Fix: Fixes an issue related with DNS-based FQDN Address Object resources where enabling DNS caching could result in a race condition between policy change and the DNS resolution interval that would result in the cache for a domain to be reset to a value of 0 (no cache). When this situation occurs, the domain resolution will never be cached and any existing cache values will be flushed as their TTL expire. The end result is the Gateway will eventually not match traffic for that domain. This fix addresses the race condition such that the cache will operate as expected.
Fix: Fixes an issue where traffic would be incorrectly denied by a Forward Proxy Rule configured with an FQDN Match Profile due to delays in certificate validation. The deny will be seen as an FQDNFILTER Security Event even though an FQDN Filtering Profile is not applied.
Fix: Fixes an issue related to Address Objects where a large number of changes to IPs/CIDRs could result in the datapath not accepting changes, causing matching issues resulting in traffic being processed incorrectly
Fix: Fixes a slow session pool leak related to UDP traffic that would result in the DP detecting the leak and restarting the datapath
Fix: Fixes an issue where the presence of underscores in an SNI would cause the proxy to not pass traffic. This change enables the proxy configuration to accommodate the use of underscores in domain names.
Fix: Improvements to the stability of the Gateway
Fix: Fixes an additional issue with large file transfers related to HTTP commands (e.g., Github repository cloning) where a proxy timeout would result in a 408 status code
Fix: Fixes an issue where traffic is matched to a correct policy, but an incorrect certificate is issued
Fix: Fixes an issue where URL Filtering category query timeout expires causing the traffic to be denied
Fix: Fixes a proxy connection leak
Fix: Fixes an issue where URL encoded characters of [ and ] in an HTTP object name where decoded by the Gateway, but not re-encoded before sending the request to the server. This results in the server not being able to properly locate the object, returning a 400 response code. This fix properly re-encodes the characters prior to sending the request to the server.
Fix: Fixes an issue where an update to a CIDR-based Address Object is not properly applied to the datapath workers, resulting in incorrect Rule matching
Fix: Fixes an issue with a DNS-based FQDN Address Object where a DNS cache is properly established, but not properly applied to the datapath workers, resulting in incorrect Rule matching
Fix: Fixes a datapath processing behavior where a Forward Proxy Rule preceded by a Forwarding Rule for the same L3/L4 (IP/port/protocol) matching criteria, but distinct L5 (SNI) matching would result in traffic processed as Forwarding even though proper Rule matching occurs. A similar behavior would be seen if the Forwarding and Forward Proxy Rules order were reversed. The reason this behavior occurs is that in order to accommodate L5 (SNI) matching, the TCP handshake must be fully established to receive the TLS hello message to obtain the SNI. Once the TCP handshake has completed, the traffic has already been processed by the Rule type of the first Rule. Once the session has been established, it is not possible to change the traffic processing from Forwarding to Forward Proxy (or vice versa). If a Policy Rule Set has been configured with this conflict, the datapath will detect the conflict and generate a System Log message. The traffic will be denied as it cannot successfully be processed by the conflicting Rule.
Fix: Fixes a stability issue with the Ingress Gateway where the datapath could self heal due to an issue with the upstream proxy
Fix: Fixes an issue where a datapath restart would result in a spike in CPU that could cause an unnecessary auto-scale
Fix: Fixes an issue where a GCP Gateway could not generate support-related diagnostic bundles
Fix: Fixes an issue where an NTP Profile was repeatedly applied to a Gateway even though no Profile change was introduced
Fix: Fixes an issue where an empty Address Object applied to a Gateway would result in a traffic processing issue
Fix: Fixes an issue where an unnecessary datapath self-heal would occur when simultaneously applying both an NTP Profile and Log Forwarding Profile to a Gateway. This issue would only surface if the Profiles are applied using orchestration since the operations are independent, would occur sequentially and all within a very short separation in time.
Fix: Fixes an issue where an Ingress Gateway could issue an incorrect certificate when a Rule has been configured with a domain that contains more than 3 levels
Fix: Fixes an issue where frequent changes to an Address Object could result in the datapath not accepting further changes
Fix: Fixes an issue where a Reset on Deny (TCP Reset) would not be issued when traffic is processed by a Ruleset that uses FQDN Match
Fix: Fixes an issue where an L4_FW event was not consistently produced when for traffic processed by the Gateway
Fix: Fixes an issue where changing the WAF action from "Allow Log" to "Rule Default" could cause the datapath to restart multiple times
Fix: Fixes an issue where HTTP traffic with chunked Transfer-Encoding could cause large memory consumption in WAF that would trigger a datapath self heal
Fix: Fixes a slow memory leak that results in a silent datapath restart that could disrupt traffic
Fix: Fixes a memory issue that could result in a datapath self heal