R81.20 Jumbo Hotfix Take 79

NEW: Added the ability to unset a persistent environment variable, using the "-u" flag for the override_server_setting.sh script introduced in sk165938. Upon execution, the specified property is now removed from the $MDS_FWDIR/conf/cpmEnvVars.conf file.

NEW:

• Added ARP Next-Hop prober to enhance support for additional network topologies.

• Introduced HTTP prober to reflect real-time Web Access metrics.

• Implemented Link Aggregation mode proportional to Download and Upload bandwidth.

• Administrators are now able to override SD-WAN interface Circuit configuration.

• Integrated Forward Error Correction to ensure successful traffic delivery by adding error correction code packets to the Overlay packet stream.

• Introduced Dynamic Objects (SD-WAN Internet, My VPN Domain, and Peer VPN Domain) to better represent Overlay and Internet address spaces.

• Added administrator control for Symmetric Packet Return, forcing Ingress Traffic to be replied on the same ISP.

• Enabled SD-WAN Overlay establishment across different Domains using Global VPN Community (MDS).

• Allowed SD-WAN Overlay to operate on top of Route-based VPN.

• Increased maximum Overlay size to support up to 500 Security Gateways.

• Improved accuracy of SD-WAN decision-making during policy installation.

• Enabled setup of IPv4 SD-WAN overlay when non-SD-WAN IPv6 interfaces are configured.

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. Refer to sk182743.

UPDATE: Various Web Portals on the Security Management Server (for example, Web SmartConsole, SmartView) no longer accept HTTPS connections to ports 443 and 19009 with specific TLS 1.2 ciphers. Refer to sk181879.

UPDATE: Changed the hardware name "1570R Appliances" to "1570R/1575R Appliances" in the Security Gateway editor in SmartConsole and SmartProvisioning.

• Requires R81.20 SmartConsole Build 656 or higher.

UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism.

UPDATE: Optimized Hyperflow wake-up process on smaller appliances (up to 32 cores) now uses only two cores initially, reducing resource contention and improving stability during Elephant Flows.

UPDATE: The performance of the thread blocker feature (sk180437) is now improved and the feature is re-enabled.

UPDATE: SSL Network Extender is updated to version 80008409.

UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices.

UPDATE: Extended the "allowed-client" setting to enforce IP restrictions for both password and SSH key authentication methods, providing more comprehensive access control.

UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1".

UPDATE: Removed the ability to delete the "_lldp" internal user in Gaia OS to prevent traffic impact. Refer to sk182026.

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188.

Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".

• The fix requires the upgrade to be done using a Blink image or the Advanced Upgrade method.

In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, the CPCA process on the Security Management Server / Domain Management Server may exit unexpectedly, creating a core dump file. Refer to sk183101.

In rare scenarios, login to the Security Management Server may fail with timeout and the FWM process on the Management Server may unexpectedly exit, creating a core dump file.

After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and are unable to perform certain management tasks, such as enabling or disabling blades.

The "domains_tool -report" command may fail if more than sixteen host objects are defined as DNS Servers in the environment.

When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time.

Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled.

In rare scenarios, if a Star VPN Community object is created, publish operations may fail.

Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected.

In some scenarios, SmartConsole may unexpectedly disconnect.

In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually.

Objects Explorer search fails with "Error retrieving results" when more than twenty thousand IP addresses match the search criteria.

Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

In rare scenarios, the CPD process may exit with core dumps.

The Management API command "get-interfaces" may return subordinate physical interfaces of a bond interface.

When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY".

In some scenarios, in a Multi-Domain Security Management environment, creating a Domain on a remote Multi-Domain Management Server may fail with "Check connectivity between Domain Servers IPs and initialize SIC manually" error.

In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800.

Log Exporter may unexpectedly exit when using a non-RSA certificate.

The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB).

Log searches for the same time period may return more results in SmartConsole compared to SmartView.

In SmartView, some countries are not displayed in the countries picker.

In rare scenarios, Zero Phishing logs may disappear from the SmartConsole Logs view.

In some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID".

The RAD process exits and creates a core file on the Security Gateway.

In some scenarios, when SecureXL User Mode is enabled, the Security Gateway drops traffic after it was processed.

In some scenarios, websites that use HTTP2 protocol do not load properly.

In some scenarios, the Security Gateway offloads connections to SecureXL in error when the initial route lookup could not find a route for it.

CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released. CPCA closes the connection prematurely.

In rare scenarios, when the Anti-Virus, Threat Extraction and Threat Emulation Blades are enabled, some connections that were on hold are dropped.

In some scenarios, the PEPD process may consume a high CPU because of a high rate of identity propagation. Refer to sk182588.

A connectivity issue may happen when processing a specific HTTP2 traffic.

The DLPU process may unexpectedly exit due to uninitialized memory when the Anti-Virus Blade scans files. Refer to sk182030.

The HTTPD process of the Mobile Access Portal may exit with a core dump file.

In a rare scenario, the FWK process consistently exits causing failovers. Crashes may happen on both cluster members.

In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error.

When SecureXL User Mode (UPPAK) is enabled, packets originating from the Security Gateway may not be fragmented properly.

When SecureXL User Mode (UPPAK) is enabled, in some scenarios, a VSX Security Gateway with many Virtual Systems may crash.

In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out.

In some scenarios, traffic with Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSX Security Gateway.

In some scenarios, the VSX Security Gateway may fail to properly reroute traffic originating from a Virtual Switch.

OSPFv3 NSSA may fail to re-originate Type 7 LSAs after an OSPFv3 process restart, disrupting proper route propagation.

Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on".

Gaia Portal operation mode options are not visible in the Editing Bond window. Refer to sk182432.

Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783.

During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them.

During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big".

Tunnel testing fails after an upgrade. Refer to sk182267.

In a VSX Cluster with IPv6 enabled, after an upgrade, VS's without IPv6 address may fail to install the Access policy.

Upgrade failures may occur when the source server contains an existing am_top_infections_master view, as the upgrade process attempts to drop and recreate this view during the final stages of the Endpoint Server database schema update.

In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state.

When different Network Interface Card models are attached among Maestro Security Group members, it may trigger unnecessary reboots.

After changing the CoreXL configurations of a VS in SmartConsole, the dynamic split state switches to off until the "g_dynamic_split -r" command is performed.

The "distutil" script may take a long time to run in an environment with many VS's.