R81.10 Jumbo Hotfix Take 55

Note - This Take contains all fixes from all earlier Takes.

| ID | Product | Description |
|---|---|---|
| Take 55 Released on 1 May 2022 and declared as Recommended on 1 June 2022 | | |
| PRJ-29849, | Diagnostics | In some scenarios, CPView shows only partial SNMP data. |
| PRJ-36494, | Security Management | NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509. This applies only to SmartConsole (does not apply to SmartProvisioning). |
| PRJ-30408, | Security Management | UPDATE: |
| PRJ-35099, | Security Management | UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. The parameter is set to "0" by default. Refer to sk178127. |
| PRJ-33566, | Security Management | In rare scenarios, the task of creating/deleting a Domain or Domain Server may be stuck at 5% with the "Task in queue" status. |
| PRJ-35280, | Security Management | In a Multi-Domain environment, only one hundred Domains appear in the Domains view, although there are more. |
| PRJ-38877, | Security Management | In large environments, after installing Jumbo Hotfix Take 38 or Take 45, login to SmartConsole may fail shortly after services are up. Refer to sk178807. See the Important Notes section. |
| PRJ-36801, | Security Management | In some scenarios, the last modifier name is missing in unpublished sessions and SmartConsole unexpectedly closes. |
| PRJ-35480, | Security Management | Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error. |
| PRJ-34179, | Security Management | In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server". |
| PRJ-33768 | Security Management | The Management REST API "add lsm-gateway" with "SIC" parameter may fail with "generic_error". |
| PRJ-32563, | Security Management | Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144. |
| PRJ-33402, | Security Management | When automatic purge is configured in a local Domain and there is an assignment between the Global Domain and that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443. |
| PRJ-33366, | Security Management | Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464. |
| PRJ-34748, | Security Management | The "Free Memory" column under the "Gateways and Servers" tab may show "N/A" instead of the actual value. Refer to sk177135. |
| PRJ-32849, | Security Management | In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure". |
| PRJ-32133, | Security Management | When working with Endpoint Cloud, the License tab under "Gateways and Servers" in SmartConsole may show "Certificate error: CertAuthorityInvalid". |
| PRJ-32719, | Security Management | If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491. |
| PRJ-34773, | Security Management | Policy installation on R81 (and below) Gateways may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725. |
| PRJ-32747, | Security Management | In a rare scenario, the FWM process unexpectedly exits. |
| PRJ-32803, | Security Management | The mgmt_cli tool (API) with certificate login may not work. |
| PRJ-34658, | Multi-Domain Management | In a Multi-Domain Management environment, when fetching an LDAP branch using the "fetch" button from the Global Domain tab, the operation may fail. |
| PRJ-34010, | SmartProvisioning | The CPD process may consume high CPU after an upgrade of the Security Management Server that manages devices through LSM Profiles. |
| PRJ-32374, | Logging | When running CPinfo in a large-scale environment, the SmartEventCollectLogs process may get stuck. |
| PRJ-32581, | Logging | In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application. |
| PRJ-32019, | Logging | When running the "show_logs" API command with the "query-id" argument and the session is expired, the command ends with a timeout instead of presenting an error. |
| PRJ-30551, | Logging | In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783. |
| PRJ-38237, | Security Gateway | UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53. |
| PRJ-31667, | Security Gateway | UPDATE: Added Connection and Packet Distribution statistics in CPView. |
| PRJ-33275, | Security Gateway | The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952. |
| PRJ-33211, | Security Gateway | The dlpu process may unexpectedly exit, producing a core dump file. |
| PRJ-33999, | Security Gateway | In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout. |
| PRJ-34257, | Security Gateway | It may not be possible to use the Office 365 Tenant Restrictions feature when the ICAP client is enabled. |
| PRJ-33613, | Security Gateway | In a rare scenario, the FWD process may unexpectedly exit. |
| PRJ-35096, | Security Gateway | Policy installation may fail when the Security Gateway runs out of memory. |
| PRJ-35008, | Security Gateway | The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228. |
| PRJ-32793, | Security Gateway | Matched rules on an Inline layer may appear as the "Accept" / "Drop" action instead of "Inline". |
| PRJ-32927, | Security Gateway | When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics". |
| PRJ-31209, | Security Gateway | The Security Gateway may crash during policy installation due to memory allocation problems. |
| PRJ-37417, | Security Gateway | In a rare scenario, while idle, the Security Gateway may crash, producing a vmcore file. |
| PRJ-34269, | Security Gateway | The log_exporter process may consume high CPU. |
| PRJ-36993 | Security Gateway | |
| PRJ-30446, | Threat Prevention | In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space. |
| PRJ-34706, | Threat Prevention | In a rare scenario, after excessive memory usage, the kernel may crash. |
| PRJ-33848, | Threat Prevention | Threat Prevention policy may fail when the MITRE tactic ID value is invalid. |
| PRJ-35822, | Identity Awareness | On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member. |
| PRJ-34516, | URL Filtering | In a rare scenario, when URL Filtering Blade is active, in Website categorization background mode, the FWK process may unexpectedly exit and create a core dump. |
| PRJ-29429, | IPS | When Website categorization mode is set to "Hold" and the Gateway is a Proxy, some connections may be incorrectly terminated. |
| PRJ-34646, | DLP | In some scenarios, DLP (Data Loss Prevention) Blade may not delete temporary files used for scanning. |
| PRJ-33003, | SSL Inspection | UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2. |
| PRJ-34975, | SSL Inspection | In rare scenarios, the WSTLSD daemon may unexpectedly restart. |
| PRJ-33956, | SSL Inspection | A connectivity issue may occur after changing the Security Gateway's name and installing policy. |
| PRJ-35783, | SSL Inspection | When running cipher_util in any VS other than VS0, the "Cannot access features configuration directory" error is shown. |
| PRJ-34702, | SSL Inspection | Connections may hang and reach a timeout during browsing if the number of WSTLSD instances is reduced through configuration settings. |
| PRJ-33670, | SSL Inspection | In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
| PRJ-36356, | SSL Inspection | A connectivity issue may occur with certain TLS clients. |
| PRJ-36497, | SSL Inspection | In a rare scenario, the WSTLSD process may unexpectedly exit while validating signatures of sites with improper certificate chains. |
| PRJ-36300, | SSL Inspection | A memory leak related to TLS probe may occur in the WSTLSD process. |
| PRJ-35934 | SSL Network Extender | UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS. |
| PRJ-38371, | ClusterXL | The Security Gateway may drop multicast packets after policy installation. |
| PRJ-36472, | SecureXL | The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW). |
| PRJ-33583, | SecureXL | In some scenarios, the Security Gateway may drop fragmented Cluster LS packets. |
| PRJ-35770, | Routing | UPDATE: ROUTED debug log will now show IP addresses. |
| PRJ-34712, | Routing | In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order. |
| PRJ-33627, | Routing | An OSPFv2 graceful restart with authentication may cause an outage. |
| PRJ-30715, | Routing | Connectivity issues may occur after configuration of route-based VPN (VTI interface). Refer to sk176368. |
| PRJ-37476, | Identity Awareness, | UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148. |
| PRJ-32700, | Identity Awareness | Memory usage may be high for the PDPD process in a scenario related to Identity Awareness nested groups in state 2 and 4. |
| PRJ-28220, | Identity Awareness | There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144. |
| PRJ-35246, | Mobile Access | MAB Guacamole-based clientless RDP/SSH connections, when closed prematurely, may cause the GuacProxy process to consume 100% CPU. |
| PRJ-36060, | Mobile Access | Capsule Workspace cannot connect to a Mobile Access Gateway when the Citrix application is configured and allowed to the end-user's group. |
| PRJ-35978, | ClusterXL | A cluster failover may take longer than it should. |
| PRJ-34341, | SecureXL | The "fwaccel dos rate add" command may fail with the "Another fwaccel command is already in progress" error. |
| PRJ-36074, | SecureXL | In some scenarios related to sending multicast packets, ICMP errors may be shown. |
| PRJ-35388, | VPN | In some scenarios, the RIM script is not activated in DPD Tunnel monitoring. |
| PRJ-36181, | VPN | The FWK process may unexpectedly exit on a VS with an S2S VPN tunnel. |
| PRJ-34375, | VPN | In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure. |
| PRJ-34494 | VPN | Remote Access users cannot connect when a certificate issued by a configured subordinate CA is used for authentication. |
| PRJ-35558, | VPN | A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured. |
| PRJ-35347, | VPN | IKEv2 improvements for DAIP Gateway behind Hide NAT. |
| PRJ-35767, | VPN | Enhanced stability of Site-to-Site VPN with interoperable devices. |
| PRJ-35232, | VPN | SSL entries may not be deleted from the "vpn tu tlist" command output, although there was a graceful exit. |
| PRJ-35431, | VPN | In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment. |
| PRJ-35536, | VPN | A memory leak may occur in the VPND process when using Remote Access Back Connection. |
| PRJ-35560, | VPN | A memory leak may occur in the VPND process when using Remote Access Secondary Connect. |
| PRJ-35344, | VPN | Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP IP which was configured before and had a connection from the DAIP Encryption Domain. |
| PRJ-35390, | VPN | Improved IKEv2 for working with DAIPs. |
| PRJ-35473, | VPN | Added VPN improvements for IKEv2 SA re-key. |
| PRJ-33657, | VPN | The VPND process may unexpectedly exit with a core dump file. |
| PRJ-35489, | VPN | In ike_sa_table there may be an entry with an IP address and not with a DAIP ID. |
| PRJ-36239, | VPN | A memory leak may occur in the VPND process. |
| PRJ-35001, | VSX | The "vsx_util reconfigure" command may fail without printing the reason for the error. |
| PRJ-34604, | VSX | In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch. |
| PRJ-31697, | Gaia OS | The "cpopenssl" command may fail with "No such file or directory". |
| PRJ-35004, | Gaia OS | Fixed the CVE-2020-14145 vulnerability. |
| PRJ-27910, | Harmony Endpoint | In some scenarios, logs related to Harmony Endpoint may be missing. |
| PRJ-32919, | CloudGuard Network | NEW: |
| PRJ-28480, | CloudGuard Network | In rare scenarios, policy installation fails when adding a CloudGuard object to the NAT rulebase. |
| PRJ-35549, | CloudGuard Network | When there are VS's with the same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects. |
| PRJ-36275, | CloudGuard Network | In some scenarios, incorrect data center updates are pushed to the Gateway. |
| PRJ-36705, | Public Cloud CA Bundle | Added Take 14 of Public Cloud CA Bundle. Refer to sk172188. |
| PRJ-38970, | Scalable Platforms | Packet drop may occur during Maestro Orchestrator reboot or performing the "orchd stop" command. Refer to sk178831. |
| PRJ-33452, | Scalable Platforms | In a rare scenario, after a reboot, there may be connectivity issues between a Gateway and Maestro Hyperscale Orchestrator (MHO). |
| PRJ-34217, | Scalable Platforms | In some scenarios, when accelerated policy installation is performed on a Security Gateway that does not have a valid policy, an obscure failure message is shown. |
| PRJ-36361, | Scalable Platforms | OSPF may install a route to the incorrect IP when configured as P2P. Refer to sk177686. |
| PRJ-35613, | Scalable Platforms | Setting the time on Quantum Scalable Chassis may fail with the "Failed to update the date WARNING: CliError( ) called without module or error code" error. |
| PRJ-37217, | Scalable Platforms | Local connection from a Standby site may be dropped if there is a switch between the sites. Refer to sk178045. |
| PRJ-34011, | Scalable Platforms | On a Scalable Platform configured in VSX mode, a new member added to a Security Group may stay in down state because of a false-positive license issue. |
| PRJ-36831, | HCP | Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436. |