Known issues and limitations
Known Issues
The following are known issues:
Security Connector
Unreachable IP address can be configured for the en1 and en2 interfaces
Issue: When configuring the en1 and en2 interfaces, Security Connector allows administrators to configure IP addresses that are unreachable, and it incorrectly shows a message to indicate the configuration was successful. Security Connector then shows an “Unavailable” status in the Mgmt Gateway and Data Gateway fields of the system information panel.
Workaround: Make sure you configure IP addresses that are reachable and valid for these interfaces.
Cannot load Web Console when the console certificate changes from invalid to valid
Issue: If the Web Console certificate changed from invalid to valid, an administrator could not load the Web Console.
Workaround: To load the Web Console, refresh the browser twice.
Warning appears in Azure after creating Security Connector VM
Issue: After you deploy the virtual machine on Azure, this message appears in the Azure portal:
<name-of-vm> virtual machine agent status is not ready. Troubleshoot the issue.
Workaround: You can ignore this message. This message appears because Security Connector does not use the Azure Linux Agent.
Multi-Tenancy
Tenant administrator cannot select a default action for access control in the Unidentified Location Policy
Issue: When first viewing the Unidentified Location Policy, a tenant administrator is unable to select the default action for Access Control.
Workaround: The tenant administrator can go to the Settings tab, disable the proxy and enable it again in the Unidentified Location policy. After doing this, the administrator can return to the Access Control tab and modify the Default Action setting.
Fields for adding the first tenant load behind information panel
Issue:When first accessing the Tenant Management page, the information panel appears. When clicking to add a tenant for the first time, the tenant fields do not appear because they load behind the information panel.
Workaround: Click the information icon twice to hide the information panel. You can now see the fields for adding a tenant.
ETP Client
System bypass proxy setting does not show full list of hosts and domains
Issue: ETP Client automatically updates the system’s bypass proxy settings with the hosts and domains that are configured in SIA for the local bypass settings. There is a character limit on both Windows and macOS that prevents the proxy settings from showing the full list of bypassed domains and IP addresses. As a result, applications that use the system proxy settings direct these domains and IP addresses to the proxy, while ETP Client allows these domains and IP addresses to bypass the proxy based on the local bypass settings.
Workaround: There is no workaround. Despite this character limit and OS behavior, ETP Client continues to bypass the domains and IP addresses that are configured for bypass in SIA.
Bypass Domains are dropped when Local Breakout for Bypass Domains is disabled in the policy for the Off Network ETP Clients location
Issue: If the Local Breakout for Bypass Domains setting is disabled in the policy assigned to the Off Network ETP Clients location, domains configured for bypass are dropped for off-network clients.
Workaround: Make sure you enable the Local Breakout for Bypass Domains setting in the policy associated with the Off Network ETP Clients location.
ETP Client cannot automatically upgrade to version 4.1
Issue: If you’ve configured Force Upgrade for the desktop client, the client is unable to automatically upgrade.
Workaround: Download version 4.1 from Enterprise Center. In the Threat Protection of Enterprise Center, select Clients & Connectors > ETP Clients. Under the Versions Management tab, click the download icon for version 4.1
Clients forced to upgrade may indicate that an update is in progress for up to three hours
Issue: After an update is triggered for a client that’s set to automatically upgrade with the Force Upgrade setting, the client indicates that an upgrade is in progress. However, the upgrade actually occurs at any time during a three-hour window. As a result, this message may give the impression that the upgrade takes a long time to complete.
Workaround: There is no workaround.
SentinelOne Endpoint Firewall Control blocks ETP Client communication when Transparent Traffic Interception is enabled on the client
Issue: If an organization used SentinelOne Endpoint Firewall Control and ETP Client was enabled for transparent traffic interception, the client lost its Internet connection. Users were also unable to access apps with the EAA client.
Workaround: To resolve this issue, you must complete these steps:
-
Configure a policy override to allow ETP Client to intercept traffic when Network Quarantine is enabled.
In SentinelOne, create a policy override for your agents that contains this rule:
{ "firewallControl": { "allowOverridingAgentStabilityPermitFilters": true } }
-
If you are applying this rule to a new agent, installing the agent with the token places it into a group where the policy override is applied.
-
If you are applying this rule to an existing agent, after you create the rule, enter these commands to restart the agent and monitor services on the SentinelOne agent.
``` Sentinelctl unload -am -k "ENTER_PASSPHRASE" Sentinelctl load -am ```
where “ENTER_PASSPHRASE” is the passphrase for the agent.
For more information on configuring a policy override, see the SentinelOne documentation.
- Add the domain of the SentinelOne Management Console to the list of domains in the Local Bypass Settings or create an exception list where you include the domain. If you create an exception list, you must add the list to your policy. For more information, see Configure local bypass settings or Create an exception list.
Android and iOS mobile devices may not support proxy certificate in a specific format
Issue: Some Android devices may not support the proxy certificate in DER format, while some iOS devices may not support the certificate in PEM format.
Resolution: If a mobile device does not support the proxy certificate, do the following:
- For Android devices, distribute the certificate in PEM format.
If a specific Android device does not support the PEM format, try downloading the proxy certificate in DER format and then rename it to use the .cer file extension. Distribute the .cer file to the Android device. - For iOS devices, distribute the certificate in DER format.
Dynamic Analysis
UI requires that administrators select the Allow and Scan action for Large files to enable Dynamic Analysis
Issue: To enable Dynamic Analysis, an administrator must select the Allow and Scan action for Large files. However, this feature currently does not scan files that exceed 5 MB.
Workaround: To scan files that are up to 5 MB in an offline, isolated environment, make sure you select the Allow and Scan action for large files, and then select Dynamic Analysis.
User group policy
Cannot assign a policy to a group with a space in its name
Description: If the group you select has space in its name, the policy is not applied to group traffic.
Workaround: This issue will be resolved in a future release.
Group policy does not take effect if it’s already assigned to a location
Description: If you assign a policy to a group and the policy was already assigned to a location, the group policy assignment does not take effect.
Workaround: Make sure you assign policies that are not assigned to a location or sub-location.
Application groups (beta)
Unable to revert the addition and association of application groups to policy
Issue: If you revert a policy that contains the addition and association of application groups, this operation does not revert application groups.
Workaround: There is no workaround at this time. Application groups are still in beta.
Limitations
The following are known limitations.
Locations and Sub-Locations
Location policy takes precedence over the sub-location policy in specific situations
The actions configured in the policy of a location are prioritized over the sub-location policy in these situations:
- The location policy uses a block action. For example, if a block action is assigned to a threat category, this configuration takes precedence over the action that’s assigned to the same category in a sub-location policy.
- There’s non-web traffic and the location policy uses a bypass action. For all non-web traffic, the policy configuration of a location is prioritized over the policy of a sub-location when the location policy uses the bypass action. Non-web traffic includes Extensible Messaging and Presence Protocol (XMPP) or XMPP over TLS traffic.
- If the enterprise resolver does not support the EDNS Client Subnet (ECS) extension, in case of fallback, the policy for a location is applied over the sub-location policy.
DNS Forwarder may produce inconsistent data in reports when used with sub-locations.
When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and SIA in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to SIA, resulting in duplicate or inconsistent logging.
SIA Proxy
To review SIA Proxy limitations, see Limitations of SIA Proxy.
These limitations also apply:
Enterprises using pip need to add MITM certificate to pip configuration file
If your organization uses pip, make sure you also add the SIA Proxy TLS man-in-the-middle (MITM) certificate to the pip configuration file. In the pip.conf file, add this entry:
[global]
cert = /<path>/<certificate>.pem
where:
- <path> is the path to the certificate.
- <certificate> is the name of the certificate.
Handling of non-HTTPS traffic
When directing traffic to SIA Proxy, especially DNS redirection or traffic from ETP Client version 4.0 or later, there’s a rare possibility that non-HTTPS traffic is also directed to the proxy. If this occurs, SIA Proxy drops the traffic, and the Network Activity report indicates that the traffic was dropped.
ETP Client
- Traffic specified in exception lists automatically bypass SIA. When ETP Client is enabled on a device, the domains, URLs, and IP addresses specified in exception lists automatically bypass SIA even if the list is not associated with the client policy.
- Mobile device incorrectly reports high data usage for ETP Client. When viewing battery usage information, the mobile device reports that the ETP Client app uses a lot of data and battery power. This is caused by the way the device operating system calculates data usage. The data generated by the apps that pass through the client, such as YouTube, Instagram, the browser, and more, are mistakenly attributed to the ETP Client app.
- Mobile Client limitations. To review limitations of the mobile client, see Limitations of the mobile client.
- Network Activity report shows “onramp” instead of “bypass” when the Local Breakout for Bypass Domains setting is disabled in a policy. For ETP Client traffic that’s on the corporate network, the Network Activity report shows onramp instead of bypass for domains that are configured for bypass when the Local Breakout for Bypass Domains setting is disabled in a policy.
- ETP Client is not supported in locations configured with IPsec tunnels. If your organization uses IPsec, make sure you disable the client in policies that are associated with IPsec tunnel locations. In a policy, you can find the Disable Client toggle in the ETP Client Settings area of the Settings tab.
- These limitations apply to ETP Client when it's enabled as a full web proxy:
- IPv6-only networks are not supported. Currently, ETP Client does not support IPv6-only networks when the client is set up to forward web traffic to SIA Proxy. While IPv6-only networks are supported for ETP Client when it’s configured for DNS traffic only, NAT64 may not function for ETP Client when DNS over TLS (DoT) is enabled.
- wpad.dat file is not supported. The wpad.dat file is not supported when ETP Client is configured as the local web proxy. Make sure this file is not accessible to the Web Proxy Auto-Discovery (WPAD) service on Windows.
Security Connector
DNS Forwarder may produce inconsistent data in reports when used with sub-locations.
When a sub-location is configured, a DNS Forwarder may be unable to report and log the internal IP address of the device that made a DNS request. This can occur because the request from a sub-location is forwarded to both the enterprise resolver and SIA in parallel. If the request is not for an internal resource, the enterprise resolver may further forward the request to SIA, resulting in duplicate or inconsistent logging.
Sinkhole logs are not captured for traffic that arrives through Web Console port when Security Connector uses two interfaces
If two interfaces are used for the DNS or HTTP Forwarder and the Security Connector is also used as a sinkhole, the logs for sinkhole traffic are not captured when traffic arrives on the Web Console port.
HTTP Forwarder
For a list of limitations on Security Connector when it’s configured as an HTTP Forwarder, see Limitations of HTTP Forwarder.
Device Posture
A change to device risk level in a policy takes 30 minutes to affect users who already authenticated
If the risk level for a device changes after a user authenticates, it takes up to 30 minutes for the new risk level to affect the user’s session.
Zero Trust Client
"Enable HTTPS block pages for DNS only policies” setting changes client to a local web proxy. If you turn on the Enable HTTPS block pages for DNS only policies setting on the Connection Info page and transparent traffic interception mode is not enabled in the Threat Protection configuration, the client changes to full protection mode. This means that HTTP protection is enabled and the client acts as a local (explicit) web proxy. To use the HTTPS block pages setting with DNS only policies, make transparent traffic interception is enabled for Zero Trust Client.
Updated 3 months ago