Skip to main content

Welcome to Skyhigh Security!

Skyhigh Security

Secure Web Gateway 11.0.x Release Notes

  1. Last updated
  2. Save as PDF

What's new in the 11.0 release

This release introduces new features and enhances existing features.

NOTE: Skyhigh Secure Web Gateway 11.0 is provided as a controlled release.

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

Download of lists maintained under MVISION Unified Cloud Edge for on-prem web policy

You can download lists of user names, user groups, and other web objects that are maintained under Skyhigh Security Service Edge for the on-prem policy that you set up on Web Gateway.

The lists are continually synchronized. When enabling the download on Web Gateway, you set the synchronization interval.

This download feature is a part of a Hybrid solution that allows you to filter web traffic using both Web Gateway and Skyhigh Security Service Edge.

For more information, see Synchronize lists for your web policy when using a Hybrid solution in the McAfee Web Gateway Product Guide.

Secure net-hop proxy for securing traffic to MVISION Unified Cloud Edge

You can set up a secure next-hop proxy on Web Gateway to ensure traffic going to Skyhigh Security Service Edge is secure.

The traffic follows the TLS protocol. A certificate is presented at the initial handshake from the server side whereas Web Gateway uses the authentication method that is enabled by Client Proxy to authenticate to Skyhigh Security Service Edge.

For more information, see Set up a secure next-hop proxy to secure traffic on a Hybrid connection in the McAfee Web Gateway Product Guide.

Use of keywords to filter lists with Azure Active Directory group names

When searching lists of user groups stored in an Azure Active Directory, you can use a keyword to filter the search result. You can create lists of keywords and use more than one in a search.

For more information, see Azure Directory settings in the McAfee Web Gateway Product Guide.

SmartMatch optimization

Performance has been optimized for SmartMatch lookups by improving the handling of partial matches in URL lists.

For more information, see the entry on the URL.SmartMatch property under Properties — U in the McAfee Web Gateway Product Guide.

Improved detection of CPIO application type

Applications of the application/x-cpio type are properly recognized through improving the methods for their detection, which had only relied on checking the file header before and caused incorrect further treatment, for example, being rated as corrupt by the file opener.

New locations for storing cloud access log data

New options available when choosing the country or region where cloud access log data are stored, including Canada, United Kingdom, United Arab Emirates, and Singapore.

For more information, see Cloud Access Log Data Residency settings in the McAfee Web Gateway Product Guide.

Recognition of intermediary HTTP2 headers

When receiving web traffic from servers that support HTTP2 on the connection to Web Gateway, headers with status code 1xx are recognized by Web Gateway as intermediary headers preceding the main headers and processed accordingly.

Improved handling of HTTP2 statistics

HTTP2 statistics, which are also shown on the Web Gateway dashboard, are provided under the Simple Network Management Protocol (SNMP) to be read by an external SNMP manage poll.

For more information about how to configure this protocol, see Event monitoring with SNMP in the McAfee Web Gateway Product Guide.

Kerberos authentication with improved logging

When the Kerberos authentication method is used, error logging has been improved, for example, by writing client IP addresses in the log.

More efficient troubleshooting methods

More efficient methods are used now to identify customers, clients, and connections relating to high load or overload issues in temp files on Web Gateway.

Known Issues and their Patches

For a list of issues that are known, but not resolved yet, see the table below.

Fix Version Found Version Description

           

 

 

            

 

          SWG 11.2.5

         

 

 

 

 

              SWG  11.2.0

Issue: After you update a central management cluster from 10.2.x to 11.2.x (specifically 11.2.4 or earlier), you see one of the following issues:

  • No access to UI. You might see the following error: Error while receiving data. Received 'HTTP:200'
  • System list updates fail with the following error: System Lists update failed, with ID 333

Workaround: Run the following commands on each cluster node via CLI:

service mwg-core stop
rm /opt/mwg/plugin/data/DLP/0/lists -rf
service mwg-core start

After the service restart, a new list is created automatically.

NOTE: This workaround includes a service restart; all connections will be disconnected and no connections will be accepted until the service is started again.

Solution: This issue is fixed in version 11.2.5; release date is November 15, 2022.

         

 

 

 

          SWG 11.2.4

       

 

 

 

           

 

 

                  SWG 11.2.3

Issue: 11.2.3 uses an updated version of Tomcat.
This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication."
This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page).
Detailed information about client certificate authentication can be found on the SWG documentation page.

NOTE: Most current browsers don't support Java Applets.
The most notable browser still supporting them is the old Internet Explorer 11, but this is now EOL.
You see the following entries, present in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log:

[ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint

 

Issue: After you reboot, the kdump service fails to start.
The current kdump service included in SWG isn't compatible with the latest kernel upgrade provided as part of the September 20, 2022 releases.
The kdump service handles kernel failures that occur and recovery from these issues.
When this service is non-functional, kernel failures cause the appliance to become unresponsive, and a manual power cycle is needed to get the appliance back to a working state.

Workarounds: You can avoid this issue on installation and prevent the kernel package from being upgraded.

NOTE: This workaround is only applicable to the CMD method of upgrade.
Instead of running yum upgrade yum && yum upgrade, run yum upgrade yum && yum upgrade --exclude=kernel*

If already upgraded>edit the config files>  allow the appliance to recover from the kernel failure> and automatically reboot after 5 secs:

  1. Edit the sysctl.conf file from the SWG-UI.
  2. Add the line kernel.panic=5 outside the auto generated block.
  3. Save your changes.

   

 

 

 

        SWG 11.1.14

   

 

 

 

 

                SWG 11.1

   

Issue: Your Browser response page shows corrupted text. No errors are seen in the SWG logs. 

Solution: This issue is fixed in version 11.1.4.

Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs. 

Solution: This issue is fixed in version 11.1.4.

Issue: Memory-leak leads to one or more of the following issues:

  • Appliance not reachable

  • SWG stops handling network traffic

  • No access to SWG UI

Resolution: This issue is fixed in version 11.1.4

Resolved issues in update 11.0.2 

This release resolves known issues.

NOTE: Secure Web Gateway 11.0.2 is provided as a controlled release.           

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

The JIRA issue number is provided in the reference column.

Vulnerabilities 

Reference Description
WP-4355 This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers. The following medium and higher level CVEs (CVSS 3.0 >= 4) were involved:
  • CVE-2021-44228
  • CVE-2021-45046
For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in update 11.0.1 

This release resolves known issues.

NOTE: Skyhigh Security Secure Web Gateway 11.0.1 is provided as a controlled release.

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

JIRA issue numbers are provided in the reference column.

Web filtering 

Reference Description
WP-4158 The time consumed during a transaction can be retrieved again as a value for the Timer.TimeInTransaction property when Secure Web Gateway is running as a proxy under TCP or the SOCKS protocol.

Other 

Reference Description
WP-3247 The mcelog service will only be enabled on physical appliances now and will remain disabled on virtual appliances.

Resolved issues in the 11.0 release 

This release resolves known issues.

NOTE: Skyhigh Security Secure Web Gateway 11.0.x s provided as a controlled release.

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

JIRA issue numbers are provided in the reference column. 

Network communication 

Reference Description
WP-1455 POST commands run while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-3637 When the NTLM authentication method is applied, submitting user names in the User Principal Name (UPN) format does not lead to a failure of the authentication process anymore.
WP-3810 When a director node is not working as a scanner in a Proxy High Availability (Proxy HA) configuration, the proxy on Secure Web Gateway listens to other scanning nodes again.
WP-4073 When using the IP Neigh network tool for troubleshooting on a Secure Web Gateway appliance with an HTML-based user interface, bindings between protocol and link layer addresses are displayed again.

Authentication 

Reference Description
WP-3637 When the NTLM authentication method is applied, submitting user names in the User Principal Name (UPN) format does not lead to a failure of the authentication process anymore.

Web filtering 

Reference Description
WP-3072 Only errors relating to the user interface are logged in the mwg.ui.errors log, whereas unexpected errors, such as error 143 and others, are not logged anymore.
WP-3658 When uncategorized URLs are blocked, events are successfully synchronized for two Trusted Source properties, which had not worked properly before, as an unexpected event had been added.
WP-3663 When running Advanced Threat Defense (ATD) to scan web traffic, a previous detection of malware can be reused, which had not worked for a zip file due to incorrectly querying md5 information.
WP-3751 Upgrade packages for Secure Web Gateway can be downloaded, which had not been possible because the PGP key files inside these packages were blocked as encrypted media types.
WP-3811 Requests to retrieve CRL and OSCP information about the status of certificates used for secure communication are forwarded, which had not worked in a next-hop proxy chain with two Secure Web Gateway appliances.
WP-3904 Infinite loops that were created on some occasions when zip archives were scanned, causing threads to hang and resulting in problems with high CPU and memory load, do no longer occur.

Other 

Reference Description
WP-2686 Documents containing Austrian IBAN numbers are detected with the Data Loss Protection (DLP) functions on Secure Web Gateway even if spaces between number groups are omitted.
WP-3951 An issue that caused the core process on a Point-of-Presence (PoP) for Secure Web Gateway to fail has been resolved.
WP-3998 An issue that caused the core process on Secure Web Gateway running as a node in a cluster to fail has been resolved.
WP-4010 The latest KVM build for the Oracle Cloud Infrastructure (OCI) that Secure Web Gateway runs with can be downloaded again.
WP-4022 The rsyslog daemon had kept the /var/log/haproxy/ haproxy-info_1.log file open until all disk space had been filled up on a Secure Web Gateway appliance. This has been fixed now and log rotation works fine again.
WP-4043 Admins can log on to the Secure Web Gateway user interface again from external accounts.

Vulnerabilities 

Reference Description

WP-3468, WP-3580,

WP-3656, WP-3765,

WP-3792, WP-3806,

WP-3815, WP-3878,

WP-3882, WP-3934,

WP-3935, WP-3936,

WP-3999, WP-4003,

WP-4021, WP-4058,

WP-4067, WP-4203

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2016-3674
  • CVE-2017-7957
  • CVE-2017-11610
  • CVE-2019-10208,
  • CVE-2020-15250
  • CVE-2020-24489
  • CVE-2020-25111, CVE-2020-25112, CVE-2020-25113, CVE-2020-25648, CVE-2020-25649, CVE-2020-25694, CVE-2020-25695
  • CVE-2020-26217
  • CVE-2021-2369, CVE-2021-2388
  • CVE-2021-3472
  • CVE-2021-3520
  • CVE-2021-3711, CVE-2021-3712
  • CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351
  • CVE-2021-22876, CVE-2021-22890, CVE-2021-22901
  • CVE-2021-25214, CVE-2021-25217
  • CVE-2021-27219
  • CVE-2021-30640
  • CVE-2021-31535
  • CVE-2021-32027
  • CVE-2021-33909

For more information about these CVEs and their impact, see the Red Hat CVE portal.
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    Release Notes
    Latest Release
  2. Tags
    1. KB94979