Skip to content

Gateway Release: 23.10

23.10-03 - January 11, 2024

  • Fix: Fixes an issue where a generated Gateway diagnostic bundle would be larger than what would be permitted to send to the Controller resulting in the inability to analyze Gateway logs. This fix addresses the restrictive limit so generated diagnostic bundles will be successfully sent to the Controller.
  • Fix: Fixes an issue where the Gateway might not successfully build the IP cache when either an active or inactive rule has DNS-based FQDN caching configured. When the cache is not properly built, policy could fail to match traffic. This fix ensures the IP cache is properly built in order for the policy match and process traffic properly.
  • Fix: Changes the timeout for waiting for a SYN ACK after receiving a SYN. The original timeout was 120 seconds. In certain scenarios (e.g., port scanning) where a SYN ACK is never returned, a long timeout will consume an entry in the session pull long that desired. For scenarios where many sessions do not respond with a SYN ACK, the session pool could be exhausted. This is often referred to as a SYN flood. By reducing the timeout, the session will be released sooner in order to free up the session pool for use in processing valid sessions. The timeout has been reduced to 30s and is configurable via a Gateway setting.
  • Fix: Improvements to the stability of the Gateway

23.10-02 - November 16, 2023

  • Fix: Fixes an issue related with DNS-based FQDN Address Object resources where enabling DNS caching could result in a race condition between policy change and the DNS resolution interval that would result in the cache for a domain to be reset to a value of 0 (no cache). When this situation occurs, the domain resolution will never be cached and any existing cache values will be flushed as their TTL expire. The end result is the Gateway will eventually not match traffic for that domain. This fix addresses the race condition such that the cache will operate as expected.

23.10-01 - November 3, 2023

  • Enhancement: Moves the policy type mismatch message generated for each session that is processed by two Rules that have mismatched policy type (Forwarding and Forward Proxy) to a Security Event log related to each session. This eliminates a large volume of per-session System Log messages without eliminating the per-session log. When this scenario occurs, the session will be denied and the Event associated with the session will report the reason. The deny will also be represented in the Traffic Summary Log.
  • Enhancement: Enhances the Forward Proxy policy to validate the server certificate when negotiating the backend (Gateway to Server) TLS session. The certificate validation is disabled by default, but can be configured in a Decryption Profile for all TLS sessions and in an FQDN Match Object on a per-domain (or set of domains) basis.
  • Enhancement: Integrates with Teleport to accommodate reverse SSH making it easier to SSH to the Gateway instance management interface especially when the Gateway is orchestrated without public IPs. The requirements to SSH is rare and only necessary for advanced troubleshooting purposes. Inbound communication is inhibited by default using CSP restrictions (Security Groups, Network Security Groups, Firewall Rules).
  • Fix: Fixes an issue related to a Forward Proxy Rule that uses an FQDN Match Object for decryption exception could result in traffic processing issues
  • Fix: Fixes an issue where traffic would be incorrectly denied by a Forward Proxy Rule configured with an FQDN Match Profile due to delays in certificate validation. The deny will be seen as an FQDNFILTER Security Event even though an FQDN Filtering Profile is not applied.
  • Fix: Fixes an issue where a Rule that uses an FQDN Match object would incorrectly process traffic for an uncategorized domain
  • Fix: Fixes an issue related to dynamic Address Objects where a large number of IPs and a large number of changes to those IPs could result in the datapath not accepting changes, causing matching issues resulting in traffic being processed incorrectly
  • Fix: Fixes an issue with DNS-based FQDN caching where setting the DNS resolution interval would not change the frequency of DNS resolution
  • Fix: Fixes an issue with Packet Collection that could cause the Gateway to become unhealthy
  • Fix: Fixes an issue where certain logs from the Gateway could contain private key information
  • Fix: Fixes various Gateway stability issues
  • Fix: Fixes a Gateway memory leak that could also cause a CPU issue resulting in traffic processing issues
  • Fix: Fixes an issue where the URI information is not shown in Traffic Summary Log
  • Fix: Fixes an issue where L7DOS Event does not properly show the URI