Take 173 - General Availability

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 173

Released on 23 July 2020 and declared as General Availability on 26 August 2020

PRJ-12024,
PMTR-51885

Security Management

NEW: Tasks that fail to complete within 18 hours will be stopped automatically and appear as failed. Refer to sk166455.

PRJ-12273,
PMTR-53007

Security Management

In Management HA configuration, a hotfix installation may fail during the verification phase.

PRJ-12505,
PRHF-10058

Security Management

When using packet mode in Rulebase Search, results from an inline layer may be matched even though their parent layer is not.

PRJ-4953,
PRHF-4593

Security Management

The message "The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job." appears after the putkey process. Refer to sk12882.

PRJ-12477,
PRHF-9260

Security Management

In some scenarios, when using Rulebase Search, the 'number of rules' section is incorrect. Refer to sk166003.

PRJ-13158,
CPM-2811

Security Management

In rare scenarios, a session becomes unusable, and one or more of the following may occur:

  • The user is not able to log in and make changes with this session.
  • Publishing this session fails.
  • Discarding this session fails.

Refer to sk167735.

PRJ-12669,
PMTR-52789

Security Management

If an administrator searches for a certain text in SmartConsole, it may cause the Management Server to become inaccessible until a restart.

PRJ-13165,
PMTR-53758

Security Management

When an administrator enters a very long text into an object field (more than 32767 characters), the Security Management Server terminates and fails to start.

PRJ-10057,
PRHF-8924

Security Management

In some scenarios, Security policy deletion or installation may fail when there are many Application Control objects used in this policy. Refer to sk175588.

PRJ-12144,
CPM-2624

Security Management

Management HA synchronization between the active Domain server and a standby Domain server may fail with the "Failed to import data" error.

PRJ-13032,
PRHF-10917

Multi-Domain Management

Global Policy reassignment may fail after performing the IPS update in the Global domain.

PRJ-12486,
PRHF-10330

Multi-Domain Management

Multi-Domain Administrator configuration for RADIUS authentication may show local Domain RADIUS servers and groups.

PRJ-12204,
PRHF-10405

Multi-Domain Management

In some scenarios, changes to a .def file in $FWDIR/lib may be reverted when creating a secondary CMA.

PRJ-12554,
PRHF-10523

Multi-Domain Management

In some scenarios, updating firewall_properties in GuiDBedit in the MDS context fails. Refer to sk42184.

PRJ-9599,
PRHF-8502

Multi-Domain Management

In environments with more than five Multi Domain servers, changes to objects may not be reflected in the logs.

PRJ-1391,
PMTR-33408

Multi-Domain Management

NEW: Added ability to log in to the Management Server with SmartConsole while MDS Backup is running.

PRJ-12964,
PRHF-10944

Multi-Domain Management

In some scenarios, certain deleted domain level objects are visible in the SmartConsole at the MDS level.

PRJ-12899,
PMTR-53694

SmartConsole

NEW: Added more information on each Management API call to api.csv.

PRJ-12972,
PMTR-51691

SmartConsole

When the VSX Cluster object editor is closed without making any changes, the "Topology has changed. Please reinstall Security Policy" message is displayed unnecessarily.

PRJ-12453,
PMTR-37222

SmartConsole

In some scenarios, a calculation of UIDs for irrelevant rules may result in the "Cannot insert a rule into its own sub rulebase" validation error.

PRJ-11257,
PRHF-9106

SmartConsole

In some scenarios, Inspection Settings view under the General tab is blank.

PRJ-12459,
PRHF-8968

SmartConsole

In some scenarios, an IPS update may be locked with the message "IPS management update is locked by Scheduled update".

PRJ-12960,
PRHF-10916

SmartConsole

Global Policy reassign in MDS may fail with "An internal error has occurred" message after adding overrides to Snort protections.

PRJ-12537,
PRHF-9941

SmartConsole

Unable to delete Snort protections in Multi-Domain environment - they still exist after deletion.

PRJ-12082,
PRHF-10297

SmartConsole

When configuring "Visitor Mode" in SmartConsole and choosing the IP address, the wrong IP address may be displayed after clicking "OK".

PRJ-12872,
PMTR-53909

SmartConsole

An incorrect netmask may be shown for Virtual System objects in the network group editor.

PRJ-12907,
PMTR-53855

SmartConsole

When using the Management API "show-objects" command to show OPSEC application objects, it may fail with "Requested object [OBJECT ID] not found".

PRJ-13006,
PRHF-10998

SmartConsole

In the Management API, the "show objects" command with details-level full may return the "ip-address" field even if it is empty.

PRJ-12449,
PRHF-8488

SmartConsole

In some scenarios, IPS update tasks may get stuck when multiple machines are attempting an update within the same time frame.

PRJ-12209,
PMTR-52897

SmartConsole

When running the "show-domain" API command, the "active" field may be missing from the reply.

PRJ-11431,
PRHF-8506

SmartProvisioning

The SmartProvisioning application may hang when the user adds/edits Dynamic Objects in the LSM Gateway object editor.

PRJ-10199,
PRHF-9019

SmartView

SmartView may show "query failed" error message when creating a table widget with filter by source/destination host name. Refer to sk119056.

PRJ-10669,
PMTR-49128

SmartView

In SmartView, when using a language other than English, an error may occur when drilling down on a widget.

PRJ-12690,
MB-731

Compliance

Compliance Blade may show incorrect Best Practice status if one or more relevant network objects for that Best Practice is in status "N/A".

PRJ-2194,
PMTR-38377

Logging

NEW: Added new SmartView Report for SandBlast Threat Extraction. The report provides visibility of sanitized files in mail and web downloads, including cleaned file types and cleaned active and embedded content.

PRJ-10155,
PRHF-8586

Logging

"UserCheck Reference ID" field is missing from logs when the message of the UserCheck customized page is modified and does not contain the text "reference:". Refer to sk165355.

PRJ-4609,
PRHF-5209

Logging

When the user tries to open a Forensic report in SmartLog, the "Error getting report." message may appear if there is a network object configured with the same IP address as that of the Endpoint Security Management Server.

PRJ-11887,
PRHF-10057

Logging

In some scenarios, searching for logs using "client_name" in the logging tab returns no values.

PRJ-10359,
PMTR-46596

Logging

Log_indexer may unexpectedly exit on a SmartEvent server with a large number of CPUs (32 and up), and/or when the total number of log servers declared in correlation units is above 30.

PRJ-4737

Logging

In environments that use certain mail servers, sending a report using SmartView may not work properly.

PRJ-11500,
PMTR-52209

Security Gateway

NEW: Added "Hold" override for unsupported protocols (i.e. GRE). Refer to sk148432.

PRJ-5032,
PMTR-41300

Security Gateway

In some scenarios, when running "fw monitor" with the "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed. Refer to sk166592.

PRJ-13074,
PMTR-54306

Security Gateway

When HTTPS Inspection is enabled using layer-2/bridge, traffic may be dropped when deciding the outgoing interfaces.

PRJ-11694,
PRHF-9799

Security Gateway

In a rare scenario, access rules with service type of "other" may not be matched correctly. Refer to sk166365.

PRJ-11140,
PMTR-39019

Security Gateway

In some scenarios, "fwxlate_dyn_port_global_to_local_get_port: port was not found in global, and not in local" error message may appear in dmesg.

PRJ-12517,
PRHF-10672

Security Gateway

In some scenarios, a backup on a Gaia device with Threat Emulation Blade enabled may fail with "Cannot complete the backup process: not enough space". Refer to sk166833.

PRJ-13430,
PRHF-1197

Security Gateway

In some scenarios, the "cmik_loader_fw_get_connkey: Invalid streaming opaque type: (3)" message appears in dmesg. Refer to sk137494.

PRJ-11741,
SWG-2533

Security Gateway

Improved connectivity in a specific flow when ICAP Client is enabled with Trickling 3.

PRJ-11415,
PRHF-9776

Security Gateway

In some scenarios, NAT log shows source port 0 even though a port was allocated.

PRJ-8674,
PMTR-38384

Security Gateway

In some scenarios, "simple_debug_filter_unset: unsetting debug filter when no filter is set" messages may appear in dmesg. Refer to sk165675.

PRJ-10769,
PRHF-8926

Internal CA

In some scenarios, there is no SIC between the R80.x Security Management and the R77 Security Gateway after the ICA certificate replacement procedure described in sk158096.

PRJ-9046,
PRHF-8153

Threat Prevention

The number of overrides in Threat Prevention policy -> Profile -> Overrides may also show inactivated overrides, with mismatched information between "override" and "User Modified".

PRJ-5230,
PRHF-4808

Identity Awareness

A failure in the LDAP group membership query for a specific user that was reported by an MUH agent may cause all users under the same MUH agent to be removed from the PDP database.

PRJ-12618,
MTR-45782

Identity Awareness

After the user disables and re-enables the Identity Collector in SmartConsole, the Identity Collector may fail to connect to the PDP Gateway again.

PRJ-13564,
PRHF-561

Identity Awareness

In some scenarios, when the user changes the TACACS+ server to a different one, the configuration is applied only after an MDS reboot.

PRJ-8711,
PRHF-7978

Identity Awareness

In some scenarios, Dynamic ID authentication fails when SMS server returns HTTP status code 2xx but not 200 or 202.

PRJ-7277,
PRHF-7027

Application Control

In some scenarios, Application Control updates cannot be initiated on Gateways without Application Control enabled, even though URL Filtering is enabled.

PRJ-11060,
PRHF-9354

Application Control

In some scenarios, Application Control update task may get stuck indefinitely when it is executed as part of Global Policy assignment.

PRJ-12164,
PMTR-52106

Application Control

In some scenarios, Application Control updates in Multi-Domain High Availability environments may get stuck when multiple updates from different Domains/Multi-Domains take place simultaneously.

PRJ-12338,
PMTR-53146

URL Filtering

In a rare scenario, policy installation may fail with "Error code: 0-2000112" if the URL Filtering Blade is active while no other feature or Blade is enabled.

PRJ-13108,
PRHF-11112

HTTPS Inspection

In some scenarios, HTTPS websites may show corrupted text when HTTPS Inspection and Anti-Virus are enabled.

PRJ-13596,
PMTR-55344

HTTPS Inspection

In some scenarios, web traffic is blocked with "HTTP parsing error occurred" and "parameters are undecodable in request" errors.

PRJ-8298,
MBS-9133

SSL Inspection

In some scenarios, some HTTPS sites are not categorized when both "Categorize HTTPS Sites" and "HTTPS Inspection" are enabled.

PRJ-13115,
PMTR-52580

DLP

Improved DLP functionality when working with IDA MUH1 and MUH2 agents.

PRJ-8902,
PRJ-8880

IPS

In a rare scenario, Security Gateway may crash due to NULL pointer reference.

PRJ-12708,
RHF-10849

ClusterXL

In some scenarios, a Cluster member forwards ICMP replies via its Sync interface after being rebooted.

PRJ-12284,
CLUS-1752

ClusterXL

ClusterXL in Load Sharing mode may drop traffic after a cluster member is rebooted, due to inconsistency of MAC addresses saved in the Firewall kernel and in SecureXL kernel.

PRJ-12551,
PRHF-10647

SecureXL

NEW: Added tunable kernel parameter "adp_mc_rt_hold_queue_len" to adpkern.conf to eliminate multicast packet drops at the start of a connection (when large bursts of multicast traffic are expected).

PRJ-12173,
PRHF-10228

SecureXL

In some scenarios, TCP traffic containing the TCP Fast Open option may be dropped by the Security Gateway.

PRJ-10495,
PMTR-50926

SecureXL

In some scenarios, SecureXL makes an offload decision to not accelerate multicast traffic for route-based VPN.

PRJ-14076,
PMTR-56026

SecureXL

For some topologies, RIPV2 neighbors may be missing. Refer to sk167934.

PRJ-11630,
PRJ-11552

SecureXL

In some scenarios, MCAST packets may not be accelerated on a PIM-SM RP Gateway.

PRJ-11449,
PMTR-51868

Gaia OS

NEW: Added support for Smart-1 3150/3050 SAN and 'show asset' line cards for SAN.

PRJ-7270,
PRHF-7124

Gaia OS

In some scenarios, adding a Gaia user may result in a high number of zombie sh processes. Refer to sk164259.

PRJ-13647,
PRJ-10350,
PRHF-8760

Gaia OS

In rare scenarios, clish consumes 100% CPU when the user runs a Tenable scan. Refer to sk166195.

PRJ-13154,
PRJ-13746

Gaia OS

In some scenarios, SNMPD daemon unexpectedly exits with core dump, causing the SNMP service to become unavailable.

PRJ-13478,
PMTR-55154

Gaia OS

Intake and outlet temperature sensors display incorrect values on 15400 appliance.

PRJ-12760,
PMTR-52834

Gaia OS

In some scenarios, WebUI shows unknown HDDs that are not part of RAID.

PRJ-8948,
GAIA-7018

Gaia OS

In some scenarios, interface names may not correspond to the correct ports on 4-ports 10GbE SFP+ Rev 1.1 on 12200/4200/4400/4600/4800/TE250 appliances.

PRJ-12250,
PMTR-52663

Gaia OS

UPDATE: On Smart-1 5050:

  • Line card 1 model PE2G2SFPi35*-CP* is changed to CPAC-2-1F-SM*-C*
  • Line card 2 model PE210G2SPI9A-XR*-CP* is changed to CPAC-2-10F-SM*-C*

PRJ-3025,
PRHF-4557

Gaia OS

Backup on Gaia machine may fail with "Cannot complete the backup process: not enough space". Refer to sk98609.

PRJ-13265,
PRJ-13266,
GAIA-7496

Gaia OS

In some scenarios, the value for Voltage/Fan/Temperature sensor may appear as "NotValid".

PRJ-11780,
PRJ-10761,
PRHF-9221

Gaia OS

Only 1024 characters of a cron job's output are displayed when using "show cron jobs" from clish.

PRJ-12917,
PMTR-17149

Gaia OS

In some scenarios, snapshot creation on Gaia OS may get stuck at 1-2% because of a large number of tmp files. Refer to sk116679.

PRJ-11619,
PRHF-10009

Gaia OS

When a bond exceeds 60GB/s, ethtool may report an incorrect speed of the bond interface.

PRJ-12420,
GAIA-7499

Gaia OS

In some scenarios, concurrent CIFS mount/umount processes to the same Windows machine may crash the kernel.

PRJ-471

Gaia OS

When the load configuration command is used and the loaded configuration file contains SNMP, the interface configuration commands may not apply the configuration correctly.

PRJ-9782,
PMTR-42309

Gaia OS

'#', '=' and '+' characters cannot be used in "Banner" and "Message of the day" features.

PRJ-11496,
PMTR-51462

Gaia OS

In some scenarios, the PSU status is reflected even if there is no PSU on the appliance.

PRJ-11682,
PRJ-11365

Routing

NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners.

PRJ-12797,
ROUT-530

Routing

In some scenarios, there may be a loss of BGP adjacency when displaying BGP routes with very long AS paths or large numbers of BGP communities.

PRJ-12801,
ROUT-541

Routing

In some scenarios, when processing BGP ECMP routes, ROUTED may unexpectedly exit, resulting in loss of BGP adjacency.

PRJ-13351,
PMTR-54833

Routing

In some scenarios, the routed process generates an assert when the user runs the "dbget -rv iclid" command.

PRJ-11243,
PRHF-9628

VoIP

SIP calls with NAT (SIP packet with no SDP but content-type=sdp) may fail to open correctly.

PRJ-9103,
PRHF-7758

VoIP

In a rare scenario, Security Gateway crashes when passing SIP traffic. Refer to sk166474.

PRJ-8620,
PRHF-7485

VPN

Improved the VPN connectivity with DAIP peers when Tunnel Monitoring is enabled. Refer to sk164933.

PRJ-12193,
PRHF-9885

VPN

A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902.

PRJ-58

VPN

In a rare scenario, the vpnd process unexpectedly exits when unallocated memory is accessed.

PRJ-13312

VPN

In some scenarios, packets are dropped on proposal unmatched, although the VPN tunnel is established. Refer to sk122438.

PRJ-4510,
PMTR-1408

VPN

In some scenarios, Site-to-Site VPN between the central Security Gateway and 700 DAIP appliances disconnects randomly. Refer to sk149432.

PRJ-13528,
VPNRA-398

VPN

In some scenarios, Remote Access VPN users are not matched against the Access Control policy and traffic is dropped. Refer to sk167432.

PRJ-13406,
PMTR-54443

VPN

In rare scenarios, the Global Domain Assignment view shows that a Global Domain Assignment is in the 'up to date' state even though it is not.

PRJ-11803,
VPNRA-357

VPN

In some scenarios, an incorrect number of connected Remote Access users is displayed in SmartView Monitor. Refer to sk167297.

PRJ-12889,
PRHF-10685

VPN

IKEv2 rekey may fail when the resolved peer IP address is not the main IP address. Refer to sk166897.

PRJ-12463,
PRHF-388

VPN

In a rare scenario, Security Gateway may crash when using Remote Access VPN with L2TP clients.

PRJ-13340,
PRHF-1164

VPN

In some scenarios, L2TP client fails to connect with "Failed to write L2TP session params to kernel" error in vpnd.elg file. Refer to sk167636.

PRJ-13079,
PRHF-10978

VSX

When performing a provisioning operation in VSX, process may hang on "Pushing configuration to ...". Refer to sk167175.

PRJ-11839,
PRHF-9304

Endpoint Security

Cannot delete the client MSI package from SmartEndpoint because of a previously deleted FDE offline group.

PRJ-11144,
PRHF-9706

Endpoint Security

Local users may not be displayed under the selected machine in the "Users and Computers" tab in SmartEndpoint. Refer to sk166316.