This article is divided into two sections:
This article will be updated if new issues are identified post-release, or if additional information becomes available.
| Version | Released | Release Notes |
|---|---|---|
| 6.10.15 | May 23, 2024 | SMC61015RN SMCA61015RN |
| 6.10.14 | February 22, 2024 March 6, 2024 | SMC61014RN SMCA61014RN |
| 6.10.13 | November 9, 2023 November 14, 2023 | SMC61013RN SMCA61013RN |
| 6.10.12 | July 6, 2023 July 17, 2023 | SMC61012RN SMCA61012RN |
| 6.10.11 | May 25, 2023 June 15, 2023 | SMC61011RN SMCA61011RN |
| 6.10.10 | February 8, 2023 April 26, 2023 | SMC61010RN SMCA61010RN |
| 6.10.9 | March 8, 2023 March 15, 2023 | SMC6109RN SMCA6109RN |
| 6.10.8 | October 13, 2022 | SMC6108RN |
| 6.10.7 | March 24, 2022 | SMC6107RN |
| 6.10.6 | February 24, 2022 | SMC6106RN |
| 6.10.5 | December 27, 2021 | SMC6105RN |
| 6.10.4 | March 30, 2022 January 5, 2023 | SMC6104RN SMCA6104RN |
| 6.10.3 | October 28, 2021 | SMC6103RN |
| 6.10.2 | July 29, 2021 | SMC6102RN |
| 6.10.1 | October 20.2021 | SMC6101RN |
| 6.10.0 | May 17, 2021 | SMC6100RN |
Known Issues:
CRITICAL: There are no critical issues at this time.
Non-critical:
| Reference Number | Issue Description |
|---|---|
| SMC-51978 | Issue: Automatic download of Engine Upgrades or Dynamic Updates might fail. Solution: Dynamic Update 1682 adjusts timeout for contacting Forcepoint servers. |
| SMC-50825 | Issue: SMC Appliance hostname cannot be changed. |
| SMC-50425 | Issue: The Multi-Link element does not display all the options, when using the installed Management Client on Linux. |
| SMC-50173 | Issue: A Policy install fails with the error message that states, Incorrect parameters: No types found, when configuration refers to an empty group inside other network element. |
| SMC-48922 | Issue: An Element based NAT cannot be used with a FQDN defined element. The Error message on policy installation does not point to the element that causes the issue. |
| SMC-48051 | Issue: Wrong user is shown as creator of policy rules in the Info/History tab when selecting a policy rule ID or its properties. Solution: This issue has been resolved in SMC version 7.0.2. |
| SMC-47955 | Issue: Pending change is not created from route-based VPN tunnel add, deletion, or change. Solution: This issue has been resolved in SMC version 7.0.2. |
| SMC-47717 | Issue: The Top Bandwidth by Application for Home View widget in the User dashboard is empty. Solution: This issue has been resolved in SMC version 7.0.2. |
| SMC-47712 | Issue: SMC servers diagnostics considers it as a IP address conflict, if multiple log servers are configured to use a same IP address but different ports. |
| SMC-47455 | Issue: TLS Certificate revocation check fails if the first revocation method is not supported even if the certificate indicates a supported revocation method. |
| SMC-45786 | Issue: Using SMC API, the Distinguished Name cannot be set as VPN endpoint Phase-1 ID. |
| SMC-44307 | Issue: Automatic node certificate renewal might trigger new certificate creation daily in certain conditions. Solution: This issue has been resolved in SMC version 7.0.0. |
| SMC-43390 | Issue: Remote upgrade on cluster level might lead to upgrade happening too early for the second node. Workaround: Run the upgrade software command for one node at a time. Solution: This issue has been resolved in SMC version 7.0.0. |
| SMC-41167 | Issue: When there are several report designs that are open for editing at the same time, then saving one of them will reset the changes on other designs. |
| SMC-40175 | Issue: When same name is used for Network Application and URL List Application element it may prevent policy snapshot restore. Solution: This issue has been resolved in SMC version 7.0.0. |
| SMC-39961 | Issue: Applying filter to search user domain might take a long time and may freeze the Management Client in big user domains. Solution: This issue has been resolved in SMC version 7.0.0. |
| SMC-38244 | Issue: Expression element with IP address list does not work correctly on VPN site definitions. For more details, see Knowledge Base article 38565. |
| SMC-37416 | Issue: It is not possible to specify some valid country-specific channels for wireless interfaces. Solution: This issue has been resolved in SMC version 6.11.0. |
| SMC-37385 | Issue: Backlash character "\" is not displayed when included in VPN pre-shared key. Solution: This issue has been resolved in SMC version 6.11.0. |
The following issues are all addressed in the latest version SMC 6.10.15, which is available from the Downloads site.
6.10.15 build 11200
6.10.14 build 11198
| Reference Number | Issue Description |
|---|---|
| SMC-52032 | Issue: Restart of Management Server will cause Web Portal Server policy section to stop update. Workaround: Restart Web Portal Server service. |
| SMC-51896 | Issue: Running report with the option One Report per Sender will cause too much memory consumption when there are hundreds of log senders. |
| SMC-51804 | Issue: When IP Addresses are added to the middle of a list rather than to the start or end of a list, the generated audit log details are incorrect. |
| SMC-51751 | Issue: Lock the Management Client window function does not work on Web Access client when connected to standby Management Server. When connected to active Management Server window content is hidden, but expanding window exposes some client content. |
| SMC-51715 | Issue: Policy installation might fail when VPN gateway endpoint Phase-1 ID is configured as Distinguished Name. |
| SMC-51620 | Issue: SMC API login fails for clients with only Viewer role rights. Workaround: Manage Administrators permission is required for API client. |
| SMC-51616 | Issue: Firewall element cannot be deleted if it has VPN site including group element. |
| SMC-51605 | Issue: An administrative domain deletion fails when the domain includes engine element with SSL VPN Portal or ECA configuration. |
| SMC-51565 | Issue: When Virtual Engine policies are refreshed individually, the abort of one policy install might prevent all further policies from refreshing for the same Master Engine. |
| SMC-51483 | Issue: Policy snapshot fails to open when Layer 2 Firewall policy has a rule including firewall element itself. |
| SMC-51455 | Issue: SMC API SNMP Location can be set only on cluster level, not for individual nodes. |
| SMC-51294 | Issue: IP Prefix List and IP Access List elements might not be able to delete. |
| SMC-51225 | Issue: Java process remains running if Management Client is closed from the taskbar view. |
| SMC-51196 | Issue: Database error is shown when removing loopback interface used in DNS relay. Workaround: Remove DNS setting before referring to loopback interface. |
| SMC-50070 | Issue: When the License view has several license files for the same POL, state of all licenses are determined as per the first license. Workaround: Delete the expired and the unneeded licenses from the license view. |
| SMC-49743 | Issue: Editing route map elements with custom administrator role fails. Superuser can however edit and save the route map. |
6.10.13 build 11196
| Reference Number | Issue Description |
|---|---|
| SMC-51060 | Issue: For remote upgrade tasks the Management Server cannot be configured to run a task in parallel for more than 5 NGFW nodes. Resolution: For more details see KB 33323. |
| SMC-51045 | Issue: On different Management Clients, the Task History might show different number of tasks. |
| SMC-50995 | Issue: Exporting a CSV File option in Licenses view does not include all details for unlicensed engines. |
| SMC-50994 | Issue: System host element IPv6 DHCPv6 Multicast Address is broken. Resolution: Fixed on Dynamic Update 1646. |
| SMC-50856 | Issue: In SMC HA setup restart of the active server eventually leads to replication error. |
| SMC-50814 | Issue: Unable to generate sginfo output on SMC Appliance. |
| SMC-50811 | Issue: Audit log filters cannot be edited using SMC API. |
| SMC-50768 | Issue: Setting the Log Server Log Spooling Policy as Stop Traffic, disables the settings for Log Compression. Administrators can no longer edit compression settings. |
| SMC-50690 | Issue: The Log Server running on Red Hat Enterprise Linux performing log forwarding might itself appear as green, but nodes sending logs to it appear as red. This situation resolves by log service restart, but reoccurs. Workaround: Do the following: 1. Edit the <installation folder>/bin/sgStartLogSrv.sh file. 2. In the function memory_allocator, add "rhel" to the list of distribution in the case loop: case "$distro" in centos|red\ hat*|fedora|rhel) #"Red Hat-like Linux distribution" export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-2} ;; 3. Restart Log Server service. |
| SMC-50581 | Issue: When a new Management Client for the first time connects to a SMC, it cannot display logs details in the Logs view. |
| SMC-50533 | Issue: Export MSSP Report might fail due to validation of information in some columns. |
| SMC-50486 | Issue: Log filtering might return result of no matching logs found even when there are logs available in the setup with large log volume and with multiple log servers queried. Workaround: Click the Go to the last log record or Go to the first log record button in toolbar. |
| SMC-50183 | Issue: An administrator without Manage Reports permission is able to preview, open, or edit reports and designs. But cannot save any changes that are made. |
| SMC-50162 | Issue: The SMC HA replication status might be displayed as ok even if the incremental replication is not taking place. |
| SMC-50142 | Log Server Log Storage Full default action is changed to Overwrite oldest from Stop receiving. This change only affects new Log Servers. |
| SMC-50110 | Issue: In administrative domain setup, the Move to Domain option for the Route-Based VPN element does not work as intended. |
| SMC-49958 | Issue: The Pending Changes widget might show incorrect number of changes if policy install is aborted or any changes are done at the same time during policy upload. |
| SMC-49944 | Issue: SMC installer might hang during upgrade while updating java time zone. This might occur on some Linux platforms. Workaround: Contact Technical Support for workaround. |
| SMC-49932 | Issue: Web Access might stop listening for Management Server IP address. Workaround: Enter IP on Listen only on Address field in Web Access settings. |
| SMC-49893 | Issue: Licenses view Export as CSV File is slow and on big environments misses data on output. |
| SMC-49397 | Issue: Search for QoS class might give database error when QoS class is referenced in Route-Based VPN. |
| SMC-48931 | Issue: In administrative domain setup, Info view on Master Engine might show <Unknown> for some of the Virtual Engine names. |
| SMC-48707 | Issue: During the policy installation, it can sometimes take longer or sometimes progress can stall when calculating how many pending changes are cleared and how many pending changes remain. Workaround: Contact Technical Support. |
6.10.12 build 11192
| Reference Number | Issue Description |
|---|---|
| SMC-50110 | Issue: In administrative domain setup, the Move to Domain option for the Route-Based VPN element does not work as intended. |
| SMC-49807 | Issue: The appliance name and POS are inconsistent between Info view and MSSP CSV exported report. |
| SMC-49795 | Issue: In bigger SMC setups, during upgrade when many log servers still run older versions of the software, connection trials from these log servers might block Management Client logins. However, web access logins are not affected. |
| SMC-49729 | Issue: Importing URL List Application creates corrupt elements. |
| SMC-49554 | Issue: Log Server does not connect to the new active server after a switchover from standby to active. Workaround: Restart the Log Server service. |
| SMC-49502 | General improvements to the policy building process for better performance and scalability. |
| SMC-49469 | Issue: When sgInfo is downloaded from the engine via SMC GUI with option "Destination path" -> "Local workstation" the upload to the local workstation may fail with page not found. For more details, see Knowledge Base article 41844. |
| SMC-46929 | Issue: Pending Change blue bubble might show more pending changes in the Home view >> tree view than on the Pending Changes widget |
6.10.11 build 11190
| Reference Number | Issue Description |
|---|---|
| SMC-49473 | In SMC HA setup alert is generated if incremental replication fails. |
| SMC-49463 | Issue: Management Client might freeze for a while during LDAP replication update to the Internal Domain users. |
| SMC-49400 | Issue: Trash cannot be emptied when it contains both networks and policy snapshots. |
| SMC-49373 | Issue: Expressions that use both union and negation cannot be managed through SMC API. |
| SMC-49352 | Issue: In 2023 Mexico stopped using DST, while Egypt started using it. SMC is not up to date with these changes. For more details, see KB 41746. |
| SMC-49304 | Issue: Adding same block list through SMC API to several firewalls can be detected as a duplicate action and hence rejected. Workaround: Use short wait time between similar commands. |
| SMC-48940 | Issue: Log forwarding in CEF format does not include NGFW Engine version. |
| SMC-48871 | Issue: Policy installation might fail with the following error when policy includes element-based NAT: The configuration files sanity check detected an error. The generated configuration files are invalid. Please retry the policy installation. Workaround: For more details and workaround, see KB 41667. |
| SMC-48710 | Issue: Opening Route-Based VPN tunnel from the Engine Editor can display empty view even when tunnel exists once viewed from SD-WAN. |
| SMC-48691 | Issue: Tooltips on NGFW elements are not shown in Home view. |
| SMC-48617 | Issue: After upgrading to SMC 6.10.10, the URL filtering stops working and the Cloud Connection to ThreatSeeker shows the following error SSL peer certificate or SSH remote key was not OK. Workaround: Contact Technical Support. |
| SMC-48597 | Issue: Trying to add a node to a cluster, creates IP address of only the first interface and not others. Also, it is not possible to save properties. |
| SMC-48571 | Issue: In rare cases upon policy upload to multiple NGFW engines of different versions, a rule content might be cleared. |
| SMC-48544 | Issue: Use of custom gateway profile can lead to following VPN validation error: The Gateways have no common IPsec security association granularity setting in their Gateway Profiles. |
| SMC-48540 | Issue: After SMC upgrade the Management Clients might be unable to login to the Management Server while the login still works using web access. This could happen in setups with many Log Servers. |
| SMC-48375 | Issue: Scheduled report might not be sent by email after Management service restart. Manually running the same report works successfully and the report is also emailed. |
| SMC-48357 | Issue: InternalDomain cannot be assigned to more than one internal user. |
| SMC-48352 | Issue: Changing the interface netmask or IP addressing can clear the interface for DHCP relay settings in VPN Client. For more details, see KB 41621. |
| SMC-48328 | Issue: Deleting a network element might lead to database error. Workaround: Contact Forcepoint Technical Support. |
| SMC-48327 | Issue: Import Private Key tool to create TLS Credentials element using an existing private key and certificate fails. Workaround: See more details in KB 41559. |
| SMC-48282 | Issue: Deleting blocklist entry from the dynamic engine fails with error Failed to connect to Reverse DCP <control IP>. Unknown protocol_id: -1. Workaround: For more details and workaround, see KB 41321. |
| SMC-48238 | Issue: When an NGFW Engine element has a reference to a proxy server element with IPv6 address, you cannot view or compare policy snapshots for the NGFW Engine element. |
| SMc-47309 | Issue: Log filtering might not work as expected with Elasticsearch when the filter uses netmask or expressions. |
| SMC-42150 | Issue: Checking SSH Status or changing SSH state for node causes node name to be displayed as Unknown: Id[X, X, X]. |
6.10.10 build 11185
| Reference Number | Issue Description |
|---|---|
| SMC-47911 | Issue: Deleting policy snapshots from the Management Client does not delete them from the database. Workaround: For more details, see KB 37595. |
| SMC-47773 | Issue: On pre-installed Forcepoint appliances, the platform might not be recognized with SMC Appliance installed. |
| SMC-47652 | Issue: Policy routes order is not preserved when restoring policy snapshot. |
| SMC-47647 | Issue: Admin users without create admin permissions to shared domains are able to create admin accounts. However editing new or other administrators is not allowed. |
| SMC-47601 | Issue: Administrator access broke when linking an admin role from a sub-domain to an object in sub-domain. |
| SMC-47488 | Issue: Querying of the route monitoring data for Virtual Engines in parallel, fails through SMC API. |
| SMC-47487 | Issue: Route monitoring through SMC API stops when the Log Server is restarted. |
| SMC-47476 | Issue: The action Delete Old Executed Tasks does not delete tasks in the chronological order. It deletes first failed tasks instead. |
| SMC-47458 | Issue: In Engine Editor Interfaces view, dragging and dropping VLAN from one interface to another keeps the VLAN on the original interface. |
| SMC-47390 | Issue: Custom situation with more than one category causes policy validation to fail. |
| SMC-47339 | Issue: SMC Appliance installer supports installing only from CD-ROM drive, not from a bootable USB flash based storage for example. Workaround: Use USB attached CD-ROM drive and .iso image burned to DVD media. |
| SMC-47307 | Issue: Creating multiple number of blocklist entries can cause the Management Server to run out of memory. |
| SMC-47304 | Issue: Audit History link autogenerates a filter that does not match the audit details. |
| SMC-47287 | Issue: Log statistics items based on NetLinks or cluster do not display information. |
| SMC-47205 | Issue: In the Home view, the Interfaces tab on the Virtual Engine Info pane Master Interface column can disappear. Workaround: Restart the Management Client. |
| SMC-47132 | Issue: When network element included in VPN Site is edited, it is removed from the VPN Site if the Engine Editor is open in edit mode at the same time. |
| SMC-47068 | Issue: In administrative domain setup it is possible to follow steps resulting in InternalDomain empty without option to add users. |
| SMC-46864 | Issue: CVE-2022-40664 and CVE-2022-42920 are addressed on Web Access. |
| SMC-46849 | Issue: Monitoring view might display nothing when NGFW Engine uses backup Log Server even when connection is established between the engine and log server. |
| SMC-46823 | Issue: When editing a rule using drag and drop, the focus reverts to source rule instead of the edited rule. |
| SMC-46787 | Issue: Duplicating firewall with additional VPN gateway creates firewall element with multiple additional VPN gateways. |
| SMC-46760 | Issue: When a firewall element with VPN Broker interface is duplicated, it refers to the original internal VPN gateway element. |
| SMC-46703 | Issue: Expression element cannot be updated using SMC API. |
| SMC-46693 | Issue: Management Client session might freeze for a while after using type-ahead search and immediately changing to a different view. |
| SMC-46635 | Issue: Custom situation, expression and service with protocol elements cannot be updated using the SMC API. |
| SMC-46620 | Issue: In User Monitoring view, Delete option is available for users where Identification Type is User Authentication, FUID, IUID or ECA. However, only authenticated users can be removed. |
| SMC-46599 | Issue: When creating rule from file filtering log entry, Engine policy is selected by default instead of file filtering policy. However, File filtering policy can be manually selected. |
| SMC-46572 | Issue: Adding IP for new interface might fail with the following error message: Incompatible Class. |
| SMC-46558 | Issue: Installation or upgrade does not work on physical SMC Appliance if it is set to FIPS mode. |
| SMC-46556 | Issue: Saving Route-based VPN tunnel might fail with a Database problem error. |
| SMC-46546 | Issue: When Pending Changes feature is disabled on Management Server, policy snapshot creation fails during policy install. For more information on how to disable Pending Changes, see KB33275. |
| SMC-46488 | Issue: Log Server stores correlation policies and receives them on policy install. Issue with Correlation Policy Storage can prevent installing the policy and viewing logs. Workaround: Contact Technical Support for workaround. |
| SMC-46378 | Issue: Save and Refresh options on Engine editor do not save any change on text fields like BBA or SSL VPN port. Workaround: With some additional changes, such as enable and disable some checkboxes, the change is correctly saved. |
| SMC-46374 | Issue: Logged in administrator status might be shown as Idle even during active editing. However, audit log still correctly records actions done by the administrator. |
| SMC-46352 | Issue: Policy validation option Ignore issue type for this rule for a line does not apply for all types of validation and warnings are shown onwards. |
| SMC-46277 | Issue: Pending Changes can continue to show the latest changes, even after the policy installed is failed and later installed successfully. Workaround: Restart management service to clear Pending Changes counter. |
| SMC-46262 | Issue: Policy installation fails when blocklist duration is set to very long. |
| SMC-46207 | Issue: Old NGFW Appliance license details can be visible on SMC, even though it is deleted. |
| SMC-46201 | Issue: SMC HA Administration panel does not display details correctly in administrative domain setup. |
| SMC-46177 | Issue: Management Client Reconnect displays error messages when several tabs are opened on the client. |
| SMC-45250 | Issue: Policy installation is prevented in scenarios where policy-based VPN and route-based VPN in Tunnel mode share the same endpoints. Policy should be prevented only when route-based VPN is in Transport mode. |
| SMC-44069 | Issue: For Route based VPN, Src VPN and Dst VPN log columns are not populated with VPN names. |
| SMC-43921 | Issue: Unreachable syslog server can cause log server to stop working. |
| SMC-42761 | Issue: Editing policy by exporting it, editing and importing might result expression element been removed from policy. |
6.10.9 build 11170
| Reference Number | Issue Description |
|---|---|
| SMC-47356 | Issue: If invalid TLS credentials are set for log forwarding, the rule replacing them by the working one is not applied. Workaround: Restart SMC service to apply the new valid TLS credentials. |
| SMC-46278 | Issue: New externally signed VPN certificates are not accepted for Policy-based VPNs when Phase-1 ID is a Distinguished Name type and the ID value contains a space. |
6.10.8 build 11166
| Reference Number | Issue Description |
|---|---|
| SMC-46161 | Jackson-databind has been updated to address CVE-2022-42003 and CVE-2022-42004. |
| SMC-45995 | Issue: Fresh Web Access login does not proceed after entering username and password, due to intensive SMC API calls to Management Server. |
| SMC-45946 | Issue: Interface configuration with IPv4 CVI and IPv6 CVI and NDI IP addresses defined results in IPv4 packets leaving from this interface to be malformed and ignored by other network devices. |
| SMC-45939 | Issue: Web Access CPU usage might increase on server due to specific type of alerts. |
| SMC-45901 | Issue: Appliance Name disappears in Management Client for a node even when the server has information. |
| SMC-45889 | Issue: Web Access client uses excessive amount of bandwidth when there is a new NGFW engine element waiting for automatic policy install after the initial contact view. Resolution: With SMC versions 6.10.8, 6.11.2, 7.0.0, and later versions the progress animation can be removed from dashboard widgets and reduce the Management Client bandwidth usage. 1. On Management Server edit <installation folder>/data/SGClientConfiguration.txt 2. Add the line: FX_ANIMATION=false 3. Save the file. 4. Restart Management Server service. |
| SMC-45867 | Issue: Access Right Access Control List (ACL) can be set to include another ACL however, layered ACL content is not included as Granted Element. |
| SMC-45490 | Network Applications view has a new column Dependencies to display dependent applications. |
| SMC-45395 | Issue: Alert chain threshold is not shown in previewing chain. Alert chain threshold cannot be removed by selecting Clear Cell. Workaround: Threshold set in the alert chain can be deleted by editing the threshold value. |
| SMC-45200 | Issue: Refresh on Master and Virtual Engines task through SMC API continues to be in progress. |
| SMC-45178 | Issue: When inspection rule containing blacklist entries is deleted from a policy, database might be left with related entries. As a result, later can be seen conflict with these entries. |
| SMC-44893 | Issue: For alias defined in administrative Shared Domain, values cannot be viewed for NGFW element in sub-domain. |
| SMC-44892 | Issue: In the report design sections where you use traffic volume based item (either log or counter), SMC allows changing the Traffic Unit from Bytes to Bits. However, this does not have any effect on the report output itself. |
| SMC-44836 | Issue: Static multicast routes cannot be edited using SMC API. |
| SMC-44821 | Issue: Log server deletion fails when it has been set for monitoring of DNS servers. Workaround: Add or modify a comment in the DNS server object when changing the log server used for monitoring. |
| SMC-44752 | Issue: Drag and drop element from NGFW element routing view into another NGFW element can create broken references. |
| SMC-44749 | Issue: Antispoofing view is automatically adjusted when elements are added in routing. However, if the same element is manually added first to antispoofing and then to routing, removing it from routing might prevent its removal from antispoofing. |
| SMC-44704 | Issue: Running task Refresh Policy on Master Engines and Virtual Security Engines on Master Engine with virtual engines not configured, does not complete. This task cannot be used for installing first policy for virtual engines. |
| SMC-44513 | Issue: Netlink role change in QoS related settings of Outbound Multi-Link element are not saved unless something else also changes on element. |
| SMC-44467 | Issue: Rule Counters cannot be used for policy templates. |
| SMC-44364 | Issue: Importing with SMC API VPN gateway certificate signed by external CA fails. |
| SMC-44316 | Issue: Log server backup creation might fail on Windows with error "The process cannot access the file because it is being used by another process". Backup creation though succeeds on the command line when log service is stopped. |
| SMC-44311 | Issue: Virtual Engine snapshots cannot be opened or restored after changing name of subdomain Virtual Engine is configured in. Workaround: Snapshot can be exported to review content. |
| SMC-44268 | Issue: Management Client might slow down when current events logs view is open and a log server becomes unreachable. Workaround: Exclude unreachable log server from storage selection. |
| SMC-44154 | Issue: Time synchronization from SMC to engines can get delayed, and as results time synchronization does not happen. When time difference between NGFW engine and Management Server becomes significantly high, these NGFW engines appear grey in monitoring, even if, both management and log connection are working. Workaround: Restart Management service. |
| SMC-44102 | Issue: When opening firewall element for quick edit, VPN Sites might be lost if element was not yet fully loaded while saving. |
| SMC-44098 | Issue: Link Usage Profile cannot be set for VPN Broker Domain. |
| SMC-44077 | Issue: Use of file filtering policy in layer 2 interface policy requires that the file filtering policy is also applied on the firewall policy for same NGFW element. |
| SMC-44070 | Issue: Service group might appear modified when comparing snapshots due to services arranged differently within the group. |
| SMC-44047 | JSON is added as log export format. UEBA format is removed. |
| SMC-44034 | Issue: URL List application can be corrupted when editing using SMC API. As result policy installation fails. |
| SMC-43973 | Issue: If an SMC administrator account has been linked to external LDAP database, and the Management Server not able to connect to the LDAP server, the administrator account cannot be opened. See more details in KB41236. |
| SMC-43935 | Link-Usage Profiles are moved under SD-WAN in Management Client. |
| SMC-43827 | Issue: Policy validation gives false warning when Virtual Engine is set to use DNS server, in situations when the Master Engine has no DNS server defined. |
| SMC-43789 | Issue: Management Client locked screen cannot be unlocked only from keyboard. |
| SMC-43696 | Issue: After modifications done on tunnel interface routing, antispoofing might not be correctly adjusted to changes. |
| SMC-43671 | Issue: The Use SSL for Session ID option is enforced in the SMC API settings while renewing server credentials. |
| SMC-43667 | Issue: When SMC API server credentials are changed, it stops logging its operations, even if Generate Server Logs is enabled. |
| SMC-43579 | Issue: Temporary filter used in log forwarding or report design might duplicate when log server or report design is edited. As result opening the element might fail with a database error. |
| SMC-43424 | Issue: Modifying InternalDomain user password might fail with Failed to write user group association for user error message. |
| SMC-43263 | Issue: The iOS VPN Configuration Profile, which has been exported, fails to install on iPhone. Workaround: 1. Edit <installation folder>/data/smc_starter.xml file 2. Append the following lines to the file, right above the "<server CODE_SERVER=..." line: <vmargs mode="append"> <parameter>-Dkeystore.pkcs12.legacy=true</parameter> </vmargs> 3. Restart Management service. |
| SMC-43255 | Issue: When adding Netlink with probing defined to routing view, the view is not updated until selecting to refresh. |
| SMC-43230 | Issue: In rare case, Pending Changes are not cleared even if, policy install succeeds. |
| SMC-43162 | Issue: Service element icons are not shown in the Logs view Service column. For more information, see KB40649 . |
| SMC-43142 | Issue: Starting SMC service on Windows might fail; however, it works when started by script. |
| SMC-43135 | Issue: When a rule is selected in policy or element, while scrolling through the policy, the view might occasionally switch back to the selected rule. |
| SMC-43054 | Issue: Use of block List scope duration set to longer than 24856 days causes policy snapshots to fail while comparing. |
| SMC-43038 | Issue: Reports can have empty sections when using data from both servers and engines logs. Workaround: Summary sections must be placed last in the report. |
| SMC-43037 | Restricted administrators might not be able to edit granted elements when element has references in other sub domains. New option is introduced to control reference check For more information, see KB40753. |
| SMC-42899 | Issue: Opening an alias element that has translation value in hundreds or more for NGFW elements is slow. |
| SMC-42823 | Issue: Tunnel Tab on Tunnel Interface Does Not Show Details when Route-Based VPN Is used with an External Gateway. For more details and workaround, see KB40873. |
| SMC-42747 | Issue: Rule comment is hidden when the rule is disabled. |
| SMC-42426 | Issue: Collecting Management Client sgInfo on Windows might take long time. |
| SMC-42221 | Issue: Packet source and destination cannot be used for blocklisting. |
| SMC-41333 | Issue: Adding an Administrator element that is linked to a user account in an external LDAP server might fail if the DN of the LDAP user is very long. The following message is displayed: "Failed to create write administrator attribute of type: LDAP_USER_TYPE for administrator". |
| SMC-40571 | Issue: When installing policy from SMC to firewall that uses reverse management connection, and TCP 8906 connection between firewall and Management Server does not work, policy installation on SMC stops at Building Inspection Configuration step (25%). |
| SMC-39932 | Issue: TCP log forwarding can cause log server to run out of memory. |
| SMC-39385 | Issue: In big deployment where the Management Server may store over thousand licenses, server license queries to Forcepoint servers may timeout. |
| SMC-38774 | Issue: While editing a policy, the position of focus and scrollbar gets changed from the last edited rule. |
| SMC-35482 | Issue: Log server reconnects to Management Server every 7 hours approximately, however it should get connected only by refresh. |
| SMC-33168 | Issue: Logs view might show log entries in incorrect order when scrolling backwards and forward in the view. This can happen when there are several log servers selected as storage. |
| SMC-33146 | Issue: Automatic node certificate renewal fails if Management Server is reachable by routing on a different interface other than control interface. |
| SMC-43765 | Issue: smc-python scripts might stop working with SMC API. Workaround: Disable "Use SSL for session ID" parameter in SMC API properties. Resolution: New fp-NGFW-SMC-python version released in June. |
6.10.7 build 11163
| Reference Number | Issue Description |
|---|---|
| SMC-42891 | Issue: During policy push, correlation policies are uploaded to log server. If policy upload takes time, it can block other connections to management, and as a result policy install fails. |
| SMC-42779 | Issue: When huge number of dynamic engines are connected to Management Server at the same time, connections might not be able to establish. Workaround: Add DCP_CONNECT_TIMEOUT_s=60 option in <SMC installation directory>/data/SGConfiguration.txt to limit how often dynamic engines try to establish connection with the Management Server. |
| SMC-42748 | Issue: The progress icon is not updated accordingly during standalone management client policy upload. However, the icon is updated properly while switching between tabs. |
| SMC-42693 | Issue: Editing Virtual Engine or installing policy fails if the Virtual Engine is moved from one master engine to a new one, which is done by linking to virtual resource on new management and deleting the old master engine. |
| SMC-42635 | Issue: In large environments, Management Client can freeze when Connectivity tab is viewed in Log server Info pane. |
| SMC-42633 | Issue: Internal Certificates view shows both old and current certificates. |
| SMC-42612 | Issue: Policy validation displays policy upload failure message, when NGFW element DHCP server is defined with IP address range element. Opening the Engine Editor in Edit mode also fails for the same element. Workaround: See for more information in Knowledge Base article 39236. |
| SMC-42563 | Issue: Reception of logs might stop when log server has log forwarding using TCP configured and the log forwarding connection is disconnected. |
| SMC-42299 | Issue: SMC installation adds to operating system user sgadmin. During installation, it is checked whether the user already exists, and that check matches to every user name including sgadmin. For example, foo_sgadmin. |
| SMC-41099 | Issue: The log server might show the log file is corrupted if the file is written during shutdown. |
| SMC-40586 | Issue: Policy install to the Virtual Firewall with only L2 interface fails. |
| SMC-40210 | Issue: On Linux, SMC service can take 30 minutes to shutdown while actually service is stopped manually. |
| SMC-39582 | Issue: Cloud sandbox report URL is not verified as valid |
| SMC-38774 | Issue: While editing a policy, the position of focus and scrollbar gets changed from the last edited rule. |
| SMC-38621 | Issue: SDWAN tunnel statistics might not be identical at different ends of the tunnel if all the cluster nodes are not processing traffic for that tunnel. |
| SMC-25336 | Issue: If there is no change in VPN configuration during policy install, tunnel order might change; however, tunnel IDs in generated configuration remain same. |
6.10.6 build 11161
| Reference Number | Issue Description |
|---|---|
| SMC-42292 | Issue: References to VPN gateway is not displayed when searching references for firewall element. |
| SMC-42270 | Issue: Not able to edit a policy template if that policy is already in edit mode. SMC API does not tell the reason why editing template fails in this situation. |
| SMC-41867 | Issue: In the Management Server information pane > Resources tab, the Memory Usage Real value is not updated to lower value. |
| SMC-41846 | Issue: Single IP cannot be set for DHCP server range on firewall interface or in VPN client virtual addressing. |
| SMC-41792 | Issue: During policy install, IP address list is not updated to the NGFW engine if either the address list or the country element is included in the expression of that group. |
| SMC-41760 | Issue: Not able to create Static Netlink with only IPv6 addresses. |
| SMC-41661 | Issue: Performing search containing multiple rules may result in heavy memory usage on the Management Server leading system crash. |
| SMC-41553 | Issue: If you sort a group containing several network objects by IP address, removing a network object from the group fails. Workaround: Do not sort the view inside the group by IP address. |
| SMC-41457 | Issue: User Dashboard does not report Windows 11 as an operating system. |
| SMC-41438 | Issue: Policy install fails when configuration includes situations with names having double quotes (""). |
| SMC-41349 | Issue: During multiple uploads of a policy, if you include dynamic engine that is not reachable, the task is reported as failed, even if, the policy install is failed only for the unreachable engine |
| SMC-41323 | The 2.17.1 version of the log4J library is now included in the Security Management Center (SMC) package. |
| SMC-41254 | Issue: The "Failed to display" error is displayed while exporting log events or attaching logs to incident case. Workaround: Select a log entry in Logs view before you export a log event. |
| SMC-41197 | Issue: If more than one log server is used, blank reports are generated when the report type Traffic by network application is selected. |
| SMC-41031 | Type-ahead search starts matching elements after an administrator has typed 3 characters. For more information, see KB 40719. |
| SMC-41012 | Issue: If you abort policy refresh when several policy refresh tasks are ongoing, it might prevent further policy refresh trials. Workaround: You need to restart SMC. |
| SMC-40947 | Issue: When adding an Internal LDAP user to group, the user is shown under the group in the LDAP tree, but not in the user properties. User gets added to the NGFW engines. When Internal LDAP user is edited (for example: when password changed), user groups get cleared. |
| SMC-40917 | Issue: In Home view, cluster nodes are displayed in alphabetical order instead of node ID. |
| SMC-40843 | Issue: Combination of default route through static Netlink and through tunnel interface can cause default route to be missing. Workaround: Instead of system any network element, create routes using IPv4 only 0.0.0.0/0 network. |
| SMC-40455 | Issue: Home view NGFW Engines widget does not display correct number of alerts for the engine. Alerts widget shows correct number of alerts. |
| SMC-37781 | Issue: When editing a rule, the rule height changes to back and forth continuously. |
| SMC-37589 | Issue: Command-line scripts failed to execute after downgrading to an old version of SMC. Workaround: To change permissions of command-line commands: 1. cd $SG_HOME/bin/install 2. chmod a+x allPermissions.sh 3. ./allPermissions.sh |
6.10.4 build 11141
| Reference Number | Issue Description |
|---|---|
| SMC-41323 | The 2.17.1 version of the log4J library is included in the Security Management Center (SMC) package. |
| SMC-41299 | Issue: Non-graphical SMC server upgrade might fail to locate the missing library as headless is not enabled. Workaround: Contact Technical Support for details. |
| SMC-40987 | Issue: When editing the policy, if the first elements are added to the source, destination or service and then the same rule is dragged and dropped into a different place of policy, the added elements will disappear. Move Rule Up/Down option does not have same behavior. Workaround: Save the policy after modifying the rule before changing the rule place in the policy. |
| SMC-40923 | Issue: Management Server might not notice all closed connections and keeps the data related to these closed connections. In large environments this can lead to high memory consumption. Workaround: Restart the Management Server. |
| SMC-40876 | Issue: If the Management server element has 2 or more contact address expressions defined, adding new exception fails with error Index -1 out of bounds for length X. |
| SMC-40808 | Issue: When there is a long running task, the Management Client might freeze if you try to open the progress report of a long running task while it is running. |
| SMC-40789 | Issue: When NGFW element is updated through SMC API, multi_ping tester entries are duplicated. As entries are identical, the tester operates normally on the engine, but the configuration size might increase unnecessarily. |
| SMC-40787 | Issue: Restoring of a snapshot fails when it has reference to an element whose name includes tabulation. |
| SMC-40786 | Issue: There are situations (like adding tags) when empty regular expression is used by purpose. Editing of such situations is not possible. |
| SMC-40698 | Issue: When single firewall has several loopback interfaces configured, browsing through those IP addresses can change the VPN Client Interface for DHCP Relay from one loopback interface into another. |
| SMC-40651 | Issue: Close tab with mouse middle button, closes the tab when trying to paste on Linux using the mouse middle button. |
| SMC-40567 | Issue: FUID element changes cannot be saved with installed Management Client while same works through Web Access. |
| SMC-40495 | Issue: Rule with same URL category for different services on the Service cell fail to generate correctly for the NGFW elements. Only one of the services with the URL category is included. |
| SMC-40446 | Issue: In SMC 6.10.3, policy install fails occasionally and "Index 1 out of bounds for length 2" error is displayed. |
| SMC-40436 | Issue: Vulnerability reference is compressed when viewing log entry of situation match. Prefixes, like CVE- is not displayed. |
| SMC-39155 | Issue: With route-based VPN, if gateway has dynamic endpoints without contact address enabled, this endpoint is ignored in configuring the tunnel to the dynamic remote endpoint. Such endpoints are however considered, when creating the configuration however, the policy install will fail with policy validation error. Workaround: Add a random contact address for the dynamic endpoint for location of remote dynamic gateway. Then disable the route-based VPN to the dynamic tunnel. |
| SMC-38636 | Issue: When you install multiple policies at the same time, policy installation take longer than expected. Workaround: In the $SGHOME/data/SGConfiguration.txt configuration file, add the line TASKER_POOL_SIZE=20, then restart the Management Server. |
| SMC-38348 | Issue: SNMP Engine ID cannot be modified for cluster nodes. |
| SMC-38226 | Issue: When a new NGFW element is duplicated from an existing element, it is possible that the policy installed on the new element actually gets installed on the old NGFW element. |
| SMC-38173 | Issue: When you use the SMC Appliance, deleting or disabling an administrator account might fail even though you can successfully edit the administrator properties. |
| SMC-35333 | Issue: During upgrade of free disk space, the check might underestimate the space needed and upgrade might fail due limited disk space in later phase. |
| SMC-34337 | Issue: Standalone client for macOS cannot be used due to signature issues. Workaround: Use the Web Access to contact SMC. |
6.10.5 build 11136
| Reference Number | Issue Description |
|---|---|
| SMC-41051 | The 2.16 version of the log4J library is now included in the Security Management Center (SMC) package. Issue: Forcepoint NGFW Security Management Center (SMC) uses log4j and the log4j-core-2.14.0.jar file has been identified impacted by CVE-2021-44228 and CVE-2021-45046. For more details, see CVE-2021-44228 and CVE-2021-45046 Java log4j vulnerability mitigation with NGFW Security Management Center. |
6.10.3 build 11135
| Reference Number | Issue Description |
|---|---|
| SMC-40292 | Issue: It is not possible to enter IP addresses 128.0.0.0 or higher as the Area ID for an OSPFv2 Area element. |
| SMC-40245 | Issue: Opening large VPN configuration for editing is slow when there are multiple disabled tunnels. |
| SMC-39787 | Issue: When enabling third party monitoring using SMC API it is possible to set the Log Server incorrectly for the host. This will prevent successful policy installation. Workaround: Contact Technical Support for workaround. |
| SMC-39779 | Issue: Policy validation fails if a Virtual NGFW Engine in the Firewall/VPN role has only layer 2 interfaces. |
| SMC-39752 | Issue: Audit entries for the Move to Domain action do not list all of the moved elements when referenced elements are moved. |
| SMC-39646 | Issue: Password policy setting "Disable Account Automatically After Password Expiration" incorrectly disables SMC administrator accounts that do not use local password for authentication. |
| SMC-39553 | Issue: In rare cases, duplicating an NGFW Engine element might fail with the following error message: Failed to construct the alias values. |
| SMC-39490 | Issue: When you create new users in the InternalDomain LDAP domain, the Member of list is empty even though the user was correctly added to existing groups. |
| SMC-39457 | Issue: When there are many icons for administrative Domains in the Domain Overview window, the Management Client might be unusable after you log on. Resolution. Starting from SMC 6.10.3 Domain overview is by default shown in table format if number of administrative domains exceeds 20. Default value can be adjusted by adding to SGClientConfiguration.txt line: DOMAIN_COUNT_THRESHOLD_FOR_DOMAIN_OVERVIEW_TABLE=X And restart client. With installed client file is in Users/<username>/.stonegate folder. For web access the change must be done on the server side. To set parameter globally for all Web Access clients, edit SGClientConfiguration.txt in the Management Server installation directory's data subfolder, by default /usr/local/forcepoint/smc/data/SGClientConfiguration.txt. With less than X administrative domains, Domain overview is by default shown using tiles. |
| SMC-39419 | Issue: When password policy is used to enforce regular renewal of administrator passwords, closing expiration of API Client authentication key cannot be notified during administrator login. Resolution: New API service 'pwd_meta_data' can be used to query expiration date of all administrator passwords and API authentication keys. |
| SMC-39404 | Issue: When an administrator whose Management Client window was locked because the session was idle for too long logs on again, the administrator can very briefly perform actions in the Management Client even if the incorrect password was entered. |
| SMC-39302 | Issue: Create a new Route Map element for dynamic routing fails. The following error message is shown: Database problem. Impossible to store element. |
| SMC-39135 | Issue: Importing Next Generation Firewall engine upgrade file using Management Client fails with Importing of engine upgrade/update packages failed message. Workaround: See more details in article Engine Upgrade Import Fails with SMC 6.10.2. |
| SMC-39103 | Issue: Dynamic routing BGP announced network configuration ignores IPv6 address if network element has both IPv4 and IPv6 defined. |
| SMC-39045 | Issue: It is possible to create a Route Map element for dynamic routing with the Matching Condition set as none. If the NGFW Engine configuration refers to a Route Map element with the Matching Condition set as none, policy installation fails. |
| SMC-39037 | Issue: In the Situations view, the Last update column shows -1 for custom elements. |
| SMC-38999 | Issue: When you use Route Map elements and you edit the dynamic routing configuration, there might be a conflict between the new Route Map element and the change history of the removed Route Map element. |
| SMC-38968 | Issue: When you configure IPv6 policy routing, the routing configuration is not correctly generated in NGFW Engine configuration. |
| SMC-38900 | Issue: Management Client certificate authentication has a short timeout for the user to enter the PIN that is typically required for certificate. |
| SMC-38833 | Issue: When you use the Additional Networks to automatically add to antispoofing option in the dynamic routing configuration, the exceptions to automatic antispoofing are not added to the generated NGFW Engine configuration. |
| SMC-38820 | Issue: Log Analysis shows the following error message: Incorrect parameters: null source. |
| SMC-38388 | Issue: If you use a Host element that uses element-based NAT in an access rule that has log compression enabled, policy installation fails. |
| SMC-38311 | Issue: If a resource is configured as a sub-domain of the SSL VPN Portal host name, policy validation for the SSL VPN Portal policy incorrectly shows the following error: "SSL VPN Configuration error: <vpn gw name> You cannot use the same host name for the portal and for the external URLs of web services." |
| SMC-38299 | Issue: The Log Server might spend a lot of time processing active alerts, which can affect log reception. |
| SMC-32148 | Issue: Viewing or comparing snapshots fails and the following error message is shown: DTD claims: Element <smtp_server> has no attribute "ipv6_address". In the past, it was possible to add an IPv6 address to an SMTP Server element, but this option is no longer supported. |
6.10.2 build 11131
| Reference Number | Issue Description |
|---|---|
| SMC-38714 | Issue: When you export monitoring data from the Blacklist, Connections, or Users monitoring view, the Management Client shows an empty error dialog box. |
| SMC-38712 | Issue: When opening the Alias element in Edit mode, if there is a large number of translation values, loading them might take a while. If you close the element with OK while values are being loaded, translation values might get cleared. |
| SMC-38675 | Issue: The default memory heap size for the Management Client has been increased to 1524Mb. |
| SMC-38645 | Issue: When you convert a firewall cluster to a Master NGFW Engine and Virtual NGFW Engines, the link status test that is originally set for ALL with CVI interfaces is not converted and thus ignored when policy is installed on the master cluster. |
| SMC-38230 | Issue: When engine is edited and saved, enabled internal User DB Replication selection can be lost. |
| SMC-37917 | Issue: Alerts appear to be acknowledged more slowly than they are because the notifications are displaying slowly. |
| SMC-37877 | Issue: Memory usage on the Log Server might increase. As a result, the status of nodes might change rapidly. |
| SMC-37755 | Issue: If there are temporary log forwarding filter references to an NGFW Engine element, deleting the NGFW Engine element might fail. |
| SMC-37634 | Issue: When NGFW Engines that are configured as VPN Broker Members receive an update from the VPN Broker Gateway, the NGFW Engines internally update their policies. For NGFW Engines that have node-initiated contact to the Management Server enabled, these internal updates might conflict with policy installations from the Management Client. |
| SMC-37623 | Issue: Entries might not be created in the pending changes list for an NGFW Engine element even though configurations related to the NGFW Engine have been modified. |
| SMC-37602 | Issue: The certificate authority renewal process might stop progressing and show the following message even though all Log Servers have been restarted: Restart <LogServer> so that it starts using the new Internal Certificate Authority. Workaround: Restart the Management Server after restarting the Log Servers. |
| SMC-37576 | Issue: The QoS mode that is selected for an interface might not be shown in the Info column on the Interfaces branch of the Engine Editor. |
| SMC-37554 | Issue: NGFW Engines in FIPS mode only allow a key length of 2048 bits when importing RSA host keys for Sidewinder proxies. |
| SMC-37458 | Issue: If DHCP relay is enabled on a VLAN interface when you convert a firewall cluster to a Master NGFW Engine and Virtual NGFW Engines, the Virtual NGFW Engines are created without the DHCP relay settings. |
| SMC-37417 | Issue: Adding an IP address to an interface from a different network adds an interface route to the network. When removing the secondary IP address, the related route is not deleted. |
| SMC-37181 | Issue: When administrators use certificate authentication, it is not possible to choose the used certificate when the TLS profile is set to trust several CAs. |
| SMC-37176 | Issue: Log reception slows down if the Log Server receives log entries for the same Virtual NGFW Engine from two nodes when one of the nodes is clearing its log spool. |
| SMC-37106 | Issue: In configuration panes in the Home view, administrators with restricted permissions can open NGFW Engine elements that they do not have permissions for in preview mode. |
| SMC-37039 | Issue: When rule cells contain a long list of elements, the View more option shows all elements in the cell. This option is not available for the Situation cell. |
| SMC-37022 | Issue: Inspection policy validation does not treat situation tags the same as single situations or situation types. |
| SMC-37013 | Issue: After you delete the element for an SMC component, the old license stays in the Licenses view as bound to <unknown>. |
| SMC-36984 | Issue: The Web Access client might remain in loading view after sign-in when it tries to open a new tab. |
| SMC-36971 | Issue: When you download the Management Client from the Management Server in Windows, the Management Client fails to connect to the Management Server. The following error message is shown: Could not initialize class com.stonesoft.ag.n. Workaround: Use SMC Web Access or install the Management Client locally. |
| SMC-36900 | Issue: To allow related connections when you use the FTP and TFTP Sidewinder proxies, deep inspection must be enabled. Policy validation does not detect that deep inspection is not enabled. |
| SMC-36898 | Issue: In an environment with multiple Management Servers, the full synchronization command in the Management Client does not use the contact addresses of the Management Servers. |
| SMC-32786 | Issue: When the SMC is installed under the Program Files folder in Windows, you cannot enable Management Client Download on the SMC Downloads tab of the Management Server Properties dialog box. |
| SMC-30184 | Issue: Setting the same dynamic NAT IP for separate elements in an element-based NAT causes a validation warning: Dynamic NAT definitions that do not have a Port Filter defined have the same external IP address. |
| SMC-27326 | Issue: Endpoint Context Agent (ECA) user and group information cannot be used on access rules in IPS and L2FW roles. |
6.10.1 build 11125
| Reference Number | Issue Description |
|---|---|
| SMC-38692 | Issue: When an NGFW Engine node has a static IP address on the control interface, the Management Server does not verify the certificate of the node. For example, if an NGFW Engine running on a virtualization platform is reverted to an older certificate, the Management Server communicates with the NGFW Engine even though it expects a newer certificate. |
6.10.0 build 11117
| Reference Number | Issue Description |
|---|---|
| SMC-37090 | Issue: When you duplicate an NGFW Engine element, some alias values might be se to NONE even though the original element had specific values. |