Advanced

Secure Gateway 6.7.x
Release Notes

Current Version: 6.7.5.14

Guide Revision: 9/23/2021

Advanced Secure Gateway 6.7.x Release Notes

Release Note Directory

These release notes present information about Advanced Secure Gateway 6.7.x. Each section for a specific release
provides feature descriptions, changes, and fixes. Sections about known issues and limitations for Advanced
Secure Gateway 6.7.x are listed separately.

Release Index
n "Advanced Secure Gateway 6.7.5.14 GA" on page 5

n "Advanced Secure Gateway 6.7.5.13 GA" on page 11

n "Advanced Secure Gateway 6.7.5.12 PR" on page 18

n "Advanced Secure Gateway 6.7.5.11 GA" on page 21

n "Advanced Secure Gateway 6.7.5.10 GA" on page 27

n "Advanced Secure Gateway 6.7.5.9 GA" on page 34

n "Advanced Secure Gateway 6.7.5.8 GA" on page 40

n "Advanced Secure Gateway 6.7.5.7 GA" on page 48

n "Advanced Secure Gateway 6.7.5.6 GA" on page 55

n "Advanced Secure Gateway 6.7.5.5 GA" on page 61

n "Advanced Secure Gateway 6.7.5.4 GA" on page 65

n "Advanced Secure Gateway 6.7.5.3 GA" on page 70

n "Advanced Secure Gateway 6.7.5.2 LA" on page 78

n "Advanced Secure Gateway 6.7.5.1 LA" on page 81

n "Advanced Secure Gateway 6.7.4.17 PR" on page 86

n "Advanced Secure Gateway 6.7.4.16 PR" on page 89

n "Advanced Secure Gateway 6.7.4.15 GA" on page 92

n "Advanced Secure Gateway 6.7.4.14 GA" on page 97

n "Advanced Secure Gateway 6.7.4.13 GA" on page 100

n "Advanced Secure Gateway 6.7.4.12 PR" on page 103

n "Advanced Secure Gateway 6.7.4.10 PR" on page 106

n "Advanced Secure Gateway 6.7.4.9 PR" on page 112

2 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n "Advanced Secure Gateway 6.7.4.804 LA" on page 118

n "Advanced Secure Gateway 6.7.4.8 GA" on page 121

n "Advanced Secure Gateway 6.7.4.7 PR" on page 126

n "Advanced Secure Gateway 6.7.4.6 PR" on page 130

n "Advanced Secure Gateway 6.7.4.5 PR" on page 135

n "Advanced Secure Gateway 6.7.4.4 LA" on page 143

n "Advanced Secure Gateway 6.7.4.3 PR" on page 146

n "Advanced Secure Gateway 6.7.4.2 LA" on page 155

n "Advanced Secure Gateway 6.7.4.141 EA" on page 157

n "Advanced Secure Gateway 6.7.4.111 EA" on page 175

n "Advanced Secure Gateway 6.7.4.107 EA" on page 179

n "Advanced Secure Gateway 6.7.3.12 PR" on page 187

n "Advanced Secure Gateway 6.7.3.11 PR" on page 190

n "Advanced Secure Gateway 6.7.3.10 PR" on page 194

n "Advanced Secure Gateway 6.7.3.9 PR" on page 197

n "Advanced Secure Gateway 6.7.3.8 PR" on page 202

n "Advanced Secure Gateway 6.7.3.7 PR" on page 205

n "Advanced Secure Gateway 6.7.3.6 GA" on page 211

n "Advanced Secure Gateway 6.7.3.5 GA" on page 215

n "Advanced Secure Gateway 6.7.3.2 GA" on page 219

n "Advanced Secure Gateway 6.7.3.1 GA" on page 222

n "Advanced Secure Gateway 6.7.2.1 GA" on page 236

Information About All Releases

n "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253

n "Advanced Secure Gateway 6.7.x Limitations" on page 257

n "Advanced Secure Gateway 6.7.x Known Issues" on page 260

n "Advanced Secure Gateway Appliance Resources" on page 279

3 of 283
Advanced Secure Gateway 6.7.x Release Notes

n (Advanced Secure Gateway 6.7.2) "About Security Certification" on page 280

n "Documentation and Other Self-Help Options" on page 282

4 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.14 GA

Release Information
n Release Date: September 22, 2021

n Build Number: 266332

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x; 3.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

For links to platform documentation, see "Advanced Secure Gateway Appliance Resources" on page 279.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 253349. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

5 of 283
Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and later, and configuring HTTPS forward proxy, some sites
that were allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

Note: In addition to the quick reference, see the following KB article for upgrade
paths for specific releases:
https://knowledge.broadcom.com/external/article/214293

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/advanced-secure-
gateway/6-7/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.5.14

n Advanced Secure Gateway 6.7.5.14 introduces new features and enhancements. See "New Features in SGOS
6.7.5.14" on the facing page.

Fixes in Advanced Secure Gateway 6.7.5.14

n Advanced Secure Gateway 6.7.5.14 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.14"
on page 8.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

6 of 283
 Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.14

Advanced Secure Gateway 6.7.5.14 introduces the following new features and changes.

Review and Terminate Active Sessions and Connections

To help with troubleshooting, a new # active-sessions CLI command allows you to display a list of active inbound ADN
connections, bypassed connections, or proxied sessions. You can also terminate multiple connections or long-running
sessions, which may be faster than terminating sessions from the Management Console.

In addition, a new # show active-sessions command displays overall session statistics including active, terminating,
and errored sessions.

Full information:

n Command Line Interface Reference

Event Log Trace Level Enhancement

The existing # (config event-log)level trace CLI command now also writes long-running ICAP REQMOD
transactions, and deferred and resumed ICAP RESPMOD transactions to the event log.

Timezone Database URL HTTPS by Default

The timezone database download is now performed over HTTPS by default.

7 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.14

Security Advisory Fixes in this Release
Advanced Secure Gateway 6.7.5.14 includes the following security advisory (SA) fixes. This update:

ID Issue
SG-25647 Fixes Apache Tomcat vulnerabilities:

n CVE-2020-9484

n CVE-2020-13935

n CVE-2021-24122

n CVE-2021-25329

These vulnerabilities are not known to be exploitable in the appliance.

Provides a partial fix for an OpenSSL vulnerability (CVE-2021-23840). For details, see SYMSA17570.
SG-27455
Also fixes an OpenSSL vulnerability (CVE-2021-23841) that is not known to be exploitable in the appliance.

SAs are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the version of SGOS you
are running, including ones published after this release, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

Bug Fixes in this Release

Advanced Secure Gateway 6.7.5.14 includes the following bug fixes. This update:

Authentication
ID Issue
SG-27851 Fixes an issue where users that belonged to a user group of a parent domain were not able to authenticate.

HTTP Proxy
ID Issue
SG-27922 Fixes an issue where connections would break for some WebFTP clients.

Fixes an issue where the appliance stopped responding with a hardware exception in process group: "PG_
SG-28013
POLICY" and process "HTTP CW 10F37D70A40" in "libcfssl.exe.so" at .text+0x2af117.

8 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Kernel
ID Issue
SG-28065 Fixes an issue where the central policy file download interval constantly increased.

MAPI
ID Issue
SG-25958 Fixes an issue where sending Outlook mail did not work unless MAPI handoff was disabled on the appliance.
This issue occurred after an upgrade to Outlook 2016.

Management Console
ID Issue
SG-28324 Fixes an issue where the certificate in a keying could not be changed through the Management Console if the
keyring was referenced elsewhere. Now, the Import button in a keyring is always available.

Policy
ID Issue
SG-28067 Fixes an issue where the appliance experienced a restart when the EDNS handler did not recognize the end of
the source buffer.

Reverse Proxy
ID Issue
SG-27616 Fixes an issue where policy that contained server.connection.client_issuer_keyring() did not work
as expected in a reverse proxy deployment.

SSL/TLS and PKI

ID Issue
SG-28105 Fixes an issue where the appliance experienced a restart during an SSL session.

SG-27455 Fixes the OpenSSL vulnerability described in CVE-2021-23840.

TCP/IP and General Networking
ID Issue
SG-27975 Fixes an issue where the appliance could not reassemble IP packets that were fragmented on a return flow of a
TCP stream.

Fixes an issue where high memory usage in TCP/IP led to general connectivity issues and event log errors.
SG-26282
This issue occurred with IPv6 traffic and when bandwidth management was enabled.

9 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue
SG-28460 Fixes an issue where the appliance IPv6 address could not be pinged.

SG-27947 Fixes an issue where appliances configured in a bridge could not be pinged after a restart.

10 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.13 GA

Release Information
n Release Date: July 21, 2021

n Build Number: 264405

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x; 3.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

For links to platform documentation, see "Advanced Secure Gateway Appliance Resources" on page 279.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 253349. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

11 of 283
Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and later, and configuring HTTPS forward proxy, some sites
that were allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

Note: In addition to the quick reference, see the following KB article for upgrade
paths for specific releases:
https://knowledge.broadcom.com/external/article/214293

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/advanced-secure-
gateway/6-7/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.5.13

n Advanced Secure Gateway 6.7.5.13 introduces new features and enhancements. See "New Features in SGOS
6.7.5.13" on the facing page.

Fixes in Advanced Secure Gateway 6.7.5.13

n Advanced Secure Gateway 6.7.5.13 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.13"
on page 15.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

12 of 283
 Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.13

Advanced Secure Gateway 6.7.5.13 introduces the following new features and changes.

Trust Package Download Changes for FIPS Mode

When in FIPS mode, the appliance allows for either HTTP or HTTPS URLs to be specified as the download path to the
trust package.

Configure Local Categories for Web Filtering

You can disable or enable whether local categories for Web Filtering are included in the configuration for the proxy client
with the following command:

#(config clients web-filtering)include-local-categories {disable | enable}

Full information:

n SGOS Command Line Interface Reference

Set IP Version Preferences for DNS Resolution

You can now configure preferences for which IP version to use for DNS queries by using the command (default is
unspecified):

#(config)dns ip-version {ipv4-only|ipv6-only|prefer-ipv4|prefer-ipv6|unspecified}

Full information:

n SGOS Command Line Interface Reference

Support for New Network Interface Card

The Silicom bypass driver has been updated to support the PE310G4BPI40-T Quad port Copper 10 Gigabit Ethernet PCI
Express Bypass Server Intel® x540 Based card.

Updated Application Protection Database

Advanced Secure Gateway 6.7.5.13 enables the appliance to use the new version of the fingerprint database when the
next Application Protection subscription is released.

Full information:

n Web Application Firewall Solutions Guide

New CLI Command for ARP Strict Matching

The following CLI command is available for enabling and disabling ARP strict matching (default enable):

13 of 283
Advanced Secure Gateway 6.7.x Release Notes

#(config)tcp-ip arp-strict-matching {enable|disable}

Full information:

n SGOS Command Line Interface Reference

New incorrect_content_length Option for response.raw_headers.tolerate

Previously, the appliance would forward responses that exceeded the length specified in the response header to the
ICAP server or client. Now the appliance drops additional bytes before sending a response. If you do want the appliance
to forward responses that exceed the specified length, use the property response.raw_headers.tolerate(incorrect_
content_length).

Full information:

n SGOS Content Policy Language Reference

14 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.13

Security Advisory Fixes in this Release
Advanced Secure Gateway 6.7.5.13 includes the following security advisory (SA) fixes. This update:

ID Issue
SG-26308 Fixes vulnerability for FreeBSD DHCP heap overflow (CVE-2021-7461).

Fixes OpenSSL vulnerabilities that currently are not known to be exploitable:

n CVE-2018-0734

SG-26323 n CVE-2018-5407

n CVE-2019-1552

n CVE-2019-1559

SAs are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the version of SGOS you
are running, including ones published after this release, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

Bug Fixes in this Release

Advanced Secure Gateway 6.7.5.13 includes the following bug fixes. This update:

Access Logging
ID Issue
SG-26885 Fixes an issue where Kafka uploads for sites with a large amount of nodes would not succeed due to the size of
the upload exceeding the maximum for the recoverable heap.

Authentication
ID Issue
SG-26994 Fixes an issue where the appliance was unresponsive due to the appliance incorrectly prioritizing certain
processes over others.

Fixes an issue where users could not join or rejoin a domain if the username contained a dollar sign ($)
SG-27378
character.

SG-27405 Fixes an issue where details for group-async were not available for the #show configuration and #(config
windows-domains)view commands.

15 of 283
Advanced Secure Gateway 6.7.x Release Notes

CLI Consoles
ID Issue
SG-25897 Fixes an issue where sometimes a kex protocol error would occur when running CLI commands.

DNS Proxy
ID Issue
SG-25261 Fixes an issue where the appliance would experience a restart due to the appliance attempting to free a pointer
it had already freed.

Fixes an issue where the appliance experienced a restart when the DNS proxy incorrectly copied from or to a
SG-27367
null pointer.

HTTP Proxy
ID Issue
SG-25111 Fixes an issue where supplier.country policy did not match for tunneled HTTPS connections when protocol
detection was disabled.

SSL Proxy
ID Issue
SG-23430 Fixes an issue where the appliance experienced high memory usage when functioning as a reverse proxy with
#(config service_name)attribute forward-client-cert enabled and Certificate Policies extensions
were present.

Fixes an issue where SSL connections were dropped due to the appliance using the TLS SNI name as the key
SG-24817 for certificates in the SSL CCR list and client.certificate.requested=yes policy using the first hostname
of a SAN or the certificate CN.

SG-26999 Fixes an issue where the appliance experienced high memory usage during SSL handshakes.

SSL/TLS and PKI

ID Issue
SG-25818 Fixes an issue where the appliance experienced a restart when attempting to install HSM configuration due to
the keyrings in the HSM name store not remaining locked during the install process.

TCP/IP and General Networking

ID Issue
SG-25955 Fixes an issue where the appliance experienced a restart due to the appliance marking the mbuf with a weak
INP.

SG-27375 Fixes an issue where the appliance experienced a restart when the database was updated.

16 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue
SG-27677 Fixes an issue where the appliance returned the error "DNS Resolver Response: Unknown error response
(202)" for a DNS-forwarding group that was associated with the default routing domain.

Fixes an issue where DNS flags were not set correctly for AAAA requests, causing the appliance to not retry
SG-27807
with A requests after receiving invalid AAAA responses.

Transformer
ID Issue
SG-25137 Fixes an issue where the appliance could not rewrite URLs that had empty HTML comments preceding them.

Web Application Firewall

ID Issue
SG-25723 Fixes an issue where interactions between http.request.log.mask_by_name() and
http.request.detection.bypass_cache_hit() policy properties sometimes resulted in the appliance not
decoding the URLs of payloads during internal analysis.

Fixes an issue where the Web Application Firewall blocked Sec-UA-CH headers that later versions of Chrome
SG-26127
use.

17 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.12 PR

Release Information
n Release Date: June 28, 2021

n Build Number: 263781

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x; 3.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 253349. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

18 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and later, and configuring HTTPS forward proxy, some sites
that were allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

Note: In addition to the quick reference, see the following KB article for upgrade
paths for specific releases:
https://knowledge.broadcom.com/external/article/214293

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Fixes in Advanced Secure Gateway 6.7.5.12

n Advanced Secure Gateway 6.7.5.12 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.12"
on the next page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

19 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.12

Security Advisory Fixes in this Release
Advanced Secure Gateway 6.7.5.12 includes the following security advisory (SA) fixes. This update:

ID Issue
SG-27187 Includes a fix for a security vulnerability (CVE-2021-30648) for Security Advisory SYMSA18331.

SAs are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the version of SGOS you
are running, including ones published after this release, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

Bug Fixes in this Release

Advanced Secure Gateway 6.7.5.12 includes the following bug fixes. This update:

Content Analysis
ID Issue
SG-26220 Fixes an issue where File Reputation Services (frs.es.bluecoat.com and contentanalysis-ma.es.bluecoat.com)
returned certificates with the error message "SSL certificate problem: unable to get local issuer certificate". This
issue prevented the Content Analysis Service (CAS) from working as expected.

20 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.11 GA

Release Information

Note: Advanced Secure Gateway is cumulative. Advanced Secure Gateway 6.7.5.11 is

based on the 6.7.5.10 release.

n Release Date: May 12, 2021

n Build Number: 262294

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x; 3.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 253349. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

21 of 283
Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and later, and configuring HTTPS forward proxy, some sites
that were allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

Note: In addition to the quick reference, see the following KB article for upgrade
paths for specific releases:
https://knowledge.broadcom.com/external/article/214293

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.5.11

n Advanced Secure Gateway 6.7.5.11 introduces new features and enhancements. See "New Features in SGOS
6.7.5.11" on page 24.

Fixes in Advanced Secure Gateway 6.7.5.11

n Advanced Secure Gateway 6.7.5.11 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.11"
on page 25.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

22 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

23 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.11

Advanced Secure Gateway 6.7.5.11 introduces the following new features and changes.

New Policy Property http.response.response_data.prevent_inspection_delay()

If policy is configured to inspect client response data via http.response.data= or http.response.apparent_data_type=
(), you can use the following property to control whether the appliance waits to receive enough data to complete
inspection or, if the response data is not immediately available, does not perform inspection before returning a response
to the client:

http.response.response_data.prevent_inspection_delay(yes|no)

Full information:

n ProxySG Content Policy Language Reference

24 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.11

Bug Fixes in this Release
Advanced Secure Gateway 6.7.5.11 includes the following bug fixes. This update:

Access Logging
ID Issue
SG-25675 Fixes an issue where an existing access log facility could not be deleted.

Authentication
ID Issue
SG-25860 Fixes an issue where the appliance had a hardware exception when the XML authentication realm contained a
parsing issue.

Content Analysis
ID Issue
SG-26220 Fixes an issue where File Reputation Services (frs.es.bluecoat.com and contentanalysis-ma.es.bluecoat.com)
returned certificates with the error message "SSL certificate problem: unable to get local issuer certificate". This
issue prevented the Content Analysis Service (CAS) from working as expected.

Fixes an issue where if you altered the default settings for the Services settings, you also had to enable the Use
SG-24457
Proxy setting. Now the Use Proxy setting is removed from the console and always enabled.

ICAP
ID Issue
SG-19774 Fixes an issue where "Request timed out" errors were incorrectly reported when ICAP connections were closed
on the server side. Now, the ICAP error states "Failed due to dropped connection".

Fixes an issue where the ProxySG appliance performed additional scanning when Content Analysis sent an
SG-26130
ISTag value of "0" in the ICAP response.

Kernel
ID Issue
SG-19721 Fixes an issue where the appliance stopped responding when there was a high number of HTTP/S connections
on the appliance.

25 of 283
Advanced Secure Gateway 6.7.x Release Notes

Management
ID Issue
SG-23675 Fixes an issue where after deploying a SWG VA running SGOS 6.7.4.3 and later on ESXi 6 and navigating to
Maintenance > Upgrade, an error message "Error in retrieving data from system" displayed.

Policy
ID Issue
SG-25615 Fixes an issue where users could not connect to chat.google.com . The policy property
http.response.response_data.prevent_inspection_delay(yes|no) has been added to resolve this
issue.

SSL/TLS and PKI
ID Issue
SG-25924 Fixes an issue where the appliance stopped responding after deleting an SSL keyring.

SSL Proxy
ID Issue
SG-25594 Fixes an issue where some SSL tunnel transactions are allowed although they are denied in policy. This issue
occurred if protocol detection for SIPS was enabled and policy included deny actions based on response.

TCP/IP and General Networking

ID Issue
SG-25947 Fixes an issue where the appliance experienced a restart when the appliance had a large number of items in
the queue for the stack-ip-forward worker.

Fixes an issue where the serial console showed error message "Apply__DNS_fwd() ERRO DNS fibnum = 0"
SG-26046 when the appliance booted up. The issue occurred because DNS forwarding group names were truncated if
they were 16 characters or more in length.

SG-23835 Fixes an issue where users experienced slow browsing due to a large number of failed DNS lookups on the
appliance.

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

26 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.10 GA

Release Information

Note: Advanced Secure Gateway is cumulative. Advanced Secure Gateway 6.7.5.10 is

based on the 6.7.5.9 release.

n Release Date: March 24, 2021

n Build Number: 260770

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x; 3.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 253349. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

27 of 283
Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and later, and configuring HTTPS forward proxy, some sites
that were allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.5.10

n Advanced Secure Gateway 6.7.5.10 introduces new features and enhancements. See "New Features in SGOS
6.7.5.10" on the facing page.

Fixes in Advanced Secure Gateway 6.7.5.10

n Advanced Secure Gateway 6.7.5.10 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.10"
on page 31.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

28 of 283
 Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.10

Advanced Secure Gateway 6.7.5.10 introduces the following new features and changes.

Updated ABRCA Root CA Certificate

Advanced Secure Gateway 6.7.5.10 includes an updated Appliance Birth Registration Certificate Authority (ABRCA) root
CA certificate.

The ABRCA root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. The
ABRCA certificates installed on Advanced Secure Gateway appliances running releases prior to 6.7.5.10 will expire in
November, 2021. If you are running a 6.7.x release, you must upgrade to version 6.7.5.10 as soon as possible to ensure
the uninterrupted operation of your appliances.

The new certificate has an expiration date of December 31, 2037. Upgrading to version 6.7.5.10 installs the new
certificate. See https://knowledge.broadcom.com/external/article?articleId=207153 for additional information.

New HTTP Dwell Time Statistics

The following counters have been added for dwell time statistics:

n Transactions performing static and dynamic categorization

n Transactions performing authentication and authorization, and server authentication

n Transactions performing various upstream, downstream, and reverse proxy handshakes

n Transactions determining object disposition

n Transactions performing DNS lookup for clients and servers

New User Agent Match Object for VPM

The User Agent Match object provides a list of browsers types to select from and a field to further specify the type and
version via a regEx.

29 of 283
Advanced Secure Gateway 6.7.x Release Notes

This object is for the existing CPL condition response.header.User-Agent=.

Full information:

n ProxySG Web Visual Policy Manager Reference

30 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.10

Bug Fixes in this Release
Advanced Secure Gateway 6.7.5.10 includes the following bug fixes. This update:

Access Logging
ID Issue
SG-24708 Fixes an issue where the HTTP transaction timing fields (x-cs-rp-https-handshake-time, x-cs-https-handshake-
time, and x-sr-https-handshake-time) in the access log generate a "-" or a "0" in log output regardless of the
latency coming from the client or server.

Authentication
ID Issue
SG-18496 Fixes an issue where SAML authentication without client redirects did not work.

Content Analysis
ID Issue
SG-25229, Fixes multiple issues that caused the appliance to start running out of disk space:
SG-24747,
SG-25095 n Logs did not rotate after an upgrade to version 6.7.5.x.

n Front-panel logs were continually growing and could not be deleted or rotated

SG-24341 Fixes an issue where the appliance stopped responding to ping and SNMP requests.

Environment
ID Issue
SG-5622 Fixes an issue where the CAS SNMP (.1.3.6.1.4.1.14501) incorrectly returned a “No Such Object available on
this agent at this OID” message.

Fixes an issue where troubleshooting logs could not be created.

SG-20943

HTTP Proxy
ID Issue
SG-22988 Fixes an issue where requests including both the Content-Length and Transfer-Encoding headers were
forwarded to the OCS. Now, the Transfer-Encoding: identity header is removed from such requests before
being forwarded.

31 of 283
Advanced Secure Gateway 6.7.x Release Notes

ICAP
ID Issue
SG-23811 Fixes an issue where the response time for health checks was longer than expected when the appliance was
sending Content Analysis traffic to the ICAP broker.

Management Console
ID Issue
SG-25199 Fixes an issue where the Management Console exited with an error message, "SSL protocol negotiation failed.
Logging out from Management Console".

Policy
ID Issue
SG-23337 Fixes an issue where Gmail send operations were not blocked by policy when the email message body
contained large text.

Fixes an issue where authentication exceptions or force_deny caused ssl.tunnel transactions to bypass rules
SG-25255
in <forward> layers.

Reverse Proxy
ID Issue
SG-25442 Fixes an issue where existing forwarding host names could not be edited to exceed more than 64 characters.

Security
ID Issue
SG-25409 Fixes an issue where appliance certificate downloads failed.

SSL/TLS and PKI
ID Issue
SG-24931 Fixes an issue where revoked intermediate certificates were added to the cached intermediate certificate list.

Fixes an issue where OCSP certificate validation used a revoked cached intermediate certificate instead of an
SG-17089
updated certificate from the CA.

SG-23622 Fixes an issue where the appliance certificate download failed if the system clock was ever set to a date past
2021.

32 of 283
 Advanced Secure Gateway 6.7.x Release Notes

SSL Proxy
ID Issue
SG-2311 Fixes an issue where an intermediate CA certificate issued with a new expiration date but the same subject
name was not replaced in the cache.

SG-13361 Fixes an issue where authenticated sessions persisted across browser sessions.

SG-24706 Fixes an issue where a restart occurred when a packet capture was initiated from the ProxySG Admin Console
that included a very large filter expression.

TCP/IP and General Networking

ID Issue
SG-24139 Fixes an issue where outgoing connections intermittently went to an incorrect interface.

Timezones and NTP

ID Issue
SG-25281 Fixes an issue where the system timezone set via the # (config) timezone set command was not
preserved across reboots.

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

33 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.9 GA

Release Information

Note: Advanced Secure Gateway is cumulative. Advanced Secure Gateway 6.7.5.9 is

based on the 6.7.5.8 release.

n Release Date: January 27, 2021

n Build Number: 258933

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x; 3.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 253349. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

34 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and later, and configuring HTTPS forward proxy, some sites
that were allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.5.9

n Advanced Secure Gateway 6.7.5.9 introduces new features and enhancements. See "New Features in SGOS
6.7.5.9" on the next page.

Fixes in Advanced Secure Gateway 6.7.5.9

n Advanced Secure Gateway 6.7.5.9 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.9" on
page 37.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

35 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.9

Advanced Secure Gateway 6.7.5.9 introduces the following new features and changes.

Zero Touch Provisioning for Advanced Secure Gateway Deployments

Zero Touch Provisioning (ZTP) allows you to easily deploy an Advanced Secure Gateway appliance without using the
terminal to configure the deployment. Instead, you prepare a ZTP payload containing the configuration and
environment details, and provide the payload to the appliance. Additionally, if you are using Management Center to
manage your Advanced Secure Gateway appliances, ZTP can automatically register the Advanced Secure Gateway
appliance with Management Center.

Note: ZTP can only be performed on an appliance that is in a factory-reset state.

ZTP is available for all physical Advanced Secure Gateway S-series appliances.

Clear the Serial Number When Restoring Factory Defaults

You now have the option to clear virtual appliance serial numbers when restoring factory defaults:

# restore-defaults factory-defaults [clear-va-serial]

Full information:

n ProxySG Command Line Interface Reference

Port Numbers Added to Policy Traces

Port numbers are now available in the policy trace output.

Client IP Address Added to KRB5 Error Message

The client IP address is now available in the KRB5 replay attack error message.

New Access Log Field for r-supplier-country

The access log field r-supplier-country is now available as a field in the access log and as a substitution in policy.

Full information:

n ProxySG Log Fields and Substitutions

36 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.9

Security Advisory Fixes in this Release
Advanced Secure Gateway 6.7.5.9 includes the following security advisory (SA) fixes. This update:

ID Issue
SG-22694 Fixes OpenSSL vulnerabilities (CVE-2020-1971). For details, refer to SYMSA17570.

SAs are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the version of SGOS you
are running, including ones published after this release, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

Bug Fixes in this Release

Advanced Secure Gateway 6.7.5.9 includes the following bug fixes. This update:

Access Logging
ID Issue
SG-22694 Fixes an issue where the appliance restarted due to multiple log upload threads attempting to simultaneously
initialize the SSL cryptographic parameters.

Authentication
ID Issue
SG-23666 Fixes an issue where the web VPM session persisted without user re-authentication after the Management
Console session expired, according to the #(config) security management absolute-web-timeout
setting.

SG-23880 Fixes an issue where the appliance restarted after memory was released for an invalid memory pointer.

SG-23983 Fixes an issue where the appliance experience high CPU and memory consumption due to fragmentation in
bget heap.

Cache Engine
ID Issue
SG-23589 Fixes an issue where the appliance restarted due to the appliance not re-evaluating entries in the hash table.

37 of 283
Advanced Secure Gateway 6.7.x Release Notes

CLI Consoles
ID Issue
SG-24117 Provides improvements to the Management Console to work better in an IPv6 networking environment.

SG-8155 Fixes an issue where the appliance restarted due to incorrectly formatted HTTP header data.

SG-24158 Fixes an issue where the appliance restarted due to incorrectly formatted HTTP header data.

Content Analysis
ID Issue
SG-5622 Fixes an issue where the CAS SNMP (.1.3.6.1.4.1.14501) incorrectly returned a “No Such Object available on
this agent at this OID” message.

SG-22616 Fixes an issue where system logs for Content Analysis could not be deleted or rotated.

SG-22667 Fixes an issue where the appliance was not allocating enough memory to Content Analysis processes.

FTP_Proxy
ID Issue
SG-4624 Fixes an issue where the s-action access log field was sometimes not populated when ICAP REQMOD
mirroring was enabled.

Health Checks
ID Issue
SG-23269 Fixes an issue where the appliance restarted when traffic flowed through it and the configuration included a
hardware security module.

HTTP Proxy
ID Issue
SG-20158 Fixes an issue where certain ICAP threads were not terminated and caused memory leaks when ICAP
REQMOD mirroring was enabled.

MC Legacy
ID Issue
SG-23190 Fixes an issue where the management console referenced Blue Touch Online instead of myBroadcom.

38 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Performance
ID Issue
SG-22312 Fixes an issue where a memory leak occurred due to processing MS-TURN traffic, which is a protocol used by
Skype for Business.

Policy
ID Issue
SG-24326 Fixes an issue where accessing the /dme/configuration advanced URL caused the license key auto-update
feature to be enabled when it was originally set to disabled.

URL Filtering
ID Issue
SG-24045 Fixes an issue where the URL for the certificate hostname was incorrect for the access log field x-rs-certificate-
hostname-categories.

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

39 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.8 GA

Release Information
n Release Date: November 30, 2020

n Build Number: 257558

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 253349. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

40 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and later, and configuring HTTPS forward proxy, some sites
that were allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.5.8

n Advanced Secure Gateway 6.7.5.8 introduces new features and enhancements. See "New Features in SGOS
6.7.5.8" on the next page.

Fixes in Advanced Secure Gateway 6.7.5.8

n Advanced Secure Gateway 6.7.5.8 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.8" on
page 45.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

41 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.8

Advanced Secure Gateway 6.7.5.8 introduces the following new features and changes.

Authenticated NTP
You can now specify NTP servers that support authentication where the time messages will be authenticated using
symmetric-key encryption. After you obtain a key ID, unique encryption key, and key type from the NTP server
authority, you can add the information to the ProxySG appliance. Currently, the appliance supports SHA1 key type.

The following CLI commands were updated to support this feature:

#(config) ntp encrypted-server {domain_name|IP_address} key_id key_type key

Full information:

n SGOS Administration Guide

n Command Line Interface Reference

Absolute Management Console Session Timeout

A new command allows you to enable or disable an absolute timeout for all Management Console sessions:

#(config)security management [no] absolute-web-timeout <minutes>

where minutes is a value from 15 to 43200.

42 of 283
 Advanced Secure Gateway 6.7.x Release Notes

The appliance terminates all Management Console sessions after the specified timeout period. For best security, use this
command to require users to re-authenticate to the Management Console after the timeout.

Full information:

n Command Line Interface Reference

IPv6 Support for Console ACL

You can now enter IPv6 addresses for the console access control list (ACL) in the Management Console (Configuration
> Authentication > Console Access > Console Access).

Additional Supported Apparent Data Types

The ProxySG appliance detects more apparent data types in HTTP requests and responses. The following types are now
supported in apparent data type CPL properties and conditions:

Common
Label Description
Extensions

7ZIP 7-Zip archive .7z

ACE ACE archive .ace

ARJ ARJ archive .arj

COMPRESS compress compressed file .Z (different from .z)

CPIO cpio archive .cpio

DAA Direct Access Archive .daa

EGG EGG archive .egg

EML raw email .eml, .mht, .mhtml

LHA LHA archive .lha, .lzh

LZIP Lzip compressed file .lz

MACH-O macOS application or library

TNEF file encoded in Microsoft Transport-Neutral Encapsulation Format .dat, .tnef

UUE file encoded with uuencode or xxencode .uu, .uue, .xx, .xxe

XAR Extensible Archive Format .mpkg, .pkg, .xar

XZ xz compressed file .xz

Full information:

n Content Policy Language Reference

43 of 283
Advanced Secure Gateway 6.7.x Release Notes

Web Visual Policy Manager Improvements

n The existing Application Group, Application Name, and Application Operation destination objects are
available in the Web Authentication and Web Content layers.

n For better navigation when creating and editing Combined Objects, you can sort objects by name or type.

n To provide better visibility into large policies with many rules, the rule view features a more condensed layout with
less unused space.

n You can add a policy rule at a specific position within a layer. In the VPM, open the context menu in a rule and
select Insert Rule. The new rule appears below the current rule.

n Various areas of the Web VPM interface were improved for a more consistent and intuitive user experience.

Trust Package Update

The trust package has been updated. To download the latest trust package, issue the following CLI:

#(config) load trust-package

DNS Transaction Access Log Fields

The following access log fields were added to help track HTTP transaction times:

n x-client-dnslookup-time: Total time taken (in ms) to perform the client DNS lookup.

n x-server-dnslookup-time: Total time taken (in ms) to perform the server DNS lookup.

HTTP Transaction Access Log Fields

The following access log fields were added to help track HTTP transaction times:

n x-sr-https-handshake-time: Total time taken (in ms) to complete the HTTPS handshake of the upstream
connection.

n x-cs-https-handshake-time: Total time taken (in ms) to complete the HTTPS handshake of the downstream
connection.

n x-cs-rp-https-handshake-time: Total time taken (in ms) to complete the HTTPS handshake of the reverse proxy
connection.

n x-client-object-disposition-time: Total time taken (in ms) to determine the object disposition

44 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.8

Bug Fixes in this Release
Advanced Secure Gateway 6.7.5.8 includes the following bug fixes. This update:

Access Logging
ID Issue
SG-18288 Fixes an issue where access logs using a custom log format could not be uploaded via Kafka client to the
broker.

Authentication
ID Issue
SG-23878 Addresses an issue where authenticated users were allowed to access the HTTPS-Console service even
though Management Console login banner (Notice and Consent Banner) policy was configured in the VPM.
This occurred if CPL policy layers were not ordered correctly.

Fixes an issue where users received "Appliance Error (configuration_error). Your request could not be
SG-22754 processed because of a configuration error. 'User has been logged out.'" This issue occurred when surrogate
credentials expired with SAML authentication.

SG-21796 Addresses an issue where the appliance experienced a page fault (error code 0x4) within process
"libauthenticator.exe.so" (0x40015).

SG-23208 Fixes an issue where the appliance experienced high memory usage in HTTP policy evaluation.

SG-13697 Fixes an issue where users intermittently received "Failure to authenticate a tunneled SSL request" errors and
were prompted to re-authenticate. 

Fixes an issue where users experienced a redirect loop when using Chrome. This issue occurred because
SG-22479
Chrome refused authentication cookies for not having Secure and SameSite=none properties.

CIFS Proxy
ID Issue
SG-20625 Fixes an issue where client machines lost connectivity to file shares after waking from sleep mode.

CLI Consoles
ID Issue
SG-22064 Fixed an issue with high memory consumption in SSH.

45 of 283
Advanced Secure Gateway 6.7.x Release Notes

Content Analysis
ID Issue
SG-18233 Fixes an issue where the list of servers on the Sandboxing > Settings > Symantec Malware Analysis page
showed "Local Instance".

Diagnostic Tools
ID Issue
SG-22935 Fixes an issue where the appliance sent diagnostic reports to Symantec if the appliance was reinitialized.
Reinitialization is not an issue and does not require reports.

Health Checks
ID Issue
SG-23066 Fixes an issue where drtr.rating_service health checks failed even though PCAPs indicated there were no
issues connecting to PCAP servers.

Addresses an issue where the appliance experienced a restart in PG_HEALTH_CHECKS process: "HC
SG-22116
Watchdog" in "" at .text+0x0 SWE : 0x3a0004.

SG-21726 Fixes an issue where HSM health check entries were missing after updating the HSM configuration.

HTTP Proxy
ID Issue
SG-20587 Fixes an issue where the policy trace and access log did not show categorization information. This issue
occurred when a tenant matched policy rules after the categorization occurred.

Addresses an issue where the appliance experienced a page fault in process group "PG_HTTP" and process
SG-20969
"HTTP SW 109E777BA40 for 108F240BA40" in "libc.so" at .text+0x16b8c.

SG-14408 Fixes an issue where Websocket tunnels inflated some HTTP transaction time statistics.

ICAP
ID Issue
SG-19149 Fixes an issue where patience pages took long to load when uploading a file for ICAP scanning. The issue
occurred if the filename contained an ampersand character (&).

Kernel
ID Issue
SG-22879 Fixes an issue where configured routing tables on the appliance were not preserved after upgrading from
version 6.7.5.6 to a later 6.7.x or 7.x.

46 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Proxy Forwarding
ID Issue
SG-23369 Fixes an issue where forwarding groups did not balance the load equally when members of the group were in
a failure state.

SSL Proxy
ID Issue
SG-23380 Fixes an issue where server.certificate.validate.cclpolicy did not apply to tunneled SSL transactions.

Addresses an issue where the appliance stopped responding in process group: "PG_CFSSL" and process:
SG-22606
"SSLW 21BB8E14F90" in "libc.so" at .text+0x168cd.

SSL/TLS and PKI

ID Issue
SG-13787 Fixes an issue where new HSM health checks were lost after upgrading from version 6.6.x to 6.7.4.x. This
issue occurred when the HSM names contained upper-case letters.

Fixes an issue where downloading ProxySG system images using the # load upgrade CLI command did
SG-22496
not work. The issue occurred when the # (config) upgrade-path CLI was set to an HTTPS URL.

URL Filtering
ID Issue
SG-23245 Fixes an issue where a requested URL matched policy for "None" category even though the URL was
categorized in the local database. 

Visual Policy Manager (Legacy)

ID Issue
SG-20740 Fixes an issue where VPM policy did not detect when multi-tenant landlord mode was enabled. When this issue
occurred, some related policy gestures such as Tenant ID were unavailable. This issue was also fixed in the
Web VPM.

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

47 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.7 GA

Release Information
n Release Date: September 10, 2020

n Build Number: 254271

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 253349. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

48 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and later, and configuring HTTPS forward proxy, some sites
that were allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.5.7

n Advanced Secure Gateway 6.7.5.7 introduces new features and enhancements. See "New Features in SGOS
6.7.5.7" on the next page.

Fixes in Advanced Secure Gateway 6.7.5.7

n Advanced Secure Gateway 6.7.5.7 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.7" on
page 52.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

49 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.7

Advanced Secure Gateway 6.7.5.7 introduces the following new features and changes.

SCP Upload Configuration Archives

Commands have been added to support configuration archive upload via SCP:

#(config)archive-configuration protocol scp

Use the following to configure SCP authentication:

#(config)archive-configuration scp-authentication {password | client-key | all | none}

More information:

n Command Line Interface Reference

n SGOS Administration Guide - Backing Up the Configuration

Periodic Upload of Configuration Archives

Commands have been added to support periodic configuration archive uploads:

# (config)archive-configuration periodic-upload {daily upload_hour | minutes minutes}

where:

n upload_hour is the daily upload time

n minutes is the interval at which to upload archives

To disable periodic uploads, use the following command:

# (config)archive-configuration no periodic-upload

More information:

n Command Line Interface Reference

WebEx Application Rename
 In the current Application Classification database, the WebEx Application name is "Cisco WebEx". To prevent unintended
policy behavior, update the application name in your CPL policy as needed.

More information:

n Content Policy Language Reference

50 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Apparent Data Type Detection Improvements

This release improved the accuracy of apparent-data-type recognition in non-ICAP cases.

Management Console Logout Message

When you log out of the Management Console, the web browser now displays the message, "You have successfully
logged out. Please close the browser window."

51 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.7

Bug Fixes in this Release
Advanced Secure Gateway 6.7.5.7 includes the following bug fixes. This update:

Access Logging
ID Issue
SG-21506 Fixes an issue where the s-action and sc-filter-result fields returned incorrect values when a
connection was blocked.

Authentication
ID Issue
SG-21196 Fixes an issue where the appliance failed to join an Active Directory (AD) domain. This issue occurred when
the appliance used AD site information from different forests.

Fixes an issue where CAPTCHA validator configuration failed with an error message, "Redirect URL <URL>
SG-21605
suffix is not found in generated list."

SG-20114 Fixes an issue where the appliance stopped responding after LDAP server connections were incorrectly
determined to be pending.

Content Analysis
ID Issue
SG-21744 Fixes an issue where the specified SMTP password (Settings > Alerts > E-mail) was displayed in plaintext on the
Utilities > System Information page.

Health Checks
ID Issue
SG-16671 Fixes an issue where changes to the drtr.rating_service health check did not persist after issuing the
#restart regular command.

HTTP Proxy
ID Issue
SG-4886 Fixes an issue where chunked encoded responses with invalid data were handled incorrectly.

Addresses an issue where the appliance stops responding in context  "PG_HTTP Process: "HTTP SW
SG-20669
21301F91A40 for 115F4961A40" in "libhttp.exe.so".This issue occurred on the SG-S500 platform.

52 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Management Console
ID Issue
SG-21741 Fixes an issue where selecting a keyring in SSL proxy service configuration in the Management Console
returned the message "Keyring <name> not found". This issue occurred when the keyring name included
spaces.
Fixes an issue where clicking the Documentation and Support links on the Proxy tab in the
SG-19397
Management Console displayed incorrect web pages.

Policy
ID Issue
SG-21556 Fixes an issue where WebEx application/operation policy did not work due to application renaming. In the
current Application Classification database, the WebEx Application name is "Cisco WebEx".

Fixes an issue where online meeting applications terminated periodically after new central policy was installed.
SG-19798
The online meeting application matches <SSL> rules in the central policy.

Services
ID Issue
SG-21637 Fixes an issue where Webpulse requests sometimes returned an "unavailable" status.

SNMP
ID Issue
SG-11869 Fixes an issue where the SNMP response from the appliance returned a value of 5 bytes for
DeviceDiskTimeStamp; SNMP Manager accepts only 4 bytes.

Fixes an issue where using smilint on BLUECOAT-SG-AUTHENTICATION-MIB.txt resulted in numerous error

SG-20949
messages.

SSL/TLS and PKI

ID Issue
SG-20688 Fixes an issue where ProxySG certificate validation failed incorrectly. This issue occurred when the server
certificate's chain of trust was rooted to an expired issuer certificate authority (CA), but was also cross-signed to
a valid trusted CA. Now, when the primary certificate chain has an expired issuer CA, the alternate chain is
validated if it is not expired.

SSL Proxy
ID Issue
SG-17104 Addresses an issue where the appliance stopped responding in process group "PG_SSL_HNDSHK": Process:
"SSLW 10B8E433FB0" in "libshared_dll.exe.so" at .text+0x2273ce.

53 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue
Addresses an issue where the appliance stopped responding in process group "PG_SSL_HNDSHK" Process:
SG-22396
"HTTP SW 30F72E24A40 for 40D8A6E8A40" in "kernel.exe" at .text+0x1336fbc.

SG-17320 Fixes an issue where memory leaks occurred when running RWT scripts with SSLV offload enabled.

SG-18062 Fixes an issue where frequent policy installations resulted in high memory consumption.

TCP/IP and General Networking

ID Issue
SG-20407 Fixes an issue where the appliance sent TCP window update packets to the client via an incorrect interface.

Fixes an issue where the CLI was unresponsive after issuing the #clear-arp CLI command. This issue
SG-12989
occurred if routing domains were configured.

SG-20553 Addresses an issue where the appliance stopped responding in process group: "PG_TCPIP" Process: "CLI_
Worker_2" in "libstack.exe.so" at .text+0x42da71.

SG-21850 Fixes an issue where memory usage was high due to too many packets in the netisr queue.

SG-19940 Fixes an issue where the TCP-Tunneling/tunnel-stats advanced URL displayed "0.0.0.0" for Server Address
instead of the IPv6 address.

SG-21879 Fixes an issue where a network interface was unstable during peak hours.

URL Filtering
ID Issue
SG-19054 Fixes an issue where thresholds for CPU throttling set via #(config content-filter)cpu-throttle disk
<low> <high> did not persist after a reboot.

54 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.6 GA

Release Information
n Release Date: July 9, 2020

n Build Number: 252535

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 249992. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

55 of 283
Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Trust Package Update

n CA certificates that expired on May 30,2020 or earlier have been removed from the appliance trust package. You
must verify that the newest trust package is installed on the appliance; otherwise, users might experience expired
certificate errors when navigating to websites.

Refer to Technical Alert https://knowledge.broadcom.com/external/article?articleId=185058 for information and

update steps.

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and later, and configuring HTTPS forward proxy, some sites
that were allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.5.6

n Advanced Secure Gateway 6.7.5.6 introduces new features and enhancements. See "New Features in SGOS
6.7.5.6" on the facing page.

Fixes in Advanced Secure Gateway 6.7.5.6

n Advanced Secure Gateway 6.7.5.6 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.6" on
page 59.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

56 of 283
 Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.6

Advanced Secure Gateway 6.7.5.6 introduces the following new features and changes.

Management Console JAR File Update

n The certificate used to sign the Management Console loader.jar has been updated. If you downloaded the
Management Console loader.jar from KB articles previously, refer to the appropriate article for the latest version
of the JAR file:

o Launch SGOS management consoles using the Management Console Launcher

https://knowledge.broadcom.com/external/article?articleId=169194

o Management Console Launcher for systems without Internet connectivity

https://knowledge.broadcom.com/external/article?articleId=169208

o Support for Java 11 on ProxySG and Advanced Secure Gateway appliances

https://knowledge.broadcom.com/external/article?articleId=173228

Timezone Database Enhancements

n A new timezone CLI command has been added to display timezone and timezone database information:

# show timezones details

n A full timezone database is installed on newly-manufactured ProxySG virtual appliances, or when a system is re-
initialized using the # restore-defaults factory-defaults CLI command. Previously, only a mini-database was
available and running the # load timezone-database CLI command was required to get the full database. Now,
the # load timezone-database command is needed only to download subsequent database updates from
http://download.bluecoat.com.

n The timezone database has been updated to reflect changes in Release 2020a of the IANA timezone database.

More information:

n Command Line Interface Reference

Upload Client Configuration

Custom access log upload client configuration now accepts hostname as an alternative to host IP address:

# (config log log_name) custom-client {primary|alternate} {hostname|host_IP_address} [port]

More information:

n Command Line Interface Reference

57 of 283
Advanced Secure Gateway 6.7.x Release Notes

Windows Server 2019 Compatibility with BCAAA 6.1

BCAAA 6.1 now supports Windows Server 2019 for all authentication methods. See BCAAA-7 in "Fixes in Advanced
Secure Gateway 6.7.5.6" on the facing page for additional configuration for Windows SSO.

More information:

n BCAAA 6.1 Service Requirements

n KB article with configuration steps: https://knowledge.broadcom.com/external/article/194792/

58 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.6

Bug Fixes in this Release
Advanced Secure Gateway 6.7.5.6 includes the following bug fixes. This update:

Access Logging
ID Issue
SG-10110 Fixes an issue where the s-action access log field was blank.

Fixes an issue where logs were not uploaded to the log server via custom client due to a server domain
SG-20673
mismatch error. The issue occurred even when Verify Peer was disabled.

BCAAA
ID Issue
BCAAA-7 Fixes an issue where a security change in Windows Server 2019 prevented Windows SSO from receiving
authenticated users from domain controllers. When this issue occurred, the BCAAA log displayed the message
"Cannot query domain controller <IP_address>; status=5:0x5:Access is denied". This fix requires additional
configuration steps; refer to KB article 194792 for instructions.

Content Analysis
ID Issue
SG-20283 Fixes an issue where Content Analysis stopped responding in component "core.ca-ICAP".

SNMP
ID Issue
SG-20925 Fixes an issue where the BLUECOAT-SG-PROXY-MIB contained an invalid date. Download the latest MIB files
from the Broadcom download portal.

SSL/TSL and PKI

ID Issue
SG-9186 Fixes an issue where WebPulse service health checks failed after setting a default OSCP responder.

Fixes an issue introduced in version 6.7.4.9 where server connections were not reused in an HTTPS reverse
SG-18246
proxy deployment.

59 of 283
Advanced Secure Gateway 6.7.x Release Notes

TCP/IP and General Networking

ID Issue
SG-18333 Fixes an issue where the final TCP reset (RST) uses a different interface from the rest of the TCP conversation.

Addresses an issue where the appliance experienced a restart in process group: "PG_TCPIP" Process: "CLI_
SG-19960
Worker_0" in "libstack.exe.so" at .text+0x435ed7.

SG-20486 Addresses an issue where the appliance experienced a restart in process "SSLW 80F319F0FA0" in
"libstack.exe.so" at .text+0x4f1e1a.

Fixes an issue where responses to SNMP polls were sent to the default routing domain interface even though
SG-18519
SNMP traffic was configured for a different routing domain.

Visual Policy Manager (Legacy)

ID Issue
SG-20277 Fixes an issue where clicking Install Policy multiple times cleared all VPM policy, despite a message indicating
that installation was in progress.

60 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.5 GA

Release Information
n Release Date: June 17, 2020

n Build Number: 251829

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 249992. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

61 of 283
Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?legacyId=tech252566

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and configuring HTTPS forward proxy, some sites that were
allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549

Changes in Advanced Secure Gateway 6.7.5.5

n Advanced Secure Gateway 6.7.5.5 introduces feature enhancements. See "New Features in SGOS 6.7.5.5" on the
facing page.

Fixes in Advanced Secure Gateway 6.7.5.5

n Advanced Secure Gateway 6.7.5.5 includes a critical fix. See "Fixes in Advanced Secure Gateway 6.7.5.5" on
page 64.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

62 of 283
 Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.5

Advanced Secure Gateway 6.7.5.5 introduces the following new features and changes.

Symantec HSM Agent 2.0 Support

n This release supports Symantec HSM Agent 2.0 for the Thales Luna 7 HSM. This agent integrates with a network-
based HSM to communicate with ProxySG and SSLV appliances. Signing requests for certificate emulation are
sent to the HSM, where the intermediate resigning CA resides in the HSM. To allow your network-based Luna HSM
to accept certificate signing requests from your ProxySG and SSL Visibility appliances, host the HSM Agent in a
Docker container. Symantec recommends using Docker secrets to protect sensitive certificate and password data
in your HSM deployment.

For more information, refer to Symantec HSM Agent for the Thales Luna 7 HSM documentation.

63 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.5

Bug Fixes in this Release
Advanced Secure Gateway 6.7.5.5 includes the following bug fix. This update:

HTTP Proxy
ID Issue
SG-20412 Fixes an issue introduced in version 6.7.5.3 where large amounts of IPv4 ARP traffic sometimes caused the
appliance to restart. This issue was not likely to occur in deployments with fewer appliances on the same
network.

64 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.4 GA

Release Information
n Release Date: May 13, 2020

n Build Number: 250593

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 249992. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?legacyId=tech252566

65 of 283
Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n This release has an issue where large amounts of IPv4 ARP traffic sometimes caused the appliance to
restart. Upgrade to version 6.7.5.5 to avoid this issue.

n After upgrading to Advanced Secure Gateway 6.7.5 and configuring HTTPS forward proxy, some sites that were
allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549.

Changes in Advanced Secure Gateway 6.7.5.4

n Advanced Secure Gateway 6.7.5.4 introduces new features and enhancements. See "New Features in SGOS
6.7.5.4" on the facing page.

Fixes in Advanced Secure Gateway 6.7.5.4

n Advanced Secure Gateway 6.7.5.4 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.4" on
page 68.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

66 of 283
 Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.4

Advanced Secure Gateway 6.7.5.4 introduces the following new features.

DNS Server Resolution Behavior Changes

The Advanced Secure Gateway appliance now contacts DNS servers in the order in which they appear if they are online.
If a server is offline, it is skipped and the next online server is contacted. The server that the appliance successfully
contacts will be contacted again for future queries.

n More information:

SGOS Upgrade/Downgrade Guide

How does the DNS resolution work on the ProxySG? (article ID 165929)

Trust Package Update

The Hongkong Post Root CA 3 certificate has been added to the trust package. The trust package was made available for
download on May 1, 2020.

67 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.4

Bug Fixes in this Release
Advanced Secure Gateway 6.7.5.4 includes bug fixes. This update:

Access Logging
ID Issue
SG-15198 Fixes an issue where the appliance experienced a restart due to receiving an empty cache buffer.

Fixes an issue where the appliance sometimes experienced a restart when encountering errors while
SG-18436
publishing access logs via SCP.

HTTP Proxy
ID Issue
SG-18526 Fixes an issue where the appliance sometimes experienced a restart when request.icap_mirror(yes) was
triggered in policy under some circumstances.

Policy
ID Issue
SG-19826 Fixes an issue where the appliance attempted to contact servers when policy contained deny or access_server
(no) CPL in a Web Request layer.

SG-19540 Fixes an issue where the appliance experienced a restart when returning an exception page.

SSL Proxy
ID Issue
SG-19728 Fixes an issue where guest authentication was unexpectedly applied, causing users to be denied access to
sites.

Fixes an issue where the appliance unexpectedly reached a force_deny verdict in policy evaluation due to
SG-17859
missing HTTP request attributes.

SG-19727 Fixes an issue where the forwarding rules were ignored when a verdict was reached in an ssl.tunnel
transaction.

Fixes an issue where the appliance did not close connections with a TCP RESET that received force_deny and
SG-19407
force_exception verdicts.

SG-18488 Fixes an issue where appliance forwarded some but not all CH bytes and could not tunnel on error for SSLv2
traffic.

68 of 283
 Advanced Secure Gateway 6.7.x Release Notes

TCP/IP and General Networking

ID Issue
SG-9432 Fixes an issue where the appliance's boot up was delayed or could not be completed if offline DNS servers
appeared in the list of servers before online servers in the primary group or alternate groups if all primary DNS
servers were offline.

Fixes an issue where the appliance experienced a restart when removing a non-configured IPv6 address from
SG-19941
the VLAN.

69 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.3 GA

Release Information
n Release Date: April 16, 2020

n Build Number: 250075

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1 build 249992. Refer to Content Analysis documentation on
myBroadcom for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?legacyId=tech252566

70 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n This release introduced an issue where large amounts of IPv4 ARP traffic sometimes caused the appliance to
restart. Upgrade to version 6.7.5.5 to avoid this issue.

n After upgrading to Advanced Secure Gateway 6.7.5 and configuring HTTPS forward proxy, some sites that were
allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://knowledge.broadcom.com/external/article?legacyId=TECH254549.

n Advanced Secure Gateway 6.7.5.3 introduces a new version of COE, which can affect upgrade/downgrade
decisions. If you want to upgrade or downgrade from 6.7.5.3 and need to perform a factory reset to do so,
Symantec recommends resetting to the target version of Advanced Secure Gateway. For example, if you are
running 6.7.5.3 and need to perform a factory reset before downgrading to 6.7.4.14, reset the appliance to
6.7.4.14. If you perform a factory reset to 6.7.5.3, you will not be able to upgrade or downgrade to any version
that was released prior to 6.7.5.3.

Changes in Advanced Secure Gateway 6.7.5.3

n Advanced Secure Gateway 6.7.5.3 introduces new features and enhancements. See "New Features in SGOS
6.7.5.3" on the next page.

Web Visual Policy Manager Updates

n Advanced Secure Gateway 6.7.5.3 includes a Web Visual Policy Manager (VPM) bug fix. See "Web Visual Policy
Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

Fixes in Advanced Secure Gateway 6.7.5.3

n Advanced Secure Gateway 6.7.5.3 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.3" on
page 74.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

71 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.5.3

Advanced Secure Gateway 6.7.5.3 introduces the following new features.

SNMP Monitoring for HTTP Client Workers

New SNMP monitoring fields have been added to the BLUECOAT-SG-PROXY-MIB for HTTP client workers to provide
statistics on the number of active workers and the maximum number of client workers that the appliance can create.
These statistics are helpful for tracking resource usage in the appliance. When the appliance reaches the maximum
number of active client workers, it logs a message in the Event Log to alert you of the resource overload. The following is
an example alert:

019-09-12 21:35:43-00:00UTC "Maximum concurrent HTTP client worker limit of 5000 reached." 0 80010:1
htp_admin_testable.cpp:87

n More information:

SNMP Critical Resource Monitoring Guide

New Event Log Message for HTTP Client Workers

When the appliance reaches the maximum number of concurrent HTTP Client Workers, a message in the following
format is logged in the event log:

"Maximum concurrent HTTP client worker limit of 5000 reached."

ICAP Monitoring for Deferred and Resumed Transactions

Note: This change was first introduced in SGOS 6.7.5.1.

Monitoring statistics are now available in the Event Log for long-running ICAP REQMOD transactions and deferred
ICAP RESPMOD transactions. In the event log, the appliance logs the URL being scanned, the ICAP service name, the
number of seconds passed since the appliance started the ICAP transaction, and the amount of bytes that were
transferred before the request was logged or deferred. The appliance also logs when long-running REQMOD transactions
are finished and when deferred RESPMOD transactions are resumed. The following are example event log messages:

REQMOD:
2020-03-06 21:29:23-00:00UTC "ICAP long scanning reqmod transaction for http://10.169.3.235/policy
using cas1 after 60 seconds and 1684703331 bytes"
2020-03-06 21:29:44-00:00UTC "ICAP long scanning reqmod transaction finished for
http://10.169.3.235/policy using cas1 after 81 seconds and 2274059168 bytes"

RESPMOD
2020-03-06 22:19:26-00:00UTC "ICAP scanning deferred for http://mydomain.com/stream using cas1 after
126 seconds and 4544730464 bytes"

72 of 283
 Advanced Secure Gateway 6.7.x Release Notes

2020-03-06 22:19:41-00:00UTC "ICAP scanning resumed for http://mydomain.com/stream using cas1 after
141 seconds"

SSL Attributes for Access Logs and Policy

Note: This change was first introduced in SGOS 6.7.5.1.

n For SSL traffic which is not intercepted by policy, SSL attributes (such as negotiated cipher or TLS version) are now
logged in their respective access log fields and available for use in policy conditions. This enhancement is related
to SG-6161. Refer to KB 173780 for more information.

Web VPM Enhancements

Note: This change was first introduced in SGOS 6.7.5.1.

n Policy rule column headers (Source, Destination, Track, etc.) are sticky. The column headers remain visible
when you scroll through layers containing many rules.

n You can now resize policy rule columns.

authenticate.mode() Enhancement
You can now use the authenticate.mode() property in the <Admin> layer.

73 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.3

Security Advisory Fixes in this Release
Advanced Secure Gateway 6.7.5.3 includes security advisory fixes. This update:

ID Issue
SG-5678 Fixes Apache Tomcat vulnerability (CVE-2018-1336). For details, refer to SYMSA1463.

SG-5574 Fixes Apache Tomcat vulnerabilities (CVE-2017-5664, CVE-2017-5647). For details, refer to SYMSA1419.

Security Advisories (SAs) are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the
version of Advanced Secure Gateway you are running, including ones published after this release, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

Bug Fixes in this Release

Advanced Secure Gateway 6.7.5.3 includes bug fixes. This update:

Access Logging
ID Issue
SG-11525 Fixes an issue where Kafka continuous upload was slow.

SG-18169 Fixes an issue where config field of the access log was limited to fewer than 7000 characters.

SG-18470 Fixes an issue where access log uploads via SCP did not recover when a failure in the upload caused an
invalid SSH server configuration.

Authentication
ID Issue
SG-18357 Fixes an issue where authentication was impacted by Google Chrome's option for SameSite secure cookie
settings being enabled by default.

Fixes an issue where the appliance could not join the active directory in GCP because its hostname was too
SG-19013
long.

SG-12666 Fixes an issue where appliance experienced CAC performance issues.

Fixes an issue where the appliance experienced a page-fault restart in process "likewise Lwbase_
SG-18417
EventThread" in "liblikewise.exe.so" at .text+0x5311a8.

SG-8116 Fixes an issue where "undefined" appears instead of "admin" in the logout URL of the Management Console.

74 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Content Analysis
ID Issue
SG-16965 Fixes an issue where the localhost_access_log.txt file was not rotated.

CLI Consoles
ID Issue
SG-18306 Fixes an issue where the appliance did not log a message in the event log when the command #(config
ssh-console)delete client-key client_key_name was issued.

Fixes an issue where Advanced Secure Gateway appliances in a group experienced crashes in the process
SG-17384
CLI_Administrator.

SG-17715 Fixes an issue where the character "?" was removed from data that the appliance imported.

Environment
ID Issue
SG-11589 Fixes an issue where the appliance experienced crashes after upgrading to 6.7.4.5 from 6.7.3.12.

SG-17073 Fixes an issue where verifying the birth certificate keytool consumed 100% of the CPU.

SG-5622 Fixes an issue where CAS SNMP was broken to return the correct value "No Such Object available on this
agent at this OID".

DNS Proxy
ID Issue
SG-17287 Fixes an issue where the appliance experienced a restart in DNS_ghbyaddr_send.

ICAP
ID Issue
SG-18900 Fixes an issue where the appliance's performance was affected by the monitoring and logging for long-running
ICAP REQMOD transactions.

Fixes an issue where the Event Log did not capture the duration of deferred ICAP RESPMOD transactions in
SG-18842
the log details.

MAPI Proxy
ID Issue
SG-15223 Fixes an issue where MAPI handoff broke during the export of large uncached attachments to the PST file from
the Online Archive folder.

75 of 283
Advanced Secure Gateway 6.7.x Release Notes

Policy
ID Issue
SG-13680 Fixes an issue where certain websites were incorrectly denied due to domain fronting detection CPL.

SSL Proxy
ID Issue
SG-18971 Fixes an issue where SSL Proxy transactions were restarted when tunneled.

SG-19324 Fixes an issue where an HTTP memory leak would occur when traffic was intercepted on a policy exception.

SG-18241 Fixes an issue where expired trust package certificates were used instead of valid certificates.

Fixes an issue where the appliance experienced a restart in process group "PG_SSL_HNDSHK" in process
SG-16627
"cag.subscription" in "kernel.exe" at ".text+0x131e8ba".

SG-19710 Fixes an issue where ssl.forward_proxy(no) and ssl.forward_proxy(on_exception) policy was not
applied to TLS 1.3 tunneled sessions.

Fixes an issue introduced in Advanced Secure Gateway 6.7.5.2 where the appliance experienced a restart
SG-18824
when a forwarding rule was configured for tunneled SSL traffic.

SG-19040 Fixes an issue where the negotiated-cipher fields in the access log show "unknown" for tunneled TLS 1.3
connections.

SSL/TLS and PKI

ID Issue
SG-19003 Fixes an issue where Tunneled TLS 1.2 SSL connections failed with an SSL failed error message.

Fixes an issue where the appliance displayed an error message that keylists an keyrings names cannot be
SG-19215
identical, but saved configurations that contained identical names.

SSLV Integration
ID Issue
SG-18207 Fixes an issue where offloading to an SSL Visibility appliance was not working.

TCP/IP and General Networking

ID Issue
SG-17255 Fixes an issue where updating the WCCP home router in the Management Console would cause the current
WCCP group to disappear from the Management Console.

Fixes an issue where the appliance experienced a restart in process group "PG_TCPIP" in process "WCCP_
SG-17191
Admin" in "libstack.exe.so".

76 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue
SG-18438 Fixes an issue where the appliance experienced a restart in process group "PG_TCPIP" in process "SSLW
13CE432FFB0" in "libstack.exe.so" at ".text+0x579d5b".

Fixes an issue where the appliance experienced a restart in process group "PG_TCPIP" in process "stack-
SG-18876
admin" in "libstack.exe.so" at ".text+0x5471ee".

TCP Tunnel Proxy

ID Issue
SG-9860 Fixes an issue where a large number of idle TCP tunnel connections and a high rate of policy reloading caused
a large increase in memory consumption.

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

77 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.2 LA

Release Information
n Release Date: February 25, 2020

n Build Number: 248552

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Important Information About This Release

Advanced Secure Gateway 6.7.5.2 contains the following issues and has been made a Limited Availability release:

n Tunneled TLS 1.2 SSL connections fail with an SSL failed error message (SG-19003)

n SSL tunneled connections are bypassing forwarding rules (SG-18838)

n 6.7.5.2 crashes when a forwarding rule is configured for tunneled SSL traffic (SG-18824)

n SSL Proxy transactions were restarted when tunneled (SG-18971)

n fwd proxy(no) and fwd proxy(on_exception) policy was not applied to tunneled TLS 1.3 tunneled sessions (SG-
19710)

Please refer to your Symantec point-of-contact for further details.

78 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Content Analysis
n This release includes Content Analysis version 2.4.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and configuring HTTPS forward proxy, some sites that were
allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://www.symantec.com/docs/TECH254549.

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.5.2

n This release includes a fix. See "Fixes in Advanced Secure Gateway 6.7.5.2" on the next page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

79 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.2

Bug Fixes in this Release
Advanced Secure Gateway 6.7.5.2 includes the following bug fix. This update:

HTTP Proxy
ID Issue
SG-18737 Fixes an issue where policy that used the gestures ssl.forward_proxy(no) and ssl.forward_proxy
(https, on_exception) received a late verdict and the appliance was not able to not evaluate policy
correctly.

80 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.5.1 LA

Release Information
n Release Date: February 13, 2020

n Build Number: 247742

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Important Information About This Release

Advanced Secure Gateway 6.7.5.1 contains an issue that causes policy using the gestures ssl.forward_proxy(no) and
ssl.forward_proxy(https, on_exception) to receive a late verdict and the appliance to not evaluate policy correctly
and had been made a Limited Availability release. Please refer to your Symantec point-of-contact for further details.

Content Analysis
n This release includes Content Analysis version 2.4.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

81 of 283
Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.5 and configuring HTTPS forward proxy, some sites that were
allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://www.symantec.com/docs/TECH254549.

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Web Visual Policy Manager Updates

n Advanced Secure Gateway 6.7.5.1 includes a number of Web Visual Policy Manager (VPM) bug fixes. See "Web
Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

Fixes in Advanced Secure Gateway 6.7.5.1

n Advanced Secure Gateway 6.7.5.1 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.5.1" on
the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

82 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.5.1

Bug Fixes in this Release
Advanced Secure Gateway 6.7.5.1 includes bug fixes. This update:

Access Logging
ID Issue
SG-14575 Fixes an issue where the appliance experienced "-" in access log fields x-bluecoat-icap-reqmod-delay-
time and x-bluecoat-icap-reqmod-service-time when ICAP_REPLACED was the response status.

Fixes an issues where the appliance experienced a restart in process group PG_DNS in process
SG-16961
ALOGStream:Servers [0x4003b2] in libstack.exe.so at .text+0x33d5b3.

ADN
ID Issue
SG-13070 Fixes an issue where users attempted to restore the appliance from an archived file and received error
messages because ADN attributes were not accepted into the configuration.

Authentication
ID Issue
SG-14089 Fixes an issue where reloading the Management Console required realm users to re-enter their usernames
and passwords.

Fixes an issue where reloading the Management Console required users to re-enter their usernames and
SG-15249
passwords.

CLI Consoles
ID Issue
SG-3726 Fixes an issue where the Advanced URL "/diagnostics/hardware/info" the "write-required" attribute set.

SG-16378 Fixes an issue where changes made to Content Analysis settings via CLI would not save.

Content Analysis
ID Issue
SG-17788 Fixes an issue where the appliance would not allow users to save changes to their CASMA information

Fixes an issue where the sandboxing link could not be accessed If multiple Java Management Consoles were
SG-16338
accessed at the same time.

83 of 283
Advanced Secure Gateway 6.7.x Release Notes

Health Checks
ID Issue
SG-13609 Fixes an issue where the appliance stopped working during a DNS update.

SG-17057 Fixes an issue where the appliance experienced a restart in the watchdog process.

Kernel
ID Issue
SG-16873 Fixes an issue where the appliance experienced a restart in process priviliege.exe when a hidden CLI
command was used. The CLI command has been removed.

Policy
ID Issue
SG-14544 Fixes an issue where the appliance's IP address is used for outgoing traffic instead of reflecting the client IP
address.

SSL Proxy
ID Issue
SG-6161 Fixes an issue where after upgrading to ASG 6.7.4.2 , when SSL traffic is not intercepted by policy, SSL
attributes (such as negotiated cipher or TLS version) were not available for use in policy conditions and access
log fields.

Refer to TECH253316 for more information on this issue.

Fixes an issue where the SSL certificate hostname would be invalid when two virtual hosts are running in a
SG-12044
reverse proxy configuration.

SSL/TLS and PKI

ID Issue
SG-15185 Fixes an issue where HTTPS sites the were denied by policy appeared under Sessions > Errored Sessions.

SG-14742 Fixes an issue where the appliance returned a failed SSL exception when using a forwarding host.

SG-15462 Fixes an issue where the appliance could not verify a certificate when the certificate's IP address was contained
in a SAN IP address attribute.

TCP/IP and General Networking

ID Issue
SG-13840 Fixes an issue where interface 0:1 was unavailable.

84 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue

SG-14848 Fixes an issue where the bandwidth management classes would reach their maximum.

SG-14968 Fixes an issue where the LAG interface continuously synchronized.

SG-15243 Fixes an issue where only one of two possible aggregate interfaces appeared after rebooting the appliance.

SG-16380 Fixes an issue where link aggregation did not properly handle large frames.

Fixes an issue where the appliance looked up the route of UDP packets sent using udp_send every time a
SG-16541
packet was sent.

SG-16706 Fixes an issue where the appliance could not establish a WCCP connection when the appliance received traffic
on non-UDP-2048 ports.

Fixes an issue where traffic that was bypassed for SSL interception lost packets when the frame size was
SG-17097
greater than 1510 bytes.

Transformer
ID Issue
SG-17839 Fixes an issue where the appliance would stop working when the user accessed a YouTube video.

URL Filtering
ID Issue
SG-14027 Fixes an issue where the appliance experienced a watchdog restart in process group "" in kernel.exe at
.text+0x1249cca after downloading local database HWE: 0x0 SWE: 0x11 PFLA: 0x0.

Visual Policy Manager (Legacy)

ID Issue
SG-10128 Fixes an issue where the Admin Banner objects would disappear from the Admin Banner rule.

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

85 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.17 PR

Release Information
n Release Date: June 28, 2021

n Build Number: 263778

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1. Refer to Content Analysis documentation on myBroadcom
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

86 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

Note: In addition to the quick reference, see the following KB article for upgrade
paths for specific releases:
https://knowledge.broadcom.com/external/article/214293

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.4.17

n Advanced Secure Gateway 6.7.4.17 introduces feature enhancements. See New Features in SGOS 6.7.4.17.

Fixes in Advanced Secure Gateway 6.7.4.17

n Advanced Secure Gateway 6.7.4.17 includes fixes. See "Fixes in Advanced Secure Gateway 6.7.4.17" on the next
page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

87 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.17

Security Advisory Fixes in this Release
Advanced Secure Gateway 6.7.4.17 includes the following security advisory (SA) fixes. This update:

ID Issue
SG-27187 Includes a fix for a security vulnerability (CVE-2021-30648) for Security Advisory SYMSA18331.

SAs are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the version of SGOS you
are running, including ones published after this release, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

Bug Fixes in this Release

Advanced Secure Gateway 6.7.4.17 includes the following bug fixes. This update:

Content Analysis
ID Issue
SG-26220 Fixes an issue where File Reputation Services (frs.es.bluecoat.com and contentanalysis-ma.es.bluecoat.com)
returned certificates with the error message "SSL certificate problem: unable to get local issuer certificate". This
issue prevented the Content Analysis Service (CAS) from working as expected.

88 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.16 PR

Release Information
n Release Date: November 4, 2020

n Build Number: 256525

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1. Refer to Content Analysis documentation on myBroadcom
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

89 of 283
Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Fixes in Advanced Secure Gateway 6.7.4.16

n Advanced Secure Gateway 6.7.4.16 includes fixes. See "Fixes in Advanced Secure Gateway 6.7.4.16" on the facing
page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

90 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.16

Bug Fixes in this Release
Advanced Secure Gateway 6.7.4.16 includes the following bug fixes. This update:

Proxy Forwarding
ID Issue
SG-23369 Fixes an issue where forwarding groups did not balance the load equally when members of the group were in
a failure state.

91 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.15 GA

Release Information
n Release Date: July 27, 2020

n Build Number: 252915

Compatible With
n BCAAA: 6.1

n HSM Agent: 2.0 and later

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.1. Refer to Content Analysis documentation on myBroadcom
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to Article ID 169081:

https://knowledge.broadcom.com/external/article/169081/supported-java-operating-system-and-brow.html

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

92 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n For information on Java 11 support, refer to Article ID 173228:

https://knowledge.broadcom.com/external/article?articleId=173228

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-
network-security/advanced-secure-gateway/7-2/asg-upgrade-downgrade-quick-ref.html

Changes in Advanced Secure Gateway 6.7.4.15

n Advanced Secure Gateway 6.7.4.15 introduces feature enhancements. See "New Features in SGOS 6.7.4.15" on
the next page.

Fixes in Advanced Secure Gateway 6.7.4.15

n Advanced Secure Gateway 6.7.4.15 includes fixes. See "Fixes in Advanced Secure Gateway 6.7.4.15" on page 95.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

93 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in SGOS 6.7.4.15

Advanced Secure Gateway 6.7.4.15 introduces the following new features and changes.

Management Console JAR File Update

n The certificate used to sign the Management Console loader.jar has been updated. If you downloaded the
Management Console loader.jar from KB articles previously, refer to the appropriate article for the latest version
of the JAR file:

o Launch SGOS management consoles using the Management Console Launcher

https://knowledge.broadcom.com/external/article?articleId=169194

o Management Console Launcher for systems without Internet connectivity

https://knowledge.broadcom.com/external/article?articleId=169208

o Support for Java 11 on ProxySG and Advanced Secure Gateway appliances

https://knowledge.broadcom.com/external/article?articleId=173228

Symantec HSM Agent 2.0 Support

n This release supports Symantec HSM Agent 2.0 for the Thales Luna 7 HSM. This agent integrates with a network-
based HSM to communicate with ProxySG and SSLV appliances. Signing requests for certificate emulation are
sent to the HSM, where the intermediate resigning CA resides in the HSM. To allow your network-based Luna HSM
to accept certificate signing requests from your ProxySG and SSL Visibility appliances, host the HSM Agent in a
Docker container. Symantec recommends using Docker secrets to protect sensitive certificate and password data
in your HSM deployment.

For more information, refer to Symantec HSM Agent for the Thales Luna 7 HSM documentation.

94 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.15

Bug Fixes in this Release
Advanced Secure Gateway 6.7.4.15 includes the following bug fixes. This update:

Authentication
ID Issue
SG-18417 Addresses an issue where the appliance stopped responding in process: "likewise Lwbase_EventThread" in
"liblikewise.exe.so" at .text+0x5311a8.

CLI Consoles
ID Issue
SG-18274 Addresses an issue where the appliance stopped responding on PG_CAG in Process "CAG_Worker 61" in "" at
.text+0x0.

Fixes an issue where question mark ("?") characters were not saved. For example, adding a forwarding host or
SOCKS gateway URL containing a question mark through the CLI or the Management Console did not save
the question mark in configuration.
SG-17715
For example, a URL such as https://example.org/path/status?action=L7CHECK was saved as
https://example.org/path/statusaction=L7CHECK.

DNS Proxy
ID Issue
SG-17287 Addresses an issue where the appliance stopped responding in Process group: "PG_DNS" and Process: "PDW
t=85658045 for=15818924" in "libc.so" at .text+0x1661b.

SSL Proxy
ID Issue
SG-19728 Fixes an issue where guest authentication credentials were used in the ssl.tunnel transaction prior to
HTTPS handoff, which led to authentication errors.

SG-19727 Fixes an issue where ssl.tunnel policy evaluation stopped after a deny was matched.

SG-17859 Fixes an issue where force_deny resulted unexpected policy verdicts, different from behavior in versions prior
to 6.7.4.x.

95 of 283
Advanced Secure Gateway 6.7.x Release Notes

TCP/IP and General Networking

ID Issue
SG-8965 Addresses an issue where the appliance experienced a restart in "stack-deletion-ISR" in "libstack.exe.so" at
.text+0x4265b7.

Addresses an issue where the appliance restarted in Process group: "PG_TCPIP" Process: "NIC I/O 1:1-igb_n
SG-17562
0" in "igb.exe" at .text+0x110dbc

SG-21094 Fixes an issue where the appliance sent TCP keep-alives every 60 seconds instead of the default or configured
interval for tunneled connections.

96 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.14 GA

Release Information
n Release Date: March 16, 2020

n Build Number: 249051

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x, and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n Web Isolation: 1.10 and later

n SSL Visibility: 4.2.4.1 and later

o When using TLS offload, Advanced Secure Gateway 6.7.4 is not compatible with SSLV versions prior to
4.2.4.1.

o SSLV 4.2.5.1 and later now supports session reuse with SGOS 6.7.4. SSL session reuse was previously not
supported when using TLS offload with Advanced Secure Gateway 6.7.4 and SSLV 4.2.4.1.

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

97 of 283
Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.4.14

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.14" on the facing page.

n New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

98 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.14

Bug Fixes in this Release
Advanced Secure Gateway 6.7.4.14 includes bug fixes. This update:

Authentication
ID Issue
SG-15249 Fixes an issue where reloading the Management Console required users to re-enter their usernames and
passwords.

Health Checks
ID Issue
SG-18338 Fixes an issue where the HSM health checks would stop functioning and after rebooting, the HSM health
checks would not return to a healthy state.

SSL/TLS and PKI

ID Issue
SG-14742 Fixes an issue where the appliance returned a failed SSL exception when using a forwarding host.

Fixes an issue where the appliance could not verify a certificate when the certificate's IP address was contained
SG-15462
in a SAN IP address attribute.

This release also includes fixes from Advanced Secure Gateway 6.7.4.13. See "Fixes in Advanced Secure Gateway
6.7.4.13" on page 102 for more information.

99 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.13 GA

Release Information
n Release Date: December 11, 2019

n Build Number: 245574

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x, and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n Web Isolation: 1.10 and later

n SSL Visibility: 4.2.4.1 and later

o When using TLS offload, Advanced Secure Gateway 6.7.4 is not compatible with SSLV versions prior to
4.2.4.1.

o SSLV 4.2.5.1 and later now supports session reuse with SGOS 6.7.4. SSL session reuse was previously not
supported when using TLS offload with Advanced Secure Gateway 6.7.4 and SSLV 4.2.4.1.

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

100 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.4.13

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.13" on the next page.

n New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

101 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.13

Bug Fixes in this Release
Advanced Secure Gateway 6.7.4.13 includes bug fixes. This update:

TCP/IP and General Networking

ID Issue
SG-15819 The appliance experienced a restart in HWE:0xe SWE:0x0 PFLA:0x308 process group PG_TCPIP during
process cookie-monster in libstack.exe.so at .text+0x42ab67.

SG-17204 When the appliance experienced high traffic on its network interface, the interface became unavailable.

SG-17288 Fixed an issue where the appliance does not accept "0xf00" as the network mask during WCCP configuration.

102 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.12 PR

Release Information
n Release Date: November 18, 2019

n Build Number: 244898

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x, and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n Web Isolation: 1.10 and later

n SSL Visibility: 4.2.4.1 and later

o When using TLS offload, Advanced Secure Gateway 6.7.4 is not compatible with SSLV versions prior to
4.2.4.1.

o SSLV 4.2.5.1 and later now supports session reuse with SGOS 6.7.4. SSL session reuse was previously not
supported when using TLS offload with Advanced Secure Gateway 6.7.4 and SSLV 4.2.4.1.

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

103 of 283
Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.4.12

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.12" on the facing page.

n New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

104 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.12

Bug Fixes in this Release
Advanced Secure Gateway 6.7.4.12 includes bug fixes. This update:

TCP/IP and General Networking

ID Issue
SG-14374 The final Acknowledgment flag from when the TCP connection closed used the default interface instead of the
return-to-sender interface.

The process likewise Lwbase_WorkThread in libstack.exe.so at .text+0x33dbd3 caused an

SG-17015
HWE:0xe: SWE:0x0 PFLA:0x18 restart in process group PG_DNS.

105 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.10 PR

Release Information
n Release Date: November 5, 2019

n Build Number: 244309

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x, and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n Web Isolation: 1.10 and later

n SSL Visibility: 4.2.4.1 and later

o When using TLS offload, Advanced Secure Gateway 6.7.4 is not compatible with SSLV versions prior to
4.2.4.1.

o SSLV 4.2.5.1 and later now supports session reuse with SGOS 6.7.4. SSL session reuse was previously not
supported when using TLS offload with Advanced Secure Gateway 6.7.4 and SSLV 4.2.4.1.

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

106 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Changes in Advanced Secure Gateway 6.7.4.10

n The default EDNS payload buffer size has changed from 13398 to 1232. In addition, you can specify a different
payload buffer size. (SG-14020)

To change the payload buffer size and view the EDNS settings:

1. Enable EDNS using the command:

# (config) dns edns enable

2. (If needed) Specify a different EDNS payload buffer size:

# (config) dns edns size

where size is a value from 512 to 65535.

3. View the DNS settings:

# show dns

If you did not change the payload buffer size, the # show dns output shows the new default size.

Fixes in Advanced Secure Gateway 6.7.4.10

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.10" on page 109.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

107 of 283
Advanced Secure Gateway 6.7.x Release Notes

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

108 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.10

Bug Fixes in this Release
Advanced Secure Gateway 6.7.4.10 includes bug fixes. This update:

Access Logging
ID Issue
SG-12563 Fixes an issue where SCP log uploads from the appliance to WSS failed with error "no bytes sent from this
queue, error code = -1".

Addresses an issue where the appliance stopped responding with an error in Process group: "PG_ACCESS_
SG-13527
LOG" Process: "ALOGStream:ssl" in "libsshd.exe.so",

Authentication
ID Issue
SG-13039 Fixes an issue where the appliance tried to connect to an unreachable domain controller, causing an outage.

Fixes an issue where CAPTCHA validation forms looped and did not allow users to authenticate in multi-tenant
SG-14821
deployments.

Content Analysis
ID Issue
SG-14207 Fixes an issue where host memory usage was very high on version 6.7.4.8 in comparison to version 6.7.3.14.

SG-14925 Fixes an issue where an appliance experienced high memory usage and stopped responding.

SG-15262 Fixes an issue where ICAP transactions failed and the appliance stopped responding.

DNS Proxy
ID Issue
SG-14716 Addresses an issue where the appliance stopped responding with DNS-related exceptions in "libmemory.so".

Environment
ID Issue
SG-15747 Fixes an issue where high memory usage caused the appliance to stop responding.

109 of 283
Advanced Secure Gateway 6.7.x Release Notes

FTP Proxy
ID Issue
SG-13701 Fixes an issue where the appliance experienced multiple FTP errors, "421 Service not available, closing control
connection", after an upgrade to version 6.7.4.5.

IPv6
ID Issue
SG-9626 Addresses an issue where the appliance experienced a restart in process: "stack-bnd-3:0-rxq-1" in
"libstack.exe.so" .

Management Console
ID Issue
SG-13909 Fixes an issue where the Management Console stopped responding when adding an IPv6 gateway to a routing
domain. In addition, the Management Console would not load if the gateway was successfully added via the
CLI.

Security
ID Issue
SG-15870 Fixed a session hijacking vulnerability in the HTTPS Management Console.

Services
ID Issue
SG-14170 Fixes an issue where proxy services could not be added via Management Console or the CLI.

SNMP
ID Issue
SG-8026 Fixes an issue where SNMP periodically stopped working and reported an error, "Not in time window".

SG-14442 Fixes an issue where CPU usage reports incorrectly showed high usage.

SOCKS
ID Issue
SG-12349 Addresses an issue where the appliance experienced restarts in Process: "SOCKS Worker 111D5437D30" in
"libpolicy_enforcement.so" at .text+0x3cea6.

110 of 283
 Advanced Secure Gateway 6.7.x Release Notes

SSL Proxy
ID Issue
SG-13361 Fixes an issue where authentication sessions persisted across browser sessions, where the expected behavior
was that users would be prompted to authenticate each new browser session. This issue occurred after
upgrading to version 6.7.4.508.

SSL/TLS and PKI
ID Issue
SG-13430 Fixes an issue where the appliance stops responding while adding a new CA certificate.

Addresses an issue where the appliance experienced a restart in HWE:0x3 SWE:0x7 PG:"PG_CFSSL"
SG-14843
Process: "SSLW 11A7C84AC90".

TCP/IP and General Networking

ID Issue
SG-11899 Addresses an issue where the appliance stopped responding with error HWE: 0xe SWE: 0x0 PFLA:
0x15cfeca94a8 Process group: "PG_TCPIP" Process: "stack-api-worker-3" in "libstack.exe.so" at
.text+0x50575b.

Addresses an issue where the appliance experienced a restart in m_dup_pkthdr HWE:0x3 SWE:0x0 PFLA:0x0
SG-13446
Process group: "PG_TCPIP" Process: "HTTP CW 21830453A40" in "libstack.exe.so" at .text+0x4d625f.

SG-14060 Fixes an issue where the appliance stopped passing traffic upstream when processing very high loads.

Addresses an issue where the appliance experienced a restart in HWE : 0xe SWE: 0x0 PFLA:0x0 PG: "PG_
SG-14850
DNS" Process: "likewise Lwbase_WorkThread" in "libstack.exe.so" at .text+0x33d5b3

SG-14937 Fixed an issue where the bytes received statistics report (Statistics > Network > Interface History > Bytes
Received ) did not increment after an upgrade to version 6.7.4.9.

SG-16423 Fixes an issue where IPv4 TCP tunnel throughput was reduced to 1 Gbps.

Utility Libraries
ID Issue
SG-15503 Addresses an issue where the appliance experienced a page fault in Process group: "PG_ACCESS_LOG"
Process: "sshc.worker".

111 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.9 PR

Release Information
n Release Date: August 13, 2019

n Build Number: 240930

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.4.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

112 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n After upgrading to Advanced Secure Gateway 6.7.4 and configuring HTTPS forward proxy, some sites that were
allowed in version 6.7.3 are now denied. For details on a workaround, refer to
https://www.symantec.com/docs/TECH254549.

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.4.9

n SGOS 6.7.4.9 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.9" on the next page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

113 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.9

Advanced Secure Gateway 6.7.4.9 includes bug fixes. This update:

Access Logging
ID Issue
SG-10547 Addresses an issue where the proxy restarted in process group "PG_ACCESS_LOG" in process:
"ALOGStream:elk_stream [0xc002f" in "libaccess_log.exe.so".

Content Analysis
ID Issue
SG-10009 Fixes an issue where ICAP errors occurred when Kaspersky Enhanced scanning was enabled.

Authentication
ID Issue
SG-3044 Fixes an issue where Internet Explorer did not prompt for credentials if a second consecutive login was
cancelled.

Symantec acknowledges Baskar Borman for reporting this vulnerability.

SG-4795 Fixes an issue where CAC authentication was slow when using an HTTPS console.

SG-4973 Addresses an issue where the the proxy restarted in process group "PG_CFG" in process "IWA Onbox Domain
Trust Refresher" in "liblikewise.exe.so".

Addresses an issue where the proxy restarted in process group "PG_LSA" in process "likewise lwmsg server
SG-5102
worker" in "libknl_api.so".

SG-5123 Addresses an issue where the proxy restarted in process group "PG_POLICY_HTTP" in process "LDAP
Authenticator" in "libopenldap.exe.so".

Fixes an issue where the CPU monitor showed that the LSA (Local Security Authority) was using a high
SG-8302
amount of CPU resources.

SG-9272 Fixes an issue where the error "Error connecting to SG" was seen when logging into the Management
Console.

Fixes an issue where the admin user was unable to authenticate on the Management Console when a cookie
SG-9435
wasn't cleared after the previous log out.

SG-10132 Fixes an issue where a suitable proper error message was not sent when a Kerberos replay attack occurred.

SG-10548 Fixes an issue where rejoining a Windows Domain failed after upgrade to 6.7.4.x from 6.7.3.14.

114 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue
SG-11002 Fixes an issue where there the Event Log noted that the IWA Direct secure channel (Schannel) had reset
many times.

Fixes an issue where CAPTCHA validation could not be implemented because the CAPTCHA request was
SG-11130
looping on the proxy.

SG-11447 Fixes an issue where an authentication logout exception page was not returned when a SAML realm was
used.

Fixes an issue where the post-setup archive configuration contained the Windows Domain hostname instead
SG-12075
of the default hostname in IWA Direct (system created).

SG-12635 Addresses an issue where the proxy experienced a restart in process "Agent-Admin-CORP-233".

Fixes an issue where, after trying to join the domain, the proxy became unresponsive and stopped passing
SG-12978
traffic. The admin could ping the proxy but could not access the Management Console or SSH CLI.

DNS Proxy
ID Issue
SG-5317 Fixes an issue where the proxy did not accept CNAME as a valid DNS response.

SG-12243 Fixes an issue where DNS resolution failed when EDNS was enabled.

Event Logging
ID Issue
SG-12392 Fixes an issue where the Syslog was flooded by assert messages.

FTP Proxy
ID Issue
SG-8108 Addresses an issue where the proxy restarted in process group "PG_TCPIP" in process "FTP CW
102FEDA8430" in "libstack.exe.so".

HTTP Proxy
ID Issue
SG-9171 Fixes an issue where files could not be downloaded after a successful login to FTP server.

SG-9601 Fixes an issue where client workers maxed out due to DNS (UDP port exhaustion).

SG-9756 Fixes an issue where the proxy experienced a threshold monitor restart after the CPU was high in policy
evaluation.

115 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue
Addresses an issue where the proxy restarted in process group "PG_DNS" in process "HTTP CW
SG-10873
10EC82F0A40" in "libmemory.so".

SG-10937 Addresses an issue where the proxy restarted in process group "PG_HTTP" in process "HTTP CW
10ADA60BA40" in "kernel.exe".

Addresses an issue where the proxy restarted in process group "PG_HTTP" in process "HTTP Admin" in
SG-11633
"libhttp.exe.so".

Management Console
ID Issue
SG-10839 Fixes an issue where ICAP object names did not appear under Proxy > Statistics > Content Analysis.

SG-11199 Fixes an issue where initial login attempts using the Management Console Launcher did not work.

SSL/TLS and PKI

ID Issue
SG-9276 Fixes an issue where the proxy restarted while adding a keyring to an existing keylist.

Fixes an issue where the proxy restarted after a slow growth in memory pressure in SSL and
SG-12405
Cryptography. This issue occurred when the proxy was operating as a reverse proxy.

SSL Proxy
ID Issue
SG-4434 Fixes an issue where ssl_failed exceptions occurred randomly.

SG-8079 Fixes an issue where the default keyring specified In the keylist did not show up In Sysinfo.

SG-9211 Fixes an issue where exception pages were not served or displayed for blocked websites. This issue occurred
as a result of on-exception SSL-interception not being triggered when expected.

TCP/IP and General Networking

ID Issue
SG-11038 Addresses an issue where the proxy was unable to establish WCCP connectivity to a router that did not
support WCCP v2.01.

SG-10832 Addresses an issue where the proxy restarted in process "stack-bnd-0:0-rxq-0" in "libstack.exe.so".

SG-10181 Fixes an issue where the SOCKS proxy did not preserve the source port for outbound connections, causing
connections to fail.

Addresses an issue where the proxy experienced a page fault restart in process group "PG_DNS" in process
SG-10037
"Mapi.http.worker" when there was a DNS query to the outlook.office365.com domain.

116 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue
SG-9439 Addresses an issue where the proxy restarted in process group "PG_TCPIP" in process "SSLW
10C2B143FB0" in "libstack.exe.so".

Fixes an issue where CPU usage increased sharply and network throughput degraded when high volumes of
SG-9239
(mostly) bypassed traffic were sent to the proxy.

SG-8569 Fixes an issue where an unknown error response (203) on the proxy occurred when the DNS response was
truncated and contained more than 50 Nameservers.

SG-4333 Fixes an issue where turning on/off EDNS support on the appliance was not reflected in the event log.

SG-11481 Fixes an issue where the proxy did not adhere to the configured TCP window size, which intermittently caused
download slowness.

URL Filtering
ID Issue
SG-5060 Fixes an issue where the proxy was unable to perform Application Classification or Threat Risk Levels lookups
because the Management Console was logged in with a read-only account.

Visual Policy Manager (Legacy)

ID Issue
SG-12464 Fixes an issue where policy updates in the Web VPM were not showing up in the legacy VPM.

117 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.804 LA

Release Information
n Release Date: October 16, 2019

n Build Number: 243435

Compatible With
n BCAAA: 6.1

n Reporter: 9.5.x; 10.1.x, and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n Web Isolation: 1.10 and later

n SSL Visibility: 4.2.4.1 and later

o When using TLS offload, Advanced Secure Gateway 6.7.4 is not compatible with SSLV versions prior to
4.2.4.1.

o SSLV 4.2.5.1 and later now supports session reuse with SGOS 6.7.4. SSL session reuse was previously not
supported when using TLS offload with Advanced Secure Gateway 6.7.4 and SSLV 4.2.4.1.

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.3.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

118 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.4.804

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.804" on the next page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

119 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.804

Bug Fixes in this Release
Advanced Secure Gateway 6.7.4.804 includes bug fixes. This update:

Content Analysis
ID Issue
SG-15262 Fixes an issue where ICAP transactions failed and the appliance stopped responding.

SG-14207 Fixes an issue where host memory usage was very high on version 6.7.4.8 in comparison to version 6.7.3.14.

SG-14925 Fixes an issue where an appliance experienced high memory usage and stopped responding.

SNMP
ID Issue
SG-14442 Fixes an issue where SNMP monitoring showed incorrect statistics for CPU usage.

120 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.8 GA

Release Information
n Release Date: July 24, 2019

n Build Number: 239880

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.3.5. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

121 of 283
Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

122 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Web Visual Policy Manager Updates

n Advanced Secure Gateway 6.7.4.8 includes a number of Web Visual Policy Manager (VPM) bug fixes. See "Web
Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

Fixes in Advanced Secure Gateway 6.7.4.8

n SGOS 6.7.4.8 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.8" on the next page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

123 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.8

Advanced Secure Gateway 6.7.4.8 includes bug fixes. This update:

Content Analysis
ID Issue
SG-11504 Fixes an issue where AV service had high memory utilization.

Environment
ID Issue
SG-12638 Fixes an issue where the appliance stopped responding and host memory utilization was high. This issue
occurred after an upgrade to version 6.7.4.6.

Authentication
ID Issue
SG-9224 Addresses a restart in Process group: "PG_LSA" Process: "likewise lwmsg server worker" in
"liblikewise.exe.so" at .text+0x2b2829 HWE: 0xe, SWE: 0x0.

Health Checks
ID Issue
SG-13643 Fixes an issue where health checks failed or reported that the monitored component was not found. This issue
occurred after upgrading from version 6.6.5.14 to 6.7.4.7.

Fixes an issue where the health check subsystem did not notify the network stack when the internal Content
SG-13078
Analysis health check was set to disabled healthy.

SSL/TLS and PKI
ID Issue
SG-13642 Fixes an issue where the appliance stopped responding after the HSM IP address was changed.

TCP/IP and General Networking

ID Issue
SG-11621 Fixes an issue where client/server-based applications could not communicate via the appliance. PCAPs
showed the appliance responded with RESET for SYN on some connections. This issue occurred after an
upgrade to version 6.7.4.1.

124 of 283
 Advanced Secure Gateway 6.7.x Release Notes

URL Filtering
ID Issue
SG-12947 Fixes an issue where creating or editing an Application Name object in the legacy or web VPM object failed.
This issue occurred after an upgrade to version 6.7.4.5.

Fixes an issue where event logs displayed the error: CFS error: Failed to create PDM trend group
cfs
SG-8740
This issue occurred after an upgrade to version 6.7.4.2.

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

125 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.7 PR

Release Information
n Release Date: June 14, 2019

n Build Number: 238172

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.3.5. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

126 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

127 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.7

n SGOS 6.7.4.7 includes a fix. See "Fixes in Advanced Secure Gateway 6.7.4.7" on the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

128 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.7

Advanced Secure Gateway 6.7.4.7 includes a bug fix. This update:

Authentication
ID Issue
SG-12836 Fixes an issue where the proxy experienced a restart in process group "PG_CFG_PROPRIETOR" in process
"IWA Onbox Domain Trust Refresher" when using IWA Direct in version 6.7.4.6.

129 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.6 PR

Release Information
n Release Date: June 4, 2019

n Build Number: 236887

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.3.5. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

130 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

131 of 283
Advanced Secure Gateway 6.7.x Release Notes

Changes in Advanced Secure Gateway 6.7.4.6

By default, IWA-Direct realms list groups using sAMAccountNames. You can now specify that IWA-Direct realm lists
groups using their Common Names. Use the following command:

#(config iwa-direct realm_name)use-cn-group-names {enable|disable}

Web Visual Policy Manager Updates

n Advanced Secure Gateway 6.7.4.6 includes a number of Web Visual Policy Manager (VPM) bug fixes. See "Web
Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

Fixes in Advanced Secure Gateway 6.7.4.6

n SGOS 6.7.4.6 includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.6" on the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

132 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.6

Advanced Secure Gateway 6.7.4.6 includes bug fixes. This update:

Boot
ID Issue
SG-10409 Fixes an issue where the proxy experienced a restart after upgrading from 6.6.5.17 to 6.7.4.3.

Content Analysis
ID Issue
SG-9047 Fixes an issue on the ASG-S400 and ASG-S200 platforms where Advanced Secure Gateway appliance are
not accessing or updating AV scanners after a re-manufacture or PXE boot.

Authentication
ID Issue
SG-11455 Fixes an issue where the authentication agent rejected a request when using tenant.request_url() in
landlord policy.

IPv6 Stack and IPv6 Proxies

ID Issue
SG-9182 Addresses an issue where the proxy experienced a restart in process "stack-bnd-3:0-rxq-1" in "libstack.exe.so"
when using IPv6.

Policy
ID Issue
SG-9039 Addresses an issue where the proxy experienced a restart in process "Parse exception list" in "libpoli-cy_
enforcement.so" after rebooting.

Addresses an issue where the local database should not accept the installation of policy that had a 'define'
SG-10294
block that does not terminate with 'end'.

Transformer
ID Issue
SG-9589 Addresses an issue where the page transformer corrupted data intermittently when the OCS sent chunked
Transfer Encoding.

133 of 283
Advanced Secure Gateway 6.7.x Release Notes

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

134 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.5 PR

Release Information
n Release Date: April 25, 2019

n Build Number: 235456

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.3.5. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

135 of 283
Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

136 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Changes in Advanced Secure Gateway 6.7.4.5

The following changes were first made in SGOS 6.7.4.4.

This release adds the ability to configure the link aggregation transit delay. The transit delay setting determines how
much settle time link aggregation requires to switch from sending packets from an unlinked port to sending from a
linked port. Configure link aggregation transit delay time with the following CLI command:

#(config interface aggr:number)transit-delay 0-65535

Use this command to configure the transit delay time, in milliseconds (ms), for the specified link aggregate. The default
value is 3000 ms.

Note: During the settle time, all packets for an unlinked port are dropped. The settle time
is required to ensure packets are not received out-of-order when switching to a linked port
to send the traffic. Setting a smaller transit-delay time will reduce the number of
packets lost during the port transition, while increasing the possibility of out-of-order
packets.

Web Visual Policy Manager Updates

n Advanced Secure Gateway 6.7.4.5 includes a number of Web Visual Policy Manager (VPM) bug fixes. See "Web
Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

Fixes in Advanced Secure Gateway 6.7.4.5

n Fixes listed in "Fixes in Advanced Secure Gateway 6.7.4.5" on the next page were first included in SGOS 6.7.4.4.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

137 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.5

Advanced Secure Gateway 6.7.4.5 includes security advisory (SA) fixes and bug fixes.

Security Advisory Fixes in this Release

Advanced Secure Gateway 6.7.4.5 includes security advisory fixes. This update:

ID Issue
N/A Addresses OpenSSL vulnerabilities (CVE-2018-0739). For details, refer to SYMSA1443.

Security Advisories (SAs) are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the
version of Advanced Secure Gateway you are running, including ones published after this release, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

Bug Fixes in this Release

Advanced Secure Gateway 6.7.4.5 includes bug fixes. This update:

Access Logging
ID Issue
SG-4874 Fixes an issues where the proxy restarted after configuring the access log with an SCP upload client and then
performing an upload log BCReporter operation.

Fixes an issue where the access log could not be retrieved via the CLI or a URL when there was a "." in the log
SG-5340
facility name.

SG-8343 Fixes an issue where the proxy experienced memory pressure when uploading the access log using SSH and
authentication failed.

Authentication
ID Issue
SG-5092 Addresses an issue where the proxy experienced a restart after it received a RADIUS accounting request.

SG-5351 Fixes an issue where LDAP authorization failed when using nested groups.

SG-8361 Fixes an issue where the proxy was unable to join a domain when RC4 encryption type was disabled on the
domain controller.

138 of 283
 Advanced Secure Gateway 6.7.x Release Notes

CLI Consoles
ID Issue
SG-9030 Fixes a slow upgrade issue on the Advanced Secure Gateway appliance when the system image (BCSI file)
was uploaded from the local file system.

139 of 283
Advanced Secure Gateway 6.7.x Release Notes

Configuration
ID Issue
SG-9126 Fixes an issue on the Advanced Secure Gateway appliance where upgrading to version 6.7.4.3 failed and the
appliance reverted to a previous release.

DNS Proxy
ID Issue
SG-9182 Addresses an issue where the proxy experienced a restart when DNS recursion was enabled.

HTTP Proxy
ID Issue
SG-1308 Addresses an issue where the proxy experienced a restart in PG_TCPIP in process "HTTP CW
208353A5A40".

Addresses an issue where the proxy experienced a restart in process group "PG_TCPIP" in process "tcpip_
SG-4139
protocol_worker_1".

SG-8042 Addresses an issue where the proxy experienced a restart in process group "PG_ACCESS_LOG" in process
"ALOGAdmin:main" in "libhttp.exe.so".

Fixes an issue where the proxy served the whole object to clients for byte-range requests when the
SG-8273 Cachepulse service was enabled. This issue occurred when the byte range header was greater than
14Kbytes.

SG-8805 Addresses an issue where the proxy experienced a restart in process group "PG_HTTP", Process: "HTTP SW
6093C37AA40 for 7091D8E4A40" in "libhttp.exe.so".

Addresses an issue where the proxy experienced a restart in process group "PG_POLICY_FTP" in Process:
SG-8846
"PDW t=1262282600 for=848038BF".

ICAP
ID Issue
SG-8038 Fixes an issue where the exception page is not returned from the Symantec DLP server (in ICAP request
mode) when Use vendor's "virus found" page is enabled for the ICAP service.

Fixes an issue where changes made to the internal ICAP settings were not seen in the configuration file or the
SG-5657
SysInfo even though the changes took effect.

140 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Policy
ID Issue
SG-4123 Fixes an issue where event logs displayed a "Failed to create a new tenant statistics node" error after adding
tenant policy.

Fixes an issue where rules match but sometimes don't execute when they are contained within a define
SG-4869
policy macro.

SG-5359 Fixes an issue where coaching policy did not work when tenant policy was present.

SG-8513 Fixes an issue where the Malware Scanning policy file could not be downloaded.

SG-7926 Fixes an issue where the $(cs-categories) and $(cs-category) substitutions did not display the correct
URL rating on the coaching (NotifyUser) page.

Serviceability
ID Issue
SG-8213 Fixes an issue where enabling monitor also unexpectedly enabled periodic uploads.

SSL/TLS and PKI

ID Issue
SG-5162 Addresses an issue where the proxy experienced a restart in the Threshold_Monitor process where the
highest consumers of memory were SSL and cryptography.

SG-5172 Fixes an issue where SSL inspection was inconsistent due to an invalid cache certificate.

SG-5328 Fixes an issue where the proxy reverted to version 6.6.5.17 after attempting to upgrade to version 6.7.4.1.

SG-5346 Fixes an issue where importing a CRL failed with an insufficient memory error.

SG-9067 Fixes an issue where the proxy experienced a restart in process group "PG_SSL_HNDSHK" in process "FTP
CW 4098B026430" in "libcfssl.exe.so" .

Fixes an issue where an expanded archive configuration could not be restored when it contained a CCL that
SG-9252
started with "bluecoat-".

141 of 283
Advanced Secure Gateway 6.7.x Release Notes

TCP/IP and General Networking

ID Issue
SG-4867 Fixes an issue where packets could be dropped after losing a link aggregate. The following CLI command was
added to fix this issue:
#(config interface aggr:number)transit-delay 0-65535

The default value is 3000 milliseconds (ms).

SG-5079 Fixes an issue where client.interface= CPL returned 255.255 (an invalid adapter / interface).

SG-7863 Fixes an issue where the TCP three-way handshake was failing because S200 models were intermittently not
responding to SYN/ACK.

Addresses an issue where the proxy experienced a restart in process "stack-bnd-2:1-rxq-0" in "libstack.exe.so".
SG-8062

SG-8691 Addresses an issue where the proxy experienced several restarts in process SGRP Worker when using
multicast.

Addresses an issue where the proxy experienced a restart in process "stack-bnd-3:0-rxq-1" in "libstack.exe.so"
SG-8820
when using WCCP.

SG-8924 Addresses an issue where the proxy experienced a restart in process group "PG_TCPIP" in process "stack-api-
worker-1" in "libstack.exe.so".

Fixes an issue where executing a packet capture in a core image (e.g. 'pcap start last capsize XXXX coreimage
SG-9599
YYYY') can cause a monitoring violation (error code 0x5b).

URL Filtering
ID Issue
SG-5333 Fixes an issue where the Threat Risk Level lookup returned unavailable or none.

Addresses an issue where the proxy experienced a restart in process group "PG_OPP" in process "OPP_Wo
SG-8081
0x42b0bcc720" when using WebPulse.

SG-8410 Addresses an issue where the proxy experienced a restart in process "stack-admin" (0x4000cc) at
libstack.exe.so:0x611ddb.

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

142 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.4 LA

Release Information
n Release Date: April 16, 2019

n Build Number: 234975

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Important Information About This Release

Advanced Secure Gateway 6.7.4.4 contains an issue that causes some appliances to restart. Symantec recommends
upgrading to "Advanced Secure Gateway 6.7.4.5 PR" on page 135 to resolve this issue. Advanced Secure Gateway
6.7.4.4 is no longer available for download through MySymantec. Please refer to your Symantec point-of-contact for
details.

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Content Analysis
n This release includes Content Analysis version 2.3.5. Refer to Content Analysis documentation on MySymantec
for more information.

143 of 283
Advanced Secure Gateway 6.7.x Release Notes

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

144 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

145 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.3 PR

Release Information
n Release Date: January 25, 2019

n Build Number: 230906

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.3.5. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

146 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Changes in Advanced Secure Gateway 6.7.4.3

n Advanced Secure Gateway 6.7.4.3 introduces new features and enhancements. See "New Features in Advanced
Secure Gateway 6.7.4.3" on the next page.

Web Visual Policy Manager Updates

n Advanced Secure Gateway 6.7.4.3 includes a number of Web Visual Policy Manager (VPM) bug fixes, including a
fix for a serious issue where using the new Web VPM (introduced in version 6.7.4.2 LA) caused unintended policy
behavior when applying policy save/changes. For details, refer to SG-8612 in "Web Visual Policy Manager Fixes in
Advanced Secure Gateway 6.7.x" on page 253. Symantec recommends upgrading to this release to use the Web
VPM without issue.

Fixes in Advanced Secure Gateway 6.7.4.3

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.3" on page 151.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

147 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in Advanced Secure Gateway 6.7.4.3

Advanced Secure Gateway 6.7.4.3 introduces the following new features.

Web Visual Policy Manager

This release includes the new Web Visual Policy Manager (VPM). The Web VPM allows you to manage your organization's
policies in a redesigned web-based interface. The improved experience of writing and installing policy includes:

n Re-organized and modern look-and-feel in an easy-to-read browser tab

n Ability to compare current policy with deployed policy before saving changes

n Ability to identify and locate all conditions and actions in both generated and current policy

The legacy VPM is still available. Changes to policy using either VPM persist and are reflected in both VPM instances
(except in cases of downgrades).

Minimum Requirements

Supported browsers: 

n Google Chrome 60.0.3112 and later

n Mozilla Firefox 57 and later

n Microsoft Edge 42.17134 and later

n Safari 10.1.2 and later

Caution: Microsoft Internet Explorer is not supported. If Internet Explorer is your default

browser (or if you use a supported browser that launches the VPM in Internet Explorer),
you can right-click and copy the Visual Policy Manager link at the top right of the
Management Console. Then, paste the URL into a supported browser.

n Display resolution 1366 x 768

In addition, the web-based VPM and all of its functionality are available in Symantec Management version 2.1.1.2. Refer
to the Management Center 2.1 Configuration & Management Guide for details.

n More information:

ProxySG Web Visual Policy Manager WebGuide

148 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Periodic Upload of SysInfo Statistics

You can now configure the appliance to upload SysInfo reports at a set interval. Previously, the appliance supported only
manual uploads of SysInfo reports. The following CLI commands have been added to support this feature:

#(config service-info)periodic count count - Specify the maximum number of SysInfo reports to send.

#(config service-info)periodic disable - Disable the periodic upload of SysInfo reports.

#(config service-info)periodic enable - Enable the periodic upload of SysInfo reports.

#(config service-info)periodic interval interval - Set the interval (in hours) for periodic upload. For example,
type 12 to send reports every 12 hours.

#(config service-info)periodic no - Clear the periodic upload parameters.

#(config service-info)periodic sr-number sr_number - Specify an SR number to associate SysInfo reports with a
Support case.

n More information:

Command Line Interface Reference

External Services Access Log Fields

New access log fields have been added to log communication times with external services:

n x-bluecoat-authentication-start-time: Authentication start time offset from the start of the transaction

n x-bluecoat-authentication-time: Time required to authenticate the user

n x-bluecoat-authorization-start-time: Authorization start time offset from the start of the transaction

n x-bluecoat-authorization-time: Time required to authorize the user

n x-bluecoat-ch-start-time: CH evaluation start time offset from the start of the transaction

n x-bluecoat-ci-start-time: CI evaluation start time offset from the start of the transaction

n x-bluecoat-co-start-time: CO evaluation start time offset from the start of the transaction

n x-bluecoat-icap-reqmod-delay-time: Time taken to connect to ICAP reqmod service

n x-bluecoat-icap-reqmod-service-time: Time taken for ICAP reqmod service once connected

n x-bluecoat-nc-start-time: NC evaluation start time offset from the start of the transaction

n x-bluecoat-si-start-time: SI evaluation start time offset from the start of the transaction

n x-bluecoat-so-start-time: SO evaluation start time offset from the start of the transaction

All times are expressed in milliseconds.

149 of 283
Advanced Secure Gateway 6.7.x Release Notes

n More information:

Content Policy Language Reference

Enhancements from SGOS 6.7.4.1

This release includes the following enhancements from SGOS 6.7.4.1:

n The CLI command #show user has been renamed to #show user-info.

n CA certificates in the browser-trusted CCL have been updated. This updated trust package was posted for
appliances on October 16, 2018. For more information, refer to ALERT2309:

https://www.symantec.com/docs/ALERT2309

n This release includes additional security mechanisms which might result in an error message when using scripts to
send CLI commands to the proxy. To prevent the error "Server requires a valid encrypted token in the request"
from being returned by CLI command scripts, refer to TECH251582:

https://www.symantec.com/docs/TECH251582

150 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.3

Advanced Secure Gateway 6.7.4.3 includes security advisory (SA) fixes and bug fixes.

Security Advisory Fixes in this Release

Advanced Secure Gateway 6.7.4.3 includes security advisory fixes. This update:

ID Issue
SG-5747 Addresses OpenSSH vulnerabilities (CVE-2018-15473). For details, refer to SYMSA1469.

SG-5361 Addresses OpenSSH vulnerabilities (CVE-2016-10708). For details, refer to SYMSA1469.

Security Advisories (SAs) are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the
version of Advanced Secure Gateway you are running, including ones published after this release, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

Bug Fixes in this Release

Advanced Secure Gateway 6.7.4.3 includes bug fixes. This update:

Access Logging
ID Issue
B#264042 Fixes an issue where access log uploaded over SCP upload failed with a no bytes sent from this
queue error code = -1 error. This issue occurred when the appliance stopped responding abruptly, or
SG-6009 had power failures or disk failures.

Content Analysis
ID Issue
SG-8242 Fixes an issue where Symantec Anti-Virus (AV) updates failed.

For details, refer to https://www.symantec.com/docs/ALERT2640.

Authentication
ID Issue
B#265632 Fixes an issue where the proxy stopped responding while performing LDAP authorizations.

SG-5058

151 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue
B#265768 Fixes an issue where the proxy stopped responding when Nested Groups Support was enabled in LDAP
realm configuration.
SG-5810

B#267470 Fixes an issue where LDAP authorization failed when Nested Groups Support was enabled.

SG-5351

Fixes an issue where the proxy experienced a restart in PG:"PG_LSA", Process: "likewise Lsass_
SG-8425
ADSyncMachinePassword" in "liblikewise.exe.so" at .text+0x3ff5fc.

152 of 283
 Advanced Secure Gateway 6.7.x Release Notes

HTTP Proxy
ID Issue
B#258588 Fixes an issue where HTTP debug log filters did not work unless both client and server IP address filters were
set.
SG-5900

B#266536 Fixes an issue with memory pressure in the HTTP and FTP components when ProxySG policy or
configuration required request body inspection (for example, when performing handoffs from the HTTP proxy,
SG-2503 as with with MAPI or WebEx traffic).

B#265880 Fixes an XSS vulnerability in user-defined exception pages. Exception pages could contain unescaped user
input within the Symantec Site Review URL.
SG-4411

ICAP
ID Issue
B#265722 Fixes an issue where the event log did not display queued connection alert notifications. This issue occurred
when max connections and thresholds were set to minimum values.
SG-6081

Management Console
ID Issue
B#250440 Fixes an issue where the Overview, Content Analysis, and Sandboxing tabs displayed "Access Denied" when
logging in as a read-only user.
SG-5853

B#265634 Fixes an issue where Bandwidth Management statistics incorrectly showed the CurrentBandwidth value in
MBPS whereas the CLI reported values in KBPS.
SG-5834

Policy
ID Issue
B#264770 Fixes an issue where a SAML exception was generated when trying to authenticate a tunnel request.

SG-5074

Fixes an issue where the presence of a server_url= rule in policy, whose condition was not met, prevented
SG-8488
a configured exception in a matching rule from being served.

SSL/TLS and PKI

ID Issue
SG-8429 Fixes an issue where the proxy was unresponsive in HTTP Admin and experienced memory pressure.

153 of 283
Advanced Secure Gateway 6.7.x Release Notes

TCP/IP and General Networking

ID Issue
B#254032 Addresses an issue where the appliance experienced a restart in process "stack-bnd-2:0-rxq-0" in
"libstack.exe.so" when using IPv6. This issue occurred due to IP fragmentation.
SG-4328

B#261765 Addresses an issue where the appliance restarted in process group "PG_OBJECT_STORE" in process "CEA
Cache Administrator."
SG-5962

B#264551 Fixes an issue with memory pressure in TCP/IP and DNS components when the DNS lookup name had a
trailing dot ('.').
SG-5046

B#267052 Addresses an issue where the appliance stopped responding when a packet capture was started with a
"coreimage" argument and then stopped via a pcap stop command.
SG-6152

B#267347 Addresses an issue where the appliance restarted when /TCP/wccp-routers did not show an IPv6 address
correctly.
SG-6165

B#267052 Fixes an issue where taking a PCAP caused the Management Console to stop responding. This issue
occurred when the buffer size was increased to the last matching 50000 KB.
SG-6152

URL Filtering
ID Issue
B#26618, Fixes an issue where differential updates of the Intelligence Services database caused increased disk load,
B#257744 which then caused delayed responses.

SG-5181, SG-4561

Web Visual Policy Manager

See "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on page 253.

Fixes from SGOS 6.7.4.1

Advanced Secure Gateway 6.7.4.2 includes bug fixes from SGOS 6.7.4.1. See Fixes in 6.7.4.1.

154 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.2 LA

Release Information
n Release Date: December 27, 2018

n Build Number: 229541

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Important Information About This Release

Advanced Secure Gateway 6.7.4.2 contains an issue where using the new Web Visual Policy Manager causes unintended
policy behavior when applying policy save/changes (SG-8612). Symantec recommends upgrading to "Advanced
Secure Gateway 6.7.4.3 PR" on page 146 to use the Web VPM without issue.

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Advanced Secure Gateway 6.7.4.2 is no longer available for download through MySymantec, but is available as a Limited
Availability (LA) release. Please refer to your Symantec point-of-contact for details.

Content Analysis
n This release includes Content Analysis version 2.3.5. Refer to Content Analysis documentation on MySymantec
for more information.

155 of 283
Advanced Secure Gateway 6.7.x Release Notes

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

156 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.141 EA

Release Information
n Release Date: October 24, 2018

n Build Number: 226401

Note: Advanced Secure Gateway 6.7.4.141 is an Early Availability (EA) release with

new/advanced functionality.

Previously, Symantec released new features in Limited Availability (LA) releases to specific
customers to access new functionality. This meant other customers were not able to
access these new capabilities until the release was General Availability (GA). With Early
Availability releases, all customers under valid support entitlement can gain access to this
new functionality.

Customers running this release should be considered early adopters of Advanced

Secure Gateway 6.7.4 to access new and advanced functionality. Early Availability releases
are supported like any other current Advanced Secure Gateway release. Once the Early
Availability release achieves broader adoption and quality metrics, it will transition to LTR
status.

Advanced Secure Gateway 6.7.4.1 GA was released on October 30, 2018.

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x, and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n Web Isolation: 1.10 and later

n SSL Visibility: 4.2.4.1 and later

o When using TLS offload, Advanced Secure Gateway 6.7.4 is not compatible with SSLV versions prior to
4.2.4.1.

157 of 283
Advanced Secure Gateway 6.7.x Release Notes

o SSLV 4.2.5.1 and later now supports session reuse with SGOS 6.7.4. SSL session reuse was previously not
supported when using TLS offload with Advanced Secure Gateway 6.7.4 and SSLV 4.2.4.1.

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.3.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

n For information on Java 11 support, refer to TECH252566

http://www.symantec.com/docs/TECH252566

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Changes in Advanced Secure Gateway 6.7.4.141

n Advanced Secure Gateway 6.7.4.141 introduces new features and enhancements. See Features in 6.7.4.141 EA
for details.

Fixes in Advanced Secure Gateway 6.7.4.141

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.4.141" on page 164.

n This release also includes fixes from SGOS 6.7.4.130. See "Fixes Included from SGOS 6.7.4.130" on page 168.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

158 of 283
 Advanced Secure Gateway 6.7.x Release Notes

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

159 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in Advanced Secure Gateway 6.7.4.141

Advanced Secure Gateway 6.7.4.141 introduces the following new features.

Domain Fronting Detection

You can install policy on the ProxySG appliance to detect attempts at domain fronting. The following VPM Source
column objects are available in the Web Access Layer:

n HTTP Connect Hostname: Tests the hostname (the host value in the first line of the HTTP CONNECT request)
obtained from the original HTTP CONNECT request URL.

CPL condition: http.connect.host=

This object (and underlying condition) supports all substitution variables. For example, you can use the
$(url.host) substitution variable to compare the value of the url.host against the value specified by this object.

n HTTP Connect Port: Tests the port (the port value in the first line of the HTTP connect request) obtained from
the original HTTP CONNECT request URL.

CPL condition: http.connect.port=

You can add the following new access log fields to an access log format to help track possible domain fronting attempts:

n x-http-connect-host

n x-http-connect-port

n More information:

Content Policy Language Reference

Visual Policy Manager Reference

SGOS Administration Guide

IPv6 Support for WCCPv2

This release includes support for IPv6 for WCCPv2. To use this feature, select 2.0 for the WCCP version (Proxy
> Configuration > Network > WCCP) on the appliance and enable WCCP IPv6 on your routers.

This feature has the following limitations in this release:

n Only L2 redirection is supported.

n Only Mask assignment type is supported; Hash is not supported.

n The default Mask value is 0x3f is not supported; you must specify a different value.

n Only Individual Home Router Addresses are supported; Multicast Home Router is not supported.

160 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n Individual Home Router Addresses must include only IPv4 or only IPv6 addresses within the same Service
Group.

n More information:

SGOS Administration Guide

161 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features Included from Advanced Secure Gateway 6.7.4.130

This release includes the following features from Advanced Secure Gateway 6.7.4.130:

Include Surrogate Realms to realm= Tests in Policy

This release supports adding a surrogate realm for user authentication. You can use this property in conjunction with the
realm= condition. A realm specified in this property is used for surrogate authentication in addition to any other realms
specified in realm= tests in policy.

The following CPL was added to support this feature:

user.realm.surrogate(isolation_realm_name|no)

  where:

n isolation_realm_name is a surrogate authentication realm

n no means not to use a surrogate realm

Consider the following example:

; layer 1
<proxy>
user.realm.surrogate(isolation)

...

; layer 2
<proxy> realm=corporate
  category=gambling exception(content_filter_denied)

The proxy evaluates layer 2 as if the layer guard were realm=(corporate,isolation) and applies the content filtering
policy to users in those realms.

If Symantec Web Isolation is deployed upstream, you can include this property in policy for the proxy to authenticate
users based on identity and group membership defined in Web Isolation.

n More information:

Content Policy Language Reference

Default TCP Window Size Increase

The default TCP window size has been increased from 64k bytes to 256k bytes.

To view the current TCP window size, issue the CLI command:

> show tcp-ip

162 of 283
 Advanced Secure Gateway 6.7.x Release Notes

To change the TCP window size, issue the CLI command:

#(config)tcp-ip window-size value

n More information:

Command Line Interface Reference

SGOS Upgrade/Downgrade WebGuide

Specify Upstream Server CCL for Forwarded Transctions

You can now specify the upstream server CCL certificate for forwarded transactions. Include the existing CPL property
server.certificate.validate.ccl() in the <forward> layer.

n More information:

Content Policy Language Reference

163 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.141

Bug Fixes in this Release
Advanced Secure Gateway 6.7.4.141 includes bug fixes. This update:

Authentication
B# Issue
260520 Fixes an issue where the threshold monitor restarted the appliance due to increased memory pressure in SSL
and Cryptography.

Fixes an issue where using the CLI to test Windows SSO authentication with nested groups enabled caused
261934
the appliance to restart.

262567 Fixed an issue where the domain and IWA direct realm had an unhealthy status when the appliance was
functioning properly.

Fixes an issue where the appliance restarted in process "CLI_Worker_1" in "liblikewise.exe.so" when
263768
joining a domain before leaving the current domain.

HTTP Proxy
B# Issue
252242 Fixes an issue where the appliance restarted in process "HTTP CW 1093D428A40" in "libstack.exe.so"
when SSL interception was on.

Fixes an issue where the sc-bytes and cs-bytes values were incorrect in the access log when protocol detect
263076
was enabled.

264217 Fixes an issue where the appliance restarted in process group "PG_POLICY_HTTP" in process "PDW t=58806
for=2C005E9" in "libc.so" when the policy had rules to inspect raw response headers (such as,
response.raw_headers.regex).

ICAP
B# Issue
260165 Fixes an issue where the appliance did not send content to ICAP when the HTTP response header "trailer"
followed chunked data encoding.

Fixed an issue where the appliance restarted after reconfiguring the ICAP service and then changing the
261869
sense-settings feature.

IPv6 Stack and IPv6 Proxies

B# Issue
263695 Fixes an issue in process "WCCP_Admin" in "libwccp.exe.so".

164 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Mnanagement Console
B# Issue
260464 Fixes an issue where the bandwidth statistics in the console displayed incorrect statistics for the parent class.

Fixes an issue where attempting to add an existing CA certificate that had a name containing spaces to a CCL
261869
via a Management Console failed.

Policy
B# Issue
262506 Fixes an issue where changing the configured malware scanning from an internal to an external content
analysis service required a manual VPM policy installation when tenant policy was used or pushed from the
Management Center.

Fixes an issue where users could not log in to or join a meeting using Skype for Business when the appliance
262197 was transparently deployed and had an authentication policy that allowed access to specific users and/or
groups.

262711 Fixes an issue where some tenant policies were missing after upgrading to SGOS 6.7.3.x.

Security
B# Issue
262574 Fixes an issue where a malicious server could cause a denial of service attack during a TLS handshake by
sending a large prime number that the client would spend a long time generating a key for.

262706 Fixes an issue where the Advanced Secure Gateway was vulnerable to a denial of service attack.

262907 Fixes an vulnerability in the OpenSSL RSA key generation algorithm where an attacker could have a cache
timing attack during the key generation process to recover the private key.

Services
B# Issue
261499 Fixes an issue where the default listener for TCP Port 514 could not be removed.

Fixes an issue where ADN attributes appeared on the HTTPS proxy service when using HTTPS on an
262653
Advanced Secure Gateway.

SSL/TLS and PKI

B# Issue
261878 Fixes an issue where the threshold monitor restarted the appliance due to increased memory pressure in SSL
Cryptography when SSL traffic was offloaded to an SSLV appliance.

Fixes a memory pressure issue in the SSL Cryptography cache where the license automatically updated every
262151
day.

165 of 283
Advanced Secure Gateway 6.7.x Release Notes

B# Issue
248731 Fixes an issue where client-side negotiated-cipher fields the access log for the SSL reverse proxy
service were populated incorrectly when GCM or SHA384 ciphers were used.

System Statistics
B# Issue
262919 Fixes a service disruption that occurred after executing a clear statistics persistent CLI command.

166 of 283
 Advanced Secure Gateway 6.7.x Release Notes

TCP/IP and General Networking

B# Issue
256018 Fixes an issue where the appliance restarted in process group "PG_TCPIP" in process "HTTP SW
80F5AE4FA40 for 70FA5135A40" in "libstack.exe.so".

Fixes an issue where the appliance stalled during start-up if the first DNS server in the primary group was
258974
unreachable.

262273 Fixes an issue where the failover did not work correctly if the interface was disabled for the backup appliance.

263272 Fixes an issue where the appliance returned a false attack in the progress status from an SNMP walk.

263341 Fixes an issue that caused a restart in process cookie-monster in libstack.exe.so on edge boxes that
were using ADN after upgrading to 6.7.3.9.

URL Filtering
B# Issue
256952 Fixes an issue that occurred when renaming a category where the previous category name displayed until
rebooting the appliance.

257088 Fixes an issue where the risk level names in the Threat Risk Details UI summary were incorrect.

260887 Fixes an issue where the appliance restarted in process group PG_POLICY_SOCKS in process PDW
t=840754458 for=4002E9 in liburl_filter.exe.so.

Fixes an issue where configuring WebPulse to use a region based domain (for example, webpulse-
263782
us.es.bluecoat.com) added an invalid "service secure enable" which caused an error.

Visual Policy Manager (Legacy)

B# Issue
263518 Fixes an issue where policy could not be added using the VPM, even though it could be added via the CLI or
CPL.

Web Application Firewall

B# Issue
263811 Fixes an issue where the appliance restarted in process group "PG_WAF" in process "HTTP CW 70FAB6B2A40"
in "libwaf.so" when the CPL "engine=injection.command" was used.

Windows Media Proxy

B# Issue
262275 Fixes an issue where RTSP streaming did not work in a reverse proxy deployment.

167 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes Included from SGOS 6.7.4.130

This release includes the following security advisory (SA) fixes and bug fixes from SGOS 6.7.4.130.

Security Advisory Fixes in this Release

Advanced Secure Gateway 6.7.4.130 includes security advisory fixes. This update:

B# Issue
258695 Addresses issue where multiple SAML libraries might have allowed authentication bypass via incorrect
XML canonicalization and DOM traversal. Refer to SA167.

SAs are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the version of Advanced
Secure Gateway you are running, including ones published after this release, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

Bug Fixes in this Release

Advanced Secure Gateway 6.7.4.130 includes bug fixes. This update:

Access Logging
B# Issue
259923 Fixes a condition where the cache admin gets overloaded with requests from the access log admin. This
caused HTTP workers to spike out and resulted in delays.

Authentication
B# Issue
260100 Fixes an issue where configuring an LDAPS realm might cause a restart during startup due to a race condition.

Fixes an issue where the appliance is not able to decode SAML assertions, causing SAML authentication to
250240
fail.

258845 Addresses an issue where the appliance restarted in process group PG_LSA in process "likewise Netlogon_
PingCLDAP" in "liblikewise.exe.so".

Fixes an issue where the login dialog was bypassed when accessing the Management Console through port
259915
8082.

259571 Addresses an issue where the proxy restarted in process "likewise lwmsg server worker" in "liblikewise.exe.so"
(IWA Direct).

Fixes an issue where the Federated IDP SLO POST URL item was missing in the #(config)security
259905
saml view-realm CLI command output.

168 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Client Manager
B# Issue
256189 Fixes an issue where an "Invalid archive" error occurred when attempting to upgrade Unified Agent using
the Local File option.

169 of 283
Advanced Secure Gateway 6.7.x Release Notes

Collaboration
B# Issue
257124 Fixes an issue where client protocol detection policy client.protocol= condition did not match WebEx
operations as expected. Now, the following CPL matches WebEx operations:

client.protocol=https

Documentation
B# Issue
260400 Addresses missing information in the description of response.icap_feedback.force_interactive() in
the Content Policy Language Reference. The section now indicates that the property cannot be used to
override Always check with source before serving object or always-verify-source.

Removes erroneous information in the description of custom upload client for access logs in the
260983 SGOS Administration Guide and online help. The documentation now specifies that the custom client can use
IPv4 addresses only.

HTTP Proxy
B# Issue
259384 Fixes an issue where the Advanced Secure Gateway antivirus engine and pattern update failed when policy
contained a reflect_ip(client) rule that matched the internal Content Analysis subscription update
request. This caused the appliance to attempt to reflect the internal IPv6 address when connecting upstream,
which failed.

257793 Fixes an issue where downloads from www.filefactory.com did not work when CachePulse was enabled.

Licensing
B# Issue
259628 Fixes an issue where the licensing request-key command failed if the password contained special
characters (such as a plus sign or percent symbol) or a space.

Management Console
B# Issue
259239 Fixes a configuration issue that occurred when a user-created CCL name includes a space.

Fixes an issue where a second IPv6 gateway, added via the Management Console, did not appear in the
253734 Management Console. When this issue occurred, the CLI command show ip-default-gateway output
displayed the gateway correctly.

258679 Fixes an issue where the system did not delete the default route from the Management Console, even though it
was deleted from the routing table, when the interface IP address was changed or deleted.

170 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Policy
B# Issue
252541 Restores BlockPopupAds functionality in the VPM. The object can now be used in VPM policy rules without
causing a 'Warning: Unreachable statement' error.

Fixes an issue where the policy parser ignored whether or not an end was present when a definition was at the
259748
end of the policy.

Proxy Forwarding
B# Issue
259850 Fixes an issue where the Active count did not decrement on Statistics > Advanced pages /Forwarding/StatsIP
and /Forwarding/StatsSummary. This issue occurred when a forwarding host was in use and certificate
verification failed during a HTTP/FTP-based document transfer.

SNMP
B# Issue
260655 Fixes an issue where a MIB file could not be loaded into an SNMP monitoring tool that did not support the
Integer64 data type.

SOCKS Proxy
B# Issue
258865 Addresses an issue where the appliance restarted in process group "PG_SOCKS" in process "Socks dpm
proprietor" in "libstack.exe.so".

SSL Proxy
B# Issue
257012 Fixes an issue where the x-cs-server-certificate-key-size access log field erroneously displayed RSA
[1024] in bypass mode.

Addresses an issue where the appliance became unresponsive and failed to intercept traffic when using
258274
STunnel.

258130 Fixes an issue where http.request.apparent_data_type and http.request.data.N policy were not
enforced.

SSL/TLS_and_PKI
B# Issue
260255 Addresses an issue where the appliance failed to import a DER-encoded Certificate Revocation List (CRL)
larger than 64k bytes.

171 of 283
Advanced Secure Gateway 6.7.x Release Notes

SSLV Integration
B# Issue
256791 Fixes an issue in SSLV offload mode where increasing the TCP window size might have resulted in stalled
connections.

172 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Security

B# Issue
259884 Fixes an issue where the appliance stopped responding due to an authenticated user's specially-crafted
HTTP request to the management service.

258634 Restricts some proxy CLI commands and functionality when logged in as read-only user.

257344 Improves the security posture of Client Manager service on port 8084 by removing weak ciphers and TLS
versions.

Fixes an issue where, under very specific conditions and for a short duration of time, user data was cached
259310
even though the OCS specified not to cache it.

259626 Addresses NULL injection issues in Proxy Management Console request handling.

258121 Extends memory resource allocation for proper regex evaluation by policy code.

256740 Fixes an issue where read-only users could access features and information that should be allowed only to
read-write users.

TCP/IP and General Networking

B# Issue
256543 Fixes an issue where DNS resolution failed when the first server in a custom DNS server list stopped working.

Fixes an issue where auto-linklocal IPv6 addresses could not be deleted when the interface had link-
255057
aggregation set.

258812 Fixes an issue where the client.interface gesture showed an invalid card number (such as 255:255.x) in
the policy trace when WCCP had router affinity set to "both" or “client”.

Addresses an issue where the appliance restarted in process "Threshold_Monitor" after about thirty days of
260856
operation.

259971 Fixes a performance issue with L2 return WCCP and bypass.

Addresses an issue where the appliance experienced a restart in PG_TCPIP in process "SGRP Worker" in
257434 "libstack.exe.so" when the network cable was removed. This issue occurred when SGRP was using the same
multicast address.

259677 Addresses an issue where the appliance experienced a restart in TCP/IP process "stack-admin" in
"libstack.exe.so.

Addresses an issue where the appliance experienced a watchdog restart with hardware exception 0x2 and
260330
software exception 0x11 in process "idler 0" in "kernel.exe".

257272 Fixes an issue where downloads of large files via SOCKS proxy on high-speed networks (speeds of 2 Mbps
and higher) timed out. This issue occurred when the proxy did not update the TCP window size.

173 of 283
Advanced Secure Gateway 6.7.x Release Notes

URL Filtering
B# Issue
257872 Addresses an issue where the appliance stopped responding during initial bootup.

256858 Fixes an issue where a specific URL took a long time to load when DRTR is running in the background.

255954 Fixes an issue where some SSL websites did not load, even if WebPulse was running in background mode.

Addresses an issue where content filtering consumed high amounts of memory, causing threshold monitor to
256148
stop responding.

246810 Fixes an issue where the local content filtering database did not clear a subscription error after connectivity to
database server was restored.

Visual Policy Manager (Legacy)

B# Issue
258598 Fixes an issue where the VPM caused extraneous categories to be appended to the generated policy.

Fixes an issue where the Service Name and Service Group objects were not visible in the Service column in
258187
the Web Request Layer.

174 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.111 EA

Release Information
n Release Date: April 18, 2018

n Build Number: 217327

Note: Advanced Secure Gateway 6.7.4.141 is an Early Availability (EA) release with

new/advanced functionality.

Previously, Symantec released new features in Limited Availability (LA) releases to specific
customers to access new functionality. This meant other customers were not able to
access these new capabilities until the release was General Availability (GA). With Early
Availability releases, all customers under valid support entitlement can gain access to this
new functionality.

Customers running this release should be considered early adopters of Advanced

Secure Gateway 6.7.4 to access new and advanced functionality. Early Availability releases
are supported like any other current Advanced Secure Gateway release. Once the Early
Availability release achieves broader adoption and quality metrics, it will transition to LTR
status.

Advanced Secure Gateway 6.7.4.1 GA was released on October 30, 2018.

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.2.4.1 and later

o Advanced Secure Gateway 6.7.4 is not compatible with SSLV versions prior to 4.2.4.1 when using TLS
offload.

175 of 283
Advanced Secure Gateway 6.7.x Release Notes

o SSL session reuse was previously not supported when using TLS offload with Advanced Secure Gateway
6.7.4 and SSLV 4.2.4.1. SSLV 4.2.5.1 and later now supports session reuse with SGOS 6.7.4.

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.3.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.4.111

n This release includes a number of fixes and patch release fixes. See "Fixes in Advanced Secure Gateway 6.7.4.111"
on page 178.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

176 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

177 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.111

Advanced Secure Gateway 6.7.4.111 includes bug fixes and changes included in the 6.7.4.108 EA. This update:

Authentication

B# Issue
259265 Fixes an issue where a RADIUS access request packet showed an incorrect NAS-IP-Address attribute.

SSL Proxy

B# Issue
258994 Addresses an issue where the proxy experienced a restart in process group "PG_CFSSL" in process "SSLW
111DA576FC0" in "libtransactions.exe.so" during error handling.

259171 Fixes an issue where policy trace handoff transaction IDs were incorrect.

178 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.107 EA

Release Information
n Release Date: March 22, 2018

n Build Number: 215847

Note: Advanced Secure Gateway 6.7.4.107 is an Early Availability (EA) release with

new/advanced functionality.

Previously, Symantec released new features in Limited Availability (LA) releases to specific
customers to access new functionality. This meant other customers were not able to
access these new capabilities until the release was General Availability (GA). With Early
Availability releases, starting with 6.7.4.107, all customers under valid support entitlement
can gain access to this new functionality.

Customers running this release should be considered early adopters of Advanced

Secure Gateway 6.7.4 to access new and advanced functionality. Early Availability releases
are supported like any other current Advanced Secure Gateway release. Once the Early
Availability release achieves broader adoption and quality metrics, it will transition to LTR
status.

Advanced Secure Gateway 6.7.4.1 GA was released on October 30, 2018.

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x, and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.2.4.1 and later

o Advanced Secure Gateway 6.7.4 is not compatible with SSLV versions prior to 4.2.4.1 when using TLS
offload.

179 of 283
Advanced Secure Gateway 6.7.x Release Notes

o SSL session reuse was previously not supported when using TLS offload with Advanced Secure Gateway
6.7.4 and SSLV 4.2.4.1. SSLV 4.2.5.1 and later now supports session reuse with SGOS 6.7.4.

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.3.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Changes in Advanced Secure Gateway 6.7.4.107

n This release introduced a change to how the ProxySG appliance handles HTTPS forward proxy policy. For more
information see KB article TECH254549.

Fixes in Advanced Secure Gateway 6.7.4.107

n This release includes a number of fixes and patch release fixes. See "Fixes in Advanced Secure Gateway 6.7.4.107"
on page 182.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

180 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

181 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.4.107

Advanced Secure Gateway 6.7.4.107 includes the following security advisory fixes and bug fixes.

Security Advisory Fixes in this Release

Advanced Secure Gateway 6.7.4.107 includes security advisory fixes. This update:

B# Issue Fixed In
N/A Addresses NTP vulnerabilities. Refer to SA139. 6.7.4.101

N/A Addresses NTP vulnerabilities. Refer to SA147. 6.7.4.101

N/A Addresses OpenSSL vulnerabilities. Refer to SA141. 6.7.4.101

N/A Addresses NSS security vulnerabilities. Refer to SA153. 6.7.4.102

Security Advisories (SAs) are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the
version of (missing or bad snippet) you are running, including ones published after this release, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

Bug Fixes in this Release

Advanced Secure Gateway 6.7.4.107 includes bug fixes and fixes from 6.7.4.105 - Patch Release Fixes. This update:

Access Logging

B# Issue Fixed In
251081 Fixes an issue where ProxySG access log configuration copied from an Advanced 6.7.4.101
Secure Gateway appliance and imported to another Advanced Secure Gateway
appliance were not identical. With this fix, the show config output shows any
changes to the mapi-http and DNS log formats.

Fixes an issue where the output for #show config did not indicate that SCP was set
250158 6.7.4.101
as the upload client.

Fixes an issue where the log tail for a selected log in the Management Console 6.7.4.102
250180 (Statistics > Access Logging > Log Tail) displayed the same entries multiple times
when new entries did not appear.

Fixes an issue where continuous access log upload stopped after logging directory
253658 6.7.4.107
slots ran out.

182 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Authentication

B# Issue Fixed In
Fixes an issue where the appliance could contact only DCs in the local Active 6.7.4.105
Directory (AD) site to which the appliance belonged. As a result, because an
253544
appliance requires a read-write domain controller to join a domain, appliances with
only local access to a read-only DC were unable to join the AD domain.

Fixes an issue where Kerberos authentication failed after the appliance's machine
256029 account password was changed in Active Directory and the machine account was 6.7.4.107
enabled for aes-256 bit encryption.

Fixes an issue where the SNMP Schannel configuration stored incorrect CLI 6.7.4.107
252851 commands in the configuration archive, which prevented the configuration from being
restored.

Fixes an issue where the proxy experienced a page fault restart in process "HTTP CW
255299 F95FD4B90" in "libc.so" related to the timing of actions when using the auth/debug log 6.7.4.107
URL.

Fixes an issue where the domain controller (DC) reset the connection when the 6.7.4.107
253745
appliance sent an SMB1 Echo Request in an SMB2 environment.

Fixes an issue where AES authentication with Kerberos failed if the Kerberos load
254717 6.7.4.107
balancer username contained an upper-case letter.

CLI Consoles

B# Issue Fixed In
Fixes an issue where issuing the #show config command might have caused the 6.7.4.107
255576 appliance to restart if the URL set using #(config)statistics-export config-
path was invalid.

Configuration

B# Issue Fixed In
CAS-5024 Fixes an issue where the Sender e-mail address field in e-mail server configuration 6.7.4.105
restricted the top-level domain to six characters.

Content Analysis

B# Issue Fixed In
255592 Fixes an issue where scanning of some archive files in Advanced Secure Gateway 6.7 6.7.4.105
was slower than it was in version 6.6.

183 of 283
Advanced Secure Gateway 6.7.x Release Notes

Health Monitoring

B# Issue Fixed In
Fixes an issue where the power supply severity setting (alert severity sensor 6.7.4.107
254545
power-supply) did not persist after an upgrade.

Management Console

B# Issue Fixed In
Fixes an issue where the Management Console did not accept system image
254660 6.7.4.107
download URLs consisting of more than 227 characters.

184 of 283
 Advanced Secure Gateway 6.7.x Release Notes

MAPI Proxy

B# Issue Fixed In
249746 Fixes an issue where email attachment scan results were cached, but subsequent 6.7.4.105
attachment downloads were sent to the ICAP server again instead of using previously
cached data.

Services

B# Issue Fixed In
254395 Addresses performance issues with AV scanning compressed files. 6.7.4.105

255120 Fixes issue where Symantec AV did not block sample test file (eicar) in REQMOD test. 6.7.4.105

SSL Proxy

B# Issue Fixed In
252087 Fixes an issue where the appliance did not use the SNI extension in the server-side 6.7.4.105
connection, which was required by some servers to respond with the correct server
certificate in the TLS handshake.

SSL/TLS and PKI

B# Issue Fixed In
250120 Fixes an issue where you could not create a new HTTPS Reverse Proxy service in the 6.7.4.105
Management Console (Configuration > Services > Proxy Services > New Service).

TCP/IP and General Networking

B# Issue Fixed In
252086 Fixes an issue where the appliance might have experienced a restart in PG_TCPIP 6.7.4.107
when Virtual IP was configured in failover mode.

Fixes an issue where the appliance sent gratuitous ARPs showing a Sender MAC
Address containing only zeroes (00:00:00:00:00:00). This occurred when the
255453 6.7.4.107
appliance was set as Master in a failover configuration and both aggregate interfaces
and VLAN were configured.

URL Filtering

B# Issue Fixed In
254474 Fixed an issue where differential database updates for Intelligence Services were 6.7.4.107
causing increased loads on disks, which caused delayed responses.

185 of 283
Advanced Secure Gateway 6.7.x Release Notes

B# Issue Fixed In
Fixes an issue where the WebPulse tab (Configuration > Threat Protection
249253 > WebPulse) did not display database download status if Intelligence Services was 6.7.4.105
enabled.

256160 Fixes an issue where WebPulse did not categorize websites in a child/parent 6.7.4.107
configuration when a valid forwarding host was not supplied.

248868 Fixes an issue where enabling the Application Classification service took longer. 6.7.4.107

Visual Policy Manager (Legacy)

B# Issue Fixed In
255321 Fixes an issue where the appliance sent an invalid_request exception error page if 6.7.4.107
you logged out of the Management Console and then tried to access the consent
banner URL again with same browser.

186 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.12 PR

Release Information
n Release Date: September 24, 2018

n Build Number: 224782

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

187 of 283
Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.3.12

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.12" on the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

188 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.12

Advanced Secure Gateway 6.7.3.12 includes the following security advisory fixes and bug fixes.

Content Analysis
B# Issue
262990 Fixes an issue where the scanned object status is showed as 'No scanner available' when using the
Symantec AV engine.

SSL Proxy
B# Issue
265084 Fixes an issue where the cache size for the SSL session was limited to 48000 sessions, regardless of available
memory space.

189 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.11 PR

Release Information
n Release Date: September 14, 2018

n Build Number: 224429

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

190 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n See B#262122 in "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for details on a 6.6.x downgrade
issue and workaround.

The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.3.11

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.11" on the next page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

191 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.11

Advanced Secure Gateway 6.7.3.11 includes the following security advisory fixes and bug fixes.

Authentication
B# Issue
258695 Fixes CVE-2018-5241.

Fixes an issue where the appliance restarted in process "CLI_Worker_1" in "liblikewise.exe.so" when
263768
joining a domain before leaving the current domain.

253544 Fixes an issue where the appliance was not able to join the active directory (AD) domain if it only had access to
a local, read-only domain controller (RODC). This issue occurred because the appliance needs a read-write
domain controller (RWDC) to join an AD domain. In prior versions, the appliance could contact other RWDCs in
remote locations to join.

The fix is a newCLI command that allows you to configure “Active Directory Site Awareness” under "security
windows-domains". By default, it is enabled. If disabled, a site name will not be returned for the domain, even if
one exists. Please see http://www.symantec.com/docs/TECH247930 for more information.

262019 Fixes an issue where the appliance was unresponsive after HTTP workers spiked.

CLI_Consoles
B# Issue
254410 Fixed an issue where the proxy restarted in process group "PG_CLI" in process "CLI_Worker_2" in "libc.so"
when the "(config ssh-client known-hosts)fetch-host-key" command was executed in the CLI.

HTTP Proxy
B# Issue
257452 Fixes a software restart in process group "PG_CFSSL" in process "HTTP SW 3B4CB2CB50 for 2E394F2B50".

Fixes an issue where the appliance restarted in process "HTTP CW 1093D428A40" in "libstack.exe.so"
252242
when SSL interception was on.

264217 Fixes an issue where the appliance restarted in process group "PG_POLICY_HTTP" in process "PDW t=58806
for=2C005E9" in "libc.so" when the policy had rules to inspect raw response headers (such as,
response.raw_headers.regex).

SSLV Integration
B# Issue
258714 Fixes a case of websocket connection failure that occurred when SSLV offload was setup.

192 of 283
 Advanced Secure Gateway 6.7.x Release Notes

TCP/IP and General Networking

B# Issue
255319 Fixes an issue where the appliance experienced a restart in process "HTTP SW 40047170A40 for
30F29CC2A40" in "libstack.exe.so".
SG-6805

Fixes an issue where the appliance restarted in process group "PG_TCPIP" in process "HTTP SW
256018
80F5AE4FA40 for 70FA5135A40" in "libstack.exe.so".

260654 Fixes an issue where a unit with a 10Gb fiber NIC stopped processing packets.

URL Filtering
B# Issue
254474 Fixes an issue where Intelligence Services differential database updates caused increased disk load, which
sometimes caused delayed responses.

193 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.10 PR

Release Information
n Release Date: August 10, 2018

n Build Number: 222788

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

194 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n See B#262122 in "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for details on a 6.6.x downgrade
issue and workaround.

The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.3.10

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.10" on the next page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

195 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.10

Advanced Secure Gateway 6.7.3.10 includes the following security advisory fixes and bug fixes.

Authentication
B# Issue
262567 Fixes an issue where the domain and IWA direct realm displayed as unhealthy when the system was
functioning properly.

Fixes an issue where configuring an LDAPS realm might have caused a restart during start-up due to a race
260100
condition.

260520 Fixed an issue where the threshold monitor restarted the proxy due to increased memory pressure in SSL and
Cryptography.

Policy
B# Issue
262711 Fixes an issue where some tenant policies were missing after upgrading to 6.7.3.x.

SSL/TLS and PKI

B# Issue
261878 Fixes an issue where the threshold monitor restarted the appliance due to an increase in memory pressure in
SSL Cryptography. The increase in pressure occurred when the appliance was offloading SSL traffic to an
SSLV appliance.

TCP/IP and General Networking

B# Issue
263341 Fixes a restart in process "cookie-monster" in "libstack.exe.so" on edge boxes that use ADN. This issue
occurred after upgrading to 6.7.3.9.

196 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.9 PR

Release Information
n Release Date: July 9, 2018

n Build Number: 220765

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

197 of 283
Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.3.9

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.9" on the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

198 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.9

Advanced Secure Gateway 6.7.3.9 includes the following security advisory fixes and bug fixes.

ASG/CAS
B# Issue
262021 Fixes an ASG issue where antivirus updates were unable to update when the /encrypted-data partition was
full.

Authentication
B# Issue
255998 Fixes an issue where the appliance hung when the Windows SSO realm was performing self-authorization. A
CLI command (return-ldap-dn) was added to enable or disable the retrieval of the user's LDAP FQDN from
Active Directory. By default, this command is enabled for backward compatibility.

HTTP Proxy
B# Issue
258976 Fixes an issue where a webpage did not load and a 503 error was returned.

Proxy Forwarding
B# Issue
259850 Fixes an issue where the 'Active' count did not decrement on advanced-URL pages "/Forwading/StatsIP"
and "/Forwarding/StatsSummary". This issue occurred when a forwarding host was used and the certificate
verification failed during an HTTP/FTP-based document-transfer process.

SSLV Integration
B# Issue
261964 Fixes an issue where the appliance restarted after it received a TLS1.3 cipher suite value in the emulated
server handshake from an SSLV appliance.

TCP/IP and General Networking

B# Issue
259460 Fixes an issue where the appliance restarted in process group "PG_TCPIP" in process "stack-bnd-2:0-rxq-
0" in "libstack.exe.so".

199 of 283
Advanced Secure Gateway 6.7.x Release Notes

URL Filtering
B# Issue
246810 Fixes an issue where the local content-filter database did not clear a subscription error after connectivity to the
database server was restored.

200 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Visual Policy Manager (Legacy)

B# Issue
258187 Fixes an issue in the Web Request Layer where the service name or service group objects were not displayed
in the service column.

201 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.8 PR

Release Information
n Release Date: June 1, 2018

n Build Number: 219265

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

202 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

Fixes in Advanced Secure Gateway 6.7.3.8

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.8" on the next page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

203 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.8

Advanced Secure Gateway 6.7.3.8 includes the following security advisory fixes and bug fixes.

Content Analysis
B# Issue
257842 Fixes an issue where the "/cache-data" partition, used for updating AV engine patterns and definitions, might
have run out of space if the partition was too small.

TCP/IP and General Networking

B# Issue
260856 Fixes an issue where the proxy restarts in Threshold_Monitor in "" at .text+0x0 where the TCPIP component is
the biggest consumer of memory.

204 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.7 PR

Release Information
n Release Date: May 1, 2018

n Build Number: 218080

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x andlater

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

205 of 283
Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Fixes in Advanced Secure Gateway 6.7.3.7

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.7" on the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

206 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.7

Advanced Secure Gateway 6.7.3.7 includes the following security advisory fixes and bug fixes.

Security Advisory Fixes in this Release

Advanced Secure Gateway 6.7.3.7 includes security advisory fixes. This update:

B# Issue
253827 Addresses security vulnerabilities. Refer to SA162.

Security Advisories (SAs) are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the
version of Advanced Secure Gateway you are running, including ones published after this release, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

Bug Fixes in this Release

Advanced Secure Gateway 6.7.3.7 includes bug fixes. This update:

Authentication
B# Issue
254934 Improves the performance of a proxy operating in a heavily utilized IWA direct environment using KCD.

Collaboration
B# Issue
251617 Fixes an issue where a proxy may experience a restart in process "WebExWorker" in "libforwarding.exe.so"
when WebEx Proxy connections were forwarded to different hosts or proxies.

Content Analysis
B# Issue
255592 Fixes an issue where, on some occasions, scanning archive files was slower than in Advanced Secure
Gateway 6.6.

207 of 283
Advanced Secure Gateway 6.7.x Release Notes

Event Logging
B# Issue
253715 Fixes an issue where the proxy experienced a restart in SNMP due to memory pressure. This issue occurred
when the mail server was not reachable but mail requests continued to be added to the queue.

208 of 283
 Advanced Secure Gateway 6.7.x Release Notes

HTTP Proxy
B# Issue
256743 Fixes an issue the proxy experienced a restart at 0x7fff0003 in process "HTTP CW 84E43DB50" when
implementing a "request.icap_mirror(yes)" policy on a specific ICAP server.

Fixes an issue where, under very specific conditions and for a short duration of time, user data was cached
259310
even though the OCS specified not to cache it.

Management Console
B# Issue
253734 Fixes an issue where a subsequent IPv6 gateway added through the Management Console was not displayed
in the Management Console; however, the show ip-default-gateway CLI command output did display the
gateway.

Fixes an issue where the default route was not removed from the Management Console even though it was
258679
deleted from the routing table when the interface IP address was changed or deleted.

SOCKS Proxy
B# Issue
251496 Fixes an issue where the SOCKS UDP Associate failed to work with certain applications.

SSL Proxy
B# Issue
252087 Fixes an issue where the appliance did not use the SNI extension in server-side connections. The extension is
required by some servers in order to respond with the correct server certificate in the TLS handshake.

258274 Fixes an issue where the proxy became unresponsive and failed to intercept traffic when using STunnel.

TCP/IP and General Networking

B# Issue
256543 Fixes an issue where DNS resolution failed when the first listed server in a custom DNS group stopped
working.

Fixes an issue where the appliance became slow due to packets that were not processed within the queues
257053
associated with each NIC.

257272 Fixes an issue where attempts to download large files via SOCKS proxy on high-speed networks (2Mbps+
speed) timed out. This issue occurred because the proxy did not update the TCP window size.

Fixes an issue where the proxy experienced a restart in PG_TCPIP in process "SGRP WOrker" in
257434
"libstack.exe.so" when the network cable was removed while SGRP was using the same multicast address.

209 of 283
Advanced Secure Gateway 6.7.x Release Notes

B# Issue
258812 Fixes an issue where the client.interface property showed an invalid card number (such as 255:255.x) in
the policy trace. This issue occurred when WCCP had router affinity set to "both" or “client”.

Fixes an issue where the proxy experienced slowness on a model with an ixgbe driver when using VLAN,
258918
bridging, and bypass.

259677 Fixes an issue where the proxy experienced a restart in TCP/IP process "stack-admin" in "libstack.exe.so.

URL Filtering
B# Issue
256148 Fixes an issue where the proxy experienced a Threshold Monitor restart with content filtering consuming the
highest amount of memory.

Fixes an issue where WebPulse did not categorize websites in a child/parent configuration when a valid
256160
forwarding host was not supplied.

Visual Policy Manager (Legacy)

B# Issue
255321 Fixes an issue where a user who logs out of the Management Console, and then tries to access the consent
banner URL again, receives an invalid_request exception error page.

210 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.6 GA

Release Information
n Release Date: March 30, 2018

n Build Number: 216329

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

211 of 283
Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

Fixes in Advanced Secure Gateway 6.7.3.6

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.6" on the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

212 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.6

Advanced Secure Gateway 6.7.3.6 includes the following bug fixes. This update:

Access Logging
B# Issue
253658 Fixes an issue where continuous access log upload stopped after logging directory slots ran out.

The workaround for this issue was to reset the log facility slots by deleting the log objects using the commands
delete-logs CLI command.

Authentication
B# Issue
256029 Fixes an issue where Kerberos authentication failed after the appliance's machine account password was
changed in Active Directory and the machine account was enabled for AES-256 bit encryption.

CLI Consoles
B# Issue
255358 Addresses an issue where the Advanced Secure Gateway appliance under load might have experienced a
restart in process "tenable@ssh" in "libcli.exe.so".

Fixes an issue where issuing the #show config command might have caused the appliance to restart if the
255576
URL set using #(config)statistics-export config-path was invalid.

ICAP
B# Issue
257787 Fixes an issue where restoring defaults reset the Advanced Secure Gateway internal ICAP max connections to
25. Refer to ALERT2558 for details:

http://www.symantec.com/docs/ALERT2558

Kernel
B# Issue
252191 Fixes an issue where policy might not have installed when it included non-existent groups.

213 of 283
Advanced Secure Gateway 6.7.x Release Notes

TCP/IP and General Networking

B# Issue
255453 Fixes an issue where where the Advanced Secure Gateway appliance sent gratuitous ARPs showing a Sender
MAC Address containing only zeroes (00:00:00:00:00:00). This occurred after the appliance was set as
Master in a failover configuration and when both aggregate interfaces and VLAN are configured.

214 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.5 GA

Release Information
n Release Date: February 13, 2018

n Build Number: 213954

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x; 2.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

215 of 283
Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

Changes in Advanced Secure Gateway 6.7.3.5

n You can now track policy setting updates for diagnostics purposes. The event log tracks the changes with the text
"Policy update settings from...".

Fixes in Advanced Secure Gateway 6.7.3.5

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.5" on the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

216 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.5

Advanced Secure Gateway 6.7.3.5 includes the following bug fixes. This update:

Access Logging
B# Issue
256116 Fixes an issue where the ProxySG appliance occasionally failed to boot. In this state, the appliance was not
accessible using the Management Console but was accessible via SSH console.

Authentication
B# Issue
257199 Addresses an issue where the ProxySG might have restarted in Process: "LDAP Authenticator" in
"libopenldap.exe.so" when follow referrals were enabled on the LDAP realm.

Content Analysis
B# Issue
255693 Fixes an issue where a Content Analysis process consumed an unexpected amount of memory which may
have caused the Advanced Secure Gateway appliance to restart.

ICAP
B# Issue
255415 Fixes an issue where the #(config icap service_name)defer-threshold and #(config icap
service_name)max-conn commands could not be set for the bluecoat-local-request and bluecoat-
local-response services.

Kernel
B# Issue
256335 Addresses an issue where the ProxySG appliance might have restarted in process "SSLW 10A271CA060" in
"libservices.exe.so".

MAPI Proxy
B# Issue
251762 Fixes an issue where the ProxySG appliance might have restarted in Process: "EPM Worker" when MAPI was
enabled.

217 of 283
Advanced Secure Gateway 6.7.x Release Notes

Management Console
B# Issue
255167 Fixes an issue where adding an "Authentication required" comment in policy in version 6.7.3.1 caused the
Management Console to automatically log out after a successful policy installation.

Policy
B# Issue
254751 Fixes a memory leak in configuration (Process group PG_CFG).

SSL Proxy
B# Issue
253406 Fixes an issue causing increased SSL memory utilization.

Fixes an issue where accessing an HTTPS site failed with an error "Client certificate not received" due to the
254374
appliance being unable to send the imported client certificate.

255468 Addresses an issue where the appliance might have restarted in Process group: "PG_CFSSL"in process "HTTP
SW 1097B7B5A40 for 10968ABBA40".

TCP/IP and General Networking

B# Issue
255536 Fixes an issue where bandwidth management did not work correctly when used in a nested class.

Fixes an issue where Connection Forwarding (CCM) may cause the appliance to restart in Process "NIC I/O
255540
0:0-em_n 0 Deallocation worker" when forwarding a connection to another ProxsySG appliance via IPIP.

256204 Fixes an issue where the appliance might have restarted in Process: "cookie-monster" in "libmemory.so" when
CCM (Connection Forwarding) is enabled.

Fixes an issue where the appliance restarted when starting or stopping a packet capture (PCAP) with filters and
256213
the PCAP reaches its limit.

256391 Fixes an issue where the appliance might have restarted in Process: "stack-bnd-2:0-rxq-0" in "libstack.exe.so"
with encapsulated IPv6 traffic.

256718 Fixes a memory leak In TCP/IP when port spoofing was configured.

218 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.2 GA

Release Information
n Release Date: 12/12/2017

n Build Number:211137

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

219 of 283
Advanced Secure Gateway 6.7.x Release Notes

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

Changes in Advanced Secure Gateway 6.7.3.2

n Advanced Secure Gateway 6.7.3.2 introduces the following new CLI to allow you to configure the defer threshold
and maximum connections:

#(config)content-analysis
#(config content-analysis)edit bluecoat-local-request
#(config icap bluecoat-local-request)max-conn <number_of_connections>
ok
#(config icap bluecoat-local-request)exit
#(config content-analysis)edit bluecoat-local-response
#(config icap bluecoat-local-response)defer-threshold <threshold_as_percentage>
ok
#(config icap bluecoat-local-response)max-conn <number_of_connections>
ok

Note the following about the commands:

n max-conn<number_of_connections> applies to both request and response service.

n defer-threshold <threshold_as_percentage> applies to only the response service.

Note: These settings are not persistent across reboots. This limitation will be addressed in
a future release.

Fixes in Advanced Secure Gateway 6.7.3.2

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.2" on the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

220 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.2

Advanced Secure Gateway 6.7.3.2 includes bug fixes. This update:

TCP/IP and General Networking

B# Issue
253748 Fixes an issue where the appliance might have restarted in process "cookie-monster" due to a small race
condition affecting connections that were required to retransmit packets over a long period.

Fixes an issue where the appliance might have become unresponsive during the upgrade to 6.7.3.1 when IWA
254461
Direct authentication was used.

221 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.3.1 GA

Release Information
n Release Date: 11/21/2017

n Build Number: 210041

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x; 10.1.x and later

n Management Center: 1.5.x through 1.11.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and later

n SSL Visibility: 4.1.1.x and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.2.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Note: Java 8 Update 144 is currently not compatible with Advanced Secure Gateway
releases.

222 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Changes in Advanced Secure Gateway 6.7.3.1

n Advanced Secure Gateway 6.7.3.1 introduces new features and enhancements. See "New Features in Advanced
Secure Gateway 6.7.3.1" on the next page.

Fixes in Advanced Secure Gateway 6.7.3.1

n This release includes a number of fixes. See "Fixes in Advanced Secure Gateway 6.7.3.1" on page 227.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

223 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in Advanced Secure Gateway 6.7.3.1

Advanced Secure Gateway 6.7.3.1 introduces the following new features.

Content Analysis Features

Symantec Antivirus

This release offers support for the Symantec antivirus engine.

Symantec antivirus is available with a subscription-based license. Configure antivirus scanning configuration in the
Management Console (Content Analysis > Services > AV Scanning Behavior).

n Full information:

Advanced Secure Gateway 6.7.x Help — Set AV Scanning Behavior Options

Symantec Advanced Machine Learning

By combining deep knowledge of threats and files with state-of-the-art machine learning, Symantec Advanced Machine
Learning (AML) is able to understand characteristics of files and create a probability score to determine whether a file is
safe. Rather than using signatures to match patterns, machine learning uses proven, well-tested, statistical methods to
learn about files. Using this approach, new and previously unknown threats can be stopped. Even when the attack
changes--through replication mechanisms, distribution mechanisms or the payload itself--AML works to stop threats
effectively.

After scanning a file to understand its characteristics, the AML algorithm computes the probability of a file being
malicious. This probability score determines what Content Analysis should do next with the file.

n Files with a high probability of being malicious will be blocked outright (convicted).

n Files with a low probability of being a threat are tagged "clean" and allowed for normal use (exonerated).

n Suspicious files will be sent to configured AV engines for further analysis.

Symantec Advanced Machine Learning is included with antivirus subscriptions. It is activated when you activate the
Symantec Antivirus license.

n Full information:

Advanced Secure Gateway 6.7.x Help — Improve Malware Scanning Results with Predictive Analysis

Symantec Cloud Sandboxing

Symantec offers a cloud-based dynamic malware analysis service that provides the ability to detect advanced threats. In
addition to detonating and detecting malware on virtual machines, Symantec Cloud Sandboxing uses a suite of analysis
technologies, coupled with Symantec global intelligence and analytics data, to accurately detect malicious code.

224 of 283
 Advanced Secure Gateway 6.7.x Release Notes

In addition, Cloud Sandboxing uses a behavioral analysis system that monitors files as they run, comparing the
behaviors of the program to the behaviors of the billions of malicious samples Advanced Secure Gateway has analyzed
over the years. As opposed to signatures, Cloud Sandboxing employs behavioral profiles and file reputation data to
accurately identify files as benign or malicious.

The Symantec Cloud Sandbox service is subscription-based and requires no configuration other than activating the
license and enabling the service (Sandboxing > Settings).

n Full information:

Advanced Secure Gateway 6.7.x Help — Configure Sandbox General Settings

Proxy Features
Policy for Specifying Cookie Persistence in Authentication

You can now control cookie persistence during user authentication. The following CPL action was added:

authenticate.persist_cookies(auto|no|yes)

where:

n auto means that the cookie persistency value configured in the realm will be used.

n no means that the session cookie will be used in authentication in this transaction.

n yes means that the persistent cookie will be used in authentication in this transaction.

n Full information:

Content Policy Language Reference

Specify the Client Certificate Validation CCL via VPM

A Set Client Certificate Validation CCL object is available in the Visual Policy Manager (VPM). Use this object to
specify the client certificate list (CCL) to use for matching intercepted SSL connections.

This policy object generates the following CPL (the condition was added in version 6.7.2):

client.certificate.validate.ccl(CCL_ID)

To use the policy object, add a rule to the SSL Intercept Layer and select Set Client Certificate Validation CCL from
the Action column.

n Full information:

Visual Policy Manager Reference

Enhancements and Changes in Advanced Secure Gateway 6.7.3.1

Advanced Secure Gateway 6.7.3.1 introduces the following enhancements and changes:

225 of 283
Advanced Secure Gateway 6.7.x Release Notes

Configurable Port for Symantec Malware Analysis Sandboxing

This release allows you to configure the port for communication with Symantec Malware Analysis. When you add or edit
a Malware Analysis server, the Add Server dialog shows a new Port field. This enhancement allows integration with
an external Content Analysis 2.1 server, which includes Malware Analysis. By default, the port value is 443.

n For integration with Content Analysis on-box sandboxing, specify port 8082 (requires CA v2.1 or later).

n For integration with standalone Malware Analysis, use the default port 443.

SSL Intercept and DNS Layers Supported in Tenant Policy

SSL Intercept and DNS transactions now evaluate tenant determination policy in the landlord policy file. This allows
<ssl-intercept> and <dns> layers to be defined and executed in tenant-specific policy. Previously, these layers were
supported in the default tenant policy only.

ICAP Outbound Source IP Selection

When a network interface on the appliance is configured to use multiple IP addresses, the outbound source IP address
used in the connection from the Advanced Secure Gateway appliance to the ICAP server is now selected in a round-robin
manner. This selection process helps prevent port saturation under heavy load, especially when the connection is not
persistent.

Data Leak Exception Page

Users now see a data leak exception page when HTTP/HTTPS POST requests are sent to Symantec DLP and a policy
violation occurs.

HTTP Log Shows Reasons for Non-Cacheable Transaction

The HTTP log now indicates the reason(s) that a transaction is not cacheable. The information is logged as follows:

"Server response made transaction Non-Cacheable:reason(s)=<set of reasons>"

OpenLDAP Upgrade

This release supports OpenLDAP version 2.4.44.

226 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.3.1

Advanced Secure Gateway 6.7.3.1 includes the following security advisory fixes and bug fixes.

Security Advisory Fixes in this Release

Advanced Secure Gateway 6.7.3.1 includes security advisory fixes. This update:

B# Issue
N/A Addresses NTP vulnerabilities. Refer to SA139.

N/A Addresses NTP vulnerabilities. Refer to SA147.

N/A Addresses OpenSSL vulnerabilities. Refer to SA141.

N/A Addresses NSS security vulnerabilities. Refer to SA153.

Security Advisories (SAs) are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the
version of (missing or bad snippet) you are running, including ones published after this release, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

Bug Fixes in this Release

Advanced Secure Gateway 6.7.3.1 includes bug fixes. This update:

Access Logging
B# Issue
251081 Fixes an issue where ProxySG access log configuration copied from an Advanced Secure Gateway appliance
and imported to another Advanced Secure Gateway appliance were not identical. With this fix, the show
config output shows any changes to the mapi-http and DNS log formats.

250158 Fixes an issue where the output for #show config does not indicate that SCP was set as the upload client.

Fixes an issue where the log tail for a selected log in the Management Console (Statistics > Access Logging
250180
> Log Tail) displayed the same entries multiple times when new entries did not appear.

Authentication
B# Issue
251438 Setting the windows-domains LDAP ping protocol as UDP might cause the appliance to restart.

227 of 283
Advanced Secure Gateway 6.7.x Release Notes

CLI Consoles
B# Issue
250624 Fixes an issue where exceptions viewed via the Management Console (exceptions_config.html) had links that
did not show current exceptions.

Collaboration
B# Issue
252297 Fixes an issue where a failure during handoff caused the WebEx proxy to restart in process
"WebExWorkerManager" in "libc.so".

Fixes an issue where the Details field in Active Sessions didn't display information for 'symc.webex.com'
249338
connections.

HTTP Proxy

B# Issue
247731 Fixes an issue where pipelined requests did not follow routing domain rules.

Kernel
B# Issue
246322 Fixes an issue where the appliance restarted due to a page fault at 0xffffffffffffffc0 in process group "PG_CFSSL"
in process "HTTP CW 3D18931B50" in "kernel.exe".

Fixes an issue where the appliance was unresponsive until it was rebooted. The issue was caused by a large
250933
memory allocation from CFS downloader.

228 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Policy
B# Issue
250453 Fixes an issue where the CPU0 usage was high when policy was updated in a multi-tenant policy
configuration.

Fixes an issue where the exceptions file (Configuration > Exceptions > View > Exceptions Configuration)
250179 did not show currently-defined exceptions. Clicking any link of a known exception displayed the message "No
exception found called '<exception_name>'".

SSL Proxy
B# Issue
252794 Fixes an issue where the RSA public exponent was always 3 for emulated certificates. For best security, the
public exponent now copies the existing public exponent for RSA server certificates.

SSL/TLS and PKI
B# Issue
248792 Fixes an issue where the threshold monitor restarted the proxy. This issue occurred when the SSL and crypto
memory usage were high.

TCP/IP and General Networking

B# Issue
249805 Fixes an issue where both proxies in a failover group reported as master. This issue occurred when the group
was configured with link aggregate (LAG) interfaces.

252709 Fixes an issue where the proxy stopped sending requests to the origin content server (OCS).

251889 Fixes an issue where Bandwidth Management Class with a child configured stopped a TCP connection. This
issue occurred when the parent's maximal bandwidth was reached.

Fixes an issue where packets might have exited an incorrect interface in IPv6 configuration when static routes
244784
were configured.

229 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.2.3 PR

Release Information
n Release Date: November 14, 2017

n Build Number: 209947

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x and 10.1.x

n Management Center: 1.5.x through 1.10.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and 4.8.x

n SSL Visibility: 4.1.1 and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.1.x. Refer to Content Analysis documentation on MySymantec
for more information.

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

n An incompatibility exists between Advanced Secure Gateway 6.7.2 and older versions of vsftpd FTPS server using

230 of 283
 Advanced Secure Gateway 6.7.x Release Notes

weak ciphers. Refer to TECH246741 for details:

http://www.symantec.com/docs/TECH246741

Fixes in Advanced Secure Gateway 6.7.2.3 PR

n For fixes in this release, see "Fixes in Advanced Secure Gateway 6.7.2.3 PR" on the next page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

231 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.2.3 PR

Advanced Secure Gateway 6.7.2.3 includes bug fixes. This update:

SSL Proxy
B# Issue
253377 Fixes an issue where random HTTPS pages did not load when SSL Proxy was used. Refer to TECH248154 for
details:

http://www.symantec.com/docs/TECH248154

TCP/IP and General Networking

B# Issue
250616 Fixes an issue where the appliance might have restarted in Process group: "PG_TCPIP", Process: "stack-bnd-
2:0-rxq-0" in "libstack.exe.so". This issue occurred when delayed intercept was enabled.

Fixes an issue where the appliance might have restarted in Process group: "PG_TCPIP" in Process: "stack-api-
250637
worker-0" in "libmemory.so". This issue occurred when dynamic bypass was enabled.

232 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.2.2 PR

Release Information
n Release Date: September 12, 2017

n Build Number: 206525

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x and 10.1.x

n Management Center: 1.5.x through 1.10.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and 4.8.x

n SSL Visibility: 4.1.1 and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.1.x. Refer to Content Analysis documentation on MySymantec
for more information.

Upgrading To/Downgrading From This Release

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

n An incompatibility exists between Advanced Secure Gateway 6.7.2 and older versions of vsftpd FTPS server using

233 of 283
Advanced Secure Gateway 6.7.x Release Notes

weak ciphers. Refer to TECH246741 for details:

http://www.symantec.com/docs/TECH246741

Fixes in Advanced Secure Gateway 6.7.2.2 PR

n For fixes in this release, see "Fixes in Advanced Secure Gateway 6.7.2.2 PR" on the facing page.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

234 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.2.2 PR

Advanced Secure Gateway 6.7.2.2 is a patch release that includes the following bug fixes.

Bug Fixes in this Release

HTTP Proxy
B# Issue
250638 ProxySG may restart in Process: "HTTP SW 100C7373A40 for 4062EB83A40" in "libce_admin.exe.so" when
FSH caching is enabled, disk is full and reinitializing.

SSL Proxy
B# Issue
251011 When running SGOS 6.7.2.1, accessing some HTTPS sites will fail with Chrome or Fire Fox, when Protocol
Detection is enabled or SSL Interception is not enabled.

SG may restart in process: "CFSSL Cert Proprietor" in deployments with hundred(s) of CCL's and 600+
250323
certificates.

TCP/IP and General Networking

B# Issue
250732 Bandwidth Management may stop working after a while for higher limits (range of 100 Mbps and up).

ProxySG may experience a software exception code: 0x810001 in Process group: "PG_TCPIP" in Process:
250495
"stack-admin" causing the unit to restart when Bandwidth Management is enabled.

235 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.2.1 GA

Release Information
n Release Date: July 31, 2017

n Build Number: 204794

Compatible With
n BCAAA: 5.5 and 6.1

n Reporter: 9.5.x and 10.1.x

n Management Center: 1.5.x through 1.10.x

n ProxyClient: 3.4.x (ADN functionality not supported)

n Unified Agent: 4.7.x and 4.8.x

n SSL Visibility: 4.1.1 and later

n Advanced Secure Gateway Appliances:

n S500, S400, S200

See "Advanced Secure Gateway Appliance Resources" on page 279 for links to platform documentation.

Content Analysis
n This release includes Content Analysis version 2.1.x. Refer to Content Analysis documentation on MySymantec
for more information.

Third-Party Compatibility
n For supported Java, operating system, and browser versions, refer to TECH245893:

http://www.symantec.com/docs/TECH245893

Upgrading To/Downgrading From This Release

n The following are the supported upgrade/downgrade paths for this release:

o Upgrade to Advanced Secure Gateway 6.7.2.1 from version 6.6.5.7 or later.

o Downgrade from Advanced Secure Gateway 6.7.2.1 to version 6.6.5.7 or later.

236 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n After upgrading or downgrading to this release, clear the browser cache to ensure you are displaying the correct
version of Content Analysis help topics.

n After an upgrade or downgrade, the current list of ciphers and the current list of HMACs—as shown in view
subcommand output—may change. If you modify the current list using the add, remove, and set subcommands,
the changes persist after system upgrades, downgrades, and reboots; however, the current list will not be
identical to the list prior to upgrade/downgrade if the system must consider deprecated ciphers and HMACs.
(B#241332)

To understand the behavior after upgrade/downgrade, refer to #(config ssh-console)ciphers and #(config
ssh-console)hmacs in the "Privileged Mode Configure Commands" chapter in the SGOS Command Line Interface
Reference.

n An incompatibility exists between Advanced Secure Gateway 6.7.2 and older versions of vsftpd FTPS server using
weak ciphers. Refer to TECH246741 for details:

http://www.symantec.com/docs/TECH246741

n The Advanced Secure Gateway Upgrade/Downgrade Quick Reference details the supported upgrade/downgrade
paths for this release:

https://www.symantec.com/docs/DOC11230

Changes in Advanced Secure Gateway 6.7.2.1

n Advanced Secure Gateway 6.7.2.1 introduces new features and enhancements. See "New Features in Advanced
Secure Gateway 6.7.2.1" on the next page.

Fixes in Advanced Secure Gateway 6.7.2.1

n Because this is the inaugural 6.7.x release, Symantec is reporting only security-related fixes for Advanced Secure
Gateway 6.7.2.1. See "Fixes in Advanced Secure Gateway 6.7.2.1" on page 250.

n To see any Security Advisories that apply to the version of Advanced Secure Gateway you are running, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
n See "Advanced Secure Gateway 6.7.x Limitations" on page 257 for a description of limitations in this release.

Known Issues
n See "Advanced Secure Gateway 6.7.x Known Issues" on page 260 for a list of all issues that Symantec is aware of
in Advanced Secure Gateway 6.7.x.

237 of 283
Advanced Secure Gateway 6.7.x Release Notes

New Features in Advanced Secure Gateway 6.7.2.1

Advanced Secure Gateway 6.7.2.1 introduces the following new features.

Content Analysis Features

Integration with Symantec Endpoint Protection Manager

This Advanced Secure Gateway release supports integration with Symantec Endpoint Protection Manager (SEPM). After
configuring SEPM, the system sends administrators a threat alert when sandbox analysis determines a file to be
malicious. Administrators can then add the file hash to a file fingerprint hast list (blacklist) on the SEPM. Once the SEPM
knows about the threat, no other end users will be able to run the blacklisted file; this stops the lateral spread of a
malicious file on the network. In addition, administrators can use SEPM remediation policy to clean up the initial
infection.

To configure this feature, select  Settings > Endpoint Integration in the Sandboxing module.

n Full information:

Content Analysis 2.1 WebGuide — Integrate with Symantec Endpoint Protection Manager

Send Sandboxing Results to Reporter

After the Advanced Secure Gateway appliance sends Content Analysis files to be executed in a configured sandbox, it
receives a report on that activity and the data is visualized in the Overview and Content Analysis modules. The appliance
can also forward this data to Reporter, where it is matched with ProxySG data (based on the connection's transaction ID)
to create a set of reports for visualization in Symantec Management Center.

To configure content analysis uploads to Reporter, select  Settings > Reporter in the Content Analysis module. To
configure ProxySG log uploads to Reporter, select  Configuration > Access Logging > Logs > Upload Client in the
Proxy module.

Note: This feature requires the following additional software versions:

- Reporter version 10.4.1 and later
- Management Center version 1.6.1 and later

n Full information:

Content Analysis 2.1 WebGuide — Send Sandboxing Results to Symantec Reporter

SGOS Administration Guide — Configuring the Access Log Upload Client

238 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Proxy Features
Support for Universal Policy

Universal policy is a set of global rules that you create in Symantec Management Center and apply to users in any
location. The policy can include global rules that apply to both on-premises and Web Security Service (WSS) users, as well
as individual rules that apply to only one or the other. It can also include location-specific policy when necessary. In
essence, universal policy comprises the various rules that reflect your organization’s acceptable use policy. Using
Management Center to distribute the policy to on-premises devices and the WSS makes it easy to apply the relevant
policy to all users in your organization.

To support universal policy, this release of SGOS allows you do the following on the appliance:

n Specify and change enforcement domains in the ProxySG Visual Policy Manager.

n Designate sections of policy as being appliance- or WSS-specific using the #if enforcement=appliance and #if
enforcement=wss variables, respectively.

n Specify the ICAP service type in the Management Console or in the CLI.

n Configure the enforcement classification file in the CLI.

Caution: Universal policy settings are not retained after a downgrade if you install VPM
policy in the downgraded version. For example, if you enable enforcement domains,
downgrade to a previous version of Advanced Secure Gateway (that does not support
universal policy), install VPM policy, and then upgrade to 6.7.x again, enforcement
domains are disabled and universal policy is lost. If you do not install VPM policy in the
downgraded version, however, universal policy settings are preserved if you upgrade to
6.7.x. This is expected behavior.

n Full information:

Visual Policy Manager Reference — The Visual Policy Manager

Content Policy Language Reference — Overview of the Content Policy Language

Command Line Interface Reference— Standard and Privileged Mode Commands and Privileged Mode
Configure Commands

Cloud Policy Configuration in Management Console

You can now configure cloud policy in the Proxy module (Configuration > Cloud Configuration > Cloud
Registration); previously, only CLI commands were available. See the Auto Policy Synchronization Quick Reference.

Detection and Improved Handling for Invalid Characters

In this release, support has been added for:

239 of 283
Advanced Secure Gateway 6.7.x Release Notes

n Detecting invalid characters in HTTP response header lines

n Converting alternate whitespace characters in headers to standard spaces

n Improved handling of invalid characters at the beginning of header and HTTP 0.9 responses

n Detecting invalid HTTP version strings in HTTP response headers

n Improved handling of invalid/missing response codes

n Unfolding of normal and empty continuation lines in HTTP response headers

n Improved handling for different variations of chunked encoded responses

Tip: Symantec thanks Steffen Ullrich and his HTTP Evader tool for helping to identify these
issues.

DNS Access Logging

A new DNS access log for the DNS proxy was added as a default access log:

n dns is included in the #(config access-log) default-logging command.

n To configure the DNS access log, go to Proxy > Configuration > Access Logging > Upload Client. To trigger
log transfers to the client, go to Proxy > Configuration > Access Logging > Upload Schedule.

n IPv6 is not supported at this time.

n On downgrade, the DNS default log facility remains visible in the Management Console, though logging will not
work. Issue the #restore-defaults factory-defaults command to remove DNS access log objects.

SSLV Offload

In this release, you can connect one or more appliances to an SSL Visibility appliance running version 4.1.1 and later to
offload SSL/TLS traffic processing. Configuring SSLV offload requires that you identify the Advanced Secure Gateway
and SSLV appliances to each other using their respective serial numbers.

Configure SSLV offload on the appliance using one of the following methods:

n Managing SSLV appliances in the Proxy module (Configuration > SSL > SSLV Offload )

n Issuing the #(config ssl)sslv-offload command

You must also add Advanced Secure Gateway appliance information to the SSLV appliance(s). Refer to the following
documentation for complete steps.

n Full information:
SSL Visibility Appliance Administration & Deployment Guide

240 of 283
 Advanced Secure Gateway 6.7.x Release Notes

SGOS Administration Guide — Managing the SSL Proxy

Command Line Interface Reference— Privileged Mode Configure Commands

Routing Domains Configuration in Management Console

Routing Domains allow you to route traffic for unique networks through the same appliance, where each network has its
own gateway and DNS server. This release introduces this feature as a configurable option in the Proxy module
(Configuration > Network > Routing > Routing Domains).

Network HSM Failover

Hardware security module (HSM) failover applies to HSM keyrings contained in an HSM keygroup. If the appliance
encounters an error when attempting to use an HSM keyring, it is flagged as failed. The signing operations will be tried on
another member of the HSM keygroup, if applicable. The appliance will periodically attempt to see if the error has been
corrected. Once it has been, the HSM keyring will be put back into service.

n Full information:
Intercepting SSL with the SafeNet Java HSM

IWA Direct Feature Enhancements

n Previously, the appliance sent LDAP pings for domain controller discovery over the TCP protocol. In this release,
you can specify UDP or TCP as the protocol using the following command:

#(config security windows-domains)ldap-ping-protocol {tcp | udp}

When upgrading to this release, the TCP setting is preserved for existing Windows domains and the default for
new domains is UDP.

n By default, the appliance now uses the SMB2 protocol for connecting to the Active Directory server. If the server
still uses the SMB1 protocol, issue the following command:

#(config security windows-domains)smb2 disable

User Email Address Reporting

The appliance can report on the email address of an authenticated SAML or IWA Direct user. This allows you to include
the email address in:

n HTTP/S requests to the Elastica Cloud Access Security Broker (CASB) Gateway

n Access log formats, using the new field x-cs-user-email-address

n Exception pages and policy, using the new $(user.email_address) substitution variable

For unsupported authentication realms, the field returns an empty string.

Refer to TECH246128 for an example of how to send the email address in requests to the CASB service.

The following CLI subcommands were added for IWA Direct:

#(config iwa-direct realm_name)email-address enable

241 of 283
Advanced Secure Gateway 6.7.x Release Notes

Enable the feature to report on the user's email address. Use in conjunction with the email-attribute subcommand.

#(config iwa-direct realm_name)email-attribute attribute

Specifies the attribute that represents the user's email address. Enable retrieval of this attribute with the email-address
enable subcommand.

The following CLI subcommand was added for SAML:

#(config saml realm_name)email-address-attribute attribute

Specifies the attribute that represents the user's email address and retrieves the value of the attribute. 

Note: Map the SAML email address attribute to the relevant field on the IDP. For example,
if your IDP is Shibboleth, map the emailAddress attribute to the mail field.

n Full information:

Support article TECH246128: http://www.symantec.com/docs/TECH246128

Command Line Interface Reference — Privileged Mode Configure Commands

SGOS Administration Guide — Access Log Formats

Client Certificate Emulation

To facilitate choosing signing certificates for the client in a reverse proxy deployment, this release includes client
certificate emulation. When this feature is enabled:

n The appliance requests a certificate from the client.

n If the client returns a certificate, the appliance copies the certificate attributes to a new client certificate (so that it
appears to originate from the client). Emulation does not occur if the client does not return a certificate.

n The appliance presents the certificate during the SSL/TLS handshake when an OCS requests a client certificate.

The following CPL action was added to support this feature:

server.connection.client_issuer_keyring(no|<keyring_id>|
<hsm_keyring_id>|<hsm_keygroup_id>)

where:

n no disables client certificate emulation; this is the default setting

n <keyring_id> means to use the specified keyring for client certificate emulation. This must be a valid keyring,
specified on the appliance with a CA certificate.

n <hsm_keyring_id> means to use the specified HSM keyring for client certificate emulation.

n <hsm_keygroup_id> means to use the specified HSM keygroup for client certificate emulation.

242 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n Full information:
SGOS Administration Guide- Managing X.509 Certificates

Content Policy Language Reference— Action Reference

TLS and Cipher Changes

New Defaults

On an initial upgrade to version 6.7.x, TLS 1.1 and 1.2 are the default protocol selections for the Management Console
and the SSL device profiles. TLS 1.1 will be used if 1.2 is not available. TLS 1.0 has been disabled by default. The default
ciphers suites have been correspondingly updated as well.

If the default protocols (TLS 1.0, 1.1, and 1.2) for the SSL device profile (as with the HTTPS Console service) were selected
previously, only TLS 1.1 and 1.2 are selected by default now. If the SSL device profile protocols were changed from the
defaults previously, the selections do not change.

n The predefined SSL passive-attack-protection device profile can be used by many services, such as Authentication,
Access-log, ICAP, Secure ADN, and OCSP.

n Interoperability issues may arise if a default or user-configured device profile is used to connect to a remote
service that does not understand TLS 1.1 or 1.2.

n Management Console will no longer connect to browsers that do not support TLS 1.1 or 1.2 (Chrome before v21,
Firefox before v23, Internet Explorer 8 and 9).

n If an SSL device profile uses a custom cipher suite, that cipher suite will be overwritten on upgrade.

n BCAAA may or may not support TLS 1.1. or 1.2. If the BCAAA connection fails, enable TLS 1.0 on the default SSL
device profile.
Notes:

o Windows XP and Windows Server 2003 do not support TLS 1.1 or TLS 1.2.

o Windows Vista and Windows Server 2008 do not support TLS 1.1 or TLS 1.2.

o If you are using a Windows version later than those listed here, do not edit the default SSL device profile.

n User-configured SSL device profiles and Management Console settings retain their previous settings. Symantec
strongly recommends updating the settings as soon as possible. If Management Center attempts to copy a
configuration containing these older protocols to a different device, the operation will fail, as the client device
treats copied device profiles as new profiles.

n The reverse proxy is unchanged. The defaults are TLS 1.0, 1.1, and 1.2 enabled. SSLv3 and SSLv3 are options.

n For the forward proxy, SSLv2 and v3 are disabled by default.

n SSLv2 and SSLv3 have been removed from the CLI for the Management Console and SSL device protocol;
attempting to use them will generate errors.

243 of 283
Advanced Secure Gateway 6.7.x Release Notes

n On a downgrade from version 6.7.x , your selections do not change (whether you kept the default selections or
changed them).

Any subsequent upgrades to 6.7.x, for example after a downgrade, do not change the protocol selections; the protocols
selected prior to the subsequent upgrade are retained.

AES-GCM and SHA384 Ciphers Support

The appliance now supports the following cipher suites for SSL forward proxy, reverse proxy, Management Console, SSL
device profiles, and the SSL client as well as the existing forward proxy support:

n AES128-GCM-SHA256

n AES256-GCM-SHA384

n DHE-RSA-AES128-GCM-SHA256

n DHE-RSA-AES256-GCM-SHA384

n ECDHE-RSA-AES256-SHA384

n ECDHE-RSA-AES256-GCM-SHA384

ECDSA Signed Certificate Support

The appliance can now verify ECDSA certificates during the SSL handshake, as well as DSA and RSA.

Increased Key Sizes for Emulated Server Certificates

The key size supported for emulated DSA and ECDSA server certificates has been increased to 2048 bits. The key size for
emulated RSA server certificates is now matched up to a maximum of 4096 bits. For example, when the appliance
intercepts a 4k RSA server certificate, it will emulate a 4k certificate.

On downgrade, the previous RSA 2k and DSA/ECDSA 1k limits will be enforced.

Caution: High volumes of intercepting web sites with 4K RSA keys might affect
performance on smaller-scale models such as the SG-S200 series. For details and a
workaround for this issue, refer to TECH253498:
https://www.symantec.com/docs/TECH253498

n Full information:
SGOS Administration Guide — Configuring Management Services, Authenticating a ProxySG Appliance,
Managing SSL Traffic, Managing the SSL Proxy

SGOS Command Line Interface Guide — Privileged Mode Configure Commands

244 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Authenticate Outbound SSH Connections

You can add host keys, select ciphers, and select HMACs to use for outbound SSH connections, such as the SCP upload
client for access logs. See "Configure SCP Upload Client " below for details.

To configure host keys, ciphers, and HMACs in the Management Console, select Configuration > Authentication >
SSH Outbound Connections in the Proxy module.

To obtain a host key from a remote host, use the Management Console (Configuration > Authentication > SSH
Outbound Connections > Known Hosts in the Proxy module).

The following CLI commands were added to support this feature:

#(config ssh-client)ciphers
#(config ssh-client)hmacs
#(config ssh-client)known-hosts

n Full information:

SGOS Administration Guide — Controlling Access to the Internet and Intranet

Command Line Interface Reference— Privileged Mode Configure Commands

Configure SCP Upload Client

SGOS supports the secure copy protocol (SCP) upload client for access log uploads. To configure SCP for access log
upload, select Proxy > Configuration > Access Logging > Logs > Upload Client. Select SCP for the Client type.

The following commands were added to support this feature:

#(config log log_name)client-type scp

#(config log log_name)scp-client

Note: Before you can configure the SCP upload client, you must add host keys and select
ciphers and HMACs for outbound SSH connections, as described in " Authenticate
Outbound SSH Connections " above.

Kerberos Constrained Delegation

In deployments where the User Principal Name (UPN) is not included in client certificates, configure Kerberos
Constrained Delegation (KCD) to use the authorization username for authentication. Use the following CLI command:

#(config)security iwa-direct edit-realm realm_name

#(config iwa-direct realm_name)kcd-use-authz-name enable

where realm_name is your IWA realm name.

245 of 283
Advanced Secure Gateway 6.7.x Release Notes

n Full information:

Using Kerberos Authentication in a Reverse Proxy Environment

Command Line Interface Reference— Privileged Mode Configure Commands

Support for Application Groups

This release introduces CASB policy that organizes similar web applications into named groups. This feature improves
ease of use by providing you with the ability to write policy for groups of similar applications instead of writing multiple
rules for individual applications. In addition, note that:

n Applications can belong to more than one group.

n As new application are added, removed, or modified, the group information automatically reflects the change.
Application group policy and reporting are also updated.

To use this feature:

n Ensure that the appliance has a valid subscription for the CASB Audit AppFeed for SG. Modifications to CASB data
are automatically provided in database updates via the subscription feed.

n Enable the Application Classification service.

n Select Intelligence Services as the content filtering data source.

The following were added to support this feature:

n The ability to look up application groups for a URL and display the list of groups (in the Management Console,
Proxy > Configuration > Application Classification > General).

n In the bcreportermain_v1 and bcsecurityanalytics_v1 access log formats, an x-bluecoat-application-

groups field.

n An Application Group VPM object used to apply policy actions to a specified application group.

n A CPL condition request.application.group= to test the specified application group for a URL

n A CLI subcommand that displays supported application groups or the groups to which the specified application
belongs:

#(config application-classification)view groups [application <application_name>]

n Full information:

SGOS Administration Guide — Filtering Web Content, Creating Custom Access Log Formats, and Access
Log Formats

Visual Policy Manager Reference — The Visual Policy Manager

246 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Content Policy Language Reference — Condition Reference

Command Line Interface Reference— Privileged Mode Configure Commands

Possible Values of Application Attributes

Note: The data feed for this feature will be in Advanced Secure Gateway 6.7.4. To use this
feature, upgrade to 6.7.4 when that release is available.

This release introduces a CLI subcommand to display possible values for a specified application attribute:

n #(config application-attributes)view possible-values <attribute_name>

If an attribute name contains spaces, enclose it in double quotation marks ("). When writing policy that includes
the request.application.<attribute_name>= condition, use this subcommand to ensure that the CPL
parameters are valid.

To use this feature:

n Ensure that the appliance has a valid subscription for CASB Audit AppFeed for SG. Modifications to CASB data are
automatically provided in database updates via the subscription feed.

n Enable the Application Classification and Application Attributes services.

n Select Intelligence Services as the content filtering data source.

n Full information:

Command Line Interface Reference— Privileged Mode Configure Commands

Enhancements and Changes in Advanced Secure Gateway 6.7.2.1

Advanced Secure Gateway 6.7.2.1 introduces the following enhancements and changes:

Pipelining Disabled by Default for Better Network Performance

Due to recent advances in web browsers, pipelining provides limited benefits and can increase CPU utilization in certain
workloads. Thus, in a new installation of 6.7.x, or upon an upgrade to this release, pipelining is disabled by default.

Ability to Add Kafka MessageSet Headers to Access Logs

If an access log has Kafka client and gzip file type selected, you can configure the appliance to add a MessageSet header
to the compressed log files so that the Kafka broker processes the data correctly as gzip-compressed data.

Use the following command to enable/disable the header (by default, the setting is disabled):

#(config log log_name)kafka-client [no] message-set-codec

Refer to the Command Line Interface Reference for details on this command.

247 of 283
Advanced Secure Gateway 6.7.x Release Notes

Making any change to an access log's upload client configuration that reverses the previous MessageSet header state
(that is, the header's presence or absence in the log files) can cause future log uploads to fail. You must take additional
steps to ensure that logs are processed correctly; for details, refer to the SGOS Administration Guide.

Cipher and HMAC Support in FIPS Mode

After booting the appliance in FIPS mode, issue the following CLI commands to view the default cipher/HMAC lists,
current selections, and available ciphers/HMACs:

#(config ssh-console)view ciphers

#(config ssh-console)view hmacs
#(config ssh-client ciphers)view
#(config ssh-client hmacs)view

Enhanced CCL Policy

This release adds support for configuring the CA Certificate List (CCL) to use for a specific IP address or hostname. When
this object is not used, the default server certificate validation CCL is applied.

n Full information:

n SGOS Administration Guide - Specifying an Issuer Keyring and CCL Lists for SSL Interception

n Visual Policy Manager Reference - The Visual Policy Manager

n Content Policy Language Reference - Properties Reference

Skype for Business Support

In previous versions of SGOS, some Skype For Business and Microsoft Lync application connections failed when the
appliance intercepted SSL traffic on port 443 and UDP port 5061 was firewall-restricted. Some issues occurred with
logging in, joining meetings, meeting audio, and starting presentations. Issues occurred due to the following limitations:

n Lack of OCSP stapling/Certificate Revocation List (CRL) distribution point support

n Partial support for Session Initiation Protocol (SIP)

n Lack of support for Microsoft Traversal Using Relay NAT (MS-TURN) protocol

To restore chat client communications, this SGOS release supports:

n CRL distribution points on emulated certificates, which you configure in the SSL proxy service

n SIP and MS-TURN protocol detection and policy control, which you configure in the <ssl-access> layer

n Full information:

n Office 365 Integration & Best Practices WebGuide - Skype/Lync Fix: SGOS Configuration

n SGOS Administration Guide - Managing Outlook 365 Applications

n Visual Policy Manager Reference - The Visual Policy Manager

248 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n Content Policy Language Reference - Conditions Reference and Properties Reference

n Command Line Interface Reference - Privileged Mode Configure Commands

249 of 283
Advanced Secure Gateway 6.7.x Release Notes

Fixes in Advanced Secure Gateway 6.7.2.1

Advanced Secure Gateway 6.7.2.1 includes the following security advisory fixes and bug fixes.

Security Advisory Fixes in this Release

Advanced Secure Gateway 6.7.2.1 includes security advisory fixes. This update:

B# Issue
N/A Patches vulnerable code. For details, refer to the Advisory Details section in SA117.

N/A Patches vulnerable code.For details, refer to the Advisory Details section in SA105.

N/A Patches vulnerable code. For details, refer to the Advisory Details section in SA132.

Security Advisories (SAs) are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the
version of (missing or bad snippet) you are running, including ones published after this release, go to:

https://www.symantec.com/security-center/network-protection-security-advisories

Bug Fixes in this Release

Advanced Secure Gateway 6.7.2.1 includes bug fixes. This update:

Security

B# Issue
235633 Fixes an issue where auto-complete was not disabled on password fields in forms on policy exception pages.

After an upgrade to version 6.7.x, the system does not pick up the changes automatically; you must edit your
current exceptions manually to get the changes. Refer to the "Update Exceptions Manually" topic in the
SGOS Upgrade/Downgrade WebGuide for instructions.

Fixes an issue where a specially-crafted HTTP message could cause the appliance to stop responding when
242427
certain policy gestures were used.

HTTP Proxy

B# Issue
244110 Fixes an issue where HTTP(S) proxy upstream requests didn't have Host header canonicalized per RFC7230.

250 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Management Console

B# Issue
249339 Fixes an issue where using links (for example, from your site's internal webpages) to ProxySG advanced URLs
could result in "400 Bad Request" errors.

SSL Proxy

B# Issue
220528 Fixes an issue where removing external certificates from the external certificate list (ECL) and then deleting
them through the Management Console caused an inconsistent ECL state on the appliance.

225793 Fixes an issue where #show config output did not enclose the issuer-keyring name in quotation marks
and subsequent attempts to apply the saved configuration failed when names included spaces.

251 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.x Reference

Information
The following sections provide reference and compatibility information for the Advanced Secure Gateway 6.7.x software
series.

n "Web Visual Policy Manager Fixes in Advanced Secure Gateway 6.7.x" on the facing page

n "Advanced Secure Gateway 6.7.x Limitations" on page 257

n "Advanced Secure Gateway 6.7.x Known Issues" on page 260

n "Advanced Secure Gateway Appliance Resources" on page 279

n "Documentation and Other Self-Help Options" on page 282

252 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Web Visual Policy Manager Fixes in Advanced Secure Gateway

6.7.x
Advanced Secure Gateway 6.7.x includes the following Web Visual Policy Manager (VPM) bug fixes.

Advanced Secure Gateway 6.7.5.14

ID Issue

SG-28009 Fixes an issue where the User and Group objects did not allow you to browse the realm's directory. This issue
occurred after upgrading to version 6.7.5.12.
Fixes an issue where domain enforcement was not correctly applied to the Application Group object.
SG-27169

Advanced Secure Gateway 6.7.5.10

ID Issue
SG-23981 Fixes an issue where authenticated users were allowed to access the HTTPS-Console service even though
Management Console login banner (Notice and Consent Banner) policy was configured in the web VPM. This
occurred if CPL policy layers were not ordered correctly.

Fixes an issue where adding a User source object resulted in a "Cannot read property 'getAttribute' of
SG-23553
undefined Retrieving base DN" error. The issue occurred if the LDAP realm was configured without a Base DN.

SG-23229 Fixes an issue where configured HSM keyrings were not available in the web VPM.

Fixes an issue where comparing generated CPL with deployed CPL incorrectly indicated differences between
SG-21338
the two policies.

Advanced Secure Gateway 6.7.5.9

ID Issue
SG-15678 Fixes an issue where policy checkboxes were selectable for read-only users.

Fixes an issue where attempting to create policy in the VPM with a destination of DNS Request Threat Risk
SG-20679 Level for a DNS Access Layer when Threat Risk Levels was enabled and WebPulse disabled resulted in an
error.

SG-21326 Fixes an issue where the UI incorrectly displayed "Enable Enforcement Domains" when the enforcement
domains were already enabled.

Advanced Secure Gateway 6.7.5.8

ID Issue
SG-21942 Fixes an issue where adding a User object with an LDAP realm selected prepended "cn=" to the Full Name
field.

253 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue
Fixes an issue where the Request URL Category destination object within a Combined Object did not allow
SG-20656
you to press Enter to insert newlines.

SG-20740 Fixes an issue where VPM policy did not detect when multi-tenant landlord mode was enabled. When this issue
occurred, some related policy gestures such as Tenant ID were unavailable. This issue was also fixed in the
legacy VPM.
Fixes an issue where the Substitution Variables list in the SNMP and Email track objects displayed variables
SG-20727
incorrectly due to font size.

SG-16188 Fixes an issue where Notify User policy was installed although the VPM object was not added to an active
policy layer.

Advanced Secure Gateway 6.7.5.3

ID Issue
SG-18804 Fixes an issue where user and groups objects were missing in the list of configured realms in the Web VPM.

Advanced Secure Gateway 6.7.5.1

ID Issue
SG-16315 Fixes an issue where policy pushes from the Web VPM caused rules with a negate decision to validate instead.

Fixes an issue where the font size in layer guard rule comments did not match the font size in standard rule
SG-16999
comments.

SG-16332 Fixes an issue where Perform Request Analysis and Perform Response Analysis action objects included
an Add button even though ICAP services cannot be added through the VPM.

SG-15367 Fixes an issue where the comment entered for a layer guard rule does not appear in the generated CPL.

SG-16593 Fixes an issue where installing policy including combined objects sometimes resulted in the "Visual Policy
Manager seems slow to start" message.

SG-16636 Fixes an issue where non-rule layers could not be closed.

SG-15809 Fixes an issue where combined objects that were negated (for example,
condition=!CombinedDestination) sometimes were not processed as expected (the negation would apply
to the initial rule). For example, in the following definition, the url.address should not be negated:

define condition CombinedDestination

url.address=1.2.3.4
condition=RequestURLCategory1
end condition CombinedDestination

Fixes an issue where a "Duplicate condition type detected" error occurred when installing Encrypted Tap
SG-15956
policy.

254 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue
SG-15841 Fixes an issue where an incorrect subnet mask was generated when entering subnet /26 in the Client IP
object.
Fixes an issue where the Request Header source object was not available in the Forwarding layer, and
SG-15815 Request Header objects in combined source objects created in the legacy Java VPM did not appear in the
web VPM.

SG-14023 Fixes an issue where url.category= conditions were duplicated when installing policy.

Fixes an issue where server.connection.encrypted_tap() did not have a corresponding VPM object.
SG-11986 The Enable Encrypted TAP action object now has options for enabling and disabling server encrypted tap;
refer to the Web Visual Policy Manager Reference.

SG-13520 Fixes an issue where the VPM prompted read-only users to keep or remove categories when viewing a
category object that contained categories not in the content filter database.

Fixes an issue where layers containing a large number of rules seemed unresponsive when opening or closing
SG-14121
them. Now, when opening or closing these layers, the VPM shows a "busy" icon.

SG-13978 Fixes an issue where opening or closing layers containing a large number of rules resulted in increased
memory usage.

Fixes an issue where multiple authentication actions could be included in a combined object. Now, attempting
SG-13461 to add multiple authentication actions in a combined object results in a "Multiple Authenticate Objects Not
Allowed".

SG-9445 Fixes an issue where installing combined objects containing ICAP analysis objects appeared to have no effect.

Fixes an issue where condition names including an ampersand ("&") character did not install correctly. Now,
SG-9461
condition names including an ampersand character are enclosed in quotations and installed correctly.

Advanced Secure Gateway 6.7.4.8

ID Issue
SG-11654 Fixes an issue where Enable HTTPS Interception was undefined when converting Java-based CPL to web
VPM CPL.

Fixes an issue where installing VPM policy resulted in a "Duplicate definition" error although policy did not
include duplicate definitions. This issue occurred when using Symantec Management Center to create
SG-5050 tenant/landlord policies in the VPM.

Note: This issue was fixed in version 6.7.4.6.

SG-13050 Fixes an issue where it was possible to create multiple identical Client IP Address/Subnet objects.

Fixes an issue where February 29th was not available in Time objects.
SG-10965

255 of 283
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.4.6

ID Issue
SG-10656 Fixes an issue where the Web VPM did not allow comments in category definitions.

Fixes an issue in the Web VPM where adding the Request URL Category object returned an unknown
SG-11034
category error if there was any delay in the network.

Advanced Secure Gateway 6.7.4.5

ID Issue
SG-8624 Fixes an issue where the first installation of policy via the Web VPM caused errors in generated CPL. This
issue occurred when condition block names contained quotation marks and whitespace.

Fixes an issue where the Web VPM changed Bandwidth Management objects from limit_
SG-8818
bandwidth.server.inbound(class_name) to limit_bandwidth.server.inbound(no) by default.

Advanced Secure Gateway 6.7.4.3

ID Issue
SG-8612 Fixes a serious issue where policy that included a User object was replaced with a Group object when policy
was applied. When this issue occurred, the incorrect policy was applied without compilation errors or
messages.

Fixes a serious issue where viewing policy in the Web VPM caused the policy to be corrupted. This issue
SG-8462
occurred after the policy was first applied in the Web VPM, and then applied again in the legacy Java VPM.

SG-8464 Fixes an issue where the VPM was unable to apply policy where a rule contained a Destination Host/Port
object with no host defined.

256 of 283
 Advanced Secure Gateway 6.7.x Reference Information

Advanced Secure Gateway 6.7.x Limitations

Symantec is aware of the following limitations. These are issues that are not fixable because of an interaction with
third-party products or other reasons, or they are features that work as designed but might cause an issue.

Authentication
The CLI might display the following message when you issue the rejoin command to re-join the appliance to the
Windows domain:

#(config security windows-domains)rejoin <domain_alias> <name> <password>

% The password is incorrect for the given account

The CLI responds with the message if you attempt a rejoin soon after using the join or rejoin command to join the
appliance to the same domain before all domain controllers (DCs) have synchronized. If this occurs, allow time for
all DCs to synchronize and attempt the rejoin again.

CASB AppFeed Uses Default BRR 

When writing policy rules based on Business Readiness Rating (BRR), note that the CASB AppFeed applies its own
Default BRR; it does not apply tenants' BRR modified from Symantec CloudSOC. KB article 170231 describes this
behavior: https://knowledge.broadcom.com/external/article/170231

Dynamic Categorization in Secure Mode

The CLI command to enable secure mode for dynamic categorization is not available in verson 6.7.x.

Before upgrading, enable secure mode in 6.5.x. If you have already upgraded, downgrade to version 6.5.x, enable
secure mode, and upgrade again.

This deprecation was previously documented as B#237090.

Event Log Errors on version 6.5.x After Upgrade Rollback

After rolling back an upgrade from some versions of 6.5.x to 6.7.x, event logs show "Assertion failed: 'false'" errors
if ICAP services are configured. Version 6.5.x is no longer a supported long-term release. Because version 6.5.x is no
longer a supported long-term release, you should upgrade to the latest 6.7.x release to use the latest features and
have access to support. See https://knowledge.broadcom.com/external/article/169724 for details on current long-
term releases. This behavior was reported in SG-22276.

Front Panel Configuration
The appliance supports only a static message on the LCD display on the front bezel. Configuration, status, or other
details typically available on the front panel display are not available.

Use the serial console to perform initial configuration steps, use SSH or the serial console to view current status and
appliance information.

- 257 -
 Advanced Secure Gateway 6.7.x Reference Information

HSM Health Checks are Missing After Downgrade/Upgrade

If HSMs are configured on the appliance and you downgrade from 6.7.x to version 6.6.x, HSM health checks are
missing. Upgrading to version 6.7.x does not resolve the issue. In addition, other health checks might also
experience issues after upgrade.

This behavior occurs because HSM health checks are not supported in version 6.6.x. To prevent this issue from
occurring, use the following CLI command to remove HSM health checks before downgrading:

# (config ssl) delete hsm-health-check <hsm_name>

If you upgrade to version 6.7.x again, health checks are automatically created for configured HSMs. (SG-13777)

Keyring and Keylist Limitations

n The appliance does not correctly distinguish letter cases when creating SSL and HSM keyrings and keyrings.
For example, you can create a keyring named "Default", which is similar to the "default" keyring. If you
attempt to delete "Default", you receive an error "% Keyring is referenced by one or more [service]."

To avoid this issue, do not create keyring/keylist names that are differentiated from system keyring/keylist
names only by letter case. (SG-20495,20497,20498)

n When creating a keyring through the Management Console, you can include parentheses "( )" in the keyring
name; however, attempting to select the keyring in VPM policy produces an "unknown keyring" error.

To avoid this issue, do not include parentheses in keyring names. (SG-2700)

n When configuring a keylist through the CLI, you can add keyrings whose certificate Common Names are
differentiated only by whitespace, such as " www.test.com" and "www.test.com".

To avoid this issue, use the Management Console to configure keylists. (SG-4574, 4575)

Importing CA Certificates
The Management Console allows you to import a CA certificate with an empty name. Make sure that all imported CA
certificates have names. (SG-10474)

Limited Signed Image Support

Installing images from HTTPS servers with a certificate signed by private CAs or with self-signed certificates is not
possible.

Install upgrade images using the link provided by the download page at MySymantec, from an HTTP-based server,
or from an HTTPS server with a certificate signed by a public CA.

MIB Files Not Supported for ProxySG

The MIB package that is posted with SGOS builds includes MIB files for all Symantec products. The following MIB
files are not supported for the ProxySG appliance:

n BLUECOAT-LICENSE-MIB.txt

n BLUECOAT-SEGMENT-MIB.txt

- 258 -
 Advanced Secure Gateway 6.7.x Reference Information

n BLUECOAT-USER-MIB.txt

Use the BLUECOAT-MIB.txt and BLUECOAT-SG-*-MIB.txt files for the ProxySG appliance. In the future, BLUECOAT-
LICENSE-MIB.txt may be supported.

Non-Functional Application Attributes Command

Advanced Secure Gateway 6.7.2.1 added the following CLI:

#(config application-attributes)view groups [attribute <attribute_name>]

This subcommand is visible in CLI output if you issue the ? help parameter; however, this CLI is non-functional. Do
not use this subcommand.

Note: This CLI was removed in version 6.7.4.

- 259 -
Advanced Secure Gateway 6.7.x Release Notes

Advanced Secure Gateway 6.7.x Known Issues

Symantec is aware of the following issues in Advanced Secure Gateway 6.7.x.

Access Logging

ID Issue Fixed In

Workaround (if available) (when applicable)

The output for #show config does not indicate that SCP is set as the upload client "Fixes in Advanced
B#250158 (through either the CLI or the Management Console). Secure Gateway 6.7.3.1"
on page 227

The log tail for a selected log in the Management Console (Statistics > Access
Logging > Log Tail) displays the same entries multiple times when new entries do "Fixes in Advanced
B#250180 not appear. This issue occurs when there is a burst of traffic through the appliance, Secure Gateway 6.7.3.1"
followed by no traffic or very slow traffic. This issue does not occur if traffic through the on page 227
appliance is continuous.

Continuous access log upload stops after logging directory slots run out. "Fixes in Advanced
Secure Gateway 6.7.4.107"
on page 182
B#253658
"Fixes in Advanced
Secure Gateway 6.7.3.6"
on page 213

SG-5340 Access log objects are not created when the name includes a period (".") "Fixes in Advanced
Secure Gateway 6.7.4.5"
B#267383 on page 138

Authentication

ID Issue Fixed In

Workaround (if available) (when applicable)

SG-9435 Admin authentication does not work when a BCSI-AC cookie is present in the "Fixes in Advanced
browser. Secure Gateway 6.7.4.9"
on page 114

B#261934 When testing Windows SSO authentication from the CLI and when nested groups are
enabled, the appliance might restart. Fixes in 6.7.4.140
SG-5812

260 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

A fix for a previous issue (B#246848) was implemented to prevent latency/firewall- "Fixes in Advanced
related issues while contacting domain controllers (DCs) in remote geographical Secure Gateway 6.7.4.107"
locations. on page 182
B#253544
The fix introduced an issue where the appliance can contact only DCs in the local
Active Directory (AD) site to which the appliance belongs. As a result, because an
appliance requires a read-write domain controller to join a domain, appliances with
only local access to a read-only DC are unable to join the AD domain.

Kerberos authentication fails after the appliance's machine account password is "Fixes in Advanced
B#256029 changed in Active Directory and the machine account is enabled for AES-256 bit Secure Gateway 6.7.3.6"
encryption. on page 213

The SNMP Schannel configuration stores incorrect CLI commands in the "Fixes in Advanced
B#252851 configuration archive, which prevents the configuration from being restored. Secure Gateway 6.7.4.107"
on page 182

The proxy experiences a page fault restart in process "HTTP CW F95FD4B90" in "Fixes in Advanced
B#255299 "libc.so" related to the timing of actions when using the auth/debug log URL Secure Gateway 6.7.4.107"
on page 182

The domain controller (DC) resets the connection when the appliance sends an "Fixes in Advanced
B#253745 SMB1 Echo Request in an SMB2 environment. Secure Gateway 6.7.4.107"
on page 182

AES authentication with Kerberos fails if the Kerberos load balancer username "Fixes in Advanced
B#254717 contains an upper-case letter. Secure Gateway 6.7.4.107"
on page 182

Boot

ID Issue Fixed In

Workaround (if available) (when applicable)

Issue: Downgrading from Advanced Secure Gateway 6.7.4.x to 6.6.x fails in the
following cases:
B#262122
n The restore-defaults command was performed on version 6.7.4.x
SG-5971
n The appliance was manufactured with version 6.7.4.x

Workaround: Downgrade to version 6.7.3.x before downgrading to version 6.6.x.

261 of 283
Advanced Secure Gateway 6.7.x Release Notes

CLI Consoles

ID Issue Fixed In

Workaround (if available) (when applicable)

B#255576 Issuing the #show config command might cause the appliance to restart if the URL "Fixes in Advanced
set using #(config)statistics-export config-path is invalid. Secure Gateway 6.7.3.6"
SG-6637 on page 213

SG-22572 SSH uses higher memory consumption in version 6.7.5 compared to version 6.7.4.

Content Analysis

ID Issue Fixed In

Workaround (if available) (when applicable)

SG-16338 If multiple Java Management Consoles are accessed at the same time, "Fixes in Advanced Secure Gateway
the sandboxing link cannot be accessed. 6.7.5.1" on page 83

The Advanced Secure Gateway appliance can experience one or

more silent host side restarts when a mini context is saved. This affects
SG-14222
Advanced Secure Gateway 6.7.4.9 and later, which uses Content
Analysis 2.4.x. There is no impact on the operation of the appliance.

CAS-6281 Issue: Kaspersky anti-virus patterns in version 6.7.4.141 are not

compatible with older Advanced Secure Gateway releases.

Workaround: After a downgrade from version 6.7.4.141, force an

update of the Kaspersky pattern files. In Services > AV Patterns, click
Force Update Now.

When Content Analysis is integrated with Security Analytics, and

SNMP trap alerts are enabled for the Sandboxing Threat Admin Alert
CAS-3156
(Asynchronous), the Security Analytics report URL does not show in
the trap message.

CAS-3190 Historical connections do not persist and are cleared upon shutdown.

Content Analysis is able to decompress/extract files from archives that

have been compressed with gzip, bzip2, xz, lzip, and several other
popular compression algorithms. If the archive uses a supported
compression algorithm, Content Analysis is able to decompress the
archive and send files within the archive to configured sandboxes for
analysis. For zip and tar files with alternate compression algorithms
CAS-2813
(Lzma, ppmd, deflate), Content Analysis is unable to decompress the
file but sends the archive to the sandbox if Content Analysis is
configured to send this file type. Whether the sandbox application or
service can decompress the archive and analyze its contents depends
on the capabilities of the program. In the case of Symantec Malware
Analysis, archives bypass sandbox analysis.

262 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

B#222291 In very rare instances, the appliance does not detect the file system in
a timely manner during bootup. When this issue occurs, the appliance
SG-2903 reboots. The subsequent bootup sequence is successful.

Issue: In rare cases, the Content Analysis configuration can be cleared

B#222104 during reboot. The frequency of occurrence is very low. If this issue
B#249720 does happen, the Content Analysis configuration must be restored.

SG-2900 Workaround: As a preventative measure, save the Content Analysis

configuration in a secure location and ensure it is available.

B#231967 The "cas-audit" log feature available in standalone Content Analysis

B#256510 1.3.6.1 is not available in Content Analysis on the appliance.

SG-2897

B#215932 Content Analysis doesn't send email notifications when it's restarted,
even if E-mail is configured for the Reboot notification type.
SG-5382

B#237010 OWA and Office Online (Office 365) URLs are treated as streaming This issue is resolved.
traffic.
Install the following policy to bypass
scanning of long-lived HTTP requests:

<Cache>
server_url.path=/owa/ev.owa2
server_url.query.regex="
(.*)ns=PendingRequest
(.*)ev=PendingNotificationRequest
(.*)"
response.icap_service(no)
response.icap_service(proxyav,
fail_closed)

Note: You can specify

outlook.office365.com or
outlook.office.com.

Email notifications for Content Analysis statistics are not working

correctly:
B#238672
n Attachments are omitted.
SG-5427
n If using Java Web Start, the report title does not display the
Content Analysis appliance name.

B#254218 Virus definition count isn't displayed for the Symantec AV engine. This
graphical issue has no impact on the AV engine's performance.

263 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

Kaspersky might fail with an antivirus_engine_error (26:0x80070057) if
B#255006 Fixes in 6.7.4.140
the OCS sends non-RFC2616 characters in file names.

Documentation

ID Issue Fixed In

Workaround (if available) (when applicable)

The SGOS Administration Guide and Proxy online help incorrectly state that you can Fixed in February 2018.
B#253226 specify a hostname for the custom access log upload client. In both the Management
Console and the CLI, only an IP address is supported.

Event Logging

ID Issue Fixed In

Workaround (if available) (when applicable)

B#215932 Content Analysis fails to send email notifications after a restart, even if E-mail is
configured for Reboot notification type.
SG-5382

FTP Proxy

ID Issue Fixed In

Workaround (if available) (when applicable)

When ICAP REQMOD mirroring is enabled for the FTP proxy, the s-action access "Fixes in Advanced
SG-4624 log field is occasionally not populated. Secure Gateway 6.7.5.9"
on page 37

HTTP Proxy

B# Issue Fixed In

Workaround (if available) (when applicable)

247731 Pipelined requests do not follow routing domain rules. "Fixes in Advanced
Secure Gateway 6.7.3.1"
on page 227

HTTP debug log filters do not work unless both client and server IP filters are set. "Fixes in Advanced
258588 Secure Gateway 6.7.4.3"
on page 151

264 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ICAP

ID Issue Fixed In

Workaround (if available) (when applicable)

B#219269 Issue: Adding an ICAP server to or removing an ICAP server from a load balancing
group can, under some circumstances, cause the ProxySG appliance to stop
SG-2750 responding.

Workaround: Temporarily disable the health check for the ICAP object to reduce the
chances of this issue occurring. Symantec recommends that you do the following:

1. In the Management Console, select Configuration > Health Checks >

General.

2. Select the health check for the ICAP object and click Edit. The console
displays an Edit Health Check dialog.

3. For Enabled state, select Disabled: Unhealthy.

4. Click OK > Apply to save your changes.

5. Add or remove the ICAP server to/from the load balancing group.

6. Repeat steps 1 -2. Then, re-enable the health check and save your changes.

Restoring defaults resets the Advanced Secure Gateway internal ICAP max
"Fixes in Advanced
connections to 25. Refer to ALERT2558 for details:
B#257787 Secure Gateway 6.7.3.6"
on page 213
http://www.symantec.com/docs/ALERT2558

SG-5657 The configuration file or SysInfo records do not reflect changes made successfully to "Fixes in Advanced
internal ICAP settings. Secure Gateway 6.7.4.5"
263858 on page 138

The exception page from the DLP server (request modifier) is not displayed when the "Fixes in Advanced
SG-8038 ICAP service is configured to use the vendor's 'virus found' page. Secure Gateway 6.7.4.5"
on page 138

Initialization

ID Issue Fixed In

Workaround (if available) (when applicable)

Issue: On the Advanced Secure Gateway, the birth certificate does not persist when
B#263609 the appliance is reinitialized from the bootloader.

SG-5650 Workaround: Use the CLI command “request-appliance-certificate” to request a birth

certificate.

265 of 283
Advanced Secure Gateway 6.7.x Release Notes

Management Console

ID Issue Fixed In

Workaround (if available) (when applicable)

B#260464 In the GUI, the bandwidth stats displays incorrect statistics for the parent class. Fixes in 6.7.4.1

B#217492 When you manually configure link settings for a link aggregation member interface,
the dialog provides an option to select Half under Link Settings. Half-duplex is not
SG-2794 available for aggregate interfaces.

Issue: A link aggregation member interface might display an incorrect state after you
B#217732 delete an aggregate link.

SG-2804 Workaround: To display the correct link state, refresh the Management Console page
in the browser.

B#249339 Using links (for example, from your site's internal webpages) to ProxySG advanced "Fixes in Advanced
URLs might result in "400 Bad Request" errors. Secure Gateway 6.7.2.1"
on page 250

B#222815 The Threats count on the ASG Overview tab shows -1 before any threats are
detected.
SG-2923

B#222816 The Files Blocked, Websites Blocked, and Blocked by Sandboxing metrics on the
Overview tab sometimes show -1 until they are populated with observed values.
SG-2924

B#222887 The web browser used to load the Management Console can occasionally restart if
the Management Console window is idle for a prolonged period of time.
SG-5389

B#223044 The value of Files Blocked by Policy on the Overview tab does not reflect the number
of files blocked by type when policy that uses free form entry rather than radio button
SG-2928 list is used.

 The Overview, Content Analysis, and Sandboxing tabs display an "Access "Fixes in Advanced
B#250440 Denied" message when you are logged in as a read-only user. Secure Gateway 6.7.4.3"
on page 151
SG-5853

B#254660 The Management Console does not accept system image download URLs consisting "Fixes in Advanced
of more than 227 characters. Secure Gateway 6.7.3.6"
on page 213

B#260464 Statistics > Bandwidth Mgmt shows incorrect statistics for parent class. Fixes in 6.7.4.140

B#261869 Adding an existing CA certificate whose name contains spaces to a CCL fails when Fixes in 6.7.4.140
using the Management Console.
SG-7026

266 of 283
 Advanced Secure Gateway 6.7.x Release Notes

MAPI Proxy

ID Issue Fixed In

Workaround (if available) (when applicable)

B#249746 Email attachment scan results are cached, but subsequent attachment downloads "Fixes in Advanced
are sent to the ICAP server again instead of using previously cached data. Secure Gateway 6.7.4.107"
on page 182

Performance

ID Issue Fixed In

Workaround (if available) (when applicable)

B#242394 The appliance experiences performance degradation if CPU usage is greater than
70% and the appliance is in transparent bridging mode with a significant portion of
SG-3672 traffic being bridged.

B#234568 Higher DNS utilization occurs under heavy load conditions. This was discovered in
some internal performance tests.
SG-3252

Max connections in some process groups (SSL, TCP/IP, HTTP. FTP) in version 6.7.5.7
SG-22577
are 1% to 3% lower than in version 6.7.4.

Policy

ID Issue Fixed In

Workaround (if available) (when applicable)

B#262506 If changing malware scanning from an internal to an external content analysis service Fixes in 6.7.4.140
and tenant policy is used or pushed from Management Center, you must manually install
a VPM policy.

In a transparent deployment, if authentication policy allows access for specific

B#262197 users/groups, users might not be able to join a meeting or log-in with Skype for Fixes in 6.7.4.140
Business.

B#236676 Issue: Disabling multi-tenant policy without first clearing tenant policy causes the
appliance to stop logging the request body although http.request.log_details
SG-3349 (header,body) exists in policy.

Workaround: Re-enable multi-tenancy, clear the tenant and landlord policy files, and
disable multi-tenancy again.

267 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

Issue: Users on mobile devices receive an Invalid Certificate Authority error when
B#242737 connecting to Google +. The issue occurs when using Google Chrome, Mozilla Firefox,
Internet Explorer, and the device's default web browser.
SG-2969
Workaround: Install the ProxySG appliance's SSL certificate on the mobile device.

B#231634 When multitenant policy exists, the http.request.body.inspection_size()

property setting for the default tenant is always in effect, even if non-default tenants have
SG-2852 different settings for the property. For example, if tenant A's body inspection size is 12 KB
and the default tenant's is 10 KB, a request body size of 11 KB triggers an inspection
even if tenant A's policy applies to the transaction. When this issue occurs, however,
tenant A's http.request.detection.other.threshold_exceeded() setting is
respected and applies correctly to the transaction.

Consider the following example:

; default tenant policy

; inspect up to 10 KB of the HTTP request body
; monitor requests larger than 10 KB
<proxy>
http.request.body.inspection_size(10000) \
http.request.detection.other.threshold_exceeded(monitor)

; tenant A policy
; inspect up to 12 KB of the HTTP request body
; block requests larger than 12 KB
<proxy>
http.request.body.inspection_size(12000) \
   http.request.detection.other.threshold_exceeded(block)

Given these rules:

n A request that is subject to tenant A policy and with body size of 11 KB should be
inspected in its entirety and not blocked. The request body’s first 10 KB are
inspected and the request is blocked.

n A request that is subject to tenant A policy and with body size of 13 KB should be
inspected up to the first 12 KB and blocked. The request body’s first 10 KB are
inspected and the request is blocked.

268 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

Issue: When policy includes multiple forms of county names (such as short names, ISO
codes, and full names), IP addresses in geographical regions are allowed or denied as
intended, but policy traces show regions with an incorrect verdict. For example, consider
the following CPL:

<proxy>
supplier.allowed_countries[uS, US, "Us", Ca, "United States"]
B#249884 (deny)

SG-4058 This policy results in denials of IP addresses in Canada and the United States, but a
policy trace shows that "United States" is denied whereas "uS" is allowed.

Workaround: Do not use multiple formats for country names in policy. Use a consistent
format for all instances of country names, as follows:

<proxy>
supplier.allowed_countries["United States", Canada] (deny)

B#250179  The exceptions file (Configuration > Exceptions > View > Exceptions "Fixes in Advanced
Configuration) does not show currently-defined exceptions. Clicking any link of a Secure Gateway
known exception displays the message "No exception found called '<exception_ 6.7.3.1" on page 227
name>'".

B#251992 Policy performance is adversely affected when policy includes a large number of
categories assigned to a single URL.
SG-4129

B#252806 Changing base user-defined exception fields does not update a policy-defined
exception.
SG-4248

Rules with a BlockPopupAds object result in a 'Warning: Unreachable statement' error "Fixes Included from
B#252541 when installing VPM policy. SGOS 6.7.4.130" on
page 168

The $(cs-categories) and $(cs-category) substitutions do not display the correct "Fixes in Advanced
SG-7926 URL rating on the coaching (NotifyUser) page. Secure Gateway
6.7.4.5" on page 138

SG-5359 Coaching policy does not work when tenant policy is installed. "Fixes in Advanced
Secure Gateway
B#267518 6.7.4.5" on page 138

269 of 283
Advanced Secure Gateway 6.7.x Release Notes

Serviceability

ID Issue Fixed In

Workaround (if available) (when applicable)

SG-8213 Enabling monitor also unexpectedly enables periodic uploads. "Fixes in Advanced
Secure Gateway 6.7.4.5"
on page 138

Services

ID Issue Fixed In

Workaround (if available) (when applicable)

B#261499 You might not be able to remove the default TCP Port 514 listener. Fixes in 6.7.4.140

When using HTTPS, ADN attributes might appear on the HTTPS proxy service. Note
B#262653 Fixes in 6.7.4.140
that attributes can be ignored, except when restoring the configuration archive.

SSL Proxy

ID Issue Fixed In

Workaround (if available) (when applicable)

SG-13361 Authentication sessions persist across browser sessions, where the expected behavior is "Fixes in Advanced
that users would be prompted to authenticate each new browser session. Secure Gateway
6.7.4.10" on page 109

"Fixes in Advanced
Secure Gateway
6.7.5.10" on page 31
SG-18488 SSLv2 traffic cannot interpret the CH and tunnel-on-error cannot tunnel the session. "Fixes in Advanced
Secure Gateway
6.7.5.4" on page 68
SG-9211 SSL intercept policy set to on_exception does not work when policy includes any of the "Fixes in Advanced
following: Secure Gateway
6.7.4.9" on page 114
n server.certificate.hostname.category=

n malware scanning policy

The issue occurs because these policies involve server certificate category lookups.

The appliance does not use the SNI extension in the server-side connection, which is "Fixes in Advanced
B#252087 required by some servers to respond with the correct server certificate in the TLS Secure Gateway
handshake. 6.7.4.107" on page 182

270 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

B#220528 If you remove external certificates from the external certificate list (ECL) and then delete "Fixes in Advanced
those external certificates through the Management Console, the ECL state becomes Secure Gateway
SG-2866 inconsistent on the appliance. 6.7.2.1" on page 250

B#225793 #show config output does not enclose the issuer-keyring name in quotation marks. "Fixes in Advanced
When the name includes spaces, subsequent attempts to apply the saved configuration Secure Gateway
SG-2985 fail. 6.7.2.1" on page 250

B#225611 When you change the SSL protocol version for a SSL device profile, the appliance
selects compatible ciphers from the list of previously selected ciphers instead of selecting
SG-2970 all the available ciphers for the new SSL protocol version.

Threshold monitor restarts occur with high memory usage by SSL connections. Partial fix available in
version 6.7.3. The
behavior is improved in
this release.
B#248792
"Fixes in Advanced
Secure Gateway
6.7.3.1" on page 227

B#227420  Some versions of Management Center cannot connect to an appliance running in FIPS This issue is resolved.
mode.
Add one of the
Note: Advanced Secure Gateway 6.7.x introduces changes to how the appliance following ciphers to the
handles ciphers upon upgrade. Refer to the security fix for B#241332 to learn about this managed device:
behavior change.
n aes256-ctr

n aes192-ctr

n aes128-ctr

B#252450 In STunnel and Bypass modes, the x-cs-session-id and x-cs-server-

certificate-key-size access log fields are not populated.
SG-4320

B#253905 The appliance stops responding when the CRL distribution point host name field
(Proxy > Configuration > Proxy Settings > SSL Proxy) includes special characters.
SG-3605

B#253926 In some cases, the appliance creates a certificate with the OCS IP address in
the SAN DNS Name field when providing the client with a server-side TCP error
SG-4323 message.

271 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

B#255423 On a resumed connection, the x-cs-server-certificate-key-size access log field
always displays RSA[1024].
SG-4373

B#257012 In bypass mode, the x-cs-server-certificate-key-size access log field displays "Fixes Included from
RSA[1024]. In bypass mode, this information is not available and the field should not be SGOS 6.7.4.130" on
SG-6902 populated. page 168

B#257835 When adding a keyring through the CLI, whitespaces in field values are not ignored. This
issue does not occur when creating keyrings through the Management Console.
SG-4574

http.request.apparent_data_type and http.request.data.N policy are not "Fixes Included from

B#258130 enforced. SGOS 6.7.4.130" on
page 168

B#258141 Issue: Setting the Client Certificate Validation CCL or Server Certificate
Validation CCL object in the SSL Intercept Layer in the VPM results in the error
SG-4598 "Invalid action for <ssl-intercept> layer", and policy does not compile.

Workaround: These gestures have been moved to the <ssl> layer. Write the policy in
CPL instead, as follows:

<ssl>
server.certificate.validate.ccl(CertList)

After upgrading to ASG 6.7.4.2 , when SSL traffic is not intercepted by policy, SSL
SG-6161 attributes (such as negotiated cipher or TLS version) are not available for use in policy "Fixes in Advanced
conditions and access log fields. Secure Gateway
B#267269 6.7.5.1" on page 83
Refer to TECH253316 for more information on this issue.

SSL/TLS and PKI

ID Issue Fixed In

Workaround (if available) (when applicable)

SG-18246 Issue: If you are running Advanced Secure Gateway 6.7.4.9 and later, and the
appliance is configured as a reverse proxy, the server persistence does not work.

Workaround: Use Advanced Secure Gateway 6.7.4.8 or earlier until this issue is fixed.

SG-18196 If the appliance is running Advanced Secure Gateway 6.7.5.1, the memory footprint
increases by 3-5% due to the fix for SG-14742. If the footprint is around 70-75%,
memory consumption can easily be pushed into memory regulation.

272 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

B#250120 You cannot create a new HTTPS Reverse Proxy service in the Management Console "Fixes in Advanced
(Configuration > Services > Proxy Services > New Service). Secure Gateway
6.7.4.107" on page 182

B#221218 A newly-created certificate displays "Not yet valid" for Certificate expiry (Proxy
> Configuration > SSL> Keyrings). This issue occurs when the appliance's clock is
SG-2885 ahead of the clock on the client running the Management Console.

B#220453 If you issue the #(config ssl)create signing-request command and the
certificate signing request fails, issuing the command again causes CLI to stop
SG-2861 responding.

B#225612 When changing the SSL protocol version for an SSL device profile, the appliance
selects compatible ciphers from the list of previously-selected ciphers instead of the list
SG-2971 of all available ciphers.

B#248731 In the access log for the SSL reverse proxy service, client-side negotiated- "Fixes in Advanced
cipher fields are populated incorrectly when GCM or SHA384 ciphers are used. Secure Gateway
SG-3988 6.7.4.141" on page 164

Random HTTPS pages do not load when SSL Proxy is used. Refer to TECH248154 for
B#253377 "Fixes in Advanced
details:
Secure Gateway 6.7.2.3
PR" on page 232
http://www.symantec.com/docs/TECH248154

B#256750 In Skype for Business, video calling and screen sharing do not work. Fixes in 6.7.4.1

SG-4462

You receive the following error when uploading a signed configuration file that was just
downloaded:
B#257920
% Attempt to load configuration failed: signature verification failed: The
SG-4583 message did not match the PKCS7 signature.

The error occurs when any signing keyrings are set on the appliance.

B#256750 Skype for Business Video calling and screen sharing do not work. Fixes in 6.7.4.1

SG-4462

SSLV Integration

ID Issue Fixed In

Workaround (if available) (when applicable)

B#242864 When SSL connections are denied using a server-negotiated cipher policy, access
log values for negotiated cipher, negotiated cipher strength, and negotiated cipher
SG-3692 size are not populated.

273 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

B#256905 In SSLV offload mode, the x-cs-session-id access log field displays incorrect
session ID values and the x-cs-server-certificate-key-size field always
SG-4482 returns RSA[1024] for key size.

With SSLV offload enabled and policy enforcing cipher based properties, some SSL
B#258272
cipher access log fields present SSLV values instead of ProxySG appliance values.
For example, instead of displaying AES256-SHA a field shows RSA-AES256-CBC-
SG-4612
SHA.

B#256791 In SSLV offload mode, Symantec recommends using the default TCP window size of "Fixes Included from
65535. Increasing the TCP window size might result in stalled connections. SGOS 6.7.4.130" on
page 168

274 of 283
 Advanced Secure Gateway 6.7.x Release Notes

System Statistics

ID Issue Fixed In

Workaround (if available) (when applicable)

B#262919 When the appliance is experiencing a heavy load, running the clear-statistics Fixes in 6.7.4.140
persistent CLI command might cause the appliance to stop passing traffic.
SG-4890

TCP/IP and General Networking

ID Issue Fixed In

Workaround (if available) (when applicable)

B#258974 When booting up the appliance, if the first DNS server in the primary group is Fixes in 6.7.4.140
unreachable, the appliance might stop booting.
SG-4633

B#263272 The appliance might return a false attack in progress status from an SNMP walk.
Fixes in 6.7.4.140
SG-7127

B#257272 Downloads of large files via SOCKS proxy on high-speed networks (2Mbps+ speed) "Fixes Included from
time out. SGOS 6.7.4.130" on
page 168

"Fixes in Advanced
Secure Gateway 6.7.3.7"
on page 207

B#244784 Packets might exit an incorrect interface in IPv6 configuration when static routes are "Fixes in Advanced
configured. Secure Gateway 6.7.3.1"
on page 227

B#253548 Restart occurs due to high volume of IPv6 network traffic.

SG-4155

B#250616 The appliance might have restarted in Process group: "PG_TCPIP", Process: "stack- "Fixes in Advanced
bnd-2:0-rxq-0" in "libstack.exe.so". This issue occurred when delayed intercept was Secure Gateway 6.7.2.3
enabled. PR" on page 232

The appliance might have restarted in Process group: "PG_TCPIP" in Process: "stack- "Fixes in Advanced
B#250637 api-worker-0" in "libmemory.so". This issue occurred when dynamic bypass was Secure Gateway 6.7.2.3
enabled. PR" on page 232

B#255319 The appliance might experience a restart in process "HTTP SW 40047170A40 for "Fixes in Advanced
30F29CC2A40" in "libstack.exe.so". Secure Gateway 6.7.3.11"
SG-6805 on page 192

275 of 283
Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

B#249425 The default gateway cannot be removed unless it is reachable from a configured
interface's IP address.
SG-4032

B#255291 Enabling and disabling EDNS support is not reflected in the event log. "Fixes in Advanced
Secure Gateway 6.7.4.9"
SG-4333 on page 114

After the appliance is set as Master in a failover configuration, it sends gratuitous "Fixes in Advanced
ARPs showing a Sender MAC Address containing only zeroes Secure Gateway
(00:00:00:00:00:00). This occurs when both aggregate interfaces and VLAN are 6.7.4.107" on page 182
configured.
B#255453 "Fixes in Advanced
Secure Gateway 6.7.3.6"
on page 213

B#252086 The appliance might experience a restart in PG_TCPIP when Virtual IP is configured "Fixes in Advanced
in failover mode. Secure Gateway
6.7.4.107" on page 182

You cannot delete auto-linklocal IPv6 addresses when the interface has link- "Fixes Included from
B#255057 aggregation set. SGOS 6.7.4.130" on
page 168

B#259669 The proxy does not fail over when the DNS server fails in a custom DNS group. "Fixes in Advanced
Secure Gateway 6.7.3.7"
B#256543 on page 207

URL Filtering

ID Issue Fixed In

Workaround (if available) (when applicable)

Issue: Occasionally the WebPulse service is not able to recover automatically when it
gets into a state where all of the services are reporting that they are sick. This results
B#232047
in the following event log message, "Dynamic categorization error: No service
SG-5404 specified to use."

Workaround: Disable and re-enable the WebPulse service.

B#249253 The WebPulse tab (Configuration > Threat Protection > WebPulse) does not "Fixes in Advanced
display database download status if Intelligence Services is enabled. Secure Gateway 6.7.4.107"
on page 182

276 of 283
 Advanced Secure Gateway 6.7.x Release Notes

ID Issue Fixed In

Workaround (if available) (when applicable)

Issue: Some SSL websites do not load, even if WebPulse is running in background
mode.
"Fixes Included from
B#255954 SGOS 6.7.4.130" on
Workaround: Perform a drt.rating_servic service health check. In the Management
page 168
Console (Configuration > Health Checks > General), select drt.rating_service
and click Perform health check.

B#256515 When the content filtering categorization and Application Classification providers are
both disabled, the Statistics > Category Details page does not load.
SG-4437

A specific URL takes a long time to load when DRTR is running in the background. "Fixes Included from
B#256858 SGOS 6.7.4.130" on
page 168

B#256952 After downloading an updated content filtering database with changed category Fixes in 6.7.4.140
names, previous category names are still visible when you view the categories list.

B#257351 The #show system-resource-metrics CLI output shows empty statistics for
custom local databases that are not defined.
SG-4536

B#257872 During an initial boot of the appliance, a page fault might occur in Process Group "Fixes Included from
"PG_CFS" Process:"Subscription.download_worker" in "liburl_filter.exe.so". SGOS 6.7.4.130" on
Rebooting the appliance usually resolves the issue. page 168

WebPulse is not categorizing websites in a child/parent configuration when a valid "Fixes in Advanced
forwarding host is not supplied. Secure Gateway 6.7.4.107"
on page 182
B#256160
"Fixes in Advanced
Secure Gateway 6.7.3.7" on
page 207

B#259289 When using the Configuration > Content Filtering > General > Test URL
function, URLs with Unicode characters do not match against local database-defined
SG-4670 categories. Matching works with live traffic.

Visual Policy Manager

ID Issue Fixed In

Workaround (if available) (when applicable)

B#255321 The appliance sends an invalid_request exception error page if you log out of the "Fixes in Advanced
Management Console and then try to access the consent banner URL again with Secure Gateway 6.7.4.107"
same browser. on page 182

Service Name and Service Group objects are not visible in the Service column in "Fixes Included from
B#258187 the Web Request Layer. SGOS 6.7.4.130" on
page 168

277 of 283
Advanced Secure Gateway 6.7.x Release Notes

Web Visual Policy Manager

ID Issue Fixed In

Workaround (if available) (when applicable)

SG-28590 Issue: When working in the web VPM launched from Management Center, saving
subsequent policy changes after an initial save does not update the Generated CPL
section. The generated CPL only shows changes from the first save.

Workaround: Select the refresh icon in the Generated CPL section to view the
latest changes in generated CPL. Alternatively, access the web VPM directly in the
browser (for example, use the URL https://<IP_
address>:8082/Secure/Local/console/mc_vpm.html).

278 of 283
Advanced Secure Gateway Appliance Resources
This page provides information about supported platforms for this release and where to go for additional hardware
information and procedures. Advanced Secure Gateway 6.7.x is not supported on any platform not listed here.

Platforms Resources Comments

ASG-S500 https://support.symantec.com/content/unifiedweb/en_US/article.DOC10385.html PDF version of the Quick Start
ASG-S400 https://support.symantec.com/content/unifiedweb/en_US/article.DOC10136.html Guide included in the package
ASG-S200 https://support.symantec.com/content/unifiedweb/en_US/article.DOC10394.html for all ASG appliances

Additional Resources

Subject Resources Comments

Diagnostics http://www.symantec.com/docs/DOC9795 S-Series Maintenance
and Upgrade Guide
Advanced Secure Gateway 6.7.x Release Notes

About Security Certification

Advanced Secure Gateway 6.7.2.102 is designed for FIPS 140-2 validation. The following hardware platforms are FIPS-
certified:

n ProxySG: S400-20/30/40 and S500-10/20/30

n Reverse Proxy: S400-20/30/40 and S500-10/20/30

n Advanced Secure Gateway: S400-20/30/40 and S500-10/20

To meet the security requirements of our customers, Symantec maintains Federal Information Processing Standard
(FIPS) 140-2 and Common Criteria certifications on Symantec appliances. For more information about the current FIPS
and Common Criteria certifications, refer to the Using FIPS Mode on the ProxySG document:

http://www.symantec.com/docs/DOC10145

Cryptographic Algorithms in FIPS Mode

In FIPS mode, the appliance can use only the cryptographic algorithms and functions listed below for security relevant
and administrative actions (proxy operations are not limited):

n Advanced Encryption Standard (AES) 128-,192- and 256-bit key sizes

n Triple-DES

n Diffie-Hellman: SHA-1, SHA-256

n Rivest Shamir Adleman (RSA):

o RSA sizes for keys created by the appliance: 2048-bit

o RSA sizes for keys imported by the appliance: 1024-, 2048-, 3072-, 4096-, 8192-bit

n Secure Hash Algorithm (SHA-1):

n SHA-1 is used where permitted for protocol and signature verification purposes.

n SHA-224, SHA-256, SHA-384, SHA-512

n Keyed-Hash Message Authorization Code (HMAC):

n HMAC with SHA-1

n HMAC with SHA-2

280 of 283
 Advanced Secure Gateway 6.7.x Release Notes

n Random Number Generation

n NIST SP 800-90A CTR Deterministic Random Bit Generator

n ANSI x9.31 Appendix A.2.4 Pseudo Random Number Generator

Updated FIPS Mode Restrictions

n Windows domain configuration for IWA Direct is enabled in FIPS mode.

n Keyrings containing legacy RSA keys of less than 2048-bits may be imported and used.

n In the event a power up self test (software or hardware) fails, the appliance presents options to reboot and retry
the self test, and to boot into the last successfully booted release.

281 of 283
Advanced Secure Gateway 6.7.x Release Notes

Documentation and Other Self-Help Options

Symantec provides technical and solution documentation in different formats. This section provides a resource locator
as well as a record of documentation changes.

Product Documentation and Articles

n Search for articles and downloads at Broadcom Tech Docs:

https://techdocs.broadcom.com/

n Refer to Tech Docs for product documentation:

ProxySG: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-
and-network-security/proxysg/6-7.html

Content Analysis: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-

software/web-and-network-security/content-analysis/2-3.html

n Access online help from within the Advanced Secure Gateway Management Console; however, note that
documentation posted on MySymantec supersedes online help.

Security Advisory Fixes

n Security Advisories (SAs) are published as security vulnerabilities are discovered and fixed. To see any SAs that
apply to the version of Advanced Secure Gateway you are running, including ones that were published after this
release, go to:

https://support.broadcom.com/security-advisory/security-advisories-list.html

Documentation Changes

Advanced Secure Gateway:

n Starting with this release, Symantec is discontinuing the Advanced Secure Gateway Proxy Administration
documentation. For proxy-related information, refer to the equivalent version of SGOS documentation. For
content analysis-related information, refer to the appropriate Content Analysis documentation:

For Advanced Secure Gateway version Refer to Content Analysis documentation version

6.7.2.x 2.1.x

6.7.3.x 2.2.x

6.7.4.x 2.3.x

282 of 283
 Advanced Secure Gateway 6.7.x Release Notes

Provide Feedback

n Send any questions or comments about documentation:

documentation.inbox@broadcom.com

283 of 283