R80.40 Jumbo Hotfix Take 119

UPDATE: If there is no license on the Security Management Server, a new verification blocks an attempt to migrate a domain.

"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation.

When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file.

SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server.

In rare scenarios, the Management Server may fail to start because Solr fails to initialize.

In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828.

Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain.

Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x.

In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain.

In some scenarios, HA synchronization may fail on the MDS level with the "Failed to synchronize this peer due to purged revisions in the database." message.

In some scenarios, a SmartTask may fail to execute its action when it is triggered for a policy installation.

NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323.

UPDATE: The Log server now supports up to 2700 Gateways (previously was 1024). Refer to sk163413.

In rare scenarios, logs generated in the same second, with the same ID, may not show up in SmartConsole's Logs tab.

In Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application.

In rare scenarios, when creating a Log server object and establishing SIC, log queries from the newly created Log server object may fail.

In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis.

In SmartView, when creating a statistical table and grouping by Time, the query may fail.

In the SmartConsole Logs tab, the "IKE IDs" field cannot be added to column profiles.

NEW: Implemented new Fast-Accel producer.

The following Fast-Accel statistics are added to CPView:

• Status: current status of Fast-Accel feature (enabled/disabled).
• Configured rules: number of rules were added by the user. These rules determines whether a connection should be accelerated or not.
• Accelerated connections amount: number of accelerated connections.
• Total connections amount: total connections opened in PPAK.
• Accelerated connections percentage: percentage of accelerated connections as part of the overall traffic.
• Services distribution: number of times each service was used by the accelerated connections.

UPDATE: Added new Dynamic Balancing Clish command to enable default number of instances. To use it, run "set dynamic-balancing state enable set_default_fw_instances". Refer to sk164155.

UPDATE: The prompt indication will show on which plane (management or data) the context is.

For example:

• "[Expert@Host:0]" will be displayed as "[Expert@Host:dplane]" for the data plane.

• "[Expert@Host:1]" will be displayed as "[Expert@Host:mplane]" for the management plane.

In some scenarios, an incorrect interface name is displayed in CPView.

In rare scenarios, when the "sd_global_monitor_only" property is set to "true", there is no HTTP inspection.

In some scenarios, values set in fwkern.conf may not be applied correctly.

The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145.

In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the "PSL Drop: internal - drop enabled" message was displayed.
With this fix, the reason for the drop will be displayed.

In some scenarios, policy installation fails with "Error code 0-2000077" message.

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together.

When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may stuck.

On rare scenarios, running "fw1 + misp" debug on cluster may cause Security Gateway to crash.

In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode.

Boot may take a long time on machines with many VLANs or secondary IP addresses.

In a rare scenario, Security Gateway may crash due to log buffer corruption.

In a rare scenario, Security Gateway may crash due to log buffer corruption.

In a rare scenario, a memory leak may occur in in.emaild.mta process.

When using Routing separation and ClusterXL, the "cphaprob -a if" command displays "mdps_tun" as "DOWN".

Added Dynamic Anti-Spoofing stability enhancements.

In rare scenarios, SmartView Monitor shows the "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206.

UPDATE: The IKE certificates validity period is set to 1 year by default. Refer to sk176527.

Large file download with SFTP may fail when the connection is inspected.

In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing.

In some scenarios, "cpssh_trans_endpoint_handle_session_travers_timeout: INTERNAL ERROR" errors are displayed in the fwk.elg file when inspecting SSH traffic.

NEW: Added new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.

The feature is disabled by default. To enable it, refer to sk128212.

UPDATE: It is now possible to configure SAML (Security Assertion Markup Language) authentication with the same Microsoft Azure AD directory for multiple blades on the same Security Gateway.
Note: Each Blade on each Security Gateway requires its own Identity Provider object in SmartConsole.

In some scenarios, output of "pdp conn pep" command may show incorrect PEP names.

In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492.

A failure log may be generated when inspecting connections to servers with certificates without a common name (CN) field.

UPDATE: Avoid sending the TLS probe during the inbound inspection when a rule is matched according to the IP address.

TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated.

In rare scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

A table hash size may be too small for some environments and cause an increased CPU usage.

Added IPS Core Protections scan improvements for HTTP traffic.

UPDATE: Anti-Bot URL cache was enhanced to support further requests.

In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, action fails with "An unexpected error has occured ..." error message.

In some scenarios, FWK process unexpectedly exits due to SNX authorization timeout in MAB's Unified Policy mode. Refer to sk173125.

In some scenarios, the HTTPD process consumes a high CPU causing slowness in access to web applications.

Data connections from the Standby member of an Active-Standby cluster may be dropped on the stealth rule when "fwha_cluster_hide_active_only" is set to 1.

UPDATE: Firewall debug drop template message now indicates the rule ID the template was created from.

A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns".

In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file.

In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode.

In some scenarios, the "fw ctl affinity" command on MPDS Dplane does not show the Mplane Multi-Queue interfaces.

VRRP member freezes when deleting a VLAN interface. Refer to sk106226.

In OSPF environment, the ROUTED process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss.

After restarting OSPF with the "restart ospf instance default" command, OSPF may not redistribute routes until making a configuration change.

In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with a "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message.

UPDATE: Added support for Security Assertion Markup Language (SAML) authentication on more than one VS in VSX. Refer to sk172909.

UPDATE: Added VPN improvements in IKEv2:

• Added support for IKEv2 authentication when using multiple certificates.
• Added support for "Matching info" authentication.

"Invalid ID information" message may be displayed when peer is 3rd party and Link selection is overridden.

• Stability improvement of IKEv2 rekey when using Pre-shared-key
• Stability improvement of cluster synchronization mechanism

In some scenarios, the TTM (Transform Template) file is not loaded when there are no TTM groups for the user.

When the Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not be removed from the table.

In some scenarios, Phase 2 NULL encryption in IKEv2 fails with "Received notification from peer: No proposal chosen" message in the log.

In some scenarios in MEP configuration, failover to available MEP members may fail.

In some scenarios, the he VPND process may unexpectedly exit producing a core dump.

The VPND process may unexpectedly exit when cipher priority configuration is invalid. Refer to sk173083.

In some scenarios, the "Global param: operation failed: Unknown parameter (param name vpn_cluster_on_aws)" cosmetic error may appear in dmesg.

Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type.

In some scenarios, DAIP gateways may be identified as Remote Access, causing the connection to fail. Refer to sk173417.

In some scenarios, the VPN Remote Access client cannot reconnect after changing the authentication method.

In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug.

UPDATE: The Multi-Queue (MQ) enhancement by IPSEC SPI is now supported out of the box on CPAC-4-10F-C appliance NICs (i40e driver, X710 controller).

The "snmptable" command may fail to fetch data via SNMP producing core dump. Refer to sk172824.

In some scenarios, the first packet of any protocol is dropped if there is no ARP cache entry in the ARP table for that destination. Refer to sk173933.

In rare scenarios, there is a difference between the value of "Packets" in the output of "ifconfig <interface name>" and "show interface <interface name> statistics" commands.

When the RADIUS server uses a multi-pool "Access Challenge", the system sends many authentication requests without waiting.

When using routing separation, Clish configuration for the management plane may be missing.

In rare scenarios, the Wrp interface may not come up. Refer to sk171753.

In some scenarios, the "sip_increase_opq_rnum: Error - number of reinvites exceeded the limit" message that indicates the malfunction SIP flow is printed in SIP debug.

The SNMP response may show incomplete values.

Improved performance consistency (with Multi-Queue) after the Microsoft Azure Maintenance event.

UPDATE: If the recommended-policy includes some illegal rules, an IoT layer will be created with the legal rules only and the user will be notified with a warning about the illegal ones.