EQ/OS 10.3.2 Release Notes
18 February 2015

Contents

  About This Document
  Supported Hardware
  EQ/OS 10 Documentation
  Enhancements and Fixes in 10.3.2a
    What's New
      Top Level Health Checks
      Layer 7 Header Editing
    Change Notices
      Version 8.6 Configuration Converter Not Supported in 10.3.2 and Later Releases
    Resolved Issues
    Known Issues
  Registering Your Product

About This Document

These are the release notes for the EQ/OS Version 10.3.2 releases.
Release notes are available from the Fortinet Support Site: http://support.fortinet.com

They are also available from the legacy Coyote Point Systems Website: http://www.coyotepoint.com/downloads-category/release-notes

Supported Hardware

This release is supported on all LX and GX model hardware. Please see the EQ/OS 10 Support Web Page for download links: http://www.coyotepoint.com/content/eqos-10-support-page

EQ/OS 10 Documentation

The online Webhelp system in the Equalizer graphical user interface (Web UI) contains complete hardware installation, configuration, and operation information. To display Webhelp while using the Web UI, press the F1 key or choose Help > Context Help from the menu at the top right of the Web UI screen.

The Administration Guide is the PDF version of the Webhelp available in the Web UI. The latest Guide is always available from the EQ/OS 10 Support Web Page: http://www.coyotepoint.com/content/eqos-10-support-page

Copyright 2015 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved.

Enhancements and Fixes in 10.3.2a

What's New

Top Level Health Checks

In previous releases, health check probes were limited to defining all probe parameters on an object-by-object basis. Starting with version 10.3.2a, all Health Checks are defined at the top or global level of the object hierarchy, at the same level as clusters, server pools, servers, etc. These global 'templates' are then attached to specific objects. Some Health Check parameters (e.g., IP, port) can be specified either in the Health Check itself or using the parameters of the objects to which the health check is attached.

Two basic health check types can be defined: status and load health checks. Status health checks indicate whether an object is available or not (up or down), and can be attached to any supported object.
Load health checks indicate the relative availability of an object compared to other objects, and for this reason can only be attached to server pools.

To complement top level health checks, new alert object types are now supported. In addition to the existing capability of attaching alerts to objects such as servers, you can also set alerts on health checks attached to load balancing objects (such as server instance health checks, LLB Gateway health checks, etc.).

When upgrading from version 10.3.1c and earlier releases, upgrade scripts convert your existing configuration automatically when you upgrade the firmware. The details of how existing configurations are converted to use top level health checks are in the 'Health Checks' chapter in the product WebHelp and in the Administration Guide.

Layer 7 Header Editing

Header editing allows you to add, modify, and delete Layer 7 packet header data contained in client requests and server responses. You can choose to apply header editing rules on every request or response, or you can selectively apply header edits based on whether or not the client request is selected by a match rule. Header editing is supported on Layer 7 HTTP and HTTPS clusters only.

Edits are defined using a server side scripting language, similar to PHP, that allows you to create custom scripts with a rich set of locator and editing functions that let you easily select headers, locate and modify specific header data, and use that data to add or modify additional headers. Among the operations you can perform are:

• Mask server information such as the server version.
• Update request URIs to accommodate path changes on servers. For example, you could change paths from /marketing to /departments/marketing.
• Work around broken features on the server.
  For example, if compression were broken on a server, you could delete gzip from the accept-encoding header.
• Make changes to a query string. For example, you may wish to extract a session ID from a cookie and add it to the query string before sending a request on to a server.

For more information, see the Header Editing chapter in WebHelp and in the Administration Guide.

Specifying Which System Will Generate Alerts in Failover

A new advanced option has been added to the CLI that allows the user to specify which unit in failover will generate alerts for failover groups. [Alerts for objects not associated with failover groups will continue to be generated by all units.] The new 'primary' flag on users is set as follows:

eqcli > user name flags primary

When in failover, this flag controls the generation of alerts for all failover groups. If set, alerts for the following load balancing objects will only be generated for failover groups that are in primary mode on the ADC:

• Servers
• Server pools
• Server instances
• LLB gateways

If the 'primary' flag is not set, alerts for load balancing objects will be generated for all failover groups. If not in failover, this flag has no effect. This option will be added to the Web UI in a future release.

Change Notices

Version 8.6 Configuration Converter Not Supported in 10.3.2 and Later Releases

The Version 8.6 to Version 10 configuration converter supported in previous releases is discontinued with version 10.3.2a. This means that customers currently running Version 8.6 on legacy Coyote Point GX hardware will need to follow this upgrade path to Version 10.3.2:

8.6.0i-patch1 > 10.3.1c-RELEASE > 10.3.2x

1. Customers must be running Version 8.6.0i-patch1 to upgrade to Version 10.3.1c.
2. After upgrading to 10.3.1c, the configuration converter can be used to convert a backup archive of your Version 8.6 configuration to a Version 10 configuration.
3. Once your configuration is running on 10.3.1c, you can upgrade to Version 10.3.2a and subsequent releases.

Resolved Issues

Bug ID  Description

2594  SNMP: Two new OIDs have been added to report the number of servers active in a server pool attached to a cluster or match rule: eqClusterStatusHTTPSActiveServers and eqClusterMatchRuleStatusHTTPSActiveServers.

8582  Web UI: Clusters are now sorted in ascending alphabetical order in the left frame, without regard to cluster type.

8589  SNMP: New OIDs have been added that expand the storage reporting information available for the Host Resources MIB (RFC 2790).

8638  Web UI: The HTTPS cluster summary (appears when you click on a cluster name in the left frame) has been enhanced to clearly indicate when a cluster is disabled because of a missing certificate or server pool.

8759  Link Aggregation Stability / Reliability: If a port is removed from an aggregated interface, and then the same port is re-added to the same aggregated interface, the system may panic. This bug has been fixed.

8903  Interface Reliability: The error message "MDIC write error problem" may appear in the log and cause connectivity outages on 1Gb interfaces.

8948  Alerts: In some cases, a similar alert configured for more than one user may only fire for one of the configured users. This issue has been fixed. (1204360)

9092  Web UI: Fixed scrolling issues that appear when attempting to assign a VMware UUID to a server.

9097  Email Alert Format: Enhanced the default subject line and body text of email type alerts to provide critical information at a glance. (1243443)

      The default subject line format is now:

      Subject: <hostname>: <object_type> <object_name> [in <container_object_type><container_name>] <status>: <SUBJECT>

      Note that <SUBJECT> is the user-provided text from the alert definition.

      The default alert email body is now:

      <alert_type>: <object_type> <object_name> (<IP:port>) [in <containing_object_type> (<IP:port>)] <status>

9166  IP Reputation: If the user attempts to upload a very large file that is NOT an IP Reputation database file, a success popup may appear with an 'undefined error' message. This issue has been fixed so that a failure popup appears in this case, and a proper error message is returned.

9185  Certificates: When attaching a certificate to an HTTPS cluster, the Web UI has been enhanced to prevent the user from attaching a certificate that is incomplete (e.g., missing a key file).

9189, 9300  IP Address Validation: Added validation to prevent adding an object with a blank IP address, or with an IP address that is all zeros.

9195  Certificate Validation: Modified certificate validation as follows:
      • If the user uploads a certificate and key file, and the key file validation fails against the certificate, an error is returned. Neither the key file nor the certificate file is stored.
      • If the user uploads only a certificate file and does not attempt to upload a key file, the certificate is uploaded and stored in the configuration.

9205  Failover: If two systems are configured in failover and are simultaneously rebooted, the following error may be seen on one of the systems: "47000017: eqipc call failed - configd communication error". This bug has been fixed.

9212  SSL Certificates: Improved error processing in the GUI when the user submits an invalid certificate file, or accidentally provides two key files when uploading a certificate/key file pair.

9241  Remote Management via Telnet: A new global 'services' option has been added to enable telnet access across all existing subnets.
9276  SSL Certificates: A certificate can be deleted while it is in use. This bug has been fixed; the system will not allow the user to remove a certificate unless it is not attached to any object.

9289  Web UI: Fixed an issue where a server pool cannot be removed from an enabled match rule unless there is a responder attached.

9364  Alerts: Exception alerts sent to the remote syslog are always sent with LOG_INFO priority. Exception alerts have been enhanced to return LOG_ERR, LOG_WARN, and LOG_NOTICE in the specific situations where they are required.

9367  Web UI: Fixed an issue that caused a long certificate list to be truncated on display.

9397  Failover Reliability: Preferred Peer Setting Change Not Synchronized: In a failover configuration, creating a cluster in the CLI and then immediately removing the 'preferred_peer' setting may not be correctly reflected on other peers; the existing 'preferred_peer' setting may not be updated on the remote peers. This bug has been fixed. (1271540)

9403  Failover Reliability: Corrupted UUID After Config Sync: When a real server (not a VM) is added on one unit, the change is propagated to the other peers, but a corrupted UUID value appears after config sync. (1287135)

9411  Web UI: Disabling the TLS 1.0 flag also disables the Server Side Encryption flag. This bug has been fixed. (1299256)

9434  Web UI: Fixed issues that caused the Cluster Summary to display as a blank page on Internet Explorer 9 (only).

9452  Web UI: Sorting on the Server Pool Summary page table does not work for columns other than 'Cluster'. This bug has been fixed. (1295397)

9454  Web UI: Category status (allow or block) is incorrectly reflected in the GUI, both for default and modified values. (The CLI is always correct.) This bug has been fixed. (1295015)

9489  Documentation: Updated information about addresses used as NAT addresses on outbound subnets. If a specified NAT address does not already exist on one of the unit's subnets, it will be instantiated on the appropriate subnet after the NAT is added. (1278015)

9491  Link Aggregation: If an aggregated interface is removed from a subnet, and an IP address on that subnet is then pinged, the system may panic. This bug has been fixed.

9499  Web UI Certificates: Added validation to prevent a DSA or EC certificate from being attached to the Web UI. (Currently, these are not supported for use with the GUI.)

9552, 9608  HTTPS Cluster Reliability / Stability: On hardware-accelerated systems, an HTTPS cluster can become unresponsive when certain rare events occur during SSL processing. The message returned is: "abort in cav_pending_assert unexpected cavium pending". This issue has been fixed. (1324824)

9554  HTTPS Cluster Reliability / Stability: Fixed issues with undocumented error codes (e.g., 0x42) being returned on hardware-accelerated systems.

9560  User Management: Disabling any user flags removes an already configured mail server from the user configuration. This bug has been fixed.

Known Issues

Read this section thoroughly before upgrading!

Bug ID  Description

3351, 3989  Match Rules: The debug_message(), ssl2(), ssl3(), and tls1() functions (supported in Version 8) are not accepted in expressions.

3468  Clusters: The 'Reset on server failure' global option supported in previous releases is not yet implemented in Version 10.

4101  Layer 4 UDP clusters: The 'persist override' flag on UDP cluster server instances does not override persistence.

5393  TCP/ACV Health Checks: The CLI and Web UI will indicate that a server instance is 'ACV DOWN' (or not responding to ACV probes) even when ACV is not set, when the server is not responding to TCP probes. It should be shown as 'L4 TCP DOWN'. In any case, the server is correctly marked 'down'.

5663  Health Checks: In a server pool configuration, do not define more than 16 health check instances per server instance. If 17 health check instances are defined on a server instance, the system will become unresponsive and reboot. The workaround, after the system comes back up, is to remove the 17th health check from the configuration file. This bug will be fixed in a future release.

6385  VMware Integration: In a VMware configuration where Microsoft Active Directory is used, logging in to VMware from Equalizer will fail if the VMware account used to log into VMware is defined within an Active Directory domain. On VMware the login succeeds, but on Equalizer the login attempt fails. If you test the login, it will appear to hang. Messages like the following appear in the Equalizer log: "vlbd[22043]: |e|v vCenter;|75000039: unable to send message|Message too long|". The workaround is to use a VMware account that is not defined within Active Directory to log into VMware.

6583  If you modify a VLAN MTU parameter to a value that is lower than the currently set value, you must reboot Equalizer to ensure proper operation of the network interface.

6634  UDP Health Checks: If a UDP health check is attached to an object with a port that is not port 53, 111, or 2049, then no probing will occur. If the health check is attached to a server pool, all server instances for which the destination port is one of the 3 supported ports will be probed; others will not. UDP probing on ports other than 53, 111, and 2049 will be provided in a future release.

6648  Responders: It is not possible to enter a regular expression containing a "?" character using the CLI. The workaround is to use the Web UI instead.

6669  SSH: When using SSH to log into the CLI, the file editor (for certificates, responders, etc.) may not work. This may be due to the terminal type presented to the system on login. To work around this issue, modify your terminal emulator settings before logging in and set the terminal type to 'xterm'.

6497  ACV Probes Require '\r\n' at Layer 7: In Version 8.6, Layer 7 ACV probes did not require that the user insert '\r\n' characters at the end of the probe. In Version 10, the user must add these characters at the end of the probe string manually.

6966  Web UI: Cannot define an SNMP Trap server in the Web UI. The workaround is to use the CLI.

7363  Web UI: Some CLI commands are not supported by the CLI Console widget in the Web UI Dashboard. See the online WebHelp for more information.

7599  Subnet destination (or policy) routes have been removed (see bug 7556, above). That feature included the ability to specify the source IP address to use for a packet routed to another network. Now, the system automatically configures destination routes, and uses the subnet IP address as the source IP address. The capability to specify a source IP address will be provided in a future release.

7750  Layer 4 TCP Clusters: The IP address and port for an FTP cluster (a TCP cluster with a start port of 21) cannot be modified. The workaround is to create a new FTP cluster.

7814  Failover: The per-subnet 'command' flag has been moved in the CLI to a new 'failover' context. This flag must currently be managed through the CLI. In the Web UI, this flag remains on the subnet configuration tab. Attempting to disable the flag in the Web UI appears to succeed, but if the tab is redisplayed the flag is still set on that subnet. This issue in the Web UI will be fixed in a subsequent release.

7830  The VLAN MTU parameter cannot be modified to be larger than 4839 on all LX and FortiADC hardware, as well as on Equalizer OnDemand. For legacy GX models, the MTU parameter limitation is 1500. This will be fixed in a future release.

7923  Preferred static routes: If the user adds a '0/0' static route and a preferred static route for a server with the same gateway, then the preferred static route is ignored.

8657  SSL Ciphers: The following cipher is temporarily disabled for all HTTPS clusters due to reconnection issues:
      • AES256-GCM-SHA384

8676  Upgrade using Local File in Web UI: When upgrading using a 'Local File' uploaded to the system via the browser, the system displays a popup that says: 'Downloading the upgrade archive...'. If the system runs out of space in the filestore, this popup will appear and never be dismissed. Also, the following message will appear in the system log:

      command phpcgi, on /var/crash: file system full

      If this occurs, you must remove files from the filestore (using the CLI) so that there is at least 50MB of space in the filestore. Then re-try the upgrade and it should now succeed.

9257  Web UI Certificate: A certificate that requires a DSA (DSS) private key cannot be selected for use as the certificate for Web UI HTTPS connections.

9465  Web UI: If a Health Check that returns both up/down status and a load value returns a 'down' status, the previously obtained (and now invalid) load values remain displayed in the Web UI.

9562  Health Check 'Coalescing': If 2 non-UDP health checks are identical except for the probe timing parameters, they will coalesce into a single probe. This means that probing might happen at a different interval than expected.
9630  Duplicate Cluster IP Addresses: If more than one cluster is configured with the same IP address (and different ports), then the last cluster IP/port configured on the subnet will take ownership of the address. For example:
      1. Create two clusters with the same IP address and different ports.
      2. Ping the IP address -- a ping response is received.
      3. Disable the first cluster -- the ping will still succeed.
      4. Re-enable the first cluster and disable the second -- there is no response to the ping.

Registering Your Product

Fortinet customer services (such as firmware updates and technical support) require product registration. Take a moment now to register your product at the Fortinet Customer Service and Support web site: https://support.fortinet.com

Before you can register, you will need:

1. Access to a new or existing Support Account. Information on how to create and manage a support account is provided in the Fortinet Support Portal User Guide. If your organization already has an account, obtain the user name and password information from your local account administrator to log in.

2. The serial number of the unit you want to register. You can find this information using either the CLI or the GUI after powering up your appliance:

   • To use the CLI, log in to the CLI (over the serial console or, if networking is configured, using SSH over an appropriately configured subnet) and enter the following CLI command:

     eqcli > version

     Record the System Serial Number from the command output.

   • If networking is configured and the GUI has been enabled on a subnet, you can also get the serial number from the 'System Information' widget on the GUI dashboard. The Dashboard appears automatically when you log into the GUI.
Once you have obtained both the login credentials of a support account and the System Serial Number of the unit to register, do the following:

1. Log in to https://support.fortinet.com using the login credentials obtained above.

2. Follow the instructions provided in the Registration Frequently Asked Questions under the heading "How do I register a Fortinet device?". When requested, enter the System Serial Number you obtained above into the appropriate form.

Once registration is completed, the appliance serial number and other information will appear in the FortiCare Registration area. Your system is now registered.

If your system can connect to the internet, you can now update the support information displayed in the CLI and GUI by doing one of the following:

• In the CLI, enter the following to update the support information on your unit:

  eqcli > forticare registration

  View the updated Support information (including Last refresh date, Support end, and Email) by entering:

  eqcli > version

• In the GUI, select the System configuration tab on the left navigational pane and then click on Global > Dashboard. The System Information widget on the right pane will indicate the Support information (including Last refresh date, Support end, and Email). Click on the Refresh button to update the registration information.

Note that the registration information does not update automatically in either the CLI or the GUI; you must use either the CLI 'forticare registration' command or the Refresh button in the GUI Dashboard's System Information widget to update it.
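Resolved issue 9097 above gives the new default alert e-mail subject and body templates. As an added example (not code from these release notes or from Coyote Point/Fortinet), the following Python parses both templates into one flat record that a log pipeline or SIEM can index, and rejects lines that do not match the default format. The sample alert lines are constructed; the object and alert type names in them are assumptions, and the container type and name in the subject are assumed to be space-separated.

```python
"""Parse EQ/OS 10.3.2 default alert e-mails (resolved issue 9097) into flat records."""
import re
from typing import Optional, Tuple

# Subject template from the release notes:
#   <hostname>: <object_type> <object_name> [in <container_object_type><container_name>] <status>: <SUBJECT>
# Assumptions: container type and name are space-separated and contain no spaces;
# <status> may contain spaces (e.g. "ACV DOWN") but never a colon.
SUBJECT_RE = re.compile(
    r"^(?P<hostname>[^:]+): "
    r"(?P<object_type>\S+) (?P<object_name>\S+) "
    r"(?:in (?P<container_type>\S+) (?P<container_name>\S+) )?"
    r"(?P<status>[^:]+): (?P<subject>.*)$"
)

# Body template from the release notes:
#   <alert_type>: <object_type> <object_name> (<IP:port>) [in <containing_object_type> (<IP:port>)] <status>
BODY_RE = re.compile(
    r"^(?P<alert_type>[^:]+): "
    r"(?P<object_type>\S+) (?P<object_name>\S+) \((?P<endpoint>[^)]+)\) "
    r"(?:in (?P<container_type>\S+) \((?P<container_endpoint>[^)]+)\) )?"
    r"(?P<status>.+)$"
)


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'IP:port' on the last colon so an IPv6 literal keeps its colons."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_subject(line: str) -> Optional[dict]:
    """Return the subject fields, or None if the line is not in the default format."""
    value = line.strip()
    if value.startswith("Subject:"):  # tolerate the raw mail header line
        value = value[len("Subject:"):].strip()
    m = SUBJECT_RE.match(value)
    return m.groupdict() if m else None


def parse_body(line: str) -> Optional[dict]:
    """Return the body fields with IP:port pairs split out, or None if unparseable."""
    m = BODY_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["ip"], d["port"] = split_endpoint(d.pop("endpoint"))
    container = d.pop("container_endpoint")
    d["container_ip"], d["container_port"] = split_endpoint(container) if container else (None, None)
    return d


def parse_alert(subject: str, body: str) -> Optional[dict]:
    """Merge subject and body into one flat event; None if either part does not parse."""
    s, b = parse_subject(subject), parse_body(body)
    if s is None or b is None:
        return None
    # The container's name appears only in the subject and its IP:port only in the body.
    return {"hostname": s["hostname"], "subject": s["subject"],
            "container_name": s["container_name"], **b}


# Constructed sample alert (not taken from the release notes); the object and
# alert type names are assumptions about how a unit would fill the template.
SAMPLE_SUBJECT = "Subject: eq-lx-01: server_instance web01 in server_pool sp_web DOWN: Production web tier"
SAMPLE_BODY = "status_alert: server_instance web01 (10.0.0.11:80) in server_pool (10.0.0.10:80) DOWN"

if __name__ == "__main__":
    print(parse_alert(SAMPLE_SUBJECT, SAMPLE_BODY))
```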