R81.20 Jumbo Hotfix Take 43

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 43

Released on 8 January 2024

PRJ-50012,

PRJ-49119,

PMTR-94679,
PMTR-94786

Security Management

NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers.

PRJ-48759,
PRJ-51416

SD-WAN

NEW: Added Quantum SD-WAN local breakout and VPN overlay support for Security Gateways with dynamic IP addresses.

PRJ-47122,
PMTR-92660

Anti-Spam

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-45065,
PRHF-28095

Security Management

UPDATE: Added support for scheduling automatic purges of the System Data domain.

PRJ-46326

Security Management

UPDATE: Added support for the VPN certificate alert feature for Quantum Spark Appliances R81.10.X.

PRJ-47499,
PMTR-92999

Security Management

UPDATE: Added a new API version (1.9.1). Refer to Management API Reference.

PRJ-52357,
ODU-1400

CPView

UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-48300,
PMTR-93298

SmartConsole

UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.

  • Requires installing SmartConsole R81.20 Build 651 (or higher).

PRJ-49364,
PRHF-28875

Security Gateway

UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302.

PRJ-46317,
PMTR-92164

Security Gateway

UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log.

PRJ-46558,
PMTR-92206

Security Gateway

UPDATE: Added a new option in domains_tool, "-md <list of domains>", which retrieves the IP addresses of multiple Domains. Refer to sk161632.

PRJ-48447,
PMTR-94030

Threat Prevention

UPDATE: Improved the parser of Custom Intelligence feeds to support values written in "Camel case", where multiple words are combined without spaces, and each word begins with a capital letter.

PRJ-51511,
ODU-1248

Threat Prevention

UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-48139,
PMTR-93683

Threat Prevention

UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds.

PRJ-43434,
PRHF-26673

Threat Prevention

UPDATE: It is now possible to add exceptions to external Custom Intelligence feeds.

PRJ-47916,
AVIR-1544

Anti-Virus

UPDATE: Improved Anti-Virus caching mechanism to prevent generating malicious sub-domains in Background resource categorization mode.

PRJ-49233,
PMTR-92549

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 80008407.

PRJ-44244,
PMTR-87141

Mobile Access

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

  • changes in the cloud service configuration,

  • stability improvement.

PRJ-46316,
PMTR-90870

ClusterXL

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically.

PRJ-45338,
PMTR-88036

VPN

UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN.

PRJ-41132,
PMTR-86206

VSX

UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode.

PRJ-48109,
PMTR-90795

VSX

UPDATE: Changed the vsx push configuration log:

  • The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

  • The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

PRJ-50874,
PMTR-97129

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

PRJ-48011,
PRHF-29711

Gaia OS

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0", which was previously limited to +-4450 entries, now increases dynamically.

PRJ-50198

Gaia OS

UPDATE: Gaia API updates are now installed automatically through AutoUpdater. Refer to sk165653.

PRJ-45237,
PRHF-28236

Gaia OS

UPDATE: SNMP traps for interfaces going up and going down now contain the interface name and description.

PRJ-50604,
PMTR-97169

Harmony Endpoint

UPDATE: Posture Management (Vulnerability & Patch Management) is now supported.

PRJ-45728,
PMTR-91551

Harmony Endpoint

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

PRJ-48082,
PRHF-29774

CloudGuard Network

UPDATE: Added support for Azure Scale sets with Flexible orchestration mode.

PRJ-47189,
PRHF-28352

CloudGuard Network

UPDATE: Added the "namespace" label to pods in Kubernetes Data Center.

PRJ-48098,
PRHF-28329

CloudGuard Network

UPDATE:

  • Enhanced the mapping performance of Azure subscriptions and the overall process of mapping Data Centers.

  • Minimized the duration required for policy updates to gateways in environments incorporating Public Data Centers (Azure, AWS, GCP, Oracle-Cloud OCI, and Generic-Data-Center).

  • Updating Data Center properties requires installing the policy on only one Security Gateway.

PRJ-48764
PMTR-94130

CloudGuard Network

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

PRJ-49997,
PMTR-95965

CloudGuard Network

UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823.

PRJ-45772,
PMTR-90618

Scalable Platforms

UPDATE: Added the ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is "cpha_blade_config auto_reboot <on/off>".

PRJ-48197,
PMTR-91032

Scalable Platforms

UPDATE: Added the ability to use Generic Data Centers and Dynamic Objects with a Maestro cluster, not just with a separate Security Gateway.

PRJ-47962,
PRJ-47560

IoT

UPDATE: Enabled new docker capabilities on IoT Gateways.

PRJ-47170,
PRHF-29222

Security Management

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

PRJ-48898,
PRHF-30157

Security Management

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

PRJ-46700,
PRHF-24917

Security Management

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

PRJ-42640,
PRHF-24486

Security Management

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

PRJ-42936,
PRHF-25050

Security Management

When closing an application from SmartConsole without changes, a redundant revision is created.

PRJ-46004,
PRHF-28590

Security Management

Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object.

PRJ-46829,
PRHF-28923

Security Management

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

PRJ-45989,
PRHF-28558

Security Management

Deleting a Domain that is connected to an AD Group fails.

PRJ-46014,
PRHF-28592

Security Management

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

PRJ-45035,
PRHF-27706

Security Management

Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-44988,
PRHF-28001

Security Management

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

PRJ-47620,
PRHF-29494

Security Management

In rare scenarios, the /var/log/message file is filled with Clish login messages for the Admin user.

PRJ-48865,
PRHF-30091

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-45800,
PRHF-28187

Security Management

Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report.

PRJ-47043,
PRHF-29223

Security Management

When using the RADIUS username for authentication, login to SmartConsole may fail.

PRJ-47047,
PRHF-29104

Security Management

In rare scenarios, after an upgrade, the Security Management Server may fail to start.

PRJ-47012,
PRHF-29254

Security Management

The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>".

PRJ-46656,
PRHF-24236

Security Management

When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes.

PRJ-46732,
PRHF-28910

Security Management

In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397.

PRJ-41549,
PRHF-25551

Security Management

QoS policy cannot be installed if the policy package name contains a dot symbol.

PRJ-48818,
PRHF-20141

Security Management

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

PRJ-47967,
PRHF-29565

Security Management

In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178.

PRJ-48788,
PRHF-30027

Security Management

SmartConsole may unexpectedly close after clicking "Install Policy" while the Compliance blade is running a full scan.

PRJ-49226,
PRHF-30300

Security Management

In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-48442,
PRHF-30005

Security Management

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

PRJ-45899,
PRHF-28666

Security Management

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

PRJ-44801,
PMTR-82908

Security Management

In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file.

PRJ-48371,
PRHF-29850

Security Management

The "crldp_initialized" and "crldp_name" keys may be missing in the registry after running promote_util.

PRJ-45783,
PRHF-27471

Security Management

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

PRJ-47259,

PRJ-47236,
PRHF-29374,
PRHF-29423

Security Management

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

PRJ-43290,
PRHF-26909

Security Management

In rare scenarios:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-46783,
PRHF-28958

Security Management

In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install.

PRJ-48201,
PRHF-29851

Security Management

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

PRJ-48038,
PRHF-29549

Security Management

An audit log may not be created after running Revert to Revision.

PRJ-49371,
PRHF-30255

Security Management

In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460.

PRJ-49196,
PRHF-30329

Security Management

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

PRJ-48382,
PRHF-29957

Security Management

In SmartConsole, export of policies with the "Hit count" column may get stuck.

PRJ-48692,
SL-8197

Security Management

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

PRJ-46411,
PMTR-90123

Security Management

The Security Gateway may listen to the ports used by NAT.

PRJ-50359,
PRHF-30763

Security Management

In multi-site environments, when LDAP administrators configured on an external LDAP Server log into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status.

PRJ-50817,
PRHF-31173

Security Management

In some scenarios, if a DAIP Gateway is registered to a VPN Community:

  • "show-vpn-communities-star" Management API command may fail.

  • sharing SmartConsole configuration with Infinity Portal fails.

PRJ-49715,
PRHF-30513

Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Management Server may time out and fail.

  • Publish operation may take a long time.

PRJ-48705,
PRHF-29307

Security Management

In some scenarios, in High Availability Security Management Server environments, there may be an increase of the database on the Security Management Server.

PRJ-49884,
PRHF-30289

Security Management

Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report.

PRJ-48162,
PMTR-93236

Security Management

The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field.

PRJ-42955,
PMTR-88417

Security Management

Application Control and IPS updates may take a long time.

PRJ-45441,
PRHF-28361

Security Management

In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787.

PRJ-48795,

PRJ-48796

Multi-Domain Security Management

When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects.

PRJ-49480,
PRHF-29987

Multi-Domain Management

When viewing Subordinate CA objects in SmartConsole:

  • Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

  • The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

The fix requires installing SmartConsole R81.20 Build 651 (or higher).

PRJ-47039,
PRHF-29235

Multi-Domain Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

PRJ-49715,

PRHF-30513

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Management Server may time out and fail.

  • Publish operation may take a long time.

PRJ-46105,
PRHF-28809

Multi-Domain Security Management

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

PRJ-43692,
PRHF-27130

Multi-Domain Management

Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy.

PRJ-51427,
PMTR-98332

Web SmartConsole

Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6.

PRJ-46436,
PRHF-28762

SmartProvisioning

After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.

  • The fix requires installing SmartConsole R81.20 Build 651 (or higher).

PRJ-47343,
PRHF-29472

SmartView

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

PRJ-47470,
PMTR-92958

CPUSE

Tasks in SmartConsole may end unexpectedly during the Jumbo/major version upgrade operation.

PRJ-50726,
PMTR-96971

SD-WAN

After Jumbo Hotfix Accumulator installation, the connection in the IoT environment stays down.

PRJ-45325,
PMTR-79944

Logging

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

PRJ-45041,
PRHF-28139

Logging

The "Low disk space" warning may be incorrectly displayed in SmartConsole.

PRJ-48341,
PMTR-93310

Logging

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

PRJ-46742,
PRHF-28812

Logging

In some scenarios, implied rules are not logged for clusters.

PRJ-47220,
PRHF-29347

Logging

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

PRJ-46702,
SL-6793

Logging

The Logs view may show a "Failed to read record number" message.

PRJ-44208,
PRHF-27544

Logging

Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields.

PRJ-47809,
PRHF-25147

Logging

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

PRJ-46841,
PRHF-29149

Logging

In SmartView, filtering logs by Media Encryption & Port Protection blade may fail.

PRJ-46187,
PRHF-28421

Logging

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management Server shows that the Security Gateway is disconnected and the Log Server cannot be reached, although logs are sent.

PRJ-48728,
PMTR-93770

Logging

In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud.

PRJ-45607,
PMTR-90654

Logging

In some scenarios, in the Logs view, the "Destination" field may be missing. The issue is only cosmetic.

PRJ-49141,

SL-7477

Logging

In some scenarios, in a Quantum Smart-1 Cloud environment, login to SmartView may fail.

PRJ-48272,
PMTR-93819

Security Gateway

Following the installation of R81.20 Jumbo Hotfix Accumulator Take 26, it is impossible to configure a new Maestro group via the Gaia Portal.

PRJ-51226,
PMTR-98012

Security Gateway

In some scenarios, policy installation may fail. The fwk.elg and the dmd.elg files show correlating errors.

PRJ-45694,
PRHF-28403

Security Gateway

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

PRJ-49865,
PRHF-30556

Security Gateway

Approximately 24 hours after a reboot, memory utilization that starts at 30-40% reaches 80%. This leads to issues with loading web pages and may cause an outage.

PRJ-46482,
PRHF-28857

Security Gateway

The output of the "cpstat os -f cpu" command may be incorrect. Refer to sk180966.

PRJ-48810,
PRHF-29932

Security Gateway

VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481.

PRJ-48023,
PMTR-91868

Security Gateway

In some scenarios, when IPS is enabled, CPU spikes may occur.

PRJ-48823,
PRHF-29853

Security Gateway

In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway.

PRJ-41968,
PRHF-25829

Security Gateway

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

PRJ-47149,
PMTR-92710

Security Gateway

Enlarging the MTU may cause even small packets to be allocated as Jumbo frames. This impacts the performance of the SND CPUs.

PRJ-47210,
PRHF-29194

Security Gateway

When running the tp_collector tool, the FW_FULL process may unexpectedly exit.

PRJ-44702,
PRHF-27451

Security Gateway

In rare scenarios, the WSDNSD process may restart because of an internal error.

PRJ-48154,
PRHF-29602

Security Gateway

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

PRJ-47304,
PMTR-86113

Security Gateway

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact on connectivity. Refer to sk181281.

PRJ-47521,
PRHF-29318

Security Gateway

After installing a policy, because of high latency, the Security Gateway may delete a connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

PRJ-47332,
PMTR-92600

Security Gateway

When using the "cpstop" command on the Security Gateway, the fw_full core may be generated.

PRJ-46378,
PMTR-84794

Security Gateway

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

PRJ-47269,
PRHF-29384

Security Gateway

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

PRJ-44856,
PRHF-27465

Security Gateway

Web Security reports the parsing error "illegal header format detected: Missing quotation mark" for a content-disposition header that contains a filename* parameter or an unquoted parameter.

PRJ-47326,
PMTR-75350

Security Gateway

Benign files scanned by the ICAP Server may not be logged by Anti-Virus blade.

PRJ-45341,
PRHF-28058

Security Gateway

When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route.

PRJ-47371,
PMTR-88610

Security Gateway

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

PRJ-43857,
PMTR-83014

Security Gateway

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

PRJ-45484,
PRHF-27892

Security Gateway

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

PRJ-44619,
PRHF-27190

Security Gateway

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

PRJ-47559,
PRHF-29583

Security Gateway

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

PRJ-47603,
PRHF-29572

Internal CA

In rare scenarios, ICA certificate creation and enrollment fail.

PRJ-46838,
PMTR-92384

Threat Prevention

When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake.

PRJ-47637,
PRHF-29215

Threat Prevention

The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148.

PRJ-43728,
PMTR-89275

Threat Prevention

In some scenarios, the CIFS parser is triggered when it is not needed, which prevents the Security Gateway from fully accelerating the SMB traffic.

PRJ-48847,
PMTR-88858

Threat Prevention

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

PRJ-44692,
PRHF-27890

Threat Prevention

In some scenarios, the Security Gateway fails to export or import Custom Intelligence feeds.

PRJ-46720,
PMTR-92083

Threat Prevention

Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure.

PRJ-44767,
PRHF-27722

Threat Prevention

Fetching of Custom Intelligence feeds fails when no proxy is configured on the Security Gateway.

PRJ-46118,
PMTR-91889

Threat Emulation

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus blade performance.

PRJ-48192,
PRHF-29760

Threat Prevention

Anti-Virus blade fails to parse external Custom Intelligence feeds that contain specific delimiters.

PRJ-48745,
PMTR-88384

Threat Prevention

Anti-Virus fails to block Custom Intelligence feeds that contain percent-encoding.

PRJ-50556,
PRHF-30793

Threat Prevention

In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process.

PRJ-48430,
PMTR-93558

Threat Prevention

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

PRJ-48268,
PRHF-29756

Threat Prevention

URL observables with question marks "?" are not parsed correctly by the Threat Prevention Custom Intelligence feeds feature. Refer to sk181367.

PRJ-49009,

PMTR-92233

Threat Prevention

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

PRJ-45902,
PMTR-91000

Threat Prevention

The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied.

PRJ-46905,
PRHF-29115

Threat Prevention

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

PRJ-48087,
PMTR-93601

Threat Prevention

An outage may occur when an unsupported SSH cipher is selected.

PRJ-47447,
PRHF-29413

Threat Prevention

When configuring Custom Intelligence feeds from the management:

  • The "no_ssl_validation" variable may be deleted after the policy installation.

  • Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

PRJ-46759,
PRHF-28441

Identity Awareness

The ida_tables_util tool may fail with the "bad adress" error.

PRJ-47442,
PMTR-92960

Identity Awareness

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

PRJ-48275,
PRHF-29815

Identity Awareness

There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417).

PRJ-49045,
PRHF-30082

DLP

The DLP process may unexpectedly exit during policy installation.

PRJ-49898,
PMTR-95150

SSL Inspection

In rare scenarios, the WSTLSD process may unexpectedly exit and create core dump files.

PRJ-47065,
PMTR-92599

Application Control

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

PRJ-45721,
PRHF-27843

Application Control

Policy installation fails when a custom application and user category have the same name.

PRJ-46199,
PMTR-85660

Application Control

CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186.

PRJ-47750,
PRJ-47646

IPS

In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex.

PRJ-47555,
PRHF-29458

Anti-Virus

Loading a large Custom Intelligence feed may fail. Refer to sk181158.

PRJ-45837,
TPP-3445

Anti-Virus

DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy.

PRJ-47936,
PRHF-29090

Anti-Virus

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus blade.

PRJ-48128,
PMTR-93685

Anti-Virus

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

PRJ-47785,
PRHF-29581

Anti-Virus

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

PRJ-48973,
PRHF-30090

Anti-Virus

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

PRJ-47240,
PRHF-29289

Anti-Virus

Some websites may be unreachable when one of the Threat Prevention Blades is in Hold mode.

PRJ-50430,
PMTR-96334

Anti-Bot

In rare scenarios, when the IPS or Anti-Bot Blades are enabled, Threat Prevention logs with packet captures appear in SmartConsole without details.

PRJ-47183,
PRHF-29248

SSL Inspection

The Security Gateway may fail to enforce certificate blacklisting.

PRJ-47204,
PRHF-29309

Mobile Access

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

PRJ-47108,
PRHF-29247

Mobile Access

It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155.

PRJ-43928,
PMTR-89813

ClusterXL

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

PRJ-44276,
PRHF-27346

ClusterXL

A Standby member may initiate an FTP data connection, although it should be sent from the Active member. As a result, the connection is terminated. Refer to sk180531.

PRJ-45199,
PRHF-28013

ClusterXL

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

PRJ-43607,
PRHF-25160

ClusterXL

When interfaces disconnect/connect on both members at the same time, it may cause a failover.

PRJ-49758,
PMTR-95601

SecureXL

Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces.

PRJ-50927,
PMTR-97095

SecureXL

When attempting to route packets to unresponsive hosts, the CPU utilization may be high.

PRJ-44735,
PMTR-70190

SecureXL

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

PRJ-51290,
PMTR-97193

SecureXL

In some scenarios, traffic may not pass through a Virtual System on a VSX Security Gateway when it originally came through a Virtual Switch and User Mode (UPPAK) was enabled.

PRJ-49960,
PMTR-95764

Routing

During the processing of PIM Join-Prune messages, the absence of prior (*,G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

PRJ-49237,
PMTR-94838

Routing

When one of the multiple PIM neighbors goes down on the LAN, there may be outages in multicast traffic.

PRJ-47488,
PMTR-93015

Routing

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

PRJ-43249,
ROUT-2018

Routing

Traffic may be dropped when there are many OSPF routes of type 5.

PRJ-47802,
PRHF-29662

Routing

When a BFD session is added or removed, disabled sessions may incorrectly come up.

PRJ-47941,
PMTR-93492

Routing

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

PRJ-48118,
PRHF-29848

Routing

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

PRJ-46901,
PRHF-29091

Routing

The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces.

PRJ-51184,
PMTR-97662

Routing

Adding an IPv6 OSPFv3 interface in WebUI may fail when SecureXL UPPAK mode is enabled.

PRJ-42940,
PRHF-25665

VPN

Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##".

PRJ-42959,
PRHF-26612

VPN

When SCV is enabled, Capsule Connect / Capsule VPN clients may fail to access internal resources.

PRJ-45128,
PMTR-89945

VPN

Back connection does not function on the Statically NATed Office Mode address as expected.

PRJ-51016,
PRHF-31253

VPN

In a rare scenario, all the IKED processes exit approximately once an hour without core or log indicating that it was triggered by the FWD/CPWD process exit. Refer to sk181643.

PRJ-46261,
PRHF-28718

VPN

The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857.

PRJ-46295,
PRHF-28702

VPN

Users that were moved from one AD group to another group are still shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

PRJ-47493,
PRHF-28831

VPN

Potential VPN outage during policy installation.

PRJ-43907,
PMTR-86796

VPN

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

PRJ-47878,
PRHF-29650

Multi-Portal

The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication.

PRJ-46919,
PMTR-92516

Multi-Portal

The MPDAEMON process may be persistently down, even post reboot.

PRJ-50313,
PMTR-96307

Multi-Portal

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

PRJ-43879,
PMTR-87205

VSX

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

PRJ-50953,
PRHF-30747

VSX

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router.

PRJ-51077,
PMTR-97700

VSX

When User Mode (UPPAK) is enabled, there may be performance loss when passing traffic through a Virtual Switch on a VSX Security Gateway.

PRJ-51166,
PMTR-97873

VSX

In some scenarios, the VSX VSLS cluster cannot pass the traffic for up to twenty seconds after performing a failover and failback when User Mode (UPPAK) is enabled.

PRJ-47838,
PRHF-29698

VSX

In a rare scenario, affinity configuration on VSX may fail.

PRJ-47797,
PRHF-29709

VSX

A memory leak may occur in the CPD process.

PRJ-44301,
PMTR-90180

VSX

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

PRJ-44269,
PMTR-86105

VSX

The "vsx_util" upgrade or downgrade validation fails on Virtual Systems where policy was never installed.

PRJ-47399,
PRHF-29485

VSX

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

PRJ-46972,
PRHF-29232

Gaia OS

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

PRJ-46276,
PRHF-28848

Gaia OS

When changing bond settings, the bond may be missing the global IPv6 Address.

PRJ-47774,
PRHF-28671

Gaia OS

Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485.

PRJ-44371,
PRHF-27627

Gaia OS

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

PRJ-46021,
PRHF-28611

Gaia OS

The SNMPD process memory consumption may be high, which causes the process to become unresponsive.

PRJ-46284,
EPS-51347

Harmony Endpoint

Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device.

PRJ-46852,
PRHF-22912

Harmony Endpoint

Because of a rare race condition, AD scanners may get stuck in the initializing state with "ERROR ajp-nio2-127.0.0.1-8009-exec-96 - Failed to enumerate scanner instances for SF-DC2.mapro.cat, scanner instance788b7398-5a79-91fb-6f68-137813a5556e (UsmDSConfigResponder)java.lang.NumberFormatException".

PRJ-48876,
EPS-52991

Harmony Endpoint

  • Under Reporting > Anti-Malware > Anti-Malware Status, the table is empty or stuck with an "Endpoint Count: Loading" message.

  • Under Reporting > Anti-Malware > Anti-Malware Status > Report Action, when clicking "Export Report", it returns an "Unknown error".

PRJ-43572,
PRHF-27125

Harmony Endpoint

After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to "None". It is then not possible to delete this push operation manually; a "Sorry, we had an API issue during request" message is printed.

PRJ-46803,
PRHF-28984

Harmony Endpoint

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

PRJ-47056,
EPS-51960

Harmony Endpoint

Some devices added to a Virtual Group from the SmartEndpoint Reporting tab do not receive the assigned policy.

PRJ-43045,
PRHF-26539

Harmony Endpoint

E2 engine may send an incorrect value of datDate in sync request.

PRJ-48257,
PRHF-25142

Harmony Endpoint

The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package.

PRJ-51660,
EPS-54792

Harmony Endpoint

  • If a password update from the client is denied on the Server because it is too old, the Server still updates the salt for the password (password then becomes unusable). This affects all client versions.

  • E87.31 clients and lower, which do not support authentication timestamps, cannot update passwords for Full Disk Encryption users with authentication timestamps stored on the Server (password then becomes unusable).

PRJ-47900,
PRHF-29630

CloudGuard Network

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

PRJ-47735,
PRHF-29654

CloudGuard Network

After an upgrade, Azure Gov mapping may fail.

PRJ-43610,
PRHF-27033

VoIP

The SIP agent implements a keep-alive mechanism that goes against the RFC, so each message arrives with a different tag in the "From" header. This may increase the memory consumption of the Security Gateway, and these messages may be dropped once they hit the defined limit (the "sim_max_reinvite" parameter).

PRJ-43719,
PRHF-26939

VoIP

After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

PRJ-48851,
PMTR-94227

Scalable Platforms

In a Maestro Orchestrator environment, the "orch_stat -p" command may return the "invalid literal for int() with base 10" error message.

PRJ-50121

Scalable Platforms

After enabling the Maestro Fastforward feature, policy installation on a Maestro Security Group may fail in SmartConsole with "Maestro acceleration (MXL) failed, reason: General error. Please check /var/log/acl_cli.log on the security group SMO for more details". Refer to sk181661.

PRJ-49177,
PRJ-45520

Scalable Platforms

Reboot may take a long time.

PRJ-50344,
MBS-17829

Scalable Platforms

When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash.

PRJ-50031,
PRJ-46817

Scalable Platforms

  • If member ID 1 is removed and then re-added to the Security Group on the active site, while there are two or more active members, it may result in a matrix mismatch. This can potentially lead to traffic interruption until member ID 1 becomes active again.

  • Similarly, installing Jumbo Hotfix Accumulator when member 1 is absent may result in the same behavior and Jumbo Hotfix Accumulator installation may be blocked.

PRJ-46575,
PMTR-92205

Scalable Platforms

In a Maestro environment, LACP bond subordinates may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and subordinates is significantly high.

PRJ-46246,
PMTR-91940

Scalable Platforms

In rare scenarios, when using the "chassis_admin" command, the "asg_chassis_admin | "/opt/CPsmos-R81.20/bin/asg_chassis_admin: line 192: [[: |: syntax error: operand expected (error token is "|")" output may be printed. This is only cosmetic and does not prevent performing site failover.

PRJ-50346,
MBS-17803

Scalable Platforms

In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash.

PRJ-44501,
PRHF-27538

Scalable Platforms

Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file.

PRJ-48213,
PMTR-93744

Scalable Platforms

In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail.

PRJ-47641,
PRHF-29629

Scalable Platforms

In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log.

PRJ-47864,
ACCHA-3317

Scalable Platforms

Accessing the SMO WebUI and performing configuration changes may fail with the "Error in acquiring buffer of member info (-1)" error.