12.1.0 Changelog

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search


12.1 is a major new release. 12.1 has major admin interface innovations and continued improvements on the new dashboard and responsiveness of the admin interface. It also adds geolocation functionality, better reports, and improved performance.

Admin Interfaces

In 12.0 the user interface was drastically changed. This is a part of an ongoing effort to simplify and modernize the admin interface and make administration through PCs, tablets, phones, and the cloud all possible. In 12.1 this effort continued with even more changes.

The first major change you will notice is the new login page and new navigation changes. 12.0 had both a left hand navigation menu and a top bar. 12.1 has only a top navigation menu. This is a much better option for a responsive UI as the top menu will adjust dynmically for the width of the display area.


The administration interface on a Galaxy S5:

Apps - Galaxy S5 phone view

The second major change is a new charting/graphing implementation. The new charts are better looking, faster, and have better functionality. This includes being able to zoom in and out, better smoothing, as well as dynamically resized bar charts. We also include several new types of charts like stacked bars and area charts.

New Charts

The dashboard has been greatly improved. The configuration on the dashboard is now much simpler. Admins can now easily add their favorite reports to the dashboard with one easy button. There are several new very useful widgets such as the "Network Layout."

New Dashboard

The setup wizards are now also responsive and usable via a phone or tablet.


The reports settings administration has been slightly reorganized.

The reports navigation has been reimplemented. It is now completely responsive so reports can be viewed on a tablet or phone. It is also much more usable on a PC with better use of real-estate and easier navigation.


The same page viewed from a Galaxy S5:

Reports on Galaxy S5 phone

Event entries and Report entries are no longer two separate entities. Event lists are now just a type of Report Entry. Additionally you can now create custom Event list report entries. For example, There is an existing "Blocked Web Events" event list report entry in Web Filter and you can add a "Jimmy's Blocked Web Events" that shows only Jimmy's blocked web events. Like any report entry, you can add arbitrary conditions an any attribute (client, hostname, username, interface, domain, site, policy, etc).

12.1 also adds a "session_minutes" table. Similar to sessions this stores all sessions, but has one row for every minute each session is alive and some byte stats about the session during that minute. "sessions" has one row per session, but "session_minutes" would have 5 rows for a given session if that session was alive for 5 minutes. This allows the behavior of an individual session over its lifetime to be tracked. Previously we used the session creation time to group data. While accurate it provides a poor view of bandwidth over time on a small scale, especially for long lived session. The new table allows for us to view bandwidth usage and behavior over time much more accurately and still be queryable/sliceable by any attribute like other reports.

For example, this graphs shows bandwidth usage by host and application respectively.

Top Hostnames Bandwidth Usage
Top Applications Bandwidth Usage

In the above example you can see traffic behavior by the minutes, which allows us to easily spot that the big hump is a large bittorrent download by host "dmorris-PC" and the second part is someone on host "linuxhead" watching a youtube video.


All sessions' IPs are now run through a geolocation lookup and attached to the session. You can view geolocation data in the session viewer. Sessions now have new geo attributes: client_latitude, client_longitude, client_country, server_latitude, server_longitude, server_country. Rules can now be created using geolocation data, and additionally this data can now be queried or displayed in reports so users can see when and where data is flowing.

To analyze that above bittorrent download, you can see that data was coming from all over the world.

Top Countries Bandwidth Usage


UDP layer-7 processing is very expensive. We added a "dynamic bypass" function for UDP such that if all layer-7 applications "release" interest in the session, the data will be passed at layer 3. For example, if you have only Application Control installed, once it has identified with certainty the application of a given UDP session, it will "release" the session. Once all applications release interest no more layer-7 scanning will occur and the data is passed at layer-3 without sending the data to userspace. This provides a massive speedup for UDP processing which will help on big and small sites alike.

We also officially switch to java 8 (OpenJDK) and the G1 garbage collector which should further improvement efficiency and performance.

Certificate Management

Certificate management in Config > Administration > Certificates has been redesigned. You can now upload certificates to a list and choose which services will use the provided certificate. This should simplify the daunting task of reconfiguring the certificates on Untangle to suit all the different scenarios.


Added support for IKEv2. This is for admins with iOS devices that want to use forced on-demand VPN with certificate-based authentication.

Bandwidth Control

Now all sessions (even bypassed session) are counted against a quota. Quotas are now computed every 60 seconds as a periodic task. If a client exceeds a quota, the client will only be marked as having exceeded the quota at the next 60 second processing.

Google / Facebook Authentication

Directory Connector now has the ability to authenticate google and facebook accounts. This is useful for those that wish to authenticate captive portal users with their google or facebook accounts. Like any directory service, once a user logs in with their google/facebook account, the username for that specific host is set and all reports will contain the related google/facebook username.


This functionality is experimental. It does not use the official OAUTH API because when accessing captive portal, the user does not yet have access to the internet. It uses an unofficial API technique to authenticate usernames. Google and/or Facebook may block authentication at any time without notice. This technique also requires lots of memory and processing power on the server itself.

Minor Changes

  • Like "devices", "hosts" are now also saved on disk so they are remembered after a reboot.
  • Added the ability to download language packs directly in the administration interface.
  • Added ability to customize which administrators and/or reports users get alerts and report summary emails.
  • Changed WAN Balancer to choose WAN based on source/destination hash and weight (so sessions between two hosts are sticky to a WAN)
  • Upgraded the snort version for Intrusion Prevention
  • Fix issue with rules specifying multiple MAC addresses
  • Fixed some wireless issues with "Auto" channel selection on some cards
  • Fixed some internationalization issues
  • Fixed issues with dynamic time charts not supporting conditions
  • The root password hash is now saved in settings so it will be set during a restore.
  • We now log "http_referrer" in the "http_events" table so you can see which web requests had a referrer and which did not.
  • Added "policy_rule_id" to each session so reports can show which policy rule matched which session.
  • added support for more 3-level country domains.