LoadMaster 7.2.45.0 Release Notes

Refer to the sections below for details about firmware version 7.2.45.0. This was released on 23rd January 2019. 

New Features

The following new features were added to the 7.2.45.0 release:

  • Added TLS 1.3 Support for Software SSL.
    • Supported on Virtual LoadMasters (VLMs) and hardware LoadMasters without SSL hardware acceleration cards.
  • Created a new hard disk partitioning structure for hardware LoadMasters.
    • Previously, the LoadMaster Operating System (LMOS) did not make full use of all the hard disk capacity that was available. With these changes, all the available space on the hard disk is now accessible to the LMOS. 

Feature Enhancements

  • Added the ability to set and send the Remote Authentication Dial-In User Service (RADIUS) Network Access Server (NAS) identifier attribute in RADIUS requests.
    • The LoadMaster Web User Interface (WUI) and Application Programming Interfaces (REST and PowerShell APIs) now allow the NAS-ID attribute to be set and sent in RADIUS requests for WUI Authorization and for Edge Security Pack (ESP) RADIUS Authentication.
  • Added support for new MaxMind GeoLite2 database.
    • The LoadMaster now supports the new MaxMind GeoLite2 database. The GeoLite Legacy database has been discontinued by MaxMind and is no longer supported on LoadMaster firmware 7.2.45.0 onwards.
  • Added support for SFTP as an option for LoadMaster Automated Backups feature.
    • SFTP can now be configured in the LoadMaster WUI as a backup method for Automated Backups. Options are also available to configure automated backups using SFTP with the REST and PowerShell APIs.
  • The LoadMaster Disk Management capabilities have been enhanced.
    • Improvements have been made to the management of log files. Users now have greater control over log file management with the ability to download and delete individual log files. The logrotate utility has been made more robust.
  • Updated OpenSSH from version 7.5p1 to 7.9p1.
    • This mitigates some security vulnerabilities, specifically CVE-2018-15473.
  • Edge Security Pack (ESP) server-side token-based authentication with SAML-based client authentication.
    • When the LoadMaster Single Sign On (SSO) service receives the SAML response from the Identity Provider (IdP), the response is verified, and the user Id is retrieved from the assertion. The LoadMaster can then communicate with an authenticated service hosted on the authenticated server or Real Server (RS) to request a long-lived token for that user Id. The user Id, together with the token, is returned to the client completing the authentication process. The client then knows the user Id and has a token that it can use to access selected services on the target RS.

Issues Resolved

PD-12392

An issue where random LoadMaster reboots occur under high load on a Virtual Service configuration with Edge Security Pack (ESP) enabled has been fixed.

PD-12388

Addressed a further vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management that allows a logged-in user to gain access to sensitive system data, thereby compromising the system.

The expanded scope of this vulnerability covers additional cases of exploitation through the use of insecure WUI endpoints. These vulnerabilities have been addressed in this release. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.

PD-12256

Fixed error handling issues which resulted in a dropped stream on a HTTP/2-enabled VS configuration using compression.

PD-12246

Fixed an issue that prevented the adding of a static route if an IPv6 IP was configured as an additional address.

PD-12235 

Corrected an issue which prevented some Web Application Firewall (WAF) rules from being displayed in the LoadMaster WUI.

PD-12232

Fixed an issue which prevented the LoadMaster Historical Graphs from being displayed following a statistic reset operation.

PD-12221

Fixed an issue where unrequested diagnostics were being displayed when HTTP/2 was enabled.

PD-12214

Removed whitespace characters from the output of the RaidDisksInfo debug option for Disk Serial number and Disk Model name of the RAID Controller.

PD-12205

Fixed the issue where the SNMP user password changes when editing SNMP configuration.

PD-12203

Improved the GEO Nameserver Statistic output that is displayed from the System Log files WUI page.

PD-12202

Real Server (RS) health check optimizations when using HTTP/1.1, where the health checks are multiplexed to a single connection, are only applicable to HTTP connections and not to HTTPS connections.

PD-12201

Made the number of characters supported consistent between the LoadMaster WUI and the Application Programming Interface (API) for the following configuration items in the Edge Security Pack (ESP) feature: Logoff String and Additional Authentication Header now both support 255 characters, and SSO Domain and Alternative SSO Domains both support 64 characters.

PD-12148

Fixed a kernel panic that occurred when the caching feature was enabled on a Virtual Service (VS).

PD-12102

In a LoadMaster Edge Security Pack (ESP) configuration that uses an LDAP endpoint with LDAP Protocol set to LDAPS, the LoadMaster now uses the correct port (port 636) for communication.

PD-12097

Removed the reference to the incorrect hard disk in the syslog message indicating the RAID disk rebuilding has completed.

PD-12084

Corrected some inconsistencies in the description of LoadMaster SNMP MIB parameters.

PD-12077

A validly configured RADIUS user can now log in to the LoadMaster WUI with Session Management enabled or disabled.

PD-12070

Previously, a GEO Cluster could be created without a name. This caused problems when selecting this cluster as part of the FQDN configuration as the name would be a blank entry in the Cluster drop down selection area.

Now, if a name is not specified when creating a new GEO Cluster, the IP address is automatically used as the name.

PD-12062

Added missing parameter syslognone to the Set-LogSyslogConfiguration PowerShell cmdlet.

PD-12045

The error message displayed for exceeding the maximum allowed characters for the Allowed Virtual Directories configuration item under ESP Options when configuring a VS has been improved and is now more informative.

PD-12000

Added the parameter ldapephc to REST and PowerShell APIs to allow the setting of the Use LDAP Endpoint for Healthcheck WUI configuration item for an ESP SSO domain.

PD-11966

For a VS created with the Extra Ports configuration item set under Standard Options, the ability to add a SubVS is now available.

PD-11939

The API parameter for setting the Allowed Virtual Directories in ESP Options for a VS and in the LoadMaster WUI now both accept up to 254 characters.

PD-11892

The error message displayed on the LoadMaster WUI for uploading a WAF template on a non-WAF enabled LoadMaster has been made more informative.

PD-11823

Previously, the Include Nested Groups WUI configuration item in ESP Options was only applicable for Permitted groups.

Now, this check is also applicable for Steering groups.

PD-11818

Improved the API error message when adding a VS with an invalid IP on the AWS platform.

PD-11767

In a LoadMaster configuration with ESP enabled and Server Side Authentication set to Forms Based, a user with incorrectly formatted login credentials will fail to log in, but on the second attempt the login credentials are now correctly normalized to use the configured domain, allowing a successful login.

PD-11757

Previously, when ESP Client Authentication Mode was set to Client Certificate, the WAF feature could be enabled. However, this is not a supported configuration and is now not permitted.

PD-11253

Added a REST and PowerShell API parameter AddToAllSubvs to allow a Real Server (RS) to be added to all SubVSs. This new parameter was added to the PowerShell command New-AdcRealServer and to the REST command addrs.

PD-10627

In a clustered LoadMaster configuration it is now possible to disable and delete a down/failed node from the cluster. These actions can now be performed from the WUI and using the REST and PowerShell API commands.

PD-10363

The PowerShell API parameters for ServerFbaPath and ServerFBAPPost have been added.

PD-9553

A user can disable secure NTP by setting the REST API parameter ntpkeysecret to an empty string.

PD-7156

Added the vsindex parameter to the following REST API commands: listlistvs, addaddvs, deldelvs, and to the following PowerShell API commands: Get-VSPacketFilterACL, New-VSPacketFilterACL and Remove-VSPacketFilterACL.

 

Known Issues

PD-12609

Any LoadMaster certificate backup file created on firmware version 7.2.45.0 cannot be restored on any LoadMaster.

A workaround is available - open a ticket with KEMP Customer Support if you require assistance.

PD-12578

When an Edge Security Pack (ESP) Single Sign On (SSO) Domain/Realm name is specified in an SSO Domain configuration, the authenticating user is incorrectly normalized to the Domain Name initially set when adding the SSO Domain.

PD-12450

Log partition Disk Usage on the LoadMaster WUI under Statistics >> Real Time Statistics is not available when using the REST or PowerShell API commands.

PD-12443

In rare situations, when the Enable HTTP/2 Stack configuration item under Advanced Properties of a Virtual Service configuration has been selected, the LoadMaster may encounter an unexpected reboot.

PD-12424

Special characters for LDAP String Representation of Search Filters are not currently supported on the LoadMaster.

PD-12357

WUI Multi-Interface access does not work on any port other than the default port 443.

PD-12354

The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).

PD-12058

An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.

PD-11861

IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.

PD-11166

Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.

PD-11044

A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.

PD-11024

The WUI is not accessible on NIC-1 from a non-local subnet.

PD-10970

If a template is exported from an older version of the LoadMaster and it contains an improper string, a newer LoadMaster cannot import it.

PD-10917

An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.

PD-10784

Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.

PD-10586

If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.

PD-10572

The extended log view fails when the selected range is in different years.

PD-10490

The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10474

A SNORT rule is triggering a false positive in certain scenarios.

PD-10466

The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF).

PD-10193

A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10188

When adding a Real Server to a Virtual Service or SubVS using a Safari browser, the list of available Real Servers is not available.

PD-10159

When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10136

In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.

PD-10129

There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.

PD-9947

Virtual Services/Real Servers can report as "up" in the API, even if the SubVSs are disabled.

PD-9816

There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-9765

GEO does not support DNS TCP requests from unknown sources.

PD-9507

Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9476

There is no RESTful API command to get/list the installed custom rule data files.

PD-9375

Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-8853

GEO Location Based failover does not work as expected.

PD-8725

GEO Proximity and Location Based scheduling do not work with IPv6 source addresses.

PD-8697

Some users are experiencing issues when trying to configure a Hardware Security Module (HSM) device.

 

 

 

 
