R80.40 Jumbo Hotfix Take 211
|
Note - This Take contains all fixes from all earlier Takes. |
ID |
Product |
Description |
---|---|---|
Take 211 Released on 13 March 2024 and declared as Recommended on 1 May 2024 |
||
PRJ-47119, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-50101, PRHF-30325 |
Diagnostics |
UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository. |
PRJ-46555, |
Security Gateway |
UPDATE: Added a new option in domains_tool that retrieves the IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632. |
PRJ-46320, |
Security Gateway |
UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log. |
PRJ-46943, |
Threat Prevention |
UPDATE: The IPS bypass trigger is now activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change results in more effective security measures without unnecessary bypasses. |
PRJ-44318, |
Threat Prevention |
UPDATE: The DCE-RPC kernel tables are now global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable. |
PRJ-52039, |
Threat Extraction |
UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832. |
PRJ-49230, |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 80008407. |
PRJ-44241, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-46313, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically. |
PRJ-48106, |
VSX |
UPDATE: Changed the vsx push configuration log:
|
PRJ-43880, |
VSX |
UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX. |
PRJ-47224, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427. |
PRJ-50871, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements. |
PRJ-48008, |
Gaia OS |
UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically. |
PRJ-45234, |
Gaia OS |
UPDATE: SNMP traps for interfaces going up and going down now contain the interface name and description. |
PRJ-47447, |
Gaia OS |
UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:
|
PRJ-48079, |
CloudGuard Network |
UPDATE: Added support for Azure Scale sets with Flexible orchestration mode. |
PRJ-48800 |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region. |
PRJ-52693, ODU-1408 |
Smart-1 Cloud |
UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056. |
RJ-45725, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-48402, PRJ-52864, |
HCP |
UPDATE: Added Update 13, Update 15 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53394, ODU-1563 |
Automatic Updates - CPSDC |
UPDATE: Added Take 31 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-46001, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "opsec-ha" returns success but has no effect on the cluster object. |
PRJ-45986, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-47167, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-46697, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-46794, |
Security Management |
The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054. |
PRJ-46014, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-45032, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-46826, |
Security Management |
In some scenarios, the "Object is no longer available" validation warning appears for updatable objects. |
PRJ-45896, |
Security Management |
In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920. |
PRJ-44985, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-45797, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-41458, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-46729, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-48862, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-43287, |
Security Management |
In rare scenarios:
|
PRJ-41242, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-47040, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-47048, |
Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-47256, PRJ-47233, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-48035, |
Security Management |
An audit log may not be created after running Revert to Revision. |
PRJ-49193, |
Security Management |
In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated. |
PRJ-45780, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-45438, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-48379, |
Security Management |
In SmartConsole, export of policies with the "Hit count" column may get stuck. |
PRJ-47036, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses. |
PRJ-34858, |
Security Management |
In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report. |
PRJ-48895, |
Security Management |
In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file. |
PRJ-48689, |
Security Management |
Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user. |
PRJ-49219, |
Security Management |
In SmartConsole, an attempt to view administrators may fail with "Error retrieving results". |
PRJ-49202, |
Security Management |
|
PRJ-48368, |
Security Management |
The "crldp_initialized" and "crldp_name" keys may be missing in the registry after running promote_util. |
PRJ-48439, |
Security Management |
The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined. |
PRJ-49987, |
Security Management |
The "fwm sic_reset" command may fail and generate a core dump. |
PRJ-47964, |
Security Management |
In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178. |
PRJ-49368, |
Security Management |
In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460. |
PRJ-49342, |
Security Management |
SmartConsole may unexpectedly close after deleting an object in the Object Explorer view. |
PRJ-50211, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters. |
PRJ-50044, |
Security Management |
In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete. |
PRJ-49712, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-49477, |
Multi-Domain Security Management |
When viewing Subordinate CA objects in SmartConsole:
|
PRJ-46584, |
Multi-Domain Security Management |
Migration of a Security Management Server to a Multi-Domain Security Management Server may fail with the "Expected single result for object with uid UID, got: 0" error. |
PRJ-46932, |
SmartConsole |
Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status. |
PRJ-45073, |
Web SmartConsole |
After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.
|
PRJ-46433, |
SmartProvisioning |
After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change. |
PRJ-47340, |
SmartView |
In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message. |
PRJ-49971, |
CPView |
CPU statistics may be incorrect or missing in CPView. |
PRJ-48000, |
CPView |
Offload may fail in CPView with "ERROR! Reason not initialized". |
PRJ-45322, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-47217, |
Logging |
The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs. |
PRJ-45038, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-39448, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-46184, |
Logging |
When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management Server shows that the Security Gateway is disconnected and the Log Server cannot be reached, although logs are sent. |
PRJ-47211, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection blade may fail. |
PRJ-41165, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-47981, |
Logging |
Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only. |
PRJ-46559, |
Logging |
In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds". |
PRJ-49387, |
Logging |
In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field. |
PRJ-46204, |
Logging |
Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609. |
PRJ-48803, |
Logging |
Some attributes in SNMP MIB file may not be accessible. |
PRJ-51145, |
Logging |
When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. |
PRJ-48239, |
Logging |
The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706. |
PRJ-44588, PRHF-26975 |
Logging |
In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331. |
PRJ-47313, |
Logging |
When the active log file (for example, fw.log for the Security Gateway) is older than two days, the CPLogFilePrint utility does not print the log records correctly. |
PRJ-52673, PRHF-32203 |
Security Gateway |
CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944. |
PRJ-46408, |
Security Gateway |
The Security Gateway may listen to the ports used by NAT. |
PRJ-45691, |
Security Gateway |
The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail. |
PRJ-48820, |
Security Gateway |
In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway. |
PRJ-48151, |
Security Gateway |
Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet. |
PRJ-47207, |
Security Gateway |
When running the tp_collector tool, the FW_FULL process may unexpectedly exit. |
PRJ-48020, |
Security Gateway |
In some scenarios, when IPS is enabled, CPU spikes may occur. |
PRJ-46375, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-44699, |
Security Gateway |
In rare scenarios, the WSDNSD process may restart because of an internal error. |
PRJ-47329, |
Security Gateway |
When using the "cpstop" command on the Security Gateway, the fw_full core may be generated. |
PRJ-48245, |
Security Gateway |
The /var/log/messages file of a VSX gateway is flooded with "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages, with no impact on connectivity. Refer to sk181281. |
PRJ-47518, |
Security Gateway |
After installing a policy, because of high latency, the Security Gateway may delete a connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped. |
PRJ-50137, |
Security Gateway |
Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments. |
PRJ-47266, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-47323, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus blade. |
PRJ-45343, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-46200, |
Security Gateway |
In rare scenarios, updating the NTP Server may cause a temporary outage. |
PRJ-44187, |
Security Gateway |
The Security Gateway may crash due to a memory issue. |
PRJ-44616, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-47556, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47600, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-49006, PMTR-92233 |
Threat Prevention |
In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update. |
PRJ-47635, |
Threat Prevention |
The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148. |
PRJ-50655, |
Threat Prevention |
In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process. |
PRJ-46835, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-43725, |
Threat Prevention |
In some scenarios, the CIFS parser is triggered when it is not needed, which prevents the Security Gateway from fully accelerating SMB traffic. |
PRJ-44689, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import IoC feeds. |
PRJ-48189, |
Threat Prevention |
Anti-Virus blade fails to parse external IoC feeds that contain specific delimiters. |
PRJ-44764, |
Threat Prevention |
Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway. |
PRJ-46882, |
Threat Prevention |
Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure. |
PRJ-48923, |
Threat Prevention |
Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented. |
PRJ-48427, |
Threat Prevention |
Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy. |
PRJ-46902, |
Threat Prevention |
Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039. |
PRJ-46441, |
Threat Prevention |
Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension. |
PRJ-50049, |
Threat Prevention |
Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the " |
PRJ-43970, |
Threat Prevention |
When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems. |
PRJ-46965, |
Threat Prevention |
Exporting Custom Intelligence feeds from the management to all the Security Gateways succeeds but the generated log shows that the operation failed. |
PRJ-48084, |
Threat Prevention |
An outage may occur when an unsupported SSH cipher is selected. |
PRJ-46756, |
Identity Awareness |
The ida_tables_util tool may fail with the "bad adress" error. |
PRJ-48248, |
Identity Awareness |
There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417). |
PRJ-45718, |
Application Control |
Policy installation fails when a custom application and user category have the same name. |
PRJ-46196, |
Application Control |
CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186. |
PRJ-42478, |
IPS |
Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types. |
PRJ-49042, |
DLP |
The DLP process may unexpectedly exit during policy installation. |
PRJ-49568, |
Anti-Virus |
The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds. |
PRJ-49639, |
Anti-Virus |
Microsoft Office files may be classified by the Anti-Virus file type classification engine as archives. |
PRJ-50526, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash during inspection of file downloads. |
PRJ-51590, |
Anti-Virus |
The Anti-Bot Blade prevents Domains with the DNS Sinkhole feature, but SmartConsole log shows the "detect" action. |
PRJ-49518, |
Anti-Virus |
The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile. |
PRJ-49295, |
Anti-Virus |
Anti-Virus fails to release held connections after the inspection. |
PRJ-45834, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47782, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-48125, |
Anti-Virus |
A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol. |
PRJ-47933, |
Anti-Virus |
When transferring many files, SMB traffic may freeze while scanned by Anti-Virus blade. |
PRJ-48970, |
Anti-Virus |
When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked. |
PRJ-47237, |
Anti-Virus |
Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode. |
PRJ-48173, |
SSL Inspection |
A FWK process memory leak may occur when canceling the download of a large file in the middle of the process. |
PRJ-47105, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-44273, |
ClusterXL |
A Standby member may initiate an FTP data connection, although it should be sent from the Active member. As a result, the connection is terminated. Refer to sk180531. |
PRJ-45178, |
ClusterXL |
The monitored state of the VLAN-configured bonded interface disappears after modifying the bonded interface properties. Refer to sk180724. |
PRJ-43931, |
ClusterXL |
Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055. |
PRJ-48411, |
ClusterXL |
In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem". |
PRJ-51175, |
SecureXL |
The Security Gateway may crash with vmcore during boot while upgrading. |
PRJ-48887, |
SecureXL |
The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway. |
PRJ-50552, |
SecureXL |
High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load. |
PRJ-49755, |
SecureXL |
Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces. |
PRJ-43637, |
SecureXL |
In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability. |
PRJ-49376, PRHF-30056 |
SecureXL |
Syn Defender may not correctly handle reused connections. |
PRJ-50830, |
Routing |
The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios. |
PRJ-47799, PRHF-29662 |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come back up. |
PRJ-41792, |
Routing |
Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic. |
PRJ-47485, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-47938, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48115, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-43246, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-49576, |
Routing |
The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected. |
PRJ-49215, |
VPN |
Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled. |
PRJ-49557, |
VPN |
When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed. |
PRJ-47589, |
VPN |
In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error. |
PRJ-42937, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-46259, |
VPN |
The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857. |
PRJ-45125, |
VPN |
Back connection does not function on the Statically NATed Office Mode address as expected. |
PRJ-53368, PRHF-32706 |
VPN |
VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log. |
PRJ-47875, |
Multi-Portal |
The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication. |
PRJ-50310, |
Multi-Portal |
A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway. |
PRJ-49565, |
VSX |
Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages. |
PRJ-50786, |
VSX |
VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface. |
PRJ-50957, |
VSX |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router. |
PRJ-43876, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-47835, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-44298, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed. |
PRJ-44266, |
VSX |
Virtual System context may not be handled correctly by CPView, for example, the same interfaces may be listed on all virtual systems. |
PRJ-48828, |
VSX |
In some scenarios, the VXLAN Driver Kernel may crash. |
PRJ-49348, |
VSX |
In some scenarios, in Maestro VSX environment with a Virtual Switch (VSW), TCP packets can be dropped as "out of state" or incorrectly dropped on the clean up rule. |
PRJ-47794, |
VSX |
A memory leak may occur in the CPD process. |
PRJ-46018, |
Gaia OS |
The SNMPD process memory consumption may be high, which causes the process to become unresponsive. |
PRJ-46969, |
Gaia OS |
Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249. |
PRJ-48717, |
Gaia OS |
The "show configuration password-controls" command output does not print the "set password-controls deny-on-fail block-admin on" option. |
PRJ-46140, |
Gaia OS |
Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content. |
PRJ-47174, |
Gaia OS |
When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration. |
PRJ-50484, |
Gaia OS |
SNMP query does not bring the CPUSE package information for a single OID (not a table). |
PRJ-28432, |
Gaia OS |
Backup on a Gaia machine with the Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space", and the solution in sk166833 does not resolve the issue in a VSX environment. |
PRJ-46273, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47771, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-41335, |
Harmony Endpoint |
When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results in a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error. |
PRJ-47145, |
Harmony Endpoint |
When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers. |
PRJ-47897, |
CloudGuard Network |
Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed. |
PRJ-47992, |
VoIP |
When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525. |
PRJ-46987, |
VoIP |
In some scenarios, SIP TCP connections are dropped after a cluster failover. |
PRJ-43606, |
VoIP |
SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter). |
PRJ-49464, |
Scalable Platforms |
On a Security Group with MDPS enabled:
After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane. See sk182076. |