R82 Jumbo Hotfix Take 36

NEW: In SmartConsole, the CSV export file of Access Control Policy NAT rules now contains the hit count data: "Hits", "First Hits" and "Last Hits" columns.

• Requires R82 SmartConsole Build 1056 or higher.

NEW: Added support for the Quantum Spark 2500 appliances (2530, 2550, 2560, 2570, and 2580) in the EA (Early Availability) program.

UPDATE: Resolved CVE-2025-2028. Lack of TLS validation when downloading a visualization support data file. Refer to sk183349.

UPDATE: In SmartConsole and Management API, Access and NAT Policies now support Rule Base search for hitcount values.

UPDATE: On Security Management Servers, environment variables set using the override_server_setting.sh script now apply to all processes. Refer to sk165938.

UPDATE: In SmartConsole > Logs & Monitor > Logs, added information to the "Per Session" logs:

• NAT fields

• Dynamic object name

• Updatable object name

• Network feed object name

• Destination Domain Name field

UPDATE: Quantum Force 9400 and 9300 appliances with Standalone configuration now run in User Space Firewall (USFW) Mode by default.

UPDATE: Added the "inclusions" feature to the Split Tunnel Remote Access functionality. Refer to the R82 Remote Access VPN Admin Guide > Dynamic Split Tunneling for SaaS Using Updatable Objects.

UPDATE: Increased the maximum supported number of Uplink interfaces from 64 to 99 on Maestro Orchestrator. Refer to Quantum Maestro Getting Started Guide.

VPN certificate renewal may generate certificates with 2K key sizes instead of the 3K size specified in Global Properties.

In some scenarios, a cluster object may not be listed in the "Uninstall Threat Prevention Policy" window.

In rare scenarios, the CPRLIC process may exit with core files generated to the /var/log/dump/usermode/ directory on the Security Management Server.

Virtual System routes and interfaces may not be synchronized to the Standby Security Management Servers.

In rare scenarios, in multi-site Multi-Domain Security Management environments, operations across two or more Servers, such as Global Domain Assignment, IPS and Application Control update may fail.

The Management API command "set simple-gateway name 'XXX' usercheck-portal-settings.enabled {false|true}" fails to properly enable or disable User Check for Security Gateway objects. When running this command, the change is not applied to the Security Gateway configuration, and the "Enable UserCheck for active blades" setting in SmartConsole remains unchanged.

In rare scenarios, the first packet of a connection is incorrectly dropped when a non-FQDN object is used in the Rule Base.

In rare scenarios, after deleting Data Center objects:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Access Control policy installation may take a long time when updatable objects are used in the policy.

In rare scenarios, policy installation may get stuck at 99%.

In SmartProvisioning application:

• Performing "push policy" on a Gaia LSM Cluster fails with the "local failure of CPRID" error.

• The "Get Gateway Data" operation fails with "Execution error Error: Unspecified error".

• The "cphaprob stat" command returns a core dump file.

In a rare scenario, the FWK process may restart unexpectedly.

When Mirror and Decrypt features are enabled, the Security Gateway may experience unexpected reboots. The crashes are caused by "put_cred_rcu()" errors with negative usage values and memory leaks in the ARP cache.

In rare cases, failovers may occur because the FWK process unexpectedly exits.

When handling interface statistics, the CPD or FWK processes may unexpectedly restart with an error related to IOCTL printed in logs. Refer to sk183544.

In rare scenarios, the FWK process may unexpectedly exit when stopping the Security Gateway using the "cpstop" command while a packet capture tool is running.

In rare scenarios, the FWK process may unexpectedly exit when the IPS Blade logs triggered protections.

The VSX Security Gateway may crash when an external interface connected to the Virtual Router or Virtual Switch starts flapping.

In some scenarios, external IoC feeds are not correctly fetched in VSX environments after a reboot.

In rare scenarios, Security Gateways with the Content Awareness Blade enabled may fail to properly process certain .zip file formats, resulting in "Failed to process files" errors during the Anti-Virus inspection.

In rare scenarios, the RAD process may unexpectedly exit.

The "HTTPS Inspection Statistics" view in Demo Mode of SmartView in SmartConsole shows " No data found". The issue is cosmetic only.

The ROUTED daemon may incorrectly initialize as Subordinate rather than Master after a "cpstop;cpstart" command when executed on the sole Active member in a cluster configuration.

In High Availability Bridge Mode ClusterXL environments, the management interface of a Standby member becomes inaccessible. Refer to sk183124.

When printing the Deny list on a Security Gateway during Threat Prevention policy installation after deleting a large IoC feed from Security Management, an uninformative IOCTL error is displayed instead of a proper error message. The issue is cosmetic only.

In a rare scenario, no traffic is passed in the 6in4 tunnel and the two hosts cannot reach each other. The output for the "tcpdump" command in the tunnel shows "ip: unknown ip 0".

In rare scenarios, when SecureXL works in User Mode, running the "reset_gw" or "vsx_util reconfigure" commands may cause the Security Gateway to crash.

Multicast traffic is dropped when the Packet-Broker operates in Monitor Mode with Promiscuous Mode disabled.

After MTU for Jumbo Frames is configured on a physical interface for the first time, until the Security Gateway is rebooted, there may be potential packet drops.

Stability issue on Quantum Force appliances 9300 and 9400. Refer to sk183438.

SNMP OID .1.3.6.1.4.1.2620.1.6.7.5.1.5.X falsely reports high CPU due to malformed calculation. Refer to sk182784.

The ROUTED daemon core dump file may be generated because of an assertion failure in the OSPF code.

In a rare scenario, a Security Gateway crash and temporary loss of routing adjacency occur when the cluster messaging system attempts to process a deletion request for a BFD session that no longer exists.

If BFD (Bidirectional Forwarding Detection) timing parameters, such as "min-rx-interval", are modified during an active BFD session deletion process, and a new BFD session is established before the deletion fully completes (deletion typically requires up to 2 hours), the newly created session inherits the previous timing configuration rather than applying the updated timing settings.

In some scenarios, BGP routing updates may not be processed properly.

NFS mount does not support hyphen "-".

In rare scenarios, when using IP Aliasing, deleting an interface by IP address reference may incorrectly delete the wrong IP address because of incorrect error handling.

VPN connection may be unstable because of packet fragmentation issues.

Virtual Router advanced routes may be assigned incorrect priorities in policy-based routing configurations.

The "vsx_util view_vs_conf" command output may show "N/A" for a Gateway when an object in the Domain shares the same name as the Virtual System object.

In a large scale VSNext environment, creating over 50 Virtual Systems (VSs) fails.

SD-WAN policy installation may fail during the configuration of MDPS on the Security Gateway.

In a Maestro environment, migrating a Virtual System between Security Groups may cause a member to crash.

After a reboot, IPv6 addresses configured on data interfaces disappear from the "ifconfig" output when the Same VMAC feature is enabled in SmartConsole.

Running "cpstop" on a specific Virtual System may cause traffic interruption in dual site deployments.

A cluster member may crash when performing a manual site failover and the deployment is using "Interface Active Check" with IPv6 enabled.