R81.10 Jumbo Hotfix Take 75

• After Installing R81.10 Jumbo Hotfix Accumulator Take 66 on top of Blink image including Take 55 there is console access but no network connectivity.

• Reference to VMware is written as a name in the /etc/appliance_config.xml file.

Refer to sk179799. See the Important Notes section.

UPDATE: Improved Access Policy installation time.

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

Install Policy preset fails if the Threat Prevention policy was uninstalled.

The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410.

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

Management HA synchronization may fail with the "NGM failed to import data" error.

Global Policy Assignment may fail with the "Failed to connect to FWM" error when the Domain is Active on the remote Multi-Domain Management Server.

A deleted Security Gateway may appear as unavailable in the Gateways&Servers view.

Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration.

The "Throughput/sec" column in the Gateways&Servers view may show "N/A" instead of the actual value.

The Management API command "show object" may fail on a specific UID with a "Null Pointer exception" message.

Policy installation may fail with "an internal error" because of an orphan policy issue. Refer to sk122954.

Editing an object may fail with the "Could not access file for write operation" error.

After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted.

• SmartConsole cannot retrieve licensing information from SMB devices.

• The License tab displays the error "This action is not supported for Quantum Spark appliances with Gaia Embedded OS" instead of "Security Gateway not found".

UPDATE: Released Take 59 with new features and improvements. Refer to sk170314.

UPDATE: It is now possible to make a change in the provisioning profile of a cluster via the API command "set lsm-cluster" using the UID parameter.

After deleting an LSM object, the Security Gateway can still communicate and fetch policy from the Management Server.

UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125.

Logs with actions "Expired" and "Hold" may be missing from the Logging view.

An error may occur when changing default Time Frame while the SmartView language is not English.

A CSV file exported from SmartView may contain duplicated lines of headers.

In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly.

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

The Security Gateway may crash with a vmcore.

In a VSX environment, SNMP queries to OSPF OIDs may fail.

The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options.

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file.

Improved memory consumption by decreasing the size of the mal_conns table.

Added Update 15 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109.

Improved detection in some IPS protections.

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

Login to Mobile Access Citrix application may fail.

UPDATE: Added a new Gaia Clish command "show cluster members monitored" to show cluster monitored IP addresses of all the members in a table format. This command is equivalent to the Expert mode command "cphaprob -m tablestat".

In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state.

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

VPN may not operate correctly on ClusterXL in Load Sharing mode and Scalable Platforms (Quantum Maestro and Chassis). This causes sporadic but frequent traffic drops. Refer to sk179808.

See the Important Notes section.

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped.

UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. Refer to sk178484.

A buffer overflow may cause the ROUTED process to exit with PNOTE.

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

Capsule Connect (IPSec VPN) may fail to re-authenticate.

An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage.

An outage may occur when using IKEv2.

UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS.

Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950.

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt.

When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version.

The VSX Security Gateway may crash when pushing a policy after deleting an interface. Refer to sk179820.

See the Important Notes section.

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579.

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

Dynamic routing SNMP OID polling may work only in VSX mode.

UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway.

After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources.

Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS).

NEW: Added a new tab for VoIP monitoring in CPView.

After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports".

UPDATE: When creating a new Security Group on Quantum Maestro, it is mandatory to configure First Time Wizard settings.

The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10.

When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647.

Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic.

In some scenarios, CPWD and HCP report the CPUS_USGS process as terminated.

When a Maestro Security Gateway is active again after a reboot, the LACP bond may drop incoming and outgoing packets.

The "asg_copy_capture" logs repeatedly appear in the var/log/messages file. The reason given in the logs is "capture file was not found on remote SGMs".

Disk partition of the /var/log directory on Quantum Maestro appliances may fail.