List of All Resolved Issues and New Features in R80.40 Jumbo Hotfix Accumulator

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

UPDATE: IPS bypass triggers is now activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change results in more effective security measures without unnecessary bypasses.

UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832.

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

• changes in the cloud service configuration,

• stability improvement.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427.

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:

• CPAC-2-40F

• CPAC-2-40F-B

• CPAC-2-40F-C

• CPAC-2-100/25F

• CPAC-2-100/25F-B

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

UPDATE: Added Take 31 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

Deleting a Domain that is connected to an AD Group fails.

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

When closing an application from SmartConsole without changes, a redundant revision is created.

In rare scenarios. in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

An audit log may not be created after running Revert to Revision.

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

In SmartConsole, export of policies with the "Hit count" column may get stuck.

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

• When updating Inline Access Layers, Threat Exceptions, and HTTPS Inspection (TLS) rules, the "Policy Name" field in the Audit Log may be incorrect.

• The "Where used" operation fails for users with read-only permissions.

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server.

SmartConsole may unexpectedly close after deleting an object in the Object Explorer view.

In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete.

When viewing Subordinate CA objects in SmartConsole:

• Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

• The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

  • The fix requires installing SmartConsole R80.40 Build 438.

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.

CPU statistics may be incorrect or missing in CPView.

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

The "Low disk space" warning may be incorrectly displayed in SmartConsole.

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds".

Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609.

When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions.

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

In some scenarios, when IPS is enabled, CPU spikes may occur.

In rare scenarios, the WSDNSD process may restart because of an internal error.

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments.

Benign files scanned by the ICAP Server may not be logged by Anti-Virus blade.

In rare scenarios, updating the NTP Server may cause a temporary outage.

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

In rare scenarios, ICA certificate creation and enrollment fail.

The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148.

When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake.

In some scenarios, the Security Gateway fails to export or import IoC feeds.

Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway.

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

System with a large number of CPUs allocated to CoreXL SND may experience performance issues when the deny list feature is enabled.

Exporting Custom Intelligence feeds from the management to all the Security Gateways succeeds but the generated log shows that the operation failed.

The ida_tables_util tool may fail with the "bad adress" error.

Policy installation fails when a custom application and user category have the same name.

Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types.

The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds.

In a rare scenario, the Security Gateway may crash during inspection of file downloads.

The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile.

DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy.

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

A FWK process memory leak may occur when canceling the download of a large file in the middle of the process.

A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531.

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

The Security Gateway may crash with vmcore during boot while upgrading.

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios.

Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic.

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

Traffic may be dropped when there are many OSPF routes of type 5.

Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled.

In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error.

The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857.

VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log.

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface.

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

In some scenarios, the VXLAN Driver Kernel may crash.

A memory leak may occur in the CPD process.

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content.

SNMP query does not bring the CPUSE package information for a single OID (not a table).

When changing bond settings, the bond may be missing the global IPv6 Address.

When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error.

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

In some scenarios, SIP TCP connections are dropped after a cluster failover.

UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3.

UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22.

UPDATE: Applied security related improvements to the Jetty open source library.

UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458.

UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188.

UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

• To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

• To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

• To see the current state of this feature: show audit login-notifier

• To enable this feature (this is the default): set audit login-notifier on

• To disable this feature: set audit login-notifier off

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted.

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out.

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

A scheduled Install Policy Preset may not have its next run time updated when:

• The Multi-Domain Security Management Server was down while the preset was scheduled to run

• There are over 50 presets defined

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

The Security Gateway may crash while inspecting non-HTTP traffic.

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801.

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

Security Gateway may crash when running kernel debugs of the "UP" module.

When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur.

Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705.

Latency in connection caused by a packet flow change from F2V to F2F.

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore.

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

IoC feed may not load because of a parsing issue with the IP address range indicator.

In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled.

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed".

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

In a rare scenario, the Security Gateway may crash during an IPS package update.

A memory leak may occur in the DLPU process.

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

Sending emails with attachments via Capsule Workspace may fail on iOS.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

Traffic may be dropped and the FWACCEL core file is generated.

Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table.

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

After an update, multicast traffic may be dropped.

There may be high CPU utilization and slow recovery of the ROUTED process after a failover.

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

The ROUTED daemon may unexpectedly exit because of multi-threading issues.

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

• Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

• OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

• Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).

• To activate it, GNAT should be enabled. Also, in the fwkern.conf file, run "set fwx_force_random_nat_port_alloc=1",

• To disable, run "set fwx_force_random_nat_port_alloc=0".

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

UPDATE: Added more logs related to Pushing VSX Configuration.

• On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

• On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

• VSX Provisioning tool is now logged in the vpt_history.elg.

.

UPDATE: Improved performance of pushing Data Center Objects changes to Security Gateways.

UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions.

The cpview -s export operations may fail on VS0 when cpview_services are running.

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

In a large environment, High Availability synchronization for the Global Domain may fail with the "Global domain is busy syncing, please check sync status" error.

When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue.

In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error.

In a Multi-Domain environment, the HitCount retention mechanism may prematurely remove the HitCount data.

Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

In some scenarios, the CME process fails to start.

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

CPView may not show some interfaces.

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

The "epoll is enabled" warning is incorrectly displayed during policy installation.

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

Stability issues when ICAP client is active.

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

Policy installation may fail with an "Error 0-2000080" message because of memory allocation issues.

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

In rare scenarios, the FWD process is stuck during policy installation.

The Security Gateway may crash because of an issue in the FILEAPP (File Application) module.

When Anti-Spoofing is enabled, the Security Gateway may crash.

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

In a rare scenario, when QoS is enabled, the Security Gateway may crash.

The "fw monitor" command output may contain "no packets left to merge" messages.

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active.

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

In some scenarios, the CPD process may unexpectedly exit.

The certificate in SmartConsole is shown as valid, although it is expired.

The "ioc_feeds set interval -r" command may fail.

Loading of Custom Intelligence Feeds with authentication may fail.

The DLPU process may unexpectedly exit with a core dump file.

When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue.

External IoC feeds may fail with "General Error". And in the feeder.elg there are many "Failed to load signatures" messages.

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

In a rare scenario, a wrong access role may be assigned to a user.

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

The RAD process may freeze when an error occurs and an error event is initialized.

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash.

In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473.

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

In an Active/Active cluster, a member may reboot because of a memory corruption issue.

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

Multicast traffic may get dropped, and no logs are generated.

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

In a rare scenario, a CPAQ message sent during policy push does not have critical and can be dropped when the Security Gateway is busy.

The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486.

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

Stability issues of the VPND and IKED processes.

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

Remote Access Client may fail to connect when using machine certificate authentication.

In VSX, after adding instances to a Virtual System (VS), their state may be inactive.

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

In VSX, if Dynamic Balancing was manually disabled on R80.40, after an upgrade from R80.40 to R81.20, it automatically gets enabled.

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed.

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails.

AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC).

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

In some scenarios, when using static NAT, VoIP traffic may be affected.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

The CPVIEWD process may cause CPU spikes.

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled.

A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours.

An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain".

SmartConsole may unexpectedly disconnect.

After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors.

Global Policy reassignment fails with "An internal error has occurred". The issue occurs when a Global rule, Rule Base, or section was created, moved, and then deleted without running a reassignment in between.

"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain.

Packet mode search in HTTPS Inspection policy may not work.

In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message.

SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Management Server to the Security Management Server.

NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566.

Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses.

It may not be possible to filter the "Subscriber" field in SmartLog.

Export to CSV in SmartView may be stuck in the "running" status.

Logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server.

The LOG_INDEXER process on the SmartEvent Server may unexpectedly exit, generating a core dump file, if the Log Server used by the correlation unit is deleted.

When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name.

The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records.

UPDATE:

• Added a new global parameter "fw_conn_double_error_allow_print " to enable/disable printing double connection error message to the log. When disabled, the Security Gateway will still drop a new connection if it is already recorded in the connection table, but there will be no error logs.

• Added a new global parameter "fw_conn_double_error_count" to count how many times the error occurred.

UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL.

After an upgrade, Access Control policy installation may fail with an "Update process is already running" message.

There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling".

The Security Gateway may crash because of memory corruption, and the following error appears in the /var/log/message file: "[xxxx] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>".

In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway.

Topology auto update may fail because of a too long interface name.

After an upgrade, Anti-Virus Blade may cause increased memory consumption.

In a rare scenario, the Security Gateway may have a memory allocation issue.

The Custom Intelligence Feeds feature may stop enforcing traffic after Threat Prevention policy installation.

A kernel memory leak may occur during deep file inspection.

Adding hash indicators may cause policy installation to fail with a warning message.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query.

The CPU utilization of the PDP daemon may be high during a specific authentication flow.

When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason.

After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail.

Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244.

The cphaprob show_bond command does not show newly added subordinates from Virtual Systems (VSs).

In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory.

After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops".

SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios.

UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on.

Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage.

Improved Site-to-Site VPN stability.

The VPND process may unexpectedly exit.

SecureXL may not let HTTPS traffic pass through a Virtual Router (VR).

Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command.

Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481.

A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation.

UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653.

In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function.

The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS).

UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region.

Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS).

Import of OpenStack Data Center CloudGuard Network objects may fail.

Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056.

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651.

UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down.

If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status.

Migration of the Security Management Server to the Multi-Domain Management Server may fail.

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

Some unused sessions may remain open in the system, consuming memory and CPU.

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

UPDATE: Amended the override_server_setting.sh script to support changes in the values of

RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

The FWD process may unexpectedly exit and create core dump files.

In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713.

UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215.

When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency.

There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server.

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886.

The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP).

The RAD daemon may fail and create core dump files on VSX Gateways.

UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output.

The Nested Groups Depth value changed in CLI may not survive a reboot.

Memory consumption may increase after policy installation when Secure ID is configured.

When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly.

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

When installing a specific hotfix, the CVPND process may unexpectedly exit.

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446.

UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960.

In a rare scenario, ipsctl kernel module does not load at startup.

The ROUTED process may unexpectedly exit when querying BGP data.

UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271.

There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled Multi-Queue.

The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart.

In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121.

A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586.

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown.

UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10.

A user locked by the deny-on-nonuse mechanism cannot get unlocked.

UPDATE: Improved Access Policy installation time.

In rare scenarios, the Management Server may fail to start due to incorrect session handling.

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy.

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

Cloud Shadow Objects verification may take several minutes.

Management HA synchronization may fail with the "NGM failed to import data" error.

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125.

In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy.

When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) may display a non-ASCII character ("ן»¿"), and the time may be split into two cells.

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled.

Refer to sk105740.

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

When running the "show_configuration" command in CLISH, static routes are shown twice.

Multiqueue Clish "show" commands may fail in a Management Data Plane Separation (MDPS) environment.

In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down.

Cluster failover may trigger the FWK process to exit, with no traffic impact.

When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings" and Precise Error "Connection queue exceeded max size". Refer to sk169995.

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

In a VSX environment, SNMP queries to OSPF OIDs may fail.

IPS entries of AMW_report.xml may be missing for a Security Gateway onboarded to Infinity SOC.

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout.

In very rare scenarios, a traffic outage may occur.

Improved detection in some IPS protections.

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

UPDATE: Added support for the "Same VMAC" feature.

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby.

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state.

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

An Active member in a cluster may make a full reboot during policy installation.

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

An outage may occur when using IKEv2.

Machine Authentication stability improvements for Remote Access Endpoint Clients.

UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation.

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

A member may fail to pull configuration from the SMO on startup.

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt.

Running the "brctl_show" command in a non-VS0 context may give VS0 results.

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

The CONFD process may unexpectedly exit and generate a core dump file.

UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time.