R81.10 Jumbo Hotfix Take 75

Note - This Take contains all fixes from all earlier Takes.

ID | Product | Description |
---|---|---|
Take 75 Released on 1 September 2022 | | |
PRJ-41205 | Installation | Refer to sk179799. See the Important Notes section. |
PRJ-34854, | Security Management | UPDATE: Added validation of Custom Application/Site objects to prevent configuring invalid URLs, which causes Access policy installation failure. Refer to sk175187. |
PRJ-38152, | Security Management | UPDATE: Improved Access Policy installation time. |
PRJ-37260, | Security Management | In a large scale environment, the Management API command "show-access-rulebase" may take a significant amount of time to complete or time out after 5 minutes. |
PRJ-36921, | Security Management | When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway. |
PRJ-37524, | Security Management | Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server. |
PRJ-37710, | Security Management | Install Policy preset fails if the Threat Prevention policy was uninstalled. |
PRJ-35656, | Security Management | The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment. |
PRJ-35313, | Security Management | The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410. |
PRJ-35532, | Security Management | An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode. |
PRJ-37505, | Security Management | In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message. |
PRJ-37028, | Security Management | Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background. |
PRJ-37764, | Security Management | The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-38065, | Security Management | When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully. |
PRJ-39472, | Security Management | Management HA synchronization may fail with the "NGM failed to import data" error. |
PRJ-38401, | Security Management | An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue. |
PRJ-37400, | Security Management | Global Policy Assignment may fail with the "Failed to connect to FWM" error when the Domain is Active on the remote Multi-Domain Management Server. |
PRJ-38800, | Security Management | In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running it with "details-level full". |
PRJ-38616, | Security Management | A deleted Security Gateway may appear as unavailable in the Gateways&Servers view. |
PRJ-37200, | Security Management | The Management API command "show-vpn-communities-star" for Diffie-Hellman group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054. |
PRJ-38181, | Security Management | Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration. |
PRJ-34154, | Security Management | Packet mode search in HTTPS Inspection policy may not work. |
PRJ-39211, | Security Management | The "Throughput/sec" column in the Gateways&Servers view may show "N/A" instead of the actual value. |
PRJ-39529, | Security Management | Improved memory usage and performance of Access Policy installation when numerous Network Groups are used in the Access Rule Base. |
PRJ-33689, | Security Management | The Management API command "show object" may fail on a specific UID with a "Null Pointer exception" message. |
PRJ-35061, | Security Management | Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224. |
PRJ-38121, | Security Management | Policy installation may fail with "an internal error" because of an orphan policy issue. Refer to sk122954. |
PRJ-35606, | Security Management | In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab. |
PRJ-37887, | Security Management | Editing an object may fail with the "Could not access file for write operation" error. |
PRJ-37510, | Security Management | Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag. |
PRJ-37636, | Security Management | After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted. |
PRJ-38742, | Security Management | In a rare scenario, the FWM process may unexpectedly exit and create a core dump. |
PRJ-39021, | Licensing | |
PRJ-37989, | SmartConsole | After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated. |
PRJ-39119, | Web SmartConsole | UPDATE: Released Take 59 with new features and improvements. Refer to sk170314. |
PRJ-35672, | SmartProvisioning | UPDATE: To prevent a duplicates issue in the LSM REST API, it is no longer possible to create an object with the same name but written in a different letter case. |
PRJ-35065, | SmartProvisioning | UPDATE: It is now possible to make a change in the provisioning profile of a cluster via the API command "set lsm-cluster" using the UID parameter. |
PRJ-36053, | SmartProvisioning | The "set-lsm-gateway" command may fail during the SIC initialization. |
PRJ-39856, | SmartProvisioning | After deleting an LSM object, the Security Gateway can still communicate and fetch policy from the Management Server. |
PRJ-38317, | SmartProvisioning | The PostgreSQL database fully utilizes disk space on the Multi-Domain Management Server when SmartProvisioning is enabled in a large scale environment. Refer to sk178889. |
PRJ-37103, | Logging | UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125. |
PRJ-36463, | Logging | When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start. |
PRJ-35997, | Logging | Logs with actions "Expired" and "Hold" may be missing from the Logging view. |
PRJ-38416, | Logging | When there are several Log Servers, a log distribution issue may occur. |
PRJ-39297, | Logging | An error may occur when changing the default Time Frame while the SmartView language is not English. |
PRJ-39680, | Logging | When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells. |
PRJ-39677, | Logging | A CSV file exported from SmartView may contain duplicated lines of headers. |
PRJ-33817, | Logging | The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position. |
PRJ-36028, | Logging | In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly. |
PRJ-36021, | Logging | In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches. |
PRJ-39668, | Security Gateway | It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672. |
PRJ-36121, | Security Gateway | In CPView, under Network, the Bytes Per Sec value in Traffic Rate may be incorrect. |
PRJ-38077, | Security Gateway | The Security Gateway may crash with a vmcore. |
PRJ-27917, | Security Gateway | When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995. |
PRJ-41000, | Security Gateway | In a VSX environment, SNMP queries to OSPF OIDs may fail. |
PRJ-39216, | Security Gateway | The Security Gateway may crash during PM Stats collection. |
PRJ-37519, | Security Gateway | The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options. |
PRJ-39686, | Security Gateway | An ICAP client crash may also cause the Security Gateway to crash and generate an FWK core dump. |
PRJ-37953, | Security Gateway | There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs. |
PRJ-40442, | Security Gateway | When Anti-Virus Blade is enabled, there may be continuous high memory consumption, which can lead to latency. |
PRJ-41456, | Security Gateway | During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency. |
PRJ-36568, | Internal CA | UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer to sk158096. |
PRJ-36294, | Threat Prevention | A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file. |
PRJ-39196, | Threat Prevention | In a scenario when Anti-Virus Blade is enabled, the Security Gateway may crash during policy installation. |
PRJ-39324, | Threat Prevention | Improved memory consumption by decreasing the size of the mal_conns table. |
PRJ-38685, | Threat Prevention | In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout. |
PRJ-40397, | Threat Prevention | Added Update 15 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109. |
PRJ-41446, | Threat Prevention | In a specific HTTP connection scenario, the Security Gateway may become unresponsive, and the /var/log/messages file contains these messages during the time of the issue: "FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)". See the Important Notes section. |
PRJ-36522, | IPS | Improved detection in some IPS protections. |
PRJ-39063, | IPS | In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports. |
PRJ-35293, | Mobile Access | In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash. |
PRJ-34725, | Mobile Access | In some scenarios, the Mobile Access applications fail to log in because the Security Gateway may not forward HTTP request cookies of some browser-initiated requests to an internal Server. |
PRJ-39154, | Mobile Access | Login to Mobile Access Citrix application may fail. |
PRJ-34871, | ClusterXL | UPDATE: Added support for the "Same VMAC" feature. |
PRJ-31527, | ClusterXL | UPDATE: Added a new Gaia Clish command "show cluster members monitored" to show cluster monitored IP addresses of all the members in a table format. This command is equivalent to the Expert mode command "cphaprob -m tablestat". |
PRJ-38615, | ClusterXL | When moving a cluster from Unicast to Multicast LS, Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic loss. |
PRJ-37490, | ClusterXL | In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state. |
PRJ-38820, | ClusterXL | Local connection from the Management interface on a non-standard port (e.g. 8000) may fail. |
PRJ-36604, | ClusterXL | Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade. |
PRJ-37883, | ClusterXL | Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size. |
PRJ-39084, | ClusterXL | VPN may not operate correctly on ClusterXL in Load Sharing mode and Scalable Platforms (Quantum Maestro and Chassis). This causes sporadic but frequent traffic drops. Refer to sk179808. See the Important Notes section. |
PRJ-37814, | SecureXL | NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603. |
PRJ-38595, | SecureXL | UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds. |
PRJ-32710, | SecureXL | UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces will not use the alias IP as the local IP address of the tunnel. |
PRJ-39010, | SecureXL | SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped. |
PRJ-39004, | SecureXL | SYN Defender may change MSS in a SYN packet to a larger value, potentially causing traffic drop. |
PRJ-38560, | Routing | UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. Refer to sk178484. |
PRJ-38983, | Routing | There may be high CPU utilization and slow recovery of the ROUTED process after a failover. |
PRJ-38984, | Routing | A buffer overflow may cause the ROUTED process to exit with PNOTE. |
PRJ-38985, | Routing | It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time. |
PRJ-36940, | Routing | In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF. |
PRJ-37941, | VPN | NEW: KAT tests for IKE and TLS are now validated for FIPS certification. |
PRJ-37775, | VPN | Capsule Connect (IPSec VPN) may fail to re-authenticate. |
PRJ-35422, | VPN | When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field. |
PRJ-32681, | VPN | An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage. |
PRJ-37549, | VPN | In some scenarios, when a StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536. |
PRJ-37556, | VPN | An outage may occur when using IKEv2. |
PRJ-39065, | VPN | Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure. |
PRJ-36451, | VSX | UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole. |
PRJ-32408, | VSX | The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860. |
PRJ-33316, | VSX | The FWM process may unexpectedly exit after using the VSX Provisioning tool. |
PRJ-32478, | VSX | When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction. |
PRJ-32707, | VSX | After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS. |
PRJ-37807, | VSX | Running the "vsx_util vsls" command may end with the "Segmentation fault" error. |
PRJ-28951, | VSX | Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950. |
PRJ-38829, | VSX | The FWK process of Virtual Switch (VSW) may consume high CPU. |
PRJ-38409, | VSX | When creating a virtual system, the "Failed to create Virtual System directories" error is displayed. |
PRJ-34767, | VSX | When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file. |
PRJ-38794, | VSX | In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt. |
PRJ-38011, | VSX | "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg. |
PRJ-38727, | VSX | When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version. |
PRJ-40704, | VSX | A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member". |
PRJ-40950, | VSX | The VSX Security Gateway may crash when pushing a policy after deleting an interface. Refer to sk179820. See the Important Notes section. |
PRJ-36525, | Gaia OS | NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN info (interface creation, IP, MTU, comments, state). |
PRJ-35586, | Gaia OS | UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters. |
PRJ-39379, | Gaia OS | The CONFD process may unexpectedly exit and generate a core dump file. |
PRJ-40366, | Gaia OS | Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579. |
PRJ-38960, | Gaia OS | When loading a configuration file to the new Security Gateway, VLAN interfaces may not be added to the bridge as expected. |
PRJ-37349, | Gaia OS | When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful. |
PRJ-38231, | Gaia OS | When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue. |
PRJ-39096, | Gaia OS | Dynamic routing SNMP OID polling may work only in VSX mode. |
PRJ-29673, | CloudGuard Network | UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time. |
PRJ-38569, | CloudGuard Network | UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway. |
PRJ-33578, | CloudGuard Network | When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments". |
PRJ-38871, | CloudGuard Network | After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources. |
PRJ-38071, | CloudGuard Network | Policy install or publish may fail because of the CPM process operations overload. |
PRJ-40198, | CloudGuard Network | Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS). |
PRJ-39798, | CloudGuard Network | Importing NSX-T Data Center NSGroups with more than 1000 IP addresses may fail and lead to an outage. |
PRJ-38644, | VoIP | NEW: Added a new tab for VoIP monitoring in CPView. |
PRJ-39817, | VoIP | The Security Gateway may crash when running UDP and TCP SIP traffic. |
PRJ-40930, | VoIP | After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". |
PRJ-39110, | Scalable Platforms | UPDATE: Added ability to change CIN interface IP ranges. Refer to sk179028. |
PRJ-37469, | Scalable Platforms | UPDATE: When creating a new Security Group on Quantum Maestro, it is mandatory to configure First Time Wizard settings. |
PRJ-35111, | Scalable Platforms | UPDATE: The asg_info command is no longer supported on Scalable Platforms. The "cpinfo -Q" command should be used instead. |
PRJ-39636, | Scalable Platforms | The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10. |
PRJ-38297, | Scalable Platforms | During Jumbo Hotfix Accumulator installation, the sgm_lsp core dump may be created. |
PRJ-38483, | Scalable Platforms | When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647. |
PRJ-38699, | Scalable Platforms | The ROUTED process may unexpectedly exit when OSPF is configured as P2P. |
PRJ-39720, | Scalable Platforms | Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic. |
PRJ-39115, | Scalable Platforms | The "asg_excp_conf get" command may fail. Existing exceptions cannot be printed due to unaligned exception max size between kernel and userspace (cphaprob). |
PRJ-34872, | Scalable Platforms | In some scenarios, CPWD and HCP report the CPUS_USGS process as terminated. |
PRJ-35285, | Scalable Platforms | A cluster member may fail to perform FullSync and remain in Down state with FULLSYNC PNOTE. |
PRJ-39997, | Scalable Platforms | When a Maestro Security Gateway is active again after a reboot, the LACP bond may drop incoming and outgoing packets. |
PRJ-36092, | Scalable Platforms | A Security Gateway may not be added to the Security Group distribution matrix when moving from a site with two MHOs to a single MHO. |
PRJ-37640, | Scalable Platforms | The "asg_copy_capture" logs repeatedly appear in the /var/log/messages file. The reason given in the logs is "capture file was not found on remote SGMs". |
PRJ-33924, | Scalable Platforms | On Scalable Platforms Chassis in VSX mode, when adding a new member to a Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error. |
PRJ-41043 | Scalable Platforms | Disk partition of the /var/log directory on Quantum Maestro appliances may fail. |
PRJ-40309, | HCP | Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436. |