R81.10 Jumbo Hotfix Take 95

Note - This Take contains all fixes from all earlier Takes.

Take 95 was released on 13 April 2023 and declared Recommended on 15 May 2023.

ID | Product | Description
---|---|---
PRJ-42693 | Security Management | NEW: Added the ability to run the "verify-policy" Management API command in a private session with unpublished changes.
PRJ-45365 | Security Management | NEW:
PRJ-44576 | Internal CA | NEW: Previously, the Internal CA certificate required a manual renewal process. It is now renewed automatically one year before its expiration date.
PRJ-44226 | Compliance | NEW: The Compliance Blade is enhanced with 5 new Firewall Best Practices:
PRJ-42453 | HCP | NEW: The HCP report is now available in the WebUI. To access it, use the link: https://<Security Gateway IP address>/hcp.
PRJ-41010 | Security Management | UPDATE: Defining GUI Clients on the Log Server is now blocked. Defining GUI Clients is allowed only from the Security Management Server in Active mode.
PRJ-41201 | Security Gateway | UPDATE: Added the ability to force GNAT port randomization. It is controlled by a kernel parameter (off by default).
PRJ-43605, PRHF-22566 | SecureXL | UPDATE: Added a new kernel parameter that controls the size of the fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" to the new value and install policy. This can prevent fragment drops when the Firewall has multiple instances.
PRJ-44610 | Threat Emulation | UPDATE: FakeServer now listens for packets coming from the Virtual Machine during Threat Emulation on port 18443 instead of port 8443.
PRJ-43969 | VPN | UPDATE: When the VTI MTU differs from the physical MTU, the physical MTU is now used by default for sending packets. Refer to sk98074.
PRJ-42404 | VSX | UPDATE: Added more logs related to pushing the VSX configuration.
PRJ-43675 | Harmony Endpoint | UPDATE: Linux installations are now automatically added to the "All Linux Desktops Virtual Group" in Harmony Endpoint. Refer to sk180430.
PRJ-45266 | Gaia OS | UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311.
PRJ-44639 | Gaia OS | UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security fixes.
PRJ-43925 | CloudGuard Network | UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of the Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.10 Administration Guide > Configuration Parameters. This change prevents scenarios in which the CloudGuard Controller fails to connect to a cluster with MDPS enabled (sk180981).
PRJ-44355 | CloudGuard Network | UPDATE: Added support for Data Centers in the AWS ap-southeast-4 (Melbourne) region.
PRJ-40857, MBS-14161 | Scalable Platforms | UPDATE: Added Management Data Plane Separation (MDPS) support for Maestro Orchestrator and Chassis scalable platforms.
PRJ-45755, PMTR-91592 | Scalable Platforms | UPDATE: Enhanced the mechanism for a Maestro Gateway leaving a Security Group.
PRJ-44629, PMTR-90519 | Security Management | Many duplicate OCSP responses may accumulate in the $CPDIR/tmp/curl_crl_ocsp folder.
PRJ-44460 | Security Management | In some scenarios, the "run-script" Management API command may fail with a "Null Pointer Exception" when running with root user permissions.
PRJ-39758 | Security Management | In some scenarios, an exact search in the Object Explorer may not return the expected results.
PRJ-38358 | Security Management | After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results".
PRJ-42060 | Security Management | The "show objects" command returns all objects in the Global Domain regardless of the filter when the "ip-only" flag is set to "true".
PRJ-44025 | Security Management | When Custom Application/Site Group objects are used in an Access policy, policy installation may fail with an "Internal error" message.
PRJ-43962 | Security Management | In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses.
PRJ-42084 | CPView | A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.
PRJ-43472 | CPUSE | In some scenarios, the task progress bar is missing from SmartConsole during Jumbo Hotfix installation.
PRJ-44337 | CPView | The Network-per-CPU tab under CPView > Advanced > SecureXL does not show the traffic distribution for all CPUs. Refer to sk180540.
PRJ-43393 | Logging | In Multi-Domain Security Management, Virtual Systems (VSs) may be unable to send logs to the management because the Log Server constantly disconnects.
PRJ-44095 | Security Gateway | In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to a BGP failure.
PRJ-36112 | Security Gateway | On Microsoft Active Directory, when the "mobile" attribute value used as the DynamicID authentication preferred method is changed to an email address and then back to a phone number, the OTP may still be sent to the email address.
PRJ-44920 | Security Gateway | After an upgrade to Take 79, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in the logs.
PRJ-44232 | Security Gateway | After policy installation, a VSX High Availability Cluster member may fail over and generate a vmcore.
PRJ-42296 | Security Gateway | When MDPS is configured, the mdps_tun interface is shown in the output of the "cpstat ha -f all" command.
PRJ-42707 | Security Gateway | The DNS parser incorrectly handles additional records, which results in extra DNS IP addresses appearing in the FQDN objects list.
PRJ-43011 | Security Gateway | When adding a new RADIUS Server in the Gaia Portal, its IP address is automatically added to the MDPS tasks, but when deleting this server, the MDPS task is not deleted.
PRJ-43886 | Security Gateway | In rare scenarios, the FWD process gets stuck during policy installation.
PRJ-43839 | Security Gateway | The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or to install policy.
PRJ-40878 | Security Gateway | In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.
PRJ-41564 | Security Gateway | SAML authentication fails with an "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.
PRJ-44081 | Security Gateway | In an Active/Standby cluster, when downloading a file over FTP, the FWK process may unexpectedly exit and generate a core dump file.
PRJ-41878 | Security Gateway | On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and rebooting, the Security Gateway continues to boot in Kernel Space mode.
PRJ-43533 | Security Gateway | The Security Gateway may crash because of a race condition between an interface change and the calculation of interface statistics.
PRJ-40472 | Threat Prevention | If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.
PRJ-41901 | Threat Prevention | An IoC feed may fail to load because of a parsing issue with the IP address range indicator.
PRJ-44222 | Threat Prevention | In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although the Anti-Virus and Anti-Bot Blades are enabled.
PRJ-42344 | Identity Awareness | During subsequent policy installations (with an interval of at least 11 minutes between them), an Identity Awareness Gateway configured as an Identity Broker Subscriber revokes all identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659.
PRJ-42933 | Identity Awareness | The PDPD process may cause CPU spikes during a cluster failover.
PRJ-43747 | Identity Awareness | The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.
PRJ-33065 | Identity Awareness | In a rare scenario, a wrong Access Role may be assigned to a user.
PRJ-43503 | Application Control | Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.
PRJ-44383 | Application Control | A buffer overflow may occur and cause the FWD process to exit. In a Maestro environment, this causes the Security Group Members to change from the Active to the Down state and creates instability.
PRJ-43975 | URL Filtering | When the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter is applied, only the first notified application may be considered for Rule Base matching, and the remaining applications are not detected.
PRJ-42714 | IPS | In a rare scenario, the Security Gateway may crash during an IPS package update.
PRJ-44180 | IPS | In some scenarios, the FWK process may unexpectedly exit while the Threat Prevention Blades inspect HTTP traffic.
PRJ-43583 | DLP | A memory leak may occur in the DLPU process.
PRJ-44009 | Anti-Virus | The fwk.elg file may be flooded with "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by the Anti-Virus Blade.
PRJ-44291 | Mobile Access | Some web applications that use the PT or UT link translation methods may have issues after a browser upgrade.
PRJ-41413 | Mobile Access | Access to a web application that uses the WebSocket protocol may not be possible.
PRJ-44131 | SecureXL | An IPv6 template is not created when the connection is NATed.
PRJ-42781 | SecureXL | After installing R81.10 Jumbo Hotfix Take 61 or higher, running the "tcpdump" command fails with the "/bin/cp-tcpdump.sh: line 14: /sbin/tcpdump: No such file or directory" error. Refer to sk180737.
PRJ-44677 | SecureXL | After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped.
PRJ-43983 | SecureXL | In a rare scenario, a CPAQ message sent during policy push is not marked as critical and can be dropped when the Security Gateway is busy.
PRJ-43922 | Routing | Failover may take longer than expected, and traffic does not pass for several seconds because dynamic routes are lost.
PRJ-44940 | Routing | After an update, multicast traffic may be dropped.
PRJ-43410 | Routing | The ROUTED process may repeatedly exit when using PIM in Sparse Mode (SM).
PRJ-44372 | Routing | OSPF routes may not be redistributed after a reboot.
PRJ-41331 | Routing | The ROUTED daemon may unexpectedly exit and generate core dumps after an OSPF neighborship was established but no routes were advertised. The lost routes cause a network outage.
PRJ-44259 | Routing | The ROUTED daemon may unexpectedly exit when using PIM with the source IP address set to "0.0.0.0".
PRJ-44688 | Routing | A cluster member may stop sending multicast PIM traffic after a failover or a reboot. Refer to sk180669.
PRJ-43827 | VPN | In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, the destination member may be calculated incorrectly for an asymmetric connection, and the traffic may be dropped. Refer to sk180855.
PRJ-44285 | VPN | VPN endpoint users fail to log in with an ECDSA certificate.
PRJ-43386 | VPN | After an upgrade, an incorrect IPsec users counter may be displayed in SmartView Monitor or in the output of the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only.
PRJ-40284, PRJ-43713, PRJ-42371 | VPN | Refer to sk180530.
PRJ-43550 | VPN | VPN stability issues.
PRJ-43195 | VPN | TCP traffic on port 34500 may be encrypted by VPN, although it should not be.
PRJ-40913 | VPN | The "failed to terminate session" error is displayed when using RAsession_util to terminate an Endpoint client session.
PRJ-44667 | VPN | When running "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output.
PRJ-44122 | VSX | Changing the main IP address of a Virtual Router may cause the FWM process to exit.
PRJ-40034 | Gaia OS | When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.
PRJ-44238 | Gaia OS | The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.
PRJ-42220 | Gaia OS | Incorrect logs are printed in the /var/log/httpd2_error_log file when logging in to the WebUI.
PRJ-43986 | Gaia OS | The "lldpneighbors" Clish command may produce corrupted output. Refer to sk182065.
PRJ-43563 | Gaia OS | When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.
PRJ-44347 | CloudGuard Network | The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.
PRJ-43397 | CloudGuard Network | VPN cluster stability issue when the peer is an Azure Security Gateway.
PRJ-43577 | CloudGuard Network | Enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command may interfere with the CloudGuard Central License utility, and adding a license fails.
PRJ-44478 | CloudGuard Network | An Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan has started.
PRJ-44614 | VoIP | In rare scenarios, SIP UDP traffic may cause the Security Gateway to crash because of a memory allocation issue.
PRJ-44881 | Scalable Platforms | After an upgrade, local IPv6 traffic from Active members may fail.
PRJ-41941 | Scalable Platforms | When adding a new Virtual System and installing a policy, the member state may change to Down.
PRJ-42677 | Scalable Platforms | Adding more than 250 VLANs on a Maestro Uplink interface of an MHO-175 Orchestrator causes intermittent traffic outages. Refer to sk180340.
PRJ-43383 | Scalable Platforms | The clock verifier test (clock_verifier -v) fails.
PRJ-43802 | Scalable Platforms | The "asg perf" command fails when run with the "-vv" flag.
PRJ-39722 | Scalable Platforms | In a Maestro Security Group, the VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW).
PRJ-40400 | Carrier Security | GTP traffic may be dropped and tunnels are not registered in gtp_tunnels.
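For the SecureXL kernel parameter introduced by PRJ-43605 ("sim_frag_limit_override"), the script below is an added example written for Gaia Expert mode; it is not Check Point's own tooling and not part of the release notes. It persists a `name=value` line in `$PPKDIR/conf/simkern.conf`, the conventional persistence file for SecureXL kernel parameters (`$FWDIR/boot/modules/fwkern.conf` is the equivalent for Firewall parameters), without creating duplicate lines, rejects malformed names or values before they can corrupt the file, and attempts a runtime `fw ctl set int` only when the `fw` binary is present. That the runtime command takes effect for this particular parameter is an assumption; the entry itself says to set the parameter and install policy. The demo runs against a scratch file, not the live configuration, and the pre-existing line it writes is constructed.

```shell
#!/bin/sh
# Added example (not Check Point code): persist a SecureXL kernel parameter
# idempotently and optionally apply it at runtime.
# Assumptions: $PPKDIR/conf/simkern.conf holds one "name=value" per line and is
# read at boot; "fw ctl set int NAME VALUE" applies NAME at runtime.

# set_kernel_param CONF_FILE NAME VALUE
# Replaces an existing NAME= line or appends one. Returns 1 (file untouched)
# when NAME is not an identifier or VALUE is not a non-negative integer, so a
# typo cannot leave a line the kernel parameter loader would choke on.
set_kernel_param() {
    conf="$1"; name="$2"; value="$3"
    case "$name" in
        *[!A-Za-z0-9_]*|"") echo "bad parameter name: '$name'" >&2; return 1 ;;
    esac
    case "$value" in
        *[!0-9]*|"") echo "value must be a non-negative integer: '$value'" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    # Keep every other line, drop any previous definition of NAME, append the new one.
    grep -v "^${name}=" "$conf" > "$tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# get_kernel_param CONF_FILE NAME -> prints the persisted value (last definition wins)
get_kernel_param() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# apply_runtime NAME VALUE: push the value into the running kernel when possible.
# The persisted file only takes effect on the next boot; PRJ-43605 says to install
# policy after setting the parameter.
apply_runtime() {
    if command -v fw >/dev/null 2>&1; then
        fw ctl set int "$1" "$2"
    else
        echo "fw not found; $1=$2 was persisted only" >&2
    fi
}

# Demo against a scratch copy, never the live $PPKDIR/conf/simkern.conf.
demo() {
    d="$(mktemp -d)"; f="$d/simkern.conf"
    printf 'sim_existing_param=1\n' > "$f"                 # constructed pre-existing line
    set_kernel_param "$f" sim_frag_limit_override 65536
    set_kernel_param "$f" sim_frag_limit_override 131072   # second call replaces, not duplicates
    get_kernel_param "$f" sim_frag_limit_override           # 131072
    grep -c '^sim_frag_limit_override=' "$f"                # 1
    rm -rf "$d"
}

demo
```

On a real gateway, call `set_kernel_param "$PPKDIR/conf/simkern.conf" sim_frag_limit_override <value>` followed by `apply_runtime sim_frag_limit_override <value>`, then install policy; check the live value afterwards with `fw ctl get int sim_frag_limit_override`.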