SGOS AND ADVANCED SECURE GATEWAY 7.3.8.2 Patch Release

08 June 2022

 

To:         Symantec Secure Web Gateway Customers

From:     SGOS and Advanced Secure Gateway Product Teams

Subject:     General Availability Announcement for SGOS and Advanced Secure Gateway 7.3.8.2 Patch Release

 

On behalf of Broadcom, we appreciate your business and the opportunity to provide you with high-quality, innovative software and services.  As part of our ongoing commitment to customer success, we regularly release updated versions of our products. Today, we are pleased to announce that SGOS and Advanced Secure Gateway version 7.3.8.2 are now available, including a number of fixes and the following changes:

 

IMPORTANT: This patch release (PR) includes a critical fix and replaces SGOS 7.3.8.1 released on May 11, 2022. If you are running version 7.3.8.1, upgrade to version 7.3.8.2 to apply the fix. See the version 7.3.8.2 release notes for information. The following features were introduced in version 7.3.8.1, which is no longer available for download.

 

SSL/TLS Version Controls for SSL Forward Proxy

In the ProxySG Admin Console, you can specify a range of SSL/TLS versions to use for all intercepted SSL connections. In the SSL Version Controls section (Configuration > Services > SSL Proxy Settings), select minimum and maximum SSL/TLS protocol versions for client connections and server connections.
 
Alternatively, use the CLI. Set the minimum version and maximum version of the SSL/TLS protocol to use for client connections:
 
# (config ssl) proxy client-ssl-version-range <minimum_version> <maximum_version>
 
Set the minimum version and maximum version of the SSL/TLS protocol to use for server connections:
 
# (config ssl) proxy server-ssl-version-range <minimum_version> <maximum_version>
 
To control the SSL/TLS versions used for specific transactions instead of using the global command, add the following web VPM objects to policy:
  • Set Client Min Max SSL Version
  • Set Server Min Max SSL Version
Alternatively, use the CPL properties associated with these VPM objects:
  • client.connection.min_ssl_version()
  • client.connection.max_ssl_version()
  • server.connection.min_ssl_version()
  • server.connection.max_ssl_version()
Prior to this release, the SSL/TLS version used for intercepted SSL connections was the highest version supported by the appliance, the client, and the server. This behavior is the same as using the preserve option, which is the default setting.
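The paragraph above describes two things worth checking before a version range is applied: the default (preserve) negotiates the highest version common to appliance, client and server, and a configured floor makes any peer below it unable to connect. The following is an added example, not code from the announcement or from SGOS: a dry-run model that, given what a set of observed clients and origin servers support, reports which intercepted transactions would negotiate which version on each leg, and which would fail outright, under a proposed client-side and server-side range. The negotiation rule (highest version allowed by appliance, peer and range), the version labels, and the sample transactions are assumptions constructed for the model, not SGOS CLI tokens or appliance output.

```python
"""Dry-run model of SSL/TLS version-range impact (added example, not SGOS code).

Assumptions, not taken from the page: negotiation picks the highest version
allowed by the appliance, the peer and the configured range; the version
labels and sample transactions below are constructed for the model.
"""

# Ordered protocol list; the index defines the ordering used for ranges.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
APPLIANCE = set(VERSIONS)  # assumed: the appliance supports every listed version


def version_range(minimum, maximum):
    """Expand a (min, max) pair into the contiguous set it denotes.
    'preserve' on either end leaves that end unconstrained (the page's default)."""
    lo = 0 if minimum == "preserve" else VERSIONS.index(minimum)
    hi = len(VERSIONS) - 1 if maximum == "preserve" else VERSIONS.index(maximum)
    if lo > hi:
        raise ValueError(f"minimum {minimum} is above maximum {maximum}")
    return set(VERSIONS[lo:hi + 1])


def negotiate(peer_supported, allowed):
    """Highest version common to the appliance, the peer and the allowed range,
    or None when no handshake can succeed."""
    common = APPLIANCE & set(peer_supported) & allowed
    if not common:
        return None
    return max(common, key=VERSIONS.index)


def dry_run(transactions, client_range, server_range):
    """For each (name, client versions, server versions) triple, return the
    version negotiated on the client leg and on the server leg (None = failure)."""
    client_allowed = version_range(*client_range)
    server_allowed = version_range(*server_range)
    return [
        (name, negotiate(client_versions, client_allowed),
         negotiate(server_versions, server_allowed))
        for name, client_versions, server_versions in transactions
    ]


def failing_transactions(transactions, client_range, server_range):
    """Names of transactions that would fail on at least one leg."""
    return [name for name, c, s in dry_run(transactions, client_range, server_range)
            if c is None or s is None]


# Constructed sample: what a few clients and origin servers offer.
SAMPLE = [
    ("modern-browser", {"TLSv1.2", "TLSv1.3"}, {"TLSv1.2", "TLSv1.3"}),
    ("legacy-agent", {"TLSv1.0", "TLSv1.1"}, {"TLSv1.2", "TLSv1.3"}),
    ("old-origin", {"TLSv1.2", "TLSv1.3"}, {"TLSv1.0", "TLSv1.1"}),
]

if __name__ == "__main__":
    for row in dry_run(SAMPLE, ("preserve", "preserve"), ("preserve", "preserve")):
        print("preserve:", row)
    for row in dry_run(SAMPLE, ("TLSv1.2", "TLSv1.3"), ("TLSv1.2", "TLSv1.3")):
        print("floor TLSv1.2:", row)
    print("would fail:", failing_transactions(SAMPLE, ("TLSv1.2", "TLSv1.3"), ("TLSv1.2", "TLSv1.3")))
```

With the preserve defaults every sample transaction succeeds; with a TLSv1.2 floor on both legs, the legacy client fails on the client leg and the old origin fails on the server leg, which is exactly the population the per-transaction VPM objects above are there to exempt.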
 

 

X.509v3 Enhancements for Self-Signed Certificates and Certificate Signing Requests

When creating self-signed certificates and certificate signing requests (CSRs) through the Admin Console, you can specify values for the following extensions:
  • Subject Alternative Name 
  • Basic Constraints
  • Key Usage 
  • Extended Key Usage
Refer to the following CLI example for usage:
 
#(config ssl)create signing-request ssl_proxy_issuer_keyring c US cn "My SSL Proxy" bc CA:TRUE ku digitalSignature,keyCertSign eku serverAuth,clientAuth
 
You can also set a "critical" flag for these attributes to indicate that OpenSSL must enforce using the attribute for your security needs. Refer to the Command Line Interface for more information.
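The extensions and the critical flag in the CLI example above are standard X.509v3 content, so they can be checked independently of the appliance. The following is an added example, not code from the announcement or from SGOS: it builds a CSR carrying the same four extensions (SAN, Basic Constraints, Key Usage, Extended Key Usage) with the same critical flags, then parses a CSR back and reports which extensions are present and which are marked critical. The inspect half is what you would run on a CSR exported from the appliance before sending it to a CA; since extensions in a CSR are only requests, the issued certificate should be inspected the same way afterwards. It assumes the third-party `cryptography` package is installed; the subject, DNS names and key are constructed for the example.

```python
"""Build and inspect an X.509v3 CSR with critical extensions (added example, not SGOS code).

Assumes the third-party 'cryptography' package; subject, SAN and key are constructed.
"""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def build_csr(country, common_name, san_dns, ca=True, bc_critical=True, ku_critical=True):
    """Return a PEM CSR with SAN, Basic Constraints, Key Usage and EKU extensions.
    bc_critical / ku_critical mirror the 'critical' flag described above."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # digitalSignature,keyCertSign as in the CLI example; every other bit cleared.
    key_usage = x509.KeyUsage(
        digital_signature=True, key_cert_sign=True,
        content_commitment=False, key_encipherment=False, data_encipherment=False,
        key_agreement=False, crl_sign=False, encipher_only=False, decipher_only=False,
    )
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([
            x509.NameAttribute(NameOID.COUNTRY_NAME, country),
            x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        ]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(d) for d in san_dns]), critical=False)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=bc_critical)
        .add_extension(key_usage, critical=ku_critical)
        # serverAuth,clientAuth as in the CLI example
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH,
                                              ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def inspect_csr(pem):
    """Parse a PEM CSR and summarise its subject, signature and the four extensions,
    including whether each one is flagged critical."""
    csr = x509.load_pem_x509_csr(pem)
    exts = csr.extensions
    bc = exts.get_extension_for_class(x509.BasicConstraints)
    ku = exts.get_extension_for_class(x509.KeyUsage)
    eku = exts.get_extension_for_class(x509.ExtendedKeyUsage)
    san = exts.get_extension_for_class(x509.SubjectAlternativeName)
    return {
        "signature_valid": csr.is_signature_valid,
        "common_name": csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "basic_constraints": {"critical": bc.critical, "ca": bc.value.ca},
        "key_usage": {"critical": ku.critical,
                      "digitalSignature": ku.value.digital_signature,
                      "keyCertSign": ku.value.key_cert_sign},
        "extended_key_usage": {"critical": eku.critical,
                               "oids": sorted(o.dotted_string for o in eku.value)},
        "san": {"critical": san.critical, "dns": san.value.get_values_for_type(x509.DNSName)},
    }


if __name__ == "__main__":
    pem = build_csr("US", "My SSL Proxy", ["proxy.example.test"])
    for field, value in inspect_csr(pem).items():
        print(f"{field}: {value}")
```

To check an appliance-generated CSR instead, read the exported PEM into `inspect_csr`; a CA that does not understand a critical extension is required to reject the request rather than silently ignore it, so a mismatch in the critical flags is worth catching here.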
 
 

Separate Event Logging Configuration for Email and Syslog

Previous SGOS and Advanced Secure Gateway releases allowed you to select an event logging level that applied to all events for both Syslog and email. Now, you can select different event logging levels for Syslog and email, and use event IDs to specify overrides to the default logging level.
 
To support this feature, the following commands are deprecated:
 
  # (config event-log) level <level>
  # (config event-log) syslog {enable | disable}
Use the following new commands to configure and view event log notification settings:
 
  # (config event-log notifications) <subcommands>
  show event-log notifications
You can also use the ProxySG Admin Console (Administration > Logging > Event Logging) to configure the logging behavior.
 
 

Recognition of Specific CAB Data Types in HTTP Responses

The http.response.apparent_data_type=<data_type> condition now supports matching for specific CAB file types:
  • MSCAB: MS Cab archive 
  • ISCAB: InstallShield archive
The existing CAB type previously matched for MS Cab only; now you can use it to match for both MSCAB and ISCAB. 
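An apparent-data-type condition classifies a response by the bytes of the body rather than by Content-Type or URL suffix, which is why distinguishing MSCAB from ISCAB is possible at all. The following is an added example, not code from the announcement or from SGOS: a minimal sniffer that applies the public file signatures (Microsoft cabinet files begin with the ASCII bytes `MSCF`, InstallShield cabinets with `ISc(`), mirrors the announced matching semantics (`CAB` matches either family, the specific names match one), and flags responses whose declared Content-Type disagrees with the body. How SGOS itself recognises these types is not described on the page; the sample responses are constructed.

```python
"""Magic-byte classification of CAB responses (added example, not SGOS code).

Assumptions: public file signatures (MS cabinet 'MSCF', InstallShield 'ISc(');
the sample responses are constructed for the example.
"""

MSCAB_MAGIC = b"MSCF"
ISCAB_MAGIC = b"ISc("
CAB_CONTENT_TYPES = {"application/vnd.ms-cab-compressed"}


def apparent_data_type(body: bytes) -> str:
    """Return 'MSCAB', 'ISCAB' or 'unknown' from the first four bytes of the body."""
    head = body[:4]
    if head == MSCAB_MAGIC:
        return "MSCAB"
    if head == ISCAB_MAGIC:
        return "ISCAB"
    return "unknown"


def matches_cab(body: bytes, wanted: str) -> bool:
    """Announced semantics: 'CAB' matches both families, 'MSCAB'/'ISCAB' match one."""
    found = apparent_data_type(body)
    if wanted == "CAB":
        return found in ("MSCAB", "ISCAB")
    return found == wanted


def classify_all(responses):
    """Map each response URL to its sniffed type."""
    return {r["url"]: apparent_data_type(r["body"]) for r in responses}


def header_mismatches(responses):
    """URLs whose body is a cabinet but whose declared Content-Type says otherwise;
    these are the cases a type-based check catches and a header-based check misses."""
    return [r["url"] for r in responses
            if apparent_data_type(r["body"]) != "unknown"
            and r["content_type"] not in CAB_CONTENT_TYPES]


# Constructed sample responses: headers claim one thing, bodies sometimes another.
SAMPLE_RESPONSES = [
    {"url": "http://example.test/setup.cab",
     "content_type": "application/vnd.ms-cab-compressed", "body": MSCAB_MAGIC + b"\x00" * 32},
    {"url": "http://example.test/data1.cab",
     "content_type": "application/octet-stream", "body": ISCAB_MAGIC + b"\x00" * 32},
    {"url": "http://example.test/readme.txt",
     "content_type": "text/plain", "body": MSCAB_MAGIC + b"\x00" * 32},
    {"url": "http://example.test/image.png",
     "content_type": "image/png", "body": b"\x89PNG\r\n\x1a\n"},
]

if __name__ == "__main__":
    for url, kind in classify_all(SAMPLE_RESPONSES).items():
        print(f"{kind:8} {url}")
    print("header/body mismatches:", header_mismatches(SAMPLE_RESPONSES))
```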
 

Threat Detection Notification VPM Objects

Version 7.3.4.1 introduced CPL to trigger ICAP notifications based on content in ICAP-scanned requests and responses. For more information, see "ProxySG ICAP Enhancements" in the version 7.3.4.1 release notes. Version 7.3.8.1 adds the following new Service VPM objects for the ICAP notification policy gestures:
  • Request Threat Detected: (Static object) Specifies whether threat scanning detected a threat in the request.
    CPL condition: request.icap.threat_detected=
  • Response Threat Detected: (Static object) Specifies whether threat scanning detected a threat in the response.
    CPL condition: response.icap.threat_detected=
  • Request Threat Info: Specifies whether threat scanning detected a specific type of threat in the request. 
    CPL conditions: request.icap.threat_id=, request.icap.threat_id.exists=, request.icap.threat_details=, request.icap.threat_details.exists=, request.icap.threat_source=, and request.icap.threat_source.exists=
  • Response Threat Info: Specifies whether threat scanning detected a specific type of threat in the response.
    CPL conditions: response.icap.threat_id=, response.icap.threat_id.exists=, response.icap.threat_details=, response.icap.threat_details.exists=, response.icap.threat_source=, and response.icap.threat_source.exists=
These objects are available in the Web Access Layer and Web Request Layer.
 
 

ProxySG Admin Console 1.2.4.1

The following features are available in the ProxySG Admin Console:
  • Configure Certificate Revocation Lists (CRLs) to check certificates against CA-provided lists of invalid and expired certificates (Configuration > SSL > CRLs).
  • You can create self-signed certificates and certificate signing requests (CSRs) with the extensions described in the "X.509v3 Enhancements for Self-Signed Certificates and Certificate Signing Requests" feature above. When viewing the certificate, the extensions are displayed in an Extensions section (Configuration > SSL > CA Certificates).
  • Import external certificates, for which Symantec does not have the private key, to the appliance and manage external certificate lists (Configuration > SSL > External Certificates).
  • Specify a range of SSL/TLS versions to use for all intercepted SSL connections (Configuration > Services > SSL Proxy Settings). See the "SSL/TLS Version Controls for SSL Forward Proxy" feature above. To support this feature, when configuring the SSL client, device profile, reverse proxy listener service, and HTTPS management service, you must specify a contiguous range of SSL/TLS versions (for example, TLSv1.1, v1.2, and v1.3). If you specify only TLSv1.3 and v1.1, for example, you receive an error "SSL versions must be contiguous" and cannot save the configuration.
  • Keep the central policy file up to date by automatically downloading a new file when it is updated, and receiving email notifications in the event of a policy file change. You can view and update policy files on the appliance and view the policy source (Configuration > Policy > Policy Options).
  • Enable SNMP functionality on the appliance and configure SNMPv1, SNMPv2c, or SNMPv3 to monitor network devices for health or status conditions (Administration > SNMP > SNMP).
  • View and edit settings for system, licensing, status, and subscription metrics (Administration > Health Checks and Monitoring > Health Monitoring). 
  • Configure global event logging settings such as maximum event log file size, SMTP server, and Syslog loghosts. You can also select different event logging levels for Syslog and email and specify overrides as described in the "Separate Event Logging Configuration for Email and Syslog" feature above (Administration > Logging > Event Logging). 
  • Perform routine and troubleshooting tasks such as restart, shutdown, clearing caches, and resetting the system (Administration > General > Tasks).
The System Image Catalog (Administration > Systems > Software System Images) is updated:
  • The list of system images now shows the index number for each system.
  • The Signed column has been removed from the list (all system images are signed).

 

Deploy ProxySG Virtual Appliance on VMware Tools

You can now deploy a ProxySG virtual appliance via zero-touch provisioning (ZTP) on VMware Tools.
 

 

Microsoft Outlook Email Protocol (MAPI) Improvements

  • REQMOD and RESPMOD statistics are now reported separately under MAPI over HTTP proxy statistics (available at advanced URL /mapihttp/statistics).
  • Email attachment upload in Outlook 2021 is significantly improved. Previously, sometimes uploaded email attachments were truncated, jumbled, or both. Email attachment upload is now fully supported in Outlook 2021.
  • Email attachment upload performance is improved.


Specify an Interface for Reflect Client IP


When initiating upstream connections, use the specified interface for the outbound source IP address.


reflect_ip(interface.<label>)




Removed Hardware Registration Commands


The following CLI commands have been removed:


#licensing register-hardware
#licensing mark-registered

These commands are no longer required for licensing an appliance.

 

To download this release and review Release Notes, visit the Symantec Enterprise Security portal at https://support.broadcom.com/security. A MyBroadcom login is required. See https://knowledge.broadcom.com/external/article/151364/download-the-latest-version-of-symantec.html for details. 

If you have any questions or require assistance, please contact Broadcom Customer Care online at https://www.broadcom.com/support/software/contact where you can submit an online request using the Customer Care web form: https://ca-broadcom.wolkenservicedesk.com/web-form?_ga=2.205828371.1432263889.1590607313-713014253.1588711301.  You can also call Broadcom Customer Care at +1-800-225-5224 in North America or see https://www.broadcom.com/support/software/contact for the local number in your country. 

Should you need any assistance, our Broadcom Services experts can help.  For more information on Broadcom Services and how you can leverage our experience, please visit https://www.broadcom.com/support/ca/services-support/ca-services.


Your success is very important to us, and we look forward to continuing our successful partnership with you.

 

To review Broadcom Support lifecycle policies, please review the Broadcom Support Policy and Terms located at: https://support.broadcom.com/.  

 

Thank you again for your business.