Known issues and limitations

Known Issues

The following are known issues:

Security Connector

Direct-to-origin failover setting for HTTP Forwarder drops domains configured to bypass the proxy if they are in other lists with a conflicting policy action

Issue: If direct-to-origin failover is enabled for HTTP Forwarder and the SIA proxy is in an unhealthy state, domains configured to bypass the proxy are not directed to the origin if the domains are included in lists with a conflicting policy action, such as Allow or Bypass. For example, this can occur if the domain is in a list that’s configured with the block policy action.

Workaround: Configure an exception list with the domains you want directed to the origin. For instructions on creating an exception list, see Add a custom exception list.

Traffic is not directed to a sinkhole on version 3.1.0 if proxy certificate is not generated or uploaded to SIA

Issue: For version 3.1.0, traffic is not directed to a sinkhole if the proxy certificate is not generated or the signed intermediate certificate is not uploaded to SIA.

Workaround: Generate a certificate or upload a signed certificate for the proxy. For instructions, see Create a SIA Proxy MITM certificate.

Unreachable IP address can be configured for the en1 and en2 interfaces

Issue: When configuring the en1 and en2 interfaces, Security Connector allows administrators to configure IP addresses that are unreachable, and it incorrectly shows a message to indicate the configuration was successful. Security Connector then shows an “Unavailable” status in the Mgmt Gateway and Data Gateway fields of the system information panel.

Workaround: Make sure you configure IP addresses that are reachable and valid for these interfaces.

Option to enable or disable PII logging for HTTP Forwarder is no longer needed in Security Connector

Issue: Security Connector still includes the option to enable or disable PII logging for HTTP Forwarder. At this time, the user’s encrypted internal IP address is reported in SIA reports by default.

Workaround: Ignore the PII logging setting in the Security Connector console. This option will be removed in a future release.

Cannot load Web Console when the console certificate changes from invalid to valid

Issue: If the Web Console certificate changes from invalid to valid, an administrator cannot load the Web Console.

Workaround: To load the Web Console, refresh the browser twice.

Security Connector Traffic Stats show 0 in some areas

Issue: In Security Connector 3.2.0, the Traffic Stats show 0 in these areas:

  • Requests to Explicit Proxy
  • Requests to Transparent Proxy
  • Rate Limit Drops

Workaround: No workaround. This issue will be fixed in an upcoming Security Connector release.

Multi-Tenancy

Tenant administrator cannot select a default action for access control in the Unidentified Location Policy

Issue: When first viewing the Unidentified Location Policy, a tenant administrator is unable to select the default action for Access Control.

Workaround: The tenant administrator can go to the Settings tab, disable the proxy and enable it again in the Unidentified Location policy. After doing this, the administrator can return to the Access Control tab and modify the Default Action setting.

Fields for adding the first tenant load behind information panel

Issue: When first accessing the Tenant Management page, the information panel appears. When clicking to add a tenant for the first time, the tenant fields do not appear because they load behind the information panel.

Workaround: Click the information icon twice to hide the information panel. You can now see the fields for adding a tenant.

ETP Client

System bypass proxy setting does not show full list of hosts and domains

Issue: ETP Client automatically updates the system’s bypass proxy settings with the hosts and domains that are configured in SIA for the local bypass settings. There is a character limit on both Windows and macOS that prevents the proxy settings from showing the full list of bypassed domains and IP addresses. As a result, applications that use the system proxy settings direct these domains and IP addresses to the proxy, while ETP Client allows these domains and IP addresses to bypass the proxy based on the local bypass settings.

Workaround: There is no workaround. Despite this character limit and OS behavior, ETP Client continues to bypass the domains and IP addresses that are configured for bypass in SIA.

Bypass Domains are dropped when Local Breakout for Bypass Domains is disabled in the policy for the Off Network ETP Clients location

Issue: If the Local Breakout for Bypass Domains setting is disabled in the policy assigned to the Off Network ETP Clients location, domains configured for bypass are dropped for off-network clients.

Workaround: Make sure you enable the Local Breakout for Bypass Domains setting in the policy associated with the Off Network ETP Clients location.

ETP Client cannot automatically upgrade to version 4.1

Issue: If you’ve configured Force Upgrade for the desktop client, the client is unable to automatically upgrade.

Workaround: Download version 4.1 from Enterprise Center. In the Threat Protection area of Enterprise Center, select Clients & Connectors > ETP Clients. Under the Versions Management tab, click the download icon for version 4.1.

Clients forced to upgrade may indicate that an update is in progress for up to three hours

Issue: After an update is triggered for a client that’s set to automatically upgrade with the Force Upgrade setting, the client indicates that an upgrade is in progress. However, the upgrade actually occurs at any time during a three-hour window. As a result, this message may give the impression that the upgrade takes a long time to complete.

Workaround: There is no workaround.

Dynamic Analysis

UI requires that administrators select the Allow and Scan action for Large files to enable Dynamic Analysis

Issue: To enable Dynamic Analysis, an administrator must select the Allow and Scan action for Large files. However, this feature currently does not scan files that exceed 5 MB.

Workaround: To scan files that are up to 5 MB in an offline, isolated environment, make sure you select the Allow and Scan action for large files, and then select Dynamic Analysis.

Limitations

The following are known limitations.

Locations and Sub-Locations

Location policy takes precedence over the sub-location policy in specific situations

The actions configured in the policy of a location are prioritized over the sub-location policy in these situations:

  • The location policy uses a block action. For example, if a block action is assigned to a threat category, this configuration takes precedence over the action that’s assigned to the same category in a sub-location policy.
  • There’s non-web traffic and the location policy uses a bypass action. For all non-web traffic, the policy configuration of a location is prioritized over the policy of a sub-location when the location policy uses the bypass action. Non-web traffic includes Extensible Messaging and Presence Protocol (XMPP) or XMPP over TLS traffic.
  • If the enterprise resolver does not support the EDNS Client Subnet (ECS) extension, in case of fallback, the policy for a location is applied over the sub-location policy.
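To see where these three rules silently override a sub-location setting, here is an added example (not Akamai code) that audits a pair of policies. It assumes policies can be modelled as category-to-action dicts, and that outside the three rules the sub-location action applies, which follows from the heading above.

```python
# Added example (not Akamai code). Policies are modelled as category -> action
# dicts, an assumption about the data model; the default that a sub-location
# action otherwise applies follows from "in specific situations" above.
BLOCK, BYPASS = "block", "bypass"


def effective_action(loc_action, sub_action, non_web=False, ecs_fallback=False):
    """Action applied to one category when both policies set one."""
    if loc_action == BLOCK:                # rule 1: a location block always wins
        return loc_action
    if non_web and loc_action == BYPASS:   # rule 2: XMPP and other non-web traffic
        return loc_action
    if ecs_fallback:                       # rule 3: resolver without ECS, on fallback
        return loc_action
    return sub_action                      # otherwise the sub-location policy applies


def ineffective_overrides(location_policy, sublocation_policy, **ctx):
    """Categories where the sub-location sets a different action that is silently
    overridden, mapped to the action that really applies."""
    result = {}
    for category, sub_action in sublocation_policy.items():
        loc_action = location_policy.get(category)
        if loc_action is None or loc_action == sub_action:
            continue
        applied = effective_action(loc_action, sub_action, **ctx)
        if applied != sub_action:
            result[category] = applied
    return result


# Constructed sample policies (categories and actions are illustrative).
LOCATION = {"malware": BLOCK, "phishing": BLOCK, "social": "allow", "dev-tools": BYPASS}
SUBLOCATION = {"malware": "allow", "phishing": BLOCK, "social": BLOCK, "dev-tools": "allow"}

if __name__ == "__main__":
    print(ineffective_overrides(LOCATION, SUBLOCATION))                     # web traffic
    print(ineffective_overrides(LOCATION, SUBLOCATION, non_web=True))       # XMPP etc.
    print(ineffective_overrides(LOCATION, SUBLOCATION, ecs_fallback=True))  # no-ECS fallback
```

Note that with the ECS fallback rule even a stricter sub-location action (social: block) gives way to the location's allow, which is the case most worth checking in an audit.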

DNS Forwarder may produce inconsistent data in reports when used with sub-locations.

When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and SIA in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to SIA, resulting in duplicate or inconsistent logging.

SIA Proxy

To review SIA Proxy limitations, see Limitations of SIA Proxy.

These limitations also apply:

Enterprises using pip need to add MITM certificate to pip configuration file

If your organization uses pip, make sure you also add the SIA Proxy TLS man-in-the-middle (MITM) certificate to the pip configuration file. In the pip.conf file, add this entry:

[global]
cert = /<path>/<certificate>.pem

where:

  • <path> is the path to the certificate.
  • <certificate> is the name of the certificate.
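When rolling this entry out to many machines, the existing pip.conf usually already holds other settings (a private index, for example) and sometimes the insecure workaround for proxy TLS errors, trusted-host, which makes pip skip certificate verification. The following added example (not Akamai or pip project code) merges the cert entry without clobbering other keys, lists any trusted-host entries that should be removed once the certificate is in place, and sanity-checks the PEM file; the certificate path and sample pip.conf are constructed placeholders.

```python
import configparser
import io
import os

# Added example (not Akamai code). The cert path and sample pip.conf below are
# constructed placeholders.


def merge_cert_into_pip_conf(existing: str, cert_path: str) -> str:
    """Return pip.conf text with [global] cert = cert_path, keeping other keys."""
    cfg = configparser.ConfigParser()
    cfg.read_string(existing)  # "" is fine when no pip.conf exists yet
    if not cfg.has_section("global"):
        cfg.add_section("global")
    cfg.set("global", "cert", cert_path)
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def trusted_hosts(conf_text: str) -> list:
    """Hosts for which pip skips TLS verification (trusted-host). Any entry here
    is a workaround that should be dropped once the MITM cert is configured."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    raw = cfg.get("global", "trusted-host", fallback="")
    return raw.split()


def pem_has_certificate(cert_path: str) -> bool:
    """Sanity check that the configured file exists and holds PEM certificate(s)."""
    if not os.path.isfile(cert_path):
        return False
    with open(cert_path, encoding="ascii", errors="replace") as f:
        data = f.read()
    return "-----BEGIN CERTIFICATE-----" in data and "-----END CERTIFICATE-----" in data


# Constructed sample: a pip.conf that already points at a private index and
# "fixes" proxy TLS errors the insecure way, by disabling verification.
SAMPLE_PIP_CONF = """[global]
index-url = https://pypi.example.internal/simple
trusted-host = pypi.org files.pythonhosted.org
"""

if __name__ == "__main__":
    merged = merge_cert_into_pip_conf(SAMPLE_PIP_CONF, "/etc/pki/sia-proxy-mitm.pem")
    print(merged)
    print("verification disabled for:", trusted_hosts(merged))
```

On a single machine the equivalent of the merge step is `pip config set global.cert /<path>/<certificate>.pem`, which edits the same file.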

Handling of non-HTTPS traffic

When directing traffic to SIA Proxy, especially DNS redirection or traffic from ETP Client version 4.0 or later, there’s a rare possibility that non-HTTPS traffic is also directed to the proxy. If this occurs, SIA Proxy drops the traffic, and the Network Activity report indicates that the traffic was dropped.

ETP Client

  • Traffic specified in exception lists automatically bypasses SIA. When ETP Client is enabled on a device, the domains, URLs, and IP addresses specified in exception lists automatically bypass SIA even if the list is not associated with the client policy.
  • Mobile device incorrectly reports high data usage for ETP Client. When viewing battery usage information, the mobile device reports that the ETP Client app uses a lot of data and battery power. This is caused by the way the device operating system calculates data usage. The data generated by the apps that pass through the client, such as YouTube, Instagram, the browser, and more, is mistakenly attributed to the ETP Client app.
  • Mobile Client limitations. To review limitations of the mobile client, see Limitations of the mobile client.
  • Network Activity report shows “onramp” instead of “bypass” when the Local Breakout for Bypass Domains setting is disabled in a policy. For ETP Client traffic that’s on the corporate network, the Network Activity report shows onramp instead of bypass for domains that are configured for bypass when the Local Breakout for Bypass Domains setting is disabled in a policy.
  • ETP Client is not supported in locations configured with IPsec tunnels. If your organization uses IPsec, make sure you disable the client in policies that are associated with IPsec tunnel locations. In a policy, you can find the Disable Client toggle in the ETP Client Settings area of the Settings tab.
  • ETP Client does not support QUIC. QUIC, a transport protocol used by HTTP/3, is not supported. As a result, ETP Client cannot intercept HTTP/3 traffic. QUIC support is expected in an upcoming release.
  • These limitations apply to ETP Client when it's enabled as a full web proxy:
    • IPv6-only networks are not supported. Currently, ETP Client does not support IPv6-only networks when the client is set up to forward web traffic to SIA Proxy. While IPv6-only networks are supported for ETP Client when it’s configured for DNS traffic only, NAT64 may not function for ETP Client when DNS over TLS (DoT) is enabled.
    • wpad.dat file is not supported. The wpad.dat file is not supported when ETP Client is configured as the local web proxy. Make sure this file is not accessible to the Web Proxy Auto-Discovery (WPAD) service on Windows.

Security Connector

DNS Forwarder may produce inconsistent data in reports when used with sub-locations.

When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and SIA in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to SIA, resulting in duplicate or inconsistent logging.

Sinkhole logs are not captured for traffic that arrives through Web Console port when Security Connector uses two interfaces

If two interfaces are used for the DNS or HTTP Forwarder and the Security Connector is also used as a sinkhole, the logs for sinkhole traffic are not captured when traffic arrives on the Web Console port.

HTTP Forwarder

For a list of limitations on Security Connector when it’s configured as an HTTP Forwarder, see Limitations of HTTP Forwarder.

Domains configured in local bypass settings are dropped if they can only be resolved by local DNS server

If HTTP Forwarder is deployed, domains configured in the Local Bypass Settings (Clients & Connectors > Local Bypass Settings) are dropped if they can only be resolved by the local DNS server.

Device Posture (Beta)

A change to device risk level in a policy takes 30 minutes to affect users who already authenticated

If the risk level for a device changes after a user authenticates, it takes up to 30 minutes for the new risk level to affect the user’s session.