Software Multicloud Defense
Activity Cloud Deployment

Version 24.06-01 July 10, 2024

Enhancements

The following enhancements are included in this release:

  • Adds support for inspecting content within a GRE tunnel that passes through the gateway. The gateway will decapsulate the traffic, perform inspection on the encapsulated traffic to apply proper policy and protection, then re-encapsulate that traffic back into the GRE tunnel.

  • Adds support for active connection resets during gateway upgrade and scale-in scenarios. When one of these scenarios occurs while the gateway is processing long-running connections that neither the client nor the server has closed, the gateway sends a TCP RST to actively close the connection before the old instance is reaped, rather than leaving the connection to linger.

  • Adds support for specifying a custom banner that is displayed when logging in to a gateway instance through Teleport (SSH access). This is a requirement for gateways deployed into FedRAMP environments, where any method of SSH access must display a customer-defined banner.
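The GRE enhancement above describes a three-step path: decapsulate, inspect the encapsulated traffic, re-encapsulate. The following Python model is an added example written for this page; it is not Multicloud Defense code. It strips the outer IPv4 and GRE headers (RFC 2784 version 0, honouring the optional checksum, key and sequence fields), applies a toy policy to the inner flow, and rebuilds the tunnel packet byte for byte when the verdict is allow. The addresses, the blocked-port rule and the sample packet are all constructed for the example.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
BLOCKED_TCP_PORTS = {23}  # toy policy for this example: deny inner Telnet (assumption)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum, used by both the IPv4 header and the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options, no fragmentation) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes):
    """Validate an IPv4 header and return (src, dst, proto, payload)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad IPv4 header lengths")
    if ones_complement_sum(pkt[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, pkt[ihl:total_len]


def gre_decapsulate(outer: bytes):
    """Strip outer IPv4 + GRE; return (outer_src, outer_dst, gre_header, inner_packet)."""
    o_src, o_dst, proto, gre = parse_ipv4(outer)
    if proto != GRE_PROTO or len(gre) < 4:
        raise ValueError("not a GRE packet")
    flags_ver, ptype = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:
        raise ValueError("only GRE version 0 (RFC 2784/2890) is handled")
    hdr_len = 4 + 4 * bool(flags_ver & 0x8000)   # C bit: checksum + reserved1
    hdr_len += 4 * bool(flags_ver & 0x2000)      # K bit: key
    hdr_len += 4 * bool(flags_ver & 0x1000)      # S bit: sequence number
    if ptype != ETHERTYPE_IPV4 or len(gre) < hdr_len:
        raise ValueError("unsupported GRE payload type or truncated GRE header")
    if flags_ver & 0x8000 and ones_complement_sum(gre) != 0:
        raise ValueError("bad GRE checksum")
    return o_src, o_dst, gre[:hdr_len], gre[hdr_len:]


def gre_encapsulate(o_src: str, o_dst: str, gre_hdr: bytes, inner: bytes) -> bytes:
    """Rebuild the tunnel packet, recomputing the GRE checksum when the C bit is set."""
    flags_ver = struct.unpack("!H", gre_hdr[:2])[0]
    if flags_ver & 0x8000:
        zeroed = gre_hdr[:4] + b"\x00\x00" + gre_hdr[6:] + inner
        gre_hdr = gre_hdr[:4] + struct.pack("!H", ones_complement_sum(zeroed)) + gre_hdr[6:]
    return build_ipv4(o_src, o_dst, GRE_PROTO, gre_hdr + inner)


def inspect_inner(inner: bytes) -> str:
    """Policy is applied to the encapsulated packet, not to the outer tunnel endpoints."""
    _, _, proto, l4 = parse_ipv4(inner)
    if proto == 6 and len(l4) >= 4:              # TCP: look at the destination port
        _, dport = struct.unpack("!HH", l4[:4])
        if dport in BLOCKED_TCP_PORTS:
            return "deny"
    return "allow"


def process_gre_packet(outer: bytes):
    """Decapsulate, inspect the inner flow, re-encapsulate only when allowed."""
    o_src, o_dst, gre_hdr, inner = gre_decapsulate(outer)
    verdict = inspect_inner(inner)
    if verdict != "allow":
        return verdict, None
    return verdict, gre_encapsulate(o_src, o_dst, gre_hdr, inner)


def make_sample(dport: int, with_key: bool = False, with_csum: bool = False) -> bytes:
    """Constructed tunnel packet: TCP SYN inside IPv4 inside GRE inside IPv4."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = build_ipv4("192.168.10.5", "172.16.0.20", 6, tcp)
    flags = (0x8000 if with_csum else 0) | (0x2000 if with_key else 0)
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    gre += b"\x00\x00\x00\x00" if with_csum else b""   # checksum placeholder + reserved1
    gre += struct.pack("!I", 0x0000BEEF) if with_key else b""
    if with_csum:
        gre = gre[:4] + struct.pack("!H", ones_complement_sum(gre + inner)) + gre[6:]
    return build_ipv4("203.0.113.1", "198.51.100.2", GRE_PROTO, gre + inner)


if __name__ == "__main__":
    print(process_gre_packet(make_sample(443))[0], process_gre_packet(make_sample(23))[0])
```

The point a practitioner should take from the model is that the verdict comes from the inner header (`inspect_inner`), and that the outer packet is only rebuilt, with the GRE checksum recomputed, after the policy allows it; an allowed packet comes back out identical to what entered the tunnel.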

Fixes

The following fixes are included in this release:

  • Fixes an issue where specifying a Validate Certificate action other than "Default" in a Decryption profile caused the gateway to become unhealthy.

  • Fixes an issue with user-generated diagnostic bundles where the gateway failed to generate the bundle and send it to the Multicloud Defense Controller.

  • Fixes an issue related to the use of GeoIP. Countries with many providers advertise a very large number of prefixes, so a GeoIP address group that includes such country codes contains a very large number of CIDR blocks. The GeoIP address group was limited to 64k CIDRs, and exceeding that limit resulted in only a partial set of CIDRs being applied to the policy, leaving the remaining prefixes unmatched. This fix relaxes the limit so that the full set of CIDRs is applied. An 8-core instance type is recommended because of the additional memory GeoIP requires.

  • Fixes an issue where the gateway could issue the wrong certificate when a Chrome browser connects to the gateway using TLS 1.3. This is caused by a change Chrome made in April 2024 to enable hybrid post-quantum key exchange (X25519Kyber768) by default. The much larger key_share extension pushes the Client Hello beyond 1415 bytes, which could prevent the proxy from reading the Server Name Indication (SNI) it uses to decide which certificate to issue. The fix ensures the proxy supports Client Hello messages larger than 1415 bytes.

  • Fixes an issue where the gateway was not producing the correct statistics for display in the Investigate > Network Analytics > Stats page.

  • Fixes various stability issues.

  • Fixes an issue related to blue/green policy changes. When a policy change occurs and the new datapath becomes active, the gateway begins draining current sessions off the old datapath. If the sessions could not be drained properly, the gateway treated the datapath as unhealthy and restarted it. The restart terminated both the old and the new datapath, which could disrupt both old and new sessions. The fix ensures that session draining completes properly and eliminates the condition under which the datapath was seen as unhealthy.

  • Fixes an issue where a VPN tunnel state transition was not generating a System Log message to provide troubleshooting and debugging information on the tunnel setup and negotiation.

  • Fixes a slow memory leak on an ingress gateway that eventually triggered a datapath self-heal. The leak is related to traffic containing gzip-compressed files.

  • Fixes an issue where an ingress gateway could drop a connection when back-to-back POST requests carry payloads larger than 160 KB.
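The TLS 1.3 SNI fix above is worth seeing in code. The following Python example is added for this page and is not Multicloud Defense code: it constructs a Client Hello whose key_share carries a 1216-byte X25519Kyber768 share (the size of that hybrid share as Chrome shipped it) so that, with SNI placed after it, the hello exceeds 1415 bytes, then shows a parser that trusts the handshake length and reassembles across TLS records, next to a model of the pre-fix behaviour that parses only a 1415-byte first read. The padding extension standing in for the ALPN, signature_algorithms and GREASE bulk of a real browser hello, the 1415-byte first read, and the host name are constructed assumptions; no real capture is used.

```python
import os
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SNI, EXT_PADDING, EXT_KEY_SHARE = 0x0000, 0x0015, 0x0033
GROUP_X25519, GROUP_X25519KYBER768 = 0x001D, 0x6399   # 0x6399: draft hybrid code point
LEGACY_FIRST_READ = 1415                              # assumed size of the old first read


def _vec(data: bytes, size: int) -> bytes:
    """TLS length-prefixed vector."""
    return len(data).to_bytes(size, "big") + data


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(server_name: str, hybrid_pq: bool) -> bytes:
    """Constructed ClientHello handshake message (not a browser capture)."""
    shares = b""
    if hybrid_pq:   # X25519 (32 bytes) + Kyber768 encapsulation key (1184 bytes)
        shares += struct.pack("!HH", GROUP_X25519KYBER768, 1216) + os.urandom(1216)
    shares += struct.pack("!HH", GROUP_X25519, 32) + os.urandom(32)
    sni_list = b"\x00" + _vec(server_name.encode("ascii"), 2)   # name_type 0 = host_name
    # Chrome shuffles extension order, so SNI can legitimately follow the big key_share.
    # The 128-byte padding extension is an assumption standing in for a real hello's bulk.
    exts = (_ext(EXT_KEY_SHARE, _vec(shares, 2)) + _ext(EXT_PADDING, bytes(128))
            + _ext(EXT_SNI, _vec(sni_list, 2)))
    body = (b"\x03\x03" + os.urandom(32) + _vec(b"", 1)          # legacy_version, random, session_id
            + _vec(b"\x13\x01\x13\x02", 2) + _vec(b"\x00", 1)   # cipher_suites, compression_methods
            + _vec(exts, 2))
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def to_records(handshake: bytes, max_frag: int = 16384) -> bytes:
    """Wrap a handshake message in one or more TLS records; a hello may span several."""
    return b"".join(b"\x16\x03\x01" + _vec(handshake[i:i + max_frag], 2)
                    for i in range(0, len(handshake), max_frag))


def _sni_from_body(body: bytes) -> str:
    p = 34                                                   # legacy_version + random
    p += 1 + body[p]                                         # session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")            # cipher_suites
    p += 1 + body[p]                                         # compression_methods
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data, p = body[p + 4:p + 4 + elen], p + 4 + elen
        if etype == EXT_SNI:
            q, list_end = 2, 2 + int.from_bytes(data[:2], "big")
            while q + 3 <= list_end:
                ntype, nlen = data[q], int.from_bytes(data[q + 1:q + 3], "big")
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
    return ""                                                # hello carries no SNI


def extract_sni(stream: bytes):
    """SNI from the start of a TCP stream. None = incomplete, read more; "" = no SNI.

    The parser trusts the handshake length field instead of a fixed-size first read, so a
    1.5 KB hybrid-PQ hello arriving across several segments or records is handled like a
    250-byte classic one.
    """
    hs, off, need = b"", 0, None
    while need is None or len(hs) < need:
        if len(stream) - off < 5:
            return None
        ctype, _ver, rlen = struct.unpack("!BHH", stream[off:off + 5])
        if ctype != HANDSHAKE or rlen > 16384:
            raise ValueError("not a TLS handshake record")
        if len(stream) - off - 5 < rlen:
            return None                                      # record fragment still in flight
        hs += stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if need is None and len(hs) >= 4:
            if hs[0] != CLIENT_HELLO:
                raise ValueError("first handshake message is not ClientHello")
            need = 4 + int.from_bytes(hs[1:4], "big")
    return _sni_from_body(hs[4:need])


def legacy_first_read_sni(stream: bytes) -> str:
    """Model of the pre-fix behaviour: parse only what a 1415-byte first read returned."""
    return extract_sni(stream[:LEGACY_FIRST_READ]) or ""    # "needs more" collapses to "no SNI"


if __name__ == "__main__":
    pq = to_records(build_client_hello("example.com", hybrid_pq=True))
    print(len(pq), repr(legacy_first_read_sni(pq)), repr(extract_sni(pq)))
```

With the classic hello (about 250 bytes) both parsers agree; with the hybrid hello (about 1.5 KB) the first-read model reports no SNI, which is exactly the condition under which a proxy would fall back to a default certificate, while `extract_sni` either asks for more bytes or returns the name once the whole handshake message has arrived.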