R81.20 Jumbo Hotfix Take 96

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 96

Released on 05 January 2025

Take 96 - New Functionality

PRJ-51150,
PMTR-90911,

PRJ-56796,

PMTR-93129

Security Management

NEW: In SmartConsole, the CSV export file of Access Policy NAT rules now contains the hit count data: "Hits", "First Hits" and "Last Hits" columns.

  • Requires R81.20 SmartConsole Build 661 or higher.

PRJ-56656,
PMTR-92241

Security Management

NEW: The "show nat-rule" and "show nat-rulebase" Management API commands now support displaying hit count data with optional date range filtering through the "show-hits true" parameter, allowing users to retrieve hit statistics for NAT rules with flexible time-based querying in JSON format.

Syntax examples:

  • mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" --format json

  • mgmt_cli show nat-rulebase offset 0 limit 20 details-level "standard" use-object-dictionary true package "standard" show-hits true --format json

  • mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" --format json

PRJ-56664,
PMTR-102617

Security Gateway

NEW: Updatable objects can now be updated through the Security Management Server by adding the "<ProxyRoute>1</ProxyRoute>" configuration entry in the $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml file on the Security Gateway. This enables proxy-based updates.

PRJ-54456,

PMTR-103606

Gaia OS

NEW: Added Two-Factor Authentication (2FA) support for Gaia OS login using time-based authenticator apps from Google and Microsoft. Refer to sk181854.

PRJ-52905,

PMTR-100688

Anti-Bot

NEW: Added protection that prevents multiple unsuccessful login attempts from Endpoint Security Client users connecting through a Remote Access VPN to the Security Gateway. This protection prevents brute-force attacks on Endpoint Security Client users' passwords. Refer to sk182087.

Take 96 - Improvements and Resolved Issues

PRJ-57490,
PMTR-108994

Security Management

UPDATE: The Management API command "set-https-rule" now automatically sets the negative value to "false" when modifying the destination, source, service, or site-category fields, regardless of its previous setting.

PRJ-54481,
CPDIAG-2743

CPView

UPDATE: Optimized the CPVIEWD daemon, which manages multiple general producers, to reduce CPU spiking and memory consumption.

PRJ-57159,
PRJ-57160

Logging

UPDATE: Improved Log Sharing functionality in the Infinity Portal, focusing on core stability and log status accuracy and detail level.

PRJ-51051,

ACCESS-613,

PMTR-110124

SD-WAN

UPDATE: The Security Gateway now automatically updates the configured application categories in Access Control and SD-WAN Policies with other applications and corresponding port ranges. Refer to sk182790.

PRJ-57923,

PMTR-104982

SecureXL

UPDATE: SD-WAN is now supported when SecureXL User Space Mode (UPPAK) is enabled.

PRJ-51225,
PRHF-31341

Gaia OS

UPDATE: Implemented robust path validation during user deletion to prevent unintended deletion of parent directories.

PRJ-56455

Scalable Platforms

UPDATE: Maestro Orchestrator WebUI now previews topology changes and a summary before applying them, and has improved error handling.

PRJ-57570,
PMTR-93424

Scalable Platforms

UPDATE: Optimized policy distribution to Maestro Security Group members to avoid failure under high load conditions.

PRJ-58356,

ODU-2139

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 124 via a self-updatable package. Refer to sk170314.

PRJ-58245,
ODU-2099

Automatic Updates - HCP

UPDATE: Added Update 20 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-55884,
PMTR-106113

Security Management

In some scenarios, the webservices_cmas_ports.conf file is not updated after Domain deletion from the Multi-Domain Security Management Server, and contains ports of deleted Domains.

PRJ-55320,
PMTR-104567

Security Management

Packet mode search does not return specific layered rules when an action is defined, unlike searches using only source and destination parameters.

PRJ-57335,
PMTR-105173

Security Management

The on-premises Security Management Server with a proxy address configured may fail to connect to the Infinity Portal.

PRJ-57906,
PRHF-36295

Security Management

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

PRJ-57272,

SDWANM-2320,

PMTR-108672

SmartConsole

When the Security Management has an additional NAT configuration in the SD-WAN policy (Infinity Portal), an indicating banner may not appear in SmartConsole NAT Rule Base. This is a cosmetic issue.

  • Requires R81.20 SmartConsole Build 661 or higher.

PRJ-55714,
PMTR-105491

Multi-Domain Security Management

During an upgrade, Global Policy Assignment on Active Domains may fail when performed from the Multi-Domain Security Management Server where the Global Domain is Standby.

PRJ-57530,
PRHF-36514

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments, login to SmartConsole fails.

PRJ-58518,

PMTR-110408

Logging

In some scenarios, in Log Servers or Multi-Domain Log Modules (MLM):

  • The SOLR process consumes high CPU.

  • There is a delay in displaying logs in the Logs view.

PRJ-56101,
PMTR-106586

Security Gateway

The server.log file of the ICAP Server is filled with "Failed to scan web object" entries. This is a cosmetic issue.

PRJ-56185,
PRHF-31197

Security Gateway

When enabling MDPS using the "set mdps mgmt plane on" command, the "Failed to commit transaction on database" error is shown instead of a message explaining that the management interface should be configured first.

PRJ-57843,
PMTR-109616

Security Gateway

In a rare scenario, when multiple Elephant Flows are running in parallel in the accelerated pipelining path, there may be high CPU utilization. Refer to sk183007.

PRJ-57267,

PMTR-108660

Security Gateway

DoS protection and connection rate limiting configurations may fail to effectively enforce rules.

PRJ-56507,
PMTR-107344

Security Gateway

When using HTTP/2 through a proxy, the Security Gateway may incorrectly add carriage return and newline characters (\r\n) to the X-Forwarded-For (XFF) header. This causes the header to become invalid and results in a connection failure. This issue only occurs when the Gateway is configured as a proxy.

PRJ-56761,
PMTR-107823

Security Gateway

In a rare scenario, the FWK process may exit because of an error that occurred in the accelerated pipelined path.

PRJ-58270,

PRHF-36963

Security Gateway

Security Gateway with QoS enabled may crash because of a rare race condition.

PRJ-54574,

PMTR-103054

SD-WAN

In a DAIP peer environment, a traffic outage may occur in SD-WAN during a dynamic IP change.

PRJ-57714,
PRHF-36800

SD-WAN

In a star community topology, SD-WAN overlay traffic connectivity may be disrupted due to unexpected routing and encryption configurations.

PRJ-57116,

SDWANGW-2623

SD-WAN

SD-WAN overlay traffic may experience an outage.

PRJ-50735,

PMTR-105178

SD-WAN

In some scenarios, when SD-WAN policy is enabled, open connections are not routed according to the SD-WAN decision.

PRJ-57567,
PMTR-109178

Internal CA

In a rare scenario, when running the cpca_client utility, the CPCA process on the Security Management Server may exit.

PRJ-49857,
PRHF-30600

Threat Prevention

In a rare scenario, Anti-Virus blade prevents benign traffic due to improper parsing of URL observables in IoC feeds. Refer to sk181519.

PRJ-57135,
PMTR-90069

Threat Prevention

When SSH Deep Packet Inspection (SSH DPI) is enabled, a bypass log entry may not be generated if no Threat Prevention blade is active on the connection. This is a cosmetic issue.

PRJ-58006,

PRHF-37011

Identity Awareness

IDA Captive Portal may not be available after Jumbo Hotfix Accumulator installation or after an upgrade using the Blink image. Refer to sk172324.

PRJ-57853,
PMTR-109709

Identity Awareness

Identity Broker Subscriber configured with recalculation of Access Roles does not match all Access Roles after User and Machine are identified.

PRJ-56868,
PRHF-35625,

PRJ-56872,
PRHF-35636

Identity Awareness

In rare scenarios:

  • The PDPD process may become unresponsive during termination.

  • PDP to PEP Identity synchronization fails on the PEP side when Identity Sharing is configured with PUSH Identity Sharing.

Refer to sk182613.

PRJ-56501,
PMTR-107149

ClusterXL

Connection to Loopback VIP (Virtual IP) may be dropped.

PRJ-57681,
PRHF-36561

SecureXL

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

PRJ-56400,
PMTR-107175

SecureXL

When modifying MTU settings on LightSpeed Line Card interfaces with SecureXL working in User mode (UPPAK) and not re-enabling both ports immediately after the change, persistent interface binding errors may be printed in the /var/log/usim_x86.elg file, such as "Failed to bind hairpin Tx 2 to Rx 3 (64 - all ports)".

PRJ-57611,
PRHF-36204

SecureXL

In some scenarios, after an update of the OS route configuration, there may be a significant delay in traffic passing through the Security Gateway when SecureXL works in the User space (UPPAK) mode. Refer to sk182740.

PRJ-57800,
PMTR-109570

SecureXL

Policy installation failures may cause "fwaccel dos" commands to stop working.

PRJ-57061,
PMTR-107742

Gaia OS

SW RAID (RAID-1) fails to resynchronize after formatting one of the SSD drives. This applies to these appliances: 15400, 15600, 5900, 6800, 16000, 16000T, 26000, 26000T, 6900, 7000, 16200, 28000, QLS250, QLS450, QLS650, QLS800, MLS200, MLS400.

PRJ-46985,
PRHF-27944

Gaia OS

When working with SNMP traps, Clish may become slow and unresponsive.

PRJ-56498,
PRHF-35416

VPN

There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730.

PRJ-53463,
PRHF-31882

VPN

In some scenarios, when Link Selection (LS) is configured, a traffic outage may occur after policy installation.

PRJ-53944,
PMTR-102412

VPN

The IKED daemon may exit during IKEv2 negotiation of SD-WAN with a DAIP peer.

PRJ-53949,
PMTR-98528

VPN

In a rare scenario, a memory leak may occur in the VPND process when IKEv2 Remote Access Clients are connected to the Security Gateway.

PRJ-56172,
PRHF-35251

VPN

An ECDH object may be deleted before its associated event has completed processing.

PRJ-56914,
PRHF-35806

VSX

In SmartConsole, in the Device and License Information view, the Compliance Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present.

PRJ-57058,

PRHF-34508

VSX

After a Jumbo Hotfix upgrade, the Mail Transfer Agent may fail on all Virtual Systems except one.

See the Critical Information section.

PRJ-49286,
PRHF-30172

Harmony Endpoint

Exclusions for Anti-Bot policy created through the WebUI do not correctly handle Cyrillic characters.

PRJ-58047

Scalable Platforms

During the Jumbo Hotfix Accumulator installation on an R81.20 Security Gateway or when adding a new Security Gateway to the environment, the member's state may experience intermittent flapping.

PRJ-57639,
PMTR-100964

Scalable Platforms

A Security Group Member may be in the Down state during the license distribution to Maestro Security Group members. Refer to sk181245.

PRJ-53749,
PRHF-33320

Scalable Platforms

A Maestro Security Group Member may fail to initialize after enabling IPv6 and remain stuck with the pull_config pnote.

PRJ-57480,

PMTR-109043

Scalable Platforms

During a Maestro upgrade, if one of the Security Gateway members becomes unresponsive or enters a DETACH/LOST state, policy installation from SmartConsole fails.