R81.20 Jumbo Hotfix Take 70
Note - This Take contains all fixes from all earlier Takes. |
ID |
Product |
Description |
---|---|---|
Take 70 Released on 1 July 2024 |
Take 70 - New Functionality
PRJ-51436, |
SSL Inspection |
NEW: Added ability to import PKCS#12 files using AES-256-CBC encryption with PBKDF2-HMAC-SHA-256. This enhancement is designed for use in multi-portal environments and HTTPS Inspection scenarios. |
PRJ-53699, |
Security Management |
NEW:
|
PRJ-50184, PRHF-29458 |
Threat Prevention |
NEW: This Jumbo Hotfix Accumulator Take introduces enhanced protection against zero-day attacks. It detects and blocks advanced malware variants by automatically analyzing and identifying communication patterns. The feature is disabled by default. Refer to sk181168. |
PRJ-52856, |
CloudGuard Network |
NEW: Added support for AWS Elastic Network Interfaces (ENIs). These ENIs can now be viewed and managed in SmartConsole, similar to how other supported Data Center objects are handled. The feature is disabled by default. Refer to R81.20 CloudGuard Controller Administration Guide > Supported Data Centers > CloudGuard Controller for Amazon Web Services (AWS). |
PRJ-48744, PMTR-94089 |
SmartConsole |
NEW: Added support for 3072-bit key size in IKE certificates. To use a 3072-bit key size, refer to the "HTTPS Portals (Multi-Portal) Certificate, VPN Certificate" section in sk96591. |
Take 70 - Improvements and Resolved Issues
PRJ-49174, |
Security Management |
UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877. |
PRJ-52448, |
Security Management |
UPDATE: Added the ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033. |
PRJ-52065, |
SmartConsole |
UPDATE: The SmartConsole Change Report now highlights changes to the disable/enable state of rules more clearly. |
PRJ-53113, |
Security Management |
UPDATE: In the Change Report, updated some portions of the translated GUI. |
PRJ-48160 |
SmartView |
UPDATE: In SmartView Report, the Security Checkup tool now also provides the IoT data. |
PRJ-49861, PMTR-95625 |
CPView |
UPDATE: Added the "SecureXL" filter to the "cpview -m -f" command, which allows extracting all information related to SecureXL drops to Skyline. Refer to the Skyline Metrics Repository. |
PRJ-51125, |
Security Gateway |
UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921. |
PRJ-51975, |
SSL Inspection |
UPDATE: If inspection logging is configured, the "Inspect" log now displays the negotiated ciphers and TLS version used for successful inspections, both between the client and the Security Gateway, and between the Security Gateway and the Server. |
PRJ-48389, PMTR-93901 |
Threat Prevention |
UPDATE: It is now possible to disable a custom field in the IoC feed configuration. Refer to the Management API Reference. |
PRJ-52400, |
SecureXL |
UPDATE: The DOS/Rate Limiting feature can now run in SecureXL User Mode (UPPAK) environments without LightSpeed, allowing IoC Feeds that use it for enforcement to function properly. |
PRJ-53892, |
SecureXL |
UPDATE: The UPPAK startup script now allocates additional memory buffers for handling Jumbo Frames, based on the Security Gateway configuration. |
PRJ-48177, |
Mobile Access |
UPDATE: jQuery UI is upgraded to version 1.13.2. |
PRJ-51701, |
Harmony Endpoint |
UPDATE: The audit event information when adding or removing Virtual Group members is now unified. The data includes the administrator name and device/user names for both actions. Previously:
|
PRJ-52863, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region. |
PRJ-51248, |
CloudGuard Network |
UPDATE: The AWS Security Group Data Center object name now includes both the name tag and Security Group name, formatted as "ID <Name tag> <Security Group name>". Previously, only the name tag was included, with the format "ID <Name tag>". This change to include the Security Group name can be enabled by adding the setting "aws.supportSearchGroupName=true" in the vsec.conf file. |
PRJ-53526, |
Gaia OS |
UPDATE: Added Multi-Queue support for Microsoft Azure Network Adapter (MANA) accelerated network interfaces. |
PRJ-50751, PMTR-96420 |
Infrastructure |
UPDATE: Added Python 3.11.4. |
PRJ-54099, PRJ-54459, PRJ-55301, PRJ-55687, ODU-1779, ODU-1755, ODU-1731, ODU-1667 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 100, Take 102, Take 104 and Take 111 via self-updatable package. Refer to sk170314. |
PRJ-54688, ODU-1707 |
Automatic Updates - CPView |
UPDATE: Added Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-54173, ODU-1683 |
Automatic Updates - CPSDC |
UPDATE: Added Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-54177, PRJ-55582, ODU-1803, ODU-1659 |
Automatic Updates - HCP |
UPDATE: Added Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53341, PRHF-32639 |
Security Management |
When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string" error. |
PRJ-50767, |
Security Management |
In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed. |
PRJ-51619, |
Security Management |
Deleting a domain may fail when using the createDomainRecovery.sh script. |
PRJ-50593, |
Security Management |
High Availability synchronization runs after every scheduled Application Control update, even if the Application Control is up to date. |
PRJ-51596, |
Security Management |
In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822. |
PRJ-52817, |
Security Management |
If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report. |
PRJ-49362, |
Security Management |
There may be synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Server when a newly created local administrator on the backup Security Management Server makes changes to rules or objects, after the Active role is switched to that Security Management Server. |
PRJ-50019, |
Security Management |
It may not be possible to add/set a Threat Prevention Exception with a protection-or-site UID. |
PRJ-53349, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file. |
PRJ-50999, |
Security Management |
Install Policy Presets may fail after purging all revisions. Refer to sk181652. |
PRJ-52012, |
Security Management |
In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886". sk178886 describes a different scenario and does not resolve the issue. |
PRJ-54095, |
Security Management |
In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-53731, |
Security Management |
The Change Report may allow listing of certain directory contents. |
PRJ-55502, PRHF-34248 |
Security Management |
A memory leak may occur in the FWM process which leads to SmartConsole connection failures. |
PRJ-49583, |
Security Management |
In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted. |
PRJ-51507, |
Security Management |
The on-premises Security Management Server fails to connect to Infinity Portal when this Server has a proxy configured. |
PRJ-53472, |
Security Management |
In Multi-Domain Security Management environments, High Availability synchronization issues may arise after making and publishing changes through the SmartTasks feature in SmartConsole for a local Domain. |
PRJ-52825, PMTR-100459 |
Security Management |
On the Security Management Server, a CPD zombie process may be created. |
PRJ-51633, |
Security Management |
In rare scenarios, after an upgrade or a Domain migration:
|
PRJ-51696, |
Security Management |
After a global assignment, when installing policy on several installation targets at once, the log may show an incorrect rule name. |
PRJ-51514, |
Security Management |
The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt. |
PRJ-51205, |
Security Management |
If all revisions were purged on the Security Management Server, the "show packages details-level full" Management API call may fail. |
PRJ-51543, |
Security Management |
Enabling automatic updates of Trusted CAs as described in sk173629 may fail. |
PRJ-50373, |
Security Management |
When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message. |
PRJ-41781, |
Security Management |
In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view. |
PRJ-52879, |
Security Management |
In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages. |
PRJ-52791, |
Security Management |
In rare scenarios, High Availability synchronization fails with "Peer is busy". |
PRJ-51677, |
Security Management |
Global Assignment fails with "Locked for editing by another administrator and need to be published or discarded before the operation can take place". Refer to sk181807. |
PRJ-49667, |
Security Management |
The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks. |
PRJ-51505, PMTR-98271 |
Security Management |
After a Multi-Domain Security Management upgrade to R81.20 version, some Infinity Portal Services may stop working. |
PRJ-51085, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments with over two hundred administrators, Domain creation may fail with "Timeout expired while waiting for permissions calculation". |
PRJ-48396, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred". |
PRJ-51272, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails. |
PRJ-52970, |
Multi-Domain Security Management |
The "cprlic get" command output may not provide correct information about vSEC licenses. |
PRJ-52578, PMTR-99856 |
Multi-Domain Security Management |
In some scenarios, during an upgrade of a Multi-Domain Security Management Server, the "created by" and "date created" fields of some rules may be displayed as "system" and "date of the upgrade".
|
PRJ-51570, PMTR-90798 |
SmartConsole |
SmartConsole slowness when adding applications to rules. Refer to sk182063. |
PRJ-53275, |
SmartProvisioning |
The "show-lsm-gateways" Management API command returns LSM cluster objects besides the LSM Security Gateways. |
PRJ-53227, |
SmartProvisioning |
The Management API command "set-lsm-gateway" with the "sic.ip-address" parameter may fail with "Establish SIC failed. Reset SIC on gateway and try again." when resetting SIC. |
PRJ-52721, |
Logging |
Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options. |
PRJ-51148, |
Logging |
When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677. |
PRJ-51327, |
Logging |
In rare scenarios, after an upgrade, the LOG_EXPORTER process may fail to send the log files to SIEM or to the cloud. |
PRJ-53938, |
Logging |
In Quantum Smart-1 Cloud environments, exporting more than five thousand logs to CSV may fail. |
PRJ-51430, |
Logging |
In some scenarios, in Multi-Domain Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied. |
PRJ-44795, |
Logging |
In rare scenarios, the FWD process on the Security Gateway may run out of memory and produce a core dump file of around 3 GB. |
PRJ-54108, |
Logging |
In rare scenarios, the LOG_EXPORTER process fails to send logs but marks them as sent. |
PRJ-49790, |
Logging |
The "cpstat -h log server ip ls -f logging" command fails when running it from Security Management. |
PRJ-51525, SDWANGW-2060 |
Logging |
SD-WAN log information may be missing from SmartConsole connection log when SecureXL Templates are used. |
PRJ-52679, |
Security Gateway |
Running GTP traffic may cause a crash on a Security Gateway without a GTP license. |
PRJ-52725, |
Security Gateway |
In some rare cases, the Dynamic Split functionality may be disabled on VSX Gateways with Hyperflow enabled. When checking the status of Dynamic Balancing, the "Initiating shut-down due to state mismatch detection (reason dmd_sleep_status)" message is printed in the logs under $FWDIR/log/dsd.elg. |
PRJ-50576, |
Security Gateway |
There may be log entries related to the drop optimization feature, although the dropped traffic matches a non-logging rule. |
PRJ-55412, PRHF-34173 |
Security Gateway |
The CPD process may unexpectedly exit and create a core dump. |
PRJ-52521, |
Security Gateway |
The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process. |
PRJ-47672, PRJ-47668, |
Security Gateway |
When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries. |
PRJ-52952, |
Security Gateway |
Traffic outages may occur because of high utilization of CPU cores that run CoreXL SND instances. Refer to sk181996. |
PRJ-53850, |
Security Gateway |
In some scenarios, when SecureXL works in the User Space (UPPAK) mode, the VSX Security Gateway cluster members are not able to send and receive CCP packets correctly through a Virtual Switch. |
PRJ-51439, |
Security Gateway |
A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart. |
PRJ-53628, |
Security Gateway |
A memory issue may occur in a cluster environment, when SIP inspection is enabled. |
PRJ-48817, |
Security Gateway |
After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found". |
PRJ-41754, |
Security Gateway |
Some debug messages may appear in the /var/log/messages file, although the debug mode is not activated. The issue is cosmetic only. |
PRJ-49046, |
Security Gateway |
In rare scenarios, a file downloaded via HTTP may be corrupted. |
PRJ-52421, |
Security Gateway |
Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object. |
PRJ-51460, |
Security Gateway |
When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:
|
PRJ-47664, |
Security Gateway |
Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages. |
PRJ-50757, |
Security Gateway |
In a rare scenario, because of a memory allocation issue, the Security Gateway may crash and reboot. |
PRJ-48263, |
Security Gateway |
Notifications of SecureXL connection deletion appear unfiltered in the debug output, even when a debug filter is used. |
PRJ-51946, |
Security Gateway |
In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base. |
PRJ-51609, |
Security Gateway |
The ICAP Server may fail to initialize. |
PRJ-51039, PRHF-31146 |
Security Gateway |
The Security Gateway may crash during policy installation. |
PRJ-52796, |
Security Gateway |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router. |
PRJ-51528, |
Security Gateway |
Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are active. Refer to sk181793. |
PRJ-52564, |
Internal CA |
CRLs may not be recreated after cleaning expired certificates from the ICA database. |
PRJ-42871, |
Threat Prevention |
After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225. |
PRJ-53912, |
Threat Prevention |
SSH DPI may not work because of incorrect parsing of the client hello from a non-standard SSH client. |
PRJ-49031, |
Threat Prevention |
In a bond failover setup with the XOR bond mode, rapidly toggling the port states causes the switch to display incorrect "connected" port statuses for both ports, although one port is actually down, leading to a non-functioning bond interface. |
PRJ-53458, |
Threat Prevention |
Installation of Threat Prevention Policy fails with the error "No profile defined on GW <Name of Security Gateway Object>" in this scenario:
|
PRJ-53091, PMTR-98503 |
Threat Prevention |
The "ioc_feeds" CLI command with the "--transport local_directory" argument may fail to load feeds. |
PRJ-53404, PMTR-101787 |
Threat Prevention |
No feedback form appears when disabling the Zero Phishing Blade, although it should. |
PRJ-51335, |
Identity Awareness |
When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access. |
PRJ-49436, |
Identity Awareness |
In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers. |
PRJ-52371, |
Identity Awareness |
After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946. |
PRJ-52793, |
Identity Awareness |
In some scenarios, access roles using packet tagging are not calculated correctly for new sessions. Refer to sk182009. |
PRJ-50584, |
Identity Awareness |
During policy installation, users authenticated using the Captive Portal may get disconnected. |
PRJ-52873, |
Identity Awareness |
User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation. |
PRJ-50514, |
Identity Awareness |
In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration. |
PRJ-52541, |
IPS |
In a rare scenario, Security Gateway may drop client-to-server web browsing traffic. |
PRJ-50805, |
IPS |
There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade. |
PRJ-51183, |
Anti-Virus |
Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures. |
PRJ-53572, |
Anti-Virus |
In a rare scenario, the Security Gateway crashes due to memory corruption caused by the Anti-Virus blade. |
PRJ-53125, |
Anti-Virus |
The DLPU process may frequently exit with a core dump file. |
PRJ-52048, PRHF-31811 |
Mobile Access |
SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805. See the Important Notes section. |
PRJ-42809, |
ClusterXL |
Cluster members may crash, generating vmcores in /var/log/crash. |
PRJ-51588, |
ClusterXL |
The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster. |
PRJ-50117, |
ClusterXL |
In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also. |
PRJ-52799, |
SecureXL |
The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list. |
PRJ-44520, |
SecureXL |
Multicast packets received on an interface with PIM disabled can cause multicast packet drops on other interfaces by filling up the kernel routing queue. |
PRJ-52802, |
SecureXL |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch. |
PRJ-51210, PRHF-31259 |
SecureXL |
In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer. |
PRJ-50856, |
SecureXL |
There may be a delay in enforcing DOS/Rate Limiting rules to drop packets when concurrent connection limits are exceeded. |
PRJ-51622, |
SecureXL |
In some scenarios, fragmented ICMP packets may bypass the DOS/Rate Limiting deny list. |
PRJ-52806, |
SecureXL |
In some scenarios when Route based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address. |
PRJ-54530, PRHF-33850 |
SecureXL |
Policy installation on a Security Gateway running with SecureXL User Mode (UPPAK) fails with the "2000240" or "2000267" error code. Refer to sk182272. |
PRJ-53479, |
SecureXL |
Entering Maintenance Mode during the boot process may result in disabling SecureXL User Mode (UPPAK). |
PRJ-52859, |
SecureXL |
In some scenarios, when SecureXL User Mode (UPPAK) is enabled, the Security Gateway crashes during boot up. |
PRJ-53253, |
SecureXL |
When SecureXL User Mode (UPPAK) is enabled, there may be some increased latency when sending cleartext traffic between a Virtual System and a Virtual Router. |
PRJ-53061, |
SecureXL |
During the deny list update process, there is a temporary gap where no IP addresses are blocked, allowing unwanted traffic to pass through the Security Gateway unfiltered. |
PRJ-52663, |
SecureXL |
DOS/Rate Limiting commands that require a change from default configuration are not allowed to run in SecureXL User Mode (UPPAK). "ERROR: fwaccel_dos: DOS features are not supported for SecureXL User Space Mode with LightSpeed" is printed in the /var/log/messages file. |
PRJ-55396, PMTR-104268 |
SecureXL |
A race condition may occur in a large-scale VSX Cluster environment when SecureXL User Mode (UPPAK) is enabled. |
PRJ-53856, |
Routing |
A ROUTED process assertion failure may occur when an LSA from a neighbor's retransmission list is freed, if that LSA belongs to the max age hold tree that is flooded at max age. |
PRJ-53172, |
Routing |
The ROUTED process may unexpectedly exit because of an OSPF assertion failure. |
PRJ-53054, ROUT-2968 |
Routing |
BGP peers may experience timeouts when these conditions occur simultaneously:
|
PRJ-52734, |
Routing |
In networks where multicast groups are manually configured through IGMP, outages may occur if only one membership report is received for a specific <S,G> pair and no further reports follow. |
PRJ-52659, PRJ-52656, PRHF-31977 |
Routing |
Cluster failover may occur when the ROUTED process unexpectedly exits because of a memory leak, generating a core dump file. |
PRJ-53057, |
Routing |
In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization. |
PRJ-51260, |
Routing |
It may not be possible to propagate a newly added static route through OSPF. |
PRJ-51983, |
Routing |
When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing. |
PRJ-53569, |
Routing |
In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor. |
PRJ-48210, |
VPN |
IKEv2 Remote Access stability issues. |
PRJ-47953, |
VPN |
Establishing an IKEv2 tunnel with Cross AZ Cluster may fail. |
PRJ-53384, |
VPN |
IPv6 non-VPN traffic may be dropped with "Clear text packet should be encrypted". |
PRJ-53178, |
VPN |
In a rare scenario, while connecting an SNX client, the VPND process may exit. |
PRJ-52830, |
VPN |
In a rare scenario, in a Maestro environment, the first packet of the VPN tunnel is lost or has a large delay. |
PRJ-52514, |
VPN |
In Cross-AZ clusters, when using probing-based link selection for High Availability and Load Sharing, there may be a potential VPN traffic outage. Refer to sk181909. |
PRJ-54241, PMTR-103618 |
VPN |
In a VPN Community with a configuration involving two Security Gateways (a Center Cluster and a Satellite Security Gateway) with IPv6 external and internal interfaces, when attempting to establish a Link Selection Star community between them, the VPN process may unexpectedly exit due to repetitive IKE core crashes on one of the Security Gateways while the other Security Gateway tries to establish a tunnel, resulting in connectivity issues. |
PRJ-52949, |
VPN |
When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues. |
PRJ-44265, |
VPN |
The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic. |
PRJ-51297, PMTR-97905 |
VSX |
When adding a new Virtual System, a CPD core dump file may be generated. |
PRJ-52509, |
Gaia OS |
When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file. |
PRJ-52724, |
Gaia OS |
The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922. |
PRJ-53486, |
Gaia OS |
Some valid interfaces may not be available when running the "set lldp interface" command. |
PRJ-53195, |
Gaia OS |
In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory. |
PRJ-52886, |
Gaia OS |
Disabling a bond with one interface from WebUI may fail. |
PRJ-54180, |
Gaia OS |
Removing the unused built-in user called "cp_ender" that may appear in Gaia OS after an upgrade. Refer to sk182185. |
PRJ-51441, |
Harmony Endpoint |
Clients may not be assigned to default groups after adding a device to the AD Server. |
PRJ-50572, |
Harmony Endpoint |
In an on-premises environment, large Active Directory groups with more than 1500 members appear empty or have incomplete membership information. |
PRJ-52129, |
Harmony Endpoint |
When attempting a one-time login for a migrated client in the Infinity Portal, the request fails with "400 error" caused by duplicate |
PRJ-51292, |
Harmony Endpoint |
In some scenarios, Unified Endpoint Policy Management (UEPM) database upgrade fails or takes a long time during the scripts stage. |
PRJ-51138, |
Harmony Endpoint |
When duplicate users with the same name and domain exist in the database or Active Directory, FDE Pre-boot authentication on LAN may fail because the user attempting to log in cannot be identified. |
PRJ-53431, |
Harmony Endpoint |
SmartEndpoint creates an empty "Policy Report" CSV file. |
PRJ-50589, |
CloudGuard Network |
In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail. |
PRJ-50638, |
CloudGuard Network |
CloudGuard Controller synchronizes cloud object configurations with a noticeable latency, reflecting the updates made to those objects in the cloud environment after a significant time delay. |
PRJ-51302, |
Scalable Platforms |
When using NAT64 rules, Server to Client traffic may be dropped because of the "Out of state" error. |
PRJ-47396, |
Scalable Platforms |
Excessive CPU usage occurs on a Maestro Security Group because of exhaustion of available NAT ports when traffic is subjected to NAT and Layer 4 (L4) load distribution is enabled. Refer to sk181925. |
PRJ-53832, PMTR-73771 |
Scalable Platforms |
Before enabling MDPS, CoreXL Dynamic Balancing (sk164155) must be disabled. |
PRJ-52644, |
Scalable Platforms |
After a failover scenario, the "m site-id member-id" command requires reauthentication. |
PRJ-53083, |
Scalable Platforms |
Redundant "MHO_stateAgent[3230]: QuidAddon: System not ready yet - attempting to re-init" messages in the /var/log/messages file. |
PRJ-52883, |
Scalable Platforms |
When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are. |
PRJ-53622, |
Scalable Platforms |
The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members). |
PRJ-44133, |
Scalable Platforms |
Member state may flap between Active and Ready. |
PRJ-46223, |
Scalable Platforms |
During site failover, IPv6 traffic that goes through the Warp interface may be interrupted. |
PRJ-50827, |
Scalable Platforms |
In a rare scenario, file system corruption may lead to a failure identifying the Maestro Orchestrator hardware model during the Maestro Orchestrator OS boot process, causing the boot to fail. |
PRJ-44136, |
Scalable Platforms |
If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues. |
PRJ-46793, |
Scalable Platforms |
An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and therefore may differ between members. |
PRJ-52532, PMTR-99841 |
Scalable Platforms |
After dynamic routing manager failure and recovery, connections are dropped with a log message "TCP out of state: First packet isn't SYN". Refer to sk181874. |
PRJ-51186, PMTR-97932 |
Scalable Platforms |
In a rare scenario, when a Maestro Security Gateway is active again after a reboot, and LightSpeed is used, the LACP bond may drop incoming and outgoing packets. |
PRJ-55570, PMTR-105246 |
Scalable Platforms |
Traffic outage after policy installation on a Maestro Security Group in the VSX mode that works in the Dual Site configuration. Refer to sk182379. |
PRJ-55518, PMTR-105145 |
Scalable Platforms |
• On Quantum Maestro/Chassis or in ClusterXL, the Security Gateway may crash while processing a VPN/correction flow with a vmcore in /var/log/crash or FWK core in /var/log/dump/usermode/. • The "kernel: xxxxx: tx_timeout" error is printed in /var/log/messages. • PSL drops packets with the "PSL Drop: psl_build_pslip failed" message, potentially impacting network performance and streaming capabilities. Refer to sk182463. See the Important Notes section. |