EQ/OS 10.3.1 Release Notes

About This Document .................................................................................................................. 2
Supported Hardware ................................................................................................................... 2
EQ/OS 10 Documentation ........................................................................................................... 2
Fixes in 10.3.1b ............................................................................................................................. 3
Resolved Issues ..............................................................................................................................3
Enhancements and Fixes in 10.3.1a ........................................................................................... 5
What’s New .....................................................................................................................................5
Server Side Encryption .........................................................................................................5
Perfect Forward Secrecy support ........................................................................................5
Replacing the Web UI SSL Certificate ..................................................................................6
Uploading an IP Reputation Database File ........................................................................6
Passive FTP Clusters with Spoof Disabled ..........................................................................7
Change Notices ..............................................................................................................................7
Smart Control Web UI Redesigned .....................................................................................7
Resolved Issues ..............................................................................................................................8
Known Issues .............................................................................................................................. 11
Registering Your Product .......................................................................................................... 14
Page 1 of 15
24 December 2014
About This Document
These are the release notes for EQ/OS Version 10.3.1 releases. Release notes are available
from the Fortinet Support Site:
http://support.fortinet.com
They are also available from the legacy Coyote Point Systems Website:
http://www.coyotepoint.com/downloads-category/release-notes
Supported Hardware
This release is supported on all LX and GX model hardware.
Please see the EQ/OS 10 Support Web Page for download links:
http://www.coyotepoint.com/content/eqos-10-support-page
EQ/OS 10 Documentation
The online Webhelp system in the Equalizer graphical user interface (Web UI) contains
complete hardware installation, configuration, and operation information. To display
Webhelp while using the Web UI, press the F1 key or choose Help > Context Help from
the menu at the top right of the Web UI screen.
The Administration Guide is the PDF format version of the Webhelp available in the Web UI.
The latest Guide is always available from the EQ/OS 10 Support Web Page:
http://www.coyotepoint.com/content/eqos-10-support-page
Copyright 2014 Coyote Point Systems Inc.
A subsidiary of Fortinet, Inc. All Rights Reserved.
Fixes in 10.3.1b
Resolved Issues
Bug ID
Description
8867
Failover: The peer management daemon may crash after configuring two
systems into failover and then adding two VLANs to each system. This bug
has been fixed. (1202959)
8956
9260
Localization: The Japanese language text in the Web UI has been updated
in this release.
9203
Networking Reliability: Fixed an internal issue that could cause a system
panic when an attempt is made to use an already closed socket.
9223
Alerts: An alert configured on a server instance or server pool does not fire
when a Simple (Server Agent) or VLB Health Check indicates a change of
state. This bug has been fixed. (1264224)
9234
Server Side Encryption: Fixed an internal issue that can cause a core dump
in the SSE daemon under high workloads.
9236
Failover / Networking: Subnet modification fails in this specific scenario:
1. Two systems with 1 or more VLANs are configured into failover.
2. All VLANs are deleted on both systems.
3. A VLAN and subnet are added to one of the systems.
4. The subnet is modified and the modification fails.
This bug has been fixed.
9242
Perfect Forward Secrecy: Fixed issues that prevented adding a DSA or
ECDSA key file using the CLI.
9243
SNMP: Fixed the interface node descriptions to correctly indicate that
interface speeds are displayed in megabits per second, rather than bits per
second.
9250
Server Side Encryption: Fixed issues where the SSE daemon drops
connections on restart, instead of allowing existing connections to complete
before restarting.
9251
9252
Server Side Encryption: Fixed internal issues that could cause the system
to panic under high workloads.
9258
Secure Web UI: If the user modifies the SSL certificate used by the Web UI,
the old certificate continues to be used until the HTTPS service is disabled
and re-enabled. This bug has been fixed.
9273
VLB Health Checks: Corrected documentation to indicate that the "Last
Returned Value" for a VLB Health Check can display a value greater than 100
(unlike other health checks). This is because the load percentage returned
by VMware can be above 100, and we simply return what VMware reports.
9274
VLB Health Checks: Load balancing decisions are ignoring VLB health check
load status. This bug has been fixed.
9275
Web UI: The CLI widget on the dashboard hangs when the "show config"
command is entered. This bug has been fixed.
9278
Web UI Localization: HTML tags are displayed in some dialog boxes when
the selected locale is ‘ja’ (Japanese). This issue has been fixed.
9282
Alerts: Alerts are sent to the syslog for “State Change” events when syslog
notification type is disabled. This bug has been fixed. Note: syslog
notification is always sent when an “Exception” event occurs.
9284
Plotting: Cluster plots may not work when the locale is non-English. This
bug has been fixed.
9285
9295
Failover: Fixed issues that can cause the Peer Management Daemon
(peerd) to dump core in two scenarios:
• The last VLAN/subnet with Heartbeating enabled is deleted.
• The same VLAN/subnet with Heartbeat enabled is deleted from one
peer and then the other.
9297
Server Instances: If you add a server and set the ‘Quiesce’ flag, the flag is
not set properly on the server instance. This bug has been fixed.
9350
Failover Web UI: If the ‘use_ssl’ flag is enabled on the local peer in the CLI,
making a change to the local peer using the Web UI removes the ‘use_ssl’
flag. This bug has been fixed by adding the ‘Use SSL’ flag to the Web UI.
(1271076)
Enhancements and Fixes in 10.3.1a
What’s New
Server Side Encryption
Encryption of server connections is now supported. In previous releases, all traffic between
the ADC and the servers behind it was unencrypted. With this release, HTTP and HTTPS
clusters now support an optional Server Side Encryption option which, when enabled,
causes all server traffic for that cluster to be encrypted. This option is present on match
rules as well, allowing encrypted server connections to be employed on selected cluster
traffic. The following global options can be set on Server Side Encryption:
• Cipher specification
• TLS level
Encrypted server connections can also use the Perfect Forward Secrecy ciphers introduced
in this release (see below).
[Note that Server Side Encryption is not supported on the E250GX.]
Perfect Forward Secrecy support
Ciphers that support Perfect Forward Secrecy (PFS) are now supported on all models. The
PFS ciphers supported are listed below. All of these ciphers except the ciphers in italics are
supported with private key lengths of 512, 1024, 2048, and 4096 bits. The ciphers in italics
are not supported with a key length of 512 bits.
Note that on models that support hardware SSL acceleration (i.e., 400E, 600E, and 1000E),
the key exchange operations for these ciphers will be performed in software rather than on
the acceleration hardware. For this reason, PFS ciphers should not be expected to perform
as well as hardware-accelerated non-PFS ciphers on these units.
SSL 3 / TLS 1 / TLS 1.1:
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA
DHE-RSA-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
ECDHE-RSA-RC4-SHA
ECDHE-RSA-DES-CBC3-SHA
DHE-DSS-AES256-SHA
DHE-DSS-CAMELLIA256-SHA
DHE-DSS-AES128-SHA
DHE-DSS-SEED-SHA
DHE-DSS-CAMELLIA128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-ECDSA-DES-CBC3-SHA
TLS 1.2:
List above, plus the following:
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES256-GCM-SHA384
DHE-DSS-AES256-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-DSS-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
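The cipher names above follow OpenSSL's naming convention, so the key exchange, the certificate key type a suite needs, and the minimum protocol level can all be read off the name. The following Python is an added example, not EQ/OS code: it parses the two lists as printed in these notes, checks that the TLS 1.2 list is exactly the set of suites that need TLS 1.2, and builds a colon-separated cipher string for a given certificate key type (that the Cipher specification option accepts an OpenSSL-style colon-separated string is an assumption).

```python
"""Classify the PFS cipher names listed above (OpenSSL naming convention).
Added example, not EQ/OS code; the cipher lists are copied from the notes."""
from dataclasses import dataclass

SSL3_TLS1_TLS11 = [
    "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA", "DHE-RSA-CAMELLIA256-SHA",
    "ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA", "DHE-RSA-SEED-SHA",
    "DHE-RSA-CAMELLIA128-SHA", "ECDHE-RSA-RC4-SHA", "ECDHE-RSA-DES-CBC3-SHA",
    "DHE-DSS-AES256-SHA", "DHE-DSS-CAMELLIA256-SHA", "DHE-DSS-AES128-SHA",
    "DHE-DSS-SEED-SHA", "DHE-DSS-CAMELLIA128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-RC4-SHA", "ECDHE-ECDSA-DES-CBC3-SHA",
]
TLS12_ADDITIONS = [
    "DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",  # printed twice in the notes; deduplicated below
    "DHE-RSA-AES256-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256", "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-SHA256", "DHE-DSS-AES256-GCM-SHA384",
    "DHE-DSS-AES256-SHA256", "DHE-DSS-AES128-GCM-SHA256",
    "DHE-DSS-AES128-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256",
]


@dataclass(frozen=True)
class CipherInfo:
    name: str
    key_exchange: str   # ECDHE, DHE, or RSA (static RSA key transport)
    auth: str           # RSA, DSS or ECDSA: the private key type the certificate needs
    bulk: str           # e.g. AES128-GCM, DES-CBC3, RC4
    mac: str            # SHA (SHA-1 HMAC), SHA256 or SHA384
    forward_secrecy: bool
    min_protocol: str   # "SSL3/TLS1/TLS1.1" or "TLS1.2"


def parse_cipher(name: str) -> CipherInfo:
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        # No key-exchange prefix means static RSA key transport: the session
        # key is encrypted to the server's RSA key, so no forward secrecy.
        kx, auth, rest = "RSA", "RSA", parts
    if len(rest) < 2:
        raise ValueError(f"unrecognised cipher name: {name}")
    mac = rest[-1]
    bulk = "-".join(rest[:-1])
    # GCM (AEAD) suites and SHA-256/384 HMAC suites exist only from TLS 1.2 on,
    # which is exactly the split the release notes make.
    tls12 = "GCM" in rest or mac in ("SHA256", "SHA384")
    return CipherInfo(name, kx, auth, bulk, mac, kx != "RSA",
                      "TLS1.2" if tls12 else "SSL3/TLS1/TLS1.1")


def cipher_spec(names, key_type="RSA", require_pfs=True):
    """Colon-separated cipher string containing only suites usable with the
    configured certificate key type (and, by default, only PFS suites)."""
    out = []
    for n in names:
        info = parse_cipher(n)
        if require_pfs and not info.forward_secrecy:
            continue
        if info.auth != key_type:
            continue
        if n not in out:          # drop duplicates, preserve order
            out.append(n)
    return ":".join(out)


def check_release_note_lists() -> bool:
    """Every listed suite is forward-secret, and the TLS 1.2 list holds
    exactly the suites whose name implies TLS 1.2."""
    base = [parse_cipher(n) for n in SSL3_TLS1_TLS11]
    tls12 = [parse_cipher(n) for n in TLS12_ADDITIONS]
    return (all(c.forward_secrecy for c in base + tls12)
            and all(c.min_protocol == "SSL3/TLS1/TLS1.1" for c in base)
            and all(c.min_protocol == "TLS1.2" for c in tls12))
```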
Replacing the Web UI SSL Certificate
Using the CLI, you can now replace the certificate used by the Web UI for secure HTTPS
connections with any certificate that has been uploaded to the certificate store. There is a
new ‘remote-mgmt’ context in the CLI that allows you to:
• Specify the certificate to use.
• Specify the list of ciphers.
• Set the allowed SSL/TLS protocol levels.
In this release, changing the Web UI certificate requires that you disable and re-enable the
‘HTTPS’ flag on all subnets that have this flag set. This will be addressed in a future release.
Uploading an IP Reputation Database File
Using the CLI or the Web UI, it is now possible to upload to the ADC an IP Reputation
database archive that you obtained from the Fortinet Support Site. This is particularly
useful in configurations where the ADC is installed in an environment where connections to
the Internet are not allowed and it is not possible for the ADC to connect to the Fortinet site
to download the IP Reputation database directly.
Passive FTP Clusters with Spoof Disabled
In previous releases, an FTP cluster was required to have the ‘Spoof’ option enabled, which
means that the ADC would use the client’s IP address as the source IP address in all packets
sent to the servers in the cluster. With this release, spoof can now be disabled on an FTP
cluster that uses passive FTP connections to servers – which means that the ADC’s subnet
IP address will be used as the source IP in all packets sent to servers.
Change Notices
Smart Control Web UI Redesigned
Several usability issues were identified in the Smart Control Web UI. The interface has been
redesigned to make creation of a scheduled smart control easier and more intuitive.
Resolved Issues
Bug ID
Description
7895
7896
Smart Controls: Fixed two issues with smart controls configured to run
every day at a specific time:
• The smart control may not fire until 24 hours have passed after the
creation of the smart control.
• Modifying the smart control can result in the creation of a new smart
control rather than modifying the existing one.
8517
Logging and Timezone Modification: In previous releases, the system
logging daemon (syslogd) is not restarting when a timezone change occurs.
This bug has been fixed. Log messages have also been added that will
appear in /var/log/eq when a timezone change occurs to help diagnose
timezone issues.
8579
Backup: Fixed issues seen in previous releases with backup archives of large
configurations consisting of hundreds of clusters, servers, server pools, etc.
8590
SNMP: Corrected the calculation of the hrProcessorLoad OID so that it is
calculated as an average over 60 seconds as specified in RFC1514.
8617
Smart Control: Fixed issues with creating a save state archive (a.k.a. a
‘collect’) from a smart control script.
8716
8718
HTTPS Cluster Stability: Improved session management to prevent any
single cluster from consuming all available CPU resources.
8793
Firewall Rules in Web UI: A new flag has been added to the System >
Global > Parameters page that allows the user to enable and disable the
automatic firewall rules created to enforce the permit and deny rules users
can place on subnets. This control was added to the CLI in a previous
release.
8871
Smart Controls: The "Next Execution Time" displays the incorrect scheduled
time if a smart control is created for the last date of a month. This bug has
been fixed.
8878
Failover: The peer management daemon (peerd) listens on subnets that do
not have the failover heartbeat flag enabled. If connections are attempted to
the failover listening port on those subnet IP addresses, it can interfere with
failover operation. This bug has been fixed, and the daemon now listens only
on subnets that have heartbeat enabled. (1200425)
8917
Failover: Fixed an issue where a peer that is not running a release that
supports failover communication via SSL might be displayed in the CLI with
that option present and enabled for a short period of time, until the two
peers synchronize successfully.
8922
Smart Control Web UI: In previous releases, it was observed that certain
versions of the Internet Explorer and Safari browsers do not support
uploading a file in a popup. This issue has been resolved by changing the
‘Add Smart Control’ popup to only present the controls for upload on
browsers that support that functionality.
8970
N+1 Failover: If a network cable is unplugged and then plugged in again, a
peer may continue to display an "interface down" error after the cable is
plugged back in and the interface is actually up. This bug has been fixed.
8995
8996
SSL POODLE Vulnerability: This vulnerability has been closed by updating
the version of OpenSSL used for software and hardware acceleration to
1.0.1j. Note that this issue still exists for hardware accelerated legacy GX
models (E450GX, E650GX). The workaround on those models is to enable
‘Software SSL Only’ on all HTTPS clusters.
9023
Networking: Changing the IP address on one subnet in a multi-subnet VLAN
may result in changing the subnet IP address of another subnet on the
VLAN. This bug has been fixed.
9078
Reliability: On systems that are experiencing a high number of alerts, the
following message may be seen in the log:
04003075: Configd issue: unable to reply to message with first cmd
280|No buffer space available|
This is caused by an internal error in alert processing and can lead to no
more alerts being processed. This issue has been fixed.
9087
Stability: If a VLAN is deleted and then the same VLAN is added again, the
peer management daemon (peerd) may exit abnormally (and restart). This
bug has been fixed.
9117
Smart Controls: Modified smart controls so that a disabled smart control
can still be executed manually.
9120
Networking: On GX systems only, tagged VLANs may not come up properly
when a cable is plugged or unplugged, or the system is powered up from a
powered off state. This bug has been fixed.
9142
Failover: The peer management daemon (peerd) may crash under the
following circumstances: a NAT rule that uses a cluster IP address as the ‘out’
address is added to a subnet, and the system is then rebooted. This bug has
been fixed.
9143
Failover: If a NAT ‘out’ IP address is set to a cluster IP address, no GARP is
issued for the cluster IP address when a peer goes into primary mode. This
issue is fixed: three GARPs are now sent out for the cluster IP address when
a peer becomes primary.
9171
Alerts: Fixed an issue that caused extra carriage return and line feed (CR, LF)
characters to be inserted into the subject line of an email alert, thereby
violating RFC 2822.
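As an added illustration of the defect in 9171 (not EQ/OS code), the following Python shows why a bare CR/LF in a subject matters: RFC 2822 only allows CRLF inside a header body when it is a fold (followed by a space or tab), and a bare CRLF CRLF ends the header section, so the rest of the subject lands in the message body. The alert text is constructed for the example.

```python
import re

# RFC 2822 folding: CRLF immediately followed by a space or tab continues the
# same header field.  Any other CR or LF inside a field body is illegal.
_FOLD = re.compile(r"\r\n(?=[ \t])")


def header_value_is_valid(value: str) -> bool:
    """True when every CR/LF in the header value is part of a legal fold."""
    unfolded = _FOLD.sub("", value)
    return "\r" not in unfolded and "\n" not in unfolded


def make_subject(value: str) -> str:
    """Build a safe 'Subject:' line: legal folds are unfolded and any remaining
    CR/LF is replaced by a space, so an alert is still sent rather than
    rejected or truncated."""
    cleaned = re.sub(r"[\r\n]+", " ", _FOLD.sub("", value)).strip()
    return f"Subject: {cleaned}"


def split_message(raw: str):
    """Minimal receiver view of an RFC 2822 message: the header section ends at
    the first bare CRLF CRLF, folded lines are joined, the rest is the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers, name = {}, None
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()     # continuation of a fold
        elif ":" in line:
            name, _, val = line.partition(":")
            headers[name.strip()] = val.strip()
    return headers, body


# Constructed alert subject containing the kind of stray CR/LF described in 9171.
BAD_SUBJECT = "Equalizer alert\r\n\r\ncluster web state change"
```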
9180
Failover: Configuration synchronization may not happen properly between
two peers under the following conditions (all must be true):
• Their configuration files have different Global Sequence Numbers.
• There is a configuration synchronization error.
• The two systems are rebooted simultaneously.
This bug has been fixed.
9239
N+1 Failover: Fixed an issue with failover state determination when a
failover peer (Peer A) has determined it should be backup for a failover
group, but before it sends out a heartbeat to the other peers indicating this,
it gets a heartbeat from another peer indicating that Peer A should become
primary. This bug has been fixed.
Known Issues
Read this section thoroughly before upgrading!
Bug ID
Description
3351
3989
Match Rules: debug_message(), ssl2(), ssl3(), and tls1() functions
(supported in Version 8) are not accepted for expressions.
3468
Clusters: The ‘Reset on server failure’ global option supported in previous
releases is not yet implemented in Version 10.
4101
Layer 4 UDP clusters: The ‘persist override’ flag on UDP cluster server
instances does not override persistence.
5393
TCP/ACV Health Checks: The CLI and Web UI will indicate that a server
instance is 'ACV DOWN' (or not responding to ACV probes) even when ACV
is not set, when the server is not responding to TCP probes. It should be
shown as ‘L4 TCP DOWN’. In any case, the server is correctly marked
‘down’.
5663
Health Checks: In a server pool configuration, do not define more than
16 health check instances per server instance. If 17 health check instances
are defined on a server instance, the system will become unresponsive
and reboot. The workaround, after the system comes back up, is to
remove the 17th health check from the configuration file. This bug will be
fixed in a future release.
6385
VMware Integration: In a VMware configuration where Microsoft Active
Directory is used, logging in to VMware from Equalizer will fail if the
VMware account used to log into VMware is defined within an Active
Directory domain. On VMware the login succeeds, but on Equalizer the
login attempt fails. If you test the login, it will appear to hang. Messages
like the following appear in the Equalizer log: “vlbd[22043]: |e|v
vCenter;|75000039: unable to send message|Message too long|”. The
workaround is to use a VMware account that is not defined within Active
Directory to log into VMware.
6583
If you modify a VLAN MTU parameter to a value that is lower than the
currently set value, you must reboot Equalizer to ensure proper operation
of the network interface.
6467
Layer 4 UDP clusters: A server defined on the ADC cannot access any
UDP clusters defined on the ADC. This bug will be fixed in a future release.
6648
Responders: It is not possible to enter a regular expression containing a
"?" character using the CLI. The workaround is to use the Web UI instead.
6669
SSH: When using SSH to log into the CLI, the file editor (for certificates,
responders, etc.) may not work. This may be due to the terminal type
presented to the system on login. To work around this issue, modify your
terminal emulator settings before logging in and set the terminal type to
‘xterm’.
6947
ACV Probes Require ‘\r\n’ at Layer 7: In Version 8.6, Layer 7 ACV probes
did not require that the user insert ‘\r\n’ characters at the end of the
Probe. In Version 10, the user must add these characters at the end of the
probe string manually. (6497)
6966
Web UI: Cannot define an SNMP Trap server in the Web UI. The
workaround is to use the CLI.
7363
Web UI: Some CLI commands are not supported by the CLI Console
widget in the Web UI Dashboard. See the online WebHelp for more
information.
7599
Subnet destination (or policy) routes have been removed (see bug
7556, above). That feature included the ability to specify the source IP
address to use for a packet routed to another network. Now, the system
automatically configures destination routes, and uses the subnet IP
address as the source IP address. The capability to specify a source IP
address will be provided in a future release.
7656
Web UI: When using Internet Explorer 11 to view the Web UI, issues have
been observed where UI source code is displayed and a page is unusable.
The only workarounds are to either try Compatibility Mode, use Internet
Explorer 10, or use another browser.
7750
Layer 4 TCP Clusters: The IP address and port for an FTP cluster (a TCP
cluster with a start port of 21) cannot be modified. The workaround is to
create a new FTP cluster.
7814
Failover: The per-subnet ‘command’ flag has been moved in the CLI to a
new ‘failover’ context. This flag must currently be managed through the
CLI. In the Web UI, this flag remains on the subnet configuration tab.
Attempting to disable the flag in the Web UI appears to succeed, but if the
tab is redisplayed the flag is still set on that subnet. This issue in the Web
UI will be fixed in a subsequent release.
7830
The VLAN MTU parameter cannot be modified to be larger than 4839 on
all LX and FortiADC hardware, as well as on Equalizer OnDemand. For
legacy GX models, the MTU parameter limitation is 1500. This will be fixed
in a future release.
7923
Preferred static routes: If the user adds a ‘0/0’ static route and a
preferred static route for a server with the same gateway, then the
preferred static route is ignored.
8657
SSL Ciphers: The following cipher is temporarily disabled for all HTTPS
clusters due to reconnection issues:
• AES256-GCM-SHA384
8676
Upgrade using Local File in Web UI: When upgrading using a ‘Local File’
uploaded to the system via the browser, the system displays a popup that
says: ‘Downloading the upgrade archive…’. If the system runs out of space
in the filestore, this popup will appear and never be dismissed. Also, a
message in the system log will appear:
command phpcgi, on /var/crash: file system full
If this occurs, you must remove files from the filestore (using the CLI) so
that there is at least 50MB of space in the filestore. Then, re-try the
upgrade and it should now succeed.
9257
Web UI Certificate: A certificate that requires a DSA (DSS) private key
cannot be selected for use as the certificate for Web UI HTTPS
connections.
Registering Your Product
Fortinet customer services (such as firmware updates and technical support) require
product registration. Take a moment now to register your product at the Fortinet Customer
Service and Support web site:
https://support.fortinet.com
Before you can register, you will need:
1. Access to a new or existing Support Account. Information on how to create and
manage a support account is provided in the Fortinet Support Portal User Guide. If
your organization already has an account, obtain the user name and password
information from your local account administrator to log in.
2. The serial number of the unit you want to register. You can find this information
using either the CLI or the GUI after powering up your appliance:
• To use the CLI, log in to the CLI (over the serial console or, if networking is
configured, using SSH over an appropriately configured subnet) and enter the
following CLI command:
eqcli > version
Record the System Serial Number from the command output.
• If networking is configured and the GUI has been enabled on a subnet, you can
also get the serial number from the ‘System Information’ widget on the GUI
dashboard. The Dashboard appears automatically when you log into the GUI.
Once you have obtained both the login credentials of a support account and the System
Serial Number of the unit to register, do the following:
1. Log in to https://support.fortinet.com using the login credentials obtained
above.
2. Follow the instructions provided in the Registration Frequently Asked Questions
under the heading “How do I register a Fortinet device?”. When requested, enter
the System Serial Number you obtained above into the appropriate form. Once
registration is completed, the appliance serial number and other information will
appear in the FortiCare Registration area.
Your system is now registered. If your system can connect to the internet, you can now
update the support information displayed in the CLI and GUI by doing one of the following:
• In the CLI, enter the following to update the support information on your unit:
eqcli > forticare registration
View the updated Support information (including Last refresh date, Support
end, and Email) by entering:
eqcli > version
• In the GUI, select the System configuration tab on the left navigational pane and
then click on Global > Dashboard. The System information widget on the right
pane will indicate the Support information (including Last refresh date,
Support end, and Email). Click on the Refresh button to update the registration
information.
Note that the registration information does not update automatically in either the CLI
or the GUI; you must use either the CLI ‘forticare registration’ command or the
Refresh button in the GUI Dashboard’s System Information widget to update.