R80.40 Jumbo Hotfix Take 114

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 114

Released on 25 April 2021

PRJ-29847,
PRHF-18734

Diagnostics

In some scenarios, CPView shows the SNMP data partially.

PRJ-32481

Diagnostics

In some scenarios on VSX, a "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file.

PRJ-31056,
PMTR-64687

Upgrade Tools

In rare scenarios, an upgrade or migration may fail due to missing temporary files.

PRJ-29295,
PMTR-72367

Security Management

NEW: Added Multi-Domain Server (MDS) level support for exporting data from the Gateways and Servers view into a CSV file.

PRJ-24930,
PRHF-16947

Security Management

UPDATE: Added a warning message in SmartConsole that alerts if memory utilization of the FWM process exceeded 3.5GB during policy installation.

PRJ-29236,
TPM-2843

Security Management

UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that makes it possible to omit capture-packets and track information from the response.

PRJ-31073,
PRHF-19320

Security Management

UPDATE: Added an environmental variable to control the sduu command timeout in the FWM process: SDUU_UPDATE_TIMEOUT.

PRJ-30049

Security Management

UPDATE: In order to prevent SHA-1 vulnerabilities, Management Server no longer supports SHA-1 cipher suites in SSL communication.

PRJ-32891,
PRHF-20657

Security Management

UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165.

PRJ-34960

Security Management,
Harmony Endpoint

UPDATE: The Apache Log4j Java library is updated in order to harden the system. Check Point products are not vulnerable to Log4j. This change is motivated by cyber hygiene best practices. For more information, refer to sk176865.

PRJ-32801,
PRHF-20435

Security Management

The mgmt_cli tool (API) with certificate login may not work.

PRJ-25279,
PRHF-17037

Security Management

In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005.

PRJ-21876,
PRHF-15460

Security Management

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

PRJ-22422,
PRHF-15598

Security Management

Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and a different Domain name is used for the second attempt.

PRJ-23123,
PRHF-15939

Security Management

Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270.

PRJ-25196,
PMTR-68090

Security Management

The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used.

PRJ-23851,
PMTR-66674

Security Management

Management Server upgrade may fail if there is a large number of customized column profiles in the Logs View.

PRJ-21787,
PRHF-15257

Security Management

In some scenarios, the output of the "cpmistat" command may contain partial information.

PRJ-23953,
PRHF-16396

Security Management

In some scenarios, if changes were done before installing Jumbo Hotfix, revert or login to the last published session may fail.

PRJ-29304,
PMTR-72376

Security Management

In environments with a large number of objects, licenses for cluster members in the Licenses tab may not be displayed.

PRJ-30053,
PRHF-18928

Security Management

In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007.

PRJ-29967,
PRHF-19308

Security Management

In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X.

PRJ-29897,
PRHF-18828

Security Management

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

PRJ-30018,
PMTR-72786

Security Management

In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error.

PRJ-28900,
PRHF-18508

Security Management

When searching IP addresses using logical operators (AND / OR), the results may be incorrect:

  • in SmartConsole in the Object Explorer view
  • with the Management API command "show objects" and the "filter" field

Some matched objects may be missing, while some unmatched objects may be present.

PRJ-29187,
PRHF-18470

Security Management

In a rare scenario, High Availability full synchronization may fail due to a large number of records.

PRJ-29157,
PRHF-18883

Security Management

Scheduled IPS updates data may not be shown in the IPS update report.

PRJ-30883,
PMTR-62059

Security Management

In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file.

PRJ-29468,
PRHF-19006

Security Management

In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866.

PRJ-29198,
PRHF-18782

Security Management

After an upgrade from R77.x in a Multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message.

PRJ-28298,
PRHF-18362

Security Management

In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.

PRJ-28535,
PRHF-18063

Security Management

In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error.

PRJ-28156,
PRHF-17926

Security Management

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

PRJ-28784,
PRHF-18557

Security Management

In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes.

PRJ-30099,
PRHF-19248

Security Management

In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it.

PRJ-30386,
PRHF-16024

Security Management

In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930.

PRJ-27763,
PRHF-17484

Security Management

The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level.

PRJ-26780,
PRHF-17767

Security Management

In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245.

PRJ-28063,
PRJ-28062

Security Management

In rare scenarios:

  • Login to the Management Server may time out and fail.
  • Publish operation may take a long time.

PRJ-27485,
PRHF-18079

Security Management

Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object.
Refer to sk174183.

PRJ-28815,
PRHF-18712

Security Management

In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

PRJ-26735,
PRHF-17606

Security Management

In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message.

PRJ-29909,
PRHF-18974

Security Management

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

PRJ-20591,
PRHF-14327

Security Management

In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail.

PRJ-31741,
PMTR-73756

Security Management

In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain.

PRJ-31081,
PRHF-19251

Security Management

In rare scenarios, the FWM process on the Security Management Server unexpectedly exits.

PRJ-30336,
PRHF-18150

Security Management

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

PRJ-22265,
PRHF-15674

Security Management

In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale.

PRJ-32091,
PRHF-20162

Security Management

When searching an IP address in Object Explorer, network objects with both IPv6 and IPv4 configured may not appear in the results, although they match the IP address.

PRJ-28168,
PRHF-18380

Security Management

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

PRJ-32108,
PMTR-63070

Security Management

Policy installation may fail if more than 20,000 objects are created and added to rules.

PRJ-32649,
PMTR-74947

Security Management

In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database.

PRJ-31671,
PRHF-19891

Security Management

In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time.

PRJ-30680,
PRHF-19185

Security Management

Policy installation with Directional VPN rules may fail with a verification error.

PRJ-32994,
PRHF-20101

Security Management

Upgrade of Management Server from R80.10 to R80.40 may take a long time for large environments.

PRJ-30067,
PRHF-19326

Security Management

  • The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
  • On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

PRJ-29508,
PRHF-18890

Security Management

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805.

PRJ-33463,
PMTR-71195

Security Management

While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the configuration tab.

PRJ-34079,
PMTR-74982

Security Management

In some scenarios, after running an Ansible playbook, objects are locked even though they were not changed.

PRJ-34504,
PRHF-21481

Security Management

The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204.

PRJ-33552,
PRHF-20961

Security Management

When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead.

PRJ-30350,
PRHF-19421

Multi-Domain Management

During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface.

PRJ-21830,
PRHF-15448

Multi-Domain Management

In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file.

PRJ-27345,
PMTR-64049

Licensing

In a rare scenario, the licensing status in SmartConsole is displayed incorrectly.

PRJ-29310,
PRHF-18767

SmartConsole

The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911.

PRJ-30520,
PMTR-73092

Compliance

The Compliance report in SmartConsole may show an incorrect policy name.

PRJ-22892,
PMTR-61926

CPView

In some scenarios, SNMP statistics per VS may not be displayed in CPView.

PRJ-32978,
PMTR-74061

CPView

In Overview, some data about disk space may be missing.

PRJ-26307,
PRHF-17314

Logging

In rare cases, in SmartConsole, some logs are not shown.

PRJ-30689,
PMTR-69181

Logging

UPDATE: The default timeframe for logs queries using the SmartConsole's Logs tab is set to "Last 24 Hours".

  • Requires R80.40 SmartConsole Build 425 (or higher)

PRJ-32085,
PMTR-74297

Logging

A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic.

PRJ-13743,
PRHF-11391

Logging

The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces.

PRJ-22345,
PRHF-15696

Logging

In SmartView, the "Duration" field is missing from Reports and Views.

PRJ-17260,
PRHF-12617

Logging

In SmartConsole:

  • In Gateways and Servers view, IP statuses may not be accurate
  • In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

PRJ-16985,
PRHF-12847

Logging

In a rare scenario, Application Control events may not be displayed in SmartEvent.

PRJ-16282,
PRHF-11939

Logging

In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430.

PRJ-29029,
PRHF-17596

Logging

In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report.

PRJ-25832,
PMTR-68506

Logging

The LOG_INDEXER process on the SmartEvent Server may consume high CPU when the Mobile Access Blade is enabled on the Gateway.

PRJ-25622,
PMTR-68809

Logging

In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a core dump file, although limited resolving is enabled (according to sk164452).

PRJ-25440,
PRHF-17184

Logging

On the Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message while the FWM process runs with high CPU. Refer to sk167239.

PRJ-24523,
PMTR-67575

Logging

At a low log rate, there may be a delay in exporting logs using the Log Exporter.

PRJ-27616,
PRHF-18157

Logging

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

PRJ-28340,
PMTR-69859

Logging

In some scenarios, Log Exporter configured to export in TLS cannot authenticate a certificate from an external certificate authority.

PRJ-26030,
PRHF-17325

Logging

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically; this can be done only by a manual update. Refer to sk173323.

PRJ-28323,
PRHF-17811

Logging

In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing.

PRJ-26681,
PRHF-17724

Logging

Logs that are sent by Log Exporter in CEF format cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

PRJ-19838,
PRHF-14286

Logging

On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume high CPU on the Gateway. Refer to sk170928.

PRJ-23313,
PRHF-16137

Logging

Daily Log/Indexes Maintenance does not delete old index files from $RTDIR/log_indexes if they contain files or subdirectories with a format different than %Y-%m-%d.

PRJ-32028,
PRHF-19715

Logging

In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log.

PRJ-30663,
PRHF-19620

Logging

  • The "fw log" and "fwm logexport" commands may fail with "Error: Failed to read field".
  • The exported log file may not contain all logs

Refer to sk176644.

PRJ-25653,
PRHF-17000

Logging

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

PRJ-29575,
PRHF-15052

Security Gateway

NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.

PRJ-31489,
PRHF-19710

Security Gateway

NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

PRJ-30981,
PMTR-73404

Security Gateway

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.

PRJ-32072,
STRM-737

Security Gateway

UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6.

PRJ-30588

Security Gateway

UPDATE: For CPU Spike Detective:

  • Added Clish support
  • Enhanced diagnostics in CPView
  • Enhanced profiling with heavy connections and top connections.

PRJ-31275,
PMTR-73504

Security Gateway

UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229.

PRJ-34449,
PRHF-21182

Security Gateway

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

PRJ-25307

Security Gateway

UPDATE: Added the "Configure Hyper-Threading" option to the cpconfig command.

PRJ-29093,
PRHF-18786

Security Gateway

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

PRJ-29587,
PRHF-19049

Security Gateway

In a rare scenario, Security Gateway may crash.

PRJ-31217,
PRHF-19896

Security Gateway

When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887.

PRJ-29129,
PRHF-18716

Security Gateway

In rare scenarios, policy installation may fail with an "Operation failed, install/uninstall has been improperly terminated" message.

PRJ-29419,
PMTR-71855

Security Gateway

In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673.

PRJ-30011,
PRHF-18938

Security Gateway

In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up.

PRJ-29504,
PRHF-18863

Security Gateway

In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.

PRJ-20627,
PRHF-14374

Security Gateway

Running the "threshold_config" command may cause the CPD process to consume high CPU.

PRJ-27650,
PMTR-70634

Security Gateway

Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.

PRJ-32574,
PMTR-74852

Security Gateway

When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted.

PRJ-26583,
PMTR-68272

Security Gateway

In a rare scenario, CPView may show incorrect SecureXL statistics per VS.

PRJ-30684

Security Gateway

In some scenarios, when using Suspicious Activity Monitoring (SAM) rules with source and destination networks or with a NATed IP, "matched rule is not found" errors appear.

PRJ-31967,
PMTR-74144

Security Gateway

In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.

PRJ-30179,
PRHF-19438

Security Gateway

In a rare scenario, policy push to multiple Security Gateways may fail.

PRJ-30613,
PRHF-19614

Security Gateway

In rare scenarios, when SACK is enabled, there may be connectivity issues.

PRJ-26964,
PMTR-70393

Security Gateway

Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS).

PRJ-22014,
PMTR-16149

Security Gateway

When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may hang.

PRJ-30250,
PMTR-70219

Security Gateway

Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log.

PRJ-30669,
PRHF-19179

Security Gateway

In rare scenarios, when a Security Gateway is configured as Proxy, incorrect NAT port reuse may occur for proxied connections that are 5 minutes long.

PRJ-30041,
ODU-104

Security Gateway

If wstunnel loses connectivity, after several attempts it may unexpectedly exit and not restart. Refer to sk166056.

PRJ-25149,
PRHF-14366

Security Gateway

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

PRJ-32336,
PMTR-72682

Security Gateway

Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message.

PRJ-29697,
PRHF-19097

Security Gateway

In a rare scenario, a memory leak may occur with "cpas_streamh_init_from_cookie failed" printed in /var/log/messages.

PRJ-33359,
PMTR-72975

Security Gateway

First policy installation after an upgrade may be followed by a warning message: "Updatable Objects are used in the policy but Gateway package is missing (see sk121877)".

PRJ-33081,
PRHF-20436

Security Gateway

Extended logging may show a wrong status of Content Awareness Blade. The issue is only cosmetic.

PRJ-33512,
PMTR-75878

Security Gateway

CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic.

PRJ-27609,
PRHF-18068

Security Gateway

A debug message may be printed as an error.

PRJ-17572,
PMTR-57716

Security Gateway

The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424.

PRJ-32051,
PMTR-72836

Security Gateway

In a rare scenario, the Security Gateway may crash during policy installation.

PRJ-31016,
PRHF-19772

Internal CA

In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start.

PRJ-24986,
PMTR-61787

Threat Prevention

UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300.

PRJ-28679,
AVIR-1444

Threat Prevention

UPDATE: Added an option to remove proxy usage in ioc_feeds tool.

PRJ-24253,
PMTR-66115

Threat Prevention

UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types.

PRJ-22397,
PRHF-15404

Threat Prevention

The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS Blade is disabled. Refer to sk172903.

PRJ-29925,
PRHF-19208

Threat Prevention

Threat Prevention policy installation may fail when loading 2 IoC feeds that contain the same signature name for one of the observables.

PRJ-28937,
PRJ-28974

Threat Prevention

Improved telemetry for Infinity Vision SOC.

PRJ-29035,
PRHF-18623

Threat Prevention

In some scenarios, loading Custom Intelligence Feeds that include an IP address with a subnet mask of 32 bits (x.x.x.x/32) may fail.

PRJ-27750,
PMTR-73052

Threat Prevention

When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages.

PRJ-28763,
PMTR-71415

Threat Prevention

In some scenarios, when using OpenSSH 8.2 Server, file download fails after starting the transfer.

PRJ-28136,
PRJ-27437

Threat Extraction

In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg.

PRJ-29489,
IDA-4049

Identity Awareness

UPDATE:

  • Increased the default timeout values of entries: connected_pdp_refresh_interval is now set to 240 seconds and connected_pdp_grace_period is now set to 360 seconds.
  • Added the "Identity information / Network information will be deleted" alert to SmartConsole.

PRJ-30497,
IDA-4120

Identity Awareness

UPDATE: Enhanced Identity Sharing SmartPull mechanism for large scale environments.

PRJ-29613,
PRHF-18943

Identity Awareness

In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables.

PRJ-29399,
IDA-4087

Identity Awareness

Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull.

PRJ-27941,
IDA-4112

Identity Awareness

In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105.

PRJ-30991,
PMTR-66375

Identity Awareness

In a rare scenario, the priorities defined in User Directory (Gateway level) override the default Domain Controller (DC) priorities defined in the LDAP Account unit. Servers with priority above 1000 are not ignored, although they should be.

PRJ-32120,
MPTT-5094

Identity Awareness

An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher.

PRJ-32871,
PMTR-75155

Identity Awareness

When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause one of the members to go down with a configuration pnote.

PRJ-29768,
PRHF-18914

URL Filtering

In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped.

PRJ-29940,
PRHF-18992

IPS

In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.

PRJ-28738,
PRHF-17049

IPS

In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588.

PRJ-28244,
PRHF-18338

IPS

In some scenarios, HTTP Parser in the CPView statistics may show incorrect values for connections with more than 50 sessions.

PRJ-23347,
PRHF-15859

IPS

The track logging configuration of Network Quota protection is not applied.

PRJ-30425,
PRHF-17395

DLP

The dlpu process may unexpectedly exit with a core dump file.

PRJ-29191,
TPP-1157

Anti-Bot

UPDATE: Improved performance of Anti-Bot URL Reputation.

PRJ-31172,
PMTR-72409

SSL Inspection

A memory leak, related to TLS probing, may occur in the WSTLSD process.

PRJ-31166,
PMTR-72136

SSL Inspection

In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur.

PRJ-29475,
PMTR-72234

SSL Inspection

In some scenarios, a memory leak may occur when creating ECDHE keys.

PRJ-30459,
PRHF-19516

SSL Inspection

In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.

PRHF-20458

SSL Inspection

In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file.

PRJ-33406,
PMTR-72934

SSL Inspection

In rare scenarios, TLS probing connections may remain open for extended periods.

PRJ-32883,
PMTR-75079

SSL Inspection

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

PRJ-31182,
PMTR-73946

Mobile Access

UPDATE: Upgraded jQuery library version (from 1.1 to 3.6).

PRJ-27296,
VPNRA-761

Mobile Access

In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit.

PRJ-29275,
PRJ-29268,
PRJ-29261,
PRHF-3784,
PRHF-3700,
PRHF-3742

Mobile Access

In some scenarios, a memory leak may occur in the CVPND process.

PRJ-28257,
PRHF-16057

Mobile Access

In a rare scenario, the VPND process may unexpectedly exit, causing user disconnections from the Check Point Mobile client.

PRJ-30381,
PRHF-19273

ClusterXL

In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize.

PRJ-32470,
PMTR-74101

ClusterXL

Added Syslog support for Cluster events messages.

PRJ-30818,
PRHF-19417

SecureXL

In a rare scenario, after an upgrade, HTTPS traffic may be dropped.

PRJ-26952,
PMTR-70242

SecureXL

TCP packets may be dropped as "TCP out of state" even when sk11088 is followed.

PRJ-32939,
PMTR-75157

SecureXL

In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.

PRJ-24056,
PRHF-10260

Routing

In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts.

PRJ-31126,
PMTR-73496

Routing

In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the end of the Graceful Restart.

PRJ-29319,
ROUT-1721

Routing

AS path loops may occur, although BGP multihop is configured.

PRJ-28957,
PRHF-17739

Routing

When OSPF is configured, the ROUTED process may unexpectedly exit with the "IsMaxAgeLSAEntry()" assert.

PRJ-31486,
PRHF-19472

Routing

In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603.

PRJ-29496,
ROUT-1745

Routing

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

PRJ-33355,
PMTR-75438

Routing

  • Security Gateway may crash when OSPF inserts or removes an LSA from its database.
  • Neighbor dead timers may have negative values.

PRJ-32595,
PMTR-72056

VPN

In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue.

PRJ-32518,
PMTR-74732

VPN

Improved establishing IKEv2 tunnel with DAIP peer.

PRJ-31472,
PMTR-68362

VPN

UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic.

PRJ-29296,
PMTR-72019

VPN

Added VPN IKEv2 improvements.

PRJ-29532,
PRHF-18564

VPN

RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode.

PRJ-29482,
PMTR-72463

VPN

A memory leak may occur in the VPND process in IKEv2 Site to Site VPN.

PRJ-28559,
PMTR-20176

VPN

In some scenarios, when sending the SCV drop log, a memory leak may occur.

PRJ-28574,
PRHF-17880

VPN

In some scenarios, Server connections to Remote Access L2TP clients may be unstable.

PRJ-29592,
VPNS2S-2505

VPN

In a rare scenario, the IKEv2 negotiation appears successful, although it failed.

PRJ-30329,
PMTR-73629

VPN

In some scenarios, IKEv2 tunnel may not work due to SA expiration.

PRJ-30764,
PRHF-19548

VPN

In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file.

PRJ-31289,
PRHF-19707

VPN

Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417.

PRJ-32365,
PRHF-20315

VPN

Improved IKEv2 narrowing.

PRJ-33833,
VPNRA-831

VPN

In rare scenarios, when SSL Network Extender (SNX) is in Application Mode, the VPND process may unexpectedly exit.

PRJ-30956,
PRHF-19492

VPN

Improvements for DAIP Gateway behind Hide NAT.

PRJ-30648,
ESVPN-2665

VPN

A machine-only tunnel cannot be established when VPN default realm is disabled.

PRJ-28268,
PRHF-7443

VPN

A memory leak may occur in the VPND process.

PRJ-32549,
PMTR-74599

VPN

A memory leak may occur during Office Mode IP allocation.

PRJ-30755,
PRHF-19484

VPN

In a rare scenario, when NAT is enabled, Route Based VPN traffic may be dropped.

PRJ-31587,
PRHF-19959

VPN

In some scenarios, VPN tunnel statuses in SmartView Monitor are displayed incorrectly.

PRJ-22482,
PRHF-15744

VSX

In some scenarios, running the snmpwalk command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

PRJ-29552,
PRHF-18753

VSX

After a reboot, the VS's clish static ARPs configuration exists, but the static ARPs may be missing.

PRJ-27969,
PMTR-35890

VSX

When querying a VS for "sysObjectID" via SNMP, a generic netSNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of the Check Point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62").

PRJ-30314,
PMTR-72515

Gaia OS

NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612.

PRJ-30275,
PMTR-72997

Gaia OS

UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes.

PRJ-30203,
PRHF-18610

Gaia OS

UPDATE: Added a Clish command "add/show/delete ntp interface" to choose to which interfaces the NTP daemon shall bind.

PRJ-17613,
PRHF-13255

Gaia OS

When adding an SSH host key, it will not be displayed because the command line cannot contain more than 512 characters in total.

PRJ-33507,
PMTR-75443

Gaia OS

Possible vulnerability in WebUI GUI Clients.

PRJ-31753,
PMTR-70869

Gaia OS

In some scenarios, after adding an SNMP USM user, the confd process may unexpectedly exit.

PRJ-33687,
PMTR-75891

Gaia OS

Potential vulnerability related to specific Gaia API command on VSX systems.

PRJ-33871

Gaia OS

Enhanced SNMP module stability.

PRJ-21922,
PRJ-17304

Gaia OS

An error regarding MTU failing to transmit 6000+ units may be displayed.

PRJ-24328,
PRHF-16439

Harmony Endpoint

Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM Blade is not activated.

PRJ-25250,
PMTR-68435

Harmony Endpoint

In some scenarios, the Policy Server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates.

PRJ-30518,
PMTR-73094

Harmony Endpoint

In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://".

PRJ-29971,
PRHF-16925

Harmony Endpoint

In some scenarios, a query that counts host_ckp objects may return more results than expected. This leads to a memory leak with the "Out Of Memory" error.

PRJ-32389,
PRHF-19878

VoIP

When using SIP, memory usage may increase over time on Active and Standby members.

PRJ-29985,
PRHF-19101

CloudGuard Network

UPDATE: When there are Data Centers without imported objects, CloudGuard Controller will show the warning status in SmartConsole and in the output of the "cpstat vsec" command.

PRJ-27771,
PRHF-17648

CloudGuard Network

Amazon Web Services (AWS) Data Center scan may fail and no updates are sent to the Security Gateway.

PRJ-31771,
PRHF-19949

CloudGuard Network

In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway.

PRJ-32230,
CGIS-636

CloudGuard Network

The "vsec_lic_cli update" command now supports IP change in the license string.

PRJ-32753,
PMTR-74085

CloudGuard Network

After an upgrade, the AWS Gateway or Google Cloud Platform (GCP) may lose access to the Serial Console.

PRJ-27034,
PRHF-16098

QoS

In a rare scenario, when QoS is enabled, in SmartView Monitor, some traffic may be shown as "No Match".

PRJ-30234,
PRHF-18342

QoS

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

PRJ-30015,
ODU-181

HCP

Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-29410,
PRHF-19016

Infrastructure

Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452.

PRJ-22353,
INFRA-528

Infrastructure

UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias.