R80.40 Jumbo Hotfix Take 158

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 158

Released on 6 April 2022 and declared as Recommended on 16 May 2022

PRJ-30406,
PRHF-19450

Security Management

UPDATE:

  • Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".
  • It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

PRJ-30112,
PRHF-17611

Security Management

In rare scenarios, the "show_changes" and "show_sessions" Management API commands may fail.

PRJ-32856,
PRHF-20444

Security Management

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

PRJ-30474,
PRHF-19577

Security Management

Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error.

PRJ-33564,
PMTR-75061

Security Management

In rare scenarios, a "Create Domain", "Delete Domain" or "Delete Domain Server" task can be stuck at 5% with the "Task in queue" status.

PRJ-35478,
PMTR-77765

Security Management

Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer." error.

PRJ-25709,
PRHF-17010

Security Management

Deleting a network group may fail because it is being used, although "Where Used" shows no usage.

PRJ-33400,
PRHF-20866

Security Management

When automatic purge is configured in a local Domain and there is an assignment between the Global Domain and that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

PRJ-32428,
PRHF-20440

Security Management

In rare scenarios, adding a service to a rule in Access Policy:

  • may take a long time (more than several seconds)
  • may cause SmartConsole to unexpectedly exit

Refer to sk176004.

PRJ-32447,
PRHF-20062

Security Management

In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data".

PRJ-33520,
PRHF-20971

Security Management

In rare scenarios, the Management Server may fail to start.

PRJ-30530,
PRHF-19542

Security Management

Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out.

PRJ-33286,
PRHF-20525

Security Management

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

PRJ-32847,
PMTR-74961

Security Management

In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure".

PRJ-32668,
PRHF-20485

Security Management

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

PRJ-34225,
PRHF-21356

Security Management

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

PRJ-33364,
PRHF-20847

Security Management

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

PRJ-30058,
PRHF-19250

Security Management

In rare scenarios, after a Management Server upgrade, importing the database may fail with "Tried to persist object".

PRJ-34771,
PRHF-20960

Security Management

Policy installation on Gateways R81 and below may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725.

PRJ-33863,
PRHF-21129

Security Management

When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout.

PRJ-32717,
PRHF-20332

Security Management

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

PRJ-36185,
PRJ-36184

Security Management

In some scenarios, in SmartConsole, the IPS update status list does not correctly reflect all the Gateways with the IPS Blade enabled. Refer to sk175449.

PRJ-33978,
PRHF-21115

Security Management

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

PRJ-34034,
PMTR-73939

Security Management

When many sessions are opened:

  • Publish operation may be slow
  • APPI Update may be stuck on 30% and eventually fail
  • Domain Import task may be stuck after 50% and then fail

PRJ-33167,
PRHF-20782

Multi-Domain Management

The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/.

PRJ-30525,
PRHF-19541

Multi-Domain Management

In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail.

PRJ-38327,
PMTR-82069

SmartConsole

  • Install Policy Preset may invoke policy installation on Gateways different from those that are defined.
  • Policy installation on multiple Gateways on MDS level may trigger installation on one Gateway only.

Refer to sk178590.

PRJ-34292,
PMTR-75623

Compliance

After disabling Compliance Best Practices, the user receives security alerts.
  • Requires R80.40 SmartConsole Build 430 (or higher).

PRJ-30377,
PRJ-30370

CPInfo

UPDATE: Added CPInfo Build 914000227. Refer to sk92739.

PRJ-31293,
PMTR-45132

Logging

NEW: It is now possible to search logs using content from the "Comment" field.

PRJ-29123,
PRHF-18445

Logging

SmartEvent may not show some of the Anti-Virus logs.

PRJ-31616,
PRHF-19834

Logging

Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543.

PRJ-28316,
PRHF-18428

Logging

The "Last Update Time" field of a Session Log may show incorrect values.

PRJ-32587,
PRHF-20276

Logging

There may be empty values in the "Office Mode IP" field in the Logs view.

PRJ-32304,
PRHF-18539

Logging

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

PRJ-32017,
PRHF-20117

Logging

When running the "show_logs" API command with the "query-id" argument and the session is expired, the command ends with a timeout instead of presenting an error.

PRJ-30091,
PRHF-18939

Logging

In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403.

PRJ-33747,
PMTR-76138

Security Gateway

UPDATE: Added a new flag to the "dynamic_objects" command: "-uo <name of object>". The user can now see all content of a specific updatable object.

PRJ-30782,
PRHF-19506

Security Gateway

Access Policy installation may fail with "Error code 1-2000078".

PRJ-33611,
PRHF-20810

Security Gateway

In a rare scenario, the FWD process may unexpectedly exit.

PRJ-32657,
PRHF-20471

Security Gateway

Security Gateway may unexpectedly reboot and create a vmcore file.

PRJ-33898,
PMTR-58175

Security Gateway

In rare scenarios, the LOG_INDEXER process may unexpectedly exit with a core dump file.

PRJ-33209,
PRHF-20674

Security Gateway

The dlpu process may unexpectedly exit, producing a core dump file.

PRJ-32791,
PRHF-20498

Security Gateway

In some scenarios, the matched rules log of Inline layer may appear as "Accept" / "Drop" action instead of "Inline".

PRJ-31207,
PRHF-19333

Security Gateway

The Security Gateway may crash during policy installation due to memory allocation problems.

PRJ-33997,
PRHF-18340

Security Gateway

In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout.

PRJ-32791,
PRHF-20498

Security Gateway

Matched rules on Inline layer may appear as the "Accept" / "Drop" action instead of "Inline".

PRJ-34255,
PRHF-20783

Security Gateway

It may not be possible to use Office 365 Tenant Restrictions when ICAP client is enabled.

PRJ-33124,
PRHF-20306

Security Gateway

In some scenarios, memory consumption and CPU usage may increase consistently due to a large amount of content in the CPView tool. Refer to sk176370.

PRJ-32925,
PRJ-32352

Security Gateway

When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics".

PRJ-34267,
PRHF-19587

Security Gateway

The log_exporter process may consume high CPU.

PRJ-33249,
PRHF-20709

Internal CA, VPN

Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468.

PRJ-30444,
PRHF-17552

Threat Prevention

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space.

PRJ-37474,
PMTR-80602

Identity Awareness,
Identity Logging

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

PRJ-30947,
IDA-4253

Identity Awareness

In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests.

PRJ-32698,
PRHF-14110

Identity Awareness

Memory usage may be high for the pdpd process in a scenario related to Identity Awareness nested groups in state 2 and 4.

PRJ-33147,
PRHF-20682

URL Filtering

In some scenarios, websites encrypted with SSL are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283.

PRJ-29427,
PRHF-18966

IPS

When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated.

PRJ-34644,
PRHF-21416

DLP

In a rare scenario, the DLP process may not delete temporary files used for scanning.

PRJ-33001,
PMTR-75153

SSL Inspection

UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2.

PRJ-34973,
PMTR-77321

SSL Inspection

In rare scenarios, the WSTLSD daemon may unexpectedly restart.

PRJ-34160,
PMTR-75807

SSL Inspection

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

PRJ-35936,
PRJ-35934

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

PRJ-31231,
SNX-67

SSL Network Extender

SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760.

PRJ-33875,
PMTR-61452

Mobile Access

Policy installation may fail due to table creation issues.

PRJ-34339,
PMTR-73930

SecureXL

The "fwaccel dos rate" command may fail with the "Another fwaccel command is already in progress" error.

PRJ-28644,
PMTR-67800

SecureXL

A redundant message "ACC: Accelerator started. " is printed in dmesg logs.

PRJ-35768,
PMTR-77756

Routing

UPDATE: Routed debug log will now show IP addresses.

PRJ-35644,
PMTR-54828

Routing

Handling BGP routes with very long AS paths may cause connectivity issues and the ROUTED daemon may exit with a core dump file.

PRJ-34710,
PMTR-73184

Routing

In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order.

PRJ-35340,
ROUT-1370

Routing

The ROUTED daemon may unexpectedly exit with a core dump when some interfaces lose connection with the PIM router.

PRJ-32423,
PRHF-20294

VPN, Multi-Portal

UPDATE: Certificate validation flow will use OCSP as the default revocation validation method. If OCSP URL does not exist, CRL will be used as a revocation validation method.

PRJ-33655,
PRHF-21022

VPN

The VPND process may unexpectedly exit with a core dump file.

PRJ-35310,
VPNS2S-2847

VPN

An outage may occur during IKEv2 SA re-key because of invalid kbuf duplication.

PRJ-35475,
PMTR-74009

VPN

Added VPN improvements for IKEv2 SA re-key.

PRJ-35342,
VPNS2S-2701

VPN

Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP.

PRJ-35392,
VPNS2S-2769

VPN

Improved IKEv2 for working with DAIPs.

PRJ-35487,
VPNS2S-2740

VPN

In ike_sa_table there may be an entry with an IP address and not with a DAIP ID.

PRJ-33737,
PMTR-75801

VPN

When applying Secure Configuration Verification (SCV), the VPN client is not able to distinguish between Windows 10 and Windows 11.

PRJ-35230,
PMTR-73490

VPN

SSL entries may not be deleted from the "vpn tu tlist" command output, although there was a graceful exit.

PRJ-36419,
PMTR-79305

VPN

In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit.

PRJ-24187,
PRHF-16198

VPN

VPN connectivity issues may occur when there are too many SAs. Refer to sk173828.

PRJ-33838,
PMTR-76280

VSX

UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode.

PRJ-32532,
PMTR-74770

VSX

UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

PRJ-37421,
PMTR-79515

VSX

After deleting a warp interface in SmartConsole, the active VSX cluster member may crash.

PRJ-30211,
PRHF-19017

Gaia OS

  • VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
  • IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

PRJ-31695,
PMTR-73594

Gaia OS

The "cpopenssl" command may fail with "No such file or directory".

PRJ-35002,
PMTR-77709

Gaia OS

Fixed the CVE-2020-14145 vulnerability.

PRJ-32916,
PMTR-75175

CloudGuard Network

NEW:

  • Rule base search in SmartConsole now also matches rules with Data Center Objects.

  • In SmartConsole, it is now possible to see IP addresses of all the objects included in:

    • AWS VPC and Availability Zone
    • Azure Virtual Network
    • GCP Network
  • In SmartConsole, improved searching objects using tags.

PRJ-31768,
PMTR-73896

CloudGuard Network

Improved the handling of NSX-T Data Center throttling issues.

PRJ-34526,
PRHF-21383

CloudGuard Network

When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway.

PRJ-35157,
ODU-199

Scalable Platforms

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-34441,
ODU-217

HCP

Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-29950,
PRHF-19115

Infrastructure

In a rare scenario, the user cannot connect to the Mobile Access Portal.