheck. If some of the remote real servers are not Alteon VIP addresses, you must manually change their health check back to the desired one.

NFR ID: prod00236729

NFR ID: prod00245937

The malicious IP addresses database is dynamically updated by Cyren (or in future versions, any other vendor) and automatically downloaded by Alteon.

You can easily and effectively stop network based IP threats that are targeting your network, and define whether to block or issues alerts of malicious IP addresses based on region, category (spam/Malware) or level of severity.

Notes:

Limitation: Only IPv4 addresses are supported.

In this version, you can define whether the service should be kept always on or not when AppShape++ scripts are attached. This lets you to keep a virtual service always on only if the attached script is treating the “no real server available” scenario.

This parameter is disabled by default for new services. After upgrading from previous versions, this parameter is enabled on virtual services with AppShape++ scripts to preserve backward compatibility

The rdwr-cookie command retrieves data related to a cookie configured for persistency on the current HTTP/S virtual service (Persistency Mode = Cookie/pbind cookie).

NFR ID: prod00238551

The full HTTP/2 Proxy capability lets you load balance HTTP/2 traffic to HTTP/2 real servers.

Important: HTTP/2 Full Proxy support is in beta mode. You must contact the local Radware account team if you want to activate and test this capability.

CLI command: /c/slb/filt 45/adv/matchdev ena

To capture traffic of a specific vADC management port, use the following command on ADC VX: capture host <vADC MNG IP>.

The maximum Capture file size is 100 MB.

Note: Capture on the ADC VX management port is available starting with version 30.5.0.

For more information on Alteon packet capture capabilities, see the Alteon Command Reference

Limitations: Not supported for IPv6 traffic or filter flow.

The capture file can be filtered by any of these parameters.

Note: The Extra Info capability requires the Wireshark plug-in see the Knowledgbase article in the following link for instructions: KB

For more information on Alteon packet capture capabilities, see the Alteon Command Reference

You can perform live capture on the ADC-VX Traffic Distributor using the /maint/pktcap/td/capture command.

The TD capture enables filtering the traffic by IP address, MAC, VLAN and more.

Traffic for a specific vADC can be captured by filtering on the vADC VLANs.

Note: File Capture on a TD is available starting with version Alteon 30.5

For more information on Alteon packet capture capabilities, see the Alteon Command Reference

BSP and ND logger information can assist with identifying upgrade and traffic related issues.

The information is logged at /disk/logs/BSP_ADMINMP and exportable via techdata.

SP logger information is used for critical SP issues, such as the SP not being able to load.

The information is logged at /disk/logs/messagesSP and exportable via techdata.

This feature was first introduced in version 30.5.2.0.

The default value of configuration audit command (/cfg/sys/syslog/audit) was changed to disable.

In addition, the configuration audit logs are saved to disk regardless of the configuration audit settings. The information is logged at /disk/logs/syslogAudit and exportable via techdata.

This feature was first introduced version 30.5.2.0.

All console output is saved to disk. The information is logged at /disk/logs/console_log and exportable via techdata.

This feature was first introduced version 30.5.2.0.

All SNMP calls are saved to disk. The information is logged at /disk/logs/snmpAudit and exportable via techdata.

This feature was first introduced version 30.5.2.0.

All REST API calls are saved to disk. The information is logged at /disk/logs/webui and exportable via techdata.

The event and error counters allow R&D to quickly identify the reason for specific events and errors.

These counters are available in previous releases. In version Alteon 31.0 a trend on the active events and errors was added, showing the counters in the last 15, 30, 45, 60 and 75 seconds. The relevant commands are /stats/counters/geterrors and /stats/counters/getevents.

The output of these commands is also part of the tsdmp.

The vADC console is enabled by default for version 31.0 and later, or for upgrades from version 31.x and later.

When upgrading from earlier versions, the vADC console is disabled. In order to enable it run the command /c/sys/vconsole on the VX console. (This requires applying, saving the configuration, and rebooting the platform.)

This feature is available using the Telnet protocol, with a Linux keyboard simulation.

For more details on all described features, see the Alteon Command Reference for Alteon version 31.0.0.0.

In order to visualize the CPU utilization distribution between all SPs, use the /stats/sp/allcpu command. The default sampling interval is set to 4 seconds and can be changed to 1 or 64 seconds.

New back-end SSL statistics commands are now available from /stats/slb/ssl/backend.

You can now view the CPS rate per SSL cipher (per device measuring period, default 5 seconds). The information is available per virtual service and per filter for either the front-end or back-end connection using the /stats/slb/ssl/frontend and /stats/slb/ssl/backend menus.

Using the apropos command, you can find any CLI command based on a given pattern.

Syntax: apropos <pattern> [-i] [-d] [-u], where:

For a quick and more readable configuration dump, use the new global command cc, which prints the configuration output without keys and certificates.

Starting with version Alteon 31.0, Alteon identifies if the configuration uploaded to the device was manually changed. The following warning appears on the console, in the CLI, and as a syslog message: