One Identity Safeguard for Privileged Sessions 5.10.0 - Release Notes

Setting syslog and SIEM forwarding to the same IP:port pair causes errors

Setting syslog forwarding (Basic Settings > Management > Syslog) and SIEM forwarding to the same ip:port pair caused an error in forwarding the messages. This has been corrected.

MFA plugin does not return gateway user when derived from remote username

When there is no gateway authentication, the remote username is used to look up the MFA identity. However, the plugin did not set this identity as the gateway user, causing Channel policies to fail. This has been corrected.

Gateway authentication fails when gateway username is not set

Previous versions of SPS attempted gateway authentication even when no gateway user was specified and there was no Usermapping policy configured: the default gateway user was the remote username. After upgrading to 5.10.0a, the gateway authentication was not performed at all. This has been corrected.

Permission errors on the Search page

After upgrading to SPS 5.10.0, permission errors were displayed for the admin user on the Search page. This has been corrected.

LDAP connections leak the file descriptors in some cases

In certain cases, LDAP connections could leak the related file descriptor, consuming the file descriptors if this error occurred a lot. This has been corrected.

Misleading error message during cleanup

None

"Too many open files" errors during LDAP lookups

In some cases the connection was terminated in the initatialization phase and the error message "Too many open files" appeared in the logs. The file limit was raised to support heavy system load better.

Incorrect license usage numbers on the GUI

Even though the license limits were enforced correctly, the current usage number on the interface was incorrectly capped at around 2000 target hosts. This limitation has been removed and larger usage numbers are now reported correctly everywhere.

Selecting "Enable pre channel check" breaks ICA connections

If the setting "Enable pre channel check" was selected for an ICA session at ICA Control > Settings (it is turned off by default), connections could not be established. This is now fixed and the "Enable pre channel check" setting can be selected for ICA sessions, too.

LDAP service fails if the connection to the LDAP server is slow

None

X509 authentication for the web GUI does not support certificate chains

Starting with version 5.7, it was not possible to log in to the web interface if the certificate chain used for client-side authentication had multiple CAs in it. A "400 Bad Request" error message was displayed instead of the login page. This is now fixed and it is possible to log in using such certificates again.

"504 Gateway Timeout" errors on the configuration interface for large configurations

Starting with version 5.7, if the configuration of the appliance was extremely complex (for example, contained hundreds of connection policies), the error message "504 Gateway Timeout" was displayed when the user attempted to log in to the web GUI. This is now fixed.

Out-of-memory errors for large volume HTTP traffic

The internal Redis service that is used to track HTTP traffic could run out of its allocated memory under heavy load. This could prevent new HTTP connections from being initiated. The memory limit has been increased significantly.

LDAP and Active Directory performance issue with large number of gateway groups

Starting with version 5.8, the membership to each gateway group specified on channel policies were checked sequentially which could be very slow if a large number of groups were used. This process has been optimized and these checks are now performed in parallel.

Local credential store finds the first host entry, not the most specific one

If there were multiple entries in a local credential store that matched both the target username and the target host network, SPS always used the first hit. Because the order of the entries cannot be changed, that made it difficult to configure such credential stores. This behavior is now changed and SPS always uses the most specific match from the host specifications.

Citrix ICA proxy generates lots of core files

In certain cases, the standalone ICA proxy generated lots of core files. This has been corrected.

Extreme memory usage in indexing very large terminal SSH sessions

When indexing the SSH sessions that have the terminal set to unusually large, the indexer could consume the memory. This has been corrected.

In HA mode both nodes use the same MAC address

When SPS is configured in HA, the primary and the secondary nodes used the same MAC address on the network. This has been removed from the software so from now each node will communicate using its own MAC address.

Floating point values ending with .0 not accepted as thresholds on Alerting & Monitoring

The GUI did not accept floating point numbers ending with .0 on the Basic Settings > Alerting & Monitoring page as alerting thresholds. This has been corrected and it is now possible to specify any floating point values there.

Filtering gateway groups does not work for RDP Channel Policies

It is possible to restrict the usage of different protocol channels based on the group memberships of the gateway user in Channel Policies. This filtering was broken for RDP sessions and if a group restriction was specified, that channel was blocked for all users. The problem did not affect other protocols, nor the 5.0.x branch. The filtering has been fixed and this restriction is now correctly applied.

Browser playback of audit trails created a large number of download records

The playback of an audit trail using the browser-based player filled the audit trail download record list with a huge number of entries. This has been corrected and only one record is created now for every playback.

LDAP schema error with pooled connections

Starting with 5.7.0, in some rare cases when multiple LDAP servers were used, the session initiation could fail due to schema validation errors even if the LDAP servers worked perfectly. The underlying issue is now fixed and there are no more false schema validation errors.

SPS does not detect the username in certain Telnet sessions

SPS did not correctly detect the username for Telnet sessions when the user immediately became a privileged user (without manually enabling config mode). This has been corrected, SPS now correctly handles the username for such sessions.

Wrong client IP address sent as NAS IP ADDRESS during RADIUS authentication

If RADIUS was used for authentication, the appliance always sent the first IP address of the first physical interface as the NAS IP ADDRESS during RADIUS authentication, which could cause problems depending on the network configuration. This has been fixed and we always use the source IP address configured for the configuration GUI.

Certificate chains are not supported in LDAP/AD

Starting with version 5.7 certificate chains could not be used to verify TLS sessions for LDAP and AD connections, the only option was to upload a root CA certificate that signed the AD/LDAP server's certificate directly. This has been fixed and certificate chains are now fully supported again.

Unicity check of user/host pairs in local credential store only performed for new entries

To avoid confusion, the user-host pairs were verified to be unique in local credential stores. However, this check was only performed for new entries and not when existing entries were changed. This is now fixed and changed entries are checked too.

Manual restarting of the HTTP proxy leaves ongoing sessions open

If the user restarted the HTTP proxy manually at Basic Settings > System > Traffic control page, ongoing sessions were not closed, they remained open on the Search interface and their indexing never started. This is now fixed and all ongoing sessions are properly closed if the HTTP proxy is restarted.

Permission query fails for groups with special characters

Querying the permissions of groups that had non-Latin-2 characters in their name always returned empty results on the AAA > Permission Query page. This is now fixed and the full UTF-8 character set is supported here.

Some system alerts are not sent out

Due to an issue in the underlying SNMP infrastructure, some alerts, including high system load alerts, were not sent out even if they were enabled. This included SNMP traps and email-based alerts too. This is now fixed and all alerts are sent out properly.

VNC sessions with failed authentication were not visible on the Search interface

If the user could not provide the right credentials and the authentication failed during the initiation of a VNC session, that session was not visible on the new Search interface, only on the classic one. This is now fixed and such sessions are displayed properly with the right verdict on the new Seach interface too.

Show missing elements on the Channel Policies page in read-only mode

Some elements were not visible on the Channel Policy pages in read-only mode, making it impossible to review the current settings. This is now fixed and all elements are properly displayed.

"Illegal action" error messages in the log when using the search interface

While someone was using the search interface of the appliance, log messages about "Illegal actions" appeared in the logs. It was not a sign of any actual intrusion, only an issue with how the software checked if the user has the right permissions to terminate a session. This is now fixed and such errors no longer appear in the logs.