Take 202 - General Availability
List of Resolved Issues and New Features
|
Note - This Take contains all fixes from all earlier Takes. |
ID |
Product |
Description |
---|---|---|
Take 202 Released on 30 May 2021 and declared as General Availability on 7 July 2021 |
||
PRJ-25035, |
Security Management |
UPDATE: If there is no license on the Security Management Server, a new verification blocks an attempt to migrate a domain. |
PRJ-22073, |
Security Management |
In rare scenarios, the Management Server may fail to start because Solr fails to initialize. |
PRJ-24484, |
Security Management |
In very large Management environments, Policy verification and installation may fail with FWM process core dump. Refer to sk173722. |
PRJ-24910, |
Security Management |
"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026. |
PRJ-22439, |
Security Management |
Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003. |
PRJ-13068, |
Security Management |
In rare scenarios, during a Global Policy Reassignment, the Management Server may unexpectedly exit and fail to start again. |
PRJ-21397, |
Security Management |
In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828. |
PRJ-22209, |
Security Management |
In rare scenarios, concurrent update operations performed by several administrators on the Management Server may fail. |
PRJ-20807, |
Security Management |
On Security Management with a connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with a core file ~4 GB in size. Refer to sk173704. |
PRJ-15903, |
Security Management |
Security policy compilation fails if the Domain network object name (FQDN name) contains a space. |
PRJ-23771, |
Security Management |
"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation. |
PRJ-23920, |
Security Management |
SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server. |
PRJ-22870, |
Security Management |
In some scenarios, policy installation fails with "Error code 0-2000077" message. |
PRJ-21255, |
Security Management |
In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large. |
PRJ-22610, |
Security Management |
In some scenarios, a Domain migration may fail during the Access Policy import with the "Object not found" error in cpm.elg file. |
PRJ-17226, |
Security Management |
In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently. |
PRJ-23541, |
Security Management |
In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles. |
PRJ-9514, |
Security Management |
The Rule UID is hidden in Audit logs. Refer to sk165016. |
PRJ-22844, |
Security Management |
Running override_server_setting.sh may not update settings correctly when updating a setting multiple times. |
PRJ-22128, |
Security Management |
In a rare scenario, Management HA synchronization fails after the Purge Revisions operation. |
PRJ-21916, |
Security Management |
In some scenarios, Desktop policy fails with "Policy installation had failed due to an internal error. If the problem persists please contact Check Point support". Refer to sk171970. |
PRJ-24757, |
Multi-Domain Management |
Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x. |
PRJ-23695, |
Multi-Domain Management |
Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain. |
PRJ-22636, |
Multi-Domain Management |
In rare scenarios, the Multi-Domain Management Server may fail to start if Domains were previously deleted. |
PRJ-24213, |
Multi-Domain Management |
In Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application. |
PRJ-22136, |
Multi-Domain Management |
A Multi-Domain Server with dozens of Domains may take a long time to start. |
PRJ-21910, |
Multi-Domain Management |
In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup. |
PRJ-24018, |
Multi-Domain Management |
In some scenarios, after an upgrade of a Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain. |
PRJ-22520, |
Multi-Domain Management |
In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704. |
PRJ-22580, |
Multi-Domain Management |
In some scenarios, HA Full Sync on the System Domain fails after an upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059. |
PRJ-13188, |
Multi-Domain Management |
In a rare scenario, Advanced upgrade from R80.10 may fail. |
PRJ-22594, |
Multi-Domain Management |
Create Domain action may fail with a "License violation detected" error even though CPSM-DOMAINS-1 license is applied on the Management Server. |
PRJ-22201, |
SmartConsole |
In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker. |
PRJ-19497, |
SmartConsole |
"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' Blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management servers has the "Logging & Status" Blade disabled. Refer to sk172226. |
PRJ-21621, |
SmartConsole |
In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905. |
PRJ-17274, |
SmartConsole |
The "Recent Tasks" view allows only Super Users to view other administrators' tasks. |
PRJ-21600, |
Compliance |
In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed. |
PRJ-16049, |
Compliance |
Deactivated Compliance Best Practices appear in the Compliance report. |
PRJ-21183, |
Logging |
NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated. |
PRJ-25143, |
Logging |
NEW: Added support for JSON format in Log exporter. |
PRJ-20255, |
Logging |
NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323. |
PRJ-23646, |
Logging |
In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention Blades, logs of "Anti Spam" Blade are not exported. |
PRJ-24892, |
Logging |
Starting from Jumbo Take 183, logs exported in LogRhythm format via the Log Exporter, appear in an incorrect format. |
PRJ-12424, |
Logging |
In some scenarios, exported FireWall logs from a Security Gateway to an external syslog server (sk87560) contain a redundant new line character. |
PRJ-24227, |
Logging |
In some scenarios, when declaring a filter in Log Exporter, logs may not be exported. Refer to sk173025. |
PRJ-23202, |
Logging |
In rare scenarios, when creating a Log server object and establishing SIC, log queries from the newly created Log server object may fail. |
PRJ-15324, |
Logging |
In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done. |
PRJ-23006, |
Logging |
In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis. |
PRJ-23413, |
Logging |
In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results). |
PRJ-15782, |
Logging |
In SmartView, when the user exports a container widget with charts to PDF, some data may be missing, and the charts may be shown in a distorted manner. |
PRJ-21364, |
Logging |
In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly exit. |
PRJ-20816, |
Logging |
In SmartView, chart and timeline widgets may show a "Query Failed" error. |
PRJ-23155, |
Logging |
When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763. |
PRJ-22182, |
Logging |
In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one. |
PRJ-22246, |
Logging |
In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles". |
PRJ-21143, |
Logging |
In SmartView, when opening a log card popup in lower resolutions, the text in the header may be cut off. |
PRJ-18557, |
Logging |
In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999. |
PRJ-21292, |
Logging |
|
PRJ-2291, |
Logging |
A super user connected to SmartConsole in the context of the Domain Management Server cannot see search suggestions for global objects. |
PRJ-21899, |
Security Gateway |
NEW: Added new troubleshooting tool to cplic command for Entitlement manager. |
PRJ-22692, |
Security Gateway |
UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607. |
PRJ-10987, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560. |
PRJ-20979, |
Security Gateway |
In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server. |
PRJ-23945, |
Security Gateway |
In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode. |
PRJ-22621, |
Security Gateway |
In some scenarios, the VSX Cluster switch may cause a core dump. |
PRJ-704, |
Security Gateway |
In rare scenarios, the FWD process on the Security Gateway may unexpectedly exit when the user configures a non-existing log server. |
PRJ-23424, |
Security Gateway |
The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145. |
PRJ-23455, |
Security Gateway |
In some scenarios, values set in fwkern.conf may not be applied correctly. |
PRJ-23038, |
Security Gateway |
In a rare scenario, Security Gateway may crash during the Application Control / IPS / Anti-Bot package update. |
PRJ-25908, |
Security Gateway |
In a rare scenario, the machine hangs and the user is unable to run any command. Refer to sk173405. |
PRJ-19797, |
Security Gateway |
Improved the policy enforcement of the ZIP archive inner files. |
PRJ-23397, |
Security Gateway |
Added support for "Other" services configured with IP protocol, but without advanced "Match" expression. |
PRJ-21669, |
Security Gateway |
In some scenarios, a Security policy installation fails during high CPU utilization. |
PRJ-19409, |
Security Gateway |
The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled. |
PRJ-21469, |
Security Gateway |
When the Security Gateway is configured as a proxy, some network objects may not be matched correctly. |
PRJ-21309, |
Security Gateway |
Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754. |
PRJ-24296, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway. |
PRJ-11764, |
Security Gateway |
"cpas_glue_psync_h: No synced opaque" error messages may appear in dmesg as a result of the synchronization of the members in the cluster. Refer to sk167033. |
PRJ-23098, |
Security Gateway |
The connection may not exist in the SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allowing out-of-state TCP packets. |
PRJ-22935, |
Security Gateway |
When using "User Alert 3" in the code alert, cosmetic error "FW-1: fwdrv_get_string_id_from_code: illegal parameters for code 8" appears in the /var/log/messages file. |
PRJ-22370, |
Security Gateway |
In some scenarios, the Security Gateway attempts to access the Management Server through the server's NAT IP address (defined in the "NAT" section of the server object), while the server is reachable only through the main IP address (defined in the "General Properties" section of the server object). Refer to sk171665 to configure the required parameter SKIP_NATTED_IP. |
PRJ-22452, |
Security Gateway |
In a rare scenario, Security Gateway may crash with fwk and fwk_wd core dump files. |
PRJ-25269, |
Internal CA, VPN, Multi-Portal |
UPDATE: The IKE certificates validity period is set to 1 year by default. Refer to sk176527. |
PRJ-22078, |
Internal CA |
In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process unexpectedly exits when trying to renew a certificate on a standby Domain. |
PRJ-23140, |
Internal CA |
The output of the "lscert" command has duplicate lines for all certificates that are not in "pending" status. |
PRJ-21723, |
Content Awareness |
In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow. |
PRJ-21969 |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit due to synchronization issues in CaptivePortalManager. |
PRJ-26474 |
Identity Awareness |
There may be enforcement issues with Terminal Servers agent (MUH Agent) sessions. |
PRJ-22356, |
Identity Awareness |
In some scenarios, output of "pdp conn pep" command may show wrong PEP names. |
PRJ-21496, |
Identity Awareness |
Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH). |
PRJ-21454, |
Identity Awareness |
In some scenarios, VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*). |
PRJ-23515, |
Application Control |
The fw_full (FWD daemon) unexpectedly exits, producing a core dump file and causing a cluster failover. |
PRJ-21768, |
Application Control |
A failure log may be generated when inspecting connections to servers with certificates without a Common Name (CN) field. |
PRJ-21293, |
URL Filtering |
UPDATE: Improved RAD event output to provide additional information on events, such as detailed timing. This update also activates the retry mechanism by default. |
PRJ-14540, |
IPS |
UPDATE: Exceptions are now enforced for these IPS protections:
Refer to sk166222. |
PRJ-23305, |
IPS |
UPDATE: Added support for PM statistics when IPS is disabled. |
PRJ-19940, |
SSL Inspection |
UPDATE: Avoid sending the TLS probe during inbound inspection when it is not necessary for the SNI-based categorization. |
PRJ-21690, |
SSL Inspection |
UPDATE: Avoid sending the TLS probe during the inbound inspection when a rule is matched according to the IP address. |
PRJ-21707, |
SSL Inspection |
In rare scenarios, a memory leak may occur in a crypto module. |
PRJ-24464, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-19853, |
SSL Inspection |
TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated. |
PRJ-24461, |
SSL Inspection |
In some scenarios, memory leaks may occur after policy installation. |
PRJ-19775, |
SSL Inspection |
In some scenarios, the WSTLSD process may unexpectedly exit when browsing to certain websites. |
PRJ-19779, |
SSL Inspection |
A memory leak may occur during policy installation. |
PRJ-20266, |
Anti-Malware |
Packet capture may not be generated for certain IPS protections. |
PRJ-21060, |
Anti-Malware |
In a rare scenario, HTTP connections are timed-out. |
PRJ-22018, |
Anti-Malware |
In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected. |
PRJ-24142, |
SecureXL |
UPDATE: Firewall debug drop template message now indicates the rule ID the template was created from. |
PRJ-24649, |
SecureXL |
In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file. |
PRJ-21696, |
SecureXL |
NEW: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces. |
PRJ-22165, |
SecureXL |
Rate limiting rules using concurrent-connection counters may cause connections to be blocked. |
PRJ-22286, |
SecureXL |
TCP reset packets may be dropped with an invalid sequence. |
PRJ-19369, |
SecureXL |
Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries. |
PRJ-22913, |
SecureXL |
Improved the Smart Connection Reuse feature to be consistent with the user configuration. Refer to sk24960. |
PRJ-22433, |
SecureXL |
In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections. |
PRJ-20698, |
SecureXL |
In some scenarios, not all IP addresses listed in Deny List file $FWDIR/conf/deny_lists are loaded. |
PRJ-23457, |
SecureXL |
A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns". |
PRJ-23057, |
SecureXL |
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. This fix enables the new property per specific VS in VSX environment. Refer to sk147093. |
PRJ-16531, |
Routing |
UPDATE: The user does not have to enable logging/accounting in SmartConsole to generate the Netflow records. A new 'NetFlow Firewall rule' option was added to configure NetFlow to report per Firewall rule by turning it on and enabling Log/Accounting per rule. |
PRJ-24788, |
Routing |
In some scenarios, OSPF configured with unnumbered VTI on cluster frequently moves between "Full" and "EXSTART" status. |
PRJ-24713, |
Routing |
In OSPF environment, the routed process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss. |
PRJ-23246 |
Routing |
Gaia VRRP member freezes when deleting a VLAN interface. Refer to sk106226. |
PRJ-13303, |
VPN |
NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity. |
PRJ-15566 |
VPN |
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address. Refer to sk116453. |
PRJ-25486, |
VPN |
In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266. |
PRJ-22410, |
VPN |
In some scenarios, L2TP tunnel is not deleted completely upon disconnection. |
PRJ-22540, |
VPN |
Added stability fix in validation checks for ECDSA certificates. |
PRJ-25096, |
VPN |
Tunnel Test packets may be dropped by the Secure Configuration Verification (SCV) check when implied rules are disabled. Refer to sk168033. |
PRJ-23300, |
VPN |
In rare scenarios, the VPND process may unexpectedly exit in an L2TP-related flow. |
PRJ-7475, |
VPN |
The VPND process may unexpectedly exit during policy installation when the Mobile Access Blade is used. |
PRJ-21540, |
VPN |
Added VPN Remote Access stability improvement. |
PRJ-17113, |
VPN |
Remote Access VPN policy installation optimization. Refer to sk173947. |
PRJ-22179, |
VPN |
In a rare scenario, there may be an incorrect IKE ID in an ID payload with 3rd party peers in IKEv1 and IKEv2. |
PRJ-19901, |
VPN |
Mobile Access SNX may fail to connect to the Security Gateway when the realm used by the client is different from the SSL VPN realm. |
PRJ-22303, |
VPN |
When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550. |
PRJ-21258, |
VSX |
Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool. |
PRJ-21426, |
Gaia OS |
NEW: Added support for hardware (sensors/NICs) data auto-update. |
PRJ-19563, |
Gaia OS |
NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix. |
PRJ-24192, |
Gaia OS |
In rare scenarios, "show asset network" command may lead to memory leak. Refer to sk174823. |
PRJ-24370, |
Gaia OS |
In some scenarios, the force-password-change option does not work. |
PRJ-10194 |
Gaia OS |
Entering diacritic characters in the Expert password may cause Clish to unexpectedly exit, resulting in a core dump. |
PRJ-25175, |
Gaia OS |
In some scenarios, when adding a "#" in the login banner, the banner becomes corrupted. |
PRJ-17585 |
Gaia OS |
The "set snmp usm user" command fails if it has more than 8 characters. This fix increases the character limit to 31. |
PRJ-22000, |
Gaia OS |
In rare scenarios, SNMP user details may be visible in /var/log/messages file. |
PRJ-21926, |
Gaia OS |
Unable to set MTU on Igb cards. |
PRJ-20918, |
QoS |
Security Gateway may crash in QoS flow when an interface goes down and up during packet processing. |
PRJ-24288, |
Smart-1 Cloud |
Added Update #1 of Quantum Smart-1 Cloud. Refer to sk166056. |