Take 173 - General Availability
List of Resolved Issues and New Features
Note - This Take contains all fixes from all earlier Takes.
ID |
Product |
Description |
---|---|---|
Take 173 Released on 23 July 2020 and declared as General Availability on 26 August 2020 |
PRJ-12024, |
Security Management |
NEW: Tasks that fail to complete within 18 hours will be stopped automatically and appear as failed. Refer to sk166455. |
PRJ-12273, |
Security Management |
In Management HA configuration, a hotfix installation may fail during the verification phase. |
PRJ-12505, |
Security Management |
When using packet mode in Rulebase Search, results from an inline layer may be matched even though their parent layer is not. |
PRJ-4953, |
Security Management |
"The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job." message after the putkey process. Refer to sk12882. |
PRJ-12477, |
Security Management |
In some scenarios, when using Rulebase Search, the 'number of rules' section is incorrect. Refer to sk166003. |
PRJ-13158, |
Security Management |
In rare scenarios, a session becomes unusable, and one or more of the following may occur:
Refer to sk167735. |
PRJ-12669, |
Security Management |
If an administrator searches for a certain text in SmartConsole, it may cause the Management Server to become inaccessible until a restart. |
PRJ-13165, |
Security Management |
When an administrator enters a very long text into an object field (more than 32767 characters), the Security Management Server terminates and fails to start. |
PRJ-10057, |
Security Management |
In some scenarios, Security policy deletion or installation may fail when there are many Application Control objects used in this policy. Refer to sk175588. |
PRJ-12144, |
Security Management |
Management HA synchronization between the active Domain server and a standby Domain server may fail with "Failed to import data" error. |
PRJ-13032, |
Multi-Domain Management |
Global Policy reassignment may fail after performing the IPS update in the Global domain. |
PRJ-12486, |
Multi-Domain Management |
Multi-Domain Administrator configuration for RADIUS authentication may show local Domain RADIUS servers and groups. |
PRJ-12204, |
Multi-Domain Management |
In some scenarios, changes to a .def file in $FWDIR/lib may be reverted when creating a secondary CMA. |
PRJ-12554, |
Multi-Domain Management |
In some scenarios, updating firewall_properties in GuiDBedit in the MDS context fails. Refer to sk42184. |
PRJ-9599, |
Multi-Domain Management |
In environments with more than five Multi Domain servers, changes to objects may not be reflected in the logs. |
PRJ-1391, |
Multi-Domain Management |
NEW: Added ability to log in to the Management Server with SmartConsole while MDS Backup is running. |
PRJ-12964, |
Multi-Domain Management |
In some scenarios, certain deleted domain level objects are visible in the SmartConsole at the MDS level. |
PRJ-12899, |
SmartConsole |
NEW: Added more information on each Management API call to api.csv. |
PRJ-12972, |
SmartConsole |
When the VSX Cluster object editor is closed without making any changes, the "Topology has changed. Please reinstall Security Policy" message is displayed unnecessarily. |
PRJ-12453, |
SmartConsole |
In some scenarios, a calculation of UIDs for irrelevant rules may result in the "Cannot insert a rule into its own sub rulebase" validation error. |
PRJ-11257, |
SmartConsole |
In some scenarios, Inspection Settings view under the General tab is blank. |
PRJ-12459, |
SmartConsole |
In some scenarios, IPS update may be locked with the message "IPS management update is locked by Scheduled update". |
PRJ-12960, |
SmartConsole |
Global Policy reassign in MDS may fail with "An internal error has occurred" message after adding overrides to Snort protections. |
PRJ-12537, |
SmartConsole |
Unable to delete Snort protections in a Multi-Domain environment - they still exist after deletion. |
PRJ-12082, |
SmartConsole |
When configuring "Visitor Mode" in SmartConsole and choosing the IP address, the wrong IP address may be displayed after clicking "OK". |
PRJ-12872, |
SmartConsole |
An incorrect netmask may be shown for Virtual System objects in the network group editor. |
PRJ-12907, |
SmartConsole |
When using the Management API "show-objects" command to show OPSEC application objects, it may fail with "Requested object [OBJECT ID] not found". |
PRJ-13006, |
SmartConsole |
In the Management API, the "show objects" command with details-level full may return the "ip-address" field even if it is empty. |
PRJ-12449, |
SmartConsole |
In some scenarios, IPS update tasks may get stuck when multiple machines are attempting an update within the same time frame. |
PRJ-12209, |
SmartConsole |
When running the "show-domain" API command, the "active" field may be missing from the reply. |
PRJ-11431, |
SmartProvisioning |
The SmartProvisioning application may hang when the user adds/edits Dynamic Objects in the LSM Gateway object editor. |
PRJ-10199, |
SmartView |
SmartView may show "query failed" error message when creating a table widget with filter by source/destination host name. Refer to sk119056. |
PRJ-10669, |
SmartView |
In SmartView, when using a language other than English, an error may occur when drilling down on a widget. |
PRJ-12690, |
Compliance |
Compliance Blade may show incorrect Best Practice status if one or more relevant network objects for that Best Practice is in status "N/A". |
PRJ-2194, |
Logging |
NEW: Added new SmartView Report for SandBlast Threat Extraction. The report provides visibility of sanitized files in mail and web downloads, including cleaned file types and cleaned active and embedded content. |
PRJ-10155, |
Logging |
"UserCheck Reference ID" field is missing from logs when the message of the UserCheck customized page is modified and does not contain the text "reference:". Refer to sk165355. |
PRJ-4609, |
Logging |
When the user tries to open a Forensic report in SmartLog, the "Error getting report." message may appear if there is a network object configured with the same IP address as that of the Endpoint Security Management Server. |
PRJ-11887, |
Logging |
In some scenarios, searching for logs using "client_name" in the logging tab returns no values. |
PRJ-10359, |
Logging |
Log_indexer may unexpectedly exit on a SmartEvent server with a large number of CPUs (32 and up), and/or when the total number of log servers declared in correlation units is above 30. |
PRJ-4737 |
Logging |
In environments that use certain mail servers, sending a report using SmartView may not work properly. |
PRJ-11500, |
Security Gateway |
NEW: Added "Hold" override for unsupported protocols (i.e. GRE). Refer to sk148432. |
PRJ-5032, |
Security Gateway |
In some scenarios, when running "fw monitor" with the "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed. Refer to sk166592. |
PRJ-13074, |
Security Gateway |
When HTTPS Inspection is enabled using layer-2/bridge, traffic may be dropped when deciding the outgoing interfaces. |
PRJ-11694, |
Security Gateway |
In a rare scenario, access rules with service type of "other" may not be matched correctly. Refer to sk166365. |
PRJ-11140, |
Security Gateway |
In some scenarios, "fwxlate_dyn_port_global_to_local_get_port: port was not found in global, and not in local" error message may appear in dmesg. |
PRJ-12517, |
Security Gateway |
In some scenarios, a backup on a Gaia device with Threat Emulation Blade enabled may fail with "Cannot complete the backup process: not enough space". Refer to sk166833. |
PRJ-13430, |
Security Gateway |
In some scenarios, "cmik_loader_fw_get_connkey: Invalid streaming opaque type: (3)" message appears in dmesg. Refer to sk137494. |
PRJ-11741, |
Security Gateway |
Improved connectivity in a specific flow when ICAP Client is enabled with Trickling 3. |
PRJ-11415, |
Security Gateway |
In some scenarios, NAT log shows source port 0 even though a port was allocated. |
PRJ-8674, |
Security Gateway |
In some scenarios, "simple_debug_filter_unset: unsetting debug filter when no filter is set" messages may appear in dmesg. Refer to sk165675. |
PRJ-10769, |
Internal CA |
In some scenarios, there is no SIC between the R80.x Security Management and an R77 Security Gateway after the ICA certificate replacement procedure described in sk158096. |
PRJ-9046, |
Threat Prevention |
The number of overrides in Threat Prevention policy -> Profile -> Overrides may also show inactivated overrides, with mismatched information between "override" and "User Modified". |
PRJ-5230, |
Identity Awareness |
A failure in the LDAP group membership query for a specific user that was reported by an MUH agent may cause all users under the same MUH agent to be removed from the PDP database. |
PRJ-12618, |
Identity Awareness |
After the user disables and re-enables the Identity Collector in SmartConsole, the Identity Collector may fail to connect to the PDP Gateway again. |
PRJ-13564, |
Identity Awareness |
In some scenarios, when the user changes the TACACS+ server to a different one, the configuration is applied only after an MDS reboot. |
PRJ-8711, |
Identity Awareness |
In some scenarios, Dynamic ID authentication fails when the SMS server returns an HTTP status code 2xx but not 200 or 202. |
PRJ-7277, |
Application Control |
In some scenarios, Application Control updates cannot be initiated on Gateways without Application Control enabled, even though URL Filtering is enabled. |
PRJ-11060, |
Application Control |
In some scenarios, Application Control update task may get stuck indefinitely when it is executed as part of Global Policy assignment. |
PRJ-12164, |
Application Control |
In some scenarios, Application Control updates in Multi-Domain High Availability environments may get stuck when multiple updates from different Domains/Multi-Domains take place simultaneously. |
PRJ-12338, |
URL Filtering |
In a rare scenario, policy installation may fail with "Error code: 0-2000112" if the URL Filtering Blade is active while no other feature or Blade is enabled. |
PRJ-13108, |
HTTPS Inspection |
In some scenarios, HTTPS websites may show corrupted text when HTTPS Inspection and Anti-Virus are enabled. |
PRJ-13596, |
HTTPS Inspection |
In some scenarios, web traffic is blocked with "HTTP parsing error occurred" and "parameters are undecodable in request" errors. |
PRJ-8298, |
SSL Inspection |
In some scenarios, some HTTPS sites are not categorized when both "Categorize HTTPS Sites" and "HTTPS Inspection" are enabled. |
PRJ-13115, |
DLP |
Improved DLP functionality when working with IDA MUH1 and MUH2 agents. |
PRJ-8902, |
IPS |
In a rare scenario, Security Gateway may crash due to NULL pointer reference. |
PRJ-12708, |
ClusterXL |
In some scenarios, a Cluster member forwards ICMP replies via its Sync interface after being rebooted. |
PRJ-12284, |
ClusterXL |
ClusterXL in Load Sharing mode may drop traffic after a cluster member is rebooted, due to inconsistency of MAC addresses saved in the Firewall kernel and in SecureXL kernel. |
PRJ-12551, |
SecureXL |
NEW: Added tunable kernel parameter "adp_mc_rt_hold_queue_len" to adpkern.conf to eliminate multicast packet drops at the start of a connection (when large bursts of multicast traffic are expected). |
PRJ-12173, |
SecureXL |
In some scenarios, TCP traffic containing the TCP Fast Open option may be dropped by the Security Gateway. |
PRJ-10495, |
SecureXL |
In some scenarios, SecureXL makes an offload decision to not accelerate multicast traffic for route-based VPN. |
PRJ-14076, |
SecureXL |
For some topologies, RIPv2 neighbors may be missing. Refer to sk167934. |
PRJ-11630, |
SecureXL |
In some scenarios, MCAST packets may not be accelerated on a PIM-SM RP Gateway. |
PRJ-11449, |
Gaia OS |
NEW: Added support for Smart-1 3150/3050 SAN and 'show asset' line cards for SAN. |
PRJ-7270, |
Gaia OS |
In some scenarios, adding a Gaia user may result in a high number of zombie sh processes. Refer to sk164259. |
PRJ-13647, |
Gaia OS |
In rare scenarios, clish consumes 100% CPU when the user runs a Tenable scan. Refer to sk166195. |
PRJ-13154, |
Gaia OS |
In some scenarios, SNMPD daemon unexpectedly exits with core dump, causing the SNMP service to become unavailable. |
PRJ-13478, |
Gaia OS |
Intake and outlet temperature sensors display incorrect values on 15400 appliance. |
PRJ-12760, |
Gaia OS |
In some scenarios, WebUI shows unknown HDDs that are not part of RAID. |
PRJ-8948, |
Gaia OS |
In some scenarios, interface names may not correspond to the correct ports on 4-ports 10GbE SFP+ Rev 1.1 on 12200/4200/4400/4600/4800/TE250 appliances. |
PRJ-12250, |
Gaia OS |
UPDATE: on Smart-1 5050:
|
PRJ-3025, |
Gaia OS |
Backup on Gaia machine may fail with "Cannot complete the backup process: not enough space". Refer to sk98609. |
PRJ-13265, |
Gaia OS |
In some scenarios, the value for Voltage/Fan/Temperature sensor may appear as "NotValid". |
PRJ-11780, |
Gaia OS |
Only 1024 characters of a cron job's output are displayed when using "show cron jobs" from clish. |
PRJ-12917, |
Gaia OS |
In some scenarios, snapshot creation on Gaia OS may get stuck at 1-2% because of a large number of tmp files. Refer to sk116679. |
PRJ-11619, |
Gaia OS |
When a bond exceeds 60GB/s, ethtool may report an incorrect speed of the bond interface. |
PRJ-12420, |
Gaia OS |
In some scenarios, concurrent CIFS mount/umount processes to the same Windows machine may crash the kernel. |
PRJ-471 |
Gaia OS |
When the "load configuration" command loads a configuration file that contains SNMP, the interface configuration commands may not apply the configuration correctly. |
PRJ-9782, |
Gaia OS |
'#', '=' and '+' characters cannot be used in "Banner" and "Message of the day" features. |
PRJ-11496, |
Gaia OS |
In some scenarios, the PSU status is reflected even if there is no PSU on the appliance. |
PRJ-11682, |
Routing |
NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners. |
PRJ-12797, |
Routing |
In some scenarios, there may be a loss of BGP adjacency when displaying BGP routes with very long AS paths or large numbers of BGP communities. |
PRJ-12801, |
Routing |
In some scenarios, when processing BGP ECMP routes, ROUTED may unexpectedly exit, resulting in loss of BGP adjacency. |
PRJ-13351, |
Routing |
In some scenarios, routed process generates an assert when the user runs the "dbget -rv iclid" command. |
PRJ-11243, |
VoIP |
SIP calls with NAT (SIP packet with no SDP but content-type=sdp) may fail to open correctly. |
PRJ-9103, |
VoIP |
In a rare scenario, Security Gateway crashes when passing SIP traffic. Refer to sk166474. |
PRJ-8620, |
VPN |
Improved the VPN connectivity with DAIP peers when Tunnel Monitoring is enabled. Refer to sk164933. |
PRJ-12193, |
VPN |
A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902. |
PRJ-58 |
VPN |
In a rare scenario, the vpnd process unexpectedly exits when unallocated memory is accessed. |
PRJ-13312 |
VPN |
In some scenarios, packets are dropped on proposal unmatched, although the VPN tunnel is established. Refer to sk122438. |
PRJ-4510, |
VPN |
In some scenarios, Site-to-Site VPN between a central Security Gateway and 700 DAIP appliances disconnects randomly. Refer to sk149432. |
PRJ-13528, |
VPN |
In some scenarios, Remote Access VPN users are not matched against the Access Control policy and traffic is dropped. Refer to sk167432. |
PRJ-13406, |
VPN |
In rare scenarios, the Global Domain Assignment view shows that a Global Domain Assignment is in the 'up to date' state even though it is not. |
PRJ-11803, |
VPN |
In some scenarios, an incorrect number of connected Remote Access users is displayed in SmartView Monitor. Refer to sk167297. |
PRJ-12889, |
VPN |
IKEv2 rekey may fail when the resolved peer IP address is not the main IP address. Refer to sk166897. |
PRJ-12463, |
VPN |
In a rare scenario, Security Gateway may crash when using Remote Access VPN with L2TP clients. |
PRJ-13340, |
VPN |
In some scenarios, L2TP client fails to connect with "Failed to write L2TP session params to kernel" error in vpnd.elg file. Refer to sk167636. |
PRJ-13079, |
VSX |
When performing a provisioning operation in VSX, the process may hang on "Pushing configuration to ...". Refer to sk167175. |
PRJ-11839, |
Endpoint Security |
Cannot delete the client MSI package from SmartEndpoint because of a previously deleted FDE offline group. |
PRJ-11144, |
Endpoint Security |
Local users may not be displayed under the selected machine in the "Users and Computers" tab in SmartEndpoint. Refer to sk166316. |