Take 215 - General Availability

NEW: Tasks that fail to complete within 18 hours will be stopped automatically and appear as failed. Refer to sk166455.

In some scenarios, Security policy deletion or installation may fail when there are many Application Control objects used in this policy.

In rare scenarios, a session becomes unusable, and one or more of the following may occur:

• The user is not able to log in and make changes with this session.
• Publishing this session fails.
• Discarding this session fails.

Refer to sk167735.

In some scenarios, changes to a .def file in $FWDIR/lib might be reverted when creating a secondary CMA.

The "Recent Tasks" and "Install Policy Preset" views in MDS Domain might include Domain names, policy packages, and Gateways names. This information is not filtered according to the administrator's permission profile.

Multi-Domain Administrator configuration for RADIUS authentication might show local Domain Radius servers and groups.

Global Policy reassignment may fail after performing the IPS update in the Global domain.

NEW: Added API commands for user, user-template, user-group and identity-tag.

In some scenarios, Inspection Settings view under the General tab is blank.

When using the Management API "show-objects" command to show OPSEC application objects, it may fail with "Requested object [OBJECT ID] not found".

In some scenarios, IPS update tasks may stuck when multiple machines are attempting an update within the same time frame.

When running the "show-domain" API command, the "active" field may be missing from the reply.

SmartView may show "query failed" error message when creating table widget with filter by source/destination host name. Refer to sk119056.

NEW: Added "Hold" override for unsupported protocols (i.e. GRE). Refer to sk148432.

In rare scenario, a traffic outage may occur when time objects are used in the access policy.

In a rare scenario, memory is not freed correctly in the routing mechanism.

• Fix is relevant for Gaia 3.10 only.

In a rare scenario, Security Gateway memory consumption may increase when the Anti-Virus blade is enabled.

Added ability for fw monitor to support monitoring traffic on Acceleration Card.

The number of overrides in Threat Prevention policy -> Profile -> Overrides may also show inactivated overrides, with mismatched information between "override" and "User Modified".

In some scenarios, policy installation fails with "Error code 0-2000111".

In a rare scenario, policy installation may fail with "Error code: 0-2000112" if the URL Filtering blade is active while no other feature or blade is enabled.

In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606).

In some scenarios, Application Control update task may get stuck indefinitely when it is executed as part of Global Policy assignment.

"UserCheck Reference ID" field is missing from logs when the message of the UserCheck customized page is modified and does not contain the text "reference:". Refer to sk165355.

In environments that use certain mail servers, sending a report using SmartView may not work properly.

ClusterXL in Load Sharing mode may drop traffic after a cluster member is rebooted, due to inconsistency of MAC addresses saved in the Firewall kernel and in SecureXL kernel.

NEW: Added tunable kernel parameter "adp_mc_rt_hold_queue_len" to adpkern.conf to eliminate multicast packet drops at the start of a connection (when large bursts of multicast traffic are expected).

NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners.

• Fix is relevant for Gaia 3.10 only.

In some scenarios, there may be a loss of BGP adjacency when displaying BGP routes with very long AS paths or large numbers of BGP communities.

In some scenarios, the xmlUpgradeExec process may unexpectedly exit during Jumbo Hotfix installation. As a result, the configuration file may not be created correctly. Upon login, the following error message may appear:

/etc/appliance_config.xml:1: parser error : Document is empty

/etc/appliance_config.xml:1: parser error: Start tag expected, ^^^ not found"

UPDATE: on Smart-1 410:

• Line card 1 model PE2G2SFPi35*-CP* is changed to CPAC-2-1F-SM*-C*
• Line card 2 model PE210G2SPI9A-XR*-CP* is changed to CPAC-2-10F-SM*-C*

When a bond exceeds 60GB/s, ethtool may report an incorrect speed of the bond interface.

In some scenarios, a backup on a Gaia device with Threat Emulation Blade enabled may fail with "Cannot complete the backup process: not enough space". Refer to sk166833.

Added L2TP Remote Access client connectivity improvements. Refer to Scenario 2 in sk145895.

• Fix is relevant for Gaia 3.10 only.

A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902.

SIP calls with NAT (SIP packet with no SDP but content-type=sdp) may fail to open correctly.

In a rare scenario, creating new VSX and pushing configuration may cause the cluster members to crash.

• Fix is relevant to Gaia 3.10 only.

Some Web applications published by Mobile Access Blade may not work in Host Translation mode.

An error in FDE preboot users calculation might cause Endpoint to be left in a disconnected state. Refer to sk142313.

In some scenarios, SmartEndpoint doe not update info in reports about devices when the user is logged out. Refer to sk164035.

The Endpoint directory scanner may fail to reconnect to the AD if the connection was lost during the scan.

When a user name is updated in SmartEndpoint, the change may result in an unexpected expiration date. Refer to sk165872.

Users/devices may not change their locations in the tree according to Active Directory changes when certain special characters appear in the names.