Release Notes 7.1.0
Ubuntu 14.04 users: please upgrade to Ubuntu 18.04 to upgrade to 7.1
See the migration guide to update to Ubuntu 18.04
Platform
New Features
New and improved Issue Page
- Customizable table – Filter, sort and pin columns to get your data right. Add, remove and change the width of each column for more efficient use
The New Knowledge Explorer applies a new coat of paint to the Rule Section
- Explore the Indeni rule and Auto-Triage Elements (ATE) base, customize rule configurations and quickly enable or disable rules for select devices and labels
New Dashboard Section
- Get a high-level view of your device estate, best practice and health rating scores at a glance
Auto-Triage
- Run ATEs automatically or manually from the interface for select issues
Granular Device Permissions
- Allocate granular permissions to different users to efficiently segregate data between user roles. Group devices under labels and assign them to different users to make sure only the right roles can see the information
Security Features
- Automatic GUI session timeout
- Automatic account lockout when an incorrect password has been entered 5 consecutive times
Bug Fixes
- FRONT-2947: Fixed an issue in which PAN bandwidth charts were showing an incorrect unit on 10Gb interfaces
- FRONT-2808: Corrected a missing digit showing in some charts in the Custom Reports section
Knowledge
New Features
Blue Coat Proxy SG
IKP-2685: Added checks to identify interface utilization
IKP-3249: Added check to limit SNMP protocol to SNMPv3 only
IKP-3246: Added check to make sure only SSHv2 is used
IKP-3247: Added check to make sure actions are configured for failed logins to prevent brute force attacks
IKP-3248: Added check to limit the inactivity timeout
IKP-3295: Added check to make sure secure ICAP connection is used
IKP-3296: Added check to identify if the management access is not restricted
IKP-3328: Added check to identify if password policy for password length is too short
Check Point
IKP-3330: Added interrogation support for Maestro Hyperscale Orchestrator
IKP-1811: Added check to identify if the unsuccessful logins ratio is too high and if unsuccessful LDAP queries are too high
IKP-3360: Added playbook to auto-triage DNS lookup failure issue
IKP-3359: Added playbook to auto-triage NTP sync failure issue
IKP-3189: Added playbook to auto-triage High CPU usage per core issue
IKP-3179: Added playbook to auto-triage Communication issues with certain log servers issue
IKP-3353: Added playbook to auto-triage Next hop inaccessible issue
Cisco ASA
IKP-3155: Added check to identify NTP sync failure
IKP-3159: Added check to detect if device is vulnerable to OSPF LSA manipulation
IKP-3161: Added check to identify if the users defined do not match the expected list
IKP-3162: Added check to identify high storage usage
IKP-3163: Added check to identify device uptime too high or too low
IKP-3421: Added check to identify if uptime of the VPN tunnel is too low
IKP-3422: Added check to identify if there is a high number of concurrent AnyConnect VPN users
IKP-3584: Added check to identify maximum number of ASDM sessions nearing
IKP-3553: Added check to identify maximum number of routes nearing (IPv4)
IKP-3585: Added check to identify maximum number of SSH sessions nearing
IKP-3586: Added check to identify maximum number of NAT translations nearing
IKP-3598: Added check to identify the number of concurrent connections for a device is too high
F5
IKP-1146: Added check to identify out of memory error
FireEye
IKP-2891: Added check to identify memory utilization
Fortinet
IKP-3292: Added check to identify slave units high CPU and memory utilization
IKP-3175: Added check to identify when default static route is not configured
IKP-3174: Added check to identify if heartbeat interfaces are not configured following best practices
IKP-3176: Added check to identify when a wildcard FQDN is found
IKP-3233: Added check to identify if firewall doesn’t have an explicit deny rule
Palo Alto Networks
IKP-2266: Added check to identify if User Credential detection is disabled or User Credential submission is allowed
IKP-2656: Added CIS checks to identify Login Banner not configured and device not logging high DP load
IKP-2657: Added checks to ensure management interface settings are following CIS best practices
IKP-2658: Added checks to ensure password requirements are following CIS best practices
IKP-2659: Added checks to ensure authentication settings are following CIS best practices
IKP-2661: Added checks to ensure user identification configurations are following CIS best practices
IKP-2662: Added checks to ensure High Availability configurations are following CIS best practices
IKP-2666: Added checks to ensure Security Policies configurations are following CIS best practices
IKP-3185: Added playbook to auto-triage Configuration changed on standby member issue
IKP-3363: Added playbook to auto-triage Maximum number of routes nearing (IPv4) issue
IKP-3365: Added playbook to auto-triage High CPU Usage per core issue
IKP-3355: Added playbook to auto-triage MAC cache usage high issue
IKP-3356: Added playbook to auto-triage High ARP cache usage issue
IKP-3357: Added playbook to auto-triage Logs are being discarded issue
IKP-3358: Added playbook to auto-triage Disk RAID in error state issue
Bug Fixes
Blue Coat Proxy SG
IKP-3262: Network port(s) down issue is not triggering due to missing network-interface-state metric
Check Point
IKP-2798: Fixed false positive issues triggered due to command failure in chkp-tcp-test-18264
IKP-3299: Increased polling interval of cpmiquery-check-SIC-mds to 30 mins
IKP-3386: Signature update status issue not triggering
IKP-2986: Duplicate alert item for License expiration nearing issues
IKP-3499: Management service down false positive for Multi-domain Log Module
IKP-2778: Removed DASERVICE from Critical Process lists
IKP-3128: Missing data caused false positive issue generated by chkp-cphaprob_state_monitoring script
IKP-2701: “fw ctl get int” spamming /var/log/messages
IKP-2837: “Cluster has preemption enabled” is triggering on VSX but does not report VSID or VS Name
IKP-2357: PNotes reported as being down on 3+ node clusters where that is the intended design of such clusters
IKP-2679: Duplicate text in “Critical Process(es) Down” issues
IKP-2806: False positive for “Cluster Down” issue for 3-way cluster situation
IKP-2849: Duplicate connected networks returned in gaia-routes-novsx and gaia-routes-vsx scripts
IKP-3274: Empty value in Cluster ID mismatch across cluster members
IKP-3319: False positive caused by incorrect tags used in chkp-debug-securexl-module-options-vsx script
IKP-3343: False positive issues of “Firewall logging locally” triggered for small increments over short intervals
IKP-3432: Fixed asg-hw_monitor script to work with Maestro HALS security group
IKP-3433: Fixed asg-bond script to work with Maestro HALS security group
IKP-3448: Fixed detecting-cluster interrogation script to work in Maestro in security groups
IKP-3563: Excluded hotfix-jumbo-take script from running on R77.30
F5
IKP-3370: Cluster Down false positive issue triggered due to multiple Traffic-Groups configured
Palo Alto Networks
IKP-3077: Restricted some scripts from running on PA-VMs since the commands are not applicable
IKP-3034: PAN update schedule scripts have missing duration metrics
IKP-3331: High log DB usage issue never triggers for PAN devices
IKP-3320: Fixed affected version for Denial of Service in PAN-OS Management Web Interface PAN-SA-2018-0008 check