List of All Resolved Issues and New Features
|
Note - This version reached its End of Support. If you are using this version (or lower), we strongly recommend you to upgrade your environments. |

For old General Availability Takes, see the Download Archive.
Take |
Release Date | GA Date |
---|---|---|
08 Sep 2022 |
30 Oct 2022 |
|
05 Jul 2022 |
01 Aug 2022 |
|
07 Apr 2022 |
18 May 2022 |
|
03 Mar 2022 |
08 Mar 2022 |
|
23 Feb 2022 |
- |
|
08 Feb 2022 |
- |
|
02 Jan 2022 |
- |
|
11 Jul 2021 |
31 Aug 2021 |
|
11 May 2021 |
01 Jun 2021 |
|
26 Apr 2021 |
- |
|
16 Mar 2021 |
- |
|
02 Feb 2021 |
16 Mar 2021 |
|
15 Dec 2020 |
28 Jan 2021 |
|
29 Nov 2020 |
08 Dec 2020 |
|
21 Oct 2020 |
- |
|
13 Sep 2020 |
12 Oct 2020 |
|
11 Aug 2020 |
13 Sep 2020 |
|
06 Jul 2020 |
04 Aug 2020 |
|
30 Jun 2020 |
14 Jul 2020 |
|
23 Jun 2020 |
- |
|
26 May 2020 |
- |
|
21 May 2020 |
26 May 2020 |
|
26 Apr 2020 |
|
|
22 Apr 2020 |
30 Apr 2020 |
|
08 Apr 2020 |
- |
|
17 Mar 2020 |
- |
|
11 Mar 2020 |
- |
|
05 Mar 2020 |
- |
|
20 Feb 2020 |
01 Mar 2020 |
|
03 Feb 2020 |
10 Feb 2020 |
|
22 Jan 2020 |
- |
|
13 Jan 2020 |
- |
|
25 Nov 2019 |
03 Dec 2019 |
|
20 Nov 2019 |
- |
|
11 Oct 2019 |
- |
|
03 Sep 2019 |
24 Sep 2019 |
|
02 July 2019 |
04 Aug 2019 |
ID |
Product |
Description |
---|---|---|
Take 255 Released on 8 September 2022 and declared as General Availability on 30 October 2022 |
||
PRJ-29703, |
Diagnostics |
In a rare scenario, the CPView history service may unexpectedly exit.
|
PRJ-37761, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-37986, |
Security Management |
After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated. |
PRJ-38398, |
Security Management |
An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue. |
PRJ-39469, |
Security Management |
Management HA synchronization may fail with the "NGM failed to import data" error. |
PRJ-37884, |
Security Management |
Editing an object may fail with the "Could not access file for write operation" error. |
PRJ-37507, |
Security Management |
Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag. |
PRJ-38118, |
Security Management |
Policy installation may fail with "an internal error" if some objects are pointed to by an old deleted policy. Refer to sk122954. |
PRJ-38215, |
Security Management |
If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status. |
PRJ-38786, PRHF-23476 |
Security Management |
Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524. |
PRJ-38122, PRHF-23066 |
Multi-Domain Management |
Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message. |
PRJ-30962, EPS-562 |
Logging |
In some scenarios, the Forensics report fails to open from Harmony Endpoint logs. |
PRJ-39138, PRJ-39139, |
Logging |
In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly. |
PRJ-40507, |
Security Gateway |
UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750). |
PRJ-39953, PRJ-39954, PRHF-22814 |
Security Gateway |
UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1. |
PRJ-40455, PRJ-40456, |
Security Gateway |
In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway. |
PRJ-34168, |
Security Gateway |
After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash. |
PRJ-41002, PRJ-41004 |
Security Gateway |
In a VSX environment, SNMP queries to OSPF OIDs may fail. |
PRJ-34401, |
Security Gateway |
Deleting IP addresses in the SAM Database may fail. |
PRJ-40135, |
Security Gateway |
When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995. |
PRJ-31456, |
Security Gateway |
The CPD process may unexpectedly exit and create core dump files. |
PRJ-39803, |
Security Gateway |
In rare scenarios, the Security Gateway may crash when an inspected connection is timed out. |
PRJ-39682, |
Security Gateway |
An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump. |
PRJ-36565, |
Internal CA |
UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096. |
PRJ-34885, PRJ-34886, PMTR-77524 |
Threat Prevention |
When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated. |
PRJ-35772, PRJ-35773, |
Threat Prevention |
File transfer may be very slow when Anti-Virus Blade is enabled. |
PRJ-38681, |
Threat Prevention |
In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout. |
PRJ-36382, |
Application Control |
Refer to sk178406. |
PRJ-36431, |
IPS |
When ClusterXL is configured, a file may pass without inspection during a failover. |
PRJ-39060, |
IPS |
In a VSX setup, the IP used as the origin SIC name in the IPS log may differ from the IP in other reports. |
PRJ-37723, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290. |
PRJ-39279, |
ClusterXL |
In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446.
|
PRJ-39836, |
ClusterXL |
When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member. |
PRJ-39070, |
SecureXL |
UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960. |
PRJ-39735, PRJ-39736, |
SecureXL |
There may be high CPU or/and latency in CIFS/SMB connections. |
PRJ-36855, PRJ-36856, PRHF-21863 |
SecureXL |
Policy installation may cause cluster failover and impact the traffic flowing through the cluster. |
PRJ-40292, PMTR-81618 |
SecureXL |
In an environment with a cluster in Active/Standby bridge mode, a kernel memory leak may occur.
|
PRJ-40906, |
SecureXL |
In a rare scenario, ipsctl kernel module does not load at startup. |
PRJ-38557, |
Routing |
UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. Refer to sk178484. |
PRJ-40846, |
VPN |
UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271. |
PRJ-40986, |
VPN |
Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705. |
PRJ-40660, |
VPN |
There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled. |
PRJ-38791, |
VSX |
In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt. |
PRJ-28950, |
VSX |
Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950. |
PRJ-40248, |
VSX |
In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash.
|
PRJ-32704, |
VSX |
After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS.
|
PRJ-27468, |
Gaia OS |
UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970. |
PRJ-24451, |
Gaia OS |
UPDATE: Changed the Syslog message severity from "error" to "info" and removed the exclamation mark in a specific message which is displayed during the normal backup operation flow. |
PRJ-29071, |
Gaia OS |
UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10. |
PRJ-36695, |
Gaia OS |
The /var/log/messages file may be flooded with "failed to update arp table file" messages. |
PRJ-40306, |
HCP |
Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-40668, |
HCP |
Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 254 Released on 5 July 2022 and declared as General Availability on 1 Aug 2022 |
||
PRJ-36847, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect session handling. |
PRJ-37633, |
Security Management |
After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted. |
PRJ-37502, |
Security Management |
In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message. |
PRJ-37394, |
Security Management |
After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084. |
PRJ-35015, |
Security Management |
Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129. |
PRJ-37493, |
Security Management |
In some scenarios, the "show-hosts" Management API command when running it with "details-level full" fails with "generic_error". Refer to sk178249. |
PRJ-37521, |
Security Management |
Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server. |
PRJ-35948, |
Security Management |
In the Compliance view, after changing "Policy Range" to a value smaller than 100%, best practices results become not available. Refer to sk177544. |
PRJ-37707, |
Security Management |
Install Policy preset fails if the Threat Prevention policy was uninstalled. |
PRJ-37864, |
Security Management |
Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy. |
PRJ-39962, |
Security Management |
Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS. |
PRJ-36918, |
Security Management |
When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway. |
PRJ-37800, |
Security Management |
In some scenarios, deleting a Security Gateway object fails with the "Action failed due to an internal error" error. |
PRJ-35058, |
Security Management |
Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224. |
PRJ-35652, |
Security Management |
The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment. |
PRJ-37633, PRHF-22693 |
Security Management |
After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted. |
PRJ-38739, PRHF-23467 |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit and create a core dump.
|
PRJ-37197, |
Security Management |
The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054. |
PRJ-39175, PRHF-23750 |
SmartConsole |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error. |
PRJ-37099, |
Logging |
UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125. |
PRJ-37692, |
Logging |
UPDATE: SmartView reports will show the new Check Point logo |
PRJ-36459, |
Logging |
When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start. |
PRJ-36288, |
Logging |
The "cp_log_export" command fails with the "sed: invalid option - E" error. |
PRJ-33814, |
Logging |
The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position. |
PRJ-34140, |
Logging |
When SmartConsole is connected to a Domain Management Server, in the Logs&Monitor view:
Refer to sk178904. |
PRJ-37895, PRHF-22858 |
Logging |
Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP. |
PRJ-34804, |
Logging |
In some scenarios, logs related to Content Awareness are missing. |
PRJ-19033, PRJ-19034, |
Security Gateway |
UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory. The change is only cosmetic |
PRJ-33927, PRJ-33928, |
Security Gateway |
Cluster failover may trigger the FWK process to exit, with no traffic impact. |
PRJ-36117, PRJ-36118, |
Security Gateway |
In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect. |
PRJ-40631, PRJ-40632, PRHF-24611 |
Threat Prevention |
IPS entries for a Security Gateway onboarded to Infinity SOC may be missing from AMW_report.xml. |
PRJ-36162, PRJ-36163, |
Identity Awareness |
In a rare scenario, the PDP process may unexpectedly exit with a core dump file. |
PRJ-35849, PRJ-35850, |
Identity Awareness |
The PEP process may unexpectedly exit |
PRJ-38040, PRJ-38041, |
IPS |
In very rare scenarios, a traffic outage may occur. |
PRJ-36518, PRJ-36519, |
IPS |
Improved detection in some IPS protections. |
PRJ-35289, PRJ-35290, |
Mobile Access |
In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash. |
PRJ-37432, PRJ-37433, |
ClusterXL |
There may be connectivity issues for multicast traffic in PIM Sparse Mode. |
PRJ-36174, PRJ-36175, |
ClusterXL |
In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby. |
PRJ-35593, PRJ-30380, |
ClusterXL |
In a rare scenario, after an upgrade and reboot, a Standby member goes down with a FullSync pnote and cannot synchronize. |
PRJ-37879, PRJ-37880, PMTR-81375 |
ClusterXL |
Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size. |
PRJ-35928, PMTR-78762 |
ClusterXL |
After enabling the kernel parameter "fwha_drop_pkt_on_down_member" for a cluster is in Active/Active state in bridge mode (sk169495), packets may be dropped even when the member is not in Down state.
|
PRJ-37811, PRJ-37812, PRJ-37001 |
SecureXL |
NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603. |
PRJ-39006, PRJ-38405, PRHF-22881 |
SecureXL |
SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped. |
PRJ-39000, PRJ-39001, PRHF-23644 |
SecureXL |
SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop. |
PRJ-34763, PRJ-34764, PRHF-21568 |
VPN |
When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file. |
PRJ-29580, |
VSX |
UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW). |
PRJ-34669, |
VSX |
UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems. |
PRJ-36447, PRJ-36448, PMTR-65595 |
VSX |
UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole. |
PRJ-36169, PRJ-35502, |
VSX |
There may be a mismatch of policy name on Virtual Switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic. |
PRJ-36765, |
VSX |
VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.. |
PRJ-33469, |
VSX |
In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously. |
PRJ-28543, PRJ-28544, PMTR-65366 |
VSX |
Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344. |
PRJ-38289, |
VSX |
When deleting a physical interface that was added with a VLAN trunk to a VSX cluster or a VSX Gateway, it is not removed correctly from the management side and may still be seen if running the "vsx_util show_interfaces" command. |
PRJ-32404, PRJ-32405, |
VSX |
The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860. |
PRJ-33313, |
VSX |
The FWM process may unexpectedly exit after using the VSX Provisioning tool. |
PRJ-32703, PRHF-20553 |
VSX |
After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS. |
PRJ-32474, |
VSX |
When using the VSX Provisioning Tool, it may not be possible to create a new warp interface, and then change the main IP address of the VS in the same transaction. |
PRJ-35276, PMTR-76457 |
VSX |
In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via clish is deleted without validation.
|
PRJ-33038, PMTR-69098 |
VSX |
In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby. |
PRJ-38405, PRJ-38406, PMTR-73704 |
VSX |
When creating a virtual system, the "Failed to create Virtual System directories" error is displayed. |
PRJ-38825, PRJ-38826, PMTR-82551 |
VSX |
The FWK process of Virtual Switch (VSW) may consume a high CPU. |
PRJ-36131, PRHF-21970 |
VSX |
A member may fail to pull configuration from the SMO on startup.
|
PRJ-38200, PRJ-38201, PRHF-23118 |
VSX |
In some scenarios, the VSX Security Gateway may not decrease the packet's TTL. |
PRJ-35582, PRJ-35583, |
Gaia OS |
UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters. |
PRJ-37413, PRJ-39087, |
Gaia OS |
In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file. |
PRJ-36084, PRJ-36085, |
Gaia OS |
WebUI session may end when creating a Role with full permissions. |
PRJ-38227, PRJ-38228, PMTR-81516 |
Gaia OS |
When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue. |
PRJ-37345, PRJ-37346, |
Gaia OS |
When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful. |
PRJ-36784, PRJ-36785, PMTR-79249 |
Gaia OS |
The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0. |
PRJ-39093, PRJ-39094, PRHF-23641 |
Gaia OS |
Dynamic routing SNMP OID polling may work only in VSX mode. |
PRJ-33558, PMTR-75925 |
Gaia OS |
In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.
|
PRJ-37116, PRJ-37117, |
VoIP |
VoIP calls may not work when static NAT configured. |
PRJ-37601, PRHF-22145 |
CloudGuard |
In Amazon Web Services (AWS), some Gateways may be crashing frequently with vmcores.
|
PRJ-38021, ODU-342 |
Public Cloud CA Bundle |
Added Take 18 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-26371, |
Scalable Platforms |
NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool. |
PRJ-38034, ODU-341 |
Scalable Platforms |
Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-38221, ODU-349 |
HCP |
Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 251 Released on 07 Apr 2022 and declared as General Availability on 18 May 2022 |
||
PRJ-30405, |
Security Management |
UPDATE:
|
PRJ-32890, |
Security Management |
UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165. |
PRJ-33551, |
Security Management |
When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead. |
PRJ-32446, |
Security Management |
In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data". |
PRJ-25708, |
Security Management |
Deleting a network group may fail because it is being used, although "Where Used" shows no usage. |
PRJ-32667, |
Security Management |
When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found". |
PRJ-32855, |
Security Management |
After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running. |
PRJ-33862, |
Security Management |
When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout. |
PRJ-29507, |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805. |
PRJ-34503, |
Security Management |
The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204. |
PRJ-35477, |
Security Management |
Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error. |
PRJ-33977, |
Security Management |
Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS. |
PRJ-32427, |
Security Management |
In rare scenarios, adding a service to a rule in Access Policy:
Refer to sk176004. |
PRJ-32090, |
Security Management |
When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured, may not appear in the results, although they match the IP. |
PRJ-32716, |
Security Management |
If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491. |
PRJ-33519, |
Security Management |
In rare scenarios, the Management Server may fail to start. |
PRJ-34224, |
Security Management |
When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error". |
PRJ-30529, |
Security Management |
Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out. |
PRJ-30679, |
Security Management |
Policy installation with Directional VPN rules may fail with a verification error. |
PRJ-30057, |
Security Management |
In rare scenarios, after Management Server upgrade, importing the database may fail with "Tried to persist object". |
PRJ-36184, |
Security Management |
In some scenarios, in SmartConsole, the IPS update status list does not reflect correctly all the Gateways with enabled IPS Blade. Refer to sk175449. |
PRJ-34033, |
Security Management |
When many sessions are opened:
|
PRJ-22264, |
Security Management |
In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967. |
PRJ-33285, |
Security Management |
When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number. |
PRJ-34176, |
Security Management |
In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server". |
PRJ-34180, |
Security Management |
In rare scenarios, the Management Server becomes inaccessible if there are more than 5000 objects in the Gateways and Servers view. |
PRJ-35337, |
Security Management |
In rare scenarios, the Management Server may fail to start after an upgrade. |
PRJ-33399, |
Security Management |
When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443. |
PRJ-33363, |
Security Management |
Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464. |
PRJ-33459, |
Security Management |
While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the Configuration tab. |
PRJ-32744, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-33166, |
Multi-Domain Management |
The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/. |
PRJ-30349, |
Multi-Domain Management |
During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface. |
PRJ-30524, |
Multi-Domain Management |
In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail. |
PRJ-38328, |
SmartConsole |
Refer to sk178590. |
PRJ-32976, |
CPView |
In Overview, some data about disk space may be missing. |
PRJ-32371, |
Logging |
When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck. |
PRJ-32305, |
Logging |
When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email. |
PRJ-32585, |
Logging |
There may be empty values in the "Office Mode IP" field in the Logs view. |
PRJ-28315, |
Logging |
The "Last Update Time" field of a Session Log may show incorrect values. |
PRJ-25652, |
Logging |
When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message. |
PRJ-29121, |
Logging |
SmartEvent may not show some of the Anti-Virus logs. |
PRJ-32026, |
Logging |
In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log. |
PRJ-30661, |
Logging |
Refer to sk176644. |
PRJ-31615, |
Logging |
Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543. |
PRJ-32578, |
Logging |
In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application. |
PRJ-32016, |
Logging |
When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-30547, |
Logging |
In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783. |
PRJ-29172, |
Logging |
Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and " fwbintabreplace: table svm_range_gateways_valid not found" from the FWD debug log. |
PRJ-30143, |
Logging |
Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file. |
PRJ-32229, |
Logging |
The "vsec_lic_cli update" command now supports IP change in the license string. |
PRJ-32083, |
Logging |
A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic. |
PRJ-34248, |
Logging |
There may be an incorrect error message related to MakeConnection method. |
PRJ-14159 |
Security Gateway |
UPDATE: Added support for CPView's Top Connections tab in User Space Firewall (USFW). |
PRJ-34448 |
Security Gateway |
UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.
|
PRJ-31663, |
Security Gateway |
UPDATE: Adding Connection and Packet Distribution statistics in CPView. |
PRJ-38234, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53. |
PRJ-29695, |
Security Gateway |
In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages. |
PRJ-27607, |
Security Gateway |
A debug message is printed as an error. |
PRJ-33900, |
Security Gateway |
In rare scenarios, the LOG_INDEXER process may unexpectedly exit with a core dump file. |
PRJ-21485, |
Security Gateway |
The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424. |
PRJ-30780, |
Security Gateway |
Access Policy installation may fail with "Error code 1-2000078". |
PRJ-31205, |
Security Gateway |
The Security Gateway may crash during policy installation due to memory allocation problems. |
PRJ-33510, |
Security Gateway |
CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic. |
PRJ-33271, |
Security Gateway |
The control connection may not be refreshed together with data connection if the data connection is accelerated. Refer to sk168952. |
PRJ-33609, |
Security Gateway |
In a rare scenario, the FWD process may unexpectedly exit. |
PRJ-33995, |
Security Gateway |
In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout. |
PRJ-23477, |
Security Gateway |
Policy installation may fail when reaching out of memory on the Security Gateway. |
PRJ-34266, |
Security Gateway |
The log_exporter process may consume a high CPU. |
PRJ-32572, |
Security Gateway |
When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted. |
PRJ-36997, |
Security Gateway |
Fix is relevant for Gaia 3.10 only. |
PRJ-33247, |
VPN, Internal CA |
Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468. |
PRJ-34863, |
Threat Prevention |
IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors. |
PRJ-33546, |
Threat Prevention |
When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947. |
PRJ-30442, |
Threat Prevention |
In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space |
PRJ-30499, |
Identity Awareness |
UPDATE: Enhanced Identity Sharing SmartPull mechanism for large scale environments. |
PRJ-37472, |
Identity Awareness, |
UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148. |
PRJ-30945, |
Identity Awareness |
In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests. |
PRJ-35818, |
Identity Awareness |
On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member. |
PRJ-32869, |
Identity Awareness |
When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause one of the members to go down with a configuration pnote. |
PRJ-28217, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144. |
PRJ-33145, |
URL Filtering |
In some scenarios, SSL websites are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283. |
PRJ-34457, |
IPS |
Enhanced IPS package loader. |
PRJ-29425, |
IPS |
When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated. |
PRJ-30423, |
DLP |
The dlpu process may unexpectedly exit with core dump file. |
PRJ-32999, |
SSL Inspection |
UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2. |
PRJ-32881, |
SSL Inspection |
When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation. |
PRJ-32898, |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file. |
PRJ-33404, |
SSL Inspection |
In rare scenarios, TLS probing connections may remain open for extended periods. |
PRJ-34971, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly restart. |
PRJ-34158, |
SSL Inspection |
In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-36296, |
SSL Inspection |
A memory leak related to TLS probe may occur in the WSTLSD process. |
PRJ-35937, PRJ-35939, PRJ-35934 |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS. |
PRJ-31229, |
SSL Network Extender |
SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760. |
PRJ-32469 |
ClusterXL |
Added Syslog support for Cluster events messages.
|
PRJ-35981, |
ClusterXL |
A cluster failover may take longer than it should.
|
PRJ-36468, |
SecureXL |
The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW). |
PRJ-36071, |
SecureXL |
In some scenarios, related to sending multicast packets, the ICMP errors may be shown. |
PRJ-28642, |
SecureXL |
A redundant message "ACC: Accelerator started." is printed in dmesg logs. |
PRJ-33353, |
Routing |
|
PRJ-30711, |
Routing |
Connectivity issues may occur after configuration of route based VPN (VTI interface). Refer to sk176368. |
PRJ-34708, |
Routing |
In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order. |
PRJ-36235, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-32363, |
VPN |
Improved IKEv2 narrowing. |
PRJ-36415, |
VPN |
In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit. |
PRJ-32516, |
VPN |
Improved establishing IKEv2 tunnel with DAIP peer. |
PRJ-34490, |
VPN |
Remote Access users cannot connect when a certificate issued by a configured subordinate CA is used for authentication. |
PRJ-34509, |
VPN |
When IKEv2 and pre-shared-key are configured, VPN may fail during the second IKE SA re-key. Refer to sk171756. |
PRJ-34208, |
VPN |
IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name. |
PRJ-33839, |
VSX |
UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode.
|
PRJ-32531, |
VSX |
UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool. |
PRJ-36790, |
VSX |
The "vsx_util reconfigure" command may fail without printing the cause of the error. |
PRJ-22475, |
VSX |
In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064. |
PRJ-32077, |
VSX |
When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes writing the object to the database to fail. |
PRJ-37420, |
VSX |
After deleting a warp interface in SmartConsole, the active VSX cluster member may crash.
|
PRJ-36773, |
Gaia OS |
NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-37956, |
Gaia OS |
UPDATE: Upgraded OpenSSL to fix CVE-2022-0778. Refer sk178411. |
PRJ-28692 |
Gaia OS |
Stability enhancement for Bond LS. |
PRJ-30209, |
Gaia OS |
Refer to sk174969. |
PRJ-33685, |
Gaia OS |
Potential vulnerability related to specific Gaia API command on VSX systems. |
PRJ-33505, |
Gaia OS |
Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128. |
PRJ-32690, |
Gaia OS |
In some scenarios, like defected LOM card, or when LOM port exists, but no LOM is connected, the confd process may stop working. |
PRJ-37227, |
Gaia OS |
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253. |
PRJ-33711, |
Gaia OS |
In a rare scenario, the Security Gateway fails to boot when working in USFW (User-Space Firewall) mode.
|
PRJ-27907, |
Harmony Endpoint |
In some scenarios, logs related to Harmony EndPoint may be missing. |
PRJ-36272, |
CloudGuard |
In some scenarios, incorrect data center updates are pushed to the Gateway. |
PRJ-34525, |
CloudGuard |
When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway. |
PRJ-36702, |
Public Cloud CA Bundle |
Added Take 14 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-35156 |
Scalable Platforms |
NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-36828, |
HCP |
Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-34440, |
HCP |
Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22351, |
Infrastructure |
UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias. |
PRJ-29948, |
Infrastructure |
In a rare scenario, the user cannot connect to the Mobile Access Portal. |
Take 246 Released on 03 March 2022 and declared as General Availability on 08 March 2022 |
||
PRJ-37388, |
ClusterXL |
Forward/backward clock jumps may cause some operations to fail and the cluster to go down. |
Take 245 Released on 23 February 2022 |
||
PRJ-36955, |
Logging |
Policy installation and "where used" operation may take a long time if there are many inline layers and the "Install On" targets in the Rule Base are not defined as "Any". Refer to sk177928. |
Take 242 Released on 8 February 2022 |
||
PRJ-34689, |
Logging |
In some scenarios, in an environment that includes the SmartEvent Server, the log_indexer process restarts at midnight, producing a core dump file. Refer to sk177805. |
Take 241 Released on 2 January 2022 |
||
PRJ-24929, |
Security Management |
UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB. |
PRJ-29232 |
Security Management |
UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information. |
PRJ-30098, |
Security Management |
In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it. |
PRJ-28647, |
Security Management |
In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain. |
PRJ-28421, |
Security Management |
Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872. |
PRJ-27999, |
Security Management |
If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.
|
PRJ-25626, |
Security Management |
In rare scenarios, a Management Server upgrade may fail with an error message "Object not found - [UID]" in the cpm.elg log file. |
PRJ-28534,
|
Security Management |
In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error. |
PRJ-28155,
|
Security Management |
In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server. |
PRJ-28086,
|
Security Management |
In some scenarios, the Administrators view may not filter domain names according to the permission profile of the connected administrator. |
PRJ-24948, |
Security Management |
If there is an Administrator named "Endpoint", an upgrade of Endpoint Security Server from R77.30 version fails. |
PRJ-26909, |
Security Management |
Policy installation to multiple gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy. |
PRJ-26297, |
Security Management |
In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted. |
PRJ-26300, |
Security Management |
In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely. |
PRJ-26734, |
Security Management |
In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a message "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:". |
PRJ-26675, |
Security Management |
The Management API command "show gateways and servers" does not show policy information for cluster members. |
PRJ-28782, |
Security Management |
In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes. |
PRJ-30624, |
Security Management |
In rare scenarios, after the Security Management Server starts up, when connecting to SmartConsole, some objects appear more than once. |
PRJ-25037, |
Security Management |
In rare scenarios, a task in progress may get stuck until the Management Server is restarted. |
PRJ-26977, |
Security Management |
After migrating a Domain to Security Management Server, the FWM process may be shown as "down" in watchdog, although it is up and running. Refer to sk163814. |
PRJ-26628, |
Security Management |
In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189. |
PRJ-13163, |
Security Management |
The "show-global-assignment" command may ignore the limit request and return the default limit. |
PRJ-26122, |
Security Management |
In some scenarios, HA synchronization fails in the Global Domain after an IPS update. |
PRJ-25798, |
Security Management |
In rare scenarios, if the CPM process is up for many days, CPU and memory consumption may continue to grow until a reboot is performed. |
PRJ-25564, |
Security Management |
In rare scenarios, an upgrade may fail when there is an OPSEC Server object configured. |
PRJ-22133, |
Security Management |
In some scenarios, a high load on the Management Server may cause SmartConsole slowness. |
PRJ-28568, |
Security Management |
In some scenarios, the Purge Revisions operation fails with an error message: "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx". Refer to sk174645. |
PRJ-29156, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-29186, |
Security Management |
In a rare scenario, High Availability full synchronization may fail due to a large number of records. |
PRJ-28899, |
Security Management |
When searching IP addresses using logical operators (AND / OR), the results may be incorrect:
Some matched objects may be missing, while some unmatched objects may be present. |
PRJ-28291, |
Security Management |
In rare scenarios, High Availability incremental synchronization may fail with a wrong status message. |
PRJ-28297, |
Security Management |
In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase. |
PRJ-25000, |
Security Management |
After migrating a Domain to a Multi-Domain Management and assigning a Global Policy, if there are objects with the same name in the Domain and Global Domain, the assignment succeeds, although it must fail due to name duplication. |
PRJ-23452, |
Security Management |
After upgrade from R77.x, "Cannot assign a Domain more than once" errors may appear in the validations pane. |
PRJ-24329, |
Security Management |
In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy. |
PRJ-23124, |
Security Management |
Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270. |
PRJ-21786, |
Security Management |
In some scenarios, the output of the "cpmistat" command may contain partial information. |
PRJ-30052, |
Security Management |
In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007. |
PRJ-28062, |
Security Management |
In rare scenarios:
|
PRJ-29896, |
Security Management |
In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". |
PRJ-25195, |
Security Management |
The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used. |
PRJ-29966, |
Security Management |
In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X. |
PRJ-21875, |
Security Management |
In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer. |
PRJ-22421, |
Security Management |
Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and another different Domain name is used for the second attempt. |
PRJ-25278, |
Security Management |
In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005. |
PRJ-29197, |
Security Management |
After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message. |
PRJ-23850, |
Security Management |
Management Server upgrade may fail if there is a large amount of customized column profiles in Logs View. |
PRJ-27484, |
Security Management |
Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. Refer to sk174183. |
PRJ-28814, |
Security Management |
In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full". |
PRJ-30387, |
Security Management |
In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930. |
PRJ-26779, |
Security Management |
In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245. |
PRJ-30881, |
Security Management |
In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file. |
PRJ-20708, |
Security Management |
In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail. |
PRJ-29908, |
Security Management |
In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule. |
PRJ-31079, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server unexpectedly exits. |
PRJ-30822, |
Security Management |
In some scenarios, in SmartConsole, the IPS update status list does not reflect correctly all the Gateways having the IPS Blade enabled. Refer to sk175449. |
PRJ-30334, |
Security Management |
When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down. |
PRJ-32107, |
Security Management |
Policy installation may fail if more than 20,000 objects are created and added to rules. |
PRJ-31670, |
Security Management |
In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time. |
PRJ-30066, |
Security Management |
|
PRJ-28167, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect sessions handling. |
PRJ-32545, |
Security Management |
Values updated in resourceProfiles files to handle high CPU utilization for the Java process (sk123417) are not resistant and are overridden after Jumbo Hotfix Accumulator installation or backup/restore or export/import procedures. |
PRJ-21829, |
Multi-Domain Management |
In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file. |
PRJ-21775, |
Licensing |
In some scenarios, the total number of "sr" licenses may be counted incorrectly. |
PRJ-28522 |
Licensing |
In a very rare scenario, SmartConsole login attempts mail fail due to high CPU usage of the CPD process. |
PRJ-27343, |
Licensing |
In a rare scenario, the licensing status in SmartConsole is displayed incorrectly. |
PRJ-29309, |
SmartConsole |
The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911. |
PRJ-30370, |
CPInfo |
UPDATE: Added CPInfo build 914000219. Refer to sk92739. |
PRJ-25007, |
Logging |
NEW: SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452. |
PRJ-25928, |
Logging |
NEW:
Note: The default time frames on the SmartView web application and SmartConsole are not synchronized.
|
PRJ-26807, |
Logging |
NEW: In SmartEvent GUI, added the "referrer" field for filtering correlation unit events. |
PRJ-23488, |
Logging |
NEW:
|
PRJ-16280, |
Logging |
In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430. |
PRJ-25831, |
Logging |
The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access Blade is enabled on the Gateway. |
PRJ-24522, |
Logging |
In a low log rate, there may be a delay in exporting logs using the Log Exporter. |
PRJ-25644, |
Logging |
In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB). |
PRJ-13741, |
Logging |
The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces. |
PRJ-27048, |
Logging |
In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume a high CPU. |
PRJ-26724, |
Logging |
In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command. |
PRJ-24282, |
Logging |
In rare scenarios, when exporting logs to Check Point Infinity Portal, the Log Exporter may unexpectedly exit. |
PRJ-26692, |
Logging |
When adding the "UC Block" action, log queries may not show UserCheck logs. Refer to sk174543. |
PRJ-22343, |
Logging |
In SmartView, the "Duration" field is missing from Reports and Views. |
PRJ-22647, |
Logging |
Threat Emulation log description for HTTP emulation is incorrect. |
PRJ-23866 |
Logging |
In SmartView reports, the "Show only icon" option for table widgets does not work as expected. |
PRJ-23678, |
Logging |
In rare scenarios, in environments with many network objects, when typing a query in the search bar in the Logs tab, SmartConsole may close unexpectedly. |
PRJ-14237, |
Logging |
In SmartView, grouping or filtering by the field "Total Bytes" causes the query to fail. |
PRJ-21322, |
Logging |
In the Method field, logs with the following values are not shown in the SmartConsole's Logs tab. They are only shown when opening a single log record. |
PRJ-26113, |
Logging |
In a multi-site MDM environment, Log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name. |
PRJ-16983, |
Logging |
In a rare scenario, Application Control events may not be displayed in SmartEvent. |
PRJ-27617, |
Logging |
The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event. |
PRJ-25439, |
Logging |
On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239. |
PRJ-25621, |
Logging |
In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452). |
PRJ-28339, |
Logging |
In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority. |
PRJ-29028, |
Logging |
In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report. |
PRJ-31210, |
Logging |
In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545. |
PRJ-17259, |
Logging |
In SmartConsole:
|
PRJ-26306, |
Logging |
In rare cases, in SmartConsole, some logs are not shown. |
PRJ-28322, |
Logging |
In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing. |
PRJ-26029, |
Logging |
In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323. |
PRJ-26679, |
Logging |
Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field. |
PRJ-14118, |
Logging |
Syslog messages are not shown in SmartConsole when syslog_free_text_parser.C contains references to ".ini" files which are located directly syslog folder $FWDIR/conf/syslog. |
PRJ-19836, |
Logging |
On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928. |
PRJ-30582, |
Logging |
In some scenarios, in Multi-Domain Servers with many Domains, the Solr process for logs may unexpectedly exit. |
PRJ-20496, |
CPUSE |
The "Recommended" Package value is not changed from true to false in SmartConsole while installing Jumbo Hotfix. Refer to sk174508. |
PRJ-29573, |
Security Gateway |
NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default. |
PRJ-31910, |
Security Gateway |
|
PRJ-28850, |
Security Gateway |
UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters. |
PRJ-29441, |
Security Gateway |
UPDATE: The default value for kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560.
|
PRJ-30980, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.
|
PRJ-32070, |
Security Gateway |
UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6. |
PRJ-32154, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51. |
PRJ-26821, |
Security Gateway |
A duplicate entry appears in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic. |
PRJ-26033, |
Security Gateway |
The "fw_xlate_rule_count_dec: refcount is negative -1" message may be displayed in dmesg when IP pool NAT is used on a cluster environment. |
PRJ-4172, |
Security Gateway |
Large number of "fwpslglue_do_log: message [0] will be truncated in log" logs is printed in /var/log/messages, although debug is not enabled. |
PRJ-25291, |
Security Gateway |
In rare scenarios, a re-matched connection has 2 logs in SmartConsole. |
PRJ-27074, |
Security Gateway |
In rare scenarios, using IP Pool NAT with only IPv4/IPv6 addresses configured may cause Security Gateway to crash. |
PRJ-24909, |
Security Gateway |
In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the "PSL Drop: internal - drop enabled" message was displayed. With this fix, the reason for the drop will be displayed. |
PRJ-26476, |
Security Gateway |
In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security Gateway to crash. |
PRJ-27125, |
Security Gateway |
In some scenarios, the ROUTED process may unexpectedly exit.
|
PRJ-29417, |
Security Gateway |
In some scenarios, policy installation fails with the "Error code: 0-2000108" message. Refer to sk170673. |
PRJ-14623, |
Security Gateway |
After policy installation, Security Gateway may stop responding due to memory leaks. |
PRJ-27558, |
Security Gateway |
In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188. |
PRJ-27918, |
Security Gateway |
In some scenarios, the CPD process may consume high CPU because of the memory leak in FDT (File Download Tool). |
PRJ-19769, |
Security Gateway |
Security Gateway may crash after policy installation. |
PRJ-28827, |
Security Gateway |
Improved the ICAP Server internal memory allocation logic. |
PRJ-26390, |
Security Gateway |
The WSDNSD process unexpectedly exits and creates a core file. Refer to sk173627. |
PRJ-27648, |
Security Gateway |
Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section. |
PRJ-29136, |
Security Gateway |
The cpsicdemux process may unexpectedly exit, causing Secure Internal Communication (SIC) connection to fail. |
PRJ-29740, |
Security Gateway |
In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated Refer to sk11088. |
PRJ-29502, |
Security Gateway |
In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues. |
PRJ-29627, |
Security Gateway |
In a rare scenario, Security Gateway may crash. |
PRJ-26581, |
Security Gateway |
In a rare scenario, CPView may show incorrect SecureXL statistics per VS. |
PRJ-30248, |
Security Gateway |
Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log. |
PRJ-26668, |
Security Gateway |
In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs. |
PRJ-31215, |
Security Gateway |
When a large number of VPN tunnels is configured, and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887. |
PRJ-30039, |
Security Gateway |
If wstunnel loses connectivity, after several attempts, it may unexpectedly exit and not restart. Refer to sk166056. |
PRJ-25147, |
Security Gateway |
In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections. |
PRJ-30086, |
Security Gateway |
In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up. |
PRJ-30611, |
Security Gateway |
In rare scenarios, when SACK is enabled, there may be connectivity issues. |
PRJ-20625, |
Security Gateway |
Running the threshold_config command may cause the CPD process to consume a high CPU. |
PRJ-32099, |
Security Gateway |
In a rare scenario, policy installation may cause connections termination. |
PRJ-31965, |
Security Gateway |
In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP. |
PRJ-31367, |
Security Gateway |
Improved the handling of a large number of sessions per single HTTP/S connection. |
PRJ-26963, |
Security Gateway |
Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS).
|
PRJ-32334, |
Security Gateway |
Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message. |
PRJ-26647, |
Internal CA |
UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424. |
PRJ-31014, |
Internal CA |
In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start. |
PRJ-24987, |
Threat Prevention |
UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300. |
PRJ-28677, |
Threat Prevention |
UPDATE: Added the option to remove proxy usage in ioc_feeds tool. |
PRJ-23266, |
Threat Prevention |
In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing.
|
PRJ-26540, |
Threat Prevention |
In some scenarios, the IPS update status in SmartConsole is incorrect after the automatic update fails with the "Update failed. Failed to load database" error. |
PRJ-22269, |
Threat Prevention |
Improved the Threat Prevention policy installation time when installing on more than two Security gateways. |
PRJ-26200, |
Threat Prevention |
In a rare scenario, the Security Gateway may crash when working with Anti-Virus. |
PRJ-28517, |
Threat Prevention |
In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed. |
PRJ-25226, |
Threat Prevention |
The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS Blade is disabled. Refer to sk172903. |
PRJ-29923, |
Threat Prevention |
Threat Prevention policy installation may fail when loading 2 IOC feeds that contain the same signature name for one of the observables. |
PRJ-30094, |
Threat Prevention |
In some scenarios, loading Custom Intelligence Feeds that include an IP address with a subnet mask of 32 bits (x.x.x.x/32) may fail. |
PRJ-28974, |
Threat Prevention |
Improved telemetry for Infinity Vision SOC. |
PRJ-29368, |
Threat Prevention |
In rare scenarios, IoC feed loading fails due to hash parsing errors. |
PRJ-28137, |
Threat Extraction |
In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg. |
PRJ-33562, |
Threat Prevention |
In a rare scenario, the Security Gateway may crash when working with Anti-Virus or Threat Emulation. |
PRJ-29490, |
Identity Awareness |
UPDATE:
|
PRJ-26801, |
Identity Awareness |
In a rare scenario, the Security Gateway may crash. |
PRJ-29400, |
Identity Awareness |
Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull. |
PRJ-29611, |
Identity Awareness |
In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables. |
PRJ-27190, |
Application Control |
UPDATE: Improved matching of URLs for custom applications. |
PRJ-29766, |
URL Filtering |
In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped. |
PRJ-26104, |
IPS |
Security Gateway may crash when the IPS profile name is very long. Refer to sk174025. |
PRJ-27257, |
IPS |
Proxy source IP address is not printed in the IPS logs. |
PRJ-28488, |
IPS |
An HTTP download of a large file may unexpectedly stop with an error message. |
PRJ-27956, |
IPS |
In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open. |
PRJ-29938, |
IPS |
In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash. |
PRJ-28736, |
IPS |
In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588. |
PRJ-31691, |
IPS |
Improved the handling of decoded HTTP/S traffic. |
PRJ-32500, |
IPS |
In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process. |
PRJ-28499, |
Anti-Virus |
UPDATE: Improved Anti-Virus buffer allocation to reduce stack size. |
PRJ-24613, |
Anti-Virus |
UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types. |
PRJ-23568, |
Anti-Virus |
Security Gateway may crash when transferring the HTTP multipart traffic if the Anti-Virus Deep Scanning, Threat Extraction, or Threat Emulation is enabled. |
PRJ-29132, |
Anti-Bot |
UPDATE: Improved performance of Anti-Bot URL Reputation. |
PRJ-29473, |
SSL Inspection |
In some scenarios, a memory leak may occur when creating ECDHE keys. |
PRJ-30457, |
SSL Inspection |
In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout. |
PRJ-31170, |
SSL Inspection |
A memory leak, related to TLS probing, may occur in the WSTLSD process. |
PRJ-31164, |
SSL Inspection |
In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur. |
PRJ-30698, |
SSL Inspection, |
A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers. |
PRJ-27294, |
Mobile Access |
In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit. |
PRJ-28255, |
Mobile Access |
In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client. |
PRJ-29273, |
Mobile Access |
In some scenarios, a memory leak may occur in the CVPND process. |
PRJ-27787, |
ClusterXL |
Log shows that CCP encryption fails on each policy installation.
|
PRJ-29834, |
ClusterXL |
In a VRRP cluster, changes to the CCP encryption channel do not remain after reboot on Kernel 3.10. Refer to sk174968.
|
PRJ-28601, |
ClusterXL |
In some scenarios, in Load Sharing mode, the "cphaprob show_bond" command on the Security Management Server shows the back-up subordinate status as "Not Available". Refer to sk175469.
|
PRJ-28357, |
ClusterXL |
Clock jumps forward/backward may cause some operations to fail and the cluster to go down. |
PRJ-30502, |
ClusterXL |
In VSX Load Sharing (VSLS) environment, a disconnected bond LS interface impacts all VS's at the member regardless that the interface is connected to a specific VS. |
PRJ-28222, |
SecureXL |
In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly. |
PRJ-26950, |
SecureXL |
TCP packets may be dropped as "TCP out of state" although following sk11088. |
PRJ-32937, |
SecureXL |
In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed. |
PRJ-27817, |
Routing |
If the interface cable is unplugged, after a failover, Border Gateway Protocol (BGP) stops receiving routes from Primary member to Secondary and back to Primary. |
PRJ-31124, |
Routing |
In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending. |
PRJ-26959, |
Routing |
The ROUTED process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected. |
PRJ-28392, |
Routing |
The checksum of PIM "register" packets may be calculated incorrectly, causing the RP router to discard a "register" packet. |
PRJ-28837, |
Routing |
In some scenarios, an outage may occur because of premature graceful-restart exit. |
PRJ-29494, |
Routing |
BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer. |
PRJ-26751, |
Routing |
In some scenarios, the NetFlow Packet may report a wrong source IP Address. |
PRJ-29317, |
Routing |
AS path loops may occur, although BGP multihop is configured. |
PRJ-29494, |
Routing |
BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer. |
PRJ-28955, |
Routing |
The ROUTED process may unexpectedly exit. |
PRJ-31484, |
Routing |
In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603. |
PRJ-24054, |
Routing |
In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts. |
PRJ-31471, |
VPN |
UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic. |
PRJ-28572, |
VPN |
In some scenarios, Server connections to Remote Access L2TP clients may be unstable. |
PRJ-28769, |
VPN |
In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation. |
PRJ-26528, |
VPN |
In some scenarios, NAT-T traffic outages may occur after a cluster failover. Refer to sk175552. |
PRJ-23978, |
VPN |
Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.
|
PRJ-22116, |
VPN |
In rare scenarios, after policy installation, the VPND process may unexpectedly exit with core dump. |
PRJ-21636, |
VPN |
VPN Logs show IP address octets in an unexpected (reversed) order. Refer to sk172807. |
PRJ-28375, |
VPN |
Improved VPN Site to Site tunnel establishment scenario with IKEv2. Refer to sk175092. |
PRJ-27311, |
VPN |
IPSec VPN uses the wrong source IP address when initiating NAT-T encrypted traffic. Refer to sk172805. |
PRJ-28072, |
VPN |
A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249. |
PRJ-27672, |
VPN |
In some scenarios, the user may not be able to connect because the CVPND process unexpectedly exits. |
PRJ-27684, |
VPN |
In a rare scenario, a memory leak may occur. |
PRJ-27680, |
VPN |
When saving the login info of the client, a memory leak may occur. |
PRJ-27676, |
VPN |
Reauthentication of the client may lead to a memory leak. |
PRJ-27853, |
VPN |
When deleting an entry from m_ht hash table, a memory leak may occur. |
PRJ-27811, |
VPN |
In some scenarios, the VPN tunnel between GCP cluster and GCP peer fails to establish. |
PRJ-25140, |
VPN |
In some scenarios, outbound traffic with NAT-T outgoing packets is sent from an incorrect link. Refer to sk176711. |
PRJ-26397, |
VPN |
Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235. |
PRJ-25881, |
VPN |
In some scenarios, when DAIP peer initiates IKEv2 negotiation with certificate authentication, the VPND process may unexpectedly exit. Refer to sk174665. |
PRJ-28312, |
VPN |
Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328. |
PRJ-28510, |
VPN |
In some scenarios, a memory leak may occur on the Security Gateway. |
PRJ-28503, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-29280, |
VPN |
In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process. |
PRJ-29480, |
VPN |
A memory leak may occur in the VPND process in IKEv2 Site to Site VPN. |
PRJ-29530, |
VPN |
RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode. |
PRJ-28560, |
VPN |
In some scenarios, when sending the SCV drop log, a memory leak may occur. |
PRJ-31105, |
VPN |
In some scenarios, a memory leak may occur in the VPND process. |
PRJ-31145, |
VPN |
In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site. |
PRJ-28262, |
VPN |
A memory leak may occur when clearing the CRL cache file. |
PRJ-31129, |
VPN |
In some scenarios, a memory leak may occur in the VPND process. |
PRJ-31287, |
VPN |
Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417. |
PRJ-30762, |
VPN |
In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file. |
PRJ-30327, |
VPN |
In some scenarios, IKEv2 tunnel may not work due to SA expiration. |
PRJ-30866, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-29593, |
VPN |
In a rare scenario, the IKEv2 negotiation appears successful, although it failed. |
PRJ-31027, |
VPN |
Many "remote access client IP address and port were changed" logs are printed after an upgrade. |
PRJ-28604, |
VSX |
In a rare scenario, a cluster member may crash when running the "cphaconf show bond" command.
|
PRJ-29550, |
VSX |
After a reboot, the VS's clish static ARPs configuration exists, but the static ARPs may be missing. |
PRJ-27967, |
VSX |
When querying a VS for "sysObjectID" viaSNMP, a generic netSNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62"). |
PRJ-26128, |
VSX |
After upgrade, the VS names may be displayed incorrectly in the output of the "vsx stat -v" command. |
PRJ-22689, |
VSX |
This fix allows create/change a VSX cluster/gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole. |
PRJ-26559, |
VSX |
Multi-Queue configuration on VSX does not remain after reboot. Refer to sk173950.
|
PRJ-30312, |
Gaia OS |
NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-26927, |
Gaia OS |
NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.
|
PRJ-30292, |
Gaia OS |
UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes. |
PRJ-27708, |
Gaia OS |
UPDATE: The command "show multiple-queue Affinity" deprecation message was changed.
|
PRJ-26997, |
Gaia OS |
Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703.
|
PRJ-27975, |
Gaia OS |
A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC). |
PRJ-28973, |
Gaia OS |
In a rare scenario, a memory leak may occur in the monitord process. |
PRJ-27671, |
Gaia OS |
In some scenarios, the "show arp dynamic all" command displays values of VS0 instead of VS.
|
PRJ-25764, |
Gaia OS |
After 248 days of up time, the VMSS gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413.
|
PRJ-28683, |
Gaia OS |
In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.
|
PRJ-25248, |
Endpoint Security |
In some scenarios, the Policy Server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates. |
PRJ-27331, |
CloudGuard |
|
PRJ-27032, |
QoS |
In a rare scenario, in SmartView Monitor, some QoS traffic may be shown as "No Match". |
PRJ-30232, |
QoS |
In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs. |
PRJ-28052, |
Scalable Plaforms |
In some scenarios, bond interface subordinate fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00.
|
PRJ-30016, |
HCP |
Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-30253, |
HCP |
Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-24086, |
HCP |
Added Update 2 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22797, |
HCP |
Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22320, |
Infrastructure |
In some scenarios, the cpmiquerybin and dbedit processes may unexpectedly exit causing a buffer overflow. |
PRJ-31766, |
Infrastructure |
Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452. |
Take 237 Released on 11 July 2021 and declared as General Availability on 31 August 2021 |
||
PRJ-26241, |
Diagnostics |
NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2. |
PRJ-24232, |
Licensing |
UPDATE: If there is no license installed, the error message will be printed when running the cpstart command. |
PRJ-24203, |
Security Management |
NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629. |
PRJ-25034, |
Security Management |
UPDATE: If there is no license on the Security Management Server, a new verification blocks an attempt to migrate a Domain. |
PRJ-31072, |
Security Management |
UPDATE: Added an environmental variable to control the sduu command timeout in the FWM process: SDUU_UPDATE_TIMEOUT. |
PRJ-24609, |
Security Management |
Incorrect Mobile Access license status upon a license change. |
PRJ-22383, |
Security Management |
User may fail to connect to SmartConsole after the administrator changed the RADIUS server host IP address. Refer to sk172065. |
PRJ-19633, |
Security Management |
The Management API command "get-attachment" may fail with an error. Refer to sk170894. |
PRJ-26505, |
Security Management |
Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same". |
PRJ-26192, |
Security Management |
In a rare scenario, the FWM process may unexpectedly unexpectedly exit. |
PRJ-21917, |
Security Management |
In some scenarios, the Desktop policy fails with "Policy installation had failed due to an internal error. If the problem persists please contact Check Point support". Refer to sk171970. |
PRJ-21398, |
Security Management |
In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828. |
PRJ-25685, |
Security Management |
In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name. |
PRJ-24050, |
Security Management |
If the Management Server is up for many days, the CPM process's memory consumption and CPU usage may increase consistently. |
PRJ-23883, |
Security Management |
In some scenarios, when updating Check Point Host object to be a Network Policy Management and in addition configuring it as a Secondary Server, "Publish" fails with "Action Failed due to an internal error". |
PRJ-22074, |
Security Management |
In rare scenarios, the Management Server may fail to start because Solr fails to initialize. |
PRJ-26182, |
Security Management |
When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file. |
PRJ-21966, |
Security Management |
Packet Mode search in rule base ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched. |
PRJ-26192, |
Security Management |
In a rare scenario, the FWM process may unexpectedly unexpectedly exit. |
PRJ-24485, |
Security Management |
In very large Management environments, Policy verification and installation may fail with core dump. Refer to sk173722. |
PRJ-23937, |
Multi-Domain Management |
NEW: Once a day, Multi-Domain Management Servers will check for peers that are not synchronized. If such are identified, HA full sync will be automatically initiated at the MDS level. |
PRJ-25890, |
Multi-Domain Management |
NEW: Added ability to create Domain Management Servers with a netmask different than the one of the Multi-Domain Server. Refer to sk173934. |
PRJ-25516, |
Multi-Domain Management |
In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole. |
PRJ-22637, |
Multi-Domain Management |
In rare scenarios, the Multi-Domain Management Server may fail to start if Domains were previously deleted. |
PRJ-24758, |
Multi-Domain Management |
Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x. |
PRJ-23696, |
Multi-Domain Management |
Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain. |
PRJ-25408, |
Multi-Domain Management |
In some scenarios, HA synchronization may fail on the MDS level with the "Failed to synchronize this peer due to purged revisions in the database." message. |
PRJ-15876, |
Multi-Domain Management |
OS information for Domain Servers may not be shown correctly at the MDS level. |
PRJ-26870, |
SmartConsole |
In some scenarios, the gateway hardware change in SmartConsole fails with "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning. |
PRJ-27299, |
SmartView |
After upgrade, SmartView scheduled export to Excel of Reports and Views stop running and users are unable to edit the scheduled tasks. Refer to sk174047. |
PRJ-27070, |
Compliance |
In some scenarios on Multi-Domain environments, Compliance data is not synchronized between primary and secondary Domains. |
PRJ-20256, |
Logging |
NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323. |
PRJ-21420, |
Logging |
NEW: The Log exporter now supports formatting for RSA SIEM application. |
PRJ-25135, |
Logging |
NEW: Added support for JSON format in Log Exporter. |
PRJ-25593, |
Logging |
UPDATE: The Log Server now supports up to 2700 Gateways (previously was 1024). Refer to sk163413. |
PRJ-12425, |
Logging |
In some scenarios, exported FireWall logs from a Security Gateway to an external syslog server (sk87560) contain a redundant new line character. |
PRJ-16646, |
Logging |
In the SmartConsole Logs tab, the "IKE IDs" field cannot be added to column profiles. |
PRJ-23819, |
Logging |
In rare scenarios, when querying logs with a timeframe larger than 1 day, only 50 logs from each day will be shown. |
PRJ-24893, |
Logging |
Starting from Jumbo Take 216, logs exported in LogRhythm format via the Log Exporter, appear in an incorrect format. |
PRJ-23578, |
Logging |
In some scenarios following a Multi-Domain Management Server upgrade, logs queries may not retrieve results from some CMAs\CLMs. |
PRJ-24214, |
Logging |
In Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application. |
PRJ-23762, |
Logging |
In rare scenarios, SmartConsole may unexpectedly close if the pre-defined VPN columns profile in the Logs view was modified and saved. |
PRJ-22965, |
Logging |
In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention Blades, logs of the "Anti Spam" Blade are not exported. |
PRJ-15230, |
Logging |
In SmartView, when creating a statistical table and grouping by Time, the query may fail. |
PRJ-20618, |
Logging |
In SmartView, when filtering with specific time filters, the result may include more logs than was requested. |
PRJ-25452, |
Logging |
In rare scenarios, logs generated at the same second, with the same ID, may not show up in SmartConsole's Logs tab. |
PRJ-24481, |
Logging |
When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways. |
PRJ-25270, |
Internal CA, VPN, Multi-Portal |
UPDATE: The IKE certificate's validity period is set to 1 year by default. Refer to sk176527. |
PRJ-26137, |
Internal CA |
UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates. |
PRJ-26700 |
Internal CA |
Expired certificates cannot be deleted via the ICA Management Tool. |
PRJ-21126, |
Security Gateway |
UPDATE: Service with source port in the Access rulebase will no longer disable accept templates for all connections. |
PRJ-24375, |
Security Gateway |
A memory leak in a DNS resolving I/S may occur. |
PRJ-20980, |
Security Gateway |
In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server. |
PRJ-23076, |
Security Gateway |
Enhancement: Early drop optimization will work even if the UserCheck is not relevant for this connection. |
PRJ-24007, |
Security Gateway |
In rare scenarios, when the "sd_global_monitor_only" property is set to "true", there is no HTTP inspection. |
PRJ-23271, |
Security Gateway |
In some scenarios, the "fw ctl affinity" command on MPDS Dplane does not show the Mplane Multi-Queue interfaces.
|
PRJ-22622, |
Security Gateway |
In some scenarios, the VSX Cluster switch may cause a core dump. |
PRJ-23425, |
Security Gateway |
The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145. |
PRJ-26374, |
Security Gateway |
In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg. |
PRJ-16919, |
Security Gateway |
In rare scenarios, SmartView Monitor shows the "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206. |
PRJ-24527, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway. |
PRJ-25814, |
Security Gateway |
Added Dynamic Anti-Spoofing stability enhancements. |
PRJ-22736, |
Security Gateway |
When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may stuck. |
PRJ-23946, |
Security Gateway |
In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode. |
PRJ-23340, |
Security Gateway |
Boot may take a long time on machines with many VLANs or secondary IP addresses.
|
PRJ-25735, |
Security Gateway |
In some scenarios, Security Gateway may crash when ICAP client is enabled. |
PRJ-25617, |
Security Gateway |
In a rare scenario, Security Gateway may crash when handling some DNS packets. |
PRJ-25907, |
Security Gateway |
In a rare scenario, machine hangs and user is unable to run any command. Refer to sk173405. |
PRJ-24124, |
Security Gateway |
RADIUS authentication failure messages are written to SmartConsole logs but not presented to a user. Refer to sk173927. |
PRJ-21268, |
Security Gateway |
In some scenarios, emails may be stuck in the MTA queue. |
PRJ-24518, |
Gaia OS |
In some scenarios, when adding a "#" in the login banner, the banner becomes corrupted. |
PRJ-25390, |
Security Gateway |
In some scenarios, there is no match on URL Filtering rules. |
PRJ-25599, |
Security Gateway |
In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together. |
PRJ-24416, |
Security Gateway |
In a rare scenario, Security Gateway may crash under heavy load during cluster failover.
|
PRJ-23846, |
Security Gateway |
In some non-VPN scenarios, MSS Adjustment (Clamping) does not work. |
PRJ-26149, |
Security Gateway |
In a rare scenario, a memory leak may occur when IPS / Anti-Bot / Anti-Virus Blade is enabled. |
PRJ-25550, |
Security Gateway |
In some scenarios, connections are dropped with the "Virtual defragmentation error: fragment table is full" message. Refer to sk180404. |
PRJ-25154, |
Security Gateway |
When running the "fwaccel stats -r" command to reset the SXL statistics, the statistics may become corrupted. |
PRJ-27039, |
Security Gateway |
VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683. |
PRJ-22945, |
Security Gateway |
In rare scenarios, policy installation fails with "gen_rpc_service_inspect_func: <service name> mismatch in service_arr" error message. Refer to sk174165. |
PRJ-23456, |
Security Gateway |
In some scenarios, values set in fwkern.conf file may not be applied correctly. |
PRJ-14275, |
Security Gateway |
In some scenarios, SCCP traffic may be dropped by the Security Gateway. Refer to sk108124.
|
PRJ-24835, |
Security Gateway |
In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may unexpectedly exit. Refer to sk172935. |
PRJ-23063, |
Security Gateway |
Improved displayed drop log messages on the Security Gateway:
Refer to sk172232. |
PRJ-18865, |
Security Gateway |
In rare scenarios, DynamicID authentication fails with "server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303. |
PRJ-27160, |
Security Gateway |
In rare scenarios, running "fw1 + misp" debug on cluster may cause Security Gateway to crash. |
PRJ-26616, |
Security Gateway |
In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file. |
PRJ-26593, |
Security Gateway |
Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition. |
PRJ-23265, |
Threat Prevention |
In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing. |
PRJ-23775, |
Anti-Bot |
UPDATE: Anti-Bot URL cache was enhanced to support further requests. |
PRJ-25746, |
Identity Awareness |
NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance. |
PRJ-25388, |
Identity Awareness |
In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492.
|
PRJ-25923, |
Identity Awareness |
Optimized the PDP expired timers mechanism performance. |
PRJ-26229, |
Identity Awareness |
When the PDP gateway is connected to multiple pre-R81 PEP gateways, the CPU consumption may be high. Refer to sk173709. |
PRJ-26201, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash when working with Anti-Virus.
|
PRJ-21769, |
Application Control |
A failure log may be generated when inspecting connections to servers with certificates without a common name (CN) field. |
PRJ-24630, |
UserCheck |
In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, action fails with "An unexpected error has occured..." error message. |
PRJ-23979, |
UserCheck |
Sensitive file push.js may be visible on the Security gateway. |
PRJ-23034, |
Anti-Malware |
In rare scenarios, Security Gateway may crash if event app debug is enabled. |
PRJ-23039, |
Anti-Malware |
In a rare scenario, Security Gateway may crash during the Application Control / IPS / Anti-Bot package update. |
PRJ-24779, |
Anti-Malware |
In a rare scenario, the Security gateway may crash with the "Problem with the Commit Function" error during policy installation. Refer to sk173248. |
PRJ-23297, |
IPS |
UPDATE: Added support for PM statistics when IPS is disabled. |
PRJ-25198, |
IPS |
In some scenarios, the DNS response message with record type 0 may be dropped by "Non compliant DNS" protection. |
PRJ-24982, |
IPS |
In a rare scenario, Security Gateway crashes when Threat Prevention Forensic Log feature is enabled. |
PRJ-24344, |
IPS |
Improved the HTTP protocol handling. |
PRJ-20711, |
IPS |
In rare scenarios, policy installation fails due to duplicate id in IPS Snort protections. |
PRJ-19938, |
SSL Inspection |
UPDATE: Avoid sending the TLS probe during inbound inspection when it is not necessary for the SNI-based categorization. |
PRJ-21689, |
SSL Inspection |
UPDATE: Avoid sending the TLS probe during the inbound inspection when a rule is matched according to the IP address. |
PRJ-20678, |
SSL Inspection |
A table hash size may be too small for some environments and cause an increased CPU usage. |
PRJ-26742, |
SSL Inspection |
Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692. |
PRJ-19854, |
SSL Inspection |
TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated. |
PRJ-24460, |
SSL Inspection |
In some scenarios, memory leaks may occur after policy installation. |
PRJ-24467, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-25177, |
SSL Inspection |
In some scenarios, when HTTPS Inspection is enabled, overall memory consumption may gradually increase. Refer to sk171280. |
PRJ-24666, |
ClusterXL |
The Gaia Clish command "set snmp traps trap clusterXLFailover enable" fails with "Bad Command Unknown Trap name." Refer to sk173810.
|
PRJ-24143, |
SecureXL |
UPDATE: Firewall debug drop template message now indicates the rule ID the template was created from. |
PRJ-24650, |
SecureXL |
In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file. |
PRJ-17459, |
SecureXL |
SecureXL keeps forwarding packets in VSX bridge mode when the member is down. Refer to sk169495. |
PRJ-23458, |
SecureXL |
A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns". |
PRJ-22788, |
SecureXL |
In a rare scenario, Security Gateway may crash after running the "fwaccel tab -t connections" command. |
PRJ-25509, |
SecureXL |
In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode.
|
PRJ-27222, |
SecureXL |
In some scenarios, SYN Defender log messages in SmartConsole show "*** MISSING ***" instead of the real log. |
PRJ-24539, |
SecureXL |
In a VSX environment, the SYN Defender configuration may not be applied correctly. |
PRJ-27224, |
SecureXL |
Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file.
|
PRJ-24475, |
Routing |
UPDATE: Allow "set bgp internal peer <value> send-route-refresh" commands. |
PRJ-16532, |
Routing |
UPDATE: User does not have to enable logging/accounting in SmartConsole to generate the Netflow records. New "NetFlow Firewall rule" option was added to configure NetFlow to report per Firewall rule by turning it on and enabling Log/Accounting per rule. |
PRJ-23247 |
Routing |
VRRP member freezes when deleting a VLAN interface. Refer to sk106226. |
PRJ-24789, |
Routing |
In some scenarios, OSPF configured with unnumbered VTI on cluster frequently moves between "Full" and "EXSTART" status. |
PRJ-24714, |
Routing |
In OSPF environment, the ROUTED process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss. |
PRJ-24968, |
Routing |
Graceful restart has been enhanced to tolerate a non-standard behavior by peers of closing BGP connection before getting established. |
PRJ-25040, |
Routing |
In a rare scenario, the ROUTED process unexpectedly exits when creating an MFC (S,G) entry. Refer to sk176685. |
PRJ-25993, |
Routing |
In some scenarios, the monitored IP option "force-if-symmetry" does not detect the asymmetric ping properly. |
PRJ-24386, |
Routing |
In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with the "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message. |
PRJ-25316, |
Routing |
In some scenarios, CPView displays incorrect values of RIP statistics. |
PRJ-27043, |
Routing |
The ROUTED process with Ping enabled always gets reset during Clish reconfiguration. |
PRJ-26967, |
Routing |
In some scenarios, the ROUTED process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time. |
PRJ-27057, |
Routing |
In some scenarios, the ROUTED process may unexpectedly exit when there is a static route and a kernel route to the same destination. |
PRJ-25914, |
Routing |
NetFlow packets are sent from the individual VS IP address instead of VS0.
|
PRJ-23090, |
Mobile Access |
In some scenarios, FWK process unexpectedly exits due to SNX authorization timeout in MAB's Unified Policy mode. Refer to sk173125. |
PRJ-22330, |
Mobile Access |
In some scenarios, the VPND process unexpectedly exits in SNX Application Mode. |
PRJ-23722, |
Mobile Access |
Remote Access session may not be synced on the standby member VS.
|
PRJ-23729, |
Mobile Access |
In some scenarios, when configuring the "X-Forwarded-For" header to MAB reverse proxy, the header is passed in reverse order. |
PRJ-22804, |
Mobile Access |
When the administrator adds more than 30 native applications, users may fail to connect via SSL Network Extender Application mode. |
PRJ-25219, |
Mobile Access |
Improved the Portal Rendering performance in Unified Policy mode. |
PRJ-24685, |
Mobile Access |
In some scenarios, the HTTPD process consumes a high CPU causing slowness in access to web applications. |
PRJ-24815, |
VPN |
UPDATE: Added VPN improvements in IKEv2:
|
PRJ-24917, PRJ-24933, VPNS2S-2235 |
VPN |
UPDATE:
|
VPNS2S-2313 |
VPN |
"Invalid ID information" message may be displayed when peer is 3rd party and Link selection is overridden. |
VPNS2S-2313 |
VPN |
IKEv2 may cause the VPND process to unexpectedly exit when IKEv2 rekey uses certificates. |
VPNS2S-2313 |
VPN |
|
PRJ-25051, |
VPN |
In some scenarios, user may not be able to connect because the VPND process unexpectedly exits. |
PRJ-25131, |
VPN |
In some scenarios, the VPN Remote Access client cannot reconnect after changing the authentication method. |
PRJ-21940, |
VPN |
In some scenarios, VPN Remote Access users are disconnected after policy installation. Refer to sk171966. |
PRJ-24250, |
VPN |
In some scenarios, the TTM (Transform Template) file is not loaded when there are no TTM groups for the user. |
PRJ-14270, |
VPN |
Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type. |
PRJ-24400, |
VPN |
In some scenarios, DAIP gateways may be identified as Remote Access, causing the connection to fail. Refer to sk173417. |
PRJ-25487, |
VPN |
In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266. |
PRJ-24858, |
VPN |
The VPND process may unexpectedly exit when cipher priority configuration is invalid. Refer to sk173083. |
PRJ-23972, |
VPN |
In some scenarios, the IKED process unexpectedly exits producing a core dump. |
PRJ-22526, |
VPN |
When Multiple Factor Authentication is configured with DynamicID , VPN clients may receive four password prompts. Refer to sk144932. |
PRJ-26202, |
VPN |
MEP failover with 3rd party vendors may not work correctly. |
PRJ-26339, |
VPN |
In some scenarios, Phase 2 NULL encryption in IKEv2 fails with "Received notification from peer: No proposal chosen" message in the log. |
PRJ-25334, |
VPN |
In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug. |
PRJ-26265, |
VPN |
In some scenarios in MEP configuration, failover to available MEP members may fail. |
PRJ-26933, |
VPN |
In some scenarios, the VPND process unexpectedly exits after installing the policy. |
PRJ-27738 |
VPN |
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address.
|
PRJ-26621, |
VPN |
Added VPN stability improvement in IKEv2. |
PRJ-25983, |
VPN |
In rare scenarios, IKE negotiation fails when using IPv6 addresses. |
PRJ-25310, |
VPN |
In rare scenarios, all traffic is dropped with "Rulebase Internal Error" in SmartLog. |
PRJ-24804, |
VPN |
Site to Site VPN connectivity issue when NAT is enabled. |
PRJ-26440, |
VPN |
In rare scenarios, a memory leak related to gateway authentication may occur. |
PRJ-26438, |
VPN |
In a rare scenario, a memory leak may occur when RASession_util is active. |
PRJ-26431, |
VPN |
In a rare scenario, the IKED process stops with core dump when using Office Mode IP allocation for clients and users cannot connect. |
PRJ-21428, |
Gaia OS |
NEW: Added support for hardware (sensors/NICs) data auto-update. |
PRJ-25670, |
Gaia OS |
In some scenarios, the driver's (i40e) response time for MQ settings takes a too long time.
|
PRJ-26111, |
Gaia OS |
When the RADIUS server uses a multi-pool "Access Challenge", the system sends many authentication requests without waiting |
PRJ-24492, |
Gaia OS |
In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827.
|
PRJ-24508 |
Gaia OS |
In some scenarios, when adding a "#" in the login banner, the banner becomes corrupted.
|
PRJ-24371, |
Gaia OS |
In some scenarios, the force-password-change option does not work. |
PRJ-23965, |
VSX |
UPDATE: Added ability to change the Management and Sunc interfaces via vsx_util change_interfaces. |
PRJ-25022, |
VSX |
In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793. |
PRJ-5187, |
VSX |
In some scenarios during shutdown, the FWK process may unexpectedly exit producing a core dump when VSX gateway is upgraded to R80.30. |
PRJ-25726, |
QoS |
A memory leak may occur when using domain names in QoS policy rules. Refer to sk174904. |
PRJ-24289, |
Smart-1 Cloud |
Added Update #1 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-25384, |
CloudGuard IaaS |
CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways. |
PRJ-23351, |
CloudGuard IaaS |
The SNMP response may show incomplete values. |
PRJ-21719, |
CloudGuard Azure |
Improved performance consistency (with Multi-Queue) after the Microsoft Azure Maintenance event. |
Take 236 Released on 11 May 2021 and declared as General Availability on 1 June 2021 |
||
PRJ-25945, |
ClusterXL |
In some scenarios, the user cannot run any dynamic routing or install any static routes, including the default route. |
- |
VPN |
Hardened the ability to use narrowed IKEv2 tunnels. For more information, refer to sk166417. |
Take 235 Released on 26 Apr 2021 |
||
PRJ-24911, |
Security Management |
"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026. |
PRJ-9515, |
Security Management |
The Rule UID is hidden in Audit logs. Refer to sk165016. |
PRJ-23921, |
Security Management |
SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server. |
PRJ-22609, |
Security Management |
In some scenarios, a Domain migration may fail during the Access Policy import with the "Object not found" error in cpm.elg file. |
PRJ-22440, |
Security Management |
Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003. |
PRJ-22122, |
Security Management |
Running override_server_setting.sh may not update settings correctly when updating a setting multiple times. |
PRJ-15904, |
Security Management |
Security policy compilation fails if the Domain network object name (FDQN name) contains space. |
PRJ-17232, |
Security Management |
In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently. |
PRJ-23772, |
Security Management |
"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation. |
PRJ-22871, |
Security Management |
In some scenarios, policy installation fails with "Error code 0-2000077" message. |
PRJ-20808, |
Security Management |
On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704. |
PRJ-22210, |
Security Management |
In rare scenarios, concurrent update operations performed by several administrators on the Management Server may fail. |
PRJ-22129, |
Security Management |
In a rare scenario, Management HA synchronization fails after the Purge Revisions operation. |
PRJ-13069, |
Security Management |
In rare scenarios, during a Global Policy Reassignment, the Management Server may unexpectedly exit and fail to start again. |
PRJ-22631, |
Multi-Domain Management |
UPDATE: Improved the Domain Management Server and Domain Log Server creation and deletion operations. |
PRJ-23158, |
Multi-Domain Management |
UPDATE: Added stabilization improvement for Assign and Reassign Global Policy operations. |
PRJ-22579, |
Multi-Domain Management |
In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059. |
PRJ-22595, |
Multi-Domain Management |
Create Domain action may fail with a "License violation detected" error even though CPSM-DOMAINS-1 license is applied on the Management Server. |
PRJ-24019, |
Multi-Domain Management |
In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain. |
PRJ-21911, |
Multi-Domain Management |
In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup. |
PRJ-22521, |
Multi-Domain Management |
In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704. |
PRJ-22137, |
Multi-Domain Managemen |
A Multi-Domain Server with dozens of Domains may take a long time to start. |
PRJ-23542, |
Multi-Domain Managemen |
In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles. |
PRJ-13189, |
Multi-Domain Management |
In a rare scenario, Advanced upgrade from R80.10 may fail. |
PRJ-19498, |
SmartConsole |
"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' Blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management servers has the "Logging & Status" Blade disabled. Refer to sk172226. |
PRJ-21622, |
SmartConsole |
In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905. |
PRJ-22217, |
SmartConsole |
In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker. |
PRJ-17275, |
SmartConsole |
The "Recent Tasks" view allows only Super Users to view other administrators' tasks. |
PRJ-21182, |
Logging |
NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated. |
PRJ-18558, |
Logging |
In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999. |
PRJ-23154, |
Logging |
When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763. |
PRJ-23203, |
Logging |
In rare scenarios, when creating a Log server object and establishing SIC, log queries from the newly created Log server object may fail. |
PRJ-23007, |
Logging |
In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis. |
PRJ-21113, |
Logging |
In some scenarios, when declaring a filter in Log Exporter, logs may not be exported. Refer to sk173025. |
PRJ-23414, |
Logging |
In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results). |
PRJ-17118, |
Logging |
In SmartView, chart and timeline widgets may show a "Query Failed" error. |
PRJ-21305, |
Logging |
|
PRJ-15783, |
Logging |
In SmartView, when the user exports a container widget with charts to PDF, some data may be missing, and the charts may be shown in a distorted manner. |
PRJ-22183, |
Logging |
In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one. |
PRJ-22247, |
Logging |
In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles". |
PRJ-21144, |
Logging |
In SmartView, when opening a log card popup in lower resolutions, the text in the header may be cut off. |
PRJ-21372, |
Logging |
In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly unexpectedly exit. |
PRJ-15325, |
Logging |
In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done. |
PRJ-23139, |
Internal CA |
The output of the "lscert" command has duplicate lines for all certificates that are not in "pending" status. |
PRJ-16050, |
Compliance |
Deactivated Compliance Best Practices appear in the Compliance report. |
PRJ-21900, |
Security Gateway |
NEW: Added new troubleshooting tool to cplic command for Entitlement manager. |
PRJ-23384, |
Security Gateway |
NEW: Implemented new Fast-Accel producer. The following Fast-Accel statistics are added to CPView:
|
PRJ-22678, |
Security Gateway |
UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607. |
PRJ-10988, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560. |
PRJ-19572, |
Security Gateway |
When using "User Alert 3" in the code alert, cosmetic error "FW-1: fwdrv_get_string_id_from_code: illegal parameters for code 8" appears in the /var/log/messages file. |
PRJ-20568, |
Security Gateway |
In some scenarios, the "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file. |
PRJ-22453, |
Security Gateway |
In a rare scenario, Security gateway may crash with fwk and fwk_wd core dump files. |
PRJ-19410, |
Security Gateway |
The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled. |
PRJ-22371, |
Security Gateway |
In some scenarios, the Security Gateway attempts to access the Management Server through the server's NAT IP address (defined in the "NAT" section of the server object), while the server is reachable only through the main IP address (defined in the "General Properties" section of the server object). Refer to sk171665 to configure the required parameter SKIP_NATTED_IP. |
PRJ-20902, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits during debug.
|
PRJ-21110, |
Security Gateway |
Authentication may fail when LDAP branch name contains "\".
|
PRJ-21053, |
Security Gateway |
In a rare scenario, Fast Accel logs are sent although they are disabled on the matched rule. Refer to sk171336. |
PRJ-23519, |
Security Gateway |
Security Gateway may freeze on boot when enable IPv6 and IPv4 with 40 instances in Kernel mode. Refer to sk172364. |
PRJ-21470, |
Security Gateway |
When the Security Gateway is configured as a proxy, some network objects may not be matched correctly. |
PRJ-23396, |
Security Gateway |
Added support for "Other" services configured with IP protocol, but without advanced "Match" expression. |
PRJ-23099, |
Security Gateway |
The connection may not exist in SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allow out of state TCP packets. |
PRJ-21310, |
Security Gateway |
Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754. |
PRJ-24297, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway. |
PRJ-22079, |
Internal CA |
In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process unexpectedly exits when trying to renew a certificate on a standby Domain. |
PRJ-19450, |
Identity Awareness |
Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH). |
PRJ-24583, |
Identity Awareness |
In some scenarios, a Security gateway may crash after Take 232 installation due to Identity Awareness specific flow. |
PRJ-21455, |
Identity Awareness |
In some scenarios, VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*). |
PRJ-22357, |
Identity Awareness |
In some scenarios, output of "pdp conn pep" command may show wrong PEP names. |
PRJ-21237, |
IPS |
UPDATE: Exceptions are now enforced for these IPS protections:
Refer to sk166222. |
PRJ-22516, |
IPS |
Proxy source IP address is not printed in the IPS logs. |
PRJ-19491, |
Application Control |
The fw_full (fwd daemon) unexpectedly exits producing a core dump fila and causing a cluster failover. |
PRJ-21294, |
URL Filtering |
UPDATE: Improved RAD event output to provide additional information on events, such as detailed timing. This update also activates the retry mechanism by default. |
PRJ-21708, |
SSL Inspection |
In rare scenarios, a memory leak may occur in a crypto module. |
PRJ-19776, |
SSL Inspection |
In some scenarios, the wstlsd process may unexpectedly exit when browsing to certain websites. |
PRJ-19780, |
SSL Inspection |
A memory leak may occur during policy installation. |
PRJ-22532, |
Anti-Malware |
UPDATE: Improved behavior of Intelligence Feed failure.
|
PRJ-22019, |
Anti-Malware |
In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected. |
PRJ-20267, |
Anti-Malware |
Packet capture may not be generated for certain IPS protections. |
PRJ-18701, |
UserCheck |
When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear on URL field of log details.
|
PRJ-14601, |
Mobile Access |
In some scenarios, pinger (MAB process that handles the ActiveSync traffic) may unexpectedly exit. |
PRJ-21641, |
Mobile Access |
Mobile Access may overwrite the /etc/hosts file on Security Gateway. |
PRJ-21697, |
ClusterXL |
UPDATE: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces. |
PRJ-21347, |
ClusterXL |
In some scenarios, a large quantity of logs is generated on cluster VIP API. |
PRJ-19516, |
ClusterXL |
In some scenarios, the required interface value is higher than it should be when adding a VLAN interface.
|
PRJ-22149, |
ClusterXL |
During active-active-bridge mode, the "show routed cluster-state" command may display some members as subordinate instead of master.
|
PRJ-18060, |
SecureXL |
UPDATE: Changed the "accept out of state" global parameter usage and added support to change it for specific VS. Refer to sk147093. |
PRJ-22287, |
SecureXL |
TCP reset packets may be dropped with an invalid sequence. |
PRJ-22166, |
SecureXL |
Rate limiting rules using concurrent-connection counters may cause connections to be blocked. |
PRJ-22434, |
SecureXL |
In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections. |
PRJ-19370, |
SecureXL |
Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries. |
PRJ-20683, |
SecureXL |
In some scenarios, not all IP addresses listed in Deny List file $FWDIR/conf/deny_lists are loaded. |
PRJ-22914, |
SecureXL |
Improved the Smart Connection Reuse feature to be consistent with the user configuration. Refer to sk24960. |
PRJ-19663, |
SecureXL |
In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.
|
PRJ-22901, |
Routing |
In some scenarios, OSPF configured with unnumbered VTI on cluster frequently moves between "Full" and "EXSTART" status.
|
PRJ-17586, |
Gaia OS |
UPDATE: SNMP USM user names limitation was increased from 8 characters to 31. |
PRJ-22920, |
Gaia OS |
"kernel: [SIM4];resume_from_error: failed to get ci_or_corr" error message may be printed numerous times in /var/log/messages file while running UDP Traffic Load. Refer to sk172543. |
PRJ-21997, |
Gaia OS |
In rare scenarios, SNMP user details may be visible in /var/log/messages file. |
PRJ-21925, |
Gaia OS |
Unable to set MTU on Igb cards. |
PRJ-443 |
Gaia OS |
Non-English characters in Expert password may cause Clish to crash. |
PRJ-24153, |
Gaia OS |
In rare scenarios, "show asset network" command may lead to memory leak. Refer to sk174823. |
PRJ-24049, |
Gaia OS |
Captive Portal / SAML portal may not work after installation with Blink image. |
PRJ-21664, |
Gaia OS |
In some scenarios, policy installation on a Check Point Gateway in Azure causes the Gateway to crash and load a default policy. Refer to sk171553.
|
PRJ-20743, |
Gaia OS |
CVE-2020-25705: ICMP reply rate.
|
PRJ-22214, |
Gaia OS |
"show configuration on" may not expose bond members.
|
PRJ-13301, |
VPN |
NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity. |
PRJ-15567 |
VPN |
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address. |
PRJ-19902, |
VPN |
Mobile Access SNX may fail to connect to the Security gateway when the realm used by the client is different for the SSL VPN realm. |
PRJ-18413, |
VPN |
Remote Access VPN policy installation optimization. Refer to sk173947. |
PRJ-21762, |
VPN |
In a rare scenario, there may be an incorrect IKE ID in an ID payload with 3rd party peers in IKEv1 and IKEv2. |
PRJ-17493, |
VPN |
In IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync causing a VPN traffic outage. Refer to sk172926.
|
PRJ-22424, |
VPN |
Tunnel Test packets may be dropped by Secure Configuration Verification (SCV) check when implied rules are disabled. Refer to sk168033. |
PRJ-21649, |
VPN |
When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550. |
PRJ-19215, |
VPN |
Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.
|
PRJ-22411, |
VPN |
In some scenarios, L2TP tunnel is not deleted completely upon disconnection. |
PRJ-23940, |
VPN |
When the Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not be removed from the table. |
PRJ-23301, |
VPN |
In rare scenarios, the vpnd process may unexpectedly exit in an L2TP-related flow. |
PRJ-22541, |
VPN |
Added stability fix in validation checks for ECDSA certificates. |
PRJ-21259, |
VSX |
Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool. |
PRJ-15568 |
VPN |
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address.
|
PRJ-23827, |
VSX |
In rare scenarios, the Wrp interface may not come up. Refer to sk171753.
|
PRJ-20919, |
QoS |
Security Gateway may crash in QoS flow when interface goes down and up during packet processing. |
Take 232 Released on 16 March 2021 |
||
PRJ-20071, |
Security Management |
NEW: Optimized the Solr build time to improve performance in the following operations:
|
PRJ-21004, |
Security Management |
NEW: Improved FWM process performance during Security policy or database installation. |
PRJ-22316, |
Security Management |
NEW: Performance improvement of Management High Availability Full Sync. |
PRJ-20030, |
Security Management |
UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published. |
PRJ-19999, |
Security Management |
UPDATE: Added improvements in policy load process, to reduce the policy installation time when having large amount of objects. |
PRJ-20854, |
Security Management |
Management Server upgrade from R80.20 to R80.40 may fail if a Network Interface object refers to a Gateway object that does not exist. |
PRJ-21254, |
Security Management |
In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large. |
PRJ-21186, |
Security Management |
In rare scenarios, logout from a session fails with "An internal error has occurred" message. |
PRJ-17788, |
Security Management |
In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT. |
PRJ-21590, |
Security Management |
Although the Access Settings of the Management API is set to "All IP addresses", the API server does not accept requests from any IP address unless the IP is defined explicitly as a Trusted Client. |
PRJ-20886, |
Security Management |
In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view. |
PRJ-21585, |
Security Management |
In rare scenarios, the CPM Solr process may not be stopped when running cpstop or mdsstop. |
PRJ-20803, |
Security Management |
In some scenarios, deleting a partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains. |
PRJ-21416, |
Security Management |
In rare scenarios, the initiation of the Management server may take a long time. |
PRJ-21358, |
Security Management |
In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole. |
PRJ-20303, |
Security Management |
In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error. |
PRJ-20764, |
Security Management |
High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches. |
PRJ-20841, |
Security Management |
When migrating a Domain Management Server to a Security Management Server:
|
PRJ-16471, |
Multi-Domain Management |
UPDATE: When reassigning Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in queue of the local server due to other tasks that are running. |
PRJ-22274, |
Multi-Domain Management |
In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916. |
PRJ-21276, |
Multi-Domain Management |
In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059. |
PRJ-19993, |
Multi-Domain Management |
After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional:
|
PRJ-19722, |
Multi-Domain Management |
The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.
|
PRJ-21343, |
Multi-Domain Management |
When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work. |
PRJ-20239, |
SmartConsole |
When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found". |
PRJ-21387, |
SmartConsole |
Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.). |
PRJ-21524 |
SmartConsole |
In a rare scenario, automatic NAT rules are not visible in SmartConsole. |
PRJ-20314, |
SmartConsole |
In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895. |
PRJ-18921, |
SmartConsole |
In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435. |
PRJ-19140, |
SmartConsole |
In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325. |
PRJ-18859, |
Logging |
NEW: Added support for Endpoint Forensics reports to get-attachment API. |
PRJ-7953, |
Logging |
In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676. |
PRJ-20562, |
Logging |
In rare scenarios, the Log Exporter fails to connect to external destination when using the TLS protocol. |
PRJ-17355, |
Logging |
FWM and\or log_indexer processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452. |
PRJ-19009, |
Logging |
In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196. |
PRJ-21156, |
Logging |
In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments. |
PRJ-20873, |
SmartView |
UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel. |
PRJ-20774, |
Compliance |
In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed. |
PRJ-14101, |
Compliance |
Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices. |
PRJ-21109, |
Security Gateway |
Authentication may fail when LDAP branch name contains "\". |
PRJ-20338, |
Security Gateway |
In rare scenarios, passive FTP packets may be dropped. |
PRJ-21670, |
Security Gateway |
In some scenarios, a Security policy installation fails during high CPU utilization. |
PRJ-20898, |
Security Gateway |
In some scenarios, the DNS requests from the Security Gateway may fail. |
PRJ-17204, |
Security Gateway |
After upgrading to R80.20, it is not possible to configure an OSPF interface to have a priority of 0. |
PRJ-21610, |
Security Gateway |
Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold". |
PRJ-20630, |
Security Gateway |
In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server. |
PRJ-20383, |
Security Gateway |
In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher. |
PRJ-19849, |
Security Gateway |
In some scenarios, a memory leak may appear after sending a packet from the kernel. |
PRJ-19702, |
Security Gateway |
In rare scenarios, a memory leak may occur in TOPOD process. |
PRJ-19583, |
Security Gateway |
In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic. |
PRJ-11204, |
Security Gateway |
In some scenarios, traffic that is matched on implied rule is dropped while it should not. |
PRJ-19798, |
Security Gateway |
Improved the policy enforcement of the ZIP archive inner files |
PRJ-22407, |
Security Gateway |
In some scenarios, the "rad_kernel_service_container_add_service" error is printed to dmesg. |
PRJ-21362, |
Security Gateway |
Traffic may be dropped when the Hide NAT is configured on IPv6 host.
|
PRJ-21240, |
Security Gateway |
In rare scenarios, proxy ARP entries may be deleted when installing a policy. |
PRJ-20923, |
Anti-Malware |
In a rare scenario, the Security Gateway may crash when the Threat Prevention Forensics feature is enabled. |
PRJ-20974, |
Anti-Malware |
In rare scenarios, the Threat Prevention policy installation fails due to IOC parsing errors. Refer to sk171316. |
PRJ-21724, |
Content Awareness |
In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow. |
PRJ-20751, |
Identity Awareness |
NEW: Added the Identity Awareness performance and memory consumption improvements. Refer to sk170516. |
PRJ-20845, |
Identity Awareness |
In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136. |
PRJ-20860, |
Identity Awareness |
In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch. |
PRJ-23594, |
Identity Awareness |
In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492.
|
PRJ-20346, |
IPS |
In rare scenario, the SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally. |
PRJ-20094, |
DLP |
UPDATE: Added support for multi-part data to DLP. |
PRJ-20836, |
DLP |
Improved DLP scanning for POST request to some Web sites. |
PRJ-18840, |
SSL Inspection |
In rare scenarios, a memory leak may occur during policy installation. |
PRJ-19039, |
UserCheck |
In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message. |
PRJ-20517, |
ClusterXL |
UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command:
|
PRJ-20533, |
ClusterXL |
In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing. |
PRJ-19391, |
ClusterXL |
"set router active-active-mode" settings do not survive a reboot.
|
PRJ-19924, |
ClusterXL |
In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state.
|
PRJ-19662, |
SecureXL |
In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface. |
PRJ-19404, |
SecureXL |
In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148. |
PRJ-17402, |
SecureXL |
In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293. |
PRJ-20545, |
SecureXL |
Security Gateway may crash when there are interfaces that do not need the ARP resolution (VTI).
|
PRJ-5075, |
Gaia OS |
NEW: The ARP cache size limit on Clish was increased to 131072 hosts.
|
PRJ-19559, |
Gaia OS |
NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix. |
PRJ-22837, |
Gaia OS |
UPDATE: Added the option to bind IP addresses to sockets using the "udp_connect" API. Refer to sk171019. |
PRJ-21847, |
Gaia OS |
UPDATE: Updated the arp table limit to 131072 in:
|
PRJ-20037, |
Gaia OS |
UPDATE: Added support for multiple commands definition in Dynamic CLI feature.
|
PRJ-18938, |
Gaia OS |
In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file. |
PRJ-20042, |
Gaia OS |
Sensitive Information Disclosure may appear in the output of "show file *" CLI command.
|
PRJ-20744, |
Gaia OS |
CVE-2020-25705: ICMP reply rate. |
PRJ-16959, |
Gaia OS |
In some scenarios, the "rhost" value may be missing from logs when the user tries to access the WebUI. |
PRJ-21093, |
Gaia OS |
WebUI may not load for Management devices. |
PRJ-20038, |
Gaia OS |
Several features are duplicated (both in WebUI and Clish) in RBA roles configuration/settings.
|
PRJ-19623, |
Gaia OS |
Extended commands are missing after adding Dynamic CLI.
|
PRJ-20040, |
Gaia OS |
Read-Only users may run Dynamic CLI command with UUID other than 0.
|
PRJ-15660, |
Routing |
UPDATE: Display of routing CPview results is limited to 30 lines. |
PRJ-19627, |
Routing |
ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works. |
PRJ-15548, |
VPN |
UPDATE: Added the TTM-per-group feature improvement that allows it to work with more client types (for example Nemo client). |
PRJ-20946, |
VPN |
In some scenarios, L2TP clients disconnect from the Security Gateway after 10 minutes of the connection. |
PRJ-18751, |
VPN |
In some scenarios, the Dynamic ID configuration in SmartConsole (SMS/Email) is ignored. Refer to sk144933. |
PRJ-17492, |
VPN |
In IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync causing a VPN traffic outage. |
PRJ-20825, |
VPN |
In IKEv2, the renegotiation of IKE SA may fail. |
PRJ-21541, |
VPN |
Added VPN Remote Access stability improvement. |
PRJ-19482, |
VPN |
Added various VPN connection improvements on Gaia 3.10. |
PRJ-21694, |
VPN |
When IKEv2 and pre-shared-key is configured, VPN may fail on the second IKE SA re-key. Refer to sk171756.
|
PRJ-19214, |
VPN |
Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled. |
PRJ-12241, |
VPN |
When clicking "View..." in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496. |
PRJ-7480, |
VPN |
Policy installation with VPN enabled may take a long time. |
PRJ-7476, |
VPN |
The vpnd daemon may unexpectedly exit during policy installation when the Mobile Access Blade is used. |
PRJ-19422, |
VPN |
In some scenarios, the vpnd process unexpectedly exits with Segmentation fault. |
PRJ-13820, |
VPN |
Access roles do not recognize Remote Access SNX CLI clients. |
PRJ-17185, |
VPN |
Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway". |
PRJ-18269, |
VPN |
The VPND process on a standby cluster member may unexpectedly exit when VPN peer has a probing link selection configured. Refer to sk170136. |
PRJ-19971, |
VSX |
UPDATE: Removed the .1.3.6.1.4.1.2620.1.16.22.2 (vsxStatusCPUUsageTable) and .1.3.6.1.4.1.2620.1.16.22.4 (vsxStatusCPUUsagePerCPUTable) OIDs as not supported on Gaia 3.10. |
PRJ-20148, |
VSX |
In rare scenarios, some interfaces remain in "Down" state after reboot.
|
PRJ-20963, |
VSX |
After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352. |
PRJ-15445, |
VSX |
In some scenarios, there may be high CPU utilization in a VSX environment with several instances. |
PRJ-20584, |
Mobile Access |
Removed potential XSS vulnerability in the MAB Login page. |
PRJ-19234, |
Mobile Access |
There may be a delay when connecting to HTTPS based SMS portal over a non-standard proxy port. Refer to sk170497. |
PRJ-21748, |
Endpoint Security |
On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list. |
PRJ-19311, |
CloudGuard IaaS |
When creating a GCP Data Center, Test Connection may fail on large GCP accounts. |
Take 228 Released on 2 February 2021 and declared as General Availability on 16 March 2021 |
||
PRJ-19947, |
Security Management |
NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally. |
PRJ-19697, |
Security Management |
UPDATE: If a Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours. |
PRJ-17762, |
Security Management |
When migrating a Security Management Server that was created as a standby and then set to active, into a Domain Management Server, the new Domain is created without an active Domain Server. |
PRJ-19083, |
Security Management |
In some scenarios, HA synchronization may fill up the disk space of a standby Management Server. Refer to sk168492. |
PRJ-17691, |
Security Management |
In some scenarios, HA temporary sub-directories under $FWDIR/tmp are not deleted if sync fails. Refer to sk170972. |
PRJ-18287, |
Security Management |
In rare scenarios, the CPU and memory usage of the CPM process may be abnormally high. Refer to sk170672. |
PRJ-20114, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-18378, |
Security Management |
In some scenarios, SecurID configuration files on the Security Gateway are overridden upon policy installation. |
PRJ-18474, |
Security Management |
In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process. |
PRJ-19952, |
Security Management |
The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds. |
PRJ-17727, |
Security Management |
Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name. |
PRJ-18897, |
Security Management |
Policy installation may fail after migration from Domain Management to Security Management Server. |
PRJ-21077 |
Security Management |
When installing an R80.30 Jumbo Hotfix Take higher than 83 on Security Management server, the /opt/CPSFWR80CMP-R80.30/conf/vpn_route.conf file is overwritten. Refer to sk170573. |
PRJ-19272, |
Security Management |
Policy installation duration may increase due to a large $FWDIR/conf/invalid_object_names.C file on the Management Server. Refer to sk170427. |
PRJ-17212, |
Multi-Domain Management |
UPDATE: With this fix, mds_backup will back up the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server. |
PRJ-19276, |
Multi-Domain Management |
In rare scenarios, the Management Server becomes inaccessible after a Global Policy reassign operation. |
PRJ-18250, |
Multi-Domain Management |
Migration of Domain Server between different Multi-Domain Servers may fail due to incorrect internal values of default objects. |
PRJ-17561, |
Multi-Domain Management |
In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server. |
PRJ-19646, |
Multi-Domain Management |
In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556. |
PRJ-19318, |
SmartConsole |
NEW: Added support for Python 3 in Management API scripts. |
PRJ-20245, |
SmartConsole |
UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once). |
PRJ-13811, |
SmartConsole |
In some scenarios, the Administrators view shows all administrators in all domains regardless of the specific permission profile of the connected administrator. |
PRJ-18883, |
SmartConsole |
Setting values for the environment variables of the Management API as per sk165938 does not work: the values are neither loaded nor used by the API process. |
PRJ-20146, |
SmartConsole |
SmartConsole may disconnect when searching in the Object Explorer for the text with an odd number of double quotes. |
PRJ-13814, |
SmartConsole |
In some scenarios, when the user attempts to delete a VSX Gateway / VSX Cluster, an error message may appear and the operation may not be completed successfully. Refer to sk167492.
|
PRJ-20379, |
SmartConsole |
Adding Global dynamic objects to source or destination columns of access rules on the Global Domain via Management API may fail when using the Global dynamic object names. |
PRJ-13122, |
SmartConsole |
In some scenarios, the "Update operation failed" error is displayed when attempting to delete a Gateway from the VPN community. Refer to sk167212. |
PRJ-19832, |
SmartConsole |
The "show objects" command returns all objects in Global domain with any filter when "ip-only" flag is set to "true". |
PRJ-20785, |
SmartConsole |
When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing. |
PRJ-19533, |
SmartConsole |
In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect. |
PRJ-19201, |
SmartConsole |
In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352. |
PRJ-18381, |
SmartConsole |
In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances. |
PRJ-14105, |
SmartConsole |
Search in Threat Prevention Exceptions in Protection/Site/File/Blade column may not return all expected results. |
PRJ-18464, |
SmartConsole |
In some scenarios, Staging mode IPS protections activation in the Local domain does not match the activation in the Global domain after a Global Threat Prevention policy assignment. Refer to sk170322. |
PRJ-18779, |
SmartView |
In rare scenarios, "Critical attacks allowed by policy widgets" in the "General Overview" view may show no results while actual data exists. Refer to sk171001. |
PRJ-19844, |
SmartView |
UPDATE: Improved the time resolutions usability (formally known as samples) of the Timeline widgets. |
PRJ-17996, |
Logging |
NEW:
|
PRJ-1655, |
Logging |
UPDATE: Added ability to SOLR process running on the Log server to prevent TLS1.1 and below in port 8211. Refer to sk168472. |
PRJ-7524, |
Logging |
Connection between the Gateway and the Log Server may go down, with this error message in the fwd.elg file on the Gateway: "Log server xxx.xxx.xxx.xxx went down". |
PRJ-19818, |
Logging |
In rare scenarios, the LOG_INDEXER process may unexpectedly exit when reading a specific log format. Refer to sk116117. |
PRJ-5873, |
Logging |
In rare scenarios, when the user configures a custom event with a script based automatic reaction in SmartEvent, the SmartEvent client may show the "Server is not responding. Please try to reconnect later" error. Refer to sk155192. |
PRJ-19715, |
Logging |
When installing a newer Jumbo Hotfix, the Log Exporter filtering configuration may not persist and set to default. |
PRJ-2522, |
Logging |
In rare scenarios, the log_indexer process may unexpectedly exit. |
PRJ-17163, |
Logging |
The "show-log" API command may fail with the "GENERIC_SERVER_ERROR" error. |
PRJ-11311, |
Logging |
In Multi-Domain Management environments, some of the log_indexer processes may fail to start due to an occupied port. |
PRJ-16175, |
Logging |
In some scenarios, the cpsemd process on the log server may close unexpectedly during a restart, shutdown or upgrade. |
PRJ-12200, |
Logging |
In some scenarios, the "Failed to fetch the file" error is displayed when trying to open Threat Emulation summary reports generated by VSX Gateways. |
PRJ-11342, |
Security Gateway |
NEW: Added support for authentication with a RADIUS server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3. |
PRJ-20336, |
Security Gateway |
NEW: Added Performance improvement when IP Pool NAT is used. |
PRJ-20676, |
Security Gateway |
NEW: Added the Connection Tracker module - a background mechanism collecting connection flows' key points vertically from all Security gateway components. The connection flows helps understanding connectivity and latency issue pointing on successful / problematic stages in a connection lifecycle. |
PRJ-18233, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-7737, |
Security Gateway |
False "alert" logs may be displayed in some Anti-Spam events. |
PRJ-18628, |
Security Gateway |
Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992. |
PRJ-13345, |
Security Gateway |
In a rare scenario, the FWD process opens connections to port 111. |
PRJ-20513, |
Security Gateway |
In some scenarios, when using routing separation, connection to Management Plane via Data Plane is dropped. |
PRJ-19955, |
Security Gateway |
Half-closed accelerated TCP connections may take too long time to expire. |
PRJ-13375, |
Security Gateway |
The TCP State Logging feature may not work as expected. Refer to sk101221. |
PRJ-20954, |
Security Gateway |
In some scenarios, logs with incorrect action are generated by ICAP server. |
PRJ-20653, |
Security Gateway |
Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and wrong username/password provided by user. |
PRJ-13969, |
IPS |
UPDATE: The "ips stat" command now shows all active Threat Prevention profiles with IPS enabled on the Security gateway. |
PRJ-19298, |
IPS |
In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs. |
PRJ-16444, |
IPS |
The get_ips_statistics.sh script on VSX may fail with "/bin/cat: /proc/self/vrf: No such file or directory" error. |
PRJ-13498, |
IPS |
In some scenarios, a non-compliant IMAP traffic is dropped. |
PRJ-19743, |
Anti-Bot |
Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure. |
PRJ-19590, |
Anti-Virus |
In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occured" error message.
|
PRJ-19597, |
DLP |
UPDATE: Improved the DLP scans queue for a better scan rate. |
PRJ-19920, |
DLP |
UPDATE: Expanded DLP postfix authentication to include NTLM to allow the Security gateway to connect to a mail servers that use the NTLM authentication protocol. |
PRJ-18988, |
DLP |
In a rare scenario, "SEC Filings - Draft or Recent" Data Type in DLP is not properly enforced. |
PRJ-17872, |
HTTPS Inspection |
UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:
For configuration, refer to sk173633. |
PRJ-19467, |
HTTPS Inspection |
In some scenarios, the HTTPS Inspection CA bundle is not created on the Security Gateway. |
PRJ-16561, |
Anti-Malware |
Security Gateway may crash when certain traffic is handled during policy installation and the Anti-Virus Deep Scanning is enabled. |
PRJ-16621, |
Anti-Malware |
Exported with "ioc_feeds export" command indicator feeds may contain user credentials. Refer to sk169035. |
PRJ-15224, |
Anti-Malware |
In a rare scenario, HTTP connections are timed-out. |
PRJ-17842, |
Anti-Malware |
In some scenarios, Threat Prevention logs appear half-full (not unified). |
PRJ-18700, |
UserCheck |
When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear on URL field of log details. |
PRJ-19159, |
Threat Extraction |
UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable. To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy. |
PRJ-9944, |
Threat Extraction |
In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway. |
PRJ-17419, |
Threat Prevention |
Improvements in HTTP chunked encoding inspection. |
PRJ-18246, |
Identity Awareness |
NEW: Added Identity Sharing's performance and functionality improvements. Refer to sk170516.
|
PRJ-13174, |
Identity Awareness |
UPDATE: Optimized memory usage in the PDP process's LDAP operations. |
PRJ-19637, |
Identity Awareness |
In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process. |
PRJ-19747, |
Identity Awareness |
In some scenarios, the Security Gateway may not recognize an IP address as a local address, resulting in wrong drops. |
PRJ-18178, |
URL Filtering |
In some scenarios, the wstlsd process may unexpectedly exit and produce a core dump. |
PRJ-17324, |
Mobile Access |
Remote access connectivity failure when the user belongs to number of groups that exceeds the limited available space (200~ groups). |
PRJ-14363, |
ClusterXL |
Same MAC Magic configuration on different clusters in Unicast mode may cause flapping in switch. Refer to sk167206. |
PRJ-16514, |
SecureXL |
NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features. |
PRJ-18321, |
SecureXL |
UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146. |
PRJ-20053, |
SecureXL |
In rare scenarios, SecureXL may crash due to NULL handling. |
PRJ-16581, |
SecureXL |
In some scenarios, traffic with the destination IP address as the broadcast address configured according to sk98810 is dropped. |
PRJ-18082, |
SecureXL |
SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132. |
PRJ-20049, |
SecureXL |
Memory leak may appear in VPN or Active Streaming configuration.
|
PRJ-20025, |
SecureXL |
Server may not reuse the TCP connection when the user allows out of state TCP packets. |
PRJ-19461, |
Routing |
Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works. |
PRJ-20046, |
Routing |
In some scenarios, large number of unnecessary log messages may be sent to /var/log/messages file which makes it difficult to run debug. Refer to sk170796. |
PRJ-20437, |
Routing |
ECMP route nexthops learned from BGP peers may be not properly updated in the kernel, resulting in network connectivity loss. |
PRJ-20442, |
Routing |
The old route may be not removed when an BGP ECMP route was changed. |
PRJ-18278, |
Routing |
Certain types of multicast traffic may not be handled correctly in Bridge mode.
|
PRJ-20469, |
Gaia OS |
In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object). Refer to sk171055 to configure the required parameter FORCE_NATTED_IP. |
PRJ-18239, |
Gaia OS |
"cphaprob -h" shows incorrect explanation for "cphaprob show_bond [<bond_name>]" command. |
PRJ-19328, |
Gaia OS |
In some scenarios, login from data plane context fails (no connectivity to server). |
PRJ-18609, |
Gaia OS |
Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled.
|
PRJ-18079, |
Gaia OS |
On environments with large IP routing tables, the SNMPD process may consume 100% CPU when running a scan from an external tool. Refer to sk170150. |
PRJ-20941, |
Gaia OS |
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253. |
PRJ-18786, |
VPN |
NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2. |
PRJ-17485, |
VPN |
NEW: Added Anti-Spoofing functionality for Remote Access Office Mode IPs in SecureXL. |
PRJ-16430, |
VPN |
UPDATE: Added ability to fetch CRL with proxy in Site to Site VPN. |
PRJ-19088, |
VPN |
UPDATE: Remote Access VPN stability improvement. |
PRJ-15740, |
VPN |
In some scenarios, findSAByPeer does not validate the peer IP address for DAIP peer behind NAT. |
PRJ-16339, |
VPN |
The user may be unable to connect with Remote Access when the username or user field in the certificate is too long. |
PRJ-14334, |
VPN |
A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902.
|
PRJ-21085, |
VPN |
"Decryption failed" drop logs may appear under heavy VPN load for accelerated tunnels using SHA 384 or SHA 512 Ciphers.
|
PRJ-20520, |
VPN |
In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol. |
PRJ-20645, |
VPN |
In some scenarios, the VPND process may unexpectedly exit. |
PRJ-21681, |
VPN |
When IKEv2 and pre-shared-key is configured, VPN may fail on the second IKE SA re-key. |
PRJ-20331, |
VPN |
Security gateway may crash when you install policy on a MAB gateway and a policy file is corrupted. |
PRJ-20273, |
VPN |
In a rare scenario, a memory leak may appear when RASession_util is active. |
PRJ-20866, |
VPN |
In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues. |
PRJ-18501, |
VSX |
UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903. |
PRJ-18187, |
VSX |
VSX VSLS Cluster with 3 Members may fail to connect to Identity Collector. Refer to sk170836. |
PRJ-20044 |
Endpoint Security |
Jumbo Hotfix installation may fail on top of the Jumbo Hotfix with Takes lower than 163. |
PRJ-20599, |
VoIP |
VoIP RTP can cause overload on global instance (CoreXL instance 0). |
PRJ-16455, |
VoIP |
SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373. |
Take 227 Released on 15 December 2020 and declared as General Availability on 28 January 2021 |
||
PRJ-14510, |
CPView |
In some scenarios, CPView may unexpectedly exit after upgrade from R80.20 GA. |
PRJ-17661, |
CPView |
CPView history may save data for a short period only. Refer to sk172264.
|
PRJ-18835, |
Security Management |
NEW: Improved FWM process performance during policy or database installation. |
PRJ-16368, |
Security Management |
When logging into SmartConsole directly to a Domain using Radius or TACACS, the Authentication method in the audit log may show as "Internal Password". Refer to sk168716. |
PRJ-17042, |
Security Management |
In rare scenarios, some objects may be locked and not available for editing. Refer to sk169772. |
PRJ-18816, |
Security Management |
Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts. |
PRJ-19022, |
Security Management |
In rare scenarios, FWM process may unexpectedly exit after a login attempt to the Management server. |
PRJ-18491, |
Security Management |
In rare scenarios, a policy installation task may never complete. |
PRJ-16473, |
Security Management |
Login with SmartConsole is blocked while purge revisions task is running. |
PRJ-18689, |
Multi-Domain Management |
Database installation to the newly created Domain Log Server may fail. |
PRJ-18906, |
Multi-Domain Management |
In some scenarios, size of MDS backup file increases after each policy installation. |
PRJ-18682, |
Multi-Domain Management |
In some scenarios, domain import to a Multi-Domain Management Server may fail. |
PRJ-17237, |
Multi-Domain Management |
On Multi-Domain environments with multiple Multi-Domain servers connected in HA, operations such as "Log in" and "Reassign Global Domain" may fail due to high load on FWM process. |
PRJ-7432, |
Multi-Domain Management |
In rare scenarios, reassigning the Global Policy on a specific domain fails with "An internal error has occurred". Refer to sk163938. |
PRJ-13475, |
Multi-Domain Management |
Domain Servers may disappear from Multi-Domain view after running the Solr Cure utility. |
PRJ-17879, |
SmartConsole |
In Global Properties under Stateful Inspection tab, the "TCP end timeout (R80.20 and higher gateways)" option does not support values higher than 60 seconds.
|
PRJ-15817, |
SmartConsole |
In some scenarios, Management API does not start automatically after restart, although automatic start is enabled. Refer to sk168332. |
PRJ-18040, |
SmartConsole |
In some scenarios, after a successful IPS update, the new IPS version does not appear under 'switch version' window. |
PRJ-18329, |
SmartConsole |
Exception group may be incorrectly deleted in the following scenarios:
|
PRJ-17642, |
SmartConsole |
When creating a user with Check Point password authentication through the Management API, log in to Mobile Access portal may fail. Refer to sk170412. |
PRJ-19058, |
SmartConsole |
Upgrade may fail due to IPS protections comment that is exceeding the comment length limit. |
PRJ-18774, |
SmartConsole |
In some scenarios, FWM and CPD processes may consume high CPU due to large number of Security Management/Security gateway objects in the policy. |
PRJ-16705, |
SmartConsole |
Enabling Threat Prevention policy may fail with validation errors when the policy's targets include cluster members running a version lower than R80.10. |
PRJ-17413, |
SmartConsole |
When removing an object from a group using the "groups" field of the object's module in the Ansible collection, the group will not be changed and Ansible will show that no changes are needed. |
PRJ-18308, |
SmartProvisioning |
NEW: Added support for Threat Emulation Blade on LSM profile of R80.20 SMB gateways and clusters.
|
PRJ-17481, |
SmartProvisioning |
In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status. |
PRJ-488, |
Logging |
In SmartConsole logs tab, filtering logs by the field "Method" may return empty results when using the values PROPFIND, CCM_POST or PATCH. |
PRJ-19001, |
Security Gateway |
In some scenarios, when using routing separation, connection from data plane to management plane is dropped. |
PRJ-19180, |
Security Gateway |
Connections may be wrongly matched on Domain or Updatable objects used in Security policy. |
PRJ-14447, |
Security Gateway |
In some scenarios, large number of interfaces defined on Security gateway may cause high CPU utilization by CPD process. Refer to sk168674. |
PRJ-17367, |
Security Gateway |
DynamicID via SMTP does not work when an HTTP proxy server is defined. |
PRJ-13260, |
Security Gateway |
In a rare scenario, traffic is dropped with the "[ERROR]: up_handle_get_matched_service_clob: no clob list on handle for type SERVICE;" error in dmesg. |
PRJ-17958, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 0-2000077". |
PRJ-17605, |
Internal CA |
In some scenarios, manual edit of user's certificate expiration period does not take effect. Refer to sk143292. |
PRJ-18421, |
Internal CA |
In a rare scenario, some emails with links are cached due to timeout failure. |
PRJ-18823, |
HTTPS Inspection |
Cannot browse with Chrome when using mixed chain with ECDSA subordinate CA in HTTPS Inspection. Refer to sk170332. |
PRJ-18245, |
Identity Awareness |
NEW: Added Identity Sharing's performance and functionality improvements. Refer to sk170516. |
PRJ-16170, |
Identity Awareness |
When working with AD server without global catalog enabled and nesting query is set to 'pdp nested_groups __set_state 2', direct groups are fetched correctly, but nested groups are not fetched. Refer to sk166199. |
PRJ-18343, |
IPS |
NEW: Added ability to send connection log per application match for ATM transactions identification. The functionality is disabled by default and can be enabled by using the "up_duplicate_connection_log_on_packet_matched_app_enabled" kernel parameter. |
PRJ-19153, |
Anti-Malware |
In some scenarios, files stop passing when the Threat Emulation inspection takes a too long time. |
PRJ-19737, |
Anti-Malware |
In some scenarios, users may fail to access a web site with many malicious URLs. |
PRJ-15942, |
Anti-Malware |
In a rare scenario, Security gateway may crash after a match of the Anti-Bot Blade. |
PRJ-11729, |
Anti-Malware |
In some scenarios, custom intelligence feeds with URL encoding characters may not be parsed correctly. Refer to sk168077. |
PRJ-8614, |
Anti-Malware |
In some scenarios, dmesg may show many "rad_client id 6 is not register" errors. |
PRJ-13731, |
Anti-Malware |
In some scenarios, some emails may not be scanned by Anti-Bot's Suspicious Mail Protection when IPv6 is configured.
|
PRJ-16648, |
Anti-Malware |
In some scenarios, if the configuration file size is more than 2GB, the "File exceeded size limit" message appears when Anti-Virus Blade works in Hold mode. |
PRJ-13579, |
Anti-Malware |
In some scenarios, a "Feed Error" message appears when the user fetches a Custom Intelligence Feed. Refer to sk165932.
|
PRJ-13199, |
Anti-Malware |
Security Gateway may crash when trying to access a site encoded with Base64. |
- |
Gaia OS |
NEW: Added support for 1570R and 1600 / 1800 SMB appliances. |
PRJ-16670, |
Gaia OS |
UPDATE: CPView Network -> Top-Protocols and Network -> Top-Protocols tabs was added back. Refer to sk167903. |
PRJ-16264, |
Gaia OS |
Multi-Queue IRQ affinity is set incorrectly for i40e and MLNX interfaces.
|
PRJ-19049, |
Gaia OS |
In some scenarios, when using routing separation, modifying interface IP address fails.
|
PRJ-18024, |
Routing |
SNMP queries for bgpPeerFsmEstablishedTime return an incorrect constant value. Refer to sk170074. |
PRJ-17854, |
Routing |
In rare scenarios involving large AS paths, there may be a loss of BGP adjacency. Refer to sk170876. |
PRJ-18968, |
Routing |
In some scenarios, the ROUTED process unexpectedly exits when removing an OSPF interface that had authentication configured. Refer to sk170272. |
PRJ-14128, |
Mobile Access |
Browser based applications cannot be opened in MAB portal.
|
PRJ-18070, |
VPN |
NEW: Added Remote Access VPN performance improvements.
|
PRJ-17675, |
VPN |
NEW: Added Remote Access VPN performance improvements in USFW (User-Space Firewall).
|
PRJ-13094, |
VPN |
RADIUS packet sent by Security gateway, may show the Framed-IP-Address field in the reverse order. Refer to sk167361. |
PRJ-17026, |
VPN |
The VPND process cannot stop listening on port 264. |
PRJ-17084, |
VPN |
Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".
|
PRJ-17341, |
VPN |
In rare scenarios, VPN clients may disconnect during Security policy installation.
|
PRJ-17267, |
VPN |
When Security gateway is behind NAT and its main IP address is configured to NAT IP, Client may disconnect when using Visitor Mode. |
PRJ-10034, |
VPN |
In some scenarios, Security Gateway Portals and Remote Access VPN clients show wrong certificate after certificate renewal. Refer to sk131212. |
PRJ-17166, |
VPN |
Different VPN connection improvements. |
PRJ-18105, |
VSX |
In rare scenarios, dynamic objects database may be cloned between Virtual Systems. Refer to sk169514. |
PRJ-17298, |
VSX |
Connections distribution may get unbalanced on VSX environment. Refer to sk169352. |
PRJ-17328, |
VSX |
In some scenarios on a VSX machine, when SNMP is in VS mode, USM users are not recognized and SNMP queries such as SNMPWALK, get error message "unknown user".
|
PRJ-14260, |
VSX |
In some scenarios, wrong (too big) SNMP values are displayed when running SNMP query. |
PRJ-17207, |
Compliance |
UPDATE: Added ability to select 'Any' in the Service column when creating a custom firewall Best practice.
|
PRJ-16464, |
Endpoint Security |
In some scenarios, content of the "User Name" tab in SmartEndpoint is displayed in wrong format. |
PRJ-15858, |
Endpoint Security |
An exception may be displayed in SmartEndpoint when uploading an offline group software deployment package. Refer to sk165852. |
PRJ-16286, |
VoIP |
NEW: Added support for HopCount field in H323 protocol. Refer to sk169513. |
PRJ-17751, |
CloudGuard IaaS |
In some scenarios, userspace cores may appear on CloudGuard for Azure Gateways with VPN enabled and using AES-GCM-256 and AES-256. Refer to sk169417.
|
Take 226 Released on 29 November 2020 and declared as General Availability on 8 December 2020 |
||
PRJ-19494, |
VPN |
In a rare scenario, certain conditions under VPN utilization may cause the Security gateway to crash. |
PRJ-18200, |
CloudGuard IaaS |
UPDATE: Added new certificates for Microsoft Azure. For details, refer to this Microsoft article. |
Take 221 Released on 21 October 2020 |
||
PRJ-17453, |
Diagnostics |
In some scenarios, peak values for interfaces are not updated in CPView. |
PRJ-15500, |
Security Management |
NEW: The $MDS_FWDIR/scripts/cpm_status.sh script will show if the CPM process fails to start. |
PRJ-15564, |
Security Management |
NEW: In some scenarios, modifying or deleting objects in bulk may cause slowness in SmartConsole responses and long duration of operations. Ability to improve performance in such cases was added. Refer to sk135972. |
PRJ-14525, |
Security Management |
Upgrade from R80.10 may take many hours when there are hundreds or more Administrators and dozens or more Permission Profiles defined. |
PRJ-15416, |
Security Management |
In some scenarios, Read-Only sessions appear twice in the Sessions view. |
PRJ-18046, |
Security Management |
In rare scenarios, a Management server may become inaccessible and requires a reboot. Refer to sk170634. |
PRJ-17072, |
Security Management |
In some scenarios, the Security Management Server's startup takes a very long time after editing or deleting many Administrators. |
PRJ-13726, |
Multi-Domain Management |
NEW:
|
PRJ-16437, |
Multi-Domain Management |
After upgrading a Multi-Domain Management Server, the object version of the Domain Management Servers or Domain Log Servers in the MDS SmartConsole may not have changed. |
PRJ-17022, |
Multi-Domain Management |
On MDS environment with Global VPN Community usage, policy installation mail fail with "internal error" message after upgrade. Refer to sk169157. |
PRJ-15719, |
Multi-Domain Management |
When the user attempts to add/change the Leading Interface through mdsconfig, it may fail with the "no external interfaces found on this machine" error. Refer to sk168319. |
PRJ-17306, |
Multi-Domain Management |
In rare scenarios, the FWM process may unexpectedly exit and fail the Multi-Domain Management server upgrade. |
PRJ-16642, |
Multi-Domain Management |
In some scenarios, Domain Management Server is shown in System Domain under Domains View even though it was deleted. |
PRJ-17069, |
Multi-Domain Management |
In some scenarios, Domain appears in the System Domain without any Domain Servers. |
PRJ-13795, |
Multi-Domain Management |
In a Multi-Domain Server, domain-related processes may not start when the user runs "evstop" and then "evstart". |
PRJ-12245, |
Multi-Domain Management |
In some scenarios, a Global Administrator connected to the Logging and Monitoring view in MDS cannot see auto-complete suggestions when typing in the logs search box. Refer to sk166752. |
PRJ-16426, |
Multi-Domain Management |
Management HA incremental synchronization may break in the MDS level with "failed to import data" error message due to an operation related to the Compliance Blade. |
PRJ-13455, |
SmartConsole |
In some scenarios, Management API commands with "details-level":"full" Payload return a truncated output and fail to complete. Refer to sk170414. |
PRJ-12854, |
SmartConsole |
Hit count data may not be deleted automatically. |
PRJ-7307, |
SmartConsole |
When creating SecuRemote DNS object with more than 6 characters as Domain suffix, it fails with the "Domain suffix contains illegal characters" error. |
PRJ-17006, |
SmartConsole |
When using SmartConsole CLI, the application may unexpectedly terminate if the input has quotation marks that are not closed. |
PRJ-16061, |
SmartConsole |
In some scenarios, certain Gateways do not appear in the IPS Core protections list. Refer to sk168474. |
PRJ-9660, |
SmartConsole |
In rare scenarios, Access policy installation may be incorrectly blocked. A verification incorrectly states that HTTPS Inspection rules do not contain 'Any' or 'Application/Site' objects in the Site Category column, even though they do. |
PRJ-16467, |
SmartConsole |
Update corporate Gateway procedure takes a long time and may cause login issues and general slowness in the Provisioning GUI. |
PRJ-14356, |
SmartView |
In SmartView, when the user sends a generated report via email in a language with non-standard English letters (Accented, Cyrillic, Chinese, Japanese, etc), some of the text may appear as question marks (?). |
PRJ-16434, |
SmartView |
In SmartView's GDPR Report, some of the text appears in German although the selected language is not German. |
PRJ-16889, |
SmartView |
In SmartView, after adding a new page to a report, the preview page appears to have no data although it has (this data appears in the Edit Mode). |
PRJ-17017, |
Logging |
UPDATE: Added ability to filter Threat Prevention and Endpoint logs by file size on a Log server machine via Logs & Monitor view in SmartConsole. |
PRJ-13349, |
Logging |
In some scenarios, when the user configures the log exporter filter with the "cp_log_export" command (action, origin, product), the filter is not configured properly according to the used format. |
PRJ-13622, |
Logging |
Leef format is not certified with IBM causing the following issues:
Refer to sk170199. |
PRJ-17005, |
Logging |
In some scenarios, the "CGsoapSessions::AuthenticateSession failed, session is not authenticated" message may appear in mds.elg or fwm.elg file. Refer to sk152933. |
PRJ-15598, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 0-2000121". |
PRJ-13887, |
Security Gateway |
An interface name with more than 15 characters may cause the policy installation to fail. Refer to sk167955. |
PRJ-13694, |
Security Gateway |
Proxy arp change is applied only after the second policy installation. |
PRJ-16399, |
Security Gateway |
When using Management Data Plane Separation (MDPS), schedule backup may fail. |
PRJ-16087, |
Security Gateway |
In rare scenarios, a memory leak may appear on Security Gateway in gconn table. |
PRJ-17311, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-15839, |
Security Gateway |
ICAP block page displays virus name as "Unknown" instead of the virus name as it appears in the logs. |
PRJ-17086, |
Security Gateway |
When using a routing separation, syslogd does not move to the management plane. |
PRJ-16911, |
Security Gateway |
In some scenarios, a timeout occurs when the user enables resource separation via Clish. Refer to sk170372.
|
PRJ-11292, |
Security Gateway |
Unused OIDs may appear in SNMP MIB file. |
PRJ-16664, |
Security Gateway |
Security Gateway running in USFW mode (User-Mode Firewall) may crash with fwk core dump. Refer to sk169119. |
PRJ-16316 |
Identity Awareness |
NEW: Enable client based policy (e.g. authentication) for cloud-based environments for connections with NAT on the source.
|
PRJ-17650, |
Identity Awareness |
In some scenarios, user cannot authenticate to Captive Portal as a Guest User. |
PRJ-12544, |
Identity Awareness |
In a rare scenario, a standby cluster member receives updates from identity sources and creates a mismatch in the PDP tables. |
PRJ-15580, |
Application Control |
In some scenarios, deprecated applications are not removed/replaced during an upgrade from R77.30 to R80.x. Refer to sk131372. |
PRJ-17198, |
HTTPS Inspection |
In a rare scenario, a connection remains open after it is closed by the server, and the web browser may load a page for a long time. |
PRJ-14258, |
Threat Extraction |
Watermark insertion may fail in spreadsheet files where the column range is not defined. |
PRJ-16924 |
Anti-Virus |
In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occured" error message. |
PRJ-13789, |
IPS |
Support bypass SMBv3 multi-channel when SMB feature is enabled for Anti-Virus or Threat Extraction (see sk101606). |
PRJ-15975, |
UserCheck |
In some scenarios, the UserCheck daemon usrchkd may unexpectedly exit. |
PRJ-17452, |
UserCheck |
In some scenarios, UserCheck agent notifications may be blocked. |
PRJ-14650, |
Mobile Access |
The Mobile Access Blade's portal dialog for editing web application SSO credentials may not work correctly. |
PRJ-13845, |
Mobile Access |
Browser based applications cannot be opened in MAB portal. |
PRJ-17447, |
Mobile Access |
Mobile Access Blade may fail to install on VSX environments due to a missing configuration file. |
PRJ-2923, |
SecureXL |
In a rare scenario, the Security Gateway may crash when deleting certain non-TCP connections. |
PRJ-18532, |
SecureXL |
In rare scenarios, when a Wire-Mode is configured on a community, it may cause a Security gateway from another community not to accelerate connections in SecureXL. |
PRJ-16682, |
SecureXL |
In a rare scenario, Security gateway may crash when receiving packets from an MDPS management interface. |
PRJ-9563, |
SecureXL |
In a rare scenario, Security gateway may crash when the Drop Template feature is enabled. |
PRJ-17449, |
SecureXL |
In some scenarios, CPView may show incorrect statistics for VPN encrypted/decrypted packets. |
PRJ-6002, |
SecureXL |
In some scenarios, output of "fwaccel stat" command does not display the layer name that disables the templates (only "Layer ---" is displayed). Refer to sk145533. |
PRJ-16578, |
Routing |
In some scenarios, the routed daemon may unexpectedly exit with BGP. |
PRJ-17712, |
Routing |
Security Gateway may stop forwarding the Multicast stream when PIM is configured on it. Refer to sk169774. |
PRJ-15819, |
VPN |
NEW: Performance improvement of VPN tunnel when using SHA-384. Refer to sk168336.
|
PRJ-15715, |
VPN |
|
PRJ-14343, |
VPN |
Improved usability of VPN tunnel monitoring "vpn tu" command.
|
PRJ-15620, |
VPN |
Access Roles with MAB SNX as the client type may not work. |
PRJ-16209, |
VPN |
In rare scenarios, the Security Gateway may crash after VPN users connect to the network. |
PRJ-16411, |
VPN |
In rare scenarios, Remote Access clients may not be able to re-connect after a failover. |
PRJ-15836, |
VPN |
When a Gateway does not recognize the SPI, it sometimes sends the "Invalid SPI" notification in clear. As a result, the peer may ignore it, resulting in an outage. |
PRJ-16720, |
VPN |
Remote Access potential connectivity issue when there are more than 1 external interfaces. |
PRJ-17633, |
VPN |
The VPND process may unexpectedly exit when the user runs the "vpn tu" command. |
PRJ-16864, |
VPN |
Software Blade name inconsistency between login and logout logs of an SNX client. |
PRJ-17314, |
VPN |
Added VPN IKEv2 improvements. |
PRJ-16726, |
VPN |
Added VPN connection improvements. |
PRJ-17773, |
VPN |
The VPND process may unexpectedly exit during IKEv2 negotiation. |
PRJ-16595, |
VPN |
In some scenarios, RADIUS authentication may take more than five minutes to be fulfilled with Endpoint Clients, reaching connection timeout on the Gateway side. |
PRJ-16268, |
VSX |
Latency and/or packet loss may occur for traffic which passes through a Virtual Switch in a VSX Gateway. Refer to sk168592. |
PRJ-16305, |
Gaia OS |
NEW: Added Multi-Queue (MQ) support for Sync interface.
|
PRJ-11045, |
Gaia OS |
UPDATE: CPView Network -> Top-Protocols and Network -> Top-Connections tabs were added back. Refer to sk167903. |
PRJ-11993, |
Gaia OS |
In rare scenarios, a snapshot creation may fail. |
PRJ-16315, |
Gaia OS |
In some scenarios, Cluster does not recognize bond subordinates.
|
PRJ-15464, |
Gaia OS |
"show asset" command shows the Network card model CPAC-4-1C instead of CPAC-4-1C-L. |
PRJ-4869, |
Gaia OS |
A Timestamp in Unix/Epoch time may not be updated when the user changes a password using hash. |
PRJ-14313, |
Gaia OS |
In rare scenarios, gateway uptime in SmartConsole may show an abnormally high number. Refer to sk167937. |
PRJ-15615, |
Gaia OS |
The confd process may unexpectedly exit when the user runs the "show/set/add interface" long command. Refer to sk167635. |
PRJ-14263, |
Gaia OS |
The "show security-gateway monitored-interfaces" command may return wrong output. Refer to sk166902.
|
PRJ-16566, |
Gaia OS |
In the Management Data Plane Separation (MDPS) environment, the output for the "show asset network" command may not report some line cards if they have mixed management/data plane interfaces.
|
PRJ-14459, |
Gaia OS |
It is not allowed to create usernames with reserved words, e.g., 'eval', 'apply' etc., in the middle of the username in the WebUI. Refer to sk170681. |
PRJ-16078, |
Gaia OS |
In some scenarios, when the user tries to return to the factory default, the machine reverts to a different snapshot. |
PRJ-12739, |
Gaia OS |
Restore backup may fail due to unmatched upgrade tools. |
PRJ-12861, |
Gaia OS |
Creating LOM users for Smart-1 525/625/5050/5150 appliances may fail if the username length is shorter then 4 characters. |
PRJ-9118, |
Gaia OS |
In some scenarios, SNMP fails to report disk utilization. |
PRJ-13941, |
Gaia OS |
In some scenarios, when the RADIUS user enables bash logging (as per sk99134) and moves to expert mode, the username in the log files appears as admin instead of RADIUS. |
PRJ-16528, |
CloudGuard IaaS |
NEW: Improved CloudGuard Controller logging options. |
PRJ-12836, |
CloudGuard IaaS |
NEW: Added new AWS regions af-south-1, ap-northeast-3, and eu-south-1. |
PRJ-16253, |
CloudGuard IaaS |
Scanning of GCP Data Center may fail when instance does not have disks. |
PRJ-16599, |
Endpoint Security |
In some scenarios, Policy server stops syncing with the Endpoint Security Server. Refer to sk168912. |
Take 219 Released on 13 September 2020 and declared as General Availability on 12 October 2020 |
||
PRJ-7663, |
Diagnostics |
CPview may show partial information, if there are more than 256 interfaces configured on the system. |
PRJ-16146, |
Security Management |
NEW:
|
PRJ-14644, |
Security Management |
NEW: Solr server process is restarted automatically if it is not responsive for a long time. |
PRJ-16875, |
Security Management |
In some scenarios, sessions that were opened for the third parties or automatic scripts that use Management API, remain open. Refer to sk169072. |
PRJ-11703, |
Security Management |
The Purge Revisions operation may not clean deleted objects of previous revisions. |
PRJ-15496, |
Security Management |
$MDS_FWDIR/scripts/solr_start.sh script may fail to start Solr Cure if sk123417 is applied. |
PRJ-12491, |
Security Management |
When using packet mode in Rulebase Search, results from inline layer may be matched even though their parent layer is not. |
PRJ-16343, |
Security Management |
Rulebase search may fail with "An error occurred while searching" if one (or more) of the rules that matches the search criteria has a reference to a security zone. Refer to sk168935. |
PRJ-16196, |
Security Management |
When running the "show-access-rulebase" API command with filter, and the selected layer is an inline layer, rules of the inline layer are not returned even though they match the search criteria. |
PRJ-14296, |
Security Management |
In rare scenarios, High Availability sync fails with "Ngm failed to import data" error after the user deletes a Permission Role. |
PRJ-13462, |
Security Management |
In rare scenarios, Install Policy Presets are not triggered. |
PRJ-13918, |
Security Management |
In some scenarios, exporting the Security Management Server in order to migrate it to Domain in Multi-Domain Environment fails. |
PRJ-14491, |
Security Management |
In some scenarios, migrating two different Security Management Servers to domains in the same Multi-Domain Management Server fails. |
PRJ-15609, |
Multi-Domain Management |
NEW: Added ability to run Management REST API on a Multi-Domain Log Server. |
PRJ-15458, |
Multi-Domain Management |
Policy Installation may fail due to an internal error in an MDS environment where there is a Global Dynamic object usage inside Networks Groups with a depth that is higher than 2-level (group inside a group). |
PRJ-14760, |
Multi-Domain Management |
In some scenarios, migrating a Domain between different Multi-Domain Management servers fails if a previous migration of the same Domain failed. |
PRJ-15415, |
Multi-Domain Management |
In Multi-Domain environments with High Availability, if the Management Server is stopped while there's a Purge Revisions operations in progress, the server may fail to start again. Refer to sk168175. |
PRJ-14454, |
Multi-Domain Management |
Policies may disappear from the Global Domain Assignments view after running the Solr Cure utility. Refer to sk168060. |
PRJ-13905, |
SmartConsole |
In some scenarios, when working with older applications like SmartView or SmartProvisioning, the admin count in SmartConsole presents an incorrect number of connected admins. |
PRJ-15969, |
SmartConsole |
Global Policy reassign in MDS may fail with "An internal error has occurred" message after adding overrides to Snort protections. |
PRJ-15371, |
SmartConsole |
The user may not be able to delete objects that are referenced by a previously deleted policy. Refer to sk122954. |
PRJ-15832, |
SmartProvisioning |
In some scenarios, when the user installs policy on R77.30 Central Office Security Gateway from Management version R80 and higher, VPN tunnels may be dropped for LSM Gateways. |
PRJ-14550, |
SmartProvisioning |
After creating Small Office Appliance via SmartProvisioning GUI with SIC and CA name parameters provided, the VPN tab fields are not updated. |
PRJ-14531, |
SmartView |
In some scenarios, when the user attempts to download a DLP attachment from the log card in SmartView, the download does not start. |
PRJ-14361, |
SmartView |
In SmartView, the icon is missing from the cover page of Compliance and Content Awareness PDF reports. |
PRJ-13561, |
Logging |
In rare scenarios, the evstop script does not stop all logging processes. As a result, upgrade procedures may hang and show no progress. |
PRJ-14048, |
Logging |
In some scenarios, the "cp_log_export status" command prints "last log read at: N/A" rather then a timestamp. |
PRJ-13170, |
Compliance |
Compliance Partial Scans in Multi-Domain environments using Global Policies may lead to SmartConsole freeze or long publish times. Refer to sk170562. |
PRJ-14368, |
Security Gateway |
UPDATE: Reduced CPU usage in some configurations by parsing TLS traffic only when required by the policy. See sk166700 for more information. |
PRJ-10297, |
Security Gateway |
In some scenarios, the license status of the Security Gateway is not updated properly in SmartConsole. |
PRJ-12946, |
Security Gateway |
After policy installation, the output of the "cphaprob stat" command may show "HA module not started" when a large number of non-monitored Cluster interfaces are configured in SmartConsole. This fix adds support for multiple non-monitored interfaces in SmartConsole. |
PRJ-9848, |
Security Gateway |
In some scenarios, SCCP traffic may be dropped by the Security Gateway. Refer to sk108124. |
PRJ-15769, |
Security Gateway |
In some scenarios, some DNS protections may not be enforced. |
PRJ-16157, |
Security Gateway |
In a rare scenario, Security Gateway may crash after policy installation. |
PRJ-15847, |
Security Gateway |
SXL drop due to routing configuration when using security zone on bridge (layer2). |
PRJ-14632, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-14068, |
Security Gateway |
In rare scenarios, Security Gateway may crash due to memory allocation failure. |
PRJ-9656, |
Security Gateway |
When running 'fw6 ctl affinity -l' command, the IPv6 instances are not displayed.
|
PRJ-13588, |
Security Gateway |
In a rare scenario, Security Gateway may crash during policy installation. |
PRJ-11141. |
Security Gateway |
In some scenarios, "fwxlate_dyn_port_global_to_local_get_port: port was not found in global, and not in local" error message may appear in dmesg. |
PRJ-14125, |
Security Gateway |
In some scenarios, compilation errors during policy installation are ignored instead of immediately failing the policy. This may cause drops on the Security Gateway.
|
PRJ-16405, |
Security Gateway |
In some scenarios, when VPN Blade or ISP Redundancy are used, traffic may be routed to the wrong interface. Refer to sk168881.
|
PRJ-15723, |
Application Control |
In some scenarios, HTTP traffic is blocked with "HTTP parsing error occurred (2)" and "parameters are undecodable in request" errors. Refer to sk160092.
|
PRJ-15687, |
HTTPS Inspection |
In some scenarios, web traffic may be blocked with "Content Awareness - Error: Internal system error (1000)" error log. |
PRJ-12564, |
Identity Awareness |
PDP may consume high CPU during policy installation because of a large amount of Access Roles. |
PRJ-7759, |
SSL Inspection |
DynamicID authentication may fail due to server certificate validation failure. Refer to sk167177. |
PRJ-11510, |
SSL Inspection |
In some scenarios, there may be SSL Inspection issues in cluster environments on 1500 Series Security Gateways. Refer to sk170218. |
PRJ-16486, |
IPS |
In some scenarios, invalid characters are sent to gw-stat report. |
PRJ-14547, |
Threat Extraction |
Cluster synchronization fails for Threat Extraction. |
PRJ-16106, |
URL Filtering |
In some scenarios, there may be sporadic connectivity issues in the Anti-Malware/URLF service (RAD). |
PRJ-16990, |
Mobile Access |
Mobile Access portal may become unresponsive after Jumbo Hotfix uninstallation. Refer to sk169152. |
PRJ-14610, |
SecureXL |
UPDATE: Added a global variable that enables log for packets that include unapproved IP option. This variable is off by default. |
PRJ-10496, |
SecureXL |
In some scenarios, SecureXL makes an offload decision to not accelerate multicast traffic for route-based VPN. |
PRJ-14515, |
SecureXL |
In a rare scenario, a VSX gateway with Virtual Switch may crash. |
PRJ-13761, |
SecureXL |
Security Gateway may crash when concurrent connection rules exist in the DOS/Rate limiting policy and the Application Control Blade is enabled. |
PRJ-13413, |
SecureXL |
DECnet DIGITAL Network Architecture (Phase IV) traffic may be dropped. Refer to sk167202. |
PRJ-15900, |
SecureXL |
An asymmetric routing issue may occur between a Virtual System and a Virtual Switch/Router. |
PRJ-16352, |
CoreXL |
In a rare scenario, CPU consuming on some instances is high. Refer to sk168513. |
PRJ-9402, |
QoS |
In some scenarios, QoS Policy installation fails with the following massage: "Error - QoS Policy does not apply to any network interface. Please edit your Network Object and check the interfaces you wish to install on" when policy is defined properly on the interface. |
PRJ-14433, |
Gaia OS |
NEW: Added support for CPAC-4-10-AB cards. |
PRJ-14595, |
Gaia OS |
NEW: Added Multi-Queue (MQ) support for Management interface. |
PRJ-15541,PRJ-15542, |
Gaia OS |
NEW: Added a new feature for preventing MITM attacks when OS backup is stored on remote storage via SCP protocol. Refer to sk164234. |
PRJ-14080, |
Gaia OS |
NEW: The i40e driver version was upgraded to improve performance.
|
PRJ-10078, |
Gaia OS |
When enlarging the partition via lvm_manager from a small partition to a larger partition, the user may reach an internal filesystem settings limit. As a result, some filesystem monitoring commands unexpectedly exit. Refer to sk165258. |
PRJ-13626, |
Gaia OS |
The "show configuration" Clish command may show 'Exported by admin' instead of the correct user name. |
PRJ-16272, |
Gaia OS |
User fails to add ecsda hot keys via Clish to the hosts file. This prevents from setting up the scheduled backups before the system goes into production. |
PRJ-5959, |
Gaia OS |
In some scenarios, commands that were typed into Clish can be executed later on if the SSH session was uninterruptedly terminated. |
PRJ-13271, |
Gaia OS |
In some scenarios, the value for Voltage/Fan/Temperature sensor may appear as "NotValid" instead of a number. |
PRJ-11129, |
Gaia OS |
Setting LACP rate does not survive a reboot on Gaia 3.10. |
PRJ-15860, |
Gaia OS |
"... Error I40E_AQ_RC_EINVAL adding RX filters on PF..." error may appear during i40e driver operation and RSS key may be reset during certain driver operations.
|
PRJ-14512, |
Routing |
BGP connection may fail to establish when there are multiple peer groups with the same AS number in iBGP configurations. |
PRJ-15484, |
Routing |
BGP fails to establish with high MTU setting on Gaia 3.10. |
PRJ-16018, |
CloudGuard IaaS |
In some scenarios, CloudGuard Controller may lose connection to GCP projects. Refer to sk168499. |
PRJ-12184, |
CloudGuard IaaS |
CloudGuard Controller may sometimes update the Standby cluster member in VSLS mode. |
PRJ-14405, |
VPN |
Connectivity improvements for Remote Access VPN with L2TP. |
PRJ-14574, |
VPN |
IP compression may not work in some scenarios when IKEv2 is configured. |
PRJ-14242, |
VPN |
VPN traffic may be dropped when working with peer behind NAT - Hide NAT with Port Translation. |
PRJ-11051, |
VPN |
Improved NAT Detection with 3rd party peers in IKEv1 and IKEv2. Refer to sk165003. |
PRJ-10952, |
VPN |
In some scenarios, VPN tunnel connection is dropped with "no MSA for MSPI" error. Refer to sk167393. |
PRJ-15329, |
VPN |
In some scenarios, Remote Access VPN traffic may be dropped when XFF is enabled. |
PRJ-15321, |
VPN |
In some scenarios, using LS/HA mode on a VPN tunnel may cause packets to be dropped. Refer to sk160612. |
PRJ-12808 |
Endpoint Security |
NEW: Added support for BitLocker Encryption Management in Full Disk Encryption.
|
Take 217 Released on 11 August 2020 and declared as General Availability on 13 September 2020 |
||
PRJ-14369, |
Diagnostics |
Missing information in total throughput/inbound/outbound packets in CPView history's Network view. |
PRJ-13961, |
Security Management |
NEW: Added the ability to purge revisions automatically based on user configuration. Refer to Automatic Purge Documentation. |
PRJ-12307, |
Security Management |
NEW: Added enhancements for CPM Monitor Tool:
|
PRJ-13048, |
Security Management |
After the user adds new Threat Indicators, Management HA may fail with "NGM failed to import data" error. Refer to sk167156. |
PRJ-13612, |
Security Management |
In rare scenarios, the "where-used" API command fails with "Management server failed to execute command" error. |
PRJ-12143, |
Security Management |
Management HA synchronization between the active Domain server to a standby Domain server may fail with "Failed to import data" error. |
PRJ-13166, |
Security Management |
When an administrator enters a very long text into an object field (more than 32767 characters), the Security Management Server terminates and fails to start. |
PRJ-12374, |
Security Management |
Policy Presets may disappear from view after the user runs the Solr Cure utility. Refer to sk167455. |
PRJ-9112, |
Security Management |
"The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job." message after the putkey process. Refer to sk12882. |
PRJ-14097, |
SmartConsole |
NEW: The new and useful APIs of version 1.6.1 are now available also as part of API version 1.5. For more information, refer to the Management API Reference v1.6.1. |
PRJ-13007, |
SmartConsole |
In the Management API, the "show objects" command with details-level full may return the "ip-address" field even if it is empty. |
PRJ-14291, |
SmartConsole |
If there are thousands (or more) of unused objects, the "show unused-objects" API command and the Unused Objects view may load and work very slowly. Also, the load on the Management server will increase, causing general slowness when working with SmartConsole. |
PRJ-14173, |
SmartConsole |
In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker. |
PRJ-13899, |
SmartConsole |
Audit log is not shown in SmartConsole's Logs & Monitor View for the login action through API when the "-r" flag is set to true (login as root). |
PRJ-12704, |
SmartView |
The SmartView Timeline may be distorted when logs contain an empty value for the field specified in the "Series" settings and when the Legend is enabled. Refer to sk167095. |
PRJ-12098, |
Logging |
NEW:
|
PRJ-14215, |
Security Gateway |
In a rare scenario, the Security gateway may crash if the rulebase contains a logical server object. |
PRJ-11751, |
Security Gateway |
Citrix file download may fail when the Mobile Access Blade is enabled.
|
PRJ-14041, |
Security Gateway |
When routing separation (MDPS)is enabled, interface statistics in CPView may not show information. |
PRJ-11765, |
Security Gateway |
"cpas_glue_psync_h: No synced opaque" error messages may appear in dmesg as a result of the synchronization of the members in the cluster. Refer to sk167033. |
PRJ-13380, |
Security Gateway |
In some scenarios, Security gateway generates an ICMP error with wrong IP address. Refer to sk167953. |
PRJ-11742, |
Security Gateway |
Improved connectivity in a specific flow when ICAP Client is enabled with Trickling 3. |
PRJ-11416, |
Security Gateway |
In some scenarios, NAT log shows source port 0 even though a port was allocated. |
PRJ-14481, |
Security Gateway |
When moving context in MDPS with mplane or dplane and bash logging is enabled, the "grep" command is executed. |
PRJ-12619, |
Identity Awareness |
After the user disables and re-enables the Identity Collector in SmartConsole, the Identity Collector may fail to connect to the PDP Gateway again. |
PRJ-13565, |
Identity Awareness |
In some scenarios, when the user changes the TACACS+ server to a different one, the configuration is applied only after an MDS reboot. |
PRJ-8712, |
Identity Awareness |
In some scenarios, Dynamic ID authentication fails when SMS server returns HTTP status code 2xx but not 200 or 202. |
PRJ-12502, |
Identity Awareness |
In some scenarios, Identity Awareness counters in cluster environments show zero. |
PRJ-13514, |
Identity Awareness |
In some scenarios, a XFF allowed proxy list is enforced only for instance 0 in VSLS environment after VS has transitioned from Backup to Active. |
PRJ-13597, |
HTTPS Inspection |
In some scenarios, web traffic is blocked with "HTTP parsing error occurred" and "parameters are undecodable in request" errors. |
PRJ-7278, |
Application Control |
In some scenarios, Application Control updates cannot be initiated on Gateways without Application Control enabled, even though URL Filtering is enabled. |
PRJ-13601 |
Anti-Malware |
In some scenarios, some emails may not be scanned by Anti-Bot's Suspicious Mail Protection when IPv6 is configured. |
PRJ-8326 |
Anti-Malware |
In some scenarios, the EICAR Anti-Virus test file may not be detected when transferred by SMB protocol. |
PRJ-10662, |
Anti-Malware |
In some scenarios, a "Feed Error" message appears when the user fetches a Custom Intelligence Feed. Refer to sk165932. |
PRJ-10768, |
Internal CA |
In some scenarios, no SIC between R80.x Security Management and R77 Security gateway after ICA certificate replacement procedure described in sk158096. |
PRJ-11628, |
SecureXL |
In some scenarios, MCAST packets may not be accelerated on a PIM-SM RP Gateway. |
PRJ-14077, |
SecureXL |
For some topologies, RIPV2 neighbors may be missing. Refer to sk167934. |
PRJ-14218, |
ClusterXL |
In some scenarios, SmartConsole shows ClusetXL status as "is not responding". Refer to sk168187. |
PRJ-11195, |
ClusterXL |
In some scenarios, "fw ctl affinity" and "sim affinity" commands show wrong IRQ numbers. Refer to sk166356. |
PRJ-14010, |
CoreXL |
ESP traffic is dropped on a Security Gateway that forwards the VPN traffic. Refer to sk167973. |
PRJ-11450, |
Gaia OS |
NEW: Added support for Smart-1 3150/3050 SAN and 'show asset' line cards for SAN. |
PRJ-12833 |
Gaia OS |
NEW: Added a Fail-open card support for new appliance line ( for Gaia 3.10 ):
|
PRJ-7271, |
Gaia OS |
In some scenarios, adding a Gaia user may result in a high number of zombie sh processes. Refer to sk164259. |
PRJ-13479, |
Gaia OS |
Intake and outlet temperature sensors display incorrect values on 15400 appliance. |
PRJ-10801, |
Gaia OS |
In some scenarios, due to backup compression errors, restoring a backup does not restore all files. |
PRJ-13269, |
Gaia OS |
In some scenarios, the value for Voltage/Fan/Temperature sensor may appear as "NotValid". |
PRJ-12761, |
Gaia OS |
In some scenarios, the WebUI shows unknown HDDs that are not part of RAID. |
PRJ-11497, |
Gaia OS |
In some scenarios, the PSU status is reflected even if there is no PSU on the appliance. |
PRJ-10351, |
Gaia OS |
In rare scenarios, clish consumes 100% CPU when the user runs a Tenable scan. Refer to sk166195. |
PRJ-11809, |
Gaia OS |
Only 1024 characters of a cron jobs output are displayed when using show cron jobs from clish. Refer to sk167632. |
PRJ-12421, |
Gaia OS |
In some scenarios, concurrent CIFS mount/umount processes to the same Windows machine may crash the kernel. |
PRJ-14419, |
Gaia OS |
In some scenarios, the snapshot creation fails because of compression errors. |
PRJ-10801 |
Gaia OS |
In some scenarios, because of backup compression errors, restoring a backup does not restore all files. |
PRJ-13650, |
Gaia OS |
In some scenarios, SNMPD daemon unexpectedly exits with core dump, causing the SNMP service to become unavailable. |
PRJ-13720, |
Gaia OS |
In some scenarios, a snapshot creation may fail. |
PRJ-11683, |
Routing |
NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners. |
PRJ-13977, |
Routing |
UPDATE: The logging of "aspath-regex" and "community-regex" routemap fields is now disabled by default and can be enabled through the trace log. |
PRJ-13925, |
Routing |
UPDATE: Increased the configuration limits of the BFD timers for detect multiplier, minimum RX interval, and minimum TX interval to 255, 255000, and 255000, respectively. |
PRJ-13352, |
Routing |
In some scenarios, routed process generates an assert when the user runs the "dbget -rv iclid" command. |
PRJ-7519, |
Mobile Access |
In some scenarios, Mobile Access end-users become disconnected from their Citrix sessions after policy installation. |
PRJ-7392, |
Mobile Access |
Logs regarding protection level compliance for SNX applications may refer to the general authorization policy rather than to the protection levels. |
PRJ-13728, |
Mobile Access |
In some scenarios, Web application SSO credentials are not displayed correctly in the 'Credentials' dialog when the application's destination hostname is configured as an IP address. |
PRJ-11804, |
VPN |
In some scenarios, an incorrect IPSec counter may be displayed with cpstats / SmartView Monitor / SNMP in a ClusterXL environment. Refer to sk167297. |
PRJ-14203, |
VPN |
"vpn_trap_multik: - wrong header length 36 != 72" message may appear in the vpnd.elg when working with multiple users with the same credentials.
|
PRJ-2619, |
VPN |
VPN stability was improved for some scenarios.
|
PRJ-12890, |
VPN |
IKEv2 rekey may fail when the resolved peer IP address is not the main IP address. Refer to sk166897. |
PRJ-12464, |
VPN |
In a rare scenario, Security Gateway may crash when using Remote Access VPN with L2TP clients. |
PRJ-15988, |
VPN |
Starting from R80.30 Jumbo Hotfix Take 210, clients that do not support MFA (such as Mac OS and iOS) cannot connect as Remote Access clients if MFA is enabled. Refer to sk168493. |
PRJ-13407, |
VPN |
In rare scenarios, the Global Domain Assignment view shows that a Global Domain Assignment is in the 'up to date' state even though it is not. |
PRJ-13341, |
VPN |
In some scenarios, L2TP client fails to connect with "failed to write L2TP session params to kernel" error in vpnd.elg file. Refer to sk167636. |
PRJ-13529, |
VPN |
In some scenarios, Remote Access VPN users are not matched against the Access Control policy and traffic is dropped. Refer to sk167432. |
PRJ-2020, |
VPN |
VPN stability was improved for some scenarios. |
PRJ-15240, |
VSX |
VSs load up in parallel from boot/after cpstart from VS0.
|
PRJ-14150, |
Endpoint Security |
In some scenarios, no audit logs are shown regarding object changes in SmartEndpoint virtual groups and FDE pre-boot users. Refer to sk167907. |
PRJ-14131, |
Endpoint Security |
In some scenarios, the user cannot get an FDE Offline Management File (cpomf) for an offline group in SmartEndpoint if this group or a directory in its path has special characters \ _ %. |
Take 215 Released on 6 July 2020 and declared as General Availability on 4 August 2020 |
||
PRJ-11587, |
Security Management |
In some scenarios, when using Rulebase Search, the 'number of rules' section is incorrect. Refer to sk166003. |
PRJ-12025, |
Security Management |
NEW: Tasks that fail to complete within 18 hours will be stopped automatically and appear as failed. Refer to sk166455. |
PRJ-12274, |
Security Management |
In Management HA configuration, a hotfix installation may incorrectly fail during the verification phase. |
PRJ-10058, |
Security Management |
In some scenarios, Security policy deletion or installation may fail when there are many Application Control objects used in this policy. |
PRJ-12670, |
Security Management |
If an administrator searches for a certain text in SmartConsole, it may cause the Management Server to become inaccessible until a restart. |
PRJ-13152, |
Security Management |
In rare scenarios, a session becomes unusable, and one or more of the following may occur:
Refer to sk167735. |
PRJ-1392, |
Multi-Domain Management |
NEW: Added ability to log in to the Management Server with SmartConsole while MDS Backup is running. |
PRJ-12205, |
Multi-Domain Management |
In some scenarios, changes to a .def file in $FWDIR/lib might be reverted when creating a secondary CMA. |
PRJ-11508 |
Multi-Domain Management |
A migration from the Security Management Server to a Domain on a Multi-Domain Management Server may fail with: "didn't find ObjectStoreSessionEntity for session <uuid> return null" error in the cpm.elg file. |
PRJ-8497, |
Multi-Domain Management |
The "Recent Tasks" and "Install Policy Preset" views in MDS Domain might include Domain names, policy packages, and Gateways names. This information is not filtered according to the administrator's permission profile. |
PRJ-9602, |
Multi-Domain Management |
In environments with more than five Multi Domain servers, changes to objects might not be reflected in the logs. |
PRJ-12485, |
Multi-Domain Management |
Multi-Domain Administrator configuration for RADIUS authentication might show local Domain Radius servers and groups. |
PRJ-12965, |
Multi-Domain Management |
In some scenarios, certain deleted domain level objects are visible in the SmartConsole at the MDS level. |
PRJ-13033, |
Multi-Domain Management |
Global Policy reassignment may fail after performing the IPS update in the Global domain. |
PRJ-12555, |
Multi-Domain Management |
In some scenarios, updating firewall_properties in GuiDBedit in the MDS context fails. Refer to sk42184. |
PRJ-12776, |
SmartConsole |
NEW: Added API commands for user, user-template, user-group and identity-tag. |
PRJ-12900, |
SmartConsole |
NEW: Added more information on each Management API call to api.csv. |
PRJ-11258, |
SmartConsole |
In some scenarios, Inspection Settings view under the General tab is blank. |
PRJ-12454, |
SmartConsole |
In some scenarios, a calculation of UIDs for irrelevant rules may result in the "Cannot insert a rule into its own sub rulebase" validation error. |
PRJ-12810, |
SmartConsole |
When using the Management API "show-objects" command to show OPSEC application objects, it may fail with "Requested object [OBJECT ID] not found". |
PRJ-12973, |
SmartConsole |
When a VSX Cluster object is edited, no changes are made and the "Topology has changed. Please reinstall Security Policy" message is always displayed after clicking OK, even if no changes are made. |
PRJ-12445, |
SmartConsole |
In some scenarios, IPS update tasks may stuck when multiple machines are attempting an update within the same time frame. |
PRJ-12458, |
SmartConsole |
In some scenarios, IPS update may be locked with the message "IPS management update is locked by Scheduled update" . |
PRJ-12210, |
SmartConsole |
When running the "show-domain" API command, the "active" field may be missing from the reply. |
PRJ-10670, |
SmartView |
In SmartView, when using a language other than English, an error may occur when drilling down on a widget. |
PRJ-10200, |
SmartView |
SmartView may show "query failed" error message when creating table widget with filter by source/destination host name. Refer to sk119056. |
PRJ-11432, |
SmartProvisioning |
The SmartProvisioning application may hang when the user adds/edits Dynamic Objects in the LSM Gateway object editor. |
PRJ-11501, |
Security Gateway |
NEW: Added "Hold" override for unsupported protocols (i.e. GRE). Refer to sk148432. |
PRJ-11695, |
Security Gateway |
In a rare scenario, access rules with service type of "other" may not be matched correctly. Refer to sk166365. |
PRJ-13204, |
Security Gateway |
In rare scenario, a traffic outage may occur when time objects are used in the access policy. |
PRJ-8675, |
Security Gateway |
In some scenarios, "simple_debug_filter_unset: unsetting debug filter when no filter is set" messages may appear in dmesg. Refer to sk165675. |
PRJ-12732, |
Security Gateway |
In a rare scenario, memory is not freed correctly in the routing mechanism.
|
PRJ-12101, |
Security Gateway |
In some scenarios, when running "fw monitor" with the "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed. Refer to sk166592. |
PRJ-12236, |
Security Gateway |
In a rare scenario, Security Gateway memory consumption may increase when the Anti-Virus Blade is enabled. |
PRJ-13075, |
Security Gateway |
When HTTPS Inspection is enabled using layer-2/bridge, traffic may be dropped when deciding the outgoing interfaces. |
PRJ-5540, |
Security Gateway |
Added ability for fw monitor to support monitoring traffic on Acceleration Card. |
PRJ-13089, |
Security Gateway |
|
PRJ-9047, |
Threat Prevention |
The number of overrides in Threat Prevention policy -> Profile -> Overrides may also show inactivated overrides, with mismatched information between "override" and "User Modified". |
PRJ-12831, |
Threat Prevention |
In a rare scenario, when Threat Prevention Forensics feature is enabled, memory usage may rise on the Security gateway due to failures in memory release flow. |
PRJ-12394, |
Threat Prevention |
In some scenarios, policy installation fails with "Error code 0-2000111". |
PRJ-12766, |
Threat Extraction |
In rare scenarios, the watermark_cp_file_convertd daemon used by Threat Extraction may restart frequently, causing high CPU usage. Refer to sk168318. |
PRJ-12339, |
URL Filtering |
In a rare scenario, policy installation may fail with "Error code: 0-2000112" if the URL Filtering Blade is active while no other feature or Blade is enabled. |
PRJ-13116, |
DLP |
Improved DLP functionality when working with IDA MUH1 and MUH2 agents. |
PRJ-12468, |
Anti-Malware |
In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus Blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606). |
PRJ-13109, |
HTTPS Inspection |
In some scenarios, HTTPS websites may show corrupted text when HTTPS Inspection and Anti-Virus are enabled. |
PRJ-11059, |
Application Control |
In some scenarios, Application Control update task may get stuck indefinitely when it is executed as part of Global Policy assignment. |
PRJ-12165, |
Application Control |
In some scenarios, Application Control updates in Multi-Domain High Availability environments may get stuck when multiple updates from different Domains/Multi-Domains take place simultaneously. |
PRJ-10157, |
Logging |
"UserCheck Reference ID" field is missing from logs when the message of the UserCheck customized page is modified and does not contain the text "reference:". Refer to sk165355. |
PRJ-11888, |
Logging |
In some scenarios, searching for logs using "client_name" in the logging tab returns no values. |
PRJ-4738, |
Logging |
In environments that use certain mail servers, sending a report using SmartView may not work properly. |
PRJ-4610, |
Logging |
When trying to open a Forensic report in SmartLog, the "Error getting report." message may appear if there is a network object configured with the same IP address as that of the Endpoint Security Management Server |
PRJ-12285, |
ClusterXL |
ClusterXL in Load Sharing mode may drop traffic after a cluster member is rebooted, due to inconsistency of MAC addresses saved in the Firewall kernel and in SecureXL kernel. |
PRJ-12709, |
ClusterXL |
In some scenarios, a Cluster member forwards ICMP replies via its Sync interface after being rebooted. |
PRJ-12550, |
SecureXL |
NEW: Added tunable kernel parameter "adp_mc_rt_hold_queue_len" to adpkern.conf to eliminate multicast packet drops at the start of a connection (when large bursts of multicast traffic are expected). |
PRJ-12174, |
SecureXL |
In some scenarios, TCP traffic containing the TCP Fast Open option may be dropped by the Security Gateway. |
PRJ-11365 |
Routing |
NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners.
|
PRJ-12802, |
Routing |
In some scenarios, when processing BGP ECMP routes, routed may unexpectedly exit, resulting in loss of BGP adjacency. |
PRJ-12798, |
Routing |
In some scenarios, there may be a loss of BGP adjacency when displaying BGP routes with very long AS paths or large numbers of BGP communities. |
PRJ-12072, |
Gaia OS |
NEW: Added support for Jumbo Hotfix installation on Check Point 3800, 6400, 6700, 7000, 16200, 16600HS, 28000 and 28600HS appliances. Refer to sk110052, sk139932 and sk152733.
|
PRJ-12436, |
Gaia OS |
In some scenarios, the xmlUpgradeExec process may unexpectedly exit during Jumbo Hotfix installation. As a result, the configuration file may not be created correctly. Upon login, the following error message may appear:
|
PRJ-12812, |
Gaia OS |
The activate_sw_raid utility may fail due to incorrect disk names.
|
PRJ-12248, |
Gaia OS |
UPDATE: on Smart-1 410:
|
PRJ-3026, |
Gaia OS |
Backup on Gaia machine may fail with "Cannot complete the backup process: not enough space". Refer to sk98609. |
PRJ-11620, |
Gaia OS |
When a bond exceeds 60GB/s, ethtool may report an incorrect speed of the bond interface. |
PRJ-8949, |
Gaia OS |
In some scenarios, interface names may not correspond to the correct ports on 4-ports 10GbE SFP+ Rev 1.1 on 12200/4200/4400/4600/4800/TE250 appliances. |
PRJ-12791, |
Gaia OS |
In some scenarios, a backup on a Gaia device with Threat Emulation Blade enabled may fail with "Cannot complete the backup process: not enough space". Refer to sk166833. |
PRJ-8621, |
VPN |
Improved the VPN connectivity with DAIP peers when Tunnel Monitoring is enabled. Refer to sk164933. |
PRJ-11723, |
VPN |
Added L2TP Remote Access client connectivity improvements. Refer to Scenario 2 in sk145895.
|
PRJ-12178, |
VPN |
Connectivity improvements for Remote Access VPN using Traditional mode. |
PRJ-12194, |
VPN |
A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902. |
PRJ-13105 |
VPN |
In some scenarios, packets are dropped on proposal unmatched, although the VPN tunnel is established. Refer to sk122438. |
PRJ-11244, |
VoIP |
SIP calls with NAT (SIP packet with no SDP but content-type=sdp) may fail to open correctly. |
PRJ-9104, |
VoIP |
In a rare scenario, Security gateway crashes when passing SIP traffic. Refer to sk166474. |
PRJ-12623, |
VSX |
In a rare scenario, creating new VSX and pushing configuration may cause the cluster members to crash.
|
PRJ-13077, |
VSX |
When performing a provisioning operation in VSX, process may hang on "Pushing configuration to ...". Refer to sk167175. |
PRJ-10416, |
Mobile Access |
Some Web applications published by Mobile Access Blade may not work in Host Translation mode. |
PRJ-12601, |
Mobile Access |
Mobile Access ActiveSync session timeout may not update properly, generating repeated error messages in the cvpnd.elg debug output. |
PRJ-11836, |
Endpoint Security |
An error in FDE preboot users calculation might cause Endpoint to be left in a disconnected state. Refer to sk142313. |
PRJ-11690, |
Endpoint Security |
The following may occur in installations with Media Encryption (refer to sk166074):
|
PRJ-11822, |
Endpoint Security |
In some scenarios, SmartEndpoint doe not update info in reports about devices when the user is logged out. Refer to sk164035. |
PRJ-11143, |
Endpoint Security |
Local users might not be displayed under the selected machine in the "Users and Computers tab" in SmartEndpoint. Refer to sk166316. |
PRJ-11832, |
Endpoint Security |
The Endpoint directory scanner may fail to reconnect to the AD if the connection was lost during the scan. |
PRJ-11840, |
Endpoint Security |
Cannot delete the client MSI package from SmartEndpoint because of previously deleted FDE offline group. |
PRJ-11815, |
Endpoint Security |
When a user name is updated in SmartEndpoint, the change may result in an unexpected expiration date. Refer to sk165872. |
PRJ-11828, |
Endpoint Security |
SmartEndpoint might export a report to Excel in which incorrect distinguished names appear for deleted users/devices. Refer to sk163943. |
PRJ-11824, |
Endpoint Security |
Users/devices may not change their locations in the tree according to Active Directory changes when certain special characters appear in the names. |
PRJ-11819, |
Endpoint Security |
The default paths for offline folders in SmartEndpoint -> Offline group creation wizard may be incorrect. |
PRJ-12691, |
Compliance |
Compliance Blade may show incorrect Best Practice status if one or more relevant network objects for that Best Practice is in status "N/A". |
Take 214 Released on 6 July 2020 and declared as General Availability on 14 July 2020 |
||
PRJ-13803 |
Security Management |
Upgrade to R80.30 Jumbo HotFix Ongoing Takes 210 and 213 from R80.20 Jumbo HotFix Take 161 fails. |
Take 213 Released on 23 June 2020 |
||
PRJ-13688, |
Security Management |
In some scenarios, when using many management API calls in parallel, the output is not consistent. Refer to sk167509. |
PRJ-8256, |
Security Management |
FWM and\or INDEXER processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452. |
Take 210 Released on 26 May 2020 |
||
PRJ-11386, |
Security Management |
NEW: Significant performance improvement for policy installation time when many groups are defined on the Management Server. |
PRJ-10900, |
Security Management |
NEW: Set values for environment variables on the Management Server that will remain there after a Management Server upgrade, as well as Backup/Restore and Export/Import of the Management Server. Refer to sk165938. |
PRJ-11009, |
Security Management |
NEW: Added ability for R80.30 Security Management or Multi-Domain Server to manage 7000 and 28000 Check Point appliances.
|
PRJ-10994, |
Security Management |
NEW: Added ICA Management security enhancements. |
PRJ-9070, |
Security Management |
"Policy installation had failed due to an internal error. If the problem persists please contact Check Point support" message may be displayed on policy installation failure. Refer to sk149093. |
PRJ-8793, |
Security Management |
Improved the Access Control Policy installation time for environments with high amount of objects and enabled IPSEC VPN Blade. Refer to sk166321. |
PRJ-8416, |
Security Management |
When the user runs the 'add-domain' Web API command on an existing Domain, the original Domain is deleted. |
PRJ-9214, |
Security Management |
Logging into SmartConsole to the Standby Management Server with a Radius or TACACS user may fail after changing the shared secret on the Radius or TACACS object. |
PRJ-10472, |
Security Management |
In a rare scenario, export from the previous version does not complete because the Postgres dump_all process gets stuck. |
PRJ-11523, |
Multi-Domain Management |
In rare scenarios, upgrading the Multi-Domain Server fails to upgrade some Domain Servers with "IllegalArgumentException" in the upgrade log. |
PRJ-12065, |
Multi-Domain Management |
The FWM process of domains may not stop after the user runs mdsstop or mdsstop_customer. |
PRJ-11073, |
SmartConsole |
NEW: Added ability to reset the following network object fields to be empty through the Management API: ipv4-address, ipv6-address, subnet4, subnet6, mask-length4, and mask-length6. |
PRJ-11905, |
SmartConsole |
In rare scenarios, certain domain level objects may not be visible in SmartConsole at the MDS level. |
PRJ-5103, |
SmartConsole |
"An internal error has occurred" message may pop up when the user tries to modify a Revision's description. |
PRJ-11458, |
SmartConsole |
Unable to delete Snort protections in Multi-Domain environment - they still exist after deletion. |
PRJ-12955, |
SmartConsole |
Global Policy reassign in MDS may fail with 'An internal error has occurred' message after adding overrides to Snort protections. |
PRJ-11391, |
SmartConsole |
When running Management API commands, the default values for 'dereference-group-members' and 'show-membership' flags may change from "True" to "False". |
PRJ-7746 |
Smart Provisioning |
The security profile may not be visible on the new 1500 LSM Gateway wizard. |
PRJ-9741, |
QoS |
Packets to the broadcast IP address (255.255.255.255) may cause dmesg to fill with "fg_classify_and_offload_all_ifdirs: fglogRulename Failed." messages. |
PRJ-11928, |
QoS |
In some scenarios, SmartView Monitor shows "No Match" rule on QoS traffic. |
PRJ-9381, |
Security Gateway |
NEW: Added DNS Passive Learning feature for enhanced non-FQDN domain objects & updatable objects matching. Refer to sk161612. |
PRJ-9017, |
Security Gateway |
NEW: Added support for the bridge configuration when packet is passing via the Security gateway twice. |
PRJ-8883, |
Security Gateway |
In a rare scenario, Security gateway may crash when activating a web parsing debug. |
PRJ-1214, |
Security Gateway |
In a rare scenario, the Security Gateway may crash due to a NULL pointer reference. |
PRJ-11530, |
Security Gateway |
In a rare scenario, Security gateway may crash while connection is closed while being held. |
PRJ-4092, |
Security Gateway |
Using spaces in the $FWDIR/boot/modules/fwkern.conf file may cause long reboot time. |
PRJ-2411, |
Security Gateway |
DCE-RPC traffic may be dropped because of a drop template that is incorrectly created for the ALL_DCE_RPC service. |
PRJ-5730, |
Security Gateway |
In some scenarios, SIP traffic may be dropped by Anti-Spoofing with "fw_early_sip_nat Reason: spoofed packet on SIP traffic" error in dmseg although it is set to"detect". |
PRJ-9838, |
Security Gateway |
When ISP Redundancy is configured on a cluster, the backup ISP link status may show as down even though the link is up. |
PRJ-9122, |
Security Gateway |
Connections may be dropped when "keep all connections" is configured during policy installation. Refer to sk166212. |
PRJ-7334, |
Security Gateway |
In some scenarios, a standby cluster member may crash when it starts handling the IPv6 traffic. Refer to sk166655.
|
PRJ-8616, |
Security Gateway |
In some scenarios, the uc_log_suppression_data table may reach its limit and "uc_log_suppression_set_entry: Failed storing log data in log suppression table" error appears in /var/log/messages file. |
PRJ-8296, |
Security Gateway |
In some scenarios, there may be connectivity problems with DHCP traffic. |
PRJ-8687, |
Security Gateway |
When bridge rerouting is enabled, Management/local traffic may be allowed over a Gateway bridge. |
PRJ-11954, |
Security Gateway |
In a rare scenario, Security Gateway may crash due to NULL pointer reference. |
PRJ-10845, |
Application Control |
NEW: Gateway status will reflect Application Control and URL Filtering updates. |
PRJ-8238, |
IPS |
In some scenarios, Threat Prevention policy installation may fail when the Threat Prevention profile performance impact is configured to "Very Low". |
PRJ-6151, |
IPS |
In rare scenario, a memory leak may occur if there is HTTP 206 partial content. |
PRJ-9488, |
IPS |
After an upgrade, policy installation may not update the IPS version on the gateway if the "IPS scheduled update" option was changed before the upgrade. |
PRJ-10938, |
IPS |
In a rare scenario, the fw_full process may unexpectedly exit. |
PRJ-9449, |
IPS, |
In some scenarios, SmartConsole shows "No license" and "Contract is expired" for IPS Blade in VSX. Refer to sk164917. |
PRJ-10096, |
Identity Awareness |
NEW: Added support for LDAP automatic group update feature in Identity Collector. |
PRJ-11853, |
Identity Awareness |
NEW: Added Terminal Server agent v2 (aka MUH2) support for R80.30 Security Gateway. For more information, see sk134312. |
PRJ-5231, |
Identity Awareness |
Failure in LDAP groups membership query for specific user that was reported by MUH agent, may cause all users under the same MUH agent to be removed from the PDP database. |
PRJ-10224, |
Identity Awareness |
In a rare scenario, there is a memory leak in the IDA daemon pepd. |
PRJ-9393, |
Identity Awareness |
NEW: Performance improvement in the automatic LDAP group update feature. |
PRJ-10386, |
Identity Awareness |
In a rare scenario, identity session groups and access roles may disappear following a policy installation. |
PRJ-11614, |
Identity Awareness |
In a rare scenario, a memory leak, related to the Identity Awareness flow, may occur in the kernel. |
PRJ-10329, |
Anti-Virus |
In some scenarios, dmesg shows many "cmik_loader_fw_context_match_cb: match_cb for CMI APP 11 failed on context 249" messages. |
PRJ-10129, |
Threat Extraction |
"An error has occurred while adding watermark to file" error may appear while adding watermark to a file. Refer to sk165594. |
PRJ-9934, |
HTTPS Inspection |
In some scenarios, when the minimum version of HTTPS Inspection is set to TLS 1.1, some websites may unexpectedly exit. Refer to sk165555. |
PRJ-6957, |
Anti-Malware |
In some scenarios, dmesg may show the following errors: "cmik_loader_fw_context_match_cb: m atch_cb for CMI APP 3 failed on context 56, executing context 366 and adding the app to apps in exception". |
PRJ-10969, |
DLP |
NEW: Reading and sending files from the registry by DLP was optimized. |
PRJ-9328, |
DLP |
Improved the scanning time of files for some scenarios in SMTP and HTTP/S. |
PRJ-9693, |
DLP |
In some scenarios, DLP prints wrong error message in the log. |
PRJ-5022, |
DLP |
The DLP engine may incorrectly process the file if the file name is missing in the connection header. |
PRJ-9774, |
DLP |
In some scenarios for SMTP, when an internal user sends an email, the DLP logs may show the topology as "external to external" instead of as "internal to internal". |
PRJ-10423, |
DLP |
In a rare scenario, when Security Gateway is configured as proxy, the HTTP traffic may be not scanned by DLP. |
PRJ-10855, |
DLP |
DLP stability for some scenarios was improved. |
PRJ-9190 |
Logging |
NEW: Added support for viewing MITRE ATT&CK fields. |
PRJ-9316, |
Logging |
Logging view may show results from the wrong day if the server Time Zone is configured to use half/quarter hour deviations from standard time. |
PRJ-8922, |
Logging |
When the user searches logs in the "Logs and Monitor" tab in SmartConsole and applies a filter using the "?" wildcard, incorrect logs may be returned. |
PRJ-4136, |
Logging |
In some scenarios, it may not be possible to filter logs by the field "IKE IDs:" when searching the log files directly. |
PRJ-10358, |
Logging |
Log_indexer may unexpectedly exit on a SmartEvent server with a large number of CPUs (32 and up), and\or when the total number of log servers declared in correlation units is above 30. |
PRJ-8213, |
Logging |
"Problem has occurred during search < External Log server > Disconnected" error may appear in "Logs & Monitor" tab after creating dummy object for NAT. |
PRJ-11006, |
Logging |
In some scenarios, changes made to Network Objects on the Security Management Server are not reflected in the logs view. Refer to sk166493. |
PRJ-9193, |
Logging |
After synchronization, MLM / Secondary MDM may have different log policy configuration. Refer to sk165692. |
PRJ-1525, |
Logging |
In some scenarios, Autosuggestion does not complete in SmartConsole's "Logs & Monitor" tab for users who do not have super user privileges. Refer to sk155252. |
PRJ-11362, |
Logging |
In a rare scenario, the CPD process on a Security Management Server that manages R77.30 Security Gateway may unexpectedly exit. |
PRJ-9706, |
Logging |
The FWD process may unexpectedly exit if one of the following changes were made using GuiDBEdit:
|
PRJ-9127, |
SecureXL |
NEW: Added acceleration support for Ethernet Over IP Tunneling (EOIP). EOIP is RFC 3378 protocol # 97 used between Wireless AP and Wireless Cisco controller. |
PRJ-9826, |
SecureXL |
In some scenarios, SYN Defender cookie validation may fail. |
PRJ-10234, |
SecureXL |
Policy installation may fail with "Error code 0-2000240" when Drop templates option is enabled. Refer to sk165716. |
PRJ-10816, |
SecureXL |
Rule that contains dhcpv6 services, does not disable SecureXL Accept Templates. Refer to sk32578. |
PRJ-8489, |
SecureXL |
In some scenarios, held packets are incorrectly reported to the penalty box. |
PRJ-4176, |
SecureXL |
In some scenarios, there may be a length verification error with SCTP traffic. |
PRJ-7418, |
SecureXL |
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. This fix enables the new property per specific gateway. Refer to sk147093. |
PRJ-5905, |
SecureXL |
In some scenarios, the penalty box violation rate is calculated incorrectly. |
PRJ-6124, |
SecureXL |
In some scenarios, DOS/Rate Limiting drops too few (or too many) packets for "concurrent-conns" fw samp rules. Refer to sk112454. |
PRJ-11679, |
SecureXL |
MCAST packets may be handled incorrectly when promiscuous (tcpdump) mode is enabled for the interface. |
PRJ-10001, |
SecureXL |
Improved TCP state inspection for "Smart Connection Reuse" feature. |
PRJ-12020, |
SecureXL |
In some scenarios, ACK, FIN, and RST TCP packets are dropped, causing outages. |
PRJ-12498, |
SecureXL |
SCTP Stateful inspection and payload NAT (INIT Chunks) may not work correctly. |
PRJ-11021, |
Routing |
Active VRRP cluster member may not show full accounting information in logs. Refer to sk159432. |
PRJ-5866, |
ClusterXL |
SNMP Response for OID .1.3.6.1.4.1.2620.1.5.6 ("haState") is "Active" on all members of ClusterXL High Availability mode. Refer to sk106291. |
PRJ-1502, |
ClusterXL |
The output of the 'cphaprob routedifcs' command may be missing interfaces. |
PRJ-7614, |
ConnectControl |
|
PRJ-5333, |
VPN |
NEW: Added functionality enhancements for the authentication realms that is used with Remote Access VPN. |
PRJ-5702, |
VPN |
NEW: Improved policy installation performance when the MAB Blade is enabled with Legacy Policy and Native Application rules. Refer to sk175105. |
PRJ-10271, |
VPN |
NEW: 3DES is disabled by default for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI abd Mobile Access curl. Note: Disabling 3DES will fail 3rd party OPSEC SDK 6.0 clients connectivity. To enable it, refer to sk113114. |
PRJ-11643, |
VPN |
Added Stability improvement for Remote Access VPN. |
PRJ-12746, |
VPN |
Some Remote Access clients that do not support Multi-Factor Authentication (MFA) are able to connect to a Security Gateway even though the "Allow older clients" option is disabled. Refer to sk166912. |
PRJ-12992, |
VPN |
In some scenarios, a connectivity issue appears when working with Capsule Connect.
|
PRJ-11920, |
VPN |
Memory leak in VPN daemon may appear during the IP address assignment. |
PRJ-8263, |
VPN |
Server-to-Server and Client-to-Server VPN may fail when using Wire Mode while SecureXL is enabled. |
PRJ-11282, |
VPN |
In a rare scenario, vpnd process unexpectedly exits due to Segmentation fault.
|
PRJ-12523, |
VPN |
In some scenarios, VPN traffic distribution change may cause high CPU consumption on one CPU core. Refer to sk165853.
|
PRJ-6139, |
VPN |
In a rare scenario, the vpnd process unexpectedly exits due to memory access problem. |
PRJ-4452, |
VPN |
Improved IKEv2 negotiation flow. |
PRJ-7693, |
VPN |
Improved usability of VPN tunnel monitoring "vpn tu" command. |
PRJ-10390, |
VPN |
In a rare scenario, vpnd process unexpectedly exits due to issue in IKEv2 flow. |
PRJ-8115, |
VPN |
"vpn_trap_multik: - wrong header length 36 != 72" message may appear in the vpnd.elg when working with multiple users with the same credentials. |
PRJ-8177, |
VPN |
In a rare scenario, a memory leak in VPND may occur during the TLS key exchange in HTTPS portals. |
PRJ-11483, |
VPN |
In some scenarios, vpnd cores may be generated sporadically during boot time/cluster failovers on the Cluster Standby Member. |
PRJ-11238, |
VPN |
Added connectivity improvement for VPN over NAT traversal (UDP 4500). Refer to sk155953. |
PRJ-6677, |
VPN |
In some scenarios, NAT-T packets are going out with the wrong interface, when encrypted. Refer to sk165697. |
PRJ-6719, |
VPN |
In some scenarios, the vpnd process unexpectedly exits on cluster members. |
PRJ-8889, |
VPN |
Improved stability of VPN traffic on VSX Gateway. Refer to sk166655.
|
PRJ-9231, |
Routing |
Although only OSPFv2 with Graceful Restart Helper is configured, the Critical Device OSPF3 Graceful Restart may show the "OSPF3 Graceful Restart PROBLEM Master -> Standby. Waiting for GR" message during the cluster failover. |
PRJ-3618, |
Routing |
In some scenarios, routed unexpectedly exits when receiving an LSA with a checksum value of zero. |
PRJ-11543, |
Routing |
In some scenarios, routed unexpectedly exits and traffic is lost after a failover in ClusterXL when BGP and ECMP are enabled. Refer to sk166175. |
PRJ-12224, |
Routing |
In some scenarios, routed process unexpectedly exits when adding an interface to OSPFv3 with a prefix length above 63 and having two or more areas. |
PRJ-4236, |
VoIP |
In some scenarios, H323 connections are dropped after "Virtual session timeout" is configured. Refer to sk156372. |
PRJ-9956, |
VoIP |
In some scenarios, UA traffic is dropped when packet contains more then 9 UA's. Refer to sk135114. |
PRJ-2462, |
VoIP |
In some scenarios, MGCP traffic may be dropped by the Security Gateway with the following message in fw ctl zdebug drop:
|
PRJ-11687, |
VSX |
The following error may appear in /var/log/messages: "Destroying alive neighbour *". |
PRJ-10935, |
VSX |
In a rare scenario, portals are not reachable after the fwk process unexpectedly exits. |
PRJ-10902, |
VSX |
In VSX cluster with VMAC mode, traffic may not pass through VSX Cluster members if SecureXL is enabled. Refer to sk138894. |
PRJ-3801, |
Gaia OS |
NEW: Added the ability to configure an IPv6 address for a LOM interface on Smart 1-525/5050/5150 appliances. |
PRJ-9351, |
Gaia OS |
Added optimization for 40GbE and 25/100GbE cards configured in multiqueue allowing better transmit performance when Hyper-Threading (SMT) is enabled. |
PRJ-8007, |
Gaia OS |
Apache API was updated. |
PRJ-9221, |
Gaia OS |
All VRRP cluster members are in Master state when using i40e driver. |
PRJ-10166, |
Gaia OS |
Smart-1 625 appliances may show RAID syncing on both RAID disks. |
PRJ-11159, |
Gaia OS |
Incorrect status may be displayed in clish for pulled PSU. |
PRJ-8054, |
Gaia OS |
In some scenarios, latency issues may occur in Clish and in the WebUI when using web scanning tools (Qualys). Refer to sk164153. |
PRJ-9013, |
Gaia OS |
In a rare scenario, Security Gateway hangs for ~10 minutes during boot. Refer to sk164268. |
PRJ-7913, |
Gaia OS |
'#', '=' and '+' characters cannot be used in "Banner" and "Message of the day" features. |
PRJ-5175, |
Gaia OS |
Any of the following may occur in vSphere on a Management appliance:
|
PRJ-11368, |
Gaia OS |
SNMP Trap may not be sent even though a failover occurred. Refer to sk166100. |
PRJ-11535, |
Gaia OS |
In some scenarios the snmpd process floods /var/log/messages with errors regarding parsing voltage sensor value. |
PRJ-10398, |
Gaia OS |
In some scenarios, transmit queues may stop, causing packet loss. |
PRJ-11321, |
Gaia OS |
In some scenarios, commands that were typed into Clish can be executed later on if the SSH session was uninterruptedly terminated. |
PRJ-11692, |
Endpoint Security |
In SmartEndpoint, Anti-Malware's "Top Infections" report has an empty infection name. Refer to sk166232. |
PRJ-2924, |
Endpoint Security |
Very frequently repeated "update register" requests may cause performance issues. |
PRJ-5622, |
Endpoint Security |
Endpoint Management may incorrectly show that no local Anti-Malware signatures updater is installed on the DHS-complaint engine. |
PRJ-5805, |
CloudGuard IaaS |
NEW: Added support for Identity Sharing with CloudGuard for NSX-V. |
PRJ-7891, |
CloudGuard IaaS |
NEW: Added support for Google Cloud Platform projects with Shared VPC. Refer to sk164139. |
PRJ-10913, |
CloudGuard IaaS |
When an Azure subnet is missing its prefix attribute, the Microsoft Azure Data Center may fail to poll data, resulting in a loss of updates to the Security Gateway. |
PRJ-11025, |
CloudGuard IaaS |
When an Azure Virtual Network Interface is missing its properties' primary attribute, the Microsoft Azure Data Center may fail to poll data, resulting in a loss of updates to the Security Gateway. |
PRJ-10867, |
CloudGuard IaaS |
In a rare scenario, the OpenStack Data Center becomes unresponsive, which results in a loss of updates to the Security Gateway. |
Take 196 Released on 21 May 2020 and declared as General Availability on 26 May 2020 |
||
PRJ-12850 |
Installation |
In some scenarios, installation of a software update hotfixes on top of Jumbo Hotfix Accumulator Take 195 may fail with "Conflict found, version R80_30_JUMBO_HF_MAIN with hotfix :XXX - details: "cr:PRJ-11542 files: libfw_kern_64_us.so, libfw_kern_64_us_v6.so" message. |
Take 195 Released on 26 April 2020 |
||
PRJ-8953, |
Upgrade Tools |
Upgrade from R80.20 to R80.30 may fail with messages related to cmsobfuscationkey. |
PRJ-10629 |
Installation |
Firmware upgrade for Small Office appliance using SmartProvisioning in Multi-Domain Management environment may fail. |
PRJ-8644, |
Security Management |
NEW: Performance enhancements while the Management Server is under high load. |
PRJ-8606, |
Security Management |
NEW: Added ability to search in the Management Server by adding asterisk before any sequence of characters. For more information, refer to sk164873.
|
PRJ-9591, |
Security Management |
Security hardening: The Management Server will block connection requests with a TLS version below 1.2 on port 19009. |
PRJ-8896, |
Security Management |
When an administrator fails to publish another administrator's session, the session of the other administrator disappears from the Sessions view in SmartConsole. |
PRJ-7887, |
Security Management |
In some scenarios, when the user modifies a policy rule and creates a section above it in the same session, the log tracker shows that the rule was created instead of modified. |
PRJ-5794, |
Security Management |
In some scenarios, after the user manually performs "Full Sync", a newly created secondary Domain Server or Domain Log Server is not shown in SmartConsole's Domains view. |
PRJ-678, |
Security Management |
In some scenarios, Check Point services fail to start and the CPM log shows that there are duplicate session aggregators. |
PRJ-9265, |
Security Management |
Policy verification may fail after the user does the following steps: Configures specific install targets for a policy, publishes them, changes the install targets back to "All Gateways", and tries to install them on a Gateway which is not in the original list of targets. |
PRJ-6704, |
Security Management |
In a rare scenario, when viewing the Layer History, some revisions not relevant to the selected Layer may be shown. |
PRJ-8394, |
Security Management |
In a rare scenario, tasks do not appear in the Tasks notifications bar even though they are running. |
PRJ-9261, |
Security Management |
Upgrade of Multi-Domain Server may fail when the source version is R80.10 and there is no license configured on the target machine. |
PRJ-9668, |
Security Management |
In a rare scenario, the FWD process on the Security Management may unexpectedly exit during peak hours. |
PRJ-10088, |
Security Management |
The cpm_solr process may unexpectedly exit and cause one of the following:
|
PRJ-9089, |
Security Management |
In a rare scenario, when an environment has many Gateways (dozens), the FWM daemon may unexpectedly exit when 4 GB of memory is reached. Refer to sk165015. |
PRJ-7819, |
Security Management |
In some scenarios, SmartView Monitor unexpectedly terminates when the user selects the Specific QoS Rules option in Top QoS Rules. |
PRJ-7768, |
Security Management |
In rare scenarios, publishing a session fails with the following "Action Failed due to an Internal Error" error. Discarding the session in SmartConsole completes as "discarded", but the changes are still there. The same behavior occurs in the Management API: mgmt_cli -r true discard uid <UID> number-of-discarded-changes: 4 message: "OK" |
PRJ-5447, |
Security Management |
In some scenarios, an unclear error appears when the user imports a global policy on a Multi-Domain Management Server. The error is caused by a mismatch between the leading interface defined on the machine and the one defined in the database. |
PRJ-9299, |
Security Management |
In a rare scenario, the "SmartDashboard component failed to connect to server <IP address>. Please contact technical support" error is displayed in SmartConsole when opening the Management object for editing. |
PRJ-8230, |
Security Management |
The "Unused Objects" filter in Object Explorer may display a failure message if there are more than 20000 unused objects.
|
PRJ-9322, |
Security Management |
In some scenarios, a disconnected SmartView Monitor session appears in SmartConsole with a grayed out 'Disconnect' option, which cannot be discarded. Refer to sk165037. |
PRJ-9171, |
Multi-Domain Management |
NEW: Performance improvement for Multi-Domain environments in which many administrators are connected. |
PRJ-9236, |
Multi-Domain Management |
NEW: Performance enhancements for the delete Domain operation. |
PRJ-10746, |
Multi-Domain Management |
In some scenarios, policy installation from the Domain Management Server fails after mds_backup procedure that was interrupted. Refer to sk165559. |
PRJ-10530, |
Multi-Domain Management |
The mds_import.sh script may fail if the IPS version for a Domain/CMA does not exist on the R80.x Multi-Domain Management Server. |
PRJ-11176, |
Multi-Domain Management |
In some scenarios, Full synchronization fails in the Global Domain with "Full sync with peer '[Peer Name]' NGM failed to import data" error. Refer to sk145972. |
PRJ-10363, |
Multi-Domain Management |
After performing Full synchronization or failover of the Global Domain, the following operations may fail (refer to sk145972):
|
PRJ-11166, |
Multi-Domain Management |
In a rare scenario, synchronization between Multi-Domain Management Servers breaks after revisions purge operation. |
PRJ-2630 |
Multi-Domain Management |
In a Multi-Domain Management environment with more than 50 Domains, some Domains are not displayed in the SmartEvent GUI. |
PRJ-9240, |
Multi-Domain Management |
In some scenarios, secondary MDS or MLM fail to renew a management certificate. Refer to sk164732. |
PRJ-6985, |
Multi-Domain Management |
In some scenarios, there may be high Solr CPU on Multi-Domain Management Servers with dozens of Domains. |
PRJ-9698. |
Multi-Domain Management |
MLM may open a connection to the reversed IP address of the Multi-Domain Server. |
PRJ-10526, |
Multi-Domain Management |
Upgrade of Multi-Domain Server may fail if Sync With User Center is running. |
PRJ-9281, |
SmartConsole |
NEW: Enhancement: Two new flags were added for the performance improvement of Threat Protection API commands: 'show-profiles' and 'show-ips-additional-properties'. The default value for both flags is false. |
PRJ-3771, |
SmartConsole |
In "Top services" view of SmartView Monitor, "cp_tcp_A936..." service is displayed instead of "https" service. Refer to sk146052. |
PRJ-9465, |
SmartConsole |
In some scenarios, when the user attempts to delete a Gateway / Cluster member, an error message may appear and the operation may not complete successfully. |
PRJ-4063, |
SmartConsole |
Objects of Unused Access Roles are not visible in the Object Explorer. Refer to sk151896. |
PRJ-9079, |
SmartConsole |
In some scenarios, the Management Server may unexpectedly exit following authenticated API commands to create or update objects with extremely long comments. |
PRJ-9549, |
SmartConsole |
When the user invokes the 'show-access-layer' API command, the parent layer may be missing from the output result. |
PRJ-1449, |
SmartConsole |
In some scenarios, the api.elg log is flooded with the the "Returning default standard reply class" message. |
PRJ-10287, |
SmartConsole |
"An internal error has occurred. (Code: 0x8003001D, Could not access file for write operation)" error is displayed when editing IKE PSK on "External User Profile" objects using Legacy SmartDashboard. Refer to Scenario 2 in sk119973. |
PRJ-7054, |
SmartConsole |
When performing Backup and Restore, user may get a misleading message that these operations are supported only for Gaia. |
PRJ-10634, |
SmartProvisioning |
In some scenarios, after creating a Small Office gateway using LSMCli, some fields in the Gateway object on the SmartProvsioning are not populated. |
PRJ-10139, |
SmartProvisioning |
Deletion of LSM Robo cluster may cause the FWM process to unexpectedly exit. |
PRJ-8017, |
SmartView |
SmartView may show wrong time in tables and graphs for clients located in Brazil. |
PRJ-8134, |
SmartView |
"The process <process-name> which is monitored by watchdog restarted more than once in the last half an hour" error may appear in the SmartEvent GUI status window even though the process has been up for more than 30 minutes. |
PRJ-7922, |
SmartView |
In the Logs page of the SmartView web application, the "File Name" filter may appear twice in the quick filters pane. |
PRJ-7724, |
SmartView |
In SmartView, when filtering a view using special characters in the search bar and exporting to Excel, the file may be generated empty. |
PRJ-10373, |
SmartView |
In some scenarios, after user imports view/report in SmartView, the imported view/report is not shown in the Catalog. |
PRJ-4329, |
SmartEvent |
In some scenarios, automatic reactions in SmartEvent are sent with the "Destination address" field containing the resolved country name instead of the raw IP value. Refer to sk146992. |
PRJ-7497, |
SmartEvent |
When using SmartEvent automatic reactions, *.MHT files in $RTDIR/tmp directory are not cleaned up in case of email sending failure. |
PRJ-10467, |
Security Gateway |
In a rare scenario, after upgrading a Security Gateway to R80.30, the LOG_INDEXER process running on the Log server may consume 100% CPU and cause the indexing backlog. |
PRJ-9443, |
Security Gateway |
Added logs for packets that include invalid TCP options. This feature is disabled by default. |
PRJ-9558, |
Security Gateway |
In a rare scenario, fast accel configuration may be deleted after an upgrade from R80.20 |
PRJ-10028, |
Security Gateway |
In a rare scenario, when the web server is defined, policy installation fails with "Error code 0-20000111". |
PRJ-9688, |
Security Gateway |
Traffic may be dropped on DAIP gateway after the gateway IP address is changed or the gateway is rebooted. Refer to sk165176. |
PRJ-8751, |
Security Gateway |
In some scenarios, incorrect number of outbound interfaces may be received when SecureXL is disabled. |
PRJ-10202, |
Security Gateway |
ICAP Client may not working properly when Threat Extraction Blade is enabled.
|
PRJ-10279, |
Anti-Malware |
NEW: Added support to allow Threat Extraction to scan a file download in additional scenarios. |
PRJ-10960, |
SSL Inspection |
In a rare scenario, a memory leak may appear when SSL inspection is enabled. |
PRJ-7996, |
HTTPS Inspection |
WSDNSD memory leak may appear when updatable objects are configured in the policy. Refer to sk165616. |
PRJ-9405, |
HTTPS Inspection |
In some scenarios, wrong certificate is shown by HTTPS Inspection for some websites, including certificates issued by "CloudFlare Inc ECC CA-2". Refer to sk118392. |
PRJ-11092, |
IPS |
In some scenarios, a '+' (plus sign) in an HTTP URL may be replaced with ' ' (space) when the "Forensics" feature is turned on in Threat Prevention.
|
PRJ-9539, |
Identity Awareness |
Policy installation process has been improved. |
PRJ-10759, |
Identity Awareness |
In some scenarios, multiple "idapi_load_data_impl: session id <Session ID> not found in client_db, although ip <Session IP> was assigned to it" errors appear in /var/log/messages file. Refer to sk167174. |
PRJ-7673, |
Threat Prevention |
Improvements in HTTP chunked encoding inspection. |
PRJ-7640, |
Threat Prevention |
Improved enforcement of Threat Prevention Blades in partial HTTP responses. |
PRJ-5790, |
Threat Extraction |
Link to the original file in Threat Extraction may not function properly (in cleaned files only). |
PRJ-2281, |
Logging |
NEW: Added CloudGuard SaaS Security Checkup that presents a summary of security activity and findings in your SaaS applications. This report allows reviewing phishing emails, malicious files and URLs, data loss incidents, Shadow IT detections and potentially compromised accounts. |
PRJ-7925, |
Logging |
Following changes in correlation unit settings, new logs may not be read by SmartEvent until the log_indexer process is restarted. |
PRJ-5574, |
Logging |
When a Log Server is configured to parse Syslog messages, the field "User" may be truncated in the parsed log in the Log Details view if the field contains underscore. |
PRJ-6023, |
Logging |
When restarting the FWD process on the Log server, the syslogd process (syslog daemon), may unexpectedly exit. |
PRJ-4448, |
Logging |
In SmartView, drilling down from the timeline widget to logs, may show less logs than expected. |
PRJ-5650, |
Logging |
In some scenarios, when the user creates a table widget in SmartView, there is no option to add the "hostname" field. Refer to sk162752. |
PRJ-8682, |
Logging |
In some scenarios, Threat Emulation Logs cannot be viewed in the logging or reporting views because of a certain format of the "file size" field sent from the Security Gateway. |
PRJ-8496, |
Logging |
In SmartView, when the user exports logs to CSV using the "visible columns" option, the following fields may be missing from the CSV file: Resource, Application Risk, Application Name, and Application Category. |
PRJ-5900, |
Logging |
It is not possible to query the "file_name" field on a Log server that does not have the SmartEvent activated. |
PRJ-434, |
Logging |
In SmartEvent, when the user customizes an event to accumulate logs by the field UUID, logs with UUID equal to 0 may not be correlated. |
PRJ-4982, |
Logging |
In SmartView, the percentage values in pie charts may add up to 99% or 101%. |
PRJ-9971, |
Logging |
In a Multi-Domain environment, one or more CMA's SMARTLOG_SERVER processes may fail to start after upgrade. Refer to sk165262. |
PRJ-8761, |
SecureXL |
NEW: Improved performance for multicast traffic after all listeners have been removed for an existing connection. |
PRJ-10399, |
SecureXL |
In some scenarios, asymmetric traffic is dropped on Security gateway with several Bridge interfaces. Refer to sk114976.
|
PRJ-8915, |
SecureXL |
In some scenarios, multicast packets arrive to the Security gateway in order, but leave out-of-order. |
PRJ-8979, |
SecureXL |
When PIM-SM multicast routing transitions from RPT to SPT, packets may be dropped or become out-of-order. |
PRJ-8982, |
SecureXL |
When NAT-T packets pass through a Security gateway, this traffic may be dropped. |
PRJ-10186, |
SecureXL |
In some scenarios, a general traffic latency is observed on the Security Gateway. Refer to sk165652. |
PRJ-9326, |
SecureXL |
In some scenarios, SNMP queries for SecureXL OIDs return incorrect values. |
PRJ-5029, |
SecureXL |
In a rare scenario, Security gateway may crash under heavy load. |
PRJ-2485 |
Routing |
PBR may not work for port or protocol used separately in a PBR rule.
|
PRJ-9074, |
Routing |
In some scenarios, a corrupted BGP AS4_PATH attribute value may result in an invalid, long BGP update that is rejected by the BGP peer. Refer to sk167157. |
PRJ-7490, |
Routing |
In some scenarios, the CLISH command for PBR results in an error. |
PRJ-5002, |
VSX |
Resource Monitor Control may cause segmentation fault when there are more than 64 CPUs. Refer to sk125112. |
PRJ-9994, |
VSX |
In some scenarios, traffic may be forwarded on bridge interface when member is down.
|
PRJ-10541, |
VSX |
In the menu of 'vsx_util vsls' #1 (Display current VS Load sharing configuration), the table shows cut names of VSs (original names are longer). |
PRJ-10556, |
VPN |
Improved the VPN Site-to-Site tunnel establishment scenario with IKEv2. |
PRJ-7014, |
VPN |
Added L2TP Remote Access client connectivity improvements. Refer to Scenario 2 in sk145895.
|
PRJ-6118, |
VPN |
In some scenarios, NAT-D traffic goes out from the first external interface. |
PRJ-11035, |
VPN |
In some scenarios, VPN traffic distribution change may cause high CPU consumption on one CPU core. Refer to sk165853.
|
PRJ-5763, |
VPN |
In some scenarios, accelerated VPN tunnels routed over PPPoE interface may cause drop of encrypted traffic of some connections. Refer to sk148872. |
PRJ-30753, |
VPN |
In some scenarios, when NAT is enabled, Route Based VPN traffic may be dropped. |
PRJ-2216, |
VoIP |
In some scenarios, VoIP calls are dropped with "SIP Re-Invites exceeded the limit" reject reason. Refer to sk145412. |
PRJ-7822, |
Gaia OS |
NEW: Added the /proc/sys/net/bridge/bpdu_forwarding flag to block BPDU packets per bridge setup on Gaia 3.10. |
PRJ-10803, |
Gaia OS |
CVE-2020-8597: pppd is vulnerable to buffer overflow. Refer to sk165875. |
PRJ-5186, |
Endpoint Security |
The log description of the "Media Encryption & Port Protection" Blade may state that the "Media Storage" is encrypted even though it is not. The details in the log show the correct value. Refer to sk162812. |
- |
SMB |
NEW: R80.30 Jumbo Hotfix Accumulator Take 195 supports the new SMB 1500 appliances LSM. |
PRJ-10119, |
Compliance |
In some scenarios, database import on a single Domain machines where the Compliance Blade is activated fails, and as a result, the FWM process unexpectedly exits after the import. |
Take 191 Released on 22 April 2020 and declared as General Availability on 30 April 2020 |
||
PRJ-11782 |
Multi-Domain Management |
Web API may be down after uninstalling Takes 163-180 of R80.30 Jumbo Hotfix. Refer to sk166393. |
Take 180 Released on 8 April 2020 |
||
PRJ-11542, |
Gaia OS |
In a rare scenario on a cluster environment, Security gateway may corrupt data or crash during an upgrade. |
Take 168 Released on 17 March 2020 |
||
PRJ-10897, |
Gaia OS |
In a rare scenario, Security gateway may crash on cluster fail-over when ISP redundancy is configured. |
Take 166 Released on 11 March 2020 |
||
PRJ-9461 |
Security Management |
NEW: Added ability for R80.30 Security Management or Multi-Domain Server to manage R80.40 Security gateway. Refer to sk164652.
|
PRJ-9813 |
Gaia OS |
NEW: Added support for Jumbo Hotfix installation on Check Point 3600, 6200, 6600 and 6900 appliances. Refer to sk110052 and sk139932.
|
PRJ-9318 |
Gaia OS |
On 3600 and 3600T appliances, alarm led turns on if one of the PSU is disconnected. Refer to sk166000.
|
Take 163 Released on 5 March 2020 |
||
PRJ-9397, |
Security Management |
In a rare scenario, the FWM process will utilize 100% CPU, and connections to SmartConsole may fail. |
PRJ-8492, PMTR-48267 |
Security Management |
When reverting a security layer to a previous revision, if there are rules which are currently disabled, but were enabled in the selected previous revision (or vice versa), their status may not be reverted. |
PRJ-5450, |
Security Management |
In some scenarios, an upgrade from R7x secondary Multi-Domain Server with active Domains may fail. |
PRJ-8376, |
Security Management |
In some scenarios, the exported database may be very large and include redundant data. |
PRJ-7468, |
Security Management |
Global policy reassignment may fail after a rulebase is deleted in the Global Domain. |
PRJ-7918, |
Security Management |
When installing policy to a Cisco router, an automatic ACL number change may cause networking issues. |
PRJ-7413, |
Security Management |
In a rare scenario, all users connected to the Management Server get disconnected and new logins fail until the Management Server is restarted. |
PRJ-3039, |
Security Management |
In some scenarios, the Management Server takes a long time to start or even fails to start. |
PRJ-8095, |
Security Management |
In some scenarios, policy installation fails when the installation target is Check Point Host. |
PRJ-8876, |
Security Management |
Added support for Internal CA certificate replacement. |
PRJ-7784, |
Security Management |
In some scenarios, HA synchronization in the Global Domain fails with the "Failed to sync peer - Global Domain is incompatible with the Domains." error. |
PRJ-8859, |
Security Management |
If the database contains an internal user object with the same account name as an administrator object, then after the user publishes any change to the administrator object, the login in a VPN client with the internal user account may fail. |
PRJ-8799, |
Security Management |
If the database contains an internal user object with the same account name as an administrator object, then after the user publishes any change to the internal user object, the login in SmartConsole with the administrator account may fail. |
PRJ-7457, |
Security Management |
In some scenarios, upgrade fails with the "Satellite object of type GatewayAggregator not found for core object" message in cpm.elg file. |
PRJ-8189, |
Multi-Domain Management |
The Administrator and Trusted Clients pop-up editors at the Multi-Domain Server level show all domain names linked to these objects. Domain Managers with partial permissions, may see the names of domains that they are not permitted to see. |
PRJ-7831, |
Multi-Domain Management |
In some scenarios, upgrade of R7x secondary Multi-Domain Management Server or Multi-Domain Log Server fails. |
PRJ-6786, |
SmartConsole |
NEW: LDAP advanced query now supports ANR filtering. |
PRJ-5100, |
SmartConsole |
When editing the description of a revision, the "Changes" field is reset to 0. |
PRJ-8650, |
SmartConsole |
In some scenarios, on a Global domain, when the user sets a logging option of an IPS protection whose activation is Detect or Prevent, the activation of the protection is set to "Inactive" on the local domain after an Assign Global Policy operation. |
PRJ-7943, |
SmartConsole |
In some scenarios, when running the "show-mdss" command with the "details-level full" option, not all Domains are retrieved. |
PRJ-6143, |
SmartConsole |
After an upgrade of R80.10 Management, cloned Multi-Domain super user permission profiles (Read/Write permission profiles) may be missing the "Global VPN Management" permission. |
PRJ-8701, |
SmartConsole |
The shared secret's edit button may be grayed out. |
PRJ-7771 |
SmartConsole |
The API command 'show-api-versions' may return version 1.6 instead of 1.5. Refer to sk163942. |
PRJ-9081, |
SmartConsole |
In some scenarios, IPS update fails in the Global Domain after an upgrade from R80.10. |
PRJ-8351, |
Security Gateway |
Improved the ICAP client connectivity when using Trickling mode 3 in settings. |
PRJ-7333, |
Security Gateway |
Connectivity issues may appear when ISP Redundancy is configured. |
PRJ-7801, |
Security Gateway |
In a rare scenario, ROUTED process unexpectedly exits under high load. |
PRJ-7374, |
Security Gateway |
Improved multicast routing under high load and/or during system initialization. |
PRJ-9051, |
Security Gateway |
Global connections may not be freed correctly when the Gateway acts as a Proxy. |
PRJ-8906, |
Security Gateway |
"fwk_build_cparams_hashes: failed to create str cparams hash" dmesg error may appear during policy installation. |
PRJ-8723, |
Security Gateway |
Improved scalability of DOS/Rate limiting rules. |
PRJ-3477, |
Security Gateway |
In a topology in which Client and Server are connected to the Security Gateway using two different interfaces each, for example: Client -- eth1 <Gateway> eth2 -- Server Client -- eth3 <Gateway> eth4 -- Server The response packets from Server to Client may be incorrectly routed back to the Server because of an incorrect route cache in the Security Gateway. |
PRJ-7088, |
Security Gateway |
In some scenarios, connectivity problems may appear due to proxy arp table that is not updated after policy installation. |
PRJ-8646, |
Security Gateway |
In a rare scenario, ICAP client requires manual steps to activate RESP mode after running cpstop ; cpstart. |
PRJ-8152, |
Security Gateway |
Policy installation on Cluster may fail if the Cluster member name is longer than 64 characters. |
PRJ-7879, |
Security Gateway |
In a rare scenario, there is no HTTPS Inspection when ICAP client is enabled. |
PRJ-8877, |
Security Gateway |
In some scenarios, there is no SIC after applying the ICA certificate replacement procedure. |
PRJ-7870, |
Security Gateway |
Improved DNS caching and negative DNS response handling. |
PRJ-7752, |
Security Gateway |
In some scenarios, there is no SIC after applying the ICA certificate replacement procedure. |
PRJ-2795, |
IPS |
In some scenarios, the interface name is not displayed correctly in the IPS log. |
PRJ-8880 |
IPS |
In a rare scenario, Security gateway may crash due to NULL pointer reference.
|
PRJ-9195, |
Anti-Malware |
In a rare scenario, policy installation fails when the Security Management Server is handling a large number of Security Gateways. |
PRJ-6114 |
Threat Extraction |
In rare scenarios, files fail to download when the Threat Extraction Blade is active. |
PRJ-6075, |
Identity Awareness |
Machine identity for Terminal Server agent is not identified unless Identity Agent is also enabled on the Security Gateway. |
PRJ-8424, |
Identity Awareness |
Identity Awareness performance improvements in large scale environments. |
PRJ-8279, |
SSL Inspection |
In some scenarios, some HTTPS sites are not categorized when both "Categorize HTTPS Sites" and "HTTPS Inspection" are enabled. |
PRJ-8340, |
SSL Inspection |
In a rare scenario, memory leak may appear in ICAP client when HTTPS Inspection is enabled. |
PRJ-7653, |
SSL Inspection |
HTTPS Inspection's default CA certificate was upgraded to use a signing algorithm based on SHA256 instead of SHA1. Refer to sk163932. |
PRJ-7166, |
SSL Inspection |
NEW: Added support for proxy configuration when downloading CRL from a VSX device. Refer to sk151115. |
PRJ-8551, |
Logging |
NEW: Log Exporter feature exports log attachment identifiers and adds the ability to fetch them through the Management API command. |
PRJ-3654, |
Logging |
SmartEvent may not correlate certain Anti-Virus logs. |
PRJ-6190, |
Logging |
Widgets inside SmartView's "Views and Reports" may result in "Query Failed" messages when filtered by the "Log Server Origin" field. |
PRJ-6698, |
Logging |
In some scenarios, exporting a large number of logs to Excel may fail and cause SmartView to restart. |
PRJ-7709, PMTR-39944 |
Application Control |
In some scenarios, HTTP traffic is blocked with "HTTP parsing error occurred (2)" and "parameters are undecodable in request" errors. Refer to sk160092. |
PRJ-7553, |
ClusterXL |
In a rare scenario in a ClusterXL environment, SYN Defender may incorrectly drop a valid traffic. |
PRJ-7638, |
ClusterXL |
The "set router-options auto-restore-iface-routes" command is now deprecated. |
PRJ-7705, |
SecureXL |
Some traffic may not pass when Policy Based Routing (PBR) and SecureXL are enabled. Refer to sk163252. |
PRJ-7502, |
SecureXL |
In some scenarios, new connection may fail to open if it is reopened with the same source port. Refer to sk164839. |
PRJ-7561, |
SecureXL |
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. Refer to sk147093. |
PRJ-4341, |
SecureXL |
In some scenarios, IP-VLAN traffic traversing a bridge of two physical interfaces has the VLAN tag stripped.
|
PRJ-8976, |
SecureXL |
When NAT-T packets pass through a standalone gateway, this traffic may be dropped if SecureXL is enabled.
|
PRJ-600, |
SecureXL |
SYN Defender status in CPView sometimes appears as invalid. |
PRJ-6157, |
SecureXL |
In some scenarios, SecureXL causes an issue in the routing of multicast traffic. |
PRJ-8780, |
SecureXL |
In a rare scenario, DOS/Rate Limiting Logs are not searchable. |
PRJ-4383, |
SecureXL |
In some scenarios, DOS/Rate Limiting configuration is not applied after reboot if no fw samp policy is configured. |
PRJ-7192 |
Gaia OS |
NEW: Added support of Jumbo Hotfix Accumulator on Smart-1 625 appliances. |
PRJ-7719, |
Gaia OS |
16000 and 26000 Appliances with CPAC-4-1/10F-C NICs (using i40e driver) connected to some specific Cisco switches are flopping. Refer to sk163267. |
PRJ-5983, |
Gaia OS |
In a rare scenario, there is network interface flapping with Intel (igb) interfaces connected to Cisco switches. Refer to sk163852. |
PRJ-7372, |
Gaia OS |
In some scenarios, the iDRAC (LOM) interface is not pingable. |
PRJ-8770, |
Routing |
PIM may be unable to resolve outbound interface of multicast route when unicast route lookup fails. |
PRJ-7407, |
Routing |
When MaaS tunnels are added, the routed process may unexpectedly exit. |
PRJ-7303, |
Mobile Access |
In a rare scenario, when Mobile Access Blade is enabled, the Security Gateway may crash with vmcore. |
PRJ-7066, |
CloudGuard |
In some scenarios, subnet objects may not contain all the relevant IP addresses for VMSS VMs. |
PRJ-5941, |
Endpoint Security |
NEW: Added the feature to use epmCommands with object nids. |
PRJ-5943, |
Endpoint Security |
Some messages in the self-help portal are not properly localized in Japanese. |
PRJ-7113, |
Endpoint Security |
In a rare scenario, Endpoint Management Server on AWS crashes when the user sets the property "Gateways management" to "Over the internet" in the AWS template. |
PRJ-7114, |
Endpoint Security |
In some scenarios, Endpoint Management does not start after an upgrade to R80.30 in the environment that manages both Endpoints and Gateways. Refer to sk163537. |
PRJ-5136, |
VSX |
Performance optimization for the time object matching on VSX environment. |
PRJ-8456, |
VSX |
Adding a VD after deleting a VD fails, and then the 'netns add' command returns "RTNETLINK answers: No space left on device" error message.
|
Take 155 Released on 20 February 2020 and declared as General Availability on 1 March 2020 |
||
PRJ-9968, |
Security Gateway |
In a rare scenario, a non-HTTP traffic on port TCP/80 is dropped. |
PRJ-10115, |
Application Control |
In some scenarios, when Application Control and HTTPS Inspection are enabled and detailed or extended log is used, applications may not be matched correctly. |
Take 140 Released on 3 February 2020 and declared as General Availability on 10 February 2020 |
||
PRJ-9410, |
Security Gateway |
In some scenarios, Security gateway crashes when the Priority Queue feature is enabled. |
PRJ-5530, |
CloudGuard |
In some scenarios, centrally distributed license disappears from CloudGuard Gateways. Refer to sk151794. |
Take 136 Released on 22 January 2020 |
||
PRJ-8217, |
Security Management |
Management HA synchronization fails with error "Failed to export data" on Multi-Domain Management or Security Management server environment with at least 3 machines. Refer to sk164792. |
Take 135 Released on 13 January 2020 |
||
PRJ-6822, |
Upgrade Tools |
In some scenarios, cannot export a database using the migration tools of the current version while there are open sessions in the database. |
PRJ-4930, |
Upgrade Tools |
In some scenarios, the FWM process fails to start after a successful upgrade with the "Found an indication that the current domain was migrated, and the migration had failed. Cannot start after a migration failure" message in the fwm.elg file. |
PRJ-7423, |
Infrastructure |
In some scenarios, Anti-Bot/ Anti-Virus / IPS / Threat Emulation Blade update fails with "Curl error code 56". |
PRJ-5918, |
Security Management |
In a rare scenario, the $CPDIR/tmp/ directory is filled with "CKP_mutex::_opt_CPsuite-RXX_fw1_log__..." files. Refer to sk36754.
|
PRJ-2341, |
Security Management |
In a rare scenario, the Security Management server does not start due to a missing object, or a duplication of objects. |
PRJ-5717, |
Security Management |
In some scenarios, upgrade from R7x is not aborted when there is not enough disk space to complete the import operation. |
PRJ-5665, |
Security Management |
In some scenarios, purge revisions fails and blank lines that cannot be deleted, appear in SmartConsole Revisions view. Refer to sk163116. |
PRJ-5757, |
Security Management |
High Availability synchronization between Management Servers may fail when there is no enough disk space in the root partition. |
PRJ-5661, |
Security Management |
Blank lines may appear in SmartConsole Purge Revisions view after purging a large database. |
PRJ-4971, |
Security Management |
In some scenarios, disconnected sessions with no changes or locks appear in SmartConsole session view. |
PRJ-4835, |
Security Management |
The FWM process may unexpectedly exit when an incorrect license SKU with a specific format is applied. |
PRJ-5656, |
Security Management |
In some scenarios, cpm_status.sh reports incorrect CPM status. Refer to sk162633. |
PRJ-5097, |
Security Management |
When an administrator edits the description of a revision, he becomes the publisher of the revision. |
PRJ-7040, |
Security Management |
The 'FWM sic_reset' command does not print which object still has an IKE certificate. |
PRJ-5245, |
Multi-Domain Management |
NEW: Added the Domain Management Migration, Backup and Upgrade feature:
For more information see sk156072. |
PRJ-3688, |
Multi-Domain Management |
"dleserver.utils.UidManager" errors on cma_migrate failure on Multi-Domain Server upgraded from R80. |
PRJ-6670, |
Multi-Domain Management |
In some scenarios, traffic outage may happen after policy installation from Multi-Domain SmartConsole. Refer to sk163712. |
PRJ-7106, |
Multi-Domain Management |
The cma_migrate may fail if the IPS version does not exist on the R80.x Multi-Domain Management Server. |
PRJ-6869, |
Multi-Domain Management |
Improved Domain/CMA logs visibility. |
PRJ-5067, |
SmartConsole |
NEW: Added integration of Management API with Ansible 2.9. For more info, see: https://galaxy.ansible.com/check_point/mgmt |
PRJ-6126, |
SmartConsole |
In some scenarios, the "Installed IPS Version" information is empty in the "Gateways and Servers" view. |
PRJ-3549, |
SmartConsole |
In a rare scenario, when editing a Star VPN community, SmartConsole terminates. |
PRJ-6934, |
SmartConsole |
Threat prevention policy installation may include wrong topology warning on VSX cluster interfaces. |
PRJ-5525, |
SmartConsole |
In some scenarios, applying "Where used" from the local Domain on an object that is used in global policies, may return results from the global policies that are not assigned to the local Domain. Refer to sk162753. |
PRJ-6642, |
SmartConsole |
In some scenarios, administrator cannot open the 'RemoteAccess' - VPN community object for editing. |
PRJ-5374, |
SmartConsole |
In Multi-Domain environment, IPS protections become staging on each domain after global policy assignment while the protection does have override/staging status in the global domain. |
PRJ-2438, |
SmartConsole |
When disabling NAT for a network object and searching for the NAT IP address, the network object is still shown as part of the search results even though it should not be. |
PRJ-1678, |
SmartView |
In some scenarios, Hit Count on specific rules does not increment after they were recently created or re-ordered. Refer to sk138033. |
PRJ-5630, |
SmartView |
In SmartView, when exporting logs to Excel after drill-down, the amount of logs is less than expected. Refer to sk162621. |
PRJ-6047, |
Security Gateway |
Improved misleading log for connections that terminate before detection. |
PRJ-3350, |
Security Gateway |
In some scenarios, a designated interface may drop packets. |
PRJ-8197, |
Security Gateway |
Since R80.20, in some scenarios, predictable TCP sequences are generated by the Security Gateway. Refer to sk164775. |
PRJ-7498, |
Security Gateway |
In a rare scenario, running the "cpstop -fwflag -driver" command may cause a memory leak in IPv6 environment. |
PRJ-8009, |
Security Gateway |
Improved a Proxy connectivity while Anti-Virus Blade works in Hold mode. |
PRJ-1702, |
Security Gateway |
In some scenarios, the /var/log/messages file is flooded with ICAP related errors. |
PRJ-5890, |
Security Gateway |
In some scenarios, enabling the Multi-Queue on a line card enables the Multi-Queue also on the on-board interfaces. Refer to sk162622. |
PRJ-6640, |
Logging |
In some scenarios, user cannot see his Check Point logs in LogRhythm platform using Log Exporter. |
PRJ-5937, |
Logging |
In some scenarios, when retrieving the UserCheck logs, FWD process on the Security gateway may unexpectedly exit. |
PRJ-6855, |
Logging |
In a rare scenario, the "Logs & Monitor" view in SmartConsole freezes while scrolling down the results. |
PRJ-7815, |
Logging |
In a rare scenario involving multiple disconnections and reconnections between Security gateway and Log Server, connection is not automatically restored and logs may not be written locally. Refer to sk164852. |
PRJ-7055, |
QoS |
QoS Time Objects are not enforced in R80.20. Refer to sk163074. |
PRJ-3714, |
DLP |
DLP activation was optimized to reduce the CPU consumption. |
PRJ-7507, |
Identity Awareness |
When the Identity Awareness Blade is enabled, a memory leak may appear in LDAP sessions. |
PRJ-8193, |
URL Filtering |
In some scenarios, HTTPS traffic is not categorized as expected. |
PRJ-6863, |
Anti-Malware |
UPDATE: Improved behavior of Intelligence Feed failure. |
PRJ-7464, |
IPS |
Cannot update the Geo Policy IPToCountry database on Security Gateways. Refer to sk163672. |
PRJ-4418 |
IPS |
In some scenarios, a '+' (plus sign) in an HTTP URL may be replaced with ' ' (space) when the "Forensics" feature is turned on in Threat Prevention. |
PRJ-1825, |
SSL Inspection |
NEW: Added support of RDP over SSL inspection as part of Inbound HTTPS Inspection Blade. (Relevant for Remote Desktop Protocol Vulnerability CVE-2019-0708.) |
PRJ-634, |
SecureXL |
NEW: Added support for i40evf driver. |
PRJ-6748, |
SecureXL |
In a rare scenario, FTP Data connections do not pass while SYN Defender is active and enforcing. |
PRJ-635, |
SecureXL |
In some scenarios, virtio_net is not able to run multiqueue. |
PRJ-7712, |
SecureXL |
"sume_from_fw_forward: dropping packet of for vsid=0 due to loop prevention" dmesg errors during policy installation failure. |
PRJ-5620, |
ClusterXL |
In some scenarios, a connectivity issue takes place in ClusterXL environment after a fast "fail over"-"fail back" or a "fail over" on bridge configuration. |
PRJ-6160, |
Gaia OS |
"Gaia Web-UI recognized a non-valid input data" error when creating a scheduled backup in WebUI via SCP or FTP with special characters used. |
PRJ-5132, |
Gaia OS |
In some scenarios, the VSX Management fails to be properly restored from backup. |
PRJ-6038, |
Gaia OS |
In some scenarios, the Smart-1 3150 appliance becomes unresponsive after enabling the optical interface.
|
PRJ-3727, |
Gaia OS |
In a rare scenario, many "skb_warn_bad_offload" warnings appear in the /var/log/messages file.
|
PRJ-6588, |
Gaia OS |
16000 and 26000 Appliances with CPAC-4-1/10F-C NICs (using i40e driver) connected to some specific Cisco switches are flopping. Refer to sk163267.
|
PRJ-1758, |
Gaia OS |
A network interface may restart when changing its properties from WebUI if the interfaces configuration was performed via CLISH. |
PRJ-1261, |
Gaia OS |
CPD process may unexpectedly exit when attempting to query sensor values on Smart-1 525, Smart-1 5050 and Smart-1 5150 appliances. |
PRJ-6000, |
Routing |
In a rare scenario, last two (or more) nexthops of a BGP ECMP route disappear simultaneously and are not removed from the forwarding database. Refer to sk153552. |
PRJ-6110, |
Routing |
In a rare scenario, the routed process may unexpectedly exit during ClusterXL failover when BGP is configured. Refer to sk165682. |
PRJ-6578, |
Routing |
For compliance and interoperability with BGP peers implementing older RFC, no BGP capability is advertised if peer does not advertise it first. |
PRJ-5884, |
VSX |
The "vsx_util vsls" command does not display in full the long names of the VSX server name. Refer to sk163073. |
PRJ-6174, |
Endpoint Security |
Exported from SmartEndpoint .xlsx files may produce a warning when opened in Excel. |
PRJ-5752, |
Endpoint Security |
Endpoint Management may fail on FileVault recovery for MacOS clients, when a computer re-joins domain. |
PRJ-3404, |
VPN |
SmartView Monitor VPN tunnel status may show incorrect or missing tunnels status for a cluster object. |
PRJ-7172, |
VPN |
Packets from SSL Network Extender are dropped: "Reason: decrypted and user methods are not identical (VPN Error code 01)". Refer to sk163636. |
PRJ-7181, |
CloudGuard |
Public IP addresses for Virtual Machines and Virtual Machines Scale Sets may be missing. |
PRJ-7382, |
CloudGuard |
During a license pool creation, when a Blade service is shared between different licenses, the vsec_lic_cli tool may create multiple pools instead of one. |
Take 111 Released on 25 November 2019 and declared as General Availability on 3 December 2019 |
||
PRJ-7380 |
CPUSE |
The "The previous take wasn't fully restored. Please uninstall and install it." error is displayed when attempting to uninstall R80.30 Jumbo HotFix Take 76 or Take 107. Refer to sk163674. |
Take 107 Released on 20 November 2019 |
||
PRJ-1336, |
Security Management |
Inline layers are not verified when there are no selected targets in the 'install on' column. |
PRJ-4875, |
Security Management |
In some scenarios, when setting or modifying the Email/Phone fields of an administrator, the old values still appear at the bottom pane under "View Sessions" instead of the updated values. |
PRJ-5557, |
Security Management |
In some scenarios, policy installation fails with "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000117)". Refer to sk162554. |
PRJ-5413, |
Security Management |
In some scenarios, policy Installation fails with "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk162855. |
PRJ-2984, |
Security Management |
In some scenarios, show generic-objects API command fails with "Management Server failed to execute command". Refer to sk157693. |
PRJ-3379, |
Security Management |
In a rare scenario, the $CPDIR/tmp/ directory is filled with "CKP_mutex::_opt_CPsuite-RXX_fw1_log__..." files. Refer to sk36754. |
PRJ-5495, |
Security Management |
NEW: Added the policy verifier memory enhancement and additional debugging options. Refer to sk162453. |
PRJ-1248, |
Security Management |
High CPU utilization by FWM process when SmartEvent is enabled on the Security Management Server. Refer to sk147563. |
PRJ-5023, |
Security Management |
In some scenarios, policy verification process fails for extremely large policies. Refer to sk161412. |
PRJ-5424, |
Security Management |
In some scenarios, policy fetch fails if name of the Security gateway that tries to fetch this policy is not defined in DNS. Refer to sk150472. |
PRJ-6942, |
Security Management |
In a rare scenario, policy installation fails with "Policy installation had failed due to an internal error". Refer to sk163482. |
PRJ-4666, |
Multi-Domain Management |
The FWM process may unexpectedly exit when there is no valid license on the Multi-Domain Server. |
PRJ-7007, |
Multi-Domain Management |
The Gaia restore of Multi-Domain Server fails when using Take 76 of R80.30 Jumbo Hotfix Accumulator. Refer to sk163473. |
PRJ-3138, |
SmartConsole |
In some scenarios, DNS Maximum Reply Length IPS protection is not enforced.
|
PRJ-1511, |
SmartConsole |
In some scenarios, Installation Targets do not show the correct gateways when cloning and editing the installation targets in the same session. |
PRJ-1882, |
SmartConsole |
In some scenarios, user cannot delete a VS object since it is referenced by an automatically generated exception rule. Refer to sk167272. |
PRJ-4202, |
SmartView |
NEW: Added support for "SmartView for QRadar" extension. |
PRJ-5784, |
Compliance |
In some scenarios, the Compliance Blade checks the 'Parent rule for Domain's policy' placeholder as if it was a real rule and shows the rule index in the Firewall Best Practices relevant objects. |
PRJ-5480, |
Security Gateway |
NEW: Enhancement: NAT port exhaustion logs mechanism was updated. Refer to sk156852. |
PRJ-4805, |
Security Gateway |
NEW: Added ability to enable NAT over specific IP address avoiding a source port allocation. |
PRJ-6036, |
Security Gateway |
In some scenarios, when the ICAP server on the Security gateway is enabled, some web pages do not load. |
PRJ-4749, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits during debug. |
PRJ-946, |
Security Gateway |
Connectivity issues on some HTTPS sites (as login pages) when Security gateway is configured as proxy. Refer to sk147878. |
PRJ-2919, |
Security Gateway |
In a rare scenario, Security gateway may crash due to NULL pointer reference. |
PRJ-5326, |
Security Gateway |
Non-FQDN domain objects may not be enforced correctly when used in the Access policy along with updatable objects. |
PRJ-5820, |
Security Gateway |
In some scenarios, traffic is dropped with 'up_transaction_notify_clob failed' error in dmesg when Application Control is enabled. |
PRJ-5312, |
Security Gateway |
In a rare scenario, Security gateway freezes when IP pool NAT and VPN are used. |
PRJ-4356, |
Security Gateway |
In a rare scenario, Security gateway crashes when proxy is enabled. |
PRJ-1872, |
Security Gateway |
In some scenarios, when using Hide NAT with GRE tunnel, packets going through this GRE tunnel may get dropped. Refer to sk154492. |
PRJ-4398, |
Security Gateway |
In some scenarios, traffic is dropped with "[ERROR]: network_classifier_handle_dag: failed to get uuid of DAG bogus_ip" error in dmesg. |
PRJ-3426, |
Security Gateway |
In a rare scenario, changing the xmit-hash-policy of the bonding group while machine handling traffic, causes it to crash. Refer to sk154573. |
PRJ-4180, |
Security Gateway |
Some Web sites cannot be opened when Content Awareness or Anti-Virus/Anti-Bot is enabled, and Security gateway is configured as proxy. |
PRJ-4403, |
Security Gateway |
In a rare scenario, when X-Forwarded-For (XFF) settings are enabled on one of the policy layers and on the Security Gateway object, traffic may be accepted although it should be dropped according to Access policy. |
PRJ-771, |
Security Gateway |
In a rare scenario, memory usage may rise on Security gateway, when using service with resource with "Optimize URL logging" feature enabled. Refer to sk153052. |
PRJ-4351, |
Security Gateway |
Access rulebase may not be enforced properly when wildcard objects are used in source and destination columns. Refer to sk162692. |
PRJ-5141, |
Security Gateway |
In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when dynamic object is used in access policy.
|
PRJ-4114, |
Security Gateway |
In some scenarios, logs cannot be seen because the LOG_INDEXER process stopped working. |
PRJ-3276, |
Logging |
Log Exporter filtering feature allows to decide which logs will be exported based on values from the various fields on the raw log. |
PRJ-3210, |
Logging |
In some Full HA environment scenarios, the "Logserver <Cluster virtual IP> is disconnected" error pops up in SmartConsole log view. |
PRJ-1325, |
Logging |
In some scenarios, when running mdsstart, the following error message is shown: "/opt/CPSmartLog-R80.20/bin/smartlogstop: line 65: /opt/CPmds-R80.20/customers//CPSmartLog-R80.20/log/smartlogRun.log: No such file or directory". |
PRJ-1311, |
Logging |
In the Logs & Monitor view, the "File size" field is missing from the logs generated by Media Encryption & Port Protection Blade. Refer to sk157952. |
PRJ-2019, |
Logging |
In some scenarios, when SAM activity is defined and a Log server receives a high amount of packets, the FWD process on the Log server unexpectedly exits. |
PRJ-5338, |
Logging |
NEW: Added new Log Exporter feature to export links to the relevant log and log attachments (such as Forensics\TE report). |
PRJ-4759, |
IPS |
In some scenarios, IPS update fails as a result of error in management server installation. |
PRJ-6658, |
HTTPS Inspection |
NEW: HTTP traffic performance enhancement on VSX environment when Gzip enforcement is used. |
PRJ-5877, |
HTTPS Inspection |
In a rare scenario, Security Gateway may crash during non-compliant HTTP traffic. |
PRJ-6078, |
ClusterXL |
After installing Jumbo HotFix Take 76 only on a standby member, it's outgoing traffic does not pass. |
PRJ-4591, |
ClusterXL |
In some scenarios, arp table is not synchronized with master MAC address after fail-over. |
PRJ-5080, |
ClusterXL |
The message "fwlddist_debug_update_op: resetting to avoid overflow" should be printed only in debug mode since it's not an error. |
PRJ-4584, |
ClusterXL |
In some scenarios, installing policy in order to update the cluster topology during high load, causes the members to fail-over. Refer to sk154575. |
PRJ-4409, |
ClusterXL |
In some scenarios, when changing cluster topology and installing the policy, the cluster fails over. Refer to sk156335. |
PRJ-5859, |
SecureXL |
In a rare scenario, Host destination entries are memory leaking when neighbor entry is in incomplete state. Refer to sk157252.
|
PRJ-5153, |
SecureXL |
In some scenarios, IGMP packets are not forwarded across bridge interfaces.
|
PRJ-5154, |
SecureXL |
In some scenarios, packets with IP options are not forwarded across bridge interfaces. Refer to Issue #3 in sk154892.
|
PRJ-2815, |
SecureXL |
On cluster, Drop templates are disabled on reboot. Refer to sk153412.
|
PRJ-5152, |
SecureXL |
In a rare scenario, Security gateway may freez / crash when a multicast routing is configured. Refer to sk119299.
|
PRJ-4783, |
SecureXL |
NEW: "sim if" and "sim nonaccel" commands will be deprecated. Instead, "fwaccel if" and "fwaccel nonaccel" commands will be used to accommodate multiple SecureXL instances. |
PRJ-6850, |
SecureXL |
In some scenarios, the Security Gateway accepts the traffic, but no ARP request is sent. Refer to sk152093. |
PRJ-6100, |
SecureXL |
In some scenarios, SecureXL drops TCP packets with "Out of state" reason. |
PRJ-5155, |
SecureXL |
|
PRJ-6779, |
SecureXL |
In some scenarios, connection does not to expire correctly when NAT and some Software Blades are enabled. |
PRJ-4360, |
SecureXL |
In a rare scenario, Security gateway may crash if cpinfo reads from the /proc/ppk/cpls directory before SecureXL is initialized. |
PRJ-6150, |
SecureXL |
NEW: Added new SecureXL Fast Accelerator for Non-Scalable Platforms. Refer to sk156672. |
PRJ-834, PMTR-36031 |
CoreXL |
In a rare scenario, Security gateway may freeze when "Drop Templates" or "DOS rate" feature is enabled. |
PRJ-5469, |
SSL Inspection |
In some scenarios, several applications are not matched correctly when HTTPS Inspection enabled and URL Filtering is in HOLD mode. |
PRJ-5288, |
URL Filtering |
NEW: Improved scalability and resiliency of URL Filtering service. |
PRJ-6857, |
URL Filtering |
In a rare scenario, RAD process fails to process new kernel requests. |
PRJ-3614, |
Routing |
In some scenarios, OSPFv3 LS updates of the default route are not accepted by the Security gateway for Stub/TSA areas. Refer to sk161472. |
PRJ-6063, |
Routing |
In a rare scenario, the routed process may unexpectedly exit when a route with a local address as a nexthop is received. |
PRJ-5551, |
Gaia OS |
In some scenarios, Smart-1 405 and 410 appliances may show high voltage due to incorrect VBat thresholds. |
PRJ-1030, |
Gaia OS |
Changing the xmit-hash-policy of the bond may cause all static arp entries to disappear from the arp -a output. Refer to sk152892. |
PRJ-2191, |
Gaia OS |
Many "fwldbcast_new: too many hosts : 0" kernel messages appear in /var/log/messages file. Refer to sk153253. |
PRJ-962, |
Gaia OS |
In some scenarios, user cannot access terminal from WebUI in monitor role mode. |
PRJ-6686, |
Gaia OS |
In some scenarios, Gaia restore on Multi-Domain Server fails with error "failed to edit update registry". Refer to sk163312. |
PRJ-2819, |
Gaia OS |
While unplugging one of the Power supply cables on Smart-1 5150/5050/525 appliances a false 'No Read' message appears for ~5 seconds in both PSUs statuses (instead of Present/Input Lost/Absence). |
PRJ-4156, |
Gaia OS |
NEW: The ARP cache size limit in Clish was increased to 131072 hosts. |
PRJ-4523, |
Gaia OS |
Changing the xmit-hash-policy of the bond may cause all static arp entries to disappear from the arp -a output. Refer to sk152892. |
PRJ-3122, |
Endpoint Security |
In some scenarios, Endpoint Security Clients are in "Disconnected" state after Endpoint Security Server upgrade. Refer to sk161113. |
PRJ-2321, |
Endpoint Security |
If there is a large amount of devices which are going to be removed from the Deleted Container, the server may fail to process the epmCommands, returning "FATAL: remaining connection slots are reserved for non-replication superuser connections" error. |
PRJ-2014, |
Endpoint Security |
In some scenarios, SmartEndpoint shows "Unknown Error" when trying to open the "User and Computers" Tab "Top Bots" and software deployment by policy reports. Refer to sk151932. |
PRJ-5352, |
Endpoint Security |
In some scenarios, migrate_import fails with the "ERROR: Command completed with error code #2 and output: psql.bin: could not connect to server: No such file or directory" message in $UEPMDIR/logs/exportedFileManip*.log. |
PRJ-2913, |
Endpoint Security |
In some scenarios, when searching for a machine in SmartEndpoint and selecting it, a "Server Error" message appears. Refer to sk158432. |
PRJ-1810, |
VPN |
NEW: Connectivity enhancements for Remote Access clients using internal Office mode allocation with a long timeout. |
PRJ-4648, |
VPN |
In some scenarios, traffic is not working over Site-to-Site VPN after an upgrade. |
PRJ-2873, |
VPN |
Connectivity improvement for Remote Access clients in environments with 3rd party VPN tunnels. |
PRJ-3557, |
VSX |
NEW: Added the option to configure reject routes via vsx_provisioning_tool on Scalable Platforms Appliances. Refer to sk151473. |
PRJ-5922, |
VSX |
In some scenarios, IGMP traffic is dropped by "local interface address spoofing" in VSX HA. Refer to sk162953. |
PRJ-4674, |
VSX |
VSX configuration cannot not be applied after upgrade from R77.x to R80.x, due to duplicated VSX routes. |
Take 76 Released on 11 October 2019 |
||
- |
General |
Added GUI support for Check Point 26000 and 16000 appliances. Refer to sk162832. |
- |
General |
Added support for Check Point 26000T and 16000 model appliances and CloudGuard IaaS products AWS, Azure, GCP. |
PRJ-2726, |
Upgrade |
Added a pre-upgrade verification that Global network objects with NAT configuration are not supported. |
PRJ-718, |
Security Management |
Enhancement: added feature for tracking random CPM process crashes on Security Management server. Refer to sk150913. |
PRJ-3604, |
Security Management |
Added ability to automatically determine the API process memory allocation to avoid "Out of memory" errors. Refer to sk119553. |
PRJ-4241, |
Security Management |
When many users are connected to and actively working in the same domain in SmartConsole, they may experience:
|
PRJ-4729, |
Security Management |
After deleting a network object that is part of a network group, the audit log of the group modification does not show who is the removed member. Refer to sk164057. |
PRHF-3242, |
Security Management |
In a rare scenario, the policy verifier ignores rules with object named "Internet" used with negate operator. |
PRJ-4306, |
Security Management |
Added a mechanism to prevent the Management Server from starting if an import process was interrupted. |
PRJ-2339, |
Security Management |
In some scenarios, user cannot discard or publish a work session, receiving the general message "Internal error". |
PRJ-1762, |
Security Management |
Due to a failed full sync, FWM was restarted unexpectedly and obsolete domain sessions were used in the global policy assignment. |
PMTR-23492, |
Security Management |
Added support for Internal CA certificate replacement. |
PRJ-3874, |
Security Management |
In some scenarios, size of the shadow_object.C file increases after each policy installation, eventually causing a failure in installing a policy. |
PRJ-2341, |
Security Management |
In a rare scenario, the Security Management server does not start due to a missing object, or a duplication of objects. |
PRJ-1493, |
Security Management |
In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when dynamic object is used in access policy. |
PRJ-1380, |
Security Management |
In some scenarios, upgrade from R7x fails with core file of cpdb process due to an empty field in 'autoupdate_and_install_settings' object. |
PRJ-1974, |
Security Management |
In some rare scenarios CPM server does not start after a failure in delete domain. |
PRJ-1518, |
Security Management |
Performance and stability improvements in large High Availability setups. |
PRJ-3879, |
Security Management |
Cannot export a .pdf file from the License inventory view after Jumbo HotFix installation on the Management server. |
PRJ-1375, |
Security Management |
In some scenarios, High Availability synchronization between Management Servers fails and HA menu is disabled. |
PRJ-3689, |
Security Management |
New policy creation may fail when there are no installation targets defined in this policy. |
PRJ-1903, |
Security Management |
After opening and searching in pickers for a few times, the "error retrieving results" message appears when opening a picker. |
PRJ-2488, |
Security Management |
In some scenarios, a validation incident about Invalid Email Address is presented in SmartConsole after upgrade from R77. |
PRJ-2441, |
Security Management |
In some scenarios, QoS policy installation fails when installing the Blade without installing Access or Threat Blades of the same policy first. |
PRJ-2788, |
Multi-Domain Management |
In some scenarios, Multi-Domain Server upgrade from R80 fails due to an internal error related to deprecated application objects. Refer to sk157752. |
PRJ-5639 |
CPInfo |
In some scenarios, the CPInfo tool does not show/collect the correct information after Jumbo Hotfix installation. Refer to sk162775. |
PRJ-4415, |
Compliance |
In some scenarios, some of the Best Practices show "N\A" status in the Compliance Blade dashboard. |
PRJ-1273, |
Logging |
In a rare scenario, when an environment has many gateways (dozens), FWM on the log server may crash when reaching to 4 GB memory. |
PRJ-4965 |
Logging |
In a rare scenario, a specific log fails to be written and an alert informing on this is displayed in SmartConsole. |
PRJ-2678, |
Logging |
In a rare scenario, the accounting of bytes in a report is not accurate. |
PRJ-871, |
Logging |
In a rare scenario, SmartConsole does not show indexed logs because the LOG_INDEXER process stopped working. Refer to sk152934. |
PRJ-1158, |
Logging |
In SmartView, if a view contains 2 map widgets, one displaying source countries and the other displaying destination countries, drilling down on one of them may display incorrect data. |
PRHF-4975, |
Logging |
In some scenarios, when exporting logs with "Visible columns" option selected from SmartView, some columns return empty record. Refer to sk161712. |
PRJ-2645, |
Logging |
Running views and reports with a filter fails if the filter contains a "NOT" operator combined with parentheses. |
PRJ-3529, |
Multi-Domain Management |
In some scenarios, Administrator does not see that a revision was created in its Domain (on Domain level) after a Global policy was assigned to it. |
PRJ-3048, |
Multi-Domain Management |
If user deletes a CLM from a Domain (it's forbidden, the validation was added), the CLM remains as partially deleted and user cannot create a new one. |
PRJ-3527, |
Multi-Domain Management |
Objects on Domain level that should be shown on the Multi-Domain Server level, sometimes are not shown correctly. |
PRJ-2385, |
Multi-Domain Management |
In a rare scenario, CPM server fails to start after successful Domain deletion. |
PMTR-38211, |
Multi-Domain Management |
In some scenarios, logs are not saved under $MDS_FWDIR/log/failed_tasks directory. |
PRJ-799, |
Multi-Domain Management |
In some scenarios, the "Unable to connect to server. Please make sure the server is up and running." error appears when trying to log into single Domain from SmartConsole. Refer to sk153293. |
PRJ-1567, |
Multi-Domain Management |
Deletion of Domain failed with "Could not send message" error when having large amount of gateways in the Domain. The Domain remain without Domain Servers. |
PRJ-1303, |
Multi-Domain Management |
When running the 'add-domain' Web API command on an existing Domain, the original Domain may be deleted. |
PRJ-1444, |
Multi-Domain Management |
In some scenarios, gateways are missing in the 'Gateways and Servers' view in SmartConsole on the MDS level. |
PRJ-2245, |
Multi-Domain Management |
The mds_backup command will generate an output file of format .tar instead of .tgz to improve the duration time of backup (mds_backup) and restore (mds_restore) of Multi-Domain Server. Refer to sk163300. |
PRJ-1532 |
Multi-Domain Management |
In a specific scenario, Global policy rules may change order after Multi-Domain Server upgrade. Refer to sk155432. |
PRJ-374, |
Multi-Domain Management |
In a rare scenario, FWM process unexpectedly exits on the Domain level during login. |
PRJ-1970, |
SmartConsole |
In setups with a large quantity of network object, users may experience slowness when editing the HTTPS Inspection policy.
|
PRJ-3870, |
SmartConsole |
In a rare scenario, when user clicks on Mail Transfer Agent (MTA) options in the Security gateway settings or on 'Next hop' column inside MTA settings, SmartConsole shows "Not Responding" and freezes. Refer to sk161232.
|
PRJ-619, |
SmartConsole |
In some scenarios, upgrade fails with "com.checkpoint.management.classes.dle.triggers.internal.VersionInfo.VersionInfo" exception in cpm.elg file. |
PRJ-1879, |
SmartConsole |
In some scenarios, SmartConsole unexpectedly exits while adding or removing many objects via Web API. |
PRJ-1210, |
SmartConsole |
Pre-shared keys are missing after upgrade. |
PRJ-832, |
SmartConsole |
Redundant layers appear in the output of the 'show-package' command when Global policy holding more than one layer, is assigned to Domain. |
PRJ-1144, |
SmartConsole |
Management API command "put file" can be used for command execution with certain permissions. |
PRJ-1434, |
SmartConsole |
In some scenarios, SmartConsole terminates when installing policy on many targets at once. |
PRHF-2194, |
SmartConsole |
In some scenarios, Client certificate is removed when deleting Domain that is included in certificate's permissions. |
PRJ-2142, |
SmartConsole |
Added the protectionExternalInfo property in the overrides object that displays the CVEs in the output of 'show threat-profile' command. |
PRJ-2419, |
SmartProvisioning |
In VPN Community managed by SmartProvisioining:
|
PROV-2068, |
SmartProvisioning |
In some scenarios in SmartProvisioning:
|
MCFG-199, |
SmartProvisioning |
SmartUpdate generates audit log even when no action was taken. |
PRHF-3392, |
SmartProvisioning |
In VPN star community managed by SmartProvisioning, VPN tunnels may not be established after installing policy to CO gateway (center). Refer to sk152612. |
PRJ-4311, |
Security Gateway |
In some scenarios, a remote client disconnects after one hour although the session is not idle. Refer to sk160213. |
PRJ-3589, |
Security Gateway |
Disabling connections timestamp does not work on active streaming connections. Refer to sk62700. |
PRJ-4416, |
Security Gateway |
In a rare scenario, Security gateway crashes during QoS policy installation. |
PRJ-4804, |
Security Gateway |
Enabled avoiding source port allocation for specific predefined connections. |
PRJ-4147, |
Security Gateway |
In a rare scenario, Security gateway may crash due to NULL pointer reference.
|
PRJ-4615, |
Security Gateway |
In some scenarios, VoIP traffic is dropped with "allocate_port_impl: could not find a free port;" error in dmesg. |
PRJ-4758 |
URL Filtering |
Improved scalability and resiliency of URL Filtering service.
|
PRJ-4845, |
SSL Inspection |
In a rare scenario, when SSL Inspection is enabled and there is big latency, Microsoft websites (for example Azure) may not respond. Refer to sk150175. |
PRJ-1161 |
IPS |
CMA migration may take a long time when there are many IPS protections local overrides. |
PRJ-5173, |
IPS |
In some scenarios, categorization of HTTPS sites over IPv6 does not work as expected. |
PRJ-1666 |
Threat Emulation |
Management Server upgrade may fail in these scenarios:
Refer to sk150793. |
PRJ-3370, |
Threat Prevention |
Deleting a Threat Prevention profile may fail if the IPS profile has many overrides. Refer to sk136552. |
PRJ-4148, |
Threat Prevention |
Upgrade fails due to invalid Threat Emulation settings connected to gateways that no longer exist or to cluster members.
|
PRJ-5077, |
Threat Prevention |
In a rare scenario, R80.30 Security gateway managed by R80.30 Management crashes when running a Threat Prevention Software Blade with the Forensics feature enabled. Refer to sk161812.
|
PRJ-1919, |
Identity Awareness |
Security hardening for Identity Awareness Agent (IDA) enforcement according to XFF IP. |
PRJ-3478, |
Identity Awareness |
Performance improvement of Identity Awareness kernel tables for Cluster and multi-fw1 instances gateways. |
PRJ-3478, |
Identity Awareness |
In a rare scenario, identities are missing from all connected Identity Gateways (PEPs). |
IDA-1987, |
Identity Awareness |
In a rare scenario, sessions longer than 24 hours disappear from the Identity Gateway (PEP) but exist on the Identity server (PDP) |
IDA-1981 |
Identity Awareness |
Users are not propagated from the PDP to the PEP on a specific network due to a rare race condition between register and unregister requests triggered by different instances or cluster members. |
PRJ-1926 |
Identity Awareness |
The output of pep show pdp all command on the Identity Gateway (PEP) contains "inx invalid type (0)" instead of an Identity server (PDP) IP address. |
PMTR-32539, |
Identity Awareness |
Users are not authenticated when an identity source provides the login name in an 'User Principal Name' format "user@domain". Refer to sk147417. |
PRJ-3137, |
ClusterXL |
Added support for Cluster Load Sharing without IPSec VPN. To enable the support, refer to sk162637. |
PRJ-1657, |
ClusterXL |
In some scenarios, unable to connect to the Standby Cluster member from a non-local subnet via SSH or WebUI. Refer to sk147493. |
PRJ-2147, |
ClusterXL |
In a rare scenario, the fw_workers process consumes high CPU on the Standby member of a ClusterXL. Refer to sk156333. |
PRJ-3295, |
CoreXL |
In a rare scenario, Custom affinity configuration is overwritten when HT is enabled. Refer to sk158112. |
PRJ-998, |
CoreXL |
In some scenarios, VPN connection's records remain in the Global connections table even after the connection expires. Refer to sk155332. |
PRJ-2397 |
CoreXL |
"fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312. |
PRJ-1299 |
SecureXL |
In a rare scenario, multicast routing lookup may lead to SIM crash. |
PRJ-631, |
SecureXL |
In some scenarios, latency is observed on the Security gateway. Refer to sk162914. |
PRJ-1177, |
SecureXL |
Added sim module parameter "sim_anti_spoofing_enabled" to allow disable of anti-spoofing in Performance Pack without installing new Firewall policy. |
PRJ-1642, |
SecureXL |
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. Refer to sk147093. |
PRJ-4622, |
SecureXL |
In some scenarios, sending IP fragmented traffic through a Virtual Switch or Virtual Router fails with "Virtual defragmentation error". |
PRJ-4735, |
SecureXL |
In some scenarios, Policy Based Routing (PBR) does not work properly when acceleration is enabled. |
PRJ-2119, |
SecureXL |
In a rare scenario, Host destination entries are memory leaking when neighbor entry is incomplete state. Refer to sk157252. |
PRJ-1218, |
SecureXL |
In some scenarios, multicast traffic is not forwarded across bridge interfaces. |
PRJ-1252, |
SecureXL |
On cluster, Drop templates are disabled on reboot. Refer to sk153412. |
PRJ-3658, |
SecureXL |
In a rare scenario, a VSX gateway may crash. Refer to sk160912. |
PRJ-806, |
SecureXL |
In a rare scenario, a Policy Based Routing (PBR) does not work although configured. |
PRJ-2323, |
Gaia OS |
The restore backup operation fails if the machine was installed via ISO during the backup, and via CPUSE during the restore. |
PRJ-1477, |
Gaia OS |
Backup task may fail if SmartConsole is open during backup. |
PRJ-3136, |
Gaia OS |
In some scenarios, the IGB driver interfaces are occasionally down after reboot of a Management machine. Refer to sk135532. |
PRJ-3365, |
Gaia OS |
'|' and '-' characters cannot be used in the message banner. |
PRJ-3113, |
Gaia OS |
Added support for LOM (iDRAC) interfaces. |
PRJ-1677 |
Gaia OS |
Clish command "show system init-services" and Expert command "service --status-all" run "mdsstart" on the server. |
GAIA-4695, |
Gaia OS |
When running "service vmtoolsd restart" command on Gaia installation with VMware, the "Installing memory driver: FATAL: Module vmmemctl not found. [FAILED]" error is displayed although the vmw_balloon.ko driver is loaded. |
PRJ-1771, |
Routing |
The default OSPF instance binding is missing. |
ROUT-484, |
Routing |
In some scenarios, legitimate subnets of 0.0.0.0 (for example 0.0.0.0/1) cannot be configured for certain routing features, like static routes, PBR, routemaps, etc. |
PRJ-4279, |
VSX |
In a rare scenario, machine crashes when using VSX with Virtual Switch (VSW). |
PRJ-4921, |
VSX |
In some scenarios, the fwk process may crash when VSX gateway is upgraded to R80.30. |
PRJ-4956, |
VSX |
In some scenarios, traffic does not pass in VSX setup with VS-VSW-VS topology and some Threat Prevention Blades enabled on VSs. |
PRJ-1420, |
VPN |
Improved the VPN connectivity for VSX and User-Space Firewall gateways. |
PRJ-4740, |
VPN |
In some scenarios, VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment. Refer to sk154692. |
PRJ-1385, |
VPN |
In some scenarios with acceleration enabled, traffic through VR for a VPN setup does not pass. |
PRJ-2348, |
VPN |
Remote Access client randomly disconnect / unable to connect when DHCP multi-homed server is configured. |
PMTR-38041, |
VPN |
In some scenarios, the Phase-2 negotiation fails with "Reason: Wrong value for: Encapsulation Mode" after upgrade. Refer to sk157092. |
Take 50 Released on 3 September 2019 and declared as General Availability on 24 September 2019 |
||
- |
General |
Added support for Gaia kernel 3.10. |
- |
General |
Added support for Check Point 26000 and 16000T model appliances and CloudGuard IaaS products AWS, Azure, GCP. |
PRJ-2300 |
Security Management |
Added Management support for 16000 and 26000 appliances.
|
PRJ-5065, |
Multi-Domain Management |
Import of Multi-Domain Management Server fails when Jumbo HotFix is installed on the target machine and the source machine is R77.x. |
PRHF-3248, |
Security Gateway |
In a rare scenario, Security gateway freezes when Priority Queue is enabled. Refer to sk149413. |
PRJ-3736, |
Security Gateway |
In some scenarios, when a connection is accelerated and ICMP packet is sent from a server to a client, it is being dropped by Security gateway. |
PMTR-25703, |
Security Gateway |
In a rare scenario, when configured as a proxy/ICAP client, a Security gateway may crash when using HTTPS Policy Categorization.
|
PRJ-5028 |
Threat Prevention |
In a rare scenario, R80.30 Security gateway managed by R80.30 Management crashes when running a Threat Prevention Software Blade with the Forensics feature enabled. Refer to sk161812. |
PRJ-2891, |
Logging |
|
PRJ-2896, |
Logging |
In a rare scenario, cannot open new tab in SmartView after exporting data using a relative time filter. |
PRJ-1825, |
SSL Inspection |
Added support of RDP over SSL inspection as part of Inbound HTTPS Inspection Blade. (Relevant for Remote Desktop Protocol Vulnerability CVE-2019-0708.)
|
PRHF-4193, |
CoreXL |
"fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312.
|
PMTR-35350, |
CoreXL |
In some scenarios, VPN connection's records remain in the Global connections table even after the connection expires. Refer to sk155332.
|
PRJ-2734, |
CoreXL |
In a rare scenario, Security gateway may freeze when "Drop Templates" or "DOS rate" feature is enabled.
|
PRJ-2668, |
Gaia OS |
CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192. |
PRJ-1981, |
Gaia OS |
IPv6 address configured on VLAN interfaces is missing after reboot.
|
PRJ-2579, |
Gaia OS |
Status of newly created VLAN interface is "off".
|
PRJ-2561, |
Gaia OS |
When adding more than 256 bridge interfaces, CPD process unexpectedly exits, bringing down SIC.
|
PRJ-2782, |
CPView |
The SMT Status is "Unknown" instead of "Enabled" in CPView.
|
PRJ-4055, |
VSX |
In some scenarios, a new hotfix installation via CPUSE fails on VSX. Refer to sk159713.
|
PMTR-39868, |
VSX |
In some scenarios, traffic is dropped on VSX. Refer to sk160352. |
Take 19 Released on 2 July 2019 and declared as General Availability on 4 August 2019 |
||
PRJ-634, |
SecureXL |
Added support for i40evf driver. |
PRJ-451, |
Security Management |
In a rare scenario, a failure in policy installation causes a false "Policy installation is currently in progress" error message. |
PRJ-1647, |
Multi-Domain Management |
Improved duration of Multi-Domain Server upgrade from R80.10. |
PRJ-593, |
Multi-Domain Management |
Multi-Domain Server processes must be down when running cma_migrate. |
PRJ-1787, |
SmartConsole |
In a rare scenario, when using "add-threat-exception" API command to empty rulebase, it fails with the "Runtime error: Index: -1, Size: 0" error. |
PRJ-1552, |
Logging |
|
PRJ-748 |
Logging |
In a rare scenario, cannot open new tab in SmartView after exporting data using a relative time filter. |
PRJ-633, |
SecureXL |
Debug messages are not printed when running "fwaccel dbg -m adp all" and sending multicast packets through the Security gateway. |
PRJ-898, |
VSX |
When SecureXL and IPS are enabled on VS connected to VR, HTTP traffic does not pass the internal Host. |
PRJ-2371, |
Gaia OS |
CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192. |