R82 Jumbo Hotfix Take 14


Note - This Take contains all fixes from all earlier Takes.

Columns: ID | Product | Description (each entry shows "ID | Product" on one line, with the description below).

Take 14

Released on 20 April 2025

Take 14 - New Functionality

PRJ-56952, PRJ-56616 | SD-WAN
NEW: In SD-WAN, added support for:
  • Traffic steering based on Differentiated Services Code Point (DSCP).
  • Rule-based NAT per ISP.

PRJ-56409, PRJ-53464 | SD-WAN
NEW:
  • Added an ARP Next-Hop prober to support additional network topologies.
  • Introduced an HTTP prober to reflect real-time Web Access metrics.
  • Implemented a Link Aggregation mode proportional to Download and Upload bandwidth.
  • Administrators can now override the SD-WAN interface Circuit configuration.
  • Integrated Forward Error Correction, which adds error correction code packets to the Overlay packet stream to ensure successful traffic delivery.
  • Introduced Dynamic Objects (SD-WAN Internet, My VPN Domain, and Peer VPN Domain) to better represent Overlay and Internet address spaces.
  • Added administrator control for Symmetric Packet Return, forcing Ingress Traffic to be replied to on the same ISP.
  • Enabled SD-WAN Overlay establishment across different Domains using a Global VPN Community (MDS).
  • Allowed SD-WAN Overlay to operate on top of Route-based VPN.
  • Increased the maximum Overlay size to support up to 500 Security Gateways.
  • Improved the accuracy of SD-WAN decision-making during policy installation.
  • Enabled setup of an IPv4 SD-WAN Overlay when non-SD-WAN IPv6 interfaces are configured.

PRJ-57083, AAD-1761 | VPN
NEW: Local SCV settings can be customized per Security Gateway by creating a $FWDIR/conf/local.scv_<GW NAME> file; otherwise the settings fall back to the standard local.scv configuration.

Take 14 - Improvements and Resolved Issues

PRJ-58376, PMTR-110261 | Mobile Access
UPDATE: Resolved CVE-2024-52887 - Self-XSS vulnerability in the Mobile Access Native Applications 'favorites' dialog. Refer to sk183054.

PRJ-58382, PMTR-110274 | Mobile Access
UPDATE: Resolved CVE-2024-52888 - Mobile Access File Share applications are vulnerable to stored XSS attacks. Refer to sk183055.

PRJ-56536, PRHF-34745 | Security Management
UPDATE: The Management API logs outbound payloads to api.elg only for non-"200" response codes. It is now possible to set the "WRITE_FULL_OUT_PAYLOAD" environment variable to force logging of all API call payloads, regardless of the response status. Refer to sk182786.

PRJ-58728, PMTR-110883 | Security Management
UPDATE: The Global Domain automatic purge settings are now automatically restored and rescheduled after a Security Management Server restart.

PRJ-57848, PMTR-109621 | Logging
UPDATE: Enhanced the "cp_log_export" CLI command with additional examples and expanded help documentation.

PRJ-56569, PRHF-32539 | Security Gateway
UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved system reliability and security performance.

PRJ-56706, PRHF-34380 | Security Gateway
UPDATE: Added VSX context information to the mem.report files in /var/log/CP_mem_dwarf/.

PRJ-58468, ROUT-3004 | Routing
UPDATE: Added a new Gaia Clish parameter to ignore the Autonomous System (AS) Path when aggregating routes: "set aggregate <IP Address>/<IP Mask> aspath-ignore {on | off}". Note: enabling "aspath-ignore" disables "aspath-truncate" if it is configured.

PRJ-58466, PRHF-33825 | Routing
UPDATE: IP Reachability Detection now supports simultaneous BFD and ping monitoring of the same remote address; previously only one method was functional at a time. When both are configured, each monitoring protocol operates independently, so features can track their preferred detection method while the existing configuration syntax is kept.

PRJ-58738, ACCHA-3835 | SecureXL
UPDATE: Optimized memory management when processing Jumbo Frames.

PRJ-58795, PMTR-110837 | VSNext
UPDATE: All interfaces are now automatically assigned to VS0 (the default Virtual System) with no instance bind, and can be moved between Virtual Systems without first unassigning them, enabling immediate VSNext functionality.

PRJ-57735, PMTR-109486 | Scalable Platforms
UPDATE: In ElasticXL, restoring a Gaia OS backup is now supported.

PRJ-58348, PMTR-110224 | Scalable Platforms
UPDATE: VSLS Mode is now supported in VSNext ElasticXL environments.

PRJ-57616, PMTR-109197 | Scalable Platforms
In VSNext ElasticXL Load Sharing environments, traffic latency and interface flapping may occur between two members in the Virtual Switch (VSW) when the switch is configured on non-management interfaces and both members are on the same site.

PRJ-57907, PRHF-36295 | Security Management
In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

PRJ-58942 | Security Management
In SmartConsole, in the Quantum Spark Cluster object, editing the interfaces (manually or with the "Get Interfaces" action) fails with the unclear error message "Failed to save object".

PRJ-57658, PRHF-36501 | Security Management
In some scenarios, High Availability synchronization fails with "NGM failed to export data" because of invalid Global Domain Assignments.

PRJ-58274, PRHF-37209 | Security Management
In rare scenarios:
  • Login to the Security Management Server may fail with a timeout.
  • Publish operations may take a long time.

PRJ-58222, PMTR-110042 | Security Management
In SmartConsole, when exporting Access Policy data to a CSV file, the hit count values may be displayed incorrectly in the exported file.

PRJ-57541, PRHF-33773 | Security Management
Scheduled Snapshot issues:
  • Gaia may not recognize the Remote Server as a known host during scheduled backup creation, even after following the sk164234 instructions.
  • The "Remote server identity is not known by Gaia" error is displayed despite proper HBA configuration.
  • The "set snapshot-scheduled recurrence monthly" command fails when using the "all" option.
Refer to sk182665.

PRJ-57782, PRHF-36576 | Security Management
In rare scenarios, publishing Multi-Domain Security Management level changes, such as Administrator configuration changes, fails with the error "Action Failed due to an Internal Error".

PRJ-60340, PRHF-38803 | Security Management
In some scenarios, SmartTasks triggered by "after submit", "approve" and "reject" events fail to run.

PRJ-57069, PRHF-36058 | Security Management
After an upgrade, browsing to SmartConsole > Manage & Settings > Permissions & Administrators > Administrators may display "Error retrieving results".

PRJ-57036, PRHF-35374 | Security Management
In some scenarios, deleting a Security Gateway object fails if the Security Gateway participates in the Global VPN Community.

PRJ-57539, PRHF-36475 | Security Management
In some scenarios, the "show packages" Management API command with "details-level full" fails with "Null Pointer exception: null".

PRJ-59028, PMTR-111209 | Security Management
In the "Gateways and Servers" tab, opening a shell on a specific Security Gateway shows a "Connection failed" message.

PRJ-59038, PRHF-37790 | Security Management
The SmartConsole "Validations" panel shows "'statusDescription' can not include html tags". Refer to sk183075.

PRJ-58696, PMTR-110640 | Security Management
Changes to the Global Properties may not be possible if:
  • The encryption algorithms in Remote Access > VPN - Authentication and Encryption are SHA384 or SHA512.
  • At least one Security Gateway is configured with a version lower than R81.

PRJ-58030, PRHF-36922 | Multi-Domain Security Management
In rare scenarios, in Multi-Domain Security Management environments, domain creation fails with "Failed to create Domain server "Domain name" Permission calculation failed."

PRJ-57982, PRHF-36890 | Multi-Domain Security Management
In rare scenarios, an upgrade of a Multi-Domain Security Management Server may get stuck while handling Domain Log Server certificates.
  • The fix is applied only if the upgrade to R82 Jumbo Hotfix Accumulator Take 14 or higher is done using a Blink image or the Advanced Upgrade method.

PRJ-57785, PRHF-36479 | Multi-Domain Security Management
In environments where not all Domains are Active on the same Server (for example, a multi-site environment), and there is no Domain Management Server for a specific Domain, logs from that Domain are not forwarded to the Infinity Portal.

PRJ-58519, PMTR-110408 | Logging
In some scenarios, on Log Servers or Multi-Domain Log Modules (MLM):
  • The SOLR process consumes high CPU.
  • There is a delay in displaying logs in the Logs view.

PRJ-57829, PRHF-36779 | Security Gateway
In some scenarios, an HTTP format size protection exception is not applied to HTTP/2 traffic.

PRJ-56815, PRHF-29467 | Security Gateway
GTP-U traffic may be dropped because of incorrect message type handling.

PRJ-58091, PMTR-109845 | Security Gateway
When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.

PRJ-58271, PRHF-36963 | Security Gateway
A Security Gateway with QoS enabled may crash because of a rare race condition.

PRJ-58206, PRHF-36513 | Security Gateway
Incorrect Rule Base parameter synchronization logic may cause the FWK process to exit.

PRJ-57962, PRHF-36794 | Security Gateway
In HTTP/2 connections, the tenant restriction header injection mechanism may cause connectivity issues.

PRJ-58768, PMTR-111974 | Security Gateway
High CPU usage may occur on SND cores when processing network traffic and distributing it to the appropriate firewall instances.

PRJ-58152, PRHF-37032 | Security Gateway
In a rare scenario, the FWK process may exit when HTTPS Inspection is enabled and TLS connections are inspected on non-standard ports (ports other than 443 or 8080).

PRJ-56740, FMW-795 | Security Gateway
A large NAT Rule Base may lead to high CPU usage during packet processing.

PRJ-58420, PRHF-37014 | Security Gateway
HTTP HEAD requests from Android devices to Google services are blocked by the Security Gateway proxy, generating excessive logs that degrade Security Gateway performance through high CPU usage. Refer to sk182990.

PRJ-58902, PRJ-58903, PMTR-110909 | Security Gateway
The FWK process may exit with a core dump file when the Security Gateway passes SMB traffic and the Hyperflow feature is enabled.

PRJ-58407, PRHF-32698 | Security Gateway
A PPPoE interface fails to restart when it is disconnected from the Server side. Refer to sk182154.

PRJ-56404, PRHF-35372 | Internal CA
The "cpca_dbutil print" command may delete the content of the provided output file if the input file does not exist.

PRJ-58131, PRHF-36964 | Identity Awareness
In a rare scenario, the PDPD process may unexpectedly exit during the PDP sharing flow.

PRJ-58441, PRHF-37240 | Identity Awareness
In some scenarios, SAML authentication fails with "Error 500".

PRJ-58191, PMTR-108416 | Application Control
HTTPS Site Categorization fails to handle unsupported QUIC protocol versions properly, causing classification errors instead of following the configured fail-mode (open/close) policy.

PRJ-59452, PMTR-112600 | IPS
In rare scenarios, a memory leak in the FWK process may occur when IPS is active.

PRJ-57969, PRHF-36711 | DLP
The DLP blade may not block password-protected files of a specific type, although it should.

PRJ-58170, PRHF-37164 | Anti-Virus
In a specific scenario involving a long-lived SMTP connection, the memory allocated by the Anti-Virus blade steadily increases over time.

PRJ-57690, PMTR-109185 | SSL Inspection
HTTPS Inspection session logs lack detailed explanations in the "explanation" field, displaying generic messages that do not clarify the reason for the action. This is a cosmetic issue.

PRJ-58073, PRHF-33345 | Mobile Access
The Mobile Access debug output file "exchangeRegistration_portal_error_log" keeps growing in size.

PRJ-59491, PMTR-111453 | ClusterXL
During cluster startup with routing separation enabled, a mismatch between routing and firewall process initialization can trigger premature full synchronization pnotes when the routing process is not fully synchronized.

PRJ-58173, ACCHA-3774, PRJ-58174, ACCHA-3821 | SecureXL
SD-WAN may not work as expected when SecureXL User Space Mode (UPPAK) is enabled.

PRJ-60467, PMTR-114455 | SecureXL
In some scenarios, a memory leak occurs in the FWK process when SecureXL fails to update the next hop of an existing route.

PRJ-60160, PRHF-38880 | SecureXL
Routing-related connectivity and stability issues may occur when SecureXL operates in User Mode (UPPAK). Refer to sk183181.

PRJ-58276, PMTR-110096 | SecureXL
SecureXL User Mode crashes if an acceleration card interface has an MTU above 9000 and receives frames larger than 9234 bytes.

PRJ-57991, PRHF-36805 | Routing
The "iphelper" (IP Broadcast Helper) service may trigger high CPU utilization because of a recursive packet broadcasting loop between network interfaces.

PRJ-57987, ROUT-3189 | Routing
Static routes may be permanently deleted from the kernel during rapid interface configuration changes when there is a large number of routes.

PRJ-59288, PMTR-111756 | Routing
Network traffic to the Internet experiences slowdowns and file download interruptions because packets are dropped with "OS routing failed" errors when route lookups fail.

PRJ-58001, PRHF-36849 | VPN
Capsule VPN connectivity failures may occur after a configuration change of the VPND daemon table parameters.

PRJ-58061, PRHF-33418 | VPN
Two or more Endpoint Security VPN (Remote Access VPN) users may get the same Office Mode IP address. Refer to sk182537.

PRJ-57797, PMTR-108966 | VPN
Authentication may fail when an IKEv2 VPN Endpoint client connects using a machine certificate configured for a specific realm.

PRJ-59251, PMTR-109563 | VPN
When machine-restricted Access Roles are used, IKEv2 VPN connections fail at the cleanup rule because of missing machine information and user source IP, while IKEv1 connections are unaffected.

PRJ-57943, PMTR-108894, PRJ-58107, PMTR-109743 | VPN
When machine authentication is configured without an LDAP server, the computer is authenticated during the Remote Access VPN connection, but the logs in SmartConsole do not display the expected "Authenticated machine ..." message.

PRJ-58155, PMTR-103301 | VPN
The VPN connection may be unstable when transitioning from Legacy Link Selection to R82 Link Selection.

PRJ-58067, PMTR-109183 | VPN
Different members in a Quantum Maestro environment may show different statuses for VPN probes.

PRJ-58268, PMTR-108409 | VPN
After traffic stops and tunnels are deleted, the tunnels may appear as "Disconnected" for about 30 seconds and then as "Connected" again because of DPD probing.

PRJ-58750, PMTR-109317 | VPN
A Remote Access VPN client repeatedly reconnects to a VPN Virtual System when it connects through another Virtual System on a Scalable Platform in VSX/VSNext mode. Refer to sk183052.

PRJ-57423, PMTR-108927 | VSNext
In VSNext, multiple CPRID processes running on different ports per Virtual System may cause instability in large-scale environments.

PRJ-58165, PRHF-37102 | Gaia OS
The ROUTED daemon fails to start when a VTI is configured with a local IP address that matches the next-hop address used in the static route configuration. Refer to sk182848.

PRJ-58036, MBS-14520 | Scalable Platforms
Using the "#" character in the Message of the Day (MOTD) banner causes SGMs to fail during boot.

PRJ-57640, PMTR-100964 | Scalable Platforms
A Security Group Member may be in the Down state during license distribution to Maestro Security Group members. Refer to sk181245.

PRJ-57606, PRJ-57507 | Scalable Platforms
When the "enabled_blades" command is run multiple times simultaneously, its output may be incorrect.

PRJ-58736, PRJ-58323 | Scalable Platforms
In a Maestro environment, a Security Gateway may enter a reboot loop because of sync issues with the settings.fwset file.

PRJ-58375, PMTR-110163 | Scalable Platforms
In rare scenarios, Security Group members may fail to receive their Gaia database from the Single Management Object (SMO). When this occurs, gClish commands related to the missing Security Group configurations may fail.

PRJ-56444, PRHF-31476 | Carrier Security
When Carrier Security is enabled, GTP-U packets are incorrectly matched against GTP rules instead of a non-GTP UDP rule, causing drops with the "Unestablished tunnel" error.