R80.40 Jumbo Hotfix Take 100

NEW: Optimized the Solr build time to improve performance in the following operations:

• Restore of the entire MDS/MLM from backup
• Upgrade from R80.10
• Solr Cure

UPDATE: Added validation to block migration of a Domain to a Security Management if the Domain is assigned to the Global Domain.

Management Server upgrade from R80.20 to R80.40 may fail if a Network Interface object refers to a Gateway object that does not exist.

In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error.

Migrate of Security Management to a Domain on a Multi-Domain Server may fail if a previous migration attempt of the same Security Management already failed and a different Domain name was used for the second attempt.

In rare scenarios, the initiation of the Management server may take a long time.

Although the Access Settings of the Management API is set to "All IP addresses", the API server does not accept requests from any IP address unless the IP is defined explicitly as a Trusted Client.

In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.

UPDATE: When running Reassign Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in queue of the local server due to other tasks that are running.

After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional:

• The editor may not show configuration correctly
• Security Gateway update may fail.

Migration of a Domain assigned to a Global Domain may fail with the "Dynamic object: not found" error.

The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.

• A Domain manager running the API will be notified when the results will be filtered and will be asked to run the command again with the "ignore-warnings" flag.

After a network interface is removed by cluster API, a network group assigned to that interface remains as used by cluster members and cannot be deleted.

Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.).

In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895.

In rare scenarios, the "Show Policy Package" tool and some Management API commands with details-level "full" may fail when UTM cluster is part of the policy targets.

In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435.

UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel.

In some scenarios, the "Failed to fetch the file" error is displayed when trying to open Threat Emulation summary reports generated by VSX Gateways.

FWM and\or log_indexer processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452.

In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676.

UPDATE: Service with source port in the Access rulebase will no longer disable accept templates for all connections.

In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.

In some scenarios, a memory leak may appear after sending a packet from the kernel.

In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server.

In some scenarios, logs with incorrect action are generated by ICAP server.

Authentication may fail when LDAP branch name contains "\".

In rare scenarios, proxy ARP entries may be deleted when installing a policy.

In rare scenarios, passive FTP packets may be dropped.

UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:

• Improved enforcement of first connection when URL Filtering setting is 'Hold' mode
• Added SNI information to connection logs when connection is matched on rule with "Extended Log"
• Hold mode granularity

For configuration, refer to sk173633.

In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch.

In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.

UPDATE: Added support for multi-part data to DLP.

In rare scenarios, a memory leak may occur during policy installation.

In a rare scenario, Security gateway may crash when the Threat Prevention Forensics feature is enabled.

In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message.

In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing.

In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state.

UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146.

In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293.

UPDATE: Display of routing CPview results is limited to 30 lines.

ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works.

In rare scenarios, some interfaces remain in "Down" state after reboot.

UPDATE: Added the TTM-per-group feature improvement that allows it to work with more client types (for example Nemo client).

In some scenarios, the vpnd process unexpectedly exits with Segmentation fault.

In some scenarios, the IKE QM negotiating issue with Windows Server 2008 R2 peer may occur.

Access roles do not recognize Remote Access SNX CLI clients.

When clicking "View" in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496.

In some scenarios, the VPND process may unexpectedly exit.

UPDATE: OpenSSL was updated to version 1.1.1i to include the latest code fixes and security improvements.

UPDATE: Added support for multiple commands definition in Dynamic CLI feature.

Messages log level in /var/log/messages file for ERR level was changed to INFO level when fetching proxy configuration from Clish/WebUI/Gaia API.

Example: [DATE TIME] <daemon.err> ... xpand[25958]: proxy_live_get_proc: Started...

The syslog messages may be spammed when the "show asset all" command is running.

CVE-2020-25705: ICMP reply rate.

In some scenarios, like defected LOM card, or when LOM port exists, but no LOM is connected, the confd process may unexpectedly exit.

Database size may increase exponentially because dynamic packages are packed into exported .tgz using migrate_export.

In some scenarios, the "Endpoint Security Client Version" report shows "N/A" in DAT Date column for all devices on the SmartEndpoint Reporting page.