R80.40 Jumbo Hotfix Take 196

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878.

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

UPDATE: Reduced loading time of big external Custom Intelligence Feeds.

UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection.

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

UPDATE: Improved handling of NSX-T API responses.

Skyline may not show any information. Refer to sk180748.

On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448.

After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results".

The FWK process may unexpectedly exit during Threat Prevention policy installation.

After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole.

Policy with a large number of AD users may fail with timeout or take a long time to be installed.

In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred".

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure.

In rare scenarios in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic.

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803.

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files.

When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

The Security Gateway may frequently crash with vmcore files, recording invalid context.

The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages.

After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash.

In rare scenarios, the FWK process can unexpectedly exit and cause an outage.

Stability issues when ICAP client is active.

After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS).

In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL.

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

When managing cloud Gateways, the FWM process memory usage may increase.

Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value.

File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml.

Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file.

In a rare scenario, the mal_conns table may consume a large amount of memory.

During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659.

The PDPD process may cause CPU spikes during cluster failover.

In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification.

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

The Security Gateway may crash during policy installation because of a memory allocation problem.

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

The WSTLSD process may unexpectedly exit and create core dump files.

Access to a web application that uses WebSocket protocol may not be possible.

Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored.

The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364.

IPv6 template is not created when the connection is NATed.

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

A memory leak may occur in the VPND process.

In some scenarios, when NAT is configured, VoIP traffic is dropped.

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

In large environments, the "vsx_util reconfigure" procedure and booting may take a long time .

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

When setting password hash on cloning group members, some members may not get updated.

When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail.

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups.

The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198.

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

VPN Cluster stability issue when the peer is an Azure Security Gateway.

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.