List of All Resolved Issues and New Features in R80.40 Jumbo Hotfix Accumulator

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

• To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

• To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

• To see the current state of this feature: show audit login-notifier

• To enable this feature (this is the default): set audit login-notifier on

• To disable this feature: set audit login-notifier off

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted.

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out.

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

A scheduled Install Policy Preset may not have its next run time updated when:

• The Multi-Domain Security Management Server was down while the preset was scheduled to run

• There are over 50 presets defined

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

The Security Gateway may crash while inspecting non-HTTP traffic.

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024).

Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801.

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

Security Gateway may crash when running kernel debugs of the "UP" module.

When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur.

Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705.

Latency in connection caused by a packet flow change from F2V to F2F.

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore.

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

IoC feed may not load because of a parsing issue with the IP address range indicator.

In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled.

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed".

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

In a rare scenario, the Security Gateway may crash during an IPS package update.

A memory leak may occur in the DLPU process.

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

Sending emails with attachments via Capsule Workspace may fail on iOS.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

Traffic may be dropped and the FWACCEL core file is generated.

Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table.

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

After an update, multicast traffic may be dropped.

There may be high CPU utilization and slow recovery of the ROUTED process after a failover.

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

The ROUTED daemon may unexpectedly exit because of multi-threading issues.

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

• Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

• OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

• Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).

• To activate it, GNAT should be enabled. Also, in the fwkern.conf file, run "set fwx_force_random_nat_port_alloc=1",

• To disable, run "set fwx_force_random_nat_port_alloc=0".

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

UPDATE: Added more logs related to Pushing VSX Configuration.

• On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

• On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

• VSX Provisioning tool is now logged in the vpt_history.elg.

.

UPDATE: Improved performance of pushing Data Center Objects changes to Security Gateways.

UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions.

The cpview -s export operations may fail on VS0 when cpview_services are running.

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

In a large environment, High Availability synchronization for the Global Domain may fail with the "Global domain is busy syncing, please check sync status" error.

When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue.

In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error.

In a Multi-Domain environment, the HitCount retention mechanism may prematurely remove the HitCount data.

Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

In some scenarios, the CME process fails to start.

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

CPView may not show some interfaces.

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

The "epoll is enabled" warning is incorrectly displayed during policy installation.

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

Stability issues when ICAP client is active.

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

Policy installation may fail with an "Error 0-2000080" message because of memory allocation issues.

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

In rare scenarios, the FWD process is stuck during policy installation.

The Security Gateway may crash because of an issue in the FILEAPP (File Application) module.

When Anti-Spoofing is enabled, the Security Gateway may crash.

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

In a rare scenario, when QoS is enabled, the Security Gateway may crash.

The "fw monitor" command output may contain "no packets left to merge" messages.

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active.

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

In some scenarios, the CPD process may unexpectedly exit.

The certificate in SmartConsole is shown as valid, although it is expired.

The "ioc_feeds set interval -r" command may fail.

Loading of Custom Intelligence Feeds with authentication may fail.

The DLPU process may unexpectedly exit with a core dump file.

When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue.

External IoC feeds may fail with "General Error". And in the feeder.elg there are many "Failed to load signatures" messages.

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

In a rare scenario, a wrong access role may be assigned to a user.

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

The RAD process may freeze when an error occurs and an error event is initialized.

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash.

In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473.

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

In an Active/Active cluster, a member may reboot because of a memory corruption issue.

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

Multicast traffic may get dropped, and no logs are generated.

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

In a rare scenario, a CPAQ message sent during policy push does not have critical and can be dropped when the Security Gateway is busy.

The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486.

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

Stability issues of the VPND and IKED processes.

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

Remote Access Client may fail to connect when using machine certificate authentication.

In VSX, after adding instances to a Virtual System (VS), their state may be inactive.

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

In VSX, if Dynamic Balancing was manually disabled on R80.40, after an upgrade from R80.40 to R81.20, it automatically gets enabled.

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed.

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails.

AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC).

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

In some scenarios, when using static NAT, VoIP traffic may be affected.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

The CPVIEWD process may cause CPU spikes.

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

An Application Control and URL Filtering update may still occur even if the latest version is already installed.

After an Application Control update, policy installation may fail.

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command.

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

Access Policy installation may fail with the "Internal error occurred during the verification process" error.

When running the "show access-rule" Management API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells.

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate.

UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message.

In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format.

Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog.

Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), they may stop coming to the Log Server after several initial logs.

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

In rare scenarios, the LOG_INDEXER process may unexpectedly exit, and there is no access to the logs. Refer to sk172915.

It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only.

Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully.

UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.

A kernel crash may occur during system shutdown when PIM is enabled.

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash.

It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE"

The Security Gateway may run out of memory when retrieving topology.

After an upgrade, VSX cluster may have frequent failovers.

When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated.

Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577.

Threat Prevention policy installation may fail with a "Connection aborted by Peer" message.

In a rare scenario, the mal_conns table may consume a large amount of memory.

The PDPD daemon may frequently exit during the user authentication flow.

Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot.

The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked.

Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag".

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers.

In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage.

There may be high CPU or/and latency in CIFS/SMB connections.

The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP.

The ROUTED process may unexpectedly exit when the route does not have the next hop.

UPDATE: Added a new command "use_crl_for_revocation_method" which allows setting revocation method back to CRL when OCSP Server is unreachable. Refer to sk179434.

When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources.

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode.

In some scenarios, the vsx_provisioning_tool fails to delete an interface and claims that it has already been freed..

When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway.

Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output.

Pushing a VSX configuration to a virtual device may fail.

When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted.

Information about scheduled backup failure is now displayed in Clish, WebUI and in the error message inside the log file.

UPDATE: Client Uninstall Remote Help is now Device-based. User Logon name is not needed anymore.

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways.

Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056.

Added Take 19 of Public Cloud CA Bundle. Refer to sk172188.

UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down.

If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status.

Migration of the Security Management Server to the Multi-Domain Management Server may fail.

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

Some unused sessions may remain open in the system, consuming memory and CPU.

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

UPDATE: Amended the override_server_setting.sh script to support changes in the values of

RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

The FWD process may unexpectedly exit and create core dump files.

In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713.

UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215.

When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency.

There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server.

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886.

The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP).

The RAD daemon may fail and create core dump files on VSX Gateways.

UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output.

The Nested Groups Depth value changed in CLI may not survive a reboot.

Memory consumption may increase after policy installation when Secure ID is configured.

When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly.

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

When installing a specific hotfix, the CVPND process may unexpectedly exit.

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446.

UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960.

In a rare scenario, ipsctl kernel module does not load at startup.

The ROUTED process may unexpectedly exit when querying BGP data.

UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271.

There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled Multi-Queue.

The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart.

In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121.

A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586.

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown.

UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10.

A user locked by the deny-on-nonuse mechanism cannot get unlocked.

UPDATE: Improved Access Policy installation time.

In rare scenarios, the Management Server may fail to start due to incorrect session handling.

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy.

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

Cloud Shadow Objects verification may take several minutes.

Management HA synchronization may fail with the "NGM failed to import data" error.

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125.

In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy.

When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) may display a non-ASCII character ("ן»¿"), and the time may be split into two cells.

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled.

Refer to sk105740.

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

When running the "show_configuration" command in CLISH, static routes are shown twice.

Multiqueue Clish "show" commands may fail in a Management Data Plane Separation (MDPS) environment.

In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down.

Cluster failover may trigger the FWK process to exit, with no traffic impact.

When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings" and Precise Error "Connection queue exceeded max size". Refer to sk169995.

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

In a VSX environment, SNMP queries to OSPF OIDs may fail.

IPS entries of AMW_report.xml may be missing for a Security Gateway onboarded to Infinity SOC.

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout.

In very rare scenarios, a traffic outage may occur.

Improved detection in some IPS protections.

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

UPDATE: Added support for the "Same VMAC" feature.

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby.

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state.

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

An Active member in a cluster may make a full reboot during policy installation.

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

An outage may occur when using IKEv2.

Machine Authentication stability improvements for Remote Access Endpoint Clients.

UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation.

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

A member may fail to pull configuration from the SMO on startup.

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt.

Running the "brctl_show" command in a non-VS0 context may give VS0 results.

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

The CONFD process may unexpectedly exit and generate a core dump file.

UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time.

After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources.

Policy install or publish may fail because of the CPM process operations overload.

The "Object is inaccessible/deleted on Data Center" warning may be shown for Tag objects in SmartConsole.

After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". Refer to sk179747.

NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool.

Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249.

When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265.

Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129.

When cloning an IPS profile, the advanced settings of cloud protection are not copied to the new profile.

In a rare scenario, the FWM process unexpectedly exits.

UPDATE: SmartView reports will now show the new Check Point logo.

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627.

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log.

On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.

Improved samples visibility in SmartView Widgets.

UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127.

UPDATE: Adding Connection and Packet Distribution statistics in CPView.

UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.

Improved Security Gateway internal memory allocation logic.

In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.

The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952.

Uninstalling Jumbo Hotfix may cause interfaces to disappear.

In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn".

IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors.

On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Gateways together, Gateways may consume more CPU during rule-match of new connections.

When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites,the Security Gateway may drop the traffic.

A memory leak related to TLS probe may occur in the WSTLSD process.

A single cluster member with Dynamic Routing configuration may stay permanently in DOWN state producing ROUTED pnote during a boot.

Multicast packets may be dropped after policy installation.

In some scenarios, fragmented Cluster LS packets are dropped by SecureXL.

Connectivity issues may occur after configuration of route-based VPN (VTI interface). Refer to sk176368.

IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.

Improvements for DAIP Gateway behind Hide NAT.

The VPND process may unexpectedly exit causing VPN connections to restart.

In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment.

A memory leak may occur in the VPND process when using Remote Access Secondary Connect.

In some scenarios, NAT-T tunnel establishment may fail.

Improved VPN interoperability.

A memory leak may occur in the VPND process.

UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database.

There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.

In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.

The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.

UPDATE: Changed the Syslog message severity from "error" to "info" and removed the exclamation mark in a specific message which is displayed during the normal backup operation flow.

Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.

When static NAT is configured, VoIP calls may not work.

Added Take 14 of Public Cloud CA Bundle. Refer to sk172188.

In Amazon Web Services (AWS), some Gateways may frequently crash with vmcores.

In some scenarios, incorrect data center updates are pushed to the Gateway.

In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904.

Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436.

UPDATE:

• Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".
• It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

In rare scenarios, a "Create Domain", "Delete Domain" or "Delete Domain Server" task can be stuck at 5% with the "Task in queue" status.

Deleting a network group may fail because it is being used, although "Where Used" shows no usage.

In rare scenarios, adding a service to a rule in Access Policy:

• may take a long time (more than several seconds)
• may cause SmartConsole to unexpectedly exit

Refer to sk176004.

In rare scenarios, the Management Server may fail to start.

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

Policy installation on Gateways R81 and below may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725.

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/.

• Install Policy Preset may invoke policy installation on Gateways different from those that are defined.
• Policy installation on multiple Gateways on MDS level may trigger installation on one Gateway only.

Refer to sk178590.

UPDATE: Added CPInfo Build 914000227. Refer to sk92739.

SmartEvent may not show some of the Anti-Virus logs.

The "Last Update Time" field of a Session Log may show incorrect values.

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403.

Access Policy installation may fail with "Error code 1-2000078".