On Thursday, April 16, 2020, Cisco Umbrella will release Virtual Appliance (VA) version 2.8.1 to the stage track. These VAs will upgrade from version 2.7.10 to version 2.8.1.
Customer VAs may upgrade over a period of days as opposed to consecutively upgrading one after another. To receive this upgrade, ensure that your firewall is configured to enable access to disthost.umbrella.com.
As a reminder, two VAs must be configured in order to upgrade automatically during these windows.
Important Notice: Starting with version 2.8, the VA will by default send DNS queries only to the standard DNS resolvers (220.127.116.11 and 18.104.22.168) and will no longer send DNS queries to the alternate Umbrella DNS resolvers (22.214.171.124 and 126.96.36.199). This change has been done to enhance the performance of the VA.
If your ISP blocks queries to the standard Umbrella resolvers (188.8.131.52 and 184.108.40.206) and allows queries to the alternate Umbrella resolvers (220.127.116.11 and 18.104.22.168), you can use the following command to switch to the alternate Umbrella resolvers:
config va resolvers alternate
CHANGE SUMMARY (2.7.10 to 2.8.1)
- Dual-stack (IPv4/v6) support:
- VA can now be configured with an IPv6 address and can receive incoming queries on both IPv4 and IPv6.
- The VA tries to receive an IPv6 address over DHCP by default. If this does not succeed, admin can configure a static IPv6 address.
- Local DNS servers can be configured with an IPv4 or IPv6 address.
- Internal IPv6 address of source endpoints making the DNS query will be displayed in Umbrella dashboard reporting.
- The VA does not receive IPv6 - AD user mappings from the Connector currently. So AD user reporting and AD policy will not work for endpoints that have only IPv6 addresses.
- By default, the VA forwards DNS queries for external domains to the Umbrella IPv4 resolvers. The VA can be configured to send DNS queries to Umbrella IPv6 resolvers instead.
- Communication to other external endpoints (api.opendns.com, disthost.umbrella.com, s.tunnels.ironport.com) will be over IPv4 only.
- IPv6 address for VA cannot be configured in the dual-NIC mode.
- Configuration of IPv6 Anycast address is not supported.
- Configuration of IPv6 NTP servers is not supported.
- Option to specify the Umbrella resolvers to be used (Standard Umbrella resolvers, US-only Umbrella resolvers, alternate Umbrella resolvers, standard Umbrella IPv6 resolvers, US-only Umbrella IPv6 resolvers)
- Issue around removing NTP server is addressed
- Dynamic disk size of VA increased to 20 MB so that an additional resize step is not required for new VA deployments on Nutanix
- VM Hardware version on VMware changed to version 9 in line with the VMware security advisory
- VA now sends a BGP Update message to the router with withdrawn routes during a scheduled upgrade or reboot.
KNOWN ISSUES IN VERSION 2.8.1
- traceroute6 command does not work though it is mentioned in the list of supported commands.