SGOS 220.127.116.11 was released on September 15, 2016. This release includes a number of new features and enhancements to existing features. To download the release image and the
SGOS 6.6.x Release Notes, log in to BlueTouch Online (BTO) and go to the
Management Console Access Using Java Web Start
In previous versions of SGOS, some browsers could not display the Management Console. This release includes Java Web Start support, which provides an alternative to running the Management Console directly in a browser. Use Java Web Start if any of the following apply to your deployment:
Your browser does not support NPAPI.
You want to be able to launch multiple appliances from a single interface.
Depending on what you want to achieve, your environment must meet specific requirements to use Java Web Start.
Symantec strongly recommends that you do not allow RDNS lookups of untrusted IP addresses. RDNS should be restricted to only subnets under your control, or the control of another trusted party. For details on the potential impact of RDNS lookups, refer to Security Advisory SA130.
Improved WAF Command Injection Detection Engine
By default, the command injection engine now detects a wider set of attacks, including non-chained command injection payloads. The existing define application_protection_set definition has been updated with a new keyword/property to support this new version of the engine.
Although you can change the command injection engine version in CPL, Symantec recommends that you keep the default setting to use the current version of the engine.
To use the previous version of the engine, specify the version=2 keyword/property, as follows:
    define application_protection_set mySet
      engine=injection.command version=2
    end
To return to the default setting, specify version=3, as follows:
    define application_protection_set mySet
      engine=injection.command version=3
    end
Simplified CAC Deployment
The Common Access Card (CAC) client workstation no longer requires a PKCS11 provider to be configured. The Blue Coat ProxySG appliance works with third-party card reader software (such as ActiveID® ActivClient®).
Support for DHE-DSS Ciphers for Forward Proxy
This release supports DHE-DSS ciphers for Forward Proxy. The following ciphers are available in upstream connections in forward proxy mode:
Enhancements and Changes in this Release
This release also includes the following changes:
Access logs now report when errors occur due to Kafka broker configuration changes.
You can now specify the authentication virtual URL for the CAPTCHA validator. Use the following CLI command:
#(config captcha <realm_name>)virtual-url <URL>
Currently-supported ciphers are now available when creating policy using the Visual Policy Manager.
You can now designate sections of policy as being appliance-specific using the #if and #endif variables.
For example, protect policy specific to Advanced Secure Gateway with:
    #if product=asg
    ; guarded rules
    ...
    #endif
Protect policy specific to SGOS with:
    #if product=sg
    ; guarded rules
    ...
    #endif
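When one policy file is shared between Advanced Secure Gateway and SGOS appliances, it helps to preview which lines each product will see and to catch unbalanced guards before installing it. The following Python review aid is an added example, not Symantec code and not the appliance's own parser; the function name, the sample policy and the assumption that guards are neither nested nor paired with an #else are all illustrative.

```python
import re

KNOWN_PRODUCTS = {"asg", "sg"}  # the two product values shown in these notes
GUARD = re.compile(r"^#if\s+product\s*=\s*(\S+)$")

def render_policy(text, product):
    """Return (kept_lines, problems) for one product from shared policy text.
    Assumption: guards are not nested and there is no #else, because the
    release notes show only the plain #if ... #endif form.
    """
    kept, problems = [], []
    guard = None  # (product_name, line_number) while a guard is open
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#if"):
            m = GUARD.match(stripped)
            name = m.group(1).lower() if m else None
            if guard:
                problems.append(f"line {no}: #if inside guard from line {guard[1]}")
            if name not in KNOWN_PRODUCTS:
                problems.append(f"line {no}: unrecognized guard {stripped!r}")
            guard = (name, no)
        elif stripped == "#endif":
            if guard is None:
                problems.append(f"line {no}: #endif without #if")
            guard = None
        elif guard is None or guard[0] == product:
            kept.append(line)
    if guard:
        problems.append(f"line {guard[1]}: #if never closed")
    return kept, problems

# Constructed sample policy for illustration, not taken from an appliance.
SAMPLE = """\
<Proxy>
  url.domain=example.com ALLOW
#if product=asg
  ; guarded rules for Advanced Secure Gateway
  url.domain=only-on-asg.example DENY
#endif
#if product=sg
  ; guarded rules for SGOS
  url.domain=only-on-sg.example DENY
#endif
"""

if __name__ == "__main__":
    for p in sorted(KNOWN_PRODUCTS):
        print(p, *render_policy(SAMPLE, p), sep="\n")
```

An unclosed #if is the case most worth catching in review, because every rule after it would otherwise apply to only one product.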
All SGOS 6.6.x documentation is located on BTO at: