LoadMaster 7.2.42 Release Notes

Refer to the sections below for details about firmware version 7.2.42. This was released on 4th April 2018.

New Features

The following new features were added to the 7.2.42 release:

  • Previously, there was no way for a System Administrator to view the underlying processes and system resource usage of a LoadMaster.
    Now, the Linux top command is available in the Debug Options screen and in the Application Program Interface (API) (both RESTful API and PowerShell). Therefore, a System Administrator can get a better understanding of how the LoadMaster is consuming system resources.
  • Previously, to allow LDAP endpoint users (for example, Active Directory users) to authenticate on the LoadMaster, local users needed to be created with specific permissions assigned.
    Now, LDAP endpoint users can authenticate on the LoadMaster without a local account. The LoadMaster queries the LDAP endpoint and if the user is valid and a member of an LDAP user group configured on the LoadMaster, they are authenticated and assigned the permissions of that group. Queries of nested groups are also supported with the first match being returned as the valid user group.
  • Previously, LoadMaster instances were not available in the CenturyLink Cloud environment.
    Now, LoadMaster instances are available to set up and configure in the CenturyLink Cloud environment.

Feature Enhancements

  • Previously, Azure Bring Your Own License (BYOL) licensing only facilitated an online licensing option.
    Now, Azure BYOL licensing supports both online and offline licensing options.
  • Previously, the LoadMaster did not correctly interpret the Content-Type set in the POST.
    Now, if a POST has a Content-Type set in the additional headers, the LoadMaster uses this setting as intended.
  • Addressed a critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management where an unauthenticated, remote attacker could bypass security protections, gain system privileges, execute elevated commands, and expose certain sensitive system data, such as certificates and private keys. This vulnerability was partially addressed in 7.2.41.2. The expanded scope of this vulnerability, covering exploitation through injection of arbitrary executable commands in cookies, is addressed in this release.
  • Previously, there was no way to reset or download the Web Application Firewall (WAF) debug or WAF event log files.
    Now, there are options to reset and download the WAF debug and WAF event logs in the System Log Files screen in the Web User Interface (WUI) and also using the PowerShell and RESTful APIs.
  • Previously, there was no indication on the LoadMaster WUI of the possible reasons why a WAF-enabled Virtual Service could not be configured.
    Now, a message appears in the Virtual Service modify screen (in the WAF Options section) which displays the possible reasons why a WAF-enabled Virtual Service cannot be configured.
  • Previously, the WAF user logs were not rotated.
    Now, WAF user logs are rotated every 30 minutes if the file size is greater than 50MB.
  • Previously, there was no option in the LoadMaster WUI to view the WAF debug or event logs.
    Now, there is an option to view the WAF debug and event logs in the System Log Files screen in the WUI if the files exist.

Issues Resolved

PD-9946

Previously, sporadic LoadMaster reboots were reported.
Now, further enhancements have stabilized the system and prevented reboots.

PD-9780

Previously, LoadMaster Virtual Service throughput statistics were reporting incorrectly.
Now, this issue is resolved and the correct values for Virtual Service throughput are reported.

PD-9649

Previously, processing SAML responses failed during the base64 decode when the RelayState parameter was present. The RelayState parameter was present when integrating with an OKTA Identity Provider (IDP).
Now, when the SAML response contains a RelayState parameter, it is ignored to prevent impacting the base64 decode of the SAML response. The parameter is not used on the LoadMaster Service Provider.

PD-10977

Previously, in 7.2.40.1, the SAML verbose logs were logged under system log messages and warnings with debug disabled.
Now, when debug is disabled, the SAML verbose logs are no longer in the system log file.

PD-10973

Previously, there was a race condition between closing a connection and the data being released, which caused the LoadMaster to reboot.
Now, checks exist to ensure that if this race condition occurs, it is handled gracefully to ensure that the LoadMaster does not reboot.

PD-10867

Previously, a percentage sign in the image set HTML was processed incorrectly, resulting in an incorrect text size.
Now, the percentage sign is handled correctly and no longer causes the text on the logout page to be resized.

PD-10860

Previously, exporting a template with a certain configuration resulted in it being unable to be imported.
Now, the exported template no longer contains the offending string, so it can be successfully imported.

PD-10735

Previously, there were not enough details about the last WAF rule install date and time.
Now, the end user is informed of the last WAF rule download with specific time and timezone information.

PD-10702

Previously, the message "kcd_get_user_ticket: credentials expired" repeated in the syslog, even when there was no client authentication issue.
Now, this message only appears in the syslog when ssomgr debugging is on.

PD-10636

Previously, the configured port for the target OCSP server was not used correctly, and SSL responses from the server were handled incorrectly.
Now, the port configured for the OCSP server is used correctly per the configuration on the LoadMaster. SSL responses are also handled correctly.

PD-10616

Previously, when the Process Responses option was enabled in WAF, the responses failed.
Now, all responses are successfully processed when Process Responses is enabled in WAF.

PD-10590

Previously, automatic WAF rule downloads did not work if configured for a second HA mode system, even when it was in an active state.
Now, automatic WAF rule downloads work when configured for a second HA mode system. The issue that existed during HA configuration has been fixed.

PD-10584

Previously, when both the User Principal Name (UPN) and SAM (WindowsAccountName) Claims were in the SAML response, they were processed and selected for subsequent use inconsistently.
Now, when both the UPN and SAM Claims are present, the SAM (WindowsAccountName) Claim is given precedence for selection and subsequent use for server-side authentication (for example, Kerberos Constrained Delegation (KCD)).
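The two SAML fixes above (PD-9649: decoding SAMLResponse must not be disturbed by a RelayState field; PD-10584: SAM takes precedence over UPN when both claims are present) as an added worked example. This is illustrative code written for these notes, not LoadMaster code; the claim type URIs are the standard AD FS ones and are assumed, and the assertion and POST body are constructed, unsigned samples.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote, urlencode

# Claim type URIs as issued by AD FS (assumed; the release notes do not list them).
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
SAM_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned, minimal assertion carrying both claims (not a real IdP response).
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="%s"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="%s"><saml:AttributeValue>EXAMPLE\\jdoe</saml:AttributeValue></saml:Attribute>'
    "</saml:AttributeStatement></saml:Assertion>"
) % (UPN_CLAIM, SAM_CLAIM)

def acs_post_body(assertion_xml, relay_state=None):
    """Constructed form-urlencoded body as a browser posts it to the ACS URL."""
    fields = {"SAMLResponse": base64.b64encode(assertion_xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state  # the extra field an Okta IdP adds
    return urlencode(fields)

def decode_naive(body):
    """Failure mode: treat everything after 'SAMLResponse=' as base64.
    Works until a RelayState field follows, then the decode fails."""
    blob = unquote(body.split("SAMLResponse=", 1)[1])
    try:
        return base64.b64decode(blob, validate=True).decode()
    except binascii.Error:
        return None

def decode_fixed(body):
    """Fix: parse the form fields first, decode only SAMLResponse, ignore RelayState."""
    fields = parse_qs(body, strict_parsing=True)
    return base64.b64decode(fields["SAMLResponse"][0], validate=True).decode()

def select_account_name(assertion_xml):
    """SAM (WindowsAccountName) takes precedence over UPN when both claims are
    present, matching the PD-10584 behaviour; fall back to UPN otherwise."""
    claims = {}
    for attr in ET.fromstring(assertion_xml).findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        claims[attr.get("Name")] = value.text if value is not None else None
    return claims.get(SAM_CLAIM) or claims.get(UPN_CLAIM)
```

Signature validation is deliberately out of scope here; a real Service Provider verifies the response signature before reading any claim.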

PD-10131

Previously, users could not add documents to SharePoint sites when a WAF Virtual Service had Process Responses enabled at the main Virtual Service level, and KCD enabled on the SubVS for server-side authentication.
Now, on Chrome and Firefox, users can add documents to sites with the same configuration, but they are prompted to authenticate.

PD-10149

Previously, Alternative Domain selection and handling was not always reliable. When an Alternative Domain could have been selected appropriately, Virtual Service association was not always consistent. As a result, Form Based Authentication (FBA) on the server side did not trigger when expected. Furthermore, some characters were not permitted to be included in the server-side FBA post to the Real Server.
Now, Alternative Domain selection and handling provides reliable and expected processing. The Virtual Service association for Alternative Domains is reliable and allows FBA on the server side to be successfully triggered for the Virtual Service. Support for extra characters in the FBA post to the Real Servers, such as square brackets ( [ ] ), has also been added.

PD-10259

Previously, under load, WAF would fail responses from Real Servers due to all response data not being processed.
Now, under load, Real Server responses are handled correctly to ensure all data is processed and no failed responses occur.

PD-10332

Previously, error text appeared in the LoadMaster WUI when adding a VLAN with an ID of an already existing VLAN.
Now, this text does not appear and a pop-up error message appears with the correct error information.

PD-10381

Previously, on a LoadMaster with 2GB or less memory and remote logging enabled, adding/removing Application Generic rule sets to/from a Virtual Service caused WAF misconfiguration.
Now, additional checks exist to ensure that memory is allocated correctly when adding/removing Application Generic rule sets to prevent WAF misconfiguration from occurring.

PD-10445

Previously, when WAF and Process Responses were both enabled on a Virtual Service, the Real Server did not respond correctly.
Now, when WAF and Process Responses are both enabled on a Virtual Service, the Real Server responds as expected.

PD-10455

Previously, when an SSL certificate was used as the administrative certificate, everything worked as expected until the LoadMaster was rebooted, after which access to the LoadMaster WUI was lost.
Now, access to the LoadMaster WUI is preserved after a reboot.

PD-10478

Previously, SSO image sets did not get listed in the SSO Image Set drop-down list after the ESP SSO configuration was restored from a backup.
Now, SSO image sets are listed in the drop-down list after restoring from a backup.

PD-10525

Previously, when WAFD was terminating, there was a read error from the control channel if a termination sequence was called incorrectly.
Now, checking exists to ensure the termination sequence is correct and this ensures that WAF read errors do not occur.

PD-10545

Previously, Virtual LoadMasters became inaccessible on the Azure cloud when the WUI was moved to Network Interface Controller (NIC)-1.
Now, the WUI can be configured on any available NIC. Access to the interface from a non-local network is still not possible, even when the Admin WUI gateway is set to the local network gateway and the Allow Multi Interface Access option is set.

PD-10577

Previously, if an edge error condition occurred when creating a Virtual Service using the API, a segfault could occur.
Now, this error condition is correctly handled and it no longer causes a segfault.

PD-10169

Previously, the hapreferred parameter in the Set-LmAzureHAConfiguration PowerShell API command was not spelled correctly.
Now, the parameter spelling has been corrected to hapreferred.

Known Issues

PD-10466

LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF), and LM-SFP-LR (SFP+ LR Transceiver 10GBASE-LR 1310nm, 10KM over SMF).

PD-10504

The active connection values reported in an SNMP tool do not match the LoadMaster statistics for active connections in all situations.

PD-11040

Under certain specific conditions, the Edge Security Pack (ESP) logs can fill the allocated partition for /var/log/userlog which may cause the unit to reboot.

PD-8697

Some users are experiencing issues detecting the partition when using the Hardware Security Module (HSM).

PD-9375

Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-9507

Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9821

Some high memory usage has been observed.

PD-9947

Virtual Services/Real Servers can report as "Up" in the API even if SubVSs are disabled.

PD-9854

WAF does not support chunked transfer encoding on the POST body.

PD-10129

There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.

PD-10136

There are some minor issues with LoadMaster clustering.

PD-10159

When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10188

When adding a Real Server to a Virtual Service or SubVS on a Safari browser, the list of available Real Servers is not available.

PD-10193

A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10197

Cluster Virtual Service and Real Server home page statistics are reported incorrectly.

PD-10207

The ESP LDAP logs need to be enhanced.

PD-10347

The SSO session expiry time is not updated in domain session management.

PD-10421

Setting options for the syslog server settings multiple times for different levels using the API causes events to repeat.

PD-10474

A SNORT rule is triggering a false positive in certain scenarios.

PD-10488

Occasionally WAF is stopped with an "errno 24" error.

PD-10538

Cannot create body rules when single quotes are in separate capture groups.

PD-10572

The extended log view fails when the selected range is in different years.

PD-10627

There are issues when replacing clustered nodes.

PD-10801

There are some issues relating to username normalization when using RADIUS authentication.

PD-10862

A local user with Real Server permissions cannot make changes to a Real Server when the Virtual Service is offloading or reencrypting.

PD-10961

LoadMasters in an Azure environment are not contacting the KEMP licensing server during a reboot.

PD-10970

If a template is exported from an older version of LoadMaster and it contains an improper string, a newer LoadMaster cannot import it.

PD-10976

High CPU utilization was observed in a certain scenario when using GEO.

PD-11024

The WUI is not accessible on NIC-1 from a non-local subnet.

PD-11031

When the LoadMaster reports settings back to the KEMP Licensing Server, it always reports that KEMP 360 Vision is not in use, even if it is.

PD-11044

A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service, and KCD is enabled on the SubVS level for server-side authentication.

PD-9765

GEO does not support DNS TCP requests from unknown sources.

PD-8853

Location Based failover does not work as expected.

PD-8725

Proximity and Location Based scheduling do not work with IPv6 source addresses.

PD-10586

If a GEO FQDN is configured with All Available as the Selection Criteria, IPs are returned even if the cluster is disabled.

PD-10155

An issue with configuration corruption is causing some GEO features to not function.

PD-7156

The VSIndex parameter is missing in some API commands.

PD-9476

There is no RESTful API command to get/list the installed custom rule data files.

PD-9553

There is no API command to disable secure NTP mode.

PD-9816

There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-10490

The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10598

There is no PowerShell API parameter to modify the IdP Certificate Match option.

PD-10802

It is not possible to set the forward parameter to route using the addrs RESTful API command (you can set it using modrs).

PD-11109

RESTful API does not respond with the correct warning message if the user is unable to enable WAF.

PD-10363

The PowerShell API is missing the ServerFbaPath and ServerFBAPost parameters.
