Take 160 - Ongoing

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 160

Released on 2 June 2020

PRJ-8806,
PMTR-48604

Diagnostics

SmartView Monitor may not show a match on accelerated QoS traffic. All or part of the traffic may be matched on "No Match".

PRJ-10630,
PRJ-10629

Installation

Firmware upgrade for Small Office appliance using SmartProvisioning in Multi-Domain Management environment may fail.

PRJ-9777,
PRJ-8605

Security Management

NEW: Added ability to search in the Management Server by adding asterisk before any sequence of characters. For more information, refer to sk164873.

  • Requires R80.20 SmartConsole Build 114 (or higher).

PRJ-8643,
CPM-2623

Security Management

NEW: Performance enhancements while the Management Server is under high load.

PRJ-12009,
PMTR-52087

Security Management

NEW: Significant performance improvement for policy installation time when many groups are defined on the Management Server.

PRJ-10899,
PMTR-49801

Security Management

NEW: Set values for environment variables on the Management Server that will remain there after a Management Server upgrade, as well as Backup/Restore and Export/Import of the Management Server. Refer to sk165938.

PRJ-11707,
PMTR-27164

Security Management

NEW: Performance and stability improvements for large environments.

PRJ-10993,
PMTR-51743,
PRJ-11116,
PMTR-51778

Security Management

NEW: Added ICA Management security enhancements.

PRJ-12358,
PMTR-48272

Security Management

The "Recent Tasks" and "Install Policy Preset" views in MDS Domain may include Domain names, policy packages, and Gateways names. This information is not filtered according to the administrator's permission profile.

PRJ-8792,
VPNRA-316

Security Management

Improved the Access Control Policy installation time for environments with high amount of objects and enabled IPSEC VPN Blade. Refer to sk166321.

PRJ-6703,
PMTR-44004

Security Management

In a rare scenario, when viewing the Layer History, some revisions not relevant to the selected Layer may be shown.

PRJ-10471,
PMTR-49832

Security Management

In a rare scenario, export does not completes because the Postgres dump_all process gets stuck.

PRJ-7469,
CPM-1745

Security Management

Global policy reassignment may fail after a rulebase is deleted in the Global Domain.

PRJ-7783,
PMTR-46434

Security Management

In some scenarios, HA synchronization in the Global Domain fails with the "Failed to sync peer - Global Domain is incompatible with the Domains." error.

PRJ-9213,
PRHF-8370

Security Management

Logging into SmartConsole to the Standby Management Server with a RADIUS or TACACS user may fail after changing the shared secret on the RADIUS or TACACS object.

PRJ-9088,
PRHF-8266

Security Management

In a rare scenario, when an environment has many Gateways (dozens), the FWM daemon may unexpectedly exit when 4 GB of memory is reached. Refer to sk165015.

PRJ-8229,
PRHF-7728

Security Management

The "Unused Objects" filter in Object Explorer may display a failure message if there are more than 20000 unused objects.

  • A limit was added so that only the first 5000 objects will be displayed.

PRJ-7818,
PRHF-4644

Security Management

In some scenarios, SmartView Monitor unexpectedly terminates when the user selects the Specific QoS Rules option in Top QoS Rules.

PRJ-7886,
PMTR-46703

Security Management

In some scenarios, when the user modifies a policy rule and creates a section above it in the same session, the log tracker shows that the rule was created instead of modified.

PRJ-5793,
PMTR-40790

Security Management

In some scenarios, after the user manually performs "Full Sync", a newly created secondary Domain Server or Domain Log Server is not shown in SmartConsole's Domains view.

PRJ-9298,
PRHF-8336

Security Management

In a rare scenario, the "SmartDashboard component failed to connect to server <IP address>. Please contact technical support" error is displayed in SmartConsole when opening the Management object for editing.

PRJ-9321,
PRHF-8494

Security Management

In some scenarios, a disconnected SmartView Monitor session appears in SmartConsole with a grayed out 'Disconnect' option, which cannot be discarded. Refer to sk165037.

PRJ-8864,
PMTR-48673

Security Management

When an administrator fails to publish another administrator's session, the session of the other administrator disappears from the Sessions view in SmartConsole.

PRJ-9085

Security Management

In some scenarios, Management HA synchronization fails with "Failed to export data" error after an advanced upgrade from R77.x to R80.20 Jumbo Hotfix Take 103.

PRJ-7456,
PRHF-7167

Security Management

In some scenarios, upgrade fails with the "Satellite object of type GatewayAggregator not found for core object" message in cpm.elg file.

PRJ-9278,
PMTR-48463

Multi-Domain Management

NEW: Performance improvement for Multi-Domain environments in which many administrators are connected.

PRJ-11506,
PRJ-11508

Multi-Domain Management

A migration from Security Management server to a Domain on a Multi-Domain Management Server may fail with: "didn't find ObjectStoreSessionEntity for session <uuid> return null" error in cpm.elg file.

PRJ-10529,
PRHF-8581

Multi-Domain Management

The mds_import.sh script may fail if the IPS version for a Domain/CMA does not exist on the R80.x Multi-Domain Management Server.

PRJ-8415,
PRHF-7865

Multi-Domain Management

When the user runs the 'add-domain' Web API command on an existing Domain, the original Domain is deleted.

PRJ-11524,
PRHF-9981

Multi-Domain Management

In rare scenarios, upgrading the Multi-Domain Server fails to upgrade some Domain Servers with "IllegalArgumentException" in the upgrade log.

PRJ-11175,
PMTR-51890

Multi-Domain Management

In some scenarios, Full synchronization fails in the Global Domain with "Full sync with peer '[Peer Name]' NGM failed to import data" error. Refer to sk145972.

PRJ-10364,
PMTR-51017

Multi-Domain Management

After performing Full synchronization or failover of the Global Domain, the following operations may fail (refer to sk145972):

  • Global Domain reassignment
  • IPS or Application Control updates in the Global Domain

PRJ-11165,
PMTR-51180

Multi-Domain Management

In a rare scenario, synchronization between Multi-Domain Management Servers breaks after revisions purge operation.

PRJ-12064,
PRHF-10327

Multi-Domain Management

The FWM process of domains may not stop after the user runs mdsstop or mdsstop_customer.

PRJ-10525,
PRHF-8686

Multi-Domain Management

Upgrade of Multi-Domain Server may fail if Sync With User Center is running.

PRJ-9697,
PRHF-8593

Multi-Domain Management

MLM may open a connection to the reversed IP address of the Multi-Domain Server.

PRJ-10036,
PMTR-27672

Multi-Domain Management

In some scenarios, CPUSE and advanced Multi-Domain Management upgrade are stuck at "Upgrading products: 58%". Refer to sk146933.

PRJ-6984,
PMTR-44593

Multi-Domain Management

In some scenarios, there may be high Solr CPU on Multi-Domain Management Servers with dozens of Domains.

PRJ-9239,
PRHF-8077

Multi-Domain Management

In some scenarios, secondary MDS or MLM fail to renew a management certificate. Refer to sk164732.

PRJ-5742

SmartConsole

NEW: LDAP advanced query now supports ANR filtering.

PRJ-9291,
PMTR-49566

SmartConsole

NEW : Enhancement:

Two new flags were added for the performance improvement of Threat Protection API commands: 'show-profiles' and 'show-ips-additional-properties'. The default value for both flags is false.

PRJ-11072,
PMTR-51815

SmartConsole

NEW: Added ability to reset the following network object fields to be empty through the Management API: ipv4-address, ipv6-address, subnet4, subnet6, mask-length4, and mask-length6.

PRJ-5102,
PMTR-40942

SmartConsole

"An internal error has occurred" message may pop up when the user tries to modify a Revision's description.

PRJ-732,
PRHF-3128

SmartConsole

"An internal error has occurred. (Code: 0x8003001D, Could not access file for write operation)" error is displayed when editing IKE PSK on "External User Profile" objects using Legacy SmartDashboard. Refer to Scenario 2 in sk119973.

PRJ-4102,
PRHF-2388

SmartConsole

In "Top services" view of SmartView Monitor, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477*" service is displayed instead of "https" service. Refer to sk146052.

PRJ-9550,
PRJ-9544

SmartConsole

When the user invokes the 'show-access-layer' API command, the parent layer may be missing from the output result.

PRJ-8700,
PRHF-7991

SmartConsole

The shared secret's edit button may be grayed out.

PRJ-9464,
PMTR-49817

SmartConsole

In some scenarios, when the user attempts to delete a Gateway / Cluster member, an error message may appear and the operation may not complete successfully.

PRJ-72,
PRJ-71

SmartConsole

Objects of Unused Access Roles are not visible in the Object Explorer. Refer to sk151896.

PRJ-1448,
PRHF-3822

SmartConsole

In some scenarios, the api.elg log is flooded with the "Returning default standard reply class" message.

PRJ-11904,
PRHF-10275

SmartConsole

In rare scenarios, certain domain level objects may not be visible in SmartConsole at the MDS level.

PRJ-9078,
API-864

SmartConsole

In some scenarios, the Management Server may unexpectedly exit following authenticated API commands to create or update objects with extremely long comments.

PRJ-8133,
PMTR-45751

SmartEvent

"The process <process-name> which is monitored by watchdog restarted more than once in the last half an hour" error may appear in the SmartEvent GUI status window even though the process has been up for more than 30 minutes.

PRJ-7496,
PRHF-7101

SmartEvent

When using SmartEvent automatic reactions, *.MHT files in $RTDIR/tmp directory are not cleaned up in case of email sending failure.

PRJ-4328,
SE-331

SmartEvent

In some scenarios, automatic reactions in SmartEvent are sent with the "Destination address" field containing the resolved country name instead of the raw IP value. Refer to sk146992.

PRJ-433,
PRHF-2797

SmartEvent

In SmartEvent, when the user customizes an event to accumulate logs by the field UUID, logs with UUID equal to 0 may not be correlated.

PRJ-8016,
PMTR-46682

SmartView

SmartView may show wrong time in tables and graphs for clients located in Brazil.

PRJ-9645,
PRHF-4623

Security Gateway

NEW: Added support for the bridge configuration when packet is passing via the Security gateway twice.

PRJ-3476,
PRHF-4624

Security Gateway

In a topology in which Client and Server are connected to the Security Gateway using two different interfaces each, for example:

Client -- eth1 <Gateway> eth2 -- Server

Client -- eth3 <Gateway> eth4 -- Server

The response packets from Server to Client may be incorrectly routed back to the Server because of an incorrect route cache in the Security Gateway.

PRJ-8648,
PMTR-41512

Security Gateway

In a rare scenario, ICAP client requires manual steps to activate RESP mode after running cpstop ; cpstart.

PRJ-11953,
PMTR-52583

Security Gateway

In a rare scenario, Security Gateway may crash due to NULL pointer reference.

PRJ-8750,
PMTR-46471

Security Gateway

In some scenarios, incorrect number of outbound interfaces may be received when SecureXL is disabled.

PRJ-4612,
PRHF-5055

Security Gateway

In some scenarios, policy installation fails with "configload_mgmt_compile: Failed to run compiler command".

PRJ-8503,
PRHF-5333

Security Gateway

In some scenarios, there may be connectivity problems with DHCP traffic.

PRJ-10838,
PRHF-1920

Security Gateway

Improved the in.aftpd process memory management.

PRJ-1213,
PRHF-3652

Security Gateway

In a rare scenario, the Security Gateway may crash due to a NULL pointer reference.

PRJ-5729,
PRHF-6035

Security Gateway

In some scenarios, SIP traffic may be dropped by Anti-Spoofing with "fw_early_sip_nat Reason: spoofed packet on SIP traffic" error in dmesg although it is set to"detect".

PRJ-2410,
PRHF-4282

Security Gateway

DCE-RPC traffic may be dropped because of a drop template that is incorrectly created for the ALL_DCE_RPC service.

PRJ-10565

Security Gateway

In some scenarios, wrong service name appears in SmartConsole logs.

PRJ-4091,
PMTR-35130

Security Gateway

Using spaces in the $FWDIR/boot/modules/fwkern.conf file may cause long reboot time.

PRJ-8151,
PRHF-7736

Security Gateway

Policy installation on Cluster may fail if the Cluster member name is longer than 64 characters.

PRJ-11529,
MUX-319

Security Gateway

In a rare scenario, Security gateway may crash while connection is closed while being held.

PRJ-10408,
PMTR-49504

Security Gateway

In a rare scenario, after upgrading a Security Gateway to R80.20, the LOG_INDEXER process running on the Log server may consume 100% CPU and cause the indexing backlog.

PRJ-9687,
PMTR-46451

Security Gateway

Traffic may be dropped on DAIP gateway after the gateway IP address is changed or the gateway is rebooted. Refer to sk165176.

PRJ-8354,
PRJ-8351

Security Gateway

Improved the ICAP client connectivity when using Trickling mode 3 in settings.

PRJ-8688,
PMTR-39579

Security Gateway

A memory leak may occur in Management/local connection which loop back to the bridge interface.

PRJ-12235,
PRHF-10039

Security Gateway

In a rare scenario, Security Gateway memory consumption may increase when the Anti-Virus Blade is enabled.

PRJ-9119,
PRJ-8907

Security Gateway

Connections may be dropped when "keep all connections" is configured during policy installation. Refer to sk166212.

PRJ-8615,
PMTR-46465

Security Gateway

In some scenarios, the uc_log_suppression_data table may reach its limit and "uc_log_suppression_set_entry: Failed storing log data in log suppression table" error appears in /var/log/messages file.

PRJ-9050,
PRHF-8288

Security Gateway

Global connections may not be freed correctly when the Gateway acts as a Proxy.

PRJ-9416

Security Gateway

Added logs for packets that include invalid TCP options. This feature is off by default.

PRJ-8882,
PRHF-7048

Security Gateway

In a rare scenario, Security gateway may crash when activating a web parsing debug.

PRJ-8552,
PRJ-8548

Logging

NEW: Log Exporter feature exports log attachment identifiers and adds the ability to fetch them through the Management API command.

PRJ-9189

Logging

NEW: Added support for viewing MITRE ATT&CK fields.

PRJ-6024,
PRHF-4951

Logging

When restarting the FWD process on the Log server, the syslogd process (syslog daemon), may unexpectedly exit.

PRJ-5573,
PRHF-6592

Logging

When a Log Server is configured to parse Syslog messages, the field "User" may be truncated in the parsed log in the Log Details view if the field contains underscore.

PRJ-5899,
PRHF-6120

Logging

It is not possible to query the "file_name" field on a Log server that does not have the SmartEvent activated.

PRJ-8495,
PRHF-7875

Logging

In SmartView, when the user exports logs to CSV using the "visible columns" option, the following fields may be missing from the CSV file: Resource, Application Risk, Application Name, and Application Category.

PRJ-3653,
PRHF-4654

Logging

SmartEvent may not correlate certain Anti-Virus logs.

PRJ-5649,
PRHF-6080

Logging

In some scenarios, when the user creates a table widget in SmartView, there is no option to add the "hostname" field. Refer to sk162752.

PRJ-7924,
PMTR-42913

Logging

Following changes in correlation unit settings, new logs may not be read by SmartEvent until the log_indexer process is restarted.

PRJ-11361,
PMTR-51655

Logging

In a rare scenario, the CPD process on a Security Management Server that manages R77.30 Security Gateway may unexpectedly exit.

PRJ-4134,
PRHF-2711

Logging

In some scenarios, it may not be possible to filter logs by the field "IKE IDs:" when searching the log files directly.

PRJ-9315,
PRHF-8166

Logging

Logging view may show results from the wrong day if the server Time Zone is configured to use half/quarter hour deviations from standard time.

PRJ-8921,
PRHF-8148

Logging

When the user searches logs in the "Logs and Monitor" tab in SmartConsole and applies a filter using the "?" wildcard, incorrect logs may be returned.

PRJ-9705,
PRHF-7716

Logging

The FWD process may unexpectedly exit if one of the following changes were made using GuiDBEdit:

  1. Change to log forwarding timing
  2. Change to log switch timing

PRJ-4981,
SL-2893

Logging

In SmartView, the percentage values in pie charts may add up to 99% or 101%.

PRJ-11005,
PRHF-9292

Logging

In some scenarios, changes made to Network Objects on the Security Management Server are not reflected in the logs view. Refer to sk166493.

PRJ-1524,
SL-2379

Logging

In some scenarios, Autosuggestion does not complete in SmartConsole's "Logs & Monitor" tab for users who do not have super user privileges. Refer to sk155252.

PRJ-9192,
PMTR-42449

Logging

After synchronization, MLM / Secondary MDM may have different log policy configuration. Refer to sk165692.

PRJ-4447,
PMTR-39444

Logging

In SmartView, drilling down from the timeline widget to logs, may show less logs than expected.

PRJ-6189, PRHF-6325

Logging

Widgets inside SmartView's "Views and Reports" may result in "Query Failed" messages when filtered by the "Log Server Origin" field.

PRJ-10857,
PRHF-1898

Application Control

NEW: Gateway status will reflect Application Control and URL Filtering updates.

PRJ-2794,
IPS-682

IPS

In some scenarios, the interface name is not displayed correctly in the IPS log.

PRJ-11303,
PMTR-51681

IPS

In a rare scenario, the fw_full process may unexpectedly exit.

PRJ-9487,
PMTR-46123

IPS

After an upgrade, policy installation may not update the IPS version on the gateway if the "IPS scheduled update" option was changed before the upgrade.

PRJ-9448,
PRHF-8530

IPS,
VSX

In some scenarios, SmartConsole shows "No license" and "Contract is expired" for IPS Blade in VSX. Refer to sk164917.

PRJ-10968,
SWG-2484

DLP

NEW: Reading and sending files from the registry by DLP was optimized.

PRJ-10847,
PRJ-10854

DLP

DLP stability for some scenarios was improved.

PRJ-10422,
PMTR-39431

DLP

In a rare scenario, when Security Gateway is configured as proxy, the HTTP traffic may be not scanned by DLP.

PRJ-5021,
PRHF-5528

DLP

The DLP engine may incorrectly process the file if the file name is missing in the connection header.

PRJ-9327,
PRHF-8152

DLP

Improved the scanning time of files for some scenarios in SMTP and HTTP/S.

PRJ-9692,
PRHF-8503

DLP

In some scenarios, DLP prints wrong error message in the log.

PRJ-9773,
PRHF-8847

DLP

In some scenarios for SMTP, when an internal user sends an email, the DLP logs may show the topology as "external to external" instead of as "internal to internal".

PRJ-9404,
PMTR-51402

HTTPS Inspection

In some scenarios, wrong certificate is shown by HTTPS Inspection for some websites, including certificates issued by "CloudFlare Inc ECC CA-2". Refer to sk118392.

PRJ-7995,
PMTR-46960

HTTPS Inspection

WSDNSD memory leak may appear when updatable objects are configured in the policy. Refer to sk165616.

PRJ-9933,
PMTR-49938

HTTPS Inspection

In some scenarios, when the minimum version of HTTPS Inspection is set to TLS 1.1, some websites may unexpectedly exit. Refer to sk165555.

PRJ-7422,
PMTR-44671

Infrastructure

In some scenarios, Anti-Bot\Anti-Virus\IPS\Threat Emulation Blade update fails with "Curl error code 56".

PRJ-9392,
PMTR-49565

Identity Awareness

NEW: Performance improvement in the automatic LDAP group update feature.

PRJ-9495,
PRHF-4033

Identity Awareness

Policy installation process has been improved.

PRJ-10223,
PMTR-39175

Identity Awareness

In a rare scenario, there is a memory leak in the IDA daemon pepd.

PRJ-11613,
IDA-1828

Identity Awareness

In a rare scenario, a memory leak, related to the Identity Awareness flow, may occur in the kernel.

PRJ-7506, PRHF-5184

Identity Awareness

When the Identity Awareness Blade is enabled, a memory leak may appear in LDAP sessions.

PRJ-10385,
IDA-2719

Identity Awareness

In a rare scenario, identity session groups and access roles may disappear following a policy installation.

PRJ-6074,
PMTR-41138

Identity Awareness

Machine identity for Terminal Server agent is not identified unless Identity Agent is also enabled on the Security Gateway.

PRJ-8002,
PMTR-45649

Threat Prevention

Improvements in HTTP chunked encoding inspection.

PRJ-12395,
PMTR-45311

Threat Prevention

In some scenarios, policy installation fails with "Error code 0-2000111".

PRJ-8212,
PRHF-7592

Anti-Bot

"Problem has occurred during search <External Log server> Disconnected" error may appear in "Logs & Monitor" tab after creating dummy object for NAT.

PRJ-7165,
PMTR-23406

SSL Inspection

NEW: Added support for proxy configuration when downloading CRL from a VSX device. Refer to sk151115.

PRJ-4112,
SL-1767

SmartEvent

In SmartEvent policy, adding an exclusion for sensor alert event by event id (e.g. id=20300) causes policy install failure. Refer to sk139854.

PRJ-7921,
PMTR-46737

SmartView

In the Logs page of the SmartView web application, the "File Name" filter may appear twice in the quick filters pane.

PRJ-10372,
PRHF-8973

SmartView

In some scenarios, after user imports view/report in SmartView, the imported view/report is not shown in the Catalog.

PRJ-7723,
PRHF-7326

SmartView

In SmartView, when filtering a view using special characters in the search bar and exporting to Excel, the file may be generated empty.

PRJ-10118,
PRJ-9633

Compliance

In some scenarios, database import on a single Domain machines where the Compliance Blade is activated fails, and as a result, the FWM process unexpectedly exits after the import.

PRJ-2213,
PMTR-30347

VoIP

In some scenarios, Cisco VoIP calls are dropped with "SIP Re-Invites exceeded the limit" reject reason. Refer to sk145412.

PRJ-9955,
PRHF-897

VoIP

In some scenarios, UA traffic is dropped when packet contains more then 9 UA's. Refer to sk135114.

PRJ-8010,
PRHF-5809

ClusterXL

In some scenarios, a connectivity issue takes place in ClusterXL environment after a fast "fail over"-"fail back" or a "fail over" on bridge configuration.

PRJ-1501,
PRHF-3839

ClusterXL

The output of the 'cphaprob routedifcs' command may be missing interfaces.

PRJ-5865,
PMTR-43718

ClusterXL

SNMP Response for OID .1.3.6.1.4.1.2620.1.5.6 ("haState") is "Active" on all members of ClusterXL High Availability mode. Refer to sk106291.

PRJ-599,
PMTR-35261

SecureXL

SYN Defender status in CPView sometimes appears as invalid.

PRJ-10937,
PMTR-25593

SecureXL

Rule that contains dhcpv6 services, does not disable SecureXL Accept Templates. Refer to sk32578.

PRJ-602,
PMTR-36548

SecureXL

In some scenarios, DOS/Rate Limiting configuration is not applied after reboot if no fw samp policy is configured.

PRJ-9670,
PRHF-5522

SecureXL

In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. This fix enables the new property per specific gateway. Refer to sk147093.

PRJ-8760,
PMTR-40390

SecureXL

NEW: Improved performance for multicast traffic after all listeners have been removed for an existing connection.

PRJ-10619

SecureXL

NEW: Added a new feature to support certain types of asymmetric bridged configurations.

PRJ-8914,
PRJ-8890

SecureXL

In some scenarios, multicast packets arrive to the Security gateway in order, but leave out-of-order.

PRJ-8978,
PRJ-8977

SecureXL

When PIM-SM multicast routing transitions from RPT to SPT, packets may be dropped or become out-of-order.

PRJ-8779,
PRHF-6971

SecureXL

In a rare scenario, DOS/Rate Limiting Logs are not searchable.

PRJ-6155,
PRHF-6490

SecureXL

In some scenarios, SecureXL causes an issue in the routing of multicast traffic.

PRJ-7500,
PMTR-34845

SecureXL

In some scenarios, new connection may fail to open if it is reopened with the same source port. Refer to sk164839.

PRJ-6123,
PRHF-5797

SecureXL

In some scenarios, DOS/Rate Limiting drops too few (or too many) packets for "concurrent-conns" fw samp rules. Refer to sk112454.

PRJ-8488,
PMTR-48255

SecureXL

In some scenarios, held packets are incorrectly reported to the penalty box.

PRJ-10233,
PMTR-51942

SecureXL

Policy installation may fail with "Error code 0-2000240" when Drop templates option is enabled. Refer to sk165716.

PRJ-4175,
PRHF-5051

SecureXL

In some scenarios, there may be a length verification error with SCTP traffic.

PRJ-7283,
PRHF-5120

SecureXL

Improved TCP state inspection for "Smart Connection Reuse" feature.

PRJ-9825,
PMTR-50294

SecureXL

In some scenarios, SYN Defender cookie validation may fail.

PRJ-12022,
PRHF-10097

SecureXL

In some scenarios, ACK, FIN, and RST TCP packets are dropped, causing outages.

PRJ-11677,
PRJ-11551

SecureXL

MCAST packets may be handled incorrectly when promiscuous (tcpdump) mode is enabled for the interface.

PRJ-5904,
PMTR-43772

SecureXL

In some scenarios, the penalty box violation rate is configured incorrectly.

PRJ-3815,
PRHF-3767

Routing

Active VRRP cluster member may not show full accounting information in logs. Refer to sk159432.

PRJ-12223,
ROUT-856

Routing

In some scenarios, routed process unexpectedly exits when adding an interface to OSPFv3 with a prefix length above 63 and having two or more areas.

PRJ-10791,
PMTR-39379

Routing

Although only OSPFv2 with Graceful Restart Helper is configured, the Critical Device OSPF3 Graceful Restart may show the "OSPF3 Graceful Restart PROBLEM Master -> Standby. Waiting for GR" message during the cluster failover.

PRJ-11545,
ROUT-554

Routing

In some scenarios, routed unexpectedly exits and traffic is lost after a failover in ClusterXL when BGP and ECMP are enabled. Refer to sk166175.

PRJ-3617,
PRHF-4829

Routing

In some scenarios, routed unexpectedly exits when receiving an LSA with a checksum value of zero.

PRJ-11423,
PRHF-9812

Routing

In some scenarios, routed_mon may unexpectedly exit on some CPView queries when OSPF multiple instances are configured.

PRJ-7613,
PRHF-7166

ConnectControl

  • Logical servers will have global table for lookups to prevent the race condition where two instances has different decisions because local sync is flushed every 0.1 sec.
  • Added 'fw balance' command for visibility.

PRJ-9350,
PRHF-8098

Gaia OS

NEW: Added optimization for 40GbE and 25/100GbE cards configured in multiqueue allowing better transmit performance when Hyper-Threading (SMT) is enabled.

PRJ-3804,
PMTR-40396

Gaia OS

NEW: Added the ability to configure an IPv6 address for a LOM interface on Smart 1-525/5050/5150 appliances.

PRJ-11367,
PRHF-9804

Gaia OS

SNMP Trap may not be sent even though a failover occurred. Refer to sk166100.

PRJ-11295,
PRHF-6250

Gaia OS

In some scenarios, commands that were typed into Clish can be executed later on if the SSH session was uninterruptedly terminated.

PRJ-445,
PRJ-447

Gaia OS

The 'show asset all' command may fail with core dump.

PRJ-11372,
PRHF-7532

Gaia OS

In some scenarios, latency issues may occur in Clish and in the WebUI when using web scanning tools. Refer to sk164153.

PRJ-472

Gaia OS

The "load configuration" command may not work correctly when the loading configuration file contains SNMP, and interface config commands may not apply the configuration correctly.

PRJ-501,
PRJ-498

Gaia OS

The "load configuration" command may not work correctly when trying to add an SNMP user with a hashed password.

PRJ-12442,
PRJ-1618,
PRHF-2637

Gaia OS

In some scenarios, the xmlUpgradeExec process may unexpectedly exit during Jumbo Hotfix installation.

As a result, the configuration file may not be created correctly. Upon login, the following error message may appear:

"/etc/appliance_config.xml:1: parser error : Document is empty

/etc/appliance_config.xml:1: parser error: Start tag expected, ^^^ not found".

PRJ-5269,
PMTR-40400

Gaia OS

Any of the following may occur in vSphere on a Management appliance:

  1. vSphere client/WebUI does not show the instance IP in the instance summary window.
  2. vSphere client/WebUI reports that VMware tools are "not running" in the instance summary window.
  3. Machine time/date is not synchronized with the ESX host.

PRJ-7578,
PMTR-42309

Gaia OS

'#', '=' and '+' characters cannot be used in "Banner" and "Message of the day" features.

PRJ-8006,
PMTR-46037

Gaia OS

Apache API was updated.

PRJ-7371,
PMTR-44835

Gaia OS

In some scenarios, the iDRAC (LOM) interface is not pingable.

PRJ-10397,
PRJ-10396

Gaia OS

In some scenarios, transmit queues may stop, causing packet loss.

PRJ-8053,
PRHF-7532

Gaia OS

In some scenarios, latency issues may occur in Clish and in the WebUI when using web scanning tools (Qualys). Refer to sk164153.

PRJ-4878,
PRHF-5471

VSX

Resource Monitor Control may cause segmentation fault when there are more than 64 CPUs. Refer to sk125112.

PRJ-11280,
PMTR-12883

VSX

In a rare scenario, portals are not reachable after the fwk process unexpectedly exits.

PRJ-10542,
PMTR-51263

VSX

In the menu of 'vsx_util vsls' #1 (Display current VS Load sharing configuration), the table shows cut names of VSs (original names are longer).

PRJ-10910,
PMTR-22709

VSX

In VSX cluster with VMAC mode, traffic may not pass through VSX Cluster members if SecureXL is enabled. Refer to sk138894.

PRJ-5332,
PMTR-41386

VPN

NEW: Added functionality enhancements for the authentication realms that is used with Remote Access VPN.

PRJ-10270,
PMTR-50151

VPN

NEW: 3DES is disabled by default for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI and Mobile Access curl.
Note: Disabling 3DES will fail 3rd party OPSEC SDK 6.0 clients connectivity. To enable it, refer to sk113114.

PRJ-5701,
PMTR-42483

VPN

NEW: Improved policy installation performance when the MAB Blade is enabled with Legacy Policy and Native Application rules. Refer to sk175105.

PRJ-8114,
PMTR-49502

VPN

"vpn_trap_multik: - wrong header length 36 != 72" message may appear in the vpnd.elg when working with multiple users with the same credentials.

PRJ-11240,
PMTR-42727

VPN

Added connectivity improvement for VPN over NAT traversal (UDP 4500). Refer to sk155953.

PRJ-11642,
VPNRA-353

VPN

Added stability improvement for Remote Access VPN.

PRJ-7013,
PRHF-2844

VPN

Added L2TP Remote Access client connectivity improvements. Refer to Scenario 2 in sk145895.

PRJ-11913,
PRHF-252

VPN

In rare scenarios, fwm unexpectedly exits after a 3rd-party certificate is signed.

PRJ-8262,
PRHF-7769

VPN

Server-to-Server and Client-to-Server VPN may fail when using Wire Mode while SecureXL is enabled.

PRJ-12177,
VPNRA-364

VPN

Connectivity improvements for Remote Access VPN using Traditional mode.

PRJ-7853

VPN

Connectivity improvements for Remote Access Endpoint clients that connect without Office Mode IPs.

PRJ-6718,
PRHF-6672

VPN

In some scenarios, the vpnd process unexpectedly exits on cluster members.

PRJ-11281,
PRHF-7681

VPN

In a rare scenario, vpnd process unexpectedly exits due to Segmentation fault.

PRJ-4451,
PMTR-40912

VPN

Improved IKEv2 negotiation flow.

PRJ-7692,
PRHF-7359

VPN

Improved usability of VPN tunnel monitoring "vpn tu" command.

PRJ-6089,
PMTR-43541

VPN

In some scenarios, accelerated VPN tunnels routed over PPPoE interface may cause drop of encrypted traffic of some connections. Refer to sk148872.

PRJ-7857,
PRHF-2142

VPN

In a rare scenario, a VPN memory leak may appear.

PRJ-6117,
PMTR-44901

VPN

In some scenarios, NAT-D traffic goes out from the first external interface.

PRJ-4235,
PRHF-4250

VoIP

In some scenarios, H323 connections are dropped after "Virtual session timeout" is configured. Refer to sk156372.

PRJ-2461,
PRHF-4097

VoIP

In some scenarios, MGCP traffic may be dropped by the Security Gateway with the following message in fw ctl zdebug drop:

fw_mgcp_undo_earlynat: the needed early_nat request entry (with natted src) not found, dropping;

fw_conn_post_inspect Reason: Handler 'mgcp_manager' drop;

PRJ-8259,
PMTR-28302

Endpoint Security

In some scenarios, the wrong cipher suite is chosen for RSA certificates in HTTPS portals. Refer to sk164240.

PRJ-2925,
PMTR-39317

Endpoint Security

Very frequently repeated "update register" requests may cause performance issues.

PRJ-11814,
PRHF-9151

Endpoint Security

When a user name is updated in SmartEndpoint, the change may result in an unexpected expiration date. Refer to sk165872.

PRJ-11834,
PRHF-10015

Endpoint Security

An error in FDE preboot users calculation may cause Endpoint to be left in a disconnected state. Refer to sk142313.

PRJ-11827,
PRHF-7087

Endpoint Security

SmartEndpoint may export a report to Excel in which incorrect distinguished names appear for deleted users/computers. Refer to sk163943.

PRJ-11823,
PRHF-6365

Endpoint Security

Users/devices may not change their locations in the tree according to Active Directory changes when certain special characters appear in the names.

PRJ-11818,
PRHF-9157

Endpoint Security

The default paths for offline folders in SmartEndpoint -> Offline group creation wizard may be incorrect.

PRJ-11831,
PRHF-8234

Endpoint Security

The Endpoint directory scanner may fail to reconnect to the AD if the connection was lost during the scan.

PRJ-11710,
PRHF-10028

Endpoint Security

In SmartEndpoint, Anti-Malware's "Top Infections" report has an empty infection name. Refer to sk166232.

PRJ-5185,
PRHF-5617

Endpoint Security

The log description of the "Media Encryption & Port Protection" Blade may state that the "Media Storage" is encrypted even though it is not. The details in the log show the correct value. Refer to sk162812.

PRJ-7890,
VSECC-1001

CloudGuard IaaS

NEW: Added support for Google Cloud Platform projects with Shared VPC. Refer to sk164139.

PRJ-5804,
VSECNSX-1211

CloudGuard IaaS

NEW: Added support for Identity Sharing with CloudGuard for NSX-V.

PRJ-10866,
VSECC-1119

CloudGuard IaaS

In a rare scenario, the OpenStack Data Center becomes unresponsive, which results in a loss of updates to the Security Gateway.

PRJ-11897

QoS

In some scenarios, SmartView Monitor shows "No Match" rule on QoS traffic.

PRJ-9740,
PMTR-51721

QoS

Packets to the broadcast IP address (255.255.255.255) may cause dmesg to fill with "fg_classify_and_offload_all_ifdirs: fglogRulename Failed." messages.