This article enumerates the possible issues that you may encounter when using the initial release build of Deep Security 11.2.
Below are the known issues in Deep Security Manager:
- When using Deep Security Manager with containers that use an overlay network, Deep Security Manager may report a virtual network interface (e.g. vx-001000-93cfm or flannel.1) that should be invisible to Deep Security Manager.
To address this issue, follow this article to set firewall rules: Necessary steps in Kubernetes environment for Deep Security.
- In a Docker environment, when a host reboots, it gets a new NIC name and MAC address. When the said host is protected by a Deep Security Agent, the agent receives the new interface information and sends it to Deep Security Manager, which adds it as a new NIC name and MAC address pair, leading to extra unused interfaces listed in Deep Security Manager.
- When the same container is loaded and unloaded quickly, it may reuse the conntrack that was established in the previous container's traffic. Deep Security could pass or block the traffic unexpectedly.
- Beginning with JDK version 8u181, the JVM enforces endpoint identification for LDAPS connections by default. The JVM verifies the server address of an Active Directory connector against the server certificate Common Name (or subjectAltName, if it exists). As a result, if the existing Active Directory connector uses a server address that does not match the certificate CN (or subjectAltName), the connector won't be able to synchronize successfully.
To avoid the issue, do one of the following:
- When performing a fresh installation, always enable endpoint identification. You can manually enable the endpoint identification by changing the hidden setting "Disable endpoint identification for secure LDAP connection" to False.
- When performing an upgrade, if any tenants have an existing Active Directory connector (for either a computer or a user) that connects using LDAPS, disable endpoint identification. If no Active Directory connector is found, endpoint identification is enabled by default.
- When upgrading from Deep Security 11.0 or earlier to version 11.2 or later, Deep Security Manager does not apply auto-tagging to events that it receives approximately five (5) seconds before the service shuts down.