Take 135 - Ongoing

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 135

Released on 13 January 2020

PRJ-6822,
PMTR-37053

Upgrade Tools

In some scenarios, a database cannot be exported using the migration tools of the current version while there are open sessions in the database.

PRJ-4930,
PMTR-41602

Upgrade Tools

In some scenarios, the FWM process fails to start after a successful upgrade with the "Found an indication that the current domain was migrated, and the migration had failed. Cannot start after a migration failure" message in the fwm.elg file.

PRJ-7423,
PRJ-7424,
PMTR-44671

Infrastructure

In some scenarios, Anti-Bot / Anti-Virus / IPS / Threat Emulation blade update fails with "Curl error code 56".

PRJ-5918,
PMTR-39797

Security Management

In a rare scenario, the $CPDIR/tmp/ directory is filled with "CKP_mutex::_opt_CPsuite-RXX_fw1_log__..." files. Refer to sk36754.

  • Fix is relevant for Gaia 3.10 only.

PRJ-2341,
PMTR-38095

Security Management

In a rare scenario, the Security Management server does not start due to a missing object, or a duplication of objects.

PRJ-5717,
PMTR-42089

Security Management

In some scenarios, upgrade from R7x is not aborted when there is not enough disk space to complete the import operation.

PRJ-5665,
PRHF-6087

Security Management

In some scenarios, purging revisions fails, and blank lines that cannot be deleted appear in the SmartConsole Revisions view. Refer to sk163116.

PRJ-5757,
PMTR-43497

Security Management

High Availability synchronization between Management Servers may fail when there is not enough disk space in the root partition.

PRJ-5661,
PRHF-5965

Security Management

Blank lines may appear in SmartConsole Purge Revisions view after purging a large database.

PRJ-4971,
PRHF-5435

Security Management

In some scenarios, disconnected sessions with no changes or locks appear in SmartConsole session view.

PRJ-4835,
PRHF-5419

Security Management

The FWM process may unexpectedly exit when an incorrect license SKU with a specific format is applied.

PRJ-5656,
PRHF-5776

Security Management

In some scenarios, cpm_status.sh reports incorrect CPM status. Refer to sk162633.

PRJ-5097,
PMTR-41712

Security Management

When an administrator edits the description of a revision, he becomes the publisher of the revision.

PRJ-7040,
PRHF-6722

Security Management

The 'FWM sic_reset' command does not print which object still has an IKE certificate.

PRJ-5245,
PRJ-5250

Multi-Domain Management

NEW: Added the Domain Management Migration, Backup and Upgrade feature:

  • Backup and restore an individual Domain Management Server on a Multi-Domain Server.
  • Migrate a Multi-Domain Security Management from one Multi-Domain Server to a different Multi-Domain Server.
  • Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server to become a Security Management Server.

For more information see sk156072.

PRJ-3688,
PMTR-7744

Multi-Domain Management

"dleserver.utils.UidManager" errors on cma_migrate failure on Multi-Domain Server upgraded from R80.

PRJ-6670,
PMTR-44148

Multi-Domain Management

In some scenarios, traffic outage may happen after policy installation from Multi-Domain SmartConsole. Refer to sk163712.

PRJ-7106,
PRHF-6605

Multi-Domain Management

The cma_migrate may fail if the IPS version does not exist on the R80.x Multi-Domain Management Server.

PRJ-6869,
PRJ-6870,
PMTR-44390

Multi-Domain Management

Improved Domain/CMA logs visibility.

PRJ-5067,
PRJ-5030

SmartConsole

NEW: Added integration of Management API with Ansible 2.9. For more info, see: https://galaxy.ansible.com/check_point/mgmt

PRJ-6126,
PRHF-6532

SmartConsole

In some scenarios, the "Installed IPS Version" information is empty in the "Gateways and Servers" view.

PRJ-3549,
PRJ-7071

SmartConsole

In a rare scenario, when editing a Star VPN community, SmartConsole terminates.

PRJ-6934,
PRHF-6842

SmartConsole

Threat prevention policy installation may include wrong topology warning on VSX cluster interfaces.

PRJ-5525,
PRHF-5527

SmartConsole

In some scenarios, applying "Where used" from the local Domain on an object that is used in global policies may return results from global policies that are not assigned to the local Domain. Refer to sk162753.

PRJ-6642,
PRHF-6606

SmartConsole

In some scenarios, an administrator cannot open the 'RemoteAccess' VPN community object for editing.

PRJ-5374,
PMTR-43427

SmartConsole

In Multi-Domain environment, IPS protections become staging on each domain after global policy assignment while the protection does have override/staging status in the global domain.

PRJ-2438,
PRHF-4184

SmartConsole

When disabling NAT for a network object and searching for the NAT IP address, the network object is still shown as part of the search results even though it should not be.

PRJ-1678,
SL-1890

SmartView

In some scenarios, Hit Count on specific rules does not increment after they were recently created or re-ordered. Refer to sk138033.

PRJ-5630,
PRHF-5810

SmartView

In SmartView, when exporting logs to Excel after drill-down, the amount of logs is less than expected. Refer to sk162621.

PRJ-6047,
PRJ-6048,
PMTR-43654

Security Gateway

Improved misleading log for connections that terminate before detection.

PRJ-3350,
PRJ-6729,
SWG-2013

Security Gateway

In some scenarios, a designated interface may drop packets.

PRJ-8197,
PRJ-8198,
PMTR-47784

Security Gateway

Since R80.20, in some scenarios, predictable TCP sequences are generated by the Security Gateway. Refer to sk164775.

PRJ-7498,
PRJ-7499,
PMTR-45710

Security Gateway

In a rare scenario, running the "cpstop -fwflag -driver" command may cause a memory leak in IPv6 environment.

PRJ-8009,
PRJ-8096,
PMTR-46330

Security Gateway

Improved Proxy connectivity while the Anti-Virus blade works in Hold mode.

PRJ-1702,
PRJ-6728,
PRJ-4482

Security Gateway

In some scenarios, the /var/log/messages file is flooded with ICAP related errors.

PRJ-5890,
PRHF-6029

Security Gateway

In some scenarios, enabling the Multi-Queue on a line card enables the Multi-Queue also on the on-board interfaces. Refer to sk162622.

PRJ-6640,
SL-2819

Logging

In some scenarios, user cannot see his Check Point logs in LogRhythm platform using Log Exporter.

PRJ-5937,
PRHF-5344

Logging

In some scenarios, when retrieving the UserCheck logs, the FWD process on the Security Gateway may unexpectedly exit.

PRJ-6855,
PMTR-42177

Logging

In a rare scenario, the "Logs & Monitor" view in SmartConsole freezes while scrolling down the results.

PRJ-7815,
PMTR-42519

Logging

In a rare scenario involving multiple disconnections and reconnections between the Security Gateway and the Log Server, the connection is not automatically restored and logs may not be written locally. Refer to sk164852.

PRJ-7055,
PRJ-5881,
QOS-67

QoS

QoS Time Objects are not enforced in R80.20. Refer to sk163074.

PRJ-3714,
PRJ-6949,
PRHF-2795

DLP

DLP activation was optimized to reduce the CPU consumption.

PRJ-7507,
PRHF-5184

Identity Awareness

When the Identity Awareness blade is enabled, a memory leak may appear in LDAP sessions.

PRJ-8193,
PRJ-8194,
MBS-8939

URL Filtering

In some scenarios, HTTPS traffic is not categorized as expected.

PRJ-6863,
PMTR-41488

Anti-Malware

UPDATE: Improved behavior of Intelligence Feed failure.

PRJ-7464,
PRJ-7465,
PMTR-45826

IPS

Cannot update the Geo Policy IPToCountry database on Security Gateways. Refer to sk163672.

PRJ-4418

IPS

In some scenarios, a '+' (plus sign) in an HTTP URL may be replaced with ' ' (space) when the "Forensics" feature is turned on in Threat Prevention.

PRJ-1825,
PRHF-3890

SSL Inspection

NEW: Added support of RDP over SSL inspection as part of Inbound HTTPS Inspection blade. (Relevant for Remote Desktop Protocol Vulnerability CVE-2019-0708.)

PRJ-634,
PMTR-15461

SecureXL

NEW: Added support for i40evf driver.

PRJ-6748,
PRJ-6749,
PMTR-42788

SecureXL

In a rare scenario, FTP Data connections do not pass while SYN Defender is active and enforcing.

PRJ-635,
PMTR-22503

SecureXL

In some scenarios, virtio_net is not able to run multiqueue.

PRJ-7712,
PRJ-8244,
PMTR-18338

SecureXL

"sume_from_fw_forward: dropping packet of for vsid=0 due to loop prevention" dmesg errors during policy installation failure.

PRJ-5620,
PRJ-8021,
PRHF-5809

ClusterXL

In some scenarios, a connectivity issue takes place in ClusterXL environment after a fast "fail over"-"fail back" or a "fail over" on bridge configuration.

PRJ-6160,
PRJ-6787,
PRJ-6788,
PRHF-6143

Gaia OS

"Gaia Web-UI recognized a non-valid input data" error when creating a scheduled backup in WebUI via SCP or FTP with special characters used.

PRJ-5132,
PRJ-1545,
GAIA-4880

Gaia OS

In some scenarios, the VSX Management fails to be properly restored from backup.

PRJ-6038,
PRJ-6129,
GAIA-6587

Gaia OS

In some scenarios, the Smart-1 3150 appliance becomes unresponsive after enabling the optical interface.

  • To upgrade to R80.30 using the Jumbo Hotfix, make sure all the interfaces are in state OFF. Refer to sk146512.

PRJ-3727,
PRHF-5205

Gaia OS

In a rare scenario, many "skb_warn_bad_offload" warnings appear in the /var/log/messages file.

  • Fix is relevant for Gaia 3.10 only.

PRJ-6588,
GAIA-6588

Gaia OS

16000 and 26000 Appliances with CPAC-4-1/10F-C NICs (using i40e driver) connected to some specific Cisco switches are flapping. Refer to sk163267.

  • Fix is relevant for Gaia 3.10 only.

PRJ-1758,
PRJ-6054,
PRJ-6057,
PRHF-3943

Gaia OS

A network interface may restart when changing its properties from WebUI if the interfaces configuration was performed via CLISH.

PRJ-1261,
PRHF-3675

Gaia OS

CPD process may unexpectedly exit when attempting to query sensor values on Smart-1 525, Smart-1 5050 and Smart-1 5150 appliances.

PRJ-6000,
PRJ-7128,
ROUT-445

Routing

In a rare scenario, last two (or more) nexthops of a BGP ECMP route disappear simultaneously and are not removed from the forwarding database. Refer to sk153552.

PRJ-6110,
PRJ-6111,
PRHF-6139

Routing

In a rare scenario, the routed process may unexpectedly exit during ClusterXL failover when BGP is configured. Refer to sk165682.

PRJ-6578,
PRJ-7405,
PRHF-6603

Routing

For compliance and interoperability with BGP peers implementing an older RFC, no BGP capability is advertised if the peer does not advertise it first.

PRJ-5884,
VSX-2190

VSX

The "vsx_util vsls" command does not display long VSX server names in full. Refer to sk163073.

PRJ-6174,
PRHF-6145

Endpoint Security

.xlsx files exported from SmartEndpoint may produce a warning when opened in Excel.

PRJ-5752,
EPS-2262

Endpoint Security

Endpoint Management may fail on FileVault recovery for macOS clients when a computer re-joins the domain.

PRJ-3404,
PRJ-5954,
VPNS2S-417

VPN

SmartView Monitor VPN tunnel status may show incorrect or missing tunnel status for a cluster object.

PRJ-7172,
PRJ-7122,
VPNRA-300

VPN

Packets from SSL Network Extender are dropped: "Reason: decrypted and user methods are not identical (VPN Error code 01)". Refer to sk163636.

PRJ-7181,
PMTR-44859

CloudGuard

Public IP addresses for Virtual Machines and Virtual Machines Scale Sets may be missing.

PRJ-7382,
PRHF-7119

CloudGuard

During a license pool creation, when a blade service is shared between different licenses, the vsec_lic_cli tool may create multiple pools instead of one.