Software Releases

Current Release - Release Notes Ransomware Defender AirGap 2.0




What’s New in Superna Eyeglass Ransomware Defender Edition Release 2.5.7 AirGap 2.0


What’s New! In Superna Eyeglass Ransomware Defender Edition Release 2.5.7 can be found here.


Controlled Availability Ransomware Defender Edition Release 2.5.8 AirGap 2.0

What’s New! In Superna Eyeglass Ransomware Defender Edition Release 2.5.8 can be found here.


Controlled Availability release is available for new deployments and upgrades approved by support.


Supported OneFS releases

Source cluster

8.1.2.x

8.1.3.x

8.2.0.x

8.2.1.x

8.2.2.x


Target Airgap Cluster

8.2.2.x


Supported Eyeglass releases

Superna Eyeglass Ransomware Defender Version | Superna Eyeglass Version
2.5.8-21222 Controlled Availability | 2.5.8-21222 Controlled Availability
2.5.8-21213 Controlled Availability | 2.5.8-21213 Controlled Availability
2.5.7.1-21161 | 2.5.7.1-21161
2.5.7.1-21140 | 2.5.7.1-21140
2.5.7-21096 | 2.5.7-21096
2.5.7-21081 | 2.5.7-21081
2.5.7-21068 | 2.5.7-21068
2.5.7-20129 | 2.5.7-20129


Inter Release Functional Compatibility


OneFS 8.0

OneFS 8.1
OneFS 8.2

OneFS 8.0 -

OneFS 8.1

OneFS 8.0 or 8.1 - OneFS 8.2





End of Life Notifications

End of Life Notifications can be found here.

Deprecation Notices

The following features will no longer be supported as indicated below:
  1. As of Release 2.5.8
    1. Support for OneFS 8.1.x.x releases


Technical Advisories

Technical Advisories for all products are available here.

AirGap Enterprise Controlled Availability

NEW AirGap Enterprise Controlled Availability

New for AirGap 2.5.8-21213/21222

T19522 AirGap Enterprise

AirGap solution with an inside-the-vault host and VM that opens and closes the vault from within the vault. This is done by removing the replication interfaces from the IP pool, which removes the IP address from the interfaces. This mode places a VM inside the vault and disables the IP stack that connects the vault cluster to any outside network.

Documentation for AirGap Enterprise is available here:

New for Ransomware Defender 2.5.8-21213/21222

Ransomware Defender Snapshot Management Enhancements

The Ransomware Defender window has a new Snapshots menu where the new snapshot related features Snapshot Budget and Critical Path Snapshot will be managed.  In addition, it is now possible to disable user share/export snapshots.


Documentation for Snapshot Management can be found here.

To keep the existing behaviour of taking a snapshot at the base path of every share that the associated account has access to, ensure that the User Share Snapshot Settings “Enable Share Snapshots” checkbox is checked.


T19823 Snapshot Budget

From Ransomware Defender 2.5.8 build 21213 onward, the maximum number of snapshots created is the configured Snapshot Budget (default is 5000). Before creating snapshots, Ransomware Defender counts the Ransomware Defender specific snapshots (snapshot name starts with igls) and proceeds with the snapshot step only if that count is less than the Snapshot Budget. If snapshots cannot be created because of the Snapshot Budget, a critical severity alarm is sent and the Event Action History is updated as well.


T19619 Critical Path Snapshot

Introduced in 2.5.8 (build 21213 and higher): one or more paths can be configured to always have a snapshot created for any detection.


T15666 New Behaviour Detections Enabled

New behaviour detections are available and enabled by default.


NOTE: This may introduce new detections that will need to be evaluated to determine whether additional tuning of Ransomware Defender settings is required. It is recommended to enable Learning Mode after upgrade and verify that there are no new events after several days.

New for DR Edition 2.5.8-21213/21222

T17849 DNS Dual Delegation disabled

Access Zone Failover Readiness DNS Dual Delegation is now disabled by default.

Workaround: None required. Verify DNS Dual Delegation manually. In a future release this validation is planned to be provided on demand.


New for Easy Auditor 2.5.8-21222

T19711 Easy Auditor new validation that selected path is on an audited Access Zone

Easy Auditor path selector now verifies whether the selected path falls under an Access Zone with protocol auditing enabled.


Fixed in 2.5.8-21222

T20628 Cannot disable Zone/IP Pool Readiness AD Delegation Validation (2.5.7.1 and higher)

In 2.5.7.1 and higher, when the AD Delegation validation is disabled the AD Delegation validation steps continue to run. The Zone / Pool Readiness GUI does not show the validation and any error that occurs is not rolled up to the overall readiness status but an alarm is sent related to the failed step. This does not impact ability to failover.

Resolution: Validation steps no longer run if the validation is disabled.

T20770 AirGap Event Retrieval Job Fails with No route to host

AirGap Event Retrieval job uses the IP address configured in Eyeglass to manage the production Powerscale cluster. If that IP address is not associated with a node that is configured in the AirGap pool for replication to the vault then event retrieval fails because the static route applied to the AirGap pool is only applied to the nodes in the pool.

Resolution: An IP address from a node in the AirGap pool is now used for event retrieval. Note that additional sudoer permissions are required as documented here.

T21112 Eyeglass log shows vault cluster password in clear text during event retrieval

The Eyeglass logs show the vault cluster password in clear text during event retrieval.


Resolution: Password is now redacted.


T19619 Critical Path Snapshot not applied to all managed clusters

If multiple clusters are managed by Ransomware Defender, a configured critical path snapshot is only created on the cluster where the suspicious behaviour was detected.  This issue is for critical path snapshots only.  Regular user snapshots continue to be taken on all managed clusters.


Resolution: Critical path snapshot now created on applicable clusters.


T20668 Cannot save or run query in Report Query Builder

Clicking Save Query As or Run Report Using Query for Easy Auditor Report Query Builder has no effect.  The query is not saved or run.  This does not affect other Easy Auditor menus.


Resolution: Query can now be saved and run.


T20966 AirGap Job Configuration lost on rediscover or anyrelease restore

If the igls rediscover command is executed on an Eyeglass with AirGap configuration, or an anyrelease restore to a new appliance is performed, the AirGap Job Configuration for subnet mask and gateway is lost. Schedule is maintained.

Resolution: AirGap Job configuration preserved on rediscover or anyrelease restore.

T20790 AirGap SyncIQ policy timeout uses failover timeout setting

The amount of time that RansomwareDefender will wait for an AirGap SyncIQ job to complete is defined in the Eyeglass system.xml "failovertimeout" setting. Impact: If the "failovertimeout" setting is lower than the time required for the SyncIQ policy to complete, the AirGap job will timeout and remove the static routes causing the AirGap SyncIQ job to fail with an incomplete update to the vault copy of the data.

Resolution: Eyeglass system.xml now has separate tag for timeout setting for AirGap SyncIQ policy: airgapJobTimeout. Post upgrade this tag will need to be set to the desired value. Default is 240 minutes.
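
A post-upgrade check for the timeout behaviour described in T20790, as an added example that is not Superna code: it reads the two settings named above from system.xml and lists the AirGap SyncIQ policies whose longest observed run would exceed the wait that applies to the installed release. The XML nesting, the policy names, the durations and the 25% margin are constructed assumptions; treating an unset airgapJobTimeout as the 240 minute default is also an assumption.

```python
import xml.etree.ElementTree as ET

AIRGAP_TAG = "airgapJobTimeout"    # tag named in the T20790 resolution
FAILOVER_TAG = "failovertimeout"   # shared setting used before the fix
AIRGAP_DEFAULT_MIN = 240           # default stated in the release note
FIXED_IN = ((2, 5, 8), 21222)      # first build listed with the T20790 fix

# Constructed sample: the element nesting is an assumption, only the two
# tag names come from the release note.
SAMPLE_SYSTEM_XML = """<system>
  <process>
    <failovertimeout>45</failovertimeout>
    <airgapJobTimeout>240</airgapJobTimeout>
  </process>
</system>"""


def parse_release(release):
    """'2.5.7.1-21161' -> ((2, 5, 7, 1), 21161) so releases compare in order."""
    version, build = release.split("-")
    return tuple(int(part) for part in version.split(".")), int(build)


def read_minutes(root, tag):
    """Integer text of the first element named `tag` (any depth), else None."""
    for element in root.iter():
        text = (element.text or "").strip()
        if element.tag.lower() == tag.lower() and text:
            return int(text)
    return None


def effective_airgap_timeout(xml_text, release):
    """Return (minutes, source) for the wait applied to an AirGap SyncIQ job."""
    root = ET.fromstring(xml_text)
    if parse_release(release) >= FIXED_IN:
        minutes = read_minutes(root, AIRGAP_TAG)
        if minutes is None:
            # Assumption: an unset tag falls back to the documented default.
            return AIRGAP_DEFAULT_MIN, "default"
        return minutes, AIRGAP_TAG
    minutes = read_minutes(root, FAILOVER_TAG)
    if minutes is None:
        raise ValueError(f"{FAILOVER_TAG} not found in system.xml")
    return minutes, FAILOVER_TAG


def policies_at_risk(xml_text, release, longest_run_minutes, margin=1.25):
    """Policies whose longest observed run, plus margin, exceeds the timeout."""
    timeout, _ = effective_airgap_timeout(xml_text, release)
    return sorted(name for name, minutes in longest_run_minutes.items()
                  if minutes * margin > timeout)


if __name__ == "__main__":
    # Constructed durations (minutes) for three hypothetical AirGap policies.
    observed = {"AirGap-finance": 30, "AirGap-eng": 180, "AirGap-archive": 300}
    for release in ("2.5.8-21213", "2.5.8-21222"):
        minutes, source = effective_airgap_timeout(SAMPLE_SYSTEM_XML, release)
        print(release, f"timeout={minutes}min from {source}; at risk:",
              policies_at_risk(SAMPLE_SYSTEM_XML, release, observed))
```

A policy listed as at risk is one where the AirGap job could time out and remove the static routes before SyncIQ finishes, leaving the vault copy incomplete.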

T20358 Not able to create an AirGap Job Report for a selected period

The AirGap Reports tab feature to Create Report for a custom time frame results in an error and the report is not produced. Impact: This does not affect the daily AirGap job report that is sent out. The issue is specific to custom report generation.

Resolution: Specific timeframe can now be selected.

Fixed in 2.5.8-21213

T20766 Cannot view second page of AirGap Config AirGap job list

The AirGap Config list of AirGap jobs list is limited to 10 jobs per page. If you have configured more than 10 jobs, when you navigate to the second page the display is blank.

Resolution: AirGap Jobs are now displayed on all pages.

 

T11832 Ransomware Security Event which is promoted from Warning to Major does not respect Major Grace Period

If a Ransomware Security Event is promoted from Warning to Major threshold, the associated user is locked out right away instead of starting Grace Period timer and only locking out if Grace Period has expired and no manual action has been taken. Note that a Ransomware Defender Security event which is raised at the Major level will respect the configured Grace Period.

Resolution: Major threshold Grace Period timer is now respected.

T20936 Bulk Ingest of Old Audit Data is not functional

The ability to bulk ingest old audit data is not functional as of 2.5.7.1-21140 release.

Resolution: Bulk Ingest of audit data is now functional. Requires ECA nodes to be running OpenSUSE 15.3. If the ECA nodes are not running this OpenSUSE version, redeploy them as OpenSUSE 15.3 ECA nodes, and back up and restore the configuration file and mount file.



Known Issues in 2.5.8-21222

For complete list of known issues please also refer to current release notes:


AirGap

T21327 Managed Device Alarms have incorrect date and are sorted oldest to newest

The vault cluster events displayed in Managed Device Alarms have the date/time they were retrieved rather than the actual event date and are sorted oldest to newest.


Workaround: Use pagination to navigate to newer alerts.



T21224 Snapshot schedule job created for AirGap Job

A Snapshot Schedule Configuration Replication job is incorrectly created for each AirGap job and is enabled.  When Configuration Replication runs the Snapshot Schedule jobs are also run and result in error for AirGap jobs as the target cluster (vault cluster) is not reachable.


Workaround: Set the Snapshot Schedule jobs for the AirGap Jobs to User Disabled.

T21147 Customizing AirGap policy prefix results in job errors


If the AirGap Job SyncIQ policy prefix is customized, existing and new AirGap jobs are in error.


Workaround: Contact support.superna.net for assistance to remove references to previous prefix jobs.



T20932 AirGap Job Reports do not report failed jobs


AirGap Job reports that are sent out by schedule or created manually do not report on failed jobs.  Failed jobs always shows 0.


Workaround: Alarms must be monitored to be advised of failed jobs.  Job history can also be reviewed for failed jobs.



Ransomware Defender

T21334 Snapshots may not be created

In some cases, Ransomware Defender snapshots are not created for an active event when they should have been. In the Event History the snapshot step states: No snapshots were created. 


Workaround: Contact support.superna.net for assistance.



T21261 Cannot edit a user configured in the Ignored List or Monitor Only Settings

Cannot edit entries for users configured in the Ignored List or Monitor Only Settings. The Save button has no action. Path and IP Address can be edited.


Workaround: Delete and re-add the user to the list.



Easy Auditor


T21226 Active Auditor Snapshot functionality follows Ransomware Defender Snapshot configuration


The snapshot behaviour for Active Auditor Mass Delete and manual snapshot creation follow the configuration for snapshot budget, and snapshot enable/disable in the Ransomware Defender / Snapshots window.


Workaround: Do not use the Create Snapshot checkbox in the Easy Auditor / Active Auditor window to manage Active Auditor snapshots. It does not have any effect. Use the Ransomware Defender / Snapshots window to enable / disable snapshots. Important - configuration here also affects snapshot management for Ransomware Defender.



DR Edition


T21375 Snapshot schedule replication error on update

Initial snapshot schedule replication completes successfully, but a change to the snapshot schedule such as changing the snapshot expiration results in following error on update:  AEC_CONFLICT  Schedule entry already exists with that name: File exists.


Workaround: Snapshot schedule can be updated manually on the target cluster for changes.



General

T21275 Powerscale cannot be deleted

A Powerscale cluster that has been added into Eyeglass cannot be deleted.  The delete function results in an error: Error when submitting job to remove network element. Cannot locate network elemen with id: ....


Workaround: Contact support.superna.net for assistance.



Known Limitations in 2.5.8-21222

T21316 Vault stays open for vault cluster event retrieval

If event retrieval from the vault cluster takes longer than running the AirGap SyncIQ job, the vault will stay open until the event retrieval step completes after which it will be closed.


T21274 Alarm raised for vault open in Eyeglass is not cleared after maintenance window is finished

Alarm raised when vault manually opened for maintenance window is not cleared once the maintenance window is ended and vault is closed again. Alarm is able to be manually cleared.

T21208 Snapshots taken using Action Menu for Ransomware Defender Event follow Ransomware / Snapshots settings

If the Enable Share Snapshots option in Ransomware / Snapshots is unchecked, selecting the Create Snapshot option from the Action Menu will also not create snapshots.

T21110 Ransomware Defender / Snapshots User Share Snapshot Settings also applies for NFS detections

The option to disable / enable Ransomware Defender snapshot functionality is called User Share Snapshot Settings and Enable Share Snapshots but applies to any Ransomware Defender detection for SMB or NFS.




Fixed in 2.5.7.1-21140

Refer to previous 2.5.7 fixes/enhancements.

Fixed in 2.5.7-21096

Refer to previous 2.5.7 fixes/enhancements.

Fixed in 2.5.7-21081

Refer to previous 2.5.7 fixes/enhancements.

Fixed in 2.5.7-21068

T16196 Eyeglass Backup & Restore does not restore Airgap Settings

An Eyeglass backup & restore operation will not restore Airgap settings.

Resolution: Airgap settings now backed up and restored.

—————————————————–


Known Issues

T15104 Default schedule does not run the job

Airgap jobs are created with a default schedule (daily at midnight) but Status shows as Not Scheduled and jobs never run.

Workaround: Set a manual schedule.

—————————————————–

T15300 Error on manually connecting Airgap not displayed

If the command to manually establish connectivity igls airgap connect fails it correctly does not apply the static route but the status message indicates that connectivity has been established.

Workaround: Verify from Isilon interface whether pool has static route applied.

—————————————————–

T15333 No notification if Airgap jobs are globally disabled

After using the command igls airgap disable to globally disable Airgap jobs there is no alarm to notify administrator of this action and no indication in the GUI that action has been taken.

Workaround: Airgap last run date can be used to determine whether it is running on its schedule.

—————————————————–

T16199 No alarm if Airgap event retrieval from Powerscale cluster is in error

If the job to retrieve events from Powerscale cluster encounters an error there is no alarm raised to notify administrator.

Workaround: Login to the Eyeglass GUI and check the status of the event retrieval job.

—————————————————–

T16436 Airgap Jobs cannot be manually run from the Airgap window

Airgap Jobs cannot be manually run from the Airgap window.

Workaround: Airgap jobs must be manually run from the Eyeglass Jobs window.  

—————————————————–

T16456 Customized Airgap schedules reset to default after upgrade

After an upgrade, the Airgap schedules get reset to the default once a day setting.

Workaround: Document schedules prior to upgrade and reapply post upgrade.

—————————————————–

T16457 Airgap window not refreshed

After adding a new job the Airgap window is not refreshed to show the new job.

Workaround: Close and reopen the Airgap window.

—————————————————–

T16470 Renaming Airgap SyncIQ policy does not preserve original settings

If an Airgap SyncIQ policy is renamed the settings related to this SyncIQ policy are not preserved in Eyeglass.

Workaround: Reapply settings in Eyeglass once Inventory has run and the Airgap job with new name is visible in Eyeglass.

—————————————————–

T16476 AirGap Job continues to run after Powerscale cluster deleted from Eyeglass

If there are Airgap jobs related to Powerscale cluster that has been deleted from Eyeglass, Eyeglass will continue to attempt to run them but the job will not succeed.

Workaround: None required. No alarm is generated.

—————————————————–

T19195, T19221 AirGap Job shows success when failed

Under some circumstances if an AirGap job fails, such as running the AirGap SyncIQ job or AirGap job source cluster unreachable, the AirGap Config window job status shows success.

Workaround:

The AirGap Reports would indicate that less than expected number of SyncIQ jobs had run/succeeded.

The PowerScale reporting for the AirGap SyncIQ policy can be used.

—————————————————–

T19609, T19632 User Disabled AirGap Job may have status of having been run when it has not

If an AirGap Job is User Disabled in the Jobs window, it may appear in Running Jobs, AirGap Jobs History or show a Last Run date as though it had run after being user disabled even though it did not actually open the vault and run the airgap SyncIQ job.

Workaround: Check on Powerscale directly to confirm that AirGap SyncIQ job has not been run.

—————————————————–

T19631 AirGap Config window time uses Eyeglass appliance timezone

The date and time shown in the AirGap Config window uses the Eyeglass appliance timezone instead of the timezone of the computer which is accessing Eyeglass as is done elsewhere in the GUI.

Workaround: If Eyeglass appliance and local browser time zone are different, manually convert the date / timestamps in the AirGap Config window to the local browser time zone to be able to compare run times in different windows.

—————————————————–

T20358 Not able to create an AirGap Job Report for a selected period

The AirGap Reports tab feature to Create Report for a custom time frame results in an error and the report is not produced. Impact: This does not affect the daily AirGap job report that is sent out. The issue is specific to custom report generation.

Workaround: Use Powerscale native reporting tools for SyncIQ jobs to view jobs for a specific timeframe.

—————————————————–

T20766 Cannot view second page of AirGap Config AirGap job list

The AirGap Config list of AirGap jobs list is limited to 10 jobs per page. If you have configured more than 10 jobs, when you navigate to the second page the display is blank.

Workaround: Sort the AirGap job list by policy name, after which switching between pages displays all policies.

—————————————————–

T20770 AirGap Event Retrieval Job Fails with No route to host

AirGap Event Retrieval job uses the IP address configured in Eyeglass to manage the production Powerscale cluster. If that IP address is not associated with a node that is configured in the AirGap pool for replication to the vault then event retrieval fails because the static route applied to the AirGap pool is only applied to the nodes in the pool.

Workaround: In Eyeglass use a node IP from the System Access Zone that corresponds to a different interface of a node that is configured in the AirGap pool.

—————————————————–

T20790 AirGap SyncIQ policy timeout uses failover timeout setting

The amount of time that RansomwareDefender will wait for an AirGap SyncIQ job to complete is defined in the Eyeglass system.xml "failovertimeout" setting. Impact: If the "failovertimeout" setting is lower than the time required for the SyncIQ policy to complete, the AirGap job will timeout and remove the static routes causing the AirGap SyncIQ job to fail with an incomplete update to the vault copy of the data.

Workaround: If the AirGap SyncIQ policy requires more time to complete, the /opt/superna/sca/data/system.xml failovertimeout setting must be increased to the required time (in minutes) and then the main Eyeglass sca service must be restarted. Impact: This setting is shared by failover timeout. Changing this setting will also change the time that Eyeglass DR Edition will wait for SyncIQ related failover steps to complete and could increase failover time for failovers where the timeout applies. A separate setting for AirGap and DR Edition is planned for a future release.

—————————————————–

T20966 AirGap Job Configuration lost on rediscover or anyrelease restore

If the igls rediscover command is executed on an Eyeglass with AirGap configuration, or an anyrelease restore to a new appliance is performed, the AirGap Job Configuration for subnet mask and gateway is lost. Schedule is maintained.

Workaround: Consult with support.superna.net before performing either of those operations. Keep an independent record of AirGap job configuration.

—————————————————–

T21134 AirGap Basic Job can be started from Jobs window without AirGap role

Any member of a User Role with the Jobs Modify permission can run an AirGap Basic job.

Workaround: Only include Jobs Modify permission for roles where it is required and limit membership to Roles with the Jobs Modify permission.


Known Limitations

T19614 AirGap Job consideration of Easy Auditor Active Auditor Active Event not configurable

If in the Easy Auditor Active Auditor "Active Events" list there is an Active Event listed at the time when the AirGap job is scheduled to run, the AirGap Job will be blocked from running with the message "Found active RSW events, will not run AirGap job...." and in the AirGap Config GUI the job AirGap State is "Disabled for Active Events" and Status is Error.

Easy Auditor Active Events should be managed and cleared to not impact AirGap jobs. This behaviour may be made configurable in a future release to be able to specify whether or not active auditor events block AirGap jobs.










 



© Superna LLC