R81.20 Jumbo Hotfix Take 96

Note - This Take contains all fixes from all earlier Takes.

ID | Product | Description |
---|---|---|
Take 96 Released on 05 January 2025 | | |
Take 96 - New Functionality | | |
PRJ-51150, PRJ-56796, PMTR-93129 | Security Management | NEW: In SmartConsole, the CSV export file of Access Policy NAT rules now contains the hit count data: "Hits", "First Hits" and "Last Hits" columns. |
PRJ-56656 | Security Management | NEW: The "show nat-rule" and "show nat-rulebase" Management API commands now support displaying hit count data with optional date range filtering through the "show-hits true" parameter, allowing users to retrieve hit statistics for NAT rules with flexible time-based querying in JSON format. Syntax examples: |
PRJ-56664 | Security Gateway | NEW: Updatable objects can now be updated through the Security Management Server by adding the "<ProxyRoute>1</ProxyRoute>" configuration entry in the $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml file on the Security Gateway. This enables proxy-based updates. |
PRJ-54456, PMTR-103606 | Gaia OS | NEW: Added Two-Factor Authentication (2FA) support for Gaia OS login using time-based authenticator apps from Google and Microsoft. Refer to sk181854. |
PRJ-52905, PMTR-100688 | Anti-Bot | NEW: Added protection that prevents multiple unsuccessful login attempts from Endpoint Security Client users connecting through a Remote Access VPN to the Security Gateway. This protection prevents brute-force attacks on Endpoint Security Client users' passwords. Refer to sk182087. |
Take 96 - Improvements and Resolved Issues | | |
PRJ-57490 | Security Management | UPDATE: The Management API command "set-https-rule" now automatically sets the negative value to "false" when modifying the destination, source, service, or site-category fields, regardless of its previous setting. |
PRJ-54481 | CPView | UPDATE: Optimized the CPVIEWD daemon, which manages multiple general producers, to reduce CPU spiking and memory consumption. |
PRJ-57159 | Logging | UPDATE: Improved Log Sharing functionality in the Infinity Portal, focusing on core stability and log status accuracy and detail level. |
PRJ-51051, ACCESS-613, PMTR-110124 | SD-WAN | UPDATE: The Security Gateway now automatically updates the configured application categories in Access Control and SD-WAN Policies with other applications and corresponding port ranges. Refer to sk182790. |
PRJ-57923, PMTR-104982 | SecureXL | UPDATE: SD-WAN is now supported when SecureXL User Space Mode (UPPAK) is enabled. |
PRJ-51225 | Gaia OS | UPDATE: Implemented robust path validation during user deletion to prevent unintended deletion of parent directories. |
PRJ-56455 | Scalable Platforms | UPDATE: Maestro Orchestrator WebUI now previews topology changes and a summary before applying them, and error handling is improved. |
PRJ-57570 | Scalable Platforms | UPDATE: Optimized policy distribution to Maestro Security Group members to avoid failure under high load conditions. |
PRJ-58356, ODU-2139 | Automatic Updates - Web SmartConsole | UPDATE: New features and improvements are released in Take 124 via self-updatable package. Refer to sk170314. |
PRJ-58245 | Automatic Updates - HCP | UPDATE: Added Update 20 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-55884 | Security Management | In some scenarios, the webservices_cmas_ports.conf file is not updated after Domain deletion from the Multi-Domain Security Management Server, and contains ports of deleted Domains. |
PRJ-55320 | Security Management | Packet mode search does not return specific layered rules when an action is defined, unlike searches using only source and destination parameters. |
PRJ-57335 | Security Management | The on-premises Security Management Server with a proxy address configured may fail to connect to the Infinity Portal. |
PRJ-57906 | Security Management | In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file. |
PRJ-57272, SDWANM-2320, PMTR-108672 | SmartConsole | When the Security Management has an additional NAT configuration in the SD-WAN policy (Infinity Portal), an indicating banner may not appear in SmartConsole NAT Rule Base. This is a cosmetic issue. |
PRJ-55714 | Multi-Domain Security Management | During an upgrade, Global Policy Assignment on Active Domains may fail when performed from the Multi-Domain Security Management Server where the Global Domain is Standby. |
PRJ-57530 | Multi-Domain Security Management | In rare scenarios, in Multi-Domain Security Management environments, login to SmartConsole fails. |
PRJ-58518, PMTR-110408 | Logging | In some scenarios, in Log Servers or Multi-Domain Log Modules (MLM): |
PRJ-56101 | Security Gateway | The server.log file of the ICAP Server is filled with "Failed to scan web object" entries. This is a cosmetic issue. |
PRJ-56185 | Security Gateway | When enabling MDPS using the "set mdps mgmt plane on" command, the "Failed to commit transaction on database" error is shown instead of a message explaining that the management interface should be configured first. |
PRJ-57843 | Security Gateway | In a rare scenario, when multiple Elephant Flows are running in parallel in the accelerated pipelining path, there may be high CPU utilization. Refer to sk183007. |
PRJ-57267, PMTR-108660 | Security Gateway | DoS protection and connection rate limiting configurations may fail to effectively enforce rules. |
PRJ-56507 | Security Gateway | When using HTTP/2 through a proxy, the Security Gateway may incorrectly add carriage return and newline characters (\r\n) to the X-Forwarded-For (XFF) header. This causes the header to become invalid and results in a connection failure. This issue only occurs when the Gateway is configured as a proxy. |
PRJ-56761 | Security Gateway | In a rare scenario, the FWK process may exit because of an error that occurred in the accelerated pipelined path. |
PRJ-58270, PRHF-36963 | Security Gateway | Security Gateway with QoS enabled may crash because of a rare race condition. |
PRJ-54574, PMTR-103054 | SD-WAN | In a DAIP peer environment, traffic outage may occur in SD-WAN during dynamic IP change. |
PRJ-57714 | SD-WAN | In a star community topology, SD-WAN overlay traffic connectivity may be disrupted due to unexpected routing and encryption configurations. |
PRJ-57116, SDWANGW-2623 | SD-WAN | SD-WAN overlay traffic may experience an outage. |
PRJ-50735, PMTR-105178 | SD-WAN | In some scenarios, when SD-WAN policy is enabled, open connections are not routed according to the SD-WAN decision. |
PRJ-57567 | Internal CA | In a rare scenario, when running the cpca_client utility, the CPCA process on the Security Management Server may exit. |
PRJ-49857 | Threat Prevention | In a rare scenario, Anti-Virus blade prevents benign traffic due to improper parsing of URL observables in IoC feeds. Refer to sk181519. |
PRJ-57135 | Threat Prevention | When SSH Deep Packet Inspection (SSH DPI) is enabled, a bypass log entry may not be generated if no Threat Prevention blade is active on the connection. This is a cosmetic issue. |
PRJ-58006, PRHF-37011 | Identity Awareness | IDA Captive Portal may not be available after Jumbo Hotfix Accumulator installation or after an upgrade using the Blink image. Refer to sk172324. |
PRJ-57853 | Identity Awareness | Identity Broker Subscriber configured with recalculation of Access Roles does not match all Access Roles after User and Machine are identified. |
PRJ-56868, PRJ-56872 | Identity Awareness | In rare scenarios: Refer to sk182613. |
PRJ-56501 | ClusterXL | Connection to Loopback VIP (Virtual IP) may be dropped. |
PRJ-57681 | SecureXL | A memory leak may occur in the SIM process when using DOS/Rate Limiting rules. |
PRJ-56400 | SecureXL | When modifying MTU settings on LightSpeed Line Card interfaces with SecureXL working in User mode (UPPAK) and not re-enabling both ports immediately after the change, persistent interface binding errors may be printed in the /var/log/usim_x86.elg file, such as "Failed to bind hairpin Tx 2 to Rx 3 (64 - all ports)". |
PRJ-57611 | SecureXL | In some scenarios, after an update of the OS route configuration, there may be a significant delay in traffic passing through the Security Gateway when SecureXL works in the User space (UPPAK) mode. Refer to sk182740. |
PRJ-57800 | SecureXL | Policy installation failures may cause "fwaccel dos" commands to stop working. |
PRJ-57061 | Gaia OS | SW RAID (RAID-1) fails to resynchronize after formatting one of the SSD drives. This is applicable for these appliances: 15400, 15600, 5900, 6800, 16000, 16000T, 26000, 26000T, 6900, 7000, 16200, 28000, QLS250, QLS450, QLS650, QLS800, MLS200, MLS400. |
PRJ-46985 | Gaia OS | When working with SNMP traps, Clish may become slow and unresponsive. |
PRJ-56498 | VPN | There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730. |
PRJ-53463 | VPN | In some scenarios when Link Selection (LS) is configured, traffic outage may occur after policy installation. |
PRJ-53944 | VPN | The IKED daemon may exit during IKEv2 negotiation of SD-WAN with a DAIP peer. |
PRJ-53949 | VPN | In a rare scenario, a memory leak may occur in the VPND process when IKEv2 Remote Access Clients are connected to the Security Gateway. |
PRJ-56172 | VPN | An ECDH object may be deleted before its associated event has completed processing. |
PRJ-56914 | VSX | In SmartConsole, in the Device and License Information view, the Compliance Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present. |
PRJ-57058, PRHF-34508 | VSX | After a Jumbo Hotfix upgrade, the Mail Transfer Agent may fail on all Virtual Systems except one. See the Critical Information section. |
PRJ-49286 | Harmony Endpoint | Exclusions for Anti-Bot policy created through the WebUI do not correctly handle Cyrillic characters. |
PRJ-58047 | Scalable Platforms | During the Jumbo Hotfix Accumulator installation on an R81.20 Security Gateway or when adding a new Security Gateway to the environment, the member's state may experience intermittent flapping. |
PRJ-57639 | Scalable Platforms | Security Group Member may be in Down state during the license distribution to Maestro Security Group members. Refer to sk181245. |
PRJ-53749 | Scalable Platforms | A Maestro Security Group Member may fail to initialize after enabling IPv6 and remains stuck with the pull_config pnote. |
PRJ-57480, PMTR-109043 | Scalable Platforms | During a Maestro upgrade, if one of the Security Gateway members becomes unresponsive or enters a DETACH/LOST state, policy installation from SmartConsole fails. |