R81.20 Jumbo Hotfix Take 89

Note - This Take contains all fixes from all earlier Takes.

Take 89 was released on 06 October 2024 and declared as Recommended on 28 October 2024.

Take 89 - New Functionality

| ID | Product | Description |
|---|---|---|
| PRJ-55547 | SmartProvisioning | NEW: Added a new "show-statuses" boolean parameter to the "show lsm-gateway" and "show lsm-cluster" Management API commands. When set to "true", this parameter displays the Security Policy and Provisioning Settings statuses for the LSM Security Gateway or Cluster. |
| PRJ-53065 | Identity Awareness | NEW: This upgrade introduces three important SAML Authentication enhancements: Administrators gain more control over security policies, while the system becomes more adaptable to various high-security environments and Identity Provider requirements. |
| PRJ-56237, MBS-17283 | Scalable Platforms | NEW: Added support for these features in Maestro Security Groups: Applies only to these appliance models: |

Take 89 - Improvements and Resolved Issues

| ID | Product | Description |
|---|---|---|
| PRJ-52882 | SD-WAN | UPDATE: When Security Management disconnects from the cloud via the Infinity Services tab in SmartConsole, agents now automatically disconnect as well. Refer to sk180557. |
| PRJ-54683 | Mobile Access | UPDATE: Resolved CVE-2024-31497. The PuTTY version used in the Mobile Access Portal Embedded SSL Network Extender application is upgraded from version 0.80 to version 0.81. |
| PRJ-56336 | Gaia OS | UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks for Gaia Portal and Gaia Clish. Refer to sk182516. |
| PRJ-54420 | Security Management | UPDATE: Policy installation duration with hundreds of layers is improved by approximately 30%. |
| PRJ-50774 | Logging | UPDATE: Port 8211 now accepts connections with the cipher ECDHE_RSA_AES_256_GCM_SHA384. |
| PRJ-54499 | Security Gateway | UPDATE: Optimized the Generic Data Center JSON file processing on the Security Gateways to improve performance when handling large numbers of IP ranges. |
| PRJ-54138 | SSL Inspection | UPDATE: Added a log for connections rejected because of a short Server certificate public key size (RSA 1024 bits or less, ECDSA 256 bits or less). |
| PRJ-55747 | Threat Prevention | UPDATE: Added the "trackSettings.forensics" parameter to the "threat-rule" Management API command to enable and disable the "forensics" option in the "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true". |
| PRJ-52347 | Scalable Platforms | UPDATE: It is now possible to add more than fourteen members per site in a Single Site topology. |
| PRJ-56681, PRJ-57027, PRJ-57263, ODU-2035, ODU-2019, ODU-1955 | Automatic Updates - Web SmartConsole | UPDATE: New features and improvements are released in Takes 118, 119, and 120 via a self-updatable package. Refer to sk170314. |
| PRJ-51503 | Security Management | In rare scenarios, an upgrade of a Multi-Domain Security Management Server fails with "Cancelled due to a failure in other domain" in the upgrade report. |
| PRJ-56003 | Security Management | In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file. |
| PRJ-55934 | Security Management | In rare scenarios, login to SmartConsole fails with a timeout. |
| PRJ-55332 | Security Management | If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance. |
| PRJ-55447 | Security Management | If any single Data Center fails to register, the registration of all Data Center assets to the Security Management Server also fails. |
| PRJ-55929 | Security Management | The Revisions Purge process may stall if initiated after restarting the Security Management Server or Multi-Domain Security Management Server, because of remnants of a previously interrupted Revisions Purge operation. |
| PRJ-56153 | Security Management | In rare scenarios, the Revisions tab in SmartConsole shows "Error retrieving results". |
| PRJ-56212 | Security Management | The database size on the Secondary Management Server increases if dbedit is used without making or saving any changes. Refer to sk182519. |
| PRJ-55798 | Security Management | SmartConsole may close during login because of repeated attempts to discard a non-existent work session. |
| PRJ-55907 | Security Management | In rare scenarios, a revert to a Database Revision may get stuck at 60% and eventually fail. |
| PRJ-55444 | Security Management | Accelerated Policy installation may get stuck with the "Policy installation (queued)" status. |
| PRJ-55335 | Security Management | In rare scenarios, login to the SmartView web application using the Domain IP address or Domain name fails. |
| PRJ-52058 | Security Management | In a Management High Availability environment, the Standby Security Management Server may not update the "Installation date" during policy installation on Security Gateways/Clusters. |
| PRJ-54734, PRHF-33948 | Security Management | In rare scenarios, the CPD process may unexpectedly exit and create a core dump file. |
| PRJ-57031, PRHF-30884 | Security Management | Log queries fail with the error "Problems have occurred during search" when a Domain migration is in progress. This occurs specifically during the execution of the "export-management" or "import-management" Management API commands. |
| PRJ-54507 | Multi-Domain Security Management | Global Domain Assignment may fail with "Internal Error" if the assigned Domain is currently Active on a different Multi-Domain Security Management Server. |
| PRJ-42135 | CPView | In a rare scenario, when running the CPView utility, the Security Gateway may crash. |
| PRJ-54064 | Logging | In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file. |
| PRJ-44900 | Logging | In rare scenarios, the Logs view may display unexpected blank lines or gaps in the chronological sequence of entries. |
| PRJ-53219 | Logging | When adding a table widget to a SmartView report: |
| PRJ-46849 | Logging | RAD error messages may be printed to the fwk.elg file during cpstop;cpstart on the Security Gateway. The issue is cosmetic only. |
| PRJ-50613 | Logging | The FWD process may exit and cause issues with opening packet capture files on remote members. |
| PRJ-48772 | Logging | The "show logs" Management API command may show partial information for fields with multiple values. |
| PRJ-46890 | Security Gateway | An incorrect value in the "fwisusfw" register causes improper CPU affinity and dynamic balancing initialization in User Space Firewall mode after an upgrade. Refer to sk182004. |
| PRJ-54415 | Security Gateway | In a VSX Cluster environment, the CPVIEWD daemon may cause high CPU usage. |
| PRJ-55579 | Security Gateway | A buffer overflow may occur in the HTTP flow, affecting the FWK process. |
| PRJ-45951 | Security Gateway | During policy installation, Rule Base internal error drops may be shown in the SmartConsole logs. Logs related to "dynobjs" may be printed in the Messages log. |
| PRJ-57108, PRHF-36116 | Security Gateway | A memory leak may occur in SecureXL templates. Refer to sk182648. See the Important Notes section. |
| PRJ-55803 | Security Gateway | The Security Gateway may fail to resolve external Network Feeds whose URL contains a port number (such as "https://example.com:8080/feed.csv"). Refer to sk182684. |
| PRJ-52411 | Security Gateway | The PDPD process memory consumption may be high when using an Azure AD object. |
| PRJ-53636 | Security Gateway | In a Maestro Security Group using VSX mode with diverse appliance models and active dynamic balancing, DSD pnotes may appear on member devices and cause a failover from an SMO member. This occurs when the default number of FWK instances on these members differs from the SMO default setting. |
| PRJ-48105 | Security Gateway | Outages may occur when the FWD process exits or restarts and a Security Group Member goes down, triggering a Scalable Chassis failover. |
| PRJ-53543 | Threat Prevention | In some scenarios, an external IoC may not be enforced on Sub-domains of a Domain that is listed in the feed. |
| PRJ-56096 | Threat Prevention | SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other Threat Prevention products are disabled. |
| PRJ-55989 | Threat Prevention | In a rare scenario, Threat Prevention policy installation may fail after an over-the-air (OTA) package update of TP_CONF_SERVICE. Refer to sk182572. |
| PRJ-55763, PMTR-104381 | Threat Prevention | In rare scenarios, policy installation may fail after an upgrade of a VSX Gateway. |
| PRJ-46349 | Threat Emulation | The ICAP client may send the file name under "Content-Disposition" in an unsupported format, written as "filename*=" instead of "filename=", and the Threat Emulation blade does not process such files. |
| PRJ-51492 | Threat Emulation | When using ICAP, filename handling occasionally fails. As a result, the Threat Emulation Blade may not be able to process this specific file. |
| PRJ-51606 | Identity Awareness | In a rare scenario, the PDPD process on a Security Gateway with a configured Identity Broker may become unresponsive while processing identity updates. Refer to sk182635. |
| PRJ-54326 | Identity Awareness | In rare scenarios, while handling a new connection, the PDPD process can become unresponsive. Refer to sk182220. |
| PRJ-55437 | Application Control | APPI tenant restriction may not function as expected when the application is not included in the policy or when extended logging is not enabled. |
| PRJ-55460 | URL Filtering | In scenarios where there is a heavy load on the machine, the RAD queue can fill up and get clogged by unhandled requests, causing an outage and traffic disruption. |
| PRJ-54192, PRHF-31001 | Anti-Bot | The Anti-Bot Blade may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494. |
| PRJ-54445 | Mobile Access | HTTPS access to the Mobile Access Portal may be down. |
| PRJ-56222 | Mobile Access | The "citrixStrictTicketEnforcement" parameter set in the configuration file may not work as expected. |
| PRJ-55634 | ClusterXL | After modifying a bond, the Monitored VLANs may disappear. Refer to sk180724. |
| PRJ-55955 | SecureXL | The Security Gateway may crash in Bridge mode or in Non-Bridge mode when the number of MAC addresses in its network interface card's table exceeds the hardware capacity limit. |
| PRJ-56061 | SecureXL | When attempting to set a MAC address for a VXLAN interface using Clish, Clish displays a warning message and prevents the MAC address from being set. |
| PRJ-56367, PRHF-35417 | SecureXL | After installation with Gaia Fast Deployment (Blink), SecureXL User Mode (UPPAK) becomes disabled. |
| PRJ-56011 | SecureXL | In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures. |
| PRJ-51111 | SecureXL | SYN Defender configuration in Inspection Settings on the Security Management Server may not be applied on Accelerated Policy installation. |
| PRJ-56433 | Routing | A Dynamic Routing outage may occur in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation / uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556. |
| PRJ-54408 | Routing | A multicast outage may occur after a failover triggered by incomplete processing of cluster synchronization messages. |
| PRJ-53175 | Routing | Graceful Restart may end prematurely in OSPF NSSA areas. |
| PRJ-53828 | Routing | A multicast outage may occur during failovers caused by interface flaps. |
| PRJ-53315 | VPN | The "vpn tu tlist" command may take a long time to execute, depending on the number of disconnected tunnels. |
| PRJ-50090 | VPN | By default, the VPN permanent tunnel is configured to use "tunnel test" instead of "DPD". This configuration may cause inaccurate permanent tunnel status reporting when connecting to third-party devices. |
| PRJ-54547 | VPN | BGP peering over Route-based VPN may fail because Azure cluster members use their own IP address as the source instead of the Virtual IP address, preventing proper routing protocol establishment. |
| PRJ-56673, PRHF-35637 | VSX | Memory corruption occurs when a bond interface is configured, leading to a Security Gateway crash with a vmcore or a boot loop. |
| PRJ-57426, PRHF-36390 | Scalable Platforms | In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connections going through a Site to Site VPN to a remote location may be dropped with "First packet isn't SYN". See the Important Notes section. |
| PRJ-53310 | Scalable Platforms | In Quantum Maestro/Scalable Chassis environments, when using the Threat Prevention Blade in the Security Group, the entitlement_status_collector_db.C files may be inconsistent between the Security Group Members. |
| PRJ-51192 | Scalable Platforms | A Security Group Member in a VSX environment enters a boot loop after creating a new Virtual System with a WRP interface. Refer to sk182476. |
| PRJ-56115 | IoT Protect | After a Multi-Domain Security Management Server upgrade, the Domain configuration file iot-on-board.conf is not saved. |