Secure Web Gateway 11.0.2 Release Notes
What's new in the 11.0 release
This release introduces new features and enhances existing features.
NOTE: Skyhigh Secure Web Gateway 11.0 is provided as a controlled release.
For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.
Download of lists maintained under MVISION Unified Cloud Edge for on-prem web policy
You can download lists of user names, user groups, and other web objects that are maintained under Skyhigh Security Service Edge for the on-prem policy that you set up on Web Gateway.
The lists are continually synchronized. When enabling the download on Web Gateway, you set the synchronization interval.
This download feature is a part of a Hybrid solution that allows you to filter web traffic using both Web Gateway and Skyhigh Security Service Edge.
For more information, see Synchronize lists for your web policy when using a Hybrid solution in the McAfee Web Gateway Product Guide.
Secure net-hop proxy for securing traffic to MVISION Unified Cloud Edge
You can set up a secure next-hop proxy on Web Gateway to ensure traffic going to Skyhigh Security Service Edge is secure.
The traffic follows the TLS protocol. A certificate is presented at the initial handshake from the server side whereas Web Gateway uses the authentication method that is enabled by Client Proxy to authenticate to Skyhigh Security Service Edge.
For more information, see Set up a secure next-hop proxy to secure traffic on a Hybrid connection in the McAfee Web Gateway Product Guide.
Use of keywords to filter lists with Azure Active Directory group names
When searching lists of user groups stored in an Azure Active Directory, you can use a keyword to filter the search result. You can create lists of keywords and use more than one in a search.
For more information, see Azure Directory settings in the McAfee Web Gateway Product Guide.
SmartMatch optimization
Performance has been optimized for SmartMatch lookups by improving the handling of partial matches in URL lists.
For more information, see the entry on the URL.SmartMatch property under Properties — U in the McAfee Web Gateway Product Guide.
Improved detection of CPIO application type
Applications of the application/x-cpio type are properly recognized through improving the methods for their detection, which had only relied on checking the file header before and caused incorrect further treatment, for example, being rated as corrupt by the file opener.
New locations for storing cloud access log data
New options available when choosing the country or region where cloud access log data are stored, including Canada, United Kingdom, United Arab Emirates, and Singapore.
For more information, see Cloud Access Log Data Residency settings in the McAfee Web Gateway Product Guide.
Recognition of intermediary HTTP2 headers
When receiving web traffic from servers that support HTTP2 on the connection to Web Gateway, headers with status code 1xx are recognized by Web Gateway as intermediary headers preceding the main headers and processed accordingly.
Improved handling of HTTP2 statistics
HTTP2 statistics, which are also shown on the Web Gateway dashboard, are provided under the Simple Network Management Protocol (SNMP) to be read by an external SNMP manage poll.
For more information about how to configure this protocol, see Event monitoring with SNMP in the McAfee Web Gateway Product Guide.
Kerberos authentication with improved logging
When the Kerberos authentication method is used, error logging has been improved, for example, by writing client IP addresses in the log.
More efficient troubleshooting methods
More efficient methods are used now to identify customers, clients, and connections relating to high load or overload issues in temp files on Web Gateway.
Known Issues and their Patches
For a list of issues that are known, but not resolved yet, see the table below.
Fix Version | Found Version | Description |
SWG 11.2.5 |
SWG 11.2.0 |
Issue: After you update a central management cluster from 10.2.x to 11.2.x (specifically 11.2.4 or earlier), you see one of the following issues:
Workaround: Run the following commands on each cluster node via CLI: service mwg-core stop After the service restart, a new list is created automatically. |
SWG 11.2.4 |
SWG 11.2.3 |
Issue: 11.2.3 uses an updated version of Tomcat.
Issue: After you reboot, the kdump service fails to start.
|
SWG 11.1.14 |
SWG 11.1 |
Issue: Your Browser response page shows corrupted text. No errors are seen in the SWG logs. Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs. Issue: Memory-leak leads to one or more of the following issues:
Resolution: This issue is fixed in version 11.1.4 |
Resolved issues in update 11.0.2
This release resolves known issues.
NOTE: Secure Web Gateway 11.0.2 is provided as a controlled release.
For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.
The JIRA issue number is provided in the reference column.
Vulnerabilities Fixed
Reference | Description |
---|---|
WP-4355 | This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers. The following medium and higher level CVEs (CVSS 3.0 >= 4) were involved:
|