R81 Jumbo Hotfix Take 82

NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878.

UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).

• To activate it, GNAT should be enabled. Also, in the fwkern.conf file, run "set fwx_force_random_nat_port_alloc=1",

• To disable, run "set fwx_force_random_nat_port_alloc=0".

UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates.

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

• To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

• To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311.

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

UPDATE: Added support for Data Centers in AWS eu-south-2 (Spain) and eu-central-2 (Zurich) and ap-south-2 (Hyderabad) regions.

Skyline may not show any information. Refer to sk180748.

The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed.

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail.

Editing a Global Assignment object using Ansible may fail.

There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder.

The date of a policy configured with "accelerated installation" may not be updated in logs.

In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses.

In rare scenarios in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803.

After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash.

The "fw monitor" command output may contain "no packets left to merge" messages.

The FWK process may unexpectedly exit during Threat Prevention policy installation.

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated.

In an Active/Active cluster, a member may reboot because of a memory corruption issue.

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages.

When Anti-Spoofing is enabled, the Security Gateway may crash.

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated.

In some scenarios, the FWD process is stuck during policy installation.

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

Stability issues when ICAP client is active.

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

When managing cloud Gateways, the FWM process memory usage may increase.

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

IoC feed may not load because of a parsing issue with the IP address range indicator.

IoC feed may not load, and the "Feed status cybercrime-tracker_hash_list :: engine memory allocation error. Feed log External IoC - External Indicators processing failed" error is displayed in CLI.

When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue.

Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file.

During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659.

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

The PDPD process may cause CPU spikes during cluster failover.

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

The RAD process may freeze when an error occurs, and an error event is initialized.

When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected.

The "asg perf --delay" command does not change the "refresh time" on the screen.

Access to a web application that uses WebSocket protocol may not be possible.

In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic.

A memory leak may occur in the DLPU process.

The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade.

In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473.

The CVPND process may unexpectedly exit and create a core dump file.

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored.

IPv6 template is not created when the connection is NATed.

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486.

It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time.

Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC).

VPN endpoint users fail to login with ECDSA certificate.

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

In some scenarios, when NAT is configured, VoIP traffic is dropped.

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

StrongSWAN Remote Access client can connect but fails to access internal resources.

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

• NAT-T traffic may stop matching the implied rule after policy installation and is dropped with "IKE_NAT_TRAVERSAL Traffic Dropped from x.x.x.x to y.y.y.y" message in SmartLog.

• VPND and IKED stability issues occur when loading newly created LDAP group objects.

Refer to sk180530.

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

The "lldpneighbors" Clish command may have a corrupted output. Refer to sk182065.

Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started.

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails.

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

A Hide NAT port may be allocated twice causing the "out of state" drops.

The clock verifier test (clock_verifier -v) fails.

In VSX mode, when configuring affinity settings on Security Group members, a new added member may stay in Down state.

When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail.

See the Important Notes section.

GTP traffic may be dropped, and tunnels are not registered in gtp_tunnels.