R81 Jumbo Hotfix Take 60

NEW: Added support for Management API commands: "add-rules-batch" and "delete-rules-batch".

UPDATE: Meta-info and comments fields are now displayed in the output of the "show-tasks" API command with "details-level standard".

Added Update 13 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error.

In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database.

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930.

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

• The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
• On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured, may not appear in the results, although they match the IP.

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

Policy installation may fail if more than 20,000 objects are created and added to rules.

In some scenarios, the API command "login-to-domain" fails, and the cpm.elg log shows "Null Pointer Exception".

In some cases, when changing only the "color" and "comment" object fields, policy installation may not be accelerated.

Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out.

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

• The API command "show_packages_details" does not support the "OneTimeProb" parameter, although it is supported in GUI.
• In some scenarios, the API command "show_packages" with "details-level full" fails with "generic_error".

In rare scenarios, the Management Server may fail to start.

Policy installation with Directional VPN rules may fail with a verification error.

In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967.

In some scenarios, when editing Exceptions in Inspection Settings, Gateways without IPS Blade may be missing from the "Install On" list.

When many sessions are opened:

• Publish operation may be slow
• APPI Update may be stuck on 30% and eventually fail
• Domain Import task may be stuck after 50% and then fail

In some scenarios, the $MDS_FWDIR/log/cpm.elg file contains many lines about "UnmarshalException".

In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain.

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface.

The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/.

In some scenarios, auto-update flow fails during updatable object registration.

• Requires R81 SmartConsole Build 559 (or higher).

On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928.

Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543.

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

Daily Log/Indexes Maintenance does not delete old index files from $RTDIR/log_indexes if they contain files or subdirectories with a format different than %Y-%m-%d.

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323.

In SmartConsole:

• In Gateways and Servers view, IP statuses may not be accurate
• In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229.

Enhanced Check Point Active Streaming (CPAS). Refer to sk177025.

Access Policy installation may fail with "Error code 1-2000078".

Running the "threshold_config" command may cause the CPD process to consume a high CPU.

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

After reboot and policy installation, the "No interface configured in SmartCenter server with name mdps_tun. Matching by IP address to interface Mgmt" error may be printed in fwk.elg.

Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS).

When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may hang.

In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.

Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message.

In a rare scenario, policy push to multiple Security Gateways may fail. Refer to sk177963.

In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages.

In a rare scenario, the Security Gateway may crash during policy installation.

In some scenarios, memory consumption and CPU usage may increase consistently. Refer to sk176370.

DNS Server is getting overloaded with DNS requests from the Security Gateway when Domains or updatable objects are used in policy. The "Domain doesn't exist" error is shown.

In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start.

When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages.

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause
one of the members to go down with a configuration pnote.

In a rare scenario, the priorities defined in User Directory (Gateway level) override the default Domain Controller (DC) priorities defined in the LDAP Account unit. Servers with priority above 1000 are not ignored, although they should be.

An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher.

In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped.

After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Security Gateways together, Security Gateways may consume more CPU during rule-match of new connections.

In Autonomous Threat Prevention mode, "Profile Name" and "SmartDefense" fields may be missing in the IPS log.

The dlpu process may unexpectedly exit with core dump file.

The fwk process may unexpectedly exit during the TLS handshake.

If TLS 1.3 is enabled, using imported ECDSA certificates for HTTPS Inspection may cause the Security Gateway to crash.

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

In rare scenarios, TLS probing connections may remain open for extended periods.

SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760.

Policy installation may fail due to table creation issues.

In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize.

A redundant message "ACC: Accelerator started. " is printed in dmesg logs.

In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts.

After a failover, OSPF may restart immediately after the ROUTED daemon starts which causes the Active member to go into Down state instead of Standby state.

UPDATE: In policy installation, the type of messages, related to VPN certificate expiration, is changed from "info" to "warning". This issue is only cosmetic.

In some scenarios, a memory leak may occur in the VPND process.

A memory leak may occur during Office Mode IP allocation.

In some scenarios, IKEv2 tunnel may not work due to SA expiration.

The output of the "vpn tu tlist" command may show an incorrect type of S2S tunnels protocol.

Although the Simultaneous Login Prevention (SLP) feature is on, the user can connect with two clients and receive the same statically assigned Office-Mode IP.

The output of the "vpn tu tlist" command may show a wrong date and time in "Authenticated at" line, although machine date and time settings are correct.

When the IKE daemon is enabled, VPN counters in CPView may show incorrect value.

In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue.

In some scenarios, Remote Client connections in Visitor Mode may cause the fwk process to exit.

A machine-only tunnel cannot be established when VPN default realm is disabled.

UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

After deleting a warp interface in SmartConsole, the active VSX cluster member may crash.

NEW: Added support for TE2000XN appliances.

Potential vulnerability related to specific Gaia API command on VSX systems.

In some scenarios, after adding an SNMP USM user, the confd process may unexpectedly exit.

• VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
• IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128.

NEW: It is now possible to configure Super Node in Harmony Endpoint. Refer to sk171703.

• When in "cpconfig"-> "GUI clients"-> "Modify" the option "Any" is deleted, the Endpoint Security Server UEPM Apache cannot start.
• When manually launching UEPM Apache the following output is shown: "AH00526: Syntax error on line 1 of /opt/CPuepm-R81/apache/conf/acl.conf:ip address 'Require' appears to be invalid"

Refer to sk176186.

When using SIP, memory usage may increase over time on Active and Standby members.

Improved the handling of NSX-T Data Center throttling issues.

The "vsec_lic_cli update" command now supports IP change in the license string.

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool.

UPDATE: Added ability to run the "hw_utilization" command on Quantum Maestro members.

In a Dual Site Quantum Maestro environment, traffic may be interrupted intermittently when a Domain object is used in the Rule Base.

Identity Sharing in VSLS Mode may not work as expected.

Changing VLAN of an existing interface may cause arp reply not to be processed by the Gateway. Refer to sk176929.

RADIUS user that has gclish set as default shell cannot login into the Security Group on Scalable Platforms R81.10: "Unable to get user permissions". Refer to sk176364.

The CMM is not updated with the time from a configured NTP Server. As a result, SGMs stay in the Down state for a long time.

Connectivity issues may occur on Identity Server (PDP) in large VSX setups.

SNMP OID .1.3.6.1.4.1.2620.1.48.16 (asgSecureXLStatusBitmask) returns the status of SecureXL as enabled, even when it is not.

In some scenarios, a physical link issue on a Maestro Gateway may cause an unexpected site failover, a cluster state change on other Gateways, or packet drops.

Multiple traffic drops may occur on Scalable Platforms. Refer to sk173545.

Added support for a new VMAC design. Refer to sk165674.

UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias.