Take 208 - Ongoing
List of Resolved Issues and New Features
|
Note - This Take contains all fixes from all earlier Takes. |
ID |
Product |
Description |
---|---|---|
Take 208 Released on 23 March 2022 |
||
PRJ-24928, |
Security Management |
UPDATE: Added a warning message in SmartConsole that alerts if memory utilization of the FWM process exceeded 3.5GB during policy installation. |
PRJ-30404, |
Security Management |
UPDATE:
|
PRJ-21874, |
Security Management |
In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer. |
PRJ-26778, |
Security Management |
In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245. |
PRJ-22420, |
Security Management |
Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and a different Domain name is used for the second attempt. |
PRJ-20590, |
Security Management |
In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail. |
PRJ-30051, |
Security Management |
In some scenarios, the FWM process is down and fails to start. Core dumps are created in /var/log/dump/usermode. |
PRJ-29196, |
Security Management |
After an upgrade from R77.x in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message. |
PRJ-28898, |
Security Management |
When searching IP addresses using logical operators (AND / OR), the results may be incorrect:
Some matched objects may be missing, while some unmatched objects may be present. |
PRJ-29965, |
Security Management |
In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X. |
PRJ-29895, |
Security Management |
In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". |
PRJ-29907, |
Security Management |
In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule. |
PRJ-28813, |
Security Management |
In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full". |
PRJ-30880, |
Security Management |
In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file. |
PRJ-25194, |
Security Management |
The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used. |
PRJ-27483, |
Security Management |
Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. Refer to sk174183. |
PRJ-25277, |
Security Management |
In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005. |
PRJ-30097, |
Security Management |
In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it. |
PRJ-30388, |
Security Management |
In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930. |
PRJ-22263, |
Security Management |
In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. |
PRJ-28166, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect sessions handling. |
PRJ-32089, |
Security Management |
When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured may not appear in the results, although they match the IP. |
PRJ-32106, |
Security Management |
Policy installation may fail if more than 20,000 objects are created and added to rules. |
PRJ-30333, |
Security Management |
When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down. |
PRJ-31078, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server unexpectedly exits. |
PRJ-30419, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-29509, |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805. |
PRJ-30678, |
Security Management |
Policy installation with Directional VPN rules may fail with a verification error. |
PRJ-30065, |
Security Management |
|
PRJ-32426, |
Security Management |
In rare scenarios, adding a service to a rule in Access Policy:
Refer to sk176004. |
PRJ-25707, |
Security Management |
Deleting a network group may fail because it is being used, although "Where Used" shows no usage. |
PRJ-34223, |
Security Management |
When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error". |
PRJ-33284, |
Security Management |
When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number. |
PRJ-32666, |
Security Management |
When searching for tags usage, the "where-used" action may fail with "Requested object not found". |
PRJ-33976, |
Security Management |
Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS. |
PRJ-34484, |
Security Management |
When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead. |
PRJ-33861, |
Security Management |
When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout. |
PRJ-30056, |
Security Management |
In rare scenarios, after a Management Server upgrade, importing the database may fail with "Tried to persist object". |
PRJ-33398, |
Security Management |
When automatic purge is configured in a local Domain, and there is an assignment between the Global Domain and that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443. |
PRJ-33362, |
Security Management |
Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464. |
PRJ-32715, |
Security Management |
If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491. |
PRJ-36954, |
Security Management |
Policy installation and "where used" operation may take a long time if there are many inline layers and the "Install On" targets in the Rule Base are not defined as "Any". Refer to sk177928. |
PRJ-32743, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-30348, |
Multi-Domain Management |
During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface. |
PRJ-25008, |
Logging |
NEW: SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452. |
PRJ-30685, |
Logging |
UPDATE: The default timeframe for logs queries using the SmartConsole Logs tab is set to "Last 24 Hours".
|
PRJ-25620, |
Logging |
In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a core dump file, although limited resolving is enabled (according to sk164452). |
PRJ-29027, |
Logging |
In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report. |
PRJ-28338, |
Logging |
In some scenarios, Log Exporter configured to export in TLS cannot authenticate a certificate from an external certificate authority. |
PRJ-28321, |
Logging |
In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing. |
PRJ-31211, |
Logging |
In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545. |
PRJ-26305, |
Logging |
In rare scenarios, in SmartConsole, some logs are not shown. |
PRJ-25438, |
Logging |
On a Management Server with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message while the FWM process runs with high CPU usage. Refer to sk167239. |
PRJ-14120, |
Logging |
Syslog messages are not shown in SmartConsole when syslog_free_text_parser.C contains references to ".ini" files which are located in the Syslog folder $FWDIR/conf/syslog. |
PRJ-26678, |
Logging |
Logs that are sent by Log Exporter in CEF format cannot be displayed if they include non-digit characters in the "dst_phone_number" field. |
PRJ-26028, |
Logging |
In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically. It can be done only by manual update. Refer to sk173323. |
PRJ-17258, |
Logging |
In SmartConsole:
|
PRJ-19835, |
Logging |
On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume high CPU on the Gateway. Refer to sk170928. |
PRJ-1688, |
Logging |
In SmartConsole, machine statuses in "Gateways and Servers" may disappear and reappear. |
PRJ-32082, |
Logging |
A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic. |
PRJ-28314, |
Logging |
The "Last Update Time" field of a Session Log may show incorrect values. |
PRJ-34688, |
Logging |
In some scenarios, in an environment that includes the SmartEvent Server, the LOG_INDEXER process restarts at midnight, producing a core dump file. Refer to sk177805. |
PRJ-30089, |
Logging |
In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403. |
PRJ-14117, |
Logging |
Syslog messages are not shown in SmartConsole when syslog_free_text_parser.C contains references to ".ini" files which are located directly in the Syslog folder $FWDIR/conf/syslog. |
PRJ-29120, |
Logging |
SmartEvent may not show some of the Anti-Virus logs. |
PRJ-32584, |
Logging |
There may be empty values in the "Office Mode IP" field in the Logs view. |
PRJ-30660, |
Logging |
|
PRJ-32025, |
Logging |
In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log. |
PRJ-32015, |
Logging |
When running the "show_logs" API command with the "query-id" argument and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-31614, |
Logging |
Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543. |
PRJ-25651, |
Logging |
When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message. |
PRJ-30546, |
Logging |
In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783. |
PRJ-32306, |
Logging |
When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email. |
PRJ-31909, |
Security Gateway |
NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890. |
PRJ-32069, |
Security Gateway |
UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6. |
PRJ-31662, |
Security Gateway |
UPDATE: Added Connection and Packet Distribution statistics to CPView. |
PRJ-31964, |
Security Gateway |
In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP. |
PRJ-31214, |
Security Gateway |
When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887. |
PRJ-30610, |
Security Gateway |
In rare scenarios, when SACK is enabled, there may be connectivity issues. |
PRJ-20624, |
Security Gateway |
Running the threshold_config command may cause the CPD process to consume high CPU. |
PRJ-22834, |
Security Gateway |
In some scenarios, the "rad_kernel_service_container_add_service" error is printed to dmesg. |
PRJ-29626, |
Security Gateway |
In a rare scenario, Security Gateway may crash. |
PRJ-30085, |
Security Gateway |
In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up. |
PRJ-26667, |
Security Gateway |
In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs. |
PRJ-29739, |
Security Gateway |
In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated. Refer to sk11088. |
PRJ-29501, |
Security Gateway |
In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues. |
PRJ-30247, |
Security Gateway |
Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log. |
PRJ-30038, |
Security Gateway |
If wstunnel loses connectivity, after several attempts, it may unexpectedly exit and not restart. Refer to sk166056. |
PRJ-32571, |
Security Gateway |
When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted. |
PRJ-33902, |
Security Gateway |
In rare scenarios, the LOG_INDEXER process may unexpectedly exit with a core dump file. |
PRJ-33270, |
Security Gateway |
The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952. |
PRJ-21486, |
Security Gateway |
The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424. |
PRJ-31204, |
Security Gateway |
The Security Gateway may crash during policy installation due to memory allocation problems. |
PRJ-29694, |
Security Gateway |
In a rare scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages. |
PRJ-33994, |
Security Gateway |
In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout. |
PRJ-33608, |
Security Gateway |
In a rare scenario, the FWD process may unexpectedly exit. |
PRJ-33509, |
Security Gateway |
CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic. |
PRJ-34265, |
Security Gateway |
The log_exporter process may consume high CPU. |
PRJ-33246, |
Internal CA, VPN |
Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468. |
PRJ-33548, |
Threat Prevention |
When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947. |
PRJ-31013, |
Internal CA |
In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start. |
PRJ-37471, |
Identity Awareness, Identity Logging |
UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148. |
PRJ-30944, |
Identity Awareness |
In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests. |
PRJ-35817, |
Identity Awareness |
On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member. |
PRJ-29610, |
Identity Awareness |
In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables. |
PRJ-32217, |
Identity Awareness |
In some scenarios, access roles are not enforced when using an identity tag. |
PRJ-20710, |
IPS |
In rare scenarios, policy installation fails due to duplicate ID in IPS Snort protections. |
PRJ-29937, |
IPS |
In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash. |
PRJ-32502, |
IPS |
In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process. |
PRJ-30441, |
DLP |
In a rare scenario, the DLP process may leave several open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space. |
PRJ-36397, |
Anti-Malware |
In some scenarios, dmesg may show the following errors: "cmik_loader_fw_context_match_cb: match_cb for CMI APP 3 failed on context 56, executing context 366 and adding the app to apps in exception". |
PRJ-32998, |
SSL Inspection |
UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2. |
PRJ-33403, |
SSL Inspection |
In rare scenarios, TLS probing connections may remain open for extended periods. |
PRJ-34157, |
SSL Inspection |
In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-32897, |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file. |
PRJ-32880, |
SSL Inspection |
When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation. |
PRJ-34970, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly restart. |
PRJ-31169, |
SSL Inspection |
A memory leak, related to TLS probing, may occur in the WSTLSD process. |
PRJ-31163, |
SSL Inspection |
In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur. |
PRJ-30456, |
SSL Inspection |
In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout. |
PRJ-29472, |
SSL Inspection |
In some scenarios, a memory leak may occur when creating ECDHE keys. |
PRJ-35938, PRJ-35934 |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS. |
PRJ-31228, |
SSL Network Extender |
SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760. |
PRJ-25146, |
SecureXL |
In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections. |
PRJ-28213, |
SecureXL |
In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly. |
PRJ-26949, |
SecureXL |
TCP packets may be dropped as "TCP out of state" even though sk11088 was followed. |
PRJ-36070, |
SecureXL |
In some scenarios related to sending multicast packets, ICMP errors may be shown. |
PRJ-32936, |
SecureXL |
In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed. |
PRJ-28641, |
SecureXL |
A redundant message "ACC: Accelerator started. " is printed in dmesg logs. |
PRJ-33352, |
Routing |
|
PRJ-31483, |
Routing |
In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603. |
PRJ-31123, |
Routing |
In rare scenarios, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending. |
PRJ-24053, |
Routing |
In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts. |
PRJ-31470, |
VPN |
UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic. |
PRJ-29479, |
VPN |
A memory leak may occur in the VPND process in IKEv2 Site to Site VPN. |
PRJ-28261, |
VPN |
A memory leak may occur when clearing the CRL cache file. |
PRJ-25309, |
VPN |
In rare scenarios, all traffic is dropped with "Rulebase Internal Error" in SmartLog. |
PRJ-36234, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-32530, |
VSX |
UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool. |
PRJ-27966, |
VSX |
When querying a VS for "sysObjectID" via SNMP, a generic net SNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of the Check Point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62"). |
PRJ-29549, |
VSX |
After reboot, the VS's clish static ARP configuration exists, but the static ARP entries may be missing. |
PRJ-22474, |
VSX |
In some scenarios, running the snmpwalk command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064. |
PRJ-30311, |
Gaia OS |
NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-30291, |
Gaia OS |
UPDATE: Fixed CVE-2021-3711 and CVE-2021-3712. |
PRJ-37954, PMTR-81489 |
Gaia OS |
UPDATE: Upgraded OpenSSL to fix CVE-2022-0778. Refer to sk178411. |
PRJ-33684, |
Gaia OS |
Potential vulnerability related to a specific Gaia API command on VSX systems. |
PRJ-33504, |
Gaia OS |
Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128. |
PRJ-30208, |
Gaia OS |
Refer to sk174969. |
PRJ-28691 |
Gaia OS |
When configuring Bond Load Sharing mode, the Security Gateway may restart several times and create vmcore files. |
PRJ-34524, |
CloudGuard |
When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway. |
PRJ-32228, |
CloudGuard |
The "vsec_lic_cli update" command now supports IP change in the license string. |
PRJ-30231, |
QoS |
In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs. |
PRJ-27031, |
QoS |
In a rare scenario, when SecureXL is enabled, in SmartView Monitor, some QoS traffic may be shown as "No Match". |
PRJ-35155, |
Scalable Platforms |
NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-34439, |
HCP |
Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-30017, |
HCP |
Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22350, |
Infrastructure |
UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias. |
PRJ-31765, |
Infrastructure |
Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452. |