R81.10 Jumbo Hotfix Take 95


Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 95

Released on 13 April 2023 and declared as Recommended on 15 May 2023

PRJ-42693,
PMTR-88560

Security Management

NEW: Added ability to run the "verify-policy" Management API command on a private session with unpublished changes.

PRJ-45365,
PMTR-90420

Security Management

NEW:

  • Added support for 1595 Slim Ruggedized appliances.

  • Added support for 1535 / 1555, 1575 / 1595 Quantum Spark Pro appliances.

PRJ-44576,
PMTR-90463

Internal CA

NEW: Previously, the Internal CA certificate required a manual renewal process. It is now renewed automatically one year before its expiration date.

PRJ-44226,
PMTR-89589

Compliance

NEW: The Compliance Blade is enhanced with five new Firewall Best Practices:

  • FW174 - Check that there are no Access Control rules with "Any" in the "Source" column and "Accept" or "Ask" in the "Action" column.

  • FW175 - Check that there are no Access Control rules with "Any" in the "Destination" column and "Accept" or "Ask" in the "Action" column.

  • FW176 - Check that there are no Access Control rules with "Any" in the "Services and Applications" column and "Accept" or "Ask" in the "Action" column.

  • FW177 - Check that there are no temporary Access Control rules (based on the "Name" column).

  • FW178 - Check that there are no temporary Access Control rules (based on the "Comments" column).
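The five checks above are easy to reproduce outside the Compliance Blade, for example against a rulebase exported with the Management API. The script below is an added example and is not Check Point code: it walks a constructed excerpt in the JSON shape that "mgmt_cli show access-rulebase ... --format json" returns (nested "access-section" entries included), flags FW174/FW175/FW176 only for enabled rules whose action is "Accept" or "Ask", skips negated columns (a "not Any" cell is not an "Any" match), and uses an assumed keyword list for the "temporary rule" heuristics of FW177/FW178, since the page does not say which strings the Compliance Blade matches.

```python
"""Reproduce Compliance best practices FW174-FW178 over a Management API rulebase.

Added example, not Check Point code.  Assumptions: JSON as returned by
`mgmt_cli show access-rulebase name "Network" details-level standard --format json`
(object names resolved inline), and the TEMP_PATTERN keyword list below.
"""
import json
import re

PERMISSIVE_ACTIONS = {"Accept", "Ask"}

# FW177/FW178 look for "temporary" rules by Name and Comments.  The keywords are
# an assumption; the page does not state what the Compliance Blade matches.
TEMP_PATTERN = re.compile(r"\b(temp|temporary|tmp)\b", re.IGNORECASE)

# Constructed sample rulebase (not from a real Security Management Server).
SAMPLE_RULEBASE = json.loads(r"""
{
  "name": "Network",
  "rulebase": [
    {"type": "access-rule", "rule-number": 1, "name": "Mgmt access", "enabled": true,
     "source": [{"name": "Admin_Net", "type": "network"}],
     "destination": [{"name": "Mgmt_Server", "type": "host"}],
     "service": [{"name": "https", "type": "service-tcp"}],
     "action": {"name": "Accept"}, "comments": ""},
    {"type": "access-section", "name": "Exceptions", "rulebase": [
      {"type": "access-rule", "rule-number": 2, "name": "TEMP - vendor", "enabled": true,
       "source": [{"name": "Any", "type": "CpmiAnyObject"}],
       "destination": [{"name": "Vendor_Host", "type": "host"}],
       "service": [{"name": "ssh", "type": "service-tcp"}],
       "action": {"name": "Accept"}, "comments": "remove after migration"},
      {"type": "access-rule", "rule-number": 3, "name": "Web DMZ", "enabled": true,
       "source": [{"name": "Any", "type": "CpmiAnyObject"}],
       "destination": [{"name": "Any", "type": "CpmiAnyObject"}],
       "service": [{"name": "http", "type": "service-tcp"},
                   {"name": "https", "type": "service-tcp"}],
       "action": {"name": "Ask"}, "comments": "temporary exception, ticket 1234"}
    ]},
    {"type": "access-rule", "rule-number": 4, "name": "Old temp rule", "enabled": false,
     "source": [{"name": "Any", "type": "CpmiAnyObject"}],
     "destination": [{"name": "Any", "type": "CpmiAnyObject"}],
     "service": [{"name": "Any", "type": "CpmiAnyObject"}],
     "action": {"name": "Accept"}, "comments": ""},
    {"type": "access-rule", "rule-number": 5, "name": "Cleanup", "enabled": true,
     "source": [{"name": "Any", "type": "CpmiAnyObject"}],
     "destination": [{"name": "Any", "type": "CpmiAnyObject"}],
     "service": [{"name": "Any", "type": "CpmiAnyObject"}],
     "action": {"name": "Drop"}, "comments": ""}
  ]
}
""")


def iter_rules(layer):
    """Yield every access-rule in a layer, descending into access-sections."""
    for item in layer.get("rulebase", []):
        if item.get("type") == "access-section":
            yield from iter_rules(item)
        elif item.get("type") == "access-rule":
            yield item


def is_any(column):
    """True if the column contains the predefined "Any" object."""
    return any(o.get("name") == "Any" or o.get("type") == "CpmiAnyObject" for o in column)


def check_rule(rule):
    """Return the best-practice codes (FW174..FW178) the rule violates."""
    findings = []
    if not rule.get("enabled", True):
        return findings  # a disabled rule never matches traffic
    if rule.get("action", {}).get("name") in PERMISSIVE_ACTIONS:
        for code, column in (("FW174", "source"), ("FW175", "destination"), ("FW176", "service")):
            # A negated column ("not Any") is not an "Any" match, so it is skipped.
            if is_any(rule.get(column, [])) and not rule.get(column + "-negate", False):
                findings.append(code)
    if TEMP_PATTERN.search(rule.get("name") or ""):
        findings.append("FW177")
    if TEMP_PATTERN.search(rule.get("comments") or ""):
        findings.append("FW178")
    return findings


def audit(layer):
    """Map rule number -> violated best practices, for rules with findings."""
    report = {}
    for rule in iter_rules(layer):
        findings = check_rule(rule)
        if findings:
            report[rule["rule-number"]] = findings
    return report


if __name__ == "__main__":
    for number, codes in sorted(audit(SAMPLE_RULEBASE).items()):
        print(f"rule {number}: {', '.join(codes)}")
```

Two practical notes when feeding real output to audit(): request "details-level standard" (or "full") so that source, destination and service carry object names rather than UIDs, and page through the layer with the "limit" and "offset" parameters of "show access-rulebase", because a single call returns at most 500 rules.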

PRJ-42453,
PMTR-77024

HCP

NEW: HCP report is now available in WebUI. To access it, use the link: https://<Security Gateway IP address>/hcp.

PRJ-41010,
PRHF-24971

Security Management

UPDATE: Defining GUI Clients on the Log Server is now blocked. Defining GUI Clients is allowed only from the Security Management Server in Active mode.

PRJ-41201,
PRHF-24563

Security Gateway

UPDATE: Added the ability to force GNAT port randomization. It is controlled by the kernel parameter fwx_force_random_nat_port_alloc (off by default) and requires GNAT to be enabled.

  • To activate it, add the entry "fwx_force_random_nat_port_alloc=1" to the $FWDIR/boot/modules/fwkern.conf file.

  • To disable it, set the entry to "fwx_force_random_nat_port_alloc=0".

Entries in fwkern.conf are read when the Firewall kernel module loads, so the change takes effect after a reboot.

PRJ-43605,
PRHF-22566

SecureXL

UPDATE: Added a new SecureXL kernel parameter that controls the size of the fragments table. To use it, set the kernel parameter "sim_frag_limit_override" to the desired value and install policy. This can prevent fragment drops on Security Gateways with multiple Firewall instances.

PRJ-44610,
PMTR-90504

Threat Emulation

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

PRJ-43969,
PRHF-27306

VPN

UPDATE: When the VTI MTU differs from the physical interface MTU, the physical MTU is used for sending packets by default.

  • To use the configured VTI MTU instead (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a".

  • To make the change permanent, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.
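The GNAT port randomization, sim_frag_limit_override and sim_vpn_use_physical_mtu notes above all come down to the same operation: a runtime "fw ctl set int" change that is lost on reboot, and a persistent "name=value" entry in $FWDIR/boot/modules/fwkern.conf (fw parameters) or $PPKDIR/conf/simkern.conf (SecureXL parameters). Editing those files by hand tends to leave duplicate lines or, worse, a sed that matches sim_frag_limit when sim_frag_limit_override was meant. The helper below is an added example and is not Check Point code; it assumes only the documented file format (one "name=value" per line, "#" comments) and edits a constructed sample, matching the whole parameter name and collapsing duplicates so the file ends up with exactly one entry per parameter.

```python
"""Idempotent edits to a Check Point kernel-parameter file.

Added example, not Check Point code.  Assumes the documented format of
$FWDIR/boot/modules/fwkern.conf and $PPKDIR/conf/simkern.conf:
one `name=value` entry per line, lines starting with `#` are comments.
"""
import re

# Full-name match: `sim_frag_limit` must not match `sim_frag_limit_override`.
ENTRY = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*([^#\s]*)")

# Constructed sample file (not copied from a real gateway); note the duplicate.
SAMPLE_SIMKERN = """# SecureXL kernel parameters
sim_frag_limit=100000
sim_vpn_use_physical_mtu=1
sim_vpn_use_physical_mtu=1
"""


def parse_kern_conf(text):
    """Return {name: value}.  On duplicates the first line is reported; which one
    the kernel honours is exactly the ambiguity set_kern_param() removes."""
    params = {}
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m and m.group(1) not in params:
            params[m.group(1)] = m.group(2)
    return params


def set_kern_param(text, name, value):
    """Return `text` with exactly one `name=value` line for `name`.

    An existing entry is rewritten in place, later duplicates are dropped,
    a missing entry is appended.  Other lines and comments are untouched."""
    out, done = [], False
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m and m.group(1) == name:
            if not done:
                out.append(f"{name}={value}")
                done = True
            continue  # drop a duplicate entry for the same parameter
        out.append(raw)
    if not done:
        out.append(f"{name}={value}")
    return "\n".join(out) + "\n"


def runtime_command(name, value):
    """The equivalent non-persistent change (lost on reboot)."""
    return f"fw ctl set int {name} {value}"


if __name__ == "__main__":
    new = set_kern_param(SAMPLE_SIMKERN, "sim_vpn_use_physical_mtu", 0)
    new = set_kern_param(new, "sim_frag_limit_override", 200000)
    print(new)
    print(runtime_command("sim_vpn_use_physical_mtu", 0))
```

A deployment script would read the real file, pass its contents through set_kern_param(), write the result back and then apply the same value with runtime_command() so that the running kernel and the persistent configuration agree without waiting for a reboot.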

PRJ-42404,
PMTR-87600

VSX

UPDATE: Added more logging related to pushing the VSX configuration.

  • On the Security Gateway side: in the last_vsx_push_configuration.elg file, which is now circular.

  • On the Security Management side: in the vsx_util log. The command name is now part of the log file name (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

  • The VSX Provisioning Tool now logs to the vpt_history.elg file.

PRJ-43675,
PRHF-27227

Harmony Endpoint

UPDATE: Linux installations are now automatically added to "All Linux Desktops Virtual Group" in Harmony Endpoint. Refer to sk180430.

PRJ-45266,
PMTR-91124

Gaia OS

UPDATE: Added a defense mechanism against hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311.

PRJ-44639,
PMTR-90527

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

PRJ-43925,
PRHF-27357

CloudGuard Network

UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of the Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.10 Administration Guide > Configuration Parameters. This change prevents the scenario in which the CloudGuard Controller fails to connect to a cluster with MDPS enabled (sk180981).

PRJ-44355,
PRJ-44354

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region.

PRJ-40857,
MBS-14161

Scalable Platforms

UPDATE: Added Management Data Plane Separation (MDPS) support for Maestro Orchestrator and Chassis scalable platforms.

PRJ-45755,
PMTR-91592

Scalable Platforms

UPDATE: Enhanced the mechanism of Maestro Gateway leaving a Security Group.

PRJ-44629,
PMTR-90519

Security Management

Many duplicate OCSP response files may accumulate in the $CPDIR/tmp/curl_crl_ocsp folder.

PRJ-44460,
PRHF-27327

Security Management

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

PRJ-39758,
PRHF-24058

Security Management

In some scenarios, exact search in the Object Explorer may not return the expected results.

PRJ-38358,
PRHF-23108

Security Management

After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results".

PRJ-42060,
PRHF-25730

Security Management

The "show objects" Management API command returns all objects in the Global Domain regardless of the filter when the "ip-only" flag is set to "true".

PRJ-44025,
PRHF-27405

Security Management

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

PRJ-43962,
PRHF-27308

Security Management

In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses.

PRJ-42084,
PRHF-25916

CPView

There is a typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

PRJ-43472

CPUSE

In some scenarios, the Task Progress bar is missing from SmartConsole during Jumbo Hotfix installation.

PRJ-44337,
PMTR-89535

CPView

The Network-per-CPU tab under CPView > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

PRJ-43393,
PRHF-26905

Logging

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

PRJ-44095,
PRHF-27460

Security Gateway

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to a BGP failure.

PRJ-36112,
PRHF-21819

Security Gateway

When the value of the Microsoft Active Directory "mobile" attribute used as the DynamicID preferred authentication method is changed to an email address and then back to a phone number, the OTP may still be sent to the email address.

PRJ-44920,
PRHF-27936

Security Gateway

After an upgrade to Take 79, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

PRJ-44232,
PRHF-27318

Security Gateway

After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore.

PRJ-42296,
PRHF-26094

Security Gateway

When MDPS is configured, the mdps_tun interface appears in the output of the "cpstat ha -f all" command.

PRJ-42707,
PRHF-26247

Security Gateway

The DNS parser incorrectly handles Additional records, so extra IP addresses appear in the FQDN objects list.

PRJ-43011,
PRHF-26600

Security Gateway

When a new RADIUS Server is added in the Gaia Portal, its IP address is automatically added to the MDPS tasks, but when that Server is deleted, the MDPS task is not removed.

PRJ-43886,
PRHF-26861

Security Gateway

In rare scenarios, the FWD process is stuck during policy installation.

PRJ-43839,
PRHF-27097

Security Gateway

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in SSH connection failures or policy installation failures.

PRJ-40878,
PMTR-85619

Security Gateway

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

PRJ-41564,
PRJ-41202

Security Gateway

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

PRJ-44081,
PRHF-26620

Security Gateway

In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated.

PRJ-41878,
PMTR-87372

Security Gateway

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

PRJ-43533,
PRHF-26097

Security Gateway

The Security Gateway may crash because of a race condition that occurs when an interface changes while interface statistics are being calculated.

PRJ-40472,
PMTR-84923

Threat Prevention

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

PRJ-41901,
PRHF-25811

Threat Prevention

IoC feed may not load because of a parsing issue with the IP address range indicator.

PRJ-44222,
PRHF-27358

Threat Prevention

In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled.

PRJ-42344,
PRHF-26221

Identity Awareness

During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revokes all identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659.

PRJ-42933,
PMTR-88806

Identity Awareness

The PDPD process may cause CPU spikes during cluster failover.

PRJ-43747,
PRHF-27158

Identity Awareness

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

PRJ-33065,
PRHF-20425

Identity Awareness

In a rare scenario, a wrong access role may be assigned to a user.

PRJ-43503,
PRHF-26475

Application Control

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

PRJ-44383,
PRHF-27645

Application Control

A buffer overflow may occur and cause the FWD process to exit. In a Maestro environment, this causes Security Group Members to change from the Active to the Down state and creates instability.

PRJ-43975,
PRHF-27284

URL Filtering

When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected.

PRJ-42714,
PRHF-26557

IPS

In a rare scenario, the Security Gateway may crash during an IPS package update.

PRJ-44180,
PMTR-89863

IPS

In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic.

PRJ-43583,
PRHF-27076

DLP

A memory leak may occur in the DLPU process.

PRJ-44009,
PMTR-89738

Anti-Virus

The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade.

PRJ-44291,
PRHF-27598

Mobile Access

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

PRJ-41413,
PRHF-25371

Mobile Access

Access to a web application that uses WebSocket protocol may not be possible.

PRJ-44131,
PMTR-89935

SecureXL

IPv6 template is not created when the connection is NATed.

PRJ-42781,
MBS-16193

SecureXL

After installing R81.10 Jumbo Hotfix Take 61 and higher, running the "tcpdump" command fails with the "/bin/cp-tcpdump.sh: line 14: /sbin/tcpdump: No such file or directory" error. Refer to sk180737.

PRJ-44677,
PRHF-27803

SecureXL

After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped.

PRJ-43983,
PMTR-89372

SecureXL

In a rare scenario, a CPAQ message sent during policy push is not marked as critical and can be dropped when the Security Gateway is busy.

PRJ-43922,
ROUT-2460

Routing

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

PRJ-44940,
PRHF-23766

Routing

After an update, multicast traffic may be dropped.

PRJ-43410,
PRHF-6347

Routing

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

PRJ-44372,
PMTR-88972

Routing

OSPF routes may not be redistributed after reboot.

PRJ-41331,
PRHF-25024

Routing

The ROUTED daemon may unexpectedly exit and generate core dumps after an OSPF neighborship was established but no routes were advertised. The lost routes cause a network outage.

PRJ-44259,
PRHF-27407

Routing

The ROUTED daemon may unexpectedly exit when using PIM and the source IP address is set to 0.0.0.0.

PRJ-44688,
ROUT-2353

Routing

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

PRJ-43827,
PRHF-27339

VPN

In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, the destination cluster member may be calculated incorrectly for asymmetric connections, and the traffic may be dropped. Refer to sk180855.

PRJ-44285,
PRHF-16890

VPN

Endpoint VPN users fail to log in with an ECDSA certificate.

PRJ-43386,
PRHF-27010

VPN

After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only.

PRJ-40284,
PRHF-24166,
PRJ-43713,
PRHF-27256,
PRJ-42371,
PRHF-26116

VPN

  • NAT-T traffic may stop matching the implied rule after policy installation and is dropped with "IKE_NAT_TRAVERSAL Traffic Dropped from x.x.x.x to y.y.y.y" message in SmartLog.

  • VPND and IKED stability issues occur when loading newly created LDAP group objects.

Refer to sk180530.

PRJ-43550,
SDWANGW-1205

VPN

VPN stability issues.

PRJ-43195,
PRHF-26797

VPN

TCP traffic on port 34500 may be encrypted by VPN, although it should not.

PRJ-40913,
PRHF-24641

VPN

The "failed to terminate session" error is displayed when using RAsession_util to terminate an Endpoint client session.

PRJ-44667,
PMTR-86522

VPN

When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output.

PRJ-44122,
PMTR-88803

VSX

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

PRJ-40034,
PRHF-24249

Gaia OS

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

PRJ-44238,
PRHF-27526

Gaia OS

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

PRJ-42220,
PRHF-25947

Gaia OS

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

PRJ-43986,
PRHF-27222

Gaia OS

The "lldpneighbors" Clish command may have a corrupted output. Refer to sk182065.

PRJ-43563,
PRHF-27096

Gaia OS

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

PRJ-44347,
PRHF-26820

CloudGuard Network

The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

PRJ-43397,
PMTR-80399

CloudGuard Network

VPN Cluster stability issue when the peer is an Azure Security Gateway.

PRJ-43577,
PMTR-89444

CloudGuard Network

Enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command may interfere with the CloudGuard Central License utility, and adding a license fails.

PRJ-44478,
PMTR-90345

CloudGuard Network

Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started.

PRJ-44614,
PRHF-27502

VoIP

In rare scenarios, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

PRJ-44881,
PMTR-86526

Scalable Platforms

After an upgrade, local IPv6 traffic from Active members may fail.

PRJ-41941,
PMTR-87577

Scalable Platforms

When adding a new Virtual System and installing a policy, member state may change to Down.

PRJ-42677,
PRJ-42783

Scalable Platforms

Adding more than 250 VLANs on an Orchestrator MHO-175 Maestro Uplink interface causes intermittent traffic outages. Refer to sk180340.

PRJ-43383,
PMTR-76352

Scalable Platforms

The clock verifier test (clock_verifier -v) fails.

PRJ-43802,
PRJ-43803

Scalable Platforms

The "asg perf" command fails when running it with the "-vv" flag.

PRJ-39722,
PMTR-74779

Scalable Platforms

In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW).

PRJ-40400,
PRHF-24044

Carrier Security

GTP traffic may be dropped and tunnels are not registered in gtp_tunnels.