R81 Jumbo Hotfix Take 89

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Removed a redundant guava package.

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

UPDATE: New features and improvements are released in Take 81, Take 85, Take 88, and Take 90 via a self-updatable package. Refer to sk170314.

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

UPDATE: Re-enabled the deprecated feature of exporting/importing custom intelligence feeds.

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: SSL Network Extender was updated to version 80008407.

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

• changes in the cloud service configuration,

• stability improvement.

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg will now hold only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg will now hold all previous push configuration logs, except the last one.

UPDATE: SNMP traps for interfaces going up and going down will now contain the interface name and description.

UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined.

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).

UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

• Running a Gaia API command on a Security Gateway using Management API from the Multi-Domain Security Management Server fails.

• Running a Gaia API command on a Security Gateway using Management API from the Security Management Server fails if the Security Gateway certificate was not recreated.

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

Policy installation gets stuck if the known proxy group contains the policy target.

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway.

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

The Security Gateway may listen to the ports used by NAT.

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command.

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

In SmartConsole, export of policies with the "Hit count" column may get stuck.

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

When using the RADIUS username for authentication, login to SmartConsole may fail.

The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054.

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

In rare scenarios. in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.

• The fix applies only when Jumbo Hotfix Accumulator Take is installed via Advanced upgrade or with a Blink image containing this Take.

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

In rare scenarios, the WSDNSD process may restart because of an internal error.

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

The Security Gateway may crash due to a memory issue.

The Security Gateway may crash while inspecting non-HTTP traffic.

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

In a rare scenario, policy installation may fail because of IoC observables overrides.

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

In some scenarios, the Security Gateway fails to export or import IoC feeds.

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic.

Traffic may be dropped when there are many OSPF routes of type 5.

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

A potential leak in VPN tunnels in a Multi-Version Cluster.

Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##".

The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication.

A memory leak may occur in the CPD process.

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

• Requires installing SmartConsole R81 Build 567 (or higher).

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485.

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error.

The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package.

E2 engine may send an incorrect value of datDate in sync request.

After an upgrade, Azure Gov mapping may fail.

The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921.