Take 251 - General Availability
List of Resolved Issues and New Features
Note - This Take contains all fixes from all earlier Takes.

ID | Product | Description |
---|---|---|
Take 251 released on 07 Apr 2022 and declared as General Availability on 18 May 2022 | | |
PRJ-30405, | Security Management | UPDATE: |
PRJ-32890, | Security Management | UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165. |
PRJ-33551, | Security Management | When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead. |
PRJ-32446, | Security Management | In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data". |
PRJ-25708, | Security Management | Deleting a network group may fail because it is being used, although "Where Used" shows no usage. |
PRJ-32667, | Security Management | When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found". |
PRJ-32855, | Security Management | After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running. |
PRJ-33862, | Security Management | When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout. |
PRJ-29507, | Security Management | In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805. |
PRJ-34503, | Security Management | The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204. |
PRJ-35477, | Security Management | Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error. |
PRJ-33977, | Security Management | Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS. |
PRJ-32427, | Security Management | In rare scenarios, adding a service to a rule in Access Policy: Refer to sk176004. |
PRJ-32090, | Security Management | When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured may not appear in the results, although they match the IP. |
PRJ-32716, | Security Management | If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491. |
PRJ-33519, | Security Management | In rare scenarios, the Management Server may fail to start. |
PRJ-34224, | Security Management | When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error". |
PRJ-30529, | Security Management | Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out. |
PRJ-30679, | Security Management | Policy installation with Directional VPN rules may fail with a verification error. |
PRJ-30057, | Security Management | In rare scenarios, after Management Server upgrade, importing the database may fail with "Tried to persist object". |
PRJ-36184, | Security Management | In some scenarios, in SmartConsole, the IPS update status list does not correctly reflect all the Gateways with the IPS blade enabled. Refer to sk175449. |
PRJ-34033, | Security Management | When many sessions are opened: |
PRJ-22264, | Security Management | In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967. |
PRJ-33285, | Security Management | When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number. |
PRJ-34176, | Security Management | In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server". |
PRJ-34180, | Security Management | In rare scenarios, the Management Server becomes inaccessible if there are more than 5000 objects in the Gateways and Servers view. |
PRJ-35337, | Security Management | In rare scenarios, the Management Server may fail to start after an upgrade. |
PRJ-33399, | Security Management | When automatic purge is configured in a local Domain and there is an assignment between the Global Domain and that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443. |
PRJ-33363, | Security Management | Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464. |
PRJ-33459, | Security Management | While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the Configuration tab. |
PRJ-32744, | Security Management | In a rare scenario, the FWM process unexpectedly exits. |
PRJ-33166, | Multi-Domain Management | The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/. |
PRJ-30349, | Multi-Domain Management | During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface. |
PRJ-30524, | Multi-Domain Management | In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail. |
PRJ-38328, | SmartConsole | Refer to sk178590. |
PRJ-32976, | CPView | In Overview, some data about disk space may be missing. |
PRJ-32371, | Logging | When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck. |
PRJ-32305, | Logging | When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email. |
PRJ-32585, | Logging | There may be empty values in the "Office Mode IP" field in the Logs view. |
PRJ-28315, | Logging | The "Last Update Time" field of a Session Log may show incorrect values. |
PRJ-25652, | Logging | When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message. |
PRJ-29121, | Logging | SmartEvent may not show some of the Anti-Virus logs. |
PRJ-32026, | Logging | In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log. |
PRJ-30661, | Logging | Refer to sk176644. |
PRJ-31615, | Logging | Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543. |
PRJ-32578, | Logging | In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application. |
PRJ-32016, | Logging | When running the "show_logs" API command with the "query-id" argument and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-30547, | Logging | In rare scenarios, when QoS blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783. |
PRJ-29172, | Logging | Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the FWD debug log. |
PRJ-30143, | Logging | Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file. |
PRJ-32229, | Logging | The "vsec_lic_cli update" command now supports IP change in the license string. |
PRJ-32083, | Logging | A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic. |
PRJ-34248, | Logging | There may be an incorrect error message related to the MakeConnection method. |
PRJ-14159 | Security Gateway | UPDATE: Added support for CPView's Top Connections tab in User Space Firewall (USFW). |
PRJ-34448 | Security Gateway | UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode. |
PRJ-31663, | Security Gateway | UPDATE: Added Connection and Packet Distribution statistics in CPView. |
PRJ-38234, | Security Gateway | UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53. |
PRJ-29695, | Security Gateway | In a rare scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages. |
PRJ-27607, | Security Gateway | A debug message is printed as an error. |
PRJ-33900, | Security Gateway | In rare scenarios, the LOG_INDEXER process may unexpectedly exit with a core dump file. |
PRJ-21485, | Security Gateway | The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424. |
PRJ-30780, | Security Gateway | Access Policy installation may fail with "Error code 1-2000078". |
PRJ-31205, | Security Gateway | The Security Gateway may crash during policy installation due to memory allocation problems. |
PRJ-33510, | Security Gateway | CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic. |
PRJ-33271, | Security Gateway | The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952. |
PRJ-33609, | Security Gateway | In a rare scenario, the FWD process may unexpectedly exit. |
PRJ-33995, | Security Gateway | In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout. |
PRJ-23477, | Security Gateway | Policy installation may fail when the Security Gateway runs out of memory. |
PRJ-34266, | Security Gateway | The log_exporter process may consume high CPU. |
PRJ-32572, | Security Gateway | When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted. |
PRJ-36997, | Security Gateway | Fix is relevant for Gaia 3.10 only. |
PRJ-33247, | VPN, Internal CA | Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468. |
PRJ-34863, | Threat Prevention | IPS and other Threat Prevention logs may not contain packet capture, and dmesg may be flooded with related errors. |
PRJ-33546, | Threat Prevention | When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947. |
PRJ-30442, | Threat Prevention | In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory, which may take up a large amount of disk space. |
PRJ-30499, | Identity Awareness | UPDATE: Enhanced Identity Sharing SmartPull mechanism for large scale environments. |
PRJ-37472, | Identity Awareness, | UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148. |
PRJ-30945, | Identity Awareness | In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests. |
PRJ-35818, | Identity Awareness | On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member. |
PRJ-32869, | Identity Awareness | When Identity Awareness blade is enabled on the Security Gateway, rebooting a member may trigger additional reboots. This may cause one of the members to go down with a configuration pnote. |
PRJ-28217, | Identity Awareness | There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144. |
PRJ-33145, | URL Filtering | In some scenarios, SSL websites are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283. |
PRJ-34457, | IPS | Enhanced IPS package loader. |
PRJ-29425, | IPS | When Website categorization mode is set to "Hold" and the Gateway is a Proxy, some connections may be incorrectly terminated. |
PRJ-30423, | DLP | The dlpu process may unexpectedly exit with a core dump file. |
PRJ-32999, | SSL Inspection | UPDATE: Upgraded the default infrastructure for local communication between some processes to TLS 1.2. |
PRJ-32881, | SSL Inspection | When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation. |
PRJ-32898, | SSL Inspection | In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file. |
PRJ-33404, | SSL Inspection | In rare scenarios, TLS probing connections may remain open for extended periods. |
PRJ-34971, | SSL Inspection | In rare scenarios, the WSTLSD daemon may unexpectedly restart. |
PRJ-34158, | SSL Inspection | In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-36296, | SSL Inspection | A memory leak related to TLS probe may occur in the WSTLSD process. |
PRJ-35937, PRJ-35939, PRJ-35934 | SSL Network Extender | UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS. |
PRJ-31229, | SSL Network Extender | SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760. |
PRJ-32469 | ClusterXL | Added Syslog support for Cluster events messages. |
PRJ-35981, | ClusterXL | A cluster failover may take longer than it should. |
PRJ-36468, | SecureXL | The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW). |
PRJ-36071, | SecureXL | In some scenarios related to sending multicast packets, ICMP errors may be shown. |
PRJ-28642, | SecureXL | A redundant message "ACC: Accelerator started." is printed in dmesg logs. |
PRJ-33353, | Routing | |
PRJ-30711, | Routing | Connectivity issues may occur after configuration of route based VPN (VTI interface). Refer to sk176368. |
PRJ-34708, | Routing | In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order. |
PRJ-36235, | VPN | A memory leak may occur in the VPND process. |
PRJ-32363, | VPN | Improved IKEv2 narrowing. |
PRJ-36415, | VPN | In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit. |
PRJ-32516, | VPN | Improved establishing IKEv2 tunnel with DAIP peer. |
PRJ-34490, | VPN | Remote Access users cannot connect when a certificate issued by a configured subordinate CA is used for authentication. |
PRJ-34509, | VPN | When IKEv2 and pre-shared-key are configured, VPN may fail during the second IKE SA re-key. Refer to sk171756. |
PRJ-34208, | VPN | IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name. |
PRJ-33839, | VSX | UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode. |
PRJ-32531, | VSX | UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool. |
PRJ-36790, | VSX | The "vsx_util reconfigure" command may fail without printing the cause of the error. |
PRJ-22475, | VSX | In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064. |
PRJ-32077, | VSX | When creating a static route on a virtual system, some network objects may be created with the same name inside the network group, which causes writing the object to the database to fail. |
PRJ-37420, | VSX | After deleting a warp interface in SmartConsole, the active VSX cluster member may crash. |
PRJ-36773, | Gaia OS | NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-37956, | Gaia OS | UPDATE: Upgraded OpenSSL to fix CVE-2022-0778. Refer to sk178411. |
PRJ-28692 | Gaia OS | Stability enhancement for Bond LS. |
PRJ-30209, | Gaia OS | Refer to sk174969. |
PRJ-33685, | Gaia OS | Potential vulnerability related to specific Gaia API command on VSX systems. |
PRJ-33505, | Gaia OS | Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128. |
PRJ-32690, | Gaia OS | In some scenarios, such as a defective LOM card, or when a LOM port exists but no LOM is connected, the confd process may stop working. |
PRJ-37227, | Gaia OS | The upgrade process may fail due to a corrupted sic_local_cert.p12 certificate. Refer to sk171253. |
PRJ-33711, | Gaia OS | In a rare scenario, the Security Gateway fails to boot when working in USFW (User-Space Firewall) mode. |
PRJ-27907, | Harmony Endpoint | In some scenarios, logs related to Harmony Endpoint may be missing. |
PRJ-36272, | CloudGuard | In some scenarios, incorrect data center updates are pushed to the Gateway. |
PRJ-34525, | CloudGuard | When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway. |
PRJ-36702, | Public Cloud CA Bundle | Added Take 14 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-35156 | Scalable Platforms | NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-36828, | HCP | Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-34440, | HCP | Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22351, | Infrastructure | UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias. |
PRJ-29948, | Infrastructure | In a rare scenario, the user cannot connect to the Mobile Access Portal. |