ACOS 4.1.4-GR1 GUI 1.0.

0
Release Notes
for A10 Thunder® Series and AX™ Series
27 December 2018
© 2018 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking pro-
visions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all
Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking

TRADEMARKS
A10 Networks trademarks are listed at:

https://www.a10networks.com/company/legal-notices/a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be dis-
closed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confi-
dential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this docu-
ment or available separately. Customer shall not:

1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any means.
2. Sub-license, rent, or lease the Software.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fit-
ness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate,
but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this
publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be
available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and
services are subject to A10 Networks’ standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufac-
turer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can
be found by visiting www.a10networks.com.
Table of Contents

New Features and Enhancements ................................................................................................ 5

Prerequisite.............................................................................................................................5
New Features and Enhancements in the ACOS 4.1.4-GR1 GUI 1.0.0 Release Version ......5
Send TCP Reset for Invalid IPv6 Packets on GiFW ................................................................................6
SSLi Connection Buffering During Certificate Fetching and Forging .................................................6
Enhanced GUI for DNS Response Rate Limiting (RRL) ........................................................................7
Customizable Response Codes on Blocking HTTP Requests ............................................................7
DNS64 Support on Thunder 14045 ...........................................................................................................8
IPv6 Prefix User Quota Support on Thunder 14045 ..............................................................................8
Security Menu Enabled on Thunder 14045 .............................................................................................8

Issues and Limitations ................................................................................................................. 9

Overview..................................................................................................................................9
Fixed and Known Issues or Limitations in ACOS 4.1.4-GR1 GUI 1.0.0................................9

page 3
ACOS 4.1.4-GR1 GUI 1.0.0 Release Notes
Contents

page 4
Feedback ACOS 4.1.4-GR1 GUI 1.0.0 Release Notes

New Features and Enhancements

This chapter describes about the new features and the latest enhancements in the ACOS 4.1.4-GR1 GUI 1.0.0
release version.

The following topics are covered in this chapter:

• Prerequisite

• New Features and Enhancements in the ACOS 4.1.4-GR1 GUI 1.0.0 Release Version

Prerequisite
The ACOS 4.1.4-GR1 GUI 1.0.0 Onbox GUI image requires the ACOS release ACOS 4.1.4-GR1 image.

New Features and Enhancements in the ACOS 4.1.4-GR1

GUI 1.0.0 Release Version
The following is a list of new features and enhancements in the ACOS 4.1.4-GR1 GUI 1.0.0 release version:

• Send TCP Reset for Invalid IPv6 Packets on GiFW

• SSLi Connection Buffering During Certificate Fetching and Forging

• Enhanced GUI for DNS Response Rate Limiting (RRL)

• Customizable Response Codes on Blocking HTTP Requests

• DNS64 Support on Thunder 14045

• IPv6 Prefix User Quota Support on Thunder 14045

• Security Menu Enabled on Thunder 14045

Feedback page 5
ACOS 4.1.4-GR1 GUI 1.0.0 Release Notes
FeedbackFFe
New Features and Enhancements in the ACOS 4.1.4-GR1 GUI 1.0.0 Release Version ee

Send TCP Reset for Invalid IPv6 Packets on GiFW

ACOS now supports the ability to send a TCP reset for invalid IPv6 packets. In prior releases, invalid IPv6 packets
could be dropped, but not reset. This may be helpful if, for example, the GiFW receives an invalid IPv6 TCP packet
attempting to start a new session, but missing the requisite SYN flag.

To configure this feature, navigate to Security > Firewall > Configure > Settings, and select the TCP Reset
on Error Outbound checkbox.

SSLi Connection Buffering During Certificate Fetching and Forging

In the earlier SSLi deployments for new connections, when a server certificate fetch request was sent to a server,
the incoming new SSLi connection requests to the same server were either bypassed or reset (based on configu-
ration) till the time the server certificate was forged and ready.

However, this behavior may cause a security breach especially during the initial connections, when a cache certif-
icate is expired and all subsequent connections were either reset or bypassed till a new forged certificate was
ready.

As a solution to this issue, there is a new configuration option available in the client-SSL template, where you are
able to buffer all the new connections to a server till the time the forged certificate is ready.

In case of an SSLi deployment with OSCP and CRL implemented, the new connections are buffered till a verifica-
tion result response is received from the server.

The default option for this SSLi configuration is to bypass all the new connections.

Hence, in order to buffer the new connections from a server, the SSLi connection buffer option must be enabled
either through the ACOS CLI or ACOS GUI.

NOTE: For more information, see SSLi Configuration Guide.

page 6
 ACOS 4.1.4-GR1 GUI 1.0.0 Release Notes
Feedback
New Features and Enhancements in the ACOS 4.1.4-GR1 GUI 1.0.0 Release Version

Enhanced GUI for DNS Response Rate Limiting (RRL)

Several new GUI options have been added to the DNS templates page. The new DNS Response Rate Limiting
(RRL) feature helps prevent your network equipment (DNS authoritative servers) from becoming unwanted par-
ticipants in a DNS reflection or DNS amplification attack.

These options are accessible through the ADC > Templates > L7 menu. Navigate to Create > DNS, and then
select the DNS Response Rate Limiting checkbox at the bottom of the page.

From here, you can configure the options needed to enable DNS Response Rate Limiting (RRL).

In addition, you can set limits around the amount of memory consumed during a DNS reflection attack by navi-
gating to ADC > SLB > Global.

To configure this option, select the DNS Response Rate Limiting checkbox and specify the desired value in
the Max Table Entries field.

Customizable Response Codes on Blocking HTTP Requests

In the earlier implementations for explicit and transparent proxies, a response code of either 200 or 403 was
returned for blocked traffic, except when blocking HTTPS requests in a transparent proxy deployment.

The following is a list of the original behavior for explicit proxy deployments:

• For blocking HTTP requests: 200 status code

• For blocking HTTPS requests: 403 status code *HTTP header check on CONNECT method

The following is a list of the original behavior for transparent proxy deployments:

• For blocking HTTP requests: 200 status code

• For blocking HTTPS requests: TCP Reset *SNI header check

Starting from ACOS 4.1.4-GR1, the standard status codes are configurable for blocking HTTP and HTTPS traffic
for explicit proxy and for blocking HTTP traffic for transparent proxy.

The feature is supported only with the drop-message option for forward policy in an SLB template. The configu-
rable response code can be any integer between 100 to 599. The SLB template must then be associated with a
virtual server.

The following is a list of the new behavior for explicit proxy deployments:

• For blocking HTTP requests: Configurable (default 200)

• For blocking HTTPS requests: Configurable (default 403) *HTTP header check on CONNECT method

The following is a list of the new behavior for transparent proxy deployments:

page 7
ACOS 4.1.4-GR1 GUI 1.0.0 Release Notes
FeedbackFFe
New Features and Enhancements in the ACOS 4.1.4-GR1 GUI 1.0.0 Release Version ee

• For blocking HTTP requests: Configurable (default 200)

• For blocking HTTPS requests: TCP RST *SNI header check page

You can configure the option in both ACOS GUI and CLI.

NOTE: For more information, see Application Delivery and Server Load Balancing Guide.

DNS64 Support on Thunder 14045

Starting from ACOS 4.1.4-GR1, DNS64 is supported on Thunder 14045. The DNS64 options are accessible
through the CGN > DNS64 menu.

NOTE: For more information on DNS64, see IPv4-to-IPv6 Transition Solutions Guide.

IPv6 Prefix User Quota Support on Thunder 14045

Starting from ACOS 4.1.4-GR1, the IPv6 prefix user quota prefix is supported on Thunder 14045. The IPv6 prefix
user quota option is accessible through the CGN > NAT64 menu. In the NAT64 page, scroll down to configure
User Quote Prefix Length.

NOTE: For more information on IPv6 Prefix User Quota, see IPv4-to-IPv6 Transition Solu-
tions Guide.

Security Menu Enabled on Thunder 14045

The Security menu is added on the Thunder 14045 GUI to display the Gi-Firewall related sub-menus. The sub-
menus displayed in the Security menu are Firewall, Access List, DDoS, Object, and Object Group.

NOTE: For more information, see Online Help.

page 8
Feedback ACOS 4.1.4-GR1 GUI 1.0.0 Release Notes

Issues and Limitations

The following topics are covered in this chapter:

• Overview

• Fixed and Known Issues or Limitations in ACOS 4.1.4-GR1 GUI 1.0.0

Overview
The following sections are covered for issues fixed or the limitations in the ACOS 4.1.4-GR1 GUI 1.0.0 release
version.

For each issue, the following information is provided:

• A10 Tracking ID: A10 Networks tracking identifier.

• System area: Part of the system that had the issue (for example, IP NAT, SLB, or aFleX).

• Severity: Indicates the impact the issue had or could potentially have:

• Critical: Issue caused or could cause a service outage or a reload of the ACOS device.
• Major: Major issue that caused or could cause a major service outage.
• Normal: Relatively minor issue that caused or could cause a minor service outage.
• Issue Description: Description of the issue.

• Version Reported: Software version(s) in which the issue is present. Later versions (including the version
documented by this release note) are not affected by the issue.

Fixed and Known Issues or Limitations in ACOS 4.1.4-GR1

GUI 1.0.0
All the applicable fixed issues, known issues, and limitations for the ACOS 4.1.4-GR1 GUI 1.0.0 release version are
listed in the Table 1.

Feedback page 9
ACOS 4.1.4-GR1 GUI 1.0.0 Release Notes
FeedbackFFe
Fixed and Known Issues or Limitations in ACOS 4.1.4-GR1 GUI 1.0.0 ee

The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

TABLE 1 Fixed Issues or Limitations in ACOS 4.1.4-GR1 GUI 1.0.0 Release Version
A10
Tracking Version
ID System Area Severity Description Reported
425546 RBA Major When RBA is disabled, in CLI, login users with role “Parti- 4.1.4
tionSlbServiceOperator” can configure other objects,
Web - ADC except role “PartitionSlbServiceOperator”.

CGN On GUI, login users with role “PartitionSlbServiceOpera-

tor” can access objects or pages that under the role “Par-
titionSlbServiceOperator”.
392408 Web - ADC Major In Dashboard >> System Page, the Memory Usage and 4.1.4
Data CPU Statistics graph displays the time range for start
CGN to end time with a shortage of few to several minutes if you
select Last 1 day or Last 7 days from available menu
options.

page 10
 ACOS 4.1.4-GR1 GUI 1.0.0 Release Notes

page 11
 CONTACT US
1 a10networks.com/contact

ACOS 4.1.4-GR1 GUI 1.0.0 RELEASE NOTES 27 DECEMBER 2018