Fix: Fixes an Ingress Gateway issue related to large-volume bursty TLS traffic where the Gateway could issue an incorrect certificate to the client. This scenario is rare and is a downstream issue that could occur in Gateway release 23.02-01. The fix is a safeguard that ensures the downstream issue is never reached.
Fix: Disables TLS renegotiation to address the vulnerability related to CVE-2009-3555
Fix: Fixes an issue where the FQDN Filtering Events would show reversed source/destination IP/Port information
Enhancement: Enhances the DNS-based FQDN Address Object to accommodate IP Address caching. The enhancement provides a configurable set of Gateway settings related to DNS resolution frequency (update interval), IP Address TTL (entry TTL) and IP Address cache size (cache). These settings can be applied using Terraform only. When not applied, default values are: 60 (seconds) for DNS resolution frequency, 0 (seconds) for IP Address TTL (no caching), and 0 (address count) for IP Address cache size (no caching).
Enhancement: Enhances the Egress/East-West Policy Ruleset Rule matching criteria to introduce a new variation of an FQDN Profile called an FQDN Match Profile. The FQDN Profile variant is a set of PCRE-defined FQDNs that can be applied to TLS encrypted traffic such that the policy can match on SNI. This enhances the segmentation policy with added flexibility for policies that need to have finer-grained control based on FQDNs.
Fix: Fixes an Ingress Gateway issue related to the session upstream connection where the connection being null could result in a datapath self-heal
Fix: Fixes a stability issue in WAF related to large POST commands with chunked encoding enabled
Fix: Fixes an Ingress Gateway session pool exhaustion issue related to HTTP Keepalives (KA) where the frontend (Client to Gateway) has KA enabled and the backend (Gateway to Server) has KA disabled
Fix: Fixes an issue related to a dynamic policy that leverages a GCP service where the service does not exist, resulting in a policy that contains an empty IP/CIDR. The configuration is valid, so the Gateway must handle cases where a policy might contain an empty IP/CIDR.
Fix: Fixes an issue related to Rule matching that could result in a datapath self-heal
Fix: Removes an Azure-generated message that is presented as a System Log message related to Gateway provisioning where Azure assigns a different interface type than requested and posts a warning message suggesting potential performance degradation. The message is seen as TYPE_AZURE_DEGRADED_PERFORMANCE. There is no performance impact related to the assigned interface type.
Fix: Enhances Gateway stability for all use cases to eliminate any potential session pool exhaustion