Take 215 - General Availability

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 215

Released on 6 July 2020 and declared as General Availability on 4 August 2020

PRJ-11587,
PRHF-9260

Security Management

In some scenarios, when using Rulebase Search, the 'number of rules' section is incorrect. Refer to sk166003.

PRJ-12025,
PMTR-51885

Security Management

NEW: Tasks that fail to complete within 18 hours will be stopped automatically and appear as failed. Refer to sk166455.

PRJ-12274,
PMTR-53007

Security Management

In Management HA configuration, a hotfix installation may incorrectly fail during the verification phase.

PRJ-10058,
PRHF-8924

Security Management

In some scenarios, Security policy deletion or installation may fail when there are many Application Control objects used in this policy.

PRJ-12670,
PMTR-52789

Security Management

If an administrator searches for a certain text in SmartConsole, it may cause the Management Server to become inaccessible until a restart.

PRJ-13152,
CPM-2811

Security Management

In rare scenarios, a session becomes unusable, and one or more of the following may occur:

  • The user is not able to log in and make changes with this session.
  • Publishing this session fails.
  • Discarding this session fails.

Refer to sk167735.

PRJ-1392,
PMTR-33408

Multi-Domain Management

NEW: Added ability to log in to the Management Server with SmartConsole while MDS Backup is running.

PRJ-12205,
PRHF-10405

Multi-Domain Management

In some scenarios, changes to a .def file in $FWDIR/lib might be reverted when creating a secondary CMA.

PRJ-11508

Multi-Domain Management

A migration from the Security Management Server to a Domain on a Multi-Domain Management Server may fail with: "didn't find ObjectStoreSessionEntity for session <uuid> return null" error in the cpm.elg file.

PRJ-8497,
PMTR-48272

Multi-Domain Management

The "Recent Tasks" and "Install Policy Preset" views in MDS Domain might include Domain names, policy packages, and Gateway names. This information is not filtered according to the administrator's permission profile.

PRJ-9602,
PRHF-8502

Multi-Domain Management

In environments with more than five Multi Domain servers, changes to objects might not be reflected in the logs.

PRJ-12485,
PRHF-10330

Multi-Domain Management

Multi-Domain Administrator configuration for RADIUS authentication might show local Domain RADIUS servers and groups.

PRJ-12965,
PRHF-10944

Multi-Domain Management

In some scenarios, certain deleted domain level objects are visible in the SmartConsole at the MDS level.

PRJ-13033,
PRHF-10917

Multi-Domain Management

Global Policy reassignment may fail after performing the IPS update in the Global domain.

PRJ-12555,
PRHF-10523

Multi-Domain Management

In some scenarios, updating firewall_properties in GuiDBedit in the MDS context fails. Refer to sk42184.

PRJ-12776,
PMTR-52320

SmartConsole

NEW: Added API commands for user, user-template, user-group and identity-tag.

PRJ-12900,
PMTR-53694

SmartConsole

NEW: Added more information on each Management API call to api.csv.

PRJ-11258,
PRHF-9106

SmartConsole

In some scenarios, Inspection Settings view under the General tab is blank.

PRJ-12454,
PMTR-37222

SmartConsole

In some scenarios, a calculation of UIDs for irrelevant rules may result in the "Cannot insert a rule into its own sub rulebase" validation error.

PRJ-12810,
PMTR-53855

SmartConsole

When using the Management API "show-objects" command to show OPSEC application objects, it may fail with "Requested object [OBJECT ID] not found".

PRJ-12973,
PMTR-51691

SmartConsole

When a VSX Cluster object is opened for editing, the "Topology has changed. Please reinstall Security Policy" message is always displayed after clicking OK, even if no changes are made.

PRJ-12445,
PRHF-8488

SmartConsole

In some scenarios, IPS update tasks may get stuck when multiple machines are attempting an update within the same time frame.

PRJ-12458,
PRHF-8968

SmartConsole

In some scenarios, IPS update may be locked with the message "IPS management update is locked by Scheduled update".

PRJ-12210,
PMTR-52897

SmartConsole

When running the "show-domain" API command, the "active" field may be missing from the reply.

PRJ-10670,
PMTR-49128

SmartView

In SmartView, when using a language other than English, an error may occur when drilling down on a widget.

PRJ-10200,
PRHF-9019

SmartView

SmartView may show a "query failed" error message when creating a table widget with a filter by source/destination host name. Refer to sk119056.

PRJ-11432,
PRHF-8506

SmartProvisioning

The SmartProvisioning application may hang when the user adds/edits Dynamic Objects in the LSM Gateway object editor.

PRJ-11501,
PRJ-11502,
PMTR-52209

Security Gateway

NEW: Added "Hold" override for unsupported protocols (i.e. GRE). Refer to sk148432.

PRJ-11695,
PRJ-12363,
PRHF-9799

Security Gateway

In a rare scenario, access rules with service type of "other" may not be matched correctly. Refer to sk166365.

PRJ-13204,
PRJ-13205

Security Gateway

In a rare scenario, a traffic outage may occur when time objects are used in the access policy.

PRJ-8675,
PRJ-10168,
PMTR-38384

Security Gateway

In some scenarios, "simple_debug_filter_unset: unsetting debug filter when no filter is set" messages may appear in dmesg. Refer to sk165675.

PRJ-12732,
PMTR-53779

Security Gateway

In a rare scenario, memory is not freed correctly in the routing mechanism.

  • Fix is relevant for Gaia 3.10 only.

PRJ-12101,
PMTR-41300

Security Gateway

In some scenarios, when running "fw monitor" with the "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed. Refer to sk166592.

PRJ-12236,
PRJ-12379,
PRHF-10039

Security Gateway

In a rare scenario, Security Gateway memory consumption may increase when the Anti-Virus Blade is enabled.

PRJ-13075,
PRJ-13076,
PMTR-54306

Security Gateway

When HTTPS Inspection is enabled using layer-2/bridge, traffic may be dropped when deciding the outgoing interfaces.

PRJ-5540,
PRJ-5541,
PMTR-39046

Security Gateway

Added ability for fw monitor to support monitoring traffic on Acceleration Card.

PRJ-13089,
PRJ-13090,
PRHF-11016

Security Gateway

  • CPView Utility may not display speed and driver.
  • SNMP does not use custom OID, dplane OID mapping to mplane.
  • Some connections through mplane on Standby member may be dropped.

PRJ-9047,
PRHF-8153

Threat Prevention

The number of overrides in Threat Prevention policy -> Profile -> Overrides may also show inactivated overrides, with mismatched information between "override" and "User Modified".

PRJ-12831,
PRJ-12432,
PRHF-11043

Threat Prevention

In a rare scenario, when the Threat Prevention Forensics feature is enabled, memory usage may rise on the Security Gateway due to failures in the memory release flow.

PRJ-12394,
PRJ-12383,
PMTR-45311

Threat Prevention

In some scenarios, policy installation fails with "Error code 0-2000111".

PRJ-12766,
PRJ-12790,
TEX-1762

Threat Extraction

In rare scenarios, the watermark_cp_file_convertd daemon used by Threat Extraction may restart frequently, causing high CPU usage. Refer to sk168318.

PRJ-12339,
PRJ-12340,
PMTR-53146

URL Filtering

In a rare scenario, policy installation may fail with "Error code: 0-2000112" if the URL Filtering Blade is active while no other feature or Blade is enabled.

PRJ-13116,
PRJ-13117,
PMTR-52580

DLP

Improved DLP functionality when working with IDA MUH1 and MUH2 agents.

PRJ-12468,
PRJ-13511,
PMTR-38976

Anti-Malware

In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus Blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606).

PRJ-13109,
PRJ-13238,
PRHF-11112

HTTPS Inspection

In some scenarios, HTTPS websites may show corrupted text when HTTPS Inspection and Anti-Virus are enabled.

PRJ-11059,
PRHF-9354

Application Control

In some scenarios, Application Control update task may get stuck indefinitely when it is executed as part of Global Policy assignment.

PRJ-12165,
PMTR-52106

Application Control

In some scenarios, Application Control updates in Multi-Domain High Availability environments may get stuck when multiple updates from different Domains/Multi-Domains take place simultaneously.

PRJ-10157,
PRHF-8586

Logging

"UserCheck Reference ID" field is missing from logs when the message of the UserCheck customized page is modified and does not contain the text "reference:". Refer to sk165355.

PRJ-11888,
PRHF-10057

Logging

In some scenarios, searching for logs using "client_name" in the logging tab returns no values.

PRJ-4738,
PRJ-4737

Logging

In environments that use certain mail servers, sending a report using SmartView may not work properly.

PRJ-4610,
PRHF-5209

Logging

When trying to open a Forensic report in SmartLog, the "Error getting report." message may appear if there is a network object configured with the same IP address as that of the Endpoint Security Management Server.

PRJ-12285,
CLUS-1752

ClusterXL

ClusterXL in Load Sharing mode may drop traffic after a cluster member is rebooted, due to inconsistency of MAC addresses saved in the Firewall kernel and in SecureXL kernel.

PRJ-12709,
PRHF-10849

ClusterXL

In some scenarios, a Cluster member forwards ICMP replies via its Sync interface after being rebooted.

PRJ-12550,
PRJ-12549,
PRHF-10647

SecureXL

NEW: Added tunable kernel parameter "adp_mc_rt_hold_queue_len" to adpkern.conf to eliminate multicast packet drops at the start of a connection (when large bursts of multicast traffic are expected).

PRJ-12174,
PRJ-12641,
PRHF-10228

SecureXL

In some scenarios, TCP traffic containing the TCP Fast Open option may be dropped by the Security Gateway.

PRJ-11365

Routing

NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners.

  • Fix is relevant for Gaia 3.10 only.

PRJ-12802,
PRJ-12803,
ROUT-541

Routing

In some scenarios, when processing BGP ECMP routes, routed may unexpectedly exit, resulting in loss of BGP adjacency.

PRJ-12798,
PRJ-12799,
ROUT-530

Routing

In some scenarios, there may be a loss of BGP adjacency when displaying BGP routes with very long AS paths or large numbers of BGP communities.

PRJ-12072,
PRJ-6149

Gaia OS

NEW: Added support for Jumbo Hotfix installation on Check Point 3800, 6400, 6700, 7000, 16200, 16600HS, 28000 and 28600HS appliances. Refer to sk110052, sk139932 and sk152733.

  • Requires R80.30 SmartConsole Build 86 (or higher).

PRJ-12436,
PRJ-12437,
PRJ-1619,
PRHF-2637

Gaia OS

In some scenarios, the xmlUpgradeExec process may unexpectedly exit during Jumbo Hotfix installation. As a result, the configuration file may not be created correctly. Upon login, the following error message may appear:

/etc/appliance_config.xml:1: parser error : Document is empty

/etc/appliance_config.xml:1: parser error: Start tag expected, ^^^ not found

PRJ-12812,
GAIA-7625

Gaia OS

The activate_sw_raid utility may fail due to incorrect disk names.

  • Fix is relevant for Gaia 3.10 only.

PRJ-12248,
PMTR-52663

Gaia OS

UPDATE: on Smart-1 410:

  • Line card 1 model PE2G2SFPi35*-CP* is changed to CPAC-2-1F-SM*-C*
  • Line card 2 model PE210G2SPI9A-XR*-CP* is changed to CPAC-2-10F-SM*-C*

PRJ-3026,
PRJ-13311,
PRHF-4557

Gaia OS

Backup on Gaia machine may fail with "Cannot complete the backup process: not enough space". Refer to sk98609.

PRJ-11620,
PRHF-10009

Gaia OS

When a bond exceeds 60GB/s, ethtool may report an incorrect speed of the bond interface.

PRJ-8949,
GAIA-7018

Gaia OS

In some scenarios, interface names may not correspond to the correct ports on 4-ports 10GbE SFP+ Rev 1.1 on 12200/4200/4400/4600/4800/TE250 appliances.

PRJ-12791,
PRJ-12518,
PRHF-10672

Gaia OS

In some scenarios, a backup on a Gaia device with Threat Emulation Blade enabled may fail with "Cannot complete the backup process: not enough space". Refer to sk166833.

PRJ-8621,
PRJ-11119,
PRHF-7485

VPN

Improved the VPN connectivity with DAIP peers when Tunnel Monitoring is enabled. Refer to sk164933.

PRJ-11723,
PRHF-2844

VPN

Added L2TP Remote Access client connectivity improvements. Refer to Scenario 2 in sk145895.

  • Fix is relevant for Gaia 3.10 only.

PRJ-12178,
PRJ-12309,
VPNRA-364

VPN

Connectivity improvements for Remote Access VPN using Traditional mode.

PRJ-12194,
PRHF-9885

VPN

A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902.

PRJ-13105

VPN

In some scenarios, packets are dropped on proposal unmatched, although the VPN tunnel is established. Refer to sk122438.

PRJ-11244,
PRJ-12418,
PRHF-9628

VoIP

SIP calls with NAT (SIP packet with no SDP but content-type=sdp) may fail to open correctly.

PRJ-9104,
PRJ-9929,
PRHF-7758

VoIP

In a rare scenario, the Security Gateway crashes when passing SIP traffic. Refer to sk166474.

PRJ-12623,
VSX-2219

VSX

In a rare scenario, creating new VSX and pushing configuration may cause the cluster members to crash.

  • Fix is relevant to Gaia 3.10 only.

PRJ-13077,
PRHF-10978

VSX

When performing a provisioning operation in VSX, the process may hang on "Pushing configuration to ...". Refer to sk167175.

PRJ-10416,
MAGB-781

Mobile Access

Some Web applications published by Mobile Access Blade may not work in Host Translation mode.

PRJ-12601,
PRJ-12602,
PMTR-53442

Mobile Access

Mobile Access ActiveSync session timeout may not update properly, generating repeated error messages in the cvpnd.elg debug output.

PRJ-11836,
PRHF-10015

Endpoint Security

An error in FDE preboot users calculation might cause Endpoint to be left in a disconnected state. Refer to sk142313.

PRJ-11690,
PRHF-9169

Endpoint Security

The following may occur in installations with Media Encryption (refer to sk166074):

  • Unable to log in with SmartEndpoint
  • External devices do not appear in the "Discovered Devices" report
  • Errors in the server_messages.log related to PSQLException on MeSimilarDiscoveredDevicesSelect

PRJ-11822,
PRHF-5833

Endpoint Security

In some scenarios, SmartEndpoint does not update info in reports about devices when the user is logged out. Refer to sk164035.

PRJ-11143,
PRHF-9706

Endpoint Security

Local users might not be displayed under the selected machine in the "Users and Computers" tab in SmartEndpoint. Refer to sk166316.

PRJ-11832,
PRHF-8234

Endpoint Security

The Endpoint directory scanner may fail to reconnect to the AD if the connection was lost during the scan.

PRJ-11840,
PRHF-9304

Endpoint Security

Cannot delete the client MSI package from SmartEndpoint because of a previously deleted FDE offline group.

PRJ-11815,
PRHF-9151

Endpoint Security

When a user name is updated in SmartEndpoint, the change may result in an unexpected expiration date. Refer to sk165872.

PRJ-11828,
RHF-7087

Endpoint Security

SmartEndpoint might export a report to Excel in which incorrect distinguished names appear for deleted users/devices. Refer to sk163943.

PRJ-11824,
PRHF-6365

Endpoint Security

Users/devices may not change their locations in the tree according to Active Directory changes when certain special characters appear in the names.

PRJ-11819,
PRHF-9157

Endpoint Security

The default paths for offline folders in SmartEndpoint -> Offline group creation wizard may be incorrect.

PRJ-12691,
MB-731

Compliance

Compliance Blade may show incorrect Best Practice status if one or more relevant network objects for that Best Practice are in status "N/A".