Take 241 - Ongoing

UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information.

In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain.

If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.

• Requires R80.30 SmartConsole Build 103 (or higher).

In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error.

In some scenarios, the Administrators view may not filter domain names according to the permission profile of the connected administrator.

Policy installation to multiple gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy.

In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely.

The Management API command "show gateways and servers" does not show policy information for cluster members.

In rare scenarios, after the Security Management Server starts up, when connecting to SmartConsole, some objects appear more than once.

After migrating a Domain to Security Management Server, the FWM process may be shown as "down" in watchdog, although it is up and running. Refer to sk163814.

The "show-global-assignment" command may ignore the limit request and return the default limit.

In rare scenarios, if the CPM process is up for many days, CPU and memory consumption may continue to grow until a reboot is performed.

In some scenarios, a high load on the Management Server may cause SmartConsole slowness.

Scheduled IPS updates data may not be shown in the IPS update report.

When searching IP addresses using logical operators (AND / OR), the results may be incorrect:

• in SmartConsole in the Object Explorer view
• with the Management API command "show objects" and the "filter" field

Some matched objects may be missing, while some unmatched objects may be present.

In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.

After upgrade from R77.x, "Cannot assign a Domain more than once" errors may appear in the validations pane.

Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270.

In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007.

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X.

Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and another different Domain name is used for the second attempt.

After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message.

Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. Refer to sk174183.

In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930.

In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file.

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

In some scenarios, in SmartConsole, the IPS update status list does not reflect correctly all the Gateways having the IPS blade enabled. Refer to sk175449.

Policy installation may fail if more than 20,000 objects are created and added to rules.

• The High Availability status on Security Management Server may be incorrect, and performing failover is not possible.
• On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

Values updated in resourceProfiles files to handle high CPU utilization for the Java process (sk123417) are not resistant and are overridden after Jumbo Hotfix Accumulator installation or backup/restore or export/import procedures.

In some scenarios, the total number of "sr" licenses may be counted incorrectly.

In a rare scenario, the licensing status in SmartConsole is displayed incorrectly.

UPDATE: Added CPInfo build 914000219. Refer to sk92739.

NEW:

• It is now possible to set the default timeframe for all the SmartView web application functionalities.
• The default value is "Last 24 hours".

Note: The default time frames on the SmartView web application and SmartConsole are not synchronized.

• Requires R80.30 SmartConsole Build 103 (or higher).

NEW:

• In SmartEvent GUI added new products: "Behavioral Guard", "Anti-Exploit", "Anti-Bot" and "Anti-Ransomware"
• For Endpoint logs correlation, added a new pre-defined event: "Harmony Endpoint" under Legacy -> Endpoint Security.

The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access blade is enabled on the Gateway.

In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB).

In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume a high CPU.

In rare scenarios, when exporting logs to Check Point Infinity Portal, the Log Exporter may unexpectedly exit.

In SmartView, the "Duration" field is missing from Reports and Views.

In SmartView reports, the "Show only icon" option for table widgets does not work as expected.

In SmartView, grouping or filtering by the field "Total Bytes" causes the query to fail.

In a multi-site MDM environment, Log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name.

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452).

In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report.

In SmartConsole:

• In Gateways and Servers view, IP statuses may not be accurate
• In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing.

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928.

The "Recommended" Package value is not changed from true to false in SmartConsole while installing Jumbo Hotfix. Refer to sk174508.

NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

UPDATE: The default value for kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560.

• Fix is relevant for Gaia 3.10 only.

UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6.

A duplicate entry appears in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic.

Large number of "fwpslglue_do_log: message [0] will be truncated in log" logs is printed in /var/log/messages, although debug is not enabled.

In rare scenarios, using IP Pool NAT with only IPv4/IPv6 addresses configured may cause Security Gateway to crash.

In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security Gateway to crash.

In some scenarios, policy installation fails with the "Error code: 0-2000108" message. Refer to sk170673.

In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188.

Security Gateway may crash after policy installation.

The WSDNSD process unexpectedly exits and creates a core file. Refer to sk173627.

The cpsicdemux process may unexpectedly exit, causing Secure Internal Communication (SIC) connection to fail.

In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.

In a rare scenario, CPView may show incorrect SecureXL statistics per VS.

In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs.

If wstunnel loses connectivity, after several attempts, it may unexpectedly exit and not restart. Refer to sk166056.

In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up.

Running the threshold_config command may cause the CPD process to consume a high CPU.

In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.

• Fix is relevant for Gaia 3.10 only.

UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424.

UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300.

In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing.

• Fix is relevant for Gaia 3.10 only.

Improved the Threat Prevention policy installation time when installing on more than two Security gateways.

In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed.

Threat Prevention policy installation may fail when loading 2 IOC feeds that contain the same signature name for one of the observables.

Improved telemetry for Infinity Vision SOC.

In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg.

UPDATE:

• Increased the default timeout values of entries: connected_pdp_refresh_interval is now set to 240 seconds and connected_pdp_grace_period is now set to 360 seconds.
• Added the "Identity information / Network information will be deleted" alert to SmartConsole.

Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull.

UPDATE: Improved matching of URLs for custom applications.

Security Gateway may crash when the IPS profile name is very long. Refer to sk174025.

An HTTP download of a large file may unexpectedly stop with an error message.

In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.

Improved the handling of decoded HTTP/S traffic.

UPDATE: Improved Anti-Virus buffer allocation to reduce stack size.

Security Gateway may crash when transferring the HTTP multipart traffic if the Anti-Virus Deep Scanning, Threat Extraction, or Threat Emulation is enabled.

In some scenarios, a memory leak may occur when creating ECDHE keys.

A memory leak, related to TLS probing, may occur in the WSTLSD process.

A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers.

In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client.

Log shows that CCP encryption fails on each policy installation.

• Fix is relevant for Gaia 3.10 only.

In some scenarios, in Load Sharing mode, the "cphaprob show_bond" command on the Security Management Server shows the back-up slave status as "Not Available". Refer to sk175469.

• Fix is relevant for Gaia 3.10 only.

In VSX Load Sharing (VSLS) environment, a disconnected bond LS interface impacts all VS's at the member regardless that the interface is connected to a specific VS.

TCP packets may be dropped as "TCP out of state" although following sk11088.

If the interface cable is unplugged, after a failover, Border Gateway Protocol (BGP) stops receiving routes from Primary member to Secondary and back to Primary.

The ROUTED process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected.

In some scenarios, an outage may occur because of premature graceful-restart exit.

In some scenarios, the NetFlow Packet may report a wrong source IP Address.

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603.

UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic.

In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation.

Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.

• Fix is relevant for Gaia 3.10 only.

VPN Logs show IP address octets in an unexpected (reversed) order. Refer to sk172807.

IPSec VPN uses the wrong source IP address when initiating NAT-T encrypted traffic. Refer to sk172805.

In some scenarios, the user may not be able to connect because the CVPND process unexpectedly exits.

When saving the login info of the client, a memory leak may occur.

When deleting an entry from m_ht hash table, a memory leak may occur.

In some scenarios, outbound traffic with NAT-T outgoing packets is sent from an incorrect link. Refer to sk176711.

In some scenarios, when DAIP peer initiates IKEv2 negotiation with certificate authentication, the VPND process may unexpectedly exit. Refer to sk174665.

In some scenarios, a memory leak may occur on the Security Gateway.

In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process.

RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode.

In some scenarios, a memory leak may occur in the VPND process.

A memory leak may occur when clearing the CRL cache file.

Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417.

In some scenarios, IKEv2 tunnel may not work due to SA expiration.

In a rare scenario, the IKEv2 negotiation appears successful, although it failed.

In a rare scenario, a cluster member may crash when running the "cphaconf show bond" command.

• Fix is relevant for Gaia 3.10 only.

When querying a VS for "sysObjectID" viaSNMP, a generic netSNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62").

This fix allows create/change a VSX cluster/gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole.

NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612.

UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes.

Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703.

• Fix is relevant for Gaia 3.10 only.

In a rare scenario, a memory leak may occur in the monitord process.

After 248 days of up time, the VMSS gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413.

• Fix is relevant for Gaia 3.10 only.

In some scenarios, the Policy Server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates.

In a rare scenario, in SmartView Monitor, some QoS traffic may be shown as "No Match".

In some scenarios, bond interface slave fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00.

• Fix is relevant for Gaia 3.10 only.

Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436.

Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436.