R81 Jumbo Hotfix Take 89

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Removed a redundant guava package.

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

UPDATE: New features and improvements are released in Take 81, Take 85, Take 88, and Take 90 via a self-updatable package. Refer to sk170314.

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

UPDATE: Re-enabled the deprecated feature of exporting/importing custom intelligence feeds.

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: SSL Network Extender was updated to version 80008407.

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

• changes in the cloud service configuration,

• stability improvement.

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg will now hold only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg will now hold all previous push configuration logs, except the last one.

UPDATE: SNMP traps for interfaces going up and going down will now contain the interface name and description.

UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined.

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).

UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

• Running a Gaia API command on a Security Gateway using Management API from the Multi-Domain Security Management Server fails.

• Running a Gaia API command on a Security Gateway using Management API from the Security Management Server fails if the Security Gateway certificate was not recreated.

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

Policy installation gets stuck if the known proxy group contains the policy target.

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway.

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

The Security Gateway may listen to the ports used by NAT.

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command.

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

In SmartConsole, export of policies with the "Hit count" column may get stuck.

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

When using the RADIUS username for authentication, login to SmartConsole may fail.

The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054.

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

In rare scenarios. in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.

• The fix applies only when Jumbo Hotfix Accumulator Take is installed via Advanced upgrade or with a Blink image containing this Take.

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

In rare scenarios, the WSDNSD process may restart because of an internal error.

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

The Security Gateway may crash due to a memory issue.

The Security Gateway may crash while inspecting non-HTTP traffic.

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

In a rare scenario, policy installation may fail because of IoC observables overrides.

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

In some scenarios, the Security Gateway fails to export or import IoC feeds.

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

When a BFD session is added or removed, disabled sessions may incorrectly come up.

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

Vsx_util upgrade or downgrade validation fails on Virtual Systems where policy was never installed.

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

In a rare scenario, affinity configuration on VSX may fail.

In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823.

When changing bond settings, the bond may be missing the global IPv6 Address.

Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment.

After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to "None". And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed.

KAV updater on the Server may fail to receive updates when proxy is used.

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter).