R80.40 Jumbo Hotfix Take 78

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 78

Released on 26 August 2020 and declared as Recommended on 9 September 2020

PRJ-13962,
PMTR-55974

Security Management

NEW: Added the ability to purge revisions automatically based on user configuration. Refer to Automatic Purge Documentation.

PRJ-12308,
PMTR-48736

Security Management

NEW: Added enhancements for CPM Monitor Tool:

  • Compatibility of file names between Linux and Windows.
  • Better and more readable resources consumption report.
  • All data is wrapped into a single tgz file, for better handling.

PRJ-14645,
PRHF-11983

Security Management

NEW: Solr server process is restarted automatically if it is not responsive for a long time.

PRJ-13809,
PMTR-55860

Security Management

Publish operation of hundreds of changes may take a long time to complete.

PRJ-16195,
PRHF-9260

Security Management

When running the 'show-access-rulebase' API command with filter, and the selected layer is an inline layer, rules of the inline layer are not returned even though they match the search criteria.

PRJ-11491

Security Management

Access Policy installation may remain on Multi-Domain Server with Global Policy assigned when there is Inline layer usage and APPI/DA/Mobile Access Blade is enabled. Refer to sk166676.

PRJ-13319

Security Management

Upgrade from R80.10 may take many hours when there are hundreds or more Administrators and dozens or more Permission Profiles defined.

PRJ-13920

Security Management

In Multi-Domain environments with High Availability, if the Management Server is stopped while there is a Purge Revisions operation in progress, the server may fail to start again. Refer to sk168175.

PRJ-13167,
PMTR-53758

Security Management

When an administrator enters a very long text into an object field (more than 32767 characters), the Security Management Server terminates and fails to start.

PRJ-13049,
PRHF-11033

Security Management

After the user adds new Threat Indicators, Management HA may fail with "NGM failed to import data" error. Refer to sk167156.

PRJ-15459,
PRHF-6093

Multi-Domain Management

Policy Installation may fail due to an internal error in an MDS environment where there is a Global Dynamic object usage inside Networks Groups with a depth that is higher than 2-level (group inside a group).

PRJ-14096,
PMTR-56164

SmartConsole

NEW: Added new API version (1.6.1). The new version includes useful new commands. For more information, refer to the Management API Reference.

PRJ-13008,
PRHF-10998

SmartConsole

In the Management API, the "show objects" command with details-level full may return the "ip-address" field even if it is empty.

PRJ-14290,
PMTR-53220

SmartConsole

If there are thousands (or more) of unused objects, the "show unused-objects" API command and the Unused Objects view may load and work very slowly. Also, the load on the Management server will increase, causing general slowness when working with SmartConsole.

PRJ-14532,
PMTR-55130

SmartView

In some scenarios, when the user attempts to download a DLP attachment from the log card in SmartView, the download does not start.

PRJ-12705,
PRHF-10295

SmartView

The SmartView Timeline may be distorted when logs contain an empty value for the field specified in the "Series" settings and when the Legend is enabled. Refer to sk167095.

PRJ-12099,
PMTR-52324

Logging

NEW:

  • Added Management API command "show logs" to query logs.
  • Added Management API command "get attachment" to fetch attachments from logs by log ID and attachment ID.

PRJ-14049,
PRHF-11502

Logging

In some scenarios, the command "cp_log_export status" prints "last log read at: N/A" rather than a timestamp.

PRJ-14372,
PRHF-10818

Security Gateway

UPDATE: Reduced CPU usage in some configurations by parsing TLS traffic only when required by the policy. See sk166700 for more information.

PRJ-14007,
PRHF-11326

Security Gateway

In some scenarios, ESP traffic may be dropped with "fwconn_key_init_links (INBOUND) failed" message. Refer to sk167973.

PRJ-13678,
PMTR-53479

Security Gateway

In some scenarios, dmesg shows "up_manager_perform_action: up_manager_resume_chain failed" error messages when span port is configured.

PRJ-8049

Security Gateway

When running 'fw6 ctl affinity -l' command, the IPv6 instances are not displayed.

PRJ-13267,
PMTR-54226

Security Gateway

Occasional slowness while browsing to HTTP/2 sites when Security Gateway is enabled as an explicit Proxy.

PRJ-13696,
PMTR-55510

Security Gateway

Proxy arp change is applied only after the second policy installation.

PRJ-14217,
PMTR-56300

Security Gateway

In a rare scenario, the Security gateway may crash if the rulebase contains a logical server object.

PRJ-11752,
PMTR-52426

Security Gateway

Citrix file download may fail when the Mobile Access Blade is enabled.

PRJ-11417,
PRHF-9776

Security Gateway

In some scenarios, NAT log shows source port 0 even though a port was allocated.

PRJ-13382,
PMTR-54897

Security Gateway

In some scenarios, Security gateway generates an ICMP error with wrong IP address. Refer to sk167953.

PRJ-13631,
IDA-2683

Identity Awareness

NEW: Added the ability to filter sessions by session's owner and immediate publisher in Identity Broker.

PRJ-9494,
PMTR-49855

Identity Awareness

UPDATE: SAML configuration optimizations of policy installation flow.

PRJ-12565,
IDA-2983

Identity Awareness

PDP may consume high CPU during policy installation because of a large amount of Access Roles.

PRJ-10818,
PMTR-51543

Identity Awareness

In a rare scenario, a memory leak may appear in case of LDAP query failure on Identity Collector automatic group update.

PRJ-8713,
PRHF-7978

Identity Awareness

In some scenarios, Dynamic ID authentication fails when SMS server returns HTTP status code 2xx but not 200 or 202.

PRJ-13516,
PMTR-55246

Identity Awareness

In some scenarios, a XFF allowed proxy list is enforced only for instance 0 in VSLS environment after VS has transitioned from Backup to Active.

PRJ-13702,
PRHF-561

Identity Awareness

In some scenarios, when the user changes the TACACS+ server to a different one, the configuration is applied only after an MDS reboot.

PRJ-12503,
PRHF-10481

Identity Awareness

In some scenarios, Identity Awareness counters in cluster environments show zero.

PRJ-11484,
PMTR-40495

SSL Inspection

DynamicID authentication may fail due to server certificate validation failure. Refer to sk167177.

PRJ-11511,
SMB-12153

SSL Inspection

In some scenarios, there may be SSL Inspection issues in cluster environments on 1500 Series Security Gateways. Refer to sk170218.

PRJ-10663,
PRHF-9289

Anti-Malware

In some scenarios, a "Feed Error" message appears when the user fetches a Custom Intelligence Feed. Refer to sk165932.

PRJ-12809,
PMTR-51013

Threat Emulation

In a rare scenario, files are not uploaded for Threat Emulation or Threat Extraction inspection.

PRJ-14224

ClusterXL

In some scenarios, SmartConsole shows ClusterXL status as "is not responding". Refer to sk168187.

PRJ-14612,
PRHF-7700

SecureXL

UPDATE: Added a global variable that enables log for packets that include unapproved IP option. This variable is off by default.

PRJ-14514,
PRHF-10860

SecureXL

In a rare scenario, a VSX gateway with Virtual Switch may crash.

PRJ-13414,
ACCHA-301

SecureXL

DECnet DIGITAL Network Architecture (Phase IV) traffic may be dropped. Refer to sk167202.

PRJ-13763,
PMTR-55537

SecureXL

Security Gateway may crash when concurrent connection rules exist in the DOS/Rate limiting policy and the Application Control Blade is enabled.

PRJ-14079,
PMTR-56026

SecureXL

For some topologies, RIPV2 neighbors may be missing. Refer to sk167934.

PRJ-12254,
PMTR-23165

Mobile Access

In some scenarios, Mobile Access end-users become disconnected from their Citrix sessions after policy installation.

PRJ-13730,
PMTR-54159

Mobile Access

In some scenarios, Web application SSO credentials are not displayed correctly in the 'Credentials' dialog when the application's destination hostname is configured as an IP address.

PRJ-14435,
PMTR-53221

Gaia OS

NEW: Added support for CPAC-4-10-AB cards.

PRJ-14596,
PMTR-55036

Gaia OS

NEW: Added Multi-Queue (MQ) support for Management interface.
Note: Enabling both Dynamic Balancing and MDPS causes Dynamic Balancing to stop.

PRJ-13642,
PMTR-54518

Gaia OS

NEW: The i40e driver version was upgraded to improve performance.

PRJ-13011,
PMTR-54188

Gaia OS

RX/TX ring size may reset when changing queue settings.

PRJ-15424,
PMTR-57108

Gaia OS

Gaia API Service is offline after upgrade to R80.40.

PRJ-13480,
PMTR-55154

Gaia OS

Intake and outlet temperature sensors display incorrect values on 15400 appliance.

PRJ-12513

Gaia OS

In some scenarios, due to backup compression errors, restoring a backup does not restore all files.

PRJ-13719

Gaia OS

In some scenarios, a snapshot creation may fail.

PRJ-10352,
PRHF-8760

Gaia OS

In rare scenarios, clish consumes 100% CPU when the user runs a Tenable scan. Refer to sk166195.

PRJ-14402,
PRHF-11683

Gaia OS

In some scenarios, the snapshot creation fails because of compression errors.

PRJ-13926,
PMTR-54829

Routing

UPDATE: Increased the configuration limits of the BFD timers for detect multiplier, minimum RX interval, and minimum TX interval to 255, 255000, and 255000, respectively.

PRJ-13979,
PRHF-11680

Routing

UPDATE: The logging of "aspath-regex" and "community-regex" routemap fields is now disabled by default and can be enabled through the trace log.

PRJ-11805,
VPNRA-357

VPN

In some scenarios, an incorrect IPSec counter may be displayed with cpstats / SmartView Monitor / SNMP in a ClusterXL environment. Refer to sk167297.

PRJ-14074,
VPNRA-404

VPN

When Security gateway is behind NAT and its main IP address is configured to NAT IP, Client may disconnect when using Visitor Mode.

PRJ-14244,
PRHF-7995

VPN

VPN traffic may be dropped when working with peer behind NAT - Hide NAT with Port Translation.

PRJ-13408,
PMTR-54443

VPN

In rare scenarios, the Global Domain Assignment view shows that a Global Domain Assignment is in the 'up to date' state even though it is not.

PRJ-14075,
VPNRA-417

VPN

When using Visitor Mode, Endpoint Client behind NAT disconnects after 20 seconds when his private network overlaps with some network in the Encryption Domain.

PRJ-15437,
PRHF-12039

VSX

VSs load up in parallel from boot/after cpstart from VS0.

PRJ-14151,
PRHF-11651

Endpoint Security

In some scenarios, no audit logs are shown regarding object changes in SmartEndpoint virtual groups and FDE pre-boot users. Refer to sk167907.

PRJ-14133,
PRHF-7699

Endpoint Security

In some scenarios, the user cannot get an FDE Offline Management File (cpomf) for an offline group in SmartEndpoint if this group or a directory in its path has special characters \ _ %.