Take 210 - Ongoing

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID	Product	Description
Take 210 Released on 26 May 2020
PRJ-11386, PMTR-52087	Security Management	NEW: Significant performance improvement for policy installation time when many groups are defined on the Management Server.
PRJ-10900, PMTR-49801	Security Management	NEW: Set values for environment variables on the Management Server that will remain there after a Management Server upgrade, as well as Backup/Restore and Export/Import of the Management Server. Refer to sk165938.
PRJ-11009, PMTR-46009	Security Management	NEW: Added ability for R80.30 Security Management or Multi-Domain Server to manage 7000 and 28000 Check Point appliances. Requires R80.30 SmartConsole Build 86 (or higher).
PRJ-10994, PMTR-51743, PRJ-11117, PMTR-51778	Security Management	NEW: Added ICA Management security enhancements.
PRJ-9070, PMTR-38703	Security Management	"Policy installation had failed due to an internal error. If the problem persists please contact Check Point support" message may be displayed on policy installation failure. Refer to sk149093.
PRJ-8793, PRJ-8831 VPNRA-316	Security Management	Improved the Access Control Policy installation time for environments with high amount of objects and enabled IPSEC VPN blade. Refer to sk166321.
PRJ-8416, PRHF-7865	Security Management	When the user runs the 'add-domain' Web API command on an existing Domain, the original Domain is deleted.
PRJ-9214, PRHF-8370	Security Management	Logging into SmartConsole to the Standby Management Server with a Radius or TACACS user may fail after changing the shared secret on the Radius or TACACS object.
PRJ-10472, PMTR-49832	Security Management	In a rare scenario, export from the previous version does not complete because the Postgres dump_all process gets stuck.
PRJ-11523, PRHF-9981	Multi-Domain Management	In rare scenarios, upgrading the Multi-Domain Server fails to upgrade some Domain Servers with "IllegalArgumentException" in the upgrade log.
PRJ-12065, PRHF-10327	Multi-Domain Management	The FWM process of domains may not stop after the user runs mdsstop or mdsstop_customer.
PRJ-11073, PMTR-51815	SmartConsole	NEW: Added ability to reset the following network object fields to be empty through the Management API: ipv4-address, ipv6-address, subnet4, subnet6, mask-length4, and mask-length6.
PRJ-11905, PRHF-10275	SmartConsole	In rare scenarios, certain domain level objects may not be visible in SmartConsole at the MDS level.
PRJ-5103, PMTR-40942	SmartConsole	"An internal error has occurred" message may pop up when the user tries to modify a Revision's description.
PRJ-11458, PRHF-9941	SmartConsole	Unable to delete Snort protections in Multi-Domain environment - they still exist after deletion.
PRJ-12955, PRHF-10916	SmartConsole	Global Policy reassign in MDS may fail with 'An internal error has occurred' message after adding overrides to Snort protections.
PRJ-11391, PRJ-9293	SmartConsole	When running Management API commands, the default values for 'dereference-group-members' and 'show-membership' flags may change from "True" to "False".
PRJ-7746	Smart Provisioning	The security profile may not be visible on the new 1500 LSM Gateway wizard.
PRJ-9741, PRJ-10976, PMTR-51721	QoS	Packets to the broadcast IP address (255.255.255.255) may cause dmesg to fill with "fg_classify_and_offload_all_ifdirs: fglogRulename Failed." messages.
PRJ-11928, PRJ-11960 PRJ-11897	QoS	In some scenarios, SmartView Monitor shows "No Match" rule on QoS traffic.
PRJ-9381, PRJ-9388	Security Gateway	NEW: Added DNS Passive Learning feature for enhanced non-FQDN domain objects & updatable objects matching. Refer to sk161612.
PRJ-9017, PRJ-9512 PRHF-4623	Security Gateway	NEW: Added support for the bridge configuration when packet is passing via the Security gateway twice.
PRJ-8883, PRJ-9380, PRHF-7048	Security Gateway	In a rare scenario, Security gateway may crash when activating a web parsing debug.
PRJ-1214, PRJ-10896, PRHF-3652	Security Gateway	In a rare scenario, the Security Gateway may crash due to a NULL pointer reference.
PRJ-11530, MUX-319	Security Gateway	In a rare scenario, Security gateway may crash while connection is closed while being held.
PRJ-4092, PMTR-35130	Security Gateway	Using spaces in the $FWDIR/boot/modules/fwkern.conf file may cause long reboot time.
PRJ-2411, PRJ-10978 PRHF-4282	Security Gateway	DCE-RPC traffic may be dropped because of a drop template that is incorrectly created for the ALL_DCE_RPC service.
PRJ-5730, PRJ-10926, PRHF-6035	Security Gateway	In some scenarios, SIP traffic may be dropped by Anti-Spoofing with "fw_early_sip_nat Reason: spoofed packet on SIP traffic" error in dmseg although it is set to"detect".
PRJ-9838, PMTR-48719	Security Gateway	When ISP Redundancy is configured on a cluster, the backup ISP link status may show as down even though the link is up.
PRJ-9122, PRJ-8907	Security Gateway	Connections may be dropped when "keep all connections" is configured during policy installation. Refer to sk166212.
PRJ-7334, PMTR-45346	Security Gateway	In some scenarios, a standby cluster member may crash when it starts handling the IPv6 traffic. Refer to sk166655. Fix is relevant for Gaia 3.10 only.
PRJ-8616, PRJ-9511, PMTR-46465	Security Gateway	In some scenarios, the uc_log_suppression_data table may reach its limit and "uc_log_suppression_set_entry: Failed storing log data in log suppression table" error appears in /var/log/messages file.
PRJ-8296, PRJ-8297, PRHF-5333	Security Gateway	In some scenarios, there may be connectivity problems with DHCP traffic.
PRJ-8687, PRJ-8628, PMTR-39579	Security Gateway	When bridge rerouting is enabled, Management/local traffic may be allowed over a Gateway bridge.
PRJ-11954, PRJ-11955, PMTR-52583	Security Gateway	In a rare scenario, Security Gateway may crash due to NULL pointer reference.
PRJ-10845, PRJ-10836 PRHF-1898	Application Control	NEW: Gateway status will reflect Application Control and URL Filtering updates.
PRJ-8238, PMTR-47855	IPS	In some scenarios, Threat Prevention policy installation may fail when the Threat Prevention profile performance impact is configured to "Very Low".
PRJ-6151, PMTR-32830	IPS	In rare scenario, a memory leak may occur if there is HTTP 206 partial content.
PRJ-9488, PMTR-46123	IPS	After an upgrade, policy installation may not update the IPS version on the gateway if the "IPS scheduled update" option was changed before the upgrade.
PRJ-10938, PRJ-10939, PMTR-51681	IPS	In a rare scenario, the fw_full process may unexpectedly exit.
PRJ-9449, PRJ-9546, PRHF-8530	IPS, VSX	In some scenarios, SmartConsole shows "No license" and "Contract is expired" for IPS blade in VSX. Refer to sk164917.
PRJ-10096, PRJ-10266, PMTR-40198	Identity Awareness	NEW: Added support for LDAP automatic group update feature in Identity Collector.
PRJ-11853, PRJ-11851	Identity Awareness	NEW: Added Terminal Server agent v2 (aka MUH2) support for R80.30 Security Gateway. For more information, see sk134312.
PRJ-5231, PRJ-10933, PRHF-4808	Identity Awareness	Failure in LDAP groups membership query for specific user that was reported by MUH agent, may cause all users under the same MUH agent to be removed from the PDP database.
PRJ-10224, PRJ-10257, PMTR-39175	Identity Awareness	In a rare scenario, there is a memory leak in the IDA daemon pepd.
PRJ-9393, PRJ-9394, PMTR-49565	Identity Awareness	NEW: Performance improvement in the automatic LDAP group update feature.
PRJ-10386, PRJ-10894 IDA-2719	Identity Awareness	In a rare scenario, identity session groups and access roles may disappear following a policy installation.
PRJ-11614, PRJ-11616, IDA-1828	Identity Awareness	In a rare scenario, a memory leak, related to the Identity Awareness flow, may occur in the kernel.
PRJ-10329, PRJ-12342, ACCL-547	Anti-Virus	In some scenarios, dmesg shows many "cmik_loader_fw_context_match_cb: match_cb for CMI APP 11 failed on context 249" messages.
PRJ-10129, PRJ-10367, TEX-1670	Threat Extraction	"An error has occurred while adding watermark to file" error may appear while adding watermark to a file. Refer to sk165594.
PRJ-9934, PRJ-10739, PMTR-49938	HTTPS Inspection	In some scenarios, when the minimum version of HTTPS Inspection is set to TLS 1.1, some websites may unexpectedly exit. Refer to sk165555.
PRJ-6957, PRJ-11154, PMTR-31108	Anti-Malware	In some scenarios, dmesg may show the following errors: "cmik_loader_fw_context_match_cb: m atch_cb for CMI APP 3 failed on context 56, executing context 366 and adding the app to apps in exception".
PRJ-10969, PRJ-10990, SWG-2484	DLP	NEW: Reading and sending files from the registry by DLP was optimized.
PRJ-9328, PRJ-10860, PRHF-8152	DLP	Improved the scanning time of files for some scenarios in SMTP and HTTP/S.
PRJ-9693, PRJ-10861, PRHF-8503	DLP	In some scenarios, DLP prints wrong error message in the log.
PRJ-5022, PRJ-10466, PRHF-5528	DLP	The DLP engine may incorrectly process the file if the file name is missing in the connection header.
PRJ-9774, PRJ-10863, PRHF-8847	DLP	In some scenarios for SMTP, when an internal user sends an email, the DLP logs may show the topology as "external to external" instead of as "internal to internal".
PRJ-10423, RJ-10811, PMTR-39431	DLP	In a rare scenario, when Security Gateway is configured as proxy, the HTTP traffic may be not scanned by DLP.
PRJ-10855, PRJ-10854	DLP	DLP stability for some scenarios was improved.
PRJ-9190	Logging	NEW: Added support for viewing MITRE ATT&CK fields.
PRJ-9316, PRHF-8166	Logging	Logging view may show results from the wrong day if the server Time Zone is configured to use half/quarter hour deviations from standard time.
PRJ-8922, PRHF-8148	Logging	When the user searches logs in the "Logs and Monitor" tab in SmartConsole and applies a filter using the "?" wildcard, incorrect logs may be returned.
PRJ-4136, PRHF-2711	Logging	In some scenarios, it may not be possible to filter logs by the field "IKE IDs:" when searching the log files directly.
PRJ-10358, PMTR-46596	Logging	Log_indexer may unexpectedly exit on a SmartEvent server with a large number of CPUs (32 and up), and\or when the total number of log servers declared in correlation units is above 30.
PRJ-8213, PRHF-7592	Logging	"Problem has occurred during search < External Log server > Disconnected" error may appear in "Logs & Monitor" tab after creating dummy object for NAT.
PRJ-11006, PRHF-9292	Logging	In some scenarios, changes made to Network Objects on the Security Management Server are not reflected in the logs view. Refer to sk166493.
PRJ-9193, PMTR-42449, SL-3104	Logging	After synchronization, MLM / Secondary MDM may have different log policy configuration. Refer to sk165692.
PRJ-1525, SL-2379	Logging	In some scenarios, Autosuggestion does not complete in SmartConsole's "Logs & Monitor" tab for users who do not have super user privileges. Refer to sk155252.
PRJ-11362, PMTR-51655	Logging	In a rare scenario, the CPD process on a Security Management Server that manages R77.30 Security Gateway may unexpectedly exit.
PRJ-9706, PRHF-7716	Logging	The FWD process may unexpectedly exit if one of the following changes were made using GuiDBEdit: Change to log forwarding timing Change to log switch timing
PRJ-9127, PRJ-9128, PMTR-46873	SecureXL	NEW: Added acceleration support for Ethernet Over IP Tunneling (EOIP). EOIP is RFC 3378 protocol # 97 used between Wireless AP and Wireless Cisco controller.
PRJ-9826, PRJ-9827, PMTR-50294	SecureXL	In some scenarios, SYN Defender cookie validation may fail.
PRJ-10234, PRJ-10274, PMTR-51942	SecureXL	Policy installation may fail with "Error code 0-2000240" when Drop templates option is enabled. Refer to sk165716.
PRJ-10816, PRJ-10946, PMTR-25593	SecureXL	Rule that contains dhcpv6 services, does not disable SecureXL Accept Templates. Refer to sk32578.
PRJ-8489, PRJ-8490, PMTR-48255	SecureXL	In some scenarios, held packets are incorrectly reported to the penalty box.
PRJ-4176, PRJ-11057, PRHF-5051	SecureXL	In some scenarios, there may be a length verification error with SCTP traffic.
PRJ-7418, PRJ-9669, PRHF-5522	SecureXL	In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. This fix enables the new property per specific gateway. Refer to sk147093.
PRJ-5905, PRJ-5906, PMTR-43772	SecureXL	In some scenarios, the penalty box violation rate is calculated incorrectly.
PRJ-6124, PRJ-8690, PRHF-5797	SecureXL	In some scenarios, DOS/Rate Limiting drops too few (or too many) packets for "concurrent-conns" fw samp rules. Refer to sk112454.
PRJ-11679, PRJ-11680 PRJ-11551	SecureXL	MCAST packets may be handled incorrectly when promiscuous (tcpdump) mode is enabled for the interface.
PRJ-10001, PRJ-10002, PRHF-5120	SecureXL	Improved TCP state inspection for "Smart Connection Reuse" feature.
PRJ-12020, PRJ-12021, PRHF-10097	SecureXL	In some scenarios, ACK, FIN, and RST TCP packets are dropped, causing outages.
PRJ-12498, PRJ-12660, PMTR-52267	SecureXL	SCTP Stateful inspection and payload NAT (INIT Chunks) may not work correctly.
PRJ-11021, PRJ-11024, PRHF-3767	Routing	Active VRRP cluster member may not show full accounting information in logs. Refer to sk159432.
PRJ-5866, PMTR-43718	ClusterXL	SNMP Response for OID .1.3.6.1.4.1.2620.1.5.6 ("haState") is "Active" on all members of ClusterXL High Availability mode. Refer to sk106291.
PRJ-1502, PRJ-10922, PRHF-3839	ClusterXL	The output of the 'cphaprob routedifcs' command may be missing interfaces.
PRJ-7614, PRJ-7615, PRHF-7166	ConnectControl	Logical servers will have global table for lookups to prevent the race condition where two instances has different decisions because local sync is flushed every 0.1 sec. Added 'fw balance' command for visibility.
PRJ-5333, PRJ-5334, PMTR-41386	VPN	NEW: Added functionality enhancements for the authentication realms that is used with Remote Access VPN.
PRJ-5702, PRJ-10024, PMTR-42483	VPN	NEW: Improved policy installation performance when the MAB blade is enabled with Legacy Policy and Native Application rules. Refer to sk175105.
PRJ-10271, PRJ-10272, PMTR-50151	VPN	NEW: 3DES is disabled by default for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI abd Mobile Access curl. Note: Disabling 3DES will fail 3rd party OPSEC SDK 6.0 clients connectivity. To enable it, refer to sk113114.
PRJ-11643, PRJ-11750, VPNRA-353	VPN	Added Stability improvement for Remote Access VPN.
PRJ-12746, PRJ-12747, PRJ-12738	VPN	Some Remote Access clients that do not support Multi-Factor Authentication (MFA) are able to connect to a Security Gateway even though the "Allow older clients" option is disabled. Refer to sk166912.
PRJ-12992, VPNRA-384	VPN	In some scenarios, a connectivity issue appears when working with Capsule Connect. Fix is relevant for Gaia 3.10 only.
PRJ-11920, PRJ-10869	VPN	Memory leak in VPN daemon may appear during the IP address assignment.
PRJ-8263, PRJ-9749, PRHF-7769	VPN	Server-to-Server and Client-to-Server VPN may fail when using Wire Mode while SecureXL is enabled.
PRJ-11282, PRHF-7681	VPN	In a rare scenario, vpnd process unexpectedly exits due to Segmentation fault. Fix is relevant for Gaia 3.10 only.
PRJ-12523, PMTR-36437	VPN	In some scenarios, VPN traffic distribution change may cause high CPU consumption on one CPU core. Refer to sk165853. Fix is relevant for Gaia 3.10 only.
PRJ-6139, PRJ-11183, PRHF-4292	VPN	In a rare scenario, the vpnd process unexpectedly exits due to memory access problem.
PRJ-4452, PRJ-11189, PMTR-40912	VPN	Improved IKEv2 negotiation flow.
PRJ-7693, PRHF-7359	VPN	Improved usability of VPN tunnel monitoring "vpn tu" command.
PRJ-10390, PRHF-1053	VPN	In a rare scenario, vpnd process unexpectedly exits due to issue in IKEv2 flow.
PRJ-8115, PMTR-49502	VPN	"vpn_trap_multik: - wrong header length 36 != 72" message may appear in the vpnd.elg when working with multiple users with the same credentials.
PRJ-8177, PRJ-11099, PRHF-7426	VPN	In a rare scenario, a memory leak in VPND may occur during the TLS key exchange in HTTPS portals.
PRJ-11483, PRJ-11485, PRJ-8726	VPN	In some scenarios, vpnd cores may be generated sporadically during boot time/cluster failovers on the Cluster Standby Member.
PRJ-11238, PRJ-11239, PMTR-42727	VPN	Added connectivity improvement for VPN over NAT traversal (UDP 4500). Refer to sk155953.
PRJ-6677, PRJ-6676 PRHF-6634	VPN	In some scenarios, NAT-T packets are going out with the wrong interface, when encrypted. Refer to sk165697.
PRJ-6719, PRHF-6672	VPN	In some scenarios, the vpnd process unexpectedly exits on cluster members.
PRJ-8889, PMTR-43850	VPN	Improved stability of VPN traffic on VSX Gateway. Refer to sk166655. Fix is relevant for Gaia 3.10 only.
PRJ-9231, PRJ-9232, PMTR-39379	Routing	Although only OSPFv2 with Graceful Restart Helper is configured, the Critical Device OSPF3 Graceful Restart may show the "OSPF3 Graceful Restart PROBLEM Master -> Standby. Waiting for GR" message during the cluster failover.
PRJ-3618, PRJ-3615, PRHF-4829	Routing	In some scenarios, routed unexpectedly exits when receiving an LSA with a checksum value of zero.
PRJ-11543, PRJ-11544 ROUT-554	Routing	In some scenarios, routed unexpectedly exits and traffic is lost after a failover in ClusterXL when BGP and ECMP are enabled. Refer to sk166175.
PRJ-12224, PRJ-12225, ROUT-856	Routing	In some scenarios, routed process unexpectedly exits when adding an interface to OSPFv3 with a prefix length above 63 and having two or more areas.
PRJ-4236, PRJ-10925, PRHF-4250	VoIP	In some scenarios, H323 connections are dropped after "Virtual session timeout" is configured. Refer to sk156372.
PRJ-9956, PRHF-897	VoIP	In some scenarios, UA traffic is dropped when packet contains more then 9 UA's. Refer to sk135114.
PRJ-2462, PRJ-10927, PRHF-4097	VoIP	In some scenarios, MGCP traffic may be dropped by the Security Gateway with the following message in fw ctl zdebug drop: `fw_mgcp_undo_earlynat: the needed early_nat request entry (with natted src) not found, dropping;` `fw_conn_post_inspect Reason: Handler 'mgcp_manager' drop;`
PRJ-11687, PRHF-9774	VSX	The following error may appear in /var/log/messages: "Destroying alive neighbour *".
PRJ-10935, PRJ-11283, PMTR-12883	VSX	In a rare scenario, portals are not reachable after the fwk process unexpectedly exits.
PRJ-10902, PRJ-10911, PMTR-22709	VSX	In VSX cluster with VMAC mode, traffic may not pass through VSX Cluster members if SecureXL is enabled. Refer to sk138894.
PRJ-3801, PMTR-40396	Gaia OS	NEW: Added the ability to configure an IPv6 address for a LOM interface on Smart 1-525/5050/5150 appliances.
PRJ-9351, PRHF-8098	Gaia OS	Added optimization for 40GbE and 25/100GbE cards configured in multiqueue allowing better transmit performance when Hyper-Threading (SMT) is enabled.
PRJ-8007, PRJ-8008, PMTR-46037	Gaia OS	Apache API was updated.
PRJ-9221, PRJ-9222, PMTR-43418	Gaia OS	All VRRP cluster members are in Master state when using i40e driver.
PRJ-10166, PMTR-51849	Gaia OS	Smart-1 625 appliances may show RAID syncing on both RAID disks.
PRJ-11159, GAIA-6136	Gaia OS	Incorrect status may be displayed in clish for pulled PSU.
PRJ-8054, PRJ-11373, PRJ-11370, PRHF-7532	Gaia OS	In some scenarios, latency issues may occur in Clish and in the WebUI when using web scanning tools (Qualys). Refer to sk164153.
PRJ-9013, PRJ-12031, PMTR-45907	Gaia OS	In a rare scenario, Security Gateway hangs for ~10 minutes during boot. Refer to sk164268.
PRJ-7913, PRJ-7579, PRJ-7580, PMTR-42309	Gaia OS	'#', '=' and '+' characters cannot be used in "Banner" and "Message of the day" features.
PRJ-5175, PRJ-5271, PMTR-40400	Gaia OS	Any of the following may occur in vSphere on a Management appliance: vSphere client/WebUI does not show the instance IP in the instance summary window. vSphere client/WebUI reports that VMware tools are "not running" in the instance summary window. Machine time/date is not synchronized with the ESX host.
PRJ-11368, PRJ-11749, PRHF-9804	Gaia OS	SNMP Trap may not be sent even though a failover occurred. Refer to sk166100.
PRJ-11535, PRHF-9858	Gaia OS	In some scenarios the snmpd process floods /var/log/messages with errors regarding parsing voltage sensor value.
PRJ-10398, PRJ-10396	Gaia OS	In some scenarios, transmit queues may stop, causing packet loss.
PRJ-11321, PRJ-11322, PRHF-6250	Gaia OS	In some scenarios, commands that were typed into Clish can be executed later on if the SSH session was uninterruptedly terminated.
PRJ-11692, PRHF-10028	Endpoint Security	In SmartEndpoint, Anti-Malware's "Top Infections" report has an empty infection name. Refer to sk166232.
PRJ-2924, PMTR-39317	Endpoint Security	Very frequently repeated "update register" requests may cause performance issues.
PRJ-5622, PMTR-43207	Endpoint Security	Endpoint Management may incorrectly show that no local Anti-Malware signatures updater is installed on the DHS-complaint engine.
PRJ-5805, PRJ-10932, VSECNSX-1211	CloudGuard IaaS	NEW: Added support for Identity Sharing with CloudGuard for NSX-V.
PRJ-7891, VSECC-1001	CloudGuard IaaS	NEW: Added support for Google Cloud Platform projects with Shared VPC. Refer to sk164139.
PRJ-10913, VSECC-1222	CloudGuard IaaS	When an Azure subnet is missing its prefix attribute, the Microsoft Azure Data Center may fail to poll data, resulting in a loss of updates to the Security Gateway.
PRJ-11025, VSECC-1231	CloudGuard IaaS	When an Azure Virtual Network Interface is missing its properties' primary attribute, the Microsoft Azure Data Center may fail to poll data, resulting in a loss of updates to the Security Gateway.
PRJ-10867, VSECC-1119	CloudGuard IaaS	In a rare scenario, the OpenStack Data Center becomes unresponsive, which results in a loss of updates to the Security Gateway.