Take 103 - General Availability
List of Resolved Issues and New Features
Note - This Take contains all fixes from all earlier Takes.

Take 103 released on 26 August 2019 and declared as General Availability on 22 September 2019

ID | Product | Description |
---|---|---|
PMTR-35836, | Security Management | "Runtime error: java.lang.String incompatible with com.checkpoint.management.web_api_is.common.multi_values.objects.MultiStringForSet" error when trying to set a tag to ICMP and ICMP6 services or set those services into a group with an API command. |
PMTR-36761, | Security Management | A new feature for process tracking was added. If a restart occurs, a 'pstree' command is logged and the process that caused the restart can be tracked. |
PMTR-23492, | Security Management | Support for Internal CA certificate replacement. |
PRHF-2012, | Security Management | High CPU usage of fwm when SmartEvent is enabled on the Security Management Server. Refer to sk147563. |
SMCUPG-719, | Security Management | Deletion of a Domain failed with "Could not send message" error when having a large number of gateways in the domain. The Domain remains without Domain Servers. |
PRHF-3283, | Security Management | In a rare scenario, a failure in policy installation causes a false "Policy installation is currently in progress" error message while there is no installation attempt. |
PRJ-1899, | Security Management | After opening and searching in pickers a few times, the "error retrieving results" message appears when opening a picker. |
CPM-2300, | Security Management | In some rare scenarios, the CPM server does not start after a failure in delete domain. |
PMTR-38249, | Security Management | In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when a dynamic object is used in the access policy. |
PRHF-3514, | Security Management | Upgrade from R7x fails with a core file of cpdb due to an empty field in the 'autoupdate_and_install_settings' object. |
PRHF-3455, | Security Management | Inline layers are not verified when there are no selected targets in the 'install on' column. |
RJ-1864, | Security Management | In some scenarios, SmartConsole unexpectedly exits while adding or removing many objects via Web API. |
PMTR-33605, | Security Management | In some cases on Multi-Domain environments with several servers, tasks still appear in progress after restart of the server even though they are not really running. |
PMTR-38103, | Security Management | In some scenarios, a validation incident about Invalid Email Address is presented in SmartConsole after upgrade from R77. |
PMTR-37924, | Security Management | Due to a failed full sync, FWM was restarted unexpectedly and obsolete domain sessions were used in the global policy assignment. |
PMTR-26076, | Multi-Domain Management | Synchronization in a Multi-Domain High-Availability setup fails post upgrade from R80 due to duplicate compliance objects. |
PRJ-1303 | Multi-Domain Management | When running the 'add-domain' Web API command on an existing Domain, the original Domain is deleted. |
CPM-1730, | Multi-Domain Management | The Multi-Domain Server database size grows significantly, causing operations like 'mds restore' and HA full sync to take a long time. |
PMTR-36438, | Multi-Domain Management | In rare cases, if Domain deletion failed in the past, and following MDS Upgrade or MDS Restore - some objects are missing on Domain or Global level in SmartConsole. This is relevant specifically under the following cases: |
PRHF-3783, | Multi-Domain Management | In some scenarios, gateways are missing in the 'Gateways and Servers' view in SmartConsole on the MDS level. |
PRHF-3300, | Multi-Domain Management | Multi-Domain Server processes must be stopped before running cma_migrate. |
PRJ-2386, | Multi-Domain Management | In a rare scenario, CPM server fails to start after successful Domain deletion. |
PMTR-36614, | Multi-Domain Management | The mds_backup command will generate an output file of format .tar instead of .tgz to improve the duration of backup (mds_backup) and restore (mds_restore) of Multi-Domain Server. Refer to sk163300. |
PRJ-2421, | SmartProvisioning | In VPN Community managed by SmartProvisioning: |
PRJ-2664, | SmartProvisioning | VPN tunnel of LSM gateway cannot be established when CO gateway is managed by Security Management of higher version. Refer to sk106628. |
PRHF-3392, | SmartProvisioning | In VPN star community managed by SmartProvisioning, VPN tunnels may not be established after installing policy to CO gateway (center). Refer to sk152612. |
PMTR-31155, | SmartConsole | In some scenarios, SmartConsole terminates when installing policy on many targets at once. |
PMTR-36527, | SmartConsole | Redundant layers appear in the output of the 'show-package' command when a Global policy holding more than one layer is assigned to a Domain. |
PRHF-3415, | SmartConsole | In rare scenarios, upgrade fails with "com.checkpoint.management.classes.dle.triggers.internal.VersionInfo.VersionInfo" NPE in cpm.elg file. |
PMTR-24658, | SmartConsole | Wrong error message is displayed in SmartConsole when a Domain Server cannot be deleted when it is referenced in the policy. |
PRJ-1532, | SmartConsole | In a specific scenario, Global policy rules may change order after Multi-Domain Server upgrade. Refer to sk155432. |
MCFG-200, | SmartConsole | In "Gateways and Servers" view, gateways are missing status when managing more than 1000 gateways. This fix supports statuses for up to 5,000 gateways. |
PRJ-1919, | Identity Awareness | Security hardening for IDA enforcement according to XFF IP. |
PRJ-1926, | Identity Awareness | Performance improvement of Identity Awareness kernel tables for Cluster and multi-fw1 instances gateways. |
PRJ-1926, | Identity Awareness | In a rare scenario, identities are missing from all connected Identity Gateways (PEPs). |
IDA-1987, | Identity Awareness | In a rare scenario, sessions longer than 24 hours disappear from the Identity Gateway (PEP) but exist on the Identity server (PDP). |
IDA-1981 | Identity Awareness | Users are not propagated from the PDP to the PEP on a specific network due to a rare race condition between register and unregister requests triggered by different instances or cluster members. |
PRJ-1926 | Identity Awareness | The output of the 'pep show pdp all' command on the Identity Gateway (PEP) contains "inx invalid type (0)" instead of an Identity server (PDP) IP address. |
PMTR-32539, | Identity Awareness | Users are not authenticated when an identity source provides the login name in a 'User Principal Name' format "user@domain". Refer to sk147417. |
PRHF-2895, | Security Gateway | After upgrading to R80.20, it is not possible to configure an OSPF interface to have a priority of 0. |
PRJ-3735, | Security Gateway | In some scenarios, when a connection is accelerated and an ICMP packet is sent from a server to a client, it is dropped by the Security Gateway. |
PRJ-1490, | Security Gateway | In some scenarios, the fwk process virtual memory increases on USFW/VSX environment. Refer to sk160513. |
PRJ-604, | Security Gateway | In a rare scenario, ROUTED process unexpectedly exits when ECMP is enabled for both IBGP and EBGP. Refer to sk162547. |
PMTR-25754, | Security Gateway | Potential NAT issues when using "Hide internal networks behind the Gateway's external IP" along with destination NAT. Potential NAT issues for connections opened from templates due to route change. |
PMTR-28915, | Security Gateway | Possible performance impact on NAT port exhaustion scenarios. |
PRJ-3675 | Security Gateway | In some scenarios, when disabling the interface, a large number of "fwmultik_f2p_routing: fw_os_route_retrieve_streaming failed" error messages appear in the /var/log/messages file. |
PRJ-3330 | Security Gateway | The Fast Acceleration feature lets you define trusted connections to allow bypassing deep packet inspection. This feature significantly improves throughput for these trusted high volume connections and reduces CPU consumption. |
PMTR-21865, | Security Gateway | In a rare scenario, Security Gateway may crash when sending log from FW instance with IPv6 packet. |
PRJ-2108 | Security Gateway | Issue with categorization of HTTPS sites over IPv6. |
PRJ-2310 | Logging | The Log Exporter filtering feature lets you decide which logs are exported based on values from the various fields in the raw log. |
SL-2002, | Logging | Running views or reports that contain the attack / attack_info fields may fail or not be completed. |
PRHF-3831, | Logging | In a rare scenario, the accounting of bytes in a report is not accurate. |
SL-1052, | Logging | In a rare scenario, when an environment has many gateways (dozens), FWM on the log server may crash when reaching 4 GB of memory. |
PMTR-37425, | Gaia OS | Backup task fails if SmartConsole is open during backup. |
PRJ-2173, | Gaia OS | Many "fwldbcast_new: too many hosts : 0" kernel messages appear in /var/log/messages file. Refer to sk153253. |
PRJ-181 | Gaia OS | Jumbo installation block on ISO from sk100566 |
PMTR-35299, | Gaia OS | Enable the user to use CLISH commands related to LOM on Smart-1 3150. |
PRJ-2464 | Gaia OS | Adding 6800 appliance picture to WebUI. |
PRHF-4394, | ClusterXL | In a rare scenario, crash on Active member when accessing Standby member via IPv6. Refer to sk159635. |
PRHF-4105, | ClusterXL | In a rare scenario, the fw_workers process consumes high CPU on the Standby member of a ClusterXL. Refer to sk156333. |
PRJ-2152, | ClusterXL | The message "fwlddist_debug_update_op: resetting to avoid overflow" should be printed only in debug mode since it's not an error. |
PRHF-4193, | CoreXL | "fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312. |
GAIA-4153, | SecureXL | Debug for the adp module in host Performance Pack does not work. |
PRJ-630, | SecureXL | In some scenarios, latency is observed on the Security Gateway. Refer to sk162914. |
GAIA-4855, | SecureXL | When IPS is enabled on VS connected to VR, HTTP traffic is not passing out of the internal Host. |
PRJ-1176 | SecureXL | Added sim module parameter "sim_anti_spoofing_enabled" to allow disabling anti-spoofing in Performance Pack without installing a new Firewall policy. |
PRJ-1300, | SecureXL | In a rare scenario, multicast routing lookup may lead to SIM crash. |
PRHF-4430, | SecureXL | In some scenarios, TCP syn-ack packets are dropped when server is behind a hide NAT rule on a VPN interface. |
PRJ-1848 | SecureXL | Memory leak of host destination entries when a neighbor entry is in the incomplete state. |
PMTR-37165, | SecureXL | In some scenarios, multicast traffic is not forwarded across bridge interfaces. |
PRJ-579 | Endpoint Management | R80.20 JHF failed to install when using Anti-Malware E2 engine for signatures update. |
PRJ-1419, | VPN | In some scenarios, VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment. Refer to sk154692. |
CRYPT-210, | VPN | After running "cpca_client re_sign_ca" and "mcc replace", SmartConsole shows the same Internal CA certificate. |
GAIA-5338, | VPN | In some scenarios with acceleration enabled, traffic through VR for a VPN setup does not pass. |