Take 208 - Ongoing

UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB.

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and a different Domain name is used for the second attempt.

In some scenarios, the FWM process is down and fails to start. Core dumps are created in /var/log/dump/usermode.

When searching IP addresses using logical operators (AND / OR), the results may be incorrect:

• in SmartConsole in the Object Explorer view
• with the Management API command "show objects" and the "filter" field

Some matched objects may be missing, while some unmatched objects may be present.

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used.

In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005.

In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930.

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

Policy installation may fail if more than 20,000 objects are created and added to rules.

In rare scenarios, the FWM process on the Security Management Server unexpectedly exits.

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805.

• The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
• On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

Deleting a network group may fail because it is being used, although "Where Used" shows no usage.

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout.

When automatic purge is configured in a local Domain, and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

In a rare scenario, the FWM process unexpectedly exits.

NEW:SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452.

In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452).

In some scenarios, Log Exporter configured to export in TLS cannot authenticate a certificate from an external certificate authority.

In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545.

On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message and the FWM process is running with a high CPU. Refer to sk167239.

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

In SmartConsole:

• In Gateways and Servers view, IP statuses may not be accurate
• In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

In SmartConsole, machine statuses in "Gateways and Servers" may disappear and reappear.

The "Last Update Time" field of a Session Log may show incorrect values.

In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403.

SmartEvent may not show some of the Anti-Virus logs.

• The "fw log" and "fwm logexport" commands may fail with "Error: Failed to read field".
• The exported log file may not contain all logs.
  Refer to sk176644.

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

UPDATE: Adding Connection and Packet Distribution statistics in CPView.

When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887.

Running the threshold_config command may cause the CPD process to consume a high CPU.

In a rare scenario, Security Gateway may crash.

In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs.

In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.

If wstunnel loses connectivity, after several attempts, it may unexpectedly exit and not restart. Refer to sk166056.

In rare scenarios, the LOG_INDEXER process may unexpectedly exit with a core dump file.

The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424.

In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages.

In a rare scenario, the FWD process may unexpectedly exit.

The log_exporter process may consume a high CPU.

When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947.

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

In some scenarios, access roles are not enforced when using an identity tag.

In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.

In a rare scenario, the DLP process may leave several open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space.

UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2.

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

A memory leak, related to TLS probing, may occur in the WSTLSD process.

In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

TCP packets may be dropped as "TCP out of state" although following sk11088.

In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.

• Security Gateway may crash when OSPF inserts or removes an LSA from its database.
• Neighbor dead timers may have negative values.

In rare scenarios, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending.

UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic.

A memory leak may occur when clearing the CRL cache file.

A memory leak may occur in the VPND process.

When querying a VS for "sysObjectID" via SNMP, a generic net SNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check Point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62").

In some scenarios, running the snmpwalk command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

UPDATE: Fixed CVE-2021-3711 and CVE-2021-3712.

Potential vulnerability related to a specific Gaia API command on VSX systems.

• VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
• IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway.

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436.