R81.20 Jumbo Hotfix Take 79

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 79

Released on 19 August 2024

Take 79 - New Functionality

 

PRJ-53640,
PMTR-102064

Security Management

NEW: Added the ability to unset a persistent environment variable, using the "-u" flag for the override_server_setting.sh script introduced in sk165938. Upon execution, the specified property is now removed from the $MDS_FWDIR/conf/cpmEnvVars.conf file.

PRJ-54715,
PMTR-103677

Security Management

NEW: Automatic refresh of SmartConsole views after Global Policy Assignment on a Multi-Domain Security Management Server. To enable this ability, refer to sk182307.

PRJ-53464

SD-WAN

NEW:

  • Added ARP Next-Hop prober to enhance support for additional network topologies.

  • Introduced HTTP prober to reflect real-time Web Access metrics.

  • Implemented Link Aggregation mode proportional to Download and Upload bandwidth.

  • Administrators are now able to override SD-WAN interface Circuit configuration.

  • Integrated Forward Error Correction to ensure successful traffic delivery by adding error correction code packets to the Overlay packet stream.

  • Introduced Dynamic Objects (SD-WAN Internet, My VPN Domain, and Peer VPN Domain) to better represent Overlay and Internet address spaces.

  • Added administrator control for Symmetric Packet Return, forcing Ingress Traffic to be replied on the same ISP.

  • Enabled SD-WAN Overlay establishment across different Domains using Global VPN Community (MDS).

  • Allowed SD-WAN Overlay to operate on top of Route-based VPN.

  • Increased maximum Overlay size to support up to 500 Security Gateways.

  • Improved accuracy of SD-WAN decision-making during policy installation.

  • Enabled setup of IPv4 SD-WAN overlay when non-SD-WAN IPv6 interfaces are configured.

PRJ-53477,
CLUS-1936

Scalable Platforms

NEW: Added Generic Data Center support for Quantum Maestro environments.

Take 79 - Improvements and Resolved Issues

 

PRJ-50857,
PMTR-97312

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.58 to fix CVE-2023-31122 and CVE-2023-43622.

PRJ-50924,
PMTR-97400

Security Gateway

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

PRJ-55316,
PMTR-104507

Gaia OS

UPDATE: Applied a patch on top of OpenSSL 1.1.1w to fix CVE-2024-2511. Refer to sk182320.

PRJ-56226,
PMTR-106852

Gaia OS

UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. Refer to sk182743.

PRJ-54496,
PMTR-104054

Security Management

UPDATE: JRE is updated from version 8.0_8.10 to version 8.0_8.21.

PRJ-50381,
PRHF-30774

Security Management

UPDATE: Various Web Portals on the Security Management Server (for example, Web SmartConsole, SmartView) no longer accept HTTPS connections to ports 443 and 19009 with specific TLS 1.2 ciphers. Refer to sk181879.

PRJ-53605,
PMTR-102275

Security Management

UPDATE: Modified the content of the https://<ip_address>/license_management/ page.

PRJ-53954,
PMTR-103052

Security Management

UPDATE: Changed the hardware name "1570R Appliances" to "1570R/1575R Appliances" in the Security Gateway editor in SmartConsole and SmartProvisioning.

  • Requires R81.20 SmartConsole Build 656 or higher.

PRJ-52932,
PRHF-32414

Security Management

UPDATE: When deleting a Secondary Multi-Domain Security Management Server, SmartConsole now shows an "After MDS '<MDS name>' is deleted, you should delete the Secondary Domain Servers from the Domains and revoke their certificates" message.

PRJ-52404,
PMTR-99617

Security Management

UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism.

PRJ-52954,
PMTR-101078

Logging

UPDATE: Enhanced the Access Control log for "Accept" actions with initial matched layers of "IoT" or "Playblocks":

The "Layer Name" field now shows the admin-configured layer, alongside Rule Name and Rule Number, allowing administrators to view their preferred match layer rather than defaulting to the first matched layer or inline rule. This change improves visibility into the specific security policy components responsible for accepting traffic.

PRJ-55290,
PMTR-104620

Security Gateway

UPDATE: Optimized the Hyperflow wake-up process on smaller appliances (up to 32 cores). It now uses only two cores initially, reducing resource contention and improving stability during Elephant Flows.

PRJ-55428,
PMTR-104574

Security Gateway

UPDATE: The severity of the debug message for cp_shmem huge page allocation failures is reduced. When huge pages are unavailable, the message now appears as a warning instead of an error. The system now falls back to using regular memory pages.

PRJ-51989,
PMTR-88361

Security Gateway

UPDATE: The performance of the thread blocker feature (sk180437) is now improved and the feature is re-enabled.

PRJ-47490,
PRHF-28566

Security Gateway

UPDATE: Implemented automatic purging of expired SIC certificates on Security Gateways to eliminate memory residues and prevent misuse.

PRJ-54341,
SNX-99

SSL Network Extender

UPDATE: SSL Network Extender is updated to version 80008409.

PRJ-53919,
PRHF-32600

URL Filtering

UPDATE: When URL Filtering operates in Background Mode and encounters an unclassified connection, the connection is no longer approved automatically. It is now accepted or rejected based on Access Rule Base execution, and listed under the "unknown" category.

PRJ-51532,
PMTR-97036

Mobile Access

UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices.

PRJ-53587

Gaia OS

UPDATE: The "show asset" and "show lom" commands now also display a sub-minor version of LOM firmware on the 9000/19000/29000 appliance lines.

PRJ-54590,
PMTR-100544

Gaia OS

UPDATE: Extended the "allowed-client" setting to enforce IP restrictions for both password and SSH key authentication methods, providing more comprehensive access control.

PRJ-54672,
PMTR-104379

VoIP

UPDATE: SIP over UDP requests and responses may be dispatched to different firewall instances when a single-direction rule is defined in the Rule Base, potentially causing returned SIP traffic to be dropped as an unknown connection. To address this, a new global parameter "sip_forward_if_needed" is introduced (disabled by default). When enabled, the Security Gateway forwards responses to the appropriate request instances. Refer to sk182667.

PRJ-55719,
PMTR-105631

VPN

UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1".

PRJ-53822,
PMTR-102697

CloudGuard Network

UPDATE: It is no longer necessary to run the $MDS_FWDIR/scripts/alignLicensesInDB.sh script (sk181500) after the import during Security Management Database migration. The script now runs automatically after the migration.

PRJ-53101,
PMTR-101359

Scalable Platforms

UPDATE: Removed the ability to delete the "_lldp" internal user in Gaia OS to prevent traffic impact. Refer to sk182026.

PRJ-56057,
ODU-1923

Automatic Updates - HCP

UPDATE: Added Update 18 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-55914,
ODU-1849

Automatic Updates - CPView

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-56193,
ODU-1787

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 114 via self-updatable package. Refer to sk170314.

PRJ-55917,
ODU-1819

Automatic Updates - CloudGuard Network

UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-50936,
PRHF-31120

Security Management

SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.

  • Requires additional configuration and R81.20 SmartConsole Build 656 or higher. Refer to sk181630.

PRJ-53454,
PRHF-32750

Security Management

Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".

  • The fix requires the upgrade to be done using a Blink image or the Advanced Upgrade method.

PRJ-52045,
PRHF-31789

Security Management

In some scenarios, the Security Management Server upgrade to R81.20 fails with "java.lang.String incompatible with com.checkpoint.infrastructure.types.CPUUID" in the upgrade report. The issue occurs during the import of the User Data Domain.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-54005,
PRHF-33311

Security Management

In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-46788,
PRHF-29046

Security Management

In some scenarios, an upgrade of Security Management Server or Multi-Domain Security Management Server fails with the "Failed: upgrade of "DOMAIN_NAME". For more details see upgrade logs below" error in the upgrade report.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-52546,
PMTR-100061

Security Management

In rare scenarios, the CPCA process on the Security Management Server / Domain Management Server may exit unexpectedly, creating a core dump file. Refer to sk183101.

PRJ-52889,
PRHF-32372

Security Management

"Mapping of Data Center [xxxx] failed. Next mapping is in 300 seconds" errors in the CME logs show failed attempts to scan deleted data centers.

PRJ-45161,
PRHF-28147

Security Management

In rare scenarios, login to the Security Management Server may fail with timeout and the FWM process on the Management Server may unexpectedly exit, creating a core dump file.

PRJ-53771,
PRHF-32899

Security Management

In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running with "details-level full".

PRJ-53507,
PRHF-32561

Security Management

After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and are unable to perform certain management tasks, such as enabling or disabling blades.

PRJ-52434,
PRHF-31953

Security Management

When Global Domain Assignment fails with the "More than one object named 'XXX' exists" error, not all duplicate objects are listed.

PRJ-53760,
PRHF-32936

Security Management

The "domains_tool -report" command may fail if more than sixteen host objects are defined as DNS Servers in the environment.

PRJ-49241,
PMTR-89973

Security Management

In some scenarios, the SmartTask "Before login" trigger may be executed although there was no login operation.

PRJ-52781,
PRHF-32286

Security Management

When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time.

PRJ-49438,
PRHF-30400

Security Management

The UPDATE_INSPECT_FILES process of Upgrade Tools may exit with a core dump.

PRJ-52019,
PRHF-31622

Security Management

Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled.

PRJ-50844,
PRHF-31188

Security Management

Export of a list of objects from the Global Object Explorer fails with the "Export policy is not supported when rule name is in a format of UUID" error message.

PRJ-51121,
PRHF-31318

Security Management

In rare scenarios, if a Star VPN Community object is created, publish operations may fail.

PRJ-50755,
ACCESS-704

Security Management

Access to and from the Generic Data Center objects may not be enforced when MDPS configuration is enabled on the Security Gateway.

PRJ-52915,
PRHF-32334

Security Management

Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected.

PRJ-54066,
PRHF-33349

Security Management

In some scenarios, users may be disconnected from SmartConsole, and an FWM process core dump is generated.

PRJ-53502,
PRHF-32764

Security Management

In some scenarios, SmartConsole may unexpectedly disconnect.

PRJ-52518,
PRHF-32065

Security Management

In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages.

PRJ-53895,
PRHF-32890

Security Management

In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually.

PRJ-48937,
PRHF-30136

Security Management

The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set.

PRJ-52778,
PRHF-32265

Security Management

Objects Explorer search fails with "Error retrieving results" when more than twenty thousand IP addresses match the search criteria.

PRJ-49057,
PRHF-30130

Security Management

In rare scenarios, publishing a session in SmartConsole fails with the "got at least one duplicate UID in requested list, duplicates UIDs: [XXX]" error.

PRJ-52850,
PRHF-32222

Security Management

Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-57031,
PRHF-30884

Security Management

Log queries fail with the error "Problems have occurred during search" when Domain migration is in progress. This occurs specifically during the execution of "export-management" or "import-management" Management API commands.

PRJ-55523,
PMTR-85279

Security Management

In rare scenarios, the CPD process may exit with core dumps.

PRJ-52346,
PRHF-31814

Security Management

In some scenarios, the PostgreSQL database fully utilizes disk space on the Standby Security Management Server.

PRJ-53677,
PMTR-98465

Security Management

The Management API command "get-interfaces" may return subordinate physical interfaces of a bond interface.

PRJ-51630,
PRHF-31681

Multi-Domain Security Management

In rare scenarios, login to a newly created Domain fails and the CPCA daemon has the "down" status. Refer to sk181798.

PRJ-53552,
PRHF-32881

Multi-Domain Security Management

When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY".

PRJ-52950,
PRHF-31148

Multi-Domain Security Management

In a Multi-Domain Security Management environment, there may be synchronization timeout errors, and automatic revisions purge may fail.

PRJ-55658,
PRHF-34503

Multi-Domain Security Management

In some scenarios, in a Multi-Domain Security Management environment, creating a Domain on a remote Multi-Domain Management Server may fail with "Check connectivity between Domain Servers IPs and initialize SIC manually" error.

PRJ-54514,
PRHF-33741

SmartConsole

In rare scenarios, login to SmartConsole fails.

PRJ-50695,
PRHF-31105

Logging

In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800.

PRJ-54061,
PMTR-102031

Logging

In rare scenarios, an empty log list may be displayed when selecting a log file to view in SmartConsole.

PRJ-54238,
PRHF-20992

Logging

Log Exporter may unexpectedly exit when using a non-RSA certificate.

PRJ-51276,
PRHF-31323

Logging

When adding a table widget to a SmartView report:

  • It may not be possible to pick the "Missed Malware Activity" and "Spyware Action" fields.

  • The "Malware Action" filter may appear twice in the picker.

PRJ-51444,
PRHF-31195

Logging

The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB).

PRJ-50794,
PRHF-31160

Logging

In SmartView, filtering logs by "event_type" may fail with the "Query failed" error.

PRJ-51517,
PRHF-31567

Logging

Log searches for the same time period may return more results in SmartConsole compared to SmartView.

PRJ-55512,
PRHF-34283

Logging

In some scenarios, the name of the Security Gateway is not shown in the title of the automatic reaction email, although it should be.

PRJ-50262,
PRHF-30848

Logging

In SmartView, some countries are not displayed in the countries picker.

PRJ-52941,
PRHF-32194

Logging

In the Logs view, the "TCP-other" and "UDP-other" services are displayed as generic service IDs, for example, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477".

PRJ-54020,
PMTR-99697

Logging

In rare scenarios, Zero Phishing logs may disappear from the SmartConsole Logs view.

PRJ-53451,
PMTR-101938

Security Gateway

Even if the interface is configured with an MTU higher than 1500, the maximal MTU over CPAS is limited to 1500.

PRJ-53075,
PMTR-96269

Security Gateway

On some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID".

PRJ-51970,
PMTR-99054

Security Gateway

The CPWD daemon does not restart automatically.

PRJ-51480,
PMTR-98475

Security Gateway

The RAD process exits and creates a core file on the Security Gateway.

PRJ-55423,
PRHF-33908,
PRJ-55422,
PRHF-33730,
PRJ-55424,
PRHF-33912

Security Gateway

In a multi-cloud networking environment (AWS GWLB and VMware NSX-T), the Security Gateway may crash due to memory corruption.

PRJ-54526,
PMTR-96126

Security Gateway

In some scenarios, when SecureXL User Mode is enabled, the Security Gateway drops traffic after it was processed.

PRJ-54628,
PRHF-33768

Security Gateway

In some scenarios, adding sequential IP addresses as MDPS task addresses may fail.

PRJ-51049,
PMTR-97496

Security Gateway

In some scenarios, websites that use HTTP2 protocol do not load properly.

PRJ-49902,
PRHF-30541

Security Gateway

Kernel Memory usage increases persistently each day on a Security Gateway/Security Group when CGNAT is enabled. Refer to sk182140.

PRJ-54529,
PMTR-103857

Security Gateway

In some scenarios, the Security Gateway erroneously offloads a connection to SecureXL when the initial route lookup could not find a route for it.

PRJ-52774,
PRHF-32213

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit.

PRJ-52647,
PRHF-31996

Internal CA

CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released. CPCA closes the connection prematurely.

PRJ-50701,
PRHF-30997

Threat Prevention

The Anti-Virus Blade fails to parse IoC feeds that contain IPv6 addresses.

PRJ-48310,
ACCESS-680

Threat Prevention

In rare scenarios, when the Anti-Virus, Threat Extraction and Threat Emulation Blades are enabled, some connections that were on hold are dropped.

PRJ-53201,
PMTR-97508

Threat Prevention

In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops.

PRJ-51341,
PRHF-29801

Identity Awareness

In some scenarios, the PEPD process may consume high CPU because of a high rate of identity propagation. Refer to sk182588.

PRJ-46490,
PRHF-28698

Identity Awareness

Policy Enforcement Point (PEP) logs show a username after the user session has expired. Refer to sk181553.

PRJ-53249,
PRHF-32646

IPS

A connectivity issue may occur when processing specific HTTP2 traffic.

PRJ-43104,
PMTR-87284

DLP

Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs.

PRJ-53128,
PRHF-32438

Anti-Virus

The DLPU process may unexpectedly exit due to uninitialized memory when the Anti-Virus Blade scans files. Refer to sk182030.

PRJ-55520,
PMTR-104668

SSL Inspection

In rare scenarios, when HTTPS Inspection is enabled, the FWK process may unexpectedly exit due to memory violation.

PRJ-54641,
PMTR-90199

Mobile Access

The HTTPD process of the Mobile Access Portal may exit with a core dump file.

PRJ-51154,
PMTR-92065

Mobile Access

Web Application names column width is too narrow to fit in the Mobile Access Portal. Refer to sk181774.

PRJ-54324,
PRHF-33620

ClusterXL

In a rare scenario, the FWK process consistently exits, causing failovers. Crashes may happen on both cluster members.

PRJ-54170,
PMTR-103483

ClusterXL

In rare scenarios, in a cluster environment, the CPDiag tool may crash.

PRJ-52896,
PMTR-100934

ClusterXL

In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error.

PRJ-55307,
PMTR-104663

SecureXL

Potential kernel crash in MDPS configurations when modifying and re-adding slave interfaces to bonds in non-default virtual systems.

PRJ-55493,
PMTR-103647

SecureXL

When SecureXL User Mode (UPPAK) is enabled, packets originating from the Security Gateway may not be fragmented properly.

PRJ-53481,
PMTR-101681

SecureXL

In some scenarios, when the QoS blade is enabled and SecureXL works in User Mode (UPPAK), the Security Gateway may crash with the "invalid data" error.

PRJ-55799,
PMTR-105097

SecureXL

When SecureXL User Mode (UPPAK) is enabled, in some scenarios, a VSX Security Gateway with many Virtual Systems may crash.

PRJ-55566,
PMTR-104603

SecureXL

The USIM process may unexpectedly exit.

PRJ-54331,
PRHF-33511

SecureXL

In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out.

PRJ-54428,
PMTR-102834

SecureXL

In some scenarios, the VSX Security Gateway does not initialize the Virtual System correctly when connected to a Virtual Router or Virtual Switch.

PRJ-54323,
PMTR-103651

SecureXL

In some scenarios, traffic with Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSX Security Gateway.

PRJ-55958,
PRHF-34753

SecureXL

Each "stop" and "start" API call for the LightSpeed Acceleration interfaces may take several seconds. Refer to sk182585.

PRJ-54425,
PMTR-102759

SecureXL

In some scenarios, the VSX Security Gateway may fail to properly reroute traffic originating from a Virtual Switch.

PRJ-55344,
PMTR-104736

Routing

OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks due to the omission of an "IP-Address" field in the grace LSA.

PRJ-55399,
PMTR-104846

Routing

OSPFv3 NSSA may fail to re-originate Type 7 LSAs after an OSPFv3 process restart, disrupting proper route propagation.

PRJ-54603,
PMTR-104146

Routing

Routing BFD sessions using IPv6 global addresses on single-hop interfaces fail to recover after the network interface is administratively disabled and re-enabled.

PRJ-52671,
PRHF-32205

Routing

Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on".

PRJ-55016,
PMTR-104584

Gaia OS

The "fw ctl affinity" command output shows interfaces with no multi-queue, while the "mq_mng -o" command shows that multi-queue is enabled on all interfaces.

PRJ-53387,
PRHF-32742

Gaia OS

Gaia Portal operation mode options are not visible in the Editing Bond window. Refer to sk182432.

PRJ-52416,
PRHF-31929

Gaia OS

SNMP query for OID 1.3.6.1.4.1.2620.1.6.7.5.1.5 (CPU utilization per CPU core) and the "cpstat os -f cpu" command may return an incorrect value. Refer to sk182447.

PRJ-51020,
PRHF-31136

VPN

Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783.

PRJ-55293,
PMTR-103968

VPN

Configuring a Large Scale VPN (LSV) with IPv6 and establishing a VPN tunnel may cause the FWK process to exit.

PRJ-55488,
PRHF-30493

VPN

During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them.

PRJ-52912,
PRHF-32348

VPN

SNMP queries show a different number of connected RA VPN users than what is shown in CPView and from CLI. RaUserState information is missing in the SNMP MIB file.

PRJ-55986,
PMTR-106469

VPN

During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big".

PRJ-53940,
PRHF-32773

VPN

After running the "vpn iked disable" command, the VPND daemon does not listen on the tunnel test port instead of IKED.

PRJ-53715,
PRHF-32719

VPN

Tunnel testing fails after an upgrade. Refer to sk182267.

PRJ-54548,
PMTR-104230

Multi-Portal

Under a special routing configuration, an active Cluster member may accept portal traffic (on TCP ports 80 and 443) destined to a Standby member IP address.

PRJ-53118,
PMTR-99343

VSX

In a VSX Cluster with IPv6 enabled, after an upgrade, Virtual Systems without an IPv6 address may fail to install the Access policy.

PRJ-54598,
PRHF-33572

VSX

In rare scenarios, the CPD process of the default Virtual System on a VSX Gateway (VS0) gets stuck.

PRJ-51993,
PMTR-99136

Harmony Endpoint

Upgrade failures may occur when the source server contains an existing am_top_infections_master view, as the upgrade process attempts to drop and recreate this view during the final stages of the Endpoint Server database schema update.

PRJ-53555,
PMTR-101660

CloudGuard Network

Central License tool (vsec_lic_cli) unexpectedly removes Central Licenses from the default license pool on the Primary Multi-Domain Security Management Server in a High Availability (HA) environment. Refer to sk182483.

PRJ-47808,
PRHF-29624

CloudGuard Network

In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state.

PRJ-55862,
PRHF-33031

Scalable Platforms

When using MDPS routing separation and Maestro Dual site, the Log Server may get disconnected on a Standby site.

PRJ-54335,
PMTR-96560

Scalable Platforms

When different Network Interface Card models are attached among Maestro Security Group members, it may trigger unnecessary reboots.

PRJ-55461

Scalable Platforms

When dynamic split is enabled, the system fails to update the "/tmp/mq_cores_list" file, causing the "cores_verifier" and "asg perf" verifiers to display incorrect PPAK core numbers.

PRJ-54126,
PMTR-103375

Scalable Platforms

After changing the CoreXL configuration of a Virtual System in SmartConsole, the dynamic split state switches to off until the "g_dynamic_split -r" command is run.

PRJ-53511,
PRHF-29741

Scalable Platforms

When running the "set user username force-password-change yes" command in gClish on Scalable Platforms, the new configuration may not be applied.

PRJ-43739,
PMTR-88853

Scalable Platforms

The "distutil" script may take a long time to run in an environment with many Virtual Systems.

PRJ-49848,
PRHF-30436

Scalable Platforms

Site to Site VPN traffic may be interrupted after installing policy with VSLS.

PRJ-50626,
PRHF-29180

Carrier Security

  • ClusterXL Active member changes the status to "LOST".

  • Kernel segfault error is printed in /var/log/messages.

  • The CPD daemon and CPVIEW_SERVICE exit.