R81.20 Jumbo Hotfix Take 89

 

Note - This Take contains all fixes from all earlier Takes.

ID | Product | Description

Take 89

Released on 06 October 2024 and declared as Recommended on 28 October 2024

Take 89 - New Functionality

 

PRJ-55547,
PMTR-104635

SmartProvisioning

NEW: Added a new "show-statuses" boolean parameter to the "show lsm-gateway" and "show lsm-cluster" Management API commands. When set to "true", this parameter displays the Security Policy and Provisioning Settings statuses for the LSM Security Gateway or Cluster.

PRJ-53065,
PMTR-101214

Identity Awareness

NEW: This Take introduces three SAML Authentication enhancements:

  • Request Signing: the gateway signs the SAML authentication requests it sends, so the Identity Provider can verify that each request is authentic and was not modified in transit.

  • Assertion Decryption: the gateway can decrypt SAML assertions that the Identity Provider encrypts, which protects the confidentiality of the user attributes they carry.

  • Forced Re-authentication: the Identity Provider is required to authenticate the user again for every new session instead of reusing an existing IdP session.

Administrators gain finer control over the authentication policy, and the gateway can meet the requirements of high-security environments and of Identity Providers that mandate these options.

PRJ-56237,
MBS-17283

Scalable Platforms

NEW: Added support for these features in Maestro Security Groups:

  • SecureXL User Space (UPPAK) mode. Refer to sk153832.

  • Hardware Acceleration in Acceleration cards. Refer to sk179432.

Applies only to these appliance models:

  • Quantum Force 29100, 29200

  • Quantum Force 19100, 19200

  • Quantum Force 9700, 9800

  • Quantum LightSpeed QLS250, QLS450

  • Quantum LightSpeed MLS200, MLS400

Take 89 - Improvements and Resolved Issues

 

PRJ-52882

SD-WAN

UPDATE: When Security Management disconnects from the cloud via the Infinity Services tab in SmartConsole, agents now automatically disconnect as well. Refer to sk180557.

PRJ-54683,
PMTR-104266

Mobile Access

UPDATE: Resolved CVE-2024-31497. The PuTTY version used by the Mobile Access Portal Embedded SSL Network Extender application is upgraded from 0.80 to 0.81. CVE-2024-31497 is a biased ECDSA nonce generation flaw for NIST P-521 (ecdsa-sha2-nistp521) keys that allows recovery of the private key from a few dozen signatures; any P-521 keys that were used with the vulnerable version should be treated as compromised and replaced.

PRJ-56336,
PMTR-107058

Gaia OS

UPDATE: Resolved CVE-2024-3596 (Blast-RADIUS) for RADIUS authentication in Gaia Portal and Gaia Clish. Blast-RADIUS lets an attacker positioned between the RADIUS client and server turn an Access-Reject into an Access-Accept by forging the MD5-based Response Authenticator with a chosen-prefix collision; the published mitigation is to send and require the RFC 2869 Message-Authenticator attribute, which is an HMAC keyed with the shared secret. Refer to sk182516.
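The following is an added example, not part of these release notes and not Check Point's code, showing the client-side RADIUS response checks from RFC 2865 and RFC 2869 that the Blast-RADIUS guidance relies on. It builds a genuine Access-Accept, a stand-in for a forged one (an Accept with a valid Response Authenticator but no Message-Authenticator; it is produced here with the shared secret because the MD5 collision itself cannot be reproduced in an example), and a naively tampered Reject, then verifies each with and without the "require Message-Authenticator" policy. The shared secret, identifiers and attribute values are constructed; nothing here describes how Gaia implements the fix.

```python
"""Added example: RFC 2865/2869 RADIUS response verification on the client side."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14
HEADER_LEN = 20                   # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs):
    """Encode [(type, value), ...] as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(blob):
    """Inverse of encode_attrs; rejects truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret, with_ma=True):
    """Server side: Accept/Reject for the request whose Request Authenticator is
    request_auth. with_ma=False yields the legacy form protected only by MD5."""
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    if with_ma:
        # HMAC-MD5 over the packet with the *Request* Authenticator in the header
        # and the Message-Authenticator value zeroed (RFC 2869 section 5.14).
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
        body = encode_attrs(attrs)
        header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(pkt, request_auth, secret, require_ma=True):
    """Client side. Returns (accepted, reason). require_ma=False is the weak
    behaviour Blast-RADIUS exploits: the MD5 check alone is forgeable."""
    if len(pkt) < HEADER_LEN:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False, "bad length or code"
    response_auth, body = pkt[4:HEADER_LEN], pkt[HEADER_LEN:]
    expected = hashlib.md5(pkt[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(response_auth, expected):
        return False, "bad Response Authenticator"
    try:
        attrs = parse_attrs(body)
    except ValueError as exc:
        return False, str(exc)
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        if require_ma:
            return False, "Message-Authenticator missing"
        return True, "accepted on Response Authenticator only (forgeable)"
    if len(mas) != 1 or len(mas[0]) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected_ma = hmac.new(secret, pkt[:4] + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mas[0], expected_ma):
        return False, "bad Message-Authenticator"
    return True, "accepted"


def demo():
    """Genuine, forged-style and tampered responses; returns (accepted, reason) per case."""
    secret = b"constructed-shared-secret"   # constructed for the example, not a real secret
    request_auth = os.urandom(16)           # Request Authenticator the client sent
    ident, attrs = 0x2A, [(ATTR_USER_NAME, b"alice")]
    genuine = build_response(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    # Outcome of a successful Blast-RADIUS forgery: Accept with a valid Response
    # Authenticator and no Message-Authenticator (built with the secret here only
    # because the collision is not reproducible in an example).
    forged = build_response(ACCESS_ACCEPT, ident, request_auth, attrs, secret, with_ma=False)
    reject = build_response(ACCESS_REJECT, ident, request_auth, attrs, secret)
    tampered = bytes([ACCESS_ACCEPT]) + reject[1:]   # code flipped, no collision: MD5 catches it
    return {
        "genuine": verify_response(genuine, request_auth, secret),
        "forged_legacy_client": verify_response(forged, request_auth, secret, require_ma=False),
        "forged_strict_client": verify_response(forged, request_auth, secret),
        "tampered": verify_response(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} {result}")
```

The "forged_legacy_client" case is the pre-fix failure mode: the MD5 Response Authenticator checks out, so the client accepts an Accept the server never sent. The same packet is rejected once a Message-Authenticator is required, and a client should also include the attribute in its own Access-Requests so that servers have no reason to omit it in replies.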

PRJ-54420,
PRHF-33584

Security Management

UPDATE: Policy installation duration with hundreds of layers is improved by approximately 30%.

PRJ-50774,
PRHF-30910

Logging

UPDATE: Port 8211 now accepts TLS connections that negotiate the cipher suite ECDHE-RSA-AES256-GCM-SHA384 (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).

PRJ-54499,
PRHF-33612

Security Gateway

UPDATE: Optimized the Generic Data Center JSON file processing on the Security Gateways to improve performance when handling large numbers of IP ranges.

PRJ-54138,
PMTR-103001

SSL Inspection

UPDATE: Added a log for connections rejected because of short Server certificate public key size (RSA 1024 bits or less, ECDSA 256 bits or less).

PRJ-55747,
PMTR-104855

Threat Prevention

UPDATE: Added the "track-settings.forensics" parameter to the "threat-rule" Management API commands to enable or disable the "forensics" option in the rule's "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true".

PRJ-52347,
PMTR-98920

Scalable Platforms

UPDATE: It is now possible to add more than fourteen members per site in a Single Site topology.

PRJ-56681,
PRJ-57027,
PRJ-57263,
ODU-2035,
ODU-2019,
ODU-1955

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Takes 118, 119 and 120 via a self-updatable package. Refer to sk170314.

PRJ-51503,
PRHF-31420

Security Management

In rare scenarios, an upgrade of a Multi-Domain Security Management Server fails with "Cancelled due to a failure in other domain" in the upgrade report.

  • This fix takes effect only if the upgrade to this Jumbo Hotfix Take is performed with a Blink image or via the Advanced Upgrade method.

PRJ-56003,
PRHF-34871

Security Management

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

PRJ-55934,
PRHF-34584

Security Management

In rare scenarios, login to SmartConsole fails with a timeout.

PRJ-55332,
PRHF-34049

Security Management

If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance.

PRJ-55447,
PRHF-33832

Security Management

If any single Data Center fails to register, the registration of all Data Center assets to the Security Management Server also fails.

PRJ-55929,
PRHF-34912

Security Management

The Revisions Purge process may stall if initiated after restarting the Security Management Server or Multi-Domain Security Management Server because of remnants of a previously interrupted Revisions Purge operation.

PRJ-56153,
PRHF-35121

Security Management

In rare scenarios, the Revisions tab in SmartConsole shows "Error retrieving results".

PRJ-56212,
PRHF-35143

Security Management

The database size on the Secondary Management Server increases if dbedit is used without making or saving any changes. Refer to sk182519.

PRJ-55798,
PRHF-34671

Security Management

SmartConsole may close during login because of repeated attempts to discard a non-existent work session.

PRJ-55907,
PRHF-34904

Security Management

In rare scenarios, revert to a Database Revision may get stuck on 60% and eventually fail.

PRJ-55444,
PRHF-34146

Security Management

Accelerated Policy installation may get stuck with the "Policy installation (queued)" status.

PRJ-55335,
PRHF-33993

Security Management

In rare scenarios, login to SmartView web application using the Domain IP address or Domain name fails.

PRJ-52058,
PRHF-31798

Security Management

In a Management High Availability environment, the Standby Security Management Server may not update the "Installation date" during policy installation on Security Gateways/Clusters.

PRJ-54734,
PRHF-33948

Security Management

In rare scenarios, the CPD process may unexpectedly exit and create a core dump file.

PRJ-57031,
PRHF-30884

Security Management

Log queries fail with the error "Problems have occurred during search" when Domain migration is in progress. This occurs specifically during the execution of "export-management" or "import-management" Management API commands.

PRJ-54507,
PMTR-102800

Multi-Domain Security Management

Global Domain Assignment may fail with "Internal Error" if the assigned Domain is currently Active on a different Multi-Domain Security Management Server.

PRJ-42135,
PRHF-25935

CPView

In a rare scenario, when running the CPView utility, the Security Gateway may crash.

PRJ-54064,
PMTR-102780

Logging

In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file.

PRJ-44900,
PRHF-24639

Logging

In rare scenarios, the Logs view may display unexpected blank lines or gaps in the chronological sequence of entries.

PRJ-53219,
PRHF-32587

Logging

When adding a table widget to a SmartView report:

  • The "Missed Malware Activity" and "Spyware Action" fields may not be possible to pick.

  • The "Malware Action" filter may appear twice in the picker. Refer to sk182049.

PRJ-46849,
PRJ-46579

Logging

RAD error messages may be printed to the fwk.elg file during cpstop and cpstart on the Security Gateway. The issue is cosmetic only.

PRJ-50613,
PRHF-29955

Logging

The FWD process may exit and cause issues with opening packet capture files on remote members.

PRJ-48772,
PRHF-30060

Logging

The "show logs" Management API command may show partial information for the fields with multiple values.

PRJ-46890,
PRHF-29024

Security Gateway

Incorrect value in the "fwisusfw" register causes improper CPU affinity and dynamic balancing initialization in User Space Firewall mode after an upgrade. Refer to sk182004.

PRJ-54415,
PRHF-33710

Security Gateway

In a VSX Cluster environment, the CPVIEWD daemon may cause high CPU usage.

PRJ-55579,
PMTR-104837

Security Gateway

A buffer overflow may occur in the HTTP flow, affecting the FWK process.

PRJ-45951,
PRHF-28371

Security Gateway

During policy installation, Rule Base internal error drops may be shown in the SmartConsole logs. Logs related to "dynobjs" may be printed in Messages.

PRJ-57108,
PRHF-36116

Security Gateway

Memory leak may occur in SecureXL templates. Refer to sk182648.

See the Important Notes section.

PRJ-55803,
PRHF-34726

Security Gateway

The Security Gateway may fail to resolve external Network Feeds whose URL contains a port number (such as "https://example.com:8080/feed.csv"). Refer to sk182684.

PRJ-52411,
PRHF-31919

Security Gateway

The PDPD process memory consumption may be high when using an Azure AD object.

PRJ-53636,
PMTR-101538

Security Gateway

In a Maestro Security Group using VSX mode with diverse appliance models and active dynamic balancing, DSD pnotes may appear on member devices and cause a failover from an SMO member. This occurs when the default number of FWK instances on these members differs from the SMO default setting.

PRJ-48105,
PRHF-29616

Security Gateway

Outages may occur when the FWD process exits or restarts and a Security Group Member goes down, triggering a Scalable Chassis failover.

PRJ-53543,
PRHF-32797

Threat Prevention

In some scenarios, an external IoC may not be enforced on Sub-domains of a Domain that is listed in the feed.

PRJ-56096,
PMTR-106568

Threat Prevention

SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other Threat Prevention products are disabled.

PRJ-55989,
PMTR-104285

Threat Prevention

In a rare scenario, Threat Prevention policy installation may fail after an over-the-air (OTA) package update of TP_CONF_SERVICE. Refer to sk182572.

PRJ-55763,
PMTR-104381

Threat Prevention

In rare scenarios, policy installation may fail after an upgrade of a VSX Gateway.

PRJ-46349,
PRHF-27721

Threat Emulation

The ICAP client may send the file name in the "Content-Disposition" header in the extended, percent-encoded "filename*=" form (RFC 5987 / RFC 6266) instead of the plain "filename=" form, and the Threat Emulation blade did not process such files.

PRJ-51492,
PRHF-31582

Threat Emulation

When using ICAP, file name handling occasionally fails. As a result, the Threat Emulation blade may not process the affected file.
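Both of the ICAP entries above (PRJ-46349 and PRJ-51492) come down to parsing the file name out of a Content-Disposition header. The following is an added example, not from these release notes and not Check Point's code, of a parser that handles the plain "filename=" form and the extended "filename*=" form per RFC 6266 and RFC 5987: it prefers "filename*" when it decodes cleanly, falls back to "filename" when the extended value is malformed or uses an unsupported charset, and strips directory components so that a header cannot smuggle a path. The sample headers are constructed for the example.

```python
"""Added example: RFC 6266 / RFC 5987 Content-Disposition filename extraction."""
import re
from urllib.parse import unquote

# parameter-name "=" (quoted-string | anything up to the next ';'); the optional
# trailing '*' marks an RFC 5987 extended parameter such as filename*.
_PARAM = re.compile(r'([A-Za-z0-9!#$&+.^_`|~-]+\*?)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')

# Constructed sample headers (not taken from any real ICAP exchange).
SAMPLES = {
    "ext_only": "attachment; filename*=UTF-8''%E2%82%AC%20rates.pdf",
    "plain_only": 'attachment; filename="report.docx"',
    "both": "attachment; filename=\"fallback.txt\"; filename*=utf-8'en'na%C3%AFve.txt",
    "traversal": 'attachment; filename="..\\..\\evil.exe"',
    "bad_charset": "attachment; filename*=ISO-8859-99''x.pdf; filename=ok.pdf",
    "no_name": "inline",
}


def parse_content_disposition(header):
    """Split 'type; k=v; k*=v' into (type, {lowercased_name: raw_value})."""
    disp, _, rest = header.partition(";")
    params = {m.group(1).lower(): m.group(2) for m in _PARAM.finditer(rest)}
    return disp.strip().lower(), params


def _strip_quotes(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        # Quoted-pair unescaping is deliberately omitted: RFC 6266 notes that
        # senders should not rely on it, and Windows paths often carry literal '\'.
        return value[1:-1]
    return value


def decode_ext_value(value):
    """RFC 5987 ext-value: charset "'" [language] "'" pct-encoded-text.
    Raises ValueError / LookupError / UnicodeDecodeError when unparseable."""
    parts = value.split("'", 2)
    if len(parts) != 3:
        raise ValueError("ext-value needs two single quotes")
    charset, _language, encoded = parts
    if charset.upper() not in ("UTF-8", "ISO-8859-1"):  # the charsets RFC 5987 mandates
        raise LookupError(f"unsupported charset {charset!r}")
    return unquote(encoded, encoding=charset, errors="strict")


def extract_filename(header):
    """Prefer filename* over filename (RFC 6266 section 4.3), fall back when the
    extended value cannot be decoded, and drop any directory components."""
    _, params = parse_content_disposition(header)
    name = None
    if "filename*" in params:
        try:
            name = decode_ext_value(_strip_quotes(params["filename*"]))
        except (ValueError, LookupError, UnicodeDecodeError):
            name = None
    if name is None and "filename" in params:
        name = _strip_quotes(params["filename"])
    if not name:
        return None
    # Receivers must ignore path information in the file name (RFC 6266 section
    # 4.3); this also neutralises "../" and "..\" traversal attempts in the header.
    name = re.split(r"[\\/]", name)[-1].strip()
    return name or None


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:12s} -> {extract_filename(header)!r}")
```

The failure mode in the entries above is a receiver that only looks for "filename=": the "ext_only" sample then yields no name at all and the file is skipped rather than inspected. Treating an undecodable "filename*" as absent (rather than as an error that aborts processing) keeps the fallback name available, and the final path-stripping step matters for any component that later writes the file to disk under that name.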

PRJ-51606,
PMTR-98865

Identity Awareness

In a rare scenario, the PDPD process on Security Gateway with configured Identity Broker may become unresponsive while processing identity updates. Refer to sk182635.

PRJ-54326,
PRHF-33541

Identity Awareness

In rare scenarios, while handling a new connection, the PDPD process can become unresponsive. Refer to sk182220.

PRJ-55437,
PRHF-31271

Application Control

APPI tenant restriction may not function as expected when the application is not included in the policy or when extended logging is not enabled.

PRJ-55460,
PRHF-34098

URL Filtering

In scenarios where there is a heavy load on the machine, the RAD queue can fill up and get clogged by unhandled requests, causing an outage and traffic disruption.

PRJ-54192,
PRHF-31001

Anti-Bot

The Anti-Bot Blade may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494.

PRJ-54445,
PMTR-103889

Mobile Access

HTTPS access to the Mobile Access Portal may be down.

PRJ-56222,
PRHF-35271

Mobile Access

The "citrixStrictTicketEnforcement" parameter set in the configuration file may not work as expected.

PRJ-55634,
PRHF-27989

ClusterXL

After modifying a bond, the Monitored VLANs may disappear. Refer to sk180724.

PRJ-55955,
PMTR-105602

SecureXL

The Security Gateway may crash in Bridge mode or in Non-Bridge mode when the number of MAC addresses in its network interface card's table exceeds the hardware capacity limit.

PRJ-56061,
PRHF-34672

SecureXL

When attempting to set a MAC address for a VXLAN interface using Clish, Clish displays a warning message and prevents the MAC address from being set.

PRJ-56367,
PRHF-35417

SecureXL

After installation with Gaia Fast Deployment (Blink), SecureXL User Mode (UPPAK) becomes disabled.

PRJ-56011,
PRHF-34987

SecureXL

In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures.

PRJ-51111,
PMTR-97788

SecureXL

SYN Defender configuration in Inspection Settings on the Security Management Server may not be applied on Accelerated Policy installation.

PRJ-56433,
PMTR-107256

Routing

A Dynamic Routing outage may occur in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation or uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556.

PRJ-54408,
PRHF-33153

Routing

A multicast outage may occur after a failover triggered by incomplete processing of cluster synchronization messages.

PRJ-53175,
PMTR-101331

Routing

Graceful Restart may end prematurely in OSPF NSSA areas.

PRJ-53828,
PMTR-95640

Routing

A multicast outage may occur during failovers caused by interface flaps.

PRJ-53315,
PMTR-101682

VPN

The "vpn tu tlist" command may take a long time to execute, depending on the number of disconnected tunnels.

PRJ-50090,
PMTR-90101

VPN

By default, the VPN permanent tunnel is configured to use "tunnel test" instead of "DPD". This configuration may cause inaccurate permanent tunnel status reporting when connecting to third-party devices.

PRJ-54547,
PMTR-104228

VPN

BGP peering over Route-based VPN may fail because Azure cluster members use their own IP address as source instead of the Virtual IP address, preventing proper routing protocol establishment.

PRJ-56673,
PRHF-35637

VSX

Memory corruption occurs when a bond interface is configured, leading to a Security Gateway crash with a vmcore or a boot loop.

PRJ-57426,
PRHF-36390

Scalable Platforms

In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connections going through a Site-to-Site VPN to a remote location may be dropped with "First packet isn't SYN".

See the Important Notes section.

PRJ-53310,
PMTR-95877

Scalable Platforms

In Quantum Maestro/Scalable Chassis environments, when using the Threat Prevention Blade in the Security Group, the entitlement_status_collector_db.C files may be inconsistent between the Security Group Members.

PRJ-51192,
PRHF-29670

Scalable Platforms

Security Group Member in a VSX environment is in a boot loop after creating a new Virtual System with a WRP interface. Refer to sk182476.

PRJ-56115

IoT Protect

After a Multi-Domain Security Management Server upgrade, the Domain configuration file iot-on-board.conf is not saved.