Versa Concerto Release Notes for Release 12.1
These release notes describe features, enhancements, fixes, and known issues in Concerto Release 12.1, for Releases 12.1.1 and 12.1.2.
October 31, 2024
Revision 2
Product Documentation
The Versa Networks product documentation is located at https://docs.versa-networks.com.
Install Concerto
If you are installing new Concerto instances, follow the steps in Install Concerto.
Upgrade Concerto
Warning: Before you upgrade to Concerto 12.1.2, ensure that the current operating system security package (OS SPack) is installed on all the nodes in the cluster.
To check that the current OS SPack is installed on all the nodes in a cluster:
- Download the latest OS SPack from https://versanetworks.box.com/v/osspack or from the alternate download server at https://download.versa-networks.com/index.php/s/nEkF9xOO3e7BA9Z.
- Copy the OS SPack to /var/versa/ecp/share/packages.
- On each node, issue the vsh stop command to stop all Versa services.
- On each node, execute the OS SPack file:
sudo /var/versa/ecp/share/packages/versa-concerto-osspack-B-20241014.bin
- If errors are seen during package installation, re-install the same package.
- Reboot each node.
To upgrade Concerto nodes from Release 11.x.x to Release 12.1.1 or 12.1.2:
- Download the Concerto 12.1.2 bin file to the /var/versa/ecp/share/packages directory on any one of the nodes in the Concerto cluster. The bin file is automatically synced to all other nodes in the cluster.
- Generate a backup of the existing Concerto cluster by issuing the vsh database backup create command. To verify that the backup has been created, check the output of the vsh database backup list command.
- To upgrade to the new version of software, issue the vsh system package upgrade package-bin-filename command. This command triggers the upgrade process on all the nodes in the cluster. The upgrade debug logs are saved to the upgrade.log and install.log files in the /var/log/ecp directory.
- After the upgrade process completes, services start automatically on all the nodes. If the upgrade fails, the system automatically rolls back to the previous software image running on all the nodes.
- To check that the services are running, issue the vsh status command:
admin@concerto-1:~$ vsh status
postgresql is Running
zookeeper is Running
kafka is Running
solr is Running
glances is Running
mgmt-service is Running
web-service is Running
cache-service is Running
core-service is Running
monitoring-service is Running
traefik is Running
The docker service ls command also shows the status of the services.
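The upgrade procedure above ends with a manual read of the vsh status output. The following script is an added example (it is not part of the Versa documentation or product) that turns that read into a scripted post-upgrade health check: it parses the one-line-per-service output that vsh status prints, compares it against the service list shown above, and reports anything that is absent or not Running. The sample output embedded at the bottom is constructed, and the assumption that vsh is on the PATH of the account running the check is noted in the code.

```python
"""Post-upgrade health check for a Concerto node (added example, not Versa tooling).

Parses the `vsh status` output format shown in the release notes
("<service> is <state>", one service per line) and reports services that are
missing or in any state other than Running.
"""
import re
import subprocess

# Services listed in the `vsh status` output in the release notes.
EXPECTED_SERVICES = (
    "postgresql", "zookeeper", "kafka", "solr", "glances", "mgmt-service",
    "web-service", "cache-service", "core-service", "monitoring-service", "traefik",
)

# One status line: service name, the word "is", then a single-word state.
_STATUS_LINE = re.compile(r"^\s*(?P<service>[\w.-]+)\s+is\s+(?P<state>\S+)\s*$")


def parse_vsh_status(output: str) -> dict:
    """Map service name -> state. Lines that do not match the status format
    (for example the shell prompt echoing the command) are ignored."""
    states = {}
    for line in output.splitlines():
        m = _STATUS_LINE.match(line)
        if m:
            states[m.group("service")] = m.group("state")
    return states


def unhealthy_services(output: str, expected=EXPECTED_SERVICES) -> list:
    """Return (service, state) pairs for every expected service that is not
    Running. A service missing from the output is reported with state 'absent'."""
    states = parse_vsh_status(output)
    problems = []
    for svc in expected:
        state = states.get(svc, "absent")
        if state != "Running":
            problems.append((svc, state))
    return problems


def check_node(run=None) -> list:
    """Collect `vsh status` on this node and return the problem list.
    Assumes `vsh` is on PATH; pass `run` to inject captured output instead."""
    if run is None:
        def run():
            return subprocess.run(["vsh", "status"], capture_output=True,
                                  text=True, check=False).stdout
    return unhealthy_services(run())


# Constructed sample: one service still starting after an upgrade.
SAMPLE_OUTPUT = """admin@concerto-1:~$ vsh status
postgresql is Running
zookeeper is Running
kafka is Running
solr is Running
glances is Running
mgmt-service is Running
web-service is Starting
cache-service is Running
core-service is Running
monitoring-service is Running
traefik is Running
"""

if __name__ == "__main__":
    import sys
    problems = check_node()
    for svc, state in problems:
        print(f"NOT READY: {svc} is {state}")
    sys.exit(1 if problems else 0)
```

Run it on each node after the upgrade completes; a non-zero exit means at least one service has not reached Running, which is the point at which the notes say to inspect upgrade.log and install.log in /var/log/ecp.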
New Features and Enhancements in Concerto Release 12.1.1
This section describes the new features and enhancements in Concerto Release 12.1.1.
SD-WAN
- ALG settings—You can configure Application-Layer Gateway (ALG) settings. See Configure Application Layer Gateway (ALG).
- Application QoS policy new GUI screens—The GUI screens for application QoS policies and rules have been updated to be larger. See Configure QoS Policies and Rules.
- Bulk device upgrades—You can select multiple devices and upgrade the software, SPack, or OS SPack as a group. You can upgrade packages directly on Concerto portal under the Inventory page. See Concerto Inventory Lifecycle, Use OSPacks with Concerto, Use SPacks with Concerto, and Upgrade VOS Software from Concerto.
- Deploy VOS devices as standalone NGFW, router, and UTM devices—You can deploy VOS devices as standalone NGFW, router, or UTM devices by selecting the appropriate solution tier in the master profile. The solution tier controls which features are configured in the master profile. See Configure a Secure SD-WAN Tenant.
- DNS proxy policies and profiles—You can configure DNS proxy policies and profiles under Profile Elements > Policies > Network Services. See Configure DNS Proxy for Concerto.
- Ingress shaping configuration on single-tenant and multitenant devices—On single-tenant devices, egress and ingress shaping rates are configured based on the configured link-level QoS shaping rate and downlink bandwidth. On multitenant WAN interfaces, you can configure the uplink and downlink bandwidths for subtenants, and then the egress and ingress shaping rates are configured for the subtenants accordingly. See Configure Bandwidth Limits for Multitenant WAN Interfaces in Concerto.
- Public key infrastructure (PKI)–based authentication on the SD-WAN overlay—You can deploy SD-WAN devices from Concerto to use PKI certificate-based authentication between devices and Controller nodes. You can deploy CA servers on the internet or in the data center reachable by the remote SD-WAN branch devices through Versa Controller nodes. See Configure a Secure SD-WAN Tenant.
- Route redistribution policies—Concerto automatically generates redistribution policies to redistribute LAN-side routes into enterprise VRFs. The Concerto-generated configuration is based on the routing protocols enabled in the LAN VRF and the type of device (hub, hub–controller, spoke or full mesh; single appliance or active–active HA pair). In most deployments, customizing the redistribution policies is not required. However, if you want to customize redistribution policy terms, you can define route redistribution policies under Profile Elements > Policies > Routing and then attach the policies in the VPN instance configuration. When you attach a redistribution policy to a VPN instance, Concerto does not automatically configure any redistribution terms. You must configure all required terms in the redistribution policy. See Configure Redistribution Policies in Concerto.
- Secondary IP addresses on WAN and LAN interfaces—You can configure more than one static IP address on LAN and WAN interfaces. See Configure Appliances, Hubs, and Hub–Controllers, Configure TVI-Based WAN Interfaces, and Configure VRRP and DHCP Relay on LAN Interfaces in Concerto.
- Security profiles new GUI screens—The GUI screens for IP filter, IPS, malware protection, URL filtering, and user-defined security profiles have been updated to be larger.
- Timezone setting—You can configure a device's timezone under System Settings policy. See Configure Tenant System Settings Profiles.
- TLS decryption policies and profiles—You can configure TLS decryption policies and profiles under Profile Elements > Policies > Security. See Configure SD-WAN TLS Decryption in Concerto.
- Traffic-steering policy new GUI screens—The GUI screens for traffic-steering policies and rules have been updated to be larger. See Configure Traffic-Steering Policies and Rules.
- Tunnel CoS rewrite rules—You can configure SD-WAN overlay tunnel CoS rewrite globally, to apply them to all devices, under Settings > SD-WAN Overlay > Tunnel CoS. See Configure QoS Elements on Concerto.
- User authentication profile—To authenticate and identify the user when sending traffic through SD-WAN devices, you can configure LDAP, SAML, RADIUS, and Versa Directory (local user database) profiles and authentication policies under Profile Elements > Policies > User and Device Authentication. See Configure SD-WAN User and Device Authentication.
- User-based and group-based match criteria in policy rules—You can configure access control, application QoS, DNS proxy, TLS decryption, and traffic-steering rules in policies to match based on users and user groups. See Configure SD-WAN Security Access Control Policies and Rules.
Security Service Edge (SSE)
- CASB profile enhancements—You can apply additional constraints in CASB profiles by referencing constraint profiles from the CASB profile. See Configure CASB Profiles.
- Creation of address objects and URL categories by uploading a file—You can create user-defined address group objects and URL categories by uploading files that contain their definitions. See Configure SASE User-Defined Objects and Manage Files and Folders.
- Customer LAN Interfaces on SSE gateways—You can define LAN interfaces on the SSE gateways to allow service providers to connect SSE gateways to PE routers in the tenant VRFs. Only service provider administrators can create and edit the LAN interfaces. Enterprise users can read the LAN interfaces configuration created in their tenant and can use them as source and destination zones to match in the policy rules. See Configure LAN Interfaces on SSE Gateways.
- Custom signatures—You can upload custom signatures for IPS and CASB under SWG Profiles > Custom Signatures. See Configure Custom Signatures.
- Digital experience monitoring—The DEM GUI is provided in the Concerto portal. See View Integrated Monitoring and Analytics.
- Proxy autoconfiguration files for SSE connections—You can upload enterprise PAC files under Settings > User Defined Objects. See Configure SASE User-Defined Objects.
- Roll back published configuration—You can preserve the history of the configurations last published to SSE gateways, and you can view the configuration changes between older published versions. See Publish SASE Gateways.
- SASE for SIM—SASE for SIM allows mobile service providers to steer traffic from enterprise customer mobile devices to SSE gateways and to apply security features without installing the Versa Client on the mobile devices. You configure the device IMSIs and device groups under Security Service Edge > SASE for SIM. For device groups, you can configure real-time protection policy rules in the match criteria under User Device Groups. See Configure SASE for SIM.
- SIEM integration—You can stream security logs from SSE gateways to a customer’s external log collectors, such as Splunk. See Configure SIEM Destinations.
- SSE client prelogon—When a provider administrator enables prelogon for a tenant, the enterprise tenant administrator can download a prelogon JSON file, which can be used to configure the Versa Client on the enterprise user devices. See Configure SASE Secure Client Access Rules.
- SSL-based VPNs—In secure client access rules, you can select the IPsec or SSL VPN protocol type, or both. When you enable both protocols, you can configure which one is the primary type. See Configure SASE Secure Client Access Rules.
- User and device agent certificate-based authentication—Additional certificate-based Versa Client authentication methods are available. You can enable multiple authentication methods to authenticate users and devices. See Configure User and Device Authentication.
Enhancements in Concerto Release 12.1.2
This section describes the enhancements in Concerto Release 12.1.2.
SD-WAN
- LAN interfaces in Active-Active HA master profiles—Enforce VRRP or a dynamic protocol configured on LAN interfaces in Active-Active HA master profile deployment. (ID 100730)
- SaaS application SLA tracking over site-to-site tunnels—Added an option to also enter VPN names in a SaaS application monitor, which enables SaaS application SLA tracking over site-to-site tunnels. (ID 111714)
Security Service Edge (SSE)
- ATP profile configuration—Simplified ATP profiles configurations with new UX. (ID 107288)
- DNS servers—Provide the ability to use different public DNS servers on different gateways based on the region. To define region-specific DNS servers, configure system/dns on the gateway and discover appliances in the provider tenant. Concerto uses these gateway-specific DNS servers when generating the public DNS configuration for subtenants. (ID 100165)
- EIP profile enhancement—Add support for disk-encryption 'locations' and 'status' and EDR-XDR. (ID 111435)
- Maximum concurrent logins—Add support in all Authentication Profiles for maximum concurrent logins for the same user-name using multiple devices. (ID 110238)
- Password configuration options—Add new configuration options Password Max Age and Password Last Set in LDAP authentication profile configuration screen. (ID 101973)
- Public IP address to be accessible for VSPA only subscriptions—Allow public IP address to be accessible for VSPA only subscriptions. Both public and private address prefixes are allowed for VSPA subscriptions as well in Secure Client Access > Profiles. (ID 114830)
- Secure Client Access traffic-steering on Apple devices—Allow application-based Secure Client Access traffic-steering on Apple devices. This option was previously supported on Windows and Android devices only. (ID 113692)
- TCP optimization—Enable TCP optimization for the SMB protocol on SASE gateways by default to optimize SMB protocol traffic. (ID 110259)
Fixed Bugs and Minor Enhancements in Concerto Release 12.1.1
The following table lists the critical and major defects that were fixed and minor enhancements that were added in Release 12.1.1.
Bug ID | Service | Description
---|---|---
92093 | SD-WAN | Deleting a service template associated with the appliance on Concerto does not disassociate it from the device group on the Director node.
94234 | SD-WAN | SD-WAN device View tab for HA pair devices displays whether the WAN interface is connected to the selected device or to the redundant pair device.
95305 | SD-WAN | Show all tenant appliances as Publishing Pending when a tenant-level IPsec/IKE parameter is modified.
96306 | SD-WAN | Prime SD-WAN license configures the stateful firewall service instead of the next-generation firewall service on VOS devices.
100561 | SD-WAN | Add user-defined URL categories and security action objects for SD-WAN devices.
100741 | SSE | Add support for configuring the group attribute in SAML authentication profiles.
103001 | SSE | Add bind timeout and search timeout configuration options in LDAP profiles.
103101 | SSE | SafeSearch dns-proxy logs are not seen on Analytics nodes.
103161 | SSE | Add support for adding multiple gateway labels per gateway on the tenant screen.
103760 | SSE | Add support for cloning security rules and profiles in the Concerto GUI.
105169 | SSE | Add support for configuring a cache expiration timer in user authentication profiles.
105312 | SSE | Add support for performing a URL or IP lookup on the SSE gateway.
105354 | SD-WAN | Tenant user cannot configure SSE gateways in the exit location list in an SD-WAN forwarding profile.
106042 | SD-WAN | Overlay TVI addresses overlap with the DIA split-tunnel paired TVI if the tenant ID is larger than 300. The fix is to change the split-tunnel TVI number space to tvi-2/x.
106076 | SD-WAN | An error may occur when you publish security policies that have rules that contain service groups.
107196 | SSE | Add support for the NO_DIA circuit tag on SSE gateway WAN interfaces that are not supposed to be used for any internet connection activity. You can use this tag on private MPLS WAN circuits on SSE gateways.
107483 | SSE | Issue with SAML RAS user authentication when the tenant name contains an underscore.
107768 | SD-WAN, SSE | Add support for configuring both the host pattern and the IP prefix in a single custom application.
107789 | SD-WAN | Add support for configuring a native VLAN on Layer 2 interfaces in trunk mode.
108629 | SD-WAN | ICMP packets from the reachability monitor IP address used in a forwarding profile should be allowed even if ICMP is blocked on the WAN interface.
109084 | SD-WAN, SSE | SMTP authentication failure occurs even though authentication is set to false on Concerto.
109206 | SSE | VSIA/VSPA policy-based IPsec tunnel traffic drops traffic that does not match any real-time protection rule, because no zone can be selected in the drop-down menu and a zone is mandatory. In real-time protection rules, the source zone is now mandatory.
109223 | SD-WAN | A Concerto DHCP setting that contains a comma is stripped of all text after the comma when generating the configuration for the device.
109506 | SD-WAN | Appliance ZTP fails when leading or trailing white spaces are present in the serial number when creating a device in the Concerto GUI.
109690 | SD-WAN | When service templates are synchronized during device configuration in the Deploy Lifecycle, the master profile attached to the device should change to Custom.
109709 | SSE | Remove mandatory source and destination port validation in policy-based site-to-site tunnel configurations. Ports are now optional.
Fixed Bugs in Concerto Release 12.1.2
The following table lists the critical and major defects that were fixed in Release 12.1.2.
Bug ID | Service | Summary
---|---|---
95300 | SDWAN | Name change to a Policy in Master Profile does not change the Policy to custom
101514 | SSE | Skip enterprise internal domains in implicitly created IP Cache DNS Proxy rule
102029 | SDWAN | Multi-tenant QoS configuration on Redundant WAN interface was not migrated from 11.4.x to 12.1.1, causing the configuration to be missing after upgrading to 12.1.1
105057 | INFRA | ping command from Concerto shell does not work for non-sudo users
106675 | SDWAN | User and Device Authentication Profile: Review & Submit tab needs text alignment for Settings
108554 | SDWAN | Dismiss All Alarms at site level API fails and does not clear the alarms
108635 | SDWAN | Unable to fetch interface details from Monitor > Networking tab
108847 | SSE | Settings > Subscriptions > Security Service Edge: Licenses count on Summary page is not in sync with the details page
108859 | SDWAN | Unable to clear filters or set new filter for Routing Table in SDWAN View routes
108930 | SSE | Application logos are not showing in IPS-Vulnerability Rules
109007 | SSE | Custom captive portal page doesn't show information like username and URL
109428 | SSE | Trusted Routes are offloaded when Trusted Networks Hostname IP/FQDN is not defined. Fix: Trusted Routes shall be offloaded ONLY when Trust or Semi-Trust is established
109855 | INFRA | Concerto authentication fails when Primary Versa Director node services are down
109873 | SDWAN | "Path not found for federated path" error while accessing ACL/TLS profile under policy from Basic Master Profile > Security
109922 | SSE | User and group based match criteria in Secure Client Access rule is not configured properly for Certificate authentication profile
109985 | SSE | Delete API for non-existing profile like CASB returns code 200 OK
109987 | SSE | Delete non-existing Internet-Protection rule returns no error message in response
110029 | SSE | Create date is not shown on UI as backend returns value as 'null' for SAML Profile
110032 | SDWAN | Not able to modify VPN policies (SDWAN) if any policy has a variable
110088 | SDWAN | Application Category name should not accept special characters from user
110119 | SSE | VMS disconnection caused Director IMSI create failure, but Concerto saves IMSI in SASE for SIM devices
110147 | SSE | In Concerto generated SAML configuration, host name includes Tenant Name even though "Include TENANT Name in FQDN" is disabled
110245 | SSE | User defined EIP agent for custom category does not support space in file path
110284 | INFRA | Allow accent characters in first and last name while creating users
110349 | SDWAN | Allow updating device model for appliances before ZTP is completed for the device. Do not allow model number change only after ZTP is completed
110449 | SDWAN | Not able to select multiple management server types in a single rule under Profile Elements > Policies > System > Management Servers
110600 | SDWAN | WAN connection should not be mandatory when creating a DIA path in forwarding profile. WAN connection name or Nexthop should be present.
110770 | SSE | LDAP Authentication Profile publish to SASE-GW is failing with the error - Failed at GatewayServiceTemplateStage : Failed to create service template in director DirectorRestAPIException{errorCode=400 BAD_REQUEST, errorDetails=
110795 | INFRA | Director Discovery adds all the controllers on the Director to all the discovered tenants from it
110804 | SDWAN | In the Forwarding profile, when route path type is Direct Internet or Exit through SDWAN device, the max latency and max packet loss fields should only be allowed to be filled if the SLA monitor field is selected
110835 | SSE | Sort user and group names when displaying in policy rules.
111013 | SSE | Realtime Protection Rule names cached incorrectly across tenants in UI, showing wrong rule names when user switches to another tenant
111118 | SDWAN | Make Nexthop optional on VNI for WAN TVI type interface as Nexthop is not required if dynamic routing protocol is configured
111124 | SSE | Fix issue with fetching users/groups from LDAP server when the tenant is deployed on multiple Versa Directors
111254 | INFRA | SSO user login fails if the same external role mapping is present in 2 different tenants
111601 | SDWAN | Unable to publish profile with Site-to-Site tunnel interface to Directors running 21.X with error ipsec:lef-profile-default","error-path". Fixed backward incompatibility issue.
111688 | SDWAN | Asset summary counts do not add up with total appliance count in View > Secure SDWAN summary page
111744 | SDWAN | Additional Controllers where tenant is not onboarded are showing in Site create UI in Deploy Life Cycle
111831 | SSE | Create Date is not shown for auth profiles as backend returns null value
112064 | SSE | Authentication rules can't be deleted. Backend returns error "Entity is referenced by one or more places, deletion abort"
112098 | SDWAN | Dual stack IRB interfaces from Concerto are not generating any policy configuration in LAN-VR to advertise or receive IPv6 BGP prefixes
112115 | INFRA | Directors are not listed in tenant create page if the license installed on Director is contract year 2018
112202 | SSE | Users and groups are not seen on the internet protection rules UI. They are shown only after toggling the tab in the rule.
112274 | SDWAN | Policy Elements > Device > Interface: Saving an Interface with VRRP configuration fails with "There was an error while updating entity. Please try again later." (java.lang.NullPointerException: null)
112403 | SSE | Internet Protection Rule display issue: "Known Users" are displayed as "All Users"
112479 | SSE | When an Authentication Profile or Internet Protection Rule is updated, the last modified date is not getting updated
116047 | INFRA | /v1/system/setting API allows negative numbers for max publishing history and invalid values for other parameters
116670 | SSE | "Last Modified" is not reflected for Site-To-Site tunnels and Authentication Profiles
115567 | SSE | When Internet Protection Rules are reordered, Gateways publish status is not getting changed
116343 | SSE | GW Publish fails when more than one resolver is added in application Obfuscation configuration
110213 | SDWAN | Unable to open or edit the existing DHCP Service in Basic Master Profile.
116514 | SDWAN | LAN interface scheduler configuration is not generated when published to SDWAN appliance
115844 | SSE | Internet Protection rules disappear when re-order API is called with incorrect payload
111563 | SDWAN | Concerto generated configuration on HCN is showing 4 LEF collectors (show configuration orgs org-services provider-org lef collectors) when only 2 Controllers are configured at system level (show conf system sd-wan controllers)
110109 | SSE | Hub as Gateway functionality serving multiple regions with different hub priorities uses only one region's information in the configuration
112833 | SSE | Trusted Network Hostname in Secure Client Access rule Client Controls must be FQDN and should not accept IP address
113865 | SDWAN | Error in SNMPv3 configuration generated by Concerto when SNMPv2 or SNMPv3 are not enabled
113931 | INFRA | Not able to change the Security Package (spack) link under spack configuration window
111453 | SDWAN | Service templates association is not removed in the Device Group on the Director when user removes service templates from the master profile on Concerto
113507 | INFRA | Upgrading Concerto with FIPS image stuck at services not coming up state
116278 | SDWAN | Speed test not working due to versa-speedtest zone pushed by Concerto in sub tenant on a multi-tenant appliance
116970 | SDWAN | Concerto slowness and publish takes more time due to heavy database queries by monitoring service
Vulnerability Fixes in Concerto 12.1.2
The following table lists the vulnerability issues that were fixed in Release 12.1.2.
Bug ID | Summary
---|---
109741 | Update Linux kernel to 5.4.0-195.
112069 | Fix Swagger issue of API execution without authentication.
112885 | Block access to swagger-ui.html if the user is not logged in.
116061 | Information disclosure: the /portalapi/v1/tenants/{tenant-uuid}/file/folder/fetchZip API can be used to get information from disk.
115330 | Files and Folders API exposes a path traversal vulnerability. Allow upload and delete of files under /var/versa/.
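Two of the fixes above describe request patterns that an operator may want to look for in the period before the upgrade: Swagger UI being served to a client that has not logged in (112069, 112885), and traversal sequences in requests to the Files and Folders API (115330, 116061). The following script is an added example, not part of the Versa product or its documentation. It assumes that requests to the Concerto portal are logged in a combined-log-like format with method, path and status; the log format on a real node and the sample lines embedded in the script are constructed assumptions. It flags a swagger-ui.html request that received a 2xx response, and any request under the /portalapi/v1/tenants/{tenant-uuid}/file/folder/ path family whose path or query contains a ".." segment after percent-decoding (decoding is repeated so that double-encoded segments are not missed).

```python
"""Access-log triage for the Swagger UI and Files and Folders API fixes
(added example, not Versa tooling; log format and sample lines are assumptions).
"""
import re
from urllib.parse import unquote

# Combined-log-like line: client, timestamp, "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Files and Folders API family named in the fix table; the tenant UUID is one segment.
FILE_API_RE = re.compile(r"^/portalapi/v1/tenants/[^/]+/file/folder/")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so doubly encoded '..' is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_dotdot(value: str) -> bool:
    """True if any token split on path/query separators is exactly '..'."""
    return ".." in re.split(r"[/\\&=]", value)


def classify(line: str):
    """Return (tag, detail) for a request matching one of the fixed patterns, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    path, _, query = raw.partition("?")
    path, query = decode_fully(path), decode_fully(query)
    status = int(m.group("status"))

    # swagger-ui.html delivered (2xx): pre-fix, this needed no login (112069/112885).
    if path.endswith("/swagger-ui.html") and 200 <= status < 300:
        return ("swagger-ui-served", f"{m.group('ip')} received {status} for {path}")

    # '..' in the path or query of a Files and Folders API request (115330/116061).
    if FILE_API_RE.match(path) and (has_dotdot(path) or has_dotdot(query)):
        return ("file-api-traversal", f"{m.group('ip')} {m.group('method')} {raw} -> {status}")
    return None


def scan(lines) -> list:
    """Classify every line and return the list of (tag, detail) hits."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append(result)
    return hits


# Constructed sample log: one Swagger hit, one benign API call, two traversal attempts.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2024:10:00:01 +0000] "GET /swagger-ui.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Nov/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 900',
    '198.51.100.4 - - [01/Nov/2024:10:01:00 +0000] "GET /portalapi/v1/tenants/abc-123/file/folder/fetchZip?path=reports HTTP/1.1" 200 4096',
    '198.51.100.4 - - [01/Nov/2024:10:01:05 +0000] "GET /portalapi/v1/tenants/abc-123/file/folder/fetchZip?path=..%2F..%2Fprivate HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Nov/2024:10:01:09 +0000] "POST /portalapi/v1/tenants/abc-123/file/folder/%252e%252e/%252e%252e/upload HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for tag, detail in scan(SAMPLE_LOG):
        print(f"{tag}: {detail}")
```

A 403 on a traversal attempt is still worth a look, since the fix table describes the pre-12.1.2 behaviour as allowing such requests; correlating the hits with the client address and the login events for that session is the usual next step.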
Known Limitations and Behavioral Changes in Concerto Release 12.1.1
The following are the limitations and behavior changes in Release 12.1.1:
- SD-WAN forwarding profiles, TCP optimization profiles and user-defined objects under elements that are propagated from a parent tenant cannot be modified under child tenant.
- Monitor objects attached to a DNS server under a DNS proxy profile do not take effect when generating the VOS configuration.
- Certificate (PKI)–based authentication does not work on hub–controller nodes (HCN).
Known Limitations and Behavioral Changes in Concerto Release 12.1.2
The following are the limitations and behavior changes in Release 12.1.2:
- SD-WAN forwarding profiles, TCP optimization profiles and user-defined objects under elements that are propagated from a parent tenant cannot be modified under child tenant.
- Monitor objects attached to a DNS server under a DNS proxy profile do not take effect when generating the VOS configuration.
- Certificate (PKI)–based authentication does not work on hub–controller nodes (HCN).
Concerto 12.1.1 REST API Updates
The attached files list the REST API changes for Concerto Release 12.1.1:
Concerto 12.1.2 REST API Updates
The attached files list the REST API changes for Concerto Release 12.1.2:
Concerto Release 12.1.1 Director Version Compatibility
Concerto 12.1.1 is compatible with Director and VOS versions 21.2.2, 21.2.3, 22.1.2, 22.1.3, and 22.1.4 for SD-WAN services. For the SSE service, Director, Analytics, and Gateways need to be on VOS Release 22.1.4.
Concerto Release 12.1.2 Director Version Compatibility
Concerto 12.1.2 is compatible with Director and VOS versions 21.2.3, 22.1.2, 22.1.3, and 22.1.4 for SD-WAN services. For the SSE service, Director, Analytics, and Gateways need to be on VOS Release 22.1.4.
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Revision History
Revision 1—Release 12.1.1, May 6, 2024
Revision 2—Release 12.1.2, October 31, 2024