List of All Resolved Issues and New Features
|
Note - This version reached its End of Support. If you are using this version (or lower), we strongly recommend you to upgrade your environments. |

For old General Availability Takes, see the Download Archive.
Take |
Release Date | GA Date |
---|---|---|
04 Sep 2022 |
03 Nov 2022 |
|
30 Jun 2022 |
02 Aug 2022 |
|
27 Apr 2022 |
24 May 2022 |
|
13 Apr 2022 |
- |
|
23 Mar 2022 |
- |
|
03 Jan 2022 |
03 Jan 2022 |
|
20 Oct 2021 |
- |
|
30 May 2021 |
07 Jul 2021 |
|
28 Feb 2021 |
12 Apr 2021 |
|
08 Dec 2020 |
28 Dec 2020 |
|
17 Nov 2020 |
- |
|
03 Sep 2020 |
11 Oct 2020 |
|
23 July 2020 |
16 Sep 2020 |
|
21 Jun 2020 |
02 July 2020 |
|
02 Jun 2020 |
- |
|
24 May 2020 |
14 Jun 2020 |
|
30 Apr 2020 |
- |
|
01 Apr 2020 |
- |
|
20 Feb 2020 |
03 Mar 2020 |
|
10 Feb 2020 |
- |
|
23 Jan 2020 |
- |
|
14 Jan 2020 |
- |
|
03 Dec 2019 |
- |
|
27 Oct 2019 |
04 Nov 2019 |
|
13 Oct 2019 |
- |
|
26 Aug 2019 |
22 Sep 2019 |
|
10 July 2019 |
20 Aug 2019 |
|
26 June 2019 |
09 July 2019 |
|
27 May 2019 |
- |
|
14 Apr 2019 |
- |
|
08 Apr 2019 |
- |
|
19 Feb 2019 |
25 Mar 2019 |
|
11 Feb 2019 |
- |
|
08 Jan 2019 |
04 Feb 2019 |
|
04 Dec 2018 |
08 Jan 2019 |
|
01 Nov 2018 |
22 Nov 2018 |
ID |
Product |
Description |
---|---|---|
Take 230 Released on 4 September 2022 and declared as General Availability on 3 November 2022 |
||
PRJ-38397, |
Security Management |
An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue. |
PRJ-36187, PRHF-22004 |
Logging |
UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT. |
PRJ-30961, EPS-562 |
Logging |
In some scenarios, the Forensics report fails to open from Harmony Endpoint logs. |
PRJ-39952, PRHF-22814 |
Security Gateway |
UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1. |
PRJ-40506, |
Security Gateway |
UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750). |
PRJ-40134, PMTR-84236 |
Security Gateway |
When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995. |
PRJ-40643, PRJ-38912 |
Security Gateway |
When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency. |
PRJ-41003, PRJ-40954 |
Security Gateway |
In a VSX environment, SNMP queries to OSPF OIDs may fail. |
PRJ-31455, |
Security Gateway |
The CPD process may unexpectedly exit and create core dump files. |
PRJ-34167, |
Security Gateway |
After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash. |
PRJ-34884, PMTR-77524 |
Threat Prevention |
Traffic bypassed due Threat Prevention exception is not accelerated. |
PRJ-40045, |
Threat Prevention |
IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors. |
PRJ-36430, PMTR-77653 |
IPS |
When ClusterXL is configured, a file may pass without inspection during a failover. |
PRJ-37722, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290. |
PRJ-39835, PMTR-84079 |
ClusterXL |
When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member. |
PRJ-39069, PRHF-22676 |
SecureXL |
UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960. |
PRJ-36854, |
SecureXL |
Policy installation may cause cluster failover and impact the traffic flowing through the cluster. |
PRJ-40847, |
VPN |
UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271. |
PRJ-40659, |
VPN |
There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled. |
PRJ-27467, |
Gaia OS |
UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970. |
PRJ-29070, |
Gaia OS |
UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10. |
PRJ-40305, ODU-454 |
HCP |
Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-40667, ODU-478 |
HCP |
Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 220 Released on 30 June 2022 and declared as General Availability on 2 August 2022 |
||
PRJ-37799, |
Security Management |
In some scenarios, deleting a Security Gateway object fails with the "Action failed due to an internal error" error. |
PRJ-36846, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect session handling. |
PRJ-35947, |
Security Management |
Compliance results for some rules are not available after changing the "Policy Range" of a user-defined rule to a value below 100%. Refer to sk177544. |
PRJ-36917, |
Security Management |
When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway. |
PRJ-35651, |
Security Management |
The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment. |
PRJ-37501, |
Security Management |
In rare scenarios, Global Domain Assignment may fail with the "class name not found for object" error message. |
PRJ-35057, |
Security Management |
Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224. |
PRJ-37760, |
Security Management |
The FWM process on the Management Server may unexpectedly exit creating a core dump file. |
PRJ-37196, |
Security Management |
The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054. |
PRJ-35014, |
Security Management |
Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129. |
PRJ-38738, PRHF-23467 |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit and create a core dump. |
PRJ-39174, PRHF-23750 |
SmartConsole |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error. |
PRJ-37985, PRHF-22589 |
SmartConsole |
After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated. |
PRJ-37691, |
Logging |
UPDATE: SmartView reports will now show the new Check Point logo. |
PRJ-37098, |
Logging |
UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125. |
PRJ-34803, |
Logging |
In some scenarios, Logs related to Content Awareness are missing. |
PRJ-29171, |
Logging |
Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found and " fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log. |
PRJ-30142, |
Logging |
Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file. |
PRJ-32577, |
Logging |
In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application. |
PRJ-32370, |
Logging |
When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.. |
PRJ-34247, |
Logging |
There may be an incorrect error message related to MakeConnection method. |
PRJ-34139, |
Logging |
When SmartConsole is connected to a Domain Management Server, in the Logs&Monitor view:
Refer to sk178904. |
PRJ-37894, PRHF-22858 |
Logging |
Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP. |
PRJ-36458, |
Logging |
When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start. |
PRJ-19031, |
Security Gateway |
UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory used. The change is only cosmetic. |
PRJ-34597, |
Security Gateway |
The log for the NAT second rule match shows an incorrect rule number. |
PRJ-35100, |
Security Gateway |
Policy installation may fail when there is a heavy load on memory on the Security Gateway. |
PRJ-33926, |
Security Gateway |
Cluster failover may trigger the FWK process to exit, with no traffic impact. |
PRJ-36116, |
Security Gateway |
In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorre |
PRJ-36564, |
Internal CA |
UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096. |
PRJ-36161, |
Identity Awareness |
The PDP process may unexpectedly exit with a core dump file. |
PRJ-35848, |
Identity Awareness |
The PEP process may unexpectedly exit |
PRJ-38039, |
IPS |
In very rare scenarios, a traffic outage may occur. |
PRJ-37276, |
IPS |
Improved detection in some IPS protections. |
PRJ-39059, PRHF-12660 |
IPS |
In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports. |
PRJ-36295, |
SSL Inspection |
A memory leak related to TLS probe may occur in the WSTLSD process. |
PRJ-35288, |
Mobile Access |
In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash. |
PRJ-37431, |
ClusterXL |
There may be connectivity issues for multicast traffic in PIM Sparse Mode. |
PRJ-37878, PMTR-81375 |
ClusterXL |
Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size. |
PRJ-36173, |
ClusterXL |
In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby. |
PRJ-35592, |
ClusterXL |
In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FullSync pnote and cannot synchronize. |
PRJ-37810, PRJ-37001 |
SecureXL |
NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603. |
PRJ-39005, PRHF-22881 |
SecureXL |
SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped. |
PRJ-38999, PRHF-23644 |
SecureXL |
SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop. |
PRJ-36467, |
SecureXL |
The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW). |
PRJ-30710, |
Routing |
Connectivity issues may occur after configuration of route based VPN (VTI interface). Refer to sk176368. |
PRJ-34762, PRHF-21568 |
VPN-1 |
When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file. |
PRJ-34668, |
VSX |
UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems. |
PRJ-29579, |
VSX |
UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW). |
PRJ-34997, |
VSX |
The "vsx_util reconfigure" command may fail without printing the cause of the error. |
PRJ-32076, |
VSX |
When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database. |
PRJ-38290, |
VSX |
When deleting a physical interface that was added with a VLAN trunk to a VSX cluster or a VSX Gateway, it is not removed correctly from the management side and may still be seen if running the "vsx_util show_interfaces" command. |
PRJ-35500, |
VSX |
There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic |
PRJ-33468, |
VSX |
In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously. |
PRJ-32473, |
VSX |
When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction. |
PRJ-28542, |
VSX |
Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344. |
PRJ-32702, |
VSX |
After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS. |
PRJ-35274, |
VSX |
In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via clish is deleted without validation |
PRJ-32403, |
VSX |
The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860. |
PRJ-33312, |
VSX |
The FWM process may unexpectedly exit after using the VSX Provisioning tool. |
PRJ-33037, |
VSX |
In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby. |
PRJ-38824, PMTR-82551 |
VSX |
The FWK process of Virtual Switch (VSW) may consume a high CPU. |
PRJ-38199, PRHF-23118 |
VSX |
In some scenarios, the VSX Security Gateway may not decrease the packet's TTL. |
PRJ-36764, |
VSX |
VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface. |
PRJ-38404, PMTR-73704 |
VSX |
When creating a virtual system, the "Failed to create Virtual System directories" error is displayed. |
PRJ-38790, PMTR-82492 |
VSX |
In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt. |
PRJ-36774, |
Gaia OS |
NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-35581, |
Gaia OS |
UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters. |
PRJ-36083, |
Gaia OS |
WebUI session may end when creating a Role with full permissions. |
PRJ-37344, |
Gaia OS |
When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful. |
PRJ-39092, PRHF-23641 |
Gaia OS |
Dynamic routing SNMP OID polling may work only in VSX mode. |
PRJ-36357, |
Gaia OS |
In some scenarios, like defected LOM card, or when LOM port exists, but no LOM is connected, the CONFD process may stop working. |
PRJ-36783, PMTR-79249 |
Gaia OS |
The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0. |
PRJ-38226, PMTR-81516 |
Gaia OS |
When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue. |
PRJ-27906, |
Harmony Endpoint |
In some scenarios, logs related to Harmony Endpoint may be missing. |
PRJ-37114, |
VoIP |
When static NAT is configured, VoIP calls may not work. |
PRJ-26370, |
Scalable Platforms |
NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool. |
PRJ-38033, ODU-341 |
Scalable Platforms |
Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-38020, ODU-342 |
Public Cloud CA Bundle |
Added Take 18 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-38220, ODU-349 |
HCP |
Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 211 Released on 27 April 2022 and declared as General Availability on 24 May 2022 |
||
PRJ-28215, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Security Gateway when installing policy. Refer to sk174144. |
Take 210 Released on 13 April 2022 |
||
PRJ-38295, |
SmartConsole |
In some scenarios when R80.20 Jumbo Hotfix Accumulator Take 208 is installed:
Refer to sk178590. |
PRJ-38232, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53. |
Take 208 Released on 23 March 2022 |
||
PRJ-24928, |
Security Management |
UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB. |
PRJ-30404, |
Security Management |
UPDATE:
|
PRJ-21874, |
Security Management |
In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer. |
PRJ-26778, |
Security Management |
In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245. |
PRJ-22420, |
Security Management |
Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and a different Domain name is used for the second attempt. |
PRJ-20590, |
Security Management |
In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail. |
PRJ-30051, |
Security Management |
In some scenarios, the FWM process is down and fails to start. Core dumps are created in /var/log/dump/usermode. |
PRJ-29196, |
Security Management |
After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message. |
PRJ-28898, |
Security Management |
When searching IP addresses using logical operators (AND / OR), the results may be incorrect:
Some matched objects may be missing, while some unmatched objects may be present. |
PRJ-29965, |
Security Management |
In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X. |
PRJ-29895, |
Security Management |
In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". |
PRJ-29907, |
Security Management |
In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule. |
PRJ-28813, |
Security Management |
In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full". |
PRJ-30880, |
Security Management |
In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file. |
PRJ-25194, |
Security Management |
The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used. |
PRJ-27483, |
Security Management |
Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. Refer to sk174183. |
PRJ-25277, |
Security Management |
In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005. |
PRJ-30097, |
Security Management |
In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it. |
PRJ-30388, |
Security Management |
In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930. |
PRJ-22263, |
Security Management |
In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. |
PRJ-28166, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect sessions handling. |
PRJ-32089, |
Security Management |
When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured, may not reflect in the results, although they match the IP. |
PRJ-32106, |
Security Management |
Policy installation may fail if more than 20,000 objects are created and added to rules. |
PRJ-30333, |
Security Management |
When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down. |
PRJ-31078, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server unexpectedly exits. |
PRJ-30419, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-29509, |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805. |
PRJ-30678, |
Security Management |
Policy installation with Directional VPN rules may fail with a verification error. |
PRJ-30065, |
Security Management |
|
PRJ-32426, |
Security Management |
In rare scenarios, adding a service to a rule in Access Policy:
Refer to sk176004. |
PRJ-25707, |
Security Management |
Deleting a network group may fail because it is being used, although "Where Used" shows no usage. |
PRJ-34223, |
Security Management |
When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error". |
PRJ-33284, |
Security Management |
When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number. |
PRJ-32666, |
Security Management |
When searching for tags usage, the "where-used" action may fail with "Requested object not found". |
PRJ-33976, |
Security Management |
Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS. |
PRJ-34484, |
Security Management |
When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead. |
PRJ-33861, |
Security Management |
When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout. |
PRJ-30056, |
Security Management |
In rare scenarios, after a Management Server upgrade, importing the database may fail with "Tried to persist object". |
PRJ-33398, |
Security Management |
When automatic purge is configured in a local Domain, and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443. |
PRJ-33362, |
Security Management |
Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464. |
PRJ-32715, |
Security Management |
If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491. |
PRJ-36954, |
Security Management |
Policy installation and "where used" operation may take a long time if there are many inline layers and the "Install On" targets in the Rule Base are not defined as "Any". Refer to sk177928. |
PRJ-32743, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-30348, |
Multi-Domain Management |
During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface. |
PRJ-25008, |
Logging |
NEW:SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452. |
PRJ-30685, |
Logging |
UPDATE: The default timeframe for logs queries using the SmartConsole Logs tab is set to "Last 24 Hours".
|
PRJ-25620, |
Logging |
In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452). |
PRJ-29027, |
Logging |
In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report. |
PRJ-28338, |
Logging |
In some scenarios, Log Exporter configured to export in TLS cannot authenticate a certificate from an external certificate authority. |
PRJ-28321, |
Logging |
In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing. |
PRJ-31211, |
Logging |
In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545. |
PRJ-26305, |
Logging |
In rare scenarios, in SmartConsole, some logs are not shown. |
PRJ-25438, |
Logging |
On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message and the FWM process is running with a high CPU. Refer to sk167239. |
PRJ-14120, |
Logging |
Syslog messages are not shown in SmartConsole, when syslog_free_text_parser.C contains references to ".ini" files which are located in Syslog folder $FWDIR/conf/syslog. |
PRJ-26678, |
Logging |
Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field. |
PRJ-26028, |
Logging |
In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically. It can be done only by manual update. Refer to sk173323. |
PRJ-17258, |
Logging |
In SmartConsole:
|
PRJ-19835, |
Logging |
On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928. |
PRJ-1688, |
Logging |
In SmartConsole, machine statuses in "Gateways and Servers" may disappear and reappear. |
PRJ-32082, |
Logging |
A duplicate entry appears /etc/cpshell/log_rotation.conf. This issue is only cosmetic. |
PRJ-28314, |
Logging |
The "Last Update Time" field of a Session Log may show incorrect values. |
PRJ-34688, |
Logging |
In some scenarios, in an environment that includes the SmartEvent Server, the LOG_INDEXER process restarts at midnight, producing a core dump file. Refer to sk177805. |
PRJ-30089, |
Logging |
In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403. |
PRJ-14117, |
Logging |
Syslog messages are not shown in SmartConsole when syslog_free_text_parser.C contains references to ".ini" files which are located directly syslog folder $FWDIR/conf/syslog. |
PRJ-29120, |
Logging |
SmartEvent may not show some of the Anti-Virus logs. |
PRJ-32584, |
Logging |
There may be empty values in the "Office Mode IP" field in the Logs view. |
PRJ-30660, |
Logging |
|
PRJ-32025, |
Logging |
In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log. |
PRJ-32015, |
Logging |
When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-31614, |
Logging |
Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543. |
PRJ-25651, |
Logging |
When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message. |
PRJ-30546, |
Logging |
In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783. |
PRJ-32306, |
Logging |
When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email. |
PRJ-34688, |
Logging |
In some scenarios, in an environment that includes the SmartEvent Server, the LOG_INDEXER process restarts at midnight, producing a core dump file. Refer to sk177805. |
PRJ-31909, |
Security Gateway |
NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890. |
PRJ-32069, |
Security Gateway |
UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6. |
PRJ-31662, |
Security Gateway |
UPDATE: Adding Connection and Packet Distribution statistics in CPView. |
PRJ-31964, |
Security Gateway |
In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP. |
PRJ-31214, |
Security Gateway |
When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887. |
PRJ-30610, |
Security Gateway |
In rare scenarios, when SACK is enabled, there may be connectivity issues. |
PRJ-20624, |
Security Gateway |
Running the threshold_config command may cause the CPD process to consume a high CPU. |
PRJ-22834, |
Security Gateway |
In some scenarios, the "rad_kernel_service_container_add_service" error is printed to dmesg. |
PRJ-29626, |
Security Gateway |
In a rare scenario, Security Gateway may crash. |
PRJ-30085, |
Security Gateway |
In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up. |
PRJ-26667, |
Security Gateway |
In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs. |
PRJ-29739, |
Security Gateway |
In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated Refer to sk11088. |
PRJ-29501, |
Security Gateway |
In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues. |
PRJ-30247, |
Security Gateway |
Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log. |
PRJ-30038, |
Security Gateway |
If wstunnel loses connectivity, after several attempts, it may unexpectedly exit and not restart. Refer to sk166056. |
PRJ-32571, |
Security Gateway |
When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted. |
PRJ-33902, |
Security Gateway |
In rare scenarios, the LOG_INDEXER process may unexpectedly exit with a core dump file. |
PRJ-33270, |
Security Gateway |
The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952. |
PRJ-21486, |
Security Gateway |
The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424. |
PRJ-31204, |
Security Gateway |
The Security Gateway may crash during policy installation due to memory allocation problems. |
PRJ-29694, |
Security Gateway |
In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages. |
PRJ-33994, |
Security Gateway |
In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout. |
PRJ-33608, |
Security Gateway |
In a rare scenario, the FWD process may unexpectedly exit. |
PRJ-33509, |
Security Gateway |
CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic. |
PRJ-34265, |
Security Gateway |
The log_exporter process may consume a high CPU. |
PRJ-33246, |
Internal CA, VPN |
Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468. |
PRJ-33548, |
Threat Prevention |
When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947. |
PRJ-31013, |
Internal CA |
In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start. |
PRJ-37471, |
Identity Awareness, Identity Logging |
UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148. |
PRJ-30944, |
Identity Awareness |
In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests. |
PRJ-35817, |
Identity Awareness |
On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member. |
PRJ-29610, |
Identity Awareness |
In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables. |
PRJ-32217, |
Identity Awareness |
In some scenarios, access roles are not enforced when using an identity tag. |
PRJ-20710, |
IPS |
In rare scenarios, policy installation fails due to duplicate ID in IPS Snort protections. |
PRJ-29937, |
IPS |
In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash. |
PRJ-32502, |
IPS |
In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process. |
PRJ-30441, |
DLP |
In a rare scenario, the DLP process may leave several open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space. |
PRJ-36397, |
Anti-Malware |
In some scenarios, dmesg may show the following errors: "cmik_loader_fw_context_match_cb: m atch_cb for CMI APP 3 failed on context 56, executing context 366 and adding the app to apps in exception". |
PRJ-32998, |
SSL Inspection |
UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2. |
PRJ-33403, |
SSL Inspection |
In rare scenarios, TLS probing connections may remain open for extended periods. |
PRJ-34157, |
SSL Inspection |
In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-32897, |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file. |
PRJ-32880, |
SSL Inspection |
When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation. |
PRJ-34970, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly restart. |
PRJ-31169, |
SSL Inspection |
A memory leak, related to TLS probing, may occur in the WSTLSD process. |
PRJ-31163, |
SSL Inspection |
In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur. |
PRJ-30456, |
SSL Inspection |
In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout. |
PRJ-29472, |
SSL Inspection |
In some scenarios, a memory leak may occur when creating ECDHE keys. |
PRJ-35938, PRJ-35934 |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS. |
PRJ-31228, |
SSL Network Extender |
SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760. |
PRJ-25146, |
SecureXL |
In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections. |
PRJ-28213, |
SecureXL |
In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly. |
PRJ-26949, |
SecureXL |
TCP packets may be dropped as "TCP out of state" although following sk11088. |
PRJ-36070, |
SecureXL |
In some scenarios related to sending multicast packets, the ICMP errors may be shown. |
PRJ-32936, |
SecureXL |
In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed. |
PRJ-28641, |
SecureXL |
A redundant message "ACC: Accelerator started. " is printed in dmesg logs. |
PRJ-33352, |
Routing |
|
PRJ-31483, |
Routing |
In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603. |
PRJ-31123, |
Routing |
In rare scenarios, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending. |
PRJ-24053, |
Routing |
In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts. |
PRJ-31470, |
VPN |
UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic. |
PRJ-29479, |
VPN |
A memory leak may occur in the VPND process in IKEv2 Site to Site VPN. |
PRJ-28261, |
VPN |
A memory leak may occur when clearing the CRL cache file. |
PRJ-25309, |
VPN |
In rare scenarios, all traffic is dropped with "Rulebase Internal Error" in SmartLog. |
PRJ-36234, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-32530, |
VSX |
UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool. |
PRJ-27966, |
VSX |
When querying a VS for "sysObjectID" via SNMP, a generic net SNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check Point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62"). |
PRJ-29549, |
VSX |
After reboot, the VS's clish static arps configurations exist, but the static arps may be missing. |
PRJ-22474, |
VSX |
In some scenarios, running the snmpwalk command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064. |
PRJ-30311, |
Gaia OS |
NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-30291, |
Gaia OS |
UPDATE: Fixed CVE-2021-3711 and CVE-2021-3712. |
PRJ-37954, PMTR-81489 |
Gaia OS |
UPDATE: Upgraded OpenSSL to fix CVE-2022-0778. Refer to sk178411. |
PRJ-33684, |
Gaia OS |
Potential vulnerability related to a specific Gaia API command on VSX systems. |
PRJ-33504, |
Gaia OS |
Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128. |
PRJ-30208, |
Gaia OS |
Refer to sk174969. |
PRJ-28691 |
Gaia OS |
When configuring Bond Load Sharing mode, the Security Gateway may restart several times and create vmcore files. |
PRJ-34524, |
CloudGuard |
When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway. |
PRJ-32228, |
CloudGuard |
The "vsec_lic_cli update" command now supports IP change in the license string. |
PRJ-30231, |
QoS |
In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs. |
PRJ-27031, |
QoS |
In a rare scenario, when SecureXL is enabled, in SmartView Monitor, some QoS traffic may be shown as "No Match". |
PRJ-35155, |
Scalable Platforms |
NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-34439, |
HCP |
Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-30017, |
HCP |
Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22350, |
Infrastructure |
UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias. |
PRJ-31765, |
Infrastructure |
Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452. |
Take 205 Released and declared as General Availability on 3 January 2022 |
||
PRJ-32153, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51. |
Take 203 Released on 20 October 2021 |
||
PRJ-26243, |
Diagnostics |
NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2. |
PRJ-29101, |
Security Management |
In some scenarios, the Administrators view may not filter domain names according to the permission profile of the connected administrator. |
PRJ-28646, |
Security Management |
In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain. |
PRJ-26733, |
Security Management |
In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message. |
PRJ-26674, |
Security Management |
The "show gateways and servers" Management API command does not show policy information for cluster members. |
PRJ-29185, |
Security Management |
In a rare scenario, High Availability full synchronization may fail due to a large number of records. |
PRJ-28296, |
Security Management |
In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase. |
PRJ-28533, |
Security Management |
In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error. |
PRJ-29155, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-23125, |
Security Management |
Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270. |
PRJ-28567, |
Security Management |
In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" error. Refer to sk174645. |
PRJ-25563, |
Security Management |
In rare scenarios, an upgrade may fail when there is an OPSEC Server object configured. |
PRJ-27998, |
Security Management |
If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.
|
PRJ-28290, |
Security Management |
In rare scenarios, High Availability incremental synchronization may fail with a wrong status message. |
PRJ-25625, |
Security Management |
In rare scenarios, a Management Server upgrade may fail with the "Object not found - [UID]" error message in the cpm.elg log file. |
PRJ-24947, |
Security Management |
If there is an Administrator named "Endpoint", an upgrade of Endpoint Security Server from R77.30 version fails. |
PRJ-24999, |
Security Management |
After migrating a Domain to a Multi-Domain Management and assigning a Global Policy, if there are objects with the same name in the Domain and Global Domain, the assignment succeeds, although it must fail due to name duplication. |
PRJ-25684, |
Security Management |
In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name. |
PRJ-26181, |
Security Management |
When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit producing a core file. |
PRJ-22382, |
Security Management |
User may fail to connect to SmartConsole after the administrator changed the RADIUS Server host IP address. Refer to sk172065. |
PRJ-25515, |
Security Management |
The Management API command "get-attachment" may fail with an error. Refer to sk170894. |
PRJ-26504, |
Security Management |
Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same". |
PRJ-26978, |
Security Management |
After migrating a Domain to Security Management Server, the FWM process may be shown as "down" in watchdog, although it is up and running. Refer to sk163814. |
PRJ-26121, |
Security Management |
In some scenarios, High Availability synchronization fails in the Global Domain after an IPS update. |
PRJ-26627, |
Security Management |
In rare scenarios, during a system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189. |
PRJ-21965, |
Security Management |
Packet Mode search in rulebase ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched. |
PRJ-26903, |
Security Management, |
In some scenarios, loading the Access Control policy causes SmartConsole to close unexpectedly. Refer to sk175405.
|
PRJ-26908, |
Security Management |
Policy installation to multiple Gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy. |
PRJ-22131, |
Security Management |
In some scenarios, a high load on the Management Server may cause SmartConsole slowness. |
PRJ-25797, |
Security Management |
In rare scenarios, if the CPM process is up for many days, CPU and memory consumption may continue to grow until a reboot is performed. |
PRJ-23451, |
Security Management |
After upgrade from R77.x, "Cannot assign a Domain more than once" errors may appear in the validations pane. |
PRJ-13709, |
Security Management |
In rare scenarios, the SmartEvent Server fails to read from the external Log Server. |
PRJ-26899, |
Security Management |
In some scenarios, copying a rule from one Access Control policy to another fails due to a mismatch in the policy Traditional VPN mode. |
PRJ-26191, |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit. |
PRJ-28380, |
Security Management |
Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872. |
PRJ-21785, |
Security Management |
In some scenarios, the output of the "cpmistat" command may contain partial information. |
PRJ-28154, |
Security Management |
In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server. |
PRJ-15875, |
Multi-Domain Management |
OS information for Domain Servers may not be shown correctly at the MDS level. |
PRJ-19979, |
Multi-Domain Management |
In some scenarios, a migration of a Security Management Server into a Domain Management Server fails at the import phase. Refer to sk170758. |
PRJ-18905, |
Multi-Domain Management |
In some scenarios, size of MDS backup file increases after each policy installation. |
PRJ-24231, |
Licensing |
UPDATE: If there is no license installed, an error message is printed when running the "cpstart" command. |
PRJ-28530, |
Licensing |
In a very rare scenario, SmartConsole login attempt mail fail due to high CPU usage of the CPD process. |
PRJ-21774, |
Licensing |
In some scenarios, the total number of "sr" licenses may be counted incorrectly. |
PRJ-27342, |
Licensing |
In a rare scenario, the licensing status in SmartConsole is displayed incorrectly. |
PRJ-26869, |
SmartConsole |
In some scenarios, the Gateway hardware change in SmartConsole fails with a "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning. |
PRJ-25927, |
SmartView |
NEW:
Note: The default time frames on the SmartView web application and SmartConsole are not synchronized.
|
PRJ-23487, |
Logging |
NEW:
|
PRJ-21422, |
Logging |
NEW: The Log Exporter now supports formatting for RSA SIEM application. |
PRJ-18858, |
Logging |
NEW: Added support for Endpoint Forensics reports to get-attachment API. |
PRJ-25573, |
Logging |
UPDATE: The Log Server now supports up to 2700 Gateways (previously was 1024). Refer to sk163413. |
PRJ-24436, |
Logging |
When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways. |
PRJ-26112, |
Logging |
In a Multi-Domain Management environment, log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name. |
PRJ-24281, |
Logging |
In rare scenarios, when exporting logs to Check Point Infinity Portal, the Log Exporter may unexpectedly exit. |
PRJ-26691, |
Logging |
When adding the "UC Block" action, log queries may not show UserCheck logs. Refer to sk174543. |
PRJ-25451, |
Logging |
In rare scenarios, logs generated at the same second, with the same ID, may not show up in SmartConsole's Logs tab. |
PRJ-15229, |
Logging |
In SmartView, when creating a statistical table and grouping by Time, the query may fail. |
PRJ-23761, |
Logging |
In rare scenarios, SmartConsole may unexpectedly close if the pre-defined VPN columns profile in the Logs view was modified and saved. |
PRJ-16645, |
Logging |
In the SmartConsole Logs tab, the "IKE IDs" field cannot be added to column profiles. |
PRJ-23577, |
Logging |
In some scenarios following a Multi-Domain Management Server upgrade, logs queries may not retrieve results from some CMAs\CLMs. |
PRJ-23818, |
Logging |
In rare scenarios, when querying logs with a timeframe larger than 1 day, only 50 logs from each day will be shown. |
PRJ-25643, |
Logging |
In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB). |
PRJ-23677, |
Logging |
In rare scenarios, in environments with many network objects, when typing a query in the Logs tab Search bar, SmartConsole may close unexpectedly. |
PRJ-27298, |
Logging |
After upgrade, SmartView scheduled export to Excel of Reports and Views stop running and users are unable to edit the scheduled tasks Refer to sk174047. |
PRJ-22646, |
Logging |
Threat Emulation log description for HTTP emulation is incorrect. |
PRJ-21320, |
Logging |
In the Method field, logs with the following values are not shown in the SmartConsole's Logs tab. They are only shown when opening a single log record. The values are: MOVE, TEXT, XGET, UNDEFINED, VTTEST, ABCD, SEARCH, RPC_CONNECT, PRONECT, TRACK, CFYZ, BADMETHOD, DEBUG, MGET, GET, MKCOL, QUALYS, RNDMMTD, PRI, NESSUS, BDMT, BADMTHD. |
PRJ-14236, |
Logging |
In some scenarios, in SmartView, grouping or filtering by the field "Total Bytes" causes the query to fail. |
PRJ-20617, |
Logging |
In SmartView, when filtering with specific time filters, the result may include more logs than were requested. |
PRJ-27047, |
Logging |
In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume a high CPU. |
PRJ-26723, |
Logging |
In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command. |
PRJ-23865, |
Logging |
In SmartView reports, the "Show only icon" option for table widgets does not work as expected. |
PRJ-22342, |
Logging |
In SmartView, the "Duration" field is missing from Reports and Views. |
PRJ-16982, |
Logging |
In a rare scenario, Application Control events may not be displayed in SmartEvent. |
PRJ-27618, |
Logging |
The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event. |
PRJ-25830, |
Logging |
The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access Blade is enabled on the Gateway. |
PRJ-24521, |
Logging |
In a low log rate, there may be a delay in exporting logs using the Log Exporter. |
PRJ-30583, |
Logging |
In some scenarios, in Multi-Domain Servers, heavy API requests may fail after an upgrade. |
PRJ-16279, |
Logging |
In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430. |
PRJ-13740, |
Logging |
The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces. |
PRJ-20495, |
CPUSE |
The "Recommended" Package value is not changed from true to false in SmartConsole while installing Jumbo Hotfix. Refer to sk174508. |
PRJ-29416, |
Security Gateway |
In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673. |
PRJ-28826, |
Security Gateway |
Improved the ICAP Server internal memory allocation logic. |
PRJ-27647, |
Security Gateway |
Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section. |
PRJ-27945, |
Security Gateway |
In some scenarios, the CPD process may consume high CPU because of the memory leak in FDT (File Download Tool). |
PRJ-26389, |
Security Gateway |
The WSDNSD process unexpectedly exits and creates a core dump file. Refer to sk173627. |
PRJ-26820, |
Security Gateway |
A duplicate entry appears in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic. |
PRJ-26547, |
Security Gateway |
In some scenarios, a "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file. |
PRJ-28439, |
Security Gateway |
A "fw_xlate_rule_count_dec: refcount is negative" message may be displayed in dmesg when IP pool NAT is used on a cluster environment. |
PRJ-25025, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway. |
PRJ-22947, |
Security Gateway |
In rare scenarios, policy installation fails with a "gen_rpc_service_inspect_func: service mismatch in service_arr" error message. Refer to sk174165. |
PRJ-27159, |
Security Gateway |
In rare scenarios, running the kernel debug "fw ctl debug -m fw1 + misp" on cluster may cause the cluster members to crash. |
PRJ-25389, |
Security Gateway |
In some scenarios, there is no match on URL Filtering rules. |
PRJ-25549, |
Security Gateway |
In some scenarios, connections are dropped with a "Virtual defragmentation error: fragment table is full" message. Refer to sk180404. |
PRJ-25153, |
Security Gateway |
When running the "fwaccel stats -r" command to reset SXL statistics, the statistics may become corrupted. |
PRJ-25597, |
Security Gateway |
In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together. |
PRJ-24006, |
Security Gateway |
In rare scenarios, when the "sd_global_monitor_only" property is set to "true", there is no HTTP inspection. |
PRJ-26615, |
Security Gateway |
In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file. |
PRJ-26592, |
Security Gateway |
Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition. Refer to sk172464. |
PRJ-27073, |
Security Gateway |
In rare scenarios, using IP Pool NAT with only IPv4/IPv6 addresses configured may cause Security Gateway to crash. |
PRJ-26376, |
Security Gateway |
In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg. Refer to sk173546. |
PRJ-24339, |
Security Gateway |
In some non-VPN scenarios, MSS Adjustment (Clamping) does not work. |
PRJ-24739, |
Security Gateway |
In rare scenarios on versions earlier than R80.40, the FWK process may unexpectedly exit. |
PRJ-18864, |
Security Gateway |
In rare scenarios, DynamicID authentication fails with a "server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303. |
PRJ-16918, |
Security Gateway |
In rare scenarios, SmartView Monitor shows an "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206. |
PRJ-23062, |
Security Gateway |
Improved displayed drop log messages on the Security Gateway:
Refer to sk172232. |
PRJ-14622, |
Security Gateway |
After policy installation, Security Gateway may stop responding due to memory leaks. |
PRJ-25813, |
Security Gateway |
Added Dynamic Anti-Spoofing stability enhancements. |
PRJ-26475, |
Security Gateway |
In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security Gateway to crash. |
PRJ-26148, |
Security Gateway |
In a rare scenario, a memory leak may occur when IPS / Anti-Bot / Anti-Virus Blade is enabled. |
PRJ-25734, |
Security Gateway |
In some scenarios, Security Gateway may crash when ICAP client is enabled. |
PRJ-25619, |
Security Gateway |
In a rare scenario, Security Gateway may crash when handling some DNS packets. |
PRJ-21267, |
Security Gateway |
In some scenarios, emails may be stuck in the MTA queue. |
PRJ-24374, |
Security Gateway |
A memory leak may occur in a DNS resolving Infrastructure. |
PRJ-27556, |
Security Gateway |
In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188. |
PRJ-19767, |
Security Gateway |
Security Gateway may crash after policy installation. |
PRJ-13162, |
Security Gateway |
The show-global-assignment command may ignore the limit request and return the default limit. |
PRJ-29135, |
Security Gateway |
The cpsicdemux process may unexpectedly exit, causing Secure Internal Communication (SIC) connection to fail. |
PRJ-26136, |
Internal CA |
UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates. |
PRJ-26646, |
Internal CA |
UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424. |
PRJ-26706 |
Internal CA |
In some scenarios, it is not possible to remove expired certificates via the ICA Management tool. |
PRJ-24990, |
Threat Prevention |
UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300. |
PRJ-26539, |
Threat Prevention |
In some scenarios, the IPS update status in SmartConsole is incorrect after the automatic update fails with the "Update failed. Failed to load database" error. |
PRJ-23264, |
Threat Prevention |
In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing. |
PRJ-26991, |
Identity Awareness |
NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance. |
PRJ-29492, |
Identity Awareness |
UPDATE:
|
PRJ-26230, |
Identity Awareness |
When the PDP Gateway is connected to multiple pre-R81 PEP Gateways, the CPU consumption may be high. Refer to sk173709. |
PRJ-26800, |
Identity Awareness |
In a rare scenario, the Security Gateway may crash. |
PRJ-25922, |
Identity Awareness |
Optimized the PDP expired timers mechanism performance. |
PRJ-22280, |
Identity Awareness |
In rare scenarios, the PDPD process unexpectedly exits. |
PRJ-29403, |
Identity Awareness |
Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull. |
PRJ-27189, |
Application Control |
UPDATE: Improved matching of URLs for custom applications. |
PRJ-69657, |
IPS |
An HTTP download of a large file may unexpectedly stop with an error message. |
PRJ-25206, |
IPS |
In some scenarios, the DNS response message with record type 0 may be dropped by "Non-compliant DNS" protection. |
PRJ-26103, |
IPS |
Security Gateway may crash when the IPS profile name is very long (more than 256 characters). Refer to sk174025. |
PRJ-27955, |
IPS |
In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open. |
PRJ-25754, |
SSL Inspection |
A table hash size may be too small for some environments and cause an increased CPU usage. |
PRJ-25213, |
SSL Inspection |
In some scenarios, when HTTPS Inspection is enabled, overall memory consumption may gradually increase. Refer to sk171280. |
PRJ-26744, |
SSL Inspection |
Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692. |
PRJ-22585, |
Anti-Malware |
In some scenarios, in a cluster environment, policy installation fails with "Error code: 0-2000049". Refer to sk163257. |
PRJ-24627, |
UserCheck |
In rare scenarios, in the UserCheck portal for Threat Extraction, when clicking the "Send Original Mail to me" button, the action fails with the "An unexpected error has occurred" error. Refer sk140214. |
PRJ-22803, |
Mobile Access |
When the administrator adds more than 30 native applications, users may fail to connect via SSL Network Extender Application mode. |
PRJ-24385, |
ClusterXL |
In rare scenarios, a Load Sharing cluster can experience DHCP Relay drops with a "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message. |
PRJ-27221, |
SecureXL |
In some scenarios, SYN Defender log messages in SmartConsole show "*** MISSING ***" instead of the real log. |
PRJ-24538, |
SecureXL |
In a VSX environment, the SYN Defender configuration may not be applied correctly. |
PRJ-22787, |
SecureXL |
In a rare scenario, Security Gateway may crash after running the "fwaccel tab -t connections" command. |
PRJ-28391 |
Routing |
The checksum of PIM "register" packets may be calculated incorrectly, causing the RP router to discard a "register" packet. |
PRJ-25315, |
Routing |
In some scenarios, CPView displays incorrect values of RIP statistics. |
PRJ-27056, |
Routing |
In some scenarios, the ROUTED process may unexpectedly exit when there is a static route and a kernel route to the same destination. |
PRJ-26958, |
Routing |
The ROUTED process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected. |
PRJ-26966, |
Routing |
In some scenarios, the ROUTED process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time. |
PRJ-28836, |
Routing |
In some scenarios, an outage may occur because of premature graceful-restart exit. |
PRJ-26750, |
Routing |
In some scenarios, the NetFlow Packet may report a wrong source IP Address. |
PRJ-28954, |
Routing |
The ROUTED process may unexpectedly exit. |
PRJ-29493, |
Routing |
BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer. |
PRJ-29316, |
Routing |
AS path loops may occur, although BGP multihop is configured. |
PRJ-30697, |
VPN, |
A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers. |
PRJ-22115, |
VPN |
In rare scenarios, after policy installation, the VPND process may unexpectedly exit with core dump. |
PRJ-31026, |
VPN |
Many "remote access client IP address and port were changed" logs are generated after an upgrade. |
PRJ-28502, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-28509, |
VPN |
In some scenarios, a memory leak may occur on the Security Gateway. |
PRJ-29279, |
VPN |
In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process. |
PRJ-26396, |
VPN |
Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235. |
PRJ-23964, |
VSX |
UPDATE: Added ability to change the Management and Sync interfaces via vsx_util change_interfaces. |
PRJ-22688, |
VSX |
This fix allows create/change a VSX cluster/Gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole. |
PRJ-26129, |
VSX |
After upgrade, the VS names may be displayed incorrectly in the output of the "vsx stat -v" command. |
PRJ-25021, |
VSX |
In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793. |
PRJ-27040, |
VSX |
VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683. |
PRJ-27974, |
Gaia OS |
A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC). |
PRJ-24593, |
Gaia OS |
When the RADIUS Server uses a multi-pool "Access Challenge", the system sends many authentication requests without waiting. |
PRJ-25004, |
Gaia OS |
In some scenarios, the force-password-change option does not work. |
PRJ-28793, |
Gaia OS |
In a rare scenario, a memory leak may occur in the monitord process. |
PRJ-25247, |
Harmony Endpoint |
In some scenarios, the Policy Server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates. |
PRJ-25387, |
CloudGuard IaaS |
CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways. |
PRJ-25725, |
QoS |
A memory leak may occur when using domain names in QoS policy rules. Refer to sk174904. |
PRJ-27246, |
HCP |
Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-24085, |
HCP |
Added Update 2 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22796, |
HCP |
Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22319, |
Infrastructure |
In some scenarios, the cpmiquerybin and dbedit processes may unexpectedly exit causing buffer overflow. |
Take 202 Released on 30 May 2021 and declared as General Availability on 7 July 2021 |
||
PRJ-25035, |
Security Management |
UPDATE: If there is no license on the Security Management Server, a new verification blocks an attempt to migrate a domain. |
PRJ-22073, |
Security Management |
In rare scenarios, the Management Server may fail to start because Solr fails to initialize. |
PRJ-24484, |
Security Management |
In very large Management environments, Policy verification and installation may fail with FWM process core dump. Refer to sk173722. |
PRJ-24910, |
Security Management |
"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026. |
PRJ-22439, |
Security Management |
Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003. |
PRJ-13068, |
Security Management |
In rare scenarios, during a Global Policy Reassignment, the Management Server may unexpectedly exit and fail to start again. |
PRJ-21397, |
Security Management |
In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828. |
PRJ-22209, |
Security Management |
In rare scenarios, concurrent update operations performed by several administrators on the Management Server may fail. |
PRJ-20807, |
Security Management |
On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704. |
PRJ-15903, |
Security Management |
Security policy compilation fails if the Domain network object name (FDQN name) contains space. |
PRJ-23771, |
Security Management |
"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation. |
PRJ-23920, |
Security Management |
SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server. |
PRJ-22870, |
Security Management |
In some scenarios, policy installation fails with "Error code 0-2000077" message. |
PRJ-21255, |
Security Management |
In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large. |
PRJ-22610, |
Security Management |
In some scenarios, a Domain migration may fail during the Access Policy import with the "Object not found" error in cpm.elg file. |
PRJ-17226, |
Security Management |
In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently. |
PRJ-23541, |
Security Management |
In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles. |
PRJ-9514, |
Security Management |
The Rule UID is hidden in Audit logs. Refer to sk165016. |
PRJ-22844, |
Security Management |
Running override_server_setting.sh may not update settings correctly when updating a setting multiple times. |
PRJ-22128, |
Security Management |
In a rare scenario, Management HA synchronization fails after the Purge Revisions operation. |
PRJ-21916, |
Security Management |
In some scenarios, Desktop policy fails with "Policy installation had failed due to an internal error. If the problem persists please contact Check Point support". Refer to sk171970. |
PRJ-24757, |
Multi-Domain Management |
Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x. |
PRJ-23695, |
Multi-Domain Management |
Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain. |
PRJ-22636, |
Multi-Domain Management |
In rare scenarios, the Multi-Domain Management Server may fail to start if Domains were previously deleted. |
PRJ-24213, |
Multi-Domain Management |
In Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application. |
PRJ-22136, |
Multi-Domain Management |
A Multi-Domain Server with dozens of Domains may take a long time to start. |
PRJ-21910, |
Multi-Domain Management |
In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup. |
PRJ-24018, |
Multi-Domain Management |
In some scenarios, after an upgrade of a Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain. |
PRJ-22520, |
Multi-Domain Management |
In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704. |
PRJ-22580, |
Multi-Domain Management |
In some scenarios, HA Full Sync on the System Domain fails after an upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059. |
PRJ-13188, |
Multi-Domain Management |
In a rare scenario, Advanced upgrade from R80.10 may fail. |
PRJ-22594, |
Multi-Domain Management |
Create Domain action may fail with a "License violation detected" error even though CPSM-DOMAINS-1 license is applied on the Management Server. |
PRJ-22201, |
SmartConsole |
In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker. |
PRJ-19497, |
SmartConsole |
"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' Blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management servers has the "Logging & Status" Blade disabled. Refer to sk172226. |
PRJ-21621, |
SmartConsole |
In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905. |
PRJ-17274, |
SmartConsole |
The "Recent Tasks" view allows only Super Users to view other administrators' tasks. |
PRJ-21600, |
Compliance |
In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed. |
PRJ-16049, |
Compliance |
Deactivated Compliance Best Practices appear in the Compliance report. |
PRJ-21183, |
Logging |
NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated. |
PRJ-25143, |
Logging |
NEW: Added support for JSON format in Log exporter. |
PRJ-20255, |
Logging |
NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323. |
PRJ-23646, |
Logging |
In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention Blades, logs of "Anti Spam" Blade are not exported. |
PRJ-24892, |
Logging |
Starting from Jumbo Take 183, logs exported in LogRhythm format via the Log Exporter, appear in an incorrect format. |
PRJ-12424, |
Logging |
In some scenarios, exported FireWall logs from a Security Gateway to an external syslog serve (sk87560) contain a redundant new line character. |
PRJ-24227, |
Logging |
In some scenarios, when declaring a filter in Log Exporter, logs may not be exported. Refer to sk173025. |
PRJ-23202, |
Logging |
In rare scenarios, when creating a Log server object and establishing SIC, log queries from the newly created Log server object may fail. |
PRJ-15324, |
Logging |
In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done. |
PRJ-23006, |
Logging |
In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis. |
PRJ-23413, |
Logging |
In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results). |
PRJ-15782, |
Logging |
In SmartView, when the user exports a container widget with charts to PDF, some data may be missing, and the charts may be shown in a distorted manner. |
PRJ-21364, |
Logging |
In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly exit. |
PRJ-20816, |
Logging |
In SmartView, chart and timeline widgets may show a "Query Failed" error. |
PRJ-23155, |
Logging |
When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763. |
PRJ-22182, |
Logging |
In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one. |
PRJ-22246, |
Logging |
In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles". |
PRJ-21143, |
Logging |
In SmartView, when opening a log card popup in lower resolutions, the text in the header may be cut off. |
PRJ-18557, |
Logging |
In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999. |
PRJ-21292, |
Logging |
|
PRJ-2291, |
Logging |
A super user connected to SmartConsole in the context of the Domain Management Server cannot see search suggestions for global objects. |
PRJ-21899, |
Security Gateway |
NEW: Added new troubleshooting tool to cplic command for Entitlement manager. |
PRJ-22692, |
Security Gateway |
UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607. |
PRJ-10987, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560. |
PRJ-20979, |
Security Gateway |
In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server. |
PRJ-23945, |
Security Gateway |
In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode. |
PRJ-22621, |
Security Gateway |
In some scenarios, the VSX Cluster switch may cause a core dump. |
PRJ-704, |
Security Gateway |
In rare scenarios, the FWD process on the Security Gateway may unexpectedly exit when the user configures a non-existing log server. |
PRJ-23424, |
Security Gateway |
The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145. |
PRJ-23455, |
Security Gateway |
In some scenarios, values set in fwkern.conf may not be applied correctly. |
PRJ-23038, |
Security Gateway |
In a rare scenario, Security Gateway may crash during the Application Control / IPS / Anti-Bot package update. |
PRJ-25908, |
Security Gateway |
In a rare scenario, machine hangs and the user is unable to run any command. Refer to sk173405. |
PRJ-19797, |
Security Gateway |
Improved the policy enforcement of the ZIP archive inner files. |
PRJ-23397, |
Security Gateway |
Added support for "Other" services configured with IP protocol, but without advanced "Match" expression. |
PRJ-21669, |
Security Gateway |
In some scenarios, a Security policy installation fails during high CPU utilization. |
PRJ-19409, |
Security Gateway |
The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled. |
PRJ-21469, |
Security Gateway |
When the Security Gateway is configured as a proxy, some network objects may not be matched correctly. |
PRJ-21309, |
Security Gateway |
Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754. |
PRJ-24296, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway. |
PRJ-11764, |
Security Gateway |
"cpas_glue_psync_h: No synced opaque" error messages may appear in dmesg as a result of the synchronization of the members in the cluster. Refer to sk167033. |
PRJ-23098, |
Security Gateway |
The connection may not exist in SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allow out of state TCP packets. |
PRJ-22935, |
Security Gateway |
When using "User Alert 3" in the code alert, cosmetic error "FW-1: fwdrv_get_string_id_from_code: illegal parameters for code 8" appears in the /var/log/messages file. |
PRJ-22370, |
Security Gateway |
In some scenarios, the Security Gateway attempts to access the Management Server through the server's NAT IP address (defined in the "NAT" section of the server object), while the server is reachable only through the main IP address (defined in the "General Properties" section of the server object). Refer to sk171665 to configure the required parameter SKIP_NATTED_IP. |
PRJ-22452, |
Security Gateway |
In a rare scenario, Security Gateway may crash with fwk and fwk_wd core dump files. |
PRJ-25269, |
Internal CA, VPN, Multi-Portal |
UPDATE: The IKE certificates validity period is set to 1 year by default. Refer to sk176527. |
PRJ-22078, |
Internal CA |
In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process unexpectedly exits when trying to renew a certificate on a standby Domain. |
PRJ-23140, |
Internal CA |
The output of the "lscert" command has duplicate lines for all certificates that are not in "pending" status |
PRJ-21723, |
Content Awareness |
In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow. |
PRJ-21969 |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit due to synchronization issues in CaptivePortalManager. |
PRJ-26474 |
Identity Awareness |
There may be enforcement issues with Terminal Servers agent (MUH Agent) sessions. |
PRJ-22356, |
Identity Awareness |
In some scenarios, output of "pdp conn pep" command may show wrong PEP names. |
PRJ-21496, |
Identity Awareness |
Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH). |
PRJ-21454, |
Identity Awareness |
In some scenarios, VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*). |
PRJ-23515, |
Application Control |
The fw_full (FWD daemon) unexpectedly exits, producing a core dump file and causing a cluster failover. |
PRJ-21768, |
Application Control |
A failure log may be generated when inspecting connections to servers with certificates without a Common Name (CN) field. |
PRJ-21293, |
URL Filtering |
UPDATE: Improved RAD event output to provide additional information on events, such as detailed timing This update also activates the retry mechanism by default. |
PRJ-14540, |
IPS |
UPDATE: Exceptions are now enforced for these IPS protections:
Refer to sk166222. |
PRJ-23305, |
IPS |
UPDATE: Added support for PM statistics when IPS is disabled. |
PRJ-19940, |
SSL Inspection |
UPDATE: Avoid sending the TLS probe during inbound inspection when it is not necessary for the SNI-based categorization. |
PRJ-21690, |
SSL Inspection |
UPDATE: Avoid sending the TLS probe during the inbound inspection when a rule is matched according to the IP address. |
PRJ-21707, |
SSL Inspection |
In rare scenarios, a memory leak may occur in a crypto module. |
PRJ-24464, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-19853, |
SSL Inspection |
TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated. |
PRJ-24461, |
SSL Inspection |
In some scenarios, memory leaks may occur after policy installation. |
PRJ-19775, |
SSL Inspection |
In some scenarios, the WSTLSD process may unexpectedly exit when browsing to certain websites. |
PRJ-19779, |
SSL Inspection |
A memory leak may occur during policy installation. |
PRJ-20266, |
Anti-Malware |
Packet capture may not be generated for certain IPS protections. |
PRJ-21060, |
Anti-Malware |
In a rare scenario, HTTP connections are timed-out. |
PRJ-22018, |
Anti-Malware |
In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected. |
PRJ-24142, |
SecureXL |
UPDATE: Firewall debug drop template message now indicates the rule ID the template was created from. |
PRJ-24649, |
SecureXL |
In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file. |
PRJ-21696, |
SecureXL |
NEW: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces. |
PRJ-22165, |
SecureXL |
Rate limiting rules using concurrent-connection counters may cause connections to be blocked. |
PRJ-22286, |
SecureXL |
TCP reset packets may be dropped with an invalid sequence. |
PRJ-19369, |
SecureXL |
Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries. |
PRJ-22913, |
SecureXL |
Improved the Smart Connection Reuse feature to be consistent with the user configuration. Refer to sk24960. |
PRJ-22433, |
SecureXL |
In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections. |
PRJ-20698, |
SecureXL |
In some scenarios, not all IP addresses listed in Deny List file $FWDIR/conf/deny_lists are loaded. |
PRJ-23457, |
SecureXL |
A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns". |
PRJ-23057, |
SecureXL |
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. This fix enables the new property per specific VS in VSX environment. Refer to sk147093. |
PRJ-16531, |
Routing |
UPDATE: The user does not have to enable logging/accounting in SmartConsole to generate the Netflow records. A new 'NetFlow Firewall rule' option was added to configure NetFlow to report per Firewall rule by turning it on and enabling Log/Accounting per rule. |
PRJ-24788, |
Routing |
In some scenarios, OSPF configured with unnumbered VTI on cluster frequently moves between "Full" and "EXSTART" status. |
PRJ-24713, |
Routing |
In OSPF environment, the routed process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss. |
PRJ-23246 |
Routing |
Gaia VRRP member freezes when deleting a VLAN interface. Refer to sk106226. |
PRJ-13303, |
VPN |
NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity. |
PRJ-15566 |
VPN |
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address. Refer to sk116453. |
PRJ-25486, |
VPN |
In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266. |
PRJ-22410, |
VPN |
In some scenarios, L2TP tunnel is not deleted completely upon disconnection. |
PRJ-22540, |
VPN |
Added stability fix in validation checks for ECDSA certificates. |
PRJ-25096, |
VPN |
Tunnel Test packets may be dropped by the Secure Configuration Verification (SCV) check when implied rules are disabled. Refer to sk168033. |
PRJ-23300, |
VPN |
In rare scenarios, the VPND process may unexpectedly exit in an L2TP-related flow. |
PRJ-7475, |
VPN |
The VPND process may unexpectedly exit during policy installation when the Mobile Access Blade is used. |
PRJ-21540, |
VPN |
Added VPN Remote Access stability improvement. |
PRJ-17113, |
VPN |
Remote Access VPN policy installation optimization. Refer to sk173947. |
PRJ-22179, |
VPN |
In a rare scenario, there may be an incorrect IKE ID in an ID payload with 3rd party peers in IKEv1 and IKEv2. |
PRJ-19901, |
VPN |
Mobile Access SNX may fail to connect to the Security gateway when the realm used by the client is different for the SSL VPN realm. |
PRJ-22303, |
VPN |
When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550. |
PRJ-21258, |
VSX |
Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool. |
PRJ-21426, |
Gaia OS |
NEW: Added support for hardware (sensors/NICs) data auto-update. |
PRJ-19563, |
Gaia OS |
NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix. |
PRJ-24192, |
Gaia OS |
In rare scenarios, "show asset network" command may lead to memory leak. Refer to sk174823. |
PRJ-24370, |
Gaia OS |
In some scenarios, the force-password-change option does not work. |
PRJ-10194 |
Gaia OS |
Entering diacritic characters in the Expert password may cause Clish to unexpectedly exit, resulting in a core dump. |
PRJ-25175, |
Gaia OS |
In some scenarios, when adding a "#" in the login banner, the banner becomes corrupted. |
PRJ-17585 |
Gaia OS |
The "set snmp usm user" command fails if it has more then 8 characters. This fix increases the characters limit to 31. |
PRJ-22000, |
Gaia OS |
In rare scenarios, SNMP user details may be visible in /var/log/messages file. |
PRJ-21926, |
Gaia OS |
Unable to set MTU on Igb cards. |
PRJ-20918, |
QoS |
Security gateway may crash in QoS flow when interface goes down and up during packet processing. |
PRJ-24288, |
Smart-1 Cloud |
Added Update #1 of Quantum Smart-1 Cloud. Refer to sk166056. |
Take 190 Released on 28 February 2021 and declared as General Availability on 12 April 2021 |
||
PRJ-7662, |
CPview |
CPview may show partial information, if there are more than 256 interfaces configured on the system. |
PRJ-18836, |
Security Management |
NEW: Improved FWM process performance during Security policy or database installation. |
PRJ-19949, |
Security Management |
NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally. |
PRJ-20070, |
Security Management |
NEW: Optimized the Solr build time to improve performance in the following operations:
|
PRJ-19998, |
Security Management |
UPDATE: Added improvements in policy load process, to reduce the policy installation time when having large amount of objects. |
PRJ-19698, |
Security Management |
UPDATE: If a Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours. |
PRJ-20029, |
Security Management |
UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published. |
PRJ-21589, |
Security Management |
Although the Access Settings of the Management API is set to "All IP addresses", the API server does not accept requests from any IP address unless the IP is defined explicitly as a Trusted Client. |
PRJ-20885, |
Security Management |
In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view. |
PRJ-18473, |
Security Management |
In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process. |
PRJ-18896, |
Security Management |
Policy installation may fail after migration from Domain Management to Security Management Server. |
PRJ-20115, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-18815, |
Security Management |
Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts. |
PRJ-19023, |
Security Management |
In rare scenarios, FWM process may unexpectedly exit after a login attempt to the Management server. |
PRJ-18490, |
Security Management |
In rare scenarios, a policy installation task may never complete. |
PRJ-20852, |
Security Management |
Management Server upgrade from R80.20 to R80.40 may fail if a Network Interface object refers to a Gateway object that does not exist. |
PRJ-20840, |
Security Management |
When migrating a Domain Management Server to a Security Management Server:
|
PRJ-20302, |
Security Management |
In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error. |
PRJ-17690, |
Security Management |
In some scenarios, HA temporary sub-directories under $FWDIR/tmp are not deleted if sync fails. Refer to sk170972. |
PRJ-16472, |
Security Management |
Login with SmartConsole is blocked while the purge revisions task is running. |
PRJ-19953, |
Security Management |
The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds. |
PRJ-18286, |
Security Management |
In rare scenarios, the CPU and memory usage of the CPM process may be abnormally high. Refer to sk170672. |
PRJ-20763, |
Security Management |
High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches. |
PRJ-20802, |
Security Management |
In some scenarios, delete partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains. |
PRJ-21584, |
Security Management |
In rare cases, the CPM Solr process may not be stopped when running cpstop or mdsstop. |
PRJ-21187, |
Security Management |
In rare scenarios, logout from a session fails with "An internal error has occurred" message. |
PRJ-21357, |
Security Management |
In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole. |
PRJ-17787, |
Security Management |
In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT. |
PRJ-16470, |
Multi-Domain Management |
UPDATE: When reassigning Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in queue of the local server due to other tasks that are running. |
PRJ-17211, |
Multi-Domain Management |
UPDATE: With this fix, mds_backup will backup the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server. |
PRJ-22273, |
Multi-Domain Management |
In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916. |
PRJ-18688, |
Multi-Domain Management |
Database installation to the newly created Domain Log Server may fail. |
PRJ-19723, |
Multi-Domain Management |
The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.
|
PRJ-19275, |
Multi-Domain Management |
In rare scenarios, Management Server becomes inaccessible after a Global Policy reassign operation. |
PRJ-19645, |
Multi-Domain Management |
In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556. |
PRJ-17560, |
Multi-Domain Management |
In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server. |
PRJ-21342, |
Multi-Domain Management |
When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work. |
PRJ-21277, |
Multi-Domain Management |
In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059. |
PRJ-19992, |
Multi-Domain Management |
After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional:
|
PRJ-19317, |
SmartConsole |
NEW: Added support for Python 3 in Management API scripts. |
PRJ-20244, |
SmartConsole |
UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once). |
PRJ-13810, |
SmartConsole |
In some scenarios, the Administrators view shows all administrators in all domains regardless to specific permission profile of the connected administrator. |
PRJ-20145, |
SmartConsole |
SmartConsole may disconnect when searching in the Object Explorer for the text with an odd number of double quotes. |
PRJ-20784, |
SmartConsole |
When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing. |
PRJ-19831, |
SmartConsole |
The "show objects" command returns all objects in Global domain with any filter when "ip-only" flag is set to "true". |
PRJ-13121, |
SmartConsole |
In some scenarios, the "Update operation failed" error is displayed when attempting to delete a Gateway from the VPN community. Refer to sk167212. |
PRJ-19200, |
SmartConsole |
In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352. |
PRJ-14104, |
SmartConsole |
Search in Threat Prevention Exceptions in Protection/Site/File/Blade column may not return all expected results. |
PRJ-18882, |
SmartConsole |
Setting values for the environment variables of the Management API as per sk165938 does not work: the values are neither loaded nor used by the API process. |
PRJ-19059, |
SmartConsole |
Upgrade may fail due to IPS protections comment that is exceeding the comment length limit. |
PRJ-13815, |
SmartConsole |
In some scenarios, when the user attempts to delete a VSX Gateway / VSX Cluster, an error message may appear and the operation may not be completed successfully. Refer to sk167492.
|
PRJ-18380, |
SmartConsole |
In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances. |
PRJ-20313, |
SmartConsole |
In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895. |
PRJ-21523 |
SmartConsole |
In a rare scenario, Automatic NAT rules are not visible in SmartConsole. |
PRJ-20238, |
SmartConsole |
When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found". |
PRJ-18920, |
SmartConsole |
In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435. |
PRJ-17480, |
SmartProvisioning |
In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status. |
PRJ-17998, |
Logging |
NEW:
|
PRJ-12199, |
Logging |
In some scenarios, the "Failed to fetch the file" error is displayed when trying to open Threat Emulation summary reports generated by VSX Gateways. |
PRJ-17354, |
Logging |
FWM and\or log_indexer processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452. |
PRJ-1651, |
Logging |
UPDATE: Added ability to SOLR process running on the Log server to prevent TLS1.1 and below in port 8211. Refer to sk168472. |
PRJ-19714, |
Logging |
When installing a newer Jumbo Hotfix, the Log Exporter filtering configuration may not persist and set to default. |
PRJ-16174, |
Logging |
In some scenarios, the cpsemd process on the log server may close unexpectedly during a restart, shutdown or upgrade. |
PRJ-17162, |
Logging |
The "show-log" API command may fail with the "GENERIC_SERVER_ERROR" error. |
PRJ-7952, |
Logging |
In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676. |
PRJ-19008, |
Logging |
In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196. |
PRJ-21157, |
Logging |
In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments. |
PRJ-11310, |
Logging |
In Multi-Domain Management environments, some of the LOG_INDEXER processes may fail to start due to an occupied port. |
PRJ-19820, |
Logging |
In rare scenarios, the log_indexer process may unexpectedly exit when reading a specific log format. Refer to sk116117. |
PRJ-7523, |
Logging |
Connection between the Gateway and the Log Server may go down, with the following error message in the fwd.elg file on the Gateway: "Log server xxx.xxx.xxx.xxx went down". |
PRJ-5872, |
Logging |
In rare scenarios, when the user configures a custom event with a script based automatic reaction in SmartEvent, the SmartEvent client may show the following error: "Server is not responding. Please try to reconnect later". Refer to sk155192. |
PRJ-20561, |
Logging |
In rare scenarios, the Log Exporter fails to connect to external destination when using the TLS protocol. |
PRJ-19843, |
SmartView |
UPDATE: Improved the time resolutions usability (formally known as samples) of the Timeline widgets. |
PRJ-20872, |
SmartView |
UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel. |
PRJ-18778, |
SmartView |
In rare scenarios, "Critical attacks allowed by policy widgets" in "General Overview" view may show no results while actual data exists. Refer to sk171001. |
PRJ-9548, |
Security Gateway |
NEW: Added DNS Passive Learning feature for enhanced non-FQDN domain objects & updatable objects matching. Refer to sk161612. |
PRJ-11341, |
Security Gateway |
NEW: Added support for authentication with a RADIUS server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3. |
PRJ-20335, |
Security Gateway |
NEW: Added Performance improvement when IP Pool NAT is used. |
PRJ-13344, |
Security Gateway |
In a rare scenario, the FWD process opens connections to port 111. |
PRJ-20735, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-21609, |
Security Gateway |
Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold". |
PRJ-11203, |
Security Gateway |
In some scenarios, traffic that is matched on implied rule is dropped while it should not. |
PRJ-20382, |
Security Gateway |
In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher. |
PRJ-21242, |
Security Gateway |
In rare scenarios, proxy ARP entries may be deleted when installing a policy. |
PRJ-20629, |
Security Gateway |
In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server. |
PRJ-21108, |
Security Gateway |
Authentication may fail when LDAP branch name contains "\". |
PRJ-11404, |
Security Gateway |
In some scenarios, dmesg shows "up_manager_resume_chain: fwhold_send failed. chain will be dropped by the fwhold API" error messages when the connection was already dropped and cannot be resumed. Refer to sk133253. |
PRJ-20652, |
Security Gateway |
Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and the wrong username/password is provided by the user. |
PRJ-18627, |
Security Gateway |
Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992. |
PRJ-11792, |
Security Gateway |
False "alert" logs may be displayed in some Anti-Spam events. |
PRJ-20720, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-20897, |
Security Gateway |
In some scenarios, the DNS requests from the Security gateway may fail. |
PRJ-19701, |
Security Gateway |
In rare scenarios, a memory leak may occur in TOPOD process. |
PRJ-14446, |
Security Gateway |
In some scenarios, large number of interfaces defined on Security gateway may cause high CPU utilization by CPD process. Refer to sk168674. |
PRJ-17366, |
Security Gateway |
DynamicID via SMTP does not work when an HTTP proxy server is defined. |
PRJ-19954, |
Security Gateway |
Half-closed accelerated TCP connections may take too long time to expire. |
PRJ-19064, |
Security Gateway |
In a rare scenario, Security Gateway memory consumption may increase and lead to a memory leak. |
PRJ-13374, |
Security Gateway |
The TCP State Logging feature may not work as expected. Refer to sk101221. |
PRJ-19582, |
Security Gateway |
In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic. |
PRJ-19848, |
Security Gateway |
In some scenarios, a memory leak may appear after sending a packet from the kernel. |
PRJ-19158, |
Threat Extraction |
UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable. To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy. |
PRJ-9943, |
Anti-Malware |
In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway. |
PRJ-17841, |
Anti-Malware |
In some scenarios, Threat Prevention logs appear half full (not unified). |
PRJ-19736, |
Anti-Malware |
In some scenarios, users may fail to access a web site with many malicious URLs. |
PRJ-12467, |
Anti-Malware |
In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus Blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606). |
PRJ-19742, |
Anti-Bot |
Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure. |
PRJ-18124 |
Identity Awareness |
NEW: Added Identity Sharing SmartPull mechanism performance and functionality improvements. Refer to sk170516. |
PRJ-13173, |
Identity Awareness |
UPDATE: Optimized memory usage in the PDP process's LDAP operations. |
PRJ-19748, |
Identity Awareness |
In some scenarios, the Security Gateway may not recognize an IP address as a local address, resulting in wrong drops. |
PRJ-19636, |
Identity Awareness |
In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process. |
PRJ-16169, |
Identity Awareness |
After changing 'pdp nested_groups __set_state 2' ,flat groups are fetched correctly, but nested groups are not fetched. Refer to sk166199. |
PRJ-12501, |
Identity Awareness |
In some scenarios, Identity Awareness counters in cluster environments show zero. |
PRJ-20844, |
Identity Awareness |
In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136. |
PRJ-20093, |
DLP |
UPDATE: Added support for multi-part data to DLP. |
PRJ-17871, |
HTTPS Inspection |
UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:
For configuration, refer to sk173633. |
PRJ-18822, |
HTTPS Inspection |
Cannot browse with Chrome when using mixed chain with ECDSA subordinate CA in HTTPS Inspection. Refer to sk170332. |
PRJ-19468, |
HTTPS Inspection |
In some scenarios, the HTTPS Inspection CA bundle is not created on the Security Gateway. |
PRJ-18702, |
UserCheck |
When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear on URL field of log details. |
PRJ-19038, |
UserCheck |
In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message. |
PRJ-13968, |
IPS |
UPDATE: The "ips stat" command now shows all active Threat Prevention profiles with IPS enabled on the Security Gateway. |
PRJ-13497, |
IPS |
In some scenarios, a non-compliant IMAP traffic is dropped. |
PRJ-14059, |
IPS |
In some scenarios, SmartEvent does not create IPS events based on the "Critical severity" field. |
PRJ-19297, |
IPS |
In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs. |
PRJ-20345, |
IPS |
In rare scenario, the SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally. |
PRJ-10921, |
IPS |
In some scenarios, "cmik_loader_fw_context_match_cb: match_cb for CMI APP 10 failed" error appears in dmesg for HTTP traffic. |
PRJ-18177, |
URL Filtering |
In some scenarios, the wstlsd process may unexpectedly exit and produce a core dump. |
PRJ-20583, |
Mobile Access |
Removed potential XSS vulnerability in the MAB Login page. |
PRJ-19233, |
Mobile Access |
There may be a delay when connecting to HTTPS based SMS portal over a non-standard proxy port. Refer to sk170497. |
PRJ-17323, |
Mobile Access |
A user may not connect with Remote Access Client if this user belongs to many groups defined in SmartConsole. |
PRJ-20532, |
ClusterXL |
In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing. |
PRJ-14358 |
ClusterXL |
Same MAC Magic configuration on different clusters in Unicast mode may cause flapping in switch. Refer to sk167206. |
PRJ-16513, |
SecureXL |
NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features. |
PRJ-14937, |
SecureXL |
UPDATE: "fwaccel dos blacklist" and "fwaccel dos whitelist" commands are deprecated and replaced by "fwaccel dos deny" and "fwaccel dos allow". Refer to sk112454. |
PRJ-18320, |
SecureXL |
UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146. |
PRJ-20024, |
SecureXL |
Server may not reuse the TCP connection when the user allows out of state TCP packets. |
PRJ-16580, |
SecureXL |
In some scenarios, traffic with the destination IP address as the broadcast address configured according to sk98810 is dropped. |
PRJ-18081, |
SecureXL |
SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132. |
PRJ-20052, |
SecureXL |
In rare scenarios, SecureXL may crash due to NULL handling. |
PRJ-891, |
SecureXL |
In some scenarios, output of "fwaccel stat" command does not display the layer name that disables the templates (only "Layer ---" is displayed). Refer to sk145533. |
PRJ-19661, |
SecureXL |
In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface. |
PRJ-19403, |
SecureXL |
In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148. |
PRJ-17401, |
SecureXL |
In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293. |
PRJ-16353, |
CoreXL |
In a rare scenario, CPU consuming on some instances is high. Refer to sk168513. |
PRJ-20468, |
Gaia OS |
In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object). Refer to sk171055 to configure the required parameter FORCE_NATTED_IP. |
PRJ-19143, |
Gaia OS |
UPDATE: Added the option to bind IP addresses to sockets using the udp_connect API. Refer to sk171019. |
PRJ-18240, |
Gaia OS |
"cphaprob -h" shows wrong explanation for "cphaprob show_bond [<bond_name>]" command. |
PRJ-18078, |
Gaia OS |
On environments with large IP routing tables, the SNMPD process may consume 100% CPU when running a scan from an external tool. Refer to sk170150. |
PRJ-20940, |
Gaia OS |
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253. |
PRJ-18086, |
Gaia OS |
Query routing info via SNMP may consume 100% CPU in case of a massive IP routing table. Refer to sk170150. |
PRJ-18937, |
Gaia OS |
In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file. |
PRJ-20745, |
Gaia OS |
CVE-2020-25705: ICMP reply rate. |
PRJ-15659, |
Routing |
UPDATE: Display of routing CPview results is limited to 30 lines. |
PRJ-18798, |
Routing |
In some scenarios, the ROUTED process unexpectedly exits when removing an OSPF interface that had authentication configured. Refer to sk170272. |
PRJ-19460, |
Routing |
Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works. |
PRJ-19626, |
Routing |
ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works. |
PRJ-20441, |
Routing |
The old route may be not removed when an BGP ECMP route was changed. |
PRJ-20436, |
Routing |
ECMP route nexthops learned from BGP peers may be not properly updated in the kernel, resulting in network connectivity loss. |
PRJ-18785, |
VPN |
NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2. |
PRJ-17484, |
VPN |
NEW: Added Anti-Spoofing functionality for Remote Access Office Mode IPs in SecureXL. |
PRJ-16429 |
VPN |
UPDATE: Added support for fetching CRL with proxy in Site-to-site VPN configuration. |
PRJ-19087, |
VPN |
UPDATE: Remote Access VPN stability improvement. |
PRJ-15547, |
VPN |
UPDATE: Added the TTM-per-group feature improvement that allows it to work with more client types (for example Nemo client). |
PRJ-15739, |
VPN |
In some scenarios, findSAByPeer does not validate the peer IP address for DAIP peer behind NAT. |
PRJ-18750, |
VPN |
In some scenarios, the Dynamic ID configuration in SmartConsole (SMS/Email) is ignored. Refer to sk144933. |
PRJ-20330, |
VPN |
Security Gateway may crash when you install policy on a MAB Gateway and a policy file is corrupted. |
PRJ-20865, |
VPN |
In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues. |
PRJ-20945, |
VPN |
In some scenarios, L2TP clients disconnect from the Security gateway after 10 minutes of the connection. |
PRJ-17491, |
VPN |
In IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync causing a VPN traffic outage. Refer to sk172926. |
PRJ-7479, |
VPN |
Policy installation with VPN enabled may take a long time. |
PRJ-19421, |
VPN |
In some scenarios, the vpnd process unexpectedly exits with Segmentation fault. |
PRJ-20824 |
VPN |
In IKEv2, the renegotiation of IKE SA may fail. |
PRJ-20646, |
VPN |
In some scenarios, the VPND process may unexpectedly exit. |
PRJ-20272, |
VPN |
In a rare scenario, a memory leak may appear when RASession_util is active. |
PRJ-20519, |
VPN |
In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol. |
PRJ-16338, |
VPN |
The user may be unable to connect with Remote Access when the username or user field in the certificate is too long. |
PRJ-13093, |
VPN |
RADIUS packet sent by Security gateway, may show the Framed-IP-Address field in the reverse order. Refer to sk167361. |
PRJ-19213, |
VPN |
Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled. |
PRJ-18268, |
VPN |
The VPND process on a standby cluster member may unexpectedly exit when VPN peer has a probing link selection configured. Refer to sk170136. |
PRJ-12240, |
VPN |
When clicking "View" in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496. |
PRJ-13819, |
VPN |
Access roles do not recognize Remote Access SNX CLI clients. |
PRJ-18500, |
VSX |
UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903. |
PRJ-18292, |
VSX |
VSX VSLS with 3 Members may fail to connect to Identity Collector. Refer to sk170836. |
PRJ-20962, |
VSX |
After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352. |
PRJ-18612, |
VSX |
In some scenarios, there may be high CPU utilization in a VSX environment with several instances. |
PRJ-18575, |
Compliance |
UPDATE: Added ability to select 'Any' in the Service column when creating a custom firewall Best practice.
|
PRJ-14100, |
Compliance |
In some scenarios, Compliance Blade does not scan inline layers for Application Control and URL Filtering Best Practices. |
PRJ-20601, |
VoIP |
VoIP RTP can cause overload on global instance (CoreXL instance 0). |
PRJ-16454, |
VoIP |
SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373. |
Take 188 Released on 8 December 2020 and declared as General Availability on 28 December 2020 |
||
PRJ-20083, |
CloudGuard IaaS |
UPDATE: Added new certificates for Microsoft Azure. For details, refer to this Microsoft article. |
Take 187 Released on 17 November 2020 |
||
PRJ-18356, |
CPView |
In some scenarios, peak values for interfaces are not updated in CPView. |
PRJ-14450, |
CPView |
In some scenarios, CPView may unexpectedly exit after upgrade from R80.20 GA. |
PRJ-16145, |
Security Management |
NEW:
|
PRJ-15499, |
Security Management |
NEW: The $MDS_FWDIR/scripts/cpm_status.sh script will show if the CPM process fails to start. |
PRJ-15565, |
Security Management |
NEW: In some scenarios, modifying or deleting objects in bulk may cause slowness in SmartConsole responses and long duration of operations. Ability to improve performance in such cases was added. Refer to sk135972. |
PRJ-14490, |
Security Management |
In some scenarios, migrating two different Security Management Servers to domains in the same Multi-Domain Management Server fails. |
PRJ-14523, |
Security Management |
Upgrade from R80.10 may take many hours when there are hundreds or more Administrators and dozens or more Permission Profiles defined. |
PRJ-16197, |
Security Management |
When running the "show-access-rulebase" API command with filter, and the selected layer is an inline layer, rules of the inline layer are not returned even though they match the search criteria. |
PRJ-15495, |
Security Management |
$MDS_FWDIR/scripts/solr_start.sh script may fail to start Solr Cure if sk123417 is applied. |
PRJ-11702, |
Security Management |
The Purge Revisions operation may not clean deleted objects of previous revisions. |
PRJ-13611, |
Security Management |
In rare scenarios, the "where-used" API command fails with "Management server failed to execute command" error. |
PRJ-17041, |
Security Management |
In rare scenarios, some objects may be locked and not available for editing. Refer to sk169772. |
PRJ-15417, |
Security Management |
In some scenarios, Read-Only sessions appear twice in the Sessions view. |
PRJ-17073, |
Security Management |
In some scenarios, the Security Management Server's startup takes a very long time after editing or deleting many Administrators. |
PRJ-16367, |
Security Management |
When logging into SmartConsole directly to a Domain using RADIUS or TACACS, the Authentication method in the audit log may show as "Internal Password". Refer to sk168716. |
PRJ-18045, |
Security Management |
In rare scenarios, a Management server may become inaccessible and requires a reboot. Refer to sk170634. |
PRJ-13725, |
Multi-Domain Management |
NEW:
|
PRJ-16425, |
Multi-Domain Management |
Management HA incremental synchronization may break on the MDS level with "failed to import data" error message due to an operation related to the Compliance Blade. |
PRJ-17305, |
Multi-Domain Management |
In rare scenarios, the FWM process may unexpectedly exit and fail the Multi-Domain Management server upgrade. |
PRJ-16436, |
Multi-Domain Management |
After upgrading a Multi-Domain Management Server, the object version of the Domain Management Servers or Domain Log Servers in the MDS SmartConsole may not have changed. |
PRJ-13794, |
Multi-Domain Management |
In a Multi-Domain Server, domain-related processes may not start when the user runs "evstop" and then "evstart". |
PRJ-13474, |
Multi-Domain Management |
Domain Servers may disappear from Multi-Domain view after running the Solr Cure utility. |
PRJ-18683, |
Multi-Domain Management |
In some scenarios, domain import to a Multi-Domain Management Server may fail. |
PRJ-17236, |
Multi-Domain Management |
On Multi-Domain environments with multiple Multi-Domain servers connected in HA, operations such as "Log in" and "Reassign Global Domain" may fail due to high load on FWM process. |
PRJ-7431, |
Multi-Domain Management |
In rare scenarios, reassigning the Global Policy on a specific domain fails with "An internal error has occurred". Refer to sk163938. |
PRJ-17068, |
Multi-Domain Management |
In some scenarios, Domain appears in the System Domain without any Domain Servers. |
PRJ-16641, |
Multi-Domain Management |
In some scenarios, Domain Management Server is shown in System Domain under Domains View even though it was deleted. |
PRJ-13904, |
SmartConsole |
In some scenarios, when working with older applications like SmartView or SmartProvisioning, the admin count in SmartConsole presents an incorrect number of connected admins. |
PRJ-13454, |
SmartConsole |
In some scenarios, Management API commands with "details-level":"full" Payload return a truncated output and fail to complete. Refer to sk170414. |
PRJ-12853, |
SmartConsole |
Hit count data may not be deleted automatically. |
PRJ-17130, |
SmartConsole |
When scrolling or clicking a rule, some inline layer rules may open unexpectedly. |
PRJ-16704, |
SmartConsole |
Enabling Threat Prevention policy may fail with validation errors when the policy's targets include cluster members running a version lower than R80.10. |
PRJ-16060, |
SmartConsole |
In some scenarios, certain Gateways do not appear in the IPS Core protections list. Refer to sk168474. |
PRJ-17878, |
SmartConsole |
In Global Properties under Stateful Inspection tab, the "TCP end timeout (R80.20 and higher gateways)" option does not support values higher than 60 seconds.
|
PRJ-15816, |
SmartConsole |
In some scenarios, Management API does not start automatically after restart, although automatic start is enabled. Refer to sk168332. |
PRJ-18039, |
SmartConsole |
In some scenarios, after a successful IPS update, the new IPS version does not appear under 'switch version' window. |
PRJ-17412, |
SmartConsole |
When removing an object from a group using the "groups" field of the object's module in the Ansible collection, the group will not be changed and Ansible will show that no changes are needed. |
PRJ-18330, |
SmartConsole |
Exception group may be incorrectly deleted in the following scenarios:
|
PRJ-17007, |
SmartConsole |
When using SmartConsole CLI, the application may unexpectedly terminate if the input has quotation marks that are not closed. |
PRJ-16466, |
SmartConsole |
Update corporate Gateway procedure takes a long time and may cause login issues and general slowness in the Provisioning GUI. |
PRJ-15833, |
SmartProvisioning |
In some scenarios, when the user installs policy on R77.30 Central Office Security Gateway from Management version R80 and higher, VPN tunnels may be dropped for LSM Gateways. |
PRJ-14355, |
SmartView |
In SmartView, when the user sends a generated report via email in a language with non-standard English letters (Accented, Cyrillic, Chinese, Japanese, etc), some of the text may appear as question marks (?). |
PRJ-16888, |
SmartView |
In SmartView, after adding a new page to a report, the preview page appears to have no data although it has (this data appears in the Edit Mode). |
PRJ-17013, |
Logging |
NEW: Added ability to filter Threat Prevention and Endpoint logs by file size on a Log server machine via Logs & Monitor view in SmartConsole. |
PRJ-13348, |
Logging |
In some scenarios, when the user configures the log exporter filter with the "cp_log_export" command (action, origin, product), the filter is not configured properly according to the used format. |
PRJ-490, |
Logging |
In SmartConsole logs tab, filtering logs by the field "Method" may return empty results when using the values PROPFIND, CCM_POST or PATCH. |
PRJ-5135, |
Security Gateway |
NEW: Added performance optimization for the time object matching on the VSX environment. |
PRJ-17010, |
Security Gateway |
In some scenarios, the "CGsoapSessions::AuthenticateSession failed, session is not authenticated" message may appear in mds.elg or fwm.elg file. |
PRJ-13587, |
Security Gateway |
In a rare scenario, Security Gateway may crash during policy installation. |
PRJ-16156, |
Security Gateway |
In a rare scenario, Security Gateway may crash after policy installation. |
PRJ-13886, |
Security Gateway |
An interface name with more than 15 characters may cause the policy installation to fail. Refer to sk167955. |
PRJ-17310, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-15599, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 0-2000121". |
PRJ-11291, |
Security Gateway |
Unused OIDs may appear in SNMP MIB file. |
PRJ-15846, |
Security Gateway |
SXL drop due to routing configuration when using security zone on bridge (layer2). |
PRJ-14070, |
Security Gateway |
In rare scenarios, Security Gateway may crash due to memory allocation failure. |
PRJ-17957, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 0-2000077". |
PRJ-16086, |
Security Gateway |
In rare scenarios, a memory leak may appear on Security Gateway in gconn table. |
PRJ-19062 |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-16663, |
Security Gateway |
Security Gateway running in USFW mode (User-Mode Firewall) may crash with fwk core dump. Refer to sk169119. |
PRJ-13693, |
Security Gateway |
Proxy arp change is applied only after the second policy installation. |
PRJ-13259, |
Security Gateway |
In a rare scenario, traffic is dropped with the "[ERROR]: up_handle_get_matched_service_clob: no clob list on handle for type SERVICE;" error in dmesg. |
PRJ-18423, |
Internal CA |
In a rare scenario, some emails with links are cached due to timeout failure. |
PRJ-872, |
Internal CA |
In some scenarios, manual edit of user's certificate expiration period does not take effect. Refer to sk143292. |
PRJ-15579, |
Application Control |
In some scenarios, deprecated applications are not removed/replaced during an upgrade from R77.30 to R80.x. Refer to sk131372. |
PRJ-1454, |
Anti-Virus |
In rare scenarios, Security Gateway crashes during CIFS traffic when CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606). |
PRJ-16953, |
Anti-Malware |
In some scenarios, a file with HTTP chunked encoding is drooped if there is a Fail-Close configuration on the Anti-Virus Blade. Refer to sk169312. |
PRJ-8612, |
Anti-Malware |
In some scenarios, dmesg may show many "rad_client id 6 is not register" errors. |
PRJ-17649, |
Identity Awareness |
In some scenarios, user cannot authenticate to Captive Portal as a Guest User. |
PRJ-6862, |
Identity Awareness |
In some scenarios, the user cannot connect to the AD server when the account is set to "never expires" on Microsoft Active Directory. Refer to sk143672 |
PRJ-12452, |
Identity Awareness |
In a rare scenario, a standby cluster member receives updates from identity sources and creates a mismatch in the PDP tables. |
PRJ-18839, |
SSL Inspection |
In rare scenarios, a memory leak may occur during policy installation. |
PRJ-17197, |
HTTPS Inspection |
In a rare scenario, a connection remains open after it is closed by the server, and the web browser may load a page for a long time. |
PRJ-15974, |
UserCheck |
In some scenarios, the UserCheck daemon usrchkd may unexpectedly exit. |
PRJ-17637, |
UserCheck |
In some scenarios, UserCheck agent notifications may be blocked. |
PRJ-18190, |
IPS |
NEW: Added ability to send connection log per application match for ATM transactions identification. The functionality is disabled by default and can be enabled by using the "up_duplicate_connection_log_on_packet_matched_app_enabled" kernel parameter. |
PRJ-9123, |
IPS |
In some scenarios, Threat Prevention policy installation may fail when the Threat Prevention profile performance impact is configured to "Very Low". |
PRJ-16104, |
URL Filtering |
In some scenarios, there may be sporadic connectivity issues in the Anti-Malware/URLF service (RAD). |
PRJ-16996, |
Mobile Access |
Mobile Access portal may become unresponsive after Jumbo Hotfix uninstallation. Refer to sk169152. |
PRJ-13844, |
Mobile Access |
Browser based applications cannot be opened in MAB portal. |
PRJ-2922, |
SecureXL |
In a rare scenario, the Security Gateway may crash when deleting certain non-TCP connections. |
PRJ-9562, |
SecureXL |
In a rare scenario, Security gateway may crash when the Drop Template feature is enabled. |
PRJ-17827, |
SecureXL |
In some scenarios, CPView may show incorrect statistics for VPN encrypted/decrypted packets. |
PRJ-15390, |
Routing |
A TCP connection between cluster master and subordinate may flap on OSPF attempt to delete a non-Max-Aage LSA. |
PRJ-18023, |
Routing |
SNMP queries for bgpPeerFsmEstablishedTime return an incorrect constant value. Refer to sk170074. |
PRJ-17853, |
Routing |
In rare scenarios involving large AS paths, there may be a loss of BGP adjacency. Refer to sk170876. |
PRJ-16577, |
Routing |
In some scenarios, the routed daemon may unexpectedly exit with BGP. |
PRJ-17711, |
Routing |
Security Gateway may stop forwarding the Multicast stream when PIM is configured on it. Refer to sk169774. |
PRJ-15319, |
VPN |
In some scenarios, using LS/HA mode on a VPN tunnel may cause packets to be dropped. Refer to sk160612. |
PRJ-17629, |
VPN |
The vpnd process may unexpectedly exit when the user runs the "vpn tu" command. |
PRJ-15619, |
VPN |
Access Roles with MAB SNX as the client type may not work. |
PRJ-16208, |
VPN |
Stability improvement for Remote Access VPN. |
PRJ-16719, |
VPN |
Remote Access potential connectivity issue when there are more than 1 external interfaces. |
PRJ-17774, |
VPN |
The VPND may unexpectedly exit during IKEv2 negotiation. |
PRJ-16863, |
VPN |
Software Blade name inconsistency between login and logout logs of an SNX client. |
PRJ-873, |
VPN |
Connectivity problem in Remote Access VPN when aggressive SLP is enabled. Refer to sk148273. |
PRJ-14209, |
VPN |
The vpnd process may unexpectedly exit and a "CvpnUMD process crashed" error is printed into /var/log/messages. Refer to sk160735. |
PRJ-15835, |
VPN |
When a Gateway does not recognize the SPI, it sometimes sends the "Invalid SPI" notification in clear. As a result, the peer may ignore it, resulting in an outage. |
PRJ-11050, |
VPN |
Improved NAT Detection with 3rd party peers in IKEv1 and IKEv2. Refer to sk165003. |
PRJ-10951, |
VPN |
In some scenarios, VPN tunnel connection is dropped with "no MSA for MSPI" error. Refer to sk167393. |
PRJ-12769, |
VPN |
In some scenarios, RADIUS authentication may take more than five minutes to be fulfilled with Endpoint Clients, reaching connection timeout on the Gateway side. |
PRJ-10032, |
VPN |
In some scenarios, Security Gateway Portals and Remote Access VPN clients show wrong certificate after certificate renewal. Refer to sk131212. |
PRJ-17025, |
VPN |
The VPND process cannot stop listening on port 264. |
PRJ-18531, |
VPN |
In rare scenarios, when a Wire-Mode is configured on a community, it may cause a Security gateway from another community not to accelerate connections in SecureXL. |
PRJ-11044, |
Gaia OS |
UPDATE: CPView Network -> Top-Protocols and Network -> Top-Connections tabs were added back. Refer to sk167903. |
PRJ-16669, |
Gaia OS |
UPDATE: CPView Network -> Top-Protocols and Network -> Top-Protocols tabs was added back. Refer to sk167903. |
PRJ-15592, |
Gaia OS |
The "show configuration" Clish command may show 'Exported by admin' instead of the correct user name. |
PRJ-14457, |
Gaia OS |
It is not allowed to create usernames with reserved words, such as 'eval', 'apply' etc., in the middle of the username in WebUI. Refer to sk170681. |
PRJ-13940, |
Gaia OS |
In some scenarios, when the RADIUS user enables bash logging (as per sk99134) and moves to Expert mode, the username in the log files appears as admin instead of RADIUS. |
PRJ-15463, |
Gaia OS |
"show asset" command shows the Network card model CPAC-4-1C instead of CPAC-4-1C-L. |
PRJ-15612, |
Gaia OS |
The confd process may unexpectedly exit when the user runs the "show/set/add interface" long command. Refer to sk167635. |
PRJ-11992, |
Gaia OS |
In rare scenarios, a snapshot creation may fail. |
PRJ-6170, |
Gaia OS |
In some scenarios, the monitord process may consume high CPU. Refer to sk163614. |
PRJ-16077, |
Gaia OS |
In some scenarios, when the user tries to return to the factory default, the machine reverts to a different snapshot. |
PRJ-9117, |
Gaia OS |
In some scenarios, SNMP fails to report disk utilization. |
PRJ-10080, |
Gaia OS |
When enlarging the partition via lvm_manager from a small partition to a larger partition, the user may reach an internal filesystem settings limit. As a result, some filesystem monitoring commands unexpectedly exit. Refer to sk165258. |
PRJ-12860, |
Gaia OS |
Creating LOM users for Smart-1 525/625/5050/5150 appliances may fail if the username length is shorter then 4 characters. |
PRJ-12740, |
Gaia OS |
Restore backup may fail due to unmatched upgrade tools. |
PRJ-14312, |
Gaia OS |
In rare scenarios, gateway uptime in SmartConsole may show an abnormally high number. Refer to sk167937. |
PRJ-16258, |
Gaia OS |
A Timestamp in Unix/Epoch time may not be updated when the user changes a password using hash. |
PRJ-16267, |
VSX |
Latency and/or packet loss may occur for traffic which passes through a Virtual Switch in a VSX Gateway. Refer to sk168592. |
PRJ-17297, |
VSX |
Connections distribution may get unbalanced on VSX environment. Refer to sk169352. |
PRJ-18104, |
VSX |
In rare scenarios, dynamic objects database may be cloned between Virtual Systems. Refer to sk169514. |
PRJ-16529, |
CloudGuard IaaS |
NEW: Improved CloudGuard Controller logging options. |
PRJ-16252, |
CloudGuard IaaS |
Scanning of GCP Data Center may fail when instance does not have disks. |
PRJ-9401, |
QoS |
In some scenarios, QoS Policy installation fails with the following message: "Error - QoS Policy does not apply to any network interface. Please edit your Network Object and check the interfaces you wish to install on" when policy is defined properly on the interface. |
PRJ-16598, |
Endpoint Security |
In some scenarios, Policy server stops syncing with the Endpoint Security Server. Refer to sk168912. |
PRJ-15857, |
Endpoint Security |
An exception may be displayed in SmartEndpoint when uploading an offline group software deployment package. Refer to sk165852. |
PRJ-16285, |
VoIP |
NEW: Added support for HopCount field in H323 protocol. Refer to sk169513. |
Take 183 Released on 3 September 2020 and declared as General Availability on 11 October 2020 |
||
PRJ-14373, |
Diagnostics |
Missing information in total throughput/inbound/outbound packets in CPView history's Network view. |
PRJ-13960, |
Security Management |
NEW: Added the ability to purge revisions automatically based on user configuration. Refer to Automatic Purge Documentation. |
PRJ-14643, |
Security Management |
NEW: Solr server process is restarted automatically if it is not responsive for a long time. |
- |
Security Management |
Policy installation from Multi-Domain or Security Management server to R77.30 Security Gateway fails when using R80.20 Management with Jumbo Hotfix Take 173. Refer to sk169259. |
PRJ-12373, |
Security Management |
Policy Presets may disappear from view after the user runs the Solr Cure utility. Refer to sk167455. |
PRJ-14295, |
Security Management |
In rare scenarios, High Availability sync fails with "Ngm failed to import data" error after the user deletes a Permission Role. |
PRJ-13917, |
Security Management |
In some scenarios, exporting the Security Management Server in order to migrate it to Domain in Multi-Domain Environment, fails. |
PRJ-13461, |
Security Management |
In rare scenarios, Install Policy Presets are not triggered. |
PRJ-15608, |
Multi-Domain Management |
NEW: Added ability to run Management REST API on a Multi-Domain Log Server. |
PRJ-15414, |
Multi-Domain Management |
In Multi-Domain environments with High Availability, if the Management Server is stopped while there's a Purge Revisions operations in progress, the server may fail to start again. Refer to sk168175. |
PRJ-15457, |
Multi-Domain Management |
Policy Installation may fail due to an internal error in an MDS environment where there is a Global Dynamic object usage inside Networks Groups with a depth that is higher than 2-level (group inside a group). |
PRJ-14759, |
Multi-Domain Management |
In some scenarios, migrating a Domain between different Multi-Domain Management servers fails if a previous migration of the same Domain failed. |
PRJ-14453, |
Multi-Domain Management |
Policies may disappear from the Global Domain Assignments view after running the Solr Cure utility. Refer to sk168060. |
PRJ-15370, |
SmartConsole |
The user may not be able to delete objects that are referenced by a previously deleted policy. Refer to sk122954. |
PRJ-14174, |
SmartConsole |
In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker. |
PRJ-13898, |
SmartConsole |
Audit log is not shown in SmartConsole's Logs & Monitor View for the login action through API when the "-r" flag is set to true (login as root). |
PRJ-14292, |
SmartConsole |
If there are thousands (or more) of unused objects, the "show unused-objects" API command and the Unused Objects view may load and work very slowly. Also, the load on the Management server will increase, causing general slowness when working with SmartConsole. |
PRJ-12703, |
SmartView |
The SmartView Timeline may be distorted when logs contain an empty value for the field specified in the "Series" settings and when the Legend is enabled. Refer to sk167095. |
PRJ-14360, |
SmartView |
In SmartView, the icon is missing from the cover page of Compliance and Content Awareness PDF reports. |
PRJ-14530, |
SmartView |
In some scenarios, when attempting to download a DLP attachment from the log card in SmartView, the download does not start. |
PRJ-12091, |
Logging |
NEW:
|
PRJ-13560, |
Logging |
In rare scenarios, the evstop script does not stop all logging processes. As a result, upgrade procedures may hang and show no progress. |
PRJ-14047, |
Logging |
In some scenarios, the command "cp_log_export status" prints "last log read at: N/A" rather then a timestamp. |
PRJ-14367, |
Security Gateway |
UPDATE: Reduced CPU usage in some configurations by parsing TLS traffic only when required by the policy. Refer to sk166700 for more information. |
PRJ-14630, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-9847, |
Security Gateway |
In some scenarios, SCCP traffic may be dropped by the Security Gateway. Refer to sk108124. |
PRJ-12945, |
Security Gateway |
After policy installation, the output of the "cphaprob stat" command may show 'HA module not started' when a large number of non-monitored Cluster interfaces are configured in SmartConsole.
|
PRJ-14214, |
Security Gateway |
In a rare scenario, the Security gateway may crash if the rulebase contains a logical server object. |
PRJ-13379, |
Security Gateway |
In some scenarios, Security gateway generates an ICMP error with wrong IP address. Refer to sk167953. |
PRJ-15686, |
HTTPS Inspection |
In some scenarios, web traffic may be blocked with "Content Awareness - Error: Internal system error (1000)" error log. |
PRJ-7758, |
SSL Inspection |
DynamicID authentication may fail due to server certificate validation failure. Refer to sk167177. |
PRJ-16487, |
IPS |
In some scenarios, invalid characters are sent to gw-stat report. |
PRJ-12563, |
Identity Awareness |
PDP process may consume high CPU during policy installation because of a large amount of Access Roles. |
PRJ-13513, |
Identity Awareness |
In some scenarios, a XFF allowed proxy list is enforced only for instance 0 in VSLS environment after VS has transitioned from Backup to Active. |
PRJ-11194, |
ClusterXL |
In some scenarios, "fw ctl affinity" and "sim affinity" commands show wrong IRQ numbers. Refer to sk166356. |
PRJ-14609, |
SecureXL |
UPDATE: Added a global variable that enables log for packets that include unapproved IP option. This variable is off by default. |
PRJ-13412, |
SecureXL |
DECnet DIGITAL Network Architecture (Phase IV) traffic may be dropped. Refer to sk167202. |
PRJ-14517, |
SecureXL |
In a rare scenario, a VSX gateway with Virtual Switch may crash. |
PRJ-13760, |
SecureXL |
Security Gateway may crash when concurrent connection rules exist in the DOS/Rate limiting policy and the Application Control Blade is enabled. |
PRJ-15899, |
SecureXL |
An asymmetric routing issue may occur between a Virtual System and a Virtual Switch/Router. |
PRJ-13924, |
Routing |
UPDATE: Increased the configuration limits of the BFD timers for detect multiplier, minimum RX interval, and minimum TX interval to 255, 255000, and 255000, respectively. |
PRJ-5817, |
Routing |
BGP connection may fail to establish when there are multiple peer groups with the same AS number in iBGP configurations. |
PRJ-14432, |
Gaia OS |
NEW: Added support for CPAC-4-10-AB cards. |
PRJ-14410, |
Gaia OS |
In some scenarios, the snapshot creation fails because of compression errors. |
PRJ-13153 |
Gaia OS |
In some scenarios, a snapshot creation may fail. |
PRJ-10799 |
Gaia OS |
In some scenarios, due to backup compression errors, restoring a backup does not restore all files. |
PRJ-15989, |
VPN |
Starting from R80.20 Jumbo Hotfix Take 156, clients that do not support MFA (such as Mac OS and iOS) cannot connect as Remote Access clients if MFA is enabled. Refer to sk168493. |
PRJ-14404, |
VPN |
Connectivity improvements for Remote Access VPN with L2TP. |
PRJ-15328, |
VPN |
In some scenarios, Remote Access VPN traffic may be dropped when XFF is enabled. |
PRJ-14573, |
VPN |
IP compression may not work in some scenarios when IKEv2 is configured. |
PRJ-14241, |
VPN |
VPN traffic may be dropped when working with peer behind NAT - Hide NAT with Port Translation. |
PRJ-16017, |
CloudGuard IaaS |
In some scenarios, CloudGuard Controller may lose connection to GCP projects. Refer to sk168499. |
PRJ-12183, |
CloudGuard IaaS |
CloudGuard Controller may sometimes update the Standby cluster member in VSLS mode. |
PRJ-14149, |
Endpoint Security |
In some scenarios, no audit logs are shown regarding object changes in SmartEndpoint virtual groups and FDE pre-boot users. Refer to sk167907. |
PRJ-14132, |
Endpoint Security |
In some scenarios, the user cannot get an FDE Offline Management File (cpomf) for an offline group in SmartEndpoint if this group or a directory in its path has special characters \ _ %. |
Take 173 Released on 23 July 2020 and declared as General Availability on 26 August 2020 |
||
PRJ-12024, |
Security Management |
NEW: Tasks that fail to complete within 18 hours will be stopped automatically and appear as failed. Refer to sk166455. |
PRJ-12273, |
Security Management |
In Management HA configuration, a hotfix installation may fail during the verification phase. |
PRJ-12505, |
Security Management |
When using packet mode in Rulebase Search, results from inline layer may be matched even though their parent layer is not. |
PRJ-4953, |
Security Management |
"The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job." message after the putkey process. Refer to sk12882. |
PRJ-12477, |
Security Management |
In some scenarios, when using Rulebase Search, the 'number of rules' section is incorrect. Refer to sk166003. |
PRJ-13158, |
Security Management |
In rare scenarios, a session becomes unusable, and one or more of the following may occur:
Refer to sk167735. |
PRJ-12669, |
Security Management |
If an administrator searches for a certain text in SmartConsole, it may cause the Management Server to become inaccessible until a restart. |
PRJ-13165, |
Security Management |
When an administrator enters a very long text into an object field (more than 32767 characters), the Security Management Server terminates and fails to start. |
PRJ-10057, |
Security Management |
In some scenarios, Security policy deletion or installation may fail when there are many Application Control objects used in this policy. Refer to sk175588. |
PRJ-12144, |
Security Management |
Management HA synchronization between the active Domain server to a standby Domain server may fail with "Failed to import data" error. |
PRJ-13032, |
Multi-Domain Management |
Global Policy reassignment may fail after performing the IPS update in the Global domain. |
PRJ-12486, |
Multi-Domain Management |
Multi-Domain Administrator configuration for RADIUS authentication may show local Domain RADIUS servers and groups. |
PRJ-12204, |
Multi-Domain Management |
In some scenarios, changes to a .def file in $FWDIR/lib may be reverted when creating a secondary CMA. |
PRJ-12554, |
Multi-Domain Management |
In some scenarios, updating firewall_properties in GuiDBedit in the MDS context fails. Refer to sk42184. |
PRJ-9599, |
Multi-Domain Management |
In environments with more than five Multi Domain servers, changes to objects may not be reflected in the logs. |
PRJ-1391, |
Multi-Domain Management |
NEW: Added ability to log in to the Management Server with SmartConsole while MDS Backup is running. |
PRJ-12964, |
Multi-Domain Management |
In some scenarios, certain deleted domain level objects are visible in the SmartConsole at the MDS level. |
PRJ-12899, |
SmartConsole |
NEW: Added more information on each Management API call to api.csv. |
PRJ-12972, |
SmartConsole |
When the VSX Cluster object editor is closed without making any changes, the "Topology has changed. Please reinstall Security Policy" message is displayed unnecessarily. |
PRJ-12453, |
SmartConsole |
In some scenarios, a calculation of UIDs for irrelevant rules may result in the "Cannot insert a rule into its own sub rulebase" validation error. |
PRJ-11257, |
SmartConsole |
In some scenarios, Inspection Settings view under the General tab is blank. |
PRJ-12459, |
SmartConsole |
In some scenarios, IPS update may be locked with the message "IPS management update is locked by Scheduled update" . |
PRJ-12960, |
SmartConsole |
Global Policy reassign in MDS may fail with "An internal error has occurred" message after adding overrides to Snort protections. |
PRJ-12537, |
SmartConsole |
Unable to delete Snort protections in Multi-Domain environment - they still exist after deletion. |
PRJ-12082, |
SmartConsole |
When configuring "Visitor Mode" in SmartConsole and choosing the IP address, the wrong IP address may be displayed after clicking "OK". |
PRJ-12872, |
SmartConsole |
An incorrect netmask may be shown for Virtual System objects in the network group editor. |
PRJ-12907, |
SmartConsole |
When using the Management API "show-objects" command to show OPSEC application objects, it may fail with "Requested object [OBJECT ID] not found". |
PRJ-13006, |
SmartConsole |
In the Management API, the "show objects" command with details-level full may return the "ip-address" field even if it is empty. |
PRJ-12449, |
SmartConsole |
In some scenarios, IPS update tasks may stuck when multiple machines are attempting an update within the same time frame. |
PRJ-12209, |
SmartConsole |
When running the "show-domain" API command, the "active" field may be missing from the reply. |
PRJ-11431, |
SmartProvisioning |
The SmartProvisioning application may hang when the user adds/edits Dynamic Objects in the LSM Gateway object editor. |
PRJ-10199, |
SmartView |
SmartView may show "query failed" error message when creating a table widget with filter by source/destination host name. Refer to sk119056. |
PRJ-10669, |
SmartView |
In SmartView, when using a language other than English, an error may occur when drilling down on a widget. |
PRJ-12690, |
Compliance |
Compliance Blade may show incorrect Best Practice status if one or more relevant network objects for that Best Practice is in status "N/A". |
PRJ-2194, |
Logging |
NEW: Added new SmartView Report for SandBlast Threat Extraction. The report provides visibility of sanitized files in mail and web downloads, including cleaned file types and cleaned active and embedded content. |
PRJ-10155, |
Logging |
"UserCheck Reference ID" field is missing from logs when the message of the UserCheck customized page is modified and does not contain the text "reference:". Refer to sk165355. |
PRJ-4609, |
Logging |
When the user tries to open a Forensic report in SmartLog, the "Error getting report." message may appear if there is a network object configured with the same IP address as that of the Endpoint Security Management Server. |
PRJ-11887, |
Logging |
In some scenarios, searching for logs using "client_name" in the logging tab returns no values. |
PRJ-10359, |
Logging |
Log_indexer may unexpectedly exit on a SmartEvent server with a large number of CPUs (32 and up), and\or when the total number of log servers declared in correlation units is above 30. |
PRJ-4737 |
Logging |
In environments that use certain mail servers, sending a report using SmartView may not work properly. |
PRJ-11500, |
Security Gateway |
NEW: Added "Hold" override for unsupported protocols (i.e. GRE). Refer to sk148432. |
PRJ-5032, |
Security Gateway |
In some scenarios, when running "fw monitor" with the "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed. Refer to sk166592. |
PRJ-13074, |
Security Gateway |
When HTTPS Inspection is enabled using layer-2/bridge, traffic may be dropped when deciding the outgoing interfaces. |
PRJ-11694, |
Security Gateway |
In a rare scenario, access rules with service type of "other" may not be matched correctly. Refer to sk166365. |
PRJ-11140, |
Security Gateway |
In some scenarios, "fwxlate_dyn_port_global_to_local_get_port: port was not found in global, and not in local" error message may appear in dmesg. |
PRJ-12517, |
Security Gateway |
In some scenarios, a backup on a Gaia device with Threat Emulation Blade enabled may fail with "Cannot complete the backup process: not enough space". Refer to sk166833. |
PRJ-13430, |
Security Gateway |
In some scenarios, "cmik_loader_fw_get_connkey: Invalid streaming opaque type: (3)" message appears in dmseg. Refer to sk137494. |
PRJ-11741, |
Security Gateway |
Improved connectivity in a specific flow when ICAP Client is enabled with Trickling 3. |
PRJ-11415, |
Security Gateway |
In some scenarios, NAT log shows source port 0 even though a port was allocated. |
PRJ-8674, |
Security Gateway |
In some scenarios, "simple_debug_filter_unset: unsetting debug filter when no filter is set" messages may appear in dmesg. Refer to sk165675. |
PRJ-10769, |
Internal CA |
In some scenarios, no SIC between R80.x Security Management and R77 Security gateway after ICA certificate replacement procedure described in sk158096. |
PRJ-9046, |
Threat Prevention |
The number of overrides in Threat Prevention policy -> Profile -> Overrides may also show inactivated overrides, with mismatched information between "override" and "User Modified". |
PRJ-5230, |
Identity Awareness |
Failure in LDAP groups membership query for specific user that was reported by MUH agent, may cause all users under the same MUH agent to be removed from the PDP database. |
PRJ-12618, |
Identity Awareness |
After the user disables and re-enables the Identity Collector in SmartConsole, the Identity Collector may fail to connect to the PDP Gateway again. |
PRJ-13564, |
Identity Awareness |
In some scenarios, when the user changes the TACACS+ server to a different one, the configuration is applied only after an MDS reboot. |
PRJ-8711, |
Identity Awareness |
In some scenarios, Dynamic ID authentication fails when SMS server returns HTTP status code 2xx but not 200 or 202. |
PRJ-7277, |
Application Control |
In some scenarios, Application Control updates cannot be initiated on Gateways without Application Control enabled, even though URL Filtering is enabled. |
PRJ-11060, |
Application Control |
In some scenarios, Application Control update task may get stuck indefinitely when it is executed as part of Global Policy assignment. |
PRJ-12164, |
Application Control |
In some scenarios, Application Control updates in Multi-Domain High Availability environments may get stuck when multiple updates from different Domains/Multi-Domains take place simultaneously. |
PRJ-12338, |
URL Filtering |
In a rare scenario, policy installation may fail with "Error code: 0-2000112" if the URL Filtering Blade is active while no other feature or Blade is enabled. |
PRJ-13108, |
HTTPS Inspection |
In some scenarios, HTTPS websites may show corrupted text when HTTPS Inspection and Anti-Virus are enabled. |
PRJ-13596, |
HTTPS Inspection |
In some scenarios, web traffic is blocked with "HTTP parsing error occurred" and "parameters are undecodable in request" errors. |
PRJ-8298, |
SSL Inspection |
In some scenarios, some HTTPS sites are not categorized when both "Categorize HTTPS Sites" and "HTTPS Inspection" are enabled. |
PRJ-13115, |
DLP |
Improved DLP functionality when working with IDA MUH1 and MUH2 agents. |
PRJ-8902, |
IPS |
In a rare scenario, Security Gateway may crash due to NULL pointer reference. |
PRJ-12708, |
ClusterXL |
In some scenarios, a Cluster member forwards ICMP replies via its Sync interface after being rebooted. |
PRJ-12284, |
ClusterXL |
ClusterXL in Load Sharing mode may drop traffic after a cluster member is rebooted, due to inconsistency of MAC addresses saved in the Firewall kernel and in SecureXL kernel. |
PRJ-12551, |
SecureXL |
NEW: Added tunable kernel parameter "adp_mc_rt_hold_queue_len" to adpkern.conf to eliminate multicast packet drops at the start of a connection (when large bursts of multicast traffic are expected). |
PRJ-12173, |
SecureXL |
In some scenarios, TCP traffic containing the TCP Fast Open option may be dropped by the Security Gateway. |
PRJ-10495, |
SecureXL |
In some scenarios, SecureXL makes an offload decision to not accelerate multicast traffic for route-based VPN. |
PRJ-14076, |
SecureXL |
For some topologies, RIPV2 neighbors may be missing. Refer to sk167934. |
PRJ-11630, |
SecureXL |
In some scenarios, MCAST packets may not be accelerated on a PIM-SM RP Gateway. |
PRJ-11449, |
Gaia OS |
NEW: Added support for Smart-1 3150/3050 SAN and 'show asset' line cards for SAN. |
PRJ-7270, |
Gaia OS |
In some scenarios, adding a Gaia user may result in a high number of zombie sh processes. Refer to sk164259. |
PRJ-13647, |
Gaia OS |
In rare scenarios, clish consumes 100% CPU when the user runs a Tenable scan. Refer to sk166195. |
PRJ-13154, |
Gaia OS |
In some scenarios, SNMPD daemon unexpectedly exits with core dump, causing the SNMP service to become unavailable. |
PRJ-13478, |
Gaia OS |
Intake and outlet temperature sensors display incorrect values on 15400 appliance. |
PRJ-12760, |
Gaia OS |
In some scenarios, WebUI shows unknown HDDs that are not part of RAID. |
PRJ-8948, |
Gaia OS |
In some scenarios, interface names may not correspond to the correct ports on 4-ports 10GbE SFP+ Rev 1.1 on 12200/4200/4400/4600/4800/TE250 appliances. |
PRJ-12250, |
Gaia OS |
UPDATE: on Smart-1 5050:
|
PRJ-3025, |
Gaia OS |
Backup on Gaia machine may fail with "Cannot complete the backup process: not enough space". Refer to sk98609. |
PRJ-13265, |
Gaia OS |
In some scenarios, the value for Voltage/Fan/Temperature sensor may appear as "NotValid". |
PRJ-11780, |
Gaia OS |
Only 1024 characters of a cron jobs output are displayed when using show cron jobs from clish. |
PRJ-12917, |
Gaia OS |
In some scenarios, snapshot creation on Gaia OS may get stuck at 1-2% because of a large number of tmp files. Refer to sk116679. |
PRJ-11619, |
Gaia OS |
When a bond exceeds 60GB/s, ethtool may report an incorrect speed of the bond interface. |
PRJ-12420, |
Gaia OS |
In some scenarios, concurrent CIFS mount/umount processes to the same Windows machine may crash the kernel. |
PRJ-471 |
Gaia OS |
In the load configuration command, when the loading configuration file contains SNMP, the interface configuration commands may not apply the configuration correctly. |
PRJ-9782, |
Gaia OS |
'#', '=' and '+' characters cannot be used in "Banner" and "Message of the day" features. |
PRJ-11496, |
Gaia OS |
In some scenarios, the PSU status is reflected even if there is no PSU on the appliance. |
PRJ-11682, |
Routing |
NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners. |
PRJ-12797, |
Routing |
In some scenarios, there may be a loss of BGP adjacency when displaying BGP routes with very long AS paths or large numbers of BGP communities. |
PRJ-12801, |
Routing |
In some scenarios, when processing BGP ECMP routes, ROUTED may unexpectedly exit, resulting in loss of BGP adjacency. |
PRJ-13351, |
Routing |
In some scenarios, routed process generates an assert when the user runs the "dbget -rv iclid" command. |
PRJ-11243, |
VoIP |
SIP calls with NAT (SIP packet with no SDP but content-type=sdp) may fail to open correctly. |
PRJ-9103, |
VoIP |
In a rare scenario, Security Gateway crashes when passing SIP traffic. Refer to sk166474. |
PRJ-8620, |
VPN |
Improved the VPN connectivity with DAIP peers when Tunnel Monitoring is enabled. Refer to sk164933. |
PRJ-12193, |
VPN |
A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902. |
PRJ-58 |
VPN |
In a rare scenario, the vpnd process unexpectedly exits when unallocated memory is accessed. |
PRJ-13312 |
VPN |
In some scenarios, packets are dropped on proposal unmatched, although the VPN tunnel is established. Refer to sk122438. |
PRJ-4510, |
VPN |
In some scenarios, Site-to-Site VPN between central Security gateway and 700 DAIP appliances disconnects in random fashion. Refer to sk149432. |
PRJ-13528, |
VPN |
In some scenarios, Remote Access VPN users are not matched against the Access Control policy and traffic is dropped. Refer to sk167432. |
PRJ-13406, |
VPN |
In rare scenarios, the Global Domain Assignment view shows that a Global Domain Assignment is in the 'up to date' state even though it is not. |
PRJ-11803, |
VPN |
In some scenarios, an incorrect number of connected Remote Access users is displayed in SmartView Monitor. Refer to sk167297. |
PRJ-12889, |
VPN |
IKEv2 rekey may fail when the resolved peer IP address is not the main IP address. Refer to sk166897. |
PRJ-12463, |
VPN |
In a rare scenario, Security Gateway may crash when using Remote Access VPN with L2TP clients. |
PRJ-13340, |
VPN |
In some scenarios, L2TP client fails to connect with "Failed to write L2TP session params to kernel" error in vpnd.elg file. Refer to sk167636. |
PRJ-13079, |
VSX |
When performing a provisioning operation in VSX, process may hang on "Pushing configuration to ...". Refer to sk167175. |
PRJ-11839, |
Endpoint Security |
Cannot delete the client MSI package from SmartEndpoint because of a previously deleted FDE offline group. |
PRJ-11144, |
Endpoint Security |
Local users may not be displayed under the selected machine in the "Users and Computers tab" in SmartEndpoint. Refer to sk166316. |
Take 161 Released on 21 June 2020 and declared as General Availability on 2 July 2020 |
||
PRJ-13689, |
Security Management |
In some scenarios, when using many management API calls in parallel, the output is not consistent. Refer to sk167509. |
Take 160 Released on 2 June 2020 |
||
PRJ-8806, |
Diagnostics |
SmartView Monitor may not show a match on accelerated QoS traffic. All or part of the traffic may be matched on "No Match". |
PRJ-10630, |
Installation |
Firmware upgrade for Small Office appliance using SmartProvisioning in Multi-Domain Management environment may fail. |
PRJ-9777, |
Security Management |
NEW: Added ability to search in the Management Server by adding asterisk before any sequence of characters. For more information, refer to sk164873.
|
PRJ-8643, |
Security Management |
NEW: Performance enhancements while the Management Server is under high load. |
PRJ-12009, |
Security Management |
NEW: Significant performance improvement for policy installation time when many groups are defined on the Management Server. |
PRJ-10899, |
Security Management |
NEW: Set values for environment variables on the Management Server that will remain there after a Management Server upgrade, as well as Backup/Restore and Export/Import of the Management Server. Refer to sk165938. |
PRJ-11707, |
Security Management |
NEW: Performance and stability improvements for large environments. |
PRJ-10993, |
Security Management |
NEW: Added ICA Management security enhancements. |
PRJ-12358, |
Security Management |
The "Recent Tasks" and "Install Policy Preset" views in MDS Domain may include Domain names, policy packages, and Gateways names. This information is not filtered according to the administrator's permission profile. |
PRJ-8792, |
Security Management |
Improved the Access Control Policy installation time for environments with high amount of objects and enabled IPSEC VPN Blade. Refer to sk166321. |
PRJ-6703, |
Security Management |
In a rare scenario, when viewing the Layer History, some revisions not relevant to the selected Layer may be shown. |
PRJ-10471, |
Security Management |
In a rare scenario, export does not completes because the Postgres dump_all process gets stuck. |
PRJ-7469, |
Security Management |
Global policy reassignment may fail after a rulebase is deleted in the Global Domain. |
PRJ-7783, |
Security Management |
In some scenarios, HA synchronization in the Global Domain fails with the "Failed to sync peer - Global Domain is incompatible with the Domains." error. |
PRJ-9213, |
Security Management |
Logging into SmartConsole to the Standby Management Server with a RADIUS or TACACS user may fail after changing the shared secret on the RADIUS or TACACS object. |
PRJ-9088, |
Security Management |
In a rare scenario, when an environment has many Gateways (dozens), the FWM daemon may unexpectedly exit when 4 GB of memory is reached. Refer to sk165015. |
PRJ-8229, |
Security Management |
The "Unused Objects" filter in Object Explorer may display a failure message if there are more than 20000 unused objects.
|
PRJ-7818, |
Security Management |
In some scenarios, SmartView Monitor unexpectedly terminates when the user selects the Specific QoS Rules option in Top QoS Rules. |
PRJ-7886, |
Security Management |
In some scenarios, when the user modifies a policy rule and creates a section above it in the same session, the log tracker shows that the rule was created instead of modified. |
PRJ-5793, |
Security Management |
In some scenarios, after the user manually performs "Full Sync", a newly created secondary Domain Server or Domain Log Server is not shown in SmartConsole's Domains view. |
PRJ-9298, |
Security Management |
In a rare scenario, the "SmartDashboard component failed to connect to server <IP address>. Please contact technical support" error is displayed in SmartConsole when opening the Management object for editing. |
PRJ-9321, |
Security Management |
In some scenarios, a disconnected SmartView Monitor session appears in SmartConsole with a grayed out 'Disconnect' option, which cannot be discarded. Refer to sk165037. |
PRJ-8864, |
Security Management |
When an administrator fails to publish another administrator's session, the session of the other administrator disappears from the Sessions view in SmartConsole. |
PRJ-9085 |
Security Management |
In some scenarios, Management HA synchronization fails with "Failed to export data" error after an advanced upgrade from R77.x to R80.20 Jumbo Hotfix Take 103. |
PRJ-7456, |
Security Management |
In some scenarios, upgrade fails with the "Satellite object of type GatewayAggregator not found for core object" message in cpm.elg file. |
PRJ-9278, |
Multi-Domain Management |
NEW: Performance improvement for Multi-Domain environments in which many administrators are connected. |
PRJ-11506, |
Multi-Domain Management |
A migration from Security Management server to a Domain on a Multi-Domain Management Server may fail with: "didn't find ObjectStoreSessionEntity for session <uuid> return null" error in cpm.elg file. |
PRJ-10529, |
Multi-Domain Management |
The mds_import.sh script may fail if the IPS version for a Domain/CMA does not exist on the R80.x Multi-Domain Management Server. |
PRJ-8415, |
Multi-Domain Management |
When the user runs the 'add-domain' Web API command on an existing Domain, the original Domain is deleted. |
PRJ-11524, |
Multi-Domain Management |
In rare scenarios, upgrading the Multi-Domain Server fails to upgrade some Domain Servers with "IllegalArgumentException" in the upgrade log. |
PRJ-11175, |
Multi-Domain Management |
In some scenarios, Full synchronization fails in the Global Domain with "Full sync with peer '[Peer Name]' NGM failed to import data" error. Refer to sk145972. |
PRJ-10364, |
Multi-Domain Management |
After performing Full synchronization or failover of the Global Domain, the following operations may fail (refer to sk145972):
|
PRJ-11165, |
Multi-Domain Management |
In a rare scenario, synchronization between Multi-Domain Management Servers breaks after revisions purge operation. |
PRJ-12064, |
Multi-Domain Management |
The FWM process of domains may not stop after the user runs mdsstop or mdsstop_customer. |
PRJ-10525, |
Multi-Domain Management |
Upgrade of Multi-Domain Server may fail if Sync With User Center is running. |
PRJ-9697, |
Multi-Domain Management |
MLM may open a connection to the reversed IP address of the Multi-Domain Server. |
PRJ-10036, |
Multi-Domain Management |
In some scenarios, CPUSE and advanced Multi-Domain Management upgrade are stuck at "Upgrading products: 58%". Refer to sk146933. |
PRJ-6984, |
Multi-Domain Management |
In some scenarios, there may be high Solr CPU on Multi-Domain Management Servers with dozens of Domains. |
PRJ-9239, |
Multi-Domain Management |
In some scenarios, secondary MDS or MLM fail to renew a management certificate. Refer to sk164732. |
PRJ-5742 |
SmartConsole |
NEW: LDAP advanced query now supports ANR filtering. |
PRJ-9291, |
SmartConsole |
NEW : Enhancement: Two new flags were added for the performance improvement of Threat Protection API commands: 'show-profiles' and 'show-ips-additional-properties'. The default value for both flags is false. |
PRJ-11072, |
SmartConsole |
NEW: Added ability to reset the following network object fields to be empty through the Management API: ipv4-address, ipv6-address, subnet4, subnet6, mask-length4, and mask-length6. |
PRJ-5102, |
SmartConsole |
"An internal error has occurred" message may pop up when the user tries to modify a Revision's description. |
PRJ-732, |
SmartConsole |
"An internal error has occurred. (Code: 0x8003001D, Could not access file for write operation)" error is displayed when editing IKE PSK on "External User Profile" objects using Legacy SmartDashboard. Refer to Scenario 2 in sk119973. |
PRJ-4102, |
SmartConsole |
In "Top services" view of SmartView Monitor, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477*" service is displayed instead of "https" service. Refer to sk146052. |
PRJ-9550, |
SmartConsole |
When the user invokes the 'show-access-layer' API command, the parent layer may be missing from the output result. |
PRJ-8700, |
SmartConsole |
The shared secret's edit button may be grayed out. |
PRJ-9464, |
SmartConsole |
In some scenarios, when the user attempts to delete a Gateway / Cluster member, an error message may appear and the operation may not complete successfully. |
PRJ-72, |
SmartConsole |
Objects of Unused Access Roles are not visible in the Object Explorer. Refer to sk151896. |
PRJ-1448, |
SmartConsole |
In some scenarios, the api.elg log is flooded with the "Returning default standard reply class" message. |
PRJ-11904, |
SmartConsole |
In rare scenarios, certain domain level objects may not be visible in SmartConsole at the MDS level. |
PRJ-9078, |
SmartConsole |
In some scenarios, the Management Server may unexpectedly exit following authenticated API commands to create or update objects with extremely long comments. |
PRJ-8133, |
SmartEvent |
"The process <process-name> which is monitored by watchdog restarted more than once in the last half an hour" error may appear in the SmartEvent GUI status window even though the process has been up for more than 30 minutes. |
PRJ-7496, |
SmartEvent |
When using SmartEvent automatic reactions, *.MHT files in $RTDIR/tmp directory are not cleaned up in case of email sending failure. |
PRJ-4328, |
SmartEvent |
In some scenarios, automatic reactions in SmartEvent are sent with the "Destination address" field containing the resolved country name instead of the raw IP value. Refer to sk146992. |
PRJ-433, |
SmartEvent |
In SmartEvent, when the user customizes an event to accumulate logs by the field UUID, logs with UUID equal to 0 may not be correlated. |
PRJ-8016, |
SmartView |
SmartView may show wrong time in tables and graphs for clients located in Brazil. |
PRJ-9645, |
Security Gateway |
NEW: Added support for the bridge configuration when packet is passing via the Security gateway twice. |
PRJ-3476, |
Security Gateway |
In a topology in which Client and Server are connected to the Security Gateway using two different interfaces each, for example: Client -- eth1 <Gateway> eth2 -- Server Client -- eth3 <Gateway> eth4 -- Server The response packets from Server to Client may be incorrectly routed back to the Server because of an incorrect route cache in the Security Gateway. |
PRJ-8648, |
Security Gateway |
In a rare scenario, ICAP client requires manual steps to activate RESP mode after running cpstop ; cpstart. |
PRJ-11953, |
Security Gateway |
In a rare scenario, Security Gateway may crash due to NULL pointer reference. |
PRJ-8750, |
Security Gateway |
In some scenarios, incorrect number of outbound interfaces may be received when SecureXL is disabled. |
PRJ-4612, |
Security Gateway |
In some scenarios, policy installation fails with "configload_mgmt_compile: Failed to run compiler command". |
PRJ-8503, |
Security Gateway |
In some scenarios, there may be connectivity problems with DHCP traffic. |
PRJ-10838, |
Security Gateway |
Improved the in.aftpd process memory management. |
PRJ-1213, |
Security Gateway |
In a rare scenario, the Security Gateway may crash due to a NULL pointer reference. |
PRJ-5729, |
Security Gateway |
In some scenarios, SIP traffic may be dropped by Anti-Spoofing with "fw_early_sip_nat Reason: spoofed packet on SIP traffic" error in dmesg although it is set to"detect". |
PRJ-2410, |
Security Gateway |
DCE-RPC traffic may be dropped because of a drop template that is incorrectly created for the ALL_DCE_RPC service. |
PRJ-10565 |
Security Gateway |
In some scenarios, wrong service name appears in SmartConsole logs. |
PRJ-4091, |
Security Gateway |
Using spaces in the $FWDIR/boot/modules/fwkern.conf file may cause long reboot time. |
PRJ-8151, |
Security Gateway |
Policy installation on Cluster may fail if the Cluster member name is longer than 64 characters. |
PRJ-11529, |
Security Gateway |
In a rare scenario, Security gateway may crash while connection is closed while being held. |
PRJ-10408, |
Security Gateway |
In a rare scenario, after upgrading a Security Gateway to R80.20, the LOG_INDEXER process running on the Log server may consume 100% CPU and cause the indexing backlog. |
PRJ-9687, |
Security Gateway |
Traffic may be dropped on DAIP gateway after the gateway IP address is changed or the gateway is rebooted. Refer to sk165176. |
PRJ-8354, |
Security Gateway |
Improved the ICAP client connectivity when using Trickling mode 3 in settings. |
PRJ-8688, |
Security Gateway |
A memory leak may occur in Management/local connection which loop back to the bridge interface. |
PRJ-12235, |
Security Gateway |
In a rare scenario, Security Gateway memory consumption may increase when the Anti-Virus Blade is enabled. |
PRJ-9119, |
Security Gateway |
Connections may be dropped when "keep all connections" is configured during policy installation. Refer to sk166212. |
PRJ-8615, |
Security Gateway |
In some scenarios, the uc_log_suppression_data table may reach its limit and "uc_log_suppression_set_entry: Failed storing log data in log suppression table" error appears in /var/log/messages file. |
PRJ-9050, |
Security Gateway |
Global connections may not be freed correctly when the Gateway acts as a Proxy. |
PRJ-9416 |
Security Gateway |
Added logs for packets that include invalid TCP options. This feature is off by default. |
PRJ-8882, |
Security Gateway |
In a rare scenario, Security gateway may crash when activating a web parsing debug. |
PRJ-8552, |
Logging |
NEW: Log Exporter feature exports log attachment identifiers and adds the ability to fetch them through the Management API command. |
PRJ-9189 |
Logging |
NEW: Added support for viewing MITRE ATT&CK fields. |
PRJ-6024, |
Logging |
When restarting the FWD process on the Log server, the syslogd process (syslog daemon), may unexpectedly exit. |
PRJ-5573, |
Logging |
When a Log Server is configured to parse Syslog messages, the field "User" may be truncated in the parsed log in the Log Details view if the field contains underscore. |
PRJ-5899, |
Logging |
It is not possible to query the "file_name" field on a Log server that does not have the SmartEvent activated. |
PRJ-8495, |
Logging |
In SmartView, when the user exports logs to CSV using the "visible columns" option, the following fields may be missing from the CSV file: Resource, Application Risk, Application Name, and Application Category. |
PRJ-3653, |
Logging |
SmartEvent may not correlate certain Anti-Virus logs. |
PRJ-5649, |
Logging |
In some scenarios, when the user creates a table widget in SmartView, there is no option to add the "hostname" field. Refer to sk162752. |
PRJ-7924, |
Logging |
Following changes in correlation unit settings, new logs may not be read by SmartEvent until the log_indexer process is restarted. |
PRJ-11361, |
Logging |
In a rare scenario, the CPD process on a Security Management Server that manages R77.30 Security Gateway may unexpectedly exit. |
PRJ-4134, |
Logging |
In some scenarios, it may not be possible to filter logs by the field "IKE IDs:" when searching the log files directly. |
PRJ-9315, |
Logging |
Logging view may show results from the wrong day if the server Time Zone is configured to use half/quarter hour deviations from standard time. |
PRJ-8921, |
Logging |
When the user searches logs in the "Logs and Monitor" tab in SmartConsole and applies a filter using the "?" wildcard, incorrect logs may be returned. |
PRJ-9705, |
Logging |
The FWD process may unexpectedly exit if one of the following changes were made using GuiDBEdit:
|
PRJ-4981, |
Logging |
In SmartView, the percentage values in pie charts may add up to 99% or 101%. |
PRJ-11005, |
Logging |
In some scenarios, changes made to Network Objects on the Security Management Server are not reflected in the logs view. Refer to sk166493. |
PRJ-1524, |
Logging |
In some scenarios, Autosuggestion does not complete in SmartConsole's "Logs & Monitor" tab for users who do not have super user privileges. Refer to sk155252. |
PRJ-9192, |
Logging |
After synchronization, MLM / Secondary MDM may have different log policy configuration. Refer to sk165692. |
PRJ-4447, |
Logging |
In SmartView, drilling down from the timeline widget to logs, may show less logs than expected. |
PRJ-6189, PRHF-6325 |
Logging |
Widgets inside SmartView's "Views and Reports" may result in "Query Failed" messages when filtered by the "Log Server Origin" field. |
PRJ-10857, |
Application Control |
NEW: Gateway status will reflect Application Control and URL Filtering updates. |
PRJ-2794, |
IPS |
In some scenarios, the interface name is not displayed correctly in the IPS log. |
PRJ-11303, |
IPS |
In a rare scenario, the fw_full process may unexpectedly exit. |
PRJ-9487, |
IPS |
After an upgrade, policy installation may not update the IPS version on the gateway if the "IPS scheduled update" option was changed before the upgrade. |
PRJ-9448, |
IPS, |
In some scenarios, SmartConsole shows "No license" and "Contract is expired" for IPS Blade in VSX. Refer to sk164917. |
PRJ-10968, |
DLP |
NEW: Reading and sending files from the registry by DLP was optimized. |
PRJ-10847, |
DLP |
DLP stability for some scenarios was improved. |
PRJ-10422, |
DLP |
In a rare scenario, when Security Gateway is configured as proxy, the HTTP traffic may be not scanned by DLP. |
PRJ-5021, |
DLP |
The DLP engine may incorrectly process the file if the file name is missing in the connection header. |
PRJ-9327, |
DLP |
Improved the scanning time of files for some scenarios in SMTP and HTTP/S. |
PRJ-9692, |
DLP |
In some scenarios, DLP prints wrong error message in the log. |
PRJ-9773, |
DLP |
In some scenarios for SMTP, when an internal user sends an email, the DLP logs may show the topology as "external to external" instead of as "internal to internal". |
PRJ-9404, |
HTTPS Inspection |
In some scenarios, wrong certificate is shown by HTTPS Inspection for some websites, including certificates issued by "CloudFlare Inc ECC CA-2". Refer to sk118392. |
PRJ-7995, |
HTTPS Inspection |
WSDNSD memory leak may appear when updatable objects are configured in the policy. Refer to sk165616. |
PRJ-9933, |
HTTPS Inspection |
In some scenarios, when the minimum version of HTTPS Inspection is set to TLS 1.1, some websites may unexpectedly exit. Refer to sk165555. |
PRJ-7422, |
Infrastructure |
In some scenarios, Anti-Bot\Anti-Virus\IPS\Threat Emulation Blade update fails with "Curl error code 56". |
PRJ-9392, |
Identity Awareness |
NEW: Performance improvement in the automatic LDAP group update feature. |
PRJ-9495, |
Identity Awareness |
Policy installation process has been improved. |
PRJ-10223, |
Identity Awareness |
In a rare scenario, there is a memory leak in the IDA daemon pepd. |
PRJ-11613, |
Identity Awareness |
In a rare scenario, a memory leak, related to the Identity Awareness flow, may occur in the kernel. |
PRJ-7506, PRHF-5184 |
Identity Awareness |
When the Identity Awareness Blade is enabled, a memory leak may appear in LDAP sessions. |
PRJ-10385, |
Identity Awareness |
In a rare scenario, identity session groups and access roles may disappear following a policy installation. |
PRJ-6074, |
Identity Awareness |
Machine identity for Terminal Server agent is not identified unless Identity Agent is also enabled on the Security Gateway. |
PRJ-8002, |
Threat Prevention |
Improvements in HTTP chunked encoding inspection. |
PRJ-12395, |
Threat Prevention |
In some scenarios, policy installation fails with "Error code 0-2000111". |
PRJ-8212, |
Anti-Bot |
"Problem has occurred during search <External Log server> Disconnected" error may appear in "Logs & Monitor" tab after creating dummy object for NAT. |
PRJ-7165, |
SSL Inspection |
NEW: Added support for proxy configuration when downloading CRL from a VSX device. Refer to sk151115. |
PRJ-4112, |
SmartEvent |
In SmartEvent policy, adding an exclusion for sensor alert event by event id (e.g. id=20300) causes policy install failure. Refer to sk139854. |
PRJ-7921, |
SmartView |
In the Logs page of the SmartView web application, the "File Name" filter may appear twice in the quick filters pane. |
PRJ-10372, |
SmartView |
In some scenarios, after user imports view/report in SmartView, the imported view/report is not shown in the Catalog. |
PRJ-7723, |
SmartView |
In SmartView, when filtering a view using special characters in the search bar and exporting to Excel, the file may be generated empty. |
PRJ-10118, |
Compliance |
In some scenarios, database import on a single Domain machines where the Compliance Blade is activated fails, and as a result, the FWM process unexpectedly exits after the import. |
PRJ-2213, |
VoIP |
In some scenarios, Cisco VoIP calls are dropped with "SIP Re-Invites exceeded the limit" reject reason. Refer to sk145412. |
PRJ-9955, |
VoIP |
In some scenarios, UA traffic is dropped when packet contains more then 9 UA's. Refer to sk135114. |
PRJ-8010, |
ClusterXL |
In some scenarios, a connectivity issue takes place in ClusterXL environment after a fast "fail over"-"fail back" or a "fail over" on bridge configuration. |
PRJ-1501, |
ClusterXL |
The output of the 'cphaprob routedifcs' command may be missing interfaces. |
PRJ-5865, |
ClusterXL |
SNMP Response for OID .1.3.6.1.4.1.2620.1.5.6 ("haState") is "Active" on all members of ClusterXL High Availability mode. Refer to sk106291. |
PRJ-599, |
SecureXL |
SYN Defender status in CPView sometimes appears as invalid. |
PRJ-10937, |
SecureXL |
Rule that contains dhcpv6 services, does not disable SecureXL Accept Templates. Refer to sk32578. |
PRJ-602, |
SecureXL |
In some scenarios, DOS/Rate Limiting configuration is not applied after reboot if no fw samp policy is configured. |
PRJ-9670, |
SecureXL |
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. This fix enables the new property per specific gateway. Refer to sk147093. |
PRJ-8760, |
SecureXL |
NEW: Improved performance for multicast traffic after all listeners have been removed for an existing connection. |
PRJ-10619 |
SecureXL |
NEW: Added a new feature to support certain types of asymmetric bridged configurations. |
PRJ-8914, |
SecureXL |
In some scenarios, multicast packets arrive to the Security gateway in order, but leave out-of-order. |
PRJ-8978, |
SecureXL |
When PIM-SM multicast routing transitions from RPT to SPT, packets may be dropped or become out-of-order. |
PRJ-8779, |
SecureXL |
In a rare scenario, DOS/Rate Limiting Logs are not searchable. |
PRJ-6155, |
SecureXL |
In some scenarios, SecureXL causes an issue in the routing of multicast traffic. |
PRJ-7500, |
SecureXL |
In some scenarios, new connection may fail to open if it is reopened with the same source port. Refer to sk164839. |
PRJ-6123, |
SecureXL |
In some scenarios, DOS/Rate Limiting drops too few (or too many) packets for "concurrent-conns" fw samp rules. Refer to sk112454. |
PRJ-8488, |
SecureXL |
In some scenarios, held packets are incorrectly reported to the penalty box. |
PRJ-10233, |
SecureXL |
Policy installation may fail with "Error code 0-2000240" when Drop templates option is enabled. Refer to sk165716. |
PRJ-4175, |
SecureXL |
In some scenarios, there may be a length verification error with SCTP traffic. |
PRJ-7283, |
SecureXL |
Improved TCP state inspection for "Smart Connection Reuse" feature. |
PRJ-9825, |
SecureXL |
In some scenarios, SYN Defender cookie validation may fail. |
PRJ-12022, |
SecureXL |
In some scenarios, ACK, FIN, and RST TCP packets are dropped, causing outages. |
PRJ-11677, |
SecureXL |
MCAST packets may be handled incorrectly when promiscuous (tcpdump) mode is enabled for the interface. |
PRJ-5904, |
SecureXL |
In some scenarios, the penalty box violation rate is configured incorrectly. |
PRJ-3815, |
Routing |
Active VRRP cluster member may not show full accounting information in logs. Refer to sk159432. |
PRJ-12223, |
Routing |
In some scenarios, routed process unexpectedly exits when adding an interface to OSPFv3 with a prefix length above 63 and having two or more areas. |
PRJ-10791, |
Routing |
Although only OSPFv2 with Graceful Restart Helper is configured, the Critical Device OSPF3 Graceful Restart may show the "OSPF3 Graceful Restart PROBLEM Master -> Standby. Waiting for GR" message during the cluster failover. |
PRJ-11545, |
Routing |
In some scenarios, routed unexpectedly exits and traffic is lost after a failover in ClusterXL when BGP and ECMP are enabled. Refer to sk166175. |
PRJ-3617, |
Routing |
In some scenarios, routed unexpectedly exits when receiving an LSA with a checksum value of zero. |
PRJ-11423, |
Routing |
In some scenarios, routed_mon may unexpectedly exit on some CPView queries when OSPF multiple instances are configured. |
PRJ-7613, |
ConnectControl |
|
PRJ-9350, |
Gaia OS |
NEW: Added optimization for 40GbE and 25/100GbE cards configured in multiqueue allowing better transmit performance when Hyper-Threading (SMT) is enabled. |
PRJ-3804, |
Gaia OS |
NEW: Added the ability to configure an IPv6 address for a LOM interface on Smart 1-525/5050/5150 appliances. |
PRJ-11367, |
Gaia OS |
SNMP Trap may not be sent even though a failover occurred. Refer to sk166100. |
PRJ-11295, |
Gaia OS |
In some scenarios, commands that were typed into Clish can be executed later on if the SSH session was uninterruptedly terminated. |
PRJ-445, |
Gaia OS |
The 'show asset all' command may fail with core dump. |
PRJ-11372, |
Gaia OS |
In some scenarios, latency issues may occur in Clish and in the WebUI when using web scanning tools. Refer to sk164153. |
PRJ-472 |
Gaia OS |
The "load configuration" command may not work correctly when the loading configuration file contains SNMP, and interface config commands may not apply the configuration correctly. |
PRJ-501, |
Gaia OS |
The "load configuration" command may not work correctly when trying to add an SNMP user with a hashed password. |
PRJ-12442, |
Gaia OS |
In some scenarios, the xmlUpgradeExec process may unexpectedly exit during Jumbo Hotfix installation. As a result, the configuration file may not be created correctly. Upon login, the following error message may appear: "/etc/appliance_config.xml:1: parser error : Document is empty /etc/appliance_config.xml:1: parser error: Start tag expected, ^^^ not found". |
PRJ-5269, |
Gaia OS |
Any of the following may occur in vSphere on a Management appliance:
|
PRJ-7578, |
Gaia OS |
'#', '=' and '+' characters cannot be used in "Banner" and "Message of the day" features. |
PRJ-8006, |
Gaia OS |
Apache API was updated. |
PRJ-7371, |
Gaia OS |
In some scenarios, the iDRAC (LOM) interface is not pingable. |
PRJ-10397, |
Gaia OS |
In some scenarios, transmit queues may stop, causing packet loss. |
PRJ-8053, |
Gaia OS |
In some scenarios, latency issues may occur in Clish and in the WebUI when using web scanning tools (Qualys). Refer to sk164153. |
PRJ-4878, |
VSX |
Resource Monitor Control may cause segmentation fault when there are more than 64 CPUs. Refer to sk125112. |
PRJ-11280, |
VSX |
In a rare scenario, portals are not reachable after the fwk process unexpectedly exits. |
PRJ-10542, |
VSX |
In the menu of 'vsx_util vsls' #1 (Display current VS Load sharing configuration), the table shows cut names of VSs (original names are longer). |
PRJ-10910, |
VSX |
In VSX cluster with VMAC mode, traffic may not pass through VSX Cluster members if SecureXL is enabled. Refer to sk138894. |
PRJ-5332, |
VPN |
NEW: Added functionality enhancements for the authentication realms that is used with Remote Access VPN. |
PRJ-10270, |
VPN |
NEW: 3DES is disabled by default for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI and Mobile Access curl. |
PRJ-5701, |
VPN |
NEW: Improved policy installation performance when the MAB Blade is enabled with Legacy Policy and Native Application rules. Refer to sk175105. |
PRJ-8114, |
VPN |
"vpn_trap_multik: - wrong header length 36 != 72" message may appear in the vpnd.elg when working with multiple users with the same credentials. |
PRJ-11240, |
VPN |
Added connectivity improvement for VPN over NAT traversal (UDP 4500). Refer to sk155953. |
PRJ-11642, |
VPN |
Added stability improvement for Remote Access VPN. |
PRJ-7013, |
VPN |
Added L2TP Remote Access client connectivity improvements. Refer to Scenario 2 in sk145895. |
PRJ-11913, |
VPN |
In rare scenarios, fwm unexpectedly exits after a 3rd-party certificate is signed. |
PRJ-8262, |
VPN |
Server-to-Server and Client-to-Server VPN may fail when using Wire Mode while SecureXL is enabled. |
PRJ-12177, |
VPN |
Connectivity improvements for Remote Access VPN using Traditional mode. |
PRJ-7853 |
VPN |
Connectivity improvements for Remote Access Endpoint clients that connect without Office Mode IPs. |
PRJ-6718, |
VPN |
In some scenarios, the vpnd process unexpectedly exits on cluster members. |
PRJ-11281, |
VPN |
In a rare scenario, vpnd process unexpectedly exits due to Segmentation fault. |
PRJ-4451, |
VPN |
Improved IKEv2 negotiation flow. |
PRJ-7692, |
VPN |
Improved usability of VPN tunnel monitoring "vpn tu" command. |
PRJ-6089, |
VPN |
In some scenarios, accelerated VPN tunnels routed over PPPoE interface may cause drop of encrypted traffic of some connections. Refer to sk148872. |
PRJ-7857, |
VPN |
In a rare scenario, a VPN memory leak may appear. |
PRJ-6117, |
VPN |
In some scenarios, NAT-D traffic goes out from the first external interface. |
PRJ-4235, |
VoIP |
In some scenarios, H323 connections are dropped after "Virtual session timeout" is configured. Refer to sk156372. |
PRJ-2461, |
VoIP |
In some scenarios, MGCP traffic may be dropped by the Security Gateway with the following message in fw ctl zdebug drop:
|
PRJ-8259, |
Endpoint Security |
In some scenarios, the wrong cipher suite is chosen for RSA certificates in HTTPS portals. Refer to sk164240. |
PRJ-2925, |
Endpoint Security |
Very frequently repeated "update register" requests may cause performance issues. |
PRJ-11814, |
Endpoint Security |
When a user name is updated in SmartEndpoint, the change may result in an unexpected expiration date. Refer to sk165872. |
PRJ-11834, |
Endpoint Security |
An error in FDE preboot users calculation may cause Endpoint to be left in a disconnected state. Refer to sk142313. |
PRJ-11827, |
Endpoint Security |
SmartEndpoint may export a report to Excel in which incorrect distinguished names appear for deleted users/computers. Refer to sk163943. |
PRJ-11823, |
Endpoint Security |
Users/devices may not change their locations in the tree according to Active Directory changes when certain special characters appear in the names. |
PRJ-11818, |
Endpoint Security |
The default paths for offline folders in SmartEndpoint -> Offline group creation wizard may be incorrect. |
PRJ-11831, |
Endpoint Security |
The Endpoint directory scanner may fail to reconnect to the AD if the connection was lost during the scan. |
PRJ-11710, |
Endpoint Security |
In SmartEndpoint, Anti-Malware's "Top Infections" report has an empty infection name. Refer to sk166232. |
PRJ-5185, |
Endpoint Security |
The log description of the "Media Encryption & Port Protection" Blade may state that the "Media Storage" is encrypted even though it is not. The details in the log show the correct value. Refer to sk162812. |
PRJ-7890, |
CloudGuard IaaS |
NEW: Added support for Google Cloud Platform projects with Shared VPC. Refer to sk164139. |
PRJ-5804, |
CloudGuard IaaS |
NEW: Added support for Identity Sharing with CloudGuard for NSX-V. |
PRJ-10866, |
CloudGuard IaaS |
In a rare scenario, the OpenStack Data Center becomes unresponsive, which results in a loss of updates to the Security Gateway. |
PRJ-11897 |
QoS |
In some scenarios, SmartView Monitor shows "No Match" rule on QoS traffic. |
PRJ-9740, |
QoS |
Packets to the broadcast IP address (255.255.255.255) may cause dmesg to fill with "fg_classify_and_offload_all_ifdirs: fglogRulename Failed." messages. |
Take 156 Released on 24 May 2020 and declared as General Availability on 14 June 2020 |
||
PRJ-10296, |
Security Gateway |
In some scenarios, the license status of the Security gateway is not updated properly in SmartConsole. |
PRJ-11561, |
SecureXL |
SCTP Stateful inspection and payload NAT (INIT Chunks) may not work correctly with SecureXL. |
PRJ-11669, |
VSX |
The "Destroying alive neighbour *" error may appear in /var/log/messages file. |
PRJ-12748, |
VPN |
Some Remote Access clients that do not support Multi-Factor Authentication (MFA) are able to connect to a Security Gateway even though the "Allow older clients" option is disabled. Refer to sk166912. |
Take 155 Released on 30 April 2020 |
||
PRJ-8255, |
Security Management |
FWM and\or INDEXER processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452. |
PRJ-11958 |
Gaia OS |
In a rare scenario on a cluster environment, Security gateway may corrupt data or crash during an upgrade. |
Take 149 Released on 1 April 2020 |
||
PRJ-9470, |
Security Management |
NEW: Added ability for R80.20 Security Management or Multi-Domain Server to manage R80.40 Security gateway. Refer to sk164652.
|
PRJ-10087, |
Security Management |
The cpm_solr process may unexpectedly exit and cause one of the following:
|
PRJ-9159, |
Security Management |
When reverting a security layer to a previous revision, if there are rules which are currently disabled, but were enabled in the selected previous revision (or vice versa), their status may not be reverted. |
PRJ-8375, |
Security Management |
In some scenarios, the exported database may be very large and include redundant data. |
PRJ-8858, |
Security Management |
If the database contains an internal user object with the same account name as an administrator object, then after the user publishes any change to the administrator object, the login in a VPN client with the internal user account may fail. |
PRJ-8798, |
Security Management |
If the database contains an internal user object with the same account name as an administrator object, then after the user publishes any change to the internal user object, the login in SmartConsole with the administrator account may fail. |
PRJ-5446, |
Security Management |
In some scenarios, an unclear error appears when the user imports a global policy on a Multi-Domain Management Server. The error is caused by a mismatch between the leading interface defined on the machine and the one defined in the database. |
PRJ-9264, |
Security Management |
Policy verification may fail after the user does the following steps: Configures specific install targets for a policy, publishes them, changes the install targets back to "All Gateways", and tries to install them on a Gateway which is not in the original list of targets. |
PRJ-5449, |
Security Management |
In some scenarios, an upgrade from R7x secondary Multi-Domain Server with active Domains may fail. |
PRJ-7767, |
Security Management |
In rare scenarios, publishing a session fails with the following "Action Failed due to an Internal Error" error. Discarding the session in SmartConsole completes as "discarded", but the changes are still there. The same behavior occurs in the Management API: mgmt_cli -r true discard uid <UID> number-of-discarded-changes: 4 message: "OK" |
PRJ-9592, |
Security Management |
Security hardening: The Management Server will block connection requests with a TLS version below 1.2 on port 19009. |
PRJ-7589, |
Security Management |
In a rare scenario, following a failure to delete a Domain, the Management Server may fail to start. |
PRJ-8403, |
Security Management |
In a rare scenario, the Security Management Server does not start due to a missing object, or a duplication of objects. |
PRJ-9082, |
Security Management |
In some scenarios, IPS update fails in the Global Domain after an upgrade from R80.10. |
PRJ-677, |
Security Management |
In some scenarios, Check Point services fail to start and the CPM log shows that there are duplicate session aggregators. |
PRJ-10745, |
Multi-Domain Management |
In some scenarios, policy installation from the Domain Management Server fails after mds_backup procedure that was interrupted. Refer to sk165559. |
PRJ-10525, |
Multi-Domain Management |
Upgrade of Multi-Domain Server may fail if Sync With User Center is running. |
PRJ-8450, |
Multi-Domain Management |
The Administrator and Trusted Clients pop-up editors at the Multi-Domain Server level show all domain names linked to these objects. Domain Managers with partial permissions, may see the names of domains that they are not permitted to see. |
PRJ-5099, |
SmartConsole |
When editing the description of a revision, the "Changes" field is reset to 0. |
PRJ-9020, |
SmartConsole |
In some scenarios, on a Global domain, when the user sets a logging option of an IPS protection whose activation is Detect or Prevent, the activation of the protection is set to "Inactive" on the local domain after an Assign Global Policy operation. |
PRJ-8133, |
SmartEvent |
"The process <process-name> which is monitored by watchdog restarted more than once in the last half an hour" error may appear in the SmartEvent GUI status window even though the process has been up for more than 30 minutes. |
PRJ-10141, |
SmartProvisioning |
Deletion of LSM ROBO cluster may cause the FWM process so unexpectedly exit. |
PRJ-7881, |
Security Gateway |
In a rare scenario, there is no HTTPS Inspection when ICAP client is enabled. |
PRJ-7373, |
Security Gateway |
Improved multicast routing under high load and/or during system initialization. |
PRJ-10029, |
Security Gateway |
In a rare scenario, when the web server is defined, policy installation fails with "Error code 0-20000111". |
PRJ-6697, |
Logging |
In some scenarios, exporting a large number of logs to Excel may fail and cause SmartView to restart. |
PRJ-9970, |
Logging |
In a Multi-Domain environment, one or more CMA's SMARTLOG_SERVER processes may fail to start after upgrade. Refer to sk165262. |
PRJ-8681, |
Logging |
In some scenarios, Threat Emulation Logs cannot be viewed in the logging or reporting views because of a certain format of the "file size" field sent from the Security Gateway. |
PRJ-2628 |
Logging |
In some scenarios, in a Multi-Domain environment with more than 50 domains, some domains are not seen in the SmartEvent GUI. |
PRJ-10757, |
Identity Awareness |
In some scenarios, multiple "idapi_load_data_impl: session id <Session ID> not found in client_db, although ip <Session IP> was assigned to it" errors appear in /var/log/messages file. Refer to sk167174. |
PRJ-8423, |
Identity Awareness |
Identity Awareness performance improvements in large scale environments. |
PRJ-10736, |
SSL Inspection |
In a rare scenario, a memory leak may appear when SSL inspection is enabled. |
PRJ-8339, |
SSL Inspection |
In a rare scenario, memory leak may appear in ICAP client when HTTPS Inspection is enabled. |
PRJ-7652, |
SSL Inspection |
HTTPS Inspection's default CA certificate was upgraded to use a signing algorithm based on SHA256 instead of SHA1. Refer to sk163932. |
PRJ-7843, |
Routing |
In a rare scenario, Netflow does not report outbound flow records. |
PRJ-8767, |
Routing |
PIM may be unable to resolve outbound interface of multicast route when unicast route lookup fails. |
PRJ-7491, |
Routing |
In some scenarios, the CLISH command for PBR results in an error. |
PRJ-9073, |
Routing |
In some scenarios, a corrupted BGP AS4_PATH attribute value may result in an invalid, long BGP update that is rejected by the BGP peer. |
PRJ-10180, |
SecureXL |
In a rare scenario under heavy load, SecureXL crash may be experienced. |
PRJ-9126, |
SecureXL |
NEW: Added acceleration support for Ethernet Over IP Tunneling (EOIP). EOIP is RFC 3378 protocol # 97 used between Wireless AP and Wireless Cisco controller. |
PRJ-8984, |
SecureXL |
When NAT-T packets pass through a Security gateway, this traffic may be dropped. |
PRJ-10805, |
Gaia OS |
CVE-2020-8597: pppd is vulnerable to buffer overflow. Refer to sk165875. |
PRJ-9038, |
VPN |
Connectivity improvement of IPSec tunnels when IKEv2 is configured. |
PRJ-11034, |
VPN |
In some scenarios, VPN traffic distribution change may cause high CPU consumption on one CPU core. Refer to sk165853. |
Take 141 Released on 20 February 2020 and declared as General Availability on 3 March 2020 |
||
PRJ-9975, |
Security Gateway |
In a rare scenario, a non-HTTP traffic on port TCP/80 is dropped. |
PRJ-10117, |
Application Control |
In some scenarios, when Application Control and HTTPS Inspection are enabled and detailed or extended log is used, applications may not be matched correctly. |
PRJ-5529, |
CloudGuard |
In some scenarios, centrally distributed license disappears from CloudGuard Gateways. Refer to sk151794. |
Take 138 Released on 10 February 2020 |
||
PRJ-9053, |
Security Management |
In a rare scenario, the FWM process will utilize 100% CPU, and connections to SmartConsole may fail. |
Take 135 Released on 23 January 2020 |
||
PRJ-8216, |
Security Management |
Management HA synchronization fails with error "Failed to export data" on Multi-Domain Management or Security Management server environment with at least 3 machines. Refer to sk164792. |
Take 134 Released on 14 January 2020 |
||
PRJ-7660 |
Upgrade Tools |
In some scenarios, migration with R80.20 Migration Tool fails with "Database export was done with migration tools for different version" error. |
PRJ-6821, |
Upgrade Tools |
In some scenarios, cannot export a database using the migration tools of the current version while there are open sessions in the database. |
PRJ-3378, |
Security Management |
In a rare scenario, the $CPDIR/tmp/ directory is filled with "CKP_mutex::_opt_CPsuite-RXX_fw1_log__..." files. Refer to sk36754. |
PRJ-5494, |
Security Management |
NEW: Added the policy verifier memory enhancement and additional debugging options. Refer to sk162453. |
PRJ-4970, |
Security Management |
In some scenarios, disconnected sessions with no changes or locks appear in SmartConsloe session view. |
PRJ-3038, |
Security Management |
In some scenarios, the Management Server takes a long time to start or even fails to start. |
PRJ-8094, |
Security Management |
In some scenarios, policy installation fails when installation target is Check Point Host. |
PRJ-7917, |
Security Management |
When installing policy to a Cisco router, an automatic ACL number change may cause networking issues. |
PRJ-7412, |
Security Management |
In a rare scenario, all users connected to the Management Server get disconnected and new logins fail until the Management Server is restarted. |
PRJ-5096, |
Security Management |
When an administrator edits the description of a revision, he becomes the publisher of the revision. |
PRJ-7039, |
Security Management |
The 'fwm sic_reset' command does not print which object still has an IKE certificate. |
PRJ-7105, |
Multi-Domain Management |
The cma_migrate may fail if the IPS version does not exist on the R80.x Multi-Domain Management Server. |
PRJ-7832, |
Multi-Domain Management |
In some scenarios, upgrade of R7x secondary Multi-Domain Management Server or Multi-Domain Log Server fails. |
PRJ-6694, |
Multi-Domain Management |
Improved Domain/CMA logs visibility. |
PRJ-4261, |
SmartConsole |
When performing login using mgmt_cli as root admin (with '-r' set to "true"), session timeout is not set. |
PRJ-6842, |
SmartConsole |
NEW: Added integration of Management API with Ansible 2.9. For more info, see: https://galaxy.ansible.com/check_point/mgmt |
PRJ-7944, |
SmartConsole |
In some scenarios, when running the "show-mdss" command with "details-level full" option, not all Domains are retrieved. |
PRJ-6941, |
SmartConsole |
In a rare scenario, policy installation fails with "Policy installation had failed due to an internal error". Refer to sk163482. |
PRJ-6643, |
SmartConsole |
In some scenarios, administrator cannot open the 'RemoteAccess' - VPN community object for editing. |
PRJ-6933, |
SmartConsole |
Threat prevention policy installation may include wrong topology warning on VSX cluster interfaces. |
PRJ-5373, |
SmartConsole |
In Multi-Domain environment, IPS protections become staging on each domain after global policy assignment while the protection does have override/staging status in the global domain. |
PRJ-2437, |
SmartConsole |
When disabling NAT for a network object and searching for the NAT IP address, the network object is still shown as part of the search results even though it should not be. |
PRJ-6046, |
Security Gateway |
Improved misleading log for connections that terminate before detection. |
PRJ-5889, |
Security Gateway |
In some scenarios, enabling the Multi-Queue on a line card enables the Multi-Queue also on the on-board interfaces. Refer to sk162622. |
PRJ-7486, |
Security Gateway |
Connectivity issues on some HTTPS sites (as login pages) when Security gateway is configured as proxy. Refer to sk147878. |
PRJ-8196, |
Security Gateway |
Since R80.20, in some scenarios, predictable TCP sequences are generated by the Security Gateway. Refer to sk164775. |
PRJ-7869, |
Security Gateway |
Improved DNS caching and negative DNS response handling. |
PRJ-8097, |
Security Gateway |
Improved a Proxy connectivity while Anti-Virus Blade works in Hold mode. |
PRJ-7338, |
Security Gateway |
In a rare scenario, Security gateway may crash. |
PRJ-7243 |
Security Gateway |
In some scenarios, connectivity issues may appear when ISP redundancy is configured. |
PRJ-7751, |
Security Gateway |
In some scenarios, no SIC after applying the ICA certificate replacement procedure. |
PRJ-7622, |
Logging |
In a rare scenario, when exporting logs to Excel, the resulted file is smaller than expected. |
PRJ-7814, |
Logging |
In a rare scenario involving multiple disconnections and reconnections between Security gateway and Log Server, connection is not automatically restored and logs may not be written locally. Refer to sk164852. |
PRJ-6854, |
Logging |
In a rare scenario, the "Logs & Monitor" view in SmartConsole freezes while scrolling down the results. |
PRJ-6639, |
Logging |
In some scenarios, the user cannot see his Check Point logs in the LogRhythm platform using Log Exporter. |
PRJ-5880, |
QoS |
QoS Time Objects are not enforced in R80.20. Refer to sk163074. |
PRJ-1020, |
DLP |
DLP activation was optimized to reduce the CPU consumption. |
PRJ-8195, |
URL Filtering |
In some scenarios, HTTPS traffic is not categorized as expected. |
PRJ-7718, |
Application Control |
In some scenarios, HTTP traffic is blocked with "HTTP parsing error occurred (2)" and "parameters are undecodable in request" errors. Refer to sk160092. |
PRJ-7637, |
ClusterXL |
The "set router-options auto-restore-iface-routes" command is now deprecated. |
PRJ-7552, |
ClusterXL |
In a rare scenario in a ClusterXL environment, SYN Defender may incorrectly drop a valid traffic. |
PRJ-2546 |
SecureXL |
In some scenarios, SNMP queries for SecureXL OIDs return incorrect values. |
PRJ-6946, PRHF-6356 |
SecureXL |
Some traffic may not pass when Policy Based Routing (PBR) and SecureXL are enabled. Refer to sk163252. |
PRJ-4827, |
SecureXL |
With SecureXL enabled, after VRRP cluster failover all TCP connections become expired. Refer to sk162052. |
PRJ-7560, |
SecureXL |
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. Refer to sk147093. |
PRJ-6747, |
SecureXL |
In a rare scenario, FTP Data connections do not pass while SYN Defender is active and enforcing. |
PRJ-6750, |
SecureXL |
Drop templates are not disabled for USFW (User space Firewall mode). |
PRJ-1544, |
Gaia OS |
In some scenarios, the VSX Management fails to be properly restored from backup. |
PRJ-6789, |
Gaia OS |
"Gaia Web-UI recognized a non-valid input data" error when creating a scheduled backup in WebUI via SCP or FTP with special characters used. |
PRJ-6589, |
Gaia OS |
16000 and 26000 Appliances with CPAC-4-1/10F-C NICs (using i40e driver) connected to some specific Cisco switches are flapping. Refer to sk163267. |
PRJ-7406, |
Routing |
When MaaS tunnels are added, the ROUTED process may unexpectedly exit. |
PRJ-6577, |
Routing |
For compliance and interoperability with BGP peers implementing older RFC, no BGP capability is advertised if peer does not advertise it first. |
PRJ-5883, |
VSX |
The "vsx_util vsls" command does not display in full the long names of the VSX server name. Refer to sk163073. |
PRJ-6964, |
VSX |
In some scenarios, when running the 'cphaprob show_bond' command, one of the bond's subordinates may be missing from the output. Refer to sk163333. |
PRJ-3403, |
VPN |
SmartView Monitor VPN tunnel status may show incorrect or missing tunnels status for a cluster object. |
PRJ-1993, |
VPN |
NEW: Improved supernetting handling with 3rd party peers in IKEv2. |
PRJ-7265, |
VPN |
In some scenarios, connectivity issue may appear in VPN and HTTPS portals. Refer to sk109140. |
PRJ-7121, |
VPN |
Packets from SSL Network Extender are dropped: "Reason: decrypted and user methods are not identical (VPN Error code 01)". Refer to sk163636. |
PRJ-2603, |
VPN |
If the VPN tunnel is configured with GCM ciphers for Phase 2, encrypted traffic may be dropped. Refer to sk152832. |
PRJ-7182, |
CloudGuard |
Public IP addresses for Virtual Machines and Virtual Machines Scale Sets may be missing. |
PRJ-7065 |
CloudGuard |
In some scenarios, subnet objects may not contain all the relevant IP addresses for VMSS VMs. |
PRJ-7381, |
CloudGuard |
During a license pool creation, when a Blade service is shared between different licenses, the vsec_lic_cli tool may create multiple pools instead of one. |
PRJ-5940, |
Endpoint Security |
NEW: Added the feature to use epmCommands with object nids. |
PRJ-5754, |
Endpoint Security |
Endpoint Management may fail on FileVault recovery for MacOS clients when a computer re-joins a domain. |
PRJ-5942, |
Endpoint Security |
Some messages in self-help portal are not properly localized in Japanese. |
PRJ-7302, |
Mobile Access |
In a rare scenario, when Mobile Access Blade is enabled, Security gateway may crash with vmcore. |
Take 127 Released on 3 December 2019 |
||
PRJ-4929, |
Upgrade |
In some scenarios, the FWM process fails to start after a successful upgrade with the "Found an indication that the current domain was migrated, and the migration had failed. Cannot start after a migration failure" message in fwm.elg file. |
PRJ-5664, |
Security Management |
In some scenarios, purge revisions fails and blank lines, that cannot be deleted, appear in SmartConsole Revisions view. Refer to sk163116. |
PRJ-5660, |
Security Management |
Blank lines may appear in SmartConsole Purge Revisions view after purging a large database> |
PRJ-4834, |
Security Management |
The FWM process may unexpectedly exit when an incorrect license SKU with a specific format is applied. |
PRJ-5756, |
Security Management |
High Availability synchronization between Management Servers may fail when there is no enough disk space in the root partition. |
PRJ-4728, |
Security Management |
After deleting a network object that is part of a network group, the audit log of the group modification does not show who is the removed member. Refer to sk164057. |
PRJ-5412, |
Security Management |
In some scenarios, policy Installation fails with "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk162855. |
PRJ-5556, |
Security Management |
In some scenarios, policy installation fails with "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000117)". Refer to sk162554. |
PRJ-5655, |
Security Management |
In some scenarios, cpm_status.sh reports incorrect CPM status. Refer to sk162633. |
PRJ-4874, |
Security Management |
In some scenarios, when setting or modifying the Email/Phone fields of an administrator, the old values still appear at the bottom pane under "View Sessions" instead of the updated values. |
PRJ-5426, |
Security Management |
In some scenarios, policy fetch fails if name of the Security gateway that tries to fetch this policy is not defined in DNS. Refer to sk150472. |
PRJ-3392, |
Multi-Domain Management |
Objects on Domain level that should be shown on the Multi-Domain Server level, sometimes are not shown correctly. |
PRJ-6669, |
Multi-Domain Management |
In some scenarios, traffic outage may happen after policy installation from Multi-Domain SmartConsole. Refer to sk163712. |
PRJ-6992 |
Multi-Domain Management |
The Gaia restore of Multi-Domain Server fails when using Take 103, 117 and 118 of R80.20 Jumbo Hotfix Accumulator. Refer to sk163473. |
PRJ-4665, |
Multi-Domain Management |
The FWM process may unexpectedly exit when there is no valid license on the Multi-Domain Server. |
PRJ-103, |
SmartConsole |
Cannot delete Global Host object from the Global Domain if the name matches the name of Multi-Domain Management. Refer to sk151192. |
PRJ-5526, |
SmartConsole |
In some scenarios, applying "Where used" from the local Domain on an object that is used in global policies, may return results from the global policies that are not assigned to the local Domain. Refer to sk162753. |
PRJ-3949, |
SmartConsole |
In a rare scenario, when editing a Star VPN community, SmartConsole terminates. |
PRJ-6127, |
SmartConsole |
In some scenarios, the "Installed IPS Version" information is empty in the "Gateways and Servers" view. |
PRJ-1676, |
SmartView |
In some scenarios, Hit Count on specific rules does not increment after they were recently created or re-ordered. Refer to sk138033. |
PRJ-5629, |
SmartView |
In SmartView, when exporting logs to Excel after drill-down, the amount of logs is less than expected. Refer to sk162621. |
PRJ-4201, |
Logging |
NEW: Added support for "SmartView for QRadar" extension. Refer to sk122323. |
PRJ-5295 |
Logging |
NEW: Added new Log Exporter feature to export links to the relevant log and log attachments (such as Forensics\TE report). |
PRJ-870, |
Logging |
In a rare scenario, SmartConsole does not show indexed logs because the LOG_INDEXER process stopped working. Refer to sk152934. |
PRJ-4964, |
Logging |
In a rare scenario, a specific log fails to be written and an alert informing on this is displayed in SmartConsole. |
PRJ-5936, |
Logging |
In some scenarios, when retrieving the UserCheck logs, FWD process on the Security gateway may unexpectedly exit. |
PRJ-1157, |
Logging |
In SmartView, if a view contains 2 map widgets, one displaying source countries and the other displaying destination countries, drilling down on one of them may display incorrect data. |
PRJ-5783, |
Compliance |
In some scenarios, the Compliance Blade treats a non-existing rule as if it was a real rule and shows the rule index in the Firewall Best Practices relevant objects. |
PRJ-5316, |
Security Gateway |
In a rare scenario, Security gateway freezes when IP pool NAT and VPN are used. Refer to sk165953. |
PRJ-5810, |
Security Gateway |
In some scenarios, traffic is dropped with 'up_transaction_notify_clob failed' error in dmesg when Application Control is enabled. |
PRJ-1871, |
Security Gateway |
In some scenarios, when using Hide NAT with GRE tunnel, packets going through this GRE tunnel may get dropped. Refer to sk154492. |
PRJ-5432, |
Security Gateway |
Non-FQDN domain objects may not be enforced correctly when used in the Access policy along with updatable objects. |
PRJ-1700, |
Security Gateway |
In some scenarios, the /var/log/messages file is flooded with ICAP related errors. |
PRJ-5987, |
Security Gateway |
In a rare scenario, some commands on Security gateway fail and traffic may be dropped. |
PRJ-5869, |
Security Gateway |
In a rare scenario, Security gateway crashes when proxy is enabled. |
PRJ-4106, |
Security Gateway |
In some scenarios, logs cannot be seen because the LOG_INDEXER process stopped working. |
PRJ-5085, |
Security Gateway |
Access Rule Base may not be enforced properly when wildcard objects are used in source and destination columns. Refer to sk162692. |
PRJ-4748, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits during debug. |
PRJ-3349, |
Security Gateway |
In some scenarios, a designated interface may drop packets. |
PRJ-6660, |
Security Gateway |
Performance enhancement for gzip traffic on VSX environment. |
PRJ-2989, |
Security Gateway |
In some scenarios, traffic is dropped with "[ERROR]: network_classifier_handle_dag: failed to get uuid of DAG bogus_ip" error in dmesg. |
PRJ-5483, |
Security Gateway |
NEW: Enhancement: NAT port exhaustion logs mechanism was updated. Refer to sk156852. |
PRJ-1782, |
SSL Inspection |
NEW: Added support of RDP over SSL inspection as part of Inbound HTTPS Inspection Blade. (Relevant for Remote Desktop Protocol Vulnerability CVE-2019-0708.) |
PRJ-5468, |
HTTPS Inspection |
In some scenarios, several applications are not matched correctly when HTTPS Inspection enabled and URL Filtering is in HOLD mode. |
PRJ-5610, |
HTTPS Inspection |
In a rare scenario, Security Gateway may crash during non-compliant HTTP traffic. |
PRJ-5490, |
URL Filtering |
NEW: Improved scalability and resiliency of URL Filtering service. |
PRJ-7463, |
IPS |
Cannot update the Geo Policy IPToCountry database on Security Gateways. Refer to sk163672. |
PRJ-4359, |
SecureXL |
In a rare scenario, Security gateway may crash if cpinfo reads from the /proc/ppk/cpls directory before SecureXL is initialized. |
PRJ-6107, |
SecureXL |
In some scenarios, connection does not to expire correctly when NAT and some Software Blades are enabled. |
PRJ-4782, |
SecureXL |
NEW: "sim if" and "sim nonaccel" commands will be deprecated. Instead, "fwaccel if" and "fwaccel nonaccel" commands will be used to accommodate multiple SecureXL instances. |
PRJ-1251, |
SecureXL |
On cluster, Drop templates are disabled on reboot. Refer to sk153412. |
PRJ-7175 |
SecureXL |
Cannot configure or use the "SecureXL Fast Accelerator" feature after installing R80.20 Jumbo HotFix Take 117 or 118. |
PRJ-6099, |
SecureXL |
In some scenarios, SecureXL drops TCP packets with "Out of state" reason. |
PRJ-4590, |
ClusterXL |
In some scenarios, arp table is not synchronized with master MAC address after fail-over. |
PRJ-5895, |
Endpoint Security |
Exported from SmartEndpoint .xlsx files may produce a warning when opened in Excel. |
PRJ-586, |
Endpoint Security |
In some scenarios, SmartEndpoint shows "Unknown Error" when trying to open the "User and Computers" Tab "Top Bots" and software deployment by policy reports. Refer to sk151932. |
PRJ-2915, |
Endpoint Security |
In some scenarios, when searching for a machine in SmartEndpoint and selecting it, a "Server Error" message appears. Refer to sk158432. |
PRJ-2322, |
Endpoint Security |
If there is a large amount of devices which are going to be removed from the Deleted Container, the server may fail to process the epmCommands, returning "FATAL: remaining connection slots are reserved for non-replication superuser connections" error. |
PRJ-6055, |
Gaia OS |
A network interface may restart when changing its properties from WebUI if the interfaces configuration was performed via CLISH. |
PRJ-6685, |
Gaia OS |
In some scenarios, Gaia restore on Multi-Domain Server fails with error "failed to edit update registry". Refer to sk163312. |
PRJ-1260, |
Gaia OS |
CPD process may unexpectedly exit when attempting to query sensor values on Smart-1 525, Smart-1 5050 and Smart-1 5150 appliances. |
PRJ-6037, |
Gaia OS |
In some scenarios, the Smart-1 3150 appliance becomes unresponsive after enabling the optical interface.
|
PRJ-407, |
Gaia OS |
In some scenarios, Smart-1 405 and 410 appliances may show high voltage due to incorrect VBat thresholds. |
PRJ-3361 |
Gaia OS |
'|' and '-' characters cannot be used in the message banner. |
PRJ-963, |
Gaia OS |
In some scenarios, user cannot access terminal from WebUI in monitor role mode. |
PRJ-5999, |
Routing |
In a rare scenario, last two (or more) nexthops of a BGP ECMP route disappear simultaneously and are not removed from the forwarding database. Refer to sk153552. |
PRJ-6109, |
Routing |
In a rare scenario, the ROUTED process may unexpectedly exit during ClusterXL failover when BGP is configured. Refer to sk165682. |
PRJ-3613, |
Routing |
In some scenarios, OSPFv3 LS updates of the default route are not accepted by the Security gateway for Stub/TSA areas. Refer to sk161472. |
PRJ-6061, |
Routing |
In a rare scenario, the routed process may unexpectedly exit when a route with a local address as a nexthop is received. |
PRJ-4848, |
Routing |
In some scenarios, legitimate subnets of 0.0.0.0 (for example 0.0.0.0/1) cannot be configured for certain routing features, like static routes, PBR, routemaps, etc. |
PRJ-4675, |
VSX |
VSX configuration cannot not be applied after upgrade from R77.x to R80.x, due to duplicated VSX routes. |
PRJ-5921, |
VSX |
In some scenarios, IGMP traffic is dropped by "local interface address spoofing" in VSX HA. Refer to sk162953. |
PRJ-4647, |
VPN |
In some scenarios, traffic is not working over Site-to-Site VPN after an upgrade. |
Take 118 Released on 27 October 2019 and declared as General Availability on 4 November 2019 |
||
PRJ-6085, |
ClusterXL |
After installing Jumbo HotFix Take 117 only on a standby member, it's outgoing traffic does not pass. |
Take 117 Released on 27 October 2019 |
||
PRJ-2725, |
Upgrade |
Added a pre-upgrade verification that Global network objects with NAT configuration are not supported. |
PRJ-3605, |
Security Management |
Added ability to automatically determine the API process memory allocation to avoid "Out of memory" errors. Refer to sk119553. |
PRJ-2983, |
Security Management |
In some scenarios, the show generic-objects API command fails with "Management Server failed to execute command". Refer to sk157693. |
PRJ-2338, |
Security Management |
In some scenarios, user cannot discard or publish a worksession, receiving the general message "Internal error". |
PRJ-4305, |
Security Management |
Added a mechanism to prevent the Management Server from starting if an import process was interrupted. |
PRJ-3872, |
Security Management |
In some scenarios, size of the shadow_object.C file increases after each policy installation, eventually causing a failure in installing a policy. |
PRHF-3242, |
Security Management |
In a rare scenario, the policy verifier ignores rules with object named "Internet" used with negate operator. |
PRJ-4515, |
Security Management |
Cannot export a .pdf file from the Licence inventory view after Jumbo HotFix installation on the Management server. |
PRJ-1374, |
Security Management |
High Availability synchronization between Management Servers fails with "Couldn't get peers for peers ids" message in the cpm.elg file. |
PRJ-4240, |
Security Management |
When many users are connected to and actively working in the same domain in SmartConsole, they may experience:
|
PRJ-3690, |
Security Management |
New policy creation may fail when there are no installation targets defined in this policy. |
PRJ-5025, |
Security Management |
In some scenarios, policy verification process fails after reaching memory size of 4GB. Refer to sk161412. |
PRJ-1517, |
Security Management |
Performance and stability improvements in large High Availability setups. |
PRJ-2646, |
Security Management |
In a rare scenario, the Security Management server does not start due to a missing object, or a duplication of objects. |
PRJ-5250 |
Multi-Domain Management |
NEW: Added the Domain Management Migration, Backup and Upgrade feature:
For more information see sk156072. |
PRJ-2787, |
Multi-Domain Management |
In some scenarios, upgrade from R80 fails due to an internal error related to deprecated application objects. Refer to sk157752. |
PRJ-3880, |
Compliance |
In some scenarios, some of the Best Practices show "N\A" status in the Compliance Blade dashboard. |
PRJ-2644, |
Logging |
Running views and reports with a filter fails if the filter contains a "NOT" operator combined with parentheses. |
PRJ-395, |
Logging |
In some scenarios, lea_session processes consume 100% CPU causing the machine to slow down. Refer to sk142632. |
PRJ-1324, |
Logging |
In some scenarios, when running mdsstart, the following error message is shown: "/opt/CPSmartLog-R80.20/bin/smartlogstop: line 65: /opt/CPmds-R80.20/customers/<name>/CPSmartLog-R80.20/log/smartlogRun.log: No such file or directory". |
PRHF-4497, |
Logging |
In some Full HA environment scenarios, the "Logserver <Cluster virtual IP> is disconnected" error pops up in SmartConsole log view. |
PRJ-1310, |
Logging |
In the Logs & Monitor view, the "File size" field is missing from the logs generated by Media Encryption & Port Protection Blade. Refer to sk157952. |
PRHF-4975, |
Logging |
In some scenarios, when exporting logs with "Visible columns" option selected from SmartView, some columns return empty record. Refer to sk161712. |
PRJ-3642, |
Logging |
In some scenarios, when SAM activity is defined and a Log server receives a high amount of packets, the FWD process on the Log server unexpectedly exits. |
PRJ-3011, |
Logging |
In some scenarios, the log maintenance mechanism deletes the earliest logs due to mistake in Emergency mode maintenance. Refer to sk163813. |
PRJ-3363, |
Multi-Domain Management |
In some scenarios, Administrator does not see that a revision was created in its Domain (on Domain level) after a Global policy was assigned to it. |
PRJ-798 |
Multi-Domain Management |
In some scenarios, the "Unable to connect to server. Please make sure the server is up and running." error appears when trying to log into single Domain from SmartConsole. Refer to sk153293. |
PRJ-3687, |
Multi-Domain Management |
"dleserver.utils.UidManager" errors on cma_migrate failure on Multi-Domain Server upgraded from R80. |
PRJ-4413, |
Multi-Domain Management |
In a rare scenario, FWM process unexpectedly exits on the Domain level during login. |
PRJ-1881, |
SmartConsole |
In some scenarios, user cannot delete a VS object since it is referenced by an automatically generated exception rule. Refer to sk167272. |
PRJ-4135, |
SmartConsole |
Administrators with "\" in their username receive the "Error Occurred" pop-up when trying to view a packet capture. Refer to sk140992. |
PRJ-4430, |
SmartConsole |
In some scenarios, when there is a large quantity of unused permission profiles in the system, the CPM server takes a long time to start. |
PRHF-2194, |
SmartConsole |
In some scenarios, Client certificate is removed when deleting Domain that is included in certificate's permissions. |
PRJ-1969, |
SmartConsole |
In setups with a large quantity of network object, users may experience slowness when editing the HTTPS Inspection policy. Refer to sk147134.
|
PRJ-4531, |
SmartConsole |
In a rare scenario, the DNS Maximum Reply Length IPS protection is not enforced.
|
PRJ-3869, |
SmartConsole |
In a rare scenario, when user clicks on Mail Transfer Agent (MTA) options in the Security gateway settings or on 'Next hop' column inside MTA settings, SmartConsole shows "Not Responding" and freezes. Refer to sk161232
|
PRJ-777 |
SmartConsole |
In a rare scenario, the FTP Bounce, Port Overflow and Known Ports IPS protections are not enforced.
|
MCFG-199, |
SmartProvisioning |
SmartUpdate generates audit log even when no action was taken. |
PROV-2068, |
SmartProvisioning |
In some scenarios in SmartProvisioning:
|
PRJ-5512, |
Security Gateway |
In some scenarios, fw monitor on Security gateway shows some packets that are handled by SecureXL and not FireWall-1. |
PRJ-5502, |
Security Gateway |
In a rare scenario, using "kill" or pressing Ctrl+C on the "fw monitor" process does not finish it. |
PRJ-5509, |
Security Gateway |
In some scenarios, fw monitor fails to show IPv6 traffic in SecureXL. |
PRJ-5504, |
Security Gateway |
In some scenarios, the "fwmonitor_kiss_add_to_global_buf: all the buffers are full" error is displayed even after the heavy traffic is stopped. |
PRJ-5506, |
Security Gateway |
In a rare scenario, Secure Network Distributor (SND) consumes high CPU when running fw monitor. |
PRJ-5507, |
Security Gateway |
In some scenarios, when running "fw monitor" with "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed. |
PRJ-5503, |
Security Gateway |
In some scenarios, incorrect chain number and name are displayed by "fw monitor -p all". |
PRJ-5497, |
Security Gateway |
Added ability for fw monitor to support monitoring traffic on Acceleration Card. |
PRJ-4310, |
Security Gateway |
In some scenarios, a remote client disconnects after one hour although the session is not idle. Refer to sk160213. |
PRJ-770, |
Security Gateway |
In a rare scenario, memory usage may rise on Security gateway, when using service with resource with "Optimize URL logging" feature enabled. Refer to sk153052. |
SWG-2174, |
Security Gateway |
Some Web sites cannot be opened when Content Awareness or Anti-Virus/Anti-Bot is enabled, and Security gateway is configured as proxy. |
PRJ-2918, |
Security Gateway |
In a rare scenario, Security gateway may crash due to NULL pointer dereference. |
PMTR-40937, |
Security Gateway |
In some scenarios, VoIP traffic is dropped with "allocate_port_impl: could not find a free port;" error in dmesg. |
PRJ-697, |
Security Gateway |
In a rare scenario, Security gateway crashes during QoS policy installation. |
PMTR-35854, |
Security Gateway |
In a rare scenario, changing the xmit-hash-policy of the bonding group while machine handling traffic, causes it to crash. Refer to sk154573. |
PRJ-4806, |
Security Gateway |
Added ability to enable NAT over specific IP address avoiding a source port allocation. |
PRJ-1016, |
Security Gateway |
In some scenarios, packets with TTL1 are dropped when using security zones in the Access rulebase. |
PRJ-3562, |
Security Gateway |
Disabling connections timestamp does not work on active streaming connections. Refer to sk62700. |
PRJ-4760, |
IPS |
In some scenarios, IPS update fails as a result of error in management server installation. |
PRJ-3766, |
Content Awareness |
In some scenarios, when the Content Awareness Blade is enabled, uploading files via ShareFile stucks at 100%. |
PRJ-5764 |
HTTPS Inspection |
Improved TLS implementation for TLS Inspection and Categorization - Server Name Indications (SNI). TLS 1.2 support for additional cipher suites:
In addition, improved the fail open/close mechanism and logging for validations. For the complete list of supported cipher suites, see sk104562. |
PRJ-4839, |
SSL Inspection |
In a rare scenario, when SSL Inspection is enabled and there is big latency, Microsoft websites (for example Azure) may not respond. Refer to sk150175. |
PRJ-3368, |
Threat Prevention |
Deleting a Threat Prevention profile may fail if the IPS profile has many overrides. Refer to sk136552. |
PRJ-689, |
Application Control |
In some scenarios, custom Application Object that was initiated with wrong "Application Risk" value may cause connectivity problems. Refer to sk140892. |
PRJ-4517, |
ClusterXL |
Added support for Cluster Load Sharing without IPSec VPN. To enable the support, refer to sk162637. |
PRJ-1205, |
ClusterXL |
In some scenarios, after adding a vlan to the subordinate bond cluster member may go down. |
PRJ-3298, |
ClusterXL |
In some scenarios, when changing cluster topology and installing the policy, the cluster fails over. Refer to sk156335. |
PRJ-3315, |
ClusterXL |
In some scenarios, pushing policy in order to update the cluster topology during high load, causes the members to fail-over. Refer to sk154575. |
PRJ-480, |
ClusterXL |
In some scenarios, the xmit-hash-policy of a Bond interface with the vlan causes the cluster member to go down. Refer to sk151412. |
PRJ-3294, |
CoreXL |
In a rare scenario, custom affinity configuration is overwritten when HT is enabled. Refer to sk158112. |
PRJ-1201, |
SecureXL |
In some scenarios, Policy Based Routing (PBR) does not work properly when acceleration is enabled. |
PRJ-3598, |
SecureXL |
In a rare scenario, a VSX gateway may crash. Refer to sk160912. |
PRJ-1640, |
SecureXL |
In some scenarios, packets with IP options are not forwarded across bridge interfaces. Refer to Issue #3 in sk154892. |
PMTR-40703, |
SecureXL |
In some scenarios, sending IP fragmented traffic through a Virtual Switch or Virtual Router fails with "Virtual defragmentation error". |
PRJ-2114, |
Routing |
In a rare scenario, the Standby member of ClusterXL incorrectly calculates the routing protocol priorities, causing the routes to be synchronized in the wrong way. |
PRJ-306, |
Routing |
In some scenarios, Routed Pnote in 'Problem' state and ClusterXL member is down after enabling OSPF. Refer to sk123317. |
PRJ-307, |
Routing |
Enhancement: Improved the memory handling mechanism in Routed. |
GAIA-4695, |
Gaia OS |
When running "service vmtoolsd restart" command on Gaia installation with VMware, the "Installing memory driver: FATAL: Module vmmemctl not found. [FAILED]" error is displayed although the vmw_balloon.ko driver is loaded. |
PRJ-3793, |
Gaia OS |
Enhancement: The maximum size of the arp table was increased to 4096. |
PRJ-440, |
Gaia OS |
"Authentication failure" error when authenticating with TACACS+ user that has special characters in their password. Refer to sk101332. |
PRJ-3625 |
Gaia OS |
On Smart-1 525/5050/5150, user cannot open the iDRAC without installing a dedicated Hotfix. |
PRJ-3141, |
Gaia OS |
In some scenarios, the IGB driver interfaces are occasionally down after reboot of a Management machine. Refer to sk135532. |
PRJ-1029, |
Gaia OS |
Changing the xmit-hash-policy of the bond may cause all static arp entries to disappear from the arp -a output. Refer to sk152892. |
PRJ-1604, |
VPN |
NEW: Connectivity enhancements for Remote Access clients using internal Office mode allocation with a long timeout. |
PRJ-4152, |
VPN |
In some scenarios, the Phase-2 negotiation fails with "Reason: Wrong value for: Encapsulation Mode" after upgrade. Refer to sk157092. |
PRJ-2874, |
VPN |
Connectivity improvement for Remote Access clients in environments with 3rd party VPN tunnels. |
PRJ-2347, |
VPN |
Remote Access client randomly disconnect / unable to connect when DHCP multi-homed server is configured. |
PRJ-2434, |
VSX |
Added the option to configure reject routes via vsx_provisioning_tool on Scalable Platforms Appliances. Refer to sk151473. |
PRJ-5304, |
VSX |
Running fw monitor with -v flag on a VSX gateway may cause the fw monitor to quit with the "Segmentation fault" error. Refer to sk162402. |
PRJ-3433, |
VSX |
In some scenarios, traffic is dropped on VSX when using SecureXL. Refer to sk160352. |
PRJ-4265, |
VSX |
In a rare scenario, machine crashes when using VSX with Virtual Switch (VSW). |
PRJ-4955, |
VSX |
In some scenarios, traffic does not pass in VSX setup with VS-VSW-VS topology and some Threat Prevention Blades enabled on VSs. |
PRJ-4683, |
VSX |
In some scenarios, running the "fw vsx resctrl monitor disable" command or disabling VSX Resource Monitor via CPView causes crash of the VSX Gateway. Refer to sk144432. |
PRJ-4960, |
Hardware |
In a rare scenario, the watchdog process of Falcon Acceleration Card unexpectedly exits. |
Take 103 Released on 26 August 2019 and declared as General Availability on 22 September 2019 |
||
PMTR-35836, |
Security Management |
"Runtime error: java.lang.String incompatible with com.checkpoint.management.web_api_is.common.multi_values.objects.MultiStringForSet" error when trying to set a tag to ICMP and ICMP6 services or set those services into a group with API command. |
PMTR-36761, |
Security Management |
A new feature for process tracking was added. If the restart occurs, a 'pstree' command is logged and the process that caused the restart can be tracked. |
PMTR-23492, |
Security Management |
Support for Internal CA certificate replacement. |
PRHF-2012, |
Security Management |
High CPU usage of fwm when SmartEvent is enabled on the Security Management Server. Refer to sk147563. |
SMCUPG-719, |
Security Management |
Deletion of Domain failed with "Could not send message" error when having large amount of gateways in the domain. The Domain remain without Domain Servers. |
PRHF-3283, |
Security Management |
In a rare scenario, a failure in policy installation causes a false "Policy installation is currently in progress" error message while there is no installation attempt. |
PRJ-1899, |
Security Management |
After opening and searching in pickers for a few times, the "error retrieving results" message appears when opening a picker. |
CPM-2300, |
Security Management |
In some rare scenarios CPM server does not start after a failure in delete domain. |
PMTR-38249, |
Security Management |
In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when dynamic object is used in access policy. |
PRHF-3514, |
Security Management |
Upgrade from R7x is failing with core file of cpdb due to an empty field in 'autoupdate_and_install_settings' object. |
PRHF-3455, |
Security Management |
Inline layers are not verified when there are no selected targets in the 'install on' column. |
RJ-1864, |
Security Management |
In some scenarios, SmartConsole unexpectedly exits while adding or removing many objects via Web API. |
PMTR-33605, |
Security Management |
In some cases on Multi-Domain environments with several servers, tasks still appear in progress after restart of the server even though they are not really running. |
PMTR-38103, |
Security Management |
In some scenarios, a validation incident about Invalid Email Address is presented in SmartConsole after upgrade from R77. |
PMTR-37924, |
Security Management |
Due to a failed full sync, FWM was restarted unexpectedly and obsolete domain sessions were used in the global policy assignment. |
PMTR-26076, |
Multi-Domain Management |
Synchronization in a Multi-Domain High-Availability setup fails post upgrade from R80 due to duplicate compliance objects. |
PRJ-1303 |
Multi-Domain Management |
When running the 'add-domain' Web API command on an existing Domain, the original Domain is deleted. |
CPM-1730, |
Multi-Domain Management |
The Multi-Domain Server database size grows significantly causing operations like 'mds restore' and HA full sync to take a long time. |
PMTR-36438, |
Multi-Domain Management |
In rare cases, if Domain deletion failed in the past, and following MDS Upgrade or MDS Restore - some objects are missing on Domain or Global level in SmartConsole. This is relevant specifically under the following cases:
|
PRHF-3783, |
Multi-Domain Management |
In some scenarios, gateways are missing in the 'Gateways and Servers' view in SmartConsole on the MDS level. |
PRHF-3300, |
Multi-Domain Management |
Multi-Domain Server processes must be stopped before running cma_migrate. |
PRJ-2386, |
Multi-Domain Management |
In a rare scenario, CPM server fails to start after successful Domain deletion. |
PMTR-36614, |
Multi-Domain Management |
The mds_backup command will generate an output file of format .tar instead of .tgz to improve the duration time of backup (mds_backup) and restore (mds_restore) of Multi-Domain Server. Refer to sk163300. |
PRJ-2421, |
SmartProvisioning |
In VPN Community managed by SmartProvisioining:
|
PRJ-2664, |
SmartProvisioning |
VPN tunnel of LSM gateway can not be established when CO gateway is managed by Security Management of higher version. Refer to sk106628. |
PRHF-3392, |
SmartProvisioning |
In VPN star community managed by SmartProvisioning, VPN tunnels may not be established after installing policy to CO gateway (center). Refer to sk152612. |
PMTR-31155, |
SmartConsole |
In some scenarios, SmartConsole terminates when installing policy on many targets at once. |
PMTR-36527, |
SmartConsole |
Redundant layers appear in the output of the 'show-package' command when Global policy holding more than one layer, is assigned to Domain. |
PRHF-3415, |
SmartConsole |
In rare scenarios, upgrade fails with "com.checkpoint.management.classes.dle.triggers.internal.VersionInfo.VersionInfo" NPE in cpm.elg file. |
PMTR-24658, |
SmartConsole |
Wrong error message displayed in SmartConsole when Domain Server cannot be deleted when it is referenced in the policy. |
PRJ-1532, |
SmartConsole |
In a specific scenario, Global policy rules may change order after Multi-Domain Server upgrade. Refer to sk155432. |
MCFG-200, |
SmartConsole |
In "Gateways and Servers" view, gateways are missing status when managing more than 1000 gateways. This fix supports statuses up to 5,000 gateways. |
PRJ-1919, |
Identity Awareness |
Security hardening for IDA enforcement according to XFF IP. |
PRJ-1926, |
Identity Awareness |
Performance improvement of Identity Awareness kernel tables for Cluster and multi-fw1 instances gateways. |
PRJ-1926, |
Identity Awareness |
In a rare scenario, identities are missing from all connected Identity Gateways (PEPs). |
IDA-1987, |
Identity Awareness |
In a rare scenario, sessions longer than 24 hours disappear from the Identity Gateway (PEP) but exist on the Identity server (PDP) |
IDA-1981 |
Identity Awareness |
Users are not propagated from the PDP to the PEP on a specific network due to a rare race condition between register and unregister requests triggered by different instances or cluster members. |
PRJ-1926 |
Identity Awareness |
The output of pep show pdp all command on the Identity Gateway (PEP) contains "inx invalid type (0)" instead of an Identity server (PDP) IP address. |
PMTR-32539, |
Identity Awareness |
Users are not authenticated when an identity source provides the login name in an 'User Principal Name' format "user@domain". Refer to sk147417 |
PRHF-2895, |
Security Gateway |
After upgrading to R80.20, it is not possible to configure an OSPF interface to have a priority of 0. |
PRJ-3735, |
Security Gateway |
In some scenarios, when a connection is accelerated and ICMP packet is sent from a server to a client, it is being dropped by Security gateway. |
PRJ-1490, |
Security Gateway |
In some scenarios, the fwk process virtual memory increases on USFW/VSX environment. Refer to sk160513. |
PRJ-604, |
Security Gateway |
In a rare scenario, ROUTED process unexpectedly exits when ECMP is enabled for both IBGP and EBGP. Refer to sk162547. |
PMTR-25754, |
Security Gateway |
Potential NAT issues when using "Hide internal networks behind the Gateway's external IP" along with destination NAT. Potential NAT issues for connections opened from templates due to route change. |
PMTR-28915, |
Security Gateway |
Possible performance impact on NAT port exhaustion scenarios. |
PRJ-3675 |
Security Gateway |
In some scenarios, when disabling the interface, large amount of "fwmultik_f2p_routing: fw_os_route_retrieve_streaming failed" error messages appears in \var\log\messages file. |
PRJ-3330 |
Security Gateway |
The Fast Acceleration feature lets you define trusted connections to allow bypassing deep packet inspection. This feature significantly improves throughput for these trusted high volume connections and reduces CPU consumption. |
PMTR-21865, |
Security Gateway |
In a rare scenario, Security Gateway may crash when sending log from FW instance with IPv6 packet. |
PRJ-2108 |
Security Gateway |
Issue with categorization of HTTPS sites over IPv6. |
PRJ-2310 |
Logging |
Log Exporter filtering feature allows to decide which logs will be exported based on values from the various fields on the raw log. |
SL-2002, |
Logging |
Running views or reports that contain the attack / attack_info fields may fail or not be completed. |
PRHF-3831, |
Logging |
In a rare scenario, the accounting of bytes in a report is not accurate. |
SL-1052, |
Logging |
In a rare scenario, when an environment has many gateways (dozens), FWM on the log server may crash when reaching to 4 GB memory. |
PMTR-37425, |
Gaia OS |
Backup task fails if SmartConsole is open during backup. |
PRJ-2173, |
Gaia OS |
Many "fwldbcast_new: too many hosts : 0" kernel messages appear in /var/log/messages file. Refer to sk153253. |
PRJ-181 |
Gaia OS |
Jumbo installation block on ISO from sk100566 |
PMTR-35299, |
Gaia OS |
Enable the user to use CLISH commands related to LOM at (Smart-1 3150). |
PRJ-2464 |
Gaia OS |
Adding 6800 appliance picture to WebUI. |
PRHF-4394, |
ClusterXL |
In a rare scenario, crash on Active member when accessing Standby member via IPv6. Refer to sk159635. |
PRHF-4105, |
ClusterXL |
In a rare scenario, the fw_workers process consumes high CPU on the Standby member of a ClusterXL. Refer to sk156333. |
PRJ-2152, |
ClusterXL |
The message "fwlddist_debug_update_op: resetting to avoid overflow" should be printed only in debug mode since it's not an error. |
PRHF-4193, |
CoreXL |
"fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312. |
GAIA-4153, |
SecureXL |
Debug for the adp module in host Performance Pack does not work. |
PRJ-630, |
SecureXL |
In some scenarios, latency is observed on the Security gateway. Refer to sk162914. |
GAIA-4855, |
SecureXL |
When IPS is enabled on VS connected to VR, HTTP traffic is not passing out of the internal Host. |
PRJ-1176 |
SecureXL |
Added sim module parameter "sim_anti_spoofing_enabled" to allow disable of anti-spoofing in Performance Pack without installing new Firewall policy. |
PRJ-1300, |
SecureXL |
In a rare scenario, multicast routing lookup may lead to SIM crash. |
PRHF-4430, |
SecureXL |
In some scenarios, TCP syn-ack packets are dropped when server is behind a hide NAT rule on a VPN interface. |
PRJ-1848 |
SecureXL |
Host destination entries memory leaking when neighbor entry is incomplete state. |
PMTR-37165, |
SecureXL |
In some scenarios, multicast traffic is not forwarded across bridge interfaces. |
PRJ-579 |
Endpoint Management |
R80.20 JHF failed to install when using Anti-Malware E2 engine for signatures update. |
PRJ-1419, |
VPN |
In some scenarios, VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment. Refer to sk154692. |
CRYPT-210, |
VPN |
After running "cpca_client re_sign_ca" and "mcc replace", SmartConsole shows the same Internal CA certificate. |
GAIA-5338, |
VPN |
In some scenarios with acceleration enabled, traffic through VR for a VPN setup does not pass. |
Take 91 Released on 10 July 2019 and declared as General Availability on 20 August 2019 |
||
PRJ-645, |
Security Management |
Added ability for R80.20 Security Management or Multi-Domain Server to manage R80.30 Security gateway. Refer to sk149272.
|
PRJ-2301, |
SmartConsole |
Added support for 16000 and 26000 appliances.
|
PRJ-2820, |
Gaia OS |
While unplugging one of the Power supply cables on Smart-1 5150/5050/525 appliances a false 'No Read' message appears for ~5 seconds in both PSUs statuses (instead of Present/Input Lost/Absence). |
Take 87 Released on 26 June 2019 and declared as General Availability on 9 July 2019 |
||
PRJ-1603, |
Security Management |
CPUSE Upgrade of Multi-Domain Server is stuck indefinitely when more than one Leading VIP interface is defined. |
PRJ-1168, |
Multi-Domain Management |
After upgrade of Multi-Domain Server from R77.x to R80.20, some of the validation incidents may not have a link to the relevant object. |
PRJ-845, |
Multi-Domain Management |
Improved duration of Multi-Domain Server upgrade from R80.10. |
PRJ-1786, |
SmartConsole |
In a rare scenario, when using "add-threat-exception" API command to empty rulebase, it fails with the "Runtime error: Index: -1, Size: 0" error. |
PRJ-1478, |
Logging |
In some scenarios, logs for a specific Management server or Domain are not displayed. Refer to sk135213. |
PRJ-1553, |
Logging |
|
PRJ-2374 |
Gaia OS |
CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192. |
PRJ-1867, |
Gaia OS |
Clish command "show system init-services" and Expert command "service --status-all" run "mdsstart" on the server. |
PRJ-766, |
CoreXL |
In a rare scenario, Security gateway may freeze when "Drop Templates" or "DOS rate" feature is enabled. |
Take 80 Released on 27 May 2019 |
||
PRJ-96, |
Security Management |
In some scenarios, the postgres.elg file grows and fills up the disk space. Refer to sk143852. |
PMTR-34832, |
Security Management |
In a rare scenario, policy installation from a previous revision fails with "Internal error". |
PMTR-27539, |
Multi-Domain Management |
False message "peer <name> failed to synchronized me" appears in Multi-Domain Server HA window although machines are successfully synced. Refer to sk151392. |
PMTR-35703, |
SmartConsole |
"Legacy URL Filtering not supported" error pops up when installing policy.. Refer to sk110116. |
PMTR-25295, |
SmartConsole |
"SessionInWorkLoginException" error when using the API "discard" to discard a connected session other than the current session. Refer to sk142534. |
PMTR-30862, |
SmartConsole |
"Get Gateway Data" returns "Execution error" for cluster object in SmartUpdate. |
PMTR-29658, |
SmartView Monitor |
In some scenarios, SNX client is not seen in SmartView Monitor tracking page after connecting to the Security gateway. |
PMTR-33424, |
SmartView Monitor |
SmartView Time filter does not work correctly if the server Time Zone is different than the client Time Zone. |
PMTR-32677, |
Security Gateway |
Connectivity issues on some HTTPS sites (as login pages) when Security gateway is configured as proxy. Refer to sk147878 |
PMTR-34742, |
Security Gateway |
OpenSSL is vulnerable to Padding Oracle Timing / Side Channel Attack. |
PMTR-35948, |
Security Gateway |
Security gateway crashes in a certain rare scenario. |
PMTR-33337, |
Security Gateway |
In a rare scenario, setting interface topology to "Network defined by routes" causes policy installation failures or traffic drops. |
PRJ-378, |
Security Gateway |
In some scenarios, Security Gateway drops ICMP traffic with "fw_conn_post_inspect Reason: First server side outbound packet is an ICMP" message. |
PMTR-34114, |
Logging |
In a rare scenario, Security gateway starts to log locally even if logs are sent to backup server. |
PRJ-833, |
Logging |
In a rare scenario, cannot open new tab in SmartView after exporting data using a relative time filter. |
PMTR-34126, |
Logging |
In some scenarios, a Domain picker is displayed when logging in to the SmartView web application on a dedicated SmartEvent server. |
PMTR-34878, |
Threat Emulation |
Management Server upgrade from R80.10 to R80.20 fails in these scenarios:
Refer to sk150793. |
PMTR-31036, |
Identity Awareness |
In some scenarios during Identity Agent or Terminal Server Agent IP change, PEP database becomes corrupted. |
PMTR-35095, |
ClusterXL |
New validation added: Starting from R80.20, ClusterXL does not support Load Sharing mode. SmartConsole blocks such configuration with a warning message. |
PMTR-33209, |
ClusterXL |
Unable to access ClusterXL Standby members over an IPSec tunnel or when the connections are routed through the Active member. Refer to sk147493. |
PMTR-32708, |
SecureXL |
Security gateway forwards re-transmitted TCP reset packets although fw_disable_rst_replay property is enabled. |
PMTR-33335, |
VSX |
In a rare scenario, VSX reboots when running with 40G NICs. |
PMTR-35083, |
CPView |
In some scenarios, the CPView tool does not display any sensor information under the "Hardware Health" tab. |
PMTR-33418, |
CoreXL |
In a rare scenario, Security gateway freezes when Priority Queue is enabled. |
Take 74 Released on 14 April 2019 |
||
PMTR-36350, |
General |
Alignment to Mail Transfer Agent Engine Update. Refer to sk123174. |
PMTR-26344, |
SecureXL |
UDP packets are dropped during policy installation and the following error is displayed: "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn". Refer to sk148432. |
Take 73 Released on 8 April 2019 |
||
PMTR-31335 |
General |
Added support for 6500 and 6800 appliances. Refer to sk139932. |
PMTR-23799 |
General |
Added ability to FW Monitor to support monitoring of accelerated traffic by default. Refer to sk30583. |
PMTR-29498, |
Security Management |
Manual changes in INSPECT files under $FWDIR/lib directory of compatibility packages are not synchronized from active to standby Management servers. Refer to sk143792. |
PMTR-29853 |
Security Management |
Policy installation fails with "IPv6 addresses domain is not supported for Remote Access VPN community" message when using Domain object in Remote Access encryption domain. Refer to sk142832. |
PMTR-29923, |
Security Management |
"Error retrieving results" message is displayed in SmartConsole after searching for unused objects in Object Explorer. |
PMTR-34653, |
Security Management |
After installing R80.20 Jumbo HFA Take 33, newly created users fail to log in into local SmartView WebUI, receiving the "Invalid username and password" error. |
PMTR-23745, |
Security Management |
Unjustified validation error is displayed when installing Threat Prevention policy on Cluster object: |
PMTR-34017, |
SmartConsole |
Number of sessions in "Changes" list does not match the value of 'total'. |
PMTR-31336, |
SmartConsole |
When searching in the SmartConsole main search bar for network groups we can see some number of network groups, but the search inside the Logical Server object shows the different number of Logical server objects groups. |
PMTR-31641, |
SmartConsole |
FWM process unexpectedly exits after repeatedly clicking "Update Corporate Gateways" in SmartConsole. |
PMTR-31044 |
SmartConsole |
When an administrator publishes session for a different administrator, the name of the administrator that invoked the action will be written in the audit logs as the publisher. |
PMTR-31136 |
Mobile Access |
Mobile Access Portal Agent installation page is vulnerable for XSS attack in Chrome and Firefox. |
PMTR-29243, |
Security Gateway |
When routed syslog is enabled, the "show configuration routedsyslog" command does not show any output. |
PMTR-33631, |
Security Gateway |
In some scenarios, Security Gateway crashes when Priority Queue is enabled. Refer to sk149414. |
PMTR-34473, |
Security Gateway |
R80.20 bridge with no VLAN configuration may cause connectivity disruptions on VLAN-tagged traffic passing through it. |
PMTR-30245, |
Security Gateway |
In rare scenarios, Security Gateway crashes during file upload to Google drive when Content Awareness Blade is enabled. |
PMTR-33140, |
Security Gateway |
In a rare scenario, TCP segments of HTTPS payload are missing in Mirror and Decrypt designated interface. |
PMTR-33559, |
Security Gateway |
Users are not matched to access roles with nested LDAP groups or LDAP groups with filter. |
PMTR-31049, |
Security Gateway |
Group update request is sent specifically to the originator LDAP server even if it is down. Refer to sk127833. |
PMTR-26374, |
Security Gateway |
Added support for ICAP client working with Symantec DLP ICAP server. |
PMTR-27196, PMTR-24606 |
Security Gateway |
Starting from SmartConsole Build 46, added automatic Implied Rule for ICAP Server to allow connectivity with trusted ICAP clients. |
PMTR-31315, |
Logging |
In a rare scenario, TCP state information is not displayed in the log despite being enabled in SmartConsole. |
PMTR-32876, |
UserCheck |
Potential memory leak in rare scenarios when UserCheck is used on HTTP connection. |
PMTR-30599 |
UserCheck |
When switching from manual expiration date in User Template to "According to global properties", the actual expiration date is not changed. |
PMTR-31422 |
Threat Extraction |
When configuring scrub_additional_file_types to "all" and enabling block_unsupported_files, file types that have no extension are not stripped. |
PMTR-30657 |
Identity Awareness |
When X-Forwarded-For (XFF) settings are enabled on one of the policy layers or/and on the Security gateway object, the /var/log/messages file shows errors related to asynchronous identity fetch. Refer to sk145673. |
PRHF-523, |
IPS |
Some SMTP-related IPS Core Protections remain enabled despite the IPS is disabled. |
PMTR-33238, |
IPS |
R77.x gateways managed by R80.x Security Management show that IPS Blade is enabled while it is disabled on the gateway object. |
PMTR-35032 |
VPN |
Important security update for IPSec Site-to-Site (S2S) VPN. |
PMTR-31860, |
VPN |
Connectivity improvements for certain Windows L2TP client versions. Refer to sk145895. |
PMTR-23293, |
Gaia OS |
The CLISH command "show arp table dynamic all" and Bash command "arp -an" show different entries. Refer to sk112753. |
PMTR-32129, |
Gaia OS |
Added 'pigz' and 'unpigz' binaries. |
PMTR-30225, |
Gaia OS |
Enhancement: Administrators are allowed to use personal, remotely managed password to login to Expert mode, instead of the shared "expert password". |
PMTR-28064 |
SecureXL |
In some scenarios, virtio_net is not able to run multiqueue. |
PMTR-33811, |
CPView |
"Connections from templates" property shows incorrect value Network tab ->Traffic-> Templates of CPView. |
PMTR-29063, |
Endpoint |
"User was not authenticated" errors in Capsule Docs when activating Single Sign-On in the policy. |
PMTR-30683, |
Compliance |
The grc_conditions3.xml and grc_controls.xml files in R80.20 are overwritten by the files of R80.10 from the Cloud. |
Take 47 Released on 24 February 2019 and declared as General Availability on 25 March 2019 |
||
PMTR-28379, |
Security Management |
Added ability to manage Check Point Maestro. |
PMTR-32183, |
Security Management |
High Availability synchronization fails on Multi-Domain Server level after Domain deletion or after updating licenses or contracts in SmartUpdate. Refer to sk151072. |
PMTR-32160 |
IPS |
Accelerated HTTP traffic may not be accelerated on an R77.10 Security Gateway managed by a Security Management server. |
Take 43 Released on11 February 2019 |
||
PMTR-27655 |
Security Management |
Values updated in resourceProfiles files to handle high CPU utilization for "Java" process (described in sk123417) are not resistant and get overridden after Jumbo Hotfix Accumulator installation or backup/restore or export/import procedures. |
PMTR-28644, |
Security Management |
Running the fwm sic_reset command from Domain Management Server fails with "reset_objects: updateMultiple failed". Refer to sk142512. |
PMTR-25816, |
Security Management |
Once user performs any change to his configuration, the Compliance Blade performs a partial scan and calculates the relevant Best practices. During this scan, exceptions of relevant objects for these Best practices are deleted. Meaning, if previously obj1 was excluded from applying Best practice #1, during partial scan obj1 will be relinked to Best practice #1. |
PMTR-32542, |
Multi-Domain Management |
|
PMTR-29670, |
Multi-Domain Management |
Upgrade of the Primary Multi-Domain Server from R80.10 fails when its Global Domain is in Standby mode. Refer to sk143892. |
PMTR-27321, |
Multi-Domain Management |
CPView is not supported on Multi-Domain Security Management environments. |
PMTR-29458, |
SmartConsole |
"Synchronization with Check Point UserCenter" feature displays "Synchronization with Check Point UserCenter requires a valid license." warning message even though all licenses are valid. |
PMTR-23395, |
SmartConsole |
If administrator updates his details (e.g. name, phone, email) and tries to publish the session, it fails with "Internal error" message.
|
PMTR-25778, |
SmartConsole |
When using Global VPN Community with permanent tunnel gateways list (matrix / permanent tunnel gateways), upgrade from R7x fails. |
PMTR-26495, |
SmartConsole |
"Error: SIC initialization failed because of failure in parsing the certificate file" error when user attempts to log in with certificate to API (mgmt_cli) with password including "!". |
API-512, |
SmartConsole |
Web API show-package fails if the package was installed on a cluster member which is already deleted. Refer to sk144132. |
PMTR-25081, |
SmartConsole |
Attempt to update Threat Emulation images fails with "Could not send Threat Emulation images update command, validate SIC connectivity and install policy with Threat Emulation enabled for [name]" message. |
PMTR-28877, |
SmartConsole |
The existing regulation is not updated and appears as "EU Data Privacy" instead of "GDPR". |
PMTR-28488, |
Security Gateway |
Traffic is dropped when using non-FQDN Domain object in Security policy. |
PMTR-28593, |
Security Gateway |
Added support for NAT on payload of H323 packets when different IP addresses are used for payload and control. |
PMTR-28197, |
Security Gateway |
No service enforcement when creating "Other services" without match expression for TCP, UDP or SCTP. |
PMTR-27663, |
Threat Emulation |
Added ability to update Threat Emulation file types in an offline environment. |
PMTR-26022, |
HTTPS Inspection |
When HTTPS Inspection is enabled and "Hide X-Forwarded-For in outgoing traffic" option is selected, the XFF header is not obfuscated on HTTPS traffic. |
PMTR-27702, |
HTTPS Inspection |
Potential memory leak due to "Out of state" HTTP response. |
PMTR-30868, |
HTTPS Inspection |
In some scenarios, connectivity issues between Capsule Workspace and Security gateway. |
PMTR-27367, |
Identity Awareness |
In some scenarios, Identity Agent fails to authenticate using Kerberos SSO due to very large Kerberos ticket and the agent fallback to User/Password authentication. |
PMTR-28368, |
Anti-Malware |
During upgrade, if Anti-Virus is enabled, all emails are stuck in MTA queue due to missing certificate. |
PMTR-30218, |
IPS |
The "A general error has occurred" message is displayed when trying to change the IPS protection configuration in "MySQL -> General settings". |
PMTR-26141, |
SSL Inspection |
Added support for custom extension used by Apple. |
PMTR-30550, |
Logging |
Exporting 100K or more logs to Excel from SmartView fails. |
PMTR-30609, |
Logging |
In rare scenarios, when the Log server miscalculates the available disk space, it may stop receiving logs from the connected gateways and cause the logs to accumulate locally on the Security gateway. |
PMTR-27043, |
Logging |
After two or more upgrades of a Security gateway / Security Management server / Log server or SmartEvent server, log maintenance fails to delete logs from older version. |
PMTR-26706, |
Logging |
After Daylight saving time change, the logs from the time of change until the end of the day are not indexed and the "Illegal instant due to time zone offset transition (daylight savings time 'gap')" error is displayed in solr.elg file. |
PMTR-28160, |
Logging |
After upgrade from R80.x to R80.20 GA, the pre-upgrade logs data will not be deleted according to the logs retention policy. |
PMTR-22357, |
Logging |
In rare scenarios, due to a connection attempt failure to the Security Management, the Security gateway starts logging locally. |
PMTR-29044, |
Logging |
When Security gateway is configured to send alerts only to a specific Log server, logs may be written locally on the gateway instead to be sent to the Log server. |
PMTR-26040, |
Logging |
Added Threat Emulation forensic report in SmartView Log card. |
PMTR-29233, |
SecureXL |
Memory consumption on Security Gateway increases after enabling NetFlow v9 in Gaia OS. Refer to sk118719. |
PMTR-30162, |
SecureXL |
Concurrent connections monitoring can become inaccurate when "fw samp quota" rules are changed. |
PMTR-27529, |
SecureXL |
In rare scenarios, Security gateway crashes when penalty checkbox is selected. |
PMTR-29118, |
SecureXL |
In some scenarios, large number of incorrectly classified "simlinux_br_port: dev == NULL !!!" debug messages appear in kernel message logs. |
PMTR-28120, |
SecureXL |
In some scenarios, HTTP requests do not pass. |
PMTR-28084, |
ClusterXL |
In some scenarios, standby cluster member sends PIM Hello packets. |
PMTR-29200, |
VSX |
In some scenarios, the CPD and fw_full processes unexpectedly exit when the TDERROR debug flag is enabled. |
PMTR-28022, |
VSX |
Traffic from a Virtual System in VSX Cluster to Security Management Server is dropped with "Local interface address spoofing" log. |
PMTR-23158, |
Gaia OS |
CVE-2018-15473: Username enumeration is possible due to a premature bail-out while dealing with a malformed packet. The issue exists in several authentication protocols. |
PMTR-28381, |
Gaia OS |
When using conv2db to recreate Gaia database from /config/active, comments are not skipped and the new database file may contain irrelevant information. Refer to sk139832. |
PMTR-28798, |
Gaia OS |
SNMPD process fails to send Coldstart on reboot. Coldstart is configured by threshold that can be too short comparing to the OS boot time. |
PMTR-28277, |
Gaia OS |
Connectivity problem for 10 Gigabit fiber network interfaces (be2net driver) after upgrade from R77.30. |
PMTR-28041, |
Gaia OS |
Added support for "/", "(", and "*" characters as part of the system message banner. |
PMTR-23058, |
Gaia OS |
syslog messages forwarded to external Syslog server, do not contain the host name. |
PMTR-28303, |
Gaia OS |
In some scenarios, snmpwalk reports false values of bond interface. |
PMTR-28312, |
Gaia OS |
In some scenarios, sporadic timeouts occur during snmpwalk run. |
PMTR-28834, |
Gaia OS |
Different LOM versions are reported in Gaia Portal and Gaia Clish. |
PMTR-11377, |
VPN |
After Cluster failover, VPN tunnel is down and "Unknown SPI for IPsec packet" log is shown. Refer to sk112339. |
PMTR-30425, PMTR-30360 |
VPN |
VPN tunnels with 3rd party peers fail because of mismatched IDs. Refer to sk144094. |
PMTR-25196, |
VPN |
In some scenarios, IKE fragmentation is dropped when NAT-T is enforced. Refer to sk143372. |
Take 33 Released on 8 January 2019 and declared as General Availability on 4 February 2019 |
||
PMTR-25005, |
Security Management |
In some scenarios, purge operation fails with "Task was interrupted because of server restart" message and the CPM process unexpectedly exits, producing core dump file. |
PMTR-28037, |
Security Management |
Policy installation fails due to a memory allocation failure. |
PMTR-26802 |
Security Management |
When creating a Security Gateway object and click OK, SmartConsole terminates with "The connection with the server was lost...." error. |
PMTR-25488, |
Security Management |
When Database is more than 100 objects and searching for the objects in the Objects Explorer and scrolling down, list of items disappears and the results in the bottom-left show "No items found". Refer to sk139793. |
PMTR-26386, |
Security Management |
Cannot export logs to Excel from SmartView connected to Multi-Domain Log Server. |
PMTR-24555, |
Security Management |
In some scenarios, migrate_export fails when exporting R77.30 database from Windows machine in order to import it to R80.20 on Gaia. |
PMTR-26457, |
Multi-Domain Management |
When Domain has policies that are in use in some policy installation preset, the attempt to delete this Domain fails with "Error: Unspecified error". |
PMTR-23217, |
Multi-Domain Management |
Log in to the primary Multi-Domain Management GUI fails due to HA and logging objects synchronization generating high load. |
PMTR-21125 |
SmartEvent |
In large-scale environments, LOG_INDEXER process may unexpectedly exit producing 3.5GB core file. |
PMTR-23080, |
SmartConsole |
HTTPS Inspection rule with mixed Access Role and network object cannot be enforced. |
PMTR-25913 |
SmartView |
Added consolidated Threat Prevention dashboard, providing full threat visibility across Networks, Mobile and Endpoints. |
PMTR-23063, |
SmartUpdate |
SmartUpdate hangs on launch due to over 4000+ unattached licenses. |
PMTR-21902, |
Security Gateway |
Memory leak in FWD process. |
PMTR-29099 |
Security Gateway |
Security gateway drops multicast or broadcast packets when working in bridge mode. |
PMTR-26564, |
ClusterXL |
|
PMTR-25290, |
Threat Prevention |
In some scenarios, Advanced Upgrade fails with different errors due to NULL pointer exception check. |
PMTR-25286, |
Identity Awareness |
User's access to a network resource may fail in the following scenario:
Refer to Scenario 1 in sk156953. |
PMTR-24536, |
Identity Awareness |
Identity sharing does not work for non-HTTP traffic when XFF is enabled only on the layer and not on the Security gateway. |
PMTR-25193, |
Identity Awareness |
Identity sharing fails when XFF is enabled and remote PDP does not respond. |
PMTR-26589, |
Identity Awareness |
In some scenarios, Terminal Servers Identity Agent (MUH Agent) session Access Role is missing on PDP but exists on PEP, causing next PEP to PDP sync to be removed from PEP and thus the accessibility loss. |
PMTR-25100, |
Identity Awareness |
Improved error handing when Identity Sharing is used and remote PDP server does not respond due to prolong outage. |
PMTR-22758, |
Identity Awareness |
In rare scenarios, PDP crashes after generating traffic for a long time. |
PMTR-26173, |
SSL Inspection |
Change SSL Network Extender on MacOS to 64-bit architecture to support 32 bit apps depreciation in OSX. |
PMTR-24797 |
SSL Inspection |
HTTPS traffic is inspected when it is configured to be bypassed: when HTTPS Inspection is enabled and probe bypass is 0. |
PMTR-23567, |
Logging |
A Domain administrator connected to a specific Domain in Multi-Domain environment cannot see suggestions when typing in logs search box. |
PMTR-29010, |
Logging |
After configuring mail alerts to be sent using "internal_sendmail" script, emails from Check Point server arrive with blank email body. Refer to sk142492. |
PMTR-23288, |
Gaia OS |
After adding the RBA roles Gaia commands (add rba role TACP-0 virtual-system-access all), the lines are missing from the "show configuration" command output, but the values can be seen in Expert mode (/config/active). Refer to sk119394. |
PMTR-24810, |
Gaia OS |
Security Management / Multi-Domain Management server OS backup fails due to package compression errors. Refer to sk121212. |
PMTR-24293, |
CloudGuard |
Attempt to install central license on CloudGuard gateway fails with "not vSec product" error. |
PMTR-24166, |
SecureXL |
The Anti-Spoofing policy is not unloaded by running the "fw unloadlocal" command. |
PMTR-25207 |
SecureXL |
"sume_from_fw_forward: dropping packet of for vsid=0 due to loop prevention" dmesg errors during policy installation failure. |
Take 17 Released on 4 December 2018 and declared as General Availability on 8 January 2019 |
||
PMTR-24006, |
Security Management |
Remote Access users configured with Pre-Shared Secret Key (PSK) cannot connect after upgrade from R77.x. |
PMTR-23394, |
Security Management |
Policy installation fails with "Policy installation had failed due to an internal error" message when Security gateway has more than hundred interfaces. Refer to sk138592. |
PRHF-734, |
Security Management |
In rare scenarios, the CPM service does not start on machine startup. |
PMTR-20174, |
Security Gateway |
Security gateway does not load policy after reboot when number of SAM rules reaches its limit of 25000. Refer to sk110560. |
PMTR-22110, |
Security Gateway |
DNS NAT does not work when the DNS parser encounters an IPv6 record in DNS servers answer. Refer to sk121346. |
PMTR-14588, |
Security Gateway |
Security gateway with Dynamic NAT enabled, is rebooted after running "cpstop". |
PMTR-20144, |
Identity Awareness |
Update with "-" machine name from the Domain Controller causes the Identity Collector to create un-authenticated sessions on the PDP. |
PMTR-22826, |
CloudGuard Controller |
CloudGuard Controller Data Center objects are not enforced on Multi-Domain Security Management. Refer to sk139372. |
PMTR-24762, |
SecureXL |
Drops from link collisions in PPAK due to Dynamic port allocation ("db_save_conn: failed to save conn <>, collision(-2)"). |
PMTR-23850, |
ClusterXL |
When upgrading a VRRP cluster to R80.20 with Connectivity Upgrade (CU), CU fails due to the member not being in READY state. |
PMTR-23382, |
VPN |
User cannot connect to a VPN site that belongs to a group that has a special character in its name. Refer to sk124514. |
PMTR-20038, |
Gaia OS |
"/opt/CPInstLog/uninstall_SecurePlatform_R80_10_JHF_PLATO:Uninstallation failed!" error during uninstallation of Jumbo Hotfix Take on Smart-1 device. Newer version of RPMs remain installed after uninstall. |
Take 10 Released on 1 November 2018 and declared as General Availability on 22 November 2019 |
||
PMTR-22164 |
Security Management |
When using Global Dynamic Network objects, creating a new policy package in a local Domain fails with 'Internal error' if it is assigned to the Global Domain. |
PRHF-755, |
Multi-Domain Management |
Domain deleting fails with "Delete Domain failed: Error: Unspecified error". |
PMTR-22800, |
Endpoint Security |
In some scenarios, assignment to Virtual Group does not apply properly. |
PMTR-22405 |
Security Gateway |
In rare scenario, when configured as a proxy/ICAP client, a Security gateway may crash when using HTTPS Policy Categorization. |
PMTR-21081, |
Security Gateway |
A large number of Time objects used in the rule base may cause rulebase matching failures resulting in connectivity issues. |
PMTR-22320, |
Security Gateway |
ISP redundancy OID is missing from the MIB file. |
SL-1594, |
Logging |
In rare scenarios, monitoring information (such as licensing information, CPU usage, etc.) displayed in SmartConsole and SmartView Monitor is not updated. Refer to sk137092. |
PMTR-23183, |
Logging |
Added new format for Log Exporter to support "Check Point App for Splunk" |
PMTR-23418, |
Logging |
In some scenarios, the Logs & Monitor -> Logs section in SmartConsole is stucked on searching. Refer to sk144313. |