Advanced Secure Gateway 6.6.5.1 was released on September 15, 2016. This release includes a number of new features and enhancements to existing features. To download the release image and the  Advanced Secure Gateway 6.6.x Release Notes, log in to BlueTouch Online (BTO) and go to the  Downloads page.

Management Console Proxy Tab Access Using Java Web Start 

In previous versions of Advanced Secure Gateway, some browsers could not display the Management Console Proxy tab. This release includes Java Web Start support, which provides an alternative to running the Management Console directly in a browser. Use Java Web Start if any of the following apply to your deployment:
  • Your browser does not support NPAPI.
  • Your browser is not configured to run Java or JavaScript.
  • You want to be able to launch multiple appliances from a single interface. 

Depending on what you want to achieve, your environment must meet specific requirements to use Java Web Start. Refer to KB article 000032374 for details.
 

RDNS Lookups are Disabled by Default

To prevent potential misuse of RDNS by malicious third parties, the policy engine disables RDNS lookups by default. The following new CLI command supports this change:

#(config) policy restrict-rdns {all|none}

where all is the default setting.

This change affects the following policy gestures if they attempt to trigger an RDNS lookup when the host is specified as an IP address:

  • client.host=
  • client.host.has_name=
  • request.header.Referer.url.category=
  • server_url.domain=
  • url=
  • url.category=
  • url.domain=
  • url.host=

To enable RDNS lookups on trusted subnets, add restrict rdns definition blocks to policy. Symantec recommends that you write policy such as the following:

; restrict all RDNS except for the specified subnets
restrict rdns
  except
     <list of trusted subnets>
end

If you are upgrading to this release, the following command reverts the appliance to its previous behavior. To enable RDNS lookups globally via the CLI:
#(config) policy restrict-rdns none

Note:

  • For details, refer to KB article 000032657
  • Symantec strongly recommends that you do not allow RDNS lookups of untrusted IP addresses. RDNS should be restricted to only subnets under your control, or the control of another trusted party. For details on the potential impact of RDNS lookups, refer to Security Advisory SA130.


Improved WAF Command Injection Detection Engine

By default, the command injection engine now detects a wider set of attacks, including non-chained command injection payloads. The existing  define application_protection_set definition has been updated with a new keyword/property to support this new version of the engine.

Although you can change the command injection engine version in CPL, Symantec recommends that you keep the default setting to use the current version of the engine.

To use the previous version of the engine, specify the  version=2 keyword/property, as follows:

define application_protection_set mySet
   engine=injection.command version=2
end

<proxy>
 http.requestion.detection.mySet(block)

To return to the default setting, specify  version=3, as follows:

define application_protection_set mySet
  engine=injection.command version=3
end

<proxy>
 http.requestion.detection.mySet(block)

 

Support for DHE-DSS Ciphers for Forward Proxy 

This release supports DHE-DSS ciphers for Forward Proxy. The following ciphers are available in upstream connections in forward proxy mode:
  • DHE-DSS-AES128-SHA 
  • DHE-DSS-AES128-SHA256 
  • DHE-DSS-AES256-SHA 
  • DHE-DSS-AES256-SHA256
  • DHE-DSS-DES-CBC-SHA 
  • DHE-DSS-DES-CBC3-SHA

Enhancements and Changes in this Release

This release also includes the following changes:
  • This release supports Seagate 1TB HDD ST1000NX0353 hard disks for the S200 platform.
  • Access logs now report when errors occur due to Kafka broker configuration changes. 
  • You can now specify the authentication virtual URL for the CAPTCHA validator. Use the following CLI command:
#(config captcha <realm_name>)virtual-url <URL>
  • Currently-supported ciphers are now available when creating policy using the Visual Policy Manager.
  • You can now designate sections of policy as being appliance-specific using the #if and #endif variables.
For example, protect policy specific to Advanced Secure Gateway with:

#if product=asg

; guarded rules
...
#endif

Protect policy specific to SGOS with:

#if product=sg
; guarded rules
...
#endif

All Advanced Secure Gateway 6.6.x documentation is located on BTO at:

https://bto.bluecoat.com/documentation/All-Documents/Advanced%20Secure%20Gateway/ASG%206.6

The following documentation has been updated for this release:

  • Advanced Secure Gateway Proxy Administration Guide​
  • Advanced Secure Gateway Content Policy Language Reference
Imported Document ID: 000032379

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.