Take 232 - Ongoing

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 232

Released on 16 March 2021

PRJ-20071,
MCFG-229

Security Management

NEW: Optimized the Solr build time to improve performance in the following operations:

  • Restore of the entire MDS/MLM from backup
  • Upgrade from R80.10
  • Solr Cure

PRJ-21004,
PRHF-14969

Security Management

NEW: Improved FWM process performance during Security policy or database installation.

PRJ-22316,
PRJ-22314

Security Management

NEW: Performance improvement of Management High Availability Full Sync.

PRJ-20030,
PMTR-61770

Security Management

UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published.

PRJ-19999,
PRHF-14293

Security Management

UPDATE: Improved the policy load process to reduce policy installation time when there is a large number of objects.

PRJ-20854,
SMCUPG-1316

Security Management

Management Server upgrade from R80.20 to R80.40 may fail if a Network Interface object refers to a Gateway object that does not exist.

PRJ-21254,
PMTR-62918

Security Management

In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large.

PRJ-21186,
PMTR-63358

Security Management

In rare scenarios, logout from a session fails with "An internal error has occurred" message.

PRJ-17788,
PRHF-13382

Security Management

In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT.

PRJ-21590,
PRHF-15244

Security Management

Although the Access Settings of the Management API is set to "All IP addresses", the API server does not accept requests from any IP address unless the IP is defined explicitly as a Trusted Client.

PRJ-20886,
PRHF-14946

Security Management

In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.

PRJ-21585,
PRHF-15222

Security Management

In rare scenarios, the CPM Solr process may not be stopped when running cpstop or mdsstop.

PRJ-20803,
PRHF-14691

Security Management

In some scenarios, deleting a partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains.

PRJ-21416,
PRJ-20995

Security Management

In rare scenarios, the initiation of the Management server may take a long time.

PRJ-21358,
PRHF-14606

Security Management

In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole.

PRJ-20303,
PRHF-14634

Security Management

In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error.

PRJ-20764,
PRHF-14399

Security Management

High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches.

PRJ-20841,
SMCUPG-1454

Security Management

When migrating a Domain Management Server to a Security Management Server:

  • SmartEvent Blade cannot be activated on the migrated domain.
  • If the Domain had standby Domain Servers, it may cause inconsistencies in the database, which may result in various failures. For example, policy installation may fail.

PRJ-16471,
PMTR-58631

Multi-Domain Management

UPDATE: When reassigning Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in queue of the local server due to other tasks that are running.

PRJ-22274,
PMTR-65110

Multi-Domain Management

In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916.

PRJ-21276,
SMCUPG-1625

Multi-Domain Management

In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.

PRJ-19993,
PRHF-14349

Multi-Domain Management

After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional:

  • The editor may not show configuration correctly
  • Security Gateway update may fail.

PRJ-19722,
PMTR-62272

Multi-Domain Management

The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.

  • A Domain manager running the API is notified when the results are filtered and is asked to run the command again with the "ignore-warnings" flag.

PRJ-21343,
PRJ-16910

Multi-Domain Management

When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work.

PRJ-20239,
PRHF-14533

SmartConsole

When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found".

PRJ-21387,
PMTR-63149

SmartConsole

Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.).

PRJ-21524

SmartConsole

In a rare scenario, automatic NAT rules are not visible in SmartConsole.

PRJ-20314,
PRHF-14637

SmartConsole

In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895.

PRJ-18921,
PRHF-13879

SmartConsole

In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435.

PRJ-19140,
PRHF-14010

SmartConsole

In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325.

PRJ-18859,
SL-4613

Logging

NEW: Added support for Endpoint Forensics reports to get-attachment API.

PRJ-7953,
PRHF-7415

Logging

In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676.

PRJ-20562,
PMTR-58714

Logging

In rare scenarios, the Log Exporter fails to connect to external destination when using the TLS protocol.

PRJ-17355,
PMTR-59205

Logging

FWM and/or log_indexer processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452.

PRJ-19009,
PRHF-13936

Logging

In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196.

PRJ-21156,
PRJ-21078

Logging

In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments.

PRJ-20873,
PMTR-62957

SmartView

UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel.

PRJ-20774,
PRHF-13197

Compliance

In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed.

PRJ-14101,
PRHF-11595

Compliance

Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices.

PRJ-21109,
PRHF-14953

Security Gateway

Authentication may fail when LDAP branch name contains "\".

PRJ-20338,
PRJ-20339,
PRHF-14616

Security Gateway

In rare scenarios, passive FTP packets may be dropped.

PRJ-21670,
PRJ-21671,
PRJ-8275

Security Gateway

In some scenarios, a Security policy installation fails during high CPU utilization.

PRJ-20898,
PRJ-20899,
PRHF-14824

Security Gateway

In some scenarios, the DNS requests from the Security Gateway may fail.

PRJ-17204,
PRJ-17205,
PRHF-2895

Security Gateway

After upgrading to R80.20, it is not possible to configure an OSPF interface to have a priority of 0.

PRJ-21610,
PRJ-21611,
PRHF-14715

Security Gateway

Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold".

PRJ-20630,
PRJ-20631,
PRHF-14378

Security Gateway

In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server.

PRJ-20383,
PRJ-20384,
PRHF-13431

Security Gateway

In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher.

PRJ-19849,
PRJ-19850,
PRHF-14268

Security Gateway

In some scenarios, a memory leak may appear after sending a packet from the kernel.

PRJ-19702,
PRJ-19703,
PMTR-62215

Security Gateway

In rare scenarios, a memory leak may occur in TOPOD process.

PRJ-19583,
PRJ-19584,
PMTR-61102

Security Gateway

In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.

PRJ-11204,
PRJ-17829,
PRHF-9029

Security Gateway

In some scenarios, traffic that is matched on an implied rule is dropped although it should not be.

PRJ-19798,
PRJ-19799,
PMTR-60336

Security Gateway

Improved the policy enforcement of the ZIP archive inner files.

PRJ-22407,
PRJ-22833

Security Gateway

In some scenarios, the "rad_kernel_service_container_add_service" error is printed to dmesg.

PRJ-21362,
PMTR-52835

Security Gateway

Traffic may be dropped when Hide NAT is configured on an IPv6 host.

  • Fix is relevant for Gaia 3.10 only.

PRJ-21240,
PRJ-21241,
PRHF-12746

Security Gateway

In rare scenarios, proxy ARP entries may be deleted when installing a policy.

PRJ-20923,
PRJ-18595,
PRHF-13478

Anti-Malware

In a rare scenario, the Security Gateway may crash when the Threat Prevention Forensics feature is enabled.

PRJ-20974,
PRJ-20975,
PRHF-14820

Anti-Malware

In rare scenarios, the Threat Prevention policy installation fails due to IOC parsing errors. Refer to sk171316.

PRJ-21724,
PRJ-21725,
PMTR-64420

Content Awareness

In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow.

PRJ-20751,
PRJ-20752,
PMTR-52421

Identity Awareness

NEW: Added Identity Awareness performance and memory consumption improvements. Refer to sk170516.

PRJ-20845,
PRJ-20846,
PRHF-14347

Identity Awareness

In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.

PRJ-20860,
PRJ-20861,
IDA-3642

Identity Awareness

In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch.

PRJ-23594,
PRHF-10292

Identity Awareness

In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492.

  • Fix is relevant for Gaia 3.10 only.

PRJ-20346,
PRJ-20347,
PRHF-14266

IPS

In a rare scenario, SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally.

PRJ-20094,
PRJ-20095,
PMTR-59101

DLP

UPDATE: Added support for multi-part data to DLP.

PRJ-20836,
PRJ-20837,
PRHF-14744

DLP

Improved DLP scanning for POST requests to some websites.

PRJ-18840,
PRJ-18841,
PRHF-13322

SSL Inspection

In rare scenarios, a memory leak may occur during policy installation.

PRJ-19039,
PRJ-19040,
PRHF-13886

UserCheck

In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message.

PRJ-20517,
PRJ-20489,
PRHF-13935

ClusterXL

UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command:

  • In Gaia Clish, run "show cluster members monitored"
  • In Expert mode, run "cphaprob -m tablestat"

PRJ-20533,
PRJ-20534,
PRHF-14728

ClusterXL

In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing.

PRJ-19391,
PRHF-14115

ClusterXL

"set router active-active-mode" settings do not survive a reboot.

  • Fix is relevant for Gaia 3.10 only.

PRJ-19924,
PMTR-58748

ClusterXL

In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state.

  • Fix is relevant for Gaia 3.10 only.

PRJ-19662,
PRHF-13929

SecureXL

In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.

PRJ-19404,
PRJ-19405,
PMTR-60870

SecureXL

In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148.

PRJ-17402,
PRJ-17403,
PRHF-13153

SecureXL

In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293.

PRJ-20545,
PRHF-14680

SecureXL

Security Gateway may crash when there are interfaces that do not need ARP resolution (VTI).

  • Fix is relevant for Gaia 3.10 only.

PRJ-5075,
PRHF-3929

Gaia OS

NEW: The ARP cache size limit on Clish was increased to 131072 hosts.

  • Fix is relevant for Gaia 3.10 only.

PRJ-19559,
PRJ-19560,
PRJ-19561,
PRJ-19531

Gaia OS

NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix.

PRJ-22837,
PMTR-55383

Gaia OS

UPDATE: Added the option to bind IP addresses to sockets using the "udp_connect" API. Refer to sk171019.

PRJ-21847,
PRJ-21848,
PMTR-50378

Gaia OS

UPDATE: Updated the arp table limit to 131072 in:

  • "set arp table" maximum entries through WebUI
  • Help description of "set arp table cache-size" in CLI

PRJ-20037,
GAIA-6704

Gaia OS

UPDATE: Added support for multiple commands definition in Dynamic CLI feature.

  • Fix is relevant for Gaia 3.10 only.

PRJ-18938,
PRJ-18939,
PRHF-13812

Gaia OS

In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file.

PRJ-20042,
PMTR-55457

Gaia OS

Sensitive Information Disclosure may appear in the output of "show file *" CLI command.

  • Fix is relevant for Gaia 3.10 only.

PRJ-20744,
PMTR-63201

Gaia OS

CVE-2020-25705: ICMP reply rate.

PRJ-16959,
PRJ-16960,
PRHF-12751

Gaia OS

In some scenarios, the "rhost" value may be missing from logs when the user tries to access the WebUI.

PRJ-21093,
PMTR-48177

Gaia OS

WebUI may not load for Management devices.

PRJ-20038,
PMTR-49489

Gaia OS

Several features are duplicated (both in WebUI and Clish) in RBA roles configuration/settings.

  • This is a cosmetic issue. Fix is relevant for Gaia 3.10 only.

PRJ-19623,
PMTR-58288

Gaia OS

Extended commands are missing after adding Dynamic CLI.

  • Fix is relevant for Gaia 3.10 only.

PRJ-20040,
PMTR-54647

Gaia OS

Read-Only users may run Dynamic CLI command with UUID other than 0.

  • Fix is relevant for Gaia 3.10 only.

PRJ-15660,
PRJ-15661,
PMTR-57216

Routing

UPDATE: Display of routing CPview results is limited to 30 lines.

PRJ-19627,
PRJ-19628,
PRHF-14280

Routing

ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works.

PRJ-15548,
PRJ-15549,
PRHF-11629

VPN

UPDATE: Added the TTM-per-group feature improvement that allows it to work with more client types (for example Nemo client).

PRJ-20946,
PRJ-20947,
PMTR-63287

VPN

In some scenarios, L2TP clients disconnect from the Security Gateway after 10 minutes of the connection.

PRJ-18751,
PRJ-18752,
PRHF-2209

VPN

In some scenarios, the Dynamic ID configuration in SmartConsole (SMS/Email) is ignored. Refer to sk144933.
With this fix, an administrator will be able to choose for each login option separately which protocol (HTTP/SMTP) will be used to send the one-time code.

PRJ-17492,
PRHF-13007

VPN

In an IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync, causing a VPN traffic outage.

PRJ-20825,
PRJ-21087,
PRJ-20824

VPN

In IKEv2, the renegotiation of IKE SA may fail.

PRJ-21541,
PRJ-21542,
PMTR-64128

VPN

Added VPN Remote Access stability improvement.

PRJ-19482,
VPNS2S-1446

VPN

Added various VPN connection improvements on Gaia 3.10.

PRJ-21694,
PRHF-15321

VPN

When IKEv2 and pre-shared-key are configured, VPN may fail on the second IKE SA re-key. Refer to sk171756.

  • Fix is relevant for Gaia 3.10 only.

PRJ-19214,
PRHF-13685

VPN

Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.

PRJ-12241,
PRJ-16987,
PRHF-10370

VPN

When clicking "View..." in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496.

PRJ-7480,
PRJ-15245,
GAIA-6504

VPN

Policy installation with VPN enabled may take a long time.

PRJ-7476,
PRJ-15244,
VPNRA-297

VPN

The vpnd daemon may unexpectedly exit during policy installation when the Mobile Access Blade is used.

PRJ-19422,
PRJ-19423,
PRHF-13784

VPN

In some scenarios, the vpnd process unexpectedly exits with Segmentation fault.

PRJ-13820,
PRJ-21084,
PRHF-10420

VPN

Access roles do not recognize Remote Access SNX CLI clients.

PRJ-17185,
PRHF-12828

VPN

A connectivity issue may appear between a Check Point Gateway and a 3rd party device in a MEP DPD configuration when the 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".

PRJ-18269,
PRJ-18270,
PRHF-13543

VPN

The VPND process on a standby cluster member may unexpectedly exit when VPN peer has a probing link selection configured. Refer to sk170136.

PRJ-19971,
PRJ-19969

VSX

UPDATE: Removed the .1.3.6.1.4.1.2620.1.16.22.2 (vsxStatusCPUUsageTable) and .1.3.6.1.4.1.2620.1.16.22.4 (vsxStatusCPUUsagePerCPUTable) OIDs, as they are not supported on Gaia 3.10.

PRJ-20148,
PRHF-14537

VSX

In rare scenarios, some interfaces remain in "Down" state after reboot.

  • Fix is relevant for Gaia 3.10 only.

PRJ-20963,
VSX-2519

VSX

After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352.

PRJ-15445,
PRJ-15446,
PMTR-55887

VSX

In some scenarios, there may be high CPU utilization in a VSX environment with several instances.

PRJ-20584,
PRJ-20585,
VPNRA-642

Mobile Access

Removed potential XSS vulnerability in the MAB Login page.

PRJ-19234,
PRJ-19235,
PRHF-14046

Mobile Access

There may be a delay when connecting to HTTPS based SMS portal over a non-standard proxy port. Refer to sk170497.

PRJ-21748,
PMTR-60418

Endpoint Security

On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list.

PRJ-19311,
PRHF-13909

CloudGuard IaaS

When creating a GCP Data Center, Test Connection may fail on large GCP accounts.