List of All Resolved Issues and New Features in R82 Jumbo Hotfix Accumulator

Review the Critical Information section before installing a new Take.

ID

Product

Description

Take 36

Released on 31 July 2025

Take 36 - New Functionality

PRJ-60966,
PMTR-90911

Security Management

NEW: In SmartConsole, the CSV export file of Access Control Policy NAT rules now contains the hit count data: "Hits", "First Hits" and "Last Hits" columns.

PRJ-60497,
PMTR-114492

Security Management

NEW: Added statistics for Top Matched Access Control Rules and Top Log Types in the Logs view of SmartConsole and in the response of the "show logs" Management API command. This makes it possible to identify the rules that generate a high volume of logs.

PRJ-62732,
SMBGWY-12611

Security Management

NEW: Added support for the Quantum Spark 2500 appliances (2530, 2550, 2560, 2570, and 2580) in the EA (Early Availability) program.

Take 36 - Improvements and Resolved Issues

PRJ-60718,
PMTR-114504

Logging

UPDATE: Resolved CVE-2025-2028. Lack of TLS validation when downloading a visualization support data file. Refer to sk183349.

PRJ-59425,
PMTR-112077

Mobile Access

UPDATE: Resolved CVE-2024-52885. Mobile Access File Share applications are vulnerable to directory traversal attacks. Refer to sk183137.

PRJ-59537,
MGMTPROD-1385

Security Management

UPDATE: In SmartConsole and Management API, Access and NAT Policies now support Rule Base search for hitcount values.

PRJ-62283,
PMTR-114192

Security Management

UPDATE: Updated the "show asset" command output with the correct details for the X7 4-port card (CPAC-4-10/25F-DA model).

PRJ-61388,
PRHF-39859

Security Management

UPDATE: On Security Management Servers, environment variables set using the override_server_setting.sh script now apply to all processes. Refer to sk165938.

PRJ-60245,
PMTR-110297

Logging

UPDATE: Log Exporter is now delivered as an autoupdatable package, replacing the maintrain-based deployment. This approach shifts from version-based to component-level updates, enabling a more granular and agile update mechanism. Refer to sk182866.

PRJ-60790

Logging

UPDATE: In SmartConsole > Logs & Monitor > Logs, added information to the "Per Session" logs:

  • NAT fields

  • Dynamic object name

  • Updatable object name

  • Network feed object name

  • Destination Domain Name field

PRJ-59881,
PRHF-38023

Security Gateway

UPDATE: Improved processing of ICMP packets in the Security Gateway.

PRJ-61680

Security Gateway

UPDATE: Quantum Force 9400 and 9300 appliances with Standalone configuration now run in User Space Firewall (USFW) Mode by default.

PRJ-60047,
PMTR-110330

Security Gateway

UPDATE: Added an out-of-the-box package for updatable objects that is included with clean installations or Jumbo Hotfix Accumulator Takes (when no other package exists). If the out-of-the-box package is present during policy installation, an update is now initiated in addition to the automatic update.

PRJ-61470,
PMTR-116355

VPN

UPDATE: Added the "inclusions" feature to the Split Tunnel Remote Access functionality. Refer to the R82 Remote Access VPN Admin Guide > Dynamic Split Tunneling for SaaS Using Updatable Objects.

PRJ-61795,
PRHF-40060

Scalable Platforms

UPDATE: The "fwha_allow_different_corexl_instances" kernel parameter is now added to prevent cluster members from entering a Down state because of firewall instance count mismatches.

PRJ-61404,
PMTR-112536

Scalable Platforms

UPDATE: Increased the maximum supported number of Uplink interfaces from 64 to 99 on Maestro Orchestrator. Refer to Quantum Maestro Getting Started Guide.

PRJ-60352,
PMTR-114300

Diagnostics

An FD (file descriptor) memory leak may occur when creating a new object in SmartConsole.

PRJ-60500,
PMTR-114274

Security Management

VPN certificate renewal may generate certificates with 2K key sizes instead of the 3K size specified in Global Properties.

PRJ-61469,
PMTR-109056

Security Management

The "Management rejected fetch for this module - version matching problem" error is displayed when running the "fw vsx fetch" command on an R81.x Scalable Platform (Maestro and Chassis) in VSX mode with an R82 Security Management Server. Refer to sk183298.

PRJ-61359,
PRHF-39806

Security Management

In some scenarios, a cluster object may not be listed in the "Uninstall Threat Prevention Policy" window.

PRJ-61318,
PRHF-39827

Security Management

Fetching branches from an LDAP Server fails with "Failed to connect to LDAP Server. Please ensure that the administrator's credentials are correct and try again" when the LDAP Server does not support anonymous bind (a client connecting to an LDAP server without providing any credentials). To enable the ability, refer to sk183461.

PRJ-61477,
PRHF-40016

Security Management

In rare scenarios, the CPRLIC process may exit with core files generated to the /var/log/dump/usermode/ directory on the Security Management Server.

PRJ-60470,
PRHF-38859

Security Management

Deleting a user that is used in a user group with more than 1000 users may cause SmartConsole to time out.

PRJ-60433,
PRHF-38563

Security Management

Virtual System routes and interfaces may not be synchronized to the Standby Security Management Servers.

PRJ-59100,
PRHF-33411

Security Management

In some scenarios, when exporting the Gateways and Servers View to CSV, the resulting file may contain an extra empty column. Refer to sk182233.

PRJ-60961,
PRHF-38808

Security Management

In rare scenarios, in multi-site Multi-Domain Security Management environments, operations across two or more Servers, such as Global Domain Assignment, IPS and Application Control update, may fail.

PRJ-58352,
PRHF-37197

Security Management

In some scenarios, policy installation fails with the "/opt/<xxxxx>-R81.20/conf/Policy-name.pf" line N: ERROR: syntax error Error compiling IPv6 flavor. Operation ended with errors" error.

PRJ-60699,
PRHF-39297

Security Management

The Management API command "set simple-gateway name 'XXX' usercheck-portal-settings.enabled {false|true}" fails to properly enable or disable UserCheck for Security Gateway objects. When running this command, the change is not applied to the Security Gateway configuration, and the "Enable UserCheck for active blades" setting in SmartConsole remains unchanged.

PRJ-61043,
PRHF-39465

Security Management

In rare scenarios, accelerated policy installation fails to initialize; the full Access Control Policy installation is executed instead, and it may take up to 20 minutes.

PRJ-56522,
PRHF-35230

Security Management

In rare scenarios, the first packet of a connection is incorrectly dropped when a non-FQDN object is used in the Rule Base.

PRJ-58202,
PRHF-34401

Security Management

The "vsx-run-operation" Management API command may fail on the Multi-Domain Security Management Server. Refer to sk182524.

PRJ-60762,
PRHF-39098

Security Management

In rare scenarios, after deleting Data Center objects:

  • Login to the Security Management Server may fail with a timeout.

  • Publish operations may take a long time.

PRJ-57975,
PRHF-36695

Security Management

In some scenarios, the Postgres database on the Standby Security Management Server grows after every High Availability synchronization. Refer to sk182868.

PRJ-61585,
PRHF-37905

Security Management

Access Control policy installation may take a long time when updatable objects are used in the policy.

PRJ-59370,
PMTR-110008

Security Management

The "show lsm-gateway" and "show lsm-gateways" Management API commands may return an empty "version" field.

PRJ-60013,
PMTR-114030

Security Management

In rare scenarios, policy installation may get stuck at 99%.

PRJ-59625,
PRHF-38414

Multi-Domain Security Management

In rare scenarios, Domain creation fails with "Failed to create Domain server '<Domain Server Name>'. The connected administrator has no permission to create a Domain-Server on the specified Domain".

PRJ-60660,
PMTR-114305

SmartProvisioning

In the SmartProvisioning application:

  • Performing "push policy" on a Gaia LSM Cluster fails with the "local failure of CPRID" error.

  • The "Get Gateway Data" operation fails with "Execution error Error: Unspecified error".

  • The "cphaprob stat" command returns a core dump file.

PRJ-61987,
PMTR-116260

CPView

CPView history may be corrupted.

PRJ-61489,
PRHF-39983

Security Gateway

In a rare scenario, the FWK process may restart unexpectedly.

PRJ-60129,
PRHF-38666

Security Gateway

When the Mirror and Decrypt feature is enabled, an SKB memory leak may occur.

PRJ-60126,
PRHF-38574

Security Gateway

When the Mirror and Decrypt feature is enabled, the Security Gateway may experience unexpected reboots. The crashes are caused by "put_cred_rcu()" errors with negative usage values and memory leaks in the ARP cache.

PRJ-61309,
PMTR-115595,
HEC-371

Security Gateway

ElasticXL members communicating with the pivot cluster member may transition to DOWN state when synchronization between the pivot and other members is lost.

PRJ-60579,
PRHF-38995

Security Gateway

In rare cases, failovers may occur because the FWK process unexpectedly exits.

PRJ-59157,
PRHF-37774

Security Gateway

Security Gateways with default MDPS task settings using a proxy can fetch CPUSE updates and licenses successfully. On MPLANE, updatable objects are not updated, while everything works on DPLANE.

PRJ-61449,
PRHF-39840

Security Gateway

When handling interface statistics, the CPD or FWK processes may unexpectedly restart with an error related to IOCTL printed in the logs. Refer to sk183544.

PRJ-60455,
PMTR-114419

Security Gateway

Enabling debugging in Quick UDP Internet Connections (QUIC) flows may cause an FWK process crash.

PRJ-62174,
PRJ-59649

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit when stopping the Security Gateway using the "cpstop" command while a packet capture tool is running.

PRJ-60669,
PMTR-114653

Security Gateway

In rare scenarios, downloading large files over HTTPS may get stuck.

PRJ-60427,
PMTR-114342

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit when the IPS Blade logs triggered protections.

PRJ-60539,
PRHF-38647

Security Gateway

In a rare scenario, after an upgrade, the Security Gateway may crash with a vmcore.

PRJ-59895,
PRHF-38438

Security Gateway

The VSX Security Gateway may crash when an external interface connected to the Virtual Router or Virtual Switch starts flapping.

PRJ-60446,
PRHF-38975

Security Gateway

RADIUS authentication fails when a response packet contains the Message-Authenticator attribute. Refer to sk183244.

PRJ-60216,
PRHF-34528

Threat Prevention

In some scenarios, external IoC feeds are not correctly fetched in VSX environments after a reboot.

PRJ-57978,
PRHF-36739

Threat Extraction

In a rare scenario, a script related to CPView may take a long time to execute and the SCRUBD process becomes unresponsive.

PRJ-58005,
PRHF-36322

Anti-Virus

In rare scenarios, Security Gateways with the Content Awareness Blade enabled may fail to properly process certain .zip file formats, resulting in "Failed to process files" errors during the Anti-Virus inspection.

PRJ-59857,
PRHF-38565

Anti-Virus

In some failure scenarios, the Anti-Virus blade does not report the failure in a SmartConsole log.

PRJ-60663,
PMTR-114734

Anti-Bot

In rare scenarios, the RAD process may unexpectedly exit.

PRJ-60616,
PRHF-39184

Mobile Access

The Mobile Access Portal hosted on a Security Gateway R81.20 or lower becomes unresponsive, and CVPND core files are generated after the Security Management Server is upgraded to version R82.

PRJ-60700,
PMTR-108872

SSL Inspection

The "HTTPS Inspection Statistics" view in Demo Mode of SmartView in SmartConsole shows "No data found". The issue is cosmetic only.

PRJ-59766,
PRHF-38539

ClusterXL

If both bond subordinate interfaces are down, the output of the "cphaprob show_bond bond" command is corrupted.

PRJ-60780,
PMTR-110618

ClusterXL

The ROUTED daemon may incorrectly initialize as Subordinate rather than Master after a "cpstop;cpstart" command when executed on the sole Active member in a cluster configuration.

PRJ-58336,
PRHF-36801

ClusterXL

A Multi-Version Cluster (MVC) member with VPN enabled may crash when performing an upgrade from R80.40.

PRJ-59213,
HEC-1195

ClusterXL

In High Availability Bridge Mode ClusterXL environments, the management interface of a Standby member becomes inaccessible. Refer to sk183124.

PRJ-57369,
PRHF-36165

ClusterXL

In VSX environments, deleting a Virtual System interface through SmartConsole fails to remove certain bindings, causing the interface to be automatically re-added.

PRJ-60378,
PMTR-114234

SecureXL

When printing the Deny list on a Security Gateway during Threat Prevention policy installation after deleting a large IoC feed from Security Management, an uninformative IOCTL error is displayed instead of a proper error message. The issue is cosmetic only.

PRJ-61467,
PMTR-111760

SecureXL

The USIM process may exit during error logging.

PRJ-60592,
PMTR-113834

SecureXL

In a rare scenario, no traffic is passed in the 6in4 tunnel and the two hosts cannot reach each other. The output for the "tcpdump" command in the tunnel shows "ip: unknown ip 0".

PRJ-61966,
PRJ-61915

SecureXL

The USIM process may crash during route updates when the Hardware Acceleration offloading connection is active.

PRJ-61021,
PMTR-115089

SecureXL

In rare scenarios, when SecureXL works in User Mode, running the "reset_gw" or "vsx_util reconfigure" commands may cause the Security Gateway to crash.

PRJ-59503,
PRHF-38095

ClusterXL

In rare scenarios, after enabling Bridge Mode, a cluster member may get stuck in a boot loop.

PRJ-61182,
PRHF-39695

SecureXL

Multicast traffic is dropped when the Packet-Broker operates in Monitor Mode with Promiscuous Mode disabled.

PRJ-60722,
PMTR-114790

SecureXL

The Security Gateway may crash when connected to the Smart-1 Cloud Management Server and a maas_tunnel interface is repeatedly added and deleted.

PRJ-60999,
PMTR-115074

SecureXL

After MTU for Jumbo Frames is configured on a physical interface for the first time, packet drops may occur until the Security Gateway is rebooted.

PRJ-59988,
PRHF-38501

Gaia OS

Multiple SNMP OIDs return incorrect data types. Refer to sk183166.

PRJ-62065,
PRHF-40577

Gaia OS

Stability issue on Quantum Force appliances 9300 and 9400. Refer to sk183438.

PRJ-58413,
PRHF-37416

Gaia OS

Exporting logs using the "backup -l" command may fail.

PRJ-58040,
PRHF-36803

Gaia OS

SNMP OID .1.3.6.1.4.1.2620.1.6.7.5.1.5.X falsely reports high CPU due to malformed calculation. Refer to sk182784.

PRJ-59922,
PRHF-38669

Gaia OS

In rare scenarios, users may be disconnected from SmartConsole, and an FWM process core dump is generated.

PRJ-60162,
PRHF-38736

Routing

The ROUTED daemon core dump file may be generated because of an assertion failure in the OSPF code.

PRJ-61331,
PMTR-115613

Routing

When working in User Mode (UPPAK), SecureXL may crash when multiple SND cores perform simultaneous next hop lookup for the same next hop.

PRJ-60813,
PMTR-114871

Routing

In a rare scenario, a Security Gateway crash and temporary loss of routing adjacency occur when the cluster messaging system attempts to process a deletion request for a BFD session that no longer exists.

PRJ-59742,
PRHF-37444

Routing

The ROUTED daemon may exit when processing OSPF network updates in a cluster environment. This occurs because of a timing issue in the routing protocol synchronization process.

PRJ-61214,
PMTR-115308

Routing

If BFD (Bidirectional Forwarding Detection) timing parameters, such as "min-rx-interval", are modified during an active BFD session deletion process, and a new BFD session is established before the deletion fully completes (deletion typically requires up to 2 hours), the newly created session inherits the previous timing configuration rather than applying the updated timing settings.

PRJ-60776,
PMTR-114870

Routing

In some scenarios, the ROUTED daemon may exit with a core dump file.

PRJ-60745,
PMTR-114835

Routing

In some scenarios, BGP routing updates may not be processed properly.

PRJ-62111,
PRHF-40540

Routing

A memory leak occurs in the ROUTED daemon when CoreXL is running OSPF and handling large numbers of LSAs combined with frequent route flaps.

PRJ-58688,
PMTR-110631

Gaia OS

NFS mount does not support the hyphen character ("-").

PRJ-59137,
PMTR-110490

Gaia OS

When deleting a bond interface with slaves still attached while maintaining both WebUI and SSH sessions, the deletion succeeds but generates "unregister_netdevice" syslog messages and terminates the WebUI session. The issue occurs because local connections to the Gateway cause slow bond interface deletion, leading to WebUI timeout.

PRJ-57175,
PRHF-36109

Gaia OS

In rare scenarios, when using IP Aliasing, deleting an interface by IP address reference may incorrectly delete the wrong IP address because of incorrect error handling.

PRJ-61371,
PMTR-115542

VPN

In rare scenarios, VPN traffic connectivity may be lost during policy installation.

PRJ-58955,
PMTR-111093

VPN

VPN connection may be unstable because of packet fragmentation issues.

PRJ-61225,
PRHF-39785

VPN

In a rare scenario, the FWK process may exit during VPN traffic decryption and routing when the PPPoE interface is enabled.

PRJ-58320,
PRHF-37066

VSX

Virtual Router advanced routes may be assigned incorrect priorities in policy-based routing configurations.

PRJ-58334,
PRHF-37228

VSX

The "fw stat" command output may not display the correct policy name for a Virtual System.

PRJ-58791,
PRHF-37719

VSX

The "vsx_util view_vs_conf" command output may show "N/A" for a Gateway when an object in the Domain shares the same name as the Virtual System object.

PRJ-57350,
PRHF-36278

VSX

A static route to 0.0.0.0, regardless of the subnet mask, is incorrectly treated as the default route (0.0.0.0/0) and does not appear in the VSX Gateway's routing table. Refer to sk182742.

PRJ-59033,
PMTR-111124,
HEC-953

VSNext

In a large-scale VSNext environment, creating over 50 Virtual Systems (VSs) fails.

PRJ-60961,
PMTR-115016

SD-WAN

SD-WAN fails to obtain next hop address automatically from the DHCP Server.

PRJ-59427,
PRHF-38271

SD-WAN

SD-WAN policy installation may fail during the configuration of MDPS on the Security Gateway.

PRJ-60748,
PMTR-114442

SD-WAN

In rare scenarios, SD-WAN policy installation hangs indefinitely.

PRJ-58304,
PRHF-37070

Scalable Platforms

In a Maestro environment, migrating a Virtual System between Security Groups may cause a member to crash.

PRJ-56586,
PRHF-35421

Scalable Platforms

Connections with fragmented packets drop with the "Virt Defrag Timeout" error. Refer to sk182559.

PRJ-60448,
HEC-914

Scalable Platforms

After a reboot, IPv6 addresses configured on data interfaces disappear from the "ifconfig" output when the Same VMAC feature is enabled in SmartConsole.

PRJ-59499,
FMW-3594

Scalable Platforms

In rare scenarios, the connection between the Security Gateway (acting as a proxy) and the Security Management Server is not closed correctly.

PRJ-60672,
PRHF-38834

Scalable Platforms

Running "cpstop" on a specific Virtual System may cause traffic interruption in dual site deployments.

PRJ-59845,
PRHF-38430

Scalable Platforms

In a Security Group in VSX mode, if an interface's link state changes during boot, there may be a delay in updating the link state. This delay can cause traffic interruption on that interface.

PRJ-61502,
PRHF-39967

Scalable Platforms

A cluster member may crash when performing a manual site failover and the deployment is using "Interface Active Check" with IPv6 enabled.

PRJ-60052,
PRHF-38689

Scalable Platforms

One member in a Maestro Security Group may be reported as down and inaccessible. The /var/log/messages and fwk.elg logs indicate:

  • "State change: ACTIVE -> DOWN | Reason: VSX PNOTE due to problem in Virtual System X",

  • "used greatest stack depth: 9544 bytes left",

  • Errors related to unknown/invalid parameters and kernel policy copy failures.

Take 34

Released on 23 July 2025 and declared as Recommended on 27 July 2025

Take 34 - Improvements and Resolved Issues

PRJ-62606,
PRJ-62595,
PMTR-117551

Routing

DHCP broadcast packets are not visible on the intended VLAN when working in SecureXL User Mode (UPPAK). Refer to sk183675.

PRJ-62608,
PRHF-41064

CloudGuard Network

After an upgrade to R82 Jumbo Hotfix Accumulator Take 25, CloudGuard Network for AWS Gateway may crash with a vmcore. Collecting the CPInfo statistics also triggers a crash with a reboot.

Take 33

Released on 08 July 2025 and declared as Recommended on 16 July 2025

Take 33 - Improvements and Resolved Issues

PRJ-62112,
PMTR-116903

VSNext

In a VSNext setup, Virtual Gateways (except VS0) cannot establish SIC connectivity with the Security Management Server.

See the Critical Information section.

PRJ-62374,
PRHF-40338

Scalable Platforms

The CPD process may exit during policy installation on a Scalable Platforms cluster on Quantum Force 29000 appliances.

PRJ-59589,
PMTR-114423

Scalable Platforms

R82 / R81.20 / R81.10 Security Gateways, cluster members, and Scalable Platform Security Groups may fail to fetch the Threat Prevention policy from their R82 Security Management Server / Multi-Domain Security Management Server.

Take 25

Released on 15 June 2025

Take 25 - New Functionality

PRJ-59495

Hardware

NEW: Added support for Quantum Smart-1 700-S, 700-M, 7000-L, 7000-XL, 7000-UL. Refer to sk182601.

PRJ-57860,
PMTR-112034

SD-WAN

NEW: SD-WAN functionality now supports AWS Cross Availability Zone and traffic steering with configurable multi-target probing.

PRJ-58894,
PRHF-31058

SSL Inspection

NEW: This Take introduces a fail-open mechanism for HTTPS Inspection with Hardware Security Module (HSM) integration. If the HSM becomes unavailable, TLS connections now automatically bypass HTTPS Inspection, ensuring continuous network connectivity.

Take 25 - Improvements and Resolved Issues

PRJ-60772,
HEC-868,
PMTR-114867

Diagnostics

UPDATE: Added the ability to monitor the CPU cores that run CoreXL SND (Secure Network Dispatcher) instances separately from the CPU cores that run CoreXL Firewall instances. The monitoring of CPU cores handling CoreXL SND instances was improved. It is now possible to:

  • view the exact number of CPU cores running SND instances that are under load, instead of seeing it as a percentage of total CPU cores.

  • configure the load threshold for CPU cores running CoreXL SND instances.

  • configure the load duration for SND CPU cores.

When these parameters are configured, the load on SND CPUs triggers a failover at a different time and under different load conditions compared to Firewall CPUs. Refer to the R82 ClusterXL Administration Guide > Advanced Features and Procedures > ClusterXL Failover based on the Load on ClusterXL SND Instances.

PRJ-59727,
PMTR-112995

Security Management

UPDATE: Added the "Type" and "Resource" columns to the HTTPS Inspection Logs table under Logs & Events.

PRJ-58951,
PMTR-110805

Security Management

UPDATE: Management upgrade performance is improved by up to 15%.

  • The fix will only be applied if the Management Server upgrade is performed using either the Blink image of the current Jumbo Hotfix Accumulator Take or the Advanced Upgrade method (where the current Jumbo Hotfix Accumulator Take is installed on the target Management Server).

PRJ-57995,
PMTR-112672

Security Management

UPDATE: Added support for using Network Groups in the "Install On" column of the NAT Policy.

PRJ-60049,
FMW-4284

CPView

UPDATE: CPView and SNMP can now show Hide NAT statistics for up to 200 top NAT IP Pools (the default is 3 top NAT IP Pools). Configure the required value for the kernel parameter "fwx_alloc_top_pools_num" with the CLI command "fw ctl set -f int fwx_alloc_top_pools_num <integer from 1 to 200>".

PRJ-60364,
PMTR-108410

Logging

UPDATE: Added a count of Session and Connection logs to the "cpstat" command output.

PRJ-58669,
PMTR-110592

Security Gateway

UPDATE: Added multi-interface packet fragment reassembly support to prevent drops in Equal Cost Multipath (ECMP) environments.

PRJ-58552,
FMW-2292,
PMTR-110440

Security Gateway

UPDATE: Added support for TLS 1.3 for the RAD process requests. To activate it, change the TLS version to "TLSv1_3". Refer to sk178505.

PRJ-57079,
PRHF-35181

Security Gateway

UPDATE: RAD extended flow information is now logged into a cyclic CSV file - $FWDIR/log/rad_events/rad_flows.csv. This enhancement provides visibility into RAD connections, helping with monitoring and troubleshooting. Refer to sk183108.

PRJ-58815,
PRHF-37100

Security Gateway

UPDATE: Added a kernel parameter "domo_reverse_lookup_disabled" to disable reverse DNS lookups to avoid rare incorrect matches in scenarios involving non-Fully Qualified Domain Name (non-FQDN) Domains.

  • "domo_reverse_lookup_disabled 1" to disable reverse DNS lookups.

  • "domo_reverse_lookup_disabled 0" to enable reverse DNS lookups (the default value).

PRJ-57317,
PMTR-108735

Threat Prevention

UPDATE: Improved Threat Prevention Blades performance by 15%-25% on Quantum Force 9000, 19000 and 29000 appliances.

PRJ-54144,
PRHF-31274

SSL Inspection

UPDATE: HTTPS Inspection statistics are now available through SNMP requests.

PRJ-59774,
PMTR-113092

SSL Inspection

UPDATE: In SmartConsole, added a new section "Application/Site" to the HTTPS Inspect log details. It provides details on resource and categorization matching.

PRJ-58754,
PRHF-36873

Mobile Access

UPDATE: Added support for the Mobile Access Portal "WebSocket" applications to work in environments with asymmetric network bandwidth (the download speed is faster than the upload speed) between external and internal networks. Refer to sk95311.

PRJ-60000,
PMTR-111169

ClusterXL

UPDATE: SecureXL User Mode (UPPAK) is now blocked in Active-Active cluster configurations, as this combination is not supported.

PRJ-58673,
SDWANM-2809

SD-WAN

UPDATE: Added selection of specific Security Gateways to onboard to the Infinity Portal, and the ability to disable the feature completely. Refer to sk180557.

PRJ-57542,
PMTR-110262

VSX

UPDATE: Implemented a validation in Clish to restrict virtual switch (VSW) configuration to a single interface, preventing setup disruption.

PRJ-59233,
PMTR-111643

VSNext

UPDATE: In the Clish API, added comprehensive VSNext task monitoring capabilities, previously available only in the WebUI.

PRJ-59274,
HEC-915

VSNext

UPDATE: The "add-virtual-gateway" Management API is updated: added the option to not connect the new VS to the virtual switch.

PRJ-60148,
PMTR-113933

VSNext

UPDATE: Rather than using the management switch, it is now possible to choose a different management interface for each virtual system (VS).

PRJ-59121,
PMTR-110666

VSNext

UPDATE: Improved debuggability for the "cpstart" command in large-scale VSNext environments.

PRJ-57224,
PMTR-110740

CloudGuard Network

UPDATE: Traffic between an external network host and an internal network host is now accelerated when a static NAT is configured to translate a cluster member's IP address or specific high port to an internal host IP address or specific service port. This scenario is relevant in Check Point CloudGuard Network Security Azure High Availability deployments, where traffic passes through a Load Balancer.

  • To enable acceleration, add this kernel parameter to the $FWDIR/boot/modules/fwkern.conf file - "accel_dnat_to_cluster=1".

  • The change can also be applied immediately to the running FW1 process without requiring a reboot: "fw ctl set int accel_dnat_to_cluster 1".

PRJ-57795,
PMTR-109576

CloudGuard Network

UPDATE: CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group now supports inspection of IPv6 traffic encapsulated with GENEVE IPv4 headers.

PRJ-56783,
PRHF-35847

Diagnostics

In SmartConsole, in the Gateways & Servers view, under Device & License Information of a Security Gateway or Cluster object, or in CPView and SNMP traps, the value of "new connection rate" for OID .1.3.6.1.4.1.2620.1.1.26.11.6.0 is incorrect.

PRJ-58243,
PMTR-110065

Diagnostics

After rebooting a Multi-Domain Security Management Server, the CPView (sk101878) and Skyline (sk178566) tools do not return data (for example, when running the "cpview -m", "cpview -t", "cpview -s" commands).

PRJ-58851,
PRHF-37388

Security Management

In rare scenarios, a core file of the CPRLIC process is generated.

PRJ-56974,
PRHF-36032

Security Management

Using the "set simple-cluster" command without the "members.add" option to add cluster members may result in recreating existing cluster members and potential loss of SIC.

PRJ-60696,
PRHF-39191,
PMTR-114757

Security Management

Login using a TACACS Server created with the "add tacacs-server" Management API command fails with "authentication to server failed".

PRJ-59097,
PRHF-37788

Security Management

Management Server operations may be slow because of some API commands, and multiple core dumps may be generated.

PRJ-58472,
PRHF-37430

Security Management

Creating a Threat Prevention Exception from a log fails with the "Failed to add exception" error when the "File Name" field in the log contains a Windows directory separator ("\").

PRJ-58718,
PRHF-37561

Security Management

Changes to a SmartConsole administrator's Authentication Server (RADIUS or TACACS) may occasionally fail to take effect.

PRJ-57818,
PMTR-107227

Security Management

In some scenarios, the Web SmartConsole session gets disconnected after several minutes.

PRJ-58448,
PRHF-37393

Security Management

In rare scenarios, Revert to Database Revision is stuck at 10%.

PRJ-57397,
PRHF-36340

Security Management

In rare scenarios, when more than one Security Blade is enabled on the Security Gateway, Presets for policy installation may fail after purging all revisions.

PRJ-59308,
PRHF-38068

Security Management

In some scenarios, the "Log Servers" tab in the Logs and Events view of SmartConsole is not visible. Refer to sk183154.

PRJ-59059,
PRHF-37185

Security Management

When using SmartWorkflow on a Security Management Server with more than 200 administrators, requests may stall or cause SmartConsole crashes during submission.

PRJ-57721,
PRHF-36549

Security Management

Inserting the "\n" character in the name of a rule fails with an unclear error message not indicating the cause of the failure.

PRJ-59023,
PRHF-37832

Security Management

Access Control Policy installation may take a long time when updatable objects are used in the policy.

PRJ-58524,
PRHF-37446

Security Management

In rare scenarios, login to SmartConsole may fail with a timeout.

PRJ-58341,
PRHF-37251

Security Management

In rare scenarios, login to SmartConsole using LDAP, TACACS or RADIUS authentication fails with a timeout.

PRJ-58901,
PRHF-37631

Security Management

After an IPS update, reassigning global policies may take a long time.

PRJ-58574,
PRHF-37436

Security Management

Global Policy Reassignment fails with the "org.postgresql.util.PSQLException: ERROR: more than one row returned by a subquery used as an expression" error printed in the cpm.elg file.

PRJ-57917

Security Management

In rare scenarios, the CPD process may unexpectedly exit and create a core dump file. Refer to sk182787.

PRJ-58920,
PRHF-37819

Security Management

In rare scenarios, policy installation fails with "Policy installation had failed due to an internal error".

PRJ-57630,
PRHF-36614

Security Management

In rare scenarios, Infinity Portal shows the "Failed to update Infinity Portal with objects from your on-premises Management Server. Contact Check Point Support" error.

PRJ-57323,
PRHF-36147

Security Management

When modifying the URL definition type in an Application Site object using the "set application-site" Management API command with the "urls-defined-as-regular-expression" parameter, the type of pre-existing URLs remains unchanged.

PRJ-58503,
PRHF-37445

Security Management

Renaming a Secondary Security Management Server that was promoted to Primary fails.

PRJ-58527,
PRHF-37141

Security Management

In some scenarios, policy state directories are synchronized between Active and Standby Security Management Servers, leading to high disk space usage.

PRJ-58917,

PRHF-37822

Security Management

Policy Installation may not be accelerated after modifying a host in a rule with the inline layer action.

PRJ-58686,

PMTR-110626

Security Management

Duplicated licenses on the Security Management Server may impact the vsec_lic_cli utility.

PRJ-59700,
PRHF-38273

Security Management

The Compliance Blade incorrectly reports Gaia Best Practices as insecure for cluster members.

PRJ-59433,
PRHF-38264

Security Management

In some scenarios, opening a specific VPN community in SmartConsole fails and the "Unable to load page" message is printed, while other communities can be opened.

PRJ-59600,
PRHF-38330

Security Management

In rare scenarios, Global Policy Assignment fails with an "IPS update is currently running in local domain" message, although IPS update is not running in that Domain.

PRJ-57307,
PRHF-36241

Security Management

If a custom login message exceeds 1000 characters, the login output file, which contains the sid and other session data, cannot be parsed as expected. Using the "mgmt_cli" with the "-s" parameter results in the "Failed to parse login output file" error.

PRJ-57139,

PRHF-36149

Security Management

In some scenarios, the Security Management Server with a proxy configured is unable to connect to Infinity Portal after changing the proxy settings.

PRJ-59341,
PMTR-111778

Security Management

When a Security Gateway object is deleted, its license may still appear as attached even though the Security Gateway Object no longer exists.

PRJ-58606,
PRHF-34898

Security Management

Packet mode search or search within Object Explorer for IP address ranges may not work correctly on the Standby Security Management Server.

PRJ-59631,
PRHF-38384

Security Management

In a rare scenario, December date comments in the IPS User Settings view may display an incorrect year.

PRJ-60151,
PRHF-38525

Security Management

In some scenarios, Virtual Security Gateways lose their licenses. This causes Site to Site VPN and Remote Access VPN services to go down, while general internet access remains functional. SmartUpdate may not load.

PRJ-57440,
PRHF-23903

Multi-Domain Security Management

In a Multi-Domain Security Management environment, RADIUS authentication may be sent with an incorrect IP address. Refer to sk180723.

PRJ-58777,
PRHF-37360

Multi-Domain Security Management

In a Multi-Domain Security Management environment, an audit log is not created after changing the "Parent rule for Domain's policy" Domain layer.

PRJ-58847,
PRHF-34721

Multi-Domain Security Management

In a Multi-Domain Security Management environment with a VSX Gateway, operations such as login to SmartConsole, Global Domain Assignment, and Domain creation or deletion may take longer than expected or fail with a timeout message "Task failed".

PRJ-58969,
PRHF-37258

Multi-Domain Security Management

In rare scenarios, the "mdsstat" command shows that the CPD process is down even though it is up and running.

PRJ-58874,
PRHF-37752

Multi-Domain Security Management

In certain scenarios, when Cluster objects are used in a Multi-Domain Security Management Server with Domains that have Global Domain Assignments, an upgrade may fail with "Tried to persist object OBJ_ID with domain 1e294ce0-367a-11e3-aa6e-0800200c9a66 while active domain is DOMAIN_ID".

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or with the Advanced Upgrade method.

PRJ-56977,
PRHF-35998

Multi-Domain Security Management

In some scenarios, in the Multi-Domain Security Management Server, certain previously utilized global objects may remain hidden from both the SmartConsole's Object Explorer View and the "show unused-objects" Management API command.

PRJ-59215,
PRHF-38104

Multi-Domain Security Management

Policy installation fails on all Domains on the Multi-Domain Security Management Server with "Layer '<LAYER NAME>': Verification failed due to an internal error" if an Externally Managed Security Gateway object with IPsec enabled does not have an encryption Domain. Refer to sk183003.

PRJ-58981,
PRHF-37890

Multi-Domain Security Management

In some scenarios, the "SIC Error for EntitlementManager: Peer sent wrong DN" error is printed in cpd.elg on a VSX Gateway.

PRJ-60322,

PMTR-114256

Multi-Domain Security Management

Multiple errors "T_get_event: cannot register socket %d (%d sockets already registered for %s)" are printed in $MDSDIR/log/in.msd.

PRJ-59767,
PMTR-112934

Compliance

In rare scenarios, the "Blades" widget in the Compliance Blade Overview page is blank.

PRJ-58260,

PMTR-110658

CPView

Interfaces with VLAN are not visible in CPView stats.

PRJ-59348,
PMTR-111094

Logging

In cloud environments (Smart-1 Cloud and EPMaaS), log queries may fail because of the AWS certificate change.

PRJ-59591,
PRJ-59592

Logging

When opening a log card in the Logs View, duplicate values may appear in the "Resource" and "Reason" fields.

PRJ-60574,
PMTR-106428

Logging

When disconnecting the Security Management Server from the Infinity Portal and connecting to a different region, log sharing from Log Servers does not work until the Log Server restarts.

PRJ-57787,
PMTR-100187

Security Gateway

The "fileapp_parser_get_attribs: call orig_get_attrib failed" error is printed in the $FWDIR/log/fwk.elg file.

PRJ-57256,
PRHF-25598

Security Gateway

When a NAT-T tunnel is set up between VPN peers, packets with UDP encapsulation added to the headers are not transmitted out of the PPPoE interface as they should be. The VPN connection appears to be established but does not actually pass traffic.

PRJ-57513,
PRHF-32506

Security Gateway

VoIP H.323 calls are dropped with reason "Handler 'h323_h245_code' reject". Refer to sk182835.

PRJ-59131,
PRHF-38022

Security Gateway

The DHCPv6 relay drops reply messages from the DHCPv6 server rather than forwarding them to the clients.

PRJ-58744,
PRHF-37487

Security Gateway

In a rare scenario, when the Anti-Virus Blade and the ICAP Server are enabled, there may be high CPU usage.

PRJ-60804,

PRHF-38473

Security Gateway

The FWK process exits with core dumps and error messages in $FWDIR/log/fwk.elg: "malware_res_rep_match_dns_response: check_dns_response_activate() failed".

PRJ-57740,

PRHF-36496

Security Gateway

Local connections originating from the Security Gateway may fail to refresh their timeout values.

PRJ-60290,

PRHF-38919

Security Gateway

A memory handling issue causes the FWK process to unexpectedly restart.

PRJ-60286,

PRHF-38898

Security Gateway

In rare scenarios, HTTPS inspection may block the downloading and uploading of PDF files to and from the Web Server.

PRJ-59786,

PRHF-38340

Security Gateway

The FWK process may unexpectedly restart when running the memory leak detection procedure.

PRJ-59607,

PRHF-38380

Security Gateway

In a specific scenario, file downloads intermittently stop until resumed manually because of HTTP parsing issues and Content Awareness parsing failures.

PRJ-58628,

PRHF-36742

Security Gateway

In a Maestro environment with configured Virtual System Load Sharing (VSLS) Mode, one of the Security Gateways on an SGM may be unresponsive until it is restarted several times.

PRJ-58390,

PRHF-36744

Security Gateway

The DSD process (Dynamic Split Daemon) may exit when the "affinity" command input is large.

PRJ-61165,

PRHF-39691

Security Gateway

A rare issue in HTTP/2 multiplexing may lead to traffic disruption. Refer to sk183441.

PRJ-56438,
PRHF-35363,

PRJ-58861,
PMTR-110741,

PRJ-59203,

PRHF-37975

Security Gateway

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway.

PRJ-58393,
PRHF-36652

Security Gateway

In some scenarios, a memory leak may occur in the FWK process.

PRJ-60946,

PRHF-39464,

PRJ-61452,

PRHF-39847

Security Gateway

  • The CPD or FWK process may unexpectedly restart when handling the interface statistics.

  • The CPVIEW_SERVICES, RAD, SNMPD and VPN processes may exit with a core dump file because of memory corruption.
    Refer to sk183544.

PRJ-59353,
PRHF-37361

Security Gateway

In a rare scenario, an outage may occur in an Azure environment after one cluster member crashes and recovers.

PRJ-58217,
PRHF-37208

Security Gateway

A rare race condition may cause a Security Gateway to restart when updating the statistics.

PRJ-59114,
PRHF-37640

Security Gateway

Some Access Control Rule Base flows may increase CPU utilization.

PRJ-57932,
PRHF-36685

Security Gateway

In rare scenarios, Security Gateway may crash when running the "ethtool -x" or the "ethtool -X" command for an interface that uses the AWS ENA network driver.

PRJ-59816,
PRHF-38598

Security Gateway

In rare scenarios, the CPD process may unexpectedly exit, generating a core dump.

PRJ-59151,
PRHF-37843

Security Gateway

After enabling Security Zones in the NAT Rule Base, the wrong IP address is shown in logs and NAT is performed incorrectly. Refer to sk183088.

PRJ-59619,
PMTR-111544

Security Gateway

In a rare scenario, if the USIM process exits during firewall memory mapping, it can result in a Security Gateway crash.

PRJ-58631,
PRHF-36749

Security Gateway

In a rare scenario, the FWK process may exit because of memory corruption.

PRJ-60412,

PRHF-39061

Security Gateway

Policy installation fails with the error message: "All the rules in layer "<Name of Layer>" contain only expired time objects. See sk155253 for more details".

PRJ-58445,
PMTR-109929

Security Gateway

In a rare scenario, Security Gateway may crash with vmcore when working in Kernel Mode Firewall (KMFW).

PRJ-59119,
PMTR-110235

Security Gateway

In a rare scenario, the RAD daemon may exit during large memory allocation operations.

PRJ-57676,
PRHF-36647

Security Gateway

The ICAP Server may unexpectedly restart when processing traffic from a Security Gateway with Threat Emulation enabled.

PRJ-60536,
PRHF-38638

Security Gateway

In some scenarios, in a cluster environment, when URL Filtering is enabled, there may be traffic disruption.

PRJ-60203,
PRHF-38844

Security Gateway

In a rare scenario, VoIP Traffic fails after the initial call when SecureXL operates in User Mode (UPPAK). Refer to sk183218.

PRJ-60530,
PRHF-38547

Security Gateway

In a rare scenario, the Security Gateway may crash during email inspection.

PRJ-60548,
PRHF-38708

Security Gateway

Incorrect memory handling may cause the FWK process to unexpectedly exit.

PRJ-56340,
PRHF-35382

Internal CA

In some scenarios, a VPN outage may occur after an ICA renewal.

PRJ-57869,
AAD-2659

Threat Prevention

In rare scenarios, SSH connections may be dropped when SSH Deep Packet Inspection (SSH DPI) is activated on the Security Gateway.

PRJ-59994,
PRHF-33276

Threat Emulation

In rare scenarios, the Threat Emulation Blade may fail to correctly classify the file type.

PRJ-61767,

PMTR-116315

Threat Extraction

The Threat Extraction Software Blade may inadvertently delete some system files on the Security Gateway. Refer to sk183512.

PRJ-61981

Threat Extraction

A memory leak can occur in the Threat Extraction file inspection process for HTTP/S protocols. When memory consumption reaches the maximum allowed allocation, it causes the process to crash and automatically restart.

PRJ-60243,

PRHF-38820

Identity Awareness

PDP to PEP Identity synchronization may fail on the PDP side if an alternative IP address for PEP communication is configured, as described in sk60701.

PRJ-59252,
PMTR-111703

Identity Awareness

In a rare scenario, the PDPD process may unexpectedly exit during a cluster failover.

PRJ-57645,
PRHF-36542

Identity Awareness

In a rare scenario, when fetch_by_SID is enabled, the PDPD process repeatedly exits. Refer to sk182745.

PRJ-58460,
PRHF-37149

Application Control

HTTP traffic is dropped by PSL because of a missing Host header. Refer to sk183569.

PRJ-59611,
PRHF-38383

Application Control

If the Access Rule Base does not contain Extended/Detailed Log Tracking options, category override functionality fails when the "partial load" feature is enabled.

PRJ-59617,
PRHF-38387

Application Control

Some custom applications in the HTTPS Inspection policy are not matched if they are part of a Group object. Refer to sk183176.

PRJ-57182,

PRHF-36126

URL Filtering

URL Filtering may not classify a site in a specific rare scenario when the Security Gateway is configured as a proxy.

PRJ-58757,
PRHF-37462

URL Filtering

In some scenarios, when URL Filtering Blade analyzes web requests, the RAD error may appear in /var/log/messages: "rad_kernel_urlf_request_serialize: string len =XXXX bigger than max 4096".

PRJ-56476,
PRHF-35174

IPS

In some scenarios, a Security Gateway is not listed as an option for the Threat Prevention uninstall, even though the Threat Prevention Blade is disabled on the Security Gateway object.

PRJ-60940,
PRHF-38863

IPS

The FWK process may unexpectedly exit during HTTPS inspection flow which requires the RAD service categorization.

PRJ-56517,
PRHF-35504

DLP

DLP policies may not correctly block password-protected and unprotected files during Google Drive uploads, despite the Content Awareness Blade configuration.

PRJ-59500,
PRHF-30036

Anti-Virus

When Anti-Virus is enabled, files are not downloaded, the "Failed writing the file" error is printed in logs, and the block page is not displayed.

PRJ-58656,

PRHF-37376

Anti-Virus

RAD queries fail, generating "wrong status code in reply" errors logged in $FWDIR/log/rad_events/Error/* files. Refer to sk183009.

PRJ-60011,

PMTR-113461

Anti-Bot

In some scenarios, the Anti-Bot Blade fails to parse external IoC feeds with IP address observables.

PRJ-58841,

PMTR-105936

Anti-Bot

On a Security Gateway with FIPS mode enabled, updating the Anti-Virus and Anti-Bot Blades with the "fw update -b AB -b AV -f" command fails.

PRJ-59224,

PRHF-38081

Anti-Bot

In some scenarios, a SmartConsole log with the Anti-Bot Blade entries may appear when the Anti-Bot Blade is disabled in the profile.

PRJ-58804,
AAD-3331,

PMTR-110853

SSL Inspection

The "Detect" logs for Client's TLS alerts are not aligned with the Server's TLS alerts logs. This is a cosmetic issue.

PRJ-57461,
PMTR-109067,

PRJ-58871,
PMTR-110943

SSL Inspection

When a TLS connection is rejected because of no shared key exchange between the client and the Security Gateway, no log is generated to inform the administrator.

PRJ-59777,

PMTR-113097

SSL Inspection

The "HTTPS Inspection Rule ID" and "HTTPS Inspection Rule Name" fields appear in the "Bypass Under Load" and "Learning Mode" bypass logs although they should not be printed.

PRJ-60106,
PRHF-38755

Mobile Access

The HTTPD process periodically exits when accessing the Mobile Access Blade Citrix application because of a memory leak in the Citrix proxy implementation.

PRJ-60391,
PMTR-114281

ClusterXL

The CPHAPROB process may exit with a core dump file.

PRJ-60533,
PRHF-38566,

PRJ-60545,
PRHF-38704

ClusterXL

In ClusterXL High Availability setup, a crash may occur on both the primary and secondary members, causing network outages.

PRJ-59391,
PMTR-110959

ClusterXL

Running the "cphaprob -a if <interface name>" command in the VSX Cluster may cause the FWK process to exit.

PRJ-59874,

PRJ-59583

ClusterXL

The FWK process may exit after enabling or disabling the "Same VMAC" feature. Refer to sk165674.

PRJ-60293,

PRHF-38847

ClusterXL

A race condition may occur during startup when the ROUTED daemon does not receive all cluster Virtual IP addresses, causing static routes to disappear.

PRJ-59565,
PMTR-112079

ClusterXL

ClusterXL drops traffic that is sent to its IPv6 Virtual IP Address that is configured with the Unicast Link-Local scope (/64). Refer to sk183104.

PRJ-58081,
PMTR-68784

SecureXL

Packet drops may occur if the same multicast packet is received on multiple interfaces.

PRJ-57037,
PRHF-32840

SecureXL

High volumes of RST packets may cause CPU spikes, resulting in incoming network packet drops on SND instances.

PRJ-60686,

PRHF-39209

SecureXL

The packets may not be accelerated because of a routing issue.

PRJ-60568,

PMTR-113304

SecureXL

In a rare scenario, the Security Gateway may become unresponsive during extended high memory utilization.

PRJ-60256,

PMTR-113688

SecureXL

SecureXL in User Mode (UPPAK) may restart when the Security Gateway is under high load and cpWatchDog triggers a reboot.

PRJ-60606,

PMTR-114373

SecureXL

The Hardware Acceleration offloaded connection may break when the route is updated, affecting the offload flow and slowing down operations.

PRJ-60070,
PMTR-111505

SecureXL

Running the "tcpdump" command on all interfaces (for example, "tcpdump -peni any") on machines with SecureXL in User Mode (UPPAK) while under heavy traffic load may cause the system to hang. Refer to sk183222.

PRJ-59363,
PMTR-111468

SecureXL

When SecureXL works in User Mode (UPPAK), in a VSX environment with many virtual systems, the WebUI may not be accessible when it reaches its internal connection limit.

PRJ-60310,

PMTR-114110

SecureXL

The USIM_x86 process may potentially exit because of a race condition when a route is simultaneously used by multiple SND cores.

PRJ-59969,

PMTR-113266

SecureXL

A warning message "adp_rt4_delete: rt entry .... does not exist for slot 1" may be printed in the /var/log/dmesg file while the VPN connection remains active.

PRJ-60257,

PMTR-113479

SecureXL

In some scenarios, the Security Gateway may crash while running "cpstop" or disabling MDPS when SecureXL works in User Mode (UPPAK).

PRJ-61217,

PRHF-39512

SecureXL

The Security Gateway with SecureXL in User Mode (UPPAK) may crash under load during bond interface state flapping.

PRJ-61107,

PMTR-108077

SecureXL

SecureXL in User Mode (UPPAK) may be incorrectly enabled or disabled during runtime or Jumbo Hotfix Accumulator installation.

PRJ-59017,
PMTR-111199

SecureXL

A memory allocation issue occurs when handling Jumbo Frames.

PRJ-60384,
PRHF-38461,

PRJ-60394,
PRHF-39028

SecureXL

In an asymmetric UDP traffic scenario (Client-to-Site VPN and Site to Site VPN distributed to different members), the connection may not get accelerated.

PRJ-61025,

PRJ-61004

SecureXL

SecureXL in User Mode (UPPAK) may restart when adding or removing VLAN interfaces and the Security Gateway is under high load.

PRJ-60056,
PRHF-38747

SecureXL

After a VSX reboot, other Virtual Systems (VS's) enter a Down/Lost state while USIM core files are generated.

PRJ-60238,

PRHF-37606

Routing

In rare cases, when an internal BGP (iBGP) peer disconnects during a graceful restart, BGP may fail to advertise all routes. However, the missing routes still appear under "adj-rib-out" with a next hop of "0.0.0.0".

PRJ-58788,
PRHF-37697

Routing

Duplicate entries in the kernel routing table can occur when iBGP peers disconnect and reconnect, causing the same routes to be added multiple times rather than properly replaced.

PRJ-60690,
PMTR-114670

Routing

When obtaining a new IP address using the "dhclient -r" command turning off and on the interface configured as Dynamic Address IP (DAIP), the interface loses its IP address and fails to acquire a new one from the DHCP Server.

PRJ-59245,
ROUT-3336

Routing

The ROUTED daemon asserts when enabling eBGP multihop on a directly connected interface.

PRJ-58782,
ROUT-3107

Routing

The ROUTED daemon may exit with a core dump file during iBGP synchronization.

PRJ-60101,

HAAN-880

Routing

BGP sessions may terminate upon receiving a BGP Update containing an AS_SET Path Attribute when Peer Local AS was configured on the Security Gateway.

PRJ-57627,
PMTR-109855

VPN

When a network connection is established simultaneously in both directions (server-to-client and client-to-server), the Security Gateway experiences connectivity issues because of incorrect packet dispatching, leading to dropped packets. Refer to sk183072.

PRJ-60613,
PMTR-114453

VPN

After establishing a successful VPN connection from IKEv2 Client to VS with traffic flowing, the Client disconnects repeatedly with "VPN tunnel has disconnected: Failed to renew IP address" then reconnects with a new Office Mode IP address.

PRJ-61823,

PRHF-40371

VPN

After an upgrade, Site to Site VPN tunnels (IKEv2) fail to establish. Logs show the "Auth exchange: Sending notification to peer: Invalid syntax" and "INVALID_KE_PAYLOAD" errors for IKE traffic. Refer to sk183550.

PRJ-57842,

PMTR-110144

VSNext

In VSX/VSNext environments with 50 or more VS's, CPView VSX statistics are blocked until re-enabled manually.

PRJ-58292,

PMTR-110132

VSNext

In VSNext environments, CPView VSX Data shows only VS0.

PRJ-58599,

PMTR-110482

VSNext

VSNext configuration is not included in the output of the "show configuration" command in Clish.

PRJ-57418,

PMTR-110875

VSNext

Virtual Switches with names longer than 128 characters cannot be deleted; the "Virtual System with ID2 does not exist" error is displayed.

PRJ-59014,

HEC-926

VSNext

A VS creation request may fail because the timeout was too short.

PRJ-57478,

PMTR-109849

VSNext

Simultaneous creation of multiple Virtual Systems (VS's) occasionally fails, with identical IDs assigned to more than one VS.

PRJ-59015,

HEC-1032

VSNext

Some Management API requests may not be sent when creating many VS's in parallel.

PRJ-61129,

PMTR-116039

VSNext

VSNext Virtual Gateway drops traffic when it is connected to a Virtual Switch. This issue affects systems running NGTP software blades. Refer to sk183460.

PRJ-57672,

PMTR-109851

VSNext

Creating multiple Virtual Gateways may fail with the "Setting management connection failed!" message.

PRJ-59171,
PRHF-37466

VSX

A memory leak may occur in a VSX environment, related to the transmitting packets module.

PRJ-58249,
PRHF-37106

VSX

SNMP counters may return incorrect data on VSX.

PRJ-59035,
PRHF-27999

VSX

In a VSX environment, the Security Gateway may crash when removing an interface from topology.

PRJ-57746,
PRHF-36734

VSX

In a rare scenario, during the VSX Gateway Wizard, SmartConsole disconnects with the warning "The connection with the server was lost. Any unsaved changes will be preserved", and SmartConsole may crash with the "SmartConsole has experienced a serious problem and must close immediately" error.

PRJ-57294,

PRHF-36254

VSX

Output of the "dynamic_split -p" command shows "Dynamic Split is currently off (Stopped due to State Verification failure)" on a VSX Gateway. Refer to sk181231.

PRJ-61046,

HEC-1463

VSX

After enabling CoreXL instances on a Virtual System, the policy status may be displayed as "N/A".

PRJ-58803,
PRHF-37713

Gaia OS

When attempting to create cloning groups on an R82 Security Gateway, the "Error - Home directory for 'cadmin' cannot be in /home/cadmin directory" error is printed. Refer to sk182989.

PRJ-58700,
PRHF-37362

Gaia OS

In a Maestro environment with RADIUS users, accessing the Gaia Portal for MHO causes an "ERR_EMPTY_RESPONSE" error and may cause the Gaia Portal (WebUI) not to respond.

PRJ-59012,
PRHF-37820

Gaia OS

In a Maestro environment, an error message about short string length may be incorrectly displayed when setting an expert password string that includes the colon ":" character on the Security Gateway.

PRJ-61662,

ODU-2714

Gaia OS

The Redis Server does not start after installing the Gaia API Build 299. Refer to sk143612.

PRJ-59293,
PRHF-27173

VoIP

High volumes of VoIP/SIP traffic may trigger a Security Gateway crash.

PRJ-60460,

PMTR-114441,

VSECPC-10081

CloudGuard Network

The CloudGuard Network Central License utility incorrectly distributes licenses to Azure Virtual vWAN Gateways that already have licenses included during deployment.

PRJ-59475,

SDWANGW-2360,

PMTR-112190

SD-WAN

Dynamic IP address changes for DAIP Gateway objects are not propagated to all Security Gateways in the SD-WAN VPN community, causing VPN connectivity failures.

PRJ-59849,
HEC-951

Scalable Platforms

The logging_worker daemon may consume a lot of memory per Virtual System.

PRJ-58555,
PMTR-110252

Scalable Platforms

On ElasticXL platform, there may be unnecessary or unsuccessful attempts to update the distribution of traffic among the cluster members.

PRJ-59846,
HEC-952,

PMTR-112869,

PMTR-112683

Scalable Platforms

In VSNext mode, Virtual Systems may have high CPU consumption.

PRJ-60318,
HEC-1289

Scalable Platforms

In the VSNext mode (on ElasticXL and Maestro Security Groups), the Gaia gClish / Gaia Clish command "show interface" in the context of Virtual Switches fails with "CLINFR0699 Invalid command".

PRJ-58961,
PRJ-57191

Scalable Platforms

Importing an R82 upgrade package may fail with "[ERROR] Failed to transfer package to several members, Import was aborted" because of a timeout that occurs while copying the package to all Security Group members.

PRJ-59061,
PMTR-106842

Scalable Platforms

Changing the bond mode on Scalable Platform Security Group members may cause a MAC address mismatch on the bond interface because of the bond slaves reordering that does not match the database. Refer to sk182488.

PRJ-59278,
PMTR-111692

Scalable Platforms

Gaia database lock on a Maestro Security Group configured with Management Aggregation (MAGG) is lost when using API or Gaia gClish to add a new Management interface to the Security Group. Refer to sk183031.

PRJ-58041,
HEC-983

Scalable Platforms

The "fw fetch local" command fails on a Virtual System without SIC established because the SIC name is missing.

PRJ-57813,
PRHF-29470

Scalable Platforms

DNS configuration may not be pulled to other Security Gateway Members (SGMs) from the Single Management Object (SMO).

PRJ-59359,
PRJ-58161

Scalable Platforms

IP broadcast helper cannot forward the packets if the IP address of the "relay to" is not directly connected to the Security Gateway.

PRJ-59395,
PMTR-111927

Scalable Platforms

Maestro may not properly respond to Router Solicitation messages with the expected Router Advertisement messages.

PRJ-58600,
PMTR-110500

Scalable Platforms

In some scenarios, the perfanalyze scripts output shows duplicates in cores data, which can cause the CPD process to crash.

PRJ-59168,

FMW-3410

Scalable Platforms

The "ws_mux_host_only_active_pass: ERROR: There is not enough data in stream to pass" error may be printed in logs. This is a cosmetic issue.

PRJ-58671,
PMTR-110323

Scalable Platforms

When the Maestro Fastforward feature is enabled, rebooting a member may cause the member to be down because of the policy installation failure and the "Site HA module not started" error may be displayed.

PRJ-59670,
PMTR-110155

Scalable Platforms

When running the license deletion command "g_cplic del <license signature to delete>" in a Maestro setup, the license is removed from the cp.license file but not from cp.license.smo, causing the deleted license to unexpectedly reappear after a policy installation.

PRJ-58088,
PRHF-36586

Scalable Platforms

Configured proxy ARP may not work as expected when the "Same VMAC" feature is enabled.

PRJ-60476,

PMTR-110389

Scalable Platforms

The "asg_dr_verifier" script fails when OSPF Graceful Restart is configured with a grace period.

PRJ-59877,

PMTR-113194

Scalable Platforms

A reboot loop with a generated configuration pnote may be triggered when the Security Group hostname contains strings with "mq" or "otlp".

PRJ-58489,
PMTR-109895

Scalable Platforms

Upon contract renewal, non-SMO members in the Maestro Security Group may not get the updated contract automatically.

  • The fix requires this Jumbo Hotfix Accumulator Take to be installed on all the members of the group.

Take 19

Released on 29 May 2025 and declared as Recommended on 04 June 2025

Take 19 - New Functionality

 

PRJ-61143

Security Management

NEW: Added ability for R82 Security Management Server and Multi-Domain Security Management Server to manage Quantum Force 3900 Appliances.

Take 18

Released on 14 May 2025

Take 18 - Improvements and Resolved Issues

 

PRJ-61176,

PRJ-58517

Logging

In some scenarios, in Log Servers or Multi-Domain Log Servers (MDLS):

  • The SOLR process consumes high CPU.

  • There is a delay in displaying logs in the Logs view.

Take 14

Released on 20 April 2025

Take 14 - New Functionality

 

PRJ-56952,
PRJ-56616

SD-WAN

NEW: In SD-WAN, added support for:

  • Traffic steering based on Differentiated Services Code Point (DSCP).

  • Rule based NAT per ISP.

PRJ-56409,
PRJ-53464

SD-WAN

NEW:

  • Added ARP Next-Hop prober to enhance support for additional network topologies.

  • Introduced HTTP prober to reflect real-time Web Access metrics.

  • Implemented Link Aggregation mode proportional to Download and Upload bandwidth.

  • Administrators are now able to override SD-WAN interface Circuit configuration.

  • Integrated Forward Error Correction to ensure successful traffic delivery by adding error correction code packets to the Overlay packet stream.

  • Introduced Dynamic Objects (SD-WAN Internet, My VPN Domain, and Peer VPN Domain) to better represent Overlay and Internet address spaces.

  • Added administrator control for Symmetric Packet Return, forcing Ingress Traffic to be replied on the same ISP.

  • Enabled SD-WAN Overlay establishment across different Domains using Global VPN Community (MDS).

  • Allowed SD-WAN Overlay to operate on top of Route-based VPN.

  • Increased maximum Overlay size to support up to 500 Security Gateways.

  • Improved accuracy of SD-WAN decision-making during policy installation.

  • Enabled setup of IPv4 SD-WAN overlay when non-SD-WAN IPv6 interfaces are configured.

PRJ-57083,
AAD-1761

VPN

NEW: Local SCV settings can be customized per Security Gateway by creating a $FWDIR/conf/local.scv_<GW NAME> file; otherwise the settings fall back to the standard local.scv configuration.

Take 14 - Improvements and Resolved Issues

PRJ-58376,

PMTR-110261

Mobile Access

UPDATE: Resolved CVE-2024-52887 - Self-XSS vulnerability in Mobile Access Native Applications 'favorites' dialog. Refer to sk183054.

PRJ-58382,

PMTR-110274

Mobile Access

UPDATE: Resolved CVE-2024-52888 - Mobile Access File Share applications are vulnerable to stored XSS attacks. Refer to sk183055.

PRJ-56536,
PRHF-34745

Security Management

UPDATE: The Management API logs outbound payloads to api.elg only for non-"200" response codes. It is now possible to enable the "WRITE_FULL_OUT_PAYLOAD" environment variable to force comprehensive logging of all API call payloads, regardless of the response status. Refer to sk182786.

PRJ-58728,

PMTR-110883

Security Management

UPDATE: The Global Domain automatic purge settings now automatically restore and reschedule after a Security Management Server restart.

PRJ-57848,
PMTR-109621

Logging

UPDATE: Enhanced the CLI "cp_log_export" command with additional examples and expanded help documentation.

PRJ-56569,
PRHF-32539

Security Gateway

UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved system reliability and security performance.

PRJ-56706,
PRHF-34380

Security Gateway

UPDATE: Added information about VSX context to the mem.report files in /var/log/CP_mem_dwarf/.

PRJ-58468,
ROUT-3004

Routing

UPDATE: Added a new Gaia Clish parameter to ignore the Autonomous System (AS) Path when aggregating routes: "set aggregate <IP Address>/<IP Mask> aspath-ignore {on | off}". Note: enabling "aspath-ignore" will disable "aspath-truncate" if configured.

PRJ-58466,
PRHF-33825

Routing

UPDATE: IP Reachability Detection now supports simultaneous BFD and ping monitoring to the same remote address, where previously only one method was functional at a time. When both are configured, each monitoring protocol operates independently, allowing features to track their preferred detection method while maintaining existing configuration syntax.

PRJ-58738,
ACCHA-3835

SecureXL

UPDATE: Optimized memory management when processing Jumbo Frames.

PRJ-58795,

PMTR-110837

VSNext

UPDATE: All interfaces are now automatically assigned to VS0 (the default virtual system) with no instance bind, and can be moved between Virtual Systems without requiring unassigning, enabling immediate VSNext functionality.

PRJ-57735,
PMTR-109486

Scalable Platforms

UPDATE: In ElasticXL, restoring Gaia OS backup is now supported.

PRJ-58348,
PMTR-110224

Scalable Platforms

UPDATE: VSLS Mode is now supported in VSNext ElasticXL environments.

PRJ-57616,

PMTR-109197

Scalable Platforms

In VSNext ElasticXL Load Sharing environments, traffic latency and interface flapping may occur between two members in the Virtual Switch (VSW), when the switch is configured on non-management interfaces and both members are on the same site.

PRJ-57907,
PRHF-36295

Security Management

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

PRJ-58942

Security Management

In SmartConsole, in the Quantum Spark Cluster object, editing the interfaces (manually or with the "Get Interfaces" action) fails with an unclear error message "Failed to save object".

PRJ-57658,
PRHF-36501

Security Management

In some scenarios, High Availability synchronization fails with "NGM failed to export data" because of invalid Global Domain Assignments.

PRJ-58274,
PRHF-37209

Security Management

In rare scenarios:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-58222,
PMTR-110042

Security Management

In SmartConsole, when exporting Access Policy data to a CSV file, the hit count values may be displayed incorrectly in the exported file.

PRJ-57541,
PRHF-33773

Security Management

Scheduled Snapshot Issues:

  • Gaia may not recognize the Remote Server as a known host during scheduled backup creation, even after following sk164234 instructions.

  • The "Remote server identity is not known by Gaia" error is displayed despite proper HBA configuration.

  • The "set snapshot-scheduled recurrence monthly" command fails when using the "all" option.

Refer to sk182665.

PRJ-57782,
PRHF-36576

Security Management

In rare scenarios, publishing Multi-Domain Security Management level changes such as Administrator configuration changes fails. The "Action Failed due to an Internal Error" error is displayed.

PRJ-60340,

PRHF-38803

Security Management

In some scenarios, SmartTasks triggered by "after submit", "approve" and "reject" events fail to run.

PRJ-57069,
PRHF-36058

Security Management

After an upgrade, when browsing to SmartConsole > Manage & Settings > Permissions & Administrator > Administrators, the page may display "Error retrieving results".

PRJ-57036,
PRHF-35374

Security Management

In some scenarios, deleting a Security Gateway object fails if the Security Gateway is a participant in the Global VPN Community.

PRJ-57539,
PRHF-36475

Security Management

In some scenarios, the "show packages" Management API command with "details-level full" fails with "Null Pointer exception: null".

PRJ-59028,
PMTR-111209

Security Management

In the "Gateways and Servers" tab, when opening a shell on a specific Security Gateway, a "Connection failed" message pops up.

PRJ-59038,
PRHF-37790

Security Management

SmartConsole "Validations" panel shows "'statusDescription' can not include html tags". Refer to sk183075.

PRJ-58696,
PMTR-110640

Security Management

Performing changes to the Global Properties may not be possible if:

  • Encryption algorithms in Remote Access > VPN-Authentication and encryption are SHA384 or SHA512.

  • There is at least one Security Gateway configured with a version lower than R81.

PRJ-58030,
PRHF-36922

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments, domain creation fails with "Failed to create Domain server "Domain name" Permission calculation failed."

PRJ-57982,
PRHF-36890

Multi-Domain Security Management

In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck.

  • The fix will only be applied if the upgrade to R82 Jumbo Hotfix Accumulator Take 14 or higher is done using a Blink image or the Advanced Upgrade method.

PRJ-57785,
PRHF-36479

Multi-Domain Security Management

In environments where not all Domains are Active on the same Server (for example, in a multi-site environment), and there is no Domain Management Server for a specific Domain, logs from that Domain are not forwarded to the Infinity Portal.

PRJ-57829,
PRHF-36779

Security Gateway

In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow.

PRJ-56815,
PRHF-29467

Security Gateway

GTP-U traffic may be dropped because of incorrect message type handling.

PRJ-58091,
PMTR-109845

Security Gateway

When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.

PRJ-58271,
PRHF-36963

Security Gateway

Security Gateway with QoS enabled may crash because of a rare race condition.

PRJ-58206,
PRHF-36513

Security Gateway

Incorrect Rule Base parameters synchronization logic may lead to the FWK process exit.

PRJ-57962,
PRHF-36794

Security Gateway

In the HTTP/2 connection scenario, the tenant restriction header injection mechanism encountered an issue affecting the connectivity.

PRJ-58768,
PMTR-111974

Security Gateway

High CPU usage on SND cores related to processing network traffic and distributing it to the appropriate firewall instances.

PRJ-58152,
PRHF-37032

Security Gateway

In a rare scenario, the FWK process may exit when HTTPS Inspection is enabled and TLS connections are inspected on non-standard ports (ports other than 443 or 8080).

PRJ-56740,
FMW-795

Security Gateway

Large NAT Rule Base may lead to high CPU usage during packet processing.

PRJ-58420,
PRHF-37014

Security Gateway

HTTP HEAD requests from Android devices to Google services are blocked by the Security Gateway proxy, generating excessive logs that cause high CPU usage and degrade Security Gateway performance. Refer to sk182990.

PRJ-58902,

PRJ-58903,

PMTR-110909

Security Gateway

The FWK process may exit with a core dump file when the Security Gateway passes SMB traffic and the Hyperflow feature is enabled.

PRJ-59119,

PMTR-110235

Security Gateway

In a rare scenario, the RAD daemon may crash during large memory allocation operations.

PRJ-58407,
PRHF-32698

Security Gateway

PPPoE interface fails to restart when it is disconnected from the Server side. Refer to sk182154.

PRJ-56404,
PRHF-35372

Internal CA

The "cpca_dbutil print" command may delete the provided output file content if the input file does not exist.

PRJ-58131,
PRHF-36964

Identity Awareness

In a rare scenario, the PDPD process may unexpectedly exit during the PDP sharing flow.

PRJ-58441,
PRHF-37240

Identity Awareness

In some scenarios, SAML authentication fails with "Error 500".

PRJ-58191,
PMTR-108416

Application Control

HTTPS Site Categorization fails to properly handle unsupported QUIC protocol versions, causing classification errors instead of following the configured fail-mode (open/close) policy.

PRJ-59452,

PMTR-112600

IPS

In rare scenarios, a memory leak in the FWK process may occur when IPS is active.

PRJ-57969,
PRHF-36711

DLP

The DLP blade may not block the password-protected files of a specific type, although it should.

PRJ-58170,
PRHF-37164

Anti-Virus

In a specific scenario involving a long-lived SMTP connection, the memory usage allocated by the Anti-Virus blade steadily increases over time.

PRJ-57690,
PMTR-109185

SSL Inspection

HTTPS inspection session logs lack detailed explanations in the "explanation" field, displaying generic messages that do not clarify action reasons. This is a cosmetic issue.

PRJ-58073,
PRHF-33345

Mobile Access

The debug output file for Mobile Access, named "exchangeRegistration_portal_error_log", is increasing in size.

PRJ-59491,

PMTR-111453

ClusterXL

During cluster startup with routing separation enabled, a mismatch between routing and firewall process initialization can trigger premature full synchronization pnotes when the routing process is not fully synchronized.

PRJ-59725,

HEC-336

ClusterXL

ElasticXL may fail to pass IPv6 traffic when the internal mechanism assigns the Server-to-Client response traffic to a different Cluster Member than the Cluster Member that processed the Client-to-Server request traffic.

PRJ-58173,
ACCHA-3774,

PRJ-58174,

ACCHA-3821

SecureXL

SD-WAN may not work as expected when SecureXL User Space Mode (UPPAK) is enabled.

PRJ-60467,

PMTR-114455

SecureXL

In some scenarios, a memory leak occurs in the FWK process when SecureXL fails to update an existing route's next hop.

PRJ-60160,

PRHF-38880

SecureXL

Routing related connectivity and stability issues may occur when SecureXL operates in User Mode (UPPAK). Refer to sk183181.

PRJ-58276,
PMTR-110096

SecureXL

SecureXL User Mode crashes if an acceleration card interface has an MTU above 9000 and receives frames larger than 9234 bytes.

PRJ-57991,
PRHF-36805

Routing

The "iphelper" (IP Broadcast Helper) service may trigger high CPU utilization because of a recursive packet broadcasting loop between network interfaces.

PRJ-57987,
ROUT-3189

Routing

Static routes may get permanently deleted from the kernel during rapid interface configuration changes when there is a large number of routes.

PRJ-59288,

PMTR-111756

Routing

Network traffic to the Internet experiences slowdowns and file download interruptions due to packets being dropped with "OS routing failed" errors during route lookup failures.

PRJ-58001,
PRHF-36849

VPN

Capsule VPN connectivity failures may occur after a configuration change of the VPND daemon table parameters.

PRJ-58061,
PRHF-33418

VPN

Two or more Endpoint Security VPN (Remote Access VPN) Users may get the same Office Mode IP address. Refer to sk182537.

PRJ-57797,
PMTR-108966

VPN

Authentication failure may occur when an IKEv2 VPN Endpoint client connects using a machine certificate configured for a specific realm.

PRJ-59251,

PMTR-109563

VPN

When using machine-restricted Access Roles, IKEv2 VPN connections fail at the cleanup rule due to missing machine information and user source IP, while IKEv1 connections are unaffected.

PRJ-57943,
PMTR-108894,

PRJ-58107,
PMTR-109743

VPN

When configuring machine authentication without an LDAP server, the computer is authenticated during the connection with the RA VPN. However, the logs in SmartConsole do not display the "Authenticated machine ..." message as expected.

PRJ-58155,
PMTR-103301

VPN

VPN connection may not be stable when transitioning from Legacy Link Selection to R82 Link Selection.

PRJ-58067,
PMTR-109183

VPN

Different members in a Quantum Maestro environment may show different statuses for VPN probes.

PRJ-58268,
PMTR-108409

VPN

After traffic is stopped and tunnels are deleted, the tunnels may appear as "Disconnected" for about 30 seconds, and then again as "Connected" because of DPD probing.

PRJ-58750,

PMTR-109317

VPN

Remote Access VPN client repeatedly reconnects to a VPN Virtual System when it connects through another Virtual System on a Scalable Platform in the VSX/VSNext mode. Refer to sk183052.

PRJ-57423,

PMTR-108927

VSNext

In VSNext, multiple CPRID processes running on different ports per virtual system may cause instability in large scale environments.

PRJ-58165,
PRHF-37102

Gaia OS

The ROUTED daemon fails to start when a VTI is configured with a local IP address that matches the next-hop address used in the static route configuration. Refer to sk182848.

PRJ-58036,
MBS-14520

Scalable Platforms

Using the "#" character in the Message of the Day (MOTD) banner message causes SGMs to fail during boot.

PRJ-57640,
PMTR-100964

Scalable Platforms

Security Group Member may be in Down state during the license distribution to Maestro Security Group members. Refer to sk181245.

PRJ-57606,
PRJ-57507

Scalable Platforms

When running the "enabled_blades" command multiple times simultaneously, the command output may be incorrect.

PRJ-58736,
PRJ-58323

Scalable Platforms

In a Maestro environment, a Security Gateway may enter a reboot loop because of sync issues of the settings.fwset file.

PRJ-58375,
PMTR-110163

Scalable Platforms

In rare scenarios, Security Group members may fail to receive their Gaia database from the Single Management Object (SMO). When this occurs, gClish commands related to these missing Security Group configurations may fail.

PRJ-56444,
PRHF-31476

Carrier Security

When Carrier Security is enabled, GTP-U packets are incorrectly matched against GTP rules instead of a non-GTP UDP rule, causing drops with the "Unestablished tunnel" error.

Take 12

Released on 26 February 2025 and declared as Recommended on 18 March 2025

Take 12 - Improvements and Resolved Issues

PRJ-59635,

PMTR-113416

Gaia OS

In a rare scenario, when installing a blink package, the Security Gateway may get stuck in a boot loop.

Take 10

Released on 27 January 2025

Take 10 - New Functionality

 

PRJ-57908,
PRHF-32290

Identity Awareness

NEW: Added new OID (1.3.6.1.4.1.2620.1.38.55) to monitor the Identity Collector connection status in the $CPDIR/lib/snmp/chkpnt.mib file.

  • This capability is supported for Identity Collector agents running with version R82.120.0000 or higher.

Take 10 - Improvements and Resolved Issues

PRJ-56747,
PMTR-106894

SmartConsole

UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Fix for Remote Access VPN and login to SmartConsole, Mobile Access and Identity Awareness Captive Portal. Refer to sk182516.

PRJ-58281,

PMTR-97400

Security Gateway

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

PRJ-57491,
PMTR-108994

Security Management

UPDATE: The Management API command "set-https-rule" now automatically sets the negative value to "false" when modifying the destination, source, service, or site-category fields, regardless of its previous setting.

PRJ-57066,
PRHF-34509

SecureXL

UPDATE:

  • Improved debugging in the Security Gateway to identify problematic hosts when resolving their next-hop IP addresses.

  • The custom ADP queue size configuration now persists after rebooting the Security Gateway. The relevant global parameters are located in the $PPKDIR/conf/adpkern.conf file:

    • "adp_nh_total_max_arp_qents"

    • "adp_nh_local_max_arp_qents"

PRJ-58125,

PMTR-106186

Scalable Platforms

UPDATE: Added support for Multicast Listener Discovery (MLD) on Maestro Hyperscale Orchestrator (MHO).

PRJ-57074,
PRHF-35818

Security Management

In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file.

PRJ-58104,
PRHF-32246

Security Management

Audit logs may not be generated when changes are made to an inline (shared) layer that appears multiple times within the same policy.

PRJ-57319,
PRHF-25950

Security Management

The Database Installation progress bar may not update during task execution.

PRJ-59004,

PMTR-111056

Security Management

When editing the administrator expiration date, after publishing, the expiration date resets to "Never". Refer to sk182997.

PRJ-56542,
PRHF-34752

Multi-Domain Security Management

In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains.

PRJ-56532,
PRHF-35418

Multi-Domain Security Management

The Multi-Domain Security Management Server experiences high CPU usage when communicating with the Multi-Domain Log Server, and the cpm.elg log prints the "You have reached the maximum number of active session" error. Refer to sk182738.

PRJ-57531,
PRHF-36514

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments, login to SmartConsole fails.

PRJ-57310,
MCFG-666

SmartConsole

SmartConsole fails to connect with "Unable to connect to server. Server is initializing". Refer to sk182507.

PRJ-57273,

PMTR-108672

SmartConsole

When the Security Management has an additional NAT configuration in the SD-WAN policy (Infinity Portal), an indicating banner may not appear in SmartConsole NAT Rule Base. This is a cosmetic issue.

  • Requires R82 SmartConsole Build 1051 or higher.

PRJ-58050,
PMTR-109735

Security Gateway

In a rare scenario, the FWK process may exit when processing traffic over QUIC protocol.

PRJ-58659,

PMTR-110556

Security Gateway

In a rare scenario, the FWK process may exit due to a race condition.

PRJ-56911,

PRJ-56840,
PRHF-33037,

PRHF-35918

Security Gateway

The Security Gateway may crash after a failure in policy installation.

PRJ-56702,
PRHF-35624

Security Gateway

Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725.

PRJ-57844,
PMTR-109616

Security Gateway

In a rare scenario, when multiple Elephant Flows are running in parallel in the accelerated pipelining path, there may be high CPU utilization. Refer to sk183007.

PRJ-58100,
PMTR-109857

Security Gateway

Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807.

PRJ-57109,
PRHF-36116

Security Gateway

Memory leak may occur in SecureXL templates. Refer to sk182648.

PRJ-57895,

PMTR-108660

Security Gateway

DoS protection and connection rate limiting configurations may fail to effectively enforce rules.

PRJ-57098,

PMTR-108273

SD-WAN

In a rare scenario, when an SD-WAN transport is incorrectly marked as "UP" even though its underlying ISP interface is "DOWN", traffic fails to reach the remote peer because of incorrect routing decisions.

PRJ-58021,
PMTR-109729

Threat Prevention

In a VSX environment, enabling Threat Prevention blades may cause continuous file accumulation on the Security Gateway's hard drive.

PRJ-57007,

PRHF-35823

Threat Prevention

In some scenarios, when Zero Phishing is enabled, a kernel crash may occur.

PRJ-57926,
PMTR-109709

Identity Awareness

Identity Broker Subscriber configured with recalculation of Access Roles does not match all Access Roles after the User and Machine are identified.

PRJ-56869,
PRHF-35625,

PRJ-56873,

PRHF-35636

Identity Awareness

In rare scenarios:

  • The PDPD process may become unresponsive during termination.

  • PDP to PEP Identity synchronization fails on the PEP side when Identity Sharing is configured with PUSH Identity Sharing.

Refer to sk182613.

PRJ-57046,
PRHF-36045

Identity Awareness

In a rare scenario, the PDPD process may unexpectedly exit during policy installation.

PRJ-57411,
PMTR-108321

SSL Inspection

The Trusted CA package update fails when the Security Management Server connects to the Internet only through a Proxy Server.

PRJ-57682,
PRHF-36561

SecureXL

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

PRJ-58592,

PMTR-110486

SecureXL

When working with SecureXL in User mode (UPPAK), some CPUs may reach 100% utilization when enabling or disabling debug filters.

PRJ-57801,
PMTR-109570

SecureXL

Policy installation failures can disrupt the expected behavior of "fwaccel dos" commands.

PRJ-57558,
PRHF-34632

VPN

SSL Network Extender (SNX) traffic on Maestro may be dropped with "vpnk_tcpt invalid negative tunnel id". Refer to sk182806.

PRJ-56335,
PRHF-35251

VPN

An ECDH object may be deleted before its associated event has completed processing.

PRJ-57901,
PMTR-109649

VPN

After a cluster failover, VPN tunnels may not be stable.

PRJ-56499,
PRHF-35416

VPN

There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730.

PRJ-57825,
PRHF-17665

VSX

Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950.

PRJ-56915,
PRHF-35806

VSX

In SmartConsole, in the Device and License Information view, the Compliance Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present.

PRJ-57059,

PRHF-34508

VSX

After a Jumbo Hotfix upgrade, the Mail Transfer Agent may fail on all Virtual Systems except one.

PRJ-56875,
EPS-57790

Harmony Endpoint

During patch deployment in Posture Management, attempting to patch multiple systems for a specific application using the "Group By Application" option fails with the "Failed to Start Patching Process" error.

PRJ-57473,
PRHF-36424

Scalable Platforms

In rare scenarios, Interface Active check may cause a Security Gateway crash when probing a local network.

PRJ-58056,

PRHF-37015

Scalable Platforms

When handling multiple shared uplinks across numerous interfaces, errors related to LACP bond uplink updates may be printed in logs.

PRJ-58195,

PMTR-109784

Scalable Platforms

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Member (SGM).

PRJ-58127,

PMTR-109620

Scalable Platforms

In rare scenarios, authentication between MHOs is not established. Trying to establish authentication manually fails with the "TrustEstablishmentError: Failed to set up communication user on host 1_1: invalid literal for int() with base 10" error.