List of All Resolved Issues and New Features in R80.40 Jumbo Hotfix Accumulator
|
Review the Important Notes section before installing a new Take.
This version reached its End of Support. If you are using this version (or lower), we strongly recommend you to upgrade your environments. |
Take | Available Since | Recommended Since |
---|---|---|
13 Mar 2024 |
01 May 2024 |
|
28 Dec 2023 |
16 Jan 2024 |
|
19 Nov 2023 |
- |
|
19 Jul 2023 |
30 Aug 2023 |
|
27 Apr 2023 |
03 May 2023 |
|
06 Mar 2023 |
18 Apr 2023 |
|
28 Dec 2022 |
26 Feb 2023 |
|
13 Nov 2022 |
- |
|
20 Sep 2022 |
30 Oct 2022 |
|
31 Aug 2022 |
13 Sep 2022 |
|
25 Jul 2022 |
- |
|
30 May 2022 |
13 Jul 2022 |
|
06 Apr 2022 |
16 May 2022 |
|
20 Mar 2022 |
23 Mar 2022 |
|
01 Mar 2022 |
08 Mar 2022 |
|
22 Feb 2022 |
- |
|
19 Jan 2022 |
- |
|
09 Dec 2021 |
13 Dec 2021 |
|
30 Nov 2021 |
- |
|
01 Nov 2021 |
- |
|
13 Oct 2021 |
- |
|
23 Sep 2021 |
04 Oct 2021 |
|
17 Sep 2021 |
|
|
04 Aug 2021 |
04 Aug 2021 |
|
04 Jul 2021 |
- |
|
10 May 2021 |
25 May 2021 |
|
25 Apr 2021 |
- |
|
14 Apr 2021 |
21 Apr 2021 |
|
17 Mar 2021 |
- |
|
07 Mar 2021 |
14 Mar 2021 |
|
21 Feb 2021 |
- |
|
16 Feb 2021 |
- |
|
16 Dec 2020 |
26 Jan 2021 |
|
01 Dec 2020 |
09 Dec 2020 |
|
05 Nov 2020 |
22 Nov 2020 |
|
04 Oct 2020 |
25 Oct 2020 |
|
26 Aug 2020 |
09 Sep 2020 |
|
18 Aug 2020 |
25 Aug 2020 |
|
05 Aug 2020 |
- |
|
27 Jul 2020 |
- |
|
23 Jul 2020 |
27 Jul 2020 |
|
19 Jul 2020 |
- |
|
30 Jun 2020 |
- |
|
24 Jun 2020 |
- |
|
15 Jun 2020 |
- |
|
21 May 2020 |
25 May 2020 |
|
10 May 2020 |
- |
|
26 Apr 2020 |
- |
|
16 Mar 2020 |
- |
ID |
Product |
Description |
---|---|---|
Take 211 Released on 13 March 2024 and declared as Recommended on 1 May 2024 |
||
PRJ-47119, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-50101, PRHF-30325 |
Diagnostics |
UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository. |
PRJ-46555, |
Security Gateway |
UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632. |
PRJ-46320, |
Security Gateway |
UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log. |
PRJ-46943, |
Threat Prevention |
UPDATE: IPS bypass triggers is now activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change results in more effective security measures without unnecessary bypasses. |
PRJ-44318, |
Threat Prevention |
UPDATE: The DCE-RPC kernel tables is now global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable. |
PRJ-52039, |
Threat Extraction |
UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832. |
PRJ-49230, |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 80008407. |
PRJ-44241, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-46313, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically. |
PRJ-48106, |
VSX |
UPDATE: Changed the vsx push configuration log:
|
PRJ-43880, |
VSX |
UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX. |
PRJ-47224, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427. |
PRJ-50871, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements. |
PRJ-48008, |
Gaia OS |
UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically. |
PRJ-45234, |
Gaia OS |
UPDATE: SNMP traps for interfaces going up and going down now contains the interface name and description. |
PRJ-47447, |
GaiaOS |
UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:
|
PRJ-48079, |
CloudGuard Network |
UPDATE: Added support for Azure Scale sets with Flexible orchestration mode. |
PRJ-48800 |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region |
PRJ-52693, ODU-1408 |
Smart-1 Cloud |
UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056. |
RJ-45725, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-48402, PRJ-52864, |
HCP |
UPDATE: Added Update 13, Update 15 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53394, ODU-1563 |
Automatic Updates - CPSDC |
UPDATE: Added Take 31 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-46001, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object. |
PRJ-45986, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-47167, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-46697, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-46794, |
Security Management |
The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054. |
PRJ-46014, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-45032, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-46826, |
Security Management |
In some scenarios, the "Object is no longer available" validation warning appears for updatable objects. |
PRJ-45896, |
Security Management |
In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920. |
PRJ-44985, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-45797, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-41458, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-46729, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-48862, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-43287, |
Security Management |
In rare scenarios:
|
PRJ-41242, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-47040, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-47048, |
Security Management |
In rare scenarios. in a Multi-Domain Security Management environment:
|
PRJ-47256, PRJ-47233, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-48035, |
Security Management |
An audit log may not be created after running Revert to Revision. |
PRJ-49193, |
Security Management |
In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated. |
PRJ-45780, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-45438, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-48379, |
Security Management |
In SmartConsole, export of policies with the "Hit count" column may get stuck. |
PRJ-47036, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses. |
PRJ-34858, |
Security Management |
In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report. |
PRJ-48895, |
Security Management |
In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file. |
PRJ-48689, |
Security Management |
Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user. |
PRJ-49219, |
Security Management |
In SmartConsole, an attempt to view administrators may fail with "Error retrieving results". |
PRJ-49202, |
Security Management |
|
PRJ-48368, |
Security Management |
The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util. |
PRJ-48439, |
Security Management |
The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined. |
PRJ-49987, |
Security Management |
The "fwm sic_reset" command may fail and generate a core dump. |
PRJ-47964, |
Security Management |
In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178. |
PRJ-49368, |
Security Management |
In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460. |
PRJ-49342, |
Security Management |
SmartConsole may unexpectedly close after deleting an object in the Object Explorer view. |
PRJ-50211, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters. |
PRJ-50044, |
Security Management |
In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete. |
PRJ-49712, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-49477, |
Multi-Domain Security Management |
When viewing Subordinate CA objects in SmartConsole:
|
PRJ-46584, |
Multi-Domain Security Management |
Migration of a Security Management Server to a Multi-Domain Security Management Server may fail with the "Expected single result for object with uid UID, got: 0" error. |
PRJ-46932, |
SmartConsole |
Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status. |
PRJ-45073, |
Web SmartConsole |
After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.
|
PRJ-46433, |
SmartProvisioning |
After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change. |
PRJ-47340, |
SmartView |
In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message. |
PRJ-49971, |
CPView |
CPU statistics may be incorrect or missing in CPView. Refer to sk182286. |
PRJ-48000, |
CPView |
Offload may fail in CPView with "ERROR! Reason not initialized". |
PRJ-45322, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-47217, |
Logging |
The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs. |
PRJ-45038, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-39448, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-46184, |
Logging |
When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent. |
PRJ-47211, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection blade may fail. |
PRJ-41165, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-47981, |
Logging |
Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only. |
PRJ-46559, |
Logging |
In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds". |
PRJ-49387, |
Logging |
In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field. |
PRJ-46204, |
Logging |
Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609. |
PRJ-48803, |
Logging |
Some attributes in SNMP MIB file may not be accessible. |
PRJ-51145, |
Logging |
When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677. |
PRJ-48239, |
Logging |
The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706. |
PRJ-44588, PRHF-26975 |
Logging |
In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331. |
PRJ-47313, |
Logging |
When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly. |
PRJ-52673, PRHF-32203 |
Security Gateway |
CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944. |
PRJ-46408, |
Security Gateway |
The Security Gateway may listen to the ports used by NAT. |
PRJ-45691, |
Security Gateway |
The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail. |
PRJ-48820, |
Security Gateway |
In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway. |
PRJ-48151, |
Security Gateway |
Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet. |
PRJ-47207, |
Security Gateway |
When running the tp_collector tool, the FW_FULL process may unexpectedly exit. |
PRJ-48020, |
Security Gateway |
In some scenarios, when IPS is enabled, CPU spikes may occur. |
PRJ-46375, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-44699, |
Security Gateway |
In rare scenarios, the WSDNSD process may restart because of an internal error. |
PRJ-47329, |
Security Gateway |
When using the "cpstop" command on the Security Gateway, the fw_full core may be generated. |
PRJ-48245, |
Security Gateway |
The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281. |
PRJ-47518, |
Security Gateway |
After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped. |
PRJ-50137, |
Security Gateway |
Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments. |
PRJ-47266, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-47323, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus blade. |
PRJ-45343, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-46200, |
Security Gateway |
In rare scenarios, updating the NTP Server may cause a temporary outage. |
PRJ-44187, |
Security Gateway |
The Security Gateway may crash due to a memory issue. |
PRJ-44616, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-47556, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47600, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-49006, PMTR-92233 |
Threat Prevention |
In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update. |
PRJ-47635, |
Threat Prevention |
The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148. |
PRJ-50655, |
Threat Prevention |
In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process. |
PRJ-46835, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-43725, |
Threat Prevention |
In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic. |
PRJ-44689, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import IoC feeds. |
PRJ-48189, |
Threat Prevention |
Anti-Virus blade fails to parse external IoC feeds that contain specific delimiters. |
PRJ-44764, |
Threat Prevention |
Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway. |
PRJ-46882, |
Threat Prevention |
Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure. |
PRJ-48923, |
Threat Prevention |
Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented. |
PRJ-48427, |
Threat Prevention |
Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy. |
PRJ-46902, |
Threat Prevention |
Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039. |
PRJ-46441, |
Threat Prevention |
Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension. |
PRJ-50049, |
Threat Prevention |
Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the " |
PRJ-43970, |
Threat Prevention |
When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems. |
PRJ-46965, |
Threat Prevention |
Exporting Custom Intelligence feeds from the management to all the Security Gateways succeeds but the generated log shows that the operation failed. |
PRJ-48084, |
Threat Prevention |
An outage may occur when an unsupported SSH cipher is selected. |
PRJ-46756, |
Identity Awareness |
The ida_tables_util tool may fail with the "bad adress" error. |
PRJ-48248, |
Identity Awareness |
There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417). |
PRJ-45718, |
Application Control |
Policy installation fails when a custom application and user category have the same name. |
PRJ-46196, |
Application Control |
CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186. |
PRJ-42478, |
IPS |
Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types. |
PRJ-49042, |
DLP |
The DLP process may unexpectedly exit during policy installation. |
PRJ-49568, |
Anti-Virus |
The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds. |
PRJ-49639, |
Anti-Virus |
Microsoft Office files may be classified by the Anti-Virus file type classification engine as archives. |
PRJ-50526, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash during inspection of file downloads. |
PRJ-51590, |
Anti-Virus |
The Anti-Bot Blade prevents Domains with the DNS Sinkhole feature, but SmartConsole log shows the "detect" action. |
PRJ-49518, |
Anti-Virus |
The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile. |
PRJ-49295, |
Anti-Virus |
Anti-Virus fails to release held connections after the inspection. |
PRJ-45834, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47782, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-48125, |
Anti-Virus |
A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol. |
PRJ-47933, |
Anti-Virus |
When transferring many files, SMB traffic may freeze while scanned by Anti-Virus blade. |
PRJ-48970, |
Anti-Virus |
When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked. |
PRJ-47237, |
Anti-Virus |
Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode. |
PRJ-48173, |
SSL Inspection |
A FWK process memory leak may occur when canceling the download of a large file in the middle of the process. |
PRJ-47105, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-44273, |
ClusterXL |
A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531. |
PRJ-43931, |
ClusterXL |
Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055. |
PRJ-48411, |
ClusterXL |
In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem". |
PRJ-51175, |
SecureXL |
The Security Gateway may crash with vmcore during boot while upgrading. |
PRJ-48887, |
SecureXL |
The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway. |
PRJ-50552, |
SecureXL |
High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load. |
PRJ-49755, |
SecureXL |
Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces. |
PRJ-43637, |
SecureXL |
In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability. |
PRJ-49376, PRHF-30056 |
SecureXL |
Syn Defender may not correctly handle reused connections. |
PRJ-50830, |
Routing |
The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios. |
PRJ-47799, PRHF-29662 |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come back up. |
PRJ-41792, |
Routing |
Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic. |
PRJ-47485, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-47938, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48115, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-43246, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-49576, |
Routing |
The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected. |
PRJ-49215, |
VPN |
Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled. |
PRJ-49557, |
VPN |
When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed. |
PRJ-47589, |
VPN |
In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error. |
PRJ-42937, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-46259, |
VPN |
The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857. |
PRJ-45125, |
VPN |
Back connection does not function on the Statically NATed Office Mode address as expected. |
PRJ-53368, PRHF-32706 |
VPN |
VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log. |
PRJ-47875, |
Multi-Portal |
The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication. |
PRJ-50310, |
Multi-Portal |
A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway. |
PRJ-49565, |
VSX |
Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages. |
PRJ-50786, |
VSX |
VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface. |
PRJ-50957, |
VSX |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router. |
PRJ-43876, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-47835, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-44298, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed. |
PRJ-44266, |
VSX |
Virtual System context may not be handled correctly by CPView, for example, the same interfaces may be listed on all virtual systems. |
PRJ-48828, |
VSX |
In some scenarios, the VXLAN Driver Kernel may crash. |
PRJ-49348, |
VSX |
In some scenarios, in Maestro VSX environment with a Virtual Switch (VSW), TCP packets can be dropped as "out of state" or incorrectly dropped on the clean up rule. |
PRJ-47794, |
VSX |
A memory leak may occur in the CPD process. |
PRJ-46018, |
Gaia OS |
The SNMPD process memory consumption may be high, which causes the process to become unresponsive. |
PRJ-46969, |
Gaia OS |
Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249. |
PRJ-48717, |
Gaia OS |
The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option. |
PRJ-46140, |
Gaia OS |
Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content. |
PRJ-47174, |
Gaia OS |
When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration. |
PRJ-50484, |
Gaia OS |
SNMP query does not bring the CPUSE package information for a single OID (not a table). |
PRJ-28432, |
Gaia OS |
Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment. |
PRJ-46273, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47771, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-41335, |
Harmony Endpoint |
When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error. |
PRJ-47145, |
Harmony Endpoint |
When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers. |
PRJ-47897, |
CloudGuard Network |
Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed. |
PRJ-47992, |
VoIP |
When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525. |
PRJ-46987, |
VoIP |
In some scenarios, SIP TCP connections are dropped after a cluster failover. |
PRJ-43606, |
VoIP |
SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter). |
PRJ-49464, |
Scalable Platforms |
On a Security Group with MDPS enabled:
After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane. See sk182076. |
Take 206 Released on 28 December 2023 and declared as Recommended on 16 January 2024 |
||
PRJ-51600, SMB-16203 |
Security Management |
In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803. |
Take 205 Released on 19 November 2023 |
||
PRJ-49981, PMTR-74309 |
Security Management |
UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3. |
PRJ-49980 |
Security Management |
UPDATE: Removed a redundant rule-assistant.war package. |
PRJ-49822, PMTR-95347 |
Security Management |
UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22. |
PRJ-49784, PMTR-95614 |
Security Management |
UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies. |
PRJ-49106, PMTR-94517 |
SmartConsole |
UPDATE: Applied security related improvements to the Jetty open source library. |
PRJ-50122, PRJ-50322, ODU-1217, |
CPView |
UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-50041, |
CPView |
UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458. |
PRJ-49743, PMTR-95099 |
Mobile Access |
UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default. |
PRJ-48337, |
CloudGuard Network |
UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-45978, |
Scalable Platforms |
UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-50540, |
HCP |
UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-50188, PMTR-96205 |
IPS |
Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6. |
Take 198 Released on 19 July 2023 and declared as Recommended on 30 August 2023 |
||
PRJ-44574, |
Internal CA |
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date. |
PRJ-45488, |
Security Management |
UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster). |
PRJ-45293, |
Security Management |
UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792. |
PRJ-44950, |
IPS |
UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day. |
PRJ-44434, |
ClusterXL |
UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742. |
PRJ-43603, PRHF-22566 |
SecureXL |
UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall. |
PRJ-43967, |
VPN |
UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.
Refer to sk98074. |
PRJ-46914, |
VPN |
UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL. |
PRJ-47510, |
GaiaOS |
UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230: 1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor). 2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login). These Gaia Clish commands are available to work with this feature:
|
PRJ-45268, |
GaiaOS |
UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311. |
PRJ-44637, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements. |
PRJ-44357, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region. |
PRJ-45470, |
CPView |
UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-45503, |
CPView |
UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-45905, |
Scalable Platforms |
UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-44863, |
Scalable Platforms |
UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures. |
PRJ-45386, |
HCP |
UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-45156, |
Security Management |
APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites. |
PRJ-42037, |
Security Management |
Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)". |
PRJ-44083, |
Security Management |
Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514. |
PRJ-43557, PRJ-42546, |
Security Management |
In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897. |
PRJ-42420, |
Security Management |
In some scenarios, an upgrade may fail when a Network object Group contains more than 32000 members. |
PRJ-43184, |
Security Management |
If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461. |
PRJ-42550, |
Security Management |
After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes". |
PRJ-35492, |
Security Management |
The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted. |
PRJ-44627, PMTR-90519 |
Security Management |
There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder. |
PRJ-44458, |
Security Management |
In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions. |
PRJ-45485, |
Security Management |
In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation". |
PRJ-45871, |
Security Management |
In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified. |
PRJ-45058, |
Security Management |
In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858. |
PRJ-43809, |
Security Management |
Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584. |
PRJ-45652, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service. |
PRJ-44993, |
Security Management |
In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out. |
PRJ-39773, |
Security Management |
Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command. |
PRJ-46396, |
Security Management |
In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-43689, |
Multi-Domain Management |
Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain's policy. |
PRJ-44449, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681. |
PRJ-45052, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked. |
PRJ-46085, |
Multi-Domain Security Management |
A scheduled Install Policy Preset may not have its next run time updated when:
|
PRJ-46102, |
Multi-Domain Management |
In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983. |
PRJ-45066, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-44967, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages. |
PRJ-40736, |
Multi-Domain Security Management |
Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers. |
PRJ-46507, |
SmartConsole |
Data Center objects may not appear as unused objects in the Object Explorer view, although they should. |
PRJ-44335, |
CPView |
The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540. |
PRJ-41664, |
Logging |
In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field. |
PRJ-39253, |
Logging |
In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server. |
PRJ-45415, |
Logging |
Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic. |
PRJ-38478, |
Logging |
In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured. |
PRJ-20170, |
Logging |
In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached. |
PRJ-41592, |
Logging |
SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information. |
PRJ-46537, |
Security Gateway |
The FWK process may unexpectedly exit while processing the mail flow and generate a core dump. |
PRJ-45953, |
Security Gateway |
When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873. |
PRJ-41965, |
Security Gateway |
When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected. |
PRJ-44309, |
Security Gateway |
In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash. |
PRJ-46685, |
Security Gateway |
When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops. |
PRJ-46051, |
Security Gateway |
The Security Gateway may crash while inspecting non-HTTP traffic. |
PRJ-46332, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-45481, |
Security Gateway |
Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command. |
PRJ-38109, |
Security Gateway |
In some scenarios, the Security Gateway may crash. |
PRJ-45801, |
Security Gateway |
Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588. |
PRJ-44998, |
Security Gateway |
In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped. |
PRJ-45395, |
Security Gateway |
Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801. |
PRJ-45494, |
Security Gateway |
On the Security Gateway with Management Data Plane Separation (MDPS) enabled:
|
PRJ-46338, |
Security Gateway |
In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze. |
PRJ-44249, |
Security Gateway |
When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC. |
PRJ-45476, |
Security Gateway |
Security Gateway may crash when running kernel debugs of the "UP" module. |
PRJ-42528, |
Security Gateway |
In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart. |
PRJ-44958, |
Security Gateway |
When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur. |
PRJ-40876, |
Security Gateway |
In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
PRJ-45184, |
Security Gateway |
Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705. |
PRJ-44750, |
Security Gateway |
Policy installation may fail with "Error 2000240" because of an IPv6 flow issue. |
PRJ-42356, |
Security Gateway |
Latency in connection caused by a packet flow change from F2V to F2F. |
PRJ-44079, |
Security Gateway |
In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated. |
PRJ-41202, |
Security Gateway |
SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625. |
PRJ-36110, |
Security Gateway |
When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email. |
PRJ-44230, |
Security Gateway |
After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore. |
PRJ-44918, |
Security Gateway |
After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs. |
PRJ-44093, |
Security Gateway |
In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure. |
PRJ-41876, |
Security Gateway |
On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode. |
PRJ-45447, |
Security Gateway |
When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure. |
PRJ-43531, |
Security Gateway |
The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated. |
PRJ-44853, |
Security Gateway |
Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter. |
PRJ-47125, |
Security Gateway |
In some scenarios, after an upgrade, the FWD process may unexpectedly exit. |
PRJ-43854, |
Security Gateway |
The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX. |
PRJ-44802, |
Threat Prevention |
In some scenarios, parsing a custom intelligence feed with IP ranges may fail. |
PRJ-43995, |
Threat Prevention |
IoC feed may not load because of a parsing issue with the IP address range indicator. |
PRJ-42583, |
Threat Prevention |
When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced. |
PRJ-44220, |
Threat Prevention |
In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled. |
PRJ-44549, PRHF-27765 |
Threat Prevention |
In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update. |
PRJ-44568, |
Threat Prevention |
After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed". |
PRJ-45560, |
Threat Prevention |
In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail. |
PRJ-45810, |
Threat Prevention |
In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file. |
PRJ-39345, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on PDP when installing policy. |
PRJ-43745, |
Identity Awareness |
The output of the "pdp monitor cv_le <agent-version>" command may be incorrect. |
PRJ-44314, |
Content Awareness |
When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection. |
PRJ-47062, |
Application Control |
When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur. |
PRJ-45426, |
Application Control |
Some TLS1.3 applications without SNI do not match the rules. |
PRJ-44381, |
Application Control |
A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability. |
PRJ-44178, |
IPS |
In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic. |
PRJ-42712, |
IPS |
In a rare scenario, the Security Gateway may crash during an IPS package update. |
PRJ-47646 |
IPS |
In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
PRJ-43581, |
DLP |
A memory leak may occur in the DLPU process. |
PRJ-45753, |
Anti-Virus |
The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries. |
PRJ-46775, |
Anti-Virus |
The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026. |
PRJ-47262, |
SSL Inspection |
The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak. |
PRJ-45192, |
Mobile Access |
In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail. |
PRJ-44289, |
Mobile Access |
Some web applications which use PT or UT link translation methods may have issues after a browser upgrade. |
PRJ-46400, |
Mobile Access |
Sending emails with attachments via Capsule Workspace may fail on iOS. |
PRJ-45347, |
ClusterXL |
After an upgrade, cluster members may frequently crash, causing instability in the environment. |
PRJ-46503, |
ClusterXL |
Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969. |
PRJ-44453, |
ClusterXL |
After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops. |
PRJ-44872, |
SecureXL |
Traffic may be dropped and the FWACCEL core file is generated. |
PRJ-44675, |
SecureXL |
After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped. |
PRJ-44703, |
Routing |
Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table. |
PRJ-42186, |
Routing |
Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear. |
PRJ-44922, |
Routing |
When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode. |
PRJ-45377, |
Routing |
A VRRP/VRRP6 interface may go into Master/Master state. |
PRJ-44938, |
Routing |
After an update, multicast traffic may be dropped. |
PRJ-44707, |
Routing |
An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface. |
PRJ-41115, |
Routing |
There may be high CPU utilization and slow recovery of the ROUTED process after a failover. |
PRJ-41111, |
Routing |
It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time. |
PRJ-43408, |
Routing |
The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM). |
PRJ-41329, |
Routing |
The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down. |
PRJ-44257, |
Routing |
The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0". |
PRJ-45182, |
Routing |
Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669. |
PRJ-46126, |
Routing |
The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths. |
PRJ-46356, |
Routing |
Routes marked as "stale" may be redistributed via BGP during graceful restart. |
PRJ-45831, |
Routing |
The ROUTED daemon may unexpectedly exit because of multi-threading issues. |
PRJ-45917, |
VPN |
The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation. |
PRJ-46292, |
VPN |
Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429. |
PRJ-40282, PRJ-43711, |
VPN |
Refer to sk180530. |
PRJ-44827, PRJ-44989, PRJ-46300, PRHF-28849 |
VPN |
|
PRJ-24873, |
VPN |
VPN endpoint users fail to login with ECDSA certificate. |
PRJ-40911, |
VPN |
The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client. |
PRJ-44665, |
VPN |
When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output. |
PRJ-43297, PRJ-43593, |
VPN |
Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651. |
PRJ-44087, |
VSX |
Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect. |
PRJ-45003, |
VSX |
A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command. |
PRJ-45399, |
VSX |
Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs. |
PRJ-45143, |
VSX |
Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster. |
PRJ-44743, |
VSX |
Virtual System's interfaces may be missing when running the Clish command "show/save configuration". |
PRJ-44120, |
VSX |
Changing the main IP address of a Virtual Router may cause the FWM process to exit. |
PRJ-44368, |
Gaia OS |
SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status. |
PRJ-45861, |
Gaia OS |
Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error. |
PRJ-40032, |
Gaia OS |
When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed. |
PRJ-44236, |
Gaia OS |
The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added. |
PRJ-41907, |
Gaia OS |
Gaia WebUI logs are printed with "info" severity. |
PRJ-45563, ACCHA-2110 |
Gaia OS |
The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728. |
PRJ-45538, |
CloudGuard Network |
AWS Data Center mapping fails when an interface subnet is missing from the list of subnets. |
PRJ-45790, |
CloudGuard Network |
Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries. |
PRJ-44476, |
CloudGuard Network |
Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started. |
PRJ-44345, |
CloudGuard Network |
The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381. |
PRJ-46473, |
VoIP |
SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file. |
PRJ-44612, |
VoIP |
In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue. |
PRJ-32397, PRJ-43515, |
VoIP |
After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-42615, |
Scalable Platforms |
The FW process may unexpectedly exit, producing a core dump file. |
Take 197 Released on 27 April 2023 and declared as Recommended on 3 May 2023 |
||
PRJ-46037 |
ClusterXL |
Cluster VIP IPv6 address configuration is not applied on cluster members causing IPv6 traffic outage. Refer to sk180902. |
Take 196 Released on 6 March 2023 and declared as Recommended on 18 April 2023 |
||
PRJ-42183, |
IPS |
NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content. |
PRJ-43893, |
Security Gateway |
NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43805, |
Application Control, URL Filtering |
NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-44253, |
Threat Extraction |
NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43908, |
SmartView |
NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-36633, |
Security Management |
UPDATE: Added an option to configure the maximum number of IPS SNORT rules. These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config (for MDS - additionally in the $MDS_FWDIR/conf/malware_config file): "[IPS] snort_convertor_max_rules_per_update=<value> snort_convertor_total_rules_num_limit=<value>". Refer to sk136515. |
PRJ-42304, |
Security Management |
UPDATE: Improved the "Purge revisions" operation to reduce the size of the database. |
PRJ-34958, |
CPView |
UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878. |
PRJ-41199, |
Security Gateway |
UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).
|
PRJ-44557, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436. |
PRJ-42656, |
IPS |
UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections. |
PRJ-42258, |
Threat Prevention |
UPDATE: Reduced loading time of big external Custom Intelligence Feeds. |
PRJ-43611, |
Gaia OS |
UPDATE: Gaia Cloning Groups will now use the highest TLS version available. |
PRJ-41933, |
VoIP |
UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection. |
PRJ-42402, |
VSX |
UPDATE: Added more logs related to Pushing VSX Configuration.
. |
PRJ-43027, |
CloudGuard Network |
UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher. |
PRJ-42148, |
CloudGuard Network |
UPDATE: Improved performance of pushing Data Center Objects changes to Security Gateways. |
PRJ-41844, |
CloudGuard Network |
UPDATE: Improved handling of NSX-T API responses. |
PRJ-43051, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions. |
PRJ-43402, |
Diagnostics |
Skyline may not show any information. Refer to sk180748. |
PRJ-40538, |
Diagnostics |
The cpview -s export operations may fail on VS0 when cpview_services are running. |
PRJ-43901, |
Security Management |
On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448. |
PRJ-42242, |
Security Management |
Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER. |
PRJ-38356, |
Security Management |
After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results". |
PRJ-40221, |
Security Management |
In a large environment, High Availability synchronization for the Global Domain may fail with the "Global domain is busy syncing, please check sync status" error. |
PRJ-41539, |
Security Management |
The FWK process may unexpectedly exit during Threat Prevention policy installation. |
PRJ-41669, |
Security Management |
When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue. |
PRJ-42857, |
Security Management |
After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole. |
PRJ-40424, |
Security Management |
In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error. |
PRJ-23720, |
Security Management |
Policy with a large number of AD users may fail with timeout or take a long time to be installed. |
PRJ-42103, |
Security Management |
In a Multi-Domain environment, the HitCount retention mechanism may prematurely remove the HitCount data. |
PRJ-39390, |
Security Management |
In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred". |
PRJ-40821, |
Security Management |
Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks |
PRJ-41926, |
Security Management |
After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294. |
PRJ-44023, |
Security Management |
When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message. |
PRJ-42408, |
Security Management |
Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error. |
PRJ-41760, |
Security Management |
In some scenarios, the CME process fails to start. |
PRJ-41890, |
Security Management |
High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server. |
PRJ-43092, |
Security Management |
After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails. |
PRJ-39744, |
Security Management |
Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure. |
PRJ-42847, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, traffic may not match rules with custom applications. |
PRJ-42047, |
Multi-Domain Security Management |
In rare scenarios in a Multi-Domain Security Management environment:
|
PRJ-42282, |
CPView |
CPView may not show some interfaces. |
PRJ-42082, |
CPView |
A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops. |
PRJ-43587, |
CPView |
In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart. |
PRJ-41353, |
Logging |
In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic. |
PRJ-37498, |
Logging |
The "epoll is enabled" warning is incorrectly displayed during policy installation. |
PRJ-42412, |
Logging |
When LEA spawning is turned off (sk91343), the FWD process may run out of memory. |
PRJ-43391, |
Logging |
When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects. |
PRJ-32808, |
Logging |
The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803. |
PRJ-41493, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-41016, |
Security Gateway |
When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead. |
PRJ-42705, |
Security Gateway |
DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list. |
PRJ-39925, |
Security Gateway |
When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files. |
PRJ-43495, |
Security Gateway |
Policy installation may fail with an "Error 0-2000080" message because of memory allocation issues. |
PRJ-43009, |
Security Gateway |
When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted. |
PRJ-42294, |
Security Gateway |
When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command. |
PRJ-43837, |
Security Gateway |
The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation. |
PRJ-43884, |
Security Gateway |
In rare scenarios, the FWD process is stuck during policy installation. |
PRJ-43552, |
Security Gateway |
Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled. |
PRJ-42755, |
Security Gateway |
The Security Gateway may crash because of an issue in the FILEAPP (File Application) module. |
PRJ-41632, |
Security Gateway |
Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop. |
PRJ-42942, |
Security Gateway |
When Anti-Spoofing is enabled, the Security Gateway may crash. |
PRJ-36008, |
Security Gateway |
The Security Gateway may frequently crash with vmcore files, recording invalid context. |
PRJ-43703, |
Security Gateway |
The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs). |
PRJ-39606, |
Security Gateway |
The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages. |
PRJ-38807, |
Security Gateway |
In a rare scenario, when QoS is enabled, the Security Gateway may crash. |
PRJ-39799, |
Security Gateway |
After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash. |
PRJ-42086, |
Security Gateway |
The "fw monitor" command output may contain "no packets left to merge" messages. |
PRJ-40318, |
Security Gateway |
In rare scenarios, the FWK process can unexpectedly exit and cause an outage. |
PRJ-43345, |
Security Gateway |
A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data. |
PRJ-40233, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-39573, |
Security Gateway |
The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active. |
PRJ-41862, |
Security Gateway |
After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). |
PRJ-39966, |
Security Gateway |
The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs. |
PRJ-40107, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL. |
PRJ-41578, |
Security Gateway |
In some scenarios, the CPD process may unexpectedly exit. |
PRJ-43125, |
Security Gateway |
Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption. |
PRJ-42901, |
Internal CA |
The certificate in SmartConsole is shown as valid, although it is expired. |
PRJ-41434, |
Internal CA |
When managing cloud Gateways, the FWM process memory usage may increase. |
PRJ-42284, |
Threat Prevention |
The "ioc_feeds set interval -r" command may fail. |
PRJ-41596, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value. |
PRJ-41487, |
Threat Prevention |
Loading of Custom Intelligence Feeds with authentication may fail. |
PRJ-38720, |
Threat Prevention |
File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled. |
PRJ-38663, |
Threat Prevention |
The DLPU process may unexpectedly exit with a core dump file. |
PRJ-32736, |
Threat Prevention |
After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml. |
PRJ-37565, |
Threat Prevention |
When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue. |
PRJ-42436, |
Threat Prevention |
Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file. |
PRJ-41382, |
Threat Prevention |
External IoC feeds may fail with "General Error". And in the feeder.elg there are many "Failed to load signatures" messages. |
PRJ-41122, PRHF-24693 |
Threat Prevention |
In a rare scenario, the mal_conns table may consume a large amount of memory. |
PRJ-40470, |
Threat Prevention |
If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible. |
PRJ-42342, |
Identity Awareness |
During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659. |
PRJ-33063, |
Identity Awareness |
In a rare scenario, a wrong access role may be assigned to a user. |
PRJ-42931, |
Identity Awareness |
The PDPD process may cause CPU spikes during cluster failover. |
PRJ-42337 |
Identity Awareness |
In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing. |
PRJ-41818, |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification. |
PRJ-42997, |
Identity Awareness |
In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side. |
PRJ-42504, |
Application Control |
In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher. |
PRJ-41219, |
Application Control |
The RAD process may freeze when an error occurs and an error event is initialized. |
PRJ-43501, |
Application Control |
Policy installation may fail with an "Error 0-200184" message because of memory allocation issues. |
PRJ-41653, |
IPS |
Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps. |
PRJ-42589, |
IPS |
The Security Gateway may crash during policy installation because of a memory allocation problem. |
PRJ-41376, |
IPS |
When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation. |
PRJ-35484, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290. |
PRJ-41214, |
Anti-Virus |
In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash. |
PRJ-43179, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and create core dump files. |
PRJ-43889, |
SSL Inspection |
In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473. |
PRJ-41411, |
Mobile Access |
Access to a web application that uses WebSocket protocol may not be possible. |
PRJ-42466, |
Mobile Access |
When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue. |
PRJ-41257, |
Mobile Access |
Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled. |
PRJ-42462, |
ClusterXL |
Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled. |
PRJ-43114, |
ClusterXL |
The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces. |
PRJ-37149, |
ClusterXL |
In an Active/Active cluster, a member may reboot because of a memory corruption issue. |
PRJ-43001, |
ClusterXL |
Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292. |
PRJ-44166, |
ClusterXL |
When handling HTTP/2 traffic, cluster members may crash, generating vmcores. |
PRJ-29666, |
SecureXL |
When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored. |
PRJ-42573, |
SecureXL |
Multicast traffic may get dropped, and no logs are generated. |
PRJ-42443, |
SecureXL |
The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364. |
PRJ-42894, |
SecureXL |
SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router. |
PRJ-44129, |
SecureXL |
IPv6 template is not created when the connection is NATed. |
PRJ-43981, |
SecureXL |
In a rare scenario, a CPAQ message sent during policy push does not have critical and can be dropped when the Security Gateway is busy. |
PRJ-43920, |
Routing |
Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost. |
PRJ-43054, |
Routing |
The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486. |
PRJ-44946, |
VPN |
When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664. |
PRJ-42877, |
VPN |
When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281. |
PRJ-42559, |
VPN |
When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty. |
PRJ-42651, |
VPN |
Stability issues of the VPND and IKED processes. |
PRJ-41048, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-42727, |
VPN |
In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue. |
PRJ-40726, |
VPN |
In some scenarios, when NAT is configured, VoIP traffic is dropped. |
PRJ-39169, |
VPN |
Remote Access Client may fail to connect when using machine certificate authentication. |
PRJ-38165, |
VPN |
Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592. |
PRJ-44012, |
VSX |
In VSX, after adding instances to a Virtual System (VS), their state may be inactive. |
PRJ-13984, |
VSX |
In large environments, the "vsx_util reconfigure" procedure and booting may take a long time . |
PRJ-43354, |
VSX |
The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324. |
PRJ-41695, |
VSX |
The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database. |
PRJ-42881, |
VSX |
In VSX, if Dynamic Balancing was manually disabled on R80.40, after an upgrade from R80.40 to R81.20, it automatically gets enabled. |
PRJ-42252, |
Gaia OS |
Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error. |
PRJ-42622, |
Gaia OS |
SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command. |
PRJ-43649, |
Gaia OS |
When setting password hash on cloning group members, some members may not get updated. |
PRJ-42960, |
Gaia OS |
IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309. |
PRJ-44161, PRJ-43959 |
Gaia OS |
When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail. |
PRJ-42524, |
Gaia OS |
Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181. |
PRJ-43430, |
Gaia OS |
In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit. |
PRJ-41407, |
Gaia OS |
When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed. |
PRJ-34370, |
Gaia OS |
After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups. |
PRJ-42218, |
Gaia OS |
Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI. |
PRJ-43023, |
Gaia OS |
The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198. |
PRJ-43561, |
Gaia OS |
When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server. |
PRJ-40691, |
Harmony Endpoint |
When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit. |
PRJ-43257, |
CloudGuard Network |
Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object. |
PRJ-43395, |
CloudGuard Network |
VPN Cluster stability issue when the peer is an Azure Security Gateway. |
PRJ-43575, |
CloudGuard Network |
When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails. |
PRJ-42008, |
CloudGuard Network |
When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway. |
PRJ-42113, |
CloudGuard Network |
AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC). |
PRJ-42853, |
CloudGuard Network |
A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings. |
PRJ-43066, |
CloudGuard Network |
Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data. |
PRJ-43075, |
VoIP |
While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption. |
PRJ-42698, |
VoIP |
In some scenarios, when using static NAT, VoIP traffic may be affected. |
PRJ-39600, |
Scalable Platforms |
The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages. |
PRJ-39188, |
Scalable Platforms |
When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID. |
Take 192 Released on 28 December 2022 and declared as Recommended on 26 February 2023 |
||
PRJ-43369, |
Threat Emulation |
In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe". |
PRJ-43270, |
Gaia OS |
After an upgrade, the RADIUS Server is unavailable and authentication fails. |
Take 190 Released on 13 November 2022 |
||
PRJ-38346, |
Diagnostics |
The CPVIEWD process may cause CPU spikes. |
PRJ-38114, |
Security Management |
UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Server with the Active Global Domain, where the operation is triggered from. |
PRJ-22559, |
Security Management |
UPDATE: Improved the "Assign Global Policy" action time by approximately 50%. |
PRJ-41344, |
Internal CA |
UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591. |
PRJ-33894, |
Security Management |
Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled. |
PRJ-40056, |
Security Management |
An Application Control and URL Filtering update may still occur even if the latest version is already installed. |
PRJ-40168, |
Security Management |
A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours. |
PRJ-41554, |
Security Management |
After an Application Control update, policy installation may fail. |
PRJ-39221, |
Security Management |
An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain". |
PRJ-40719, |
Security Management |
Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object. |
PRJ-40808, |
Security Management |
SmartConsole may unexpectedly disconnect. |
PRJ-40849, |
Security Management |
The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command. |
PRJ-40545, |
Security Management |
After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors. |
PRJ-39536, |
Security Management |
An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587. |
PRJ-41069, |
Security Management |
Global Policy reassignment fails with "An internal error has occurred". The issue occurs when a Global rule, Rule Base, or section was created, moved, and then deleted without running a reassignment in between. |
PRJ-41974, |
Security Management |
The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119. |
PRJ-37830, |
Security Management |
"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain. |
PRJ-41290, |
Security Management |
Access Policy installation may fail with the "Internal error occurred during the verification process" error. |
PRJ-34152, |
Security Management |
Packet mode search in HTTPS Inspection policy may not work. |
PRJ-34735, |
Security Management |
When running the "show access-rule" Management API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells. |
PRJ-40732, |
Security Management |
In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message. |
PRJ-39716, |
Security Management |
It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown. |
PRJ-37309, |
Security Management |
SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Management Server to the Security Management Server. |
PRJ-41125, |
SmartConsole |
Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate. |
PRJ-41020, |
CPView |
NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566. |
PRJ-38054, |
Logging |
UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message. |
PRJ-40142, |
Logging |
Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses. |
PRJ-40490, |
Logging |
In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format. |
PRJ-37704, |
Logging |
It may not be possible to filter the "Subscriber" field in SmartLog. |
PRJ-38050, |
Logging |
Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog. |
PRJ-42090, |
Logging |
Export to CSV in SmartView may be stuck in the "running" status. |
PRJ-35878, |
Logging |
Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), they may stop coming to the Log Server after several initial logs. |
PRJ-28110, |
Logging |
Logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server. |
PRJ-37296, |
Logging |
When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed. |
PRJ-21481, |
Logging |
The LOG_INDEXER process on the SmartEvent Server may unexpectedly exit, generating a core dump file, if the Log Server used by the correlation unit is deleted. |
PRJ-41095, |
Logging |
In rare scenarios, the LOG_INDEXER process may unexpectedly exit, and there is no access to the logs. Refer to sk172915. |
PRJ-41101, |
Logging |
When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name. |
PRJ-41192, |
Logging |
It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only. |
PRJ-32205, |
Logging |
The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records. |
PRJ-41358, |
Logging |
Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully. |
PRJ-40096, |
Security Gateway |
UPDATE:
|
PRJ-38142, |
Security Gateway |
UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1. |
PRJ-32779, |
Security Gateway |
UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL. |
PRJ-34903 |
Security Gateway |
A kernel crash may occur during system shutdown when PIM is enabled. |
PRJ-39330, |
Security Gateway |
After an upgrade, Access Control policy installation may fail with an "Update process is already running" message. |
PRJ-41622, |
Security Gateway |
When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672. |
PRJ-35108, |
Security Gateway |
There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling". |
PRJ-41414, |
Security Gateway |
The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs. |
PRJ-40915, |
Security Gateway |
The Security Gateway may crash because of memory corruption, and the following error appears in the /var/log/message file: "[xxxx] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>". |
PRJ-39578, |
Security Gateway |
In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash. |
PRJ-40457, |
Security Gateway |
In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway. |
PRJ-24590, |
Security Gateway |
It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE" |
PRJ-41028, |
Security Gateway |
Topology auto update may fail because of a too long interface name. |
PRJ-41031, |
Security Gateway |
The Security Gateway may run out of memory when retrieving topology. |
PRJ-38551, |
Security Gateway |
After an upgrade, Anti-Virus Blade may cause increased memory consumption. |
PRJ-36865, |
Security Gateway |
After an upgrade, VSX cluster may have frequent failovers. |
PRJ-40934, |
Security Gateway |
In a rare scenario, the Security Gateway may have a memory allocation issue. |
PRJ-34887, |
Threat Prevention |
When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated. |
PRJ-40346, |
Threat Prevention |
The Custom Intelligence Feeds feature may stop enforcing traffic after Threat Prevention policy installation. |
PRJ-40444, |
Threat Prevention |
Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577. |
PRJ-40436, |
Threat Prevention |
A kernel memory leak may occur during deep file inspection. |
PRJ-40972, |
Threat Prevention |
Threat Prevention policy installation may fail with a "Connection aborted by Peer" message. |
PRJ-41275, |
Threat Prevention |
Adding hash indicators may cause policy installation to fail with a warning message. |
PRJ-38488, |
Threat Prevention |
In a rare scenario, the mal_conns table may consume a large amount of memory. |
PRJ-41310, |
Threat Extraction |
In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe". |
PRJ-38541, |
Identity Awareness |
The PDPD daemon may frequently exit during the user authentication flow. |
PRJ-34569, |
Identity Awareness |
SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query. |
PRJ-31973, |
Identity Awareness |
Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot. |
PRJ-36507, |
Identity Awareness |
The CPU utilization of the PDP daemon may be high during a specific authentication flow. |
PRJ-39751, |
Anti-Virus |
The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked. |
PRJ-38814, |
URL Filtering |
When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason. |
PRJ-33293, |
Anti-Virus |
Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag". |
PRJ-40831, |
Mobile Access |
After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail. |
PRJ-38458, |
Mobile Access |
In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance". |
PRJ-32967, |
Mobile Access |
Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244. |
PRJ-35509, |
ClusterXL |
UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers. |
PRJ-40743, |
ClusterXL |
The cphaprob show_bond command does not show newly added subordinates from Virtual Systems (VSs). |
PRJ-36732, |
ClusterXL |
In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage. |
PRJ-39182, |
ClusterXL |
In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory. |
PRJ-39737, |
SecureXL |
There may be high CPU or/and latency in CIFS/SMB connections. |
PRJ-41480, |
SecureXL |
After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops". |
PRJ-41765, |
SecureXL |
The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP. |
PRJ-39756, |
SecureXL |
SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios. |
PRJ-41706, |
Routing |
The ROUTED process may unexpectedly exit when the route does not have the next hop. |
PRJ-36889, |
VPN |
UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on. |
PRJ-41239, |
VPN, Multi-Portal |
UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434. |
PRJ-40868, |
VPN |
Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage. |
PRJ-40553, |
VPN |
When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources. |
PRJ-36709, |
VPN |
Improved Site-to-Site VPN stability. |
PRJ-41807, |
VPN |
When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels. |
PRJ-40858, |
VPN |
The VPND process may unexpectedly exit. |
PRJ-39892, |
VSX |
UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode. |
PRJ-38514, |
VSX |
SecureXL may not let HTTPS traffic pass through a Virtual Router (VR). |
PRJ-42214, |
VSX |
In some scenarios, the vsx_provisioning_tool fails to delete an interface and claims that it has already been freed.. |
PRJ-39766, |
VSX |
Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command. |
PRJ-39710, |
VSX |
When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway. |
PRJ-39886, |
VSX |
Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481. |
PRJ-40797, |
VSX |
Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output. |
PRJ-41361, |
VSX |
A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation. |
PRJ-42178, |
VSX |
Pushing a VSX configuration to a virtual device may fail. |
PRJ-40411, PRJ-42484, ODU-611 |
Gaia OS |
UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653. |
PRJ-40991, |
Gaia OS |
When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted. |
PRJ-41684, |
Gaia OS |
In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function. |
PRJ-41611, |
Gaia OS |
Information about scheduled backup failure is now displayed in Clish, WebUI and in the error message inside the log file. |
PRJ-40476, |
Gaia OS |
The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS). |
PRJ-28332, |
Harmony Endpoint |
UPDATE: Client Uninstall Remote Help is now Device-based. User Logon name is not needed anymore. |
PRJ-41369, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region. |
PRJ-41733, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region. |
PRJ-40842, |
CloudGuard Network |
Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS). |
PRJ-40838, |
CloudGuard Network |
Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways. |
PRJ-41461, |
CloudGuard Network |
Import of OpenStack Data Center CloudGuard Network objects may fail. |
PRJ-41711, ODU-603 |
Smart-1 Cloud |
Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-41142, |
Smart-1 Cloud |
Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-41746, |
Public Cloud CA Bundle |
Added Take 19 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-19383, |
VoIP |
In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651. |
PRJ-40671, |
HCP |
Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 180 Released on 20 September 2022 and declared as Recommended on 30 October 2022 |
||
PRJ-41081, |
Security Management |
UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down. |
PRJ-36205, |
Security Management |
Migration from the Management Server to the Domain Server may get stuck for 6-7 hours and then fail. |
PRJ-38216, |
Security Management |
If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status. |
PRJ-38453, |
Security Management |
High Availability synchronization may fail with the "Failed to update shared licenses" error. |
PRJ-34237, |
Security Management |
Migration of the Security Management Server to the Multi-Domain Management Server may fail. |
PRJ-38179, |
Security Management |
Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration. |
PRJ-37910, |
Security Management |
The flag "--method" for a CME command is not supported in SmartConsole Command Line. |
PRJ-39208, |
Security Management |
The output of the "show opsec-application" API command may not show the host object name or UID. |
PRJ-33920, |
Security Management |
Some unused sessions may remain open in the system, consuming memory and CPU. |
PRJ-41096, |
Security Management |
The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot. |
PRJ-38787, |
Security Management |
Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524. |
PRJ-39487, |
Multi-Domain Management |
In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect. |
PRJ-38123, PRHF-23066 |
Multi-Domain Management |
Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message. |
PRJ-40611, |
Compliance |
In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it. |
PRJ-36190, |
Logging |
UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT. |
PRJ-36019, |
Logging |
In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches. |
PRJ-39588, |
Logging |
The FWD process may unexpectedly exit and create core dump files. |
PRJ-30963, EPS-562 |
Logging |
In some scenarios, the Forensics report fails to open from Harmony Endpoint logs. |
PRJ-36475, |
Logging |
In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713. |
PRJ-40356, |
Logging |
In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596. |
PRJ-34678, |
Security Gateway |
UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215. |
PRJ-40509, |
Security Gateway |
UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750). |
PRJ-38912 |
Security Gateway |
When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency. |
PRJ-34402, |
Security Gateway |
Deleting IP addresses in the SAM Database may fail. |
PRJ-40253, |
Security Gateway |
There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server. |
PRJ-34170, |
Security Gateway |
After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash. |
PRJ-41454, |
Security Gateway |
During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency. |
PRJ-40861, |
Security Gateway |
Improved the recovery mechanism for Dynamic Balancing. |
PRJ-39518, |
Security Gateway |
Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886. |
PRJ-40791, |
Security Gateway |
Enhanced connectivity during HTTP2 Inspection. |
PRJ-40014, |
Security Gateway |
The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP). |
PRJ-38589, PMTR-79658 |
Security Gateway |
In a cluster environment, an ICAP implied rule may not be enforced after policy installation. |
PRJ-27777, PMTR-70632 |
Security Gateway |
The RAD daemon may fail and create core dump files on VSX Gateways. |
PRJ-39987, |
Threat Prevention |
UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time. |
PRJ-40431, |
Threat Prevention |
UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output. |
PRJ-29734, |
Threat Prevention |
SCP connections may get terminated with a protocol error. |
PRJ-39160, |
Identity Awareness |
The Nested Groups Depth value changed in CLI may not survive a reboot. |
PRJ-39830, |
Identity Awareness |
Removed unnecessary debug messages in the Identity revocation flow. |
PRJ-35834, PMTR-71684 |
Identity Awareness |
Memory consumption may increase after policy installation when Secure ID is configured. |
PRJ-36383, |
Application Control |
Refer to sk178406. |
PRJ-29434, PRJ-37279, |
URL Filtering |
When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly. |
PRJ-30744, |
IPS |
Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization. |
PRJ-37725, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290. |
PRJ-39150, |
Anti-Bot |
|
PRJ-40259, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification. |
PRJ-34072, |
Mobile Access |
Manual Web Form Single Sign-On (SSO) may fail when passwords contain special characters. |
PRJ-38434, PMTR-82133 |
Mobile Access |
When installing a specific hotfix, the CVPND process may unexpectedly exit. |
PRJ-39957, |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade, there may be state flapping when using the sync interface MAC address bit "02". |
PRJ-39838, |
ClusterXL |
When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member. |
PRJ-40199, |
ClusterXL |
In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members. |
PRJ-37942, |
ClusterXL |
In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446. |
PRJ-37630, |
SecureXL |
UPDATE: The MSS value in the SYN Cookie response can now be configured. |
PRJ-39072, |
SecureXL |
UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960. |
PRJ-36857, |
SecureXL |
Policy installation may cause cluster failover and impact the traffic flowing through the cluster. |
PRJ-40218, |
SecureXL |
In a rare scenario, ipsctl kernel module does not load at startup. |
PRJ-40293, PMTR-81618 |
SecureXL |
A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode. |
PRJ-40746, |
Routing |
The ROUTED process may unexpectedly exit when querying BGP data. |
PRJ-40090, PMTR-84418 |
Routing |
When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file. |
PRJ-40843, |
VPN |
UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271. |
PRJ-40752, |
VPN |
Resolved the “HTTP Response splitting” vulnerability in Security Gateway portals. Refer to sk179705. |
PRJ-40662, |
VPN |
There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled Multi-Queue. |
PRJ-38632, |
VPN |
Connection to Endpoint Security Client from the Remote Access VPN may be lost when the VPN tunnel timeout is reached. Refer to sk178891. |
PRJ-40384, |
VPN |
The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart. |
PRJ-40581, |
VPN |
Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled. |
PRJ-37783, |
VPN |
In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121. |
PRJ-39980, |
VSX |
The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591. |
PRJ-40071, |
VSX |
A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586. |
PRJ-40249, |
VSX |
In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash. |
PRJ-34321, |
VSX |
The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command. |
PRJ-40702, |
VSX |
A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member". |
PRJ-34094, |
VSX |
When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown. |
PRJ-40359, |
VSX |
Improved packet rate performance on warp interfaces. |
PRJ-24565, PRHF-16407 |
Gaia OS |
UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10. |
PRJ-40767, |
Gaia OS |
IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file. |
PRJ-40026, |
Gaia OS |
A user locked by the deny-on-nonuse mechanism cannot get unlocked. |
PRJ-40364, |
Gaia OS |
Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579. |
PRJ-40669, |
HCP |
Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 173 Released on 31 August 2022 and declared as Recommended on 13 September 2022 |
||
PRJ-41444, |
Threat Prevention |
In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)". |
Take 172 Released on 25 July 2022 |
||
PRJ-38150, |
Security Management |
UPDATE: Improved Access Policy installation time. |
PRJ-34852, |
Security Management |
UPDATE: Added validation to the Custom Application/Site object to prevent configuring invalid URLs that cause Access policy installation failure. Refer to sk175187. |
PRJ-36848, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect session handling. |
PRJ-37708, |
Security Management |
Install Policy preset fails if the Threat Prevention policy was uninstalled. |
PRJ-36919, |
Security Management |
When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway. |
PRJ-37634, |
Security Management |
After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted. |
PRJ-37863, |
Security Management |
Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy. |
PRJ-37522, |
Security Management |
Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server. |
PRJ-37503, |
Security Management |
In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message. |
PRJ-37198, |
Security Management |
The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054. |
PRJ-35654, |
Security Management |
The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment. |
PRJ-37762, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-35601, |
Security Management |
An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode. |
PRJ-37508, |
Security Management |
Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag. |
PRJ-35604, PRHF-21981 |
Security Management |
In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab. |
PRJ-38063, |
Security Management |
When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully. |
PRJ-38147, |
Security Management |
Cloud Shadow Objects verification may take several minutes. |
PRJ-38119, |
Security Management |
Policy installation may fail with "an internal error" if some objects are pointed to by an old deleted policy. Refer to sk122954. |
PRJ-39470, |
Security Management |
Management HA synchronization may fail with the "NGM failed to import data" error. |
PRJ-37885, |
Security Management |
Editing an object may fail with the "Could not access file for write operation" error. |
PRJ-38399, |
Security Management |
An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue. |
PRJ-35059, |
Security Management |
Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224. |
PRJ-38740, PRHF-23467 |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit and create a core dump. |
PRJ-37987, PRHF-22589 |
SmartConsole |
After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated. |
PRJ-37101, |
Logging |
UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125. |
PRJ-33815, |
Logging |
The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position. |
PRJ-36514, |
Logging |
In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy. |
PRJ-36026, |
Logging |
In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly. |
PRJ-36461, |
Logging |
When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start. |
PRJ-39295, |
Logging |
An error may occur when changing default Time Frame while the SmartView language is not English. |
PRJ-39678, |
Logging |
When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) may display a non-ASCII character ("ן»¿"), and the time may be split into two cells. |
PRJ-39675, |
Logging |
A CSV file exported from SmartView may contain duplicated lines of headers. |
PRJ-36654, |
Security Gateway |
NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled. Refer to sk105740. |
PRJ-38688, |
Security Gateway |
UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE). |
PRJ-39666, PRHF-23392 |
Security Gateway |
It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672. |
PRJ-39684, |
Security Gateway |
An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump. |
PRJ-34622, |
Security Gateway |
When running the "show_configuration" command in CLISH, static routes are shown twice. |
PRJ-33698, |
Security Gateway |
In some scenarios, file download may fail with the "Connection queue exceeded max size" error. |
PRJ-37011, |
Security Gateway |
Multiqueue Clish "show" commands may fail in a Management Data Plane Separation (MDPS) environment. |
PRJ-37608, |
Security Gateway |
When using the DAIP Gateway object in the Access Rulebase, debug error "fwdnd_log_info_lookup failed" may appear in the fwk.elglog, if the relevant rule has log track. Refer to sk178670. |
PRJ-33858, |
Security Gateway |
In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down. |
PRJ-36119, |
Security Gateway |
In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect. |
PRJ-33929, |
Security Gateway |
Cluster failover may trigger the FWK process to exit, with no traffic impact. |
PRJ-31030, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade. |
PRJ-27915, PRJ-40137, |
Security Gateway |