R80.40 Jumbo Hotfix Take 87

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 87

Released on 5 November 2020 and declared as Recommended on 22 November 2020

PRJ-15565,
PRHF-12170

Security Management

NEW: In some scenarios, modifying or deleting objects in bulk may cause slow SmartConsole responses and long-running operations. The ability to improve performance in such cases was added. Refer to sk135972.

PRJ-18769,
PRHF-13728

Security Management

NEW: Improved FWM process performance during policy or database installation.

PRJ-14597,
PMTR-48628

Security Management

In some scenarios, Read-Only sessions appear twice in the Sessions view.

PRJ-16263,
PRHF-12488

Security Management

Upgrade from R80.20 or R80.30 may fail if one of the objects does not have a creator.

PRJ-17043,
PMTR-59394

Security Management

In rare scenarios, some objects may be locked and not available for editing. Refer to sk169772.

PRJ-16877

Security Management

In rare scenarios, upgrade from R80.10 may fail with the "Consider using an AFTER trigger instead of a BEFORE trigger to propagate changes to other rows" message in the $MDS_FWDIR/log/postgres.elg file.

PRJ-16288,
PMTR-58215

Security Management

In rare scenarios, IPS or Application Control updates might get stuck at 70% and cannot be launched again until a full restart of the Multi-Domain Management Server.

PRJ-18047,
PRHF-13462

Security Management

In rare scenarios, a Management server may become inaccessible and requires a reboot. Refer to sk170634.

PRJ-13851,
PRJ-17073

Security Management

In some scenarios, the Security Management Server's startup takes a very long time after editing or deleting many Administrators.

PRJ-16288,
PMTR-58215

Security Management

In rare scenarios, IPS or Application Control updates may stop at 70% and cannot be launched again until a full restart of the Management server.

PRJ-16643,
PMTR-58309

Multi-Domain Management

In some scenarios, Domain Management Server is shown in System Domain under Domains View even though it was deleted.

PRJ-17023,
PMTR-58167

Multi-Domain Management

In a Multi-Domain Management environment with Global VPN Community usage, policy installation may fail with an "Internal error" message after upgrade. Refer to sk169157.

PRJ-13796,
PMTR-43231

Multi-Domain Management

In a Multi-Domain Server, domain-related processes may not start when the user runs "evstop" and then "evstart".

PRJ-17070,
PMTR-59232

Multi-Domain Management

In some scenarios, Domain appears in the System Domain without any Domain Servers.

PRJ-12246,
PRHF-10477

Multi-Domain Management

In some scenarios, a Global Administrator connected to the Logging and Monitoring view in MDS cannot see auto-complete suggestions when typing in the logs search box. Refer to sk166752.

PRJ-16313,
PMTR-57777

Multi-Domain Management

After upgrade, a Global VPN Community object defined in the Global Domain is shown as "Unavailable" and a policy installation fails with "Internal error" message.

PRJ-17238,
PMTR-59666

Multi-Domain Management

In Multi-Domain environments with multiple Multi-Domain servers connected in HA, operations such as "Log in" and "Reassign Global Domain" may fail due to high load on the FWM process.

PRJ-13715,
PRHF-10802

Multi-Domain Management

In some scenarios, when installing a policy from a local domain, while a policy installation initiated by the system domain is still in progress, policy installation invoked by the system domain fails. Refer to sk167692.

PRJ-16283,
PRJ-17123

SmartConsole

NEW: Added ability for administrators to view, add, and delete licenses directly from SmartConsole.

  • Requires R80.40 SmartConsole Build 414 (or higher).

PRJ-18775,
PMTR-59827

SmartConsole

In some scenarios, FWM and CPD processes may consume high CPU due to a large number of Security Management/Security Gateway objects in the policy. Refer to sk170256.

PRJ-16861,
PMTR-58850

SmartConsole

New cluster member's IP address may disappear from the "Network Management" view when changing cluster interface type to "Private".

PRJ-17880,
PMTR-60559

SmartConsole

In Global Properties under Stateful Inspection tab, the "TCP end timeout (R80.20 and higher gateways)" option does not support values higher than 60 seconds.

  • Requires R80.40 SmartConsole Build 414 (or higher).

PRJ-17003,
PMTR-48331

SmartConsole

When using SmartConsole CLI, the application may unexpectedly terminate if the input has quotation marks that are not closed.

PRJ-9661,
PRHF-8304

SmartConsole

In rare scenarios, Access policy installation may be incorrectly blocked. A verification incorrectly states that HTTPS Inspection rules do not contain 'Any' or 'Application/Site' objects in the Site Category column, even though they do.

PRJ-16062,
PRHF-12395

SmartConsole

In some scenarios, certain Gateways do not appear in the IPS Core protections list. Refer to sk168474.

PRJ-15999,
PRHF-11455

SmartConsole

When fetching the LDAP server SSL fingerprint on Global Domain, the operation is not finished.

PRJ-17822,
PRHF-11377

SmartConsole

In some scenarios, Network Objects are missing in Implied Rule for Mail Transfer Agent.

  • Requires R80.40 SmartConsole Build 414 (or higher).

PRJ-16468,
PRHF-11438

SmartConsole

Update corporate Gateway procedure takes a long time and may cause login issues and general slowness in the Provisioning GUI.

PRJ-17273,
PRHF-13080

SmartConsole

On Multi-Domain environments, some hardware types may be missing from the hardware selection in the gateway editor. Refer to sk169354.

PRJ-16891,
PMTR-59093

SmartView

In SmartView, after adding a new page to a report, the preview page appears to have no data although it does (the data appears in Edit Mode).

PRJ-16433,
PMTR-53663

SmartView

In SmartView's GDPR Report, some of the text appears in German although the selected language is not German.

PRJ-16999,
PMTR-59317

Logging

UPDATE: Added ability to filter Threat Prevention and Endpoint logs by file size on a Log server machine via Logs & Monitor view in SmartConsole.

PRJ-13350,
PMTR-54708

Logging

In some scenarios, when the user configures the log exporter filter with the "cp_log_export" command (action, origin, product), the filter is not configured properly according to the used format.

PRJ-13623,
PRHF-11057

Logging

LEEF format is not certified with IBM, causing the following issues:

  • Wrong header and wrong value in "cat" field.
  • Duplicate product values in "cat" field.
  • Exported logs contain fields with the same name.

Refer to sk170199.

PRJ-17008,
PMTR-55179

Logging

In some scenarios, the "CGsoapSessions::AuthenticateSession failed, session is not authenticated" message may appear in mds.elg or fwm.elg file. Refer to sk152933.

PRJ-17195,
PMTR-58600

Security Gateway

NEW: Added additional statistics to HTTP/2 in CPView.

PRJ-15830,
PMTR-57650

Security Gateway

In rare scenarios, the "ERROR: dns_reverse_prepare_response_uuids: hash create failed" error is printed to dmesg.

PRJ-19003,
PRHF-13892

Security Gateway

In some scenarios, when using routing separation, connection from data plane to management plane is dropped.

PRJ-17313,
PMTR-59182

Security Gateway

In rare scenarios, Security Gateway memory consumption may increase.

PRJ-16912,
PMTR-59141

Security Gateway

In some scenarios, a timeout occurs when the user enables resource separation via Clish. Refer to sk170372.

PRJ-17088,
PRHF-13025

Security Gateway

When using a routing separation, syslogd does not move to the management plane.

PRJ-11293,
PRHF-8491

Security Gateway

Unused OIDs may appear in SNMP MIB file.

PRJ-14262,
PRHF-11784

Security Gateway

In some scenarios, wrong (too big) SNMP values are displayed when running an SNMP query.

PRJ-17128,
PMTR-58427

Security Gateway

In rare scenarios, Security Gateway memory consumption may increase.

PRJ-16923,
PMTR-59080

Security Gateway

In some scenarios, "misp_rulematch_outgoing: fw_update_routing_opq_out_ifn failed" error appears in dmesg.

PRJ-17703,
PMTR-55080

Security Gateway

In rare scenarios, policy installation fails with a "gen_rpc_service_inspect_func: service mismatch in service_arr" error message. Refer to sk174165.

PRJ-16090,
PRJ-13567

Security Gateway

In some scenarios, policy installation fails with "Error code 0-2000121".

PRJ-17133,
PRHF-12530

Security Gateway

In a rare scenario, the proxy arp table is not generated.

PRJ-13261,
PRHF-9930

Security Gateway

In a rare scenario, traffic is dropped with the "[ERROR]: up_handle_get_matched_service_clob: no clob list on handle for type SERVICE;" error in dmesg.

PRJ-16666,
PRHF-12727

Security Gateway

Security Gateway running in USFW mode (User-Mode Firewall) may crash with fwk core dump. Refer to sk169119.

PRJ-17606,
PRHF-1162

Internal CA

In some scenarios, manual edit of user's certificate expiration period does not take effect. Refer to sk143292.

PRJ-16289,
PMTR-58322

VoIP

NEW: Added support for HopCount field in H323 protocol. Refer to sk169513.

PRJ-16185,
IDA-3176

Identity Awareness

In some scenarios, the Identity Broker Subscriber may crash.

PRJ-12546

Identity Awareness

In some scenarios, there may be enforcement issues due to database corruption in PDP kernel tables.

PRJ-14484,
PMTR-55920

Identity Awareness

SAML (Security Assertion Markup Language) groups mode configuration (pdp idp group status) is not saved after an upgrade.

PRJ-17200,
PMTR-59565

HTTPS Inspection

In a rare scenario, a connection remains open after it is closed by the server, and the web browser may load a page for a long time.

PRJ-12561,
PRHF-8940

Anti-Malware

In some scenarios, users may fail to access a web site with many malicious URLs.

PRJ-13200,
IPS-898

Anti-Malware

Security Gateway may crash when trying to access a site encoded with Base64.

PRJ-15977,
PMTR-57915

UserCheck

In some scenarios, the UserCheck daemon usrchkd may unexpectedly exit.

PRJ-17345,
PMTR-59871

ClusterXL

When a 40000/60000 device is located on the same network segment (same VLAN, same switch) as a ClusterXL environment, the cluster states can flap non-stop between READY and ACTIVE on all cluster members, causing an outage.

PRJ-18534,
PMTR-61276

SecureXL

In rare scenarios, when Wire-Mode is configured on a community, a Security Gateway from another community may not accelerate connections in SecureXL.

PRJ-17451,
PRHF-13029

SecureXL

In some scenarios, CPView may show incorrect statistics for VPN encrypted/decrypted packets.

PRJ-9564,
PRHF-9919

SecureXL

In a rare scenario, the Security Gateway may crash when the Drop Template feature is enabled.

PRJ-16534,
PMTR-54703

Routing

UPDATE: The user does not have to enable logging/accounting in SmartConsole to generate NetFlow records. A new "NetFlow Firewall rule" option was added to configure NetFlow to report per Firewall rule by turning it on and enabling Log/Accounting per rule.

PRJ-15820,
PRHF-12144

VPN

NEW: Performance improvement of VPN tunnel when using SHA-384. Refer to sk168336.

PRJ-16100,
PMTR-62229

VPN

Remote Access VPN policy installation optimization. Refer to sk173947.

PRJ-16866,
PMTR-55844

VPN

Software Blade name inconsistency between login and logout logs of an SNX client.

PRJ-15554,
PMTR-55281

VPN

In some scenarios, the VPN IKEv2 tunnel establishment with LSV peer fails.

PRJ-10035,
CRYPTOIS-661

VPN

In some scenarios, Security Gateway Portals and Remote Access VPN clients show wrong certificate after certificate renewal. Refer to sk131212.

PRJ-17330,
PRHF-12973

VPN

Added VPN IKEv2 improvements.

PRJ-17002,
PRHF-12828

VPN

A connectivity issue may appear between a Check Point Gateway and a 3rd party device in MEP DPD configuration when the 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".

PRJ-16442,
PMTR-56799

VPN

In some scenarios, the VPN tunnel status is displayed as "Up - Phase1" in SmartView Monitor although both phase1 and phase2 are up. Refer to sk169121.

PRJ-16722,
PMTR-57565

VPN

Potential Remote Access connectivity issue when there is more than one external interface.

PRJ-13095,
PRHF-11004

VPN

A RADIUS packet sent by the Security Gateway may show the Framed-IP-Address field in reverse order. Refer to sk167361.

PRJ-12771,
PRHF-10314

VPN

In some scenarios, RADIUS authentication may take more than five minutes to be fulfilled with Endpoint Clients, reaching connection timeout on the Gateway side.

PRJ-16661,
PMTR-52654

VPN

A connectivity issue may appear between a Check Point Gateway and a 3rd party device when using Encryption Domain per Community.

PRJ-15466,
PMTR-56502

Gaia OS

"show asset" command shows the Network card model CPAC-4-1C instead of CPAC-4-1C-L.

PRJ-19050,
PRHF-13949

Gaia OS

In some scenarios, when using routing separation, modifying interface IP address fails.

PRJ-14315,
PRHF-11752

Gaia OS

In rare scenarios, gateway uptime in SmartConsole may show an abnormally high number. Refer to sk167937.

PRJ-17612,
PMTR-49489

Gaia OS

Several features are duplicated (both in WebUI and Clish) in RBA roles configuration/settings.

  • This is a cosmetic issue.

PRJ-16265,
PMTR-55837

Gaia OS

Multi-Queue IRQ affinity is set incorrectly for i40e and MLX interfaces.

PRJ-13459,
EPS-28607

Endpoint Security

NEW: Added ability to enable developer protection feature.

  • Requires R80.40 SmartConsole Build 414 (or higher).

PRJ-16600,
PRHF-12083

Endpoint Security

In some scenarios, Policy server stops syncing with the Endpoint Security Server. Refer to sk168912.

PRJ-14225,
PMTR-56231

Endpoint Security

Push operation may not go through to client due to continuous sync requests.

PRJ-16569,
PRHF-10695

Endpoint Security

An incorrect time interval for checking RSA key generation may cause messages to flood the logs.

PRJ-16892,
PRHF-12888

CloudGuard Network

CloudGuard Controller imports only the first 50 NSX-T groups. Refer to sk169133.

PRJ-17750,
PMTR-60322

CloudGuard Network

In some scenarios, userspace cores may appear on CloudGuard for Azure Gateways with VPN enabled and using AES-GCM-256 and AES-256. Refer to sk169417.