R80.40 Jumbo Hotfix Take 198

Note - This Take contains all fixes from all earlier Takes.

Take 198 was released on 19 July 2023 and declared as Recommended on 30 August 2023.

| ID | Product | Description |
|---|---|---|
| PRJ-44574 | Internal CA | NEW: Previously, the Internal CA certificate required a manual renewal process. Now it is automatically renewed one year before its expiration date. |
| PRJ-45488 | Security Management | UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster). |
| PRJ-45293 | Security Management | UPDATE: Added the ability to block policy installation if the policy contradicts another policy already installed on the Security Gateway. In this scenario, the "install-policy" Management API command now fails with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792. |
| PRJ-44950 | IPS | UPDATE: The mapping of IP addresses to country/flag in the Logs & Monitor view > Logs is now updated automatically every day. |
| PRJ-44434 | ClusterXL | UPDATE: Improved the full sync time after a reboot in large-scale environments. Refer to sk180742. |
| PRJ-43603, PRHF-22566 | SecureXL | UPDATE: Added a new kernel parameter that controls the size of the fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" to the new value and install policy. This can prevent fragment drops when the Firewall has multiple instances. |
| PRJ-43967 | VPN | UPDATE: When the VTI MTU differs from the physical MTU, the physical MTU is now used by default for sending packets. Refer to sk98074. |
| PRJ-46914 | VPN | UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets that are not destined to a local IP address to proceed to the Security Association lookup in SecureXL. |
| PRJ-47510 | Gaia OS | UPDATE: Added notifications about Expert mode logins on Gaia servers. Refer to sk181230: 1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor). 2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login). These Gaia Clish commands are available to work with this feature: |
| PRJ-45268 | Gaia OS | UPDATE: Added a defense mechanism against hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311. |
| PRJ-44637 | Gaia OS | UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements. |
| PRJ-44357 | CloudGuard Network | UPDATE: Added support for Data Centers in the AWS ap-southeast-4 (Melbourne) region. |
| PRJ-45470 | CPView | UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521. |
| PRJ-45503 | CPView | UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
| PRJ-45905 | Scalable Platforms | UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
| PRJ-44863 | Scalable Platforms | UPDATE: Added a new log file, /var/log/pull_config_report.log. It contains the summary of the "pull_config" action when it is performed on a member and indicates the reason for pull_config pnotes/failures. |
| PRJ-45386 | HCP | UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436. |
| PRJ-45156 | Security Management | APP_ID may not be initialized when adding a new Check Point application via the API; this may block access to several websites. |
| PRJ-42037 | Security Management | Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)". |
| PRJ-44083 | Security Management | Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514. |
| PRJ-43557, PRJ-42546 | Security Management | In rare scenarios in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897. |
| PRJ-42420 | Security Management | In some scenarios, an upgrade may fail when a Network Group object contains more than 32000 members. |
| PRJ-43184 | Security Management | If a Security Gateway is added to a group after an installation policy preset was configured, the policy may not be installed on that Security Gateway. Refer to sk181461. |
| PRJ-42550 | Security Management | After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes". |
| PRJ-35492 | Security Management | The Data Center object may change its status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted. |
| PRJ-44627, PMTR-90519 | Security Management | There may be many duplicate OCSP responses in the $CPDIR/tmp/curl_crl_ocsp folder. |
| PRJ-44458 | Security Management | In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions. |
| PRJ-45485 | Security Management | In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation". |
| PRJ-45871 | Security Management | In some scenarios, Access Policy Verification fails, but the name of the failed rule is not specified. |
| PRJ-45058 | Security Management | In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858. |
| PRJ-43809 | Security Management | Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584. |
| PRJ-45652 | Security Management | Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service. |
| PRJ-44993 | Security Management | In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out. |
| PRJ-39773 | Security Management | Disabling or enabling rules may not update the "last-modify-time" field in the output of the "show-access-rule" Management API command. |
| PRJ-46396 | Security Management | In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
| PRJ-43689 | Multi-Domain Management | Deleting an entire Domain, including all its Domain Servers, fails if any of the Domain Servers is used in the Domain's policy. |
| PRJ-44449 | Multi-Domain Security Management | In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow and operations take longer than usual. Refer to sk180681. |
| PRJ-45052 | Multi-Domain Security Management | In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked. |
| PRJ-46085 | Multi-Domain Security Management | A scheduled Install Policy Preset may not have its next run time updated when: |
| PRJ-46102 | Multi-Domain Management | In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have a Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983. |
| PRJ-45066 | Multi-Domain Security Management | In rare scenarios, in a Multi-Domain Security Management environment: |
| PRJ-44967 | Multi-Domain Security Management | In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages. |
| PRJ-40736 | Multi-Domain Security Management | Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers. |
| PRJ-46507 | SmartConsole | Data Center objects may not appear as unused objects in the Object Explorer view, although they should. |
| PRJ-44335 | CPView | The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show the traffic distribution for all CPUs. Refer to sk180540. |
| PRJ-41664 | Logging | In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field. |
| PRJ-39253 | Logging | In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server. |
| PRJ-45415 | Logging | Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic. |
| PRJ-38478 | Logging | In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured. |
| PRJ-20170 | Logging | In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes, and the process may exit when it reaches 4 GB of memory. |
| PRJ-41592 | Logging | SmartEvent may generate false Anti-Bot / Anti-Virus logs that do not contain any information. |
| PRJ-46537 | Security Gateway | The FWK process may unexpectedly exit while processing mail flow and generate a core dump file. |
| PRJ-45953 | Security Gateway | When HTTPS Inspection is enabled, website loading in Firefox fails or is slow; after a few seconds, the "NS_ERROR_ABORT" error appears in the Network tab of Firefox. Refer to sk180873. |
| PRJ-41965 | Security Gateway | When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected. |
| PRJ-44309 | Security Gateway | In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to a Security Gateway crash. |
| PRJ-46685 | Security Gateway | When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops. |
| PRJ-46051 | Security Gateway | The Security Gateway may crash while inspecting non-HTTP traffic. |
| PRJ-46332 | Security Gateway | The Security Gateway may crash after a failure in policy installation. |
| PRJ-45481 | Security Gateway | Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command. |
| PRJ-38109 | Security Gateway | In some scenarios, the Security Gateway may crash. |
| PRJ-45801 | Security Gateway | CPD may consume a large amount of CPU on VSX with a large number of interfaces configured (more than 1024). Refer to sk181588. |
| PRJ-44998 | Security Gateway | In a Maestro environment where the members are VSX Gateways, connections over SSH or RDP from a host behind Maestro to a peer may be dropped. |
| PRJ-45395 | Security Gateway | Login to the Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801. |
| PRJ-45494 | Security Gateway | On a Security Gateway with Management Data Plane Separation (MDPS) enabled: |
| PRJ-46338 | Security Gateway | In rare scenarios, memory corruption occurs during packet correction that requires fragmentation; this may cause the Security Gateway to crash or freeze. |
| PRJ-44249 | Security Gateway | When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC address. |
| PRJ-45476 | Security Gateway | The Security Gateway may crash when running kernel debugs of the "UP" module. |
| PRJ-42528 | Security Gateway | In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart. |
| PRJ-44958 | Security Gateway | When Check Point Active Streaming (CPAS) is used and the server's MSS is larger than the client's MSS, packet fragmentation may occur. |
| PRJ-40876 | Security Gateway | In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
| PRJ-45184 | Security Gateway | Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705. |
| PRJ-44750 | Security Gateway | Policy installation may fail with "Error 2000240" because of an IPv6 flow issue. |
| PRJ-42356 | Security Gateway | Connection latency caused by a packet flow change from F2V to F2F. |
| PRJ-44079 | Security Gateway | In an Active/Standby cluster, when downloading a file using the FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated. |
| PRJ-41202 | Security Gateway | SAML authentication fails with an "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625. |
| PRJ-36110 | Security Gateway | When the "mobile" attribute value in Microsoft Active Directory, used as the DynamicID authentication preferred method, is changed to an email address and then back to a phone number, the OTP may still be sent to the email address. |
| PRJ-44230 | Security Gateway | After policy installation, a VSX High Availability Cluster member may fail over and generate a vmcore. |
| PRJ-44918 | Security Gateway | After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in the logs. |
| PRJ-44093 | Security Gateway | In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to a BGP failure. |
| PRJ-41876 | Security Gateway | On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and rebooting, the Security Gateway continues to boot in Kernel Space mode. |
| PRJ-45447 | Security Gateway | When the Security Gateway handles specific HTTP requests, a memory failure may occur. CPView registers an SMEM failure. |
| PRJ-43531 | Security Gateway | The Security Gateway may crash because of a race condition that occurs during an interface change while interface statistics are calculated. |
| PRJ-44853 | Security Gateway | Web Security parsing error "illegal header format detected: Missing quotation mark" for a Content-Disposition header that contains a filename* parameter or an unquoted parameter. |
| PRJ-47125 | Security Gateway | In some scenarios, after an upgrade, the FWD process may unexpectedly exit. |
| PRJ-43854 | Security Gateway | The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX. |
| PRJ-44802 | Threat Prevention | In some scenarios, parsing a custom intelligence feed with IP ranges may fail. |
| PRJ-43995 | Threat Prevention | An IoC feed may not load because of a parsing issue with the IP address range indicator. |
| PRJ-42583 | Threat Prevention | When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced. |
| PRJ-44220 | Threat Prevention | In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although the Anti-Virus and Anti-Bot Blades are enabled. |
| PRJ-44549, PRHF-27765 | Threat Prevention | In some scenarios, the FWD process unexpectedly exits, and the Security Group Members' state flaps between Active and Down during an Anti-Bot Blade update. |
| PRJ-44568 | Threat Prevention | After an upgrade, adding an IoC feed with the IP range indicator type may fail with "Feed format problem. Bad or Empty Feed". |
| PRJ-45560 | Threat Prevention | In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail. |
| PRJ-45810 | Threat Prevention | In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file. |
| PRJ-39345 | Identity Awareness | There may be connectivity issues and high CPU spikes on the PDP when installing policy. |
| PRJ-43745 | Identity Awareness | The output of the "pdp monitor cv_le <agent-version>" command may be incorrect. |
| PRJ-44314 | Content Awareness | When the Content Awareness Blade is enabled, there is a file size limitation (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied to this connection. |
| PRJ-47062 | Application Control | When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur. |
| PRJ-45426 | Application Control | Some TLS 1.3 applications without SNI do not match the rules. |
| PRJ-44381 | Application Control | A buffer overflow may occur and cause the FWD process to exit. In a Maestro environment, this makes the Security Group Members change from the Active to the Down state and creates instability. |
| PRJ-44178 | IPS | In some scenarios, the FWK process may unexpectedly exit while Threat Prevention Blades inspect HTTP traffic. |
| PRJ-42712 | IPS | In a rare scenario, the Security Gateway may crash during an IPS package update. |
| PRJ-47646 | IPS | In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
| PRJ-43581 | DLP | A memory leak may occur in the DLPU process. |
| PRJ-45753 | Anti-Virus | The RAD process CPU utilization may be high when the Anti-Virus engine processes many reverse DNS queries. |
| PRJ-46775 | Anti-Virus | The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026. |
| PRJ-47262 | SSL Inspection | The fwk.elg file may be flooded with "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak. |
| PRJ-45192 | Mobile Access | In rare scenarios, iOS users are unable to send emails using Capsule Workspace business mail. |
| PRJ-44289 | Mobile Access | Some web applications which use the PT or UT link translation methods may have issues after a browser upgrade. |
| PRJ-46400 | Mobile Access | Sending emails with attachments via Capsule Workspace may fail on iOS. |
| PRJ-45347 | ClusterXL | After an upgrade, cluster members may frequently crash, causing instability in the environment. |
| PRJ-46503 | ClusterXL | Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969. |
| PRJ-44453 | ClusterXL | After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and "first packet isn't syn" drops. |
| PRJ-44872 | SecureXL | Traffic may be dropped and an FWACCEL core file is generated. |
| PRJ-44675 | SecureXL | After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped. |
| PRJ-44703 | Routing | Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table. |
| PRJ-42186 | Routing | Routing log messages generated when Standby cluster members reconnect to members in the Master state are not clear. |
| PRJ-44922 | Routing | When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode. |
| PRJ-45377 | Routing | A VRRP/VRRP6 interface may go into the Master/Master state. |
| PRJ-44938 | Routing | After an update, multicast traffic may be dropped. |
| PRJ-44707 | Routing | An IGMP group with an expiration time of 7101 weeks should be deleted when the time reaches 0 seconds, but instead it may remain at 7101 weeks until a membership report is sent, at which point it resets to the interval of that interface. |
| PRJ-41115 | Routing | There may be high CPU utilization and slow recovery of the ROUTED process after a failover. |
| PRJ-41111 | Routing | It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time. |
| PRJ-43408 | Routing | The ROUTED process may repeatedly exit when using PIM in Sparse Mode (SM). |
| PRJ-41329 | Routing | The ROUTED daemon may unexpectedly exit and generate core dumps after an OSPF neighborship was established but did not advertise routes. The lost routing causes the network to go down. |
| PRJ-44257 | Routing | The ROUTED daemon may unexpectedly exit when using PIM and the source IP address is set to "0.0.0.0". |
| PRJ-45182 | Routing | A cluster member may stop sending multicast PIM traffic after a failover or a reboot. Refer to sk180669. |
| PRJ-46126 | Routing | The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths. |
| PRJ-46356 | Routing | Routes marked as "stale" may be redistributed via BGP during graceful restart. |
| PRJ-45831 | Routing | The ROUTED daemon may unexpectedly exit because of multi-threading issues. |
| PRJ-45917 | VPN | The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation. |
| PRJ-46292 | VPN | Users that were moved from one AD group to another are still shown in both Access Role groups when running the "pdp monitor" command. Refer to sk181429. |
| PRJ-40282, PRJ-43711 | VPN | Refer to sk180530. |
| PRJ-44827, PRJ-44989, PRJ-46300, PRHF-28849 | VPN | |
| PRJ-24873 | VPN | VPN endpoint users fail to log in with an ECDSA certificate. |
| PRJ-40911 | VPN | The "failed to terminate session" error is displayed when using RAsession_util to terminate an Endpoint client. |
| PRJ-44665 | VPN | When running "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output. |
| PRJ-43297, PRJ-43593 | VPN | Stability issues for data connections (RDP / RTP / FTP / etc.). Refer to sk179651. |
| PRJ-44087 | VSX | Values provided by the VSX OID tree 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect. |
| PRJ-45003 | VSX | A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command. |
| PRJ-45399 | VSX | Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs. |
| PRJ-45143 | VSX | Some packets may disappear when using the i40e driver and VMAC is configured on the cluster. |
| PRJ-44743 | VSX | A Virtual System's interfaces may be missing when running the Clish command "show/save configuration". |
| PRJ-44120 | VSX | Changing the main IP address of a Virtual Router may cause the FWM process to exit. |
| PRJ-44368 | Gaia OS | SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes its status. |
| PRJ-45861 | Gaia OS | A Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a backup then returns an error. |
| PRJ-40032 | Gaia OS | When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed. |
| PRJ-44236 | Gaia OS | The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added. |
| PRJ-41907 | Gaia OS | Gaia WebUI logs are printed with "info" severity. |
| PRJ-45563, ACCHA-2110 | Gaia OS | The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728. |
| PRJ-45538 | CloudGuard Network | AWS Data Center mapping fails when an interface subnet is missing from the list of subnets. |
| PRJ-45790 | CloudGuard Network | Deleting one hundred or more IP addresses from the Security Gateway at once may fail, resulting in recurrent deletion retries. |
| PRJ-44476 | CloudGuard Network | An Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started. |
| PRJ-44345 | CloudGuard Network | The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381. |
| PRJ-46473 | VoIP | SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file. |
| PRJ-44612 | VoIP | In rare cases, SIP UDP traffic may cause the Security Gateway to crash because of a memory allocation issue. |
| PRJ-32397, PRJ-43515 | VoIP | After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
| PRJ-42615 | Scalable Platforms | The FW process may unexpectedly exit, producing a core dump file. |