R81.20 Jumbo Hotfix Take 111

NEW: Added the option to send Gaia backup to a Remote Server using SFTP protocol. This feature also supports restore operations via SFTP and scheduled backups (including retention policy support).

• For information about regular backups, refer to R81.20 Gaia Administration Guide > Maintenance > System Backup > Backing Up and Restoring the System.

• For information about scheduled backups, refer to R81.20 Gaia Administration Guide > Maintenance > System Backup > Configuring Scheduled Backups.

UPDATE: Added the ability to monitor the CPU cores that run CoreXL SND (Secure Network Dispatcher) instances separately from the CPU cores that run CoreXL Firewall instances. The monitoring of CPU cores handling CoreXL SND instances was improved. It is possible now to:

• view the exact number of CPU cores running SND instances that are under load, instead of seeing it as a percentage of total CPU cores.

• configure the load threshold for CPU cores running CoreXL SND instances.

• configure the load duration for SND CPU cores.

When these parameters are configured, the load on SND CPUs triggers a failover at a different time and under different load conditions compared to Firewall CPUs. Refer to the R81.20 ClusterXL Administration Guide > Advanced Features and Procedures > ClusterXL Failover based on the Load on ClusterXL SND Instances.

UPDATE: In SmartConsole > Logs & Monitor > Logs, added information to the "Per Session" logs:

• NAT fields

• Dynamic object name

• Updatable object name

• Network feed object name

• Destination Domain Name field

UPDATE: Improved processing of ICMP packets in the Security Gateway.

UPDATE: Added an out-of-the-box package for updatable objects that is included with clean installations or Jumbo Accumulator Hotfix Takes (when no other package exists). If the out-of-the-box package is present during policy installation, an update is now initiated in addition to the automatic update.

UPDATE: Increased the maximum supported number of Uplink interfaces from 64 to 99 on Maestro Orchestrator. Refer to Quantum Maestro Getting Started Guide.

UPDATE: Added Take 179 and Take 192 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Take 44 and Take 75 of CPViewExporter Release Updates. Refer to sk180521.

An FD (file descriptor) memory leak may occur when creating a new object in SmartConsole.

In rare scenarios, accelerated policy installation fails to initialize, the full Access Control Policy installation is executed instead and it may take up to 20 minutes.

In some scenarios, policy installation fails with the "/opt/<xxxxx>-R81.20/conf/Policy-name.pf" line N: ERROR: syntax error Error compiling IPv6 flavor. Operation ended with errors" error.

In some scenarios, the Postgres database on the Standby Security Management Server is growing after every High Availability synchronization. Refer to sk182868.

In rare scenarios, the first packet of a connection is incorrectly dropped when a non-FQDN object is used in the Rule Base.

The "vsx-run-operation" Management API command may fail on the Multi-Domain Security Management Server. Refer to sk182524.

In some scenarios, Virtual Security Gateways lose their licenses. This causes Site to Site VPN and Remote Access VPN services to go down, while general internet access remains functional. SmartUpdate may not load.

In some scenarios, when exporting the Gateways and Servers View to CSV, the resulting file may contain an extra empty column. Refer to sk182233.

In some scenarios, SmartTasks triggered by "after submit", "approve" and "reject" events fail to run.

Fetching branches from an LDAP Server fails with "Failed to connect to LDAP Server. Please ensure that the administrator's credentials are correct and try again" when the LDAP Server does not support anonymous bind (when a client connects to an LDAP server without providing any credentials). To enable the ability, refer to sk183461.

When disconnecting the Security Management Server from the Infinity Portal and connecting to a different region, log sharing from Log Servers does not work until the Log Server restarts.

The VSX Security Gateway may crash when an external interface connected to the Virtual Router or Virtual Switch starts flapping.

• In rare scenarios, the CPD, CPVIEW_SERVICES, RAD, SNMPD and VPN processes may exit with a core dump file because of memory corruption.

• When handling interface statistics, the CPD or FWK processes may unexpectedly restart with an error related to IOCTL printed in logs.
  Refer to sk183544.

RADIUS authentication fails when a response packet contains the Message-Authenticator attribute. Refer to sk183244.

In some scenarios, the "Use of undefined constant session" warning is frequently printed in the SAML Portal's error_log file.

In rare scenarios, the FWK process may unexpectedly exit when the IPS Blade logs triggered protections.

Incorrect memory handling may cause the FWK process to unexpectedly exit.

When Mirror and Decrypt features are enabled, the Security Gateway may experience unexpected reboots.

Security Gateways with default MDPS task settings using proxy can fetch CPUSE updates and licenses successfully. On MPLANE updatable objects are not updated while everything works on DPLANE.

In rare scenarios, the Packet Capture field is missing from Threat Prevention logs in SmartConsole. Refer to sk182597.

In a rare scenario, a script related to CPView may take a long time to execute and the SCRUBD process becomes unresponsive.

Identity Broker Subscriber configured with local Access Role recalculation incorrectly deletes external groups during new Identity publishing, causing missing access roles and improper enforcement for CISCO ISE identity sessions.

False threat alerts may appear in Anti-Virus logs for benign traffic (action: accept). This is a cosmetic issue with no security impact.

In some failure scenarios, the Anti-Virus blade does not report the failure in a SmartConsole log.

The Mobile Access Portal hosted on a Security Gateway R81.20 or lower becomes unresponsive, and CVPND core files are generated after the Security Management Server is upgraded to version R82.

In VSX environments, deleting a Virtual System interface through SmartConsole fails to remove certain bindings, causing the interface to be automatically re-added.

Cluster member state queries return non-unique or irrelevant state codes, making it impossible to distinguish between different cluster member states.

A Multi-Version Cluster (MVC) member with VPN enabled may crash when performing an upgrade from R80.40.

In High Availability Bridge Mode ClusterXL environments, the management interface of a Standby member becomes inaccessible. Refer to sk183124.

A race condition may occur during startup when the ROUTED daemon does not receive all cluster Virtual IP addresses, causing static routes to disappear.

In a rare scenario, no traffic is passed in the 6in4 tunnel and the two hosts cannot reach each other. The output for the "tcpdump" command in the tunnel shows "ip: unknown ip 0".

Installing R81.20 Jumbo Hotfix Accumulator Take 96 and higher on Maestro Gateways with SecureXL working in User Mode (UPPAK) may cause an outage.

See the Critical Information section.

In rare scenarios, when SecureXL works in User Mode, running the "reset_gw" or "vsx_util reconfigure" commands may cause the Security Gateway to crash.

The Security Gateway with SecureXL in UPPAK mode may crash under load during bond interface state flapping.

Multicast traffic is dropped when the Packet-Broker operates in Monitor Mode with Promiscuous Mode disabled.

The Security Gateway may crash when connected to the Smart-1 Cloud Management Server and a maas_tunnel interface is repeatedly added and deleted.

The ROUTED daemon core dump file may be generated because of an assertion failure in the OSPF code.

When working in User Mode (UPPAK), SecureXL may crash when multiple SND cores perform simultaneous next hop lookup for the same next hop.

DHCP broadcast packets are not visible on the intended VLAN when working in SecureXL User Mode (UPPAK). Refer to sk183675.

See the Critical Information section.

If BFD (Bidirectional Forwarding Detection) timing parameters, such as "min-rx-interval", are modified during an active BFD session deletion process, and a new BFD session is established before the deletion fully completes (deletion typically requires up to 2 hours), the newly created session inherits the previous timing configuration rather than applying the updated timing settings.

In a rare scenario, a Security Gateway crash and temporary loss of routing adjacency occur when the cluster messaging system attempts to process a deletion request for a BFD session that no longer exists.

In a rare scenario, the FWK process may exit during VPN traffic decryption and routing when the PPPoE interface is enabled.

Policy installation fails after converting VSX ClusterXL from High Availability to Load Sharing Mode using the "vsx_util convert_cluster" command.

Virtual Router advanced routes may be assigned incorrect priorities in policy-based routing configurations.

The "vsx_util view_vs_conf" command output may show "N/A" for a Gateway when an object in the Domain shares the same name as the Virtual System object.

When deleting a bond interface with slaves still attached while maintaining both WebUI and SSH sessions, the deletion succeeds but generates "unregister_netdevice" syslog messages and terminates the WebUI session. The issue occurs because local connections to the Gateway cause slow bond interface deletion, leading to WebUI timeout.

In rare scenarios, when using IP Aliasing, deleting an interface by IP address reference may incorrectly delete the wrong IP address because of incorrect error handling.

SNMP OID .1.3.6.1.4.1.2620.1.6.7.5.1.5.X falsely reports high CPU because of incorrect calculation. Refer to sk182784.

In rare scenarios, a Security Gateway may unexpectedly restart when deleting interfaces of an 802.3ad bond interface.

SD-WAN fails to obtain next hop address automatically from the DHCP Server.

In rare scenarios, SD-WAN policy installation hangs indefinitely.

A cluster member may crash when performing a manual site failover and the deployment is using "Interface Active Check" with IPv6 enabled.

Connections with fragmented packets drop with the "Virt Defrag Timeout" error. Refer to sk182559.

A reboot loop with a generated configuration pnote may be triggered when Security Group hostname contains strings with "mq" or "otlp".

Incorrect entry order in the /etc/passwd file (admin user entry appearing after root user entry) causes adding Security Group Member with the "member / m" command to hang/fail. Refer to sk180183.

Local connections from members at a standby site may fail when using the Same VMAC feature and a VPN Tunnel Interface (VTI) is configured.