EQ/OS 10.3.2 Release Notes

About This Document  2
Supported Hardware  2
EQ/OS 10 Documentation  2
Enhancements and Fixes in 10.3.2a  3
  What's New  3
    Top Level Health Checks  3
    Layer 7 Header Editing  3
  Change Notices  4
    Version 8.6 Configuration Converter Not Supported in 10.3.2 and Later Releases  4
  Resolved Issues  5
Known Issues  9
Registering Your Product  13
Page 1 of 14
EQ/OS 10.3.2 Release Notes
18 February 2015
About This Document
These are the release notes for EQ/OS Version 10.3.2 releases. Release notes are available
from the Fortinet Support Site:
http://support.fortinet.com
They are also available from the legacy Coyote Point Systems Website:
http://www.coyotepoint.com/downloads-category/release-notes
Supported Hardware
This release is supported on all LX and GX model hardware.
Please see the EQ/OS 10 Support Web Page for download links:
http://www.coyotepoint.com/content/eqos-10-support-page
EQ/OS 10 Documentation
The online Webhelp system in the Equalizer graphical user interface (Web UI) contains
complete hardware installation, configuration, and operation information. To display
Webhelp while using the Web UI, press the F1 key or choose Help > Context Help from
the menu at the top right of the Web UI screen.
The Administration Guide is the PDF format version of the Webhelp available in the Web UI.
The latest Guide is always available from the EQ/OS 10 Support Web Page:
http://www.coyotepoint.com/content/eqos-10-support-page
Copyright 2015 Coyote Point Systems Inc.
A subsidiary of Fortinet, Inc. All Rights Reserved.
Enhancements and Fixes in 10.3.2a
What’s New
Top Level Health Checks
In previous releases, health check probes were limited to defining all probe parameters on
an object-by-object basis.
Starting with version 10.3.2a, all Health Checks are defined at the top or global level of the
object hierarchy, at the same level as cluster, server pools, server, etc. These global
‘templates’ are then attached to specific objects.
Some Health Check parameters (e.g., IP, port) can be specified either in the Health Check
itself, or using the parameters on the objects to which the health check is attached.
Two basic health check types can be defined: status and load health checks. Status health
checks indicate whether an object is available or not (up or down), and can be attached to
any supported object. Load health checks indicate the relative availability of an object
compared to other objects, and for this reason can only be attached to server pools.
To complement top level health checks, new alert object types are now supported. In
addition to the existing capability of attaching alerts to objects such as servers, you can
also set alerts on health checks attached to load balancing objects (such as server instance
health checks, LLB gateway health checks, etc.).
When upgrading from version 10.3.1c and earlier releases, upgrade scripts convert your
existing configuration automatically when you upgrade the firmware. The details of how
existing configurations are converted to use top level health checks are in the 'Health Checks'
chapter in the product WebHelp and in the Administration Guide.
Layer 7 Header Editing
Header editing allows you to add, modify, and delete Layer 7 packet header data contained
in client requests and server responses. You can choose to apply header editing rules on
every request or response, or you can selectively apply header edits based on whether or
not the client request is selected by a match rule. Header editing is supported on Layer 7
HTTP and HTTPS clusters only.
Edits are defined using a server side scripting language, similar to PHP, that allows you to
create custom scripts with a set of rich locator and editing functions that let you easily
select headers, locate and modify specific header data, and use that data to add or modify
additional headers.
Among the operations you can perform are:
• Mask server information such as server version.
• Update request URIs to accommodate path changes on servers. For example, you
could change paths from /marketing to /departments/marketing.
• Work around broken features on the server. For example, if compression were
broken on a server, you could delete gzip from the accept-encoding header.
• Make changes to a query string. For example, you may wish to extract a session ID
from a cookie and add it to the query string before sending a request on to a server.
For more information, see the Header Editing chapter in WebHelp and in the Administration
Guide.
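The four header-editing operations listed above, as an added Python example that is not EQ/OS code and does not use the product's server-side scripting language: it reimplements each edit on constructed HTTP messages so the effect of each rule (masking the Server header, rewriting a path prefix, dropping gzip from Accept-Encoding, copying a cookie into the query string) can be seen end to end. The sample request and response, the function names, the cookie and parameter names, and the replacement Server value "web" are all assumptions made for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

Header = Tuple[str, str]

# Constructed sample traffic for the example (not captured from any real system).
SAMPLE_REQUEST = (
    b"GET /marketing/index.html?x=1 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept-Encoding: gzip, deflate, br\r\n"
    b"Cookie: theme=dark; JSESSIONID=abc123\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.7 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.5.9\r\n"
    b"Content-Type: text/html\r\n\r\n"
)

def parse_message(raw: bytes) -> Tuple[str, List[Header]]:
    """Split an HTTP/1.1 message head into its start line and (name, value) pairs."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines[1:])]
    return lines[0], headers

def serialize(start: str, headers: List[Header]) -> bytes:
    head = "\r\n".join([start] + [f"{n}: {v}" for n, v in headers])
    return (head + "\r\n\r\n").encode("iso-8859-1")

def get_header(headers: List[Header], name: str):
    """Header names are case-insensitive, so every lookup compares lower-cased."""
    return next((v for n, v in headers if n.lower() == name.lower()), None)

def delete_header(headers: List[Header], name: str) -> List[Header]:
    return [(n, v) for n, v in headers if n.lower() != name.lower()]

def set_header(headers: List[Header], name: str, value: str) -> List[Header]:
    """Replace the first matching header in place, or append it if absent."""
    idx = next((i for i, (n, _) in enumerate(headers) if n.lower() == name.lower()), None)
    out = list(headers)
    if idx is None:
        out.append((name, value))
    else:
        out[idx] = (headers[idx][0], value)
    return out

def mask_server(headers: List[Header]) -> List[Header]:
    """Response edit: hide the server software and version from clients."""
    return set_header(delete_header(headers, "X-Powered-By"), "Server", "web")

def rewrite_path(start: str, old_prefix: str, new_prefix: str) -> str:
    """Request edit: move a path prefix, e.g. /marketing -> /departments/marketing."""
    method, target, version = start.split(" ", 2)
    parts = urlsplit(target)
    path = parts.path
    if path == old_prefix or path.startswith(old_prefix + "/"):
        path = new_prefix + path[len(old_prefix):]
    return " ".join([method, urlunsplit(parts._replace(path=path)), version])

def drop_encoding(headers: List[Header], coding: str) -> List[Header]:
    """Request edit: remove one coding (e.g. gzip) from Accept-Encoding."""
    value = get_header(headers, "Accept-Encoding")
    if value is None:
        return headers
    kept = [t.strip() for t in value.split(",")
            if t.split(";")[0].strip().lower() != coding.lower()]
    if not kept:  # nothing left: drop the header rather than send an empty value
        return delete_header(headers, "Accept-Encoding")
    return set_header(headers, "Accept-Encoding", ", ".join(kept))

def cookie_to_query(start: str, headers: List[Header], cookie: str, param: str) -> str:
    """Request edit: copy a cookie value into the query string as <param>."""
    jar = get_header(headers, "Cookie") or ""
    m = re.search(r"(?:^|;\s*)" + re.escape(cookie) + r"=([^;]*)", jar)
    if not m:
        return start  # no such cookie: leave the request line untouched
    method, target, version = start.split(" ", 2)
    parts = urlsplit(target)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    query.append((param, m.group(1)))
    return " ".join([method, urlunsplit(parts._replace(query=urlencode(query))), version])

def edit_request(raw: bytes) -> bytes:
    """Apply the request-side edits from the list above, in order."""
    start, headers = parse_message(raw)
    start = rewrite_path(start, "/marketing", "/departments/marketing")
    headers = drop_encoding(headers, "gzip")
    start = cookie_to_query(start, headers, "JSESSIONID", "sid")
    return serialize(start, headers)

def edit_response(raw: bytes) -> bytes:
    """Apply the response-side edit (mask server information)."""
    start, headers = parse_message(raw)
    return serialize(start, mask_server(headers))
```

Running `edit_request(SAMPLE_REQUEST)` yields a request line of `GET /departments/marketing/index.html?x=1&sid=abc123 HTTP/1.1` with `Accept-Encoding: deflate, br`; `edit_response(SAMPLE_RESPONSE)` drops X-Powered-By and replaces the Server value, which is the version-disclosure reduction the first bullet describes. Each edit is applied as a rule to the whole message rather than by string replacement, so it is unaffected by header case or ordering.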
Specifying Which System Will Generate Alerts in Failover
A new advanced option has been added to the CLI that allows the user to specify which unit
in failover will generate alerts for failover groups. Alerts for objects not associated with
failover groups will continue to be generated by all units.
The new 'primary' flag on users is set as follows:
eqcli > user name flags primary
When in failover, this flag controls the generation of alerts for all failover groups. If set,
alerts for the following load balancing objects will only be generated for failover groups
that are in primary mode on the ADC:
• Servers
• Server pools
• Server instances
• LLB gateways
If the 'primary' flag is not set, alerts for load balancing objects will be generated for all
failover groups. If not in failover, this flag has no effect.
This option will be added to the Web UI in a future release.
Change Notices
Version 8.6 Configuration Converter Not Supported in 10.3.2 and Later Releases
The Version 8.6 to Version 10 configuration converter supported in previous releases is
discontinued with version 10.3.2a.
This means that customers currently running Version 8.6 on legacy Coyote Point GX
hardware will need to follow this upgrade path to Version 10.3.2:
8.6.0i-patch1 > 10.3.1c-RELEASE > 10.3.2x
1. Customers must be running Version 8.6.0i-patch1 to upgrade to Version 10.3.1c.
2. After upgrading to 10.3.1c, the configuration converter can be used to convert a
backup archive of your Version 8.6 configuration to a Version 10 configuration.
3. Once your configuration is running 10.3.1c, you can upgrade to Version 10.3.2a and
subsequent releases.
Resolved Issues
Bug
Description
2594
SNMP: Two new OIDs have been added to report the number of servers
active in a server pool attached to a cluster or match rule:
eqClusterStatusHTTPSActiveServers
eqClusterMatchRuleStatusHTTPSActiveServers
8582
Web UI: Clusters are now sorted in ascending alphabetical order in the left
frame, without regard to cluster type.
8589
SNMP: New OIDs have been added that expand the storage reporting
information available for the Host Resources MIB (RFC2790).
8638
Web UI: The HTTPS cluster summary (appears when you click on a cluster
name in the left frame) has been enhanced to clearly indicate when a cluster
is disabled because of a missing certificate or server pool.
8759
Link Aggregation Stability / Reliability: If a port is removed from an
aggregated interface, and then the same port is re-added to the same
aggregated interface, the system may panic. This bug has been fixed.
8903
Interface Reliability: The error message “MDIC write error problem” may
appear in the log and cause connectivity outages on 1Gb interfaces.
8948
Alerts: In some cases, a similar alert configured for more than one user may
only fire for one of the configured users. This issue has been fixed.
(1204360)
9092
Web UI: Fixed scrolling issues that appear when attempting to assign a
VMware UUID to a server.
9097
Email Alert Format: Enhanced the default subject line and body text of
email type alerts to provide critical information at a glance. (1243443)
The default subject line format is now:
Subject: <hostname>: <object_type> <object_name> [in <container_object_type> <container_name>] <status>: <SUBJECT>
Note that <SUBJECT> is the user-provided text from the alert definition.
The default alert email body is now:
<alert_type>: <object_type> <object_name> (<IP:port>) [in <containing_object_type> (<IP:port>)] <status>
9166
IP Reputation: If the user attempts to upload a very large file that is NOT an
IP Reputation database file, a success popup may appear with an ‘undefined
error’ message. This issue has been fixed so that a failure popup appears in
this case, and a proper error message is returned.
9185
Certificates: When attaching a certificate to an HTTPS cluster, the Web UI
has been enhanced to prevent the user from attaching a certificate that is
incomplete (e.g., missing a key file).
9189, 9300
IP Address Validation: Added validation to prevent adding an object with a
blank IP address, or with an IP address that is all zeros.
9195
Certificate Validation: Modified certificate validation as follows:
• If the user uploads a certificate and key file, and the key file validation
fails against the certificate, an error is returned. Both the key file and
the certificate file are not stored.
• If the user uploads only a certificate file and does not attempt to
upload a key file, the certificate is uploaded and stored in the
configuration.
9205
Failover: If two systems are configured in failover and are simultaneously
rebooted, the following error may be seen on one of the systems:
"47000017: eqipc call failed - configd communication error”. This bug has
been fixed.
9212
SSL Certificates: Improved error processing in GUI when the user submits
an invalid certificate file, or accidentally provides two key files when
uploading a certificate/key file pair.
9241
Remote Management via Telnet: A new global ‘services’ option has been
added to enable telnet access across all existing subnets.
9276
SSL Certificates: A certificate can be deleted while it is in use. This bug has
been fixed; the system will not allow the user to remove a certificate unless it
is not attached to any object.
9289
Web UI: Fixed an issue where a server pool cannot be removed from an
enabled match rule unless there is a responder attached.
9364
Alerts: Exception alerts sent to the remote syslog are always sent with
LOG_INFO priority. Exception alerts have been enhanced to return LOG_ERR,
LOG_WARN, and LOG_NOTICE in specific situations where they are required.
9367
Web UI: Fixed an issue that caused a long certificate list to be truncated on
display.
9397
Failover Reliability: Preferred Peer Setting Change Not Synchronized: In
a failover configuration, creating a cluster in the CLI and then immediately
removing the ‘preferred_peer’ setting may not be correctly reflected on other
peers; the existing ‘preferred_peer’ setting may not be updated on the
remote peers. This bug has been fixed. (1271540)
9403
Failover Reliability: Corrupted UUID After Config Sync: When a real server (not
a VM) is added on one unit, the change is synchronized to the other peers, but a
corrupted UUID value appears on them after config sync. (1287135)
9411
Web UI: Disabling the TLS 1.0 flag also disables the Server Side Encryption
flag. This bug has been fixed. (1299256)
9434
Web UI: Fixed issues that caused the Cluster Summary to display as a blank
page on Internet Explorer 9 (only).
9452
Web UI: Sorting on the Server Pool Summary page table does not work for
columns other than ‘Cluster’. This bug has been fixed. (1295397)
9454
Web UI: Category status (allow or block) is incorrectly reflected in the GUI,
both for default and modified values. (The CLI is always correct.) This bug
has been fixed. (1295015)
9489
Documentation: Updated information about addresses used as NAT
addresses on outbound subnets. If a specified NAT address does not already
exist on one of the unit’s subnets, it will be instantiated on the appropriate
subnet after the NAT is added. (1278015)
9491
Link Aggregation: If an aggregated interface is removed from a subnet, and
an IP address on that subnet is then ping’ed, the system may panic. This bug
has been fixed.
9499
Web UI Certificates: Added validation to prevent a DSA or EC certificate to
be attached to the Web UI. (Currently, these are not supported for use with
the GUI.)
9552, 9608
HTTPS Cluster Reliability / Stability: On hardware-accelerated systems, an
HTTPS cluster can become unresponsive when certain rare events occur during
SSL processing. The message returned is: "abort in cav_pending_assert
unexpected cavium pending". This issue has been fixed. (1324824)
9554
HTTPS Cluster Reliability / Stability: Fixed issues with undocumented error
codes (e.g., 0x42) being returned on hardware-accelerated systems.
9560
User Management: Disabling any user flags removes an already configured
mail server from the user configuration. This bug has been fixed.
Known Issues
Read this section thoroughly before upgrading!
Bug ID
Description
3351, 3989
Match Rules: debug_message(), ssl2(), ssl3(), and tls1() functions
(supported in Version 8) are not accepted for expressions.
3468
Clusters: The ‘Reset on server failure’ global option supported in previous
releases is not yet implemented in Version 10.
4101
Layer 4 UDP clusters: The 'persist override' flag on UDP cluster server
instances does not override persistence.
5393
TCP/ACV Health Checks: The CLI and Web UI will indicate that a server
instance is 'ACV DOWN' (or not responding to ACV probes) even when ACV
is not set, when the server is not responding to TCP probes. It should be
shown as ‘L4 TCP DOWN’. In any case, the server is correctly marked
‘down’.
5663
Health Checks: In a server pool configuration, do not define more than
16 health check instances per server instance. If 17 health check instances
are defined on a server instance, the system will become unresponsive
and reboot. The workaround, after the system comes back up, is to
remove the 17th health check from the configuration file. This bug will be
fixed in a future release.
6385
VMware Integration: In a VMware configuration where Microsoft Active
Directory is used, logging in to VMware from Equalizer will fail if the
VMware account used to log into VMware is defined within an Active
Directory domain. On VMware the login succeeds, but on Equalizer the
login attempt fails. If you test the login, it will appear to hang. Messages
like the following appear in the Equalizer log: "vlbd[22043]: |e|v
vCenter;|75000039: unable to send message|Message too long|". The
workaround is to use a VMware account that is not defined within Active
Directory to log into VMware.
6583
If you modify a VLAN MTU parameter to a value that is lower than the
currently set value, you must reboot Equalizer to ensure proper operation
of the network interface.
6634
UDP Health Checks: If a UDP health check is attached to an object with a
port that is not port 53, 111, or 2049, then no probing will occur. If the
health check is attached to a server pool, all server instances for which the
destination port is one of the 3 supported ports will be probed; others will
not. UDP probing on ports other than 53, 111, and 2049 will be provided
in a future release.
6648
Responders: It is not possible to enter a regular expression containing a
"?" character using the CLI. The workaround is to use the Web UI instead.
6669
SSH: When using SSH to log into the CLI, the file editor (for certificates,
responders, etc.) may not work. This may be due to the terminal type
presented to the system on login. To work around this issue, modify your
terminal emulator settings before logging in and set the terminal type to
‘xterm’.
6497
ACV Probes Require '\r\n' at Layer 7: In Version 8.6, Layer 7 ACV probes
did not require that the user insert '\r\n' characters at the end of the
probe. In Version 10, the user must add these characters at the end of the
probe string manually.
6966
Web UI: Cannot define an SNMP Trap server in the Web UI. The
workaround is to use the CLI.
7363
Web UI: Some CLI commands are not supported by the CLI Console
widget in the Web UI Dashboard. See the online WebHelp for more
information.
7599
Subnet destination (or policy) routes have been removed (see bug
7556, above). That feature included the ability to specify the source IP
address to use for a packet routed to another network. Now, the system
automatically configures destination routes, and uses the subnet IP
address as the source IP address. The capability to specify a source IP
address will be provided in a future release.
7750
Layer 4 TCP Clusters: The IP address and port for an FTP cluster (a TCP
cluster with a start port of 21) cannot be modified. The workaround is to
create a new FTP cluster.
7814
Failover: The per-subnet ‘command’ flag has been moved in the CLI to a
new ‘failover’ context. This flag must currently be managed through the
CLI. In the Web UI, this flag remains on the subnet configuration tab.
Attempting to disable the flag in the Web UI appears to succeed, but if the
tab is redisplayed the flag is still set on that subnet. This issue in the Web
UI will be fixed in a subsequent release.
7830
The VLAN MTU parameter cannot be modified to be larger than 4839 on
all LX and FortiADC hardware, as well as on Equalizer OnDemand. For
legacy GX models, the MTU parameter limitation is 1500. This will be fixed
in a future release.
7923
Preferred static routes: If the user adds a ‘0/0’ static route and a
preferred static route for a server with the same gateway, then the
preferred static route is ignored.
8657
SSL Ciphers: The following cipher is temporarily disabled for all HTTPS
clusters due to reconnection issues:
• AES256-GCM-SHA384
8676
Upgrade using Local File in Web UI: When upgrading using a 'Local File'
uploaded to the system via the browser, the system displays a popup that
says: 'Downloading the upgrade archive…'. If the system runs out of space
in the filestore, this popup will appear and never be dismissed. Also, a
message in the system log will appear:
command phpcgi, on /var/crash: file system full
If this occurs, you must remove files from the filestore (using the CLI) so
that there is at least 50MB of space in the filestore. Then, re-try the
upgrade and it should now succeed.
9257
Web UI Certificate: A certificate that requires a DSA (DSS) private key
cannot be selected for use as the certificate for Web UI HTTPS
connections.
9465
Web UI: If a Health Check that returns both up/down status and a load
value returns a ‘down’ status, the previously obtained (and now invalid)
load values remain displayed in the Web UI.
9562
Health Check ‘Coalescing’: If 2 non-UDP health checks are identical
except for the probe timing parameters, they will coalesce into a single
probe. This means that probing might happen at a different interval than
expected.
9630
Duplicate Cluster IP Addresses: If more than one cluster is configured
with the same IP address (and different ports), then the last cluster IP/port
configured on the subnet will take ownership of the address. For example:
1. Create two clusters with the same IP address and different ports.
2. Ping the IP address -- a ping response is received.
3. Disable the first cluster -- the ping will still succeed.
4. Re-enable the first cluster and disable the second -- there is no
response to the ping.
Registering Your Product
Fortinet customer services (such as firmware updates and technical support) require
product registration. Take a moment now to register your product at the Fortinet Customer
Service and Support web site:
https://support.fortinet.com
Before you can register, you will need:
1. Access to a new or existing Support Account. Information on how to create and
manage a support account is provided in the Fortinet Support Portal User Guide. If
your organization already has an account, obtain the user name and password
information from your local account administrator to log in.
2. The serial number of the unit you want to register. You can find this information
using either the CLI or the GUI after powering up your appliance:
• To use the CLI, log in to the CLI (over the serial console or, if networking is
configured, using SSH over an appropriately configured subnet) and enter the
following CLI command:
eqcli > version
Record the System Serial Number from the command output.
• If networking is configured and the GUI has been enabled on a subnet, you can
also get the serial number from the 'System Information' widget on the GUI
dashboard. The Dashboard appears automatically when you log into the GUI.
Once you have obtained both the login credentials of a support account and the System
Serial Number of the unit to register, do the following:
1. Log in to https://support.fortinet.com using the login credentials obtained
above.
2. Follow the instructions provided in the Registration Frequently Asked Questions
under the heading “How do I register a Fortinet device?”. When requested, enter
the System Serial Number you obtained above into the appropriate form. Once
registration is completed, the appliance serial number and other information will
appear in the FortiCare Registration area.
Your system is now registered. If your system can connect to the internet, you can now
update the support information displayed in the CLI and GUI by doing one of the following:
• In the CLI, enter the following to update the support information on your unit:
eqcli > forticare registration
View the updated Support information (including Last refresh date, Support
end, and Email) by entering:
eqcli > version
• In the GUI, select the System configuration tab on the left navigational pane and
then click on Global > Dashboard. The System information widget on the right
pane will indicate the Support information (including Last refresh date,
Support end, and Email). Click on the Refresh button to update the registration
information.
Note that the registration information does not update automatically in either the CLI
or the GUI; you must use either the CLI ‘forticare registration’ command or the
Refresh button in the GUI Dashboard’s System Information widget to update.