R81.20 Jumbo Hotfix Take 70

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 70

Released on 1 July 2024

Take 70 - New Functionality

 

PRJ-51436,
PMTR-98141

SSL Inspection

NEW: Added the ability to import PKCS#12 files encrypted with AES-256-CBC and PBKDF2-HMAC-SHA-256 (the PBES2 scheme). This is intended for Multi-Portal environments and HTTPS Inspection.

PRJ-53699,
PMTR-101481

Security Management

NEW:

  • The Gaia API proxy in the Management API now supports VSX Gateways, from both the Multi-Domain Security Management Server and the Security Management Server. Refer to Management API Reference.

  • This release also resolves issues that occur when using Multi-Portal Blades with internally issued certificates and third-party certificates.

PRJ-50184,

PRHF-29458

Threat Prevention

NEW: This Jumbo Hotfix Accumulator Take introduces enhanced protection against zero-day attacks. It detects and blocks advanced malware variants by automatically analyzing and identifying communication patterns. The feature is disabled by default. Refer to sk181168.

PRJ-52856,
PRHF-32233

CloudGuard Network

NEW: Added support for AWS Elastic Network Interfaces (ENIs). These ENIs can now be viewed and managed in SmartConsole, similar to how other supported Data Center objects are handled. The feature is disabled by default. Refer to R81.20 CloudGuard Controller Administration Guide > Supported Data Centers > CloudGuard Controller for Amazon Web Services (AWS).

PRJ-48744,

PMTR-94089

SmartConsole

NEW: Added support for a 3072-bit key size in IKE certificates. To use a 3072-bit key size, refer to the "HTTPS Portals (Multi-Portal) Certificate, VPN Certificate" section in sk96591.

Take 70 - Improvements and Resolved Issues

 

PRJ-49174,
PRHF-30294

Security Management

UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877.

PRJ-52448,
PRHF-31852

Security Management

UPDATE: Added the ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033.

PRJ-52065,
PMTR-99262

SmartConsole

UPDATE: The SmartConsole Change Report now highlights changes to the disable/enable state of rules more clearly.

PRJ-53113,
PMTR-101354

Security Management

UPDATE: In the Change Report, updated some portions of the translated GUI.

PRJ-48160

SmartView

UPDATE: In SmartView Report, the Security Checkup tool now also provides the IoT data.

PRJ-49861,

PMTR-95625

CPView

UPDATE: Added the "SecureXL" filter to the "cpview -m -f" command, which exports all information related to SecureXL drops to Skyline. Refer to the Skyline Metrics Repository.

PRJ-51125,
PRHF-31302

Security Gateway

UPDATE: Added the ability to increase the instance processing queue size by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921.

PRJ-51975,
CRYPTOIS-3027

SSL Inspection

UPDATE: If inspection logging is configured, the "Inspect" log now displays the negotiated ciphers and TLS version used for successful inspections, both between the client and the Security Gateway, and between the Security Gateway and the Server.

PRJ-48389,

PMTR-93901

Threat Prevention

UPDATE: It is now possible to disable a custom field in the IoC feed configuration. Refer to Management API Reference.

PRJ-52400,
ACCHA-3762

SecureXL

UPDATE: The DOS/Rate Limiting feature can now run in SecureXL User Mode (UPPAK) environments without LightSpeed, so IoC Feeds that use it for enforcement function properly.

PRJ-53892,
PMTR-101528

SecureXL

UPDATE: The UPPAK startup script now allocates additional memory buffers for handling Jumbo Frames, based on the Security Gateway configuration.

PRJ-48177,
PMTR-95781

Mobile Access

UPDATE: jQuery UI is upgraded to version 1.13.2.

PRJ-51701,
PRHF-31790

Harmony Endpoint

UPDATE: The audit event information when adding or removing Virtual Group members is now unified. The data includes the administrator name and device/user names for both actions.

Previously:

  • When removing an object, the name of the administrator who performed the operation and the device/user name were shown.

  • When adding an object, the administrator name was not shown and there was an ID list instead of the user or device names.

PRJ-52863,
PMTR-100872

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region.

PRJ-51248,
PMTR-98059

CloudGuard Network

UPDATE: The AWS Security Group Data Center object name now includes both the name tag and Security Group name, formatted as "ID <Name tag> <Security Group name>".

Previously, only the name tag was included, with the format "ID <Name tag>".

The new format is enabled by adding the setting "aws.supportSearchGroupName=true" to the vsec.conf file.

PRJ-53526,
PMTR-100166

Gaia OS

UPDATE: Added Multi-Queue support for Microsoft Azure Network Adapter (MANA) accelerated network interfaces.

PRJ-50751,

PMTR-96420

Infrastructure

UPDATE: Added Python 3.11.4.

PRJ-54099,

PRJ-54459,

PRJ-55301,

PRJ-55687,

ODU-1779,

ODU-1755,

ODU-1731,

ODU-1667

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 100, Take 102, Take 104 and Take 111 via self-updatable package. Refer to sk170314.

PRJ-54688,

ODU-1707

Automatic Updates - CPView

UPDATE: Added Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-54173,

ODU-1683

Automatic Updates - CPSDC

UPDATE: Added Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-54177,

PRJ-55582,

ODU-1803,

ODU-1659

Automatic Updates - HCP

UPDATE: Added Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-53341,

PRHF-32639

Security Management

When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string&CURRENTVERCMP" error.

PRJ-50767,
PRHF-31101

Security Management

In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed.

PRJ-51619,
PRHF-31710

Security Management

Deleting a domain may fail when using the createDomainRecovery.sh script.

PRJ-50593,
PRHF-30931

Security Management

High Availability synchronization runs after every scheduled Application Control update, even if the Application Control is up to date.

PRJ-51596,
PRHF-31532

Security Management

In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822.

PRJ-52817,
PMTR-100795

Security Management

If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report.

PRJ-49362,
PRHF-30301

Security Management

There may be a synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Management Server, when a newly created local administrator on the backup Security Management Server makes changes to rules or objects after the Active role is switched to that Server.

PRJ-50019,
PMTR-86613

Security Management

It may not be possible to add/set a Threat Prevention Exception with a protection-or-site UID.

PRJ-53349,
PRHF-32714

Security Management

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file.

PRJ-50999,
PRHF-31180

Security Management

Install Policy Presets may fail after purging all revisions. Refer to sk181652.

PRJ-52012,
PRHF-31738

Security Management

In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886". sk178886 describes a different scenario and does not resolve the issue.

PRJ-54095,
PRHF-28962

Security Management

In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-53731,
PMTR-102450

Security Management

The Change Report may allow listing the contents of certain directories.

PRJ-55502,

PRHF-34248

Security Management

A memory leak may occur in the FWM process which leads to SmartConsole connection failures.

PRJ-49583,
PRHF-30453

Security Management

In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted.

PRJ-51507,
PMTR-98543

Security Management

The on-premises Security Management Server fails to connect to Infinity Portal when this Server has a proxy configured.

PRJ-53472,
PRHF-32798

Security Management

In Multi-Domain Security Management environments, High Availability synchronization issues may arise after making and publishing changes through the SmartTasks feature in SmartConsole for a local Domain.

PRJ-52825,

PMTR-100459

Security Management

On the Security Management Server, a CPD zombie process may be created.

PRJ-51633,
PRHF-30990

Security Management

In rare scenarios, after an upgrade or a Domain migration:

  • Policy installation might fail with "ERROR: Duplicate keys xxxxxxxx in table 'gw_properties".

  • DAIP Gateway objects will have duplicate IP addresses.

    Refer to sk181834.

PRJ-51696,
PMTR-98972

Security Management

After a global assignment, when installing policy on several installation targets at once, the log may show an incorrect rule name.

PRJ-51514,
PRHF-31523

Security Management

The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt.

PRJ-51205,
PRHF-31334

Security Management

If all revisions were purged on the Security Management Server, the "show packages details-level full" Management API call may fail.

PRJ-51543,
PMTR-98526

Security Management

Enabling automatic updates of Trusted CAs as described in sk173629 may fail.

PRJ-50373,
PMTR-96089

Security Management

When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message.

PRJ-41781,
PRHF-25318

Security Management

In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view.

PRJ-52879,
PRHF-32383

Security Management

In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages.

PRJ-52791,
PRHF-32309

Security Management

In rare scenarios, High Availability synchronization fails with "Peer is busy".

PRJ-51677,
PRHF-31606

Security Management

Global Assignment fails with "Locked for editing by another administrator and need to be published or discarded before the operation can take place". Refer to sk181807.

PRJ-49667,
PMTR-92847

Security Management

The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks.

PRJ-51505,

PMTR-98271

Security Management

After a Multi-Domain Security Management upgrade to R81.20 version, some Infinity Portal Services may stop working.

PRJ-51085,
PRHF-31155

Multi-Domain Security Management

In Multi-Domain Security Management environments with over two hundred administrators, Domain creation may fail with "Timeout expired while waiting for permissions calculation".

PRJ-48396,
PRHF-29737

Multi-Domain Security Management

In a Multi-Domain Security Management environment, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred".

PRJ-51272,
PRHF-30806

Multi-Domain Security Management

In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails.

PRJ-52970,
PRHF-29693

Multi-Domain Security Management

The "cprlic get" command output may not provide correct information about vSEC licenses.

PRJ-52578,

PMTR-99856

Multi-Domain Security Management

In some scenarios, during an upgrade of a Multi-Domain Security Management Server, the "created by" and "date created" fields of some rules may be displayed as "system" and "date of the upgrade".

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-51570,

PMTR-90798

SmartConsole

SmartConsole slowness when adding applications to rules. Refer to sk182063.

PRJ-53275,
PMTR-100689

SmartProvisioning

The "show-lsm-gateways" Management API command returns LSM cluster objects besides the LSM Security Gateways.

PRJ-53227,
PMTR-100502

SmartProvisioning

The Management API command "set-lsm-gateway" with the "sic.ip-address" parameter may fail with "Establish SIC failed. Reset SIC on gateway and try again." when resetting SIC.

PRJ-52721,
PRHF-30795

Logging

Administrators without the "run script" permission can enable or disable the option to run a script on a Security Gateway through the advanced configuration options.

PRJ-51148,
PRHF-31357

Logging

When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677.

PRJ-51327,
PMTR-96510

Logging

In rare scenarios, after an upgrade, the LOG_EXPORTER process may fail to send the log files to SIEM or to the cloud.

PRJ-53938,
SL-8466

Logging

In Quantum Smart-1 Cloud environments, exporting more than five thousand logs to CSV may fail.

PRJ-51430,
PRHF-31388

Logging

In some scenarios, in Multi-Domain Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied.

PRJ-44795,
PRHF-27521

Logging

In rare scenarios, the FWD process on the Security Gateway may reach out of memory and produce a core dump file of around 3GB.

PRJ-54108,
SL-8626

Logging

In rare scenarios, the LOG_EXPORTER process fails to send logs although it marks them as sent.

PRJ-49790,
PMTR-95167

Logging

The "cpstat -h <Log Server IP> ls -f logging" command fails when run from the Security Management Server.

PRJ-51525,

SDWANGW-2060

Logging

SD-WAN log information may be missing from SmartConsole connection log when SecureXL Templates are used.

PRJ-52679,
PRHF-31821

Security Gateway

Running GTP traffic may cause a crash on a Security Gateway without a GTP license.

PRJ-52725,
PMTR-100460

Security Gateway

In some rare cases, the Dynamic Split functionality may be disabled on VSX Gateways with Hyperflow enabled. When checking the status of Dynamic Balancing, the "Initiating shut-down due to state mismatch detection (reason dmd_sleep_status)" message is printed in the logs under $FWDIR/log/dsd.elg.

PRJ-50576,
PRHF-30817

Security Gateway

There may be log entries related to the drop optimization feature, although the dropped traffic matches a non-logging rule.

PRJ-55412,

PRHF-34173

Security Gateway

The CPD process may unexpectedly exit and create a core dump.

PRJ-52521,
PRHF-31425

Security Gateway

The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process.

PRJ-47672,
PRHF-29535,

PRJ-47668,
PRHF-29516

Security Gateway

When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries.

PRJ-52952,
PRHF-32357

Security Gateway

Traffic outages may occur because of high utilization of CPU cores that run CoreXL SND instances. Refer to sk181996.

PRJ-53850,
PMTR-94689

Security Gateway

In some scenarios, when SecureXL works in the User Space (UPPAK) mode, the VSX Security Gateway cluster members are not able to send and receive CCP packets correctly through a Virtual Switch.

PRJ-51439,
PMTR-98446

Security Gateway

A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart.

PRJ-53628,
PMTR-102177

Security Gateway

A memory issue may occur in a cluster environment, when SIP inspection is enabled.

PRJ-48817,
PRHF-30025

Security Gateway

After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found".

PRJ-41754,
PRHF-25570

Security Gateway

Some debug messages may appear in the /var/log/messages file, although the debug mode is not activated. The issue is cosmetic only.

PRJ-49046,
PMTR-94275

Security Gateway

In rare scenarios, a file downloaded via HTTP may be corrupted.

PRJ-52421,
PMTR-99316

Security Gateway

Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object.

PRJ-51460,
PRHF-31473

Security Gateway

When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:

  • A DNS query to any ISP returns the IP addresses of all ISPs, although it should return only the active ISP.

  • When one ISP is down, the faulty ISP is still returned instead of only the newly active one.

PRJ-47664,
PRHF-29452

Security Gateway

Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages.

PRJ-50757,
PRHF-31127

Security Gateway

In a rare scenario, because of a memory allocation issue, the Security Gateway may crash and reboot.

PRJ-48263,
PMTR-93809

Security Gateway

Notifications of SecureXL connection deletion appear unfiltered in the debug output, also when using a debug filter.

PRJ-51946,
PRHF-31780

Security Gateway

In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base.

PRJ-51609,
PRHF-31672

Security Gateway

The ICAP Server may fail to initialize.

PRJ-51039,

PRHF-31146

Security Gateway

The Security Gateway may crash during policy installation.

PRJ-52796,
PRHF-31617

Security Gateway

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router.

PRJ-51528,
PRHF-31572

Security Gateway

Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are active. Refer to sk181793.

PRJ-52564,
PRHF-32096

Internal CA

CRLs may not be recreated after cleaning expired certificates from the ICA database.

PRJ-42871,
PRHF-26332

Threat Prevention

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225.

PRJ-53912,
PMTR-102756

Threat Prevention

SSH DPI may not work because of incorrect parsing of the client hello from a non-standard SSH client.

PRJ-49031,
PMTR-96716

Threat Prevention

In a bond failover setup with the XOR bond mode, rapid toggling the port states causes the switch to display incorrect "connected" port statuses for both ports, despite one port being actually down, leading to a non-functioning bond interface.

PRJ-53458,
PMTR-87269

Threat Prevention

Installation of Threat Prevention Policy fails with the error "No profile defined on GW <Name of Security Gateway Object>" in this scenario:

  • The "Install On" column of a Threat Prevention rule contains a Group object (Group #1).

  • This Group object (Group #1) contains another Group object (Group #2).

  • This nested Group object (Group #2) contains the Security Gateway object.

PRJ-53091,

PMTR-98503

Threat Prevention

The "ioc_feeds" CLI command with the "--transport local_directory" argument may fail to load feeds.

PRJ-53404,

PMTR-101787

Threat Prevention

No feedback form appears when disabling the Zero Phishing Blade, although it should.

PRJ-51335,
PRHF-31398

Identity Awareness

When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access.

PRJ-49436,
PMTR-92848

Identity Awareness

In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers.

PRJ-52371,
PRHF-31314

Identity Awareness

After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946.

PRJ-52793,
PRHF-32291

Identity Awareness

In some scenarios, access roles using packet tagging are not calculated correctly for new sessions. Refer to sk182009.

PRJ-50584,
PRHF-30933

Identity Awareness

During policy installation, users authenticated using the Captive Portal may get disconnected.

PRJ-52873,
PRHF-32296

Identity Awareness

User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation.

PRJ-50514,
PMTR-92204

Identity Awareness

In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration.

PRJ-52541,
PRHF-31937

IPS

In a rare scenario, Security Gateway may drop client-to-server web browsing traffic.

PRJ-50805,
PRHF-28437

IPS

There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade.

PRJ-51183,
PRHF-31305

Anti-Virus

Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures.

PRJ-53572,
PRJ-53566

Anti-Virus

In a rare scenario, the Security Gateway crashes due to memory corruption caused by the Anti-Virus blade.

PRJ-53125,
PRHF-32092

Anti-Virus

The DLPU process may frequently exit with a core dump file.

PRJ-52048,

PRHF-31811

Mobile Access

SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805.

See the Important Notes section.

PRJ-42809,
PRHF-24122

ClusterXL

Cluster members may crash, generating vmcores in /var/log/crash.

PRJ-51588,
PRHF-31481

ClusterXL

The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster.

PRJ-50117,
PRHF-30245

ClusterXL

In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also.

PRJ-52799,
PRHF-31629

SecureXL

The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list.

PRJ-44520,
PRHF-23500

SecureXL

Multicast packets received on an interface with PIM disabled can cause multicast packet drops on other interfaces by filling up the kernel routing queue.

PRJ-52802,
PRHF-31631

SecureXL

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch.

PRJ-51210,

PRHF-31259

SecureXL

When SecureXL runs in Kernel mode, traffic passing through a GRE tunnel may not reach the peer.

PRJ-50856,
PMTR-96036

SecureXL

There may be a delay in enforcing DOS/Rate Limiting rules to drop packets when concurrent connection limits are exceeded.

PRJ-51622,
PMTR-97796

SecureXL

In some scenarios, fragmented ICMP packets may bypass the DOS/Rate Limiting deny list.

PRJ-52806,
PMTR-96017

SecureXL

In some scenarios when Route based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address.

PRJ-54530,

PRHF-33850

SecureXL

Policy installation on a Security Gateway running with SecureXL User Mode (UPPAK) fails with the "2000240" or "2000267" error code. Refer to sk182272.

PRJ-53479,
PMTR-102025

SecureXL

Entering Maintenance Mode during the boot process may result in disabling SecureXL User Mode (UPPAK).

PRJ-52859,
PMTR-101273

SecureXL

In some scenarios, when SecureXL User Mode (UPPAK) is enabled, the Security Gateway crashes during boot up.

PRJ-53253,
PMTR-101573

SecureXL

When SecureXL User Mode (UPPAK) is enabled, there may be some increased latency when sending cleartext traffic between a Virtual System and a Virtual Router.

PRJ-53061,
PMTR-101152

SecureXL

During the deny list update process, there is a temporary gap where no IP addresses are blocked, allowing unwanted traffic to pass through the Security Gateway unfiltered.

PRJ-52663,
PMTR-100376

SecureXL

DOS/Rate Limiting commands that require a change from the default configuration are not allowed to run in SecureXL User Mode (UPPAK). "ERROR: fwaccel_dos: DOS features are not supported for SecureXL User Space Mode with LightSpeed" is printed in the /var/log/messages file.

PRJ-55396,

PMTR-104268

SecureXL

A race condition may occur in a large-scale VSX Cluster environment when SecureXL User Mode (UPPAK) is enabled.

PRJ-53856,
PRHF-33138

Routing

The ROUTED process may fail an assertion when an LSA is freed from a neighbor's retransmission list while that LSA still belongs to the MaxAge hold tree (LSAs being flooded at MaxAge).

PRJ-53172,
PMTR-99623

Routing

The ROUTED process may unexpectedly exit because of an OSPF assertion failure.

PRJ-53054,

ROUT-2968

Routing

BGP peers may experience timeouts when these conditions occur simultaneously:

  • The network has more than 100 BGP peers configured,

  • The routing table contains tens of thousands of routes,

  • BGP tracing is enabled,

  • The BGP timers (such as keepalive and hold timers) are reduced from their default values, making the peers more sensitive to delays or congestion.

PRJ-52734,
PRHF-31847

Routing

In networks where multicast groups are manually configured through IGMP, if only one membership report is received for a specific <S,G> pair and no further reports follow, outages may occur.

PRJ-52659,

PRJ-52656,
PRHF-31818,

PRHF-31977

Routing

Cluster failover may occur when the ROUTED process unexpectedly exits because of a memory leak and generates a core dump file.

PRJ-53057,
PRHF-32078

Routing

In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization.

PRJ-51260,
PRHF-31307

Routing

It may not be possible to propagate a newly added static route through OSPF.

PRJ-51983,
ROUT-2393

Routing

When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing.

PRJ-53569,
PMTR-100631

Routing

In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor.

PRJ-48210,
PMTR-91011

VPN

IKEv2 Remote Access stability issues.

PRJ-47953,
PMTR-92800

VPN

Establishing an IKEv2 tunnel with Cross AZ Cluster may fail.

PRJ-53384,
PMTR-101269

VPN

IPv6 non-VPN traffic may be dropped with "Clear text packet should be encrypted".

PRJ-53178,
PRHF-32616

VPN

In a rare scenario, while connecting SNX client, the VPND process may exit.

PRJ-52830,
PMTR-96593

VPN

In a rare scenario, in a Maestro environment, the first packet of the VPN tunnel is lost or has a large delay.

PRJ-52514,
PRHF-32030

VPN

In Cross-AZ clusters, when using probing-based link selection for High Availability and Load Sharing, there may be a potential VPN traffic outage. Refer to sk181909.

PRJ-54241,

PMTR-103618

VPN

In a VPN Star community with Link Selection between two Security Gateways (a Center Cluster and a Satellite Security Gateway) that both have IPv6 external and internal interfaces, the VPND process may unexpectedly exit because of repeated IKE core crashes on one Security Gateway while the other tries to establish a tunnel, resulting in connectivity issues.

PRJ-52949,
PRHF-32461

VPN

When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues.

PRJ-44265,
PRHF-20660

VPN

The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic.

PRJ-51297,

PMTR-97905

VSX

When adding a new Virtual System, a CPD core dump file may be generated.

PRJ-52509,
PMTR-99867

Gaia OS

When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file.

PRJ-52724,
PRHF-32115

Gaia OS

The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922.

PRJ-53486,
PMTR-95316

Gaia OS

Some valid interfaces may not be available when running the "set lldp interface" command.

PRJ-53195,
PRHF-32504

Gaia OS

In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory.

PRJ-52886,
PMTR-100352

Gaia OS

Disabling a bond with one interface from WebUI may fail.

PRJ-54180,
PMTR-103543

Gaia OS

Removed the unused built-in user "cp_ender", which may appear in Gaia OS after an upgrade. Refer to sk182185.

PRJ-51441,
EPS-54570

Harmony Endpoint

Clients may not be assigned to default groups after adding a device to the AD Server.

PRJ-50572,
EPS-53505

Harmony Endpoint

In an on-premises environment, large Active Directory groups with more than 1500 members appear empty or have incomplete membership information.

PRJ-52129,
PRHF-31662

Harmony Endpoint

When attempting a one-time login for a migrated client in the Infinity Portal, the request fails with "400 error" caused by duplicate logon_name and domain_name entries in the database, preventing password generation from the Web Interface.

PRJ-51292,
EPS-54427

Harmony Endpoint

In some scenarios, Unified Endpoint Policy Management (UEPM) database upgrade fails or takes a long time during the scripts stage.

PRJ-51138,
PRHF-31298

Harmony Endpoint

When duplicate users with the same name and domain exist in the database or Active Directory, FDE Pre-boot authentication on LAN may fail because it cannot identify the user attempting to log in.

PRJ-53431,
PRHF-32749

Harmony Endpoint

SmartEndpoint creates an empty "Policy Report" CSV file.

PRJ-50589,
PRHF-30890

CloudGuard Network

In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail.

PRJ-50638,
PRHF-28490

CloudGuard Network

CloudGuard Controller synchronizes cloud object configurations with a noticeable latency, reflecting the updates made to those objects in the cloud environment after a significant time delay.

PRJ-51302,
PRHF-31310

Scalable Platforms

When using NAT64 rules, Server to Client traffic may be dropped because of the "Out of state" error.

PRJ-47396,
PMTR-92635

Scalable Platforms

Excessive CPU usage occurs on a Maestro Security Group because of exhaustion of available NAT ports when traffic is subjected to NAT and Layer 4 (L4) load distribution is enabled. Refer to sk181925.

PRJ-53832,

PMTR-73771

Scalable Platforms

Before enabling MDPS, CoreXL Dynamic Balancing (sk164155) must be disabled.

PRJ-52644,
PMTR-100357

Scalable Platforms

After a failover scenario, the "m site-id member-id" command requires reauthentication.

PRJ-53083,
PMTR-97118

Scalable Platforms

Redundant "MHO_stateAgent[3230]: QuidAddon: System not ready yet - attempting to re-init" messages in the /var/log/messages file.

PRJ-52883,
MBS-18033

Scalable Platforms

When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are.

PRJ-53622,
PMTR-99823

Scalable Platforms

The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members).

PRJ-44133,
MBS-16004

Scalable Platforms

Member state may flap between Active and Ready.

PRJ-46223,
PMTR-88316

Scalable Platforms

During site failover, IPv6 traffic that goes through the Warp interface may be interrupted.

PRJ-50827,
PMTR-97227

Scalable Platforms

In a rare scenario, file system corruption may lead to a failure identifying the Maestro Orchestrator hardware model during the Maestro Orchestrator OS boot process, causing the boot to fail.

PRJ-44136,
MBS-16756

Scalable Platforms

If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues.

PRJ-46793,
PMTR-92392

Scalable Platforms

An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and therefore may differ between members.

PRJ-52532,

PMTR-99841

Scalable Platforms

After dynamic routing manager failure and recovery, connections are dropped with a log message "TCP out of state: First packet isn't SYN". Refer to sk181874.

PRJ-51186,

PMTR-97932

Scalable Platforms

In a rare scenario, when a Maestro Security Gateway is active again after a reboot, and LightSpeed is used, the LACP bond may drop incoming and outgoing packets.

PRJ-55570,

PMTR-105246

Scalable Platforms

Traffic outage after policy installation on a Maestro Security Group in the VSX mode that works in the Dual Site configuration. Refer to sk182379.

PRJ-55518,

PMTR-105145

Scalable Platforms

  • On Quantum Maestro/Chassis or in ClusterXL, the Security Gateway may crash while processing a VPN/correction flow with a vmcore in /var/log/crash or FWK core in /var/log/dump/usermode/.

  • The "kernel: xxxxx: tx_timeout" error is printed in /var/log/messages.

  • PSL drops packets with the "PSL Drop: psl_build_pslip failed" message, potentially impacting network performance and streaming capabilities.

Refer to sk182463.

See the Important Notes section.