ArrayOS APV 8.6.1.40 Release Note
Introduction
This release note summarizes the new features, general enhancements, resolved issues and
known limitations for ArrayOS APV 8.6.1.40.
Additional Information:
Telephone access to Array Networks is available Monday - Friday, 9 A.M. to 5 P.M. PST.
Table of Contents
WHAT’S NEW
  Website Classification
  SPAN Port
ENHANCEMENTS
  Secure Sockets Layer (SSL)
  SSL Interception
  High Availability (HA)
  WebUI
  General System/Tools
RESOLVED ISSUES
  Secure Sockets Layer (SSL)
  SSL Interception
  Global Server Load Balance (GSLB)
  High Availability (HA)
  General System/Tools
  WebUI
  Legacy WebUI
KNOWN LIMITATIONS
WHAT’S NEW
Website Classification
Website classification is a dynamic website category recognition function that the
APV appliance provides by subscribing to Webroot BrightCloud’s website
classification service. This function allows the APV appliance to look up the
category of a website via the local cache, local database and online connection to the
Webroot BrightCloud server. Currently, the website classification function applies
only to the SSL interception feature. Administrators can configure the system’s
processing modes (intercept or bypass) for traffic accessing specific website
categories (for example Adult, Job Search, Games, Illegal, etc). More information on
configuring the APV processing modes is included in the section “Supporting
intelligent URL filtering via the website classification function”.
The website classification function is supported on APV 1600v5, APV 2600v5, APV
3600v5, APV 3650, APV 6600, APV 7600, APV 11600 and vAPV running ArrayOS
APV 8.6.1.40 and later versions. To enable the website classification function on
these APV models, administrators need to import a license into the system. This
function supports two types of licenses:
Trial license: 30-day free trial
Formal license: 365-day validity period
After the license expires, the website classification function will be unavailable. The
Webroot server will deny the APV appliance’s access and the APV appliance will
stop sending website category lookup queries to the server. To obtain a license,
please contact Array Networks Customer Support and provide the device model and
serial number.
To support this new feature, the following commands are added:
webclassify license <license_key>
This command is used to import a license key for the website classification function. This
license allows the system to use the website classification function provided by Webroot
BrightCloud Threat Intelligence Service.
show webclassify license
This command is used to display information about the website classification function
license, including OEM, device ID, serial number, license type (trial license or production
license) as well as the issue information and expiration time of the license.
webclassify {on|off}
This command is used to enable or disable the global website classification function. By
default, this function is disabled.
webclassify cloud {on|off}
This command is used to enable or disable the online website classification lookup function.
This function can be enabled only after the global website classification function
(“webclassify on”) is enabled. By default, online website classification lookup is disabled.
When this function is disabled, the system performs only local lookups. After this function
is enabled, the system connects to the Webroot BrightCloud service for an online lookup if
the local lookup fails, and the results are stored in the local cache for future use.
show webclassify settings
This command is used to display the configurations of the global website classification and
online website classification lookup functions.
show webclassify status
This command is used to display all configurations related to website classification
functions, such as the domain name of the Webroot server, the license status, the enabling
status of the online website classification lookup function, and the database version.
show webclassify url categories
This command is used to display all website categories that the system can look up.
show webclassify url category <website_name>
This command is used to show the category of the specified website. If the system can
obtain the category of a website from the local cache or database, it displays the result
immediately. If neither the local cache nor the database has category information for the
website, the result is returned with a slight delay; the maximum delay is 20s.
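The lookup order described above (local cache, then local database, then the online service, with online results written back to the cache and no queries sent once the license has expired or while online lookup is off) as an added example. This is illustrative code written for this release note, not ArrayOS code; the class, method and field names, the ISO-date license handling and the sample host/category tables are constructed for the example.

```python
"""Model of the tiered website-category lookup described in the release note.

Added example, not ArrayOS code.  The order (local cache -> local database ->
online service), the rule that online lookup can only be enabled after the
global function is on, the write-back of online results to the local cache and
the stop of all queries after license expiry come from the note; everything
else (names, sample data, ISO-date license fields) is constructed.
"""
from datetime import date
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data standing in for the shipped local database.
SAMPLE_LOCAL_DB: Dict[str, str] = {
    "jobs.example.com": "Job Search",
    "games.example.net": "Games",
}

# Constructed stand-in for the online service: hostname -> category.
SAMPLE_CLOUD: Dict[str, str] = {
    "news.example.org": "News and Media",
}


def sample_cloud_query(host: str) -> Optional[str]:
    """Hypothetical online lookup; None when the service has no entry."""
    return SAMPLE_CLOUD.get(host)


class WebClassifier:
    def __init__(self, local_db: Dict[str, str],
                 cloud_query: Callable[[str], Optional[str]],
                 license_expires: str, today: str):
        self.enabled = False        # "webclassify {on|off}", default off
        self.cloud_enabled = False  # "webclassify cloud {on|off}", default off
        self.cache: Dict[str, str] = {}   # filled only by online lookups
        self.local_db = dict(local_db)
        self.cloud_query = cloud_query
        self.license_expires = date.fromisoformat(license_expires)
        self.today = date.fromisoformat(today)
        self.cloud_queries_sent = 0

    def license_valid(self) -> bool:
        return self.today <= self.license_expires

    def set_cloud(self, on: bool) -> None:
        # Online lookup can only be enabled after the global function is on.
        if on and not self.enabled:
            raise ValueError("enable webclassify before webclassify cloud")
        self.cloud_enabled = on

    def lookup(self, host: str) -> Tuple[Optional[str], str]:
        """Return (category, source); source is 'disabled', 'cache',
        'database', 'cloud' or 'unknown'."""
        if not self.enabled:
            return None, "disabled"
        host = host.lower().rstrip(".")  # assumption: case-insensitive key
        if host in self.cache:
            return self.cache[host], "cache"
        if host in self.local_db:
            return self.local_db[host], "database"
        # Online lookup only when enabled and the license is still valid;
        # after expiry no query is sent at all.
        if self.cloud_enabled and self.license_valid():
            self.cloud_queries_sent += 1
            category = self.cloud_query(host)
            if category is not None:
                self.cache[host] = category   # remembered for future lookups
                return category, "cloud"
        return None, "unknown"
```

The `source` element of the result is what a "show webclassify url category" style check would want to expose: it tells an operator whether a slow answer came from the online path or whether the local data simply has no entry.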
SPAN Port
Beginning with ArrayOS APV 8.6.1.40, the system supports the SPAN Port feature.
The system uses this feature to capture packets on a source port and send the
captured packets to a destination port. The destination port can be connected to a
security device, so that the captured traffic is delivered to that device for
troubleshooting, debugging and traffic analysis. For load balancing or other purposes,
SPAN Port also allows the captured traffic to be sent to multiple security devices of
the same type or of different types.
When the security devices are of the same type, the system supports the load
balancing of captured traffic to them or the duplication of the captured packets to
each of them.
When the security devices are of different types, for example an IDS and a
firewall, the captured packets will be duplicated and sent to each of them.
SPAN Port employs filter lists to define the source IPs, source ports, destination IPs
and destination ports of the traffic to be captured. In addition, a filter list can restrict
capture to packets flowing in the inbound direction, the outbound direction or both
(bidirectional), and to a specific transport protocol (TCP, UDP or both).
The SPAN Port feature plays an important role in SSL interception implementations.
When SPAN Port is deployed together with SSL interception, the security device used
to inspect traffic can be deployed in bypass mode: traffic on the ingress node is
transparently transferred to the egress node without passing through the security
device, while the security device still receives a copy of the decrypted SSL traffic
for analysis. In addition, SPAN Port enables an APV appliance working in Layer 2
mode to send the captured traffic to multiple security devices in a load-balanced
manner, whereas previously a Layer 2 APV appliance could cooperate with only one
security device set up in inline mode.
To support this new feature, the following commands are added:
spanport filterlist name <filterlist_name>
This command is used to configure a filter list. The system supports a maximum of eight
filter lists.
no spanport filterlist name <filterlist_name>
This command is used to delete the specified filter list.
spanport filterlist member <filterlist_name> <interface_name> <src_ip> <src_port>
<dst_ip> <dst_port> <protocol> [direction]
This command is used to add a filter rule to the specified filter list. The system selects
the packets to be copied based on the filter rules. A maximum of eight filter rules can be
added to a filter list. Filter rules should not have overlapping matching conditions: if a
packet matches multiple filter rules at the same time, the system applies only one of them.
no spanport filterlist member <filterlist_name> <interface_name> <src_ip>
<src_port> <dst_ip> <dst_port> <protocol> <direction>
This command is used to delete a filter rule from the specified filter list.
show spanport filterlist [filterlist_name]
This command is used to display the specified filter list and its filter rules.
clear spanport filterlist [filterlist_name]
This command is used to clear the specified filter list and its filter rules.
spanport devicegroup name <group_name> <group_method>
This command is used to configure the security device group to which the copied packets
are destined and set the method that the system uses to send the copied packets to the group.
no spanport devicegroup name <group_name>
This command is used to delete the specified security device group.
spanport devicegroup member <group_name> <interface_name> <mac> [sort_string]
This command is used to add a security device as a member to the specified security device
group.
no spanport devicegroup member <group_name> <interface_name> <mac>
This command is used to delete a member from the specified security device group.
show spanport devicegroup [group_name]
This command is used to display the specified security device group and its members.
clear spanport devicegroup [group_name]
This command is used to clear the specified security device group and its members.
spanport policy <policy_name> <filterlist_name> <group_name>
This command is used to configure a SPAN port policy to associate the specified filter list
with the specified security device group.
no spanport policy <policy_name>
This command is used to delete the specified SPAN port policy.
show spanport policy [policy_name]
This command is used to display the specified SPAN port policy.
clear spanport policy
This command is used to clear all SPAN port policies.
clear spanport config
This command is used to clear all SPAN port configurations.
show statistics spanport
This command is used to display SPAN port statistics.
clear statistics spanport
This command is used to clear SPAN port statistics.
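The filter list, device group and policy objects listed above, modelled as an added example of how a SPAN policy decides which captured packets reach which device. This is illustrative code written for this release note, not ArrayOS code. From the note: a rule carries interface, source/destination IP and port, protocol (TCP, UDP or both) and direction; at most eight rules per list; a packet matching several rules is handled by only one of them; same-type devices are either load-balanced or each given a copy, and different-type devices always each get a copy. Assumed here and not stated by the note: IPs may be CIDR prefixes or "any", port 0 means any port, the first matching rule wins, the method names "loadbalance"/"duplicate", the device "kind" label, and a symmetric flow hash for load balancing so both directions of a connection reach the same device.

```python
"""Model of SPAN Port filter lists, device groups and policies.

Added example, not ArrayOS code.  Rule fields, the eight-rule limit, the
one-rule-per-packet behaviour and the same-type/different-type group handling
come from the release note; CIDR/"any" matching, port 0 = any, first-match
wins, the method names, the device kind label and the symmetric flow hash are
assumptions made for this example.
"""
import ipaddress
import zlib
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RULES = 8


@dataclass(frozen=True)
class Packet:
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str    # "tcp" or "udp"
    direction: str   # "in" or "out" relative to the interface


@dataclass
class FilterRule:
    interface: str
    src_ip: str = "any"      # CIDR prefix or "any" (assumed syntax)
    src_port: int = 0        # 0 = any port (assumed)
    dst_ip: str = "any"
    dst_port: int = 0
    protocol: str = "both"   # "tcp", "udp" or "both"
    direction: str = "both"  # "in", "out" or "both"

    @staticmethod
    def _ip_match(spec: str, ip: str) -> bool:
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (self.interface == pkt.interface
                and self._ip_match(self.src_ip, pkt.src_ip)
                and self._ip_match(self.dst_ip, pkt.dst_ip)
                and self.src_port in (0, pkt.src_port)
                and self.dst_port in (0, pkt.dst_port)
                and self.protocol in ("both", pkt.protocol)
                and self.direction in ("both", pkt.direction))


@dataclass
class FilterList:
    name: str
    rules: List[FilterRule] = field(default_factory=list)

    def add(self, rule: FilterRule) -> None:
        if len(self.rules) >= MAX_RULES:
            raise ValueError("a filter list holds at most eight rules")
        self.rules.append(rule)

    def first_match(self, pkt: Packet) -> Optional[FilterRule]:
        # Only one rule is applied per packet; first match wins (assumption).
        return next((r for r in self.rules if r.matches(pkt)), None)


@dataclass
class Device:
    interface: str
    mac: str
    kind: str        # assumed type label, e.g. "ids" or "firewall"


@dataclass
class DeviceGroup:
    name: str
    method: str      # "loadbalance" or "duplicate" (assumed names)
    members: List[Device] = field(default_factory=list)

    def targets(self, pkt: Packet) -> List[Device]:
        kinds = {m.kind for m in self.members}
        # Different-type devices, or duplicate mode: every member gets a copy.
        if len(kinds) > 1 or self.method == "duplicate":
            return list(self.members)
        # Same-type devices in load-balance mode: hash the flow to one member.
        # The key is symmetric so request and reply land on the same device,
        # which an inspecting IDS needs to see both halves of a connection.
        ends = sorted([f"{pkt.src_ip}:{pkt.src_port}", f"{pkt.dst_ip}:{pkt.dst_port}"])
        key = "|".join(ends) + "/" + pkt.protocol
        return [self.members[zlib.crc32(key.encode()) % len(self.members)]]


def span_dispatch(pkt: Packet, filterlist: FilterList, group: DeviceGroup) -> List[str]:
    """Apply one SPAN policy (filter list -> device group); return target MACs."""
    if filterlist.first_match(pkt) is None:
        return []
    return [d.mac for d in group.targets(pkt)]
```

Because a rule matches one direction's source/destination as written, a bidirectional capture of a TCP service needs a pair of rules (one for each direction) unless the rule leaves both addresses as "any"; the symmetric hash then guarantees both rules deliver a given connection to the same device.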
For guidelines in deploying SPAN port in an SSL interception implementation,
please refer to the Deployment Guide for SSL Interception and Security Device Load
Balancing.
ENHANCEMENTS
SSL Interception
Redesign of SSL interception whitelist (ID: 72251)
Previously, the SSL interception module supported definition of SSL interception
whitelists to bypass decryption of SSL traffic that is destined to specific domain
names. To allow more flexible configuration options, the SSL interception whitelist
function has now been reconstructed and renamed as the domain list function. This
function can be enabled or disabled by the “ssli domainlist {on|off}” command.
When it is disabled, the system intercepts all SSL traffic by default. When it is
enabled, the domain list function employs two types of domain lists to define
whether SSL traffic needs to be intercepted.
Bypass domain list: SSL traffic that accesses domain names contained in this
domain list is allowed to pass through in encrypted format without being
inspected by a security device.
Interception domain list: traffic that accesses domain names contained in this
domain list will be decrypted and then sent for inspection by a security device
before passing through.
Administrators can apply bypass or interception domain lists to an SSL interception
virtual host. Bypass domain lists and interception domain lists are mutually exclusive.
They cannot be configured on the same virtual host simultaneously, and typically
only one or the other is used depending on the administrator’s preferences. When a
client’s SNI or server certificate’s Common Name or Subject Alternative Name
(SAN) matches a bypass domain list, the virtual host will allow the SSL traffic to
pass through without being decrypted. When a client’s SNI or server certificate’s
Common Name or SAN matches an interception domain list, the virtual host will
intercept and decrypt the SSL traffic.
The domain list function also supports the application of a single bypass or
interception domain string to a virtual host. For example, when only SSL traffic
accessing a specific domain name needs to be intercepted, it allows application of
this domain string to the virtual host as an interception domain string. It is not
necessary to add the domain string to an interception domain list and then apply the
list to the virtual host.
To support this enhancement, the following commands are deleted:
ssli whitelist {on|off}
show ssli whitelist status
ssli whitelist list <list_name>
no ssli whitelist list <list_name>
show ssli whitelist list
clear ssli whitelist list
ssli whitelist item <list_name> <sni_regex>
no ssli whitelist item <list_name> <sni_regex>
show ssli whitelist item <list_name>
clear ssli whitelist item <list_name>
ssli whitelist apply list <virtual_host_name> <list_name>
no ssli whitelist apply list <virtual_host_name> <list_name>
ssli whitelist apply item <virtual_host_name> <sni_regex>
no ssli whitelist apply item <virtual_host_name> <sni_regex>
show ssli whitelist apply <virtual_host_name> [type]
clear whitelist apply <virtual_host_name> [type]
show statistics ssli whitelist [virtual_host_name]
clear statistics ssli whitelist [virtual_host_name]
show ssli whitelist match <virtual_host_name> <domain_name>
To support this enhancement, the following commands are added:
ssli domainlist {on|off}
This command is used to enable or disable the domain interception control function. By
default, this function is disabled.
show ssli domainlist status
This command is used to display the enabled/disabled status of the domain interception
control function.
ssli domainlist list <list_name> <list_type>
This command is used to create a domain list. The system supports a maximum of 256
domain lists.
no ssli domainlist list <list_name>
This command is used to delete the specified domain list and all domain strings contained in
it.
show ssli domainlist list [list_type]
This command is used to display all configured domain lists of the specified type.
Supporting intelligent URL filtering via the website classification function (ID: 71213&71675&73978)
With the redesign of SSL interception whitelists, the SSL interception module
supports manual configurations of interception domain lists to define SSL traffic to
be intercepted. Administrators can also manually add bypass domain lists to define
SSL traffic to be bypassed. The manual method applies if clients access only a few
types of websites and the manual configuration workload is light.
If the application scenario accommodates access to a wide variety of websites, traffic
filtering using manual domain list configurations becomes a heavy workload. In
addition, internet resources are diverse, and accesses to some websites may be
unnecessarily intercepted. In this case, it is recommended to purchase and configure
the website classification function for the SSL interception module to achieve
intelligent URL filtering. Via Webroot website classification, the system supports
recognition of 82 website categories. For an overview of these categories, please
refer to: http://www.brightcloud.com/tools/change-request-url-categorization.php.
URL Filtering Policy
The website classification function supports definition of either of the following
filtering policies to distinguish SSL processing modes.
Interception policy: all traffic accessing websites belonging to the configured
website categories will be decrypted and then sent to security devices for
inspection. Traffic accessing website categories that are not defined by the
policy will be forwarded transparently.
Bypass policy: all traffic accessing websites belonging to the configured website
categories will be transparently forwarded without being decrypted and
inspected by security devices. Traffic accessing website categories that are not
defined by the policy will be intercepted and decrypted.
On the same virtual host, interception policies and bypass policies cannot be
configured simultaneously.
When both domain lists and filtering policies are configured for an SSL interception
virtual host, it processes the traffic according to the following principles:
It will preferentially match the domain lists configured by the domain list
function.
– If a matching entry is found, it will process the request or response based
upon the control type (interception or bypass) of the domain list.
– If no matching entry is found in the domain list, it will look up the website’s
category using the website classification function.
When trying to determine the website category using the website classification
function, the virtual host will first search in the local cache and database.
– If the local cache or database has category information for the website, the
virtual host will process the request or response based on the control type
(interception or bypass) of the filtering policy.
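The decision procedure of the domain list redesign and the URL filtering policy principles above, as an added example that is not part of this release note or of ArrayOS. Taken from the note: bypass and interception domain lists are mutually exclusive on one virtual host, as are interception and bypass category policies; a domain string is matched against the client's SNI or the server certificate's Common Name or SAN; domain lists are consulted before the website category; traffic whose category is not covered by an interception policy is forwarded transparently, and traffic not covered by a bypass policy is intercepted. Assumed and not stated by the note: a domain string matches a host exactly or as a parent domain, the action for a website whose category cannot be determined is the "ssli webclassify defaction" setting (modelled as the `default_action` parameter), and all class, function and host names are constructed.

```python
"""Interception decision of an SSL interception virtual host.

Added example, not ArrayOS code.  Mutual exclusion of list/policy types, the
SNI / certificate CN / SAN matching, the domain-list-before-category order and
the "not covered by the policy" rules come from the release note; the match
syntax for domain strings, the default_action parameter standing in for the
"ssli webclassify defaction" setting, and all names are assumptions.
"""
from typing import Callable, Iterable, Optional, Set

INTERCEPT, BYPASS = "intercept", "bypass"


def domain_matches(pattern: str, host: str) -> bool:
    """Assumed match rule: exact host or any subdomain of the pattern."""
    pattern, host = pattern.lower().strip("."), host.lower().strip(".")
    return host == pattern or host.endswith("." + pattern)


class SsliVirtualHost:
    def __init__(self, domainlist_on: bool, webclassify_on: bool,
                 default_action: str = INTERCEPT):
        self.domainlist_on = domainlist_on      # "ssli domainlist {on|off}"
        self.webclassify_on = webclassify_on    # URL classification on this vhost
        self.default_action = default_action    # used when the category is unknown
        self.domain_list_type: Optional[str] = None   # INTERCEPT or BYPASS
        self.domain_strings: Set[str] = set()
        self.category_policy_type: Optional[str] = None
        self.categories: Set[str] = set()

    def apply_domain_list(self, list_type: str, domains: Iterable[str]) -> None:
        # Bypass and interception domain lists cannot coexist on one vhost.
        if self.domain_list_type not in (None, list_type):
            raise ValueError("bypass and interception domain lists are mutually exclusive")
        self.domain_list_type = list_type
        self.domain_strings.update(domains)

    def apply_category_policy(self, policy_type: str, categories: Iterable[str]) -> None:
        # Interception and bypass policies cannot coexist on one vhost.
        if self.category_policy_type not in (None, policy_type):
            raise ValueError("interception and bypass policies are mutually exclusive")
        self.category_policy_type = policy_type
        self.categories.update(categories)

    def decide(self, sni: Optional[str], cert_names: Iterable[str],
               lookup_category: Callable[[str], Optional[str]]) -> str:
        # Names the domain lists are matched against: client SNI plus the
        # server certificate's Common Name and Subject Alternative Names.
        names = [n for n in [sni, *cert_names] if n]
        # 1. Domain lists take priority when the function is enabled.
        if self.domainlist_on and self.domain_list_type:
            if any(domain_matches(p, n) for p in self.domain_strings for n in names):
                return self.domain_list_type
        # 2. No domain list hit: fall back to the website category.
        if self.webclassify_on and self.category_policy_type and names:
            category = lookup_category(names[0])   # SNI first, else cert name
            if category is None:
                return self.default_action         # "ssli webclassify defaction"
            if category in self.categories:
                return self.category_policy_type
            # Category not covered by the policy: the opposite action applies.
            return BYPASS if self.category_policy_type == INTERCEPT else INTERCEPT
        # 3. Neither function applies: all SSL traffic is intercepted.
        return INTERCEPT
```

The `lookup_category` callable is where the cache/database/online classifier plugs in; keeping it as a parameter lets the policy logic be tested with a fixed table, as the test below does, while the production lookup may block for up to the 20s delay mentioned earlier in this note.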
This command is used to clear all “ssli webclassify url intercept” configurations of the
specified virtual host.
show ssli webclassify settings <virtual_host_name>
This command is used to display the enabling status of the URL classification function, the
configurations of bypass or interception URL categories, and the configuration of the “ssli
webclassify defaction” command on the specified virtual host of the SSL interception
module.
show statistics ssli webclassify <virtual_host_name>
This command is used to display the statistics related to the URL classification function on
the specified virtual host of the SSL interception module, including the hit counts of URL
categories and record information about local database, cache and online lookups.
clear statistics ssli webclassify
This command is used to clear the statistics related to the website classification function on
the specified virtual host of the SSL interception module, including the hit counts of URL
categories and record information about local database, cache and online lookups as well as
the matching statistics of the “ssli webclassify defaction” command.
For more details about website classification configuration guidelines for the SSL
interception module, please refer to ArrayOS APV 8.6.1 CLI Handbook, User Guide
and Deployment Guide for SSL Interception and Security Device Load Balancing.
source_ip Optional. This parameter specifies the source IP address used to ping
the gateway. Both IPv4 and IPv6 addresses are supported.
The default value is empty.
WebUI
Reconstructing the statistics storage mechanism for WebUI graphs (ID: 72187)
Previously, the system supported the display of a maximum of 1000 total statistics in
WebUI, including System Status and Server Load Balance statistics. In scenarios
where a large number of virtual services and real services were configured, the total
number of statistics would exceed the limit and thus some of them could not be
displayed.
Now, the statistics storage mechanism is reconstructed. With the reconstruction, the
following changes have been implemented:
1. The restriction on the number of statistics that can be displayed is removed.
2. The preservation time of statistics is changed from a fixed 2-year period to a
mechanism based on the available hard disk space. When the available hard disk
space is less than 1 GB or the total size of the storage files reaches 50% of the hard
disk space, the system deletes the oldest statistics storage file. If no old statistics
storage file exists, the system still allows the creation of new storage files.
Note: Because the statistics mechanism has been reconstructed, an upgrade from an
earlier version to ArrayOS APV 8.6.1.40 or later will clear all statistics that were
collected before the upgrade. Administrators can use the data export function to back
them up before an upgrade.
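The disk-space-based retention rule from item 2, carried through as an added example (illustrative code for this release note, not ArrayOS code). The two thresholds, below 1 GB free or storage files occupying 50% of the disk, and the oldest-file-first deletion come from the note; that sizes are in bytes, that files are deleted one at a time with the conditions re-checked after each, and the file record layout are assumptions for the example.

```python
"""Retention rule for WebUI statistics storage files.

Added example, not ArrayOS code.  Thresholds (free space < 1 GB, or statistics
files at 50% of the disk) and oldest-first deletion come from the release
note; byte units, one-file-at-a-time re-checking and the record fields are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

GIB = 1024 ** 3
MIN_FREE_BYTES = 1 * GIB       # "available hard disk space is less than 1 GB"
MAX_STORE_FRACTION = 0.5       # "storage files reach 50% of the hard disk space"


@dataclass
class StatsFile:
    name: str
    created: int    # constructed ordering key, e.g. epoch seconds
    size: int       # bytes


def needs_pruning(disk_total: int, disk_free: int, files: List[StatsFile]) -> bool:
    """True when either retention threshold is crossed."""
    used_by_stats = sum(f.size for f in files)
    return disk_free < MIN_FREE_BYTES or used_by_stats >= MAX_STORE_FRACTION * disk_total


def prune(disk_total: int, disk_free: int,
          files: List[StatsFile]) -> Tuple[List[StatsFile], List[str], int]:
    """Delete oldest files until neither threshold is crossed.

    Returns (kept_files, deleted_names, disk_free_after).  When no file is
    left, pruning stops; per the note a new storage file may still be created.
    """
    kept = sorted(files, key=lambda f: f.created)   # oldest first
    deleted: List[str] = []
    while kept and needs_pruning(disk_total, disk_free, kept):
        oldest = kept.pop(0)
        disk_free += oldest.size      # freed space is available again
        deleted.append(oldest.name)
    return kept, deleted, disk_free
```

Re-checking after every deletion matters for the operational consequence the note warns about: the rule removes only as much history as the thresholds demand, so on a disk that is short of space for reasons unrelated to statistics the oldest graphs disappear one file at a time rather than all at once.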
General System/Tools
Supporting static SNMP OID settings for virtual services and real services (ID: 67913&74308)
Previously, when the system had a virtual service added or deleted, the SNMP OIDs
of existing virtual services might change. Real services had the same issue as the
virtual services. Now, the system supports definition of static SNMP OIDs for virtual
services and real services. The static SNMP OID consists of a predefined SNMP
OID prefix and an OID index (in the range of 4000 to 7999).
The static SNMP OID will not change once it is configured, and it has a higher
priority than the auto-generated dynamic SNMP OID. If the static SNMP OID of a
virtual service or real service is not configured or is deleted, the system will use the
dynamic SNMP OID.
To support this enhancement, the following commands are added:
slb snmp oid virtual <virtual_service> <index>
This command is used to configure a static SNMP OID for the specified virtual service.
no slb snmp oid virtual <virtual_service>
This command is used to delete the static SNMP OID of the specified virtual service.
show slb snmp oid virtual [virtual_service]
This command is used to display the static SNMP OID of the specified virtual service.
clear slb snmp oid virtual
This command is used to clear the static SNMP OIDs of all the virtual services.
slb snmp oid real <real_service> <index>
This command is used to configure a static SNMP OID for the specified real service.
no slb snmp oid real <real_service>
This command is used to delete the static SNMP OID of the specified real service.
show slb snmp oid real [real_service]
This command is used to display the static SNMP OID of the specified real service.
clear slb snmp oid real
This command is used to clear the static SNMP OIDs of all the real services.
Supporting new license policy for vAPV running on AVX series (ID: 74928)
Beginning with ArrayOS APV 8.6.1.40, a vAPV running on the AVX Series network
function platform can only obtain a license from the AVX appliance. It is not allowed
to import a license for the vAPV by running the “system license” command.
RESOLVED ISSUES
SSL Interception
Decryption failed after the activated certificate was changed for an SSL
interception virtual host (ID: 74203)
Previously, the system allowed changing the activated certificate of an SSL
interception virtual host without first disabling the virtual host. This would cause an
internal processing error and lead to SSL decryption failures. Now, the system
disallows the change of an SSL interception virtual host’s certificate when the virtual
host is in activated state. Administrators need to stop the virtual host first using the
“ssl stop” command.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
General System/Tools
SSH vulnerability (ID: 72130)
Previously, Cipher Block Chaining (CBC) mode ciphers were allowed for SSH
connections to the APV appliance. This mode has a security risk that allows an
attacker to recover the plaintext message from the ciphertext. Now, the CBC mode
ciphers are disabled to improve the SSH access security.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
CLI printed error messages during startup and then the system rebooted
automatically (ID: 74049)
During startup, the system printed “Fatal trap 19” error messages in the CLI and then
rebooted automatically. During the reboot, no errors were reported. This issue was
triggered by a timeout of data writing to the serial port. There was a very low
probability that the timeout event would occur and trigger this issue. It has now been
resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
Lots of health check failure logs were recorded with execution of “show tech”
(ID: 73690)
When an administrator executed the “show tech” command via an SSH connection,
the system recorded a lot of logs that indicated real service health check failures.
This issue was caused by the TCP Segment Offload (TSO) capacity limitation of the
adapter driver and it occurred only when the system used a specific type of adapter
driver to transfer SSH traffic. It has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
internal logic error during processing of IP fragments over UDP connections. It has
now been resolved.
Affected releases: ArrayOS APV 8.6.1.27 to ArrayOS APV 8.6.1.37
WebUI
An error was displayed when a real service name was clicked (ID: 72363)
In SLB > Real Service or Virtual Service, when the administrator clicked a real
service name or virtual service name that contained the slash (“/”) character, a “500 -
Internal server error” page was displayed. This issue has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
Could not access the WebUI as expected after a system reboot (ID: 73306)
With correct “webui source” command configurations, two administrator accounts
could successfully connect to the WebUI. However, after a system reboot, one of the
administrator accounts would not be able to access the WebUI. This issue occurred
only when more than one administrator account attempted to connect to the WebUI
simultaneously after a system reboot. It has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
Legacy WebUI
A user with only the Enable level privilege could access the Config mode on the
legacy WebUI (ID: 72085)
On the legacy WebUI, an administrator with only the Enable level privilege could
switch to the Config mode and perform SLB, SSL and other configurations. This issue
was caused by an internal logic error. It has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
KNOWN LIMITATIONS