List of All Resolved Issues and New Features in R80.40 Jumbo Hotfix Accumulator
|
Review the Important Notes section before installing a new Take.
This version reached its End of Support. If you are using this version (or lower), we strongly recommend you to upgrade your environments. |

Take | Available Since | Recommended Since |
---|---|---|
13 Mar 2024 |
01 May 2024 |
|
28 Dec 2023 |
16 Jan 2024 |
|
19 Nov 2023 |
- |
|
19 Jul 2023 |
30 Aug 2023 |
|
27 Apr 2023 |
03 May 2023 |
|
06 Mar 2023 |
18 Apr 2023 |
|
28 Dec 2022 |
26 Feb 2023 |
|
13 Nov 2022 |
- |
|
20 Sep 2022 |
30 Oct 2022 |
|
31 Aug 2022 |
13 Sep 2022 |
|
25 Jul 2022 |
- |
|
30 May 2022 |
13 Jul 2022 |
|
06 Apr 2022 |
16 May 2022 |
|
20 Mar 2022 |
23 Mar 2022 |
|
01 Mar 2022 |
08 Mar 2022 |
|
22 Feb 2022 |
- |
|
19 Jan 2022 |
- |
|
09 Dec 2021 |
13 Dec 2021 |
|
30 Nov 2021 |
- |
|
01 Nov 2021 |
- |
|
13 Oct 2021 |
- |
|
23 Sep 2021 |
04 Oct 2021 |
|
17 Sep 2021 |
|
|
04 Aug 2021 |
04 Aug 2021 |
|
04 Jul 2021 |
- |
|
10 May 2021 |
25 May 2021 |
|
25 Apr 2021 |
- |
|
14 Apr 2021 |
21 Apr 2021 |
|
17 Mar 2021 |
- |
|
07 Mar 2021 |
14 Mar 2021 |
|
21 Feb 2021 |
- |
|
16 Feb 2021 |
- |
|
16 Dec 2020 |
26 Jan 2021 |
|
01 Dec 2020 |
09 Dec 2020 |
|
05 Nov 2020 |
22 Nov 2020 |
|
04 Oct 2020 |
25 Oct 2020 |
|
26 Aug 2020 |
09 Sep 2020 |
|
18 Aug 2020 |
25 Aug 2020 |
|
05 Aug 2020 |
- |
|
27 Jul 2020 |
- |
|
23 Jul 2020 |
27 Jul 2020 |
|
19 Jul 2020 |
- |
|
30 Jun 2020 |
- |
|
24 Jun 2020 |
- |
|
15 Jun 2020 |
- |
|
21 May 2020 |
25 May 2020 |
|
10 May 2020 |
- |
|
26 Apr 2020 |
- |
|
16 Mar 2020 |
- |
ID |
Product |
Description |
---|---|---|
Take 211 Released on 13 March 2024 and declared as Recommended on 1 May 2024 |
||
PRJ-47119, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-50101, PRHF-30325 |
Diagnostics |
UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository. |
PRJ-46555, |
Security Gateway |
UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632. |
PRJ-46320, |
Security Gateway |
UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log. |
PRJ-46943, |
Threat Prevention |
UPDATE: IPS bypass triggers is now activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change results in more effective security measures without unnecessary bypasses. |
PRJ-44318, |
Threat Prevention |
UPDATE: The DCE-RPC kernel tables is now global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable. |
PRJ-52039, |
Threat Extraction |
UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832. |
PRJ-49230, |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 80008407. |
PRJ-44241, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-46313, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically. |
PRJ-48106, |
VSX |
UPDATE: Changed the vsx push configuration log:
|
PRJ-43880, |
VSX |
UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX. |
PRJ-47224, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427. |
PRJ-50871, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements. |
PRJ-48008, |
Gaia OS |
UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically. |
PRJ-45234, |
Gaia OS |
UPDATE: SNMP traps for interfaces going up and going down now contains the interface name and description. |
PRJ-47447, |
GaiaOS |
UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:
|
PRJ-48079, |
CloudGuard Network |
UPDATE: Added support for Azure Scale sets with Flexible orchestration mode. |
PRJ-48800 |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region |
PRJ-52693, ODU-1408 |
Smart-1 Cloud |
UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056. |
RJ-45725, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-48402, PRJ-52864, |
HCP |
UPDATE: Added Update 13, Update 15 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53394, ODU-1563 |
Automatic Updates - CPSDC |
UPDATE: Added Take 31 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-46001, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object. |
PRJ-45986, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-47167, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-46697, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-46794, |
Security Management |
The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054. |
PRJ-46014, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-45032, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-46826, |
Security Management |
In some scenarios, the "Object is no longer available" validation warning appears for updatable objects. |
PRJ-45896, |
Security Management |
In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920. |
PRJ-44985, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-45797, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-41458, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-46729, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-48862, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-43287, |
Security Management |
In rare scenarios:
|
PRJ-41242, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-47040, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-47048, |
Security Management |
In rare scenarios. in a Multi-Domain Security Management environment:
|
PRJ-47256, PRJ-47233, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-48035, |
Security Management |
An audit log may not be created after running Revert to Revision. |
PRJ-49193, |
Security Management |
In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated. |
PRJ-45780, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-45438, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-48379, |
Security Management |
In SmartConsole, export of policies with the "Hit count" column may get stuck. |
PRJ-47036, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses. |
PRJ-34858, |
Security Management |
In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report. |
PRJ-48895, |
Security Management |
In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file. |
PRJ-48689, |
Security Management |
Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user. |
PRJ-49219, |
Security Management |
In SmartConsole, an attempt to view administrators may fail with "Error retrieving results". |
PRJ-49202, |
Security Management |
|
PRJ-48368, |
Security Management |
The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util. |
PRJ-48439, |
Security Management |
The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined. |
PRJ-49987, |
Security Management |
The "fwm sic_reset" command may fail and generate a core dump. |
PRJ-47964, |
Security Management |
In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178. |
PRJ-49368, |
Security Management |
In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460. |
PRJ-49342, |
Security Management |
SmartConsole may unexpectedly close after deleting an object in the Object Explorer view. |
PRJ-50211, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters. |
PRJ-50044, |
Security Management |
In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete. |
PRJ-49712, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-49477, |
Multi-Domain Security Management |
When viewing Subordinate CA objects in SmartConsole:
|
PRJ-46584, |
Multi-Domain Security Management |
Migration of a Security Management Server to a Multi-Domain Security Management Server may fail with the "Expected single result for object with uid UID, got: 0" error. |
PRJ-46932, |
SmartConsole |
Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status. |
PRJ-45073, |
Web SmartConsole |
After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.
|
PRJ-46433, |
SmartProvisioning |
After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change. |
PRJ-47340, |
SmartView |
In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message. |
PRJ-49971, |
CPView |
CPU statistics may be incorrect or missing in CPView. Refer to sk182286. |
PRJ-48000, |
CPView |
Offload may fail in CPView with "ERROR! Reason not initialized". |
PRJ-45322, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-47217, |
Logging |
The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs. |
PRJ-45038, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-39448, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-46184, |
Logging |
When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent. |
PRJ-47211, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection blade may fail. |
PRJ-41165, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-47981, |
Logging |
Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only. |
PRJ-46559, |
Logging |
In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds". |
PRJ-49387, |
Logging |
In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field. |
PRJ-46204, |
Logging |
Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609. |
PRJ-48803, |
Logging |
Some attributes in SNMP MIB file may not be accessible. |
PRJ-51145, |
Logging |
When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677. |
PRJ-48239, |
Logging |
The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706. |
PRJ-44588, PRHF-26975 |
Logging |
In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331. |
PRJ-47313, |
Logging |
When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly. |
PRJ-52673, PRHF-32203 |
Security Gateway |
CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944. |
PRJ-46408, |
Security Gateway |
The Security Gateway may listen to the ports used by NAT. |
PRJ-45691, |
Security Gateway |
The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail. |
PRJ-48820, |
Security Gateway |
In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway. |
PRJ-48151, |
Security Gateway |
Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet. |
PRJ-47207, |
Security Gateway |
When running the tp_collector tool, the FW_FULL process may unexpectedly exit. |
PRJ-48020, |
Security Gateway |
In some scenarios, when IPS is enabled, CPU spikes may occur. |
PRJ-46375, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-44699, |
Security Gateway |
In rare scenarios, the WSDNSD process may restart because of an internal error. |
PRJ-47329, |
Security Gateway |
When using the "cpstop" command on the Security Gateway, the fw_full core may be generated. |
PRJ-48245, |
Security Gateway |
The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281. |
PRJ-47518, |
Security Gateway |
After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped. |
PRJ-50137, |
Security Gateway |
Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments. |
PRJ-47266, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-47323, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus blade. |
PRJ-45343, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-46200, |
Security Gateway |
In rare scenarios, updating the NTP Server may cause a temporary outage. |
PRJ-44187, |
Security Gateway |
The Security Gateway may crash due to a memory issue. |
PRJ-44616, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-47556, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47600, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-49006, PMTR-92233 |
Threat Prevention |
In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update. |
PRJ-47635, |
Threat Prevention |
The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148. |
PRJ-50655, |
Threat Prevention |
In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process. |
PRJ-46835, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-43725, |
Threat Prevention |
In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic. |
PRJ-44689, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import IoC feeds. |
PRJ-48189, |
Threat Prevention |
Anti-Virus blade fails to parse external IoC feeds that contain specific delimiters. |
PRJ-44764, |
Threat Prevention |
Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway. |
PRJ-46882, |
Threat Prevention |
Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure. |
PRJ-48923, |
Threat Prevention |
Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented. |
PRJ-48427, |
Threat Prevention |
Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy. |
PRJ-46902, |
Threat Prevention |
Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039. |
PRJ-46441, |
Threat Prevention |
Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension. |
PRJ-50049, |
Threat Prevention |
Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the " |
PRJ-43970, |
Threat Prevention |
When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems. |
PRJ-46965, |
Threat Prevention |
Exporting Custom Intelligence feeds from the management to all the Security Gateways succeeds but the generated log shows that the operation failed. |
PRJ-48084, |
Threat Prevention |
An outage may occur when an unsupported SSH cipher is selected. |
PRJ-46756, |
Identity Awareness |
The ida_tables_util tool may fail with the "bad adress" error. |
PRJ-48248, |
Identity Awareness |
There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417). |
PRJ-45718, |
Application Control |
Policy installation fails when a custom application and user category have the same name. |
PRJ-46196, |
Application Control |
CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186. |
PRJ-42478, |
IPS |
Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types. |
PRJ-49042, |
DLP |
The DLP process may unexpectedly exit during policy installation. |
PRJ-49568, |
Anti-Virus |
The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds. |
PRJ-49639, |
Anti-Virus |
Microsoft Office files may be classified by the Anti-Virus file type classification engine as archives. |
PRJ-50526, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash during inspection of file downloads. |
PRJ-51590, |
Anti-Virus |
The Anti-Bot Blade prevents Domains with the DNS Sinkhole feature, but SmartConsole log shows the "detect" action. |
PRJ-49518, |
Anti-Virus |
The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile. |
PRJ-49295, |
Anti-Virus |
Anti-Virus fails to release held connections after the inspection. |
PRJ-45834, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47782, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-48125, |
Anti-Virus |
A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol. |
PRJ-47933, |
Anti-Virus |
When transferring many files, SMB traffic may freeze while scanned by Anti-Virus blade. |
PRJ-48970, |
Anti-Virus |
When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked. |
PRJ-47237, |
Anti-Virus |
Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode. |
PRJ-48173, |
SSL Inspection |
A FWK process memory leak may occur when canceling the download of a large file in the middle of the process. |
PRJ-47105, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-44273, |
ClusterXL |
A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531. |
PRJ-43931, |
ClusterXL |
Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055. |
PRJ-48411, |
ClusterXL |
In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem". |
PRJ-51175, |
SecureXL |
The Security Gateway may crash with vmcore during boot while upgrading. |
PRJ-48887, |
SecureXL |
The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway. |
PRJ-50552, |
SecureXL |
High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load. |
PRJ-49755, |
SecureXL |
Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces. |
PRJ-43637, |
SecureXL |
In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability. |
PRJ-49376, PRHF-30056 |
SecureXL |
Syn Defender may not correctly handle reused connections. |
PRJ-50830, |
Routing |
The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios. |
PRJ-47799, PRHF-29662 |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come back up. |
PRJ-41792, |
Routing |
Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic. |
PRJ-47485, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-47938, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48115, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-43246, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-49576, |
Routing |
The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected. |
PRJ-49215, |
VPN |
Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled. |
PRJ-49557, |
VPN |
When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed. |
PRJ-47589, |
VPN |
In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error. |
PRJ-42937, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-46259, |
VPN |
The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857. |
PRJ-45125, |
VPN |
Back connection does not function on the Statically NATed Office Mode address as expected. |
PRJ-53368, PRHF-32706 |
VPN |
VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log. |
PRJ-47875, |
Multi-Portal |
The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication. |
PRJ-50310, |
Multi-Portal |
A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway. |
PRJ-49565, |
VSX |
Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages. |
PRJ-50786, |
VSX |
VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface. |
PRJ-50957, |
VSX |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router. |
PRJ-43876, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-47835, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-44298, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed. |
PRJ-44266, |
VSX |
Vsx_util upgrade or downgrade validation fails on Virtual Systems where policy was never installed. |
PRJ-48828, |
VSX |
In some scenarios, the VXLAN Driver Kernel may crash. |
PRJ-49348, |
VSX |
In some scenarios, in Maestro VSX environment with a Virtual Switch (VSW), TCP packets can be dropped as "out of state" or incorrectly dropped on the clean up rule. |
PRJ-47794, |
VSX |
A memory leak may occur in the CPD process. |
PRJ-46018, |
Gaia OS |
The SNMPD process memory consumption may be high, which causes the process to become unresponsive. |
PRJ-46969, |
Gaia OS |
Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249. |
PRJ-48717, |
Gaia OS |
The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option. |
PRJ-46140, |
Gaia OS |
Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content. |
PRJ-47174, |
Gaia OS |
When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration. |
PRJ-50484, |
Gaia OS |
SNMP query does not bring the CPUSE package information for a single OID (not a table). |
PRJ-28432, |
Gaia OS |
Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment. |
PRJ-46273, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47771, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-41335, |
Harmony Endpoint |
When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error. |
PRJ-47145, |
Harmony Endpoint |
When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers. |
PRJ-47897, |
CloudGuard Network |
Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed. |
PRJ-47992, |
VoIP |
When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525. |
PRJ-46987, |
VoIP |
In some scenarios, SIP TCP connections are dropped after a cluster failover. |
PRJ-43606, |
VoIP |
SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter). |
PRJ-49464, |
Scalable Platforms |
On a Security Group with MDPS enabled:
After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane. See sk182076. |
Take 206 Released on 28 December 2023 and declared as Recommended on 16 January 2024 |
||
PRJ-51600, SMB-16203 |
Security Management |
In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803. |
Take 205 Released on 19 November 2023 |
||
PRJ-49981, PMTR-74309 |
Security Management |
UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3. |
PRJ-49980 |
Security Management |
UPDATE: Removed a redundant rule-assistant.war package. |
PRJ-49822, PMTR-95347 |
Security Management |
UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22. |
PRJ-49784, PMTR-95614 |
Security Management |
UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies. |
PRJ-49106, PMTR-94517 |
SmartConsole |
UPDATE: Applied security related improvements to the Jetty open source library. |
PRJ-50122, PRJ-50322, ODU-1217, |
CPView |
UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-50041, |
CPView |
UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458. |
PRJ-49743, PMTR-95099 |
Mobile Access |
UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default. |
PRJ-48337, |
CloudGuard Network |
UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-45978, |
Scalable Platforms |
UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-50540, |
HCP |
UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-50188, PMTR-96205 |
IPS |
Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6. |
Take 198 Released on 19 July 2023 and declared as Recommended on 30 August 2023 |
||
PRJ-44574, |
Internal CA |
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date. |
PRJ-45488, |
Security Management |
UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster). |
PRJ-45293, |
Security Management |
UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792. |
PRJ-44950, |
IPS |
UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day. |
PRJ-44434, |
ClusterXL |
UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742. |
PRJ-43603, PRHF-22566 |
SecureXL |
UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall. |
PRJ-43967, |
VPN |
UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.
Refer to sk98074. |
PRJ-46914, |
VPN |
UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL. |
PRJ-47510, |
GaiaOS |
UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230: 1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor). 2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login). These Gaia Clish commands are available to work with this feature:
|
PRJ-45268, |
GaiaOS |
UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311. |
PRJ-44637, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements. |
PRJ-44357, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region. |
PRJ-45470, |
CPView |
UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-45503, |
CPView |
UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-45905, |
Scalable Platforms |
UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-44863, |
Scalable Platforms |
UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures. |
PRJ-45386, |
HCP |
UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-45156, |
Security Management |
APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites. |
PRJ-42037, |
Security Management |
Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)". |
PRJ-44083, |
Security Management |
Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514. |
PRJ-43557, PRJ-42546, |
Security Management |
In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897. |
PRJ-42420, |
Security Management |
In some scenarios, an upgrade may fail when a Network object Group contains more than 32000 members. |
PRJ-43184, |
Security Management |
If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461. |
PRJ-42550, |
Security Management |
After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes". |
PRJ-35492, |
Security Management |
The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted. |
PRJ-44627, PMTR-90519 |
Security Management |
There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder. |
PRJ-44458, |
Security Management |
In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions. |
PRJ-45485, |
Security Management |
In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation". |
PRJ-45871, |
Security Management |
In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified. |
PRJ-45058, |
Security Management |
In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858. |
PRJ-43809, |
Security Management |
Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584. |
PRJ-45652, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service. |
PRJ-44993, |
Security Management |
In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out. |
PRJ-39773, |
Security Management |
Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command. |
PRJ-46396, |
Security Management |
In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-43689, |
Multi-Domain Management |
Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain's policy. |
PRJ-44449, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681. |
PRJ-45052, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked. |
PRJ-46085, |
Multi-Domain Security Management |
A scheduled Install Policy Preset may not have its next run time updated when:
|
PRJ-46102, |
Multi-Domain Management |
In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983. |
PRJ-45066, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-44967, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages. |
PRJ-40736, |
Multi-Domain Security Management |
Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers. |
PRJ-46507, |
SmartConsole |
Data Center objects may not appear as unused objects in the Object Explorer view, although they should. |
PRJ-44335, |
CPView |
The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540. |
PRJ-41664, |
Logging |
In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field. |
PRJ-39253, |
Logging |
In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server. |
PRJ-45415, |
Logging |
Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic. |
PRJ-38478, |
Logging |
In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured. |
PRJ-20170, |
Logging |
In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached. |
PRJ-41592, |
Logging |
SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information. |
PRJ-46537, |
Security Gateway |
The FWK process may unexpectedly exit while processing the mail flow and generate a core dump. |
PRJ-45953, |
Security Gateway |
When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873. |
PRJ-41965, |
Security Gateway |
When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected. |
PRJ-44309, |
Security Gateway |
In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash. |
PRJ-46685, |
Security Gateway |
When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops. |
PRJ-46051, |
Security Gateway |
The Security Gateway may crash while inspecting non-HTTP traffic. |
PRJ-46332, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-45481, |
Security Gateway |
Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command. |
PRJ-38109, |
Security Gateway |
In some scenarios, the Security Gateway may crash. |
PRJ-45801, |
Security Gateway |
Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588. |
PRJ-44998, |
Security Gateway |
In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped. |
PRJ-45395, |
Security Gateway |
Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801. |
PRJ-45494, |
Security Gateway |
On the Security Gateway with Management Data Plane Separation (MDPS) enabled:
|
PRJ-46338, |
Security Gateway |
In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze. |
PRJ-44249, |
Security Gateway |
When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC. |
PRJ-45476, |
Security Gateway |
Security Gateway may crash when running kernel debugs of the "UP" module. |
PRJ-42528, |
Security Gateway |
In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart. |
PRJ-44958, |
Security Gateway |
When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur. |
PRJ-40876, |
Security Gateway |
In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
PRJ-45184, |
Security Gateway |
Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705. |
PRJ-44750, |
Security Gateway |
Policy installation may fail with "Error 2000240" because of an IPv6 flow issue. |
PRJ-42356, |
Security Gateway |
Latency in connection caused by a packet flow change from F2V to F2F. |
PRJ-44079, |
Security Gateway |
In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated. |
PRJ-41202, |
Security Gateway |
SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625. |
PRJ-36110, |
Security Gateway |
When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email. |
PRJ-44230, |
Security Gateway |
After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore. |
PRJ-44918, |
Security Gateway |
After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs. |
PRJ-44093, |
Security Gateway |
In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure. |
PRJ-41876, |
Security Gateway |
On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode. |
PRJ-45447, |
Security Gateway |
When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure. |
PRJ-43531, |
Security Gateway |
The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated. |
PRJ-44853, |
Security Gateway |
Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter. |
PRJ-47125, |
Security Gateway |
In some scenarios, after an upgrade, the FWD process may unexpectedly exit. |
PRJ-43854, |
Security Gateway |
The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX. |
PRJ-44802, |
Threat Prevention |
In some scenarios, parsing a custom intelligence feed with IP ranges may fail. |
PRJ-43995, |
Threat Prevention |
IoC feed may not load because of a parsing issue with the IP address range indicator. |
PRJ-42583, |
Threat Prevention |
When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced. |
PRJ-44220, |
Threat Prevention |
In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled. |
PRJ-44549, PRHF-27765 |
Threat Prevention |
In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update. |
PRJ-44568, |
Threat Prevention |
After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed". |
PRJ-45560, |
Threat Prevention |
In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail. |
PRJ-45810, |
Threat Prevention |
In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file. |
PRJ-39345, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on PDP when installing policy. |
PRJ-43745, |
Identity Awareness |
The output of the "pdp monitor cv_le <agent-version>" command may be incorrect. |
PRJ-44314, |
Content Awareness |
When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection. |
PRJ-47062, |
Application Control |
When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur. |
PRJ-45426, |
Application Control |
Some TLS1.3 applications without SNI do not match the rules. |
PRJ-44381, |
Application Control |
A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability. |
PRJ-44178, |
IPS |
In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic. |
PRJ-42712, |
IPS |
In a rare scenario, the Security Gateway may crash during an IPS package update. |
PRJ-47646 |
IPS |
In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
PRJ-43581, |
DLP |
A memory leak may occur in the DLPU process. |
PRJ-45753, |
Anti-Virus |
The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries. |
PRJ-46775, |
Anti-Virus |
The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026. |
PRJ-47262, |
SSL Inspection |
The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak. |
PRJ-45192, |
Mobile Access |
In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail. |
PRJ-44289, |
Mobile Access |
Some web applications which use PT or UT link translation methods may have issues after a browser upgrade. |
PRJ-46400, |
Mobile Access |
Sending emails with attachments via Capsule Workspace may fail on iOS. |
PRJ-45347, |
ClusterXL |
After an upgrade, cluster members may frequently crash, causing instability in the environment. |
PRJ-46503, |
ClusterXL |
Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969. |
PRJ-44453, |
ClusterXL |
After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops. |
PRJ-44872, |
SecureXL |
Traffic may be dropped and the FWACCEL core file is generated. |
PRJ-44675, |
SecureXL |
After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped. |
PRJ-44703, |
Routing |
Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table. |
PRJ-42186, |
Routing |
Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear. |
PRJ-44922, |
Routing |
When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode. |
PRJ-45377, |
Routing |
A VRRP/VRRP6 interface may go into Master/Master state. |
PRJ-44938, |
Routing |
After an update, multicast traffic may be dropped. |
PRJ-44707, |
Routing |
An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface. |
PRJ-41115, |
Routing |
There may be high CPU utilization and slow recovery of the ROUTED process after a failover. |
PRJ-41111, |
Routing |
It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time. |
PRJ-43408, |
Routing |
The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM). |
PRJ-41329, |
Routing |
The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down. |
PRJ-44257, |
Routing |
The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0". |
PRJ-45182, |
Routing |
Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669. |
PRJ-46126, |
Routing |
The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths. |
PRJ-46356, |
Routing |
Routes marked as "stale" may be redistributed via BGP during graceful restart. |
PRJ-45831, |
Routing |
The ROUTED daemon may unexpectedly exit because of multi-threading issues. |
PRJ-45917, |
VPN |
The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation. |
PRJ-46292, |
VPN |
Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429. |
PRJ-40282, PRJ-43711, |
VPN |
Refer to sk180530. |
PRJ-44827, PRJ-44989, PRJ-46300, PRHF-28849 |
VPN |
|
PRJ-24873, |
VPN |
VPN endpoint users fail to login with ECDSA certificate. |
PRJ-40911, |
VPN |
The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client. |
PRJ-44665, |
VPN |
When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output. |
PRJ-43297, PRJ-43593, |
VPN |
Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651. |
PRJ-44087, |
VSX |
Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect. |
PRJ-45003, |
VSX |
A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command. |
PRJ-45399, |
VSX |
Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs. |
PRJ-45143, |
VSX |
Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster. |
PRJ-44743, |
VSX |
Virtual System's interfaces may be missing when running the Clish command "show/save configuration". |
PRJ-44120, |
VSX |
Changing the main IP address of a Virtual Router may cause the FWM process to exit. |
PRJ-44368, |
Gaia OS |
SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status. |
PRJ-45861, |
Gaia OS |
Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error. |
PRJ-40032, |
Gaia OS |
When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed. |
PRJ-44236, |
Gaia OS |
The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added. |
PRJ-41907, |
Gaia OS |
Gaia WebUI logs are printed with "info" severity. |
PRJ-45563, ACCHA-2110 |
Gaia OS |
The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728. |
PRJ-45538, |
CloudGuard Network |
AWS Data Center mapping fails when an interface subnet is missing from the list of subnets. |
PRJ-45790, |
CloudGuard Network |
Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries. |
PRJ-44476, |
CloudGuard Network |
Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started. |
PRJ-44345, |
CloudGuard Network |
The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381. |
PRJ-46473, |
VoIP |
SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file. |
PRJ-44612, |
VoIP |
In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue. |
PRJ-32397, PRJ-43515, |
VoIP |
After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-42615, |
Scalable Platforms |
The FW process may unexpectedly exit, producing a core dump file. |
Take 197 Released on 27 April 2023 and declared as Recommended on 3 May 2023 |
||
PRJ-46037 |
ClusterXL |
Cluster VIP IPv6 address configuration is not applied on cluster members causing IPv6 traffic outage. Refer to sk180902. |
Take 196 Released on 6 March 2023 and declared as Recommended on 18 April 2023 |
||
PRJ-42183, |
IPS |
NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content. |
PRJ-43893, |
Security Gateway |
NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43805, |
Application Control, URL Filtering |
NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-44253, |
Threat Extraction |
NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43908, |
SmartView |
NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-36633, |
Security Management |
UPDATE: Added an option to configure the maximum number of IPS SNORT rules. These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config (for MDS - additionally in the $MDS_FWDIR/conf/malware_config file): "[IPS] snort_convertor_max_rules_per_update=<value> snort_convertor_total_rules_num_limit=<value>". Refer to sk136515. |
PRJ-42304, |
Security Management |
UPDATE: Improved the "Purge revisions" operation to reduce the size of the database. |
PRJ-34958, |
CPView |
UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878. |
PRJ-41199, |
Security Gateway |
UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).
|
PRJ-44557, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436. |
PRJ-42656, |
IPS |
UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections. |
PRJ-42258, |
Threat Prevention |
UPDATE: Reduced loading time of big external Custom Intelligence Feeds. |
PRJ-43611, |
Gaia OS |
UPDATE: Gaia Cloning Groups will now use the highest TLS version available. |
PRJ-41933, |
VoIP |
UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection. |
PRJ-42402, |
VSX |
UPDATE: Added more logs related to Pushing VSX Configuration.
. |
PRJ-43027, |
CloudGuard Network |
UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher. |
PRJ-42148, |
CloudGuard Network |
UPDATE: Improved performance of pushing Data Center Objects changes to Security Gateways. |
PRJ-41844, |
CloudGuard Network |
UPDATE: Improved handling of NSX-T API responses. |
PRJ-43051, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions. |
PRJ-43402, |
Diagnostics |
Skyline may not show any information. Refer to sk180748. |
PRJ-40538, |
Diagnostics |
The cpview -s export operations may fail on VS0 when cpview_services are running. |
PRJ-43901, |
Security Management |
On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448. |
PRJ-42242, |
Security Management |
Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER. |
PRJ-38356, |
Security Management |
After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results". |
PRJ-40221, |
Security Management |
In a large environment, High Availability synchronization for the Global Domain may fail with the "Global domain is busy syncing, please check sync status" error. |
PRJ-41539, |
Security Management |
The FWK process may unexpectedly exit during Threat Prevention policy installation. |
PRJ-41669, |
Security Management |
When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue. |
PRJ-42857, |
Security Management |
After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole. |
PRJ-40424, |
Security Management |
In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error. |
PRJ-23720, |
Security Management |
Policy with a large number of AD users may fail with timeout or take a long time to be installed. |
PRJ-42103, |
Security Management |
In a Multi-Domain environment, the HitCount retention mechanism may prematurely remove the HitCount data. |
PRJ-39390, |
Security Management |
In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred". |
PRJ-40821, |
Security Management |
Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks |
PRJ-41926, |
Security Management |
After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294. |
PRJ-44023, |
Security Management |
When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message. |
PRJ-42408, |
Security Management |
Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error. |
PRJ-41760, |
Security Management |
In some scenarios, the CME process fails to start. |
PRJ-41890, |
Security Management |
High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server. |
PRJ-43092, |
Security Management |
After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails. |
PRJ-39744, |
Security Management |
Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure. |
PRJ-42847, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, traffic may not match rules with custom applications. |
PRJ-42047, |
Multi-Domain Security Management |
In rare scenarios in a Multi-Domain Security Management environment:
|
PRJ-42282, |
CPView |
CPView may not show some interfaces. |
PRJ-42082, |
CPView |
A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops. |
PRJ-43587, |
CPView |
In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart. |
PRJ-41353, |
Logging |
In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic. |
PRJ-37498, |
Logging |
The "epoll is enabled" warning is incorrectly displayed during policy installation. |
PRJ-42412, |
Logging |
When LEA spawning is turned off (sk91343), the FWD process may run out of memory. |
PRJ-43391, |
Logging |
When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects. |
PRJ-32808, |
Logging |
The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803. |
PRJ-41493, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-41016, |
Security Gateway |
When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead. |
PRJ-42705, |
Security Gateway |
DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list. |
PRJ-39925, |
Security Gateway |
When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files. |
PRJ-43495, |
Security Gateway |
Policy installation may fail with an "Error 0-2000080" message because of memory allocation issues. |
PRJ-43009, |
Security Gateway |
When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted. |
PRJ-42294, |
Security Gateway |
When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command. |
PRJ-43837, |
Security Gateway |
The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation. |
PRJ-43884, |
Security Gateway |
In rare scenarios, the FWD process is stuck during policy installation. |
PRJ-43552, |
Security Gateway |
Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled. |
PRJ-42755, |
Security Gateway |
The Security Gateway may crash because of an issue in the FILEAPP (File Application) module. |
PRJ-41632, |
Security Gateway |
Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop. |
PRJ-42942, |
Security Gateway |
When Anti-Spoofing is enabled, the Security Gateway may crash. |
PRJ-36008, |
Security Gateway |
The Security Gateway may frequently crash with vmcore files, recording invalid context. |
PRJ-43703, |
Security Gateway |
The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs). |
PRJ-39606, |
Security Gateway |
The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages. |
PRJ-38807, |
Security Gateway |
In a rare scenario, when QoS is enabled, the Security Gateway may crash. |
PRJ-39799, |
Security Gateway |
After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash. |
PRJ-42086, |
Security Gateway |
The "fw monitor" command output may contain "no packets left to merge" messages. |
PRJ-40318, |
Security Gateway |
In rare scenarios, the FWK process can unexpectedly exit and cause an outage. |
PRJ-43345, |
Security Gateway |
A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data. |
PRJ-40233, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-39573, |
Security Gateway |
The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active. |
PRJ-41862, |
Security Gateway |
After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). |
PRJ-39966, |
Security Gateway |
The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs. |
PRJ-40107, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL. |
PRJ-41578, |
Security Gateway |
In some scenarios, the CPD process may unexpectedly exit. |
PRJ-43125, |
Security Gateway |
Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption. |
PRJ-42901, |
Internal CA |
The certificate in SmartConsole is shown as valid, although it is expired. |
PRJ-41434, |
Internal CA |
When managing cloud Gateways, the FWM process memory usage may increase. |
PRJ-42284, |
Threat Prevention |
The "ioc_feeds set interval -r" command may fail. |
PRJ-41596, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value. |
PRJ-41487, |
Threat Prevention |
Loading of Custom Intelligence Feeds with authentication may fail. |
PRJ-38720, |
Threat Prevention |
File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled. |
PRJ-38663, |
Threat Prevention |
The DLPU process may unexpectedly exit with a core dump file. |
PRJ-32736, |
Threat Prevention |
After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml. |
PRJ-37565, |
Threat Prevention |
When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue. |
PRJ-42436, |
Threat Prevention |
Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file. |
PRJ-41382, |
Threat Prevention |
External IoC feeds may fail with "General Error". And in the feeder.elg there are many "Failed to load signatures" messages. |
PRJ-41122, PRHF-24693 |
Threat Prevention |
In a rare scenario, the mal_conns table may consume a large amount of memory. |
PRJ-40470, |
Threat Prevention |
If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible. |
PRJ-42342, |
Identity Awareness |
During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659. |
PRJ-33063, |
Identity Awareness |
In a rare scenario, a wrong access role may be assigned to a user. |
PRJ-42931, |
Identity Awareness |
The PDPD process may cause CPU spikes during cluster failover. |
PRJ-42337 |
Identity Awareness |
In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing. |
PRJ-41818, |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification. |
PRJ-42997, |
Identity Awareness |
In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side. |
PRJ-42504, |
Application Control |
In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher. |
PRJ-41219, |
Application Control |
The RAD process may freeze when an error occurs and an error event is initialized. |
PRJ-43501, |
Application Control |
Policy installation may fail with an "Error 0-200184" message because of memory allocation issues. |
PRJ-41653, |
IPS |
Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps. |
PRJ-42589, |
IPS |
The Security Gateway may crash during policy installation because of a memory allocation problem. |
PRJ-41376, |
IPS |
When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation. |
PRJ-35484, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290. |
PRJ-41214, |
Anti-Virus |
In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash. |
PRJ-43179, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and create core dump files. |
PRJ-43889, |
SSL Inspection |
In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473. |
PRJ-41411, |
Mobile Access |
Access to a web application that uses WebSocket protocol may not be possible. |
PRJ-42466, |
Mobile Access |
When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue. |
PRJ-41257, |
Mobile Access |
Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled. |
PRJ-42462, |
ClusterXL |
Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled. |
PRJ-43114, |
ClusterXL |
The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces. |
PRJ-37149, |
ClusterXL |
In an Active/Active cluster, a member may reboot because of a memory corruption issue. |
PRJ-43001, |
ClusterXL |
Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292. |
PRJ-44166, |
ClusterXL |
When handling HTTP/2 traffic, cluster members may crash, generating vmcores. |
PRJ-29666, |
SecureXL |
When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored. |
PRJ-42573, |
SecureXL |
Multicast traffic may get dropped, and no logs are generated. |
PRJ-42443, |
SecureXL |
The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364. |
PRJ-42894, |
SecureXL |
SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router. |
PRJ-44129, |
SecureXL |
IPv6 template is not created when the connection is NATed. |
PRJ-43981, |
SecureXL |
In a rare scenario, a CPAQ message sent during policy push does not have critical and can be dropped when the Security Gateway is busy. |
PRJ-43920, |
Routing |
Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost. |
PRJ-43054, |
Routing |
The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486. |
PRJ-44946, |
VPN |
When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664. |
PRJ-42877, |
VPN |
When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281. |
PRJ-42559, |
VPN |
When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty. |
PRJ-42651, |
VPN |
Stability issues of the VPND and IKED processes. |
PRJ-41048, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-42727, |
VPN |
In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue. |
PRJ-40726, |
VPN |
In some scenarios, when NAT is configured, VoIP traffic is dropped. |
PRJ-39169, |
VPN |
Remote Access Client may fail to connect when using machine certificate authentication. |
PRJ-38165, |
VPN |
Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592. |
PRJ-44012, |
VSX |
In VSX, after adding instances to a Virtual System (VS), their state may be inactive. |
PRJ-13984, |
VSX |
In large environments, the "vsx_util reconfigure" procedure and booting may take a long time . |
PRJ-43354, |
VSX |
The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324. |
PRJ-41695, |
VSX |
The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database. |
PRJ-42881, |
VSX |
In VSX, if Dynamic Balancing was manually disabled on R80.40, after an upgrade from R80.40 to R81.20, it automatically gets enabled. |
PRJ-42252, |
Gaia OS |
Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error. |
PRJ-42622, |
Gaia OS |
SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command. |
PRJ-43649, |
Gaia OS |
When setting password hash on cloning group members, some members may not get updated. |
PRJ-42960, |
Gaia OS |
IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309. |
PRJ-44161, PRJ-43959 |
Gaia OS |
When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail. |
PRJ-42524, |
Gaia OS |
Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181. |
PRJ-43430, |
Gaia OS |
In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit. |
PRJ-41407, |
Gaia OS |
When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed. |
PRJ-34370, |
Gaia OS |
After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups. |
PRJ-42218, |
Gaia OS |
Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI. |
PRJ-43023, |
Gaia OS |
The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198. |
PRJ-43561, |
Gaia OS |
When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server. |
PRJ-40691, |
Harmony Endpoint |
When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit. |
PRJ-43257, |
CloudGuard Network |
Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object. |
PRJ-43395, |
CloudGuard Network |
VPN Cluster stability issue when the peer is an Azure Security Gateway. |
PRJ-43575, |
CloudGuard Network |
When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails. |
PRJ-42008, |
CloudGuard Network |
When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway. |
PRJ-42113, |
CloudGuard Network |
AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC). |
PRJ-42853, |
CloudGuard Network |
A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings. |
PRJ-43066, |
CloudGuard Network |
Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data. |
PRJ-43075, |
VoIP |
While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption. |
PRJ-42698, |
VoIP |
In some scenarios, when using static NAT, VoIP traffic may be affected. |
PRJ-39600, |
Scalable Platforms |
The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages. |
PRJ-39188, |
Scalable Platforms |
When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID. |
Take 192 Released on 28 December 2022 and declared as Recommended on 26 February 2023 |
||
PRJ-43369, |
Threat Emulation |
In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe". |
PRJ-43270, |
Gaia OS |
After an upgrade, the RADIUS Server is unavailable and authentication fails. |
Take 190 Released on 13 November 2022 |
||
PRJ-38346, |
Diagnostics |
The CPVIEWD process may cause CPU spikes. |
PRJ-38114, |
Security Management |
UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Server with the Active Global Domain, where the operation is triggered from. |
PRJ-22559, |
Security Management |
UPDATE: Improved the "Assign Global Policy" action time by approximately 50%. |
PRJ-41344, |
Internal CA |
UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591. |
PRJ-33894, |
Security Management |
Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled. |
PRJ-40056, |
Security Management |
An Application Control and URL Filtering update may still occur even if the latest version is already installed. |
PRJ-40168, |
Security Management |
A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours. |
PRJ-41554, |
Security Management |
After an Application Control update, policy installation may fail. |
PRJ-39221, |
Security Management |
An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain". |
PRJ-40719, |
Security Management |
Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object. |
PRJ-40808, |
Security Management |
SmartConsole may unexpectedly disconnect. |
PRJ-40849, |
Security Management |
The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command. |
PRJ-40545, |
Security Management |
After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors. |
PRJ-39536, |
Security Management |
An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587. |
PRJ-41069, |
Security Management |
Global Policy reassignment fails with "An internal error has occurred". The issue occurs when a Global rule, Rule Base, or section was created, moved, and then deleted without running a reassignment in between. |
PRJ-41974, |
Security Management |
The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119. |
PRJ-37830, |
Security Management |
"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain. |
PRJ-41290, |
Security Management |
Access Policy installation may fail with the "Internal error occurred during the verification process" error. |
PRJ-34152, |
Security Management |
Packet mode search in HTTPS Inspection policy may not work. |
PRJ-34735, |
Security Management |
When running the "show access-rule" Management API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells. |
PRJ-40732, |
Security Management |
In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message. |
PRJ-39716, |
Security Management |
It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown. |
PRJ-37309, |
Security Management |
SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Management Server to the Security Management Server. |
PRJ-41125, |
SmartConsole |
Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate. |
PRJ-41020, |
CPView |
NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566. |
PRJ-38054, |
Logging |
UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message. |
PRJ-40142, |
Logging |
Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses. |
PRJ-40490, |
Logging |
In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format. |
PRJ-37704, |
Logging |
It may not be possible to filter the "Subscriber" field in SmartLog. |
PRJ-38050, |
Logging |
Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog. |
PRJ-42090, |
Logging |
Export to CSV in SmartView may be stuck in the "running" status. |
PRJ-35878, |
Logging |
Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), they may stop coming to the Log Server after several initial logs. |
PRJ-28110, |
Logging |
Logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server. |
PRJ-37296, |
Logging |
When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed. |
PRJ-21481, |
Logging |
The LOG_INDEXER process on the SmartEvent Server may unexpectedly exit, generating a core dump file, if the Log Server used by the correlation unit is deleted. |
PRJ-41095, |
Logging |
In rare scenarios, the LOG_INDEXER process may unexpectedly exit, and there is no access to the logs. Refer to sk172915. |
PRJ-41101, |
Logging |
When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name. |
PRJ-41192, |
Logging |
It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only. |
PRJ-32205, |
Logging |
The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records. |
PRJ-41358, |
Logging |
Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully. |
PRJ-40096, |
Security Gateway |
UPDATE:
|
PRJ-38142, |
Security Gateway |
UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1. |
PRJ-32779, |
Security Gateway |
UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL. |
PRJ-34903 |
Security Gateway |
A kernel crash may occur during system shutdown when PIM is enabled. |
PRJ-39330, |
Security Gateway |
After an upgrade, Access Control policy installation may fail with an "Update process is already running" message. |
PRJ-41622, |
Security Gateway |
When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672. |
PRJ-35108, |
Security Gateway |
There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling". |
PRJ-41414, |
Security Gateway |
The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs. |
PRJ-40915, |
Security Gateway |
The Security Gateway may crash because of memory corruption, and the following error appears in the /var/log/message file: "[xxxx] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>". |
PRJ-39578, |
Security Gateway |
In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash. |
PRJ-40457, |
Security Gateway |
In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway. |
PRJ-24590, |
Security Gateway |
It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE" |
PRJ-41028, |
Security Gateway |
Topology auto update may fail because of a too long interface name. |
PRJ-41031, |
Security Gateway |
The Security Gateway may run out of memory when retrieving topology. |
PRJ-38551, |
Security Gateway |
After an upgrade, Anti-Virus Blade may cause increased memory consumption. |
PRJ-36865, |
Security Gateway |
After an upgrade, VSX cluster may have frequent failovers. |
PRJ-40934, |
Security Gateway |
In a rare scenario, the Security Gateway may have a memory allocation issue. |
PRJ-34887, |
Threat Prevention |
When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated. |
PRJ-40346, |
Threat Prevention |
The Custom Intelligence Feeds feature may stop enforcing traffic after Threat Prevention policy installation. |
PRJ-40444, |
Threat Prevention |
Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577. |
PRJ-40436, |
Threat Prevention |
A kernel memory leak may occur during deep file inspection. |
PRJ-40972, |
Threat Prevention |
Threat Prevention policy installation may fail with a "Connection aborted by Peer" message. |
PRJ-41275, |
Threat Prevention |
Adding hash indicators may cause policy installation to fail with a warning message. |
PRJ-38488, |
Threat Prevention |
In a rare scenario, the mal_conns table may consume a large amount of memory. |
PRJ-41310, |
Threat Extraction |
In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe". |
PRJ-38541, |
Identity Awareness |
The PDPD daemon may frequently exit during the user authentication flow. |
PRJ-34569, |
Identity Awareness |
SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query. |
PRJ-31973, |
Identity Awareness |
Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot. |
PRJ-36507, |
Identity Awareness |
The CPU utilization of the PDP daemon may be high during a specific authentication flow. |
PRJ-39751, |
Anti-Virus |
The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked. |
PRJ-38814, |
URL Filtering |
When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason. |
PRJ-33293, |
Anti-Virus |
Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag". |
PRJ-40831, |
Mobile Access |
After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail. |
PRJ-38458, |
Mobile Access |
In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance". |
PRJ-32967, |
Mobile Access |
Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244. |
PRJ-35509, |
ClusterXL |
UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers. |
PRJ-40743, |
ClusterXL |
The cphaprob show_bond command does not show newly added subordinates from Virtual Systems (VSs). |
PRJ-36732, |
ClusterXL |
In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage. |
PRJ-39182, |
ClusterXL |
In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory. |
PRJ-39737, |
SecureXL |
There may be high CPU or/and latency in CIFS/SMB connections. |
PRJ-41480, |
SecureXL |
After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops". |
PRJ-41765, |
SecureXL |
The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP. |
PRJ-39756, |
SecureXL |
SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios. |
PRJ-41706, |
Routing |
The ROUTED process may unexpectedly exit when the route does not have the next hop. |
PRJ-36889, |
VPN |
UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on. |
PRJ-41239, |
VPN, Multi-Portal |
UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434. |
PRJ-40868, |
VPN |
Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage. |
PRJ-40553, |
VPN |
When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources. |
PRJ-36709, |
VPN |
Improved Site-to-Site VPN stability. |
PRJ-41807, |
VPN |
When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels. |
PRJ-40858, |
VPN |
The VPND process may unexpectedly exit. |
PRJ-39892, |
VSX |
UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode. |
PRJ-38514, |
VSX |
SecureXL may not let HTTPS traffic pass through a Virtual Router (VR). |
PRJ-42214, |
VSX |
In some scenarios, the vsx_provisioning_tool fails to delete an interface and claims that it has already been freed.. |
PRJ-39766, |
VSX |
Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command. |
PRJ-39710, |
VSX |
When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway. |
PRJ-39886, |
VSX |
Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481. |
PRJ-40797, |
VSX |
Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output. |
PRJ-41361, |
VSX |
A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation. |
PRJ-42178, |
VSX |
Pushing a VSX configuration to a virtual device may fail. |
PRJ-40411, PRJ-42484, ODU-611 |
Gaia OS |
UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653. |
PRJ-40991, |
Gaia OS |
When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted. |
PRJ-41684, |
Gaia OS |
In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function. |
PRJ-41611, |
Gaia OS |
Information about scheduled backup failure is now displayed in Clish, WebUI and in the error message inside the log file. |
PRJ-40476, |
Gaia OS |
The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS). |
PRJ-28332, |
Harmony Endpoint |
UPDATE: Client Uninstall Remote Help is now Device-based. User Logon name is not needed anymore. |
PRJ-41369, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region. |
PRJ-41733, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region. |
PRJ-40842, |
CloudGuard Network |
Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS). |
PRJ-40838, |
CloudGuard Network |
Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways. |
PRJ-41461, |
CloudGuard Network |
Import of OpenStack Data Center CloudGuard Network objects may fail. |
PRJ-41711, ODU-603 |
Smart-1 Cloud |
Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-41142, |
Smart-1 Cloud |
Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-41746, |
Public Cloud CA Bundle |
Added Take 19 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-19383, |
VoIP |
In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651. |
PRJ-40671, |
HCP |
Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 180 Released on 20 September 2022 and declared as Recommended on 30 October 2022 |
||
PRJ-41081, |
Security Management |
UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down. |
PRJ-36205, |
Security Management |
Migration from the Management Server to the Domain Server may get stuck for 6-7 hours and then fail. |
PRJ-38216, |
Security Management |
If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status. |
PRJ-38453, |
Security Management |
High Availability synchronization may fail with the "Failed to update shared licenses" error. |
PRJ-34237, |
Security Management |
Migration of the Security Management Server to the Multi-Domain Management Server may fail. |
PRJ-38179, |
Security Management |
Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration. |
PRJ-37910, |
Security Management |
The flag "--method" for a CME command is not supported in SmartConsole Command Line. |
PRJ-39208, |
Security Management |
The output of the "show opsec-application" API command may not show the host object name or UID. |
PRJ-33920, |
Security Management |
Some unused sessions may remain open in the system, consuming memory and CPU. |
PRJ-41096, |
Security Management |
The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot. |
PRJ-38787, |
Security Management |
Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524. |
PRJ-39487, |
Multi-Domain Management |
In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect. |
PRJ-38123, PRHF-23066 |
Multi-Domain Management |
Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message. |
PRJ-40611, |
Compliance |
In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it. |
PRJ-36190, |
Logging |
UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT. |
PRJ-36019, |
Logging |
In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches. |
PRJ-39588, |
Logging |
The FWD process may unexpectedly exit and create core dump files. |
PRJ-30963, EPS-562 |
Logging |
In some scenarios, the Forensics report fails to open from Harmony Endpoint logs. |
PRJ-36475, |
Logging |
In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713. |
PRJ-40356, |
Logging |
In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596. |
PRJ-34678, |
Security Gateway |
UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215. |
PRJ-40509, |
Security Gateway |
UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750). |
PRJ-38912 |
Security Gateway |
When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency. |
PRJ-34402, |
Security Gateway |
Deleting IP addresses in the SAM Database may fail. |
PRJ-40253, |
Security Gateway |
There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server. |
PRJ-34170, |
Security Gateway |
After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash. |
PRJ-41454, |
Security Gateway |
During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency. |
PRJ-40861, |
Security Gateway |
Improved the recovery mechanism for Dynamic Balancing. |
PRJ-39518, |
Security Gateway |
Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886. |
PRJ-40791, |
Security Gateway |
Enhanced connectivity during HTTP2 Inspection. |
PRJ-40014, |
Security Gateway |
The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP). |
PRJ-38589, PMTR-79658 |
Security Gateway |
In a cluster environment, an ICAP implied rule may not be enforced after policy installation. |
PRJ-27777, PMTR-70632 |
Security Gateway |
The RAD daemon may fail and create core dump files on VSX Gateways. |
PRJ-39987, |
Threat Prevention |
UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time. |
PRJ-40431, |
Threat Prevention |
UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output. |
PRJ-29734, |
Threat Prevention |
SCP connections may get terminated with a protocol error. |
PRJ-39160, |
Identity Awareness |
The Nested Groups Depth value changed in CLI may not survive a reboot. |
PRJ-39830, |
Identity Awareness |
Removed unnecessary debug messages in the Identity revocation flow. |
PRJ-35834, PMTR-71684 |
Identity Awareness |
Memory consumption may increase after policy installation when Secure ID is configured. |
PRJ-36383, |
Application Control |
Refer to sk178406. |
PRJ-29434, PRJ-37279, |
URL Filtering |
When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly. |
PRJ-30744, |
IPS |
Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization. |
PRJ-37725, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290. |
PRJ-39150, |
Anti-Bot |
|
PRJ-40259, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification. |
PRJ-34072, |
Mobile Access |
Manual Web Form Single Sign-On (SSO) may fail when passwords contain special characters. |
PRJ-38434, PMTR-82133 |
Mobile Access |
When installing a specific hotfix, the CVPND process may unexpectedly exit. |
PRJ-39957, |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade, there may be state flapping when using the sync interface MAC address bit "02". |
PRJ-39838, |
ClusterXL |
When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member. |
PRJ-40199, |
ClusterXL |
In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members. |
PRJ-37942, |
ClusterXL |
In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446. |
PRJ-37630, |
SecureXL |
UPDATE: The MSS value in the SYN Cookie response can now be configured. |
PRJ-39072, |
SecureXL |
UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960. |
PRJ-36857, |
SecureXL |
Policy installation may cause cluster failover and impact the traffic flowing through the cluster. |
PRJ-40218, |
SecureXL |
In a rare scenario, ipsctl kernel module does not load at startup. |
PRJ-40293, PMTR-81618 |
SecureXL |
A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode. |
PRJ-40746, |
Routing |
The ROUTED process may unexpectedly exit when querying BGP data. |
PRJ-40090, PMTR-84418 |
Routing |
When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file. |
PRJ-40843, |
VPN |
UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271. |
PRJ-40752, |
VPN |
Resolved the “HTTP Response splitting” vulnerability in Security Gateway portals. Refer to sk179705. |
PRJ-40662, |
VPN |
There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled Multi-Queue. |
PRJ-38632, |
VPN |
Connection to Endpoint Security Client from the Remote Access VPN may be lost when the VPN tunnel timeout is reached. Refer to sk178891. |
PRJ-40384, |
VPN |
The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart. |
PRJ-40581, |
VPN |
Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled. |
PRJ-37783, |
VPN |
In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121. |
PRJ-39980, |
VSX |
The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591. |
PRJ-40071, |
VSX |
A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586. |
PRJ-40249, |
VSX |
In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash. |
PRJ-34321, |
VSX |
The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command. |
PRJ-40702, |
VSX |
A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member". |
PRJ-34094, |
VSX |
When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown. |
PRJ-40359, |
VSX |
Improved packet rate performance on warp interfaces. |
PRJ-24565, PRHF-16407 |
Gaia OS |
UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10. |
PRJ-40767, |
Gaia OS |
IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file. |
PRJ-40026, |
Gaia OS |
A user locked by the deny-on-nonuse mechanism cannot get unlocked. |
PRJ-40364, |
Gaia OS |
Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579. |
PRJ-40669, |
HCP |
Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 173 Released on 31 August 2022 and declared as Recommended on 13 September 2022 |
||
PRJ-41444, |
Threat Prevention |
In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)". |
Take 172 Released on 25 July 2022 |
||
PRJ-38150, |
Security Management |
UPDATE: Improved Access Policy installation time. |
PRJ-34852, |
Security Management |
UPDATE: Added validation to the Custom Application/Site object to prevent configuring invalid URLs that cause Access policy installation failure. Refer to sk175187. |
PRJ-36848, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect session handling. |
PRJ-37708, |
Security Management |
Install Policy preset fails if the Threat Prevention policy was uninstalled. |
PRJ-36919, |
Security Management |
When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway. |
PRJ-37634, |
Security Management |
After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted. |
PRJ-37863, |
Security Management |
Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy. |
PRJ-37522, |
Security Management |
Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server. |
PRJ-37503, |
Security Management |
In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message. |
PRJ-37198, |
Security Management |
The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054. |
PRJ-35654, |
Security Management |
The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment. |
PRJ-37762, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-35601, |
Security Management |
An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode. |
PRJ-37508, |
Security Management |
Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag. |
PRJ-35604, PRHF-21981 |
Security Management |
In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab. |
PRJ-38063, |
Security Management |
When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully. |
PRJ-38147, |
Security Management |
Cloud Shadow Objects verification may take several minutes. |
PRJ-38119, |
Security Management |
Policy installation may fail with "an internal error" if some objects are pointed to by an old deleted policy. Refer to sk122954. |
PRJ-39470, |
Security Management |
Management HA synchronization may fail with the "NGM failed to import data" error. |
PRJ-37885, |
Security Management |
Editing an object may fail with the "Could not access file for write operation" error. |
PRJ-38399, |
Security Management |
An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue. |
PRJ-35059, |
Security Management |
Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224. |
PRJ-38740, PRHF-23467 |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit and create a core dump. |
PRJ-37987, PRHF-22589 |
SmartConsole |
After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated. |
PRJ-37101, |
Logging |
UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125. |
PRJ-33815, |
Logging |
The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position. |
PRJ-36514, |
Logging |
In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy. |
PRJ-36026, |
Logging |
In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly. |
PRJ-36461, |
Logging |
When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start. |
PRJ-39295, |
Logging |
An error may occur when changing default Time Frame while the SmartView language is not English. |
PRJ-39678, |
Logging |
When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) may display a non-ASCII character ("ן»¿"), and the time may be split into two cells. |
PRJ-39675, |
Logging |
A CSV file exported from SmartView may contain duplicated lines of headers. |
PRJ-36654, |
Security Gateway |
NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled. Refer to sk105740. |
PRJ-38688, |
Security Gateway |
UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE). |
PRJ-39666, PRHF-23392 |
Security Gateway |
It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672. |
PRJ-39684, |
Security Gateway |
An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump. |
PRJ-34622, |
Security Gateway |
When running the "show_configuration" command in CLISH, static routes are shown twice. |
PRJ-33698, |
Security Gateway |
In some scenarios, file download may fail with the "Connection queue exceeded max size" error. |
PRJ-37011, |
Security Gateway |
Multiqueue Clish "show" commands may fail in a Management Data Plane Separation (MDPS) environment. |
PRJ-37608, |
Security Gateway |
When using the DAIP Gateway object in the Access Rulebase, debug error "fwdnd_log_info_lookup failed" may appear in the fwk.elglog, if the relevant rule has log track. Refer to sk178670. |
PRJ-33858, |
Security Gateway |
In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down. |
PRJ-36119, |
Security Gateway |
In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect. |
PRJ-33929, |
Security Gateway |
Cluster failover may trigger the FWK process to exit, with no traffic impact. |
PRJ-31030, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade. |
PRJ-27915, PRJ-40137, |
Security Gateway |
When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings" and Precise Error "Connection queue exceeded max size". Refer to sk169995. |
PRJ-39861, PRHF-23952 |
Security Gateway |
After renewing an Internal Certificate Authority (ICA) certificate, policy installation on Virtual Systems may fail with "Internal SSL authentication SSL error (Unknown)". |
PRJ-37951, |
Security Gateway |
There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs. |
PRJ-38075, |
Security Gateway |
The Security Gateway may crash with a vmcore. |
PRJ-40998, PRJ-40954 |
Security Gateway |
In a VSX environment, SNMP queries to OSPF OIDs may fail. |
PRJ-39322, |
Threat Prevention |
Improved memory consumption by decreasing the size of the mal_conns table. |
PRJ-40610, |
Threat Prevention |
IPS entries of AMW_report.xml may be missing for a Security Gateway onboarded to Infinity SOC. |
PRJ-36292, |
Threat Prevention |
A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file. |
PRJ-38683, |
Threat Prevention |
In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout. |
PRJ-36567, |
Internal CA |
UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096. |
PRJ-37978, |
IPS |
In very rare scenarios, a traffic outage may occur. |
PRJ-39062, PRHF-12660 |
IPS |
In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports. |
PRJ-36520, |
IPS |
Improved detection in some IPS protections. |
PRJ-36433, |
IPS |
When ClusterXL is configured, a file may pass without inspection during a failover. |
PRJ-35291, |
Mobile Access |
In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash. |
PRJ-38434, |
Mobile Access |
When installing a specific hotfix, the CVPND process may unexpectedly exit. |
PRJ-34869, |
ClusterXL |
UPDATE: Added support for the "Same VMAC" feature. |
PRJ-35984, |
ClusterXL |
UPDATE: It is now possible to edit minimal number of required subordinate interfaces for Bond Load Sharing via Clish. The new Clish command is "set interface <interface_name> links <value>". |
PRJ-37881, PMTR-81375 |
ClusterXL |
Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size. |
PRJ-37434, |
ClusterXL |
There may be connectivity issues for multicast traffic in PIM Sparse Mode. |
PRJ-36176, |
ClusterXL |
In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby. |
PRJ-36614, |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510. |
PRJ-36602, |
ClusterXL |
Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade. |
PRJ-35227, |
ClusterXL |
In an Active/Active cluster, potential FTP data connection interruption may occur during failover. |
PRJ-37488, |
ClusterXL |
In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state. |
PRJ-37813, PRJ-37001 |
SecureXL |
NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603. |
PRJ-38593, |
SecureXL |
UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds. |
PRJ-39008, PRHF-22881 |
SecureXL |
SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped. |
PRJ-39002, PRHF-23644 |
SecureXL |
SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop. |
PRJ-39112, |
CoreXL |
CoreXL instances of SND type may appear in CPView as "OTHER" and not as "CoreXL_SND". |
PRJ-38501, |
CoreXL |
An Active member in a cluster may make a full reboot during policy installation. |
PRJ-38558, |
Routing |
UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. Refer to sk178484. |
PRJ-36938, |
Routing |
In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF. |
PRJ-37939, |
VPN |
NEW: KAT tests for IKE and TLS are now validated for FIPS certification. |
PRJ-37547, |
VPN |
In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536. |
PRJ-32679, |
VPN |
An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage. |
PRJ-37554, |
VPN |
An outage may occur when using IKEv2. |
PRJ-37773, |
VPN |
Capsule Connect (IPSec VPN) may fail to re-authenticate. |
PRJ-36436, |
VPN |
Machine Authentication stability improvements for Remote Access Endpoint Clients. |
PRJ-34765, PRHF-21568 |
VPN |
When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file. |
PRJ-36449, |
VSX |
UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole. |
PRJ-29582, |
VSX |
UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW). |
PRJ-35277, |
VSX |
In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation. |
PRJ-28545, |
VSX |
Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344. |
PRJ-33314, |
VSX |
The FWM process may unexpectedly exit after using the VSX Provisioning tool. |
PRJ-32476, |
VSX |
When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction. |
PRJ-36132, |
VSX |
A member may fail to pull configuration from the SMO on startup. |
PRJ-32705, |
VSX |
After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS. |
PRJ-32406, |
VSX |
The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860. |
PRJ-38827, PMTR-82551 |
VSX |
The FWK process of Virtual Switch (VSW) may consume a high CPU. |
PRJ-38407, PMTR-73704 |
VSX |
When creating a virtual system, the "Failed to create Virtual System directories" error is displayed. |
PRJ-33040, PMTR-69098 |
VSX |
In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby. |
PRJ-38792, PMTR-82492 |
VSX |
In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt. |
PRJ-38009, |
VSX |
"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg. |
PRJ-10543, |
VSX |
Running the "brctl_show" command in a non-VS0 context may give VS0 results. |
PRJ-27470, |
Gaia OS |
UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970. |
PRJ-35584, |
Gaia OS |
UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters. |
PRJ-36086, |
Gaia OS |
WebUI session may end when creating a Role with full permissions. |
PRJ-37347, |
Gaia OS |
When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful. |
PRJ-39095, PRHF-23641 |
Gaia OS |
Dynamic routing SNMP OID polling may work only in VSX mode. |
PRJ-33557, PMTR-75925 |
Gaia OS |
In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443. |
PRJ-38229, PMTR-81516 |
Gaia OS |
When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue. |
PRJ-39377, |
Gaia OS |
The CONFD process may unexpectedly exit and generate a core dump file. |
PRJ-38097, |
CloudGuard Network |
NEW: Added support for Amazon Gateway Load Balancer (GWLB). Starting from this Take, Jumbo Hotfix Accumulator R80.40 can be installed on GWLB deployments. |
PRJ-30119, |
CloudGuard Network |
UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time. |
PRJ-38567, |
CloudGuard Network |
UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway. |
PRJ-38869, |
CloudGuard Network |
After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources. |
PRJ-27767, |
CloudGuard Network |
In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds. Refer to the PMTR-60092 limitation in sk166717. |
PRJ-38069, |
CloudGuard Network |
Policy install or publish may fail because of the CPM process operations overload. |
PRJ-33576, |
CloudGuard Network |
When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments". |
PRJ-31687, |
CloudGuard Network |
The "Object is inaccessible/deleted on Data Center" warning may be shown for Tag objects in SmartConsole. |
PRJ-38642, |
VoIP |
NEW: Added a new tab for VoIP monitoring in CPView. |
PRJ-40928 |
VoIP |
After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". Refer to sk179747. |
PRJ-39815, |
VoIP |
The Security Gateway may crash when running UDP and TCP SIP traffic. |
PRJ-26372, |
Scalable Platforms |
NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool. |
PRJ-40307, ODU-454 |
HCP |
Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 161 Released on 30 May 2022 and declared as Recommended on 13 July 2022 |
||
PRJ-34227, |
Security Management |
Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain. |
PRJ-35949, |
Security Management |
In the Compliance view, after changing "Policy Range" to a value smaller than 100%, best practices results become not available. Refer to sk177544. |
PRJ-34177, |
Security Management |
In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server". |
PRJ-35338, |
Security Management |
In rare scenarios, the Management Server may fail to start after an upgrade. |
PRJ-37494, |
Security Management |
In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249. |
PRJ-34181, |
Security Management |
In rare scenarios, the Management Server becomes inaccessible if there are more than 5000 objects in the Gateways and Servers view. |
PRJ-35224, |
Security Management |
When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265. |
PRJ-37577, |
Security Management |
In some scenarios, after editing Blades in simple-gateway/cluster Ansible modules, the Blades are not changed and Ansible shows that no changes occurred. |
PRJ-35016, |
Security Management |
Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129. |
PRJ-37395, |
Security Management |
After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084. |
PRJ-35297, |
Security Management |
When cloning an IPS profile, the advanced settings of cloud protection are not copied to the new profile. |
PRJ-32816, |
Security Management |
In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768. |
PRJ-32745, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-39176, PRHF-23750 |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error. |
PRJ-36621, PMTR-79023 |
Logging |
UPDATE: SmartView reports will now show the new Check Point logo. |
PRJ-30549, |
Logging |
In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783. |
PRJ-32372, |
Logging |
When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck. |
PRJ-34249, |
Logging |
There may be an incorrect error message related to MakeConnection method. |
PRJ-35200, |
Logging |
In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627. |
PRJ-34805, |
Logging |
In some scenarios, logs related to Content Awareness are missing. |
PRJ-29173, |
Logging |
Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log. |
PRJ-30144, |
Logging |
Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file. |
PRJ-34141, |
Logging |
On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904. |
PRJ-32579, |
Logging |
In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application. |
PRJ-33516, |
Logging |
Improved samples visibility in SmartView Widgets. |
PRJ-37896, |
Logging |
Logs may be missing from Smart Console after upgrading the Log Server if a VS object is configured without an IP. |
PRJ-35097, |
Security Gateway |
UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127. |
PRJ-19035, |
Security Gateway |
UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory. The change is only cosmetic. |
PRJ-31665, |
Security Gateway |
UPDATE: Adding Connection and Packet Distribution statistics in CPView. |
PRJ-38235, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53. |
PRJ-29962, |
Security Gateway |
UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287. |
PRJ-31494, |
Security Gateway |
UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. If a shadow rule exists, the new shadow rule will override the existing shadow rule. |
PRJ-37528, |
Security Gateway |
Improved Security Gateway internal memory allocation logic. |
PRJ-36047, |
Security Gateway |
In a rare scenario, DNS connection may be dropped with "up_manager_cmi_handler_match_cb: connection not found". |
PRJ-26984, |
Security Gateway |
In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection. |
PRJ-34726, |
Security Gateway |
In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with an error. |
PRJ-33273, |
Security Gateway |
The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952. |
PRJ-23479, |
Security Gateway |
Policy installation may fail when reaching out of memory on the Security Gateway. |
PRJ-37356, |
Security Gateway |
Uninstalling Jumbo Hotfix may cause interfaces to disappear. |
PRJ-35006, |
Security Gateway |
The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228. |
PRJ-34787, |
Security Gateway |
In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn". |
PRJ-34015 |
Security Gateway |
Bond subordinates may be visible in the wrong plane. |
PRJ-34088, |
Threat Prevention |
IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors. |
PRJ-36164, |
Identity Awareness |
The PDP process may unexpectedly exit with a core dump file. |
PRJ-35820, |
Identity Awareness |
On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member. |
PRJ-35851, |
Identity Awareness |
The PEP process may unexpectedly exit. |
PRJ-28218, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144. |
PRJ-34514, |
URL Filtering |
In a rare scenario, when URL Filtering Blade is active, in Website categorization background mode, the FWK process crashes and creates a core dump. |
PRJ-32742, |
IPS |
After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Gateways together, Gateways may consume more CPU during rule-match of new connections. |
PRJ-37543, |
IPS |
In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail. |
PRJ-32609, |
IPS |
When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites,the Security Gateway may drop the traffic. |
PRJ-30124, |
SSL Inspection |
When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345. |
PRJ-36298, |
SSL Inspection |
A memory leak related to TLS probe may occur in the WSTLSD process. |
PRJ-32908, |
Mobile Access |
In a rare scenario, some options in a web application may be missing in Mobile Access Portal. |
PRJ-35167, |
ClusterXL |
A single cluster member with Dynamic Routing configuration may stay permanently in DOWN state producing ROUTED pnote during a boot. |
PRJ-35980, |
ClusterXL |
A cluster failover may take longer than it should. |
PRJ-38369, |
ClusterXL |
Multicast packets may be dropped after policy installation. |
PRJ-36470, |
SecureXL |
The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW). |
PRJ-33581, |
SecureXL |
In some scenarios, fragmented Cluster LS packets are dropped by SecureXL. |
PRJ-34902, |
SecureXL |
In some scenarios, related to sending multicast packets, the ICMP errors may be shown. |
PRJ-30713, |
Routing |
Connectivity issues may occur after configuration of route-based VPN (VTI interface). Refer to sk176368. |
PRJ-35400, |
VPN |
IKEv2 Improvements for DAIP Gateway behind Hide NAT. |
PRJ-34210, |
VPN |
IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name. |
PRJ-34492 |
VPN |
Remote Access users are unable to connect when authenticating using a certificate issued by a subordinate CA. |
PRJ-35397, |
VPN |
Improvements for DAIP Gateway behind Hide NAT. |
PRJ-35534, |
VPN |
A memory leak may occur in the VPND process when using remote Access Back Connection. |
PRJ-37462, |
VPN |
The VPND process may unexpectedly exit causing VPN connections to restart. |
PRJ-34373, |
VPN |
In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure. |
PRJ-35429, |
VPN |
In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment. |
PRJ-35386, |
VPN |
In some scenarios, the RIM script is not activated in DPD Tunnel monitoring. |
PRJ-35557, |
VPN |
A memory leak may occur in the VPND process when using Remote Access Secondary Connect. |
PRJ-35555, |
VPN |
A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured. |
PRJ-35046, |
VPN |
In some scenarios, NAT-T tunnel establishment may fail. |
PRJ-33322, |
VPN |
After initiating a tunnel between a regular Gateway and a DAIP Gateway, running the "vpn tu tlist'" command on the peer, may show the peer IP instead of the DAIP IP. |
PRJ-29880, |
VPN |
Improved VPN interoperability. |
PRJ-37589, |
VPN |
During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high. |
PRJ-36237, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-38811, |
VPN |
In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767. |
PRJ-34671, |
VSX |
UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems. |
PRJ-34999, |
VSX |
The "vsx_util reconfigure" command may fail without printing the cause of the error. |
PRJ-32078, |
VSX |
When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database. |
PRJ-36767, |
VSX |
VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface. |
PRJ-35503, |
VSX |
There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic. |
PRJ-33470, |
VSX |
In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously. |
PRJ-38202, |
VSX |
In some scenarios, the VSX Security Gateway may not decrease the packet's TTL. |
PRJ-34602, |
VSX |
In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch. |
PRJ-36786, |
VSX |
The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0. |
PRJ-36771, |
Gaia OS |
NEW: Gaia API (version 1.6 with python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-24453, PRHF-16628 |
Gaia OS |
UPDATE: Changed the Syslog message severity from "error" to "info" and removed the exclamation mark in a specific message which is displayed during the normal backup operation flow. |
PRJ-37415, |
Gaia OS |
In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file. |
PRJ-37225, |
Gaia OS |
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253. |
PRJ-27908, |
Harmony Endpoint |
In some scenarios, logs related to Harmony Endpoint may be missing. |
PRJ-37118, |
VoIP |
When static NAT is configured, VoIP calls may not work. |
PRJ-38022, |
Public Cloud CA Bundle |
Added Take 18 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-36703, |
Public Cloud CA Bundle |
Added Take 14 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-34518, |
Smart-1 Cloud |
Added update 4 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-37602, |
CloudGuard Network |
In Amazon Web Services (AWS), some Gateways may frequently crash with vmcores. |
PRJ-35547, |
CloudGuard Network |
When there are virtual systems with the same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects. |
PRJ-36273, |
CloudGuard Network |
In some scenarios, incorrect data center updates are pushed to the Gateway. |
PRJ-37950, |
CloudGuard Network |
In some scenarios, mapping of AWS Data Centers may take a long time to complete. |
PRJ-37052, |
CloudGuard Network |
In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904. |
PRJ-38035, |
Scalable Platforms |
Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-38223, |
HCP |
Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-36829, |
HCP |
Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 158 Released on 6 April 2022 and declared as Recommended on 16 May 2022 |
||
PRJ-30406, |
Security Management |
UPDATE:
|
PRJ-30112, |
Security Management |
In rare scenarios, the "show_changes" and "show_sessions" Management API commands may fail. |
PRJ-32856, |
Security Management |
After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running. |
PRJ-30474, |
Security Management |
Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error. |
PRJ-33564, |
Security Management |
In rare scenarios, a "Create Domain", "Delete Domain" or "Delete Domain Server" task can be stuck at 5% with the "Task in queue" status. |
PRJ-35478, |
Security Management |
Multi-Domain High Availability synchronization in the Global Domain may fail with "There are invalid assignments on peer." error. |
PRJ-25709, |
Security Management |
Deleting a network group may fail because it is being used, although "Where Used" shows no usage. |
PRJ-33400, |
Security Management |
When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443. |
PRJ-32428, |
Security Management |
In rare scenarios, adding a service to a rule in Access Policy:
Refer to sk176004. |
PRJ-32447, |
Security Management |
In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data". |
PRJ-33520, |
Security Management |
In rare scenarios, the Management Server may fail to start. |
PRJ-30530, |
Security Management |
Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out. |
PRJ-33286, |
Security Management |
When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number. |
PRJ-32847, |
Security Management |
In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure". |
PRJ-32668, |
Security Management |
When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found". |
PRJ-34225, |
Security Management |
When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error". |
PRJ-33364, |
Security Management |
Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464. |
PRJ-30058, |
Security Management |
In rare scenarios, after a Management Server upgrade, importing the database may fail with "Tried to persist object". |
PRJ-34771, |
Security Management |
Policy installation on Gateways R81 and below may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725. |
PRJ-33863, |
Security Management |
When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout. |
PRJ-32717, |
Security Management |
If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491. |
PRJ-36185, |
Security Management |
In some scenarios, in SmartConsole, the IPS update status list does not reflect correctly all the Gateways with enabled IPS Blade. Refer to sk175449. |
PRJ-33978, |
Security Management |
Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS. |
PRJ-34034, |
Security Management |
When many sessions are opened:
|
PRJ-33167, |
Multi-Domain Management |
The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/. |
PRJ-30525, |
Multi-Domain Management |
In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail. |
PRJ-38327, |
SmartConsole |
Refer to sk178590. |
PRJ-34292, |
Compliance |
After disabling Compliance Best Practices, the user receives security alerts.
|
PRJ-30377, |
CPInfo |
UPDATE: Added CPInfo Build 914000227. Refer to sk92739. |
PRJ-31293, |
Logging |
NEW: It is now possible to search logs using content from the "Comment" field. |
PRJ-29123, |
Logging |
SmartEvent may not show some of the Anti-Virus logs. |
PRJ-31616, |
Logging |
Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543. |
PRJ-28316, |
Logging |
The "Last Update Time" field of a Session Log may show incorrect values. |
PRJ-32587, |
Logging |
There may be empty values in the "Office Mode IP" field in the Logs view. |
PRJ-32304, |
Logging |
When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email. |
PRJ-32017, |
Logging |
When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-30091, |
Logging |
In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403. |
PRJ-33747, |
Security Gateway |
UPDATE: Added a new flag to the "dynamic_objects" command: "-uo <name of object>". The user can now see all content of a specific updatable object. |
PRJ-30782, |
Security Gateway |
Access Policy installation may fail with "Error code 1-2000078". |
PRJ-33611, |
Security Gateway |
In a rare scenario, the FWD process may unexpectedly exit. |
PRJ-32657, |
Security Gateway |
Security Gateway may unexpectedly reboot and create a vmcore file. |
PRJ-33898, |
Security Gateway |
In rare scenarios, the LOG_INDEXER process may unexpectedly exit with a core dump file. |
PRJ-33209, |
Security Gateway |
The dlpu process may unexpectedly exit, producing a core dump file. |
PRJ-32791, |
Security Gateway |
In some scenarios, the matched rules log of Inline layer may appear as "Accept" / "Drop" action instead of "Inline". |
PRJ-30782, |
Security Gateway |
Access Policy installation may fail with "Error code 1-2000078". |
PRJ-31207, |
Security Gateway |
The Security Gateway may crash during policy installation due to memory allocation problems. |
PRJ-33611, |
Security Gateway |
In a rare scenario, the FWD process may unexpectedly exit. |
PRJ-33997, |
Security Gateway |
In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout. |
PRJ-32791, |
Security Gateway |
Matched rules on Inline layermay appear as the "Accept'"/ "Drop" action instead of "Inline". |
PRJ-34255, |
Security Gateway |
It may not be possible to use Office 365 Tenant Restrictions when ICAP client is enabled. |
PRJ-33124, |
Security Gateway |
In some scenarios, memory consumption and CPU usage may increase consistently due to large amount of content in CPView tool. Refer to sk176370. |
PRJ-32925, |
Security Gateway |
When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics". |
PRJ-34267, |
Security Gateway |
The log_exporter process may consume high CPU. |
PRJ-33249, |
Internal CA, VPN |
Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468. |
PRJ-30444, |
Threat Prevention |
In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space. |
PRJ-37474, |
Identity Awareness, |
UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148. |
PRJ-30947, |
Identity Awareness |
In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests. |
PRJ-32698, |
Identity Awareness |
Memory usage may be high for the pdpd process in a scenario related to Identity Awareness nested groups in state 2 and 4. |
PRJ-33147, |
URL Filtering |
In some scenarios, websites encrypted with SSL are not matched correctly when categorization mode is on Holdand IDA is enabled. Refer to sk176283. |
PRJ-29427, |
IPS |
When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated. |
PRJ-34644, |
DLP |
In a rare scenario, the DLP process may not delete temporary files used for scanning. |
PRJ-33001, |
SSL Inspection |
UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2. |
PRJ-34973, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly restart. |
PRJ-34160, |
SSL Inspection |
In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-35936, PRJ-35934 |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS. |
PRJ-31231, |
SSL Network Extender |
SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760. |
PRJ-33875, |
Mobile Access |
Policy installation may fail due to table creation issues. |
PRJ-34339, |
SecureXL |
The "fwaccel dos rate" command may fail with the"Another fwaccel command is already in progress" error. |
PRJ-28644, |
SecureXL |
A redundant message "ACC: Accelerator started. " is printed in dmesg logs. |
PRJ-35768, |
Routing |
UPDATE: Routed debug log will now show IP addresses. |
PRJ-35644, |
Routing |
Handling BGP routes with very long AS paths may cause connectivity issues and the ROUTED daemon may exit with a core dump file. |
PRJ-34710, |
Routing |
In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order. |
PRJ-35340, |
Routing |
The routed daemon may unexpectedly exit with core dump when some interfaces lose connection with the PIM router. |
PRJ-32423, |
VPN, Multi-Portal |
UPDATE: Certificate validation flow will use OCSP as the default revocation validation method. If OCSP URL does not exist, CRL will be used as a revocation validation method. |
PRJ-33655, |
VPN |
The VPND process may unexpectedly exit with a core dump file. |
PRJ-35310, |
VPN |
An outage may occur during IKEv2 SA re-key because of invalid kbuf duplication. |
PRJ-35475, |
VPN |
Added VPN improvements for IKEv2 SA re-key. |
PRJ-35342, |
VPN |
Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP. |
PRJ-35392, |
VPN |
Improved IKEv2 for working with DAIPs. |
PRJ-35487, |
VPN |
In ike_sa_table there may be an entry with an IP address and not with a DAIP ID. |
PRJ-33737, |
VPN |
When applying Secure Configuration Verification (SCV) VPN client is not able to distinguish between Windows 10 and Windows 11. |
PRJ-35230, |
VPN |
SSL entries may not be deleted from the "vpn tu tlist" command output, although there was a graceful exit. |
PRJ-36419, |
VPN |
In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit. |
PRJ-24187, |
VPN |
VPN connectivity issues may occur when there are too many SAs. Refer to sk173828. |
PRJ-33838, |
VSX |
UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode. |
PRJ-32532, |
VSX |
UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool. |
PRJ-37421, |
VSX |
After deleting a warp interface in SmartConsole, the active VSX cluster member may crash. |
PRJ-30211, |
Gaia OS |
Refer to sk174969. |
PRJ-31695, |
Gaia OS |
The "cpopenssl" command may fail with "No such file or directory". |
PRJ-35002, |
Gaia OS |
Fixed the CVE-2020-14145 vulnerability. |
PRJ-32916, |
CloudGuard Network |
NEW:
|
PRJ-31768, |
CloudGuard Network |
Improved the handling of NSX-T Data Center throttling issues. |
PRJ-34526, |
CloudGuard Network |
When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway. |
PRJ-35157, |
Scalable Platforms |
NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-34441, |
HCP |
Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-29950, |
Infrastructure |
In a rare scenario, the user cannot connect to the Mobile Access Portal. |
Take 156 Released on 20 March 2022 and declared as Recommended on 23 March 2022 |
||
PRJ-37957, |
Gaia |
UPDATE: Upgraded OpenSSL to fix CVE-2022-0778. Refer to sk178411. |
PRJ-37841, |
VoIP |
A cluster member may crash generating a vmcore because of a mismatch in SIP tables. |
PRJ-37605, |
VoIP |
In a cluster environment, the Gateway may crash with a vmcore. |
Take 154 Released on 1 March 2022 and declared as Recommended on 8 March 2022 |
||
PRJ-36728 |
Security Gateway |
|
PRJ-37380, |
ClusterXL |
Clock jumps forward/backward may cause some operations to fail and the cluster to go down. |
Take 153 Released on 22 February 2022 |
||
PRJ-34690, |
Diagnostics |
In some scenarios, in an environment that includes the SmartEvent Server, the LOG_INDEXER process restarts at midnight, producing a core dump file. Refer to sk177805. |
PRJ-36957, |
Security Management |
Policy installation and "where used" operation may take a long time if there are many inline layers and the "Install On" targets in the Rule Base are not defined as "Any". Refer to sk177928. |
Take 150 Released on 19 January 2022 |
||
PRJ-29847, |
Diagnostics |
In some scenarios, CPView shows the SNMP data partially. |
PRJ-32481 |
Diagnostics |
In some scenarios on VSX, a "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file. |
PRJ-31056, |
Upgrade Tools |
In rare scenarios, an upgrade or migration may fail due to missing temporary files. |
PRJ-29295, |
Security Management |
NEW: Added Multi-Domain Server (MDS) level support for exporting data from the Gateways and Servers view into a CSV file. |
PRJ-24930, |
Security Management |
UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB. |
PRJ-29236, |
Security Management |
UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information. |
PRJ-31073, |
Security Management |
UPDATE: Added an environmental variable to control the sduu command timeout in the FWM process: SDUU_UPDATE_TIMEOUT. |
PRJ-30049 |
Security Management |
UPDATE: In order to prevent SHA-1 vulnerabilities, Management Server no longer supports SHA-1 cipher suites in SSL communication. |
PRJ-32891, |
Security Management |
UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165. |
PRJ-34960 |
Security Management, |
UPDATE: The Apache Log4j Java library is updated in order to harden the system. Check Point products are not vulnerable to Log4j. This change is motivated by cyber hygiene best practices. For more information, refer to sk176865. |
PRJ-32801, |
Security Management |
The mgmt_cli tool (API) with certificate login may not work. |
PRJ-25279, |
Security Management |
In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005. |
PRJ-21876, |
Security Management |
In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer. |
PRJ-22422, |
Security Management |
Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and a different Domain name is used for the second attempt. |
PRJ-23123, |
Security Management |
Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270. |
PRJ-25196, |
Security Management |
The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used. |
PRJ-23851, |
Security Management |
Management Server upgrade may fail if there is a large amount of customized column profiles in the Logs View. |
PRJ-21787, |
Security Management |
In some scenarios, the output of the "cpmistat" command may contain partial information. |
PRJ-23953, |
Security Management |
In some scenarios, if changes were done before installing Jumbo Hotfix, revert or login to the last published session may fail. |
PRJ-29304, |
Security Management |
In environments with a large number of objects, licenses for cluster members in the Licenses tab may not be displayed. |
PRJ-30053, |
Security Management |
In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007. |
PRJ-29967, |
Security Management |
In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X. |
PRJ-29897, |
Security Management |
In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". |
PRJ-30018, |
Security Management |
In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error. |
PRJ-28900, |
Security Management |
When searching IP addresses using logical operators (AND / OR), the results may be incorrect:
Some matched objects may be missing, while some unmatched objects may be present. |
PRJ-29187, |
Security Management |
In a rare scenario, High Availability full synchronization may fail due to a large number of records. |
PRJ-29157, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-30883, |
Security Management |
In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file. |
PRJ-29468, |
Security Management |
In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866. |
PRJ-29198, |
Security Management |
After an upgrade from R77.x. in a Multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message. |
PRJ-28298, |
Security Management |
In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase. |
PRJ-28535, |
Security Management |
In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error. |
PRJ-28156, |
Security Management |
In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server. |
PRJ-28784, |
Security Management |
In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes. |
PRJ-30099, |
Security Management |
In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it. |
PRJ-30386, |
Security Management |
In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930. |
PRJ-27763, |
Security Management |
The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level. |
PRJ-26780, |
Security Management |
In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245. |
PRJ-28063, |
Security Management |
In rare scenarios:
|
PRJ-27485, |
Security Management |
Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. |
PRJ-28815, |
Security Management |
In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full". |
PRJ-26735, |
Security Management |
In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message. |
PRJ-29909, |
Security Management |
In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule. |
PRJ-20591, |
Security Management |
In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail. |
PRJ-31741, |
Security Management |
In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain. |
PRJ-31081, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server unexpectedly exits. |
PRJ-30336, |
Security Management |
When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down. |
PRJ-29157, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-22265, |
Security Management |
In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. |
PRJ-32091, |
Security Management |
When searching an IP address in Object Explorer, network objects with both IPv6 and IPv4 configured may not appear in the results, although they match the IP address. |
PRJ-28168, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect sessions handling. |
PRJ-32108, |
Security Management |
Policy installation may fail if more than 20,000 objects are created and added to rules. |
PRJ-32649, |
Security Management |
In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database. |
PRJ-31671, |
Security Management |
In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time. |
PRJ-30680, |
Security Management |
Policy installation with Directional VPN rules may fail with a verification error. |
PRJ-32994, |
Security Management |
Upgrade of Management Server from R80.10 to R80.40 may take a long time for large environments. |
PRJ-30067, |
Security Management |
|
PRJ-29508, |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805. |
PRJ-33463, |
Security Management |
While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the configuration tab. |
PRJ-34079, |
Security Management |
In some scenarios, after running an Ansible playbook, objects are locked even though they were not changed. |
PRJ-34504, |
Security Management |
The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204. |
PRJ-33552, |
Security Management |
When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead. |
PRJ-30350, |
Multi-Domain Management |
During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface. |
PRJ-21830, |
Multi-Domain Management |
In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file. |
PRJ-27345, |
Licensing |
In a rare scenario, the licensing status in SmartConsole is displayed incorrectly. |
PRJ-29310, |
SmartConsole |
The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911. |
PRJ-30520, |
Compliance |
The Compliance report in SmartConsole may show an incorrect policy name. |
PRJ-22892, |
CPView |
In some scenarios, SNMP statistics per VS may not be displayed in CPView. |
PRJ-32978, |
CPView |
In Overview, some data about disk space may be missing. |
PRJ-26307, |
Logging |
In rare cases, in SmartConsole, some logs are not shown. |
PRJ-30689, |
Logging |
UPDATE: The default timeframe for logs queries using the SmartConsole's Logs tab is set to "Last 24 Hours".
|
PRJ-32085, |
Logging |
A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic. |
PRJ-13743, |
Logging |
The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces. |
PRJ-22345, |
Logging |
In SmartView, the "Duration" field is missing from Reports and Views. |
PRJ-17260, |
Logging |
In SmartConsole:
|
PRJ-16985, |
Logging |
In a rare scenario, Application Control events may not be displayed in SmartEvent. |
PRJ-16282, |
Logging |
In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430. |
PRJ-29029, |
Logging |
In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report. |
PRJ-25832, |
Logging |
The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access Blade is enabled on the Gateway. |
PRJ-25622, |
Logging |
In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452). |
PRJ-25440, |
Logging |
On the Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message and the FWM process is running with a high CPU. Refer to sk167239. |
PRJ-24523, |
Logging |
In a low log rate, there may be a delay in exporting logs using the Log Exporter. |
PRJ-27616, |
Logging |
The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event. |
PRJ-28340, |
Logging |
In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority. |
PRJ-26030, |
Logging |
In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323. |
PRJ-28323, |
Logging |
In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing. |
PRJ-26681, |
Logging |
Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field. |
PRJ-19838, |
Logging |
On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928. |
PRJ-23313, |
Logging |
Daily Log/Indexes Maintenance does not delete old index files from $RTDIR/log_indexes if they contain files or subdirectories with a format different than %Y-%m-%d. |
PRJ-32028, |
Logging |
In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log. |
PRJ-30663, |
Logging |
Refer to sk176644. |
PRJ-25653, |
Logging |
When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message. |
PRJ-29575, |
Security Gateway |
NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default. |
PRJ-31489, |
Security Gateway |
NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890. |
PRJ-30981, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560. |
PRJ-32072, |
Security Gateway |
UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6. |
PRJ-30588 |
Security Gateway |
UPDATE: For CPU Spike Detective:
|
PRJ-31275, |
Security Gateway |
UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229. |
PRJ-34449, |
Security Gateway |
UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode. |
PRJ-25307 |
Security Gateway |
UPDATE: Added the "Configure Hyper-Threading" option to the cpconfig command. |
PRJ-29093, |
Security Gateway |
In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
PRJ-29587, |
Security Gateway |
In a rare scenario, Security Gateway may crash. |
PRJ-31217, |
Security Gateway |
When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887. |
PRJ-29129, |
Security Gateway |
In rare scenarios, policy installation may fail with an "Operation failed, install/uninstall has been improperly terminated" message. |
PRJ-29419, |
Security Gateway |
In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673. |
PRJ-30011, |
Security Gateway |
In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up. |
PRJ-29504, |
Security Gateway |
In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues. |
PRJ-20627, |
Security Gateway |
Running the "threshold_config" command may cause the CPD process to consume a high CPU. |
PRJ-27650, |
Security Gateway |
Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section. |
PRJ-32574, |
Security Gateway |
When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted. |
PRJ-26583, |
Security Gateway |
In a rare scenario, CPView may show incorrect SecureXL statistics per VS. |
PRJ-30684 |
Security Gateway |
In some scenarios, when using Suspicious Activity Monitoring (SAM) rules with source and destination networks or with a NATed IP, "matched rule is not found" errors appear. |
PRJ-31967, |
Security Gateway |
In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP. |
PRJ-30179, |
Security Gateway |
In a rare scenario, policy push to multiple Security Gateways may fail. Refer to sk177963. |
PRJ-30613, |
Security Gateway |
In rare scenarios, when SACK is enabled, there may be connectivity issues. |
PRJ-26964, |
Security Gateway |
Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS). |
PRJ-22014, |
Security Gateway |
When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may hang. |
PRJ-30250, |
Security Gateway |
Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log. |
PRJ-30669, |
Security Gateway |
In rare scenarios, when a Security Gateway is configured as Proxy, a wrong NAT port reuse may happen for 5 minutes long proxied connections. |
PRJ-30041, |
Security Gateway |
If wstunnel loses connectivity, after several attempts it may unexpectedly exit and not restart. Refer to sk166056. |
PRJ-25149, |
Security Gateway |
In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections. |
PRJ-32336, |
Security Gateway |
Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message. |
PRJ-29697, |
Security Gateway |
In rare a scenario, a memory leak may occur with "cpas_streamh_init_from_cookie failed" printed in /var/log/messages. |
PRJ-33359, |
Security Gateway |
First policy installation after an upgrade may be followed by a warning message: "Updatable Objects are used in the policy but Gateway package is missing (see sk121877)". |
PRJ-33081, |
Security Gateway |
Extended logging may show a wrong status of Content Awareness Blade. The issue is only cosmetic. |
PRJ-33512, |
Security Gateway |
CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic. |
PRJ-27609, |
Security Gateway |
A debug message may be printed as an error. |
PRJ-17572, |
Security Gateway |
The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424. |
PRJ-32051, |
Security Gateway |
In a rare scenario, the Security Gateway may crash during policy installation. |
PRJ-31016, |
Internal CA |
In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start. |
PRJ-24986, |
Threat Prevention |
UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300. |
PRJ-28679, |
Threat Prevention |
UPDATE: Added an option to remove proxy usage in ioc_feeds tool. |
PRJ-24253, |
Threat Prevention |
UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types. |
PRJ-22397, |
Threat Prevention |
The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS Blade is disabled. Refer to sk172903. |
PRJ-29925, |
Threat Prevention |
Threat Prevention policy installation may fail when loading 2 IoC feeds that contain the same signature name for one of the observables. |
PRJ-28937, |
Threat Prevention |
Improved telemetry for Infinity Vision SOC. |
PRJ-29035, |
Threat Prevention |
In some scenarios, loading Custom Intelligence Feeds that include an IP address with a subnet mask of 32 bits (x.x.x.x/32) may fail. |
PRJ-27750, |
Threat Prevention |
When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages. |
PRJ-28763, |
Threat Prevention |
In some scenarios, when using OpenSSH 8.2 Server, file download fails after starting the transfer. |
PRJ-28136, |
Threat Extraction |
In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg. |
PRJ-29489, |
Identity Awareness |
UPDATE:
|
PRJ-30497, |
Identity Awareness |
UPDATE: Enhanced Identity Sharing SmartPull mechanism for large scale environments. |
PRJ-29613, |
Identity Awareness |
In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables. |
PRJ-29399, |
Identity Awareness |
Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull. |
PRJ-27941, |
Identity Awareness |
In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105. |
PRJ-30991, |
Identity Awareness |
In a rare scenario, the priorities defined in User Directory (Gateway level) override the default Domain Controller (DC) priorities defined in the LDAP Account unit. Servers with priority above 1000 are not ignored, although they should be. |
PRJ-32120, |
Identity Awareness |
An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher. |
PRJ-32871, |
Identity Awareness |
When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause one of the members to go down with a configuration pnote. |
PRJ-29768, |
URL Filtering |
In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped. |
PRJ-29940, |
IPS |
In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash. |
PRJ-28738, |
IPS |
In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588. |
PRJ-28244, |
IPS |
In some scenarios, HTTP Parser in the CPView statistics may show incorrect values for connections with more than 50 sessions. |
PRJ-23347, |
IPS |
The track logging configuration of Network Quota protection is not applied. |
PRJ-30425, |
DLP |
The dlpu process may unexpectedly exit with core dump file. |
PRJ-29191, |
Anti-Bot |
UPDATE: Improved performance of Anti-Bot URL Reputation. |
PRJ-31172, |
SSL Inspection |
A memory leak, related to TLS probing, may occur in the WSTLSD process. |
PRJ-31166, |
SSL Inspection |
In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur. |
PRJ-29475, |
SSL Inspection |
In some scenarios, a memory leak may occur when creating ECDHE keys. |
PRJ-30459, |
SSL Inspection |
In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout. |
PRHF-20458 |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file. |
PRJ-33406, |
SSL Inspection |
In rare scenarios, TLS probing connections may remain open for extended periods. |
PRJ-32883, |
SSL Inspection |
When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation. |
PRJ-31182, |
Mobile Access |
UPDATE: Upgraded JQuery library version (from 1.1 to 3.6). |
PRJ-27296, |
Mobile Access |
In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit. |
PRJ-29275, |
Mobile Access |
In some scenarios, a memory leak may occur in the CVPND process. |
PRJ-28257, |
Mobile Access |
In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client. |
PRJ-30381, |
ClusterXL |
In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize. |
PRJ-32470, |
ClusterXL |
Added Syslog support for Cluster events messages. |
PRJ-30818, |
SecureXL |
In a rare scenario, after an upgrade, HTTPS traffic may be dropped. |
PRJ-26952, |
SecureXL |
TCP packets may be dropped as "TCP out of state" although following sk11088. |
PRJ-32939, |
SecureXL |
In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed. |
PRJ-24056, |
Routing |
In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts. |
PRJ-31126, |
Routing |
In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending. |
PRJ-29319, |
Routing |
AS path loops may occur, although BGP multihop is configured. |
PRJ-28957, |
Routing |
The ROUTED process may unexpectedly exit. |
PRJ-31486, |
Routing |
In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603. |
PRJ-29496, |
Routing |
BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer. |
PRJ-33355, |
Routing |
|
PRJ-32595, |
VPN |
In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue. |
PRJ-32518, |
VPN |
Improved establishing IKEv2 tunnel with DAIP peer. |
PRJ-31472, |
VPN |
UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic. |
PRJ-29296, |
VPN |
Added VPN IKEv2 improvements. |
PRJ-29532, |
VPN |
RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode. |
PRJ-29482, |
VPN |
A memory leak may occur in the VPND process in IKEv2 Site to Site VPN. |
PRJ-28559, |
VPN |
In some scenarios, when sending the SCV drop log, a memory leak may occur. |
PRJ-28574, |
VPN |
In some scenarios, Server connections to Remote Access L2TP clients may be unstable. |
PRJ-29592, |
VPN |
In a rare scenario, the IKEv2 negotiation appears successful, although it failed. |
PRJ-30329, |
VPN |
In some scenarios, IKEv2 tunnel may not work due to SA expiration. |
PRJ-30764, |
VPN |
In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file. |
PRJ-31289, |
VPN |
Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417. |
PRJ-32365, |
VPN |
Improved IKEv2 narrowing. |
PRJ-33833, |
VPN |
In rare scenarios, when SSL Network Extender (SNX) is in Application Mode, the VPND process may unexpectedly exit. |
PRJ-30956, |
VPN |
Improvements for DAIP Gateway behind Hide NAT. |
PRJ-30648, |
VPN |
A machine-only tunnel cannot be established when VPN default realm is disabled. |
PRJ-28268, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-32549, |
VPN |
A memory leak may occur during Office Mode IP allocation. |
PRJ-30755, |
VPN |
In a rare scenario, when NAT is enabled, Route Based VPN traffic may be dropped. |
PRJ-31587, |
VPN |
In some scenarios, VPN tunnels statuses in SmartView Monitor are displayed incorrectly. |
PRJ-22482, |
VSX |
In some scenarios, running the snmpwalk command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064. |
PRJ-29552, |
VSX |
After a reboot, the VS's clish static ARPs configuration exists, but the static ARPs may be missing. |
PRJ-27969, |
VSX |
When querying a VS for "sysObjectID" viaSNMP, a generic netSNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check Point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62"). |
PRJ-30314, |
Gaia OS |
NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-30275, |
Gaia OS |
UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes. |
PRJ-30203, |
Gaia OS |
UPDATE: Added a Clish command "add/show/delete ntp interface" to choose to which interfaces the NTP daemon shall bind. |
PRJ-28684, |
Gaia OS |
In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443. |
PRJ-17613, |
Gaia OS |
When adding an SSH host key, it will not be displayed because the total length of the command line cannot contain more than 512 characters. |
PRJ-33507, |
Gaia OS |
Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128. |
PRJ-31753, |
Gaia OS |
In some scenarios, after adding an SNMP USM user, the confd process may unexpectedly exit. |
PRJ-33687, |
Gaia OS |
Potential vulnerability related to specific Gaia API command on VSX systems. |
PRJ-33871 |
Gaia OS |
Enhanced SNMP module stability. |
PRJ-24328, |
Harmony Endpoint |
Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM Blade is not activated. |
PRJ-25250, |
Harmony Endpoint |
In some scenarios, the Policy Server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates. |
PRJ-30518, |
Harmony Endpoint |
In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://". |
PRJ-29971, |
Harmony Endpoint |
In some scenarios, a query which counts host_ckp objects may return more results than expected. It leads to a memory leak with the "Out Of Memory" error. |
PRJ-32389, |
VoIP |
When using SIP, memory usage may increase over time on Active and Standby members. |
PRJ-29511, |
CloudGuard Network |
NEW: In Amazon Web Services (AWS):
To enable the feature:
Note: This feature requires adding DescribeTags and DescribeLoadBalancers permissions to the AWS Data Centers accounts. NEW: In Azure:
To enable the feature:
Note: This feature requires adding permissions to list Application Security Groups and Private Endpoints.
NEW: In AWS, Azure and Google Cloud Platform (GCP): Added support for API calls with HTTP response with reason-code only (without reason-phrase). |
PRJ-29985, |
CloudGuard Network |
UPDATE: When there are Data Centers without imported objects, CloudGuard Controller will show the warning status in SmartConsole and in the output of the "cpstat vsec" command. |
PRJ-27771, |
CloudGuard Network |
Amazon Web Services (AWS) Data Center scan may fail and no updates are sent to the Security Gateway. |
PRJ-31771, |
CloudGuard Network |
In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway. |
PRJ-32230, |
CloudGuard Network |
The "vsec_lic_cli update" command now supports IP change in the license string. |
PRJ-32753, |
CloudGuard Network |
After an upgrade, the AWS Gateway or Google Cloud Platform (GCP) may lose access to the Serial Console. |
PRJ-27034, |
QoS |
In a rare scenario, when QoS is enabled, in SmartView Monitor, some traffic may be shown as "No Match". |
PRJ-30234, |
QoS |
In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs. |
PRJ-30015, |
HCP |
Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-29410, |
Infrastructure |
Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452. |
PRJ-22353, |
Infrastructure |
UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias. |
Take 139 Released on 9 December 2021 and declared as Recommended on 13 December 2021 |
||
PRJ-34129 |
Threat Prevention |
In a rare scenario, the Security Gateway may crash when Anti-Virus is enabled. |
Take 138 Released on 30 November 2021 |
||
PRJ-33629, |
Security Management |
When connected to the standby Management Server, after High Availability full synchronization, some objects may appear twice in SmartConsole. |
PRJ-32156, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51. |
PRJ-29540, |
Security Gateway |
After reboot and policy installation, the "No interface configured in SmartCenter server with name mdps_tun. Matching by IP address to interface Mgmt" error may be printed in fwk.elg file. |
PRJ-33561 |
Threat Prevention |
In a rare scenario, the Security Gateway may crash when working with Anti-Virus or Threat Emulation. |
PRJ-33543, |
Threat Prevention |
When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947. |
PRJ-32546 |
Gaia OS |
In a rare scenario, the Security Gateway fails to boot when working in USFW (User-Space Firewall) mode. |
Take 131 Released on 1 November 2021 |
||
PRJ-29442, |
Security Gateway |
UPDATE: The default value for kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560. |
PRJ-30373, |
Security Gateway |
Optimized packet dispatching in User Space Firewall (USFW) mode. |
PRJ-28872, |
Security Gateway |
In a rare scenario, when using ICAP client, Security Gateway may crash. |
PRJ-30214, |
Security Gateway |
In some scenarios, policy installation may take longer or fail when GEO Updatable Objects are used in the policy. |
PRJ-29622 |
Security Gateway |
Improved User-Space Firewall (USFW) mode memory allocation. |
PRJ-29742, |
Security Gateway |
In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated. Refer to sk11088. |
PRJ-31369, |
Security Gateway |
Improved the handling of a large number of sessions per single HTTP/S connection. |
PRJ-26392, |
Security Gateway |
In some scenarios, the WSDNSD process unexpectedly exits and creates a core dump file. Refer to sk173627. |
PRJ-25868, |
Threat Prevention |
In a rare scenario, the FWD process may unexpectedly exit after an upgrade. |
PRJ-26496 |
Threat Prevention |
In rare scenarios, IoC feed loading fails due to hash parsing errors. |
PRJ-32353, |
Identity Awareness |
UPDATE: The default threshold value for Identity Collector Service Accounts exclusion was changed from 10 to 100. Refer to sk174266. |
PRJ-31693, |
IPS |
Improved the handling of decoded HTTP/S traffic. |
PRJ-23570, |
Anti-Virus |
Security Gateway may crash when transferring the HTTP multipart traffic if the Anti-Virus Deep Scanning, Threat Extraction, or Threat Emulation is enabled. |
PRJ-30868, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-29282, |
VPN |
In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process. |
Take 126 Released on 13 October 2021 |
||
PRJ-26247, |
Diagnostics |
NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2. |
PRJ-26025, |
Security Management |
NEW: Added the "Get Interfaces" Management API for Security Gateway and Cluster objects.
|
PRJ-27201, |
Security Management |
NEW: Added the HitCount column to the "Export to CSV" functionality in Access Policy.
|
PRJ-23051, |
Security Management |
NEW: Added support for CloudGuard Edge appliances in LSM and SmartConsole. |
PRJ-27110, |
Security Management |
UPDATE: Performance improvement in an upgrade of Security Management and Multi-Domain Servers with large rulebases. |
PRJ-27121, |
Security Management |
UPDATE: The "Purge revisions" operation has been improved to reduce the database's size. |
PRJ-28422, |
Security Management |
Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872. |
PRJ-30631 |
Security Management |
In the Management HA environment, when changing a standby Server to active, the "Failed to set the connected server to active" error may be shown, although the operation was finished successfully. |
PRJ-13164, |
Security Management |
The "show-global-assignment" command returns the default limit when the limit request is greater than the default limit. |
PRJ-28087, |
Security Management |
In some scenarios, the Administrators view may not filter Domain names according to the permission profile of the connected administrator. |
PRJ-28648, |
Security Management |
In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date" , although no changes were made in the Global Domain. |
PRJ-29758 |
Security Management |
In rare scenarios, after the Security Management Server starts up, when connecting to SmartConsole, some objects appear more than once. |
PRJ-25565, |
Security Management |
In rare scenarios, upgrade may fail when there is an OPSEC Server object configured. |
PRJ-28569, |
Security Management |
In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" error message. Refer to sk174645. |
PRJ-24330, |
Security Management |
In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy. |
PRJ-25038, |
Security Management |
In rare scenarios, a task in progress may get stuck until the Management Server is restarted. |
PRJ-26193, |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit. |
PRJ-26872, |
Security Management |
In some scenarios, changing the Gateway hardware in SmartConsole fails with a "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning. |
PRJ-21967, |
Security Management |
Packet Mode search in rule base ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched. |
PRJ-24051, |
Security Management |
If the Management Server is up for many days, the CPM process memory consumption and CPU usage may increase consistently. |
PRJ-26417, |
Security Management |
In rare scenarios, after migration of a Domain to a Security Management Server, publish may fail with a "Publish failed due to session validation errors" message although there are no errors in the validation pane. |
PRJ-26298, |
Security Management |
In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted. |
PRJ-26905, |
Security Management |
In some scenarios, loading the Access Control policy causes SmartConsole to close unexpectedly. Refer to sk175405.
|
PRJ-26910, |
Security Management |
Policy installation to multiple Gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy. |
PRJ-22134, |
Security Management |
In some scenarios, a high load on the Management Server may cause SmartConsole slowness. |
PRJ-15878, |
Security Management |
OS information for Domain Servers may not be shown correctly at the MDS level. |
PRJ-26506, |
Security Management |
Policy verification may fail with a NAT verification error "The range size of Original and Translated columns must be the same". |
PRJ-25267, |
Security Management |
After migrating a Domain to Security Management Server, the FWM process may be shown as "down" in watchdog, although it is up and running. Refer to sk163814. |
PRJ-25253, |
Security Management |
Login with Management API fails when using the api-key and setting enter-last-published-session to "true". |
PRJ-22384, |
Security Management |
User may fail to connect to SmartConsole after the administrator changed the RADIUS Server host IP address. Refer to sk172065. |
PRJ-25799, |
Security Management |
In rare scenarios, if the CPM process is up for many days, CPU and memory consumption may continue to grow until a reboot is performed. |
PRJ-25837, |
Security Management |
In some scenarios, deleting a Security Gateway object fails with the "Object <name> is used by a policy or by other objects" error even though the Security Gateway is not in use. Refer to sk173467. |
PRJ-26629, |
Security Management |
In rare scenarios, during a system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189. |
PRJ-26298, |
Security Management |
In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted. |
PRJ-26123, |
Security Management |
In some scenarios, HA synchronization fails in the Global Domain after the IPS update. |
PRJ-26676, |
Security Management |
Management API command "show gateways and servers" does not show policy information for cluster members. |
PRJ-26653, |
Security Management |
In some scenarios, an older version of a Jumbo Hotfix is recommended for installation on Security Gateway, although a newer version is already installed. |
PRJ-23453, |
Security Management |
After upgrade from R77.x, "Cannot assign a Domain more than once" errors may appear in the validations pane. |
PRJ-28292, |
Security Management |
In rare scenarios, High Availability incremental synchronization may fail with a wrong status message. |
PRJ-26521, |
Security Management |
In a rare scenario, policy installation may fail with a "Policy installation had failed due to an internal error" message. |
PRJ-28000, |
Security Management |
If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.
|
PRJ-25628, |
Security Management |
In rare scenarios, a Management Server upgrade may fail with the "Object not found - [UID]" error message in the cpm.elg log file. |
PRJ-24949, |
Security Management |
If there is an Administrator named "Endpoint", an upgrade of Endpoint Security Server from R77.30 version fails. |
PRJ-30417, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-25891, |
Multi-Domain Management |
NEW: Added ability to create Domain Management Servers with a netmask different than the one of the Multi-Domain Server. Refer to sk173934. |
PRJ-25517, |
Multi-Domain Management |
In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole. Refer to sk173268. |
PRJ-25001, |
Multi-Domain Management |
After migrating a Domain to a Multi-Domain Management and assigning a Global Policy, if there are objects with the same name in the Domain and Global Domain, the assignment succeeds, although it must fail due to name duplication. |
PRJ-26301, |
Multi-Domain Management |
In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely. |
PRJ-26689, |
Multi-Domain Management |
After migrating the Global Domain and making global changes, when assigning/reassigning the Global Domain, the assignment may be shown as "Up to date" even though the latest global changes are not applied on the Domain. |
PRJ-24234, |
Licensing |
UPDATE: If there is no license installed, an error message will be printed when running the "cpstart" command. |
PRJ-21777, |
Licensing |
In some scenarios, the total number of "sr" licenses may be counted incorrectly. |
PRJ-27071, |
Compliance |
In some scenarios on Multi-Domain environments, Compliance data is not synchronized between primary and secondary Domains. |
PRJ-24350, |
CPView |
In some scenarios, a memory leak may occur in a cpview_services module. Refer to sk173952. |
PRJ-25930, |
SmartView |
NEW:
Note: The default time frames on the SmartView web application and SmartConsole are not synchronized.
|
PRJ-23489, |
Logging |
NEW:
|
PRJ-26808, |
Logging |
NEW: In SmartEvent GUI, added the "referrer" field for filtering correlation unit events. |
PRJ-24978, |
Logging |
When AES authentication is configured, the "thresold_config" command does not send traps for SNMP v.3. Refer to sk173045. |
PRJ-26725, |
Logging |
In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command. |
PRJ-23867, |
Logging |
In SmartView reports, the "Show only icon" option for table widgets does not work as expected. |
PRJ-27300, |
Logging |
After upgrade, SmartView scheduled export to Excel of Reports and Views stop running and users are unable to edit the scheduled tasks. Refer to sk174047. |
PRJ-14239, |
Logging |
In SmartView, grouping or filtering by the field "Total Bytes" causes the query to fail. |
PRJ-21318, |
Logging |
In the Method field, logs with the following values are not shown in the SmartConsole's Logs tab. They are only shown when opening a single log record. |
PRJ-27049, |
Logging |
In rare scenarios, the Logs view may not reflect the Management Server object changes. When the issue occurs, the CPM process may also consume a high CPU. |
PRJ-30722 |
Logging |
In some scenarios, export logs to CSV from SmartView Web view fails. Refer to sk175545. |
PRJ-25645, |
Logging |
In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB). |
PRJ-24482, |
Logging |
When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways. |
PRJ-23680, |
Logging |
In rare scenarios, in environments with many network objects, when typing a query in the Logs tab Search bar, SmartConsole may close unexpectedly. |
PRJ-22649, |
Logging |
Threat Emulation log description for HTTP emulation is incorrect. |
PRJ-26115, |
Logging |
In a Multi-Domain Management environment, Log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name. |
PRJ-26694, |
Logging |
When adding the "UC Block" action, log queries may not show UserCheck logs. Refer to sk174543. |
PRJ-24283, |
Logging |
In rare scenarios, when exporting logs to Check Point Infinity Portal, the Log Exporter may unexpectedly exit. |
PRJ-21307, |
Logging |
|
PRJ-28852, |
Security Gateway |
UPDATE: Added DNS Passive Learning support for DNS responses containing a Domain name in uppercase letters. |
PRJ-19770, |
Security Gateway |
Security Gateway may crash after policy installation. |
PRJ-27559, |
Security Gateway |
In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188. |
PRJ-25293, |
Security Gateway |
In rare scenarios, a re-matched connection may have 2 logs in SmartConsole. |
PRJ-30903, |
Security Gateway |
In some scenarios, the Security Gateway may crash when encountered an error on connection processing. |
PRJ-24691, |
Security Gateway |
In rare scenarios, creating a new SAM rule on a Management machine may fail. |
PRJ-26501, |
Security Gateway |
In a rare scenario, the Security Gateway may sporadically crash. |
PRJ-18867, |
Security Gateway |
In rare scenarios, DynamicID authentication fails with a "Server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303. |
PRJ-25843, |
Security Gateway |
Added the Access Control rulebase matching visibility enhancement. |
PRJ-30206, |
Security Gateway |
In some scenarios, NATed VPN traffic may be routed out through the wrong interface. Refer to sk176785. |
PRJ-26618, |
Security Gateway |
In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file. |
PRJ-27037, |
Security Gateway |
VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683. |
PRJ-25482, |
Security Gateway |
In a rare scenario, the PDPD or VPND process on the Security Gateway consumes a high CPU. Refer to sk173706. |
PRJ-27126, |
Security Gateway |
In some scenarios, the ROUTED process may unexpectedly exit. |
PRJ-28103, |
Security Gateway |
In a rare scenario, a memory leak may occur on the Security Gateway. |
PRJ-14625, |
Security Gateway |
After policy installation, Security Gateway may stop responding due to memory leaks. |
PRJ-24837, |
Security Gateway |
In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may unexpectedly exit. Refer to sk172935. |
PRJ-26930, |
Security Gateway |
SNMP lowDiskSpace trap with MDPS does not work with SNMP versions v1/v2 . Refer to sk173811. |
PRJ-26595, |
Security Gateway |
Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition. Refer to sk172464. |
PRJ-27076, |
Security Gateway |
In rare scenarios, using IP Pool NAT with only IPv4/IPv6 addresses configured may cause the Security Gateway to crash. |
PRJ-25552, |
Security Gateway |
In some scenarios, connections are dropped with a "Virtual defragmentation error: fragment table is full" message. Refer to sk180404. |
PRJ-25156, |
Security Gateway |
When running the "fwaccel stats -r" command to reset the SXL statistics, the statistics may become corrupted. |
PRJ-23065, |
Security Gateway |
Improved displayed drop log messages on the Security Gateway:
Refer to sk172232. |
PRJ-26478, |
Security Gateway |
In rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security Gateway to crash. |
PRJ-26035, |
Security Gateway |
A "fw_xlate_rule_count_dec: refcount is negative" message may be displayed in dmesg when IP pool NAT is used on a cluster environment. |
PRJ-21270, |
Security Gateway |
In some scenarios, emails may be stuck in the MTA queue. |
PRJ-28809, |
Security Gateway |
Added cosmetic fixes of the cpwd_admin list command output. |
PRJ-29087, |
Security Gateway |
In some scenarios, the CPD process may consume high CPU because of the memory leak in FDT (File Download Tool). |
PRJ-28829, |
Security Gateway |
Improved the ICAP Server internal memory allocation logic. |
PRJ-28553, |
Security Gateway |
Capsule Workspace end users may fail to authenticate to their Exchange mail Server via Mobile Access SSO when authenticated with Kerberos, and the end users belong to many user groups or user groups with very long names. |
PRJ-29138, |
Security Gateway |
The cpsicdemux process may unexpectedly exit, causing Secure Internal Communication (SIC) connection to fail. |
PRJ-26670, |
Security Gateway |
In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs. |
PRJ-26648, |
Internal CA |
UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424. |
PRJ-26525, |
Threat Extraction |
Added Update 4 of Threat Extraction Engine. Refer to sk165832. |
PRJ-26199, |
Threat Prevention |
In a rare scenario, the Security Gateway may crash when working with Anti-Virus. |
PRJ-26542, |
Threat Prevention |
In some scenarios, the IPS update status in SmartConsole is incorrect after the automatic update fails with the "Update failed. Failed to load database" error. |
PRJ-26550, |
Threat Prevention |
In a rare scenario, Security Gateway may crash due to the Threat Prevention Data Collector feature. |
PRJ-26006, |
Threat Prevention |
SSH Deep Packet Inspection (SSH DPI) may fail after upgrade to R80.40 Jumbo HotFix Take 91 or higher or after upgrade to R81. |
PRJ-28519, |
Threat Prevention |
In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed. |
PRJ-21882, |
Threat Prevention |
Policy installation fails if it contains objects with "://" text. |
PRJ-28606, |
Threat Prevention |
Large file transfer in connections inspected by SSH Deep Packet Inspection (SSH DPI) may fail if SSH renegotiation is performed during the transfer. |
PRJ-24509, |
Identity Awareness |
NEW: Added automatic mechanism to exclude service accounts on PDP gateway to improve both PDP performance and functionality. Refer to sk174266. |
PRJ-26803, |
Identity Awareness |
In a rare scenario, the Security Gateway may crash. |
PRJ-25925, |
Identity Awareness |
Optimized the PDP expired timers mechanism performance. |
PRJ-26228, |
Identity Awareness |
When the PDP Gateway is connected to multiple pre-R81 PEP Gateways, the CPU consumption may be high. Refer to sk173709. |
PRJ-23673, |
IPS |
A redundant debug message may be displayed in dmesg logs. |
PRJ-27958, |
IPS |
In some scenarios for HTTP, the Security Gateway closes a connection from the Server side, but the user side may remain open. |
PRJ-26106, |
IPS |
Security Gateway may crash when the IPS profile name is very long. Refer to sk174025. |
PRJ-26165, |
IPS |
In rare scenarios, the FWK process may unexpectedly exit when installing the policy. |
PRJ-28490, |
IPS |
An HTTP download of a large file may unexpectedly stop with an error message. |
PRJ-27259, |
IPS |
Proxy source IP address is not printed in the IPS logs. |
PRJ-27192, |
Application Control |
UPDATE: Improved matching of URLs for custom applications. |
PRJ-26741, |
SSL Inspection |
Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692. |
PRJ-30700, |
SSL Inspection, |
A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers. |
PRJ-25221, |
Mobile Access |
Improved the Portal Rendering performance in Unified Policy mode. |
PRJ-21699, |
ClusterXL |
UPDATE: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces. |
PRJ-26980, |
ClusterXL |
In some scenarios, in Load Sharing mode, the cphaprob show_bond command on the Security Management Server shows the back-up subordinate status as "Not Available". Refer to sk175469. |
PRJ-28359, |
ClusterXL |
Clock jumps forward/backward may cause some operations to fail and the cluster to go down. |
PRJ-27225, |
SecureXL |
Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the _/var/log/messages_ file. |
PRJ-24541, |
SecureXL |
In a VSX environment, the SYN Defender configuration may not be applied correctly. |
PRJ-28054, |
SecureXL |
In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly. |
PRJ-26753, |
Routing |
In some scenarios, the NetFlow Packet may report a wrong source IP Address. |
PRJ-25318, |
Routing |
In some scenarios, CPView displays incorrect values of RIP statistics. |
PRJ-27059, |
Routing |
In some scenarios, the ROUTED process may unexpectedly exit when there is a static route and a kernel route to the same destination. |
PRJ-28839, |
Routing |
In some scenarios, an outage may occur because of premature graceful-restart exit. |
PRJ-23780, |
Routing |
During the boot process "pbrroute-conf" messages may appear. Refer to sk173514. |
PRJ-27819, |
Routing |
If the interface cable is unplugged, after a failover, Border Gateway Protocol (BGP) stops receiving routes from Primary member to Secondary and back to Primary. |
PRJ-27044, |
Routing |
The ROUTED process with Ping enabled always gets reset during Clish reconfiguration. |
PRJ-26961, |
Routing |
The ROUTED process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected. |
PRJ-26969, |
Routing |
In some scenarios, the ROUTED process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time. |
PRJ-28552 |
Routing |
The checksum of PIM "register" packets may be calculated incorrectly, causing the RP router to discard a "register" packet. |
PRJ-21393, |
Routing |
Netflow packets are sent from the individual VS IP address instead of VS0. |
PRJ-25985, |
VPN |
In rare scenarios, IKE negotiation fails when using IPv6 addresses. |
PRJ-27855, |
VPN |
When deleting an entry from m_ht hash table, a memory leak may occur. |
PRJ-27682, |
VPN |
When saving the login info of the client, a memory leak may occur. |
PRJ-27678, |
VPN |
Reauthentication of the client may lead to a memory leak. |
PRJ-31029, |
VPN |
Many "remote access client IP address and port were changed" logs are generated after an upgrade. |
PRJ-27674, |
VPN |
In some scenarios, the user may not be able to connect because the CVPND process unexpectedly exits. |
PRJ-27686, |
VPN |
In a rare scenario, a memory leak may occur. |
PRJ-28264, |
VPN |
A memory leak may occur when clearing the CRL cache file. |
PRJ-28752, |
VPN |
Added IKEv2 improvement for DAIP peer. |
PRJ-26623, |
VPN |
Added VPN stability improvement in IKEv2. Refer to sk174245. |
PRJ-26436, |
VPN |
In a rare scenario, a memory leak may occur when RASession_util is active. |
PRJ-26433, |
VPN |
In a rare scenario, the IKED process stops with core dump, when using Office Mode IP allocation for clients, and users cannot connect. |
PRJ-26442, |
VPN |
In rare scenarios, a memory leak related to Gateway authentication may occur. |
PRJ-27313, |
VPN |
IPSec VPN uses the wrong source IP address when initiating NAT-T encrypted traffic. Refer to sk172805. |
PRJ-22415, |
VPN |
Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328. |
PRJ-21638, |
VPN |
VPN Logs show IP address octets in an unexpected (reversed) order. Refer to sk172807. |
PRJ-27813, |
VPN |
In some scenarios, the VPN tunnel between GCP cluster and GCP peer fails to establish. |
PRJ-24807, |
VPN |
Site to Site VPN connectivity issue when NAT is enabled. |
PRJ-25142, |
VPN |
In some scenarios, outbound traffic with NAT-T outgoing packets is sent from an incorrect link. Refer to sk176711. |
PRJ-26399, |
VPN |
Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235. |
PRJ-22118, |
VPN |
In rare scenarios, after policy installation, the VPND process may unexpectedly exit with core dump. |
PRJ-25312, |
VPN |
In rare scenarios, all traffic is dropped with "Rulebase Internal Error" in SmartLog. |
PRJ-28074, |
VPN |
A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249. |
PRJ-28377, |
VPN |
Improved VPN Site to Site tunnel establishment scenario with IKEv2. Refer to sk175092. |
PRJ-25883, |
VPN |
In some scenarios, when DAIP peer initiates IKEv2 negotiation with certificate authentication, the VPND process may unexpectedly exit. Refer to sk174665. |
PRJ-26530, |
VPN |
In some scenarios, the NAT-T traffic outages may occur after a cluster failover. Refer to sk175552. |
PRJ-28505, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-28512, |
VPN |
In some scenarios, a memory leak may occur on the Security Gateway. |
PRJ-28771, |
VPN |
In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation. |
PRJ-31147, |
VPN |
In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site. |
PRJ-31107, |
VPN |
In some scenarios, a memory leak may occur in the VPND process. |
PRJ-19969, |
VSX |
UPDATE: Removed the .1.3.6.1.4.1.2620.1.16.22.2 (vsxStatusCPUUsageTable) and .1.3.6.1.4.1.2620.1.16.22.4 (vsxStatusCPUUsagePerCPUTable) OIDs as not supported on Gaia 3.10. |
PRJ-22690, |
VSX |
This fix allows create/change a VSX cluster/Gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole. |
PRJ-19977, |
VSX |
In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793. |
PRJ-26039, |
VSX |
After upgrade, the VS names may be displayed incorrectly in the output of the "vsx stat -v" command. |
PRJ-27443, |
VSX |
Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950. |
PRJ-26926, |
Gaia OS |
NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1. |
PRJ-27709, |
Gaia OS |
UPDATE: The command "show multi-queue affinity" deprecation message was changed. |
PRJ-27695, |
Gaia OS |
When a non-TACACS user logs out from WebUI, "Cannot get pid" is printed as an error to the /var/log/messages file. |
PRJ-27000, |
Gaia OS |
Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". |
PRJ-27612, |
Gaia OS |
If NTPD service is configured in MDPS settings, NTPD error logs appear in var/log/messages after a reboot. |
PRJ-25765, |
Gaia OS |
After 248 days of up time, VMSS gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413 |
PRJ-26333, |
Gaia OS |
In some scenarios on VSX, a "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file. |
PRJ-28051, |
Gaia OS |
In some scenarios, bond interface subordinate fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00. |
PRJ-28796, |
Gaia OS |
In a rare scenario, a memory leak may occur in the monitord. |
PRJ-26640, |
Gaia OS |
When running the "set security-gateway maas on" Clish command, the "maas" shell script is executed 4 times. |
PRJ-17182, |
Gaia OS |
Last trailing zero may appear in the output of "show configuration backup-scheduled". Refer to sk169255. |
PRJ-27741, |
Harmony Endpoint |
Endpoint Firewall may start dropping all network traffic after a Management Server upgrade from R80.10 or older versions. |
PRJ-24723, |
VoIP |
In a rare scenario, the Security Gateway crashes when handling SIP traffic. |
PRJ-22500, |
VoIP |
Holding last source port table lock while searching for next free port may cause performance issues. |
PRJ-26794, |
CloudGuard Network |
In some scenarios, CloudGuard Controller fails to fetch data from the standby ACI Server when the main ACI Server is unreachable. |
PRJ-21215, |
CloudGuard Network |
The mq_mng tool does not show RX/TX packets counter statistics for the virtio_net driver. |
PRJ-26797, |
CloudGuard Network |
In some scenarios, CloudGuard IaaS Standby member cannot access the Internet. Refer to sk175108. |
PRJ-26815 |
CloudGuard Edge |
NEW: Quantum Edge Hardware type added to the drop down hardware list in SmartConsole. |
PRJ-27239, |
HCP |
Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-24088, |
HCP |
Added Update 2 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22799, |
HCP |
Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22322, |
Infrastructure |
In some scenarios, the cpmiquerybin and dbedit processes may unexpectedly exit causing buffer overflow. |
Take 125 Released on 23 September 2021 and declared as Recommended on 04 October 2021 |
||
PRJ-30574, |
Logging |
In some scenarios, on Multi-Domain servers, after installing Jumbo Hotfix Take 118, heavy API requests may fail. |
PRJ-30284 |
ClusterXL |
In VSX Load Sharing (VSLS) environment, a disconnected bond LS interface impacts all VS's at the member regardless that the interface is connected to a specific VS. |
PRJ-27977, |
Gaia OS |
A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC). |
Take 121 Released on 17 September 2021 |
||
PRJ-29752, |
Security Gateway |
In rare scenarios, the Security Gateway may failover while handling the HTTP/2 stream. |
Take 120 Released and declared as Recommended on 5 August 2021 |
||
PRJ-29385, |
Endpoint Security |
Endpoint Policy installation may fail after installing R80.40 Jumbo Hotfix Take 119. Refer to sk174846. |
Take 119 Released on 4 July 2021 |
||
PRJ-24202, |
Security Management |
NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629. |
PRJ-25033, |
Security Management |
UPDATE: If there is no license on the Security Management Server, a new verification blocks an attempt to migrate a domain. |
PRJ-25686, |
Security Management |
In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name. |
PRJ-23773, |
Security Management |
"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation. |
PRJ-24611, |
Security Management |
Incorrect Mobile Access license status upon a license change. |
PRJ-26183, |
Security Management |
When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file. |
PRJ-23884, |
Security Management |
In some scenarios, when updating Check Point Host object to be a Network Policy Management and in addition configuring it as a Secondary Server, "Publish" fails with "Action Failed due to an internal error". |
PRJ-23922, |
Security Management |
SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server. |
PRJ-21918, |
Security Management |
In some scenarios, Desktop policy fails with "Policy installation had failed due to an internal error. If the problem persists please contact Check Point support". Refer to sk171970. |
PRJ-22075, |
Security Management |
In rare scenarios, the Management Server may fail to start because Solr fails to initialize. |
PRJ-24486, |
Security Management |
In very large Management environments, Policy verification and installation may fail with FWM process core dump. Refer to sk173722. |
PRJ-21399, |
Security Management |
In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828. |
PRJ-23936, |
Multi-Domain Management |
NEW: Once a day, Multi-Domain Management servers will check for peers that are not synchronized. If such are identified, HA full sync will be automatically initiated at the MDS level. |
PRJ-23697, |
Multi-Domain Management |
Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain. |
PRJ-22638, |
Multi-Domain Management |
In rare scenarios, the Multi-Domain Management Server may fail to start if Domains were previously deleted. |
PRJ-24759, |
Multi-Domain Management |
Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x. |
PRJ-22522, |
Multi-Domain Management |
In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704. |
PRJ-24020, |
Multi-Domain Management |
In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain. |
PRJ-23434, |
Multi-Domain Management |
In some scenarios, when trying to migrate or restore a Domain and this Domain already exists, an error is shown and the existing Domain is deleted. |
PRJ-25409, |
Multi-Domain Management |
In some scenarios, HA synchronization may fail on the MDS level with the "Failed to synchronize this peer due to purged revisions in the database." message. |
PRJ-22783, |
SmartConsole |
UPDATE:
Note:
|
PRJ-23604, |
SmartConsole |
In some scenarios, a SmartTask may fail to execute its action when it is triggered for a policy installation. |
PRJ-22126, |
SmartConsole |
SmartConsole configures a default value for the IPv4 mask length of VIP interface each time a user opens the interface editor for cluster object configured in the Active-Active mode. As a result, the value configured by a user is overwritten with the default value each time the user opens the cluster object and clicks OK.
|
PRJ-20257, |
Logging |
NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323. |
PRJ-21418, |
Logging |
NEW: The Log exporter now supports formatting for RSA SIEM application. |
PRJ-25595, |
Logging |
UPDATE: The Log server now supports up to 2700 Gateways (previously was 1024). Refer to sk163413. |
PRJ-23580, |
Logging |
In some scenarios following a Multi-Domain Management Server upgrade, logs queries may not retrieve results from some CMAs\CLMs. |
PRJ-25453, |
Logging |
In rare scenarios, logs generated in the same second, with the same ID, may not show up in SmartConsole's Logs tab. |
PRJ-10357, |
Logging |
Log_indexer may unexpectedly exit on a SmartEvent server with a large number of CPUs (32 and up), and\or when the total number of log servers declared in correlation units is above 30. |
PRJ-24215, |
Logging |
In Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application. |
PRJ-12427, |
Logging |
In some scenarios, exported FireWall logs from a Security Gateway to an external syslog server (sk87560) contain a redundant new line character. |
PRJ-23204, |
Logging |
In rare scenarios, when creating a Log server object and establishing SIC, log queries from the newly created Log server object may fail. |
PRJ-22966, |
Logging |
In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention Blades, logs of "Anti Spam" Blade are not exported. |
PRJ-23009, |
Logging |
In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis. |
PRJ-23112, |
Logging |
In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done. |
PRJ-15232, |
Logging |
In SmartView, when creating a statistical table and grouping by Time, the query may fail. |
PRJ-23820, |
Logging |
In rare scenarios, when querying logs with a timeframe larger than 1 day, only 50 logs from each day will be shown. |
PRJ-16647, |
Logging |
In the SmartConsole Logs tab, the "IKE IDs" field cannot be added to column profiles. |
PRJ-23284, |
Security Gateway |
NEW: Added the "Top Connections" tool. For more information, refer to sk172229. |
PRJ-23383, |
Security Gateway |
NEW: Implemented new Fast-Accel producer. The following Fast-Accel statistics are added to CPView:
|
PRJ-10989, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560. |
PRJ-24536, |
Security Gateway |
UPDATE: Added new Dynamic Balancing Clish command to enable default number of instances. To use it, run "set dynamic-balancing state enable set_default_fw_instances". Refer to sk164155. |
PRJ-22260, |
Security Gateway |
UPDATE: Added $CPDIR/log/sic_info.elg log file to show detailed SIC errors. |
PRJ-26330, |
Security Gateway |
UPDATE: The prompt indication will show on which plane (management or data) the context is. For example:
|
PRJ-23078, |
Security Gateway |
Enhancement: Early drop optimization will work even if the UserCheck is not relevant for this connection. |
PRJ-18126, |
Security Gateway |
In some scenarios, an incorrect interface name is displayed in CPView. |
PRJ-26577, |
Security Gateway |
In rare scenarios, a Security Gateway may crash. |
PRJ-24009, |
Security Gateway |
In rare scenarios, when the "sd_global_monitor_only" property is set to "true", there is no HTTP inspection. |
PRJ-21450, |
Security Gateway |
RSA integration using SAML (Security Assertion Markup Language) protocol may not work as expected. Refer to sk171501. |
PRJ-23538, |
Security Gateway |
In some scenarios, values set in fwkern.conf may not be applied correctly. |
PRJ-20982, |
Security Gateway |
In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server. |
PRJ-23427, |
Security Gateway |
The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145. |
PRJ-24377, |
Security Gateway |
A memory leak may occur in a DNS resolving infrastructure. |
PRJ-24882, |
Security Gateway |
In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the "PSL Drop: internal - drop enabled" message was displayed. |
PRJ-21312, |
Security Gateway |
Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754. |
PRJ-36022, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 0-2000077" message. |
PRJ-21472, |
Security Gateway |
When the Security Gateway is configured as a proxy, some network objects may not be matched correctly. |
PRJ-24299, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway. |
PRJ-22879, |
Security Gateway |
In some scenarios, FWD sub-processes start with wrong CPU affinity. |
PRJ-25598, |
Security Gateway |
In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together. |
PRJ-24465, |
Security Gateway |
In a rare scenario, Security Gateway may crash when handling some DNS packets. |
PRJ-22739, |
Security Gateway |
When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may stuck. |
PRJ-24413, |
Security Gateway, |
In a rare scenario, Security Gateway may crash under heavy load during cluster failover. |
PRJ-24730, |
Security Gateway |
On rare scenarios, running "fw1 + misp" debug on cluster may cause Security Gateway to crash. |
PRJ-22944, |
Security Gateway |
In rare scenarios, policy installation fails with "gen_other_service_inspect_func: failed to find corresponding service object for <service name>" error message. |
PRJ-23948, |
Security Gateway |
In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode. |
PRJ-23041, |
Security Gateway |
In a rare scenario, Security Gateway may crash during the Application Control / IPS / Anti-Bot package update. |
PRJ-23341, |
Security Gateway |
Boot may take a long time on machines with many VLANs or secondary IP addresses. |
PRJ-20810, |
Security Gateway |
On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704. |
PRJ-22749, |
Security Gateway |
In a rare scenario, Security Gateway may crash due to log buffer corruption. |
PRJ-22624, |
Security Gateway |
In some scenarios, the VSX Cluster switch may cause a core dump. |
PRJ-26879, |
Security Gateway |
In a rare scenario, Security Gateway may crash due to log buffer corruption. |
PRJ-25906, |
Security Gateway |
In a rare scenario, machine hangs and user is unable to run any command. Refer to sk173405. |
PRJ-26015, |
Security Gateway |
In a rare scenario, a memory leak may occur in in.emaild.mta process. |
PRJ-25737, |
Security Gateway |
In some scenarios, Security Gateway may crash when ICAP client is enabled. |
PRJ-26344, |
Security Gateway |
When using Routing separation and ClusterXL, the "cphaprob -a if" command displays "mdps_tun" as "DOWN". |
PRJ-26257, |
Security Gateway |
In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg. Refer to sk173546. |
PRJ-25816, |
Security Gateway |
Added Dynamic Anti-Spoofing stability enhancements. |
PRJ-25392, |
Security Gateway |
In some scenarios, there is no match on URL Filtering rules. |
PRJ-16921, |
Security Gateway |
In rare scenarios, SmartView Monitor shows the "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206. |
PRJ-26151, |
Security Gateway |
In a rare scenario, a memory leak may occur when IPS / Anti-Bot / Anti-Virus Blade is enabled. |
PRJ-25272, |
Internal CA, VPN, Multi-Portal |
UPDATE: The IKE certificates validity period is set to 1 year by default. Refer to sk176527. |
PRJ-26139, |
Internal CA |
UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates. |
PRJ-20813, |
Threat Prevention |
Large file download with SFTP may fail when the connection is inspected. |
PRJ-17296, |
Threat Prevention |
In some conditions, the Security Gateway may crash when SSH Deep Packet Inspection (SSH DPI) and Anti-Virus are enabled. |
PRJ-23267, |
Threat Prevention |
In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing. |
PRJ-22271, |
Threat Prevention |
Improved the Threat Prevention policy installation time when installing on more than two Security gateways. |
PRJ-19557, |
Threat Prevention |
In some scenarios, "cpssh_trans_endpoint_handle_session_travers_timeout: INTERNAL ERROR" errors are displayed in the fwk.elg file when inspecting SSH traffic. |
PRJ-20484, |
Threat Prevention |
In rare scenarios, Security Gateway may crash when working with SSH. |
PRJ-25058, |
Identity Awareness |
NEW: Added new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance. The feature is disabled by default. To enable it, refer to sk128212. |
PRJ-25382, |
Identity Awareness |
UPDATE: Changed the Web-API conciliation score from 10 to 15. |
PRJ-26973, |
Identity Awareness |
UPDATE: It is now possible to configure SAML (Security Assertion Markup Language) authentication with the same Microsoft Azure AD directory for multiple Blades on the same Security Gateway. |
PRJ-25581, |
Identity Awareness |
In some scenarios, Identity Awareness with enabled Remote Access identity source constantly prints "A secondary session request was received from the same IP" message in the log and overrides the existing session. |
PRJ-22359, |
Identity Awareness |
In some scenarios, output of "pdp conn pep" command may show incorrect PEP names. |
PRJ-16186, |
Identity Awareness |
Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH). |
PRJ-25379, |
Identity Awareness |
In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492. |
PRJ-21457, |
Identity Awareness |
In some scenarios, the VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*). |
PRJ-21771, |
Application Control |
A failure log may be generated when inspecting connections to servers with certificates without a common name (CN) field. |
PRJ-19859, |
SSL Inspection |
UPDATE: Avoid sending the TLS probe during inbound inspection when it is not necessary for the SNI-based categorization. |
PRJ-21686, |
SSL Inspection |
UPDATE: Avoid sending the TLS probe during the inbound inspection when a rule is matched according to the IP address. |
PRJ-22427, |
SSL Inspection |
In some scenarios, the "Parallel TLS Sessions" and "Cache entries" CPView statistics for SSL Inspection are incorrect. |
PRJ-19856, |
SSL Inspection |
TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated. |
PRJ-24462, |
SSL Inspection |
In some scenarios, memory leaks may occur after policy installation. |
PRJ-24468, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-25173, |
SSL Inspection |
In some scenarios, when HTTPS Inspection is enabled, overall memory consumption may gradually increase. Refer to sk171280. |
PRJ-20680, |
SSL Inspection |
A table hash size may be too small for some environments and cause an increased CPU usage. |
PRJ-24781, |
Anti-Malware |
In a rare scenario, the Security gateway may crash with the "Problem with the Commit Function" error during policy installation. Refer to sk173248. |
PRJ-24120, |
IPS |
Added IPS Core Protections scan improvements for HTTP traffic. |
PRJ-22188, |
IPS |
In some scenarios, the DNS response message with record type 0 may be dropped by "Non compliant DNS" protection. |
PRJ-23928, |
Anti-Bot |
UPDATE: Anti-Bot URL cache was enhanced to support further requests. |
PRJ-23980, |
UserCheck |
Sensitive file push.js may be visible on the Security gateway. |
PRJ-24628, |
UserCheck |
In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, action fails with "An unexpected error has occured ..." error message. |
PRJ-22332, |
Mobile Access |
In some scenarios, the VPND process unexpectedly exits in SNX Application Mode. |
PRJ-23092, |
Mobile Access |
In some scenarios, FWK process unexpectedly exits due to SNX authorization timeout in MAB's Unified Policy mode. Refer to sk173125. |
PRJ-23653, |
Mobile Access |
Remote Access session may not be synced on the standby member VS. |
PRJ-24687, |
Mobile Access |
In some scenarios, the HTTPD process consumes a high CPU causing slowness in access to web applications. |
PRJ-23731, |
Mobile Access |
In some scenarios, when configuring the "X-Forwarded-For" header to MAB reverse proxy, the header is passed in reverse order. |
PRJ-25104, |
ClusterXL |
Data connections from the Standby member of an Active-Standby cluster may be dropped on the stealth rule when "fwha_cluster_hide_active_only" is set to 1. |
PRJ-27788, |
ClusterXL |
Log shows that CCP encryption fails on each policy installation. |
PRJ-24145, |
SecureXL |
UPDATE: Firewall debug drop template message now indicates the rule ID the template was created from. |
PRJ-24015, |
SecureXL |
Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition. |
PRJ-23460, |
SecureXL |
A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns". |
PRJ-17461, |
SecureXL |
SecureXL keeps forwarding packets in VSX bridge mode when the member is down. Refer to sk169495. |
PRJ-24652, |
SecureXL |
In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file. |
PRJ-23848, |
SecureXL |
In some non-VPN scenarios, MSS Adjustment (Clamping) does not work. |
PRJ-25510, |
SecureXL |
In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode. |
PRJ-22785, |
SecureXL |
In a rare scenario, Security Gateway may crash after running the "fwaccel tab -t connections" command. |
PRJ-23272, |
CoreXL |
In some scenarios, the "fw ctl affinity" command on MPDS Dplane does not show the Mplane Multi-Queue interfaces. |
PRJ-24477, |
Routing |
UPDATE: Allow "set bgp internal peer <value> send-route-refresh" commands. |
PRJ-23249, |
Routing |
VRRP member freezes when deleting a VLAN interface. Refer to sk106226. |
PRJ-24970, |
Routing |
Graceful restart has been enhanced to tolerate a non-standard behavior by peers of closing BGP connection before getting established. |
PRJ-24716, |
Routing |
In OSPF environment, the ROUTED process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss. |
PRJ-25041, |
Routing |
In a rare scenario, the ROUTED process unexpectedly exits when creating an MFC (S,G) entry. Refer to sk176685. |
PRJ-23741, |
Routing |
After restarting OSPF with the "restart ospf instance default" command, OSPF may not redistribute routes until making a configuration change. |
PRJ-25995, |
Routing |
In some scenarios, the monitored IP option "force-if-symmetry" does not detect the asymmetric ping properly. |
PRJ-24388, |
Routing |
In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with a "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message. |
- |
VPN |
Hardened the ability to use narrowed IKEv2 tunnels. For more information, refer to sk166417. |
PRJ-25493 |
VPN |
UPDATE: Added support for Security Assertion Markup Language (SAML) authentication on more than one VS in VSX. Refer to sk172909. |
PRJ-23763, |
VPN |
UPDATE: Option 3 of the "vpn tu" command shows now the realm name and if the authentication was performed with the server certificate. |
PRJ-24816, |
VPN |
UPDATE: Added VPN improvements in IKEv2:
|
PRJ-24916, |
VPN |
UPDATE:
|
VPNS2S-2313 |
VPN |
"Invalid ID information" message may be displayed when peer is 3rd party and Link selection is overridden. |
VPNS2S-2313 |
VPN |
IKEv2 may cause the VPND process to unexpectedly exit when IKEv2 rekey uses certificates. |
VPNS2S-2313 |
VPN |
|
PRJ-22543, |
VPN |
Added stability fix in validation checks for ECDSA certificates. |
PRJ-24252, |
VPN |
In some scenarios, the TTM (Transform Template) file is not loaded when there are no TTM groups for the user. |
PRJ-26349, |
VPN |
If SSL Inspection or other Blades that use the CPAS infrastructure is enabled, a call trace warning is displayed in dmesg when the cpstop command is issued. |
PRJ-23938, |
VPN |
When the Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not be removed from the table. |
PRJ-15569 |
VPN |
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address. |
PRJ-26341, |
VPN |
In some scenarios, Phase 2 NULL encryption in IKEv2 fails with "Received notification from peer: No proposal chosen" message in the log. |
PRJ-25235, |
VPN |
Added improvements for DAIP gateway behind Hide NAT and ROBO peer gateways. |
PRJ-26267, |
VPN |
In some scenarios in MEP configuration, failover to available MEP members may fail. |
PRJ-26929, |
VPN |
In some scenarios, the VPND process unexpectedly exits after installing the policy. |
PRJ-23985, |
VPN |
In some scenarios, the he VPND process may unexpectedly exit producing a core dump. |
PRJ-23974, |
VPN |
In some scenarios, the IKED process unexpectedly exits producing a core dump. |
PRJ-24860, |
VPN |
The VPND process may unexpectedly exit when cipher priority configuration is invalid. Refer to sk173083. |
PRJ-25489, |
VPN |
In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266. |
PRJ-24890, |
VPN |
In some scenarios, the "Global param: operation failed: Unknown parameter (param name vpn_cluster_on_aws)" cosmetic error may appear in dmesg. |
PRJ-21942, |
VPN |
In some scenarios, VPN Remote Access users are disconnected after policy installation. Refer to sk171966. |
PRJ-14272, |
VPN |
Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type. |
PRJ-22528, |
VPN |
When Multiple Factor Authentication is configured with DynamicID , VPN clients may receive four password prompts. Refer to sk144932. |
PRJ-24402, |
VPN |
In some scenarios, DAIP gateways may be identified as Remote Access, causing the connection to fail. Refer to sk173417. |
PRJ-25053, |
VPN |
In some scenarios, a user may not be able to connect because the VPND process unexpectedly exits. |
PRJ-25133, |
VPN |
In some scenarios, the VPN Remote Access client cannot reconnect after changing the authentication method. |
PRJ-26204, |
VPN |
MEP failover with 3rd party vendors may not work correctly. |
PRJ-25333, |
VPN |
In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug. |
PRJ-21431, |
Gaia OS |
NEW: Added support for hardware (sensors/NICs) data auto-update. |
PRJ-25718, |
Gaia OS |
UPDATE: The Multi-Queue (MQ) enhancement by IPSEC SPI is now supported out of the box on CPAC-4-10F-C appliance NICs (i40e driver, X710 controller). |
PRJ-26747, |
Gaia OS |
The raid_diagnostic command fails on Smart-1 3050/3150/5050/5150 appliances. Refer to sk173788. |
PRJ-23329, |
Gaia OS |
The "snmptable" command may fail to fetch data via SNMP producing core dump. Refer to sk172824. |
PRJ-23421, |
Gaia OS |
The administrator cannot force a password change to users with UID 0. |
PRJ-26756, |
Gaia OS |
In some scenarios, the first packet of any protocol is dropped if there is no ARP cache entry in the ARP table for that destination. Refer to sk173933. |
PRJ-24173, |
Gaia OS |
In rare scenarios, the Security Gateway may crash during tcpdump. Refer to sk141412. |
PRJ-23614, |
Gaia OS |
In rare scenarios, there is a difference between the value of "Packets" in the output of "ifconfig <interface name>" and "show interface <interface name> statistics" commands. |
PRJ-24493, |
Gaia OS |
In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827. |
PRJ-24596, |
Gaia OS |
When the RADIUS server uses a multi-pool "Access Challenge", the system sends many authentication requests without waiting. |
PRJ-25669, |
Gaia OS |
In some scenarios, the driver's (i40e) response time for MQ settings takes a too long time. |
PRJ-26328, |
Gaia OS |
When using routing separation, Clish configuration for the management plane may be missing. |
PRJ-23967, |
VSX |
UPDATE: Added ability to change the Management and Sync interfaces via vsx_util change_interfaces. |
PRJ-23828, |
VSX |
In rare scenarios, the Wrp interface may not come up. Refer to sk171753. |
PRJ-24382, |
VSX |
In rare scenarios, when the VSX cluster experiences an outage, the FWK process generates a core dump file. |
PRJ-23483, |
VoIP |
In some scenarios, the "sip_increase_opq_rnum: Error - number of reinvites exceeded the limit" message that indicates the malfunction SIP flow is printed in SIP debug. |
PRJ-24293, |
Smart-1 Cloud |
Added Update 1 of Quantum Smart-1 Cloud Release. Refer to sk166056. |
PRJ-23379, |
CloudGuard Network |
The SNMP response may show incomplete values. |
PRJ-25378, |
CloudGuard Network |
CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways. |
PRJ-21718, |
CloudGuard Azure |
Improved performance consistency (with Multi-Queue) after the Microsoft Azure Maintenance event. |
PRJ-23132, |
IoT |
NEW: Added new features:
|
- |
IoT |
UPDATE: If the recommended-policy includes some illegal rules, an IoT layer will be created with the legal rules only and the user will be notified with a warning about the illegal ones. |
PRJ-24280, |
Endpoint Security |
In some scenarios, the "Included Blades" tab in the SmartEndpoint Package repository for Dynamic Package is empty. |
PRJ-25728, |
QoS |
A memory leak may occur when using domain names in QoS policy rules. |
Take 118 Released on 10 May 2021 and declared as Recommended on 25 May 2021 |
||
PRJ-25688, |
Security Gateway |
In some scenarios, "dst_release: dst:ffff88052d4c68c0 refcnt:-480" messages may be printed in dmesg regarding HTTPS traffic when SSL Inspection Blade is enabled. |
PRJ-25944, |
ClusterXL |
In some scenarios, the user cannot run any dynamic routing or install any static routes, including the default route. |
PRJ-25396 |
Gaia OS |
When using routing separation and configuring interface in Clish the "Can't read "NSID": no such variable" error may be displayed. Refer to sk173364. |
Take 114 Released on 25 April 2021 |
||
PRJ-29847, |
Diagnostics |
In some scenarios, CPView shows the SNMP data partially. |
PRJ-32481 |
Diagnostics |
In some scenarios on VSX, a "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file. |
PRJ-31056, |
Upgrade Tools |
In rare scenarios, an upgrade or migration may fail due to missing temporary files. |
PRJ-29295, |
Security Management |
NEW: Added Multi-Domain Server (MDS) level support for exporting data from the Gateways and Servers view into a CSV file. |
PRJ-24930, |
Security Management |
UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB. |
PRJ-29236, |
Security Management |
UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information. |
PRJ-31073, |
Security Management |
UPDATE: Added an environmental variable to control the sduu command timeout in the FWM process: SDUU_UPDATE_TIMEOUT. |
PRJ-30049 |
Security Management |
UPDATE: In order to prevent SHA-1 vulnerabilities, Management Server no longer supports SHA-1 cipher suites in SSL communication. |
PRJ-32891, |
Security Management |
UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165. |
PRJ-34960 |
Security Management, |
UPDATE: The Apache Log4j Java library is updated in order to harden the system. Check Point products are not vulnerable to Log4j. This change is motivated by cyber hygiene best practices. For more information, refer to sk176865. |
PRJ-32801, |
Security Management |
The mgmt_cli tool (API) with certificate login may not work. |
PRJ-25279, |
Security Management |
In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005. |
PRJ-21876, |
Security Management |
In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer. |
PRJ-22422, |
Security Management |
Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and a different Domain name is used for the second attempt. |
PRJ-23123, |
Security Management |
Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270. |
PRJ-25196, |
Security Management |
The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used. |
PRJ-23851, |
Security Management |
Management Server upgrade may fail if there is a large amount of customized column profiles in the Logs View. |
PRJ-21787, |
Security Management |
In some scenarios, the output of the "cpmistat" command may contain partial information. |
PRJ-23953, |
Security Management |
In some scenarios, if changes were done before installing Jumbo Hotfix, revert or login to the last published session may fail. |
PRJ-29304, |
Security Management |
In environments with a large number of objects, licenses for cluster members in the Licenses tab may not be displayed. |
PRJ-30053, |
Security Management |
In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007. |
PRJ-29967, |
Security Management |
In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X. |
PRJ-29897, |
Security Management |
In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". |
PRJ-30018, |
Security Management |
In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error. |
PRJ-28900, |
Security Management |
When searching IP addresses using logical operators (AND / OR), the results may be incorrect:
Some matched objects may be missing, while some unmatched objects may be present. |
PRJ-29187, |
Security Management |
In a rare scenario, High Availability full synchronization may fail due to a large number of records. |
PRJ-29157, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-30883, |
Security Management |
In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file. |
PRJ-29468, |
Security Management |
In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866. |
PRJ-29198, |
Security Management |
After an upgrade from R77.x. in a Multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message. |
PRJ-28298, |
Security Management |
In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase. |
PRJ-28535, |
Security Management |
In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error. |
PRJ-28156, |
Security Management |
In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server. |
PRJ-28784, |
Security Management |
In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes. |
PRJ-30099, |
Security Management |
In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it. |
PRJ-30386, |
Security Management |
In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930. |
PRJ-27763, |
Security Management |
The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level. |
PRJ-26780, |
Security Management |
In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245. |
PRJ-28063, |
Security Management |
In rare scenarios:
|
PRJ-27485, |
Security Management |
Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. |
PRJ-28815, |
Security Management |
In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full". |
PRJ-26735, |
Security Management |
In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message. |
PRJ-29909, |
Security Management |
In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule. |
PRJ-20591, |
Security Management |
In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail. |
PRJ-31741, |
Security Management |
In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain. |
PRJ-31081, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server unexpectedly exits. |
PRJ-30336, |
Security Management |
When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down. |
PRJ-29157, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-22265, |
Security Management |
In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. |
PRJ-32091, |
Security Management |
When searching an IP address in Object Explorer, network objects with both IPv6 and IPv4 configured may not appear in the results, although they match the IP address. |
PRJ-28168, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect sessions handling. |
PRJ-32108, |
Security Management |
Policy installation may fail if more than 20,000 objects are created and added to rules. |
PRJ-32649, |
Security Management |
In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database. |
PRJ-31671, |
Security Management |
In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time. |
PRJ-30680, |
Security Management |
Policy installation with Directional VPN rules may fail with a verification error. |
PRJ-32994, |
Security Management |
Upgrade of Management Server from R80.10 to R80.40 may take a long time for large environments. |
PRJ-30067, |
Security Management |
|
PRJ-29508, |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805. |
PRJ-33463, |
Security Management |
While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the configuration tab. |
PRJ-34079, |
Security Management |
In some scenarios, after running an Ansible playbook, objects are locked even though they were not changed. |
PRJ-34504, |
Security Management |
The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204. |
PRJ-33552, |
Security Management |
When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead. |
PRJ-30350, |
Multi-Domain Management |
During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface. |
PRJ-21830, |
Multi-Domain Management |
In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file. |
PRJ-27345, |
Licensing |
In a rare scenario, the licensing status in SmartConsole is displayed incorrectly. |
PRJ-29310, |
SmartConsole |
The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911. |
PRJ-30520, |
Compliance |
The Compliance report in SmartConsole may show an incorrect policy name. |
PRJ-22892, |
CPView |
In some scenarios, SNMP statistics per VS may not be displayed in CPView. |
PRJ-32978, |
CPView |
In Overview, some data about disk space may be missing. |
PRJ-26307, |
Logging |
In rare cases, in SmartConsole, some logs are not shown. |
PRJ-30689, |
Logging |
UPDATE: The default timeframe for logs queries using the SmartConsole's Logs tab is set to "Last 24 Hours".
|
PRJ-32085, |
Logging |
A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic. |
PRJ-13743, |
Logging |
The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces. |
PRJ-22345, |
Logging |
In SmartView, the "Duration" field is missing from Reports and Views. |
PRJ-17260, |
Logging |
In SmartConsole:
|
PRJ-16985, |
Logging |
In a rare scenario, Application Control events may not be displayed in SmartEvent. |
PRJ-16282, |
Logging |
In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430. |
PRJ-29029, |
Logging |
In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report. |
PRJ-25832, |
Logging |
The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access Blade is enabled on the Gateway. |
PRJ-25622, |
Logging |
In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452). |
PRJ-25440, |
Logging |
On the Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message and the FWM process is running with a high CPU. Refer to sk167239. |
PRJ-24523, |
Logging |
In a low log rate, there may be a delay in exporting logs using the Log Exporter. |
PRJ-27616, |
Logging |
The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event. |
PRJ-28340, |
Logging |
In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority. |
PRJ-26030, |
Logging |
In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323. |
PRJ-28323, |
Logging |
In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing. |
PRJ-26681, |
Logging |
Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field. |
PRJ-19838, |
Logging |
On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928. |
PRJ-23313, |
Logging |
Daily Log/Indexes Maintenance does not delete old index files from $RTDIR/log_indexes if they contain files or subdirectories with a format different than %Y-%m-%d. |
PRJ-32028, |
Logging |
In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log. |
PRJ-30663, |
Logging |
Refer to sk176644. |
PRJ-25653, |
Logging |
When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message. |
PRJ-29575, |
Security Gateway |
NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default. |
PRJ-31489, |
Security Gateway |
NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890. |
PRJ-30981, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560. |
PRJ-32072, |
Security Gateway |
UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6. |
PRJ-30588 |
Security Gateway |
UPDATE: For CPU Spike Detective:
|
PRJ-31275, |
Security Gateway |
UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229. |
PRJ-34449, |
Security Gateway |
UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode. |
PRJ-25307 |
Security Gateway |
UPDATE: Added the "Configure Hyper-Threading" option to the cpconfig command. |
PRJ-29093, |
Security Gateway |
In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
PRJ-29587, |
Security Gateway |
In a rare scenario, Security Gateway may crash. |
PRJ-31217, |
Security Gateway |
When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887. |
PRJ-29129, |
Security Gateway |
In rare scenarios, policy installation may fail with an "Operation failed, install/uninstall has been improperly terminated" message. |
PRJ-29419, |
Security Gateway |
In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673. |
PRJ-30011, |
Security Gateway |
In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up. |
PRJ-29504, |
Security Gateway |
In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues. |
PRJ-20627, |
Security Gateway |
Running the "threshold_config" command may cause the CPD process to consume a high CPU. |
PRJ-27650, |
Security Gateway |
Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section. |
PRJ-32574, |
Security Gateway |
When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted. |
PRJ-26583, |
Security Gateway |
In a rare scenario, CPView may show incorrect SecureXL statistics per VS. |
PRJ-30684 |
Security Gateway |
In some scenarios, when using Suspicious Activity Monitoring (SAM) rules with source and destination networks or with a NATed IP, "matched rule is not found" errors appear. |
PRJ-31967, |
Security Gateway |
In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP. |
PRJ-30179, |
Security Gateway |
In a rare scenario, policy push to multiple Security Gateways may fail. |
PRJ-30613, |
Security Gateway |
In rare scenarios, when SACK is enabled, there may be connectivity issues. |
PRJ-26964, |
Security Gateway |
Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS). |
PRJ-22014, |
Security Gateway |
When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may hang. |
PRJ-30250, |
Security Gateway |
Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log. |
PRJ-30669, |
Security Gateway |
In rare scenarios, when a Security Gateway is configured as Proxy, a wrong NAT port reuse may happen for 5 minutes long proxied connections. |
PRJ-30041, |
Security Gateway |
If wstunnel loses connectivity, after several attempts it may unexpectedly exit and not restart. Refer to sk166056. |
PRJ-25149, |
Security Gateway |
In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections. |
PRJ-32336, |
Security Gateway |
Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message. |
PRJ-29697, |
Security Gateway |
In rare a scenario, a memory leak may occur with "cpas_streamh_init_from_cookie failed" printed in /var/log/messages. |
PRJ-33359, |
Security Gateway |
First policy installation after an upgrade may be followed by a warning message: "Updatable Objects are used in the policy but Gateway package is missing (see sk121877)". |
PRJ-33081, |
Security Gateway |
Extended logging may show a wrong status of Content Awareness Blade. The issue is only cosmetic. |
PRJ-33512, |
Security Gateway |
CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic. |
PRJ-27609, |
Security Gateway |
A debug message may be printed as an error. |
PRJ-17572, |
Security Gateway |
The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424. |
PRJ-32051, |
Security Gateway |
In a rare scenario, the Security Gateway may crash during policy installation. |
PRJ-31016, |
Internal CA |
In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start. |
PRJ-24986, |
Threat Prevention |
UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300. |
PRJ-28679, |
Threat Prevention |
UPDATE: Added an option to remove proxy usage in ioc_feeds tool. |
PRJ-24253, |
Threat Prevention |
UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types. |
PRJ-22397, |
Threat Prevention |
The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS Blade is disabled. Refer to sk172903. |
PRJ-29925, |
Threat Prevention |
Threat Prevention policy installation may fail when loading 2 IoC feeds that contain the same signature name for one of the observables. |
PRJ-28937, |
Threat Prevention |
Improved telemetry for Infinity Vision SOC. |
PRJ-29035, |
Threat Prevention |
In some scenarios, loading Custom Intelligence Feeds that include an IP address with a subnet mask of 32 bits (x.x.x.x/32) may fail. |
PRJ-27750, |
Threat Prevention |
When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages. |
PRJ-28763, |
Threat Prevention |
In some scenarios, when using OpenSSH 8.2 Server, file download fails after starting the transfer. |
PRJ-28136, |
Threat Extraction |
In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg. |
PRJ-29489, |
Identity Awareness |
UPDATE:
|
PRJ-30497, |
Identity Awareness |
UPDATE: Enhanced Identity Sharing SmartPull mechanism for large scale environments. |
PRJ-29613, |
Identity Awareness |
In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables. |
PRJ-29399, |
Identity Awareness |
Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull. |
PRJ-27941, |
Identity Awareness |
In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105. |
PRJ-30991, |
Identity Awareness |
In a rare scenario, the priorities defined in User Directory (Gateway level) override the default Domain Controller (DC) priorities defined in the LDAP Account unit. Servers with priority above 1000 are not ignored, although they should be. |
PRJ-32120, |
Identity Awareness |
An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher. |
PRJ-32871, |
Identity Awareness |
When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause one of the members to go down with a configuration pnote. |
PRJ-29768, |
URL Filtering |
In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped. |
PRJ-29940, |
IPS |
In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash. |
PRJ-28738, |
IPS |
In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588. |
PRJ-28244, |
IPS |
In some scenarios, HTTP Parser in the CPView statistics may show incorrect values for connections with more than 50 sessions. |
PRJ-23347, |
IPS |
The track logging configuration of Network Quota protection is not applied. |
PRJ-30425, |
DLP |
The dlpu process may unexpectedly exit with core dump file. |
PRJ-29191, |
Anti-Bot |
UPDATE: Improved performance of Anti-Bot URL Reputation. |
PRJ-31172, |
SSL Inspection |
A memory leak, related to TLS probing, may occur in the WSTLSD process. |
PRJ-31166, |
SSL Inspection |
In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur. |
PRJ-29475, |
SSL Inspection |
In some scenarios, a memory leak may occur when creating ECDHE keys. |
PRJ-30459, |
SSL Inspection |
In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout. |
PRHF-20458 |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file. |
PRJ-33406, |
SSL Inspection |
In rare scenarios, TLS probing connections may remain open for extended periods. |
PRJ-32883, |
SSL Inspection |
When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation. |
PRJ-31182, |
Mobile Access |
UPDATE: Upgraded JQuery library version (from 1.1 to 3.6). |
PRJ-27296, |
Mobile Access |
In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit. |
PRJ-29275, |
Mobile Access |
In some scenarios, a memory leak may occur in the CVPND process. |
PRJ-28257, |
Mobile Access |
In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client. |
PRJ-30381, |
ClusterXL |
In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize. |
PRJ-32470, |
ClusterXL |
Added Syslog support for Cluster events messages. |
PRJ-30818, |
SecureXL |
In a rare scenario, after an upgrade, HTTPS traffic may be dropped. |
PRJ-26952, |
SecureXL |
TCP packets may be dropped as "TCP out of state" although following sk11088. |
PRJ-32939, |
SecureXL |
In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed. |
PRJ-24056, |
Routing |
In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts. |
PRJ-31126, |
Routing |
In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending. |
PRJ-29319, |
Routing |
AS path loops may occur, although BGP multihop is configured. |
PRJ-28957, |
Routing |
The ROUTED process may unexpectedly exit when OSPF is configured with the "IsMaxAgeLSAEntry()" assert. |
PRJ-31486, |
Routing |
In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603. |
PRJ-29496, |
Routing |
BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer. |
PRJ-33355, |
Routing |
|
PRJ-32595, |
VPN |
In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue. |
PRJ-32518, |
VPN |
Improved establishing IKEv2 tunnel with DAIP peer. |
PRJ-31472, |
VPN |
UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic. |
PRJ-29296, |
VPN |
Added VPN IKEv2 improvements. |
PRJ-29532, |
VPN |
RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode. |
PRJ-29482, |
VPN |
A memory leak may occur in the VPND process in IKEv2 Site to Site VPN. |
PRJ-28559, |
VPN |
In some scenarios, when sending the SCV drop log, a memory leak may occur. |
PRJ-28574, |
VPN |
In some scenarios, Server connections to Remote Access L2TP clients may be unstable. |
PRJ-29592, |
VPN |
In a rare scenario, the IKEv2 negotiation appears successful, although it failed. |
PRJ-30329, |
VPN |
In some scenarios, IKEv2 tunnel may not work due to SA expiration. |
PRJ-30764, |
VPN |
In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file. |
PRJ-31289, |
VPN |
Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417. |
PRJ-32365, |
VPN |
Improved IKEv2 narrowing. |
PRJ-33833, |
VPN |
In rare scenarios, when SSL Network Extender (SNX) is in Application Mode, the VPND process may unexpectedly exit. |
PRJ-30956, |
VPN |
Improvements for DAIP Gateway behind Hide NAT. |
PRJ-30648, |
VPN |
A machine-only tunnel cannot be established when VPN default realm is disabled. |
PRJ-28268, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-32549, |
VPN |
A memory leak may occur during Office Mode IP allocation. |
PRJ-30755, |
VPN |
In a rare scenario, when NAT is enabled, Route Based VPN traffic may be dropped. |
PRJ-31587, |
VPN |
In some scenarios, VPN tunnels statuses in SmartView Monitor are displayed incorrectly. |
PRJ-22482, |
VSX |
In some scenarios, running the snmpwalk command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064. |
PRJ-29552, |
VSX |
After a reboot, the VS's clish static ARPs configuration exists, but the static ARPs may be missing. |
PRJ-27969, |
VSX |
When querying a VS for "sysObjectID" viaSNMP, a generic netSNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check Point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62"). |
PRJ-30314, |
Gaia OS |
NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-30275, |
Gaia OS |
UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes. |
PRJ-30203, |
Gaia OS |
UPDATE: Added a Clish command "add/show/delete ntp interface" to choose to which interfaces the NTP daemon shall bind. |
PRJ-17613, |
Gaia OS |
When adding an SSH host key, it will not be displayed because the total length of the command line cannot contain more than 512 characters. |
PRJ-33507, |
Gaia OS |
Possible vulnerability in WebUI GUI Clients. |
PRJ-31753, |
Gaia OS |
In some scenarios, after adding an SNMP USM user, the confd process may unexpectedly exit. |
PRJ-33687, |
Gaia OS |
Potential vulnerability related to specific Gaia API command on VSX systems. |
PRJ-33871 |
Gaia OS |
Enhanced SNMP module stability. |
PRJ-21922, |
Gaia OS |
An error regarding MTU failing to transmit 6000+ units may be displayed. |
PRJ-24328, |
Harmony Endpoint |
Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM Blade is not activated. |
PRJ-25250, |
Harmony Endpoint |
In some scenarios, the Policy Server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates. |
PRJ-30518, |
Harmony Endpoint |
In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://". |
PRJ-29971, |
Harmony Endpoint |
In some scenarios, a query which counts host_ckp objects may return more results than expected. It leads to a memory leak with the "Out Of Memory" error. |
PRJ-32389, |
VoIP |
When using SIP, memory usage may increase over time on Active and Standby members. |
PRJ-29985, |
CloudGuard Network |
UPDATE: When there are Data Centers without imported objects, CloudGuard Controller will show the warning status in SmartConsole and in the output of the "cpstat vsec" command. |
PRJ-27771, |
CloudGuard Network |
Amazon Web Services (AWS) Data Center scan may fail and no updates are sent to the Security Gateway. |
PRJ-31771, |
CloudGuard Network |
In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway. |
PRJ-32230, |
CloudGuard Network |
The "vsec_lic_cli update" command now supports IP change in the license string. |
PRJ-32753, |
CloudGuard Network |
After an upgrade, the AWS Gateway or Google Cloud Platform (GCP) may lose access to the Serial Console. |
PRJ-27034, |
QoS |
In a rare scenario, when QoS is enabled, in SmartView Monitor, some traffic may be shown as "No Match". |
PRJ-30234, |
QoS |
In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs. |
PRJ-30015, |
HCP |
Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-29410, |
Infrastructure |
Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452. |
PRJ-22353, |
Infrastructure |
UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias. |
Take 102 Released on 14 April 2021 and declared as Recommended on 21 April 2021 |
||
PRJ-24912, |
Security Management |
"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026. |
PRJ-24582, |
Identity Awareness |
In some scenarios, a Security gateway may crash after Take 100 installation due to Identity Awareness specific flow. |
PRJ-23357, |
Gaia OS |
UPDATE: Upgraded OpenSSL to 1.1.1k to fix CVE-2021-3449 and add the latest security improvements. Refer to sk172983. |
Take 100 Released on 17 March 2021 |
||
PRJ-21006, |
Security Management |
NEW: Improved FWM process performance during Security policy or database installation. |
PRJ-20072, |
Security Management |
NEW: Optimized the Solr build time to improve performance in the following operations:
|
PRJ-20031, |
Security Management |
UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published. |
PRJ-20450, |
Security Management |
UPDATE: Added validation to block migration of a Domain to a Security Management if the Domain is assigned to the Global Domain. |
PRJ-21872, |
Security Management |
UPDATE: Added Update 8 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109. |
PRJ-20855, |
Security Management |
Management Server upgrade from R80.20 to R80.40 may fail if a Network Interface object refers to a Gateway object that does not exist. |
PRJ-20842, |
Security Management |
When migrating a Domain Management Server to a Security Management Server:
|
PRJ-20304, |
Security Management |
In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error. |
PRJ-21586, |
Security Management |
In rare cases, the CPM Solr process may not be stopped when running cpstop or mdsstop. |
PRJ-16926, |
Security Management |
Migrate of Security Management to a Domain on a Multi-Domain Server may fail if a previous migration attempt of the same Security Management already failed and a different Domain name was used for the second attempt. |
PRJ-20765, |
Security Management |
High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches. |
PRJ-20995 |
Security Management |
In rare scenarios, the initiation of the Management server may take a long time. |
PRJ-21359, |
Security Management |
In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole. |
PRJ-21591, |
Security Management |
Although the Access Settings of the Management API is set to "All IP addresses", the API server does not accept requests from any IP address unless the IP is defined explicitly as a Trusted Client. |
PRJ-17789, |
Security Management |
In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT. |
PRJ-20887, |
Security Management |
In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view. |
PRJ-20804, |
Security Management |
In some scenarios, delete partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains. |
PRJ-15744 |
Multi-Domain Management |
UPDATE: When running Reassign Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in queue of the local server due to other tasks that are running. |
PRJ-21275, |
Multi-Domain Management |
In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059. |
PRJ-19995, |
Multi-Domain Management |
After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional:
|
PRJ-16910, |
Multi-Domain Management |
When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work. |
PRJ-21213, |
Multi-Domain Management |
Migration of a Domain assigned to a Global Domain may fail with the "Dynamic object: |
PRJ-22276, |
Multi-Domain Management |
In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916. |
PRJ-19721, |
Multi-Domain Management |
The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.
|
PRJ-20786, |
SmartConsole |
When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing. |
PRJ-20951, |
SmartConsole |
After a network interface is removed by cluster API, a network group assigned to that interface remains as used by cluster members and cannot be deleted. |
PRJ-20910, |
SmartConsole |
In some scenarios, deleting a policy fails. |
PRJ-21389, |
SmartConsole |
Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.). |
PRJ-20240, |
SmartConsole |
When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found". |
PRJ-20315, |
SmartConsole |
In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895. |
PRJ-19141, |
SmartConsole |
In some scenarios, the "add-user" API command with authentication method TACACS+ or RADIUS Server fails with "object not found" message. Refer to sk170325. |
PRJ-19931, |
SmartConsole |
In rare scenarios, the "Show Policy Package" tool and some Management API commands with details-level "full" may fail when UTM cluster is part of the policy targets. |
PRJ-21525 |
SmartConsole |
In a rare scenario, Automatic NAT rules are not visible in SmartConsole. |
PRJ-18922, |
SmartConsole |
In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435. |
PRJ-21159, |
SmartConsole |
If there is an HTTPS Inspection layer that is not used in the policy, policy installation may fail with the "Internal error" message. |
PRJ-20874, |
SmartView |
UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel. |
PRJ-18860, |
Logging |
NEW: Added support for Endpoint Forensics reports to get-attachment API. |
PRJ-12202, |
Logging |
In some scenarios, the "Failed to fetch the file" error is displayed when trying to open Threat Emulation summary reports generated by VSX Gateways. |
PRJ-20563, |
Logging |
In rare scenarios, the Log Exporter fails to connect to external destination when using the TLS protocol. |
PRJ-17356, |
Logging |
FWM and\or log_indexer processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452. |
PRJ-21155, |
Logging |
In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments. |
PRJ-10292, |
Logging |
In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676. |
PRJ-19010, |
Logging |
In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196. |
PRJ-20091, |
Security Gateway |
UPDATE: Service with source port in the Access rulebase will no longer disable accept templates for all connections. |
PRJ-18487, |
Security Gateway |
In some scenarios, repeating "fwx_alloc_global_find_free_port_atomic: rtsp pending port doesn't match the same pool" errors are displayed in dmesg when using Hide NAT with VoIP. |
PRJ-19585, |
Security Gateway |
In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic. |
PRJ-19704, |
Security Gateway |
In rare scenarios, a memory leak may occur in TOPOD process. |
PRJ-19851, |
Security Gateway |
In some scenarios, a memory leak may appear after sending a packet from the kernel. |
PRJ-20900, |
Security Gateway |
In some scenarios, the DNS requests from the Security gateway may fail. |
PRJ-20632, |
Security Gateway |
In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server. |
PRJ-20655, |
Security Gateway |
Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and wrong username/password provided by user. |
PRJ-20955, |
Security Gateway |
In some scenarios, logs with incorrect action are generated by ICAP server. |
PRJ-20385, |
Security Gateway |
In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher. |
PRJ-21111, |
Security Gateway |
Authentication may fail when LDAP branch name contains "\". |
PRJ-11205, |
Security Gateway |
In some scenarios, traffic that is matched on implied rule is dropped while it should not. |
PRJ-21021, |
Security Gateway |
In rare scenarios, proxy ARP entries may be deleted when installing a policy. |
PRJ-21361, |
Security Gateway |
Traffic may be dropped when the Hide NAT is configured on IPv6 host. |
PRJ-20340, |
Security Gateway |
In rare scenarios, passive FTP packets may be dropped. |
PRJ-19307, |
Threat Extraction |
UPDATE: Threat Extraction (Sanitization) will be automatically disabled when Infinity Threat Prevention mode is installed while the machine does not have enough resources (RAM). |
PRJ-17874, |
HTTPS Inspection |
UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:
For configuration, refer to sk173633. |
PRJ-20407, |
Identity Awareness |
NEW: Added the Identity Awareness performance and memory consumption improvements. Refer to sk170516. |
PRJ-20862, |
Identity Awareness |
In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch. |
PRJ-23655, |
Identity Awareness |
In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492. |
PRJ-20847, |
Identity Awareness |
In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136. |
PRJ-20348, |
IPS |
In a rare scenario, the SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally. |
PRJ-20096, |
DLP |
UPDATE: Added support for multi-part data to DLP. |
PRJ-20838, |
DLP |
Improved DLP scanning for POST request to some Web sites. |
PRJ-18842, |
SSL Inspection |
In rare scenarios, a memory leak may occur during policy installation. |
PRJ-20936, |
SSL Inspection |
The AES-NI (Intel Advanced Encryption Standard New Instructions) status is not displayed and "dmesg | grep AES-NI" returns no output. Refer to sk170779. |
PRJ-18596, |
Anti-Malware |
In a rare scenario, Security gateway may crash when the Threat Prevention Forensics feature is enabled. |
PRJ-20976, |
Anti-Malware |
In rare scenarios, the Threat Prevention policy installation fails due to IoC parsing errors. Refer to sk171316. |
PRJ-19041, |
UserCheck |
In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message. |
PRJ-19204, |
ClusterXL |
UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command>:
|
PRJ-20535, |
ClusterXL |
In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing. |
PRJ-19392, |
ClusterXL |
"set router active-active-mode" settings do not survive a reboot. |
PRJ-19925, |
ClusterXL |
In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state. |
PRJ-16516, |
SecureXL |
NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features. |
PRJ-18323, |
SecureXL |
UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146. |
PRJ-19664, |
SecureXL |
In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface. |
PRJ-17404, |
SecureXL |
In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293. |
PRJ-19406, |
SecureXL |
In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148. |
PRJ-15662, |
Routing |
UPDATE: Display of routing CPview results is limited to 30 lines. |
PRJ-18662, |
Routing |
UPDATE: Added support for Check Point Active Streaming (CPAS), Policy-Based Routing (PBR), and Application-Based Routing (ABR) on the Security Gateway. Refer to sk167135. |
PRJ-19629, |
Routing |
ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works. |
PRJ-20964, |
VSX |
After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352. |
PRJ-20149, |
VSX |
In rare scenarios, some interfaces remain in "Down" state after reboot. |
PRJ-15447, |
VSX |
In some scenarios, there may be high CPU utilization in a VSX environment with several instances. |
PRJ-15550, |
VPN |
UPDATE: Added the TTM-per-group feature improvement that allows it to work with more client types (for example Nemo client). |
PRJ-17494, |
VPN |
In IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync causing a VPN traffic outage. Refer to sk172926. |
PRJ-19424, |
VPN |
In some scenarios, the vpnd process unexpectedly exits with Segmentation fault. |
PRJ-18271, |
VPN |
The VPND process on a standby cluster member may unexpectedly exit when VPN peer has a probing link selection configured. Refer to sk170136. |
PRJ-20414, |
VPN |
In some scenarios, the IKE QM negotiating issue with Windows Server 2008 R2 peer may occur. |
PRJ-20522, |
VPN |
In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol. |
PRJ-13821, |
VPN |
Access roles do not recognize Remote Access SNX CLI clients. |
PRJ-20868, |
VPN |
In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues. |
PRJ-12242, |
VPN |
When clicking "View" in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496. |
PRJ-20948, |
VPN |
In some scenarios, L2TP clients disconnect from the Security gateway after 10 minutes of the connection. |
PRJ-20644, |
VPN |
In some scenarios, the VPND process may unexpectedly exit. |
PRJ-19216, |
VPN |
Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled. |
PRJ-20542, |
Gaia OS |
UPDATE: OpenSSL was updated to version 1.1.1i to include the latest code fixes and security improvements. |
PRJ-19146, |
Gaia OS |
UPDATE: Added the option to bind IP addresses to sockets using the udp_connect API. Refer to sk171019. |
PRJ-20958, |
Gaia OS |
UPDATE: Added support for multiple commands definition in Dynamic CLI feature. |
PRJ-11114, |
Gaia OS |
UPDATE: Updated the arp table limit to 131072 in:
|
PRJ-18091, |
Gaia OS |
Messages log level in /var/log/messages file for ERR level was changed to INFO level when fetching proxy configuration from Clish/WebUI/Gaia API. Example: [DATE TIME] <daemon.err> ... xpand[25958]: proxy_live_get_proc: Started... |
PRJ-20045, |
Gaia OS |
Potential command injection in Clish when using the "show file" command. |
PRJ-17319, |
Gaia OS |
The syslog messages may be spammed when the "show asset all" command is running. |
PRJ-19624, |
Gaia OS |
Extended commands are missing after adding Dynamic CLI. |
PRJ-20741, |
Gaia OS |
CVE-2020-25705: ICMP reply rate. |
PRJ-16259, |
Gaia OS |
A Timestamp in Unix/Epoch time may not be updated when the user changes a password using hash. |
PRJ-20916, |
Gaia OS |
In some scenarios, like defected LOM card, or when LOM port exists, but no LOM is connected, the confd process may unexpectedly exit. |
PRJ-19236, |
Mobile Access |
There may be a delay when connecting to HTTPS based SMS portal over a non-standard proxy port. Refer to sk170497. |
PRJ-20090, |
Endpoint Security |
Database size may increase exponentially because dynamic packages are packed into exported .tgz using migrate_export. |
PRJ-21749, |
Endpoint Security |
On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list. |
PRJ-21914, |
Endpoint Security |
In some scenarios, the "Endpoint Security Client Version" report shows "N/A" in DAT Date column for all devices on the SmartEndpoint Reporting page. |
PRJ-19312, |
CloudGuard Network |
When creating a GCP Data Center, Test Connection may fail on large GCP accounts. |
Take 94 Released on 07 March 2021 and declared as Recommended on 14 March 2021 |
||
PRJ-23502 |
Security Gateway |
Security Gateway may freeze on boot when enable IPv6 and IPv4 with 40 instances in Kernel mode. Refer to sk172364. |
Take 92 Released on 31 January 2021 |
||
PRJ-19892, |
Security Management |
NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally. |
PRJ-19544, |
Security Management |
NEW: Added Update 6 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109. |
PRJ-20164, |
Security Management |
NEW: Added Update 7 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109. |
PRJ-20000, |
Security Management |
UPDATE:Added improvements in policy load process, to reduce the policy installation time when having large amount of objects. |
PRJ-13465 |
Security Management |
UPDATE: If Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours. |
PRJ-17728, |
Security Management |
Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name. |
PRJ-19273, |
Security Management |
Policy installation duration may increase due to large $FWDIR/conf/invalid_object_names.C file on the Management server. Refer to sk170427. |
PRJ-18475, |
Security Management |
In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process. |
PRJ-19951, |
Security Management |
The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds. |
PRJ-18898, |
Security Management |
Policy installation may fail after migration from Domain Management to Security Management Server. |
PRJ-20112, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-17213, |
Multi-Domain Management |
UPDATE: With this fix, mds_backup will backup the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server. |
PRJ-19277, |
Multi-Domain Management |
In rare scenarios, Management server becomes inaccessible after Global Policy reassign operation. |
PRJ-17562, |
Multi-Domain Management |
In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server. |
PRJ-20247, |
SmartConsole |
UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once). |
PRJ-20147, |
SmartConsole |
SmartConsole may disconnect when searching in the Object Explorer for the text with an odd number of double quotes. |
PRJ-19534, |
SmartConsole |
In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect. |
PRJ-18884, |
SmartConsole |
Setting values for the environment variables of the Management API as per sk165938 does not work: the values are neither loaded nor used by the API process. |
PRJ-13808, |
SmartConsole |
In some scenarios, the Administrators view shows all administrators in all domains regardless to specific permission profile of the connected administrator. |
PRJ-15854, |
SmartConsole |
In rare scenarios, Web Components in SmartConsole such as "Revert to Revision" or "Packages Repository" fail to load. |
PRJ-13123, |
SmartConsole |
In some scenarios, the "Update operation failed" error is displayed when attempting to delete a Gateway from the VPN community. Refer to sk167212. |
PRJ-13813, |
SmartConsole |
In some scenarios, when the user attempts to delete a VSX Gateway / VSX Cluster, an error message may appear and the operation may not be completed successfully. Refer to sk167492.
|
PRJ-20380, |
SmartConsole |
Adding Global dynamic objects to source or destination columns of access rules on the Global Domain via Management API may fail when using the Global dynamic object names. |
PRJ-19833, |
SmartConsole |
The "show objects" command returns all objects in Global domain with any filter when "ip-only" flag is set to "true". |
PRJ-17994, |
Logging |
NEW:
|
PRJ-14289, |
Logging |
UPDATE: Added ability to SOLR process running on the Log server to prevent TLS1.1 and below in port 8211. Refer to sk168472. |
PRJ-19716, |
Logging |
When installing a newer Jumbo Hotfix, the Log Exporter filtering configuration may not persist and set to default. |
PRJ-16176, |
Logging |
In some scenarios, the cpsemd process on the Log server may close unexpectedly during a restart, shutdown or upgrade. |
PRJ-19845, |
SmartView |
UPDATE: Improved the time resolutions usability (formally known as samples) of the Timeline widgets. |
PRJ-19858, |
Security Gateway |
NEW: Added Performance improvement when IP Pool NAT is used. |
PRJ-11790, |
Security Gateway |
False "alert" logs may be displayed in some Anti-Spam events. |
PRJ-20515, |
Security Gateway |
In some scenarios, when using routing separation, connection to Management Plane via Data Plane is dropped. |
PRJ-18630, |
Security Gateway |
Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992. |
PRJ-19941, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 1-2000245". |
PRJ-20057, |
Security Gateway |
In rare scenarios, a Security Gateway memory consumption may increase. |
PRJ-19161, |
Threat Extraction |
UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable. To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy. |
PRJ-13175, |
Identity Awareness |
UPDATE: Optimized memory usage in the PDP process"s LDAP operations. |
PRJ-19749, |
Identity Awareness |
In some scenarios, the Security Gateway may not recognize an IP address as a local address, resulting in wrong drops. |
PRJ-19639, |
Identity Awareness |
In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process. |
PRJ-18180, |
URL Filtering |
In some scenarios, the wstlsd process may unexpectedly exit and produce a core dump. |
PRJ-13499, |
IPS |
In some scenarios, a non-compliant IMAP traffic is dropped. |
PRJ-19300, |
IPS |
In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs. |
PRJ-19922, |
DLP |
UPDATE: Expanded DLP postfix authentication to include NTLM to allow the Security gateway to connect to a mail servers that use the NTLM authentication protocol. |
PRJ-19598, |
DLP |
UPDATE: Improved the DLP scans queue for a better scan rate. |
PRJ-18987, |
DLP |
In a rare scenario, "SEC Filings - Draft or Recent" Data Type in DLP is not properly enforced. |
PRJ-19744, |
Anti-Bot |
Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure. |
PRJ-17375, |
Anti-Malware |
NEW: Enable the option to inspect files running through SSH protocol with Threat Emulation Blade. |
PRJ-16623, |
Anti-Malware |
Exported with "ioc_feeds export" command indicator feeds may contain user credentials. Refer to sk169035. |
PRJ-17599, |
Anti-Malware |
Files transferred with SMBv3 multi-channel may be improperly handled. |
PRJ-15223, |
Anti-Malware |
In a rare scenario, HTTP connections are timed-out. |
PRJ-17843, |
Anti-Malware |
In some scenarios, Threat Prevention logs appear half-full (not unified). |
PRJ-9945, |
Anti-Malware |
In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway. |
PRJ-18123, |
Anti-Malware |
In some scenarios, a Threat Prevention policy installation fails after upgrade if the Custom Intelligence Feeds feature is enabled with Hash IoCs. |
PRJ-17320, |
Anti-Malware |
In some scenarios, files bigger than 4GB cannot be downloaded with HTTP-206 flow. |
PRJ-17326, |
Mobile Access |
Remote access connectivity failure when the user belongs to number of groups that exceeds the limited available space (200~ groups). |
PRJ-14941, |
SecureXL |
UPDATE: The "fwaccel dos blacklist" and "fwaccel dos whitelist" commands are deprecated and replaced by "fwaccel dos deny" and "fwaccel dos allow". Refer to sk112454. |
PRJ-20027, |
SecureXL |
Server may not reuse the TCP connection when the user allows out of state TCP packets. |
PRJ-20050, |
SecureXL |
Memory leak may appear in VPN or Active Streaming configuration. |
PRJ-18085, |
SecureXL |
SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132. |
PRJ-20055, |
SecureXL |
In rare scenarios, SecureXL may crash due to NULL handling. |
PRJ-18279, |
Routing |
UPDATE: Updated PBR and ABR functionality for the "Software Blades and related components" feature. Refer to sk167135. |
PRJ-18280, |
Routing |
Certain types of multicast traffic may not be handled correctly in Bridge mode. |
PRJ-19463, |
Routing |
Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works. |
PRJ-20048, |
Routing |
In some scenarios, large number of unnecessary log messages may be sent to /var/log/messages file which makes it difficult to run debug. Refer to sk170796. |
PRJ-18664, |
Routing |
PBR does not work with VTI/VPN. |
PRJ-20444, |
Routing |
The old route may be not removed when an BGP ECMP route was changed. |
PRJ-20439, |
Routing |
ECMP route nexthops learned from BGP peers may be not properly updated in the kernel, resulting in network connectivity loss. |
PRJ-20242, |
Routing |
In rare scenarios, confd or routed process may restart. |
PRJ-20598, |
VoIP |
VoIP RTP can cause overload on global instance (CoreXL instance 0). |
PRJ-18772, |
VPN |
NEW: Added Remote Access VPN performance improvement. |
PRJ-18788, |
VPN |
NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2. |
PRJ-17487, |
VPN |
NEW: Added Anti-Spoofing functionality for Remote Access Office Mode IPs in SecureXL. |
PRJ-16341, |
VPN |
The user may be unable to connect with Remote Access when the username or user field in the certificate is too long. |
PRJ-21086, |
VPN |
"Decryption failed" drop logs may appear under heavy VPN load for accelerated tunnels using SHA 384 or SHA 512 Ciphers. |
PRJ-20333, |
VPN |
Security gateway may crash when you install policy on a MAB gateway and a policy file is corrupted. |
PRJ-20275, |
VPN |
In a rare scenario, a memory leak may appear when RASession_util is active. |
PRJ-19671, |
VPN |
In some scenarios, Remote Access Endpoint client disconnects after roaming from Visitor Mode to NAT-T. |
PRJ-21682, |
VPN |
When IKEv2 and pre-shared-key is configured, VPN may fail on the second IKE SA re-key. Refer to sk171756. |
PRJ-19531, |
Gaia OS |
NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix. |
PRJ-20471, |
Gaia OS |
In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object). Refer to sk171055 to configure the required parameter FORCE_NATTED_IP. |
PRJ-17719, |
Gaia OS |
In some scenarios, one session disconnection of RADIUS users can cause another session to loose permission when one of the session terminates. |
PRJ-20943, |
Gaia OS |
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253. |
PRJ-18610, |
Gaia OS |
Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled. |
PRJ-18503, |
VSX |
UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903. |
PRJ-17831, |
VSX |
VSX VSLS Cluster with 3 Members may fail to connect to Identity Collector. Refer to sk170836. |
PRJ-16457, |
VoIP |
SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373. |
PRJ-19133, |
Endpoint Security |
NEW: Integrated support for Endpoint Anti-Malware E2 signatures updater. |
PRJ-19726, |
Endpoint Security |
After changing the Full Disk Encryption to Bitlocker in SmartEndpoint FDE policy, the login to Windows machine with the Endpoint client says "This account is disabled". Refer to sk170655. |
Take 91 Released on 16 December 2020 and declared as Recommended on 26 January 2021 |
||
PRJ-19279, |
Security Management |
NEW: The upgrade process is being monitored dynamically and will be stopped if it cannot be completed, not basing on a timeout. |
PRJ-13934 |
Security Management |
Login with SmartConsole may be blocked while purge revisions action is running. |
PRJ-19084, |
Security Management |
In some scenarios, HA synchronization may fill up the disk space of a standby Management Server. Refer to sk168492. |
PRJ-18379, |
Security Management |
In some scenarios, SecurID configuration files on the Security Gateway are overridden upon policy installation. |
PRJ-18817, |
Security Management |
Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts. |
PRJ-18030, |
Security Management |
In some scenarios, export of EndPoint package may fail due to FWM process that utilize 100% CPU. |
PRJ-19021, |
Security Management |
In rare scenarios, FWM process may unexpectedly exit after a login attempt to the Management server. |
PRJ-18492, |
Security Management |
In rare scenarios, a policy installation task may never complete. |
PRJ-13476, |
Security Management |
Domain Servers may disappear from Multi-Domain view after running the Solr Cure utility. |
PRJ-15906, |
Security Management |
Security policy compilation fails if the Domain network object name (FDQN name) contains space. |
PRJ-17692, |
Security Management |
In some scenarios, HA temporary sub-directories under $FWDIR/tmp are not deleted if sync fails. Refer to sk170972. |
PRJ-19131, |
Security Management |
Advanced Upgrade from R80.10 to R80.40 with Jumbo Hotfix Take 83 may fail. Refer to sk170313. |
PRJ-18288, |
Security Management |
In rare scenarios, the CPU and memory usage of CPM process may be abnormally high. Refer to sk170672. |
PRJ-18954, |
Security Management |
Policy verification may fail with error "For security gateways R80.40 and higher, rules that use Access Roles can only have "Any Traffic" or "RemoteAccess" in the VPN column". |
PRJ-16724, |
Security Management |
For more information, refer to sk170632. |
PRJ-18265, |
Security Management |
'Revert to Revision' tasks cannot be cleared from tasks pane in SmartConsole. |
PRJ-16369, |
Security Management |
When logging into SmartConsole directly to a Domain using RADIUS or TACACS, the Authentication method in the audit log may show as "Internal Password". Refer to sk168716. |
PRJ-17763, |
Security Management |
When migrating a Security Management Server that was created as a standby and then set to active, into a Domain Management Server, the new Domain is created without an active Domain Server. |
PRJ-18690, |
Security Management |
Database installation to the newly created Domain Log Server may fail. |
PRJ-18907, |
Multi-Domain Management |
In some scenarios, size of MDS backup file increases after each policy installation. |
PRJ-18251, |
Multi-Domain Management |
Migration of Domain Server between different Multi-Domain Servers may fail due to incorrect internal values of default objects. |
PRJ-18970, |
Multi-Domain Management |
The "cplic db_print -all -x" command fails when running on the MDS level. |
PRJ-19647, |
Multi-Domain Management |
In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556. |
PRJ-12845, |
Multi-Domain Management |
Global Domain Assignment may fail with the "An internal error has occurred" message after deleting a Global VPN Community object. |
PRJ-19320, |
SmartConsole |
NEW: Added support for Python 3 in Management API scripts. |
PRJ-18317, |
SmartConsole |
NEW: Added 1600, 1800, and 1570R appliances to SmartConsole Hardware list. |
PRJ-19202, |
SmartConsole |
In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352. |
PRJ-19322, |
SmartConsole |
In some scenarios, the api.csv file may show extra empty columns. |
PRJ-19376 |
SmartConsole |
In a rare scenario, when user clicks on Mail Transfer Agent (MTA) options in the Security gateway settings or on 'Next hop' column inside MTA settings, SmartConsole shows "Not Responding" and freezes. Refer to sk161232.
|
PRJ-20163, |
SmartConsole |
Duplicate central licenses may be added to the management database. In some rare scenarios, this may lead to heavy load on the FWM process and prevent login. |
PRJ-18382, |
SmartConsole |
In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances. |
PRJ-17414, |
SmartConsole |
When removing an object from a group using the "groups" field of the object"s module in the Ansible collection, the group will not be changed and Ansible will show that no changes are needed. |
PRJ-18041, |
SmartConsole |
In some scenarios, after a successful IPS update, the new IPS version does not appear under 'switch version' window. |
PRJ-17643, |
SmartConsole |
When creating a user with Check Point password authentication through the Management API, log in to Mobile Access portal may fail. Refer to sk170412. |
PRJ-18592, |
SmartConsole |
After enabling the Endpoint Policy Management Blade on the Security Management Server, some views on SmartConsole may not load properly and SmartClient may disconnect. |
PRJ-15743, |
SmartConsole |
When using the "set simple-cluster" Management API command to update a user defined security zone, the "Specify security zone" checkbox in SmartConsole is not selected. |
PRJ-18465, |
SmartConsole |
In some scenarios, Staging mode IPS protections activation in the Local domain does not match the activation in the Global domain after a Global Threat Prevention policy assignment. Refer to sk170322. |
PRJ-19057, |
SmartConsole |
Upgrade may fail due to IPS protections comment that is exceeding the comment length limit. |
PRJ-16706, |
SmartConsole |
Enabling Threat Prevention policy may fail with validation errors when the policy's targets include cluster members running a version lower than R80.10. |
PRJ-16979, |
SmartConsole |
In some scenarios, some Web APIs fail with "Script stopped running due to severe error!" message when SMB gateway is defined as a policy target. Refer to sk169557. |
PRJ-14107, |
SmartConsole |
Search in Threat Prevention Exceptions in Protection/Site/File/Blade column may not return all expected results. |
PRJ-15818, |
SmartConsole |
In some scenarios, Management API does not start automatically after restart, although automatic start is enabled. Refer to sk168332. |
PRJ-18327, |
SmartConsole |
Exception group may be incorrectly deleted in the following scenarios:
|
PRJ-18307 |
SmartProvisioning |
NEW: Added support for Threat Emulation Blade on LSM profile of R80.20 SMB gateways and clusters.
|
PRJ-17482, |
SmartProvisioning |
In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status. |
PRJ-14511, |
CPView |
In some scenarios, CPView may unexpectedly exit after upgrade from R80.20 GA. |
PRJ-17209, |
Compliance |
UPDATE: Added ability to select 'Any' in the Service column when creating a custom firewall Best practice.
|
PRJ-17805 |
IoT |
NEW: Added IoT support to Multi-Domain Security Management.
|
PRJ-18781, |
SmartView |
In rare scenarios, "Critical attacks allowed by policy widgets" in "General Overview" view may show no results while actual data exists. Refer to sk171001. |
PRJ-18339, |
SmartView |
In some scenarios, SmartView fails to load with a "permission denied" error. |
PRJ-19815, |
Logging |
In rare scenarios, the log_indexer process may unexpectedly exit when reading a specific log format. Refer to sk116117. |
PRJ-11343, |
Security Gateway |
NEW: Added support for authentication with a RADIUS server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3. |
PRJ-17730, |
Security Gateway |
UPDATE: Added a message informing that to enable Dynamic Balancing on models with less than 8 cores, GNAT must be enabled. |
PRJ-16668, |
Security Gateway |
UPDATE: You cannot manually configure Multi-Queue while Dynamic Balancing is active. |
PRJ-17300, |
Security Gateway |
Connections distribution may get unbalanced on VSX environment. Refer to sk169352. |
PRJ-18833, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-19957, |
Security Gateway |
Half-closed accelerated TCP connections may take too long time to expire. |
PRJ-19195, |
Security Gateway |
In some scenarios, when using routing separation, connection from data plane to management plane is dropped. |
PRJ-10573, |
Security Gateway |
The SSH Deep Packet Inspection (SSH DPI) configuration may be lost after upgrade. |
PRJ-17704, |
Security Gateway |
After enabling USFW mode (User-Space Firewall) and rebooting, system boots in KFW (Kernel mode Firewall) instead. Refer to sk169956. |
PRJ-17960, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 0-2000077". |
PRJ-19179, |
Security Gateway |
Connections may be wrongly matched on Domain or Updatable objects used in Security policy. |
PRJ-13377, |
Security Gateway |
The TCP State Logging feature may not work as expected. Refer to sk101221. |
PRJ-16089, |
Security Gateway |
In rare scenarios, a memory leak may appear on Security Gateway in gconn table. |
PRJ-16172, |
Security Gateway |
After changing 'pdp nested_groups __set_state 2', flat groups are fetched correctly, but nested groups are not fetched. Refer to sk166199. |
PRJ-18981, |
Security Gateway |
In rare scenarios, Security Gateway may crash with USFW fwk core file. |
PRJ-18247, |
Identity Awareness |
NEW: Added Identity Sharing performance and functionality improvements. Refer to sk170516. |
PRJ-19106, |
Identity Awareness |
NEW: Performance optimization for Identity broker. |
PRJ-18345, |
IPS |
NEW: Added ability to send connection log per application match for ATM transactions identification. The functionality is disabled by default and can be enabled by using the "up_duplicate_connection_log_on_packet_matched_app_enabled" kernel parameter. |
PRJ-13970, |
IPS |
UPDATE: The "ips stat" command now shows all active Threat Prevention profiles with IPS enabled on the Security gateway. |
PRJ-16446, |
IPS |
The get_ips_statistics.sh script on VSX may fail with "/bin/cat: /proc/self/vrf: No such file or directory" error. |
PRJ-18825, |
HTTPS Inspection |
The user may not be able to browse with Chrome when using mixed chain with ECDSA subordinate CA in HTTPS Inspection. Refer to sk170332. |
PRJ-17594, |
HTTPS Inspection |
Connectivity issue may appear for inbound HTTPS Inspection when HTTP/2 is proposed by the client. Refer to sk169375. |
PRJ-19465, |
HTTPS Inspection |
In some scenarios, the HTTPS Inspection CA bundle is not created on the Security Gateway. |
PRJ-17168, |
Anti-Malware |
In a rare scenario, Security gateway may crash while processing SMB3 multi-channel when Anti-Virus Blade is enabled. |
PRJ-16563, |
Anti-Malware |
Security Gateway may crash when certain traffic is handled during policy installation and the Anti-Virus Deep Scanning is enabled. |
PRJ-19579, |
Anti-Virus |
In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occurred" error message. |
PRJ-15944, |
Anti-Bot |
In a rare scenario, Security gateway may crash after a match of the Anti-Bot Blade. |
PRJ-17640, |
UserCheck |
In some scenarios, UserCheck agent notifications may be blocked. |
PRJ-18699, |
UserCheck |
When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear on URL field of log details. |
PRJ-19434, |
SSL Inspection |
In rare scenarios, the DynamicID Certificate validation may fail. |
PRJ-18957, |
ClusterXL |
When MDPS is configured, the output of "cphaprob syncstat" may show unreadable characters for the speed of the sync interface. |
PRJ-12589, |
SecureXL |
NEW: Added support for Cluster AA/LS. |
PRJ-16583, |
SecureXL |
In some scenarios, traffic with the destination IP address as the broadcast address configured according to sk98810 is dropped. |
- |
Gaia OS |
NEW: Added support for 1570R and 1600 / 1800 SMB appliances. |
PRJ-16672, |
Gaia OS |
UPDATE: CPView Network -> Top-Protocols and Network -> Top-Protocols tabs was added back. Refer to sk167903. |
PRJ-17921, |
Gaia OS |
"cphaprob -h" shows wrong explanation for "cphaprob show_bond [<bond_name>]" command. |
PRJ-19330, |
Gaia OS |
In some scenarios, login from data plane context fails (no connectivity to server). |
PRJ-17714, |
Routing |
Security Gateway may stop forwarding the Multicast stream when PIM is configured on it. Refer to sk169774. |
PRJ-17856, |
Routing |
In rare scenarios involving large AS paths, there may be a loss of BGP adjacency. Refer to sk170876. |
PRJ-18026, |
Routing |
SNMP queries for bgpPeerFsmEstablishedTime return an incorrect constant value. Refer to sk170074. |
PRJ-18069, |
VPN |
NEW: Added Remote Access VPN performance improvements. |
PRJ-18667, |
VPN |
NEW: Added Remote Access VPN performance improvement for USFW mode (User-Space Firewall). |
PRJ-16432 |
VPN |
UPDATE: Added ability to fetch CRL with proxy in Site-to-Site VPN. |
PRJ-17369, |
VPN |
DynamicID via SMTP does no work when an HTTP proxy server is defined. |
PRJ-15742, |
VPN |
In some scenarios, findSAByPeer does not validate the peer IP address for DAIP peer behind NAT. |
PRJ-18764, |
VPN |
In some scenarios, userspace cores may appear on Security gateways with enabled AES-GCM-256 and AES-256 VPN encryption. Refer to sk169417. |
PRJ-20283, |
VSX |
In some scenarios, SNMP v3 users are not recognized on VSX when SNMP is in VS mode. The 'Unknown user name' error message is displayed. Refer to sk170993. |
PRJ-15859, |
Endpoint Security |
An exception may be displayed in SmartEndpoint when uploading an offline group software deployment package. Refer to sk165852. |
PRJ-16465, |
Endpoint Security |
In some scenarios, content of the "User Name" tab in SmartEndpoint is displayed in wrong format. |
PRJ-16317, |
Endpoint Security |
Client may not be added automatically to a Virtual Group that was configured in the SmartEndpoint export package policy when deployment is done using dynamic package. |
Take 89 Released on 01 December 2020 and declared as Recommended on 09 December 2020 |
||
PRJ-18199, |
CloudGuard Network |
UPDATE: Added new certificates for Microsoft Azure. For details, refer to this Microsoft article. |
Take 87 Released on 5 November 2020 and declared as Recommended on 22 November 2020 |
||
PRJ-15565, |
Security Management |
NEW: In some scenarios, modifying or deleting objects in bulk may cause slowness in SmartConsole responses and long duration of operations. Ability to improve performance in such cases was added. Refer to sk135972. |
PRJ-18769, |
Security Management |
NEW: Improved FWM process performance during policy or database installation. |
PRJ-14597, |
Security Management |
In some scenarios, Read-Only sessions appear twice in the Sessions view. |
PRJ-16263, |
Security Management |
Upgrade from R80.20 or R80.30 may fail if one of the objects does not have a creator. |
PRJ-17043, |
Security Management |
In rare scenarios, some objects may be locked and not available for editing. Refer to sk169772. |
PRJ-16877 |
Security Management |
In rare scenarios, upgrade from R80.10 may fail with the "Consider using an AFTER trigger instead of a BEFORE trigger to propagate changes to other rows" message in the $MDS_FWDIR/log/postgres.elg file. |
PRJ-16288, |
Security Management |
On rare scenarios IPS or Application Control updates might get stuck on 70% and cannot be launched again until full restart of the Multi-Domain Management Server. |
PRJ-18047, |
Security Management |
In rare scenarios, a Management server may become inaccessible and requires a reboot. Refer to sk170634. |
PRJ-13851, |
Security Management |
In some scenarios, the Security Management Server's startup takes a very long time after editing or deleting many Administrators. |
PRJ-16288, |
Security Management |
In rare scenarios, IPS or Application Control updates may stop at 70% and cannot be launched again until full restart of the Management server. |
PRJ-16643, |
Multi-Domain Management |
In some scenarios, Domain Management Server is shown in System Domain under Domains View even though it was deleted. |
PRJ-17023, |
Multi-Domain Management |
On Multi-Domain Management environment with Global VPN Community usage, policy installation mail fail with "Internal error" message after upgrade. Refer to sk169157. |
PRJ-13796, |
Multi-Domain Management |
In a Multi-Domain Server, domain-related processes may not start when the user runs "evstop" and then "evstart". |
PRJ-17070, |
Multi-Domain Management |
In some scenarios, Domain appears in the System Domain without any Domain Servers. |
PRJ-12246, |
Multi-Domain Management |
In some scenarios, a Global Administrator connected to the Logging and Monitoring view in MDS cannot see auto-complete suggestions when typing in the logs search box. Refer to sk166752. |
PRJ-16313, |
Multi-Domain Management |
After upgrade, a Global VPN Community object defined in the Global Domain is shown as "Unavailable" and a policy installation fails with "Internal error" message. |
PRJ-17238, |
Multi-Domain Management |
On Multi-Domain environments with multiple Multi-Domain servers connected in HA, operations such as "Log in" and "Reassign Global Domain" may fail due to high load on FWM process. |
PRJ-13715, |
Multi-Domain Management |
In some scenarios, when installing a policy from a local domain, while a policy installation initiated by the system domain is still in progress, policy installation invoked by the system domain fails. Refer to sk167692. |
PRJ-16283, |
SmartConsole |
NEW: Added ability for administrators to view, add, and delete licenses directly from SmartConsole.
|
PRJ-18775, |
SmartConsole |
In some scenarios, FWM and CPD processes may consume high CPU due to large number of Security Management/Security Gateway objects in the policy. Refer to sk170256. |
PRJ-16861, |
SmartConsole |
New cluster member's IP address may disappear from the "Network Management" view when changing cluster interface type to "Private". |
PRJ-17880, |
SmartConsole |
In Global Properties under Stateful Inspection tab, the "TCP end timeout (R80.20 and higher gateways)" option does not support values higher than 60 seconds.
|
PRJ-17003, |
SmartConsole |
When using SmartConsole CLI, the application may unexpectedly terminate if the input has quotation marks that are not closed. |
PRJ-9661, |
SmartConsole |
In rare scenarios, Access policy installation may be incorrectly blocked. A verification incorrectly states that HTTPS Inspection rules do not contain 'Any' or 'Application/Site' objects in the Site Category column, even though they do. |
PRJ-16062, |
SmartConsole |
In some scenarios, certain Gateways do not appear in the IPS Core protections list. Refer to sk168474. |
PRJ-15999, |
SmartConsole |
When fetching the LDAP server SSL fingerprint on Global Domain, the operation is not finished. |
PRJ-17822, |
SmartConsole |
In some scenarios, Network Objects are missing in Implied Rule for Mail Transfer Agent.
|
PRJ-16468, |
SmartConsole |
Update corporate Gateway procedure takes a long time and may cause login issues and general slowness in the Provisioning GUI. |
PRJ-17273, |
SmartConsole |
On Multi-Domain environments, some hardware types may be missing from the hardware selection in the gateway editor. Refer to sk169354. |
PRJ-16891, |
SmartView |
In SmartView, after adding a new page to a report, the preview page appears to have no data although it has (this data appears in the Edit Mode). |
PRJ-16433, |
SmartView |
In SmartView's GDPR Report, some of the text appears in German although the selected language is not German. |
PRJ-16999, |
Logging |
UPDATE: Added ability to filter Threat Prevention and Endpoint logs by file size on a Log server machine via Logs & Monitor view in SmartConsole. |
PRJ-13350, |
Logging |
In some scenarios, when the user configures the log exporter filter with the "cp_log_export" command (action, origin, product), the filter is not configured properly according to the used format. |
PRJ-13623, |
Logging |
Leef format is not certified with IBM causing the following issues:
Refer to sk170199. |
PRJ-17008, |
Logging |
In some scenarios, the "CGsoapSessions::AuthenticateSession failed, session is not authenticated" message may appear in mds.elg or fwm.elg file. Refer to sk152933. |
PRJ-17195, |
Security Gateway |
NEW: Added additional statistics to HTTP/2 in CPView. |
PRJ-15830, |
Security Gateway |
In rare scenarios, the "ERROR: dns_reverse_prepare_response_uuids: hash create failed" error is printed to dmesg. |
PRJ-19003, |
Security Gateway |
In some scenarios, when using routing separation, connection from data plane to management plane is dropped. |
PRJ-17313, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-16912, |
Security Gateway |
In some scenarios, a timeout occurs when the user enables resource separation via Clish. Refer to sk170372. |
PRJ-17088, |
Security Gateway |
When using a routing separation, syslogd does not move to the management plane. |
PRJ-11293, |
Security Gateway |
Unused OIDs may appear in SNMP MIB file. |
PRJ-14262, |
Security Gateway |
In some scenarios, wrong (too big) SNMP values are displayed when running SNMP query. |
PRJ-17128, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-16923, |
Security Gateway |
In some scenarios, "misp_rulematch_outgoing: fw_update_routing_opq_out_ifn failed" error appears in dmesg. |
PRJ-17703, |
Security Gateway |
In rare scenarios, policy installation fails with an "gen_rpc_service_inspect_func: service mismatch in service_arr" error message. Refer to sk174165. |
PRJ-16090, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 0-2000121". |
PRJ-17133, |
Security Gateway |
In a rare scenario, the proxy arp table is not generated. |
PRJ-13261, |
Security Gateway |
In a rare scenario, traffic is dropped with the "[ERROR]: up_handle_get_matched_service_clob: no clob list on handle for type SERVICE;" error in dmesg. |
PRJ-16666, |
Security Gateway |
Security Gateway running in USFW mode (User-Mode Firewall) may crash with fwk core dump. Refer to sk169119. |
PRJ-17606, |
Internal CA |
In some scenarios, manual edit of user's certificate expiration period does not take effect. Refer to sk143292. |
PRJ-16289, |
VoIP |
NEW: Added support for HopCount field in H323 protocol. Refer to sk169513. |
PRJ-16185, |
Identity Awareness |
In some scenarios, the Identity Broker Subscriber may crash. |
PRJ-12546 |
Identity Awareness |
In some scenarios, there may be enforcement issues due to database corruption in PDP kernel tables. |
PRJ-14484, |
Identity Awareness |
SAML (Security Assertion Markup Language) groups mode configuration (pdp idp group status) is not saved after an upgrade. |
PRJ-17200, |
HTTPS Inspection |
In a rare scenario, a connection remains open after it is closed by the server, and the web browser may load a page for a long time. |
PRJ-12561, |
Anti-Malware |
In some scenarios, users may fail to access a web site with many malicious URLs. |
PRJ-13200, |
Anti-Malware |
Security Gateway may crash when trying to access a site encoded with Base64. |
PRJ-15977, |
UserCheck |
In some scenarios, the UserCheck daemon usrchkd may unexpectedly exit. |
PRJ-17345, |
ClusterXL |
When 40000/60000 device is located on the same network segment (same VLAN, same switch) with ClusterXL environment, the cluster states can flap non-stop between the READY and ACTIVE on all cluster members causing outage. |
PRJ-18534, |
SecureXL |
In rare scenarios, when a Wire-Mode is configured on a community, it may cause a Security gateway from another community not to accelerate connections in SecureXL. |
PRJ-17451, |
SecureXL |
In some scenarios, CPView may show incorrect statistics for VPN encrypted/decrypted packets. |
PRJ-9564, |
SecureXL |
In a rare scenario, Security gateway may crash when the Drop Template feature is enabled. |
PRJ-16534, |
Routing |
UPDATE: User does not have to enable logging/accounting in SmartConsole to generate the Netflow records. New "NetFlow Firewall rule" option was added to configure NetFlow to report per Firewall rule by turning it on and enabling Log/Accounting per rule. |
PRJ-15820, |
VPN |
NEW: Performance improvement of VPN tunnel when using SHA-384. Refer to sk168336. |
PRJ-16100, |
VPN |
Remote Access VPN policy installation optimization. Refer to sk173947. |
PRJ-16866, |
VPN |
Software Blade name inconsistency between login and logout logs of an SNX client. |
PRJ-15554, |
VPN |
In some scenarios, the VPN IKEv2 tunnel establishment with LSV peer fails. |
PRJ-10035, |
VPN |
In some scenarios, Security Gateway Portals and Remote Access VPN clients show wrong certificate after certificate renewal. Refer to sk131212. |
PRJ-17330, |
VPN |
Added VPN IKEv2 improvements. |
PRJ-17002, |
VPN |
Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway". |
PRJ-16442, |
VPN |
In some scenarios, the VPN tunnel status is displayed as "Up - Phase1" in SmartView Monitor although both phase1 and phase2 are up. Refer to sk169121. |
PRJ-16722, |
VPN |
Remote Access potential connectivity issue when there are more than 1 external interfaces. |
PRJ-13095, |
VPN |
RADIUS packet sent by Security gateway, may show the Framed-IP-Address field in the reverse order. Refer to sk167361. |
PRJ-12771, |
VPN |
In some scenarios, RADIUS authentication may take more than five minutes to be fulfilled with Endpoint Clients, reaching connection timeout on the Gateway side. |
PRJ-16661, |
VPN |
Connectivity issue may appear between Check Point Gateway and 3rd party device when using Encryption Domain per Community. |
PRJ-15466, |
Gaia OS |
"show asset" command shows the Network card model CPAC-4-1C instead of CPAC-4-1C-L. |
PRJ-19050, |
Gaia OS |
In some scenarios, when using routing separation, modifying interface IP address fails. |
PRJ-14315, |
Gaia OS |
In rare scenarios, gateway uptime in SmartConsole may show an abnormally high number. Refer to sk167937. |
PRJ-17612, |
Gaia OS |
Several features are duplicated (both in WebUI and Clish) in RBA roles configuration/settings.
|
PRJ-16265, |
Gaia OS |
Multi-Queue IRQ affinity is set incorrectly for i40e and MLX interfaces. |
PRJ-13459, |
Endpoint Security |
NEW: Added ability to enable developer protection feature.
|
PRJ-16600, |
Endpoint Security |
In some scenarios, Policy server stops syncing with the Endpoint Security Server. Refer to sk168912. |
PRJ-14225, |
Endpoint Security |
Push operation may not go through to client due to continuous sync requests. |
PRJ-16569, |
Endpoint Security |
Incorrect time interval for checking RSA key generation may cause message flooding the logs. |
PRJ-16892, |
CloudGuard Network |
CloudGuard Controller imports only the first 50 NSX-T groups. Refer to sk169133. |
PRJ-17750, |
CloudGuard Network |
In some scenarios, userspace cores may appear on CloudGuard for Azure Gateways with VPN enabled and using AES-GCM-256 and AES-256. Refer to sk169417. |
Take 83 Released on 04 October 2020 and declared as Recommended on 25 October 2020 |
||
PRJ-8954, |
Upgrade Tools |
Upgrade from R80.10 to R80.40 may fail with messages related to cmsobfuscationkey. Refer to sk168933. |
PRJ-15610, |
Security Management |
NEW: Added ability to run Management REST API on a Multi-Domain Log Server. |
PRJ-16147, |
Security Management |
NEW: The "cma_migrate" command will continue working if the SSH connection with the Multi-Domain Server was lost. If the user presses "Ctrl+C" while cma_migrate is running, the user will be asked whether to stop cma_migrate or to continue. |
PRJ-15501, |
Security Management |
NEW: The $MDS_FWDIR/scripts/cpm_status.sh script will show if the CPM process fails to start. |
PRJ-15497, |
Security Management |
$MDS_FWDIR/scripts/solr_start.sh script may fail to start Solr Cure if sk123417 is applied. |
PRJ-16876, |
Security Management |
In some scenarios, sessions that were opened for the third parties or automatic scripts that use Management API, remain open. Refer to sk169072. |
PRJ-11704, |
Security Management |
The Purge Revisions operation may not clean deleted objects of previous revisions |
PRJ-14297, |
Security Management |
In rare scenarios, High Availability sync fails with "NGM failed to import data" error after the user deletes a Permission Role. |
PRJ-13463, |
Security Management |
In rare scenarios, Install Policy Presets are not triggered. |
PRJ-14492, |
Security Management |
In some scenarios, migrating two different Security Management Servers to domains in the same Multi-Domain Management Server fails. |
PRJ-13919, |
Security Management |
In some scenarios, exporting the Security Management Server in order to migrate it to Domain in Multi-Domain Environment fails. |
PRJ-13613, |
Security Management |
In rare scenarios, the "where-used" API command fails with "Management server failed to execute command" error. |
PRJ-13727, |
Multi-Domain Management |
NEW:
|
PRJ-14455, |
Multi-Domain Management |
Policies may disappear from the Global Domain Assignments view after running the Solr Cure utility. Refer to sk168060. |
PRJ-15720, |
Multi-Domain Management |
When the user attempts to add/change the Leading Interface through mdsconfig, it may fail with the "no external interfaces found on this machine" error. Refer to sk168319. |
PRJ-16427, |
Multi-Domain Management |
Management HA incremental synchronization may break on the MDS level with "failed to import data" error message due to an operation related to the Compliance Blade. |
PRJ-16438, |
Multi-Domain Management |
After upgrading a Multi-Domain Management Server, the object version of the Domain Management Servers or Domain Log Servers in the MDS SmartConsole may not have changed. |
PRJ-17307, |
Multi-Domain Management |
In rare scenarios, the FWM process may unexpectedly exit and fail the Multi-Domain Management server upgrade. |
PRJ-15972, |
SmartConsole |
Global Policy reassign in MDS may fail with "An internal error has occurred" message after adding overrides to Snort protections. |
PRJ-15372, |
SmartConsole |
The user may not be able to delete objects that are referenced by a previously deleted policy. Refer to sk122954. |
PRJ-16091, |
SmartConsole |
The "Get Interfaces" operation fails when admin creates a new cluster and decides to remove one of the members before he selects "Get Interfaces". |
PRJ-13906, |
SmartConsole |
In some scenarios, when working with older applications like SmartView or SmartProvisioning, the admin count in SmartConsole presents an incorrect number of connected admins. |
PRJ-16342, |
SmartConsole |
Setting or creating HTTPS layer (add-https-layer) with the "shared" parameter using the API may fail with the "Unrecognized parameter [shared]" error. |
PRJ-12855, |
SmartConsole |
Hit count data may not be deleted automatically. |
PRJ-13456, |
SmartConsole |
In some scenarios, Management API commands with "details-level":"full" Payload return a truncated output and fail to complete. Refer to sk170414. |
PRJ-15482, |
SmartProvisioning |
In some scenarios, when the user installs policy on R77.30 Central Office Security Gateway from Management version R80 and higher, VPN tunnels may be dropped for LSM Gateways. |
PRJ-13171, |
Compliance |
Compliance Partial Scans in Multi-Domain environments using Global Policies may lead to SmartConsole freeze or long publish times. Refer to sk170562. |
PRJ-13562, |
Logging |
In rare scenarios, the evstop script does not stop all logging processes. As a result, upgrade procedures may hang and show no progress. |
PRJ-14357, |
SmartView |
In SmartView, when the user sends a generated report via email in a language with non-standard English letters (Accented, Cyrillic, Chinese, Japanese, etc), some of the text may appear as question marks (?). |
PRJ-14362, |
SmartView |
In SmartView, the icon is missing from the cover page of Compliance and Content Awareness PDF reports. |
PRJ-12208, |
Security Gateway |
UPDATE: Added the latest fixes and security improvements to OpenSSL. |
PRJ-16624, |
Security Gateway |
Updated Dynamic Balancing Clish commands. Refer to sk164155. |
PRJ-16995, |
Security Gateway |
In some scenarios, Dynamic Balancing is unable to configure MQ setting for some interfaces. |
PRJ-16401, |
Security Gateway |
When using Management Data Plane Separation (MDPS), schedule backup may fail. |
PRJ-14126, |
Security Gateway |
In some scenarios, compilation errors during policy installation are ignored instead of immediately failing the policy. This may cause drops on the Security Gateway. |
PRJ-14634, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-15633, |
Security Gateway |
In a rare scenario, Security gateway may crash due to NULL pointer reference. |
PRJ-13346, |
Security Gateway |
In a rare scenario, the FWD process opens connections to port 111. |
PRJ-13888, |
Security Gateway |
An interface name with more than 15 characters may cause the policy installation to fail. Refer to sk167955. |
PRJ-15841, |
Security Gateway |
ICAP block page displays virus name as "Unknown" instead of the virus name as it appears in the logs. |
PRJ-16406, |
Security Gateway |
In some scenarios, when VPN Blade or ISP Redundancy are used, traffic may be routed to the wrong interface. Refer to sk168881. |
PRJ-16159, |
Security Gateway |
In a rare scenario, Security Gateway may crash after policy installation. |
PRJ-12947, |
Security Gateway |
After policy installation, the output of the "cphaprob stat" command may show "HA module not started" when a large number of non-monitored Cluster interfaces are configured in SmartConsole.
|
PRJ-15771, |
Security Gateway |
In some scenarios, DNS protections configured on inspection settings may not be enforced. |
PRJ-14449, |
Security Gateway |
In some scenarios, large number of interfaces defined on Security gateway may cause high CPU utilization by CPD process. Refer to sk168674. |
PRJ-9849, |
Security Gateway |
In some scenarios, SCCP traffic may be dropped by the Security Gateway. Refer to sk108124. |
PRJ-17223, |
Security Gateway |
Enabling both Dynamic Balancing and MDPS causes Dynamic Balancing to stop. |
PRJ-17097, |
Security Gateway |
In rare scenarios, Dynamic Balancing fails to start after boot due to state verification failure. |
PRJ-15849, |
Security Gateway |
SXL drop due to routing configuration when using security zone on bridge (layer2). |
PRJ-17421, |
Threat Emulation, |
In a rare scenario, Threat Emulation and 2 core appliances may freeze. Refer to sk169575. |
PRJ-16107, |
URL Filtering |
In some scenarios, there may be sporadic connectivity issues in the Anti-Malware/URLF service (RAD). |
PRJ-15689, |
HTTPS Inspection |
In some scenarios, web traffic may be blocked with "Content Awareness - Error: Internal system error (1000)" error log. |
PRJ-14543, |
HTTPS Inspection |
In some scenarios, a CRL timeout may occur, which may cause slowness in HTTPS Inspection. Refer to sk169876. |
PRJ-15800, |
IPS |
In some scenarios, invalid characters are sent to gw-stat report. |
PRJ-15581, |
Application Control |
In some scenarios, deprecated applications are not removed/replaced during an upgrade from R77.30 to R80.x. Refer to sk131372. |
PRJ-11730, |
Anti-Malware |
In some scenarios, custom intelligence feeds with URL encoding characters may not be parsed correctly. Refer to sk168077. |
PRJ-14067, |
Anti-Malware |
In rare scenarios, Security Gateway may crash due to memory allocation failure. |
PRJ-16500, |
Anti-Malware |
In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus Blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606). |
PRJ-15540, |
Mobile Access |
Mobile Access Secure Workspace feature does not work with SAML/IDP-based authentication when running Secure Workspace is optional. |
PRJ-14652, |
Mobile Access |
The Mobile Access Blade's portal dialog for editing web application SSO credentials may not work correctly. |
PRJ-16998, |
Mobile Access |
Mobile Access portal may become unresponsive after Jumbo Hotfix uninstallation. Refer to sk169152. |
PRJ-17446 |
Mobile Access |
Mobile Access Blade may fail to install on VSX environments due to a missing configuration file. |
PRJ-16681, |
SecureXL |
In a rare scenario, Security gateway may crash when receiving packets from an MDPS management interface. |
PRJ-14463, |
SecureXL |
In a rare scenario, the Security Gateway may crash when deleting certain non-TCP connections. |
PRJ-10498, |
SecureXL |
In some scenarios, SecureXL makes an offload decision to not accelerate multicast traffic for route-based VPN. |
PRJ-15902, |
SecureXL |
An asymmetric routing issue may occur between a Virtual System and a Virtual Switch/Router. |
PRJ-15485, |
Routing |
BGP fails to establish with high MTU setting on Gaia 3.10. |
PRJ-15393, |
Routing |
A TCP connection between cluster master and subordinate may flap on OSPF attempt to delete a non-Max-Aage LSA. |
PRJ-16575, |
Routing |
In some scenarios, the routed daemon may unexpectedly exit with BGP. |
PRJ-14407, |
VPN |
Connectivity improvements for Remote Access VPN with L2TP. |
PRJ-15534, |
VPN |
The "vpn tu tlist" command shows the wrong number of clients connected in Visitor mode. |
PRJ-10953, |
VPN |
In some scenarios, VPN tunnel connection is dropped with "no MSA for MSPI" error. Refer to sk167393. |
PRJ-15331, |
VPN |
In some scenarios, Remote Access VPN traffic may be dropped when XFF is enabled. |
PRJ-15322, |
VPN |
In some scenarios, using LS/HA mode on a VPN tunnel may cause packets to be dropped. Refer to sk160612. |
PRJ-14576, |
VPN |
IP compression may not work in some scenarios when IKEv2 is configured. |
PRJ-15622, |
VPN |
Access Roles with MAB SNX as the client type may not work. |
PRJ-11052, |
VPN |
Improved NAT Detection with 3rd party peers in IKEv1 and IKEv2. Refer to sk165003. |
PRJ-16211, |
VPN |
Stability improvement for Remote Access VPN. |
PRJ-15467, |
VPN |
When IKEv2 is configured, traffic that originated from the DAIP external interface may fail to pass. |
PRJ-15838, |
VPN |
When a Gateway does not recognize the SPI, it sometimes sends the "Invalid SPI" notification in clear. As a result, the peer may ignore it, resulting in an outage. |
PRJ-16015, |
VPN |
In rare scenarios, Remote Access clients may not be able to re-connect after a failover. |
PRJ-15996, |
Gaia OS |
NEW: Added Multi-Queue (MQ) support for Sync interface. |
PRJ-14591, |
Gaia OS |
Reduced the logging of vague messages when the user adds a known host in Clish. |
PRJ-12864, |
Gaia OS |
Creating LOM users for Smart-1 525/625/5050/5150 appliances may fail if the username length is shorter then 4 characters. |
PRJ-11861, |
Gaia OS |
It is not allowed to create usernames with reserved words, such as 'eval', 'apply' etc., in the middle of the username in WebUI. Refer to sk170681. |
PRJ-11994, |
Gaia OS |
In rare scenarios, a snapshot creation may fail. |
PRJ-12741, |
Gaia OS |
Restore backup may fail due to unmatched upgrade tools. |
PRJ-17321, |
Gaia OS |
Certain Clish commands, like "show interfaces all", may cause confd to crash. Refer to sk170324. |
PRJ-16922, |
Gaia OS |
In a rare scenario, the "Allowed-clients" feature does not work as expected for SSH. |
PRJ-13942, |
Gaia OS |
In some scenarios, when the RADIUS user enables bash logging (as per sk99134) and moves to expert mode, the username in the log files appears as admin instead of RADIUS. |
PRJ-16080, |
Gaia OS |
In some scenarios, when the user tries to return to the factory default, the machine reverts to a different snapshot. |
PRJ-16567, |
Gaia OS |
In the Management Data Plane Separation (MDPS) environment, the output for the "show asset network" command may not report some line cards if they have mixed management/data plane interfaces. |
PRJ-10079, |
Gaia OS |
When enlarging the partition via lvm_manager from a small partition to a larger partition, the user may reach an internal filesystem settings limit. As a result, some filesystem monitoring commands unexpectedly exit. Refer to sk165258. |
PRJ-15861, |
Gaia OS |
The "Error I40E_AQ_RC_EINVAL adding RX filters on PF" error may appear during i40e driver operation and RSS key may be reset during certain driver operations. |
PRJ-11130, |
Gaia OS |
Setting LACP rate does not survive a reboot on Gaia 3.10. |
PRJ-15600, |
Endpoint Security |
Gaia backup with Endpoint Management may miss some information from the Endpoint database. Refer to sk168062. |
PRJ-16474, |
Endpoint Security |
"An unexpected error occurred" message may appear when the user clicks on 'View Current Status' in SmartEndpoint's 'Overview' tab. Refer to sk167176. |
PRJ-15423, |
CloudGuard Network |
NEW: Added support for VMware vCenter version 7 to CloudGuard Controller. |
PRJ-12838, |
CloudGuard Network |
NEW: Added new AWS regions af-south-1, ap-northeast-3, and eu-south-1. |
PRJ-16019, |
CloudGuard Network |
In some scenarios, CloudGuard Controller may lose connection to GCP projects. Refer to sk168499. |
PRJ-16254, |
CloudGuard Network |
Scanning of GCP Data Center may fail when instance does not have disks. |
PRJ-12185, |
CloudGuard Network |
CloudGuard Controller may sometimes update the Standby cluster member in VSLS mode. |
PRJ-16223, |
CloudGuard Network |
Azure Data Center scan may fail and no updated are sent to the Security gateway. |
PRJ-15355, |
QoS |
In some scenarios, QoS Policy installation fails with the following message: "Error - QoS Policy does not apply to any network interface. Please edit your Network Object and check the interfaces you wish to install on" when policy is defined properly on the interface. |
Take 78 Released on 26 August 2020 and declared as Recommended on 9 September 2020 |
||
PRJ-13962, |
Security Management |
NEW: Added the ability to purge revisions automatically based on user configuration. Refer to Automatic Purge Documentation. |
PRJ-12308, |
Security Management |
NEW: Added enhancements for CPM Monitor Tool:
|
PRJ-14645, |
Security Management |
NEW: Solr server process is restarted automatically if it is not responsive for a long time. |
PRJ-13809, |
Security Management |
Publish operation of hundreds of changes may take a long time to complete. |
PRJ-16195, |
Security Management |
When running the 'show-access-rulebase' API command with filter, and the selected layer is an inline layer, rules of the inline layer are not returned even though they match the search criteria. |
PRJ-11491 |
Security Management |
Access Policy installation may remain on Multi-Domain Server with Global Policy assigned when there is Inline layer usage and APPI/DA/Mobile Access Blade is enabled. Refer to sk166676. |
PRJ-13319 |
Security Management |
Upgrade from R80.10 may take many hours when there are hundreds or more Administrators and dozens or more Permission Profiles defined. |
PRJ-13920 |
Security Management |
In Multi-Domain environments with High Availability, if the Management Server is stopped while there is a Purge Revisions operation in progress, the server may fail to start again. Refer to sk168175. |
PRJ-13167, |
Security Management |
When an administrator enters a very long text into an object field (more than 32767 characters), the Security Management Server terminates and fails to start. |
PRJ-13049, |
Security Management |
After the user adds new Threat Indicators, Management HA may fail with "NGM failed to import data" error. Refer to sk167156. |
PRJ-15459, |
Multi-Domain Management |
Policy Installation may fail due to an internal error in an MDS environment where there is a Global Dynamic object usage inside Networks Groups with a depth that is higher than 2-level (group inside a group). |
PRJ-14096, |
SmartConsole |
NEW: Added new API version (1.6.1). The new version includes useful new commands. For more information, refer to the Management API Reference. |
PRJ-13008, |
SmartConsole |
In the Management API, the "show objects" command with details-level full may return the "ip-address" field even if it is empty. |
PRJ-14290, |
SmartConsole |
If there are thousands (or more) of unused objects, the "show unused-objects" API command and the Unused Objects view may load and work very slowly. Also, the load on the Management server will increase, causing general slowness when working with SmartConsole. |
PRJ-14532, |
SmartView |
In some scenarios, when the user attempts to download a DLP attachment from the log card in SmartView, the download does not start. |
PRJ-12705, |
SmartView |
The SmartView Timeline may be distorted when logs contain an empty value for the field specified in the "Series" settings and when the Legend is enabled. Refer to sk167095. |
PRJ-12099, |
Logging |
NEW:
|
PRJ-14049, |
Logging |
In some scenarios, the command "cp_log_export status" prints "last log read at: N/A" rather than a timestamp. |
PRJ-14372, |
Security Gateway |
UPDATE: Reduced CPU usage in some configurations by parsing TLS traffic only when required by the policy. See sk166700 for more information. |
PRJ-14007, |
Security Gateway |
In some scenarios, ESP traffic may be dropped with "fwconn_key_init_links (INBOUND) failed" message. Refer to sk167973. |
PRJ-13678, |
Security Gateway |
In some scenarios, dmesg shows "up_manager_perform_action: up_manager_resume_chain failed" error messages when span port is configured. |
PRJ-8049 |
Security Gateway |
When running 'fw6 ctl affinity -l' command, the IPv6 instances are not displayed. |
PRJ-13267, |
Security Gateway |
Occasional slowness while browsing to HTTP/2 sites when Security Gateway is enabled as an explicit Proxy. |
PRJ-13696, |
Security Gateway |
Proxy arp change is applied only after the second policy installation. |
PRJ-14217, |
Security Gateway |
In a rare scenario, the Security gateway may crash if the rulebase contains a logical server object. |
PRJ-11752, |
Security Gateway |
Citrix file download may fail when the Mobile Access Blade is enabled. |
PRJ-11417, |
Security Gateway |
In some scenarios, NAT log shows source port 0 even though a port was allocated. |
PRJ-13382, |
Security Gateway |
In some scenarios, Security gateway generates an ICMP error with wrong IP address. Refer to sk167953. |
PRJ-13631, |
Identity Awareness |
NEW: Added the ability to filter sessions by session's owner and immediate publisher in Identity Broker. |
PRJ-9494, |
Identity Awareness |
UPDATE: SAML configuration optimizations of policy installation flow. |
PRJ-12565, |
Identity Awareness |
PDP may consume high CPU during policy installation because of a large amount of Access Roles. |
PRJ-10818, |
Identity Awareness |
In a rare scenario, a memory leak may appear in case of LDAP query failure on Identity Collector automatic group update. |
PRJ-8713, |
Identity Awareness |
In some scenarios, Dynamic ID authentication fails when SMS server returns HTTP status code 2xx but not 200 or 202. |
PRJ-13516, |
Identity Awareness |
In some scenarios, a XFF allowed proxy list is enforced only for instance 0 in VSLS environment after VS has transitioned from Backup to Active. |
PRJ-13702, |
Identity Awareness |
In some scenarios, when the user changes the TACACS+ server to a different one, the configuration is applied only after an MDS reboot. |
PRJ-12503, |
Identity Awareness |
In some scenarios, Identity Awareness counters in cluster environments show zero. |
PRJ-11484, |
SSL Inspection |
DynamicID authentication may fail due to server certificate validation failure. Refer to sk167177. |
PRJ-11511, |
SSL Inspection |
In some scenarios, there may be SSL Inspection issues in cluster environments on 1500 Series Security Gateways. Refer to sk170218. |
PRJ-10663, |
Anti-Malware |
In some scenarios, a "Feed Error" message appears when the user fetches a Custom Intelligence Feed. Refer to sk165932. |
PRJ-12809, |
Threat Emulation |
In a rare scenario, files are not uploaded for Threat Emulation or Threat Extraction inspection. |
PRJ-14224 |
ClusterXL |
In some scenarios, SmartConsole shows ClusterXL status as "is not responding". Refer to sk168187. |
PRJ-14612, |
SecureXL |
UPDATE: Added a global variable that enables log for packets that include unapproved IP option. This variable is off by default. |
PRJ-14514, |
SecureXL |
In a rare scenario, a VSX gateway with Virtual Switch may crash. |
PRJ-13414, |
SecureXL |
DECnet DIGITAL Network Architecture (Phase IV) traffic may be dropped. Refer to sk167202. |
PRJ-13763, |
SecureXL |
Security Gateway may crash when concurrent connection rules exist in the DOS/Rate limiting policy and the Application Control Blade is enabled. |
PRJ-14079, |
SecureXL |
For some topologies, RIPV2 neighbors may be missing. Refer to sk167934. |
PRJ-12254, |
Mobile Access |
In some scenarios, Mobile Access end-users become disconnected from their Citrix sessions after policy installation. |
PRJ-13730, |
Mobile Access |
In some scenarios, Web application SSO credentials are not displayed correctly in the 'Credentials' dialog when the application's destination hostname is configured as an IP address. |
PRJ-14435, |
Gaia OS |
NEW: Added support for CPAC-4-10-AB cards. |
PRJ-14596, |
Gaia OS |
NEW: Added Multi-Queue (MQ) support for Management interface. |
PRJ-13642, |
Gaia OS |
NEW: The i40e driver version was upgraded to improve performance. |
PRJ-13011, |
Gaia OS |
RX/TX ring size may reset when changing queue settings. |
PRJ-15424, |
Gaia OS |
Gaia API Service is offline after upgrade to R80.40. |
PRJ-13480, |
Gaia OS |
Intake and outlet temperature sensors display incorrect values on 15400 appliance. |
PRJ-12513 |
Gaia OS |
In some scenarios, due to backup compression errors, restoring a backup does not restore all files. |
PRJ-13719 |
Gaia OS |
In some scenarios, a snapshot creation may fail. |
PRJ-10352, |
Gaia OS |
In rare scenarios, clish consumes 100% CPU when the user runs a Tenable scan. Refer to sk166195. |
PRJ-14402, |
Gaia OS |
In some scenarios, the snapshot creation fails because of compression errors. |
PRJ-13926, |
Routing |
UPDATE: Increased the configuration limits of the BFD timers for detect multiplier, minimum RX interval, and minimum TX interval to 255, 255000, and 255000, respectively. |
PRJ-13979, |
Routing |
UPDATE: The logging of "aspath-regex" and "community-regex" routemap fields is now disabled by default and can be enabled through the trace log. |
PRJ-11805, |
VPN |
In some scenarios, an incorrect IPSec counter may be displayed with cpstats / SmartView Monitor / SNMP in a ClusterXL environment. Refer to sk167297. |
PRJ-14074, |
VPN |
When Security gateway is behind NAT and its main IP address is configured to NAT IP, Client may disconnect when using Visitor Mode. |
PRJ-14244, |
VPN |
VPN traffic may be dropped when working with peer behind NAT - Hide NAT with Port Translation. |
PRJ-13408, |
VPN |
In rare scenarios, the Global Domain Assignment view shows that a Global Domain Assignment is in the 'up to date' state even though it is not. |
PRJ-14075, |
VPN |
When using Visitor Mode, Endpoint Client behind NAT disconnects after 20 seconds when his private network overlaps with some network in the Encryption Domain. |
PRJ-15437, |
VSX |
VSs load up in parallel from boot/after cpstart from VS0. |
PRJ-14151, |
Endpoint Security |
In some scenarios, no audit logs are shown regarding object changes in SmartEndpoint virtual groups and FDE pre-boot users. Refer to sk167907. |
PRJ-14133, |
Endpoint Security |
In some scenarios, the user cannot get an FDE Offline Management File (cpomf) for an offline group in SmartEndpoint if this group or a directory in its path has special characters \ _ %. |
Take 77 Released on 18 August 2020 and declared as Recommended on 25 August 2020 |
||
PRJ-16351, |
Security Gateway |
Updated dependencies of internal OS packages during Security Gateway installation. |
PRJ-16314, |
Gaia OS |
In some scenarios, Cluster does not recognize bond subordinates. |
Take 74 Released on 05 August 2020 |
||
PRJ-10159, |
Logging |
"UserCheck Reference ID" field is missing from logs when the message of the UserCheck customized page is modified and does not contain the text "reference:". Refer to sk165355. |
PRJ-13589, |
Security Gateway |
In a rare scenario, Security Gateway may crash during policy installation. |
PRJ-15983 |
VPN |
Starting from R80.40 Jumbo Hotfix Take 48, clients that do not support MFA (such as Mac OS and iOS) cannot connect as Remote Access clients if MFA is enabled. Refer to sk168493. |
Take 69 Released on 27 July 2020 |
||
PRJ-12005, |
Security Management |
NEW: Added a new SmartTask trigger for "Before Login". |
PRJ-12026, |
Security Management |
NEW: Tasks that fail to complete within 18 hours will be stopped automatically and appear as failed. Refer to sk166455. |
PRJ-12376, |
Security Management |
Policy Presets may disappear from view after running the Solr Cure utility. Refer to sk167455. |
PRJ-12142, |
Security Management |
Management HA synchronization between the active Domain server to a standby Domain server may fail with "Failed to import data" error. |
PRJ-12671, |
Security Management |
If an administrator searches for a certain text in SmartConsole, it may cause the Management Server to become inaccessible until a restart. |
PRJ-14086, |
Security Management |
A policy that uses Access Role objects may incorrectly show the rule conflict when verifying it using "Verify Access Control Policy". The same policy will pass successfully when performing 'install policy', as expected. Refer to sk168066. |
PRJ-14089, |
Security Management |
Access Role in source \ destination column with "Redirect to Captive Portal" as an action on the Accept column may cause the policy verification to fail, but policy installation finishes successfully. Refer to sk167732. |
PRJ-10059, |
Security Management |
In some scenarios, Security policy deletion or installation may fail when there are many Application Control objects used in this policy. Refer to sk175588. |
PRJ-13157, |
Security Management |
In rare scenarios, a session becomes unusable, and one or more of the following may occur:
Refer to sk167735. |
PRJ-13034, |
Multi-Domain Management |
Global Policy reassignment may fail after performing the IPS update in the Global domain. |
PRJ-12901, |
SmartConsole |
NEW: Added more information on each Management API call to api.csv. |
PRJ-12906, |
SmartConsole |
When using the Management API "show-objects" command to show OPSEC application objects, it may fail with "Requested object [OBJECT ID] not found". |
PRJ-12975, |
SmartConsole |
When a VSX Cluster object is edited, no changes are made and the "Topology has changed. Please reinstall Security Policy" message is always displayed after clicking OK, even if no changes are made. |
PRJ-13900, |
SmartConsole |
Audit log is not shown in SmartConsole Logs & Monitor View for the login action through API when the "-r" flag is set to true (login as root). |
PRJ-10201, |
SmartView |
SmartView may show "query failed" error message when creating table widget with filter by source/destination host name. Refer to sk119056. |
PRJ-12692, |
Compliance |
Compliance Blade may show incorrect Best Practice status if one or more relevant network objects for that Best Practice is in status "N/A". |
PRJ-11889, |
Logging |
In some scenarios, searching for logs using "client_name" in the logging tab returns no values. |
PRJ-11312, |
Logging |
In Multi-Domain Management environments, some of the LOG_INDEXER processes may fail to start due to an occupied port. |
PRJ-13914, |
Security Gateway |
NEW: Added Spike Detector - a new daemon to automatically detect CPU spikes. Refer to sk166454. |
PRJ-11503, |
Security Gateway |
NEW: Added "Hold" override for unsupported protocols (i.e. GRE). Refer to sk148432. |
PRJ-13568, |
Security Gateway |
Connectivity issues may appear when ISP Redundancy is configured. |
PRJ-14483, |
Security Gateway |
When moving context in MDPS with mplane or dplane and bash logging is enabled, the 'grep' command is executed. |
PRJ-11743, |
Security Gateway |
Improved connectivity in a specific flow when ICAP Client is enabled with Trickling 3. |
PRJ-10298, |
Security Gateway |
In some scenarios, the license status of the Security gateway is not updated properly in SmartConsole. |
PRJ-11696, |
Security Gateway |
In a rare scenario, access rules with service type of "other" may not be matched correctly. Refer to sk166365. |
PRJ-13766, |
Security Gateway |
In a rare scenario, a traffic outage may occur when time objects are used in the access policy. |
PRJ-10767, |
Internal CA |
In some scenarios, no SIC between R80.x Security Management and R77 Security gateway after ICA certificate replacement procedure described in sk158096. |
PRJ-12341, |
URL Filtering |
In a rare scenario, policy installation may fail with "Error code: 0-2000112" if the URL Filtering Blade is active while no other feature or Blade is enabled. |
PRJ-12621, |
Identity Awareness |
After disabling and re-enabling the Identity Collector in SmartConsole, the Identity Collector may fail to connect to the PDP Gateway again. |
PRJ-13150 |
Anti-Virus |
In a rare scenario, Security gateway may crash while processing SMB3 multi-channel while Anti-Virus Blade is enabled. |
PRJ-13599, |
HTTPS Inspection |
In some scenarios, web traffic is blocked with "HTTP parsing error occurred" and "parameters are undecodable in request" errors. |
PRJ-13110, |
HTTPS Inspection |
In some scenarios, HTTPS websites may show corrupted text when HTTPS Inspection and Anti-Virus are enabled. |
PRJ-12767, |
Threat Extraction |
In rare scenarios, the watermark_cp_file_convertd daemon used by Threat Extraction may restart frequently, causing high CPU usage. Refer to sk168318. |
PRJ-13118, |
DLP |
Improved DLP functionality when working with IDA MUH1 and MUH2 agents. |
PRJ-11552 |
SecureXL |
In some scenarios, MCAST packets may not be accelerated on a PIM-SM RP Gateway. |
PRJ-12710, |
ClusterXL |
In some scenarios, a Cluster member forwards ICMP replies via its Sync interface after being rebooted. |
PRJ-12999, |
CoreXL |
On appliances with Dynamic Balancing enabled, allocation of CoreXL SND cores is limited by the interface with the minimal number of Rx queues. |
PRJ-13773, |
CoreXL |
On 23900, 26000(T) and 28000 appliances with Dynamic Balancing enabled, CPView shows several CPU cores as "Other". Dynamic Balancing does not work on these CPU cores. |
PRJ-11452, |
Gaia OS |
NEW: Added support for Smart-1 3150/3050 SAN and 'show asset' line cards for SAN. |
PRJ-12932, |
Gaia OS |
NEW: Added line card model information to "show asset network" output for the following appliance series: 5000, 6000, 15000, 23000, 7000, 16000, 26000, and 28000. |
PRJ-11047, |
Gaia OS |
UPDATE: CPView Network -> Top-Protocols and Network -> Top-Connections tabs were added back. Refer to sk167903. |
PRJ-12249, |
Gaia OS |
UPDATE: on Smart-1 5050:
|
PRJ-12762, |
Gaia OS |
In some scenarios, WebUI shows unknown HDDs that are not part of RAID. |
PRJ-13627, |
Gaia OS |
The show configuration clish command shows 'Exported by admin' label even if it is another user. |
PRJ-14451, |
Gaia OS |
In some scenarios, the snmpd process stops accepting connections in MDPS/VSX environment. |
PRJ-12956, |
Gaia OS |
User fails to add ecsda hot keys via clish to the hosts file. This prevents from setting up the scheduled backups before the system goes into production. |
PRJ-13272, |
Gaia OS |
In some scenarios, the value for Voltage/Fan/Temperature sensor may appear as "NotValid". |
PRJ-8950, |
Gaia OS |
In some scenarios, interface names may not correspond to the correct ports on 4-ports 10GbE SFP+ Rev 1.1 on 12200/4200/4400/4600/4800/TE250 appliances. |
PRJ-11499, |
Gaia OS |
In some scenarios, the PSU status is reflected even if there is no PSU on the appliance |
PRJ-10763, |
Gaia OS |
Only 1024 characters of a cron jobs output are displayed when using show cron jobs from clish. |
PRJ-12519, |
Gaia OS |
In some scenarios, a backup on a Gaia device with Threat Emulation Blade enabled may fail with "Cannot complete the backup process: not enough space". Refer to sk166833. |
PRJ-12465, |
VPN |
In a rare scenario, Security gateway may crash when using Remote Access VPN with L2TP clients. |
PRJ-12892, |
VPN |
IKEv2 rekey may fail when the resolved peer IP address is not the main IP address. Refer to sk166897. |
PRJ-13342, |
VPN |
In some scenarios, L2TP client fails to connect with "failed to write L2TP session params to kernel" error in vpnd.elg file. Refer to sk167636. |
PRJ-12195, |
VPN |
A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902. |
PRJ-14461, |
VPN |
In some scenarios, VPN tunnels may get disconnected. |
PRJ-12814, |
VSX |
When SNMP is in VS mode, the SNMPD process of VSs may re-launch every few minutes. Refer to sk167112. |
PRJ-14045, |
VSX |
"Internal Error - Failed to commit changes to OS" error when user creates a Wrp interface with MTU greater than 1500. Refer to sk167715. |
Take 67 Released on 23 July 2020 and declared as Recommended on 27 July 2020 |
||
PRJ-15513, |
Logging |
In some scenarios, logs are not available with "Query Failed" message in the logging view, and "An error occurred instantiating job to be executed. job= 'maintenance.routineMaintenance'" message appears in the $RTDIR/log/RFL.log file. Refer to sk168616. |
PRJ-14354, |
Gaia OS |
In some scenarios, user cannot start IPMI service and loses the IPMI functionalities like lominfo and lomipset. |
PRJ-12745, |
Gaia OS |
In some scenarios, user cannot start IPMI service on 21400 appliance with "service ipmi start" command. |
Take 65 Released on 19 July 2020 |
||
PRJ-14581, |
ClusterXL |
Connectivity issue may appear on a Standby cluster member after installing R80.40 Jumbo HotFix Takes 53-55. Refer to sk167874. |
Take 55 Released on 30 June 2020 |
||
PRJ-13958, |
Security Management |
Upgrade to R80.40 Jumbo HotFix Ongoing Takes 53 and 54 fails when upgrading from one of the following:
|
Take 54 Released on 24 June 2020 |
||
PRJ-13686 |
Security Management |
In some scenarios, when using many management API calls in parallel, the output is not consistent. Refer to sk167509. |
Take 53 Released on 15 June 2020 |
||
PRJ-11387, |
Security Management |
NEW: Significant performance improvement for policy installation time when many groups are defined on the Management Server. |
PRJ-10901, |
Security Management |
NEW: Set values for environment variables on the Management Server that will remain there after a Management Server upgrade, as well as Backup/Restore and Export/Import of the Management Server. Refer to sk165938. |
PRJ-12914, |
Security Management |
In some scenarios, pressing "Where Used" does not show a script that is used in SmartTasks. |
PRJ-12275, |
Security Management |
In Management HA configuration, a hotfix installation may incorrectly fail during the verification phase. |
PRJ-11586, |
Security Management |
In some scenarios, when using Rulebase Search, the 'number of rules' section is incorrect. Refer to sk166003. |
PRJ-12506, |
Security Management |
When using packet mode in Rulebase Search, results from inline layer may be matched even though their parent layer is not. |
PRJ-12359, |
Multi-Domain Management |
NEW: Added ability to log in to the Management Server with SmartConsole while MDS Backup is running. |
PRJ-12966, |
Multi-Domain Management |
In some scenarios, certain deleted domain level objects are visible in the SmartConsole at the MDS level. |
PRJ-9666, |
Multi-Domain Management |
In environments with more than five Multi Domain servers, changes to objects may not be reflected in the logs. |
PRJ-12484, |
Multi-Domain Management |
Multi-Domain Administrator configuration for RADIUS authentication may show local Domain RADIUS Servers and groups. |
PRJ-12326, |
Multi-Domain Management |
The "Recent Tasks" and "Install Policy Preset" views in MDS Domain may include Domain names, policy packages, and Gateways names. This information is not filtered according to the administrator's permission profile. |
PRJ-12206, |
Multi-Domain Management |
In some scenarios, changes to a .def file in $FWDIR/lib may be reverted when creating a secondary CMA. |
PRJ-11507, |
Multi-Domain Management |
A migration from Security Management server to a Domain on a Multi-Domain Management Server may fail with: "didn't find ObjectStoreSessionEntity for session <uuid> return null" error in cpm.elg file. |
PRJ-12556, |
Multi-Domain Management |
In some scenarios, updating firewall_properties in GuiDBedit in the MDS context fails. Refer to sk42184. |
PRJ-13187, |
Multi-Domain Management |
In a rare scenario, Advanced upgrade from R80.10 may fail. |
PRJ-12066, |
Multi-Domain Management |
The FWM process of domains may not stop after the user runs mdsstop or mdsstop_customer. |
PRJ-12778, |
SmartConsole |
NEW: Added API commands for user, user-template, user-group and identity-tag. |
PRJ-11074, |
SmartConsole |
NEW: Added ability to reset the following network object fields to be empty through the Management API: ipv4-address, ipv6-address, subnet4, subnet6, mask-length4, and mask-length6. |
PRJ-11906, |
SmartConsole |
In rare scenarios, certain domain level objects may not be visible in SmartConsole at the MDS level. |
PRJ-12457, |
SmartConsole |
In some scenarios, IPS update may be locked with the message "IPS management update is locked by Scheduled update" . |
PRJ-12539, |
SmartConsole |
Unable to delete Snort protections in Multi-Domain environment - they still exist after deletion. |
PRJ-12444, |
SmartConsole |
In some scenarios, IPS update tasks may stuck when multiple machines are attempting an update within the same time frame. |
PRJ-12961, |
SmartConsole |
Global Policy reassign in MDS may fail with 'An internal error has occurred' message after adding overrides to Snort protections. |
PRJ-12211, |
SmartConsole |
When running the "show-domain" API command, the "active" field may be missing from the reply. |
PRJ-11259, |
SmartConsole |
In some scenarios, Inspection Settings view under the General tab is blank. |
PRJ-11433. |
SmartProvisioning |
The SmartProvisioning application may hang when the user adds/edits Dynamic Objects in the LSM Gateway object editor. |
PRJ-11917, |
Security Gateway |
NEW: Added support for key renegotiation in SSH Deep Packet Inspection (DPI). |
PRJ-9121, |
Security Gateway |
Connections may be dropped when "keep all connections" is configured during policy installation. Refer to sk166212. |
PRJ-11781, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when using a non- FQDN domain object in the policy. |
PRJ-13078, |
Security Gateway |
When HTTPS Inspection is enabled using layer-2/bridge, traffic may be dropped when deciding the outgoing interfaces. |
PRJ-12733, |
Security Gateway |
In a rare scenario, memory is not freed correctly in the routing mechanism. |
PRJ-12237, |
Security Gateway |
In a rare scenario, Security Gateway memory consumption may increase when the Anti-Virus Blade is enabled. |
PRJ-13091, |
Security Gateway |
|
PRJ-13148, |
Security Gateway |
In some scenarios, IPS & APPI updates fail when Anti-Virus and Content Awareness Blades are active. |
PRJ-9700 |
Logging |
NEW: Added support for viewing MITRE ATT&CK fields in logs. |
PRJ-9317, |
Logging |
Logging view may show results from the wrong day if the server Time Zone is configured to use half/quarter hour deviations from standard time. |
PRJ-8923, |
Logging |
When the user searches logs in the "Logs and Monitor" tab in SmartConsole and applies a filter using the "?" wildcard, incorrect logs may be returned. |
PRJ-8481, |
Logging |
"Problem has occurred during search < External Log server > Disconnected" error may appear in "Logs & Monitor" tab after creating dummy object for NAT. |
PRJ-9738, |
SmartView |
In SmartView, deleting widgets and clicking on "Discard" may not revert all changes. |
PRJ-10671, |
SmartView |
In SmartView, when using a language other than English, an error may occur when drilling down on a widget. |
PRJ-11058, |
Application Control |
In some scenarios, Application Control update task may get stuck indefinitely when it is executed as part of Global Policy assignment. |
PRJ-12167, |
Application Control |
In some scenarios, Application Control updates in Multi-Domain High Availability environments may get stuck when multiple updates from different Domains/Multi-Domains take place simultaneously. |
PRJ-9565, |
Threat Prevention |
The number of overrides in Threat Prevention policy -> Profile -> Overrides may also show inactivated overrides, with mismatched information between "override" and "User Modified". |
PRJ-12433, |
Threat Prevention |
In a rare scenario, when Threat Prevention Forensics feature is enabled, memory usage may rise on the Security gateway due to failures in memory release flow. |
PRJ-10672, |
SSL Inspection |
NEW: Added support for FutureX HSM when working with outbound HTTPS Inspection. |
PRJ-11435, |
Anti-Malware |
In some scenarios, "Feed Error" message appears when fetching a IoC feed. |
PRJ-10849, |
UserCheck |
In a rare scenario, the UserCheck daemon may fail with core dump file created. |
PRJ-12603, |
Mobile Access |
Mobile Access ActiveSync session timeout may not update properly, generating repeated error messages in the 'cvpnd.elg' debug output. |
PRJ-10417, |
Mobile Access |
Some Web applications published by Mobile Access Blade may not work in Host Translation mode. |
PRJ-9780 |
ClusterXL |
Resetting SIC on a Cluster member may result in CCP Encryption turned OFF while it should remain ON. |
PRJ-10979, |
ClusterXL |
SNMP Response for OID .1.3.6.1.4.1.2620.1.5.6 ("haState") is "Active" on all members of ClusterXL High Availability mode. Refer to sk106291. |
PRJ-11611, |
ClusterXL |
In some scenarios, the fwk process unexpectedly exits on cluster member. |
PRJ-11402, |
SecureXL |
NEW: Performance improvement for DOS/Rate Limiting rules under a high connection rate. |
PRJ-12548, |
SecureXL |
NEW: Added tunable kernel parameter "adp_mc_rt_hold_queue_len" to adpkern.conf to eliminate multicast packet drops at the start of a connection (when large bursts of multicast traffic are expected). |
PRJ-12019, |
SecureXL |
In some scenarios, ACK, FIN, and RST TCP packets may be dropped, causing outages. |
PRJ-11551 |
SecureXL |
MCAST packets may be handled incorrectly when promiscuous (tcpdump) mode is enabled for the interface. |
PRJ-12175, |
SecureXL |
In some scenarios, TCP traffic containing the TCP Fast Open option may be dropped by the Security Gateway. |
PRJ-11684, |
Routing |
NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners. |
PRJ-12222, |
Routing |
In some scenarios, routed process unexpectedly exits when adding an interface to OSPFv3 with a prefix length above 63 and having two or more areas. |
PRJ-10734, |
VSX |
NEW: Adding bridge interfaces to a regular VS in VSX is allowed via vsx_provisioning_tool by using this command: attach bridge vd <vs_name> ifs1 <first_interface_name> ifs2 <second_interface_name> |
PRJ-12622, |
VSX |
In a rare scenario, creating new VSX and pushing configuration may cause the cluster members to crash. |
PRJ-13060, |
VSX |
When performing a provisioning operation in VSX, process may hang on "Pushing configuration to ...". Refer to sk167175. |
PRJ-12813, |
Gaia OS |
The activate_sw_raid utility may fail due to incorrect disk names. |
PRJ-11755, |
Gaia OS |
The snmptrap command fails and shows an error related to EngineID. |
PRJ-11854, |
Gaia OS |
On 15600 appliances, the "service ipmi start" command may fail to start the IPMI Service. |
PRJ-10309, |
Gaia OS |
Incorrect status may be displayed in Clish for pulled PSU. |
PRJ-10273, |
VPN |
NEW: 3DES is disabled by default for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI, and Mobile Access curl. |
PRJ-12102, |
VPN |
NEW: Added Large-scale support for Visitor Mode. Refer to sk168297. |
PRJ-12179, |
VPN |
Connectivity improvements for Remote Access VPN using Traditional mode. |
PRJ-11644, |
VPN |
Added Stability improvement for Remote Access VPN. |
PRJ-11711, |
Endpoint Security |
In SmartEndpoint, Anti-Malware's "Top Infections" report has an empty infection name. Refer to sk166232. |
PRJ-11825, |
Endpoint Security |
Users/devices may not change their locations in the tree according to Active Directory changes when certain special characters appear in the names. |
PRJ-11841, |
Endpoint Security |
Cannot delete the client MSI package from SmartEndpoint because of previously deleted FDE offline group. |
PRJ-11833, |
Endpoint Security |
The Endpoint directory scanner may fail to reconnect to the AD if the connection was lost during the scan. |
PRJ-11820, |
Endpoint Security |
The default paths for offline folders in SmartEndpoint -> Offline group creation wizard may be incorrect. |
PRJ-11837, |
Endpoint Security |
An error in FDE pre-boot users calculation may cause Endpoint to be left in a disconnected state. Refer to sk142313. |
PRJ-11145, |
Endpoint Security |
Local users may not be displayed under the selected machine in the "Users and Computers tab" in SmartEndpoint. Refer to sk166316. |
PRJ-11816, |
Endpoint Security |
When a user name is updated in SmartEndpoint, the change may result in an unexpected expiration date. Refer to sk165872. |
PRJ-11245, |
VoIP |
SIP calls with NAT (SIP packet with no SDP but content-type=sdp) may fail to open correctly. |
PRJ-9105, |
VoIP |
In a rare scenario, Security gateway crashes when passing SIP traffic. Refer to sk166474. |
Take 48 Released on 21 May 2020 and declared as Recommended on 25 May 2020 |
||
PRJ-12414, |
Security Gateway |
In a rare scenario, Security gateway may crash while processing the SMTP traffic due to a memory corruption. |
PRJ-12499, |
SecureXL |
SCTP Stateful inspection and payload NAT (INIT Chunks) may not work correctly in some scenarios. |
PRJ-12738 |
VPN |
Some Remote Access clients that do not support Multi-Factor Authentication (MFA) are able to connect to a Security Gateway even though the "Allow older clients" option is disabled. Refer to sk166912. |
PRJ-12629, |
VPN |
Improved the VPN connectivity with DAIP peers when Tunnel Monitoring is enabled. Refer to sk164933. |
PRJ-11369, |
Gaia OS |
SNMP Trap may not be sent even though a failover occurred. Refer to sk166100. |
PRJ-11829, |
Endpoint Security |
SmartEndpoint may export a report to Excel in which incorrect distinguished names appear for deleted users/computers. Refer to sk163943. |
Take 45 Released on 10 May 2020 |
||
PRJ-8281, |
Security Management |
The FWM and\or INDEXER processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452. |
PRJ-11956, |
Security Gateway |
In a rare scenario, Security Gateway may crash due to NULL pointer reference |
PRJ-9707, |
Logging |
The FWD process may unexpectedly exit if one of the following changes were made using GuiDBEdit:
|
PRJ-11007, |
Logging |
In some scenarios, changes made to Network Objects on the Security Management Server are not reflected in the logs view. Refer to sk166493. |
PRJ-10885, |
Anti-Malware |
In some scenarios, Microsoft update and other download connections may fail when Strict Hold mode is enabled. |
PRJ-11237, |
VPN |
Connectivity improvement for VPN over NAT traversal (UDP 4500). Refer to sk155953. |
PRJ-11012, |
Gaia OS |
NEW: Added support for Jumbo Hotfix installation on Check Point 3800, 6400, 6700, 7000, 16200, 16600HS, 28000, and 28600HS appliances. Refer to sk110052, sk139932, and sk152733.
|
Take 38 Released on 26 April 2020 |
||
PRJ-10631, |
Installation |
Firmware upgrade for Small Office appliance using SmartProvisioning in Multi-Domain Management environment may fail. |
PRJ-8645, |
Security Management |
NEW: Performance enhancements while the Management Server is under high load. |
PRJ-11118, |
Security Management |
NEW: Added ICA Management security enhancements. |
PRJ-10473, |
Security Management |
In a rare scenario, export from the previous version does not complete because the Postgres dump_all process gets stuck. |
PRJ-11722, |
Security Management |
Scheduled IPS update operation on the Security Management server may not be triggered after server reboot/restart. Refer to sk166216. |
PRJ-10221, |
Security Management |
When the user runs the 'add-domain' Web API command on an existing Domain, the original Domain is deleted. |
PRJ-10089, |
Security Management |
The cpm_solr process may unexpectedly exit and cause one of the following:
|
PRJ-10515, |
Security Management |
In some scenarios, Check Point services fail to start and the CPM log shows that there are duplicate session aggregators. |
PRJ-9323, |
Security Management |
In some scenarios, a disconnected SmartView Monitor session appears in SmartConsole with a grayed out 'Disconnect' option, which cannot be discarded. Refer to sk165037. |
PRJ-9300, |
Security Management |
In a rare scenario, the "SmartDashboard component failed to connect to server <IP address>. Please contact technical support" error is displayed in SmartConsole when opening the Management object for editing. |
PRJ-11167, |
Multi-Domain Management |
In a rare scenario, synchronization between Multi-Domain Management Servers breaks after revisions purge operation. |
PRJ-9699, |
Multi-Domain Management |
MLM may open a connection to the reversed IP address of the Multi-Domain Server. |
PRJ-10527, |
Multi-Domain Management |
Upgrade of Multi-Domain Server may fail if Sync With User Center is running. |
PRJ-9241, |
Multi-Domain Management |
In some scenarios, secondary MDS or MLM fail to renew a management certificate. Refer to sk164732. |
PRJ-11177, |
Multi-Domain Management |
In some scenarios, Full synchronization fails in the Global Domain with "Full sync with peer '[Peer Name]' NGM failed to import data" error. Refer to sk145972. |
PRJ-11517, |
Multi-Domain Management |
In rare scenarios, upgrading the Multi-Domain Server fails to upgrade some Domain Servers with "IllegalArgumentException" in the upgrade log. |
PRJ-10366, |
Multi-Domain Management |
After performing Full synchronization or failover of the Global Domain, the following operations may fail (refer to sk145972):
|
PRJ-9262, |
Multi-Domain Management |
Upgrade of Multi-Domain Server may fail when the source version is R80.10 and there is no license configured on the target machine. |
PRJ-10531, |
Multi-Domain Management |
The mds_import.sh script may fail if the IPS version for a Domain/CMA does not exist on the R80.x Multi-Domain Management Server. |
PRJ-10510, |
Multi-Domain Management |
In some scenarios, if a Domain is deleted while the user performs a multi-site upgrade from R77.x (before all machines complete the upgrade), some Domains may not be assigned to Admins and Trusted Clients, as before the upgrade. Updating those Admins and Trusted Clients may also fail. |
PRJ-10747, |
Multi-Domain Management |
In some scenarios, policy installation from the Domain Management Server fails after an mds_backup procedure that was interrupted. Refer to sk165559. |
PRJ-11284 |
Multi-Domain Management |
Access policy installation may get stuck in a specific scenario in MDS environments. Refer to sk166106. |
PRJ-10504, |
Multi-Domain Management |
The import-smart-task Management API may fail in the second Domain on the Multi-Domain machine when it is executed with same exported file. |
PRJ-9290, |
SmartConsole |
NEW Enhancement: Two new flags were added for the performance improvement of Threat Protection API commands: "show-profiles" and "show-ips-additional-properties". The default value for both flags is false. |
PRJ-10374, |
SmartView |
In some scenarios, after user imports view/report in SmartView, the imported view/report is not shown in the Catalog. |
PRJ-10707, |
SmartProvisioning |
In some scenarios, after creating a Small Office gateway using LSMCli, some fields in the gateway object on the SmartProvisioning are not populated. |
PRJ-9644, |
Security Gateway |
NEW: Added support for the bridge configuration when packet is passing via the Security gateway twice. |
PRJ-10795, |
Security Gateway |
In some scenarios, when a Custom Intelligence Feed is enabled, the Security Gateway may crash. |
PRJ-10173 |
Security Gateway |
After installing R80.40 Jumbo Hotfix, Dynamic Split is disabled. |
PRJ-10207, |
Security Gateway |
ICAP Client may not work properly when Threat Extraction Blade is enabled.
|
PRJ-11538 |
Security Gateway |
In a rare scenario, Security gateway may crash with vmcore. |
PRJ-11531, |
Security Gateway |
In a rare scenario, Security gateway may crash while connection is closed while being held. |
PRJ-10887, |
Security Gateway |
In a rare scenario, a memory leak may appear in Anti-Virus inspection on SMB protocol. |
PRJ-9690, |
Security Gateway |
Traffic may be dropped on DAIP gateway after the gateway IP address is changed or the gateway is rebooted. Refer to sk165176. |
PRJ-8657 |
Security Gateway |
In a rare scenario, creating a Virtual Switch can lead to crash. |
PRJ-9835, |
Security Gateway |
When ISP Redundancy is configured on a cluster, the backup ISP link status may show as down even though the link is up. |
PRJ-10283, |
Anti-Malware |
NEW: Added support to allow Threat Extraction to scan a file download in additional scenarios. |
PRJ-10758, |
Identity Awareness |
In some scenarios, multiple "idapi_load_data_impl: session id <Session ID> not found in client_db, although ip <Session IP> was assigned to it" errors appear in /var/log/messages file. Refer to sk167174. |
PRJ-10387, |
Identity Awareness |
In a rare scenario, identity session groups and access roles may disappear following a policy installation. |
PRJ-10085, |
Content Awareness |
Added ability not to drop the connections if the files are downloaded with HTTP 206 out of range. |
PRJ-10856, |
Application Control |
NEW: Gateway status will reflect Application Control and URL Filtering updates. |
PRJ-9935, |
HTTPS Inspection |
In some scenarios, when the minimum version of HTTPS Inspection is set to TLS 1.1, some websites may unexpectedly exit. Refer to sk165555. |
PRJ-10738, |
SSL Inspection |
In a rare scenario, a memory leak may appear when SSL inspection is enabled. |
PRJ-10940, |
IPS |
In a rare scenario, the fw_full process may unexpectedly exit. |
PRJ-10970, |
DLP |
NEW: Reading and sending files from the registry by DLP was optimized. |
PRJ-9694, |
DLP |
In some scenarios, DLP prints wrong error message in the log. |
PRJ-9329, |
DLP |
Improved the scanning time of files for some scenarios in SMTP and HTTP/S. |
PRJ-9436 |
DLP |
In a rare scenario, the dlpu process, a component in Anti-Virus and Threat Emulation, may unexpectedly exit. |
PRJ-9775, |
DLP |
In some scenarios for SMTP, when an internal user sends an email, the DLP logs may show the topology as "external to external" instead of "internal to internal". |
PRJ-11023, |
ClusterXL |
Active VRRP cluster member may not show full accounting information in logs. Refer to sk159432. |
PRJ-10235, |
SecureXL |
Policy installation may fail with "Error code 0-2000240" when Drop templates option is enabled. Refer to sk165716. |
PRJ-10000, |
SecureXL |
UPDATE: Improved TCP state inspection for "Smart Connection Reuse" feature. |
PRJ-9828, |
SecureXL |
In some scenarios, SYN Defender cookie validation may fail. |
PRJ-8977 |
SecureXL |
When PIM-SM multicast routing transitions from RPT to SPT, packets may be dropped or become out-of-order. |
PRJ-8774, |
SecureXL |
In some scenarios, held packets are incorrectly reported to the penalty box. |
PRJ-8916, |
SecureXL |
In some scenarios, multicast packets arrive to the Security gateway in order, but leave out-of-order. |
PRJ-9972, |
Logging |
In a Multi-Domain environment, one or more CMA's SMARTLOG_SERVER processes may fail to start after upgrade. Refer to sk165262. |
PRJ-11364, |
Logging |
In a rare scenario, the CPD process on a Security Management Server that manages R77.30 Security Gateway may unexpectedly exit. |
PRJ-11846, |
Logging |
Log exporter process may unexpectedly exit after enabling export of log attachment IDs. |
PRJ-9957, |
VoIP |
In some scenarios, UA traffic is dropped when packet contains more than 9 UA's. Refer to sk135114. |
PRJ-11036, |
VPN |
In some scenarios, VPN traffic distribution change may cause high CPU consumption on one CPU core. Refer to sk165853. |
PRJ-9587, |
VPN |
In a rare scenario, vpnd process unexpectedly exits due to Segmentation fault. |
PRJ-10558, |
VPN |
Improved the VPN Site-to-Site tunnel establishment scenario with IKEv2. |
PRJ-8726 |
VPN |
In some scenarios, vpnd cores may be generated sporadically during boot time/cluster failovers on the Cluster Standby Member. |
PRJ-10391, |
VPN |
In a rare scenario, vpnd process unexpectedly exits due to issue in IKEv2 flow. |
PRJ-9586 |
VPN |
Improved the VPN Connectivity with DAIP peers. Refer to sk164933. |
PRJ-9911, |
VPN |
Improved stability of VPN traffic on VSX Gateway. |
PRJ-11017, |
Gaia OS |
In a rare scenario, Security gateway may crash when SSH Deep Packet Inspection (SSH DPI) is enabled. |
PRJ-10075, |
Gaia OS |
The "show asset all" command displays the total number of cores instead of the online number of cores, even if the Hyper-Threading is disabled. |
PRJ-11536, |
Gaia OS |
In some scenarios the snmpd process floods /var/log/messages with errors regarding parsing voltage sensor value. |
PRJ-9131, |
Endpoint Security |
Endpoint Standalone Remote Help Server may not start syncing automatically on the first connect. |
PRJ-10120, |
Compliance |
In some scenarios, database import on single Domain machines where the Compliance Blade is activated fails, and as a result, the FWM process unexpectedly exits after the import. |
PRJ-10868, |
CloudGuard Network |
In a rare scenario, the OpenStack Data Center becomes unresponsive, resulting in a loss of updates to the Security Gateway. |
PRJ-10914, |
CloudGuard Network |
When an Azure subnet is missing its prefix attribute, the Microsoft Azure Data Center may fail to poll data, resulting in a loss of updates to the Security gateway. |
PRJ-11026, |
CloudGuard Network |
When an Azure Virtual Network Interface is missing its properties' primary attribute, the Microsoft Azure Data Center may fail to poll data, resulting in a loss of updates to the Security gateway. |
PRJ-10903, |
VSX |
In VSX cluster with VMAC mode, traffic may not pass through VSX Cluster members. Refer to sk138894. |
Take 25 Released on 16 March 2020 |
||
- |
General |
NEW: Added support for Security Gateway running on Open Servers. |
PRJ-9090, |
Security Management |
In a rare scenario, when an environment has many Gateways (dozens), the FWM daemon may unexpectedly exit when 4 GB of memory is reached. Refer to sk165015. |
PRJ-8409, |
Security Management |
In some scenarios, when the user modifies a policy rule and creates a section above it in the same session, the log tracker shows that the rule was created instead of modified. |
PRJ-8406, |
Security Management |
In some scenarios, the exported database may be very large and include redundant data. |
PRJ-9312, |
Security Management |
The "Unused Objects" filter in Object Explorer may display a failure message if there are more than 20000 unused objects.
|
PRJ-9215, |
Security Management |
Logging into SmartConsole to the Standby Management Server with a RADIUS or TACACS user may fail after changing the shared secret on the RADIUS or TACACS object. |
PRJ-9266, |
Security Management |
Policy verification may fail after the user does the following steps: Configures specific install targets for a policy, publishes them, changes the install targets back to "All Gateways", and tries to install them on a Gateway which is not in the original list of targets. |
PRJ-9398, |
Security Management |
In a rare scenario, the FWM process will utilize 100% CPU, and connections to SmartConsole may fail. |
PRJ-8794, |
Security Management |
Improved the Access Control Policy installation time for environments with high amount of objects and enabled IPSEC VPN Blade. Refer to sk166321. |
PRJ-6936 |
SmartConsole |
NEW: Added R80.30SP to the list of versions for supported hardware. |
PRJ-9080, |
SmartConsole |
In some scenarios, the Management Server may unexpectedly exit following authenticated API commands to create or update objects with extremely long comments. |
PRJ-9466, |
SmartConsole |
In some scenarios, when the user attempts to delete a Gateway / Cluster member, an error message may appear and the operation may not complete successfully. |
PRJ-8753 |
SmartConsole |
In some scenarios, on a Global domain, when the user sets a logging option of an IPS protection whose activation is Detect or Prevent, the activation of the protection is set to "Inactive" on the local domain after an Assign Global Policy operation. |
PRJ-9544 |
SmartConsole |
When the user invokes the 'show-access-layer' API command, the parent layer may be missing from the output result. |
PRJ-9977, |
Security Gateway |
In a rare scenario, a non-HTTP traffic on port TCP/80 is dropped. |
PRJ-9052, |
Security Gateway |
Global connections may not be freed correctly when the Gateway acts as a Proxy. |
PRJ-8275 |
Security Gateway |
In some scenarios, a Security policy installation fails during high CPU utilization. |
PRJ-10345, |
Security Gateway |
In a rare scenario, after upgrading a Security Gateway to R80.40, the LOG_INDEXER process running on the Log server may consume 100% CPU and cause the indexing backlog. |
PRJ-9446, |
Security Gateway |
Added logs for packets that include invalid TCP options. This feature is off by default. |
PRJ-9898, |
Security Gateway |
In a rare scenario, the Citrix server communication may fail. |
PRJ-10480, |
Security Gateway |
In some scenarios, Accounting log shows a wrong total packets value. |
PRJ-8884, |
Security Gateway |
In a rare scenario, Security gateway may crash when activating a web parsing debug. |
PRJ-9900, |
Security Gateway |
In a rare scenario, when the web server is defined, policy installation fails with "Error code 0-20000111". |
PRJ-8861, |
IPS |
In a rare scenario, Security gateway may crash due to NULL pointer reference. |
PRJ-9450, |
IPS, |
In some scenarios, SmartConsole shows "No license" and "Contract is expired" for IPS Blade in VSX. Refer to sk164917. |
PRJ-9395, |
Identity Awareness |
Performance improvement in the automatic LDAP group update feature. |
PRJ-7201, |
SSL Inspection |
NEW: Added support for proxy configuration when downloading CRL from a VSX device. Refer to sk151115. |
PRJ-8498, |
Logging |
Added "Resource", "Application Risk", "Application Name" and "Application Category" fields to the exported CSV file. |
PRJ-8548 |
Logging |
NEW: Log Exporter feature exports log attachment identifiers and adds the ability to fetch them through the Management API command. |
PRJ-8683, |
Logging |
In some scenarios, Threat Emulation Logs cannot be viewed in the logging or reporting views because of a certain format of the "file size" field sent from the Security gateway. Refer to sk166997. |
PRJ-9075, |
Routing |
In some scenarios, a corrupted BGP AS4_PATH attribute value may result in an invalid, long BGP update that is rejected by the BGP peer. |
PRJ-9129, |
SecureXL |
NEW: Added acceleration support for Ethernet Over IP Tunneling (EOIP). EOIP is RFC 3378 protocol # 97 used between Wireless AP and Wireless Cisco controller. |
PRJ-10197, |
Gaia OS |
CVE-2020-8597: pppd is vulnerable to buffer overflow. Refer to sk165875. |
PRJ-8583, |
Gaia OS |
Multi-Queue configuration cannot be assigned to interfaces that use the "mlx5_core" driver (to check, run the "ethtool -i <name of interface>" command). |
PRJ-9357, |
Gaia OS |
On 3600 and 3600T appliances, alarm led turns on if one of the PSU is disconnected. Refer to sk166000. |
PRJ-8142 |
CloudGuard Network |
NEW: Added support for Data Center objects with ClusterXL configured in Active/Active mode. |
PRJ-8570, |
CloudGuard Network |
The Management API add-data-center-server for vCenter Data Center uses the "unsafe-auto-accept" parameter with default value set to false. In some scenarios, this setting causes the opposite behavior. |