List of All Resolved Issues and New Features

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

NEW: We have extended the grace period of Application Control and URL Filtering blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of SmartEvent blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).

• To activate it, GNAT should be enabled. Also, in the fwkern.conf file, run "set fwx_force_random_nat_port_alloc=1",

• To disable, run "set fwx_force_random_nat_port_alloc=0".

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

UPDATE: Added more logs related to Pushing VSX Configuration.

• On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

• On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

• VSX Provisioning tool is now logged in the vpt_history.elg.

.

UPDATE: Improved performance of pushing Data Center Objects changes to Security Gateways.

UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions.

The cpview -s export operations may fail on VS0 when cpview_services are running.

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

In a large environment, High Availability synchronization for the Global Domain may fail with the "Global domain is busy syncing, please check sync status" error.

When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue.

In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error.

In a Multi-Domain environment, the HitCount retention mechanism may prematurely remove the HitCount data.

Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

In some scenarios, the CME process fails to start.

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

CPView may not show some interfaces.

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

The "epoll is enabled" warning is incorrectly displayed during policy installation.

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

Stability issues when ICAP client is active.

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

The Security Gateway may frequently crash with vmcore files, recording invalid context.

The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages.

After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash.

In rare scenarios, the FWK process can unexpectedly exit and cause an outage.

Stability issues when ICAP client is active.

After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS).

In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL.

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

When managing cloud Gateways, the FWM process memory usage may increase.

Anti-Virus blade fails to parse external IOC feeds that contain commas in the CSV column field value.

File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml.

Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file.

In a rare scenario, the mal_conns table may consume a large amount of memory.

During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659.

The PDPD process may cause CPU spikes during cluster failover.

In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification.

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

The Security Gateway may crash during policy installation because of a memory allocation problem.

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

The WSTLSD process may unexpectedly exit and create core dump files.

Access to a web application that uses WebSocket protocol may not be possible.

Web applications may not work correctly when Mobile Access blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored.

The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364.

IPv6 template is not created when the connection is NATed.

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

A memory leak may occur in the VPND process.

In some scenarios, when NAT is configured, VoIP traffic is dropped.

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

In large environments, the "vsx_util reconfigure" procedure and booting may take a long time .

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

When setting password hash on cloning group members, some members may not get updated.

When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail.

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups.

The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198.

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

VPN Cluster stability issue when the peer is an Azure Security Gateway.

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

The CPVIEWD process may cause CPU spikes.

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

An Application Control and URL Filtering update may still occur even if the latest version is already installed.

After an Application Control update, policy installation may fail.

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command.

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

Access Policy installation may fail with the "Internal error occurred during the verification process" error.

When running the "show access-rule" Management API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells.

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate.

UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message.

In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format.

Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog.

Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), they may stop coming to the Log Server after several initial logs.

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

In rare scenarios, the LOG_INDEXER process may unexpectedly exit, and there is no access to the logs. Refer to sk172915.

It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only.

Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully.

UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.

A kernel crash may occur during system shutdown when PIM is enabled.

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash.

It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE"

The Security Gateway may run out of memory when retrieving topology.

After an upgrade, VSX cluster may have frequent failovers.

When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated.

Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577.

Threat Prevention policy installation may fail with a "Connection aborted by Peer" message.

In a rare scenario, the mal_conns table may consume a large amount of memory.

The PDPD daemon may frequently exit during the user authentication flow.

Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot.

The Anti-Virus blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked.

Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag".

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers.

In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage.

There may be high CPU or/and latency in CIFS/SMB connections.

The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP.

The ROUTED process may unexpectedly exit when the route does not have the next hop.

UPDATE: Added a new command "use_crl_for_revocation_method" which allows setting revocation method back to CRL when OCSP Server is unreachable. Refer to sk179434.

When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources.

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode.

In some scenarios, the vsx_provisioning_tool fails to delete an interface and claims that it has already been freed..

When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway.

Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output.

Pushing a VSX configuration to a virtual device may fail.

When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted.

Information about scheduled backup failure is now displayed in Clish, WebUI and in the error message inside the log file.

UPDATE: Client Uninstall Remote Help is now Device-based. User Logon name is not needed anymore.

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways.

Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056.

Added Take 19 of Public Cloud CA Bundle. Refer to sk172188.

UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down.

If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status.

Migration of the Security Management Server to the Multi-Domain Management Server may fail.

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

Some unused sessions may remain open in the system, consuming memory and CPU.

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

UPDATE: Amended the override_server_setting.sh script to support changes in the values of

RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

The FWD process may unexpectedly exit and create core dump files.

In SmartConsole, when Endpoint Policy Management blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713.

UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215.

When Anti-Virus blade is enabled, there may be a continuous high memory consumption which can lead to latency.

There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server.

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886.

The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP).

The RAD daemon may fail and create core dump files on VSX Gateways.

UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output.

The Nested Groups Depth value changed in CLI may not survive a reboot.

Memory consumption may increase after policy installation when Secure ID is configured.

When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly.

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

When installing a specific hotfix, the CVPND process may unexpectedly exit.

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446.

UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960.

In a rare scenario, ipsctl kernel module does not load at startup.

The ROUTED process may unexpectedly exit when querying BGP data.

UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271.

There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled Multi-Queue.

The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart.

In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121.

A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586.

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown.

UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10.

A user locked by the deny-on-nonuse mechanism cannot get unlocked.

UPDATE: Improved Access Policy installation time.

In rare scenarios, the Management Server may fail to start due to incorrect session handling.

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy.

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

Cloud Shadow Objects verification may take several minutes.

Management HA synchronization may fail with the "NGM failed to import data" error.

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125.

In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy.

When running the "cp_log_export filter-blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) may display a non-ASCII character ("ן»¿"), and the time may be split into two cells.

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled.

Refer to sk105740.

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

When running the "show_configuration" command in CLISH, static routes are shown twice.

Multiqueue Clish "show" commands may fail in a Management Data Plane Separation (MDPS) environment.

In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down.

Cluster failover may trigger the FWK process to exit, with no traffic impact.

When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings" and Precise Error "Connection queue exceeded max size". Refer to sk169995.

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

In a VSX environment, SNMP queries to OSPF OIDs may fail.

IPS entries of AMW_report.xml may be missing for a Security Gateway onboarded to Infinity SOC.

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout.

In very rare scenarios, a traffic outage may occur.

Improved detection in some IPS protections.

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

UPDATE: Added support for the "Same VMAC" feature.

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby.

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state.

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

An Active member in a cluster may make a full reboot during policy installation.

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

An outage may occur when using IKEv2.

Machine Authentication stability improvements for Remote Access Endpoint Clients.

UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation.

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

A member may fail to pull configuration from the SMO on startup.

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt.

Running the "brctl_show" command in a non-VS0 context may give VS0 results.

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

The CONFD process may unexpectedly exit and generate a core dump file.

UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time.

After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources.

Policy install or publish may fail because of the CPM process operations overload.

The "Object is inaccessible/deleted on Data Center" warning may be shown for Tag objects in SmartConsole.

After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". Refer to sk179747.

NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool.

Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249.

When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265.

Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129.

When cloning an IPS profile, the advanced settings of cloud protection are not copied to the new profile.

In a rare scenario, the FWM process unexpectedly exits.

UPDATE: SmartView reports will now show the new Check Point logo.

In rare scenarios, when QoS blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783.

There may be an incorrect error message related to MakeConnection method.

In some scenarios, logs related to Content Awareness are missing.

Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file.

In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.

Logs may be missing from Smart Console after upgrading the Log Server if a VS object is configured without an IP.

UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory. The change is only cosmetic.

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. If a shadow rule exists, the new shadow rule will override the existing shadow rule.

In a rare scenario, DNS connection may be dropped with "up_manager_cmi_handler_match_cb: connection not found".

In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with an error.

Policy installation may fail when reaching out of memory on the Security Gateway.

The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228.

Bond slaves may be visible in the wrong plane.

The PDP process may unexpectedly exit with a core dump file.

The PEP process may unexpectedly exit.

In a rare scenario, when URL Filtering blade is active, in Website categorization background mode, the FWK process crashes and creates a core dump.

In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail.

When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.

In a rare scenario, some options in a web application may be missing in Mobile Access Portal.

A cluster failover may take longer than it should.

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

In some scenarios, related to sending multicast packets, the ICMP errors may be shown.

IKEv2 Improvements for DAIP Gateway behind Hide NAT.

Remote Access users are unable to connect when authenticating using a certificate issued by a subordinate CA.

A memory leak may occur in the VPND process when using remote Access Back Connection.

In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure.

In some scenarios, the RIM script is not activated in DPD Tunnel monitoring.

A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured.

After initiating a tunnel between a regular Gateway and a DAIP Gateway, running the "vpn tu tlist'" command on the peer, may show the peer IP instead of the DAIP IP.

During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high.

In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.

The "vsx_util reconfigure" command may fail without printing the cause of the error.

VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.

In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously.

In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch.

NEW: Gaia API (version 1.6 with python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.

In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file.

In some scenarios, logs related to Harmony Endpoint may be missing.

Added Take 18 of Public Cloud CA Bundle. Refer to sk172188.

Added update 4 of Quantum Smart-1 Cloud. Refer to sk166056.

When there are virtual systems with the same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects.

In some scenarios, mapping of AWS Data Centers may take a long time to complete.

Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE:

• Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".
• It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

In rare scenarios, a "Create Domain", "Delete Domain" or "Delete Domain Server" task can be stuck at 5% with the "Task in queue" status.

Deleting a network group may fail because it is being used, although "Where Used" shows no usage.

In rare scenarios, adding a service to a rule in Access Policy:

• may take a long time (more than several seconds)
• may cause SmartConsole to unexpectedly exit

Refer to sk176004.

In rare scenarios, the Management Server may fail to start.

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

Policy installation on Gateways R81 and below may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725.

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/.

• Install Policy Preset may invoke policy installation on Gateways different from those that are defined.
• Policy installation on multiple Gateways on MDS level may trigger installation on one Gateway only.

Refer to sk178590.

UPDATE: Added CPInfo Build 914000227. Refer to sk92739.

SmartEvent may not show some of the Anti-Virus logs.

The "Last Update Time" field of a Session Log may show incorrect values.

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403.

Access Policy installation may fail with "Error code 1-2000078".

Security Gateway may unexpectedly reboot and create a vmcore file.

The dlpu process may unexpectedly exit, producing a core dump file.

Access Policy installation may fail with "Error code 1-2000078".

In a rare scenario, the FWD process may unexpectedly exit.

Matched rules on Inline layermay appear as the "Accept'"/ "Drop" action instead of "Inline".

In some scenarios, memory consumption and CPU usage may increase consistently due to large amount of content in CPView tool. Refer to sk176370.

The log_exporter process may consume high CPU.

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space.

In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests.

In some scenarios, websites encrypted with SSL are not matched correctly when categorization mode is on Holdand IDA is enabled. Refer to sk176283.

In a rare scenario, the DLP process may not delete temporary files used for scanning.

In rare scenarios, the WSTLSD daemon may unexpectedly restart.

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

Policy installation may fail due to table creation issues.

A redundant message "ACC: Accelerator started. " is printed in dmesg logs.

Handling BGP routes with very long AS paths may cause connectivity issues and the ROUTED daemon may exit with a core dump file.

The routed daemon may unexpectedly exit with core dump when some interfaces lose connection with the PIM router.

The VPND process may unexpectedly exit with a core dump file.

Added VPN improvements for IKEv2 SA re-key.

Improved IKEv2 for working with DAIPs.

When applying Secure Configuration Verification (SCV) VPN client is not able to distinguish between Windows 10 and Windows 11.

In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit.

UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode.

After deleting a warp interface in SmartConsole, the active VSX cluster member may crash.

The "cpopenssl" command may fail with "No such file or directory".

NEW:

• Rule base search in SmartConsole now also matches rules with Data Center Objects.

• In SmartConsole, it is now possible to see IP addresses of all the objects included in:

  • AWS VPC and Availability Zone
  • Azure Virtual Network
  • GCP Network

• In SmartConsole, improved searching objects using tags.

When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway.

Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436.

UPDATE: Upgraded OpenSSL to fix CVE-2022-0778. Refer to sk178411.

• On 2200 appliances, the CPD process may unexpectedly exit because of sensor read failure.

• Sensor table values for 3600, 3600T, 3800, 6200B, 6200P, 6200T, 6400, 6600, 6700, 6900, 7000, 600-S are incorrect.

In some scenarios, in an environment that includes the SmartEvent Server, the LOG_INDEXER process restarts at midnight, producing a core dump file. Refer to sk177805.

In some scenarios, CPView shows the SNMP data partially.

In rare scenarios, an upgrade or migration may fail due to missing temporary files.

UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB.

UPDATE: Added an environmental variable to control the sduu command timeout in the FWM process: SDUU_UPDATE_TIMEOUT.

UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165.

The mgmt_cli tool (API) with certificate login may not work.

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270.

Management Server upgrade may fail if there is a large amount of customized column profiles in the Logs View.

In some scenarios, if changes were done before installing Jumbo Hotfix, revert or login to the last published session may fail.

In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007.

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

When searching IP addresses using logical operators (AND / OR), the results may be incorrect:

• in SmartConsole in the Object Explorer view
• with the Management API command "show objects" and the "filter" field

Some matched objects may be missing, while some unmatched objects may be present.

Scheduled IPS updates data may not be shown in the IPS update report.

In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866.

In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it.

The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level.

In rare scenarios:

• Login to the Management Server may timeout and fail
• Publish operation may take a long time.

In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain.

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale.

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database.

Policy installation with Directional VPN rules may fail with a verification error.

• The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
• On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the configuration tab.

The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204.

During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface.

In a rare scenario, the licensing status in SmartConsole is displayed incorrectly.

The Compliance report in SmartConsole may show an incorrect policy name.

In Overview, some data about disk space may be missing.

UPDATE: The default timeframe for logs queries using the SmartConsole's Logs tab is set to "Last 24 Hours".

• Requires R80.40 SmartConsole Build 425 (or higher)

The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces.

In SmartConsole:

• In Gateways and Servers view, IP statuses may not be accurate
• In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

In some scenarios, emails of DLP blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430.

The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access blade is enabled on the Gateway.

On the Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message and the FWM process is running with a high CPU. Refer to sk167239.

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323.

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

Daily Log/Indexes Maintenance does not delete old index files from $RTDIR/log_indexes if they contain files or subdirectories with a format different than %Y-%m-%d.

• The "fw log" and "fwm logexport" commands may fail with "Error: Failed to read field".
• The exported log file may not contain all logs

Refer to sk176644.

NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.