R81.20 Jumbo Hotfix Take 96


Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 96

Released on 05 January 2025

Take 96 - New Functionality


PRJ-51150,
PMTR-90911,
PRJ-56796,
PMTR-93129

Security Management

NEW: In SmartConsole, the CSV export file of Access Policy NAT rules now contains the hit count data: "Hits", "First Hits" and "Last Hits" columns.

  • Requires R81.20 SmartConsole Build 661 or higher.

PRJ-56656,
PMTR-92241

Security Management

NEW: The "show nat-rule" and "show nat-rulebase" Management API commands now display hit count data when the "show-hits true" parameter is passed. The date range can optionally be limited with the "hits-settings.from-date" and "hits-settings.to-date" parameters, so hit statistics for NAT rules can be queried for a chosen period and returned in JSON format.

Syntax examples:

  • mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" --format json

  • mgmt_cli show nat-rulebase offset 0 limit 20 details-level "standard" use-object-dictionary true package "standard" show-hits true --format json

  • mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" --format json

PRJ-56664,
PMTR-102617

Security Gateway

NEW: Updatable objects can now be updated through the Security Management Server by adding the "<ProxyRoute>1</ProxyRoute>" configuration entry in the $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml file on the Security Gateway. This enables proxy-based updates.

PRJ-54456,
PMTR-103606

Gaia OS

NEW: Added Two-Factor Authentication (2FA) support for Gaia OS login using time-based authenticator apps from Google and Microsoft. Refer to sk181854.

PRJ-52905,
PMTR-100688

Anti-Bot

NEW: Added a protection against multiple unsuccessful login attempts by Endpoint Security Client users connecting through a Remote Access VPN to the Security Gateway. This protection prevents brute-force attacks on the passwords of Endpoint Security Client users. Refer to sk182087.

PRJ-53878,
PRJ-54023,
PRHF-33261,
PRHF-32290

Identity Awareness

NEW: Added new OID (1.3.6.1.4.1.2620.1.38.55) to monitor the Identity Collector connection status in the $CPDIR/lib/snmp/chkpnt.mib file.

  • This capability is supported for Identity Collector agents running with version R82.120.0000 or higher.

Take 96 - Improvements and Resolved Issues


PRJ-57490,
PMTR-108994

Security Management

UPDATE: The Management API command "set-https-rule" now automatically resets the negation setting of the destination, source, service, or site-category field to "false" when that field is modified, regardless of its previous setting.

PRJ-54481,
CPDIAG-2743

CPView

UPDATE: Optimized the CPVIEWD daemon, which manages multiple general producers, to reduce CPU spiking and memory consumption.

PRJ-57159,
PRJ-57160

Logging

UPDATE: Improved the Log Sharing functionality in the Infinity Portal, with a focus on core stability and on the accuracy and detail level of the reported log status.

PRJ-51051,
ACCESS-613,
PMTR-110124

SD-WAN

UPDATE: The Security Gateway now automatically updates the application categories configured in the Access Control and SD-WAN Policies with additional applications and their corresponding port ranges. Refer to sk182790.

PRJ-57923,
PMTR-104982

SecureXL

UPDATE: SD-WAN is now supported when SecureXL User Space Mode (UPPAK) is enabled.

PRJ-51225,
PRHF-31341

Gaia OS

UPDATE: Implemented robust path validation during user deletion to prevent unintended deletion of parent directories.

PRJ-56455

Scalable Platforms

UPDATE: The Maestro Orchestrator WebUI now shows a preview and summary of topology changes before they are applied, and its error handling is improved.

PRJ-57570,
PMTR-93424

Scalable Platforms

UPDATE: Optimized policy distribution to Maestro Security Group members to avoid failure under high load conditions.

PRJ-58356,
ODU-2139

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 124 via self-updatable package. Refer to sk170314.

PRJ-58245,
ODU-2099

Automatic Updates - HCP

UPDATE: Added Update 20 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-55884,
PMTR-106113

Security Management

In some scenarios, the webservices_cmas_ports.conf file is not updated after a Domain is deleted from the Multi-Domain Security Management Server, and it still contains the ports of the deleted Domains.

PRJ-55320,
PMTR-104567

Security Management

Packet mode search does not return specific layered rules when an action is defined, unlike searches using only source and destination parameters.

PRJ-57335,
PMTR-105173

Security Management

The on-premises Security Management Server with a proxy address configured may fail to connect to the Infinity Portal.

PRJ-57906,
PRHF-36295

Security Management

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

PRJ-57272,
SDWANM-2320,
PMTR-108672

SmartConsole

When the Security Management Server has an additional NAT configuration in the SD-WAN policy (Infinity Portal), the banner indicating this may not appear in the SmartConsole NAT Rule Base. This is a cosmetic issue.

  • Requires R81.20 SmartConsole Build 661 or higher.

PRJ-55714,
PMTR-105491

Multi-Domain Security Management

During an upgrade, Global Policy Assignment on Active Domains may fail when performed from the Multi-Domain Security Management Server where the Global Domain is Standby.

PRJ-57530,
PRHF-36514

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments, login to SmartConsole fails.

PRJ-58518,
PMTR-110408

Logging

In some scenarios, in Log Servers or Multi-Domain Log Modules (MLM):

  • The SOLR process consumes high CPU.

  • There is a delay in displaying logs in the Logs view.

PRJ-56101,
PMTR-106586

Security Gateway

The server.log file of the ICAP Server is filled with "Failed to scan web object" entries. This is a cosmetic issue.

PRJ-56185,
PRHF-31197

Security Gateway

When enabling MDPS using the "set mdps mgmt plane on" command, the "Failed to commit transaction on database" error is shown instead of a message explaining that the management interface must be configured first.

PRJ-57843,
PMTR-109616

Security Gateway

In a rare scenario, when multiple Elephant Flows are running in parallel in the accelerated pipelining path, there may be high CPU utilization. Refer to sk183007.

PRJ-57267,
PMTR-108660

Security Gateway

DoS protection and connection rate limiting configurations may fail to effectively enforce rules.

PRJ-56507,
PMTR-107344

Security Gateway

When using HTTP/2 through a proxy, the Security Gateway may incorrectly add carriage return and newline characters (\r\n) to the X-Forwarded-For (XFF) header. This makes the header invalid and results in a connection failure. This issue occurs only when the Security Gateway is configured as a proxy.
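As an added example (not part of these release notes and not Check Point code), the following Python validator shows why a stray CR/LF inside a header value such as X-Forwarded-For breaks the request: the receiving side splits the header section on CRLF, so the remainder of the value is seen as a malformed field, or, when the stray CRLF lands right before the real terminator, the header section ends early and later fields such as Host are lost. Recording the precise reason is what lets an operator tell this condition apart from a generic connection failure. The sample requests are constructed; the host name and the documentation-range addresses are placeholders.

```python
"""Strict HTTP/1.x header-section validator (added example, constructed input)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# RFC 9110: a field name is a token; a field value must not contain CR, LF or NUL.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_FORBIDDEN_IN_VALUE = ("\r", "\n", "\x00")


def parse_header_section(raw: bytes) -> Tuple[Dict[str, str], List[str]]:
    """Parse the request line and header fields of an HTTP/1.x request.

    Returns (headers, problems): headers maps lower-cased field names to
    values (repeated list-valued fields are joined with ", "); problems
    records every violation so the reject reason can be logged.
    """
    headers: Dict[str, str] = {}
    problems: List[str] = []
    text = raw.decode("latin-1")
    head, terminator, _body = text.partition("\r\n\r\n")
    if not terminator:
        problems.append("header section is not terminated by an empty line")
    lines = head.split("\r\n")
    request_line = lines[0] if lines else ""
    if request_line.count(" ") == 2 and request_line.endswith(("HTTP/1.1", "HTTP/1.0")):
        lines = lines[1:]
    else:
        problems.append(f"malformed request line: {request_line!r}")
    for idx, line in enumerate(lines, start=1):
        if line.startswith((" ", "\t")):
            problems.append(f"field {idx}: obsolete line folding is not allowed")
            continue
        name, colon, value = line.partition(":")
        if not colon or not _TOKEN.match(name):
            # A CRLF injected mid-value leaves the tail of that value here,
            # where it fails to parse as "name: value".
            problems.append(f"field {idx}: not a valid header field: {line!r}")
            continue
        value = value.strip(" \t")
        if any(ch in value for ch in _FORBIDDEN_IN_VALUE):
            problems.append(f"field {idx}: control character in value of {name}")
            continue
        key = name.lower()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    if "host" not in headers:
        # A stray CRLF directly before the real CRLF CRLF ends the header
        # section early, so the remaining fields (often Host) land in the body.
        problems.append("Host header missing")
    return headers, problems


def forwarded_chain(headers: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split X-Forwarded-For into its address chain, validating each entry."""
    chain: List[str] = []
    problems: List[str] = []
    for item in headers.get("x-forwarded-for", "").split(","):
        item = item.strip()
        if not item:
            continue
        try:
            chain.append(str(ipaddress.ip_address(item)))
        except ValueError:
            problems.append(f"X-Forwarded-For entry is not an IP address: {item!r}")
    return chain, problems


def check_request(raw: bytes) -> List[str]:
    """Return every problem found in a raw request; an empty list means it is well formed."""
    headers, problems = parse_header_section(raw)
    _chain, xff_problems = forwarded_chain(headers)
    return problems + xff_problems


# Constructed samples (placeholder host name, documentation-range addresses).
GOOD_REQUEST = (
    b"GET /api HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"X-Forwarded-For: 203.0.113.5, 198.51.100.7\r\n"
    b"\r\n"
)
# Stray CRLF inside the XFF value: the tail becomes a bogus header line.
CRLF_MID_VALUE = (
    b"GET /api HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"X-Forwarded-For: 203.0.113.5\r\n, 198.51.100.7\r\n"
    b"\r\n"
)
# Stray CRLF at the end of the XFF value: the header section ends early.
CRLF_END_VALUE = (
    b"GET /api HTTP/1.1\r\n"
    b"X-Forwarded-For: 203.0.113.5\r\n\r\n"
    b"Host: app.example.com\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, sample in [("good", GOOD_REQUEST), ("crlf mid-value", CRLF_MID_VALUE),
                          ("crlf end-of-value", CRLF_END_VALUE)]:
        print(label, "->", check_request(sample) or "OK")
```

The validator deliberately rejects obsolete line folding and control characters rather than repairing them, because a proxy that silently "fixes" such a header would hide exactly the kind of defect this item describes.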

PRJ-56761,
PMTR-107823

Security Gateway

In a rare scenario, the FWK process may exit because of an error that occurs in the accelerated pipelined path.

PRJ-58270,
PRHF-36963

Security Gateway

Security Gateway with QoS enabled may crash because of a rare race condition.

PRJ-54574,
PMTR-103054

SD-WAN

In a DAIP peer environment, traffic outage may occur in SD-WAN during dynamic IP change.

PRJ-57714,
PRHF-36800

SD-WAN

In a star community topology, SD-WAN overlay traffic connectivity may be disrupted due to unexpected routing and encryption configurations.

PRJ-57116,
SDWANGW-2623

SD-WAN

SD-WAN overlay traffic may experience an outage.

PRJ-50735,
PMTR-105178

SD-WAN

In some scenarios, when SD-WAN policy is enabled, open connections are not routed according to the SD-WAN decision.

PRJ-57567,
PMTR-109178

Internal CA

In a rare scenario, when running the cpca_client utility, the CPCA process on the Security Management Server may exit.

PRJ-49857,
PRHF-30600

Threat Prevention

In a rare scenario, the Anti-Virus Software Blade blocks benign traffic because URL observables in IoC feeds are parsed incorrectly. Refer to sk181519.

PRJ-57135,
PMTR-90069

Threat Prevention

When SSH Deep Packet Inspection (SSH DPI) is enabled, a bypass log entry may not be generated if no Threat Prevention Software Blade is active on the connection. This is a cosmetic issue.

PRJ-58006,
PRHF-37011

Identity Awareness

IDA Captive Portal may not be available after Jumbo Hotfix Accumulator installation or after an upgrade using the Blink image. Refer to sk172324.

PRJ-57853,
PMTR-109709

Identity Awareness

An Identity Broker Subscriber configured with recalculation of Access Roles does not match all Access Roles after both the User and the Machine are identified.

PRJ-56868,
PRHF-35625,
PRJ-56872,
PRHF-35636

Identity Awareness

In rare scenarios:

  • The PDPD process may become unresponsive during termination.

  • PDP to PEP Identity synchronization fails on the PEP side when Identity Sharing is configured with PUSH Identity Sharing.

Refer to sk182613.

PRJ-56501,
PMTR-107149

ClusterXL

Connection to Loopback VIP (Virtual IP) may be dropped.

PRJ-57681,
PRHF-36561

SecureXL

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

PRJ-56400,
PMTR-107175

SecureXL

When modifying MTU settings on LightSpeed Line Card interfaces with SecureXL working in User mode (UPPAK), if both ports are not re-enabled immediately after the change, persistent interface binding errors may be written to the /var/log/usim_x86.elg file, such as "Failed to bind hairpin Tx 2 to Rx 3 (64 - all ports)".

PRJ-57611,
PRHF-36204

SecureXL

In some scenarios, after an update of the OS route configuration, there may be a significant delay in traffic passing through the Security Gateway when SecureXL works in the User space (UPPAK) mode. Refer to sk182740.

PRJ-57800,
PMTR-109570

SecureXL

Policy installation failures may cause "fwaccel dos" commands to stop working.

PRJ-57061,
PMTR-107742

Gaia OS

SW RAID (RAID-1) fails to resynchronize after formatting one of the SSD drives. This applies to these appliances: 15400, 15600, 5900, 6800, 16000, 16000T, 26000, 26000T, 6900, 7000, 16200, 28000, QLS250, QLS450, QLS650, QLS800, MLS200, MLS400.

PRJ-46985,
PRHF-27944

Gaia OS

When working with SNMP traps, Clish may become slow and unresponsive.

PRJ-56498,
PRHF-35416

VPN

There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730.

PRJ-53463,
PRHF-31882

VPN

In some scenarios, when Link Selection (LS) is configured, a traffic outage may occur after policy installation.

PRJ-53944,
PMTR-102412

VPN

The IKED daemon may exit during IKEv2 negotiation of SD-WAN with a DAIP peer.

PRJ-53949,
PMTR-98528

VPN

In a rare scenario, a memory leak may occur in the VPND process when IKEv2 Remote Access Clients are connected to the Security Gateway.

PRJ-56172,
PRHF-35251

VPN

An ECDH object may be deleted before processing of its associated event has completed.

PRJ-56914,
PRHF-35806

VSX

In SmartConsole, in the Device and License Information view, the Compliance Software Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present.

PRJ-57058,
PRHF-34508

VSX

After a Jumbo Hotfix upgrade, the Mail Transfer Agent may fail on all Virtual Systems except one.

See the Critical Information section.

PRJ-49286,
PRHF-30172

Harmony Endpoint

Exclusions for Anti-Bot policy created through the WebUI do not correctly handle Cyrillic characters.

PRJ-58047

Scalable Platforms

During the Jumbo Hotfix Accumulator installation on an R81.20 Security Gateway, or when adding a new Security Gateway to the environment, the member's state may flap intermittently.

PRJ-57639,
PMTR-100964

Scalable Platforms

Security Group Member may be in Down state during the license distribution to Maestro Security Group members. Refer to sk181245.

PRJ-53749,
PRHF-33320

Scalable Platforms

A Maestro Security Group Member may fail to initialize after enabling IPv6 and remains stuck with the pull_config pnote.

PRJ-57480,
PMTR-109043

Scalable Platforms

During a Maestro upgrade, if one of the Security Gateway members becomes unresponsive or enters a DETACH/LOST state, policy installation from SmartConsole fails.