List of All Resolved Issues and New Features in R82 Jumbo Hotfix Accumulator

NEW:

• Added ARP Next-Hop prober to enhance support for additional network topologies.

• Introduced HTTP prober to reflect real-time Web Access metrics.

• Implemented Link Aggregation mode proportional to Download and Upload bandwidth.

• Administrators are now able to override SD-WAN interface Circuit configuration.

• Integrated Forward Error Correction to ensure successful traffic delivery by adding error correction code packets to the Overlay packet stream.

• Introduced Dynamic Objects (SD-WAN Internet, My VPN Domain, and Peer VPN Domain) to better represent Overlay and Internet address spaces.

• Added administrator control for Symmetric Packet Return, forcing Ingress Traffic to be replied on the same ISP.

• Enabled SD-WAN Overlay establishment across different Domains using Global VPN Community (MDS).

• Allowed SD-WAN Overlay to operate on top of Route-based VPN.

• Increased maximum Overlay size to support up to 500 Security Gateways.

• Improved accuracy of SD-WAN decision-making during policy installation.

• Enabled setup of IPv4 SD-WAN overlay when non-SD-WAN IPv6 interfaces are configured.

UPDATE: Resolved CVE-2024-52888 - Mobile Access File Share applications are vulnerable to stored XSS attacks. Refer to sk183055.

UPDATE: The Global Domain automatic purge settings now automatically restore and reschedule after a Security Management Server restart.

UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved system reliability and security performance.

UPDATE: Added a new Gaia Clish parameter to ignore the Autonomous System (AS) Path when aggregating routes: "set aggregate <IP Address>/<IP Mask> aspath-ignore {on | off}". Note, enabling "aspath-ignore" will disable "aspath-truncate" if configured.

UPDATE: Optimized memory management when processing Jumbo Frames.

UPDATE: In ElasticXL, restoring Gaia OS backup is now supported.

In VSNext ElasticXL Load Sharing environments, traffic latency and interface flapping may occur between two members in the Virtual Switch (VSW), when the switch is configured on non-management interfaces and both members are on the same site.

In SmartConsole, in the Quantum Spark Cluster object, editing the interfaces (manually or with the "Get Interfaces" action) fails with an unclear error message "Failed to save object".

In rare scenarios:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Scheduled Snapshot Issues:

• Gaia may not recognize the Remote Server as a known host during scheduled backup creation, even after following sk164234 instructions.

• The "Remote server identity is not known by Gaia" error is displayed despite proper HBA configuration.

• The "set snapshot-scheduled recurrence monthly" command fails when using the "all" option.

Refer to sk182665.

In some scenarios, SmartTasks triggered by "after submit", "approve" and "reject" events fail to run.

In some scenarios, deleting a Security Gateway object fails if the Security Gateway is a participant in the Global VPN Community.

In the "Gateways and Servers" tab, when opening a shell on a specific Security Gateway, a "Connection failed" message pops up.

Performing changes to the Global Properties may not be possible if:

• Encryption algorithms in Remote Access > VPN-Authentication and encryption are SHA384 or SHA512.

• There is at least one Security Gateway configured with a version lower than R81.

In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck.

• The fix will only be applied if the upgrade to R82 Jumbo Hotfix Accumulator Take 14 or higher is done using a Blink image or the Advanced Upgrade method.

In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow.

When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.

Incorrect Rule Base parameters synchronization logic may lead to the FWK process exit.

High CPU usage on SND cores related to processing network traffic and distributing it to the appropriate firewall instances.

Large NAT Rule Base may lead to high CPU usage during packet processing.

The FWK process may exit with a core dump file when the Security Gateway passes SMB traffic and the Hyperflow feature is enabled.

PPPoE interface fails to restart when it is disconnected from the Server side. Refer to sk182154.

In a rare scenario, the PDPD process may unexpectedly exit during the PDP sharing flow.

HTTPS Site Categorization fails to properly handle unsupported QUIC protocol versions, causing classification errors instead of following the configured fail-mode (open/close) policy.

The DLP blade may not block the password-protected files of a specific type, although it should.

HTTPS inspection session logs lack detailed explanations in the "explanation" field, displaying generic messages that do not clarify action reasons. This is a cosmetic issue.

During cluster startup with routing separation enabled, a mismatch between routing and firewall process initialization can trigger premature full synchronization pnotes when the routing process is not fully synchronized.

In some scenarios, a memory leak occurs in the FWK process when SecureXL fails to update an existing route's next hop.

SecureXL User Mode crashes if an acceleration card interface has an MTU above 9000 and receives frames larger than 9234 bytes.

Static routes may get permanently deleted from the kernel during rapid interface configuration changes when there is a large number of routes.

Capsule VPN connectivity failures may occur after a configuration change of the VPND daemon table parameters.

Authentication failure may occur when an IKEv2 VPN Endpoint client connects using a machine certificate configured for a specific realm.

When configuring machine authentication without an LDAP server, the computer is authenticated during the connection with the RA VPN. However, the logs in SmartConsole do not display the "Authenticated machine ..." message as expected.

Different members in a Quantum Maestro environment may show different statuses for VPN probes.

Remote Access VPN client repeatedly reconnects to a VPN Virtual System when it connects through another Virtual System on a Scalable Platform in the VSX/ VSNext mode. Refer to sk183052.

The ROUTED daemon fails to start when a VTI is configured with a local IP address that matches the next-hop address used in the static route configuration. Refer to sk182848.

Security Group Member may be in Down state during the license distribution to Maestro Security Group members. Refer to sk181245.

In a Maestro environment, a Security Gateway may enter a reboot loop because of sync issues of the settings.fwset file.

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

UPDATE:

• Improved debugging in the Security Gateway to identify problematic hosts when resolving their next-hop IP addresses.

• The custom ADP queue size configuration now persists after rebooting the Security Gateway. The relevant global parameters are located in the $PPKDIR/conf/adpkern.conf file:

  • "adp_nh_total_max_arp_qents"

  • "adp_nh_local_max_arp_qents"

In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file.

The Database Installation progress bar may not update during task execution.

In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains.

In rare scenarios, in Multi-Domain Security Management environments, login to SmartConsole fails.

When the Security Management has an additional NAT configuration in the SD-WAN policy (Infinity Portal), an indicating banner may not appear in SmartConsole NAT Rule Base. This is a cosmetic issue.

• Requires R82 SmartConsole Build 1051 or higher.

In a rare scenario, the FWK process may exit due to a race condition.

Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725.

Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807.

DoS protection and connection rate limiting configurations may fail to effectively enforce rules.

In a VSX environment, enabling Threat Prevention blades may cause continuous file accumulation on the Security Gateway's hard drive.

Identity Broker Subscriber configured with recalculation of Access Roles does not match all Access Roles after the User and Machine are identified.

In a rare scenario, the PDPD process may unexpectedly exit during policy installation.

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

Policy installation failures can disrupt the expected behavior of "fwaccel dos" commands.

An ECDH object may be deleted before its associated event is completed processing.

There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730.

In SmartConsole, in the Device and License Information view, the Compliance Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present.

During patch deployment in Posture Management, attempting to patch multiple systems for a specific application using the "Group By Application" option fails with the "Failed to Start Patching Process" error.

When handling multiple shared uplinks across numerous interfaces, errors related to LACP bond uplink updates may be printed in logs.