Secure Web Gateway 11.2.11 Release Notes

New Features in the 11.2 Release

This release provides the following new features. For resolved issues in this release and the update releases, see further below.

NOTE: Secure Web Gateway 11.2 is provided as a main release.

For information about how to install this release, see the Upgrading to a New Version - Controlled Release. If you are installing the Secure Web Gateway appliance software for the first time, see Installing Secure Web Gateway for the First Time.

When configuring rules for your web policy, you can use these new items:

A new property to expose encrypted archive directory listings.
A new property to store the rule and rule set names or IDs that were processed at the end of the request and response filtering cycles.

Data that is collected by the GTI diagnosis script of the operating system is included in the output feedback file.

Support for rolling TCPdump collection option is now available in the UI. For more details, see Create a packet tracing file. For more details on Performing Packet Tracing in Secure Web Gateway, see Performing Packet Tracing in Secure Web Gateway SWG

When configuring an HTTP Proxy Port, you can disable the Enable FTP over HTTP option. The option is enabled by default.

The following enhancements have been added to SSL Tap configuration:

The destination port number is not overwritten by default when tapped packets are created.
The destination MAC address can be customized when tapped packets are broadcast.
SSL tapping now supports HTTP2 on Secure Web Gateway.

Excel 4 macros are now detected in media type filtering.

IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.

For a list of issues that are currently known, see SWG 11.x.x Known Issues and Workaround

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.11 is provided as a main release.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns

Reference	Description
WP-4517	A new media type has been added to media type filtering to cover requests where pipelined application/http traffic is involved.
WP-4952	Rules that include multiple conditions with multiple IP addresses are shown correctly now.
WP-5261	Enhanced media type detection for SVG files.
WP-5281	A signature has been added for detecting the .one and .onepkg media types.
WP-5338	There is now an option to configure chunk encoding of traffic that is sent to a server.
WP-5361	When using SmartMatch the path component in an URL will now be matched in a case insensitive manner.
WP-5365	Read-only users are now able to switch to the network interface and read the information.
WP-5367	Media type detection has been enhanced for the EML file type.
WP-5377	An ENV variable has been introduced to disable ARP on interfaces where V4 is marked as disabled.
WP-5388	When an EICAR file with a test virus is embedded in a .docx file, it is extracted now and sent to the Gateway Anti-Malware (GAM) engine for scanning.
WP-5393	When data trickling is enabled, response data created under the HTTP2 protocol is completely sent to the client again.
WP-5398	When the value of the acknowledgement number field for the SSL tap is not zero, the ACK flag is set now.
WP-5461	Improved performance behaviour under heavy load situations.
WP-5462	UI login issues when large inline list is involved has been fixed.

Vulnerabilities Fixed

Reference

Description

WP-3575, WP-5369,
WP-5387, WP-5409, WP-5425

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved: