Version 23.04-01 April 20, 2023

Enhances the error message reporting by the Gateway when a TLS session cannot be negotiated due to no shared cipher suite. The error message for Security Events of type "TLS_ERROR" have been enhanced to be more descriptive.

Enhances the hardening of the Centos base image used in the Valtix Gateway. The base image has now been moved to Centos9 and is hardened to accommodate environments that have strict compliance requirements.

Provides support for configuring the NTP settings of a Gateway. The Gateway NTP settings can be configured using an NTP Profile that can be assigned to the Gateway.

Support for Azure GWLB-based architectures for Ingress protection.

Fixes an issue with FQDN Match Object where the traffic would be processed by an incorrect Rule when no SNI is present in the traffic.

Fixes an issue where DLP and IDS/IPS Profiles that were created prior to IDS/IPS and WAF Custom Rule support might not operate as expected unless the Profile was modified and saved.

Fixes an Ingress Gateway issue related to large-volume bursty TLS traffic where the Gateway could issue an incorrect certificate to the client. This scenario is rare and is a downstream issue that could occur in Gateway releases 22.12-04 and earlier. This fix addresses the downstream issue by ensuring it is never reached and is a safeguard to ensure the issue never occurs.

Fixes an issue where the same certificate could be issued when the policy is specified with two or more unique listener ports, with each sharing the same SNI and backend configuration.

Fixes an issue where the datapath engine would not start after failing to load an updated package. This issue has been addressed with the new CentOS 9 base image where package updates are handled by Valtix and not by the Linux kernel itself.

Fixes an issue where FQDNFILTER Events where showing a reversed source and destination IP/Port information.

Fixes an issue related to URL Filter Profile where the a Profile created using an older Controller version would not properly deny URLs when the action is configured as deny.

Fixes a traffic processing issue related to L7DOS Profile configuration. When the Profile is configured with a Request Rate or Burst Size of 1, the datapath would not limit the traffic properly.

Fixes a traffic processing issue related to L7DOS Profile configuration. When the Profile is configured with Request Rate or Burst Size values of 0, the datapath should inhibit any traffic related to the specified URL/URI. Even though the L7DOS Profile can be used to block URLs/URIs by using this method, the recommended method is to create a URL Filter Profile and apply the Profile to the Policy Ruleset Rules that are processing traffic related to the URL.

Fixes an issue with Traffic Summary Logs and Events that are sent directly from the Gateway to CSP storage systems (S3 Bucket, GCP Logging) where the friendly name to field values were represented by an integer. This would require a documented integer to friendly name translation by the user. The Logs and Events will now contain the friendly name and not the integer value.

Fixes a stability issue in an Egress Gateway related to various traffic patterns.

Fixes an issue related to Websockets Proxy where a duplicate host header would be added to the backend connection. In general, this is not an issue as the RFC states that multiple (and duplicate) host headers are allowed. But there are some application frameworks that do not accept multiple host headers. Ngnix as an application server is one of those systems. When Nginx receives HTTP traffic with multiple host headers, it will reject the session and respond back with a 400 Bad Request.

Fixes OS vulnerabilities related to Gateway Management Centos Linux container that would result in information notices in vulnerability scanners.

Fixes an issue with MLX4 DPDK driver for Azure Gateway that could cause an infrequent datapath self-heal.

Changes the auto-scaling CPU threshold from 75% to 95% to reduce the CPU-based auto-scaling sensitivity.