6.3.3 r1 release docs #800
docs/releases.table.js
Outdated
@@ -6,6 +6,11 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; | |||
// New entries should be placed at the top. | |||
// ---------------------------------------------------------------------------- | |||
export const releases = [ | |||
{ |
If you have to put up another commit, please correct the formatting of the curly braces.
docs/concepts_ssr_idp.md
Outdated
@@ -19,6 +19,8 @@ You can apply a profile (Alert, Standard, Strict) to an `access-policy`. Each pr | |||
|
|||
- **Strict** - The **Strict** profile contains a similar set of IDP signatures and rules as the Standard profile. However, when an attack is detected the actions are more likely to actively block any malicious traffic or other attacks detected in the network. | |||
|
|||
- **Critical** - The **Critical** profile focuses on `critical` level attacks, and has a more focused policy, improving the processing time. The default actions are more likely to block traffic to prevent access to the network. |
shouldn't you add a note that the critical profile was added in 6.3-r2?
@@ -15,6 +15,47 @@ With an upgrade or installation of SSR v6.3.0, conductor rollbacks are performed | |||
|
|||
Beginning with SSR v6.3.0, the use of the interactive installer is not supported, or necessary. Software installation and upgrade upgrade activities are supported from the GUI or PCLI; rollback activities can only be performed from the the PCLI. | |||
|
|||
## Reinstallation | |||
|
Docusaurus renders it properly, but the markdown files benefit from consistency. Please be consistent within a file. Space new line or no newline after a heading.
docs/intro_rollback.md
Outdated
@@ -15,6 +15,47 @@ With an upgrade or installation of SSR v6.3.0, conductor rollbacks are performed | |||
|
|||
Beginning with SSR v6.3.0, the use of the interactive installer is not supported, or necessary. Software installation and upgrade upgrade activities are supported from the GUI or PCLI; rollback activities can only be performed from the the PCLI. |
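Review bot: The last sentence of this paragraph carries a doubled article, "from the the PCLI", in addition to the doubled "upgrade upgrade"; drop one of each. In the first sentence, "is not supported, or necessary" reads more cleanly as "is neither supported nor necessary".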
typo: `upgrade` appears twice.
docs/intro_rollback.md
Outdated
|
||
### Reinstallation from Mist | ||
|
||
In the Mist interface you have the option of selecting any available software version from the repository. Selecting the same or lower version of firmware than is currently installed initiates an SSR firmware reinstall to the requested version. An informational message is displayed, explaining the limitations of reinstall. |
explaining the limitations of reinstall.
What are the limitations?
docs/release_notes_128t_6.3.md
Outdated
|
||
### New Features | ||
|
||
- **I95-50045 IDP Throughput Improvements:** Improvements have been made to increase IDP performance on SSR Devices. While improvements have been made on all SSR's, the larger multi-core SSR devices now auto-size to scale IDP processing and throughput. |
SSRs not SSR's
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-51685 WAN Edge Firmware Downgrade:** Due to network expansion or an RMA, you may need to add or replace a device that is preinstalled with firmware newer than what is currently running on your network. The SSR provides a process for an image-based reinstall to an SSR firmware version which is less than the firmware version on the target device. For additional information, see [Reinstallation](intro_rollback.md#reinstallation). | ||
------ | ||
- **I95-54553 DCSP Steering with BGP over SVR:** DSCP Steering service will now utilize a routing lookup when no explicit service-route configuration is present. |
This should point to DSCP steering document.
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-55228 IDP Critical Profile:** A new **Critical** profile has been added to the IDP feature. This profile focuses on `critical` level attacks, and has a more focused policy, improving the processing time. For more information about IDP, see [Intrusion Detection and Prevention](concepts_ssr_idp.md). | ||
------ | ||
- **I95-55342 Anti-Virus for SSR:** The SSR now offers Anti-Virus protection on spoke and branch devices, configurable on a per-application basis. The SSR Anti-Virus protection can run with or without IDP configuration, reports metrics to the User Interface, and generates alarms if the anti-virus engine fails for any reason. For more information, see [SSR Anti-Virus](sec-config-antivirus.md. |
typo: URL link must end with trailing )
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-55574 Events Sync Improvements:** In the event of broken communication between HA nodes, each node provides access to one hour of peer events leading up to the disconnection. This is reduced from the full history of events to lower storage needs and expedite restoration and troubleshooting. | ||
------ | ||
- **I95-56292 Increase the length of SSH keys to 4096:** The size of the Salt and 128T SSH keys has been changed to 4096 bits for newly deployed systems. |
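Review bot: The I95-56292 entry limits the 4096-bit key size to "newly deployed systems" but does not say what happens to the keys on systems that upgrade to this release. Add a sentence stating whether existing Salt and SSH keys keep their current length after an upgrade, and point to the regeneration procedure if one is documented.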
"128T" should be removed. It is implicit that this is referring to the SSR.
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-57305 Add flow timeout value to Associated Paths:** The Associated Paths window accessed from the Session view of the SSR GUI now displays a Flow Timeout column, providing a way to determine where the session is activity is focused. | ||
------ | ||
- **I95-57471 Allow Radius configuration per router:** Radius servers can now be configured at the router level. The servers can continue to be configured at the Authority level. If configured in both places, the combination of both configured servers will be used. |
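Review bot: In the I95-57305 entry, "providing a way to determine where the session is activity is focused" has a stray "is"; it should read "where the session activity is focused". The I95-57471 entry also writes "Radius" where the I95-58583 entry in the same file writes "RADIUS"; use one spelling throughout.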
"the combination of both configured servers will be used."
I don't believe this is an accurate statement. I believe this has to do with order of precedence.
If a radius server is configured at the authority, but not the router, then the authority value will be used. If it is configured at the authority and the router, the router value will be used.
…BIOS screen, will add when I get it. Need to update release date when finalized.
docs/sec-config-antivirus.md
Outdated
|
||
## How Does It Work? | ||
|
||
SSR Anti-Virus uses the Sophos anti-virus engine and includes a self signing certificate for simplified, secure connection. Similar to IDP, Anti-Virus is configurable directly on the hub and spokes of the network. You can select one of the built-in security profiles, or define parameters on your own for a custom profile. |
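Review bot: In the first sentence, "includes a self signing certificate for simplified, secure connection" does not say which connection the certificate protects or which side presents it. Name the two endpoints of that connection, and write "self-signed certificate".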
We support spoke-side DPI / IDP / AV only. Hub didn't make it in time
docs/sec-config-antivirus.md
Outdated
access-policy branch | ||
anti-virus-profile custom-profile | ||
exit | ||
anti-virus-profile custom-profile |
formatting is off here, the top-level key needs to be bumped to the left 1 tab
anti-virus-profile custom-profile
    name custom-profile
    url-allowlist ...
exit
docs/sec-config-antivirus.md
Outdated
|
||
### Alarms | ||
|
||
- Anti-virus server is down: An alarm is triggered and an error logged. |
capitalizing `virus` was done throughout but not here; nit for consistency
docs/config_dscp_steering.md
Outdated
If a `service-route` is configured on the parent service, that route is inherited by the child service. This will prevent routing lookup for the child DSCP services. | ||
|
||
:::info | ||
In versions 6.2.7 and below and 6.3.0 and below, if you did not configure a service-route for the parent or child services, the system would only consider BGP over SVR routes from the RIB. In versions beginning with 6.2.8 and 6.3.3-r2, if a service route is not configured on the parent or child services, all routes available to the RIB are considered; connected routes, static routes, routes from BGP neighbors (not just BGP over SVR neighbors), and OSPF routes. |
There should be no releases below 6.3.0.
This should read either "In versions 6.3.0 and below, ... " or "In versions 6.2.7 and below, or 6.3.0, ..."
docs/intro_rollback.md
Outdated
|
||
- System state and configuration outside of the datamodel (for example; analytics, logs, custom salt states, user-installed packages) will not be preserved after a reinstall, except for those required for basic system functionality and cloud connectivity. | ||
|
||
- Some reinstallations may be impossible due to incompatibilities between firmware versions. For example, if the user has configured a feature that did not exist in older software, reinstalling to the older version will not retain the feature configuration. |
This is effectively the same statement as line 66. I don't understand why this would prevent a reinstallation however. If so, then this needs specific features that would cause this incompatibility (I'm not aware of any).
docs/release_notes_128t_6.3.md
Outdated
TBA | ||
- **The following CVEs have bbeen identified and resolved in this release:** CVE-2019-13631, CVE-2019-15505, CVE-2019-25162, CVE-2020-25656, CVE-2020-36777, CVE-2021-3753, CVE-2021-4204, CVE-2021-46934, CVE-2021-47013, CVE-2021-47055, CVE-2021-47118, CVE-2021-47153, CVE-2021-47171, CVE-2021-47185, CVE-2022-0500, CVE-2022-23222, CVE-2022-3565, CVE-2022-45934, CVE-2022-48627, CVE-2022-48669, CVE-2023-1513, CVE-2023-24023, CVE-2023-25775, CVE-2023-28464, CVE-2023-31083, CVE-2023-3567, CVE-2023-37453, CVE-2023-38409, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-39198, CVE-2023-4133, CVE-2023-4244, CVE-2023-42754, CVE-2023-42755, CVE-2023-45863, CVE-2023-51779, CVE-2023-51780, CVE-2023-52340, CVE-2023-52434, CVE-2023-52439, CVE-2023-52445, CVE-2023-52448, CVE-2023-52477, CVE-2023-52489, CVE-2023-52513, CVE-2023-52520, CVE-2023-52528, CVE-2023-52565, CVE-2023-52574, CVE-2023-52578, CVE-2023-52580, CVE-2023-52581, CVE-2023-52594, CVE-2023-52595, CVE-2023-52598, CVE-2023-52606, CVE-2023-52607, CVE-2023-52610, CVE-2023-52620, CVE-2023-6121, CVE-2023-6176, CVE-2023-6240, CVE-2023-6622, CVE-2023-6915, CVE-2023-6932, CVE-2024-0340, CVE-2024-0841, CVE-2024-23307, CVE-2024-25742, CVE-2024-25743, CVE-2024-25744, CVE-2024-26593, CVE-2024-26602, CVE-2024-26603, CVE-2024-26609, CVE-2024-26610, CVE-2024-26615, CVE-2024-26642, CVE-2024-26643, CVE-2024-26659, CVE-2024-26664, CVE-2024-26671, CVE-2024-26693, CVE-2024-26694, CVE-2024-26743, CVE-2024-26744, CVE-2024-26779, CVE-2024-26872, CVE-2024-26892, CVE-2024-26897, CVE-2024-26901, CVE-2024-26919, CVE-2024-26933, CVE-2024-26934, CVE-2024-26964, CVE-2024-26973, CVE-2024-26993, CVE-2024-27014, CVE-2024-27048, CVE-2024-27052, CVE-2024-27056, CVE-2024-27059, CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147, CVE-2024-5564, CVE-2021-27290, CVE-2022-24999. | ||
|
||
- **I95-48453 Reverse SSH tunnels do not check Known Hosts file:** Functionality has been added to allow for the retrieval of the ssh known hosts and authorized keys file contents on the SSR. For details on the known host functionality, see [Strict Host Key Checking](cc_fips_otp_router_install.md#enable-strict-host-key-checking). |
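Review bot: The I95-48453 title and body describe different things: the title says reverse SSH tunnels "do not check Known Hosts file", while the body says functionality was added "to allow for the retrieval of the ssh known hosts and authorized keys file contents". State explicitly whether host keys are now verified for reverse SSH tunnels, since that is what the title leads a reader to expect. In the CVE entry above it, "have bbeen identified" is a typo, the list is out of order at its end (CVE-2024-21131 follows CVE-2024-27059, and CVE-2021-27290 and CVE-2022-24999 come last), and the "TBA" placeholder still needs replacing.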
This issue was already listed in the 6.3.0-r1 release notes.
Please cross-check all other issues for accuracy.
docs/release_notes_128t_6.3.md
Outdated
|
||
- **I95-48453 Reverse SSH tunnels do not check Known Hosts file:** Functionality has been added to allow for the retrieval of the ssh known hosts and authorized keys file contents on the SSR. For details on the known host functionality, see [Strict Host Key Checking](cc_fips_otp_router_install.md#enable-strict-host-key-checking). | ||
------ | ||
- **I95-53274 PIM scaling above 1500 (Source,Group) sessions:** The SSR cannot maintain more than 1400 active (Source,Group) sessions. Juniper recommends a limit of 1400 (Source,Group) sessions to prevent a loss of traffic. |
This reads as a feature as opposed to an issue that needed resolving. Suggested rewording:
- I95-53274 PIM multicast routes unable to maintain more than 1,400 concurrent (Source, Group) sessions: The SSR cannot maintain more than 1400 active (Source,Group) sessions. This scaling limitation has been addressed.
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-54366 Unable to assign an SNMP view name via the GUI:** Resolved an issue that prevented configuring SNMP (v3) Access Policy View in the GUI. | ||
------ | ||
- **I95-54553 DCSP Steering with BGP over SVR:** DSCP Steering service will now utilize a routing lookup when no explicit service-route configuration is present. For more information, see [Configuring DSCP Steering](config_dscp_steering.md#service-route-configuration). |
This is new functionality and should be in the new features section.
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-57128 Slow inter-vlan traffic due to i40e performance issue:** Resolved an issue where devices controlled by i40e driver (x710, x722) were incurring 8ms (8000us) latency due to an incorrect MAX value. This has been resolved and latency reduced to 32us. | ||
------ | ||
- **I95-57205 Race condition on startup with DHCP configured on LTE or PPPoE interface, causing system to crash:** This issue has been resolved. |
- I95-57205 Race condition on startup with LTE or PPPoE interfaces configured for DHCP, causing system to crash: This issue has been resolved.
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-57784 Add `show network-interface redundancy` command output to TSI collection:** The `show network-interface redundancy` command has been added to the TSI output to aid in troubleshooting. | ||
------ | ||
- **I95-58201 Increase AMD performance:** Throughput performance on AMD processors has been improved through the tuning of some kernel parameters. |
- I95-58201 Increase performance for SSR1200, SSR1500 and whitebox AMD platforms: Throughput performance on AMD processors has been improved through the tuning of kernel parameters.
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-58332 Show service-path incorrectly shows the state as `up` in an unreachable next-hop:** In a config where a `service-route next-hop` is pointing to an unreachable address, the show service-path shows the state is being up. This has been resolved by adding a next-hop reachability check to `show service-path`. | ||
------ | ||
- **I95-58427 Capture SNMP configuration in TSI:** The `/etc/snmp` directory is now captured int ehTSI allowing the inspection of the output. |
Typo: "in the TSI, allowing"
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-58583 Bypass message-authentication in RADIUS:** An option to to bypass the requirement for the Message-Authenticator check in RADIUS requests and responses has been added. Disabling this check is considered unsafe and will allow for vulnerabilities to be exploited for users authenticating. Disabling this check is NOT recommended, but may be necessary for some backwards compatiblity scenarios. | ||
------ | ||
- **I95-58637 Relax read-only API RBAC policies:** Users with suitable config-read permissions are now able to generate quickstart files. |
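Review bot: The I95-58583 entry warns that disabling the Message-Authenticator check is unsafe but names neither the configuration option nor its default, so a reader cannot confirm that the check stays enforced after an upgrade. Add the option name and state the default value; the phrase "will allow for vulnerabilities to be exploited for users authenticating" would also be clearer if it said what the check protects. Two typos in the same entry: "to to bypass" and "compatiblity".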
I95-58637 Relax API RBAC policies for quickstart files: Users with config-read permissions are now able to generate quickstart files.
docs/release_notes_128t_6.3.md
Outdated
------ | ||
- **I95-58637 Relax read-only API RBAC policies:** Users with suitable config-read permissions are now able to generate quickstart files. | ||
------ | ||
- **I95-58722 Update allowed Key Exchange Algorithms:** Expand the list of supported Key Exchange Algorithms in both FIPS and non-FIPS mode. |
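Review bot: The I95-58722 entry says the list of Key Exchange Algorithms was expanded "in both FIPS and non-FIPS mode" without naming the algorithms that were added. List them per mode, or link to the page that does, so operators can check the change against their own crypto policy before upgrading.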
- I95-58722 Update allowed Key Exchange Algorithms to add better support for Gov Cloud environments: Expand the list of supported Key Exchange Algorithms in both FIPS and non-FIPS mode.
### From the CLI | ||
|
||
1. Log in to the SSR as the `admin` user. | ||
2. Use the following config example to configure `serial-console-enabled false`. |
May want to mention that `serial-console-enabled` only shows in advanced user mode.
docs/sec-disable-console-output.md
Outdated
|
||
#### Upgrades | ||
|
||
After disabling the serial console output (setting to `false`), the setting **will** perpetuate after an upgrade, but the router must be restarted after the upgrade to maintain the `false` setting. |
I am not sure this is limited to "false". From my understanding this feature is not dynamically reconfigurable whether it is turned on or off, so in all cases it required a reboot. @eleung128 please confirm
We should also discuss that this does not apply to system startup. Console gets turned off once kernel starts up, so it is still available for both input and output during bootup.
@migolnikov Max, I'm going to need a little more info on this - I'm not quite clear on what you mean.
sidebar_label: USB Boot and Storage Security | ||
--- | ||
|
||
This document provides guidance on disabling USB booting and storage in the SSR BIOS, and disabling USB storage in the Operating System. |
I see the instructions below for BIOS changes, but I do not see them for "disabling USB storage in the Operating System." via the config.
…output topic with input from Max, and adjusting dates and build numbers.
@@ -20,11 +20,19 @@ In some cases, you may want to disable console output to protect the information | |||
|
|||
The router must be rebooted for the change to take effect. | |||
|
|||
:::note |
This note appears twice in this document.
That is intentional, once in the cli instructions and once in the GUI instructions. Just in case they don't see it in the section they are not using.
docs/release_notes_128t_6.3.md
Outdated
@@ -24,6 +24,93 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co | |||
------ | |||
- **Plugin Upgrades:** If you are running with plugins, updates are required for some plugins **before** upgrading the conductor to SSR version 5.4.0 or higher. Please review the [Plugin Configuration Generation Changes](intro_upgrade_considerations.md#plugin-configuration-generation-changes) for additional information. | |||
|
|||
## Release 6.3.3-36r2 |
do we usually include the release number? I think it's 40 now
docs/sec-config-antivirus.md
Outdated
sidebar_label: SSR Anti-Virus | ||
--- | ||
|
||
The SSR provides Anti-Virus protection on spoke and hub devices, and is configurable on a per-application basis. SSR Anti-Virus runs with or without IDP configuration, reports metrics to the User Interface, and will generate alarms if the anti-virus engine fails for any reason. With both built-in and user-customizable security profiles, it provides a high level of flexibility. |
spoke* devices. Hub support didn't make 6.3.3 R2
….com:128technology/docs into 6.3.3-r1-release-docs
docs/release_notes_128t_6.3.md
Outdated
@@ -84,6 +82,8 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co | |||
------ | |||
- **I95-58528 SSR OS renaming:** The SSR OS has been renamed/rebranded from "CentOS7" to "SSR OS" to more accurately reflect its customized Linux distribution. All internal naming has been updated. | |||
------ | |||
- **I95-58539 The `validate` command does not check or test for router `applies-to` config:** Resolved an issue where the DHCP relay inspector rule that validates whether an interface is not being used for DHCP relay and other DHCP functions, was not considering router-based services. Errors from this rule are now warnings. |
possible better rephrasing:
- I95-58539 The `validate` command does not check or test for router `applies-to` config: Resolved an issue whereby the DHCP relay inspector rule was not honoring router-based services for interfaces without DHCP relay. Errors from this rule are now warnings.
docs/release_notes_128t_6.3.md
Outdated
@@ -102,14 +102,19 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co | |||
------ | |||
- **I95-59131 Next Hops not updated properly when OSPF is used:** Resolved a race condition found in OSPF and the end of FIB update message. | |||
------ | |||
- **I95-59146 BGP confederation member-as modify path incorrect:** Resolved an issue where modifications to `bgp confederation member-as` was not comparing and validating the changes correctly. | |||
- **I95-59146 BGP confederation member-as modify path incorrect:** Resolved an issue where modifications to `bgp confederation member-as` were not comparing and validating the changes correctly. |
- I95-59146 BGP confederation member-as not dynamically reconfigurable: Resolved an issue where modifications to `bgp confederation member-as` were not comparing and validating the changes correctly.
…github.com:128technology/docs into 6.3.3-r1-release-docs
No description provided.