R82 Jumbo Hotfix Take 44

NEW: Hardened the authentication in the Gaia Cloning Group.

Important - After the installation of this Jumbo Hotfix Accumulator Take, you must follow these steps in each current Cloning Group:

1. Make sure this Jumbo Hotfix Accumulator Take is installed on each Cloning Group Member

2. On each of the Cloning Group Members, enter a Cloning Group password - enter the current password again or a new password.

3. On each Cloning Group Member, re-synchronize the Cloning Group.

For more information, see the Gaia Administration Guide > Chapter "System Management" > Section "Cloning Group".

UPDATE: A Security Management Server/Domain Management Server can now manage up to 1500 Security Gateways/Cluster members, allowing concurrent policy installation on all Security Gateways/Cluster members at once.

UPDATE: Added an HCP test to check whether the CPAC-2-100/25F, CPAC-2-100/25F-B, CPAC-2-40F-B, or CPAC-2-40F-C FW firmware is safe to update from R81.10 to a higher version. Refer to sk182403.

UPDATE: The "tops" calculation method is now consistent between SmartConsole and Management CLI (mgmt_cli), so both tools produce matching results.

UPDATE: ISP Redundancy is now supported in VSNext Mode.

UPDATE: Added Identity Awareness metrics to Skyline. Refer to the Skyline Metrics Repository.

UPDATE: SecureXL Rate Limiting rules for DoS Mitigation now support these parameters with automatic IP range updating enabled by default:

• "cc:<COUNTRY_CODE>"

• "asn:<AUTONOMOUS_SYSTEM_NUMBER>"

Refer to sk112454.

UPDATE: Updated supported regions in OCI (Oracle Cloud Infrastructure) data centers and changed the fetching domain logic.

UPDATE: Increased the maximum supported number of Uplink interfaces from 64 to 99 on Maestro Orchestrator. Refer to Quantum Maestro Getting Started Guide.

UPDATE: Added Take 201 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Take 76 of Policy Insights Release Updates. Refer to sk183421.

After editing an Interoperable Device object, the number of changes of the current session presented in SmartConsole may be inaccurate.

When Global Domain Assignment removal fails with the "Global Domain Assignment failed: object XXX could not be deleted because it is referenced by other objects" error, only a partial list of the referencing objects is displayed in the error message.

In rare scenarios, the FWM process may not start automatically after an unexpected exit.

After an IPS update, reassigning global policies may take a long time.

In rare cases, Security Gateway licenses are not displayed in SmartUpdate when connected at the Multi-Domain Security Management level, despite being visible at the Domain level.

In the SmartProvisioning application, the hardware for 2530, 2550, 2560, 2570, 2580 Quantum Spark appliances is displayed as 1100 appliances instead of their actual hardware. This may lead to policy installation failures.

Policy installation may fail when an updatable object is processed incorrectly.

When configuring NAT64 rules for specific targets, the rules may fail to apply. Return traffic may be dropped.

An application may fail to match correctly when URL Filtering is configured in Hold Mode.

ICAP Server may fail to process multipart HTTP requests (when request body is split into multiple parts, each with its own headers and content).

In some scenarios, the Anti-Virus blade fails to parse and load external IoC observables of type IPv6. Refer to sk182947.

The testing of external IoC feed connectivity from SmartConsole fails because of improper retrieval of configuration values.

Entra ID (Azure ID) authorization may fail when more than one tenant is configured for authorization and the "fetch-user-group"s or "fetch-machine-groups" mode is enabled.

When using Gateway as a Proxy "Non-transparent" and HTTPS Inspection is set to "inspect" with "X-Forward-For header", video playback on YouTube fails.

In a rare scenario, the Security Gateway may crash during traffic inspection.

Modifying the number of CoreXL instances in a VSLS cluster containing three or more members causes traffic interruption on the updated Virtual System.

In a ClusterXL setup, a rare performance issue may be caused by policy installation failure.

An FWK core file is generated when configuring a Bridge Group with more than two interfaces.

In ClusterXL High Availability (HA), in some scenarios, the Active cluster member stops sending Cluster Control Protocol (CCP) heartbeats, and the Standby member may misinterpret this as an Interface Active Check (IAC) failure.

The Security Gateway can take a significant amount of time to boot up when SecureXL User Mode (UPPAK) is enabled.

Memory corruption may occur in rare VPN routing scenarios.

In cluster environments, on the Active member, the USIM_x86 process may experience frequent core dumps, causing Security Gateway instability.

In rare scenarios, CoreXL Firewall instances may become fully utilized because of resource contention from the Parallel Processing Engine (PPE). Refer to sk184183.

ASE LSAs for routes sharing the same prefix but having different mask lengths may not be re-originated correctly when a topology change restores previously unreachable routes to a reachable state.

In VSX environments with VS and VR configurations, when Policy-Based Routing (PBR) is configured on the Virtual Router, Remote Access VPN traffic bypasses the PBR table and uses the default route instead.

In a rare scenario, the FWM process may exit on the Security Management Server managing VSX Gateways/Clusters.

• The sysLocation OID (1.3.6.1.2.1.1.6.0) returns "UNKNOWN", even though the value is configured in the SNMP settings and exists in the Gaia database (/config/active).

• When editing sysLocation or sysContact using the SNMP configuration interface, the Gaia database is updated, but the SNMP configuration file is not updated.

The Security Management Server hangs during a Backup operation because of endless SSH handshake retry, making it impossible to access via SSH or CLI.

HealthCheck Point (HCP) reports "rx_length_errors" for Security Group Members. Refer to sk183040.

The "show syslog logs" Clish command returns the "cat: /var/log/messages*: No such file or directory" error even though these files exist.

In the Smart-1 Cloud environment, in the Gateways & Servers view, newly provisioned CloudGuard Autoscaling Security Gateways may be shown as disconnected.

In rare scenarios, after an upgrade or "cpstop;cpstart", SD-WAN policy installation fails with "Error code: 2-4-2000279".

Gaia database lock on a Maestro Security Group configured with Management Aggregation (MAGG) is lost when using API or Gaia gClish to add a new Management interface to the Security Group. Refer to sk183031.

In a Security Group in VSX mode, if an interface's link state changes during boot, there may be a delay in updating the link state. This delay can cause traffic interruption on that interface.

In Maestro Security Group or Scalable Chassis Security Group with VSX with many Virtual Systems (VSs), boot may take a long time when the database file (/config/active) is very large (200,000 lines or more).

On the Mobile Access Portal, SAML authentication does not display the login fields in a Maestro Security Group in the VSX. Refer to sk182548.

Unnecessary reboots may be caused by differences in the database's scheduled backup entries (creation and update time) between the Security Group members.

In ElasticXL, each Security Group Member allocates only 1785 ports for Hide NAT instead of approximately 16600 ports. Refer to sk183481.

In rare scenarios, authentication between MHOs is not established. Trying to establish authentication manually fails with the "TrustEstablishmentError: Failed to set up communication user on host 1_1: invalid literal for int() with base 10" error.