16.0 Changelog

From Edge Threat Management Wiki - Arista
Latest revision as of 15:46, 3 May 2022

Overview

16.0.1 is a major release containing the new WireGuard VPN application, UEFI support, and many improvements and bug fixes. A minor package change late in testing caused the release to ship with the 16.0.1 version number. Previous 15.1.x releases upgrade directly to 16.0.1.

WireGuard

WireGuard is a very simple, yet fast and modern VPN technology that uses state-of-the-art cryptography. It can be used in both site-to-site environments and with mobile devices. Learn more about the WireGuard app on the WireGuard VPN wiki page.

Roaming

Creating a tunnel profile for a WireGuard client is as simple as providing a description. The public and private keys are generated automatically when the tunnel information is saved. On the client device, either scan the QR code or paste the profile details into the WireGuard client to configure the tunnel. Because the exported profile contains the client's private key, treat the QR code and the profile text as a secret and deliver it to the device over a trusted channel.

Tunnels

Creating site-to-site tunnels to other NG Firewall appliances is as simple as copying the tunnel configuration from one endpoint and pasting it into the other; each side only needs the other side's public key, tunnel address and allowed networks.
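The following is an added example, not code from NG Firewall or the WireGuard project. It shows what the copy-and-paste step above relies on: the PublicKey in each appliance's [Peer] block is derived (X25519 over Curve25519, RFC 7748) from the other appliance's private key, so pasting the wrong key on either side breaks the pair silently. The script generates two keypairs the same way `wg genkey` does (32 random bytes), renders a standard WireGuard config for each site, and checks that the two rendered configs are mutually consistent. Site names, subnets, hostnames (`.invalid`) and the port are constructed for illustration; the pure-Python X25519 is included so it runs offline.

```python
import base64
import os

# X25519 (RFC 7748): the Diffie-Hellman function WireGuard keys are used with.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder; returns the 32-byte u-coordinate of scalar * u."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def render_side(me: dict, peer: dict, psk: bytes) -> str:
    """One appliance's config. The [Peer] block is what is pasted across
    from the other side; the PrivateKey never leaves this appliance."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {b64(me['private'])}",
        f"Address = {me['tunnel_ip']}",
        f"ListenPort = {me['port']}",
        "",
        "[Peer]",
        f"PublicKey = {b64(public_key(peer['private']))}",
        f"PresharedKey = {b64(psk)}",
        f"AllowedIPs = {peer['tunnel_ip'].split('/')[0]}/32, {peer['lan']}",
        f"Endpoint = {peer['host']}:{peer['port']}",
        "PersistentKeepalive = 25",
    ]) + "\n"


def build_site_to_site() -> tuple:
    """Constructed two-site scenario; hostnames and subnets are made up."""
    site_a = dict(private=os.urandom(32), tunnel_ip="10.99.0.1/24", port=51820,
                  lan="192.168.1.0/24", host="site-a.example.invalid")
    site_b = dict(private=os.urandom(32), tunnel_ip="10.99.0.2/24", port=51820,
                  lan="192.168.2.0/24", host="site-b.example.invalid")
    psk = os.urandom(32)
    return render_side(site_a, site_b, psk), render_side(site_b, site_a, psk)


def parse(cfg: str) -> dict:
    """Minimal INI-style parser for the WireGuard config format."""
    sections, cur = {}, None
    for line in cfg.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            cur = line.strip("[]")
            sections[cur] = {}
        else:
            key, _, val = line.partition("=")
            sections[cur][key.strip()] = val.strip()
    return sections


def verify_pair(cfg_a: str, cfg_b: str) -> list:
    """Mismatches between two pasted site-to-site configs (empty = consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for mine, theirs, name in ((a, b, "A"), (b, a, "B")):
        priv = base64.b64decode(mine["Interface"]["PrivateKey"])
        if theirs["Peer"]["PublicKey"] != b64(public_key(priv)):
            problems.append(f"{name}: other side's PublicKey is not derived from {name}'s PrivateKey")
        tunnel_ip = mine["Interface"]["Address"].split("/")[0]
        allowed = [s.strip() for s in theirs["Peer"]["AllowedIPs"].split(",")]
        if f"{tunnel_ip}/32" not in allowed:
            problems.append(f"{name}: tunnel address {tunnel_ip} missing from other side's AllowedIPs")
    if a["Peer"].get("PresharedKey") != b["Peer"].get("PresharedKey"):
        problems.append("PresharedKey differs between the two sides")
    return problems


if __name__ == "__main__":
    cfg_a, cfg_b = build_site_to_site()
    print(cfg_a)
    print("consistent:", verify_pair(cfg_a, cfg_b) == [])
    # Paste mistake: site B pasted its own public key instead of site A's.
    pa, pb = parse(cfg_a), parse(cfg_b)
    broken_b = cfg_b.replace(pb["Peer"]["PublicKey"], pa["Peer"]["PublicKey"])
    print("after bad paste:", verify_pair(cfg_a, broken_b))
```

Running the check against real appliance exports works the same way: paste each side's rendered configuration into `verify_pair` and any swapped, truncated or re-pasted key shows up as a named mismatch instead of a tunnel that never completes its handshake.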

UEFI

You can now install NG Firewall in UEFI boot mode on most modern platforms, in addition to legacy BIOS.

IPsec

Failover

If you use WAN Failover, you can now specify "Active WAN" as the local interface. When the primary WAN fails over, IPsec tunnels reconnect using the new link. On the remote endpoint, there is a new option to allow the incoming tunnel connection from any address. Note that with this option the remote endpoint no longer matches on the peer's source address, so authentication of the tunnel rests entirely on the configured shared secret or certificate.

Better performance

IPsec now uses AES-GCM as the default cipher, resulting in a significant performance boost: AES-GCM is an authenticated-encryption mode that provides confidentiality and integrity in a single pass, and it benefits from hardware AES acceleration where available.

Improved reliability

The mechanism to detect the tunnel status has been improved, resulting in better reliability of IPsec tunnels.

Remote GUI over IPsec tunnel

Added the ability to access the remote NG Firewall's administration UI over the IPsec tunnel.

General VPN Improvements

Tunnel Persistence

Active OpenVPN and IPsec tunnels are not affected by configuration changes such as adding a new tunnel.

Automatic LAN configuration

If you change the IP address of a LAN interface, this change will propagate to WireGuard, OpenVPN, and IPsec tunnels.

Threat Prevention

Threat lookup

The Threat Lookup tool now shows the results from both "client" and "server" reputation values. Prior to this release, the lookup returned only the server reputation.

Custom block actions

You can now redirect the user to an external block page URL or you can choose to block the connection without redirecting the user to a block page.

Pass Sites

You can now create exceptions for IP addresses and URLs without having to create individual rules for each item.

Other

  • Numerous performance improvements have been made to reporting and HTTP traffic processing.
  • Admin UI now operates on applicable interface aliases.
  • SSL Inspector now supports TLS 1.3.
  • Under Config, System, the new Logs tab allows you to better control disk space used by logs by specifying retention.
  • Report retention can now be configured at an hourly resolution.
  • Event reports can now export what is displayed or the entire table.
  • Web event reports now have the host field before the URI field.
  • Remote syslog events are no longer cut off at a certain size limit.
  • Disk space now uses a more accurate calculation.
  • Fixed issues when exporting JSON content columns.
  • Fixed: L2TP local directory authentication failed after deleting IPsec tunnels.
  • Fixed: removing a remote server from OpenVPN did not close the connection.
  • Better error messaging on OSPF configuration issues.
  • Fixed a race condition in Policy Manager rules on upgrade.
  • Large log directories are now parsed correctly.
  • Root certificates can now be uploaded.
  • Strong cryptography (SHA-512) is now enforced for credentials.

System Requirements and Technical Notes

  • 32-bit upgrades will no longer be provided from 16.1 onwards.
  • The software appliance installer for USB disks now uses the ISO file format, the same as for CD media. Therefore, as of 16.0 the IMG file download is no longer necessary and removed from the download page.
  • The WireGuard app is not available for cloud deployments (Amazon Web Services or Microsoft Azure). AWS and Azure deployments will update to version 16.0.1 if automatic updates are on, but the WireGuard app will not be included in that update.
  • Ports 80 and 443 are now reserved on all IP Addresses, including aliases. This means that port forwarding on TCP ports 80 and 443 are not functional unless the services are moved to alternate ports. Additional considerations regarding service ports are described in the Knowledge Base article What happens when I change my service ports?.