R81 Jumbo Hotfix Take 72

UPDATE: Management API performance improvements:

• When moving a rule, the "set-access-rule" command is now up to 15 times faster.

• When using a rule name, the "set-access-rule" command is now twice as fast.

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Gateway was completed successfully.

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

In some scenarios, the Hit Count column on the NAT policy shows zero hits on all rules, even though there are hits.

Upon policy installation, Security Gateways may not receive changes made in the Service Based Link Selection configuration file $FWDIR/conf/vpn_service_based_routing.conf as per instructions of sk56384. Refer to sk179699.

Login to Domain via Management API using FQDN as the Domain parameter may fail with the "Domain not found" error.

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144.

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

UPDATE: The local logging test will no longer run on the "asg_perf_hogs" utility, as it has its HCP (HealthCheck Point) test. Refer to sk171436.

When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

An error may occur when changing Default Time Frame while the SmartView language is not English.

In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches.

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells.

UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750).

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options.

There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server.

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

The Security Gateway may crash during PM Stats collection.

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096.

Improved memory consumption by decreasing the size of the mal_conns table.

In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)".

See the Important Notes section.

• The /var/log/messages directory may be flooded with "appi_app_db_get_kattrib_info: attribs hash does not exist" messages.

• A Security Gateway may be slow or unresponsive.

Refer to sk178406.

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP in other reports.

• Downloading or opening the packet capture file from the Anti-Bot log entries may fail with a "File fetching is still in progress" message.

• When opening the capture file link in the log entry in SmartConsole, the "Failed getting the incident file from the gateway. It may be expired" error is shown.

Login to Mobile Access Citrix application may fail.

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

UPDATE: Added support for the "Same VMAC" feature.

In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members.

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode.

When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file.

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled.

Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure.

UPDATE: Added verification to prevent adding a bridge to a Virtual Router (VR) via the vsx_provisioning tool.

Policy installation may fail after resetting a Security Geteway and restoring a VSX cluster member backup.

When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version.

CoreXL instances of SND type may appear in CPView as "OTHER" and not as "CoreXL_SND".

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby.

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash.

Improved packet rate performance on warp interfaces.

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970.

The CONFD process may unexpectedly exit and generate a core dump file.

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

The /var/log/messages file may be flooded with "failed to update arp table file" messages.

When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments".

NEW: Added a new tab for VoIP monitoring in CPView.

The Security Gateway may crash when running UDP and TCP SIP traffic.

UPDATE: Added ability to change CIN interface IP ranges. Refer to sk179028.

Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic.

The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10.

The ROUTED process may unexpectedly exit when OSPF is configured as P2P.

A cluster member may fail to perform Full Sync and remain in Down state with FULLSYNC PNOTE.

Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436.