Take 235 - Ongoing

"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026.

SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server.

Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003.

Security policy compilation fails if the Domain network object name (FDQN name) contains space.

"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation.

On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704.

In a rare scenario, Management HA synchronization fails after the Purge Revisions operation.

UPDATE: Improved the Domain Management Server and Domain Log Server creation and deletion operations.

In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.

In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain.

In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704.

In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles.

"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' Blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management servers has the "Logging & Status" Blade disabled. Refer to sk172226.

In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker.

NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated.

When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763.

In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis.

In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results).

• In environments with more than 500K network objects, the log_indexer process may lead to a memory leak.
• In some scenarios, when there are offline logs to index, queries are slower than expected.

In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one.

In SmartView, when opening a log card popup in lower resolutions, the text in the header may be cut off.

In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done.

Deactivated Compliance Best Practices appear in the Compliance report.

NEW: Implemented new Fast-Accel producer.

The following Fast-Accel statistics are added to CPView:

• Status: current status of Fast-Accel feature (enabled/disabled).
• Configured rules: number of rules were added by the user. These rules determines whether a connection should be accelerated or not.
• Accelerated connections amount: number of accelerated connections.
• Total connections amount: total connections opened in PPAK.
• Accelerated connections percentage: percentage of accelerated connections as part of the overall traffic.
• Services distribution: number of times each service was used by the accelerated connections.

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.

In some scenarios, the "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file.

The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled.

In a rare scenario, the FWK process unexpectedly exits during debug.

• Fix is relevant for Gaia 3.10 only.

In a rare scenario, Fast Accel logs are sent although they are disabled on the matched rule. Refer to sk171336.

When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.

The connection may not exist in SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allow out of state TCP packets.

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH).

In some scenarios, VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*).

UPDATE: Exceptions are now enforced for these IPS protections:

• ASCII Request Response
• ASCII Response Response
• HTTP Header Patterns
• HTTP URL Patterns
• CIFS File Patterns

Refer to sk166222.

The fw_full (fwd daemon) unexpectedly exits producing a core dump fila and causing a cluster failover.

In rare scenarios, a memory leak may occur in a crypto module.

A memory leak may occur during policy installation.

In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected.

When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear on URL field of log details.

• Fix is relevant for Gaia 3.10 only.

Mobile Access may overwrite the /etc/hosts file on Security Gateway.

In some scenarios, a large quantity of logs is generated on cluster VIP API.

During active-active-bridge mode, the "show routed cluster-state" command may display some members as subordinate instead of master.

• Fix is relevant for Gaia 3.10 only.

TCP reset packets may be dropped with an invalid sequence.

In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections.

In some scenarios, not all IP addresses listed in Deny List file $FWDIR/conf/deny_lists are loaded.

In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.

• Fix is relevant for Gaia 3.10 only.

UPDATE: SNMP USM user names limitation was increased from 8 characters to 31.

In rare scenarios, SNMP user details may be visible in /var/log/messages file.

Non-English characters in Expert password may cause Clish to crash.

Captive Portal / SAML portal may not work after installation with Blink image.

CVE-2020-25705: ICMP reply rate.

• Fix is relevant for Gaia 3.10 only.

NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity.

Mobile Access SNX may fail to connect to the Security gateway when the realm used by the client is different for the SSL VPN realm.

In a rare scenario, there may be an incorrect IKE ID in an ID payload with 3rd party peers in IKEv1 and IKEv2.

Tunnel Test packets may be dropped by Secure Configuration Verification (SCV) check when implied rules are disabled. Refer to sk168033.

Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.

• Fix is relevant for Gaia 3.10 only.

When the Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not be removed from the table.

Added stability fix in validation checks for ECDSA certificates.

In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address.

• Fix is relevant for Gaia 3.10 only.