Version 24.06
Version 24.06-07-a1 December 18, 2024
This release is a hotfix.
Fixes
The following fix is included in this hotfix:
-
Fixes an issue where a forwarding policy could not retrieve the Service Name Indication (SNI) from a TLS Client Hello message causing the gateway to close the connection with a TCP RST. This is caused by a change made in Chrome in April 2024 to shift to Post-Quantum Cryptography. With this change, the Client Hello is larger than 1415 bytes, which can result in an inability to retrieve the SNI, which is used by the policy to match or filter by domain. The fix ensures the forwarding policy can support Client Hello sizes greater than 1415 bytes
Version 24.06-07 December 18, 2024 (Recommended)
Fixes
The following fixes are included in this release:
-
Fixes an issue related to new Talos rulesets where a ruleset change could cause issues with applying the new rulesets to the gateway. The gateway will become stuck in policy ruleset Status "
Updating...
" state. This issue was caught prior to new Talos rulesets being published. The issue has is resolved with this update such that new Talos rulesets can be successfully applied. -
Fixes an issue where the datapath could become momentarily stuck, causing issues processing traffic, including heathchecks. When this occurs, the gateway will bounce between healthy and unhealthy, which is evident in a series of system log messages. The stuckness usually does not last long enough for the controller to mark the instance for replacement.
-
Fixes an issue related to a UDP connection pool leak caused by specific UDP session behavior that could eventually result in a datapath restart. When the datapath restart occurs, the instance will be unhealthy for the duration of the restart. If that unhealthy period is long enough, the controller will mark the instance for replacement.
Version 24.06-06-a1 November 28, 2024
This release is a hotfix.
Fixes
The following fix is included in this hotfix:
-
Fixes an issue where a forwarding policy could not retrieve the Service Name Indication (SNI) from a TLS Client Hello message causing the Gateway to close the connection with a TCP RST. This is caused by a change made in Chrome in April 2024 to shift to Post-Quantum Cryptography. With this change, the Client Hello is larger than 1415 bytes, which can result in an inability to retrieve the SNI, which is used by the policy to match or filter by domain. The fix ensures the forwarding policy can support Client Hello sizes greater than 1415 bytes.
Version 24.06-06 November 26, 2024
Fixes
The following fix is included in this release:
-
Fixes an issue where an Azure ingress gateway could crash when a new gateway instance is becoming active.
Version 24.06-05 November 22, 2024
Enhancements
The following enhancement is included in this release:
-
Integrates the FIPs Teleport agent into the Gateway to accommodate both FIPS (FedRAMP) and non-FIPS (commercial) environments. Teleport is disabled by default. It can only be enabled by the customer when working in conjunction with Cisco Support for advanced troubleshooting.
Fixes
The following fixes are included in this release:
-
Fixes an issue where traffic processing on an Ingress Gateway could cause high CPU resulting in an unnecessary auto-scale. The high CPU is a result of moving from a policy that initially processes a connection using an unencrypted HTTP proxy and then moving to an encrypted TCP proxy due to an HTTP redirection.
-
Fixes an issue where an Egress Gateway Forward Proxy policy could get stuck in attempting to match traffic to the proper Policy Rule.
-
Fixes an issue where some long-lived active connections would not be properly actively reset (send a TCP RST).
-
Fixes a Gateway crash that is caused by detection of malware in an Ingress Gateway reverse proxy policy.
-
Fixes the recording of Stats related to Active Connections and Connection Rate where UDP sessions were not being properly counted.
Version 24.06-04 October 25, 2024
Fixes
The following fix is included in this release:
-
Fixes an issue where a gateway could unnecessarily consume CPU in a proxy scenario where the backend connection is unresponsive causing delays in processing traffic.
Version 24.06-03 October 20, 2024
Enhancements
The following enhancements are inlcuded in this release:
-
Provides an enhanced gateway image that supports the BoringCrypto required for use for gateways deployed in a FedRamp environment. This is a continued effort towards Multicloud Defense being FedRamp compliant.
-
Adds support for a custom banner to be displayed when an SSH session to the gateway is established through Teleport.
Fixes
The following fixes are inlcuded in this release:
-
Fixes an issue where a TLS session that contains Kyber cipher suites could cause increased CPU usage resulting in the inability to process traffic.
-
Fixes an issue where the connection drain time was not being honored when a gateway instance was replaced.
-
Fixes a stability issue where the gateway datapath could self-heal when proxied sessions are actively terminated during policy change or gateway instance replacement.
-
Fixes an issue where the generation of a Diagnostic Bundle could fail.
-
Fixes an issue where the gateway could not retrieve the SNI from a TLS Client Hello message causing the gateway to close the connection with a TCP RST. This is caused by a change made in Chrome in April 2024 to shift to Post-Quantum Cryptography. With this change, the Client Hello is larger than 1415 bytes, which can result in an inability to retrieve the Server Name Indication (SNI), which is used by the proxy to determine what certificate to issue. The fix ensures the proxy can support Client Hello sizes greater than 1415 bytes.
-
Fixes various stability issues.
-
Fixes an issue where a change to DNS for a domain used in an FQDN-based address object would be received by the gateway datapath agent, but not applied to the datapath workers. This would result in the DNS change not being applied to the dynamic nature of the address object, impacting proper traffic processing.
-
Fixes an issue where the gateway-side cipher suites used in a gateway SSH session were potentially flagged as weaker cipher suites. The fix accommodates only the most secure GCM-based cipher suites.
Version 24.06-02-a2 October 2, 2024
This release is a hotfix.
Fixes
The following fixes are included in this hotfix:
-
Fixes an isuse where the Multicloud Defense Gateway temporarily crashes when a new gateway image is deployed.
-
The Multicloud Defense Gateway now honors the drain time value configured in the Multicloud Defense Controller when terminating a gateway instance.
Version 24.06-02 September 18, 2024
Enhancements
The following enhancement is included in this release:
-
Continued enhancements to the gateway to accommodate FedRAMP CIS Level-2 hardening.
Fixes
The following fixes are included in this release:
-
Fixes and issue where the gateway will self-heal if an empty FQDN/URL Filtering profile is assigned to the policy rule set.
-
Fixes a deny rule action issue related to the use of domains as a 6-tuple match. If the first rule match is a 6-tuple match (includes an assigned FQDN Match Profile) and the policy action is set to Deny, the deny action will be based on the 5-tuple match and will not include the domain for match consideration. This fix ensures that all 6-tuples are considered when evaluating the rule and its action. If the traffic does not match the rule based on the 6-tuple match, then it will refine its match to a subsequent rule and take action based on the matched rule's configuration.
-
Fixes an issue where an Azure ingress gateway will get stuck in
Health Checking Pending
state after a policy update is applied. This issue also includes new gateway deployments . -
Fixes an allow rule match issue related to the use of domains as a 6-tuple match. If the first rule match is a 6-tuple match (includes an assigned FQDN Match profile), the policy action is set to Allow and there are no subsequent rules that are consistent with the 5-tuple match of the first rule, then all domains will be allowed and domains will be denied. This fix ensures that only the domains that are matched in the rule will be allowed and all other domains will be denied
-
Fixes an issue where a egress policy rule set that uses an decryption-based forward proxy (TLS, HTTPS, WebsocketS) is initially matching on 5-tuple and retrieving the domain from the SNI, but not performing a match refinement based on the 6th tuple resulting in a TLS error. The fix ensures that 6-tuple match refinement occurs such that the traffic can be successfully processed by the proper decryption rule.
-
Fixes an issue where sessions with TLS negotiation errors where not recording the SNI as a
. -
Fixes an issue where multiple SNI events were being recorded for each forward proxy full decrypted session.
-
Fixes an issue where the address group size could be exceeded, causing all IPs/CIDRs in excess of the size to not be included in the address group. The address group size has been increased to 20k IPs/CIDRs.
-
Adds a System Log message if the GeoIP limitations of the gateway are exceeded.
-
Fixes an issue where the wrong action would be taken for URL filtering category matching if a timeout occurs when attempting to retrieve the URL filtering category if the URL is not found in the cache.
-
Ensures that an user with administrator access to configure a URL Filtering profile cannot use the custom URL response to inject Javascript. The fix enforces HTML encoding in the custom URL response.
Version 24.06-01 July 10, 2024
Enhancements
The following enhancements are included in this release:
-
Adds support for inspecting content within a GRE tunnel that passes through the gateway. The gateway will decapsulate the traffic, perform inspection on the encapsulated traffic to apply proper policy and protection, then re-encapsulate that traffic back into the GRE tunnel.
-
Adds support for active connection resets during gateway upgrade and scale-in scenarios. When these scenarios occur and the gateway is processing long running connections that are not closed by the client or server, the gateway will take action by sending a TCP RST to active close the connection when reaping the old instance.
-
Support ability to specify a custom banner when logging into a gateway instance through Teleport (SSH access). This is a requirement for gateways deployed into FedRamp environments where any method of SSH access requires a customer-defined banner to be displayed.
Fixes
The following fixes are included in this release:
-
Fixes an issue where specifying an Validate Certificate action other than "Default" in a Decryption profile will cause the gateway to become unhealthy.
-
Fixes an issue for user-generate diagnostic bundles where the gateway would fail to generate the diagnostic bundle and send to the Multicloud Defense Controller.
-
Fixes an issue related to the use of GeoIP. Countries with many providers have a very large number of advertised prefixes. When those country codes are used in a GeoIP address group, the address group will contain a large number of CIDR blocks. The GeoIP address group was restricted to 64k CIDRs where exceeding this limit would result in a partial set of CIDRs applied to the policy. This fix relaxes the limit to ensure the full set of CIDRs will be applied to the policy. It is recommended to use an 8-core instance type due to the additional memory requirements imposed by GeoIP.
-
Fixes an issue where the gateway could issue the wrong certificate when a Chrome browser is connecting to the gateway using TLS 1.3. This is caused by a change made in Chrome in April 2024 to shift to Post-Quantum Cryptography. With this change, the Client Hello is larger than 1415 bytes, which can result in an inability to retrieve the Server Name Indication (SNI), which is used by the proxy to determine what certificate to issue. The fix ensures the proxy can support Client Hello sizes greater than 1415 bytes.
-
Fixes an issue where the gateway was producing the correct statistics for display in the
page. -
Fixes various stability issues.
-
Fixes an issue related to blue/green policy change. When the policy change occurs and the new datapath becomes active, the gateway begins draining current sessions off the old datapath. If the datapath cannot properly drain the sessions, it treats the datapath as unhealthy and will employ a datapath restart. This will terminate both old and new datapaths, which could cause disruption to old and new sessions. The fix ensures that the session draining completes properly and eliminates the situation where the datapath is seen as unhealthy.
-
Fixes an issue where a VPN tunnel state transition was not generating a System Log message to provide troubleshooting and debugging information on the tunnel setup and negotiation.
-
Fixes a slow memory leak for an ingress gateway that eventually results in a datapath self heal. The memory leak is related to traffic that contains files that are gzip compressed.
-
Fixes an issue where an ingress gateway could drop a connection when back-to-back POST commands contain a payload greater than 160k.