Take 228 - General Availability
List of Resolved Issues and New Features
Note - This Take contains all fixes from all earlier Takes.

Take 228 Released on 2 February 2021 and declared as General Availability on 16 March 2021

| ID | Product | Description |
|---|---|---|
| PRJ-19947 | Security Management | NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally. |
| PRJ-19697 | Security Management | UPDATE: If a Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours. |
| PRJ-17762 | Security Management | When migrating a Security Management Server that was created as a standby and then set to active, into a Domain Management Server, the new Domain is created without an active Domain Server. |
| PRJ-19083 | Security Management | In some scenarios, HA synchronization may fill up the disk space of a standby Management Server. Refer to sk168492. |
| PRJ-17691 | Security Management | In some scenarios, HA temporary sub-directories under $FWDIR/tmp are not deleted if sync fails. Refer to sk170972. |
| PRJ-18287 | Security Management | In rare scenarios, the CPU and memory usage of the CPM process may be abnormally high. Refer to sk170672. |
| PRJ-20114 | Security Management | In a rare scenario, the FWM process unexpectedly exits. |
| PRJ-18378 | Security Management | In some scenarios, SecurID configuration files on the Security Gateway are overridden upon policy installation. |
| PRJ-18474 | Security Management | In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process. |
| PRJ-19952 | Security Management | The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds. |
| PRJ-17727 | Security Management | Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name. |
| PRJ-18897 | Security Management | Policy installation may fail after migration from Domain Management to Security Management Server. |
| PRJ-21077 | Security Management | When installing an R80.30 Jumbo Hotfix Take higher than 83 on Security Management server, the /opt/CPSFWR80CMP-R80.30/conf/vpn_route.conf file is overwritten. Refer to sk170573. |
| PRJ-19272 | Security Management | Policy installation duration may increase due to a large $FWDIR/conf/invalid_object_names.C file on the Management Server. Refer to sk170427. |
| PRJ-17212 | Multi-Domain Management | UPDATE: With this fix, mds_backup will back up the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server. |
| PRJ-19276 | Multi-Domain Management | In rare scenarios, the Management Server becomes inaccessible after a Global Policy reassign operation. |
| PRJ-18250 | Multi-Domain Management | Migration of Domain Server between different Multi-Domain Servers may fail due to incorrect internal values of default objects. |
| PRJ-17561 | Multi-Domain Management | In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server. |
| PRJ-19646 | Multi-Domain Management | In rare scenarios, a Domain is shown in the Domains view without any Domain Server, or a Domain is shown with a Domain Server that was deleted and no longer exists. Refer to sk170556. |
| PRJ-19318 | SmartConsole | NEW: Added support for Python 3 in Management API scripts. |
| PRJ-20245 | SmartConsole | UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once). |
| PRJ-13811 | SmartConsole | In some scenarios, the Administrators view shows all administrators in all domains regardless of the specific permission profile of the connected administrator. |
| PRJ-18883 | SmartConsole | Setting values for the environment variables of the Management API as per sk165938 does not work: the values are neither loaded nor used by the API process. |
| PRJ-20146 | SmartConsole | SmartConsole may disconnect when searching in the Object Explorer for text with an odd number of double quotes. |
| PRJ-13814 | SmartConsole | In some scenarios, when the user attempts to delete a VSX Gateway / VSX Cluster, an error message may appear and the operation may not be completed successfully. Refer to sk167492. |
| PRJ-20379 | SmartConsole | Adding Global dynamic objects to source or destination columns of access rules on the Global Domain via Management API may fail when using the Global dynamic object names. |
| PRJ-13122 | SmartConsole | In some scenarios, the "Update operation failed" error is displayed when attempting to delete a Gateway from the VPN community. Refer to sk167212. |
| PRJ-19832 | SmartConsole | The "show objects" command returns all objects in Global domain with any filter when "ip-only" flag is set to "true". |
| PRJ-20785 | SmartConsole | When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing. |
| PRJ-19533 | SmartConsole | In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect. |
| PRJ-19201 | SmartConsole | In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352. |
| PRJ-18381 | SmartConsole | In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances. |
| PRJ-14105 | SmartConsole | Search in Threat Prevention Exceptions in Protection/Site/File/Blade column may not return all expected results. |
| PRJ-18464 | SmartConsole | In some scenarios, Staging mode IPS protections activation in the Local domain does not match the activation in the Global domain after a Global Threat Prevention policy assignment. Refer to sk170322. |
| PRJ-18779 | SmartView | In rare scenarios, "Critical attacks allowed by policy widgets" in the "General Overview" view may show no results while actual data exists. Refer to sk171001. |
| PRJ-19844 | SmartView | UPDATE: Improved the usability of the time resolutions (formerly known as samples) of the Timeline widgets. |
| PRJ-17996 | Logging | NEW: |
| PRJ-1655 | Logging | UPDATE: Added the ability for the SOLR process running on the Log Server to prevent TLS 1.1 and below on port 8211. Refer to sk168472. |
| PRJ-7524 | Logging | Connection between the Gateway and the Log Server may go down, with this error message in the fwd.elg file on the Gateway: "Log server xxx.xxx.xxx.xxx went down". |
| PRJ-19818 | Logging | In rare scenarios, the LOG_INDEXER process may unexpectedly exit when reading a specific log format. Refer to sk116117. |
| PRJ-5873 | Logging | In rare scenarios, when the user configures a custom event with a script based automatic reaction in SmartEvent, the SmartEvent client may show the "Server is not responding. Please try to reconnect later" error. Refer to sk155192. |
| PRJ-19715 | Logging | When installing a newer Jumbo Hotfix, the Log Exporter filtering configuration may not persist and may be reset to default. |
| PRJ-2522 | Logging | In rare scenarios, the log_indexer process may unexpectedly exit. |
| PRJ-17163 | Logging | The "show-log" API command may fail with the "GENERIC_SERVER_ERROR" error. |
| PRJ-11311 | Logging | In Multi-Domain Management environments, some of the log_indexer processes may fail to start due to an occupied port. |
| PRJ-16175 | Logging | In some scenarios, the cpsemd process on the log server may close unexpectedly during a restart, shutdown or upgrade. |
| PRJ-12200 | Logging | In some scenarios, the "Failed to fetch the file" error is displayed when trying to open Threat Emulation summary reports generated by VSX Gateways. |
| PRJ-11342 | Security Gateway | NEW: Added support for authentication with a RADIUS server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3. |
| PRJ-20336 | Security Gateway | NEW: Improved performance when IP Pool NAT is used. |
| PRJ-20676 | Security Gateway | NEW: Added the Connection Tracker module - a background mechanism collecting connection flows' key points vertically from all Security Gateway components. The connection flows help in understanding connectivity and latency issues by pointing to successful / problematic stages in a connection lifecycle. |
| PRJ-18233 | Security Gateway | In rare scenarios, Security Gateway memory consumption may increase. |
| PRJ-7737 | Security Gateway | False "alert" logs may be displayed in some Anti-Spam events. |
| PRJ-18628 | Security Gateway | Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992. |
| PRJ-13345 | Security Gateway | In a rare scenario, the FWD process opens connections to port 111. |
| PRJ-20513 | Security Gateway | In some scenarios, when using routing separation, connection to Management Plane via Data Plane is dropped. |
| PRJ-19955 | Security Gateway | Half-closed accelerated TCP connections may take too long to expire. |
| PRJ-13375 | Security Gateway | The TCP State Logging feature may not work as expected. Refer to sk101221. |
| PRJ-20954 | Security Gateway | In some scenarios, logs with incorrect action are generated by ICAP server. |
| PRJ-20653 | Security Gateway | Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and the user provides a wrong username/password. |
| PRJ-13969 | IPS | UPDATE: The "ips stat" command now shows all active Threat Prevention profiles with IPS enabled on the Security Gateway. |
| PRJ-19298 | IPS | In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs. |
| PRJ-16444 | IPS | The get_ips_statistics.sh script on VSX may fail with "/bin/cat: /proc/self/vrf: No such file or directory" error. |
| PRJ-13498 | IPS | In some scenarios, non-compliant IMAP traffic is dropped. |
| PRJ-19743 | Anti-Bot | Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure. |
| PRJ-19590 | Anti-Virus | In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occured" error message. |
| PRJ-19597 | DLP | UPDATE: Improved the DLP scans queue for a better scan rate. |
| PRJ-19920 | DLP | UPDATE: Expanded DLP postfix authentication to include NTLM to allow the Security Gateway to connect to mail servers that use the NTLM authentication protocol. |
| PRJ-18988 | DLP | In a rare scenario, "SEC Filings - Draft or Recent" Data Type in DLP is not properly enforced. |
| PRJ-17872 | HTTPS Inspection | UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled: For configuration, refer to sk173633. |
| PRJ-19467 | HTTPS Inspection | In some scenarios, the HTTPS Inspection CA bundle is not created on the Security Gateway. |
| PRJ-16561 | Anti-Malware | Security Gateway may crash when certain traffic is handled during policy installation and the Anti-Virus Deep Scanning is enabled. |
| PRJ-16621 | Anti-Malware | Indicator feeds exported with the "ioc_feeds export" command may contain user credentials. Refer to sk169035. |
| PRJ-15224 | Anti-Malware | In a rare scenario, HTTP connections are timed-out. |
| PRJ-17842 | Anti-Malware | In some scenarios, Threat Prevention logs appear half-full (not unified). |
| PRJ-18700 | UserCheck | When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear in the URL field of log details. |
| PRJ-19159 | Threat Extraction | UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable. To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy. |
| PRJ-9944 | Threat Extraction | In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway. |
| PRJ-17419 | Threat Prevention | Improvements in HTTP chunked encoding inspection. |
| PRJ-18246 | Identity Awareness | NEW: Added performance and functionality improvements to Identity Sharing. Refer to sk170516. |
| PRJ-13174 | Identity Awareness | UPDATE: Optimized memory usage in the PDP process's LDAP operations. |
| PRJ-19637 | Identity Awareness | In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process. |
| PRJ-19747 | Identity Awareness | In some scenarios, the Security Gateway may not recognize an IP address as a local address, resulting in wrong drops. |
| PRJ-18178 | URL Filtering | In some scenarios, the wstlsd process may unexpectedly exit and produce a core dump. |
| PRJ-17324 | Mobile Access | Remote access connectivity fails when the user belongs to a number of groups that exceeds the limited available space (~200 groups). |
| PRJ-14363 | ClusterXL | Same MAC Magic configuration on different clusters in Unicast mode may cause flapping on the switch. Refer to sk167206. |
| PRJ-16514 | SecureXL | NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features. |
| PRJ-18321 | SecureXL | UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146. |
| PRJ-20053 | SecureXL | In rare scenarios, SecureXL may crash due to NULL handling. |
| PRJ-16581 | SecureXL | In some scenarios, traffic with the destination IP address as the broadcast address configured according to sk98810 is dropped. |
| PRJ-18082 | SecureXL | SNMP may show wrong values for the number of bytes and packets accepted by Security Gateway. Refer to sk170132. |
| PRJ-20049 | SecureXL | Memory leak may appear in VPN or Active Streaming configuration. |
| PRJ-20025 | SecureXL | Server may not reuse the TCP connection when the user allows out of state TCP packets. |
| PRJ-19461 | Routing | Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works. |
| PRJ-20046 | Routing | In some scenarios, a large number of unnecessary log messages may be sent to the /var/log/messages file, which makes debugging difficult. Refer to sk170796. |
| PRJ-20437 | Routing | ECMP route nexthops learned from BGP peers may not be properly updated in the kernel, resulting in network connectivity loss. |
| PRJ-20442 | Routing | The old route may not be removed when a BGP ECMP route is changed. |
| PRJ-18278 | Routing | Certain types of multicast traffic may not be handled correctly in Bridge mode. |
| PRJ-20469 | Gaia OS | In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object). Refer to sk171055 to configure the required parameter FORCE_NATTED_IP. |
| PRJ-18239 | Gaia OS | "cphaprob -h" shows incorrect explanation for "cphaprob show_bond [<bond_name>]" command. |
| PRJ-19328 | Gaia OS | In some scenarios, login from data plane context fails (no connectivity to server). |
| PRJ-18609 | Gaia OS | Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled. |
| PRJ-18079 | Gaia OS | On environments with large IP routing tables, the SNMPD process may consume 100% CPU when running a scan from an external tool. Refer to sk170150. |
| PRJ-20941 | Gaia OS | Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253. |
| PRJ-18786 | VPN | NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2. |
| PRJ-17485 | VPN | NEW: Added Anti-Spoofing functionality for Remote Access Office Mode IPs in SecureXL. |
| PRJ-16430 | VPN | UPDATE: Added ability to fetch CRL with proxy in Site to Site VPN. |
| PRJ-19088 | VPN | UPDATE: Remote Access VPN stability improvement. |
| PRJ-15740 | VPN | In some scenarios, findSAByPeer does not validate the peer IP address for DAIP peer behind NAT. |
| PRJ-16339 | VPN | The user may be unable to connect with Remote Access when the username or user field in the certificate is too long. |
| PRJ-14334 | VPN | A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902. |
| PRJ-21085 | VPN | "Decryption failed" drop logs may appear under heavy VPN load for accelerated tunnels using SHA 384 or SHA 512 Ciphers. |
| PRJ-20520 | VPN | In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol. |
| PRJ-20645 | VPN | In some scenarios, the VPND process may unexpectedly exit. |
| PRJ-21681 | VPN | When IKEv2 and pre-shared-key are configured, VPN may fail on the second IKE SA re-key. |
| PRJ-20331 | VPN | Security Gateway may crash when you install policy on a MAB gateway and a policy file is corrupted. |
| PRJ-20273 | VPN | In a rare scenario, a memory leak may appear when RASession_util is active. |
| PRJ-20866 | VPN | In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues. |
| PRJ-18501 | VSX | UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903. |
| PRJ-18187 | VSX | VSX VSLS Cluster with 3 Members may fail to connect to Identity Collector. Refer to sk170836. |
| PRJ-20044 | Endpoint Security | Jumbo Hotfix installation may fail on top of the Jumbo Hotfix with Takes lower than 163. |
| PRJ-20599 | VoIP | VoIP RTP can cause overload on global instance (CoreXL instance 0). |
| PRJ-16455 | VoIP | SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373. |