R81.20 Jumbo Hotfix Take 43
|
Note - This Take contains all fixes from all earlier Takes. |
ID |
Product |
Description |
---|---|---|
Take 43 Released on 8 January 2024 |
||
PRJ-50012, PRJ-49119, PMTR-94679, |
Security Management |
NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers. |
PRJ-48759, |
SD-WAN |
NEW: Added Quantum SD-WAN local breakout and VPN overlay support for Security Gateways with dynamic IP addresses. |
PRJ-47122, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-45065, |
Security Management |
UPDATE: Added support for scheduling automatic purges of the System Data domain. |
PRJ-46326 |
Security Management |
UPDATE: Added support for the VPN certificate alert feature for Quantum Spark Appliances R81.10.X. |
PRJ-47499, |
Security Management |
UPDATE: Added a new API version (1.9.1). Refer to Management API Reference. |
PRJ-52357, |
CPView |
UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-48300, |
SmartConsole |
UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.
|
PRJ-49364, |
Security Gateway |
UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302. |
PRJ-46317, |
Security Gateway |
UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log. |
PRJ-46558, |
Security Gateway |
UPDATE: Added a new option in domains_tool, "-md <list of domains>", which retrieves the IP addresses of multiple Domains. Refer to sk161632. |
PRJ-48447, |
Threat Prevention |
UPDATE: Improved the parser of Custom Intelligence feeds to support values written in "Camel case", where multiple words are combined without spaces, and each word begins with a capital letter. |
PRJ-51511, |
Threat Prevention |
UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-48139, |
Threat Prevention |
UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds. |
PRJ-43434, |
Threat Prevention |
UPDATE: It is now possible to add exceptions to external Custom Intelligence feeds. |
PRJ-47916, |
Anti-Virus |
UPDATE: Improved Anti-Virus caching mechanism to prevent generating malicious sub-domains in Background resource categorization mode. |
PRJ-49233, |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 80008407. |
PRJ-44244, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-46316, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically. |
PRJ-45338, |
VPN |
UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN. |
PRJ-41132, |
VSX |
UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode. |
PRJ-48109, |
VSX |
UPDATE: Changed the vsx push configuration log:
|
PRJ-50874, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements. |
PRJ-48011, |
Gaia OS |
UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0", which was previously limited to ±4450 entries, now increases dynamically. |
PRJ-50198 |
Gaia OS |
UPDATE: Gaia API updates are now installed automatically through AutoUpdater. Refer to sk165653. |
PRJ-45237, |
Gaia OS |
UPDATE: SNMP traps for interfaces going up and going down now contain the interface name and description. |
PRJ-50604, |
Harmony Endpoint |
UPDATE: Posture Management (Vulnerability & Patch Management) is now supported. |
PRJ-45728, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-48082, |
CloudGuard Network |
UPDATE: Added support for Azure Scale sets with Flexible orchestration mode. |
PRJ-47189, |
CloudGuard Network |
UPDATE: Added the "namespace" label to pods in Kubernetes Data Center. |
PRJ-48098, |
CloudGuard Network |
UPDATE:
|
PRJ-48764 |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region |
PRJ-49997, |
CloudGuard Network |
UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823. |
PRJ-45772, |
Scalable Platforms |
UPDATE: Added the ability to stop repeated reboots caused by a configuration mismatch, for debugging purposes. The new command is "cpha_blade_config auto_reboot <on/off>". |
PRJ-48197, |
Scalable Platforms |
UPDATE: Added the ability to use Generic Data Centers and Dynamic Objects with a Maestro cluster, not just with a separate Security Gateway. |
PRJ-47962, |
IoT |
UPDATE: Enabled new docker capabilities on IoT Gateways. |
PRJ-47170, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-48898, |
Security Management |
In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file. |
PRJ-46700, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-42640, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-42936, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-46004, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "opsec-ha" returns success but has no effect on the cluster object. |
PRJ-46829, |
Security Management |
In some scenarios, the "Object is no longer available" validation warning appears for updatable objects. |
PRJ-45989, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-46014, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-45035, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-44988, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-47620, |
Security Management |
In rare scenarios, the /var/log/messages file is filled with Clish login messages for the Admin user. |
PRJ-48865, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-45800, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-47043, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-47047, |
Security Management |
In rare scenarios, after an upgrade, the Security Management Server may fail to start. |
PRJ-47012, |
Security Management |
The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>". |
PRJ-46656, |
Security Management |
When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes. |
PRJ-46732, |
Security Management |
In rare scenarios, opening the Install Policy view times out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-41549, |
Security Management |
QoS policy cannot be installed if the policy package name contains a dot symbol. |
PRJ-48818, |
Security Management |
In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report. |
PRJ-47967, |
Security Management |
In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178. |
PRJ-48788, |
Security Management |
SmartConsole may unexpectedly close after clicking "Install Policy" while the Compliance blade is running a full scan. |
PRJ-49226, |
Security Management |
In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.
|
PRJ-48442, |
Security Management |
The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined. |
PRJ-45899, |
Security Management |
In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920. |
PRJ-44801, |
Security Management |
In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file. |
PRJ-48371, |
Security Management |
The "crldp_initialized" and "crldp_name" keys may be missing in the registry after running promote_util. |
PRJ-45783, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-47259, PRJ-47236, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-43290, |
Security Management |
In rare scenarios:
|
PRJ-46783, |
Security Management |
In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install. |
PRJ-48201, |
Security Management |
Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole. |
PRJ-48038, |
Security Management |
An audit log may not be created after running Revert to Revision. |
PRJ-49371, |
Security Management |
In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460. |
PRJ-49196, |
Security Management |
In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated. |
PRJ-48382, |
Security Management |
In SmartConsole, export of policies with the "Hit count" column may get stuck. |
PRJ-48692, |
Security Management |
Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user. |
PRJ-46411, |
Security Management |
The Security Gateway may listen to the ports used by NAT. |
PRJ-50359, |
Security Management |
In multi-site environments, when using LDAP administrators configured on an external LDAP Server and logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status. |
PRJ-50817, |
Security Management |
In some scenarios, if a DAIP Gateway is registered to a VPN Community:
|
PRJ-49715, |
Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-48705, |
Security Management |
In some scenarios, in High Availability Security Management Server environments, there may be an increase of the database on the Security Management Server. |
PRJ-49884, |
Security Management |
Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report. |
PRJ-48162, |
Security Management |
The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field. |
PRJ-42955, |
Security Management |
Application Control and IPS updates may take a long time. |
PRJ-45441, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-48795, PRJ-48796 |
Multi-Domain Security Management |
When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects. |
PRJ-49480, |
Multi-Domain Management |
When viewing Subordinate CA objects in SmartConsole:
The fix requires installing SmartConsole R81.20 Build 651 (or higher). |
PRJ-47039, |
Multi-Domain Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses. |
PRJ-49715, PRHF-30513 |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-46105, |
Multi-Domain Security Management |
In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983. |
PRJ-43692, |
Multi-Domain Management |
Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy. |
PRJ-51427, |
Web SmartConsole |
Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6. |
PRJ-46436, |
SmartProvisioning |
After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.
|
PRJ-47343, |
SmartView |
In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message. |
PRJ-47470, |
CPUSE |
Tasks in SmartConsole may end unexpectedly during the Jumbo/major version upgrade operation. |
PRJ-50726, |
SD-WAN |
After Jumbo Hotfix Accumulator installation, the connection in the IoT environment stays down. |
PRJ-45325, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-45041, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-48341, |
Logging |
In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field. |
PRJ-46742, |
Logging |
In some scenarios, implied rules are not logged for clusters. |
PRJ-47220, |
Logging |
The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs. |
PRJ-46702, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-44208, |
Logging |
Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields. |
PRJ-47809, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-46841, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection blade may fail. |
PRJ-46187, |
Logging |
When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows that the Security Gateway is disconnected and the Log Server cannot be reached, although logs are sent. |
PRJ-48728, |
Logging |
In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud. |
PRJ-45607, |
Logging |
In some scenarios, in the Logs view, the "Destination" field may be missing. The issue is only cosmetic. |
PRJ-49141, SL-7477 |
Logging |
In some scenarios, in a Quantum Smart-1 Cloud environment, login to SmartView may fail. |
PRJ-48272, |
Security Gateway |
Following the installation of R81.20 Jumbo Hotfix Accumulator Take 26, it is impossible to configure a new Maestro group via the Gaia Portal. |
PRJ-51226, |
Security Gateway |
In some scenarios, policy installation may fail. The fwk.elg and the dmd.elg files show correlating errors. |
PRJ-45694, |
Security Gateway |
The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail. |
PRJ-49865, |
Security Gateway |
Approximately 24 hours after a reboot, memory utilization, which starts at 30-40%, reaches 80%. This leads to issues with loading web pages and may cause an outage. |
PRJ-46482, |
Security Gateway |
The output of the "cpstat os -f cpu" command may be incorrect. Refer to sk180966. |
PRJ-48810, |
Security Gateway |
VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481. |
PRJ-48023, |
Security Gateway |
In some scenarios, when IPS is enabled, CPU spikes may occur. |
PRJ-48823, |
Security Gateway |
In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway. |
PRJ-41968, |
Security Gateway |
When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected. |
PRJ-47149, |
Security Gateway |
Enlarging the MTU may cause even small packets to be allocated as Jumbo frames. This impacts the performance of the SND CPUs. |
PRJ-47210, |
Security Gateway |
When running the tp_collector tool, the FW_FULL process may unexpectedly exit. |
PRJ-44702, |
Security Gateway |
In rare scenarios, the WSDNSD process may restart because of an internal error. |
PRJ-48154, |
Security Gateway |
Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet. |
PRJ-47304, |
Security Gateway |
The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages, with no impact on connectivity. Refer to sk181281. |
PRJ-47521, |
Security Gateway |
After installing a policy, because of high latency, the Security Gateway may delete a connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped. |
PRJ-47332, |
Security Gateway |
When using the "cpstop" command on the Security Gateway, the fw_full core may be generated. |
PRJ-46378, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-47269, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-44856, |
Security Gateway |
Web Security parsing error "illegal header format detected: Missing quotation mark" occurs for a content-disposition header that contains a filename* parameter or an unquoted parameter. |
PRJ-47326, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus blade. |
PRJ-45341, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-47371, |
Security Gateway |
The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted. |
PRJ-43857, |
Security Gateway |
The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX. |
PRJ-45484, |
Security Gateway |
Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command. |
PRJ-44619, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-47559, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47603, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-46838, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-47637, |
Threat Prevention |
The output of the "fw amw unload" command shows that the policy gets unloaded; however, CPView still shows that the blades are enabled. Refer to sk181148. |
PRJ-43728, |
Threat Prevention |
In some scenarios, the CIFS parser is triggered when it is not needed. As a result, the Security Gateway does not fully accelerate the SMB traffic. |
PRJ-48847, |
Threat Prevention |
Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented. |
PRJ-44692, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import Custom Intelligence feeds. |
PRJ-46720, |
Threat Prevention |
Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure. |
PRJ-44767, |
Threat Prevention |
Fetching of Custom Intelligence feeds fails when no proxy is configured on the Security Gateway. |
PRJ-46118, |
Threat Emulation |
Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus blade performance. |
PRJ-48192, |
Threat Prevention |
Anti-Virus blade fails to parse external Custom Intelligence feeds that contain specific delimiters. |
PRJ-48745, |
Threat Prevention |
Anti-Virus fails to block Custom Intelligence feeds that contain percent-encoding. |
PRJ-50556, |
Threat Prevention |
In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process. |
PRJ-48430, |
Threat Prevention |
Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy. |
PRJ-48268, |
Threat Prevention |
URL observables with question marks "?" are not parsed correctly by the Threat Prevention Custom Intelligence feeds feature. Refer to sk181367. |
PRJ-49009, PMTR-92233 |
Threat Prevention |
In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update. |
PRJ-45902, |
Threat Prevention |
The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied. |
PRJ-46905, |
Threat Prevention |
Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039. |
PRJ-48087, |
Threat Prevention |
An outage may occur when an unsupported SSH cipher is selected. |
PRJ-47447, |
Threat Prevention |
When configuring Custom Intelligence feeds from the management:
|
PRJ-46759, |
Identity Awareness |
The ida_tables_util tool may fail with the "bad adress" error. |
PRJ-47442, |
Identity Awareness |
In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation. |
PRJ-48275, |
Identity Awareness |
There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417). |
PRJ-49045, |
DLP |
The DLP process may unexpectedly exit during policy installation. |
PRJ-49898, |
SSL Inspection |
In rare scenarios, the WSTLSD process may unexpectedly exit and create core dump files. |
PRJ-47065, |
Application Control |
When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur. |
PRJ-45721, |
Application Control |
Policy installation fails when a custom application and user category have the same name. |
PRJ-46199, |
Application Control |
CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186. |
PRJ-47750, |
IPS |
In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
PRJ-47555, |
Anti-Virus |
Loading a large Custom Intelligence feed may fail. Refer to sk181158. |
PRJ-45837, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47936, |
Anti-Virus |
When transferring many files, SMB traffic may freeze while scanned by Anti-Virus blade. |
PRJ-48128, |
Anti-Virus |
A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol. |
PRJ-47785, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-48973, |
Anti-Virus |
When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked. |
PRJ-47240, |
Anti-Virus |
Some websites may be unreachable when one of the Threat Prevention Blades is in Hold mode. |
PRJ-50430, |
Anti-Bot |
In rare scenarios, when the IPS or Anti-Bot Blades are enabled, Threat Prevention logs with packet captures appear in SmartConsole without details. |
PRJ-47183, |
SSL Inspection |
The Security Gateway may fail to enforce certificate blacklisting. |
PRJ-47204, |
Mobile Access |
When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols. |
PRJ-47108, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-43928, |
ClusterXL |
Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055. |
PRJ-44276, |
ClusterXL |
A Standby member may initiate an FTP data connection, although it should be sent from the Active member. As a result, the connection is terminated. Refer to sk180531. |
PRJ-45199, |
ClusterXL |
In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection". |
PRJ-43607, |
ClusterXL |
When interfaces disconnect/connect on both members at the same time, it may cause a failover. |
PRJ-49758, |
SecureXL |
Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces. |
PRJ-50927, |
SecureXL |
When attempting to route packets to unresponsive hosts, the CPU utilization may be high. |
PRJ-44735, |
SecureXL |
The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646. |
PRJ-51290, |
SecureXL |
In some scenarios, traffic may not pass through a Virtual System on a VSX Security Gateway when it originally came through a Virtual Switch and User Mode (UPPAK) was enabled. |
PRJ-49960, |
Routing |
During the processing of PIM Join-Prune messages, the absence of prior (*,G) state prevents the processing of (S,G) joins for the same group, even when present in the message. |
PRJ-49237, |
Routing |
When one of the multiple PIM neighbors goes down on the LAN, there may be outages in multicast traffic. |
PRJ-47488, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-43249, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-47802, |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come up. |
PRJ-47941, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48118, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-46901, |
Routing |
The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces. |
PRJ-51184, |
Routing |
Adding an IPv6 OSPFv3 interface in WebUI may fail when SecureXL UPPAK mode is enabled. |
PRJ-42940, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-42959, |
VPN |
When SCV is enabled, Capsule Connect / Capsule VPN clients may fail to access internal resources. |
PRJ-45128, |
VPN |
Back connection does not function on the Statically NATed Office Mode address as expected. |
PRJ-51016, |
VPN |
In a rare scenario, all the IKED processes exit approximately once an hour without core or log indicating that it was triggered by the FWD/CPWD process exit. Refer to sk181643. |
PRJ-46261, |
VPN |
The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857. |
PRJ-46295, |
VPN |
Users that were moved from one AD group to another group are still shown in both access role groups when running the "pdp monitor" command. Refer to sk181429. |
PRJ-47493, |
VPN |
Potential VPN outage during policy installation. |
PRJ-43907, |
VPN |
When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established. |
PRJ-47878, |
Multi-Portal |
The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication. |
PRJ-46919, |
Multi-Portal |
The MPDAEMON process may be persistently down, even post reboot. |
PRJ-50313, |
Multi-Portal |
A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway. |
PRJ-43879, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-50953, |
VSX |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router. |
PRJ-51077, |
VSX |
When User Mode (UPPAK) is enabled, there may be performance loss when passing traffic through a Virtual Switch on a VSX Security Gateway. |
PRJ-51166, |
VSX |
In some scenarios, the VSX VSLS cluster cannot pass the traffic for up to twenty seconds after performing a failover and failback when User Mode (UPPAK) is enabled. |
PRJ-47838, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-47797, |
VSX |
A memory leak may occur in the CPD process. |
PRJ-44301, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed. |
PRJ-44269, |
VSX |
Vsx_util upgrade or downgrade validation fails on Virtual Systems where policy was never installed. |
PRJ-47399, |
VSX |
When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown. |
PRJ-46972, |
Gaia OS |
Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249. |
PRJ-46276, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47774, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-44371, |
Gaia OS |
SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link status changes. |
PRJ-46021, |
Gaia OS |
The SNMPD process memory consumption may be high, which causes the process to become unresponsive. |
PRJ-46284, |
Harmony Endpoint |
Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device. |
PRJ-46852, |
Harmony Endpoint |
Because of a rare race condition, AD scanners may get stuck in the initializing state with "ERROR ajp-nio2-127.0.0.1-8009-exec-96 - Failed to enumerate scanner instances for SF-DC2.mapro.cat, scanner instance788b7398-5a79-91fb-6f68-137813a5556e (UsmDSConfigResponder)java.lang.NumberFormatException". |
PRJ-48876, |
Harmony Endpoint |
|
PRJ-43572, |
Harmony Endpoint |
After the Deploy New Endpoint push operation completes successfully, the list of target devices may change to "None". It is then not possible to delete this push operation manually; a "Sorry, we had an API issue during request" message is printed. |
PRJ-46803, |
Harmony Endpoint |
In rare scenarios, SmartConsole gets disconnected when making changes. |
PRJ-47056, |
Harmony Endpoint |
Some devices added to a Virtual Group from the SmartEndpoint Reporting tab do not receive the assigned policy. |
PRJ-43045, |
Harmony Endpoint |
E2 engine may send an incorrect value of datDate in sync request. |
PRJ-48257, |
Harmony Endpoint |
The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package. |
PRJ-51660, |
Harmony Endpoint |
|
PRJ-47900, |
CloudGuard Network |
Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed. |
PRJ-47735, |
CloudGuard Network |
After an upgrade, Azure Gov mapping may fail. |
PRJ-43610, |
VoIP |
When a SIP agent implements a keep-alive mechanism that does not follow the RFC, each message arrives with a different tag in the "From" header. This may increase memory consumption on the Security Gateway, and these messages may be dropped once they hit the defined limit (the "sim_max_reinvite" parameter). |
PRJ-43719, |
VoIP |
After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-48851, |
Scalable Platforms |
In a Maestro Orchestrator environment, the "orch_stat -p" command may return the "invalid literal for int() with base 10" error message. |
PRJ-50121 |
Scalable Platforms |
After enabling the Maestro Fastforward feature, policy installation on a Maestro Security Group may fail in SmartConsole with "Maestro acceleration (MXL) failed, reason: General error. Please check /var/log/acl_cli.log on the security group SMO for more details". Refer to sk181661. |
PRJ-49177, |
Scalable Platforms |
Reboot may take a long time. |
PRJ-50344, |
Scalable Platforms |
When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash. |
PRJ-50031, |
Scalable Platforms |
|
PRJ-46575, |
Scalable Platforms |
In a Maestro environment, LACP bond subordinates may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and subordinates is significantly high. |
PRJ-46246, |
Scalable Platforms |
In rare scenarios, when using the "chassis_admin" command, the "asg_chassis_admin | "/opt/CPsmos-R81.20/bin/asg_chassis_admin: line 192: [[: |: syntax error: operand expected (error token is "|")" output may be printed. This is only cosmetic and does not prevent performing site failover. |
PRJ-50346, |
Scalable Platforms |
In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash. |
PRJ-44501, |
Scalable Platforms |
Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file. |
PRJ-48213, |
Scalable Platforms |
In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail. |
PRJ-47641, |
Scalable Platforms |
In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log. |
PRJ-47864, ACCHA-3317 |
Scalable Platforms |
Accessing the SMO WebUI and performing configuration changes may fail with the "Error in acquiring buffer of member info (-1)" error. |