R81.10 Jumbo Hotfix Take 75

Note - This Take contains all fixes from all earlier Takes.

Take 75

Released on 1 September 2022

| ID | Product | Description |
| --- | --- | --- |
| PRJ-41205 | Installation | 1) After installing R81.10 Jumbo Hotfix Accumulator Take 66 on top of a Blink image that includes Take 55, there is console access but no network connectivity. 2) A reference to VMware is written as a name in the /etc/appliance_config.xml file. Refer to sk179799. See the Important Notes section. |
| PRJ-34854, PMTR-72440 | Security Management | UPDATE: Added validation of Custom Application/Site objects to prevent configuring invalid URLs, which cause Access Policy installation to fail. Refer to sk175187. |
| PRJ-38152, PRHF-23149 | Security Management | UPDATE: Improved Access Policy installation time. |
| PRJ-37260, PRHF-21969 | Security Management | In a large-scale environment, the Management API command "show-access-rulebase" may take a significant amount of time to complete, or time out after 5 minutes. |
| PRJ-36921, PRHF-22479 | Security Management | When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway. |
| PRJ-37524, PRHF-22656 | Security Management | Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server, even though the task is completed on the destination Multi-Domain Server. |
| PRJ-37710, PRHF-22796 | Security Management | Install Policy preset fails if the Threat Prevention policy was uninstalled. |
| PRJ-35656, PRHF-21996 | Security Management | The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment. |
| PRJ-35313, PRHF-21755 | Security Management | The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410. |
| PRJ-35532, PMTR-77217 | Security Management | An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode. |
| PRJ-37505, PRHF-22597 | Security Management | In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message. |
| PRJ-37028, PRHF-22356 | Security Management | Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background. |
| PRJ-37764, PRHF-22671 | Security Management | The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
| PRJ-38065, PRHF-22999 | Security Management | When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully. |
| PRJ-39472, PRHF-23825 | Security Management | Management HA synchronization may fail with the "NGM failed to import data" error. |
| PRJ-38401, PRHF-23290 | Security Management | An Application Control and URL Filtering update may get stuck because of a duplicate lock object issue. |
| PRJ-37400, PRJ-37404, PRHF-22147, PRHF-21075 | Security Management | Global Policy Assignment may fail with the "Failed to connect to FWM" error when the Domain is Active on the remote Multi-Domain Management Server. |
| PRJ-38800, PRHF-23379 | Security Management | In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running it with "details-level full". |
| PRJ-38616, PRHF-23413 | Security Management | A deleted Security Gateway may appear as unavailable in the Gateways&Servers view. |
| PRJ-37200, PRHF-22299 | Security Management | The Management API command "show-vpn-communities-star" for Diffie-Hellman group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054. |
| PRJ-38181, PRHF-22647 | Security Management | The Delete Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration. |
| PRJ-34154, PRHF-21236 | Security Management | Packet mode search in the HTTPS Inspection policy may not work. |
| PRJ-39211, PRHF-23634 | Security Management | The "Throughput/sec" column in the Gateways&Servers view may show "N/A" instead of the actual value. |
| PRJ-39529, PRHF-23939 | Security Management | Improved memory usage and performance of Access Policy installation when numerous Network Groups are used in the Access Rule Base. |
| PRJ-33689, PMTR-75731 | Security Management | The Management API command "show object" may fail on a specific UID with a "Null Pointer exception" message. |
| PRJ-35061, PRHF-21753 | Security Management | Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224. |
| PRJ-38121, PRHF-23065 | Security Management | Policy installation may fail with "an internal error" because of an orphan policy issue. Refer to sk122954. |
| PRJ-35606, PRHF-21981 | Security Management | In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab. |
| PRJ-37887, PRHF-22914 | Security Management | Editing an object may fail with the "Could not access file for write operation" error. |
| PRJ-37510, PRHF-22621 | Security Management | Deleting a Domain may fail when using the createDomainRecovery.sh script with the "UID" flag. |
| PRJ-37636, PRHF-22693 | Security Management | After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted. |
| PRJ-38742, PRHF-23467 | Security Management | In a rare scenario, the FWM process may unexpectedly exit and create a core dump. |
| PRJ-39021, PRHF-23435 | Licensing | 1) SmartConsole cannot retrieve licensing information from SMB devices. 2) The License tab displays the error "This action is not supported for Quantum Spark appliances with Gaia Embedded OS" instead of "Security Gateway not found". |
| PRJ-37989, PRHF-22589 | SmartConsole | After an Application Control update, some Application Control objects may disappear from SmartConsole, although they are not deprecated. |
| PRJ-39119, ODU-377 | Web SmartConsole | UPDATE: Released Take 59 with new features and improvements. Refer to sk170314. |
| PRJ-35672, PMTR-77868 | SmartProvisioning | UPDATE: To prevent duplicate objects in the LSM REST API, it is no longer possible to create an object with the same name written in a different letter case. |
| PRJ-35065, PMTR-77739 | SmartProvisioning | UPDATE: It is now possible to change the provisioning profile of a cluster via the API command "set lsm-cluster" using the UID parameter. |
| PRJ-36053, PMTR-77749 | SmartProvisioning | The "set-lsm-gateway" command may fail during SIC initialization. |
| PRJ-39856, PMTR-84006 | SmartProvisioning | After deleting an LSM object, the Security Gateway can still communicate with and fetch policy from the Management Server. |
| PRJ-38317, PRHF-22563 | SmartProvisioning | The PostgreSQL database fully utilizes the disk space on the Multi-Domain Management Server when SmartProvisioning is enabled in a large-scale environment. Refer to sk178889. |
| PRJ-37103, PRHF-22528 | Logging | UPDATE: Scheduled email reports now use TLS 1.2 instead of TLS 1.0. Refer to sk178125. |
| PRJ-36463, PRHF-22152 | Logging | When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start. |
| PRJ-35997, PRHF-22088 | Logging | Logs with the actions "Expired" and "Hold" may be missing from the Logging view. |
| PRJ-38416, PRHF-21511 | Logging | When there are several Log Servers, a log distribution issue may occur. |
| PRJ-39297, PMTR-82675 | Logging | An error may occur when changing the default Time Frame while the SmartView language is not English. |
| PRJ-39680, PMTR-82910 | Logging | When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells. |
| PRJ-39677, PMTR-83316 | Logging | A CSV file exported from SmartView may contain duplicated header lines. |
| PRJ-33817, PMTR-72206 | Logging | The "log_exporter_reexport" command may export the logs from the beginning of the log file instead of from the provided start position. |
| PRJ-36028, PMTR-70703 | Logging | In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly. |
| PRJ-36021, PRHF-21398 | Logging | In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches. |
| PRJ-39668, PRHF-23392 | Security Gateway | It may not be possible to monitor Security Gateways with Management Data Plane Separation (MDPS) enabled. Refer to sk138672. |
| PRJ-36121, PMTR-71654 | Security Gateway | In CPView, under Network, the Bytes Per Sec value in Traffic Rate may be incorrect. |
| PRJ-38077, GAIA-9576 | Security Gateway | The Security Gateway may crash with a vmcore. |
| PRJ-27917, PMTR-62741 | Security Gateway | When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995. |
| PRJ-41000, PRJ-40954 | Security Gateway | In a VSX environment, SNMP queries to OSPF OIDs may fail. |
| PRJ-39216, PMTR-81290 | Security Gateway | The Security Gateway may crash during PM Stats collection. |
| PRJ-37519, PRHF-22548 | Security Gateway | The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options. |
| PRJ-39686, PRHF-23741 | Security Gateway | An ICAP client crash may also cause the Security Gateway to crash and generate an FWK core dump. |
| PRJ-37953, PRHF-22703 | Security Gateway | A Content Awareness alert is raised for multiple connections, and the processing error "Failed to extract text" is printed in the logs. |
| PRJ-40442, PRJ-38912 | Security Gateway | When the Anti-Virus Blade is enabled, memory consumption may remain continuously high, which can lead to latency. |
| PRJ-41456, PMTR-86925 | Security Gateway | During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency. |
| PRJ-36568, PMTR-79569 | Internal CA | UPDATE: In SmartConsole, added an alert informing that the ICA certificate will expire in less than one year. Refer to sk158096. |
| PRJ-36294, PMTR-77668 | Threat Prevention | A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file. |
| PRJ-39196, PMTR-83142 | Threat Prevention | In a specific scenario, when the Anti-Virus Blade is enabled, the Security Gateway may crash during policy installation. |
| PRJ-39324, PMTR-83434 | Threat Prevention | Improved memory consumption by decreasing the size of the mal_conns table. |
| PRJ-38685, PRHF-23324 | Threat Prevention | In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout. |
| PRJ-40397, ODU-385 | Threat Prevention | Added Update 15 of the Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109. |
| PRJ-41446, PRHF-25374 | Threat Prevention | In a specific HTTP connection scenario, the Security Gateway may become unresponsive, and the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)". See the Important Notes section. |
| PRJ-36522, PMTR-77922 | IPS | Improved detection in some IPS protections. |
| PRJ-39063, PRHF-12660 | IPS | In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports. |
| PRJ-35293, PRHF-21849 | Mobile Access | In some scenarios, when the Mobile Access Blade is enabled, the Security Gateway may crash. |
| PRJ-34725, PMTR-77351 | Mobile Access | In some scenarios, Mobile Access applications fail to log in because the Security Gateway may not forward the HTTP request cookies of some browser-initiated requests to an internal server. |
| PRJ-39154, PRHF-23617 | Mobile Access | Login to a Mobile Access Citrix application may fail. |
| PRJ-34871, PMTR-76212 | ClusterXL | UPDATE: Added support for the "Same VMAC" feature. |
| PRJ-31527, PMTR-72074 | ClusterXL | UPDATE: Added a new Gaia Clish command "show cluster members monitored" to show the cluster monitored IP addresses of all the members in a table format. This command is equivalent to the Expert mode command "cphaprob -m tablestat". |
| PRJ-38615, PMTR-82026 | ClusterXL | When moving a cluster from Unicast to Multicast LS, a Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic loss. |
| PRJ-37490, PMTR-73519 | ClusterXL | In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to the Down state. |
| PRJ-38820, MBS-14060 | ClusterXL | A local connection from the Management interface on a non-standard port (e.g. 8000) may fail. |
| PRJ-36604, PMTR-79447 | ClusterXL | A data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade. |
| PRJ-37883, PMTR-81375 | ClusterXL | A local connection from a Standby member may fail when packets are not fragmented, even if the interface MTU is smaller than the packet size. |
| PRJ-39084, PMTR-79827 | ClusterXL | VPN may not operate correctly on ClusterXL in Load Sharing mode and on Scalable Platforms (Quantum Maestro and Chassis). This causes sporadic but frequent traffic drops. Refer to sk179808. See the Important Notes section. |
| PRJ-37814, PRJ-37001 | SecureXL | NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway invokes its own ARP refresh mechanism after a successful route lookup. Refer to sk175603. |
| PRJ-38595, PMTR-82425 | SecureXL | UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds. |
| PRJ-32710, PMTR-74854 | SecureXL | UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces do not use the alias IP as the local IP address of the tunnel. |
| PRJ-39010, PRHF-22881 | SecureXL | SYN Defender may not properly handle the S2C traffic related to the Allow List. As a result, this traffic may be dropped. |
| PRJ-39004, PRHF-23644 | SecureXL | SYN Defender may change the MSS in a SYN packet to a larger value, potentially causing traffic drops. |
| PRJ-38560, PRHF-22924 | Routing | UPDATE: Source Pruning is now disabled by default when VRRP is enabled. This prevents an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. |
| PRJ-38983, PRHF-23620 | Routing | There may be high CPU utilization and slow recovery of the ROUTED process after a failover. |
| PRJ-38984, PMTR-82262 | Routing | A buffer overflow may cause the ROUTED process to exit with a PNOTE. |
| PRJ-38985, PMTR-73346 | Routing | It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time. |
| PRJ-36940, PMTR-79381 | Routing | In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF. |
| PRJ-37941, PMTR-80421 | VPN | NEW: KAT tests for IKE and TLS are now validated for FIPS certification. |
| PRJ-37775, PRHF-22871 | VPN | Capsule Connect (IPsec VPN) may fail to re-authenticate. |
| PRJ-35422, PMTR-77570 | VPN | When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field. |
| PRJ-32681, PMTR-66706 | VPN | An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange, which can cause an outage. |
| PRJ-37549, PMTR-79930 | VPN | In some scenarios, when a StrongSwan client connects to a site or Security Gateway, the connection is established successfully and the tunnel is created, but there is no traffic. Refer to sk118536. |
| PRJ-37556, PMTR-77042 | VPN | An outage may occur when using IKEv2. |
| PRJ-39065, PMTR-82288 | VPN | Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure. |
| PRJ-36451, PMTR-65595 | VSX | UPDATE: When resetting SIC for a specific Virtual System (sk34098), the new certificate on the Security Gateway is now automatically pulled from SmartConsole. |
| PRJ-32408, PMTR-74557 | VSX | The OID "Syslocation" can now be configured in the context of a Virtual System, as described in "(IV-1) Advanced SNMP configuration" in sk90860. |
| PRJ-33316, PRHF-20561 | VSX | The FWM process may unexpectedly exit after using the VSX Provisioning Tool. |
| PRJ-32478, PRHF-20437 | VSX | When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction. |
| PRJ-32707, PRHF-20553 | VSX | After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS. |
| PRJ-37807, PMTR-81261 | VSX | Running the "vsx_util vsls" command may end with a "Segmentation fault" error. |
| PRJ-28951, PRHF-17665 | VSX | The Multi-Queue configuration does not survive a reboot on VSX. Refer to sk173950. |
| PRJ-38829, PMTR-82551 | VSX | The FWK process of a Virtual Switch (VSW) may consume high CPU. |
| PRJ-38409, PMTR-73704 | VSX | When creating a Virtual System, the "Failed to create Virtual System directories" error is displayed. |
| PRJ-34767, PRHF-21568 | VSX | When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file. |
| PRJ-38794, PMTR-82492 | VSX | In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt. |
| PRJ-38011, PMTR-81493 | VSX | "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg. |
| PRJ-38727, PMTR-81373 | VSX | When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version. |
| PRJ-40704, PMTR-81932 | VSX | A member in a VSX cluster may get stuck in the DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member". |
| PRJ-40950, PMTR-85821 | VSX | The VSX Security Gateway may crash when pushing a policy after deleting an interface. Refer to sk179820. See the Important Notes section. |
| PRJ-36525, PMTR-72069 | Gaia OS | NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN information (interface creation, IP, MTU, comments, state). |
| PRJ-35586, PRHF-21922 | Gaia OS | UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters. |
| PRJ-39379, PMTR-83140 | Gaia OS | The CONFD process may unexpectedly exit and generate a core dump file. |
| PRJ-40366, PMTR-84602 | Gaia OS | Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page): after clicking the "New" button, the progress reaches 100%, but the snapshot file is never created. Refer to sk180579. |
| PRJ-38960, PMTR-72373 | Gaia OS | When loading a configuration file to a new Security Gateway, VLAN interfaces may not be added to the bridge as expected. |
| PRJ-37349, PMTR-80176 | Gaia OS | When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful. |
| PRJ-38231, PMTR-81516 | Gaia OS | When running the "save configuration" command on a VSX device, interfaces other than the Management interface are still shown. This is a cosmetic issue. |
| PRJ-39096, PRHF-23641 | Gaia OS | Dynamic routing SNMP OID polling may work only in VSX mode. |
| PRJ-29673, PMTR-72575 | CloudGuard Network | UPDATE: After a failed Data Center mapping, the next scan retry is initiated with a delay to provide sufficient recovery time. |
| PRJ-38569, PRHF-23328 | CloudGuard Network | UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller now shows an error message instead of revoking identities from the Security Gateway. |
| PRJ-33578, PRHF-20923 | CloudGuard Network | When adding a comment to a Data Center object with the API, the name of the object may be set to the value of the "comments" field. |
| PRJ-38871, PRHF-23555 | CloudGuard Network | After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources. |
| PRJ-38071, PMTR-78814 | CloudGuard Network | Policy install or publish may fail because of an overload of CPM process operations. |
| PRJ-40198, PRHF-24322 | CloudGuard Network | Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS). |
| PRJ-39798, PRHF-23081 | CloudGuard Network | Importing NSX-T Data Center NSGroups with more than 1000 IP addresses may fail and lead to an outage. |
| PRJ-38644, PRJ-38642 | VoIP | NEW: Added a new tab for VoIP monitoring in CPView. |
| PRJ-39817, PMTR-81965 | VoIP | The Security Gateway may crash when running UDP and TCP SIP traffic. |
| PRJ-40930, PRJ-40928 | VoIP | After an upgrade, MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". |
| PRJ-39110, MBS-14962 | Scalable Platforms | UPDATE: Added the ability to change CIN interface IP ranges. Refer to sk179028. |
| PRJ-37469, MBS-15425 | Scalable Platforms | UPDATE: When creating a new Security Group on Quantum Maestro, it is mandatory to configure the First Time Wizard settings. |
| PRJ-35111, PMTR-76563 | Scalable Platforms | UPDATE: The asg_info command is no longer supported on Scalable Platforms. The "cpinfo -Q" command should be used instead. |
| PRJ-39636, MBS-15678 | Scalable Platforms | The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10. |
| PRJ-38297, MBS-15504 | Scalable Platforms | During Jumbo Hotfix Accumulator installation, an sgm_lsp core dump may be created. |
| PRJ-38483, MBS-15568 | Scalable Platforms | When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647. |
| PRJ-38699, MBS-15611 | Scalable Platforms | The ROUTED process may unexpectedly exit when OSPF is configured as P2P. |
| PRJ-39720, PMTR-83873 | Scalable Platforms | Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic. |
| PRJ-39115, PRJ-39116 | Scalable Platforms | The "asg_excp_conf get" command may fail. Existing exceptions cannot be printed because the maximum exception size is not aligned between the kernel and user space (cphaprob). |
| PRJ-34872, PMTR-76980 | Scalable Platforms | In some scenarios, CPWD and HCP report the CPUS_USGS process as terminated. |
| PRJ-35285, PMTR-78037 | Scalable Platforms | A cluster member may fail to perform FullSync and remain in the Down state with a FULLSYNC PNOTE. |
| PRJ-39997, PMTR-78680 | Scalable Platforms | When a Maestro Security Gateway becomes active again after a reboot, the LACP bond may drop incoming and outgoing packets. |
| PRJ-36092, MBS-15239 | Scalable Platforms | A Security Gateway may not be added to the Security Group distribution matrix when moving from a site with two MHOs to a single MHO. |
| PRJ-37640, PRHF-22789 | Scalable Platforms | The "asg_copy_capture" logs repeatedly appear in the /var/log/messages file. The reason given in the logs is "capture file was not found on remote SGMs". |
| PRJ-33924, PMTR-75452 | Scalable Platforms | On Scalable Platforms Chassis in VSX mode, when adding a new member to the Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error. |
| PRJ-41043 | Scalable Platforms | Disk partition of the /var/log directory on Quantum Maestro appliances may fail. |
| PRJ-40309, ODU-454 | HCP | Added Update 9 of the HealthCheck Point (HCP) Release. Refer to sk171436. |