EQ/OS Release Notes

Transcription

1 EQ/OS Release Notes About This Document... 3 Supported Hardware... 3 EQ/OS 10 Documentation... 3 Enhancements and Fixes in f... 4 What s New... 4 HTTP and HTTPS Application Health Checks... 4 Distributed Denial of Service Protection... 4 New Header Editing Features... 5 Enhanced Interface Port Statistics... 5 Selecting Cipher Preference on HTTPS Clusters... 5 Change Notices... 5 Changes to Default Cipher Specification for HTTPS Clusters... 5 OpenSSL Updated to 1.0.1p... 5 Remove SSLv2 From Allowed Protocols... 6 Upgrade Aborted for HTTPS Clusters with Only SSLv2 Selected... 6 Support SSLv2 for Server Side Encryption of Legacy Applications... 6 Minor Change to ACV Health Checks... 6 Resolved Issues... 6 Enhancements and Fixes in e-patch What s New... 9 Multi-Pick Web UI Interface for SSL Cipher Suites... 9 Resolved Issues... 9 Enhancements and Fixes in d What s New HTTP Caching FortiDirector Integration Header Editing Enhancements UDP Health Checks for Any Port Alerts Support Wild Card for Object Type USB Drive Support Page 1 of 35

2 LACP Status of Link Partner Added to Aggregated Link Status Change Notices User Accounts Now Sync Between Failover Peers Layer 4 Persistence Behavior Modified Forcefully Deleting Objects in Web UI Web UI Plots for CPU and Memory Default HTTPS Cluster Ciphers Japanese Language Web UI Update Health Check Coalescing Changes Upgrade Image for E250GX Does Not Allow Downgrade to the Previous Release Resolved Issues Fixes in c Resolved Issues Fixes in b-patch Resolved Issues Enhancements and Fixes in a What s New Top Level Health Checks Layer 7 Header Editing Specifying Which System Will Generate Alerts in Failover Change Notices Version 8.6 Configuration Converter Not Supported in and Later Releases.. 23 Resolved Issues Known Issues EQ/OS 10 Images and Documentation Fortinet Support Site Registering Your Product Copyright 2015 Coyote Point Systems Inc. Page 2 of 35

3 About This Document These are the release notes for EQ/OS Version releases. Release notes are available from the Fortinet Support Site, in the Coyote Point file download area: 1. Log in to support.fortinet.com using your support account information. 2. Click on Download near the top of the Support Home Page, and choose Firmware Images from the drop-down menu. 3. In the Select Product box, choose CoyotePoint. 4. Click on the Download tab. 5. Click on Supported Hardware This release is supported on all LX and GX model Equalizer hardware. For download image links, see the section EQ/OS 10 Images and Documentation. EQ/OS 10 Documentation The online Webhelp system in the Equalizer graphical user interface (Web UI) contains complete hardware installation, configuration, and operation information. To display Webhelp while using the Web UI, press the F1 key or choose Help > Context Help from the menu at the top right of the Web UI screen. The Administration Guide is the PDF format version of the Webhelp available in the Web UI. The latest Guide is always available for download in PDF format here: ftp://ftp.coyotepoint.com/pub/doc/v10/adminguidev10.pdf Copyright 2015 Coyote Point Systems Inc. Page 3 of 35

4 Enhancements and Fixes in f What s New For more information on all the new and changed features in this release, see the appropriate sections of the online WebHelp included with the Web UI. Press F1 at any time when viewing the Web UI to bring up the context-appropriate section of WebHelp. HTTP and HTTPS Application Health Checks Two new Health Check types are now available that provide application specific web service availability and status checks over HTTP and HTTPS. These health checks allow you to: Specify the target object s IP address and port in the probe configuration, or inherit the target object parameters from the attached object. Choose the HTTP method (GET, POST, HEAD) for the health check. Include specific headers and header content in health check probes. Set the HTTP return codes and data expected to be received from the target. Set basic HTTP authentication parameters for the health check. Distributed Denial of Service Protection Distribute Denial of Service (DDoS) protection uses heuristic analysis to prevent DDoS attacks from a single or many clients. This analysis is performed at both the global level (i.e., across all clusters) and at the cluster level, when specific profiles have been attached to clusters. DDoS protection is used by first running in monitor mode in this mode, the system examines the flow of traffic through the system and decides upon recommended values for the various thresholds supported. It is important that the system be in monitor mode for a period of time that encompasses at least one peak traffic period for the applications (clusters) on which DDoS has been enabled. At the end of the monitoring period, the user then sets the thresholds in DDoS profiles to the values recommended by the system and changes to mitigate mode. Once in mitigate mode, the DDoS subsystem watches the cluster traffic and makes decisions to block (or not block) traffic based on the current traffic level and the specified threshold settings. DDoS attacks and system mitigation actions can be tracked through statistics, graphs, and plots on the system Dashboard, and in the profile-specific tabs for the global profile and for each cluster profile you create. Copyright 2015 Coyote Point Systems Inc. Page 4 of 35

5 New Header Editing Features Header editing for Layer 7 clusters has been enhanced to allow user variables, provide the ability to create complex conditional expressions, and emit more detailed execution traces to enhance debugging: User-defined variables are now supported, as well as the ability to compare two variables. If-Then-Else control flow (including nesting) is now supported. The negation operator (!) can be used to negate conditional expressions. The logical constructs && and are now supported. Improved tracing and diagnostics are now provided in the header editing CLI. Enhanced Interface Port Statistics Interface port statistics have been enhanced to provide additional statistics to aid in troubleshooting networking issues. These are provided in the CLI under the interface context, and in the GUI under System > Network > Interface. (3604) Selecting Cipher Preference on HTTPS Clusters A new option on HTTPS clusters (use_server_cipher_preference in the CLI; Server Cipher Preference in the GUI) lets you change whose list of ciphers are preferred when a client and a cluster (the server in the negotiation) negotiate a secure connection. By default, the client cipher order is used. When this option is enabled, the order of ciphers configured on the cluster is used. Change Notices Changes to Default Cipher Specification for HTTPS Clusters The default cipher specification for newly created HTTPS clusters has been changed to contain the following ciphers, in this order: ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-DES-CBC3-SHA AES128-SHA:DES-CBC3-SHA Existing HTTPS clusters are unaffected by this change. OpenSSL Updated to 1.0.1p On all LX models, the version of OpenSSL used for software-only SSL and hardwareaccelerated SSL has been updated to Version 1.0.1p. Note that on the legacy GX hardware models, software SSL is upgraded to 1.0.1p. However, on E450GX and E650GX hardware, the OpenSSL version for hardware-acceleration is not Copyright 2015 Coyote Point Systems Inc. Page 5 of 35

6 being upgraded. Customers with these models should enable Software Only SSL on all HTTPS clusters. Remove SSLv2 From Allowed Protocols SSLv2 is no longer supported on HTTPS clusters, since it is regarded as an insecure protocol. SSLv2 specific ciphers will no longer be permitted for client connections to HTTPS clusters. Upgrade Aborted for HTTPS Clusters with Only SSLv2 Selected Because this release does not support SSLv2, if any cluster in your configuration is enabled for SSLv2 only, the upgrade will be aborted. The workaround is to select a higher protocol version and then re-try the upgrade. Support SSLv2 for Server Side Encryption of Legacy Applications Support for SSLv2 has been added to the Server Side Encryption feature, to support legacy applications that still use SSLv2. This is intended to be used in situations where the backend servers run applications that require SSLv2. Since all client access occurs through the ADC, this does not present any security issues, as long as the servers are properly firewalled to prevent direct client access. (10188) Minor Change to ACV Health Checks The query CLI parameter for ACV health checks ( Query in the GUI) has been changed to send_data ( Send Data in the GUI). Resolved Issues Bug ID Description 6648 Regular Expressions in CLI: A? (question mark character) cannot be entered into a regular expression in the CLI, since the CLI recognizes this as the help character. Instead, the CLI prints the context help. This bug has been fixed Health Check Icons in GUI: On the Server Pool and Cluster Summary screens, server instance health is indicate with three icons: gree, red, and yellow. In some cases, the green and yellow icons are showing the same number of server instances when the server instance status should be indicated as healthy (green). This bug has been fixed Timestamps on Saved Files Incorrect (CLI): It has been observed that some commands (like tcpdump) that create output files on the system use the wrong timezone when creating the filename (which includes the time the file was created). This bug has been fixed. ( ) Copyright 2015 Coyote Point Systems Inc. Page 6 of 35

7 10024 Networking: Path MTU discovery is broken for HTTP and HTTPS clusters. This bug has been fixed Health Check Test (GUI): If a health check test fails, the popup window containing the failure message is broken. This bug has been fixed CLI Commands Broken over SSH: Some CLI commands (e.g., show boot ) do not work if you logged into the CLI over SSH. This issue has been fixed Layer 7 SYN Cache: The SYN cache was broken in the previous release and has now been fixed Arbitrary HTTP Methods: Support for arbitrary HTTP methods was broken in the previous release. Support for arbitrary HTTP methods has been restored, and the following known methods have been verified as working correctly. CONNECT COPY DELETE GET HEAD LOCK MKCOL MOVE OPTION POST PROPFIND PROPPATCH PUT TRACE UNLOCK ( ) HTTPS Clusters: The roxy daemon will exit with a cannot open for write error message if it cannot open files it uses for internal purposes. The daemon has been modified so that it will log the problem and continue, instead of exiting CLI Widget on GUI Dashboard: Fixed an issue that caused broken or missing output from commands entered into the CLI widget Regular Expressions in GUI: When entering a regular expression in the GUI, a slash ("\") entered by the user is replaced by two slashes ("\\") when the expression is committed. This bug has been fixed. Copyright 2015 Coyote Point Systems Inc. Page 7 of 35

8 10244 The tcpdump CLI Command Fails with Permission Denied: Running the tcpdump command ( diags tcpdump ) displays a permission denied error under certain circumstances, due to a problem with capturing output to pcap files. This bug has been fixed Server Pool Active Connections Incorrect when Caching Enabled: It has been observed that when caching is enabled on a server pool, the statistics output for active connections can be a very large (and incorrect) value. This bug has been fixed GUI Cipher Selection for HTTPS Clusters: The ability to sort by column in the cipher selection table on the HTTPS cluster Security > SSL tab has been removed, since sorting the ciphers changes the order in which the ciphers are offered to the client. You must explicitly move the ciphers to the order in which you want them presented to clients HTTP/HTTPS Health Checks: Fixed an issue that could cause the health check monitor daemon to dump core when adding or deleting a header from an HTTP or HTTPS health check. Copyright 2015 Coyote Point Systems Inc. Page 8 of 35

9 Enhancements and Fixes in e-patch1 Note: e-RELEASE was created and posted to the FTP site, but never officially released to customers. In the unlikely event that some small number of users may have downloaded and installed it, we are releasing an updated image as patch1 to avoid any possible confusion. What s New Multi-Pick Web UI Interface for SSL Cipher Suites A new interface for configuring cipher suites for HTTPS clusters has been added to the Load Balance > cluster name > Security > SSL tab. In previous releases, the configured SSL cipher suites for a cluster were specified in a text box as a single user-supplied string. In this release, a new list-based interface that presents the available cipher list for the platform, and enable/disable them by moving them into (or out of) the Configured Cipher List. The list of available ciphers presented is specific to the Equalizer model. (7360) Resolved Issues Bug ID Description 7337 Event log: Fixed an issue that prevented display of error messages by object using the hierarchy on the left side of the log display Responders (Redirect): Fixed an issue that can cause a responder s regular expression to become corrupted. (20143) 9000 Responders: Fixed an issue that prevented keep-alive connections from working when a Responder replied to a client request Failover: Fixed two issues: 1. Peers do not listen on the Command subnet (the subnet over which peers communicate status and other information) unless the Heartbeat flag is enabled on that subnet. 2. If the user accidentally enters an incorrect failover signature (one that does not match any remote peer), this can under certain circumstances cause a core dump of the Peer Management daemon (peerd). Copyright 2015 Coyote Point Systems Inc. Page 9 of 35

10 9775 Health Checks: An issue was observed where a bogus VLB manager value for an object to which a health check is attached could cause the health check monitor daemon (mond) to dump core. This issue has been fixed. ( ) 9832 IPv6 Routing: Fixed an issue that caused an IPv6 route to be added to the IPv4 routing table, resulting in a bogus route. ( ) 9940 Failover: Fixed an issue that caused a peer to go into Isolated mode in a configuration with over 20 VLANs. ( ) 9848 System ID: On the 100E only, a 40 character System ID is generated. This issue has been fixed, and a 12 character System ID is now generated (as on other hardware models) Logging: During system startup, some unnecessary messages of the form eqipc call failed configd communication error. Operation cancelled are logged. The messages (numbered: , , , , , ) do not indicate any issue with the unit, and are no longer logged. ( ) 9864 Web UI: Fixed an issue that prevents a user from modifying an alert for a Link Load Balancing Gateway Web UI: Fixed an issue that allowed the user to add an alert without specifying the type of notification for the alert (a required parameter) Web UI: when a locale other then en is selected, the drag and drop feature in the left frame of the Web UI does not work. This issue has been fixed Export of Web UI Event Log: Seconds are not reported in the data exported by the Web UI when you select Export to CSV. This bug has been fixed Stability: Fixed an issue that can cause a small memory leak when performing match rule operations Failover / NAT: Fixed an issue that caused a subnet NAT IP address to be instantiated on a peer in Backup mode after a reboot. ( ) Failover: Fixed an issue observed in active-passive failover where both peers appear in Backup state after executing the rebalance CLI command NAT & Failover: When NAT is configured while also in failover, spurious log messages may be seen of the form NAT out IP_address: Not in internal configuration. This issue has been fixed. Copyright 2015 Coyote Point Systems Inc. Page 10 of 35

11 10010 Networking: Fixed an issue where a Gratuitous ARP (GARP) was being issued only once. GARPs are now issued 3 times Failover: In active-passive mode, a subnet Failover IP Address on the current primary may not be instantiated on the other unit when a failover occurs. This is demonstrated by using the ping command on the Failover IP Address and getting responses of the form Time To Live exceeded for icmp_seq=number. This bug has been fixed SSL: Reduced the amount of memory consumed by SSL-related system daemons for HTTPS clusters Header Editing Cleanup: Removed the hdredit cluster parameter from the system configuration file. Its presence in the cluster configuration caused no issues, but it is no longer necessary and has been removed. ( ) Copyright 2015 Coyote Point Systems Inc. Page 11 of 35

12 Enhancements and Fixes in d What s New For more information on all the new and changed features in this release, see the appropriate sections of the online WebHelp included with the Web UI. Press F1 at any time when viewing the Web UI to bring up the context-appropriate section of WebHelp. HTTP Caching HTTP caching has been added as an option on all server pools. Caching is disabled by default. When enabled on a server pool, the cache is active when the server pool is attached to a Layer 7 cluster, and inactive when the server pool is attached to a Layer 4 cluster. Each server pool cache can be individually configured with its own: Replacement policy (Largest or Oldest) Maximum cache size Cacheable page types Cacheable item size Maximum item age FortiDirector Integration FortiDirector is a Global Service Load Balancing (GSLB) service that provides a cloudbased alternative to the native Envoy GSLB service installed with Equalizer. FortiDirector is completely cloud-based and requires no additional software to be installed on monitored devices. It takes inbound queries and responds with DNS or HTTP redirect responses that are determined by user-defined health checks. These health checks specify how each network resource is to be monitored, and what the thresholds are for considering the network resource to be UP or DOWN for the purpose of making GSLB decisions. The Equalizer Web UI includes an interface to FortiDirector that allows you to: Sign up for a free FortiDirector trial account. As part of the sign up process, a network resource is also automatically created within FortiDirector. Monitor HTTP and DNS redirect statistics generated by the FortiDirector service for devices connected to a FortiDirector account. For more information on FortiDirector, please see the FortiDirector Documentation Page. Copyright 2015 Coyote Point Systems Inc. Page 12 of 35

13 Header Editing Enhancements The following enhancements have been made to the Header Editing feature: Additional functions have been added to allow editing of name=value pairs: Locator functions: str_find_item str_find_item_value str_find_item_by_name Editing functions: str_insert_item str_delete_item str_replace_item str_replace_item_value Overlapping edits are now detected by the header edit compiler. Comments can now be included in header edit scripts by preceding them with a pound symbol (#); all text appearing after the pound sign on the same line are considered part of the comment. If the first character of a line is the pound sign, the entire line is considered a comment. UDP Health Checks for Any Port In previous releases, UDP health checks only worked for three well-known UDP services: DNS, Portmap, and NFS (ports 53, 111, and 2049, respectively). If the port on the device being probed is the port for one of these services, then service-specific UDP health checking is performed; otherwise, no health checking is performed. In this release, generic probing of any UDP port is supported. If a port other than one of the three well-known service ports above is being probed, then a UDP datagram is sent to the Health check target. If any UDP datagram is received from the target, it is considered UP for that health check; otherwise, it is considered DOWN. (6634) Alerts Support Wild Card for Object Type The Object Type of an alert specifies the type of the target object for the alert, and in previous releases was constrained to one particular type it was not possible to create an alert that would fire based on objects of more than one type. Now users can specify an object type of *, which indicates that an object of any type can fire the alert. (6862) Copyright 2015 Coyote Point Systems Inc. Page 13 of 35

14 USB Drive Support The CLI now supports the ability to copy files between the file store and a locally attached USB flash drive. The USB flash drive must be pre-formatted with an MSDOS filesystem, and the user must manually mount and unmount the USB flash drive. (8598) LACP Status of Link Partner Added to Aggregated Link Status The output of the show agr command in the CLI has been enhanced to show the MAC address and LACP status returned by the device on the other end of the link (the link partner ). This will be added to the Web UI in a future release. (8622/ ) Change Notices User Accounts Now Sync Between Failover Peers User accounts are now synchronized between failover peers. As with all other objects, the user accounts on the system with the highest configuration sequence number will be automatically propagated to all other failover peers. (8158) Layer 4 Persistence Behavior Modified The persistence (sticky) behavior for Layer 4 clusters has been modified so that all sticky connection records for a cluster or server are removed when any of the following events occur: The cluster or server is deleted. The cluster or server name, IP address, or port is modified. The server or an associated server instance is marked down. The weight on a server instance associated with a server is set to 0. In all the above cases, all persistent connections will be terminated. (7680) Forcefully Deleting Objects in Web UI In previous releases, it was not possible in the Web UI to delete an object (such as a server pool) if it was attached to another object (i.e., a cluster). The GUI now prompts the user to forcefully remove the object from the system and from all objects to which it is currently attached. (4651) Web UI Plots for CPU and Memory The Web UI under Log & Reports > CPU & Memory has been enhanced to allow the user to plot CPU and memory usage statistics, using either static or real-time data sampling. (7725) Default HTTPS Cluster Ciphers Starting with this release, the following changes have been made to the default SSL options on HTTPS clusters: Copyright 2015 Coyote Point Systems Inc. Page 14 of 35

15 The Allow SSLv3 flag is now disabled by default. (9042) The Allow TLSv1.1 and Allow TLSv2 flags are now enabled by default. (9750) Japanese Language Web UI Update The Japanese language strings for the Web UI have been updated for this release. (9856) Health Check Coalescing Changes The rules under which multiple similar health checks will be combined into a single health check have been modified so that individual timing parameters are not ignored. (9562) ICMP: All ICMP probing occurs at the same frequency, which is the highest frequency needed to satisfy the highest probe interval/tries combination. If the addresses of 2 ICMP attached health checks are the same, then they will be combined into a single probe. VLB: If the UUIDs of 2 VLB attached health checks are the same, then they will be combined into a single probe. Note a single probe can access both the VM's CPU and RAM information, and appropriately manage either CPU or RAM (or both) VLB health check instances. UDP: If the address, port, and global timeout of 2 attached health checks are the same, they will be combined into a single probe. TCP: If the address, port, global timeout, connection timeout, data timeout, and probe_ssl flag of 2 attached TCP health checks are the same, then they will be combined into a single probe. ACV: In addition to the above TCP requirements, if the ACV query and response of the 2 attached ACV health checks are the same, then they will be combined into a single probe. Server Agent: In addition to the above TCP requirements, if the query fields of the 2 attached Server Agent health checks are the same, then they will be combined into a single probe. Upgrade Image for E250GX Does Not Allow Downgrade to the Previous Release If you have an E250GX model Equalizer, once you upgrade it to d, you will not be able to directly downgrade to the previous release. You will, however, be able to switch the boot partition back to the partition that is running the previous release as long as you only upgrade the system once. Be sure to save a backup archive before upgrading your E250GX to d. If you need to downgrade your E250GX to the previously running release, contact support for assistance. Copyright 2015 Coyote Point Systems Inc. Page 15 of 35

16 Resolved Issues Bug Description Alerts: If an object is deleted, any alerts that use that object become nonfunctional but are left in the system without any notification to the user. This has been addressed by logging these messages when this situation occurs: 6474 Alert is not referenced by any objects Alert is administratively disabled The user must then manually add an object to the alert and re-enable it, or delete the alert IE 10 Browser: Fixed issues seen with the Web UI Reset button on some pages Alerts: SNMP type trap alerts for LLB Gateways have been implemented Console / CLI: Addressed rendering and refresh issues associated with different terminal types SNMP: Implemented OIDs in the MIB for Link Load Balancing gateways Backup / Restore: In previous releases, issues were sometimes seen after a restore was performed, due to files that had been left behind from the previously running image. This issue has been fixed by properly cleaning up the system state before the restore. Link Load Balancing: Issues in previous release with Link Load Balancing Gateway alerts have been fixed. Server Side Encryption: Server side encryption does not work with a server that has an IPv6 address; instead, the connections are dropped. This bug has been fixed. SNMP: A missing entry for custom load balancing health check weight has been added to the MIB under the "eqserverpoolcfgtable" OID. Health Checks: It has been observed in previous releases that it is possible in large configurations for a server or server instance to be marked down even though a response has been received from the server. This bug has been fixed by increasing the resources allocated to service heath check responses for the maximum supported configuration. ( ) Copyright 2015 Coyote Point Systems Inc. Page 16 of 35

17 Remote Access: The telnet flag introduced in an earlier release as a global flag is now supported on all subnets. This allows the user to enable/disable telnet access on a per-subnet basis, as well as on the system as a whole. Regular Expressions: The regular expression library used in various parts of the system (match rules, responders, etc.) has been updated to address Import fix to regex library to address a heap overflow security vulnerability. (VU#695940) Failover: Users can configure two different floating IPs on the same subnet on two peers in failover. This bug has been fixed. Stability: Customers have observed a configuration daemon core dump while taking a save state (a.k.a. eqcollect). This bug has been fixed. ( ) Web UI: On the Global > Networking > Intefaces page, the status lights on each pictured port now indicate the link status and speed of the port. Alert Logging: Removed spurious error messages that appear on reboot associated with default alerts. ( ) Networking: An aggregated interface that contains two 10G ports will not negotiate LACP with the device on the other side of the link. This bug has been fixed. Networking / Stability: Fixed an internal issue that could result in two serverside connections using the same port. This bug has been fixed. Networking: Cannot change the IPv6 address assigned to a subnet. This bug has been fixed. ( ) Networking: The output of the show sbr CLI command in the CLI is truncated. This bug has been fixed. ( ) Reliability / Stability: Debug files associated with HTTPS clusters can fill up the file system on low-end units with limited disk space. This problem has been fixed. ( ) Copyright 2015 Coyote Point Systems Inc. Page 17 of 35

18 Fixes in c Resolved Issues Bug Description 9694 NAT: When configuring Network Address Translation on a subnet, if the NAT IP address is located on another subnet, it may not be instantiated on that subnet. This bug has been fixed. ( ) 9695 Link Aggregation: If an aggregated interface is created, the cluster IP address is not instantiated on the aggregated interface. This bug has been fixed. ( ) 9728 Web UI: The Web UI does not work properly in Internet Explorer 11, and does not work at all with Internet Explorer 10. This bug has been fixed Responders / Stability: System panics have been observed that are related to responder traffic. The specific issue occurs when the first request in a keep-alive connection is sent to a server behind the ADC and the next is sent to a responder. This bug has been fixed. ( , ) Copyright 2015 Coyote Point Systems Inc. Page 18 of 35

19 Fixes in b-patch1 Resolved Issues Bug Description 8549 CLI Usability: Improved error message reporting when user tries to add a new attached object to a container object that does not yet exist (e.g.: if the user attempts to add both a VLAN and a subnet for that VLAN in the same command line. The messages now clearly inform the user that the container object (e.g., the VLAN) must exist before any attached objects (e.g., a subnet) are created GUI Upgrade: If the user filestore is full and an upgrade is attempted, the upgrade process may freeze after the message "Downloading the upgrade archive, please wait..." is displayed. This bug has been fixed Stability: Fixed an OS issue that could cause a system panic while deleting a load balancing object (e.g., cluster, server pool) while in failover Setting Ciphers for HTTPS Clusters: The CLI and Web UI have been enhanced to accept a semicolon (;) as well as a colon (:) as a delimiter in an HTTPS cluster s cipher_spec parameter as permitted by OpenSSL Stability / Responders: A system panic may occur when traffic is sent to a cluster that has a responder attached, but no server pool / servers are attached. This bug has been fixed. ( ) 9213 ACV Health Check Test Usability: Additional debugging detail has been added to the output displayed when testing an ACV (Active Content Verification) health check probe Stability: Fixed a memory leak in an internal library that could cause out of swap error conditions when the system is under stress Health Checks: The last returned load values are displayed for a server instance when a load type health check is returning a down status. This bug has been fixed. A load type health check will display for a load value if the health check has returned a down status. Copyright 2015 Coyote Point Systems Inc. Page 19 of 35

20 Health Check Upgrade / Usability: The upgrade script that converts pre a configurations to use top level health checks has been enhanced to combine identical health checks into a single top level health check. This reduces the number of health checks attached to a server pool / server instance to the lowest number possible Failover Usability: If the user adds a new remote peer definition and does not configure failover, the CLI and Web UI will report spurious errors in the log: : There is no preferred_primary peer!. This issue has been fixed Failover Backup Mode Detection : If systems configured in failover are all in Backup mode, the following message may be displayed: : F/O Group Unassigned: All Peers in Backup. Following IPs already present on network. Check for conflicts:, but with no list of IP addresses. In this case, the systems remain stuck in Backup mode. This bug has been fixed Header Editing: Fixed an issue where editing a saved header value fails Networking Reliability: When configuring multiple Layer 4 clusters with the same IP address and different ports, disabling the last cluster configured renders the IP address unresponsive. This issue has been fixed Security: Closed a system-specific security vulnerability where unvalidated text can be passed to a system executable (e.g., the ping command) via the CLI. This vulnerability has been closed. ( ) 9667 Header Editing: Fixed an issue that caused the str_find_regex() function to return errors intermittently when the system is under stress VLB Health Checks: Modifying a global VLB Health Check sets the UUID to 'none' in the configuration file, which results in the target object being marked down. This bug has been fixed Server Agent Health Checks: If you attach the same global server agent health check to multiple server instances, it is possible that the server agent load value will not be reported correctly for all server instances. This bug has been fixed Health Checks / Failover: When configured in failover, the Highest TLS Version parameter is set to 0 on one of the failover peers because the parameter was not properly synchronized with the other peers. This caused a core dump in the health check monitoring daemon (mond) see bug 9693, below. This bug has been fixed. ( ) Copyright 2015 Coyote Point Systems Inc. Page 20 of 35

21 9690 Web UI: The Header Editing tab is not displayed after deleting an attached match rule. This bug has been fixed Health Check Upgrade / Usability: The upgrade script that converts pre a configurations to use top level health checks may incorrectly convert a server agent health check, enabling the Probe SSL flag after upgrade. This bug has been fixed Stability: If the Highest TLS Version for a Health Check is set to 0, the health check monitoring daemon (mond) dumps core. This bug has been fixed. ( ) 9715 Networking Stability: If a cluster IP address is modified, the existing IP address is removed from the subnet, but the new one is not instantiated. Disabling and re-enabling the cluster instantiates the IP address. This bug has been fixed. Copyright 2015 Coyote Point Systems Inc. Page 21 of 35

22 Enhancements and Fixes in a What s New Top Level Health Checks In previous releases, health check probes were limited to defining all probe parameters on an object-by-object basis. Starting with version a, all Health Checks are defined at the top or global level of the object hierarchy, at the same level as cluster, server pools, server, etc. These global templates are then attached to specific objects. Some Health Check parameters (e.g., IP, port) can be specified either in the Health Check itself, or using the parameters on the objects to which the health check is attached. Two basic health check types can be defined: status and load health checks. Status health checks indicate whether an object is available or not (up or down), and can be attached to any supported object. Load health checks indicate the relative availability of an object compared to other objects, and for this reason can only be attached to server pools. To complement top level health checks, new alert object types are now supported. In addition to the existing capability of attaching alerts to objects such as servers, you can also set alerts on health checks attached to load balancing objects (such as server instance health checks, LLB Gateway Health Checks, etc. When upgrading from version c and earlier releases, upgrade scripts convert your existing configuration automatically when you upgrade the firmware. The details of how existing configurations are converted to use top level health checks is in the Health Checks chapter in the product WebHelp and in the Administration Guide. Layer 7 Header Editing Header editing allows you to add, modify, and delete Layer 7 packet header data contained in client requests and server responses. You can choose to apply header editing rules on every request or response, or you can selectively apply header edits based on whether or not the client request is selected by a match rule. Header editing is supported on Layer 7 HTTP and HTTPS clusters only. Edits are defined using a server side scripting language, similar to PHP, that allows you to create custom scripts with a set of rich locator and editing functions that let you easily select headers, locate and modify specific header data, and use that data to add or modify additional headers. Among the operations you can perform are: Copyright 2015 Coyote Point Systems Inc. Page 22 of 35

23 Mask server information such as server version. Update request URIs to accommodate path changes on servers. For example, you could change paths from /marketing to /departments/marketing. Work around broken features on the server. For example if compression were broken on a server, you could delete gzip from the accept-encoding header. Make changes to a query string. For example, you may wish to extract a session ID from a cookie and add it to the query string before sending a request on to a server. For more information, see the Header Editing chapter in WebHelp and in the Administration Guide. Specifying Which System Will Generate Alerts in Failover A new advanced option has been added to the CLI that allows the user to specify which unit in failover will generate alerts for failover groups. [Objects not associated with failover groups will continue to be generated by all units.] The new primary flag on users is set as follows: eqcli > user name flags primary When in failover, this flag controls the generation of alerts on for all failover groups. If set, alerts for the following load balancing objects will only be generated for failover groups that are in primary mode on the ADC: Servers Server pools Server instances LLB gateways If the primary flag is not set, alerts for load balancing objects will be generated for all failover groups. If not in failover, this flag has no effect. This option will be added to the Web UI in a future release. Change Notices Version 8.6 Configuration Converter Not Supported in and Later Releases The Version 8.6 to Version 10 configuration converter supported in previous releases is discontinued with version a. This means that customers currently running Version 8.6 on legacy Coyote Point GX hardware will need to follow this upgrade path to Version : 8.6.0i-patch1 > c-RELEASE > x 1. Customers must be running Version 8.6.0i-patch1 to upgrade to Version c. Copyright 2015 Coyote Point Systems Inc. Page 23 of 35

24 2. After upgrading to c, the configuration converter can be used to convert a backup archive of your Version 8.6 configuration to a Version 10 configuration. 3. Once your configuration is running c, you can upgrade to Version a and subsequent releases. Resolved Issues Bug Description SNMP: Two new OIDs have been added to report the number of servers active in a server pool attached to a cluster or match rule: eqclusterstatushttpsactiveservers eqclustermatchrulestatushttpsactiveservers Web UI: Clusters are now sorted in ascending alphabetical order in the left frame, without regard to cluster type. SNMP: New OIDs have been added that expand the storage reporting information available for the Host Resources MIB (RFC2790). Web UI: The HTTPS cluster summary (appears when you click on a cluster name in the left frame) has been enhanced to clearly indicate when a cluster is disabled because of a missing certificate or server pool. Link Aggregation Stability / Reliability: If a port is removed from an aggregated interface, and then the same port is re-added to the same aggregated interface, the system may panic. This bug has been fixed. Interface Reliability: The error message MDIC write error problem may appear in the log and cause connectivity outages on 1Gb interfaces. Alerts: In some cases, a similar alert configured for more than one user may only fore for one of the configured users. This issue has been fixed. ( ) Web UI: Fixed scrolling issues that appear when attempting to assign a VMware UUID to a server. Copyright 2015 Coyote Point Systems Inc. Page 24 of 35

25 Alert Format: Enhanced the default subject line and body text of type alerts to provide critical information at a glance. ( ) 9097 The default subject line format is now: Subject: <hostname>: <object_type> <object_name> [in <container_object_type><container_name>] <status>: <SUBJECT> Note that <SUBJECT> is the user-provided text from the alert definition. The default alert body is now: <alert_type>: <object_type> <object_name> (<IP:port>) [in <containing_object_type> (<IP:port>)] <status> IP Reputation: If the user attempts to upload a very large file that is NOT an IP Reputation database file, a success popup may appear with an undefined error message. This issue has been fixed so that a failure popup appears in this case, and a proper error message is returned. Certificates: When attaching a certificate to an HTTPS cluster, the Web UI has been enhanced to prevent the user from attaching a certificate that is incomplete (e.g., missing a key file). IP Address Validation: Added validation to prevent adding an object with a blank IP address, or with an IP address that is all zeros. Certificate Validation: Modified certificate validation as follows: If the user uploads a certificate and key file, and the key file validation fails against the certificate, an error is returned. Both the key file and the certificate file are not stored. If the user uploads only a certificate file and does not attempt to upload a key file, the certificate is uploaded and stored in the configuration. Failover: If two systems are configured in failover and are simultaneously rebooted, the following error may be seen on one of the systems: " : eqipc call failed - configd communication error. This bug has been fixed. SSL Certificates: Improved error processing in GUI when the user submits an invalid certificate file, or accidentally provides two key files when uploading a certificate/key file pair. Remote Management via Telnet: A new global services option has been added to enable telnet access across all existing subnets. Copyright 2015 Coyote Point Systems Inc. Page 25 of 35

26 SSL Certificates: A certificate can be deleted while it is in use. This bug has been fixed; the system will not allow the user to remove a certificate unless it is not attached to any object. Web UI: Fixed an issue where a server pool cannot be removed from an enabled match rule unless there is a responder attached. Alerts: Exception alerts sent to the remote syslog are always sent with LOG_INFO priority. Exception alerts have been enhanced to return LOG_ERR, LOG_WARN, and LOG_NOTICE in specific situations where they are required. Web UI: Fixed an issue that caused a long certificate list to be truncated on display. Failover Reliability: Preferred Peer Setting Change Not Synchronized: In a failover configuration, creating a cluster in the CLI and then immediately removing the preferred_peer setting may not be correctly reflected on other peers; the existing preferred_peer setting may not be updated on the remote peers. This bug has been fixed. ( ) Failover Reliability: Corrupted UUID After Config Sync: Adding a real server (not a VM) on one unit, the change is configured to the other peers, but the UUID : corrupted UUID value appears after config sync. Web UI: Disabling the TLS 1.0 flag also disables the Server Side Encryption flag. This bug has been fixed. ( ) Web UI: Fixed issues that caused the Cluster Summary to display as a blank page on Internet Explorer 9 (only). Web UI: Sorting on the Server Pool Summary page table does not work for columns other than Cluster. This bug has been fixed. ( ) Web UI: Category status (allow or block) is incorrectly reflected in the GUI, bot h for default and modified values. (The CLI is always correct.) This bug has been fixed. ( ) Documentation: Updated information about addresses used as NAT addresses on outbound subnets. If a specified NAT address does not already exist on one of the unit s subnets, it will be instantiated on the appropriate subnet after the NAT is added. ( ) Link Aggregation: If an aggregated interface is removed from a subnet, and an IP address on that subnet is then ping ed, the system may panic. This bug has been fixed. Copyright 2015 Coyote Point Systems Inc. Page 26 of 35

27 Web UI Certificates: Added validation to prevent a DSA or EC certificate to be attached to the Web UI. (Currently, these are not supported for use with the GUI.) HTTPS Cluster Reliability / Stability: During certain rare events on hardware-accelerated systems, an HTTPS cluster can become unresponsive when certain rare events occur during SSL processing. The message returned is: abort in cav_pending_assert unexpected cavium pending. This issue has been fixed. ( ) HTTPS Cluster Reliability / Stability: Fixed issues with undocumented error codes (e.g., 0x42) being returned on hardware-accelerated systems. User Management: Disabling any user flags removes an already configured mail server from the user configuration. This bug has been fixed. Copyright 2015 Coyote Point Systems Inc. Page 27 of 35

28 Known Issues Read this section thoroughly before upgrading! Bug ID Description Match Rules: debug_message(), ssl2(), ssl3(), and tls1() functions (supported in Version 8) are not accepted for expressions. Clusters: The Reset on server failure global option supported in previous releases is not yet implemented in Version 10. Layer 4 UDP clusters: The persist override flag on UDP cluster server instances does not override persistence. (4101 TCP/ACV Health Checks: The CLI and Web UI will indicate that a server instance is 'ACV DOWN' (or not responding to ACV probes) even when ACV is not set, when the server is not responding to TCP probes. It should be shown as L4 TCP DOWN. In any case, the server is correctly marked down. Health Checks: In a server pool configuration, do not define more than 16 health check instances per server instance. If 17 health check instances are defined on a server instance, the system will become unresponsive and reboot. The workaround, after the system comes back up, is to remove the 17th health check from the configuration file. This bug will be fixed in a future release. VMware Integration: In a VMware configuration where Microsoft Active Directory is used, logging in to VMware from Equalizer will fail if the VMware account used to log into VMware is defined within an Active Directory domain. On VMware the login succeeds, but on Equalizer the login attempt fails. If you test the login, it will appear to hang. Messages like the following appear in the Equalizer log: vlbd[22043]: e v vcenter; : unable to send message Message too long.the workaround is to use a VMware account that is not defined within Active Directory to log into VMware. Copyright 2015 Coyote Point Systems Inc. Page 28 of 35

29 ACV Probes Require \r\n at Layer 7: In Version 8.6, Layer 7 ACV probes did not require that the user insert \r\n characters at the end of the Probe. In Version 10, the user must add these characters at the end of the probe string manually. (6497) If you modify a VLAN MTU parameter to a value that is lower than the currently set value, you must reboot Equalizer to ensure proper operation of the network interface. Web UI: Cannot define an SNMP Trap server in the Web UI. The workaround is to use the CLI. Web UI: Some CLI commands are not supported by the CLI Console widget in the Web UI Dashboard. See the online WebHelp for more information. Subnet destination (or policy) routes have been removed (see bug 7556, above). That feature included the ability to specify the source IP address to use for a packet routed to another network. Now, the system automatically configures destination routes, and uses the subnet IP address as the source IP address. The capability to specify a source IP address will be provided in a future release. Layer 4 TCP Clusters: The IP address and port for an FTP cluster (a TCP cluster with a start port of 21) cannot be modified. The workaround is to create a new FTP cluster. Failover: The per-subnet command flag has been moved in the CLI to a new failover context. This flag must currently be managed through the CLI. In the Web UI, this flag remains on the subnet configuration tab. Attempting to disable the flag in the Web UI appears to succeed, but if the tab is redisplayed the flag is still set on that subnet. This issue in the Web UI will be fixed in a subsequent release. The VLAN MTU parameter cannot be modified to be larger than 4839 on all LX hardware (except the E370LX) and on Equalizer OnDemand. This will be fixed in a future release. On the E370LX (and on legacy GX models), the maximum MTU value is Preferred static routes: If the user adds a 0/0 static route and a preferred static route for a server with the same gateway, then the preferred static route is ignored. Copyright 2015 Coyote Point Systems Inc. Page 29 of 35