Take 92
Released on 31 January 2021
PRJ-19892,
PMTR-62429
Security Management
NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally.
PRJ-19544,
ODU-73
Security Management
NEW: Added Update 6 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.
PRJ-20164,
ODU-76
Security Management
NEW: Added Update 7 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.
PRJ-20000,
PRHF-14293
Security Management
UPDATE: Added improvements to the policy load process to reduce the policy installation time when there is a large number of objects.
PRJ-13465
Security Management
UPDATE: If Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours.
PRJ-17728,
PRHF-13278
Security Management
Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name.
PRJ-19273,
PRHF-14074
Security Management
Policy installation duration may increase due to a large $FWDIR/conf/invalid_object_names.C file on the Management server. Refer to sk170427.
PRJ-18475,
PRHF-13644
Security Management
In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process.
PRJ-19951,
PRHF-14394
Security Management
The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds.
PRJ-18898,
PRHF-13860
Security Management
Policy installation may fail after migration from Domain Management to Security Management Server.
PRJ-20112,
PMTR-60541
Security Management
In a rare scenario, the FWM process unexpectedly exits.
PRJ-17213,
PRHF-12851
Multi-Domain Management
UPDATE: With this fix, mds_backup will backup the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server.
PRJ-19277,
PRHF-13977
Multi-Domain Management
In rare scenarios, Management server becomes inaccessible after Global Policy reassign operation.
PRJ-17562,
PRHF-12885
Multi-Domain Management
In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server.
PRJ-20247,
PMTR-62490
SmartConsole
UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once).
PRJ-20147,
PRJ-20145
SmartConsole
SmartConsole may disconnect when searching in the Object Explorer for text with an odd number of double quotes.
PRJ-19534,
PMTR-62078
SmartConsole
In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect.
PRJ-18884,
PRHF-13818
SmartConsole
Setting values for the environment variables of the Management API as per sk165938 does not work: the values are neither loaded nor used by the API process.
PRJ-13808,
PRJ-13810
SmartConsole
In some scenarios, the Administrators view shows all administrators in all domains regardless of the specific permission profile of the connected administrator.
PRJ-15854,
PMTR-56428
SmartConsole
In rare scenarios, Web Components in SmartConsole such as "Revert to Revision" or "Packages Repository" fail to load.
PRJ-13123,
PRHF-11105
SmartConsole
In some scenarios, the "Update operation failed" error is displayed when attempting to delete a Gateway from the VPN community. Refer to sk167212.
PRJ-13813,
PMTR-19017
SmartConsole
In some scenarios, when the user attempts to delete a VSX Gateway / VSX Cluster, an error message may appear and the operation may not be completed successfully. Refer to sk167492.
- Requires R80.40 SmartConsole Build 416 (or higher).
PRJ-20380,
PMTR-62935
SmartConsole
Adding Global dynamic objects to source or destination columns of access rules on the Global Domain via Management API may fail when using the Global dynamic object names.
PRJ-19833,
PMTR-50205
SmartConsole
The "show objects" command returns all objects in Global domain with any filter when "ip-only" flag is set to "true".
PRJ-17994,
SL-2106
Logging
NEW:
- Log Exporter can now schedule a recurring reconnection to the target 3rd party server periodically. This allows usage of a Load Balancer component for target servers.
- The target 3rd party server can be declared as a DNS name also when using UDP protocol.
PRJ-14289,
SL-1901
Logging
UPDATE: Added the ability for the SOLR process running on the Log server to prevent TLS 1.1 and below on port 8211. Refer to sk168472.
PRJ-19716,
PMTR-53967
Logging
When installing a newer Jumbo Hotfix, the Log Exporter filtering configuration may not persist and may be reset to default.
PRJ-16176,
PMTR-55550
Logging
In some scenarios, the cpsemd process on the Log server may close unexpectedly during a restart, shutdown or upgrade.
PRJ-19845,
PMTR-62010
SmartView
UPDATE: Improved the usability of the time resolutions (formerly known as samples) of the Timeline widgets.
PRJ-19858,
PMTR-57101
Security Gateway
NEW: Added a performance improvement when IP Pool NAT is used.
PRJ-11790,
AVIR-479
Security Gateway
False "alert" logs may be displayed in some Anti-Spam events.
PRJ-20515,
PRHF-14630
Security Gateway
In some scenarios, when using routing separation, connection to Management Plane via Data Plane is dropped.
PRJ-18630,
PRHF-11912
Security Gateway
Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992.
PRJ-19941,
PMTR-61708
Security Gateway
In some scenarios, policy installation fails with "Error code 1-2000245".
PRJ-20057,
PMTR-62886,
PRJ-20058,
PMTR-62887,
PRJ-20058
Security Gateway
In rare scenarios, a Security Gateway memory consumption may increase.
PRJ-19161,
TEX-1482
Threat Extraction
UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable.
To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy.
PRJ-13175,
PMTR-53443
Identity Awareness
UPDATE: Optimized memory usage in the PDP process's LDAP operations.
PRJ-19749,
PRHF-14338
Identity Awareness
In some scenarios, the Security Gateway may not recognize an IP address as a local address, resulting in wrong drops.
PRJ-19639,
PMTR-61982
Identity Awareness
In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process.
PRJ-18180,
MBS-12220
URL Filtering
In some scenarios, the wstlsd process may unexpectedly exit and produce a core dump.
PRJ-13499,
PRHF-10943
IPS
In some scenarios, non-compliant IMAP traffic is dropped.
PRJ-19300,
PRHF-13560
IPS
In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs.
PRJ-19922,
PRHF-14156
DLP
UPDATE: Expanded DLP postfix authentication to include NTLM, to allow the Security Gateway to connect to mail servers that use the NTLM authentication protocol.
PRJ-19598,
PRHF-14259
DLP
UPDATE: Improved the DLP scans queue for a better scan rate.
PRJ-18987,
PMTR-59795
DLP
In a rare scenario, "SEC Filings - Draft or Recent" Data Type in DLP is not properly enforced.
PRJ-19744,
PRHF-13998
Anti-Bot
Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure.
PRJ-17375,
PMTR-56403
Anti-Malware
NEW: Enable the option to inspect files running through SSH protocol with Threat Emulation blade.
PRJ-16623,
PRHF-12737
Anti-Malware
Indicator feeds exported with the "ioc_feeds export" command may contain user credentials. Refer to sk169035.
PRJ-17599,
PMTR-60017
Anti-Malware
Files transferred with SMBv3 multi-channel may be improperly handled.
PRJ-15223,
PMTR-54248
Anti-Malware
In a rare scenario, HTTP connections time out.
PRJ-17843,
PMTR-58416
Anti-Malware
In some scenarios, Threat Prevention logs appear half-full (not unified).
PRJ-9945,
PRHF-8315
Anti-Malware
In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway.
PRJ-18123,
PMTR-60801
Anti-Malware
In some scenarios, a Threat Prevention policy installation fails after upgrade if the Custom Intelligence Feeds feature is enabled with Hash IOCs.
PRJ-17320,
PMTR-59463
Anti-Malware
In some scenarios, files bigger than 4GB cannot be downloaded with HTTP-206 flow.
PRJ-17326,
PRHF-13031
Mobile Access
Remote access connectivity fails when the user belongs to a number of groups that exceeds the limited available space (~200 groups).
PRJ-14941,
PMTR-56844
SecureXL
UPDATE: The "fwaccel dos blacklist" and "fwaccel dos whitelist" commands are deprecated and replaced by "fwaccel dos deny" and "fwaccel dos allow". Refer to sk112454.
PRJ-20027,
PRHF-14228
SecureXL
Server may not reuse the TCP connection when the user allows out of state TCP packets.
PRJ-20050,
PRHF-14165
SecureXL
Memory leak may appear in VPN or Active Streaming configuration.
PRJ-18085,
PRHF-13507
SecureXL
SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132.
PRJ-20055,
PRHF-14417
SecureXL
In rare scenarios, SecureXL may crash due to NULL handling.
PRJ-18279,
PMTR-56203
Routing
UPDATE: Updated PBR and ABR functionality for the "Software Blades and related components" feature. Refer to sk167135.
PRJ-18280,
PMTR-58528
Routing
Certain types of multicast traffic may not be handled correctly in Bridge mode.
PRJ-19463,
PMTR-60878
Routing
Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works.
PRJ-20048,
PRHF-14304
Routing
In some scenarios, a large number of unnecessary log messages may be sent to the /var/log/messages file, which makes it difficult to run debug. Refer to sk170796.
PRJ-18664,
PMTR-61601
Routing
PBR does not work with VTI/VPN.
PRJ-20444,
ROUT-1325
Routing
The old route may not be removed when a BGP ECMP route is changed.
PRJ-20439,
PMTR-45014
Routing
ECMP route nexthops learned from BGP peers may not be properly updated in the kernel, resulting in network connectivity loss.
PRJ-20242,
PRHF-14562
Routing
In rare scenarios, confd or routed process may restart.
PRJ-20598,
PRHF-14400
VoIP
VoIP RTP can cause overload on global instance (CoreXL instance 0).
PRJ-18772,
PMTR-61381
VPN
NEW: Added Remote Access VPN performance improvement.
PRJ-18788,
PMTR-60976,
PRJ-19674,
PMTR-62275
VPN
NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2.
PRJ-17487,
PMTR-40127
VPN
NEW: Added Anti-Spoofing functionality for Remote Access Office Mode IPs in SecureXL.
PRJ-16341,
PRHF-12447
VPN
The user may be unable to connect with Remote Access when the username or user field in the certificate is too long.
PRJ-21086,
PMTR-60933
VPN
"Decryption failed" drop logs may appear under heavy VPN load for accelerated tunnels using SHA 384 or SHA 512 Ciphers.
PRJ-20333,
PMTR-62776
VPN
Security gateway may crash when you install policy on a MAB gateway and a policy file is corrupted.
PRJ-20275,
PRHF-14308
VPN
In a rare scenario, a memory leak may appear when RASession_util is active.
PRJ-19671,
PMTR-61913
VPN
In some scenarios, Remote Access Endpoint client disconnects after roaming from Visitor Mode to NAT-T.
PRJ-21682,
PRHF-15321
VPN
When IKEv2 and pre-shared-key is configured, VPN may fail on the second IKE SA re-key. Refer to sk171756.
PRJ-19531,
PRJ-19562
Gaia OS
NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix.
PRJ-20471,
PRHF-14653
Gaia OS
In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object).
Refer to sk171055 to configure the required parameter FORCE_NATTED_IP.
PRJ-17719,
PRHF-13075
Gaia OS
In some scenarios, when one of the sessions of RADIUS users terminates, another session can lose permission.
PRJ-20943,
PMTR-63343
Gaia OS
Upgrade process may fail due to a corrupted sic_local_cert.p12 certificate. Refer to sk171253.
PRJ-18610,
PMTR-60804
Gaia OS
Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled.
PRJ-18503,
PMTR-60820
VSX
UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903.
PRJ-17831,
PMTR-53549
VSX
VSX VSLS Cluster with 3 Members may fail to connect to Identity Collector. Refer to sk170836.
PRJ-16457,
PRHF-12691
VoIP
SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373.
PRJ-19133,
PRHF-13981
Endpoint Security
NEW: Integrated support for Endpoint Anti-Malware E2 signatures updater.
PRJ-19726,
PRHF-14269
Endpoint Security
After changing Full Disk Encryption to BitLocker in the SmartEndpoint FDE policy, login to the Windows machine with the Endpoint client says "This account is disabled". Refer to sk170655.