List of All Resolved Issues and New Features in R80.40 Jumbo Hotfix Accumulator

 

Review the Important Notes section before installing a new Take.

 

This version will reach its End of Support on April 30, 2024

ID

Product

Description

Take 206

Released on 28 December 2023 and declared as Recommended on 16 January 2024

PRJ-51600,

SMB-16203

Security Management

In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803.

Take 205

Released on 19 November 2023

PRJ-49981,

PMTR-74309

Security Management

UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3.

PRJ-49980

Security Management

UPDATE: Removed a redundant rule-assistant.war package.

PRJ-49822,

PMTR-95347

Security Management

UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22.

PRJ-49784,

PMTR-95614

Security Management

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

PRJ-49106,

PMTR-94517

SmartConsole

UPDATE: Applied security related improvements to the Jetty open source library.

PRJ-50122,

PRJ-50322,

ODU-1217,
ODU-1328

CPView

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-50041,
ODU-1264

CPView

UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458.

PRJ-49743,

PMTR-95099

Mobile Access

UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default.

PRJ-48337,
ODU-1081

CloudGuard Network

UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-45978,
ODU-1154

Scalable Platforms

UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-50540,
ODU-1113

HCP

UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-50188,

PMTR-96205

IPS

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

Take 198

Released on 19 July 2023 and declared as Recommended on 30 August 2023

PRJ-44574,
PMTR-90463

Internal CA

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

PRJ-45488,
PRHF-28303

Security Management

UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster).

PRJ-45293,
PMTR-86221

Security Management

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

PRJ-44950,
PRHF-28082

IPS

UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.

PRJ-44434,
PMTR-89908

ClusterXL

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

PRJ-43603,

PRHF-22566

SecureXL

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

PRJ-43967,
PRHF-27306

VPN

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

  • To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

  • To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

PRJ-46914,
PMTR-80877

VPN

UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL.

PRJ-47510,
PMTR-93037

GaiaOS

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

  • To see the current state of this feature: show audit login-notifier

  • To enable this feature (this is the default): set audit login-notifier on

  • To disable this feature: set audit login-notifier off

PRJ-45268,
PMTR-91124

GaiaOS

UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311.

PRJ-44637,
PMTR-90527

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

PRJ-44357,
PRJ-44354

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region.

PRJ-45470,
ODU-827

CPView

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

PRJ-45503,
ODU-835

CPView

UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-45905,
ODU-946

Scalable Platforms

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-44863,
PMTR-89393

Scalable Platforms

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

PRJ-45386,
ODU-914

HCP

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-45156,
PRHF-28175

Security Management

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

PRJ-42037,
PRHF-25898

Security Management

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

PRJ-44083,
PRHF-27440

Security Management

Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514.

PRJ-43557,
PRHF-26971,
PRJ-45048,
PRHF-27847,

PRJ-42546,
PRHF-26016

Security Management

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

PRJ-42420,
PRHF-26275

Security Management

In some scenarios, an upgrade may fail when a Network object Group contains more than 32000 members.

PRJ-43184,
PRHF-26778

Security Management

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

PRJ-42550,
PRHF-26118

Security Management

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

PRJ-35492,
PRHF-21009

Security Management

The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted.

PRJ-44627,

PMTR-90519

Security Management

There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder.

PRJ-44458,
PRHF-27327

Security Management

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

PRJ-45485,
PRHF-21566

Security Management

In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation".

PRJ-45871,
PRHF-28640

Security Management

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

PRJ-45058,
PRHF-28094

Security Management

In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858.

PRJ-43809,
PRHF-27187

Security Management

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

PRJ-45652,
PRHF-28407

Security Management

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

PRJ-44993,
PRHF-27895

Security Management

In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out.

PRJ-39773,
PRHF-24049

Security Management

Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command.

PRJ-46396,
PRHF-28962

Security Management

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-43689,
PRHF-27130

Multi-Domain Management

Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain's policy.

PRJ-44449,
PRHF-27276

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

PRJ-45052,
PRHF-27948

Multi-Domain Security Management

In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked.

PRJ-46085,
PRHF-28685

Multi-Domain Security Management

A scheduled Install Policy Preset may not have its next run time updated when:

  • The Multi-Domain Security Management Server was down while the preset was scheduled to run

  • There are over 50 presets defined

PRJ-46102,
PRHF-28809

Multi-Domain Management

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

PRJ-45066,
PRJ-46160,
PRHF-28192,
PRHF-28143

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-44967,
PRHF-28002

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages.

PRJ-40736,
PRHF-24558

Multi-Domain Security Management

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

PRJ-46507,
PRHF-28930

SmartConsole

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

PRJ-44335,
PMTR-89535

CPView

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

PRJ-41664,
PRHF-25662

Logging

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

PRJ-39253,
PRHF-23374

Logging

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

PRJ-45415,
PRHF-28191

Logging

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

PRJ-38478,
SL-6728

Logging

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

PRJ-20170,
PRHF-14263

Logging

In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached.

PRJ-41592,
PRHF-25533

Logging

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

PRJ-46537,
PRHF-12636

Security Gateway

The FWK process may unexpectedly exit while processing the mail flow and generate a core dump.

PRJ-45953,
PMTR-83450

Security Gateway

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

PRJ-41965,
PRHF-25829

Security Gateway

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

PRJ-44309,
PRHF-27439

Security Gateway

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

PRJ-46685,
PMTR-91240

Security Gateway

When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops.

PRJ-46051,
PRHF-28455

Security Gateway

The Security Gateway may crash while inspecting non-HTTP traffic.

PRJ-46332,
PRHF-28842

Security Gateway

The Security Gateway may crash after a failure in policy installation.

PRJ-45481,
PRHF-27892

Security Gateway

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

PRJ-38109,
PRHF-22608

Security Gateway

In some scenarios, the Security Gateway may crash.

PRJ-45801,
PRHF-28559

Security Gateway

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

PRJ-44998,
PRHF-27844

Security Gateway

In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped.

PRJ-45395,
PRHF-28037

Security Gateway

Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801.

PRJ-45494,
PRHF-28324

Security Gateway

On the Security Gateway with Management Data Plane Separation (MDPS) enabled:

  • when adding a RADIUS Server from WebUI, a new MDPS task with the IP address of the Server may not be added,

  • when deleting a RADIUS Server, the MDPS task may not be deleted.

PRJ-46338,
PRHF-28674

Security Gateway

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

PRJ-44249,
PRHF-27426

Security Gateway

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

PRJ-45476,
PRHF-28350

Security Gateway

Security Gateway may crash when running kernel debugs of the "UP" module.

PRJ-42528,
PRHF-25233

Security Gateway

In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart.

PRJ-44958,
PMTR-86007

Security Gateway

When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur.

PRJ-40876,
PMTR-85619

Security Gateway

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

PRJ-45184,
PMTR-90969

Security Gateway

Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705.

PRJ-44750,
PRHF-27707

Security Gateway

Policy installation may fail with "Error 2000240" because of an IPv6 flow issue.

PRJ-42356,
PMTR-88174

Security Gateway

Latency in connection caused by a packet flow change from F2V to F2F.

PRJ-44079,
PRHF-26620

Security Gateway

In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated.

PRJ-41202,
PRJ-41563

Security Gateway

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

PRJ-36110,
PRHF-21819

Security Gateway

When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email.

PRJ-44230,
PRHF-27318

Security Gateway

After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore.

PRJ-44918,
PRHF-27936

Security Gateway

After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

PRJ-44093,
PRHF-27460

Security Gateway

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

PRJ-41876,
PMTR-87372

Security Gateway

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

PRJ-45447,
PRHF-28277

Security Gateway

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

PRJ-43531,
PRHF-26097

Security Gateway

The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated.

PRJ-44853,
PRHF-27465

Security Gateway

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

PRJ-47125,
PRHF-29292

Security Gateway

In some scenarios, after an upgrade, the FWD process may unexpectedly exit.

PRJ-43854,
PMTR-83014

Security Gateway

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

PRJ-44802,
PMTR-57754

Threat Prevention

In some scenarios, parsing a custom intelligence feed with IP ranges may fail.

PRJ-43995,
PRHF-25811

Threat Prevention

IoC feed may not load because of a parsing issue with the IP address range indicator.

PRJ-42583,
PMTR-88424

Threat Prevention

When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced.

PRJ-44220,
PRHF-27358

Threat Prevention

In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled.

PRJ-44549,

PRHF-27765

Threat Prevention

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

PRJ-44568,
PRHF-27749

Threat Prevention

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed".

PRJ-45560,
PRHF-21271

Threat Prevention

In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail.

PRJ-45810,
PRJ-41688

Threat Prevention

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

PRJ-39345,
PRHF-23473

Identity Awareness

There may be connectivity issues and high CPU spikes on PDP when installing policy.

PRJ-43745,
PRHF-27158

Identity Awareness

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

PRJ-44314,
PRHF-27270

Content Awareness

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

PRJ-47062,
PMTR-92599

Application Control

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

PRJ-45426,
PRHF-28304

Application Control

Some TLS1.3 applications without SNI do not match the rules.

PRJ-44381,
PRHF-27645

Application Control

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

PRJ-44178,
PMTR-89863

IPS

In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic.

PRJ-42712,
PRHF-26557

IPS

In a rare scenario, the Security Gateway may crash during an IPS package update.

PRJ-47646

IPS

In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex.

PRJ-43581,
PRHF-27076

DLP

A memory leak may occur in the DLPU process.

PRJ-45753,
PRHF-15953

Anti-Virus

The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries.

PRJ-46775,
PRHF-28851

Anti-Virus

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

PRJ-47262,
PMTR-91800

SSL Inspection

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

PRJ-45192,
PRHF-28182

Mobile Access

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

PRJ-44289,
PRHF-27598

Mobile Access

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

PRJ-46400,
PRHF-28925

Mobile Access

Sending emails with attachments via Capsule Workspace may fail on iOS.

PRJ-45347,
PRHF-28275

ClusterXL

After an upgrade, cluster members may frequently crash, causing instability in the environment.

PRJ-46503,
PRHF-28936

ClusterXL

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

PRJ-44453,
PRHF-27561

ClusterXL

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

PRJ-44872,
PRHF-27540

SecureXL

Traffic may be dropped and the FWACCEL core file is generated.

PRJ-44675,
PRHF-27803

SecureXL

After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped.

PRJ-44703,
PRHF-27225

Routing

Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table.

PRJ-42186,
MBS-16158

Routing

Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear.

PRJ-44922,
PMTR-90799

Routing

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

PRJ-45377,
PRHF-26701

Routing

A VRRP/VRRP6 interface may go into Master/Master state.

PRJ-44938,
PRHF-23766

Routing

After an update, multicast traffic may be dropped.

PRJ-44707,
PRHF-27240

Routing

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

PRJ-41115,
PRHF-23620

Routing

There may be high CPU utilization and slow recovery of the ROUTED process after a failover.

PRJ-41111,
PMTR-73346

Routing

It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time.

PRJ-43408,
PRHF-6347

Routing

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

PRJ-41329,
PRHF-25024

Routing

The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down.

PRJ-44257,
PRHF-27407

Routing

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

PRJ-45182,
ROUT-2353

Routing

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

PRJ-46126,
ROUT-2801

Routing

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

PRJ-46356,
PMTR-73657

Routing

Routes marked as "stale" may be redistributed via BGP during graceful restart.

PRJ-45831,
PMTR-82733

Routing

The ROUTED daemon may unexpectedly exit because of multi-threading issues.

PRJ-45917,
PRHF-28589

VPN

The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation.

PRJ-46292,
PRHF-28702

VPN

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

PRJ-40282,
PRHF-24166,

PRJ-43711,
PRHF-27256

VPN

  • NAT-T traffic may stop matching the implied rule after policy installation and is dropped with "IKE_NAT_TRAVERSAL Traffic Dropped from x.x.x.x to y.y.y.y" message in SmartLog.

  • VPND and IKED stability issues occur when loading newly created LDAP group objects.

Refer to sk180530.

PRJ-44827,
PRHF-27569,

PRJ-44989,
PRHF-28061,

PRJ-46300,

PRHF-28849

VPN

  • Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

  • OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

  • Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

PRJ-24873,
PRHF-16890

VPN

VPN endpoint users fail to login with ECDSA certificate.

PRJ-40911,
PRHF-24641

VPN

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

PRJ-44665,
PMTR-86522

VPN

When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output.

PRJ-43297,
PRHF-26853,

PRJ-43593,
PRHF-27185

VPN

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

PRJ-44087,
PRHF-27224

VSX

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

PRJ-45003,
PRHF-28080

VSX

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

PRJ-45399,
PRHF-28365

VSX

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

PRJ-45143,
PRHF-28154

VSX

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

PRJ-44743,
PMTR-90616

VSX

Virtual System's interfaces may be missing when running the Clish command "show/save configuration".

PRJ-44120,
PMTR-88803

VSX

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

PRJ-44368,
PRHF-27627

Gaia OS

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

PRJ-45861,
PMTR-91668

Gaia OS

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

PRJ-40032,
PRHF-24249

Gaia OS

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

PRJ-44236,
PRHF-27526

Gaia OS

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

PRJ-41907,
PRHF-25737

Gaia OS

Gaia WebUI logs are printed with "info" severity.

PRJ-45563,

ACCHA-2110

Gaia OS

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

PRJ-45538,
PRHF-27987

CloudGuard Network

AWS Data Center mapping fails when an interface subnet is missing from the list of subnets.

PRJ-45790,
PRJ-42015

CloudGuard Network

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

PRJ-44476,
PMTR-90345

CloudGuard Network

Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started.

PRJ-44345,
PRHF-26820

CloudGuard Network

The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

PRJ-46473,
PMTR-90803

VoIP

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

PRJ-44612,
PRHF-27502

VoIP

In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

PRJ-32397,
PRHF-19493,

PRJ-43515,
PRHF-26939

VoIP

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

PRJ-42615,
PMTR-76837

Scalable Platforms

The FW process may unexpectedly exit, producing a core dump file.

Take 197

Released on 27 April 2023 and declared as Recommended on 3 May 2023

PRJ-46037

ClusterXL

Cluster VIP IPv6 address configuration is not applied on cluster members causing IPv6 traffic outage. Refer to sk180902.

Take 196

Released on 6 March 2023 and declared as Recommended on 18 April 2023

PRJ-42183,
PMTR-87948

IPS

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

PRJ-43893,
PMTR-89750

Security Gateway

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-43805,
PMTR-89699

Application Control,

URL Filtering

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-44253,
PMTR-90165

Threat Extraction

NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-43908,
PMTR-89774

SmartView

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-36633,
PRHF-22345

Security Management

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

PRJ-42304,
PRHF-25869

Security Management

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

PRJ-34958,
PRHF-21871

CPView

UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878.

PRJ-41199,
PRHF-24563

Security Gateway

UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).

  • To activate it, GNAT should be enabled. Also, in the fwkern.conf file, run "set fwx_force_random_nat_port_alloc=1",

  • To disable, run "set fwx_force_random_nat_port_alloc=0".

PRJ-44557,
PMTR-90438

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

PRJ-42656,
TPP-2280

IPS

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

PRJ-42258,
PRJ-42201

Threat Prevention

UPDATE: Reduced loading time of big external Custom Intelligence Feeds.

PRJ-43611,
PRHF-26959

Gaia OS

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

PRJ-41933,
PMTR-83771

VoIP

UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection.

PRJ-42402,
PMTR-87600

VSX

UPDATE: Added more logs related to Pushing VSX Configuration.

  • On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

  • On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

  • VSX Provisioning tool is now logged in the vpt_history.elg.

.

PRJ-43027,
PRJ-43025

CloudGuard Network

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

PRJ-42148,
PRJ-42015

CloudGuard Network

UPDATE: Improved performance of pushing Data Center Objects changes to Security Gateways.

PRJ-41844,
PRHF-25754

CloudGuard Network

UPDATE: Improved handling of NSX-T API responses.

PRJ-43051,
PRJ-43048

CloudGuard Network

UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions.

PRJ-43402,
PMTR-89295

Diagnostics

Skyline may not show any information. Refer to sk180748.

PRJ-40538,
PMTR-85125

Diagnostics

The cpview -s export operations may fail on VS0 when cpview_services are running.

PRJ-43901,
SMB-19002

Security Management

On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448.

PRJ-42242,
SMB-19124

Security Management

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

PRJ-38356,
PRHF-23108

Security Management

After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results".

PRJ-40221,
PRHF-24307

Security Management

In a large environment, High Availability synchronization for the Global Domain may fail with the "Global domain is busy syncing, please check sync status" error.

PRJ-41539,
PMTR-87066

Security Management

The FWK process may unexpectedly exit during Threat Prevention policy installation.

PRJ-41669,
PRHF-25452

Security Management

When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue.

PRJ-42857,
PRHF-26649

Security Management

After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole.

PRJ-40424,
PRHF-24492

Security Management

In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error.

PRJ-23720,
SMB-13504

Security Management

Policy with a large number of AD users may fail with timeout or take a long time to be installed.

PRJ-42103,
PRHF-25807

Security Management

In a Multi-Domain environment, the HitCount retention mechanism may prematurely remove the HitCount data.

PRJ-39390,
PRHF-23578

Security Management

In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred".

PRJ-40821,
PMTR-85091

Security Management

Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks

PRJ-41926,
PRHF-25575

Security Management

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

PRJ-44023,
PRHF-27405

Security Management

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

PRJ-42408,
PRHF-26108

Security Management

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

PRJ-41760,
PRHF-25381

Security Management

In some scenarios, the CME process fails to start.

PRJ-41890,
PRHF-25534

Security Management

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

PRJ-43092,
PRHF-25895

Security Management

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

PRJ-39744,
PRHF-24043

Security Management

Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure.

PRJ-42847,
PRHF-26378

Multi-Domain Security Management

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

PRJ-42047,
PRHF-25759

Multi-Domain Security Management

In rare scenarios in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-42282,
PMTR-83780

CPView

CPView may not show some interfaces.

PRJ-42082,
PRHF-25916

CPView

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

PRJ-43587,
PMTR-89477

CPView

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

PRJ-41353,
PMTR-74878

Logging

In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic.

PRJ-37498,
PRHF-22655

Logging

The "epoll is enabled" warning is incorrectly displayed during policy installation.

PRJ-42412,
PRHF-26316

Logging

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

PRJ-43391,
PRHF-26905

Logging

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

PRJ-32808,
PRHF-20237

Logging

The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803.

PRJ-41493,
PRHF-24787

Security Gateway

Stability issues when ICAP client is active.

PRJ-41016,
PRHF-24896

Security Gateway

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

PRJ-42705,
PRHF-26247

Security Gateway

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

PRJ-39925,
PRHF-23895

Security Gateway

When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files.

PRJ-43495,
PRHF-25952

Security Gateway

Policy installation may fail with an "Error 0-2000080" message because of memory allocation issues.

PRJ-43009,
PRHF-26600

Security Gateway

When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

PRJ-42294,
PRHF-26094

Security Gateway

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

PRJ-43837,
PRHF-27097

Security Gateway

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

PRJ-43884,
PRHF-26861

Security Gateway

In rare scenarios, the FWD process is stuck during policy installation.

PRJ-43552,
PRHF-26844

Security Gateway

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

PRJ-42755,
PMTR-88555

Security Gateway

The Security Gateway may crash because of an issue in the FILEAPP (File Application) module.

PRJ-41632,
PRHF-25363

Security Gateway

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

PRJ-42942,
PRHF-26610

Security Gateway

When Anti-Spoofing is enabled, the Security Gateway may crash.

PRJ-36008,
PRHF-21529

Security Gateway

The Security Gateway may frequently crash with vmcore files, recording invalid context.

PRJ-43703,
PRHF-27184

Security Gateway

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

PRJ-39606,
PRHF-22919

Security Gateway

The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages.

PRJ-38807,
PMTR-82347

Security Gateway

In a rare scenario, when QoS is enabled, the Security Gateway may crash.

PRJ-39799,
PRHF-23890

Security Gateway

After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash.

PRJ-42086,
PRHF-25938

Security Gateway

The "fw monitor" command output may contain "no packets left to merge" messages.

PRJ-40318,
PRHF-23658

Security Gateway

In rare scenarios, the FWK process can unexpectedly exit and cause an outage.

PRJ-43345,
PMTR-88981

Security Gateway

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

PRJ-40233,
PRHF-23763

Security Gateway

Stability issues when ICAP client is active.

PRJ-39573,
IPS-171

Security Gateway

The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active.

PRJ-41862,
PRHF-25769

Security Gateway

After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS).

PRJ-39966,
PRHF-24112

Security Gateway

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

PRJ-40107,
PRHF-20889

Security Gateway

In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL.

PRJ-41578,
PMTR-65731

Security Gateway

In some scenarios, the CPD process may unexpectedly exit.

PRJ-43125,
PMTR-89008

Security Gateway

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

PRJ-42901,
PRHF-26659

Internal CA

The certificate in SmartConsole is shown as valid, although it is expired.

PRJ-41434,
PRHF-25382

Internal CA

When managing cloud Gateways, the FWM process memory usage may increase.

PRJ-42284,
PRHF-26079

Threat Prevention

The "ioc_feeds set interval -r" command may fail.

PRJ-41596,
PRHF-25439

Threat Prevention

Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value.

PRJ-41487,
PMTR-84472

Threat Prevention

Loading of Custom Intelligence Feeds with authentication may fail.

PRJ-38720,
PMTR-82545

Threat Prevention

File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

PRJ-38663,
PRHF-23320

Threat Prevention

The DLPU process may unexpectedly exit with a core dump file.

PRJ-32736,
PRHF-20234

Threat Prevention

After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml.

PRJ-37565,
AVIR-1428

Threat Prevention

When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue.

PRJ-42436,
PMTR-87619

Threat Prevention

Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file.

PRJ-41382,
PRHF-25260

Threat Prevention

External IoC feeds may fail with "General Error". And in the feeder.elg there are many "Failed to load signatures" messages.

PRJ-41122,

PRHF-24693

Threat Prevention

In a rare scenario, the mal_conns table may consume a large amount of memory.

PRJ-40470,
PMTR-84923

Threat Prevention

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

PRJ-42342,
PRHF-26221

Identity Awareness

During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659.

PRJ-33063,
PRHF-20425

Identity Awareness

In a rare scenario, a wrong access role may be assigned to a user.

PRJ-42931,
PMTR-88806

Identity Awareness

The PDPD process may cause CPU spikes during cluster failover.

PRJ-42337

Identity Awareness

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

PRJ-41818,
PMTR-87497

Identity Awareness

In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification.

PRJ-42997,
PRHF-24890

Identity Awareness

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

PRJ-42504,
PRHF-26186

Application Control

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

PRJ-41219,
PMTR-86437

Application Control

The RAD process may freeze when an error occurs and an error event is initialized.

PRJ-43501,
PRHF-26475

Application Control

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

PRJ-41653,
PRHF-25585

IPS

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

PRJ-42589,
PMTR-88426

IPS

The Security Gateway may crash during policy installation because of a memory allocation problem.

PRJ-41376,
PRHF-25330

IPS

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

PRJ-35484,
PRHF-21504

DLP

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

PRJ-41214,
PRHF-23321

Anti-Virus

In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash.

PRJ-43179,
PRHF-26878

SSL Inspection

The WSTLSD process may unexpectedly exit and create core dump files.

PRJ-43889,
PRHF-26317

SSL Inspection

In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473.

PRJ-41411,
PRHF-25371

Mobile Access

Access to a web application that uses WebSocket protocol may not be possible.

PRJ-42466,
PRHF-26292

Mobile Access

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

PRJ-41257,
PRHF-25249

Mobile Access

Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

PRJ-42462,
PRHF-26264

ClusterXL

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

PRJ-43114,
PMTR-87809

ClusterXL

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

PRJ-37149,
PRHF-22237

ClusterXL

In an Active/Active cluster, a member may reboot because of a memory corruption issue.

PRJ-43001,
PRHF-26722

ClusterXL

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

PRJ-44166,
PRHF-27330

ClusterXL

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

PRJ-29666,
PRHF-18663

SecureXL

When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored.

PRJ-42573,
PRHF-25865

SecureXL

Multicast traffic may get dropped, and no logs are generated.

PRJ-42443,
PRHF-26215

SecureXL

The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364.

PRJ-42894,
PRHF-26517

SecureXL

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

PRJ-44129,
PMTR-89935

SecureXL

IPv6 template is not created when the connection is NATed.

PRJ-43981,
PMTR-89372

SecureXL

In a rare scenario, a CPAQ message sent during policy push does not have critical and can be dropped when the Security Gateway is busy.

PRJ-43920,
ROUT-2460

Routing

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

PRJ-43054,
PMTR-74260

Routing

The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486.

PRJ-44946,
PRHF-28050

VPN

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

PRJ-42877,
PRHF-26241

VPN

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

PRJ-42559,
PRHF-26325

VPN

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

PRJ-42651,
PRHF-26482

VPN

Stability issues of the VPND and IKED processes.

PRJ-41048,
PRHF-21309

VPN

A memory leak may occur in the VPND process.

PRJ-42727,
PRHF-26453

VPN

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

PRJ-40726,
PMTR-76539

VPN

In some scenarios, when NAT is configured, VoIP traffic is dropped.

PRJ-39169,
PRHF-23749

VPN

Remote Access Client may fail to connect when using machine certificate authentication.

PRJ-38165,
PRHF-22957

VPN

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

PRJ-44012,
PMTR-89893

VSX

In VSX, after adding instances to a Virtual System (VS), their state may be inactive.

PRJ-13984,
PMTR-56029

VSX

In large environments, the "vsx_util reconfigure" procedure and booting may take a long time .

PRJ-43354,
PMTR-89245

VSX

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

PRJ-41695,
VSX-2670

VSX

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

PRJ-42881,
PMTR-88764

VSX

In VSX, if Dynamic Balancing was manually disabled on R80.40, after an upgrade from R80.40 to R81.20, it automatically gets enabled.

PRJ-42252,
PRHF-26113

Gaia OS

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

PRJ-42622,
PRHF-26432

Gaia OS

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

PRJ-43649,
PRHF-27195

Gaia OS

When setting password hash on cloning group members, some members may not get updated.

PRJ-42960,
PRHF-26713

Gaia OS

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

PRJ-44161,

PRJ-43959

Gaia OS

When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail.

PRJ-42524,
PRHF-26323

Gaia OS

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

PRJ-43430,
PRJ-42646

Gaia OS

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

PRJ-41407,
PRHF-25359

Gaia OS

When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed.

PRJ-34370,
PRHF-21347

Gaia OS

After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups.

PRJ-42218,
PRHF-25947

Gaia OS

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

PRJ-43023,
PMTR-62519

Gaia OS

The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198.

PRJ-43561,
PRHF-27096

Gaia OS

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

PRJ-40691,
PMTR-71707

Harmony Endpoint

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

PRJ-43257,
PRHF-26750

CloudGuard Network

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

PRJ-43395,
PMTR-80399

CloudGuard Network

VPN Cluster stability issue when the peer is an Azure Security Gateway.

PRJ-43575,
PMTR-89444

CloudGuard Network

When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails.

PRJ-42008,
PRHF-25644

CloudGuard Network

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

PRJ-42113,
PRHF-25910

CloudGuard Network

AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC).

PRJ-42853,
PRHF-26286

CloudGuard Network

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

PRJ-43066,
PRHF-26666

CloudGuard Network

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

PRJ-43075,
PRHF-26401

VoIP

While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

PRJ-42698,
PRJ-42696

VoIP

In some scenarios, when using static NAT, VoIP traffic may be affected.

PRJ-39600,
PRHF-22874

Scalable Platforms

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

PRJ-39188,
PRHF-23723

Scalable Platforms

When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID.

Take 192

Released on 28 December 2022 and declared as Recommended on 26 February 2023

PRJ-43369,
PRJ-43360

Threat Emulation

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

PRJ-43270,
PRJ-43140

Gaia OS

After an upgrade, the RADIUS Server is unavailable and authentication fails.

Take 190

Released on 13 November 2022

PRJ-38346,
PMTR-81030

Diagnostics

The CPVIEWD process may cause CPU spikes.

PRJ-38114,
PRHF-23142

Security Management

UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Server with the Active Global Domain, where the operation is triggered from.

PRJ-22559,
PMTR-63494

Security Management

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

PRJ-41344,
PMTR-86409

Internal CA

UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591.

PRJ-33894,
PRHF-20973

Security Management

Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled.

PRJ-40056,
PRHF-24082

Security Management

An Application Control and URL Filtering update may still occur even if the latest version is already installed.

PRJ-40168,
PRHF-24144

Security Management

A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours.

PRJ-41554,
PRHF-25556

Security Management

After an Application Control update, policy installation may fail.

PRJ-39221,
PRHF-23186

Security Management

An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain".

PRJ-40719,
PRHF-24546

Security Management

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

PRJ-40808,
PRHF-24809

Security Management

SmartConsole may unexpectedly disconnect.

PRJ-40849,
PMTR-84394

Security Management

The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command.

PRJ-40545,
PRHF-24405

Security Management

After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors.

PRJ-39536,
PRHF-23867

Security Management

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

PRJ-41069,
PRHF-25026

Security Management

Global Policy reassignment fails with "An internal error has occurred". The issue occurs when a Global rule, Rule Base, or section was created, moved, and then deleted without running a reassignment in between.

PRJ-41974,
PRHF-25682

Security Management

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

PRJ-37830,
PRHF-21070

Security Management

"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain.

PRJ-41290,
PRHF-25101

Security Management

Access Policy installation may fail with the "Internal error occurred during the verification process" error.

PRJ-34152,
PRHF-21236

Security Management

Packet mode search in HTTPS Inspection policy may not work.

PRJ-34735,
PRHF-21233

Security Management

When running the "show access-rule" Management API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells.

PRJ-40732,
PRHF-24711

Security Management

In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message.

PRJ-39716,
PRHF-24047

Security Management

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

PRJ-37309,
PRHF-21848

Security Management

SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Management Server to the Security Management Server.

PRJ-41125,
PMTR-85721

SmartConsole

Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate.

PRJ-41020,
PMTR-86000

CPView

NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566.

PRJ-38054,
PRHF-23074

Logging

UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message.

PRJ-40142,
PRHF-24306

Logging

Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses.

PRJ-40490,
PRHF-24541

Logging

In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format.

PRJ-37704,
PRHF-22836

Logging

It may not be possible to filter the "Subscriber" field in SmartLog.

PRJ-38050,
PRHF-23090

Logging

Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog.

PRJ-42090,
PMTR-78055

Logging

Export to CSV in SmartView may be stuck in the "running" status.

PRJ-35878,
PRHF-21739

Logging

Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), they may stop coming to the Log Server after several initial logs.

PRJ-28110,
PRHF-18175

Logging

Logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server.

PRJ-37296,
PRHF-22631

Logging

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

PRJ-21481,
PMTR-63987

Logging

The LOG_INDEXER process on the SmartEvent Server may unexpectedly exit, generating a core dump file, if the Log Server used by the correlation unit is deleted.

PRJ-41095,
PRHF-7824

Logging

In rare scenarios, the LOG_INDEXER process may unexpectedly exit, and there is no access to the logs. Refer to sk172915.

PRJ-41101,
PRHF-25074

Logging

When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name.

PRJ-41192,
PMTR-68271

Logging

It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only.

PRJ-32205,
PRHF-20107

Logging

The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records.

PRJ-41358,
PMTR-85027

Logging

Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully.

PRJ-40096,
PMTR-84200

Security Gateway

UPDATE:

  • Added a new global parameter "fw_conn_double_error_allow_print " to enable/disable printing double connection error message to the log. When disabled, the Security Gateway will still drop a new connection if it is already recorded in the connection table, but there will be no error logs.

  • Added a new global parameter "fw_conn_double_error_count" to count how many times the error occurred.

PRJ-38142,
PRHF-22814

Security Gateway

UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.

PRJ-32779,
PMTR-72977

Security Gateway

UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL.

PRJ-34903

Security Gateway

A kernel crash may occur during system shutdown when PIM is enabled.

PRJ-39330,
PRHF-23528

Security Gateway

After an upgrade, Access Control policy installation may fail with an "Update process is already running" message.

PRJ-41622,
PMTR-78011

Security Gateway

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

PRJ-35108,
PMTR-77852

Security Gateway

There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling".

PRJ-41414,
PRHF-24690

Security Gateway

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

PRJ-40915,
PRHF-24590

Security Gateway

The Security Gateway may crash because of memory corruption, and the following error appears in the /var/log/message file: "[xxxx] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>".

PRJ-39578,
PMTR-71476

Security Gateway

In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash.

PRJ-40457,
PMTR-84535

Security Gateway

In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway.

PRJ-24590,
PRHF-14804

Security Gateway

It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE"

PRJ-41028,
PRHF-24958

Security Gateway

Topology auto update may fail because of a too long interface name.

PRJ-41031,
PRHF-24959

Security Gateway

The Security Gateway may run out of memory when retrieving topology.

PRJ-38551,
PRHF-23113

Security Gateway

After an upgrade, Anti-Virus Blade may cause increased memory consumption.

PRJ-36865,
PRHF-22233

Security Gateway

After an upgrade, VSX cluster may have frequent failovers.

PRJ-40934,
PMTR-85828

Security Gateway

In a rare scenario, the Security Gateway may have a memory allocation issue.

PRJ-34887,
PMTR-77524

Threat Prevention

When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated.

PRJ-40346,
PRHF-24427

Threat Prevention

The Custom Intelligence Feeds feature may stop enforcing traffic after Threat Prevention policy installation.

PRJ-40444,
PMTR-84860

Threat Prevention

Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577.

PRJ-40436,
PMTR-82127

Threat Prevention

A kernel memory leak may occur during deep file inspection.

PRJ-40972,
PRHF-24784

Threat Prevention

Threat Prevention policy installation may fail with a "Connection aborted by Peer" message.

PRJ-41275,
PMTR-74610

Threat Prevention

Adding hash indicators may cause policy installation to fail with a warning message.

PRJ-38488,
PMTR-75246

Threat Prevention

In a rare scenario, the mal_conns table may consume a large amount of memory.

PRJ-41310,
PRJ-41308

Threat Extraction

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

PRJ-38541,
PRHF-22565

Identity Awareness

The PDPD daemon may frequently exit during the user authentication flow.

PRJ-34569,
PRHF-21045

Identity Awareness

SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query.

PRJ-31973,
PMTR-74053

Identity Awareness

Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot.

PRJ-36507,
PRHF-22053

Identity Awareness

The CPU utilization of the PDP daemon may be high during a specific authentication flow.

PRJ-39751,
PRHF-23882

Anti-Virus

The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked.

PRJ-38814,
PMTR-80962

URL Filtering

When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason.

PRJ-33293,
PMTR-61676

Anti-Virus

Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag".

PRJ-40831,
PRHF-24826

Mobile Access

After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail.

PRJ-38458,
PRHF-23267

Mobile Access

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

PRJ-32967,
PRHF-20588

Mobile Access

Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244.

PRJ-35509,
PMTR-65024

ClusterXL

UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers.

PRJ-40743,
PRHF-24710

ClusterXL

The cphaprob show_bond command does not show newly added slaves from Virtual Systems (VSs).

PRJ-36732,
PRHF-21591

ClusterXL

In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage.

PRJ-39182,
PRHF-23684

ClusterXL

In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory.

PRJ-39737,
PMTR-86052

SecureXL

There may be high CPU or/and latency in CIFS/SMB connections.

PRJ-41480,
PRHF-25453

SecureXL

After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops".

PRJ-41765,
PRHF-25516

SecureXL

The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP.

PRJ-39756,
PRJ-41204

SecureXL

SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios.

PRJ-41706,
PRHF-25613

Routing

The ROUTED process may unexpectedly exit when the route does not have the next hop.

PRJ-36889,
PMTR-79153

VPN

UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on.

PRJ-41239,
PRHF-24483

VPN, Multi-Portal

UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434.

PRJ-40868,
PRHF-24283

VPN

Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage.

PRJ-40553,
PRHF-24156

VPN

When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources.

PRJ-36709,
PRHF-21689

VPN

Improved Site-to-Site VPN stability.

PRJ-41807,
PMTR-87347

VPN

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

PRJ-40858,
PRHF-24635

VPN

The VPND process may unexpectedly exit.

PRJ-39892,
PMTR-56771

VSX

UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode.

PRJ-38514,
PRHF-23107

VSX

SecureXL may not let HTTPS traffic pass through a Virtual Router (VR).

PRJ-42214,
PMTR-65815

VSX

In some scenarios, the vsx_provisioning_tool fails to delete an interface and claims that it has already been freed..

PRJ-39766,
PMTR-83046

VSX

Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command.

PRJ-39710,
PMTR-80596

VSX

When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway.

PRJ-39886,
PMTR-84069

VSX

Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481.

PRJ-40797,
PMTR-84189

VSX

Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output.

PRJ-41361,
PMTR-86445

VSX

A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation.

PRJ-42178,
PMTR-81701

VSX

Pushing a VSX configuration to a virtual device may fail.

PRJ-40411,

PRJ-42484,

ODU-611

Gaia OS

UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653.

PRJ-40991,
PRHF-24495

Gaia OS

When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted.

PRJ-41684,
PRHF-25430

Gaia OS

In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function.

PRJ-41611,
PMTR-87176

Gaia OS

Information about scheduled backup failure is now displayed in Clish, WebUI and in the error message inside the log file.

PRJ-40476,
PRHF-24463

Gaia OS

The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS).

PRJ-28332,
PRHF-18367

Harmony Endpoint

UPDATE: Client Uninstall Remote Help is now Device-based. User Logon name is not needed anymore.

PRJ-41369,
PMTR-86767

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region.

PRJ-41733,
PMTR-87362

CloudGuard Network

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

PRJ-40842,
PRHF-24322

CloudGuard Network

Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS).

PRJ-40838,
PRHF-24490

CloudGuard Network

Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways.

PRJ-41461,
PRHF-25422

CloudGuard Network

Import of OpenStack Data Center CloudGuard Network objects may fail.

PRJ-41711,

ODU-603

Smart-1 Cloud

Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-41142,
ODU-518

Smart-1 Cloud

Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-41746,
ODU-587

Public Cloud CA Bundle

Added Take 19 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-19383,
PRHF-11703

VoIP

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651.

PRJ-40671,
ODU-478

HCP

Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 180

Released on 20 September 2022 and declared as Recommended on 30 October 2022

PRJ-41081,
PMTR-86078

Security Management

UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down.

PRJ-36205,
PRHF-22196

Security Management

Migration from the Management Server to the Domain Server may get stuck for 6-7 hours and then fail.

PRJ-38216,
PRHF-22973

Security Management

If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status.

PRJ-38453,
PRHF-23314

Security Management

High Availability synchronization may fail with the "Failed to update shared licenses" error.

PRJ-34237,
PRHF-20836

Security Management

Migration of the Security Management Server to the Multi-Domain Management Server may fail.

PRJ-38179,
PRHF-22647

Security Management

Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration.

PRJ-37910,
PRHF-22870

Security Management

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

PRJ-39208,
PRHF-23632

Security Management

The output of the "show opsec-application" API command may not show the host object name or UID.

PRJ-33920,
PRHF-21160

Security Management

Some unused sessions may remain open in the system, consuming memory and CPU.

PRJ-41096,
PMTR-81750

Security Management

The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot.

PRJ-38787,
PRHF-23476

Security Management

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

PRJ-39487,
PRHF-23926

Multi-Domain Management

In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect.

PRJ-38123,

PRHF-23066

Multi-Domain Management

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

PRJ-40611,
PRHF-24080

Compliance

In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it.

PRJ-36190,
PRHF-22004

Logging

UPDATE: Amended the override_server_setting.sh script to support changes in the values of

RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

PRJ-36019,
PRHF-21398

Logging

In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches.

PRJ-39588,
PRHF-23981

Logging

The FWD process may unexpectedly exit and create core dump files.

PRJ-30963,

EPS-562

Logging

In some scenarios, the Forensics report fails to open from Harmony Endpoint logs.

PRJ-36475,
PRHF-22241

Logging

In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713.

PRJ-40356,
PRHF-24410

Logging

In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596.

PRJ-34678,
PMTR-75424

Security Gateway

UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215.

PRJ-40509,
PMTR-85083

Security Gateway

UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750).

PRJ-38912

Security Gateway

When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency.

PRJ-34402,
PRHF-21418

Security Gateway

Deleting IP addresses in the SAM Database may fail.

PRJ-40253,
PRHF-24323

Security Gateway

There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server.

PRJ-34170,
PRHF-20978

Security Gateway

After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash.

PRJ-41454,
PMTR-86925

Security Gateway

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

PRJ-40861,
PMTR-74446

Security Gateway

Improved the recovery mechanism for Dynamic Balancing.

PRJ-39518,
PMTR-83692

Security Gateway

Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886.

PRJ-40791,
PMTR-85514

Security Gateway

Enhanced connectivity during HTTP2 Inspection.

PRJ-40014,
PRHF-24223

Security Gateway

The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP).

PRJ-38589,

PMTR-79658

Security Gateway

In a cluster environment, an ICAP implied rule may not be enforced after policy installation.

PRJ-27777,

PMTR-70632

Security Gateway

The RAD daemon may fail and create core dump files on VSX Gateways.

PRJ-39987,
PRHF-20730

Threat Prevention

UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time.

PRJ-40431,
PMTR-84242

Threat Prevention

UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output.

PRJ-29734,
PMTR-71844

Threat Prevention

SCP connections may get terminated with a protocol error.

PRJ-39160,
PMTR-83274

Identity Awareness

The Nested Groups Depth value changed in CLI may not survive a reboot.

PRJ-39830,
IDA-4187

Identity Awareness

Removed unnecessary debug messages in the Identity revocation flow.

PRJ-35834,

PMTR-71684

Identity Awareness

Memory consumption may increase after policy installation when Secure ID is configured.

PRJ-36383,
PRHF-22069

Application Control

  • The /var/log/messages directory may be flooded with "appi_app_db_get_kattrib_info: attribs hash does not exist" messages.

  • A Security Gateway may be slow or unresponsive.

Refer to sk178406.

PRJ-29434,
PRHF-17678,

PRJ-37279,
PRHF-21170

URL Filtering

When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly.

PRJ-30744,
PRHF-19698

IPS

Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization.

PRJ-37725,
PRHF-22465

DLP

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

PRJ-39150,
PRHF-21088

Anti-Bot

  • Downloading or opening the packet capture file from the Anti-Bot log entries may fail with a "File fetching is still in progress" message.

  • When opening the capture file link in the log entry in SmartConsole, the "Failed getting the incident file from the gateway. It may be expired" error is shown.

PRJ-40259,
PMTR-83847

SSL Inspection

The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

PRJ-34072,
PRHF-21065

Mobile Access

Manual Web Form Single Sign-On (SSO) may fail when passwords contain special characters.

PRJ-38434,

PMTR-82133

Mobile Access

When installing a specific hotfix, the CVPND process may unexpectedly exit.

PRJ-39957,
PMTR-84213

ClusterXL

During a Multi-Version Cluster (MVC) upgrade, there may be state flapping when using the sync interface MAC address bit "02".

PRJ-39838,
PMTR-84079

ClusterXL

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

PRJ-40199,
PMTR-84253

ClusterXL

In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members.

PRJ-37942,
PRHF-22882

ClusterXL

In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446.

PRJ-37630,
PRHF-22691

SecureXL

UPDATE: The MSS value in the SYN Cookie response can now be configured.

PRJ-39072,
PRHF-22676

SecureXL

UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960.

PRJ-36857,
PRHF-21863

SecureXL

Policy installation may cause cluster failover and impact the traffic flowing through the cluster.

PRJ-40218,
PMTR-63465

SecureXL

In a rare scenario, ipsctl kernel module does not load at startup.

PRJ-40293,

PMTR-81618

SecureXL

A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode.

PRJ-40746,
PRHF-24743

Routing

The ROUTED process may unexpectedly exit when querying BGP data.

PRJ-40090,

PMTR-84418

Routing

When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file.

PRJ-40843,
PMTR-85427

VPN

UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271.

PRJ-40752,
PMTR-85206

VPN

Resolved the “HTTP Response splitting” vulnerability in Security Gateway portals. Refer to sk179705.

PRJ-40662,
PRHF-24446

VPN

There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled Multi-Queue.

PRJ-38632,
PRHF-23424

VPN

Connection to Endpoint Security Client from the Remote Access VPN may be lost when the VPN tunnel timeout is reached. Refer to sk178891.

PRJ-40384,
PMTR-84477

VPN

The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart.

PRJ-40581,
PMTR-84124

VPN

Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled.

PRJ-37783,
PMTR-82856

VPN

In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121.

PRJ-39980,
PMTR-83520

VSX

The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591.

PRJ-40071,
PRHF-24269

VSX

A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586.

PRJ-40249,
PMTR-84229

VSX

In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash.

PRJ-34321,
PMTR-60045

VSX

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

PRJ-40702,
PMTR-81932

VSX

A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member".

PRJ-34094,
PMTR-65030

VSX

When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown.

PRJ-40359,
PMTR-84809

VSX

Improved packet rate performance on warp interfaces.

PRJ-24565,

PRHF-16407

Gaia OS

UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10.

PRJ-40767,
PMTR-81861

Gaia OS

IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file.

PRJ-40026,
PRHF-24243

Gaia OS

A user locked by the deny-on-nonuse mechanism cannot get unlocked.

PRJ-40364,
PMTR-84602

Gaia OS

Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579.

PRJ-40669,
ODU-478

HCP

Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 173

Released on 31 August 2022 and declared as Recommended on 13 September 2022

PRJ-41444,
PRHF-25374

Threat Prevention

In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)".

Take 172

Released on 25 July 2022

PRJ-38150,
PRHF-23149

Security Management

UPDATE: Improved Access Policy installation time.

PRJ-34852,
PMTR-72440

Security Management

UPDATE: Added validation to the Custom Application/Site object to prevent configuring invalid URLs that cause Access policy installation failure. Refer to sk175187.

PRJ-36848,
PRHF-22352

Security Management

In rare scenarios, the Management Server may fail to start due to incorrect session handling.

PRJ-37708,
PRHF-22796

Security Management

Install Policy preset fails if the Threat Prevention policy was uninstalled.

PRJ-36919,
PRHF-22479

Security Management

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

PRJ-37634,
PRHF-22693

Security Management

After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted.

PRJ-37863,
PRHF-22678

Security Management

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy.

PRJ-37522,
PRHF-22656

Security Management

Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server.

PRJ-37503,
PRHF-22597

Security Management

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

PRJ-37198,
PRHF-22299

Security Management

The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054.

PRJ-35654,
PRHF-21996

Security Management

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

PRJ-37762,
PRHF-22671

Security Management

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

PRJ-35601,
PMTR-77217

Security Management

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

PRJ-37508,
PRHF-22621

Security Management

Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag.

PRJ-35604,

PRHF-21981

Security Management

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

PRJ-38063,
PRHF-22999

Security Management

When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully.

PRJ-38147,
PRHF-23139

Security Management

Cloud Shadow Objects verification may take several minutes.

PRJ-38119,
PRHF-23065

Security Management

Policy installation may fail with "an internal error" if some objects are pointed to by an old deleted policy. Refer to sk122954.

PRJ-39470,
PRHF-23825

Security Management

Management HA synchronization may fail with the "NGM failed to import data" error.

PRJ-37885,
PRHF-22914

Security Management

Editing an object may fail with the "Could not access file for write operation" error.

PRJ-38399,
PRHF-23290

Security Management

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

PRJ-35059,
PRHF-21753

Security Management

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

PRJ-38740,

PRHF-23467

Security Management

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

PRJ-37987,

PRHF-22589

SmartConsole

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

PRJ-37101,
PRHF-22528

Logging

UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125.

PRJ-33815,
PMTR-72206

Logging

The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position.

PRJ-36514,
PRHF-22273

Logging

In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy.

PRJ-36026,
PMTR-70703

Logging

In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly.

PRJ-36461,
PRHF-22152

Logging

When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

PRJ-39295,
PMTR-82675

Logging

An error may occur when changing default Time Frame while the SmartView language is not English.

PRJ-39678,
PMTR-82910

Logging

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) may display a non-ASCII character ("ן»¿"), and the time may be split into two cells.

PRJ-39675,
PMTR-83316

Logging

A CSV file exported from SmartView may contain duplicated lines of headers.

PRJ-36654,
PMTR-77355

Security Gateway

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled.

Refer to sk105740.

PRJ-38688,
PRHF-22315

Security Gateway

UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE).

PRJ-39666,

PRHF-23392

Security Gateway

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

PRJ-39684,
PRHF-23741

Security Gateway

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

PRJ-34622,
PRHF-21300

Security Gateway

When running the "show_configuration" command in CLISH, static routes are shown twice.

PRJ-33698,
PMTR-72984

Security Gateway

In some scenarios, file download may fail with the "Connection queue exceeded max size" error.

PRJ-37011,
PRHF-22369

Security Gateway

Multiqueue Clish "show" commands may fail in a Management Data Plane Separation (MDPS) environment.

PRJ-37608,
PMTR-80518

Security Gateway

When using the DAIP Gateway object in the Access Rulebase, debug error "fwdnd_log_info_lookup failed" may appear in the fwk.elglog, if the relevant rule has log track. Refer to sk178670.

PRJ-33858,
PMTR-76224

Security Gateway

In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down.

PRJ-36119,
PMTR-71654

Security Gateway

In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect.

PRJ-33929,
PRHF-20845

Security Gateway

Cluster failover may trigger the FWK process to exit, with no traffic impact.

PRJ-31030,
PMTR-69049

Security Gateway

In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade.

PRJ-27915,

PRJ-40137,
PMTR-84236,
PMTR-62741

Security Gateway

When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings" and Precise Error "Connection queue exceeded max size". Refer to sk169995.

PRJ-39861,

PRHF-23952

Security Gateway

After renewing an Internal Certificate Authority (ICA) certificate, policy installation on Virtual Systems may fail with "Internal SSL authentication SSL error (Unknown)".

PRJ-37951,
PRHF-22703

Security Gateway

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

PRJ-38075,
GAIA-9576

Security Gateway

The Security Gateway may crash with a vmcore.

PRJ-40998,

PRJ-40954

Security Gateway

In a VSX environment, SNMP queries to OSPF OIDs may fail.

PRJ-39322,
PMTR-83434

Threat Prevention

Improved memory consumption by decreasing the size of the mal_conns table.

PRJ-40610,
PRHF-24611

Threat Prevention

IPS entries of AMW_report.xml may be missing for a Security Gateway onboarded to Infinity SOC.

PRJ-36292,
PMTR-77668

Threat Prevention

A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file.

PRJ-38683,
PRHF-23324

Threat Prevention

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout.

PRJ-36567,
PMTR-79569

Internal CA

UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096.

PRJ-37978,
PMTR-81714

IPS

In very rare scenarios, a traffic outage may occur.

PRJ-39062,

PRHF-12660

IPS

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports.

PRJ-36520,
PMTR-77922

IPS

Improved detection in some IPS protections.

PRJ-36433,
PMTR-77653

IPS

When ClusterXL is configured, a file may pass without inspection during a failover.

PRJ-35291,
PRHF-21849

Mobile Access

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

PRJ-38434,
PMTR-82133

Mobile Access

When installing a specific hotfix, the CVPND process may unexpectedly exit.

PRJ-34869,
PMTR-76212

ClusterXL

UPDATE: Added support for the "Same VMAC" feature.

PRJ-35984,
PMTR-72454

ClusterXL

UPDATE: It is now possible to edit minimal number of required slave interfaces for Bond Load Sharing via Clish. The new Clish command is "set interface <interface_name> links <value>".

PRJ-37881,

PMTR-81375

ClusterXL

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

PRJ-37434,
PMTR-80319

ClusterXL

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

PRJ-36176,
PMTR-51050

ClusterXL

In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby.

PRJ-36614,
PMTR-71442

ClusterXL

During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510.

PRJ-36602,
PMTR-79447

ClusterXL

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

PRJ-35227,
PMTR-70530

ClusterXL

In an Active/Active cluster, potential FTP data connection interruption may occur during failover.

PRJ-37488,
PMTR-73519

ClusterXL

In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state.

PRJ-37813,

PRJ-37001

SecureXL

NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603.

PRJ-38593,
PMTR-82425

SecureXL

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

PRJ-39008,

PRHF-22881

SecureXL

SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped.

PRJ-39002,

PRHF-23644

SecureXL

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

PRJ-39112,
PMTR-77465

CoreXL

CoreXL instances of SND type may appear in CPView as "OTHER" and not as "CoreXL_SND".

PRJ-38501,
PRHF-23143

CoreXL

An Active member in a cluster may make a full reboot during policy installation.

PRJ-38558,
PRHF-22924

Routing

UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver.

PRJ-36938,
PMTR-79381

Routing

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

PRJ-37939,
PMTR-80421

VPN

NEW: KAT tests for IKE and TLS are now validated for FIPS certification.

PRJ-37547,
PMTR-79930

VPN

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

PRJ-32679,
PMTR-66706

VPN

An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage.

PRJ-37554,
PMTR-77042

VPN

An outage may occur when using IKEv2.

PRJ-37773,
PRHF-22871

VPN

Capsule Connect (IPSec VPN) may fail to re-authenticate.

PRJ-36436,
PMTR-78967

VPN

Machine Authentication stability improvements for Remote Access Endpoint Clients.

PRJ-34765,

PRHF-21568

VPN

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

PRJ-36449,
PMTR-65595

VSX

UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

PRJ-29582,
PRHF-16144

VSX

UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW).

PRJ-35277,
PMTR-76457

VSX

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation.

PRJ-28545,
PMTR-65366

VSX

Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344.

PRJ-33314,
PRHF-20561

VSX

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

PRJ-32476,
PRHF-20437

VSX

When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction.

PRJ-36132,
PRHF-21970

VSX

A member may fail to pull configuration from the SMO on startup.

PRJ-32705,
PRHF-20553

VSX

After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS.

PRJ-32406,
PMTR-74557

VSX

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

PRJ-38827,

PMTR-82551

VSX

The FWK process of Virtual Switch (VSW) may consume a high CPU.

PRJ-38407,

PMTR-73704

VSX

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

PRJ-33040,

PMTR-69098

VSX

In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby.

PRJ-38792,

PMTR-82492

VSX

In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt.

PRJ-38009,
PMTR-81493

VSX

"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg.

PRJ-10543,
PRJ-39353

VSX

Running the "brctl_show" command in a non-VS0 context may give VS0 results.

PRJ-27470,
PRHF-18056

Gaia OS

UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970.

PRJ-35584,
PRHF-21922

Gaia OS

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

PRJ-36086,
PMTR-78169

Gaia OS

WebUI session may end when creating a Role with full permissions.

PRJ-37347,
PMTR-80176

Gaia OS

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

PRJ-39095,

PRHF-23641

Gaia OS

Dynamic routing SNMP OID polling may work only in VSX mode.

PRJ-33557,

PMTR-75925

Gaia OS

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

PRJ-38229,

PMTR-81516

Gaia OS

When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue.

PRJ-39377,
PMTR-83140

Gaia OS

The CONFD process may unexpectedly exit and generate a core dump file.

PRJ-38097,
PMTR-72669

CloudGuard Network

NEW: Added support for Amazon Gateway Load Balancer (GWLB). Starting from this Take, Jumbo Hotfix Accumulator R80.40 can be installed on GWLB deployments.

PRJ-30119,
PMTR-72575

CloudGuard Network

UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time.

PRJ-38567,
PRHF-23328

CloudGuard Network

UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway.

PRJ-38869,
PRHF-23555

CloudGuard Network

After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources.

PRJ-27767,
PRJ-28171

CloudGuard Network

In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds. Refer to the PMTR-60092 limitation in sk166717.

PRJ-38069,
PMTR-78814

CloudGuard Network

Policy install or publish may fail because of the CPM process operations overload.

PRJ-33576,
PRHF-20923

CloudGuard Network

When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments".

PRJ-31687,
PRHF-20086

CloudGuard Network

The "Object is inaccessible/deleted on Data Center" warning may be shown for Tag objects in SmartConsole.

PRJ-38642,
PRJ-38643

VoIP

NEW: Added a new tab for VoIP monitoring in CPView.

PRJ-40928

VoIP

After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". Refer to sk179747.

PRJ-39815,
PMTR-81965

VoIP

The Security Gateway may crash when running UDP and TCP SIP traffic.

PRJ-26372,
PMTR-68629

Scalable Platforms

NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool.

PRJ-40307,

ODU-454

HCP

Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 161

Released on 30 May 2022 and declared as Recommended on 13 July 2022

PRJ-34227,
PRHF-21357

Security Management

Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.

PRJ-35949,
PRHF-21894

Security Management

In the Compliance view, after changing "Policy Range" to a value smaller than 100%, best practices results become not available. Refer to sk177544.

PRJ-34177,
PRHF-20991

Security Management

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

PRJ-35338,
PRHF-21851

Security Management

In rare scenarios, the Management Server may fail to start after an upgrade.

PRJ-37494,
PRHF-22409

Security Management

In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249.

PRJ-34181,
PRHF-21215

Security Management

In rare scenarios, the Management Server becomes inaccessible if there are more than 5000 objects in the Gateways and Servers view.

PRJ-35224,
PRHF-21778

Security Management

When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265.

PRJ-37577,
PMTR-80846

Security Management

In some scenarios, after editing Blades in simple-gateway/cluster Ansible modules, the Blades are not changed and Ansible shows that no changes occurred.

PRJ-35016,
PRHF-21705

Security Management

Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129.

PRJ-37395,
PRHF-22603

Security Management

After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084.

PRJ-35297,
PMTR-75023

Security Management

When cloning an IPS profile, the advanced settings of cloud protection are not copied to the new profile.

PRJ-32816,
PRHF-20492

Security Management

In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768.

PRJ-32745,
PRHF-20512

Security Management

In a rare scenario, the FWM process unexpectedly exits.

PRJ-39176,

PRHF-23750

Security Management

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error.

PRJ-36621,

PMTR-79023

Logging

UPDATE: SmartView reports will now show the new Check Point logo.

PRJ-30549,
PRHF-19084

Logging

In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783.

PRJ-32372,
PRHF-18699

Logging

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

PRJ-34249,
PRHF-21188

Logging

There may be an incorrect error message related to MakeConnection method.

PRJ-35200,
PRHF-20349

Logging

In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627.

PRJ-34805,
PRHF-21554

Logging

In some scenarios, logs related to Content Awareness are missing.

PRJ-29173,
PRHF-18866

Logging

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log.

PRJ-30144,
PMTR-60786

Logging

Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file.

PRJ-34141,
PRHF-21218

Logging

On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.

PRJ-32579,
PRHF-20447

Logging

In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.

PRJ-33516,
PMTR-71704

Logging

Improved samples visibility in SmartView Widgets.

PRJ-37896,
PRHF-22858

Logging

Logs may be missing from Smart Console after upgrading the Log Server if a VS object is configured without an IP.

PRJ-35097,
PMTR-76491

Security Gateway

UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127.

PRJ-19035,
PMTR-61532

Security Gateway

UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory. The change is only cosmetic.

PRJ-31665,
PMTR-68092

Security Gateway

UPDATE: Adding Connection and Packet Distribution statistics in CPView.

PRJ-38235,
PMTR-81910

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

PRJ-29962,
UP-452

Security Gateway

UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.

PRJ-31494,
PRHF-7049

Security Gateway

UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. If a shadow rule exists, the new shadow rule will override the existing shadow rule.

PRJ-37528,
PRHF-22491

Security Gateway

Improved Security Gateway internal memory allocation logic.

PRJ-36047,
PMTR-78861

Security Gateway

In a rare scenario, DNS connection may be dropped with "up_manager_cmi_handler_match_cb: connection not found".

PRJ-26984,
PRHF-17754

Security Gateway

In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.

PRJ-34726,
PRHF-21103

Security Gateway

In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with an error.

PRJ-33273,
PMTR-26836

Security Gateway

The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952.

PRJ-23479,
PRHF-16013

Security Gateway

Policy installation may fail when reaching out of memory on the Security Gateway.

PRJ-37356,
PRJ-35902

Security Gateway

Uninstalling Jumbo Hotfix may cause interfaces to disappear.

PRJ-35006,
PRHF-21742

Security Gateway

The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228.

PRJ-34787,
PMTR-65164

Security Gateway

In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn".

PRJ-34015

Security Gateway

Bond slaves may be visible in the wrong plane.

PRJ-34088,
PRJ-34218

Threat Prevention

IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors.

PRJ-36164,
PRHF-21680

Identity Awareness

The PDP process may unexpectedly exit with a core dump file.

PRJ-35820,
PRHF-21396

Identity Awareness

On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

PRJ-35851,
PRHF-22037

Identity Awareness

The PEP process may unexpectedly exit.

PRJ-28218,
PRHF-15223

Identity Awareness

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

PRJ-34514,
PRHF-20998

URL Filtering

In a rare scenario, when URL Filtering Blade is active, in Website categorization background mode, the FWK process crashes and creates a core dump.

PRJ-32742,
PMTR-70772

IPS

After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Gateways together, Gateways may consume more CPU during rule-match of new connections.

PRJ-37543,
PRHF-22301

IPS

In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail.

PRJ-32609,
PRHF-20132

IPS

When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites,the Security Gateway may drop the traffic.

PRJ-30124,
PMTR-66344

SSL Inspection

When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.

PRJ-36298,
PMTR-76171

SSL Inspection

A memory leak related to TLS probe may occur in the WSTLSD process.

PRJ-32908,
PRHF-1527

Mobile Access

In a rare scenario, some options in a web application may be missing in Mobile Access Portal.

PRJ-35167,
PMTR-77780

ClusterXL

A single cluster member with Dynamic Routing configuration may stay permanently in DOWN state producing ROUTED pnote during a boot.

PRJ-35980,
PMTR-74818

ClusterXL

A cluster failover may take longer than it should.

PRJ-38369,
PRHF-23291

ClusterXL

Multicast packets may be dropped after policy installation.

PRJ-36470,
PRHF-21775

SecureXL

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

PRJ-33581,
PMTR-75970

SecureXL

In some scenarios, fragmented Cluster LS packets are dropped by SecureXL.

PRJ-34902,
PRJ-36073

SecureXL

In some scenarios, related to sending multicast packets, the ICMP errors may be shown.

PRJ-30713,
PRHF-18975

Routing

Connectivity issues may occur after configuration of route-based VPN (VTI interface). Refer to sk176368.

PRJ-35400,
PRJ-35403,
PRJ-35345,
VPNS2S-2848,
VPNS2S-2457,
VPNS2S-2770

VPN

IKEv2 Improvements for DAIP Gateway behind Hide NAT.

PRJ-34210,
PMTR-74824

VPN

IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.

PRJ-34492

VPN

Remote Access users are unable to connect when authenticating using a certificate issued by a subordinate CA.

PRJ-35397,
VPNS2S-2822

VPN

Improvements for DAIP Gateway behind Hide NAT.

PRJ-35534,
PMTR-78432

VPN

A memory leak may occur in the VPND process when using remote Access Back Connection.

PRJ-37462,
PRHF-21891

VPN

The VPND process may unexpectedly exit causing VPN connections to restart.

PRJ-34373,
PMTR-75526

VPN

In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure.

PRJ-35429,
PMTR-78314

VPN

In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment.

PRJ-35386,
VPNS2S-2726

VPN

In some scenarios, the RIM script is not activated in DPD Tunnel monitoring.

PRJ-35557,
PMTR-78462

VPN

A memory leak may occur in the VPND process when using Remote Access Secondary Connect.

PRJ-35555,
PMTR-78436

VPN

A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured.

PRJ-35046,
PMTR-77549

VPN

In some scenarios, NAT-T tunnel establishment may fail.

PRJ-33322,
VPNS2S-1482

VPN

After initiating a tunnel between a regular Gateway and a DAIP Gateway, running the "vpn tu tlist'" command on the peer, may show the peer IP instead of the DAIP IP.

PRJ-29880,
PRHF-19050

VPN

Improved VPN interoperability.

PRJ-37589,
PRHF-22751

VPN

During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high.

PRJ-36237,
PRHF-22206

VPN

A memory leak may occur in the VPND process.

PRJ-38811,
PRJ-38729

VPN

In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.

PRJ-34671,
PMTR-77130

VSX

UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.

PRJ-34999,
PMTR-77287

VSX

The "vsx_util reconfigure" command may fail without printing the cause of the error.

PRJ-32078,
PMTR-74295

VSX

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database.

PRJ-36767,
PMTR-52576

VSX

VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.

PRJ-35503,
PMTR-62860

VSX

There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.

PRJ-33470,
PMTR-73998

VSX

In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously.

PRJ-38202,
PRHF-23118

VSX

In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.

PRJ-34602,
PMTR-74840

VSX

In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch.

PRJ-36786,
PMTR-79249

VSX

The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.

PRJ-36771,
PRJ-36756

Gaia OS

NEW: Gaia API (version 1.6 with python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.

PRJ-24453,

PRHF-16628

Gaia OS

UPDATE: Changed the Syslog message severity from "error" to "info" and removed the exclamation mark in a specific message which is displayed during the normal backup operation flow.

PRJ-37415,
PMTR-74360

Gaia OS

In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file.

PRJ-37225,
PMTR-63343

Gaia OS

Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.

PRJ-27908,
PRHF-17814

Harmony Endpoint

In some scenarios, logs related to Harmony Endpoint may be missing.

PRJ-37118,
PRHF-18358

VoIP

When static NAT is configured, VoIP calls may not work.

PRJ-38022,
ODU-342

Public Cloud CA Bundle

Added Take 18 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-36703,
ODU-244

Public Cloud CA Bundle

Added Take 14 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-34518,
PRJ-37145,
ODU-200,
ODU-286

Smart-1 Cloud

Added update 4 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-37602,
PRHF-22145

CloudGuard Network

In Amazon Web Services (AWS), some Gateways may frequently crash with vmcores.

PRJ-35547,
PRHF-21841

CloudGuard Network

When there are virtual systems with the same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects.

PRJ-36273,
PRHF-22059

CloudGuard Network

In some scenarios, incorrect data center updates are pushed to the Gateway.

PRJ-37950,
PRHF-22994

CloudGuard Network

In some scenarios, mapping of AWS Data Centers may take a long time to complete.

PRJ-37052,
PRHF-20096

CloudGuard Network

In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904.

PRJ-38035,
ODU-341

Scalable Platforms

Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-38223,
ODU-349

HCP

Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-36829,
ODU-287

HCP

Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 158

Released on 6 April 2022 and declared as Recommended on 16 May 2022

PRJ-30406,
PRHF-19450

Security Management

UPDATE:

  • Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".
  • It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

PRJ-30112,
PRHF-17611

Security Management

In rare scenarios, the "show_changes" and "show_sessions" Management API commands may fail.

PRJ-32856,
PRHF-20444

Security Management

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

PRJ-30474,
PRHF-19577

Security Management

Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error.

PRJ-33564,
PMTR-75061

Security Management

In rare scenarios, a "Create Domain", "Delete Domain" or "Delete Domain Server" task can be stuck at 5% with the "Task in queue" status.

PRJ-35478,
PMTR-77765

Security Management

Multi-Domain High Availability synchronization in the Global Domain may fail with "There are invalid assignments on peer." error.

PRJ-25709,
PRHF-17010

Security Management

Deleting a network group may fail because it is being used, although "Where Used" shows no usage.

PRJ-33400,
PRHF-20866

Security Management

When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

PRJ-32428,
PRHF-20440

Security Management

In rare scenarios, adding a service to a rule in Access Policy:

  • may take a long time (more than several seconds)
  • may cause SmartConsole to unexpectedly exit

Refer to sk176004.

PRJ-32447,
PRHF-20062

Security Management

In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data".

PRJ-33520,
PRHF-20971

Security Management

In rare scenarios, the Management Server may fail to start.

PRJ-30530,
PRHF-19542

Security Management

Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out.

PRJ-33286,
PRHF-20525

Security Management

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

PRJ-32847,
PMTR-74961

Security Management

In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure".

PRJ-32668,
PRHF-20485

Security Management

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

PRJ-34225,
PRHF-21356

Security Management

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

PRJ-33364,
PRHF-20847

Security Management

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

PRJ-30058,
PRHF-19250

Security Management

In rare scenarios, after a Management Server upgrade, importing the database may fail with "Tried to persist object".

PRJ-34771,
PRHF-20960

Security Management

Policy installation on Gateways R81 and below may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725.

PRJ-33863,
PRHF-21129

Security Management

When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout.

PRJ-32717,
PRHF-20332

Security Management

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.