Take 190 - General Availability

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 190

Released on 28 February 2021 and declared as General Availability on 12 April 2021

PRJ-7662,
PMTR-46091

CPview

CPview may show partial information, if there are more than 256 interfaces configured on the system.

PRJ-18836,
PRHF-13728,
PRJ-21003,
PRHF-14969

Security Management

NEW: Improved FWM process performance during Security policy or database installation.

PRJ-19949,
PMTR-62429

Security Management

NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally.

PRJ-20070,
MCFG-229

Security Management

NEW: Optimized the Solr build time to improve performance in the following operations:

  • Restore of the entire MDS/MLM from backup
  • Upgrade from R80.10
  • Solr Cure

PRJ-19998,
PRHF-14293

Security Management

UPDATE: Improved the policy load process to reduce policy installation time when there is a large number of objects.

PRJ-19698,
PRJ-13465

Security Management

UPDATE: If a Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours.

PRJ-20029,
PMTR-61770

Security Management

UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published.

PRJ-21589,
PRHF-15244

Security Management

Although the Access Settings of the Management API is set to "All IP addresses", the API server does not accept requests from any IP address unless the IP is defined explicitly as a Trusted Client.

PRJ-20885,
PRHF-14946

Security Management

In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.

PRJ-18473,
PRHF-13644

Security Management

In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process.

PRJ-18896,
PRHF-13860

Security Management

Policy installation may fail after migration from Domain Management to Security Management Server.

PRJ-20115,
PMTR-60541

Security Management

In a rare scenario, the FWM process unexpectedly exits.

PRJ-18815,
PRHF-13819

Security Management

Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts.

PRJ-19023,
PMTR-61616

Security Management

In rare scenarios, FWM process may unexpectedly exit after a login attempt to the Management server.

PRJ-18490,
PRHF-13681

Security Management

In rare scenarios, a policy installation task may never complete.

PRJ-20852,
SMCUPG-1316

Security Management

Management Server upgrade from R80.20 to R80.40 may fail if a Network Interface object refers to a Gateway object that does not exist.

PRJ-20840,
SMCUPG-1454

Security Management

When migrating a Domain Management Server to a Security Management Server:

  • SmartEvent Blade cannot be activated on the migrated domain
  • If the Domain had standby Domain Servers, it may cause inconsistencies in the database, which may result in different failures. For example, policy installation may fail.

PRJ-20302,
PRHF-14634

Security Management

In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error.

PRJ-17690,
PRHF-13332

Security Management

In some scenarios, HA temporary sub-directories under $FWDIR/tmp are not deleted if sync fails. Refer to sk170972.

PRJ-16472,
PMTR-58630

Security Management

Login with SmartConsole is blocked while the purge revisions task is running.

PRJ-19953,
PRHF-14394

Security Management

The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds.

PRJ-18286,
PMTR-61010

Security Management

In rare scenarios, the CPU and memory usage of the CPM process may be abnormally high. Refer to sk170672.

PRJ-20763,
PRHF-14399

Security Management

High load may occur on the Management Server when searching for a prefix of an IP address that has more than 10 thousand matches.

PRJ-20802,
PRHF-14691

Security Management

In some scenarios, deleting a partial domain with the createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains.

PRJ-21584,
PRHF-15222

Security Management

In rare cases, the CPM Solr process may not be stopped when running cpstop or mdsstop.

PRJ-21187,
PMTR-63358

Security Management

In rare scenarios, logout from a session fails with "An internal error has occurred" message.

PRJ-21357,
PRHF-14606

Security Management

In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole.

PRJ-17787,
PRHF-13382

Security Management

In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT.

PRJ-16470,
PMTR-58631

Multi-Domain Management

UPDATE: When reassigning Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in queue of the local server due to other tasks that are running.

PRJ-17211,
PRHF-12851

Multi-Domain Management

UPDATE: With this fix, mds_backup will back up the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server.

PRJ-22273,
PMTR-65110

Multi-Domain Management

In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916.

PRJ-18688,
PRHF-13744

Multi-Domain Management

Database installation to the newly created Domain Log Server may fail.

PRJ-19723,
PMTR-62272

Multi-Domain Management

The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.

  • A Domain manager running the API will be notified when the results will be filtered and will be asked to run the command again with the "ignore-warnings" flag.

PRJ-19275,
PRHF-13977

Multi-Domain Management

In rare scenarios, Management Server becomes inaccessible after a Global Policy reassign operation.

PRJ-19645,
PMTR-62201

Multi-Domain Management

In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556.

PRJ-17560,
PRHF-12885

Multi-Domain Management

In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server.

PRJ-21342,
PRJ-16910

Multi-Domain Management

When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work.

PRJ-21277,
SMCUPG-1625

Multi-Domain Management

In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.

PRJ-19992,
PRHF-14349

Multi-Domain Management

After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional:

  • The editor may not show configuration correctly
  • Security Gateway update may fail.

PRJ-19317,
PMTR-61346

SmartConsole

NEW: Added support for Python 3 in Management API scripts.

PRJ-20244,
PMTR-62490

SmartConsole

UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once).

PRJ-13810,
PRJ-13808

SmartConsole

In some scenarios, the Administrators view shows all administrators in all domains regardless of the specific permission profile of the connected administrator.

PRJ-20145,
PRJ-20146

SmartConsole

SmartConsole may disconnect when searching in the Object Explorer for text with an odd number of double quotes.

PRJ-20784,
PRHF-13556

SmartConsole

When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing.

PRJ-19831,
PMTR-50205

SmartConsole

The "show objects" command returns all objects in Global domain with any filter when "ip-only" flag is set to "true".

PRJ-13121,
PRHF-11105

SmartConsole

In some scenarios, the "Update operation failed" error is displayed when attempting to delete a Gateway from the VPN community. Refer to sk167212.

PRJ-19200,
PRHF-13955

SmartConsole

In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352.

PRJ-14104,
PRHF-11590

SmartConsole

Search in Threat Prevention Exceptions in Protection/Site/File/Blade column may not return all expected results.

PRJ-18882,
PRHF-13818

SmartConsole

Setting values for the environment variables of the Management API as per sk165938 does not work: the values are neither loaded nor used by the API process.

PRJ-19059,
PMTR-34323

SmartConsole

Upgrade may fail due to an IPS protections comment that exceeds the comment length limit.

PRJ-13815,
PMTR-19017

SmartConsole

In some scenarios, when the user attempts to delete a VSX Gateway / VSX Cluster, an error message may appear and the operation may not be completed successfully. Refer to sk167492.

  • Requires R80.20 SmartConsole Build 121 (or higher).

PRJ-18380,
PRHF-13609

SmartConsole

In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances.

PRJ-20313,
PRHF-14637

SmartConsole

In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895.

PRJ-21523

SmartConsole

In a rare scenario, Automatic NAT rules are not visible in SmartConsole.

PRJ-20238,
PRHF-14533

SmartConsole

When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found".

PRJ-18920,
PRHF-13879

SmartConsole

In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435.

PRJ-17480,
PRHF-12997

SmartProvisioning

In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status.

PRJ-17998,
SL-2106

Logging

NEW:

  1. Log Exporter can now schedule a recurring reconnection to the target 3rd party server periodically. This allows usage of a Load Balancer component for target servers.
  2. The target 3rd party server can be declared as a DNS name also when using UDP protocol.

PRJ-12199,
PRHF-10306

Logging

In some scenarios, the "Failed to fetch the file" error is displayed when trying to open Threat Emulation summary reports generated by VSX Gateways.

PRJ-17354,
PMTR-59205

Logging

FWM and/or log_indexer processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452.

PRJ-1651,
SL-1901

Logging

UPDATE: Added the ability for the SOLR process running on the Log Server to prevent TLS 1.1 and below on port 8211. Refer to sk168472.

PRJ-19714,
PMTR-53967

Logging

When installing a newer Jumbo Hotfix, the Log Exporter filtering configuration may not persist and may be reset to default.

PRJ-16174,
PMTR-55550

Logging

In some scenarios, the cpsemd process on the log server may close unexpectedly during a restart, shutdown or upgrade.

PRJ-17162,
PMTR-59241

Logging

The "show-log" API command may fail with the "GENERIC_SERVER_ERROR" error.

PRJ-7952,
PRHF-7415

Logging

In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676.

PRJ-19008,
PRHF-13936

Logging

In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196.

PRJ-21157,
PRJ-21078

Logging

In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments.

PRJ-11310,
PMTR-51802

Logging

In Multi-Domain Management environments, some of the LOG_INDEXER processes may fail to start due to an occupied port.

PRJ-19820,
SL-4358

Logging

In rare scenarios, the log_indexer process may unexpectedly exit when reading a specific log format. Refer to sk116117.

PRJ-7523,
SL-2989

Logging

Connection between the Gateway and the Log Server may go down, with the following error message in the fwd.elg file on the Gateway: "Log server xxx.xxx.xxx.xxx went down".

PRJ-5872,
PRHF-3460

Logging

In rare scenarios, when the user configures a custom event with a script based automatic reaction in SmartEvent, the SmartEvent client may show the following error: "Server is not responding. Please try to reconnect later". Refer to sk155192.

PRJ-20561,
PMTR-58714

Logging

In rare scenarios, the Log Exporter fails to connect to external destination when using the TLS protocol.

PRJ-19843,
PMTR-62010

SmartView

UPDATE: Improved the usability of the time resolutions (formerly known as samples) of the Timeline widgets.

PRJ-20872,
PMTR-62957

SmartView

UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel.

PRJ-18778,
PMTR-56281

SmartView

In rare scenarios, "Critical attacks allowed by policy widgets" in "General Overview" view may show no results while actual data exists. Refer to sk171001.

PRJ-9548,
PRJ-9381

Security Gateway

NEW: Added DNS Passive Learning feature for enhanced non-FQDN domain objects & updatable objects matching. Refer to sk161612.

PRJ-11341,
PRHF-9582

Security Gateway

NEW: Added support for authentication with a RADIUS server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3.

PRJ-20335,
PMTR-57101

Security Gateway

NEW: Improved performance when IP Pool NAT is used.

PRJ-13344,
PRHF-8408

Security Gateway

In a rare scenario, the FWD process opens connections to port 111.

PRJ-20735,
PRJ-20058

Security Gateway

In rare scenarios, Security Gateway memory consumption may increase.

PRJ-21609,
PRHF-14715

Security Gateway

Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold".

PRJ-11203,
PRHF-9029

Security Gateway

In some scenarios, traffic that is matched on an implied rule is dropped when it should not be.

PRJ-20382,
PRHF-13431

Security Gateway

In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher.

PRJ-21242,
PRHF-12746

Security Gateway

In rare scenarios, proxy ARP entries may be deleted when installing a policy.

PRJ-20629,
PRHF-14378

Security Gateway

In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server.

PRJ-21108,
PRHF-14953

Security Gateway

Authentication may fail when LDAP branch name contains "\".

PRJ-11404,
PMTR-24679

Security Gateway

In some scenarios, dmesg shows "up_manager_resume_chain: fwhold_send failed. chain will be dropped by the fwhold API" error messages when the connection was already dropped and cannot be resumed. Refer to sk133253.

PRJ-20652,
PMTR-63092

Security Gateway

Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and the wrong username/password is provided by the user.

PRJ-18627,
PRHF-11912

Security Gateway

Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992.

PRJ-11792,
AVIR-479

Security Gateway

False "alert" logs may be displayed in some Anti-Spam events.

PRJ-20720,
PRJ-20057

Security Gateway

In rare scenarios, Security Gateway memory consumption may increase.

PRJ-20897,
PRHF-14824

Security Gateway

In some scenarios, the DNS requests from the Security gateway may fail.

PRJ-19701,
PMTR-62215

Security Gateway

In rare scenarios, a memory leak may occur in TOPOD process.

PRJ-14446,
PMTR-10041

Security Gateway

In some scenarios, a large number of interfaces defined on the Security Gateway may cause high CPU utilization by the CPD process. Refer to sk168674.

PRJ-17366,
PRHF-858

Security Gateway

DynamicID via SMTP does not work when an HTTP proxy server is defined.

PRJ-19954,
PMTR-62477

Security Gateway

Half-closed accelerated TCP connections may take too long to expire.

PRJ-19064,
PRJ-18831

Security Gateway

In a rare scenario, Security Gateway memory consumption may increase and lead to a memory leak.

PRJ-13374,
PMTR-54887

Security Gateway

The TCP State Logging feature may not work as expected. Refer to sk101221.

PRJ-19582,
PMTR-61102

Security Gateway

In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.

PRJ-19848,
PRHF-14268

Security Gateway

In some scenarios, a memory leak may appear after sending a packet from the kernel.

PRJ-19158,
TEX-1482

Threat Extraction

UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable.

To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy.

PRJ-9943,
PRHF-8315

Anti-Malware

In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway.

PRJ-17841,
PMTR-58416

Anti-Malware

In some scenarios, Threat Prevention logs appear half full (not unified).

PRJ-19736,
PRJ-17439

Anti-Malware

In some scenarios, users may fail to access a web site with many malicious URLs.

PRJ-12467,
PMTR-38976

Anti-Malware

In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus Blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606).

PRJ-19742,
PRHF-13998

Anti-Bot

Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure.

PRJ-18124

Identity Awareness

NEW: Added Identity Sharing SmartPull mechanism performance and functionality improvements. Refer to sk170516.

PRJ-13173,
PMTR-53443

Identity Awareness

UPDATE: Optimized memory usage in the PDP process's LDAP operations.

PRJ-19748,
PRHF-14338

Identity Awareness

In some scenarios, the Security Gateway may not recognize an IP address as a local address, resulting in wrong drops.

PRJ-19636,
PMTR-61982

Identity Awareness

In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process.

PRJ-16169,
IDA-754

Identity Awareness

After changing 'pdp nested_groups __set_state 2', flat groups are fetched correctly, but nested groups are not fetched. Refer to sk166199.

PRJ-12501,
PRHF-10481

Identity Awareness

In some scenarios, Identity Awareness counters in cluster environments show zero.

PRJ-20844,
PRHF-14347

Identity Awareness

In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.

PRJ-20093,
PMTR-59101

DLP

UPDATE: Added support for multi-part data to DLP.

PRJ-17871,
PRHF-10279

HTTPS Inspection

UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:

  • Improved enforcement of first connection when URL Filtering setting is in 'Hold' mode
  • Added SNI information to connection logs when connection is matched on rule with "Extended Log"
  • Hold mode granularity

For configuration, refer to sk173633.

PRJ-18822,
PRHF-13605

HTTPS Inspection

Cannot browse with Chrome when using mixed chain with ECDSA subordinate CA in HTTPS Inspection. Refer to sk170332.

PRJ-19468,
PMTR-58086

HTTPS Inspection

In some scenarios, the HTTPS Inspection CA bundle is not created on the Security Gateway.

PRJ-18702,
PRHF-12299

UserCheck

When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear on URL field of log details.

PRJ-19038,
PRHF-13886

UserCheck

In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message.

PRJ-13968,
PRHF-11634

IPS

UPDATE: The "ips stat" command now shows all active Threat Prevention profiles with IPS enabled on the Security Gateway.

PRJ-13497,
PRHF-10943

IPS

In some scenarios, non-compliant IMAP traffic is dropped.

PRJ-14059,
PRHF-5061

IPS

In some scenarios, SmartEvent does not create IPS events based on the "Critical severity" field.

PRJ-19297,
PRHF-13560

IPS

In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs.

PRJ-20345,
PRHF-14266

IPS

In a rare scenario, SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally.

PRJ-10921,
HP-97

IPS

In some scenarios, "cmik_loader_fw_context_match_cb: match_cb for CMI APP 10 failed" error appears in dmesg for HTTP traffic.

PRJ-18177,
MBS-12220

URL Filtering

In some scenarios, the wstlsd process may unexpectedly exit and produce a core dump.

PRJ-20583,
VPNRA-642

Mobile Access

Removed potential XSS vulnerability in the MAB Login page.

PRJ-19233,
PRHF-14046

Mobile Access

There may be a delay when connecting to HTTPS based SMS portal over a non-standard proxy port. Refer to sk170497.

PRJ-17323,
PRHF-13031

Mobile Access

A user may not connect with Remote Access Client if this user belongs to many groups defined in SmartConsole.

PRJ-20532,
PRHF-14728

ClusterXL

In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing.

PRJ-14358

ClusterXL

Same MAC Magic configuration on different clusters in Unicast mode may cause flapping in switch. Refer to sk167206.

PRJ-16513,
MBS-11708

SecureXL

NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features.

PRJ-14937,
PMTR-56844

SecureXL

UPDATE: "fwaccel dos blacklist" and "fwaccel dos whitelist" commands are deprecated and replaced by "fwaccel dos deny" and "fwaccel dos allow". Refer to sk112454.

PRJ-18320,
PRHF-13474

SecureXL

UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146.

PRJ-20024,
PRHF-14228

SecureXL

Server may not reuse the TCP connection when the user allows out of state TCP packets.

PRJ-16580,
PRHF-12716

SecureXL

In some scenarios, traffic with the destination IP address as the broadcast address configured according to sk98810 is dropped.

PRJ-18081,
RHF-13507

SecureXL

SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132.

PRJ-20052,
PRHF-14417

SecureXL

In rare scenarios, SecureXL may crash due to NULL handling.

PRJ-891,
PRHF-2914

SecureXL

In some scenarios, output of "fwaccel stat" command does not display the layer name that disables the templates (only "Layer ---" is displayed). Refer to sk145533.

PRJ-19661,
PRHF-13929

SecureXL

In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.

PRJ-19403,
PMTR-60870

SecureXL

In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148.

PRJ-17401,
PRHF-13153

SecureXL

In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293.

PRJ-16353,
PRJ-16349

CoreXL

In a rare scenario, CPU consumption on some instances is high. Refer to sk168513.

PRJ-20468,
PRHF-14653

Gaia OS

In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object).

Refer to sk171055 to configure the required parameter FORCE_NATTED_IP.

PRJ-19143,
PMTR-55383

Gaia OS

UPDATE: Added the option to bind IP addresses to sockets using the udp_connect API. Refer to sk171019.

PRJ-18240,
PRHF-13451

Gaia OS

"cphaprob -h" shows wrong explanation for "cphaprob show_bond [<bond_name>]" command.

PRJ-18078,
PRHF-13504

Gaia OS

On environments with large IP routing tables, the SNMPD process may consume 100% CPU when running a scan from an external tool. Refer to sk170150.

PRJ-20940,
PMTR-63343

Gaia OS

Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.

PRJ-18086,
PRHF-13504

Gaia OS

Querying routing info via SNMP may consume 100% CPU in case of a massive IP routing table. Refer to sk170150.

PRJ-18937,
PRHF-13812

Gaia OS

In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file.

PRJ-20745,
PMTR-63201

Gaia OS

CVE-2020-25705: ICMP reply rate.

PRJ-15659,
PMTR-57216

Routing

UPDATE: Display of routing CPview results is limited to 30 lines.

PRJ-18798,
PMTR-46178

Routing

In some scenarios, the ROUTED process unexpectedly exits when removing an OSPF interface that had authentication configured. Refer to sk170272.

PRJ-19460,
PMTR-60878

Routing

Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works.

PRJ-19626,
PRHF-14280

Routing

ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works.

PRJ-20441,
ROUT-1325

Routing

The old route may not be removed when a BGP ECMP route is changed.

PRJ-20436,
PMTR-45014

Routing

ECMP route nexthops learned from BGP peers may not be properly updated in the kernel, resulting in network connectivity loss.

PRJ-18785,
PMTR-60976

VPN

NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2.

PRJ-17484,
PMTR-40127

VPN

NEW: Added Anti-Spoofing functionality for Remote Access Office Mode IPs in SecureXL.

PRJ-16429

VPN

UPDATE: Added support for fetching CRL with proxy in Site-to-site VPN configuration.

PRJ-19087,
PMTR-61752

VPN

UPDATE: Remote Access VPN stability improvement.

PRJ-15547,
PRHF-11629

VPN

UPDATE: Added the TTM-per-group feature improvement that allows it to work with more client types (for example Nemo client).

PRJ-15739,
PRHF-12010

VPN

In some scenarios, findSAByPeer does not validate the peer IP address for DAIP peer behind NAT.

PRJ-18750,
PRHF-2209

VPN

In some scenarios, the Dynamic ID configuration in SmartConsole (SMS/Email) is ignored. Refer to sk144933.
With this fix, an administrator will be able to choose for each login option separately which protocol (HTTP/SMTP) will be used to send the one-time code.

PRJ-20330,
PMTR-62776

VPN

Security Gateway may crash when you install policy on a MAB Gateway and a policy file is corrupted.

PRJ-20865,
PMTR-56565

VPN

In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues.

PRJ-20945,
PMTR-63287

VPN

In some scenarios, L2TP clients disconnect from the Security gateway after 10 minutes of the connection.

PRJ-17491,
PRHF-13007

VPN

In IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync causing a VPN traffic outage. Refer to sk172926.

PRJ-7479,
GAIA-6504

VPN

Policy installation with VPN enabled may take a long time.

PRJ-19421,
PRHF-13784

VPN

In some scenarios, the vpnd process unexpectedly exits with Segmentation fault.

PRJ-20824

VPN

In IKEv2, the renegotiation of IKE SA may fail.

PRJ-20646,
PMTR-63280

VPN

In some scenarios, the VPND process may unexpectedly exit.

PRJ-20272,
PRHF-14308

VPN

In a rare scenario, a memory leak may appear when RASession_util is active.

PRJ-20519,
PRHF-14766

VPN

In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol.

PRJ-16338,
PRHF-12447

VPN

The user may be unable to connect with Remote Access when the username or user field in the certificate is too long.

PRJ-13093,
PRHF-11004

VPN

A RADIUS packet sent by the Security Gateway may show the Framed-IP-Address field in reverse order. Refer to sk167361.

PRJ-19213,
PRHF-13685

VPN

Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.

PRJ-18268,
PRHF-13543

VPN

The VPND process on a standby cluster member may unexpectedly exit when VPN peer has a probing link selection configured. Refer to sk170136.

PRJ-12240,
PRHF-10370

VPN

When clicking "View" in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496.

PRJ-13819,
PRHF-10420

VPN

Access roles do not recognize Remote Access SNX CLI clients.

PRJ-18500,
PMTR-60820

VSX

UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903.

PRJ-18292,
PMTR-53549

VSX

VSX VSLS with 3 Members may fail to connect to Identity Collector. Refer to sk170836.

PRJ-20962,
VSX-2519

VSX

After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352.

PRJ-18612,
PMTR-55887

VSX

In some scenarios, there may be high CPU utilization in a VSX environment with several instances.

PRJ-18575,
PMTR-59637

Compliance

UPDATE: Added ability to select 'Any' in the Service column when creating a custom firewall Best practice.

  • Requires R80.20 SmartConsole Build 121 (or higher).

PRJ-14100,
PRJ-14100

Compliance

In some scenarios, Compliance Blade does not scan inline layers for Application Control and URL Filtering Best Practices.

PRJ-20601,
PRHF-14400

VoIP

VoIP RTP can cause overload on global instance (CoreXL instance 0).

PRJ-16454,
PRHF-12691

VoIP

SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373.