R81.20 Jumbo Hotfix Take 8

NEW: Central Deployment of Hotfixes and Version Upgrades in SmartConsole will now support clusters of Centrally Managed Quantum Spark Appliances that run R81.10.XX firmware versions.

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

UPDATE: When adding R81.10 or lower Security Gateways to a Threat Prevention policy with Zero Phishing Blade, a verification error will be shown.

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

UPDATE: Reduced loading time of big external Custom Intelligence Feeds.

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

• To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

• To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653.

UPDATE: Added support for Data Centers in AWS eu-central-2 (Zurich) and eu-south-2 (Spain) and ap-south-2 (Hyderabad) regions.

UPDATE: Improved handling of NSX-T API responses.

UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it:

• To enable this option:

• on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 1

• to be boot persistent, run g_update_conf_file fwkern.conf fwha_force_present_state_over_active =1

• To disable this option:

• on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 0

• to be boot persistent, run g_update_conf_file fwkern.conf fwha_force_present_state_over_active =0

The date of a policy configured with "accelerated installation" may not be updated in logs.

In some scenarios, the CME process fails to start.

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

High Availability synchronization fails when one Management Server is installed on an appliance of 6000 series and the other one is an Open Server, a Virtual Machine, or installed on an appliance of different series.

Editing a Global Assignment object using Ansible may fail.

Running API commands with the "dereference-max-depth" parameter with "0" value may fail when there is the "groups" field in the reply.

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

The "show simple-gateways" Management API command may fail with the "Null Pointer Exception" error and cause the CME failure. Refer to sk180944.

When running the "update-provisioned-satellites" Management API command on a cluster, it may fail with the "The operation does not support this object type" error.

The "show objects" command returns all objects in Global Domain with any filter when "ip-only" flag is set to "true".

After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole.

When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue.

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base.

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

In rare scenarios in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

SmartConsole installation folder contains screenshots of legacy demo documents.

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable.

The Security Gateway may crash when running a memory leak detection procedure.

When adding a new RADIUS Server to Gaia, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

When Anti-Spoofing is enabled, the Security Gateway may crash.

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

In some scenarios, the FWD process is stuck during policy installation.

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

In rare scenarios when ISP Redundancy feature is enabled, default route disappears after policy installation.

Stability issues when ICAP client is active.

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the LightSpeed 10/25/40/100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on.

Policy installation from R81/R81.10 Security Management Server on R81.20 Security Gateway fails if Autonomous Threat Prevention mode is enabled.

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

In some scenarios, the Security Gateway may frequently crash, causing outages.

The Security Gateway with enabled Anti-Virus Blade may experience a memory allocation issue.

In a rare scenario, the MPDAEMON process may fail to start on one of the cluster members.

The certificate in SmartConsole is shown as valid, although it is expired.

Some logs with IP observables from custom intelligence feeds may be suppressed, although they contain different IP addresses.

The "ioc_feeds set interval -r" command may fail.

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

The Security Gateway becomes unresponsive when loading external IoC feeds on a Security Gateway with EXT3 filesystem.

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

The PDPD process may cause CPU spikes during cluster failover.

Connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs.

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

A memory leak may occur in the DLPU process.

The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade.

The WSTLSD process may unexpectedly exit and create core dump files.

In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode.

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

The cphaprob show_bond command does not show newly added subordinates from Virtual Systems (VSs).

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

A Hide NAT port may be allocated twice causing the "out of state" drops.

Multicast traffic may get dropped, and no logs are generated.

In a rare scenario, a CPAQ message sent during policy push does not have critical priority, and can be dropped when the Security Gateway is busy.

The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN".

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

The ROUTED daemon may repeatedly exit when using PIM in Sparse mode (SM).

OSPF routes may not be redistributed after reboot.

The IKED process unexpectedly exits when the "Aggressive SLP" (Simultaneous Login Prevention) feature is enabled.

• NAT-T traffic may stop matching the implied rule after policy installation and is dropped with "IKE_NAT_TRAVERSAL Traffic Dropped from x.x.x.x to y.y.y.y" message in SmartLog.

• VPND and IKED stability issues occur when loading newly created LDAP group objects.

Refer to sk180530.

After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only.

Stability issues for Data connections (RDP / RTP / FTP / ETC). Refer to sk179651.

StrongSWAN Remote Access client can connect but fails to access internal resources.

After an upgrade, the community name may not be visible from SmartView Monitor, and the "snmpwalk" command returns an empty value for this entry.

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

Some connections inspected by Threat Prevention Blade may not be closed successfully, which leads to connectivity issues.

When setting password hash on cloning group members, some members may not get updated.

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

When uninstalling a Jumbo Hotfix, some of the Management APIs may not work. The "gaia_api status" command returns an error and requests may fail.

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

The "lldpneighbors" Clish command may have a corrupted output. Refer to sk182065.

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

After an upgrade, the RADIUS Server is unavailable and authentication fails.

Endpoint Web Management service may fail to delete old logs.

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

Connectivity issues may occur between the Security Gateway and cluster on Alibaba cloud.

In some scenarios, when using static NAT, VoIP traffic may be affected.

SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926.

Optimized the SNMP communication between Security Gateway Module (SGM) and Security Switch Module (SSM) to prevent timeouts.

Running the "show" or "set" commands for SSH in gClish fails.

When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name.

The task in "cpd_sched_config" is not correctly added and performed because of predefined NTP Servers.