List of All Resolved Issues and New Features in R82 Jumbo Hotfix Accumulator

Take | Available Since | Recommended Since |
---|---|---|
Take 14 | 20 Apr 2025 | - |
Take 12 | 26 Feb 2025 | 18 Mar 2025 |
Take 10 | 27 Jan 2025 | - |

ID | Product | Description |
---|---|---|
Take 14 Released on 20 April 2025 |||
Take 14 - New Functionality |||
PRJ-56952 | SD-WAN | NEW: In SD-WAN, added support for: |
PRJ-56409 | SD-WAN | NEW: |
PRJ-57083 | VPN | NEW: Local SCV settings can be customized per Security Gateway by creating a $FWDIR/conf/local.scv_<GW NAME> file; otherwise, the settings fall back to the standard local.scv configuration. |
Take 14 - Improvements and Resolved Issues |||
PRJ-58376, PMTR-110261 | Mobile Access | UPDATE: Resolved CVE-2024-52887 - Self-XSS vulnerability in Mobile Access Native Applications 'favorites' dialog. Refer to sk183054. |
PRJ-58382, PMTR-110274 | Mobile Access | UPDATE: Resolved CVE-2024-52888 - Mobile Access File Share applications are vulnerable to stored XSS attacks. Refer to sk183055. |
PRJ-56536 | Security Management | UPDATE: The Management API logs outbound payloads to api.elg only for non-"200" response codes. It is now possible to enable the "WRITE_FULL_OUT_PAYLOAD" environment variable to force comprehensive logging of all API call payloads, regardless of the response status. Refer to sk182786. |
PRJ-58728, PMTR-110883 | Security Management | UPDATE: The Global Domain automatic purge settings now automatically restore and reschedule after a Security Management Server restart. |
PRJ-57848 | Logging | UPDATE: Enhanced the CLI "cp_log_export" command with additional examples and expanded help documentation. |
PRJ-56569 | Security Gateway | UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved system reliability and security performance. |
PRJ-56706 | Security Gateway | UPDATE: Added information about VSX context to the mem.report files in /var/log/CP_mem_dwarf/. |
PRJ-58468 | Routing | UPDATE: Added a new Gaia Clish parameter to ignore the Autonomous System (AS) Path when aggregating routes: "set aggregate <IP Address>/<IP Mask> aspath-ignore {on \| off}". Note: enabling "aspath-ignore" will disable "aspath-truncate" if configured. |
PRJ-58466 | Routing | UPDATE: IP Reachability Detection now supports simultaneous BFD and ping monitoring to the same remote address, where previously only one method was functional at a time. When both are configured, each monitoring protocol operates independently, allowing features to track their preferred detection method while maintaining existing configuration syntax. |
PRJ-58738 | SecureXL | UPDATE: Optimized memory management when processing Jumbo Frames. |
PRJ-58795, PMTR-110837 | VSNext | UPDATE: All interfaces are now automatically assigned to VS0 (the default virtual system) with no instance bind, and can be moved between Virtual Systems without requiring unassigning, enabling immediate VSNext functionality. |
PRJ-57735 | Scalable Platforms | UPDATE: In ElasticXL, restoring Gaia OS backup is now supported. |
PRJ-58348 | Scalable Platforms | UPDATE: VSLS Mode is now supported in VSNext ElasticXL environments. |
PRJ-57616, PMTR-109197 | Scalable Platforms | In VSNext ElasticXL Load Sharing environments, traffic latency and interface flapping may occur between two members in the Virtual Switch (VSW), when the switch is configured on non-management interfaces and both members are on the same site. |
PRJ-57907 | Security Management | In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file. |
PRJ-58942 | Security Management | In SmartConsole, in the Quantum Spark Cluster object, editing the interfaces (manually or with the "Get Interfaces" action) fails with an unclear error message "Failed to save object". |
PRJ-57658 | Security Management | In some scenarios, High Availability synchronization fails with "NGM failed to export data" because of invalid Global Domain Assignments. |
PRJ-58274 | Security Management | In rare scenarios: |
PRJ-58222 | Security Management | In SmartConsole, when exporting Access Policy data to a CSV file, the hit count values may be displayed incorrectly in the exported file. |
PRJ-57541 | Security Management | Scheduled Snapshot Issues: Refer to sk182665. |
PRJ-57782 | Security Management | In rare scenarios, publishing Multi-Domain Security Management level changes such as Administrator configuration changes fails. The "Action Failed due to an Internal Error" error is displayed. |
PRJ-60340, PRHF-38803 | Security Management | In some scenarios, SmartTasks triggered by "after submit", "approve" and "reject" events fail to run. |
PRJ-57069 | Security Management | After an upgrade, when browsing to SmartConsole > Manage & Settings > Permissions & Administrator > Administrators, the page may display "Error retrieving results". |
PRJ-57036 | Security Management | In some scenarios, deleting a Security Gateway object fails if the Security Gateway is a participant in the Global VPN Community. |
PRJ-57539 | Security Management | In some scenarios, the "show packages" Management API command with "details-level full" fails with "Null Pointer exception: null". |
PRJ-59028 | Security Management | In the "Gateways and Servers" tab, when opening a shell on a specific Security Gateway, a "Connection failed" message pops up. |
PRJ-59038 | Security Management | SmartConsole "Validations" panel shows "'statusDescription' can not include html tags". Refer to sk183075. |
PRJ-58696 | Security Management | Performing changes to the Global Properties may not be possible if: |
PRJ-58030 | Multi-Domain Security Management | In rare scenarios, in Multi-Domain Security Management environments, domain creation fails with "Failed to create Domain server "Domain name" Permission calculation failed." |
PRJ-57982 | Multi-Domain Security Management | In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck. |
PRJ-57785 | Multi-Domain Security Management | In environments where not all Domains are Active on the same Server (for example, in a multi-site environment), and there is no Domain Management Server for a specific Domain, logs from that Domain are not forwarded to the Infinity Portal. |
PRJ-57829 | Security Gateway | In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow. |
PRJ-56815 | Security Gateway | GTP-U traffic may be dropped because of incorrect message type handling. |
PRJ-58091 | Security Gateway | When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs. |
PRJ-58271 | Security Gateway | Security Gateway with QoS enabled may crash because of a rare race condition. |
PRJ-58206 | Security Gateway | Incorrect Rule Base parameters synchronization logic may lead to the FWK process exit. |
PRJ-57962 | Security Gateway | In the HTTP/2 connection scenario, the tenant restriction header injection mechanism encountered an issue affecting the connectivity. |
PRJ-58768 | Security Gateway | High CPU usage on SND cores related to processing network traffic and distributing it to the appropriate firewall instances. |
PRJ-58152 | Security Gateway | In a rare scenario, the FWK process may exit when HTTPS Inspection is enabled and TLS connections are inspected on non-standard ports (ports other than 443 or 8080). |
PRJ-56740 | Security Gateway | Large NAT Rule Base may lead to high CPU usage during packet processing. |
PRJ-58420 | Security Gateway | Android devices' HTTP HEAD requests to Google services are blocked by Security Gateway proxy, generating excessive logs that impact Security Gateway performance through high CPU usage. Refer to sk182990. |
PRJ-58902, PRJ-58903, PMTR-110909 | Security Gateway | The FWK process may exit with a core dump file when the Security Gateway passes SMB traffic and the Hyperflow feature is enabled. |
PRJ-59119, PMTR-110235 | Security Gateway | In a rare scenario, the RAD daemon may crash during large memory allocation operations. |
PRJ-58407 | Security Gateway | PPPoE interface fails to restart when it is disconnected from the Server side. Refer to sk182154. |
PRJ-56404 | Internal CA | The "cpca_dbutil print" command may delete the provided output file content if the input file does not exist. |
PRJ-58131 | Identity Awareness | In a rare scenario, the PDPD process may unexpectedly exit during the PDP sharing flow. |
PRJ-58441 | Identity Awareness | In some scenarios, SAML authentication fails with "Error 500". |
PRJ-58191 | Application Control | HTTPS Site Categorization fails to properly handle unsupported QUIC protocol versions, causing classification errors instead of following the configured fail-mode (open/close) policy. |
PRJ-59452, PMTR-112600 | IPS | In rare scenarios, a memory leak in the FWK process may occur when IPS is active. |
PRJ-57969 | DLP | The DLP blade may not block the password-protected files of a specific type, although it should. |
PRJ-58170 | Anti-Virus | In a specific scenario involving a long-lived SMTP connection, the memory usage allocated by the Anti-Virus blade steadily increases over time. |
PRJ-57690 | SSL Inspection | HTTPS inspection session logs lack detailed explanations in the "explanation" field, displaying generic messages that do not clarify action reasons. This is a cosmetic issue. |
PRJ-58073 | Mobile Access | The debug output file for Mobile Access, named "exchangeRegistration_portal_error_log", is increasing in size. |
PRJ-59491, PMTR-111453 | ClusterXL | During cluster startup with routing separation enabled, a mismatch between routing and firewall process initialization can trigger premature full synchronization pnotes when the routing process is not fully synchronized. |
PRJ-58173, PRJ-58174, ACCHA-3821 | SecureXL | SD-WAN may not work as expected when SecureXL User Space Mode (UPPAK) is enabled. |
PRJ-60467, PMTR-114455 | SecureXL | In some scenarios, a memory leak occurs in the FWK process when SecureXL fails to update an existing route's next hop. |
PRJ-60160, PRHF-38880 | SecureXL | Routing related connectivity and stability issues may occur when SecureXL operates in User Mode (UPPAK). Refer to sk183181. |
PRJ-58276 | SecureXL | SecureXL User Mode crashes if an acceleration card interface has an MTU above 9000 and receives frames larger than 9234 bytes. |
PRJ-57991 | Routing | The "iphelper" (IP Broadcast Helper) service may trigger high CPU utilization because of a recursive packet broadcasting loop between network interfaces. |
PRJ-57987 | Routing | Static routes may get permanently deleted from the kernel during rapid interface configuration changes when there is a large number of routes. |
PRJ-59288, PMTR-111756 | Routing | Network traffic to the Internet experiences slowdowns and file download interruptions due to packets being dropped with "OS routing failed" errors during route lookup failures. |
PRJ-58001 | VPN | Capsule VPN connectivity failures may occur after a configuration change of the VPND daemon table parameters. |
PRJ-58061 | VPN | Two or more Endpoint Security VPN (Remote Access VPN) Users may get the same Office Mode IP address. Refer to sk182537. |
PRJ-57797 | VPN | Authentication failure may occur when an IKEv2 VPN Endpoint client connects using a machine certificate configured for a specific realm. |
PRJ-59251, PMTR-109563 | VPN | When using machine-restricted Access Roles, IKEv2 VPN connections fail at the cleanup rule due to missing machine information and user source IP, while IKEv1 connections are unaffected. |
PRJ-57943, PRJ-58107 | VPN | When configuring machine authentication without an LDAP server, the computer is authenticated during the connection with the RA VPN. However, the logs in SmartConsole do not display the "Authenticated machine ..." message as expected. |
PRJ-58155 | VPN | VPN connection may not be stable when transitioning from Legacy Link Selection to R82 Link Selection. |
PRJ-58067 | VPN | Different members in a Quantum Maestro environment may show different statuses for VPN probes. |
PRJ-58268 | VPN | After traffic is stopped and tunnels are deleted, the tunnels may appear as "Disconnected" for about 30 seconds, and then again as "Connected" because of DPD probing. |
PRJ-58750, PMTR-109317 | VPN | Remote Access VPN client repeatedly reconnects to a VPN Virtual System when it connects through another Virtual System on a Scalable Platform in the VSX/VSNext mode. Refer to sk183052. |
PRJ-57423, PMTR-108927 | VSNext | In VSNext, multiple CPRID processes running on different ports per virtual system may cause instability in large scale environments. |
PRJ-58165 | Gaia OS | The ROUTED daemon fails to start when a VTI is configured with a local IP address that matches the next-hop address used in the static route configuration. Refer to sk182848. |
PRJ-58036 | Scalable Platforms | Using the "#" character in the Message of the Day (MOTD) banner message causes SGMs to fail during boot. |
PRJ-57640 | Scalable Platforms | Security Group Member may be in Down state during the license distribution to Maestro Security Group members. Refer to sk181245. |
PRJ-57606 | Scalable Platforms | When running the "enabled_blades" command multiple times simultaneously, the command output may be incorrect. |
PRJ-58736 | Scalable Platforms | In a Maestro environment, a Security Gateway may enter a reboot loop because of sync issues of the settings.fwset file. |
PRJ-58375 | Scalable Platforms | In rare scenarios, Security Group members may fail to receive their Gaia database from the Single Management Object (SMO). When this occurs, gClish commands related to these missing Security Group configurations may fail. |
PRJ-56444 | Carrier Security | When Carrier Security is enabled, GTP-U packets are incorrectly matched against GTP rules instead of a non-GTP UDP rule, causing drops with the "Unestablished tunnel" error. |
Take 12 Released on 26 February 2025 and declared as Recommended on 18 March 2025 |||
Take 12 - Improvements and Resolved Issues |||
PRJ-59635, PMTR-113416 | Gaia OS | In a rare scenario, when installing a blink package, the Security Gateway may get stuck in a boot loop. |
Take 10 Released on 27 January 2025 |||
Take 10 - Improvements and Resolved Issues |||
PRJ-56747 | SmartConsole | UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Fix for Remote Access VPN and login to SmartConsole, Mobile Access and Identity Awareness Captive Portal. Refer to sk182516. |
PRJ-58281, PMTR-97400 | Security Gateway | UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL. |
PRJ-57491 | Security Management | UPDATE: The Management API command "set-https-rule" now automatically sets the negative value to "false" when modifying the destination, source, service, or site-category fields, regardless of its previous setting. |
PRJ-57066 | SecureXL | UPDATE: |
PRJ-58125, PMTR-106186 | Scalable Platforms | UPDATE: Added support for Multicast Listener Discovery (MLD) on Maestro Hyperscale Orchestrator (MHO). |
PRJ-57074 | Security Management | In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file. |
PRJ-58104 | Security Management | Audit logs may not be generated when changes are made to an inline (shared) layer that appears multiple times within the same policy. |
PRJ-57319 | Security Management | The Database Installation progress bar may not update during task execution. |
PRJ-59004, PMTR-111056 | Security Management | When editing the administrator expiration date, after publishing, the expiration date resets to "Never". Refer to sk182997. |
PRJ-56542 | Multi-Domain Security Management | In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains. |
PRJ-56532 | Multi-Domain Security Management | The Multi-Domain Security Management Server experiences high CPU usage when communicating with the Multi-Domain Log Server, and the cpm.elg log prints the "You have reached the maximum number of active session" error. Refer to sk182738. |
PRJ-57531 | Multi-Domain Security Management | In rare scenarios, in Multi-Domain Security Management environments, login to SmartConsole fails. |
PRJ-57310 | SmartConsole | SmartConsole fails to connect with "Unable to connect to server. Server is initializing". Refer to sk182507. |
PRJ-57273, PMTR-108672 | SmartConsole | When the Security Management has an additional NAT configuration in the SD-WAN policy (Infinity Portal), an indicating banner may not appear in SmartConsole NAT Rule Base. This is a cosmetic issue. |
PRJ-58050 | Security Gateway | In a rare scenario, the FWK process may exit when processing traffic over QUIC protocol. |
PRJ-58659, PMTR-110556 | Security Gateway | In a rare scenario, the FWK process may exit due to a race condition. |
PRJ-56911, PRJ-56840, PRHF-35918 | Security Gateway | The Security Gateway may crash after a failure in policy installation. |
PRJ-56702 | Security Gateway | Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725. |
PRJ-57844 | Security Gateway | In a rare scenario, when multiple Elephant Flows are running in parallel in the accelerated pipelining path, there may be high CPU utilization. Refer to sk183007. |
PRJ-58100 | Security Gateway | Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807. |
PRJ-57109 | Security Gateway | Memory leak may occur in SecureXL templates. Refer to sk182648. |
PRJ-57895, PMTR-108660 | Security Gateway | DoS protection and connection rate limiting configurations may fail to effectively enforce rules. |
PRJ-57098, PMTR-108273 | SD-WAN | In a rare scenario, when SD-WAN transport is incorrectly marked as "UP" although its underlying ISP interface is "DOWN", traffic fails to reach the remote peer because of incorrect routing decisions. |
PRJ-58021 | Threat Prevention | In a VSX environment, enabling Threat Prevention blades may cause continuous file accumulation on the Security Gateway's hard drive. |
PRJ-57007, PRHF-35823 | Threat Prevention | In some scenarios, when Zero Phishing is enabled, a kernel crash may occur. |
PRJ-57926 | Identity Awareness | Identity Broker Subscriber configured with recalculation of Access Roles does not match all Access Roles after the User and Machine are identified. |
PRJ-56869, PRJ-56873, PRHF-35636 | Identity Awareness | In rare scenarios: Refer to sk182613. |
PRJ-57046 | Identity Awareness | In a rare scenario, the PDPD process may unexpectedly exit during policy installation. |
PRJ-57411 | SSL Inspection | The Trusted CA package update fails when the Security Management Server connects to the Internet only through a Proxy Server. |
PRJ-57682 | SecureXL | A memory leak may occur in the SIM process when using DOS/Rate Limiting rules. |
PRJ-58592, PMTR-110486 | SecureXL | When working with SecureXL in User mode (UPPAK), some CPUs may reach 100% utilization when enabling or disabling debug filters. |
PRJ-57801 | SecureXL | Policy installation failures can disrupt the expected behavior of "fwaccel dos" commands. |
PRJ-57558 | VPN | SSL Network Extender (SNX) traffic on Maestro may be dropped with "vpnk_tcpt invalid negative tunnel id". Refer to sk182806. |
PRJ-56335 | VPN | An ECDH object may be deleted before its associated event has completed processing. |
PRJ-57901 | VPN | After a cluster failover, VPN tunnels may not be stable. |
PRJ-56499 | VPN | There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730. |
PRJ-57825 | VSX | Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950. |
PRJ-56915 | VSX | In SmartConsole, in the Device and License Information view, the Compliance Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present. |
PRJ-57059, PRHF-34508 | VSX | After a Jumbo Hotfix upgrade, the Mail Transfer Agent may fail on all Virtual Systems except one. |
PRJ-56875 | Harmony Endpoint | During patch deployment in Posture Management, attempting to patch multiple systems for a specific application using the "Group By Application" option fails with the "Failed to Start Patching Process" error. |
PRJ-57473 | Scalable Platforms | In rare scenarios, Interface Active check may cause a Security Gateway crash when probing a local network. |
PRJ-58056, PRHF-37015 | Scalable Platforms | When handling multiple shared uplinks across numerous interfaces, errors related to LACP bond uplink updates may be printed in logs. |
PRJ-58195, PMTR-109784 | Scalable Platforms | In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Member (SGM). |
PRJ-58127, PMTR-109620 | Scalable Platforms | In rare scenarios, authentication between MHOs is not established. Trying to establish authentication manually fails with the "TrustEstablishmentError: Failed to set up communication user on host 1_1: invalid literal for int() with base 10" error. |