
ArrayOS APV 8.6.1.40 Release Note


Release Date: February 1, 2018

Introduction
This release note summarizes the new features, general enhancements, resolved issues and
known limitations for ArrayOS APV 8.6.1.40.

Contacting Customer Support


To contact Array Networks Customer Support, please call 1-877-992-7729 or email the team
at support@arraynetworks.com.

Additional Information:

Array Networks, Inc.


1371 McCarthy Blvd.
Milpitas, CA 95035
Phone: (408)240-8700
Toll Free: 1-866-692-7729 (1-866-MY-ARRAY)
Fax: (408)240-8753

Telephone access to Array Networks is available Monday - Friday, 9 A.M. to 5 P.M. PST.

©2018 Array Networks, Inc. All Rights Reserved. 1


Table of Contents
WHAT’S NEW
    Website Classification
    SPAN Port
ENHANCEMENTS
    Secure Sockets Layer (SSL)
    SSL Interception
    High Availability (HA)
    WebUI
    General System/Tools
RESOLVED ISSUES
    Secure Sockets Layer (SSL)
    SSL Interception
    Global Server Load Balance (GSLB)
    High Availability (HA)
    General System/Tools
    WebUI
    Legacy WebUI
KNOWN LIMITATIONS

WHAT’S NEW

Website Classification
Website classification is a dynamic website category recognition function that the
APV appliance provides by subscribing to Webroot BrightCloud’s website
classification service. This function allows the APV appliance to look up the
category of a website via the local cache, local database and online connection to the
Webroot BrightCloud server. Currently, the website classification function applies
only to the SSL interception feature. Administrators can configure the system’s
processing modes (intercept or bypass) for traffic accessing specific website
categories (for example Adult, Job Search, Games, Illegal, etc). More information on
configuring the APV processing modes is included in the section “Supporting
intelligent URL filtering via the website classification function”.
The website classification function is supported on APV 1600v5, APV 2600v5, APV
3600v5, APV 3650, APV 6600, APV 7600, APV 11600 and vAPV running ArrayOS
APV 8.6.1.40 and later versions. To enable the website classification function on
these APV models, administrators need to import a license into the system. This
function supports two types of licenses:
• Trial license: 30-day free trial
• Formal (production) license: 365-day validity period
After the license expires, the website classification function will be unavailable. The
Webroot server will deny the APV appliance’s access and the APV appliance will
stop sending website category lookup queries to the server. To obtain a license,
please contact Array Networks Customer Support and provide the device model and
serial number.
To support this new feature, the following commands are added:
webclassify license <license_key>
This command is used to import a license key for the website classification function. This
license allows the system to use the website classification function provided by Webroot
BrightCloud Threat Intelligence Service.
show webclassify license
This command is used to display information about the website classification function
license, including OEM, device ID, serial number, license type (trial license or production
license) as well as the issue information and expiration time of the license.
webclassify {on|off}
This command is used to enable or disable the global website classification function. By
default, this function is disabled.
webclassify cloud {on|off}
This command is used to enable or disable the online website classification lookup function.
This function can be enabled only after the global website classification function
(“webclassify on”) is enabled. By default, online website classification lookup is disabled.
When this function is disabled, the system performs only local lookups. After this function
is enabled, the system connects to the Webroot BrightCloud service for an online lookup
whenever the local lookup fails, and stores the result in the local cache for future use.
show webclassify settings
This command is used to display the configurations of the global website classification and
online website classification lookup functions.
show webclassify status
This command is used to display all configurations related to website classification
functions, such as the domain name of the Webroot server, the license status, the enabling
status of the online website classification lookup function, and the database version.
show webclassify url categories
This command is used to display all website categories that the system can look up.
show webclassify url category <website_name>
This command is used to show the category of the specified website. If the system can
obtain the category of the website from the local cache or database, it displays the result
quickly. If neither the local cache nor the database has category information for the
website, the system must query the Webroot server online and there is a slight delay in
returning the result. The maximum delay is 20 seconds.

SPAN Port
Beginning with ArrayOS APV 8.6.1.40, the system supports the SPAN Port feature.
This feature captures packets on a source port and sends the captured packets to a
destination port. The destination port can be connected to a security device, so that
the captured traffic is delivered to that device for troubleshooting, debugging and
traffic analysis. For load balancing or other purposes, SPAN Port can also deliver the
captured traffic to multiple security devices of the same type or of different types.
• When the security devices are of the same type, the system can either load balance
the captured traffic across them or duplicate the captured packets to each of them.
• When the security devices are of different types, for example an IDS and a
firewall, the captured packets are duplicated and sent to each of them.
SPAN Port uses filter lists to define the source IPs, source ports, destination IPs
and destination ports of the traffic to be captured. A filter list can also restrict
capture to packets flowing in the inbound direction, the outbound direction or both
(bidirectional), and to the transport protocol (TCP, UDP or both) of the traffic to be
captured.
The SPAN Port feature plays an important role in SSL interception deployments.
With SPAN Port deployed in an SSL interception implementation, the security device
used to inspect traffic can be deployed in bypass mode: traffic on the ingress node is
transferred transparently to the egress node without passing through the security
device, while the security device still receives a copy of the decrypted SSL traffic
for analysis. Because that copy is cleartext, the destination port and the device
attached to it must be protected to the same standard as the interception appliance
itself. In addition, SPAN Port enables an APV appliance working in Layer 2 mode to
send the captured traffic to multiple security devices in a load balancing manner,
whereas in the previous implementation a Layer 2 APV appliance could cooperate with
only one security device set up in inline mode.
To support this new feature, the following commands are added:
spanport filterlist name <filterlist_name>
This command is used to configure a filter list. The system supports a maximum of eight
filter lists.
no spanport filterlist name <filterlist_name>
This command is used to delete the specified filter list.
spanport filterlist member <filterlist_name> <interface_name> <src_ip> <src_port>
<dst_ip> <dst_port> <protocol> [direction]
This command is used to add a filter rule to the specified filter list. The system will filter out
the packets to be copied based on the filter rule. A maximum of eight filter rules can be
added to a filter list. It is suggested that the filter rules should not have duplicate matching
conditions. If a packet matches multiple filter rules at the same time, the system will select
only one of them.
no spanport filterlist member <filterlist_name > <interface_name> <src_ip>
<src_port> <dst_ip> <dst_port> <protocol> <direction>
This command is used to delete a filter rule from the specified filter list.
show spanport filterlist [filterlist_name]
This command is used to display the specified filter list and its filter rules.
clear spanport filterlist [filterlist_name]
This command is used to clear the specified filter list and its filter rules.
spanport devicegroup name <group_name> <group_method>
This command is used to configure the security device group to which the copied packets
are destined and set the method that the system uses to send the copied packets to the group.
no spanport devicegroup name <group_name>
This command is used to delete the specified security device group.
spanport devicegroup member <group_name> <interface_name> <mac> [sort_string]
This command is used to add a security device as a member to the specified security device
group.
no spanport devicegroup member <group_name> <interface_name> <mac>
This command is used to delete a member from the specified security device group.
show spanport devicegroup [group_name]
This command is used to display the specified security device group and its members.
clear spanport devicegroup [group_name]
This command is used to clear the specified security device group and its members.
spanport policy <policy_name> <filterlist_name> <group_name>
This command is used to configure a SPAN port policy to associate the specified filter list
with the specified security device group.
no spanport policy <policy_name>
This command is used to delete the specified SPAN port policy.
show spanport policy [policy_name]
This command is used to display the specified SPAN port policy.
clear spanport policy
This command is used to clear all SPAN port policies.
clear spanport config
This command is used to clear all SPAN port configurations.
show statistics spanport
This command is used to display SPAN port statistics.
clear statistics spanport
This command is used to clear SPAN port statistics.
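
The following Python model is an added example written for this release note, not
ArrayOS code. It mirrors the SPAN Port objects described above (filter lists of up to
eight rules, security device groups, and policies tying a list to a group) and the two
delivery methods: duplicating every copy to each member, or load balancing copies
across members of the same type. The group method names duplicate and loadbalance,
the symmetric flow hash used for load balancing, the Packet and FilterRule fields, and
the sample addresses and MACs are this example's own assumptions; the release note
does not specify how ArrayOS distributes load-balanced copies.

```python
"""Model of SPAN Port policy evaluation as the release note describes it: a
filter list selects the packets to copy, a policy ties the list to a security
device group, and the group either duplicates each copy to every member or
load balances copies across members.  Added example, not ArrayOS code."""
import hashlib
import ipaddress
from dataclasses import dataclass

MAX_FILTER_LISTS = 8        # limits stated in the release note
MAX_RULES_PER_LIST = 8


@dataclass(frozen=True)
class Packet:
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str            # "tcp" or "udp"
    direction: str           # "inbound" or "outbound"


@dataclass(frozen=True)
class FilterRule:
    interface: str
    src_ip: str              # address, CIDR prefix or "any"
    src_port: int            # 0 = any port
    dst_ip: str
    dst_port: int
    protocol: str            # "tcp", "udp" or "both"
    direction: str = "both"  # "inbound", "outbound" or "both"

    @staticmethod
    def _ip_ok(spec, addr):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, p):
        return (self.interface == p.interface
                and self._ip_ok(self.src_ip, p.src_ip) and self.src_port in (0, p.src_port)
                and self._ip_ok(self.dst_ip, p.dst_ip) and self.dst_port in (0, p.dst_port)
                and self.protocol in ("both", p.protocol)
                and self.direction in ("both", p.direction))


@dataclass(frozen=True)
class Device:
    interface: str
    mac: str


class DeviceGroup:
    """Security devices of one type plus the delivery method for copies."""

    def __init__(self, name, method):
        if method not in ("duplicate", "loadbalance"):   # method names are assumed
            raise ValueError("unknown group method")
        self.name, self.method, self.members = name, method, []

    def targets(self, p):
        if self.method == "duplicate" or len(self.members) == 1:
            return list(self.members)
        # Symmetric flow hash (this example's choice): both directions of a
        # connection reach the same sensor, which a stateful IDS needs.
        key = "|".join(sorted([f"{p.src_ip}:{p.src_port}", f"{p.dst_ip}:{p.dst_port}"]) + [p.protocol])
        h = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
        return [self.members[h % len(self.members)]]


class SpanPort:
    def __init__(self):
        self.filterlists, self.groups, self.policies = {}, {}, {}

    def filterlist(self, name, rules):
        if len(self.filterlists) >= MAX_FILTER_LISTS or len(rules) > MAX_RULES_PER_LIST:
            raise ValueError("filter list limit exceeded")
        self.filterlists[name] = list(rules)

    def devicegroup(self, name, method, members):
        group = DeviceGroup(name, method)
        group.members.extend(members)
        self.groups[name] = group

    def policy(self, name, filterlist, group):
        self.policies[name] = (self.filterlists[filterlist], self.groups[group])

    def span(self, p):
        """Devices that receive a copy of p.  A list matches if any rule does; the
        note says only one matching rule is selected, and the outcome here is the
        same whichever rule that is."""
        out = []
        for rules, group in self.policies.values():
            if any(r.matches(p) for r in rules):
                out.extend(group.targets(p))
        return out


def build_example():
    """Constructed sample: copy HTTPS to and from 10.0.0.0/24 on port1, load
    balanced across two IDS sensors and duplicated to a firewall (second type)."""
    sp = SpanPort()
    sp.filterlist("https_flows", [
        FilterRule("port1", "any", 0, "10.0.0.0/24", 443, "tcp"),   # client -> server
        FilterRule("port1", "10.0.0.0/24", 443, "any", 0, "tcp"),   # server -> client
    ])
    sp.devicegroup("ids_pair", "loadbalance",
                   [Device("port2", "00:00:5e:00:53:01"), Device("port2", "00:00:5e:00:53:02")])
    sp.devicegroup("fw", "duplicate", [Device("port3", "00:00:5e:00:53:ff")])
    sp.policy("p_ids", "https_flows", "ids_pair")
    sp.policy("p_fw", "https_flows", "fw")
    return sp
```

Calling span() on the forward and reverse packets of one HTTPS connection from
build_example() shows both copies landing on the same IDS sensor and, because the
firewall is a second device type, a duplicate going to the firewall as well; a UDP
packet, or a packet on an interface no rule names, produces no copy. Note that a rule
is evaluated against the tuple as written, so the reply direction of a flow needs its
own rule.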
For guidelines in deploying SPAN port in an SSL interception implementation,
please refer to the Deployment Guide for SSL Interception and Security Device Load
Balancing.

ENHANCEMENTS

Secure Sockets Layer (SSL)


Increasing the number of supported client certificate filters (ID: 74546)
Previously, the system supported a maximum of three client certificate filters
(configured by the “ssl settings certfilter” command) for a virtual host. Now, the
maximum number of client certificate filters that can be configured increases to 1024.

SSL Interception
Redesign of SSL interception whitelist (ID: 72251)
Previously, the SSL interception module supported definition of SSL interception
whitelists to bypass decryption of SSL traffic that is destined to specific domain
names. To allow more flexible configuration options, the SSL interception whitelist
function has now been reconstructed and renamed as the domain list function. This
function can be enabled or disabled by the “ssli domainlist {on|off}” command.
When it is disabled, the system intercepts all SSL traffic by default. When it is
enabled, the domain list function employs two types of domain lists to define
whether SSL traffic needs to be intercepted.
• Bypass domain list: SSL traffic that accesses domain names contained in this
domain list is allowed to pass through in encrypted format without being
inspected by a security device.
• Interception domain list: traffic that accesses domain names contained in this
domain list will be decrypted and then sent for inspection by a security device
before passing through.
Administrators can apply bypass or interception domain lists to an SSL interception
virtual host. Bypass domain lists and interception domain lists are mutually exclusive:
they cannot be configured on the same virtual host simultaneously, and typically only
one or the other is used, depending on the administrator’s preference. When a client’s
SNI or the server certificate’s Common Name or Subject Alternative Name (SAN)
matches a bypass domain list, the virtual host allows the SSL traffic to pass through
without being decrypted. When a client’s SNI or the server certificate’s Common
Name or SAN matches an interception domain list, the virtual host intercepts and
decrypts the SSL traffic. Note that the SNI is supplied by the client, so a bypass
decision that rests on the SNI alone trusts a client-controlled value; the server
certificate’s Common Name and SAN are the server-side evidence of which site is
actually being reached.
The domain list function also supports applying a single bypass or interception
domain string directly to a virtual host. For example, when only SSL traffic
accessing one specific domain name needs to be intercepted, that domain string can
be applied to the virtual host as an interception domain string; it is not necessary to
add the domain string to an interception domain list and then apply the list to the
virtual host.
To support this enhancement, the following commands are deleted:
ssli whitelist {on|off}
show ssli whitelist status
ssli whitelist list <list_name>
no ssli whitelist list <list_name>
show ssli whitelist list
clear ssli whitelist list
ssli whitelist item <list_name> <sni_regex>
no ssli whitelist item <list_name> <sni_regex>
show ssli whitelist item <list_name>
clear ssli whitelist item <list_name>
ssli whitelist apply list <virtual_host_name><list_name>
no ssli whitelist apply list <virtual_host_name> <list_name>
ssli whitelist apply item <virtual_host_name> <sni_regex>
no ssli whitelist apply item <virtual_host_name><sni_regex>
show ssli whitelist apply <virtual_host_name> [type]
clear whitelist apply <virtual_host_name> [type]
show statistics ssli whitelist [virtual_host_name]
clear statistics ssli whitelist [virtual_host_name]
show ssli whitelist match <virtual_host_name> <domain_name>
To support this enhancement, the following commands are added:
ssli domainlist {on|off}
This command is used to enable or disable the domain interception control function. By
default, this function is disabled.
show ssli domainlist status
This command is used to display the enabled/disabled status of the domain interception
control function.
ssli domainlist list <list_name> <list_type>
This command is used to create a domain list. The system supports a maximum of 256
domain lists.
no ssli domainlist list <list_name>
This command is used to delete the specified domain list and all domain strings contained in
it.
show ssli domainlist list [list_type]
This command is used to display all configured domain lists of the specified type.
clear ssli domainlist list [list_type]
This command is used to clear all domain lists (or all domain lists of the specified type)
and the domain strings contained in them.
ssli domainlist item <list_name> <sni_regex>
This command is used to add a domain string to the specified domain list.
no ssli domainlist item <list_name> <sni_regex>
This command is used to remove the specified domain string from the specified domain list.
show ssli domainlist item <list_name>
This command is used to display all domain strings contained in the specified domain list.
clear ssli domainlist item <list_name>
This command is used to remove all domain strings from the specified domain list.
ssli domainlist apply list <virtual_host_name><list_name>
This command is used to apply a domain list to the specified virtual host. A maximum of
256 domain lists can be applied to each virtual host.
no ssli domainlist apply list <virtual_host_name> <list_name>
This command is used to cancel the application of the specified domain list to the specified
virtual host.
ssli domainlist apply item <virtual_host_name> <sni_regex> <item_type>
This command is used to apply a bypass or an interception domain string to the specified
virtual host.
no ssli domainlist apply item <virtual_host_name><sni_regex>
This command is used to cancel the application of the domain string to the specified virtual
host.
show ssli domainlist apply <virtual_host_name> [type]
This command is used to display all domain strings and (or) domain lists applied to the
specified virtual host.
clear domainlist apply <virtual_host_name> [type]
This command is used to cancel the application of domain strings and (or) domain lists to
the specified virtual host.
show statistics ssli domainlist [virtual_host_name]
This command is used to display the domain list matching statistics on the specified virtual
host.
clear statistics ssli domainlist [virtual_host_name]
This command is used to clear the domain list matching statistics on the specified virtual
host.
show ssli domainlist match <virtual_host_name> <domain_name>
This command is used to check whether the specified domain name matches any domain
string or domain list applied to the specified virtual host.

Supporting intelligent URL filtering via the website classification function (ID: 71213&71675&73978)
With the redesign of SSL interception whitelists, the SSL interception module
supports manual configurations of interception domain lists to define SSL traffic to
be intercepted. Administrators can also manually add bypass domain lists to define
SSL traffic to be bypassed. The manual method applies if clients access only a few
types of websites and the manual configuration workload is light.
If the application scenario accommodates access to a wide variety of websites, traffic
filtering using manual domain list configurations becomes a heavy workload. In
addition, internet resources are diverse, and accesses to some websites may be
unnecessarily intercepted. In this case, it is recommended to purchase and configure
the website classification function for the SSL interception module to achieve
intelligent URL filtering. Via Webroot website classification, the system supports
recognition of 82 website categories. For an overview of these categories, please
refer to: http://www.brightcloud.com/tools/change-request-url-categorization.php.
URL Filtering Policy
The website classification function supports definition of either of the following
filtering policies to distinguish SSL processing modes.
• Interception policy: all traffic accessing websites belonging to the configured
website categories will be decrypted and then sent to security devices for
inspection. Traffic accessing website categories that are not defined by the
policy will be forwarded transparently.
• Bypass policy: all traffic accessing websites belonging to the configured website
categories will be transparently forwarded without being decrypted and
inspected by security devices. Traffic accessing website categories that are not
defined by the policy will be intercepted and decrypted.
On the same virtual host, interception policies and bypass policies cannot be
configured simultaneously.
When both domain lists and filtering policies are configured for an SSL interception
virtual host, it processes the traffic according to the following principles:
• It first matches the domain lists configured by the domain list function.
– If a matching entry is found, it processes the request or response based on
the control type (interception or bypass) of the domain list.
– If no matching entry is found in the domain lists, it looks up the website’s
category using the website classification function.
• When determining the website category via the website classification function,
the virtual host first searches the local cache and database.
– If the local cache or database has category information for the website, the
virtual host processes the request or response based on the control type
(interception or bypass) of the filtering policy.
– If no category information is available in the local cache or database, the
system connects to the Webroot server (if online lookup is enabled) to query
the website category and then saves the acquired category information to the
local cache.
– If the Webroot server cannot recognize the website category, the system
intercepts the request or response by default; the administrator can change
this default with the “ssli webclassify defaction” command described below.
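
The following Python model is an added example, not ArrayOS code. It serves both
the domain list redesign above and the processing order just described: applied
domain lists and domain strings are consulted first, then the website classification
lookup (cache, local database, online service if enabled), and finally the default
action for a site whose category cannot be recognized. The class and function names,
the whole-string regex matching, the in-memory dictionaries standing in for the local
database and the Webroot service, and the sample hostnames and the "News" category are
this example's own; only Adult, Job Search, Games and Illegal are category names the
note itself mentions.

```python
"""Decision order of an SSL interception virtual host as the release note
describes it: domain lists and domain strings first, then the website
classification policy (cache and local database before the online lookup),
then the default action for a site whose category is unknown.
Added example, not ArrayOS code; names and sample data are this example's."""
import re

INTERCEPT, BYPASS = "intercept", "bypass"
MAX_LISTS_PER_VHOST = 256        # limit stated in the release note


class DomainList:
    """A named bypass or interception list of domain regexes."""

    def __init__(self, name, list_type, patterns=()):
        if list_type not in (INTERCEPT, BYPASS):
            raise ValueError("list_type must be intercept or bypass")
        self.name, self.list_type = name, list_type
        # Whole-string matching is this example's assumption: an unanchored
        # search would let "bank.example.evil.test" satisfy r"bank\.example".
        self.patterns = [re.compile(p) for p in patterns]

    def matches(self, hostname):
        return any(p.fullmatch(hostname) for p in self.patterns)


class Classifier:
    """Category lookup: cache, then local database, then the online service
    (a dict stands in for Webroot BrightCloud) when cloud lookup is enabled."""

    def __init__(self, local_db, online_db=None, cloud=False):
        self.cache, self.local_db = {}, dict(local_db)
        self.online_db, self.cloud = dict(online_db or {}), cloud
        self.stats = {"cache": 0, "local": 0, "cloud": 0, "miss": 0}

    def lookup(self, hostname):
        for source, table in (("cache", self.cache), ("local", self.local_db)):
            if hostname in table:
                self.stats[source] += 1
                return table[hostname]
        if self.cloud and hostname in self.online_db:
            self.stats["cloud"] += 1
            self.cache[hostname] = self.online_db[hostname]   # online results are cached
            return self.cache[hostname]
        self.stats["miss"] += 1
        return None


class SsliVirtualHost:
    def __init__(self, name, classifier=None):
        self.name, self.classifier = name, classifier
        self.lists, self.items = [], []          # applied lists and (regex, type) strings
        self.policy_type, self.categories = None, set()
        self.defaction = INTERCEPT               # unrecognised category: intercept by default
        self.webclassify = False

    def _configured_types(self):
        return {dl.list_type for dl in self.lists} | {t for _, t in self.items}

    def _check_exclusive(self, new_type):
        types = self._configured_types()
        if types and new_type not in types:
            raise ValueError("bypass and interception lists are mutually exclusive")

    def apply_list(self, dl):
        self._check_exclusive(dl.list_type)
        if len(self.lists) >= MAX_LISTS_PER_VHOST:
            raise ValueError("too many domain lists on this virtual host")
        self.lists.append(dl)

    def apply_item(self, regex, item_type):
        self._check_exclusive(item_type)
        self.items.append((re.compile(regex), item_type))

    def set_policy(self, policy_type, categories):
        self.policy_type, self.categories = policy_type, set(categories)

    def decide(self, sni=None, cert_names=()):
        """Return (action, reason) for one connection from the SNI and cert CN/SAN."""
        names = [n for n in (sni, *cert_names) if n]
        for n in names:                                   # 1. domain lists win
            for dl in self.lists:
                if dl.matches(n):
                    return dl.list_type, f"domainlist:{dl.name}"
            for pat, item_type in self.items:
                if pat.fullmatch(n):
                    return item_type, f"domainitem:{pat.pattern}"
        if not (self.webclassify and self.classifier and names):
            # The note states the "opposite action for unmatched traffic" rule for
            # category policies; extending it to domain lists is an assumption.
            return (BYPASS if self._configured_types() == {INTERCEPT} else INTERCEPT), "no-match"
        category = self.classifier.lookup(names[0])       # 2. classification lookup
        if category is None:                              # 3. unknown -> default action
            return self.defaction, "unclassified:defaction"
        listed = category in self.categories
        if self.policy_type == INTERCEPT:
            return (INTERCEPT if listed else BYPASS), f"category:{category}"
        if self.policy_type == BYPASS:
            return (BYPASS if listed else INTERCEPT), f"category:{category}"
        return INTERCEPT, f"category:{category}:no-policy"


def build_example():
    """Constructed sample: bypass an internal bank by domain list, intercept the
    categories the note names, classify everything else (online lookup enabled)."""
    clf = Classifier(local_db={"games.example.test": "Games"},
                     online_db={"news.example.test": "News"}, cloud=True)
    vh = SsliVirtualHost("ssli_vh", classifier=clf)
    vh.webclassify = True
    vh.apply_list(DomainList("internal_bypass", BYPASS, [r"(.*\.)?bank\.example"]))
    vh.set_policy(INTERCEPT, {"Adult", "Job Search", "Games", "Illegal"})
    return vh
```

Two results from build_example() are worth noting. The first online lookup for
news.example.test counts against the cloud statistic and a repeat of the same name
is served from the cache, which is what the note describes for cached results. And
because the bypass pattern is matched against the whole hostname, a lookalike such as
bank.example.evil.test does not qualify for the internal bypass; it falls through to
classification and, having no known category, is intercepted under the default action.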
Website Classification Function License
To use the website classification function for the SSL interception module to
implement intelligent URL filtering, the system must be installed with a website
classification license. Without a valid license, the website classification function
cannot be enabled. The Webroot server will deny the APV appliance’s access and the
APV appliance will stop sending website category lookup queries to the server.
To support this enhancement, the following commands are added:
ssli webclassify {on|off} <virtual_host_name>
This command is used to enable the website classification function for the specified virtual
host of the SSL interception module to implement intelligent URL filtering. This function
can be enabled only after the global website classification function is enabled (“webclassify
on”). To enable this function, a valid website classification function license must be
imported.
ssli webclassify defaction <virtual_host_name> <action>
This command is used to configure the specified virtual host to bypass traffic that accesses a
website whose category cannot be recognized. If this command is not configured, the
system will intercept such traffic by default.
ssli webclassify url bypass <virtual_host_name> <category_name>
This command is used to define a bypass website category for the specified virtual host, that
is, the virtual host will not intercept traffic that accesses a website belonging to this URL
category.
no ssli webclassify url bypass <virtual_host_name> <category_name>
This command is used to delete an “ssli webclassify url bypass” configuration of the
specified virtual host.
clear ssli webclassify url bypass <virtual_host_name>
This command is used to clear all “ssli webclassify url bypass” configurations of the
specified virtual host.
ssli webclassify url intercept <virtual_host_name> <category_name>
This command is used to define an interception website category for the specified virtual
host, that is, the virtual host will intercept all traffic that accesses a website belonging to this
URL category.
no ssli webclassify url intercept <virtual_host_name> <category_name>
This command is used to delete an “ssli webclassify url intercept” configuration of the
specified virtual host.
clear ssli webclassify url intercept <virtual_host_name>
This command is used to clear all “ssli webclassify url intercept” configurations of the
specified virtual host.
show ssli webclassify settings <virtual_host_name>
This command is used to display the enabling status of the URL classification function, the
configurations of bypass or interception URL categories, and the configuration of the “ssli
webclassify defaction” command on the specified virtual host of the SSL interception
module.
show statistics ssli webclassify <virtual_host_name>
This command is used to display the statistics related to the URL classification function on
the specified virtual host of the SSL interception module, including the hit counts of URL
categories and record information about local database, cache and online lookups.
clear statistics ssli webclassify
This command is used to clear the statistics related to the website classification function on
the specified virtual host of the SSL interception module, including the hit counts of URL
categories and record information about local database, cache and online lookups as well as
the matching statistics of the “ssli webclassify defaction” command.
For more details about website classification configuration guidelines for the SSL
interception module, please refer to ArrayOS APV 8.6.1 CLI Handbook, User Guide
and Deployment Guide for SSL Interception and Security Device Load Balancing.

Supporting Dynamic Port Interception (ID: 73490)


Beginning with ArrayOS APV 8.6.1.40, the system supports the Dynamic Port
Interception (DPI) feature for SSL interception. With DPI, the APV appliance can
intercept all SSL traffic, no matter whether the SSL traffic is bound for the default
443 port of HTTPS or another port.
For configuration examples of DPI, please refer to Deployment Guide for SSL
Interception and Security Device Load Balancing.

High Availability (HA)


Supporting a user-defined source IP for gateway health check conditions (ID: 73968)
With a gateway health check condition configured, the system pings the gateway to
check gateway connectivity. Previously, the system used the IP address of a system
interface as the source IP address of the ICMP echo requests. In some deployments,
however, the router on the external network could not send ICMP echo responses back
to that system interface, and the health check result was unnecessarily set to Down.
To allow the source IP address used in the gateway health check condition to be
defined by the administrator, the “monitor network gateway” command now supports an
optional parameter “source_ip”. When this parameter is not specified, the system still
uses an interface’s IP address as the source IP.
Before:
monitor network gateway <unit_name> <gateway_ip> <condition_name> [interval] [up_check_times] [down_check_times]
Now:
monitor network gateway <unit_name> <gateway_ip> <condition_name> [interval] [up_check_times] [down_check_times] [source_ip]

source_ip Optional. This parameter specifies the source IP address used to ping the gateway. Both IPv4 and IPv6 addresses are supported. The default value is empty.

Supporting the check of HA group status on peer units (ID: 74022)
Previously, when the health check result was Down on the local HA unit, the unit
checked the HA group status on all peer units; if the HA groups on all peer units were
also Down, the local unit stayed in the active status instead of switching to Down.
Now, the “ha checkpeer {on|off}” command enables or disables this peer unit HA group
status check. In the situation above, with “ha checkpeer on” configured the local unit
stays in the active status as before; with “ha checkpeer off” configured the local unit
does not check the HA group status on peer units and switches directly to Down.
To support this enhancement, the following commands are added:
ha checkpeer {on|off}
This command is used to enable or disable the peer unit HA group status check function.
After this function is enabled, when the health check result is Down on the active HA unit, it
will check HA group status on the peer HA unit. If the HA group on the peer HA unit is also
Down, it will stay in the active status instead of switching to Down.
After this function is disabled, when the health check result is Down on the active HA unit,
it does not check the HA group status on the peer HA unit but switches directly to Down.
By default, this function is enabled. The function status can be displayed by the “show ha
config” command.
clear ha checkpeer
This command is used to restore the peer unit HA group status check function to the default
setting. After this command is executed, this function will be enabled.

WebUI
Reconstructing the statistics storage mechanism for WebUI graphs (ID: 72187)
Previously, WebUI could display a maximum of 1000 statistics in total, including
System Status and Server Load Balance statistics. In scenarios where a large number
of virtual services and real services were configured, the total number of statistics
exceeded this limit and some of them could not be displayed.
Now, the statistics storage mechanism has been reconstructed, with the following
changes:
1. The restriction on the number of statistics that can be displayed is removed.
2. The retention period for statistics is changed from a fixed 2-year period to a
mechanism based on the available hard disk space. When the available hard disk
space is less than 1 GB, or the total size of the storage files reaches 50% of the
hard disk space, the system deletes the oldest statistics storage file. If there is
no older storage file to delete, the system still allows new storage files to be
created.

Note: Because the statistics mechanism has been reconstructed, upgrading from an
earlier version to ArrayOS APV 8.6.1.40 or later clears all statistics collected
before the upgrade. Administrators can use the data export function to back them up
before upgrading.

General System/Tools
Supporting static SNMP OID settings for virtual services and real services (ID: 67913&74308)
Previously, when a virtual service was added to or deleted from the system, the SNMP
OIDs of the existing virtual services might change. Real services had the same issue.
Now, the system supports the definition of static SNMP OIDs for virtual services and
real services. A static SNMP OID consists of a predefined SNMP OID prefix and an
OID index (in the range of 4000 to 7999).
A static SNMP OID does not change once it is configured, and it takes priority over
the auto-generated dynamic SNMP OID. If the static SNMP OID of a virtual service or
real service is not configured or is deleted, the system uses the dynamic SNMP OID.
To support this enhancement, the following commands are added:
slb snmp oid virtual <virtual_service> <index>
This command is used to configure a static SNMP OID for the specified virtual service.
no slb snmp oid virtual <virtual_service>
This command is used to delete the static SNMP OID of the specified virtual service.
show slb snmp oid virtual [virtual_service]
This command is used to display the static SNMP OID of the specified virtual service.
clear slb snmp oid virtual
This command is used to clear the static SNMP OIDs of all the virtual services.
slb snmp oid real <real_service> <index>
This command is used to configure a static SNMP OID for the specified real service.
no slb snmp oid real <real_service>
This command is used to delete the static SNMP OID of the specified real service.
show slb snmp oid real [real_service]
This command is used to display the static SNMP OID of the specified real service.
clear slb snmp oid real
This command is used to clear the static SNMP OIDs of all the real services.
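An added example (not ArrayOS code) of how an operator might plan static OID indexes for a set of services and generate the CLI lines listed above, so that an existing index is never reassigned and monitoring systems keep a stable OID per service. The OID prefix is a placeholder (the predefined prefix is not given in the note), and treating virtual and real services as one shared index pool is an assumption made here to keep indexes unique across both kinds.

```python
"""Added example, not ArrayOS code: plan stable SNMP OID indexes for virtual and
real services and emit the CLI commands from the release note.  The OID prefix
is a placeholder; the predefined prefix is appliance-specific and not in the
note.  Sharing one index pool between virtual and real services is an assumption."""
from typing import Dict, List, Set, Tuple

INDEX_MIN, INDEX_MAX = 4000, 7999          # range given in the release note
OID_PREFIX = "1.3.6.1.4.1.PLACEHOLDER"     # hypothetical; not the real prefix


def validate_index(index: int) -> int:
    if not INDEX_MIN <= index <= INDEX_MAX:
        raise ValueError(f"index {index} is outside {INDEX_MIN}..{INDEX_MAX}")
    return index


def static_oid(index: int) -> str:
    """Static OID = predefined prefix + index, as the note describes."""
    return f"{OID_PREFIX}.{validate_index(index)}"


def plan_static_oids(
    desired: Dict[str, List[str]],
    current: Dict[str, Dict[str, int]],
) -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """desired: {"virtual": [names], "real": [names]} from the intended config.
    current: {"virtual": {name: index}, "real": {name: index}} already on the box.
    Returns the resulting assignment and the CLI lines that move the box there.
    Existing indexes are never changed (that is the point of static OIDs);
    new services take the lowest free index; removed services get a 'no' line."""
    assigned = {k: dict(current.get(k, {})) for k in ("virtual", "real")}
    used: Set[int] = set()
    for table in assigned.values():
        for idx in table.values():
            if validate_index(idx) in used:
                raise ValueError(f"index {idx} is assigned twice in the current config")
            used.add(idx)
    commands: List[str] = []
    next_free = INDEX_MIN
    for kind in ("virtual", "real"):
        for name in desired.get(kind, []):
            if name in assigned[kind]:
                continue                         # keep the existing index
            while next_free in used:
                next_free += 1
            idx = validate_index(next_free)      # raises when the pool is exhausted
            used.add(idx)
            assigned[kind][name] = idx
            commands.append(f"slb snmp oid {kind} {name} {idx}")
        for name in list(assigned[kind]):
            if name not in desired.get(kind, []):
                del assigned[kind][name]
                commands.append(f"no slb snmp oid {kind} {name}")
    return assigned, commands


# Constructed sample: one existing static OID per kind, one new service of each
# kind, and one real service that has been removed from the intended config.
SAMPLE_DESIRED = {"virtual": ["vs_web", "vs_api"], "real": ["rs_app2"]}
SAMPLE_CURRENT = {"virtual": {"vs_web": 4000}, "real": {"rs_app1": 4001}}

if __name__ == "__main__":
    assignment, cli = plan_static_oids(SAMPLE_DESIRED, SAMPLE_CURRENT)
    print("\n".join(cli))
    for kind, table in assignment.items():
        for name, idx in table.items():
            print(kind, name, static_oid(idx))
```

The generated lines can be reviewed and then applied with the commands documented above; the index of a removed service is deliberately left unused so that a later service never inherits an OID a monitoring system still associates with the old one.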

Supporting new license policy for vAPV running on AVX series (ID: 74928)
Beginning with ArrayOS APV 8.6.1.40, a vAPV running on the AVX Series network
function platform can only obtain a license from the AVX appliance. It is not allowed
to import a license for the vAPV by running the “system license” command.


RESOLVED ISSUES

Secure Sockets Layer (SSL)

Could not back up the intermediate CA certificate (ID: 75224)
After importing the server certificate and intermediate certificate for a virtual host,
the administrator executed the “ssl backup certificate” command to back up the
certificates. However, in the backup package downloaded to the local host, the
intermediate certificate was not found. If the virtual host also had the trusted CA
certificate imported, the intermediate CA certificate could be successfully backed up.
This issue was caused by an internal processing error. It has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

SSL Interception
Decryption failed after the activated certificate was changed for an SSL
interception virtual host (ID: 74203)
Previously, the system allowed changing the activated certificate of an SSL
interception virtual host without first disabling the virtual host. This caused an
internal processing error and led to SSL decryption failures. Now, the system
disallows changing an SSL interception virtual host's certificate while the virtual
host is in the activated state. Administrators need to stop the virtual host first using
the "ssl stop" command.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

Global Server Load Balance (GSLB)

System intermittently rebooted (ID: 74577)
This issue was caused by an internal logic error in processing unrecognized query
names in the Additional RRs field of a DNS query. When receiving a DNS query
whose query name in the Additional RRs field was out of order or had format errors,
the system would not respond to it, and there was a small possibility that the system
would reboot automatically. This issue has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
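The defensive side of the issue above, as an added example that is not ArrayOS code: a DNS wire-format parser whose name decoder treats every malformed name in the additional section (truncated label, label running past the packet, compression pointer that jumps forward or out of range) as a format error to be reported and dropped rather than a condition that can crash the process. The query bytes are constructed here; the message with the OPT record in its additional section is the well-formed case.

```python
"""Added example, not ArrayOS code: bounds-checked DNS message parsing that
rejects malformed names in the Additional section instead of faulting."""
import struct
from typing import Dict, List, Tuple


class DnsFormatError(ValueError):
    """Raised for any malformed wire data; the caller drops the packet."""


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at off; return (dotted name, offset after it in the stream).
    Rejects truncation, labels that overrun the message, reserved label types,
    over-long names and compression pointers that do not point backwards (which
    also rules out pointer loops)."""
    labels: List[str] = []
    end = -1          # offset just after the name in the original stream
    total = 0
    while True:
        if off >= len(msg):
            raise DnsFormatError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if ptr >= off:
                raise DnsFormatError("compression pointer does not point backwards")
            if end < 0:
                end = off + 2
            off = ptr
            continue
        if length & 0xC0:
            raise DnsFormatError("reserved label type")
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (end if end >= 0 else off)
        if off + length > len(msg):
            raise DnsFormatError("label overruns message")
        total += length + 1
        if total > 255:
            raise DnsFormatError("name longer than 255 octets")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def read_rr(msg: bytes, off: int) -> Tuple[Dict[str, object], int]:
    name, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise DnsFormatError("truncated RR fixed fields")
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if off + rdlen > len(msg):
        raise DnsFormatError("RDATA overruns message")
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": msg[off:off + rdlen]}
    return rr, off + rdlen


def parse_message(msg: bytes) -> Dict[str, object]:
    if len(msg) < 12:
        raise DnsFormatError("message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    questions: List[Dict[str, object]] = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise DnsFormatError("truncated question")
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    result: Dict[str, object] = {"id": ident, "flags": flags, "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rrs.append(rr)
        result[section] = rrs
    if off != len(msg):
        raise DnsFormatError("trailing bytes after the last section")
    return result


def safe_parse(msg: bytes):
    """What a packet handler should do: never let a format error propagate."""
    try:
        return True, parse_message(msg)
    except DnsFormatError as exc:
        return False, str(exc)


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


# Constructed samples: a query for www.example.com with one additional RR.
HEADER = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
QUESTION = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
OPT_FIXED = struct.pack("!HHIH", 41, 4096, 0, 0)        # OPT, 4096-byte UDP payload
GOOD_QUERY = HEADER + QUESTION + b"\x00" + OPT_FIXED    # root name in the additional RR
BAD_LABEL = HEADER + QUESTION + b"\x30abc" + OPT_FIXED  # label claims 48 octets, has 3
BAD_POINTER = HEADER + QUESTION + b"\xc0\x40" + OPT_FIXED  # pointer past the packet
```

`safe_parse` is the shape of the handler: a malformed additional RR yields a reason string and a dropped packet, while a well-formed query with an OPT record parses to its question and additional section.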

High Availability (HA)

Self-defined health check scripts did not work (ID: 74355)
After self-defined health check scripts were imported into the system using the
"monitor import scp" or "monitor import tftp" command, the system would
execute them to apply the health check conditions they defined. However, an
internal error prevented the scripts from executing successfully. This issue has now
been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

General System/Tools
SSH vulnerability (ID: 72130)
Previously, Cipher Block Chaining (CBC) mode ciphers were allowed for SSH
connections to the APV appliance. This mode has a security risk that allows an
attacker to recover the plaintext message from the ciphertext. Now, the CBC mode
ciphers are disabled to improve the SSH access security.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
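A way to verify the SSH hardening above from the outside, as an added example that is not ArrayOS code: parse the SSH_MSG_KEXINIT payload a server sends (the RFC 4253 layout of message byte, 16-byte cookie, ten name-lists, a boolean and a reserved word) and list any CBC-mode ciphers it still offers. The KEXINIT bytes are constructed from a sample algorithm list; in practice the payload comes from a packet capture or a banner probe of the appliance.

```python
"""Added example, not ArrayOS code: parse an SSH_MSG_KEXINIT payload and report
CBC-mode ciphers a server still offers, so the hardening can be confirmed."""
import struct
from typing import Dict, List

SSH_MSG_KEXINIT = 20
NAME_LIST_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]


def _read_name_list(buf: bytes, off: int):
    """SSH name-list: uint32 length followed by comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from("!I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[off:off + length].decode("ascii")
    return [name for name in raw.split(",") if name], off + length


def parse_kexinit(payload: bytes) -> Dict[str, object]:
    """Decode an unframed KEXINIT payload (from the message id byte onwards)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16                                   # message id + 16-byte cookie
    fields: Dict[str, object] = {}
    for field in NAME_LIST_FIELDS:
        fields[field], off = _read_name_list(payload, off)
    if off + 5 > len(payload):                     # boolean + uint32 reserved
        raise ValueError("truncated KEXINIT trailer")
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def build_kexinit(lists: Dict[str, List[str]], cookie: bytes = bytes(16)) -> bytes:
    """Inverse of parse_kexinit; used here only to construct the sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack("!I", len(raw)) + raw
    return body + b"\x00" + struct.pack("!I", 0)


def offered_ciphers(fields: Dict[str, object]) -> List[str]:
    c2s = fields["encryption_algorithms_client_to_server"]
    s2c = fields["encryption_algorithms_server_to_client"]
    return sorted(set(c2s) | set(s2c))


def cbc_ciphers(fields: Dict[str, object]) -> List[str]:
    """CBC-mode SSH ciphers carry a '-cbc' suffix (aes128-cbc, 3des-cbc, ...)."""
    return [c for c in offered_ciphers(fields) if c.endswith("-cbc")]


def without_cbc(ciphers: List[str]) -> List[str]:
    """The hardened list: drop every CBC-mode entry and keep the order."""
    return [c for c in ciphers if not c.endswith("-cbc")]


# Constructed sample: a server that still offers two CBC ciphers next to CTR.
SAMPLE_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
SAMPLE_KEXINIT = build_kexinit(SAMPLE_LISTS)

if __name__ == "__main__":
    parsed = parse_kexinit(SAMPLE_KEXINIT)
    print("CBC ciphers offered:", cbc_ciphers(parsed))
    print("hardened list:", without_cbc(offered_ciphers(parsed)))
```

An empty result from `cbc_ciphers` on the appliance's real KEXINIT is the check that the fix is in effect; the parser also refuses a truncated payload rather than reading past its end.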

CLI printed error messages during startup and then the system rebooted
automatically (ID: 74049)
During startup, the system printed “Fatal trap 19” error messages in the CLI and then
rebooted automatically. During the reboot, no errors were reported. This issue was
triggered by a timeout of data writing to the serial port. There was a very low
probability that the timeout event would occur and trigger this issue. It has now been
resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

Many health check failure logs were recorded when "show tech" was executed
(ID: 73690)
When an administrator executed the “show tech” command via an SSH connection,
the system recorded a lot of logs that indicated real service health check failures.
This issue was caused by the TCP Segment Offload (TSO) capacity limitation of the
adapter driver and it occurred only when the system used a specific type of adapter
driver to transfer SSH traffic. It has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

Occasional service interruptions after a system upgrade (ID: 74509)
After an upgrade, the system experienced intermittent service interruptions, and after
a network outage and recovery it rebooted. This issue occurred because of an internal
logic error during processing of IP fragments over UDP connections. It has now been
resolved.
Affected releases: ArrayOS APV 8.6.1.27 to ArrayOS APV 8.6.1.37

TLS vulnerability (ID: 74829)
ArrayOS APV 8.6.1.40 has addressed the TLS vulnerability known as Return of
Bleichenbacher’s Oracle Threat (ROBOT). When the APV appliance uses an SSL
card to handle TLS connections that utilize RSA cipher suites, ROBOT allows an
attacker to obtain the RSA key necessary to decrypt TLS traffic under certain
conditions.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37
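The configuration-side mitigation that complements the fix above, as an added example that is not ArrayOS code: classify IANA TLS cipher suite names by their key exchange and separate the static-RSA suites, in which the client encrypts the premaster secret with the server's RSA key and which are the ones a Bleichenbacher-style oracle targets, from the (EC)DHE suites that merely sign with RSA and are not exposed. The suite list is constructed sample input.

```python
"""Added example, not ArrayOS code: split a TLS cipher suite list into
static-RSA key-exchange suites (exposed to Bleichenbacher-style oracles such as
ROBOT) and forward-secret suites that are not."""
from typing import List, Tuple

# Key-exchange tokens in which the client RSA-encrypts the premaster secret with
# PKCS#1 v1.5.  RSA used only for signatures (ECDHE_RSA, DHE_RSA) is unaffected.
STATIC_RSA_KEX = {"RSA", "RSA_PSK"}


def key_exchange(suite: str) -> str:
    """Return the key-exchange token of an IANA suite name, or 'TLS13' for
    TLS 1.3 suites, which carry no token and always use (EC)DHE."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {suite}")
    if "_WITH_" not in suite:
        return "TLS13"
    return suite[len("TLS_"):suite.index("_WITH_")]


def uses_static_rsa_kex(suite: str) -> bool:
    return key_exchange(suite) in STATIC_RSA_KEX


def harden(suites: List[str]) -> Tuple[List[str], List[str]]:
    """Return (kept, removed); removed holds the static-RSA key-exchange suites."""
    kept = [s for s in suites if not uses_static_rsa_kex(s)]
    removed = [s for s in suites if uses_static_rsa_kex(s)]
    return kept, removed


# Constructed sample list mixing static RSA, (EC)DHE and TLS 1.3 suites.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    kept, removed = harden(SAMPLE_SUITES)
    print("removed (static RSA key exchange):", removed)
    print("kept:", kept)
```

Running `harden` over the suite list an appliance negotiates gives the list to prefer once the patched release is installed; the removed suites are exactly those whose RSA-encrypted premaster secret an oracle could target.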

Local syslog host failed to record a log (ID: 75255)
With a local syslog host configured, after the administrator executed a "log alert"
configuration, the local syslog host did not print this log. This issue occurred only
when the executed command contained an angle bracket. It has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

WebUI
An error was displayed when a real service name was clicked (ID: 72363)
In SLB > Real Service or Virtual Service, when the administrator clicked a real
service name or virtual service name that contained the slash (“/”) character, a “500 -
Internal server error” page was displayed. This issue has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

Could not access the WebUI as expected after a system reboot (ID: 73306)
With correct "webui source" command configurations, two administrator accounts
could successfully connect to the WebUI. However, after a system reboot, one of the
administrator accounts would not be able to access the WebUI. This issue occurred
only when more than one administrator account attempted to connect to the WebUI
simultaneously after a system reboot. It has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

“synconfig from peer” did not work (ID: 72496)
On the WebUI, an error was reported after the administrator performed the Sync
Configuration from Peer operation. This issue has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

Legacy WebUI
A user with only the Enable level privilege could access the Config mode on the
legacy WebUI (ID: 72085)
On the legacy WebUI, an administrator with only the Enable level privilege could
switch to the Config mode and perform SLB and SSL configurations, among others.
This issue was caused by an internal logic error. It has now been resolved.
Affected releases: ArrayOS APV 8.6.1.5 to ArrayOS APV 8.6.1.37

KNOWN LIMITATIONS

There are no known limitations in this release.
