R80.40 Jumbo Hotfix Take 211

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

UPDATE: IPS bypass triggers is now activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change results in more effective security measures without unnecessary bypasses.

UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832.

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

• changes in the cloud service configuration,

• stability improvement.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427.

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:

• CPAC-2-40F

• CPAC-2-40F-B

• CPAC-2-40F-C

• CPAC-2-100/25F

• CPAC-2-100/25F-B

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

UPDATE: Added Take 31 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

Deleting a Domain that is connected to an AD Group fails.

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

When closing an application from SmartConsole without changes, a redundant revision is created.

In rare scenarios. in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

An audit log may not be created after running Revert to Revision.

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

In SmartConsole, export of policies with the "Hit count" column may get stuck.

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

• When updating Inline Access Layers, Threat Exceptions, and HTTPS Inspection (TLS) rules, the "Policy Name" field in the Audit Log may be incorrect.

• The "Where used" operation fails for users with read-only permissions.

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178.

SmartConsole may unexpectedly close after deleting an object in the Object Explorer view.

In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete.

When viewing Subordinate CA objects in SmartConsole:

• Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

• The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

  • The fix requires installing SmartConsole R80.40 Build 438.

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.

CPU statistics may be incorrect or missing in CPView.

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

The "Low disk space" warning may be incorrectly displayed in SmartConsole.

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds".

Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609.

When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions.

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

In some scenarios, when IPS is enabled, CPU spikes may occur.

In rare scenarios, the WSDNSD process may restart because of an internal error.

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments.

Benign files scanned by the ICAP Server may not be logged by Anti-Virus blade.

In rare scenarios, updating the NTP Server may cause a temporary outage.

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

In rare scenarios, ICA certificate creation and enrollment fail.

The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148.

When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake.

In some scenarios, the Security Gateway fails to export or import IoC feeds.

Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway.

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the "fwaccel dos deny" feature are configured. See sk182223.

Exporting Custom Intelligence feeds from the management to all the Security Gateways succeeds but the generated log shows that the operation failed.

The ida_tables_util tool may fail with the "bad adress" error.

Policy installation fails when a custom application and user category have the same name.

Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types.

The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds.

In a rare scenario, the Security Gateway may crash during inspection of file downloads.

The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile.

DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy.

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

A FWK process memory leak may occur when canceling the download of a large file in the middle of the process.

A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531.

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

The Security Gateway may crash with vmcore during boot while upgrading.

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios.

Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic.

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

Traffic may be dropped when there are many OSPF routes of type 5.

Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled.

In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error.

The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857.

VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log.

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface.

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

In some scenarios, the VXLAN Driver Kernel may crash.

A memory leak may occur in the CPD process.

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content.

SNMP query does not bring the CPUSE package information for a single OID (not a table).

When changing bond settings, the bond may be missing the global IPv6 Address.

When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error.

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

In some scenarios, SIP TCP connections are dropped after a cluster failover.