Released on 04 October 2020 and declared as Recommended on 25 October 2020
Upgrade from R80.10 to R80.40 may fail with messages related to cmsobfuscationkey. Refer to sk168933.
NEW: Added ability to run Management REST API on a Multi-Domain Log Server.
NEW: The "cma_migrate" command will continue working if the SSH connection with the Multi-Domain Server was lost.
If the user presses "Ctrl+C" while cma_migrate is running, the user will be asked whether to stop cma_migrate or to continue.
NEW: The $MDS_FWDIR/scripts/cpm_status.sh script will show if the CPM process fails to start.
$MDS_FWDIR/scripts/solr_start.sh script may fail to start Solr Cure if sk123417 is applied.
In some scenarios, sessions that were opened for third parties or automatic scripts that use the Management API remain open. Refer to sk169072.
The Purge Revisions operation may not clean deleted objects of previous revisions.
In rare scenarios, High Availability sync fails with "NGM failed to import data" error after the user deletes a Permission Role.
In rare scenarios, Install Policy Presets are not triggered.
In some scenarios, migrating two different Security Management Servers to domains in the same Multi-Domain Management Server fails.
In some scenarios, exporting the Security Management Server in order to migrate it to a Domain in a Multi-Domain environment fails.
In rare scenarios, the "where-used" API command fails with "Management server failed to execute command" error.
- Global object deletion will be blocked if used in Domains on the Multi Domain Server.
- The "Unused Objects" filter in the Global Domain will show objects only if not used by all of the Domains on the Multi-Domain Server.
Policies may disappear from the Global Domain Assignments view after running the Solr Cure utility. Refer to sk168060.
When the user attempts to add/change the Leading Interface through mdsconfig, it may fail with the "no external interfaces found on this machine" error. Refer to sk168319.
Management HA incremental synchronization may break on the MDS level with "failed to import data" error message due to an operation related to the Compliance Blade.
After upgrading a Multi-Domain Management Server, the object version of the Domain Management Servers or Domain Log Servers in the MDS SmartConsole may not have changed.
In rare scenarios, the FWM process may unexpectedly exit and fail the Multi-Domain Management server upgrade.
Global Policy reassign in MDS may fail with "An internal error has occurred" message after adding overrides to Snort protections.
The user may not be able to delete objects that are referenced by a previously deleted policy. Refer to sk122954.
The "Get Interfaces" operation fails when an admin creates a new cluster and decides to remove one of the members before selecting "Get Interfaces".
In some scenarios, when working with older applications like SmartView or SmartProvisioning, the admin count in SmartConsole presents an incorrect number of connected admins.
Setting or creating HTTPS layer (add-https-layer) with the "shared" parameter using the API may fail with the "Unrecognized parameter [shared]" error.
Hit count data may not be deleted automatically.
In some scenarios, Management API commands with "details-level":"full" Payload return a truncated output and fail to complete. Refer to sk170414.
In some scenarios, when the user installs policy on R77.30 Central Office Security Gateway from Management version R80 and higher, VPN tunnels may be dropped for LSM Gateways.
Compliance Partial Scans in Multi-Domain environments using Global Policies may lead to SmartConsole freeze or long publish times. Refer to sk170562.
In rare scenarios, the evstop script does not stop all logging processes. As a result, upgrade procedures may hang and show no progress.
In SmartView, when the user sends a generated report via email in a language with non-standard English letters (Accented, Cyrillic, Chinese, Japanese, etc.), some of the text may appear as question marks (?).
In SmartView, the icon is missing from the cover page of Compliance and Content Awareness PDF reports.
UPDATE: Added the latest fixes and security improvements to OpenSSL.
Updated Dynamic Balancing Clish commands. Refer to sk164155.
In some scenarios, Dynamic Balancing is unable to configure the MQ setting for some interfaces.
When using Management Data Plane Separation (MDPS), a scheduled backup may fail.
In some scenarios, compilation errors during policy installation are ignored instead of immediately failing the policy. This may cause drops on the Security Gateway.
In rare scenarios, Security Gateway memory consumption may increase.
In a rare scenario, the Security Gateway may crash due to a NULL pointer reference.
In a rare scenario, the FWD process opens connections to port 111.
An interface name with more than 15 characters may cause the policy installation to fail. Refer to sk167955.
ICAP block page displays virus name as "Unknown" instead of the virus name as it appears in the logs.
In some scenarios, when VPN blade or ISP Redundancy are used, traffic may be routed to the wrong interface. Refer to sk168881.
In a rare scenario, Security Gateway may crash after policy installation.
After policy installation, the output of the "cphaprob stat" command may show "HA module not started" when a large number of non-monitored Cluster interfaces are configured in SmartConsole.
- This fix adds support for multiple non-monitored interfaces in SmartConsole.
In some scenarios, DNS protections configured on inspection settings may not be enforced.
In some scenarios, a large number of interfaces defined on the Security Gateway may cause high CPU utilization by the CPD process. Refer to sk168674.
In some scenarios, SCCP traffic may be dropped by the Security Gateway. Refer to sk108124.
Enabling both Dynamic Balancing and MDPS causes Dynamic Balancing to stop.
In rare scenarios, Dynamic Balancing fails to start after boot due to state verification failure.
SXL drop due to routing configuration when using security zone on bridge (layer2).
In a rare scenario, Threat Emulation and 2 core appliances may freeze. Refer to sk169575.
In some scenarios, there may be sporadic connectivity issues in the Anti-Malware/URLF service (RAD).
In some scenarios, web traffic may be blocked with "Content Awareness - Error: Internal system error (1000)" error log.
In some scenarios, a CRL timeout may occur, which may cause slowness in HTTPS Inspection. Refer to sk169876.
In some scenarios, invalid characters are sent to gw-stat report.
In some scenarios, deprecated applications are not removed/replaced during an upgrade from R77.30 to R80.x. Refer to sk131372.
In some scenarios, custom intelligence feeds with URL encoding characters may not be parsed correctly. Refer to sk168077.
In rare scenarios, Security Gateway may crash due to memory allocation failure.
In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606).
Mobile Access Secure Workspace feature does not work with SAML/IDP-based authentication when running Secure Workspace is optional.
The Mobile Access Blade's portal dialog for editing web application SSO credentials may not work correctly.
Mobile Access portal may become unresponsive after Jumbo Hotfix uninstallation. Refer to sk169152.
Mobile Access Blade may fail to install on VSX environments due to a missing configuration file.
In a rare scenario, the Security Gateway may crash when receiving packets from an MDPS management interface.
In a rare scenario, the Security Gateway may crash when deleting certain non-TCP connections.
In some scenarios, SecureXL makes an offload decision to not accelerate multicast traffic for route-based VPN.
An asymmetric routing issue may occur between a Virtual System and a Virtual Switch/Router.
BGP fails to establish with high MTU setting on Gaia 3.10.
A TCP connection between the cluster master and slave may flap when OSPF attempts to delete a non-Max-Age LSA.
In some scenarios, the routed daemon may unexpectedly exit with BGP.
Connectivity improvements for Remote Access VPN with L2TP.
The "vpn tu tlist" command shows the wrong number of clients connected in Visitor mode.
In some scenarios, VPN tunnel connection is dropped with "no MSA for MSPI" error. Refer to sk167393.
In some scenarios, Remote Access VPN traffic may be dropped when XFF is enabled.
In some scenarios, using LS/HA mode on a VPN tunnel may cause packets to be dropped. Refer to sk160612.
IP compression may not work in some scenarios when IKEv2 is configured.
Access Roles with MAB SNX as the client type may not work.
Improved NAT Detection with 3rd party peers in IKEv1 and IKEv2. Refer to sk165003.
Stability improvement for Remote Access VPN.
When IKEv2 is configured, traffic that originated from the DAIP external interface may fail to pass.
When a Gateway does not recognize the SPI, it sometimes sends the "Invalid SPI" notification in the clear. As a result, the peer may ignore it, resulting in an outage.
In rare scenarios, Remote Access clients may not be able to re-connect after a failover.
NEW: Added Multi-Queue (MQ) support for Sync interface.
Reduced the logging of vague messages when the user adds a known host in Clish.
Creating LOM users for Smart-1 525/625/5050/5150 appliances may fail if the username length is shorter than 4 characters.
It is not allowed to create usernames with reserved words, such as 'eval', 'apply' etc., in the middle of the username in WebUI. Refer to sk170681.
In rare scenarios, a snapshot creation may fail.
Restore backup may fail due to unmatched upgrade tools.
Certain Clish commands, like "show interfaces all", may cause confd to crash. Refer to sk170324.
In a rare scenario, the "Allowed-clients" feature does not work as expected for SSH.
In some scenarios, when the RADIUS user enables bash logging (as per sk99134) and moves to expert mode, the username in the log files appears as admin instead of RADIUS.
In some scenarios, when the user tries to return to the factory default, the machine reverts to a different snapshot.
In the Management Data Plane Separation (MDPS) environment, the output for the "show asset network" command may not report some line cards if they have mixed management/data plane interfaces.
When enlarging the partition via lvm_manager from a small partition to a larger partition, the user may reach an internal filesystem settings limit. As a result, some filesystem monitoring commands unexpectedly exit. Refer to sk165258.
The "Error I40E_AQ_RC_EINVAL adding RX filters on PF" error may appear during i40e driver operation, and the RSS key may be reset during certain driver operations.
Setting LACP rate does not survive a reboot on Gaia 3.10.
Gaia backup with Endpoint Management may miss some information from the Endpoint database. Refer to sk168062.
"An unexpected error occurred" message may appear when the user clicks on 'View Current Status' in SmartEndpoint's 'Overview' tab. Refer to sk167176.
NEW: Added support for VMware vCenter version 7 to CloudGuard Controller.
NEW: Added new AWS regions af-south-1, ap-northeast-3, and eu-south-1.
In some scenarios, CloudGuard Controller may lose connection to GCP projects. Refer to sk168499.
Scanning of a GCP Data Center may fail when an instance does not have disks.
CloudGuard Controller may sometimes update the Standby cluster member in VSLS mode.
An Azure Data Center scan may fail, and no updates are sent to the Security Gateway.
In some scenarios, QoS Policy installation fails with the following message: "Error - QoS Policy does not apply to any network interface. Please edit your Network Object and check the interfaces you wish to install on" when policy is defined properly on the interface.