Take 235 - Ongoing
List of Resolved Issues and New Features
|
Note - This Take contains all fixes from all earlier Takes. |
ID |
Product |
Description |
---|---|---|
Take 235 Released on 26 Apr 2021 |
||
PRJ-24911, |
Security Management |
"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026. |
PRJ-9515, |
Security Management |
The Rule UID is hidden in Audit logs. Refer to sk165016. |
PRJ-23921, |
Security Management |
SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server. |
PRJ-22609, |
Security Management |
In some scenarios, a Domain migration may fail during the Access Policy import with the "Object not found" error in cpm.elg file. |
PRJ-22440, |
Security Management |
Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003. |
PRJ-22122, |
Security Management |
Running override_server_setting.sh may not update settings correctly when updating a setting multiple times. |
PRJ-15904, |
Security Management |
Security policy compilation fails if the Domain network object name (FQDN name) contains a space. |
PRJ-17232, |
Security Management |
In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently. |
PRJ-23772, |
Security Management |
"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation. |
PRJ-22871, |
Security Management |
In some scenarios, policy installation fails with "Error code 0-2000077" message. |
PRJ-20808, |
Security Management |
On Security Management with a connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with a core file ~4 GB in size. Refer to sk173704. |
PRJ-22210, |
Security Management |
In rare scenarios, concurrent update operations performed by several administrators on the Management Server may fail. |
PRJ-22129, |
Security Management |
In a rare scenario, Management HA synchronization fails after the Purge Revisions operation. |
PRJ-13069, |
Security Management |
In rare scenarios, during a Global Policy Reassignment, the Management Server may unexpectedly exit and fail to start again. |
PRJ-22631, |
Multi-Domain Management |
UPDATE: Improved the Domain Management Server and Domain Log Server creation and deletion operations. |
PRJ-23158, |
Multi-Domain Management |
UPDATE: Added stabilization improvement for Assign and Reassign Global Policy operations. |
PRJ-22579, |
Multi-Domain Management |
In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059. |
PRJ-22595, |
Multi-Domain Management |
Create Domain action may fail with a "License violation detected" error even though CPSM-DOMAINS-1 license is applied on the Management Server. |
PRJ-24019, |
Multi-Domain Management |
In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain. |
PRJ-21911, |
Multi-Domain Management |
In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup. |
PRJ-22521, |
Multi-Domain Management |
In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704. |
PRJ-22137, |
Multi-Domain Management |
A Multi-Domain Server with dozens of Domains may take a long time to start. |
PRJ-23542, |
Multi-Domain Management |
In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles. |
PRJ-13189, |
Multi-Domain Management |
In a rare scenario, Advanced upgrade from R80.10 may fail. |
PRJ-19498, |
SmartConsole |
"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management servers has the "Logging & Status" blade disabled. Refer to sk172226. |
PRJ-21622, |
SmartConsole |
In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905. |
PRJ-22217, |
SmartConsole |
In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker. |
PRJ-17275, |
SmartConsole |
The "Recent Tasks" view allows only Super Users to view other administrators' tasks. |
PRJ-21182, |
Logging |
NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated. |
PRJ-18558, |
Logging |
In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999. |
PRJ-23154, |
Logging |
When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763. |
PRJ-23203, |
Logging |
In rare scenarios, when creating a Log server object and establishing SIC, log queries from the newly created Log server object may fail. |
PRJ-23007, |
Logging |
In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis. |
PRJ-21113, |
Logging |
In some scenarios, when declaring a filter in Log Exporter, logs may not be exported. Refer to sk173025. |
PRJ-23414, |
Logging |
In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results). |
PRJ-17118, |
Logging |
In SmartView, chart and timeline widgets may show a "Query Failed" error. |
PRJ-21305, |
Logging |
|
PRJ-15783, |
Logging |
In SmartView, when the user exports a container widget with charts to PDF, some data may be missing, and the charts may be shown in a distorted manner. |
PRJ-22183, |
Logging |
In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one. |
PRJ-22247, |
Logging |
In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles". |
PRJ-21144, |
Logging |
In SmartView, when opening a log card popup in lower resolutions, the text in the header may be cut off. |
PRJ-21372, |
Logging |
In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly exit. |
PRJ-15325, |
Logging |
In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done. |
PRJ-23139, |
Internal CA |
The output of the "lscert" command has duplicate lines for all certificates that are not in "pending" status. |
PRJ-16050, |
Compliance |
Deactivated Compliance Best Practices appear in the Compliance report. |
PRJ-21900, |
Security Gateway |
NEW: Added new troubleshooting tool to cplic command for Entitlement manager. |
PRJ-23384, |
Security Gateway |
NEW: Implemented new Fast-Accel producer. The following Fast-Accel statistics are added to CPView:
|
PRJ-22678, |
Security Gateway |
UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607. |
PRJ-10988, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560. |
PRJ-19572, |
Security Gateway |
When using "User Alert 3" in the code alert, a cosmetic error "FW-1: fwdrv_get_string_id_from_code: illegal parameters for code 8" appears in the /var/log/messages file. |
PRJ-20568, |
Security Gateway |
In some scenarios, the "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file. |
PRJ-22453, |
Security Gateway |
In a rare scenario, the Security Gateway may crash with fwk and fwk_wd core dump files. |
PRJ-19410, |
Security Gateway |
The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled. |
PRJ-22371, |
Security Gateway |
In some scenarios, the Security Gateway attempts to access the Management Server through the server's NAT IP address (defined in the "NAT" section of the server object), while the server is reachable only through the main IP address (defined in the "General Properties" section of the server object). Refer to sk171665 to configure the required parameter SKIP_NATTED_IP. |
PRJ-20902, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits during debug.
|
PRJ-21110, |
Security Gateway |
Authentication may fail when LDAP branch name contains "\".
|
PRJ-21053, |
Security Gateway |
In a rare scenario, Fast Accel logs are sent although they are disabled on the matched rule. Refer to sk171336. |
PRJ-23519, |
Security Gateway |
Security Gateway may freeze on boot when IPv6 and IPv4 are enabled with 40 instances in Kernel mode. Refer to sk172364. |
PRJ-21470, |
Security Gateway |
When the Security Gateway is configured as a proxy, some network objects may not be matched correctly. |
PRJ-23396, |
Security Gateway |
Added support for "Other" services configured with IP protocol, but without advanced "Match" expression. |
PRJ-23099, |
Security Gateway |
The connection may not exist in the SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allowing out-of-state TCP packets. |
PRJ-21310, |
Security Gateway |
Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754. |
PRJ-24297, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway. |
PRJ-22079, |
Internal CA |
In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process unexpectedly exits when trying to renew a certificate on a standby Domain. |
PRJ-19450, |
Identity Awareness |
Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH). |
PRJ-24583, |
Identity Awareness |
In some scenarios, a Security Gateway may crash after Take 232 installation due to an Identity Awareness-specific flow. |
PRJ-21455, |
Identity Awareness |
In some scenarios, VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*). |
PRJ-22357, |
Identity Awareness |
In some scenarios, output of "pdp conn pep" command may show wrong PEP names. |
PRJ-21237, |
IPS |
UPDATE: Exceptions are now enforced for these IPS protections:
Refer to sk166222. |
PRJ-22516, |
IPS |
Proxy source IP address is not printed in the IPS logs. |
PRJ-19491, |
Application Control |
The fw_full (fwd daemon) unexpectedly exits, producing a core dump file and causing a cluster failover. |
PRJ-21294, |
URL Filtering |
UPDATE: Improved RAD event output to provide additional information on events, such as detailed timing. This update also activates the retry mechanism by default. |
PRJ-21708, |
SSL Inspection |
In rare scenarios, a memory leak may occur in a crypto module. |
PRJ-19776, |
SSL Inspection |
In some scenarios, the wstlsd process may unexpectedly exit when browsing to certain websites. |
PRJ-19780, |
SSL Inspection |
A memory leak may occur during policy installation. |
PRJ-22532, |
Anti-Malware |
UPDATE: Improved behavior of Intelligence Feed failure.
|
PRJ-22019, |
Anti-Malware |
In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected. |
PRJ-20267, |
Anti-Malware |
Packet capture may not be generated for certain IPS protections. |
PRJ-18701, |
UserCheck |
When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear in the URL field of log details.
|
PRJ-14601, |
Mobile Access |
In some scenarios, pinger (MAB process that handles the ActiveSync traffic) may unexpectedly exit. |
PRJ-21641, |
Mobile Access |
Mobile Access may overwrite the /etc/hosts file on Security Gateway. |
PRJ-21697, |
ClusterXL |
UPDATE: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces. |
PRJ-21347, |
ClusterXL |
In some scenarios, a large quantity of logs is generated on cluster VIP API. |
PRJ-19516, |
ClusterXL |
In some scenarios, the required interface value is higher than it should be when adding a VLAN interface.
|
PRJ-22149, |
ClusterXL |
During active-active-bridge mode, the "show routed cluster-state" command may display some members as slave instead of master.
|
PRJ-18060, |
SecureXL |
UPDATE: Changed the "accept out of state" global parameter usage and added support to change it for specific VS. Refer to sk147093. |
PRJ-22287, |
SecureXL |
TCP reset packets may be dropped with an invalid sequence. |
PRJ-22166, |
SecureXL |
Rate limiting rules using concurrent-connection counters may cause connections to be blocked. |
PRJ-22434, |
SecureXL |
In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections. |
PRJ-19370, |
SecureXL |
Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries. |
PRJ-20683, |
SecureXL |
In some scenarios, not all IP addresses listed in Deny List file $FWDIR/conf/deny_lists are loaded. |
PRJ-22914, |
SecureXL |
Improved the Smart Connection Reuse feature to be consistent with the user configuration. Refer to sk24960. |
PRJ-19663, |
SecureXL |
In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.
|
PRJ-22901, |
Routing |
In some scenarios, OSPF configured with unnumbered VTI on cluster frequently moves between "Full" and "EXSTART" status.
|
PRJ-17586, |
Gaia OS |
UPDATE: SNMP USM user names limitation was increased from 8 characters to 31. |
PRJ-22920, |
Gaia OS |
"kernel: [SIM4];resume_from_error: failed to get ci_or_corr" error message may be printed numerous times in /var/log/messages file while running UDP Traffic Load. Refer to sk172543. |
PRJ-21997, |
Gaia OS |
In rare scenarios, SNMP user details may be visible in /var/log/messages file. |
PRJ-21925, |
Gaia OS |
Unable to set MTU on Igb cards. |
PRJ-443 |
Gaia OS |
Non-English characters in Expert password may cause Clish to crash. |
PRJ-24153, |
Gaia OS |
In rare scenarios, the "show asset network" command may lead to a memory leak. Refer to sk174823. |
PRJ-24049, |
Gaia OS |
Captive Portal / SAML portal may not work after installation with Blink image. |
PRJ-21664, |
Gaia OS |
In some scenarios, policy installation on a Check Point Gateway in Azure causes the Gateway to crash and load a default policy. Refer to sk171553.
|
PRJ-20743, |
Gaia OS |
CVE-2020-25705: ICMP reply rate.
|
PRJ-22214, |
Gaia OS |
"show configuration on" may not expose bond members.
|
PRJ-13301, |
VPN |
NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity. |
PRJ-15567 |
VPN |
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address. |
PRJ-19902, |
VPN |
Mobile Access SNX may fail to connect to the Security Gateway when the realm used by the client is different from the SSL VPN realm. |
PRJ-18413, |
VPN |
Remote Access VPN policy installation optimization. Refer to sk173947. |
PRJ-21762, |
VPN |
In a rare scenario, there may be an incorrect IKE ID in an ID payload with 3rd party peers in IKEv1 and IKEv2. |
PRJ-17493, |
VPN |
In IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync causing a VPN traffic outage. Refer to sk172926.
|
PRJ-22424, |
VPN |
Tunnel Test packets may be dropped by Secure Configuration Verification (SCV) check when implied rules are disabled. Refer to sk168033. |
PRJ-21649, |
VPN |
When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550. |
PRJ-19215, |
VPN |
Site to Site VPN fails to establish with IKEv2 on GCP when NAT-T is enabled.
|
PRJ-22411, |
VPN |
In some scenarios, L2TP tunnel is not deleted completely upon disconnection. |
PRJ-23940, |
VPN |
When the Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not to be removed from the table. |
PRJ-23301, |
VPN |
In rare scenarios, the vpnd process may unexpectedly exit in an L2TP-related flow. |
PRJ-22541, |
VPN |
Added stability fix in validation checks for ECDSA certificates. |
PRJ-21259, |
VSX |
Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool. |
PRJ-15568 |
VPN |
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address.
|
PRJ-23827, |
VSX |
In rare scenarios, the Wrp interface may not come up. Refer to sk171753.
|
PRJ-20919, |
QoS |
Security Gateway may crash in QoS flow when interface goes down and up during packet processing. |