List of All Resolved Issues and New Features

In a rare scenario, the CPView history service may unexpectedly exit.

• Fix is relevant for Gaia 3.10 only.

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

Management HA synchronization may fail with the "NGM failed to import data" error.

Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag.

If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status.

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly.

UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.

After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash.

Deleting IP addresses in the SAM Database may fail.

The CPD process may unexpectedly exit and create core dump files.

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated.

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout.

When ClusterXL is configured, a file may pass without inspection during a failover.

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

There may be high CPU or/and latency in CIFS/SMB connections.

In an environment with a cluster in Active/Standby bridge mode, a kernel memory leak may occur.

• Fix is relevant for Gaia 3.10 only.

UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. Refer to sk178484.

Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705.

In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt.

In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash.

• Fix is relevant for Gaia 3.10 only.

UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970.

UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10.

Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436.

In rare scenarios, the Management Server may fail to start due to incorrect session handling.

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129.

Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server.

Install Policy preset fails if the Threat Prevention policy was uninstalled.

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

In some scenarios, deleting a Security Gateway object fails with the "Action failed due to an internal error" error.

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

• Fix is relevant for Gaia 3.10 only.

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error.

UPDATE: SmartView reports will show the new Check Point logo

The "cp_log_export" command fails with the "sed: invalid option - E" error.

When SmartConsole is connected to a Domain Management Server, in the Logs&Monitor view:

• When filtering logs with the query "service:", SmartConsole does not show a drop-down list with available services.

• When filtering logs with the query "origin: <Name of Security Gateway Object>", SmartConsole shows "No matches found for your search".

Refer to sk178904.

In some scenarios, logs related to Content Awareness are missing.

Cluster failover may trigger the FWK process to exit, with no traffic impact.

IPS entries for a Security Gateway onboarded to Infinity SOC may be missing from AMW_report.xml.

The PEP process may unexpectedly exit

Improved detection in some IPS protections.

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

In a rare scenario, after an upgrade and reboot, a Standby member goes down with a FullSync pnote and cannot synchronize.

After enabling the kernel parameter "fwha_drop_pkt_on_down_member" for a cluster is in Active/Active state in bridge mode (sk169495), packets may be dropped even when the member is not in Down state.

• Fix is relevant for Gaia 3.10 only.

SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped.

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.

There may be a mismatch of policy name on Virtual Switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.

In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously.

When deleting a physical interface that was added with a VLAN trunk to a VSX cluster or a VSX Gateway, it is not removed correctly from the management side and may still be seen if running the "vsx_util show_interfaces" command.

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

When using the VSX Provisioning Tool, it may not be possible to create a new warp interface, and then change the main IP address of the VS in the same transaction.

In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby.

The FWK process of Virtual Switch (VSW) may consume a high CPU.

In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.

In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file.

When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue.

The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

• Fix is relevant for Gaia 3.10 only.

In Amazon Web Services (AWS), some Gateways may be crashing frequently with vmcores.

• Fix is relevant for Gaia 3.10 only.

NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool.

UPDATE:

• Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".
• It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead.

Deleting a network group may fail because it is being used, although "Where Used" shows no usage.

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805.

Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error.

In rare scenarios, adding a service to a rule in Access Policy:

• may take a long time (more than several seconds)
• may cause SmartConsole to unexpectedly exit.

Refer to sk176004.

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

Policy installation with Directional VPN rules may fail with a verification error.

In some scenarios, in SmartConsole, the IPS update status list does not reflect correctly all the Gateways with enabled IPS Blade. Refer to sk175449.

In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967.

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

In rare scenarios, the Management Server may fail to start after an upgrade.

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

In a rare scenario, the FWM process unexpectedly exits.

During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface.

• Install Policy Preset may invoke policy installation on Gateways different from those that are defined.
• Policy installation on multiple Gateways on MDS level may trigger installation on one Gateway only.

Refer to sk178590.

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

There may be empty values in the "Office Mode IP" field in the Logs view.

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log.

Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543.

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and " fwbintabreplace: table svm_range_gateways_valid not found" from the FWD debug log.

The "vsec_lic_cli update" command now supports IP change in the license string.

There may be an incorrect error message related to MakeConnection method.

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

• Fix is relevant for Gaia 3.10 only.

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

A debug message is printed as an error.

The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424.

The Security Gateway may crash during policy installation due to memory allocation problems.

The control connection may not be refreshed together with data connection if the data connection is accelerated. Refer to sk168952.

In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout.

The log_exporter process may consume a high CPU.

• On 2200 appliances, the CPD process may unexpectedly exit because of sensor read failure.

• Sensor table values for 3600, 3600T, 3800, 6200B, 6200P, 6200T, 6400, 6600, 6700, 6900, 7000, 600-S are incorrect.

Fix is relevant for Gaia 3.10 only.

IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors.

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

Enhanced IPS package loader.

The dlpu process may unexpectedly exit with core dump file.

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

In rare scenarios, TLS probing connections may remain open for extended periods.

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

Added Syslog support for Cluster events messages.

• Fix is relevant for Gaia 3.10 only.

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

A redundant message "ACC: Accelerator started." is printed in dmesg logs.

Connectivity issues may occur after configuration of route based VPN (VTI interface). Refer to sk176368.

A memory leak may occur in the VPND process.

In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit.

Remote Access users cannot connect when a certificate issued by a configured subordinate CA is used for authentication.

IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.

UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

After deleting a warp interface in SmartConsole, the active VSX cluster member may crash.

• Fix is relevant for Gaia 3.10 only.

UPDATE: Upgraded OpenSSL to fix CVE-2022-0778. Refer sk178411.

• VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
• IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128.

Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.

In some scenarios, logs related to Harmony EndPoint may be missing.

When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway.

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436.

UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB.

In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it.

Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872.

In rare scenarios, a Management Server upgrade may fail with an error message "Object not found - [UID]" in the cpm.elg log file.

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

If there is an Administrator named "Endpoint", an upgrade of Endpoint Security Server from R77.30 version fails.

In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted.

In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a message "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:".

In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes.

In rare scenarios, a task in progress may get stuck until the Management Server is restarted.

In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.

In some scenarios, HA synchronization fails in the Global Domain after an IPS update.

In rare scenarios, an upgrade may fail when there is an OPSEC Server object configured.

In some scenarios, the Purge Revisions operation fails with an error message: "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx". Refer to sk174645.

In a rare scenario, High Availability full synchronization may fail due to a large number of records.

In rare scenarios, High Availability incremental synchronization may fail with a wrong status message.

After migrating a Domain to a Multi-Domain Management and assigning a Global Policy, if there are objects with the same name in the Domain and Global Domain, the assignment succeeds, although it must fail due to name duplication.

In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy.

In some scenarios, the output of the "cpmistat" command may contain partial information.

In rare scenarios:

• Login to the Management Server may timeout and fail
• Publish operation may take a long time.

The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used.

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005.

Management Server upgrade may fail if there is a large amount of customized column profiles in Logs View.

In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245.

In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail.

In rare scenarios, the FWM process on the Security Management Server unexpectedly exits.

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time.

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file.

In a very rare scenario, SmartConsole login attempts mail fail due to high CPU usage of the CPD process.

The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911.

NEW: SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452.

NEW: In SmartEvent GUI, added the "referrer" field for filtering correlation unit events.

In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430.

In a low log rate, there may be a delay in exporting logs using the Log Exporter.

The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces.

In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command.

When adding the "UC Block" action, log queries may not show UserCheck logs. Refer to sk174543.

Threat Emulation log description for HTTP emulation is incorrect.

In rare scenarios, in environments with many network objects, when typing a query in the search bar in the Logs tab, SmartConsole may close unexpectedly.

In the Method field, logs with the following values are not shown in the SmartConsole's Logs tab. They are only shown when opening a single log record.
The values are: MOVE, TEXT, XGET, UNDEFINED, VTTEST, ABCD, SEARCH, RPC_CONNECT, PRONECT, TRACK, CFYZ, BADMETHOD, DEBUG, MGET, GET, MKCOL, QUALYS, RNDMMTD, PRI, NESSUS, BDMT, BADMTHD.

In a rare scenario, Application Control events may not be displayed in SmartEvent.

On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239.

In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority.

In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545.

In rare cases, in SmartConsole, some logs are not shown.

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323.

Syslog messages are not shown in SmartConsole when syslog_free_text_parser.C contains references to ".ini" files which are located directly syslog folder $FWDIR/conf/syslog.

In some scenarios, in Multi-Domain Servers with many Domains, the Solr process for logs may unexpectedly exit.

NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.

UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters.

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.

• Fix is relevant for Gaia 3.10 only.

UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51.

The "fw_xlate_rule_count_dec: refcount is negative -1" message may be displayed in dmesg when IP pool NAT is used on a cluster environment.

In rare scenarios, a re-matched connection has 2 logs in SmartConsole.

In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the "PSL Drop: internal - drop enabled" message was displayed.

With this fix, the reason for the drop will be displayed.

In some scenarios, the ROUTED process may unexpectedly exit.

• Fix is relevant for Gaia 3.10 only.

After policy installation, Security Gateway may stop responding due to memory leaks.

In some scenarios, the CPD process may consume high CPU because of the memory leak in FDT (File Download Tool).

Improved the ICAP Server internal memory allocation logic.

Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.

In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated Refer to sk11088.

In a rare scenario, Security Gateway may crash.

Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log.

When a large number of VPN tunnels is configured, and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887.

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

In rare scenarios, when SACK is enabled, there may be connectivity issues.

In a rare scenario, policy installation may cause connections termination.

Improved the handling of a large number of sessions per single HTTP/S connection.

Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message.

In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start.

UPDATE: Added the option to remove proxy usage in ioc_feeds tool.

In some scenarios, the IPS update status in SmartConsole is incorrect after the automatic update fails with the "Update failed. Failed to load database" error.

In a rare scenario, the Security Gateway may crash when working with Anti-Virus.

The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS Blade is disabled. Refer to sk172903.

In some scenarios, loading Custom Intelligence Feeds that include an IP address with a subnet mask of 32 bits (x.x.x.x/32) may fail.

In rare scenarios, IoC feed loading fails due to hash parsing errors.

In a rare scenario, the Security Gateway may crash when working with Anti-Virus or Threat Emulation.

In a rare scenario, the Security Gateway may crash.

In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables.

In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped.

Proxy source IP address is not printed in the IPS logs.

In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open.

In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588.

In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process.

UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types.

UPDATE: Improved performance of Anti-Bot URL Reputation.

In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.

In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur.

In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit.

In some scenarios, a memory leak may occur in the CVPND process.

In a VRRP cluster, changes to the CCP encryption channel do not remain after reboot on Kernel 3.10. Refer to sk174968.

• Fix is relevant for Gaia 3.10 only.

Clock jumps forward/backward may cause some operations to fail and the cluster to go down.

In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly.

In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.

In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending.

The checksum of PIM "register" packets may be calculated incorrectly, causing the RP router to discard a "register" packet.

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

AS path loops may occur, although BGP multihop is configured.

The ROUTED process may unexpectedly exit.

In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts.

In some scenarios, Server connections to Remote Access L2TP clients may be unstable.

In some scenarios, NAT-T traffic outages may occur after a cluster failover. Refer to sk175552.

In rare scenarios, after policy installation, the VPND process may unexpectedly exit with core dump.

Improved VPN Site to Site tunnel establishment scenario with IKEv2. Refer to sk175092.

A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249.

In a rare scenario, a memory leak may occur.

Reauthentication of the client may lead to a memory leak.

In some scenarios, the VPN tunnel between GCP cluster and GCP peer fails to establish.

Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235.

Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.

A memory leak may occur in the VPND process.

A memory leak may occur in the VPND process in IKEv2 Site to Site VPN.

In some scenarios, when sending the SCV drop log, a memory leak may occur.

In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site.

In some scenarios, a memory leak may occur in the VPND process.

In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file.

A memory leak may occur in the VPND process.

Many "remote access client IP address and port were changed" logs are printed after an upgrade.

After a reboot, the VS's clish static ARPs configuration exists, but the static ARPs may be missing.

After upgrade, the VS names may be displayed incorrectly in the output of the "vsx stat -v" command.

Multi-Queue configuration on VSX does not remain after reboot. Refer to sk173950.

• Fix is relevant for Gaia 3.10 only.

NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.

• Fix is relevant for Gaia 3.10 only.

UPDATE: The command "show multiple-queue Affinity" deprecation message was changed.
The new message is: "This command is deprecated. Please use: show interface VALUE Multi-queue."

• Fix is relevant for Gaia 3.10 only.

A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC).

In some scenarios, the "show arp dynamic all" command displays values of VS0 instead of VS.

• Fix is relevant for Gaia 3.10 only.

In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

• Fix is relevant for Gaia 3.10 only.

• Added support for Amazon Web Services (AWS) IMDSv2 in CloudGuard Controller
• Improved connecting to GCP Data Center

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436.

Added Update 2 of HealthCheck Point (HCP) Release. Refer to sk171436.

In some scenarios, the cpmiquerybin and dbedit processes may unexpectedly exit causing a buffer overflow.

NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2.

NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629.

UPDATE: Added an environmental variable to control the sduu command timeout in the FWM process: SDUU_UPDATE_TIMEOUT.

User may fail to connect to SmartConsole after the administrator changed the RADIUS server host IP address. Refer to sk172065.

Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same".

In some scenarios, the Desktop policy fails with "Policy installation had failed due to an internal error. If the problem persists please contact Check Point support". Refer to sk171970.

In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name.

In some scenarios, when updating Check Point Host object to be a Network Policy Management and in addition configuring it as a Secondary Server, "Publish" fails with "Action Failed due to an internal error".

When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file.

In a rare scenario, the FWM process may unexpectedly unexpectedly exit.

NEW: Once a day, Multi-Domain Management Servers will check for peers that are not synchronized. If such are identified, HA full sync will be automatically initiated at the MDS level.

In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole.

Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x.

In some scenarios, HA synchronization may fail on the MDS level with the "Failed to synchronize this peer due to purged revisions in the database." message.

In some scenarios, the gateway hardware change in SmartConsole fails with "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning.

In some scenarios on Multi-Domain environments, Compliance data is not synchronized between primary and secondary Domains.

NEW: The Log exporter now supports formatting for RSA SIEM application.

UPDATE: The Log Server now supports up to 2700 Gateways (previously was 1024). Refer to sk163413.

In the SmartConsole Logs tab, the "IKE IDs" field cannot be added to column profiles.

Starting from Jumbo Take 216, logs exported in LogRhythm format via the Log Exporter, appear in an incorrect format.

In Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application.

In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention Blades, logs of the "Anti Spam" Blade are not exported.

In SmartView, when filtering with specific time filters, the result may include more logs than was requested.

When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways.

UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates.

UPDATE: Service with source port in the Access rulebase will no longer disable accept templates for all connections.

In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server.

In rare scenarios, when the "sd_global_monitor_only" property is set to "true", there is no HTTP inspection.

In some scenarios, the VSX Cluster switch may cause a core dump.

In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg.

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may stuck.

Boot may take a long time on machines with many VLANs or secondary IP addresses.

• Fix is relevant for Gaia 3.10 only.

In a rare scenario, Security Gateway may crash when handling some DNS packets.

RADIUS authentication failure messages are written to SmartConsole logs but not presented to a user. Refer to sk173927.

In some scenarios, when adding a "#" in the login banner, the banner becomes corrupted.

In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together.

In some non-VPN scenarios, MSS Adjustment (Clamping) does not work.

In some scenarios, connections are dropped with the "Virtual defragmentation error: fragment table is full" message. Refer to sk180404.

VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683.

In some scenarios, values set in fwkern.conf file may not be applied correctly.

In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may unexpectedly exit. Refer to sk172935.

In rare scenarios, DynamicID authentication fails with "server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303.

In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file.

In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing.

NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.
The feature is disabled by default. To enable it, refer to sk128212.

Optimized the PDP expired timers mechanism performance.

In a rare scenario, the Security Gateway may crash when working with Anti-Virus.

• Fix is relevant for Gaia 3.10 only.

In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, action fails with "An unexpected error has occured..." error message.

In rare scenarios, Security Gateway may crash if event app debug is enabled.

In a rare scenario, the Security gateway may crash with the "Problem with the Commit Function" error during policy installation. Refer to sk173248.

In some scenarios, the DNS response message with record type 0 may be dropped by "Non compliant DNS" protection.

Improved the HTTP protocol handling.

UPDATE: Avoid sending the TLS probe during inbound inspection when it is not necessary for the SNI-based categorization.

A table hash size may be too small for some environments and cause an increased CPU usage.

TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated.

In rare scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

The Gaia Clish command "set snmp traps trap clusterXLFailover enable" fails with "Bad Command Unknown Trap name." Refer to sk173810.

• Fix is relevant for Gaia 3.10 only.

In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file.

A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns".

In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode.

• Fix is relevant for Gaia 3.10 only.

In a VSX environment, the SYN Defender configuration may not be applied correctly.

UPDATE: Allow "set bgp internal peer <value> send-route-refresh" commands.

VRRP member freezes when deleting a VLAN interface. Refer to sk106226.

In OSPF environment, the ROUTED process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss.

In a rare scenario, the ROUTED process unexpectedly exits when creating an MFC (S,G) entry. Refer to sk176685.

In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with the "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message.

The ROUTED process with Ping enabled always gets reset during Clish reconfiguration.

In some scenarios, the ROUTED process may unexpectedly exit when there is a static route and a kernel route to the same destination.

In some scenarios, FWK process unexpectedly exits due to SNX authorization timeout in MAB's Unified Policy mode. Refer to sk173125.

Remote Access session may not be synced on the standby member VS.

• Fix is relevant for Gaia 3.10 only.

When the administrator adds more than 30 native applications, users may fail to connect via SSL Network Extender Application mode.

In some scenarios, the HTTPD process consumes a high CPU causing slowness in access to web applications.

UPDATE:

• Improved Site to Site VPN stability when it is configured with NAT.

• Enabled the global parameter "offer_nat_t_initator" by default. Refer to sk32664.

IKEv2 may cause the VPND process to unexpectedly exit when IKEv2 rekey uses certificates.

In some scenarios, user may not be able to connect because the VPND process unexpectedly exits.

In some scenarios, VPN Remote Access users are disconnected after policy installation. Refer to sk171966.

Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type.

In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266.

In some scenarios, the IKED process unexpectedly exits producing a core dump.

MEP failover with 3rd party vendors may not work correctly.

In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug.

In some scenarios, the VPND process unexpectedly exits after installing the policy.

Added VPN stability improvement in IKEv2.

In rare scenarios, all traffic is dropped with "Rulebase Internal Error" in SmartLog.

In rare scenarios, a memory leak related to gateway authentication may occur.

In a rare scenario, the IKED process stops with core dump when using Office Mode IP allocation for clients and users cannot connect.

In some scenarios, the driver's (i40e) response time for MQ settings takes a too long time.

• Fix is relevant for Gaia 3.10 only.

In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827.

• Fix is relevant for Gaia 3.10 only.

In some scenarios, the force-password-change option does not work.

In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793.

A memory leak may occur when using domain names in QoS policy rules. Refer to sk174904.

CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways.

In some scenarios, the user cannot run any dynamic routing or install any static routes, including the default route.

"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026.

SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server.

Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003.

Security policy compilation fails if the Domain network object name (FDQN name) contains space.

"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation.

On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704.

In a rare scenario, Management HA synchronization fails after the Purge Revisions operation.

UPDATE: Improved the Domain Management Server and Domain Log Server creation and deletion operations.

In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.

In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain.

In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704.

In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles.

"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' Blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management servers has the "Logging & Status" Blade disabled. Refer to sk172226.

In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker.

NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated.

When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763.

In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis.

In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results).

• In environments with more than 500K network objects, the log_indexer process may lead to a memory leak.
• In some scenarios, when there are offline logs to index, queries are slower than expected.

In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one.

In SmartView, when opening a log card popup in lower resolutions, the text in the header may be cut off.

In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done.

Deactivated Compliance Best Practices appear in the Compliance report.

NEW: Implemented new Fast-Accel producer.

The following Fast-Accel statistics are added to CPView:

• Status: current status of Fast-Accel feature (enabled/disabled).
• Configured rules: number of rules were added by the user. These rules determines whether a connection should be accelerated or not.
• Accelerated connections amount: number of accelerated connections.
• Total connections amount: total connections opened in PPAK.
• Accelerated connections percentage: percentage of accelerated connections as part of the overall traffic.
• Services distribution: number of times each service was used by the accelerated connections.

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.

In some scenarios, the "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file.

The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled.

In a rare scenario, the FWK process unexpectedly exits during debug.

• Fix is relevant for Gaia 3.10 only.

In a rare scenario, Fast Accel logs are sent although they are disabled on the matched rule. Refer to sk171336.

When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.

The connection may not exist in SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allow out of state TCP packets.

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH).

In some scenarios, VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*).

UPDATE: Exceptions are now enforced for these IPS protections:

• ASCII Request Response
• ASCII Response Response
• HTTP Header Patterns
• HTTP URL Patterns
• CIFS File Patterns

Refer to sk166222.

The fw_full (fwd daemon) unexpectedly exits producing a core dump fila and causing a cluster failover.

In rare scenarios, a memory leak may occur in a crypto module.