R81.20 Jumbo Hotfix Take 43

NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers.

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Added support for the VPN certificate alert feature for Quantum Spark Appliances R81.10.X.

UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302.

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: It is now possible to add exceptions to external Custom Intelligence feeds.

UPDATE: SSL Network Extender was updated to version 80008407.

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically.

UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode.

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

UPDATE: Gaia API updates is now installed automatically through AutoUpdater. Refer to sk165653.

UPDATE: Posture Management (Vulnerability & Patch Management) is now supported.

UPDATE: Added support for Azure Scale sets with Flexible orchestration mode.

UPDATE:

• Enhanced the mapping performance of Azure subscriptions and the overall process of mapping Data Centers.

• Minimized the duration required for policy updates to gateways in environments incorporating Public Data Centers (Azure, AWS, GCP, Oracle-Cloud OCI, and Generic-Data-Center).

• Updating Data Center properties requires installing the policy on only one Security Gateway.

UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823.

UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway.

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

When closing an application from SmartConsole without changes, a redundant revision is created.

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

When using the RADIUS username for authentication, login to SmartConsole may fail.

The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>".

In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397.

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

SmartConsole may unexpectedly close after clicking "Install Policy" while the Compliance blade is running a full scan.

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file.

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

In rare scenarios:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460.

In SmartConsole, export of policies with the "Hit count" column may get stuck.

The Security Gateway may listen to the ports used by NAT.

In some scenarios, if a DAIP Gateway is registered to a VPN Community:

• "show-vpn-communities-star" Management API command may fail.

• sharing SmartConsole configuration with Infinity Portal fails.

In some scenarios, in High Availability Security Management Server environments, there may be increase of the database on the Security Management Server.

The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field.

In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787.

When viewing Subordinate CA objects in SmartConsole:

• Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

• The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

The fix requires installing SmartConsole R81.20 Build 651 (or higher).

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy.

After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.

• The fix requires installing SmartConsole R81.20 Build 651 (or higher).

Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation.

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields.

In SmartView, filtering logs by Media Encryption & Port Protection blade may fail.

In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud.

In some scenarios, implied rules are not logged for clusters.

Following the installation of R81.20 Jumbo Hotfix Accumulator Take 26, it is impossible to configure a new Maestro group via the Gaia Portal.

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

The output of the "cpstat os -f cpu" command may be incorrect. Refer to sk180966.

In some scenarios, when IPS is enabled, CPU spikes may occur.

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

When running the tp_collector tool, the FW_FULL process may unexpectedly exit.

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route.

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

In rare scenarios, ICA certificate creation and enrollment fail.

The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148.

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure.

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus blade performance.

Anti-Virus fails to block Custom Intelligence feeds that contain percent-encoding.

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

When configuring Custom Intelligence feeds from the management:

• The "no_ssl_validation" variable may be deleted after the policy installation.

• Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

The DLP process may unexpectedly exit during policy installation.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186.

Loading a large Custom Intelligence feed may fail. Refer to sk181158.

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus blade.

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode.

The Security Gateway may fail to enforce certificate blacklisting.

It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155.

The VLAN configured bonded interface monitored state disappear after modifying the bonded interface properties. Refer to sk180724.

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces.

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

When a BFD session is added or removed, disabled sessions may incorrectly come up.

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

Adding an IPv6 OSPFv3 interface in WebUI may fail when SecureXL UPPAK mode is enabled.

When SCV is enabled, Capsule Connect/ Capsule VPN clients may fail to access internal resources.

In a rare scenario, all the IKED processes exit approximately once an hour without core or log indicating that it was triggered by the FWD/CPWD process exit. Refer to sk181643.

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

The MPDAEMON process may be persistently down, even post reboot.

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

When User Mode (UPPAK) is enabled, there may be performance loss when passing traffic through a Virtual Switch on a VSX Security Gateway.

In a rare scenario, affinity configuration on VSX may fail.

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

When changing bond settings, the bond may be missing the global IPv6 Address.

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device.

• Under Reporting > Anti-Malware > Anti-Malware Status, the table is empty or stuck with a "Endpoint Count: Loading" message.

• Under Reporting > Anti-Malware > Anti-Malware Status > Report Action, when clicking "Export Report", it returns an "Unknown error".

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

E2 engine may send an incorrect value of datDate in sync request.

• If a password update from the client is denied on the Server because it is too old, the Server still updates the salt for the password (password then becomes unusable). This affects all client versions.

• E87.31 clients and lower which do not support authentication timestamps, cannot update passwords for Full Disk Encryption users with authentication timestamps stored on the Server (password then becomes unusable).

After an upgrade, Azure Gov mapping may fail.

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

After enabling the Maestro Fastforward feature, policy installation on a Maestro Security Group may fail in SmartConsole with "Maestro acceleration (MXL) failed, reason: General error. Please check /var/log/acl_cli.log on the security group SMO for more details". Refer to sk181661.

When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash.

In a Maestro environment, LACP bond subordinates may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and subordinates is significantly high.

In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash.

In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail.