Secure Web Gateway 12.2.18 Release Notes

New Features in the 12.2.x Release

Below is a consolidated list of new features available across the different 12.2.x releases. For issues resolved as a part of this release, see the Resolved Issues section.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

Rebranding to Account for Transition

Names of products, components, and other items have been rebranded to account for the transition from McAfee to Secure Web Gateway.

Rebranded SNMP SMI and MIB file with Updated Org OID for Skyhigh Security

As part of the rebranding, a new Object Identifier (OID) has been introduced for Org Skyhigh Security. We are updating the SNMP OID from .1.3.6.1.4.1.1230* to .1.3.6.1.4.1.59732*. You'll need to update your management software accordingly if they are referring to these OID. For more details, see Configure event monitoring with SNMP.

Trellix VX Integration to SWG

The SWG 12.2.0 supports integration with Trellix Virtual Execution (VX). For more details, see Trellix Virtual Execution Integration to SWG.

Detection of OneNote files

New Mediatype detection has been added for OneNote files to detect .one and .onepkg files.

Insecure NETLOGON

Insecure NETLOGON channel is blocked by default. To explicitly allow Insecure NETLOGON, a new checkbox is provided in Windows Join Domain Dialogue. For more details, see Insecure Netlogon.

TCP Health Check

Prior to this feature, SWG would send live traffic to Next Hop Proxies to determine its health which resulted in delayed response in case Next Hop Proxy is not healthy. With this feature, SWG will have knowledge of the health of the Next Hop Proxies beforehand. For more details, see TCP Health Check for Next Hop Proxy.

Server Chunk Encoding

A new check box option is provided in proxy control event settings, which allows to enforce chunk encoding transfer on server requests from SWG. For more details, see Server Side Chunk Encoding.

Connect Response Based on HTTP-Protocol

The Connection Established response message always shows HTTP1.0 even if the HTTP Protocol header of the request was HTTP1.1. Now you can configure this under Proxy Control Event, where we can select to send back the Connection Established response text based on the HTTP Protocol version received. For more details, see Configure Connection Established Response based on HTTP Protocol Version.

Support for Pipelined Application/HTTP

A new media type has been added to media type filtering for detection and openers for Pipelined Application/HTTP.

New Properties for Multiline Base64

To support the multiline Base64, new properties are added in SWG.

Support for kdbx-kdb-Filetype

A new media type has been added to media type filtering to detect files of the kdbx and kdb types.

Client Certificate Authentication for HTML UI

Client Certificate Authentication is now added for the HTML UI. For more details, see Client Certificate Authentication for HTML UI.

Configurable Size Limit of Single XML Attributes

The configurable size limit of single XML attributes has been increased to reduce errors on startup when having large inline lists.

What's New in the 12.2.18 Release

Upgrade in Hardware Security Module Versions

nfast HSM (Entrust) packages are updated from 12.60 to 13.4.4, and Thales upgraded from v7.4.0-226 to v10.7.2-16. For more details, see Hardware Security Module Versions for Secure Web Gateway

NOTE: During the upgrade process, you may see alert messages due to changes in the packaging format of updated packages. These messages are expected and do not require any user action.

Known Issues and Workarounds

For a list of issues that are currently known, see SWG 12.x.x Known Issues and Workaround.

Resolved Issues in the 12.2.18 Release

NOTE:

Secure Web Gateway 12.2.18 is provided as a main release.
If you have configured SWG in Transparent Router mode, ensure that your configuration follows the mandatory steps outlined in the Skyhigh document before upgrading to SWG version 12.2.9 or later.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

The following table provides a list of Resolved Issues with associated Jira numbers.

Reference	Description
WP-5588	Memory (RAM) validation values for Tomcat, Applet, and HTML UI are increased.
WP-6261	firewalld package is updated to 6.3-14.
WP-6519	Enhanced the bandwidth control statistics collection, resolving previous issues that led to delayed updates.
WP-7056	nfast HSM (Entrust) packages are updated from v12.60 to v13.4.4.
WP-7148	Enable removal of disinfectable content detected in HTML documents by mobile code filter option is removed from the UI.
WP-7156	SWG does not mark NHP as down when there is no response to CONNECT.
WP-7162	When Listen backlog is changed, SWG tries to rebind all the configured ports. In case the bind fails due to the error Address already in use, SWG has now implemented a retry logic to rebind the failed ports. For more details, see Advanced Settings (for Proxies).
WP-7335	postgresql package is updated from 10.17-1 to 16.8-2.
WP-7369	POST data is not falsely detected as application/dns-message.
WP-7412/WP-7738	Performance is optimized in regular expression processing.
WP-7428/WP-7429	Thales Luna package is updated from v7.4.0-226. to v10.7.2-16.
WP-7744	If the gamserver restarts during a DAT update while querying the current version, the update fails and incorrectly falls back to no version available. It now retains the previously loaded version unless it's the first update.
WP-7756, WP-7757	Documentation enhancement on the Conditional and Proxy DNS TTL Behavior in Skyhigh Secure Web Gateway. For more details, see Proxy DNS TTL Behavior in Skyhigh Secure Web Gateway (SWG).
WP-7772	MP4 fragmented streaming segments are getting detected as ensured type video/mp4.
WP-7775	The HttpConnectionsFromClientPerCustomer counter for some clients, which could cause underflow or data loss in statistics collection, now reports values that closely match the actual number of connections.
WP-7817	Disabling Enable mobile code scanning didn’t trigger GTI DNS queries when GTI reputation was enabled. The scan flag is now set correctly to ensure consistent GTI behavior.
WP-7857	SWG handles DNS queries seamlessly when switching between IPv4 and IPv6. If the query type changes from IPv4 to IPv6, it no longer causes subsequent queries to hang.
WP-7888	Downloads are no longer termed as corrupted, which was caused by a checksum mismatch.

Vulnerabilities Fixed

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE is shown to impact customers.
The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

Reference	CVE	Description
WP-7139/WP-7776	CVE-2025-24813	SWG is not affected because the default servlet is still on default read-only.
	CVE-2025-31650	SWG is affected by the CVE. Worst case would be that UI functionality is not available anymore (REST, GUI). To mitigate this by the usual means - have a dedicated UI SWG which is only exposed to SWG management users. A simple service mwg-ui restart (which restarts Tomcat) is enough to restore UI functionality.
	CVE-2025-31651	In SWG, no Tomcat rewrite rules are used, so SWG is NOT affected.
WP-7728	CVE-2025-21587	SWG doesn't deserialize or run any untrusted code and therefore has no direct exposure to this CVE. Due to limited information on the CVE and no real-life reports of exposure, SWG is not expected to be impacted.
	CVE-2025-30691	SWG doesn't deserialize or run any untrusted code and therefore has no direct exposure to this CVE. Due to limited information on the CVE and no real-life reports of exposure, SWG is not expected to be impacted.
	CVE-2025-30698	SWG doesn't deserialize or run any untrusted code and therefore has no direct exposure to this CVE. Due to limited information on the CVE and no real-life reports of exposure, SWG is not expected to be impacted.

IMPORTANT: For resolved issues on the previous releases and other information, see Secure Web Gateway 12.2.x Release Notes