List of All Resolved Issues and New Features in R82 Jumbo Hotfix Accumulator

NEW: Added statistics for Top Matched Access Control Rules and Top Log Types in the Logs view of SmartConsole and in the response of the "show logs" Management API command. This allows to identify the rules that generate a high volume of logs.

UPDATE: Resolved CVE-2024-52885. Mobile Access File Share applications are vulnerable to directory traversal attacks. Refer to sk183137.

UPDATE: Updated the "show asset" command output with the correct details for the X7 4-port card (CPAC-4-10/25F-DA model).

UPDATE: Log Exporter is now delivered as an autoupdatable package, replacing the maintrain-based deployment. This approach shifts from version-based to component-level updates, enabling a more granular and agile update mechanism. Refer to sk182866.

UPDATE: Improved processing of ICMP packets in the Security Gateway.

UPDATE: Added an out-of-the-box package for updatable objects that is included with clean installations or Jumbo Accumulator Hotfix Takes (when no other package exists). If the out-of-the-box package is present during policy installation, an update is now initiated in addition to the automatic update.

UPDATE: The "fwha_allow_different_corexl_instances" kernel parameter is now added to prevent cluster members from entering a Down state because of firewall instance count mismatches.

An FD (file descriptor) memory leak may occur when creating a new object in SmartConsole.

The "Management rejected fetch for this module - version matching problem" error is displayed when running the "fw vsx fetch" command on an R81.x Scalable Platform (Maestro and Chassis) in VSX mode with an R82 Security Management Server. Refer to sk183298.

Fetching branches from an LDAP Server fails with "Failed to connect to LDAP Server. Please ensure that the administrator's credentials are correct and try again" when the LDAP Server does not support anonymous bind (when a client connects to an LDAP server without providing any credentials). To enable the ability, refer to sk183461.

Deleting a user that is used in a user group with more than 1000 users may cause SmartConsole to time out.

In some scenarios, when exporting the Gateways and Servers View to CSV, the resulting file may contain an extra empty column. Refer to sk182233.

In some scenarios, policy installation fails with the "/opt/<xxxxx>-R81.20/conf/Policy-name.pf" line N: ERROR: syntax error Error compiling IPv6 flavor. Operation ended with errors" error.

In rare scenarios, accelerated policy installation fails to initialize, the full Access Control Policy installation is executed instead and it may take up to 20 minutes.

The "vsx-run-operation" Management API command may fail on the Multi-Domain Security Management Server. Refer to sk182524.

In some scenarios, the Postgres database on the Standby Security Management Server is growing after every High Availability synchronization. Refer to sk182868.

The "show lsm-gateway" and "show lsm-gateways" Management API commands may return an empty "version" field.

In rare scenarios, Domain creation fails with "Failed to create Domain server '<Domain Server Name>'. The connected administrator has no permission to create a Domain-Server on the specified Domain".

CPView history may be corrupted.

When the Mirror and Decrypt feature is enabled, the SKB memory leak may occur.

ElasticXL members communicating with the pivot cluster member may transition to DOWN state when synchronization between the pivot and other members is lost.

Security Gateways with default MDPS task settings using proxy can fetch CPUSE updates and licenses successfully. On MPLANE updatable objects are not updated while everything works on DPLANE.

Enabling debugging in Quick UDP Internet Connections (QUIC) flows may cause an FWK process crash.

In rare scenarios, downloading large files over HTTPS may get stuck.

In a rare scenario, after an upgrade, the Security Gateway may crash with a vmcore.

RADIUS authentication fails when a response packet contains the Message-Authenticator attribute. Refer to sk183244.

In a rare scenario, a script related to CPView may take a long time to execute and the SCRUBD process becomes unresponsive.

In some failure scenarios, the Anti-Virus blade does not report the failure in a SmartConsole log.

The Mobile Access Portal hosted on a Security Gateway R81.20 or lower becomes unresponsive, and CVPND core files are generated after the Security Management Server is upgraded to version R82.

If both bond subordinate interfaces are down, the output of "cphaprob show_bond bond" command is corrupted.

A Multi-Version Cluster (MVC) member with VPN enabled may crash when performing an upgrade from R80.40.

In VSX environments, deleting a Virtual System interface through SmartConsole fails to remove certain bindings, causing the interface to be automatically re-added.

The USIM process to exit during error logging.

The USIM process may crash during route updates when the Hardware Acceleration offloading connection is active.

In rare scenarios, after enabling Bridge Mode, a cluster member may stuck in a boot loop.

The Security Gateway may crash when connected to the Smart-1 Cloud Management Server and a maas_tunnel interface is repeatedly added and deleted.

Multiple SNMP OIDs return incorrect data types. Refer to sk183166.

Exporting logs using the "backup -l" command may fail.

In rare scenarios, users may be disconnected from SmartConsole, and an FWM process core dump is generated.

When working in User Mode (UPPAK), SecureXL may crash when multiple SND cores perform simultaneous next hop lookup for the same next hop.

The ROUTED daemon may exit when processing OSPF network updates in a cluster environment. This occurs because of a timing issue in the routing protocol synchronization process.

In some scenarios, the ROUTED daemon may exit with a core dump file.

A memory leak occurs in the ROUTED daemon when CoreXL is running OSPF and handling large numbers of LSAs combined with frequent route flaps.

When deleting a bond interface with slaves still attached while maintaining both WebUI and SSH sessions, the deletion succeeds but generates "unregister_netdevice" syslog messages and terminates the WebUI session. The issue occurs because local connections to the Gateway cause slow bond interface deletion, leading to WebUI timeout.

In rare scenarios, VPN traffic connectivity may be lost during policy installation.

In a rare scenario, the FWK process may exit during VPN traffic decryption and routing when the PPPoE interface is enabled.

The "fw stat" command output may not display the correct policy name for a Virtual System.

A static route to 0.0.0.0, regardless of the subnet mask, is incorrectly treated as the default route (0.0.0.0/0) and does not appear in the VSX Gateway's routing table. Refer to sk182742.

SD-WAN fails to obtain next hop address automatically from the DHCP Server.

In rare scenarios, SD-WAN policy installation hangs indefinitely.

Connections with fragmented packets drop with the "Virt Defrag Timeout" error. Refer to sk182559.

In rare scenarios, the connection between the Security Gateway (acting as a proxy) and the Security Management Server is not closed correctly.

In a Security Group in VSX mode, if an interface's link state changes during boot, there may be a delay in updating the link state. This delay can cause traffic interruption on that interface.

The CPD process may exit during policy installation on a Scalable Platforms cluster on Quantum Force 29000 appliances.

NEW: SD-WAN functionality now supports AWS Cross Availability Zone and traffic steering with configurable multi-target probing.

UPDATE: Added the ability to monitor the CPU cores that run CoreXL SND (Secure Network Dispatcher) instances separately from the CPU cores that run CoreXL Firewall instances. The monitoring of CPU cores handling CoreXL SND instances was improved. It is possible now to:

• view the exact number of CPU cores running SND instances that are under load, instead of seeing it as a percentage of total CPU cores.

• configure the load threshold for CPU cores running CoreXL SND instances.

• configure the load duration for SND CPU cores.
  

When these parameters are configured, the load on SND CPUs triggers a failover at a different time and under different load conditions compared to Firewall CPUs. Refer to the R82 ClusterXL Administration Guide > Advanced Features and Procedures > ClusterXL Failover based on the Load on ClusterXL SND Instances.

UPDATE: Management upgrade performance is improved by up to 15%.

• The fix will only be applied if the Management Server upgrade is performed using either the Blink image of the current Jumbo Hotfix Accumulator Take or the Advanced Upgrade method (where the current Jumbo Hotfix Accumulator Take is installed on the target Management Server).

UPDATE: CPView and SNMP can now show Hide NAT statistics for up to 200 top NAT IP Pools (the default is 3 top NAT IP Pools). Configure the required value for the kernel parameter "fwx_alloc_top_pools_num" with the CLI command "fw ctl set -f int fwx_alloc_top_pools_num <integer from 1 to 200>".

UPDATE: Added multi-interface packet fragment reassembly support to prevent drops in Equal Cost Multipath (ECMP) environments.

UPDATE: RAD extended flow information is now logged into a cyclic CSV file - $FWDIR/log/rad_events/rad_flows.csv. This enhancement provides visibility into RAD connections, helping to monitoring and troubleshooting. Refer to sk183108.

UPDATE: Improved Threat Prevention Blades performance by 15%-25% on Quantum Force 9000, 19000 and 29000 appliances.

UPDATE: In SmartConsole, added a new section "Application/Site" to the HTTPS Inspect log details. It provides details on resource and categorization matching.

UPDATE: SecureXL User Mode (UPPAK) is now blocked in Active-Active cluster configurations, as this combination is not supported.

UPDATE: Implemented a validation in Clish to restrict virtual switch (VSW) configuration to a single interface, preventing setup disruption.

UPDATE: The "add-virtual-gateway" Management API is updated: added the option to not connect the new VS to the virtual switch.

UPDATE: Improved debuggability for the "cpstart" command in a large scale VSNext environments.

UPDATE: CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group now supports inspection of IPv6 traffic encapsulated with GENEVE IPv4 headers.

After rebooting a Multi-Domain Security Management Server, the CPView (sk101878) and Skyline (sk178566) tools do not return data (for example, when running the "cpview -m", "cpview -t", "cpview -s" commands).

Using the "set simple-cluster" command without the "members.add" option to add cluster members may result in recreating existing cluster members and potential loss of SIC.

Management Server operations may be slow because of some API commands, and multiple core dumps may be generated.

Changes to a SmartConsole administrator's Authentication Server (RADIUS or TACACS) may occasionally fail to take effect.

In rare scenarios, Revert to Database Revision is stuck at 10%.

In some scenarios, the "Log Servers" tab in the Logs and Events view of SmartConsole is not visible. Refer to sk183154.

Inserting the "\n" character in the name of a rule fails with an unclear error message not indicating the cause of the failure.

In rare scenarios, login to SmartConsole may fail with the timeout.

After an IPS update, reassigning global policies may take a long time.

In rare scenarios, the CPD process may unexpectedly exit and create a core dump file. Refer to sk182787.

In rare scenarios, Infinity Portal shows the "Failed to update Infinity Portal with objects from your on-premises Management Server. Contact Check Point Support" error.

Renaming a Secondary Security Management Server that was promoted to Primary fails.

Policy Installation may not be accelerated after modifying a host in a rule with the inline layer action.

The Compliance Blade incorrectly reports Gaia Best Practices as insecure for cluster members.

In rare scenarios, Global Policy Assignment fails with an "IPS update is currently running in local domain" message, although IPS update is not running in that Domain.

In some scenarios, the Security Management Server with a proxy configured is unable to connect to Infinity Portal after changing the proxy settings.

Packet mode search or search within Object Explorer for IP address ranges may not work correctly on the Standby Security Management Server.

In some scenarios, Virtual Security Gateways lose their licenses. This causes Site to Site VPN and Remote Access VPN services to go down, while general internet access remains functional. SmartUpdate may not load.

In a Multi-Domain Security Management environment, an audit log is not created after changing the "Parent rule for Domain's policy" Domain layer.

In rare scenarios, the "mdsstat" command shows that the CPD process is down even though it is up and running.

In some scenarios, in the Multi-Domain Security Management Server, certain previously utilized global objects may remain hidden from both the SmartConsole's Object Explorer View and the "show unused-objects" Management API command.

In some scenarios, the "SIC Error for EntitlementManager: Peer sent wrong DN" error is printed in cpd.elg on a VSX Gateway.

In rare scenarios, the "Blades" widget in the Compliance Blade Overview page is blank.

In the cloud environments (Smart-1 Cloud and EPMaaS), logs query may fail because of the AWS certificate change.

When disconnecting the Security Management Server from the Infinity Portal and connecting to a different region, log sharing from Log Servers does not work until the Log Server restarts.

When a NAT-T tunnel is set up between VPN peers, packets having UDP encapsulation added to the headers are not transmitted out of the PPPoE interface as they should be. VPN connection appears to be established but does not actually pass traffic.

The DHCPv6 relay drops reply messages from the DHCPv6 server rather than forwarding them to the clients.

The FWK process exits with core dumps and error messages in $FWDIR/log/fwk.elg:"malware_res_rep_match_dns_response: check_dns_response_activate() failed".

Memory handling issue, causing the FWK process to unexpectedly restart.

The FWK process may unexpectedly restart when running the memory detection leak procedure.

In a Maestro environment with configured Virtual System Load Sharing (VSLS) Mode, one of the Security Gateways on an SGM may be unresponsive until it is restarted several times.

A rare issue in HTTP/2 multiplexing may lead to traffic disruption. Refer to sk183441.

In some scenarios, a memory leak may occur in the FWK process.

In a rare scenario, an outage may occur in an Azure environment after one cluster member crashes and recovers.

Some Access Control Rule Base flows may increase CPU utilization .

In rare scenarios, the CPD process may unexpectedly exit, generating a core dump.

In a rare scenario, if the USIM process exits during firewall memory mapping, it can result in a Security Gateway crash.

Policy installation fails with the error message: "All the rules in layer "<Name of Layer>" contain only expired time objects. See sk155253 for more details".

In a rare scenario, the RAD daemon may exit during large memory allocation operations.

In some scenarios, in a cluster environment, when URL Filtering is enabled, there may be traffic disruption.

In a rare scenario, the Security Gateway may crash during email inspection.

In some scenarios, a VPN outage may occur after an ICA renewal.

In rare scenarios, the Threat Emulation Blade may fail to correctly classify the file type.

A memory leak can occur in the Threat Extraction file inspection process for HTTP/S protocols. When memory consumption reaches the maximum allowed allocation, it causes the process to crash and automatically restart.

In a rare scenario, the PDPD process may unexpectedly exit during a cluster failover.

HTTP traffic dropped by PSL because of missing Host header. Refer to sk183569.

Some custom applications in the HTTPS Inspection policy are not matched if they are part of a Group object. Refer to sk183176.

In some scenarios, when URL Filtering Blade analyzes web requests, the RAD error may appear in /var/log/messages: "rad_kernel_urlf_request_serialize: string len =XXXX bigger than max 4096".

The FWK process may unexpectedly exit during HTTPS inspection flow which requires the RAD service categorization.

When Anti-Virus is enabled, files are not downloaded with the "Failed writing the file" error printed in logs, and the block page is not displayed.

In some scenarios, the Anti-Bot Blade fails to parse external IoC feeds with IP address observables.

In some scenarios, a SmartConsole log with the Anti-Bot Blade entries may appear when the Anti-Bot Blade is disabled in the profile.

When a TLS connection is rejected because of no shared key exchange between the client and the Security Gateway, no log is generated to inform the administrator.

The HTTPD process periodically exits when accessing the Mobile Access Blade Citrix application because of the memory leak in the Citrix proxy implementation.

In ClusterXL High Availability setup, a crash may occur on both the primary and secondary members, causing network outages.

The FWK process may exit after enabling or disabling the "Same VMAC" feature. Refer to sk165674.

ClusterXL drops traffic that is sent to its IPv6 Virtual IP Address that is configured with the Unicast Link-Local scope (/64). Refer to sk183104.

High volumes of RST packets may cause CPU spikes, resulting in incoming network packet drops on SND instances.

In a rare scenario, the Security Gateway may become unresponsive during extended high memory utilization.

The Hardware Acceleration offloaded connection may break when the route is updated, affecting the offload flow and slowing down operations.

When SecureXL works in User Mode (UPPAK), in a VSX environment with many virtual systems, the WebUI may not be accessible when it reaches its internal connection limit.

A warning message "adp_rt4_delete: rt entry .... does not exist for slot 1" may be printed in the /var/log/dmesg file while VPN connection remains active.

The Security Gateway with SecureXL in User Mode (UPPAK) may crash under load during bond interface state flapping.

Memory allocation issue when handling Jumbo Frames.

SecureXL in User Mode (UPPAK) may restart when adding or removing VLAN interfaces and the Security Gateway is under high load.

In rare cases, when an internal BGP (iBGP) peer disconnects during a graceful restart, BGP may fail to advertise all routes. However, the missing routes still appear under "adj-rib-out" with a next hop of "0.0.0.0."

When obtaining a new IP address using the "dhclient -r" command turning off and on the interface configured as Dynamic Address IP (DAIP), the interface loses its IP address and fails to acquire a new one from the DHCP Server.

The ROUTED daemon may exit with a core dump file during IBGP synchronization.

When a network connection is established simultaneously in both directions (server-to-client and client-to-server), the Security Gateway experiences connectivity issues because of incorrect packet dispatching, leading to dropped packets. Refer to sk183072.

After an upgrade, Site to Site VPN tunnels (IKEv2) fail to establish. Logs show the "Auth exchange: Sending notification to peer: Invalid syntax" and "INVALID_KE_PAYLOAD" errors for IKE traffic. Refer to sk183550.

In VSNext environments, CPView VSX Data shows only VS0.

Virtual Switches with names larger than 128 characters cannot be deleted, the "Virtual System with ID2 does not exist" error is displayed.

Occasional failures during simultaneous creation of multiple Virtual Systems (VS's), where identical IDs are assigned to more than one VS.

VSNext Virtual Gateway drops traffic when it is connected to a Virtual Switch. This issue affects systems running NGTP software blades. Refer to sk183460.

A memory leak may occur in a VSX environment, related to the transmitting packets module.

In a VSX environment, the Security Gateway may crash when removing an interface from topology.

Output of the "dynamic_split -p" command shows "Dynamic Split is currently off (Stopped due to State Verification failure)" on a VSX Gateway. Refer to sk181231.

When attempting to create cloning groups on an R82 Security Gateway, the "Error - Home directory for 'cadmin' cannot be in /home/cadmin directory" error is printed. Refer to sk182989.

In a Maestro environment, an error message about short string length may be incorrectly displayed when setting an expert password string that includes the colon ":" character on the Security Gateway.

High volumes of VoIP/ SIP traffic may trigger a Security Gateway crash.

Dynamic IP address changes for DAIP Gateway objects are not propagated to all Security Gateways in the SD-WAN VPN community, causing VPN connectivity failures.

On ElasticXL platform, there may be unnecessary or unsuccessful attempts to update the distribution of traffic among the cluster members.

In the VSNext mode (on ElasticXL and Maestro Security Groups), the Gaia gClish / Gaia Clish command "show interface" in the context of Virtual Switches fails with "CLINFR0699 Invalid command".

Changing the bond mode on Scalable Platform Security Group members may cause a MAC address mismatch on the bond interface because of the bond slaves reordering that does not match the database. Refer to sk182488.

The "fw fetch local" command fails on a Virtual System without SIC established because the SIC name is missing.

IP broadcast helper cannot forward the packets if the IP address of the "relay to" is not directly connected to the Security Gateway.

In some scenarios, the perfanalyze scripts output shows duplicates in cores data, this can cause the CPD process to crash.

When the Maestro Fastforward feature is enabled, rebooting a member may cause the member to be down because of the policy installation failure and the "Site HA module not started" error may be displayed.

Configured proxy ARP may not work as expected, when the "Same VMAC" feature is enabled.

A reboot loop with a generated configuration pnote may be triggered when Security Group hostname contains strings with "mq" or "otlp".

NEW:

• Added ARP Next-Hop prober to enhance support for additional network topologies.

• Introduced HTTP prober to reflect real-time Web Access metrics.

• Implemented Link Aggregation mode proportional to Download and Upload bandwidth.

• Administrators are now able to override SD-WAN interface Circuit configuration.

• Integrated Forward Error Correction to ensure successful traffic delivery by adding error correction code packets to the Overlay packet stream.

• Introduced Dynamic Objects (SD-WAN Internet, My VPN Domain, and Peer VPN Domain) to better represent Overlay and Internet address spaces.

• Added administrator control for Symmetric Packet Return, forcing Ingress Traffic to be replied on the same ISP.

• Enabled SD-WAN Overlay establishment across different Domains using Global VPN Community (MDS).

• Allowed SD-WAN Overlay to operate on top of Route-based VPN.

• Increased maximum Overlay size to support up to 500 Security Gateways.

• Improved accuracy of SD-WAN decision-making during policy installation.

• Enabled setup of IPv4 SD-WAN overlay when non-SD-WAN IPv6 interfaces are configured.

UPDATE: Resolved CVE-2024-52888 - Mobile Access File Share applications are vulnerable to stored XSS attacks. Refer to sk183055.

UPDATE: The Global Domain automatic purge settings now automatically restore and reschedule after a Security Management Server restart.

UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved system reliability and security performance.

UPDATE: Added a new Gaia Clish parameter to ignore the Autonomous System (AS) Path when aggregating routes: "set aggregate <IP Address>/<IP Mask> aspath-ignore {on | off}". Note, enabling "aspath-ignore" will disable "aspath-truncate" if configured.

UPDATE: Optimized memory management when processing Jumbo Frames.

UPDATE: In ElasticXL, restoring Gaia OS backup is now supported.

In VSNext ElasticXL Load Sharing environments, traffic latency and interface flapping may occur between two members in the Virtual Switch (VSW), when the switch is configured on non-management interfaces and both members are on the same site.

In SmartConsole, in the Quantum Spark Cluster object, editing the interfaces (manually or with the "Get Interfaces" action) fails with an unclear error message "Failed to save object".

In rare scenarios:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Scheduled Snapshot Issues:

• Gaia may not recognize the Remote Server as a known host during scheduled backup creation, even after following sk164234 instructions.

• The "Remote server identity is not known by Gaia" error is displayed despite proper HBA configuration.

• The "set snapshot-scheduled recurrence monthly" command fails when using the "all" option.

Refer to sk182665.

In some scenarios, SmartTasks triggered by "after submit", "approve" and "reject" events fail to run.

In some scenarios, deleting a Security Gateway object fails if the Security Gateway is a participant in the Global VPN Community.

In the "Gateways and Servers" tab, when opening a shell on a specific Security Gateway, a "Connection failed" message pops up.

Performing changes to the Global Properties may not be possible if:

• Encryption algorithms in Remote Access > VPN-Authentication and encryption are SHA384 or SHA512.

• There is at least one Security Gateway configured with a version lower than R81.

In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck.

• The fix will only be applied if the upgrade to R82 Jumbo Hotfix Accumulator Take 14 or higher is done using a Blink image or the Advanced Upgrade method.

In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow.

When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.

Incorrect Rule Base parameters synchronization logic may lead to the FWK process exit.

High CPU usage on SND cores related to processing network traffic and distributing it to the appropriate firewall instances.

Large NAT Rule Base may lead to high CPU usage during packet processing.

The FWK process may exit with a core dump file when the Security Gateway passes SMB traffic and the Hyperflow feature is enabled.

PPPoE interface fails to restart when it is disconnected from the Server side. Refer to sk182154.

In a rare scenario, the PDPD process may unexpectedly exit during the PDP sharing flow.

HTTPS Site Categorization fails to properly handle unsupported QUIC protocol versions, causing classification errors instead of following the configured fail-mode (open/close) policy.

The DLP blade may not block the password-protected files of a specific type, although it should.

HTTPS inspection session logs lack detailed explanations in the "explanation" field, displaying generic messages that do not clarify action reasons. This is a cosmetic issue.

During cluster startup with routing separation enabled, a mismatch between routing and firewall process initialization can trigger premature full synchronization pnotes when the routing process is not fully synchronized.

SD-WAN may not work as expected when SecureXL User Space Mode (UPPAK) is enabled.

Routing related connectivity and stability issues may occur when SecureXL operates in User Mode (UPPAK). Refer to sk183181.

The "iphelper" (IP Broadcast Helper) service may trigger high CPU utilization because of a recursive packet broadcasting loop between network interfaces.

Network traffic to the Internet experiences slowdowns and file download interruptions due to packets being dropped with "OS routing failed" errors during route lookup failures.

Two or more Endpoint Security VPN (Remote Access VPN) Users may get the same Office Mode IP address. Refer to sk182537.

When using machine-restricted Access Roles, IKEv2 VPN connections fail at the cleanup rule due to missing machine information and user source IP, while IKEv1 connections are unaffected.

VPN connection may not be stable when transitioning from Legacy Link Selection to R82 Link Selection.

After traffic is stopped and tunnels are deleted, the tunnels may appear as "Disconnected" for about 30 seconds, and then again as "Connected" because of DPD probing.

In VSNext, multiple CPRID processes running on different ports per virtual system may cause instability in large scale environments.

Using the "#" character in the Message of the Day (MOTD) banner message causes SGMs to fail during boot.

When running the "enabled_blades" command multiple times simultaneously, the command output may be incorrect.

In rare scenarios, Security Group members may fail to receive their Gaia database from the Single Management Object (SMO). When this occurs, gClish commands related to these missing Security Group configurations may fail.

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

UPDATE:

• Improved debugging in the Security Gateway to identify problematic hosts when resolving their next-hop IP addresses.

• The custom ADP queue size configuration now persists after rebooting the Security Gateway. The relevant global parameters are located in the $PPKDIR/conf/adpkern.conf file:

  • "adp_nh_total_max_arp_qents"

  • "adp_nh_local_max_arp_qents"

In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file.

The Database Installation progress bar may not update during task execution.

In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains.

In rare scenarios, in Multi-Domain Security Management environments, login to SmartConsole fails.

When the Security Management has an additional NAT configuration in the SD-WAN policy (Infinity Portal), an indicating banner may not appear in SmartConsole NAT Rule Base. This is a cosmetic issue.

• Requires R82 SmartConsole Build 1051 or higher.

In a rare scenario, the FWK process may exit due to a race condition.

Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725.

Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807.

DoS protection and connection rate limiting configurations may fail to effectively enforce rules.

In a VSX environment, enabling Threat Prevention blades may cause continuous file accumulation on the Security Gateway's hard drive.

Identity Broker Subscriber configured with recalculation of Access Roles does not match all Access Roles after the User and Machine are identified.

In a rare scenario, the PDPD process may unexpectedly exit during policy installation.

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

Policy installation failures can disrupt the expected behavior of "fwaccel dos" commands.

An ECDH object may be deleted before its associated event is completed processing.

There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730.

In SmartConsole, in the Device and License Information view, the Compliance Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present.

During patch deployment in Posture Management, attempting to patch multiple systems for a specific application using the "Group By Application" option fails with the "Failed to Start Patching Process" error.

When handling multiple shared uplinks across numerous interfaces, errors related to LACP bond uplink updates may be printed in logs.