R81.10 Jumbo Hotfix Take 14

Note - This Take contains all fixes from all earlier Takes.

Take 14 Released on 22 November 2021

| ID | Product | Description |
|---|---|---|
| PRJ-30364 | Security Management | UPDATE: Added new flags for the Management API commands "add/set simple-gateway" and "add/set simple-cluster": |
| PRJ-29235 | Security Management | UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not returning capture-packets and track information. |
| PRJ-32347 | Security Management | Network object groups with more than 101 members may not be enforced correctly on the Security Gateway: the Security Gateway matches only 101 members of the group. Refer to sk176065. |
| PRJ-30055 | Security Management | In rare scenarios, the FWM process may unexpectedly exit and fail to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007. |
| PRJ-29189 | Security Management | In a rare scenario, High Availability full synchronization may fail due to a large number of records. |
| PRJ-29100 | Security Management | In some scenarios, it is possible to disable a parent rule for the Domain Policy. |
| PRJ-29005 | Security Management | In some scenarios, the publish operation fails with the "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703. |
| PRJ-29306 | Security Management | In environments with a large number of objects, licenses for cluster members may not be displayed in the Licenses tab. |
| PRJ-28650 | Security Management | In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date" although no changes were made in the Global Domain. |
| PRJ-28479 | Security Management | In a rare scenario, when the Identity Awareness Blade is enabled, policy verification on an LSM Profile may fail. |
| PRJ-28537 | Security Management | In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error. |
| PRJ-28897 | Security Management | If there are no explicit rules in one or more policy layers, policy verification may fail with the "No active rules found in the Security Policy" error. |
| PRJ-28786 | Security Management | In some scenarios, the "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes. |
| PRJ-28778 | Security Management | The "show-global-assignment" command returns the default limit when the requested limit is greater than the default limit. |
| PRJ-28002 | Security Management | If Brute Force Password Guessing Protection is set to a value of more than 25 seconds, login to SmartConsole fails. |
| PRJ-27500 | Security Management | Policy installation to multiple Gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy. |
| PRJ-27501 | Security Management | In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189. |
| PRJ-27503 | Security Management | In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely. |
| PRJ-28571 | Security Management | In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" message. Refer to sk174645. |
| PRJ-28300 | Security Management | In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if an IPS protection was added to or removed from the Threat Prevention rulebase. |
| PRJ-28294 | Security Management | In rare scenarios, High Availability incremental synchronization may fail with a wrong status message. |
| PRJ-28089 | Security Management | In some scenarios, the Administrators view may not filter Domain names according to the permission profile of the connected administrator. |
| PRJ-28158 | Security Management | In rare scenarios, if Domain migration fails, the operation may not revert fully and may leave remnants in the database of the Management Server. |
| PRJ-29159 | Security Management | Scheduled IPS update data may not be shown in the IPS update report. |
| PRJ-29899 | Security Management | In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". |
| PRJ-30047 | Security Management | The Management API command "show-sessions" may return sessions that were purged and no longer exist in the Management database. |
| PRJ-29518 | Security Management | In rare scenarios, when installing a policy immediately after publishing a session, the installation is not accelerated. |
| PRJ-29790 | Security Management | In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005. |
| PRJ-30031 | Security Management | In some scenarios, the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer. |
| PRJ-29969 | Security Management | In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.x and one Gateway on R80.x. |
| PRJ-29470 | Security Management | In some scenarios, the "show simple-cluster name <name>" API query on a VRRP cluster returns an incorrect cluster type. Refer to sk174866. |
| PRJ-29791 | Security Management | When initiating Secure Internal Communication (SIC) for LSM objects using the Management API: |
| PRJ-30020 | Security Management | In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error. |
| PRJ-27765 | Security Management | The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level. |
| PRJ-29200 | Security Management | After an upgrade from R77.x in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message. |
| PRJ-30101 | Security Management | In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it. |
| PRJ-31536 | Multi-Domain Management | The High Availability synchronization status in the Global Domain may show "Unknown" for some Multi-Domain Log Modules (MLM) in environments with more than 6 MDSs/MLMs. |
| PRJ-29312 | SmartConsole | The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911. |
| PRJ-29805 | Web SmartConsole | Added enhancements for Task Manager and policy installation. Refer to Take 48 in sk170314. |
| PRJ-30371 | CPInfo | UPDATE: Added CPInfo Build 914000219. Refer to sk92739. |
| PRJ-29826 | SmartView | UPDATE: In SmartView, new MITRE ATT&CK techniques were added to the heatmap view. |
| PRJ-31152 | Logging | NEW: SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server. The feature is disabled by default. To enable it, see Issue #4 in sk150452. |
| PRJ-28084 | Logging | The CPSEMD process on the SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event. |
| PRJ-27883 | Logging | In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume high CPU. |
| PRJ-28342 | Logging | In some scenarios, Log Exporter configured to export over TLS cannot authenticate a certificate from an external certificate authority. |
| PRJ-29031 | Logging | In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report. |
| PRJ-25441 | Logging | On a Management Server with SmartEvent enabled and many networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message while the FWM process runs with high CPU. Refer to sk167239. |
| PRJ-29577 | Security Gateway | NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default. |
| PRJ-29444 | Security Gateway | UPDATE: The default value of the kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560. |
| PRJ-28854 | Security Gateway | UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters. |
| PRJ-31371 | Security Gateway | Improved the handling of a large number of sessions per single HTTP/S connection. |
| PRJ-29131 | Security Gateway | In rare scenarios, policy installation may fail with an "Operation failed, install/uninstall has been improperly terminated" message. |
| PRJ-30205 | Security Gateway | In some scenarios, NATed VPN traffic may be routed out through the wrong interface. Refer to sk176785. |
| PRJ-29528 | Security Gateway | In a very rare scenario, the ICAP Server may crash and generate a core dump file. |
| PRJ-29506 | Security Gateway | In some scenarios, using automatic Static NAT on Network or Address Range objects may cause connectivity issues. |
| PRJ-29421 | Security Gateway | In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673. |
| PRJ-29223 | Security Gateway | In some scenarios, the WSDNSD process may unexpectedly exit and create a core file. Refer to sk173627. |
| PRJ-29080 | Security Gateway | In rare scenarios, a duplicate entry may appear in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic. |
| PRJ-29089 | Security Gateway | In some scenarios, the CPD process may consume high CPU because of a memory leak in FDT (File Download Tool). |
| PRJ-29095 | Security Gateway | In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
| PRJ-27652 | Security Gateway | Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section. |
| PRJ-28811 | Security Gateway | Added cosmetic fixes to the "cpwd_admin list" command output. |
| PRJ-28412 | Security Gateway | In some scenarios, the ROUTED process may unexpectedly exit. |
| PRJ-28105 | Security Gateway | In a rare scenario, a memory leak may occur on the Security Gateway. |
| PRJ-27561 | Security Gateway | In some scenarios, configuring an unnumbered virtual interface may cause ARP requests to remain unanswered by the interface. Refer to sk174188. |
| PRJ-29140 | Security Gateway | The cpsicdemux process may unexpectedly exit, causing the Secure Internal Communication (SIC) connection to fail. |
| PRJ-30014 | Security Gateway | In a rare scenario, CPView may show incorrect SecureXL statistics per VS. |
| PRJ-28874 | Security Gateway | In a rare scenario, when using the ICAP client, the Security Gateway may crash. |
| PRJ-28555 | Security Gateway | Capsule Workspace end users may fail to authenticate to their Exchange mail Server via Mobile Access SSO with Kerberos authentication when the end users belong to many user groups or to user groups with very long names. |
| PRJ-29744 | Security Gateway | In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated. Refer to sk11088. |
| PRJ-30216 | Security Gateway | In some scenarios, policy installation may take longer or fail when GEO Updatable Objects are used in the policy. |
| PRJ-30149 | Security Gateway | There is no option to enable hyperthreading via cpconfig. |
| PRJ-30252 | Security Gateway | Added a translation of the cprid_util error exit code to the $CPDIR/log/cprid_util.elg debug log. |
| PRJ-29589 | Security Gateway | In a rare scenario, the Security Gateway may crash. |
| PRJ-27165 | Security Gateway | In a rare scenario, a traffic outage may occur, caused by a memory leak related to delayed logs. |
| PRJ-28681 | Threat Prevention | UPDATE: Added the option to remove proxy usage in the IoC_feeds tool. |
| PRJ-28521 | Threat Prevention | In rare scenarios, the Security Gateway may crash when a TCP connection is unexpectedly closed. |
| PRJ-28765 | Threat Prevention | In some scenarios, when using an OpenSSH 8.2 Server, file download fails after the transfer starts. |
| PRJ-28975 | Threat Prevention | Improved telemetry for Infinity Vision SOC. |
| PRJ-27437 | Threat Extraction | In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg. |
| PRJ-27436 | Identity Awareness | NEW: Added an automatic mechanism to exclude service accounts on the PDP Gateway to improve both PDP performance and functionality. The default threshold value for Identity Collector Service Accounts exclusion is 100. Refer to sk174266. |
| PRJ-29404 | Identity Awareness | Improved Identity Server (PDP) performance when publishing a new network on Identity Sharing with SmartPull. |
| PRJ-27477 | Identity Awareness | When using sk167118, the user may fail to authenticate if the "Ask user for password" checkbox is enabled. |
| PRJ-28129 | Identity Awareness | In some scenarios, the "Browser Transparent Single Sign-On" portal may not use the certificate associated with the IP address resolved from the portal's main URL. Refer to sk174869. |
| PRJ-27942 | Identity Awareness | In some scenarios, users may not be able to reach the Identity Gateway (PEP). Refer to sk174105. |
| PRJ-29615 | Identity Awareness | In a rare scenario, some IPv6 sessions may be deleted due to an incorrect update of the Identity Gateway (PEP) kernel tables. |
| PRJ-28117 | Application Control | UPDATE: Improved matching of URLs for custom applications. |
| PRJ-29308 | URL Filtering | In some scenarios, HTTPS connections to servers with untrusted certificates are held and not resumed (the page cannot load). |
| PRJ-28637 | IPS | The proxy source IP address is not printed in the IPS logs. |
| PRJ-28246 | IPS | In some scenarios, the HTTP Parser in the CPView statistics may show incorrect values for connections with more than 50 sessions. |
| PRJ-27960 | IPS | In some HTTP scenarios, the Gateway closes the Server side of a connection, but the user side may remain open. |
| PRJ-29942 | IPS | In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash. |
| PRJ-28740 | IPS | In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588. |
| PRJ-32498 | IPS | In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process. |
| PRJ-31761 | IPS | Improved the handling of decoded HTTP/S traffic. |
| PRJ-29193 | Anti-Bot | UPDATE: Improved the performance of Anti-Bot URL Reputation. |
| PRJ-29477 | SSL Inspection | In some scenarios, a memory leak may occur when creating ECDHE keys. |
| PRJ-31203 | SSL Inspection | If TLS 1.3 is enabled, using imported ECDSA certificates for HTTPS Inspection may cause the Security Gateway to crash. |
| PRJ-31150 | SSL Inspection | A memory leak related to TLS probing may occur in the WSTLSD process. |
| PRJ-31151 | SSL Inspection | In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur. |
| PRJ-30461 | SSL Inspection | In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing a timeout. |
| PRJ-30702 | SSL Inspection | A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers. |
| PRJ-28259 | Mobile Access | In a rare scenario, the VPND process may unexpectedly exit, disconnecting users of the Check Point Mobile client. |
| PRJ-28069 | Mobile Access | In rare scenarios, when the SNX client is used in Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit. |
| PRJ-29276 | Mobile Access | In some scenarios, a memory leak may occur in the CVPND process. |
| PRJ-30383 | ClusterXL | In a rare scenario, after an upgrade and reboot, a Standby member is set to Down with a FULLSYNC PNOTE and cannot synchronize. |
| PRJ-28285 | ClusterXL | A Scalable Platform Gateway may drop traffic as "Out of State" when static NAT is configured for the destination IP address. Refer to sk174234. |
| PRJ-31796 | ClusterXL | In some scenarios, during an upgrade to R81.10SP, a failover fails with a crash. |
| PRJ-27229 | SecureXL | TCP packets may be dropped as "TCP out of state" although sk11088 was followed. |
| PRJ-27227 | SecureXL | Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file. |
| PRJ-28287 | SecureXL | In a rare scenario, DoS/Rate Limiting rules that use country codes (CC) or autonomous system numbers (ASN) may not update the Geo IP files correctly. |
| PRJ-29498 | Routing | BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer. |
| PRJ-28959 | Routing | The ROUTED process may unexpectedly exit. |
| PRJ-29321 | Routing | AS path loops may occur although BGP multihop is configured. |
| PRJ-29894 | Routing | In some scenarios, when BootP is configured, the Security Gateway may become unresponsive during policy installation and the ROUTED process may crash. |
| PRJ-31128 | Routing | In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the end of the Graceful Restart. |
| PRJ-28173 | VPN | NEW: Added a StrongSwan clients counter to the VPN TU Tool. |
| PRJ-27857 | VPN | When deleting an entry from the m_ht hash table, a memory leak may occur. |
| PRJ-28028 | VPN | When a StrongSwan client connects with a RADIUS user, it may not receive an Office Mode IP address. |
| PRJ-28514 | VPN | In some scenarios, a memory leak may occur on the Security Gateway. |
| PRJ-28507 | VPN | A memory leak may occur in the VPND process. |
| PRJ-28076 | VPN | A Remote Access client fails to log in when the DN record length is greater than 256. Refer to sk174249. |
| PRJ-28576 | VPN | In some scenarios, Server connections to Remote Access L2TP clients may be unstable. |
| PRJ-29298 | VPN | Added VPN IKEv2 improvements. |
| PRJ-28754 | VPN | Added an IKEv2 improvement for DAIP peers. |
| PRJ-29284 | VPN | In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process. |
| PRJ-28773 | VPN | In some scenarios, in High Availability clusters with CoreXL enabled, SSL clients cannot connect to the Security Gateway because of an incorrect license calculation. |
| PRJ-28266 | VPN | A memory leak may occur when clearing the CRL cache file. |
| PRJ-29484 | VPN | A memory leak may occur in the VPND process in IKEv2 Site to Site VPN. |
| PRJ-28557 | VPN | In some scenarios, when sending the SCV drop log, a memory leak may occur. |
| PRJ-30971 | VPN | In a rare scenario, a memory leak may occur in the IKED process. |
| PRJ-29533 | VPN | The RIM script is not invoked for a DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode. |
| PRJ-31109 | VPN | In some scenarios, a memory leak may occur in the VPND process. |
| PRJ-31149 | VPN | In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site. |
| PRJ-30870 | VPN | A memory leak may occur in the VPND process. |
| PRJ-29554 | VSX | After a reboot, the static ARP configuration of the VS exists in Clish, but the static ARP entries may be missing. |
| PRJ-28180 | VSX | In a rare scenario, the "asg perf" command may take up to 90 seconds to update the data. The information may differ from CPView results. |
| PRJ-28143 | VSX | In some scenarios, running the "asg perf" command with the -vv flag fails. |
| PRJ-30277 | Gaia OS | UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes. |
| PRJ-27697 | Gaia OS | When a non-TACACS user logs out from the WebUI, a "Cannot get pid" error message appears in the /var/log/messages file. |
| PRJ-28414 | Gaia OS | After 248 days of uptime, the VMSS Gateway sends a Cold restart alert, but the VMSS does not reboot. Refer to sk173413. |
| PRJ-27614 | Gaia OS | If the NTPD service is configured in the MDPS settings, NTPD error logs appear in /var/log/messages after a reboot. |
| PRJ-26999 | Gaia OS | Setting a hashed SHA256/SHA512 expert password may fail with the error message "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703. |
| PRJ-28798 | Gaia OS | In a rare scenario, a memory leak may occur in the monitord process. |
| PRJ-26456 | Gaia OS | The Link Layer Discovery Protocol (LLDP) sends the hostname with a dot when the Domain name is empty. |
| PRJ-29179 | Harmony Endpoint | The remote installation push operation "Deployed new Endpoints" does not work on on-premises Servers because of self-signed certificates. |
| PRJ-29974 | Harmony Endpoint | In some scenarios, a query that counts host_ckp objects may return more results than expected, leading to a memory leak with an "Out Of Memory" error. |
| PRJ-31101 | Harmony Endpoint | Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM Blade is not activated. |
| PRJ-29860 | Harmony Endpoint | UPDATE: In SmartEndpoint, in addition to FDE Remote Help, BitLocker Management Recovery is now available for administrators with limited rights. |
| PRJ-30516 | Harmony Endpoint | In the SmartEndpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://". |
| PRJ-29514 | CloudGuard Network | NEW: In Amazon Web Services (AWS): To enable the feature: Note: This feature requires adding the DescribeTags and DescribeLoadBalancers permissions to the AWS Data Center accounts. NEW: In Azure: To enable the feature: Note: This feature requires adding permissions to list Application Security Groups and Private Endpoints. NEW: In AWS, Azure and Google Cloud Platform (GCP): Added support for API calls whose HTTP response carries a reason-code only (without a reason-phrase). |
| PRJ-29652 | CloudGuard Network | The Amazon Web Services (AWS) Data Center scan may fail, and no updates are sent to the Security Gateway. |
| PRJ-29623 | CloudGuard Network | In some scenarios, when there are Data Center objects in the Access Policy Rule Base, policy verification may fail although policy installation succeeds. |
| PRJ-32479 | Scalable Platforms | UPDATE: Added support for Bridge Mode in a Maestro Security Group. |
| PRJ-32689 | Scalable Platforms | UPDATE: Added support for the Maestro Hyperscale Orchestrator MHO-175. |
| PRJ-27336 | Scalable Platforms | Added a cosmetic fix in asgPeaksTable. |
| PRJ-29981 | Scalable Platforms | An outage may occur when configuring OSPF over a VPN/VTI interface because of a missing cluster IP address for the VPN/VTI interface. |
| PRJ-27625 | Scalable Platforms | In rare scenarios, when running the "snmpwalk" command, multiple irrelevant error logs may appear in /var/log/messages. |
| PRJ-27512 | Scalable Platforms | In a rare scenario, a memory leak that requires constant reboots may occur. |
| PRJ-29153 | Scalable Platforms | In some scenarios, the Maestro Orchestrator SDK may stop responding until the Orchestrator service is restarted. |
| PRJ-30025 | Scalable Platforms | When a member from the standby site is rebooted, it may send a GARP while booting and cause a connectivity issue. Refer to sk176523. |
| PRJ-30286 | Scalable Platforms | Packet drops may occur after a Maestro Orchestrator reboot. |
| PRJ-27157 | Scalable Platforms | After adding a new user via the WebUI, asg_diag may fail the configuration test (config_verify -v) due to an inconsistent value in the database. The issue is only cosmetic. |
| PRJ-29516 | Scalable Platforms | After setting a specific range of Blades in gclish, some commands may fail. |
| PRJ-30023 | HCP | Added Update 5 of the HealthCheck Point (HCP) Release. Refer to sk171436. |