Versa Titan Release Notes for Releases 10.3, 10.3.3, and 10.3.4
This document describes features, enhancements, bug fixes, limitations, and recommendations in Titan Releases 10.3, 10.3.3, and 10.3.4.
The Versa Titan software supports Versa Operating System™ (VOS™) Release 22.1.3 Ubuntu 18.04 (Bionic) version and Release 21.2.3 Ubuntu 14.04 (Trusty) and Bionic versions. Your VOS devices must be running the latest supported VOS software version. To check the VOS software version, go to the Inventory menu in the Titan Portal dashboard. To upgrade the software, see Upgrade the Software. For any VOS devices running Ubuntu 14.04 (Trusty), you must contact Versa Networks Customer Support to upgrade them to the Ubuntu 18.04 (Bionic) version.
For more information about the VOS release and features, see Versa Operating System (VOS) Release Notes for Release 21.2.
November 08, 2024
Revision 3
Product Documentation
The Versa Networks Titan product documentation is located at https://docs.versa-networks.com/Titan.
New Features
This section describes the new Versa Titan Portal features introduced in Releases 10.3, 10.3.3, and 10.3.4.
Titan Portal Release 10.3.4
- Versa Cloud NGFW (SaaS) Service using AWS—Customers can subscribe to the Versa Cloud NGFW (SaaS) Service from their AWS account, and then add licenses and activate the devices from Versa Titan Portal. This release supports the Pay-As-You-Go model, and billing is managed by AWS. Versa Networks manages the headend, and Titan Portal creates and configures the cloud formation template. See Onboard Versa Cloud NGFW (SaaS) Service License on AWS.
Inventory
- Enhanced Inventory dashboard view for operators and enterprise administrators—On the Inventory dashboard, operators and enterprise administrators can view the following information:
- Operators login—New organization reports and device reports are available for an AWS instance, including start and stop billing, CPU actual cores and subscribed cores, and license information.
- Ubuntu 18.04 (Bionic) or Ubuntu 14.04 (Trusty) operating system—The Inventory dashboard displays whether a customer has the Bionic or Trusty version of the operating system. Customers should upgrade devices to the 22.1.3 Bionic version. Contact Versa Networks Customer Support to upgrade from the Trusty to Bionic version before upgrading to 22.1.3. The CSG350-4GB license is discontinued and replaced by the CSG350-8GB license. Existing customers using the CSG350-4GB license must upgrade the device to the Bionic version. After the device is upgraded to the Bionic version, you can upgrade VOS to the Lite version of Release 21.2.3, due to limited memory. See Manage Device Inventory.
Monitor
- Enhanced monitoring to display CPU usage—You can view the monitor information for subscriptions, accounts, and CPU usage for virtual devices. See Monitor Device Status.
Templates
- Service Template—Customers can configure any number of devices in their environment with a one-time service template configuration, and then publish the configuration to multiple devices. You can make mass configuration changes using the service template. See Manage Templates.
- Support for new CPE devices—Titan Portal supports the following new CSG, cCSG, and vCSG devices:
- CSG150
- CSG780R
- CSG5000
- cCSG-2XL (32 cores, 64 GB)
- vCSG-2XL (32 cores, 64 GB)
- Enhanced options for VSPA client and restrictions for remote access license—Users can set the profiles for VSPA for different operating systems and set up tunnel monitoring and Always Connected. For remote access licenses, you cannot configure steering and security. It must be full tunnel only, with no TWAMP or Always Connected. See Configure a Secure Access Service (Remote Access VPN) Template.
Network
- Syslog IP address and port number—Configure a reachable syslog server IP address. A syslog server consolidates logs from multiple sources into a single location. Syslog messages contain information that identifies basic information about where, when, and why the log was sent, including the IP address, timestamp, and the actual log message. You configure a syslog server for each VOS device. You can add the port number at the end of the IP address in the format IP Address:PortNumber. The default port number is 514. See Configure Miscellaneous Parameters.
- Private LTE on MPLS—Titan Portal supports private LTE on MPLS. You can toggle transport between Internet and MPLS. For the tunnel, you can select SD-WAN only or SD-WAN and Internet. See Configure WAN Connections.
Organization Settings
- Alerts and notifications—You can now trigger emails based on conditions that create a notification email. You should configure the soak time to decrease triggering of repetitive emails. Excessive email generation due to customer configuration issues will cause discontinuation of this feature by Versa NOC. See Manage Organization Settings.
- VNF Manager—You can configure the Virtual Network Functions (VNF) manager IP address assigned to the Versa VNF manager, which is used to manage and monitor VNFs within Versa SD-WAN environment. See Manage Organization Settings.
Security
- Versa IDP profile—You can select Versa IDP profile for use in firewall, decryption, and steering User and Group match criteria to create rules. You must select Versa IDP profile for VSA/remote access VPN in the template for authentication and create users with Versa IDP, VSA/RAC/RAS. Note that users created with Versa IDP will take 60 minutes to refresh and list in the profile. See Configure Security.
- LAN static route with discard and reject options—You can configure a static route with the discard or reject option on a LAN virtual router. The discard and reject options are displayed when you enter the next-hop IP address as 0.0.0.0. See Configure Routing.
- Multiple geo IP action rule—You can add multiple action rules for geographical reputation-based IP filtering. See Configure Security.
Titan Portal Release 10.3.3
Inventory
- Tenant license upgrade—For multitenant and multitenant RAC/RAS devices, you can upgrade the tenant users, bandwidth, and security tier. If you want to upgrade the tenant license, contact Versa Customer Support. Only an operator can upgrade a tenant license.
Monitor
- File-filtering monitoring—You can monitor the file-filtering actions and the File Type Denied status in the Monitor > Security > File Filter tab. See Monitor Device Status.
Network
- DHCP array—You can enable a DHCP array to enter multiple DHCP custom option values in all DHCP messages. See Configure LAN Connections.
Security
- Application group—In the match criteria configuration for security rules, steering rules, and authentication rules, you can select an application group that selects all the applications associated with the group. See Configure Security and Configure Traffic Steering.
- File-filtering configuration—You can configure file filtering to block the transfer of potentially dangerous files and types of files (that is, files associated with specific applications), files of specific sizes, files associated with specific protocols, and files traveling in a particular direction. See Configure Security.
- LDAP custom filters—You can add custom filters for LDAP users or groups with the users and groups available in an LDAP server. Only the users or groups that are added using the custom filter can connect to the Versa SASE client. You can configure LDAP custom filters on SASE gateways, multitenant gateways, and remote access VPN devices. You must enable appliance proxy for the SASE gateway, multitenant gateway, or remote access VPN to use the custom filter. See Manage Organization Settings.
- Site description—You can enter a text description for the site. The description can be a maximum of 128 characters. See Configure and Activate a Site.
Titan Portal Dashboard
- Maintenance notification enhancements—You can activate the override function that bypasses any notification preferences previously set by the user. A Versa Support team member or an MSP can set an expiration date for notifications. If the message has expired, the notification popup does not display. See Titan Portal Home Screen.
A store administrator, MSP, reseller, or Versa Support team member can enable or disable maintenance notifications for the organization or the enterprises that belong to them. A store administrator or MSP can disable the notifications using the Lock icon in the Notification column. If an MSP or store administrator locks the notifications for a provider organization, then all enterprises under the MSP are locked, and only a user with a higher privilege level can unlock and modify the notification enable and disable function.
- Static IP with advance configuration option—You can configure static routing with advanced configuration settings. For SASE and multitenant gateway tenants, you must configure an allow firewall rule at the provider level without any source zone for router-generated traffic, such as ICMP, TCP, and UDP traffic, to work. You cannot configure both BFD and monitor object for a static route. See Configure Routing.
- WAN interface for SNMP—You can configure WAN interface with static IP address to reach an SNMP server. See Configure Miscellaneous Parameters.
Titan Portal Release 10.3
Gateway
- HA multitenant/multitenant remote access client (RAC)/remote access service (RAS)—You can order a multitenant device for an MSP organization. After you activate the device, it is available to all customers to add a multitenant device. If you plan to use remote access VPN in future, it is recommended that you order a multitenant with remote access device. You can disable multitenant with remote access in the WAN port configuration. If you do not add multitenant initially and later want to add it, you must first deactivate the device completely before you can add it, which is disruptive for the other tenants on the device. See Add Devices Using Titan Portal.
Inventory
- CSG350-8GB hardware add-on—When you add a device to an organization, the CSG350-8GB model is available with all three license tiers (Advanced Security, Enterprise Security, and Secure Application Optimization). See Add Devices Using Titan Portal.
Monitor
- Degraded status for WAN monitoring—If you configure a WAN or LTE (primary) interface and the port is down or unplugged, the device configuration status shows the status Degraded. This status is removed when the interface comes up. See Titan Portal Home Screen.
- Device alarms in list view—In the sites list view, you can view the device alarms and details based on the alarm type with high priority. Click the Refresh icon to fetch the latest alarm data for the device. See Titan Portal Home Screen.
- IP SLA monitor—You can monitor the state and source interface for configured IP SLA monitors. In the device options card, select the Monitor > Network > IP SLA tab. See Monitor Device Status.
Network
- Additional WiFi SSID for corporate WiFi—When you select WiFi, you can add six additional corporate WiFi SSIDs on a device, for a total of up to eight SSIDs. See Use the Configure Dashboard.
When you select WiFi, corporate, and security mode with the enterprise option, you can set up a RADIUS profile for each SSID.
- Ingress traffic shaper on WAN ports—On WAN ports, you can configure the peak ingress rate, in kilobits per second (Kbps), and the maximum burst size, in bytes per second, to control ingress traffic flow. For multitenant devices, use the traffic shaper configuration in the Miscellaneous tab to set ingress rates for the tenant. See Configure Miscellaneous Parameters and Configure WAN Connections.
- IP address reservation to allow MAC and IP addresses from the WiFi network—You can add device IP reservation rules with the WLAN interface ports listed in the interfaces option. See Configure LAN Connections.
You can add wireless devices connected to WLAN interfaces from the connected device icon on the Device IP Address Reservation screen.
Organization Settings
- Custom captive portal—You can upload a custom captive portal page if you do not want to use one of the default captive portal pages. You must compress the files for the captive portal webpage into a .zip file. The main index file in the .zip file must be named index.htm, and it must contain the custom captive portal page HTML files, the CSS files, and the image files. See Manage Organization Settings.
- Mass publish—An enterprise admin can clone the default template and save the configuration in a new template. You can add and publish the device template configuration to multiple devices that are associated with the template, an operation sometimes referred to as a mass publish. When you do this, the device Miscellaneous tab configuration is replaced with a template Miscellaneous Configuration tab. You can perform a mass publish operation only for devices; you cannot use it to publish a configuration to SASE or to a multitenant gateway. You can also create custom templates (not default templates) with LAN configuration and publish the changes to multiple devices. See Manage Organization Settings.
- WiFi RADIUS authenticator—You can configure a WiFi RADIUS profile with the security mode and an enterprise option to use to transmit data from the WiFi access point. See Manage Organization Settings.
- Source interfaces for RADIUS—You can select the LAN port to reach the RADIUS server.
SASE
- HA with remote access VPN—You can configure remote access VPN on high availability (HA) devices before you deploy the HA device. This add-on service is available for customers who purchase a device license to enable the secure access VPN. After you add the HA device, you can enable remote access VPN in the WAN network configuration, and then the Remote Access VPN tab is displayed in the device configuration window. See Configure WAN Connections.
Security
- Custom applications—You can configure predefined applications and use them in security and steering settings. The custom applications are available to all devices for configuration. To configure custom applications, go to Org Settings > Management Profiles > Custom Application. See Manage Organization Settings.
- Custom URL categories—You can configure predefined URLs and use them in security and steering settings. The custom URL categories are available to all devices for configuration. To configure custom URL categories, go to Org Settings > Management Profiles > Custom URL Categories. See Manage Organization Settings.
- Lookup URL—In the security configuration, URL category, Reputation, and Troubleshooting, the lookup URL button displays, on which you can enter a URL or look up the mappings to a predefined or custom URL reputation and category. The Lookup URL Result section displays information about the URL, including its category and reputation. See Troubleshooting Titan Portal.
Steering
- Loss recovery feature—You can configure loss recovery in the Steering > Profile > Real Time > Add screen on devices that use the secure application optimization license.
Titan Portal Dashboard
- New Titan Portal dashboard view and alarms—On Titan Portal dashboard, you can do the following. See Titan Portal Home Screen.
- Configure and Monitor menus—View the sites in list view.
- Pin view—Pin the view so that you see the same screen on next login. You can also pin the expanded or minimized view.
- Column selection—Select the columns to display in list view.
- Alarms—View the device's alarms based on alarm type with high priority and view alarm details.
Users
- Custom logo URL and custom support URL for tenants—MSPs can add the URL for a logo image file to upload and display a customer logo, and they can add a URL for the MSP support website to redirect tenants to the MSP's support website. See Manage Users and Add and Manage New Customers on the Titan Portal Dashboard.
- Versa Director customer roles—You can select the Versa Director customer role when you add a store admin, MSP, or reseller. Two customer roles are available:
- TenantDashboardOperator—Cannot access the device configuration from Versa Director. By default, a migrated store admin, MSP, or reseller is assigned this role. To change the role, edit the user or contact Versa Support.
- TenantOperator—Allows an MSP or store admin to view (read access) the device configuration from Versa Director.
Limitations and Behavior Changes
Limitations and Behavior Changes in Release 10.3.4
The following are the limitations and behavior changes in Release 10.3.4:
- Undeploying NGFW devices will not remove the instance from AWS. You must remove the stack or instance manually from AWS.
- Removing the NGFW instance from AWS directly does not remove the license from Versa Portal. You must deactivate the device manually.
- Remote Access no longer has TWAMP or Always Connected options. It is fixed to Full Tunnel. Steering and security are also reserved for VSPA only. Additional options are available if a customer subscribes to VSPA and SASE products.
- Versable support is discontinued, and existing organizations can use Trusty devices until Release 21.2.3.
- By default, Versa Director is configured with an LDAP cache scheduler interval of 60 minutes. Versa Director fetches user or group information from VOS after 60 minutes. Users must wait for a minimum of 60 minutes to list the newly created users in the Titan Portal UI in the following scenarios:
- Create a new Versa IDP user.
- Delete a Versa IDP user.
- Create a new organization with Versa IDP.
- For eBGP inbound and outbound policies, you can set community criteria only with a single community with the format 2-byte decimal number:2-byte decimal number. If a user tries to configure more than one community, it displays an error.
- In the service template firewall rules zone configuration, the source zone lists Trust(LAN) as the LAN zone. It does not list specific LAN interfaces as it shows on device configuration or device template configuration.
- Wireless LAN zone and remote client zone are not available in the service template for firewall rules.
- In the miscellaneous parameters configuration, SPack auto-update configuration change is not allowed on AWS licenses with provider login from mass publish and service template.
- Configuring BFD is not allowed for the static routes using next-hop address as 0.0.0.0 on LAN virtual router with discard or reject option.
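A pre-publish check for several constraints stated in these notes (syslog IP Address:PortNumber with default port 514, a single 2-byte:2-byte eBGP community, and the static-route rules for 0.0.0.0, BFD, and monitor objects). This is an added example, not Versa code or part of the Titan Portal; the configuration dictionary layout and all field names are hypothetical, and IPv4 is assumed for the syslog address.

```python
import ipaddress
import re

DEFAULT_SYSLOG_PORT = 514  # default port stated in the release notes


def parse_syslog_target(value):
    """Parse 'IP Address:PortNumber'; a missing port falls back to 514.

    Assumption: IPv4 only, since a bare IPv6 address would be ambiguous here.
    """
    value = value.strip()
    host, sep, port = value.rpartition(":")
    if not sep:  # no colon at all: bare IP address
        host, port = value, str(DEFAULT_SYSLOG_PORT)
    ip = ipaddress.IPv4Address(host)  # raises ValueError on a bad address
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid syslog port {port!r}")
    return str(ip), int(port)


def check_community(value):
    """eBGP policy criteria: one community, 2-byte decimal:2-byte decimal."""
    parts = [p for p in re.split(r"[,\s]+", value.strip()) if p]
    if len(parts) != 1:
        return [f"expected exactly one community, got {len(parts)}"]
    halves = parts[0].split(":")
    ok = len(halves) == 2 and all(
        h.isdigit() and int(h) <= 0xFFFF for h in halves
    )
    return [] if ok else [f"{parts[0]!r} is not <0-65535>:<0-65535>"]


def check_static_route(route):
    """LAN virtual-router static route rules taken from the notes."""
    problems = []
    next_hop = route.get("next_hop")
    action = route.get("action")  # "discard", "reject" or None
    if action in ("discard", "reject"):
        if next_hop != "0.0.0.0":
            problems.append(f"{action} requires next hop 0.0.0.0")
        if route.get("bfd"):
            problems.append(f"BFD is not allowed on a {action} route")
    if route.get("bfd") and route.get("monitor"):
        problems.append("BFD and a monitor object cannot both be set")
    return problems


def lint_device(cfg):
    """Return (field, problem) pairs for one device configuration."""
    findings = []
    if "syslog" in cfg:
        try:
            parse_syslog_target(cfg["syslog"])
        except ValueError as exc:
            findings.append(("syslog", str(exc)))
    for community in cfg.get("ebgp_communities", []):
        findings += [("ebgp", p) for p in check_community(community)]
    for i, route in enumerate(cfg.get("static_routes", [])):
        findings += [(f"static_routes[{i}]", p) for p in check_static_route(route)]
    return findings


# Constructed sample, not taken from a real deployment.
SAMPLE = {
    "syslog": "192.0.2.10:70000",
    "ebgp_communities": ["65000:100", "65000:100 65000:200", "70000:1"],
    "static_routes": [
        {"next_hop": "0.0.0.0", "action": "discard", "bfd": True},
        {"next_hop": "198.51.100.1", "bfd": True, "monitor": "sla-1"},
        {"next_hop": "0.0.0.0", "action": "reject"},
    ],
}

if __name__ == "__main__":
    for field, problem in lint_device(SAMPLE):
        print(f"{field}: {problem}")
```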
Limitations and Behavior Changes in Release 10.3.3
The following are the limitations and behavior changes in Release 10.3.3:
- For multitenant devices, only Versa Customer Support can upgrade the tenant license.
- For multitenant devices, DNS proxy does not support the tenant LAN VRF as the network.
- File filtering is supported in the Advance Security and Secure Applications Optimization license tiers.
- File-based action rules are supported for the following file types:
- The private gateway device license is not supported.
- If a notification is locked or disabled for an MSP or store administrator, and the same configuration is copied to all enterprises under the MSP and store administrator, you can unlock the notification individually for any enterprise.
- A store administrator, MSP, or reseller with Manage Customer privileges can lock and unlock or enable and disable notifications for provider organizations and enterprise users.
- SNMP is not supported on SASE and multitenant gateway devices.
- When you configure BFD sessions with multiple routing protocols for the same next-hop, it throws an error as VOS supports only one protocol.
- When a static route is configured with monitor and BFD tracking, routing table gets updated even if a monitor or BFD tracking is down.
- When two or more static routes are configured through same next-hop with BFD tracking, BFD session information disappears and no BFD packets are sent after you delete the first static route.
- An error occurs when you configure static route through exit interface (0.0.0.0) with BFD and a monitor.
Limitations and Behavior Changes in Release 10.3
The following are the limitations and behavior changes in Release 10.3:
- If validation fails for one of the devices during a mass publish from the device template, the task is considered to have failed even though the configuration is pushed to the other devices that have no conflicts.
- If you perform a mass publish from device template by selecting multiple devices, the configuration is pushed to devices sequentially, not simultaneously.
- When you publish the configuration from a device template to devices, the configuration UI changes to read-access mode during the publish process. The user cannot modify configuration for the specific device until the publish process for the device completes.
- In WiFi networks, when you change radio type it applies to all added SSIDs except the Guest Wi-Fi (vni-0/201) SSID.
- When an interface goes down, the Degraded status is displayed for devices. If that interface comes back up, the degraded status is not displayed. However, Titan Portal captures the interface down alarm, but it does not capture the interface up alarm because it is cleared immediately after it is generated. This means that some devices show the Degraded status even after the interface comes back up.
- You can clone a full-mesh template device into any topology, including hub, HA, hub controller, spoke, or full mesh. But if you clone a specific topology, such as spoke, it is cloned as a spoke.
- If you select a spoke template, ensure that you select the spoke topology, and if you select an HA template, select the HA topology. If there is a mismatch between the template and topology, saving and publishing result in an error.
- When you publish a template, it shows the publish status. If the publish fails on the device, you can retry the operation on the same screen; do not close the screen. If you close the mass publish configuration screen and come back to publish on same device, it displays no changes found and cannot publish.
- In the Titan Portal dashboard, alarms can be updated in multiple ways. If the updates do not display, you can manually refresh the alarms by clicking the reload column button on the list view screen. Alarms that are cleared while rebooting do not display after the alarm clears.
- Avoid performing a mass publish operation for configuration changes in LAN or WAN, because the operation can cause outages on existing sites. It is recommended that you configure LAN or WAN and then publish on individual devices.
- When you use mass publish for an HA device, any changes that you make to the LAN that require a redeploy are automatically replicated on both the primary and secondary devices, because the HA LAN configuration is synchronized between primary and secondary devices.
- The Versable activation method is supported only for VOS Release 21.2.3 for VOS devices running the Ubuntu 14.04 (Trusty) operating system (OS). For VOS devices running the Ubuntu 18.04 (Bionic) OS, Versable activation is not supported.
- If a tenant uses SASE gateway, the tenant cannot order multitenant with RAV and multitenant without RAV gateways. If a tenant uses multitenant gateway, the tenant cannot purchase a SASE gateway. A tenant cannot have multitenant both with and without RAV.
- Multitenant gateway does not support SD-WAN speed test.
- An MSP or a provider can choose only the hub and hub controller topologies for a multitenant gateway. The spoke and full-mesh topologies are not supported.
- Only an operator can order multitenant and private gateway devices for a provider organization. An MSP, store admin, or reseller must contact Versa Support to order multitenant or private gateway devices for their provider organization.
- The Degraded status is not supported for IP SLA monitor down and for PPPoE interfaces.
- When you deploy cCSG with AWS cloud, the post-staging configuration is not pushed to devices.
- To onboard HA multitenant devices, the primary and secondary devices must be up and running and the template and device workflow status must be in the Deployed state. Otherwise, onboarding fails. If this occurs, the admin must clean the tenant from another device and onboard the devices again.
- For a SASE gateway or HA multitenant devices, you must install the device with wildcard certificates and configure the server URL as .*. domain-name for group connect to work as expected. An example server URL is group.versa-test.net.
- The default template does not support 5G interfaces.
- 5G support is available in VOS Releases 22.1.x and later.
- When onboarding a SASE or multitenant gateway, the LAN network name for captive portal must be OrgNAME-LAN-VR if the same configuration is used in the default configuration template. After you onboard the gateway, in Miscellaneous tab, the LAN network name for the captive portal shows as OrgName, but in the configuration, the network name shows as OrgName-LAN-VR. This is a UI limitation. To have the names be the same, you can update the configuration in the UI with listed LAN network name.
- The indentation for URL lookup results displayed in the result window may be incorrect.
- You cannot configure EBGP with a 4-byte local or remote AS number on MPLS WAN, because VOS devices do not support 4-byte communities.
- Mass publish validation shows the Conflict Found status when you add a configuration using mass publish and delete from the device configuration, and then you delete the configuration from custom template, add a new configuration in the custom template, and then publish.
- In a custom template you cannot reorder firewall and routing rules.
- For multitenant for MSPs, lock and publish is not available after you deploy the device. Therefore, if you want to configure the following features, you must configure them before you deploy the device. After you save the configuration, you can then deploy the device.
- Miscellaneous device tab
- Configure SNMP
- Configure NTP server
- Syslog server IP address
- Security pack (SPack) auto update disable
- Configure traffic shaper
- LAN VRRP ports
- Allocate WAN and LAN ports. If you need to reserve more WAN ports, or if you want to use only one WAN port for remote access, toggle the Remote Access VPN to off on the port. You cannot change the configuration after deploying the device. To add a remote access VPN after you activate the device, you must deactivate the device completely and start again.
- If you provision a tenant on a multitenant device with remote access, and if you want to add the same tenant on another device, the other device also must be a multitenant device with remote access.
- You can provision a tenant either on a SASE gateway or multitenant gateway device, but not on both devices. If you have already provisioned a tenant on a SASE gateway, you must deactivate and remove the tenant from the SASE gateway, and then provision on a multitenant gateway device.
- For SASE gateway tenants, if a custom captive portal is configured at the provider level, custom pages are displayed instead of the default captive portal pages when you access blocked or ask websites, because the provider captive portal configuration supersedes the tenant captive portal configuration.
- Deleting custom URL categories and custom applications will delete them only from Titan Portal, not from an appliance.
Revision History
Revision 1—Release 10.3, March 15, 2024
Revision 2—Release 10.3.3, May 28, 2024
Revision 3—Release 10.3.4, November 08, 2024