Skyhigh Security Cloud Bug Fixes and Known Issues

Last updated
Save as PDF

Fix Version	Found Version	Description
	SSE 6.2.2	The Policy Incidents page does not support restoring quarantine files larger than 250 MB for OneDrive and SharePoint. It applies to both manual and bulk remediation actions.
SSE 6.2.2	SSE 6.2.0	The Private Application report now displays the host name for the private applications configured with a port range or multiple ports.
SSE 6.2.2	SSE 6.2.0	The host names of the private applications are now displayed correctly on the Private Application report.
SSE 6.2.1		From 6.2.1 onwards, you can enable the queryIncident API for users with the Incident Management role and the Read Only privilege.
	SSE 6.2.1	Users of Data Protection for message-based cloud services will see a slight increase in email notifications, which were suppressed before this release.
	SSE 6.2.1	The migration from wgcs.mcafee-cloud.com to wgcs.skyhigh.cloud is postponed. For SCP, despite reverting the default proxy domain, all SCP configurations before the SSE 6.2.1 release (initial or updated) continue to be fully functional. The Default SCP Gateway List continues to point to the cloud proxy c<customerID>.wgcs.mcafee-cloud.com. If you made manual changes to the proxy domain name or created a new Gateway List for SSE 6.2.1, you can safely continue to use proxies in wgcs.skyhigh.cloud. For the SAML ACS URL, configurations after SSE 6.2.1 display a hint that ACS URL must be set to https://saml/wgcs/mcafee-cloud.com/saml. Configurations created with the initial SSE 6.2.1 release point to https://saml/wgcs/skyhigh.cloud.com/saml. This URL stays functional, there is no need to reconfigure. For Private Access, in SSE 6.2.1 the Default URL is reset to https://api.wgcs.mcafee-cloud.com/ztna/dashboard, but you can continue to use https://api.wgcs.skyhigh.cloud/ztna/dashboard if you already bookmarked it.
SSE 6.2.1	SSE 6.1.2	Duplicate application names are not allowed across tenants when you enable the Clientless Access option.
SSE 6.2.1	SSE 6.2.0	The Connector Group column now displays data on the Events Data page of the Private Access Users and Private Access Usage reports.
	SSE 5.4.0	There is a known issue in which the FIPS-enabled Skyhigh Cloud Connector generates SSL errors in the Cloud Connector debug log. As a workaround, you can disable FIPS on Skyhigh Cloud Connector based on your operating system. For details on the workaround, see Disable FIPS on CC.
	SSE 6.2.0	A Known issue has been identified when a file name with double bytes is uploaded to Dropbox to trigger DLP policies, but DLP Policies fail to detect the incidents, resulting in an error message. In Dropbox, DLP Polices accept only the file names with ASCII characters.
SSE 6.2.0	SSE 6.2.0	Displays an error message suggesting the correct format when an incorrect connector deployment command is entered. In addition, extra spaces when entering this command is automatically taken care and executes the PA Connector deployment command.
SSE 6.2.0	SSE 6.2.0	The hostname or the fully qualified domain name (FQDN) entered in uppercase while configuring a private application is automatically converted to lowercase.
SSE 6.2.0	SSE 6.1.0	The username used for SAML IDP authentication is no longer case-sensitive when you enable the Clientless Access option.
	SCP 4.5	In Skyhigh Client Proxy 4.5, Skyhigh Security has rebranded the client proxy from MCP to SCP. Before you upgrade to SCP 4.5, update your third-party endpoint protection to add the new service and directory names to the allowlist. This will prevent the endpoint protection from blocking SCP operations. For details, see https://kcm.trellix.com/corporate/index?page=content&id=KB9016.
	SSE 6.1.2	IMPORTANT: SAML on port 8084 is not supported with Security Service Edge Web Hybrid.
	SSE 6.1.2	When a report is generated for Security Configuration Audit policy incidents, some incidents display a Scan Run Date later than the Incident Created On date instead of a Scan Run Date prior to the Incident Created On date.
	SSE 5.5.5	The False AD Custom Attribute Notifications alerts are sent when the Shadow and Sanctioned data is imported at a default frequency of 24 hours. As a workaround, configure the Shadow Upload and Sanctioned Upload frequency to 23 hours. So, the Shadow import and Sanctioned import occurs every 23 hours in CC.
SSE 6.1.2		Hybrid (WPS2) license users with the admin role cannot add new users and get an error message that states “the user could not be added”. As a workaround, select the following roles while you add new users for WPS2 license on Settings > User Management > Users page. Administrator Under Policy Management, select Private Access Policy Usage Analytics Users
SSE 6.1.2		The Point of Presence (PoP) counter increases and decreases on the Skyhigh Security Status site. The PoP counter increases or decreases because a new PoP is added, an existing PoP is decommissioned, or a new PoP replaces an old PoP for better performance. No action is needed; this behavior is expected.
SSE 4.3.0		When Inline Email DLP users (Exchange Online, Gmail) send an email, there is a time-out of 55 seconds to receive a response from Skyhigh CASB Gateway SMTP server. If the DLP inspection or policy evaluation is not finished within 55 seconds, Skyhigh CASB Gateway SMTP server uses the fail open process to relay the email back to the CSP without waiting for the policy evaluation to finish. For details, see About Gmail Inline DLP and About Exchange Online Inline Email DLP.
SSE 6.1.2		When ICAP settings are updated on Secure Web Gateway, connections to the ICAP servers are not interrupted anymore.
SSE 6.1.2		An error that occurs when a web policy action is executed on Secure Web Gateway is no longer communicated to the end user without suitable details about what happened.
	SSE 6.1.1	High browser CPU usage, high RAM utilization, and browser crashing may be caused by running complex DLP policies. If this issue persists, contact Support to enable the Pagination feature to resolve the issue.
	SWG 8.2.29	Issue: 8.2.29 (and later) uses an updated version of Tomcat. This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication." This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page). Detailed information about client certificate authentication can be found on the {{SWG}} documentation page. NOTE: Most current browsers don't support Java Applets. The most notable browser still supporting them is the old Internet Explorer 11, but this is now End of Life. You see the following entries, present in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log: [ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint
	SWG 8.2.22	Issue: You can't log in to the SWG GUI by using any externally managed admin account. Logging in using the local admin account still works. The following setting is disabled: Accounts > Administrator accounts are managed externally. If you enable the setting again and save your changes, it's disabled again after a few minutes. Workaround: Use the local admin account.
	SWG 8.2	Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only. But Avira doesn't detect specific or modified eicar files inside the archive. Workaround: Open the SWG Policy under Common Rules, and enable the Enable Opener Rule set.
SWG 8.2.1	SWG 8.2	Issue: In ProxyHA or Transparent Router mode, when a node previously marked as Director is set as Scanner and the configuration is saved, the resulting node fails to become a Scanner node. The hastats tool shows this node as Redundant Director instead of Scanning node. Workaround: When a node previously marked as Director is to be changed as Scanner: Set the director priority to 0 and set it as the scanner node. Save the changes. Log on to the SWG back-end of the corresponding node and execute the command service haproxy stop. Configure the IP in the HTTP and FTP proxy listeners as 0.0.0.0:<port>. For example, change 192.168.20.10:9090 to 0.0.0.0::9090. Save all changes. Solution: Upgrade to 8.2.1. Issue: Transparent Router Mode plus IP-spoofing Performance drops. In the transparent router mode, if IP spoofing is enabled, a high response time (>250 ms) and connection error is observed. Workaround: Perform the following steps every time any proxy-related configuration is updated from the GUI-based manager. Locate and open in a text editor of your choice the file /etc/haproxy/haproxy.cfg. Search for the string frontend fwd_proxy. Under that block, after the line bind <ip>:<port> accept-proxy transparent, enter the new line maxconn 50000. For example: bind 192.168.20.150:80 accept-proxy transparent maxconn 50000 Repeat this process for each instance of the string frontend fwd_proxy, adding the new line under the accept-proxy transparent entry. Save and close the file. Restart the service. Type service haproxy restart and press Enter. Issue: In the transparent router mode, when only the HTTP proxy is enabled and IP spoofing is enabled only for HTTP traffic, the HTTP connection fails with a 502 error. Workaround: Enable the FTP proxy. Enable the FTP port redirects and FTP listener configuration at the same time. Issue: In 8.2, the bandwidth throttling feature in router mode isn't fully supported. Using the feature in the router mode might not throttle the traffic according to the configuration. Existing customers using this feature in the transparent router mode in older releases are advised to not upgrade to the latest version.
SWG 8.2.2	SWG 8.2	Issue: {{SWG}} 8.2 doesn't support configuring the Transparent proxy in Bridge mode. Existing customers using the transparent bridge mode in older releases are advised to not upgrade to the latest version. Solution: This feature is supported in SWG 8.2.2 and later.
SWG 8.0.3.1-8.0.4	SWG 8.0.3	Issue: You see a kernel panic when you reboot SWG. During the reboot, SWG stops and displays Kernel Offset and Kernel Panic errors. Workaround: Reboot SWG again.
	SWG 8.0.2.1-8.1	Issue: Unable to log on to the SWG manager (UI). Solution: See the related article. Issue: You can't paste text when you use the Webswing user interface with the Edge browser. You press Ctrl+V, the paste fails, and you see the following error: SCRIPT5007: Unable to get property 'getData' of undefined or null reference webswing-embed.js (145,464897) Workaround: Use an alternative browser. Issue: When you update SWG from a version earlier than 7.7.2.14 or with the AV rollback flag (ud-rollbackGAM2015) enabled, SWG 8.0 can't load the old GAM2015 libraries. Instead, it downloads the new engine in the background. This process can take several minutes, depending on your download speed. Users see the error below: Cannot Load Anti-Malware Engine The Anti-Malware engine could not be loaded and your administrator doesn't allow to deliver content without being checked for viruses. Please call your administrator with the error message below. Solution: Don't redirect traffic to SWG before the AV engine has finished all updates. You can view the update status in the SWG dashboard. Non-critical Known Issues Issue: In the HAProxy mode, when using the Virtual IP address, the settings for connection timeouts configured in event enable proxy control are ignored. The HAProxy only relates to general timeout settings. Workaround: Increase the general timeout settings in SWG or increase the timeout on the remote site. Issue: You intermittently see an antimalware engine update error: [AV] [UpdateFailed2] Error updating the Antivirus engine. Reason: 'Error starting engine 'Skyhigh Gateway Anti-Malware', error code: 5'." You also see that service restarts take upwards of 40 minutes rather than the expected 5 minutes. Issue: Spanport Automation stops receiving information from the ICAP server. You can't view log entries in access.log on the spanport proxy.
	SWG 9.2.25	Issue: 9.2.25 uses an updated version of Tomcat. This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication." This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page). Detailed information about client certificate authentication can be found on the {{SWG}} documentation page. NOTE: Most current browsers don't support Java Applets. The most notable browser still supporting them is the old Internet Explorer 11, but this is now End of Life. You see the following entries present in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log: [ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint Issue: After you reboot, the kdump service fails to start. The current kdump service included in SWG isn't compatible with the latest kernel upgrade provided as part of the Sept 20, 2022 releases. The kdump service handles kernel failures that occur and recovery from these issues. When this service is non-functional, kernel failures cause the appliance to become unresponsive, and a manual power cycle is needed to get the appliance back to a working state. Workarounds: You can avoid the issue on installation and prevent the kernel package from being upgraded. NOTE: This workaround is only applicable to the CMD method of upgrade. Instead of running yum upgrade yum && yum upgrade, run *yum upgrade yum && yum upgrade --exclude=kernel -** If you've already upgraded, edit the config files and allow the appliance to recover from the kernel failure and automatically reboot after 5 s: Edit the sysctl.conf file from the SWG-UI. Add the line kernel.panic=5 outside the autogenerated block. Save your changes.
SWG 9.2.21		Issue: Your Browser response page shows corrupted text. No errors are seen in the SWG logs. Solution: This issue is fixed in 9.2.21. Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs. Solution: This issue is fixed in 9.2.21.
SWG 9.2.21	SWG 9.2.15	Issue: Memory-leak leads to one or more of the following issues: Appliance not reachable SWG stops handling network traffic No access to SWG UI Solution: This issue is fixed in 9.2.21.
SWG 9.2.14	SWG 9.2.13	Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works. The following setting is disabled: Accounts > Administrator accounts are managed externally If you enable the setting and save changes, it's disabled again after a few minutes. Workaround: Use the local admin account. Solution: This issue is fixed in 9.2.14.
SWG 9.0.x-SWG 9.1.0	SWG 9.11 SWG 9.2	Issue: The HSM Agent doesn't work. Any installed HSM card fails. Solution: This issue is fixed in 9.1.1 and 9.2.
	SWG 9.2.x	Non-Critical Known Issues Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only. But, Avira doesn't detect specific or modified Eicar files inside the archive. Workaround: Open SWG Policy under Common Rules, and enable the Enable Opener Rule set.
SWG 9.2.9	SWG 9.2.8	Issue: The SWG Update fails if using an offline update or update proxy. Workaround: See the related article. Solution: This issue is resolved in 9.2.9.
SWG 9.2.5	SWG 9.0	Issue: In HAProxy mode, when using the Virtual IP (VIP) address, the settings for connection timeouts configured in event enable proxy control are ignored. The HAProxy only relates to general timeout settings. Workaround: Increase the general timeout settings in SWG or increase the timeout on the remote site. Issue: You intermittently see an anti malware engine update error: [AV] [UpdateFailed2] Error updating the Antivirus engine. Reason: 'Error starting engine 'Skyhigh Gateway Anti-Malware', error code: 5'." You also see that service restarts take upward of 40 minutes rather than the expected 5 minutes.
SWG 9.2.4	SWG 9.2	Issue: In Automatic airgap settings, Active mode isn't currently supported. Because of this issue, GTI requests aren't evaluated locally when you select the active mode. Workaround: Use the Monitor Only option to track GTI-related connection issues. This option detects connectivity issues to the GTI server and notifies you. Solution: Resolved in 9.2.4 Issue: With some of the XMPP clients (ex: Spark), intermittent delay has been observed while establishing an initial connection with the server. Workaround: Increase the client connection timeout.
SWG 9.1.2 SWG 9.2	SWG 9.1.0 SWG 9.1.0	Issue: The PDF opener fails to access restricted PDF files, encrypted using AES. Issue: SWG 9.1 doesn't support configuring a Transparent proxy in Bridge mode. Existing customers using the transparent bridge mode in older releases are advised to not upgrade to the latest version. Solution: This issue is fixed in 9.2.
	SWG 9.1.0	Issue: The keepalived service doesn't start after restoring a backup file with network interfaces configured. Workaround: Start the keepalived service manually with the below command: systemctl start keepalived Issue: The SpanPort - mfetsc service doesn't start after reboot. Workaround: Start the mfetsc service manually with the below command: systemctl start mfetsc Issue: MDS-based exploits and vulnerabilities are seen on Intel® CPUs. Solution: With SWG 9.1, the administrator can start an appliance with an option to disable the use of hyper-threading, which mitigates some vulnerabilities. This action can be done for appliances that use hyper-threading, such as 4500-C, 5500-C, and -D. You can't enable it on the WBG-5000-C models where the relevant microcode isn't available yet.
SWG 11.2.4	SWG 11.2.5 SWG 11.2.3	Issue: After you update a central management cluster from 10.2.x to 11.2.x (specifically 11.2.4 or earlier), you see one of the following issues: No access to UI. You might see the following error: Error while receiving data. Received 'HTTP:200' System list updates fail with the following error: System Lists update failed, with ID 333 Workaround: Run the following commands on each cluster node via CLI: service mwg-core stop rm /opt/mwg/plugin/data/DLP/0/lists -rf service mwg-core start After the service restart, a new list is created automatically. NOTE: This workaround includes a service restart; all connections will be disconnected and no connections will be accepted until the service is started again. Solution: This issue is fixed in version 11.2.5; release date is November 15, 2022. Issue: 11.2.3 uses an updated version of Tomcat. This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication." This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page). Detailed information about client certificate authentication can be found on the {{SWG}} documentation page. NOTE: Most current browsers don't support Java Applets. The most notable browser still supporting them is the old Internet Explorer 11, but this is now EOL. You see the following entries, present in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log: [ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint Issue: After you reboot, the kdump service fails to start. The current kdump service included in SWG isn't compatible with the latest kernel upgrade provided as part of the September 20, 2022 releases. The kdump service handles kernel failures that occur and recovery from these issues. When this service is non-functional, kernel failures cause the appliance to become unresponsive, and a manual power cycle is needed to get the appliance back to a working state. Workarounds: You can avoid this issue on installation and prevent the kernel package from being upgraded. NOTE: This workaround is only applicable to the CMD method of upgrade. Instead of running yum upgrade yum && yum upgrade, run yum upgrade yum && yum upgrade --exclude=kernel* If already upgraded>edit the config files> allow the appliance to recover from the kernel failure> and automatically reboot after 5 secs: Edit the sysctl.conf file from the SWG-UI. Add the line kernel.panic=5 outside the auto generated block. Save your changes.
SWG 11.1.4	SWG 11.1	Issue: Your Browser response page shows corrupted text. No errors are seen in the SWG logs. Solution: This issue is fixed in version 11.1.4. Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs. Solution: This issue is fixed in version 11.1.4. Issue: Memory-leak leads to one or more of the following issues: Appliance not reachable SWG stops handling network traffic No access to SWG UI Resolution: This issue is fixed in version 11.1.4
SWG 10.2.15	SWG 10.2.14	Issue: 10.2.14 uses an updated version of Tomcat. This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication." This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page). Detailed information about client certificate authentication can be found on the {{SWG}} documentation page. NOTE: Most current browsers don't support Java Applets. The most notable browser still supporting them is the old Internet Explorer 11, but this is now End of Life. You see the following entries, present in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log: [ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint
SWG 10.2.2	SWG 10.2.1	Reference number- WP-4043 Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works. The following setting is disabled: Accounts > Administrator accounts are managed externally If you enable the setting and save changes, it's disabled again after a few minutes. Workaround: Use the local admin account.
SWG 10.2.4	SWG 10.2	Reference number- TSWS-6000 Issue: After you update SWG 10.2–10.2.3 or earlier, DATs} and Gateway DATs fail to update. SWG 10.2.3 and earlier don't support the GAM Engine 2021.1. Resolution: Update to 10.2.4 or later. Workaround: If you continue to use 10.2.3 or earlier, you need to remove all updates. Also, it runs with GAM Engine 2019 after you follow this workaround: Log on to the SWG appliance using SSH or the console. Stop the main mwg process: Type service mwg stop and press Enter. Delete the patterns saved: Type cd /opt/mwg/plugin/data/antivirus and press Enter. Type rm -rf * and press Enter. Delete temp data or the broken pattern that's saved: Type cd /opt/mwg/temp and press Enter. Type rm -rf * and press Enter. Start the mwg process again: Type service mwg start and press Enter. Manually update the engine through the Manager: Click Configuration, Appliances, Update Engine, Trigger Update. Reference number- WP-3868 Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only. But, Avira doesn't detect specific or modified Eicar files inside the archive. Workaround: Open SWG Policy under Common Rules, and enable the Enable Opener Rule set. Reference number- WP-3541 Issue: Adding new HSM keys in the SWG UI fails if the HSM server is already started and running. Workaround: Restart the HSM Server from the SWG UI after you add new keys.
SWG 10.2 10.0.1-10.1	SWG 10.0.1-10.1	Reference number- WP-2823 Issue: In the HAProxy mode, when using the Virtual IP address, the settings for connection timeouts configured in event enable proxy control are ignored. The HAProxy only relates to general timeout settings. Workaround: Increase the general timeout settings in SWG or increase the timeout on the remote site
SWG 10.1	SWG 10.0.1-10.0.2	Reference number- WP-3305 Issue: You intermittently see an anti malware engine update error: [AV] [UpdateFailed2] Error updating the Antivirus engine. Reason: 'Error starting engine 'McAfee Gateway Anti-Malware', error code: 5'." You also see that service restarts take about 40 minutes rather than the expected 5 minutes.
SWG 10.2.10		Random f.txt files no longer download incorrectly on Chrome and Edge browsers.
SSE 6.0.2		When using a particular type of browser for data downloads, progress pages work again after the use of methods by a relevant script was modified to exclude some recently introduced methods, which the browser does not support.
SSE 6.0.2		In a list of IP address ranges that is exported to the CSV format, the individual IP addresses show up again, which they had failed to do before when only a generic term for objects to export had been shown.
SSE 6.0.2		A failure of the core process on several instances of SWG, which had been caused by a corrupted entry in a map with codes for loading errors, does not occur anymore after a conflict between multiple threads referring to the same CString function for performing a comparison to find the map has been resolved.
SSE 6.0.2		The Server Message Block protocol doesn't work with Private Access.
SSE 6.0.0		An issue with inappropriate values that were returned for ongoing processes has been resolved by implementing a fix that made the Client.ProcessExePath property work as expected again. This property is for use in a Hybrid solution where Client Proxy is also running. Its value is the path to an .exe file that enables a process, for example, ...\program files (x86)\google\chrome\application\chrome.exe. You can include this information in end-user notification pages, also known as block pages.
	SSE 6.0.2	When an inline DLP policy is created for Exchange Online, and the policy is violated, an email notification is sent to internal or external users' email addresses via To/From/CC/Bcc fields with the remediation action to delete the message from the user's mailbox. The incident generated doesn't show the information of the Bcc recipients.
	SSE 6.0.2	A known issue has been identified when an email contains multiple events, such as BCC recipients or internal and external recipients, the event that is processed first deletes the original violating email from the user's mailbox. The incident created for this event includes the BCC recipients’ information along with the email message and associated metadata before being deleted. Due to the recent deletion of the email, the subsequent events can’t find this email. As a result, the subsequent incidents cannot populate the BCC recipients’ details.
	SSE 6.1.0	Private Access SSH connections do not work with the Tera Term client.
	SSE 6.1.0	Remote Browser Isolation is not supported with clientless Private Access deployment.
	SSE 6.1.0	In Private Access, publish updates fail when there is a hostname conflict and Browser Access is enabled. An incorrect error message is displayed.