List of All Resolved Issues and New Features in R82 Jumbo Hotfix Accumulator

NEW: Added statistics for Top Matched Access Control Rules and Top Log Types in the Logs view of SmartConsole and in the response of the "show logs" Management API command. This allows to identify the rules that generate a high volume of logs.

UPDATE: Resolved CVE-2024-52885. Mobile Access File Share applications are vulnerable to directory traversal attacks. Refer to sk183137.

UPDATE: Updated the "show asset" command output with the correct details for the X7 4-port card (CPAC-4-10/25F-DA model).

UPDATE: Log Exporter is now delivered as an autoupdatable package, replacing the maintrain-based deployment. This approach shifts from version-based to component-level updates, enabling a more granular and agile update mechanism. Refer to sk182866.

UPDATE: Improved processing of ICMP packets in the Security Gateway.

UPDATE: Added an out-of-the-box package for updatable objects that is included with clean installations or Jumbo Accumulator Hotfix Takes (when no other package exists). If the out-of-the-box package is present during policy installation, an update is now initiated in addition to the automatic update.

UPDATE: The "fwha_allow_different_corexl_instances" kernel parameter is now added to prevent cluster members from entering a Down state because of firewall instance count mismatches.

An FD (file descriptor) memory leak may occur when creating a new object in SmartConsole.

The "Management rejected fetch for this module - version matching problem" error is displayed when running the "fw vsx fetch" command on an R81.x Scalable Platform (Maestro and Chassis) in VSX mode with an R82 Security Management Server. Refer to sk183298.

Fetching branches from an LDAP Server fails with "Failed to connect to LDAP Server. Please ensure that the administrator's credentials are correct and try again" when the LDAP Server does not support anonymous bind (when a client connects to an LDAP server without providing any credentials). To enable the ability, refer to sk183461.

Deleting a user that is used in a user group with more than 1000 users may cause SmartConsole to time out.

In some scenarios, when exporting the Gateways and Servers View to CSV, the resulting file may contain an extra empty column. Refer to sk182233.

In some scenarios, policy installation fails with the "/opt/<xxxxx>-R81.20/conf/Policy-name.pf" line N: ERROR: syntax error Error compiling IPv6 flavor. Operation ended with errors" error.

In rare scenarios, accelerated policy installation fails to initialize, the full Access Control Policy installation is executed instead and it may take up to 20 minutes.

The "vsx-run-operation" Management API command may fail on the Multi-Domain Security Management Server. Refer to sk182524.

In some scenarios, the Postgres database on the Standby Security Management Server is growing after every High Availability synchronization. Refer to sk182868.

The "show lsm-gateway" and "show lsm-gateways" Management API commands may return an empty "version" field.

In rare scenarios, Domain creation fails with "Failed to create Domain server '<Domain Server Name>'. The connected administrator has no permission to create a Domain-Server on the specified Domain".

CPView history may be corrupted.

When the Mirror and Decrypt feature is enabled, the SKB memory leak may occur.

ElasticXL members communicating with the pivot cluster member may transition to DOWN state when synchronization between the pivot and other members is lost.

Security Gateways with default MDPS task settings using proxy can fetch CPUSE updates and licenses successfully. On MPLANE updatable objects are not updated while everything works on DPLANE.

Enabling debugging in Quick UDP Internet Connections (QUIC) flows may cause an FWK process crash.

In rare scenarios, downloading large files over HTTPS may get stuck.

In a rare scenario, after an upgrade, the Security Gateway may crash with a vmcore.

RADIUS authentication fails when a response packet contains the Message-Authenticator attribute. Refer to sk183244.

In a rare scenario, a script related to CPView may take a long time to execute and the SCRUBD process becomes unresponsive.

In some failure scenarios, the Anti-Virus blade does not report the failure in a SmartConsole log.

The Mobile Access Portal hosted on a Security Gateway R81.20 or lower becomes unresponsive, and CVPND core files are generated after the Security Management Server is upgraded to version R82.

If both bond subordinate interfaces are down, the output of "cphaprob show_bond bond" command is corrupted.

A Multi-Version Cluster (MVC) member with VPN enabled may crash when performing an upgrade from R80.40.

In VSX environments, deleting a Virtual System interface through SmartConsole fails to remove certain bindings, causing the interface to be automatically re-added.

The USIM process to exit during error logging.

The USIM process may crash during route updates when the Hardware Acceleration offloading connection is active.

In rare scenarios, after enabling Bridge Mode, a cluster member may stuck in a boot loop.

The Security Gateway may crash when connected to the Smart-1 Cloud Management Server and a maas_tunnel interface is repeatedly added and deleted.

Multiple SNMP OIDs return incorrect data types. Refer to sk183166.

Exporting logs using the "backup -l" command may fail.

In rare scenarios, users may be disconnected from SmartConsole, and an FWM process core dump is generated.

When working in User Mode (UPPAK), SecureXL may crash when multiple SND cores perform simultaneous next hop lookup for the same next hop.

The ROUTED daemon may exit when processing OSPF network updates in a cluster environment. This occurs because of a timing issue in the routing protocol synchronization process.

In some scenarios, the ROUTED daemon may exit with a core dump file.

A memory leak occurs in the ROUTED daemon when CoreXL is running OSPF and handling large numbers of LSAs combined with frequent route flaps.

When deleting a bond interface with slaves still attached while maintaining both WebUI and SSH sessions, the deletion succeeds but generates "unregister_netdevice" syslog messages and terminates the WebUI session. The issue occurs because local connections to the Gateway cause slow bond interface deletion, leading to WebUI timeout.

In rare scenarios, VPN traffic connectivity may be lost during policy installation.

In a rare scenario, the FWK process may exit during VPN traffic decryption and routing when the PPPoE interface is enabled.

The "fw stat" command output may not display the correct policy name for a Virtual System.

A static route to 0.0.0.0, regardless of the subnet mask, is incorrectly treated as the default route (0.0.0.0/0) and does not appear in the VSX Gateway's routing table. Refer to sk182742.

SD-WAN fails to obtain next hop address automatically from the DHCP Server.

In rare scenarios, SD-WAN policy installation hangs indefinitely.

Connections with fragmented packets drop with the "Virt Defrag Timeout" error. Refer to sk182559.

In rare scenarios, the connection between the Security Gateway (acting as a proxy) and the Security Management Server is not closed correctly.

In a Security Group in VSX mode, if an interface's link state changes during boot, there may be a delay in updating the link state. This delay can cause traffic interruption on that interface.

The CPD process may exit during policy installation on a Scalable Platforms cluster on Quantum Force 29000 appliances.

NEW: SD-WAN functionality now supports AWS Cross Availability Zone and traffic steering with configurable multi-target probing.

UPDATE: Added the "Type" and "Resource" columns to the HTTPS Inspection Logs table under Logs & Events.

UPDATE: Added support for using Network Groups in the "Install On" column of the NAT Policy.

UPDATE: Added a count of Session and Connection logs to the "cpstat" command output.

UPDATE: Support TLS 1.3 for the RAD process requests. To activate it, change the TLS version to "TLSv1_3". Refer to sk178505.

UPDATE: Added a kernel parameter "domo_reverse_lookup_disabled" to disable reverse DNS lookups to avoid rare incorrect matches in scenarios involving non-Fully Qualified Domain Name (non-FQDN) Domains.

• "domo_reverse_lookup_disabled 1" to disable reverse DNS lookups.

• "domo_reverse_lookup_disabled 0" to enable reverse DNS lookups (the default value).

UPDATE: HTTPS Inspection statistics are now available through SNMP requests.

UPDATE: Added support for the Mobile Access Portal "WebSocket" applications to work in environments with asymmetric network bandwidth (the download speed is faster than the upload speed) between external and internal networks. Refer to sk95311.

UPDATE: Added selection of specific Security Gateways to onboard to the Infinity Portal, and the ability to disable the feature completely. Refer to sk180557.

UPDATE: In the Clish API, added the comprehensive VSNext task monitoring capabilities, previously available only in the WebUI.

UPDATE: Rather than using the management switch, it is now possible to choose a different management interface for each virtual system (VS).

UPDATE: Traffic between an external network host and an internal network host is now accelerated when a static NAT is configured to translate a cluster member's IP address or specific high port to an internal host IP address or specific service port. This scenario is relevant in Check Point CloudGuard Network Security Azure High Availability deployments, where traffic passes through a Load Balancer.

• To enable acceleration, add this kernel parameter to the $FWDIR/boot/modules/fwkern.conf file - "accel_dnat_to_cluster=1".

• The change can also be applied immediately to the running FW1 process without requiring a reboot: "fw ctl set int accel_dnat_to_cluster 1".

In SmartConsole, in the Gateways & Servers view, under Device & License Information of a Security Gateway or Cluster object, or in CPView and SNMP traps, the value of "new connection rate" for OID .1.3.6.1.4.1.2620.1.1.26.11.6.0 is incorrect.

In rare scenarios, a core file of the CPRLIC process is generated.

Login using a TACACS Server created with the "add tacacs-server" Management API command, fails with "authentication to server failed".

Creating a Threat Prevention Exception from a log fails with the "Failed to add exception" error when the "File Name" field in the log contains a Windows directory separator ("\").

In some scenarios, Web SmartConsole session gets disconnected after several minutes.

In rare scenarios, when more than one Security Blade is enabled on the Security Gateway, Presets for policy installation may fail after purging all revisions.

When using SmartWorkflow on a Security Management Server with more than 200 administrators, requests may stall or cause SmartConsole crashes during submission.

Access Control Policy installation may take a long time when updatable objects are used in the policy.

In rare scenarios, login to SmartConsole using LDAP, TACACS or RADIUS authentication fails with a timeout.

Global Policy Reassignment fails with the "org.postgresql.util.PSQLException: ERROR: more than one row returned by a subquery used as an expression" error printed in the cpm.elg file.

In rare scenarios, policy installation fails with "Policy installation had failed due to an internal error".

When modifying the URL definition type in an Application Site object using the "set application-site" Management API command with the "urls-defined-as-regular-expression" parameter, the type of pre-existing URLs remains unchanged.

In some scenarios, policy state directories are synchronized between Active and Standby Security Management Servers, leading to high disk space usage.

Duplicated licenses on the Security Management Server may impact the vsec_lic_cli utility.

In some scenarios, opening a specific VPN community in SmartConsole fails and the "Unable to load page" message is printed, while other communities can be opened.

If a custom login message exceeds 1000 characters, the login output file, which contains the sid and other session data, cannot be parsed as expected. Using the "mgmt_cli" with the "-s" parameter results in the "Failed to parse login output file" error.

When a Security Gateway object is deleted, its license may still appear as attached even though the Security Gateway Object no longer exists.

In a rare scenario, December date comments in the IPS User Settings view may display incorrect year.

In a Multi-Domain Security Management environment, RADIUS authentication may be sent with an incorrect IP address. Refer to sk180723.

In a Multi-Domain Security Management environment with a VSX Gateway, such operations as login to SmartConsole, Global Domain Assignment, Domain creation or deletion may take longer than expected or fail with a timeout message "Task failed".

In certain scenarios, when Cluster objects are used in a Multi-Domain Security Management Server with Domains that have Global Domain Assignments, an upgrade may fail with "Tried to persist object OBJ_ID with domain 1e294ce0-367a-11e3-aa6e-0800200c9a66 while active domain is DOMAIN_ID".

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or with the Advanced Upgrade method.

Policy installation fails on all Domains on the Multi-Domain Security Management Server with "Layer '<LAYER NAME>': Verification failed due to an internal error" if an Externally Managed Security Gateway object with IPsec enabled does not have an encryption Domain. Refer to sk183003.

Multiple errors "T_get_event: cannot register socket %d (%d sockets already registered for %s)" are printed in $MDSDIR/log/ in.msd.

Interfaces with VLAN are not visible in CPView stats.

When opening a log card in the Logs View, duplicate values may appear in the "Resource" and "Reason" fields.

The "fileapp_parser_get_attribs: call orig_get_attrib failed" error is printed in the $FWDIR/log/fwk.elg file.

VoIP H.323 calls are dropped with reason "Handler 'h323_h245_code' reject". Refer to sk182835.

In a rare scenario, when the Anti-Virus Blade and the ICAP Server are enabled, there may be high CPU usage.

Local connections originating from the Security Gateway may fail to refresh their timeout values.

In rare scenarios, HTTPS inspection may block the downloading and uploading of PDF files to and from the Web Server.

In a specific scenario, file downloads intermittently stop until resumed manually because of HTTP parsing issues and Content Awareness parsing failures.

The DSD process (Dynamic Split Daemon) may exit when the "affinity" command input is large.

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway.

• The CPD or FWK process may unexpectedly restart when handling the interface statistics.

• The CPVIEW_SERVICES, RAD, SNMPD and VPN processes may exit with a core dump file because of memory corruption.
  Refer to sk183544.

A rare race condition may cause a Security Gateway to restart when updating the statistics.

In rare scenarios, Security Gateway may crash when running the "ethtool -x" or the "ethtool -X" command for an interface that uses the AWS ENA network driver.

After enabling Security Zones in NAT Rule Base, wrong IP address is shown in logs and NAT is performed incorrectly. Refer to sk183088.

In a rare scenario, the FWK process may exit because of memory corruption.

In a rare scenario, Security Gateway may crash with vmcore when working in Kernel Mode Firewall (KMFW).

A stability issue where the ICAP Server may unexpectedly restart when processing traffic from a Security Gateway with Threat Emulation enabled.

In a rare scenario, VoIP Traffic fails after the initial call when SecureXL operates in User Mode (UPPAK). Refer to sk183218.

Incorrect memory handling may cause the FWK process to unexpectedly exit.

In rare scenarios, SSH connections may be dropped when SSH Deep Packet Inspection (SSH DPI) is activated on the Security Gateway.

The Threat Extraction Software Blade may inadvertently delete some system files on the Security Gateway. Refer to sk183512.

PDP to PEP Identity synchronization may fail on the PDP side if an alternative IP address for PEP communication is configured, as described in sk60701.

In a rare scenario, when fetch_by_SID is enabled, the PDPD process repeatedly exits. Refer to sk182745.

If the Access Rule Base does not contain Extended/Detailed Log Tracking options, category override functionality fails when the "partial load" feature is enabled.

URL Filtering may not classify a site in a specific rare scenario when the Security Gateway is configured as a proxy.

In some scenarios, a Security Gateway is not listed as an option for the Threat Prevention uninstall, even though the Threat Prevention Blade is disabled on the Security Gateway object.

DLP policies may not correctly block password-protected and unprotected files during Google Drive uploads, despite the Content Awareness Blade configuration.

RAD queries fail, generating "wrong status code in reply" errors logged in $FWDIR/log/rad_events/Error/* files. Refer to sk183009.

When the Security Gateway with FIPS mode is enabled, running the Anti-Virus and Anti-Bot Blades updates with the "fw update -b AB -b AV -f" command fails.

The "Detect" logs for Client's TLS alerts are not aligned with the Server's TLS alerts logs. This is a cosmetic issue.

The "HTTPS Inspection Rule ID" and "HTTPS Inspection Rule Name" fields are seen in the "Bypass Under Load" and "Learning Mode" bypasses logs although they should not be printed.

The CPHAPROB process may exit with a core dump file.

Running the "cphaprob -a if <interface name>" command in the VSX Cluster may cause the FWK process to exit.

A race condition may occur during startup when the ROUTED daemon does not receive all cluster Virtual IP addresses, causing static routes to disappear.

Packet drops may occur if the same multicast packet is received on multiple interfaces.

The packets may not be accelerated because of a routing issue.

SecureXL in User Mode (UPPAK) may restart when the Security Gateway is under high load and cpWatchDog triggers a reboot.

Running the "tcpdump" command on all interfaces (for example, "tcpdump -peni any") on machines with SecureXL in User Mode (UPPAK) while under heavy traffic load may cause the system to hang. Refer to sk183222.

The USIM_x86 process may potentially exit because of a race condition when a route is simultaneously used by multiple SND cores.

In some scenarios, the Security Gateway may crash while running "cpstop" or disabling MDPS when SecureXL works in User Mode (UPPAK).

SecureXL in User Mode (UPPAK) may be incorrectly enabled or disabled during runtime or Jumbo Hotfix Accumulator installation.

In an asymmetric UDP traffic scenario (Client-to-Site VPN and Site to Site VPN distributed to different members), the connection may not get accelerated.

After a VSX reboot, other Virtual Systems (VS's) enter a Down/Lost state while USIM core files are generated.

Duplicate entries in the kernel routing table can occur when iBGP peers disconnect and reconnect, causing the same routes to be added multiple times rather than properly replaced.

The ROUTED daemon asserts when enabling eBGP multihop on a directly connected interface.

BGP sessions may terminate upon receiving a BGP Update containing an AS_SET Path Attribute when Peer Local AS was configured on the Security Gateway.

After establishing a successful VPN connection from IKEv2 Client to VS with traffic flowing, the Client disconnects repeatedly with "VPN tunnel has disconnected: Failed to renew IP address" then reconnects with a new Office Mode IP address.

In VSX/VSNext environments with 50 or more VS's, CPView VSX statistics is blocked until re-enabled manually.

VSNext configuration is not included in the output of the "show configuration" command in Clish.

VS creation request may fail because the timeout was too short

Some Management API requests may not be sent when creating many VS's in parallel.

Creating multiple Virtual Gateways may fail with the "Setting management connection failed!" message.

SNMP counters may return incorrect data on VSX.

In a rare scenario, during the VSX Gateway Wizard, SmartConsole disconnects with the warning "The connection with the server was lost. Any unsaved changes will be preserved". And SmartConsole may crash with the "SmartConsole has experienced a serious problem and must close immediately" error.

After enabling CoreXL instances on a Virtual System, the policy status may be displayed as "N/A".

In a Maestro environment with RADIUS users, accessing the Gaia Portal for MHO causes an "ERR_EMPTY_RESPONSE" error and may cause the Gaia Portal (WebUI) not to respond.

The Redis Server does not start after installing the Gaia API Build 299. Refer to sk143612.

The CloudGuard Network Central License utility incorrectly distributes licenses to Azure Virtual vWAN Gateways that already have licenses included during deployment.

The logging_worker daemon may consume a lot of memory per Virtual System.

In VSNext mode, Virtual Systems there may be high CPU consumption.

Import an R82 upgrade package may fail with "[ERROR] Failed to transfer package to several members, Import was aborted" because of timeout which occurs while copying the package to all Security Group members.

Gaia database lock on a Maestro Security Group configured with Management Aggregation (MAGG) is lost when using API or Gaia gClish to add a new Management interface to the Security Group. Refer to sk183031.

DNS configuration may not be pulled to other Security Gateway Members (SGMs) from the Single Management Object (SMO).

Maestro may not properly respond to Router Solicitation messages with the expected Router Advertisement messages.

The "ws_mux_host_only_active_pass: ERROR: There is not enough data in stream to pass" error may be printed in logs. This is a cosmetic issue.

When running the license deletion command "g_cplic del <license signature to delete>" in a Maestro setup, the license is removed from the cp.license file but not from cp.license.smo, causing the deleted license to unexpectedly reappear after a policy installation.

The "asg_dr_verifier" script fails when OSPF Graceful Restart is configured with a grace period.

NEW:

• Added ARP Next-Hop prober to enhance support for additional network topologies.

• Introduced HTTP prober to reflect real-time Web Access metrics.

• Implemented Link Aggregation mode proportional to Download and Upload bandwidth.

• Administrators are now able to override SD-WAN interface Circuit configuration.

• Integrated Forward Error Correction to ensure successful traffic delivery by adding error correction code packets to the Overlay packet stream.

• Introduced Dynamic Objects (SD-WAN Internet, My VPN Domain, and Peer VPN Domain) to better represent Overlay and Internet address spaces.

• Added administrator control for Symmetric Packet Return, forcing Ingress Traffic to be replied on the same ISP.

• Enabled SD-WAN Overlay establishment across different Domains using Global VPN Community (MDS).

• Allowed SD-WAN Overlay to operate on top of Route-based VPN.

• Increased maximum Overlay size to support up to 500 Security Gateways.

• Improved accuracy of SD-WAN decision-making during policy installation.

• Enabled setup of IPv4 SD-WAN overlay when non-SD-WAN IPv6 interfaces are configured.

UPDATE: Resolved CVE-2024-52888 - Mobile Access File Share applications are vulnerable to stored XSS attacks. Refer to sk183055.

UPDATE: The Global Domain automatic purge settings now automatically restore and reschedule after a Security Management Server restart.

UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved system reliability and security performance.

UPDATE: Added a new Gaia Clish parameter to ignore the Autonomous System (AS) Path when aggregating routes: "set aggregate <IP Address>/<IP Mask> aspath-ignore {on | off}". Note, enabling "aspath-ignore" will disable "aspath-truncate" if configured.

UPDATE: Optimized memory management when processing Jumbo Frames.

UPDATE: In ElasticXL, restoring Gaia OS backup is now supported.

In VSNext ElasticXL Load Sharing environments, traffic latency and interface flapping may occur between two members in the Virtual Switch (VSW), when the switch is configured on non-management interfaces and both members are on the same site.

In SmartConsole, in the Quantum Spark Cluster object, editing the interfaces (manually or with the "Get Interfaces" action) fails with an unclear error message "Failed to save object".

In rare scenarios:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Scheduled Snapshot Issues:

• Gaia may not recognize the Remote Server as a known host during scheduled backup creation, even after following sk164234 instructions.

• The "Remote server identity is not known by Gaia" error is displayed despite proper HBA configuration.

• The "set snapshot-scheduled recurrence monthly" command fails when using the "all" option.

Refer to sk182665.

In some scenarios, SmartTasks triggered by "after submit", "approve" and "reject" events fail to run.

In some scenarios, deleting a Security Gateway object fails if the Security Gateway is a participant in the Global VPN Community.

In the "Gateways and Servers" tab, when opening a shell on a specific Security Gateway, a "Connection failed" message pops up.

Performing changes to the Global Properties may not be possible if:

• Encryption algorithms in Remote Access > VPN-Authentication and encryption are SHA384 or SHA512.

• There is at least one Security Gateway configured with a version lower than R81.

In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck.

• The fix will only be applied if the upgrade to R82 Jumbo Hotfix Accumulator Take 14 or higher is done using a Blink image or the Advanced Upgrade method.

In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow.

When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.

Incorrect Rule Base parameters synchronization logic may lead to the FWK process exit.

High CPU usage on SND cores related to processing network traffic and distributing it to the appropriate firewall instances.

Large NAT Rule Base may lead to high CPU usage during packet processing.

The FWK process may exit with a core dump file when the Security Gateway passes SMB traffic and the Hyperflow feature is enabled.

PPPoE interface fails to restart when it is disconnected from the Server side. Refer to sk182154.

In a rare scenario, the PDPD process may unexpectedly exit during the PDP sharing flow.

HTTPS Site Categorization fails to properly handle unsupported QUIC protocol versions, causing classification errors instead of following the configured fail-mode (open/close) policy.

The DLP blade may not block the password-protected files of a specific type, although it should.

HTTPS inspection session logs lack detailed explanations in the "explanation" field, displaying generic messages that do not clarify action reasons. This is a cosmetic issue.

During cluster startup with routing separation enabled, a mismatch between routing and firewall process initialization can trigger premature full synchronization pnotes when the routing process is not fully synchronized.

SD-WAN may not work as expected when SecureXL User Space Mode (UPPAK) is enabled.

Routing related connectivity and stability issues may occur when SecureXL operates in User Mode (UPPAK). Refer to sk183181.

The "iphelper" (IP Broadcast Helper) service may trigger high CPU utilization because of a recursive packet broadcasting loop between network interfaces.

Network traffic to the Internet experiences slowdowns and file download interruptions due to packets being dropped with "OS routing failed" errors during route lookup failures.

Two or more Endpoint Security VPN (Remote Access VPN) Users may get the same Office Mode IP address. Refer to sk182537.

When using machine-restricted Access Roles, IKEv2 VPN connections fail at the cleanup rule due to missing machine information and user source IP, while IKEv1 connections are unaffected.

VPN connection may not be stable when transitioning from Legacy Link Selection to R82 Link Selection.

After traffic is stopped and tunnels are deleted, the tunnels may appear as "Disconnected" for about 30 seconds, and then again as "Connected" because of DPD probing.

In VSNext, multiple CPRID processes running on different ports per virtual system may cause instability in large scale environments.

Using the "#" character in the Message of the Day (MOTD) banner message causes SGMs to fail during boot.

When running the "enabled_blades" command multiple times simultaneously, the command output may be incorrect.

In rare scenarios, Security Group members may fail to receive their Gaia database from the Single Management Object (SMO). When this occurs, gClish commands related to these missing Security Group configurations may fail.

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

UPDATE:

• Improved debugging in the Security Gateway to identify problematic hosts when resolving their next-hop IP addresses.

• The custom ADP queue size configuration now persists after rebooting the Security Gateway. The relevant global parameters are located in the $PPKDIR/conf/adpkern.conf file:

  • "adp_nh_total_max_arp_qents"

  • "adp_nh_local_max_arp_qents"

In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file.

The Database Installation progress bar may not update during task execution.

In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains.

In rare scenarios, in Multi-Domain Security Management environments, login to SmartConsole fails.

When the Security Management has an additional NAT configuration in the SD-WAN policy (Infinity Portal), an indicating banner may not appear in SmartConsole NAT Rule Base. This is a cosmetic issue.

• Requires R82 SmartConsole Build 1051 or higher.

In a rare scenario, the FWK process may exit due to a race condition.

Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725.

Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807.

DoS protection and connection rate limiting configurations may fail to effectively enforce rules.

In a VSX environment, enabling Threat Prevention blades may cause continuous file accumulation on the Security Gateway's hard drive.

Identity Broker Subscriber configured with recalculation of Access Roles does not match all Access Roles after the User and Machine are identified.

In a rare scenario, the PDPD process may unexpectedly exit during policy installation.

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

Policy installation failures can disrupt the expected behavior of "fwaccel dos" commands.

An ECDH object may be deleted before its associated event is completed processing.

There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730.

In SmartConsole, in the Device and License Information view, the Compliance Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present.

During patch deployment in Posture Management, attempting to patch multiple systems for a specific application using the "Group By Application" option fails with the "Failed to Start Patching Process" error.

When handling multiple shared uplinks across numerous interfaces, errors related to LACP bond uplink updates may be printed in logs.