SGOS 7.4.7.1

ISG Proxy

25229

05 December 2024

December 4, 2024

 

To:         Symantec Secure Web Gateway Customers

From:     The Broadcom SGOS and Advanced Secure Gateway Product Team

Subject:  General Availability Announcement for SGOS

 

On behalf of Broadcom, we appreciate your business and the opportunity to provide you with high-quality, innovative software and services. As part of our ongoing commitment to customer success, we regularly release updated versions of our products. Today, we are pleased to announce that SGOS 7.4.7.1 is now available. This release also includes the first releases of SGAC 2.2.5 and Web VPM 2.2.5.

 

This release includes the following features:

 

New msoutlook Data Type for Apparent Data Type Conditions and Properties

You can now create a policy on how the appliance should handle Microsoft Outlook files (.pst and .ost) for HTTP requests and responses:

  • http.request.apparent_data_type=msoutlook
  • http.response.apparent_data_type=msoutlook
  • http.request.apparent_data_type.deny(msoutlook)
  • http.request.apparent_data_type.allow(msoutlook)

Note: Currently, the Content Analysis System (CAS) product does not recognize Microsoft Outlook file types. If you try to use the MSOUTLOOK apparent data type in the ICAP version of the apparent data type policy conditions (request.icap.apparent_data_type and response.icap.apparent_data_type), the policy will compile but will not match any documents.


 

New x-allowed-category Field for Access Log or Policy Substitution

The x-allowed-category field enables you to determine which specific category caused a transaction to be allowed in the final match rule. This field uses the same “closest to” strategy as the existing x-exception-category field.


 

New Message Authenticator Configuration for the RADIUS Realm

To ensure the integrity and authenticity of RADIUS communications, the ProxySG appliance now includes the Message-Authenticator attribute in all RADIUS client Access-Request packets. The RADIUS client also rejects all Access-Accept, Access-Reject, and Access-Challenge packets coming from a server that do not contain the Message-Authenticator attribute.
 
Concurrently, the RADIUS server should be configured to verify the Message-Authenticator attribute in both Access-Request and response packets, and Access-Request packets that do not contain the attribute will be silently discarded.
 
The ProxySG appliance can allow or deny RADIUS server responses that do not contain the Message-Authenticator attribute. To configure this setting per realm, use the appliance CLI to edit the specific realm, then set the require-message-authenticator flag:
 
#(config) security radius edit-realm <realm_name>
#(config radius <realm_name>) require-message-authenticator enable | disable

When ProxySG is upgraded, to preserve the existing appliance behavior, the default setting on existing RADIUS realms is disable. However, it is recommended that this setting be enabled on all RADIUS realms. The default setting on newly added RADIUS realms is enable.
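The client-side check described above, sketched as an added example (not Broadcom's code and not part of the original announcement). It follows the RFC 2869 / RFC 3579 definition of Message-Authenticator (HMAC-MD5 over the packet with the attribute value zeroed); the function names, the `require_msg_auth` parameter and the sample values used with it are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)
RESPONSE_CODES = (2, 3, 11)  # Access-Accept, Access-Reject, Access-Challenge

def find_msg_auth(packet):
    """Offset of the Message-Authenticator value, None if absent; ValueError if malformed."""
    pos = 20  # attributes start after the 20-byte header
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        if packet[pos] == MSG_AUTH:
            if packet[pos + 1] != 18:
                raise ValueError("Message-Authenticator must be 18 bytes long")
            return pos + 2
        pos += packet[pos + 1]
    return None

def msg_auth_value(packet, request_auth, secret, off):
    """HMAC-MD5 keyed with the shared secret; Request Authenticator in header, value zeroed."""
    buf = bytearray(packet)
    buf[4:20] = request_auth
    buf[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def build_response(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    """Constructed server side for the demo; not a full RADIUS server."""
    body = (bytes([MSG_AUTH, 18]) + bytes(16) if with_msg_auth else b"") + attrs
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body)
    if with_msg_auth:
        pkt[22:38] = msg_auth_value(pkt, request_auth, secret, 22)
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()  # Response Authenticator
    return bytes(pkt)

def check_response(packet, request_auth, secret, require_msg_auth=True):
    """Client-side decision; require_msg_auth models require-message-authenticator."""
    length_ok = len(packet) >= 20 and struct.unpack("!H", packet[2:4])[0] == len(packet)
    if not length_ok or packet[0] not in RESPONSE_CODES:
        return "drop: bad header"
    resp_auth = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(resp_auth, packet[4:20]):
        return "drop: bad Response Authenticator"
    off = find_msg_auth(packet)
    if off is None:
        return "drop: no Message-Authenticator" if require_msg_auth else "accept: unauthenticated"
    if not hmac.compare_digest(msg_auth_value(packet, request_auth, secret, off), packet[off:off + 16]):
        return "drop: bad Message-Authenticator"
    return "accept"
```

With `require_msg_auth=False` (the upgrade default on existing realms), a response that lacks the attribute is still accepted on the strength of the Response Authenticator alone, which is the behavior the recommendation to enable the flag is meant to close off.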


 

New SNMP MIB for Monitoring the TCP Queue 

To monitor events that have an adverse effect on network connections, the BLUECOAT-SG-NETWORK-MIB file defines the SNMPv2-SMI::enterprises.3417.2.20.1 OID with 12 read-only child OIDs.
 

 

Policy Trace Now Includes Matched Action Definitions

Previously, a policy trace recorded a matched action, but did not trace the action's definition. Action definitions that are committed during policy evaluation will now be listed in a policy trace:

Committed action delete_header:

  delete( request.x_header.X-TEST )

Any action definitions discarded due to conflicting redirect or rewrite actions will also be noted in the trace:

Discarded conflicting action redirect1


 

Timezone Database Update

As of October 10, 2024, a new timezone database (2024b) is available at https://download.bluecoat.com/release/timezones.tar
 
To install the database, use the CLI command:
 
# load timezone-database
 
If the timezone database path was changed from its default setting, it can be restored to the default path using the command:
 
# (config) timezone database-path default

 

Behavior Changes in SGOS 7.4.7.1

 
Default Appliance Name Format

To remove potentially sensitive internal IP addresses from heartbeat data and license validation services, the default appliance name no longer includes the internal IP address. The default appliance name now uses the format <SG series name> - <appliance identifier>.

  • The appliance name will be updated only for new appliances and appliances that have been reset using "restore-defaults".
  • The change in the default appliance name also changes the appliance prompt, which displays the appliance name.
  • If you want to include the IP address in the appliance name, you can still do so by manually changing the name.
  • If your appliance name currently includes the internal IP address and you do not want to share it, you should manually change the name of the appliance.
To manually change the appliance name using the Admin Console, see Identification and General Information.
 
To manually change the appliance name using a CLI command, see # (config) appliance-name.
 

 

 

ProxySG Admin Console 2.2.5

This release includes the following new features and enhancements:

 

New Policy Services Option

You can now enable Policy Services (Administration > Data & Cloud Services > Threat Protection) to apply Content Security and Access Security policies to the Edge SWG appliance.


 

Web VPM 2.2.5

This release includes the following new features and enhancements:

 

New Cloud SWG Access Type UPE Objects

Note: These objects are only available for customers who have access to the Cloud Secure Web Gateway (Cloud SWG) portal and who are deploying policy using the Universal Policy Enforcement (UPE) solution. For more information on UPE, see the UPE Deployment Guide.
 
The following objects have been added to the Source column of the Web VPM:
  • Client Access Type: Use this object to apply policy to requests based on the method that the client used to connect to Cloud SWG.

  • Managed Client: Use this static object to specify that the client device is managed by the Cloud SWG portal. This object matches when the client access type is WSS Agent, Symantec Enterprise Agent, or a mobile client.

  • Unmanaged Client: Use this static object to specify that the client device is not managed by the Cloud SWG portal. This object matches when the client access type is Explicit, Proxy Forward, or Tunnel.

 

New Options for Apparent Data Type Objects

The PST and OST data types are now available as options for the Apparent Data Type object. Use these options to create policy on how the appliance should handle Microsoft Outlook data files (PST) and offline Microsoft Outlook data files (OST).
 
Note: Currently, the Content Analysis System (CAS) product does not recognize Microsoft Outlook file types. If you try to use the MSOUTLOOK apparent data type in the ICAP version of the apparent data type policy conditions (request.icap.apparent_data_type and response.icap.apparent_data_type), the policy will compile but will not match any documents.
 

 

To download this release and review Release Notes, visit the Symantec Enterprise Security portal at https://support.broadcom.com/security. A MyBroadcom login is required. See https://knowledge.broadcom.com/external/article/151364/download-the-latest-version-of-symantec.html for details.

If you have any questions or require assistance, please contact Broadcom Customer Care online at https://www.broadcom.com/support/software/contact where you can submit an online request using the Customer Care web form: https://ca-broadcom.wolkenservicedesk.com/web-form?_ga=2.205828371.1432263889.1590607313-713014253.1588711301 . You can also call Broadcom Customer Care at +1-800-225-5224 in North America or see https://www.broadcom.com/support/software/contact for the local number in your country.

Should you need any assistance, our Broadcom Services experts can help.  For more information on Broadcom Services and how you can leverage our experience, please visit https://www.broadcom.com/support/ca/services-support/ca-services.

Your success is very important to us, and we look forward to continuing our successful partnership with you.

To review Broadcom Support lifecycle policies, please review the Broadcom Support Policy and Terms located at: https://support.broadcom.com/.

Thank you again for your business.