SGOS AND ADVANCED SECURE GATEWAY 7.3.1.1 GA

16401

16 November 2020

16 November 2020

November 12, 2020

 

To:         Symantec Secure Web Gateway Customers

From:     SGOS and Advanced Secure Gateway Product Teams

Subject:  General Availability Announcement for SGOS and Advanced Secure Gateway 7.3.1.1

 

On behalf of Broadcom, we appreciate your business and the opportunity to provide you with high-quality, innovative software and services.  As part of our ongoing commitment to customer success, we regularly release updated versions of our products. Today, we are pleased to announce that SGOS and Advanced Secure Gateway version 7.3.1.1 are now available, including a number of fixes and the following changes:

Web Isolation

The Symantec Web Isolation solution is a client-less solution that enables and protects users to browse the internet safely on any device using any browser. The zero footprint negates the need for software installation on clients. Starting in SGOS 7.3.x, you can easily configure the ProxySG appliance to send HTTP and HTTPS requests to Symantec Web Isolation.

You can configure the appliance with your existing dedicated cloud or on-premises isolation service. This requires configuration through the command line interface (CLI) and Visual Policy Manager (VPM) or content policy language (CPL) policy.

Refer to KB article 201609 for an overview and configuration information.
Note: In the future, the Symantec cloud Web Isolation service will also be available for customers who do not have a dedicated web isolation service.
More information:

ProxySG Admin Console 1.1.3.1

The ProxySG Admin Console, introduced with SGOS 7.2.1.1 GA, has been updated with:

  • SAML authentication realm configuration
  • geolocation configuration
  • Web Isolation configuration

The ProxySG Admin Console is not associated with SGOS releases; thus, you can use these new features without having to change your SGOS version. 

More information:

  • ProxySG Administration (Admin Console Edition)
  • Management Center Configuration and Management Guide, version 2.4 or later

Policy Coverage Updates

  • In previous releases, policy coverage statistics were reset to zero after policy was re-installed. Now, statistics persist after policy re-installations. In a multi-tenant deployment, policy coverage statistics are maintained separately per tenant and persist after tenant policy re-installation.
  • In previous releases, policy coverage showed statistics for the policy that is currently installed. Now the feature also shows cumulative statistics that include coverage from previous policy versions.
    Access current statistics at Statistics > Advanced > Policy > Show Current Policy Coverage or  https://<ProxySG_IP_address>:8082/policy/current-coverage.
    Access cumulative statistics at  Statistics > Advanced > Policy > Show Policy Coverage or  https://<ProxySG_IP_address>:8082/policy/coverage.
More information:

Policy Compile Behavior Changes

When installing policy (CPL, legacy visual policy, or web visual policy), warnings might appear at compile time to reinforce the following recommendations for accurate policy coverage statistics:
  • (CPL only) All policy sections should have labels
  • (CPL only) All policy layers should have labels, and policy layers of the same type should have unique labels  
  • Rules in the same layer can't have the same conditions
If policy contains layers or sections with the same name, installing policy results in the message: "Warning: Coverage may not be consistent across policy versions: duplicate layer/section label". Assign unique labels to layers and sections to easily identify policy rules and ensure the continuity of cumulative policy coverage statistics. 
If a policy layer contains rules with identical conditions, installing policy results in the message for the subsequent rule(s): "Warning: Unreachable rule, conditions will be matched by a preceding rule". Make sure that rule conditions are unique, so that policy coverage does not record duplicate statistics.
More Information:
  • Content Policy Language Reference
  • Web Visual Policy Manager Reference and Legacy Visual Policy Manager Reference

 

Additional Supported Apparent Data Types

The ProxySG appliance detects more apparent data types in HTTP requests and responses. The new types are now supported in apparent data type CPL properties and conditions. refer to the Release Notes for more information.

Authentication Transaction Trace Logging

The define probe CPL definition now supports logging for authentication-related traffic. Use the following syntax:
define probe case_label
  condition=condition_label
  target=auth:log_level
  ...
end

 

SSL Session Ticket and PSK Support for Session Resumption

In previous releases, the appliance used session ID to resume previously established TLS sessions. For better performance, this release improves SSL session resumption (caching) by using the SSL session ticket and pre-shared key (PSK), as follows:
  • TLS connections up to version 1.2 use session tickets
  • TLS 1.3 connections use the PSK
To support this feature, the SSL session cache size is doubled, with the following allocations:
  • Session ID - 50% of overall cache size
  • Session ticket and PSK - 50% of overall cache size
To track the session ticket hashes that the appliance sends or receives when resuming the session, include the following new fields to your access log format:
  • x-cs-session-hash - SHA256 hash of session ticket issued to or resumed by client for current SSL session
  • x-rs-session-hash - SHA256 hash of session ticket returned or resumed by server for current SSL session
If you downgrade SGOS/Advanced Secure Gateway, SSL session resumption will use SSL session ID.
This feature is available in forward proxy mode.

 

SSL Session Ticket and PSK Support for Host Affinity

In previous releases, the appliance used session ID to determine host affinity for HTTPS connections. This release supports using the SSL session ticket and PSK for host affinity, as follows:
  • TLS connections up to version 1.2 use session tickets
  • TLS 1.3 connections use the PSK
When SSL session is selected for host affinity in forwarding/SOCKS host configuration, the appliance dynamically uses the session ID, session ticket SHA256 hash, or PSK hash to make multiple client connections to the same forwarding host/group or SOCKS gateway/group. 
In the CLI, the ssl-session-id flag is changed to ssl-session for the following commands: 
# (config forwarding) host-affinity ssl ssl-session [host_or_group_alias]
# (config forwarding host_or_group_aliashost-affinity ssl ssl-session
# (config socks-gateways) host-affinity ssl ssl-session [host_or_group_alias]
# (config socks-gateways gateway_or_group_aliashost-affinity ssl ssl-session 
 
In the Management Console, the SSL Session ID  host affinity method in forwarding host and SOCKS gateway configurations is changed to SSL Session.
If you downgrade SGOS/Advanced Secure Gateway , hosts and gateways created or modified to use SSL session will use SSL session ID.
This feature is available in forward proxy mode.

 

SNI Hostname Policy

You can create policy that tests the Server Name Indication (SNI) hostname in client connections. The SNI hostname is available if the client connection is TLS and has a valid ServerName extension; otherwise, the policy has no effect.
 
The following policy gestures were added to support this feature:
 
client.connection.ssl_server_name=
client.connection.ssl_server_name.exists=
client.connection.ssl_server_name.length=

The first two gestures are available in the web VPM in the new SSL Server Name object.

In addition, you can include the x-cs-connection-ssl-server-name and x-rs-connection-ssl-server-name access log fields to log the SNI hostname.

More Information:

  • Content Policy Language Reference
  • Web Visual Policy Manager Reference
  • ProxySG Log Fields and Substitutions

Network Stack Improvements

The SGOS network stack was updated to improve performance and stability. This release includes:

  • Improved IPv6 handling.
  • ARP, TCP, and IP conformance to the latest internet standards.
  • Improved TCP throughput in the presence of out-of-order TCP packets.
  • The PCAP file downloaded from the appliance is updated to *.pcapng format, replacing the previous *.cap format.

Web Visual Policy Manager Improvements

  • A new HTTP Connect URL Category destination object allows you to test the category of the host name in the HTTP CONNECT request. This object is available in the Web Access and Web Request layers.
  • A new SSL Server Name source object tests whether a server name indication (SNI) exists based on the client.connection.ssl_server_name.exists= condition, or performs a match using a specified string or regex. This object is available in the SSL Access, SSL Intercept, Web Access, and Forwarding layers.
  • The existing Application GroupApplication Name, and Application Operation destination objects are available in the Web Authentication and Web Content layers.
  • Policy rule column headers (SourceDestinationTrack, etc.) are sticky. The column headers remain visible when you scroll through layers containing many rules.
  • For better navigation when creating and editing Combined Objects, you can sort objects by name or type.
  • To provide better visibility into large policies with many rules, the rule view features a more condensed layout with less unused space.
  • You can add a policy rule at a specific position within a layer. In the VPM, open the context menu in a rule and select Insert Rule. The new rule appears below the current rule.
  • Various areas of the Web VPM interface were improved for a more consistent and intuitive user experience.

Trust Package Update

The trust package has been updated. To download the latest trust package, issue the following CLI:

#(config) load trust-package

    Deprecations and Removals in SGOS/Advanced Secure Gateway 7.3.1.1

    • SkyUI is disabled by default in version 7.3.x. You can re-enable this management interface, but be aware that it is potentially vulnerable to security issues. For best security, do not enable SkyUI.
    • Managing ProxyClient and Unified Agent is deprecated. You can enable these features, but the proxy Management Console and the CLI indicate that support for these remote clients will be removed in a future release.
    • In the Web VPM, the Protocol Methods service object no longer includes the Instant Messaging protocol and methods. IM policies were removed in a previous release.

    To download this release and review Release Notes, visit the Symantec Enterprise Security portal at https://support.broadcom.com/security. A MyBroadcom login is required. See https://knowledge.broadcom.com/external/article/151364/download-the-latest-version-of-symantec.html for details.

     

    If you have any questions or require assistance, please contact Broadcom Customer Care online at https://www.broadcom.com/support/software/contact where you can submit an online request using the Customer Care web form: https://ca-broadcom.wolkenservicedesk.com/web-form?_ga=2.205828371.1432263889.1590607313-713014253.1588711301 .  You can also call Broadcom Customer Care at +1-800-225-5224 in North America or see https://www.broadcom.com/support/software/contact for the local number in your country. 


    Should you need any assistance, our Broadcom Services experts can help.  For more information on Broadcom Services and how you can leverage our experience, please visit https://www.broadcom.com/support/ca/services-support/ca-services.


    Your success is very important to us, and we look forward to continuing our successful partnership with you.

     

    To review Broadcom Support lifecycle policies, please review the Broadcom Support Policy and Terms located at: https://support.broadcom.com/.  

     

    Thank you again for your business.