Take 237 - General Availability

NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2.

NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629.

UPDATE: Added an environmental variable to control the sduu command timeout in the FWM process: SDUU_UPDATE_TIMEOUT.

User may fail to connect to SmartConsole after the administrator changed the RADIUS server host IP address. Refer to sk172065.

Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same".

In some scenarios, the Desktop policy fails with "Policy installation had failed due to an internal error. If the problem persists please contact Check Point support". Refer to sk171970.

In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name.

In some scenarios, when updating Check Point Host object to be a Network Policy Management and in addition configuring it as a Secondary Server, "Publish" fails with "Action Failed due to an internal error".

When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file.

In a rare scenario, the FWM process may unexpectedly unexpectedly exit.

NEW: Once a day, Multi-Domain Management Servers will check for peers that are not synchronized. If such are identified, HA full sync will be automatically initiated at the MDS level.

In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole.

Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x.

In some scenarios, HA synchronization may fail on the MDS level with the "Failed to synchronize this peer due to purged revisions in the database." message.

In some scenarios, the gateway hardware change in SmartConsole fails with "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning.

In some scenarios on Multi-Domain environments, Compliance data is not synchronized between primary and secondary Domains.

NEW: The Log exporter now supports formatting for RSA SIEM application.

UPDATE: The Log Server now supports up to 2700 Gateways (previously was 1024). Refer to sk163413.

In the SmartConsole Logs tab, the "IKE IDs" field cannot be added to column profiles.

Starting from Jumbo Take 216, logs exported in LogRhythm format via the Log Exporter, appear in an incorrect format.

In Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application.

In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention blades, logs of the "Anti Spam" blade are not exported.

In SmartView, when filtering with specific time filters, the result may include more logs than was requested.

When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways.

UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates.

UPDATE: Service with source port in the Access rulebase will no longer disable accept templates for all connections.

In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server.

In rare scenarios, when the "sd_global_monitor_only" property is set to "true", there is no HTTP inspection.

In some scenarios, the VSX Cluster switch may cause a core dump.

In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg.

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may stuck.

Boot may take a long time on machines with many VLANs or secondary IP addresses.

• Fix is relevant for Gaia 3.10 only.

In a rare scenario, Security Gateway may crash when handling some DNS packets.

RADIUS authentication failure messages are written to SmartConsole logs but not presented to a user. Refer to sk173927.

In some scenarios, when adding a "#" in the login banner, the banner becomes corrupted.

In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together.

In some non-VPN scenarios, MSS Adjustment (Clamping) does not work.

In some scenarios, connections are dropped with the "Virtual defragmentation error: fragment table is full" message. Refer to sk180404.

VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683.

In some scenarios, values set in fwkern.conf file may not be applied correctly.

In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may unexpectedly exit. Refer to sk172935.

In rare scenarios, DynamicID authentication fails with "server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303.

In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file.

In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing.

NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.
The feature is disabled by default. To enable it, refer to sk128212.

Optimized the PDP expired timers mechanism performance.

In a rare scenario, the Security Gateway may crash when working with Anti-Virus.

• Fix is relevant for Gaia 3.10 only.

In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, action fails with "An unexpected error has occured..." error message.

In rare scenarios, Security Gateway may crash if event app debug is enabled.

In a rare scenario, the Security gateway may crash with the "Problem with the Commit Function" error during policy installation. Refer to sk173248.

In some scenarios, the DNS response message with record type 0 may be dropped by "Non compliant DNS" protection.

Improved the HTTP protocol handling.

UPDATE: Avoid sending the TLS probe during inbound inspection when it is not necessary for the SNI-based categorization.

A table hash size may be too small for some environments and cause an increased CPU usage.

TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated.

In rare scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

The Gaia Clish command "set snmp traps trap clusterXLFailover enable" fails with "Bad Command Unknown Trap name." Refer to sk173810.

• Fix is relevant for Gaia 3.10 only.

In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file.

A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns".

In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode.

• Fix is relevant for Gaia 3.10 only.

In a VSX environment, the SYN Defender configuration may not be applied correctly.

UPDATE: Allow "set bgp internal peer <value> send-route-refresh" commands.

VRRP member freezes when deleting a VLAN interface. Refer to sk106226.

In OSPF environment, the ROUTED process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss.

In a rare scenario, the ROUTED process unexpectedly exits when creating an MFC (S,G) entry. Refer to sk176685.

In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with the "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message.

The ROUTED process with Ping enabled always gets reset during Clish reconfiguration.

In some scenarios, the ROUTED process may unexpectedly exit when there is a static route and a kernel route to the same destination.

In some scenarios, FWK process unexpectedly exits due to SNX authorization timeout in MAB's Unified Policy mode. Refer to sk173125.

Remote Access session may not be synced on the standby member VS.

• Fix is relevant for Gaia 3.10 only.

When the administrator adds more than 30 native applications, users may fail to connect via SSL Network Extender Application mode.

In some scenarios, the HTTPD process consumes a high CPU causing slowness in access to web applications.

UPDATE:

• Improved Site to Site VPN stability when it is configured with NAT.

• Enabled the global parameter "offer_nat_t_initator" by default. Refer to sk32664.

IKEv2 may cause the VPND process to unexpectedly exit when IKEv2 rekey uses certificates.

In some scenarios, user may not be able to connect because the VPND process unexpectedly exits.

In some scenarios, VPN Remote Access users are disconnected after policy installation. Refer to sk171966.

Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type.

In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266.

In some scenarios, the IKED process unexpectedly exits producing a core dump.

MEP failover with 3rd party vendors may not work correctly.

In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug.

In some scenarios, the VPND process unexpectedly exits after installing the policy.

Added VPN stability improvement in IKEv2.

In rare scenarios, all traffic is dropped with "Rulebase Internal Error" in SmartLog.

In rare scenarios, a memory leak related to gateway authentication may occur.

In a rare scenario, the IKED process stops with core dump when using Office Mode IP allocation for clients and users cannot connect.

In some scenarios, the driver's (i40e) response time for MQ settings takes a too long time.

• Fix is relevant for Gaia 3.10 only.

In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827.

• Fix is relevant for Gaia 3.10 only.

In some scenarios, the force-password-change option does not work.

In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793.

A memory leak may occur when using domain names in QoS policy rules. Refer to sk174904.

CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways.