R80.40 Jumbo Hotfix Take 150

In some scenarios, CPView shows the SNMP data partially.

In rare scenarios, an upgrade or migration may fail due to missing temporary files.

UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB.

UPDATE: Added an environmental variable to control the sduu command timeout in the FWM process: SDUU_UPDATE_TIMEOUT.

UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165.

The mgmt_cli tool (API) with certificate login may not work.

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270.

Management Server upgrade may fail if there is a large amount of customized column profiles in the Logs View.

In some scenarios, if changes were done before installing Jumbo Hotfix, revert or login to the last published session may fail.

In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007.

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

When searching IP addresses using logical operators (AND / OR), the results may be incorrect:

• in SmartConsole in the Object Explorer view
• with the Management API command "show objects" and the "filter" field

Some matched objects may be missing, while some unmatched objects may be present.

Scheduled IPS updates data may not be shown in the IPS update report.

In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866.

In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it.

The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level.

In rare scenarios:

• Login to the Management Server may timeout and fail
• Publish operation may take a long time.

In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain.

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale.

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database.

Policy installation with Directional VPN rules may fail with a verification error.

• The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
• On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the configuration tab.

The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204.

During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface.

In a rare scenario, the licensing status in SmartConsole is displayed incorrectly.

The Compliance report in SmartConsole may show an incorrect policy name.

In Overview, some data about disk space may be missing.

UPDATE: The default timeframe for logs queries using the SmartConsole's Logs tab is set to "Last 24 Hours".

• Requires R80.40 SmartConsole Build 425 (or higher)

The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces.

In SmartConsole:

• In Gateways and Servers view, IP statuses may not be accurate
• In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

In some scenarios, emails of DLP blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430.

The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access blade is enabled on the Gateway.

On the Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message and the FWM process is running with a high CPU. Refer to sk167239.

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323.

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

Daily Log/Indexes Maintenance does not delete old index files from $RTDIR/log_indexes if they contain files or subdirectories with a format different than %Y-%m-%d.

• The "fw log" and "fwm logexport" commands may fail with "Error: Failed to read field".
• The exported log file may not contain all logs

• In the Logs & Monitor view, filtering logs by field may fail.

Refer to sk176644.

NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.

UPDATE: For CPU Spike Detective:

• Added Clish support
• Enhanced diagnostics in CPView
• Enhanced profiling with heavy connections and top connections.

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887.

In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673.

In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.

Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.

In a rare scenario, CPView may show incorrect SecureXL statistics per VS.

In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.

In rare scenarios, when SACK is enabled, there may be connectivity issues.

When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may hang.

In rare scenarios, when a Security Gateway is configured as Proxy, a wrong NAT port reuse may happen for 5 minutes long proxied connections.

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

In rare a scenario, a memory leak may occur with "cpas_streamh_init_from_cookie failed" printed in /var/log/messages.

Extended logging may show a wrong status of Content Awareness blade. The issue is only cosmetic.

A debug message may be printed as an error.

In a rare scenario, the Security Gateway may crash during policy installation.

UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300.

UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types.

Threat Prevention policy installation may fail when loading 2 IOC feeds that contain the same signature name for one of the observables.

In some scenarios, loading Custom Intelligence Feeds that include an IP address with a subnet mask of 32 bits (x.x.x.x/32) may fail.

In some scenarios, when using OpenSSH 8.2 Server, file download fails after starting the transfer.

UPDATE:

• Increased the default timeout values of entries: connected_pdp_refresh_interval is now set to 240 seconds and connected_pdp_grace_period is now set to 360 seconds.
• Added the "Identity information / Network information will be deleted" alert to SmartConsole.

In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables.

In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105.

An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher.

In a very rare scenario, when the Application Control (APPI) and URL filtering blades are active, in hold mode, some applications cannot be identified and the traffic is dropped.

In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588.

The track logging configuration of Network Quota protection is not applied.

UPDATE: Improved performance of Anti-Bot URL Reputation.

In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur.

In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.

In rare scenarios, TLS probing connections may remain open for extended periods.

UPDATE: Upgraded JQuery library version (from 1.1 to 3.6).

In some scenarios, a memory leak may occur in the CVPND process.

In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize.

In a rare scenario, after an upgrade, HTTPS traffic may be dropped.

In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.

In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending.

The ROUTED process may unexpectedly exit.

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue.

UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic.

RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode.

In some scenarios, when sending the SCV drop log, a memory leak may occur.

In a rare scenario, the IKEv2 negotiation appears successful, although it failed.

In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file.

Improved IKEv2 narrowing.

Improvements for DAIP Gateway behind Hide NAT.

A memory leak may occur in the VPND process.

In a rare scenario, when NAT is enabled, Route Based VPN traffic may be dropped.

In some scenarios, running the snmpwalk command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

When querying a VS for "sysObjectID" viaSNMP, a generic netSNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check Point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62").

UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes.

In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128.

Potential vulnerability related to specific Gaia API command on VSX systems.

Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM blade is not activated.

In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://".

When using SIP, memory usage may increase over time on Active and Standby members.

UPDATE: When there are Data Centers without imported objects, CloudGuard Controller will show the warning status in SmartConsole and in the output of the "cpstat vsec" command.

In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway.

After an upgrade, the AWS Gateway or Google Cloud Platform (GCP) may lose access to the Serial Console.

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452.