Versa Networks

Versa Concerto Release Notes for Release 12.1

These release notes describe features, enhancements, fixes, and known issues in Concerto Release 12.1, for Releases 12.1.1 and 12.1.2.

October 31, 2024
Revision 2

Product Documentation

The Versa Networks product documentation is located at https://docs.versa-networks.com.

Install Concerto

If you are installing new Concerto instances, follow the steps in Install Concerto.

Upgrade Concerto

Warning: Before you upgrade to Concerto 12.1.2, ensure that the current operating system security package (OS SPack) is installed on all the nodes in the cluster.

To check that the current OS SPack is installed on all the nodes in a cluster:

  1. Download the latest OS SPack from https://versanetworks.box.com/v/osspack or from the alternate download server at https://download.versa-networks.com/index.php/s/nEkF9xOO3e7BA9Z.
  2. Copy the OS SPack to /var/versa/ecp/share/packages.
  3. On each node, issue the vsh stop command to stop all Versa services.
  4. On each node, execute the OS SPack file:
     sudo /var/versa/ecp/share/packages/versa-concerto-osspack-B-20241014.bin
  5. If errors are seen during package installation, re-install the same package again.
  6. Reboot each node.

To upgrade Concerto nodes from Release 11.x.x to Release 12.1.1 or 12.1.2:

  1. Download the Concerto 12.1.2 bin file to the /var/versa/ecp/share/packages directory on any one of the nodes in the Concerto cluster. The bin file is automatically synced to all other nodes in the cluster.
  2. Generate a backup of the existing Concerto cluster by issuing the vsh database backup create command. To verify that the backup has been created, check the output of the vsh database backup list command.
  3. To upgrade to the new version of software, issue the vsh system package upgrade package-bin-filename command. This command triggers the upgrade process on all the nodes in the cluster. The upgrade debug logs are saved to the upgrade.log and install.log files in the /var/log/ecp directory.
  4. After the upgrade process completes, services start automatically on all the nodes. If the upgrade fails, the system automatically rolls back to the previous software image running on all the nodes.
  5. To check that the services are running, issue the vsh status command:
admin@concerto-1:~$ vsh status
postgresql            is Running
zookeeper             is Running
kafka                 is Running
solr                  is Running
glances               is Running
mgmt-service          is Running
web-service           is Running
cache-service         is Running
core-service          is Running
monitoring-service    is Running
traefik               is Running
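
The following is an added example, not part of the original release notes or of Versa's tooling: a post-upgrade gate that parses the vsh status output format shown above and reports any service that is absent or not Running. The function names, the sample text, and the "Stopped" state value are constructed for illustration; the expected service list is taken from the sample output above.

```shell
#!/bin/sh
# Added example: health gate over `vsh status` output (format as shown in these notes).

# Services that appear in the sample `vsh status` output on this page.
EXPECTED_SERVICES="postgresql zookeeper kafka solr glances mgmt-service web-service cache-service core-service monitoring-service traefik"

# unhealthy_services: read `vsh status` text on stdin and print one line per problem:
#   "<service> <state>"  when the service is listed but not Running
#   "<service> MISSING"  when an expected service is not listed at all
# Prints nothing when every expected service is Running.
unhealthy_services() {
    awk -v expected="$EXPECTED_SERVICES" '
        BEGIN { n = split(expected, want, " ") }
        # Data lines look like "<name>   is <State>"; the shell prompt line is skipped
        # because its second field is not "is".
        $2 == "is" && NF >= 3 {
            state = $3
            for (i = 4; i <= NF; i++) state = state " " $i
            seen[$1] = state
        }
        END {
            for (i = 1; i <= n; i++) {
                s = want[i]
                if (!(s in seen)) print s, "MISSING"
                else if (seen[s] != "Running") print s, seen[s]
            }
        }'
}

# services_healthy: exit status 0 only if stdin shows every expected service Running.
# Problems are written to stderr so the function can gate a change-control step.
services_healthy() {
    problems=$(unhealthy_services)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    return 0
}

# Constructed sample: all services up (mirrors the output shown above).
SAMPLE_HEALTHY='admin@concerto-1:~$ vsh status
postgresql            is Running
zookeeper             is Running
kafka                 is Running
solr                  is Running
glances               is Running
mgmt-service          is Running
web-service           is Running
cache-service         is Running
core-service          is Running
monitoring-service    is Running
traefik               is Running'

# Constructed sample: kafka down ("Stopped" is an assumed state string) and traefik absent.
SAMPLE_DEGRADED='admin@concerto-1:~$ vsh status
postgresql            is Running
zookeeper             is Running
kafka                 is Stopped
solr                  is Running
glances               is Running
mgmt-service          is Running
web-service           is Running
cache-service         is Running
core-service          is Running
monitoring-service    is Running'

# Demo on the constructed degraded sample; on a real node use:
#   vsh status | services_healthy || echo "node not healthy after upgrade"
printf '%s\n' "$SAMPLE_DEGRADED" | unhealthy_services
```

Run the gate on every node in the cluster, since the upgrade command triggers the upgrade on all nodes.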

The docker service ls command also shows the status of the services.

New Features and Enhancements in Concerto Release 12.1.1

This section describes the new features and enhancements in Concerto Release 12.1.1.

SD-WAN

  • ALG settings—You can configure Application-Layer Gateway (ALG) settings. See Configure Application Layer Gateway (ALG).

  • Application QoS policy new GUI screens—The GUI screens for application QoS policies and rules have been updated to be larger. See Configure QoS Policies and Rules.

  • Bulk device upgrades—You can select multiple devices and upgrade the software, SPack, or OS SPack as a group. You can upgrade packages directly on the Concerto portal from the Inventory page. See Concerto Inventory Lifecycle, Use OSPacks with Concerto, Use SPacks with Concerto, and Upgrade VOS Software from Concerto.

  • Deploy VOS devices as standalone NGFW, router, and UTM devices—You can deploy VOS devices as standalone NGFW, router, or UTM devices by selecting the appropriate solution tier in the master profile. The solution tier controls which features are configured in the master profile. See Configure a Secure SD-WAN Tenant.

  • DNS proxy policies and profiles—You can configure DNS proxy policies and profiles under Profile Elements > Policies > Network Services. See Configure DNS Proxy for Concerto.

  • Ingress shaping configuration on single-tenant and multitenant devices—On single-tenant devices, egress and ingress shaping rates are configured based on the configured link-level QoS shaping rate and downlink bandwidth. On multitenant WAN interfaces, you can configure the uplink and downlink bandwidths for subtenants, and then the egress and ingress shaping rates are configured for the subtenants accordingly. See Configure Bandwidth Limits for Multitenant WAN Interfaces in Concerto.

  • Public key infrastructure (PKI)–based authentication on the SD-WAN overlay—You can deploy SD-WAN devices from Concerto to use PKI certificate-based authentication between devices and Controller nodes. You can deploy CA servers on the internet or in the data center reachable by the remote SD-WAN branch devices through Versa Controller nodes. See Configure a Secure SD-WAN Tenant.
  • Route redistribution policies—Concerto automatically generates redistribution policies to redistribute LAN-side routes into enterprise VRFs. The Concerto-generated configuration is based on the routing protocols enabled in the LAN VRF and the type of device (hub, hub–controller, spoke or full mesh; single appliance or active–active HA pair). In most deployments, customized redistribution policies are not required. However, if you want to customize redistribution policy terms, you can define route redistribution policies under Profile Elements > Policies > Routing and then attach the policies in the VPN instance configuration. When you attach a redistribution policy to a VPN instance, Concerto does not automatically configure any redistribution terms. You must configure all required terms in the redistribution policy. See Configure Redistribution Policies in Concerto.

  • Secondary IP addresses on WAN and LAN interfaces—You can configure more than one static IP address on LAN and WAN interfaces. See Configure Appliances, Hubs, and Hub–Controllers, Configure TVI-Based WAN Interfaces, and Configure VRRP and DHCP Relay on LAN Interfaces in Concerto.

  • Security profiles new GUI screens—The GUI screens for IP filter, IPS, malware protection, URL filtering, and user-defined security profiles have been updated to be larger.
  • Timezone setting—You can configure a device's timezone under System Settings policy. See Configure Tenant System Settings Profiles.

  • TLS decryption policies and profiles—You can configure TLS decryption policies and profiles under Profile Elements > Policies > Security. See Configure SD-WAN TLS Decryption in Concerto.

  • Traffic-steering policy new GUI screens—The GUI screens for traffic-steering policies and rules have been updated to be larger. See Configure Traffic-Steering Policies and Rules.

  • Tunnel CoS rewrite rules—You can configure SD-WAN overlay tunnel CoS rewrite globally, to apply them to all devices, under Settings > SD-WAN Overlay > Tunnel CoS. See Configure QoS Elements on Concerto.

  • User authentication profile—To authenticate and identify the user when sending traffic through SD-WAN devices, you can configure LDAP, SAML, RADIUS, and Versa Directory (local user database) profiles and authentication policies under Profile Elements > Policies > User and Device Authentication. See Configure SD-WAN User and Device Authentication.

  • User-based and group-based match criteria in policy rules—You can configure access control, application QoS, DNS proxy, TLS decryption, and traffic-steering rules in policies to match based on users and user groups. See Configure SD-WAN Security Access Control Policies and Rules.

Security Service Edge (SSE)

  • CASB profile enhancements—You can apply additional constraints in CASB profiles. To apply constraints, you refer to constraint profiles that are in CASB profiles. See Configure CASB Profiles.

  • Creation of address objects and URL categories by uploading a file—You can create user-defined address group objects and URL categories by uploading files that contain their definitions. See Configure SASE User-Defined Objects and Manage Files and Folders.

  • Customer LAN Interfaces on SSE gateways—You can define LAN interfaces on the SSE gateways to allow service providers to connect SSE gateways to PE routers in the tenant VRFs. Only service provider administrators can create and edit the LAN interfaces. Enterprise users can read the LAN interfaces configuration created in their tenant and can use them as source and destination zones to match in the policy rules. See Configure LAN Interfaces on SSE Gateways.

  • Custom signatures—You can upload custom signatures for IPS and CASB under SWG Profiles > Custom Signatures. See Configure Custom Signatures.

  • Digital experience monitoring—The DEM GUI is provided in the Concerto portal. See View Integrated Monitoring and Analytics.

  • Proxy autoconfiguration files for SSE connections—You can upload enterprise PAC files under Settings > User Defined Objects. See Configure SASE User-Defined Objects.

  • Roll back published configuration—You can preserve the history of the configurations last published to SSE gateways, and you can view the configuration changes between older published versions. See Publish SASE Gateways.

  • SASE for SIM—SASE for SIM allows mobile service providers to steer traffic from enterprise customer mobile devices to SSE gateways and to apply security features without installing the Versa Client on the mobile devices. You configure the device IMSIs and device groups under Security Service Edge > SASE for SIM. For device groups, you can configure real-time protection policy rules in the match criteria under User Device Groups. See Configure SASE for SIM.

  • SIEM integration—You can stream security logs from SSE gateways to a customer’s external log collectors, such as Splunk. See Configure SIEM Destinations.

  • SSE client prelogon—When a provider administrator enables prelogon for a tenant, the enterprise tenant administrator can download a prelogon JSON file, which can be used to configure the Versa Client on the enterprise user devices. See Configure SASE Secure Client Access Rules.

  • SSL-based VPNs—In secure client access rules, you can select the IPsec or SSL VPN protocol type, or both. When you enable both protocols, you can configure which one is the primary type. See Configure SASE Secure Client Access Rules.

  • User and device agent certificate-based authentication—Additional certificate-based Versa Client authentication methods are available. You can enable multiple authentication methods to authenticate users and devices. See Configure User and Device Authentication.

Enhancements in Concerto Release 12.1.2

This section describes the enhancements in Concerto Release 12.1.2.

SD-WAN

  • LAN interfaces in Active-Active HA master profiles—Enforce VRRP or a dynamic protocol configured on LAN interfaces in Active-Active HA master profile deployment. (ID 100730)
  • SaaS Application SLA tracking over Site-to-Site tunnels—Added an option to also enter VPN names in a SaaS application monitor, to enable SaaS application SLA tracking over site-to-site tunnels. (ID 111714)

Security Service Edge (SSE)

  • ATP profile configuration—Simplified ATP profile configuration with a new UX. (ID 107288)

  • DNS servers—Provide the ability to use different public DNS servers on different gateways based on the region. To define region-specific DNS servers, configure the system/dns on the gateway and discover appliances in the provider tenant. Concerto uses these gateway-specific DNS servers when generating public DNS configuration for sub-tenants. (ID 100165)
  • EIP profile enhancement—Add support for disk-encryption 'locations' and 'status' and EDR-XDR. (ID 111435)
  • Maximum concurrent logins—Add support in all Authentication Profiles for maximum concurrent logins for the same user-name using multiple devices. (ID 110238)
  • Password configuration options—Add new configuration options Password Max Age and Password Last Set in LDAP authentication profile configuration screen. (ID 101973)

  • Public IP address to be accessible for VSPA only subscriptions—Allow public IP address to be accessible for VSPA only subscriptions. Both public and private address prefixes are allowed for VSPA subscriptions as well in Secure Client Access > Profiles. (ID 114830)

  • Secure Client Access traffic-steering on Apple devices—Allow application based Secure Client Access traffic-steering on Apple devices. This option was previously supported on Windows and Android devices only. (ID 113692)

  • TCP optimization—Enable TCP Optimization for SMB protocol on SASE Gateways by default to optimize SMB protocol traffic. (ID 110259)

Fixed Bugs and Minor Enhancements in Concerto Release 12.1.1

The following table lists the critical and major defects that were fixed and minor enhancements that were added in Release 12.1.1.

Bug ID  Service      Description
92093   SD-WAN       Deleting service-template associated with the appliance on Concerto does not disassociate them from the device group on the Director node.
94234   SD-WAN       SD-WAN device View tab for HA pair devices displays whether the WAN interface is connected to the selected device or to the redundant pair device.
95305   SD-WAN       Show all tenant appliances as Publishing Pending when a tenant-level IPsec/IKE parameter is modified.
96306   SD-WAN       Prime SD-WAN license configures stateful firewall service instead of next-generation firewall service on VOS devices.
100561  SD-WAN       Add user-defined URL categories and security action objects for SD-WAN devices.
100741  SSE          Add support for configuring the group attribute in SAML authentication profiles.
103001  SSE          Add bind timeout and search timeout configuration options in LDAP profiles.
103101  SSE          SafeSearch dns-proxy logs are not seen on Analytics nodes.
103161  SSE          Add support for adding multiple gateway labels per gateway on the tenant screen.
103760  SSE          Add support for cloning security rules and profiles in the Concerto GUI.
105169  SSE          Add support for configuring a cache expiration timer in user authentication profiles.
105312  SSE          Add support for performing a URL or IP lookup on the SSE gateway.
105354  SD-WAN       Tenant user cannot configure SSE gateways in the exit location list in an SD-WAN forwarding profile.
106042  SD-WAN       Overlay TVI addresses overlap with the DIA split tunnel paired TVI if the tenant ID is larger than 300. The fix is to change the split-tunnel TVI number space to tvi-2/x.
106076  SD-WAN       An error may occur when you publish security policies that have rules that contain service groups.
107196  SSE          Add support for the NO_DIA circuit tag on SSE gateway WAN interfaces that are not supposed to be used for any internet connection activity. You can use this tag on private MPLS WAN circuits on SSE gateways.
107483  SSE          Issue with SAML RAS user authentication when the tenant name contains an underscore.
107768  SD-WAN, SSE  Add support for configuring both the host pattern and the IP prefix in a single custom application.
107789  SD-WAN       Add support for configuring native VLAN on Layer 2 interfaces in trunk mode.
108629  SD-WAN       ICMP packets from reachability monitor IP address used in a forwarding profile should be allowed if ICMP is blocked on the WAN interface.
109084  SD-WAN, SSE  SMTP authentication failure occurs even though authentication is set to false on Concerto.
109206  SSE          VSIA/VSPA policy-based IPsec tunnel traffic drops traffic that does not match any real-time protection rule, because it cannot select any zone in the drop-down menu and a zone is mandatory. In real-time protection rules, the source zone is now mandatory.
109223  SD-WAN       Concerto DHCP setting that contains a comma is stripped of all text after the comma when generating the configuration for the device.
109506  SD-WAN       Appliance ZTP fails when leading or trailing white spaces are present in the serial number when creating a device in the Concerto GUI.
109690  SD-WAN       When service templates are synchronized during device configuration in the Deploy Lifecycle, the master profile attached to the device should change to Custom.
109709  SSE          Remove mandatory source and destination port validation in policy-based site-to-site tunnel configurations. Ports are now optional.

Fixed Bugs in Concerto Release 12.1.2

The following table lists the critical and major defects that were fixed in Release 12.1.2.

Bug ID  Service  Summary
95300   SDWAN    Name change to a Policy in Master Profile does not change the Policy to custom
101514  SSE      Skip enterprise internal domains in implicitly created IP Cache DNS Proxy rule
102029  SDWAN    Multi-tenant QOS configuration on Redundant WAN interface was not migrated from 11.4.x to 12.1.1 release, causing the configuration to be missing after upgrading to 12.1.1
105057  INFRA    ping command from Concerto shell does not work for non-sudo users
106675  SDWAN    User and Device Authentication Profile: Review & Submit Tab needs text alignments for Settings
108554  SDWAN    Dismiss All Alarms at site level API fails and does not clear the alarms
108635  SDWAN    Unable to fetch interface details from Monitor > Networking Tab
108847  SSE      Settings > Subscriptions > Security Service Edge: Licenses Count on Summary page is not in sync with the details page
108859  SDWAN    Unable to clear filters or set new filter for Routing Table in SDWAN View routes
108930  SSE      Application logos are not showing in IPS-Vulnerability Rules
109007  SSE      Custom captive portal page doesn't show information like username and URL
109428  SSE      Trusted Routes are offloaded when Trusted Networks Hostname IP/FQDN is not defined. Fix: Trusted Routes shall be offloaded ONLY when Trust or Semi-Trust is established
109855  INFRA    Concerto Authentication fails when Primary Versa Director node services are down
109873  SDWAN    Path not found for federated path error while accessing ACL/TLS profile under policy from Basic Master Profile > Security
109922  SSE      User and Group based match criteria in Secure Client Access rule is not configured properly for Certificate authentication profile
109985  SSE      Delete API for non-existing profile like CASB returns code 200 OK
109987  SSE      Delete non-existing Internet-Protection rule returns no error message in response
110029  SSE      Create date is not shown on UI as backend returns value as 'null' for SAML Profile
110032  SDWAN    Not able to modify VPN policies (SDWAN) if any policy has a variable
110088  SDWAN    Application Category name should not accept special characters from user
110119  SSE      VMS disconnection caused director IMSI create failure, but Concerto saves IMSI in SASE for SIM devices
110147  SSE      In Concerto generated SAML configuration, host name includes Tenant Name even though “Include TENANT Name in FQDN” is disabled
110245  SSE      User defined EIP agent for custom category does not support space in file path
110284  INFRA    Allow accent characters in first and last name while creating users
110349  SDWAN    Allow updating device model for appliances before ZTP is completed for the device. Do not allow model number change only after ZTP is completed
110449  SDWAN    Not able to select multiple management server types in a single rule under Profile Elements > Policies > System > Management Servers
110600  SDWAN    WAN connection should not be mandatory when creating a DIA path in forwarding profile. WAN connection name or Nexthop should be present.
110770  SSE      LDAP Authentication Profile Publish to SASE-GW is failing with the error - Failed at GatewayServiceTemplateStage : Failed to create service template in director DirectorRestAPIException{errorCode=400 BAD_REQUEST, errorDetails=
110795  INFRA    Director Discovery adds all the controllers on the Director to all the discovered tenants from it
110804  SDWAN    In the Forwarding profile, when route path type is Direct Internet or Exit through SDWAN device, the max latency and max packet loss fields should only be allowed to be filled if the SLA monitor field is selected
110835  SSE      Sort user and group names when displaying in policy rules.
111013  SSE      Realtime Protection Rule Names Cached Incorrectly Across Tenants in UI, showing wrong rule names when user switches to another tenant
111118  SDWAN    Make Nexthop optional on VNI for WAN TVI type interface as Nexthop is not required if dynamic routing protocol is configured
111124  SSE      Fix issue with fetching users/groups from LDAP server when the tenant is deployed on multiple Versa Directors
111254  INFRA    SSO user login fails if the same external role mapping is present in 2 different tenants
111601  SDWAN    Unable to publish profile with Site-to-Site tunnel interface to Directors running 21.X with error ipsec:lef-profile-default","error-path". Fixed backward incompatibility issue.
111688  SDWAN    Asset summary counts do not add up with total appliance count in View > Secure SDWAN summary page
111744  SDWAN    Additional Controllers where tenant is not onboarded are showing in Site create UI in Deploy Life Cycle
111831  SSE      Create Date is not shown for auth profiles as backend returns null value
112064  SSE      Authentication rules can't be deleted. Backend returns error "Entity is referenced by one or more places, deletion abort"
112098  SDWAN    Dual stack IRB interfaces from Concerto are not generating any policy configuration in LAN-VR to advertise or receive IPv6 BGP prefixes
112115  INFRA    Directors are not listed in tenant create page if the license installed on Director is contract year 2018
112202  SSE      User and groups are not seen on the internet protection rules UI. They are shown only after toggle of the tab in the rule.
112274  SDWAN    Policy Elements->Device->Interface: Saving an Interface with VRRP configuration fails with "There was an error while updating entity. Please try again later." (java.lang.NullPointerException: null)
112403  SSE      Internet Protection Rule Display Issue. "Known Users" are displayed as "All Users"
112479  SSE      When an Authentication Profile or Internet Protection Rule is updated, the last modified date is not getting updated
116047  INFRA    /v1/system/setting API allows negative numbers for max publishing history and invalid values for other parameters
116670  SSE      "Last Modified" is not reflected for Site-To-Site tunnels and Authentication Profiles
115567  SSE      When Internet Protection Rules are reordered, Gateways publish status is not getting changed
116343  SSE      GW Publish fails when more than one resolver added in application Obfuscation configuration
110213  SDWAN    Unable to open or edit the existing DHCP Service in Basic Master Profile.
116514  SDWAN    LAN interface scheduler configuration is not generated when published to SDWAN appliance
115844  SSE      Internet Protection rules disappear when re-order API is called with incorrect payload
111563  SDWAN    Concerto generated configuration on HCN is showing 4 LEF collectors (show configuration orgs org-services provider-org lef collectors) when only 2 Controllers are configured at system level (show conf system sd-wan controllers)
110109  SSE      Hub as Gateway functionality serving multiple regions with different hub priorities uses only one region information in the configuration
112833  SSE      Trusted Network Hostname in Secure Client Access rule Client Controls must be FQDN and should not accept IP address
113865  SDWAN    Error in SNMPv3 configuration generated by Concerto when SNMPv2 or SNMPv3 are not enabled
113931  INFRA    Not able to change the Security Package (spack) link under spack configuration window
111453  SDWAN    Service templates association is not removed in the Device Group on the Director when user removes service templates from the master profile on Concerto
113507  INFRA    Upgrading Concerto with FIPS image stuck at services not coming up state
116278  SDWAN    Speed test not working due to versa-speedtest zone pushed by Concerto in sub tenant on a multi-tenant appliance
116970  SDWAN    Concerto Slowness & publish takes more time due to heavy database queries by monitoring service

Vulnerability Fixes in Concerto 12.1.2

The following table lists the vulnerability issues that were fixed in Release 12.1.2.

Bug ID  Summary
109741  Update Linux kernel to 5.4.0-195.
112069  Fix swagger issue of APIs execution without authentication.
112885  Block access to swagger-ui.html if the user is not logged in.
116061  Information Disclosure: /portalapi/v1/tenants/{tenant-uuid}/file/folder/fetchZip API can be used to get information from disk.
115330  Files and Folders API exposes Path Traversal vulnerability. Allow upload and delete files under /var/versa/.

Known Limitations and Behavioral Changes in Concerto Release 12.1.1

The following are the limitations and behavior changes in Release 12.1.1:

  • SD-WAN forwarding profiles, TCP optimization profiles and user-defined objects under elements that are propagated from a parent tenant cannot be modified under a child tenant.
  • Monitor objects attached to a DNS server under DNS proxy profile do not take effect when generating the VOS configuration.
  • Certificate (PKI)–based authentication does not work on hub–controller nodes (HCN).

Known Limitations and Behavioral Changes in Concerto Release 12.1.2

The following are the limitations and behavior changes in Release 12.1.2:

  • SD-WAN forwarding profiles, TCP optimization profiles and user-defined objects under elements that are propagated from a parent tenant cannot be modified under a child tenant.
  • Monitor objects attached to a DNS server under DNS proxy profile do not take effect when generating the VOS configuration.
  • Certificate (PKI)–based authentication does not work on hub–controller nodes (HCN).

Concerto 12.1.1 REST API Updates

The attached files list the REST API changes for Concerto Release 12.1.1:

Concerto 12.1.2 REST API Updates

The attached files list the REST API changes for Concerto Release 12.1.2:

Concerto Release 12.1.1 Director Version Compatibility

Concerto 12.1.1 is compatible with Director and VOS versions 21.2.2, 21.2.3, 22.1.2, 22.1.3, and 22.1.4 for SD-WAN services. For the SSE service, Director, Analytics, and Gateways need to be on VOS Release 22.1.4.

Concerto Release 12.1.2 Director Version Compatibility

Concerto 12.1.2 is compatible with Director and VOS versions 21.2.3, 22.1.2, 22.1.3 and 22.1.4 for SD-WAN services. For the SSE service, Director, Analytics, and Gateways need to be on VOS Release 22.1.4.

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Revision History

Revision 1—Release 12.1.1, May 6, 2024
Revision 2—Release 12.1.2, October 31, 2024
