Skyhigh Security Cloud Bug Fixes and Known Issues
Legends Used
Resolved Issues | Known Issues |
SSE 6.7.2 Release (Oct 10, 2024)
Known Issues
Product | Found Version | Description |
---|---|---|
Secure Web Gateway Cloud | SSE 6.7.2 | Issue: Session termination on force browser refresh. If you remain active on the Web Policy UI for more than 10 minutes and then perform a forced browser refresh, your session may terminate. However, regular navigation within the product will not be affected. NOTES: Workaround: Skyhigh recommends avoiding forced browser refreshes. |
SSE 6.7.1 Release (Aug 20, 2024)
Known Issues
Product | Found Version | Description |
---|---|---|
Secure Web Gateway Cloud | SSE 6.7.1 | Issue: The publish badge intermittently disappears from the Dashboard UI. Workaround: Refresh the browser, go to the web policy, and publish. |
Secure Web Gateway Cloud | FedRamp | Issue: The rule set for media type filtering is not working as expected when trying to block CSV files. Workaround: It is recommended to use file extensions (e.g., .csv, .html) for blocking decisions instead of media type filtering. |
SSE 6.7.0 Release (June 20, 2024)
Resolved Issues
Product | Found Version | Description |
---|---|---|
Skyhigh Data Protection | SSE 6.5.0 | Skyhigh CASB DLP policies for Microsoft Teams configured using data identifiers could not detect sensitive content uploaded with tab separators in chat messages. This is because Microsoft Teams automatically converts those tabs into em spaces (character U+2003). This conversion disrupts Skyhigh's DLP word boundary detection logic, causing it to miss sensitive data. Note: Skyhigh has enhanced its ability to detect word boundaries for dictionaries configured using the Starts with and Ends with advanced settings in Sanctioned DLP. This enhancement enables Skyhigh to scan content with special characters and trigger classifications accurately. Skyhigh has updated its detection logic to the Enhanced EDM word boundary detection logic (similar to Perl \b behavior) instead of the former Trellix DLP word boundary detection logic. |
Skyhigh Client Proxy PAC-2732 | SCP 4.7.0 | Issue: Selecting the Download Policy from Skyhigh SSE checkbox will disable the option even if you don't save any changes. (UI issue) Workaround: Click Cancel to access this page again. |
SSE Releases Archive
Resolved and known issues from releases prior to the 6.7.0 release:
Product Name | Fixed Version | Found Version | Description
Skyhigh Data Protection SSE 6.6.2
When you select the Incident Type as Shadow/Web DLP on the Policy Incidents Summary page, and select a policy from the Policies table, the filtering of DLP incidents on the Policy Incidents page does not function as expected. The Policy Incidents table displays unrelated incidents (not linked to the selected policy) at the top, along with linked incidents for that policy.
Skyhigh CASB SSE 6.6.2
If you access DLP incidents via dashboard cards on the My Dashboard page, the latest policy incident management features such as Shadow/Web DLP Evidence, User Risk Score, and Bulk Incident Remediation are unavailable on the Policy Incidents page.
Skyhigh Cloud Connector SSE 6.6.1
Currently, the Skyhigh Cloud Connector email notifications for the SIEM Integration (SaaS) are sent with the former template name SIEM Integration Status. This will be fixed in the upcoming releases.
Skyhigh Cloud Connector SSE 6.6.2
SSE 6.6.0
On the Skyhigh Cloud Connector, when you configure Log Collector (found under SIEM Integration Inline) using a Syslog server, all the logs are collected under the error.log folder, increasing the disk space usage. However, the logs are collected as expected when you configure the Log Collector using a directory.
Skyhigh CASB SSE 6.6.0
Skyhigh CASB DLP will be applied only to the files or attachments within the Documents resource at the Company or Project level in Procore. DLP is not supported for any other resources in Procore.
Skyhigh CASB SSE 6.6.0
Skyhigh CASB does not support the Delete response action for the manual remediation of DLP incidents associated with Procore on the Skyhigh Policy Incidents page.
Secure Web Gateway Cloud SSE 6.6.0
SSE 6.4.2
When you disable a parent rule set on the policy tree of the Web Policy page, its child rule sets are also disabled, which means they are not processed either and their on/off toggle switches are deactivated. You cannot enable a child rule set then without first enabling its parent rule set again.
This works as expected now after there had been issues with it, for example, when a child rule set was opened, but its parent rule set had not been opened before.
Secure Web Gateway Cloud
SSE 6.7.0
When viewing traces with long URLs, the UI experiences layout issues, preventing all trace details from fitting onto the screen. Additionally, without a scrollbar, users are unable to access the entire trace.
Secure Web Gateway Cloud SSE 6.7.0
Embedded cycles can assist end users in distinguishing individual embedded cycles from a large group. However, currently, no embedded cycles are being displayed.
Skyhigh Cloud Connector SSE 6.6.0
SSE 6.5.2
On the Log Collector Configuration page (found under SIEM Integration (Inline) tab), if you configure using the option Send as Syslog, then avoid modifying and saving any other configuration settings on the Cloud Connector Configuration page. Else, the Log Collector settings will automatically be set to Save in Directory.
Workaround: If you modify and save other configurations on the Cloud Connector Configuration page, then reconfigure the Syslog configuration on the Log Collector Configuration page.
Note: Resolved and fixed in SSE 6.6.0.
Skyhigh Cloud Connector SSE 6.6.0
SSE 6.5.2
After setting up and saving the configurations on the Log Collector Configuration page, you will not be able to modify or save any other configuration settings on the Cloud Connector Configuration page immediately.
Workaround: After saving the Log Collector configurations, refresh the Cloud Connector Configuration page and then modify other configuration settings.
Note: Resolved and fixed in SSE 6.6.0.
Skyhigh CASB SSE 6.5.2
Skyhigh CASB uses the Google Reports API to monitor user activities for files in Google Drive. On the Skyhigh Activities page, the file size associated with Google Drive activities appears as -- or -1B based on the following file types:
- Non-native Google Drive files. File size for non-native files (PDFs, images) appears as -- because the API response does not include file size details for non-native files.
- Native Google Drive files. File size for native files (Docs, Sheets, Slides) appears as -1B because Skyhigh CASB retrieves the file size for native files as -1 from the API response.
Skyhigh Cloud Connector SSE 6.5.2
SSE 6.5.1
Currently, on the Cloud Connector Configuration page, the option to add server configurations under the Syslog tab fails to work as expected. You can have only one default server configuration.
Workaround: To add more server configurations on the Syslog tab, you should run the curl command. To know more about the curl command, contact Skyhigh Support.
Note: Resolved and fixed in SSE 6.5.2.
Secure Web Gateway Cloud SSE 6.5.2
SSE 6.5.1
Selecting the option to disable chat history, which is provided in the library rule set for controlling the use of ChatGPT, works again as expected.
Skyhigh Private Access SSE 6.5.1
Before migrating the web policy from simple view to standard view, make sure the Private Access policy is enabled.
Note: The option to enable or disable the Private_Access policy will not be available in the Standard Web Policy view.
CNAPP SSE 6.5.1
The resources are not listed on the Resource page when a tenant is configured with ODS without enabling CE. However, the Configuration Audit incidents are captured correctly.
Secure Web Gateway Cloud SSE 6.5.1
SSE 6.5.0
When configuring file types to skip DLP scanning using a rule of the Web DLP rule set, the is in list and is not in list operators work again as expected.
Skyhigh Private Access SSE 6.5.0
The side menu to select or add a user does not appear when you try to add it from the connector add page for the user launchpad.
Skyhigh CASB SSE 6.5.0
When text is added to a Slack Canvas, Skyhigh CASB does not evaluate the text in the title and content of the Canvas for DLP. For details, see Slack Known Behaviors.
Skyhigh CASB SSE 6.5.0
If a Slack Canvas is embedded within an existing Canvas, Skyhigh CASB does not evaluate the embedded Canvas for DLP. For details, see Slack Known Behaviors.
Skyhigh CASB SSE 6.5.0
If a Slack Canvas is shared via a copy link, Skyhigh CASB does not evaluate the Canvas for DLP. For details, see Slack Known Behaviors.
Skyhigh CASB SSE 6.5.0
When a Slack Canvas is created or an existing Canvas is added to a Slack Huddle, Skyhigh CASB evaluates only the newly created Canvas for DLP. Skyhigh CASB does not evaluate the existing Canvas added in Huddles for DLP. For details, see Slack Known Behaviors.
Skyhigh CASB SSE 6.4.0
The keyword search in the Omnibar shows results only for the Service Name and does not work as expected for the URL and CVE search.
Skyhigh CASB SSE 6.4.0
Scheduled On-Demand Scan (ODS) for Microsoft Teams is unable to process the messages for DLP when users are added to or removed from the Teams service. This impacts only the Teams channels where users are being added or removed; other channels are not affected. If no users are added or removed during the scheduled scan, ODS scans all the messages. This known issue will be fixed in the SSE 6.4.1 release.
Skyhigh CASB SSE 6.4.0
For Slack Non-Enterprise (Pro or Business+) instances, when users send sensitive messages in Public/Private/Shared channels or Direct Messages (DMs), only the messages that contain plain text are evaluated for DLP. Skyhigh CASB for Slack Non-Enterprise does not evaluate messages that contain text with special characters or formatting elements such as '@' mentions, italicized text, links, bullet points, or numbered lists for DLP. For details, see Slack Non-Enterprise Known Behaviors.
Skyhigh CASB SSE 6.4.0
For Slack Non-Enterprise (Pro or Business+) instances, when users send a message that contains text and file attachment in Public/Private/Shared channels or Direct Messages (DMs), only the file is evaluated for DLP. Skyhigh CASB does not evaluate the text in the message for DLP.
Suppose you have configured a DLP policy with the Delete response action to identify and remove sensitive messages containing text and uploaded files in Slack. Skyhigh CASB deletes only the sensitive file that violates the DLP policy, but not the sensitive text in the message. For details, see Slack Non-Enterprise Known Behaviors.
Skyhigh Cloud Connector FIPS was getting enabled by default even though it was disabled post CC upgrade. This issue was found in the older version of CC below 6.4.0, which is now fixed with the below updates:
- If your CC version is below 6.4.0, FIPS will be enabled on CC by default. To disable FIPS, see Disable FIPS on CC.
- After upgrading CC to 6.4.0 or above, you must execute the CLI command to enable or disable the FIPS. For details, see Disable FIPS on CC. When CC version is 6.4.0 and above, the CC preserves the FIPS status, and no manual intervention is required to update its status.
Skyhigh Cloud Connector
SSE 6.4.0
When you log in to Skyhigh CASB, you may encounter the SMTP server port value displayed as 25, instead of the port value configured in the Custom SMTP Server. This issue has been identified for users who log in to Skyhigh CASB for the first time and it is due to the SMTP server being cached with the default value of 25. As a workaround refresh your page to get the configured port value.
Skyhigh Cloud Connector SSE 6.3.1
The Filter on the Cloud Registry page is not working as expected. The Cloud Registry page displays the incorrect number of events after applying filters.
Skyhigh CNAPP
SSE 6.3.0
Certain resources are excluded from the AWS Security Config audit full scan, so the incidents for these resources are not updated with the recent scan history. As a workaround, make sure to provide minimum permission for your IAM account based on your policy. With this permission, Skyhigh CASB scans all your resources and updates the scan history accordingly.
Skyhigh CNAPP SSE 6.3.0
Users have remediated the Configuration Audit incident generated for Azure policy "NSG Flow logs should be enabled"; however, the remediation status has not changed on the policy incident. Skyhigh CASB does not support Continuous Evaluation for this Azure policy due to an Azure API limitation.
Cloud Firewall SSE 6.6.1
SSE 6.6.0
Crash due to SendKeepAlive packets
Cloud Firewall SSE 6.4.0
SSE 6.3.0
No value is displayed for the Gateway Egress Source Port field in the Cloud Firewall Detailed Logs page and Event data on the Cloud Firewall Traffic and Cloud Firewall Users page.
Cloud Firewall SSE 6.5.1
SSE 6.3.0
No value is displayed for the Firewall Policy Name field when the traffic does not match any policy rule and all traffic is allowed by default.
Cloud Firewall SSE 6.5.0
SSE 6.3.0
Skyhigh Client Proxy auto policy download fails to work as expected when HTTP traffic is sent to the Cloud Firewall when you set the action as Allow with web policy.
Workaround: Add the skyhigh.cloud domain to the redirection list of the alternate gateway and configure cloud proxy as the alternate gateway.
Cloud Firewall SSE 6.4.0
SSE 6.3.0
There is no difference in the behavior in Firewall Block and Firewall Drop actions.
Cloud Firewall SSE 6.4.0
SSE 6.3.0
Packet Loss is seen during the upload and download process for TCP and UDP protocols.
Cloud Firewall SSE 6.5.1
SSE 6.5.0
When you use Service Criteria for applications like Microsoft Teams, it may not work as expected because all the hostnames used by Teams are not part of the Teams service, and without a hostname, Cloud Firewall cannot detect the correct service.
Workaround: It is recommended to use the Process Name or Destination IP for Teams instead of Service Criteria.
Skyhigh Cloud Connector SSE 6.3.0
When the Custom attributes are reconfigured with AD and enabled, the Shadow attributes do not contain all key values pulled from AD, because users might have left blank spaces in attribute keys or entered duplicate values in attribute keys. As a workaround, CC does not consider blank values as duplicates in the Shadow Unique Key Attributes. Blank spaces are not considered for Unique Key Validation.
Skyhigh Cloud Connector SSE 6.3.2
SSE 5.5.0
Cloud Connector is stopped due to "Too many open files connection" in Linux or Unix OS. As a workaround, the system automatically restarts the CC service (shnlps) in Linux or Unix only if the number of currently open file connections is greater than or equal to 95% of the ulimit. The fix is based on the number of open file connections, so the lsof utility must be installed on Linux or Unix OS.
How to install the lsof utility: The commands vary for different OS types. For example, if your OS type is Ubuntu, use the following command to install lsof:
sudo apt install lsof
Skyhigh Cloud Connector SSE 6.3.2
SSE 6.3.0, SSE 6.3.1
If the lsof (List Open Files) command is not installed on Linux where CC is installed, CC throws lsof command errors and fails to send a health notification report to users.
Skyhigh Cloud Connector SSE 6.2.1
When Cloud Connector fails to upload large amounts of Sanctions AD Users data (more than 1 lakh users) to Log Collector, CC creates chunk files each containing 20k users and uploads them to Log Collector. The Chunk Upload feature is enabled by default in CC.
Skyhigh CASB SSE 6.3.2
When the custom anomaly rule is created using the Source IP address, the backend process fails. It is recommended not to use any source IP address in the Custom Anomaly rules until this issue is resolved.
Skyhigh CNAPP SSE 6.3.2
SSE 6.1.0
NRT DLP and Malware scan is now supported on the AWS region: eu-south-1 (Milan – Italy).
SSE 6.3.1
SSE 6.1.2
Domain-fronting detection no longer falsely logs requests with URLs for HTTPS websites as hits, which it had done because of an identical port number trailing the host name in different URLs.
SSE 6.3.1
When a report on web traffic is generated in the analytics section of the user interface for Secure Web Gateway, generating the same report immediately afterwards always delivers the same output now, as expected, whereas different reports had been the result on some occasions before.
SSE 6.3.1
Entering unavailable arguments while taking tcp dump causes the terminal to crash.
SSE 6.3.0
Issue: ePO Reports Failures when Pushing DLP Policy/Classifications to Skyhigh.
Recent fixes and enhancements in Skyhigh Cloud have enhanced the verification process applied when a new policy/classification file is received from ePO. In some circumstances, this process can cause the push from ePO to fail.
The failure is generally caused by classifications being in use in Skyhigh CASB or Web DLP Policy and not present in the content being pushed from ePO, or by EDM training data referenced by ePO classifications not being present in the Skyhigh CASB enhanced EDM fingerprint list.
Resolution: Verify that all classifications present in cloud policies are present in ePO.
Classifications are identified by an internal ID and not by name, so identifying the policies that require amending or disabling can be difficult. The ePO Orion.log file will show some information regarding the failure, which for these cases will show “409 Conflict”.
Skyhigh Support are able to access internal logs to determine the precise cause of failures.
Cloud Firewall SSE 6.4.0
SSE 6.3.0
Tunnel establishment fails when the socks proxy is unreachable. This may occur when the Skyhigh Web Gateway service is down.
Workaround: Restart the Skyhigh Web Gateway service.
Cloud Firewall SCP 4.7.0
SCP 4.6.0
Gradual performance degradation is noticed on client machines with applications like Microsoft Teams when clients send large amounts of traffic to Cloud Firewall. This is due to an issue with Skyhigh Client Proxy 4.6 not being able to handle the IP packet fragmentation and assembly efficiently. This issue is resolved with the Client Proxy 4.7.0 release.
SSE 6.3.0
SSE 6.2.1
High CPU usage on the Tokyo PoP node has been mitigated, which has led to an improvement in performance and reduced the risk of impacting crucial processes.
SSE 6.3.0
SSE 6.2.1
When an ICAP error occurs while a user is working on configuring a web policy under Secure Web Gateway, for example, failure to connect to the ICAP server, it is displayed as ICAP-related in the error message whereas only a policy execution error was indicated before.
Cloud Firewall SSE 6.2.2
Fails to apply the .OPG file when you configure the device profile with the Registry key as HKEY_CURRENT_USER hive. (Windows server edition/version)
Skyhigh Private Access SSE 6.3.0
SSE 6.2.0
The count of the private applications is now displayed correctly on the Connector Groups report.
Skyhigh CASB SSE 6.2.2
The Policy Incidents page does not support restoring quarantine files larger than 250 MB for OneDrive and SharePoint. It applies to both manual and bulk remediation actions.
SSE 6.2.2
SSE 6.2.0
The Private Application report now displays the host name for the private applications configured with a port range or multiple ports.
SSE 6.2.2
SSE 6.2.0
The host names of the private applications are now displayed correctly on the Private Application report.
Skyhigh Data Protection SSE 6.2.1
From 6.2.1 onwards, you can enable the queryIncident API for users with the Incident Management role and the Read Only privilege.
Skyhigh Data Protection SSE 6.2.1
Users of Data Protection for message-based cloud services will see a slight increase in email notifications, which were suppressed before this release.
Skyhigh Private Access SSE 6.2.1
The migration from wgcs.mcafee-cloud.com to wgcs.skyhigh.cloud is postponed. For SCP, despite reverting the default proxy domain, all SCP configurations before the SSE 6.2.1 release (initial or updated) continue to be fully functional.
The Default SCP Gateway List continues to point to the cloud proxy c<customerID>.wgcs.mcafee-cloud.com. If you made manual changes to the proxy domain name or created a new Gateway List for SSE 6.2.1, you can safely continue to use proxies in wgcs.skyhigh.cloud.
For the SAML ACS URL, configurations after SSE 6.2.1 display a hint that ACS URL must be set to https://saml/wgcs/mcafee-cloud.com/saml. Configurations created with the initial SSE 6.2.1 release point to https://saml/wgcs/skyhigh.cloud.com/saml. This URL stays functional; there is no need to reconfigure.
For Private Access, in SSE 6.2.1 the Default URL is reset to https://api.wgcs.mcafee-cloud.com/ztna/dashboard, but you can continue to use https://api.wgcs.skyhigh.cloud/ztna/dashboard if you already bookmarked it.
Skyhigh Private Access SSE 6.2.1
SSE 6.1.2
Duplicate application names are not allowed across tenants when you enable the Clientless Access option.
Skyhigh Private Access SSE 6.2.1
SSE 6.2.0
The Connector Group column now displays data on the Events Data page of the Private Access Users and Private Access Usage reports.
Skyhigh Cloud Connector SSE 5.4.0
There is a known issue in which the FIPS-enabled Skyhigh Cloud Connector generates SSL errors in the Cloud Connector debug log. As a workaround, you can disable FIPS on Skyhigh Cloud Connector based on your operating system. For details on the workaround, see Disable FIPS on CC.
SSE 6.2.0
A known issue has been identified when a file name with double bytes is uploaded to Dropbox to trigger DLP policies, but DLP policies fail to detect the incidents, resulting in an error message. In Dropbox, DLP policies accept only file names with ASCII characters.
SSE 6.2.0
SSE 6.2.0
Displays an error message suggesting the correct format when an incorrect connector deployment command is entered. In addition, extra spaces entered with this command are handled automatically and the PA Connector deployment command is executed.
Skyhigh Private Access SSE 6.2.0
SSE 6.2.0
The hostname or the fully qualified domain name (FQDN) entered in uppercase while configuring a private application is automatically converted to lowercase.
Skyhigh Private Access SSE 6.2.0
SSE 6.1.0
The username used for SAML IDP authentication is no longer case-sensitive when you enable the Clientless Access option.
Client Proxy SCP 4.5
In Skyhigh Client Proxy 4.5, Skyhigh Security has rebranded the client proxy from MCP to SCP. Before you upgrade to SCP 4.5, update your third-party endpoint protection to add the new service and directory names to the allowlist. This will prevent the endpoint protection from blocking SCP operations.
SSE 6.1.2
IMPORTANT: SAML on port 8084 is not supported with Security Service Edge Web Hybrid.
SSE 6.1.2
When a report is generated for Security Configuration Audit policy incidents, some incidents display a Scan Run Date later than the Incident Created On date instead of a Scan Run Date prior to the Incident Created On date.
SCP 4.8.0
Issue: Skyhigh Client Proxy 4.8 does not support Sonoma. Earlier macOS versions worked fine without disabling IPv6 because they allowed fallback to IPv4 when IPv6 traffic was blocked. Sonoma has changed this behavior and traffic is not falling back to IPv4 if IPv6 is blocked.
Workaround: Disable IPv6 in macOS.
Skyhigh Cloud Connector SSE 5.5.5
False AD Custom Attribute Notifications alerts are sent when the Shadow and Sanctioned data is imported at a default frequency of 24 hours. As a workaround, configure the Shadow Upload and Sanctioned Upload frequency to 23 hours, so that the Shadow import and Sanctioned import occur every 23 hours in CC.
Skyhigh Private Access SSE 6.1.2
Hybrid (WPS2) license users with the admin role cannot add new users and get an error message that states “the user could not be added”. As a workaround, select the following roles while you add new users for WPS2 license on Settings > User Management > Users page.
- Administrator
- Under Policy Management, select Private Access Policy
- Usage Analytics Users
Skyhigh Private Access SSE 6.1.2
The Point of Presence (PoP) counter increases and decreases on the Skyhigh Security Status site. The PoP counter increases or decreases because a new PoP is added, an existing PoP is decommissioned, or a new PoP replaces an old PoP for better performance. No action is needed; this behavior is expected.
Skyhigh CASB SSE 4.3.0
When Inline Email DLP users (Exchange Online, Gmail) send an email, there is a time-out of 55 seconds to receive a response from Skyhigh CASB Gateway SMTP server. If the DLP inspection or policy evaluation is not finished within 55 seconds, Skyhigh CASB Gateway SMTP server uses the fail open process to relay the email back to the CSP without waiting for the policy evaluation to finish. For details, see About Gmail Inline DLP and About Exchange Online Inline Email DLP.
SSE 6.1.2
When ICAP settings are updated on Secure Web Gateway, connections to the ICAP servers are not interrupted anymore.
SSE 6.1.2
An error that occurs when a web policy action is executed on Secure Web Gateway is no longer communicated to the end user without suitable details about what happened.
SSE 6.1.1
High browser CPU usage, high RAM utilization, and browser crashing may be caused by running complex DLP policies. If this issue persists, contact Support to enable the Pagination feature to resolve the issue.
SWG 8.2.29
Issue: 8.2.29 (and later) uses an updated version of Tomcat.
This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication."
This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page).
Detailed information about client certificate authentication can be found on the About Client Certificate Authentication page.
NOTE: Most current browsers don't support Java Applets.
The most notable browser still supporting them is the old Internet Explorer 11, but this is now End of Life.
You see the following entries, present in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log:
[ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint
Secure Web Gateway (On-Prem) SWG 8.2.22
Issue: You can't log in to the SWG GUI by using any externally managed admin account. Logging in using the local admin account still works.
The following setting is disabled: Accounts > Administrator accounts are managed externally. If you enable the setting again and save your changes, it's disabled again after a few minutes.
Workaround: Use the local admin account.
Secure Web Gateway (On-Prem) SWG 8.2
Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only.
But Avira doesn't detect specific or modified eicar files inside the archive.
Workaround: Open the SWG Policy under Common Rules, and enable the Enable Opener Rule set.
Secure Web Gateway (On-Prem) SWG 8.2.1
SWG 8.2
Issue: In ProxyHA or Transparent Router mode, when a node previously marked as Director is set as Scanner and the configuration is saved, the resulting node fails to become a Scanner node. The hastats tool shows this node as Redundant Director instead of Scanning node.
Workaround: When a node previously marked as Director is to be changed to Scanner:
- Set the director priority to 0 and set it as the scanner node. Save the changes.
- Log on to the SWG back-end of the corresponding node and execute the command service haproxy stop.
- Configure the IP in the HTTP and FTP proxy listeners as 0.0.0.0:<port>. For example, change 192.168.20.10:9090 to 0.0.0.0:9090.
- Save all changes.
Solution: Upgrade to 8.2.1.
Issue: Transparent Router Mode plus IP-spoofing Performance drops. In the transparent router mode, if IP spoofing is enabled, a high response time (>250 ms) and connection error is observed.
Workaround: Perform the following steps every time any proxy-related configuration is updated from the GUI-based manager.
- Locate and open in a text editor of your choice the file /etc/haproxy/haproxy.cfg.
- Search for the string frontend fwd_proxy.
- Under that block, after the line bind <ip>:<port> accept-proxy transparent, enter the new line maxconn 50000.
For example:
bind 192.168.20.150:80 accept-proxy transparent
maxconn 50000
- Repeat this process for each instance of the string frontend fwd_proxy, adding the new line under the accept-proxy transparent entry.
- Save and close the file.
- Restart the service. Type service haproxy restart and press Enter.
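The workaround above, scripted as an added example (not Skyhigh's own tooling): an awk filter that inserts maxconn 50000 after each bind ... accept-proxy transparent line in every frontend fwd_proxy block and leaves blocks that already carry a maxconn line unchanged, so it can be re-run after each GUI save. The function name add_maxconn, the sample configuration, and the choice to match every frontend whose name begins with fwd_proxy are assumptions.

```shell
#!/bin/sh
# Added example: applies the maxconn workaround to an haproxy.cfg read on
# stdin and writes the patched file to stdout. Safe to re-run after every
# GUI save, because an existing maxconn line directly after the bind line
# is kept and no second one is added.
# Assumptions: section headers start in column 0, and every frontend whose
# name begins with "fwd_proxy" is one of the instances the workaround means.

add_maxconn() {
    awk -v limit="${1:-50000}" '
        # Print the maxconn line owed to the last matching bind line, if any.
        function emit_pending() {
            if (pending) { print indent "maxconn " limit; pending = 0 }
        }

        # Section header: remember whether we are inside a fwd_proxy frontend.
        /^(global|defaults|frontend|backend|listen)([ \t]|$)/ {
            emit_pending()
            in_fwd = ($1 == "frontend" && index($2, "fwd_proxy") == 1)
            print
            next
        }

        {
            if (pending) {
                if ($1 == "maxconn") {
                    # Already configured: keep the existing line as it is.
                    pending = 0
                    print
                    next
                }
                emit_pending()
            }
            print
            if (in_fwd && $1 == "bind" && /accept-proxy/ && /transparent/) {
                # Reuse the indentation of the bind line for the new line.
                match($0, /^[ \t]*/)
                indent = substr($0, 1, RLENGTH)
                pending = 1
            }
        }

        END { emit_pending() }
    '
}

# Constructed sample configuration (not taken from a real appliance).
SAMPLE_CFG='global
    maxconn 4000

frontend fwd_proxy
    bind 192.168.20.150:80 accept-proxy transparent
    default_backend be_http

frontend fwd_proxy
    bind 192.168.20.150:21 accept-proxy transparent
    maxconn 50000

frontend stats
    bind 127.0.0.1:8404
'

# Show the patched sample. On an appliance the equivalent would be:
#   cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak
#   add_maxconn < /etc/haproxy/haproxy.cfg.bak > /etc/haproxy/haproxy.cfg
#   haproxy -c -f /etc/haproxy/haproxy.cfg && service haproxy restart
printf '%s' "$SAMPLE_CFG" | add_maxconn
```

Only lines inside fwd_proxy frontends are touched; the global maxconn and other frontends pass through unchanged.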
Issue: In the transparent router mode, when only the HTTP proxy is enabled and IP spoofing is enabled only for HTTP traffic, the HTTP connection fails with a 502 error.
Workaround: Enable the FTP proxy. Enable the FTP port redirects and FTP listener configuration at the same time.
Issue: In 8.2, the bandwidth throttling feature in router mode isn't fully supported. Using the feature in the router mode might not throttle the traffic according to the configuration. Existing customers using this feature in the transparent router mode in older releases are advised to not upgrade to the latest version.
Secure Web Gateway (On-Prem) SWG 8.2.2
SWG 8.2
Issue: SWG 8.2 doesn't support configuring the Transparent proxy in Bridge mode.
Existing customers using the transparent bridge mode in older releases are advised to not upgrade to the latest version.
Solution: This feature is supported in SWG 8.2.2 and later.
Secure Web Gateway (On-Prem) SWG 8.0.3.1-8.0.4
SWG 8.0.3
Issue: You see a kernel panic when you reboot SWG. During the reboot, SWG stops and displays Kernel Offset and Kernel Panic errors.
Workaround: Reboot SWG again.
Secure Web Gateway (On-Prem) SWG 8.0.2.1-8.1
Issue: Unable to log on to the SWG manager (UI).
Solution: See the related article.
Issue: You can't paste text when you use the Webswing user interface with the Edge browser. You press Ctrl+V, the paste fails, and you see the following error:
SCRIPT5007: Unable to get property 'getData' of undefined or null reference webswing-embed.js (145,464897)
Workaround: Use an alternative browser.
Issue: When you update SWG from a version earlier than 7.7.2.14 or with the AV rollback flag (ud-rollbackGAM2015) enabled, SWG 8.0 can't load the old GAM2015 libraries. Instead, it downloads the new engine in the background. This process can take several minutes, depending on your download speed. Users see the error below:
Cannot Load Anti-Malware Engine The Anti-Malware engine could not be loaded and your administrator doesn't allow to deliver content without being checked for viruses.
Please call your administrator with the error message below.
Solution: Don't redirect traffic to SWG before the AV engine has finished all updates. You can view the update status in the SWG dashboard.
Non-critical Known Issues
Issue: In the HAProxy mode, when using the Virtual IP address, the settings for connection timeouts configured in event enable proxy control are ignored.
The HAProxy only relates to general timeout settings.
Workaround: Increase the general timeout settings in SWG or increase the timeout on the remote site.
Issue: You intermittently see an antimalware engine update error:
[AV] [UpdateFailed2] Error updating the Antivirus engine. Reason: 'Error starting engine 'Skyhigh Gateway Anti-Malware', error code: 5'."
You also see that service restarts take upwards of 40 minutes rather than the expected 5 minutes.
Issue: Spanport Automation stops receiving information from the ICAP server. You can't view log entries in access.log on the spanport proxy.
Secure Web Gateway (On-Prem) SWG 9.2.25
Issue: 9.2.25 uses an updated version of Tomcat.
This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication."
This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page).
Detailed information about client certificate authentication can be found on the About Client Certificate Authentication page.
NOTE: Most current browsers don't support Java Applets.
The most notable browser still supporting them is the old Internet Explorer 11, but this is now End of Life.
You see the following entries present in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log:
[ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint
Issue: After you reboot, the kdump service fails to start.
The current kdump service included in SWG isn't compatible with the latest kernel upgrade provided as part of the Sept 20, 2022 releases.
The kdump service handles kernel failures that occur and recovery from these issues.
When this service is non-functional, kernel failures cause the appliance to become unresponsive, and a manual power cycle is needed to get the appliance back to a working state.
Workarounds: You can avoid the issue on installation and prevent the kernel package from being upgraded.
NOTE: This workaround is only applicable to the CMD method of upgrade.
- Instead of running yum upgrade yum && yum upgrade, run yum upgrade yum && yum upgrade --exclude=kernel*
- If you've already upgraded, edit the config files so that the appliance recovers from the kernel failure and automatically reboots after 5 s:
  - Edit the sysctl.conf file from the SWG-UI.
  - Add the line kernel.panic=5 outside the autogenerated block.
  - Save your changes.
Secure Web Gateway (On-Prem) SWG 9.2.21
Issue: Your Browser response page shows corrupted text. No errors are seen in the SWG logs.
Solution: This issue is fixed in 9.2.21.
Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs.
Solution: This issue is fixed in 9.2.21.
Secure Web Gateway (On-Prem) SWG 9.2.21
SWG 9.2.15
Issue: A memory leak leads to one or more of the following issues:
- Appliance not reachable
- SWG stops handling network traffic
- No access to SWG UI
Solution: This issue is fixed in 9.2.21.
Secure Web Gateway (On-Prem) SWG 9.2.14
SWG 9.2.13
Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works.
The following setting is disabled: Accounts > Administrator accounts are managed externally
If you enable the setting and save changes, it's disabled again after a few minutes.
Workaround: Use the local admin account.
Solution: This issue is fixed in 9.2.14.
Secure Web Gateway (On-Prem) SWG 9.0.x-SWG 9.1.0
SWG 9.11
SWG 9.2
Issue: The HSM Agent doesn't work. Any installed HSM card fails.
Solution: This issue is fixed in 9.1.1 and 9.2.
Secure Web Gateway (On-Prem) SWG 9.2.x
Non-Critical Known Issues
Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only.
But, Avira doesn't detect specific or modified Eicar files inside the archive.
Workaround: Open SWG Policy under Common Rules, and enable the Enable Opener Rule set.
Secure Web Gateway (On-Prem) SWG 9.2.9
SWG 9.2.8
Issue: The SWG Update fails if using an offline update or update proxy.
Workaround: See the related article.
Solution: This issue is resolved in 9.2.9.
Secure Web Gateway (On-Prem) SWG 9.2.5
SWG 9.0
Issue: In HAProxy mode, when using the Virtual IP (VIP) address, the settings for connection timeouts configured in event enable proxy control are ignored.
The HAProxy only relates to general timeout settings.
Workaround: Increase the general timeout settings in SWG or increase the timeout on the remote site.
Issue: You intermittently see an anti malware engine update error:
[AV] [UpdateFailed2] Error updating the Antivirus engine. Reason: 'Error starting engine 'Skyhigh Gateway Anti-Malware', error code: 5'."
You also see that service restarts take upward of 40 minutes rather than the expected 5 minutes.
Secure Web Gateway (On-Prem) SWG 9.2.4
SWG 9.2
Issue: In Automatic airgap settings, Active mode isn't currently supported. Because of this issue, GTI requests aren't evaluated locally when you select the active mode.
Workaround: Use the Monitor Only option to track GTI-related connection issues. This option detects connectivity issues to the GTI server and notifies you.
Solution: Resolved in 9.2.4.
Issue: With some XMPP clients (for example, Spark), an intermittent delay has been observed while establishing an initial connection with the server.
Workaround: Increase the client connection timeout.
Secure Web Gateway (On-Prem) SWG 9.1.2
SWG 9.2
SWG 9.1.0
SWG 9.1.0
Issue: The PDF opener fails to access restricted PDF files, encrypted using AES.
Issue: SWG 9.1 doesn't support configuring a Transparent proxy in Bridge mode.
Existing customers using the transparent bridge mode in older releases are advised to not upgrade to the latest version.
Solution: This issue is fixed in 9.2.
Secure Web Gateway (On-Prem) SWG 9.1.0
Issue: The keepalived service doesn't start after restoring a backup file with network interfaces configured.
Workaround: Start the keepalived service manually with the below command:
systemctl start keepalived
Issue: The SpanPort - mfetsc service doesn't start after reboot.
Workaround: Start the mfetsc service manually with the below command:
systemctl start mfetsc
Issue: MDS-based exploits and vulnerabilities are seen on Intel® CPUs.
Solution: With SWG 9.1, the administrator can start an appliance with an option to disable the use of hyper-threading, which mitigates some vulnerabilities. This action can be done for appliances that use hyper-threading, such as 4500-C, 5500-C, and -D. You can't enable it on the WBG-5000-C models where the relevant microcode isn't available yet.
Secure Web Gateway (On-Prem) SWG 11.2.4
SWG 11.2.5
SWG 11.2.3
Issue: After you update a central management cluster from 10.2.x to 11.2.x (specifically 11.2.4 or earlier), you see one of the following issues:
- No access to UI. You might see the following error: Error while receiving data. Received 'HTTP:200'
- System list updates fail with the following error: System Lists update failed, with ID 333
Workaround: Run the following commands on each cluster node via CLI:
service mwg-core stop
rm /opt/mwg/plugin/data/DLP/0/lists -rf
service mwg-core start
After the service restart, a new list is created automatically.
NOTE: This workaround includes a service restart; all connections will be disconnected and no connections will be accepted until the service is started again.
Solution: This issue is fixed in version 11.2.5; release date is November 15, 2022.
Issue: 11.2.3 uses an updated version of Tomcat.
This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication."
This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page).
Detailed information about client certificate authentication can be found on the About Client Certificate Authentication page.
NOTE: Most current browsers don't support Java Applets.
The most notable browser still supporting them is the old Internet Explorer 11, but this is now EOL.
You see the following entries, present in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log:
[ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint
Issue: After you reboot, the kdump service fails to start.
The current kdump service included in SWG isn't compatible with the latest kernel upgrade provided as part of the September 20, 2022 releases.
The kdump service handles kernel failures that occur and recovery from these issues.
When this service is non-functional, kernel failures cause the appliance to become unresponsive, and a manual power cycle is needed to get the appliance back to a working state.
Workarounds: You can avoid this issue on installation and prevent the kernel package from being upgraded.
NOTE: This workaround is only applicable to the CMD method of upgrade.
- Instead of running yum upgrade yum && yum upgrade, run yum upgrade yum && yum upgrade --exclude=kernel*
- If you've already upgraded, edit the config files so that the appliance recovers from the kernel failure and automatically reboots after 5 secs:
  - Edit the sysctl.conf file from the SWG-UI.
  - Add the line kernel.panic=5 outside the auto generated block.
  - Save your changes.
Secure Web Gateway (On-Prem) SWG 11.1.4
SWG 11.1
Issue: Your Browser response page shows corrupted text. No errors are seen in the SWG logs.
Solution: This issue is fixed in version 11.1.4.
Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs.
Solution: This issue is fixed in version 11.1.4.
Issue: A memory leak leads to one or more of the following issues:
- Appliance not reachable
- SWG stops handling network traffic
- No access to SWG UI
Resolution: This issue is fixed in version 11.1.4.
Secure Web Gateway (On-Prem) SWG 10.2.15
SWG 10.2.14
Issue: 10.2.14 uses an updated version of Tomcat.
This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication."
This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page).
Detailed information about client certificate authentication can be found on the About Client Certificate Authentication page.
NOTE: Most current browsers don't support Java Applets.
The most notable browser still supporting them is the old Internet Explorer 11, but this is now End of Life.
You see the following entries, present in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log:
[ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint
Secure Web Gateway (On-Prem) SWG 10.2.2
SWG 10.2.1
Reference number- WP-4043
Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works.
The following setting is disabled: Accounts > Administrator accounts are managed externally
If you enable the setting and save changes, it's disabled again after a few minutes.
Workaround: Use the local admin account.
Secure Web Gateway (On-Prem) SWG 10.2.4
SWG 10.2
Reference number- TSWS-6000
Issue: After you update SWG 10.2–10.2.3 or earlier, DATs and Gateway DATs fail to update. SWG 10.2.3 and earlier don't support the GAM Engine 2021.1.
Resolution: Update to 10.2.4 or later.
Workaround: If you continue to use 10.2.3 or earlier, you need to remove all updates. After you follow this workaround, SWG runs with GAM Engine 2019:
- Log on to the SWG appliance using SSH or the console.
- Stop the main mwg process:
  Type service mwg stop and press Enter.
- Delete the patterns saved:
  Type cd /opt/mwg/plugin/data/antivirus and press Enter.
  Type rm -rf * and press Enter.
- Delete temp data or the broken pattern that's saved:
  Type cd /opt/mwg/temp and press Enter.
  Type rm -rf * and press Enter.
- Start the mwg process again:
  Type service mwg start and press Enter.
- Manually update the engine through the Manager:
  Click Configuration, Appliances, Update Engine, Trigger Update.
Reference number- WP-3868
Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only.
But, Avira doesn't detect specific or modified Eicar files inside the archive.
Workaround: Open SWG Policy under Common Rules, and enable the Enable Opener Rule set.
Reference number- WP-3541
Issue: Adding new HSM keys in the SWG UI fails if the HSM server is already started and running.
Workaround: Restart the HSM Server from the SWG UI after you add new keys.
Secure Web Gateway (On-Prem) SWG 10.2 10.0.1-10.1
SWG 10.0.1-10.1
Reference number- WP-2823
Issue: In the HAProxy mode, when using the Virtual IP address, the settings for connection timeouts configured in event enable proxy control are ignored. The HAProxy only relates to general timeout settings.
Workaround: Increase the general timeout settings in SWG or increase the timeout on the remote site.
Secure Web Gateway (On-Prem) SWG 10.1
SWG 10.0.1-10.0.2
Reference number- WP-3305
Issue: You intermittently see an anti malware engine update error:
[AV] [UpdateFailed2] Error updating the Antivirus engine. Reason: 'Error starting engine 'McAfee Gateway Anti-Malware', error code: 5'."
You also see that service restarts take about 40 minutes rather than the expected 5 minutes.
Secure Web Gateway (On-Prem) SWG 10.2.10
Random f.txt files no longer download incorrectly on Chrome and Edge browsers.
SSE 6.0.2
When using a particular type of browser for data downloads, progress pages work again. The relevant script was modified so that it no longer uses some recently introduced methods that the browser does not support.
SSE 6.0.2
In a list of IP address ranges that is exported to the CSV format, the individual IP addresses show up again. Previously, only a generic term for the exported objects was shown.
SSE 6.0.2
A failure of the core process on several instances of SWG, which had been caused by a corrupted entry in a map with codes for loading errors, no longer occurs. A conflict between multiple threads referring to the same CString function for performing a comparison to find the map has been resolved.
Skyhigh Private Access SSE 6.0.2
The Server Message Block protocol doesn't work with Private Access.
SSE 6.0.0
An issue with inappropriate values that were returned for ongoing processes has been resolved by implementing a fix that made the Client.ProcessExePath property work as expected again. This property is for use in a Hybrid solution where Client Proxy is also running. Its value is the path to an .exe file that enables a process, for example, ...\program files (x86)\google\chrome\application\chrome.exe. You can include this information in end-user notification pages, also known as block pages.
Skyhigh CASB SSE 6.0.2
When an inline DLP policy is created for Exchange Online, and the policy is violated, an email notification is sent to internal or external users' email addresses via To/From/CC/Bcc fields with the remediation action to delete the message from the user's mailbox. The incident generated doesn't show the information of the Bcc recipients.
Skyhigh CASB SSE 6.0.2
A known issue has been identified: when an email contains multiple events, such as BCC recipients or internal and external recipients, and an inline policy is configured with the Delete Response action, the event that is processed first deletes the original violating email from the user's mailbox. The incident created for this event includes the BCC recipients' information along with the email message and associated metadata before being deleted. Due to the recent deletion of the email, the subsequent events can't find this email. As a result, the subsequent incidents cannot populate the BCC recipients' details.
Skyhigh Private Access SSE 6.1.0
Private Access SSH connections do not work with the Tera Term client.
Skyhigh Private Access SSE 6.1.0
Remote Browser Isolation is not supported with clientless Private Access deployment.
Skyhigh Private Access SSE 6.1.0
In Private Access, publish updates fail when there is a hostname conflict and Browser Access is enabled. An incorrect error message is displayed.
Skyhigh Private Access SSE 6.6.1
In Private Access, the page block does not appear for the private app configured as smart match.
Cloud Firewall SSE 6.6.1
Issue: When the block rule is applied, the Cloud Firewall does not block traffic from Tor services.
Workaround: A set of 3 rules is required to strongly block Tor browser traffic:
1 - A Tor service rule to block the Tor website for any download activities.
2 - A Tor IP range-based rule to block all the possible Tor IPs.
3 - A Tor Process rule based on the process name tor.exe.
Note: Make sure these block rules are kept above Web Traffic(HTTPS).