R81.10 Jumbo Hotfix Take 113
|
Note - This Take contains all fixes from all earlier Takes. |
ID |
Product |
Description |
---|---|---|
Take 113 Released on 6 September 2023 |
||
PRJ-47121, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-48299, |
SmartConsole |
UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.
|
PRJ-48317, |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 81 via a self-updatable package. Refer to sk170314. |
PRJ-46557, |
Security Gateway |
UPDATE: Added a new option in domains_tool, "-md <list of domains>", which retrieves the IP addresses of multiple Domains. Refer to sk161632. |
PRJ-44320, |
Threat Prevention |
UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable. |
PRJ-44243, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-46315, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically. |
PRJ-47677, |
VPN |
UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN. |
PRJ-44280, |
VSX |
UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode. |
PRJ-48339, |
CloudGuard Network |
UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-45727, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-45771, |
Scalable Platforms |
UPDATE: Added the ability to stop the repeated reboots caused by a configuration mismatch, for debugging purposes. The new command is "cpha_blade_config auto_reboot <on/off>". |
PRJ-48196, |
Scalable Platforms |
UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway. |
PRJ-48404, |
HCP |
UPDATE: Added Update 13 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-45988, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-44472, |
Security Management |
Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message. |
PRJ-46731, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-46796, |
Security Management |
The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054. |
PRJ-45440, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-46016, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-47258, PRJ-47235, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-41548, |
Security Management |
QoS policy cannot be installed if the policy package name contains a dot symbol. |
PRJ-41244, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-44987, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-46003, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object. |
PRJ-45799, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-41460, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-47011, |
Security Management |
The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>". |
PRJ-47050, |
Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-45782, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-47046, |
Security Management |
In rare scenarios, after an upgrade, the Security Management Server may fail to start. |
PRJ-47042, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-45034, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-46782, |
Security Management |
In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install. |
PRJ-47169, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-46699, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-40589, |
SmartConsole |
SmartConsole may crash while checking for updates.
|
PRJ-47469, |
CPUSE |
Tasks in SmartConsole may end unexpectedly during the Jumbo/major version upgrade operation. |
PRJ-45040, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-41167, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-44207, |
Logging |
Information from Windows Syslog messages may be displayed in the "Description" field of the log instead of being parsed into the suitable fields. |
PRJ-45324, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-39450, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-46840, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail. |
PRJ-44115, |
Security Gateway |
High CPU is consumed when there are many rules with apps in the Access Rule Base. Refer to sk181264. |
PRJ-47889, |
Security Gateway |
When enabling Management Data Plane Separation (MDPS) in Clish, a "Failed to commit the transaction on database" error message may be displayed. |
PRJ-44618, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-44189, |
Security Gateway |
The Security Gateway may crash due to a memory issue. |
PRJ-47558, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47325, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade. |
PRJ-46377, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-45343, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-47602, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-43727, |
Threat Prevention |
In some scenarios, the CIFS parser is triggered when it is not needed, which prevents the Security Gateway from fully accelerating SMB traffic. |
PRJ-48191, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters. |
PRJ-46837, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-44691, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import IoC feeds. |
PRJ-44766, |
Threat Prevention |
Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway. |
PRJ-46117, |
Threat Emulation |
Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance. |
PRJ-47749, |
IPS |
In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
PRJ-45836, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47784, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-47182, |
SSL Inspection |
The Security Gateway may fail to enforce certificate blacklisting. |
PRJ-47203, |
Mobile Access |
When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols. |
PRJ-47107, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-45198, |
ClusterXL |
In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection". |
PRJ-44275, |
ClusterXL |
A Standby member may initiate an FTP data connection, although it should be sent from the Active member. As a result, the connection is terminated. Refer to sk180531. |
PRJ-44773, |
SecureXL |
The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646. |
PRJ-43639, |
SecureXL |
In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability. |
PRJ-47487, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-43248, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-47940, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48117, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-47801, |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come up. |
PRJ-41794, |
Routing |
Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic. |
PRJ-44956, |
VPN |
A potential leak in VPN tunnels in a Multi-Version Cluster. |
PRJ-41391, |
VPN |
When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established. |
PRJ-47492, |
VPN |
Potential VPN outage during policy installation. |
PRJ-42939, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-47837, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-44300, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed. |
PRJ-43878, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-49350, |
VSX |
In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823. |
PRJ-46275, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47773, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-41337, |
Harmony Endpoint |
When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results in a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error. |
PRJ-43571, |
Harmony Endpoint |
After the Deploy New Endpoint push operation completes successfully, the list of target devices may change to "None", and the push operation cannot be deleted manually: a "Sorry, we had an API issue during request" message is printed. |
PRJ-46031, |
Harmony Endpoint |
Because of a rare race condition, AD scanners may get stuck in the initializing state with "ERROR ajp-nio2-127.0.0.1-8009-exec-96 - Failed to enumerate scanner instances for SF-DC2.mapro.cat, scanner instance788b7398-5a79-91fb-6f68-137813a5556e (UsmDSConfigResponder)java.lang.NumberFormatException". |
PRJ-47055, |
Harmony Endpoint |
Some devices added to a Virtual Group from the SmartEndpoint Reporting tab do not receive the assigned policy. |
PRJ-42633, |
Harmony Endpoint |
After an Endpoint Security client is uninstalled via a push operation, Asset Management gives no indication that the client was successfully removed, although it should immediately be shown as non-active. The client is deleted from the Server database only after it has been inactive for more than 30 days. |
PRJ-46802, |
Harmony Endpoint |
In rare scenarios, when making changes in SmartConsole, it gets disconnected. |
PRJ-48256, |
Harmony Endpoint |
The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package. |
PRJ-43609, |
VoIP |
The SIP agent implements a keep-alive mechanism that deviates from the RFC: each message arrives with a different tag in the "From" header. This may increase memory consumption on the Security Gateway, and these messages may be dropped once they reach the defined limit (the "sim_max_reinvite" parameter). |
PRJ-47640, |
Scalable Platforms |
In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log. |
PRJ-45233, |
Scalable Platforms |
The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921. |
PRJ-48212, |
Scalable Platforms |
In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail. |
PRJ-49111 |
Scalable Platforms |
After adding a new Security Group Member to a Security Group with the default shell /bin/gclish, the status of the new Security Group Member is "Down" with a Critical Device "image_clone" pnote. |
PRJ-47865, ACCHA-3317 |
Scalable Platforms |
Accessing the SMO WebUI and performing configuration changes may fail with the "Error in acquiring buffer of member info (-1)" error. |