R81.10 Jumbo Hotfix Take 55

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 55

Released on 1 May 2022 and declared as Recommended on 1 June 2022

PRJ-29849,
PRHF-18734

Diagnostics

In some scenarios, CPView shows the SNMP data partially.

PRJ-36494,
PMTR-73021

Security Management

NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509.

This applies only to SmartConsole (does not apply to SmartProvisioning).

PRJ-30408,
PRHF-19450

Security Management

UPDATE:

  • Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".

  • It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

PRJ-35099,
PMTR-76491

Security Management

UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. The parameter is set to "0" by default. Refer to sk178127.

PRJ-33566,
PMTR-75061

Security Management

In rare scenarios, the task of creating/deleting a Domain or Domain Server may be stuck at 5% with the "Task in queue" status.

PRJ-35280,
PMTR-78150

Security Management

In a Multi-Domain environment, only one hundred Domains appear in the Domains view, although there are more.

PRJ-38877,
PRHF-23554

Security Management

In large environments, after installing Jumbo Hotfix Take 38 or Take 45, login to SmartConsole may fail shortly after services are up. Refer to sk178807.

See the Important Notes section.

PRJ-36801,
PMTR-74772

Security Management

In some scenarios, the last modifier name is missing in unpublished sessions and SmartConsole unexpectedly closes.

PRJ-35480,
PMTR-77765

Security Management

Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error.

PRJ-34179,
PRHF-20991

Security Management

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

PRJ-33768

Security Management

The Management REST API "add lsm-gateway" with "SIC" parameter may fail with "generic_error".

PRJ-32563,
PRHF-20316

Security Management

Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144.

PRJ-33402,
PRHF-20866

Security Management

When automatic purge is configured in a local Domain and there is an assignment between the Global Domain and that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

PRJ-33366,
PRHF-20847

Security Management

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

PRJ-34748,
PRHF-21362

Security Management

The "Free Memory" column under the "Gateways and Servers" tab may show "N/A" instead of the actual value. Refer to sk177135.

PRJ-32849,
PMTR-74961

Security Management

In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure".

PRJ-32133,
PRHF-20181

Security Management

When working with Endpoint Cloud, the License tab under "Gateways and Servers" in SmartConsole may show "Certificate error: CertAuthorityInvalid".

PRJ-32719,
PRHF-20332

Security Management

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

PRJ-34773,
PRHF-20960

Security Management

Policy installation on R81 (and below) Gateways may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725.

PRJ-32747,
PRHF-20512

Security Management

In a rare scenario, the FWM process unexpectedly exits.

PRJ-32803,
PRHF-20435

Security Management

The mgmt_cli tool (API) with certificate login may not work.

PRJ-34658,
PRHF-21286

Multi-Domain Management

In a Multi-Domain Management environment, when fetching an LDAP branch using the "fetch" button from the Global Domain tab, the operation may fail.

PRJ-34010,
PMTR-75229

SmartProvisioning

The CPD process may consume high CPU after an upgrade of the Security Management Server that manages devices through LSM Profiles.

PRJ-32374,
PRHF-18699

Logging

When running CPinfo in a large-scale environment, the SmartEventCollectLogs process may get stuck.

PRJ-32581,
PRHF-20447

Logging

In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.

PRJ-32019,
PRHF-20117

Logging

When running the "show_logs" API command with the "query-id" argument and the session is expired, the command ends with a timeout instead of presenting an error.

PRJ-30551,
PRHF-19084

Logging

In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783.

PRJ-38237,
PMTR-81910

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

PRJ-31667,
PMTR-68092

Security Gateway

UPDATE: Added Connection and Packet Distribution statistics in CPView.

PRJ-33275,
PMTR-26836

Security Gateway

The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952.

PRJ-33211,
PRHF-20674

Security Gateway

The dlpu process may unexpectedly exit, producing a core dump file.

PRJ-33999,
PRHF-18340

Security Gateway

In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout.

PRJ-34257,
PRHF-20783

Security Gateway

It may not be possible to use the Office 365 Tenant Restrictions feature when ICAP client is enabled.

PRJ-33613,
PRHF-20810

Security Gateway

In a rare scenario, the FWD process may unexpectedly exit.

PRJ-35096,
PRHF-16013

Security Gateway

Policy installation may fail when the Security Gateway runs out of memory.

PRJ-35008,
PRHF-21742

Security Gateway

The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228.

PRJ-32793,
PRHF-20498

Security Gateway

Matched rules on an Inline layer may appear with the "Accept" / "Drop" action instead of "Inline".

PRJ-32927,
PRJ-32352

Security Gateway

When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics".

PRJ-31209,
PRHF-19333

Security Gateway

The Security Gateway may crash during policy installation due to memory allocation problems.

PRJ-37417,
PMTR-74360

Security Gateway

In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file.

PRJ-34269,
PRHF-19587

Security Gateway

The log_exporter process may consume high CPU.

PRJ-36993

Security Gateway

  • On 2200 appliances, the CPD process may unexpectedly exit because of sensor read failure.
  • Sensor table values for 3600, 3600T, 3800, 6200B, 6200P, 6200T, 6400, 6600, 6700, 6900, 7000, 600-S are incorrect.

PRJ-30446,
PRHF-17552

Threat Prevention

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space.

PRJ-34706,
PMTR-77304

Threat Prevention

In a rare scenario, after excessive memory usage, the kernel may crash.

PRJ-33848,
PMTR-76135

Threat Prevention

Threat Prevention policy may fail when the MITRE tactic ID value is invalid.

PRJ-35822,
PRHF-21396

Identity Awareness

On Scalable Platforms / Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

PRJ-34516,
PRHF-20998

URL Filtering

In a rare scenario, when URL Filtering Blade is active, in Website categorization background mode, the FWK process may unexpectedly exit and create a core dump.

PRJ-29429,
PRHF-18966

IPS

When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated.

PRJ-34646,
PRHF-21416

DLP

In some scenarios, DLP (Data Loss Prevention) Blade may not delete temporary files used for scanning.

PRJ-33003,
PMTR-75153

SSL Inspection

UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2.

PRJ-34975,
PMTR-77321

SSL Inspection

In rare scenarios, the WSTLSD daemon may unexpectedly restart.

PRJ-33956,
PMTR-75000

SSL Inspection

A connectivity issue may occur after changing the Security Gateway's name and installing policy.

PRJ-35783,
PMTR-76030

SSL Inspection

When running cipher_util in any VS other than VS0, the "Cannot access features configuration directory" error is shown.

PRJ-34702,
PMTR-76511

SSL Inspection

Connections may hang and reach a timeout during browsing if the number of WSTLSD instances is reduced through configuration settings.

PRJ-33670,
PMTR-75807

SSL Inspection

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

PRJ-36356,
PMTR-79533

SSL Inspection

A connectivity issue may occur with certain TLS clients.

PRJ-36497,
PMTR-79264

SSL Inspection

In a rare scenario, the WSTLSD process may unexpectedly exit while validating signatures of sites with improper certificate chains.

PRJ-36300,
PMTR-76171

SSL Inspection

A memory leak related to TLS probe may occur in the WSTLSD process.

PRJ-35934

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

PRJ-38371,
PRHF-23291

ClusterXL

The Security Gateway may drop multicast packets after policy installation.

PRJ-36472,
PRHF-21775

SecureXL

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

PRJ-33583,
PMTR-75970

SecureXL

In some scenarios, Security Gateway may drop fragmented Cluster LS packets.

PRJ-35770,
PMTR-77756

Routing

UPDATE: ROUTED debug log will now show IP addresses.

PRJ-34712,
PMTR-73184

Routing

In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order.

PRJ-33627,
PMTR-73794

Routing

An OSPFv2 graceful restart with authentication may cause an outage.

PRJ-30715,
PRHF-18975

Routing

Connectivity issues may occur after configuration of route-based VPN (VTI interface). Refer to sk176368.

PRJ-37476,
PMTR-80602

Identity Awareness,
Identity Logging

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

PRJ-32700,
PRHF-14110

Identity Awareness

Memory usage may be high for the PDPD process in a scenario related to Identity Awareness nested groups in state 2 and 4.

PRJ-28220,
PRHF-15223

Identity Awareness

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

PRJ-35246,
PMTR-78041

Mobile Access

MAB Guacamole-based clientless RDP/SSH connections, when closed prematurely, may cause the GuacProxy process to consume 100% CPU.

PRJ-36060,
PRHF-22134

Mobile Access

Capsule Workspace cannot connect to a Mobile Access Gateway when the Citrix application is configured and allowed to the end-user's group.

PRJ-35978,
PMTR-74818

ClusterXL

A cluster failover may take longer than it should.

PRJ-34341,
PMTR-73930

SecureXL

The "fwaccel dos rate add" command may fail with the "Another fwaccel command is already in progress" error.

PRJ-36074,
PRJ-34902

SecureXL

In some scenarios related to sending multicast packets, ICMP errors may be shown.

PRJ-35388,
VPNS2S-2726

VPN

In some scenarios, the RIM script is not activated in DPD Tunnel monitoring.

PRJ-36181,
PMTR-78626

VPN

The FWK process may unexpectedly exit on a VS with an S2S VPN tunnel.

PRJ-34375,
PMTR-75526

VPN

In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure.

PRJ-34494

VPN

Remote Access users cannot connect when a certificate issued by a configured subordinate CA is used for authentication.

PRJ-35558,
PMTR-78436

VPN

A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured.

PRJ-35347,
PRJ-35405,
PRJ-35402,
PRJ-35399,
PRJ-35402,
VPNS2S-2770,
VPNS2S-2770,
VPNS2S-2822,
VPNS2S-2457,
VPNS2S-2848

VPN

IKEv2 improvements for DAIP Gateway behind Hide NAT.

PRJ-35767,
SMB-16977

VPN

Enhanced stability of Site-to-Site VPN with interoperable devices.

PRJ-35232,
PMTR-73490

VPN

SSL entries may not be deleted from the "vpn tu tlist" command output, although there was a graceful exit.

PRJ-35431,
PMTR-78314

VPN

In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment.

PRJ-35536,
PMTR-78432

VPN

A memory leak may occur in the VPND process when using Remote Access Back Connection.

PRJ-35560,
PMTR-78462

VPN

A memory leak may occur in the VPND process when using Remote Access Secondary Connect.

PRJ-35344,
VPNS2S-2701

VPN

Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP IP which was configured before and had a connection from the DAIP Encryption Domain.

PRJ-35390,
VPNS2S-2769

VPN

Improved IKEv2 for working with DAIPs.

PRJ-35473,
PRJ-35306,
VPNS2S-2847,
PMTR-74009

VPN

Added VPN improvements for IKEv2 SA re-key.

PRJ-33657,
PRHF-21022

VPN

The VPND process may unexpectedly exit with a core dump file.

PRJ-35489,
VPNS2S-2740

VPN

In ike_sa_table there may be an entry with an IP address and not with a DAIP ID.

PRJ-36239,
PRHF-22206

VPN

A memory leak may occur in the VPND process.

PRJ-35001,
PMTR-77287

VSX

The "vsx_util reconfigure" command may fail without printing the reason for the error.

PRJ-34604,
PMTR-74840

VSX

In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch.

PRJ-31697,
PMTR-73594

Gaia OS

The "cpopenssl" command may fail with "No such file or directory".

PRJ-35004,
PMTR-77709

Gaia OS

Fixed the CVE-2020-14145 vulnerability.

PRJ-27910,
PRHF-17814

Harmony Endpoint

In some scenarios, logs related to Harmony Endpoint may be missing.

PRJ-32919,
PMTR-75175

CloudGuard Network

NEW:

  • Rule base search in SmartConsole now also matches rules with Data Center Objects.
  • In SmartConsole, it is now possible to see IP addresses of all the objects included in: AWS VPC and Availability Zone, Azure Virtual Network, GCP Network.
  • In SmartConsole, improved searching objects using tags.

PRJ-28480,
SMB-17079

CloudGuard Network

In rare scenarios, policy installation fails when adding a CloudGuard object to the NAT rulebase.

PRJ-35549,
PRHF-21841

CloudGuard Network

When there are VS's with the same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects.

PRJ-36275,
PRHF-22059

CloudGuard Network

In some scenarios, incorrect data center updates are pushed to the Gateway.

PRJ-36705,
ODU-244

Public Cloud CA Bundle

Added Take 14 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-38970,
PMTR-82980

Scalable Platforms

Packet drop may occur during Maestro Orchestrator reboot or performing the "orchd stop" command. Refer to sk178831.

PRJ-33452,
PMTR-75745

Scalable Platforms

In a rare scenario, after a reboot, there may be connectivity issues between a Gateway and Maestro Hyperscale Orchestrator (MHO).

PRJ-34217,
PMTR-76383

Scalable Platforms

In some scenarios, when accelerated policy installation is performed on a Security Gateway that does not have a valid policy, an obscure failure message is shown.

PRJ-36361,
PRHF-22250

Scalable Platforms

OSPF may install a route to the incorrect IP when configured as P2P. Refer to sk177686.

PRJ-35613,
PMTR-77091

Scalable Platforms

Setting the time on Quantum Scalable Chassis may fail with the "Failed to update the date WARNING: CliError( ) called without module or error code" error.

PRJ-37217,
PMTR-80218

Scalable Platforms

Local connection from a Standby site may be dropped if there is a switch between the sites. Refer to sk178045.

PRJ-34011,
PRJ-29821

Scalable Platforms

On a Scalable Platform configured in VSX mode, a new member added to a Security Group may stay in the down state because of a false-positive license issue.

PRJ-36831,
ODU-287

HCP

Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436.