Changed Features in Version 31.0.4.0
Management Access
Increased Security Strength of Passwords
In this version, the security strength of Alteon local user password storage was increased. Local passwords are now stored in the configuration as SHA2-512 hashes that include a seed.
NFR ID: prod00251946
Changed Default Admin Password
Starting with this version, you are required to change the default admin password when logging into Alteon with factory configurations via CLI (console, Telnet, or SSH).
If the first login is performed via HTTPS or if the configuration is not the factory configuration, then no default admin password change is required.
The default admin password change is required for standalone and ADC-VX modes. On vADCs, because there is no factory configuration, there is no enforcement for changing the default admin password.
NFR ID: prod00251914
User Lockout after Authentication Failure
Alteon supports locking out a local user account after a defined number of consecutive failed authentication attempts during a defined lockout period. The administrator can define the duration of the lockout period.
A syslog message and a CLI notification are sent when a user is locked out.
An administrator can unlock a locked-out user account at any time.
Known Limitations:
*The CLI notification for lockout of a user does not display when using an SSH interface connection.
*In SSH, Alteon sends two syslog messages for every failed login attempt.
*In WBM, there is no notification when the user is locked out.
NFR ID: prod00251944
Restricted Certificate Management
Alteon now lets you restrict key and certificate management (generate, import, export) only to users with the Certificate Admin role.
This can be done by enabling the restricted access using the following CLI command: cfg/slb/ssl/restrict enable (available only via CLI).
When the restriction is disabled, Certificate Management is permitted, as in earlier versions, for users with the following roles: Admin, SLB Admin with certificate management permissions, Layer 4 Admin with certificate management permissions.
Only a user with Admin role can enable this restriction, and only a user with Certificate Admin role can disable the restriction.
Session Table Expansion
In previous versions, memory management allowed for reduction of the memory allocated to the session table in order to free memory for more concurrent proxy connections.
In this version, you can increase the session table by 200% or 400% for scenarios that have high Layer 4 processing rates. This requires minimum RAM as detailed in the following table:
| Platform | Minimum RAM |
| --- | --- |
| 5208 | 32 GB |
| 6024 | 64 GB |
| 6420 | 128 GB |
| 8420/8820 | 256 GB |
Notes:
*Session table expansion is supported in standalone mode.
*The session table can be supported in ADC-VX mode only when a single vADC is configured and only for the 6000 and 8000 series platforms.
*The session table size can be increased using the existing Allocated Session Table Capacity parameter.
Important: For the memory allocation change to be activated, the platform must be reset.
Tip: Use /maint/debug/peakInfo to see the last peak size of these tables.
Backend SSL Session Reuse – Default Change
For new installations, the Back-end SSL Session Reuse default has been changed to enabled.
After upgrade from a previous version, the value remains as it was before the upgrade.
OpenSSL Upgrade
OpenSSL on both the data and management interfaces was updated to the following:
*On Alteon XL/Extreme platform models: OpenSSL 1.0.2m.
*On all other Alteon platform models and Alteon VA: OpenSSL 1.1.0g.
FQDN to support underscore character
FQDN servers can now include the underscore (_) character in their FQDNs.
Increased Number of Alteon VA Certificates
The number of supported certificates on the Alteon VA is no longer fixed but varies according to the RAM size of the VM running the Alteon VA.
The following table lists the number of supported certificates per the VM RAM size.
| Key Certificate Type | RAM size < 3 GB | 3 GB ≤ RAM size < 6 GB | 6 GB ≤ RAM size < 12 GB | 12 GB ≤ RAM size |
| --- | --- | --- | --- | --- |
| SSL Keys | 99 | 499 | 1499 | 2999 |
| Certificate signing requests | 99 | 499 | 1499 | 2999 |
| Certificates | 99 | 499 | 1499 | 2999 |
| Trusted CA certificates | 24 | 124 | 374 | 749 |
| Intermediate CA certificates | 24 | 124 | 374 | 749 |
| Certificate groups | 128 | 128 | 128 | 128 |
Memory Pressure Mechanism for WAF
The new memory pressure mechanism for WAF decreases the possibility of the integrated AppWall process reaching 100% memory utilization and requiring reboot, which can cause traffic disruption.
With the new mechanism, when memory utilization reaches 82.5%, Alteon stops forwarding new connections to the AppWall process. These connections continue with regular Alteon processing without WAF inspection. Existing connections continue to be forwarded to the AppWall process. Alteon starts forwarding new connections to AppWall once utilization goes under 77.5%.
Entry into and exit from this bypass mode for new connections are reported via SNMP trap, syslog, and so on.
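The two thresholds form a hysteresis band, so whether a new connection is inspected at a given utilization depends on what came before. The following sketch is an added illustration, not Alteon code: it models the behaviour described above to show how many new connections would pass without WAF inspection and which transitions should appear in monitoring. The per-interval sampling, the function name simulate, and the sample data are assumptions; the boundary handling (enter at 82.5% or above, exit strictly below 77.5%) is one reading of "reaches" and "goes under".

```python
# Added illustration: models the thresholds stated in the release note,
# not Alteon's implementation.
ENTER_BYPASS = 82.5   # % utilization at which new connections stop going to AppWall
EXIT_BYPASS = 77.5    # % utilization below which forwarding to AppWall resumes


def simulate(samples):
    """samples: list of (memory_utilization_percent, new_connections) per interval.

    Returns (events, inspected, uninspected), where events lists the
    bypass entry/exit transitions an operator should see reported.
    """
    bypass = False
    events, inspected, uninspected = [], 0, 0
    for tick, (util, new_conns) in enumerate(samples):
        if not bypass and util >= ENTER_BYPASS:
            bypass = True
            events.append((tick, "enter_bypass", util))
        elif bypass and util < EXIT_BYPASS:
            bypass = False
            events.append((tick, "exit_bypass", util))
        # Only connections opened in this interval are affected; connections
        # already handed to AppWall stay there.
        if bypass:
            uninspected += new_conns
        else:
            inspected += new_conns
    return events, inspected, uninspected


# Constructed sample data: utilization climbs, hovers between the two
# thresholds, then recovers.
SAMPLES = [(70.0, 100), (81.0, 100), (82.5, 100), (80.0, 100),
           (78.0, 100), (77.5, 100), (77.4, 100), (80.0, 100)]

if __name__ == "__main__":
    events, inspected, uninspected = simulate(SAMPLES)
    for tick, kind, util in events:
        print(f"t={tick} {kind} at {util}%")
    print(f"inspected={inspected} uninspected={uninspected}")
```

In the sample data, new connections at 81.0% are inspected before the bypass starts, while new connections at 80.0% after it starts are not, so an alert on the entry notification is what marks the start of an uninspected window.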
Time Zone Offset in Syslog
In previous versions, Alteon did not display the time zone offset in the syslog timestamp. In this version, a new command has been added to enable or disable the new timestamp in syslog messages: /cfg/sys/syslog/extdlog
If this command is enabled, the timestamp in MP- and SP-generated syslog messages includes the year and UTC time zone offset. If it is disabled, the timestamp remains as it is currently designed (with only the month and day).
BUG ID: prod00255017
Total Cipher Count
The list of ciphers in use, with their hit counters, now includes a total hits counter in addition to the current hits counter (available in the SSL statistics of filters and virtual services - /stat/slb/ssl).
Warning on Apply from WBM
Warning messages now also display in WBM (as a yellow note) upon a successful Apply. In earlier versions, the warning only displayed on a failed Apply.