Secure Web Gateway 10.2.x Release Notes
What's new in the 10.2 release
Releases can introduce new features and enhancements or update platform support.
Improvements for Proxy HA mode
Several options are now available that allow for improved performance and handling when running Secure Web Gateway in Proxy High Availability (Proxy HA) network mode.
- An inactivity timeout, a load balancing algorithm, and sticky sessions can be configured, as well as egress IP addresses to increase the number of simultaneously active connections to cluster nodes scanning web traffic.
- Filtering traffic coming in under the SOCKS protocol is supported.
For more information, see the Proxy HA mode section of the Secure Web Gateway Product Guide.
More protocol versions for secure ICAP
Different versions of the TLS and SSL protocols can now be selected when running Web Gateway in a secure ICAP server configuration.
For more information, see the ICAP server section of the Secure Web Gateway Product Guide.
Property for troubleshooting ATD issues
The Antimalware.MATD.Error.MessageDetails string-type property has been added to the list of properties for use in web security rules. It provides details of an Advanced Threat Defense error message, such as timeouts, missing values, or network problems.
For more information, see the Properties - A section of the Secure Web Gateway Product Guide.
More media types detected
More media types are detected by the functions for media type filtering on Web Gateway, including:
- Visio files with the following extensions: vsdm, vsdx, vssm, vssx, vstm, vstx
- CAD files
More efficiency in internal processing
Several internal processes have been improved on Web Gateway as follows.
- For users working with the WebSwing version of the user interface, the individual IP addresses of their client systems are recorded in the audit log when requests come in from these clients. The common 127.0.0.1 address is no longer in use here.
This address had been logged for all users because, from the point of view of the Java user interface, WebSwing acted as a remote desktop.
A commercial WebSwing version has also been implemented to overcome some limitations of the open source versions.
- More efficient methods of identifying customers, clients, and connections involved in issues that occurred are now used when reading core files stored in a temp folder.
- Some enhancements have been implemented for the consistency checking tool, which identifies unused settings and lists on Web Gateway.
- The feedback file that is evaluated on the master node in a cluster of Web Gateway appliances now provides the current version of the appliance software for each cluster node.
- Processing lists with entries in Regex format performs better due to an improvement of the diagnostic tool.
What's new in update 10.2.1
This release introduces several enhancements.
Performance has been optimized for SmartMatch lookups by improving the way lists are handled when searching for matches.
Kerberos authentication with improved logging
When the Kerberos authentication method is used, error logging has been improved, for example, by writing client IP addresses in the log.
Handling of HTTP2 statistics improved
HTTP2 statistics, which are also shown on the Secure Web Gateway dashboard, are provided under the Simple Network Management Protocol (SNMP) so that an external SNMP manager can poll them.
Known Issues and their Patches
For a list of issues that are currently known, see the table below.
Issue: 10.2.14 uses an updated version of Tomcat.
This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication."
This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page).
Detailed information about client certificate authentication can be found on the SWG documentation page.
NOTE: Most current browsers don't support Java Applets.
The most notable browser still supporting them is the old Internet Explorer 11, but this is now End of Life.
You see the following entry in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log:
[ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint
Reference number- WP-4043
Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works.
Reference number- TSWS-6000
Issue: After you update SWG 10.2–10.2.3 or earlier, DATs and Gateway DATs fail to update. SWG 10.2.3 and earlier don't support the GAM Engine 2021.1.
Reference number- WP-3868
Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only.
Reference number- WP-3541
Issue: Adding new HSM keys in the SWG UI fails if the HSM server is already started and running.
Reference number- WP-2823
Issue: In the HAProxy mode, when using the Virtual IP address, the settings for connection timeouts configured in the event Enable Proxy Control are ignored. HAProxy honors only the general timeout settings.
Reference number- WP-3305
Issue: You intermittently see an anti malware engine update error:
|SWG 10.2.10||Random f.txt files no longer download incorrectly on Chrome and Edge browsers.|
Resolved issues in update 10.2.21
This release resolves issues.
NOTE: Secure Web Gateway 10.2.21 is provided as a main release and archived.
For information about how to upgrade to this release, see Upgrading to a new version – Main Release.
The JIRA issue number is provided in the reference column.