R80.40 Jumbo Hotfix Take 198

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

• To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

• To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

• To see the current state of this feature: show audit login-notifier

• To enable this feature (this is the default): set audit login-notifier on

• To disable this feature: set audit login-notifier off

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted.

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out.

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

A scheduled Install Policy Preset may not have its next run time updated when:

• The Multi-Domain Security Management Server was down while the preset was scheduled to run

• There are over 50 presets defined

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

The Security Gateway may crash while inspecting non-HTTP traffic.

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801.

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

Security Gateway may crash when running kernel debugs of the "UP" module.

When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur.

Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705.

Latency in connection caused by a packet flow change from F2V to F2F.

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore.

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

IoC feed may not load because of a parsing issue with the IP address range indicator.

In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled.

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed".

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

In a rare scenario, the Security Gateway may crash during an IPS package update.

A memory leak may occur in the DLPU process.

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

Sending emails with attachments via Capsule Workspace may fail on iOS.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

Traffic may be dropped and the FWACCEL core file is generated.

Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table.

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

After an update, multicast traffic may be dropped.

There may be high CPU utilization and slow recovery of the ROUTED process after a failover.

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

The ROUTED daemon may unexpectedly exit because of multi-threading issues.

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

• Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

• OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

• Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.