HP Network Protector SDN Application - 1.1.15 Release Notes

Abstract
This document contains supplemental information for the HP Network Protector SDN Application Release 1.1.15.

HP Part Number: 5998-6987
Published: November 2014
Edition: 1
Copyright 2014 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgements
OpenFlow is a trademark of the Open Networking Foundation. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.

Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. Hewlett-Packard assumes no responsibility for the use or reliability of its software that is not furnished by Hewlett-Packard.

Warranty
For the software end user license agreement and warranty information for HP Networking products, see http://www.hp.com/networking/support.
HP Security Policy and Release Notes

A Security Bulletin is the first published notification of security vulnerabilities and is the only communication vehicle for security vulnerabilities. Fixes for security vulnerabilities are not documented in manuals, release notes, or other forms of product documentation. A Security Bulletin is released once all vulnerable products still in support life have publicly available images that contain the fix for the security vulnerability.

To find any security bulletins for the application, visit the HP Networking manuals web page: www.hp.com/networking/support

To initiate a subscription to receive further HP Security Bulletin alerts via email, go to: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Contents

Description
Version 1.1.15
    Fixed issues
Version 1.1
    What's new
    Fixed issues
    Issues and suggested actions in versions 1.1 and earlier
    Finding the latest documentation
    Product requirements
Version 1.0.2
    What's new
    Issues and suggested actions in version 1.0.2
Documentation feedback
Description

The HP Network Protector SDN Application V 1.1.15 runs on the HP VAN SDN (Virtual Area Network Software-Defined Networking) Controller software and utilizes the HP Reputation Digital Vaccine (RepDV) service to prevent clients from making connections to suspicious or malicious hosts.

For information about administration and installation of HP Network Protector SDN Application V 1.1.15, see the HP Network Protector SDN Application V 1.1 administration and installation documents.

Version 1.1.15

Fixed issues

The CR fixed in version 1.1.15 is:

(CR159130) Exceptions observed when a high number (~400) of switches are connected to the HP Network Protector.
Resolution: The number of threads created for each datapath connected to the HP Network Protector was causing a high thread and socket count, which caused overutilization of hardware resources. The number of threads connecting to the HP Network Protector is optimized regardless of the number of datapaths that connect to the HP Network Protector.

Version 1.1

What's new

The key features of HP Network Protector SDN Application version 1.1 are:
- Generating reports of the quarantined user list.
- Multi NIC support for user to choose NIC for SI Tunnel termination.
- Enable/disable SI tunnels on individual switches.
- Ability to unquarantine individual user.
- Greylist Policy Support.
- SI Tunnel Performance enhancement to support 60K packets/sec.
- Throttling feature enhancement to disable top three switches with high traffic instead of all the switches.
- License compliance details on landing page.
- Application installation via controller Application manager.
- Application support via OOBM port.
- Network Administrators can specify separate redirect server's IP addresses for greylist and blacklist.
- Page for license compliance details and license compliance history report.

Fixed issues

The CRs mentioned in Issues and suggested actions in version 1.0.2 are fixed in version 1.1.
Issues and suggested actions in versions 1.1 and earlier

The following are the known issues in this release:

(CR146522) In the whitelist upload file, if a comment contains a comma, the upload fails.
Resolution: This limitation has been documented in the HP Network Protector SDN Application Administrator Guide.

(CR149328) Total DNS and malicious DNS count on the Home page gets rolled over a period of time.
Resolution: Total DNS requests and malicious DNS requests counters shown on the dashboard of the HP Network Protector SDN Application roll over a period of 24 hours.

(CR149370) Date is displayed differently in different client machines.
Resolution: The timezone must match between the client machines on which the GUI is opened and the machine where the HP Network Protector SDN Application is installed.

(CR150001) Upgrade clears the counters in the home page.
Resolution: During HP Network Protector SDN Application upgrade, data migration takes a considerable amount of time. During this period, the DNS Data counter values are shown as zero.

(CR152077) Device discovery is not working with SNMPv3 no-auth-no-priv credentials.
Resolution: The no-auth-no-priv SNMP credentials can be added only to the operator-noauth group in the switch. The operator-noauth group has only READ permission but not WRITE permission. To work with the given credentials, the HP Network Protector SDN Application requires both READ and WRITE permissions for a given switch. As a result, switches cannot be discovered/protected using no-auth-no-priv credentials configured in the Network Protector.

(CR153429) Acknowledge/UnAcknowledge button in the alert logs page does not update the count of the alert notification button on the top right hand corner of the Network Protector GUI; instead, the count in the SDN VAN Controller notification button is updated.
Resolution: The count of the Network Protector notification button is always the total number of Network Protector Critical Alert logs.
(CR153743) On browser resizing, titles get overlapped in Chrome and Firefox but not in Safari.
Resolution: The rendering of the UI component layouts is specific to the implementation of JavaScript on each type of browser. This issue is noticed when the browser is minimized to a significantly small size.

(CR153745) Date and time format: Chrome and Firefox display date and time in 12 hour format, whereas Safari displays them in 24 hour format.
Resolution: The date and time format displayed on the Web browsers is specific to the implementation of the JavaScript date time format on each browser type.

(CR153842) SI tunnels are lost when the network link flaps and never get re-negotiated until the netprotector service is restarted.
Resolution: The Network Protector does not consider the health of the SI tunnel (Up/Down) while showing the status as enabled/disabled in the Service Insertion page. As a result, the status is shown as enabled even if the SI tunnel's health is down for any reason. In other words, the state of the SI tunnel is like the ADMIN status of a port (Enabled/Disabled) and the health of the SI tunnel is like the OPER status of a port (Up/Down).
(CR154003) Network Protector UI issues with Windows Vista: Firefox, Chrome and Safari.
Resolution: On resizing the web browsers, you can notice overlapping of UI components on a few pages of the application UI. When an exception user IP address is removed on Windows Vista using the Chrome or Safari browser, the entry is not cleared from the UI although it is cleared in the database. On refreshing the web browser, the application displays the list of exception users correctly. This behavior is not seen on the Firefox browser, and it works fine on other browsers and platforms.

(CR154149) When SI across an L3 boundary moves to OpenFlow, the application will not work.
Resolution: A known limitation on switches for the OpenFlow channel is that it cannot route L3 packets coming from the controller. If a switch configured with SI across L3 boundaries (that is, when the switch is configured with routing and it can route across L3 boundaries) moves to OpenFlow due to heartbeat or SI disabled on the switch, the packets are not routed across L3 boundaries.

Finding the latest documentation

To view the latest version of these release notes and the guides for HP Network Protector SDN Application, see the following:
1. HP SDN information library at http://www.hp.com/go/sdn/infolib.
2. Open your browser and go to www.hp.com/support/manuals.
3. Use the tools provided to search by product name (for example, HP Network Protector SDN Application) or product number.
Detailed information about the selected product displays, including a list of support options in the left column.

Product requirements

Ensure that your system meets the requirements described in the HP VAN SDN Controller and Applications Support Matrix.

Before installing the Network Protector application, install, configure, and verify the installation of the HP VAN SDN Controller as described in the HP VAN SDN Controller Installation Guide.
Ensure that the controller and its Cassandra database are running properly as described in the HP VAN SDN Controller Administrator Guide.

NOTE: The HP Network Protector SDN Application does not support controller teaming. Ensure that the HP VAN SDN Controller is running in standalone mode.

Version 1.0.2

What's new

First public release of HP Network Protector.
Issues and suggested actions in version 1.0.2

The following are known issues with the HP Network Protector SDN Application 1.0.2:

(CR144083) Termination of Service Insertion tunnel and OpenFlow channel is not possible on different NICs.
Resolution: The HP Network Protector SDN Application does not provide a mechanism for configuring termination of Service Insertion tunnel and OpenFlow channel on different NICs.

(CR148717) When pointing to the bar chart on the HP Network Protector SDN Application UI, the IP address of the switch is not visible.
Resolution: When pointing to the top 10 Clients With Most Malicious Queries bar chart on the home page of the HP Network Protector SDN Application UI, the pointer displays the not available message instead of displaying the IP address of the switch.

(CR145458) When releasing quarantined hosts, a single quarantined host cannot be released.
Resolution: When releasing quarantined hosts, the HP Network Protector SDN Application UI does not provide for releasing a single quarantined host. You can release all the quarantined hosts together and not individually.

Documentation feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.