SGOS and Advanced Secure Gateway 7.3.21.1

ASG-S200


24700

19 July 2024

July 18, 2024

 

To:         Secure Web Gateway Customers

From:     The Broadcom SGOS and Advanced Secure Gateway Product Team

Subject:  General Availability Announcement for SGOS and Advanced Secure Gateway

 

On behalf of Broadcom, we appreciate your business and the opportunity to provide you with high-quality, innovative software and services.  As part of our ongoing commitment to customer success, we regularly release updated versions of our products. Today, we are pleased to announce that SGOS and Advanced Secure Gateway 7.3.21.1 is now available, supporting the following new features:  

New Severity Level for Access Log Size Limit

The severity level of event log messages about access logs that have reached the size limit has changed from informational to severe. This change ensures that you are notified when the access log is close to the limit and will either stop logging new entries or delete old entries (depending on policy). You can also view the event log to troubleshoot errors that occur when the appliance uploads the access log to a server.

To view the access log limits, use the >show access-log command. To configure the access log limits and policy, use the max-log-size and overflow-policy subcommands of the #(config) access-log command. To configure the event log notification settings, use the #(config) event-log command.

Policy Trace Improvements

In policy traces, authentication entries now include more timestamps. Also, unless you enable the verbose level for authentication entries, authentication entries are filtered out of the trace. To enable different levels for authentication entries, use the define probe definition.

SkyUI Removal

The SkyUI user interface is potentially vulnerable to security issues, and was disabled by default in 7.3.1.1. In releases before 7.3.21.1, you could re-enable SkyUI using an option in the # (config ui) command. In this release, the # (config ui) command has been removed.

The following advanced URLs are also removed:

  • /ui
  • /ui/index.htm
  • /sky
  • /sky/index.htm
  • /sky/wanop.html
  • /sky/wanop-disabled.html
  • /sky/system_up.xml

New Size Controls for HTTP/2 Connections and Streams

To enable you to control the speed of data transfers over HTTP/2 connections and streams, the following new CPL properties have been added:

  • http2.client.connection_window_size(bytes)
  • http2.client.stream_window_size(bytes)
  • http2.server.connection_window_size(bytes)
  • http2.server.stream_window_size(bytes)

Use these properties to speed up data transfers when specific HTTP/2 domains are experiencing high latency. The server properties affect response data (such as downloads) and the client properties affect request data (such as POST or PUT requests). If the downloading speed is slow, applying the server window properties may improve the speed.

The http2.client.connection_window_size() and http2.client.stream_window_size() properties must be set before the client connection is upgraded to HTTP/2. These properties commit early because the HTTP/2 client upgrade occurs before the appliance processes HTTPS requests. To ensure the window size is set before the HTTP/2 client upgrade occurs, use the client.connection.ssl_server_name= condition to set the client-side window sizes for a specific domain.

Also, the maximum window size for an HTTP/2 stream has increased from 262144 bytes to 1048576 bytes. The default value for the connection window size is 524286 bytes. The default value for the stream window size is 65535 bytes.
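Added example (not part of the Broadcom announcement and not product code): a sizing helper showing why these window sizes matter on high-latency paths. HTTP/2 flow control lets a sender keep at most the smaller of the stream window and the connection window in flight per round trip, so throughput is bounded by window / RTT. The four constants are the values quoted above; the RTT and target rates are constructed inputs.

```python
# Added example, not Broadcom code. Constants are the byte values quoted in the
# release notes; the RTT and target rates used below are constructed inputs.
DEFAULT_STREAM_WINDOW = 65535
OLD_MAX_STREAM_WINDOW = 262144
NEW_MAX_STREAM_WINDOW = 1048576
DEFAULT_CONNECTION_WINDOW = 524286


def required_window(target_bps: int, rtt_ms: int) -> int:
    """Bandwidth-delay product in bytes, rounded up (integer math only)."""
    return -(-target_bps * rtt_ms // 8000)


def ceiling_bps(stream_window: int, connection_window: int, rtt_ms: int) -> int:
    """Throughput bound for one stream: at most min(stream, connection)
    unacknowledged bytes can be in flight per round trip."""
    return min(stream_window, connection_window) * 8000 // rtt_ms


def plan_stream_window(target_bps: int, rtt_ms: int,
                       max_window: int = NEW_MAX_STREAM_WINDOW):
    """Return (window_bytes, capped): the stream window to configure and
    whether the documented stream maximum keeps the target out of reach."""
    need = max(required_window(target_bps, rtt_ms), DEFAULT_STREAM_WINDOW)
    return min(need, max_window), need > max_window


if __name__ == "__main__":
    rtt = 120  # milliseconds, constructed
    for label, win in (("default", DEFAULT_STREAM_WINDOW),
                       ("old max", OLD_MAX_STREAM_WINDOW),
                       ("new max", NEW_MAX_STREAM_WINDOW)):
        # Connection window set equal to the stream window to isolate the
        # effect of the stream window alone.
        print(f"{label:8} stream window {win:>8} B -> "
              f"{ceiling_bps(win, win, rtt) / 1e6:6.2f} Mbit/s at {rtt} ms")

    window, capped = plan_stream_window(50_000_000, rtt)
    print(f"50 Mbit/s at {rtt} ms needs a {window} B stream window (capped={capped})")
    # Raising only the stream window leaves the default connection window
    # as the bottleneck.
    bottleneck = ceiling_bps(window, DEFAULT_CONNECTION_WINDOW, rtt)
    print(f"with the default connection window: {bottleneck / 1e6:.2f} Mbit/s")
```

The last line of output shows that a stream window larger than the connection window gains nothing until the connection window is raised as well.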


Exclude Headers from Being Added

To ensure headers and strings are not leaked if a fail open happens, a new parameter has been added to the set() action:

set(header, string [, exclude_from_origin])

Update to Event Log Message for PCAP Filters

To make event log messages for PCAP filtering clearer and easier to locate, the message for when you have enabled PCAP filtering now includes the filter keywords.

Increase in the Policy Trace Size

To ensure the appliance provides enough space for advanced policy diagnostics, the default size limit for policy traces has been increased from 1 MB to 10 MB.

SGAC 2.2.3

New Category Details Report

You can now view and sort details for the category that the appliance assigned to the sites it accessed, such as the number of hits for the different categories, or the composition of the hits for each category. To view Category Details, in the Admin Console, navigate to Reports > Category Details. You can find the following details on the Category Details page:
  • Category Hits: This bar graph allows you to view and sort the number of hits for each category over the selected time period.
  • Category Composition: This pie chart gives you a visual representation of the hits for each category over the selected time period. You can hover over the pieces of the chart to see the exact percentage of hits the group received.
  • Category Details: This table allows you to sort data by the number of hits, and filter on each column for specific text and numbers.

New Group Filter for Threat Risk Details

On the Threat Risk Details report page (Reports > Threat Risk Details), you can now filter every chart and table on the page by a specific group. To filter the data on the page by a specific group, click the Group dropdown and select a group.

HSM Keylists Renamed to Keygroups

HSM keylists have been renamed to HSM keygroups. No changes to functionality have been made. Configure HSM keygroups in the Admin Console under Configuration > SSL > HSM.
 

Web VPM 2.2.3

New Action Objects for Web Access Layer

In the Web Access layer, the following static action objects are now available:
  • Log out/Do Not Log out Other Users With Same IP
  • Log out/Do Not Log out User
  • Log out/Do Not Log out User’s Other Sessions

New Permit SOCKS Authentication Error Object

The Permit SOCKS Authentication Error object is available from the Action column of the SOCKS Authentication layer. Use this action object to decide, based on the authentication error, whether transactions that could not be authenticated are allowed to proceed.

New Combined Action Objects for SOCKS Authentication Layer

For the SOCKS Authentication layer, combined action objects are now available.

To download this release and review Release Notes, visit the Symantec Enterprise Security portal at https://support.broadcom.com/security. A MyBroadcom login is required. See https://knowledge.broadcom.com/external/article/151364/download-the-latest-version-of-symantec.html for details.

If you have any questions or require assistance, please contact Broadcom Customer Care online at https://www.broadcom.com/support/software/contact where you can submit an online request using the Customer Care web form: https://ca-broadcom.wolkenservicedesk.com/web-form?_ga=2.205828371.1432263889.1590607313-713014253.1588711301. You can also call Broadcom Customer Care at +1-800-225-5224 in North America or see https://www.broadcom.com/support/software/contact for the local number in your country.


Should you need any assistance, our Broadcom Services experts can help.  For more information on Broadcom Services and how you can leverage our experience, please visit https://www.broadcom.com/support/ca/services-support/ca-services.


Your success is very important to us, and we look forward to continuing our successful partnership with you.

 

To review Broadcom Support lifecycle policies, see the Broadcom Support Policy and Terms located at: https://support.broadcom.com/.

 

Thank you again for your business.