Take 83
Released on 04 October 2020 and declared as Recommended on 25 October 2020
PRJ-8954,
MCFG-246
Upgrade Tools
Upgrade from R80.10 to R80.40 may fail with messages related to cmsobfuscationkey. Refer to sk168933.
PRJ-15610,
PMTR-57447
Security Management
NEW: Added ability to run Management REST API on a Multi-Domain Log Server.
PRJ-16147,
PMTR-58152
Security Management
NEW: The "cma_migrate" command will continue working if the SSH connection with the Multi-Domain Server was lost.
If the user presses "Ctrl+C" while cma_migrate is running, the user will be asked whether to stop cma_migrate or to continue.
PRJ-15501,
PMTR-56638
Security Management
NEW: The $MDS_FWDIR/scripts/cpm_status.sh script will show if the CPM process fails to start.
PRJ-15497,
PMTR-57275
Security Management
$MDS_FWDIR/scripts/solr_start.sh script may fail to start Solr Cure if sk123417 is applied.
PRJ-16876,
PRHF-12879
Security Management
In some scenarios, sessions that were opened for third parties or automatic scripts that use the Management API remain open. Refer to sk169072.
PRJ-11704,
PRHF-9017
Security Management
The Purge Revisions operation may not clean deleted objects of previous revisions.
PRJ-14297,
PRHF-11704
Security Management
In rare scenarios, High Availability sync fails with "NGM failed to import data" error after the user deletes a Permission Role.
PRJ-13463,
PMTR-54975
Security Management
In rare scenarios, Install Policy Presets are not triggered.
PRJ-14492,
SMCUPG-1384
Security Management
In some scenarios, migrating two different Security Management Servers to domains in the same Multi-Domain Management Server fails.
PRJ-13919,
MCFG-242
Security Management
In some scenarios, exporting the Security Management Server in order to migrate it to a Domain in a Multi-Domain environment fails.
PRJ-13613,
PRHF-11300
Security Management
In rare scenarios, the "where-used" API command fails with "Management server failed to execute command" error.
PRJ-13727,
PMTR-55574
Multi-Domain Management
NEW:
- Global object deletion will be blocked if the object is used in Domains on the Multi-Domain Server.
- The "Unused Objects" filter in the Global Domain will show objects only if not used by all of the Domains on the Multi-Domain Server.
PRJ-14455,
PRHF-11940
Multi-Domain Management
Policies may disappear from the Global Domain Assignments view after running the Solr Cure utility. Refer to sk168060.
PRJ-15720,
PRHF-12271
Multi-Domain Management
When the user attempts to add/change the Leading Interface through mdsconfig, it may fail with the "no external interfaces found on this machine" error. Refer to sk168319.
PRJ-16427,
PMTR-58559
Multi-Domain Management
Management HA incremental synchronization may break on the MDS level with "failed to import data" error message due to an operation related to the Compliance Blade.
PRJ-16438,
PRHF-12236
Multi-Domain Management
After upgrading a Multi-Domain Management Server, the object version of the Domain Management Servers or Domain Log Servers in the MDS SmartConsole may not have changed.
PRJ-17307,
PMTR-59799
Multi-Domain Management
In rare scenarios, the FWM process may unexpectedly exit and fail the Multi-Domain Management server upgrade.
PRJ-15972,
PRHF-10916
SmartConsole
Global Policy reassign in MDS may fail with "An internal error has occurred" message after adding overrides to Snort protections.
PRJ-15372,
PMTR-57065
SmartConsole
The user may not be able to delete objects that are referenced by a previously deleted policy. Refer to sk122954.
PRJ-16091,
PMTR-55032
SmartConsole
The "Get Interfaces" operation fails when an admin creates a new cluster and decides to remove one of the members before selecting "Get Interfaces".
PRJ-13906,
PMTR-54935
SmartConsole
In some scenarios, when working with older applications like SmartView or SmartProvisioning, the admin count in SmartConsole presents an incorrect number of connected admins.
PRJ-16342,
PMTR-58390
SmartConsole
Setting or creating HTTPS layer (add-https-layer) with the "shared" parameter using the API may fail with the "Unrecognized parameter [shared]" error.
PRJ-12855,
PRHF-10453
SmartConsole
Hit count data may not be deleted automatically.
PRJ-13456,
PRHF-10952
SmartConsole
In some scenarios, Management API commands with "details-level":"full" Payload return a truncated output and fail to complete. Refer to sk170414.
PRJ-15482,
PMTR-39061
SmartProvisioning
In some scenarios, when the user installs policy on R77.30 Central Office Security Gateway from Management version R80 and higher, VPN tunnels may be dropped for LSM Gateways.
PRJ-13171,
PRHF-9994
Compliance
Compliance Partial Scans in Multi-Domain environments using Global Policies may lead to SmartConsole freeze or long publish times. Refer to sk170562.
PRJ-13562,
PMTR-53242
Logging
In rare scenarios, the evstop script does not stop all logging processes. As a result, upgrade procedures may hang and show no progress.
PRJ-14357,
SL-4323
SmartView
In SmartView, when the user sends a generated report via email in a language with non-standard English letters (Accented, Cyrillic, Chinese, Japanese, etc), some of the text may appear as question marks (?).
PRJ-14362,
PMTR-54723
SmartView
In SmartView, the icon is missing from the cover page of Compliance and Content Awareness PDF reports.
PRJ-12208,
PMTR-52793
Security Gateway
UPDATE: Added the latest fixes and security improvements to OpenSSL.
PRJ-16624,
PMTR-58538
Security Gateway
Updated Dynamic Balancing Clish commands. Refer to sk164155.
PRJ-16995,
PMTR-59154
Security Gateway
In some scenarios, Dynamic Balancing is unable to configure the MQ setting for some interfaces.
PRJ-16401,
PRHF-12631
Security Gateway
When using Management Data Plane Separation (MDPS), a scheduled backup may fail.
PRJ-14126,
PMTR-56181
Security Gateway
In some scenarios, compilation errors during policy installation are ignored instead of immediately failing the policy. This may cause drops on the Security Gateway.
PRJ-14634,
PRHF-12058
Security Gateway
In rare scenarios, Security Gateway memory consumption may increase.
PRJ-15633,
PMTR-57462
Security Gateway
In a rare scenario, the Security Gateway may crash due to a NULL pointer reference.
PRJ-13346,
PRHF-8408
Security Gateway
In a rare scenario, the FWD process opens connections to port 111.
PRJ-13888,
PRHF-9759
Security Gateway
An interface name with more than 15 characters may cause the policy installation to fail. Refer to sk167955.
PRJ-15841,
PRHF-12221
Security Gateway
The ICAP block page displays the virus name as "Unknown" instead of the virus name as it appears in the logs.
PRJ-16406,
PRHF-12305
Security Gateway
In some scenarios, when VPN blade or ISP Redundancy are used, traffic may be routed to the wrong interface. Refer to sk168881.
PRJ-16159,
PMTR-58124
Security Gateway
In a rare scenario, Security Gateway may crash after policy installation.
PRJ-12947,
PRHF-10972
Security Gateway
After policy installation, the output of the "cphaprob stat" command may show "HA module not started" when a large number of non-monitored Cluster interfaces are configured in SmartConsole.
- This fix adds support for multiple non-monitored interfaces in SmartConsole.
PRJ-15771,
PMTR-57606
Security Gateway
In some scenarios, DNS protections configured on inspection settings may not be enforced.
PRJ-14449,
PMTR-10041
Security Gateway
In some scenarios, a large number of interfaces defined on the Security Gateway may cause high CPU utilization by the CPD process. Refer to sk168674.
PRJ-9849,
PRHF-7150
Security Gateway
In some scenarios, SCCP traffic may be dropped by the Security Gateway. Refer to sk108124.
PRJ-17223,
PMTR-59359
Security Gateway
Enabling both Dynamic Balancing and MDPS causes Dynamic Balancing to stop.
PRJ-17097,
PMTR-59478
Security Gateway
In rare scenarios, Dynamic Balancing fails to start after boot due to state verification failure.
PRJ-15849,
PMTR-57739
Security Gateway
SXL drops may occur due to routing configuration when using a security zone on a bridge (Layer 2).
PRJ-17421,
PMTR-54539
Threat Emulation,
Security Gateway
In a rare scenario, Threat Emulation and 2 core appliances may freeze. Refer to sk169575.
PRJ-16107,
PRHF-12463
URL Filtering
In some scenarios, there may be sporadic connectivity issues in the Anti-Malware/URLF service (RAD).
PRJ-15689,
PRHF-12067
HTTPS Inspection
In some scenarios, web traffic may be blocked with "Content Awareness - Error: Internal system error (1000)" error log.
PRJ-14543,
PMTR-56472
HTTPS Inspection
In some scenarios, a CRL timeout may occur, which may cause slowness in HTTPS Inspection. Refer to sk169876.
PRJ-15800,
PMTR-57645
IPS
In some scenarios, invalid characters are sent to gw-stat report.
PRJ-15581,
PRHF-9645
Application Control
In some scenarios, deprecated applications are not removed/replaced during an upgrade from R77.30 to R80.x. Refer to sk131372.
PRJ-11730,
PMTR-52415
Anti-Malware
In some scenarios, custom intelligence feeds with URL encoding characters may not be parsed correctly. Refer to sk168077.
PRJ-14067,
AVIR-1090
Anti-Malware
In rare scenarios, Security Gateway may crash due to memory allocation failure.
PRJ-16500,
PMTR-58709
Anti-Malware
In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606).
PRJ-15540,
PMTR-54954
Mobile Access
Mobile Access Secure Workspace feature does not work with SAML/IDP-based authentication when running Secure Workspace is optional.
PRJ-14652,
PMTR-56622
Mobile Access
The Mobile Access Blade's portal dialog for editing web application SSO credentials may not work correctly.
PRJ-16998,
PRJ-16965
Mobile Access
Mobile Access portal may become unresponsive after Jumbo Hotfix uninstallation. Refer to sk169152.
PRJ-17446
Mobile Access
Mobile Access Blade may fail to install on VSX environments due to a missing configuration file.
PRJ-16681,
PRHF-12714
SecureXL
In a rare scenario, the Security Gateway may crash when receiving packets from an MDPS management interface.
PRJ-14463,
PRHF-4457
SecureXL
In a rare scenario, the Security Gateway may crash when deleting certain non-TCP connections.
PRJ-10498,
PMTR-50926
SecureXL
In some scenarios, SecureXL makes an offload decision to not accelerate multicast traffic for route-based VPN.
PRJ-15902,
PRHF-12374
SecureXL
An asymmetric routing issue may occur between a Virtual System and a Virtual Switch/Router.
PRJ-15485,
PMTR-54930
Routing
BGP fails to establish with high MTU setting on Gaia 3.10.
PRJ-15393,
PRHF-11950
Routing
A TCP connection between cluster master and slave may flap when OSPF attempts to delete a non-MaxAge LSA.
PRJ-16575,
SPC-3089
Routing
In some scenarios, the routed daemon may unexpectedly exit with BGP.
PRJ-14407,
PMTR-54728
VPN
Connectivity improvements for Remote Access VPN with L2TP.
PRJ-15534,
PMTR-56073
VPN
The "vpn tu tlist" command shows the wrong number of clients connected in Visitor mode.
PRJ-10953,
PRHF-8923
VPN
In some scenarios, VPN tunnel connection is dropped with "no MSA for MSPI" error. Refer to sk167393.
PRJ-15331,
VPNRA-379
VPN
In some scenarios, Remote Access VPN traffic may be dropped when XFF is enabled.
PRJ-15322,
PMTR-48973
VPN
In some scenarios, using LS/HA mode on a VPN tunnel may cause packets to be dropped. Refer to sk160612.
PRJ-14576,
PMTR-54771
VPN
IP compression may not work in some scenarios when IKEv2 is configured.
PRJ-15622,
PMTR-57459
VPN
Access Roles with MAB SNX as the client type may not work.
PRJ-11052,
PRHF-7972
VPN
Improved NAT Detection with 3rd party peers in IKEv1 and IKEv2. Refer to sk165003.
PRJ-16211,
VPNRA-469
VPN
Stability improvement for Remote Access VPN.
PRJ-15467,
PMTR-46467
VPN
When IKEv2 is configured, traffic that originated from the DAIP external interface may fail to pass.
PRJ-15838,
PMTR-40895
VPN
When a Gateway does not recognize the SPI, it sometimes sends the "Invalid SPI" notification in the clear. As a result, the peer may ignore it, resulting in an outage.
PRJ-16015,
PMTR-55514
VPN
In rare scenarios, Remote Access clients may not be able to re-connect after a failover.
PRJ-15996,
PRHF-11856
Gaia OS
NEW: Added Multi-Queue (MQ) support for Sync interface.
PRJ-14591,
PRHF-12060
Gaia OS
Reduced the logging of vague messages when the user adds a known host in Clish.
PRJ-12864,
PMTR-51379
Gaia OS
Creating LOM users for Smart-1 525/625/5050/5150 appliances may fail if the username length is shorter than 4 characters.
PRJ-11861,
PRHF-9702
Gaia OS
It is not allowed to create usernames with reserved words, such as 'eval', 'apply' etc., in the middle of the username in WebUI. Refer to sk170681.
PRJ-11994,
PRHF-10312
Gaia OS
In rare scenarios, a snapshot creation may fail.
PRJ-12741,
PMTR-51157
Gaia OS
Restore backup may fail due to unmatched upgrade tools.
PRJ-17321,
PMTR-58887
Gaia OS
Certain Clish commands, like "show interfaces all", may cause confd to crash. Refer to sk170324.
PRJ-16922,
PRHF-12593
Gaia OS
In a rare scenario, the "Allowed-clients" feature does not work as expected for SSH.
PRJ-13942,
PRHF-11368
Gaia OS
In some scenarios, when the RADIUS user enables bash logging (as per sk99134) and moves to expert mode, the username in the log files appears as admin instead of RADIUS.
PRJ-16080,
PMTR-57581
Gaia OS
In some scenarios, when the user tries to return to the factory default, the machine reverts to a different snapshot.
PRJ-16567,
PRHF-12526
Gaia OS
In the Management Data Plane Separation (MDPS) environment, the output for the "show asset network" command may not report some line cards if they have mixed management/data plane interfaces.
PRJ-10079,
PMTR-50675
Gaia OS
When enlarging the partition via lvm_manager from a small partition to a larger partition, the user may reach an internal filesystem settings limit. As a result, some filesystem monitoring commands unexpectedly exit. Refer to sk165258.
PRJ-15861,
PMTR-57779
Gaia OS
The "Error I40E_AQ_RC_EINVAL adding RX filters on PF" error may appear during i40e driver operation, and the RSS key may be reset during certain driver operations.
PRJ-11130,
PMTR-51775
Gaia OS
Setting LACP rate does not survive a reboot on Gaia 3.10.
PRJ-15600,
PRHF-11404
Endpoint Security
Gaia backup with Endpoint Management may miss some information from the Endpoint database. Refer to sk168062.
PRJ-16474,
PRHF-11087
Endpoint Security
"An unexpected error occurred" message may appear when the user clicks on 'View Current Status' in SmartEndpoint's 'Overview' tab. Refer to sk167176.
PRJ-15423,
PMTR-57126
CloudGuard Network
NEW: Added support for VMware vCenter version 7 to CloudGuard Controller.
PRJ-12838,
PMTR-53868
CloudGuard Network
NEW: Added new AWS regions af-south-1, ap-northeast-3, and eu-south-1.
PRJ-16019,
PRHF-12425
CloudGuard Network
In some scenarios, CloudGuard Controller may lose connection to GCP projects. Refer to sk168499.
PRJ-16254,
PRHF-12538
CloudGuard Network
Scanning of a GCP Data Center may fail when an instance does not have disks.
PRJ-12185,
VSECC-1293
CloudGuard Network
CloudGuard Controller may sometimes update the Standby cluster member in VSLS mode.
PRJ-16223,
PRHF-12510
CloudGuard Network
Azure Data Center scan may fail and no updates are sent to the Security Gateway.
PRJ-15355,
STRM-152
QoS
In some scenarios, QoS Policy installation fails with the following message: "Error - QoS Policy does not apply to any network interface. Please edit your Network Object and check the interfaces you wish to install on" when policy is defined properly on the interface.