Skyhigh Security Cloud Bug Fixes and Known Issues
Product Name | Fix Version | Found Version | Description |
---|---|---|---|
Skyhigh CASB | SSE 6.4.0 | The keyword search in the Omnibar shows results only for the Service Name and does not work as expected for URL and CVE searches. | |
Skyhigh CASB | SSE 6.4.0 | Scheduled On-Demand Scan (ODS) for Microsoft Teams is unable to process messages for DLP when users are added to or removed from the Teams service. This impacts only the Teams channels where users are being added or removed; other channels are not affected. If no users are added or removed during the scheduled scan, ODS scans all the messages. This known issue will be fixed in the SSE 6.4.1 release. | |
Skyhigh CASB | SSE 6.4.0 | For Slack Non-Enterprise (Pro or Business+) instances, when users send sensitive messages in Public/Private/Shared channels or Direct Messages (DMs), only the messages that contain plain text are evaluated for DLP. Skyhigh CASB for Slack Non-Enterprise does not evaluate messages that contain text with special characters or formatting elements such as '@' mentions, italicized text, links, bullet points, or numbered lists for DLP. For details, see Slack Non-Enterprise Known Behaviors. | |
Skyhigh CASB | SSE 6.4.0 | For Slack Non-Enterprise (Pro or Business+) instances, when users send a message that contains text and a file attachment in Public/Private/Shared channels or Direct Messages (DMs), only the file is evaluated for DLP. Skyhigh CASB does not evaluate the text in the message for DLP. Suppose you have configured a DLP policy with the Delete response action to identify and remove sensitive messages containing text and uploaded files in Slack. Skyhigh CASB deletes only the sensitive file that violates the DLP policy, but not the sensitive text in the message. For details, see Slack Non-Enterprise Known Behaviors. | |
Skyhigh Cloud Connector |
FIPS was getting enabled by default even though it was disabled post CC upgrade. This issue was found in CC versions older than 6.4.0 and is now fixed with the following updates:
|
||
Skyhigh Cloud Connector | SSE 6.4.0 | When you log in to Skyhigh CASB, you may see the SMTP server port value displayed as 25 instead of the port value configured in the Custom SMTP Server. This issue affects users who log in to Skyhigh CASB for the first time and is due to the SMTP server being cached with the default value of 25. As a workaround, refresh the page to get the configured port value. | |
Skyhigh Cloud Connector | SSE 6.3.1 | The Filter on the Cloud Registry page is not working as expected. The Cloud Registry page displays the incorrect number of events after applying filters. | |
Skyhigh CNAPP | SSE 6.3.0 | Certain resources are excluded from the AWS Security Config audit full scan, so the incidents for these resources are not updated with the recent scan history. As a workaround, make sure to provide minimum permission for your IAM account based on your policy. With this permission, Skyhigh CASB scans all your resources and updates the scan history accordingly. | |
Skyhigh CNAPP | SSE 6.3.0 | When users remediate the Configuration Audit incident generated for the Azure policy "NSG Flow logs should be enabled", the remediation status does not change on the policy incident. Skyhigh CASB does not support Continuous Evaluation for this Azure policy due to an Azure API limitation. | |
Cloud Firewall | SSE 6.3.0 | No value is displayed for the Gateway Egress Source Port field in the Cloud Firewall Detailed Logs page and Event data on the Cloud Firewall Traffic and Cloud Firewall Users page. | |
Cloud Firewall | SSE 6.3.0 | No value is displayed for the Firewall Policy Name field when the traffic does not match any policy rule and all traffic is allowed by default. | |
Cloud Firewall | SSE 6.3.0 | Skyhigh Client Proxy auto policy download fails to work as expected when HTTP traffic is sent to the Cloud Firewall and the action is set to Allow with web policy. Workaround: Add the skyhigh.cloud domain to the redirection list of the alternate gateway and configure the cloud proxy as the alternate gateway. | |
Cloud Firewall | SSE 6.3.0 | There is no difference in the behavior in Firewall Block and Firewall Drop actions. | |
Cloud Firewall | SSE 6.3.0 | Packet Loss is seen during the upload and download process for TCP and UDP protocols. | |
Skyhigh Cloud Connector | SSE 6.3.0 | When the Custom attributes are reconfigured with AD and enabled, the Shadow attributes do not contain all key values pulled from AD, because users might have left blank spaces in attribute keys or entered duplicate values in attribute keys. As a workaround, CC does not consider blank values as duplicates in the Shadow Unique Key Attributes. Blank spaces are not considered for Unique Key Validation. | |
Skyhigh Cloud Connector | SSE 6.3.2 | SSE 5.5.0 | Cloud Connector stops due to "Too many open files connection" on Linux or Unix OS. As a workaround, the system automatically restarts the CC service (shnlps) on Linux or Unix only if the number of currently open file connections is greater than or equal to 95% of the ulimit. The fix is based on the number of open file connections, so the lsof utility must be installed on the Linux or Unix OS. |
Skyhigh Cloud Connector | SSE 6.3.2 | SSE 6.3.0, SSE 6.3.1 | If the lsof (List Open Files) command is not installed on the Linux host where CC is installed, CC throws lsof command errors and fails to send a health notification report to users. |
Skyhigh Cloud Connector | SSE 6.2.1 | When Cloud Connector fails to upload large amounts of Sanctions AD Users data (more than 1 lakh users) to Log Collector, CC creates chunk files each containing 20k users and uploads them to Log Collector. The Chunk Upload feature is enabled by default in CC. | |
Skyhigh CASB | SSE 6.3.2 | When the custom anomaly rule is created using the Source IP address, the backend process fails. It is recommended not to use any source IP address in the Custom Anomaly rules until this issue is resolved. | |
Skyhigh CNAPP | SSE 6.3.2 | SSE 6.1.0 | NRT DLP and Malware scan is now supported on the AWS region: eu-south-1 (Milan – Italy). |
SSE 6.3.1 | SSE 6.1.2 | Domain-fronting detection no longer falsely logs requests with URLs for HTTPS websites as hits, which it had done because of an identical port number trailing the host name in different URLs. | |
SSE 6.3.1 | When a report on web traffic is generated in the analytics section of the user interface for Secure Web Gateway, generating the same report immediately afterwards always delivers the same output now, as expected, whereas different reports had been the result on some occasions before. | ||
SSE 6.3.1 | Entering unavailable arguments while taking a TCP dump causes the terminal to crash. | ||
SSE 6.3.0 | Issue: ePO Reports Failures when Pushing DLP Policy/Classifications to Skyhigh. Recent fixes and enhancements in Skyhigh Cloud have enhanced the verification process applied when a new policy/classification file is received from ePO. In some circumstances, this process can cause the push from ePO to fail. The failure is generally caused by classifications being in use in Skyhigh CASB or Web DLP Policy and not present in the content being pushed from ePO, or by EDM training data referenced by ePO classifications not being present in the Skyhigh CASB enhanced EDM fingerprint list. Resolution: Verify that all classifications present in cloud policies are present in ePO. Classifications are identified by an internal ID and not by name, so identifying the policies that require amending or disabling can be difficult. The ePO Orion.log file will show some information regarding the failure, which for these cases will show “409 Conflict”. Skyhigh Support are able to access internal logs to determine the precise cause of failures. | ||
Cloud Firewall | SSE 6.3.0 | Tunnel establishment fails when the SOCKS proxy is unreachable. This may occur when the Skyhigh Web Gateway service is down. Workaround: Restart the Skyhigh Web Gateway service. | |
Cloud Firewall | SCP 4.7.0 | SSE 6.3.0 | Gradual performance degradation is noticed on client machines with applications like Microsoft Teams when clients send large amounts of traffic to Cloud Firewall. This is due to an issue with Skyhigh Client Proxy 4.6 not being able to handle IP packet fragmentation and reassembly efficiently. This issue is resolved with the Client Proxy 4.7.0 release. |
SSE 6.3.0 | SSE 6.2.1 | High CPU usage on the Tokyo PoP node has been mitigated, which has led to an improvement in performance and reduced the risk of impacting crucial processes. | |
SSE 6.3.0 | SSE 6.2.1 | When an ICAP error occurs while a user is working on configuring a web policy under Secure Web Gateway, for example, failure to connect to the ICAP server, it is displayed as ICAP-related in the error message whereas only a policy execution error was indicated before. | |
Cloud Firewall | SSE 6.2.2 | Fails to apply the .OPG file when you configure the device profile with the Registry key as HKEY_CURRENT_USER hive. (Windows server edition/version) | |
Skyhigh Private Access | SSE 6.3.0 | SSE 6.2.0 | The count of the private applications is now displayed correctly on the Connector Groups report. |
Skyhigh CASB | SSE 6.2.2 | The Policy Incidents page does not support restoring quarantine files larger than 250 MB for OneDrive and SharePoint. It applies to both manual and bulk remediation actions. | |
SSE 6.2.2 | SSE 6.2.0 | The Private Application report now displays the host name for the private applications configured with a port range or multiple ports. | |
SSE 6.2.2 | SSE 6.2.0 | The host names of the private applications are now displayed correctly on the Private Application report. | |
Skyhigh Data Protection | SSE 6.2.1 | From 6.2.1 onwards, you can enable the queryIncident API for users with the Incident Management role and the Read Only privilege. | |
Skyhigh Data Protection | SSE 6.2.1 | Users of Data Protection for message-based cloud services will see a slight increase in email notifications, which were suppressed before this release. | |
Skyhigh Private Access | SSE 6.2.1 | The migration from wgcs.mcafee-cloud.com to wgcs.skyhigh.cloud is postponed. For SCP, despite reverting the default proxy domain, all SCP configurations before the SSE 6.2.1 release (initial or updated) continue to be fully functional. For the SAML ACS URL, configurations after SSE 6.2.1 display a hint that the ACS URL must be set to https://saml/wgcs/mcafee-cloud.com/saml. Configurations created with the initial SSE 6.2.1 release point to https://saml/wgcs/skyhigh.cloud.com/saml. This URL stays functional; there is no need to reconfigure. For Private Access, in SSE 6.2.1 the Default URL is reset to https://api.wgcs.mcafee-cloud.com/ztna/dashboard, but you can continue to use https://api.wgcs.skyhigh.cloud/ztna/dashboard if you already bookmarked it. | |
Skyhigh Private Access | SSE 6.2.1 | SSE 6.1.2 | Duplicate application names are not allowed across tenants when you enable the Clientless Access option. |
Skyhigh Private Access | SSE 6.2.1 | SSE 6.2.0 | The Connector Group column now displays data on the Events Data page of the Private Access Users and Private Access Usage reports. |
Skyhigh Cloud Connector | SSE 5.4.0 | There is a known issue in which the FIPS-enabled Skyhigh Cloud Connector generates SSL errors in the Cloud Connector debug log. As a workaround, you can disable FIPS on Skyhigh Cloud Connector based on your operating system. For details on the workaround, see Disable FIPS on CC. | |
SSE 6.2.0 | A known issue has been identified: when a file whose name contains double-byte characters is uploaded to Dropbox to trigger DLP policies, the DLP policies fail to detect the incidents, resulting in an error message. In Dropbox, DLP policies accept only file names with ASCII characters. | ||
SSE 6.2.0 | SSE 6.2.0 | An error message suggesting the correct format is displayed when an incorrect connector deployment command is entered. In addition, extra spaces entered in this command are handled automatically and the PA Connector deployment command is executed. | |
Skyhigh Private Access | SSE 6.2.0 | SSE 6.2.0 | The hostname or the fully qualified domain name (FQDN) entered in uppercase while configuring a private application is automatically converted to lowercase. |
Skyhigh Private Access | SSE 6.2.0 | SSE 6.1.0 | The username used for SAML IDP authentication is no longer case-sensitive when you enable the Clientless Access option. |
Client Proxy | SCP 4.5 | In Skyhigh Client Proxy 4.5, Skyhigh Security has rebranded the client proxy from MCP to SCP. Before you upgrade to SCP 4.5, update your third-party endpoint protection to add the new service and directory names to the allowlist. This will prevent the endpoint protection from blocking SCP operations. For details, see https://kcm.trellix.com/corporate/index?page=content&id=KB9016. | |
SSE 6.1.2 | IMPORTANT: SAML on port 8084 is not supported with Security Service Edge Web Hybrid. | ||
SSE 6.1.2 | When a report is generated for Security Configuration Audit policy incidents, some incidents display a Scan Run Date later than the Incident Created On date instead of a Scan Run Date prior to the Incident Created On date. | ||
Skyhigh Cloud Connector | SSE 5.5.5 | False AD Custom Attribute Notifications alerts are sent when the Shadow and Sanctioned data is imported at the default frequency of 24 hours. As a workaround, configure the Shadow Upload and Sanctioned Upload frequency to 23 hours, so that the Shadow import and Sanctioned import occur every 23 hours in CC. | |
Skyhigh Private Access | SSE 6.1.2 |
Hybrid (WPS2) license users with the admin role cannot add new users and get an error message that states “the user could not be added”. As a workaround, select the following roles while you add new users for WPS2 license on Settings > User Management > Users page.
|
|
Skyhigh Private Access | SSE 6.1.2 | The Point of Presence (PoP) counter increases and decreases on the Skyhigh Security Status site. The PoP counter increases or decreases because a new PoP is added, an existing PoP is decommissioned, or a new PoP replaces an old PoP for better performance. No action is needed; this behavior is expected. | |
Skyhigh CASB | SSE 4.3.0 | When Inline Email DLP users (Exchange Online, Gmail) send an email, there is a time-out of 55 seconds to receive a response from Skyhigh CASB Gateway SMTP server. If the DLP inspection or policy evaluation is not finished within 55 seconds, Skyhigh CASB Gateway SMTP server uses the fail open process to relay the email back to the CSP without waiting for the policy evaluation to finish. For details, see About Gmail Inline DLP and About Exchange Online Inline Email DLP. | |
SSE 6.1.2 | When ICAP settings are updated on Secure Web Gateway, connections to the ICAP servers are not interrupted anymore. | ||
SSE 6.1.2 | An error that occurs when a web policy action is executed on Secure Web Gateway is no longer communicated to the end user without suitable details about what happened. | ||
SSE 6.1.1 | High browser CPU usage, high RAM utilization, and browser crashing may be caused by running complex DLP policies. If this issue persists, contact Support to enable the Pagination feature to resolve the issue. | ||
SWG 8.2.29
|
Issue: 8.2.29 (and later) uses an updated version of Tomcat. |
||
Secure Web Gateway (On-Prem) |
SWG 8.2.22 |
Issue: You can't log in to the SWG GUI by using any externally managed admin account. Logging in using the local admin account still works. If you enable the setting again and save your changes, it's disabled again after a few minutes. |
|
Secure Web Gateway (On-Prem) | SWG 8.2 |
Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only. |
|
Secure Web Gateway (On-Prem) |
SWG 8.2.1 |
SWG 8.2 |
Issue: In ProxyHA or Transparent Router mode, when a node previously marked as Director is set as Scanner and the configuration is saved, the resulting node fails to become a Scanner node. The hastats tool shows this node as Redundant Director instead of Scanning node.
Solution: Upgrade to 8.2.1.
Issue: Transparent Router Mode plus IP-spoofing Performance drops. In the transparent router mode, if IP spoofing is enabled, a high response time (>250 ms) and connection errors are observed.
Issue: In the transparent router mode, when only the HTTP proxy is enabled and IP spoofing is enabled only for HTTP traffic, the HTTP connection fails with a 502 error.
Issue: In 8.2, the bandwidth throttling feature in router mode isn't fully supported. Using the feature in the router mode might not throttle the traffic according to the configuration. Existing customers using this feature in the transparent router mode in older releases are advised to not upgrade to the latest version. |
Secure Web Gateway (On-Prem) |
SWG 8.2.2 |
SWG 8.2 |
Issue: SWG 8.2 doesn't support configuring the Transparent proxy in Bridge mode. |
Secure Web Gateway (On-Prem) |
SWG 8.0.3.1-8.0.4 |
SWG 8.0.3 |
Issue: You see a kernel panic when you reboot SWG. During the reboot, SWG stops and displays Kernel Offset and Kernel Panic errors. |
Secure Web Gateway (On-Prem) |
SWG 8.0.2.1-8.1 |
Issue: Unable to log on to the SWG manager (UI).
Issue: You can't paste text when you use the Webswing user interface with the Edge browser. You press Ctrl+V, the paste fails, and you see the following error: SCRIPT5007: Unable to get property 'getData' of undefined or null reference webswing-embed.js (145,464897)
Workaround: Use an alternative browser.
Issue: When you update SWG from a version earlier than 7.7.2.14 or with the AV rollback flag (ud-rollbackGAM2015) enabled, SWG 8.0 can't load the old GAM2015 libraries. Instead, it downloads the new engine in the background. This process can take several minutes, depending on your download speed. Users see the error below: Cannot Load Anti-Malware Engine The Anti-Malware engine could not be loaded and your administrator doesn't allow to deliver content without being checked for viruses.
Solution: Don't redirect traffic to SWG before the AV engine has finished all updates. You can view the update status in the SWG dashboard.
Non-critical Known Issues
Issue: In the HAProxy mode, when using the Virtual IP address, the settings for connection timeouts configured in event enable proxy control are ignored.
Issue: You intermittently see an antimalware engine update error:
Issue: Spanport Automation stops receiving information from the ICAP server. You can't view log entries in access.log on the spanport proxy. |
|
Secure Web Gateway (On-Prem) |
SWG 9.2.25 |
Issue: 9.2.25 uses an updated version of Tomcat.
Issue: After you reboot, the kdump service fails to start.
|
|
Secure Web Gateway (On-Prem) | SWG 9.2.21 |
Issue: Your browser response page shows corrupted text. No errors are seen in the SWG logs.
Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs. |
|
Secure Web Gateway (On-Prem) |
SWG 9.2.21 |
SWG 9.2.15 |
Issue: Memory-leak leads to one or more of the following issues:
Solution: This issue is fixed in 9.2.21. |
Secure Web Gateway (On-Prem) |
SWG 9.2.14 |
SWG 9.2.13 |
Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works. |
Secure Web Gateway (On-Prem) | SWG 9.0.x-SWG 9.1.0 |
SWG 9.11 SWG 9.2 |
Issue: The HSM Agent doesn't work. Any installed HSM card fails. |
Secure Web Gateway (On-Prem) |
SWG 9.2.x |
Non-Critical Known Issues Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only. |
|
Secure Web Gateway (On-Prem) | SWG 9.2.9 | SWG 9.2.8 |
Issue: The SWG Update fails if using an offline update or update proxy. |
Secure Web Gateway (On-Prem) | SWG 9.2.5 | SWG 9.0 |
Issue: In HAProxy mode, when using the Virtual IP (VIP) address, the settings for connection timeouts configured in event enable proxy control are ignored.
Issue: You intermittently see an anti malware engine update error: |
Secure Web Gateway (On-Prem) | SWG 9.2.4 | SWG 9.2 |
Issue: In Automatic airgap settings, Active mode isn't currently supported. Because of this issue, GTI requests aren't evaluated locally when you select the active mode.
Issue: With some XMPP clients (for example, Spark), an intermittent delay has been observed while establishing an initial connection with the server. |
Secure Web Gateway (On-Prem) |
SWG 9.1.2 SWG 9.2 |
SWG 9.1.0 SWG 9.1.0 |
Issue: The PDF opener fails to access restricted PDF files, encrypted using AES.
Issue: SWG 9.1 doesn't support configuring a Transparent proxy in Bridge mode. |
Secure Web Gateway (On-Prem) |
SWG 9.1.0 |
Issue: The keepalived service doesn't start after restoring a backup file with network interfaces configured.
Issue: The SpanPort - mfetsc service doesn't start after reboot. systemctl start mfetsc
Issue: MDS-based exploits and vulnerabilities are seen on Intel® CPUs. |
|
Secure Web Gateway (On-Prem) |
|
SWG 11.2.5
SWG 11.2.3 |
Issue: After you update a central management cluster from 10.2.x to 11.2.x (specifically 11.2.4 or earlier), you see one of the following issues:
Workaround: Run the following commands on each cluster node via CLI: service mwg-core stop After the service restart, a new list is created automatically.
Issue: 11.2.3 uses an updated version of Tomcat.
Issue: After you reboot, the kdump service fails to start.
|
Secure Web Gateway (On-Prem) | SWG 11.1.4 | SWG 11.1 |
Issue: Your browser response page shows corrupted text. No errors are seen in the SWG logs.
Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs.
Issue: Memory-leak leads to one or more of the following issues:
Resolution: This issue is fixed in version 11.1.4 |
Secure Web Gateway (On-Prem) | SWG 10.2.15 | SWG 10.2.14 |
Issue: 10.2.14 uses an updated version of Tomcat. |
Secure Web Gateway (On-Prem) | SWG 10.2.2 | SWG 10.2.1 |
Reference number- WP-4043 Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works. |
Secure Web Gateway (On-Prem) |
SWG 10.2.4 |
SWG 10.2 |
Reference number- TSWS-6000 Issue: After you update SWG 10.2–10.2.3 or earlier, DATs and Gateway DATs fail to update. SWG 10.2.3 and earlier don't support the GAM Engine 2021.1.
Reference number- WP-3868 Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only.
Reference number- WP-3541 Issue: Adding new HSM keys in the SWG UI fails if the HSM server is already started and running. |
Secure Web Gateway (On-Prem) | SWG 10.2 10.0.1-10.1 |
SWG 10.0.1-10.1
|
Reference number- WP-2823 Issue: In the HAProxy mode, when using the Virtual IP address, the settings for connection timeouts configured in event enable proxy control are ignored. The HAProxy only relates to general timeout settings.
|
Secure Web Gateway (On-Prem) | SWG 10.1 | SWG 10.0.1-10.0.2 |
Reference number- WP-3305 Issue: You intermittently see an anti malware engine update error: |
Secure Web Gateway (On-Prem) | SWG 10.2.10 | Random f.txt files no longer download incorrectly on Chrome and Edge browsers. | |
SSE 6.0.2 | When using a particular type of browser for data downloads, progress pages work again after the use of methods by a relevant script was modified to exclude some recently introduced methods, which the browser does not support. | ||
SSE 6.0.2 | In a list of IP address ranges that is exported to the CSV format, the individual IP addresses show up again, which they had failed to do before when only a generic term for objects to export had been shown. | ||
SSE 6.0.2 | A failure of the core process on several instances of SWG, which had been caused by a corrupted entry in a map with codes for loading errors, does not occur anymore after a conflict between multiple threads referring to the same CString function for performing a comparison to find the map has been resolved. | ||
Skyhigh Private Access | SSE 6.0.2 | The Server Message Block protocol doesn't work with Private Access. | |
SSE 6.0.0 | An issue with inappropriate values that were returned for ongoing processes has been resolved by implementing a fix that made the Client.ProcessExePath property work as expected again. This property is for use in a Hybrid solution where Client Proxy is also running. Its value is the path to an .exe file that enables a process, for example, ...\program files (x86)\google\chrome\application\chrome.exe. You can include this information in end-user notification pages, also known as block pages. | ||
Skyhigh CASB | SSE 6.0.2 | When an inline DLP policy is created for Exchange Online, and the policy is violated, an email notification is sent to internal or external users' email addresses via To/From/CC/Bcc fields with the remediation action to delete the message from the user's mailbox. The incident generated doesn't show the information of the Bcc recipients. | |
Skyhigh CASB | SSE 6.0.2 | A known issue has been identified: when an email contains multiple events, such as BCC recipients or internal and external recipients, the event that is processed first deletes the original violating email from the user's mailbox. The incident created for this event includes the BCC recipients’ information along with the email message and associated metadata before being deleted. Because the email has already been deleted, the subsequent events can’t find this email. As a result, the subsequent incidents cannot populate the BCC recipients’ details. | |
Skyhigh Private Access | SSE 6.1.0 | Private Access SSH connections do not work with the Tera Term client. | |
Skyhigh Private Access | SSE 6.1.0 | Remote Browser Isolation is not supported with clientless Private Access deployment. | |
Skyhigh Private Access | SSE 6.1.0 | In Private Access, publish updates fail when there is a hostname conflict and Browser Access is enabled. An incorrect error message is displayed. |