Known issues and limitations

Known Issues

The following are known issues:

Security Connector

Unreachable IP address can be configured for the en1 and en2 interfaces

Issue: When configuring the en1 and en2 interfaces, Security Connector allows administrators to configure IP addresses that are unreachable, and it incorrectly shows a message to indicate the configuration was successful. Security Connector then shows an “Unavailable” status in the Mgmt Gateway and Data Gateway fields of the system information panel.

Workaround: Make sure you configure IP addresses that are reachable and valid for these interfaces.

Option to enable or disable PII logging for HTTP Forwarder is no longer needed in Security Connector

Issue: Security Connector still includes the option to enable or disable PII logging for HTTP Forwarder. At this time, the user’s encrypted internal IP address is reported in ETP reports by default.

Workaround: Ignore the PII logging setting in the Security Connector console. This setting will be removed in a future release.

Multi-Tenancy

Tenant administrator cannot select a default action for access control in the Unidentified Location Policy

Issue: When first viewing the Unidentified Location Policy, a tenant administrator is unable to select the default action for Access Control.

Workaround: The tenant administrator can go to the Settings tab, disable the proxy and enable it again in the Unidentified Location policy. After doing this, the administrator can return to the Access Control tab and modify the Default Action setting.

Fields for adding the first tenant load behind information panel

Issue: When first accessing the Tenant Management page, the information panel appears. When clicking to add a tenant for the first time, the tenant fields do not appear because they load behind the information panel.

Workaround: Click the information icon twice to hide the information panel. You can now see the fields for adding a tenant.

ETP Client

Bypass Domains are dropped when Local Breakout for Bypass Domains is disabled in the policy for the Off Network ETP Clients location

Issue: If the Local Breakout for Bypass Domains setting is disabled in the policy assigned to the Off Network ETP Clients location, domains configured for bypass are dropped for off-network clients.

Workaround: Make sure you enable the Local Breakout for Bypass Domains setting in the policy associated with the Off Network ETP Clients location.

ETP Client cannot automatically upgrade to version 4.1

Issue: If you’ve configured Force Upgrade for the ETP desktop client, the client is unable to automatically upgrade.

Workaround: Download version 4.1 from Enterprise Center. In Enterprise Center, under Threat Protection, select Clients & Connectors > ETP Clients. On the Versions Management tab, click the download icon for version 4.1.

Dynamic Analysis

UI requires that administrators select the Allow and Scan action for Large files to enable Dynamic Analysis

Issue: To enable Dynamic Analysis, an administrator must select the Allow and Scan action for large files. However, Dynamic Analysis currently does not scan files larger than 5 MB.

Workaround: To have files up to 5 MB scanned in the offline, isolated Dynamic Analysis environment, select the Allow and Scan action for large files, and then select Dynamic Analysis.

Limitations

The following are known limitations.

Locations and Sub-Locations

Location policy takes precedence over the sub-location policy in specific situations

The actions configured in the policy of a location are prioritized over the sub-location policy in these situations:

  • The location policy uses a block action. For example, if a block action is assigned to a threat category, this configuration takes precedence over the action that’s assigned to the same category in a sub-location policy.
  • There’s non-web traffic and the location policy uses a bypass action. For all non-web traffic, the policy configuration of a location is prioritized over the policy of a sub-location when the location policy uses the bypass action. Non-web traffic includes Extensible Messaging and Presence Protocol (XMPP) or XMPP over TLS traffic.
  • If the enterprise resolver does not support the EDNS Client Subnet (ECS) extension, in case of fallback, the policy for a location is applied over the sub-location policy.
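The three precedence rules above are easier to reason about as a decision procedure. The following is an added illustration written for this page, not Akamai's policy engine: it models the ECS case as "the resolver sends no ECS, so the request falls back to the location policy", and the action names, protocol labels, and the Resolution type are assumptions made for the example.

```python
# Added example (not Akamai's policy engine): a small resolver that applies the
# three precedence rules above to a location/sub-location policy pair.
# Action names, protocol labels, and the Resolution type are assumptions
# made for this illustration.
from dataclasses import dataclass

BLOCK, BYPASS, MONITOR, ALLOW = "block", "bypass", "monitor", "allow"

# Non-web traffic named on the page: XMPP and XMPP over TLS (labels assumed).
NON_WEB_PROTOCOLS = {"xmpp", "xmpp-tls"}


@dataclass(frozen=True)
class Resolution:
    action: str      # action that will be enforced
    source: str      # "location" or "sub-location"
    reason: str      # which precedence rule decided it


def effective_action(location_action: str,
                     sublocation_action: str,
                     protocol: str = "https",
                     resolver_supports_ecs: bool = True) -> Resolution:
    """Return the action applied to one threat category for a request that
    arrives from a sub-location whose parent location has its own policy."""
    # Rule 1: a block in the location policy always wins.
    if location_action == BLOCK:
        return Resolution(BLOCK, "location",
                          "location policy blocks this category")
    # Rule 2: for non-web traffic, a bypass in the location policy wins.
    if protocol in NON_WEB_PROTOCOLS and location_action == BYPASS:
        return Resolution(BYPASS, "location",
                          "non-web traffic and location policy bypasses")
    # Rule 3: without ECS the resolver cannot convey the client subnet, so
    # the request falls back to the location policy.
    if not resolver_supports_ecs:
        return Resolution(location_action, "location",
                          "enterprise resolver lacks ECS; fell back to location")
    # Otherwise the sub-location policy is the more specific one and applies.
    return Resolution(sublocation_action, "sub-location",
                      "sub-location policy applies")


def explain(cases):
    """Render (label, kwargs) cases as text rows for a quick policy review."""
    rows = []
    for label, kwargs in cases:
        r = effective_action(**kwargs)
        rows.append(f"{label:<44} -> {r.action:<8} from {r.source:<12} ({r.reason})")
    return rows


if __name__ == "__main__":
    demo = [
        ("location block, sub-location allow",
         dict(location_action=BLOCK, sublocation_action=ALLOW)),
        ("location monitor, sub-location block",
         dict(location_action=MONITOR, sublocation_action=BLOCK)),
        ("XMPP: location bypass, sub-location block",
         dict(location_action=BYPASS, sublocation_action=BLOCK, protocol="xmpp")),
        ("HTTPS: location bypass, sub-location block",
         dict(location_action=BYPASS, sublocation_action=BLOCK)),
        ("no ECS: location monitor, sub-location block",
         dict(location_action=MONITOR, sublocation_action=BLOCK,
              resolver_supports_ecs=False)),
    ]
    print("\n".join(explain(demo)))
```

The fourth demo case is the one that surprises administrators: a bypass in the location policy does not override a sub-location block for web traffic, only for non-web traffic such as XMPP.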

DNS Forwarder may produce inconsistent data in reports when used with sub-locations

When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and ETP in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to ETP, resulting in duplicate or inconsistent logging.

ETP Proxy

To review ETP Proxy limitations, see Limitations of ETP Proxy.

These limitations also apply:

Enterprises using pip need to add MITM certificate to pip configuration file

If your organization uses pip, make sure you also add the ETP Proxy TLS man-in-the-middle (MITM) certificate to the pip configuration file. Note that pip's cert setting replaces the default CA bundle rather than adding to it, so if some package index traffic does not pass through ETP Proxy, the file you point to must be a PEM bundle that contains both the MITM certificate and the public CA certificates you rely on. In the pip.conf file, add this entry:

[global]
cert = /<path>/<certificate>.pem

where:

  • <path> is the path to the certificate.
  • <certificate> is the name of the certificate.
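A quick way to validate the entry before rolling it out to developers is to parse pip.conf and load the referenced file the way a TLS client would. The check below is an added example written for this page, not part of pip or of ETP; it uses only the Python standard library, and the demo() scenarios write constructed pip.conf variants and certificate files to a temporary directory.

```python
# Added example (not part of the page, pip, or ETP): sanity-check the pip.conf
# 'cert' entry described above. Standard library only; demo() uses constructed
# sample files in a temporary directory.
import configparser
import os
import ssl
import tempfile
from pathlib import Path
from typing import List


def check_pip_cert(pip_conf: str) -> List[str]:
    """Return the problems found with [global] cert in pip_conf ([] if none)."""
    parser = configparser.ConfigParser()
    if not parser.read(pip_conf):
        return [f"{pip_conf}: file not found or unreadable"]
    if not parser.has_option("global", "cert"):
        return [f"{pip_conf}: no 'cert' entry under [global]"]
    cert_path = Path(os.path.expanduser(parser.get("global", "cert")))
    if not cert_path.is_file():
        return [f"{cert_path}: certificate file does not exist"]
    if "-----BEGIN CERTIFICATE-----" not in cert_path.read_text(errors="replace"):
        return [f"{cert_path}: not PEM-encoded (pip needs PEM, not DER)"]
    # Load the bundle the way a TLS client would. A fresh context holds no
    # default CAs, so the store statistics describe only this file.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=str(cert_path))
    except ssl.SSLError as exc:
        return [f"{cert_path}: PEM could not be parsed: {exc}"]
    stats = ctx.cert_store_stats()
    if stats.get("x509_ca", 0) == 0:
        return [f"{cert_path}: contains no CA certificate; the MITM signing "
                "CA is needed, not a leaf certificate"]
    return []


def demo() -> dict:
    """Run check_pip_cert over constructed pip.conf variants (sample data)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        der_like = tmp / "mitm.der"
        der_like.write_bytes(b"\x30\x82\x01\x00" + b"\x00" * 16)  # constructed, not PEM
        bad_pem = tmp / "bad.pem"
        bad_pem.write_text("-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n"
                           "-----END CERTIFICATE-----\n")  # constructed junk
        scenarios = {
            "missing_key": "[global]\ntimeout = 60\n",
            "missing_file": f"[global]\ncert = {tmp / 'absent.pem'}\n",
            "not_pem": f"[global]\ncert = {der_like}\n",
            "bad_pem": f"[global]\ncert = {bad_pem}\n",
        }
        for name, body in scenarios.items():
            conf = tmp / f"{name}.conf"
            conf.write_text(body)
            results[name] = check_pip_cert(str(conf))
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

Run check_pip_cert against the real pip.conf path on a managed host (pip config list shows which file is in effect); an empty result means the file exists, is PEM, parses, and contains at least one CA certificate, which is what the proxy's MITM certificate must be.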

Handling of non-HTTPS traffic

When directing traffic to ETP Proxy, in particular through DNS redirection or from ETP Client version 4.0 or later, there is a small possibility that non-HTTPS traffic is also directed to the proxy. If this occurs, ETP Proxy drops the traffic, and the Network Activity report indicates that the traffic was dropped.

ETP Client

  • Traffic specified in exception lists automatically bypasses ETP. When ETP Client is enabled on a device, the domains, URLs, and IP addresses specified in exception lists automatically bypass ETP even if the list is not associated with the client policy.
  • Mobile device incorrectly reports high data usage for ETP Client. When viewing battery usage information, the mobile device reports that the ETP Client app uses a lot of data and battery power. This is caused by the way the device operating system calculates data usage. The data generated by the apps that pass through the client, such as YouTube, Instagram, the browser, and more, are mistakenly attributed to the ETP Client app.
  • Mobile Client limitations. To review limitations of ETP mobile client, see Limitations of the ETP Mobile Client.
  • ETP Client must have ETP Client Identity Reporting enabled when directing traffic to ETP Proxy. When using ETP Client with the selective or full web proxy, make sure you enable the ETP Client Identity Reporting configuration setting. This setting is currently required for ETP Client to send traffic to ETP Proxy.
  • Network Activity report shows “onramp” instead of “bypass” when the Local Breakout for Bypass Domains setting is disabled in a policy. For ETP Client traffic that’s on the corporate network, the Network Activity report shows onramp instead of bypass for domains that are configured for bypass when the Local Breakout for Bypass Domains setting is disabled in a policy.
  • These limitations apply to ETP Client when it's enabled as a full web proxy:
    • IPv6-only networks are not supported. Currently, ETP Client does not support IPv6-only networks when the client is set up to forward web traffic to ETP Proxy. While IPv6-only networks are supported for ETP Client when it’s configured for DNS traffic only, NAT64 may not function for ETP Client when DNS over TLS (DoT) is enabled.
    • wpad.dat file is not supported. The wpad.dat file is not supported when ETP Client is configured as the local web proxy. Make sure this file is not accessible to the Web Proxy Auto-Discovery (WPAD) service on Windows.

Security Connector

DNS Forwarder may produce inconsistent data in reports when used with sub-locations

When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and ETP in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to ETP, resulting in duplicate or inconsistent logging.

Sinkhole logs are not captured for traffic that arrives through Web Console port when Security Connector uses two interfaces

If two interfaces are used for the DNS or HTTP Forwarder and the Security Connector is also used as a sinkhole, the logs for sinkhole traffic are not captured when traffic arrives on the Web Console port.

HTTP Forwarder

For a list of limitations on Security Connector when it’s configured as an HTTP Forwarder, see Limitations of HTTP Forwarder.
