List of All Resolved Issues and New Features

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

In some scenarios, the Forensics report fails to open from Harmony Endpoint logs.

UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750).

When Anti-Virus blade is enabled, there may be a continuous high memory consumption which can lead to latency.

The CPD process may unexpectedly exit and create core dump files.

Traffic bypassed due Threat Prevention exception is not accelerated.

When ClusterXL is configured, a file may pass without inspection during a failover.

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

Policy installation may cause cluster failover and impact the traffic flowing through the cluster.

There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled.

UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10.

In some scenarios, deleting a Security Gateway object fails with the "Action failed due to an internal error" error.

Compliance results for some rules are not available after changing the "Policy Range" of a user-defined rule to a value below 100%. Refer to sk177544.

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054.

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125.

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found and " fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log.

In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.

There may be an incorrect error message related to MakeConnection method.

Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP.

UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory used. The change is only cosmetic.

Policy installation may fail when there is a heavy load on memory on the Security Gateway.

In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorre

The PDP process may unexpectedly exit with a core dump file.

In very rare scenarios, a traffic outage may occur.

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports.

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FullSync pnote and cannot synchronize.

SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped.

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW).

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database.

There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic

When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction.

After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS.

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby.

In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.

WebUI session may end when creating a Role with full permissions.

Dynamic routing SNMP OID polling may work only in VSX mode.

The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.

In some scenarios, logs related to Harmony Endpoint may be missing.

NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool.

Added Take 18 of Public Cloud CA Bundle. Refer to sk172188.

In some scenarios when R80.20 Jumbo Hotfix Accumulator Take 208 is installed:

• Install Policy Preset invokes policy installation on Gateways different from those that are defined.

• Policy installation on multiple Gateways on MDS level triggers installation on one Gateway only.

Refer to sk178590.

UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB.

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and a different Domain name is used for the second attempt.

In some scenarios, the FWM process is down and fails to start. Core dumps are created in /var/log/dump/usermode.

When searching IP addresses using logical operators (AND / OR), the results may be incorrect:

• in SmartConsole in the Object Explorer view
• with the Management API command "show objects" and the "filter" field

Some matched objects may be missing, while some unmatched objects may be present.

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used.

In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005.

In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930.

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

Policy installation may fail if more than 20,000 objects are created and added to rules.

In rare scenarios, the FWM process on the Security Management Server unexpectedly exits.

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805.

• The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
• On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

Deleting a network group may fail because it is being used, although "Where Used" shows no usage.

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout.

When automatic purge is configured in a local Domain, and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

In a rare scenario, the FWM process unexpectedly exits.

NEW:SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452.

In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452).

In some scenarios, Log Exporter configured to export in TLS cannot authenticate a certificate from an external certificate authority.

In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545.

On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message and the FWM process is running with a high CPU. Refer to sk167239.

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

In SmartConsole:

• In Gateways and Servers view, IP statuses may not be accurate
• In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

In SmartConsole, machine statuses in "Gateways and Servers" may disappear and reappear.

The "Last Update Time" field of a Session Log may show incorrect values.

In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403.

SmartEvent may not show some of the Anti-Virus logs.

• The "fw log" and "fwm logexport" commands may fail with "Error: Failed to read field".
• The exported log file may not contain all logs.
  Refer to sk176644.

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

UPDATE: Adding Connection and Packet Distribution statistics in CPView.

When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887.

Running the threshold_config command may cause the CPD process to consume a high CPU.

In a rare scenario, Security Gateway may crash.

In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs.

In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.

If wstunnel loses connectivity, after several attempts, it may unexpectedly exit and not restart. Refer to sk166056.

In rare scenarios, the LOG_INDEXER process may unexpectedly exit with a core dump file.

The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424.

In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages.

In a rare scenario, the FWD process may unexpectedly exit.

The log_exporter process may consume a high CPU.

When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947.

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

In some scenarios, access roles are not enforced when using an identity tag.

In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.

In a rare scenario, the DLP process may leave several open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space.

UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2.

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

A memory leak, related to TLS probing, may occur in the WSTLSD process.

In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

TCP packets may be dropped as "TCP out of state" although following sk11088.

In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.

• Security Gateway may crash when OSPF inserts or removes an LSA from its database.
• Neighbor dead timers may have negative values.

In rare scenarios, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending.

UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic.

A memory leak may occur when clearing the CRL cache file.

A memory leak may occur in the VPND process.

When querying a VS for "sysObjectID" via SNMP, a generic net SNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check Point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62").

In some scenarios, running the snmpwalk command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

UPDATE: Fixed CVE-2021-3711 and CVE-2021-3712.

Potential vulnerability related to a specific Gaia API command on VSX systems.

• VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
• IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway.

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436.

NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2.

In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain.

The "show gateways and servers" Management API command does not show policy information for cluster members.

In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.

Scheduled IPS updates data may not be shown in the IPS update report.

In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" error. Refer to sk174645.

If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.

• Requires R80.20 SmartConsole Build 124 (or higher).

In rare scenarios, a Management Server upgrade may fail with the "Object not found - [UID]" error message in the cpm.elg log file.

After migrating a Domain to a Multi-Domain Management and assigning a Global Policy, if there are objects with the same name in the Domain and Global Domain, the assignment succeeds, although it must fail due to name duplication.

When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit producing a core file.

The Management API command "get-attachment" may fail with an error. Refer to sk170894.

After migrating a Domain to Security Management Server, the FWM process may be shown as "down" in watchdog, although it is up and running. Refer to sk163814.

In rare scenarios, during a system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.

In some scenarios, loading the Access Control policy causes SmartConsole to close unexpectedly. Refer to sk175405.

• Requires R80.20 SmartConsole Build 124 (or higher)

In some scenarios, a high load on the Management Server may cause SmartConsole slowness.

After upgrade from R77.x, "Cannot assign a Domain more than once" errors may appear in the validations pane.

In some scenarios, copying a rule from one Access Control policy to another fails due to a mismatch in the policy Traditional VPN mode.

Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872.

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

In some scenarios, a migration of a Security Management Server into a Domain Management Server fails at the import phase. Refer to sk170758.

UPDATE: If there is no license installed, an error message is printed when running the "cpstart" command.

In some scenarios, the total number of "sr" licenses may be counted incorrectly.

In some scenarios, the Gateway hardware change in SmartConsole fails with a "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning.

NEW:

• In SmartEvent GUI added new products: "Behavioral Guard", "Anti-Exploit", "Anti-Bot" and "Anti-Ransomware"
• For Endpoint logs correlation, added a new pre-defined event: "Harmony Endpoint" under Legacy -> Endpoint Security.

NEW: Added support for Endpoint Forensics reports to get-attachment API.

When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways.

In rare scenarios, when exporting logs to Check Point Infinity Portal, the Log Exporter may unexpectedly exit.

In rare scenarios, logs generated at the same second, with the same ID, may not show up in SmartConsole's Logs tab.

In rare scenarios, SmartConsole may unexpectedly close if the pre-defined VPN columns profile in the Logs view was modified and saved.

In some scenarios following a Multi-Domain Management Server upgrade, logs queries may not retrieve results from some CMAs\CLMs.

In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB).

After upgrade, SmartView scheduled export to Excel of Reports and Views stop running and users are unable to edit the scheduled tasks Refer to sk174047.

In the Method field, logs with the following values are not shown in the SmartConsole's Logs tab. They are only shown when opening a single log record.

The values are: MOVE, TEXT, XGET, UNDEFINED, VTTEST, ABCD, SEARCH, RPC_CONNECT, PRONECT, TRACK, CFYZ, BADMETHOD, DEBUG, MGET, GET, MKCOL, QUALYS, RNDMMTD, PRI, NESSUS, BDMT, BADMTHD.

In SmartView, when filtering with specific time filters, the result may include more logs than were requested.

In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command.

In SmartView, the "Duration" field is missing from Reports and Views.

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

In a low log rate, there may be a delay in exporting logs using the Log Exporter.

In some scenarios, emails of DLP blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430.

The "Recommended" Package value is not changed from true to false in SmartConsole while installing Jumbo Hotfix. Refer to sk174508.

Improved the ICAP Server internal memory allocation logic.

In some scenarios, the CPD process may consume high CPU because of the memory leak in FDT (File Download Tool).

A duplicate entry appears in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic.

A "fw_xlate_rule_count_dec: refcount is negative" message may be displayed in dmesg when IP pool NAT is used on a cluster environment.

In rare scenarios, policy installation fails with a "gen_rpc_service_inspect_func: service mismatch in service_arr" error message. Refer to sk174165.

In some scenarios, there is no match on URL Filtering rules.

When running the "fwaccel stats -r" command to reset SXL statistics, the statistics may become corrupted.

In rare scenarios, when the "sd_global_monitor_only" property is set to "true", there is no HTTP inspection.

Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition. Refer to sk172464.

In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg. Refer to sk173546.

In rare scenarios on versions earlier than R80.40, the FWK process may unexpectedly exit.

In rare scenarios, SmartView Monitor shows an "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206.

After policy installation, Security Gateway may stop responding due to memory leaks.

In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security Gateway to crash.

In some scenarios, Security Gateway may crash when ICAP client is enabled.

In some scenarios, emails may be stuck in the MTA queue.

In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188.

The show-global-assignment command may ignore the limit request and return the default limit.

UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates.

In some scenarios, it is not possible to remove expired certificates via the ICA Management tool.

In some scenarios, the IPS update status in SmartConsole is incorrect after the automatic update fails with the "Update failed. Failed to load database" error.

NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.
The feature is disabled by default. To enable it, refer to sk128212.

When the PDP Gateway is connected to multiple pre-R81 PEP Gateways, the CPU consumption may be high. Refer to sk173709.

Optimized the PDP expired timers mechanism performance.

Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull.

An HTTP download of a large file may unexpectedly stop with an error message.

Security Gateway may crash when the IPS profile name is very long (more than 256 characters). Refer to sk174025.

A table hash size may be too small for some environments and cause an increased CPU usage.

Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692.

In rare scenarios, in the UserCheck portal for Threat Extraction, when clicking the "Send Original Mail to me" button, the action fails with the "An unexpected error has occurred" error. Refer sk140214.

In rare scenarios, a Load Sharing cluster can experience DHCP Relay drops with a "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message.

In a VSX environment, the SYN Defender configuration may not be applied correctly.

The checksum of PIM "register" packets may be calculated incorrectly, causing the RP router to discard a "register" packet.

In some scenarios, the ROUTED process may unexpectedly exit when there is a static route and a kernel route to the same destination.

In some scenarios, the ROUTED process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time.

In some scenarios, the NetFlow Packet may report a wrong source IP Address.

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers.

Many "remote access client IP address and port were changed" logs are generated after an upgrade.

In some scenarios, a memory leak may occur on the Security Gateway.

Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235.

This fix allows create/change a VSX cluster/Gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole.

In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793.

A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC).

In some scenarios, the force-password-change option does not work.

In some scenarios, the Policy Server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates.

A memory leak may occur when using domain names in QoS policy rules. Refer to sk174904.

Added Update 2 of HealthCheck Point (HCP) Release. Refer to sk171436.

UPDATE: If there is no license on the Security Management Server, a new verification blocks an attempt to migrate a domain.

In very large Management environments, Policy verification and installation may fail with FWM process core dump. Refer to sk173722.

Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003.

In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828.

On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704.

"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation.

In some scenarios, policy installation fails with "Error code 0-2000077" message.

In some scenarios, a Domain migration may fail during the Access Policy import with the "Object not found" error in cpm.elg file.

In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles.

Running override_server_setting.sh may not update settings correctly when updating a setting multiple times.

In some scenarios, Desktop policy fails with "Policy installation had failed due to an internal error. If the problem persists please contact Check Point support". Refer to sk171970.

Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain.

In Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application.

In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup.

In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704.

In a rare scenario, Advanced upgrade from R80.10 may fail.

In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker.

In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905.

In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed.

NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated.

NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323.

Starting from Jumbo Take 183, logs exported in LogRhythm format via the Log Exporter, appear in an incorrect format.

In some scenarios, when declaring a filter in Log Exporter, logs may not be exported. Refer to sk173025.

In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done.

In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results).

In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly exit.

When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763.

In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles".

In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999.

A super user connected to SmartConsole in the context of the Domain Management Server cannot see search suggestions for global objects.

UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607.

In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server.

In some scenarios, the VSX Cluster switch may cause a core dump.

The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145.

In a rare scenario, Security Gateway may crash during the Application Control / IPS / Anti-Bot package update.

Improved the policy enforcement of the ZIP archive inner files.

In some scenarios, a Security policy installation fails during high CPU utilization.

When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

The connection may not exist in SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allow out of state TCP packets.

In some scenarios, the Security Gateway attempts to access the Management Server through the server's NAT IP address (defined in the "NAT" section of the server object), while the server is reachable only through the main IP address (defined in the "General Properties" section of the server object).

Refer to sk171665 to configure the required parameter SKIP_NATTED_IP.

UPDATE: The IKE certificates validity period is set to 1 year by default. Refer to sk176527.

The output of the "lscert" command has duplicate lines for all certificates that are not in "pending" status

In a rare scenario, the PDPD process may unexpectedly exit due to synchronization issues in CaptivePortalManager.

In some scenarios, output of "pdp conn pep" command may show wrong PEP names.

In some scenarios, VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*).

A failure log may be generated when inspecting connections to servers with certificates without a Common Name (CN) field.

UPDATE: Exceptions are now enforced for these IPS protections:

• ASCII Request Response
• ASCII Response Response
• HTTP Header Patterns
• HTTP URL Patterns
• CIFS File Patterns

Refer to sk166222.

UPDATE: Avoid sending the TLS probe during inbound inspection when it is not necessary for the SNI-based categorization.

In rare scenarios, a memory leak may occur in a crypto module.

TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated.

In some scenarios, the WSTLSD process may unexpectedly exit when browsing to certain websites.

Packet capture may not be generated for certain IPS protections.

In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected.

In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file.

Rate limiting rules using concurrent-connection counters may cause connections to be blocked.

Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries.

In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections.

A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns".

UPDATE: The user does not have to enable logging/accounting in SmartConsole to generate the Netflow records. A new 'NetFlow Firewall rule' option was added to configure NetFlow to report per Firewall rule by turning it on and enabling Log/Accounting per rule.

In OSPF environment, the routed process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss.

NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity.

In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266.

Added stability fix in validation checks for ECDSA certificates.

In rare scenarios, the VPND process may unexpectedly exit in an L2TP-related flow.

Added VPN Remote Access stability improvement.

In a rare scenario, there may be an incorrect IKE ID in an ID payload with 3rd party peers in IKEv1 and IKEv2.

When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550.

NEW: Added support for hardware (sensors/NICs) data auto-update.

In rare scenarios, "show asset network" command may lead to memory leak. Refer to sk174823.

Entering diacritic characters in the Expert password may cause Clish to unexpectedly exit, resulting in a core dump.

The "set snmp usm user" command fails if it has more then 8 characters. This fix increases the characters limit to 31.

Unable to set MTU on Igb cards.

CPview may show partial information, if there are more than 256 interfaces configured on the system.

NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally.

UPDATE: Added improvements in policy load process, to reduce the policy installation time when having large amount of objects.

UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published.

In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.

Policy installation may fail after migration from Domain Management to Security Management Server.

Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts.

In rare scenarios, a policy installation task may never complete.

When migrating a Domain Management Server to a Security Management Server:

• SmartEvent blade cannot be activated on the migrated domain
• If the Domain had standby Domain Servers , it may cause inconsistencies in the database, that may result in different failures. For example, policy installation may fail.

In some scenarios, HA temporary sub-directories under $FWDIR/tmp are not deleted if sync fails. Refer to sk170972.

The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds.

High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches.

In rare cases, the CPM Solr process may not be stopped when running cpstop or mdsstop.

In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole.

UPDATE: When reassigning Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in queue of the local server due to other tasks that are running.

In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916.

The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.

• A Domain manager running the API will be notified when the results will be filtered and will be asked to run the command again with the "ignore-warnings" flag.

In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556.

When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work.

After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional:

• The editor may not show configuration correctly
• Security Gateway update may fail.

UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once).

SmartConsole may disconnect when searching in the Object Explorer for the text with an odd number of double quotes.

The "show objects" command returns all objects in Global domain with any filter when "ip-only" flag is set to "true".

In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352.

Setting values for the environment variables of the Management API as per sk165938 does not work: the values are neither loaded nor used by the API process.

In some scenarios, when the user attempts to delete a VSX Gateway / VSX Cluster, an error message may appear and the operation may not be completed successfully. Refer to sk167492.

• Requires R80.20 SmartConsole Build 121 (or higher).

In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895.

When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found".

In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status.

In some scenarios, the "Failed to fetch the file" error is displayed when trying to open Threat Emulation summary reports generated by VSX Gateways.

UPDATE: Added ability to SOLR process running on the Log server to prevent TLS1.1 and below in port 8211. Refer to sk168472.

In some scenarios, the cpsemd process on the log server may close unexpectedly during a restart, shutdown or upgrade.

In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676.

In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments.

In rare scenarios, the log_indexer process may unexpectedly exit when reading a specific log format. Refer to sk116117.

In rare scenarios, when the user configures a custom event with a script based automatic reaction in SmartEvent, the SmartEvent client may show the following error: "Server is not responding. Please try to reconnect later". Refer to sk155192.

UPDATE: Improved the time resolutions usability (formally known as samples) of the Timeline widgets.

In rare scenarios, "Critical attacks allowed by policy widgets" in "General Overview" view may show no results while actual data exists. Refer to sk171001.

NEW: Added support for authentication with a RADIUS server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3.

In a rare scenario, the FWD process opens connections to port 111.

Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold".

In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher.

In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server.

In some scenarios, dmesg shows "up_manager_resume_chain: fwhold_send failed. chain will be dropped by the fwhold API" error messages when the connection was already dropped and cannot be resumed. Refer to sk133253.

Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992.

In rare scenarios, Security Gateway memory consumption may increase.

In rare scenarios, a memory leak may occur in TOPOD process.

DynamicID via SMTP does not work when an HTTP proxy server is defined.

In a rare scenario, Security Gateway memory consumption may increase and lead to a memory leak.

In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.

UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable.

To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy.

In some scenarios, Threat Prevention logs appear half full (not unified).

In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606).

NEW: Added Identity Sharing SmartPull mechanism performance and functionality improvements. Refer to sk170516.

In some scenarios, the Security Gateway may not recognize an IP address as a local address, resulting in wrong drops.

After changing 'pdp nested_groups __set_state 2' ,flat groups are fetched correctly, but nested groups are not fetched. Refer to sk166199.

In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.

UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:

• Improved enforcement of first connection when URL Filtering setting is in 'Hold' mode
• Added SNI information to connection logs when connection is matched on rule with "Extended Log"
• Hold mode granularity

For configuration, refer to sk173633.

In some scenarios, the HTTPS Inspection CA bundle is not created on the Security Gateway.

In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message.

In some scenarios, a non-compliant IMAP traffic is dropped.

In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs.

In some scenarios, "cmik_loader_fw_context_match_cb: match_cb for CMI APP 10 failed" error appears in dmesg for HTTP traffic.

Removed potential XSS vulnerability in the MAB Login page.

A user may not connect with Remote Access Client if this user belongs to many groups defined in SmartConsole.

Same MAC Magic configuration on different clusters in Unicast mode may cause flapping in switch. Refer to sk167206.

UPDATE: "fwaccel dos blacklist" and "fwaccel dos whitelist" commands are deprecated and replaced by "fwaccel dos deny" and "fwaccel dos allow". Refer to sk112454.

Server may not reuse the TCP connection when the user allows out of state TCP packets.

SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132.

In some scenarios, output of "fwaccel stat" command does not display the layer name that disables the templates (only "Layer ---" is displayed). Refer to sk145533.

In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148.

In a rare scenario, CPU consuming on some instances is high. Refer to sk168513.

UPDATE: Added the option to bind IP addresses to sockets using the udp_connect API. Refer to sk171019.

On environments with large IP routing tables, the SNMPD process may consume 100% CPU when running a scan from an external tool. Refer to sk170150.

Query routing info via SNMP may consume 100% CPU in case of a massive IP routing table. Refer to sk170150.

CVE-2020-25705: ICMP reply rate.

In some scenarios, the ROUTED process unexpectedly exits when removing an OSPF interface that had authentication configured. Refer to sk170272.

ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works.

ECMP route nexthops learned from BGP peers may be not properly updated in the kernel, resulting in network connectivity loss.

NEW: Added Anti-Spoofing functionality for Remote Access Office Mode IPs in SecureXL.

UPDATE: Remote Access VPN stability improvement.

In some scenarios, findSAByPeer does not validate the peer IP address for DAIP peer behind NAT.

Security Gateway may crash when you install policy on a MAB Gateway and a policy file is corrupted.

In some scenarios, L2TP clients disconnect from the Security gateway after 10 minutes of the connection.

Policy installation with VPN enabled may take a long time.

In IKEv2, the renegotiation of IKE SA may fail.

In a rare scenario, a memory leak may appear when RASession_util is active.

The user may be unable to connect with Remote Access when the username or user field in the certificate is too long.

Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.

When clicking "View" in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496.

UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903.

After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352.

UPDATE: Added ability to select 'Any' in the Service column when creating a custom firewall Best practice.

• Requires R80.20 SmartConsole Build 121 (or higher).

VoIP RTP can cause overload on global instance (CoreXL instance 0).