
Gateway Release: 23.12

24.02-01 - February 28, 2024

  • Enhancement: [Private Preview] Adds support for site-to-site VPN. This includes VPN tunnel configuration, including IPSec and BGP. The VPN is terminated directly on the Gateway to process and protect traffic flowing across the VPN. This enhancement requires Gateway version 24.02 or later.
  • Enhancement: Adds support to dynamically track changes to certificate objects where the private key is stored in the CSP and retrieved by the Gateway. When changes take place to the CSP resource, the Controller will instruct the Gateway to reread the private key from the CSP resource to ensure that it is accessible and the updated content is used. If there are any issues with accessing the certificate, a System Log message will be generated.
  • Enhancement: Adds a message to the management Linux shell when logging in via SSH. The message emphasizes that the device is a Cisco-managed device (i.e., a device managed by the Controller).
  • Enhancement: Adds support for more than one Syslog Server configuration in a Log Forwarding Group
  • Fix: Addresses the CVE-2023-4863 vulnerability related to libwebp version 1.2.0-3.el9
  • Fix: Fixes an issue where a policy change that results in a datapath hitless restart could cause high latencies that impact traffic processing, including load balancer health checks, under light or moderate load
  • Fix: Completes a fix introduced in 23.08-12 that still left 4-core instance types affected. The issue is high CPU utilization caused by debug I/O activity; the fix now covers all instance types across all CSPs.
  • Fix: Fixes an issue related to high CPU utilization that was caused by I/O related debug activity
  • Fix: Fixes an issue related to intermittent LB healthcheck failures. The fix enhances the Gateway by prioritizing healthchecks to ensure the LB does not incorrectly mark instances as unhealthy.
  • Fix: Fixes an Egress Gateway memory leak that would be automatically corrected by triggering a self-healing preemptive datapath restart
  • Fix: Fixes an issue where a generated Gateway diagnostic bundle would be larger than the size permitted for sending to the Controller, resulting in the inability to analyze Gateway logs. This fix relaxes the restrictive limit so generated diagnostic bundles are successfully sent to the Controller.
  • Fix: Fixes an issue where more than one SNI event was being recorded for each session processed by a Forward Proxy Rule
  • Fix: Improvements to the stability of the Gateway
  • Fix: Fixes a traffic processing issue where traffic would stop being processed after TCP and TLS due to a race condition related to DNS-based FQDN caching
  • Fix: Fixes an issue where the Gateway might not successfully build the IP cache when either an active or inactive rule has DNS-based FQDN caching configured. When the cache is not properly built, policy could fail to match traffic. This fix ensures the IP cache is properly built so that policy matches and processes traffic properly.
  • Fix: Changes the timeout for waiting for a SYN ACK after receiving a SYN. The original timeout was 120 seconds. In certain scenarios (e.g., port scanning) where a SYN ACK is never returned, a long timeout keeps a session pool entry occupied longer than desired. For scenarios where many sessions do not respond with a SYN ACK, the session pool could be exhausted. This is often referred to as a SYN flood. By reducing the timeout, the session is released sooner in order to free up the session pool for use in processing valid sessions. The timeout has been reduced to 30s and is configurable via a Gateway setting.
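The following model illustrates the session-pool effect described in the SYN ACK timeout item above. It is an added example written for this page, not Gateway code, and its pool capacity, SYN rate and timings are constructed values: a fixed-size session table holds one entry per SYN until either a SYN ACK promotes it to established or the timeout evicts it. A steady stream of SYNs that never receive a SYN ACK then occupies roughly rate × timeout entries (Little's law), so the same stream that exhausts the pool at 120s leaves it mostly free at 30s.

```python
"""Session-pool occupancy model for half-open (SYN, no SYN ACK) entries.

Added illustration, not Gateway code. Times are integer milliseconds so the
simulation is deterministic.
"""
from collections import deque


class SessionPool:
    """Fixed-capacity session table with a SYN ACK wait timeout."""

    def __init__(self, capacity: int, syn_ack_timeout_ms: int) -> None:
        self.capacity = capacity
        self.timeout_ms = syn_ack_timeout_ms
        # Half-open entries in expiry order: (expiry_ms, session_id).
        self.half_open: deque[tuple[int, int]] = deque()
        self.established: set[int] = set()
        self.rejected = 0
        self.expired = 0

    def _expire(self, now_ms: int) -> None:
        # Entries are appended in time order, so evict from the left.
        while self.half_open and self.half_open[0][0] <= now_ms:
            self.half_open.popleft()
            self.expired += 1

    def in_use(self) -> int:
        return len(self.half_open) + len(self.established)

    def syn(self, now_ms: int, session_id: int) -> bool:
        """Client SYN seen: allocate an entry, or reject if the pool is full."""
        self._expire(now_ms)
        if self.in_use() >= self.capacity:
            self.rejected += 1
            return False
        self.half_open.append((now_ms + self.timeout_ms, session_id))
        return True

    def syn_ack(self, now_ms: int, session_id: int) -> bool:
        """Server SYN ACK seen: promote the half-open entry to established."""
        self._expire(now_ms)
        for i, (_, sid) in enumerate(self.half_open):
            if sid == session_id:
                del self.half_open[i]
                self.established.add(session_id)
                return True
        return False  # already expired or never allocated


def steady_state_half_open(unanswered_per_sec: float, timeout_ms: int) -> float:
    """Expected half-open entries held by a constant stream of unanswered SYNs."""
    return unanswered_per_sec * timeout_ms / 1000.0


def simulate(capacity: int, syn_ack_timeout_ms: int,
             unanswered_per_sec: int, legit_at_ms: int) -> dict:
    """Feed the pool SYNs that never get a SYN ACK, then attempt one
    legitimate handshake at legit_at_ms and report whether it was accepted."""
    pool = SessionPool(capacity, syn_ack_timeout_ms)
    step_ms = 1000 // unanswered_per_sec
    sid = 0
    for t in range(0, legit_at_ms, step_ms):
        pool.syn(t, sid)          # SYN from a scanner; SYN ACK never arrives
        sid += 1
    # Legitimate client: SYN, then the server's SYN ACK 10 ms later.
    accepted = pool.syn(legit_at_ms, sid)
    completed = accepted and pool.syn_ack(legit_at_ms + 10, sid)
    return {
        "handshake_ok": completed,
        "in_use": pool.in_use(),
        "rejected": pool.rejected,
        "expected_half_open": steady_state_half_open(unanswered_per_sec, syn_ack_timeout_ms),
    }


if __name__ == "__main__":
    # Constructed scenario: 1000-entry pool, 10 unanswered SYNs per second.
    for timeout in (120_000, 30_000):
        print(timeout, simulate(1000, timeout, 10, 200_050))
```

With the constructed numbers, 10 unanswered SYNs per second hold about 1200 entries at a 120s timeout, more than the 1000-entry pool, so the legitimate handshake is rejected; at 30s the same stream holds about 300 entries and the handshake completes. When sizing a real session pool, compare the expected unanswered-SYN rate times the configured timeout against the pool capacity.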
  • Fix: Fixes an issue related to DNS-based FQDN Address Object resources where enabling DNS caching could result in a race condition between a policy change and the DNS resolution interval that would reset the cache value for a domain to 0 (no cache). When this situation occurs, the domain resolution is never cached and any existing cache values are flushed as their TTLs expire. The end result is that the Gateway eventually does not match traffic for that domain. This fix addresses the race condition so that the cache operates as expected.
  • Fix: Fixes an issue where the DPI (IDS/IPS) Security Event sent to a Syslog Server did not carry a correctly populated Action field. The field was present, but its values were not consistent with the Action values shown in the UI or in the Event information sent to other SIEMs. The fix applies universally across all Security Events to ensure the Action field has values of ALLOW or DENY.
  • Fix: Fixes an issue where changing a Security Profile from auto-update to manual without changing the ruleset version would result in an unnecessary datapath restart. The fix ensures that the change is applied without requiring a datapath restart.
  • Fix: Improvements to the stability of the Gateway
  • Fix: Improvements to the performance of the Gateway
  • Fix: Fixes an issue with the SNI Security Event where the domain that is obtained from the SNI field of a TLS Hello message would populate the Text field for the event rather than the FQDN field. The change to populate the FQDN field provides consistency across Logs and Events when viewing and filtering by domain using the FQDN field.
  • Fix: Fixes an issue with the datapath process that could result in a session pool leak. When this situation occurs, the datapath evaluates the session pool consumption and self-heals before the leak becomes operationally impactful. This fix corrects the leak to avoid the datapath needing to self-heal.
  • Fix: Improves performance of the Gateway by optimizing API calls to the Controller to retrieve Gateway profile information
  • Fix: Fixes an issue where setting the Policy Rule Set Rule Action to a No Log value would still generate a Log message