Release Notes for SSLi Harmony App v4.1
The SSLi Harmony Controller provides centralized SSLi service configuration and service level visibility to all managed SSLi deployments.
The SSLi Harmony App v4.1 provides enriched coverage of multiple SSLi deployment scenarios and stand-alone features. The configuration section of the app has been redesigned with an intuitive interface so that customers can perform SSLi deployments and centrally manage their sites.
This chapter has the following sections:
The SSLi Harmony App v4.1 focuses on enriched deployment and configuration support, which includes the following features:
NOTE: For detailed information, refer.
SSLi App provides users with an option to easily migrate their SSLi App v2.4 or v3.0 configurations to v4.0 and v4.1. The user does not need to manually deploy the sites and site groups again; SSLi App recognizes the SSLi configurations from previous versions and migrates them automatically.
Migration to SSLi App v4.0 Complete
NOTE: Direct migration from SSLi App v2.4 or v3.0 to v4.1 is not recommended. First migrate from SSLi App v2.4 or v3.0 to SSLi App v4.0, and then upgrade to SSLi App v4.1 using the same steps.
Previously, SSLi App v4.0 had full support for Outbound Traffic Flow. Multiple topology options were available for outbound traffic flow.
SSLi App v4.1 now provides support for the following new traffic flow options in addition to Outbound Traffic Flow:
• Inbound Traffic Flow – Inspects incoming traffic to internal networks
• Bidirectional Traffic Flow – Inspects outgoing as well as incoming traffic
The user can configure any topology option for the traffic flows listed above through both guided and unguided mode.
Guided Mode > Inbound Traffic Flow Topology
Guided Mode > Bidirectional Traffic Flow Topology
SSLi App v4.1 supports Virtual Wire (vWire) mode, which is the recommended way to configure the IPLess Topology. It covers the use case where an existing IPLess implementation is kept as is, and inbound SSLi vWire or outbound SSLi vWire is added on top of it, either co-existing or configured individually.
vWire mode is supported for all three traffic flows through guided and unguided mode.
Guided Mode > Site Group > Select Virtual Wire Security Device
Guided Mode > Site > Configure vWire Interfaces & Trunks
SSLi App v4.1 now supports Tenant Provisioning, which enables the user to map device partitions to the tenant using the following options:
• Map partitions manually by selecting the device partitions in the ‘Provisioning’ window. The Provisioning link is available against Licenses at the Site level.
• Map partitions automatically when the configurations are deployed to the Thunder.
NOTE: User can only map partitions to the tenant through which the SSLi App is launched.
FIGURE 6: Site Home Page > Provisioning
FIGURE 7: Provisioning > Select partitions manually
The SSLi App supports a Difference Tool for deployment configuration changes. The Review Updates option provides a side-by-side view of the complete configuration (on the left) and the highlighted updates (on the right). This view shows all the changes that are about to be deployed to the sites and the possible impact those changes can have. The Review Updates option distinguishes the following cases:
• Highlighted Green – New configurations which will be added to the device during deployment
• Highlighted Orange – Configurations which will be updated during deployment
• Highlighted Red – Configurations which will be removed during deployment
• Not Highlighted – Unchanged configurations, which will be neither updated nor removed during deployment
Color code indicators are added at the top of the Review Updates window to show the user what each color indicates.
Review Update > Color Code indicators
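The following is an added example, not code from the SSLi Harmony App or its release notes: it reproduces the four Review Updates categories (new, updated, removed, unchanged) by comparing a deployed configuration against a pending one, leaf by leaf, so a reviewer can see exactly which settings a deployment would touch. The configuration keys and values are constructed, hypothetical samples.

```python
# Added example: classify pending configuration changes into the four
# Review Updates categories. Keys and values below are constructed samples.
from typing import Any

# Constructed sample: what is currently deployed on a site (hypothetical keys).
DEPLOYED = {
    "client-ssl-profile": {"tls-version": "1.2", "forward-proxy-log": "enable"},
    "bypass-class-list": {"domains": ["example.org"]},
    "service-group": {"members": ["srv1", "srv2"]},
}

# Constructed sample: the configuration about to be deployed.
PENDING = {
    "client-ssl-profile": {"tls-version": "1.3", "forward-proxy-log": "enable"},
    "service-group": {"members": ["srv1", "srv2"]},
    "health-monitor": {"type": "tcp", "interval": 5},
}


def flatten(cfg: dict, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts into 'a/b' keys so each leaf setting is compared on its own."""
    out: dict[str, Any] = {}
    for key, value in cfg.items():
        path = f"{prefix}/{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def review_updates(deployed: dict, pending: dict) -> dict[str, list[str]]:
    """Return leaf paths grouped by Review Updates category (sorted within each group)."""
    old, new = flatten(deployed), flatten(pending)
    result: dict[str, list[str]] = {"added": [], "updated": [], "removed": [], "unchanged": []}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            result["added"].append(path)        # highlighted green in the UI
        elif path not in new:
            result["removed"].append(path)      # highlighted red
        elif old[path] != new[path]:
            result["updated"].append(path)      # highlighted orange
        else:
            result["unchanged"].append(path)    # not highlighted
    return result


if __name__ == "__main__":
    for category, paths in review_updates(DEPLOYED, PENDING).items():
        print(f"{category}: {paths}")
```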
SSLi Policies provide centralized SSLi service and rules-based configuration management to all the sites of a site group. The following changes are introduced in SSLi Policy Configurations in SSLi App v4.1.
Policy Add Ons
A Schedule option is introduced in the Add-Ons Advanced Settings to schedule the automatic Application Database Update on a weekly or daily basis. Both day and time can be set for a weekly schedule; only the time can be configured for a daily schedule.
Schedule Update option
A Schedule Status option is added to show a summary of the update schedule for each site in a site group.
The following changes are introduced in per-rule policies:
• Custom servers, with varying health check status, can be bound as members of a Custom Service Group
• Dynamic Service Templates are now referred to as Data Interface DNS Tags
• For Inbound Policy Rules, Client SSL Inspection Profile is bound with Outside Rules while Server SSL Inspection Profile is bound with Inside Rules.
The following options are not supported for Inbound Policy Rules:
• Bypass Traffic
• Tx/Rx Signaling using HTTP Header
• Virtual Ports Templates
• Source NAT (Auto/ Manual)
• Data Interface DNS Tags
• Inline Explicit Proxy
• Upstream Explicit Proxy
Inbound Policy Rules support the following services on the Outside Segment:
• User Access Control
• AFleX Script
Shared objects are an abstraction of the configurations: the same configuration can be defined once and reused across multiple policies. The following new Shared Objects are added in SSLi App v4.1.
• Server Option Template
• Service Group
• Template Policy
• Authorization Policy
• Health Monitor
• Client SSL Inspection Profile for Inbound traffic flow Type
• Server SSL Inspection Profile for Inbound Traffic Flow Type
A number of features and enhancements are added to the existing shared objects in SSLi App v4.1. The details are as follows:
• Client SSL Inspection Profile (Outbound)
    • Forward Proxy Log Disable field
    • Forward Proxy Cache Persistence field
    • Require SNI Cert No Matched Action field
    • Forward Proxy Cert Validity options field
    • Forward Proxy Cert Ext options field
    • SSL Inspection Option – Server Certificate Issuer
    • SSL Inspection Option – Server Certificate SAN
    • SSL Inspection Option – Server Certificate Subject
    • Domain Bypass Class List
    • Cert Validation Failure – Support for Block Option
    • Separate Support for Cert-Fetch as TLS Version and Higher/Lower TLS Version
    • TLS Version 1.3 support
    • TLS 1.3 Ciphers support
    • Info Text of fields – Pinned Certificate Site List, User ID, Group ID, Cert-Fetch via Source-NAT
• Server SSL Inspection Profile
    • Cert Revocation List (CRL) support
    • Certificate Authority (CA) Certificate support
    • Advanced Settings options
• ICAP separate modes, i.e.
    • Request Mode
    • Response Mode
• Object Group – Support for Any option in Network Type Object Group
• Access List – Support for “Less Than (LT)” and “Greater Than (GT)” methods for Source and Destination Ports of TCP/UDP Protocols
• Firewall Rule Set – Info Text of Fields (Application Filtering, Src. Threat Intel, Dest. Threat Intel, Track Application)
The following feature enhancements are available in SSLi App v4.1:
The SSLi App supports certificate import from any device registered with the Harmony Controller. The application asks the user to select a Harmony Controller registered device from which to import the certificates and keys, followed by the partition and the certificate/key selection. During brownfield import, certificates are fetched automatically from the device.
SSLi App supports brownfield import of configurations consisting of Inbound or Bidirectional topologies in addition to Outbound topologies. Default Gateways for inbound traffic are detected and selected by default during brownfield import, though the user has the option to deselect any of them if required. Deselected servers are then treated as custom servers.
For Bidirectional topologies, the traffic flow of each virtual server is detected by default; the user can change it as needed.
SSLi App supports selection of multiple interfaces for each specified role using smart illustration. Only interfaces and Trunk Groups can be selected through interface dropdowns. VEs are not exposed at this level.
If VCS configuration is enabled on the device, then during brownfield deployment a warning message appears at this stage and the NEXT button is disabled, since SSLi App does not currently support VCS configuration.
SSLi App now supports a pop-up view of IP Addresses in the smart illustration. The IP Address field in the illustration shows only the first IP Address entered, but if the user has added more VLANs for the particular role, the IP Addresses for those VLANs can be seen in the VLAN Table as well as in the IP Address pop-up view. The pop-up view also lets the user edit or remove IP Addresses.
Shared Objects Name Conflict presents a list of objects when a shared object with the same name already exists in the application. SSLi App supports three different options when a name conflict occurs for any shared object:
• Use Existing – The objects present in shared objects are used in the deployment, and those present on the device are discarded.
• Override Existing – The objects present in shared objects are overridden with those present on the device in the deployment.
• Create New – An object with a new name is created in shared objects and used in the deployment.
Default Servers are created in the background when Default Gateways are set. SSLi App now supports Custom Servers, for which a Server Options Template can be defined once and reused across multiple Custom Servers. To configure Custom Servers, the user binds the Server Options Template in the Server tab of Site Advanced Settings as well as in the members table of the Service Group bound in the Policy Rules advanced settings.
Alternatively, that Service Group can be bound in the Action table of the Template Policy bound to the service of the Vports.
• License activation through GLM License Request with or without Entitlement Token
• Device ACOS Version detection and warning
• Support check for ACOS Version sub-series
• Support for Preempt Mode in VRID Advanced Settings
• Private Partition support for L2 Topologies
• HTTP port support for Web Category Proxy Server
• Update EHM Logs for Bypass O365 Script
• Characteristics - Info Text of Fields – Upstream Explicit Proxy, Explicit Proxy
• Additional Security Services – Info Text of Fields – ICAP capable Security Device, User Access Control
• Server Tab in Site Advanced Settings
The app service group type can now be configured as ‘inbound’ or ‘outbound’ to distinguish the direction. The ‘SSLi’ option available in the previous release is changed to ‘SSLi Outbound.’ The SSLi Outbound indicates the outbound traffic flow, and the new ‘SSLi Inbound’ option indicates the inbound traffic flow.
Additionally, the SSLi app now supports visibility and analytics for both outbound and inbound SSLi TLS services. The following are the significant enhancements introduced to support this feature:
• New Inbound Analytics - Includes Traffic Insights, Threat Insights, Thunder Cluster, and Source and Destination Insights. A new infographic is also introduced for the inbound type.
• Enhanced Outbound Analytics - Includes the following new or enhanced charts:
• Traffic Insights: New charts for Cipher suites, Certificate in Cache Created and Expired, and Certificate in Cache Hit and Miss are added.
• Threat Insights: Threat Investigator is replaced with new charts for Detected Threats, Threat-Categories by Connections, and Threat Distribution (Volume/Connections).
• Source & Destination: Top used IPs chart from the Traffic Insights is moved under Source & Destination analytics.
For detailed information about these insights, refer to the Analytics chapter in the SSLi v4.1 User Guide.
A Firewall log tab is introduced in the Log View Panel page to display firewall logs per connection, with various filters. Additionally, the Threat Investigator page under the Analytics module is now moved under the Log View Panel page.
For detailed information about these logs, refer to the Log View Panel chapter in the SSLi v4.1 User Guide.
To view an introductory video on how to install and use the SSLi Harmony Controller, refer to the video:
Recommended Chrome Version: 89.0.4389.114 (Official Build) (64-bit)
The Thunder and Harmony Controller clocks must be in sync, with a time difference of less than one minute.
NOTE: When deploying High Availability (HA) based topologies, Thunder HA pair devices must have VRRP-A configured before registration with Harmony Controller as a HA cluster. Some VRRP-A configuration settings are not permitted after VRRP-A is enabled.
The following issues have been reported for SSLi App v4.1:
The known limitations for SSLi App v4.1 are:
• HTTP2 is not supported.
• Recent SSLi features and related settings, such as dynamic routing, VCS, and advanced custom topologies, are not supported.
• Harmony Controller tenant awareness for configuration objects is not supported. The user must log in as Provider Admin.
• If the position or content of an ACL Remark rule is updated, its bindings are re-applied through a delete-and-create flow.
• Some configurations are not supported in brownfield import and will be configured using the application, as follows:
    • Bypass O365: Only if configured using the SSLi Harmony Controller App.
    • WIA SPN: Not recognized.
The following limitations are tracked for SSLi App v4.1:
• Cluster partitions on Harmony Controller are created only for partitions that are active on the device or that were previously defined and created through Harmony Controller.
• Any Inactive partitions will not be detected by Harmony Controller and the App before and after the registration of the device.
• Any configuration made on the Thunder device directly and not through the Harmony Controller App will not be recognized and may be lost when the Harmony Controller App deploys the configuration.
Harmony SSLi App documents can only be managed through Root level access.
Some configurations are now supported in brownfield deployment:
• URL Filtering: URL configurations can now be fetched through brownfield deployment, since Template Policy is now supported.
• Service Groups are now either auto-generated or custom-made as per user requirements. A separate Service Group shared object is introduced in SSLi App v4.1.
• Passphrase-protected private keys now work in L3V partitions.
The following fixed issues are tracked for SSLi App v4.1.