Release Overview - Unimus 2.3.0

2.3.0 is the latest major Unimus release. With 120+ lines in the Changelog, this article hopes to provide a short overview of the major features and other new additions in this release.

The full Changelog is also present at the bottom of this article - if you would like to see everything that this release contains.


LDAP authentication support

The most anticipated feature in this release is support for native LDAP authentication. LDAP has been requested by many users from the community and we are happy to report it's now here!

The LDAP connector was designed to be fully configurable and to support both OpenLDAP and Microsoft Active Directory. Examples of how to configure both are available in the full documentation on our Wiki.


MS SQL database support

Another often-requested feature implemented in this release is support for using a Microsoft SQL Server database. During the Deploy Wizard, you can now select MSSQL as your database. After you finish the Wizard, everything should work as expected.

Support for MSSQL brings the total database support in Unimus up to 5 different DB engines (HSQL, MySQL, MariaDB, PostgreSQL and MSSQL). We hope this offers enough flexibility to deploy Unimus in just about any environment.


"Offline Mode" (support for air-gapped networks)

Last year, we announced that we will be bringing support for Offline Mode to Unimus. Until today, Unimus required a check with our Licensing Server to function. Starting with 2.3.0, full air-gapped deployment of Unimus is possible.

With Offline Mode, Unimus can now be deployed in highly secured environments where all outside connectivity must be blocked.

Please note that Offline Mode is only available to customers with the Unlimited License (more info here). If you are interested in using Offline Mode, just contact our Support.


Config Search Export and Send functions

Results of Config Search can now be exported! This is very useful when you need to present a report for a security audit, to management, or use the search results for processing in a different system.

The export format, as well as the contents, are fully configurable. You can export the search results in a nice-looking HTML document with full search information, or only export the search results themselves in YAML for further machine processing.

We hope this feature makes your reporting duties a bit easier :)


Other minor new features

On top of the major features shown above, there are many other minor features, improvements, and UI / UX updates. As with every release, we also added support for many new device types. This time around, drivers for 28 new device types were added.

For the full list of new features (and supported devices), please see the Changelog below.


Bug fixes and security fixes

As with every release, a sizable list of fixes for various bugs and issues is present. Of particular note are the fixes for many edge cases where jobs (Discovery / Backups / Push) could fail on various older networking devices.

There are also a few security issues fixed in this release. In particular, our MySQL DB driver library was updated due to multiple fixed vulnerabilities reported in its older versions.


Finally, here is the full Changelog for 2.3.0. As this is a major release, the Changelog is quite long. But if you want to see all the changes in this release, please read on:

= Version 2.3.0 =
Features:
  Added device UUIDs in APIv2 (all "/devices" endpoints)
  The "Default" Zone will now be marked as "Default" when renamed
  Added support for recognizing Observium device IDs in Observium NMS Sync
  Improved built-in backup filters for Siklu devices
  Incremental performance improvements across many parts of the system
  Added support for acknowledging login prompts in keyboard-interactive mode during SSH login
  Added retrieval of backup from Fiberhome devices in configure mode if not available in enable mode
  Improved device CLI mode switching and mode detection during discovery
  Added support for prompt format changing when switching contexts on Cisco ASA (multi-context)
  Added support for Configure Mode on Sonicwall NSA
  Added handling which improves backup formatting on Cambium cnMatrix switches (removes double lining)

  Added "Offline Mode" (support for air-gapped networks):
    - Unimus can now be switched to full offline mode, which removes the necessity to contact our Licensing Server
    - Offline Mode licenses are only available to users with an Unlimited License subscription
    - please contact us to request an Offline Mode license

  Added support for LDAP authentication:
    - LDAP can now be used as an external authentication provider
    - full support for configuring custom user search DN and specifying username LDAP attributes
    - tested on both OpenLDAP as well as Microsoft Active Directory
    - full documentation: https://wiki.unimus.net/display/UNPUB/LDAP+Auth

  Added support for MS SQL:
    - we have added support for Microsoft SQL Server as an officially supported DB engine
    - the Deploy Wizard will allow you to select MSSQL during deployment
    - to migrate to MSSQL, you will need to set up a new Unimus deployment; data migration is currently not supported

  Added Config Search Export and Send functionality:
    - you can now export (download) or directly send Config Search results
    - support for exporting in both HTML and YAML format
    - configurable export formatting (header, search criteria, etc.) or just results

  Added options to specify which SSH cryptography options Unimus supports:
    - in some environments, it may be desired to disable support for weaker SSH crypto
    - full documentation: https://wiki.unimus.net/display/UNPUB/Supported+SSH+cryptography

  Added support for:
    - Accedian AMO series
    - ADVA LX series console servers
    - Arris C4 series chassis
    - BDCOM OLTs
    - Additional Brocade NOS device models
    - CheckPoint Gaia devices
    - CheckPoint Security Gateway
    - CheckPoint Security Management Server
    - CheckPoint SMB Gateway
    - CheckPoint VSX
    - Additional Ciena SAOS device models
    - Dasan OLTs
    - Enterasys switches (A4 / B2 series)
    - Extreme Wing APs in cluster mode / virtual controller mode
    - Extreme WLC
    - Fortinet FortiAuthenticator
    - Metaswitch Perimeta SBCs
    - NetApp switches
    - Nokia OLTs (FX-8)
    - MRV LX series console servers
    - Opengear Infrastructure Manager devices
    - Opengear Resilience Gateway (ACM)
    - Pulse Secure Virtual Traffic Manager
    - Ribbon (ECI) Apollo
    - Securepoint UTM
    - SNR (NAG) Switches
    - YunKe switches
    - Zyxel GS19xx series switches
    - Zyxel ATP

Fixes:
  Fixed backup retention would not work on specific MySQL Server versions
  Fixed Inverted Config Search would not work on specific PostgreSQL versions
  Fixed diff visualization would incorrectly show new empty lines when large delete sections were followed by a new addition
  Fixed first failed job on a newly added device would not set its Last Job Status to failed
  Fixed disabled retention jobs would still show up in "Schedules > Show scheduled jobs" window
  Fixed API v2 get backups by device id and latest backups by device id not working
  Fixed API (of the local instance) denying all requests when connection to Licensing Server was down
  Fixed API v3 Push Jobs search not working on PostgreSQL
  Fixed possible deletion attempt on an already deleted object comment which would result in errors
  Fixed Per-Tag Connector config updates not being propagated between concurrent users (live updates were missing)
  Fixed "Schedules" table updates not being propagated between concurrent users (live updates were missing)
  Fixed "Config Search > Show all lines" does not work if Context lines is set to a negative value
  Fixed moving devices between Zones would not trigger needed rediscovery in specific cases
  Fixed moving devices between Zones would trigger unneeded rediscovery in specific cases
  Fixed incorrect "Currently running Scans" count if a Network Scan preset was deleted while it was running
  Fixed "Devices > Last Job Status" could be incorrect if running a job with all Connectors disabled
  Fixed multiple minor UI / UX issues and UI element state and alignment issues
  Fixed SSH connections failing to PanOS devices when login acknowledgement prompts were enabled
  Fixed backup not working on specific Fiberhome devices
  Fixed backup and Config Push could fail on some Positron GAM devices
  Fixed backup not working on Cisco FXOS devices in cluster mode
  Fixed Cisco SX devices could contain backup command echo as part of the backup
  Fixed Exablaze Fusion devices could contain backup command echo as part of the backup
  Fixed discovery failing on specific Aruba ArubaOS / HP(E) ProCurve devices
  Fixed discovery failing on specific Brocade NOS devices
  Fixed discovery failing on specific Ciena SAOS devices
  Fixed discovery failing on DCN devices with newer firmwares (after rebranding to YunKe)
  Fixed discovery failing on netElastic vBNG
  Fixed discovery failing on Dell OS10 switches if they output a Bell before the prompt
  Fixed discovery failing on Extreme VX devices (VX9000)
  Fixed discovery failing on Opengear devices when using the "root" user
  Fixed discovery failing on newer versions of OPNsense
  Fixed discovery failing on Fiberstore S5850 (and related devices) with newer firmwares
  Fixed discovery failing on specific Nokia / Vecima OLT devices
  Fixed discovery failing on multi-context Cisco ASA with different prompt in different contexts
  Fixed discovery could fail on devices which use pagination in very specific cases
  Fixed discovery not falling back to Telnet after IO errors occurred on the SSH connection

  Fixed SSH connections failing to servers which did not support higher MAC segment size:
     - affected devices usually had very old firmwares with weak SSH MAC support
     - example of affected devices: Dell PowerConnect 55xx, some versions of Cisco SF/SG switches, etc.

Security fixes:
  Updated MySQL Connector due to multiple published vulnerabilities in older versions
  Fixed currently opened "Devices > Tags" window still working if user lost access to the device
  Fixed currently opened "Devices > Comments" window still working if user lost access to the device
  Users who did not have full access to a Config Push preset could still delete the preset in its context menu

Embedded Core version:
  2.3.0

Known issues:
  ISSUE: "Re-discover affected devices when Ports or Connectors change" Advanced Settings option does not work
  WORKAROUND: none
  STATUS: issue scheduled for fixing

  ISSUE: Some screens in Unimus show time in server's time zone, others in client's (browser's) time zone
  WORKAROUND: none, issue only relevant if client has different time zone than server
  STATUS: we are debating on how to fix this - will likely create a setting to select which TZ should be used