Fix: Fixes an issue where a proxy policy could could issue the wrong certificate when a Chrome browser is connecting to the Gateway using TLS 1.3. This is caused by a change made in Chrome in April 2024 to shift to Post-Quantum Cryptography. With this change, the Client Hello is larger than 1415 bytes, which can result in an inability to retrieve the Server Name Indication (SNI), which is used by the proxy to determine what certificate to issue. The fix ensures the proxy can support Client Hello sizes greater than 1415 bytes.
Fix: Fixes an issue related to the use of GeoIP. Countries with many providers have a very large number of advertised prefixes. When those country codes are used in a GeoIP Address Group, the Address Group will contain a large number of CIDR blocks. The GeoIP Address Group was restricted to 64k CIDRs where exceeding this limit would result in a partial set of CIDRs applied to the policy. This fix relaxes the limit to ensure the full set of CIDRs will be applied to the policy. It is recommended to use an 8-core instance type due to the additional memory requirements imposed by GeoIP.
Fix: Fixes an issue where an Egress Gateway would silently close TCP connections at 240s even though the TCP established timeout was changed to a value greater than 240s.
Fix: Fixes an issue where the datapath of an Egress Gateway could self heal when filtering traffic using a URL Filtering Profile.
Fix: Fixes an issue where the Gateway could issue the wrong certificate when a Chrome browser is connecting to the Gateway using TLS 1.3. This is caused by a change made in Chrome in April 2024 to shift to Post-Quantum Cryptography. With this change, the Client Hello is larger than 1415 bytes, which can result in an inability to retrieve the Server Name Indication (SNI), which is used by the proxy to determine what certificate to issue. The fix ensures the proxy can support Client Hello sizes greater than 1415 bytes.
Fix: Fixes an issue where sending a TCP RST by the datapath to close a session could cause the datapath to self heal
Fix: Fixes an issue related to receive buffer exhaustion that could impact the ability of the Gateway to process traffic. For the Gateway to accommodate resetting connections (TCP RST), information from the last packet received must be retained (receive buffer). If the active session volume is high, there is a risk that the receive buffer can become exhausted, causing the Gateway to not receive new packets. This scenario can occur more commonly from half-opened connections related to SYN floods (intentional or unintentional). This fix extracts the necessary information from the last packet of each active session and stores this information in a buffer that is large enough to accommodate the Gateway active session limits, eliminating the possibility of buffer exhaustion.
Fix: Fixes an issue related to blue/green policy change. When the policy change occurs and the new datapath becomes active, the Gateway begins draining current sessions off the old datapath. If the datapath cannot properly drain the sessions, it treats the datapath as unhealthy and will employ a datapath restart. This will terminate both old and new datapaths, which could cause disruption to olFd and new sessions. The fix ensures that the session draining completes properly and eliminates the situation where the datapath is seen as unhealthy.
Fix:: Fixes an issue with log rotation for Gateways in OCI. The fix ensures that the logs are properly rotated to not consume unnecessary disk space.
Fix: Fixes an issue related to active connection reset where the TCP RST was being sent with the wrong sequence number and not actively resetting the connection
Fix: Fixes a slow memory leak for an Ingress Gateway that eventually results in a datapath self heal. The memory leak is related to traffic that contains files that are gzip compressed.
Fix: Fixes an issue related to the use of GeoIP. Countries with many providers have a very large number of advertised prefixes. When those country codes are used in a GeoIP Address Group, the Address Group will contain a large number of CIDR blocks. The GeoIP Address Group was restricted to 64k CIDRs where exceeding this limit would result in a partial set of CIDRs applied to the policy. This fix relaxes the limit to ensure the full set of CIDRs will be applied to the policy. It is recommended to use an 8-core instance type due to the additional memory requirements imposed by GeoIP.
Fix: Fixes an issue where the Gateway could issue the wrong certificate when a Chrome browser is connecting to the Gateway using TLS 1.3. This is caused by a change made in Chrome in April 2024 to shift to Post-Quantum Cryptography. With this change, the Client Hello is larger than 1415 bytes, which can result in an inability to retrieve the Server Name Indication (SNI), which is used by the proxy to determine what certificate to issue. The fix ensures the proxy can support Client Hello sizes greater than 1415 bytes.
Fix: Fixes a slow memory leak for an Ingress Gateway that eventually results in a datapath self heal. The memory leak is related to traffic that contains files that are gzip compressed.
Fix: Fixes an issue related to receive buffer exhaustion that could impact the ability of the Gateway to process traffic. For the Gateway to accommodate resetting connections (TCP RST), information from the last packet received must be retained (receive buffer). If the active session volume is high, there is a risk that the receive buffer can become exhausted, causing the Gateway to not receive new packets. This scenario can occur more commonly from half-opened connections related to SYN floods (intentional or unintentional). This fix extracts the necessary information from the last packet of each active session and stores this information in a buffer that is large enough to accommodate the Gateway active session limits, eliminating the possibility of buffer exhaustion.
Fix: Fixes an issue related to blue/green policy change. When the policy change occurs and the new datapath becomes active, the Gateway begins draining current sessions off the old datapath. If the datapath cannot properly drain the sessions, it treats the datapath as unhealthy and will employ a datapath restart. This will terminate both old and new datapaths, which could cause disruption to old and new sessions. The fix ensures that the session draining completes properly and eliminates the situation where the datapath is seen as unhealthy.
Fix: Fixes an issue where HTTP traffic passing through an Ingress Gateway was not using the proper domain specified in the Reverse Proxy Target associated with the matched Policy Rule Set Rule.
Fix: Fixes an issue where HTTP traffic passing through an Ingress Gateway was not properly matching the proper Policy Rule Set Rule
Fix: Fixes an issue related to forwarding and how the datapath protocol stack handles timings with TCP FINs and RSTs. A FIN from the server and a RST from the client could occur in a sequence such that the protocol stack would inhibit accepting (and forwarding) the RST after it has already seen a FIN. The change relaxes the protocol stacks acceptance of the RST so it can be forwarded to the server and not dropped by the protocol stack. The RST drop occurs due to a mismatch in the expected sequence number since the protocol stack has already received a FIN from the server.
Fix: Fixes an issue where the datapath could restart due to a policy change taking too long to apply
Fix: Fixes an issue that results in increased CPU usage during a blue/green policy update where two datapaths would be running at the same time. Each datapath would consume CPU in a way that assumes it is the only datapath running. When the second datapath is instantiated to accommodate the new policy, the CPU would not be shared properly and the CPU metrics would not be recorded properly.
Fix: Fixes an issue related to a memory leak for that would result in a preemptive datapath self-heal
Fix: Addresses the CVE-2023-4863 vulnerability related to libwebp version 1.2.0-3.el9
Fix: Fixes an issue related to a lost write event after a write operation to the backend server returns EAGAIN. This lost event causes the Gateway to think it has sent the request body to the backend server and is awaiting a response that will never arrive. This is a timing issue related to the speed of the Gateway vs. the speed of the backend server.
Fix: Fixes an issue with generating diagnostic bundles for Gateways deployed in OCI
Fix: Fixes an issue related to active connection reset where the TCP RST was being sent with the wrong sequence number and not actively resetting the connection
Fix: Fixes a traffic processing issue during a policy change where traffic passing through the datapath running the old policy would be unnecessarily delayed
Fix: Fixes an issue with large request body traffic where the WAF component would consume the client request body. This causes the Gateway to keep expecting the request body from the client, while the client is expecting a response from the Gateway, leading to a client timeout.
Fix: Fixes an issue related to forwarding and how the datapath protocol stack handles timings with TCP FINs and RSTs. A FIN from the server and a RST from the client could occur in a sequence such that the protocol stack would inhibit accepting (and forwarding) the RST after it has already seen a FIN. The change relaxes the protocol stacks acceptance of the RST so it can be forwarded to the server and not dropped by the protocol stack. The RST drop occurs due to a mismatch in the expected sequence number since the protocol stack has already received a FIN from the server.
Fix: Fixes an issue that results in increased CPU usage during a blue/green policy update where two datapaths would be running at the same time. Each datapath would consume CPU in a way that assumes it is the only datapath running. When the second datapath is instantiated to accommodate the new policy, the CPU would not be shared properly and the CPU metrics would not be recorded properly.
Fix: Fixes an issue where HTTP traffic passing through an Ingress Gateway was not using the proper domain specified in the Reverse Proxy Target associated with the matched Policy Rule Set Rule.
Fix: Fixes an issue where HTTP traffic passing through an Ingress Gateway was not matching the proper Policy Rule Set Rule
Fix: Fixes an issue related to a lost write event after a write operation to the backend server returns EAGAIN. This lost event causes the Gateway to think it has sent the request body to the backend server and is awaiting a response that will never arrive. This is a timing issue related to the speed of the Gateway vs. the speed of the backend server.
Fix: Fixes an issue with generating diagnostic bundles for Gateways deployed in OCI
Fix: Fixes an issue with large request body traffic where the WAF component would consume the client request body. This causes the Gateway to keep expecting the request body from the client, while the client is expecting a response from the Gateway, leading to a client timeout.
Fix: Fix: Fixes an issue related to active connection reset where the TCP RST was being sent with the wrong sequence number and not actively resetting the connection
Fix: Fixes a traffic processing issue during a policy change where traffic passing through the datapath running the old policy would be unnecessarily delayed
Fix: Fixes an issue addressed in 23.08-12 that still impacted 4-core instance types. The issue addresses high CPU utilization caused by debug I/O activity. The previous fix now addresses all instance types across all CSPs.
Fix: Fixes an issue where a policy change that results in a datapath hitless restart could cause high latencies that impact traffic processing, including load balancer health checks, under light or moderate load
Fix: Fixes an issue related to high CPU utilization that was caused by I/O related debug activity
Fix: Fixes an issue related to intermittent LB healthcheck failures. The fix enhances the Gateway by prioritizing heathchecks to ensure the LB does not incorrectly mark instances as unhealthy.
Fix: Improves performance of the Gateway by optimizing API calls to the Controller to retrieve Gateway profile information
Enhancement: Moves the policy type mismatch message generated for each session that is processed by two Rules that have mismatched policy type (Forwarding and Forward Proxy) to a Security Event log related to each session. This eliminates a large volume of per-session System Log messages without eliminating the per-session log. When this scenario occurs, the session will be denied and the Event associated with the session will report the reason. The deny will also be represented in the Traffic Summary Log.
Fix: Changes the timeout for waiting for a SYN ACK after receiving a SYN. The original timeout was 120 seconds. In certain scenarios (e.g., port scanning) where a SYN ACK is never returned, a long timeout will consume an entry in the session pool longer than desired. For scenarios where many sessions do not respond with a SYN ACK, the session pool could become exhausted. This is referred to as a SYN flood. By reducing the timeout, the session will be released sooner in order to free up the session pool for use in processing valid sessions. The timeout has been reduced to 30s and is configurable via a Gateway setting.
Fix: Fixes an issue where the Gateway might not successfully build the IP cache when either an active or inactive rule has DNS-based FQDN caching configured. When the cache is not properly built, policy could fail to match traffic. This fix ensures the IP cache is properly built in order for the policy match and process traffic properly.
Fix: Fixes an issue where a generated Gateway diagnostic bundle would be larger than what would be permitted to send to the Controller resulting in the inability to analyze Gateway logs. This fix addreses the restrictive limit so generated diagnostic bundles will be successfully sent to the Controller.
Fix: Fixes an issue related with DNS-based FQDN Address Object resources where enabling DNS caching could result in a race condition between policy change and the DNS resolution interval that would result in the cache for a domain to be reset to a value of 0 (no cache). When this situation occurs, the domain resolution will never be cached and any existing cache values will be flushed as their TTL expire. The end result is the Gateway will eventually not match traffic for that domain. This fix addresses the race condition such that the cache will operate as expected.
Fix: Fixes an issue where traffic would be incorrectly denied by a Forward Proxy Rule configured with an FQDN Match Profile due to delays in certificate validation. The deny will be seen as an FQDNFILTER Security Event even though an FQDN Filtering Profile is not applied.
Fix: Fixes an issue related to dynamic Address Objects where a large number of IPs and a large number of changes to those IPs could result in the datapath not accepting changes, causing matching issues resulting in traffic being processed incorrectly
Fix: Fixes a slow session pool leak related to UDP traffic that would result in the DP detecting the leak and restarting the datapath
Enhancement: Enhances the datapath to generate a session summary event when the Gateway connection and proxy timers are exceeded. This enhancement will help in troubleshooting when a session is closed by the Gateway due to timer settings.
Enhancement: Enhances the Forward Proxy Service Object to support L4 (TCP) and L5 (TLS) proxies
Enhancement: Enhances the Gateway datapath to track session performance
Enhancement: Enhances the Gateway datapath process to generate a TCP reset to actively close the connections during a datapath restart
Fix: Fixes an issue where URL encoded characters of [ and ] in an HTTP object name where decoded by the Gateway, but not re-encoded before sending the request to the server. This results in the server not being able to properly locate the object, returning a 400 response code. This fix properly re-encodes the characters prior to sending the request to the server.
Fix: Fixes an issue where the presence of underscores in an SNI would cause the proxy to not pass traffic. This change enables the proxy configuration to accommodate the use of underscores in domain names.
Fix: Fixes an additional issue with large file transfers related to HTTP commands (e.g., Github repository cloning) where a proxy timeout would result in a 408 status code
Fix: Fixes an issue where traffic is matched to a correct policy, but an incorrect certificate is issued
Fix: Fixes an issue with large file transfers related to HTTP commands (e.g., Github repository cloning) where a proxy timeout would result in a 408 status code
Fix: Fixes an issue where URL Filtering category query timeout expires causing the traffic to be denied
Fix: Fixes a stability issue with the Ingress Gateway where the datapath could self heal due to an issue with the upstream proxy
Fix: Fixes an issue where the Gateway could introduce additional latency when processing certain types of traffic
Fix: Fixes an unnecessary datapath restart that is triggered when enabling memory profiling
Fix: Fixes an issue where the Gateway could intermittently generate a 502 due to a datapath restart triggered by a policy change
Fix: Fixes an issue with CPU-based auto-scale could result in an unnecessary scale out