Known Issues

The following are known issues:

Security Connector

Direct-to-origin failover setting for HTTP Forwarder drops domains configured to bypass the proxy if they are in other lists with a conflicting policy action

Issue: If direct-to-origin failover is enabled for HTTP Forwarder and the SIA proxy is in an unhealthy state, domains configured to bypass the proxy are not directed to the origin if the domains are included in lists with a conflicting policy action, such as Allow or Bypass. For example, this can occur if the domain is in a list that’s configured with the block policy action.

Workaround: Configure an exception list with the domains you want directed to the origin. For instructions on creating an exception list, see Add a custom exception list.

Traffic is not directed to a sinkhole on version 3.1.0 if proxy certificate is not generated or uploaded to ​SIA​

Issue: For version 3.1.0, traffic is not directed to a sinkhole if the proxy certificate is not generated or the signed intermediate certificate is not uploaded to ​SIA​.

Workaround: Generate a certificate or upload a signed certificate for the proxy. For instructions, see Create a ​SIA​ Proxy MITM certificate.

Unreachable IP address can be configured for the en1 and en2 interfaces

Issue: When configuring the en1 and en2 interfaces, Security Connector allows administrators to configure IP addresses that are unreachable, and it incorrectly shows a message to indicate the configuration was successful. Security Connector then shows an “Unavailable” status in the Mgmt Gateway and Data Gateway fields of the system information panel.

Workaround: Make sure you configure IP addresses that are reachable and valid for these interfaces.

Option to enable or disable PII logging for HTTP Forwarder is no longer needed in Security Connector

Issue: Security Connector still includes the option to enable or disable PII logging for HTTP Forwarder. At this time, the user’s encrypted internal IP address is reported in ​SIA​ reports by default.

Workaround: Ignore the PII logging setting in the Security Connector console. This operation will be removed in a future release.

Cannot load Web Console when the console certificate changes from invalid to valid

Issue: If the Web Console certificate changed from invalid to valid, an administrator could not load the Web Console.

Workaround: To load the Web Console, refresh the browser twice.

Security Connector Traffic Stats show 0 in some areas

Issue: In Security Connector 3.2.0, the Traffic Stats show 0 in these areas:

• Requests to Explicit Proxy
• Requests to Transparent Proxy
• Rate Limit Drops

Workaround: No workaround. This issue will be fixed in an upcoming Security Connector release.

Multi-Tenancy

Tenant administrator cannot select a default action for access control in the Unidentified Location Policy

Issue: When first viewing the Unidentified Location Policy, a tenant administrator is unable to select the default action for Access Control.

Workaround: The tenant administrator can go to the Settings tab, disable the proxy and enable it again in the Unidentified Location policy. After doing this, the administrator can return to the Access Control tab and modify the Default Action setting.

Fields for adding the first tenant load behind information panel

Issue:When first accessing the Tenant Management page, the information panel appears. When clicking to add a tenant for the first time, the tenant fields do not appear because they load behind the information panel.

Workaround: Click the information icon twice to hide the information panel. You can now see the fields for adding a tenant.

ETP Client

System bypass proxy setting does not show full list of hosts and domains

Issue: ​ETP Client​ automatically updates the system’s bypass proxy settings with the hosts and domains that are configured in ​SIA​ for the local bypass settings. There is a character limit on both Windows and macOS that prevents the proxy settings from showing the full list of bypassed domains and IP addresses. As a result, applications that use the system proxy settings direct these domains and IP addresses to the proxy, while ​ETP Client​ allows these domains and IP addresses to bypass the proxy based on the local bypass settings.

Workaround: There is no workaround. Despite this character limit and OS behavior, ​ETP Client​ continues to bypass the domains and IP addresses that are configured for bypass in ​SIA​.

Bypass Domains are dropped when Local Breakout for Bypass Domains is disabled in the policy for the Off Network ​ETP Client​s location

Issue: If the Local Breakout for Bypass Domains setting is disabled in the policy assigned to the Off Network ​ETP Client​s location, domains configured for bypass are dropped for off-network clients.

Workaround: Make sure you enable the Local Breakout for Bypass Domains setting in the policy associated with the Off Network ​ETP Client​s location.

​ETP Client​ cannot automatically upgrade to version 4.1

Issue: If you’ve configured Force Upgrade for the desktop client, the client is unable to automatically upgrade.

Workaround: Download version 4.1 from Enterprise Center. In the Threat Protection of Enterprise Center, select Clients & Connectors > ​ETP Client​s. Under the Versions Management tab, click the download icon for version 4.1

Clients forced to upgrade may indicate that an update is in progress for up to three hours

Issue: After an update is triggered for a client that’s set to automatically upgrade with the Force Upgrade setting, the client indicates that an upgrade is in progress. However, the upgrade actually occurs at any time during a three-hour window. As a result, this message may give the impression that the upgrade takes a long time to complete.

Workaround: There is no workaround.

Dynamic Analysis

UI requires that administrators select the Allow and Scan action for Large files to enable Dynamic Analysis

Issue: To enable Dynamic Analysis, an administrator must select the Allow and Scan action for Large files. However, this feature currently does not scan files that exceed 5 MB.

Workaround: To scan files that are up to 5 MB in an offline, isolated environment, make sure you select the Allow and Scan action for large files, and then select Dynamic Analysis.

Limitations

The following are known limitations.

Locations and Sub-Locations

Location policy takes precedence over the sub-location policy in specific situations

The actions configured in the policy of a location are prioritized over the sub-location policy in these situations:

• The location policy uses a block action. For example, if a block action is assigned to a threat category, this configuration takes precedence over the action that’s assigned to the same category in a sub-location policy.
• There’s non-web traffic and the location policy uses a bypass action. For all non-web traffic, the policy configuration of a location is prioritized over the policy of a sub-location when the location policy uses the bypass action. Non-web traffic includes Extensible Messaging and Presence Protocol (XMPP) or XMPP over TLS traffic.
• If the enterprise resolver does not support the EDNS Client Subnet (ECS) extension, in case of fallback, the policy for a location is applied over the sub-location policy.

DNS Forwarder may produce inconsistent data in reports when used with sub-locations.

When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and ​SIA​ in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to ​SIA​, resulting in duplicate or inconsistent logging.

​SIA​ Proxy

To review ​SIA​ Proxy limitations, see Limitations of ​SIA​ Proxy.

These limitations also apply:

Enterprises using pip need to add MITM certificate to pip configuration file

If your organization uses pip, make sure you also add the ​SIA​ Proxy TLS man-in-the-middle (MITM) certificate to the pip configuration file. In the pip.conf file, add this entry:

[global] 
cert = /<path>/<certificate>.pem

where:

• <path> is the path to the certificate.
• <certificate> is the name of the certificate.

Handling of non-HTTPS traffic

When directing traffic to ​SIA​ Proxy, especially DNS redirection or traffic from ​ETP Client​ version 4.0 or later, there’s a rare possibility that non-HTTPS traffic is also directed to the proxy. If this occurs, ​SIA​ Proxy drops the traffic, and the Network Activity report indicates that the traffic was dropped.

ETP Client

• Traffic specified in exception lists automatically bypass ​SIA​. When ​ETP Client​ is enabled on a device, the domains, URLs, and IP addresses specified in exception lists automatically bypass ​SIA​ even if the list is not associated with the client policy.
• Mobile device incorrectly reports high data usage for ​ETP Client​. When viewing battery usage information, the mobile device reports that the ​ETP Client​ app uses a lot of data and battery power. This is caused by the way the device operating system calculates data usage. The data generated by the apps that pass through the client, such as YouTube, Instagram, the browser, and more, are mistakenly attributed to the ​ETP Client​ app.
• Mobile Client limitations. To review limitations of the mobile client, see Limitations of the mobile client.
• Network Activity report shows “onramp” instead of “bypass” when the Local Breakout for Bypass Domains setting is disabled in a policy. For ​ETP Client​ traffic that’s on the corporate network, the Network Activity report shows onramp instead of bypass for domains that are configured for bypass when the Local Breakout for Bypass Domains setting is disabled in a policy.
• ​ETP Client​ is not supported in locations configured with IPsec tunnels. If your organization uses IPsec, make sure you disable the client in policies that are associated with IPsec tunnel locations. In a policy, you can find the Disable Client toggle in the ​ETP Client​ Settings area of the Settings tab.
• ETP Client does not support QUIC. QUIC, a transport protocol used by HTTP/3, is not supported. As a result, ​ETP Client​ cannot intercept HTTP/3 traffic. QUIC support is expected in an upcoming release.
• These limitations apply to ​ETP Client​ when it's enabled as a full web proxy:
  • IPv6-only networks are not supported. Currently, ​ETP Client​ does not support IPv6-only networks when the client is set up to forward web traffic to ​SIA​ Proxy. While IPv6-only networks are supported for ​ETP Client​ when it’s configured for DNS traffic only, NAT64 may not function for ​ETP Client​ when DNS over TLS (DoT) is enabled.
  • wpad.dat file is not supported. The wpad.dat file is not supported when ​ETP Client​ is configured as the local web proxy. Make sure this file is not accessible to the Web Proxy Auto-Discovery (WPAD) service on Windows.

Security Connector

DNS Forwarder may produce inconsistent data in reports when used with sub-locations.

When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and ​SIA​ in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to ​SIA​, resulting in duplicate or inconsistent logging.

Sinkhole logs are not captured for traffic that arrives through Web Console port when Security Connector uses two interfaces

If two interfaces are used for the DNS or HTTP Forwarder and the Security Connector is also used as a sinkhole, the logs for sinkhole traffic are not captured when traffic arrives on the Web Console port.

HTTP Forwarder

For a list of limitations on Security Connector when it’s configured as an HTTP Forwarder, see Limitations of HTTP Forwarder.

Domains configured in local bypass settings are dropped if they can only be resolved by local DNS server

If HTTP Forwarder is deployed, domains configured in the Local Bypass Settings (Clients & Connectors > Local Bypass Settings) are dropped if they can only be resolved by the local DNS server.

Device Posture (Beta)

A change to device risk level in a policy takes 30 minutes to affect users who already authenticated
If the risk level for a device changes after a user authenticates, it takes up to 30 minutes for the new risk level to affect the user’s session.