Skip to content

Gateway Release: 23.02

23.02-11 - July 10, 2023

  • Fix: Fixes a stability issue in the Snort engine that could cause the Gateway to self heal
  • Fix: Fixes an issue where Ingress traffic containing a long header will cause the Reverse Proxy to generate a 400 response code
  • Fix: Fixes an issue where traffic is not processed properly by a Forward Proxy Rule when the Rule uses a FQDN Match Profile with multiple rows containing a mixture of Decryption Exception settings

23.02-10 - June 28, 2023

  • Fix: Fixes an issue where applying a DNS-based cache setting to a Gateway will cause the Gateway instance to become unhealthy

23.02-09 - June 25, 2023

  • Fix: Removes 15-day periodic Gateway datapath self-heal that was in place to help ensure consistent Gateway health. This was incorporated more than 2 years ago to address an issue that was challenging to catch and fix. That issue has since been addressed, but the periodic self-heal was never removed. It is no longer needed and has now been removed.
  • Fix: Fixes an issue where a GCP Gateway could not generate support-related diagnostic bundles
  • Fix: Fixes an issue where an NTP Profile was repeatedly applied to a Gateway even though no Profile change was introduced
  • Fix: Fixes an issue where a Policy Rule Set could be in a persistent "Updating" state when an FQDN Filtering Profile is applied
  • Fix: Fixes an issue where an empty Address Object applied to a Gateway would result in a traffic processing issue
  • Fix: Fixes an issue where an unnecessary datapath self-heal would occur when simultaneously applying both an NTP Profile and Log Forwarding Profile to a Gateway. This issue would only surface if the Profiles are applied using orchestration since the operations are independent, would occur sequentially and all within a very short separation in time.

23.02-08 - June 15, 2023

  • Fix: Fixes an issue where changing the WAF action from "Allow Log" to "Rule Default" could cause the datapath to restart multiple times
  • Fix: Provides an update to revert a change that was made in 23.04-05 related to a slow session pool leak addressed by a preemptive datapath self-heal. The previous update has the potential to cause datapath self-heals that cannot be preempted. This release ensures stability while the initial issue is fully addressed.

23.02-07 - June 8, 2023

  • Fix: Fixes an issue where an L4_FW event was not consistently produced when for traffic processed by the Gateway
  • Fix: Fixes an issue where HTTP traffic with chunked Transfer-Encoding could cause large memory consumption in WAF that would trigger a datapath self heal

23.02-06 - June 2, 2023

  • Fix: Fixes a slow memory leak that results in a silent datapath restart that could disrupt traffic
  • Fix: Fixes a very slow session pool leak that would result in a preemptive datapath self-heal
  • Fix: Fixes an issue where a Reset on Deny (TCP Reset) would not be issued when traffic is processed by a Ruleset that uses FQDN Match
  • Fix: Fixes an issue where an Ingress Gateway could issue an incorrect certificate when a Rule has been configured with a domain that contains more than 3 levels
  • Fix: Fixes an issue where frequent changes to an Address Object could result in the datapath not accepting further changes
  • Fix: Fixes various Gateway stability issues that would result in a datapath self-heal

23.02-05 - May 22, 2023

  • Enhancement: Provides an enhanced memory profiling mode enabled as a Gateway setting. This is useful for advanced troubleshooting to understand memory consumption.
  • Fix: Fixes an issue with traffic processing for a Policy Ruleset Rule that uses FQDN Match. Sessions containing a TLS SNI that would match the FQDN would initially be denied, but subsequent sessions would be incorrectly allowed.

23.02-04 - April 14, 2023

  • Fix: Fixes an issue related to Websockets Proxy where a duplicate host header would be added to the backend connection. In general, this is not an issue as the RFC states that multiple (and duplicate) host headers are allowed. But there are some application frameworks that do not accept multiple host headers. Ngnix as an application server is one of those systems. When Nginx receives HTTP traffic with multiple host headers, it will reject the session and respond back with a 400 Bad Request.
  • Fix: Moved the TLS renegotiation configuration to a Valtix-configurable setting. Changed the renegotiation back to a default state of enabled due to potential issues with older clients that rely on renegotiation. To disable renegotiation, please contact Valtix Support.
  • Fix: Changes the auto-scaling CPU threshold from 75% to 95% to reduce the CPU-based auto-scaling sensitivity

23.02-03 - March 7, 2023

  • Fix: Fixes an issue where DLP and IDS/IPS Profiles that were created prior to IDS/IPS and WAF Custom Rule support might not operate as expected unless the Profile was modified and saved

23.02-02 - February 20, 2023

  • Fix: Fixes an Ingress Gateway issue related to large-volume bursty TLS traffic where the Gateway could issue an incorrect certificate to the client. This scenario is rare and is a downstream issue that could occur in Gateway release 23.02-01. This fix addresses the downstream issue by ensuring it is never reached and is a safeguard to ensure the issue never occurs.
  • Fix: Disabled TLS renegotiation to address vulnerability related to CVE-2009-3555
  • Fix: Fixes an issue where the FQDN Filtering Events would show reversed source/destination IP/Port information

23.02-01 - February 15, 2023

  • Enhancement: Enhances the DNS-based FQDN Address Object to accommodate IP Address caching. The enhancement provides a configurable set of Gateway settings related to DNS resolution frequency (update interval), IP Address TTL (entry TTL) and IP Address cache size (cache). These settings can be applied using Terraform only. When not applied, default values are: 60 (seconds) for DNS resolution frequency, 0 (seconds) for IP Address TTL (no caching), and 0 (address count) for IP Address cache size (no caching).
  • Enhancement: Enhances the Egress/East-West Policy Ruleset Rule matching criteria to introduce a new variation of an FQDN Profile called an FQDN Match Profile. The FQDN Profile variant is a set of PCRE-defined FQDNs that can be applied to TLS encrypted traffic such that the policy can match on SNI. This enhances the segmentation policy with added flexibility for policies that need to have finer-grained control based on FQDNs.
  • Fix: Fixes an Ingress Gateway issue related to the session upstream connection where the connection being null could result in a datapath self heal
  • Fix: Fixes a stability issue in WAF related to large POST commands with chunked encoding enabled
  • Fix: Fixes an Ingress Gateway session pool exhaustion issue related to HTTP Keepalives where frontend (Client to Gateway) has KA enabled and backend (Gateway to Server) has KA disabled
  • Fix: Fixes an issue related to a dynamic policy that leverages a GCP service where the service does not exist resulting in a policy that contains an empty IP/CIDR. The configuration is valid requiring the Gateway to handle cases where a policy might contain an empty IP/CIDR.
  • Fix: Fixes an issue related to Rule matching that could result in a datapath self-heal
  • Fix: Removes an Azure-generated message that is presented as a System Log message related to Gateway provisioning where Azure assigns a different interface type than requested and posts a warning message suggesting potential performance degradation. The message is seen as TYPE_AZURE_DEGRADED_PERFORMANCE. There is no performance impact related to the assigned interface type.
  • Fix: Enhances Gateway stability for all use cases to eliminate any potential session pool exhaustion