R81.10 Jumbo Hotfix Take 113

UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.

• Requires installing SmartConsole Build 417 (or higher).

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

• changes in the cloud service configuration,

• stability improvement.

UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN.

UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188.

UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

UPDATE: Added Update 13 of HealthCheck Point (HCP) Release. Refer to sk171436.

Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message.

The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054.

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

QoS policy cannot be installed if the policy package name contains a dot symbol.

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report.

The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>".

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

When using the RADIUS username for authentication, login to SmartConsole may fail.

In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install.

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation.

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail.

When enabling Management Data Plane Separation (MDPS) in Clish, a "Failed to commit the transaction on database" error message may be displayed.

The Security Gateway may crash due to a memory issue.

Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade.

When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route.

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake.

Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway.

In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex.

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

When a BFD session is added or removed, disabled sessions may incorrectly come up.

A potential leak in VPN tunnels in a Multi-Version Cluster.

Potential VPN outage during policy installation.

In a rare scenario, affinity configuration on VSX may fail.

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

When changing bond settings, the bond may be missing the global IPv6 Address.

When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll"error.

Because of a rare race condition, AD scanners may get stuck in the initializing state with "ERROR ajp-nio2-127.0.0.1-8009-exec-96 - Failed to enumerate scanner instances for SF-DC2.mapro.cat, scanner instance788b7398-5a79-91fb-6f68-137813a5556e (UsmDSConfigResponder)java.lang.NumberFormatException".

After an Endpoint Security client is uninstalled via a push operation, there is no indication in the Asset Management that the client is successfully removed (only if it is inactive for more than 30 days, then it is deleted from the Server database). Although it should be immediately shown as non-active.

The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package.

In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log.

In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail.