Release Overview - Unimus 2.3.0
2.3.0 is the latest major Unimus release. With 120+ lines in the Changelog, this article hopes to provide a short overview of the major features and other new additions in this release.
The full Changelog is also present at the bottom of this article - if you would like to see everything that this release contains.
LDAP authentication support
The most anticipated feature in this release is support for native LDAP authentication. LDAP has been requested by many users from the community and we are happy to report it's now here!
The LDAP connector was designed to be fully configurable and to support both OpenLDAP and Microsoft Active Directory. Examples of how to configure both are available on our Wiki. Please check the full documentation on our Wiki for more info.
MS SQL database support
Another often requested feature implemented in this release is support for using a Microsoft SQL Server database. During the Deploy Wizard, you can now select MSSQL as your database. After you finish the Wizard, everything should work as expected.
Support for MSSQL brings the total database support in Unimus up to 5 different DB engines (HSQL, MySQL, MariaDB, PostgreSQL and MSSQL). We hope this offers enough flexibility to deploy Unimus in just about any environment.
"Offline Mode" (support for air-gapped networks)
Last year, we announced that we will be bringing support for Offline Mode to Unimus. Until today, Unimus required a check with our Licensing Server to function. Starting with 2.3.0, full air-gapped deployment of Unimus is possible.
With Offline Mode, Unimus can now be deployed in highly secured environments where all outside connectivity must be blocked.
Please note that Offline Mode is only available to customers with the Unlimited License (more info here). If you are interested in using Offline Mode, just contact our Support.
Config Search Export and Send functions
Results of Config Search can now be exported! This is very useful when you need to present a report for a security audit, to management, or use the search results for processing in a different system.
The export format, as well as the contents, is fully configurable. You can export the search results in a nice-looking HTML document with full search information, or only export the search results themselves in YAML for further machine processing.
We hope this feature makes your reporting duties a bit easier :)
Other minor new features
On top of the major features shown above, there are many other minor features, improvements, and UI / UX updates. As with every release, we also added support for many new device types. This time around, drivers for 28 new device types were added.
For the full list of new features (and supported devices), please see the Changelog below.
Bug fixes and security fixes
As with every release, a sizable list of fixes for various bugs and issues is present. Of particular note are the fixes for many edge cases where jobs (Discovery / Backups / Push) could fail on various older networking devices.
There are also a few security issues fixed in this release. In particular, our MySQL DB driver library was updated due to multiple fixed vulnerabilities reported in its older versions.
Finally, here is the full Changelog for 2.3.0. As this is a major release, the Changelog is quite long. But if you want to see all the changes in this release, please read on:
= Version 2.3.0 =
Features:
Added device UUIDs in APIv2 (all "/devices" endpoints)
The "Default" Zone will now be marked as "Default" when renamed
Added support for recognizing Observium device IDs in Observium NMS Sync
Improved built-in backup filters for Siklu devices
Incremental performance improvements across many parts of the system
Added support for acknowledging login prompts in keyboard-interactive mode during SSH login
Added retrieval of backup from Fiberhome devices in configure mode if not available in enable mode
Improved device CLI mode switching and mode detection during discovery
Added support for prompt format changing when switching contexts on Cisco ASA (multi-context)
Added support for Configure Mode on Sonicwall NSA
Added handling which improves backup formatting on Cambium cnMatrix switches (removes double lining)
Added "Offline Mode" (support for air-gapped networks):
- Unimus can now be switched to full offline mode, which removes the necessity to contact our Licensing Server
- Offline Mode licenses are only available to users with an Unlimited License subscription
- please contact us to request an Offline Mode license
Added support for LDAP authentication:
- LDAP can now be used as an external authentication provider
- full support for configuring custom user search DN and specifying username LDAP attributes
- tested on both OpenLDAP as well as Microsoft Active Directory
- full documentation: https://wiki.unimus.net/display/UNPUB/LDAP+Auth
Added support for MS SQL:
- we have added support for Microsoft SQL Server as an officially supported DB engine
- the Deploy Wizard will allow you to select MSSQL during deployment
- to migrate to MSSQL, you will need to set up a new Unimus deployment; data migration is currently not supported
Added Config Search Export and Send functionality:
- you can now export (download) or directly send Config Search results
- support for exporting in both HTML and YAML format
- configurable export formatting (header, search criteria, etc.) or just results
Added options to specify which SSH cryptography options Unimus supports:
- in some environments, it may be desired to disable support for weaker SSH crypto
- full documentation: https://wiki.unimus.net/display/UNPUB/Supported+SSH+cryptography
Added support for:
- Accedian AMO series
- ADVA LX series console servers
- Arris C4 series chassis
- BDCOM OLTs
- Additional Brocade NOS device models
- CheckPoint Gaia devices
- CheckPoint Security Gateway
- CheckPoint Security Management Server
- CheckPoint SMB Gateway
- CheckPoint VSX
- Additional Ciena SAOS device models
- Dasan OLTs
- Enterasys switches (A4 / B2 series)
- Extreme Wing APs in cluster mode / virtual controller mode
- Extreme WLC
- Fortinet FortiAuthenticator
- Metaswitch Perimeta SBCs
- NetApp switches
- Nokia OLTs (FX-8)
- MRV LX series console servers
- Opengear Infrastructure Manager devices
- Opengear Resilience Gateway (ACM)
- Pulse Secure Virtual Traffic Manager
- Ribbon (ECI) Apollo
- Securepoint UTM
- SNR (NAG) Switches
- YunKe switches
- Zyxel GS19xx series switches
- Zyxel ATP
Fixes:
Fixed backup retention would not work on specific MySQL Server versions
Fixed Inverted Config Search would not work on specific PostgreSQL versions
Fixed diff visualization would incorrectly show new empty lines when large delete sections were followed by a new addition
Fixed first failed job on a newly added device would not set its Last Job Status to failed
Fixed disabled retention jobs would still show up in "Schedules > Show scheduled jobs" window
Fixed API v2 get backups by device id and latest backups by device id not working
Fixed API (of the local instance) denying all requests when connection to Licensing Server was down
Fixed API v3 Push Jobs search not working on PostgreSQL
Fixed possible deletion attempt on an already deleted object comment which would result in errors
Fixed Per-Tag Connector config updates not being propagated between concurrent users (live updates were missing)
Fixed "Schedules" table updates not being propagated between concurrent users (live updates were missing)
Fixed "Config Search > Show all lines" does not work if Context lines is set to a negative value
Fixed moving devices between Zones would not trigger needed rediscovery in specific cases
Fixed moving devices between Zones would trigger unneeded rediscovery in specific cases
Fixed incorrect "Currently running Scans" count if a Network Scan preset was deleted while it was running
Fixed "Devices > Last Job Status" could be incorrect if running a job with all Connectors disabled
Fixed multiple minor UI / UX issues and UI element state and alignment issues
Fixed SSH connections failing to PanOS devices when login acknowledgement prompts were enabled
Fixed backup not working on specific Fiberhome devices
Fixed backup and Config Push could fail on some Positron GAM devices
Fixed backup not working on Cisco FXOS devices in cluster mode
Fixed Cisco SX devices could contain backup command echo as part of the backup
Fixed Exablaze Fusion devices could contain backup command echo as part of the backup
Fixed discovery failing on specific Aruba ArubaOS / HP(E) ProCurve devices
Fixed discovery failing on specific Brocade NOS devices
Fixed discovery failing on specific Ciena SAOS devices
Fixed discovery failing on DCN devices with newer firmwares (after rebranding to YunKe)
Fixed discovery failing on netElastic vBNG
Fixed discovery failing on Dell OS10 switches if they output a Bell before the prompt
Fixed discovery failing on Extreme VX devices (VX9000)
Fixed discovery failing on Opengear devices when using the "root" user
Fixed discovery failing on newer versions of OPNsense
Fixed discovery failing on Fiberstore S5850 (and related devices) with newer firmwares
Fixed discovery failing on specific Nokia / Vecima OLT devices
Fixed discovery failing on multi-context Cisco ASA with different prompt in different contexts
Fixed discovery could fail on devices which use pagination in very specific cases
Fixed discovery not falling back to Telnet after IO errors occurred on the SSH connection
Fixed SSH connections failing to servers which did not support higher MAC segment size:
- affected devices usually had very old firmwares with weak SSH MAC support
- example of affected devices: Dell PowerConnect 55xx, some versions of Cisco SF/SG switches, etc.
Security fixes:
Updated MySQL Connector due to multiple published vulnerabilities in older versions
Fixed currently opened "Devices > Tags" window still working if user lost access to the device
Fixed currently opened "Devices > Comments" window still working if user lost access to the device
Users who did not have full access to a Config Push preset could still delete the preset in its context menu
Embedded Core version:
2.3.0
Known issues:
ISSUE: "Re-discover affected devices when Ports or Connectors change" Advanced Settings option does not work
WORKAROUND: none
STATUS: issue scheduled for fixing
ISSUE: Some screens in Unimus show time in server's time zone, others in client's (browser's) time zone
WORKAROUND: none, issue only relevant if client has different time zone than server
STATUS: we are debating on how to fix this - will likely create a setting to select which TZ should be used