R80.40 Jumbo Hotfix Take 172

UPDATE: Added validation to the Custom Application/Site object to prevent configuring invalid URLs that cause Access policy installation failure. Refer to sk175187.

Install Policy preset fails if the Threat Prevention policy was uninstalled.

After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted.

Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server.

The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054.

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag.

When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully.

Policy installation may fail with "an internal error" if some objects are pointed to by an old deleted policy. Refer to sk122954.

Editing an object may fail with the "Could not access file for write operation" error.

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position.

In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly.

An error may occur when changing default Time Frame while the SmartView language is not English.

A CSV file exported from SmartView may contain duplicated lines of headers.

UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE).

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

In some scenarios, file download may fail with the "Connection queue exceeded max size" error.

When using the DAIP Gateway object in the Access Rulebase, debug error "fwdnd_log_info_lookup failed" may appear in the fwk.elglog, if the relevant rule has log track. Refer to sk178670.

In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect.

In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade.

After renewing an Internal Certificate Authority (ICA) certificate, policy installation on Virtual Systems may fail with "Internal SSL authentication SSL error (Unknown)".

The Security Gateway may crash with a vmcore.

Improved memory consumption by decreasing the size of the mal_conns table.

A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file.

UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096.

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports.

When ClusterXL is configured, a file may pass without inspection during a failover.

When installing a specific hotfix, the CVPND process may unexpectedly exit.

UPDATE: It is now possible to edit minimal number of required subordinate interfaces for Bond Load Sharing via Clish. The new Clish command is "set interface <interface_name> links <value>".

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510.

In an Active/Active cluster, potential FTP data connection interruption may occur during failover.

NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603.

SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped.

CoreXL instances of SND type may appear in CPView as "OTHER" and not as "CoreXL_SND".

UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. Refer to sk178484.

NEW: KAT tests for IKE and TLS are now validated for FIPS certification.

An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage.

Capsule Connect (IPSec VPN) may fail to re-authenticate.

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW).

Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344.

When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction.

After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS.

The FWK process of Virtual Switch (VSW) may consume a high CPU.

In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby.

"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg.

UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970.

WebUI session may end when creating a Role with full permissions.

Dynamic routing SNMP OID polling may work only in VSX mode.

When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue.

NEW: Added support for Amazon Gateway Load Balancer (GWLB). Starting from this Take, Jumbo Hotfix Accumulator R80.40 can be installed on GWLB deployments.

UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway.

In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds. Refer to the PMTR-60092 limitation in sk166717.

When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments".

NEW: Added a new tab for VoIP monitoring in CPView.

The Security Gateway may crash when running UDP and TCP SIP traffic.