Take 251 - General Availability

UPDATE:

• Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".
• It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead.

Deleting a network group may fail because it is being used, although "Where Used" shows no usage.

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805.

Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error.

In rare scenarios, adding a service to a rule in Access Policy:

• may take a long time (more than several seconds)
• may cause SmartConsole to unexpectedly exit.

Refer to sk176004.

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

Policy installation with Directional VPN rules may fail with a verification error.

In some scenarios, in SmartConsole, the IPS update status list does not reflect correctly all the Gateways with enabled IPS blade. Refer to sk175449.

In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967.

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

In rare scenarios, the Management Server may fail to start after an upgrade.

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

In a rare scenario, the FWM process unexpectedly exits.

During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface.

• Install Policy Preset may invoke policy installation on Gateways different from those that are defined.
• Policy installation on multiple Gateways on MDS level may trigger installation on one Gateway only.

Refer to sk178590.

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

There may be empty values in the "Office Mode IP" field in the Logs view.

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log.

Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543.

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and " fwbintabreplace: table svm_range_gateways_valid not found" from the FWD debug log.

The "vsec_lic_cli update" command now supports IP change in the license string.

There may be an incorrect error message related to MakeConnection method.

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

• Fix is relevant for Gaia 3.10 only.

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

A debug message is printed as an error.

The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424.

The Security Gateway may crash during policy installation due to memory allocation problems.

The control connection may not be refreshed together with data connection if the data connection is accelerated. Refer to sk168952.

In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout.

The log_exporter process may consume a high CPU.

• On 2200 appliances, the CPD process may unexpectedly exit because of sensor read failure.

• Sensor table values for 3600, 3600T, 3800, 6200B, 6200P, 6200T, 6400, 6600, 6700, 6900, 7000, 600-S are incorrect.

Fix is relevant for Gaia 3.10 only.

IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors.

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

Enhanced IPS package loader.

The dlpu process may unexpectedly exit with core dump file.

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

In rare scenarios, TLS probing connections may remain open for extended periods.

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

Added Syslog support for Cluster events messages.

• Fix is relevant for Gaia 3.10 only.

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

A redundant message "ACC: Accelerator started." is printed in dmesg logs.

Connectivity issues may occur after configuration of route based VPN (VTI interface). Refer to sk176368.

A memory leak may occur in the VPND process.

In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit.

Remote Access users cannot connect when a certificate issued by a configured subordinate CA is used for authentication.

IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.

UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

After deleting a warp interface in SmartConsole, the active VSX cluster member may crash.

• Fix is relevant for Gaia 3.10 only.

UPDATE: Upgraded OpenSSL to fix CVE-2022-0778. Refer sk178411.

• VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
• IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128.

Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.

In some scenarios, logs related to Harmony EndPoint may be missing.

When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway.

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436.