Secure Web Gateway 12.2.19 Release Notes

Last updated
Save as PDF

The Skyhigh SWG 12.2.x release includes a list of new features and important fixes. For details on the issues resolved in this release, see the Resolved Issues section.

IMPORTANT: Upgrade to SWG 12.2.20 to get the latest fixes, as 12.2.19 is deprecated.

New Features in the 12.2.x Release

Rebranding to Account for Transition

Names of products, components, and other items have been rebranded to account for the transition from McAfee to Secure Web Gateway.

Rebranded SNMP SMI and MIB file with Updated Org OID for Skyhigh Security

As part of the rebranding, a new Object Identifier (OID) has been introduced for Org Skyhigh Security. We are updating the SNMP OID from .1.3.6.1.4.1.1230* to .1.3.6.1.4.1.59732*. You'll need to update your management software accordingly if they are referring to these OID. For more details, see Configure event monitoring with SNMP.

Trellix VX Integration to SWG

The SWG 12.2.0 supports integration with Trellix Virtual Execution (VX). For more details, see Trellix Virtual Execution Integration to SWG.

Detection of OneNote files

New Mediatype detection has been added for OneNote files to detect .one and .onepkg files.

Insecure NETLOGON

Insecure NETLOGON channel is blocked by default. To explicitly allow Insecure NETLOGON, a new checkbox is provided in the Windows Join Domain Dialogue. For more details, see Insecure Netlogon.

TCP Health Check

Prior to this feature, SWG would send live traffic to Next Hop Proxies to determine its health, which resulted in a delayed response in case the Next Hop Proxy is not healthy. With this feature, SWG will have knowledge of the health of the Next Hop Proxies beforehand. For more details, see TCP Health Check for Next Hop Proxy.

Server Chunk Encoding

A new check box option is provided in proxy control event settings, which allows to enforce chunk encoding transfer on server requests from SWG. For more details, see Server Side Chunk Encoding.

Connection Established Response Based on HTTP-Protocol

The Connection Established response message always shows HTTP 1.0 even if the HTTP Protocol header of the request was HTTP 1.1. Now you can configure this under Proxy Control Event, where we can select to send back the Connection Established response text based on the HTTP Protocol version received. For more details, see Configure Connection Established Response based on HTTP Protocol Version.

Support for Pipelined Application/HTTP

A new media type has been added to media type filtering for detection and openers for Pipelined Application/HTTP.

New Properties for Multiline Base64

To support the multiline Base64, new properties are added in SWG.

Support for kdbx and kdb Filetype

A new media type has been added to media type filtering to detect files of the kdbx and kdb types.

Client Certificate Authentication for HTML UI

Client Certificate Authentication is now added for the HTML UI. For more details, see Client Certificate Authentication for HTML UI.

Configurable Size Limit of Single XML Attributes

The configurable size limit of single XML attributes has been increased to reduce errors on startup when having large inline lists.

Known Issues and Workarounds

For a list of issues that are currently known, see SWG 12.x.x Known Issues and Workaround.

Resolved Issues in the 12.2.19 Release

NOTE:

SWG 12.2.19 is provided as a main release. For information about how to upgrade, see Upgrading to a new version – Main Release.
If you have configured SWG in Transparent Router mode, ensure that your configuration follows the mandatory steps outlined in the Configure Proxy Settings for a Director Node in Transparent Router Mode before upgrading to SWG version 12.2.9 or later.

IMPORTANT: Hybrid users must apply and maintain the Workaround for Let's Encrypt Certificate Issue until the related cloud changes are fully deployed and the rollout is complete. Not implementing so may result in traffic disruption in environments that use Paranoid Certificate Verification. You will receive a notification via Skyhigh Connect once the rollout and deployment are complete.

You can sign up here to receive the latest product and support updates from Skyhigh.

The following table provides a list of Resolved Issues:

Reference	Description
WP-2708	The SWG UI now restricts adding an alias identical to the machine IP address.
WP-6917/WP-7809	The hang and leak issues in FastFallback (Dual DNS) triggered by a DNS callback without an IP are now fixed.
WP-7125	The Tomcat version is no longer displayed on error pages.
WP-7794/WP-7954	The SWG UI now supports enabling TLS 1.3 for the Configuration File Server.
WP-7835/WP-8102	Added routing information for adcache optimization in Azure/Entra ID.
WP-7968	NHP now correctly populates the URL.Destination.IP property when serving requests from the cache.
WP-7978	HTTP/2 uploads no longer fail with a 502 error when the 200 OK response body to a POST request exceeds 65 KB.
WP-7985	Tar Opener now supports base-256 encoding for numeric header fields.
WP-8002	Broken packages in the MLOS3 repository with dependencies are fixed.
WP-8156	SWG now supports validating multiple CRLs from certificates in the certificate chain, in addition to OCSP.

Vulnerabilities Fixed in the 12.2.19 Release

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE is shown to impact customers.
The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

Reference	CVE	Description
WP-6328	CVE-2024-3596	SWG is vulnerable, and it is recommended to upgrade the pam radius to pam radius-3.0.0-2.

IMPORTANT: For resolved issues on the previous releases and other information, see Secure Web Gateway 12.2.x Release Notes