Take 241 - Ongoing

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 241

Released on 2 January 2022

PRJ-24929,
PRHF-16947

Security Management

UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB.

PRJ-29232

Security Management

UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information.

PRJ-30098,
PRHF-19248

Security Management

In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it.

PRJ-28647,
PRHF-18202

Security Management

In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain.

PRJ-28421,
PMTR-10273

Security Management

Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872.

PRJ-27999,
PRHF-18245

Security Management

If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.

  • Requires R80.30 SmartConsole Build 103 (or higher).

PRJ-25626,
PRHF-17284

Security Management

In rare scenarios, a Management Server upgrade may fail with an error message "Object not found - [UID]" in the cpm.elg log file.

PRJ-28534,
PRHF-18063

Security Management

In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error.

PRJ-28155,
PRHF-17926

Security Management

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

PRJ-28086,
PMTR-70942

Security Management

In some scenarios, the Administrators view may not filter domain names according to the permission profile of the connected administrator.

PRJ-24948,
PRHF-16976

Security Management

If there is an Administrator named "Endpoint", an upgrade of Endpoint Security Server from R77.30 version fails.

PRJ-26909,
PRHF-16657

Security Management

Policy installation to multiple gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy.

PRJ-26297,
PRHF-17531

Security Management

In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted.

PRJ-26300,
PRHF-17558

Security Management

In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely.

PRJ-26734,
PRHF-17606

Security Management

In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a message "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:".

PRJ-26675,
PRHF-17744

Security Management

The Management API command "show gateways and servers" does not show policy information for cluster members.

PRJ-28782,
PRHF-18557

Security Management

In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes.

PRJ-30624,
PRJ-30622

Security Management

In rare scenarios, after the Security Management Server starts up, when connecting to SmartConsole, some objects appear more than once.

PRJ-25037,
PRHF-16802

Security Management

In rare scenarios, a task in progress may get stuck until the Management Server is restarted.

PRJ-26977,
SMCUPG-1675

Security Management

After migrating a Domain to Security Management Server, the FWM process may be shown as "down" in watchdog, although it is up and running. Refer to sk163814.

PRJ-26628,
PRHF-17230

Security Management

In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.

PRJ-13163,
PRHF-11027

Security Management

The "show-global-assignment" command may ignore the limit request and return the default limit.

PRJ-26122,
PRHF-17476

Security Management

In some scenarios, HA synchronization fails in the Global Domain after an IPS update.

PRJ-25798,
PRHF-17324

Security Management

In rare scenarios, if the CPM process is up for many days, CPU and memory consumption may continue to grow until a reboot is performed.

PRJ-25564,
PRHF-17182

Security Management

In rare scenarios, an upgrade may fail when there is an OPSEC Server object configured.

PRJ-22133,
PMTR-63108

Security Management

In some scenarios, a high load on the Management Server may cause SmartConsole slowness.

PRJ-28568,
PRHF-18422

Security Management

In some scenarios, the Purge Revisions operation fails with an error message: "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx". Refer to sk174645.

PRJ-29156,
PRJ-30418,
PRHF-18883

Security Management

Scheduled IPS updates data may not be shown in the IPS update report.

PRJ-29186,
PRHF-18470

Security Management

In a rare scenario, High Availability full synchronization may fail due to a large number of records.

PRJ-28899,
PRHF-18508

Security Management

When searching IP addresses using logical operators (AND / OR), the results may be incorrect:

  • in SmartConsole in the Object Explorer view
  • with the Management API command "show objects" and the "filter" field

Some matched objects may be missing, while some unmatched objects may be present.

PRJ-28291,
PRHF-18210

Security Management

In rare scenarios, High Availability incremental synchronization may fail with a wrong status message.

PRJ-28297,
PRHF-18362

Security Management

In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.

PRJ-25000,
PRHF-17007

Security Management

After migrating a Domain to a Multi-Domain Management and assigning a Global Policy, if there are objects with the same name in the Domain and Global Domain, the assignment succeeds, although it must fail due to name duplication.

PRJ-23452,
PRHF-16065

Security Management

After upgrade from R77.x, "Cannot assign a Domain more than once" errors may appear in the validations pane.

PRJ-24329,
PRHF-16613

Security Management

In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy.

PRJ-23124,
PRHF-15939

Security Management

Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270.

PRJ-21786,
PRHF-15257

Security Management

In some scenarios, the output of the "cpmistat" command may contain partial information.

PRJ-30052,
PRHF-18928

Security Management

In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007.

PRJ-28062,
PRJ-28063

Security Management

In rare scenarios:

  • Login to the Management Server may timeout and fail
  • Publish operation may take a long time.

PRJ-29896,
PRHF-18828

Security Management

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

PRJ-25195,
PMTR-68090

Security Management

The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used.

PRJ-29966,
PRHF-19308

Security Management

In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X.

PRJ-21875,
PRHF-15460

Security Management

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

PRJ-22421,
PRHF-15598

Security Management

Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and another different Domain name is used for the second attempt.

PRJ-25278,
PRHF-17037

Security Management

In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005.

PRJ-29197,
PRHF-18782

Security Management

After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message.

PRJ-23850,
PMTR-66674

Security Management

Management Server upgrade may fail if there is a large amount of customized column profiles in Logs View.

PRJ-27484,
PRHF-18079

Security Management

Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. Refer to sk174183.

PRJ-28814,
PRHF-18712

Security Management

In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

PRJ-30387,
PRHF-16024

Security Management

In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930.

PRJ-26779,
PRHF-17767

Security Management

In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245.

PRJ-30881,
PRJ-30882,
PMTR-62059

Security Management

In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file.

PRJ-20708,
PRHF-14327

Security Management

In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail.

PRJ-29908,
PRHF-18974

Security Management

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

PRJ-31079,
PRJ-31080,
PRHF-19251

Security Management

In rare scenarios, the FWM process on the Security Management Server unexpectedly exits.

PRJ-30822,
PRHF-19479

Security Management

In some scenarios, in SmartConsole, the IPS update status list does not reflect correctly all the Gateways having the IPS Blade enabled. Refer to sk175449.

PRJ-30334,
PRJ-30335,
PRHF-18150

Security Management

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

PRJ-32107,
PMTR-63070

Security Management

Policy installation may fail if more than 20,000 objects are created and added to rules.

PRJ-31670,
PRHF-19891

Security Management

In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time.

PRJ-30066,
PRHF-19326

Security Management

  • The High Availability status on Security Management Server may be incorrect, and performing failover is not possible.
  • On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

PRJ-28167,
PRHF-18380

Security Management

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

PRJ-32545,
CPM-2222

Security Management

Values updated in resourceProfiles files to handle high CPU utilization for the Java process (sk123417) are not resistant and are overridden after Jumbo Hotfix Accumulator installation or backup/restore or export/import procedures.

PRJ-21829,
PRJ-29591,
PRHF-15448

Multi-Domain Management

In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file.

PRJ-21775,
PRJ-21776,
PMTR-63316

Licensing

In some scenarios, the total number of "sr" licenses may be counted incorrectly.

PRJ-28522

Licensing

In a very rare scenario, SmartConsole login attempts mail fail due to high CPU usage of the CPD process.

PRJ-27343,
PRJ-27344

Licensing

In a rare scenario, the licensing status in SmartConsole is displayed incorrectly.

PRJ-29309,
PRHF-18767

SmartConsole

The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911.

PRJ-30370,
PRJ-30376

CPInfo

UPDATE: Added CPInfo build 914000219. Refer to sk92739.

PRJ-25007,
SL-5634

Logging

NEW: SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452.

PRJ-25928,
PRJ-30687,
PMTR-69181,
PMTR-69007

Logging

NEW:

  • It is now possible to set the default timeframe for all the SmartView web application functionalities.
  • The default value is "Last 24 hours".

Note: The default time frames on the SmartView web application and SmartConsole are not synchronized.

  • Requires R80.30 SmartConsole Build 103 (or higher).

PRJ-26807,
PMTR-70072

Logging

NEW: In SmartEvent GUI, added the "referrer" field for filtering correlation unit events.

PRJ-23488,
SL-5368

Logging

NEW:

  • In SmartEvent GUI added new products: "Behavioral Guard", "Anti-Exploit", "Anti-Bot" and "Anti-Ransomware"
  • For Endpoint logs correlation, added a new pre-defined event: "Harmony Endpoint" under Legacy -> Endpoint Security.

PRJ-16280,
PRHF-11939

Logging

In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430.

PRJ-25831,
PMTR-68506

Logging

The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access Blade is enabled on the Gateway.

PRJ-24522,
PMTR-67575

Logging

In a low log rate, there may be a delay in exporting logs using the Log Exporter.

PRJ-25644,
PMTR-68886

Logging

In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB).

PRJ-13741,
PRJ-13742,
PRHF-11391

Logging

The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces.

PRJ-27048,
PRHF-17285

Logging

In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume a high CPU.

PRJ-26724,
PRHF-17205

Logging

In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command.

PRJ-24282,
PMTR-66677

Logging

In rare scenarios, when exporting logs to Check Point Infinity Portal, the Log Exporter may unexpectedly exit.

PRJ-26692,
PMTR-70010

Logging

When adding the "UC Block" action, log queries may not show UserCheck logs. Refer to sk174543.

PRJ-22343,
PRHF-15696

Logging

In SmartView, the "Duration" field is missing from Reports and Views.

PRJ-22647,
PRHF-15710

Logging

Threat Emulation log description for HTTP emulation is incorrect.

PRJ-23866

Logging

In SmartView reports, the "Show only icon" option for table widgets does not work as expected.

PRJ-23678,
PMTR-62763

Logging

In rare scenarios, in environments with many network objects, when typing a query in the search bar in the Logs tab, SmartConsole may close unexpectedly.

PRJ-14237,
PRHF-11770

Logging

In SmartView, grouping or filtering by the field "Total Bytes" causes the query to fail.

PRJ-21322,
PRHF-15198

Logging

In the Method field, logs with the following values are not shown in the SmartConsole's Logs tab. They are only shown when opening a single log record.
The values are: MOVE, TEXT, XGET, UNDEFINED, VTTEST, ABCD, SEARCH, RPC_CONNECT, PRONECT, TRACK, CFYZ, BADMETHOD, DEBUG, MGET, GET, MKCOL, QUALYS, RNDMMTD, PRI, NESSUS, BDMT, BADMTHD.

PRJ-26113,
PMTR-69276

Logging

In a multi-site MDM environment, Log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name.

PRJ-16983,
PRHF-12847

Logging

In a rare scenario, Application Control events may not be displayed in SmartEvent.

PRJ-27617,
PRHF-18157

Logging

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

PRJ-25439,
PRHF-17184

Logging

On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239.

PRJ-25621,
PMTR-68809

Logging

In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452).

PRJ-28339,
PMTR-69859

Logging

In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority.

PRJ-29028,
PRHF-17596

Logging

In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report.

PRJ-31210,
PRJ-30722

Logging

In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545.

PRJ-17259,
PRHF-12617

Logging

In SmartConsole:

  • In Gateways and Servers view, IP statuses may not be accurate
  • In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

PRJ-26306,
PRHF-17314

Logging

In rare cases, in SmartConsole, some logs are not shown.

PRJ-28322,
PRHF-17811

Logging

In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing.

PRJ-26029,
PRHF-17325

Logging

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323.

PRJ-26679,
PRHF-17724

Logging

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

PRJ-14118,
PRHF-11778

Logging

Syslog messages are not shown in SmartConsole when syslog_free_text_parser.C contains references to ".ini" files which are located directly syslog folder $FWDIR/conf/syslog.

PRJ-19836,
PRJ-19837,
PRHF-14286

Logging

On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928.

PRJ-30582,
PMTR-63927

Logging

In some scenarios, in Multi-Domain Servers with many Domains, the Solr process for logs may unexpectedly exit.

PRJ-20496,
PMTR-63033

CPUSE

The "Recommended" Package value is not changed from true to false in SmartConsole while installing Jumbo Hotfix. Refer to sk174508.

PRJ-29573,
PRJ-29574,
PRHF-15052

Security Gateway

NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.

PRJ-31910,
PRJ-31911,
PRHF-19710

Security Gateway


NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

PRJ-28850,
PRJ-28851,
PRHF-18624

Security Gateway

UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters.

PRJ-29441,
PMTR-72448

Security Gateway

UPDATE: The default value for kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560.

  • Fix is relevant for Gaia 3.10 only.

PRJ-30980,
PMTR-73404

Security Gateway

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.

  • Fix is relevant for Gaia 3.10 only.

PRJ-32070,
PRJ-32071,
STRM-737

Security Gateway

UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6.

PRJ-32154,
PRJ-32155,
PMTR-74372

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51.

PRJ-26821,
PRJ-26822,
PRHF-17872

Security Gateway

A duplicate entry appears in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic.

PRJ-26033,
PRJ-26034,
PMTR-67536

Security Gateway

The "fw_xlate_rule_count_dec: refcount is negative -1" message may be displayed in dmesg when IP pool NAT is used on a cluster environment.

PRJ-4172,
PRJ-27993,
PRHF-5036

Security Gateway

Large number of "fwpslglue_do_log: message [0] will be truncated in log" logs is printed in /var/log/messages, although debug is not enabled.

PRJ-25291,
PRJ-25292,
PRHF-16907

Security Gateway

In rare scenarios, a re-matched connection has 2 logs in SmartConsole.

PRJ-27074,
PRJ-27075,
PMTR-70300

Security Gateway

In rare scenarios, using IP Pool NAT with only IPv4/IPv6 addresses configured may cause Security Gateway to crash.

PRJ-24909,
PRJ-24914,
PMTR-66910

Security Gateway

In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the "PSL Drop: internal - drop enabled" message was displayed.

With this fix, the reason for the drop will be displayed.

PRJ-26476,
PRJ-26477,
PMTR-66746

Security Gateway

In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security Gateway to crash.

PRJ-27125,
PRHF-17942

Security Gateway

In some scenarios, the ROUTED process may unexpectedly exit.

  • Fix is relevant for Gaia 3.10 only.

PRJ-29417,
PRJ-29418,
PMTR-71855

Security Gateway

In some scenarios, policy installation fails with the "Error code: 0-2000108" message. Refer to sk170673.

PRJ-14623,
PRJ-14624,
PRHF-11760

Security Gateway

After policy installation, Security Gateway may stop responding due to memory leaks.

PRJ-27558,
PRJ-27557,
PRHF-17949

Security Gateway

In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188.

PRJ-27918,
PRJ-27944,
PRHF-13493

Security Gateway

In some scenarios, the CPD process may consume high CPU because of the memory leak in FDT (File Download Tool).

PRJ-19769,
PRJ-19768,
PRHF-14017

Security Gateway

Security Gateway may crash after policy installation.

PRJ-28827,
PRJ-28828,
PRHF-18098

Security Gateway

Improved the ICAP Server internal memory allocation logic.

PRJ-26390,
PRJ-26391,
PRHF-17436

Security Gateway

The WSDNSD process unexpectedly exits and creates a core file. Refer to sk173627.

PRJ-27648,
PRJ-27649,
PMTR-70634

Security Gateway

Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.

PRJ-29136,
PRJ-29137,
PRHF-18403

Security Gateway

The cpsicdemux process may unexpectedly exit, causing Secure Internal Communication (SIC) connection to fail.

PRJ-29740,
PRJ-29741,
PMTR-72615

Security Gateway

In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated Refer to sk11088.

PRJ-29502,
PRJ-29503,
PRHF-18863

Security Gateway

In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.

PRJ-29627,
PRJ-29628,
PRHF-19049

Security Gateway

In a rare scenario, Security Gateway may crash.

PRJ-26581,
PRJ-26582,
PMTR-68272

Security Gateway

In a rare scenario, CPView may show incorrect SecureXL statistics per VS.

PRJ-30248,
PRJ-30249,
PMTR-70219

Security Gateway

Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log.

PRJ-26668,
PRJ-26669,
PRHF-17760

Security Gateway

In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs.

PRJ-31215,
PRJ-31216,
PRHF-19896

Security Gateway

When a large number of VPN tunnels is configured, and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887.

PRJ-30039,
ODU-103

Security Gateway

If wstunnel loses connectivity, after several attempts, it may unexpectedly exit and not restart. Refer to sk166056.

PRJ-25147,
PRJ-25148,
PRHF-14366

Security Gateway

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

PRJ-30086,
PRJ-30010,
PRHF-18938

Security Gateway

In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up.

PRJ-30611,
PRJ-30612,
PRHF-19614

Security Gateway

In rare scenarios, when SACK is enabled, there may be connectivity issues.

PRJ-20625,
PRJ-20626,
PRHF-14374

Security Gateway

Running the threshold_config command may cause the CPD process to consume a high CPU.

PRJ-32099,
PMTR-32214

Security Gateway

In a rare scenario, policy installation may cause connections termination.

PRJ-31965,
PRJ-31966,
PMTR-74144

Security Gateway

In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.

PRJ-31367,
PRJ-31368,
PRHF-19693

Security Gateway

Improved the handling of a large number of sessions per single HTTP/S connection.

PRJ-26963,
PMTR-70393

Security Gateway

Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS).
  • Fix is relevant for Gaia 3.10 only.

PRJ-32334,
PMTR-72682

Security Gateway

Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message.

PRJ-26647,
PMTR-70065

Internal CA

UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424.

PRJ-31014,
PRHF-19772

Internal CA

In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start.

PRJ-24987,
PRJ-24988,
PMTR-61787

Threat Prevention

UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300.

PRJ-28677,
PRJ-28678,
AVIR-1444

Threat Prevention

UPDATE: Added the option to remove proxy usage in ioc_feeds tool.

PRJ-23266,
PMTR-49906

Threat Prevention

In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing.

  • Fix is relevant for Gaia 3.10 only.

PRJ-26540,
PRJ-26541,
PMTR-69186

Threat Prevention

In some scenarios, the IPS update status in SmartConsole is incorrect after the automatic update fails with the "Update failed. Failed to load database" error.

PRJ-22269,
PRJ-22270,
PRHF-14664

Threat Prevention

Improved the Threat Prevention policy installation time when installing on more than two Security gateways.

PRJ-26200,
PRJ-25544

Threat Prevention

In a rare scenario, the Security Gateway may crash when working with Anti-Virus.

PRJ-28517,
PRJ-28518,
TPP-1291

Threat Prevention

In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed.

PRJ-25226,
PRJ-22396,
PRHF-15404

Threat Prevention

The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS Blade is disabled. Refer to sk172903.

PRJ-29923,
PRJ-29924,
PRHF-19208

Threat Prevention

Threat Prevention policy installation may fail when loading 2 IOC feeds that contain the same signature name for one of the observables.

PRJ-30094,
PRJ-30095,
PRHF-18623

Threat Prevention

In some scenarios, loading Custom Intelligence Feeds that include an IP address with a subnet mask of 32 bits (x.x.x.x/32) may fail.

PRJ-28974,
PRJ-28989,
PRJ-28937

Threat Prevention

Improved telemetry for Infinity Vision SOC.

PRJ-29368,
PRJ-29369,
AVIR-936

Threat Prevention

In rare scenarios, IoC feed loading fails due to hash parsing errors.

PRJ-28137,
PRJ-28138,
PRJ-27437

Threat Extraction

In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg.

PRJ-33562,
PRJ-33563,
PRJ-33561

Threat Prevention

In a rare scenario, the Security Gateway may crash when working with Anti-Virus or Threat Emulation.

PRJ-29490,
PRJ-29491,
IDA-4049

Identity Awareness

UPDATE:

  • Increased the default timeout values of entries: connected_pdp_refresh_interval is now set to 240 seconds and connected_pdp_grace_period is now set to 360 seconds.
  • Added the "Identity information / Network information will be deleted" alert to SmartConsole.

PRJ-26801,
PRJ-26802,
MBS-13669

Identity Awareness

In a rare scenario, the Security Gateway may crash.

PRJ-29400,
PRJ-29402,
IDA-4087

Identity Awareness

Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull.

PRJ-29611,
PRJ-29612,
PRHF-18943

Identity Awareness

In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables.

PRJ-27190,
PRJ-27191,
PRHF-17768

Application Control

UPDATE: Improved matching of URLs for custom applications.

PRJ-29766,
PRJ-29767,
PRHF-18914

URL Filtering

In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped.

PRJ-26104,
PRJ-26105,
PRHF-17301

IPS

Security Gateway may crash when the IPS profile name is very long. Refer to sk174025.

PRJ-27257,
PRJ-27258,
PMTR-65461

IPS

Proxy source IP address is not printed in the IPS logs.

PRJ-28488,
PRJ-28489,
PRHF-16635

IPS

An HTTP download of a large file may unexpectedly stop with an error message.

PRJ-27956,
PRJ-27957,
PRHF-18158

IPS

In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open.

PRJ-29938,
PRJ-29939,
PRHF-18992

IPS

In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.

PRJ-28736,
PRJ-28737,
PRHF-17049

IPS

In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588.

PRJ-31691,
PRJ-31692,
PMTR-73790

IPS

Improved the handling of decoded HTTP/S traffic.

PRJ-32500,
PRJ-32501,
PRJ-32415

IPS

In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process.

PRJ-28499,
PRJ-28500,
PMTR-59113

Anti-Virus

UPDATE: Improved Anti-Virus buffer allocation to reduce stack size.

PRJ-24613,
PRJ-24614,
PMTR-66115

Anti-Virus

UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types.

PRJ-23568,
PRJ-23569,
PRHF-15500

Anti-Virus

Security Gateway may crash when transferring the HTTP multipart traffic if the Anti-Virus Deep Scanning, Threat Extraction, or Threat Emulation is enabled.

PRJ-29132,
PRJ-29190,
TPP-1157

Anti-Bot

UPDATE: Improved performance of Anti-Bot URL Reputation.

PRJ-29473,
PRJ-29474,
PMTR-72234

SSL Inspection

In some scenarios, a memory leak may occur when creating ECDHE keys.

PRJ-30457,
PRJ-30458,
PRHF-19516

SSL Inspection

In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.

PRJ-31170,
PRJ-31171,
PMTR-72409

SSL Inspection

A memory leak, related to TLS probing, may occur in the WSTLSD process.

PRJ-31164,
PRJ-31165,
PMTR-72136

SSL Inspection

In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur.

PRJ-30698,
PRJ-30699,
PMTR-72756

SSL Inspection,
VPN

A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers.

PRJ-27294,
PRJ-27295,
VPNRA-761

Mobile Access

In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit.

PRJ-28255,
PRJ-28256,
PRHF-16057

Mobile Access

In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client.

PRJ-29273,
PRJ-29274,
PRJ-29259,
PRJ-29260,
PRJ-29266,
PRJ-29267,
PRHF-3742,
PRHF-3700,
PRHF-3784

Mobile Access

In some scenarios, a memory leak may occur in the CVPND process.

PRJ-27787,
PMTR-64102

ClusterXL

Log shows that CCP encryption fails on each policy installation.

  • Fix is relevant for Gaia 3.10 only.

PRJ-29834,
PRHF-18898

ClusterXL

In a VRRP cluster, changes to the CCP encryption channel do not remain after reboot on Kernel 3.10. Refer to sk174968.

  • Fix is relevant for Gaia 3.10 only.

PRJ-28601,
PMTR-64228

ClusterXL

In some scenarios, in Load Sharing mode, the "cphaprob show_bond" command on the Security Management Server shows the back-up slave status as "Not Available". Refer to sk175469.

  • Fix is relevant for Gaia 3.10 only.

PRJ-28357,
PRJ-28358,
CORXL-251

ClusterXL

Clock jumps forward/backward may cause some operations to fail and the cluster to go down.

PRJ-30502,
PRJ-30503,
PRJ-30284

ClusterXL

In VSX Load Sharing (VSLS) environment, a disconnected bond LS interface impacts all VS's at the member regardless that the interface is connected to a specific VS.

PRJ-28222,
PRJ-28225,
PRJ-28054

SecureXL

In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly.

PRJ-26950,
PRJ-26951,
PMTR-70242

SecureXL

TCP packets may be dropped as "TCP out of state" although following sk11088.

PRJ-32937,
PRJ-32938,
PMTR-75157

SecureXL

In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.

PRJ-27817,
PRJ-27818,
PMTR-63965

Routing

If the interface cable is unplugged, after a failover, Border Gateway Protocol (BGP) stops receiving routes from Primary member to Secondary and back to Primary.

PRJ-31124,
PRJ-31125,
PMTR-73496

Routing

In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending.

PRJ-26959,
PRJ-26960,
PMTR-65589

Routing

The ROUTED process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected.

PRJ-28392,
PRJ-28393

Routing

The checksum of PIM "register" packets may be calculated incorrectly, causing the RP router to discard a "register" packet.

PRJ-28837,
PRJ-28838,
PMTR-51501

Routing

In some scenarios, an outage may occur because of premature graceful-restart exit.

PRJ-29494,
PRJ-29495,
ROUT-1745

Routing

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

PRJ-26751,
PRJ-26752,
PRJ-26750

Routing

In some scenarios, the NetFlow Packet may report a wrong source IP Address.

PRJ-29317,
PRJ-29318,
ROUT-1721

Routing

AS path loops may occur, although BGP multihop is configured.

PRJ-29494,
PRJ-29495,
ROUT-1745

Routing

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

PRJ-28955,
PRJ-28956,
PRHF-17739

Routing

The ROUTED process may unexpectedly exit.

PRJ-31484,
PRJ-31485,
PRHF-19472

Routing

In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603.

PRJ-24054,
PRJ-24055,
PRHF-10260

Routing

In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts.

PRJ-31471,
PMTR-68362

VPN

UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic.

PRJ-28572,
PRJ-28573,
PRHF-17880

VPN

In some scenarios, Server connections to Remote Access L2TP clients may be unstable.

PRJ-28769,
PRJ-28770,
PMTR-71850

VPN

In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation.

PRJ-26528,
PRJ-26529,
PRHF-17627

VPN

In some scenarios, NAT-T traffic outages may occur after a cluster failover. Refer to sk175552.

PRJ-23978,
PRHF-12576

VPN

Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.

  • Fix is relevant for Gaia 3.10 only.

PRJ-22116,
PRJ-22117,
PMTR-31204

VPN

In rare scenarios, after policy installation, the VPND process may unexpectedly exit with core dump.

PRJ-21636,
PRJ-21637,
PRHF-15318

VPN

VPN Logs show IP address octets in an unexpected (reversed) order. Refer to sk172807.

PRJ-28375,
PRJ-28376,
PMTR-71772

VPN

Improved VPN Site to Site tunnel establishment scenario with IKEv2. Refer to sk175092.

PRJ-27311,
PRJ-27312,
PRHF-14851

VPN

IPSec VPN uses the wrong source IP address when initiating NAT-T encrypted traffic. Refer to sk172805.

PRJ-28072,
PRJ-28073,
PRHF-18369

VPN

A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249.

PRJ-27672,
PRJ-27673,
PMTR-70855

VPN

In some scenarios, the user may not be able to connect because the CVPND process unexpectedly exits.

PRJ-27684,
PRJ-27685,
PMTR-70957

VPN

In a rare scenario, a memory leak may occur.

PRJ-27680,
PRJ-27681,
PMTR-71025

VPN

When saving the login info of the client, a memory leak may occur.

PRJ-27676,
PRJ-27677,
PMTR-71013

VPN

Reauthentication of the client may lead to a memory leak.

PRJ-27853,
PRJ-27854,
PMTR-71136

VPN

When deleting an entry from m_ht hash table, a memory leak may occur.

PRJ-27811,
PRJ-27812,
PMTR-71098

VPN

In some scenarios, the VPN tunnel between GCP cluster and GCP peer fails to establish.

PRJ-25140,
PRJ-25141,
PRHF-16647

VPN

In some scenarios, outbound traffic with NAT-T outgoing packets is sent from an incorrect link. Refer to sk176711.

PRJ-26397,
PRJ-26398,
PRHF-17622

VPN

Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235.

PRJ-25881,
PRJ-25882,
PRHF-16370

VPN

In some scenarios, when DAIP peer initiates IKEv2 negotiation with certificate authentication, the VPND process may unexpectedly exit. Refer to sk174665.

PRJ-28312,
PRHF-12576

VPN

Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.

PRJ-28510,
PRJ-28511,
PRHF-18408

VPN

In some scenarios, a memory leak may occur on the Security Gateway.

PRJ-28503,
PRJ-28504,
PRHF-18400

VPN

A memory leak may occur in the VPND process.

PRJ-29280,
PRJ-29281
PRHF-18818

VPN

In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process.

PRJ-29480,
PRJ-29481,
PMTR-72463

VPN

A memory leak may occur in the VPND process in IKEv2 Site to Site VPN.

PRJ-29530,
PRJ-29531,
PRHF-18564

VPN

RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode.

PRJ-28560,
PRJ-28561,
PMTR-20176

VPN

In some scenarios, when sending the SCV drop log, a memory leak may occur.

PRJ-31105,
PRJ-31106,
PRJ-31112,
PRJ-31113,
PMTR-73487,
PMTR-73488

VPN

In some scenarios, a memory leak may occur in the VPND process.

PRJ-31145,
PRJ-31146,
PMTR-73511

VPN

In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site.

PRJ-28262,
PRJ-28263,
PRHF-18295

VPN

A memory leak may occur when clearing the CRL cache file.

PRJ-31129,
PRJ-31130,
PMTR-73498

VPN

In some scenarios, a memory leak may occur in the VPND process.

PRJ-31287,
PRJ-31288,
PRHF-19707

VPN

Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417.

PRJ-30762,
PRJ-30763,
PRHF-19548

VPN

In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file.

PRJ-30327,
PRJ-30328,
PMTR-73629

VPN

In some scenarios, IKEv2 tunnel may not work due to SA expiration.

PRJ-30866,
PRJ-30867,
PRHF-19755

VPN

A memory leak may occur in the VPND process.

PRJ-29593,
PRJ-29594,
VPNS2S-2505

VPN

In a rare scenario, the IKEv2 negotiation appears successful, although it failed.

PRJ-31027,
PRJ-31028,
PRHF-19776

VPN

Many "remote access client IP address and port were changed" logs are printed after an upgrade.

PRJ-28604,
PMTR-48561

VSX

In a rare scenario, a cluster member may crash when running the "cphaconf show bond" command.

  • Fix is relevant for Gaia 3.10 only.

PRJ-29550,
PRJ-29551,
PRHF-18753

VSX

After a reboot, the VS's clish static ARPs configuration exists, but the static ARPs may be missing.

PRJ-27967,
PRJ-27968,
PMTR-35890

VSX

When querying a VS for "sysObjectID" viaSNMP, a generic netSNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62").

PRJ-26128,
PRJ-26131,
PMTR-53985

VSX

After upgrade, the VS names may be displayed incorrectly in the output of the "vsx stat -v" command.

PRJ-22689,
PMTR-65535

VSX

This fix allows create/change a VSX cluster/gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole.

PRJ-26559,
PRHF-17590

VSX

Multi-Queue configuration on VSX does not remain after reboot. Refer to sk173950.

  • Fix is relevant for Gaia 3.10 only.

PRJ-30312,
PRJ-30313,
PMTR-72515

Gaia OS

NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612.

PRJ-26927,
PMTR-69753

Gaia OS

NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.

  • Fix is relevant for Gaia 3.10 only.

PRJ-30292,
PRJ-30293,
PMTR-72997

Gaia OS

UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes.

PRJ-27708,
PRHF-18191

Gaia OS

UPDATE: The command "show multiple-queue Affinity" deprecation message was changed.
The new message is: "This command is deprecated. Please use: show interface VALUE Multi-queue."

  • Fix is relevant for Gaia 3.10 only.

PRJ-26997,
PRHF-17900

Gaia OS

Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703.

  • Fix is relevant for Gaia 3.10 only.

PRJ-27975,
PRJ-27976,
PMTR-69876

Gaia OS

A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC).

PRJ-28973,
PRJ-28794,
PRJ-28795,
PRHF-18683

Gaia OS

In a rare scenario, a memory leak may occur in the monitord process.

PRJ-27671,
PRHF-13802

Gaia OS

In some scenarios, the "show arp dynamic all" command displays values of VS0 instead of VS.

  • Fix is relevant for Gaia 3.10 only.

PRJ-25764,
PRHF-17216

Gaia OS

After 248 days of up time, the VMSS gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413.

  • Fix is relevant for Gaia 3.10 only.

PRJ-28683,
PMTR-71763

Gaia OS

In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

  • Fix is relevant for Gaia 3.10 only.

PRJ-25248,
PMTR-68435

Endpoint Security

In some scenarios, the Policy Server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates.

PRJ-27331,
PRJ-27325

CloudGuard

  • Added support for Amazon Web Services (AWS) IMDSv2 in CloudGuard Controller
  • Improved connecting to GCP Data Center

PRJ-27032,
PRJ-27033,
PRHF-16098

QoS

In a rare scenario, in SmartView Monitor, some QoS traffic may be shown as "No Match".

PRJ-30232,
PRJ-30233,
PRHF-18342

QoS

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

PRJ-28052,
PMTR-71262

Scalable Plaforms

In some scenarios, bond interface slave fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00.

  • Fix is relevant for Gaia 3.10 only.

PRJ-30016,
ODU-181

HCP

Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-30253,
PRJ-27245,
ODU-123

HCP

Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-24086,
PRJ-24087,
ODU-91

HCP

Added Update 2 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-22797,
PRJ-22798,
ODU-81

HCP

Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-22320,
PRJ-22321,
PRHF-15689

Infrastructure

In some scenarios, the cpmiquerybin and dbedit processes may unexpectedly exit causing a buffer overflow.

PRJ-31766,
PRJ-31767,
PRHF-19016

Infrastructure

Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452.