R81.20 Jumbo Hotfix Take 101

NEW: Added support for CloudGuard Controller scanner for Global NSX-T Manager. This feature is disabled by default. Refer to R81.20 CloudGuard Controller Administration Guide.

UPDATE: Management upgrade performance is improved by up to 15%.

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or with the Advanced Upgrade method.

UPDATE: CPView and SNMP can now show Hide NAT statistics for up to 200 top NAT IP Pools (the default is 3 top NAT IP Pools). Configure the required value for the kernel parameter "fwx_alloc_top_pools_num" with the CLI command "fw ctl set -f int fwx_alloc_top_pools_num <integer from 1 to 200>".

UPDATE: Improved the FW Monitor command output syntax. Refer to sk30583.

UPDATE: RAD extended flow information is now logged into a cyclic CSV file - $FWDIR/log/rad_events/rad_flows.csv. This enhancement provides visibility into RAD connections, helping to monitoring and troubleshooting. Refer to sk183108.

UPDATE: SecureXL User Mode (UPPAK) is now blocked in Active-Active cluster configurations, as this combination is not supported.

UPDATE: Optimized memory management when processing Jumbo Frames.

UPDATE: SD-WAN now supports AWS Cross Availability Zone Clusters, enabling distributed security deployments across multiple AWS regions.

UPDATE: Harmony Endpoint Management Server Anti-Malware (E2) updater now supports Linux packages. Previously, Linux packages were available for download and installation only through other tools.

UPDATE: Added Update 22 of HealthCheck Point (HCP) Release. Refer to sk171436.

In SmartConsole, in the Gateways & Servers view, under Device & License Information of a Security Gateway or Cluster object, or in CPView and SNMP traps, the value of "new connection rate" for OID .1.3.6.1.4.1.2620.1.1.26.11.6.0 is incorrect.

In rare scenarios, policy installation fails with "Policy installation had failed due to an internal error".

Management Server operations may be slow because of some API commands, and multiple core dumps may be generated.

In some scenarios, the Security Management Server with a proxy configured is unable to connect to Infinity Portal after changing the proxy settings.

Duplicated licenses on the Security Management Server may impact the vsec_lic_cli utility.

Renaming a Secondary Security Management Server that was promoted to Primary fails.

When a Security Gateway object is deleted, its license may still appear as attached even though the Security Gateway Object no longer exists.

Packet mode search or search within Object Explorer for IP address ranges may not work correctly on the Standby Security Management Server.

Login using a TACACS Server created with the "add tacacs-server" Management API command, fails with "authentication to server failed".

If a custom login message exceeds 1000 characters, the login output file, which contains the sid and other session data, cannot be parsed as expected. Using the "mgmt_cli" with the "-s" parameter results in the "Failed to parse login output file" error.

In certain scenarios, when Cluster objects are used in a Multi-Domain Security Management Server with Domains that have Global Domain Assignments, an upgrade may fail with "Tried to persist object OBJ_ID with domain 1e294ce0-367a-11e3-aa6e-0800200c9a66 while active domain is DOMAIN_ID".

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or with the Advanced Upgrade method.

In rare scenarios, Global Policy Assignment fails with an "IPS update is currently running in local domain" message, although IPS update is not running in that Domain.

Policy installation fails on all Domains on the Multi-Domain Security Management Server with "Layer LAYER NAME': Verification failed due to an internal error" if an Externally Managed Security Gateway object with IPsec enabled does not have an encryption Domain. Refer to sk183003.

In some scenarios, on a Multi-Domain Security Management Server, implied rules are not logged for clusters managed by Domains with Global Domain Assignment.

When opening a log card in the Logs View, duplicate values may appear in the "Resource" and "Reason" fields.

Memory handling issue, causing the FWK process to unexpectedly restart.

In a rare scenario, when the Anti-Virus Blade and the ICAP Server are enabled, there may be high CPU usage.

In rare scenarios, HTTPS inspection may block the downloading and uploading of PDF files to and from the Web Server.

In a rare scenario, VoIP Traffic fails after the initial call when SecureXL operates in User Mode (UPPAK). Refer to sk183218.

In a rare scenario, the Security Gateway may crash during email inspection.

Resolved an issue where incorrect handling in rare flows could lead to an FWK crash

In a Maestro environment with configured Virtual System Load Sharing (VSLS) Mode, one of the Security Gateways on an SGM may be unresponsive until it is restarted several times.

In rare scenarios, Security Gateway may crash when running the "ethtool -x" or the "ethtool -X" command for an interface that uses the AWS ENA network driver.

In a rare scenario, if the USIM process exits during firewall memory mapping, it can result in a Security Gateway crash.

The DSD process (Dynamic Split Daemon) may exit when the "affinity" command input is large.

The CPD or FWK process may unexpectedly restart when handling the interface statistics.

The FWK process exits with core dumps and error messages in $FWDIR/log/fwk.elg:"malware_res_rep_match_dns_response: check_dns_response_activate() failed".

In rare scenarios, in a VSX environment, a Virtual System may boot with the default filter. Refer to sk182453.

Using NAT64 may lead to high memory consumption (memory leak) because some packets are not released.

In rare scenarios, the CPD process may unexpectedly exit and create a core dump file.

When a NAT-T tunnel is set up between VPN peers, packets having UDP encapsulation added to the headers are not transmitted out of the PPPoE interface as they should be. VPN connection appears to be established but does not actually pass traffic.

The Anti-Virus Blade incorrectly classifies the .pqx files as .zip files, resulting in failure logs.

In rare scenarios, the Threat Emulation Blade may fail to correctly classify the file type.

Some custom applications in the HTTPS Inspection policy are not matched if they are part of a Group object. Refer to sk183176.

In some scenarios, when URL Filtering Blade analyzes web requests, the RAD error may appear in /var/log/messages: "rad_kernel_urlf_request_serialize: string len =XXXX bigger than max 4096".

In some scenarios, a Security Gateway is not listed as an option for the Threat Prevention uninstall, even though the Threat Prevention Blade is disabled on the Security Gateway object.

In some scenarios, the user configurations are overwritten in the RAD configuration file.

RAD queries fail, generating "wrong status code in reply" errors logged in $FWDIR/log/rad_events/Error/* files. Refer to sk183009.

In some scenarios, the Anti-Bot Blade fails to parse external IoC feeds with IP address observables.

In some scenarios, a SmartConsole log with the Anti-Bot Blade entries may appear when the Anti-Bot Blade is disabled in the profile.

When a TLS connection is rejected because of no shared key exchange between the client and the Security Gateway, no log is generated to inform the administrator.

In a VSX environment, the WebSocket applications in Mobile Access may fail to resolve their destination addresses through DNS when the DNS configuration at the global level differs from the DNS configuration of a local Virtual System.

During cluster startup with routing separation enabled, a mismatch between routing and firewall process initialization can trigger premature full synchronization pnotes when the routing process is not fully synchronized.

A warning message "adp_rt4_delete: rt entry .... does not exist for slot 1" may be printed in the /var/log/dmesg file while VPN the connection remains active.

In an asymmetric UDP traffic scenario (Client-to-Site VPN and Site-to-Site VPN distributed to different members), the connection may not get accelerated.

In some scenarios, a memory leak occurs in the FWK process when SecureXL fails to update an existing route's next hop.

SecureXL in User Mode (UPPAK) may restart when the Security Gateway is under high load and cpWatchDog triggers a reboot.

In a rare scenario, the Security Gateway may become unresponsive during extended high memory utilization.

The Hardware Acceleration offloaded connection may break when the route is updated, affecting the offload flow and slowing down operations.

Duplicate entries in the kernel routing table can occur when iBGP peers disconnect and reconnect, causing the same routes to be added multiple times rather than properly replaced.

In rare cases, when an internal BGP (iBGP) peer disconnects during a graceful restart, BGP may fail to advertise all routes. However, the missing routes still appear under "adj-rib-out" with a next hop of "0.0.0.0."

When configuring a per-peer local address in BGP, IPv6 local address validation fails.

In a Maestro environment, an error message about short string length may be incorrectly displayed when setting an expert password string that includes the colon ":" character on the Security Gateway.

Incorrect SmartConsole download link in the Gaia Portal.

When a network connection is established simultaneously in both directions (server-to-client and client-to-server), the Security Gateway experiences connectivity issues because of incorrect packet dispatching, leading to dropped packets. Refer to sk183072.

The FWM core dump file is created when running the "vsx_util vsls" command on a VSX cluster without Virtual Systems configured.

Output of the "dynamic_split -p" command shows "Dynamic Split is currently off (Stopped due to State Verification failure)" on a VSX Gateway. Refer to sk181231.

Creating multiple Virtual Gateways may fail with "Setting management connection failed!".

Dynamic IP address changes for DAIP Gateway objects are not propagated to all Security Gateways in the SD-WAN VPN community, causing VPN connectivity failures.

Upon contract renewal, non-SMO members in the Maestro Security Group may not get the updated contract automatically.

• The fix requires this Jumbo Hotfix Accumulator Take to be installed on all the members of the group.

TCP and UDP traffic over VLAN IDs greater than 2024 does not pass through a Maestro Security Group when SecureXL in User Mode (UPPAK) is enabled. Refer to sk183337.

See the Critical Information section.

High CPU usage may occur on Security Group members.

Configured proxy ARP may not work as expected, when the "Same VMAC" feature is enabled.