Important Notes for R81.10 Jumbo Hotfix Accumulator

| Issue | Affected Takes | Resolved in | SK | Reference |
|---|---|---|---|---|
| Starting from Take 128, it is possible to import the Database only with upgrade_tool Build #996000540 and higher. | Starting from Take 128 | | | |
| Management data plane separation (MDPS) is not supported with User Space Mode (UPPAK). | Starting from Take 106 | | | |
| Starting from Take 61, Quantum LightSpeed Appliances Initial Release (Threat Prevention Stream) are supported. | Starting from Take 61 | | sk179432 | |
| Uninstalling Take 38 on Maestro Security Gateway may cause a reboot loop. | Starting from Take 38 | | sk178247 | |
| Upon uninstalling Jumbo Hotfix Accumulator, allow re-install of policy on reverted R81.10/R80.20.X Quantum Spark Appliances. | Starting from Take 30 | | sk178509 | |
| Installation of Take 30 or higher on Management / Standalone servers differs from the regular upgrade process: • If you installed both Take 9 and Take 14, we recommend skipping Take 22. Install Take 30 or higher on top of Take 14. • If you installed Take 9, Take 14 and Take 22, installing Take 30 or higher on this machine is not supported. Contact Check Point Support to get assistance with the upgrade process. • Note that uninstalling Take 22 does not resolve the issue. | Starting from Take 14 | | | |
| SSL Network Extender (SNX) may encounter connectivity issues after installing Jumbo Hotfix Accumulator. The issue will be resolved in one of the future Takes. | Starting from Take 128 | | sk181805 | PRJ-52047 |
| Starting from Take 131, a Security Gateway with Anti-Virus enabled can sporadically crash because of memory corruption. | Take 131, Take 132, Take 135 | Take 139 | | PRJ-53598 |
| In a Maestro environment, after installing R81.10 Jumbo Hotfix Accumulator Take 135 and a reboot, members may intermittently go down due to MAC flapping. | Take 135 | Take 139 | | PRJ-53287 |
| VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log. | Take 131, Take 132, Take 135 | Take 139 | | PRJ-53366 |
| In a VSX environment, LACP Bond traffic may fail with the "incomplete ARP" error. | Take 131, Take 132 | Take 135 | | PRJ-52983 |
| The CXLD process may consume the CPU at 70%-100% on VSX cluster members. | Take 113, Take 128, Take 129, Take 130, Take 131 | Take 132 | sk181891 | PRJ-52491 |
| When the NAT Rule Base contains domain objects with uppercase letters, the NAT rules may not be matched. | Take 131 | Take 132 | sk167194 | PRJ-52558 |
| Sizing of IP ranges in NSgroups may affect CPU and memory usage of the CloudGuard Controller process and cause a high load on the environment. | Take 110, Take 113 | Take 130 | sk181614 | PRJ-50417 |
| In the read-only mode in SmartConsole, the "Where used failed" error appears when you right-click an object in the security policy and select "Where Used" from the drop-down menu or use the "where-used" Management API command. | Take 110, Take 113 | Take 128 | sk181471 | PRJ-49204 |
| When a BGP local address is configured, the BGP peer may fail to establish. | Take 110, Take 113 | Take 128 | | PRJ-49905 |
| ARP requests sent with VMAC from the Standby member may cause MAC flapping. | Take 106, Take 107, Take 109, Take 110, Take 113 | Take 128 | | PRJ-50639 |
| In a Maestro/Chassis environment, there may be a delay during TCP start negotiation for fully accelerated connections (FW only) which are distributed asymmetrically. For example, C2S is distributed to member 1_1 and S2C to member 1_2. To maintain the original behavior, follow these steps before starting the Jumbo Hotfix Accumulator upgrade: • Force the sticky behavior in the Correction Layer in the current session: `g_fw ctl set int ccl_force_sticky 1` • Force the sticky behavior in the Correction Layer permanently: `g_update_conf_file fwkern.conf ccl_force_sticky=1` | Take 106, Take 107, Take 109, Take 110, Take 113 | Take 128 | sk181464 | PRJ-49653, PMTR-95476 |
| Uninstalling Jumbo Hotfix Take 106/107 on Maestro Orchestrator (MHO) may cause an outage. | Take 106, Take 107 | Take 109 | | PRJ-47745 |
| When the target object name is long and contains underscore or dash characters, policy installation may fail with "Target is not defined in the database". • Note that the issue is more likely to occur when using Cloud Management Extension (CME), which automatically adds underscore and dash characters to the target names when creating a scale-set instance. | Take 95, Take 106 | Take 107 | | PRJ-47102 |
| If you used a Blink image that includes Take 87 to install Jumbo R81.10, we do not recommend installing Take 93 on top of it, as this may corrupt configuration files. If you did not use this Blink image, install Take 93 as usual. | Take 87, Take 93 | Take 94 | sk179799 | PRJ-45511 |
| When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail. | Take 79, Take 81, Take 82, Take 85, Take 87 | Take 93 | | PRJ-43959 |
| Uninstalling Jumbo Hotfix from Maestro Orchestrator may cause connectivity issues. | Take 79, Take 81, Take 82, Take 85, Take 87 | Take 93 | | PRJ-44600 |
| When installing Take 79 and higher, some of the Maestro Orchestrator's (MHO) processes may go down after the first boot. • This issue can cause connectivity issues. • If a new Security Group Member (SGM) is added to the Security Group, the SGM may not start the joining process. Refer to sk180509. | Take 79, Take 81, Take 82, Take 85, Take 87 | Take 93 | sk180509 | PRJ-44142, PMTR-89728 |
| In VSX, after adding instances to a Virtual System (VS), their state may be inactive. | Take 79, Take 81, Take 82, Take 85 | Take 87 | | PRJ-44014, PMTR-89893 |
| The SNMPD process may consume a high CPU level in a VSX environment and there may be slowness when using the "fw vsx stat" command. | Take 79, Take 81 | Take 82 | sk180324 | PRJ-43356 |
| After an upgrade, the RADIUS Server is unavailable and authentication fails. To restore the configuration, update one of the RADIUS Server attributes or add a new Server. | Take 79, Take 81 | Take 82 | | PRJ-43140 |
| After an upgrade of the on-premises Endpoint Management Server to Jumbo Hotfix Accumulator R81.10 Take 75, login to the Web Management Server fails and the "API error 9999" message is shown. | Take 75, Take 78, Take 79 | Take 81 | sk180230 | PRJ-42687 |
| Pushing configuration to a virtual device in a Maestro VSX environment fails. | Take 75, Take 78 | Take 79 | sk180107 | PRJ-42180, PMTR-81701 |
| Take 61 introduces a temporary solution for sk177605 - R80.x Security Gateways do not block traffic when an R81.x Management Server installs a Threat Prevention policy with Security Zone objects. The solution is to fail the Threat Prevention policy installation. | Take 61, Take 66, Take 75 | Take 78 | sk177605 | PRJ-35185, PRJ-35154 |
| In a specific HTTP connection scenario, the Security Gateway may become unresponsive, and the /var/log/messages file contains these messages at the time of the issue: "FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)". | Take 61, Take 66 | Take 75 | | PRJ-41446, PRHF-25374 |
| VSX Gateway with a Virtual Router (VR) or Virtual Switch (VSW) may drop traffic when the IPS Blade is enabled. | Take 55, Take 61, Take 66, Take 75, Take 78 | Take 79 | | PRJ-41957 |
| On 16600 / 28600HS Quantum Maestro appliances, interfaces may disappear after uninstalling the Jumbo Hotfix. | Take 55, Take 61, Take 66, Take 75 | Take 78 | | PRJ-42199 |
| VPN does not operate correctly on ClusterXL in Load Sharing mode and Scalable Platforms (Quantum Maestro and Chassis). This causes sporadic but frequent traffic drops. | Take 55, Take 61, Take 66 | Take 75 | sk179808 | PRJ-39084, PMTR-79827 |
| When pushing a policy after deleting virtual interfaces, VSX Gateway may crash. | Take 55, Take 61, Take 66 | Take 75 | sk179820 | PRJ-40950, PMTR-85821 |
| If you used a Blink image that includes Take 55 to install Jumbo R81.10, we do not recommend installing Take 66 on top of it, as this may corrupt configuration files. If you did not use this Blink image, install Take 66 as usual. | Take 55, Take 61, Take 66 | Take 75 | sk179799 | PRJ-41205 |
| On Maestro Security Gateway, in some scenarios, the asg_perf_hogs test shows that SecureXL is disabled while it is enabled. We recommend installing the latest HCP Take, which includes these tests. | Take 55, Take 61 | Take 66 | sk179424 | PRJ-39899 |
| On Maestro Security Gateway, the asg_hw_utilization and asg_resource tests have a broken output. We recommend installing the latest HCP Take, which includes these tests. | Take 55 | Take 61 | sk179426 | PRJ-39951, PMTR-74569 |
| A ClusterXL upgrade from Jumbo Hotfix Accumulator R80.30 (or lower) to R81.10 Take 55 is not supported. Use a lower or a higher Take. | Take 55 | Take 61 | sk174510 | PRJ-36616, PMTR-71442 |
| Login or publish operation constantly fails after restarting the Security Management or Multi-Domain Management Server. | Take 45 | Take 55 | sk178807 | PRJ-38877, PRHF-23554 |
| Remote Access Office Mode IP allocation may fail when using DHCP. | Take 38, Take 44, Take 45, Take 55, Take 61, Take 75 | Take 61 | sk178767 | PRJ-38729 |
| SIP flow may fail under high load when SIP Multi-core feature is enabled. | Take 38 | Take 44 | | PRJ-37850, PRHF-22617 |
| Hardened the ability to use narrowed IKEv2 tunnels. | Take 9, Take 14, Take 22, Take 30 | Take 38 | sk166417 | PRJ-31291, PRHF-19707 |