R80.40 Jumbo Hotfix Take 126

NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2.

NEW: Added the HitCount column to the "Export to CSV" functionality in Access Policy.

• Requires R80.40 SmartConsole Build 425 (or higher).

UPDATE: Performance improvement in an upgrade of Security Management and Multi-Domain Servers with large rulebases.

Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872.

The "show-global-assignment" command returns the default limit when the limit request is greater than the default limit.

In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date" , although no changes were made in the Global Domain.

In rare scenarios, upgrade may fail when there is an OPSEC Server object configured.

In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy.

In a rare scenario, the FWM process may unexpectedly exit.

Packet Mode search in rule base ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched.

In rare scenarios, after migration of a Domain to a Security Management Server, publish may fail with a "Publish failed due to session validation errors" message although there are no errors in the validation pane.

In some scenarios, loading the Access Control policy causes SmartConsole to close unexpectedly. Refer to sk175405.

• Requires R80.40 SmartConsole Build 425 (or higher)

In some scenarios, a high load on the Management Server may cause SmartConsole slowness.

Policy verification may fail with a NAT verification error "The range size of Original and Translated columns must be the same".

Login with Management API fails when using the api-key and setting enter-last-published-session to "true".

In rare scenarios, if the CPM process is up for many days, CPU and memory consumption may continue to grow until a reboot is performed.

In rare scenarios, during a system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.

In some scenarios, HA synchronization fails in the Global Domain after the IPS update.

In some scenarios, an older version of a Jumbo Hotfix is recommended for installation on Security Gateway, although a newer version is already installed.

In rare scenarios, High Availability incremental synchronization may fail with a wrong status message.

If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.

• Requires R80.40 SmartConsole Build 425 (or higher).

If there is an Administrator named "Endpoint", an upgrade of Endpoint Security Server from R77.30 version fails.

NEW: Added ability to create Domain Management Servers with a netmask different than the one of the Multi-Domain Server. Refer to sk173934.

After migrating a Domain to a Multi-Domain Management and assigning a Global Policy, if there are objects with the same name in the Domain and Global Domain, the assignment succeeds, although it must fail due to name duplication.

After migrating the Global Domain and making global changes, when assigning/reassigning the Global Domain, the assignment may be shown as "Up to date" even though the latest global changes are not applied on the Domain.

In some scenarios, the total number of "sr" licenses may be counted incorrectly.

In some scenarios, a memory leak may occur in a cpview_services module. Refer to sk173952.

NEW:

• In SmartEvent GUI, added new products: "Behavioral Guard", "Anti-Exploit", "Anti-Bot" and "Anti-Ransomware"
• For Endpoint logs correlation, added a new pre-defined event: "Harmony Endpoint" under Legacy -> Endpoint Security.

When AES authentication is configured, the "thresold_config" command does not send traps for SNMP v.3. Refer to sk173045.

In SmartView reports, the "Show only icon" option for table widgets does not work as expected.

In SmartView, grouping or filtering by the field "Total Bytes" causes the query to fail.

In rare scenarios, the Logs view may not reflect the Management Server object changes. When the issue occurs, the CPM process may also consume a high CPU.

In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB).

In rare scenarios, in environments with many network objects, when typing a query in the Logs tab Search bar, SmartConsole may close unexpectedly.

In a Multi-Domain Management environment, Log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name.

In rare scenarios, when exporting logs to Check Point Infinity Portal, the Log Exporter may unexpectedly exit.

UPDATE: Added DNS Passive Learning support for DNS responses containing a Domain name in uppercase letters.

In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188.

In some scenarios, the Security Gateway may crash when encountered an error on connection processing.

In a rare scenario, the Security Gateway may sporadically crash.

Added the Access Control rulebase matching visibility enhancement.

In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file.

In a rare scenario, the PDPD or VPND process on the Security Gateway consumes a high CPU. Refer to sk173706.

In a rare scenario, a memory leak may occur on the Security Gateway.

In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may unexpectedly exit. Refer to sk172935.

Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition. Refer to sk172464.

In some scenarios, connections are dropped with a "Virtual defragmentation error: fragment table is full" message. Refer to sk180404.

Improved displayed drop log messages on the Security Gateway:

• To see drops since the last reboot, use the "fw ctl drop" command.
• To see drops in real time, use the CPView tool.

Refer to sk172232.

A "fw_xlate_rule_count_dec: refcount is negative" message may be displayed in dmesg when IP pool NAT is used on a cluster environment.

Added cosmetic fixes of the cpwd_admin list command output.

Improved the ICAP Server internal memory allocation logic.

The cpsicdemux process may unexpectedly exit, causing Secure Internal Communication (SIC) connection to fail.

UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424.

In a rare scenario, the Security Gateway may crash when working with Anti-Virus.

In a rare scenario, Security Gateway may crash due to the Threat Prevention Data Collector feature.

In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed.

Large file transfer in connections inspected by SSH Deep Packet Inspection (SSH DPI) may fail if SSH renegotiation is performed during the transfer.

In a rare scenario, the Security Gateway may crash.

When the PDP Gateway is connected to multiple pre-R81 PEP Gateways, the CPU consumption may be high. Refer to sk173709.

In some scenarios for HTTP, the Security Gateway closes a connection from the Server side, but the user side may remain open.

In rare scenarios, the FWK process may unexpectedly exit when installing the policy.

Proxy source IP address is not printed in the IPS logs.

Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692.

Improved the Portal Rendering performance in Unified Policy mode.

In some scenarios, in Load Sharing mode, the cphaprob show_bond command on the Security Management Server shows the back-up subordinate status as "Not Available". Refer to sk175469.

Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the _/var/log/messages_ file.

In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly.

In some scenarios, CPView displays incorrect values of RIP statistics.

In some scenarios, an outage may occur because of premature graceful-restart exit.

If the interface cable is unplugged, after a failover, Border Gateway Protocol (BGP) stops receiving routes from Primary member to Secondary and back to Primary.

The ROUTED process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected.

The checksum of PIM "register" packets may be calculated incorrectly, causing the RP router to discard a "register" packet.

In rare scenarios, IKE negotiation fails when using IPv6 addresses.

When saving the login info of the client, a memory leak may occur.

Many "remote access client IP address and port were changed" logs are generated after an upgrade.

In a rare scenario, a memory leak may occur.

Added IKEv2 improvement for DAIP peer.

In a rare scenario, a memory leak may occur when RASession_util is active.

In rare scenarios, a memory leak related to Gateway authentication may occur.

Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.

In some scenarios, the VPN tunnel between GCP cluster and GCP peer fails to establish.

In some scenarios, outbound traffic with NAT-T outgoing packets is sent from an incorrect link. Refer to sk176711.

In rare scenarios, after policy installation, the VPND process may unexpectedly exit with core dump.

A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249.

In some scenarios, when DAIP peer initiates IKEv2 negotiation with certificate authentication, the VPND process may unexpectedly exit. Refer to sk174665.

A memory leak may occur in the VPND process.

In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation.

In some scenarios, a memory leak may occur in the VPND process.

This fix allows create/change a VSX cluster/Gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole.

After upgrade, the VS names may be displayed incorrectly in the output of the "vsx stat -v" command.

NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.

When a non-TACACS user logs out from WebUI, "Cannot get pid" is printed as an error to the /var/log/messages file.

If NTPD service is configured in MDPS settings, NTPD error logs appear in var/log/messages after a reboot.

In some scenarios on VSX, a "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file.

In a rare scenario, a memory leak may occur in the monitord.

Last trailing zero may appear in the output of "show configuration backup-scheduled". Refer to sk169255.

In a rare scenario, the Security Gateway crashes when handling SIP traffic.

In some scenarios, CloudGuard Controller fails to fetch data from the standby ACI Server when the main ACI Server is unreachable.

In some scenarios, CloudGuard IaaS Standby member cannot access the Internet. Refer to sk175108.

Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436.

Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436.