Versa Concerto Release Notes for Release 11.4
These release notes describe features, enhancements, fixes, and known issues in Concerto Release 11.4, for Releases 11.4.1 through 11.4.4.
July 12, 2024
Revision 4
Product Documentation
The Versa Networks product documentation is located at https://docs.versa-networks.com.
Install Concerto
If you are installing new Concerto instances, follow the steps in Install Concerto.
Upgrade Concerto
Caution: Before you upgrade to Concerto 11.4.4, ensure that the current operating system security package (OS SPack) is installed on all the nodes in the cluster. To check that the current OS SPack is installed on all nodes in the cluster:
- Download the latest OS SPack from https://versanetworks.box.com/v/osspack or from an alternate download server at https://download.versa-networks.com/index.php/s/nEkF9xOO3e7BA9Z.
- Copy the OS SPack to /var/versa/ecp/share/packages.
- On each node, issue the vsh stop command to stop all Versa services.
- On each node, execute the OS SPack file:
sudo /var/versa/ecp/share/packages/versa-concerto-osspack-B-20240605.bin
- Reboot each node.
To upgrade Concerto nodes from Release 11.x.x to Release 11.4.4:
- Download the Concerto 11.4.4 bin file to the /var/versa/ecp/share/packages directory on any one of the nodes in the Concerto cluster. The bin file is automatically synced to all other nodes in the cluster.
- Generate a backup of the existing Concerto cluster by issuing the vsh database backup create command. To verify that the backup has been created, check the output of vsh database backup list command.
- To upgrade to the new version of software, issue the vsh system package upgrade package-bin-filename command. This command triggers the upgrade process on all the nodes in the cluster. The upgrade debug logs are saved to the upgrade.log and install.log files in the /var/log/ecp directory.
- After the upgrade process completes, services start automatically on all the nodes. If the upgrade fails, the system automatically rolls back to the previous software image running on all the nodes.
- To check that the services are running, issue the vsh status command:
admin@concerto-1:~$ vsh status postgresql is Running zookeeper is Running kafka is Running solr is Running glances is Running mgmt-service is Running web-service is Running cache-service is Running core-service is Running monitoring-service is Running traefik is Running
- The docker service ls command also shows the status of the services:
Concerto 11.4.1 New Features and Enhancements
The following table lists the new features and enhancements in Concerto Release 11.4.1.
ID | Service | Description |
---|---|---|
90625 |
SSE |
Add support for policy rules to authenticate users behind branch devices. You can configure authentication policy rules to authenticate users connecting to SSE gateways from SD-WAN devices or site-to-site tunnels. To configure the user and device authentication rules, select User and Device Authentication > Rule. See Configure User and Device Authentication.
|
86471 |
SSE |
You can modify parameters of predefined IPS profile by creating an IPS override profile and then associating it with internet or private application protection rules when you select a predefined IPS profile. To configure IPS override profiles, select Real-Time Protection > Profiles > IPS Override. See Configure IPS Override.
|
94654 |
SSE |
You can configure advanced threat protection (ATP) or sandboxing profiles from Real-Time Protection > Profiles. You can configure ATP profiles only if the tenant subscription is Bundle/VSA elite or professional tier with add-on ATP service. See Configure Advanced Threat Protection.
|
94893 |
SSE |
You can configure user-defined security actions from Settings > User Defined Objects > Security Actions. See Configure SASE User-Defined Objects.
|
93836 |
SSE |
You can configure user-defined URL categories Settings > User Defined Objects > URL Categories. See Configure SASE User-Defined Objects.
|
89168 |
SSE |
You can configure exact data match (EDM) and document fingerprinting rule types in DLP profiles. See Configure Data Loss Prevention in Concerto.
|
92699 |
SSE |
You can configure Versa SASE client source obfuscation and private application obfuscation from Real-Time Protection > Network Obfuscation. See Configure Network Obfuscation.
|
91038 |
SSE |
You can for IPSec tunnels in policy-based site-to-site tunnels. Releases 11.3.2 and earlier support only route-based site-to-site tunnels. See Configure SASE Site-to-Site Tunnels.
|
93558 |
SSE |
Add support for RADIUS-based user authentication in SSE authentication profiles. See Configure User and Device Authentication.
|
96234 |
SD-WAN, SSE |
Improve the UI for audit logs. See Manage Users.
|
94302 |
SSE |
Add support for the SSE Elite subscription in the Create Tenant window. See Configure SASE Tenants.
|
94305 |
SSE |
You can configure a tenant shaper on SSE gateways based on provisioned bandwidth for the tenant in tenant onboarding flow. See Configure SASE Tenants.
|
80367 |
SD-WAN, SSE |
The Concerto system administrator can configure maintenance windows and other notifications that impact each tenant, selected tenants, or devices. A notification popup window displays for selected users. The user can acknowledge the notification to disable the popup for subsequent logins. See Configure Scheduled Notifications for Concerto and Concerto Home Screen Overview.
|
84911 |
SSE |
Add support for gateway-assisted trusted network detection on per routing-instance (VPN) of tenants. See Configure Trusted Network Detection for a SASE Gateway.
|
85201 |
SSE |
You can the configuration differences before publishing updated configurations to SSE gateways. See Publish SASE Gateways.
|
87327 |
SD-WAN |
Add support for PPPoE WAN interfaces. To configure a PPPoE interface, choose the subcategory PPPoE in the WAN category. See Configure PPPoE Interfaces in Concerto.
|
92762 |
SD-WAN |
You can configure Layer 2 interfaces in trunk mode. In Releases 11.3.2 and earlier, you can only configure Layer 2 interfaces in access mode. See Configure Access and Trunk Interfaces in Concerto.
|
95324 |
SD-WAN, SSE |
Add support for match criteria based on a remote SD-WAN sites and appliance names in real-time protection rules. See Configure SASE Internet Protection Rules and Configure SASE Private Application Protection Rules.
|
87705 |
SD-WAN |
Redesign Application Forwarding Profiles configuration screens with advanced functionality to support SaaS application monitoring and direct internet access. See Configure Profiles.
|
95310 |
SD-WAN |
You can define SaaS application monitors and use them in forwarding profiles. See Configure SaaS Application Monitors.
|
94564 |
SD-WAN |
You can create sites or appliances in bulk by importing CSV files on the Deploy Lifecycle window. See Create a New Site.
|
94869 |
SD-WAN |
Redesign Access Control Rules and Policies UI screens in secure SD-WAN configurations. See Configure SASE Secure Client Access Profiles and Configure SASE Secure Client Access Rules.
|
93682 |
SD-WAN |
Redesign predefined and user-defined services UI screens in secure SD-WAN configurations. See Configure SASE Secure Client Access Profiles and Configure SASE Secure Client Access Rules.
|
95585 |
SD-WAN |
Add support for service groups. A service group can have collections of multiple user-defined and predefined services. See Configure SASE Secure Client Access Profiles and Configure SASE Secure Client Access Rules.
|
|
SD-WAN |
Enhance the View lifecycle, including dashboards for Rules, SLA Metrics, SLA Violation, and QoS. See Concerto Deploy Lifecycle Overview. |
95240 |
SD-WAN, SSE |
Add support for an Analytics aggregator to display aggregated information from multiple Analytics clusters where the tenant is present. See Install Concerto.
|
95005 |
SD-WAN |
Add the Download button on the Global publish window to download the status of all appliances in CSV format. The following screenshot shows a sample CSV file that displays appliances in various states. See Download the Global Publishing Status.
|
90928 |
SD-WAN |
Add support for multitenant hub–controller (HCN) devices. See Configure Appliances, Hubs, and Hub–Controllers. |
95362 |
SD-WAN |
Enhance multitenant master profiles to allow you to create subtenant-specific CGNAT rules by tenant name when you are creating a rule. See Configure Profiles. |
95824 |
SD-WAN, SSE |
Enhance user-defined applications to allow you to configure risk, productivity, family, and subfamily attributes. See Configure Profiles.
|
96576 |
SSE |
Add support for SaaS tenant control. See Configure SaaS Tenant Control Profiles.
|
84314 |
SD-WAN, SSE |
Add support for user login and password-requirements settings at the global level. These settings apply to all system and tenant users. See Manage Users.
|
95060 |
SD-WAN |
You can create TVI-based WAN interfaces with associated multiple VNI interfaces for redundancy. To configure a TVI WAN interface, select the TVI subcategory. To configure an associated VNI for TVI, select the VNI for WAN TVI category. See Configure TVI-Based WAN Interfaces.
|
93593 |
SSE |
You can configure a preferred Versa SASE client version to automatically upgrade clients on supported operating systems MacOS and Windows. See Configure SASE Secure Client Access Rules.
|
87257 |
SSE |
You can customize captive portal pages. You can change the default captive portal certificate from the Captive Portal Settings section on the Customize User Intercept (Captive Portal) window. See Configure Captive Portal.
|
95448 |
SD-WAN |
Users can select the list of controllers and hub–controllers serving the site when you are creating a site in the Deploy Lifecycle. If only one or two Controller nodes are associated with the selected Director node, they are automatically selected on the Create Site window. See Create a New Site.
|
88060 |
SD-WAN |
You can set the license period while creating an SD-WAN appliance. This information is propagated to the Director node when the appliance is published. See Configure Appliances, Hubs, and Hub–Controllers.
|
Fixed Bugs and Minor Enhancements in Concerto Release 11.4.1
The following tables lists the critical and major defects that were fixed and minor enhancements that were added in Release 11.4.1.
Bug ID | Description |
---|---|
100631 |
Concerto does not update the latest alarms and shows old creation dates. |
100555 |
Branch-to-branch IPsec tunnel settings do not apply to subtenant configuration in a multitenant hub configuration. |
100553 |
Concerto SD-WAN Overview does not list all deices. |
100539 |
Custom application using host patterns shows TCP as protocol. |
100516 |
SD-WAN Onboarded Devices Inventory is missing under Inventory tab. |
100498 |
Concerto Release 11.3.2 MDM configuration pushed from Concerto is not reflected in the configuration. |
100497 |
From customer tenant, tenant user can perform upgrade the SPack and software on multitenant SSE and SD-WAN devices. |
100398 |
BGP term to handle unused hubs is missing in LAN VRF's Export-To-LAN-Policy {}. |
100294 |
Remove RMA Serial Number field from Concerto UI when creating a new device. |
100240 |
URLF default action changes are not reflected in Director nodes and gateways. |
99941 |
Prompt user that if are any unsaved bind data values when a user mistakenly closes the window without saving it. |
99939 |
In the Deploy page, the 3-dots icon has no function. Also, there is extra space at the end of the Site Summary box. |
99935 |
The +1 More button in the Director Name column of the tenant list page does not expand the Director names, Instead, it opens the tenant configuration page. |
99934 |
Clicking anywhere in the tenant row should not open the tenant page. |
99746 |
Enhancement to add service list instead of application in Implicit_Drop_Quic FW access policy. |
99715 |
When a user-defined security profile folder is hidden from the user, hide the corresponding card in forward rule also. |
99509 |
OS SPack upgrade fails from Inventory page. |
99429 |
Ellipses of sites is not accessible under Deploy lifecycle to set profile or publish. |
98644 |
Add support to enable autodisconnect in secure client access rule. |
98620 |
MAC client does not process the secure client access profile information on IPsec tunnel configuration. |
98331 |
Clone or deletion of Internet applications causes a CSRPF error. |
98185 |
When you modify the order of rules in the Configure > SASE > Real-Time Protection > Internet Protection Rule screen, a reorder issue occurs with Release 11.3.2 images. |
97941 |
Service template order is not retained between primary and secondary, and when copying from master profile. |
97636 |
Concerto should prevent certificate upload for filenames that contain a space. |
97456 |
Tag community 8009:8009 for hub routes received. |
97438 |
Add new search bar in the Master Profile page to search profiles by name. |
97412 |
Add support for CSG5000 models when adding appliances in Concerto. |
97096 |
Decommissioned tenant custom user roles have not been removed from the Concerto database. |
96503 |
Add ability to search for site/appliance/profile name in the Profile Assignment and Appliance Status zoom in pages. |
96350 |
Publish fails after deleting existing service template attached to an appliance. |
96306 |
Configure security service as stateful firewall with solution tier Prime-SD-WAN. |
96296 |
Group filter value is missing in Concerto-generated configuration for IAM. |
96249 |
Reverse role mapping when user is created using Concerto for the Director custom role is not working. |
96210 |
Appliance-level bind variable value is overwritten with default values from master profile when applying new version of master profile to the appliance. |
96053 |
WAN link down notification is not updated on the View lifecycle. |
95945 |
Propagated user roles should be read-only in the subtenants. |
95938 |
Unable to delete multitenant device of HA pair in Concerto that is created using URL ZTP. |
95759 |
When you delete a parent tenant user role, the associated child tenant users cannot log in or having issues during sessions. |
95362 |
Add DNAT support for multitenant CPE in Concerto. |
95302 |
Remove references to version in Elements, because versioning is not used here. |
94870 |
Increase the allowed portal lifetime value. |
94812 |
Existing Internet Protection/PAP Rules display site-to-site source zones even when tunnel user permission is hidden. |
94784 |
Profile must automatically assign different VRRP priority for redundant devices. |
94765 |
Need GUI option to set Appliance ID (similar to Director), manually overwriting autogenerated ID during appliance creation from Concerto > Deploy lifecycle. |
94632 |
Cannot see the default IPsec parameters for existing configured site-to-site IPsec tunnels after upgrading. |
94536 |
Group ID field should accept non-ASCII characters in SAML user group ID. |
94276 |
Add implicit deny rule in portal/gateway secure access policy rules. |
94238 |
VOS Bionic OS SPack update from Concerto may fail. |
94234 |
In the View tab of an SD-WAN appliance, display whether a WAN interface is attached to the current appliance or to a redundant pair of appliances. |
94082 |
Blank screen while creating a profile under Subprofile > Security |
94286 |
Generated TVI interface numbers for split tunnels are out of range if the VRF ID of LAN routing instance is a greater number. |
93411 |
Add Precedence field in the custom application object for both SSE and SD-WAN. |
92946 |
IPv6 validation required for Track Route - Prefix field under VRRP. |
92513 |
Multitenant scope master profile is propagated in both parent and child tenant using Concerto 11.3.1. |
92205 |
Concerto overwrites changes to To_ST_DIA policy done in Director pushing Reject_All term to the top. |
91953 |
Allow Concerto to create loopback TVI Interfaces and associate with any VRF. |
91794 |
Allow SASE gateway to publish without configuring any authentication profiles and site-to-site tunnels to support SD-WAN devices only connected to the SSE gateways. |
91588 |
Concerto pushes certificate only to the default Director node |
90577 |
Save and Schedule is not sending report in email when requested from Concerto. It is working from standalone Analytics nodes or from Director nodes. |
90373 |
Option to apply service template to specific appliance in HA pair for subtenants. |
90370 |
Remove hardware image in the View tab for unsupported appliance model numbers. |
90366 |
Ability to hide Monitor tab without impacting the View tab in Concerto. |
90315 |
Add option to download the report from the View tab. |
Fixed Bugs and Minor Enhancements in Concerto 11.4.2
The following tables lists the critical and major defects that were fixed and minor enhancements that were added in Release 11.4.2.
Bug ID | Description |
---|---|
93970 |
Interface IP address with mask length /31 is not allowed. This limitation is now removed. |
96631 |
Fix issues with migrating forwarding profiles data from existing profiles. |
98751 |
Allow non–RFC 1918 subnets to be configured on the Secure Access Client Policy if the tenant is subscribed to the VSIA service. |
100930 |
Remove-Label DLP profile configuration is not pushed to the VOS device. |
101183 |
Do not allow the Delete IPS Override Profile if it is attached to or referenced in a real-time protection rule. |
101207 |
Error occurs when accessing DLP rules page. |
101419 |
Fix memory leak in Solr service. |
101543 |
Fix /actuator URL vulnerabilities. |
101748 |
Fix configuration issue with Network obfuscation. |
101777 |
Fix incorrect application logos under internet protection rule. |
101800 |
BGP neighbor policies applied on the secondary device WAN circuits should not be configured on the corresponding cross-connect link. |
101806 |
Transaction failure error when propagating configuration changes to large number of SDWAN configuration objects. |
101807 |
Solr service terminates with memory limitation. This issue has been fixed by removing memory limitation for the Solr service. |
102114 |
Enable server-side REST response payload compression to improve application performance. |
102203 |
Fix base64 decode during certificate validation. |
102243 |
Fix script issues with adding and removing nodes in the Concerto cluster. |
103001 |
Add bind and search timeout configuration options in LDAP profiles. |
103099 |
SASE Versa Directory username creation with uppercase is failing. |
103106 |
Invalid FQDN name in the user-received email address from the Versa Directory service if the tenant’s name contains a _. |
103361 |
URL reputation displays wrong order for the reputation Suspicious. |
103735 |
Allow wildcard domain names in custom client native applications. |
104228 |
Publish fails while custom application contains host patterns that have special characters. |
104550 |
Allow smaller client address pools on SSE gateways (up to /28 prefix lengths) in the tenant onboarding page. |
104639 |
Subtenant publish shows as Failed in the Task bar in the honeycomb view, but the configuration is pushed to the device successfully. |
104716 |
Allow selection of site-to-site tunnel source zones in private application protection rules if the tenant is subscribed to the VSPA Professional Only service. |
Fixed Bugs and Minor Enhancements in Concerto 11.4.3
The following tables lists the critical and major defects that were fixed and minor enhancements that were added in Release 11.4.3.
Bug ID | Service | Description |
---|---|---|
85299 |
SD-WAN |
Generate WAN interface adaptive shaping configuration automatically if downlink bandwidth is configured on the interface. |
99955 | SD-WAN, SSE | A user-defined application cannot be deleted in a tenant if another tenant has its own user-defined application with the same name and it is referred in its rule or application group. |
101221 |
SD-WAN |
Incorrect values and units shown for WAN interface upstream and downstream bandwidth in View Lifecycle of SD-WAN appliance. Bandwidth now displays in the correct units. |
101259 |
SD-WAN |
Service Templates attached with scope Primary on subtenant devices are not attached to the device group on the Director correctly. As a result, the service template configuration is not applied to the primary appliance in HA pair. |
101337 |
SD-WAN |
When a transport connection name is parameterized for IPsec, GRE, or EOGRE, the connection name values do not display in the variable values. |
102865 |
SSE |
Add support for trusted and exclude routes in Secure Client Access rules. |
103357 |
SD-WAN, SSE |
Allow mapping of the Director-level RBAC user role to multiple Concerto user roles. |
103434 |
SD-WAN |
QoS peer classification is not working in active–active spokes (HA pair) when the VPN topology is not full mesh. |
103691 |
SD-WAN |
URL-based ZTP fails with the error “No interface configured with the same transport domain for URL based ZTP with vpn profile.” |
105301 |
SSE |
In site-to-site tunnel view, a maximum of 25 received and sent prefixes is shown in View Lifecyle. |
105354 |
SD-WAN |
Tenant user cannot configure shared SSE VCGs in the exit location list for SD-WAN forwarding profiles. |
105476 |
SD-WAN |
Support source and destination address negate option in SD-WAN policy rules |
106042 |
SD-WAN |
Overlay TVI IP address overlaps with DIA split tunnel paired TVI interface when the Tenant ID is greater than 300. Split tunnel TVI interfaces now have the format tvi-1/x. |
106109 |
SD-WAN, SSE |
Enable Analytics logging (LEF) for site-to-site tunnels implicitly. |
106129 | SD-WAN | Global inventory page displays an out-of-memory error when there are a large number of tenants. |
107058 |
SD-WAN, SSE |
Add option to select both application and URL category/reputation in policy rule match criteria. |
107155 | SD-WAN | User-defined service object does not accept multiple comma-separated source and destination ports and port ranges. |
107417 |
SSE |
Tenant with _ in its name generates an incorrect LDAP server configuration for a Versa Director authentication profile. |
107430 |
SSE |
When a tenant name is long, enabling the trusted network detection fails, because an implicit security rule generated for trusted network detection exceeds 63 characters. This issue has been fixed by generating a shorter firewall (ACL) rule. |
107442 |
SD-WAN, SSE |
Enforce minimum password strength requirements when creating a user on the Concerto portal. |
107483 |
SSE |
Tenant with _ in its name generates an incorrect SAML hostname configuration for an SSO authentication profile. |
107502 |
SD-WAN |
Incorrect VLAN ID values validation on Layer 2 interfaces. |
107513 |
SD-WAN, SSE |
Authentication bypass vulnerability occurred with an API URL that contains ///. This issue has been fixed. |
107768 |
SD-WAN, SSE |
Allow both a host pattern and an IP prefix when creating user-defined applications. |
108069 | SSE | Detailed view of the BGP sent and received prefixes for site-to-site tunnels does not display more than 100 prefixes. |
108199 | SD-WAN | Master profile change propagation to a large number of appliances creates duplicate profiles in the database, and they cannot be deleted from portal GUI. |
Fixed Bugs and Minor Enhancements in Concerto 11.4.4
The following tables lists the critical and major defects that were fixed and minor enhancements that were added in Release 11.4.4.
Bug ID | Service | Description |
---|---|---|
94688 | SD-WAN & SSE | Improve the View tab landing screens load speed. |
99909 | SD-WAN | Add the precedence option in CGNAT rules. |
101514 | SSE | A Concerto-generated implicit IP cache rule intercepts internal DNS requests. |
102709 | SD-WAN & SSE | Print a proper error message when SSO is not enabled for a tenant and a user tries to login using the SSO option. |
104910 | SD-WAN | Not able to view and select file types in a malware protection profile under the Secure SD-WAN configuration. |
105057 | SD-WAN & SSE | Allow pinging from the Concerto shell for a non-root user. |
106743 | SD-WAN & SSE | SSO login for a user with a custom role is not working on Concerto. |
108107 | SSE | The default action getting pushed to Appliance and Director is “Alert” for the any (Alert, Allow, Block, Drop Packet, Drop Session, Reject) configured action as default in Concerto. |
108431 | SSE | The site-to-site tunnel Last Modified time is updating even for read the profile and close the configuration window. |
108554 | SD-WAN | Unable to dismiss all alarms at the site level. API throws an error. |
108629 | SD-WAN | ICMP packets from reachability monitor IP address used in forwarding profile should be allowed if ICMP is blocked on WAN. |
108635 | SD-WAN | Unable to connect to the appliance shell from Concerto monitor using Shell-in-a-Box. |
108750 | SD-WAN | Unable to create traffic steering rule when destination IP is Customized. |
108946 | SD-WAN | Secondary device activation is failing for spoke HA devices as community has unresolved variable. |
108965 | SSE | Display URL reputations order by risk level in URL Filtering profile. |
109084 | SD-WAN & SSE | SMTP Auth failure occurs even if Auth is set to False in Concerto system level SMTP configuration. |
109202 | SSE | Policy-based IPSec Tunnel—Policy configurations are not allowed to match the prefix 0.0.0.0/0. |
109336 | SD-WAN | Unable to delete an appliance to migrate from one Director to another Director. |
109374 | SD-WAN | Propagation failed on Concerto "Unable to commit against JDBC Connection." |
109433 | SSE | Portal FQDN displays underscores from the tenant’s name. Underscores in tenant name should be converted to a dash (-) when converting to FQDN. |
109506 | SD-WAN | Automatically trim white spaces in appliance serial numbers before saving. |
109709 | SSE | Mandatory source/destination port validation needs to be removed from policy-based IPsec site-to-site tunnel. |
109741 | SD-WAN & SSE | Update to version 5.4.0.182. |
109850 | SSE | When deleting Versa Directory Profile, Concerto does not trigger IAM sync operation. |
109855 | SD-WAN & SSE | Concerto authentication fails when the primary Director's services are down. Authentication requests are not sent to new active node. |
110088 | SD-WAN | Application classification is accepting all special characters in the name. |
110245 | SSE | The user-defined EIP agent for custom category does not support spaces in file path. |
110259 | SSE | Create default TCP optimization policy and profile on SSE GWs to match SMB protocol traffic. |
110349 | SD-WAN | Allow the ability to change a device model number before the appliance onboarding (ZTP) is completed. |
110600 | SD-WAN | Make the WAN connection name optional when creating a DIA forwarding profile. This will help to redirect internet-bound traffic to a site-to-site tunnel. |
110795 | SD-WAN & SSE | Director discovery adds all the controllers from the Director to all the existing tenants even though those tenants are deployed with a subset of controllers. |
110800 | SD-WAN & SSE | Load Google fonts locally instead of loading from the internet. |
111013 | SSE | Internet Protection and Private App Protection rules are cached incorrectly across tenants on the UI. |
111124 | SSE | Concerto UI does not display LDAP users/groups in an Internet Protection rule if the tenant is deployed on multiple Directors and one of the Director does not provide a users/groups list. |
111254 | SD-WAN & SSE | SSO user login fails if the same external role mapping is present in two different tenants. |
111427 | SD-WAN | Add the Tenant Health card to View of Secure SD-WAN. |
111688 | SD-WAN | In SD-WAN summary View, the Asset Summary counts do not add up with the total appliances count. |
111714 | SD-WAN | Allow a VPN name to be selected as the exit routing-instance in a SaaS application monitor. |
112098 | SD-WAN | Redistribute to BGP6 if any interface in a LAN VRF is configured with an IPv6 address, even when BGP is not enabled on the interface. |
112267 | SSE | Destination zone “Internet” in Internet Protection rule gets converted to split-tunnel zones “L-ST…” when View Diff is invoked in the gateway's publishing page. |
112274 | SDWAN | Cloning an interface with VRRP throws null pointer exception. |
112304 | SSE | Add secure-access Portal FQDN to the Trusted Network Detection related DNS redirection policy rule. |
Known Limitations in Concerto Release 11.4.1
The following are the limitations and behavior changes in Release 11.4.1:
- Authentication Profiles is now under the menu User and Device Authentication, along with Authentication Rules, which is new.
- If you enable BGP on a WAN or LAN interface, BGP alarms are automatically enabled in the corresponding routing instance.
- On a multitenant SD-WAN appliance, service templates attached with the scope set to Primary at subtenant level are not reflected on the device. The scope should be set to Both for the service template to be applicable on the primary appliance. Note that this limitation is only on the subtenant-level attached service templates on a multitenant appliance.
- Multitenant appliances, hubs, and hub–controllers are not accounted for in Up/Down counts in the Asset Summary card. Clicking on a count shows a list of multitenant devices.
- On a hub–controller device, changing the staging pool prefix size after initially publishing the appliance does not take effect on the Director. node. As a workaround, clear the bind variable values for the staging prefixes on the Director node in the device workflow and then republish the appliance from Concerto.
- The wrong values and units are shown for the WAN Interface Upstream and Downstream Bandwidth in the View lifecycle of an SD-WAN appliance.
Concerto 11.4.1 REST API Updates
The attached files list the REST API changes for Concerto Release 11.4.1:
Concerto 11.4.3 REST API Updates
The attached files list the REST API changes for Concerto Release 11.4.3:
Concerto Release 11.4.1 Director Version Compatibility
Concerto 11.4.1 is compatible with Director Releases 21.2.2, 21.2.3, and 22.1.2 for SD-WAN services.
Concerto Release 11.4.2 Director Version Compatibility
Concerto 11.4.2 is compatible with Director Releases 21.2.2, 21.2.3, 22.1.2, and 22.1.3 for SD-WAN services, and with Director and VOS Release 22.1.3 for SSE services.
Concerto Release 11.4.3 Director Version Compatibility
Concerto 11.4.3 is compatible with Director Releases 21.2.2, 21.2.3, 22.1.2 and 22.1.3 for SD-WAN services, and with Director and VOS Releases 22.1.3 for SSE services.
Concerto Release 11.4.4 Director Version Compatibility
Concerto 11.4.4 is compatible with Director Releases 21.2.2, 21.2.3, 22.1.2, 22.1.3, and 22.1.4 for SD-WAN services, and with Director and VOS Releases 22.1.3 and 22.1.4 for SSE services.
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Revision History
Revision 1—Release 11.4.1, September 25, 2023
Revision 2—Release 11.4.2, January 18, 2024
Revision 3—Release 11.4.3, March 28, 2024
Revision 4—Release 11.4.4, July 12, 2024