Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Secure Web Gateway 12.2.0 Release Notes

New Features in the 12.2 Release   

This release provides the following new features. For resolved issues in this release and the update releases, see further below.

For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.

Rebranding to Account for Transition   

Names of products, components, and other items have been rebranded to account for the transition from McAfee to Secure Web Gateway.

Rebranded SNMP SMI and MIB file with updated Org OID for Skyhigh Security   

As part of the rebranding, a new Object Identifier (OID) has been introduced for Org Skyhigh Security. We are updating the SNMP OID from .1.3.6.1.4.1.1230* to .1.3.6.1.4.1.59732*. You'll need to update your management software accordingly if they are referring to these OID. For more details, see Configure event monitoring with SNMP.

Trellix VX Integration to SWG  

The SWG 12.2.0 supports integration with Trellix Virtual Execution (VX). For more details, see Trellix Virtual Execution Integration to SWG.

Detection of OneNote files 

New Mediatype detection has been added for OneNote files to detect .one and .onepkg files. 

InsecureNetlogon  

Insecure NETLOGON channel is blocked by default to explicitly allow Insecure NETLOGON,  a new checkbox is provided in Windows Join Domain Dialogue. For more details, see InsecureNetlogon 

TCP Health Check  

Prior to this features, SWG would send live traffic to Next Hop Proxies to determine its health which resulted in delayed response in case Next Hop Proxy is not healthy. With this feature, SWG will have knowledge of the health of the Next Hop Proxies beforehand. For more details, see TCP Health Check for Next Hop Proxy.

Server Chunk Encoding  

A new check box option is provided in proxy control event settings, which allows to enforce chunk encoding transfer on server requests from SWG. For more details, see Server Side Chunk Encoding

Connect Response Based on HTTP-Protocol 

Connection Established response message always shows HTTP1.0 even if the HTTP Protocol header of the request was HTTP1.1. Now you can configure this under Proxy Control Event, where we can select to send back the Connection Established Response text based on the HTTP Protocol version received.   For more details, see Configure Connection Established Response based on HTTP Protocol Version.

Support to pipelined application/HTTP 

A new media type has been added to media type filtering for detection and Openers for pipelined Application/HTTP. 

New Properties for Multiline Base64 

To support the multiline Base-64, new properties are added in SWG

Support for kdbx-kdb-Filetype 

A new media type has been added to media type filtering to detect files of the kdbx and kdb types.

Client certificate authentication for HTML UI 

Client certificate authentication is now added for the HTML UI, For more details, see Client Certificate Authentication for HTML UI.

Configurable size limit of single XML attributesEdit section

The configurable size limit of single XML attributes has been increased to reduce errors on startup when having large inline lists.

 

Resolved Issues in the 12.2 Release   

This release resolves known issues.

NOTE: Secure Web Gateway 12.2.0 is provided as a controlled release.      

For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-274 A new configuration setting is added to Java UI.
WP-1016 Client certificate authentication is now added for the HTML UI.
WP-2682 Downloads with progress pages over Peering PoPs break with 502 have been resolved.
WP-4515 Receive HTTP/1.1 response for Connect HTTP/1.1 request, when configured via proxy control event
WP-4517 A new media type has been added to media type filtering to cover requests where the pipelined application/HTTP traffic is involved.
WP-4758 Improved URL scheme validation as per RFC requirement.
WP-4952 Rules that include multiple conditions with multiple IP addresses are shown correctly now.
WP-5067 Sub rule sets are no longer deleted when importing a rule set via REST API.
WP-5084 Fixed toggle button "Ignore certificate errors" in Customer Maintained list’s Setup Dialogue box.
WP-5108/WP-5170 Fixed core dump issue related to NHP and added handling of timeout in case of TLS handshake with secure NHP.
WP-5131 The configurable size limit of single XML attributes has been increased to reduce errors on startup when having large inline lists.
WP-5137 The TCP-based health check is now supported in SWG.
WP-5153 SUM tool and ipmicfg tool supports bundling with the SWG image for Next-Gen-X13-HW 
WP-5154 A new environment variable is provided to control(enable/disable) creation of UnSecure Netlogon channel.
WP-5172 JSP files are not interpreted anymore but are delivered as text without additional processing except pre-compiled JSP pages.
WP-5174 A new UI option 'Connection Timeout' is introduced in ICAP client settings.
WP-5177 Correct MediaType Detection for application/x-git.
WP-5202 Snmpsa support for X13 Hardware using SD5 tool.
WP-5205 REST Interface access to System files without required Permissions has been fixed.
WP-5224 A bad gateway error while visiting some HTTP2 websites has been resolved.
WP-5225 When mirroring decrypted traffic with the SSL Tap feature, the source and destination IP addresses are not reversed.
WP-5226 Fixed performance and slowness issues caused due to an update in the Kerberos package.
WP-5239 Memory management optimizations are made for the HTTP2 SSL tap feature.
WP-5256 Webswing has been upgraded from version 20.1.16 to version 20.2.21 LTS.
WP-5261 Enhanced media type detection for SVG files.
WP-5264 Uploading a file with chunked encoding format works without problems again.
WP-5265 The maximum configurable value of ‘Connection timeout’ is now 99999 seconds in ‘Enable Proxy Control’ event.
WP-5270 An issue with downloading RTF files that led to a blocking of the download has been resolved.
WP-5281 A signature has been added for detecting the .one and .onepkg media types.
WP-5291 New properties are added to handle Multiline Base64 Strings.
WP-5295 A new media type has been added to media type filtering to detect files of the kdbx and kdb types.
WP-5300 HSM - Fixed AgentPeer socket read/write synchronization issue causing HSM operations failure on high load
WP-5304 Secure Web Gateway reports statistics information as expected, which had not worked before due to an issue with the database lock status.
WP-5338 Introduced Configurable option to enforce chunk encoding transfer towards the server.
WP-5361 When using SmartMatch the path component in an URL will now be matched in a case-insensitive manner.
WP-5365 Read-only users are now able to switch to the network interface and read the information.
WP-5367 Media type detection has been enhanced for the EML file type.
WP-5376 When a download is performed on Web Gateway Cloud Service (WGCS) under the HTTP2 protocol, use of a progress page to show the download
progress no longer causes the download to fail.
WP-5377 An ENV variable has been introduced to disable ARP on interfaces where V4 is marked as disabled.
WP-5388 When an EICAR file with a test virus is embedded in a .docx file, it is extracted now and sent to the Gateway Anti-Malware (GAM) engine for scanning.
WP-5393 Fixed data truncation issue with very slow http2 server when Data trickling is enabled
WP-5398 Fixed issue where non-zero acknowledgment number field is set for packets without ACK flag
WP-5419 When the authentication process on Secure Web Gateway uses the basic NTLM authentication method, adding the default domain of the
NTLM authentication server to the settings no longer leads to a failure of the process.
WP-5462 UI login issues when a large inline list is involved have been fixed.
WP-5471 ProxyHA configuration failure is fixed for SWG on Nutanix.
WP-5497 When regex terms are created for the filtering process on Secure Web Gateway, dereferencing of the null pointer does not occur anymore.
WP-5501 Anti-malware filtering on Secure Web Gateway no longer attempts to access a transaction again that has already been processed and completed.

Vulnerabilities Fixed    

Reference Description
WP-3575 
WP-3762, 
WP-3764,
WP-3814,
WP-4147,
WP-4657, 
WP-4844,
WP-4956, 
WP-4958,
WP-5005,
WP-5049, 
WP-5129,
WP-5164,
WP-5165,
WP-5195,
WP-5260,
WP-5273,
WP-5274,
WP-5322,
WP-5323,
WP-5369,
WP-5387,
WP-5409,
WP-5425

 

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2020-15522
  • CVE-2020-13947,
    CVE-2021-26117

  • CVE-2020-27218,
    CVE-2021-28163,
    CVE-2020-27223,
    CVE-2021-28165

  • CVE-2020-15522

  • CVE-2021-29425

  • CVE-2020-36518

  • CVE-2022-2319

  • CVE-2017-9225,
    CVE-2017-9229

  • CVE-2022-38177

  • CVE-2022-32532,
    CVE-2022-40664,
    CVE-2023-22602

  • CVE-2022-1552

  • CVE-2022-42920
  • CVE-2023-22809
  • CVE-2022-3550,
    CVE-2022-3551

  • CVE-2022-4304,
    CVE-2023-0215,
    CVE-2023-0286

  • CVE-2022-4883

  • CVE-2022-4304,
    CVE-2023-0215,
    CVE-2022-4450,
    CVE-2023-0286

  • CVE-2022-37434

  • CVE-2022-23521,
    CVE-2022-41903,

  • CVE-2022-42252

  • CVE-2023-21930

  • CVE-2023-1393

  • CVE-2023-0767

  • Was this article helpful?