R80.40 Jumbo Hotfix Take 196
Note - This Take contains all fixes from all earlier Takes.

Take 196 was released on 6 March 2023 and declared Recommended on 18 April 2023.

| ID | Product | Description |
|---|---|---|
| PRJ-42183 | IPS | NEW: Added the ability to block "HTTP 206 Partial Content" responses from resources with malicious content. |
| PRJ-43893 | Security Gateway | NEW: Extended the grace period of the Compliance Blade to 90 days following contract expiration, so the blade continues to provide protection during the renewal process. |
| PRJ-43805 | Application Control, URL Filtering | NEW: Extended the grace period of the Application Control and URL Filtering Blades to 90 days following contract expiration, so the blades continue to provide protection during the renewal process. |
| PRJ-44253 | Threat Extraction | NEW: Extended the grace period of the Threat Extraction Blade to 90 days following contract expiration, so the blade continues to provide protection during the renewal process. |
| PRJ-43908 | SmartView | NEW: Extended the grace period of the SmartEvent Blade to 90 days following contract expiration, so the blade continues to provide protection during the renewal process. |
| PRJ-36633 | Security Management | UPDATE: Added an option to configure the maximum number of IPS SNORT rules. Add these lines at the end of the $FWDIR/conf/malware_config file (or change their values if they already exist); on an MDS, also add them to the $MDS_FWDIR/conf/malware_config file: "[IPS] snort_convertor_max_rules_per_update=<value> snort_convertor_total_rules_num_limit=<value>". Refer to sk136515. |
| PRJ-42304 | Security Management | UPDATE: Improved the "Purge revisions" operation to reduce the size of the database. |
| PRJ-34958 | CPView | UPDATE: Added logging information. The Logging tab is available under the Advanced tab on both the Security Management Server and the Security Gateway. Refer to sk101878. |
| PRJ-41199 | Security Gateway | UPDATE: Added the ability to force GNAT port randomization. It is controlled by a kernel parameter (off by default). |
| PRJ-44557 | Security Gateway | UPDATE: Apache HTTPD was updated from version 2.4.53 to 2.4.55 to fix CVE-2022-37436. |
| PRJ-42656 | IPS | UPDATE: Improved the performance of several IPS protections for traffic that contains repeated sections. |
| PRJ-42258 | Threat Prevention | UPDATE: Reduced the loading time of large external Custom Intelligence Feeds. |
| PRJ-43611 | Gaia OS | UPDATE: Gaia Cloning Groups now use the highest available TLS version. |
| PRJ-41933 | VoIP | UPDATE: Added a new CLI command "fw ctl voip [-p {sip\| mgcp\| sccp\| h323}] [-na]". It prints the description of the defined VoIP protections, the required action, and the logging option configured for each protection. |
| PRJ-42402 | VSX | UPDATE: Added more logs related to pushing the VSX configuration. |
| PRJ-43027 | CloudGuard Network | UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher. |
| PRJ-42148 | CloudGuard Network | UPDATE: Improved the performance of pushing Data Center Object changes to Security Gateways. |
| PRJ-41844 | CloudGuard Network | UPDATE: Improved the handling of NSX-T API responses. |
| PRJ-43051 | CloudGuard Network | UPDATE: Added support for Data Centers in the AWS eu-central-2 (Spain), eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions. |
| PRJ-43402 | Diagnostics | Skyline may not show any information. Refer to sk180748. |
| PRJ-40538 | Diagnostics | The "cpview -s" export operations may fail on VS0 when cpview_services are running. |
| PRJ-43901 | Security Management | On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448. |
| PRJ-42242 | Security Management | Installing a large Access Control policy on Quantum Spark Security Gateways may fail because of high memory consumption by FW_LOADER on the Security Management Server. |
| PRJ-38356 | Security Management | After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results". |
| PRJ-40221 | Security Management | In a large environment, High Availability synchronization for the Global Domain may fail with the "Global domain is busy syncing, please check sync status" error. |
| PRJ-41539 | Security Management | The FWK process may unexpectedly exit during Threat Prevention policy installation. |
| PRJ-41669 | Security Management | When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue. |
| PRJ-42857 | Security Management | After performing the "Revert to Revision" operation, new Audit logs are not shown in the Logging & Monitoring view in SmartConsole. |
| PRJ-40424 | Security Management | In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error. |
| PRJ-23720 | Security Management | A policy with a large number of AD users may fail to install with a timeout, or may take a long time to install. |
| PRJ-42103 | Security Management | In a Multi-Domain environment, the HitCount retention mechanism may prematurely remove HitCount data. |
| PRJ-39390 | Security Management | In some scenarios, the "Assign Global Policy" action fails with the error message "An internal error has occurred". |
| PRJ-40821 | Security Management | A warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks. |
| PRJ-41926 | Security Management | After an upgrade, SmartConsole may unexpectedly close during policy installation with the message "The connection with the server was lost. Any unsaved changes will be preserved". Refer to sk180294. |
| PRJ-44023 | Security Management | When Custom Application/Site Group objects are used in an Access policy, policy installation may fail with an "Internal error" message. |
| PRJ-42408 | Security Management | Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error. |
| PRJ-41760 | Security Management | In some scenarios, the CME process fails to start. |
| PRJ-41890 | Security Management | High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server. |
| PRJ-43092 | Security Management | After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails. |
| PRJ-39744 | Security Management | Adding a rule with the Management API and setting the action to "Ask" does not set a default UserCheck if none was specified. This may cause policy verification to fail. |
| PRJ-42847 | Multi-Domain Security Management | In a Multi-Domain Security Management environment, traffic may not match rules with custom applications. |
| PRJ-42047 | Multi-Domain Security Management | In rare scenarios in a Multi-Domain Security Management environment: |
| PRJ-42282 | CPView | CPView may not show some interfaces. |
| PRJ-42082 | CPView | A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops. |
| PRJ-43587 | CPView | In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart. |
| PRJ-41353 | Logging | In some scenarios, the "Description" field may be missing in the Logs view. The issue is only cosmetic. |
| PRJ-37498 | Logging | The "epoll is enabled" warning is incorrectly displayed during policy installation. |
| PRJ-42412 | Logging | When LEA spawning is turned off (sk91343), the FWD process may run out of memory. |
| PRJ-43391 | Logging | When working with Multi-Domain Security Management, Virtual Systems (VSs) may be unable to send logs to the management because the Log Server constantly disconnects. |
| PRJ-32808 | Logging | The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in Disk Space Management. Refer to sk176803. |
| PRJ-41493 | Security Gateway | Stability issues when the ICAP client is active. |
| PRJ-41016 | Security Gateway | When the SMTP service is used with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead. |
| PRJ-42705 | Security Gateway | The DNS parser incorrectly handles additional records, which results in additional DNS IP addresses appearing in the FQDN objects list. |
| PRJ-39925 | Security Gateway | When the Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files. |
| PRJ-43495 | Security Gateway | Policy installation may fail with an "Error 0-2000080" message because of memory allocation issues. |
| PRJ-43009 | Security Gateway | When a new RADIUS Server is added in the Gaia Portal, its IP address is automatically added to the MDPS tasks, but when this Server is deleted, the MDPS task is not deleted. |
| PRJ-42294 | Security Gateway | When MDPS is configured, the mdps_tun interface is shown in the output of the "cpstat ha -f all" command. |
| PRJ-43837 | Security Gateway | The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and cause SSH connection or policy installation failures. |
| PRJ-43884 | Security Gateway | In rare scenarios, the FWD process gets stuck during policy installation. |
| PRJ-43552 | Security Gateway | The Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled. |
| PRJ-42755 | Security Gateway | The Security Gateway may crash because of an issue in the FILEAPP (File Application) module. |
| PRJ-41632 | Security Gateway | Under a high load of fragmented traffic, the Dynamic Dispatcher may send fragments of the same packet to different Firewall instances. This may cause some packets to be dropped. |
| PRJ-42942 | Security Gateway | When Anti-Spoofing is enabled, the Security Gateway may crash. |
| PRJ-36008 | Security Gateway | The Security Gateway may frequently crash with vmcore files that record an invalid context. |
| PRJ-43703 | Security Gateway | The Security Gateway may crash during policy installation if the Rule Base has multiple layers and the Security Gateway has many interfaces (VLANs). |
| PRJ-39606 | Security Gateway | The Security Group Member (SGM) frequently goes into the Lost -> Down -> Active state because of a fullsync pnote. This causes outages. |
| PRJ-38807 | Security Gateway | In a rare scenario, when QoS is enabled, the Security Gateway may crash. |
| PRJ-39799 | Security Gateway | After changes to the Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash. |
| PRJ-42086 | Security Gateway | The "fw monitor" command output may contain "no packets left to merge" messages. |
| PRJ-40318 | Security Gateway | In rare scenarios, the FWK process can unexpectedly exit and cause an outage. |
| PRJ-43345 | Security Gateway | A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file when the HTTP parser does not receive the requested data. |
| PRJ-40233 | Security Gateway | Stability issues when the ICAP client is active. |
| PRJ-39573 | Security Gateway | The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if the IPS Blade is active. |
| PRJ-41862 | Security Gateway | After an upgrade, it is not possible to monitor Security Gateways with Management Data Plane Separation (MDPS) enabled. |
| PRJ-39966 | Security Gateway | The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in the logs. |
| PRJ-40107 | Security Gateway | In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL. |
| PRJ-41578 | Security Gateway | In some scenarios, the CPD process may unexpectedly exit. |
| PRJ-43125 | Security Gateway | Some TCP connections may get stuck in the "Both-Fin" state in the SecureXL connection table and cause high memory consumption. |
| PRJ-42901 | Internal CA | The certificate in SmartConsole is shown as valid although it is expired. |
| PRJ-41434 | Internal CA | When managing cloud Gateways, the FWM process memory usage may increase. |
| PRJ-42284 | Threat Prevention | The "ioc_feeds set interval -r" command may fail. |
| PRJ-41596 | Threat Prevention | The Anti-Virus Blade fails to parse external IoC feeds that contain commas in a CSV column field value. |
| PRJ-41487 | Threat Prevention | Loading Custom Intelligence Feeds with authentication may fail. |
| PRJ-38720 | Threat Prevention | File download over SSH with the MobaXterm client fails when SSH Deep Packet Inspection (SSH DPI) is enabled. |
| PRJ-38663 | Threat Prevention | The DLPU process may unexpectedly exit with a core dump file. |
| PRJ-32736 | Threat Prevention | After an upgrade, the FWD process may frequently exit while creating AMW_report.xml. |
| PRJ-37565 | Threat Prevention | When the Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue. |
| PRJ-42436 | Threat Prevention | Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file. |
| PRJ-41382 | Threat Prevention | External IoC feeds may fail with "General Error", and the feeder.elg file contains many "Failed to load signatures" messages. |
| PRJ-41122, PRHF-24693 | Threat Prevention | In a rare scenario, the mal_conns table may consume a large amount of memory. |
| PRJ-40470 | Threat Prevention | If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible. |
| PRJ-42342 | Identity Awareness | During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revokes all identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659. |
| PRJ-33063 | Identity Awareness | In a rare scenario, a wrong access role may be assigned to a user. |
| PRJ-42931 | Identity Awareness | The PDPD process may cause CPU spikes during cluster failover. |
| PRJ-42337 | Identity Awareness | In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing. |
| PRJ-41818 | Identity Awareness | In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification. |
| PRJ-42997 | Identity Awareness | In a rare scenario, a disconnection between the Identity Server (PDP) and the Identity Gateway (PEP) leads to missing identities on the PEP side. |
| PRJ-42504 | Application Control | In a rare scenario, when Application Control is enabled, a Security Gateway in the AWS Cloud may crash. The issue does not occur if the Application Control database on the Security Gateway is updated to Release 141122_1 or higher. |
| PRJ-41219 | Application Control | The RAD process may freeze when an error occurs and an error event is initialized. |
| PRJ-43501 | Application Control | Policy installation may fail with an "Error 0-200184" message because of memory allocation issues. |
| PRJ-41653 | IPS | Running the "ips stats" command in the CLI may cause the IPS process to unexpectedly exit with core dumps. |
| PRJ-42589 | IPS | The Security Gateway may crash during policy installation because of a memory allocation problem. |
| PRJ-41376 | IPS | When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of a fail-close operation. |
| PRJ-35484 | DLP | DLP logs for files uploaded to Microsoft OneDrive do not show the original file names and extensions. Refer to sk178290. |
| PRJ-41214 | Anti-Virus | In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash. |
| PRJ-43179 | SSL Inspection | The WSTLSD process may unexpectedly exit and create core dump files. |
| PRJ-43889 | SSL Inspection | In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473. |
| PRJ-41411 | Mobile Access | Access to a web application that uses the WebSocket protocol may not be possible. |
| PRJ-42466 | Mobile Access | When the Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue. |
| PRJ-41257 | Mobile Access | Web applications may not work correctly when the Mobile Access Blade is configured in Hostname Translation (HT) mode and the "obscure_destination_hostname" management attribute is disabled. |
| PRJ-42462 | ClusterXL | Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled. |
| PRJ-43114 | ClusterXL | The "cphaprob tablestat" command may fail on a Security Gateway with many interfaces. |
| PRJ-37149 | ClusterXL | In an Active/Active cluster, a member may reboot because of a memory corruption issue. |
| PRJ-43001 | ClusterXL | Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292. |
| PRJ-44166 | ClusterXL | When handling HTTP/2 traffic, cluster members may crash and generate vmcores. |
| PRJ-29666 | SecureXL | When the "fw_tcp_out_of_state_monitor" mode is enabled together with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped although they should pass and be monitored. |
| PRJ-42573 | SecureXL | Multicast traffic may be dropped without any logs being generated. |
| PRJ-42443 | SecureXL | The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364. |
| PRJ-42894 | SecureXL | SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router. |
| PRJ-44129 | SecureXL | An IPv6 template is not created when the connection is NATed. |
| PRJ-43981 | SecureXL | In a rare scenario, a CPAQ message sent during policy push is not marked as critical and can be dropped when the Security Gateway is busy. |
| PRJ-43920 | Routing | Failover may take longer than expected, and traffic does not pass for several seconds because dynamic routes are lost. |
| PRJ-43054 | Routing | The "show ospf neighbors" command shows incorrect values for the OSPF "Hello" and "Dead" intervals. Refer to sk180486. |
| PRJ-44946 | VPN | When many users in nested groups log in using the Remote Access Client / connect to VPN, and the LDAP topology is large, there may be a CPU usage spike and a performance impact. Refer to sk180664. |
| PRJ-42877 | VPN | When an IKEv2 tunnel is initiated from Check Point to a third party, creating the Child SA fails. Refer to sk180281. |
| PRJ-42559 | VPN | When a user connects with the RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty. |
| PRJ-42651 | VPN | Stability issues in the VPND and IKED processes. |
| PRJ-41048 | VPN | A memory leak may occur in the VPND process. |
| PRJ-42727 | VPN | In a rare scenario, when IPv6 is configured and VPN is enabled, policy installation may cause a stability issue. |
| PRJ-40726 | VPN | In some scenarios, when NAT is configured, VoIP traffic is dropped. |
| PRJ-39169 | VPN | The Remote Access Client may fail to connect when using machine certificate authentication. |
| PRJ-38165 | VPN | Performing the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592. |
| PRJ-44012 | VSX | In VSX, after adding instances to a Virtual System (VS), their state may be inactive. |
| PRJ-13984 | VSX | In large environments, the "vsx_util reconfigure" procedure and booting may take a long time. |
| PRJ-43354 | VSX | The SNMPD process may consume high CPU in a VSX environment, and the "fw vsx stat" command may be slow. Refer to sk180324. |
| PRJ-41695 | VSX | The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database. |
| PRJ-42881 | VSX | In VSX, if Dynamic Balancing was manually disabled on R80.40, it is automatically enabled after an upgrade from R80.40 to R81.20. |
| PRJ-42252 | Gaia OS | Running the "save configuration" command a second time in the same Clish session may fail with the "free(): invalid pointer" error. |
| PRJ-42622 | Gaia OS | An SNMP trap may not be sent after a cluster failover if the failover was triggered by running the "clusterXL_admin down" command. |
| PRJ-43649 | Gaia OS | When setting the password hash on Cloning Group members, some members may not get updated. |
| PRJ-42960 | Gaia OS | An IPv6 address may be removed from a bond VLAN interface when the bond xmit-hash-policy configuration is changed. Refer to sk180309. |
| PRJ-44161, PRJ-43959 | Gaia OS | When uninstalling a Jumbo Hotfix, some of the REST APIs may not work: the "gaia_api status" command returns an error and requests may fail. |
| PRJ-42524 | Gaia OS | Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181. |
| PRJ-43430 | Gaia OS | In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit. |
| PRJ-41407 | Gaia OS | When configuring Gaia Cloning Group mode on a cluster, members in the "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed. |
| PRJ-34370 | Gaia OS | After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups. |
| PRJ-42218 | Gaia OS | Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI. |
| PRJ-43023 | Gaia OS | The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1 GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198. |
| PRJ-43561 | Gaia OS | When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server. |
| PRJ-40691 | Harmony Endpoint | When connecting to the Security Management Server with SmartEndpoint while the Endpoint component is not activated on the Server, the FWM process may unexpectedly exit. |
| PRJ-43257 | CloudGuard Network | Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object. |
| PRJ-43395 | CloudGuard Network | VPN Cluster stability issue when the peer is an Azure Security Gateway. |
| PRJ-43575 | CloudGuard Network | Enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command may impact the CloudGuard Central License utility, and adding a license fails. |
| PRJ-42008 | CloudGuard Network | When mapping of some Azure Subscriptions fails, the assets of these Subscriptions are revoked from the Security Gateway. |
| PRJ-42113 | CloudGuard Network | AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to the Virtual Private Cloud (VPC). |
| PRJ-42853 | CloudGuard Network | A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SR-IOV with the i40evf/ixgbevf network driver may boot with non-optimized performance settings. |
| PRJ-43066 | CloudGuard Network | Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between the CloudGuard Network Security controller and VMware vCenter Data. |
| PRJ-43075 | VoIP | In a multi-INVITE scenario (where a user registers with multiple devices) with the VoIP SIP MultiCore feature enabled, each SIP INVITE may be handled simultaneously on different FW instances and cause memory corruption. |
| PRJ-42698 | VoIP | In some scenarios, when using static NAT, VoIP traffic may be affected. |
| PRJ-39600 | Scalable Platforms | The SMO may frequently go into the Lost -> Down -> Active state because of a memory leak in the FWK process. The issue causes failovers and outages. |
| PRJ-39188 | Scalable Platforms | When a policy is configured with an "SNMP trap alert script", the SNMP trap is sent with an undefined OID. |