LoadMaster 7.2.45.0 Release Notes
Refer to the sections below for details about firmware version 7.2.45.0. This was released on 23rd January 2019.
New Features
The following new features were added to the 7.2.45.0 release:
- Added TLS 1.3 Support for Software SSL.
  - Supported on Virtual LoadMasters (VLMs) and hardware LoadMasters without SSL hardware acceleration cards.
  - As part of this implementation, OpenSSL has been upgraded to version 1.1.1.
- Created a new hard disk partitioning structure for hardware LoadMasters.
  - Previously, the LoadMaster Operating System (LMOS) did not make full use of all the hard disk capacity that was available. With these changes, all the available space on the hard disk is now accessible to the LMOS.
Feature Enhancements
- Added the ability to set and send the Remote Authentication Dial-In User Service (RADIUS) Network Access Server (NAS) identifier attribute in RADIUS requests.
  - The LoadMaster Web User Interface (WUI) and Application Programming Interfaces (REST and PowerShell APIs) now allow the setting and sending of the NAS-ID attribute in RADIUS requests for WUI Authorization and for Edge Security Pack (ESP) RADIUS Authentication.
- Added support for the new MaxMind GeoLite2 database.
  - The LoadMaster now supports the new MaxMind GeoLite2 database. The GeoLite Legacy database has been discontinued by MaxMind and is no longer supported from LoadMaster firmware 7.2.45.0 onwards.
- Added support for SFTP as an option for the LoadMaster Automated Backups feature.
  - SFTP can now be configured in the LoadMaster WUI as a backup method for Automated Backups. Options are also available to configure automated backups using SFTP with the REST and PowerShell APIs.
- The LoadMaster Disk Management capabilities have been enhanced.
  - Improvements have been made to the management of log files. Users now have greater control over log file management with the ability to download and delete individual log files. The logrotate utility has been made more robust.
- Updated OpenSSH from version 7.5p1 to 7.9p1.
  - This mitigates some security vulnerabilities, specifically CVE-2018-15473.
- Edge Security Pack (ESP) server-side token-based authentication with SAML-based client authentication.
  - When the LoadMaster Single Sign On (SSO) service receives the SAML response from the Identity Provider (IdP), the response is verified, and the user Id is retrieved from the assertion. The LoadMaster can then communicate with an authenticated service hosted on the authenticated server or Real Server (RS) to request a long-lived token for that user Id. The user Id, together with the token, is returned to the client, completing the authentication process. The client then knows the user Id and has a token that it can use to access selected services on the target RS.
Issues Resolved
PD-12392 | An issue where random LoadMaster reboots occur under high load on a Virtual Service configuration with Edge Security Pack (ESP) enabled has been fixed.
PD-12388 | Addressed a further vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management that allows a logged-in user to gain access to sensitive system data, thereby compromising the system. The expanded scope of this vulnerability covers additional cases of exploitation through the use of insecure WUI endpoints. These vulnerabilities have been addressed in this release. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
PD-12256 | Fixed error handling issues which resulted in a dropped stream on a HTTP/2-enabled VS configuration using compression.
PD-12246 | Fixed an issue that prevented the adding of a static route if an IPv6 IP was configured as an additional address.
PD-12235 | Corrected an issue which prevented some Web Application Firewall (WAF) rules from being displayed in the LoadMaster WUI.
PD-12232 | Fixed an issue which prevented the LoadMaster Historical Graphs from being displayed following a statistic reset operation.
PD-12221 | Fixed an issue where unrequested diagnostics were being displayed when HTTP/2 was enabled.
PD-12214 | Removed whitespace characters from the output of the RaidDisksInfo debug option for Disk Serial number and Disk Model name of the RAID Controller.
PD-12205 | Fixed the issue where the SNMP user password changes when editing SNMP configuration.
PD-12203 | Improved the GEO Nameserver Statistic output that is displayed from the System Log files WUI page.
PD-12202 | Real Server (RS) health check optimizations when using HTTP/1.1, where the health checks are multiplexed to a single connection, are only applicable to a HTTP connection and not to a HTTPS connection.
PD-12201 | Added consistency in the number of characters supported between the LoadMaster WUI and the Application Programming Interface (API) for the following configuration items in the Edge Security Pack (ESP) feature: Logoff String and Additional Authentication Header now both support 255 characters; SSO Domain and Alternative SSO Domains both support 64 characters.
PD-12148 | Fixed a kernel panic that occurred when the caching feature was enabled on a Virtual Service (VS).
PD-12102 | In a LoadMaster Edge Security Pack (ESP) configuration that uses an LDAP endpoint with LDAP Protocol set to LDAPS, the LoadMaster now uses the correct port (port 636) for communication.
PD-12097 | Removed the reference to the incorrect hard disk in the syslog message indicating the RAID disk rebuilding has completed.
PD-12084 | Corrected some inconsistencies in the description of LoadMaster SNMP MIB parameters.
PD-12077 | A validly-configured RADIUS user can now log in to the LoadMaster WUI with Session Management enabled or disabled.
PD-12070 | Previously, a GEO Cluster could be created without a name. This caused problems when selecting this cluster as part of the FQDN configuration, as the name would be a blank entry in the Cluster drop-down selection area. Now, if a name is not specified when creating a new GEO Cluster, the IP address is automatically used as the name.
PD-12062 | Added missing parameter syslognone to the Set-LogSyslogConfiguration PowerShell cmdlet.
PD-12045 | The error message displayed for exceeding the maximum allowed characters for the Allowed Virtual Directories configuration item under ESP Options when configuring a VS has been improved and is now more informative.
PD-12000 | Added the parameter ldapephc to REST and PowerShell APIs to allow the setting of the Use LDAP Endpoint for Healthcheck WUI configuration item for an ESP SSO domain.
PD-11966 | For a VS created with the Extra Ports configuration item set under Standard Options, the ability to add a SubVS is now available.
PD-11939 | The API parameter for setting the Allowed Virtual Directories in ESP Options for a VS and in the LoadMaster WUI now both accept up to 254 characters.
PD-11892 | The error message displayed on the LoadMaster WUI for uploading a WAF template on a non-WAF enabled LoadMaster has been made more informative.
PD-11823 | Previously, the Include Nested Groups WUI configuration item in ESP Options was only applicable for Permitted groups. Now, this check is also applicable for Steering groups.
PD-11818 | Improved the API error message when adding a VS with an invalid IP on the AWS platform.
PD-11767 | In a LoadMaster configuration with ESP enabled and Server Side Authentication set to Forms Based, a user with incorrectly formatted login credentials will fail to log in, but on the second attempt the login credentials now get correctly normalized to use the configured domain to allow successful login.
PD-11757 | Previously, when ESP Client Authentication Mode was set to Client Certificate, the WAF feature could be enabled. However, this is not a supported configuration and is now not permitted.
PD-11253 | Added a REST and PowerShell API parameter AddToAllSubvs to allow a Real Server (RS) to be added to all SubVSs. This new parameter was added to the PowerShell command New-AdcRealServer and to the REST command addrs.
PD-10627 | In a clustered LoadMaster configuration, it is now possible to disable and delete a down/failed node from the cluster. These actions can now be performed from the WUI and using the REST and PowerShell API commands.
PD-10363 | The PowerShell API parameters for ServerFbaPath and ServerFBAPPost have been added.
PD-9553 | A user can disable secure NTP by setting the REST API parameter ntpkeysecret to an empty string.
PD-7156 | Added the vsindex parameter to the following REST API commands: listlistvs, addaddvs, deldelvs; and to the following PowerShell API commands: Get-VSPacketFilterACL, New-VSPacketFilterACL and Remove-VSPacketFilterACL.
Known Issues
PD-12876 | GSLB functionality in Azure may not work.
PD-12869 | When a UDP VS is configured, some unusual debug logs are generated.
PD-12861 | In a LoadMaster cluster configuration, if a non-admin cluster node is marked as down and if the admin node in the cluster is rebooted, the down cluster node can never be disabled.
PD-12836 | When an additional static route is added to an interface, the netmask gets defaulted to /64.
PD-12828 | Failures occur when running read/write commands to a Real Server with caching and compression features enabled on the LoadMaster.
PD-12773 | The RC4 cipher sets are not available for selection.
PD-12609 | Any LoadMaster certificate backup file created on firmware version 7.2.45.0 cannot be restored on any LoadMaster. A workaround is available - open a ticket with KEMP Customer Support if you require assistance.
PD-12578 | When an Edge Security Pack (ESP) Single Sign On (SSO) Domain/Realm name is specified in an SSO Domain configuration, the authenticating user is being incorrectly normalized to the Domain Name initially set when adding the SSO Domain.
PD-12450 | Log partition Disk Usage on the LoadMaster WUI under Statistics >> Real Time Statistics is not available when using the REST or PowerShell API commands.
PD-12443 | In rare situations, when the Enable HTTP/2 Stack configuration item under Advanced Properties of a Virtual Service configuration has been selected, the LoadMaster may encounter an unexpected reboot.
PD-12424 | Special characters for LDAP String Representation of Search Filters are not currently supported on the LoadMaster.
PD-12357 | WUI Multi-Interface access does not work on any port other than the default port 443.
PD-12354 | The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12058 | An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.
PD-11861 | IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.
PD-11166 | Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.
PD-11044 | A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-11024 | The WUI is not accessible on NIC-1 from a non-local subnet.
PD-10970 | If a template is exported from an older version of the LoadMaster and it contains an improper string, a newer LoadMaster cannot import it.
PD-10917 | An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.
PD-10784 | Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.
PD-10586 | If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10572 | The extended log view fails when the selected range is in different years.
PD-10490 | The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 | A SNORT rule is triggering a false positive in certain scenarios.
PD-10466 | The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF).
PD-10193 | A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 | When adding a Real Server to a Virtual Service or SubVS using a Safari browser, the list of available Real Servers is not available.
PD-10159 | When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136 | In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.
PD-10129 | There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.
PD-9947 | Virtual Services/Real Servers can report as "up" in the API, even if the SubVSs are disabled.
PD-9854 | WAF does not support chunked transfer encoding on the POST body.
PD-9816 | There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 | GEO does not support DNS TCP requests from unknown sources.
PD-9507 | Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9476 | There is no RESTful API command to get/list the installed custom rule data files.
PD-9375 | Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.
PD-8853 | GEO Location Based failover does not work as expected.
PD-8725 | GEO Proximity and Location Based scheduling do not work with IPv6 source addresses.
PD-8697 | Some users are experiencing issues when trying to configure a Hardware Security Module (HSM) device.