ProxySG-7391 Release Notes

SGOS 7.x Release Notes
July 15, 2022

Table of Contents
SGOS Release Index and Maintenance Streams..............................................................................5
SGOS 7.3.9.1 GA.................................................................................................................................. 6
Features in SGOS 7.3.9.1................................................................................................................................................ 7
Fixes in SGOS 7.3.9.1.................................................................................................................................................... 10
SGOS 7.3.8.2 PR.................................................................................................................................13
Fixes in SGOS 7.3.8.2.................................................................................................................................................... 15
SGOS 7.3.8.1 GA................................................................................................................................ 16
Features in SGOS 7.3.8.1.............................................................................................................................................. 18
Fixes in SGOS 7.3.8.1.................................................................................................................................................... 21
SGOS 7.3.7.1 GA................................................................................................................................ 25
Features in SGOS 7.3.7.1.............................................................................................................................................. 27
Fixes in SGOS 7.3.7.1.................................................................................................................................................... 28
SGOS 7.3.6.4 PR.................................................................................................................................33
Fixes in SGOS 7.3.6.4.................................................................................................................................................... 34
SGOS 7.3.6.3 PR.................................................................................................................................36
Fixes in SGOS 7.3.6.3.................................................................................................................................................... 37
SGOS 7.3.6.1 GA................................................................................................................................ 39
Features in SGOS 7.3.6.1.............................................................................................................................................. 40
Fixes in SGOS 7.3.6.1.................................................................................................................................................... 42
SGOS 7.3.5.2 PR.................................................................................................................................45
Features in SGOS 7.3.5.2.............................................................................................................................................. 46
Fixes in SGOS 7.3.5.2...................................................................................................................................................46
SGOS 7.3.5.1 GA................................................................................................................................ 48
Features in SGOS 7.3.5.1.............................................................................................................................................. 49
Fixes in SGOS 7.3.5.1...................................................................................................................................................52
SGOS 7.3.4.1 GA................................................................................................................................ 55
Features in SGOS 7.3.4.1.............................................................................................................................................. 56
Fixes in SGOS 7.3.4.1...................................................................................................................................................62
SGOS 7.3.3.3 PR.................................................................................................................................66
Fixes in SGOS 7.3.3.3...................................................................................................................................................67
SGOS 7.3.3.2 PR.................................................................................................................................68
Fixes in SGOS 7.3.3.2.................................................................................................................................................... 69
SGOS 7.3.3.1 GA.................................................................................................................................71
Features in SGOS 7.3.3.1.............................................................................................................................................. 72


Fixes in SGOS 7.3.3.1.................................................................................................................................................... 74


SGOS 7.3.2.1 GA.................................................................................................................................77
Features in SGOS 7.3.2.1.............................................................................................................................................. 78
Fixes in SGOS 7.3.2.1.................................................................................................................................................... 83
SGOS 7.3.1.1 GA.................................................................................................................................88
Features in SGOS 7.3.1.1.............................................................................................................................................. 89
Fixes in SGOS 7.3.1.1.................................................................................................................................................... 95
SGOS 7.2.8.1 GA................................................................................................................................ 98
Features in SGOS 7.2.8.1.............................................................................................................................................. 99
Fixes in SGOS 7.2.8.1.................................................................................................................................................. 102
SGOS 7.2.7.2 PR...............................................................................................................................105
Fixes in SGOS 7.2.7.2.................................................................................................................................................106
SGOS 7.2.7.1 GA.............................................................................................................................. 107
Features in SGOS 7.2.7.1............................................................................................................................................ 108
Fixes in SGOS 7.2.7.1.................................................................................................................................................109
SGOS 7.2.6.1 GA.............................................................................................................................. 112
Features in SGOS 7.2.6.1............................................................................................................................................ 113
Fixes in SGOS 7.2.6.1.................................................................................................................................................. 115
SGOS 7.2.5.1 GA.............................................................................................................................. 117
Features in SGOS 7.2.5.1............................................................................................................................................ 118
Fixes in SGOS 7.2.5.1.................................................................................................................................................. 121
SGOS 7.2.4.1 GA.............................................................................................................................. 123
Features in SGOS 7.2.4.1............................................................................................................................................ 124
Fixes in SGOS 7.2.4.1.................................................................................................................................................. 127
SGOS 7.2.3.2 PR...............................................................................................................................131
Fixes in SGOS 7.2.3.2.................................................................................................................................................. 132
SGOS 7.2.3.1 GA.............................................................................................................................. 134
Features in SGOS 7.2.3.1............................................................................................................................................ 135
Fixes in SGOS 7.2.3.1.................................................................................................................................................. 136
SGOS 7.2.2.1 GA.............................................................................................................................. 139
Features in SGOS 7.2.2.1............................................................................................................................................ 140
Fixes in SGOS 7.2.2.1.................................................................................................................................................. 142
SGOS 7.2.1.1 GA.............................................................................................................................. 148
Features in SGOS 7.2.1.1............................................................................................................................................ 149
Fixes in SGOS 7.2.1.1.................................................................................................................................................. 163
SGOS 7.2.0.1 EA............................................................................................................................... 165
Features in SGOS 7.2.0.1............................................................................................................................................ 166
Fixes in SGOS 7.2.0.1.................................................................................................................................................. 167


SGOS 7.1.1.1 EA...............................................................................................................................169


Features in SGOS 7.1.1.1............................................................................................................................................ 170
SGOS 7.x Reference Information................................................................................................... 172
Security Advisory Fixes in SGOS 7.x........................................................................................................................ 172
Web Visual Policy Manager Fixes in SGOS 7.x........................................................................................................173
Known Issues in SGOS 7.x.........................................................................................................................................176
Limitations in SGOS 7.x.............................................................................................................................................. 180
About the ProxySG Admin Console.......................................................................................................................... 181
Documentation and Feedback.................................................................................................................................... 182
Documentation Legal Notice.......................................................................................................... 183


SGOS Release Index and Maintenance Streams


The following table illustrates the relationship between various 7.x and 6.7.x releases to clarify what fixes and features
each 7.x release contains.
The Base Version column indicates which software release was used as a starting point for the GA release. The
Maintenance Release Parity column indicates which releases the GA release is similar to in terms of bug fixes and
features.

GA or PR Release   Base Version   Maintenance Release Parity
7.3.9.1            7.3.8.2        6.7.5.18
7.3.8.1 *          7.3.7.1        6.7.5.17
7.3.7.1            7.3.6.1        6.7.5.16
7.3.6.1            7.3.5.1        6.7.5.14
7.3.5.1            7.3.4.1        6.7.5.13, 7.2.8.1
7.3.4.1            7.3.3.1        6.7.5.12, 7.2.7.2
7.3.3.1            7.3.2.1        6.7.5.10, 7.2.6.1
7.3.2.1            7.3.1.1        6.7.5.9, 7.2.5.1
7.3.1.1            7.2.3.1        6.7.5.7
7.2.8.1            7.2.7.1        6.7.5.13, 7.3.4.1
7.2.7.1            7.2.6.1        6.7.5.11
7.2.6.1            7.2.5.1        6.7.5.10
7.2.5.1            7.2.4.1        6.7.5.9
7.2.4.1            7.2.3.1        6.7.5.8
7.2.3.1            7.2.2.1        6.7.5.7
7.2.2.1            7.2.1.1        6.7.5.6
7.2.1.1            6.7.5.2        7.1.1.1, 7.2.0.1

* 7.3.8.1 is no longer available. This release is replaced by SGOS 7.3.8.2.

Information About All 7.x Releases


• Security Advisory Fixes in SGOS 7.x
• Web Visual Policy Manager Fixes in SGOS 7.x
• Known Issues in SGOS 7.x
• Limitations in SGOS 7.x
• About the ProxySG Admin Console
• Documentation and Feedback


SGOS 7.3.9.1 GA
Release Information
• Release Date: July 13, 2022
• Build Number: 275996

Supported Platforms
• ProxySG hardware appliances: S200, S400, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
• Gen3 ProxySG virtual appliances for GCP and ISG Enterprise VA deployments: ISG-Proxy-VA-100, ISG-Proxy-VA-200
• Integrated Secure Gateway hardware appliances: SSP-S210, SSP-S410
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 11.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you
begin upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• Upon upgrading to 7.3.x, malware scanning is replaced with Symantec Access Security Policy and Content Security
Policy. For information, see Using Policy Services in the ProxySG administration documentation.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8-sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.3.9.1


• SGOS 7.3.9.1 includes features and enhancements. See Features in SGOS 7.3.9.1.

Fixes in ProxySG 7.3.9.1


• This release includes fixes. See Fixes in SGOS 7.3.9.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.9.1


SGOS 7.3.9.1 introduces the following new features and changes.

Deploy ProxySG VAs on VMware with ZTP


You can now deploy a ProxySG VA on VMware using ZTP.


More information:
• ZTP Deployment Guide

New Integrated Secure Gateway ProxySG Virtual Appliance Package for Microsoft Hyper-V
A new ProxySG virtual appliance package for the Integrated Secure Gateway (ISG) license is available to download from
the Broadcom Support Portal and to deploy on Microsoft Hyper-V.
More information:
• ISG ProxySG VA on Hyper-V Deployment Guide

New Integrated Secure Gateway ProxySG Virtual Appliance Package for KVM
A new ProxySG virtual appliance package for the Integrated Secure Gateway (ISG) license is available to download from
the Broadcom Support Portal and to deploy on Linux Kernel-based Virtual Machine (KVM).
More information:
• ISG ProxySG VA on KVM Deployment Guide

Layer 2 Transparent Support on Integrated Secure Gateway


The ProxySG appliance now supports Layer 2 (L2) transparent deployment when running as an application on Integrated
Secure Gateway (ISG). To enable bridging, the ISG must be running 2.4.3.1 or later, and the ProxySG application must be
running 7.3.9.1 or later.
L2 bridging support includes the following behavior changes or new behaviors:

For each item below, "ProxySG appliance" describes the behavior on ProxySG appliances, and "ProxySG on ISG"
describes the behavior when running ProxySG 7.3.9.1+ applications on ISG 2.4.3.1+ (if applicable).

• Bridge types
– ProxySG appliance: The ProxySG appliance supports hardware and software bridges.
– ProxySG on ISG: Hardware bridging support is new in this release. Enable hardware bridges on the ISG. The
bridges are populated automatically in the ProxySG application. Software bridges are not supported. Any existing
software bridges created in previous versions of the ProxySG application on ISG are automatically removed upon
upgrade.
• Bridge labels
– ProxySG appliance: Hardware bridges have default labels of WAN/LAN.
– ProxySG on ISG: Bridges are not labeled by default.
• Failover mode and link failure propagation
– ProxySG appliance: Configure a bridge's failover mode and link failure propagation settings on the ProxySG
appliance:
# (config bridge bridge_name) failover mode {parallel | serial}
# (config bridge bridge_name) propagate-failure {enable | disable}
– ProxySG on ISG: Change a bridge's failure mode or link failure propagation settings on the ISG.
• Reject inbound
– ProxySG appliance: Reject inbound is enabled by default on WAN/LAN interfaces. Enable reject inbound on the
externally-facing interface:
# (config interface interface) reject-inbound enable
– ProxySG on ISG: Reject inbound is disabled by default.

NOTE
To configure bridging on the ISG, refer to ISG documentation:
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/integrated-secure-gateway/2-4.html

License and Usage Telemetry Reporting


This release allows you to collect and send telemetry data to Broadcom. This feature is enabled by default. If you cannot
send usage data automatically, you can enter the data manually at the Broadcom Support Portal. For more information,
refer to Usage Data (Telemetry).
To support this feature, new #(config telemetry) commands have been added.
More information:
• Usage Data (Telemetry)
• Command Line Interface Reference

Web Visual Policy Manager Warns of Duplicate User Objects in Migrated Policy
The legacy VPM allows case-sensitive User object names, such as Bkent, bkent, and bKent. The Web VPM does not
allow case-sensitive User object names; for example, if a User object named BKent already exists, you cannot create a
User object named bKent. As a result, when you use the Web VPM to edit policy that was created in the legacy VPM, the
Web VPM considers any existing User objects whose names differ only in letter case to be duplicates.
Starting in this release, the Web VPM displays a warning when you click Edit to change an existing User object to another
object that has a duplicate.
To support this feature, the Web VPM allows you to filter the objects in the following areas:
• The All Objects dialog (Operations > View All Objects).
• The Set <object_type> Object dialog.
To filter objects, select Filter By and select one of the following options:
• None: (Default) No filter; the dialog displays all applicable objects.
• Duplicates: The dialog displays duplicate objects.
• Unused: The dialog displays objects that are configured but not included in any policy rules or objects.
NOTE
In a future release, the Web VPM will facilitate resolving duplicate objects without affecting policy operation.
To receive updates about this feature, subscribe to KB244059 and refer to the SGOS Release Notes for future
releases.
More information:
• Web VPM warns "User already exists" but I can't edit the user (KB244059)
• Web Visual Policy Manager documentation

Health Check Policy Enhancement


The health_check= condition now supports pattern matches and case sensitivity to test more selectively for health
check names:
health_check[.string_modifier][.case_sensitive|.case_insensitive]=[user.]health_check_name

Supported modifiers are exact, prefix, regex, substring, and suffix. Refer to the CPL documentation for more
information on the modifiers and how to use them in policy.
You can still test whether the current transaction is for any health check, or for a specific health check, using
health_check={yes|no}.


More information:
• Content Policy Language Reference
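As an added illustration (not taken from the release notes or the CPL Reference), the following policy uses the new modifiers to match the appliance's own health-check transactions by name; the health check names (user.icap-primary, user.icap-backup), the layer choice and the actions are assumptions, so confirm them against the Content Policy Language Reference before installing anything like it.

```cpl
; Added example, not from the release notes. Check names, layer and actions are
; assumptions; verify the condition semantics in the CPL Reference.
<proxy>
    ; Case-insensitive prefix match: covers user.icap-primary, user.ICAP-Backup, ...
    ; Skip authentication for the appliance's own checks to the ICAP services.
    health_check.prefix.case_insensitive="user.icap-" authenticate(no)

    ; Default form: exact, case-sensitive match on one named health check.
    ; Trace only this check's requests when troubleshooting the backup service.
    health_check="user.icap-backup" trace.request(yes)

    ; Regex match on any user-defined check whose name ends in a two-digit number.
    health_check.regex="^user\..*[0-9]{2}$" trace.request(yes)
```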

'Service Request' Updated to 'Case Number' in User Interfaces


The ProxySG Management Console, Admin Console, and command line interface (CLI) now use the current term for
support cases.

Previous term       Current term
service request (SR)   case
SR number              case number

For example, the command # (config service-info) periodic sr-number sr_number is now changed to
# (config service-info) periodic case-number case_number.
More information:
• ProxySG Administration
• ProxySG Admin Console
• Command Line Interface Reference

Fixes in SGOS 7.3.9.1


SGOS 7.3.9.1 includes the following bug fixes. This release:

Table 1: Access Logging

ID Issue

SG-29738 Fixes an issue where Kafka access logging had high memory usage.

Table 2: Authentication

ID Issue

SG-26327 Fixes an issue where authenticating from a SAML realm without client redirects to a SAML realm with client
redirects failed with a configuration error.
SG-31652 Fixes an issue where an error incorrectly indicated that SAML assertions were not encrypted. This issue
occurred only when Require encryption was enabled in SAML realm configuration.
SG-31984 Fixes an issue where SAML stopped working with Chromium-based browsers (Chrome, Edge, Chromium, etc.)
due to blank (space) characters between the cookie parameters.
SG-31405 Fixes an issue where changing a member realm within a sequence realm after installing authentication policy
resulted in an authentication error.
SG-31006 Fixes an issue where a page fault occurred in PG_POLICY_HTTP and the event log contained LDAP
authentication errors.
SG-31809 Fixes an issue where a page fault occurred in PG_CFG_PROPRIETOR in process: "IWA Onbox Domain Trust
Refresher".
SG-32045 Fixes realm configuration issues that occurred after deleting policy that referenced a sequence realm with a
Windows SSO member realm.


Table 3: DNS Proxy

ID Issue

SG-30851 Fixes an issue where the appliance replied to DNS queries with the correct IP address and TTL=0.

Table 4: HTTP Proxy

ID Issue

SG-31525 Fixes an issue where the appliance stopped responding when the appliance processed an ICAP RESPMOD with
a header value greater than 8 KB.

Table 5: IPv6 Stack and IPv6 Proxies

ID Issue

SG-31698 Fixes an issue where the appliance experienced a restart in process "stack-bnd-2:0-rxq-0" in "libstack.exe.so".

Table 6: Legacy Visual Policy Manager

ID Issue

SG-30905 Fixes an issue where policy could not be installed using the legacy VPM when policy included Notify User
objects.

Table 7: MAPI Proxy

ID Issue

SG-30723 Fixes an issue where ROP_GET_PER_USER_LONG_TERM_IDS request parsing failed due to the GUID value
being read incorrectly.

Table 8: Reverse Proxy

ID Issue

SG-31076 Fixes an issue where reverse proxy traffic had latency of 5-15 seconds. This issue occurred with
session-cache-clientmap enabled and HTTP configuration set to http no persistent server. The issue
was caused by unnecessary checks during cache insertion and removal that degraded performance under heavy
load.

Table 9: SNMP

ID Issue

SG-30952 Fixes an issue where event logs showed SNMP errors "Getting ipV4 vlan information for <interface> failed".


Table 10: SSH Proxy

ID Issue

SG-31624 Fixes an issue where the appliance experienced a page fault in PG-SSH and process "admin@ssh".

Table 11: TCP/IP and General Networking

ID Issue

SG-31420 Fixes an issue where enabling IP forwarding (IPv4/IPv6) disabled the stack's LRO (Large Receive Offload) for all
flows (whether they were forwarded or not), preventing some performance gains provided by LRO.
SG-20236 Fixes an issue where the appliance experienced a restart due to a socket allocation failure.
SG-31640 Fixes an issue where the appliance experienced a restart because a cached packet was for a terminated
connection (in TIME_WAIT), causing the appliance to lose track of the listening socket to which a SYN needed to
be sent.
SG-31670 Fixes an issue where the appliance experienced a restart and prompted you to select an image to load after the
reboot.
SG-31513 Fixes an issue where the appliance experienced a page fault due to a corrupted heap.
SG-31175 Fixes an issue where the appliance experienced a page fault in PG_TCPIP in process: "stack-ip-forward".
SG-31804 Fixes an issue where the passthru interface was configured for spanning tree participation (STP) even though
the interface was disabled.
SG-29829 Fixes an issue where the appliance experienced a page fault in PG_TCPIP in process: "cookie-monster" in
"libstack.exe.so".


SGOS 7.3.8.2 PR
Release Information
• Release Date: June 7, 2022
• Build Number: 274167
IMPORTANT
This patch release (PR) includes a critical fix and replaces SGOS 7.3.8.1 released on May 11, 2022. If you are
running version 7.3.8.1, upgrade to version 7.3.8.2 to apply the fix. See Fixes in SGOS 7.3.8.2 for information.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
• Gen3 ProxySG virtual appliances for GCP and ISG Enterprise VA deployments: ISG-Proxy-VA-100, ISG-Proxy-VA-200
• Integrated Secure Gateway hardware appliances: SSP-S210, SSP-S410
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 11.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you
begin upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• Upon upgrading to 7.3.x, malware scanning is replaced with Symantec Access Security Policy and Content Security
Policy. For information, see Using Policy Services in the ProxySG administration documentation.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.3.8.2


• SGOS 7.3.8.2 includes the features and enhancements introduced in version 7.3.8.1. See Features in SGOS 7.3.8.1.

Fixes in ProxySG 7.3.8.2


• This release includes the fixes introduced in version 7.3.8.1 as well as a critical fix. See Fixes in SGOS
7.3.8.1 and Fixes in SGOS 7.3.8.2.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Fixes in SGOS 7.3.8.2


SGOS 7.3.8.2 includes the following bug fix, as well as the fixes included in version 7.3.8.1.

Table 12: Kernel

ID Issue

SG-31689 Fixes an issue where kernel lock changes caused the appliance stop responding.

SGOS 7.3.8.1 GA

Release Information
• Release Date: May 11, 2022
• Build Number: 273000
IMPORTANT
This release is no longer available for download. To apply the changes and fixes from this release, upgrade to
SGOS 7.3.8.2, which includes a critical fix. See Fixes in SGOS 7.3.8.2 for information.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
• Gen3 ProxySG virtual appliances for GCP and ISG Enterprise VA deployments: ISG-Proxy-VA-100, ISG-Proxy-VA-200
• Integrated Secure Gateway hardware appliances: SSP-S210, SSP-S410
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you
begin upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• Upon upgrading to 7.3.x, malware scanning is replaced with Symantec Access Security Policy and Content Security
Policy. For information, see Using Policy Services in the ProxySG administration documentation.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.3.8.1


• SGOS 7.3.8.1 introduces new features and enhancements. See Features in SGOS 7.3.8.1.

Fixes in ProxySG 7.3.8.1


• This release includes a number of fixes. See Fixes in SGOS 7.3.8.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.8.1


SGOS 7.3.8.1 introduces the following new features and changes.

SSL/TLS Version Controls for SSL Forward Proxy


In the ProxySG Admin Console, you can specify a range of SSL/TLS versions to use for all
intercepted SSL connections. In the SSL Version Controls section (Configuration > Services > SSL Proxy Settings),
select minimum and maximum SSL/TLS protocol versions for client connections and server connections.
Alternatively, use the CLI. Set the minimum version and maximum version of the SSL/TLS protocol to use for client
connections:
# (config ssl) proxy client-ssl-version-range <minimum_version> <maximum_version>

Set the minimum version and maximum version of the SSL/TLS protocol to use for server connections:
# (config ssl) proxy server-ssl-version-range <minimum_version> <maximum_version>

To control the SSL/TLS versions used for specific transactions instead of using the global command, add the
following Action VPM objects to policy:
• Set Client Min Max SSL Version
• Set Server Min Max SSL Version
Alternatively, use the CPL properties associated with these VPM objects:
• client.connection.min_ssl_version()
• client.connection.max_ssl_version()
• server.connection.min_ssl_version()
• server.connection.max_ssl_version()
Prior to this release, the SSL/TLS version used for intercepted SSL connections was the highest version supported by the
appliance, the client, and the server. This behavior is the same as using the preserve option, which is the default setting.
More information:
• ProxySG Admin Console
• Command Line Interface Reference
• Web Visual Policy Manager Reference
• Content Policy Language Reference
• Security Best Practices

X.509v3 Enhancements for Self-Signed Certificates and Certificate Signing Requests


When creating self-signed certificates and certificate signing requests (CSRs) through the Admin Console, you can
specify values for the following extensions:
• Subject Alternative Name
• Basic Constraints
• Key Usage
• Extended Key Usage
Refer to the following CLI example for usage:
#(config ssl)create signing-request ssl_proxy_issuer_keyring c US cn "My SSL Proxy" bc CA:TRUE ku digitalSignature,keyCertSign eku serverAuth,clientAuth

You can also set a "critical" flag for these attributes to indicate that OpenSSL must enforce using the attribute for your
security needs. Refer to the Command Line Interface for more information.
More information:
• Command Line Interface Reference
• ProxySG Admin Console

Separate Event Logging Configuration for Email and Syslog


Previous SGOS releases allowed you to select event logging levels that applied to all events for Syslog and email. Now,
you can select different event logging levels for Syslog and email, as well as use event IDs to specify overrides to the
default logging level.
To support this feature, the following commands are deprecated:
# (config event-log) level <level>
# (config event-log) syslog {enable | disable}
Use the following new commands to configure and view event log notification settings:
# (config event-log notifications) <subcommands>
# show event-log notifications
You can also use the ProxySG Admin Console (Administration > Logging > Event Logging) to configure the logging
behavior.
More information:
• ProxySG Admin Console
• Command Line Interface Reference

Recognition of Specific CAB Data Types in HTTP Responses


The http.response.apparent_data_type=<data_type> condition now supports matching for specific CAB file
types:
• MSCAB : MS Cab archive
• ISCAB : InstallShield archive
The existing CAB type previously matched MS Cab only; now you can use it to match both MSCAB and ISCAB.
More information:
• Content Policy Language Reference
• SGOS 7.3.x Upgrade/Downgrade
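As an added illustration of the distinction this condition draws (example code written for these notes, not ProxySG code or CPL), the following Python classifier recognises the two cabinet flavours by their leading signature bytes and reproduces the matching rule that CAB covers both while MSCAB and ISCAB each match exactly one. The MSCF and ISc( signatures are taken from the respective file formats rather than from this page, and the sample response bodies are constructed.

```python
"""Content-based CAB archive recognition.

Added example (not ProxySG code): models the distinction the
http.response.apparent_data_type= condition draws between MSCAB and ISCAB,
and the broader CAB type that matches either. The signatures are the
leading magic bytes of each container format (assumption: taken from the
formats, not from the release notes); the sample payloads are constructed.
"""
from typing import List, Optional, Tuple

MSCAB_MAGIC = b"MSCF"   # Microsoft cabinet header signature
ISCAB_MAGIC = b"ISc("   # InstallShield cabinet header signature

# Map from specific type to the generic family it belongs to.
CAB_FAMILY = {"MSCAB": "CAB", "ISCAB": "CAB"}


def apparent_cab_type(body: bytes) -> Optional[str]:
    """Return "MSCAB", "ISCAB", or None based on the leading bytes only.

    Only the first four bytes are inspected, so a response can be classified
    from the start of the body before the whole object has been received,
    and independently of the Content-Type header the server claimed.
    """
    head = body[:4]
    if head == MSCAB_MAGIC:
        return "MSCAB"
    if head == ISCAB_MAGIC:
        return "ISCAB"
    return None


def matches_data_type(body: bytes, wanted: str) -> bool:
    """Emulate apparent_data_type=<wanted> matching for the CAB family.

    "CAB" matches either cabinet flavour; "MSCAB" and "ISCAB" each match
    exactly one. Anything that is not a cabinet never matches.
    """
    found = apparent_cab_type(body)
    if found is None:
        return False
    return wanted == found or wanted == CAB_FAMILY[found]


def classify_responses(responses: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, str]]:
    """Classify (description, content_type, body) tuples.

    Returns (description, claimed Content-Type, apparent type) so that a
    mismatch between what the server claimed and what the bytes are is
    visible; that mismatch is the reason content-based matching exists.
    """
    out = []
    for desc, ctype, body in responses:
        out.append((desc, ctype, apparent_cab_type(body) or "none"))
    return out


# Constructed sample bodies: real headers are longer, but the signature is
# all the classifier needs.
SAMPLES = [
    ("ms cabinet served as octet-stream", "application/octet-stream",
     MSCAB_MAGIC + b"\x00" * 32),
    ("installshield cabinet served as text", "text/plain",
     ISCAB_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 28),
    ("plain text", "text/plain", b"hello world"),
]

if __name__ == "__main__":
    for desc, ctype, kind in classify_responses(SAMPLES):
        print(f"{desc:40s} Content-Type={ctype:24s} apparent={kind}")
```

The second sample shows why the check is on content rather than on the claimed Content-Type: an InstallShield cabinet labelled text/plain still classifies as ISCAB, and therefore as CAB.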

Threat Detection Notification VPM Objects


SGOS 7.3.4.1 introduced CPL to trigger ICAP notifications based on content in ICAP-scanned requests and
responses. For more information, see "ProxySG ICAP Enhancements" in Features in SGOS 7.3.4.1. Version 7.3.8.1 adds
the following new Service VPM objects for the gestures:
• Request Threat Detected: (Static object) Specifies whether threat scanning detected a threat in the request.
CPL condition: request.icap.threat_detected=
• Response Threat Detected: (Static object) Specifies whether threat scanning detected a threat in the response.
CPL condition: response.icap.threat_detected=
• Request Threat Info: Specifies whether threat scanning detected a specific type of threat in the request.
CPL conditions: request.icap.threat_id= , request.icap.threat_id.exists= , request.icap.threat_details= ,
request.icap.threat_details.exists= , request.icap.threat_source= , and request.icap.threat_source.exists=
• Response Threat Info: Specifies whether threat scanning detected a specific type of threat in the response.
CPL conditions: response.icap.threat_id= , response.icap.threat_id.exists=
, response.icap.threat_details= , response.icap.threat_details.exists= ,
response.icap.threat_source= , and response.icap.threat_source.exists=
These objects are available in the Web Access Layer and Web Request Layer.
More information:
• Web Visual Policy Manager Reference

ProxySG Admin Console 1.2.4.1


The following features are available in the ProxySG Admin Console:
• Configure Certificate Revocation Lists (CRLs) to check certificates against CA-provided lists of invalid and expired
certificates (Configuration > SSL > CRLs).
• You can create self-signed certificates and certificate signing requests (CSRs) with the extensions described in the
"X.509v3 Enhancements for Self-Signed Certificates and Certificate Signing Requests" feature above. When viewing
the certificate, the extensions are displayed in an Extensions section (Configuration > SSL > CA Certificates).
• Import external certificates, for which Symantec does not have the private key, to the appliance and manage external
certificate lists (Configuration > SSL > External Certificates).
• Specify a range of SSL/TLS versions to use for all intercepted SSL connections (Configuration > Services
> SSL Proxy Settings). See the "SSL/TLS Version Controls for SSL Forward Proxy" feature above.
To support this feature, when configuring the SSL client, device profile, reverse proxy listener service,
and HTTPS management service, you must specify a contiguous range of SSL/TLS versions (for example, TLSv1.1,
v1.2, and v1.3). If you specify only TLSv1.3 and v1.1, for example, you receive an error "SSL versions must be
contiguous" and cannot save the configuration.
• Keep the central policy file up to date by automatically downloading a new file when it is updated, and receiving email
notifications in the event of a policy file change. You can view and update policy files on the appliance and view the
policy source (Configuration > Policy > Policy Options).
• Enable SNMP functionality on the appliance and configure SNMPv1, SNMPv2c, or SNMPv3 to monitor network
devices for health or status conditions (Administration > SNMP > SNMP).
• View and edit settings for system, licensing, status, and subscription metrics (Administration > Health Checks and
Monitoring > Health Monitoring).
• Configure global event logging settings such as maximum event log file size, SMTP server, and Syslog loghosts.
You can also select different event logging levels for Syslog and email and specify overrides as described in the
"Separate Event Logging Configuration for Email and Syslog" feature above (Administration > Logging > Event
Logging).
• Perform routine and troubleshooting tasks such as restart, shutdown, clearing caches, and resetting the system
(Administration > General > Task
The System Image Catalog (Administration > Systems > Software System Images) is updated:
• The list of system images now shows the index number for each system.
• The Signed column has been removed from the list (all system images are signed).
More information:
• ProxySG Admin Console
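The following Python model is an added example, not ProxySG code, covering two points from these notes: the minimum/maximum version range described under "SSL/TLS Version Controls for SSL Forward Proxy" (compared with the earlier preserve behaviour of taking the highest version the appliance and the peer both support), and the Admin Console rule above that a selected set of versions must be contiguous. The version names, the appliance's supported set and the peer offers are assumptions made for the model; the appliance's actual handshake logic is not reproduced here.

```python
"""Model of SSL/TLS version-range enforcement for intercepted connections.

Added example, not ProxySG code. It models the pre-7.3.8.1 "preserve"
behaviour (highest version that the appliance and the peer both support)
and the bounded min/max range, plus the Admin Console rule that a selected
set of versions must be contiguous. Version names, the supported set and
the peer offers are assumptions for this model.
"""
from typing import Dict, Iterable, Optional, Tuple

# Ordered from weakest to strongest.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
RANK = {v: i for i, v in enumerate(VERSIONS)}

# Versions this model's appliance supports (assumption for the example).
APPLIANCE_SUPPORTED = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def contiguous_range(selected: Iterable[str]) -> Tuple[str, str]:
    """Return (min, max) for a selected version set, rejecting gaps.

    Mirrors the "SSL versions must be contiguous" rule: TLSv1.1 and
    TLSv1.3 without TLSv1.2 is an error; TLSv1.1 through TLSv1.3 is fine.
    """
    ranks = sorted(RANK[v] for v in set(selected))
    if not ranks:
        raise ValueError("at least one SSL/TLS version must be selected")
    if ranks != list(range(ranks[0], ranks[-1] + 1)):
        raise ValueError("SSL versions must be contiguous")
    return VERSIONS[ranks[0]], VERSIONS[ranks[-1]]


def negotiate(peer_offers: Iterable[str],
              min_version: Optional[str] = None,
              max_version: Optional[str] = None) -> Optional[str]:
    """Pick the version for one side of an intercepted connection.

    With no bounds this is the "preserve" behaviour: the highest version
    supported by both the appliance and the peer. With bounds, candidates
    outside [min_version, max_version] are discarded, so a peer that only
    offers versions below the floor gets no match (None = handshake refused)
    instead of silently being served an old protocol version.
    """
    lo = RANK[min_version] if min_version else 0
    hi = RANK[max_version] if max_version else len(VERSIONS) - 1
    if lo > hi:
        raise ValueError("minimum version is above maximum version")
    candidates = [
        v for v in peer_offers
        if v in APPLIANCE_SUPPORTED and lo <= RANK[v] <= hi
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda v: RANK[v])


def scenario_report() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Compare preserve vs. a TLSv1.2 floor for a few constructed peers."""
    peers = {
        "modern client": ["TLSv1.2", "TLSv1.3"],
        "legacy client": ["TLSv1", "TLSv1.1"],
        "mixed server": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    }
    rows = {}
    for name, offers in peers.items():
        rows[name] = (negotiate(offers),                        # preserve
                      negotiate(offers, "TLSv1.2", "TLSv1.3"))  # bounded
    return rows


if __name__ == "__main__":
    print("selected range:", contiguous_range(["TLSv1.1", "TLSv1.2", "TLSv1.3"]))
    for name, (preserve, bounded) in scenario_report().items():
        print(f"{name:14s} preserve={preserve}  floor TLSv1.2={bounded}")
```

The report makes the security effect of a floor visible: under preserve, a peer that offers only TLSv1.1 is served TLSv1.1, whereas with a TLSv1.2 minimum that peer gets no match, which is the outcome an administrator wants when old protocol versions must not be negotiated on intercepted connections.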

Deploy ProxySG Virtual Appliance on VMware Tools


You can now deploy a ProxySG virtual appliance via zero-touch provisioning (ZTP) on VMware Tools.
More information:
• ZTP Deployment

Microsoft Outlook Email Protocol (MAPI) Improvements


• REQMOD and RESPMOD statistics are now reported separately under MAPI over HTTP proxy statistics (available at
advanced URL /mapihttp/statistics).
• Email attachment upload in Outlook 2021 is significantly improved. Previously, sometimes uploaded email attachments
were truncated, jumbled, or both. Email attachment upload is now fully supported in Outlook 2021.
• Email attachment upload performance is improved.

Specify an Interface for Reflect Client IP


When initiating upstream connections, use the specified interface for the outbound source IP address.
reflect_ip(interface.<label>)

More information:
• Content Policy Language Reference

Removed Hardware Registration Commands


The following CLI commands have been removed:
#licensing register-hardware
#licensing mark-registered

These commands are no longer required for licensing an appliance.

Fixes in SGOS 7.3.8.1


SGOS 7.3.8.1 includes the following bug fixes.

Table 13: Access Logging

ID Issue

SG-23434 Fixes an issue where the appliance stopped responding when running an access logging script from
Management Center.
SG-30186 Fixes an issue where the s-action access log field returned "-" instead of information from the transaction.
SG-30522 Fixes an issue where the appliance stopped responding in process "cfg.proprietor" in "libtransactions.exe.so"
at .text+0x3135c0.
SG-29190 Fixes an issue where the appliance stopped responding when access logs included *-supplier-country
fields or policy included references to supplier country.

Table 14: Active Sessions

ID Issue

SG-31084 Fixes an issue where terminating active sessions (using #active-sessions proxied-sessions terminate)
caused the appliance to stop responding.

Table 15: Authentication

ID Issue

SG-29479 Fixes an issue where CPU utilization was 100% under heavy LDAP load.
SG-31219 Fixes an issue where changing policy that included a sequence realm caused the appliance to stop responding.
SG-30269 Fixes an issue where the "Access Denied" exception page did not display information about the transaction
when users clicked the more link.
SG-31171 Fixes an issue where policy failed to install after a sequence realm had an authorization error.
SG-30293 Fixes an issue where changing the SAML IDP caused an "invalid certificate" error and required an appliance
reboot to refresh the certificate cache.
SG-30783 Fixes an issue where the appliance rebooted when attempting to apply policy changes. This issue occurred after
an IWA realm was removed.
SG-30844 Fixes an issue where attempting to upgrade version 7.2.5.1 to 7.3.7.1 failed. When this issue occurred, the
appliance rebooted with version 7.2.5.1 running.
SG-31292 Fixes an issue where the appliance stopped responding after deleting realms after attempting to install policy
with bad syntax.

Table 16: CLI Consoles

ID Issue

SG-30692 Fixes an issue where the show config CLI output did not indicate whether automatic refresh bandwidth for
caching was enabled (for example, using #(config caching)refresh bandwidth automatic).
SG-30948 Fixes an issue where the appliance stopped responding in process group PG_ACCESS_LOG, process:
"sshc.worker" in "" at .text+0x0.
SG-30917 Fixes an issue where #show output displayed some archive-config settings incorrectly, without quotation
marks.

Table 17: Cloud Platform

ID Issue

SG-30953 Fixes an issue where an appliance with a ZTP payload could not be registered to a device group in Management
Center.
SG-23203 Fixes an issue where the appliance stopped responding due to a hardware exception in
process "STORVSC" in "storvsc.exe".

Table 18: DNS Proxy

ID Issue

SG-31007 Fixes an issue where the appliance stopped responding with a hardware exception
in process group "PG_DNS" process: "DNS Proxy Administrator" in "libdnsproxy.exe.so".

Table 19: Hardware Drivers

ID Issue

SG-30813 Fixes an issue where PCAPs with filters captured traffic only in one direction. This issue occurred on ProxySG
applications on the SSP platform.

Table 20: HTTP Proxy

ID Issue

SG-26322 Fixes an issue where the appliance stopped responding with a software exception in process group "PG_HTTP"
process: "HTTP SW 20B1CD01A40 for 30C2D661A40" in "".
SG-29480 Fixes an issue where the appliance did not send an "HTTP/1.1" ALPN extension in the server hello message
back to the client when the server used HTTP/2.
SG-29969 Fixes an issue where the appliance stopped responding when trying to allocate memory when mapping HTTP/2
to HTTP/1 headers.

Table 21: Licensing

ID Issue

SG-29643 Fixes an issue where a SWG VA that could not communicate with the license validation server had a grace
period of 3.5 days instead of 7 days.

Table 22: Management

ID Issue

SG-30997 Fixes an issue where the https://<IP_address>:8082/Secure/Local/console/MCApplet.html page had a potential
XSS exploit.

Table 23: MAPI Proxy

ID Issue

SG-30307 Fixes an issue where some users intermittently could not send messages with attachments from Outlook 2021.
SG-30245 Fixes an issue where messages from which the proxy blocked and removed attachments were not sent.
SG-30807, SG-31250 Fixes an issue where dragging and dropping a file from email to a delegate calendar sometimes
resulted in file corruption.

Table 24: Management Console

ID Issue

SG-31038 Fixes an issue where the Management Console could not be accessed after Chrome was updated to version 10.

Table 25: Policy

ID Issue

SG-30288 Fixes an issue where the appliance performed DNS queries even when policy included a restrict dns rule.
SG-30564 Fixes an issue where logs did not indicate that a local database containing an error was downloaded. When
this issue occurred, the download status did not reflect the latest download status immediately, and the Local
Database communication status metric was Critical.
SG-30206 Fixes an issue where the appliance experienced a hardware exception in
process group "PG_POLICY" process: "SSLW 10D7510DC00" in "libc.so".
SG-30360 Fixes an issue where a variable's default value was not used when the variable was used in a substitution.

Table 26: SSL/TLS and PKI

ID Issue

SG-30816 Fixes OpenSSL vulnerabilities (CVE-2022-0778).
SG-30416 Fixes an issue where the appliance had a hardware exception in process group: "PG_SSL_HNDSHK"
process: "Hybrid_Administrator" in "kernel.exe".
SG-30565 Fixes an issue where multiple TCP sessions used the same TCP connection, causing some requests not to
match.

Table 27: SSL Proxy

ID Issue

SG-30706 Fixes an issue where high memory caused TCP connections to drop.
SG-29909 Fixes an issue where SSL connections requiring server certificate emulation timed out when the server certificate
cache was full.
SG-26714 Fixes an issue where client.certificate.requested= lookups failed.

Table 28: TCP/IP and General Networking

ID Issue

SG-30509 Fixes an issue where upgrading the appliance from version 7.2.x to a later 7.2.x or 7.3.x failed while
performing #restart upgrade.
SG-30896 Fixes an issue where the appliance stopped responding when adding default gateways.
SG-29589 Fixes an issue where the appliance stopped responding in process: "cookie-monster" in "libstack.exe.so"
at .text+0x42d3e1.

Table 29: Legacy VPM

ID Issue

SG-30750 Fixes an issue where a line break in the Comment cell creates an unknown tag that fails to install.

This release also includes VPM fixes. See Web Visual Policy Manager Fixes in SGOS 7.x.

SGOS 7.3.7.1 GA

Release Information
• Release Date: February 24, 2022
• Build Number: 271019

Supported Platforms
• ProxySG hardware appliances: S200, S400, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
• Gen3 ProxySG virtual appliances for GCP and ISG Enterprise VA deployments: ISG-Proxy-VA-100, ISG-Proxy-VA-200
• Integrated Secure Gateway hardware appliances: SSP-S210, SSP-S410
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• You may potentially experience performance issues after upgrading to this release. See SG-30438 in Known Issues in
SGOS 7.x for more information.
• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you
begin upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure
your malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy
Manager Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.3.7.1


• SGOS 7.3.7.1 introduces new features and enhancements. See Features in SGOS 7.3.7.1.

Fixes in ProxySG 7.3.7.1


• This release includes a number of fixes. See Fixes in SGOS 7.3.7.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.7.1


SGOS 7.3.7.1 introduces the following new features and changes.

Session Correlation with SSL Visibility Appliance


When session correlation is enabled, the SSL Visibility (SSLV) appliance sends its client-side and server-side session log
IDs to the ProxySG appliance. To review the SSLV session log IDs from the ProxySG appliance, add the following fields to
the access log.
1. In the SSL Visibility Management Console, enable the Session Correlation with ProxySG option.
2. In the ProxySG Admin Console or Management Console, add the following access log fields to the ssl log:
– x-cs-offload-session-log-id : SSLV client-side session log ID when SSLV is performing SSL offload.
– x-rs-offload-session-log-id : SSLV server-side session log ID when SSLV is performing SSL offload.
– cs(X-Forwarded-For) : Value of request header X-Forwarded-For.
This feature requires SSLV appliance version 5.4.1.1 or later. SSLV version 4.5.9.1 will also support this feature.
NOTE
These options only apply to traffic that is not destined for ProxySG appliances, and the ProxySG segment
needs at least one copy port in place to have SSLV inspect non-proxy flows.
More information:
• SSLV documentation (available when version 5.4.1.1 is released)
• ProxySG Log Fields and Substitutions
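As an added example (not ProxySG code), the following Python script parses a W3C Extended Log Format access log, which is the layout ProxySG access logs use, and indexes proxied transactions by the SSLV client-side session log ID so an analyst can pivot from a proxy transaction into the SSLV session log. The three correlation field names come from the list above; the remaining field names, the #Fields header layout and every log value are constructed for the example.

```python
"""Parse a W3C/ELFF access log and pivot on SSLV session log IDs.

Added example, not ProxySG code. The log excerpt is constructed: the field
names x-cs-offload-session-log-id, x-rs-offload-session-log-id and
cs(X-Forwarded-For) come from the release notes; the other fields, the
values and the header layout follow the W3C Extended Log Format. An
unquoted "-" means the field had no value for that transaction.
"""
import shlex
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
#Software: SGOS (constructed sample)
#Version: 1.0
#Fields: date time c-ip cs-host x-cs-offload-session-log-id x-rs-offload-session-log-id cs(X-Forwarded-For) sc-status
2022-05-11 10:00:01 10.1.2.3 example.com 1234567 7654321 "10.9.8.7" 200
2022-05-11 10:00:02 10.1.2.4 example.org - - - 304
2022-05-11 10:00:03 10.1.2.3 example.com 1234568 7654322 "10.9.8.7, 10.9.8.1" 403
"""


def parse_elff(text: str) -> List[Dict[str, str]]:
    """Turn ELFF lines into dicts keyed by the names in the #Fields header.

    Directive lines start with '#'. Values are whitespace separated; a value
    containing spaces is double-quoted, which shlex handles. Rows whose
    field count does not match the header are skipped rather than
    mis-aligned, because a mis-aligned row would silently attribute one
    field's value (for example a session ID) to another field.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = shlex.split(line)
        if not fields or len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def correlated_sessions(rows: List[Dict[str, str]]) -> Tuple[Dict[str, Dict[str, str]], List[Dict[str, str]]]:
    """Index proxied transactions by the SSLV client-side session log ID.

    Transactions without an ID (value "-") were not offloaded by an SSLV
    appliance and are returned separately, so it is visible which flows can
    be pivoted into SSLV logs and which cannot.
    """
    by_sslv: Dict[str, Dict[str, str]] = {}
    not_offloaded: List[Dict[str, str]] = []
    for row in rows:
        cs_id = row.get("x-cs-offload-session-log-id", "-")
        if cs_id == "-":
            not_offloaded.append(row)
            continue
        by_sslv[cs_id] = {
            "server_side_id": row.get("x-rs-offload-session-log-id", "-"),
            "client_ip": row.get("c-ip", "-"),
            "forwarded_for": row.get("cs(X-Forwarded-For)", "-"),
            "host": row.get("cs-host", "-"),
            "status": row.get("sc-status", "-"),
        }
    return by_sslv, not_offloaded


if __name__ == "__main__":
    index, plain = correlated_sessions(parse_elff(SAMPLE_LOG))
    for cs_id, info in index.items():
        print(cs_id, info)
    print(f"{len(plain)} transaction(s) without an SSLV session ID")
```

Keeping the server-side ID next to the client-side ID in the index matters in practice: the two SSLV session log IDs refer to different TLS sessions, so the server-side ID is the one to search for when the question is what the upstream leg of a flow looked like.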

Drop ICMP Redirect Packets


This release addresses a potential vulnerability where an attacker could send ICMP redirect packets to the appliance.
This can result in the redirection of traffic to an attacker-controlled device, potentially compromising the integrity of any
redirected unencrypted traffic, or lead to a denial-of-service if the attacker blocks redirected traffic. This release includes a
new CLI command to enable dropping ICMP redirects:
#(config)tcp-ip icmp-drop-redirect {disable|enable}

The setting is disabled by default. For best security, enable it.


More information:
• Command Line Interface Reference

Access Log Fields for ICAP Failure Mode


The following access log fields have been added to track the ICAP failure mode (fail open or fail closed):
• cs-icap-failure-mode : REQMOD ICAP service failure mode
• rs-icap-failure-mode : RESPMOD ICAP service failure mode
More information:
• ProxySG Log Fields and Substitutions

Trust Package Update


The trust package has been updated to match the Microsoft July 2021 update level. Obsolete CAs have been removed.
To download the latest trust package, issue the following CLI command:
#(config) load trust-package

Timezone Database Update


The timezone database has been updated to reflect changes in Release 2021e of the IANA timezone database.

CSRF Protection for Advanced URLs


This release includes additional cross-site request forgery (CSRF) attack protection for ProxySG advanced URLs.

Removed ProxySG Initial Configuration Wizard


The browser-based ProxySG Initial Configuration Wizard (available through https://proxysg.bluecoat.com:8083 or
https://IP_address:8083) has been removed. Starting in this release, you can perform initial configuration through the
serial console only.

Fixes in SGOS 7.3.7.1


SGOS 7.3.7.1 includes the following bug fixes.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 30: Access Logging

ID Issue

SG-28439 Fixes an issue where the appliance experienced a restart following disk re-initialization due to an error in the
access log copying process.
SG-29685 Fixes an issue where access logging used significantly more memory than required.

Table 31: Authentication

ID Issue

SG-26170 Fixes an issue where RADIUS authentication stopped working after upgrading to version 7.3.2.1.
SG-29329 Fixes an issue where SNMP walk failed because the appliance attempted to retrieve authentication statistics
from a server that was unavailable, instead of retrieving them from a cache.
SG-25285 Fixes an issue where SAML authentication stopped working with Chromium-based browsers (such as Chrome,
Edge, and Chromium) in versions after SGOS 6.7.5.6 due to blank characters (spaces) between the cookie
parameters.

Table 32: CLI Consoles

ID Issue

SG-29744 Fixes an issue where the appliance experienced a page fault due to insufficient Syslog worker stack size.

Table 33: CPLE

ID Issue

SG-29957 Fixes an issue where server.certificate.hostname= matched only the first entry under a certificate's
subjectAlternativeName . Now, all available server certificate hostnames are checked and matched.

Table 34: DNS Proxy

ID Issue

SG-28533 Fixes an issue where the appliance experienced restarts when EDNS was enabled and DNS lookup was
performed for an IP address.
SG-28266 Fixes an issue where the appliance did not honor the configured DNS server preference after a primary or
alternate server went offline and then came back online.
SG-32131 Fixes an issue where running # test dns resulted in an "Unknown error response(203)" when EDNS was
enabled.

Table 35: HTTP Proxy

ID Issue

SG-28504 Fixes an issue in reverse proxy during the processing of HTTP requests to prevent HTTP request smuggling /
HTTP desync attacks.
SG-29322 Fixes an issue where Firefox showed an alert on the Host Affinity cookie because the appliance did not set up all
of the required cookie attributes.
SG-28248 Fixes an issue where the appliance experienced a restart when policy included a log_message() action
referring to an HTTP header substitution string.
SG-29187 Fixes an issue where the appliance experienced a restart when multiple H2 workers tried to use the same socket
during an HTTP/2 upgrade.
SG-30148 Fixes an issue where the downstream SNI header was not applied on an upstream connection when the HTTP
Connect message contained a dotted IP address. This issue occurred when a transparent downstream Squid
proxy connected upstream to an explicit ProxySG appliance.

Table 36: Kernel

ID Issue

SG-29402 Fixes an issue where the appliance experienced a restart due to an insufficient front panel worker stack size.

Table 37: MAPI Proxy

ID Issue

SG-30196 Fixes an issue where Outlook 2012 file attachments were not sent to Content Analysis.
SG-28606 Fixes an issue where the MAPI debug log displayed the error:
Rop response parser failed to parse RopId = ROP_QUERY_ROWS with value
ERROR_CODE_PARSE_ERROR.
This issue occurred in Outlook 2016 with caching disabled.

Table 38: Policy

ID Issue

SG-27100 Fixes an issue where Excel files on Dropbox could not be previewed when policy included the Notify User
action.
SG-30085 Fixes an issue where the link to Symantec Site Review on exception pages was broken in some cases.
SG-29657 Fixes an issue where installing policy that contained a large number of categories resulted in multiple "Unknown
category" warnings.
SG-28593 Fixes an issue where long lines in exceptions files were parsed incorrectly, preventing some elements from
displaying in exception pages.
SG-28416 Fixes an issue where installing policy failed with the warning "Unreachable rule, conditions will be matched by a
preceding rule" when the policy contained different IP addresses in a category definition.

Table 39: Security

ID Issue

SG-28694 Fixes an issue where the load trust-package command output showed an incorrect creation time,
suggesting that the trust package was not the latest version.
SG-29650 Fixes an issue where the show configuration command output did not display the trust-package
auto-update or auto-update-interval configuration settings.

Table 40: Serviceability

ID Issue

SG-29688 Fixes an issue where PDM statistics were inaccurate because the PG process memory usage reported on linear
memory instead of physical memory.

Table 41: SSL/TLS and PKI

ID Issue

SG-28734 Fixes OpenSSL vulnerabilities described in CVE-2021-3712.


SG-29503 Fixes an issue where a memory leak occurred when a certificate was re-signed for an intercepted TLS
connection and OCSP was enabled.

Table 42: SSL Proxy

ID Issue

SG-29358 Fixes an issue where the appliance experienced a restart when attempting to complete an SSL handshake via a
closed socket.
SG-28624 Fixes an issue where the browser returned an exception because the latest Chrome and Firefox extensions were
not included in the known extensions list.
SG-28622 Fixes an issue where server certificates were not validated as specified in policy when the appliance
encountered unrecognized extensions.

Table 43: Storage

ID Issue

SG-29406 Fixes an issue where disk space issues caused the appliance to stop responding. This issue occurred when
ICAP scanned large objects.

Table 44: TCP/IP and General Networking

ID Issue

SG-28822 Fixes an issue where the connection pair of a transparent IPv6 session via SSLV reused the same TCP source
port if the Reflect Client IP option was enabled, resulting in session timeouts.
SG-29607 Fixes an issue where download failures occurred due to an insufficient number of TCP re-assembly objects for
the number of connections.
SG-28561 Fixes an issue where the user could not filter active sessions by IPv6 address.
SG-28638 Fixes an issue where the appliance experienced a restart due to asynchronous requests in progress during a
SOCKS timeout.
SG-28909 Fixes a rare race condition when a TCP connection was cleaning up that could lead to a restart.
SG-28841 Fixes an issue where the appliance experienced a restart due to invalid memory pointers.
SG-28994 Fixes an issue where port reuse caused latency and dropped internet connections. This issue occurred in a
transparent proxy environment with reflect-client-ip enabled.
SG-29217 Fixes an issue where the appliance experienced a restart because the limit on the number of canceled timers
was reached.
SG-29824 Fixes an issue where running the pcap start coreimage bytes command caused the appliance to
stop responding.
SG-29051 Fixes an issue where the appliance experienced high memory consumption in TCP/IP, causing internet sessions
to stop until the appliance restarted. This issue occurred with bandwidth management enabled.
SG-28444 Fixes a timer issue that caused the appliance to experience high CPU usage and a restart.
SG-30132 Fixes an issue where some TCP connections were incorrectly kept open instead of closing or being reused.
SG-29737 Fixes a potential race condition where TCP persistence timer reuse led to a restart.

Table 45: URL Filtering

ID Issue

SG-29178 Fixes an issue where every URL lookup returned an 'unavailable; unlicensed' status after clearing category
mappings and synonyms and reloading the Blue Coat content filtering database.
SG-28860 Fixes an issue where the Threat Risk Levels database was stuck in a 'loading' status even after an appliance
restart.
SG-28565 Fixes an issue where the appliance sent too many SNMP messages for content filtering database changes.

Table 46: Utility Libraries

ID Issue

SG-28924 Fixes an issue where the third-party libxml component required updating to resolve critical vulnerabilities
(CVE-2018-9251, CVE-2018-14567, CVE-2018-14404, CVE-2021-3541). This open-source component is used
to parse untrusted XML content in WAF and for XML/SAML authentication realms.
SG-28926 Fixes an issue where the third-party ICU (International Components for Unicode) library required updating to
resolve critical vulnerabilities. This open-source component consists of C/C++ and Java libraries for Unicode
support, software internationalization, and software globalization.

Table 47: Web Application Firewall

ID Issue

SG-28299 Fixes an issue where the third-party libxml component required updating to resolve critical vulnerabilities
(CVE-2018-9251, CVE-2018-14567, CVE-2018-14404, CVE-2021-3541). This open-source component is used
to parse untrusted XML content in WAF and for XML/SAML authentication realms.

SGOS 7.3.6.4 PR

Release Information
• Release Date: December 15, 2021
• Build Number: 269365

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
• Gen3 ProxySG virtual appliances for GCP and ISG Enterprise VA deployments: ISG-Proxy-VA-100, ISG-Proxy-VA-200
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you
begin upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure
your malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy
Manager Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Fixes in ProxySG 7.3.6.4


• This release includes a fix for a connection issue in configurations that transparently intercept traffic with
reflect-client-IP enabled. See Fixes in SGOS 7.3.6.4.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/
security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Fixes in SGOS 7.3.6.4


SGOS 7.3.6.4 includes the following bug fix.

Table 48: Health Checks, TCP/IP and General Networking

ID Issue

SG-29088 Fixes an issue where ProxySG 7.3.6.1 and higher configurations transparently intercepting traffic with
reflect-client-IP enabled stopped initiating or responding to new connections. These configurations
consequently required a scheduled SG reboot before the maximum number of available connections was
reached.

SGOS 7.3.6.3 PR

Release Information
• Release Date: December 13, 2021
• Build Number: 268974

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
• Gen3 ProxySG virtual appliances for GCP and ISG Enterprise VA deployments: ISG-Proxy-VA-100, ISG-Proxy-VA-200
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you
begin upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure
your malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy
Manager Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Fixes in ProxySG 7.3.6.3


• This release includes a performance fix. See Fixes in SGOS 7.3.6.3.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/
security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Fixes in SGOS 7.3.6.3


SGOS 7.3.6.3 includes the following bug fix.

Table 49: Performance

ID Issue

SG-29292 Fixes an issue where SSL performance dropped. This issue occurred when SSL interception policy was
installed.

SGOS 7.3.6.1 GA

Release Information
• Release Date: October 7, 2021
• Build Number: 266990

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
• Gen3 ProxySG virtual appliances for GCP and ISG Enterprise VA deployments: ISG-Proxy-VA-100, ISG-Proxy-VA-200
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you
begin upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure
your malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy
Manager Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Fixes in ProxySG 7.3.6.1


• This release includes a number of fixes. See Fixes in SGOS 7.3.6.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/
security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.6.1


SGOS 7.3.6.1 introduces the following new features and changes.

ProxySG Admin Console 1.2.3.1


You can perform the following tasks in this release of the ProxySG Admin Console (SGAC):

• Manage HTTP, HTTPS, SSH, SNMP, and Telnet services for administrative access to the ProxySG appliance.
• Configure SOCKS gateways and gateway groups for forwarding.
• Manage the appliance's SSL client profile.
• Offload processing of SSL/TLS traffic to a configured SSLV device.
• Add existing Online Certificate Status Protocol (OCSP) responders to perform real-time certificate revocation
checks and send responses to the appliance.
In addition, forwarding host lists have been renamed to forwarding groups.
More information:
• SGOS Administration (Admin Console Edition)

PM Object to Enable/Disable Parallel Connectivity


The content policy language (CPL) to enable or disable parallel connectivity using RFC8305 (Happy Eyeballs algorithm)
was added in version 7.3.4. This release adds new Enable Parallel Connect and Disable Parallel Connect static Action
objects to the Web Visual Policy Manager (VPM). The algorithm can improve user experience when requesting specified
URL domains by allowing parallel connections, which avert delays that might occur with serial connection attempts. To
enable or disable parallel connections globally, use the #(config)parallel-connect {enable | disable} CLI
command, introduced in version 7.3.4.1.
More information:
• Web Visual Policy Manager Reference

New Default Port for Web Isolation Service


Starting in this release, the default port for the Web Isolation Service is 443 instead of 8080. If you currently use the
default web isolation service hostname and port, upgrading will change the port from 8080 to 443. If you then downgrade
to version 7.3.5 or earlier, the configuration retains the port 443 setting. If you configured a custom web isolation service,
issuing the # (config isolation) service cloud command in version 7.3.6 reverts the service to default
settings, including the new default port.
More information:
• Command Line Interface Reference
• KB article 201609

Review and Terminate Active Sessions and Connections


To help with troubleshooting, a new # active-sessions CLI command allows you to display a list of active inbound
ADN connections, bypassed connections, or proxied sessions. You can also terminate multiple connections or long-
running sessions, which may be faster than terminating sessions from the Management Console.
In addition, a new # show active-sessions command displays overall session statistics including active,
terminating, and errored sessions.
More information:
• Command Line Interface Reference

Determine Host ISG for ProxySG Applications


A new # show isg-host CLI command allows you to determine if the current appliance is running as an application
on Integrated Secure Gateway (ISG). If it is an application running on ISG, the command displays ISG host
information. Otherwise, the CLI indicates that the system is not running on ISG.
More information:
• Command Line Interface Reference

Detect Protocol in <Proxy> Layers


The <SSL-Intercept> layer no longer supports detect_protocol(). Use this property in <Proxy> layers.

Fixes in SGOS 7.3.6.1


SGOS 7.3.6.1 includes the following bug fixes.
For Security Advisory fixes, see Security Advisory Fixes in SGOS 7.x.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 50: Abstract Management Interface

ID Issue

SG-28486 Fixes an issue where the upgrade process had an uncaught exception because an invalid hostname was saved
in the registry.

Table 51: Authentication

ID Issue

SG-25971 Fixes an issue where the whoami response header (X-WSS-CLIENT-INFO-2-RESPONSE) was not being
returned from the proxy unless SAML authentication was used. This caused WSSA to use a cached username
when switching to/from SAML authentication.
SG-28600 Fixes an issue where the appliance restarted when an object representing authentication state was sometimes
NULL and was handled incorrectly.

Table 52: DNS Proxy

ID Issue

SG-17287 Fixes an issue where the ProxySG appliance was restarting because DNS/Stack allocations that were close to a
multiple of the page size were causing a page fault.

Table 53: Initial Configuration

ID Issue

SG-28355 Fixes an issue where new ProxySG appliances that were not yet licensed could not be added to Management
Center using ZTP.

Table 54: HTTP Proxy

ID Issue

SG-28013 Fixes an issue where the appliance stopped responding with a hardware exception in process group: "PG_
POLICY" and process "HTTP CW 10F37D70A40" in "libcfssl.exe.so" at .text+0x2af117.
SG-28181 Fixes an issue where proxy exception pages were not loading when SSLv offload and HTTP/2 were enabled.
SG-28553 Fixes an issue where setting http2.client.max_concurrent_streams(1) did not allow any streams
through because the concurrent stream count was incremented too early.
SG-28708 Fixes an issue where ip_country_uid_map was not initialized properly when parallel connections were enabled.
SG-28290 Fixes an issue where the appliance experienced high memory usage due to some HTTP/2 processes.

Table 55: Kernel

ID Issue

SG-28065 Fixes an issue where the central policy file download interval constantly increased.

Table 56: Management Console

ID Issue

SG-28324 Fixes an issue where the certificate in a keyring could not be changed through the Management Console if the
keyring was referenced elsewhere. Now, the Import button in a keyring is always available.

Table 57: MAPI

ID Issue

SG-25958 Fixes an issue where sending Outlook mail did not work unless MAPI handoff was disabled on the appliance (or
HTTPS interception of Office 365 servers was not enabled). This issue occurred after an upgrade to Outlook
2016.

Table 58: Policy

ID Issue

SG-28376 Fixes an issue where larger base64-encoded images using <style> tags did not display in exception pages.
SG-28353 Fixes an issue where, after authenticating and getting the group policy site location, refreshing the browser
caused the location ID to change to the default of 0.

Table 59: SNMP

ID Issue

SG-28264 Fixes an issue where the SNMP OID tcpCurrEstab reported a larger number than the number in /TCP/
Connections.

Table 60: SSL Proxy

ID Issue

SG-27138 Fixes an issue where specifying the CCL using the client.certificate.validate.ccl() property
did not work in reverse proxy mode.

Table 61: SSL/TLS and PKI

ID Issue

SG-28279 Fixes an issue where an ADN deployment had a potential memory leak in SSL and Cryptography.

Table 62: TCP/IP and General Networking

ID Issue

SG-26282 Fixes an issue where high memory usage in TCP/IP led to general connectivity issues and event log errors. This
issue occurred with IPv6 traffic and when bandwidth management was enabled.
SG-28111 Fixes an issue where additional interfaces defined in the ARM template for ProxySG on Azure were not
displayed when issuing the >show interface all command output on the VM.
SG-28434 Fixes an issue where there was a memory leak when Jumbo frames were enabled, which were not accounted
for when cleaning up reference count objects.
SG-28528, SG-28723 Fixes an issue where the appliance experienced frequent unforced restarts in the PG_TCPIP process.

SGOS 7.3.5.2 PR
Release Information
• Release Date: September 7, 2021
• Build Number: 265904

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you
begin upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure
your malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy
Manager Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Fixes in ProxySG 7.3.5.2


• This release includes a single fix. See Fixes in SGOS 7.3.5.2.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/
security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.5.2

Deprecations and Removals


This release removes the HTTP/2 Server Connection handling improvements made in SGOS 7.3.5.1. These
improvements will be available in a future release.

Fixes in SGOS 7.3.5.2


SGOS 7.3.5.2 includes the following bug fixes.
For Security Advisory fixes, see Security Advisory Fixes in SGOS 7.x.

For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 63: HTTP Proxy

ID Issue

SG-28388 Fixes an issue where the appliance experienced a restart when upgrading server connections to HTTP/2.


SGOS 7.3.5.1 GA
Release Information
• Release Date: August 25, 2021
• Build Number: 265431

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you begin
upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process, disable
FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your appliance will
not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that, after the downgrade, your
policy includes CPL that protects against low-strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1, so policy that references them is no longer necessary on 7.2.0.1 and later. For appliances
running versions earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>

server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Fixes in ProxySG 7.3.5.1


• This release includes a number of fixes. See Fixes in SGOS 7.3.5.1.
• To see any Security Advisories that apply to the version you are running, go to https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.5.1


SGOS 7.3.5.1 introduces the following new features and changes.

New Models for Virtual Appliances


For ProxySG virtual appliances, the following new models are available for GCP and ISG Enterprise VA deployments:

Virtual CPUs  Virtual Memory (GB)  ISG-Proxy-VA-100 Storage (GB)  ISG-Proxy-VA-200 Storage (GB)  Connection Count
6             24                   2x100                          1x200                          37,500
6             40                   4x100                          2x200                          62,500
6             48                   4x100                          2x200                          75,000
10            40                   4x100                          2x200                          62,500
10            80                   4x100                          2x200                          125,000
10            96                   4x100                          2x200                          150,000
12            48                   4x100                          2x200                          75,000
12            96                   4x100                          2x200                          150,000
12            128                  4x100                          2x200                          200,000
14            64                   4x100                          2x200                          100,000
14            112                  4x100                          2x200                          175,000
14            144                  8x100                          4x200                          225,000
20            96                   4x100                          2x200                          150,000
20            144                  N/A                            4x200                          225,000
20            192                  N/A                            6x200                          300,000
24            112                  4x100                          2x200                          175,000
28            128                  8x100                          4x200                          200,000
28            192                  N/A                            6x200                          300,000
28            288                  N/A                            8x200                          450,000
32            80                   8x100                          2x200                          125,000
32            160                  N/A                            4x200                          250,000
32            256                  N/A                            8x200                          400,000
32            320                  N/A                            8x200                          500,000

More information:
• SGOS on GCP Configuration Guide
• ISG Enterprise VA Guide

Set IP Version Preferences for DNS Resolution


You can now configure which IP version to prefer for DNS queries by using the following command (the default is
unspecified):
#(config)dns ip-version {ipv4-only|ipv6-only|prefer-ipv4|prefer-ipv6|unspecified}
More Information:
• Command Line Interface Reference

Configure Local Categories for Web Filtering


You can enable or disable the inclusion of local Web Filtering categories in the configuration for the proxy client
with the following command:
#(config clients web-filtering)include-local-categories {disable | enable}
More Information:

• Command Line Interface Reference

New incorrect_content_length Option for response.raw_headers.tolerate


Previously, the appliance forwarded response bodies that exceeded the length specified in the response header to
the ICAP server or client. Now the appliance drops the additional bytes before sending the response. If you want the
appliance to keep forwarding responses that exceed the specified length, use the property
response.raw_headers.tolerate(incorrect_content_length).
More information:
• Content Policy Language Reference

Updated Application Protection Database


SGOS 7.3.5.1 enables the appliance to use the new version of the fingerprint database when the next Application
Protection subscription is released.
More information:
• Web Applications Firewall Solutions Guide

New CLI Command for ARP Strict Matching


The following CLI command is available for enabling and disabling ARP strict matching (default: enable):
#(config)tcp-ip arp-strict-matching {enable|disable}
More information:
• Command Line Interface Reference

Event Log Trace Level Enhancement


The #(config event-log)level trace CLI command was added in version 7.3.2.1. In this release, the trace level
also writes long-running ICAP REQMOD transactions, and deferred and resumed ICAP RESPMOD transactions to the
event log.
More Information:
• Command Line Interface Reference
• SGOS Upgrade/Downgrade, "Behavior Changes in SGOS 7.3.x"

Timezone Database URL HTTPS by Default


The timezone database download is now performed over HTTPS by default.

New HTTP Headers for delete() Action


You can now delete the following custom request headers by using the delete() policy action:
• X-BlueCoat-Authorization
• X-WSS-Client-Info
• X-WSS-Client-Info-2
• X-WSS-Client-Info-SSO-Request
• X-WSS-SAML
More Information:
• Content Policy Language Reference


HTTP/2 Hardening
HTTP/2 connection handling has been improved to increase the security and efficiency of HTTP/2 connections by
reducing the number of additional upstream connections.

Fixes in SGOS 7.3.5.1


SGOS 7.3.5.1 includes the following bug fixes.
For Security Advisory fixes, see Security Advisory Fixes in SGOS 7.x.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 64: Authentication

ID Issue

SG-27258 Fixes an issue with the help text for the # (config local-user-list local_user_list
user_name) password-grace ? command. Now the help text prompts for the number of days to be
supplied.
SG-27378 Fixes an issue where users could not join or rejoin a domain if the username contained a dollar sign ($)
character.
SG-27405 Fixes an issue where details for group-async were not available for the #show configuration and
#(config windows-domains)view commands.
SG-27851 Fixes an issue where users that belonged to a user group of a parent domain were not able to authenticate.

Table 65: DNS Proxy

ID Issue

SG-27367 Fixes an issue where the appliance experienced a restart when the DNS proxy incorrectly copied from or to a
null pointer.

Table 66: HTTP Proxy

ID Issue

SG-25111 Fixes an issue where supplier.country policy did not match for tunneled HTTPS connections when
protocol detection was disabled.
SG-26987 Fixes an issue where content-length headers had incorrect values when server-side HTTP requests were
translated to HTTP/2.
SG-27922 Fixes an issue where connections would break for some WebFTP clients.

Table 67: Initial Configuration

ID Issue

SG-27919 Fixes an issue where appliances that could not download the application database on the first attempt waited
until the next scheduled download time, which might have been several hours away. Now the appliance re-attempts
the download more frequently until a connection is established, and then returns to the usual download
frequency.


Table 68: Kernel

ID Issue

SG-27772 Fixes an issue where, after 49 days, appliances running any version from SGOS 7.3.1.1 through 7.3.4.1
experienced high CPU utilization and refused or hung traffic.

Table 69: Policy

ID Issue

SG-26626 Fixes an issue where the appliance experienced a restart when the hostname was assigned "null" during
address resolution.
SG-27924 Fixes an issue where HTTP connections that were terminated by a timed termination caused a delay in
exception pages from displaying. Now the fields for the timed termination are copied to the SSL proxy to prevent
delays.
SG-28067 Fixes an issue where the appliance experienced a restart when the EDNS handler did not recognize the end of
the source buffer.

Table 70: SSL/TLS and PKI

ID Issue

SG-27616 Fixes an issue where policy that contained server.connection.client_issuer_keyring() did not
work as expected in a reverse proxy deployment.
SG-28105 Fixes an issue where the appliance experienced a restart during an SSL session.

Table 71: SSL Proxy

ID Issue

SG-23268 Fixes an issue where a memory leak occurred when SSLV offloading was enabled.
SG-26999 Fixes an issue where the appliance experienced high memory usage during SSL handshakes.

Table 72: TCP/IP and General Networking

ID Issue

SG-25055 Fixes an issue where the appliance experienced a restart due to outstanding TCP timers.
SG-26136 Fixes an issue where the interfaces showed the speed and duplex as unknown in the SysInfo for virtual
appliances.
NOTE: After talking with Khaled and Peter, they've asked to hold off on reporting this one until they can
communicate what we found and fixed to the customer who reported it as it may have been an attack or
pentesters who are aware of this vulnerability now and are wanting to know how we react.
SG-27025 Fixes an issue where ARP strict matching was not functioning as expected.
SG-27375 Fixes an issue where the appliance experienced a restart when the database was updated.
SG-27677 Fixes an issue where the appliance returned the error "DNS Resolver Response: Unknown error response(202)"
for a DNS-forwarding group that was associated with the default routing domain.
SG-27681 Fixes an issue where entries in the ARP table were incorrectly shown as expired when accessed via CLI or
Management console.

SG-27756 Fixes an issue where the statistics counter for ARP strict matching continued to increase when Management
Console URLs were accessed in a bridge configuration.
SG-27807 Fixes an issue where DNS flags were not set correctly for AAAA requests, causing the appliance to not retry with
A requests after receiving invalid AAAA responses.
SG-27947 Fixes an issue where appliances configured in a bridge could not be pinged after a restart.
SG-28005 Fixes an issue where default gateways or static routes in routing domains were pointing to the incorrect
interface.
SG-28102 Fixes an issue where the appliance experienced a crash when a high number of HTTP connections were
established.


SGOS 7.3.4.1 GA
Release Information
• Release Date: July 14, 2021
• Build Number: 264353

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• Content Analysis: 2.4.x, 3.0.x, and 3.1.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you begin
upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process, disable
FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your appliance will
not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that, after the downgrade, your
policy includes CPL that protects against low-strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1, so policy that references them is no longer necessary on 7.2.0.1 and later. For appliances
running versions earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>

server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.3.4.1


• SGOS 7.3.4.1 introduces new features and enhancements. See Features in SGOS 7.3.4.1.

Fixes in ProxySG 7.3.4.1


• This release includes a number of fixes. See Fixes in SGOS 7.3.4.1.
• To see any Security Advisories that apply to the version you are running, go to https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.4.1


SGOS 7.3.4.1 introduces the following new features and changes.

ProxySG Admin Console version 1.2.2.1


The following features are now available in the ProxySG Admin Console:

• You can configure a UDP Tunnel proxy service. See the "UDP Proxy Enhancements" section below.
• A new MS Teams proxy service is available in Proxy Services (Configuration > Services). See the "UDP Proxy
Enhancements" section below.
• As of version 7.3.2, proxy service listeners now support two more default actions:
– drop: Silently drops matching incoming packets.
– reject: Responds to the sender indicating that the packet was rejected.
• You can now send the following header information in ICAP requests. Configure an ICAP service (Administration >
ICAP > ICAP Services):
– X-SYMC-Groups
– X-SYMC-User-Email-Address
• Global policy tracing is now available under Administration > Service Information > Policy Tracing.
• You can enable policy coverage (Configuration > Policy > Policy Options).
• You can enable or disable parallel DNS lookups using RFC8305 (Happy Eyeballs algorithm). See the "Support for
Parallel Connections" section below.
• A Troubleshooting report, which summarizes the current statuses of packet capture and policy tracing, has been added
to the Dashboards view.
• You can configure virtual IP addresses and failover groups (Configuration > Network > Advanced).
• The Administration > Upgrade page has been renamed to Administration > Systems > Software System Images.

Support for Java 16 on ProxySG Appliances


The Management Console Launcher is now supported for Java 16. For more information, refer to https://
knowledge.broadcom.com/external/article/173228/.

UDP Proxy Enhancements


SGOS 7.3.2 introduced a UDP-Tunnel proxy service and provided basic visibility into UDP flows through the appliance.
This release allows you to intercept and further manage UDP flows.
UDP proxy services
Starting in this release, the appliance's Default service listener, which matched all TCP traffic not intercepted by other
services, is renamed to Default TCP. A new Default UDP service listener has been added; it handles all UDP
traffic not intercepted by other services.
This release also introduces the following new CLI commands:
• # (config udp_proxy_service) intercept <subcommands>
Set the behavior of the UDP service listener to intercept.
• # (config) udp-tunnel <subcommands>
Configure UDP tunnel connections.
In the ProxySG Admin Console, you can configure a UDP Tunnel proxy service in Configuration > Services >
UDP Tunnel Proxy Settings.
New Microsoft Teams proxy service
This release includes a new built-in proxy service for Microsoft Teams. This proxy service uses the UDP Tunnel proxy and
is set to Bypass by default. To edit the Microsoft Teams service, use the following commands:
#(config proxy-services)edit "MS Teams"
This changes the prompt to #(config MS Teams). Refer to the #(config udp_proxy_service) command in the
Command Line Interface documentation for supported subcommands.
New policy URL scheme
The url= and related url conditions now support UDP as follows:

server_url=udp-tunnel://<ip_address>

Statistics and monitoring


Statistics about UDP traffic are now available in various areas of the Management Console:
• Active Sessions
• Advanced URLs:
– Show UDP proxy debug log - Displays information such as internal settings and error messages
– Show UDP proxy statistics - Displays basic statistics about memory, flows, and transferred bytes
• SysInfo
In addition, the ProxySG Admin Console shows UDP Tunnel service information in Reports > Traffic Details.
More Information:
• Command Line Interface Reference
• SGOS Administration Guide
• SGOS Administration Guide (Admin Console Edition)

Support for Parallel DNS Lookups (Happy Eyeballs)


You can enable or disable parallel DNS lookups using RFC 8305 (the Happy Eyeballs algorithm). The algorithm allows
parallel connection attempts, which avoid the delays that serial connection attempts can incur. To support this feature,
the following CLI command was added:
# (config general) parallel-connect {attempt-delay [<10-10000> | default] | enable | disable}
Use this command to enable parallel connections and configure the feature's settings globally. By default, parallel
connections are disabled.
To override the global enable/disable setting, use the following property:
server.connection.parallel_connect(yes|no)
More Information:
• Command Line Interface Reference
• Web Visual Policy Manager Reference
• Content Policy Language Reference
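As an added illustration (not SGOS code or the appliance's own implementation), the following Python models the RFC 8305 racing that parallel-connect controls: a new attempt starts one attempt-delay after the previous one, or immediately when an earlier attempt fails, and the first success cancels the rest; with enabled=False the attempts run serially, which shows the delay the feature avoids when the first address is black-holed. The address list, latencies and the connect() stub are constructed.

```python
"""RFC 8305-style parallel connection attempts, as controlled by
"parallel-connect attempt-delay" (constructed illustration, not SGOS code)."""
import asyncio
import time
from typing import Awaitable, Callable, Dict, Sequence, Set, Tuple

Addr = Tuple[str, int]                        # (ip, port)
ConnectFn = Callable[[Addr], Awaitable[str]]  # returns a handle, raises OSError on failure


async def happy_eyeballs_connect(
    addresses: Sequence[Addr],
    connect: ConnectFn,
    attempt_delay_ms: int = 250,
    enabled: bool = True,
) -> Tuple[Addr, str]:
    """Connect to the first address that answers.

    enabled=True: a new attempt is launched every attempt_delay_ms (or sooner,
    as soon as an earlier attempt fails) until one succeeds; the rest are
    cancelled. enabled=False: attempts run one after another, so a black-holed
    first address delays everything behind it (the serial behaviour the
    feature replaces).
    """
    if not addresses:
        raise ConnectionError("no addresses to try")
    if not 10 <= attempt_delay_ms <= 10000:  # the range the CLI accepts
        raise ValueError("attempt-delay must be between 10 and 10000 ms")

    if not enabled:  # serial fallback: each attempt must fail before the next starts
        last_exc: Exception = ConnectionError("all attempts failed")
        for addr in addresses:
            try:
                return addr, await connect(addr)
            except OSError as exc:
                last_exc = exc
        raise ConnectionError("all attempts failed") from last_exc

    remaining = list(addresses)
    pending = set()
    addr_of = {}
    stagger = attempt_delay_ms / 1000.0
    try:
        while remaining or pending:
            if remaining:
                addr = remaining.pop(0)
                task = asyncio.ensure_future(connect(addr))
                addr_of[task] = addr
                pending.add(task)
            # Wake when the stagger delay elapses (start the next address)
            # or when any in-flight attempt finishes, whichever comes first.
            done, pending = await asyncio.wait(
                pending,
                timeout=stagger if remaining else None,
                return_when=asyncio.FIRST_COMPLETED,
            )
            for task in done:
                if task.exception() is None:
                    return addr_of[task], task.result()
                # A failed attempt: the loop starts the next address immediately.
        raise ConnectionError("all attempts failed")
    finally:
        for task in pending:      # losers are cancelled so no stray sockets remain
            task.cancel()
        if pending:
            await asyncio.gather(*pending, return_exceptions=True)


def make_simulated_connect(latency_ms: Dict[Addr, int], unreachable: Set[Addr]) -> ConnectFn:
    """Constructed stand-in for a TCP connect: sleeps the given latency, then
    either fails (a black-holed address timing out) or returns a handle."""
    async def connect(addr: Addr) -> str:
        await asyncio.sleep(latency_ms[addr] / 1000.0)
        if addr in unreachable:
            raise OSError(f"{addr[0]}: connection timed out")
        return f"socket->{addr[0]}:{addr[1]}"
    return connect


def demo(enabled: bool, attempt_delay_ms: int = 100) -> Tuple[Addr, float]:
    """Constructed scenario: the AAAA answer is black-holed (2 s timeout), the
    A answer connects in 50 ms. Returns (winning address, elapsed seconds)."""
    v6, v4 = ("2001:db8::1", 443), ("192.0.2.10", 443)
    connect = make_simulated_connect({v6: 2000, v4: 50}, {v6})
    start = time.monotonic()
    addr, _handle = asyncio.run(
        happy_eyeballs_connect([v6, v4], connect, attempt_delay_ms, enabled)
    )
    return addr, round(time.monotonic() - start, 2)


if __name__ == "__main__":
    print("parallel:", demo(True))   # about 0.15 s: v4 wins while v6 is still hanging
    print("serial:  ", demo(False))  # about 2.05 s: must wait for v6 to time out first
```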

New http.response Policy Gesture


The following property has been added to force the appliance to stop waiting for HTTP response data from the client:
http.response.response_data.prevent_inspection_delay(yes|no)

More Information:
• Content Policy Language Reference

New Policy Action for SOCKS Requests


To ensure that SOCKS requests use cached surrogate credentials for authentication, a new
socks.authenticate.mode() policy action has been added. Use this policy instead of authenticate.mode() for
SOCKS requests. The policy supports the proxy and proxy-ip challenge type and surrogate credential.
For example:

<proxy> client.protocol=socks
socks.authenticate(testrealm) socks.authenticate.mode(proxy-ip)

More information:
• Content Policy Language Reference
• KB Article 166657

ProxySG ICAP Enhancements


ProxySG and DLP integration is improved. You can configure the ICAP service to send additional request headers to the
ICAP server, and add more ICAP server and service information to access logs.
Information in ICAP requests from the ProxySG appliance to the ICAP server
You can now send the following header information in ICAP requests from the ProxySG appliance:
#(config icap service_name)send server-country
#(config icap service_name)send threat-risk-level
#(config icap service_name)send url-categories

Additional headers are sent in ICAP requests with the existing commands:
• #(config icap service_name)send authenticated-groups includes the X-SYMC-Groups header.
• #(config icap service_name)send authenticated-users includes the X-SYMC-Users and X-SYMC-User-Email-Address headers.
ICAP server and ICAP service information in access logs
The following access log fields have been added to help identify ICAP servers and services:
• cs-icap-host
• cs-icap-ip
• cs-icap-service
• rs-icap-host
• rs-icap-ip
• rs-icap-service
More Information:
• Command Line Interface Reference
• ProxySG Log Fields and Substitutions
This release introduces new policy conditions that you can use in CPL to trigger ICAP notifications based on content in
ICAP-scanned requests and responses.
Use the conditions to specify the service that identified the threat in the scanned request or response:
• request.icap.threat_source=
• request.icap.threat_source.exists=
• response.icap.threat_source=
• response.icap.threat_source.exists=
Use the conditions to specify an identifier of the threat detected in the scanned request or response:

• request.icap.threat_id=
• request.icap.threat_id.exists=
• response.icap.threat_id=
• response.icap.threat_id.exists=
Use the conditions to specify details detected in the scanned request or response:
• request.icap.threat_details=
• request.icap.threat_details.exists=
• response.icap.threat_details=
• response.icap.threat_details.exists=
Use the conditions to specify whether or not a threat was detected in the scanned request or response:
• request.icap.threat_detected=
• response.icap.threat_detected=
Use these conditions instead of virus_detected= , which is now deprecated.
Deprecations
Refer to the Upgrade/Downgrade Guide for a list of all policy, log fields, and substitutions that are deprecated with the
introduction of this new policy.

HTTP Enhancements
This release includes the following HTTP enhancements:
Cached HTTP/1.1 Session Timeout for HTTP/2 Client Sessions
For an HTTP/2 client session, cached server-side HTTP/1.1 connections expire and are removed from the cache if
they exceed the threshold specified in the existing # (config) http persistent-timeout client seconds
setting. Connections that are closed on the server side are removed from the cache regardless of the timeout setting.
New HTTP/2 Connection and Stream Counts in the Heartbeat Report
New counters have been added to the heartbeat report for HTTP/2 connections and streams.

Explicit Congestion Notification (ECN) Support


The following commands were added to support ECN:
#(config)tcp-ip ecn {disable | receive-only | send-receive}

You can specify receive-only to respond to inbound ECN notifications, or send-receive to request outbound and
receive inbound ECN notifications. By default, ECN is disabled.
More Information:
• Command Line Interface Reference

Web Isolation Enhancement


The Web Isolation service is enabled by default. If you have configured your custom web isolation service with forwarding
hosts, you can now disable the Web Isolation service to allow forwarding-based isolation to work as intended. Use the
following CLI:
#(config isolation)disable


CAUTION
Before disabling the Web Isolation service, you must first uninstall any existing Web Isolation policy. Disabling
the service before removing the policy will return exception pages for traffic matching the isolation policy rules.
To re-enable the service, use the CLI:
#(config isolation)enable

Make sure that the Web Isolation service is enabled before configuring Web Isolation policy; otherwise, policy compilation
warnings occur, such as "Warning: 'isolate' Isolation service is disabled; it must be enabled in order to use the isolate
action using the CLI isolation->enable command".
The output of the #show isolation and #(config)isolation view commands display the status of the service.
More Information:
• KB 201609

Improved Security for Local User Passwords


New commands have been added to improve security of local user passwords:
# (config local-user-list local_user_list) inactivity-lockout number_of_days

Specify how long an account can be inactive before it is locked out. Accepted values are between 0 and 365. The default
is 0, which disables the setting (there is no inactivity period).
You can use the existing # (config local-user-list local_user_list user_name) enable command to
reset the inactivity-lockout period for an expired password.
# (config local-user-list local_user_list) max-password-age number_of_days

Specify the maximum age of a password. Accepted values are between 0 and 365. The default is 0, which disables the
setting (there is no maximum age).
# (config local-user-list local_user_list user_name) password-grace number_of_days

Provide the user with a grace period in which they can change their expired password. Accepted values are from 1 to 5.
More Information:
• Command Line Interface Reference
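The three settings interact: 0 disables a check, the inactivity lockout applies even when the password is still valid, and the grace period runs on from the expiry date. The following added Python model, which is not SGOS code, evaluates a local user against them; the exact boundary rules (strictly older than the limit, grace counted from the expiry date) and the sample users and dates are assumptions.

```python
"""Local-user account checks modelled on inactivity-lockout, max-password-age
and password-grace (constructed illustration, not SGOS code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class AccountState(Enum):
    ACTIVE = "active"
    INACTIVITY_LOCKED = "locked out: inactive longer than inactivity-lockout"
    PASSWORD_EXPIRED_IN_GRACE = "password expired: may still be changed (password-grace)"
    PASSWORD_EXPIRED = "password expired: grace period used up"


def _check_days(name: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi} days")


@dataclass(frozen=True)
class LocalUserListPolicy:
    """List-wide settings; 0 disables a check, matching the CLI defaults."""
    inactivity_lockout_days: int = 0   # accepted range 0-365
    max_password_age_days: int = 0     # accepted range 0-365

    def __post_init__(self) -> None:
        _check_days("inactivity-lockout", self.inactivity_lockout_days, 0, 365)
        _check_days("max-password-age", self.max_password_age_days, 0, 365)


@dataclass(frozen=True)
class LocalUser:
    name: str
    last_activity: date          # last login, or the day the account was (re)enabled
    password_set: date
    password_grace_days: int = 0  # per-user password-grace, 1-5; 0 = no grace period

    def __post_init__(self) -> None:
        if self.password_grace_days:
            _check_days("password-grace", self.password_grace_days, 1, 5)


def evaluate(policy: LocalUserListPolicy, user: LocalUser, today: date) -> AccountState:
    """Decide whether the user may log in today. Inactivity is checked first,
    so an idle account stays locked even when its password is fine (assumed order)."""
    if policy.inactivity_lockout_days:
        if (today - user.last_activity).days > policy.inactivity_lockout_days:
            return AccountState.INACTIVITY_LOCKED
    if policy.max_password_age_days:
        expires = user.password_set + timedelta(days=policy.max_password_age_days)
        if today > expires:
            if today <= expires + timedelta(days=user.password_grace_days):
                return AccountState.PASSWORD_EXPIRED_IN_GRACE
            return AccountState.PASSWORD_EXPIRED
    return AccountState.ACTIVE


def reenable(user: LocalUser, today: date) -> LocalUser:
    """Model the `enable` command: the inactivity clock restarts today."""
    return LocalUser(user.name, today, user.password_set, user.password_grace_days)


def sample_scenarios() -> dict:
    """Constructed users evaluated on 2021-08-01 under a 90-day lockout / 60-day password age."""
    policy = LocalUserListPolicy(inactivity_lockout_days=90, max_password_age_days=60)
    today = date(2021, 8, 1)
    idle = LocalUser("svc-backup", date(2021, 4, 1), date(2021, 7, 15))            # 122 days idle
    fresh = LocalUser("alice", date(2021, 7, 31), date(2021, 7, 1))                 # password 31 days old
    in_grace = LocalUser("bob", date(2021, 7, 31), date(2021, 5, 30), 3)            # expired 07-29, grace to 08-01
    expired = LocalUser("carol", date(2021, 7, 31), date(2021, 5, 1))               # expired 06-30, no grace
    return {
        "idle": evaluate(policy, idle, today).name,
        "idle_reenabled": evaluate(policy, reenable(idle, today), today).name,
        "fresh": evaluate(policy, fresh, today).name,
        "in_grace": evaluate(policy, in_grace, today).name,
        "expired": evaluate(policy, expired, today).name,
        "checks_disabled": evaluate(LocalUserListPolicy(), idle, today).name,
    }


if __name__ == "__main__":
    for user, state in sample_scenarios().items():
        print(f"{user:16} {state}")
```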

TLS 1.3 Offload Support


TLS 1.3 offload support for SSLV was disabled in version 7.2.2.1. The feature is restored in this release.

Removal of Custom Diffie-Hellman Groups


For better security, custom Diffie-Hellman groups have been removed from TLS cipher suites.

Timezone Database Update


The timezone database has been updated to reflect changes in Release 2021a of the IANA timezone database.

Support for New Network Interface Card


The Silicom bypass driver has been updated to support the PE310G4BPI40-T Quad port Copper 10 Gigabit Ethernet PCI
Express Bypass Server Intel® x540 Based card.


New Maximum High Memory Threshold for Cloud Deployments


For ProxySG virtual appliances deployed in the cloud with Enterprise and Node-Locked licenses, the thresholds for high
memory pools have been increased to 1600 MB.

Increased Maximum Number of NICs on Virtual Appliances


The following types of ProxySG virtual appliances now support more virtual interfaces:

Platform  Maximum NICs
AWS       8
Azure     8
GCP       8
Hyper-V   8
KVM       16
VMware    10
Xen       8

Fixes in SGOS 7.3.4.1


SGOS 7.3.4.1 includes the following bug fixes.
For Security Advisory fixes, see Security Advisory Fixes in SGOS 7.x.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 73: Access Logging

ID Issue

SG-26885 Fixes an issue where Kafka uploads failed if a cluster had a large number of nodes.

Table 74: Admin Console

ID Issue

SGAC-2841 Fixes an issue where selections for sending service information (Administration > Service Information > Send
Information) were not displayed.
SGAC-2764 Fixes an issue where the Instant Save function did not work when entering Kerberos credentials in an IWA realm
configuration.
SGAC-2763 Fixes an issue where updated values in the Timeout request after field were not saved in an IWA realm
configuration.
SGAC-2702 Fixes an issue where disabling the Prefix IDP cookies setting in a SAML realm did not take effect after saving
the configuration.
SGAC-2702 Fixes an issue where showing Advanced Settings in an IWA realm displayed console errors.
SGAC-2693 Fixes an issue where the console erroneously reported conflicting proxy service listeners on the appliance.


Table 75: Authentication

ID Issue

SG-26727 Fixes an issue where the appliance stopped responding during LDAP realm destruction while attempting to clean
up a cached network socket used for LDAP searches.
SG-26994 Fixes an issue where the appliance was unresponsive due to incorrectly prioritizing certain processes.

Table 76: CLI Consoles

ID Issue

SG-25897 Fixes an issue where sometimes a kex protocol error would occur when running CLI commands.

Table 77: Cloud Platform

ID Issue

SG-26843 Fixes an issue where ZTP did not successfully set up an appliance.

Table 78: DNS Proxy

ID Issue

SG-25261 Fixes an issue where the appliance experienced a restart when attempting to free a pointer it had already freed.

Table 79: Health Monitoring

ID Issue

SG-25858 Fixes an issue where the Policy Services Communication Status was in a critical state after upgrading an
appliance with the MACH5 license to version 7.3.x. Previously, Policy Services was disabled by default for some
license types; now, it is enabled and available for all license types.

Table 80: HTTP Proxy

ID Issue

SG-26832 Fixes an issue where web isolation forwarding did not work if the appliance was upgraded from version 6.7.x to
7.3.2.
SG-25593 Fixes an issue where protocol detection didn't detect HTTP/2 when a server response was received before the
client connection. When this issue occurred, the log displayed "Cannot detect server speakfirst protocol".

Table 81: Kernel

ID Issue

SG-25602 Fixes an issue where Secure Web Gateway virtual appliances running on Microsoft Azure platforms stopped
responding.

Table 82: Policy

ID Issue

SG-26413 Fixes an issue where policy coverage reports showed inaccurate 'true' counts for unconditional rules in
scheduled layers (such as timed denials and access logging).
SG-25137 Fixes an issue where the appliance could not rewrite URLs that had empty HTML comments preceding them.

Table 83: SOCKS Proxy

ID Issue

SG-25580 Fixes an issue where SOCKS requests failed due to not being matched to the IP surrogate credential. This fix
requires using the new socks.authenticate.mode() policy action, as described in Features in SGOS 7.3.4.1.

Table 84: SSL Proxy

ID Issue

SG-23430 Fixes an issue where the appliance experienced high memory usage. This issue occurred in reverse proxy
mode with #(config service_name)attribute forward-client-cert enabled and Certificate
Policies extensions in use.

Table 85: SSL/TLS and PLI

ID Issue

SG-25640 Fixes an issue where the appliance became unresponsive when loading a trust package.
SG-25818 Fixes an issue where the appliance experienced a restart when attempting to install HSM configuration.

Table 86: TCP/IP and General Networking

ID Issue

SG-26111 Fixes an issue where users experienced slow loading pages or pages not loading due to high memory utilization
in TCP/IP.
SG-10571 Fixes an issue where the appliance dropped fragmented IPv6 NDP packets.
SG-26509 Fixes an issue where the ProxySG applications restarted frequently due to encrypted tap sessions not closing
correctly.
SG-25552 Fixes an issue where IPv6 UDP did not track destination addresses correctly.
SG-27101 Fixes an issue where the appliance stopped responding due to a bypassed connection with fragmented packets,
which had no TCP header.
SG-27115 Fixes an issue where adding NICs to a virtual appliance running on VMware ESXi changed the order of NICs.
SG-25955 Fixes an issue where the appliance experienced a restart due to the appliance marking the mbuf with a weak
INP.
SG-26308 Fixes an issue where the FreeBSD DHCP vulnerability described in CVE-2021-7461 could cause the appliance
to stop responding.
SG-25947 Fixes an issue where the appliance experienced a restart when the appliance had a large number of items in the
queue for the stack-ip-forward worker.

Table 87: URL Filtering

ID Issue

SG-25492 Fixes an issue where purging the databases of Intelligence Service subscription services changed the
previously configured download method.

Table 88: Web Application Firewall

ID Issue

SG-25723 Fixes an issue where interactions between the http.request.log.mask_by_name() and
http.request.detection.bypass_cache_hit() policy properties sometimes resulted in the
appliance not decoding the URLs of payloads during internal analysis.
SG-26127 Fixes an issue where the SQL injection engine incorrectly blocked some Chrome headers.

SGOS 7.3.3.3 PR
Release Information
• Release Date: June 28, 2021
• Build Number: 263824

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
ATTENTION
Support for Client Manager, ProxyClient, and Unified Agent will be removed in a future release.
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you begin
upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process, disable
FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your appliance will
not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Fixes in ProxySG 7.3.3.3


• This release includes a number of fixes. See Fixes in SGOS 7.3.3.3.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Fixes in SGOS 7.3.3.3


See Security Advisory Fixes in SGOS 7.x for security advisory fixes for this release.

SGOS 7.3.3.2 PR

Release Information
• Release Date: May 20, 2021
• Build Number: 262454

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
ATTENTION
Support for Client Manager, ProxyClient, and Unified Agent will be removed in a future release.
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you begin
upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process, disable
FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your appliance will
not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Fixes in ProxySG 7.3.3.2


• This release includes a number of fixes. See Fixes in SGOS 7.3.3.2.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Fixes in SGOS 7.3.3.2


SGOS 7.3.3.2 includes the following bug fix.

For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 89: SSL/TLS and PKI

ID Issue

SG-25328 Fixes an issue where the appliance would experience a restart when the appliance parsed all PSK
extensions regardless of the maximum TLS version for the client.

SGOS 7.3.3.1 GA
Release Information
• Release Date: April 28, 2021
• Build Number: 261578

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
ATTENTION
Support for Client Manager, ProxyClient, and Unified Agent will be removed in a future release.
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs. See SG-23187
in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you begin
upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process, disable
FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your appliance will
not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• When upgrading to version 7.3.2 and later, the HTTPS console's cipher suites configuration is preserved. In addition,
the following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.3.3.1


• SGOS 7.3.3.1 introduces new features and enhancements. See Features in SGOS 7.3.3.1.

Fixes in ProxySG 7.3.3.1


• This release includes a number of fixes. See Fixes in SGOS 7.3.3.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.3.1


SGOS 7.3.3.1 introduces the following new features:

Integrated Secure Gateway Enterprise Secure Web Gateway Virtual Appliance


A new Integrated Secure Gateway (ISG) Enterprise Secure Web Gateway Virtual Appliance (SWG VA) license is
supported for ProxySG VAs running on VMware’s vSphere Hypervisor. The ISG Enterprise SWG VA facilitates server
consolidation by co-existing with other virtual machines on a single hardware platform, including Symantec Content
Analysis. With the ISG SWG VA providing security, the other virtual machines can provide branch office services (such as
Domain Controller, print, DNS, and DHCP), as well as any VMware-certified software applications.
For more information, refer to the Integrated Secure Gateway Enterprise Secure Web Gateway Virtual Appliance
Deployment Guide.

New HTTP/2 Connection and Stream Counts in the Heartbeat Report


New counters have been added to the heartbeat report for HTTP/2 connections and streams.

Policy Optimizations
Hashed Conditions in Executable Policy
A new command has been added to enable or disable policy hash optimizations:
# (config) policy optimize-hash

The command applies to the url.domain= and server_url.domain= conditions. When enabled, lists of
url.domain= and server_url.domain= conditions, as well as various subnet and substitution conditions, are transformed
into a hashed condition in executable policy.
The following command was introduced in version 7.3.1:
# (config) policy optimize-tautology

When enabled, conditions that are determined to be constantly true or constantly false at compilation time are not
evaluated (they still appear in executable policy).
Policy Compilation Improvement
Compilation of policy that includes many user= conditions is improved. The policy compiler now optimizes user=
conditions into groups of case-sensitive and case-insensitive realms. A minimum of five qualifying conditions is required
for optimization into a group.
NOTE
Conditions that have variable criteria, such as substitutions rather than strings, are not optimized.
For more information, refer to the Command Line Interface Reference documentation.
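To show what the hashed-condition transformation buys, the following is an added Python illustration; it is not SGOS code and does not claim to mirror the policy compiler's internals. It evaluates a list of url.domain= conditions one at a time, then collapses the same list into a single hash-set probe over the request host's suffixes, which costs at most one lookup per label of the host regardless of how long the list is. The domain list and hosts are constructed samples.

```python
"""Added illustration, not SGOS code: a list of url.domain= conditions
evaluated one at a time, next to the same list collapsed into one hashed
condition.  A url.domain= test matches the host itself and any subdomain,
so a host with k labels has only k candidate suffixes to probe, however many
domains the list holds.  The domain list and hosts are constructed samples."""
from typing import Iterable, Optional


def normalize_domain(domain: str) -> str:
    """Canonical key: lower-case, no surrounding whitespace, no leading or
    trailing dot, so 'Intranet.Example.net.' and 'intranet.example.net'
    compare equal."""
    return domain.strip().lower().strip(".")


def linear_match(host: str, domains: Iterable[str]) -> Optional[str]:
    """Unoptimized form: one suffix comparison per listed domain."""
    host = normalize_domain(host)
    for entry in domains:
        d = normalize_domain(entry)
        # Require a label boundary so 'notexample.com' never matches 'example.com'.
        if host == d or host.endswith("." + d):
            return d
    return None


class HashedDomainCondition:
    """One hashed condition standing in for a whole list of url.domain= tests."""

    def __init__(self, domains: Iterable[str]) -> None:
        self._domains = {normalize_domain(d) for d in domains}
        # The longest listed domain bounds how many suffixes can match,
        # so longer hosts do not waste probes on suffixes that cannot be listed.
        self._max_labels = max((d.count(".") + 1 for d in self._domains), default=0)

    def match(self, host: str) -> Optional[str]:
        """Return the longest listed domain that covers host, or None."""
        labels = normalize_domain(host).split(".")
        # Probe host, then each parent: a.b.example.com -> a.b.example.com,
        # b.example.com, example.com, com.  Each probe is one set lookup.
        start = max(0, len(labels) - self._max_labels)
        for i in range(start, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._domains:
                return candidate
        return None

    def __len__(self) -> int:
        return len(self._domains)


# Constructed sample list standing in for a set of url.domain= conditions.
SAMPLE_DOMAINS = ["example.com", "Intranet.Example.net.", "corp.example.org"]


def strategies_agree(host: str) -> bool:
    """Self-check: both strategies must reach the same verdict for a host."""
    hashed = HashedDomainCondition(SAMPLE_DOMAINS)
    return (linear_match(host, SAMPLE_DOMAINS) is not None) == (hashed.match(host) is not None)
```

The label-boundary check in linear_match and the suffix-by-label probing in HashedDomainCondition are what keep the two forms equivalent: neither treats notexample.com as a match for example.com, which a naive string suffix test would.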

Web Visual Policy Manager Enhancements


This release includes the following web VPM enhancements:
Management Center Roles and Permissions
Management Center administrators can assign permissions to users, which determine whether users can:
• View, add, edit, and delete policy layers.
• View, add, edit, and delete policy layer guards.
• View, add, edit, and delete policy rules.
• View, add, edit, and delete specific VPM objects.
• View and use the following options in the Operations menu: Change Enforcement Domains, View All Objects, View
Generated CPL.

Improved Look and Feel


• The Update policy menu option to refresh generated CPL has been replaced with a 'refresh' icon. When you use the
icon to refresh the CPL, the VPM notifies you of the change with a message, "Successfully refreshed generated CPL."
• All policy rule menu options now have icons:

Fixes in SGOS 7.3.3.1


SGOS 7.3.3.1 includes the following bug fixes.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 90: Access Logging

ID Issue

SG-25675 Fixes an issue where an existing access log facility could not be deleted.

Table 91: Authentication

ID Issue

SG-25138 Fixes an issue where the appliance stopped responding after writing some <admin> layer policy.
SG-25860 Fixes an issue where the appliance had a hardware exception when the XML authentication realm contained a
parsing issue.

Table 92: Cache Engine

ID Issue

SG-25363 Addresses potential denial of service attacks when there was a high number of simultaneous URL-based
searches in /CE/Listing_Form.

Table 93: CLI Consoles

ID Issue

SG-25564 Fixes an issue where attempting to view Advanced URLs resulted in an "Encrypted token has expired" message.
This issue occurred when logging in to the console with a non-local admin user.

Table 94: Health Monitoring

ID Issue

SG-23967 Fixes an issue where the appliance stopped responding when starting up in standalone mode.

Table 95: HTTP Proxy

ID Issue

SG-22988 Fixes an issue where requests including both the Content-Length and Transfer-Encoding headers were
forwarded to the OCS. Now, the Transfer-Encoding: identity header is removed from such requests before being
forwarded.
SG-25957 Fixes an issue where users could not access alldata.com after an upgrade to version 7.3.
SG-25953 Fixes an issue where the appliance had a software exception when policy included
ssl.forward_proxy(yes) and a deferred transaction was denied.
SG-25612 Fixes an issue where protocol detection failed to detect HTTPS with TLS 1.3 post handshake messages, and the
HTTP logs contained "Cannot detect server speakfirst protocol" messages.
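The handling SG-22988 describes, as an added Python example that is not SGOS code: a request carrying both Content-Length and Transfer-Encoding is ambiguously framed, and two parsers in the chain can disagree about where the body ends, so the proxy must settle the framing before forwarding. As in the fix, a lone Transfer-Encoding: identity is stripped and the body is framed by Content-Length. Rejecting every other combination is this example's own choice, following RFC 7230 section 3.3.3, and is not something the release note states. The requests are constructed samples.

```python
"""Added example, not SGOS code: settling ambiguous body framing before a
request is forwarded.  When Content-Length and Transfer-Encoding are both
present, a lone 'identity' coding is dropped and the body framed by
Content-Length (the behaviour SG-22988 describes); any other combination is
rejected, this example's choice following RFC 7230 section 3.3.3.
Sample requests are constructed."""
from typing import List, Tuple

Header = Tuple[str, str]


class RequestRejected(ValueError):
    """The request cannot be forwarded safely."""


def parse_request(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split a raw request into request line, header pairs and body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RequestRejected("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject obs-fold continuations and whitespace before the colon,
        # both of which different parsers interpret differently.
        if not colon or not name or name != name.strip():
            raise RequestRejected(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return lines[0], headers, body


def header_values(headers: List[Header], name: str) -> List[str]:
    """All values of a header, matched case-insensitively by name."""
    return [v for n, v in headers if n.lower() == name]


def normalize_framing(headers: List[Header]) -> List[Header]:
    """Return headers with exactly one unambiguous body-length mechanism."""
    content_length = header_values(headers, "content-length")
    transfer_encoding = header_values(headers, "transfer-encoding")
    if any(not v.isdigit() for v in content_length) or len(set(content_length)) > 1:
        raise RequestRejected("invalid or conflicting Content-Length")
    if transfer_encoding and content_length:
        codings = [c.strip().lower() for v in transfer_encoding for c in v.split(",")]
        if codings == ["identity"]:
            # 'identity' applies no transformation, so removing it leaves
            # Content-Length as the only framing, as the fix does.
            return [(n, v) for n, v in headers if n.lower() != "transfer-encoding"]
        raise RequestRejected("Content-Length and Transfer-Encoding both present")
    return headers


def sanitize_request(raw: bytes) -> bytes:
    """Parse, normalize framing and re-serialize; raises RequestRejected."""
    request_line, headers, body = parse_request(raw)
    headers = normalize_framing(headers)
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body
```

Duplicate Content-Length headers with differing values are rejected for the same reason as the CL/TE mix: the body length would depend on which copy a downstream parser happens to honour.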

Table 96: ICAP

ID Issue

SG-19774 Fixes an issue where "Request timed out" errors were incorrectly reported when ICAP connections were closed
on the server side. Now, the ICAP error states "Failed due to dropped connection".

Table 97: Kernel

ID Issue

SG-19721 Fixes an issue where the appliance stopped responding when there was a high number of HTTP/S connections
on the appliance.

Table 98: Management Console

ID Issue

SG-25199 Fixes an issue where the Management Console exited with an error message, "SSL protocol negotiation failed.
Logging out from Management Console".

Table 99: Policy

ID Issue

SG-25255 Fixes an issue where the Management Console exited with an error message, "SSL protocol negotiation failed.
Logging out from Management Console".
SG-25472 Fixes an issue where a define condition did not match if it included more than four user= conditions.

Table 100: Reverse Proxy

ID Issue

SG-25442 Fixes an issue where existing forwarding host names could not be edited to exceed 64 characters.

Table 101: SSL/TLS and PKI

ID Issue

SG-25924 Fixes an issue where the appliance stopped responding after deleting an SSL keyring.

Table 102: SSL Proxy

ID Issue

SG-13361 Fixes an issue where authentication sessions persisted across browser sessions. Now, users are prompted to
authenticate each new browser session.
SG-25006 Fixes an issue where users received an "EXCEPTION(tcp_error): Request could not be handled" message when
a site required a client certificate.
SG-25594 Fixes an issue where some SSL tunnel transactions were allowed although they were denied in policy. This issue
occurred if protocol detection for SIPS was enabled and policy included deny actions based on response.

Table 103: TCP/IP and General Networking

ID Issue

SG-24139 Fixes an issue where outgoing connections intermittently went to an incorrect interface.
SG-23835 Fixes an issue where users experienced slow browsing due to a large number of failed DNS lookups on the
appliance.
SG-26046 Fixes an issue where the serial console showed error message "Apply__DNS_fwd() ERRO DNS fibnum = 0"
when the appliance booted up. The issue occurred because DNS forwarding group names were truncated if they
were 16 characters or more in length.

Table 104: URL Filtering

ID Issue

SG-25892 Fixes an issue where user requests were denied due to a content_filter_denied exception that matched in
error. This issue occurred after an upgrade from version 7.2.3.
SG-25752 Fixes an issue where application attributes policy was not enforced. This occurred when application classification
or access logging was disabled.

SGOS 7.3.2.1 GA
Release Information
• Release Date: March 3, 2021
• Build Number: 259959

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
ATTENTION
Support for Client Manager, ProxyClient, and Unified Agent will be removed in a future release.
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.x might cause unexpected behavior with configured HSMs.
See SG-23171 in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.x. If you begin
upgrading to 7.3.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process, disable
FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.x without disabling FIPS mode, your appliance will
not function as expected.
• If you are downgrading from ProxySG 7.3.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.x, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• When upgrading to version 7.3.2, the HTTPS console's cipher suites configuration is preserved. In addition, the
following TLS 1.3 high-strength cipher suites are enabled by default:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.x from an earlier version 7.x or from version 6.7.4.4 or later. If upgrading from version 6.7.4.2 or
earlier, an interim upgrade to version 6.7.4.3 might be required. To determine whether you can upgrade directly to
version 6.7.4.4, refer to KB Article 18536.
– Downgrade from 7.3.x to an earlier version 7.x or to version 6.7.4.4 or later.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.3.2.1


• SGOS 7.3.2.1 introduces new features and enhancements. See Features in SGOS 7.3.2.1.

Fixes in ProxySG 7.3.2.1


• This release includes a number of fixes. See Fixes in SGOS 7.3.2.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.2.1


SGOS 7.3.2.1 introduces the following new features:

Zero Touch Provisioning for ProxySG Deployments


Zero Touch Provisioning (ZTP) allows you to easily deploy ProxySG appliances or virtual appliances without using the
terminal to configure the deployment. Instead, you prepare a ZTP payload containing the configuration and environment
details, and provide the payload to the appliance. Additionally, if you are using Management Center to manage your
appliances, ZTP can automatically register the appliance with Management Center.
NOTE
ZTP can only be performed on an appliance that is in a factory-reset state.
ZTP is available for all physical ProxySG S-series appliances and the following virtual platforms:
• AWS
• Azure
• Cisco Cloud Services Platform
• ESXi
• KVM
• Microsoft Hyper-V
NOTE
ZTP is not currently available for ProxySG applications running on Integrated Secure Gateway.

ProxySG Admin Console 1.2.1.1


The ProxySG Admin Console, introduced with SGOS 7.2.1.1 GA, has been updated with:
• Statistics graphs have been added (Dashboards > Home).
• Explicit HTTP and External HTTP services now include an Expect Proxy Protocol option; see Proxy Protocol
Support below for more information.
• Isolation configuration (Administration > Data Services > Isolation) supports sending the Appliance ID in the HTTP
headers of traffic forwarded to the isolation service.
The ProxySG Admin Console is not associated with SGOS releases; thus, you can use these new features without having
to change your SGOS version. See About the ProxySG Admin Console for compatibility information.
Full information:
• ProxySG Administration (Admin Console Edition)
• Management Center Configuration and Management Guide, version 2.4 or later

Proxy Protocol Support


The DNS, HTTP, HTTPS, RTSP, SOCKS, SSL, TCP, and Telnet services now include an Expect Proxy Protocol option.
When enabled, the appliance looks for the originating IPv4 or IPv6 addresses in the Proxy Protocol request header. If
Proxy Protocol is supported on the OCS and available, the proxy then includes the originating address in the request.
The IP address is used for the effective client IP address in policy; refer to the Visual Policy Manager Reference or
Content Policy Language Reference for more information.
When Expect Proxy Protocol option is enabled and Proxy Protocol is not supported on the OCS or is unavailable, the
request header is unchanged.
In the CLI, configure Expect Proxy Protocol with the following command:
# (config proxy_service_name) attribute expect-proxy-protocol {disable | enable}
To learn about the Proxy Protocol, refer to https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt.
Full information:
• SGOS Administration Guide
• Command Line Interface Reference
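Parsing the header that Expect Proxy Protocol relies on, as an added Python example that is not SGOS code: a listener that trusts the Proxy Protocol line is taking a client address from the upstream on faith, so the parser must accept only a well-formed v1 line and the receiver must only honour it from an upstream it expects. The v1 line format is taken from the haproxy specification linked above; the trust-by-peer-address rule in effective_client_ip is an assumption about deployment, and all headers and addresses are constructed samples.

```python
"""Added example, not SGOS code: parsing the PROXY protocol v1 header that a
listener with Expect Proxy Protocol enabled reads to learn the originating
address, and refusing anything malformed.  v1 line format, per the haproxy
specification:
    PROXY <TCP4|TCP6|UNKNOWN> <src_addr> <dst_addr> <src_port> <dst_port>\\r\\n
with the whole line at most 107 bytes and no addresses after UNKNOWN.
All headers and addresses below are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

MAX_V1_LEN = 107  # bytes, including the CRLF


class ProxyProtocolError(ValueError):
    """Raised for any deviation so a bad header never becomes a client IP."""


@dataclass(frozen=True)
class ProxyHeader:
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]     # None for UNKNOWN
    dst_addr: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_v1(data: bytes) -> Tuple[ProxyHeader, bytes]:
    """Parse the leading v1 header and return (header, bytes after it)."""
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_LEN:
        raise ProxyProtocolError("missing CRLF or header too long")
    line, rest = data[:end], data[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ProxyProtocolError("no PROXY signature")
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyProtocolError("non-ASCII header") from exc
    if fields[1] == "UNKNOWN":
        # Sender could not identify the peer: keep the connection, but the
        # line carries no address worth trusting.
        return ProxyHeader("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError("bad field count or address family")
    want_version = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    except ValueError as exc:
        raise ProxyProtocolError("unparseable address") from exc
    if src.version != want_version or dst.version != want_version:
        raise ProxyProtocolError("address does not match declared family")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyProtocolError("non-numeric port")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if src_port > 65535 or dst_port > 65535:
        raise ProxyProtocolError("port out of range")
    return ProxyHeader(fields[1], str(src), str(dst), src_port, dst_port), rest


def effective_client_ip(data: bytes, peer_ip: str, trusted_senders: Set[str]) -> str:
    """Honour the PROXY source address only when the TCP peer is a trusted
    upstream (assumption: trust keyed on peer address, a common deployment
    rule); otherwise the peer itself is the client."""
    if peer_ip not in trusted_senders:
        return peer_ip
    header, _ = parse_v1(data)
    return header.src_addr or peer_ip
```

The family check matters as much as the syntax check: a line declaring TCP4 but carrying an IPv6 literal is a sign the sender and receiver disagree, and using either address for policy would attribute traffic to the wrong client. An untrusted peer that nonetheless sends a PROXY line is reported as itself; its header bytes are left for the application parser to reject.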

Proxy Service Drop and Reject Actions


• Proxy service listeners now support two more default actions:
– # (config proxy_service) drop [all|<source_ip>|<source_ip/subnet_mask>] transparent|explicit|all|<destination_ip>|<destination_ip/subnet_mask> <port>|<first_port>-<last_port>
Silently drop matching incoming packets.
– # (config telnet_proxy_service) reject [all|<source_ip>|<source_ip/subnet_mask>] transparent|explicit|all|<destination_ip>|<destination_ip/subnet_mask> <port>|<first_port>-<last_port>
Respond to the sender indicating that the packet was rejected.
Respond to the sender indicating that the packet was rejected.
These actions are added to the DNS, FTP, FTPS, HTTP, HTTPS reverse proxy, MMS, SOCKS, SSL, TCP Tunnel, and
UDP Tunnel proxy services.
Full information:
• Command Line Interface Reference

UDP Proxy Enhancements


This release supports a UDP-Tunnel proxy service, which allows basic visibility and control of UDP flows through the
appliance.
Use the following CLI:
# (config proxy-services)
# (config proxy-services) create udp-tunnel udp_proxy_service [service_group]
# (config proxy-services) edit udp_proxy_service

You can add listeners to the UDP proxy service and set listener actions to bypass, drop, or reject.
Full information:
• Command Line Interface Reference

User Agent Match Object for Web VPM


A new User Agent Match Web Visual Policy Manager (VPM) object has been added for the existing
request.header.User-Agent= CPL condition. Use the object to test the User-Agent request header: select a browser
from a list and optionally specify a regular expression for the type and version.


Full information:
• Web Visual Policy Manager Reference

Diagnostic Probe Enhancements


The define probe definition has the following enhancements:
• The existing limit attribute is now tenant-specific when the probe definition is included in the tenant policy file.
• The new limit.reset attribute resets the diagnostic probe limit after the specified number of seconds. If
unspecified, the diagnostic probe does not reset.
Refer to the following example of usage:
define probe case123
condition=my_traffic_selection
scope=session
target=http:debug,ssl:all
policy_trace=yes
limit=10
limit.reset=10
expiry=20220101:2350
end


New Trace Logging Level


A new trace logging level has been added:
#(config event-log)level trace
Full information:
• Command Line Interface Reference

Absolute Management Console Session Timeout


A new command allows you to enable or disable an absolute timeout for all Management Console sessions:
#(config)security management [no] absolute-web-timeout <minutes>

where minutes is a value from 15 to 43200.


The appliance terminates all Management Console sessions after the specified timeout period. For best security, use this
command to require users to re-authenticate to the Management Console after the timeout.
Full information:
• Command Line Interface Reference

Clear the Serial Number When Restoring Factory Defaults


You now have the option to clear virtual appliance serial numbers when restoring factory defaults:
# restore-defaults factory-defaults [clear-va-serial]

HTTP/2 Enhancements and Changes


This release includes the following HTTP/2 enhancements and changes:
• HTTP/2 response headers up to 1 MB are supported.
• HTTP/2 responses with large headers no longer cause an error.
• The default value of http2.client_max_concurrent_streams() is changed to 0. The previous default was 100
(according to bug) or 15 (according to CLI guide).
• The http2.client.accept() property does not apply when it is guarded with
client.connection.ssl_server_name= for HTTPS reverse proxy transactions.

TCP/IP Enhancements and Changes


This release includes the following TCP/IP enhancements and changes:
• You can use the following command to specify the algorithm to use for TCP congestion avoidance:
# (config) tcp-ip congestion-algorithm {cubic | htcp | newreno}
• IPv4 Path MTU Discovery support has been updated to reflect latest standards.
• The appliance has improved detection of out-of-order packets, allowing throughput to remain high.
• The appliance supports RFC2883, which extends TCP SACK support.

DNS Transaction Access Log Fields


The following access log fields were added to help track HTTP transaction times:
• x-client-dnslookup-time : Total time taken (in ms) to perform the client DNS lookup.
• x-server-dnslookup-time : Total time taken (in ms) to perform the server DNS lookup.


New HTTP Dwell Time Statistics


The following counters have been added for dwell time statistics:
• Transactions performing static and dynamic categorization
• Transactions performing authentication and authorization, and server authentication
• Transactions performing various upstream, downstream, and reverse proxy handshakes
• Transactions determining object disposition
• Transactions performing DNS lookup for clients and servers

Troubleshooting Improvements
• HTTP/2 connection and stream counters have been added to the heartbeat report.
• Port numbers are now available in the policy trace output.
• Kerberos 5 replay attack error messages in the event log now include the client IP address.

Other Enhancements and Changes


• You can now view your entitlements via the Management Console. Select Maintenance > Licensing > Install and
click View Entitlements. The console opens the MyBroadcom portal, where you can log in with your MyBroadcom
credentials. View Entitlements replaces the previous Register/Manage option.
• For best security, CBC cipher suites are now disabled by default for the HTTPS management console.
• Performance is improved when bridging packets on machines with more than 8 cores.
• Performance of dynamic bypass and asymmetric bypass are improved when higher maximum entries are configured.
• Protocol detection is now enabled by default when:
– Creating a new HTTP/S proxy service and on new installations
– Performing a restore-defaults
The protocol detection setting on existing built-in and user-defined HTTP/S proxy services persists after an upgrade.

Deprecations and Removals


• This release removes support for Space Communications Protocol Specification (SCPS). The # (config) tcp-ip
scps commands are no longer available.
• The following commands were removed:
# (config) tcp-ip tcp-loss-recovery-mode {aggressive | enhanced | normal}
# (config) tcp-ip tcp-newreno {disable | enable}
These commands are replaced by # (config) tcp-ip congestion-algorithm; see TCP/IP Enhancements
and Changes for information.
• Support for Novell SSO, CA eTrust SiteMinder, and Oracle COREid authentication realms is deprecated. You can no
longer configure new or existing realms through the Management Console; you can configure existing realms through
the CLI.

Fixes in SGOS 7.3.2.1


SGOS 7.3.2.1 includes the following bug fixes.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.


Table 105: Access Logging

ID Issue

SG-22694 Fixes an issue where the appliance restarted due to multiple log upload threads attempting to simultaneously initialize the SSL cryptographic parameters.
SG-18288 Fixes an issue where access logs using a custom log format could not be uploaded via Kafka client to the broker.
SG-24708 Fixes an issue where the HTTP transaction timing fields (x-cs-rp-https-handshake-time, x-cs-https-handshake-time, and x-sr-https-handshake-time) in the access log generated a "-" or a "0" in log output regardless of the latency from the client or server.

Table 106: Admin Console

ID Issue

SGAC-2591 Fixes an issue where the console did not reflect changes to the User Overflow Action option in General Proxy
Settings.
SGAC-2577 Fixes an issue where offline download could not be configured for the geolocation database.
SGAC-2574 Fixes an issue where net 10.10.10.10/24 could not be saved as a packet capture filter expression.
SGAC-2446 Fixes an issue where disabled fields in the Admin Console did not appear to be disabled. Disabled fields now
look disabled, consistent with behavior in the Management Console.
SGAC-2306 Fixes issues with Windows Domain configuration:
• The console no longer incorrectly indicates that there are no changes to be saved.
• When joining a domain, the console now shows the operation is in progress.

Table 107: Authentication

ID Issue

SG-17630 Upgrades Kerberos libraries to fix multiple known CVEs.
SG-23878 Addresses an issue where authenticated users were allowed to access the HTTPS-Console service even though Management Console login banner (Notice and Consent Banner) policy was configured in the VPM. This occurred if CPL policy layers were not ordered correctly.
SG-23208 Fixes an issue where the appliance experienced high memory usage in HTTP policy evaluation.
SG-22754 Fixes an issue where users received "Appliance Error (configuration_error). Your request could not be processed because of a configuration error. 'User has been logged out.'" This issue occurred when surrogate credentials expired with SAML authentication.
SG-21796 Addresses an issue where the appliance experienced a page fault (error code 0x4) within process "libauthenticator.exe.so" (0x40015).
SG-23983 Fixes an issue where the appliance experienced high CPU and memory consumption due to fragmentation in the bget heap.
SG-23880 Addresses an issue where the appliance restarted after memory was released for an invalid memory pointer.
SG-23666 Fixes an issue where the web VPM session persisted without user re-authentication after the Management Console session expired according to the #(config) security management absolute-web-timeout setting.
SG-23644 Fixes an issue by adding the IP address of the client to the event log message when the appliance receives a Krb5 replay error.


Table 108: Cache Engine

ID Issue

SG-23589 Fixes an issue where the appliance restarted due to the appliance not re-evaluating entries in the hash table.

Table 109: FTP Proxy

ID Issue

SG-4624 Fixes an issue where the s-action access log field was sometimes not populated.

Table 110: Health Checks

ID Issue

SG-22815 Fixes a timing issue where the appliance stopped responding when modifying an access log facility.
SG-23269 Fixes an issue where a restart occurred in a forward proxy deployment that included HSMs.

Table 111: HTTP Proxy

ID Issue

SG-18817 Fixes an issue where the browser did not display full exception details when the default policy was set to deny
and the TCP Tunnel service had protocol detection enabled.
SG-20969 Addresses an issue where the appliance experienced a restart in the HTTP process when reading a response
from ICAP.
SG-23441 Fixes an issue where some webpages would not render correctly when an SSL Visibility appliance was
decrypting traffic.
SG-14408 Fixes an issue where Websocket tunnels inflated some HTTP transaction time statistics.
SG-22779 Addresses an issue where the appliance experienced a restart after receiving an invalid request when using
HTTP/2 and SSLV offload.
SG-23197 Addresses an issue where the appliance experienced a restart when there were multiple concurrent HTTP/2
requests and the web server closed the connection.
SG-23178 Fixes an issue where the limit set in http2.client.max_concurrent_streams() did not apply
immediately to new HTTP/2 connections.
SG-20158 Fixes an issue where certain ICAP threads were not terminated and caused memory leaks.
SG-24969 Fixes an issue where browsing to facebook.com returned error 502: Content Encoding Error.
SG-22988 Fixes an issue where requests including both the Content-Length and Transfer-Encoding headers were
forwarded to the OCS. Now, the Transfer-Encoding: identity header is removed from such requests before being
forwarded.

Table 112: ICAP

ID Issue

SG-23811 Fixes an issue where the response time for health checks was longer than expected when the appliance was
sending Content Analysis traffic to the ICAP broker.


Table 113: Management

ID Issue

SG-24442 Fixes an issue where upgrading from version 6.7.4 to 7.2 did not preserve the previous non-default HTTPS
console ciphers configuration or enable TLS 1.3 by default. This issue occurred if non-default SSL protocols
were selected for the HTTPS console. If the appliance was never upgraded to 7.2.x or 7.3.x previously,
upgrading to this release will preserve the previous ciphers selection and enable TLS 1.3 by default. To apply
the fix if the appliance was previously upgraded to 7.2.x or 7.3.x, you must remove the existing SGOS 7.x
configuration before upgrading. Issue the #remove-sgos7-config command, restart the appliance, and
then install this release.

Table 114: Performance

ID Issue

SG-21976 Fixes an issue where ProxySG instances running on Hyper-V and Azure experienced a 20% reduction in traffic
throughput. The issue occurred after changes were made to the Hyper-V paravirtual network driver in version
7.2.2.

Table 115: Policy

ID Issue

SG-21244 Fixes an issue where exception pages rendered incorrectly when they were larger than 8000 bytes.
SG-24326 Fixes an issue where accessing the /dme/configuration advanced URL caused the license key auto-update
feature to be enabled when it was originally set to disabled.
SG-24288 Fixes an issue where authenticating traffic via NTLM with BCAAA did not work.

Table 116: Proxy Forwarding

ID Issue

SG-23369 Fixes an issue where forwarding groups did not balance the load equally when members of the group were in a
failure state.

Table 117: SSL/TLS and PKI

ID Issue

SG-24065 Fixes an issue where the appliance incorrectly listed the DHE-DSS-DES-CBC3-SHA cipher strength as High
instead of Medium.
SG-24931 Fixes an issue where revoked intermediate certificates were added to the cached intermediate certificate list.
SG-24947 Addresses an issue where the appliance experienced a restart when multiple SSL connections are opened. The
issue occurred due to changes made for SSL session ticket support in version 7.3.1.


Table 118: SSL Proxy

ID Issue

SG-22312 Fixes an issue where a memory leak occurred when MS-TURN traffic was detected.
SG-23828 Fixes an issue where the appliance experienced a memory leak when handling HTTPS reverse proxy traffic with forward-client-cert enabled.
SG-2311 Fixes an issue where cached intermediate CA certificates caused certificate expiration errors even when the certificate expiration date was updated. Now, the certificate with an updated expiration date replaces the certificate in the cache.
SG-23380 Fixes an issue where server.certificate.validate.ccl() did not apply to SSL tunnel transactions.
SG-23117 Fixes an issue where handshake failure occurred when using Java applications. This issue occurred if TLS 1.3 was enabled and protocol detection was disabled on the appliance.

Table 119: TCP/IP and General Networking

ID Issue

SG-24546 Addresses an issue where a restart occurred when Routing Information Protocol (RIP) was in use.
SG-24706 Addresses an issue where a restart occurred when a packet capture was initiated from the ProxySG Admin Console that included a very large filter expression.
SG-24034 Fixes an issue where the appliance did not indicate that WCCP did not start after a reboot. Now, when WCCP does not start after a reboot, error messages are logged in the debug log.
SG-24810 Fixes an issue where the appliance experienced a restart when an HTTP/2 transaction could not be completed due to a null socket.
SG-24291 Fixes a number of implementation issues in dynamic bypass and asymmetric bypass that might have led to a restart.

Table 120: URL Filtering

ID Issue

SG-24231 Fixes an issue where the appliance experienced a restart when testing a URL category in the format of an email
address (for example, "/ContentFilter/TestUrl/[email protected]").
SG-23245 Fixes an issue where a requested URL matched policy for "None" category even though the URL was
categorized in the local database.
SG-20587 Fixes an issue where categorization timing information was not displayed correctly in the access log.


SGOS 7.3.1.1 GA
Release Information
• Release Date: November 12, 2020
• Build Number: 256495
NOTE
SGOS is cumulative. SGOS 7.3.1.1 is based on the SGOS 7.2.3.1 release. In addition, this release includes all
features and fixes that were included in the 6.7.5.7 release.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
ATTENTION
Support for Client Manager, ProxyClient, and Unified Agent will be removed in a future release.
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.1.x might cause unexpected behavior with configured HSMs.
See SG-23171 in Known Issues in SGOS 7.x for more information.
• ProxySG 7.3.1.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.3.1.1. If you
begin upgrading to 7.3.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.3.1.1 without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.3.1.1 to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.3.1.1, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference .
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.3.1.1 from an earlier version 7.x or from version 6.7.4.4 or later. If upgrading from version 6.7.4.2 or
earlier, an interim upgrade to version 6.7.4.3 might be required. To determine whether you can upgrade directly to
version 6.7.4.4, refer to KB Article 18536.
– Downgrade from 7.3.1.1 to an earlier version 7.x or to version 6.7.4.4 or later.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.3.1.1


• SGOS 7.3.1.1 introduces new features and enhancements. See Features in SGOS 7.3.1.1.

Fixes in ProxySG 7.3.1.1


• This release includes a number of fixes. See Fixes in SGOS 7.3.1.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.3.1.1


SGOS 7.3.1.1 introduces the following new features:

Symantec Web Isolation


The Symantec Web Isolation solution is a client-less solution that lets users browse the internet safely on any device
using any browser. The zero footprint negates the need for software installation on clients. Starting in SGOS 7.3.x, you
can easily configure the ProxySG appliance to send HTTP and HTTPS requests to Symantec Web Isolation.
You can configure the appliance with your existing dedicated cloud or on-premises isolation service. This requires
configuration through the command line interface (CLI) and Visual Policy Manager (VPM) or content policy language
(CPL) policy.
NOTE
In the future, the Symantec cloud Web Isolation service will also be available for customers who do not have a
dedicated web isolation service.
More information:
• KB article for configuration instructions: https://knowledge.broadcom.com/external/article/201609
• Content Policy Language Reference
• Command Line Interface Reference
• Web Visual Policy Manager Reference

ProxySG Admin Console 1.1.3.1


The ProxySG Admin Console, introduced with SGOS 7.2.1.1 GA, has been updated with:
• SAML authentication realm configuration
• geolocation configuration
• Web Isolation configuration
The ProxySG Admin Console is not associated with SGOS releases; thus, you can use these new features without having
to change your SGOS version. See About the ProxySG Admin Console for compatibility information. More information:
• ProxySG Administration (Admin Console Edition)
• Management Center Configuration and Management Guide, version 2.4 or later

Policy Coverage Updates


• In previous releases, policy coverage statistics were reset to zero after policy was re-installed. Now, statistics persist
after policy re-installations. In a multi-tenant deployment, policy coverage statistics are maintained separately per
tenant and persist after tenant policy re-installation.
• In previous releases, policy coverage showed statistics for the policy that is currently installed. Now the feature also
shows cumulative statistics that include coverage from previous policy versions.
Access current statistics at Statistics > Advanced > Policy > Show Current Policy Coverage or https://<ProxySG_IP_address>:8082/policy/current-coverage.
Access cumulative statistics at Statistics > Advanced > Policy > Show Policy Coverage or https://<ProxySG_IP_address>:8082/policy/coverage.
More information:
• How can I find which policy rules are being used?
• Content Policy Language Reference

Policy Compile Behavior Changes


When installing policy (CPL, legacy visual policy, or web visual policy), warnings might appear at compile time to reinforce
the following recommendations for accurate policy coverage statistics:
• (CPL only) All policy sections should have labels
• (CPL only) All policy layers should have labels, and policy layers of the same type should have unique labels
• Rules in the same layer can't have the same conditions


If policy contains layers or sections with the same name, installing policy results in the message: "Warning: Coverage
may not be consistent across policy versions: duplicate layer/section label". Assign unique labels to layers and sections to
easily identify policy rules and ensure the continuity of cumulative policy coverage statistics.
If a policy layer contains rules with identical conditions, installing policy results in the message for the subsequent rule(s):
"Warning: Unreachable rule, conditions will be matched by a preceding rule". Make sure that rule conditions are unique,
so that policy coverage does not record duplicate statistics.
More Information:
• Content Policy Language Reference
• Web Visual Policy Manager Reference and Legacy Visual Policy Manager Reference
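The two warnings can be reproduced with a small checker over a simplified model of policy. The code below is an added example written for these notes, not the appliance's policy compiler: a layer is a type, a label and an ordered list of rules, and each rule is the set of its condition strings. It goes one step beyond the text in that it also flags a rule whose conditions are a strict superset of an earlier rule's, since in a first-match layer such a rule can never fire either.

```python
from collections import Counter
from typing import FrozenSet, List, NamedTuple, Sequence


class Layer(NamedTuple):
    kind: str                        # layer type, e.g. "<proxy>" or "<ssl>"
    label: str                       # "" when the layer carries no label
    rules: Sequence[FrozenSet[str]]  # each rule is the set of its condition strings


# Warning texts quoted from the release notes above.
DUP_LABEL = "Warning: Coverage may not be consistent across policy versions: duplicate layer/section label"
UNREACHABLE = "Warning: Unreachable rule, conditions will be matched by a preceding rule"


def lint_policy(layers: List[Layer]) -> List[str]:
    """Return the compile-time warnings this simplified model would raise for a policy."""
    warnings: List[str] = []

    # 1. Labels: every layer should have one, and layers of the same type need unique ones,
    #    otherwise cumulative coverage statistics cannot be matched across policy versions.
    for layer in layers:
        if not layer.label:
            warnings.append(f"Warning: unlabelled {layer.kind} layer")
    counts = Counter((layer.kind, layer.label) for layer in layers if layer.label)
    for (kind, label), n in counts.items():
        if n > 1:
            warnings.append(f"{DUP_LABEL}: {label} ({kind}, {n} layers)")

    # 2. Reachability: within a layer the first matching rule wins, so a rule whose
    #    condition set equals, or is a superset of, an earlier rule's can never match.
    #    (An earlier rule with no conditions at all matches everything.)
    for layer in layers:
        for idx, rule in enumerate(layer.rules):
            for prev_idx, prev in enumerate(layer.rules[:idx]):
                if prev <= rule:
                    name = layer.label or layer.kind
                    warnings.append(
                        f"{UNREACHABLE}: {name} rule {idx + 1} is shadowed by rule {prev_idx + 1}"
                    )
                    break
    return warnings
```

Conditions are compared as opaque strings, so the checker sees "url.domain=example.com" and "url.domain=EXAMPLE.COM" as different; a real compiler normalises condition values before comparing them.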

Additional Supported Apparent Data Types


The ProxySG appliance detects more apparent data types in HTTP requests and responses. The following types are now
supported in apparent data type CPL properties and conditions:

Table 121: New apparent data types supported in this release

Label Description Common Extensions

7ZIP 7-Zip archive .7z
ACE ACE archive .ace
ARJ ARJ archive .arj
COMPRESS compress compressed file .Z (different from .z)
CPIO cpio archive .cpio
DAA Direct Access Archive .daa
EGG EGG archive .egg
EML raw email .eml, .mht, .mhtml
LHA LHA archive .lha, .lzh
LZIP Lzip compressed file .lz
MACH-O macOS application or library
TNEF file encoded in Microsoft Transport-Neutral Encapsulation Format .dat, .tnef
UUE file encoded with uuencode or xxencode .uu, .uue, .xx, .xxe
XAR Extensible Archive Format .mpkg, .pkg, .xar
XZ .xz

More Information:
• Content Policy Language Reference
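The following Python is an added example of content-based detection for the binary types in the table, using their publicly documented magic bytes; it is not the appliance's detection logic and does not cover EML, whose text structure has no single signature. The disguised helper and the extension map built from the table are assumptions of the example; together they show why apparent data type, rather than the filename or Content-Type header, is the right thing to write policy against.

```python
import re
from typing import Optional

# (label, offset, magic bytes): publicly documented file signatures for the table's types.
SIGNATURES = [
    ("7ZIP", 0, b"7z\xbc\xaf\x27\x1c"),
    ("ACE", 7, b"**ACE**"),
    ("ARJ", 0, b"\x60\xea"),
    ("COMPRESS", 0, b"\x1f\x9d"),
    ("CPIO", 0, b"070701"),            # SVR4 "newc" ASCII header
    ("CPIO", 0, b"070702"),            # newc with CRC
    ("CPIO", 0, b"070707"),            # portable ASCII (odc)
    ("CPIO", 0, b"\xc7\x71"),          # old binary, little-endian magic 070707
    ("DAA", 0, b"DAA\x00"),
    ("EGG", 0, b"EGGA"),
    ("LHA", 2, b"-lh"),                # method id such as "-lh5-" sits at offset 2
    ("LZIP", 0, b"LZIP"),
    ("MACH-O", 0, b"\xfe\xed\xfa\xce"),  # 32-bit, big-endian
    ("MACH-O", 0, b"\xfe\xed\xfa\xcf"),  # 64-bit, big-endian
    ("MACH-O", 0, b"\xce\xfa\xed\xfe"),  # 32-bit, little-endian
    ("MACH-O", 0, b"\xcf\xfa\xed\xfe"),  # 64-bit, little-endian
    ("TNEF", 0, b"\x78\x9f\x3e\x22"),
    ("XAR", 0, b"xar!"),
    ("XZ", 0, b"\xfd7zXZ\x00"),
]

# Common extensions from the table above (assumed mapping for the example).
EXTENSIONS = {
    "7ZIP": {".7z"}, "ACE": {".ace"}, "ARJ": {".arj"}, "COMPRESS": {".Z"},
    "CPIO": {".cpio"}, "DAA": {".daa"}, "EGG": {".egg"}, "LHA": {".lha", ".lzh"},
    "LZIP": {".lz"}, "MACH-O": set(), "TNEF": {".dat", ".tnef"},
    "UUE": {".uu", ".uue", ".xx", ".xxe"}, "XAR": {".mpkg", ".pkg", ".xar"}, "XZ": {".xz"},
}

# uuencode/xxencode are text: the first line is "begin <octal mode> <name>".
_UUE_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S")


def apparent_data_type(data: bytes) -> Optional[str]:
    """Classify a body by its content, ignoring the name or Content-Type it was sent with."""
    for label, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    first_line = data.split(b"\n", 1)[0]
    if _UUE_BEGIN.match(first_line):
        return "UUE"
    return None


def disguised(filename: str, data: bytes) -> bool:
    """True when the body is one of these types but the filename extension does not say so.

    The comparison is case-sensitive on purpose: COMPRESS is .Z, and the table notes that
    .z is something else. A Mach-O binary has no conventional extension, so it is always
    reported under any name.
    """
    label = apparent_data_type(data)
    if label is None:
        return False
    dot = filename.rfind(".")
    ext = filename[dot:] if dot != -1 else ""
    return ext not in EXTENSIONS[label]
```

Signatures are checked in list order, so a body is labelled by the first match; that is fine here because none of these magic values is a prefix of another at the same offset.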

Authentication Transaction Trace Logging


The define probe CPL definition now supports logging for authentication-related traffic. Use the following syntax:
define probe case_label
condition=condition_label
target=auth:log_level
...
end

More Information:
• Content Policy Language Reference

SSL Session Ticket and PSK Support for Session Resumption


In previous releases, the appliance used session ID to resume previously established TLS sessions. For better
performance, this release improves SSL session resumption (caching) by using the SSL session ticket and pre-shared
key (PSK), as follows:
• TLS connections up to version 1.2 use session tickets
• TLS 1.3 connections use the PSK
To support this feature, the SSL session cache size is doubled, with the following allocations:
• Session ID - 50% of overall cache size
• Session ticket and PSK - 50% of overall cache size
To track the session ticket hashes that the appliance sends or receives when resuming the session, include the following
new fields to your access log format:
• x-cs-session-hash - SHA256 hash of session ticket issued to or resumed by client for current SSL session
• x-rs-session-hash - SHA256 hash of session ticket returned or resumed by server for current SSL session
If you downgrade SGOS, SSL session resumption will use SSL session ID.
NOTE
This feature is available in forward proxy mode.
More Information:
• SGOS Administration Guide
• ProxySG Log Fields and Substitutions

SSL Session Ticket and PSK Support for Host Affinity


In previous releases, the appliance used session ID to determine host affinity for HTTPS connections. This release
supports using the SSL session ticket and PSK for host affinity, as follows:
• TLS connections up to version 1.2 use session tickets
• TLS 1.3 connections use the PSK
When SSL session is selected for host affinity in forwarding/SOCKS host configuration, the appliance dynamically uses
the session ID, session ticket SHA256 hash, or PSK hash to make multiple client connections to the same forwarding
host/group or SOCKS gateway/group.
In the CLI, the ssl-session-id flag is changed to ssl-session for the following commands:
# (config forwarding) host-affinity ssl ssl-session [host_or_group_alias]
# (config forwarding host_or_group_alias) host-affinity ssl ssl-session
# (config socks-gateways) host-affinity ssl ssl-session [host_or_group_alias]
# (config socks-gateways gateway_or_group_alias) host-affinity ssl ssl-session

In the Management Console, the SSL Session ID host affinity method in forwarding host and SOCKS gateway
configurations is changed to SSL Session.
If you downgrade SGOS, hosts and gateways created or modified to use SSL session will use SSL session ID.


NOTE
This feature is available in forward proxy mode.
More Information:
• ProxySG Log Fields and Substitutions

SNI Hostname Policy


You can create policy that tests the Server Name Indication (SNI) hostname in client connections. The SNI hostname is
available if the client connection is TLS and has a valid ServerName extension; otherwise, the policy has no effect.
The following policy gestures were added to support this feature:

Table 122: New SNI hostname policy

CPL condition and corresponding web VPM source object (if applicable) Description

client.connection.ssl_server_name= Perform a string match for the SNI hostname.
SSL Server Name: This object is available in the SSL Access, SSL Intercept, Web Access, and Forwarding layers.
client.connection.ssl_server_name.exists= Test if the SNI hostname exists.
SSL Server Name: This object is available in the SSL Access, SSL Intercept, Web Access, and Forwarding layers.
client.connection.ssl_server_name.length= Test the total size of the SNI hostname.
No VPM object.

In addition, you can include the x-cs-connection-ssl-server-name and x-rs-connection-ssl-server-name
access log fields to log the SNI hostname.
More Information:
• Content Policy Language Reference
• Web Visual Policy Manager Reference
• ProxySG Log Fields and Substitutions
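As an added example of where the SNI hostname comes from, and of the "valid ServerName extension" caveat, the code below parses the server_name extension out of a TLS ClientHello record and returns None in every case where the condition would have no effect. It is not ProxySG code; build_client_hello constructs a minimal ClientHello purely as test input, and the RFC 6066 validity checks applied to the host_name are the example's own.

```python
from typing import Optional

SERVER_NAME_EXT = 0x0000  # RFC 6066 server_name extension type
HOST_NAME = 0x00          # the only defined NameType


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello record, or None.

    None covers every case in which the policy condition would not apply: the bytes are
    not a TLS handshake record, the handshake is not a ClientHello, the record is
    truncated, or there is no well-formed, non-empty host_name entry.
    """
    # TLS record header: ContentType(1) ProtocolVersion(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    # Handshake header: HandshakeType(1) length(3); 0x01 = ClientHello
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        return None
    i = 2 + 32                                       # skip client_version and random
    if len(hello) < i + 1:
        return None
    i += 1 + hello[i]                                # session_id<0..32>
    if len(hello) < i + 2:
        return None
    i += 2 + int.from_bytes(hello[i:i + 2], "big")   # cipher_suites<2..2^16-2>
    if len(hello) < i + 1:
        return None
    i += 1 + hello[i]                                # compression_methods<1..2^8-1>
    if len(hello) < i + 2:
        return None                                  # legacy hello with no extensions block
    ext_end = i + 2 + int.from_bytes(hello[i:i + 2], "big")
    i += 2
    if ext_end > len(hello):
        return None
    while i + 4 <= ext_end:
        ext_type = int.from_bytes(hello[i:i + 2], "big")
        ext_len = int.from_bytes(hello[i + 2:i + 4], "big")
        ext_data = hello[i + 4:i + 4 + ext_len]
        if len(ext_data) != ext_len:
            return None
        i += 4 + ext_len
        if ext_type == SERVER_NAME_EXT:
            return _host_name(ext_data)
    return None


def _host_name(ext_data: bytes) -> Optional[str]:
    """Walk the ServerNameList and return the first host_name that passes basic validity checks."""
    if len(ext_data) < 2:
        return None
    names = ext_data[2:2 + int.from_bytes(ext_data[:2], "big")]
    j = 0
    while j + 3 <= len(names):
        name_type = names[j]
        name_len = int.from_bytes(names[j + 1:j + 3], "big")
        name = names[j + 3:j + 3 + name_len]
        if len(name) != name_len:
            return None
        j += 3 + name_len
        if name_type == HOST_NAME:
            try:
                host = name.decode("ascii")
            except UnicodeDecodeError:
                return None
            # RFC 6066: must be non-empty, no trailing dot, and not an IP literal
            # (a dotted-decimal IPv4 literal is caught here; IPv6 literals are not checked).
            if not host or host.endswith(".") or host.replace(".", "").isdigit():
                return None
            return host
    return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record as test input (not captured traffic)."""
    exts = b"\x00\x17\x00\x00"                        # extended_master_secret, empty; shows skipping
    if sni is not None:
        host = sni.encode("ascii")
        entry = bytes([HOST_NAME]) + len(host).to_bytes(2, "big") + host
        sn_list = len(entry).to_bytes(2, "big") + entry
        exts += SERVER_NAME_EXT.to_bytes(2, "big") + len(sn_list).to_bytes(2, "big") + sn_list
    hello = (
        b"\x03\x03" + bytes(32)                       # client_version 1.2, random (zeros, constructed)
        + b"\x00"                                     # empty session_id
        + b"\x00\x02\x13\x01"                         # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # compression_methods: null only
        + len(exts).to_bytes(2, "big") + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

The length gesture in the table corresponds to len() of the returned string; a plaintext HTTP request, a truncated record, or a hello whose server_name entry is empty all yield None, which is the "policy has no effect" case described above.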

Network Stack Improvements


The SGOS network stack was updated to improve performance and stability. This release includes:
• Improved IPv6 handling.
• ARP, TCP, and IP conformance to the latest internet standards.
• Improved TCP throughput in the presence of out-of-order TCP packets.
• Updated PCAP file. The file downloaded from the appliance is in *.pcapng format, replacing the previous *.cap format.


Web Visual Policy Manager Improvements


• A new HTTP Connect URL Category destination object allows you to test the category of the host name in the HTTP
CONNECT request. This object is available in the Web Access and Web Request layers.
• The existing Application Group, Application Name, and Application Operation destination objects are available in
the Web Authentication and Web Content layers.
• Policy rule column headers (Source, Destination, Track, etc.) are sticky. The column headers remain visible when
you scroll through layers containing many rules.
• For better navigation when creating and editing Combined Objects, you can sort objects by name or type.
• To provide better visibility into large policies with many rules, the rule view features a more condensed layout with less
unused space.
• You can add a policy rule at a specific position within a layer. In the VPM, open the context menu in a rule and select
Insert Rule. The new rule appears below the current rule.
• Various areas of the Web VPM interface were improved for a more consistent and intuitive user experience.

Trust Package Update


The trust package has been updated. To download the latest trust package, issue the following CLI:
#(config) load trust-package

Other Enhancements and Changes in SGOS 7.3.1.1


• The built-in Access Security Policy has been updated. Access Security Policy is part of Policy Services, which is
available on all supported ProxySG appliances with a valid base license. No additional subscription is required to
use the policy; however, the Policy Services subscription should be used to keep the policy up to date. To keep the
subscription active, make sure that your Symantec support contract is valid.
• Some deny decisions are deferred until after an SSL intercept decision in policy. Previously, when policy included
deny.* gestures and ssl.forward_proxy(https), an HTTP handoff occurred before the deny. The behavior is
now corrected so that deny.connection and deny.request decisions will occur before HTTP handoff. Other deny
gestures are not affected.
• In previous releases, when policy was changed and re-installed, authenticated users in multi-tenant deployments
had to re-authenticate for transactions subsequent to the policy change. Now, user authentication persists when non-
authentication policy is changed and re-installed. Policy changes related to authentication configuration (realms,
groups of interest, etc.) still require user re-authentication.
The default tenant contains the authentication information for users who authenticate under multiple inline tenant
policies.
• This release improves the accuracy of apparent-data-type recognition.

Deprecations and Removals in SGOS 7.3.1.1

• SkyUI is disabled by default in version 7.3.x. You can re-enable this management interface, but be aware that it is
potentially vulnerable to security issues. For best security, do not enable SkyUI.
• Managing ProxyClient and Unified Agent is deprecated. You can enable these features, but the Management Console
and the CLI indicate that support for these remote clients will be removed in a future release.
• In the Web VPM, the Protocol Methods service object no longer includes the Instant Messaging protocol and
methods. IM policies were removed in a previous release.
• IPv6 site-local addresses are no longer supported in ProxySG configurations.
• Network adapters associated with unsupported platforms (such as SG300, SG600, SG900, and SG9000) are no
longer supported.


Fixes in SGOS 7.3.1.1


SGOS 7.3.1.1 includes the following bug fixes.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 123: Authentication

ID Issue

SG-22479 Fixes an issue where users experienced a redirect loop when using Chrome. This issue occurred because
Chrome refused authentication cookies for not having Secure and SameSite=none properties.
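The SG-22479 entry above describes a cookie that Chrome rejects because it lacks the Secure and SameSite=None attributes. The following is an added example, not code from these release notes or from the ProxySG product, that lints Set-Cookie header values for exactly those two attributes and produces a hardened header; the cookie names and values are constructed for the example.

```python
"""Lint and harden Set-Cookie headers for the two attributes named in SG-22479:
Chrome refuses a cookie used cross-site unless it carries both Secure and
SameSite=None. Added example; not ProxySG code."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieCheck:
    name: str
    secure: bool
    samesite: str            # lower-cased SameSite value, "" if absent
    problems: List[str] = field(default_factory=list)


def check_set_cookie(header_value: str) -> CookieCheck:
    """Parse one Set-Cookie header value and report missing attributes."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("Set-Cookie value must start with name=value")
    name = parts[0].split("=", 1)[0].strip()
    secure = False
    samesite = ""
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = value.strip().lower()
    result = CookieCheck(name, secure, samesite)
    if not secure:
        result.problems.append("missing Secure attribute")
    if samesite != "none":
        result.problems.append(
            "SameSite is %s; cross-site use needs SameSite=None"
            % (samesite or "absent"))
    return result


def harden_set_cookie(header_value: str) -> str:
    """Return the header value with Secure and SameSite=None set."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    kept = [parts[0]]
    for attr in parts[1:]:
        key = attr.partition("=")[0].strip().lower()
        if key in ("secure", "samesite"):
            continue           # dropped so canonical values can be re-added
        kept.append(attr)
    kept.extend(["Secure", "SameSite=None"])
    return "; ".join(kept)


def lint_headers(values) -> List[str]:
    """Return the names of cookies that Chrome would reject cross-site."""
    return [c.name for c in map(check_set_cookie, values) if c.problems]


# Constructed sample headers (not captured from an appliance).
SAMPLE_HEADERS = [
    "CS-ok=abc123; Path=/; Secure; SameSite=None",
    "CS-bare=abc123; Path=/",
    "CS-lax=abc123; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = check_set_cookie(h)
        print(c.name, c.problems or "ok")
        if c.problems:
            print("  hardened:", harden_set_cookie(h))
```

Run the linter against the Set-Cookie headers seen on the authentication redirect (a browser developer-tools capture or a proxy trace will show them); any cookie it reports is one a current Chrome build will refuse, which is the redirect loop described in the fix.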

Table 124: CIFS Proxy

ID Issue

SG-20625 Fixes an issue where client machines lost connectivity to file shares after waking from sleep mode.

Table 125: CLI Console

ID Issue

SG-4912, SG-19528 Fixes an issue where ProxySG advanced URLs used less-secure HTTP GET methods.

Table 126: Diagnostic Tools

ID Issue

SG-22935 Fixes an issue where the appliance sent diagnostic reports to Symantec if the appliance was reinitialized.

Table 127: Health Checks

ID Issue

SG-22116 Addresses an issue where the appliance experienced a restart in PG_HEALTH_CHECKS process: "HC
Watchdog" in "" at .text+0x0 SWE : 0x3a0004.

Table 128: HTTP Proxy

ID Issue

SG-18485 Addresses an issue where the system stopped responding in process "HTTP CW 15C1CFADA40" in
"libmemory.so".

Table 129: ICAP

ID Issue

SG-19149 Fixes an issue where patience pages took a long time to load when uploading a file for ICAP scanning. The
issue occurred if the filename contained an ampersand character (&).


Table 130: Licensing

ID Issue

SG-23360 Fixes an issue where creating a C16XS model on the Integrated Secure Gateway resulted in "Warning:
Nonstandard memory configuration detected."

Table 131: SSL Proxy

ID Issue

SG-22606 Addresses an issue where the appliance stopped responding in process group: "PG_CFSSL" and process:
"SSLW 21BB8E14F90" in "libc.so" at .text+0x168cd.

Table 132: SSL/TLS and PKI

ID Issue

SG-11173 Fixes an issue where the event log displayed "failed to copy keyring" and "failed to copy certificate file"
errors after an upgrade from version 6.7.x to version 7.x.
SG-23060 Addresses an issue where the appliance stopped responding in process group: "PG_SSL_HNDSHK" and
process: "HTTP CW 10EC3699A40" in "libcfssl.exe.so" at .text+0x39f1cc.

Table 133: TCP/IP and General Networking

ID Issue

SG-4154 Fixes an issue where a restart occurred due to a high volume of IPv6 network traffic.
SG-11975 Fixes an issue where the appliance was vulnerable to a LAND attack.
SG-21102 Fixes an issue where the final TCP reset (RST) used a different interface from the rest of the TCP
conversation.
SG-18904 Fixes an issue where running the #(config)ipv6 auto-linklocal disable command did not
remove the auto link-local IPv6 address.
SG-21747 Fixes an issue where an IPv6 address could not be added using the #(config connection-
forwarding)add command.
SG-22295 Fixes an issue where the Secure Web Gateway V100 platform experienced a memory leak due to an
interface reinitializing repeatedly.
SG-20003 Fixes an issue where configuring failover with two ProxySG appliances with IPv6 addresses resulted in
both appliances becoming master.
SG-22879 Fixes an issue where configured routing tables on the appliance were not preserved after upgrading from
version 6.7.5.6 to a later 6.7.x or 7.x.
SG-4156 Addresses an issue where the system stopped responding in process group: "PG_TCPIP" and process:
"stack-bnd-1:0-rxq-0" in "libstack.exe.so" at .text+0x50657a.
SG-13300 Fixes an issue where policy traces contained an incorrect interface number when return-to-sender (RTS)
was disabled and policy specified the interface in the client.interface= condition.


Table 134: Visual Policy Manager (Legacy)

ID Issue

SG-20740 Fixes an issue where VPM policy did not detect when multi-tenant landlord mode was enabled. When this
issue occurred, some related policy gestures such as Tenant ID were unavailable. This issue was also fixed
in the Web VPM.


SGOS 7.2.8.1 GA
Release Information
• Release Date: August 4, 2021
• Build Number: 264841

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1 and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
ATTENTION
Support for Client Manager, ProxyClient, and Unified Agent will be removed in a future release.
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.2.x might cause unexpected behavior with configured HSMs.
See SG-23187 in Known Issues in SGOS 7.x for more information.
• ProxySG 7.2.x does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.x. If you begin
upgrading to 7.2.x from an appliance that has FIPS mode enabled, abort the upgrade at the boot process, disable
FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your appliance will
not function as expected.
• If you are downgrading from ProxySG 7.2.x to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.2.x, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.2.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.2.8.1


• SGOS 7.2.8.1 introduces new features and enhancements. See Features in SGOS 7.2.8.1.

Fixes in ProxySG 7.2.8.1


• This release includes a number of fixes. See Fixes in SGOS 7.2.8.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/
security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.2.8.1


SGOS 7.2.8.1 introduces the following new features and changes.


New Models for Virtual Appliances


For ProxySG virtual appliances, the following new models are available for GCP and ISG Enterprise VA deployments:

Virtual CPUs   Virtual Memory (GB)   ISG-Proxy-VA-100 Storage (GB)   ISG-Proxy-VA-200 Storage (GB)   Connection Count

6              24                    2x100                           1x200                           37,500
6              40                    4x100                           2x200                           62,500
6              48                    4x100                           2x200                           75,000
10             40                    4x100                           2x200                           62,500
10             80                    4x100                           2x200                           125,000
10             96                    4x100                           2x200                           150,000
12             48                    4x100                           2x200                           75,000
12             96                    4x100                           2x200                           150,000
12             128                   4x100                           2x200                           200,000
14             64                    4x100                           2x200                           100,000
14             112                   4x100                           2x200                           175,000
14             144                   8x100                           4x200                           225,000
20             96                    4x100                           2x200                           150,000
20             144                   N/A                             4x200                           225,000
20             192                   N/A                             6x200                           300,000
24             112                   4x100                           2x200                           175,000
28             128                   8x100                           4x200                           200,000
28             192                   N/A                             6x200                           300,000
28             288                   N/A                             8x200                           450,000
32             80                    8x100                           2x200                           125,000
32             160                   N/A                             4x200                           250,000
32             256                   N/A                             8x200                           400,000
32             320                   N/A                             8x200                           500,000

More information:
• SGOS on GCP Configuration Guide
• ISG Enterprise VA Guide

Timezone Database Update


As of July 10, 2021, a new timezone database (2021a) is available at https://download.bluecoat.com/release/
timezones.tar
The database can be installed using the CLI command load timezone-database. The database will also be installed
on an SGOS appliance running 7.2.7.1 or newer after a restore-defaults factory-defaults or on a new virtual
appliance instance.


Support for New Network Interface Card


The Silicom bypass driver has been updated to support the PE310G4BPI40-T Quad port Copper 10 Gigabit Ethernet PCI
Express Bypass Server Intel® x540 Based card.

Configure Local Categories for Web Filtering


You can disable or enable whether local categories for Web Filtering are included in the configuration for the proxy client
with the following command:
#(config clients web-filtering)include-local-categories {disable | enable}
More Information:
• Command Line Interface Reference

New CLI Command for ARP Strict Matching


The following CLI command is available for enabling and disabling ARP strict matching (default enable):
#(config)tcp-ip arp-strict-matching {enable|disable}
More information:
• Command Line Interface Reference

Link Speed No Longer Displayed for Virtual Appliances


For virtual appliances that are using a para-virtual network adapter, when you view the output for the show interface
command or the SysInfo, the link speed no longer displays and instead reads "virtual network" or "virtual link".
Additionally, the MAC address now displays in the show interface output.
More Information:
• Command Line Interface Reference

Set IP Version Preferences for DNS Resolution


You can now configure preferences for which IP version to use for DNS queries by using the following command (default
is unspecified):
#(config)dns ip-version {ipv4-only|ipv6-only|prefer-ipv4|prefer-ipv6|unspecified}
More information:
• Command Line Interface Reference

New incorrect_content_length Option for response.raw_headers.tolerate


Previously, the appliance would forward responses that exceeded the length specified in the Content-Length response
header to the ICAP server or client. Now the appliance drops the additional bytes before sending a response.
If you do want the appliance to forward responses that exceed the specified length, use the property
response.raw_headers.tolerate(incorrect_content_length).
More information:
• Content Policy Language Reference
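To make the behaviour change above concrete, the following is an added example, not code from these release notes or from the ProxySG product, that applies a declared Content-Length to a raw HTTP/1.1 response in both modes: the new default (forward only the declared bytes, drop the rest) and the tolerate mode (forward everything). The sample response is constructed for the example.

```python
"""Enforce a declared Content-Length on a raw HTTP/1.1 response, mirroring the
default behaviour (drop bytes beyond the declared length) and the tolerate
mode (forward everything). Added example; not ProxySG code."""
from typing import Dict, Tuple


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw response into status line, lower-cased header map, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def enforce_content_length(raw: bytes, tolerate: bool = False) -> Tuple[bytes, bytes]:
    """Return (body bytes to forward, excess bytes beyond Content-Length).

    tolerate=False is the default behaviour: the excess is not forwarded.
    tolerate=True forwards everything, as the
    response.raw_headers.tolerate(incorrect_content_length) property does.
    """
    _, headers, body = split_response(raw)
    declared = headers.get("content-length")
    if declared is None:
        return body, b""            # no declared length: nothing to enforce
    if not declared.isdigit():
        raise ValueError("malformed Content-Length: %r" % declared)
    length = int(declared)
    excess = body[length:]
    if tolerate or not excess:
        return body, excess
    return body[:length], excess


# Constructed sample: a 5-byte declared body followed by trailing bytes that
# the origin should not have sent on this response.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"helloEXTRA"
)

if __name__ == "__main__":
    fwd, extra = enforce_content_length(SAMPLE_RESPONSE)
    print("default :", fwd, "dropped", extra)
    fwd, extra = enforce_content_length(SAMPLE_RESPONSE, tolerate=True)
    print("tolerate:", fwd, "excess", extra)
```

The reason the default is to drop the excess is that on a persistent connection a downstream HTTP parser treats whatever follows the declared body as the start of the next response, so trailing bytes desynchronise the connection. If a particular origin needs the tolerate property, scope the policy rule to that origin rather than applying it to all traffic.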


New Policy Action for SOCKS Requests


To ensure that SOCKS requests use cached surrogate credentials for authentication, a new
socks.authenticate.mode() policy action has been added. Use this policy instead of authenticate.mode() for
SOCKS requests. The policy supports the proxy and proxy-ip challenge type and surrogate credential.
For example:

<proxy> client.protocol=socks
socks.authenticate(testrealm) socks.authenticate.mode(proxy-ip)

More information:
• Content Policy Language Reference
• KB Article 166657

Event Log Trace Level Enhancement


The #(config event-log)level trace CLI command was added in version 7.2.5.1. In this release, the trace level
also writes long-running ICAP REQMOD transactions, and deferred and resumed ICAP RESPMOD transactions to the
event log.
More Information:
• Command Line Interface Reference
• SGOS Upgrade/Downgrade, "Behavior Changes in SGOS 7.2.x"

Fixes in SGOS 7.2.8.1


SGOS 7.2.8.1 includes the following bug fixes.
For Security Advisory fixes, see Security Advisory Fixes in SGOS 7.x.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 135: Access Logging

ID Issue

SG-27063 Fixes an issue where show advanced-url /accesslog/tail was taking a long time to respond
because the buffers for TE_Transaction::Generate_random_ipv6_address() were too small.
SG-26885 Fixes an issue where Kafka uploads for sites with a large number of nodes would not succeed due to the size
of the upload exceeding the maximum for the recoverable heap.

Table 136: Authentication

ID Issue

SG-27405 Fixes an issue where details for group-async were not available for the #show configuration and
#(config windows-domains)view commands.
SG-27378 Fixes an issue where users could not join or rejoin a domain if the username contained a dollar sign ($)
character.
SG-26994 Fixes an issue where the appliance was unresponsive due to incorrectly prioritizing certain processes.


Table 137: Cloud Platform

ID Issue

SG-25640 Fixes an issue where the appliance became unresponsive when loading a trust package.
SG-26843 Fixes an issue where sometimes ZTP would not successfully set up an appliance due to ZTP attempting to parse
the JSON object as part of the jobTargetData.

Table 138: DNS Proxy

ID Issue

SG-27367 Fixes an issue where the appliance experienced a restart when the DNS proxy incorrectly copied from or to a
null pointer.
SG-25261 Fixes an issue where the appliance experienced a restart when attempting to free a pointer it had already freed.

Table 139: HTTP Proxy

ID Issue

SG-25111 Fixes an issue where supplier.country policy did not match for tunneled HTTPS connections when
protocol detection was disabled.
SG-25593 Fixes an issue where protocol detection did not detect HTTP/2 when a server response was received before the
client connection. When this issue occurred, the log displayed "Cannot detect server speakfirst protocol".

Table 140: Policy

ID Issue

SG-26626 Fixes an issue where the appliance experienced a restart when the hostname was assigned "null" during
address resolution.

Table 141: SOCKS Proxy

ID Issue

SG-25580 Fixes an issue where SOCKS requests failed due to not being matched to the IP surrogate credential. This fix
requires using the new socks.authenticate.mode() policy action, as described in Features in SGOS
7.2.8.1.

Table 142: SSL Proxy

ID Issue

SG-23430 Fixes an issue where the appliance experienced high memory usage. This issue occurred in reverse proxy
mode with #(config service_name)attribute forward-client-cert enabled and Certificate
Policies extensions in use.
SG-26999 Fixes an issue where the appliance experienced high memory usage during SSL handshakes.


Table 143: SSL/TLS and PKI

ID Issue

SG-25640 Fixes an issue where the appliance became unresponsive when loading a trust package.
SG-25818 Fixes an issue where the appliance experienced a restart when attempting to install HSM configuration.

Table 144: TCP/IP and General Networking

ID Issue

SG-27807 Fixes an issue where DNS flags were not set correctly for AAAA requests, causing the appliance to not retry with
A requests after receiving invalid AAAA responses.
SG-27115 Fixes an issue where adding NICs to a virtual appliance running on VMware ESXi changed the order of NICs.
SG-25955 Fixes an issue where the appliance experienced a restart due to the appliance marking the mbuf with a weak
INP.
SG-27375 Fixes an issue where the appliance experienced a restart when the database was updated.
SG-27677 Fixes an issue where the appliance returned the error "DNS Resolver Response: Unknown error response (202)"
for a DNS-forwarding group that was associated with the default routing domain.
SG-26136 Fixes an issue where the interfaces showed the speed and duplex as unknown in the SysInfo for virtual
appliances.

Table 145: Timezones and NTP

ID Issue

SG-27893 Fixes an issue where the warning message when attempting to configure an NTP server that is not present
included a leading "%" used for error messages.

Table 146: Transformer

ID Issue

SG-25137 Fixes an issue where the appliance could not rewrite URLs that had empty HTML comments preceding them.

Table 147: Web Application Firewall

ID Issue

SG-25723 Fixes an issue where interactions between http.request.log.mask_by_name() and
http.request.detection.bypass_cache_hit() policy properties sometimes resulted in the
appliance not decoding the URLs of payloads during internal analysis.


SGOS 7.2.7.2 PR
Release Information
• Release Date: June 28, 2021
• Build Number: 263784

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1.x and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.1.x might cause unexpected behavior with configured HSMs.
See SG-23187 in Known Issues in SGOS 7.x for more information.
• ProxySG 7.2.1.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.1.1. If you
begin upgrading to 7.2.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.2.1.1 to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:

<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.2.1.1, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.2.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Fixes in ProxySG 7.2.7.2


• This release includes a number of fixes. See Fixes in SGOS 7.2.7.2.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/
security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Fixes in SGOS 7.2.7.2


See Security Advisory Fixes in SGOS 7.x for security advisory fixes for this release.


SGOS 7.2.7.1 GA
Release Information
• Release Date: May 26, 2021
• Build Number: 262380
NOTE
SGOS is cumulative. SGOS 7.2.7.1 is based on the SGOS 7.2.6.1 release. In addition, this release includes all
features and fixes that were included in the 6.7.5.11 release.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1.x and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.1.x might cause unexpected behavior with configured HSMs.
See SG-23187 in Known Issues in SGOS 7.x for more information.
• ProxySG 7.2.1.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.1.1. If you
begin upgrading to 7.2.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.2.1.1 to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.2.1.1, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.2.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.2.7.1


• SGOS 7.2.7.1 introduces new features and enhancements. See Features in SGOS 7.2.7.1.

Fixes in ProxySG 7.2.7.1


• This release includes a number of fixes. See Fixes in SGOS 7.2.7.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/
security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.2.7.1


New Maximum High Memory Threshold for ISG Licensed Deployments
For ProxySG virtual appliances deployed with Enterprise and Node-Locked licenses, the thresholds for the CFS high
memory pool has been increased to 1600 MB. (SG-23702)


New NIC Maximum for Virtual Appliances


The following types of ProxySG virtual appliances now have a new maximum number of virtual interfaces:

Platform Maximum NICs

AWS 8
Azure 8
GCP 8
Hyper-V 8
KVM 16
VMware 10
Xen 8

(SG-26185)

New http.response Policy Gesture


The following property has been added to force the appliance to stop waiting for HTTP response data from the client:
http.response.response_data.prevent_inspection_delay(yes|no)

See the Content Policy Language Reference for more information. (SG-25615)

Fixes in SGOS 7.2.7.1


SGOS 7.2.7.1 includes the following bug fixes.

Table 148: Access Logging

ID Issue

SG-25675 Fixes an issue where an existing access log facility could not be deleted.

Table 149: Authentication

ID Issue

SG-25860 Fixes an issue where the appliance had a hardware exception when the XML authentication realm contained a
parsing issue.

Table 150: CLI Consoles

ID Issue

SG-26539 Fixes an issue where some CLI commands returned a kex protocol error message.


Table 151: HTTP Proxy

ID Issue

SG-25953 Fixes an issue where the appliance had a software exception when policy included
ssl.forward_proxy(yes) and a deferred transaction was denied.
SG-25957 Fixes an issue where users cannot access alldata.com after an upgrade.

Table 152: ICAP

ID Issue

SG-19774 Fixes an issue where "Request timed out" errors were incorrectly reported when ICAP connections were closed
on the server side. Now, the ICAP error states "Failed due to dropped connection".
SG-26130 Fixes an issue where the ProxySG appliance performed additional scanning when Content Analysis sends an
ISTag value of "0" in the ICAP response.

Table 153: Kernel

ID Issue

SG-19721 Fixes an issue where the appliance stopped responding when there was a high number of HTTP/S connections
on the appliance.

Table 154: Policy

ID Issue

SG-25615 Fixes an issue where users could not connect to chat.google.com. The policy property
http.response.response_data.prevent_inspection_delay(yes|no) has been added to
resolve this issue.

Table 155: SSL/TLS and PKI

ID Issue

SG-25924 Fixes an issue where the appliance stopped responding after deleting an SSL keyring.

Table 156: TCP/IP and General Networking

ID Issue

SG-26046 Fixes an issue where the serial console showed error message "Apply__DNS_fwd() ERRO DNS fibnum = 0"
when the appliance booted up. The issue occurred because DNS forwarding group names were truncated if they
were 16 characters or more in length.
SG-23835 Fixes an issue where users experienced slow browsing due to a large number of failed DNS lookups on the
appliance.
SG-26308 Fixes an issue where the FreeBSD DHCP vulnerability described in CVE-2021-7461 could cause the appliance
to stop responding.


Table 157: Web Application Firewall

ID Issue

SG-26127 Fixes an issue where the SQL injection engine incorrectly blocked some Chrome headers.


SGOS 7.2.6.1 GA
Release Information
• Release Date: April 13, 2021
• Build Number: 260877
NOTE
SGOS is cumulative. SGOS 7.2.6.1 is based on the SGOS 7.2.5.1 release. In addition, this release includes all
features and fixes that were included in the 6.7.5.10 release.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1.x and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.1.x might cause unexpected behavior with configured HSMs.
See SG-23187 in Known Issues in SGOS 7.x for more information.
• ProxySG 7.2.1.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.1.1. If you
begin upgrading to 7.2.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.2.1.1 to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.2.1.1, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.x from an earlier version 7.x or from version 6.7.4.4 or later.
– Downgrade from 7.2.x to an earlier version 7.x or to version 6.7.4.4 or later.
NOTE
If upgrading from version 6.7.4.2 or earlier, an interim upgrade to version 6.7.4.3 might be required. To
determine whether you can upgrade directly to version 6.7.4.4, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.2.6.1


• SGOS 7.2.6.1 introduces new features and enhancements. See Features in SGOS 7.2.6.1.

Fixes in ProxySG 7.2.6.1


• This release includes a number of fixes. See Fixes in SGOS 7.2.6.1.
• To see any Security Advisories that apply to the version you are running, go to:
https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.2.6.1


SGOS 7.2.6.1 introduces the following new features and changes.


Integrated Secure Gateway Enterprise Secure Web Gateway Virtual Appliance


A new Integrated Secure Gateway (ISG) Enterprise Secure Web Gateway Virtual Appliance (SWG VA) license is
supported for ProxySG VAs running on VMware’s vSphere Hypervisor. The ISG Enterprise SWG VA facilitates server
consolidation by co-existing with other virtual machines on a single hardware platform, including Symantec Content
Analysis. With the ISG SWG VA providing security, the other virtual machines can provide branch office services (such as
Domain Controller, print, DNS, and DHCP), as well as any VMware-certified software applications.
For more information, refer to the Integrated Secure Gateway Enterprise Secure Web Gateway Virtual Appliance
Deployment Guide.

Heartbeat Reports Enhancement


Heartbeat reports sent to Support now include environment information for physical and virtual appliances. In addition, the
heartbeats for applications running on Integrated Secure Gateway report the serial number.

New HTTP Dwell Time Statistics


The following counters have been added for dwell time statistics:
• Transactions performing static and dynamic categorization
• Transactions performing authentication and authorization, and server authentication
• Transactions performing various upstream, downstream, and reverse proxy handshakes
• Transactions determining object disposition
• Transactions performing DNS lookup for clients and servers

HTTP Debug Log Enhancement for gateway_error Error


When the appliance detects a proxy loop, it returns a gateway_error exception page. To assist with troubleshooting
this error, the HTTP debug log now displays the message: "Detected proxy loop while parsing X-BlueCoat-Via header,
returning gateway_error exception". To prevent the issue from occurring, remove the X-BlueCoat-Via header when
sending requests upstream. Refer to KB 167710 for information.

Web Visual Policy Manager Enhancements


This release includes the following web VPM enhancements:
Management Center Roles and Permissions
Management Center administrators can assign permissions to users, which determine whether users can:
• View, add, edit, and delete policy layers.
• View, add, edit, and delete policy layer guards.
• View, add, edit, and delete policy rules.
• View, add, edit, and delete specific VPM objects.
• View and use the following options in the Operations menu: Change Enforcement Domains, View All Objects, View
Generated CPL.
Improved Look and Feel
• The Update policy menu option to refresh generated CPL has been replaced with a 'refresh' icon. When you use the
icon to refresh the CPL, the VPM notifies you of the change with a message, "Successfully refreshed generated CPL."
• All policy rule menu options now have icons.

Fixes in SGOS 7.2.6.1


SGOS 7.2.6.1 includes the following bug fixes.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 158: Authentication

ID Issue

SG-18496 Fixes an issue where SAML authentication without client redirects did not work.

Table 159: Cache Engine

ID Issue

SG-25363 Addresses potential denial of service attacks when there was a high number of simultaneous URL-based
searches in /CE/Listing_Form.

Table 160: CLI Consoles

ID Issue

SG-25564 Fixes an issue where attempting to view Advanced URLs results in an "Encrypted token has expired" message.
This issue occurred when logging in to the console with a non-local admin user.

Table 161: Cloud Platform

ID Issue

SG-25035 Fixes an issue where a ZTP-deployed appliance stopped responding when a routers option was not specified in
the DHCP data source.

Table 162: HTTP Proxy

ID Issue

SG-24969 Fixes an issue where users received error 502 "Content Encoding Error" when going to Facebook.
SG-22988 Fixes an issue where requests including both the Content-Length and Transfer-Encoding headers were
forwarded to the OCS. Now, the Transfer-Encoding: identity header is removed from such requests before being
forwarded.
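As an added example (not the appliance's code), the following Python applies the framing rule behind fix SG-22988: when a request carries both Content-Length and a Transfer-Encoding whose only coding is identity, the redundant Transfer-Encoding header is dropped before forwarding. It goes one step beyond the fix text and rejects any other Content-Length plus Transfer-Encoding combination as ambiguous framing (RFC 7230 section 3.3.3); the sample requests and the host name example.test are constructed.

```python
"""Added example (not ProxySG code): normalize the message framing of a
request that carries both Content-Length and Transfer-Encoding.

Behaviour described on the page (SG-22988): a redundant
"Transfer-Encoding: identity" is removed before the request is forwarded.
Added here: any other Transfer-Encoding alongside Content-Length is
rejected, because two parsers may then disagree on where the body ends
(RFC 7230 section 3.3.3 calls this out as a smuggling hazard).
"""
from typing import List, Tuple

Header = Tuple[str, str]


class AmbiguousFramingError(ValueError):
    """Content-Length and a non-identity Transfer-Encoding are both present."""


def _te_codings(value: str) -> List[str]:
    """Split a Transfer-Encoding value into lower-cased coding names."""
    return [c.strip().lower() for c in value.split(",") if c.strip()]


def normalize_framing(headers: List[Header]) -> List[Header]:
    """Return the header list that is safe to forward upstream.

    - Content-Length only, Transfer-Encoding only, or neither: unchanged.
    - Both, and every Transfer-Encoding coding is 'identity': drop the
      Transfer-Encoding header(s); Content-Length alone frames the body.
    - Both, with 'chunked' or any other coding: raise.
    """
    has_cl = any(n.lower() == "content-length" for n, _ in headers)
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    if not has_cl or not te_values:
        return list(headers)
    codings = [c for v in te_values for c in _te_codings(v)]
    if codings and all(c == "identity" for c in codings):
        return [(n, v) for n, v in headers if n.lower() != "transfer-encoding"]
    raise AmbiguousFramingError(
        "Content-Length present together with Transfer-Encoding %r" % (codings,))


def forwards_safely(headers: List[Header]) -> bool:
    """True when normalize_framing accepts the headers, False when it rejects them."""
    try:
        normalize_framing(headers)
        return True
    except AmbiguousFramingError:
        return False


def parse_request_headers(raw: bytes) -> List[Header]:
    """Parse the header block of an HTTP/1.1 request (CRLF-separated lines,
    body ignored) into ordered (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        pairs.append((name.strip(), value.strip()))
    return pairs


# Constructed sample requests, not captured traffic.
REQ_IDENTITY = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nTransfer-Encoding: identity\r\n\r\nhello")
REQ_CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(normalize_framing(parse_request_headers(REQ_IDENTITY)))
    print("chunked+CL forwarded:", forwards_safely(parse_request_headers(REQ_CHUNKED)))
```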


Table 163: Management

ID Issue

SG-24442 Fixes an issue where upgrading from version 6.7.4 to 7.2 did not preserve the previous non-default HTTPS
console ciphers configuration or enable TLS 1.3 by default. This issue occurred if non-default SSL protocols
were selected for the HTTPS console. If the appliance was never upgraded to 7.2.x or 7.3.x previously,
upgrading to this release will preserve the previous ciphers selection and enable TLS 1.3 by default. To apply
the fix if the appliance was previously upgraded to 7.2.x or 7.3.x, you must remove the existing SGOS 7.x
configuration before upgrading. Issue the #remove-sgos7-config command, restart the appliance, and
then install this release.
SG-25199 Fixes an issue where the Management Console exited with an error message, "SSL protocol negotiation failed.
Logging out from Management Console".

Table 164: Policy

ID Issue

SG-25255 Fixes an issue where authentication exceptions or force_deny caused ssl.tunnel transactions to bypass rules
in <forward> layers.

Table 165: Reverse Proxy

ID Issue

SG-25442 Fixes an issue where existing forwarding host names could not be edited to exceed 64 characters.

Table 166: SSL/TLS and PKI

ID Issue

SG-24931 Fixes an issue where revoked intermediate certificates were added to the cached intermediate certificate list.

Table 167: SSL Proxy

ID Issue

SG-13361 Fixes an issue where authenticated sessions persisted across browser sessions.
SG-25594 Fixes an issue where some SSL transactions were unexpectedly not denied. This issue occurred when policy
included denials based on the response and SIPS protocol detection was enabled.
SG-25006 Fixes an issue where users received an "EXCEPTION(tcp_error): Request could not be handled" message when
a site required a client certificate. This issue occurred when upgrading to version 7.2.
SG-25545 Fixes an issue where a site could not be accessed if protocol detection or TLS 1.3 was enabled.

Table 168: TCP/IP and General Networking

ID Issue

SG-24139 Fixes an issue where outgoing connections intermittently went to an incorrect interface.


SGOS 7.2.5.1 GA

Release Information
• Release Date: February 4, 2021
• Build Number: 259008
NOTE
SGOS is cumulative. SGOS 7.2.5.1 is based on the SGOS 7.2.4.1 release. In addition, this release includes all
features and fixes that were included in the 6.7.5.9 release.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1.x and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.1.x might cause unexpected behavior with configured HSMs.
See SG-23171 in Known Issues in SGOS 7.x for more information.
• ProxySG 7.2.1.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.1.1. If you
begin upgrading to 7.2.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.2.1.1 to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.2.1.1, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.x from an earlier version 7.x or from version 6.7.4.4 or later. If upgrading from version 6.7.4.2 or
earlier, an interim upgrade to version 6.7.4.3 might be required. To determine whether you can upgrade directly to
version 6.7.4.4, refer to KB Article 18536.
– Downgrade from 7.2.x to an earlier version 7.x or to version 6.7.4.4 or later.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.2.5.1


• SGOS 7.2.5.1 introduces new features and enhancements. See Features in SGOS 7.2.5.1.

Fixes in ProxySG 7.2.5.1


• This release includes a number of fixes. See Fixes in SGOS 7.2.5.1.
• To see any Security Advisories that apply to the version you are running, go to:
https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.2.5.1


SGOS 7.2.5.1 introduces the following new features:

Zero Touch Provisioning for Deployments


Zero Touch Provisioning (ZTP) allows you to easily deploy a ProxySG appliance or virtual appliance without using the
terminal to configure the deployment. Instead, you prepare a ZTP payload containing the configuration and environment
details, and provide the payload to the appliance. Additionally, if you are using Management Center to manage your
ProxySG appliances, ZTP can automatically register the ProxySG appliance with Management Center.
NOTE
ZTP can only be performed on an appliance that is in a factory-reset state.
ZTP is available for all physical S-series appliances and the following virtual platforms:
• AWS
• Azure
• Cisco Cloud Services Platform
• ESXi
• KVM
• Microsoft Hyper-V
NOTE
ZTP is not currently available for ProxySG applications running on Integrated Secure Gateway.

Clear the Serial Number When Restoring Factory Defaults


You now have the option to clear virtual appliance serial numbers when restoring factory defaults:
# restore-defaults factory-defaults [clear-va-serial]

New User Agent Match Object for VPM


The User Agent Match object provides a list of browser types to select from and a field to further specify the type and
version via a regular expression.
Full information:
• ProxySG Web Visual Policy Manager Reference

New Counters for HTTP Dwell Time Statistics


The following counters have been added for dwell time statistics:
• Transactions performing static and dynamic categorization
• Transactions performing authentication and authorization, and server authentication
• Transactions performing various upstream, downstream, and reverse proxy handshakes
• Transactions determining object disposition
• Transactions performing DNS lookup for clients and servers

New HTTP/2 Connection and Stream Counts in the Heartbeat Report


New counters have been added to the heartbeat report for HTTP/2 connections and streams.

Port Numbers Added to Policy Traces


Port numbers are now available in the policy trace output.


Fixes in SGOS 7.2.5.1


SGOS 7.2.5.1 includes the following bug fixes.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 169: Access Logging

ID Issue

SG-22694 Fixes an issue where the appliance restarted due to multiple log upload threads attempting to simultaneously
initialize the SSL cryptographic parameters.
SG-24708 Fixes an issue where the HTTP transaction timing fields (x-cs-rp-https-handshake-time, x-cs-https-handshake-
time, and x-sr-https-handshake-time) in the access log generate a "-" or a "0" in log output regardless of the
latency coming from the client or server.

Table 170: Authentication

ID Issue

SG-23880 Fixes an issue where the appliance restarted after memory was released for an invalid memory pointer.
SG-23983 Fixes an issue where the appliance experienced high CPU and memory consumption due to memory
fragmentation.

Table 171: FTP Proxy

ID Issue

SG-4624 Fixes an issue where the s-action access log field was sometimes not populated when ICAP REQMOD mirroring
was enabled.

Table 172: HTTP Proxy

ID Issue

SG-20158 Fixes an issue where certain ICAP threads were not terminated and caused memory leaks when ICAP
REQMOD mirroring was enabled.

Table 173: ICAP

ID Issue

SG-23811 Fixes an issue where the response time for health checks was longer than expected when the appliance was
sending Content Analysis traffic to the ICAP broker.

Table 174: Performance

ID Issue

SG-22312 Fixes an issue where a memory leak occurred due to processing MS-TURN traffic, which is a protocol used by
Skype for Business.


Table 175: Policy

ID Issue

SG-21244 Fixes an issue where exception pages that were greater than 8080 bytes did not display in the browser.
SG-24288 Fixes an issue where authenticating traffic via NTLM with BCAAA did not work in 7.2.4.1.
SG-24326 Fixes an issue where accessing the /dme/configuration advanced URL caused the license key auto-update
feature to be enabled when it was originally set to disabled.

Table 176: SSL Proxy

ID Issue

SG-2311 Fixes an issue where a new intermediate CA certificate that had the same subject name as an expired or revoked
CA certificate could not replace the current expired or revoked CA certificate.
SG-23828 Fixes an issue where the appliance experienced a memory leak when handling HTTPS reverse proxy traffic with
forward-client-cert enabled.

Table 177: SSL/TLS and PKI

ID Issue

SG-24706 Fixes an issue where the ProxySG Admin Console experienced a restart because the PCAP stack was not large
enough to handle all the filter expressions.
SG-24065 Fixes an issue where the appliance listed the strength for the dhe-dss-des-cbc3-sha cipher as "high" when
OpenSSL classifies the cipher as "medium" strength.

Table 178: TCP/IP and General Networking

ID Issue

SG-24034 Fixes an issue where the appliance did not notify users that WCCP did not start after a reboot. Now when WCCP
does not start after a reboot, error messages are logged in the debug log.
SG-24810 Fixes an issue where the appliance experienced a restart when an HTTP/2 transaction could not be completed
due to a null socket.

Table 179: URL Filtering

ID Issue

SG-24231 Fixes an issue where the appliance experienced a restart when testing the category of a URL in the format of an
email address (for example, "/ContentFilter/TestUrl/[email protected]").


SGOS 7.2.4.1 GA

Release Information
• Release Date: December 10, 2020
• Build Number: 257580
NOTE
SGOS is cumulative. SGOS 7.2.4.1 is based on the SGOS 7.2.3.1 release. In addition, this release includes all
features and fixes that were included in the 6.7.5.8 release.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1.x and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.1.x might cause unexpected behavior with configured HSMs.
See SG-23171 in Known Issues in SGOS 7.x for more information.
• ProxySG 7.2.1.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.1.1. If you
begin upgrading to 7.2.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.2.1.1 to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.2.1.1, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference.
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.x from an earlier version 7.x or from version 6.7.4.4 or later. If upgrading from version 6.7.4.2 or
earlier, an interim upgrade to version 6.7.4.3 might be required. To determine whether you can upgrade directly to
version 6.7.4.4, refer to KB Article 18536.
– Downgrade from 7.2.x to an earlier version 7.x or to version 6.7.4.4 or later.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.2.4.1


• SGOS 7.2.4.1 introduces new features and enhancements. See Features in SGOS 7.2.4.1.

Fixes in ProxySG 7.2.4.1


• This release includes a number of fixes. See Fixes in SGOS 7.2.4.1.
• To see any Security Advisories that apply to the version you are running, go to:
https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.2.4.1


SGOS 7.2.4.1 introduces the following new features:

Authenticated NTP
You can now specify NTP servers that support authentication, where the time messages are authenticated using
symmetric-key cryptography. After you obtain a key ID, unique encryption key, and key type from the NTP server authority,
you can add the information to the ProxySG appliance. Currently, the appliance supports the SHA1 key type.
The following CLI command was updated to support this feature:
#(config) ntp encrypted-server {domain_name|IP_address} key_id key_type key
Full information:
• SGOS Administration Guide
• Command Line Interface Reference

Absolute Management Console Session Timeout


A new command allows you to enable or disable an absolute timeout for all Management Console sessions:
#(config) security management [no] absolute-web-timeout <minutes>
where minutes is a value from 15 to 43200.
The appliance terminates all Management Console sessions after the specified timeout period. For best security, use this
command to require users to re-authenticate to the Management Console after the timeout. Full information:
• Command Line Interface Reference

IPv6 Support for Console ACL


You can now enter IPv6 addresses for the console access control list (ACL) in the Management Console (Configuration
> Authentication > Console Access > Console Access).


Additional Supported Apparent Data Types


The ProxySG appliance detects more apparent data types in HTTP requests and responses. The following types are now
supported in apparent data type CPL properties and conditions:

Label      Description                                                       Common Extensions
7ZIP       7-Zip archive                                                     .7z
ACE        ACE archive                                                       .ace
ARJ        ARJ archive                                                       .arj
COMPRESS   compress compressed file                                          .Z (different from .z)
CPIO       cpio archive                                                      .cpio
DAA        Direct Access Archive                                             .daa
EGG        EGG archive                                                       .egg
EML        raw email                                                         .eml, .mht, .mhtml
LHA        LHA archive                                                       .lha, .lzh
LZIP       Lzip compressed file                                              .lz
MACH-O     macOS application or library
TNEF       file encoded in Microsoft Transport-Neutral Encapsulation Format  .dat, .tnef
UUE        file encoded with uuencode or xxencode                            .uu, .uue, .xx, .xxe
XAR        Extensible Archive Format                                         .mpkg, .pkg, .xar
XZ         xz compressed file                                                .xz

Full information:
• Content Policy Language Reference
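Added example (not ProxySG code) of what apparent data type detection amounts to: classify a buffer by its leading bytes into the labels from the table above, then flag a URL whose extension does not match the detected type, which is the situation that policy keyed on apparent data type rather than on file name is meant to catch. It goes beyond the table by supplying the public signature bytes for each format; DAA and EML are omitted because a fixed prefix does not identify them, and the sample buffers are constructed.

```python
"""Added example (not ProxySG code): magic-byte classification into the
apparent data type labels listed on the page, plus an extension-mismatch
check.  Signatures are taken from each format's public specification."""
from typing import Optional

# (label, offset, signature); first match wins, so longer signatures first.
_SIGNATURES = [
    ("7ZIP", 0, b"\x37\x7a\xbc\xaf\x27\x1c"),
    ("XZ", 0, b"\xfd7zXZ\x00"),
    ("LZIP", 0, b"LZIP"),
    ("XAR", 0, b"xar!"),
    ("TNEF", 0, b"\x78\x9f\x3e\x22"),   # 0x223E9F78 stored little-endian
    ("EGG", 0, b"EGGA"),
    ("COMPRESS", 0, b"\x1f\x9d"),
    ("ARJ", 0, b"\x60\xea"),
    ("ACE", 7, b"**ACE**"),              # ACE magic sits after a 7-byte header
    # cpio: portable ASCII ("odc"), SVR4 ("newc"/"crc") and old binary forms.
    ("CPIO", 0, b"070707"),
    ("CPIO", 0, b"070701"),
    ("CPIO", 0, b"070702"),
    ("CPIO", 0, b"\x71\xc7"),
    ("CPIO", 0, b"\xc7\x71"),
]
# Mach-O: 32/64-bit, either byte order.
_MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                 b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}

# Extensions from the page's table; case matters (".Z" differs from ".z").
_EXPECTED_EXT = {
    "7ZIP": {".7z"}, "ACE": {".ace"}, "ARJ": {".arj"}, "COMPRESS": {".Z"},
    "CPIO": {".cpio"}, "EGG": {".egg"}, "LHA": {".lha", ".lzh"},
    "LZIP": {".lz"}, "MACH-O": set(), "TNEF": {".dat", ".tnef"},
    "UUE": {".uu", ".uue", ".xx", ".xxe"}, "XAR": {".mpkg", ".pkg", ".xar"},
    "XZ": {".xz"},
}


def apparent_data_type(data: bytes) -> Optional[str]:
    """Return the label for the buffer's leading bytes, or None if unknown."""
    for label, offset, sig in _SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return label
    if data[:4] in _MACHO_MAGICS:
        return "MACH-O"
    # LHA/LZH: compression method id such as "-lh5-" at offset 2 of the header.
    if (len(data) >= 7 and data[2:4] == b"-l"
            and data[4:5] in (b"h", b"z") and data[6:7] == b"-"):
        return "LHA"
    # uuencode/xxencode are text whose first line is "begin <mode> <name>".
    if data.startswith(b"begin ") and data[6:9].isdigit():
        return "UUE"
    return None


def extension_of(url_path: str) -> str:
    """Extension of the last path segment, case preserved; '' if none."""
    name = url_path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def extension_mismatch(data: bytes, url_path: str) -> bool:
    """True when the content is a recognised type whose listed extensions do
    not include the one on the URL (the cue that the file name is lying)."""
    label = apparent_data_type(data)
    if label is None:
        return False
    expected = _EXPECTED_EXT.get(label, set())
    return bool(expected) and extension_of(url_path) not in expected


# Constructed sample buffers (not real files): just enough header to classify.
SAMPLES = {
    "7ZIP": b"\x37\x7a\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 24,
    "XZ": b"\xfd7zXZ\x00\x00\x04\xe6\xd6\xb4F",
    "ACE": b"\x00" * 7 + b"**ACE**" + b"\x00" * 8,
    "LHA": b"\x24\x5d-lh5-" + b"\x00" * 16,
    "UUE": b"begin 644 payload.bin\r\n",
    "COMPRESS": b"\x1f\x9d\x90" + b"\x00" * 8,
}

if __name__ == "__main__":
    for label, buf in SAMPLES.items():
        print(label, "->", apparent_data_type(buf))
    print("7z served as .pdf mismatch:",
          extension_mismatch(SAMPLES["7ZIP"], "/downloads/report.pdf"))
```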

Web Visual Policy Manager Improvements


• The existing Application Group, Application Name, and Application Operation destination objects are available in
the Web Authentication and Web Content layers.
• For better navigation when creating and editing Combined Objects, you can sort objects by name or type.
• To provide better visibility into large policies with many rules, the rule view features a more condensed layout with less
unused space.
• You can add a policy rule at a specific position within a layer. In the VPM, open the context menu in a rule and select
Insert Rule. The new rule appears below the current rule.
• Various areas of the Web VPM interface were improved for a more consistent and intuitive user experience.

Trust Package Update


The trust package has been updated. To download the latest trust package, issue the following CLI:
#(config) load trust-package

DNS Transaction Access Log Fields


The following access log fields were added to help track DNS lookup times within HTTP transactions:
• x-client-dnslookup-time: Total time taken (in ms) to perform the client DNS lookup.
• x-server-dnslookup-time: Total time taken (in ms) to perform the server DNS lookup.

HTTP Transaction Access Log Fields


The following access log fields were added to help track HTTP transaction times:
• x-sr-https-handshake-time: Total time taken (in ms) to complete the HTTPS handshake of the upstream
connection.
• x-cs-https-handshake-time: Total time taken (in ms) to complete the HTTPS handshake of the downstream
connection.
• x-cs-rp-https-handshake-time: Total time taken (in ms) to complete the HTTPS handshake of the reverse
proxy connection.
• x-client-object-disposition-time: Total time taken (in ms) to determine the object disposition.

Fixes in SGOS 7.2.4.1


SGOS 7.2.4.1 includes the following bug fixes.

Table 180: Access Logging

ID Issue

SG-18288 Fixes an issue where access logs using a custom log format could not be uploaded via Kafka client to the broker.

Table 181: Authentication

ID Issue

SG-23666 Fixes an issue where the Web Visual Policy Manager did not prompt users to sign in again after the session
expired.
SG-23644 Fixes an issue by adding the IP address of the client to the event log message when the appliance receives a
Krb5 replay error.
SG-22754 Fixes an issue where users received "Appliance Error (configuration_error). Your request could not be processed
because of a configuration error. 'User has been logged out.'" This issue occurred when surrogate credentials
expired with SAML authentication.
SG-21796 Addresses an issue where the appliance experienced a page fault (error code 0x4) within process
"libauthenticator.exe.so" (0x40015).
SG-23208 Fixes an issue where the appliance experienced high memory usage in HTTP policy evaluation.
SG-22479 Fixes an issue where users experienced a redirect loop when using Chrome. This issue occurred because
Chrome refused authentication cookies for not having Secure and SameSite=none properties.
SG-23878 Addresses an issue where authenticated users were allowed to access the HTTPS-Console service even
though Management Console login banner (Notice and Consent Banner) policy was configured in the VPM. This
occurred if CPL policy layers were not ordered correctly.

Table 182: Cache Engine

ID Issue

SG-23589 Fixes a race condition where opening a cached object sometimes caused the appliance to stop
responding.


Table 183: CIFS Proxy

ID Issue

SG-20625 Fixes an issue where client machines lost connectivity to file shares after waking from sleep mode.

Table 184: CLI Consoles

ID Issue

SG-22064 Fixes an issue with high memory consumption in SSH.

Table 185: Diagnostic Tools

ID Issue

SG-22935 Fixes an issue where the appliance sent diagnostic reports to Symantec if the appliance was reinitialized.
Reinitialization is not an issue and does not require reports.

Table 186: Health Checks

ID Issue

SG-22815 Fixes a timing issue where the appliance would stop responding when modifying an access log in configuration.
SG-22116 Addresses an issue where the appliance experienced a restart in PG_HEALTH_CHECKS process: "HC
Watchdog" in "" at .text+0x0 SWE : 0x3a0004.

Table 187: HTTP Proxy

ID Issue

SG-22779 Fixes an issue where the appliance experienced a restart after receiving an invalid request when using HTTP/2
and SSLV offload.
SG-23197 Fixes an issue where the appliance experienced a restart when there were multiple concurrent HTTP/2 requests
and the web server closed the connection.
SG-23441 Fixes an issue where some webpages would not render correctly when an SSL Visibility appliance was
decrypting traffic.
SG-20969 Addresses an issue where the appliance experienced a page fault in process group "PG_HTTP" and process
"HTTP SW 109E777BA40 for 108F240BA40" in "libc.so" at .text+0x16b8c.
SG-20587 Fixes an issue where the policy trace and access log did not show categorization information. This issue
occurred when a tenant matched policy rules after the categorization occurred.
SG-14408 Fixes an issue where Websocket tunnels inflated some HTTP transaction time statistics.

Table 188: ICAP

ID Issue

SG-19149 Fixes an issue where patience pages took a long time to load when uploading a file for ICAP scanning. The
issue occurred if the filename contained an ampersand character (&).


Table 189: Kernel

ID Issue

SG-22879 Fixes an issue where configured routing tables on the appliance were not preserved after upgrading from version
6.7.5.6 to a later 6.7.x or 7.x.

Table 190: Licensing

ID Issue

SG-23360 Fixes an issue where adding a C16XS model to Integrated Secure Gateway resulted in "Warning: Non-standard
memory configuration detected."

Table 191: Network Drivers

ID Issue

SG-21976 Fixes an issue where ProxySG instances running on Hyper-V and Azure experienced a reduction in
performance due to batch processing being enabled.

Table 192: Proxy Forwarding

ID Issue

SG-23369 Fixes an issue where forwarding groups did not balance the load equally when members of the group were in a
failure state.

Table 193: SSL Proxy

ID Issue

SG-23117 Fixes an issue where the appliance could not establish outbound connections using TLS 1.3 for Java
applications.
SG-23380 Fixes an issue where server.certificate.validate.cclpolicy did not apply to tunneled SSL
transactions.
SG-22606 Addresses an issue where the appliance stopped responding in process group: "PG_CFSSL" and process:
"SSLW 21BB8E14F90" in "libc.so" at .text+0x168cd.

Table 194: SSL/TLS and PKI

ID Issue

SG-23060 Fixes an issue where the appliance experienced a restart after upgrading to SGOS 7.2.2.1 when tunnel-on-
protocol-error was enabled and a set of cascading SSL errors occurred.

Table 195: TCP/IP and General Networking

ID Issue

SG-22295 Addresses an issue where the Secure Web Gateway V100 platform experienced a restart in process group:
"PG_OBJECT_STORE" and process: "CEA Cache Administrator" in "" at .text+0x0.


Table 196: URL Filtering

ID Issue

SG-23245 Fixes an issue where a requested URL matched policy for "None" category even though the URL was
categorized in the local database.


SGOS 7.2.3.2 PR
Release Information
• Release Date: November 11, 2020
• Build Number: 256747

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1.x and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• Upgrading from ProxySG 6.7.x to version 7.1.x might cause unexpected behavior with configured HSMs.
See SG-23171 in Known Issues in SGOS 7.x for more information.
• ProxySG 7.2.1.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.1.1. If you
begin upgrading to 7.2.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.2.1.1 to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that denies low-strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were deprecated in
7.2.0.1, so policy that references them is unnecessary on 7.2.0.1 and later. For appliances running versions earlier
than 7.2.0.1, use the following CPL:

<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.2.1.1, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference .
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.1.1 from version 6.7.4.3 and later 6.7.x releases, or another version 7.x.
– Downgrade from 7.2.1.1 to version 6.7.4.3 and later 6.7.x releases, or another version of 7.x.
NOTE
If upgrading from SGOS 6.7.4.2 or earlier, you might have to upgrade to version 6.7.4.3 as an interim step
before upgrading to this release. For more information, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Fixes in ProxySG 7.2.3.2


• This release includes a number of fixes. See Fixes in SGOS 7.2.3.2.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Fixes in SGOS 7.2.3.2


SGOS 7.2.3.2 includes the following bug fixes.

Table 197: Cloud Platform

ID Issue

SG-22202 Addresses an issue where instances launched from the AWS Marketplace failed to complete bootstrapping
and were unable to boot up. This issue affected only newly-created instances and instances where
a #restore-defaults factory-defaults was issued in version 7.x. Version 6.7.x was
unaffected.

Table 198: Health Checks

ID Issue

SG-21726 Fixes an issue where HSM health check entries were missing after updating the HSM configuration.
SG-23269 Addresses an issue where the appliance stopped responding in process group: "PG_HEALTH_CHECKS"
and process: "HC Watchdog" in "" at .text+0x0.
SG-23525 Addresses an issue where the appliance stopped responding in process group: "PG_HEALTH_CHECKS"
and process: "HC Worker hsm.lunasp1p-nc" in "libcfssl.exe.so" at .text+0x3276fd.

Table 199: SSL/TLS and PKI

ID Issue

SG-13787 Fixes an issue where new HSM health checks were lost after a restart. This issue occurred when the HSM
names contained upper-case letters.
If you add an HSM whose name contains upper-case letters, the name is converted to lower-case. To
configure or refer to the HSM in the CLI, you must use the lower-case name. For example, if you add an
HSM called EastHSM1, the name is converted to easthsm1. To edit the HSM, specify the lower-case name
as in #(config)edit hsm easthsm1. You can verify HSM names using the #show ssl hsm command.
Note that this fix applies to newly-created HSMs only. Any existing HSMs whose names contain upper-case
letters will continue to have failed health checks.
SG-23630 Addresses an issue where the appliance stopped responding in process group: "PG_SSL_KEY2K" and
process: "** NO NAME **" in "libcfssl.exe.so" at .text+0x2fc493.

SGOS 7.2.3.1 GA
Release Information
• Release Date: September 28, 2020
• Build Number: 254850
NOTE
SGOS is cumulative. SGOS 7.2.3.1 is based on the SGOS 7.2.2.1 release. In addition, this release includes all
features and fixes that were included in the 6.7.5.7 release.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S410, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1.x and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• ProxySG 7.2.1.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.1.1. If you
begin upgrading to 7.2.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.2.1.1 to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that denies low-strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were deprecated in
7.2.0.1, so policy that references them is unnecessary on 7.2.0.1 and later. For appliances running versions earlier
than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• When upgrading to 7.2.1.1, your malware scanning configuration is not preserved. After upgrading, reconfigure your
malware scanning. For information, see the SGOS Administration Guide and ProxySG Web Visual Policy Manager
Reference .
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.1.1 from version 6.7.4.3 and later 6.7.x releases, or another version 7.x.
– Downgrade from 7.2.1.1 to version 6.7.4.3 and later 6.7.x releases, or another version of 7.x.
NOTE
If upgrading from SGOS 6.7.4.2 or earlier, you might have to upgrade to version 6.7.4.3 as an interim step
before upgrading to this release. For more information, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.
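The downgrade guidance above (repeated for 7.2.3.2, 7.2.3.1 and 7.2.1.1) relies on a force_deny rule that only helps if it is installed and actually matches. A practical check after a downgrade is to audit the access log for what was negotiated. The Go program below is an added example, not code from these release notes or from the appliance: it parses an ELFF-style access log using its #Fields directive, flags any client-side (x-cs) or server-side (x-rs) negotiated cipher that is an export, RC4, RC2, DES/3DES, NULL, anonymous or MD5 suite, and separately flags the "unknown" cipher value on TLS 1.3 tunnels that SG-19040 in the 7.2.2.1 fixes describes. The log lines are constructed for the example, and the field names x-cs-connection-negotiated-cipher, x-rs-connection-negotiated-cipher and the matching -ssl-version fields are assumed; substitute whatever your log format definition names them.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in ProxySG ELFF style. The negotiated-cipher and -version
// field names are assumptions about the log format, not taken from the release notes.
const sampleLog = `#Software: SGOS
#Fields: date time c-ip cs-host x-cs-connection-negotiated-ssl-version x-cs-connection-negotiated-cipher x-rs-connection-negotiated-ssl-version x-rs-connection-negotiated-cipher s-action sc-filter-result cs(User-Agent)
2020-11-11 10:00:01 10.1.1.5 www.example.test TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 TCP_TUNNELED OBSERVED "Mozilla/5.0 (X11; Linux x86_64)"
2020-11-11 10:00:02 10.1.1.6 legacy.example.test TLSv1.0 EXP-RC4-MD5 TLSv1.0 EXP-RC4-MD5 TCP_TUNNELED OBSERVED "curl/7.64.0"
2020-11-11 10:00:03 10.1.1.7 old.example.test TLSv1.1 DES-CBC3-SHA TLSv1.2 ECDHE-RSA-AES128-SHA TCP_TUNNELED OBSERVED "Mozilla/5.0 (Windows NT 10.0)"
2020-11-11 10:00:04 10.1.1.8 new.example.test TLSv1.3 unknown TLSv1.3 unknown TCP_TUNNELED OBSERVED "Mozilla/5.0 (X11; Linux x86_64)"
2020-11-11 10:00:05 10.1.1.9 bad.example.test TLSv1.0 EXP-DES-CBC-SHA - - TCP_DENIED DENIED "curl/7.64.0"
`

// Substrings that mark an export-grade or otherwise weak suite in OpenSSL naming.
var weakMarkers = []string{"EXP-", "RC4", "RC2", "DES-CBC", "NULL", "ADH-", "AECDH-", "MD5"}

// The two sides of a proxied connection and the (assumed) fields that describe each.
var sides = []struct{ name, cipher, version string }{
	{"client", "x-cs-connection-negotiated-cipher", "x-cs-connection-negotiated-ssl-version"},
	{"server", "x-rs-connection-negotiated-cipher", "x-rs-connection-negotiated-ssl-version"},
}

// Finding is one weak or suspicious negotiation on one side of one logged connection.
type Finding struct {
	Line   int
	Client string
	Host   string
	Side   string // "client" (x-cs fields) or "server" (x-rs fields)
	Cipher string
	Action string // s-action, to tell a tunnelled negotiation from a denied one
	Reason string // "weak-cipher" or "unknown-cipher-tls13"
}

// IsWeakCipher reports whether a suite name is one the CPL above should deny.
// "-" means no TLS was negotiated on that side; "" means the field is absent.
func IsWeakCipher(cipher string) bool {
	if cipher == "-" || cipher == "" {
		return false
	}
	for _, m := range weakMarkers {
		if strings.Contains(cipher, m) {
			return true
		}
	}
	return false
}

// SplitELFF splits one data line on spaces, keeping double-quoted values such as
// User-Agent together and unescaping a doubled quote inside them.
func SplitELFF(line string) []string {
	var tokens []string
	var cur strings.Builder
	inQuote := false
	for i := 0; i < len(line); i++ {
		ch := line[i]
		switch {
		case ch == '"' && inQuote && i+1 < len(line) && line[i+1] == '"':
			cur.WriteByte('"')
			i++
		case ch == '"':
			inQuote = !inQuote
		case ch == ' ' && !inQuote:
			tokens = append(tokens, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(ch)
		}
	}
	return append(tokens, cur.String())
}

// Audit walks an ELFF log, resolves columns from the #Fields directive, and returns every
// weak negotiation and every TLS 1.3 tunnel whose cipher was logged as "unknown".
func Audit(log string) ([]Finding, error) {
	var findings []Finding
	idx := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "#Fields:"):
			idx = map[string]int{}
			for i, f := range strings.Fields(strings.TrimPrefix(line, "#Fields:")) {
				idx[f] = i
			}
			continue
		case line == "" || line[0] == '#':
			continue
		}
		tok := SplitELFF(line)
		if len(tok) != len(idx) { // also catches data that precedes any #Fields directive
			return nil, fmt.Errorf("line %d: %d values for %d fields", n, len(tok), len(idx))
		}
		get := func(name string) string {
			if i, ok := idx[name]; ok {
				return tok[i]
			}
			return ""
		}
		for _, side := range sides {
			f := Finding{Line: n, Client: get("c-ip"), Host: get("cs-host"), Side: side.name, Cipher: get(side.cipher), Action: get("s-action")}
			switch {
			case IsWeakCipher(f.Cipher):
				f.Reason = "weak-cipher"
			case f.Cipher == "unknown" && get(side.version) == "TLSv1.3":
				f.Reason = "unknown-cipher-tls13"
			default:
				continue
			}
			findings = append(findings, f)
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := Audit(sampleLog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("line %d %s %s %s cipher=%s action=%s %s\n", f.Line, f.Client, f.Host, f.Side, f.Cipher, f.Action, f.Reason)
	}
}
```

Run it against a downloaded log with the #Fields header intact. After a downgrade with the CPL installed, a weak-cipher finding whose action is TCP_TUNNELED (as on the legacy.example.test line) means the deny rule is not matching; TCP_DENIED findings show the rule working.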

Changes in SGOS 7.2.3.1


• SGOS 7.2.3.1 introduces new features and enhancements. See Features in SGOS 7.2.3.1.

Fixes in ProxySG 7.2.3.1


• This release includes a number of fixes. See Fixes in SGOS 7.2.3.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.2.3.1


SGOS 7.2.3.1 introduces the following features.

Apparent Data Type Detection Improvements


This release improves the accuracy of apparent-data-type recognition in non-ICAP cases.

Unsupported Platform Message in Initial Configuration Wizard


If you are upgrading to version 7.x on an unsupported platform, the initial configuration wizard displays the following
message:

******************* CONFIGURATION ALERT *******************

This version of SGOS is no longer supported on this hardware.


System halted. Please reboot and select a supported version of SGOS.

Management Console Logout Message


When you log out of the Management Console, the web browser now displays the message, "You have successfully
logged out. Please close the browser window."

Fixes in SGOS 7.2.3.1


SGOS 7.2.3.1 includes the following bug fixes.

Table 200: Access Logging

ID Issue

SG-21506 Fixes an issue where the s-action and sc-filter-result fields returned incorrect values when a
connection was blocked.

Table 201: Authentication

ID Issue

SG-13697 Fixes an issue where users intermittently received a “Failure to authenticate a tunneled SSL request” error.
This issue occurred in explicit deployments.
SG-21605 Fixes an issue where CAPTCHA validator configuration failed with an error message, "Redirect URL
<URL> suffix is not found in generated list."
SG-22524 Fixes an issue where a SAML attribute that is no longer referenced in a SAML realm cannot be deleted.
SG-21196 Fixes an issue where the appliance failed to join an Active Directory (AD) domain. This issue occurred
when the appliance used AD site information from different forests.
SG-20114 Fixes an issue where the appliance stopped responding after LDAP server connections were incorrectly
determined to be pending.

Table 202: Cache Engine

ID Issue

SG-22439 Addresses an unexpected restart in SWE: 0x0 HWE: 0x40018 PFLA: 0x0 in PG_OBJECT_STORE
Process: "CEA Cache Administrator" in "" at .text+0x0.

Table 203: Health Checks

ID Issue

SG-16671 Fixes an issue where changes to the drtr.rating_service health check did not persist after issuing
the #restart regular command.

Table 204: HTTP Proxy

ID Issue

SG-4886 Fixes an issue where chunked encoded responses with invalid data were handled incorrectly.
SG-20669 Addresses an issue where the appliance stops responding in context "PG_HTTP Process: "HTTP SW
21301F91A40 for 115F4961A40" in "libhttp.exe.so". This issue occurred on the SG-S500 platform.

Table 205: Management Console

ID Issue

SG-21741 Fixes an issue where selecting a keyring in SSL proxy service configuration in the Management Console
returned the message "Keyring <name> not found". This issue occurred when the keyring name included
spaces.
SG-19397 Fixes an issue where clicking the Documentation and Support links in the Management Console
displayed incorrect web pages.

Table 206: Policy

ID Issue

SG-21910 Addresses a restart in process: "HTTP SW 40F7BD3CA40 for 111B47EDA40" in "libpolicy_enforcement.so" at .text+0x30b904.
SG-21556 Fixes an issue where WebEx application/operation policy did not work due to application renaming. In the
current Application Classification database, the WebEx Application name is "Cisco WebEx".
SG-19798 Fixes an issue where online meeting applications terminated periodically after new central policy was
installed. The online meeting application matches <SSL> rules in the central policy.

Table 207: Services

ID Issue

SG-21637 Fixes an issue where WebPulse requests sometimes returned an "unavailable" status.

Table 208: SNMP

ID Issue

SG-11869 Fixes an issue where the SNMP response from the appliance returned a value of 5 bytes for
DeviceDiskTimeStamp; SNMP Manager accepts only 4 bytes.
SG-20949 Fixes an issue where using smilint on BLUECOAT-SG-AUTHENTICATION-MIB.txt resulted in numerous
error messages.

Table 209: SSL/TLS and PKI

ID Issue

SG-21941 Fixes memory leaks in OpenSSH.
SG-22496 Fixes an issue where using the CLI command #(config)upgrade-path <URL> did not work.
SG-20688 Fixes an issue where ProxySG certificate validation failed incorrectly. This issue occurred when the
server certificate's chain of trust was rooted to an expired issuer certificate authority (CA), but was also
cross-signed to a valid trusted CA. Now, when the primary certificate chain has an expired issuer CA, the
alternate chain is validated if it is not expired.
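SG-20688 is the cross-signing case that surfaced widely in 2020 as older roots expired: the server presents a chain whose issuer CA is anchored at an expired root, but the same issuing key is also certified by a newer root that is still valid. A validator that only follows the presented chain fails; one that builds alternate paths succeeds. The Go program below is an added example that reproduces the scenario with an in-memory PKI constructed for illustration (not the appliance's validator, and not real CAs). It uses Go's crypto/x509 path builder, which tries every candidate parent, as a stand-in for the post-fix behaviour: making the cross-signed intermediate available is what turns the failure into a success, and with only the expired root trusted nothing validates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is an in-memory hierarchy constructed for this example, not a real CA:
// an expired legacy root, a valid modern root, one issuing-CA key certified by
// both roots, and a server leaf issued under that key.
type PKI struct {
	LegacyRoot, ModernRoot, Issuing, IssuingCrossSigned, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl for pub under parent (parent == tmpl means self-signed) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func BuildPKI(now time.Time) PKI {
	year := 365 * 24 * time.Hour
	legacyKey, modernKey, issuingKey, leafKey := newKey(), newKey(), newKey(), newKey()

	legacyTmpl := caTemplate(1, "Legacy Root CA", now.Add(-10*year), now.Add(-24*time.Hour)) // expired yesterday
	legacyRoot := sign(legacyTmpl, legacyTmpl, &legacyKey.PublicKey, legacyKey)
	modernTmpl := caTemplate(2, "Modern Root CA", now.Add(-5*year), now.Add(10*year))
	modernRoot := sign(modernTmpl, modernTmpl, &modernKey.PublicKey, modernKey)

	// Same issuing key and subject in two certificates: the original from the legacy
	// root, and the cross-signed copy from the modern root.
	issuing := sign(caTemplate(3, "Issuing CA", now.Add(-year), now.Add(year)), legacyRoot, &issuingKey.PublicKey, legacyKey)
	crossSigned := sign(caTemplate(4, "Issuing CA", now.Add(-year), now.Add(year)), modernRoot, &issuingKey.PublicKey, modernKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:  []string{"www.example.test"},
		NotBefore: now.Add(-30 * 24 * time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return PKI{legacyRoot, modernRoot, issuing, crossSigned, sign(leafTmpl, issuing, &leafKey.PublicKey, issuingKey)}
}

// AnchorOf validates leaf against the given trust anchors and intermediates and returns
// the CN of the root that anchored the accepted chain. Go's path builder tries every
// candidate parent, so an alternate path through a cross-signed intermediate is found
// when the path through the expired root is rejected.
func AnchorOf(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, now time.Time) (string, error) {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range intermediates {
		ip.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, CurrentTime: now, DNSName: "www.example.test"})
	if err != nil {
		return "", err
	}
	return chains[0][len(chains[0])-1].Subject.CommonName, nil
}

func main() {
	now := time.Now()
	pki := BuildPKI(now)
	roots := []*x509.Certificate{pki.LegacyRoot, pki.ModernRoot}
	_, err := AnchorOf(pki.Leaf, roots, []*x509.Certificate{pki.Issuing}, now)
	fmt.Println("presented chain only:", err)
	anchor, err := AnchorOf(pki.Leaf, roots, []*x509.Certificate{pki.Issuing, pki.IssuingCrossSigned}, now)
	fmt.Println("with cross-signed intermediate:", anchor, err)
}
```

The pre-fix symptom corresponds to the first call: the only path the validator can build ends at the expired legacy root, so validation fails even though a valid anchor is trusted. The second call is the fixed behaviour the note describes, where the alternate chain through the cross-signed intermediate is validated because it is not expired.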

Table 210: SSL Proxy

ID Issue

SG-18062 Fixes an issue where frequent policy installations resulted in high memory consumption.
SG-22396 Addresses an issue where the appliance stopped responding in process group "PG_SSL_HNDSHK"
Process: "HTTP SW 30F72E24A40 for 40D8A6E8A40" in "kernel.exe" at .text+0x1336fbc.
SG-17320 Fixes an issue where memory leaks occurred when running RWT scripts with SSLV offload enabled.
SG-22173 Fixes an issue where users received HTTP error 400 because client SSL certificates were not sent in
forward proxy mode.

Table 211: System Statistics

ID Issue

SG-22082 Addresses an exception in Process group: "PG_BDC_TUNNEL", Process: "bdc.tunnel.sw.004082E0.7055861A000" in "libbdc.exe.so" at .text+0x2ff3c4.

Table 212: TCP/IP and General Networking

ID Issue

SG-12989 Fixes an issue where the CLI was unresponsive after issuing the #clear-arp CLI command. This issue
occurred if routing domains were configured.
SG-20553 Addresses an issue where the appliance stopped responding in process group: "PG_TCPIP" Process:
"CLI_Worker_2" in "libstack.exe.so" at .text+0x42da71.
SG-21850 Fixes an issue where memory usage was high due to too many packets in the netisr queue.
SG-21879 Fixes an issue where a network interface was unstable during peak hours.

Table 213: URL Filtering

ID Issue

SG-19054 Fixes an issue where thresholds for CPU throttling set via #(config content-filter)cpu-throttle disk <low> <high> did not persist after a reboot.

SGOS 7.2.2.1 GA
Release Information
• Release Date: August 17, 2020
• Build Number: 253750
NOTE
SGOS is cumulative. SGOS 7.2.2.1 is based on the SGOS 7.2.1.1 release. In addition, this release includes all
features and fixes that were included in the 6.7.5.6 release.

Supported Platforms
• ProxySG hardware appliances: S200, S410, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• Integrated Secure Gateway: 2.1.x and later
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.2.1 from version 6.7.4.3 and later 6.7.x releases, or another version 7.x.
– Downgrade from 7.2.2.1 to version 6.7.4.3 and later 6.7.x releases, or another version of 7.x.
NOTE
If upgrading from SGOS 6.7.4.2 or earlier, you might have to upgrade to version 6.7.4.3 as an interim step
before upgrading to this release. For more information, refer to KB Article 18536.

See the SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.2.2.1


• SGOS 7.2.2.1 introduces new features and enhancements. See Features in SGOS 7.2.2.1.

Web Visual Policy Manager Updates


• SGOS 7.2.2.1 includes Web Visual Policy Manager (VPM) bug fixes. See Web Visual Policy Manager Fixes in SGOS
7.x.

Fixes in SGOS 7.2.2.1


• This release includes a number of fixes. See Fixes in SGOS 7.2.2.1.
• To see any Security Advisories that apply to the version you are running, go to https://support.broadcom.com/security-advisory/security-advisories-list.html. New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.2.2.1


SGOS 7.2.2.1 introduces the following features.

ProxySG Admin Console 1.1.2.1


The ProxySG Admin Console, introduced with SGOS 7.2.1.1 GA, has been updated with more configurations and
workflows:
• Health checks
• Service info and snapshot jobs
• IWA, LDAP, and RADIUS authentication realms
• Thales Luna HSM integration
Refer to Symantec HSM Agent 2.0 documentation for details on HSM configuration.
• SSH inbound connections
• SSH outbound connections
The ProxySG Admin Console is not associated with SGOS releases; thus, you can use these new features without having
to change your SGOS version. See About the ProxySG Admin Console for compatibility information.
More information:
• ProxySG Administration (Admin Console Edition)
• Management Center 2.4 Configuration and Management Guide

Trust Package Update


The Hongkong Post Root CA 3 certificate has been added to the trust package. The trust package was made available for
download on May 1, 2020.

DNS Server Resolution Behavior Changes


The appliance now contacts DNS servers in the order in which they are listed, skipping any server that is offline and
moving on to the next online server. The server that answers is then contacted first for subsequent queries.
More information:
• SGOS Upgrade/Downgrade Guide
• How does the DNS resolution work on the ProxySG? (article ID 165929)
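To make the ordering concrete, the Go type below models it as an added example (not appliance code): servers are walked in configured order, non-responding ones are skipped, and the one that answered becomes the first candidate for later queries. The note does not say what happens when that preferred server later stops answering, so the model assumes the walk restarts from configured order. The probe is injected so the logic runs offline, and the addresses are made up.

```go
package main

import (
	"errors"
	"fmt"
)

// Probe stands in for a real DNS query and reports whether the server answered.
// It is injected so the selection logic can be exercised without a network.
type Probe func(server string) bool

// ErrAllOffline is returned when no configured server answers.
var ErrAllOffline = errors.New("no configured DNS server answered")

// Selector models the behaviour described in the note: configured order, skip
// servers that do not answer, and remember the one that did. Assumption: when the
// remembered server later fails, the walk restarts from configured order.
type Selector struct {
	Servers   []string
	probe     Probe
	Preferred string // last server that answered; empty until the first success
}

func NewSelector(servers []string, probe Probe) *Selector {
	return &Selector{Servers: servers, probe: probe}
}

// Order returns the sequence in which servers will be tried for the next query.
func (s *Selector) Order() []string {
	if s.Preferred == "" {
		return append([]string(nil), s.Servers...)
	}
	out := []string{s.Preferred}
	for _, srv := range s.Servers {
		if srv != s.Preferred {
			out = append(out, srv)
		}
	}
	return out
}

// Query returns the server that answered and every server contacted on the way;
// each entry in tried before the last one cost the query a timeout.
func (s *Selector) Query() (answered string, tried []string, err error) {
	for _, srv := range s.Order() {
		tried = append(tried, srv)
		if s.probe(srv) {
			s.Preferred = srv
			return srv, tried, nil
		}
	}
	s.Preferred = ""
	return "", tried, ErrAllOffline
}

func main() {
	// Constructed topology: the first configured server is down, the other two are up.
	online := map[string]bool{"10.0.0.1": false, "10.0.0.2": true, "10.0.0.3": true}
	sel := NewSelector([]string{"10.0.0.1", "10.0.0.2", "10.0.0.3"}, func(srv string) bool { return online[srv] })
	for i := 0; i < 2; i++ {
		answered, tried, err := sel.Query()
		fmt.Println("answered:", answered, "tried:", tried, "err:", err)
	}
}
```

The length of tried is the cost of the query in timeouts: only the first query pays for the offline server at the head of the list, which is the behaviour SG-9432 in the 7.2.2.1 fixes restores for boot-time resolution.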

Management Console JAR File Update


The certificate used to sign the Management Console loader.jar has been updated. If you downloaded the Management
Console loader.jar from KB articles previously, refer to the appropriate article for the latest version of the JAR file:
• Launch SGOS management consoles using the Management Console Launcher
https://knowledge.broadcom.com/external/article?articleId=169194
• Management Console Launcher for systems without Internet connectivity
https://knowledge.broadcom.com/external/article?articleId=169208
• Support for Java 11 on ProxySG and Advanced Secure Gateway appliances
https://knowledge.broadcom.com/external/article?articleId=173228

Timezone Database Enhancements


• A new timezone CLI command has been added to display timezone and timezone database information:
# show timezones details
• A full timezone database is installed on newly-manufactured ProxySG virtual appliances, or when a system is re-
initialized using the # restore-defaults factory-defaults CLI command. Previously, only a mini-database
was available and running the # load timezone-database CLI command was required to get the full database.
Now, the # load timezone-database command is needed only to download subsequent database updates from
http://download.bluecoat.com.
• The timezone database has been updated to reflect changes in Release 2020a of the IANA timezone database.
More information:
• Command Line Interface Reference

Custom Upload Client Configuration


Custom access log upload client configuration now accepts hostname as an alternative to host IP address:
#(config log log_name)custom-client {alternate | primary} {hostname | host_IP_address} [port]

More information:
• Command Line Interface Reference

Deprecations and Removals


• TLS 1.3 offload support for SSLV has been disabled. This feature will be supported in a later release. (SG-21320)

Fixes in SGOS 7.2.2.1


SGOS 7.2.2.1 includes the following bug fixes.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 214: Access Logging

ID Issue

SG-11525 Fixes an issue where Kafka continuous upload was slow.
SG-18169 Fixes an issue where the config field in access logs was limited to fewer than 7000 characters.
SG-18470 Fixes an issue where access log uploads via SCP did not recover when a failure in the upload caused an
invalid SSH server configuration.
SG-15198 Fixes an issue where the appliance experienced a restart due to receiving an empty cache buffer.
SG-10110 Fixes an issue where the s-action access log field was blank.
SG-20673 Fixes an issue where logs were not uploaded to the log server via custom client due to a server domain
mismatch error. The issue occurred even when Verify Peer was disabled.

Table 215: Authentication

ID Issue

SG-18357 Fixes an issue where authentication was impacted by Google Chrome's option for SameSite secure cookie
settings being enabled by default.
SG-12666 Fixes an issue where appliance experienced CAC performance issues.
SG-8116 Fixes an issue where "undefined" appears instead of "admin" in the logout URL of the Management
Console.
SG-18417 Fixes an issue where the appliance experienced a page-fault restart in process "likewise
Lwbase_EventThread" in "liblikewise.exe.so" at .text+0x5311a8.
SG-19013 Fixes an issue where the appliance could not join the active directory in GCP because its hostname was
too long.
SG-20312 Fixes an issue where the CAPTCHA form was not displayed when using CAPTCHA authentication.

Table 216: BCAAA

ID Issue

BCAAA-7 Fixes an issue where a security change in Windows Server 2019 prevented Windows SSO from receiving
authenticated users from domain controllers. When this issue occurred, the BCAAA log displayed the
message "Cannot query domain controller <IP_address>; status=5:0x5:Access is denied". This fix
requires additional configuration steps; refer to KB article 194792 for instructions.

Table 217: Cache Engine

ID Issue

SG-20885 Addresses an issue where the appliance stopped responding in Process group: "PG_OBJECT_STORE"
Process: "CEA Cache Administrator".

Table 218: CLI Consoles

ID Issue

SG-21358 Fixes an issue where show xml-config concise output was inconsistent with previous versions of
SGOS.
SG-18306 Fixes an issue where the appliance did not log a message in the event log when the command #(config
ssh-console)delete client-key client_key_name was issued.
SG-17715 Fixes an issue where the character "?" was removed from data that the appliance imported.

Table 219: DNS Proxy

ID Issue

SG-17287 Fixes an issue where the appliance experienced a restart in DNS_ghbyaddr_send.

Table 220: Health Checks

ID Issue

SG-21465 Addresses exceptions in DNS health checks in a SWG VA on Microsoft Azure deployment.

Table 221: Health Monitoring

ID Issue

SG-14656, SG-20825 Fixes an issue where HTTPS health check connections to servers with multiple virtual hosts failed. When
this issue occurred, the server returned a certificate containing a different CN from the one specified in
configuration.

Table 222: HTTP Proxy

ID Issue

SG-20933 Addresses an issue where the appliance stopped responding with HE 0xE (page fault) in process H2 CCH-
* in libc.so.
SG-18526 Fixes an issue where the appliance sometimes experienced a restart when request.icap_mirror(yes) was
triggered in policy under some circumstances.
SG-20412 Fixes an issue introduced in version 6.7.5.3 where large amounts of IPv4 ARP traffic sometimes caused
the appliance to restart. This issue was not likely to occur in deployments with fewer appliances on the
same network.

Table 223: ICAP

ID Issue

SG-18900 Fixes an issue where the appliance's performance was affected by the monitoring and logging for long-running ICAP REQMOD transactions.
SG-18842 Fixes an issue where the Event Log did not capture the duration of deferred ICAP RESPMOD transactions
in the log details.

Table 224: Kernel

ID Issue

SG-21332 Fixes an issue where Secure Web Gateway virtual appliances running on Hyper-V or Microsoft Azure
platforms with multiple network interfaces stopped processing on one or more interfaces, causing the VA to
stop responding.
This fix introduces an issue where the VA experiences lower throughput and performance (up to 10%)
compared to other virtualization environments.
SG-21298 Addresses an issue where the appliance stopped responding in process Group:"" Process:"kernel.exe".

Table 225: MAPI Proxy

ID Issue

SG-15223 Fixes an issue where MAPI handoff broke during the export of large uncached attachments to the PST file
from the Online Archive folder.

Table 226: Policy

ID Issue

SG-17978 Fixes an issue where the browser address bar showed an incorrect URL after successful LDAP
authentication.
SG-18066 Fixes an issue where quota policy failed to compile on a new installation of version 7.2.1.1.
SG-13680 Fixes an issue where certain websites were incorrectly denied due to domain fronting detection CPL.
SG-19826 Fixes an issue where the appliance attempted to contact servers when policy contained deny or
access_server(no) CPL in a Web Request layer.
SG-19540 Fixes an issue where the appliance experienced a restart when returning an exception page.
SG-22028 Addresses an issue where the appliance stopped responding in Process: "CLI_Worker_0" in "kernel.exe"
at .text+0x12d6564.

Table 227: Registry

ID Issue

SG-20565 Addresses an issue where the appliance stopped responding in PG_HEALTH_CHECKS in Process "HC
Watchdog" in "" at .text+0x0.

Table 228: SNMP

ID Issue

SG-20925 Fixes an issue where the BLUECOAT-SG-PROXY-MIB contained an invalid date. Download the latest MIB
files from the Broadcom download portal.

Table 229: SSL Proxy

ID Issue

SG-18193 Fixes an issue where the HTTP CONNECT hostname was not rewritten according to rewrite() policy
when proxy forwarding was enabled.
SG-21147 Fixes an issue where the SNI hostname was not rewritten according to rewrite() policy in the initial
proxied connection.
SG-21748 Fixes an issue where the appliance does not request a client certificate for TLS 1.3 in reverse proxy mode
although the HTTPS service is configured to forward the client certificate.
SG-17104 Addresses an issue where the appliance stopped responding in PG: "PG_SSL_HNDSHK": Process:
"SSLW 10B8E433FB0" in "libshared_dll.exe.so" at .text+0x2273ce.
SG-20873 Fixes an issue where uninitialized memory could cause the appliance to stop responding.
SG-18971 Fixes an issue where SSL Proxy transactions were restarted when tunneled.
SG-19324 Fixes an issue where an HTTP memory leak would occur when traffic was intercepted on a policy
exception.
SG-18241 Fixes an issue where expired trust package certificates were used instead of valid certificates.
SG-16627 Fixes an issue where the appliance experienced a restart in process group "PG_SSL_HNDSHK" in process
"cag.subscription" in "kernel.exe" at ".text+0x131e8ba"
SG-19710 Fixes an issue where ssl.forward_proxy(no) and ssl.forward_proxy(on_exception)
policy was not applied to TLS 1.3 tunneled sessions.
SG-18824 Fixes an issue introduced in 6.7.5.2 where the appliance experienced a restart when a forwarding rule was
configured for tunneled SSL traffic.
SG-19040 Fixes an issue where the negotiated-cipher fields in the access log show "unknown" for tunneled TLS 1.3
connections.
SG-19728 Fixes an issue where guest authentication was unexpectedly applied, causing users to be denied access to
sites.
SG-17859 Fixes an issue where the appliance unexpectedly reached a force_deny verdict in policy evaluation due
to missing HTTP request attributes.
SG-19727 Fixes an issue where the forwarding rules were ignored when a verdict was reached in an ssl.tunnel
transaction.
SG-19407 Fixes an issue where the appliance did not close connections with a TCP RESET that received force_deny
and force_exception verdicts.
SG-18488 Fixes an issue where appliance forwarded some but not all CH bytes and could not tunnel on error for
SSLv2 traffic.

Table 230: SSL/TLS and PKI

ID Issue

SG-20787 Fixes an issue where TLS 1.3 did not work in reverse proxy when a keylist was specified.
SG-20736 Fixes an issue where users received HTTP error 403 with multi-tenant policy installed. The policy worked
as expected in version 6.7.5.3, but not in version 7.2.x.
SG-19003 Fixes an issue where Tunneled TLS 1.2 SSL connections failed with an SSL failed error message.
SG-19215 Fixes an issue where the appliance displayed an error message that keylist and keyring names cannot be
identical, but saved configurations that contained identical names.
SG-9186 Fixes an issue where WebPulse service health checks failed after setting a default OCSP responder.
SG-18246 Fixes an issue introduced in version 6.7.4.9 where server connections were not reused in an HTTPS
reverse proxy deployment.
SG-17567 Fixes an issue where memory usage per connection increased significantly when the appliance reached
the maximum number of HTTPS connections via SSL tunnel and detect protocol was enabled.

Table 231: SSLV Integration

ID Issue

SG-18207 Fixes an issue where offloading to an SSL Visibility appliance was not working.

Table 232: TCP/IP and General Networking

ID Issue

SG-20407 Fixes an issue where the appliance sent TCP window update packets to the client via an incorrect
interface.
SG-17255 Fixes an issue where updating the WCCP home router in the Management Console would cause the
current WCCP group to disappear from the Management Console.
SG-17191 Fixes an issue where the appliance experienced a restart in process group "PG_TCPIP" in process
"WCCP_Admin" in "libstack.exe.so".
SG-18438 Fixes an issue where the appliance experienced a restart in process group "PG_TCPIP" in process "SSLW
13CE432FFB0" in "libstack.exe.so" at ".text+0x579d5b".
SG-18876 Fixes an issue where the appliance experienced a restart in process group "PG_TCPIP" in process "stack-
admin" in "libstack.exe.so" at ".text+0x5471ee".
SG-9432 Fixes an issue where the appliance's boot up was delayed or could not be completed if offline DNS servers
appeared in the list of servers before online servers in the primary group or alternate groups if all primary
DNS servers were offline.
SG-19941 Fixes an issue where the appliance experienced a restart when removing a non-configured IPv6 address
from the VLAN.
SG-18333 Fixes an issue where the final TCP reset (RST) uses a different interface from the rest of the TCP
conversation.
SG-19960 Addresses an issue where the appliance experienced a restart in process group: "PG_TCPIP" Process:
"CLI_Worker_0" in "libstack.exe.so" at .text+0x435ed7.
SG-20486 Addresses an issue where the appliance experienced a restart in process "SSLW 80F319F0FA0" in
"libstack.exe.so" at .text+0x4f1e1a.
SG-18519 Fixes an issue where responses to SNMP polls were sent to the default routing domain interface even
though SNMP traffic was configured for a different routing domain.

Table 233: TCP Tunnel Proxy

ID Issue

SG-19940 Fixes an issue where TCP-Tunneling/tunnel-stats did not display IPv6 server address.
SG-9860 Fixes an issue where a large number of idle TCP tunnel connections and a high rate of policy reloading
caused a large increase in memory consumption.

Table 234: Visual Policy Manager (Legacy)

ID Issue

SG-20277 Fixes an issue where clicking Install Policy multiple times cleared all VPM policy, despite a message
indicating that installation was in progress.

SGOS 7.2.1.1 GA
Release Information
• Release Date: May 29, 2020
• Build Number: 250985
NOTE
SGOS is cumulative. SGOS 7.2.1.1 is based on the SGOS 6.7.5.2 release. In addition, this release includes all
features and fixes that were included in the 7.1.1.1 and 7.2.0.1 releases.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• HSM Agent: 2.0 and later
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
NOTE
The new ProxySG Admin Console (SGAC) requires Management Center 2.4.x or later.
• ProxyAV: 3.5.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release


• ProxySG 7.2.1.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.1.1. If you
begin upgrading to 7.2.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process,
disable FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your
appliance will not function as expected.
• If you are downgrading from ProxySG 7.2.1.1 to a version earlier than 7.2.0.1, ensure that after you downgrade your
policy includes CPL that protects against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers were
deprecated in 7.2.0.1 and any policy that references them is no longer necessary. For appliances running versions
earlier than 7.2.0.1, use the following CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny
<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.1.1 from version 6.7.4.3 and later 6.7.x releases, or another version 7.x.
– Downgrade from 7.2.1.1 to version 6.7.4.3 and later 6.7.x releases, or another version of 7.x.
NOTE
If upgrading from SGOS 6.7.4.2 or earlier, you might have to upgrade to version 6.7.4.3 as an interim step
before upgrading to this release. For more information, refer to KB Article 18536.
See SGOS Upgrade/Downgrade documentation for the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.2.1.1


• SGOS 7.2.1.1 introduces new features and enhancements. See Features in SGOS 7.2.1.1.

Web Visual Policy Manager Updates


• SGOS 7.2.1.1 includes Web Visual Policy Manager (VPM) bug fixes. See Web Visual Policy Manager Fixes in SGOS
7.x.

Fixes in ProxySG 7.2.1.1


• This release includes a number of fixes. See Fixes in SGOS 7.2.1.1.
• To see any Security Advisories that apply to the version you are running, go to: https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.2.1.1


SGOS 7.2.1.1 introduces the following features.

Introduction of ProxySG Admin Console


This SGOS release coincides with the initial release of the Blue Coat ProxySG Admin Console (SGAC), which is designed
to help you manage and monitor the appliance more efficiently. This next-generation web interface is the successor to the
Java-based Management Console and can be accessed through the latest browsers. This initial release of the ProxySG
Admin Console focuses on replacing the most commonly utilized configuration and workflow steps, with additional
releases to follow.
The ProxySG Admin Console is not associated with SGOS releases; thus, you can access new workflows and
configurations without having to change your SGOS version.
To access the Admin Console, you require Symantec Management Center version 2.4 or later. Download Management
Center from the Broadcom Support site.
More information:
• About the ProxySG Admin Console
• SGOS Administration (Admin Console Edition)
• Management Center 2.4 Configuration and Management Guide

Web Visual Policy Manager


This release includes the new Web Visual Policy Manager (VPM). The Web VPM allows you to manage your
organization's policies in a redesigned web-based interface. The improved experience of writing and installing policy
includes:
• Re-organized and modern look-and-feel in an easy-to-read browser tab
• Ability to compare current policy with deployed policy before saving changes
• Ability to identify and locate all conditions and actions in both generated and current policy
The legacy VPM is still available. Changes to policy using either VPM persist and are reflected in both VPM instances
(except in cases of downgrades).
Minimum Requirements
• Display resolution:
– 1366 x 768
• Supported browsers:
– Google Chrome 60.0.3112 and later
– Mozilla Firefox 57 and later
– Microsoft Edge 42.17134 and later
– Safari 10.1.2 and later
CAUTION
Microsoft Internet Explorer is not supported. If Internet Explorer is your default browser (or if you use a
supported browser that launches the VPM in Internet Explorer), you can right-click and copy the Visual
Policy Manager link at the top right of the Management Console. Then, paste the URL into a supported browser.
In addition, the web-based VPM and all of its functionality are available in Symantec Management Center. Refer to
Management Center documentation for details.
More information:
• ProxySG Web Visual Policy Manager Reference

Policy Services Subscription and Security Policies


Symantec’s Policy Services is a policy subscription service that delivers curated security policies to the appliance to block
malware downloads and web threats, and to help you quickly configure compliant network security policies. Use this
feature to implement best-practices security coverage, and to facilitate setup, deployment, and testing of policies.
Policy Services is available on all entitled ProxySG hardware and virtual appliances:
• An entitled appliance must have an active and valid support maintenance contract.
• An entitled virtual appliance must be under an active subscription or extension (that is, the subscription term is valid
and has not reached its termination end date).
• The subscription is enabled by default and no additional purchase is required to use the policy; however, for optimum
coverage, the Policy Services subscription should be enabled to keep the policy up to date. To keep the subscription
active, make sure that your Symantec support contract or subscription term is valid.
NOTE
Content Security Policy has superseded Malware Scanning from version 6.7.x, but Symantec Web Security
Service (WSS) is not yet updated with Content Security Policy rules. In the interim, deployments using Content
Security Policy on the appliance with Universal Policy enforcement will continue to use the previous threat
protection policy. Content Security Policy levels are mapped to WSS security levels; refer to the SGOS Upgrade/
Downgrade documentation for details.
Access Security Policy
Enable this policy to block malicious transactions. Refer to https://knowledge.broadcom.com/external/article/174668 for
details.
Content Security Policy
Enable this policy to secure content scanning. Refer to https://knowledge.broadcom.com/external/article/174669 for
details.
More information:
• SGOS Administration Guide - Using Policy Services
• ProxySG Web Visual Policy Manager Reference
• SGOS Security Best Practices
• SGOS Upgrade/Downgrade Guide - Behavior Changes Applicable to SGOS 7.1.x Upgrade/Downgrade
• Integrating Content Analysis 3.0 with Other Symantec Products: ProxySG and Malware Analysis

TLS 1.3 Support


For improved security and performance, this release supports the TLS 1.3 protocol in configurations and policy gestures.
SSLv2 support has been removed (see Removals and Deprecations).
When configuring the following services/profiles in the Management Console and in the CLI, TLS 1.3 is available and
SSLv2 has been removed:
• HTTPS Console service
• HTTPS reverse proxy service
• SSL client profile
• SSL device profile
For the following VPM objects and associated policy gestures, TLS 1.3 has been added as an option and SSLv2 has been
removed:
• Client Negotiated SSL Version objects (legacy and web VPM)
client.connection.negotiated_ssl_version=
• Server Negotiated SSL Version objects (legacy and web VPM)
server.connection.negotiated_ssl_version=

New Cipher Suites


The following TLS 1.3 cipher suites have been added:
• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• TLS_AES_128_GCM_SHA256
• TLS_AES_128_CCM_8_SHA256
• TLS_AES_128_CCM_SHA256
In addition, 40- and 56-bit ciphers, and Export and Low strength ciphers have been removed.
Refer to https://knowledge.broadcom.com/external/article/170130 for a list of all cipher suites shipped with the appliance.
NOTE
TLS 1.3 is not supported in ADN mode. When ADN is enabled, TLS 1.3 client connections are downgraded to
TLS 1.2.
Impact on FIPS Mode
This release is based on OpenSSL 1.1.1, which supports TLS 1.3 but does not support FIPS 140-2. As a result, this
release is not FIPS-capable. See Limitations in SGOS 7.x and the SGOS Upgrade/Downgrade documentation for more
information.
More information:
• SGOS Administration Guide
• Command Line Interface Reference
• Content Policy Language Reference
• Web Visual Policy Manager Reference
• Legacy Visual Policy Manager Reference

Symantec HSM Agent 2.0


This release supports Symantec HSM Agent 2.0 for the Thales Luna 7 HSM. This agent integrates with a network-based
HSM to communicate with ProxySG and SSLV appliances. Signing requests for certificate emulation are sent to the HSM,
where the intermediate resigning CA resides in the HSM. To allow your network-based Luna HSM to accept certificate
signing requests from your ProxySG and SSL Visibility appliances, host the HSM Agent in a Docker container. Use
Docker secrets to protect sensitive certificate and password data in your HSM deployment.
More information:
• Symantec HSM Agent 2.0 for the Thales Luna 7 HSM

HTTP/2 Support
The SGOS appliance now supports the HTTP/2 protocol. HTTP/2 offers improved performance due to its compression
of HTTP headers, and multiplexing multiple requests and responses over a single connection. The feature is enabled by
default, without the need for additional configuration or policy, and includes the following:
You can change these default settings by configuring settings and policy.
Configuring HTTP/2 Settings and Policy
To configure HTTP/2 on the appliance, use the new #(config) http2 commands. Refer to the Command Line
Interface Reference for details.
The following policy objects and gestures have been added or updated for this feature.

Table 235: HTTP/2 Policy Changes

VPM Object / CPL / Description

VPM Object: New static Action objects: Accept HTTP/2 Client-Side Connections; Do Not Accept HTTP/2 Client-Side
Connections
CPL: New property: http2.client.accept(yes|no)
Description: Specifies whether the proxy accepts HTTP/2 on the client-side connection. Default behavior is yes.

VPM Object: New Action object: Set HTTP/2 Client Max Concurrent Streams
CPL: New property: http2.client.max_concurrent_streams(streams)
Description: Specifies the maximum number of concurrent HTTP/2 streams that the client may initiate on the current
client connection. Default maximum is 15.

VPM Object: New Action object: Request HTTP/2 On Server-Side (set the object to Yes, No, or Preserve Client-Side
Setting)
CPL: New property: http2.server.request(yes|no|preserve)
Description: Specifies whether the proxy requests HTTP/2 on the server-side connection. Default behavior is preserve.

VPM Object: N/A
CPL: Condition supports new parameter: http.request.version=2
Description: Tests if the client used HTTP/2 to make the request to the appliance.

VPM Object: N/A
CPL: Condition supports new parameter: http.response.version=2
Description: Tests if the origin content server used HTTP/2 to deliver the response to the appliance.

Verifying HTTP/2 Traffic


• Add the cs-version field to the access log format to display the protocol and version from the client request, such as
HTTP/2.
• Add the rs-version field to the access log format to display the protocol and version from the server response, such
as HTTP/2.
NOTE
When offloading SSL from an attached SGOS appliance running version 7.1 or later, an SSL Visibility appliance
running version 4.5.x supports HTTP/2 traffic between the two appliances.
http2.client.accept(yes|no) is not honored for STunnel-intercepted connections.
If protocol detection is enabled and policy includes certain combinations of ssl.forward_proxy(yes) and
http2.client.accept(no), some server responses fail. If this issue occurs, Symantec recommends
controlling HTTP/2 with the http2.server.request(no) property.
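The cs-version and rs-version fields make HTTP/2 adoption measurable from the access log itself. The following Python script is an added example, not code from the release notes or from the SGOS product: it parses a constructed W3C ELFF access log whose custom format is assumed to include cs-version and rs-version, tallies the protocol versions seen on each side, and lists transactions where the client negotiated HTTP/2 but the server side was served over HTTP/1.1 (the situation produced by http2.server.request(no) or by an origin without HTTP/2 support). The log lines, field order and host names are constructed for the example.

```python
"""Tally HTTP/2 usage from a ProxySG access log that carries cs-version and rs-version.

Added example; the log content and custom field layout below are constructed, not captured
from an appliance. Only the #Fields: directive is needed to map columns to field names.
"""
from collections import Counter
import shlex

# Constructed sample in W3C ELFF layout with a custom format that includes cs-version and rs-version.
SAMPLE_LOG = """\
#Software: SGOS 7.2.1.1
#Fields: date time c-ip cs-method cs-uri cs-version rs-version sc-status
2020-05-29 10:00:01 10.1.2.3 GET https://www.example.com/ HTTP/2 HTTP/2 200
2020-05-29 10:00:02 10.1.2.4 GET https://www.example.org/a HTTP/2 HTTP/1.1 200
2020-05-29 10:00:03 10.1.2.5 GET http://www.example.net/b HTTP/1.1 HTTP/1.1 304
2020-05-29 10:00:04 10.1.2.3 POST https://www.example.com/api HTTP/2 - 502
"""


def parse_elff(text):
    """Return one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):            # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields: directive")
        values = shlex.split(line)          # honours quoted fields such as cs(User-Agent)
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch on line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def http2_summary(records):
    """Count protocol versions per side and flag client HTTP/2 requests served over HTTP/1.1."""
    client = Counter(r["cs-version"] for r in records)
    server = Counter(r["rs-version"] for r in records)
    downgraded = [
        r["cs-uri"]
        for r in records
        if r["cs-version"] == "HTTP/2" and r["rs-version"] == "HTTP/1.1"
    ]
    return {"client": dict(client), "server": dict(server), "downgraded": downgraded}


if __name__ == "__main__":
    summary = http2_summary(parse_elff(SAMPLE_LOG))
    print("client-side versions:", summary["client"])
    print("server-side versions:", summary["server"])
    print("HTTP/2 requests served over HTTP/1.1:", summary["downgraded"])
```

A value of "-" in rs-version is the ELFF placeholder for an empty field (here, a transaction with no server response), so it is counted separately rather than treated as a downgrade.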
More information:
• Command Line Interface Reference
• Content Policy Language Reference
• ProxySG Web Visual Policy Manager Reference and Legacy Visual Policy Manager Reference
• SGOS Administration Guide

DNS over HTTPS Support


The ProxySG appliance supports DNS over HTTPS (DoH) in the following modes:
• The ProxySG appliance acts as an HTTPS forward proxy. In this mode, the appliance detects and intercepts DoH
requests, and serves the response from its DNS proxy. The appliance can detect DoH requests for any externally
deployed DoH server as long as HTTPS interception is enabled for that server.
• A DoH service is configured inside the ProxySG reverse proxy services. In this mode, a forwarding server may or may
not be configured as well. If no forwarding server is configured, the reverse proxy service is used exclusively as a DoH
server.
NOTE
The appliance’s DNS proxy cannot be used as a DoH client.
The following policy was added or updated to support this feature:
• In the DNS Access layer, the DNS Client Transport source object has a new HTTPS option (legacy VPM only). The
dns.client_transport= condition now tests for https.
• In the Web Access layer, new static VPM objects Disable/Enable Handoff of DNS over HTTPS allow for disabling/
enabling handoff of DoH requests (legacy VPM only). The http.dns_handoff(yes|no) property was added.
More information:
• SGOS Administration Guide
• Content Policy Language Reference
• Legacy Visual Policy Manager Reference

Domain Fronting: Look Up Content Filtering Categories Associated with Hostnames


Use policy to test for categories associated with the hostname in an HTTP CONNECT Host header:
http.connect.host.category={status|category_name1[,category_name2,...]|category_group1[,category_group2,...]}

The following access log fields have been added to support this feature:
• cs-http-connect-categories
• cs-http-connect-categories-bluecoat
• cs-http-connect-categories-external
• cs-http-connect-categories-local
• cs-http-connect-categories-policy
• cs-http-connect-categories-provider
• cs-http-connect-categories-qualified
• cs-http-connect-category

More information:
• Content Policy Language Reference
• ProxySG Log Fields and CPL Substitutions Reference

Origin Header Categorization Policy


The following CPL has been added:
request.header.Origin.url.category={status|category_name1[,category_name2,...]|category_group1[,category_group2,...]}

This condition tests the content filter categories associated with the hostname in the Origin request header.
request.header.Origin.url.risk_level={status|risk_level1[,risk_level2,...]}

This condition tests the Threat Risk Level associated with the hostname in the Origin request header.
More information:
• Content Policy Language Reference

Brotli Encoding Support


The following properties support Brotli encoding:
http.client.allow_encoding()
http.server.accept_encoding()
Specify Brotli using the br parameter.
More information:
• Content Policy Language Reference

OCSP Stapling for Forward Proxy


This release supports OCSP stapling for forward proxy. When CRLs (certificate revocation lists) become outdated, OCSP
stapling can be used to determine the status of certificates in a CRL. The OCSP stapled response is valid for seven days.
Use the following commands to enable and disable the feature:
#(config ssl)proxy ocsp-stapling {disable | enable}

More information:
• Command Line Interface Reference

SNMP Monitoring for HTTP Client Workers


New SNMP monitoring fields have been added to the BLUECOAT-SG-PROXY-MIB for HTTP client workers to provide
statistics on the number of active workers and the maximum number of client workers that the appliance can create.
These statistics are helpful for tracking resource usage in the appliance. When the appliance reaches the maximum
number of active client workers, it logs a message in the Event Log to alert you of the resource overload. The following is
an example alert:
019-09-12 21:35:43-00:00UTC "Maximum concurrent HTTP client worker limit of 5 reached." 0 80010:1
htp_admin_testable.cpp:87

More information:
• SNMP Critical Resource Monitoring Guide

Syslog Supports TCP and TLS


This release allows you to configure Syslog monitoring. In addition to UDP log hosts, you can now specify TCP and TLS
log hosts. Use the following new subcommands:
#(config event-log) syslog add [udp]{host_name | ip_address} [port]
#(config event-log) syslog add tcp {host_name | ip_address} [port]
#(config event-log) syslog add tls {host_name | ip_address} [port] [ssl_device_profile_name]

More information:
• Command Line Interface Reference

Authenticated NTP
Commands have been added to support adding authenticated NTP servers to the appliance:
#(config) ntp encrypted-server {domain_name|IP_address} key_id key_type encrypted_key

#(config) ntp server {domain_name|IP_address} [key_id key_type [key]]

More information:
• Command Line Interface Reference

SSH Enhancements
SSHv2 Host Key Pairs for the SSH Console
This release supports additional, selectable algorithms for creating SSHv2 host key pairs for the SSH console:
• RSA with a 2048-, 3072-, or 4096-bit key size
• ECDSA with the nistp256, nistp384, or nistp521 curve
• Ed25519
To manage the SSHv2 host key pairs, select Configuration > Authentication >SSH Inbound Connections > SSH Host
Keys.
In the CLI, use the #(config ssh-server) create host-keypair command. Refer to the Command Line
Interface Reference for new arguments for this command.
NOTE
Before a backup and restore of the appliance, you can securely display the host keys by issuing the show config
command. The settings specified by #(config) security private-key-display determine whether or
not host keys are included in the output and whether they are output in encrypted form.
SSH and SSH KEX Host Key Algorithms for the SSH Console
This release supports SSH and SSH KEX algorithms for the SSH console. The following subcommands were added:
#(config ssh-server)hostkey-algs {add | remove | reset | set | view}
#(config ssh-server)kex-algs {add | remove | reset | set | view}

More information:
• Command Line Interface Reference
• SGOS Administration Guide - Configuring Management Services

SCP Upload Configuration Archives


Commands have been added to support configuration archive upload via SCP:
#(config)archive-configuration protocol scp

Use the following to configure SCP authentication:


#(config)archive-configuration scp-authentication {password | client-key | all | none}

More information:
• Command Line Interface Reference
• SGOS Administration Guide - Backing Up the Configuration

Periodic Upload of Configuration Archives


Commands have been added to support periodic configuration archive uploads:
#(config)archive-configuration periodic-upload {daily upload_hour | minutes minutes}

where:
• upload_hour is the daily upload time
• minutes is the interval at which to upload archives

More information:
• Command Line Interface Reference

Periodic Upload of Service Information


Commands have been added to support periodic service information uploads to Symantec Support:
#(config service-info)periodic {count | custom | disable | enable | interval | no | sr-number}

More information:
• Command Line Interface Reference

Expanded Traffic Taps


The appliance now supports tap of:
• Unencrypted intercepted HTTP, TCP, and FTP traffic on the client and server sides
• Decrypted data from intercepted HTTPS or STunnel SSL traffic on the server side
To enable tap, use the following policy gestures:
client.connection.tap(no|interface)
server.connection.tap(no|interface)
server.connection.encrypted_tap(no|interface)

where:
• no: Disable tap of client-side or server-side traffic.
• interface: Specify the interface for tapped content on the client side or server side. The form is adapter:interface.
NOTE
Encrypted tap does not support server-side HTTP/2 traffic.
In addition, new Enable Client Tap and Enable Server Tap action objects have been added to the legacy Visual Policy
Manager.
More information:
• Content Policy Language Reference
• Legacy Visual Policy Manager Reference

Diagnostic Policy Support


This release introduces the <Diagnostic> layer. Include this layer, with valid rules, to obtain diagnostic information
about transactions. For example, you can write policy to trace transactions or send notifications to specified recipients.
Policy rules in this layer have no effect on traffic.
The <Diagnostic> layer supports the following CPL:
• all existing conditions
• all existing variables, including variables set in other layers and layer types
• the following existing properties, which are useful for troubleshooting and monitoring transactions:
– log_message()
– notify_email()
– notify_snmp()
• the existing define policy macro, which can be called from any other layer and layer type
• the following new gestures:
– diagnostic.stop(pcap)
– random=
– transaction.field.name=
– transaction.type=
Use the define policy macro and refer to it in other policy rules that need examining or troubleshooting, as follows:
; define policy to trace requests to sample_domain.com
; where time taken to process request is 3000 ms or more
define diagnostic policy slow_traffic
<diagnostic> trace.request(yes)
url.domain=sample_domain.com transaction.field.time-taken=3000..
end

; apply specified diagnostic policy when authenticated user is 'research'
<proxy>
user=research policy.slow_traffic

More information:
• Content Policy Language Reference

Enhanced Policy Variables Tests


You can test if a specified variable is set in policy using the following condition:
is_set.variable.name={yes|no}

In addition, variables can be tested in layers other than the ones in which they were set.
More information:
• Content Policy Language Reference

Policy Profiling Statistics


When policy profiling is enabled, the appliance collects statistics on policy for:
• How long the appliance took to evaluate each layer and rules
• Which policy rules were missed during evaluation
To enable or disable policy profiling, use the following CLI:
#(config) policy profiling {none | layer | rule | all}

You can view policy profiling statistics via the Management Console URLs Policy/Profiling/Statistics and Policy/Profiling/
Results, or via the show config CLI command.
More information:
• Content Policy Language Reference

New CPL Diagnostics Probe and CLI to Upload Diagnostics to Syslog Host
You can collect diagnostics (policy traces, debug logs) with the new CPL define probe and view the details at the
advanced URL page at https://IP_address:port/Diagnostic/Trace.
You can also upload diagnostics reports to a Syslog host using the CLI. TCP and TLS protocols are supported.
NOTE
You can only specify one hostname or IP address. For example, if you set the syslog tcp hostname and then
set the syslog tls hostname, the TCP hostname is removed and the TLS hostname set.
# (config diagnostics) syslog tcp {hostname | IP_address} [port]
# (config diagnostics) syslog tls {hostname | IP_address} [port] [ssl_device_profile]

More information:
• SGOS Administration Guide
• Content Policy Language Reference
• Command Line Interface Reference

Policy for Positive Security Controls


This release introduces CPL that you can use to define whitelisted (monitored) traffic in a positive security implementation.
• Define field constraints that, when violated, trigger a block or monitor action:
define constraint_set constraint_id
part="attribute" [pattern.string_modifier="string"] {key|value|path}.modifier=constraint
end
• Block or monitor transactions that violate defined field constraints:
http.request.detection.constraint_set.constraint_id(block|monitor)

The bcreporterwarp_v1 log format includes two new fields that are populated when a constraint violation occurs:
• the x-bluecoat-waf-attack-family field shows Constraint Violation
• the x-bluecoat-waf-block-details or x-bluecoat-waf-monitor-details field shows details with the
following syntax:
"{""detection"":""constraint"",""part"":""{name|query_arg_name|query_arg|
arg_name|arg|cookie_name|cookie|post_arg_name|post_arg|header_name|header|
path}"",""line"":""constraint_set_defn_cpl_line"",""data"":""matched_data""}"

More information:
• Content Policy Language Reference

Client IP Reputation Policy


Determine a client's IP address’s reputation category and the confidence in the reputation designation. Then, reference
the reputation category and confidence level (expressed as a level from 1 to 10) in policy to control inbound traffic. For
example, you can:
• Monitor and access-log client requests if an IP address has a reputation as spam, and the service is moderately
confident—such as level 6 out of 10—that the reputation category is correct.
• Block client requests if an IP address has a reputation as a bot, and the service is highly confident—such as level 9 out
of 10—that the reputation category is correct. When a client request is blocked due to IP reputation policy, the client
receives an exception page.
• Allow client requests if there is high confidence that an IP address is benign.
• In a future release, Client IP address reputation categories will be added through an Intelligence Services datafeed;
however, you can define custom IP reputation categories in CPL policy without an Intelligence Services datafeed.
The following CPL was added to support this feature:
client.[effective_]address.ip_reputation[.category1[,category2, …]]=(status|range)

where:
• address is either the client IP address or effective client IP address
• category is an IP reputation category
• status is one of the following system-defined statuses: none, unavailable, unlicensed
• range is one of the following:
– ..level - the confidence level is less than the specified level
– level.. - the confidence level is greater than or equal to the specified level
– level1..level2 - the confidence level is between the specified levels, inclusive
client.ip_reputation.category1[,category2,...](value, none)

where:
• category is an IP reputation category, including user-defined categories. User-defined categories are specified as
user_defined.category
• value is the confidence level for the specified reputation category or categories
• none means that any database entries for the specified reputation category or categories are suppressed and not
access-logged
You can add the following fields to the bcreporterwarp_v1 log format:
• x-bluecoat-client-address-reputation - Logs the client IP address reputation
• x-bluecoat-client-effective-address-reputation - Logs the effective client IP address reputation
The log shows transaction details in the following format:
[{""reputation"":""spam"",""confidence"":9}]
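Both the constraint-violation details written to x-bluecoat-waf-block-details / x-bluecoat-waf-monitor-details (Policy for Positive Security Controls, above) and the reputation entries written to x-bluecoat-client-address-reputation use the same encoding: a JSON document inside a quoted log column, with every embedded double quote doubled. The following Python module is an added example, not code from the release notes or from SGOS: it decodes that encoding for both fields, implements the three confidence-range forms documented above (..level, level.., level1..level2) so a logged entry can be checked against the same range a client.address.ip_reputation rule would use, and pulls the part, line and matched data out of a constraint violation. All field values are constructed for the example.

```python
"""Decode bcreporterwarp_v1 detail fields and evaluate IP-reputation confidence ranges.

Added example; the field contents below are constructed to match the documented syntax,
not copied from an appliance log.
"""
import json
import re

# Constructed sample columns as they appear in the access log: the whole value is quoted
# and embedded double quotes are doubled (CSV-style escaping).
SAMPLE_REPUTATION = (
    '"[{""reputation"":""spam"",""confidence"":9},'
    '{""reputation"":""bot"",""confidence"":3}]"'
)
SAMPLE_WAF_DETAILS = (
    '"{""detection"":""constraint"",""part"":""query_arg"",'
    '""line"":""42"",""data"":""AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA""}"'
)

_RANGE_RE = re.compile(r"^(\d+)?\.\.(\d+)?$")


def decode_log_field(field):
    """Strip the outer quotes, undo doubled quotes, and parse the JSON payload."""
    if len(field) >= 2 and field[0] == '"' and field[-1] == '"':
        field = field[1:-1]
    return json.loads(field.replace('""', '"'))


def parse_range(spec):
    """Translate a CPL confidence range into an inclusive (low, high) pair; None is unbounded.

    ..N    confidence <  N      -> (None, N - 1)
    N..    confidence >= N      -> (N, None)
    A..B   A <= confidence <= B -> (A, B)
    """
    match = _RANGE_RE.match(spec)
    if not match or not any(match.groups()):
        raise ValueError(f"not a valid confidence range: {spec!r}")
    low_s, high_s = match.groups()
    if low_s is None:                     # ..N is strictly less than N
        return None, int(high_s) - 1
    if high_s is None:                    # N.. is N or greater
        return int(low_s), None
    return int(low_s), int(high_s)        # A..B is inclusive at both ends


def in_range(confidence, bounds):
    """True if confidence lies inside the inclusive bounds from parse_range()."""
    low, high = bounds
    return (low is None or confidence >= low) and (high is None or confidence <= high)


def reputation_matches(entries, categories, spec):
    """Mirror client.address.ip_reputation.<categories>=<range> against logged entries:
    True if any entry whose reputation is in `categories` has a confidence inside the range."""
    bounds = parse_range(spec)
    return any(
        entry.get("reputation") in categories
        and in_range(int(entry.get("confidence", 0)), bounds)
        for entry in entries
    )


def waf_violation(details):
    """Extract the part, CPL line and matched data from a constraint-violation details field."""
    decoded = decode_log_field(details)
    if decoded.get("detection") != "constraint":
        return None
    return {"part": decoded["part"], "line": int(decoded["line"]), "data": decoded["data"]}


if __name__ == "__main__":
    entries = decode_log_field(SAMPLE_REPUTATION)
    print("spam with confidence 6..:", reputation_matches(entries, ["spam"], "6.."))
    print("constraint violation:", waf_violation(SAMPLE_WAF_DETAILS))
```

The `line` value in the details field points at the `define constraint_set` line in the installed CPL, so an analyst can map a logged violation straight back to the constraint that fired.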

More information:
• SGOS Administration Guide
• Content Policy Language Reference

PBKDF2 Storage for SGOS Appliance Passwords


The appliance now uses PBKDF2 to store and validate passwords for:
• Console accounts
• Enable mode for the appliance
• The front-panel PIN for systems that have front panels
• The secure serial port password
• Users defined in a local user list
PBKDF2 hashes are automatically used when creating, updating, and verifying passwords for the aforementioned cases.
A new CLI command is available for destroying the hashed passwords for SGOS versions prior to 7.2.1.1:
#(config) security destroy-old-passwords [force]

More information:
• Command Line Interface Reference

ProxySG SWG VA for Microsoft Azure


You can deploy a ProxySG virtual appliance (Secure Web Gateway edition) directly on Microsoft Azure.
More information:
• ProxySG SWG VA for Microsoft Azure Deployment Guide

Feature Changes and Enhancements


Geolocation Policy Supports Renamed Countries
A "Warning: Obsolete country name" message now appears when you try to install CPL policy that includes an outdated
country name. An example of the message is, “Warning: Obsolete country name: 'Russian Federation' is now 'Russia'”.
If this occurs, replace the outdated country name in policy with the suggested name in the message. You can also refer
to the geolocation database for current country names and codes. In the Management Console, select Configuration >
Geolocation > General and click the link to display the list.
Geolocation Lookup Supports IPv6
Geolocation lookup (client geolocation in reverse proxy mode) now supports both IPv4 and IPv6.
Renamed Application Attribute Support
If a policy rule includes an attribute that has been renamed in the currently downloaded database, policy warnings occur
when you try to install policy through CPL or the VPM. The following is an example of the warning:
Deprecation warning: 'old_attribute'; 'old_attribute' has been replaced by 'new_attribute' due to Too obscure
and will no longer be accepted after Sat, 27 Jun 2020 00:00:00 UTC. Please switch to the new name before
then.

To ensure that policy performs as intended, edit all instances of the renamed attribute and re-apply policy by the specified
date. You can verify the current name of the attribute by clicking View Attributes List (Configuration > Application
Classification > Attributes > Attributes).
Renamed Category Name Support
(Intelligence Services data source only) If a policy rule includes a category that has been renamed in the currently
downloaded database, policy warnings occur when you try to install policy through CPL or the VPM. The following is an
example of the warning:
Deprecation warning: 'old_category'; 'old_category' has been replaced by 'new_category' due to Category name
updated and will no longer be accepted after Sat, 11 Jul 2020 00:00:00 UTC. Please switch to the new name
before then.

To ensure that policy performs as intended, edit all instances of the renamed category and re-apply policy by the specified
date.
You can verify the current name of the category by clicking View categories ( Configuration > Content Filtering >
General) and checking Blue Coat categories.
Default TCP Window Size Increase
The default TCP window size has been increased from 256 KB to 1 MB.
To view the current TCP window size, issue the CLI command:
> show tcp-ip

To change the TCP window size, issue the CLI command:
#(config)tcp-ip window-size value

Test for Domain List Definitions
You can now test for domain list definitions with the server.certificate.hostname= condition. Use the following
syntax:
server.certificate.hostname.list=pattern

where the list is configured in policy using define server_url.domain condition.

Realm Name is Now Logged in the Event Log
When a user accesses the CLI, event log messages now log the realm name (if applicable) and whether the user is
read-only.
New SSLV Platforms
New SSLV platforms have been added to BLUECOAT-MIB.
Changes to Default 2MSL Value
To help reduce port exhaustion, the default 2MSL value has changed from 120 seconds to 60 seconds.
Encryption Changes to the Access Log
Encrypting an access log now produces a single ENC file, which contains all encrypted access log content. Previously,
encrypting access logs produced an ENC file and a DER file. Refer to the "Configuring the Access Log Upload Client"
chapter in the SGOS Administration Guide for details.
CPU Monitor Enabled By Default
CPU monitor is now enabled by default. Use CPU monitoring to troubleshoot CPU-related issues. To disable CPU
monitoring, use the command #(config diagnostics) cpu-monitor disable.

Removals and Deprecations
• In some scenarios, the Blue Coat WebFilter service is discontinued. If you are upgrading to SGOS 7.2.0.1 and were
using Intelligence Services as the data source previously, you will not have the option to use the WebFilter as a
data source after you upgrade to 7.2.0.1. The option to set the data source in the Management Console and the CLI
command #(config application-classification) data-source {web-filter | intelligence-services}
have been removed.
NOTE
The appliance can restore a configuration archive that includes WebFilter as a data source, but it issues a
deprecation warning.
If you are running a new installation of 7.2.x, you will only have the option to purchase Intelligence Services for content
filtering.
If you are upgrading to 7.2.1.1 and were using WebFilter as the data source previously, there will be no change to your
existing content filtering functionality.
• SSLv2 is no longer supported on the appliance. Options for SSLv2 have been removed from the Management Console
and the CLI.
• The following ciphers are no longer available:
– 40- and 56-bit ciphers
– Export and low strength ciphers:
• DHE-DSS-DES-CBC-SHA
• DES-CBC3-MD5
• RC2-CBC-MD5
• DES-CBC-SHA
• DES-CBC-MD5
• EXP-DES-CBC-SHA
• EXP-RC4-MD5
• EXP-RC2-CBC-MD5
• EXP-DHE-DSS-DES-CBC-SHA
NOTE
If your policy contains references to the deprecated low-strength ciphers, Symantec recommends removing the
references. If the references are not removed, policy will compile and a warning message will be issued.
For information on supported ciphers, refer to https://knowledge.broadcom.com/external/article/170130/cipher-suites-shipped-with-the-proxysg-a.html.
– DES and DES3 are no longer available for the #(config ssl)view keypair and #show ssl keypair
commands. To display keypairs in an encrypted format, specify either aes128-cbc or aes256-cbc, for example:
#(config ssl)view keypair aes256-cbc keyring_id
– The #(config)security destroy-old-passwords and #(config socks-gateway)destroy-old-passwords
commands have been removed.
– For best security, SSHv1 commands have been removed from the CLI.
– Built-in malware scanning policy in previous versions of SGOS (previously in Proxy > Configuration > Threat
Protection > Malware Scanning) has been removed. Use Content Security Policy with the Policy Services
subscription instead. See CC-419 in Known Issues in SGOS 7.x for a known issue when using Content Security
Policy with Universal Policy enforcement.
– IM Proxies have been removed from the Management Console and CLI.
– The following platforms are no longer supported:
• SG300, SG600, SG900, and SG9000 physical appliances
• SWG-V100 (Gen1) virtual appliances
• MACH5 (Gen1) virtual appliances

Fixes in SGOS 7.2.1.1
SGOS 7.2.1.1 includes the following bug fixes.
For Web Visual Policy Manager fixes, see Web Visual Policy Manager Fixes in SGOS 7.x.

Table 236: HTTP Proxy

ID Issue

SG-17671 Fixes an issue where HTTP/2 requests might have been handled incorrectly if the HTTP/2 pseudo header
fields were split across HEADERS and CONTINUATION frames. When the issue occurred, the proxy sent
a GOAWAY frame and terminated the client HTTP/2 connection.
SG-17265 Fixes an issue where a missed policy condition triggered a diagnostics probe trace and log update.
SG-17062 Fixes an issue where YouTube pages did not load sidebar content.
SG-16206 Fixes an issue where the HTTP proxy did not capture the debug logs based on a tenant's probe condition.
This occurred when tenancy was not determined yet (RCP, SEP-CIA) and the decision from policy was
cached.
SG-12971 Fixes slow HTTP performance. This issue occurred when a forwarding group was configured to use
Accelerator-Cookie host affinity.
SG-14789 Fixes potential HTTP/2 denial of service vulnerabilities.
SG-13027 Fixes an issue where server-side HTTP/2 connections were not reused when using HTTP/2 in reverse
proxy deployments.
SG-15704 Fixes an issue where the appliance did not upgrade new connections to HTTP/2 when ADN was enabled.

Table 237: Management Console

ID Issue

SG-15003 Fixes an issue where the Management Console did not display Syslog host entries when a port number
was specified.

Table 238: Performance

ID Issue

SG-17333 Fixes an issue where the appliance experienced a memory leak in SSL and Cryptography.

Table 239: Policy

ID Issue

SG-17634 Addresses an issue where the appliance stopped responding when certain diagnostic policy was installed.
CC-419 Fixes an issue where Content Security Policy exemptions (using the Set Content Security Scanning VPM
object, set to Exempt From Content Security) were not supported in Symantec Web Security Service.
SG-12593 Fixes an issue where requests with "none" category and Threat Risk Level 5 were not blocked, but the
access log incorrectly stated they were blocked. This issue occurred when the Access Security Policy layer
was configured with Strong protection level.
SG-12845 Fixes multiple issues (including response code 500 and authentication errors) that occurred in
a multitenant deployment with IWA Direct authentication, where landlord policy included the
tenant.request_url() property.

Table 240: SNMP

ID Issue

SG-13054 Fixes an issue where the SensorCode values defined in BLUECOAT-SG-SENSOR-MIB did not support the
S450 and S550 platforms.

Table 241: SSL Proxy

ID Issue

SG-4574 Fixes an issue where whitespaces in field values were not ignored when adding a keyring through the CLI.
This issue did not occur when creating keyrings through the Management Console.
SG-9716 Fixes incorrect access log values for the x-cs-sessionid and x-rs-sessionid fields.

Table 242: SSL/TLS and PKI

ID Issue

SG-3988 Fixes an issue where the client-side-negotiated-cipher access field was incorrectly
populated.

Table 243: TCP/IP and General Networking

ID Issue

SG-12469 Fixes errors in TCP congestion control logic that led to sub-optimal performance. Performance on
congested networks has been increased.

SGOS 7.2.0.1 EA
Release Information
• Release Date: January 21, 2020
• Build Number: 246815
NOTE
This is an Early Availability (EA) release with new/advanced functionality. Previously, Symantec released new
features in Limited Availability (LA) releases to specific customers to access new functionality. This meant
other customers were not able to access these new capabilities until the release was General Availability
(GA). With Early Availability releases, all customers under valid support entitlement can gain access to this
new functionality. Customers running this release should be considered early adopters with access to new
and advanced functionality. Early Availability releases are supported like any other current release. Once the
Early Availability release achieves broader adoption, it will transition to GA status.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances and ProxySG Tech Docs for platform documentation.

Compatible With
• BCAAA: 6.1
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
• ProxyAV: 3.4.x
• Content Analysis: 2.3.x, and 3.0.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release
• SGOS 7.2.0.1 does not support FIPS mode. Disable FIPS mode before you attempt to upgrade to 7.2.1.1. If you begin
upgrading to 7.2.1.1 from an appliance that has FIPS mode enabled, abort the upgrade at the boot process, disable
FIPS mode, and attempt the upgrade again. If you upgrade to 7.2.1.1 without disabling FIPS mode, your appliance will
not function as expected.
• If you are downgrading from SGOS 7.2.0.1, ensure that after you downgrade your policy includes CPL that protects
against low strength ciphers (RC4, CBC, DES, and 3DES). These ciphers are deprecated in 7.2.0.1 and any policy that
references them is no longer necessary. For appliances running SGOS that is earlier than 7.2.0.1, use the following
CPL:
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.2.0.1 from version 6.7.4.3 and later 6.7.x releases, or another version 7.x.
– Downgrade from 7.2.0.1 to version 6.7.4.3 and later 6.7.x releases, or another version of 7.x.
NOTE
If upgrading from SGOS 6.7.4.2 or earlier, you might have to upgrade to version 6.7.4.3 as an interim step
before upgrading to this release. For more information, refer to KB Article 18536.
The SGOS Upgrade/Downgrade documentation details the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.2.0.1
• SGOS 7.2.0.1 introduces new features and enhancements. See Features in SGOS 7.2.0.1.

Fixes in SGOS 7.2.0.1
• This release includes a number of fixes. See Fixes in SGOS 7.2.0.1.
• To see any Security Advisories that apply to the version of SGOS you are running, go to:
https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.
For a list of Security Advisories fixed in 7.x, see Security Advisory Fixes in SGOS 7.x.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.2.0.1
SGOS 7.2.0.1 introduces the following features:
• TLS 1.3 Support
• DNS over HTTPS Support
• New CPL Diagnostics Probe and CLI to Upload Diagnostics to Syslog Host
For feature descriptions, see Features in SGOS 7.2.1.1.

Removals and Deprecations
• In some scenarios, the Blue Coat WebFilter service is discontinued.
If you are upgrading to SGOS 7.2.0.1 and were using Intelligence Services as the data source previously, you will not
have the option to use the WebFilter as a data source after you upgrade to 7.2.0.1. The option to set the data source
in the Management Console and the CLI command #(config application-classification) data-source
{web-filter | intelligence-services} have been removed.
NOTE
The appliance can restore a configuration archive that includes WebFilter as a data source, but it issues a
deprecation warning.
If you are running a new installation of SGOS 7.2.x, you will only have the option to purchase Intelligence Services for
content filtering.
If you are upgrading to SGOS 7.2.0.1 and were using WebFilter as the data source previously, there will be no change
to your existing content filtering functionality.
• SSLv2 is no longer supported on the appliance. Options for SSLv2 have been removed from the Management Console
and the CLI.
• The following ciphers are no longer available:
– 40- and 56-bit ciphers
– Export and low strength ciphers:
• DHE-DSS-DES-CBC-SHA
• DES-CBC3-MD5
• RC2-CBC-MD5
• DES-CBC-SHA
• DES-CBC-MD5
• EXP-DES-CBC-SHA
• EXP-RC4-MD5
• EXP-RC2-CBC-MD5
• EXP-DHE-DSS-DES-CBC-SHA
NOTE
If your policy contains references to the deprecated low-strength ciphers, Symantec recommends removing the
references. If the references are not removed, policy will compile and a warning message will be issued.
For information on supported ciphers, refer to https://knowledge.broadcom.com/external/article/170130/cipher-suites-shipped-with-the-proxysg-a.html.
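The removed-cipher list above (the same list appears under Removals and Deprecations for SGOS 7.2.1.1) and the downgrade guard CPL under Upgrading To/Downgrading From This Release raise one operational question: which rules in an existing policy still name these suites, and whether each is a protective deny rule or a rule that should be reviewed. The following script is an added example, not part of the release notes or of any Symantec/Broadcom tool; it assumes that CPL comments begin with ';' and that a rule's action keyword sits on the same line as its negotiated_cipher condition, and the sample policy embedded in it is constructed.

```python
"""Audit SGOS CPL for references to cipher suites removed in SGOS 7.2.x.

Added example, not part of the SGOS release notes or of any Symantec/Broadcom
tool. The cipher names come from the "Removals and Deprecations" list; the
sample policy below is constructed for this check.
"""
import re
from dataclasses import dataclass

# Cipher suites the release notes list as no longer available in SGOS 7.2.x.
REMOVED_CIPHERS = frozenset({
    "DHE-DSS-DES-CBC-SHA", "DES-CBC3-MD5", "RC2-CBC-MD5",
    "DES-CBC-SHA", "DES-CBC-MD5", "EXP-DES-CBC-SHA",
    "EXP-RC4-MD5", "EXP-RC2-CBC-MD5", "EXP-DHE-DSS-DES-CBC-SHA",
})

# Rule actions that make a cipher reference protective (the pre-7.2.0.1
# downgrade guard) rather than a place where the cipher could still be used.
DENY_ACTIONS = frozenset({"deny", "force_deny"})

# client.connection.negotiated_cipher=(A,B) or server.connection.negotiated_cipher=A
_CIPHER_CONDITION = re.compile(
    r"(?P<side>client|server)\.connection\.negotiated_cipher\s*=\s*"
    r"(?:\((?P<lst>[^)]*)\)|(?P<one>[A-Za-z0-9-]+))"
)


@dataclass(frozen=True)
class CipherReference:
    line_no: int
    side: str       # "client" or "server"
    cipher: str     # normalised to upper case
    action: str     # action keyword found on the same rule line, or "none"


def _rule_action(rule_text):
    """Return the first CPL action keyword on the rule line, if any (assumption:
    the action is written on the same line as the condition)."""
    for token in rule_text.split():
        if token.lower() in ("allow", "force_allow", "deny", "force_deny"):
            return token.lower()
    return "none"


def find_removed_cipher_references(cpl_text):
    """Scan CPL text and return every reference to a removed cipher suite."""
    found = []
    for line_no, raw in enumerate(cpl_text.splitlines(), start=1):
        rule = raw.split(";", 1)[0]  # assumption: CPL comments start with ';'
        for match in _CIPHER_CONDITION.finditer(rule):
            if match.group("one"):
                names = [match.group("one")]
            else:
                names = [n.strip() for n in match.group("lst").split(",")]
            for name in names:
                if name.upper() in REMOVED_CIPHERS:
                    found.append(CipherReference(
                        line_no, match.group("side"), name.upper(), _rule_action(rule)))
    return found


def classify(references):
    """Split references into protective deny rules and rules that need review.

    On 7.2.x every reference draws a compile warning and can be removed; after a
    downgrade to a release earlier than 7.2.0.1 the deny rules are the ones the
    release notes say to keep.
    """
    protective = [r for r in references if r.action in DENY_ACTIONS]
    review = [r for r in references if r.action not in DENY_ACTIONS]
    return protective, review


# Constructed sample: the downgrade guard from the release notes plus one
# hypothetical leftover rule that would still allow a removed cipher.
SAMPLE_CPL = """\
; downgrade guard for appliances earlier than 7.2.0.1
<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5,EXP-DES-CBC-SHA) force_deny

<ssl>
server.connection.negotiated_cipher=DES-CBC3-MD5 allow ; hypothetical leftover rule
"""

if __name__ == "__main__":
    refs = find_removed_cipher_references(SAMPLE_CPL)
    protective, review = classify(refs)
    for ref in review:
        print(f"line {ref.line_no}: {ref.side} side still references {ref.cipher} "
              f"under action '{ref.action}'")
    print(f"{len(protective)} protective deny references, {len(review)} to review")
```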

Fixes in SGOS 7.2.0.1
SGOS 7.2.0.1 includes the following bug fixes.

Table 244: HTTP Proxy

ID Issue

SG-13027 Fixes an issue where server-side HTTP/2 connections were not reused in HTTP/2 in reverse proxy
deployments.
SG-15704 Fixes an issue where the appliance did not upgrade new connections to HTTP/2 when ADN was
enabled.

Table 245: Performance

ID Issue

SG-17333 Fixes an issue where the appliance experienced a memory leak in SSL and Cryptography.

Table 246: Policy

ID Issue

CC-419 Fixes an issue where Content Security Policy exemptions (using the Set Content Security
Scanning VPM object, set to Exempt From Content Security) were not supported in Symantec
Web Security Service.
SG-12593 Fixes an issue where requests with "none" category and Threat Risk Level 5 were not blocked
when the Access Security Policy layer was configured with Strong protection level.

Table 247: SSL Proxy

ID Issue

SG-4574 Fixes an issue where whitespaces in field values were not ignored when adding a keyring through
the CLI.

Table 248: SSL/TLS and PKI

ID Issue

SG-3988 Fixes an issue where client-side negotiated-cipher fields were populated incorrectly in the access log
for the SSL reverse proxy service when GCM or SHA384 ciphers were used.

Table 249: TCP/IP and General Networking

ID Issue

SG-12976 Fixes an issue where SGOS on AWS deployments experienced increased HTTP request/response
latency when ICAP scanning was enabled.

SGOS 7.1.1.1 EA
Release Information
• Release Date: July 9, 2019
• Build Number: 239238
NOTE
This is an Early Availability (EA) release with new/advanced functionality. Previously, Symantec released new
features in Limited Availability (LA) releases to specific customers to access new functionality. This meant
other customers were not able to access these new capabilities until the release was General Availability
(GA). With Early Availability releases, all customers under valid support entitlement can gain access to this
new functionality. Customers running this release should be considered early adopters with access to new
and advanced functionality. Early Availability releases are supported like any other current release. Once the
Early Availability release achieves broader adoption, it will transition to GA status.

Supported Platforms
• ProxySG hardware appliances: S200, S400, S500
• Standard/Advanced Reverse Proxy hardware appliances: S200, S400, S500
• High-performance Gen2 virtual appliances: SG-VA, ARP-VA, SRP-VA
See Hardware Appliances for platform documentation.

Compatible With
• BCAAA: 5.5 and 6.1
• ProxySG Admin Console: 1.1.1 and later
• Reporter: 9.5.x, 10.1.x, and 10.2.x
• Management Center: 2.2.2.3 and later
• ProxyAV: 3.4.x
• Content Analysis: 1.3.x, 2.1.x, 2.2.x, and 2.3.x
• ProxyClient: 3.4.x
• Unified Agent: 4.7.x and 4.8.x
• SSL Visibility: 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.x
• Web Isolation: 1.10 and later

Third-Party Compatibility
• For supported Java, operating system, and browser versions, refer to KB Article 169081.
• For information on Java 11 support, refer to KB Article 173228.

Upgrading To/Downgrading From This Release
• The following are the supported upgrade/downgrade paths for this release:
– Upgrade to 7.1.x from version 6.7.4.3.
– Downgrade from 7.1.x to version 6.7.4.3.
The SGOS Upgrade/Downgrade documentation details the supported upgrade/downgrade paths for this release.
NOTE
In a future release of 7.x, support for WebFilter (BCWF) will be removed.

Changes in SGOS 7.1.1.1
• SGOS 7.1.1.1 introduces new features and enhancements. See Features in SGOS 7.1.1.1.

Fixes in SGOS 7.1.1.1
• Because this is the inaugural 7.1.x release, Symantec is reporting only security fixes for SGOS 7.1.1.1. See Security
Advisory Fixes in SGOS 7.x.
• To see any Security Advisories that apply to the version of SGOS you are running, go to:
https://support.broadcom.com/security-advisory/security-advisories-list.html
New advisories are published as security vulnerabilities are discovered and fixed.

Limitations
• See Limitations in SGOS 7.x for a description of limitations in this release.

Known Issues
• See Known Issues in SGOS 7.x for a list of all issues that Symantec is aware of in SGOS 7.x.

Features in SGOS 7.1.1.1
SGOS 7.1.1.1 introduces the following features. For feature descriptions, see Features in SGOS 7.2.1.1.
NOTE
Some features were available in a limited 6.8.x beta release.
• Web Visual Policy Manager
• Policy Services Subscription and Security Policies
• HTTP/2 Support
• Origin Header Categorization Policy
• Brotli Encoding Support
• OCSP Stapling for Forward Proxy
• Syslog Supports TCP and TLS
• Authenticated NTP
• SSH Enhancements
– SSHv2 Host Key Pairs for the SSH Console
– SSH and SSH KEX Host Key Algorithms for the SSH Console
• SCP Upload Configuration Archives
• Periodic Upload of Configuration Archives
• Periodic Upload of Service Information
• Server-Side Encrypted Tap
• Diagnostic Policy Support
• Enhanced Policy Variables Tests
• Policy for Positive Security Controls
• Client IP Reputation Policy
• ProxySG SWG VA for Microsoft Azure
• Feature Changes and Enhancements
– Geolocation Policy Supports Renamed Countries
– Geolocation Lookup Supports IPv6
– Renamed Application Attribute Support
– Renamed Category Name Support
– Default TCP Window Size Increase
– CPU Monitor Enabled by Default

Deprecations and Removals
These deprecations and removals apply when upgrading to version 7.1.x.
• DES and DES3 are no longer available for the #(config ssl)view keypair and #show ssl keypair
commands. To display keypairs in an encrypted format, specify either aes128-cbc or aes256-cbc, for example:
#(config ssl)view keypair aes256-cbc keyring_id
• The #(config)security destroy-old-passwords and #(config socks-gateway)destroy-old-
passwords commands have been removed.
• For best security, SSHv1 commands have been removed from the CLI.
• Built-in malware scanning policy in previous versions of SGOS (previously in Proxy > Configuration > Threat
Protection > Malware Scanning ) has been removed. Use Content Security Policy with the Policy Services
subscription instead. See CC-419 in Known Issues in SGOS 7.x for a known issue when using Content Security Policy
with Universal Policy enforcement.
• IM Proxies have been removed from the Management Console and CLI.
• The following platforms are no longer supported:
– SG300, SG600, SG900, and SG9000 physical appliances
– SWG-V100 (Gen1) virtual appliances
– MACH5 (Gen1) virtual appliances

SGOS 7.x Reference Information
The following sections provide reference information for the SGOS 7.x software series.
• Security Advisory Fixes in SGOS 7.x
• Web Visual Policy Manager Fixes in SGOS 7.x
• Known Issues in SGOS 7.x
• Limitations in SGOS 7.x
• About the ProxySG Admin Console
• Documentation and Feedback

Security Advisory Fixes in SGOS 7.x
SGOS 7.x includes the following security advisory (SA) fixes.

Table 250: Security Advisory Fixes

Issue | Description | Security Advisory | Fix Version
SG-25886 | Fixes OpenSSL vulnerabilities (CVE-2021-3449). | SYMSA17849 | 7.3.4.1
SG-25487 | Fixes OpenSSL vulnerabilities (CVE-2021-23840 and CVE-2021-23841). | SYMSA17570 | 7.3.4.1
SG-26323 | Fixes OpenSSL vulnerabilities that currently are not known to be exploitable (CVE-2018-0734, CVE-2018-5407, CVE-2019-1552, CVE-2019-1559). | | 7.2.8.1
SG-27187 | Fixes a security vulnerability (CVE-2021-30648). | SYMSA18331 | 7.2.7.2, 7.3.3.3
SG-24232 | Fixes OpenSSL vulnerabilities (CVE-2020-1971). | SYMSA17570 | 7.2.5.1, 7.3.2.1
SG-15870 | Addresses session-hijacking vulnerability in the Management Console (CVE-2019-18375). | SYMSA1752 | 7.2.0.1
SG-10271 | Addresses Linux Kernel issues (CVE-2018-5390). | SYMSA1467 | 7.2.0.1
SG-4862 | Fixes OpenSSL vulnerabilities. | SYMSA1462 | 7.1.1.1

SAs are published as security vulnerabilities are discovered and fixed. To see SAs that apply to the version of SGOS you
are running, including ones published after this release, go to:
https://support.broadcom.com/security-advisory/security-advisories-list.html

Web Visual Policy Manager Fixes in SGOS 7.x
Table 251: Fixes in version 7.3.8.1

ID Issue

SG-28356 Fixes an issue where the web VPM page did not load. When this issue occurred, policy loaded in the
legacy VPM.
SG-28393 Fixes an issue where the Comment cell and tooltips did not display long comments correctly.
SG-28590 Fixes an issue where saving policy changes after saving previous changes did not automatically refresh the
Generated CPL. This issue occurred when launching the VPM from Management Center.
SG-28100 Fixes an issue where Excel files could not be previewed on Dropbox when policy included a Notify User
object.

Table 252: Fixes in version 7.3.7.1

ID Issue

SG-28521 Fixes an issue where attempting to install web VPM policy that included multiple objects of the same type
did not save all instances of the object. This issue occurred if the object names were not changed from
their defaults.

Table 253: Fixes in version 7.3.5.1

ID Issue

SG-27169 Fixes an issue where the policy enforcement was not correctly applied due to the Application Group
incorrectly referencing an object.

Table 254: Fixes in version 7.3.3.1

ID Issue

SG-25201 Fixes an issue where the Combined Time Object could not be added.
SG-24881, SG-23553 Fixes an issue where adding a User source object resulted in a "Cannot read property 'getAttribute' of
undefined Retrieving base DN" error. The issue occurred if the LDAP realm was configured without a Base
DN.
SG-20718 Fixes an issue where editing an IP address list in an object (such as Send DNS Response) immediately
returned an inaccurate "IP address already exists" error.
SG-23981 Fixes an issue where authenticated users were allowed to access the HTTPS-Console service even though
Management Console login banner (Notice and Consent Banner) policy was configured in the web VPM.
This occurred if CPL policy layers were not ordered correctly.
SG-21338 Fixes an issue where comparing generated CPL with deployed CPL incorrectly indicated differences
between the two policies.
SG-23229 Fixes an issue where configured HSM keyrings were not available in the web VPM.

SG-21638 Fixes an issue where the Allow user to override read-only option in the Web Isolation object was not
indented. It is now indented to indicate that it requires the preceding Read-only, prevent user from
entering data option to be selected.

Table 255: Fixes in version 7.3.2.1

ID Issue

SG-15678 Fixes an issue where checkboxes in VPM objects such as Combined Source were editable in read-only mode.
SG-21623 Fixes an issue where the Operations menu option incorrectly read Enable Enforcement Domains when
enforcement domains were enabled. The menu option now says Disable Enforcement Domains when the
feature is enabled.
SG-20679 Fixes an issue where adding a DNS Request Threat Risk Level object resulted in an error, "Please ensure that
you have enabled Threat Risk Levels" even though the Threat Risk Levels service was enabled.
SG-21942 Fixes an issue where adding a User object with an LDAP realm selected prepended "cn=" to the Full Name field.
SG-21326 Fixes an issue where the UI incorrectly displayed "Enable Enforcement Domains" when the enforcement
domains were already enabled.

Table 256: Fixes in version 7.3.1.1

ID Issue

SG-20727 Fixes an issue where the Substitution Variables list in the SNMP and Email track objects displayed
variables incorrectly due to font size.
SG-22513 Fixes an issue where the SSL Server Name source object did not generate the correct CPL when set to
Exact Match.
SG-20740 Fixes an issue where VPM policy did not detect when multi-tenant landlord mode was enabled. When this
issue occurred, some related policy gestures such as Tenant ID were unavailable. This issue was also fixed
in the legacy VPM.
SG-20656 Fixes an issue where the Request URL Category destination object within a Combined Object did not
allow you to press Enter to insert newlines.

Table 257: Fixes in version 7.2.6.1

ID Issue

SG-25201 Fixes an issue where the Combined Time Object could not be added.
SG-24881, SG-23553 Fixes an issue where adding a User source object resulted in a "Cannot read property 'getAttribute' of
undefined Retrieving base DN" error. The issue occurred if the LDAP realm was configured without a Base
DN.
SG-20718 Fixes an issue where editing an IP address list in an object (such as Send DNS Response) immediately
returned an inaccurate "IP address already exists" error.

SG-23981 Fixes an issue where authenticated users were allowed to access the HTTPS-Console service even though
Management Console login banner (Notice and Consent Banner) policy was configured in the web VPM.
This occurred if CPL policy layers were not ordered correctly.
SG-21338 Fixes an issue where comparing generated CPL with deployed CPL incorrectly indicated differences
between the two policies.
SG-23229 Fixes an issue where configured HSM keyrings were not available in the web VPM.
SG-21638 Fixes an issue where the Allow user to override read-only option in the Web Isolation object was not
indented. It is now indented to indicate that it requires the preceding Read-only, prevent user from
entering data option to be selected.

Table 258: Fixes in version 7.2.5.1

ID Issue

SG-15678 Fixes an issue where checkboxes in VPM objects such as Combined Source were editable in read-only
mode.
SG-20679 Fixes an issue where adding a DNS Request Threat Risk Level object resulted in an error, "Please
ensure that you have enabled Threat Risk Levels" even though the Threat Risk Levels service was
enabled.
SG-21326 Fixes an issue where the UI incorrectly displayed "Enable Enforcement Domains" when the enforcement
domains were already enabled.

Table 259: Fixes in version 7.2.4.1

ID Issue

SG-21942 Fixes an issue where adding a User object with an LDAP realm selected prepended "cn=" to the Full Name
field.

Table 260: Fixes in version 7.2.2.1

ID Issue

SG-18804 Fixes an issue where user and groups objects were missing in the list of configured realms in the Web
VPM.

Table 261: Fixes in version 7.2.1.1

ID Issue

SG-12971 Fixes an issue where the web VPM and legacy VPM each showed different options in the Enable
SSL Interception action object.
SG-16999 Fixes an issue where the font size in layer guard rule comments did not match the font size in standard rule
comments.
SG-16332 Fixes an issue where Perform Request Analysis and Perform Response Analysis action objects
included an Add button even though ICAP services cannot be added through the VPM.
SG-15367 Fixes an issue where the comment entered for a layer guard rule does not appear in the generated CPL.
SG-16593 Fixes an issue where installing policy including combined objects sometimes resulted in the "Visual Policy
Manager seems slow to start" message.

SG-16636 Fixes an issue where non-rule layers could not be closed.
SG-15809 Fixes an issue where combined objects that were negated (for example, condition=!CombinedDestination)
sometimes were not processed as expected (the negation would apply to the initial rule). For example, in the
following definition, the url.address should not be negated:
define condition CombinedDestination
url.address=1.2.3.4
condition=RequestURLCategory1
end condition CombinedDestination

SG-15956 Fixes an issue where a "Duplicate condition type detected" error occurred when installing Encrypted Tap
policy.
SG-15841 Fixes an issue where an incorrect subnet mask was generated when entering subnet /26 in the Client IP
object.
SG-15815 Fixes an issue where the Request Header source object was not available in the Forwarding layer, and
Request Header objects in combined source objects created in the legacy Java VPM did not appear in the
web VPM.
SG-14023 Fixes an issue where url.category= conditions were duplicated when installing policy.
SG-11986 Fixes an issue where server.connection.encrypted_tap() did not have a corresponding
VPM object. The Enable Encrypted TAP action object now has options for enabling and disabling server
encrypted tap; refer to the Web Visual Policy Manager Reference.
SG-13520 Fixes an issue where the VPM prompted read-only users to keep or remove categories when viewing a
category object that contained categories not in the content filter database.

Known Issues in SGOS 7.x
Symantec is aware of the following issues in SGOS 7.x.

Table 262: Admin Console

ID Issue Fixed In

SGAC-2842 Issue: When adding an interface in a Web Cache Service Group, the first value
in the dropdown list appears to be selected even though it is not selected. This
issue occurs when using Safari.
Workaround: To select the first interface in the list, select another interface and
then select the first interface again.

Table 263: Authentication

ID Issue Fixed In

SG-20312 In SGOS 7.2.1.1, CAPTCHA forms are not displayed when the appliance Fixes in SGOS 7.2.2.1
invokes CAPTCHA validators in policy. If you are currently using CAPTCHA
validators in policy, do not upgrade to 7.2.1.1. If you are installing 7.2.1.1, do not
write policy that uses CAPTCHA validators.

Table 264: CLI Consoles

ID Issue Fixed In

SG-23745 A memory leak occurs when there is an SSH host key mismatch between the Fixes in SGOS 7.3.2.1
appliance and Management Center (for example, if the SSH host keypair is
deleted and recreated after the appliance is added to Management Center).

Table 265: FTP Proxy

ID Issue Fixed In

SG-4624 When ICAP REQMOD mirroring is enabled for the FTP proxy, the s-action Fixes in SGOS 7.3.2.1
access log field is occasionally not populated.
SG-13013 Encrypted Tap does not contain any FTP data for intercepted FTPS
connections.

Table 266: HTTP Proxy

ID Issue Fixed In

SG-30438 CPU usage may be increased by 3% due to HTTP performance. For more
information, see KB article 235104.
SG-28290 When server-side persistence is disabled either by policy or by ProxySG Fixes in SGOS 7.3.6.1
configuration, the appliance does not release memory for HTTP/2
connections. Not releasing memory can result in high memory usage and may
eventually require a restart to correct.
Workaround: Either enable HTTP-server persistence or disable the server-side
HTTP/2 proxy with the policy property http2.server.request(no) .
SG-15704 When ADN is enabled, the appliance does not upgrade new connections Fixes in SGOS 7.2.0.1
to HTTP/2; however, if ADN is enabled when there are existing HTTP/2
connections open, the existing HTTP/2 connections could break or cause
crashes.
SG-15679 For HTTP/2 connections, the active session is associated with individual
streams in the connection and ends when the stream is released, which causes
idle HTTP/2 connection to not display in the Active Sessions.

Table 267: Kernel

ID: SG-21332
Issue: Secure Web Gateway virtual appliances running on Hyper-V or Microsoft Azure platforms sometimes experience lower throughput and performance (up to 10%) compared to other virtualization environments.
Fixed In: Fixes in SGOS 7.2.2.1


Table 268: Policy

ID: SG-24288
Issue: In 7.2.4.1, authenticating traffic via NTLM with BCAAA does not work.
Fixed In: Fixes in SGOS 7.3.2.1; Fixes in SGOS 7.2.5.1

ID: SG-17978
Issue: If you are using LDAP authentication and have installed policy to display a redirect link, the redirect link does not display the correct URL in the address bar.
Fixed In: Fixes in SGOS 7.2.2.1

ID: SG-18066
Issue: After installing 7.2.1.1, if you previously didn't use policy quota and had it disabled in configuration, and then attempted to enable it and install time quota policy via either the Legacy VPM or Web VPM, policy does not compile and the CPL displays the error message "Error: Variable Linker Error: variable not defined: 'variable.time_quota_limit(5)'". A similar error occurs when attempting to install volume quota policy.
Workaround: Downgrade to the latest version of 6.7.x, enable policy quota, and then upgrade to 7.2.1.1.
Fixed In: Fixes in SGOS 7.2.2.1

ID: CC-419
Issue: Content Security Policy exemptions (using the Set Content Security Scanning VPM object, set to Exempt From Content Security) are not supported in Symantec Web Security Service. Do not use this setting in policy rules when using Universal Policy enforcement.
Fixed In: Fixes in SGOS 7.2.0.1

ID: SG-12593
Issue: When the Access Security Policy layer is configured with Strong protection level, requests with "none" category and Threat Risk Level 5 are not blocked, but the access log incorrectly states they are blocked.
Fixed In: Fixes in SGOS 7.2.0.1

ID: SG-4058
Issue: When policy includes multiple forms of country names (such as short names, ISO codes, and full names), IP addresses in geographical regions are allowed or denied as intended, but policy traces show regions with an incorrect verdict. For example, consider the following CPL:

    <proxy>
    supplier.allowed_countries[uS, US, "Us", Ca, "United States"] (deny)

This policy results in denials of IP addresses in Canada and the United States, but a policy trace shows that "United States" is denied whereas "uS" is allowed.
Workaround: Do not use multiple formats for country names in policy. Use a consistent format for all instances of country names, as follows:

    <proxy>
    supplier.allowed_countries["United States", Canada] (deny)

Fixed In: (none listed)

ID: SG-4129
Issue: Policy performance is adversely affected when policy includes a large number of categories assigned to a single URL.
Fixed In: (none listed)

ID: SG-28416
Issue: A poor hash algorithm causes false matches and incoherent warnings on specific policy rules.
Fixed In: (none listed)

Table 269: Proxy Forwarding

ID: SG-23770
Issue: Upgrading from version 7.2.x to 7.3.x with an existing web isolation policy causes web isolation to stop working, with web pages that should be isolated displaying a "No connectivity to the proxy server" message.
Fixed In: Fixes in SGOS 7.3.2.1


Table 270: SSL Proxy

ID: SG-23187
Issue: When upgrading from 6.7.x to 7.2.x, health checks for existing HSMs are lost. This issue occurs when the HSM names contain upper-case letters.
Fixed In: (none listed)

ID: SG-13014
Issue: FTPS uploads using FileZilla fail with error code 1048576. This issue occurs when OCSP stapling is enabled on the appliance.
Fixed In: (none listed)

ID: SG-4230
Issue: In STunnel and Bypass modes, the x-cs-session-id and x-cs-server-certificate-key-size access log fields are not populated.
Fixed In: (none listed)

ID: SG-3605
Issue: The appliance stops responding when the CRL distribution point host name field (Configuration > Proxy Settings > SSL Proxy) includes special characters.
Fixed In: (none listed)

ID: SG-4323
Issue: In some cases, the appliance creates a certificate with the OCS IP address in the SAN DNS Name field when providing the client with a server-side TCP error message.
Fixed In: (none listed)

ID: SG-4373
Issue: On a resumed connection, the x-cs-server-certificate-key-size access log field always displays RSA[1024].
Fixed In: (none listed)

ID: SG-4574
Issue: When adding a keyring through the CLI, whitespaces in field values are not ignored. This issue does not occur when creating keyrings through the Management Console.
Fixed In: Fixes in SGOS 7.2.0.1; Fixes in SGOS 7.2.1.1

Table 271: SSL/TLS and PKI

ID: SG-28279
Issue: For ADN deployments, the appliance sometimes experiences high memory usage when processing SSL traffic.
Fixed In: (none listed)

ID: SG-17567
Issue: If the appliance reaches the maximum number of HTTPS connections via SSL tunnel and detect protocol is enabled, memory usage per connection increases significantly.
Fixed In: Fixes in SGOS 7.2.2.1

ID: SG-4598
Issue: Setting the Client Certificate Validation CCL or Server Certificate Validation CCL object in the SSL Intercept Layer in the VPM results in the error "Invalid action for <ssl-intercept> layer", and policy does not compile.
Workaround: These gestures have been moved to the <ssl> layer. Write the policy in CPL instead, as follows:

    <ssl>
    server.certificate.validate.ccl(CertList)

Fixed In: (none listed)

ID: SG-11173
Issue: When upgrading from SGOS 6.7.x, the event log displays errors about HSM keyrings and external certificates. These messages are inaccurate, and there are no issues with the HSM keyring or external certificate.
Fixed In: Fixes in SGOS 7.3.1.1

ID: SG-4583
Issue: Loading signed configuration files on the ProxySG virtual appliance fails with an error:

    % Attempt to load configuration failed: signature verification failed: The message did not match the PKCS7 signature.

Fixed In: (none listed)

ID: SG-3988
Issue: In the access log for the SSL reverse proxy service, client-side negotiated-cipher fields are populated incorrectly when GCM or SHA384 ciphers are used.
Fixed In: Fixes in SGOS 7.2.0.1


Table 272: SSLV Integration

ID: SG-4612
Issue: When SSLV is enabled, SSL access log fields report SSLV cipher values instead of ProxySG values. This issue occurs when certain cipher enforcement conditions exist in policy. For example, instead of displaying AES256-SHA, a field shows RSA-AES256-CBC-SHA.
Fixed In: (none listed)

ID: SG-4482
Issue: In SSLV offload mode, the x-cs-session-id access log field displays incorrect session ID values and the x-cs-server-certificate-key-size field always returns RSA[1024] for key size.
Fixed In: (none listed)

Table 273: TCP/IP and General Networking

ID: SG-12976
Issue: SGOS on AWS deployments experience increased HTTP request/response latency when ICAP scanning is enabled.
Fixed In: (none listed)

ID: SG-28822
Issue: The connection pair of a transparent IPv6 session via SSLV will reuse the same TCP source port if the 'reflect client IP' option is enabled. This is a regression caused by some UDP-Tunnel changes in 7.3.4.
Fixed In: (none listed)

Table 274: URL Filtering

ID: SG-3101
Issue: If a backend database service is unavailable, canceling a download does not complete until the network timeout is reached. This could take several minutes to complete.
Fixed In: (none listed)

ID: SG-25492
Issue: Purging the databases of Intelligence Service subscription services changes the previously-configured download method.
Fixed In: Fixes in SGOS 7.3.4.1

Table 275: VPM

ID: SG-28393
Issue: When web VPM is launched outside Management Center, long comment content is no longer replaced with an ellipsis (...) and the tooltip location is off.
Fixed In: Version 7.3.8.1

ID: SG-29819
Issue: Selecting the "Enable SSL interception with automatic protocol detection" option in the SSL Interception VPM object generates a non-working policy.
Fixed In: (none listed)

Limitations in SGOS 7.x

Symantec is aware of the following limitations. These are issues that are not fixable because of an interaction with third-party products or other reasons, or they are features that work as designed but might cause an issue.

FIPS Mode
This release is based on OpenSSL 1.1.1, which does not support FIPS 140-2. As a result, this release is not FIPS-capable. Attempting to use the # fips-mode enable command results in the message:

    % Current system image is not FIPS capable.
    % Cannot enter FIPS mode. See attributes in "show installed-systems".


Importing CA Certificates
The Management Console allows you to import a CA certificate with an empty name. Make sure that all imported CA
certificates have names. (SG-10474)

Keyring and Keylist Limitations

• The appliance does not correctly distinguish letter cases when creating SSL and HSM keyrings and keylists. For example, you can create a keyring named "Default", which is similar to the "default" keyring. If you attempt to delete "Default", you receive an error "% Keyring is referenced by one or more [service]."
To avoid this issue, do not create keyring/keylist names that are differentiated from system keyring/keylist names only by letter case. (SG-20495, 20497, 20498)
• When creating a keyring through the Management Console, you can include parentheses "( )" in the keyring name; however, attempting to select the keyring in VPM policy produces an "unknown keyring" error.
To avoid this issue, do not include parentheses in keyring names. (SG-2700)
• When configuring a keylist through the CLI, you can add keyrings whose certificate Common Names are differentiated only by whitespace, such as " www.test.com" and "www.test.com". To avoid this issue, use the Management Console to configure keylists. (SG-4574, 4575)

TLS
TLS 1.3 connections over ADN will be downgraded to TLS 1.2.

About the ProxySG Admin Console

The ProxySG Admin Console (SGAC) is intended to replace the Java Management Console for configuring the Secure Web Gateway (SWG) Edition. You can only deploy SGAC via Management Center.

Installation
See Install a Device Admin Console in Management Center documentation.

Features
The organization of the SGAC closely mirrors that of the original Java Management Console. Each page of the
Management Console can be thought of as a separate feature configured in SGAC. Refer to the following sections for
more information:
• Features in SGOS 7.2.1.1
• Features in SGOS 7.2.2.1
• Features in SGOS 7.3.1.1
• Features in SGOS 7.3.2.1
• Features in SGOS 7.3.4.1
• Features in SGOS 7.3.6.1

Supported Dependencies
SGAC requires the following components to run correctly:


Table 276: SGAC Dependencies

Component: Management Center
Compatible Version: 2.4.x and later

Component: ProxySG appliance SWG Edition
Compatible Version: 6.7.4.1 and later

Component: Browser
Compatible Version:
• Apple Safari 13 and later
• Google Chrome 78 and later
• Microsoft Edge 41 and later
• Mozilla Firefox 70 and later

Documentation and Feedback

Refer to the following documentation and feedback options.

Documentation

Table 277: SGOS documentation

Document: SGOS Upgrade/Downgrade
Description: Steps for upgrading or downgrading SGOS. Also covers behavior changes and policy deprecations.

Document: SGOS Administration Guide
Description: Detailed information for configuring and managing the appliance.

Document: Command Line Interface Reference
Description: Commands available in the appliance CLI and how to use them to perform configuration and management tasks.

Document: ProxySG Web Visual Policy Manager Reference
Description: How to create and implement policy in the appliance's web-based Visual Policy Manager, including layer interactions, object descriptions, and advanced tasks.

Document: Legacy Visual Policy Manager Reference
Description: How to create and implement policy in the appliance's legacy Visual Policy Manager.

Document: Content Policy Language Reference
Description: CPL gestures available for writing the policy by which the appliance evaluates web requests.

Document: Required Ports, Protocols, and Services for Symantec Enterprise Security Products
Description: Basic configurations, and some commonly used options, for ports and protocols.

Document: ProxySG Security Best Practices
Description: Best-effort security considerations for your deployment.

Document: Hardware documents
Description: Quick start guides, safety guides, and other hardware documentation. Refer to these release notes for supported platforms.

Document: Appliance online help (Help button)
Description: Access online help from within the Management Console or Admin Console; however, note that documentation posted on MyBroadcom supersedes online help.

Provide Feedback
• Send any questions or comments about documentation: [email protected]
• For Customer Care requests, go to: https://www.broadcom.com/company/contact-us/feedback-and-comments


Documentation Legal Notice

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred
to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by Broadcom
at any time. This Documentation is proprietary information of Broadcom and may not be copied, transferred, reproduced,
disclosed, modified or duplicated, in whole or in part, without the prior written consent of Broadcom.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection
with that software, provided that all Broadcom copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the
applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your
responsibility to certify in writing to Broadcom that all copies and partial copies of the Documentation have been returned
to Broadcom or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, BROADCOM PROVIDES THIS DOCUMENTATION “AS
IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL
BROADCOM BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT,
FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF BROADCOM IS EXPRESSLY
ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and
such license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is Broadcom Inc.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the
restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)
(3), as applicable, or their successors.
Copyright © 2005-2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its
subsidiaries. All trademarks, trade names, service marks, and logos referenced herein belong to their respective
companies.
