Take 254 - General Availability

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 254

Released on 5 July 2022 and declared as General Availability on 1 Aug 2022

PRJ-36847,
PRHF-22352

Security Management

In rare scenarios, the Management Server may fail to start due to incorrect session handling.

PRJ-37633,
PRHF-22693

Security Management

After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted.

PRJ-37502,
PRHF-22597

Security Management

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

PRJ-37394,
PRHF-22603

Security Management

After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084.

PRJ-35015,
PRHF-21705

Security Management

Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when the cluster's interfaces are configured on only one member. Refer to sk177129.

PRJ-37493,
PRHF-22409

Security Management

In some scenarios, the "show-hosts" Management API command fails with "generic_error" when run with "details-level full". Refer to sk178249.

PRJ-37521,
PRHF-22656

Security Management

Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server.

PRJ-35948,
PRHF-21894

Security Management

In the Compliance view, after changing "Policy Range" to a value smaller than 100%, best practices results become unavailable. Refer to sk177544.

PRJ-37707,
PRHF-22796

Security Management

Install Policy preset fails if the Threat Prevention policy was uninstalled.

PRJ-37864,
PRHF-22678

Security Management

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy.

PRJ-39962,
PRHF-21115

Security Management

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

PRJ-36918,
PRHF-22479

Security Management

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

PRJ-37800,
PRHF-22885

Security Management

In some scenarios, deleting a Security Gateway object fails with the "Action failed due to an internal error" error.

PRJ-35058,
PRHF-21753

Security Management

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

PRJ-35652,
PRHF-21996

Security Management

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

PRJ-38739,

PRHF-23467

Security Management

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

  • Fix is relevant for Gaia 3.10 only.

PRJ-37197,
PRHF-22299

Security Management

The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054.

PRJ-39175,

PRHF-23750

SmartConsole

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error.

PRJ-37099,
PRHF-22528

Logging

UPDATE: Scheduled email reports will now use TLS 1.2 instead of TLS 1.0. Refer to sk178125.

PRJ-37692,
PMTR-79023

Logging

UPDATE: SmartView reports will show the new Check Point logo.

PRJ-36459,
PRHF-22152

Logging

When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

PRJ-36288,
PRHF-22228

Logging

The "cp_log_export" command fails with the "sed: invalid option - E" error.

PRJ-33814,
PMTR-72206

Logging

The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position.

PRJ-34140,
PRHF-21218

Logging

When SmartConsole is connected to a Domain Management Server, in the Logs & Monitor view:

  • When filtering logs with the query "service:", SmartConsole does not show a drop-down list with available services.

  • When filtering logs with the query "origin: <Name of Security Gateway Object>", SmartConsole shows "No matches found for your search".

Refer to sk178904.

PRJ-37895,

PRHF-22858

Logging

Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP.

PRJ-34804,
PRHF-21554

Logging

In some scenarios, logs related to Content Awareness are missing.

PRJ-19033,

PRJ-19034,
PMTR-61532

Security Gateway

UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory. The change is only cosmetic.

PRJ-33927,

PRJ-33928,
PRHF-20845

Security Gateway

Cluster failover may trigger the FWK process to exit, with no traffic impact.

PRJ-36117,

PRJ-36118,
PMTR-71654

Security Gateway

In CPView, under Network, the Bytes Per Sec value in Traffic Rate may be incorrect.

PRJ-40631,

PRJ-40632,

PRHF-24611

Threat Prevention

IPS entries for a Security Gateway onboarded to Infinity SOC may be missing from AMW_report.xml.

PRJ-36162,

PRJ-36163,
PRHF-21680

Identity Awareness

In a rare scenario, the PDP process may unexpectedly exit with a core dump file.

PRJ-35849,

PRJ-35850,
PRHF-22037

Identity Awareness

The PEP process may unexpectedly exit.

PRJ-38040,

PRJ-38041,
PMTR-81714

IPS

In very rare scenarios, a traffic outage may occur.

PRJ-36518,

PRJ-36519,
PMTR-77922

IPS

Improved detection in some IPS protections.

PRJ-35289,

PRJ-35290,
PRHF-21849

Mobile Access

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

PRJ-37432,

PRJ-37433,
PMTR-80319

ClusterXL

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

PRJ-36174,

PRJ-36175,
PMTR-51050

ClusterXL

In the Virtual Device Status table, in the vs0 context, the output shows the Active-Active status on two members instead of Active-Standby.

PRJ-35593,

PRJ-30380,
PRHF-21922

ClusterXL

In a rare scenario, after an upgrade and reboot, a Standby member goes down with a FullSync pnote and cannot synchronize.

PRJ-37879,

PRJ-37880,

PMTR-81375

ClusterXL

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

PRJ-35928,

PMTR-78762

ClusterXL

After enabling the kernel parameter "fwha_drop_pkt_on_down_member" for a cluster that is in Active/Active state in bridge mode (sk169495), packets may be dropped even when the member is not in Down state.

  • Fix is relevant for Gaia 3.10 only.

PRJ-37811,

PRJ-37812,

PRJ-37001

SecureXL

NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603.

PRJ-39006,

PRJ-38405,

PRHF-22881

SecureXL

SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped.

PRJ-39000,

PRJ-39001,

PRHF-23644

SecureXL

SYN Defender may change the MSS in a SYN packet to a larger value, potentially causing traffic drop.

PRJ-34763,

PRJ-34764,

PRHF-21568

VPN

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

PRJ-29580,
PRHF-16144

VSX

UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW).

PRJ-34669,
PMTR-77130

VSX

UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.

PRJ-36447,

PRJ-36448,

PMTR-65595

VSX

UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

PRJ-36169,

PRJ-35502,
PMTR-62860

VSX

There may be a mismatch of policy name on Virtual Switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.

PRJ-36765,
PMTR-52576

VSX

VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.

PRJ-33469,
PMTR-73998

VSX

In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously.

PRJ-28543,

PRJ-28544,

PMTR-65366

VSX

Latency and packet loss issues may occur when traffic goes through an external VS connected to a Virtual Switch (VSW). Refer to sk177344.

PRJ-38289,
PMTR-41352

VSX

When deleting a physical interface that was added with a VLAN trunk to a VSX cluster or a VSX Gateway, it is not removed correctly from the management side and may still be seen if running the "vsx_util show_interfaces" command.

PRJ-32404,

PRJ-32405,
PMTR-74557

VSX

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

PRJ-33313,
PRHF-20561

VSX

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

PRJ-32703,

PRHF-20553

VSX

After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS.

PRJ-32474,
PRHF-20437

VSX

When using the VSX Provisioning Tool, it may not be possible to create a new warp interface, and then change the main IP address of the VS in the same transaction.

PRJ-35276,

PMTR-76457

VSX

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via clish is deleted without validation.

  • Fix is relevant for Gaia 3.10 only.

PRJ-33038,

PMTR-69098

VSX

In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby.

PRJ-38405,

PRJ-38406,

PMTR-73704

VSX

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

PRJ-38825,

PRJ-38826,

PMTR-82551

VSX

The FWK process of a Virtual Switch (VSW) may consume high CPU.

PRJ-36131,

PRHF-21970

VSX

A member may fail to pull configuration from the SMO on startup.

  • Fix is relevant for Gaia 3.10 only.

PRJ-38200,

PRJ-38201,

PRHF-23118

VSX

In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.

PRJ-35582,

PRJ-35583,
PRHF-21922

Gaia OS

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

PRJ-37413,

PRJ-39087,
PMTR-74360

Gaia OS

In a rare scenario, while idle, the Security Gateway may crash, producing a vmcore file.

PRJ-36084,

PRJ-36085,
PMTR-78169

Gaia OS

WebUI session may end when creating a Role with full permissions.

PRJ-38227,

PRJ-38228,

PMTR-81516

Gaia OS

When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue.

PRJ-37345,

PRJ-37346,
PMTR-80176

Gaia OS

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

PRJ-36784,

PRJ-36785,

PMTR-79249

Gaia OS

The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.

PRJ-39093,

PRJ-39094,

PRHF-23641

Gaia OS

Dynamic routing SNMP OID polling may work only in VSX mode.

PRJ-33558,

PMTR-75925

Gaia OS

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

  • Fix is relevant for Gaia 3.10 only.

PRJ-37116,

PRJ-37117,
PRHF-18358

VoIP

VoIP calls may not work when static NAT is configured.

PRJ-37601,

PRHF-22145

CloudGuard

In Amazon Web Services (AWS), some Gateways may crash frequently with vmcores.

  • Fix is relevant for Gaia 3.10 only.

PRJ-38021,

ODU-342

Public Cloud CA Bundle

Added Take 18 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-26371,
PMTR-68629

Scalable Platforms

NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool.

PRJ-38034,

ODU-341

Scalable Platforms

Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-38221,

ODU-349

HCP

Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436.