Skyhigh Security Cloud Bug Fixes and Known Issues
Fix Version | Found Version | Description | |
---|---|---|---|
SSE 6.2.2 | The Policy Incidents page does not support restoring quarantine files larger than 250 MB for OneDrive and SharePoint. It applies to both manual and bulk remediation actions. | ||
SSE 6.2.2 | SSE 6.2.0 | The Private Application report now displays the host name for the private applications configured with a port range or multiple ports. | |
SSE 6.2.2 | SSE 6.2.0 | The host names of the private applications are now displayed correctly on the Private Application report. | |
SSE 6.2.1 | From 6.2.1 onwards, you can enable the queryIncident API for users with the Incident Management role and the Read Only privilege. | ||
SSE 6.2.1 |
Users of Data Protection for message-based cloud services will see a slight increase in email notifications, which were suppressed before this release. |
||
SSE 6.2.1 |
The migration from wgcs.mcafee-cloud.com to wgcs.skyhigh.cloud is postponed. For SCP, despite reverting the default proxy domain, all SCP configurations before the SSE 6.2.1 release (initial or updated) continue to be fully functional. For the SAML ACS URL, configurations after SSE 6.2.1 display a hint that ACS URL must be set to https://saml/wgcs/mcafee-cloud.com/saml. Configurations created with the initial SSE 6.2.1 release point to https://saml/wgcs/skyhigh.cloud.com/saml. This URL stays functional, there is no need to reconfigure. For Private Access, in SSE 6.2.1 the Default URL is reset to https://api.wgcs.mcafee-cloud.com/ztna/dashboard, but you can continue to use https://api.wgcs.skyhigh.cloud/ztna/dashboard if you already bookmarked it. |
||
SSE 6.2.1 | SSE 6.1.2 | Duplicate application names are not allowed across tenants when you enable the Clientless Access option. | |
SSE 6.2.1 | SSE 6.2.0 | The Connector Group column now displays data on the Events Data page of the Private Access Users and Private Access Usage reports. | |
SSE 5.4.0 | There is a known issue in which the FIPS-enabled Skyhigh Cloud Connector generates SSL errors in the Cloud Connector debug log. As a workaround, you can disable FIPS on Skyhigh Cloud Connector based on your operating system. For details on the workaround, see Disable FIPS on CC. | ||
SSE 6.2.0 |
A Known issue has been identified when a file name with double bytes is uploaded to Dropbox to trigger DLP policies, but DLP Policies fail to detect the incidents, resulting in an error message. In Dropbox, DLP Polices accept only the file names with ASCII characters. |
||
SSE 6.2.0 | SSE 6.2.0 | Displays an error message suggesting the correct format when an incorrect connector deployment command is entered. In addition, extra spaces when entering this command is automatically taken care and executes the PA Connector deployment command. | |
SSE 6.2.0 | SSE 6.2.0 | The hostname or the fully qualified domain name (FQDN) entered in uppercase while configuring a private application is automatically converted to lowercase. | |
SSE 6.2.0 | SSE 6.1.0 | The username used for SAML IDP authentication is no longer case-sensitive when you enable the Clientless Access option. | |
SCP 4.5 |
In Skyhigh Client Proxy 4.5, Skyhigh Security has rebranded the client proxy from MCP to SCP. Before you upgrade to SCP 4.5, update your third-party endpoint protection to add the new service and directory names to the allowlist. This will prevent the endpoint protection from blocking SCP operations. For details, see https://kcm.trellix.com/corporate/index?page=content&id=KB9016. |
||
SSE 6.1.2 |
IMPORTANT: SAML on port 8084 is not supported with Security Service Edge Web Hybrid. |
||
SSE 6.1.2 |
When a report is generated for Security Configuration Audit policy incidents, some incidents display a Scan Run Date later than the Incident Created On date instead of a Scan Run Date prior to the Incident Created On date. |
||
SSE 5.5.5 | The False AD Custom Attribute Notifications alerts are sent when the Shadow and Sanctioned data is imported at a default frequency of 24 hours. As a workaround, configure the Shadow Upload and Sanctioned Upload frequency to 23 hours. So, the Shadow import and Sanctioned import occurs every 23 hours in CC. | ||
SSE 6.1.2 |
Hybrid (WPS2) license users with the admin role cannot add new users and get an error message that states “the user could not be added”. As a workaround, select the following roles while you add new users for WPS2 license on Settings > User Management > Users page.
|
||
SSE 6.1.2 | The Point of Presence (PoP) counter increases and decreases on the Skyhigh Security Status site. The PoP counter increases or decreases because a new PoP is added, an existing PoP is decommissioned, or a new PoP replaces an old PoP for better performance. No action is needed; this behavior is expected. | ||
SSE 4.3.0 | When Inline Email DLP users (Exchange Online, Gmail) send an email, there is a time-out of 55 seconds to receive a response from Skyhigh CASB Gateway SMTP server. If the DLP inspection or policy evaluation is not finished within 55 seconds, Skyhigh CASB Gateway SMTP server uses the fail open process to relay the email back to the CSP without waiting for the policy evaluation to finish. For details, see About Gmail Inline DLP and About Exchange Online Inline Email DLP. | ||
SSE 6.1.2 | When ICAP settings are updated on Secure Web Gateway, connections to the ICAP servers are not interrupted anymore. | ||
SSE 6.1.2 |
An error that occurs when a web policy action is executed on Secure Web Gateway is no longer communicated to the end user without suitable details about what happened. |
||
SSE 6.1.1 | High browser CPU usage, high RAM utilization, and browser crashing may be caused by running complex DLP policies. If this issue persists, contact Support to enable the Pagination feature to resolve the issue. | ||
SWG 8.2.29
|
Issue: 8.2.29 (and later) uses an updated version of Tomcat. |
||
SWG 8.2.22 |
Issue: You can't log in to the SWG GUI by using any externally managed admin account. Logging in using the local admin account still works.
If you enable the setting again and save your changes, it's disabled again after a few minutes. |
||
SWG 8.2 |
Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only. |
||
SWG 8.2.1 |
SWG 8.2 |
Issue: In ProxyHA or Transparent Router mode, when a node previously marked as Director is set as Scanner and the configuration is saved, the resulting node fails to become a Scanner node. The hastats tool shows this node as Redundant Director instead of Scanning node.
Solution: Upgrade to 8.2.1. Issue: Transparent Router Mode plus IP-spoofing Performance drops. In the transparent router mode, if IP spoofing is enabled, a high response time (>250 ms) and connection error is observed.
Issue: In the transparent router mode, when only the HTTP proxy is enabled and IP spoofing is enabled only for HTTP traffic, the HTTP connection fails with a 502 error. Issue: In 8.2, the bandwidth throttling feature in router mode isn't fully supported. Using the feature in the router mode might not throttle the traffic according to the configuration. Existing customers using this feature in the transparent router mode in older releases are advised to not upgrade to the latest version. |
|
SWG 8.2.2 |
SWG 8.2 |
Issue: {{SWG}} 8.2 doesn't support configuring the Transparent proxy in Bridge mode. |
|
SWG 8.0.3.1-8.0.4 |
SWG 8.0.3 |
Issue: You see a kernel panic when you reboot SWG. During the reboot, SWG stops and displays Kernel Offset and Kernel Panic errors. |
|
SWG 8.0.2.1-8.1 |
Issue: Unable to log on to the SWG manager (UI). Issue: You can't paste text when you use the Webswing user interface with the Edge browser. You press Ctrl+V, the paste fails, and you see the following error: SCRIPT5007: Unable to get property 'getData' of undefined or null reference webswing-embed.js (145,464897) Workaround: Use an alternative browser.
Issue: When you update SWG from a version earlier than 7.7.2.14 or with the AV rollback flag (ud-rollbackGAM2015) enabled, SWG 8.0 can't load the old GAM2015 libraries. Instead, it downloads the new engine in the background. This process can take several minutes, depending on your download speed. Users see the error below: Cannot Load Anti-Malware Engine The Anti-Malware engine could not be loaded and your administrator doesn't allow to deliver content without being checked for viruses. Solution: Don't redirect traffic to SWG before the AV engine has finished all updates. You can view the update status in the SWG dashboard. Non-critical Known Issues Issue: In the HAProxy mode, when using the Virtual IP address, the settings for connection timeouts configured in event enable proxy control are ignored. Issue: You intermittently see an antimalware engine update error: Issue: Spanport Automation stops receiving information from the ICAP server. You can't view log entries in access.log on the spanport proxy. |
||
SWG 9.2.25 |
Issue: 9.2.25 uses an updated version of Tomcat. Issue: After you reboot, the kdump service fails to start.
|
||
SWG 9.2.21 |
Issue: Your Browser response page shows corrupted text. No errors are seen in the SWG logs. Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs. |
||
SWG 9.2.21 |
SWG 9.2.15 |
Issue: Memory-leak leads to one or more of the following issues:
Solution: This issue is fixed in 9.2.21. |
|
SWG 9.2.14 |
SWG 9.2.13 |
Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works. |
|
SWG 9.0.x-SWG 9.1.0 |
SWG 9.11 SWG 9.2 |
Issue: The HSM Agent doesn't work. Any installed HSM card fails. |
|
SWG 9.2.x |
Non-Critical Known Issues Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only. |
||
SWG 9.2.9 | SWG 9.2.8 |
Issue: The SWG Update fails if using an offline update or update proxy. |
|
SWG 9.2.5 | SWG 9.0 |
Issue: In HAProxy mode, when using the Virtual IP (VIP) address, the settings for connection timeouts configured in event enable proxy control are ignored. Issue: You intermittently see an anti malware engine update error: |
|
SWG 9.2.4 | SWG 9.2 |
Issue: In Automatic airgap settings, Active mode isn't currently supported. Because of this issue, GTI requests aren't evaluated locally when you select the active mode. Issue: With some of the XMPP clients (ex: Spark), intermittent delay has been observed while establishing an initial connection with the server. |
|
SWG 9.1.2 SWG 9.2 |
SWG 9.1.0 SWG 9.1.0 |
Issue: The PDF opener fails to access restricted PDF files, encrypted using AES. Issue: SWG 9.1 doesn't support configuring a Transparent proxy in Bridge mode. |
|
SWG 9.1.0 |
Issue: The keepalived service doesn't start after restoring a backup file with network interfaces configured.
Issue: The SpanPort - mfetsc service doesn't start after reboot. systemctl start mfetsc Issue: MDS-based exploits and vulnerabilities are seen on Intel® CPUs. |
||
|
SWG 11.2.5
SWG 11.2.3 |
Issue: After you update a central management cluster from 10.2.x to 11.2.x (specifically 11.2.4 or earlier), you see one of the following issues:
Workaround: Run the following commands on each cluster node via CLI: service mwg-core stop After the service restart, a new list is created automatically.
Issue: 11.2.3 uses an updated version of Tomcat. Issue: After you reboot, the kdump service fails to start.
|
|
SWG 11.1.4 | SWG 11.1 |
Issue: Your Browser response page shows corrupted text. No errors are seen in the SWG logs. Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs. Issue: Memory-leak leads to one or more of the following issues:
Resolution: This issue is fixed in version 11.1.4 |
|
SWG 10.2.15 | SWG 10.2.14 |
Issue: 10.2.14 uses an updated version of Tomcat. |
|
SWG 10.2.2 | SWG 10.2.1 |
Reference number- WP-4043 Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works. |
|
SWG 10.2.4 |
SWG 10.2 |
Reference number- TSWS-6000 Issue: After you update SWG 10.2–10.2.3 or earlier, DATs} and Gateway DATs fail to update. SWG 10.2.3 and earlier don't support the GAM Engine 2021.1.
Reference number- WP-3868 Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only. Reference number- WP-3541 Issue: Adding new HSM keys in the SWG UI fails if the HSM server is already started and running. |
|
SWG 10.2 10.0.1-10.1 |
SWG 10.0.1-10.1
|
Reference number- WP-2823 Issue: In the HAProxy mode, when using the Virtual IP address, the settings for connection timeouts configured in event enable proxy control are ignored. The HAProxy only relates to general timeout settings.
|
|
SWG 10.1 | SWG 10.0.1-10.0.2 |
Reference number- WP-3305 Issue: You intermittently see an anti malware engine update error: |
|
SWG 10.2.10 | Random f.txt files no longer download incorrectly on Chrome and Edge browsers. | ||
SSE 6.0.2 | When using a particular type of browser for data downloads, progress pages work again after the use of methods by a relevant script was modified to exclude some recently introduced methods, which the browser does not support. | ||
SSE 6.0.2 | In a list of IP address ranges that is exported to the CSV format, the individual IP addresses show up again, which they had failed to do before when only a generic term for objects to export had been shown. | ||
SSE 6.0.2 | A failure of the core process on several instances of SWG, which had been caused by a corrupted entry in a map with codes for loading errors, does not occur anymore after a conflict between multiple threads referring to the same CString function for performing a comparison to find the map has been resolved. | ||
SSE 6.0.2 | The Server Message Block protocol doesn't work with Private Access. | ||
SSE 6.0.0 | An issue with inappropriate values that were returned for ongoing processes has been resolved by implementing a fix that made the Client.ProcessExePath property work as expected again. This property is for use in a Hybrid solution where Client Proxy is also running. Its value is the path to an .exe file that enables a process, for example, ...\program files (x86)\google\chrome\application\chrome.exe. You can include this information in end-user notification pages, also known as block pages. | ||
SSE 6.0.2 | When an inline DLP policy is created for Exchange Online, and the policy is violated, an email notification is sent to internal or external users' email addresses via To/From/CC/Bcc fields with the remediation action to delete the message from the user's mailbox. The incident generated doesn't show the information of the Bcc recipients. | ||
SSE 6.0.2 | A known issue has been identified when an email contains multiple events, such as BCC recipients or internal and external recipients, the event that is processed first deletes the original violating email from the user's mailbox. The incident created for this event includes the BCC recipients’ information along with the email message and associated metadata before being deleted. Due to the recent deletion of the email, the subsequent events can’t find this email. As a result, the subsequent incidents cannot populate the BCC recipients’ details. | ||
SSE 6.1.0 | Private Access SSH connections do not work with the Tera Term client. | ||
SSE 6.1.0 | Remote Browser Isolation is not supported with clientless Private Access deployment. | ||
SSE 6.1.0 | In Private Access, publish updates fail when there is a hostname conflict and Browser Access is enabled. An incorrect error message is displayed. |