Take 232 - Ongoing

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID	Product	Description
Take 232 Released on 16 March 2021
PRJ-20071, MCFG-229	Security Management	NEW: Optimized the Solr build time to improve performance in the following operations: Restore of the entire MDS/MLM from backup Upgrade from R80.10 Solr Cure
PRJ-21004, PRHF-14969	Security Management	NEW: Improved FWM process performance during Security policy or database installation.
PRJ-22316, PRJ-22314	Security Management	NEW: Performance improvement of Management High Availability Full Sync.
PRJ-20030, PMTR-61770	Security Management	UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published.
PRJ-19999, PRHF-14293	Security Management	UPDATE: Added improvements in policy load process, to reduce the policy installation time when having large amount of objects.
PRJ-20854, SMCUPG-1316	Security Management	Management Server upgrade from R80.20 to R80.40 may fail if a Network Interface object refers to a Gateway object that does not exist.
PRJ-21254, PMTR-62918	Security Management	In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large.
PRJ-21186, PMTR-63358	Security Management	In rare scenarios, logout from a session fails with "An internal error has occurred" message.
PRJ-17788, PRHF-13382	Security Management	In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT.
PRJ-21590, PRHF-15244	Security Management	Although the Access Settings of the Management API is set to "All IP addresses", the API server does not accept requests from any IP address unless the IP is defined explicitly as a Trusted Client.
PRJ-20886, PRHF-14946	Security Management	In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.
PRJ-21585, PRHF-15222	Security Management	In rare scenarios, the CPM Solr process may not be stopped when running cpstop or mdsstop.
PRJ-20803, PRHF-14691	Security Management	In some scenarios, deleting a partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains.
PRJ-21416, PRJ-20995	Security Management	In rare scenarios, the initiation of the Management server may take a long time.
PRJ-21358, PRHF-14606	Security Management	In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole.
PRJ-20303, PRHF-14634	Security Management	In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error.
PRJ-20764, PRHF-14399	Security Management	High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches.
PRJ-20841, SMCUPG-1454	Security Management	When migrating a Domain Management Server to a Security Management Server: SmartEvent Blade cannot be activated on the migrated domain. If the Domain had standby Domain Servers, it may cause inconsistencies in the database, that may result in different failures. For example, policy installation may fail.
PRJ-16471, PMTR-58631	Multi-Domain Management	UPDATE: When reassigning Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in queue of the local server due to other tasks that are running.
PRJ-22274, PMTR-65110	Multi-Domain Management	In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916.
PRJ-21276, SMCUPG-1625	Multi-Domain Management	In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.
PRJ-19993, PRHF-14349	Multi-Domain Management	After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional: The editor may not show configuration correctly Security Gateway update may fail.
PRJ-19722, PMTR-62272	Multi-Domain Management	The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile. A Domain manager running the API will be notified when the results will be filtered and will be asked to run the command again with the "ignore-warnings" flag.
PRJ-21343, PRJ-16910	Multi-Domain Management	When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work.
PRJ-20239, PRHF-14533	SmartConsole	When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found".
PRJ-21387, PMTR-63149	SmartConsole	Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.).
PRJ-21524	SmartConsole	In a rare scenario, automatic NAT rules are not visible in SmartConsole.
PRJ-20314, PRHF-14637	SmartConsole	In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895.
PRJ-18921, PRHF-13879	SmartConsole	In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435.
PRJ-19140, PRHF-14010	SmartConsole	In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325.
PRJ-18859, SL-4613	Logging	NEW: Added support for Endpoint Forensics reports to get-attachment API.
PRJ-7953, PRHF-7415	Logging	In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676.
PRJ-20562, PMTR-58714	Logging	In rare scenarios, the Log Exporter fails to connect to external destination when using the TLS protocol.
PRJ-17355, PMTR-59205	Logging	FWM and\or log_indexer processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452.
PRJ-19009, PRHF-13936	Logging	In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196.
PRJ-21156, PRJ-21078	Logging	In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments.
PRJ-20873, PMTR-62957	SmartView	UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel.
PRJ-20774, PRHF-13197	Compliance	In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed.
PRJ-14101, PRHF-11595	Compliance	Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices.
PRJ-21109, PRHF-14953	Security Gateway	Authentication may fail when LDAP branch name contains "\".
PRJ-20338, PRJ-20339, PRHF-14616	Security Gateway	In rare scenarios, passive FTP packets may be dropped.
PRJ-21670, PRJ-21671, PRJ-8275	Security Gateway	In some scenarios, a Security policy installation fails during high CPU utilization.
PRJ-20898, PRJ-20899, PRHF-14824	Security Gateway	In some scenarios, the DNS requests from the Security Gateway may fail.
PRJ-17204, PRJ-17205, PRHF-2895	Security Gateway	After upgrading to R80.20, it is not possible to configure an OSPF interface to have a priority of 0.
PRJ-21610, PRJ-21611, PRHF-14715	Security Gateway	Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold".
PRJ-20630, PRJ-20631, PRHF-14378	Security Gateway	In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server.
PRJ-20383, PRJ-20384, PRHF-13431	Security Gateway	In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher.
PRJ-19849, PRJ-19850, PRHF-14268	Security Gateway	In some scenarios, a memory leak may appear after sending a packet from the kernel.
PRJ-19702, PRJ-19703, PMTR-62215	Security Gateway	In rare scenarios, a memory leak may occur in TOPOD process.
PRJ-19583, PRJ-19584, PMTR-61102	Security Gateway	In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.
PRJ-11204, PRJ-17829, PRHF-9029	Security Gateway	In some scenarios, traffic that is matched on implied rule is dropped while it should not.
PRJ-19798, PRJ-19799, PMTR-60336	Security Gateway	Improved the policy enforcement of the ZIP archive inner files
PRJ-22407, PRJ-22833	Security Gateway	In some scenarios, the "rad_kernel_service_container_add_service" error is printed to dmesg.
PRJ-21362, PMTR-52835	Security Gateway	Traffic may be dropped when the Hide NAT is configured on IPv6 host. Fix is relevant for Gaia 3.10 only.
PRJ-21240, PRJ-21241, PRHF-12746	Security Gateway	In rare scenarios, proxy ARP entries may be deleted when installing a policy.
PRJ-20923, PRJ-18595, PRHF-13478	Anti-Malware	In a rare scenario, the Security Gateway may crash when the Threat Prevention Forensics feature is enabled.
PRJ-20974, PRJ-20975, PRHF-14820	Anti-Malware	In rare scenarios, the Threat Prevention policy installation fails due to IOC parsing errors. Refer to sk171316.
PRJ-21724, PRJ-21725, PMTR-64420	Content Awareness	In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow.
PRJ-20751, PRJ-20752, PMTR-52421	Identity Awareness	NEW: Added the Identity Awareness performance and memory consumption improvements. Refer to sk170516.
PRJ-20845, PRJ-20846, PRHF-14347	Identity Awareness	In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.
PRJ-20860, PRJ-20861, IDA-3642	Identity Awareness	In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch.
PRJ-23594, PRHF-10292	Identity Awareness	In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492. Fix is relevant for Gaia 3.10 only.
PRJ-20346, PRJ-20347, PRHF-14266	IPS	In rare scenario, the SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally.
PRJ-20094, PRJ-20095, PMTR-59101	DLP	UPDATE: Added support for multi-part data to DLP.
PRJ-20836, PRJ-20837, PRHF-14744	DLP	Improved DLP scanning for POST request to some Web sites.
PRJ-18840, PRJ-18841, PRHF-13322	SSL Inspection	In rare scenarios, a memory leak may occur during policy installation.
PRJ-19039, PRJ-19040, PRHF-13886	UserCheck	In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message.
PRJ-20517, PRJ-20489, PRHF-13935	ClusterXL	UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command: In Gaia Clish, run "show cluster members monitored" In Expert mode, run "cphaprob -m tablestat"
PRJ-20533, PRJ-20534, PRHF-14728	ClusterXL	In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing.
PRJ-19391, PRHF-14115	ClusterXL	"set router active-active-mode" settings do not survive a reboot. Fix is relevant for Gaia 3.10 only.
PRJ-19924, PMTR-58748	ClusterXL	In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state. Fix is relevant for Gaia 3.10 only.
PRJ-19662, PRHF-13929	SecureXL	In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.
PRJ-19404, PRJ-19405, PMTR-60870	SecureXL	In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148.
PRJ-17402, PRJ-17403, PRHF-13153	SecureXL	In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293.
PRJ-20545, PRHF-14680	SecureXL	Security Gateway may crash when there are interfaces that do not need the ARP resolution (VTI). Fix is relevant for Gaia 3.10 only.
PRJ-5075, PRHF-3929	Gaia OS	NEW: The ARP cache size limit on Clish was increased to 131072 hosts. Fix is relevant for Gaia 3.10 only.
PRJ-19559, PRJ-19560, PRJ-19561, PRJ-19531	Gaia OS	NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix.
PRJ-22837, PMTR-55383	Gaia OS	UPDATE: Added the option to bind IP addresses to sockets using the "udp_connect" API. Refer to sk171019.
PRJ-21847, PRJ-21848, PMTR-50378	Gaia OS	UPDATE: Updated the arp table limit to 131072 in: "set arp table" maximum entries through WebUI Help description of "set arp table cache-size" in CLI
PRJ-20037, GAIA-6704	Gaia OS	UPDATE: Added support for multiple commands definition in Dynamic CLI feature. Fix is relevant for Gaia 3.10 only.
PRJ-18938, PRJ-18939, PRHF-13812	Gaia OS	In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file.
PRJ-20042, PMTR-55457	Gaia OS	Sensitive Information Disclosure may appear in the output of "show file *" CLI command. Fix is relevant for Gaia 3.10 only.
PRJ-20744, PMTR-63201	Gaia OS	CVE-2020-25705: ICMP reply rate.
PRJ-16959, PRJ-16960, PRHF-12751	Gaia OS	In some scenarios, the "rhost" value may be missing from logs when the user tries to access the WebUI.
PRJ-21093, PMTR-48177	Gaia OS	WebUI may not load for Management devices.
PRJ-20038, PMTR-49489	Gaia OS	Several features are duplicated (both in WebUI and Clish) in RBA roles configuration/settings. This is a cosmetic issue. Fix is relevant for Gaia 3.10 only.
PRJ-19623, PMTR-58288	Gaia OS	Extended commands are missing after adding Dynamic CLI. Fix is relevant for Gaia 3.10 only.
PRJ-20040, PMTR-54647	Gaia OS	Read-Only users may run Dynamic CLI command with UUID other than 0. Fix is relevant for Gaia 3.10 only.
PRJ-15660, PRJ-15661, PMTR-57216	Routing	UPDATE: Display of routing CPview results is limited to 30 lines.
PRJ-19627, PRJ-19628, PRHF-14280	Routing	ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works.
PRJ-15548, PRJ-15549, PRHF-11629	VPN	UPDATE: Added the TTM-per-group feature improvement that allows it to work with more client types (for example Nemo client).
PRJ-20946, PRJ-20947, PMTR-63287	VPN	In some scenarios, L2TP clients disconnect from the Security Gateway after 10 minutes of the connection.
PRJ-18751, PRJ-18752, PRHF-2209	VPN	In some scenarios, the Dynamic ID configuration in SmartConsole (SMS/Email) is ignored. Refer to sk144933. With this fix, an administrator will be able to choose for each login option separately which protocol (HTTP/SMTP) will be used to send the one-time code.
PRJ-17492, PRHF-13007	VPN	In IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync causing a VPN traffic outage.
PRJ-20825, PRJ-21087, PRJ-20824	VPN	In IKEv2, the renegotiation of IKE SA may fail.
PRJ-21541, PRJ-21542, PMTR-64128	VPN	Added VPN Remote Access stability improvement.
PRJ-19482, VPNS2S-1446	VPN	Added various VPN connection improvements on Gaia 3.10.
PRJ-21694, PRHF-15321	VPN	When IKEv2 and pre-shared-key is configured, VPN may fail on the second IKE SA re-key. Refer to sk171756. Fix is relevant for Gaia 3.10 only.
PRJ-19214, PRHF-13685	VPN	Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.
PRJ-12241, PRJ-16987, PRHF-10370	VPN	When clicking "View..." in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496.
PRJ-7480, PRJ-15245, GAIA-6504	VPN	Policy installation with VPN enabled may take a long time.
PRJ-7476, PRJ-15244, VPNRA-297	VPN	The vpnd daemon may unexpectedly exit during policy installation when the Mobile Access Blade is used.
PRJ-19422, PRJ-19423, PRHF-13784	VPN	In some scenarios, the vpnd process unexpectedly exits with Segmentation fault.
PRJ-13820, PRJ-21084, PRHF-10420	VPN	Access roles do not recognize Remote Access SNX CLI clients.
PRJ-17185, PRHF-12828	VPN	Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".
PRJ-18269, PRJ-18270, PRHF-13543	VPN	The VPND process on a standby cluster member may unexpectedly exit when VPN peer has a probing link selection configured. Refer to sk170136.
PRJ-19971, PRJ-19969	VSX	UPDATE: Removed the .1.3.6.1.4.1.2620.1.16.22.2 (vsxStatusCPUUsageTable) and .1.3.6.1.4.1.2620.1.16.22.4 (vsxStatusCPUUsagePerCPUTable) OIDs as not supported on Gaia 3.10.
PRJ-20148, PRHF-14537	VSX	In rare scenarios, some interfaces remain in "Down" state after reboot. Fix is relevant for Gaia 3.10 only.
PRJ-20963, VSX-2519	VSX	After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352.
PRJ-15445, PRJ-15446, PMTR-55887	VSX	In some scenarios, there may be high CPU utilization in a VSX environment with several instances.
PRJ-20584, PRJ-20585, VPNRA-642	Mobile Access	Removed potential XSS vulnerability in the MAB Login page.
PRJ-19234, PRJ-19235, PRHF-14046	Mobile Access	There may be a delay when connecting to HTTPS based SMS portal over a non-standard proxy port. Refer to sk170497.
PRJ-21748, PMTR-60418	Endpoint Security	On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list.
PRJ-19311, PRHF-13909	CloudGuard IaaS	When creating a GCP Data Center, Test Connection may fail on large GCP accounts.