Management Console Proxy Tab Access Using Java Web Start
In previous versions of Advanced Secure Gateway, some browsers could not display the Management Console Proxy tab. This release includes Java Web Start support, which provides an alternative to running the Management Console directly in a browser. Use Java Web Start if any of the following apply to your deployment:
- Your browser does not support NPAPI.
- Your browser is not configured to run Java or JavaScript.
- You want to be able to launch multiple appliances from a single interface.
Depending on what you want to achieve, your environment must meet specific requirements to use Java Web Start. Refer to KB article 000032374 for details.
RDNS Lookups are Disabled by Default
To prevent potential misuse of RDNS by malicious third parties, the policy engine disables RDNS lookups by default. The following new CLI command supports this change:
#(config) policy restrict-rdns {all|none}
where all is the default setting.
This change affects the following policy gestures if they attempt to trigger an RDNS lookup when the host is specified as an IP address:
- client.host=
- client.host.has_name=
- request.header.Referer.url.category=
- server_url.domain=
- url=
- url.category=
- url.domain=
- url.host=
To enable RDNS lookups on trusted subnets, add restrict rdns definition blocks to policy. Symantec recommends that you write policy such as the following:
; restrict all RDNS except for the specified subnets
restrict rdns
except
<list of trusted subnets>
end
If you are upgrading to this release, the following CLI command reverts the appliance to its previous behavior and enables RDNS lookups globally:
#(config) policy restrict-rdns none
Note:
- For details, refer to KB article 000032657.
- Symantec strongly recommends that you do not allow RDNS lookups of untrusted IP addresses. RDNS should be restricted to only subnets under your control, or the control of another trusted party. For details on the potential impact of RDNS lookups, refer to Security Advisory SA130.
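A check for the restrict rdns exception list described above, added here as an example and not part of the release note or Symantec's own tooling: it pulls the subnets out of a policy's restrict rdns / except / end block and flags any that fall outside prefixes you control or that exempt the whole address space. The policy text and the "owned" prefixes are constructed for the example.

```python
"""Audit the 'restrict rdns' exception list in a CPL policy file.

Added example (not Symantec code). Assumes the block layout shown in the
release note: 'restrict rdns' / 'except' / one subnet per line / 'end'.
"""
import ipaddress
import re

# Constructed: prefixes this organisation controls. Anything outside them
# should not be exempted from the RDNS restriction.
OWNED_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample policy, following the release-note layout.
SAMPLE_POLICY = """\
; restrict all RDNS except for the specified subnets
restrict rdns
    except
        10.20.0.0/16
        192.168.5.0/24
        203.0.113.0/24
        0.0.0.0/0
    end
<proxy>
    url.domain=example.com deny
"""

def rdns_exceptions(policy_text):
    """Return the subnets listed in the first 'restrict rdns ... end' block."""
    m = re.search(r"^\s*restrict\s+rdns\s*\n\s*except\s*\n(.*?)^\s*end\b",
                  policy_text, re.S | re.M | re.I)
    if not m:
        return []
    nets = []
    for line in m.group(1).splitlines():
        line = line.split(";", 1)[0].strip()   # drop CPL comments
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def audit_rdns_exceptions(policy_text, owned=OWNED_PREFIXES):
    """Map each exempted subnet to 'ok' or a reason it needs review."""
    findings = {}
    for net in rdns_exceptions(policy_text):
        if net.prefixlen == 0:
            findings[str(net)] = "exempts every address (RDNS effectively unrestricted)"
        elif not any(net.subnet_of(o) for o in owned if o.version == net.version):
            findings[str(net)] = "not within an owned prefix"
        else:
            findings[str(net)] = "ok"
    return findings

if __name__ == "__main__":
    for net, verdict in audit_rdns_exceptions(SAMPLE_POLICY).items():
        print(f"{net:18} {verdict}")
```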
Improved WAF Command Injection Detection Engine
By default, the command injection engine now detects a wider set of attacks, including non-chained command injection payloads. The existing define application_protection_set definition has been updated with a new keyword/property to support this new version of the engine.
Although you can change the command injection engine version in CPL, Symantec recommends that you keep the default setting to use the current version of the engine.
To use the previous version of the engine, specify the version=2 keyword/property, as follows:
define application_protection_set mySet
engine=injection.command version=2
end
<proxy>
http.request.detection.mySet(block)
To return to the default setting, specify version=3, as follows:
define application_protection_set mySet
engine=injection.command version=3
end
<proxy>
http.request.detection.mySet(block)
Support for DHE-DSS Ciphers for Forward Proxy
This release supports DHE-DSS ciphers for Forward Proxy. The following ciphers are available in upstream connections in forward proxy mode:
- DHE-DSS-AES128-SHA
- DHE-DSS-AES128-SHA256
- DHE-DSS-AES256-SHA
- DHE-DSS-AES256-SHA256
- DHE-DSS-DES-CBC-SHA
- DHE-DSS-DES-CBC3-SHA
Enhancements and Changes in this Release
This release also includes the following changes:
- This release supports Seagate 1TB HDD ST1000NX0353 hard disks for the S200 platform.
- Access logs now report when errors occur due to Kafka broker configuration changes.
- You can now specify the authentication virtual URL for the CAPTCHA validator. Use the following CLI command:
#(config captcha <realm_name>)virtual-url <URL>
- Currently-supported ciphers are now available when creating policy using the Visual Policy Manager.
- You can now designate sections of policy as being appliance-specific using the #if and #endif directives.
For example, protect policy specific to Advanced Secure Gateway with:
#if product=asg
; guarded rules
...
#endif
Protect policy specific to SGOS with:
#if product=sg
; guarded rules
...
#endif