R80.40 Jumbo Hotfix Take 172

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 172

Released on 25 July 2022

PRJ-38150,
PRHF-23149

Security Management

UPDATE: Improved Access Policy installation time.

PRJ-34852,
PMTR-72440

Security Management

UPDATE: Added validation to the Custom Application/Site object to prevent configuring invalid URLs that cause Access policy installation failure. Refer to sk175187.

PRJ-36848,
PRHF-22352

Security Management

In rare scenarios, the Management Server may fail to start due to incorrect session handling.

PRJ-37708,
PRHF-22796

Security Management

Install Policy preset fails if the Threat Prevention policy was uninstalled.

PRJ-36919,
PRHF-22479

Security Management

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

PRJ-37634,
PRHF-22693

Security Management

After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted.

PRJ-37863,
PRHF-22678

Security Management

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy.

PRJ-37522,
PRHF-22656

Security Management

Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server.

PRJ-37503,
PRHF-22597

Security Management

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

PRJ-37198,
PRHF-22299

Security Management

The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054.

PRJ-35654,
PRHF-21996

Security Management

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

PRJ-37762,
PRHF-22671

Security Management

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

PRJ-35601,
PMTR-77217

Security Management

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

PRJ-37508,
PRHF-22621

Security Management

Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag.

PRJ-35604,

PRHF-21981

Security Management

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

PRJ-38063,
PRHF-22999

Security Management

When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully.

PRJ-38147,
PRHF-23139

Security Management

Cloud Shadow Objects verification may take several minutes.

PRJ-38119,
PRHF-23065

Security Management

Policy installation may fail with "an internal error" if some objects are pointed to by an old deleted policy. Refer to sk122954.

PRJ-39470,
PRHF-23825

Security Management

Management HA synchronization may fail with the "NGM failed to import data" error.

PRJ-37885,
PRHF-22914

Security Management

Editing an object may fail with the "Could not access file for write operation" error.

PRJ-38399,
PRHF-23290

Security Management

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

PRJ-35059,
PRHF-21753

Security Management

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

PRJ-38740,

PRHF-23467

Security Management

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

PRJ-37987,

PRHF-22589

SmartConsole

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

PRJ-37101,
PRHF-22528

Logging

UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125.

PRJ-33815,
PMTR-72206

Logging

The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position.

PRJ-36514,
PRHF-22273

Logging

In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy.

PRJ-36026,
PMTR-70703

Logging

In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly.

PRJ-36461,
PRHF-22152

Logging

When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

PRJ-39295,
PMTR-82675

Logging

An error may occur when changing default Time Frame while the SmartView language is not English.

PRJ-39678,
PMTR-82910

Logging

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) may display a non-ASCII character ("ן»¿"), and the time may be split into two cells.

PRJ-39675,
PMTR-83316

Logging

A CSV file exported from SmartView may contain duplicated lines of headers.

PRJ-36654,
PMTR-77355

Security Gateway

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled.

Refer to sk105740.

PRJ-38688,
PRHF-22315

Security Gateway

UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE).

PRJ-39666,

PRHF-23392

Security Gateway

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

PRJ-39684,
PRHF-23741

Security Gateway

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

PRJ-34622,
PRHF-21300

Security Gateway

When running the "show_configuration" command in CLISH, static routes are shown twice.

PRJ-33698,
PMTR-72984

Security Gateway

In some scenarios, file download may fail with the "Connection queue exceeded max size" error.

PRJ-37011,
PRHF-22369

Security Gateway

Multiqueue Clish "show" commands may fail in a Management Data Plane Separation (MDPS) environment.

PRJ-37608,
PMTR-80518

Security Gateway

When using the DAIP Gateway object in the Access Rulebase, debug error "fwdnd_log_info_lookup failed" may appear in the fwk.elglog, if the relevant rule has log track. Refer to sk178670.

PRJ-33858,
PMTR-76224

Security Gateway

In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down.

PRJ-36119,
PMTR-71654

Security Gateway

In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect.

PRJ-33929,
PRHF-20845

Security Gateway

Cluster failover may trigger the FWK process to exit, with no traffic impact.

PRJ-31030,
PMTR-69049

Security Gateway

In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade.

PRJ-27915,

PRJ-40137,
PMTR-84236,
PMTR-62741

Security Gateway

When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings" and Precise Error "Connection queue exceeded max size". Refer to sk169995.

PRJ-39861,

PRHF-23952

Security Gateway

After renewing an Internal Certificate Authority (ICA) certificate, policy installation on Virtual Systems may fail with "Internal SSL authentication SSL error (Unknown)".

PRJ-37951,
PRHF-22703

Security Gateway

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

PRJ-38075,
GAIA-9576

Security Gateway

The Security Gateway may crash with a vmcore.

PRJ-40998,

PRJ-40954

Security Gateway

In a VSX environment, SNMP queries to OSPF OIDs may fail.

PRJ-39322,
PMTR-83434

Threat Prevention

Improved memory consumption by decreasing the size of the mal_conns table.

PRJ-40610,
PRHF-24611

Threat Prevention

IPS entries of AMW_report.xml may be missing for a Security Gateway onboarded to Infinity SOC.

PRJ-36292,
PMTR-77668

Threat Prevention

A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file.

PRJ-38683,
PRHF-23324

Threat Prevention

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout.

PRJ-36567,
PMTR-79569

Internal CA

UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096.

PRJ-37978,
PMTR-81714

IPS

In very rare scenarios, a traffic outage may occur.

PRJ-39062,

PRHF-12660

IPS

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports.

PRJ-36520,
PMTR-77922

IPS

Improved detection in some IPS protections.

PRJ-36433,
PMTR-77653

IPS

When ClusterXL is configured, a file may pass without inspection during a failover.

PRJ-35291,
PRHF-21849

Mobile Access

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

PRJ-38434,
PMTR-82133

Mobile Access

When installing a specific hotfix, the CVPND process may unexpectedly exit.

PRJ-34869,
PMTR-76212

ClusterXL

UPDATE: Added support for the "Same VMAC" feature.

PRJ-35984,
PMTR-72454

ClusterXL

UPDATE: It is now possible to edit minimal number of required subordinate interfaces for Bond Load Sharing via Clish. The new Clish command is "set interface <interface_name> links <value>".

PRJ-37881,

PMTR-81375

ClusterXL

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

PRJ-37434,
PMTR-80319

ClusterXL

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

PRJ-36176,
PMTR-51050

ClusterXL

In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby.

PRJ-36614,
PMTR-71442

ClusterXL

During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510.

PRJ-36602,
PMTR-79447

ClusterXL

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

PRJ-35227,
PMTR-70530

ClusterXL

In an Active/Active cluster, potential FTP data connection interruption may occur during failover.

PRJ-37488,
PMTR-73519

ClusterXL

In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state.

PRJ-37813,

PRJ-37001

SecureXL

NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603.

PRJ-38593,
PMTR-82425

SecureXL

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

PRJ-39008,

PRHF-22881

SecureXL

SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped.

PRJ-39002,

PRHF-23644

SecureXL

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

PRJ-39112,
PMTR-77465

CoreXL

CoreXL instances of SND type may appear in CPView as "OTHER" and not as "CoreXL_SND".

PRJ-38501,
PRHF-23143

CoreXL

An Active member in a cluster may make a full reboot during policy installation.

PRJ-38558,
PRHF-22924

Routing

UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver.

PRJ-36938,
PMTR-79381

Routing

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

PRJ-37939,
PMTR-80421

VPN

NEW: KAT tests for IKE and TLS are now validated for FIPS certification.

PRJ-37547,
PMTR-79930

VPN

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

PRJ-32679,
PMTR-66706

VPN

An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage.

PRJ-37554,
PMTR-77042

VPN

An outage may occur when using IKEv2.

PRJ-37773,
PRHF-22871

VPN

Capsule Connect (IPSec VPN) may fail to re-authenticate.

PRJ-36436,
PMTR-78967

VPN

Machine Authentication stability improvements for Remote Access Endpoint Clients.

PRJ-34765,

PRHF-21568

VPN

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

PRJ-36449,
PMTR-65595

VSX

UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

PRJ-29582,
PRHF-16144

VSX

UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW).

PRJ-35277,
PMTR-76457

VSX

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation.

PRJ-28545,
PMTR-65366

VSX

Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344.

PRJ-33314,
PRHF-20561

VSX

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

PRJ-32476,
PRHF-20437

VSX

When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction.

PRJ-36132,
PRHF-21970

VSX

A member may fail to pull configuration from the SMO on startup.

PRJ-32705,
PRHF-20553

VSX

After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS.

PRJ-32406,
PMTR-74557

VSX

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

PRJ-38827,

PMTR-82551

VSX

The FWK process of Virtual Switch (VSW) may consume a high CPU.

PRJ-38407,

PMTR-73704

VSX

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

PRJ-33040,

PMTR-69098

VSX

In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby.

PRJ-38792,

PMTR-82492

VSX

In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt.

PRJ-38009,
PMTR-81493

VSX

"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg.

PRJ-10543,
PRJ-39353

VSX

Running the "brctl_show" command in a non-VS0 context may give VS0 results.

PRJ-27470,
PRHF-18056

Gaia OS

UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970.

PRJ-35584,
PRHF-21922

Gaia OS

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

PRJ-36086,
PMTR-78169

Gaia OS

WebUI session may end when creating a Role with full permissions.

PRJ-37347,
PMTR-80176

Gaia OS

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

PRJ-39095,

PRHF-23641

Gaia OS

Dynamic routing SNMP OID polling may work only in VSX mode.

PRJ-33557,

PMTR-75925

Gaia OS

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

PRJ-38229,

PMTR-81516

Gaia OS

When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue.

PRJ-39377,
PMTR-83140

Gaia OS

The CONFD process may unexpectedly exit and generate a core dump file.

PRJ-38097,
PMTR-72669

CloudGuard Network

NEW: Added support for Amazon Gateway Load Balancer (GWLB). Starting from this Take, Jumbo Hotfix Accumulator R80.40 can be installed on GWLB deployments.

PRJ-30119,
PMTR-72575

CloudGuard Network

UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time.

PRJ-38567,
PRHF-23328

CloudGuard Network

UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway.

PRJ-38869,
PRHF-23555

CloudGuard Network

After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources.

PRJ-27767,
PRJ-28171

CloudGuard Network

In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds. Refer to the PMTR-60092 limitation in sk166717.

PRJ-38069,
PMTR-78814

CloudGuard Network

Policy install or publish may fail because of the CPM process operations overload.

PRJ-33576,
PRHF-20923

CloudGuard Network

When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments".

PRJ-31687,
PRHF-20086

CloudGuard Network

The "Object is inaccessible/deleted on Data Center" warning may be shown for Tag objects in SmartConsole.

PRJ-38642,
PRJ-38643

VoIP

NEW: Added a new tab for VoIP monitoring in CPView.

PRJ-40928

VoIP

After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". Refer to sk179747.

PRJ-39815,
PMTR-81965

VoIP

The Security Gateway may crash when running UDP and TCP SIP traffic.

PRJ-26372,
PMTR-68629

Scalable Platforms

NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool.

PRJ-40307,

ODU-454

HCP

Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436.