New Features in the 12.1 Release
Rebranded SNMP SMI and MIB file with updated Org OID for Skyhigh Security
As part of the rebranding, a new Object Identifier (OID) has been introduced for the Skyhigh Security organization. The SNMP OID changes from .1.3.6.1.4.1.1230* to .1.3.6.1.4.1.59732*. If your management software refers to the old OIDs, you need to update it accordingly. For more details, see Configure event monitoring with SNMP.
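The following added example (not Skyhigh code) audits management-software configuration text for references to the old enterprise arc and proposes the new OID. It assumes that the sub-identifiers below the enterprise number are unchanged by the rebranding, which should be confirmed against the new MIB file; the sample lines and their sub-identifiers are constructed.

```python
import re

OLD_ENT, NEW_ENT = "1230", "59732"   # enterprise numbers from the release note

# Match the old arc only as a whole sub-identifier: not inside a longer OID
# (lookbehind) and not as a prefix of another enterprise such as 12301.
LEGACY = re.compile(
    r"(?<![\d.])(\.?1\.3\.6\.1\.4\.1\.)" + OLD_ENT + r"(?!\d)((?:\.\d+)*)"
)

def find_legacy_oids(text):
    """Return (line_no, old_oid, proposed_oid) for every old-arc reference."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in LEGACY.finditer(line):
            hits.append((n, m.group(0), m.group(1) + NEW_ENT + m.group(2)))
    return hits

def rewrite(text):
    """Swap the enterprise number, keeping sub-identifiers (assumption)."""
    return LEGACY.sub(lambda m: m.group(1) + NEW_ENT + m.group(2), text)

# Constructed sample of a monitoring configuration; sub-identifiers are made up.
SAMPLE = """\
trap .1.3.6.1.4.1.1230.2.7.1.0 severity=major
poll 1.3.6.1.4.1.1230.2.7.2.1.4
poll .1.3.6.1.4.1.12301.1.1
poll .1.3.6.1.2.1.1.3.0
"""

if __name__ == "__main__":
    for line_no, old, new in find_legacy_oids(SAMPLE):
        print(f"line {line_no}: {old} -> {new}")
```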
Configure Proxy Control X-Cache Header
A configurable option is now available to either add or remove the Proxy Control X-Cache header in the response. The new setting is located at Policy > settings > proxy control, and the checkbox is called Override X-Cache Header. The setting is enabled by default. For more details, see Configure the X-Cache Header in the Response.
TCP Half Close support for TCP Proxy and SOCKS Proxy
TCP Half Close refers to a TCP connection that is closed in one direction only. If one participant in a TCP connection has sent a FIN in one direction, it can still receive data from the other participant until the second FIN is received from the other direction. TCP Half Close support is provided for SWG acting as TCP Proxy or SOCKS Proxy. For details, see TCP Half Close for TCP or SOCKS Proxy.
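The half-close behavior described above, as an added example that is not SWG code: a toy single-connection TCP relay that forwards a FIN with `shutdown(SHUT_WR)` instead of closing the socket, so the reply still reaches the client after the client has finished sending. The backend, the payload and all function names are constructed for illustration.

```python
import socket
import threading

def pump(src, dst):
    """Copy src -> dst; on EOF (the peer's FIN) half-close dst, do not close it."""
    while data := src.recv(4096):
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)    # forward the FIN, keep the reverse path open
    except OSError:
        pass                            # peer already gone

def backend(listener):
    """Constructed upstream: answers only after it has seen the client's FIN."""
    conn, _ = listener.accept()
    with conn:
        body = b""
        while chunk := conn.recv(4096):
            body += chunk
        conn.sendall(b"got %d bytes: " % len(body) + body.upper())

def proxy(listener, upstream_addr):
    """Toy TCP proxy for one connection with half-close propagation."""
    client, _ = listener.accept()
    upstream = socket.create_connection(upstream_addr)
    with client, upstream:
        t = threading.Thread(target=pump, args=(client, upstream))
        t.start()
        pump(upstream, client)          # still relays the reply after the first FIN
        t.join()

def demo(payload=b"hello"):
    be = socket.create_server(("127.0.0.1", 0))
    px = socket.create_server(("127.0.0.1", 0))
    workers = [threading.Thread(target=backend, args=(be,), daemon=True),
               threading.Thread(target=proxy, args=(px, be.getsockname()), daemon=True)]
    for w in workers:
        w.start()
    with socket.create_connection(px.getsockname()) as c:
        c.settimeout(5)
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)      # first FIN: client is done sending
        reply = b""
        while chunk := c.recv(4096):    # data keeps arriving until the second FIN
            reply += chunk
    for w in workers:
        w.join(5)
    be.close()
    px.close()
    return reply
```

A relay that called `close()` on the upstream socket when the client's FIN arrived would tear down both directions, and this backend's reply would never be delivered.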
Configure Separate Passwords for SNMPv3 Auth and Encryption
You can now configure separate passwords for Authentication and Encryption for the SNMPv3 messages. For details, see Configure Event Monitoring with SNMP.
Return To Sender
This feature allows outgoing traffic of SWG to skip default kernel routing. Each reply packet going out:
- has the same source MAC address as the destination MAC address in the request packet.
- has the same destination MAC address as the source MAC address in the request packet.
- is redirected to the interface on which the request came in, if it would otherwise go out on a different interface.
MediaType Detection for InDesign Files
Media Type can detect InDesign INDD and INDT files and templates. For these file types, the MediaType.EnsuredTypes property contains application/x-indesign. For details, see Media Type Detection for InDesign.
Resolved Issues in the 12.1.2 Release
This release resolves known issues.
For a list of issues that are currently known, but not resolved yet, see Secure Web Gateway 12.x Known Issues.
NOTE: Secure Web Gateway 12.1.2 is provided as a controlled release.
For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.
JIRA issue numbers are provided in the reference columns.
| Reference | Description |
|---|---|
| WP-5172 | JSP files are no longer interpreted; they are delivered as text without additional processing. Pre-compiled JSP pages are the exception. |
| WP-5177 | Correct MediaType Detection for application/x-git. |
| WP-5205 | REST Interface access to System files without required Permissions has been fixed. |
| WP-5224 | A bad gateway error while visiting some HTTP2 websites has been resolved. |
| WP-5239 | Memory management optimizations are made for the HTTP2 SSL tap feature. |
| WP-5241 | The upgrade from 12.1.0 to 12.1.1 was failing due to eBPF; this has now been resolved. |
| WP-5256 | Webswing has been upgraded from version 20.1.16 to version 20.2.21 LTS. |
| WP-5265 | The maximum configurable value of ‘Connection timeout’ is now 99999 seconds in ‘Enable Proxy Control’ event. |
Announced Vulnerabilities
| Reference | Description |
|---|---|
| WP-5165, WP-5273 | This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers. The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved: |
Resolved Issues in the 12.1.1 Release
This release resolves known issues.
For a list of issues that are currently known, but not resolved yet, see Secure Web Gateway 12.x Known Issues.
NOTE: Secure Web Gateway 12.1.1 is provided as a controlled release.
For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.
JIRA issue numbers are provided in the reference columns.
SWG release version 12.1.0 was rolled back due to an identified performance issue. The issues fixed in that version are therefore listed as resolved in the current release version.
| Reference | Description |
|---|---|
| WP-5067 | Sub rule sets are no longer deleted when importing a rule set via REST API. |
| WP-5108 | A core dump issue related to NHP and connection timeout has been fixed. |
| WP-5170 | Parallel events can be handled again properly when the rule engine on Secure Web Gateway is called from a temporary proxy process transaction. |
| WP-5225 | When mirroring decrypted traffic with the SSL Tap feature, the source and destination IP addresses are not reversed. |
| WP-5226 | Performance and slowness issues caused by an update to the Kerberos package have been fixed. |
Announced Vulnerabilities
| Reference | Description |
|---|---|
| WP-5164 | This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers. The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved: |
Resolved Issues in the 12.1.0 Release
This release resolves known issues.
For a list of issues that are currently known, but not resolved yet, see Secure Web Gateway 12.x Known Issues.
NOTE: Secure Web Gateway 12.1.0 is provided as a controlled release.
For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.
JIRA issue numbers are provided in the reference columns.
Web Filtering
| Reference | Description |
|---|---|
| WP-2217 | The PDF opener now also supports PDFs of version 2.0. |
| WP-4536 | The client IP or URL is now logged with Kerberos error messages when authentication logs are enabled. |
| WP-4859 | Files that were previously not detected as TTF are now detected correctly as TTF. |
| WP-4934 | Long list names used when configuring Secure Web Gateway web policy rules are rendered completely in rule sets. |
| WP-4966 | The file opener does not crash anymore when used to parse RTF documents. |
| WP-4981 | The block page now shows the URL and category, which were missing after transitioning from the coaching block page to the URL blocked page. |
| WP-4992 | A new media type has been added to detect InDesign documents and templates. |
| WP-4998 | The file opener now supports tar files with pax headers. |
| WP-5076 | The PDF opener function for detecting JavaScript has been improved. |
Network communication
| Reference | Description |
|---|---|
| WP-4064 | SWG now supports a different username and password for SNMPv3 Auth and Encryption. |
| WP-4360 | Cluster sync for PDstorage data no longer fills up the provided path /opt/mwg/temp. |
| WP-4557 | No error occurs when selecting rule trace, even when the option Restrict browser session to IP address of user is enabled. |
| WP-4954 | Passive FTP now works as expected in an HA proxy setup through HAProxy. |
| WP-4985 | An HTTP2 issue related to a wrong value for connection level flow control has been fixed. |
| WP-5010 | TCP half-close support for TCP and SOCKS proxies to access an application works without issues. |
| WP-5018 | Version discrepancy of DLP system lists no longer occurs after updating SWG 10.2 to 11.2. |
| WP-5070 | A high client connection issue related to URL parsing has been fixed. |
| WP-5069 | SWG now supports different passwords for authentication and encryption. |
| WP-5111 | SaaSConnectors are syncing again. |
Other
| Reference | Description |
|---|---|
| WP-4491 | Issue related to LinkedIn video upload with HTTP2 is now fixed. |
| WP-4667 | Users can join a Zoom meeting via browser when the waiting room option is enabled. |
| WP-4724 | SWG UI login issue while using Client Certificate for Authentication does not occur anymore. |
| WP-4944 | Restoring a backup now works as expected; the failure was caused by a duplicate ID that had been assigned to a configuration file. |
| WP-4988 | Files are no longer blocked as corrupted. |
| WP-5020 | Core does not crash anymore. |
| WP-5024 | The rsyslog daemon had kept the /var/log/haproxy/haproxy-info_1.log file open until all disk space had been filled up on a Secure Web Gateway appliance. This has been fixed now and log rotation works fine again. |
| WP-5074 | A core crash issue with the NativeBrowserCA feature has been resolved. |
| WP-5081 | An option to configure the addition of X-Cache headers has been added to the proxy control configuration. |
| WP-5109 | All the logs are rotated as per Log Manager Configuration. |
Announced Vulnerabilities
| Reference | Description |
|---|---|
| WP-4996, WP-4999 | This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers. The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved: |