Fix: Fixes an issue related to DNS-based FQDN Address Object resources where enabling DNS caching could result in a race condition between a policy change and the DNS resolution interval, causing the cache for a domain to be reset to a value of 0 (no cache). When this situation occurs, the domain resolution will never be cached and any existing cache values will be flushed as their TTLs expire. The end result is that the Gateway will eventually not match traffic for that domain. This fix addresses the race condition such that the cache will operate as expected.
Enhancement: Moves the policy type mismatch message, generated for each session that is processed by two Rules that have mismatched policy types (Forwarding and Forward Proxy), to an Event related to each session. This eliminates many System Log messages when this scenario occurs and generates the error as an Event associated with each session. When this scenario occurs, the session will be denied and the Event will report the reason. The deny will also be represented in the Traffic Summary Log.
Enhancement: Enhances the Forward Proxy policy to validate the server certificate when negotiating the backend (Gateway to Server) TLS session. The certificate validation is disabled by default, but can be configured in a Decryption Profile for all TLS sessions and in an FQDN Match Object on a per-domain (or set of domains) basis.
Enhancement: Integrates with Teleport to accommodate reverse SSH, making it easier to SSH to the Gateway instance management interface, especially when the Gateway is orchestrated without public IPs. The need to SSH is rare and only necessary for advanced troubleshooting purposes. Inbound communication is inhibited by default using CSP restrictions (Security Groups, Network Security Groups, Firewall Rules).
Fix: Fixes an issue where a Forward Proxy Rule that uses an FQDN Match Object for decryption exception could result in traffic processing issues
Fix: Fixes an issue where traffic would be incorrectly denied by a Forward Proxy Rule configured with an FQDN Match Profile due to delays in certificate validation. The deny will be seen as an FQDNFILTER Security Event even though an FQDN Filtering Profile is not applied.
Fix: Fixes an issue where a Rule that uses an FQDN Match object would incorrectly process traffic for an uncategorized domain
Fix: Fixes an issue related to dynamic Address Objects where a large number of IPs and a large number of changes to those IPs could result in the datapath not accepting changes, causing matching issues resulting in traffic being processed incorrectly
Fix: Fixes an issue with DNS-based FQDN caching where setting the DNS resolution interval would not change the frequency of DNS resolution
Fix: Fixes an issue with Packet Collection that could cause the Gateway to become unhealthy
Fix: Fixes an issue where certain logs from the Gateway could contain private key information
Fix: Fixes various Gateway stability issues
Fix: Fixes a Gateway memory leak that could also cause a CPU issue resulting in traffic processing issues
Fix: Fixes an issue where the URI information is not shown in the Traffic Summary Log
Fix: Fixes an issue where the L7DOS Event does not properly show the URI