diff --git a/docs/about_releases.mdx b/docs/about_releases.mdx index 626498a15e..c8f2b0c1d5 100644 --- a/docs/about_releases.mdx +++ b/docs/about_releases.mdx @@ -36,8 +36,9 @@ However, issues resolved in `4.3.12`, which was released on 3/12/2021 are not ad ## General Availability -| Version | Initial GA Version | First Release Shipping Date | Latest GA Version | End of Engineering support | End of Support | -| -- | -- | -- | -- | -- | -- | +| Version | Initial GA Version | First Release Shipping Date | Latest GA Version | End of Software Engineering support | End of Support | +| --| -- | -- | -- | -- | -- | +| Release 7.0 | [7.0.0](release_notes_128t_7.0.md#release-700-63r1) | April 30, 2025| [7.0.0](release_notes_128t_7.0.md#release-700-63r1) | January 30, 2026 | June 30, 2026 | | Release 6.3 | [6.3.0](release_notes_128t_6.3.md#release-630-107r1) | September 30, 2024 | [6.3.4-r2](release_notes_128t_6.3.md#release-634-7r2) | March 26, 2026 | September 26, 2026 | | Release 6.2 | [6.2.0](release_notes_128t_6.2.md#release-620-39r1) | November 16, 2023 | [6.2.8-lts](release_notes_128t_6.2.md#release-628-10-lts) | September 6, 2026 | March 6, 2027 | | Release 6.1 | [6.1.0](release_notes_128t_6.1.md#release-610-55r1) | April 14, 2023 | [6.1.13-lts](release_notes_128t_6.1.md#release-6113-7-lts) | July 14, 2025 | January 14, 2026 | diff --git a/docs/app_policy_hit_count.md b/docs/app_policy_hit_count.md new file mode 100644 index 0000000000..5d4924aea3 --- /dev/null +++ b/docs/app_policy_hit_count.md 
@@ -0,0 +1,177 @@ +--- +title: Application Policy Hit Count +sidebar_label: Application Policy Hit Count +--- + +Application Policy Hit Count (APHC) provides insight into the routing policies being referenced to direct traffic in your network operations; it reports which policies are being referenced ("hit") and how. These values are presented as metrics tracked per service, per tenant; where each tenant service combination could be "hit" in one of the following ways. + +| Count | Description | +| ---- | ----------- | +| Allowed | The session was allowed and created successfully. | +| Failed | The session could not be created. | +| Denied due to Access Policy | The packet was denied because an access policy explicitly disallows access. | +| Denied due to URL Filtering | The session was created but was blocked once app classification was completed. | +| Denied due to Local Service Definition | The session was allowed on another ingress router, but is denied here based on the rules of this router (relates to hierarchical services). | + +## How Does It Work? + +Application Policy Hit Count is enabled by default, tracking counts for all observed service and tenant combinations, including the `access policy denied` counters. + +The system maintains the current value in memory and will not provide a historical time series of the data. To prevent excessive consumption of memory resources, the device periodically removes combinations that are no longer being observed. Inactive tenant service combinations remain in the system for 30 to 60 minutes before being removed. + +## Configuration + +Counter configuration is flexible and can be enabled or disabled on individual routers, or across the whole authority. Counters can be configured to persist the policy hit count metrics, allowing them to be viewed as a time-series graph. The following configuration snippets show how each configure each option. 
+ +### Disable APHC for the Authority + +``` +configure + authority + metrics + application-policy-hit-count-tracking + enabled false + exit + exit + exit +exit +``` + +### Disable APHC for the Router + +``` +configure + authority + router + system + metrics + application-policy-hit-count-tracking disabled + exit + exit + exit + exit +exit +``` + +### Disable APHC for the Authority but Enable for a Specific Router + +``` +configure + authority + metrics + application-policy-hit-count-tracking + enabled false + exit + exit + router + system + metrics + application-policy-hit-count-tracking enabled + exit + exit + exit + exit +exit +``` + +### Clear Expiring Counts + +The cleanup of expired counters runs automatically every 30 minutes. However, in some situations it may be necessary to manually clear hit count entries. In this situation the following command is available:. + +`clear application-policy-hit-counts [force] [node ] {router | resource-group }` + +This command manually triggers the cleanup process. The execution does not change or prevent the scheduled cleanup run. However, executing the command twice will move cleanup forward by an hour and fully clear the policy hit count metrics. + +## Persist APHC Metrics + +Persistence can be configured using a metrics profile as described in the SSR Documentation. The example below show how to persist all hit count types for a specific service and tenant combination, using the `short` retention policy. It is a best practice to always use the shortest retention policy that satisfies your requirements. + +There are typically a significant number of APHC metrics active on a system. If persistence is necessary, select a small number of service tenant combinations to be persisted. Careless selection may overwhelm the stats infrastructure resulting in resource shortages. + +The following configurations are examples only; they should not be directly copied into another environment. 
Service, tenant, and router names must be replaced. + +### Authority Configuration + +``` +configure + authority + metrics-profile internet-policy-hit-counts + name internet-policy-hit-counts + metric /stats/application-policy-hit-count/allowed + id /stats/application-policy-hit-count/allowed + description "Allowed Hit Count" + exit + metric /stats/application-policy-hit-count/failed + id /stats/application-policy-hit-count/failed + description "Failed Hit Count" + exit + metric /stats/application-policy-hit-count/deny/policy-table + id /stats/application-policy-hit-count/deny/policy-table + description "Denied for Explicit Access Policy Hit Count" + exit + metric /stats/application-policy-hit-count/deny/local-service + id /stats/application-policy-hit-count/deny/local-service + description "Denied After Ingress Router Allowed Hit Count" + exit + metric /stats/application-policy-hit-count/deny/url-filtering + id /stats/application-policy-hit-count/deny/url-filtering + description "Denied For URL Filtering Hit count" + exit + filter service + parameter service + value internet + exit + filter tenant + parameter tenant + value engineering + exit + exit + exit +exit +``` + + +### Router Configuration + +``` +configure + authority + router + name + system + metrics + profile internet-policy-hit-counts + name internet-policy-hit-counts + retention short + exit + exit + exit + exit + exit +exit +``` + +## Stats Output + +The hit count metrics can be accessed via the PCLI as shown. They provide a combination of services and tenants and show how traffic is allowed or blocked. In the example shown, we also see failures due to improperly configured services. + +``` +admin@westB.T207_West# show stats application-policy-hit-count node westA +Wed 2025-01-08 18:59:28 UTC +✔ Retrieving statistics... 
+ +Highway Manager application policy hit count Stats +-------------------------------------------------- + +========= ======= ================= ================== ======= + Metric Node Tenant Service Value +========= ======= ================= ================== ======= + allowed westA lan2-service 1 + westA red lan2-service 1 + westA red lan2-service 326 + deleted westA lan2-service 1 + failed westA 11 + westA red 5841 + +Completed in 0.06 seconds +``` diff --git a/docs/cert_based_sec_encrpt.md b/docs/cert_based_sec_encrpt.md new file mode 100644 index 0000000000..ecc8967b72 --- /dev/null +++ b/docs/cert_based_sec_encrpt.md 
@@ -0,0 +1,196 @@ +--- +title: Certificate-based Security Encryption +sidebar_label: Certificate-based Security Encryption +--- + +Security is a critical component of SD-WAN products in today’s world. The effectiveness of any security strategy relies on the strength of the security algorithm and how related information is exchanged between participants. + +The SSR uses a Public Key Infrastructure (PKI) to validate the installed certificates and the authenticity of devices within the network, as well as a peer-to-peer security key exchange between SSRs. The result is a design that creates maximum scale, avoids mid-network re-encryption, and provides the ability to rotate keys as required. + +## Certificate Management + +Certificate management is performed from the CLI using the commands and parameters provided in Configuration Commands and Parameters. The Certificate Signing Request Workflow is interactive, asking the user what they would like placed in the CSR. The following three validity checks take place upon importing a certificate: + +- Ensure that there is no private key accompanying the certificate. On 100 and 1000 series platforms the private key is parsed and validated against the matching private key on disk. + +- Parse the certificate and then validate it (dates/roles/other restrictions, etc.). + +- Check the certificate against the known revoked certificates (CRL). + +If the above three checks pass, then the private key and certificate are accepted and imported + +Long-lived Certificates are issued to every Juniper manufactured router by the Juniper Networks Certificate Authority. Use of the rekey feature requires that a certificate be provided during installation. The base certificate can be replaced during initial software installation, however all routers in a single authority MUST have certificates issued by the same certificate hierarchy. Otherwise, replacing a certificate may be done during a maintenance window. 
+ +### Certificate Security + +The Certificate Revocation List (CRL) Manager handles the discovery, fetching, and periodic updates to CRLs. From this process a list of all known revoked certificates from all CRL sources is created, and the master list is published to disk. + +The following are some details of certificate security. + +- The Trusted Platform Module (TPM) stores the private key of the base certificate. The certificate and any keys are not included in any configuration. + +- Periodic revocation checks of the base certificate are performed based on the configuration defaults or user configured timelines. + +- When rekeying is enabled on a newly initialized router that does NOT have a valid, signed certificate, an alarm is generated. A valid certificate must be obtained from a Certificate Authority before valid secure communication can take place. When a valid certificate is present, the router will create an elliptic-curve public/private key pair (see [RFC8422]). + +- Contained within the SVR certificate is a router identifier, which must match the identifier of the router in the peer configuration. This router identifier is a UUID and guaranteed to be unique per node, even across RMAs. + +- The public key is used to create an X.509 certificate signing request (CSR) with the common name field set to the router's UUID. A certificate signing request is initiated through a secure connection to a configured Certificate Authority (CA). The CA digitally signs the CSR and returns it to the requesting router. Certificates and Public Keys are stored locally on each router in PEM format defined by RFC7468. + +## Certificate Revocation List + +Managing the Certificate Revocation List (CRL) includes the discovery, fetching, and periodic updates to CRLs using the configuration commands and parameters provided in Configuration Commands and Parameters. 
These parameters generate a list of all known valid and revoked certificates from all CRL sources and saves this information to disk. The CRL configuration parameters include: + +**There does not seem to be any commands directly associated with creating a CRL other than certificate-revocation url and polling-interval. If there are others, please provide pointers.** + +## Installing Certificates + +Installing a trusted CA certificate on the SSR uses the existing functionality as described in [Adding a Trusted Certificate](howto_trusted_ca_certificate.md). + +## Replace or Revoke a Certificate + +When a certificate is revoked, expired, or invalid, the SSR generates an alarm. Based upon the SSR configuration, it will either `fail-soft` (the default behavior) or `fail-hard`. + +Soft failure results in a notification that the certificate is no longer valid and that appropriate action must be taken. + +Hard failure results in the same notification, as well as the removal of all peering relationships. This stops the device from participating in SVR. + +The following sections describe the procedures for replacing and revoking certificates. + +### Expiring Certificate + +Expiring certificates will generate the following alarms. + +If a certificate expires within a month, a minor alarm is generated. +If a certificate expires within a week, a major alarm is generated. +If a certificate is expired or otherwise invalid, a critical alarm is generated. + +When a router's certificate is about to expire or needs to be replaced, a new certificate can be added to the system using the [installation procedure](https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/howto_trusted_ca_certificate). Once the new certificate file has been loaded into the system, an event is triggered to restart the peer authentication procedure again. + +### Compromised Certificate + +In the case of a compromised system or certificate, the certificate will be revoked. 
+ +The router periodically checks the Certificate Revocation List (CRL) from existing certificate authority servers for any revocations, according to the interval defined in the configuration. If a revocation has taken place, the router takes the action defined in the configuration (fail-soft or fail-hard). + +## Peer Authentication + +Peer validation is done whenever a new certificate is added, or peer configuration has changed. When a certificate is received from a peer on multiple peer paths, a cached validation response is used. Validation is accomplished by verifying the routerID of its peer matches that of the certificate. + +The public key is sent by both routers on both pathways, but only needs to be validated one time for each router peer. + +When receiving a certificate from a peer router and performing validation, the receiving router must extract the peer router's public key and save it. This is used for validating the authenticity of any subsequent Peer Key/Rekey requests. + +## High Availability + +Each node of an HA pair manages its own unique certificate - certificates are not shared between nodes. Each node manages its own unique connection to its peers. + +When two nodes are configured as a redundant pair, each of the keys need to be exchanged between nodes. This is done to avoid rekeying on flow migration due to node failures. Keys can be safely exchanged between nodes as the HA sync interfaces are connected point to point over a SSH connection. + +## Configuration + +config certificate-revocation + - url blah.bla.com + - polling interval + - Frequency to fetch CRL + - units: hours + - range: 1-168 + - default: 24 + - backoff- interval: delay in seconds to apply to the polling-interval + - units: seconds + - type: uint32 + - default: ? 
+ +Peer Certificate Validation + +config peer-validation + - validate peering connections on this router + - values: true/false + - default: false + + +## Troubleshooting + +Use the following information to help troublshoot certificate events or issues. + +### PCLI commands + +- `show certificate` - Show basic certificate information +- `show certificate detail` - Show all OpenSSL details about the certificate +- `show certificate crl` - Show basic information about the CRL (including source) + +### Audit Events/Logging + +Audit events and logs are generated for the following events: + +- Generate CSR + +``` +======================================================================================================================================================= + 2025-03-19T20:50:35.173Z Generated certificate signing request. +======================================================================================================================================================= + Type: system.generate_csr + Node: test-1 + Description: Generated CSR for: TestCertificate + Json Event Detail: {"name":"TestCertificate","common_name":"example.com","country_name":"US","state_province_name":"California","locality_name":"San + Francisco","organization_name":"ExampleOrg","organizational_unit_name":"IT","email_address":"admin@example.com","validity_period_days":365} + Permitted: True +``` + +- Import Certificate +``` +====================================================================================================================================================================================================== + 2025-03-26T21:22:43.108Z Ingested a certificate. 
+====================================================================================================================================================================================================== + Type: system.ingest_certificate + Node: test-1 + Description: Ingested certificate: TestCertificate + Json Event Detail: {"purpose":"TLS Web Client + Authentication","common_name":"example.com","crl_urls":["http://10.27.34.42/crlfile.crl"],"certificate_authority":"N/A","fingerprint":"6D:C7:8E:48:4F:55:63:D9:AB:70:66:CD:29:4E:1C:37:CF:89:17:B0"} + Permitted: True +``` + +- Peer Certificate Validation + +(Need example) + +- CRL Update +``` +======================================================================================================================================================================================================== + 2025-03-07T20:59:50.736Z Updated certificate revocation list files. +======================================================================================================================================================================================================== + Type: system.crl_update + Node: t158-dut1.CONDUCTOR + Description: Updated CRL for issuer: endpoint + Json Event Detail: {"forced":false,"last_updated":"Oct 17 16:33:11 2024 GMT","next_update":"Oct 27 15:33:10 2024 + GMT","crl_url":"http://10.27.39.143/testCrl.pem","size":14162,"total_entries":279,"added_entries":0,"removed_entries":0,"success":true,"certificate_authority":"/C=US/O=Google Trust Services/CN=WR2"} + Permitted: True +``` + +### Show Stats Commands + +#### Event Counters + +`show stats security CSR success` +`show stats security CSR failure` +`show stats security certificate import success` +`show stats security certificate import failure` +`show stats security CRL fetch success` +`show stats security CRL fetch failure` +`show stats security CRL ingestion success` +`show stats security CRL ingestion failure ` + +#### Certificate Event Counters + +`show 
stats security certificate expired` +`show stats security certificate invalid` +`show stats security certificate revoked` + +#### Peer Certificate Event Counters + +`show stats security peer certificate expired` +`show stats security peer certificate invalid` +`show stats security peer certificate revoked` + + + diff --git a/docs/config_forward_error_correction.md b/docs/config_forward_error_correction.md index ddff7e0d2f..77d6d587b9 100644 --- a/docs/config_forward_error_correction.md +++ b/docs/config_forward_error_correction.md 
@@ -139,6 +139,46 @@ Forward Error Correction has the following limitations: - Packet retransmission will not work when FEC is enabled. +## FEC Support on High Speed Ports + +The `fec-mode` feature provides compatibility with other devices (Dell, Broadcom, etc) that use optical ports, allowing you to set the port speed for these high speed optical ports. The feature is enabled on 100GB NIC ports at the device-interface level, and is an advanced or administrator only feature/command. + +The `fec-mode` is configured as `auto`, `baser`, `rs`, or `none`. For example: + +#### Configuration Example: + +``` +config + authority + router router-b + node node + device-interface xe-4-2 + fec-mode baser + + + router router-b + node node + device-interface xe-4-3 + fec-mode auto + exit + exit + exit +exit + + +admin@node.router-b# show config running flat | grep fec +✔ Piping output... +config authority router router-b node node device-interface xe-4-2 fec-mode baser +config authority router router-b node node device-interface xe-4-3 fec-mode auto +``` + +If the switch speed and port speed do not match, the link will be reported as `down`. + +- Switch set to default (fec74); SSR port is `auto` or `baser` (fec74): fec74 on both ends; link is up +- Set switch to fec108; SSR port is `auto` or `rs` (fec108): fec108 on both ends; link is up +- Set switch to fec108; SSR port is `baser` (fec74): link is down +- Set switch to fec74; SSR port is `rs` (fec108): link is down + ## Troubleshooting Metrics for FEC are categorized into success and failure counters. Use the following counters to help diagnose any issues that arise. diff --git a/docs/config_password_security.md b/docs/config_password_security.md new file mode 100644 index 0000000000..fa77716ac5 --- /dev/null +++ b/docs/config_password_security.md 
@@ -0,0 +1,39 @@ +--- +title: Password Security +sidebar_label: Password Security +--- + +Password security is one of the first lines of defense for every organization, and Juniper recommends strong password security. For information on password requirements, see [Password Policies](config_password_policies.md). + +## Set a Password for the System Accounts + +Setting the password for the system accounts (`admin`, `root`, and `t128`) is performed during initialization from either the web interface, the conductor command line, or the interactive intializer. All system account passwords are set to the same value, preventing any of the account passwords from being overlooked. + +Create a password for the SSR system accounts. The password must be at least 9 characters long, contain at least 1 uppercase letter, at least 1 lowercase letter, at least 1 number, cannot contain the username in any form, and cannot repeat characters more than 3 times. + +### From the Web Interface + +From the Conductor Association screen, select PASSWORD, or PASSWORD HASH, and enter a password for the system accounts. Selecting PASSWORD HASH will generate a pre-salted sha512 hashed password using the text you enter. + +![Conductor Association](/img/u-iso9_define_conductor.png) + +Click ASSOCIATE to assign the password to the `admin`, `root`, and `t128` user accounts. + +### From the Command Line + +Use the `initialize conductor` command to set the SSR system account passwords. The password must be at least 9 characters long, contain at least 1 uppercase letter, at least 1 lowercase letter, at least 1 number, cannot contain the username in any form, and cannot repeat characters more than 3 times. + +``` +admin@default.router# initialize conductor node-name c1 router-name conductor1 +Enter a password for the SSR 'admin', 't128' and 'root' users: +Confirm: +✔ Initializing... +Device successfully initialized. 
+ +admin@default.router# +``` +You can also specify the `password-hash` argument to generate a pre-salted sha512 hashed password using the text you enter. + +:::note +The root account will not be used for day-to-day access, but the root account password should be stored securely off-box so that it can be used for admin account recovery if required. +::: diff --git a/docs/initialize_u-iso_device.md b/docs/initialize_u-iso_device.md index 7f4b68e269..8754edbfbb 100644 --- a/docs/initialize_u-iso_device.md +++ b/docs/initialize_u-iso_device.md @@ -31,21 +31,26 @@ Use the following process to initialize your device as a Conductor. 2. To initialize a standalone conductor, select **STANDALONE**. To initialize the first conductor of an HA pair, select **HA NODE 0**. Select the address type (DHCP or STATIC). -:::note -In an HA configuration, **HA NODE 0** must always be configured before HA NODE 1. Configuring Node 1 first prevents Node 0 from starting. -::: + :::note + In an HA configuration, **HA NODE 0** must always be configured before HA NODE 1. Configuring Node 1 first prevents Node 0 from starting. + ::: -Enter the following information: + Enter the following information: - - Conductor name - - Node IP Address (Static) - - Node Gateway (Static) - - Interface Name (Static) - - DNS Server address (Optional) - - Artifactory username and password (if available) + - Conductor name + - Node IP Address (Static) + - Node Gateway (Static) + - Interface Name (Static) + - DNS Server address (Optional) + - Admin and system accounts password + - Artifactory username and password (if available) ![Conductor Association](/img/u-iso9_define_conductor.png) +:::note +Setting the password for the system accounts (`admin`, `root`, and `t128`) is performed during initialization from either the web interface or the conductor command line. All system account passwords are set to the same value. +::: + 3. Click **ASSOCIATE** 4. The device reboots and comes online as a Conductor. 
@@ -57,9 +62,10 @@ Enter the following information: - Node Gateway (Static) - Interface Name (Static) - DNS Server address (Optional) + - Admin and system account passwords - Artifactory username and password (if available) - ![HA Conductor Association](/img/u-iso9a_ha_conductor.png) + ![HA Conductor Association](/img/u-iso9a_ha_conductor1.png) 5. Click **ASSOCIATE** when you have completed the required information. The device reboots and comes online as the second Conductor. @@ -72,9 +78,9 @@ Use the following process to initialize your device as a Conductor-managed route ![SSR Conductor-managed router](/img/u-iso10_cond-mngd_router.png) -2. Enter the router name and the associated Conductor IP address. +2. Enter the router name, the associated Conductor IP address, and the Admin and system account passwords. - ![Conductor Managed Association](/img/u-iso11_cond-mngd-assoc.png) + ![Conductor Managed Association](/img/u-iso11_cond-mngd-assoc-new.png) 3. Click **ASSOCIATE** when you have completed the required information. diff --git a/docs/release_notes_128t_7.0.md b/docs/release_notes_128t_7.0.md new file mode 100644 index 0000000000..3ae4428dcd --- /dev/null +++ b/docs/release_notes_128t_7.0.md 
@@ -0,0 +1,86 @@ +--- +title: SSR 7.0 Release Notes +sidebar_label: '7.0' +--- +The SSR has moved away from the historical package-based delivery to an image-based delivery. As such, it is strongly suggested that you revisit your "standard" procedures for installation and upgrade of SSR Software. + +Beginning with SSR v6.3.0, the use of the interactive installer is not supported, or necessary. Software installation and upgrade upgrade activities are supported from the Web Interface or the Command Line Interface. + +### Installation from ISO + +When installing SSR V6.3.0 or newer on a new system, use the image-based ISO - identified by the filename prefix "SSR": `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso`. Installation documentation for the image-based process can be found in the [Image-based ISO Installation Overview](intro_installation_univ-iso.md). + +Offline mode conductor and router upgrades to image-based installations are detailed in the [Single-Version 6.3.0 Upgrade](upgrade_restricted_access.md#single-version-630-upgrade) instructions. + + +### Upgrade Considerations + +:::important +Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_considerations.md) and the [**Rolling Back Software**](intro_rollback.md) pages. Several modifications have been made to the process for verifying configurations, which will impact existing configurations. +::: + +**System Disk Considerations** + +As mentioned above, during the upgrade to an image-based installation, existing systems will go through a conversion process to support image-based delivery. This process involves resizing the existing disk partition to support writing a new disk image to the remaining disk space. As such, the usable disk space seen after this conversion will be approximately halved. The system will automatically detect if there is not enough usable disk space on the existing drive to support this partition resizing and, if so, will trigger an upgrade failure. 
Even if the conversion is succesful and the upgrade succeeds, users may note that the system is experiencing disk space alarms after the upgrade due to the reduction in overall capacity. It is suggested to remove unnecessary large files from systems before upgrading. Old saved tech-support-info archives (check for tar.gz or zip files in `/var/log/128technology`) and uploaded ISO images are frequent contributors to used disk space and should be manually deleted. + +In certain scenarios, existing cloud routers may have been installed from images that did not use LVM for partitions. For these systems, the automatic resizing of disk partitions will fail and they cannot be upgraded. It is suggested to rebuild these instances from the official [SSR BYOL](intro_installation_quickstart_byol_conductor_aws.md) image. + +When the conductor is initially upgraded to an image-based installation, it will be upgraded as a package-based system. This is because the system does not understand how to handle image-based delivery until it is running 6.3 software. Once the conductor is running 6.3 all router upgrades will be treated as image-based upgrades and any subsequent conductor upgrade will be treated as image-based. Therefore, it is possible that issues related to disk usage on conductor may not arise until a subsequent upgrade of the conductor beyond the initial step to 6.3. + +**Offline-Mode: Upgrading 6.3.x Conductor Deployments to 6.3.x+** + +An issue has been identified that may be observed in conductor deployments running version 6.3.x software, when attempting to upgrade from one 6.3.x patch release to another. This results in the message, “SSR firmware upgrade failed for the local node: SSR upgrade failed after reboot”. To work around this, run `request system software upgrade installation-service` from the command line of the Conductor, after importing the image-based ISO. Once complete, perform the full system upgrade from the Web-interface. 
This issue will be resolved in a future release. + +**Offline-Mode: Onboarding Routers Running older SSR Software to a 6.3.x Conductor** + +We have identified an issue when onboarding SSR routers installed with older versions of software (such as 5.4.4) to Conductors running 6.3.x, when running in offline-mode. In some cases, certain software packages are not available to be installed during onboarding. To work around this issue, import the **package-based** (the "128T" prefixed) ISO for the current conductor version onto the conductor. This provides the necessary software packages to complete the onboarding process. This issue will be resolved in a future release. + +## Release 7.0.0-63r1 + +**Release Date:** July 10, 2025 + +### New Features + +- **I95-22432 Conductor Management IPv6:** All router to conductor communication along with management protocols (ssh, radius, syslog, snmp, web gui/api) now support IPv6. However in an IPv6 managed node, devices must be running the same IP version. For example, in an IPv6 HA configuration, both Conductors must be running IPv6. +------ +- **I95-29382 Certificate-based Security Encryption for SVR:** Introduces a new peer-to-peer, certificate-based key exchange mechanism to the SVR protocol. This key exchange avoids mid-network re-encryption, provides the ability to rotate keys as required, and supports all deployment scenarios. The security rekeying mechanism is configured at the Authority, and requires that all routers and conductors be running the same version of software that supports this capability. The existing security key exchange mechanisms continue to exist and will be supported during the transition to the new model. The two security approaches cannot coexist at the same time within an authority. See [Certificate-based Security Encryption](cert_based_sec_encrpt.md) for more information. +------ +- **I95-52924 NIC Driver FEC Support:** Support has been added to configure optical FEC for SFPs. 
+------ +- **I95-53993 Display LLDP Neighbors:** A CLI command to output neighbors discovered through LLDP has been added. +------ +- **I95-57454 Management traffic over SVR (in-band management):** Router to Conductor communication is supported over SVR with the use of [rekey](svr-ztna.md#peer-key-and-key-rotation). +------ +- **I95-58635 Source Peer added to output of `show session by-id`:** Added information to the output of `show session by-id`, making it easier to troubleshoot sessions. +------ +- **I95-59239 Application Policy Hit Counter:** [Application Policy Hit Count (APHC)](app_policy_hit_count.md) provides insight into the routing policies being referenced to direct traffic in your network operations; it reports which policies are being referenced ("hit") and how. These values are presented as metrics tracked per service, per tenant; where each tenant service combination could be "hit" in one of the following ways. + +| Count | Description | +| ---- | ----------- | +| Allowed | The session was allowed and created successfully. | +| Failed | The session could not be created. | +| Denied due to Access Policy | The packet was denied because an access policy explicitly disallows access. | +| Denied due to URL Filtering | The session was created was blocked once app classification was completed. | +| Denied due to Local Service Definition | The session was allowed on another ingress router, but is denied here based on the rules of this router (relates to hierarchical services). | +------ +- **I95-59634 Allow Highway lockup detection to be disabled:** Added a `local.init` override for disabling datapath lockup detector mechanism. + +``` + "datapath": { + "lockupDetectionEnabled": true/false + }, +``` +------ +- **I95-59758 Interactive Initializer updates all system account passwords:** Interactive initialization now changes the `admin`, `t128` and `root` user passwords to the same value. 
The initialization preference file has the fields, `t128-password`, `root-password`, and `admin-password`, to set password hashes for each user, respectively. +------ +- **I95-59996 GUI Initialization sets passwords for all system accounts:** GUI initialization now changes the `admin`, `t128` and `root` user passwords to the same value. See [Password Security](config_password_security.md) for additional information. +------ +- **I95-60041 `initialize conductor` command sets password for all system accounts:** The system accounts `admin`, `t128` and `root` are simultaneously set to the provided password hash, ensuring default passwords are not used. +------ +- **I95-60220 SSR OS Upgrade:** SSR OS distribution has been upgraded to Oracle Linux 9. +------ +- **WAN-2284 Critical IDP Profile:** A new **Critical** attack list profile that is more lightweight has been added to reduce the commit/policy change times. +------ +- **WAN-3834 Remove Private AS for BGP Neighbor:** + +### Resolved Issues diff --git a/docs/releases.table.js b/docs/releases.table.js index f11a156ebe..60b41c1e73 100644 --- a/docs/releases.table.js +++ b/docs/releases.table.js @@ -6,6 +6,11 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; // New entries should be placed at the top. // ---------------------------------------------------------------------------- export const releases = [ + { + version: '7.0.0-63-r1', + url: '/docs/release_notes_128t_7.0#release-700-63r1', + releaseDate: 'April 30, 2025', + }, { version: '6.1.13', url: '/docs/release_notes_128t_6.1#release-6113-7-lts', diff --git a/docs/svr-ztna.md b/docs/svr-ztna.md new file mode 100644 index 0000000000..dec3f0ec91 --- /dev/null +++ b/docs/svr-ztna.md 
@@ -0,0 +1,126 @@ +--- +title: SVR Zero Trust Network Architecture +sidebars-label: SVR Zero Trust Network Architecture +--- + +Security is a critical component of SD-WAN products in today’s market. The SSR (Session Smart Router) offers several means of ensuring the integrity of data transmitted through the router, such as encrypting application payload content, encrypting SVR (Secure Vector Routing) metadata and authentication for metadata. + +As an example, let's look at the needs of a financial institution. They have to keep transaction traffic secure. If it is not kept secure, the results are catastrophic for both the instution and the individual/companies whose transaction gets hijacked. SSR technology uses SVR to create a Zero Trust Network Architecture (ZTNA), allowing you to configure unparalelled security without the increased packet size, fragmentation, and increased transaction time common with IPSec. This design creates maximum scale, avoids mid-network re-encryption, and provides the ability to rotate keys as required. + +In a newly deployed network, SVR ZTNA is more secure than the default security implementation of SVR, and far more secure than IPSec. SVR ZTNA affords you the best security strength not only because of the encryption key exchange, but through its ability to perform key rotations. + +Additionally, the flexiblity of SVR to choose a different physical path to satisfy SLA requirements is not found in traffic encrypted within an IPSec Tunnel. Traffic encrypted within an IPSec Tunnel always follows the same path, not allowing for different flows to have different SLA-driven physical paths. + +## SVRv2 and IPSec + +To understand the value of the SVR zero-trust network architecture (SVR ZTNA), we can draw some comparisons against IPSec. Not with IPSec, but against it. + +| Characteristic | IPSec/IKE | SVRv2 | +| --- | --- | --- | +| Payload Encryption | Yes—via ESP | Yes; encrypted with per-Flow AES-CBC-256 payload key. 
| +| Encrypt Original IP SA/DA | Yes—via ESP | Yes; encrypted with AES-CBC-256 encrypted Metadata sent within first Payload packet using metadata key. | +| Secure Channel to exchange keys | Yes, via IKEv2 | Yes, via Diffie-Hellman-Ephemeral. DH-E provides 4096-bit Peer key used to encrypt BFD Metadata. | +| Confidentiality | Payload is encrypted with the IPSec Tunnel key; however, all individual sessions with the same IPSec tunnel share the same key. There is no confidentiality between sessions sharing the same source and destination address. | Payload encrypted with Per-Flow Payload key; SVR Metadata (containing the Per-Flow Payload key) is encrypted with the SVR Metadata Key. Because each flow has a separate key, each flow has confidentiality, even between the same source and destination address. | +| Integrity | ESP Authentication Header | HMAC SHA-384 signature signs all SVR Metadata and/or Payload in SVR packet. | +| Authentication | IKEv2 PSK or x.509v3 certificates | Yes. Via SSR-signed x.509v3 certificate through root of trust to Intermediate CA installed on SSR| +| Data Origin Authentication | HMAC-SHA-384 | HMAC SHA-384 signature| +| Replay Protection Yes | Yes. Nonce added for Replay Protection.| +| Perfect Forward Secrecy | Yes | Yes. Ephemeral Keys in DH-E are seeded by salt. | +| IPv4 and IPv6 | Yes | Yes | + +The SVR ZTNA is a more secure, more flexible, and more efficient transport network. If you want securtiy across your network, this is the best option. + +## How It Works + +Key rotation provides a high level of transport security. Configuring this feature creates a specific interval for the router to generate a new security key/payload key and distribute it across the network (or session?). + +The security rekeying mechanism (key rotation) is configured on the conductor, at the Authority level, and requires that all routers and conductors are running the same version of software that supports this feature. 
Any SSR running an older version of software that does not support this functionality will cause traffic to fail between those peers. In these cases, events will be generated when peering fails to establish. + +The Security Key Manager is enabled by setting `enhanced-security-key-management` to `true`. The leader node then generates a local metadata key, which includes the following data: + +- rekey index +- encryption key +- encryption cipher +- encryption IV +- HMAC key +- HMAC cipher + +The leader node sends this and other information to the peer node(s), which stores the metadata key that allows the peer to encrypt and decrypt messages. + +This allows peer authentication, and the dynamic key generation and exchange provides the encryption of Secure Vector Routing (SVR) traffic. Routers generate their own keys based on X.509 certificates for encrypting metadata (metadata keys) and distribute them to their peers by BFD metadata. Sessions are encrypted using payload keys generated on demand, encrypted, and distributed to the peer by SVR. + +### Peer Key and Key Rotation + +A single symmetric key is used for all paths between two routers. The key is saved and remains valid during network outages and path failures, until a new key is accepted as a replacement. + +During the rekeying period the old key is used. A wait time of 30 seconds is added post key computation to prevent any retransmitted packets, delayed packets, or long latency packets not having a key ready for use. + +If a peer sends a Key Request to a peer for which there is no valid key and receives no response, then the peer path remains out of service until there is a valid response. + +The peer continues to resend requests at periodic intervals as defined in the configuration setting `authority > security-key-management > peer-key-retransmit-interval`. 
If there is no response after the time defined by `authority > security-key-management > peer-key-timeout`, the peer path is declared invalid and removed from service. Once the peer is taken out of service due to key timeout, it will continue to send rekey attempts at the `peer-key-timeout intervals`, or upon interface state change. + +## Configuration + +Configuration is performed on the conductor, at the Authority level, on a per router basis. To accept the default values for enhanced and security key management, simply set `enhanced-security-key-management` to `true`; + +``` +config + + authority + enhanced-security-key-management true +``` +And configure a `peering-common-name` on each router. This enables SVR and key rotation between all associated routers, and provides excellent security. + +``` + router combo-east + name combo-east + peering-common-name second-fake-alias-2 + location usa + description "router 1" + inter-node-security internal +``` + +The default values for rekeying (Key Rotation) are the following: + +| Configuration Attributes | Description | +| --- | --- | +| key-exchange-algorithm | Configure Key Exchange Algorithm | +| payload-key-rekey-interval | Hours between payload security key regeneration. Range is 1-720, or never. Default is 24 hours. | +| peer-key-rekey-interval | Hours between security key regeneration for peer routers. Range is 1-720, or never. Default is 24 hours. | +| peer-key-retransmit-interval | Seconds between security key retransmission for peer routers, when peer key establishment has not been acknowledged. Range is 5-3600, default is 30 seconds. | +| peer-key-timeout | Seconds before security key retransmission timeout for peer routers, when peer key establishment has not been acknowledged. Default is 3600 seconds. 
| + +#### Sample Default Configuration: + +``` +config + + authority + enhanced-security-key-management true + + + + router RTR_EAST_CONDUCTOR + name RTR_EAST_CONDUCTOR + + node conductor-east-1 + name conductor-east-1 + exit + exit + + router combo-east + name combo-east + peering-common-name second-fake-alias-2 + location usa + description "router 1" + inter-node-security internal + + + + router combo-west + name combo-west + peering-common-name second-fake-alias-3 + location usa + inter-node-security internal +``` + diff --git a/sidebars-orig.js b/sidebars-orig.js new file mode 100644 index 0000000000..ec60dbe2d3 --- /dev/null +++ b/sidebars-orig.js 
@@ -0,0 +1,489 @@ +module.exports = { + "docs": { + "About": [ + "about_128t", + "about_svr_savings", + "about_releases", + "about_support_policy", + "about_supported_platforms", + "about_certified_platforms", + "about_security_policy", + "CONTRIBUTING", + ], + "Introduction": [ + "intro_getting_started", + ], + "Deployment Considerations": [ + "intro_system_reqs", + "config_firewall_ports", + ], + "SSR Common Criteria Install and Configuration": [ + "cc_fips_titlepage", + "cc_fips_intro", + "cc_fips_compliance_guidelines", + "cc_fips_ssr_security_scope", + "cc_fips_secure_deliver", + "cc_fips_intro_installation", + "cc_fips_downloading_iso", + "cc_fips_conductor_install", + "cc_fips_otp_router_install", + "cc_fips_install_quickstart_otpiso", + "cc_fips_router_install", + "cc_fips_access_mgmt", + "cc_fips_config_ntp_auth", + "cc_fips_config_password_policies", + "cc_fips_config_audit_event", + "cc_fips_sec_firewall_filtering", + "cc_fips_banners", + "cc_fips_software_upgrades", + "cc_fips_appendix", + ], + "Upgrading the SSR": [ + "intro_upgrade_considerations", + "intro_upgrading", + "upgrade_ibu_conductor", + "upgrade_router", + "upgrade_restricted_access", + "upgrade_legacy", + "intro_rollback", + ], + "Installation Overview": [ + "intro_installation", + + ], + "RMA Workflows": [ + "rma_wan_assurance", + ], + "SSR Universal ISO Installation": [ + "intro_installation_univ-iso", + "install_univ_iso", + "initialize_u-iso_device", + "initialize_u-iso_adv_workflow", + ], + "Cloud / Hypervisor Installations": [ + "supported_cloud_platforms", + "install_vmware_config", + "intro_initialize_HA_conductor", + { + "type": "category", + "label": "Installing In AWS", + "items": [ + "intro_installation_quickstart_aws", + "intro_installation_quickstart_mist_aws", + "intro_installation_quickstart_byol_conductor_aws", + "intro_installation_quickstart_byol_mist_aws", + ], + }, + { + "type": "category", + "label": "Installing In Azure", + "items": [ + "intro_installation_azure", + 
"intro_installation_azure_mist", + "intro_installation_byol_azure_conductor", + "intro_installation_byol_azure_mist", + ], + }, + ], + "Legacy Install Information": [ + "intro_installation_legacy", + "intro_downloading_iso", + "intro_creating_bootable_usb", + { + "type": "category", + "label": "Conductor Installation", + "items": [ + "install_conductor_overview", + "bcp_conductor_deployment", + "single_conductor_install", + "ha_conductor_install", + "single_conductor_config", + "conductor_upgrade", + "howto_conductor_migration", + ], + }, + { + "type": "category", + "label": "Router Installation", + "items": [ + "intro_installation_bootable_media", + "intro_basic_router_config", + "intro_otp_iso_install", + "intro_install_quickstart_otpiso", + "onboard_ssr_to_conductor", + "onboard_ssr_device_otp", + "howto_router_migration", + ], + }, + { + "type": "category", + "label": "Image-Based Installation", + "items": [ + "intro_installation_image", + ], + }, + { + "type": "category", + "label": "Appendix", + "items": [ + "intro_installation_installer", + "install_qcow2_deployment", + "legacy_OTP_install", + ], + }, + ], + "Concepts": [ + "concepts_application_discovery", + "concepts_EthOverSVR", + "concepts_ha_theoryofoperation", + "concepts_interface_types", + "concepts_kni", + "concepts_linux_host_networking", + "concepts_learning_VRF_routes", + "concepts_network_planes", + "concepts_metadata", + "concepts_metrics", + "concepts_machine_communication", + "concepts_pcli", + "concepts_session_timer", + "concepts_waypoint_ports", + "concepts_monitoring", + "concepts_glossary", + ], + "Understanding the Forwarding Information Base": [ + "concepts_fib", + "concepts_fib_construction", + "concepts_fib_design", + "bcp_fib_design", + "ts_fib", + ], + "WAN Assurance": [ + "wan_overview", + "hdwr_ssr_device_port_layout", + { + "type": "category", + "label": "WAN Assurance Quick Start", + "items": [ + "wan_assurance_ssr120_quickstart", + "wan_assurance_ssr130_quickstart", + 
"wan_assurance_ssr1200_quickstart", + "wan_assurance_ssr1300_quickstart", + "wan_assurance_ssr1400_quickstart", + "wan_assurance_ssr1500_quickstart", + "intro_wa_quickstart_3_templates", + "intro_wa_quickstart_4_siteassign", + ], + }, + { + "type": "category", + "label": "Whitebox Adoption", + "items": [ + "wan_staging", + "hdwr_whitebox_port_layout", + "wan_onboarding_whitebox", + "wan_telemetry_site_assign", + ] + }, + { + "type": "category", + "label": "Cloud Telemetry for a Conductor-Managed SSR", + "items": [ + "config_wan_assurance", + "wan_telemetry_features", + "wan_telemetry_troubleshooting", + ], + }, + ], + "Administration": [ + { + "type": "category", + "label": "Configuration", + "items": [ + "config_basics", + "config_templates", + "config_asset_connection_resiliency", + "config_session_recovery", + "config_dscp_steering", + "config_dscp_preservation", + "config_vrf_learning", + "config_audit_event", + "config_dns_proxy", + "config_forward_error_correction", + "config_management_over_forwarding", + "config_domain-based_web_filter", + "config_application_steering", + "config_EthoSVR", + "config_EthoSVR_activestandby", + "config_flow_perf_mon", + "config_gre_tunnel", + "config_in-memory_metrics", + "config_rate_limiting", + "config_RBAC", + "config_service_health", + "config_snmp", + "howto_config_snmp", + "config_snmp_metrics", + "config_static_hostname_mapping", + "config_tenants", + "config_transport_encryption", + ], + }, + { + "type": "category", + "label": "Application Identification", + "items": [ + "concepts_appid", + "config_app_ident", + "how_to_use_app_summary", + "app_policy_hit_count", + ], + }, + { + "type": "category", + "label": "Optimizing Routing Protocols", + "items": [ + "howto_tune_bfd", + "config_session_optimization", + "config_bgp", + "config_vrf_route_leaking", + "config_ospf", + "config_bfd", + "config_multicast", + "config_lacp", + "config_dhcp", + ], + }, + { + "type": "category", + "label": "Network Address Translation 
(NAT)", + "items": [ + "config_source-dest_nat", + "config_static_nat", + "config_dnat", + "config_nat_pools", + "ts_nat_troubleshooting", + ], + }, + { + "type": "category", + "label": "High Availability", + "items": [ + "config_ha", + "config_dual_router_ha", + "config_ha_vrrp", + "config_non_forwarding_ha_interfaces", + "config_adding_interfaces_to_ha_team", + "config_transition_standalone_to_ha", + ], + }, + { + "type": "category", + "label": "Traffic Engineering", + "items": [ + "concepts_traf_eng", + "bcp_per-adjacency_traffic_engineering", + "config_te_net_intf", + "config_dev_intf_traf_eng", + ] + }, + { + "type": "category", + "label": "Access Management and Authentication", + "items": [ + "config_access_mgmt", + "config_ldap", + "config_radius", + "config_radsec", + "config_syslog_tls", + "config_webserver_certs", + "config_password_security", + "config_password_policies", + "howto_reset_user_password", + ], + }, + { + "type": "category", + "label": "NTP", + "items": [ + "config_ntp_auth", + ], + }, + { + "type": "category", + "label": "Security", + "items": [ + "sec_adaptive_encrypt", + "sec_firewall_filtering", + "sec_security_policy", + "sec_hardening_guidelines", + "sec-usb-security", + "sec-disable-console-output", + "cert_based_sec_encrpt", + ], + }, + { + "type": "category", + "label": "Intrusion Detection and Prevention", + "items": [ + "concepts_ssr_idp", + "config_idp", + "ts_idp", + "sec-config-antivirus", + ], + }, + { + "type": "category", + "label": "How To", + "items": [ + "howto_update_bios", + "how_to_local_config_override", + "howto_extend_gui_nav", + "howto_lte", + "config_bfd_tunnel", + "howto_config_PPPoE", + "howto_pppoe_vlan", + "howto_ms365", + "howto_trusted_ca_certificate", + ], + }, + { + "type": "category", + "label": "Troubleshooting", + "items": [ + "ts_applications", + "ts_ap_duplicate_assets", + "ts_ap_salt_minion", + "ts_cpu_spikes", + "ts_connecting_to_routers", + "ts_forwarding_resource_pools", + "ts_logs", + 
"ts_mac_uniqueness", + "ts_packet_capture", + "ts_serial_console_tsing", + "ts_session_processing", + "ts_t1_troubleshooting", + "ts_traceroute", + "ts_troubleshooting_vrf", + ], + }, + ], + "Events": [ + "events_overview", + "events_alarms", + "events_events", + "config_alarm_suppression", + "howto_maintenance_mode", + ], + "Best Practices": [ + "bcp_sdwan_design_guide", + "bcp_per-adjacency_traffic_engineering", + "bcp_att_avpn_configuration", + "bcp_using_128T_as_ntp_server", + "bcp_dhcp_relay_overview", + "bcp_qos_msft_expressroute", + "bcp_lte_peering", + "bcp_monitoring_headends", + "bcp_salt_pillars", + "bcp_service_and_service_policy_design", + "bcp_service-policy_defaults", + "bcp_tenants", + ], + "CLI and Element Reference": [ + "cli_reference", + "config_command_guide", + "config_reference_guide", + "cli_stats_reference", + "intro_rest_graphql_apis", + ], + "Installer/Initializer Reference": [ + "installer_cli_reference", + "installer_preferences", + "initializer_cli_reference", + "initializer_preferences", + ], + "Plugins": [ + "plugin_intro", + "plugin_bgp_community_services", + "plugin_cloud_ha", + "plugin_dns_app_id", + "plugin_dns_cache", + "plugin_gre", + "plugin_ha_sync_redundancy", + "plugin_http_probe", + "plugin_icmp_reachability_detection", + "plugin_ipsec_client", + "plugin_loopback_static_routes", + "plugin_m800_watchdog", + "plugin_monitoring_agent", + "plugin_mosh", + "plugin_set_hostname", + "plugin_sip_alg", + "plugin_wireguard", + "plugin_kni_namespace_scripts", + ], + "Release Notes": [ + { + "type": "category", + "label": "SSR", + "items": [ + "release_notes_128t_7.0", + "release_notes_128t_6.3", + "release_notes_128t_6.2", + "release_notes_128t_6.1", + "release_notes_128t_6.0", + "release_notes_128t_5.6", + "release_notes_128t_5.5", + "release_notes_128t_5.4", + "release_notes_128t_5.3", + "release_notes_128t_5.2", + "release_notes_128t_5.1", + "release_notes_128t_5.0", + "release_notes_128t_4.5", + "release_notes_128t_4.4", + 
"release_notes_128t_4.3", + "release_notes_128t_4.2", + "release_notes_128t_4.1", + "release_notes_128t_4.0", + ], + }, + { + "type": "category", + "label": "SSR Installer", + "items": [ + "release_notes_128t_installer_3.2", + "release_notes_128t_installer_3.1", + "release_notes_128t_installer_3.0", + "release_notes_128t_installer_2.7", + "release_notes_128t_installer_2.6", + "release_notes_128t_installer_2.5", + "release_notes_128t_installer_2.4", + "release_notes_128t_installer_2.3", + "release_notes_128t_installer_2.2", + "release_notes_128t_installer_2.1", + ], + }, + { + "type": "category", + "label": "WAN Assurance", + "items": [ + "release_notes_wan_assurance_plugin_3.10", + "release_notes_wan_assurance_plugin_3.9", + "release_notes_wan_assurance_plugin_3.8", + "release_notes_wan_assurance_plugin_3.7", + "release_notes_wan_assurance_plugin_3.6", + "release_notes_wan_assurance_plugin_3.5", + "release_notes_wan_assurance_plugin_3.4", + "release_notes_wan_assurance_plugin_3.3" + ] + }, + { + "type": "category", + "label": "BYOL Cloud Images", + "items": [ + "release_notes_byol_2.0", + "release_notes_byol" + ] + } + ], + }, +}; diff --git a/sidebars.js b/sidebars.js index 5c9ee187aa..a429d7e03a 100644 --- a/sidebars.js +++ b/sidebars.js @@ -13,6 +13,7 @@ module.exports = { "type": "category", "label": "SSR", "items": [ + "release_notes_128t_7.0", "release_notes_128t_6.3", "release_notes_128t_6.2", "release_notes_128t_6.1", @@ -237,6 +238,7 @@ module.exports = { "concepts_appid", "config_app_ident", "how_to_use_app_summary", + "app_policy_hit_count", ], }, { @@ -346,6 +348,7 @@ module.exports = { "config_syslog_tls", "config_webserver_certs", "howto_trusted_ca_certificate", + "config_password_security", "config_password_policies", "howto_reset_user_password", "config_ntp_auth", @@ -361,6 +364,8 @@ module.exports = { "sec_hardening_guidelines", "sec-usb-security", "sec-disable-console-output", + "cert_based_sec_encrpt", + "svr-ztna", ], }, { 
diff --git a/static/img/u-iso11_cond-mngd-assoc-new.png b/static/img/u-iso11_cond-mngd-assoc-new.png new file mode 100644 index 0000000000..d245b4521b Binary files /dev/null and b/static/img/u-iso11_cond-mngd-assoc-new.png differ diff --git a/static/img/u-iso11_define_conductor copy.png b/static/img/u-iso11_define_conductor copy.png new file mode 100644 index 0000000000..e65ff23f5f Binary files /dev/null and b/static/img/u-iso11_define_conductor copy.png differ diff --git a/static/img/u-iso9_define_conductor.png b/static/img/u-iso9_define_conductor.png index faeddcf8a1..0db58fe953 100644 Binary files a/static/img/u-iso9_define_conductor.png and b/static/img/u-iso9_define_conductor.png differ diff --git a/static/img/u-iso9a_ha_conductor-2 copy.png b/static/img/u-iso9a_ha_conductor-2 copy.png new file mode 100644 index 0000000000..11890c8fde Binary files /dev/null and b/static/img/u-iso9a_ha_conductor-2 copy.png differ diff --git a/static/img/u-iso9a_ha_conductor1.png b/static/img/u-iso9a_ha_conductor1.png new file mode 100644 index 0000000000..e0035e3242 Binary files /dev/null and b/static/img/u-iso9a_ha_conductor1.png differ
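Review bot: in the `docs/release_notes_128t_7.0.md` hunk, the entry `- **WAN-3834 Remove Private AS for BGP Neighbor:**` has no description at all; add the feature text or drop the bullet before this ships. The `local.init` snippet under I95-59634 shows `"lockupDetectionEnabled": true/false`, which is not valid JSON for a file readers will paste; show a single value (for example `"lockupDetectionEnabled": false`) and state the default in the prose. In the APHC table the URL Filtering row reads `The session was created was blocked once app classification was completed.` and is missing a word ("but") between the two clauses. I95-59758 and I95-60041 both describe setting `admin`, `t128` and `root` to one password hash but, unlike I95-59996, give no link to config_password_security.md; add the same cross-reference so the account-sharing implication is documented in one place. Minor: `succesful` in the upgrade paragraph, and `Web-interface` versus `web gui/api` capitalisation within the same file.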
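Review bot: in the `docs/releases.table.js` hunk, the new entry's `releaseDate: 'April 30, 2025',` disagrees with the release notes added in this same patch, which state `**Release Date:** July 10, 2025` for 7.0.0-63r1; one of the two is wrong and the site's release table will show the wrong date. The `version: '7.0.0-63-r1',` string also inserts a hyphen that the release-notes heading `## Release 7.0.0-63r1` and the anchor `#release-700-63r1` do not have; use one spelling so that search and deep links line up.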
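Review bot: in the `docs/svr-ztna.md` hunk, the comparison-table row `| Replay Protection Yes | Yes. Nonce added for Replay Protection.|` is missing the separator after `Replay Protection`, so the row has two cells where the header has three and will not render in the table; it should be `| Replay Protection | Yes | Yes. Nonce added for Replay Protection. |`. The front-matter key `sidebars-label:` is not the Docusaurus key (`sidebar_label`), so the sidebar will silently fall back to the title. Several technical statements need tightening: `DH-E provides 4096-bit Peer key used to encrypt BFD Metadata` conflates the DH group size with the symmetric key (the same table says metadata is encrypted with AES-CBC-256), so state the DH group size and the derived key size separately; `Ephemeral Keys in DH-E are seeded by salt` is not what gives perfect forward secrecy, which comes from discarding the ephemeral DH private values after each exchange; and `ESP Authentication Header` in the Integrity row mixes ESP (which carries its own ICV) with AH, a separate protocol. The metadata key list includes `encryption IV` as a field shipped alongside the key; with AES-CBC a reused IV leaks whether message prefixes repeat, so the text should say whether a fresh IV is produced per message or only per rekey. Leftover draft text remains: `(or session?)` in the How It Works opening and `Not with IPSec, but against it.`; typos: `instution`, `unparalelled`, `flexiblity`, `securtiy`; `far more secure than IPSec` is asserted without support, so either point at the comparison table or soften it. In the Configuration section, `on a per router basis` contradicts `at the Authority level` in the same sentence (the toggle is authority-wide; only `peering-common-name` is per router), the table introduced as the default values gives no default or allowed values for `key-exchange-algorithm` and no range for `peer-key-timeout`, and the backticks in `` `peer-key-timeout intervals` `` should enclose only the attribute name.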
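Review bot: `sidebars-orig.js` (the `@@ -0,0 +1,489 @@` hunk) is a new file that duplicates the structure of `sidebars.js` and is referenced by nothing else in this patch; it reads as a local backup copy committed by mistake, since Docusaurus loads only the sidebar file named in its config. Drop it from the change rather than carrying two sidebar definitions that will drift apart (git history already preserves the previous version). It also carries hand-editing residue such as the blank entry line inside the `"Installation Overview"` array.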
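Review bot: in the `sidebars.js` hunk at `@@ -346,6 +348,7 @@`, the added id `"config_password_security",` refers to a document that this patch does not add, and the fact that it is being inserted into the sidebar now suggests it may not exist yet; confirm `docs/config_password_security.md` is present, because the release notes in this patch (I95-59996) link to it and a missing id fails the Docusaurus build.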
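Review bot: in the `sidebars.js` hunk at `@@ -361,6 +364,8 @@`, `"cert_based_sec_encrpt",` is added under Security but no `cert_based_sec_encrpt.md` appears in this patch, while the I95-29382 release note links to it; confirm the file exists with that exact (misspelled) id or the link and the sidebar entry will both break. The sibling `"svr-ztna",` is the only new id using hyphens rather than the underscore convention of nearly every other document id; it works, but consider `svr_ztna` for consistency before the URL is published and linked from elsewhere.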
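Review bot: two of the new binaries, `static/img/u-iso11_define_conductor copy.png` and `static/img/u-iso9a_ha_conductor-2 copy.png`, carry a ` copy` suffix with a space in the filename, the pattern a desktop file manager produces when duplicating a file, and no document in this patch references either of them, so they look accidental. Rename them to the spaceless convention the other images use or remove them; a space in a static asset path must be URL-encoded in every markdown reference and is easy to get wrong.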