Release Notes
Release Summary
Release Date: February 15, 2017
Objective: Major software release introducing new capabilities and offerings
Upgrade Path
You can upgrade to this AlteonOS from AlteonOS versions 28.x, 29.x and 30.x.
General upgrade instructions are found in the Alteon Installation and Maintenance Guide.
General Considerations
Hypervisors (ADC-VX) running a certain version (for example, 31.0) only support vADCs
that run the same version or later.
Downgrade
Configuration rollback (downgrade) is not supported. The configuration should be saved before
upgrading to a newer version. If you perform version rollback, after the downgrade upload the
saved configuration.
What’s New
This section describes the new features and components introduced in this version on top of
Alteon version 30.5.1.0.
For more details on all features described here, see the Alteon Application Guide and the Alteon
Command Reference for AlteonOS version 31.0.0.0.
The Alteon 6024 VX platform includes the following enhancements as part of version 31.0:
Maximum number of supported vADCs – This was increased from 20 to 32.
Elastic Core Allocation on the Alteon 6024 Platform – Alteon 6024 supports the elastic
core allocation configuration (previously named "advanced core allocation"). There is no
option to disable the elastic core allocation on this platform. The system default mode is
performance mode, supporting up to 20 vADCs.
In this version there are now two redundant management ports providing out-of-band highly
reliable management interfaces with enhanced security.
NFR ID: prod00237950
Performance
SAML SSO works by transferring the user’s identity from one place (the identity provider) to
another (the service provider). This is done through an exchange of digitally signed
XML documents. In this version, the Alteon Authentication Gateway introduces new support for
SAML 2.0 SP functionality. It can integrate with external SAML 2.0 Identity Providers (IdP) for
the purpose of Single Sign-on (SSO) implementation across the organization. The
Authentication Gateway functions in such a setup as the SAML Service Provider (SP), offering
authorization and access control services to the back-end applications along with its currently
available back-end authentication schemes, such as Form Based Authentication, NTLM, and
Kerberos Constrained Delegation (KCD).
One example of such integration with SAML IdP is Microsoft ADFS 3.0. ADFS provides
simplified and secured identity federation and Web Single Sign-on capabilities for end-users
who want to access applications within an ADFS-secured enterprise, or in the Cloud. The Alteon
Authentication Gateway can integrate with ADFS, which can be configured as a SAML IdP. In
such a setup, Alteon can offer comprehensive Application Delivery and security services for the
Microsoft application environment. Not only does it provide a replacement to TMG/UAG
functionality in such an environment, but it also provides significant enhancements to
functionality currently provided by TMG/UAG. SAML SSO provides better protection, significant
performance optimization, and scalability to Web-based applications. Next generation services,
built into the Alteon ADC, add advanced load balancing and health checks with Layer 7
awareness, content and URL filtering, content rewrites, user programmable policies and traffic
steering logic, a Web Application Firewall, network access control, an authentication gateway,
single sign-on, Web access management, and hardware-based SSL termination.
Alteon has also been tested and certified for Microsoft SharePoint based on its integration with
ADFS. A detailed Technical Integration Guide (TIG) for integrating the Alteon Authentication
Gateway with ADFS and SharePoint with back-end KCD authentication is available.
PPTP Support
With the full implementation of the Smart NAT feature, Alteon now fully supports VPN and other
Point-to-Point Tunneling Protocols such as PPTP.
Limitation: Only IPv4 is supported
NFR ID: Prod00239734
Alteon VA/NFV/Cloud
VMware
Alteon VA on VMware reaches 10 Gbps throughput over VMware and no longer requires
PCI-[pass through/SR-IOV] to reach this throughput.
Starting with this version, VMware ESXi version 4.1 is no longer supported.
Microsoft Azure Support (which will be available a few weeks after the official release of
version 31.0)
Alteon VA on Azure now supports both High Availability (HA) and Global Server Load Balancing
(GSLB):
Ease of deployment – Similar to LBaaS
In version 31.0, Alteon VA is integrated with the Azure solution template.
This enables you to configure Alteon VA from the Azure portal without accessing either the
Alteon CLI or WBM.
SLB configuration
To configure Alteon VA for Basic SLB, you only need to provide the number of real servers
and their IP addresses, beyond the regular VM deployment parameters. If you choose, you
can also change the SLB metrics.
After the Alteon VA is up, it is ready to load balance your servers, even without accessing
the Alteon VA user interface.
Virtual servers now support load balancing of IPsec along with TCP, UDP, and ICMP.
IPsec support has been added to the virtual service IP address (port 1). Now, when the protocol
parameter is configured as both in the IP service configuration (/cfg/slb/virt
<xyz>/service 1/protocol both), it also includes IPsec along with TCP, UDP, and ICMP.
Notes:
IPsec negotiation does not work with the Gateway ID type as IP, but only with type FQDN
(DE19232).
Proxy IP (PIP) cannot be used for an IPsec tunnel while NAT-T with IPsec Gateway is
working (DE19111).
In an SLB environment with persistent binding set to Client IP and rport configured, IPsec
traffic is not load balanced (DE19089).
This NFR enhances the capabilities of tracking real servers for HA purposes. When selecting
this mode, you can either track all the real servers (as was done prior to version 31.0) or
explicitly select the real servers you want to track.
Notes:
Using WBM in Switch HA mode only, when real server tracking is enabled, all the real
servers are considered for tracking.
Use the CLI if you want to configure Alteon to track just a smaller set of the real servers.
Configure the active switch/group on the master Alteon before you configure the backup
Alteon.
If you configure the backup Alteon before the master, a failover occurs. The backup
switch/group takes control because its “priority” is higher (as a result of the new tracked
servers that were added to it).
If one or more of the tracked servers becomes unavailable, an unexpected failover can
occur if the health check sent from the backup switch precedes the health check sent from
the master, and vice versa when the servers become available again.
NFR ID: prod00229797
This NFR provides additional flexibility in defining routes when advertising the VIPs through
BGP on Alteon platforms. The capability to assign a network class to the route map active list
and on top of network filters was added. You can assign either a network class or network filters
(but not both).
NFR ID: prod00245390
An option to stop the VIP BGP advertisement when all servers are set to operational disable
was added.
NFR ID: prod00238047
The number of supported routes for Equal Cost Multipath Routing in OSPF was extended from
3 to 4.
NFR ID: prod00247457
In this version, Alteon now enables making load balancing decisions based on the geographical
location of the traffic source or destination. For this purpose, Alteon has integrated the MaxMind
GeoLite2 City geolocation database.
To define a geolocation, you must configure a network class of the new type Region. The
Region network class lets you define a location down to the State level (Continent, Country, or
State).
This feature includes the following capabilities:
Select a data center based on the geographical location of the client (GSLB). The selection
is made via the DNS Rule Network metric:
The DNS Network metric now lets you define the network using the legacy range or a
Network Class (either the IP or Region type).
In addition, the selection can be made based on the geographical location of the DNS
client (LDNS) or on the geographical location of the actual client, if its IP address is
present in the DNS request (EDNS0 extension).
Select a link based on the geographical location (LinkProof):
For inbound traffic, the selection is made based on the geographical location of the
client. The selection is made via a DNS Rule Network metric (the same as for GSLB).
For outbound traffic, the selection is made based on the geographical location of the
destination.
Provide different services based on the user’s geographical location. For example:
Traffic from French customers should go to group of servers that have French content.
Response traffic to a customer from Afghanistan should be compressed due to high
latency.
Block traffic from/to certain countries.
Enforce different bandwidth/rate limits per geolocation.
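The choice described above between the LDNS address and the actual client address comes down to whether the DNS request carries an EDNS0 Client Subnet option. The following is an added example, not Alteon code: a parser for that option (RFC 7871 layout) that falls back to the resolver address when the option is absent or malformed. The function names, the sample query bytes and the resolver address are constructed for illustration.

```python
import ipaddress
import struct

ECS, OPT = 8, 41  # EDNS Client Subnet option code (RFC 7871), OPT RR type
NETS = {1: (ipaddress.IPv4Network, 4), 2: (ipaddress.IPv6Network, 16)}
# Constructed sample: A query for www.example.com carrying ECS 203.0.113.0/24.
SAMPLE_ECS = bytes.fromhex(
    "1234 0100 0001 0000 0000 0001"                      # header: QD=1, AR=1
    "03777777 076578616d706c65 03636f6d 00 0001 0001"    # www.example.com A IN
    "00 0029 1000 00000000 000b 0008 0007 0001 18 00 cb0071")  # OPT RR with ECS
SAMPLE_PLAIN = SAMPLE_ECS[:11] + b"\x00" + SAMPLE_ECS[12:33]  # no OPT, AR=0

def _skip_name(buf, pos):
    while buf[pos]:
        if buf[pos] & 0xC0:
            raise ValueError("compressed name not expected in a query")
        pos += buf[pos] + 1
    return pos + 1

def client_subnet(query):
    """Return the ECS network carried in a DNS query, or None if absent/malformed."""
    try:
        qd, an, ns, ar = struct.unpack_from("!HHHH", query, 4)
        pos = 12
        for _ in range(qd):
            pos = _skip_name(query, pos) + 4          # QTYPE + QCLASS
        for _ in range(0 if an or ns else ar):        # a query has no answers
            pos = _skip_name(query, pos)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", query, pos)
            pos, end = pos + 10, pos + 10 + rdlen
            while rtype == OPT and pos + 4 <= end:
                code, olen = struct.unpack_from("!HH", query, pos)
                if code == ECS:
                    family, src_len, _ = struct.unpack_from("!HBB", query, pos + 4)
                    cls, size = NETS[family]
                    addr = query[pos + 8:pos + 4 + olen]
                    if len(addr) != (src_len + 7) // 8 or pos + 4 + olen > end:
                        return None
                    return cls((addr.ljust(size, b"\0"), src_len), strict=False)
                pos += 4 + olen
            pos = end
    except (IndexError, KeyError, ValueError, struct.error):
        return None
    return None

def geolocation_source(query, ldns_ip):
    """Address a Region lookup should use: ECS client subnet, else the LDNS."""
    ecs = client_subnet(query)
    return ("client", ecs) if ecs is not None else ("ldns", ipaddress.ip_network(ldns_ip))
```

The client subnet is whatever the forwarding resolver chose to include, so region rules that block or rate-limit are worth logging with both the ECS value and the LDNS address.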
GSLB Enhancements
Dynamic IP Reputation
IP Reputation is a new added value security feature that protects Alteon from ‘known *’
malicious IP addresses.
The malicious IP addresses database is dynamically updated by Cyren (or in future versions,
any other vendor) and automatically downloaded by Alteon.
You can easily and effectively stop network-based IP threats that are targeting your network,
and define whether to block or issue alerts for malicious IP addresses based on region,
category (spam/Malware) or level of severity.
AppShape++ Enhancements
The full HTTP/2 Proxy capability lets you load balance HTTP/2 traffic to HTTP/2 real servers.
The following features are available for the HTTP/2 Proxy:
Front end SSL offload
Backend SSL encryption
HTTP/2 health check
Important: HTTP/2 Full Proxy support is in beta mode. You must contact the local Radware
account team if you want to activate and test this capability.
The below capabilities were added in order to make technical support more efficient:
Identifying the RCA quicker
Reducing the need to install the debug version in the field
Reducing the need for reproduction (better traceability)
Understanding upgrade issues quicker
SP Logger
SP logger information is used for critical SP issues, such as the SP not being able to load.
The information is logged at /disk/logs/messagesSP and exportable via techdata.
Console Log
This feature was first introduced in version 30.5.2.0.
All console output is saved to disk. The information is logged at /disk/logs/console_log and
exportable via techdata.
vADC Console
The vADC console feature provides console access to individual vADCs, and lets you easily
switch between the vADCs on the platform.
The vADC console is enabled by default for version 31.0 and later, or for upgrades from version
31.x and later.
When upgrading from earlier versions, the vADC console is disabled. To enable it, run
the command /c/sys/vconsole on the VX console. (This requires applying, saving the
configuration, and rebooting the platform.)
This feature is available using the Telnet protocol, with a Linux keyboard simulation.
Use the following key combinations to switch between the vADC consoles:
CTRL+B, N — Goes to the next vADC console screen.
CTRL+B, P — Goes to the previous vADC console screen.
CTRL+B, <terminal slot number> — Goes to the specified vADC console screen
For slots greater than 10, press CTRL+B, ' and, when prompted, enter the slot number.
CTRL+B, 0 — Goes to the base ADC-VX console screen.
SP Distribution Monitoring
In order to visualize the CPU utilization distribution between all SPs, use the
/stats/sp/allcpu command. The default sampling interval is set to 4 seconds and can be
changed to 1 or 64 seconds.
CLI Commands
The Technical Support Data File (tsdmp), which is part of the techdata file, is one of the main
debugging tools in Alteon. It contains all the required information on the device (such as
configuration, statistics, run-time information, events and so on) to help with problem
investigation. Starting with Alteon 31.0.0.0, in order to ease the use of this file, the following
improvements were made:
Table of contents
Summary Section – Section that includes highlights
Command Headlines – These headlines display the CLI command name before the
command output.
CLI Command Conditional Output – Rarely needed outputs are now conditional
techdata <hostname> <filename> <-tftp|username password> [-mgmt|-data] [-scp] [-key <passphrase>] [-dnssec] -[persist] [-ucb]
Added Historical Event and Error Counters – Displays the last 15 seconds, 30 seconds,
45 seconds, 60 seconds, 75 seconds counters
Known Limitations
This section lists known limitations for version 31.0.0.0.
Upgrade Limitations
Alteon VA Limitations
WBM Limitations
This section includes limitations of the Smart NAT feature that was added in version 30.5.2.0.
All of these limitations are scheduled to be fixed in version 31.0.0.0.
| Item | Description | Bug ID |
|------|-------------|--------|
| 1 | In a Smart NAT environment for outbound traffic and Global SLB DNS queries, sometimes the priority doesn't work as expected. | DE19218 |
| 2 | Statistics are displayed for the wrong NAT ID. | DE19177 |
| 3 | In a No NAT static NAT environment, even though the local server is up and running and HTTP requests are forwarded to the local server, no response is given to the ICMP command (that is, the ping to the static address does not work). | DE18963 |
| 4 | You can submit a Smart NAT entry with different IP versions (such as IPv4 SNAT and IPv6 WAN link). | DE18862 |
| 5 | When adding an IPv6 NAT, in the Smart NAT table the local address and NAT address columns display address 0.0.0.0 instead of the IPv6 address. | DE19118, DE20225 |
General Limitations
FastView Limitations
AppWall Limitations
© 2017 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered
trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective
owners. Printed in the U.S.A