Software Multicloud Defense
Activity Cloud Deployment

Version 24.06-02 September 18, 2024

Enhancements

The following enhancement is included in this release:

  • Continued enhancements to the gateway to accommodate FedRAMP CIS Level-2 hardening.

Fixes

The following fixes are included in this release:

  • Fixes an issue where the gateway will self-heal if an empty FQDN/URL Filtering profile is assigned to the policy rule set.

  • Fixes a deny rule action issue related to the use of domains as a 6-tuple match. If the first rule match is a 6-tuple match (includes an assigned FQDN Match Profile) and the policy action is set to Deny, the deny action was based on the 5-tuple match alone and did not take the domain into consideration. This fix ensures that all 6 tuples are considered when evaluating the rule and its action. If the traffic does not match the rule on the 6-tuple match, evaluation refines the match to a subsequent rule and takes action based on the matched rule's configuration.

  • Fixes an issue where an Azure ingress gateway will get stuck in Health Checking Pending state after a policy update is applied. This issue also includes new gateway deployments.

  • Fixes an allow rule match issue related to the use of domains as a 6-tuple match. If the first rule match is a 6-tuple match (includes an assigned FQDN Match Profile), the policy action is set to Allow, and there are no subsequent rules that are consistent with the 5-tuple match of the first rule, then all domains were allowed and none were denied. This fix ensures that only the domains that are matched in the rule are allowed, and all other domains that are not matched are denied.

  • Fixes an issue where an egress policy rule set that uses a decryption-based forward proxy (TLS, HTTPS, WebsocketS) was initially matching on the 5-tuple and retrieving the domain from the SNI, but not performing a match refinement based on the 6th tuple, resulting in a TLS error. The fix ensures that 6-tuple match refinement occurs so that the traffic can be successfully processed by the proper decryption rule.
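The three 6-tuple fixes above (deny without domain consideration, allow-all when no subsequent rule matches, and missing refinement for decryption rules) describe the same evaluation change. The following added example is not Cisco code; it is a simplified model of rule evaluation that shows the pre-fix "first 5-tuple hit decides" behaviour beside the fixed "refine on the 6th tuple, otherwise fall through" behaviour. Rule, Session and the exact-or-any field matching are assumptions made for illustration; an implicit default deny when no rule matches is also an assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # "any" or an exact address (constructed simplification)
    dst: str
    proto: str
    dport: Optional[int]           # None = any destination port (source port omitted)
    action: str                    # "allow" or "deny"
    domains: Optional[FrozenSet[str]] = None  # FQDN Match Profile; None = no 6th tuple


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: str
    dport: int
    sni: Optional[str]             # domain taken from the TLS ClientHello SNI, if any


def five_tuple_match(rule: Rule, s: Session) -> bool:
    """Classic match on addresses, protocol and port; the domain plays no part."""
    return (rule.src in ("any", s.src) and rule.dst in ("any", s.dst)
            and rule.proto == s.proto and rule.dport in (None, s.dport))


def six_tuple_match(rule: Rule, s: Session) -> bool:
    """5-tuple match refined by the domain whenever the rule carries an FQDN profile."""
    if not five_tuple_match(rule, s):
        return False
    return rule.domains is None or (s.sni is not None and s.sni in rule.domains)


def evaluate_prefix(rules: List[Rule], s: Session) -> str:
    """Pre-fix behaviour from the notes: the first 5-tuple hit decides, the domain is ignored."""
    for r in rules:
        if five_tuple_match(r, s):
            return r.action
    return "deny"  # assumption: implicit default deny


def evaluate_fixed(rules: List[Rule], s: Session) -> str:
    """Fixed behaviour: a rule applies only when all 6 tuples match, else evaluation falls through."""
    for r in rules:
        if six_tuple_match(r, s):
            return r.action
    return "deny"  # assumption: implicit default deny
```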

  • Fixes an issue where sessions with TLS negotiation errors were not recording the SNI as a Traffic Summary > Event.

  • Fixes an issue where multiple SNI events were being recorded for each forward proxy full decrypted session.

  • Fixes an issue where the address group size could be exceeded, causing all IPs/CIDRs in excess of the size to not be included in the address group. The address group size has been increased to 20k IPs/CIDRs.

  • Adds a System Log message if the GeoIP limitations of the gateway are exceeded.

  • Fixes an issue where the wrong action would be taken for URL filtering category matching if the URL is not found in the cache and the attempt to retrieve its category times out.

  • Ensures that a user with administrator access to configure a URL Filtering profile cannot use the custom URL response to inject JavaScript. The fix enforces HTML encoding in the custom URL response.