Take 103 - General Availability

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 103

Released on 26 August 2019 and declared as General Availability on 22 September 2019

PMTR-35836,
PRJ-249

Security Management

"Runtime error: java.lang.String incompatible with com.checkpoint.management.web_api_is.common.multi_values.objects.MultiStringForSet" error when trying to set a tag on ICMP and ICMP6 services, or to add those services to a group, with an API command.

PMTR-36761,
PRJ-716

Security Management

A new feature for process tracking was added. If a restart occurs, a 'pstree' command is logged so that the process that caused the restart can be tracked.

PMTR-23492,
PRJ-2947

Security Management

Support for Internal CA certificate replacement.

PRHF-2012,
PRJ-1247

Security Management

High CPU usage of fwm when SmartEvent is enabled on the Security Management Server. Refer to sk147563.

SMCUPG-719,
PRJ-1686

Security Management

Deletion of a Domain failed with a "Could not send message" error when the Domain had a large number of gateways. The Domain remains without Domain Servers.

PRHF-3283,
PRJ-450

Security Management

In a rare scenario, a failure in policy installation causes a false "Policy installation is currently in progress" error message while there is no installation attempt.

PRJ-1899,
PRJ-1901

Security Management

After opening and searching in pickers for a few times, the "error retrieving results" message appears when opening a picker.

CPM-2300,
PRJ-1973

Security Management

In some rare scenarios, the CPM server does not start after a failure in Domain deletion.

PMTR-38249,
PRJ-2161

Security Management

In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when dynamic object is used in access policy.

PRHF-3514,
PRJ-1379

Security Management

Upgrade from R7x fails with a core file of cpdb due to an empty field in the 'autoupdate_and_install_settings' object.

PRHF-3455,
PRJ-1335

Security Management

Inline layers are not verified when there are no selected targets in the 'install on' column.

RJ-1864,
PRJ-1880

Security Management

In some scenarios, SmartConsole unexpectedly exits while adding or removing many objects via Web API.

PMTR-33605,
PRJ-2159

Security Management

In some cases on Multi-Domain environments with several servers, tasks still appear in progress after restart of the server even though they are not really running.

PMTR-38103,
PRJ-2490

Security Management

In some scenarios, a validation incident about Invalid Email Address is presented in SmartConsole after upgrade from R77.

PMTR-37924,
PRJ-1761

Security Management

Due to a failed full sync, FWM was restarted unexpectedly and obsolete domain sessions were used in the global policy assignment.

PMTR-26076,
PRJ-1570

Multi-Domain Management

Synchronization in a Multi-Domain High-Availability setup fails post upgrade from R80 due to duplicate compliance objects.

PRJ-1303

Multi-Domain Management

When running the 'add-domain' Web API command on an existing Domain, the original Domain is deleted.

CPM-1730,
PRJ-1403

Multi-Domain Management

The Multi-Domain Server database size grows significantly, causing operations like 'mds restore' and HA full sync to take a long time.

PMTR-36438,
PRJ-552

Multi-Domain Management

In rare cases, if a Domain deletion failed in the past, some objects are missing on the Domain or Global level in SmartConsole following an MDS Upgrade or MDS Restore.

This is relevant specifically under the following cases:

  • Multi-Domain Server upgrade from R80.10 to R80.20.
  • Multi-Domain Server Restore in any R80.x

PRHF-3783,
PRJ-1440

Multi-Domain Management

In some scenarios, gateways are missing in the 'Gateways and Servers' view in SmartConsole on the MDS level.

PRHF-3300,
PRJ-592

Multi-Domain Management

Multi-Domain Server processes must be stopped before running cma_migrate.

PRJ-2386,
PMTR-38670

Multi-Domain Management

In a rare scenario, CPM server fails to start after successful Domain deletion.

PMTR-36614,
PRJ-2244

Multi-Domain Management

The mds_backup command now generates an output file in .tar format instead of .tgz, to shorten the duration of backup (mds_backup) and restore (mds_restore) of the Multi-Domain Server. Refer to sk163300.

PRJ-2421,
PMTR-38710

SmartProvisioning

In a VPN Community managed by SmartProvisioning:

  • When adding an SMB gateway to the VPN community, the VPN tunnel may not be established.
  • When changing security profile in VPN community, the VPN settings are not changed.
  • Policy installation fails for cluster member of CO Gateway.

PRJ-2664,
PRJ-2721

SmartProvisioning

The VPN tunnel of an LSM gateway cannot be established when the CO gateway is managed by a Security Management of a higher version. Refer to sk106628.

PRHF-3392,
PRJ-867

SmartProvisioning

In VPN star community managed by SmartProvisioning, VPN tunnels may not be established after installing policy to CO gateway (center). Refer to sk152612.

PMTR-31155,
PRJ-1433

SmartConsole

In some scenarios, SmartConsole terminates when installing policy on many targets at once.

PMTR-36527,
PRJ-760

SmartConsole

Redundant layers appear in the output of the 'show-package' command when a Global policy holding more than one layer is assigned to a Domain.

PRHF-3415,
PRJ-738

SmartConsole

In rare scenarios, upgrade fails with "com.checkpoint.management.classes.dle.triggers.internal.VersionInfo.VersionInfo" NPE in cpm.elg file.

PMTR-24658,
PRJ-1745

SmartConsole

A wrong error message is displayed in SmartConsole when a Domain Server cannot be deleted when it is referenced in the policy.

PRJ-1532,
PRJ-1535

SmartConsole

In a specific scenario, Global policy rules may change order after Multi-Domain Server upgrade. Refer to sk155432.

MCFG-200,
PRJ-2559

SmartConsole

In the "Gateways and Servers" view, gateways are missing status when managing more than 1000 gateways. This fix supports statuses for up to 5,000 gateways.

PRJ-1919,
PRJ-2416

Identity Awareness

Security hardening for IDA enforcement according to XFF IP.

PRJ-1926,
PRJ-1952

Identity Awareness

Performance improvement of Identity Awareness kernel tables for Cluster and multi-fw1 instances gateways.

PRJ-1926,
IDA-1966

Identity Awareness

In a rare scenario, identities are missing from all connected Identity Gateways (PEPs).

IDA-1987,
PRJ-1956

Identity Awareness

In a rare scenario, sessions longer than 24 hours disappear from the Identity Gateway (PEP) but exist on the Identity server (PDP).

IDA-1981

Identity Awareness

Users are not propagated from the PDP to the PEP on a specific network due to a rare race condition between register and unregister requests triggered by different instances or cluster members.

PRJ-1926

Identity Awareness

The output of the 'pep show pdp all' command on the Identity Gateway (PEP) contains "inx invalid type (0)" instead of an Identity server (PDP) IP address.
Refer to Scenario #3 in sk156953.

PMTR-32539,
PRHF-3443

Identity Awareness

Users are not authenticated when an identity source provides the login name in a 'User Principal Name' format "user@domain". Refer to sk147417.

PRHF-2895,
PRJ-334

Security Gateway

After upgrading to R80.20, it is not possible to configure an OSPF interface to have a priority of 0.

PRJ-3735,
PMTR-40259

Security Gateway

In some scenarios, when a connection is accelerated and an ICMP packet is sent from a server to a client, the packet is dropped by the Security Gateway.

PRJ-1490,
GAIA-4689

Security Gateway

In some scenarios, the fwk process virtual memory increases on USFW/VSX environment. Refer to sk160513.

PRJ-604,
PRHF-3117

Security Gateway

In a rare scenario, ROUTED process unexpectedly exits when ECMP is enabled for both IBGP and EBGP. Refer to sk162547.

PMTR-25754,
PRJ-773

Security Gateway

Potential NAT issues when using "Hide internal networks behind the Gateway's external IP" along with destination NAT. Potential NAT issues for connections opened from templates due to route change.

PMTR-28915,
PRJ-915

Security Gateway

Possible performance impact on NAT port exhaustion scenarios.

PRJ-3675

Security Gateway

In some scenarios, when disabling the interface, a large number of "fwmultik_f2p_routing: fw_os_route_retrieve_streaming failed" error messages appear in the /var/log/messages file.

PRJ-3330

Security Gateway

The Fast Acceleration feature lets you define trusted connections to allow bypassing deep packet inspection. This feature significantly improves throughput for these trusted high volume connections and reduces CPU consumption.

PMTR-21865,
PRJ-1141

Security Gateway

In a rare scenario, Security Gateway may crash when sending log from FW instance with IPv6 packet.

PRJ-2108

Security Gateway

Issue with categorization of HTTPS sites over IPv6.

PRJ-2310

Logging

The Log Exporter filtering feature lets you decide which logs are exported, based on values from the various fields in the raw log.

SL-2002,
PRJ-1239

Logging

Running views or reports that contain the attack / attack_info fields may fail or not be completed.

PRHF-3831,
PRJ-2677

Logging

In a rare scenario, the accounting of bytes in a report is not accurate.

SL-1052,
PRJ-1275

Logging

In a rare scenario, when an environment has many gateways (dozens), FWM on the log server may crash when reaching 4 GB of memory.

PMTR-37425,
PRJ-1401

Gaia OS

Backup task fails if SmartConsole is open during backup.

PRJ-2173,
PRHF-5189

Gaia OS

Many "fwldbcast_new: too many hosts : 0" kernel messages appear in /var/log/messages file. Refer to sk153253.

PRJ-181

Gaia OS

Jumbo installation block on ISO from sk100566

PMTR-35299,
PRJ-624

Gaia OS

Enable the user to use CLISH commands related to LOM on Smart-1 3150.

PRJ-2464

Gaia OS

Adding 6800 appliance picture to WebUI.

PRHF-4394,
PRJ-2651

ClusterXL

In a rare scenario, crash on Active member when accessing Standby member via IPv6. Refer to sk159635.

PRHF-4105,
PRJ-2146

ClusterXL

In a rare scenario, the fw_workers process consumes high CPU on the Standby member of a ClusterXL. Refer to sk156333.

PRJ-2152,
PRJ-2551

ClusterXL

The message "fwlddist_debug_update_op: resetting to avoid overflow" should be printed only in debug mode since it's not an error.

PRHF-4193,
PRJ-2396

CoreXL

"fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312.

GAIA-4153,
PRJ-415

SecureXL

Debug for the adp module in host Performance Pack does not work.

PRJ-630,
PRHF-5533

SecureXL

In some scenarios, latency is observed on the Security gateway. Refer to sk162914.

GAIA-4855,
PRJ-897

SecureXL

When IPS is enabled on VS connected to VR, HTTP traffic is not passing out of the internal Host.

PRJ-1176

SecureXL

Added the sim module parameter "sim_anti_spoofing_enabled" to allow disabling anti-spoofing in Performance Pack without installing a new Firewall policy.

PRJ-1300,
PRJ-1299

SecureXL

In a rare scenario, multicast routing lookup may lead to SIM crash.

PRHF-4430,
PRJ-2752

SecureXL

In some scenarios, TCP syn-ack packets are dropped when server is behind a hide NAT rule on a VPN interface.

PRJ-1848

SecureXL

Memory leak of host destination entries when the neighbor entry is in the incomplete state.

PMTR-37165,
PRJ-1217

SecureXL

In some scenarios, multicast traffic is not forwarded across bridge interfaces.

PRJ-579

Endpoint Management

R80.20 JHF failed to install when using Anti-Malware E2 engine for signatures update.

PRJ-1419,
GAIA-5136

VPN

In some scenarios, VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment. Refer to sk154692.

CRYPT-210,
PRJ-2954

VPN

After running "cpca_client re_sign_ca" and "mcc replace", SmartConsole shows the same Internal CA certificate.

GAIA-5338,
PRJ-1386

VPN

In some scenarios with acceleration enabled, traffic through VR for a VPN setup does not pass.