Added compatibility check for some newly-manufactured USG Pro systems so they upgrade successfully.
Made kernel security updates for NFLX-2019-001: TCP-based remote denial of service vulnerabilities.
These are relevant to the source/destination endpoints of TCP connections, not to intermediate network devices, which is the role the USG typically plays.
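The notes above say the USG kernel was patched, but the advisory itself concerns TCP endpoints, so the hosts behind the gateway are where exposure actually sits. The following is an added example, not part of these release notes or Ubiquiti code: it parses `sysctl` output and classifies a Linux host against NFLX-2019-001. The two sysctl keys are real Linux keys (`net.ipv4.tcp_min_snd_mss` was introduced by the kernel fix for CVE-2019-11479, the third issue in that advisory); the `sysctl` output samples are constructed.

```python
"""Classify a Linux endpoint's TCP sysctl state against NFLX-2019-001.

Added example for these notes, not Ubiquiti code.  The sysctl keys are the
real Linux ones; the sample `sysctl` output strings are constructed.
"""
from typing import Dict

# Constructed samples of `sysctl net.ipv4.tcp_sack net.ipv4.tcp_min_snd_mss`.
# A kernel without the fix has no tcp_min_snd_mss key at all.
SAMPLE_UNPATCHED = "net.ipv4.tcp_sack = 1\n"
SAMPLE_PATCHED = "net.ipv4.tcp_sack = 1\nnet.ipv4.tcp_min_snd_mss = 48\n"
SAMPLE_SACK_OFF = "net.ipv4.tcp_sack = 0\n"


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse `key = value` lines as printed by sysctl(8); other lines are ignored."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def nflx_2019_001_status(values: Dict[str, str]) -> str:
    """Return one of:

    'patched'   - net.ipv4.tcp_min_snd_mss is present.  That sysctl was added
                  by the fix for CVE-2019-11479 and ships together with the
                  SACK fixes (CVE-2019-11477, CVE-2019-11478).
    'mitigated' - no fix visible, but SACK is disabled, which removes the
                  SACK-based attack surface (the advisory's workaround).
    'exposed'   - unfixed kernel with SACK enabled.
    """
    if "net.ipv4.tcp_min_snd_mss" in values:
        return "patched"
    if values.get("net.ipv4.tcp_sack") == "0":
        return "mitigated"
    return "exposed"


def check(sysctl_output: str) -> str:
    """Convenience wrapper: raw sysctl text in, classification out."""
    return nflx_2019_001_status(parse_sysctl(sysctl_output))


if __name__ == "__main__":
    # Run against the local host.  sysctl still prints the keys that exist
    # when one of the requested keys is missing, so stdout is usable as-is.
    import subprocess
    out = subprocess.run(
        ["sysctl", "net.ipv4.tcp_sack", "net.ipv4.tcp_min_snd_mss"],
        capture_output=True, text=True,
    ).stdout
    print(check(out))
```

Run it on each Linux host behind the gateway rather than on the USG; "mitigated" means the workaround is in place but SACK performance is lost, so the patched kernel remains the target state.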
Fixed config application and changes for QoS Tag setting on WAN. Previously config changes may have resulted in a commit error or not been applied until reboot.
Fixed a problem with IPsec VPNs with multi-WAN in load balance mode.
Now offer more prominent warning upon SSH login that config changes made locally will be removed by controller upon next provision.
Removed logging of ALIEN drops from IDS/IPS because of log spam and performance issues. May return as a configurable option in the future.
It is unclear whether this has been fixed or whether they are simply noting that the problem exists: in circumstances where multiple alerts are generated in a short period of time (in IDS/IPS), the utmdaemon process may not de-allocate the memory allocated to handling those alerts, which leads to memory utilization increasing with each alert and only decreasing with a reboot.
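Since the notes leave it open whether the utmdaemon leak is fixed, the practical check is to watch the process's resident size over time and see whether it ever comes back down. The following is an added example, not part of the release notes or Ubiquiti code: it reads the `VmRSS` field of `/proc/<pid>/status` (a real Linux field) and flags a process whose resident size only ever grows across a sampling window. The `/proc` excerpt and the RSS readings are constructed; the threshold values are assumptions to tune.

```python
"""Trend check for the utmdaemon memory growth described above.

Added example, not Ubiquiti code.  Reads VmRSS from /proc/<pid>/status (a
real Linux field); the status excerpt and RSS readings below are constructed.
"""
import os
import re
import sys
import time
from typing import List, Optional

VMRSS_RE = re.compile(r"^VmRSS:\s+(\d+)\s+kB", re.MULTILINE)

# Constructed /proc/<pid>/status excerpt.
SAMPLE_STATUS = "Name:\tutmdaemon\nVmPeak:\t 812344 kB\nVmRSS:\t 640120 kB\n"

# Constructed RSS readings in kB, one per sampling interval.
LEAKING = [640120, 641300, 643880, 648010, 652400, 659900]   # never falls
STEADY = [640120, 640500, 640100, 640700, 640300, 640600]    # dips between bursts


def parse_vmrss_kb(status_text: str) -> Optional[int]:
    """Extract the VmRSS value (kB) from /proc/<pid>/status text."""
    m = VMRSS_RE.search(status_text)
    return int(m.group(1)) if m else None


def read_vmrss_kb(pid: int) -> Optional[int]:
    """Read the current VmRSS of a live process; None if it has exited."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return parse_vmrss_kb(f.read())
    except FileNotFoundError:
        return None


def find_pid(comm: str) -> Optional[int]:
    """Locate a process by its comm name (first match) via /proc/<pid>/comm."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                if f.read().strip() == comm:
                    return int(entry)
        except OSError:
            continue
    return None


def looks_like_leak(samples: List[int], min_samples: int = 6,
                    min_growth_kb: int = 8192) -> bool:
    """True when RSS never decreases across the window and total growth
    exceeds min_growth_kb (assumed threshold).  A daemon that frees memory
    between alert bursts dips at least once and is not flagged."""
    if len(samples) < min_samples:
        return False
    never_falls = all(b >= a for a, b in zip(samples, samples[1:]))
    return never_falls and (samples[-1] - samples[0]) >= min_growth_kb


if __name__ == "__main__":
    # Usage: python3 rss_trend.py [comm-name] [interval-seconds]
    name = sys.argv[1] if len(sys.argv) > 1 else "utmdaemon"
    interval = float(sys.argv[2]) if len(sys.argv) > 2 else 60.0
    pid = find_pid(name)
    if pid is None:
        sys.exit(f"{name}: not running")
    window: List[int] = []
    while True:
        rss = read_vmrss_kb(pid)
        if rss is None:
            sys.exit(f"{name} (pid {pid}) exited")
        window = (window + [rss])[-6:]
        print(f"{name} pid={pid} VmRSS={rss} kB leak={looks_like_leak(window)}")
        time.sleep(interval)
```

Correlate a positive result with the IDS/IPS alert count over the same window: growth that tracks alert bursts and never recovers is the pattern the note describes, while growth that later drops is ordinary caching.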
A DHCP WAN bug with GeoIP has been fixed. In some configurations, GeoIP filtering could block DHCP requests from the USG leaving it unable to obtain an IP from the ISP. This DHCP traffic is now always permitted regardless of GeoIP location.
Omitted sensitive data in ‘show tech-support’ output.
Increased maximum dnsmasq DHCP leases to 1 million. It was previously set to dnsmasq’s default of 1000, much less than the USG is capable of.
Fixed “soft lockup” crashes. Increased watchdog threshold so normal, expected conditions don’t cause a crash. This is primarily applicable to the USG3 when under extreme CPU load, usually from IDS/IPS and heavy traffic loads.
Fixed use of OSPF and ‘passive-interface default’.
Reduced delay in host-table stats in informs. Reports guests as expired faster, and reflects other client statistics faster in some cases.
Added backend functionality to IPS for upcoming controller feature.
Fixed USG-XG-8 ethernet driver bug on copper interface with VLAN tagging. Previously at 1500 MTU the largest passable frame was 1496 with 802.1Q tag. Now 1500 MTU plus VLAN tag. Did not impact SFP+ ports.
Fixed speed test servers with port in URL. This was leading to speed tests not working.
Fixed three denial of service vulnerabilities (CVE-2019-12106, CVE-2019-12108, CVE-2019-12019) in miniupnpd. Where UPnP is enabled (disabled by default), hosts on the LAN can crash the UPnP service. There is no potential impact beyond making UPnP stop functioning until reboot.