Take 251 - General Availability

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 251

Released on 07 Apr 2022 and moved to General Availability on 18 May 2022

PRJ-30405,
PRHF-19450

Security Management

UPDATE:

  • Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".
  • It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

PRJ-32890,
PRHF-20657

Security Management

UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165.

PRJ-33551,
PRHF-20961

Security Management

When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead.

PRJ-32446,
PRHF-20062

Security Management

In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data".

PRJ-25708,
PRHF-17010

Security Management

Deleting a network group may fail because it is being used, although "Where Used" shows no usage.

PRJ-32667,
PRHF-20485

Security Management

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

PRJ-32855,
PRHF-20444

Security Management

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

PRJ-33862,
PRHF-21129

Security Management

When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout.

PRJ-29507,
PRHF-18890

Security Management

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805.

PRJ-34503,
PRHF-21481

Security Management

The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204.

PRJ-35477,
PMTR-77765

Security Management

Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error.

PRJ-33977,
PRHF-21115

Security Management

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

PRJ-32427,
PRHF-20440

Security Management

In rare scenarios, adding a service to a rule in Access Policy:

  • may take a long time (more than several seconds)
  • may cause SmartConsole to unexpectedly exit.

Refer to sk176004.

PRJ-32090,
PRHF-20162

Security Management

When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured, may not appear in the results, although they match the IP.

PRJ-32716,
PRHF-20332

Security Management

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

PRJ-33519,
PRHF-20971

Security Management

In rare scenarios, the Management Server may fail to start.

PRJ-34224,
PRHF-21356

Security Management

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

PRJ-30529,
PRHF-19542

Security Management

Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out.

PRJ-30679,
PRHF-19185

Security Management

Policy installation with Directional VPN rules may fail with a verification error.

PRJ-30057,
PRHF-19250

Security Management

In rare scenarios, after Management Server upgrade, importing the database may fail with "Tried to persist object".

PRJ-36184,
PRJ-36185

Security Management

In some scenarios, in SmartConsole, the IPS update status list does not reflect correctly all the Gateways with enabled IPS blade. Refer to sk175449.

PRJ-34033,
PMTR-73939

Security Management

When many sessions are opened:

  • Publish operation may be slow
  • APPI Update may be stuck on 30% and eventually fail
  • Domain Import task may be stuck after 50% and then fail

PRJ-22264,
PRHF-15674

Security Management

In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967.

PRJ-33285,
PRHF-20525

Security Management

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

PRJ-34176,
PRHF-20991

Security Management

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

PRJ-34180,
PRHF-21215

Security Management

In rare scenarios, the Management Server becomes inaccessible if there are more than 5000 objects in the Gateways and Servers view.

PRJ-35337,
PRHF-21851

Security Management

In rare scenarios, the Management Server may fail to start after an upgrade.

PRJ-33399,
PRHF-20866

Security Management

When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

PRJ-33363,
PRHF-20847

Security Management

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

PRJ-33459,
PMTR-71195

Security Management

While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the Configuration tab.

PRJ-32744,
PRHF-20512

Security Management

In a rare scenario, the FWM process unexpectedly exits.

PRJ-33166,
PRHF-20782

Multi-Domain Management

The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/.

PRJ-30349,
PRHF-19421

Multi-Domain Management

During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface.

PRJ-30524,
PRHF-19541

Multi-Domain Management

In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail.

PRJ-38328,
PMTR-82069

SmartConsole

  • Install Policy Preset may invoke policy installation on Gateways different from those that are defined.
  • Policy installation on multiple Gateways on MDS level may trigger installation on one Gateway only.

Refer to sk178590.

PRJ-32976,
PRJ-32977,
PMTR-74061

CPView

In Overview, some data about disk space may be missing.

PRJ-32371,
PRHF-18699

Logging

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

PRJ-32305,
PRHF-18539

Logging

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

PRJ-32585,
PRHF-20276

Logging

There may be empty values in the "Office Mode IP" field in the Logs view.

PRJ-28315,
PRHF-18428

Logging

The "Last Update Time" field of a Session Log may show incorrect values.

PRJ-25652,
PRHF-17000

Logging

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

PRJ-29121,
PRHF-18445

Logging

SmartEvent may not show some of the Anti-Virus logs.

PRJ-32026,
PRHF-19715

Logging

In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log.

PRJ-30661,
PRHF-19620

Logging

  • The "fw log" and "fwm logexport" commands may fail with "Error: Failed to read field".
  • The exported log file may not contain all logs.

Refer to sk176644.

PRJ-31615,
PRHF-19834

Logging

Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543.

PRJ-32578,
PRHF-20447

Logging

In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.

PRJ-32016,
PRHF-20117

Logging

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

PRJ-30547,
PRJ-30548,
PRHF-19084

Logging

In rare scenarios, when QoS blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783.

PRJ-29172,
PRHF-18866

Logging

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and " fwbintabreplace: table svm_range_gateways_valid not found" from the FWD debug log.

PRJ-30143,
PMTR-60786

Logging

Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file.

PRJ-32229,
CGIS-636

Logging

The "vsec_lic_cli update" command now supports IP change in the license string.

PRJ-32083,
PRJ-32084,
PMTR-74297

Logging

A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic.

PRJ-34248,
PRHF-21188

Logging

There may be an incorrect error message related to MakeConnection method.

PRJ-14159

Security Gateway

UPDATE: Added support for CPView's Top Connections tab in User Space Firewall (USFW).

PRJ-34448

Security Gateway

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

  • Fix is relevant for Gaia 3.10 only.

PRJ-31663,
PRJ-31664,
PMTR-68092

Security Gateway

UPDATE: Adding Connection and Packet Distribution statistics in CPView.

PRJ-38234,
PRJ-38233,
PMTR-81910

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

PRJ-29695,
PRJ-29696,
PRHF-19097

Security Gateway

In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages.

PRJ-27607,
PRJ-2760,
PRHF-18068

Security Gateway

A debug message is printed as an error.

PRJ-33900,
PMTR-58175

Security Gateway

In rare scenarios, the LOG_INDEXER process may unexpectedly exit with a core dump file.

PRJ-21485,
PRJ-21484,
PMTR-57716

Security Gateway

The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424.

PRJ-30780,
PRJ-30781,
PRHF-19506

Security Gateway

Access Policy installation may fail with "Error code 1-2000078".

PRJ-31205,
PRJ-31206,
PRHF-19333

Security Gateway

The Security Gateway may crash during policy installation due to memory allocation problems.

PRJ-33510,
PRJ-33511,
PMTR-75878

Security Gateway

CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic.

PRJ-33271,
PRJ-33272,
PMTR-26836

Security Gateway

The control connection may not be refreshed together with data connection if the data connection is accelerated. Refer to sk168952.

PRJ-33609,
PRJ-33610,
PRHF-20810

Security Gateway

In a rare scenario, the FWD process may unexpectedly exit.

PRJ-33995,
PRJ-33996,
PRHF-18340

Security Gateway

In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout.

PRJ-23477,
PRJ-23478,
PRHF-16013

Security Gateway

Policy installation may fail when reaching out of memory on the Security Gateway.

PRJ-34266,
PRHF-19587

Security Gateway

The log_exporter process may consume a high CPU.

PRJ-32572,
PRJ-32573,
PMTR-74852

Security Gateway

When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted.

PRJ-36997,
PRJ-36993

Security Gateway

  • On 2200 appliances, the CPD process may unexpectedly exit because of sensor read failure.

  • Sensor table values for 3600, 3600T, 3800, 6200B, 6200P, 6200T, 6400, 6600, 6700, 6900, 7000, 600-S are incorrect.

Fix is relevant for Gaia 3.10 only.

PRJ-33247,
PRJ-33248,
PRHF-20709

VPN, Internal CA

Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468.

PRJ-34863,
PRJ-34088

Threat Prevention

IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors.

PRJ-33546,
PRJ-33547,
PMTR-74799

Threat Prevention

When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947.

PRJ-30442,
PRJ-30443,
PRHF-17552

Threat Prevention

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space

PRJ-30499,
PRJ-30500,
IDA-4120

Identity Awareness

UPDATE: Enhanced Identity Sharing SmartPull mechanism for large scale environments.

PRJ-37472,
PRJ-37473,
PMTR-80602

Identity Awareness,
Identity Logging

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

PRJ-30945,
PRJ-30946,
IDA-4253

Identity Awareness

In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests.

PRJ-35818,
PRJ-35819,
PRHF-21396

Identity Awareness

On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

PRJ-32869,
PRJ-32870,
PMTR-75155

Identity Awareness

When Identity Awareness blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause one of the members to go down with a configuration pnote.

PRJ-28217,
PRJ-28216,
PRHF-15223

Identity Awareness

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

PRJ-33145,
PRJ-33146,
PRHF-20682

URL Filtering

In some scenarios, SSL websites are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283.

PRJ-34457,
PRJ-34456,
PRJ-34456,
IPS-1066

IPS

Enhanced IPS package loader.

PRJ-29425,
PRJ-29426,
PRHF-18966

IPS

When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated.

PRJ-30423,
PRJ-30424,
PRHF-17395

DLP

The dlpu process may unexpectedly exit with core dump file.

PRJ-32999,
PRJ-33000,
PMTR-75153

SSL Inspection

UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2.

PRJ-32881,
PRJ-32882,
PMTR-75079

SSL Inspection

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

PRJ-32898,
PRJ-32899,
PRHF-20458

SSL Inspection

In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file.

PRJ-33404,
PRJ-33405,
PMTR-72934

SSL Inspection

In rare scenarios, TLS probing connections may remain open for extended periods.

PRJ-34971,
PRJ-34972,
PMTR-77321

SSL Inspection

In rare scenarios, the WSTLSD daemon may unexpectedly restart.

PRJ-34158,
PRJ-34159,
PMTR-75807

SSL Inspection

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

PRJ-36296,
PRJ-36297,
PMTR-76171

SSL Inspection

A memory leak related to TLS probe may occur in the WSTLSD process.

PRJ-35937,

PRJ-35939,

PRJ-35934

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

PRJ-31229,
PRJ-31230,
SNX-67

SSL Network Extender

SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760.

PRJ-32469

ClusterXL

Added Syslog support for Cluster events messages.

  • Fix is relevant for Gaia 3.10 only.

PRJ-35981,
PMTR-74818

ClusterXL

A cluster failover may take longer than it should.

  • Fix is relevant for Gaia 3.10 only.

PRJ-36468,
PRJ-36469,
PRHF-21775

SecureXL

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

PRJ-36071,
PRJ-36072,
PRJ-34902

SecureXL

In some scenarios, related to sending multicast packets, the ICMP errors may be shown.

PRJ-28642,
PRJ-28643,
PMTR-67800

SecureXL

A redundant message "ACC: Accelerator started." is printed in dmesg logs.

PRJ-33353,
PRJ-33354,
PMTR-75438

Routing

  • Security Gateway may crash when OSPF inserts or removes an LSA from its database.
  • Neighbor dead timers may have negative values.

PRJ-30711,
PRJ-30712,
PRHF-18975

Routing

Connectivity issues may occur after configuration of route based VPN (VTI interface). Refer to sk176368.

PRJ-34708,
PRJ-34709,
PMTR-73184

Routing

In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order.

PRJ-36235,
PRJ-36236,
PRHF-22206

VPN

A memory leak may occur in the VPND process.

PRJ-32363,
PRJ-32364,
PRHF-20315

VPN

Improved IKEv2 narrowing.

PRJ-36415,
PRJ-36417,
PMTR-79305

VPN

In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit.

PRJ-32516,
PRJ-32517,
PMTR-74732

VPN

Improved establishing IKEv2 tunnel with DAIP peer.

PRJ-34490,
PRJ-34491,
PRJ-34491

VPN

Remote Access users cannot connect when a certificate issued by a configured subordinate CA is used for authentication.

PRJ-34509,
PRJ-34510,
PRHF-21405

VPN

When IKEv2 and pre-shared-key are configured, VPN may fail during the second IKE SA re-key. Refer to sk171756.

PRJ-34208,
PRJ-34209,
PMTR-74824

VPN

IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.

PRJ-33839,
PMTR-76280

VSX

UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode.

  • Fix is relevant for Gaia 3.10 only.

PRJ-32531,
PMTR-74770

VSX

UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

PRJ-36790,
PMTR-77287

VSX

The "vsx_util reconfigure" command may fail without printing the cause of the error.

PRJ-22475,
PRJ-22481,
PRHF-15744

VSX

In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

PRJ-32077,
PMTR-74295

VSX

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes writing the object to the database to fail.

PRJ-37420,
PMTR-79515

VSX

After deleting a warp interface in SmartConsole, the active VSX cluster member may crash.

  • Fix is relevant for Gaia 3.10 only.

PRJ-36773,
PRJ-36772,
PRJ-36756

Gaia OS

NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.

PRJ-37956,
PRJ-37955,
PMTR-81489

Gaia OS

UPDATE: Upgraded OpenSSL to fix CVE-2022-0778. Refer sk178411.

PRJ-28692

Gaia OS

Stability enhancement for Bond LS.

PRJ-30209,
PRJ-30210,
PRHF-19017

Gaia OS

  • VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
  • IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

PRJ-33685,
PRJ-33686,
PMTR-75891

Gaia OS

Potential vulnerability related to specific Gaia API command on VSX systems.

PRJ-33505,
PRJ-33506,
PMTR-75443

Gaia OS

Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128.

PRJ-32690,
PRJ-32691,
PMTR-58250

Gaia OS

In some scenarios, like defected LOM card, or when LOM port exists, but no LOM is connected, the confd process may stop working.

PRJ-37227,
PRJ-20942,
PMTR-63343

Gaia OS

Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.

PRJ-33711,
PRJ-32546

Gaia OS

In a rare scenario, the Security Gateway fails to boot when working in USFW (User-Space Firewall) mode.

  • Fix is relevant for Gaia 3.10 only.

PRJ-27907,
PRHF-17814

Harmony Endpoint

In some scenarios, logs related to Harmony EndPoint may be missing.

PRJ-36272,
PRHF-22059

CloudGuard

In some scenarios, incorrect data center updates are pushed to the Gateway.

PRJ-34525,
PRHF-21383

CloudGuard

When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway.

PRJ-36702,
ODU-244

Public Cloud CA Bundle

Added Take 14 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-35156

Scalable Platforms

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-36828,
ODU-287

HCP

Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-34440,
ODU-217

HCP

Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-22351,
PRJ-22352,
INFRA-528

Infrastructure

UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias.

PRJ-29948,
PRJ-29949,
PRHF-19115

Infrastructure

In a rare scenario, the user cannot connect to the Mobile Access Portal.