EQ/OS 10.3.1 Release Notes About This Document .................................................................................................................. 2 Supported Hardware ................................................................................................................... 2 EQ/OS 10 Documentation ........................................................................................................... 2 Fixes in 10.3.1b ............................................................................................................................. 3 Resolved Issues ..............................................................................................................................3 Enhancements and Fixes in 10.3.1a ........................................................................................... 5 What’s New .....................................................................................................................................5 Server Side Encryption .........................................................................................................5 Perfect Forward Secrecy support ........................................................................................5 Replacing the Web UI SSL Certificate ..................................................................................6 Uploading an IP Reputation Database File ........................................................................6 Passive FTP Clusters with Spoof Disabled ..........................................................................7 Change Notices ..............................................................................................................................7 Smart Control Web UI Redesigned .....................................................................................7 Resolved Issues ..............................................................................................................................8 Known Issues .............................................................................................................................. 11 Registering Your Product .......................................................................................................... 14 Page 1 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 About This Document These are the release notes for EQ/OS Version 10.3.1 releases. Release notes are available from the Fortinet Support Site: http://support.fortinet.com They are also available from the legacy Coyote Point Systems Website: http://www.coyotepoint.com/downloads-category/release-notes Supported Hardware This release is supported on all LX and GX model hardware. Please see the EQ/OS 10 Support Web Page for download links: http://www.coyotepoint.com/content/eqos-10-support-page EQ/OS 10 Documentation The online Webhelp system in the Equalizer graphical user interface (Web UI) contains complete hardware installation, configuration, and operation information. To display Webhelp while using the Web UI, press the F1 key or choose Help > Context Help from the menu at the top right of the Web UI screen. The Administration Guide is the PDF format version of the Webhelp available in the Web UI. The latest Guide is always available from the EQ/OS 10 Support Web Page: http://www.coyotepoint.com/content/eqos-10-support-page Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 2 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 Fixes in 10.3.1b Resolved Issues Bug ID Description 8867 Failover: The peer management daemon may crash after configuring two systems into failover an then adding two VLANs to each system. This bug has been fixed. (1202959) 8956 9260 Localization: The Japanese language text in the Web UI has been updated in this release. 9203 Networking Reliability: Fixed an internal issue that could cause a system panic when an attempt is made to use an already closed socket. 9223 Alerts: An alert configured on a server instance or server pool does not fire when a Simple (Server Agent) or VLB Health Check indicates a change of state. This bug has been fixed. (1264224) 9234 Server Side Encryption: Fixed an internal issue that can cause a core dump in the SSE daemon under high workloads. 9236 Failover / Networking: Subnet modification fails in this specific scenario: 1. Two systems with 1 or more VLANs are configured into failover. 2. All VLANs are deleted on both systems. 3. A VLAN and subnet are added to one of the systems. 4. The subnet is modified and the modification fails. This bug has been fixed. 9242 Perfect Forward Secrecy: Fixed issues that prevented adding a DSA or ECDSA key file using the CLI. 9243 SNMP: Fixed the interface node descriptions to correctly indicate that interface speeds are displayed in megabits per second, rather than bits per second. 9250 Server Side Encryption: Fixed issues where the SSE daemon drops connections on restart, instead of allowing existing connections to complete before restarting. 9251 9252 Server Side Encryption: Fixed internal issues that could cause the system to panic under high workloads. 9258 Secure Web UI: If the user modifies the SSL certificate used by the Web UI, the old certificate continues to be used until the HTTPS service is disabled and re-enabled. This bug has been fixed. Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 3 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 9273 VLB Health Checks: Corrected documentation to indicate that the "Last Returned Value" for a VLB Health Check can display a value greater than 100 (unlike other health checks). This is because the load percentage returned by VMware can be above 100, and we simply return what VMware reports. 9274 VLB Health Checks: Load balancing decisions are ignoring VLB health check load status. This bug has been fixed. 9275 Web UI: The CLI widget on the dashboard hangs when the "show config" command is entered. This bug has been fixed. 9278 Web UI Localization: HTML tags are displayed in some dialog boxes when the selected locale is ‘ja’ (Japanese). This issue has been fixed. 9282 Alerts: Alerts are sent to the syslog for “State Change” events when syslog notification type is disabled. This bug has been fixed. Note: syslog notification is always sent when an “Exception” event occurs. 9284 Plotting: Cluster plots may not work when the locale is non-English. This bug has been fixed. 9285 9295 Failover: Fixed issues that can cause the Peer Management Daemon (peerd) to dump core in two scenarios: • The last VLAN/subnet with Heartbeating enabled is deleted. • The same VLAN/subnet with Heartbeat enabled is deleted from one peer and then the other. 9297 Server Instances: If you add a server and set the ‘Quiesce’ flag, the flag is not set properly on the server instance. This bug has been fixed. 9350 Failover Web UI: If the ‘use_ssl’ flag is enabled on the local peer in the CLI, making a change to the local peer using the Web UI removes the ‘use_ssl’ flag. This bug has been fixed by adding the ‘Use SSL’ flag to the Web UI. (1271076) Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 4 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 Enhancements and Fixes in 10.3.1a What’s New Server Side Encryption Encryption of server connections is now supported. In previous releases, all traffic between the ADC and the servers behind it was unencrypted. With this release, HTTP and HTTPS clusters now support an optional Server Side Encryption option which, when enabled, causes all server traffic for that cluster to be encrypted. This option is present on match rules as well, allowing encrypted server connections to be employed on selected cluster traffic. The following global options can be set on Server Side Encryption: • • Cipher specification TLS level Encrypted server connections can also use the Perfect Forward Secrecy ciphers introduced in this release (see below). [Note that Server Side Encryption is not supported on the E250GX.] Perfect Forward Secrecy support Ciphers that support Perfect Forward Secrecy (PFS) are now supported on all models. The PFS ciphers supported are listed below. All of these ciphers except the ciphers in italics are supported with private key lengths of 512, 1024, 2048, and 4096 bits. The ciphers in italics are not supported with a key length of 512 bits. Note that on models that support hardware SSL acceleration (i.e, 400E, 600E, and 1000E), the key exchange operations for these ciphers will be performed in software rather than on the acceleration hardware. For this reason, PFS ciphers should not be expected to perform as well as hardware-accelerated non-PFS ciphers on these units. SSL 3 / TLS 1 / TLS 1.1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-DES-CBC3-SHA DHE-DSS-AES256-SHA DHE-DSS-CAMELLIA256-SHA Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 5 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 DHE-DSS-AES128-SHA DHE-DSS-SEED-SHA DHE-DSS-CAMELLIA128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA TLS 1.2: List above, plus the following: DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES256-GCM-SHA384 DHE-DSS-AES256-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-DSS-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 Replacing the Web UI SSL Certificate Using the CLI, you can now replace the certificate used by the Web UI for secure HTTPS connections with any certificate that has been uploaded to the certificate store. There is a new ‘remote-mgmt’ context in the CLI that allows you to: • • • Specify the certificate to use. Specify the list of ciphers. Set the allowed SSL/TLS protocol levels. In this release, changing the Web UI certificate requires that you disable and re-enable the ‘HTTPS’ flag on all subnets that have this flag set. This will be addressed in a future release. Uploading an IP Reputation Database File Using the CLI or the Web UI, it is now possible to upload to the ADC an IP Reputation database archive that you obtained from the Fortinet Support Site. This is particularly useful in configurations where the ADC is installed in an environment where connections to Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 6 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 the Internet are not allowed and it is not possible for the ADC to connect to the Fortinet site to download the IP Reputation database directly. Passive FTP Clusters with Spoof Disabled In previous releases, an FTP cluster was required to have the ‘Spoof’ option enabled, which means that the ADC would use the client’s IP address as the source IP address in all packets sent to the servers in the cluster. With this release, spoof can now be disabled on an FTP cluster that uses passive FTP connections to servers – which means that the ADC’s subnet IP address will be used as the source IP in all packets sent to servers. Change Notices Smart Control Web UI Redesigned Several usability issues were identified in the Smart Control Web UI. The interface has been redesigned to make creation of a scheduled smart control easier and more intuitive. Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 7 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 Resolved Issues Bug ID Description 7895 7896 Smart Controls: Fixed two issues with smart controls configured to run every day at a specific time: • The smart control may not fire until 24 hours have passed after the creation of the smart control. • Modifying the smart control can result in the creation of a new smart control rather than modifying the existing one. 8517 Logging and Timezone Modification: In previous releases, the system logging daemon (syslogd) is not restarting when a timezone change occurs. This bug has been fixed. Log messages have also been added that will appear in /var/log/eq when a timezone change occurs to help diagnose timezone issues. 8579 Backup: Fixed issues seen in previous releases with backup archives of large configurations consisting of hundreds of clusters, servers, server pools, etc. 8590 SNMP: Corrected the calculation of the hrProcessorLoad OID so that it is calculated as an average over 60 seconds as specified in RFC1514. 8617 Smart Control: Fixed issues with creating a save state archive (a.k.a. a ‘collect’) from a smart control script. 8716 8718 HTTPS Cluster Stability: Improved session management to prevent any single cluster from consuming all available CPU resources. 8793 Firewall Rules in Web UI: A new flag has been added to the System > Global > Parameters page that allows the user to enable and disable the automatic firewall rules created to enforce the permit and deny rules users can place on subnets. This control was added to the CLI in a previous release. 8871 Smart Controls: The "Next Execution Time" displays the incorrect scheduled time if a smart control is created for the last date of a month. This bug has been fixed. 8878 Failover: The peer management daemon (peerd) listens on subnets that do not have the failover heartbeat flag enabled. If connections are attempted to the failover listening port on those subnet IP addresses, it can interfere with failover operation. This bug has been fixed, and the daemon now listens only on subnets that have heartbeat enabled. (1200425) 8917 Failover: Fixed an issue where a peer that is not running a release that supports failover communication via SSL might be displayed in the CLI with that option present and enabled for a short period of time, until the two Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 8 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 peers synchronize successfully. 8922 Smart Control Web UI: In previous releases, it was observed that certain versions of the Internet Explorer and Safari browsers do not support uploading a file in a popup. This issue has been resolved by changing the ‘Add Smart Control’ popup to only present the controls for upload on browsers that support that functionality. 8970 N+1 Failover: If a network cable is unplugged and then plugged in again, a peer may continue to display an "interface down" error after the cable is plugged back in and the interface is actually up. This bug has been fixed. 8995 8996 SSL POODLE Vulnerability: This vulnerability has been closed by updating the version of OpenSSL used for software and hardware acceleration to 1.0.1j. Note that this issue still exists for hardware accelerated legacy GX models (E450GX, E650GX). The workaround on those models is to enable ‘Software SSL Only’ on all HTTPS clusters. 9023 Networking: Changing the IP address on one subnet in a multi-subnet VLAN may result in changing the subnet IP address of another subnet on the VLAN. This bug has been fixed. 9078 Reliability: On systems that are experiencing a high number of alerts, the following message may be seen in the log: 04003075: Configd issue: unable to reply to message with first cmd 280|No buffer space available| This is caused by an internal error in alert processing and can lead to no more alerts being processed. This issue has been fixed. 9087 Stability: If a VLAN is deleted and then the same VLAN is added again, the peer management daemon (peerd) may exit abnormally (and restart). This bug has been fixed. 9117 Smart Controls: Modified smart controls so that a disabled smart control can still be executed manually. 9120 Networking: On GX systems only, tagged VLANs may not come up properly when a cable is plugged or unplugged, or the system is powered up from a powered off state. This bug has been fixed. 9142 Failover: The peer management daemon (peerd) may crash under the following circumstances: a NAT rule that uses a cluster IP address as the ‘out’ address is added to a subnet, and the system is then rebooted. This bug has been fixed. 9143 Failover: If a NAT ‘out’ IP address is set to a cluster IP address, no GARP is issued for the cluster IP address when a peer goes into primary mode. This issue is fixed: three GARPs are now sent out for the cluster IP address when a peer becomes primary. Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 9 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 9171 Alerts: Fixed an issue that caused extra carriage return and line feed (CR, LF) characters to be inserted in to the subject line of an email alert, thereby violating RFC 2822. 9180 Failover: Configuration synchronization may not happen properly between two peers under the following conditions (all must be true): • Their configuration files have different Global Sequence Numbers. • There is a configuration synchronization error. • The two systems are rebooted simultaneously. This bug has been fixed. 9239 N+1 Failover: Fixed an issue with failover state determination when a failover peer (Peer A) has determined it should be backup for a failover group, but before it sends out a heartbeat to the other peers indicating this, it gets a heartbeat from another peer indicating that Peer A should become primary. This bug has been fixed. Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 10 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 Known Issues Read this section thoroughly before upgrading! Bug ID Description 3351 3989 Match Rules: debug_message(), ssl2(), ssl3(), and tls1() functions (supported in Version 8) are not accepted for expressions. 3468 Clusters: The ‘Reset on server failure’ global option supported in previous releases is not yet implemented in Version 10. 4101 Layer 4 UDP clusters: The ‘persist override’ flag on UDP cluster server instances does not override persistence. (4101 5393 TCP/ACV Health Checks: The CLI and Web UI will indicate that a server instance is 'ACV DOWN' (or not responding to ACV probes) even when ACV is not set, when the server is not responding to TCP probes. It should be shown as ‘L4 TCP DOWN’. In any case, the server is correctly marked ‘down’. 5663 Health Checks: In a server pool configuration, do not define more than 16 health check instances per server instance. If 17 health check instances are defined on a server instance, the system will become unresponsive and reboot. The workaround, after the system comes back up, is to remove the 17th health check from the configuration file. This bug will be fixed in a future release. 6385 VMware Integration: In a VMware configuration where Microsoft Active Directory is used, logging in to VMware from Equalizer will fail if the VMware account used to log into VMware is defined within an Active Directory domain. On VMware the login succeeds, but on Equalizer the login attempt fails. If you test the login, it will appear to hang. Messages like the following appear in the Equalizer log: “vlbd[22043]: |e|v vCenter;|75000039: unable to send message|Message too long|”.The workaround is to use a VMware account that is not defined within Active Directory to log into VMware. 6583 If you modify a VLAN MTU parameter to a value that is lower than the currently set value, you must reboot Equalizer to ensure proper operation of the network interface. Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 11 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 6467 Layer 4 UDP clusters: A server defined on the ADC cannot access any UDP clusters defined on the ADC. This bug will be fixed in a future release. 6648 Responders: It is not possible to enter a regular expression containing a "?" character using the CLI. The workaround is to use the Web UI instead 6669 SSH: When using SSH to log into the CLI, the file editor (for certificates, responders, etc.) may not work. This may be due to the terminal type presented to the system on login. To work around this issue, modify your terminal emulator settings before logging in and set the terminal type to ‘xterm’. 6947 ACV Probes Require ‘\r\n’ at Layer 7: In Version 8.6, Layer 7 ACV probes did not require that the user insert ‘\r\n’ characters at the end of the Probe. In Version 10, the user must add these characters at the end of the probe string manually. (6497) 6966 Web UI: Cannot define an SNMP Trap server in the Web UI. The workaround is to use the CLI. 7363 Web UI: Some CLI commands are not supported by the CLI Console widget in the Web UI Dashboard. See the online WebHelp for more information. 7599 Subnet destination (or policy) routes have been removed (see bug 7556, above). That feature included the ability to specify the source IP address to use for a packet routed to another network. Now, the system automatically configures destination routes, and uses the subnet IP address as the source IP address. The capability to specify a source IP address will be provided in a future release. 7656 Web UI: When using Internet Explorer 11 to view the Web UI, issues have been observed where UI source code is displayed and a page is unusable. The only workarounds are to either try Compatibility Mode, use Internet Explorer 10, or use another browser. 7750 Layer 4 TCP Clusters: The IP address and port for an FTP cluster (a TCP cluster with a start port of 21) cannot be modified. The workaround is to create a new FTP cluster. Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 12 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 7814 Failover: The per-subnet ‘command’ flag has been moved in the CLI to a new ‘failover’ context. This flag must currently be managed through the CLI. In the Web UI, this flag remains on the subnet configuration tab. Attempting to disable the flag in the Web UI appears to succeed, but if the tab is redisplayed the flag is still set on that subnet. This issue in the Web UI will be fixed in a subsequent release. 7830 The VLAN MTU parameter cannot be modified to be larger than 4839 on all LX and FortiADC hardware, as well as on Equalizer OnDemand. For legacy GX models, the MTU parameter limitation is 1500. This will be fixed in a future release. 7923 Preferred static routes: If the user adds a ‘0/0’ static route and a preferred static route for a server with the same gateway, then the preferred static route is ignored. 8657 SSL Ciphers: The following cipher is temporarily disabled for all HTTPS clusters due to reconnection issues: • AES256-GCM-SHA384 Upgrade using Local File in Web UI: When upgrading using a ‘Local File’ uploaded to the system via the browser, the system displays a popup that says: ‘Downloading the upgrade archive…’. If the system runs out of space in the filestore, this popup will appear and never be dismissed. Also, a message in the system log will appear: 8676 command phpcgi, on /var/crash: file system full If this occurs, you must remove files from the filestore (using the CLI) so that there is at least 50MB of space in the filestore. Then, re-try the upgrade and it should now succeed. 9257 Web UI Certificate: A certificate that requires a DSA (DSS) private key cannot be selected for use as the certificate for Web UI HTTPS connections. Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 13 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 Registering Your Product Fortinet customer services (such as firmware updates and technical support) require product registration. Take a moment now to register your product at the Fortinet Customer Service and Support web site: https://support.fortinet.com Before you can register, you will need: 1. Access to a new or existing Support Account. Information on how to create and manage a support account is provided in the Fortinet Support Portal User Guide. If your organization already has an account, obtain the user name and password information from your local account administrator to log in. 2. The serial number of the unit you want to register. You can find this information using either the CLI or the GUI after powering up your appliance: • To use the CLI, log in to the CLI (over the serial console or, if networking is configured, using SSH over an appropriately configured subnet) and enter the following CLI command: eqcli > version Record the System Serial Number from the command output. • If networking is configured and the GUI has been enabled on a subnet., you can also get the serial number from the ‘System Information’ widget on the GUI dashboard. The Dashboard appears automatically when you log into the GUI. Once you have obtained both the login credentials of a support account and the System Serial Number of the unit to register, do the following: 1. Log in to https://support.fortinet.com using the login credentials obtained above. 2. Follow the instructions provided in the Registration Frequently Asked Questions under the heading “How do I register a Fortinet device?”. When requested, enter the System Serial Number you obtained above into the appropriate form. Once registration is completed, the appliance serial number and other information will appear in the FortiCare Registration area. Your system is now registered. If your system can connect to the internet, you can now update the support information displayed in the CLI and GUI by doing one of the following: • In the CLI, enter the following to update the support information on your unit: eqcli > forticare registration Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 14 of 15 EQ/OS 10.3.1 Release Notes 24 December 2014 View the updated Support information (including Last refresh date, Support end, and Email) by entering: eqcli > version • In the GUI, select the System configuration tab on the left navigational pane and then click on Global > Dashboard. The System information widget on the right pane will indicate the Support information (including Last refresh date, Support end, and Email). Click on the Refresh button to update the registration information. Note that the registration information does not update automatically in either the CLI or the GUI; you must use either the CLI ‘forticare registration’ command or the Refresh button in the GUI Dashboard’s System Information widget to update. Copyright 2014 Coyote Point Systems Inc. A subsidiary of Fortinet, Inc. All Rights Reserved. Page 15 of 15
© Copyright 2024