Release Notes 2.0

Release Date: May 31, 2017

What's New

HIPrelay

New in this release is the ability for a HIPswitch to function as a HIPrelay, which you can configure from the Conductor user interface. A HIPrelay controls traffic between HIPswitches, allowing them to securely communicate with each other when direct communication between two switches is not possible or desirable.

To use this feature on a 300 or 400 series HIPswitch, check Allow HIPswitch to act as a HIPrelay on the Edit Settings page of a HIPswitch. Additionally, the HIPrelay rules tab allows you to control which HIPswitches can communicate with each other via a HIPrelay.

Smart Device Groups

Also new in this release are Smart Device Groups. Smart Device Groups allow you to dynamically add devices to a group by using a user-defined rule. Once a rule is created, any new devices that match the rule are added to the group automatically.

This feature can greatly simplify the creation and management of large groups of devices. A Smart Device Group can be used to dynamically create and manage devices based on criteria such as organizational hierarchy, geographic location, or network domain.

To use this feature, check the box Use rules to add devices when creating a device group. Once selected, a new Rules tab is available where you can add a list of rules, place them in a particular order, and set logical operators, such as include, filter, and exclude. For more information, see Device Group Rules (DGR).

Alerts and Events

The Conductor user interface displays a bell icon in the upper right corner of the window that allows you to access the new alerts and events settings. Selecting the icon displays a new Event Monitoring and Alerting page. This page lets you create events with user-defined criteria from the Event Monitors tab, and view and take action on alerts from the Alert Notifications tab.

PCI Compliance

The IDN 2.0 Conductor and HIP Services are compliant with PCI DSS guidelines and Payment Card Industry (PCI) data security standards. We provide secure transport of logs, firewall rules creation and reporting, retention of activity logs, and audit reporting of system configuration changes. To access PCI data, go to Settings > Advanced > PCI Reporting and click Downloads to access the PCI Report & Reference Download Page.

Changes and Enhancements

ID Component Description
DEV-5367 HIPclient for Windows The Configure HIPclient dialog now displays the Conductor field as green text if the address is valid and as red text if it is invalid.
DEV-5350 Conductor A warning was added when attempting to downgrade a HIPrelay to 1.12.
DEV-5297 HIPswitch When attempting to set overlay routes on a HIPswitch functioning in port dual-use mode, you will now receive a notification to inform you that overlay routes are disabled in this mode.
DEV-5128 Conductor The term factory reset has been changed to unmanaged to align with other wording in the Conductor UI.
DEV-5106 Conductor The Conductor now allows for the addition of a shared key that HIP Services use to validate the identity of the Conductor. You can configure this from Settings > Advanced to make it easy to move HIP Services from one Conductor to another.
DEV-5088 HIPswitch When a DHCP server is configured for a HIPswitch, the server will now use DHCP authoritative mode.
DEV-4819, DEV-4667 BaseOS All products were updated to OpenSSL 1.02k.

https://www.openssl.org/news/cl102.txt

DEV-4767 Conductor The Conductor UI now accurately reports a HIPapp as a HIPclient or HIPserver.
DEV-4638 HIPswitch Diagnostic mode and cellular gateway mode now have STP turned on by default for device ports, reducing the potential for broadcast storms when multiple ports are on the same network segment.
DEV-4630 Configuration The HIPswitch 100v virtual model is no longer supported and will not appear in the Conductor UI.
DEV-4595 Conductor UI Traceroute was added to align diagnostic functionality between Conductor UI and HIPservice diagnostic mode.
DEV-4067 Conductor The API documentation is available from your user profile, located in the upper-right of the Conductor UI once you have enabled API access from your profile.
DEV-3699 HIPswitch HIPswitches can now be configured to use only a single port for both the shared and device network.
DEV-2790 Conductor UI The login screen now shows password requirements when you are entering a new password.
DEV-1569 Conductor UI Improved the layout of the VLAN traffic rules section of the Conductor UI.

Fixes

ID Component Resolution
DEV-5473 Conductor Fixes an issue that could cause a HIPswitch to stop passing traffic if the overlay policy included multiple HA-paired HIPswitches.
DEV-5431 Conductor Updated the Read-Only System Administrator role to disallow the creation of device groups, HIPswitch groups, and HIPrelay rules.
DEV-5393 HIPclient for Windows Fixed an issue where deleting a device ID did not remove the device ID or the Conductor address from the HIPclient configuration.
DEV-5316 Conductor The link on the Conductor UI dashboard indicating you have unlicensed HIP Services now takes you to the Licensing page instead of the Settings page.
DEV-5283 Conductor Fixed an issue where details for a user did not display the Full Name and Username entries correctly.
DEV-5115 BaseOS Patched for CVE-2016-10229 UDP remote code execution vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2016-10229

DEV-5080 HIPswitch Fixed an issue where IP address and port changes when tunneling via NATs were not detected properly.
DEV-4996 Conductor Fixed an issue where setting the Lease time in Local Device DHCP settings would not accept the setting.
DEV-4834 HIPswitch Fixed an issue in an HA-pair where the secondary HIPswitch would incorrectly detect the gateway IP address of the primary HIPswitch.
DEV-4779 HIPclient for Windows Fixed an issue where a restart was required on a HIPclient when changing the Windows HIPapp cryptographic mechanism. The HIPclient now restarts after the change.
DEV-4773 BaseOS Patched for CVE-2017-5970 IP options header vulnerability.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5970

DEV-4772 Conductor Fixed an issue where the API documentation link to the terms of service pointed to an incorrect location.
DEV-4756 HIP Services Fixed an issue where setting the default encryption to AES-256 with GCM and compression or AES-256 with GCM would not include the correct ESP transform.
DEV-4713 BaseOS Patched for CVE-2016-2147 DHCP client vulnerability.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2147

DEV-4611 Conductor, HIPswitch 100 series Fixed an issue where adding a serial over IP port was missing an option for RS-232 in the Protocol drop-down.
DEV-4606 API Fixed an issue where incorrect fields present in the API documentation pertaining to endbox_routes would cause errors.
DEV-4588 Conductor Fixed an issue where configuring a standby HA Conductor may not correctly display a list of firmware available on the standby Conductor.
DEV-4327 HIPclient for Windows The HIPclient now correctly handles a restart of the TAP adapter.
DEV-4299 API Fixed an issue where sending a POST request to /api/v1/devices would return an error 500.
DEV-4076 Conductor Fixed an issue where the network enable button toggled incorrectly.
DEV-4051 Conductor Fixed an issue where some icons in the Conductor UI would disappear when the UI was resized.
DEV-3658 Conductor Fixed an issue where deleting a device from the Devices page did not remove it from the HIPswitch.
DEV-3657 Conductor Fixed an issue where you could configure and remove a serial over IP device on the Local Devices tab. This functionality is now only available from the Ports > Serial page.
DEV-2203 Conductor UI Fixed an issue where restarting the WWW server from the Settings page would require a page refresh to update the service status.

Known Issues

ID Component Description
DEV-5665 Conductor, HIP Relay Vouchers added containing a HIPrelay license will display in the Vouchers section of the Licensing page as addon/ADD-HPR Unknown. This will be fixed in a later release.

DEV-5535 HIPswitch In rare cases, the identity data for a HIPswitch in the database is different from the data on the HIPswitch. The HIPswitch cannot communicate with the Conductor.

Workaround:
  1. Revoke the HIPswitch
  2. Delete the HIPswitch
  3. Reconnect the HIPswitch to the Conductor

DEV-5533 HIPswitch In rare cases, configuring a HIPswitch may cause policy metadata to become corrupt. This can cause the HIPswitch to disconnect and reconnect to IF-MAP repeatedly.

Workaround: Restart IF-MAP in Settings > Service Status

DEV-5532 HIPswitch Upgrading a HIPswitch while in transparent mode will fail.

Workaround: Turn off transparent mode before upgrading.

DEV-5530, DEV-5441 Conductor UI In some cases, Allow incoming pings (ICMP) and SYN Flood Protection on the Firewall page may be disabled and won't toggle.

Workaround: Refresh your browser to resolve the issue.

DEV-5529 HIPswitch If you add an invalid overlay route to a HIPswitch from the Conductor UI, the route will not be created on the HIPswitch and you will not receive a warning.

Workaround: None

DEV-5528 HIPswitch You cannot enable transparent mode for a HIPswitch 200 running 2.0.

Workaround: None

DEV-5526 Conductor UI Occasionally, the Conductor UI will not display the recent activity of a local device correctly.

Workaround: Refresh your browser

DEV-5487 Conductor UI If you click Restore positions on a network visualization graph, you will not be able to move the objects on the graph.

Workaround: Refresh your browser

DEV-5469 Conductor UI In the Conductor UI, Ping single IP address does not work correctly and produces an error.

Workaround: None

DEV-5457 Conductor In the Conductor network settings, Default gateway is mislabeled as Default route. This will be fixed in a future update.
DEV-5448 Conductor UI Clicking the Swap roles button for a secondary HA-paired HIPswitch will cause the UI to stop responding.

Workaround: None

DEV-5434 Conductor UI Clicking Detect Devices repeatedly on the HIPswitch properties page will generate excess traffic.

Workaround: Give the Conductor time to complete the operation.

DEV-5430, DEV-4535 Conductor After configuring a Conductor for the first time, you may receive a Lost connection to the original server message if you select Return to settings too quickly.

Workaround: Wait at least 20 seconds before selecting Return to settings.

DEV-5428 Conductor UI If you create a Smart Device Group (SDG) with Ignore auto-discovered devices until accepted unchecked, the SDG will add non-accepted devices.

Workaround: None

DEV-5368 Conductor UI Import devices has been removed from 2.0. An improved version of the feature will be added in a future update.

Workaround: Tempered Networks Support can provide a tool enabling you to import a CSV, if required.

DEV-5343 Conductor UI If you try to log in after your session has timed out, you may receive the following error:

The change you wanted was rejected.

Workaround: Refresh your browser and log in.

DEV-5021 HIPswitch In some cases, a HIPswitch may factory reset if the reset button is held for close to 5 seconds.

Workaround: Don't hold the reset button for a full 5 seconds. Anything after 3 seconds should place the HIPswitch in diagnostic mode.

DEV-5010 HIPswitch A HIPswitch with a static IP does not failover between cellular/WiFi and wired interfaces successfully.

Workaround: None

DEV-5008 PCI Reporting PCI Reporting shows UUID data instead of object names when generating a PCI report from Settings > Advanced > PCI Reporting > Downloads > User Activities Report.

Workaround: You will need to make API calls to the Conductor in order to capture the object data.

DEV-4846 HIPswitch If a HIPswitch is in port dual-use mode and device discovery is enabled, the HIPswitch will report an error.

Workaround: None

DEV-4733 HIPswitch In some cases, a factory reset of a HIPswitch 100e may cause port 1 to disappear.

Workaround: Install Hotfix HF-4733 in diagnostic mode to correct the issue.

DEV-4581 Conductor Configuring a standby HA Conductor may take a significant amount of time.

Workaround: None.

DEV-4573 Conductor Cloud HIPswitches may not display the correct icon in the user interface if they are on firmware version 1.12.3 or below.

Workaround: None.

DEV-4537 Conductor When demoting a master Conductor to standby, the processing screen might not correctly update.

Workaround: Refresh your browser.

DEV-4514 Conductor After a HIPswitch is factory reset, its devices may still appear in the Conductor user interface.

Workaround: Refresh your browser.

DEV-4292 Conductor, Cloud Cloud provider credentials entered in the Conductor can be seen by all administrators.

Workaround: None.

DEV-4188 HIPswitch (Cellular) In the Graphs section of the Reporting tab, several graphs are available to older HIPswitch 200g models with an Option Cellular card that are not applicable, such as LTE, CDMA, Cell temperature, etc. These graphs will not display data.
DEV-4028 API When making a POST call to /api/v1/people, the role attribute is set to viewer regardless of the role specified.
DEV-2417 Conductor UI The password reset email link defaults to the first web-enabled interface, and will be successful only if an administrator configures the first interface with a publicly-facing default route.

Workaround: None.

DEV-2022 Conductor After configuration setup completes on two HIPswitch Conductors in an HA-pair, the Conductor UI may not return to the Dashboard.

Workaround: Refresh your browser.

DEV-1994 HIPswitch When modifying an existing serial over IP configuration, you must reboot the HIPswitch to apply the new configuration settings.