Take 232 - Ongoing
List of Resolved Issues and New Features
Note - This Take contains all fixes from all earlier Takes.

ID | Product | Description |
---|---|---|
Take 232 Released on 16 March 2021 | | |
PRJ-20071, | Security Management | NEW: Optimized the Solr build time to improve performance in the following operations: |
PRJ-21004, | Security Management | NEW: Improved FWM process performance during Security policy or database installation. |
PRJ-22316, | Security Management | NEW: Performance improvement of Management High Availability Full Sync. |
PRJ-20030, | Security Management | UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published. |
PRJ-19999, | Security Management | UPDATE: Added improvements to the policy load process to reduce the policy installation time when there is a large number of objects. |
PRJ-20854, | Security Management | Management Server upgrade from R80.20 to R80.40 may fail if a Network Interface object refers to a Gateway object that does not exist. |
PRJ-21254, | Security Management | In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large. |
PRJ-21186, | Security Management | In rare scenarios, logout from a session fails with "An internal error has occurred" message. |
PRJ-17788, | Security Management | In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT. |
PRJ-21590, | Security Management | Although the Access Settings of the Management API is set to "All IP addresses", the API server does not accept requests from any IP address unless the IP is defined explicitly as a Trusted Client. |
PRJ-20886, | Security Management | In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view. |
PRJ-21585, | Security Management | In rare scenarios, the CPM Solr process may not be stopped when running cpstop or mdsstop. |
PRJ-20803, | Security Management | In some scenarios, deleting a partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains. |
PRJ-21416, | Security Management | In rare scenarios, the initiation of the Management server may take a long time. |
PRJ-21358, | Security Management | In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole. |
PRJ-20303, | Security Management | In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error. |
PRJ-20764, | Security Management | High load may occur on the Management Server when searching for a prefix of an IP address that has more than 10 thousand matches. |
PRJ-20841, | Security Management | When migrating a Domain Management Server to a Security Management Server: |
PRJ-16471, | Multi-Domain Management | UPDATE: When reassigning Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in the queue of the local server due to other tasks that are running. |
PRJ-22274, | Multi-Domain Management | In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916. |
PRJ-21276, | Multi-Domain Management | In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059. |
PRJ-19993, | Multi-Domain Management | After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional: |
PRJ-19722, | Multi-Domain Management | The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile. |
PRJ-21343, | Multi-Domain Management | When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work. |
PRJ-20239, | SmartConsole | When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found". |
PRJ-21387, | SmartConsole | Slowness may be observed in some SmartProvisioning operations (such as opening the SmartProvisioning GUI, creating a new LSM object, opening an LSM object editor, etc.). |
PRJ-21524 | SmartConsole | In a rare scenario, automatic NAT rules are not visible in SmartConsole. |
PRJ-20314, | SmartConsole | In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895. |
PRJ-18921, | SmartConsole | In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435. |
PRJ-19140, | SmartConsole | In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325. |
PRJ-18859, | Logging | NEW: Added support for Endpoint Forensics reports to get-attachment API. |
PRJ-7953, | Logging | In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676. |
PRJ-20562, | Logging | In rare scenarios, the Log Exporter fails to connect to external destination when using the TLS protocol. |
PRJ-17355, | Logging | FWM and/or log_indexer processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452. |
PRJ-19009, | Logging | In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196. |
PRJ-21156, | Logging | In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments. |
PRJ-20873, | SmartView | UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel. |
PRJ-20774, | Compliance | In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed. |
PRJ-14101, | Compliance | Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices. |
PRJ-21109, | Security Gateway | Authentication may fail when LDAP branch name contains "\". |
PRJ-20338, | Security Gateway | In rare scenarios, passive FTP packets may be dropped. |
PRJ-21670, | Security Gateway | In some scenarios, a Security policy installation fails during high CPU utilization. |
PRJ-20898, | Security Gateway | In some scenarios, the DNS requests from the Security Gateway may fail. |
PRJ-17204, | Security Gateway | After upgrading to R80.20, it is not possible to configure an OSPF interface to have a priority of 0. |
PRJ-21610, | Security Gateway | Security Gateway may crash when the "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold". |
PRJ-20630, | Security Gateway | In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server. |
PRJ-20383, | Security Gateway | In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher. |
PRJ-19849, | Security Gateway | In some scenarios, a memory leak may appear after sending a packet from the kernel. |
PRJ-19702, | Security Gateway | In rare scenarios, a memory leak may occur in the TOPOD process. |
PRJ-19583, | Security Gateway | In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic. |
PRJ-11204, | Security Gateway | In some scenarios, traffic that is matched on an implied rule is dropped although it should not be. |
PRJ-19798, | Security Gateway | Improved the policy enforcement of the ZIP archive inner files. |
PRJ-22407, | Security Gateway | In some scenarios, the "rad_kernel_service_container_add_service" error is printed to dmesg. |
PRJ-21362, | Security Gateway | Traffic may be dropped when Hide NAT is configured on an IPv6 host. |
PRJ-21240, | Security Gateway | In rare scenarios, proxy ARP entries may be deleted when installing a policy. |
PRJ-20923, | Anti-Malware | In a rare scenario, the Security Gateway may crash when the Threat Prevention Forensics feature is enabled. |
PRJ-20974, | Anti-Malware | In rare scenarios, the Threat Prevention policy installation fails due to IOC parsing errors. Refer to sk171316. |
PRJ-21724, | Content Awareness | In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow. |
PRJ-20751, | Identity Awareness | NEW: Added Identity Awareness performance and memory consumption improvements. Refer to sk170516. |
PRJ-20845, | Identity Awareness | In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136. |
PRJ-20860, | Identity Awareness | In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch. |
PRJ-23594, | Identity Awareness | In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492. |
PRJ-20346, | IPS | In a rare scenario, SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally. |
PRJ-20094, | DLP | UPDATE: Added support for multi-part data to DLP. |
PRJ-20836, | DLP | Improved DLP scanning for POST request to some Web sites. |
PRJ-18840, | SSL Inspection | In rare scenarios, a memory leak may occur during policy installation. |
PRJ-19039, | UserCheck | In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message. |
PRJ-20517, | ClusterXL | UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command: |
PRJ-20533, | ClusterXL | In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing. |
PRJ-19391, | ClusterXL | "set router active-active-mode" settings do not survive a reboot. |
PRJ-19924, | ClusterXL | In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state. |
PRJ-19662, | SecureXL | In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface. |
PRJ-19404, | SecureXL | In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148. |
PRJ-17402, | SecureXL | In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293. |
PRJ-20545, | SecureXL | Security Gateway may crash when there are interfaces that do not need the ARP resolution (VTI). |
PRJ-5075, | Gaia OS | NEW: The ARP cache size limit on Clish was increased to 131072 hosts. |
PRJ-19559, | Gaia OS | NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix. |
PRJ-22837, | Gaia OS | UPDATE: Added the option to bind IP addresses to sockets using the "udp_connect" API. Refer to sk171019. |
PRJ-21847, | Gaia OS | UPDATE: Updated the arp table limit to 131072 in: |
PRJ-20037, | Gaia OS | UPDATE: Added support for multiple commands definition in Dynamic CLI feature. |
PRJ-18938, | Gaia OS | In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file. |
PRJ-20042, | Gaia OS | Sensitive Information Disclosure may appear in the output of "show file *" CLI command. |
PRJ-20744, | Gaia OS | CVE-2020-25705: ICMP reply rate. |
PRJ-16959, | Gaia OS | In some scenarios, the "rhost" value may be missing from logs when the user tries to access the WebUI. |
PRJ-21093, | Gaia OS | WebUI may not load for Management devices. |
PRJ-20038, | Gaia OS | Several features are duplicated (both in WebUI and Clish) in RBA roles configuration/settings. |
PRJ-19623, | Gaia OS | Extended commands are missing after adding Dynamic CLI. |
PRJ-20040, | Gaia OS | Read-Only users may run a Dynamic CLI command with UUID other than 0. |
PRJ-15660, | Routing | UPDATE: Display of routing CPview results is limited to 30 lines. |
PRJ-19627, | Routing | ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works. |
PRJ-15548, | VPN | UPDATE: Added the TTM-per-group feature improvement that allows it to work with more client types (for example Nemo client). |
PRJ-20946, | VPN | In some scenarios, L2TP clients disconnect from the Security Gateway after 10 minutes of the connection. |
PRJ-18751, | VPN | In some scenarios, the Dynamic ID configuration in SmartConsole (SMS/Email) is ignored. Refer to sk144933. |
PRJ-17492, | VPN | In an IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync, causing a VPN traffic outage. |
PRJ-20825, | VPN | In IKEv2, the renegotiation of IKE SA may fail. |
PRJ-21541, | VPN | Added VPN Remote Access stability improvement. |
PRJ-19482, | VPN | Added various VPN connection improvements on Gaia 3.10. |
PRJ-21694, | VPN | When IKEv2 and pre-shared-key are configured, VPN may fail on the second IKE SA re-key. Refer to sk171756. |
PRJ-19214, | VPN | Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled. |
PRJ-12241, | VPN | When clicking "View..." in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496. |
PRJ-7480, | VPN | Policy installation with VPN enabled may take a long time. |
PRJ-7476, | VPN | The vpnd daemon may unexpectedly exit during policy installation when the Mobile Access blade is used. |
PRJ-19422, | VPN | In some scenarios, the vpnd process unexpectedly exits with Segmentation fault. |
PRJ-13820, | VPN | Access roles do not recognize Remote Access SNX CLI clients. |
PRJ-17185, | VPN | A connectivity issue may appear between a Check Point Gateway and a 3rd party device in a MEP DPD configuration when the 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway". |
PRJ-18269, | VPN | The VPND process on a standby cluster member may unexpectedly exit when VPN peer has a probing link selection configured. Refer to sk170136. |
PRJ-19971, | VSX | UPDATE: Removed the .1.3.6.1.4.1.2620.1.16.22.2 (vsxStatusCPUUsageTable) and .1.3.6.1.4.1.2620.1.16.22.4 (vsxStatusCPUUsagePerCPUTable) OIDs as not supported on Gaia 3.10. |
PRJ-20148, | VSX | In rare scenarios, some interfaces remain in "Down" state after reboot. |
PRJ-20963, | VSX | After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352. |
PRJ-15445, | VSX | In some scenarios, there may be high CPU utilization in a VSX environment with several instances. |
PRJ-20584, | Mobile Access | Removed potential XSS vulnerability in the MAB Login page. |
PRJ-19234, | Mobile Access | There may be a delay when connecting to HTTPS based SMS portal over a non-standard proxy port. Refer to sk170497. |
PRJ-21748, | Endpoint Security | On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list. |
PRJ-19311, | CloudGuard IaaS | When creating a GCP Data Center, Test Connection may fail on large GCP accounts. |