LoadMaster 7.2.40 Release Notes
Refer to the sections below for details about firmware version 7.2.40. This was released on 1st November 2017.
New Features
The following features were added to the 7.2.40 release:
- Activation Server Local (ASL) LoadMasters have the ability to download Web Application Firewall (WAF) commercial rules and GEO IP blacklist rules.
- A LoadMaster Web User Interface (WUI) Help menu option to provide knowledge about External Services provided by KEMP.
Feature Enhancements
- The Call Home feature is now an opt-out process during initial activation of a LoadMaster.
- Added support in the LoadMaster for the following OWASP secure HTTP response headers: X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, HSTS Strict-Transport-Security.
- Added the ability to easily delete a Virtual Service and all its nested SubVSs.
- Real Server enhancements:
- Added the ability to select from the available list of Real Servers when configuring a Virtual Service or SubVS.
- On the Real Servers screen, it is possible to sort the Real Server addresses or the status column by clicking the column label.
- When adding a Real Server to a SubVS, a check box appears that enables you to assign that Real Server to all other SubVSs of the main Virtual Services.
- Added the ability to use the DNS name as the Online Certificate Status Protocol (OCSP) server.
- In SAML authentication, the URL provided in the original request from Layer 7 is preserved. This URL gets precedence over the destination URL from the SAML response.
- Improvements to using FQDN to designate to a Real Server; there is now a configurable DNS Update Interval. Also, Reload DNS Entries for Real Server Errors can be enabled to allow a reload of DNS entries when health checks have errors and an FQDN is associated with the Real Server IP address.
- When an OCSP server fails to connect, error logs are printed.
Issues Resolved
|
PD-9886 |
Fixed a security issue with the initial boot password in the Azure Virtual LoadMaster logs. |
|
PD-9838 |
Fixed a security issue where the full session ID was printed in the logs. Now, only a partial session ID is printed. |
|
PD-9837 |
Fixed an issue with the WUI admin login in Password or Client certificate mode. |
|
PD-9768 |
Fixed a security issue when the 'Logon Transcode' option and ESP are enabled. |
|
PD-9892 |
Fixed an issue preventing SNORT rules from being applied. |
|
PD-9889 |
Transparency is removed if the connection to the Real Server is part of a HTTP/2 connection. |
|
PD-9972 |
Edge Security Pack (ESP) group Common Name and Domain Name can be up to 127 characters long. |
|
PD-9898 |
Fixed an issue with configuration corruption that caused some GEO features to not function. |
|
PD-9865 |
Fixed issues that prevented automatic update of GEO IP blacklist rules. |
|
PD-9861 |
An ESP re-authentication is forced when a closed session is reopened after a user terminates without logging out. |
|
PD-9795 |
Fixed an issue that caused SAML response decoding to fail. |
|
PD-9770 |
Added more information to the ESP logs. |
|
PD-9761 |
Made enhancements to support a high number of connections. |
|
PD-9743 |
Fixed an issue relating to exporting a template for a Virtual Service that has content switching enabled with default rules. |
|
PD-9666 |
Fixed an issue with underscores in HTTP header name which is not handled by Apache server 2.4. |
|
PD-9633 |
Fixed an issue when using HTTP/1.1 to enable the port number to be used with Checkhost. |
|
PD-9517 |
Applied username normalization when permitted groups are configured to permit authentication. |
|
PD-9508 |
With ESP and SAML, the certificate in the SAML response must match the certificate assigned in the SAML SSO domain. This limits the solution to trusted certificates. |
|
PD-9470 |
Fixed an issue with LDAP Real Server health checks. |
|
PD-9453 |
Removed pinging of default gateway and nameserver in Azure because they are not supposed to work. |
|
PD-9359 |
Fixed an issue causing problems for some users authenticating to ESP. |
|
PD-9159 |
Fixed an issue causing traffic to the back-end to be blocked in certain scenarios when the Web Application Firewall (WAF) is enabled. |
|
PD-10107 |
Fixed an issue that caused WAF to be inactive upon first licensing in certain scenarios. |
|
PD-10089 |
Fixed an issue that caused WAF Process Responses to be inactive in certain situations. |
|
PD-10062 |
Improved error handling when there is an invalid FQDN in OCSP configuration. |
|
PD-9995 |
Fixed a client certificate issue preventing users from accessing SharePoint or OWA. |
|
PD-9908 |
Fixed an issue with ESP steering groups. |
|
PD-9903 |
Fixed an issue with multiple Network Interface Cards (NICs) on Azure Virtual LoadMasters and private IP addresses. |
|
PD-9869 |
Fixed an issue in Content Rules that caused a rule to be deleted if a 'white space' was the only thing in the 'replacement text' field. |
|
PD-9867 |
Fixed an issue preventing the global connection timeout from being honored on Virtual Services. |
|
PD-9857 |
Fixed a rare situation that caused HTTP/2 to crash when using 'RS drop on fail'. |
|
PD-9845 |
Improved compatibility for Arabic characters when generating local certificates. |
|
PD-9783 |
Fixed an issue causing the incorrect IP address to be displayed in the tool-tip text on High Availability (HA) icons. |
|
PD-9758 |
Fixed an issue preventing customers from editing or accessing Office files in SharePoint. |
|
PD-9747 |
Fixed an issue preventing HA from working with certificate authentication and KEMP 360. |
|
PD-9604 |
Fixed an import issue preventing Content Rules from being correctly applied to a SubVS. |
|
PD-9590 |
Improved the subscription expiry display date to be more accurate. |
|
PD-9657 |
The LoadMaster handles cipher names with special characters better. |
|
PD-9643 |
Fixed an issue in Azure to permit mapping of IP addresses and add the ability to change IP addresses if a match is not found. |
|
PD-9560 |
Improved error handling when clicking the shared IP address in HA mode. |
|
PD-9383 |
Improved error handling for special characters in passwords when working with KEMP 360. |
|
PD-8227 |
Fixed an issue preventing the addition of network/addresses in the GEO IP blacklist. |
|
PD-7157 |
Fixed an issue preventing users from attaching files when using OWA or SharePoint if WAF and Kerberos Constrained Delegation (KCD) are both enabled. |
|
PD-8413 |
Fixed an issue that caused an error if a wildcard port was in a template. |
|
PD-9489 |
Fixed an issue with the Application Program Interface (API) command to reset the CPU and network usage. |
|
PD-9963 |
Fixes made to the PowerShell API wrapper in relation to Activation Server Local (ASL) functionality and its interaction with KEMP 360. |
|
PD-9883 |
Improved error handling when creating Virtual Services with specific ports using the API. |
|
PD-9836 |
Improved compatibility in the RESTful API when using a Polish character set in passwords. |
|
PD-9781 |
Added missing parameters to the New-AdcContentRule and Set-AdcContentRule commands in the PowerShell API. |
|
PD-9779 |
Made the WUI and RESTful API consistent for the Client Authentication Mode ESP parameter. |
|
PD-9771 |
Fixed a situation that caused the RESTful API to report the wrong status for disabled/down Virtual Services. |
|
PD-9596 |
Fixed an issue causing the RESTful API to show an incorrect interface value in the showiface command output. |
|
PD-9360 |
Fixed an issue that caused a crash when restoring a LoadMaster backup with 'Type' All, Base, Base+VS and Base+Geo using the RESTful API. |
|
PD-9349 |
Fixed the PowerShell API wrapper command Get-AslLicenseType in relation to new ASL behavior. |
|
PD-7978 |
Fixed an issue with the PowerShell API command New-TlsHSMClientCertthat caused an error when the LoadBalancer and Credential/SubjectCN parameters were used. |
|
PD-9129 |
Fixed an issue with the response formatting in the API backup commands. |
Known Issues
|
PD-10980 |
A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. |
|
PD-8725 |
Proximity and Location Based scheduling does not work with IPv6 source addresses. |
|
PD-9765 |
GEO does not support DNS TCP requests from unknown sources. |
|
PD-10155 |
Issue with configuration corruption causes some GEO features not to function. |
|
PD-10392 |
Random reboots can occur on the master unit after upgrading the firmware to 7.2.39 and patching to 7.2.39.1 or 7.2.40. |
|
PD-10141 |
Service check interval configuration causes dropped connections. |
|
PD-10193 |
A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported. |
|
PD-10126 |
Issues with cache causes connection problems. |
|
PD-10086 |
When selecting the 'Use for Default Gateway' option on a new interface, access to the LoadMaster WUI is lost. However, there is still access to the LoadMaster using the local IP address. |
|
PD-10083 |
There is an issue displaying a large number of Virtual Services/SubVSs when using SNMP. |
|
PD-10080 |
Failover issues occur with bonded interfaces that are configured to use the default gateway. |
|
PD-10042 |
WAF statistics do not get reset on Virtual Service deletion. |
|
PD-10039 |
The HTTP/2 feature is only supported in the Internet Explorer (IE) browser. |
|
PD-9975 |
When testing LDAP-based users by using the Test AAA for User on the WUI Authentication and Authorization page, logs were not generated or visible in syslog. |
|
PD-9854 |
WAF does not support chunked transfer encoding on the POST body. |
|
PD-9764 |
The LoadMaster is unable to set up an IPsec tunnel to Azure classic/Azure Resource Manager (ARM) endpoints. |
|
PD-8697 |
Some users are having issues detecting the partition when using the Hardware Security Module (HSM). |
|
PD-10188 |
When adding a Real Server to a Virtual Service or SubVS on a Safari browser, the list of available Real Servers is not available. |
|
PD-10131 |
Problems attaching files in SharePoint when using WAF with process response enabled and Kerberos Constrained Delegation (KCD). |
|
PD-10159 |
When upgrading firmware from 7.1.35.x, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI. |
|
PD-10143 |
Access is denied when KCD, the WAF Process Responses option and the creditcard_track_pan rule are enabled. |
|
PD-9375 |
Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication. |
|
PD-10095 |
When L7 debugging is enabled, Virtual LoadMasters may reboot in certain situations. |
|
PD-7156 |
The VSIndex parameter is missing in some API commands. |
|
PD-9476 |
There is no RESTful API command to get/list the installed custom rule data files. |
|
PD-9525 |
The RESTful API returns the value of the failtime parameter in seconds, but it is set in minutes. |
|
PD-9539 |
There are issues with the PowerShell New-GeoCluster command in a specific scenario. |
|
PD-9553 |
There is no API command to disable secure NTP mode. |
|
PD-9570 |
There is a typo in the removecountry API response error message. |
|
PD-9572 |
There are discrepancies displaying the location latitude/longitude parameter values for some RESTful API commands. |