LP 6 12 Release Notes

North America
Radware Inc.
575 Corporate Dr., Lobby 1
Mahwah, NJ 07430
Tel: (888) 234-5763

International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel

LinkProof Release Notes
Version 6.12
November 1, 2010

Radware announces the release of LinkProof version 6.12. These release notes describe new features since the last released version of LinkProof 6.10.01. LinkProof 6.12.02 includes bug fixes from maintenance version LinkProof 5.22.01 DL, LinkProof 6.00.01DL, LinkProof 6.10.01DL, LinkProof 6.12.00DL and LinkProof 6.12.01DL.

Table of Contents

Supported Platforms and Modules
Build Number
Note to Customers Upgrading to LinkProof 6.12
What’s New
  OnDemand Switch VL EL
    Software Image Note
  OnDemand Switch 3
  OnDemand Switch VL
  New LinkProof Features
  Copy Configuration in Redundant Environment
    Configuration
  Server Farm Usability Changes
  Server Farm Unification
  Support for NAT with Proxy
    Configuration
  Farm Extended Parameters
  Persistency According to Hostname
    Configuration
  Persistency According to HTTP Header
    Configuration
  Default Farm Action
  Advanced Layer 7 Services
  Layer 7 Hostname Lists
  Support for Out-of-Order IP Fragments
    Configuration
  Watchdog Timer Status Configuration
    Configuration
  New Web Help Look and Feel
  Obsolete Entry Aging
    Configuration
  Power Supply SNMP Traps
    Configuration
  OnDemand Switch VL Support for 4-GB RAM
  OnDemand Switch 2 support for 4-GB RAM
  Client Table Mirroring
  Extended Persistency
  CLI Installation Wizard Changes (OnDemand Switch VL)
Related Documentation
Known Limitations

Supported Platforms and Modules

This version is supported by the following platforms:

Platform | Lowest Boot Version | Highest Boot Version | Notes and Exceptions
LinkProof 1016, 2016, 4016 (based on OnDemand Switch 2) | 6.25 | 6.31 | Installation of LinkProof 6.00.00 on OnDemand Switch 2 platforms with serial number below 21900405 is not supported.
LinkProof 58 EL, 108 EL, 108, 208, 1008, 2008, 4008 (based on OnDemand Switch VL and OnDemand Switch VL EL) | 6.26 | 6.31 |
LinkProof 8016, 12016, 16016 (based on OnDemand Switch 3) | 6.31 | 6.31 |

For more information on platform specifications, refer to the Radware Installation and Maintenance Guide.

This version includes the following modules:

Module | Supported Version | Notes and Exceptions
Application Security DoS and BDoS | 2.06.10 | Application Security, IPS, DoS, and BDoS functionality are not supported by LinkProof 6.12.
APSolute OS | 10.31-08.04A |
ND | Version 11.64.02 |

Build Number

LinkProof 6.12.02 is released with software version based on Build Number 5.

Note to Customers Upgrading to LinkProof 6.12

If the LinkProof device was configured with Layer 7 redirection, after upgrade, you must reconfigure a new Filter (Basic or Advanced) and link it under the relevant L7 Policy. This procedure is necessary due to the major infrastructure enhancements introduced in this version.

What’s New

The new features introduced in this software release are described below.

OnDemand Switch VL EL

For a detailed description of the OnDemand Switch VL EL hardware, refer to the Radware Installation and Maintenance Guide.

OnDemand Switch VL EL supports the following throughput rates:

Product Name Throughput

LinkProof 58 EL 50 Mbps

LinkProof 108 EL 100 Mbps

Software Image Note:

OnDemand Switch VL and OnDemand Switch VL EL use the same software image. When installed, the image identifies the hardware and automatically sets the tuning values accordingly.

OnDemand Switch 3

For a detailed description of the OnDemand Switch 3 hardware, refer to the Radware Installation and Maintenance Guide.

OnDemand Switch 3 supports the following throughput rates:

Product Name Throughput

LinkProof 8016 8 Gbps

LinkProof 12016 12 Gbps

LinkProof 16016 16 Gbps

OnDemand Switch VL

For a detailed description of the OnDemand Switch VL hardware, refer to the Radware Installation and Maintenance Guide.

OnDemand Switch VL supports the following throughput rates:

Product Name Throughput

LinkProof 108 100 Mbps

LinkProof 208 200 Mbps

LinkProof 1008 1000 Mbps

LinkProof 2008 2000 Mbps

LinkProof 4008 4000 Mbps

New LinkProof Features

Copy Configuration in Redundant Environment

Running LinkProof in a redundant configuration requires setting up both devices identically, with minor differences. Until LinkProof version 5.22, Radware’s management application, APSolute Insite, was needed to copy a configuration from one device to another, with the appropriate changes. Starting with LinkProof version 6.12.01, a LinkProof device can generate a configuration file for the redundant peer device when the user initiates it manually. The generated configuration file can then be uploaded to the peer device.

Note: Copy configuration is also supported via Insite 2.90.

Configuration

Web Based Management

Under IP configuration, define the peer for every interface for which you would like to enable redundancy. In WBM, select Router > IP Router > Interface Parameters (create or edit existing properties).

To use the configuration file for the redundant device, do the following:

1. In WBM, select File > Configuration > Receive from Device.

2. In the ‘configuration type’ drop-down list, choose Backup (active-backup).

3. Click Set to download the file in HTML format. Optionally, you can select the check box to download the Private Key for SSH/SSL configuration, so that both devices will use the same Private Key.

CLI

To download the configuration file for the backup device, use the following command:

system config download [file] [Tftp Server IP] [file type]

file type: Optional parameter. Values: [regular/active-backup] (Default: regular)

Server Farm Usability Changes

Prior to version LP 6.12, the network administrator needed to configure one of two server-farm options:

• Router farm (Routers)

• Firewall Farm (Firewalls)

In addition, similar servers (Routers, Firewalls) needed to be set as logical servers, and be associated with their corresponding farms.

In LP 6.12, the following change was introduced.

Server Farm Unification

LinkProof now supports a single farm entity.

When creating a server farm, you have two options:

• Router Farm

• Firewall Farm

This makes server configuration easier. You can create a farm, and then create a Router or a Firewall logical server. After this step, the Router or Firewall servers are associated with the farms created in the previous steps.

Support for NAT with Proxy

Starting with LP 6.12, in the Router/Firewall farm, the NAT option is no longer one of the Packet Handling options. This increases the number of supported configurations with NAT enabled on the farm, for example, various proxy modes (HTTP Proxy, Remote Proxy, etc.) with NAT enabled.

LP 6.12 supports the following new fields:

• NAT Mode

• Packet Handling

o VIP

o Transform HTTP Requests (support for HTTP Transparent Proxy)

o Transform POP3 Requests (support for POP3 Transparent Proxy)

o Virtual Tunneling

Configuration

Web Based Management

In WBM, select LP > Farms > Farm Name. Within the relevant farm, set the NAT Mode to Enable or Disable.

In the specific farm, specify one of the following Packet Handling modes:

• Disable

• VIP

• Transform HTTP Request

• Transform POP3 Proxy

• Virtual Tunneling

CLI

To configure NAT and Packet Handling, use the following commands:

lp farms table set <Farm Name> -nm <Enabled / Disable>

lp farms table set <Farm Name> -pt <Packet handling type>

(1) VIP

(2) Disable

(3) Transform HTTP Requests

(4) Transform POP3 Requests

(7) Virtual Tunneling

For additional information on how to configure server farms, refer to the LinkProof User Guide.

Farm Extended Parameters

Starting in LinkProof 6.12, the following parameters are in the Farm Extended Parameters Table:

• Clear Client Table Condition.

• Persistency Mode – new in LP 6.12

• Persistency String – new in LP 6.12

• Basic NAT Fallback

• Extended Persistency Time

• Multicast MAC Address (used in Firewall configurations only)

For a description of the parameters, see the LinkProof User Guide.

Persistency According to Hostname

Starting with version 6.12, LinkProof supports persistency based on the hostname.

Configuration

Web Based Management

From WBM, select LP > Farms > Farms Extended Parameters > (choose specific Farm). Within the specific farm, set the Persistency type to Hostname.

CLI

To configure the persistency to be based on Header Persistency, use the following command:

lp farms table-extended-params set <Farm Name> -pm 6

Persistency According to HTTP Header

Starting with version 6.12, LinkProof supports persistency based on the HTTP header. This enables load balancing according to various parameters, while the load balancing itself will be persistent if set in the Persistency String.

Example:

Two clients pass through two different one-legged server farms:

Both farms are configured with the Cyclic Dispatch Method.

Client A

Reaches a farm in which Persistency Mode is set to Client Table.

The first client does not have any preferred server in the farm.

Traffic coming from Client A will be load balanced across all Routers/Firewalls in the first farm.

Client B

Reaches a Farm in which Persistency Mode is set to Header:

Persistency string is set to agent.

Clients with browser type X will get a sticky connection to a specific server, while clients with browser type Y will get a sticky connection to another server.

Configuration

Web Based Management

From WBM, select LP > Farms > Farms Extended Parameters > specific Farm. Within the specific farm, set the Persistency String with which you want to set the persistent connection.

CLI

To configure the persistency to be based on Header Persistency, use the following commands:

lp farms table-extended-params -pm <Persistency Mode>

lp farms table-extended-params set <Farm Name> -pm 7

To configure a specific persistency string, use the following command:

lp farms table-extended-params -ps <Persistency String>

Default Farm Action

Starting with version 6.12, LinkProof supports a feature to address the behaviour of a Server Farm.

The Default Farm action specifies the action that the LinkProof device takes if the farm is unavailable (all the servers in the farm are Not in Service).

Values:

• Drop—The device drops the packet.

• Skip—The device bypasses the farm and forwards the packet to the next farm in the flow.

Default: Drop

Web Based Management

From WBM, select LP > Farms > specific Farm. Within the specific farm, set the Default Farm Action flag on which you want to set the persistent connection.

CLI

To configure the Default Farm Action, use the following command:

lp farms table set <Farm Name> -fa

(1) Drop

(2) Skip

Advanced Layer 7 Services

Starting with version 6.12, LinkProof uses Services to filter traffic in Layer 7 redirection policies. Services characterize traffic based on Layer-3–7 criteria. A Service is a configuration of a basic filter, which may combine with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters). LinkProof supports a long list of predefined basic filters. A basic filter includes attributes that specify parameters such as protocol, application port, and content type. When the protocol of a basic filter is TCP or UDP, the filter can include a text string.

You can configure Services separately from policies. When you configure a policy, you can associate it with an existing Service.

Supporting Services to filter traffic in Layer 7 redirection policies not only removed a LinkProof Layer-7–redirection limitation but also added many features and configuration options to redirect traffic according to the highest levels of the OSI network model.

Starting with LinkProof 6.12, you configure L7 redirection in the following order:

1. L7 Policy

2. L7 Service (Optional)

3. Content Rule

4. Farm Flow

5. Flow Policy

For more information, see the LinkProof User Guide.

Layer 7 Hostname Lists

An L7 Policy can include a user-defined Hostname List to which LinkProof matches packets. That is, when an L7 Policy includes a selected user-defined Hostname List, LinkProof checks whether the host of the packet header is included in the selected Hostname List.

For more information, see the LinkProof User Guide.

Support for Out-of-Order IP Fragments

Starting with version 6.12, LinkProof supports out-of-order IP fragments that arrive and that the device needs to forward.

LinkProof queues out-of-order IP fragments and releases the fragments according to the following criteria:

• All fragments have arrived and the packet can be forwarded by the LinkProof device.

• The timer for discarding a non-complete IP packet has expired (1–10 seconds).

LinkProof can queue about 1,500 fragments that have all arrived out of order. (Fragments that arrive in order do not require any queuing.)
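The queuing rules above, as a simplified model added here for illustration (not Radware code): fragments that arrive in order are forwarded at once, out-of-order fragments are held until no hole remains, and incomplete datagrams are discarded when the aging timer expires. The class and field names and the sample addresses are assumptions; the 1,500-fragment cap and the 1-second default come from this page.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_QUEUED = 1500   # page: "about 1,500 fragments"
AGING_SECONDS = 1   # page: CLI default of fragment-aging-time

@dataclass(frozen=True)
class Fragment:
    key: tuple      # (src, dst, protocol, IP id) identifies the datagram
    offset: int     # byte offset of this fragment's payload
    length: int     # payload bytes carried
    more: bool      # IP "more fragments" flag; False on the last fragment

@dataclass
class Pending:
    first_seen: float
    next_offset: int = 0                       # bytes already forwarded in order
    held: dict = field(default_factory=dict)   # offset -> queued Fragment
    total: Optional[int] = None                # datagram size, known after last fragment

class FragmentQueue:
    def __init__(self, aging=AGING_SECONDS, max_queued=MAX_QUEUED):
        self.aging, self.max_queued = aging, max_queued
        self.pending, self.queued = {}, 0

    def expire(self, now):
        """Discard incomplete datagrams older than the aging timer."""
        old = [k for k, st in self.pending.items() if now - st.first_seen >= self.aging]
        dropped = sum(len(self.pending.pop(k).held) for k in old)
        self.queued -= dropped
        return dropped

    def receive(self, frag, now):
        """Return the fragments that can be forwarded now, in offset order."""
        self.expire(now)
        st = self.pending.setdefault(frag.key, Pending(first_seen=now))
        if not frag.more:
            st.total = frag.offset + frag.length
        if frag.offset == st.next_offset and not st.held:
            st.next_offset += frag.length      # in order: no queuing needed
            out = [frag]
        elif frag.length <= 0 or frag.offset < st.next_offset or frag.offset in st.held:
            return []                          # empty or duplicate fragment: ignore
        elif self.queued >= self.max_queued:
            return []                          # queue full: drop, memory stays bounded
        else:
            st.held[frag.offset] = frag
            self.queued += 1
            out = self._release(st)
        if st.next_offset == st.total:
            del self.pending[frag.key]         # datagram fully forwarded
        return out

    def _release(self, st):
        """Release the queued fragments only when no hole remains."""
        offset, chain = st.next_offset, []
        while offset in st.held:
            chain.append(st.held[offset])
            offset += st.held[offset].length
        if st.total is None or offset != st.total:
            return []
        self.queued -= len(st.held)
        st.held.clear()
        st.next_offset = st.total
        return chain

def demo():
    """Constructed sample: a 20-byte datagram whose fragments arrive last-first."""
    key, q = ("192.0.2.10", "198.51.100.7", 17, 0x1234), FragmentQueue()
    arrivals = [Fragment(key, 16, 4, False), Fragment(key, 8, 8, True), Fragment(key, 0, 8, True)]
    return [[f.offset for f in q.receive(a, now=0.1 * i)] for i, a in enumerate(arrivals)]

if __name__ == "__main__":
    print(demo())
```

The cap and the timer together bound how much memory incomplete datagrams can occupy, which is why both appear as limits in the feature description.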

Configuration

Web Based Management

From WBM, select LinkProof > Global Configuration > General. The timer can be set from 1 second (default) to 20 seconds.

CLI

To configure the Out-of-Order IP fragments timer, use the following command:

lp global fragment-aging-time set <1-10> (Default is 1)

Watchdog Timer Status Configuration

Starting with version 6.12, LinkProof supports a Watchdog timer (which was based on hardware revision B5). It is enabled by default.

The Watchdog timer is a special-purpose timer, which generates a system reset if a special hardware register (the Watchdog register) is not acknowledged during the predefined time.

An application can hang in these cases because, while the software may be functioning properly, there is a delay in a process that is being called, for example, when an update policy is under heavy stress from traffic passing through the device. In this case, the Watchdog timer will reboot the device due to lack of response.

To resolve this problem, a CLI flag has been created to disable the Watchdog timer and allow the application to continue functioning.

Configuration

The Watchdog timer can only be enabled or disabled using the CLI, with the following command:

manage watchdog status set <enable / disable>

New Web Help Look and Feel

Starting with version 6.12, LinkProof supports a new look and feel for the Web Help.

Obsolete Entry Aging

There are cases where old Client Table entries are not removed from the Client Table even when their respective aging periods have expired. This is due to several client source IP addresses appearing in and disappearing from the Client Table within a very short interval.

The Obsolete Entry Aging feature reviews the entire Client Table every 10 minutes (600 seconds), and deletes any entries whose aging period has expired.

The feature is enabled by default, and using it does not affect performance.

Configuration

Web Based Management

From WBM, select LinkProof > Global Configuration > General > Obsolete-Entry Aging.

The Obsolete Entry Aging timer can be enabled (default) or disabled.

CLI

To configure the Obsolete Entry Aging fragments timer, use the following command:

lp global obsolete-entry-aging set enable / disabled (Default is enabled)

Power Supply SNMP Traps

With the addition of dual power supplies to the OnDemand Switch VL platform, an SNMP flag was added to enable or disable the power-supply unit SNMP traps in the event of a failure and/or removal of a power supply unit.

Configuration

Web Based Management

From WBM, select Services > Logging > SNMP Traps.

Set the Power Supply Trap status to enabled (default) or disabled.

CLI

To configure the Power Supply SNMP Trap status, use the following command:

manage trap-logging power-supply-traps set enable / disabled (Default is enabled)

OnDemand Switch VL Support for 4-GB RAM

The OnDemand Switch VL platform supports 4 GB RAM (available via a factory installed upgrade) and up to 6,500,000 concurrent client table entries.

OnDemand Switch 2 support for 4-GB RAM

The OnDemand Switch 2 platform supports 4 GB RAM (available via factory installed upgrade) and up to 6,500,000 concurrent client table entries.

Client Table Mirroring

Starting with version 6.12, LinkProof supports Client Table mirroring across all platforms that support version 6.12.

For more information, see the LinkProof User Guide.

Extended Persistency

To efficiently handle the flow of traffic between the clients and the servers, Radware products use a Client Table. The Client Table stores client-session information, which is necessary to maintain session persistency.

There are several scenarios where a client or a group of clients passes through the device and is forwarded to a specific server.

The client may still be connected to a Web page while the Client Table entry itself has been removed due to timeout. If the user tries to continue the session to this Web page, for the LinkProof client table it appears to be a new session, which may be forwarded to another server, thus, severing the original session. This is very common with Web sites that use short-duration session cookies. To prevent this behavior, enhanced persistency was developed.

Extended persistency maintains the client information (Server, Farm and original Persistency method as defined in the Farm Table). The information is stored in this Extended Persistency table with a predefined timer of its own—regardless of whether the session has already been cleared from the Client Table.
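A simplified model of Client Table aging, the Obsolete Entry Aging sweep and Extended Persistency as this page describes them, added here for illustration (not Radware code). The class names, the 60-second Client Table aging, the 3600-second extended timer and the sample addresses are assumptions; the 600-second sweep interval comes from this page.

```python
from dataclasses import dataclass
from itertools import cycle

SWEEP_INTERVAL = 600  # page: the whole Client Table is reviewed every 600 seconds

@dataclass
class Entry:
    server: str
    farm: str        # kept with the server, as the Extended Persistency table does
    expires: float

class Farm:
    def __init__(self, name, servers, client_aging, extended_time=0):
        self.name = name
        self._dispatch = cycle(servers)       # Cyclic dispatch method
        self.client_aging = client_aging      # Client Table aging, seconds (assumed value)
        self.extended_time = extended_time    # Extended Persistency Time; 0 = feature off
        self.client_table, self.extended = {}, {}
        self.last_sweep = 0.0

    def select(self, client, now):
        """Pick the server for a packet from `client` at time `now` (seconds)."""
        if now - self.last_sweep >= SWEEP_INTERVAL:
            self.sweep(now)
        entry = self.client_table.get(client)
        ext = self.extended.get(client)
        if entry and entry.expires > now:
            server = entry.server             # live Client Table entry
        elif ext and ext.expires > now:
            server = ext.server               # Client Table timed out, session kept
        else:
            server = next(self._dispatch)     # treated as a new session
        self.client_table[client] = Entry(server, self.name, now + self.client_aging)
        if self.extended_time:
            self.extended[client] = Entry(server, self.name, now + self.extended_time)
        return server

    def sweep(self, now):
        """Obsolete entry aging: delete Client Table entries whose aging expired."""
        stale = [c for c, e in self.client_table.items() if e.expires <= now]
        for c in stale:
            del self.client_table[c]
        self.last_sweep = now
        return len(stale)

def replay(extended_time):
    """Constructed timeline: client .1 pauses longer than the Client Table aging."""
    farm = Farm("fw-farm", ["s1", "s2", "s3"], client_aging=60, extended_time=extended_time)
    picks = [farm.select("10.0.0.1", 0), farm.select("10.0.0.2", 1),
             farm.select("10.0.0.1", 30), farm.select("10.0.0.1", 120)]
    return picks, farm

if __name__ == "__main__":
    print(replay(0)[0])      # no extended persistency: the returning client moves to s3
    print(replay(3600)[0])   # extended persistency: the returning client stays on s1
```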

CLI Installation Wizard Changes (OnDemand Switch VL)

When using the CLI Wizard (on OnDemand Switch VL), you must enable the management port if you require a dedicated management port. If you choose to ignore the parameter in the wizard, and the LinkProof device continues to boot, there will be no dedicated management port on the device.

Related Documentation

The following documentation is related to this version:

• Radware Installation and Maintenance Guide

• LinkProof User Guide

• LinkProof Maintenance Release Notes

• LinkProof Tuning Guide

For the latest Radware product documentation, download it from http://www.radware.com/Customer/Portal/default.asp.

Known Limitations

The following are known limitations for this version (Final Version Build 5):

Item | Description | Bug ID

General Limitations
1 | APSolute OS – Application Security – is not supported (IPS, BDOS etc.). | N/A
2 | When working with APSolute Insite 2.90, an error “This version is not fully supported” might be generated. The error can be ignored as the device is supported by Insite 2.90. | N/A

Virtual Tunneling (VT)
3 | Trace Route does not work in VT. | 62638
4 | When working with virtual tunneling, after the remote link is disconnected, the TRP does not re-initiate the tunnel. | 62777

Redundancy
5 | Mirroring a configuration is not supported via APSolute Insite (WBM and CLI only). | 88802

2010 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.