Known issues and limitations
Known Issues
The following are known issues:
Security Connector
Direct-to-origin failover setting for HTTP Forwarder drops domains configured to bypass the proxy if they are in other lists with a conflicting policy action
Issue: If direct-to-origin failover is enabled for HTTP Forwarder and the SIA proxy is in an unhealthy state, domains configured to bypass the proxy are not directed to the origin if the domains are included in lists with a conflicting policy action, such as Allow or Bypass. For example, this can occur if the domain is in a list that's configured with the block policy action.
Workaround: Configure an exception list with the domains you want directed to the origin. For instructions on creating an exception list, see Add a custom exception list.
Traffic is not directed to a sinkhole on version 3.1.0 if proxy certificate is not generated or uploaded to SIA
Issue: For version 3.1.0, traffic is not directed to a sinkhole if the proxy certificate is not generated or the signed intermediate certificate is not uploaded to SIA.
Workaround: Generate a certificate or upload a signed certificate for the proxy. For instructions, see Create a SIA Proxy MITM certificate.
Unreachable IP address can be configured for the en1 and en2 interfaces
Issue: When configuring the en1 and en2 interfaces, Security Connector allows administrators to configure IP addresses that are unreachable, and it incorrectly shows a message to indicate the configuration was successful. Security Connector then shows an "Unavailable" status in the Mgmt Gateway and Data Gateway fields of the system information panel.
Workaround: Make sure you configure IP addresses that are reachable and valid for these interfaces.
Option to enable or disable PII logging for HTTP Forwarder is no longer needed in Security Connector
Issue: Security Connector still includes the option to enable or disable PII logging for HTTP Forwarder. At this time, the user's encrypted internal IP address is reported in SIA reports by default.
Workaround: Ignore the PII logging setting in the Security Connector console. This operation will be removed in a future release.
Cannot load Web Console when the console certificate changes from invalid to valid
Issue: If the Web Console certificate changed from invalid to valid, an administrator could not load the Web Console.
Workaround: To load the Web Console, refresh the browser twice.
Security Connector Traffic Stats show 0 in some areas
Issue: In Security Connector 3.2.0, the Traffic Stats show 0 in these areas:
- Requests to Explicit Proxy
- Requests to Transparent Proxy
- Rate Limit Drops
Workaround: No workaround. This issue will be fixed in an upcoming Security Connector release.
Multi-Tenancy
Tenant administrator cannot select a default action for access control in the Unidentified Location Policy
Issue: When first viewing the Unidentified Location Policy, a tenant administrator is unable to select the default action for Access Control.
Workaround: The tenant administrator can go to the Settings tab, disable the proxy and enable it again in the Unidentified Location policy. After doing this, the administrator can return to the Access Control tab and modify the Default Action setting.
Fields for adding the first tenant load behind information panel
Issue: When first accessing the Tenant Management page, the information panel appears. When clicking to add a tenant for the first time, the tenant fields do not appear because they load behind the information panel.
Workaround: Click the information icon twice to hide the information panel. You can now see the fields for adding a tenant.
ETP Client
System bypass proxy setting does not show full list of hosts and domains
Issue: ETP Client automatically updates the system's bypass proxy settings with the hosts and domains that are configured in SIA for the local bypass settings. There is a character limit on both Windows and macOS that prevents the proxy settings from showing the full list of bypassed domains and IP addresses. As a result, applications that use the system proxy settings direct these domains and IP addresses to the proxy, while ETP Client allows these domains and IP addresses to bypass the proxy based on the local bypass settings.
Workaround: There is no workaround. Despite this character limit and OS behavior, ETP Client continues to bypass the domains and IP addresses that are configured for bypass in SIA.
Bypass Domains are dropped when Local Breakout for Bypass Domains is disabled in the policy for the Off Network ETP Clients location
Issue: If the Local Breakout for Bypass Domains setting is disabled in the policy assigned to the Off Network ETP Clients location, domains configured for bypass are dropped for off-network clients.
Workaround: Make sure you enable the Local Breakout for Bypass Domains setting in the policy associated with the Off Network ETP Clients location.
ETP Client cannot automatically upgrade to version 4.1
Issue: If you've configured Force Upgrade for the desktop client, the client is unable to automatically upgrade.
Workaround: Download version 4.1 from Enterprise Center. In the Threat Protection area of Enterprise Center, select Clients & Connectors > ETP Clients. Under the Versions Management tab, click the download icon for version 4.1.
Clients forced to upgrade may indicate that an update is in progress for up to three hours
Issue: After an update is triggered for a client that's set to automatically upgrade with the Force Upgrade setting, the client indicates that an upgrade is in progress. However, the upgrade actually occurs at any time during a three-hour window. As a result, this message may give the impression that the upgrade takes a long time to complete.
Workaround: There is no workaround.
Dynamic Analysis
UI requires that administrators select the Allow and Scan action for Large files to enable Dynamic Analysis
Issue: To enable Dynamic Analysis, an administrator must select the Allow and Scan action for Large files. However, this feature currently does not scan files that exceed 5 MB.
Workaround: To scan files that are up to 5 MB in an offline, isolated environment, make sure you select the Allow and Scan action for large files, and then select Dynamic Analysis.
Limitations
The following are known limitations.
Locations and Sub-Locations
Location policy takes precedence over the sub-location policy in specific situations
The actions configured in the policy of a location are prioritized over the sub-location policy in these situations:
- The location policy uses a block action. For example, if a block action is assigned to a threat category, this configuration takes precedence over the action that's assigned to the same category in a sub-location policy.
- There's non-web traffic and the location policy uses a bypass action. For all non-web traffic, the policy configuration of a location is prioritized over the policy of a sub-location when the location policy uses the bypass action. Non-web traffic includes Extensible Messaging and Presence Protocol (XMPP) or XMPP over TLS traffic.
- If the enterprise resolver does not support the EDNS Client Subnet (ECS) extension, in case of fallback, the policy for a location is applied over the sub-location policy.
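The three rules above can be checked mechanically before a policy change. The following is an added example written for this page, not Akamai product code: it models the documented precedence in Python so an administrator can see which policy's action a sub-location's traffic will actually receive, and lists the categories where a sub-location setting is silently overridden. The function and parameter names, and the two flags used to represent the ECS fallback case, are assumptions made here.

```python
"""Model of the location vs. sub-location precedence rules listed above.

Added example, not Akamai product code. Function and parameter names, and
the two flags used for the ECS fallback case, are assumptions made here.
"""
from dataclasses import dataclass

# Non-web traffic named in the text: XMPP and XMPP over TLS.
NON_WEB_PROTOCOLS = {"xmpp", "xmpp-tls"}


@dataclass(frozen=True)
class Decision:
    action: str   # action actually applied
    source: str   # "location" or "sub-location"
    reason: str   # rule that decided it


def effective_action(location_action, sublocation_action, protocol="https",
                     resolver_supports_ecs=True, fallback_in_effect=False):
    """Return the Decision for one category of a sub-location's traffic.

    location_action / sublocation_action: the action each policy assigns to
    the same category (for example "block", "bypass", "allow").
    protocol: transport seen by SIA; XMPP counts as non-web.
    resolver_supports_ecs / fallback_in_effect: whether the enterprise
    resolver passes EDNS Client Subnet and whether SIA is on its fallback
    path (assumed here to be observable as two flags).
    """
    loc, sub = location_action.lower(), sublocation_action.lower()
    # Rule 1: a block in the location policy always takes precedence.
    if loc == "block":
        return Decision("block", "location", "location policy uses block")
    # Rule 2: for non-web traffic, a location-level bypass takes precedence.
    if protocol.lower() in NON_WEB_PROTOCOLS and loc == "bypass":
        return Decision("bypass", "location", "non-web traffic, location bypass")
    # Rule 3: without ECS support, fallback applies the location policy.
    if not resolver_supports_ecs and fallback_in_effect:
        return Decision(loc, "location", "resolver lacks ECS, fallback in effect")
    # Otherwise the sub-location policy applies as configured.
    return Decision(sub, "sub-location", "sub-location policy applies")


def shadowed_categories(location_policy, sublocation_policy, **conditions):
    """List categories whose sub-location action is overridden by the location.

    Both policies are dicts of category -> action. Returns a sorted list of
    (category, configured_sub_action, effective_action) for every category
    where the administrator's sub-location setting is not what will run.
    """
    shadowed = []
    for category, sub_action in sublocation_policy.items():
        loc_action = location_policy.get(category)
        if loc_action is None:
            continue  # nothing at location level to override with
        decision = effective_action(loc_action, sub_action, **conditions)
        if decision.source == "location" and decision.action != sub_action.lower():
            shadowed.append((category, sub_action, decision.action))
    return sorted(shadowed)


if __name__ == "__main__":
    # Constructed sample policies for illustration only.
    location = {"malware": "block", "phishing": "allow", "chat": "bypass"}
    sublocation = {"malware": "allow", "phishing": "block", "chat": "block"}
    print("web traffic:", shadowed_categories(location, sublocation))
    print("xmpp traffic:", shadowed_categories(location, sublocation, protocol="xmpp"))
```

Running the sample shows that a sub-location "allow" on a category the location blocks never takes effect, and that a sub-location "block" on XMPP is overridden wherever the location bypasses that category; the web-traffic view of the same policies reports only the first case.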
DNS Forwarder may produce inconsistent data in reports when used with sub-locations.
When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and SIA in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to SIA, resulting in duplicate or inconsistent logging.
SIA Proxy
To review SIA Proxy limitations, see Limitations of SIA Proxy.
These limitations also apply:
Enterprises using pip need to add MITM certificate to pip configuration file
If your organization uses pip, make sure you also add the SIA Proxy TLS man-in-the-middle (MITM) certificate to the pip configuration file. In the pip.conf file, add this entry:
[global]
cert = /<path>/<certificate>.pem
where:
- <path> is the path to the certificate.
- <certificate> is the name of the certificate.
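The entry above is easy to get wrong in two ways: pointing cert at a file that is not PEM, or at a file that does not exist, and in both cases pip only fails later at install time. The following is an added example, not Akamai's or pip's own code, that writes the [global] cert entry into a pip.conf while preserving the other settings already in the file and first checks that the file is a PEM certificate bundle. It assumes the administrator has already exported the proxy's CA certificate in PEM form; the function names and the scratch-directory demo are illustration choices, and the SAMPLE_PEM is a constructed placeholder, not a real certificate.

```python
"""Write and sanity-check the pip.conf 'cert' entry for the SIA Proxy MITM CA.

Added example, not Akamai's or pip's own code. Assumes the proxy CA has been
exported as PEM; function names are illustration choices.
"""
import configparser
import os
import sys
import tempfile
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder with PEM framing only; NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderCONSTRUCTEDforTHISexampleNOTaREALcertificate\n"
    "-----END CERTIFICATE-----\n"
)


def default_pip_conf_path():
    """Per-user pip config file location, following pip's documented search."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("APPDATA", Path.home())) / "pip" / "pip.ini"
    if sys.platform == "darwin":
        legacy = Path.home() / "Library" / "Application Support" / "pip"
        if legacy.is_dir():
            return legacy / "pip.conf"
    xdg = os.environ.get("XDG_CONFIG_HOME", str(Path.home() / ".config"))
    return Path(xdg) / "pip" / "pip.conf"


def validate_pem_bundle(cert_path):
    """Return the number of PEM certificates in the file, raising if unusable.

    pip's 'cert' setting replaces its default CA bundle with this file, so the
    bundle must hold every CA pip should trust (the MITM CA at minimum) and
    must be PEM text, not DER.
    """
    path = Path(cert_path)
    if not path.is_file():
        raise FileNotFoundError(f"certificate not found: {path}")
    text = path.read_bytes().decode("utf-8", errors="replace")
    count = text.count(PEM_HEADER)
    if count == 0 or text.count(PEM_FOOTER) != count:
        raise ValueError(f"{path} is not a PEM certificate bundle")
    return count


def write_pip_conf(conf_path, cert_path):
    """Create or update conf_path so [global] cert points at cert_path.

    Other settings already in the file are kept. Returns the value written.
    """
    validate_pem_bundle(cert_path)
    parser = configparser.ConfigParser()
    conf = Path(conf_path)
    if conf.is_file():
        parser.read(conf)
    if not parser.has_section("global"):
        parser.add_section("global")
    parser.set("global", "cert", str(Path(cert_path).resolve()))
    conf.parent.mkdir(parents=True, exist_ok=True)
    with conf.open("w", encoding="utf-8") as fh:
        parser.write(fh)
    return parser.get("global", "cert")


def demo():
    """Run the flow in a scratch directory and report what was written."""
    work = Path(tempfile.mkdtemp(prefix="sia-pip-"))
    cert = work / "sia-proxy-ca.pem"
    cert.write_text(SAMPLE_PEM, encoding="utf-8")
    conf = work / "pip.conf"
    # Pre-existing setting that must survive the update.
    conf.write_text("[global]\ntimeout = 60\n", encoding="utf-8")
    written = write_pip_conf(conf, cert)
    check = configparser.ConfigParser()
    check.read(conf)
    # A DER (binary) file must be rejected rather than silently configured.
    der = work / "sia-proxy-ca.der"
    der.write_bytes(b"\x30\x82\x01\x00" + b"\x00" * 16)
    try:
        validate_pem_bundle(der)
        der_rejected = False
    except ValueError:
        der_rejected = True
    return {
        "certificates": validate_pem_bundle(cert),
        "cert_setting": check.get("global", "cert"),
        "timeout_kept": check.get("global", "timeout") == "60",
        "matches_return": written == check.get("global", "cert"),
        "der_rejected": der_rejected,
    }


if __name__ == "__main__":
    print(demo())
    print("default pip config path:", default_pip_conf_path())
```

Two points worth keeping in mind when applying this in practice. First, pip's cert option replaces its default CA bundle rather than extending it, so on a machine where some PyPI traffic is not intercepted by the proxy the file should be a bundle that also contains the public roots. Second, the same setting can be applied without editing the file, with pip config set global.cert /path/to/cert.pem, or per process through the PIP_CERT environment variable; the validation above applies equally to the file those mechanisms point at.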
Handling of non-HTTPS traffic
When directing traffic to SIA Proxy, especially DNS redirection or traffic from ETP Client version 4.0 or later, there's a rare possibility that non-HTTPS traffic is also directed to the proxy. If this occurs, SIA Proxy drops the traffic, and the Network Activity report indicates that the traffic was dropped.
ETP Client
- Traffic specified in exception lists automatically bypasses SIA. When ETP Client is enabled on a device, the domains, URLs, and IP addresses specified in exception lists automatically bypass SIA even if the list is not associated with the client policy.
- Mobile device incorrectly reports high data usage for ETP Client. When viewing battery usage information, the mobile device reports that the ETP Client app uses a lot of data and battery power. This is caused by the way the device operating system calculates data usage. The data generated by the apps that pass through the client, such as YouTube, Instagram, the browser, and more, is mistakenly attributed to the ETP Client app.
- Mobile Client limitations. To review limitations of the mobile client, see Limitations of the mobile client.
- Network Activity report shows "onramp" instead of "bypass" when the Local Breakout for Bypass Domains setting is disabled in a policy. For ETP Client traffic that's on the corporate network, the Network Activity report shows onramp instead of bypass for domains that are configured for bypass when the Local Breakout for Bypass Domains setting is disabled in a policy.
- ETP Client is not supported in locations configured with IPsec tunnels. If your organization uses IPsec, make sure you disable the client in policies that are associated with IPsec tunnel locations. In a policy, you can find the Disable Client toggle in the ETP Client Settings area of the Settings tab.
- ETP Client does not support QUIC. QUIC, a transport protocol used by HTTP/3, is not supported. As a result, ETP Client cannot intercept HTTP/3 traffic. QUIC support is expected in an upcoming release.
- These limitations apply to ETP Client when it's enabled as a full web proxy:
  - IPv6-only networks are not supported. Currently, ETP Client does not support IPv6-only networks when the client is set up to forward web traffic to SIA Proxy. While IPv6-only networks are supported for ETP Client when it's configured for DNS traffic only, NAT64 may not function for ETP Client when DNS over TLS (DoT) is enabled.
  - wpad.dat file is not supported. The wpad.dat file is not supported when ETP Client is configured as the local web proxy. Make sure this file is not accessible to the Web Proxy Auto-Discovery (WPAD) service on Windows.
Security Connector
DNS Forwarder may produce inconsistent data in reports when used with sub-locations.
When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and SIA in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to SIA, resulting in duplicate or inconsistent logging.
Sinkhole logs are not captured for traffic that arrives through Web Console port when Security Connector uses two interfaces
If two interfaces are used for the DNS or HTTP Forwarder and the Security Connector is also used as a sinkhole, the logs for sinkhole traffic are not captured when traffic arrives on the Web Console port.
HTTP Forwarder
For a list of limitations on Security Connector when it's configured as an HTTP Forwarder, see Limitations of HTTP Forwarder.
Domains configured in local bypass settings are dropped if they can only be resolved by local DNS server
If HTTP Forwarder is deployed, domains configured in the Local Bypass Settings (Clients & Connectors > Local Bypass Settings) are dropped if they can only be resolved by the local DNS server.
Device Posture (Beta)
A change to device risk level in a policy takes 30 minutes to affect users who already authenticated
If the risk level for a device changes after a user authenticates, it takes up to 30 minutes for the new risk level to affect the user's session.