List of All Resolved Issues and New Features in R81.10 Jumbo Hotfix Accumulator
|
Review the Critical Information section before installing a new Take. |

Take | Available Since | Recommended Since |
---|---|---|
10 Mar 2025 |
26 Mar 2025 |
|
23 Feb 2025 |
- |
|
12 Dec 2024 |
22 Dec 2024 |
|
13 Nov 2024 |
- |
|
07 Oct 2024 |
04 Nov 2024 |
|
29 Sep 2024 |
07 Oct 2024 |
|
04 Sep 2024 |
- |
|
20 Aug 2024 |
- |
|
29 Jul 2024 |
12 Aug 2024 |
|
27 Jun 2024 |
- |
|
02 Jun 2024 |
10 Jun 2024 |
|
15 Apr 2024 |
- |
|
19 Mar 2024 |
07 Apr 2024 |
|
12 Feb 2024 |
- |
|
25 Jan 2024 |
- |
|
14 Jan 2024 |
- |
|
18 Dec 2023 |
25 Dec 2023 |
|
13 Nov 2023 |
03 Dec 2023 |
|
06 Nov 2023 |
- |
|
06 Sep 2023 |
- |
|
30 Jul 2023 |
29 Aug 2023 |
|
17 Jul 2023 |
23 Jul 2023 |
|
28 Jun 2023 |
- |
|
08 Jun 2023 |
- |
|
13 Apr 2023 |
15 May 2023 |
|
29 Mar 2023 |
02 Apr 2023 |
|
05 Mar 2023 |
- |
|
19 Jan 2023 |
07 Feb 2023 |
|
12 Jan 2023 |
- |
|
08 Jan 2023 |
- |
|
22 Nov 2022 |
02 Jan 2023 |
|
24 Oct 2022 |
21 Nov 2022 |
|
11 Oct 2022 |
19 Oct 2022 |
|
01 Sep 2022 |
- |
|
29 Jun 2022 |
19 Jul 2022 |
|
02 Jun 2022 |
- |
|
01 May 2022 |
01 Jun 2022 |
|
03 Apr 2022 |
06 Apr 2022 |
|
22 Mar 2022 |
- |
|
22 Feb 2022 |
- |
|
13 Jan 2022 |
20 Jan 2022 |
|
22 Dec 2021 |
02 Jan 2022 |
|
22 Nov 2021 |
- |
|
30 Aug 2021 |
18 Oct 2021 |
ID |
Product |
Description |
---|---|---|
Take 174 Released on 10 March 2025 and declared as Recommended on 26 March 2025 |
||
Take 174 - Improvements and Resolved Issues
|
||
PRJ-59689, SMBGWY-7704 |
VPN |
Remote Access VPN users repeatedly lose connection to resources behind the Gateway. Refer to sk183147. |
Take 173 Released on 23 February 2025 |
||
Take 173 - New Functionality
|
||
PRJ-56795, PRJ-51149, |
Security Management |
NEW: In SmartConsole, the CSV export file of Access Policy NAT rules now contains the hit count data: "Hits", "First Hits" and "Last Hits" columns.
|
PRJ-56655, |
Security Management |
NEW: The "show nat-rule" and "show nat-rulebase" Management API commands now support displaying hit count data with optional date range filtering through the "show-hits true" parameter, allowing users to retrieve hit statistics for NAT rules with flexible time-based querying in JSON format. Syntax examples:
|
PRJ-55617, |
Security Gateway |
NEW: An additional memory leak detection report is now available. Refer to sk35496. |
PRJ-56663, |
Security Gateway |
NEW: Updatable objects can now be updated through the Security Management Server by adding the "<ProxyRoute>1</ProxyRoute>" configuration entry to the $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml file, enabling proxy-based updates. |
PRJ-52904, |
Anti-Bot |
NEW: Added protection that prevents multiple unsuccessful login attempts from Endpoint Security Client users connecting through a Remote Access VPN to the Security Gateway. This protection prevents brute-force attacks on Endpoint Security Client users' passwords. Refer to sk182087. |
PRJ-53877, PRJ-54022, |
Identity Awareness |
NEW: Added new OID (1.3.6.1.4.1.2620.1.38.55) to monitor the Identity Collector connection status in the $CPDIR/lib/snmp/chkpnt.mib file.
|
Take 173 - Improvements and Resolved Issues
|
||
PRJ-58379, PMTR-110261 |
Mobile Access |
UPDATE: Resolved CVE-2024-52887 - Self-XSS vulnerability in Mobile Access Native Applications 'favorites' dialog. Refer to sk183054. |
PRJ-58394, PMTR-110274 |
Mobile Access |
UPDATE: Resolved CVE-2024-52888 - Mobile Access File Share applications are vulnerable to stored XSS attacks. Refer to sk183055. |
PRJ-57489, |
Security Management |
UPDATE: The Management API command "set-https-rule" now automatically sets the negative value to "false" when modifying the destination, source, service, or site-category fields, regardless of its previous setting. |
PRJ-56534, |
Security Management |
UPDATE: The Management API logs outbound payloads to api.elg only for non-"200" response codes. It is now possible to enable the "WRITE_FULL_OUT_PAYLOAD" environment variable to force comprehensive logging of all API call payloads, regardless of the response status. Refer to sk182786. |
PRJ-55605, |
Multi-Domain Security Management |
UPDATE: Added a log print to warn about unsupported SIC reset configurations on Multi-Domain Security Management Server / Multi-Domain Log Management Server and to alert when a Domain lacks an ObjectStoreDomain, which prevents CPM from starting. Refer to sk182533. |
PRJ-57146, |
Security Gateway |
UPDATE: Optimized handling of gzip encoded HTTP traffic to enhance performance under high load conditions. |
PRJ-53147, |
Security Gateway |
UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved performance. |
PRJ-57846, |
Logging |
UPDATE: Enhanced the CLI "cp_log_export" command with additional examples and expanded help documentation. |
PRJ-57526, |
SecureXL |
UPDATE: Improved throughput of GRE tunnels configured on the ports of the 100G Acceleration Card when SecureXL works in the UPPAK mode. |
PRJ-56895, |
Gaia OS |
UPDATE: Added validation rules to ensure file names meet required format when restoring backups using Clish. |
PRJ-51224, |
Gaia OS |
UPDATE: Implemented robust path validation during user deletion to prevent unintended deletion of parent directories. |
PRJ-57902, |
Scalable Platforms |
UPDATE: It is possible to add up to 28 members per site in a Single Site topology. |
PRJ-57569, |
Scalable Platforms |
UPDATE: Optimized policy distribution to Maestro Security Group members to avoid failure under high load conditions. |
PRJ-58994, |
Automatic Updates - CPView |
UPDATE: Added Take 44 of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-58355, ODU-2139, PRJ-58877, ODU-2219, PRJ-59437, ODU-2323 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 124, Take 125 and Take 128 via self-updatable package. Refer to sk170314. |
PRJ-59321, PRJ-58244, ODU-2259 |
Automatic Updates - HCP |
UPDATE: Added Update 21 and Update 22 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-58988, |
Automatic Updates - CPView |
UPDATE: Added Take 141 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-59279, ODU-1579 |
Automatic Updates - Threat Prevention |
UPDATE: Added Update 25 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-57334, |
Security Management |
The on-premises Security Management Server with a proxy address configured may fail to connect to the Infinity Portal. |
PRJ-55883, |
Security Management |
In some scenarios, the webservices_cmas_ports.conf file is not updated after Domain deletion from the Multi-Domain Security Management Server, and contains ports of deleted Domains. |
PRJ-57905, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file. |
PRJ-52759, |
Security Management |
Audit logs may not be generated when changes are made to an inline (shared) layer that appears multiple times within the same policy. |
PRJ-57656, |
Security Management |
In some scenarios, High Availability synchronization fails with "NGM failed to export data" because of invalid Global Domain Assignments. |
PRJ-58272, |
Security Management |
In rare scenarios:
|
PRJ-57067, |
Security Management |
After installing R81.10 Jumbo Hotfix Accumulator Take 150, when browsing to SmartConsole > Manage & Settings > Permissions & Administrator > Administrators, the page may display "Error retrieving results". |
PRJ-56972, |
Security Management |
Using the "set simple-cluster" command without the "members.add" option to add cluster members may result in recreating existing cluster members and potential loss of SIC. |
PRJ-57915, PMTR-43993 |
Security Management |
In rare scenarios, the CPD process may unexpectedly exit and create a core dump file. Refer to sk182787. |
PRJ-57334, |
Security Management |
The on-premises Security Management Server with a proxy address configured may fail to connect to the Infinity Portal. |
PRJ-57780, |
Security Management |
In rare scenarios, publishing Multi-Domain Security Management level changes such as Administrator configuration changes fails. The "Action Failed due to an Internal Error" error is displayed. |
PRJ-59022, |
Security Management |
In rare scenarios, Access Control policy installation may fail with the "Policy installation had failed due to an internal error" error. Refer to sk182963. |
PRJ-57980, |
Multi-Domain Security Management |
In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck.
|
PRJ-58028, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments, Domain creation fails with "Failed to create Domain server "<Domain name>" Permission calculation failed". |
PRJ-57783, |
Multi-Domain Security Management |
In environments where not all Domains are Active on the same Server (for example, in a multi-site environment), and there is no Domain Management Server for a specific Domain, logs from that Domain are not forwarded to the Infinity Portal. |
PRJ-55713, |
Multi-Domain Security Management |
During an upgrade, Global Policy Assignment on Active Domains may fail when performed from the Multi-Domain Security Management Server where the Global Domain is Standby. |
PRJ-57529, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments, login to Smart Console fails. |
PRJ-58517, PMTR-110408 |
Logging |
In some scenarios, in Log Servers or Multi-Domain Log Modules (MLM):
|
PRJ-59398, PRJ-59397 |
Logging |
After an upgrade, Log Sharing feature does not function as expected, "Encountered an internal error" is printed in the Infinity Services view, under Log Sharing status, and LOG_EXPORTER core dumps are generated. Refer to sk183146. See the Critical Information section. |
PRJ-56198, |
Security Gateway |
Large NAT Rule Base (more than 2,000 rules), may lead to high CPU usage during packet processing. |
PRJ-58187, |
Security Gateway |
After an upgrade, Dynamic Balancing does not start. The "dynamic_balancing -p" command returns "Dynamic Balancing is currently Initializing". Refer to sk182615. |
PRJ-57266, PMTR-108660 |
Security Gateway |
DoS protection and connection rate limiting configurations may fail to effectively enforce rules. |
PRJ-56184, |
Security Gateway |
When enabling MDPS using the "set mdps mgmt plane on" command, the "Failed to commit transaction on database" error is shown instead of a message explaining that the management interface should be configured first. |
PRJ-56506, |
Security Gateway |
When using HTTP/2 through a proxy, the Security Gateway may incorrectly add carriage return and newline characters (\r\n) to the X-Forwarded-For (XFF) header. This causes the header to become invalid and results in a connection failure. This issue only occurs when the Gateway is configured as a proxy. |
PRJ-56100, |
Security Gateway |
The server.log file of the ICAP Server is filled with "Failed to scan web object" entries. This is a cosmetic issue. |
PRJ-56909, |
Security Gateway |
The FWK process may unexpectedly exit after policy installation failure. |
PRJ-57960, |
Security Gateway |
In some specific HTTP/2 traffic scenarios, a valid connection may fail. |
PRJ-53322, |
Security Gateway |
PPPoE interface fails to restart when it is disconnected from the Server side. Refer to sk182154. |
PRJ-58089, |
Security Gateway |
When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs. |
PRJ-50697, |
Security Gateway |
Running the "g_tcpdump mcap" with "-C" flag fails with the file matching or captured packets merging error. |
PRJ-58186, |
Security Gateway |
The "dynamic_objects cfo_show" command may fail when the Security Gateway is under heavy load. |
PRJ-57597, |
Security Gateway |
In some scenarios, the FWK process may exit when traffic is inspected by Content Awareness. |
PRJ-58204, |
Security Gateway |
Incorrect Rule Base parameters synchronization logic may lead to the FWK process exit. |
PRJ-54401, |
Security Gateway |
In rare scenarios, after an upgrade, the FWK process may unexpectedly exit because of memory corruption. |
PRJ-50629, |
Security Gateway |
GTP-U traffic may be dropped because of incorrect message type handling. |
PRJ-52410, |
Security Gateway |
The PDPD process memory consumption may be high when using an Azure AD object. |
PRJ-57827, |
Security Gateway |
In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow. |
PRJ-57566, |
Internal CA |
In a rare scenario, when running the cpca_client utility, the CPCA process on the Security Management Server may exit. |
PRJ-56402, |
Internal CA |
The "cpca_dbutil print" command may delete the provided output file content if the input file does not exist. |
PRJ-50231, |
Threat Prevention |
URL-based IoC containing percent-encoded characters may not be properly enforced due to parsing errors. |
PRJ-57134, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, a bypass log entry may not be generated if no Threat Prevention blade is active on the connection. This is a cosmetic issue. |
PRJ-43888, |
Threat Prevention |
Anti-Bot and Anti-Virus may still block traffic to URLs listed in IoC feeds even though these Software Blades are disabled in the Security Gateway/ Cluster object. |
PRJ-49856, |
Threat Prevention |
In a rare scenario, Anti-Virus blade prevents benign traffic due to improper parsing of URL observables in IoC feeds. Refer to sk181519. |
PRJ-56871, |
Identity Awareness |
In rare scenarios:
Refer to sk182613. |
PRJ-58025, PRHF-37011 |
Identity Awareness |
IDA Captive Portal may not be available after Jumbo Hotfix Accumulator installation or after an upgrade using the Blink image. Refer to sk172324. |
PRJ-57044, |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit during policy Installation. |
PRJ-57643, |
Identity Awareness |
In a rare scenario, when fetch_by_SID is enabled, the PDPD process repeatedly exits. Refer to sk182745. |
PRJ-56811, |
Application Control |
An application may not be matched to an Application Control rule. |
PRJ-55651, |
Application Control |
In some scenarios, a custom application does not match a URL Filtering rule. |
PRJ-57763, |
IPS |
In some scenarios, the DNS Tunneling IPS protection does not function as expected. Refer to sk178487. |
PRJ-54398, |
IPS |
In a rare scenario, the FWK may unexpectedly exit because of a memory allocation issue. |
PRJ-56280, |
DLP |
The DLPU process may exit with a core dump file. |
PRJ-57967, |
DLP |
The DLP blade may not block the password-protected files of a specific type, although it should. |
PRJ-58168, |
Anti-Virus |
In a specific scenario involving a long-lived SMTP connection, the memory usage allocated by the Anti-Virus blade steadily increases over time. |
PRJ-58285, |
Anti-Virus |
In a rare scenario, when the Anti-Virus blade is enabled, the Security Gateway may crash during traffic inspection. |
PRJ-56634, |
ClusterXL |
In a cluster environment, proxy flow error may cause repeated log messages in the fwk.elg file: "de_allocate_port: fwx_alloc_global_del failed (second try)". |
PRJ-54382, |
SecureXL |
A Maestro Security Group Member may fail to initialize after enabling IPv6 and is stuck with pull_config pnote. |
PRJ-57610, |
SecureXL |
In some scenarios, after an update of the OS route configuration, there may be a significant delay in traffic passing through the Security Gateway when SecureXL works in the User space (UPPAK) mode. Refer to sk182740. |
PRJ-57680, |
SecureXL |
A memory leak may occur in the SIM process when using DOS/Rate Limiting rules. |
PRJ-56399, |
SecureXL |
When modifying MTU settings on LightSpeed Line Card interfaces with SecureXL working in User mode (UPPAK) and not re-enabling both ports immediately after the change, persistent interface binding errors may be printed in the /var/log/usim_x86.elg file, such as "Failed to bind hairpin Tx 2 to Rx 3 (64 - all ports)". |
PRJ-57799, |
SecureXL |
Policy installation failures may cause "fwaccel dos" commands to stop working. |
PRJ-56418, |
Gaia OS |
Miscalculation of disk space may cause snapshot to fail. |
PRJ-46984, |
Gaia OS |
When working with SNMP traps, Clish may become slow and unresponsive. |
PRJ-54255, |
Gaia OS |
When Gaia's backup retention policy is configured with a maximum of one backup or a disk space allocation smaller than the backup file size, the backup process hangs and requires a device reboot. This also may cause the CONFD daemon to exit. |
PRJ-54154, |
Gaia OS |
When querying VLAN interfaces, instead of returning the ifType specifically for the VLAN interface itself, the SNMP walk returns the ifType of the underlying physical interface that the VLAN is associated with. |
PRJ-58163, |
Gaia OS |
The ROUTED daemon fails to start when a VTI is configured with a local IP address that matches the next-hop address used in the static route configuration. Refer to sk182848. |
PRJ-53603, |
Gaia OS |
Capturing with Check Point Traffic Capture Tool (cppcap) from all devices may lead to high CPU usage and potential performance issues. |
PRJ-57989, |
Routing |
The "iphelper" (IP Broadcast Helper) service may trigger high CPU utilization because of a recursive packet broadcasting loop between network interfaces. |
PRJ-57984, |
Routing |
Static routes may get permanently deleted from the kernel during rapid interface configuration changes when there is a large number of routes. |
PRJ-55553, |
VPN |
Policy installation fails with "ERROR: Duplicate keys <0000001b, ac130265, ac130265> in table vpn_routing_correction" when duplicating keys in a VPN table and "Encryption domain per community" is configured. Refer to sk182353. |
PRJ-57999, |
VPN |
Capsule VPN connectivity failures may occur after a configuration change of the VPND daemon table parameters. |
PRJ-56171, |
VPN |
An ECDH object may be deleted before its associated event is completed processing. |
PRJ-53462, |
VPN |
In some scenarios when Link Selection (LS) is configured, traffic outage may occur after policy installation. |
PRJ-56497, |
VPN |
There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730. |
PRJ-56803, |
VPN |
SSL Network Extender (SNX) traffic on Maestro may be dropped with "vpnk_tcpt invalid negative tunnel id". Refer to sk182806. |
PRJ-54557, |
VPN |
Policy installation in large scale VPN environments may take a long time. |
PRJ-57941, |
VPN |
When configuring machine authentication without an LDAP server, the computer is authenticated during the connection with the RA VPN. However, the logs in SmartConsole do not display the "Authenticated machine ..." message as expected. |
PRJ-56913, |
VSX |
In SmartConsole, in the Device and License Information view, the Compliance Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present. |
PRJ-54637, |
VSX |
The "vsx_util convert_cluster" command may fail and cause the FWM process to exit with a core file. |
PRJ-57393, |
VSX |
Newly pushed VSX configuration on Maestro may not be synchronized on all Security Group Members, causing DOWN state. |
PRJ-57744, |
VSX |
In a rare scenario, the FWM process may exit when running the VSX creation wizard. |
PRJ-57057, PRHF-34508 |
VSX |
After a Jumbo Hotfix upgrade, the Mail Transfer Agent may fail on all Virtual Systems except one. See the Critical Information section. |
PRJ-49285, |
Harmony Endpoint |
Exclusions for Anti-Bot policy created through the WebUI do not correctly handle Cyrillic characters. |
PRJ-54334, |
Scalable Platforms |
When different Network Interface Card models are attached among Maestro Security Group members, it may trigger unnecessary reboots. |
PRJ-37792, |
Scalable Platforms |
When Maestro Hyperscale Orchestrator (MHO) is not reachable, the "mq_mng -s" command becomes unresponsive. |
PRJ-57641, |
Scalable Platforms |
Activation of downgraded Security Group members may fail, preventing the rollback process performed using the "sp_upgrade --revert" command. |
PRJ-57638, |
Scalable Platforms |
Security Group Member may be in Down state during the license distribution to Maestro Security Group members. Refer to sk181245. |
PRJ-57479, PMTR-109043 |
Scalable Platforms |
During a Maestro upgrade, if one of the Security Gateway members becomes unresponsive or enters a DETACH/LOST state, policy installation from SmartConsole fails. |
PRJ-58037, |
Scalable Platforms |
Using the "#" character in the Message of the Day (MOTD) banner message causes SGMs to fail during boot. |
PRJ-57471, |
Scalable Platforms |
In rare scenarios, Interface Active check may cause a Security Gateway crash when probing a local network. |
PRJ-48695, |
Scalable Platforms |
After upgrade:
|
PRJ-56442, |
Carrier Security |
When Carrier Security is enabled, GTP-U packets are incorrectly matched against GTP rules instead of a non-GTP UDP rule, causing drops with the "Unestablished tunnel" error. |
Take 172 Released on 12 December 2024 and declared as Recommended on 22 December 2024 |
||
Take 172 - Improvements and Resolved Issues
|
||
PRJ-58623, PRJ-58621 |
Scalable Platforms |
Maestro Gateway enters a boot loop after installation of R81.10 Jumbo Hotfix Accumulator. Refer to sk182894. See the Critical Information section. |
Take 171 Released on 13 November 2024 |
||
Take 171 - New Functionality
|
||
PRJ-56703, |
Security Management |
NEW: Added a new Management API command which displays API usage statistics - "api stats" . It can be run on the Security Management Server or Multi-Domain Security Management Server. For detailed usage instructions, run "api -h". |
PRJ-54696, PRJ-54695, PRJ-54244, |
CloudGuard Network |
NEW: CloudGuard Controller updates are now performed automatically. Refer to sk181842. |
Take 171 - Improvements and Resolved Issues
|
||
PRJ-56247, |
SmartConsole |
UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Fix for Remote Access VPN and login to SmartConsole, Mobile Access and Identity Awareness Captive Portal. Refer to sk182516. |
PRJ-56316, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.61 to fix: CVE-2023-31122, CVE-2023-43622, CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573. |
PRJ-56881, |
Security Management |
UPDATE: JRE is updated from version 8.0_8.21 to version 8.0_8.26. |
PRJ-55660, |
Security Management |
UPDATE: The "set threat-exception" Management API command now includes the "protection-or-site" parameter. When specified, this parameter adds new values to the existing list of protections or sites, instead of overwriting the current entries. |
PRJ-56610, |
Logging |
UPDATE: Added a count of Session and Connection logs to the "cpstat" command output. |
PRJ-51950, |
Security Gateway |
UPDATE: Added support for log rotation in the avi_del_tmp_files.elg files. Refer to sk113241. |
PRJ-56015, |
Threat Prevention |
UPDATE: Added support for whitelisting IP addresses in external IoC feeds. |
PRJ-48030, |
Threat Emulation |
UPDATE: The maximum size for files uploaded to Threat Emulation can now be configured using the Threat Emulation API. Set the "max_api_request_data_size" attribute to specify the new limit. |
PRJ-49052, |
Identity Awareness |
UPDATE: Identity Collector OIDs for SNMP queries are now available in both $CPDIR/lib/snmp/chkpnt.mib and $FWDIR/conf/identity_server.cps locations. |
PRJ-56482, |
SecureXL |
UPDATE: Improved throughput of GRE tunnels configured on the ports of the 100G Acceleration Card when SecureXL works in the KPPAK mode. |
PRJ-57064, |
SecureXL |
UPDATE:
|
PRJ-57756, PRJ-58095, ODU-2107, ODU-2083 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 121 and Take 123 via self-updatable package. Refer to sk170314. |
PRJ-57704, |
Automatic Updates - CPView |
UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-57708, |
Automatic Updates - CPView |
UPDATE: Added Take 40 of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-56164, |
Security Management |
In some scenarios, the "set-exception-group applied-threat-rules.position" Management API command may add the exception group to an incorrect position. |
PRJ-53259, |
Security Management |
When exporting a policy to a CSV file, the process fails silently if any rule within the policy has a name or comment in UID format. No clear error message is provided to indicate the cause of the failure. |
PRJ-54719, |
Security Management |
In rare scenarios, when Application Control blade is enabled, cloning a policy may fail due to timeout. |
PRJ-54658, |
Security Management |
Several Management API commands, such as "show-package" and "install-policy", may fail if running them after the deletion of a cluster member. |
PRJ-56508, |
Security Management |
In some scenarios, the Security Management Server upgrade fails with "creating default objects and restarting services" during the import phase.
|
PRJ-56613, |
Security Management |
An administrator whose authentication method was changed from "Check Point Password" to a different method in R77.X can still log in using their original Check Point password. |
PRJ-57072, |
Security Management |
In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file. |
PRJ-55668, |
Security Management |
Adding a host object to a network group using the "set-host" Management API command may generate large redundant audit logs. |
PRJ-55689, |
Security Management |
Searching for a Data Center asset IP address in the policy may not return results. |
PRJ-56027, |
Security Management |
When exporting a policy to CSV with hitcount enabled, if the hitcount timeframe is set to anything other than "All", the Hitcount column in the CSV file may appear blank. |
PRJ-55831, |
Security Management |
Global Policy Reassignment may fail with an "An internal error has occurred" message when a custom IPS package is used or was previously used in the system. |
PRJ-42207, |
Security Management |
The Database Installation progress bar may not update during task execution. |
PRJ-50035, |
Security Management |
The "show-domains" Management API command may return partially deleted domains among the results. |
PRJ-52453, |
Security Management |
In some scenarios, Access Control policy verification is stuck at 40 percent. |
PRJ-46462, |
Security Management |
In some scenarios, policy installation using Management API with the "prepare-only" parameter set to "true" may fail with an "internal error" message. |
PRJ-46234, |
Security Management |
Changing the main URL of the UserCheck Portal using the "set simple-gateway" Management API command fails with "DNS failed to resolve the hostname: gateway name" Executed command failed. Changes are discarded". |
PRJ-52756, |
Security Management |
Enabling IPS on Multi-Domain Security Management Server may cause Threat Prevention policy installations to fail due to legacy IPS multi-profile incompatibility. |
PRJ-55704, |
Multi-Domain Security Management |
In rare scenarios, objects are missing from the Gateways & Servers view on the Multi-Domain Security Management level. Refer to sk182641. |
PRJ-56711, |
Multi-Domain Security Management |
In some scenarios, cpmiquerybin core files may appear in /var/log/dump/usermode/ on the Security Management Server. |
PRJ-53993, |
Multi-Domain Security Management |
In some scenarios, Domain deletion may fail with a "delete domain failed: null" message. |
PRJ-56540, |
Multi-Domain Security Management |
In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains. |
PRJ-56530, |
Multi-Domain Security Management |
The Multi-Domain Security Management Server experiences high CPU usage when communicating with the Multi-Domain Log Server. And the cpm.elg log prints the "You have reached the maximum number of active session" error. Refer to sk182738. |
PRJ-57308, |
SmartConsole |
SmartConsole fails to connect with "Unable to connect to server. Server is initializing". Refer to sk182507. |
PRJ-39673, |
SmartConsole |
The "show lsm-cluster" Management API command fails with a "Null Pointer exception: null" message if the "membersNetworkOverride" field is empty. |
PRJ-57420, |
SmartConsole |
In some scenarios, opening new tab in SmartConsole Logging & Monitoring tab fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732. |
PRJ-50431, |
Logging |
In rare scenarios, CPU consumption on the Security Management Server is high and logs are not displayed. |
PRJ-51693, |
Logging |
In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole. However, the new Log Exporter object is not actually generated. |
PRJ-56643, |
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit when the IPS / Application Control / Anti-Virus / Anti-Bot blade is active and the HyperFlow feature is enabled. |
PRJ-56731, |
Security Gateway |
The "asg monitor" command may show the Security Gateway in the "during upgrade" state although a major downgrade is complete. |
PRJ-56700, |
Security Gateway |
Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725. |
PRJ-57352, |
Security Gateway |
When SecureXL User Mode (UPPAK) is enabled and using Passive/Active Streaming with QoS, the Security Gateway may incorrectly drop some traffic. |
PRJ-56721, |
Security Gateway |
The Security Gateway may crash during large memory allocation operations in specific applications. |
PRJ-53809, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-57370, |
Security Gateway |
When adding a new Virtual System, a CPD core dump file may be generated. |
PRJ-54069, |
Security Gateway |
Changing the NAT settings of a host using the "set-host" Management API command succeeds but has no effect unless both the "ipv4-address" and "ipv6-address" parameters are set. |
PRJ-54118, |
Security Gateway |
In a rare scenario, the FWK process may exit when cluster connection synchronization fails. |
PRJ-57253, |
Security Gateway |
In some scenarios, the Security Gateway does not free some packets causing a memory leak. |
PRJ-45939, |
Security Gateway |
Some of the "fw ctl affinity" commands may take longer than expected to display the output. |
PRJ-58099, PMTR-109857 |
Security Gateway |
Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807. See the Critical Information section. |
PRJ-57128, |
Threat Prevention |
Threat Prevention policy installation may fail because of invalid JSON format in the IoC feed feature configuration file. Refer to sk181650. |
PRJ-57748, |
Threat Prevention |
The Threat Prevention policy installation may fail when installing from R81.20 SmartConsole on R80.x Security Gateway. |
PRJ-55376, |
Threat Prevention |
In some scenarios, the TPD daemon may cause high CPU usage because of a large amount of logs. |
PRJ-56329, |
Threat Prevention |
In a rare scenario, the Security Gateway may crash during traffic inspection when holding a connection. |
PRJ-50242, |
Threat Prevention |
In a rare scenario, Anti-Bot and Anti-Virus packages may be seen as not updated in SmartConsole, even though the packages are updated. |
PRJ-53589, |
Identity Awareness |
In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Any groups beyond this limit are disregarded when determining user access roles. |
PRJ-56513, |
Application Control |
The fwk.elg file may be flooded with the "DNS_DATA_SOURCE failed on context 201, executing context 366 exception" messages. Refer to sk182606. |
PRJ-56623, PMTR-107215 |
IPS |
IPS may drop an IPv6 TCP local connection. |
PRJ-54430, |
IPS |
In a rare scenario, when IPS is enabled and logging on a rule that involves IPS is enabled, physical memory usage may rapidly increase. |
PRJ-56041, |
Anti-Virus |
In some scenarios, the Anti-Virus Blade logs on a VSX Gateway may display an incorrect origin IP address. |
PRJ-58111, PMTR-102962 |
ClusterXL |
VSX Cluster Members with VLAN interfaces change their cluster state to "Down" and "Active!" after installing the R81.20 Jumbo Hotfix Accumulator Take 89. Refer to sk182819. See the Critical Information section. |
PRJ-56806, |
SecureXL |
When the VSX Gateway is created, the parameter that determines whether VSX mode is enabled or disabled is not set in SecureXL configuration until a reboot is performed. |
PRJ-56827, |
SecureXL |
The USIM process may occur if CPView stats are collected during the "cpstop" operation for VSX. |
PRJ-57429, |
SecureXL |
When SecureXL User Mode (UPPAK) is enabled and running ESP traffic, packet loss may occur and the "fwconn_key_init_links failed" error is printed. Refer sk182775. |
PRJ-57251, PRJ-57249, |
SecureXL |
In some scenarios, the Security Gateway crashes when SecureXL User Mode (UPPAK) is enabled. |
PRJ-56944, |
SecureXL |
The USIM process exits when attempting to delete an IP address from an empty deny list if that IP address exists in any other deny lists (including the regular deny list or those using IoC feeds). |
PRJ-57428 |
SecureXL |
In some scenarios during low TCP traffic, there is high CPU usage when SecureXL User Mode (UPPAK) is enabled. |
PRJ-57613, |
SecureXL |
The USIM process may unexpectedly exit when these parameters are enabled in the $PPKDIR/conf/simkern.conf file:
|
PRJ-56903, |
Routing |
The ROUTED daemon may exit with a core dump during a BGP or OSPF restart. |
PRJ-56524, |
Routing |
In a ClusterXL environment, a race condition may occur when BGP Graceful Restart is incorrectly configured. If the feature is enabled for some peers but not others, it may lead to permanent loss of network routes. |
PRJ-55305, |
Gaia OS |
The "cpviewd: unable to read from gpio_nuvoton driver module. snmpd: unable to read from gpio_nuvoton driver module" messages may be printed in /var/log/messages. |
PRJ-52907, |
Gaia OS |
In some scenarios when MDPS is enabled, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth7 instead" message appears in /var/log/messages. |
PRJ-56120, |
Gaia OS |
The "Unable to connect to the server, Press OK to reconnect" error is displayed when opening the Network Interfaces tab in the Gaia Portal. Refer to sk182560. |
PRJ-56053, |
Gaia OS |
Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds. |
PRJ-57596, |
VPN |
IKEv2 VPN tunnels experience multiple Child SA timeouts after an upgrade. Refer to sk182735. |
PRJ-51350, |
VPN |
Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason. |
PRJ-50156, PMTR-93643 |
VPN |
When working with iOS devices, after establishing a VPN connection and subsequently disconnecting devices, the "vpn tu tlist" command may display an incorrect device connection status, indicating that a device is still connected. |
PRJ-55886, |
VSX |
Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment. |
PRJ-56479, PMTR-107271 |
VSX |
In some scenarios, the VSX cluster can take extra time to boot up and activate the Virtual Systems. |
PRJ-37243, |
Scalable Platforms |
The gClish scheduled backup retention command is applied to SMO member only and not on all Security Group members as it should. |
PRJ-31708, |
Scalable Platforms |
After a scheduled backup is performed, redundant backup files may be generated on Security Group members. |
PRJ-44696, |
Scalable Platforms |
When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only. |
PRJ-56568, |
Scalable Platforms |
A backup or snapshot operation may fail with the "Another backup is currently in execution" error when the backup file does not exist on any of the members in the Security Group. |
PRJ-56313, |
Scalable Platforms |
The VSX Gateway may cause traffic interruption when SecureXL User Mode (UPPAK) is enabled on systems with multiple physical interfaces. |
PRJ-56968, |
Scalable Platforms |
After upgrade on Quantum Maestro and Scalable Chassis, when working in SecureXL User Mode (UPPAK), policy installation may fail. |
PRJ-48866, |
Scalable Platforms |
Using Image Cloning when the same VMAC feature is enabled may cause a boot loop. |
PRJ-46193, |
Scalable Platforms |
In a Maestro environment, when MDPS is enabled, the "asg if --diag" command reports the "no files matched glob pattern "/sys/class/net/BPEth*/operstate" error. |
PRJ-55683, |
Smart-1 Cloud |
When creating multiple Interoperable Devices with dynamic IP addresses, the duplicate IP addresses may be assigned to Interoperable Devices. Refer to sk181834. |
Take 170 Released on 7 October 2024 and declared as Recommended on 4 November 2024 |
||
Take 170 - New Functionality
|
||
PRJ-55546, |
SmartProvisioning |
NEW: Added a new "show-statuses" boolean parameter to the "show lsm-gateway" and "show lsm-cluster" Management API commands. When set to "true", this parameter displays the Security Policy and Provisioning Settings statuses for the LSM Security Gateway or Cluster. |
Take 170 - Improvements and Resolved Issues
|
||
PRJ-56467, |
Gaia OS |
UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Refer to sk182516 > Login to Gaia Portal. |
PRJ-54682, |
Mobile Access |
UPDATE: Resolved CVE-2024-31497. The Putty version used in the Mobile Access Portal Embedded SSL Network Extender application is upgraded from version 0.80 to version 0.81. |
PRJ-54419, |
Security Management |
UPDATE: Policy installation duration with hundreds of layers is improved by approximately 30%. |
PRJ-54498, |
Security Gateway |
UPDATE: Optimized the Generic Data Center JSON file processing on the Security Gateways to improve performance when handling large numbers of IP ranges. |
PRJ-47654, |
Security Gateway |
UPDATE: Added ability to increase/decrease DNS cache table size. |
PRJ-51070, |
Logging |
UPDATE: Port 8211 now accepts connections with the cipher ECDHE_RSA_AES_256_GCM_SHA384. |
PRJ-55746, |
Threat Prevention |
UPDATE: Added the "trackSettings.forensics" parameter to the "threat-rule" Management API command to enable and disable the "forensics" option in the "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true". |
PRJ-54137, |
SSL Inspection |
UPDATE: Added a log for connections rejected because of short Server certificate public key size (RSA 1024 bits or less, ECDSA 256 bits or less). Refer to sk182224. |
PRJ-56219, |
Scalable Platforms |
UPDATE: It is now possible to add more than fourteen members per site in a Single Site topology. |
PRJ-56680, PRJ-57026, PRJ-57262, ODU-2035, ODU-2019, ODU-1955 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 118 , Take 119, Take 120 via self-updatable package. Refer to sk170314. |
PRJ-57326, |
Automatic Updates - HCP |
UPDATE: Added Update 19 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-56211, |
Security Management |
The database size on the Secondary Management Server increases if dbedit is used without making or saving any changes. Refer to sk182519. |
PRJ-57032, PRHF-30884 |
Security Management |
Log queries fail with the error "Problems have occurred during search" when Domain migration is in progress. This occurs specifically during the execution of "export-management" or "import-management" Management API commands. |
PRJ-55928, |
Security Management |
The Revisions Purge process may stall if initiated after restarting the Security Management Server or Multi-Domain Security Management Server because of remnants of a previously interrupted Revisions Purge operation. |
PRJ-55334, |
Security Management |
In rare scenarios, login to SmartView web application using the Domain IP address or Domain name fails. |
PRJ-55933, |
Security Management |
In rare scenarios, login to SmartConsole fails with a timeout. |
PRJ-55906, |
Security Management |
In rare scenarios, revert to a Database Revision may get stuck on 60% and eventually fail. |
PRJ-55443, |
Security Management |
Accelerated Policy installation may get stuck with the "Policy installation (queued)" status. |
PRJ-55797, |
Security Management |
SmartConsole may close during login because of repeated attempts to discard a non-existent work session. |
PRJ-55331, |
Security Management |
If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance. |
PRJ-55446, |
Security Management |
If any single Data Center fails to register, the registration of all Data Center assets to the Security Management Server also fails. |
PRJ-56002, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file. |
PRJ-56152, |
Security Management |
In rare scenarios, the Revisions tab in SmartConsole shows "Error retrieving results". |
PRJ-54733, PRHF-33948 |
Security Management |
In rare scenarios, the CPD process may unexpectedly exit and create a core dump file. |
PRJ-52057, |
Security Management |
In a Management High Availability environment, the Standby Security Management Server may not update the "Installation date" during policy installation on Security Gateways/Clusters. |
PRJ-54506, |
Multi-Domain Security Management |
Global Domain Assignment may fail with "Internal Error", if the assigned Domain is currently Active on a different Multi-Domain Security Management Server. |
PRJ-50780, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, there may be synchronization timeout errors, and automatic revisions purge may fail. |
PRJ-42134, |
CPView |
In a rare scenario, when running the CPView utility, the Security Gateway may crash. |
PRJ-48771, |
Logging |
The "show logs" Management API command may show partial information for the fields with multiple values. |
PRJ-53218, |
Logging |
When adding a table widget to a SmartView report:
|
PRJ-50616, |
Logging |
The FWD process may exit and cause issues with opening packet capture files on remote members. |
PRJ-54063, |
Logging |
In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file. |
PRJ-46848, |
Logging |
RAD error messages may be printed to the fwk.elg file during cpstop - cpstart on the Security Gateway. The issue is cosmetic only. |
PRJ-41210, |
Logging |
In rare scenarios, the Logs view may display unexpected blank lines or gaps in the chronological sequence of entries. |
PRJ-48104, |
Security Gateway |
Outages may occur when the FWD process exits or restarts and Security Group member goes down triggering Scalable Chassis failover. |
PRJ-54414, |
Security Gateway |
In a VSX Cluster environment, the CPVIEWD daemon may cause a high CPU. |
PRJ-55578, |
Security Gateway |
A buffer overflow may occur in the HTTP flow, affecting the FWK process. |
PRJ-46889, |
Security Gateway |
Incorrect value in the "fwisusfw" register causes improper CPU affinity and dynamic balancing initialization in User Space Firewall mode after an upgrade. Refer to sk182004. |
PRJ-45950, |
Security Gateway |
During policy installation, Rule Base internal error drops may be shown in the SmartConsole logs. Logs related to "dynobjs" may be printed in Messages. |
PRJ-55764, PMTR-104381 |
Threat Prevention |
In rare scenarios, policy installation may fail after an upgrade of a VSX Gateway. |
PRJ-55988, |
Threat Prevention |
In a rare scenario, Threat Prevention policy installation may fail after an over-the-air (OTA) package update of TP_CONF_SERVICE. Refer to sk182572. |
PRJ-56095, |
Threat Prevention |
SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other threat prevention products are disabled. |
PRJ-46348, |
Threat Emulation |
The ICAP client may send the file name under "Content-Disposition" in an unsupported format written as "filename*=" instead of "filename=", and the Threat Emulation blade does not process such files. |
PRJ-51491, |
Threat Emulation |
When using ICAP, filename handling occasionally fails. As a result, the Threat Emulation Blade may not be able to process this specific file. |
PRJ-55459, |
URL Filtering |
In scenarios where there is a heavy load on the machine, the RAD queue can fill up and get clogged by unhandled requests, causing an outage and traffic disruption. |
PRJ-54193, PRHF-31001 |
Anti-Bot |
The Anti-Bot Blade may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494. |
PRJ-54444, |
Mobile Access |
HTTPS access to the Mobile Access Portal may be down. |
PRJ-56221, |
Mobile Access |
The "citrixStrictTicketEnforcement" parameter set in the configuration file may not work as expected. |
PRJ-55633, |
ClusterXL |
After modifying a bond, the Monitored VLANs may disappear. Refer to sk180724. |
PRJ-56010, |
SecureXL |
In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures. |
PRJ-51110, |
SecureXL |
SYN Defender configuration in Inspection Settings on the Security Management Server may not be applied on Accelerated Policy installation. |
PRJ-56075, |
SecureXL |
When SecureXL User Mode (UPPAK) is enabled, in some scenarios, a VSX Security Gateway with many Virtual Systems may crash. |
PRJ-55954, |
SecureXL |
The Security Gateway may crash in Bridge mode or in Non-Bridge mode when the number of MAC addresses in its network interface card's table exceeds the hardware capacity limit. Refer to sk182813. |
PRJ-56432, |
Routing |
Dynamic Routing outage in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation / uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556. |
PRJ-53174, |
Routing |
Graceful Restart may end prematurely in OSPF NSSA areas. |
PRJ-53827, |
Routing |
A multicast outage may occur during failovers caused by interface flaps. |
PRJ-54407, |
Routing |
A multicast outage may occur after a failover triggered by incomplete processing of cluster synchronization messages. |
PRJ-49209, |
VPN |
Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of medium path, Quality of Service (QoS) controls, and VPN. |
PRJ-56037, |
VPN |
During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big". |
PRJ-53012, |
VPN |
The FWK process may crash when establishing multiple VPN tunnels simultaneously at peak rates. |
PRJ-50089, |
VPN |
By default, the VPN permanent tunnel is configured to use "tunnel test" instead of "DPD". This configuration may cause inaccurate permanent tunnel status reporting when connecting to third-party devices. |
PRJ-52892, |
VPN |
The FWK process may exit when Monitor mode is enabled on one of the interfaces. |
PRJ-56672, PRHF-35637 |
VSX |
Memory corruption may occur when a bond interface is configured, leading to a Security Gateway crash with a vmcore or a boot loop. |
PRJ-53309, |
Scalable Platforms |
In Quantum Maestro/Scalable Chassis environments, when using the Threat Prevention Blade in the Security Group, the entitlement_status_collector_db.C files may be inconsistent between the Security Group Members. |
PRJ-51191, |
Scalable Platforms |
Security Group Member in a VSX environment is in a boot loop after creating a new Virtual System with a WRP interface. Refer to sk182476. |
PRJ-55792, |
Scalable Platforms |
The "An error occurred while applying action to several members. Please check the status bar history" error is displayed when changing the Maestro Security Group configuration through Gaia Portal. Refer to sk181691. |
Take 169 Released on 29 September 2024 and declared as Recommended on 7 October 2024 |
||
Take 169 - Improvements and Resolved Issues
|
||
PRJ-57107, PRHF-36116 |
Security Gateway |
Memory leak may occur in SecureXL templates. Refer to sk182648. See the Critical Information section. |
PRJ-57425, PRHF-36390 |
Scalable Platforms |
In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connection going through a Site to Site VPN to a remote location, may be dropped with "First packet isn't SYN". See the Critical Information section. |
Take 165 Released on 4 September 2024 |
||
Take 165 - Improvements and Resolved Issues
|
||
PRJ-56857, PRHF-34283 |
Security Management |
See the Critical Information section. |
PRJ-56891, PRHF-34283 |
Logging |
Suspicious Activity Monitoring (SAM) rules may not be triggered after a Source Block automatic reaction is configured. |
PRJ-56934, PRJ-56932 |
CloudGuard Network |
After an upgrade, the incorrect status of the CloudGuard Controller is displayed in SmartConsole: "Error: 'CloudGuard Controller' is not responding. Verify that 'CloudGuard Controller' is installed on the gateway". Refer to sk182622. |
Take 158 Released on 20 August 2024 |
||
Take 158 - New Functionality
|
||
PRJ-53639, PMTR-102064 |
Security Management |
NEW: Added the ability to unset a persistent environment variable, using the "-u" flag for the override_server_setting.sh script introduced in sk165938. Upon execution, the specified property is now removed from the $MDS_FWDIR/conf/cpmEnvVars.conf file. |
PRJ-36320, PRHF-21090 |
Security Gateway |
NEW: Implemented support for LDAP queries using Windows Security Identifiers (SIDs) as search criteria. |
PRJ-52385, |
Harmony Endpoint |
NEW: Threat Emulation Blade in Endpoint Security Clients version E87.60 and higher now supports the ONE, XAR, and WSF file formats. |
PRJ-53476, |
Scalable Platforms |
NEW: Added Generic Data Center support for Quantum Maestro environments. |
Take 158 - Improvements and Resolved Issues
|
||
PRJ-51535, PMTR-97312 |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.58 to fix CVE-2023-31122, CVE-2023-43622. |
PRJ-55315, |
Gaia OS |
UPDATE: A patch on top of OpenSSL 1.1.1w to fix CVE-2024-2511. Refer to sk182320. |
PRJ-56226, PMTR-106852 |
Gaia OS |
UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. Refer to sk182743. |
PRJ-54495, |
Security Management |
UPDATE: JRE is updated from version 8.0_8.10 to version 8.0_8.21. |
PRJ-53928, |
Security Management |
UPDATE: Modified the content of the https://<ip_adress>/license_management/ page. |
PRJ-50380, |
Security Management |
UPDATE: Various Web Portals on the Management Server (for example, Web SmartConsole, SmartView) no longer accept HTTPS connections to ports 443 and 19009 with specific TLS 1.2 ciphers. Refer to sk181879. |
PRJ-52931, |
Security Management |
UPDATE: When deleting a Secondary Multi-Domain Security Management Server, SmartConsole now shows an "After MDS '<MDS name>' is deleted, you should delete the Secondary Domain Servers from the Domains and revoke their certificates" message. |
PRJ-53953, |
Security Management |
UPDATE: Changed the hardware name "1570R Appliances" to "1570R/1575R Appliances" in the Security Gateway editor in SmartConsole and SmartProvisioning.
|
PRJ-52953, |
Logging |
UPDATE: Enhanced the Access Control log for "Accept" actions with initial matched layers of "IoT" or "Playblocks": The "Layer Name" field now shows the admin-configured layer, alongside Rule Name and Rule Number, allowing administrators to view their preferred match layer rather than defaulting to the first matched layer or inline rule. This change improves visibility into the specific security policy components responsible for accepting traffic. |
PRJ-47489, |
Security Gateway |
UPDATE: Implemented automatic purging of expired SIC certificates on Security Gateways to eliminate memory residues and prevent misuse. |
PRJ-51173, PMTR-97400 |
Security Gateway |
UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL. |
PRJ-51988, |
Security Gateway |
UPDATE: The performance of the thread blocker feature (sk180437) is now improved and the feature is re-enabled. |
PRJ-51531, |
Mobile Access |
UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices. |
PRJ-53918, |
URL Filtering |
UPDATE: When URL Filtering operates in Background Mode and encounters an unclassified connection, instead of being approved automatically, such connection is now accepted or rejected based on Access Rule Base execution, and listed under the "unknown" category. |
PRJ-54589, PMTR-100544 |
Gaia OS |
UPDATE: Extended the "allowed-client" setting to enforce IP restrictions for both password and SSH key authentication methods, providing more comprehensive access control. |
PRJ-55718, |
VPN |
UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1". |
PRJ-54671, |
VoIP |
UPDATE: SIP over UDP requests and responses may be dispatched to different firewall instances when a single-direction rule is defined in the Rule Base, potentially causing returned SIP traffic to be dropped as an unknown connection. To address this, a new global parameter "sip_forward_if_needed" is introduced (disabled by default). When enabled, the Security Gateway forwards responses to the appropriate request instances. Refer to sk182667. |
PRJ-53100, |
Scalable Platforms |
UPDATE: Removed the ability to delete the "_lldp" internal user in Gaia OS to prevent traffic impact. Refer to sk182026. |
PRJ-56192, ODU-1787 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 114 via self-updatable package. Refer to sk170314. |
PRJ-56056, ODU-1923 |
Automatic Updates - HCP |
UPDATE: Added Update 18 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-55913, ODU-1849 |
Automatic Updates - CPView |
UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-55916, |
Automatic Updates - CloudGuard Network |
UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-50935, PRHF-31120 |
Security Management |
SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.
|
PRJ-54004, |
Security Management |
In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".
|
PRJ-46787, PRHF-29046 |
Security Management |
In some scenarios, an upgrade of Security Management Server or Multi-Domain Security Management Server fails with the "Failed: upgrade of "DOMAIN_NAME". For more details see upgrade logs below" error in the upgrade report.
|
PRJ-51501, |
Security Management |
In rare scenarios, an upgrade of a Multi-Domain Security Management Server fails with "Cancelled due to a failure in other domain" in the upgrade report.
|
PRJ-52715, PMTR-100061 |
Security Management |
In rare scenarios, the CPCA process on the Security Management Server / Domain Management Server may exit unexpectedly, creating a core dump file. Refer to sk183101. |
PRJ-52888, |
Security Management |
"Mapping of Data Center [xxxx] failed. Next mapping is in 300 seconds" errors in the CME logs show failed attempts to scan deleted data centers. |
PRJ-52777, |
Security Management |
Objects Explorer search fails with "Error retrieving results" when more than twenty thousand IP addresses match the search criteria. |
PRJ-53506, |
Security Management |
After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and are unable to perform certain management tasks, such as enabling or disabling blades. |
PRJ-49437, PRHF-30400 |
Security Management |
The UPDATE_INSPECT_FILES process of Upgrade Tools may exit with a core dump. |
PRJ-52433, PRHF-31953 |
Security Management |
When Global Domain Assignment fails with the "More than one object named 'XXX' exists" error, not all duplicate objects are listed. |
PRJ-53759, PRHF-32936 |
Security Management |
The "domains_tool -report" command may fail if more than sixteen host objects are defined as DNS Servers in the environment. |
PRJ-54065, PRHF-33349 |
Security Management |
In some scenarios, users may be disconnected from SmartConsole, and an FWM process core dump is generated. |
PRJ-53770, |
Security Management |
In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running with "details-level full". |
PRJ-51120, |
Security Management |
In rare scenarios, if a Star VPN Community object is created, publish operations may fail. |
PRJ-45160, |
Security Management |
In rare scenarios, login to the Security Management Server may fail with timeout and the FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-50843, |
Security Management |
Export of a list of objects from the Global Object Explorer fails with the "Export policy is not supported when rule name is in a format of UUID" error message. |
PRJ-53894, |
Security Management |
In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually. |
PRJ-50754, |
Security Management |
Access to and from the Generic Data Center objects may not be enforced when MDPS configuration is enabled on the Security Gateway. |
PRJ-49056, |
Security Management |
In rare scenarios, publishing a session in SmartConsole fails with the "got at least one duplicate UID in requested list, duplicates UIDs: [XXX]" error. |
PRJ-55522, |
Security Management |
In rare scenarios, the CPD process may exit with core dumps. |
PRJ-48936, |
Security Management |
The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set. |
PRJ-53501, |
Security Management |
In some scenarios, SmartConsole may unexpectedly disconnect. |
PRJ-53453, PRHF-32750 |
Multi-Domain Security Management |
Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".
|
PRJ-51629, |
Multi-Domain Security Management |
In rare scenarios, login to a newly created Domain fails and the CPCA daemon has the "down" status. Refer to sk181798. |
PRJ-53551, |
Multi-Domain Security Management |
When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY". |
PRJ-51516, |
Logging |
Log searches for the same time period may return more results in SmartConsole compared to SmartView. |
PRJ-54060, |
Logging |
In rare scenarios, empty log list may be displayed when selecting a log file to view in SmartConsole. |
PRJ-33620, |
Logging |
Log Exporter may unexpectedly exit when using a non-RSA certificate. |
PRJ-51275, |
Logging |
When adding a table widget to a SmartView report:
|
PRJ-55511, |
Logging |
In some scenarios, the name of the Security Gateway is not shown in the title of the automatic reaction email, although it should be. |
PRJ-51429, |
Logging |
In some scenarios, in Multi-Domain Security Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied. |
PRJ-50261, |
Logging |
In SmartView, some countries are not displayed in the countries picker. |
PRJ-52463, |
Logging |
In SmartView, filtering logs by "event_type" may fail with the "Query failed" error. |
PRJ-50694, |
Logging |
In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800. |
PRJ-51443, |
Logging |
The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB). |
PRJ-52940, PRHF-32194 |
Logging |
In the Logs view, the "TCP-other" and "UDP-other" services are displayed as generic service IDs, for example, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477". |
PRJ-51048, |
Security Gateway |
In some scenarios, websites that use HTTP2 protocol do not load properly. |
PRJ-52773, |
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit. |
PRJ-54627, |
Security Gateway |
In some scenarios, adding sequential IP addresses as MDPS task addresses may fail. |
PRJ-55367, |
Security Gateway |
On appliances with FWD static core affinity, some processes may still be unexpectedly assigned to the FWD core, affecting the performance. |
PRJ-51969, |
Security Gateway |
The CPWD daemon does not restart automatically. |
PRJ-53074, |
Security Gateway |
In some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID". |
PRJ-55952, |
Security Gateway |
Security Gateway running in SecureXL User Mode (UPPAK) may crash during driver removal showing "m_free: mbuf doublefree" in the backtrace. |
PRJ-51479, PMTR-98475 |
Security Gateway |
The RAD process exits and creates a core file on the Security Gateway. |
PRJ-49901, |
Security Gateway |
Kernel Memory usage increases persistently each day on a Security Gateway/Security Group when CGNAT is enabled. Refer to sk182140. |
PRJ-54528, |
Security Gateway |
In some scenarios, the Security Gateway offloads connections to SecureXL in error when the initial route lookup could not find a route for it. |
PRJ-55519, |
SSL Inspection |
In rare scenarios, when HTTPS Inspection is enabled, the FWK process may unexpectedly exit due to memory violation. |
PRJ-52646, |
Internal CA |
CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released. CPCA closes the connection prematurely. |
PRJ-50700, |
Threat Prevention |
The Anti-Virus Blade fails to parse IoC feeds that contain IPv6 addresses. |
PRJ-48309, |
Threat Prevention |
In rare scenarios, when the Anti-Virus, Threat Extraction and Threat Emulation Blades are enabled, some connections that were on hold are dropped. |
PRJ-53200, |
Threat Prevention |
In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops. |
PRJ-51340, |
Identity Awareness |
In some scenarios, the PEPD process may consume a high CPU because of a high rate of identity propagation. Refer to sk182588. |
PRJ-46489, |
Identity Awareness |
Policy Enforcement Point (PEP) logs show a username after the user session is expired. Refer to sk181553. |
PRJ-35860, |
Identity Awareness |
Microsoft Azure Active Directory does not fetch users in the Access Role object and shows "The user directory is still initializing". Refer to sk175983. |
PRJ-43103, |
DLP |
Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs. |
PRJ-53127, |
Anti-Virus |
The DLPU process may unexpectedly exit due to uninitialized memory when the Anti-Virus Blade scans files. Refer to sk182030. |
PRJ-53571, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash due to memory corruption caused by the Anti-Virus Blade. |
PRJ-50980, |
Anti-Virus |
The Anti-Virus Blade may enforce observables from IoC feeds although they were deactivated in SmartConsole. |
PRJ-51153, |
Mobile Access |
Web Application names column width is too narrow to fit in the Mobile Access Portal. Refer to sk181774. |
PRJ-52978, |
Mobile Access |
Enabling the "cvpnd" debug causes the reverseproxy_ssl_debug.log file size to continue growing even after the "reverse proxy" debug is off. |
PRJ-54640, |
Mobile Access |
The HTTPD process of the Mobile Access Portal may exit with a core dump file. |
PRJ-54169, |
ClusterXL |
In rare scenarios, in a cluster environment, the CPDiag tool may crash. |
PRJ-55395, |
SecureXL |
A race condition may occur in a large scale VSX Cluster environment and SecureXL User Mode (UPPAK) is enabled. |
PRJ-54322, |
SecureXL |
In some scenarios, traffic with Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSX Security Gateway. |
PRJ-55565, |
SecureXL |
The USIM process may unexpectedly exit. |
PRJ-55961, PRHF-34753 |
SecureXL |
The duration of each "stop" and "start" API call for the LightSpeed Acceleration interfaces may take several seconds. Refer to sk182585. |
PRJ-54330, |
SecureXL |
In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out. |
PRJ-54427, |
SecureXL |
In some scenarios, the VSX Security Gateway does not initialize the Virtual System correctly when connected to a Virtual Router or Virtual Switch. |
PRJ-54566, PRJ-54569, |
SecureXL |
Some packets on connections to bonded VLAN interfaces may be dropped because of missing interface info. |
PRJ-54602, |
Routing |
Routing BFD sessions using IPv6 global addresses on single-hop interfaces fail to recover after the network interface is administratively disabled and re-enabled. |
PRJ-55343, |
Routing |
OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks due to the omission of an "IP-Address" field in the grace LSA. |
PRJ-52415, PRHF-31929 |
Gaia OS |
SNMP query for OID 1.3.6.1.4.1.2620.1.6.7.5.1.5 (CPU utilization per CPU core) and the "cpstat os -f cpu" command may return an incorrect value. Refer to sk182447. |
PRJ-51019, |
VPN |
Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783. |
PRJ-52911, |
VPN |
SNMP queries show a different number of connected RA VPN users than what is shown in CPView and from CLI. RaUserState information is missing in the SNMP MIB file. |
PRJ-55487, |
VPN |
During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them. |
PRJ-55292, |
VPN |
Configuring a Large Scale VPN (LSV) with IPv6 and establishing a VPN tunnel may cause the FWK process to exit. |
PRJ-53714, |
VPN |
Tunnel testing may fail after an upgrade. Refer to sk182267. |
PRJ-54679, PMTR-104230 |
Multi-Portal |
Under a special routing configuration, an active Cluster member may accept portal traffic (on TCP ports 80 and 443) destined to a Standby member IP address. |
PRJ-54597, |
VSX |
In rare scenarios, the CPD process of the default Virtual System on a VSX Gateway (VS0) gets stuck. |
PRJ-53117, |
VSX |
In a VSX Cluster with IPv6 enabled, after an upgrade, VS's without IPv6 address may fail to install the Access policy. |
PRJ-47807, |
CloudGuard Network |
In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state. |
PRJ-29747, |
Scalable Platforms |
When configuring backup-scheduled/snapshot recurrence via gClish shell with "The <name> job already exists. Please choose another name. Backup schedule failed. The backup will not be scheduled". |
PRJ-48012, |
Scalable Platforms |
When running the "set user username force-password-change yes" command in gClish on Scalable Platforms, the new configuration may not be applied. |
PRJ-49847, |
Scalable Platforms |
Site to Site VPN traffic may be interrupted after installing policy with VSLS. |
PRJ-43740, |
Scalable Platforms |
The "distutil" script may take a long time to run in an environment with many VS's. |
PRJ-50625, |
Carrier Security |
|
Take 156 Released on 29 July 2024 and declared as Recommended on 12 August 2024 |
||
Take 156 - Improvements and Resolved Issues
|
||
PRJ-56149, PRHF-35183 |
Security Management |
When the Compliance Blade is enabled, the FWM process may unexpectedly exit and generate a core dump. Refer to sk182507. See the Critical Information section. |
PRJ-55939, PRHF-34652 |
Security Gateway |
The "up_fw_set_cphwd_template: up_manager_create_template_msg failed; fwhandle_pool_add: Table kbufs - All available pools exhausted" error may be printed in the fwk.elg file during a heavy traffic load. |
PRJ-55956, AAD-1461 |
ClusterXL |
In a ClusterXL environment, the Security Gateway may crash when processing VPN traffic. |
Take 152 Released on 27 June 2024 |
||
Take 152 - New Functionality
|
||
PRJ-51435, |
SSL Inspection |
NEW: Added ability to import PKCS#12 files using AES-256-CBC encryption with PBKDF2-HMAC-SHA-256. This enhancement is designed for use in multi-portal environments and HTTPS Inspection scenarios. |
PRJ-53698, |
Security Management |
NEW:
|
PRJ-48744, PMTR-94089 |
SmartConsole |
NEW: Added support for 3072 bits key size in IKE certificates. To use 3072 bits key size, refer to "HTTPS Portals (Multi-Portal) Certificate, VPN Certificate" section in sk96591. |
Take 152 - Improvements and Resolved Issues
|
||
PRJ-52403, PMTR-99617 |
Security Management |
UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism. |
PRJ-52447, |
Security Management |
UPDATE: Added an ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033. |
PRJ-49860, PMTR-95625 |
CPView |
UPDATE: Added the "SecureXL" filter to the "cpview -m -f" command, which allows to extract to Skyline all the information related to SecureXL drops. Refer to the Skyline Metrics Repository. |
PRJ-54340, |
SSL Network Extender |
UPDATE: SSL Network Extender is updated to version 80008409. |
PRJ-51974, |
SSL Inspection |
UPDATE: If inspection logging is configured, the "Inspect" log now displays the negotiated ciphers and TLS version used for successful inspections, both between the client and the Security Gateway, and between the Security Gateway and the Server. |
PRJ-48176, |
Mobile Access |
UPDATE: jQuery UI is upgraded to version 1.13.2. |
PRJ-53525, |
Gaia OS |
UPDATE: Added Multi-Queue support for Microsoft Azure Network Adapter (MANA) accelerated network interfaces. |
PRJ-51700, |
Harmony Endpoint |
UPDATE: The audit event information when adding or removing Virtual Group members is now unified. The data includes the administrator name and device/user names for both actions. Previously:
|
PRJ-54098, PRJ-54458, PRJ-55300, PRJ-55686, ODU-1779, ODU-1755, ODU-1731, ODU-1667 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 100, Take 102, Take 104 and Take 111 via self-updatable package. Refer to sk170314. |
PRJ-54687, ODU-1707 |
Automatic Updates - CPView |
UPDATE: Added Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-54172, ODU-1683 |
Automatic Updates - CPSDC |
UPDATE: Added Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-54176, PRJ-55581, ODU-1803, ODU-1659 |
Automatic Updates - HCP |
UPDATE: Added Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-50335, PMTR-96420 |
Infrastructure |
UPDATE: Added Python 3.11.4. |
PRJ-50998, |
Security Management |
Install Policy Presets may fail after purging all revisions. Refer to sk181652. |
PRJ-51542, |
Security Management |
Enabling automatic updates of Trusted CAs as described in sk173629 may fail. |
PRJ-52878, PRHF-32383, PRJ-52517, PRHF-32065 |
Security Management |
In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages. |
PRJ-52780, |
Security Management |
When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time. |
PRJ-52018, |
Security Management |
Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled. |
PRJ-52849, |
Security Management |
Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-52914, |
Security Management |
Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected. |
PRJ-51676, |
Security Management |
Global Assignment fails with "Locked for editing by another administrator and need to be published or discarded before the operation can take place". Refer to sk181807. |
PRJ-52790, |
Security Management |
In rare scenarios, High Availability synchronization fails with "Peer is busy". |
PRJ-49361, |
Security Management |
There may be synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Server when a newly created local administrator on the backup Security Management Server makes changes to rules or objects, after the Active role is switched to that Security Management Server. |
PRJ-50372, |
Security Management |
When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message. |
PRJ-53348, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file. |
PRJ-51506, |
Security Management |
The on-premises Security Management Server fails to connect to Infinity Portal when this Server has a proxy configured. |
PRJ-51632, |
Security Management |
In rare scenarios, after an upgrade or a Domain migration:
|
PRJ-51695, |
Security Management |
After a global assignment, when installing policy on several installation targets at once, the log may show an incorrect rule name. |
PRJ-53730, |
Security Management |
Changes Report may allow to list certain directory contents. |
PRJ-55501, PRHF-34248 |
Security Management |
A memory leak may occur in the FWM process leading to SmartConsole connection failures. |
PRJ-54094, |
Security Management |
In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-53340, |
Security Management |
When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string&CURRENTVERCMP" error. |
PRJ-51504, PMTR-98271 |
Security Management |
After a Multi-Domain Security Management upgrade to R81.10 version, some Infinity Portal Services may stop working. |
PRJ-49582, |
Security Management |
In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted. Refer to sk181454. |
PRJ-41780, |
Security Management |
In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view. |
PRJ-52345, |
Security Management |
In some scenarios, the PostgreSQL database fully utilizes disk space on the Standby Security Management Server. |
PRJ-50018, |
Security Management |
It may not be possible to add/set a Threat Prevention Exception with a protection-or-site UID. |
PRJ-51204, |
Security Management |
If all revisions were purged on the Security Management Server, the "show packages details-level full" Management API call may fail. |
PRJ-51513, |
Security Management |
The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt. |
PRJ-52044, |
Security Management |
In some scenarios, the Security Management Server upgrade to R81.20 fails with "java.lang.String incompatible with com.checkpoint.infrastructure.types.CPUUID" in the upgrade report. The issue occurs during the import of the User Data Domain.
|
PRJ-48395, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred" |
PRJ-52969, |
Multi-Domain Security Management |
The "cprlic get" command output may not provide correct information about vSEC licenses. |
PRJ-51271, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails. |
PRJ-53226, |
SmartProvisioning |
The Management API command "set-lsm-gateway" with the "sic.ip-address" parameter may fail with "Establish SIC failed. Reset SIC on gateway and try again." when resetting SIC. |
PRJ-53274, |
SmartProvisioning |
The "show-lsm-gateways" Management API command returns LSM cluster objects besides the LSM Security Gateways. |
PRJ-51569, PMTR-90798 |
SmartConsole |
SmartConsole slowness when adding applications to rules. Refer to sk182063. |
PRJ-52601, PMTR-94461 |
CPView |
In the "cpview -m" command output on the Security Gateway which is an Active Cluster member, "metrics system.network.nat.ports" and "system.network.nat.ports.limit" may not be displayed in the list of available metrics. |
PRJ-52720, |
Logging |
Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options. |
PRJ-51147, |
Logging |
When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677. |
PRJ-49789, |
Logging |
The "cpstat -h log server ip ls -f logging" command fails when running it from Security Management. |
PRJ-53336, |
Logging |
When the "IP Options drop" tracking Global Properties setting is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole. |
PRJ-51326, |
Logging |
In rare scenarios, after an upgrade, the LOG_EXPORTER process may fail to send the log files to SIEM or to the cloud. |
PRJ-44794, |
Logging |
In rare scenarios, the FWD process on the Security Gateway may reach out of memory and produce a core dump file of around 3GB. |
PRJ-52678, |
Security Gateway |
Running GTP traffic may cause a crash on a Security Gateway without a GTP license. |
PRJ-51357, |
Security Gateway |
A highly utilized Security Gateway may crash during policy installation. |
PRJ-53627, |
Security Gateway |
A memory issue may occur in a cluster environment, when SIP inspection is enabled. |
PRJ-41753, |
Security Gateway |
Some debug messages may appear in the /var/log/messages file, although the debug mode is not activated. The issue is cosmetic only. |
PRJ-51438, |
Security Gateway |
A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart. |
PRJ-48816, |
Security Gateway |
After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found". |
PRJ-51945, |
Security Gateway |
In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base. |
PRJ-52795, |
Security Gateway |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router. |
PRJ-51527, |
Security Gateway |
Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are active. Refer to sk181793. |
PRJ-52824, PMTR-100459 |
Security Gateway |
On the Security Management Server, a CPD zombie process may be created. |
PRJ-49047, |
Security Gateway |
In rare scenarios, a file downloaded via HTTP may be corrupted. |
PRJ-52470, |
Security Gateway |
CIFS traffic may cause CPU spikes in the FWK process. |
PRJ-42870, |
Threat Prevention |
After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225. |
PRJ-53490, |
Threat Prevention |
Installation of Threat Prevention Policy fails with the error "No profile defined on GW <Name of Security Gateway Object>" in this scenario:
|
PRJ-53911, |
Threat Prevention |
SSH DPI may not work because of incorrect parsing of the client hello from a non-standard SSH client. |
PRJ-52370, |
Identity Awareness |
After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946. |
PRJ-50513, |
Identity Awareness |
In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration. |
PRJ-52872, |
Identity Awareness |
User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation. |
PRJ-50583, |
Identity Awareness |
During policy installation, users authenticated using the Captive Portal may get disconnected. |
PRJ-52660, |
Anti-Virus |
Some URLs may be blocked by the Anti-Virus blade as malicious, even though the Threat Prevention Rule Base contains an exception rule with a Site/Application object that includes this URL. |
PRJ-53124, |
Anti-Virus |
The DLPU process may frequently exit with a core dump file. |
PRJ-53989, |
Mobile Access |
SAML authentication may fail after installation of Jumbo Hotfix Accumulator R81.10 Take 113. Refer to sk182128. See the Critical Information section. |
PRJ-52047, PRHF-31811 |
Mobile Access |
SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805. See the Critical Information section. |
PRJ-52895, |
ClusterXL |
In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error. |
PRJ-42808, |
ClusterXL |
Cluster members may crash, generating vmcores in /var/log/crash. |
PRJ-50116, |
ClusterXL |
In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also. |
PRJ-44519, |
SecureXL |
Multicast packets received on an interface with PIM disabled can cause multicast packet drops on other interfaces by filling up the kernel routing queue. |
PRJ-53090, |
SecureXL |
In some scenarios, when SecureXL User Mode (UPPAK) is enabled, the Security Gateway crashes during boot up. |
PRJ-53060, |
SecureXL |
During the deny list update process, there is a temporary gap where no IP addresses are blocked, allowing unwanted traffic to pass through the Security Gateway unfiltered. |
PRJ-53787, |
SecureXL |
When the Security Gateway works in SecureXL User Mode (UPPAK), a SIGPIPE signal may cause the USIM process to exit, leading to a system reboot. |
PRJ-54424, |
SecureXL |
In some scenarios, the VSX Security Gateway may fail to properly reroute traffic originating from a Virtual Switch. |
PRJ-53480, |
SecureXL |
In some scenarios, when QoS blade is enabled and SecureXL works in User Mode (UPPAK), Security Gateway may crash with the "invalid data" error. |
PRJ-51621, |
SecureXL |
In some scenarios, fragmented ICMP packets may bypass the DOS/ Rate limiting deny list. |
PRJ-53090, |
SecureXL |
In some scenarios, the Security Gateway crashes during boot up when SecureXL works in User Mode (UPPAK). |
PRJ-50854, |
SecureXL |
There may be a delay in enforcing DOS/ Rate Limiting rules to drop packets when concurrent connection limits are exceeded. |
PRJ-52805, |
SecureXL |
In some scenarios when Route based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address. |
PRJ-53053, ROUT-2968 |
Routing |
BGP peers may experience timeouts when these conditions occur simultaneously:
|
PRJ-53056, |
Routing |
In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization. |
PRJ-51259, |
Routing |
It may not be possible to propagate a newly added static route through OSPF. |
PRJ-53171, |
Routing |
The ROUTED process may unexpectedly exit because of an OSPF assertion failure. |
PRJ-52670, |
Routing |
Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on". |
PRJ-52723, |
Gaia OS |
The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922. |
PRJ-53194, |
Gaia OS |
In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory. |
PRJ-53487, |
Gaia OS |
Some valid interfaces may not be available with running the "set lldp interface" command. |
PRJ-52508, |
Gaia OS |
When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file. |
PRJ-54179, |
Gaia OS |
Removing unused built-in user called "cp_ender" that may appear in Gaia OS after an upgrade. Refer to sk182185. |
PRJ-52948, |
VPN |
When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues. |
PRJ-54240, PMTR-103618 |
VPN |
In a VPN Community with a configuration involving two Security Gateways (a Center Cluster and a Satellite Security Gateway) with IPv6 external and internal interfaces, when attempting to establish a Link Selection Star community between them, the VPN process may unexpectedly exit due to repetitive IKE core crashes on one of the Security Gateways while the other Security Gateway tries to establish a tunnel, resulting in connectivity issues. |
PRJ-33776, |
VPN |
The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic. |
PRJ-52829, |
VPN |
In a rare scenario, in a Maestro environment the first packet of the VPN tunnel is lost or has a large delay. |
PRJ-53848, |
VPN |
After an update, if in VPN if configured with Permanent Tunnels enabled, RAM utilization may increase. |
PRJ-53383, |
VPN |
IPv6 non-VPN traffic may be dropped with "Clear text packet should be encrypted". |
PRJ-50316, PMTR-89274 |
Multi-Portal |
In a rare scenario, after a VSX environment upgrade, connecting Remote Access Client to a newly created VS site using IDP authentication fails with the "This page can't be displayed" error in the embedded browse, but error logs or debugs are missing from the /opt/CPVPNPortal/logs/ directory on VSX and newly created VS. |
PRJ-50571, |
Harmony Endpoint |
In an on-premises environment, large Active Directory groups with more than 1500 members appear empty or have incomplete membership information. |
PRJ-51137, |
Harmony Endpoint |
When duplicate users with the same name and Domain exist in the database or Active Directory, FDE Pre-boot authentication on LAN may fail, not able to identify the user attempting to log in. |
PRJ-46792, |
Scalable Platforms |
An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and therefore may differ between members. |
PRJ-53621, |
Scalable Platforms |
The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members). |
PRJ-52643, |
Scalable Platforms |
After a failover scenario, the "m site-id member-id" command requires reauthentication. |
PRJ-52884, |
Scalable Platforms |
When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are. |
PRJ-53082, |
Scalable Platforms |
Redundant "MHO_stateAgent[3230]: QuidAddon: System not ready yet - attempting to re-init" messages in the /var/log/messages file. |
PRJ-53831, PMTR-73771 |
Scalable Platforms |
Before enabling MDPS, CoreXL Dynamic Balancing (sk164155) must be disabled. |
PRJ-53468, PMTR-97932 |
Scalable Platforms |
In a rare scenario, when a Maestro Security Gateway is active again after a reboot, and LightSpeed is used, the LACP bond may drop incoming and outgoing packets. |
PRJ-55569, PMTR-105246 |
Scalable Platforms |
Traffic outage after policy installation on a Maestro Security Group in the VSX mode that works in the Dual Site configuration. Refer to sk182379. |
PRJ-55517, PMTR-105145 |
Scalable Platforms |
• On Quantum Maestro/Chassis or in ClusterXL, the Security Gateway may crash while processing a VPN/correction flow with a vmcore in /var/log/crash or FWK core in /var/log/dump/usermode/. • The "kernel: xxxxx: tx_timeout" error is printed in /var/log/messages. • PSL drops packets with "PSL Drop: psl_build_pslip failed” message, potentially impacting network performance and streaming capabilities. Refer to sk182463. See the Critical Information section. |
Take 150 Released on 02 June 2024 and declared as Recommended on 10 June 2024 |
||
Take 150 - Improvements and Resolved Issues
|
||
PRJ-55470, |
VPN |
UPDATE: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or lower, and not updated after the upgrade to R80.30, is blocked until the password is reset. Refer to sk182336. |
PRJ-55495, |
VPN |
CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336. |
PRJ-55297 |
Infrastructure |
Installing a Hotfix on top of R81.10 Jumbo Hotfix Accumulator may fail. |
PRJ-55347, |
Threat Prevention |
The "Categorized HTTPS Sites" option does not classify specific websites when "TLS 1.3 hybridized Kyber support" is enabled in the browser. Refer to sk182318. |
Take 141 Released on 15 April 2024 |
||
Take 141 - New Functionality
|
||
PRJ-53676, PRJ-52484 |
Security Management |
NEW: Added ability to R81.10 Security Management Server and Multi-Domain Management Server to manage Quantum Force 9800 / 9700 / 9400 / 9300 / 9200 / 9100 Appliances that run R81.20 Security Gateways. Refer to sk181698.
|
PRJ-49826, |
Application Control |
NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol. This ability is enabled by default.
|
PRJ-50988, |
VPN |
NEW: Added ability to track RAM usage of the VPND process using the "cpstat" command in CLI. Refer to sk181815. |
PRJ-47018, |
VPN |
NEW: Added support for a new tool (shell script) on a Management Server that can show and renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways and VSX Virtual Systems. Refer to sk182070. |
Take 141 - Improvements and Resolved Issues
|
||
PRJ-48779, |
Security Management |
UPDATE: Added validation for new permissions for configuring a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > Run the following script before deleting old files. |
PRJ-49173, |
Security Management |
UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877. |
PRJ-51124, |
Security Gateway |
UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921. |
PRJ-50740, PRHF-30794 |
Security Gateway |
UPDATE: Added an ability to configure objects for the HTTPS Inspection CA using labels.
|
PRJ-50428, PMTR-96484 |
Security Gateway |
UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions. |
PRJ-52674, PRHF-32203 |
Security Gateway |
UPDATE: Fixed CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944. |
PRJ-48095, PMTR-77299 |
CPView |
UPDATE: CPView now shows statistical data also for servers with 256/512 CPU cores. |
PRJ-50976, |
Threat Extraction |
UPDATE: Added an option in ICAP Server for logging benign files scanned by the Anti-Virus Blade. By default, logging for benign files is disabled. To enable it, add the following entry to the ICAP Server configuration file: "LogBenign on". |
PRJ-50499, |
Identity Awareness |
UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways. |
PRJ-45911, |
Identity Awareness |
UPDATE: Implemented monitoring functionality and alerts for tracking the expiration date of Identity Broker certificates. |
PRJ-46625, |
VPN |
UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server. |
PRJ-50914, |
Gaia OS |
UPDATE: When a Gaia OS Server has a Cloning Group feature enabled, it now accepts other Gaia OS Servers that join this Cloning Group over TLS1.2 or higher (over the TCP port 1129). |
PRJ-50318, |
CloudGuard Network |
UPDATE: Updated the Jetty server libraries for CloudGuard Controller to provide enhanced stability, security, and performance. |
PRJ-52862, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region. |
PRJ-51249, |
CloudGuard Network |
UPDATE: The AWS Security Group Data Center object name now includes both the name tag and Security Group name, formatted as "ID <Name tag> <Security Group name>". Previously, only the name tag was included, with the format "ID <Name tag>". This change to include the Security Group name can be enabled by adding the setting "aws.supportSearchGroupName=true" in the vsec.conf file. |
PRJ-53585, ODU-1571 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 97 through self-updatable package. Refer to sk170314. |
PRJ-53540, ODU-1476 |
Automatic Updates - Threat Prevention |
UPDATE: Added Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-52695, ODU-1408 |
Automatic Updates - Smart-1 Cloud |
UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-52866, PRJ-53687, ODU-1595, |
Automatic Updates - HCP |
UPDATE: Added Update 15 and Update 16 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53396, PRJ-53681, ODU-1611, ODU-1563 |
Automatic Updates - CPSDC |
UPDATE: Added Take 31 and Take 33 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-49943, |
Security Management |
In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object. |
PRJ-49943, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-51073, |
Security Management |
Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID. |
PRJ-45022, |
Security Management |
The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected. |
PRJ-50046, |
Security Management |
In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete. |
PRJ-49666, |
Security Management |
The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks. |
PRJ-51595, |
Security Management |
In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822. |
PRJ-51618, |
Security Management |
Deleting a Domain may fail when using the createDomainRecovery.sh script. |
PRJ-52011, |
Security Management |
In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886)". Sk178886 describes a different scenario and does not resolve the issue. |
PRJ-52816, |
Security Management |
If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report. |
PRJ-50766, |
Security Management |
In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed. |
PRJ-50592, |
Security Management |
High Availability synchronization runs after every scheduled Application Control update, even if the Application Control is up to date. |
PRJ-50354, |
Security Management |
SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script. |
PRJ-49952, |
Security Management |
Login to SmartConsole may fail while the Compliance Blade is running a full scan. |
PRJ-50404, PRHF-30796 |
Security Management |
In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to the "Install On" column in Threat Prevention policy, no Security Gateway objects appear. |
PRJ-51278, |
Security Management |
When the value of the "asm_ips_cci" property is updated manually to a number higher than 500,000:
|
PRJ-50213, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters. |
PRJ-50186, |
Security Management |
In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption". |
PRJ-48915, |
Security Management |
In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397. |
PRJ-49344, |
Security Management |
SmartConsole may unexpectedly close after deleting an object in the Object Explorer view. |
PRJ-51088, |
Security Management |
In some scenarios, the change report sent via email by SmartTasks after publishing appears blank, even though there were modifications in the published session. |
PRJ-51067, |
Security Management |
In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time. |
PRJ-51133, PRHF-30631 |
Security Management |
Installing security policy with a rule that contains the "Internet" object in the destination column may fail with error message "Topology is not defined on the policy "Install On" target <cluster object name>", if the target cluster is marked as "Geo Mode in a Cloud". |
PRJ-50407, PRHF-30754 |
Security Management |
The Change Report generated before publishing a session, may contain internal system changes that were made by the user. |
PRJ-50579, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-51084, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments with over two hundred administrators, Domain creation may fail with "Timeout expired while waiting for permissions calculation". |
PRJ-46934, |
SmartConsole |
Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status. |
PRJ-51426, |
Web SmartConsole |
Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6. |
PRJ-51664, |
Web SmartConsole |
An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801. |
PRJ-49973, |
CPView |
CPU statistics may be incorrect or missing in CPView. Refer to sk182286. |
PRJ-44497, |
CPView |
In rare scenarios, CPView does not handle VS context correctly. |
PRJ-48002, |
CPView |
Offload may fail in CPView with "ERROR! Reason not initialized". |
PRJ-48805, |
Logging |
Some attributes in SNMP MIB file may not be accessible. |
PRJ-46287, |
Logging |
In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds". |
PRJ-47315, |
Logging |
When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly. |
PRJ-49389, |
Logging |
In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field. |
PRJ-44686, |
Logging |
When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters. |
PRJ-47983, |
Logging |
Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only. |
PRJ-46206, |
Logging |
Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609. |
PRJ-49864, |
Logging |
In rare cases, the LOG_EXPORTER process exits and the CPWD process does not start it because of the "exit_code 0" error. |
PRJ-48241, |
Logging |
The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706. |
PRJ-44590, PRHF-26975 |
Logging |
In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331. |
PRJ-48321, |
Security Gateway |
The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration. |
PRJ-46202, |
Security Gateway |
In rare scenarios, updating the NTP Server may cause a temporary outage. |
PRJ-50139, |
Security Gateway |
Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments. |
PRJ-49806, |
Security Gateway |
Enabling MDPS fails with the "clish: symbol lookup error: /usr/lib/cli/lib/libcli_mdps.so: undefined symbol: cp_is_usim" error. |
PRJ-50602, |
Security Gateway |
In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow. |
PRJ-47956, |
Security Gateway |
The CPVIEW_API_SERVICE process may exit with a timeout. |
PRJ-49116, |
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit when running an outgoing (a local connection) from the Security Gateway. |
PRJ-52420, |
Security Gateway |
Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object. |
PRJ-48262, |
Security Gateway |
Notifications of SecureXL connection deletion appear unfiltered in the debug output, also when using a debug filter. |
PRJ-50756, |
Security Gateway |
In a rare scenario, because of a memory allocation issue, the Security Gateway may crash and reboot. |
PRJ-47663, |
Security Gateway |
Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages. |
PRJ-51459, |
Security Gateway |
When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:
|
PRJ-52363, |
Security Gateway |
In a VSX environment, the FW_FULL process may exit when running "fw monitor -p all" with the "-v" flag on a specific list of Virtual Systems (VS's) where not all VS's have identical blade configurations enabled. |
PRJ-51608, |
Security Gateway |
The ICAP Server may fail to initialize. |
PRJ-52520, PRHF-31425 |
Security Gateway |
The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process. |
PRJ-47671, PRJ-47667, PRHF-29516, PRHF-29535 |
Security Gateway |
When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries. |
PRJ-51038, PRHF-31146 |
Security Gateway |
The Security Gateway may crash during policy installation. |
PRJ-53084, PMTR-100847 |
Security Gateway |
Security Gateway does not pass traffic through an external interface when it is managed by Smart-1 Cloud, and SecureXL works in User Mode (UPPAK) mode. Refer to sk182016. |
PRJ-50659, |
Security Gateway |
The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address. |
PRJ-50931, |
Security Gateway |
Multiple "fw_fna_hold_prepare: creating table" entries may be printed in /var/log/messages. The issue is cosmetic only. |
PRJ-52563, |
Internal CA |
CRLs may not be recreated after cleaning expired certificates from the ICA database. |
PRJ-43972, |
Threat Prevention |
When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems. |
PRJ-46443, |
Threat Prevention |
Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension. |
PRJ-50051, |
Threat Prevention |
Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the " |
PRJ-46596, |
Threat Extraction |
The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974. |
PRJ-51334, |
Identity Awareness |
When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access. |
PRJ-49435, |
Identity Awareness |
In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers. |
PRJ-45135, |
Identity Awareness |
In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged. |
PRJ-51422, |
Identity Awareness |
In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network. |
PRJ-52026, |
Application Control |
Anti-Spoofing drops packets that arrive at a Security Gateway through interfaces with Topology "External" if there are routes configured for internal interfaces that overlap with routes configured for external interfaces. Refer to sk181768. |
PRJ-43456, |
Application Control |
When a policy contains a white list, some packets may not match the listed applications. |
PRJ-42480, |
IPS |
Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types. |
PRJ-45283, |
IPS |
The "malware_whitelist_domain_tbl error" messages in /var/log/messages file while installing a policy on both cluster members. Refer to sk180614. |
PRJ-50804, |
IPS |
There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade. |
PRJ-51182, |
Anti-Virus |
Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures. |
PRJ-49570, |
Anti-Virus |
The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds. |
PRJ-50528, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash during inspection of file downloads. |
PRJ-49520, |
Anti-Virus |
The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile. |
PRJ-49297, |
Anti-Virus |
Anti-Virus fails to release held connections after the inspection. |
PRJ-49792, |
SSL Inspection |
Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM). |
PRJ-45150, |
SSL Inspection |
When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text. |
PRJ-52366, |
SSL Inspection |
In some scenarios, the FWK process may unexpectedly exit, during installation of HTTPS Inspection policy on the Security Gateway. |
PRJ-50869, |
ClusterXL |
The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue. |
PRJ-48413, |
ClusterXL |
In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem". |
PRJ-52730, PRHF-32237 |
ClusterXL |
When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status. |
PRJ-51587, |
ClusterXL |
The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster. |
PRJ-51177, |
SecureXL |
The Security Gateway may crash with vmcore during boot while upgrading. |
PRJ-48283, |
SecureXL |
The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway. |
PRJ-50926, |
SecureXL |
When attempting to route packets to unresponsive hosts, the CPU utilization may be high. |
PRJ-33123, |
SecureXL |
CPView shows SecureXL drops incorrectly as "0" (zero). |
PRJ-52801, |
SecureXL |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch. |
PRJ-52798, |
SecureXL |
The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list. |
PRJ-51209, PRHF-31259 |
SecureXL |
In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer. |
PRJ-52733, |
Routing |
In networks where multicast groups are manually configured through IGMP if only one membership report is received for a specific <S,G> pair and no further reports follow, it may cause outages. |
PRJ-52653, |
Routing |
A core dump for the ROUTED process is created while changing the Security Gateway PIM configuration from Bootstrap-Candidate to Candidate-RP using the "set pim" command. |
PRJ-52651, PRJ-52658, PRJ-52655, PRHF-31977, PMTR-78961 |
Routing |
Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated. |
PRJ-53568, |
Routing |
In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor. |
PRJ-53855, |
Routing |
ROUTED process assert failure may take place when LSA from a neighbor's retransmission list is freed if that LSA belongs to the max age hold tree that is flooded at max age. |
PRJ-51982, |
Routing |
When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing. |
PRJ-49578, |
Routing |
The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected. |
PRJ-50025, |
Routing |
The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces. |
PRJ-49559, |
VPN |
When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed. |
PRJ-49217, |
VPN |
Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled. |
PRJ-47952, |
VPN |
Establishing an IKEv2 tunnel with Cross AZ Cluster may fail. |
PRJ-50175, |
VSX |
In some scenarios, installing policy via vsx_util may be stuck. |
PRJ-51346, |
VSX |
High CPU usage on SND cores when many interfaces are configured. Refer to sk181860. |
PRJ-49567, |
VSX |
Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages. |
PRJ-51296, PMTR-97905 |
VSX |
When adding a new Virtual System, a CPD core dump file may be generated. |
PRJ-50486, |
Gaia OS |
SNMP query does not bring the CPUSE package information for a single OID (not a table). |
PRJ-46142, |
Gaia OS |
Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content. |
PRJ-51219, |
Gaia OS |
Clish may deny access of a non-local RADIUS user. |
PRJ-50508, |
Gaia OS |
There may be some inconsistent syntax in the "comment" section for interface and static-route commands. |
PRJ-48719, |
Gaia OS |
The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option. |
PRJ-45115, |
Gaia OS |
Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that. |
PRJ-47176, |
Gaia OS |
When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration. |
PRJ-47720, |
Harmony Endpoint |
The Application Scan Push Operation fails to upload an .xml file. Refer to sk181280. |
PRJ-50588, PRHF-30890 |
CloudGuard Network |
In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail. |
PRJ-46989, |
VoIP |
In some scenarios, SIP TCP connections are dropped after a cluster failover. |
PRJ-47994, |
VoIP |
When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525. |
PRJ-50826, |
Scalable Platforms |
In a rare scenario, file system corruption may lead to a failure identifying the Maestro Orchestrator hardware model during the Maestro Orchestrator OS boot process, causing the boot to fail. |
PRJ-44137, |
Scalable Platforms |
If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues. |
PRJ-52531, PMTR-99841 |
Scalable Platforms |
After dynamic routing manager failure and recovery, connections are dropped with a log message "TCP out of state: First packet isn't SYN". Refer to sk181874. |
PRJ-46063, |
Scalable Platforms |
Querying SP Interface Data via SNMP may intermittently fail. |
PRJ-50737, |
Scalable Platforms |
The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674. |
PRJ-49103, |
Scalable Platforms |
When creating a Security Group creation in Maestro Orchestrator WebUI, and the password contains the "(" "&" or ";"characters, the operation fails with "Failed to apply new topology" or with "Gaia Web-UI recognized a non-valid input data". |
PRJ-50680, PRHF-30764 |
Scalable Platforms |
Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed. |
Take 139 Released on 19 March 2024 and declared as Recommended on 7 April 2024 |
||
PRJ-53598, PRJ-53592 |
Security Gateway |
Security Gateway with Anti-Virus blade enabled may sporadically crash because of memory corruption. See the Critical Information section. |
PRJ-53366, PRHF-32706 |
VPN |
VPN IKEv2 negotiation with a third party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS by default offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log. See the Critical Information section. |
PRJ-53287 |
Scalable Platforms |
In a Maestro environment, after installing R81.10 Jumbo Hotfix Accumulator Take 135 and a reboot, members may intermittently go down due to MAC flapping. See the Critical Information section. |
Take 135 Released on 12 February 2024 |
||
PRJ-52627, ODU-1392 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 94 via self-updatable package. Refer to sk170314. |
PRJ-52819, |
CPView |
UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-52595, |
CPView |
UPDATE: Added Take 77 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-52586, |
Threat Prevention |
UPDATE: Added Update 23 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-44134, MBS-16004 |
Scalable Platforms |
Member state may flap between Active and Ready. |
PRJ-51301, PRHF-31310 |
Scalable Platforms |
When using NAT64 rules, Server to Client traffic may be dropped because of the "Out of state" error. |
PRJ-46222, PMTR-88316 |
Scalable Platforms |
During site failover, IPv6 traffic that goes through the Warp interface may be interrupted. |
PRJ-52983, PMTR-99552 |
Scalable Platforms |
In a VSX environment, LACP Bond traffic may fail with the "incomplete ARP" error. See the Critical Information section. |
Take 132 Released on 25 January 2024 |
||
PRJ-52491, PMTR-99615 |
ClusterXL |
The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891. See the Critical Information section. |
PRJ-52558, PMTR-100084 |
Security Gateway |
When in the NAT Rule Base there are domain objects with uppercase letters, the NAT rules may not be matched. Refer to sk167194. See the Critical Information section. |
Take 131 Released on 14 January 2024 |
||
PRJ-51031 |
Security Management |
NEW: Added ability to R81.10 Security Management Server and Multi-Domain Management Server to manage 19000 and 29000 Check Point appliances.
|
PRJ-50368, |
Security Management |
NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers. |
PRJ-50103, PRHF-30325 |
Diagnostics |
UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository. |
PRJ-45064, |
Security Management |
UPDATE: Added support for scheduling automatic purges of the System Data domain. |
PRJ-52356, |
CPView |
UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-33058, |
Logging |
UPDATE: Added a boolean parameter to Management API command for configuring logs distribution between multiple Log Servers - "logs-settings.distribute-logs-between-multiple-active-servers". Syntax: mgmt_cli -r true set simple-gateway name <gw_name> logs-settings.distribute-logs-between-multiple-active-servers <true/false>
|
PRJ-49365, |
Security Gateway |
UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302. |
PRJ-46318, |
Security Gateway |
UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log. |
PRJ-48140, |
Threat Prevention |
UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds. |
PRJ-51510, |
Threat Prevention |
UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-43433, |
Threat Prevention |
UPDATE: It is now possible to add exceptions to external IoC feeds. |
PRJ-52041, |
Threat Extraction |
UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832. |
PRJ-49316 |
Identity Awareness |
UPDATE: Optimized memory consumption of Identity Broker in the synchronization flow. |
PRJ-47915, |
Anti-Virus |
UPDATE: Improved Anti-Virus caching mechanism to prevent generating malicious sub-domains in Background resource categorization mode. |
PRJ-49232, |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 80008407. |
PRJ-43433, |
SecureXL |
UPDATE: It is now possible to add exceptions to external IoC feeds. |
PRJ-48108, |
VSX |
UPDATE: Changed the vsx push configuration log:
|
PRJ-43882, |
VSX |
UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX. |
PRJ-47450, |
Gaia OS |
UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:
|
PRJ-48010, |
Gaia OS |
UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically. |
PRJ-50873, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements. |
PRJ-45236, |
Gaia OS |
UPDATE: SNMP traps for interfaces going up and going down now contains the interface name and description. |
PRJ-47188, |
CloudGuard Network |
UPDATE: Added the "namespace" label to pods in Kubernetes Data Center. |
PRJ-48081, |
CloudGuard Network |
UPDATE: Added support for Azure Scale sets with Flexible orchestration mode. |
PRJ-48789, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region. |
PRJ-47560 |
IoT |
UPDATE: Enabled new docker capabilities on IoT Gateways. |
PRJ-48200, |
Security Management |
Login using the API fails if the Security Management Server has multiple IP addresses and they are not defined on the Management Server object in SmartConsole. |
PRJ-48381, |
Security Management |
In SmartConsole, export of policies with the "Hit count" column may get stuck. |
PRJ-48037, |
Security Management |
An audit log may not be created after running Revert to Revision. |
PRJ-47966, |
Security Management |
In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178. |
PRJ-50029, PMTR-95988 |
Security Management |
The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626. |
PRJ-43289, |
Security Management |
In rare scenarios:
|
PRJ-49195, |
Security Management |
In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated. |
PRJ-47038, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses. |
PRJ-34860, |
Security Management |
In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report. |
PRJ-46828, |
Security Management |
In some scenarios, the "Object is no longer available" validation warning appears for updatable objects. |
PRJ-48370, |
Security Management |
The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util. |
PRJ-49370, |
Security Management |
In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460. |
PRJ-48897, |
Security Management |
In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file. |
PRJ-48691, |
Security Management |
Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user. |
PRJ-33005, |
Security Management |
In SmartConsole, an attempt to view administrators may fail with "Error retrieving results". |
PRJ-48161, |
Security Management |
The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field. |
PRJ-44800, |
Security Management |
In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file. |
PRJ-48200, |
Security Management |
Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole. |
PRJ-48864, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-48441, |
Security Management |
The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined. |
PRJ-45898, |
Security Management |
In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920. |
PRJ-49225, |
Security Management |
In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.
|
PRJ-49883, |
Security Management |
Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report. |
PRJ-49989, |
Security Management |
The "fwm sic_reset" command may fail and generate a core dump. |
PRJ-50435, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-50358, |
Security Management |
In multi-site environments, when using LDAP administrators configured on an external LDAP Server, logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status. |
PRJ-46634, |
Security Management |
Application Control and IPS updates may take a long time. |
PRJ-48704, |
Security Management |
In some scenarios, in High Availability Security Management Server environments, there may be increase of the database on the Security Management Server. |
PRJ-49714, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-49479, |
Multi-Domain Security Management |
When viewing Subordinate CA objects in SmartConsole:
|
PRJ-48796 |
Multi-Domain Security Management |
When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects. |
PRJ-46435, |
SmartProvisioning |
After importing or deleting snort protections in the IPS Protections view, the view may not show the change.
|
PRJ-47342, |
SmartView |
In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message. |
PRJ-47219, |
Logging |
The "fwm logexport" returns "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs. |
PRJ-48342, |
Logging |
In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field. |
PRJ-46187, |
Logging |
When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management side shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent. |
PRJ-48727, |
Logging |
In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud. |
PRJ-47209, |
Security Gateway |
When running the tp_collector tool, the FW_FULL process may unexpectedly exit. |
PRJ-47268, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-44701, |
Security Gateway |
In rare scenarios, the WSDNSD process an RST connection may write to a broken pipe, which causes it to restart constantly. |
PRJ-47331, |
Security Gateway |
When using the "cpstop" command on the Security Gateway, the fw_full core may be generated. |
PRJ-48247, |
Security Gateway |
The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281. |
PRJ-47520, |
Security Gateway |
After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped. |
PRJ-48153, PRHF-29602 |
Security Gateway |
Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet. |
PRJ-44701, |
Security Gateway |
In rare scenarios, the WSDNSD process may restart because of an internal error. |
PRJ-46410, |
Security Gateway |
The Security Gateway may listen to the ports used by NAT. |
PRJ-47370, |
Security Gateway |
The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted. |
PRJ-45693, |
Security Gateway |
The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail. |
PRJ-48022, |
Security Gateway |
In some scenarios, when IPS is enabled, CPU spikes may occur. |
PRJ-48822, |
Security Gateway |
In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway. |
PRJ-48809, |
Security Gateway |
VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481. |
PRJ-50555, |
Threat Prevention |
In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process. |
PRJ-45901, |
Threat Prevention |
The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied. |
PRJ-49877, |
Threat Prevention |
Traffic directed towards a host situated behind the Security Gateway is not blocked. For instance, if an IP address listed in the feed sends an ICMP request, it will reach a host behind the Gateway without being blocked. Refer to sk132193. |
PRJ-49008, PMTR-92233 |
Threat Prevention |
In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update. |
PRJ-47459, |
Threat Prevention |
In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash. |
PRJ-47446, |
Threat Prevention |
When configuring ioc feeds from the management:
|
PRJ-33431 |
Threat Prevention |
In a rare scenario, a memory leak in the FWD process may occur after installing a Threat Prevention policy. |
PRJ-48086, |
Threat Prevention |
An outage may occur when an unsupported SSH cipher is selected. |
PRJ-46884, |
Threat Prevention |
Uploading an IoC file containing invalid characters (for example, quotation marks) may cause failure of Threat Prevention policy installation. |
PRJ-49512, |
Threat Prevention |
In a rare scenario, changes in Threat Prevention Custom Intelligence feeds settings may not be applied after policy installation. |
PRJ-48925, |
Threat Prevention |
Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented. |
PRJ-48429, |
Threat Prevention |
Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy. |
PRJ-47131, |
Threat Prevention |
The output of the "fw amw unload" command shows the policy gets unloaded, however CPVIEW still shows that the blades are enabled. Refer to sk181148. |
PRJ-46904, |
Threat Prevention |
Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039. |
PRJ-46758, |
Identity Awareness |
The ida_tables_util tool may fail with the "bad adress" error. |
PRJ-48274, |
Identity Awareness |
There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417). |
PRJ-47441, |
Identity Awareness |
In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation. |
PRJ-45720, |
Application Control |
Policy installation fails when a custom application and user category have the same name. |
PRJ-46198, |
Application Control |
CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186. |
PRJ-49533, |
Application Control |
In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured. |
PRJ-49044, |
DLP |
The DLP process may unexpectedly exit during policy installation. |
PRJ-47935, |
Anti-Virus |
When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade. |
PRJ-47239, |
Anti-Virus |
Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode. |
PRJ-48972, |
Anti-Virus |
When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked. |
PRJ-48127, |
Anti-Virus |
A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol. |
PRJ-48699, |
SSL Inspection |
A FWK process memory leak may occur when canceling the download of a large file in the middle of the process. |
PRJ-43929, |
ClusterXL |
Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055. |
PRJ-51174 |
ClusterXL |
When working in User Mode (UPPAK), after a reboot, SSH connection to the Standby member may be interrupted because of an ARP failure. |
PRJ-51316 |
ClusterXL |
In some scenarios, it may not be possible to connect to the Security Gateway cluster members when User Mode (UPPAK) is enabled. |
PRJ-50419 |
SecureXL |
High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load. |
PRJ-49682 |
SecureXL |
Latency may occur when packets accelerated by LightSpeed go through connections with a lower than 100K PPS rate. |
PRJ-49796, |
SecureXL |
In some scenarios, the link state of uplink ports may be "Down". |
PRJ-50943, PRJ-50948, PRJ-50951, PRJ-50937, |
SecureXL |
In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch. |
PRJ-48819, |
SecureXL |
Appliances with LightSpeed acceleration enabled may experience cluster failovers, even when the CPUs are not fully utilized (for example, at 30%) and the traffic load is low (as little as 1 GB). |
PRJ-50941, PRJ-50939, |
SecureXL |
In some scenarios, the VSX Security Gateway may crash when sending VPN encrypted traffic through a Virtual Router/Switch. |
PRJ-49794, |
SecureXL |
When modifying the MTU of a master bond interface with LightSpeed subordinate interfaces, it may not be set correctly on the bond itself, although applied correctly on the LightSpeed subordinate interfaces. |
PRJ-48760, |
SecureXL |
The port beacon feature also known as interface discovery or port blinking may not work correctly in User Mode (UPPAK). |
PRJ-49757, |
SecureXL |
Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces. |
PRJ-51471, |
SecureXL |
In some scenarios (when there are more than 64000 connections), the Security Gateway accounting information may not be reported correctly on connections that are accelerated through the Quantum LightSpeed hardware. |
PRJ-48824, |
SecureXL |
In some scenarios, when adding warp interfaces to a Virtual Router or Virtual Switch, the VSX Security Gateway may not properly insert these interfaces into the SecureXL accelerated interfaces list. |
PRJ-49378, PRHF-30056 |
SecureXL |
Syn Defender may not correctly handle reused connections. |
PRJ-37918, |
Routing |
After policy installation, Application Based Routing configuration may be lost, and CLI commands are not shown in the configuration summary. |
PRJ-49240, |
Routing |
If the Security Gateway is in UPPAK mode and a PBR rule directs traffic to a Server on a different subnet, deleting the ARP entry for the Gateway on the Server can disrupt the traffic flow. |
PRJ-50832, |
Routing |
The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios. |
PRJ-49961, |
Routing |
During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message. |
PRJ-49236, |
Routing |
When one of the multiple PIM neighbors goes down on the LAN, there may be outages in multicast traffic. |
PRJ-45127, |
VPN |
Back connection does not function on the Statically NATed Office Mode address as expected. |
PRJ-47243, |
VPN |
IKEv2 tunnels may not synchronize during a Multi-Version Cluster (MVC) upgrade from R80.40, leading to a VPN outage during an upgrade. |
PRJ-46251, |
VPN |
The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857. |
PRJ-42958, |
VPN |
When SCV is enabled, Capsule Connect/ Capsule VPN clients may fail to access internal resources. |
PRJ-49650, |
VPN |
VPN connectivity may be unstable when IPv6 and VPN star communities are configured. |
PRJ-47877, |
Multi-Portal |
The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication. |
PRJ-50312, |
Multi-Portal |
A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway. |
PRJ-50954, |
VSX |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router. |
PRJ-44268, |
VSX |
Vsx_util upgrade or downgrade validation fails on Virtual Systems where policy was never installed. |
PRJ-47398, |
VSX |
When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown. |
PRJ-47796, |
VSX |
A memory leak may occur in the CPD process. |
PRJ-48830, |
VSX |
In some scenarios, the VXLAN Driver Kernel may crash. |
PRJ-46020, |
Gaia OS |
The SNMPD process memory consumption may be high, which causes the process to become unresponsive. |
PRJ-46971, |
Gaia OS |
Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249. |
PRJ-43044, |
Harmony Endpoint |
E2 engine may send an incorrect value of datDate in sync request. |
PRJ-41089, PRHF-23636 |
Harmony Endpoint |
When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers. |
PRJ-51096, |
Harmony Endpoint |
Due to a synchronization issue between the Policy Server and Primary Server, the Endpoint clients may be connected to the Primary Server instead of the Policy Server. |
PRJ-47899, |
CloudGuard Network |
Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed. |
PRJ-47734, |
CloudGuard Network |
After an upgrade, Azure Gov mapping may fail. |
PRJ-50345, |
Scalable Platforms |
When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash. |
PRJ-49466, |
Scalable Platforms |
On a Security Group with MDPS enabled:
After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane. See sk182076. |
PRJ-50347, |
Scalable Platforms |
In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash. |
PRJ-46574, |
Scalable Platforms |
In a Maestro environment, LACP bond subordinates may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and subordinates is significantly high. |
PRJ-47372, |
Scalable Platforms |
|
PRJ-50746, |
Scalable Platforms |
Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data. |
PRJ-49069 |
Scalable Platforms |
If multiple Quantum LightSpeed interfaces are added or removed on a bond interface before rebooting the Security Gateway, traffic may not go through. |
PRJ-48723, |
Scalable Platforms |
When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only. |
PRJ-48929, |
Scalable Platforms |
Connectivity issues may occur in a Maestro Security Group when VLAN encapsulation is disabled on Orchestrators in a Maestro Dual Site environment. Refer to sk181385. |
PRJ-40755, |
Scalable Platforms |
Additional reboot is performed when adding a new member to a Security Group with image clone enabled. |
PRJ-44500, |
Scalable Platforms |
Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file. |
PRJ-48987, |
Scalable Platforms |
The Security Gateway may lose connectivity to Maestro Hyperscale Orchestrator (MHO) when running the "tcpdump -i any" command. |
PRJ-48852, |
Scalable Platforms |
In a Maestro Orchestrator environment, the "orch_stat -p" command may bring the "invalid literal for int() with base 10" error message. |
PRJ-45520, |
Scalable Platforms |
Reboot may take a long time. |
PRJ-46647, |
Scalable Platforms |
In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW). |
Take 130 Released on 18 December 2023 and declared as Recommended on 25 December 2023 |
||
PRJ-50417, PRHF-30748 |
CloudGuard Network |
UPDATE: The automatic scanning of NSX-T IP ranges feature is now disabled by default. Refer to sk181614. See the Critical Information section. |
PRJ-51598, SMB-16203 |
Security Management |
In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803. |
Take 129 Released on 13 November 2023 and declared as Recommended on 3 December 2023 |
||
PRJ-50898, PRHF-31187 |
Security Gateway |
A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security. |
Take 128 Released on 6 November 2023 |
||
PRJ-49938, PRJ-49979 |
Security Management |
UPDATE: Removed a redundant rule-assistant.war package. |
PRJ-49824, PMTR-95347 |
Security Management |
UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22. |
PRJ-49695, PMTR-96310 |
Security Management |
UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3. |
PRJ-49786, PMTR-95614 |
Security Management |
UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies. |
PRJ-49891, PMTR-95687 |
Security Management |
UPDATE: Removed a redundant guava package. |
PRJ-50264, PRJ-49965, PRJ-49011, ODU-1137, ODU-1256, ODU-1304 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 81, Take 85, Take 88 and Take 90 via self-updatable package. Refer to sk170314. |
PRJ-49108, PMTR-94517 |
SmartConsole |
UPDATE: Applied security related improvements to the Jetty open source library. |
PRJ-50325, PRJ-50324, PRJ-50124, ODU-1217 |
CPView |
UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-50042, |
CPView |
UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458. |
PRJ-50092, PRHF-30702 |
Security Gateway |
UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability. |
PRJ-49493, |
Threat Prevention |
UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-49745, PMTR-95099 |
Mobile Access |
UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default. |
PRJ-49937, PRJ-49936 |
Harmony Endpoint |
UPDATE: Upgraded symmetricDS to the 3.14.9 version. |
PRJ-45980, |
Scalable Platforms |
UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-50542, |
HCP |
UPDATE: Added Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-48878, |
Security Management |
|
PRJ-49204, |
Security Management |
Refer to sk181471. See the Critical Information section. |
PRJ-50082, PMTR-96031 |
Threat Prevention |
In rare scenarios, the FW1 process may stop working when at least one of these features is enabled:
|
PRJ-50190, PMTR-96205 |
IPS |
Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6. |
PRJ-50639, |
ClusterXL |
ARP requests sent with VMAC from the Standby member may cause MAC flapping. See the Critical Information section. |
PRJ-49905, |
Routing |
When BGP local address is configured, BGP peer may fail to establish. See the Critical Information section. |
PRJ-49653, |
Scalable Platforms |
In a Quantum Maestro / Scalable Chassis environment, there may be a delay during TCP start negotiation for fully accelerated connections, which are distributed asymmetrically. For example, C2S distribute to member 1_1 and S2C to member 1_2. To maintain the original behavior (prior to R81.10 Jumbo Hotfix Take 128), follow these steps before starting the Jumbo Hotfix Accumulator upgrade:
Refer to sk181464. See R80.20 SmartConsole Releases. |
Take 113 Released on 6 September 2023 |
||
PRJ-47121, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-48299, |
SmartConsole |
UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.
|
PRJ-48317, |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 81 via a self-updatable package. Refer to sk170314. |
PRJ-46557, |
Security Gateway |
UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632. |
PRJ-44320, |
Threat Prevention |
UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable. |
PRJ-44243, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-46315, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically. |
PRJ-47677, |
VPN |
UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN. |
PRJ-44280, |
VSX |
UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode. |
PRJ-48339, |
CloudGuard Network |
UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-45727, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-45771, |
Scalable Platforms |
UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>". |
PRJ-48196, |
Scalable Platforms |
UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway. |
PRJ-48404, |
HCP |
UPDATE: Added Update 13 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-45988, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-44472, |
Security Management |
Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message. |
PRJ-46731, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-46796, |
Security Management |
The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054. |
PRJ-45440, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-46016, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-47258, PRJ-47235, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-41548, |
Security Management |
QoS policy cannot be installed if the policy package name contains a dot symbol. |
PRJ-41244, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-44987, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-46003, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object. |
PRJ-45799, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-41460, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-47011, |
Security Management |
The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>". |
PRJ-47050, |
Security Management |
In rare scenarios. in a Multi-Domain Security Management environment:
|
PRJ-45782, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-47046, |
Security Management |
In rare scenarios, after an upgrade, the Security Management Server may fail to start. |
PRJ-47042, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-45034, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-46782, |
Security Management |
In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install. |
PRJ-47169, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-46699, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-40589, |
SmartConsole |
SmartConsole may crash while checking for updates.
|
PRJ-47469, |
CPUSE |
Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation. |
PRJ-45040, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-41167, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-44207, |
Logging |
Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields. |
PRJ-45324, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-39450, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-46840, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail. |
PRJ-44115, |
Security Gateway |
High CPU is consumed when there are many rules with apps in the Access Rule Base. Refer to sk181264. |
PRJ-47889, |
Security Gateway |
When enabling Management Data Plane Separation (MDPS) in Clish, a "Failed to commit the transaction on database" error message may be displayed. |
PRJ-44618, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-44189, |
Security Gateway |
The Security Gateway may crash due to a memory issue. |
PRJ-47558, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47325, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade. |
PRJ-46377, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-45343, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-47602, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-43727, |
Threat Prevention |
In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic. |
PRJ-48191, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters. |
PRJ-46837, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-44691, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import IoC feeds. |
PRJ-44766, |
Threat Prevention |
Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway. |
PRJ-46117, |
Threat Emulation |
Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance. |
PRJ-47749, |
IPS |
In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
PRJ-45836, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47784, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-47182, |
SSL Inspection |
The Security Gateway may fail to enforce certificate blacklisting. |
PRJ-47203, |
Mobile Access |
When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols. |
PRJ-47107, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-45198, |
ClusterXL |
In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection". |
PRJ-44275, |
ClusterXL |
A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531. |
PRJ-44773, |
SecureXL |
The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646. |
PRJ-43639, |
SecureXL |
In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability. |
PRJ-47487, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-43248, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-47940, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48117, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-47801, |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come up. |
PRJ-41794, |
Routing |
Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic. |
PRJ-44956, |
VPN |
A potential leak in VPN tunnels in a Multi-Version Cluster. |
PRJ-41391, |
VPN |
When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established. |
PRJ-47492, |
VPN |
Potential VPN outage during policy installation. |
PRJ-42939, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-47837, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-44300, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed. |
PRJ-43878, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-49350, |
VSX |
In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823. |
PRJ-46275, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47773, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-41337, |
Harmony Endpoint |
When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll"error. |
PRJ-43571, |
Harmony Endpoint |
After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to “None”. And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed. |
PRJ-46031, |
Harmony Endpoint |
Because of a rare race condition, AD scanners may get stuck in the initializing state with "ERROR ajp-nio2-127.0.0.1-8009-exec-96 - Failed to enumerate scanner instances for SF-DC2.mapro.cat, scanner instance788b7398-5a79-91fb-6f68-137813a5556e (UsmDSConfigResponder)java.lang.NumberFormatException". |
PRJ-47055, |
Harmony Endpoint |
Some devices added to a Virtual Group from the SmartEndpoint Reporting tab do not receive the assigned policy. |
PRJ-42633, |
Harmony Endpoint |
After an Endpoint Security client is uninstalled via a push operation, there is no indication in the Asset Management that the client is successfully removed (only if it is inactive for more than 30 days, then it is deleted from the Server database). Although it should be immediately shown as non-active. |
PRJ-46802, |
Harmony Endpoint |
In rare scenarios, when making changes in SmartConsole, it gets disconnected. |
PRJ-48256, |
Harmony Endpoint |
The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package. |
PRJ-43609, |
VoIP |
SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter). |
PRJ-47640, |
Scalable Platforms |
In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log. |
PRJ-45233, |
Scalable Platforms |
The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921. |
PRJ-48212, |
Scalable Platforms |
In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail. |
PRJ-49111 |
Scalable Platforms |
After adding a new Security Group Member to a Security Group with the default shell /bin/gclish, the status of the new Security Group Member is "Down" with a Critical Device "image_clone" pnote. |
PRJ-47865, ACCHA-3317 |
Scalable Platforms |
Accessing the SMO WebUI and performing configuration changes may fail with the "Error in acquiring buffer of member info (-1)" error." |
Take 110 Released on 30 July 2023 and declared as Recommended on 29 August 2023 |
||
PRJ-44422, |
Security Management |
NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository. |
PRJ-43521, |
Security Management |
NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs . For example:
|
PRJ-44326, |
Security Management |
NEW: Added a new Management API "mgmt_cli show ha-status". It provides synchronization information for the currently active domain.
|
PRJ-44494, |
Scalable Platforms |
NEW: Added support for the 25Gbps speed on Maestro Orchestrator ports. |
PRJ-45678, |
CloudGuard Network |
NEW: CloudGuard Controller for NSX-T
Note: Importing Virtual Machines can be enabled only using Policy Mode APIs. When enabled, the amount of API requests toward the NSX-T manager increased. |
PRJ-46242, |
Security Management |
UPDATE: A Security Management Server/Domain Management Server can now manage up to 400 Security Gateways / Clusters, allowing concurrent policy installation on all Security Gateways / Clusters at once. |
PRJ-45295, |
Security Management |
UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792. |
PRJ-45490, |
Security Management |
UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster). |
PRJ-44502, |
Security Management |
UPDATE: Significantly improved performance during upgrade and import for large Multi-Domain Security Management environments with many administrators (over 20 domains and over 100 global administrators).
|
PRJ-45203, ODU-843 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314. |
PRJ-45891, |
Security Gateway |
UPDATE: Added a new environment variable "IMPLIED_RULES_SET_BEFORE_LAST". It defines if Multi-Portal implied rules should be matched as "before drop" or "before last". The default value is "0", set to "before drop". When the value is set to "1", implied rules will be matched as "before last". Refer to sk180808. |
PRJ-44774, |
Security Gateway |
UPDATE: The Thread Blocker feature is now disabled by default. Refer to sk180437. |
PRJ-44436, |
ClusterXL |
UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742. |
PRJ-44952, |
IPS |
UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day. |
PRJ-35986, |
SSL Inspection |
UPDATE: Major performance improvement in HTTPS Inspection of TLS 1.3. |
PRJ-45462, |
Threat Prevention |
UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-46941, |
Threat Prevention |
UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses. |
PRJ-45472, |
CPView |
UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-45465, |
CPView |
UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-46916, |
VPN |
UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL. |
PRJ-47226, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427. |
PRJ-47512, |
GaiaOS |
UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230: 1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor). 2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login). These Gaia Clish commands are available to work with this feature:
|
PRJ-44761, |
Gaia OS |
UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined. |
PRJ-32167, |
Scalable Platforms |
UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP). |
PRJ-45907, |
Scalable Platforms |
UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-44907, |
Scalable Platforms |
UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures. |
PRJ-44901, |
Scalable Platforms |
UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log. |
PRJ-45388, |
HCP |
UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-41328, |
Security Management |
If the Security Management Server is behind NAT, remote Management API login fails. |
PRJ-43559, |
Security Management |
In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897. |
PRJ-45158, |
Security Management |
APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites. |
PRJ-45487, |
Security Management |
In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation". |
PRJ-42039, |
Security Management |
Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)". |
PRJ-43568, |
Security Management |
After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail. |
PRJ-42422, |
Security Management |
In some scenarios, an upgrade may fail when a Network object Group contains more than 32000 members. |
PRJ-44085, |
Security Management |
Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514. |
PRJ-43186, |
Security Management |
If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461. |
PRJ-42552, |
Security Management |
After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes". |
PRJ-45873, |
Security Management |
In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified. |
PRJ-43811, |
Security Management |
Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584. |
PRJ-42620, |
Security Management |
When using the "Deployment from Local Paths and URLs" option, and inserting a correct path, the client is being deployed through the Management Server and not Locally as it should be deployed. |
PRJ-35494, |
Security Management |
The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted. |
PRJ-43916, |
Security Management |
In the Object Explorer window in SmartConsole, the IP address column is sorted alphabetically, although it should be sorted in numerical order. |
PRJ-40128, |
Security Management |
When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes. |
PRJ-46629, |
Security Management |
In the Infinity Services view, the Log Sharing status may not be correct. |
PRJ-44595, |
Security Management |
When adding/setting an access rule, setting certain fields to "Any" or "None" may fail because of case sensitivity. |
PRJ-44591, |
Security Management |
The "show object" command fails when running it on nat-section objects. It returns a "null pointer exception" message, which occurs in calculations related to the overview objects meta-info. |
PRJ-44593, |
Security Management |
In some scenarios, running the "delete-exception-group" Management API command fails if the exception group is automatically attached. |
PRJ-43266, |
Security Management |
When creating several LSM objects (Security Gateways or clusters) via both Management API and SmartConsole, the LSM objects IP addresses may be duplicated. |
PRJ-46131, |
Security Management |
A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway. |
PRJ-35765, |
Security Management |
In some scenarios, the "show-packages" Management API command may return empty results when using the "domains-to-process" flag. |
PRJ-45877, |
Security Management |
If an empty Network Group is linked in the source or destination fields of an Access Rule, policy verification may not generate an error. Instead, it may treat the empty group as if there was an "Any" object. |
PRJ-44896, |
Security Management |
Policy installation gets stuck if the known proxy group contains the policy target. |
PRJ-46398, |
Security Management |
In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-44995, |
Security Management |
In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out. |
PRJ-45654, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service. |
PRJ-39775, |
Security Management |
Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command. |
PRJ-45054, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked. |
PRJ-43689, |
Multi-Domain Security Management |
Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain's policy. |
PRJ-45060, |
Multi-Domain Security Management |
In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858. |
PRJ-46087, |
Multi-Domain Security Management |
A scheduled Install Policy Preset may not have its next run time updated when:
|
PRJ-46104, |
Multi-Domain Security Management |
In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983. |
PRJ-40738, |
Multi-Domain Security Management |
Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers. |
PRJ-44968, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages. |
PRJ-45068, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-46509, |
SmartConsole |
Data Center objects may not appear as unused objects in the Object Explorer view, although they should. |
PRJ-43598, |
SmartConsole |
Typo in the Compliance report - "OSFP" instead of "OSPF". |
PRJ-41666, |
Logging |
In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field. |
PRJ-39255, |
Logging |
In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server. |
PRJ-41594, |
Logging |
SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information. |
PRJ-45606, |
Logging |
In some scenarios, in the Logs view, the "Destination" field may be missing. The issue is cosmetic only. |
PRJ-46073, |
Logging |
After an upgrade of the Security Management Server, the "cp_log_export show" command may return the "found an ambiguous value" error in the "export_log_position" field. |
PRJ-45417, |
Logging |
Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic. |
PRJ-41281, |
Logging |
In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached. |
PRJ-38480, |
Logging |
In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured. |
PRJ-46053, |
Security Gateway |
The Security Gateway may crash while inspecting non-HTTP traffic. |
PRJ-46340, |
Security Gateway |
In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze. |
PRJ-46334, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-45496, |
Security Gateway |
On the Security Gateway with Management Data Plane Separation (MDPS) enabled:
|
PRJ-44937, |
Security Gateway |
When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur. |
PRJ-38111, |
Security Gateway |
In some scenarios, the Security Gateway may crash. |
PRJ-45803, |
Security Gateway |
Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588. |
PRJ-42530, |
Security Gateway |
In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart. |
PRJ-44855, |
Security Gateway |
Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter. |
PRJ-45483, |
Security Gateway |
Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command. |
PRJ-47123, |
Security Gateway |
In some scenarios, after an upgrade, the FWD process may unexpectedly exit. |
PRJ-43856, |
Security Gateway |
The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX. |
PRJ-44407, |
Security Gateway |
Global tables (ghtab) may not be synchronized between members, this can lead to instability of traffic. |
PRJ-47148, |
Security Gateway |
Enlarging MTU may cause even small packets to be allocated as Jumbo frames. This will impact the performance of SNDs CPUs. |
PRJ-46113, |
Security Gateway |
In rare scenarios, the Security Gateway may drop the traffic after "Rulebase Internal Error" which occurs during policy installation. |
PRJ-33812, |
Security Gateway |
The FWK process may unexpectedly exit while processing the mail flow and generate a core dump. |
PRJ-45955, |
Security Gateway |
When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873. |
PRJ-41967, |
Security Gateway |
When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected. |
PRJ-44311, |
Security Gateway |
In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash. |
PRJ-46687, |
Security Gateway |
When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops. |
PRJ-46138, |
Security Gateway |
The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032. |
PRJ-45478, |
Security Gateway |
Security Gateway may crash when running kernel debugs of the "UP" module. |
PRJ-44251, |
Security Gateway |
When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC. |
PRJ-45000, |
Security Gateway |
In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped. |
PRJ-45186, |
Security Gateway |
Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705. |
PRJ-42358, |
Security Gateway |
Latency in connection caused by a packet flow change from F2V to F2F. |
PRJ-45397, |
Security Gateway |
Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801. |
PRJ-45449, |
Security Gateway |
When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure. |
PRJ-44752, |
Security Gateway |
Policy installation may fail with "Error 2000240" because of an IPv6 flow issue. |
PRJ-41776, |
Threat Prevention |
IoC feed may not load, and the "Feed status cybercrime-tracker_hash_list :: engine memory allocation error. Feed log External IoC - External Indicators processing failed" error is displayed in CLI. |
PRJ-42147, |
Threat Prevention |
Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues. |
PRJ-44570, |
Threat Prevention |
After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed ". |
PRJ-44151, |
Threat Prevention |
In a rare scenario, policy installation may fail because of IoC observables overrides. |
PRJ-44551, PRHF-27765 |
Threat Prevention |
In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update. |
PRJ-45562, |
Threat Prevention |
In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail. |
PRJ-44200, PMTR-89130 |
Threat Prevention |
When IPS Blade is enabled, the Security Gateway may crash. |
PRJ-39347, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on PDP when installing policy. |
PRJ-44316, |
Content Awareness |
When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection. |
PRJ-45428, |
Application Control |
Some TLS1.3 applications without SNI do not match the rules. |
PRJ-47064, |
Application Control |
When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur. |
PRJ-29401, |
Anti-Virus |
The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries. |
PRJ-46605, |
Anti-Virus |
The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026. |
PRJ-44664, |
Anti-Virus |
Anti-Virus Blade may bypass inspection of URLs with sub-domain portion. |
PRJ-46279, |
Anti-Virus |
Importing a custom intelligence feed containing IP ranges may fail. |
PRJ-47264, |
SSL Inspection |
The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak. |
PRJ-45657, |
SSL Inspection |
In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0. |
PRJ-45099 |
Mobile Access |
SSL Network Extender (SNX) may randomly disconnect after an upgrade. Refer to sk173765. |
PRJ-46402, |
Mobile Access |
Sending emails with attachments via Capsule Workspace may fail on iOS. |
PRJ-45194, |
Mobile Access |
In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail. |
PRJ-46505, |
ClusterXL |
Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969. |
PRJ-41307, |
ClusterXL |
When interfaces disconnect/connect on both members at the same time, it may cause a failover. |
PRJ-42771, |
ClusterXL |
Asymmetric UDP traffic may be dropped with "First Packet isn´t Syn". |
PRJ-45349, PRHF-28275 |
ClusterXL |
After an upgrade, cluster members may frequently crash, causing instability in the environment. |
PRJ-44455, |
ClusterXL |
After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops. |
PRJ-44352, |
ClusterXL |
A VRRP cluster member may be stuck in boot after a cluster upgrade. |
PRJ-45300, |
SecureXL |
When running tcpdump on the Multi-Domain Security Server, an "error /bin/cp-tcpdump.sh: line 11: sxlmode: command not found" message is shown. The issue is cosmetic only. |
PRJ-44874, |
SecureXL |
Traffic may be dropped and the FWACCEL core file is generated. |
PRJ-45833, |
Routing |
The ROUTED daemon may unexpectedly exit because of multi-threading issues. |
PRJ-41963, |
Routing |
Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear. |
PRJ-46358, |
Routing |
Routes marked as "stale" may be redistributed via BGP during graceful restart. |
PRJ-45260, |
Routing |
When configuring OSPFv2 graceful restart on ClusterXL, the cluster may get stuck in EXSTART / 2WAY state. |
PRJ-46095, |
Routing |
BGP state gets stuck in Idle state when using BGP ping to one of the peers. |
PRJ-46132, |
Routing |
When two interfaces with the same local address are configured, BGP may use an incorrect interface to reach a peer. |
PRJ-46128, |
Routing |
The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths. |
PRJ-41960, |
Routing |
In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group. |
PRJ-41798, |
Routing |
Configuring OSPFv2 Graceful Restart and passive OSPF interfaces at the same time can cause graceful restart failures. |
PRJ-44924, |
Routing |
When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode. |
PRJ-45379, |
Routing |
A VRRP/VRRP6 interface may go into Master/Master state. |
PRJ-44705, |
Routing |
Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table. |
PRJ-44709, |
Routing |
An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface. |
PRJ-45468, PRHF-28353 |
VPN |
StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method. |
PRJ-44829, PRJ-44991, PRJ-46302, PRHF-28849 |
VPN |
|
PRJ-44218, |
VPN |
The "vpn/ike debug ikeon/ikefail" commands may fail when used with the "-s" flag. |
PRJ-45919, |
VPN |
The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation. |
PRJ-44089, |
VSX |
Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect. |
PRJ-45401, |
VSX |
Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs. |
PRJ-41970, |
VSX |
Increasing the MTU value of a bonded tagged interface may not be possible. Refer to sk179984. |
PRJ-44745, |
VSX |
Virtual System's interfaces may be missing when running the Clish command "show/save configuration". |
PRJ-45005, |
VSX |
A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command. |
PRJ-45145, |
VSX |
Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster. |
PRJ-45863, |
Gaia OS |
Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error. |
PRJ-29906, |
Gaia OS |
It may be not possible to enter a snapshot description with more than one word. |
PRJ-33093, |
Gaia OS |
In some scenarios, the output of the "show configuration"/"snapshot-scheduled" command may contain corrupted text. |
PRJ-28434, |
Gaia OS |
Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment. |
PRJ-42779, |
Gaia OS |
Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection". |
PRJ-41909, |
Gaia OS |
Gaia WebUI logs are printed with "info" severity. |
PRJ-44370, |
Gaia OS |
SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status. |
PRJ-46285, |
Harmony Endpoint |
Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device. |
PRJ-46947, |
Harmony Endpoint |
KAV updater on the Server may fail to receive updates when proxy is used. |
PRJ-45540, |
CloudGuard Network |
AWS Data Center mapping fails when an interface subnet is missing from the list of subnets. |
PRJ-32399, |
VoIP |
After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-46475, |
VoIP |
SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file. |
PRJ-42263, |
Scalable Platforms |
Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439. |
PRJ-42617, |
Scalable Platforms |
The FW process may unexpectedly exit, producing a core dump file. |
PRJ-32730, |
Scalable Platforms |
When there is a connectivity issue in the cluster, OSPF packets may be sent with delays and cause an outage. |
PRJ-44528, |
Scalable Platforms |
License is not copied from SMO to all other members if other members are in Down state. |
PRJ-36345, |
Scalable Platforms |
Redundant reboot occurs after installing R81/R81.10 Jumbo Hotfix Accumulator for the first time after a major version installation/upgrade. Refer to sk177765. |
PRJ-44587, |
Scalable Platforms |
The "orch_info" command may freeze, when running it on Maestro Orchestrator. |
PRJ-41249, |
Scalable Platforms |
Trying to power off the MHO in CLI may lead to a reboot. |
PRJ-45480, |
Scalable Platforms |
Querying the HW status via SNMP (OIDs .1.3.6.1.4.1.2620.1.6.7.*) or via the "cpstat os -f sensors" command may fail on Maestro Orchestrator. |
PRJ-45301, |
Scalable Platforms |
In rare scenarios, the Single Management Object (SMO) may go to Down state after clicking a packet capture link in the IPS log in SmartConsole. |
PRJ-42785, |
Scalable Platforms |
Members may stay in Down state after reboot/Jumbo Hotfix installation with pull_config pnote when pulling registry from SMO: "Pull registry failed" error in the $FWDIR/log/Blade_config log file. |
PRJ-43815, |
Scalable Platforms |
CPUSE may suggest to install Maestro incompatible packages. |
PRJ-46968 |
Scalable Platforms |
On Maestro, when MDPS (Management Data Plane Separation) is enabled, and the license corresponds to an IP address different from the management interface's IP address (such as the sync IP), policy installation may fail because of a license mismatch. |
PRJ-47053, |
Scalable Platforms |
MHO reports logs may not be rotated. |
PRJ-44287, |
Scalable Platforms |
The "set/show trace" command may fail in gClish. |
PRJ-45885, |
Scalable Platforms |
In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System. |
PRJ-46645, |
Carrier Security |
Incorrect parsing of GTP-U traffic may cause anti-spoofing drops. |
PRJ-43224, |
Carrier Security |
Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507. |
PRJ-43220, |
Carrier Security |
Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506. |
PRJ-46676, PRJ-46679, |
Carrier Security |
After an upgrade, GTP traffic and memory issues may occur. |
PRJ-46673, |
Carrier Security |
Packet corruption, leading to traffic and performance issues. |
PRJ-44602, |
Carrier Security |
Stack buffer overflow may occur in the FWGTP process. |
Take 109 Released on 17 July 2023 and declared as Recommended on 23 July 2023 |
||
PRJ-47745 |
Scalable Platforms |
Uninstalling Jumbo Hotfix Take 106/107 on Maestro Orchestrator (MHO) may cause an outage. See the Critical Information section. |
Take 107 Released on 28 June 2023 |
||
PRJ-47102, |
Security Management |
Policy installation may fail with "Target is not defined in the database" error when the target name has many underscore or dash characters. See the Critical Information section. |
Take 106 Released on 8 June 2023 |
||
PRJ-45900, |
Scalable Platforms |
NEW: Added support for LightSpeed acceleration on Scalable Platforms appliances MLS-200, MLS-400 and QLS-250 and QLS-450. |
PRJ-40966, |
Scalable Platforms |
UPDATE: Switching between User/Kernel mode on Scalable Platforms can now be done using "cpconfig" . Reboot of the Security Group members is performed after the confirmation. |
PRJ-46857 |
Multi-Domain Security Management |
After an upgrade to R81.10 Take 95, policy installation from a Domain Security Management Server on R81.20 Security Gateways may fail with "Policy installation is not supported for the target". Refer to sk181048. |
PRJ-45592, |
SmartConsole |
In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to a Threat Prevention policy "Install On" column, no Security Gateway objects appear. Refer to sk180964. |
PRJ-44451, |
SmartConsole |
In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681. |
PRJ-43171 |
CPUSE |
When working in a Scalable Platforms environment, a member may get in a bootloop. The issue occurs after the consequent upgrade of this member to R81.10, Deployment Agent (DA) update and enabling image auto cloning. |
PRJ-46294, |
VPN |
Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429. |
PRJ-45789, |
CloudGuard Network |
Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries. |
PRJ-45975, |
CloudGuard Network |
After an upgrade to Take 75, importing Azure Private Endpoints, Application Security Groups or AWS Load balancer tags may fail. |
PRJ-46854, |
Scalable Platforms |
User Space Mode (UPPAK) is not supported on Maestro Security Gateways with enabled Management Data Plane Separation (MDPS). |
Take 95 Released on 13 April 2023 and declared as Recommended on 15 May 2023 |
||
PRJ-42693, |
Security Management |
NEW: Added ability to run the "verify-policy" Management API command on a private session with unpublished changes. |
PRJ-45365, |
Security Management |
NEW:
|
PRJ-44576, |
Internal CA |
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date. |
PRJ-44226, |
Compliance |
NEW: Compliance Blade is enhanced with 5 new Firewall Best Practices:
|
PRJ-42453, |
HCP |
NEW: HCP report is now available in WebUI. To access it, use the link: https://<Security Gateway IP address>/hcp. |
PRJ-41010, |
Security Management |
UPDATE: Defining GUI Clients on the Log Server is now blocked. Defining GUI Clients is allowed only from the Security Management Server in Active mode. |
PRJ-41201, |
Security Gateway |
UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).
|
PRJ-43605, PRHF-22566 |
SecureXL |
UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall. |
PRJ-44610, |
Threat Emulation |
UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443. |
PRJ-43969, |
VPN |
UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.
Refer to sk98074. |
PRJ-42404, |
VSX |
UPDATE: Added more logs related to Pushing VSX Configuration.
. |
PRJ-43675, |
Harmony Endpoint |
UPDATE: Linux installations are now automatically added to "All Linux Desktops Virtual Group" in Harmony Endpoint. Refer to sk180430. |
PRJ-45266, |
GaiaOS |
UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311. |
PRJ-44639, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements. |
PRJ-43925, |
CloudGuard Network |
UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.10 Administration Guide > Configuration Parameters. This change prevents scenarios when CloudGuard Controller fails to connect to Cluster with MDPS enabled (sk180981). |
PRJ-44355, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region. |
PRJ-40857, MBS-14161 |
Scalable Platforms |
UPDATE: Added Management Data Plane Separation (MDPS) support for Maestro Orchestrator and Chassis scalable platforms. |
PRJ-45755, PMTR-91592 |
Scalable Platforms |
UPDATE: Enhanced the mechanism of Maestro Gateway leaving a Security Group. |
PRJ-44629, PMTR-90519 |
Security Management |
There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder. |
PRJ-44460, |
Security Management |
In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions. |
PRJ-39758, |
Security Management |
In some scenarios, exact search in the Object Explorer may not return the expected results. |
PRJ-38358, |
Security Management |
After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results". |
PRJ-42060, |
Security Management |
The "show objects" command returns all objects in Global Domain with any filter when "ip-only" flag is set to "true". |
PRJ-44025, |
Security Management |
When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message. |
PRJ-43962, |
Security Management |
In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses. |
PRJ-42084, |
CPView |
A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops. |
PRJ-43472 |
CPUSE |
In some scenarios, the Task Progress bar is missing from SmartConsole during Jumbo Hotfix installation. |
PRJ-44337, |
CPView |
The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540. |
PRJ-43393, |
Logging |
When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects. |
PRJ-44095, |
Security Gateway |
In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to a BGP failure. |
PRJ-36112, |
Security Gateway |
When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email. |
PRJ-44920, |
Security Gateway |
After an upgrade to Take 79, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs. |
PRJ-44232, |
Security Gateway |
After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore. |
PRJ-42296, |
Security Gateway |
When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command. |
PRJ-42707, |
Security Gateway |
DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list. |
PRJ-43011, |
Security Gateway |
When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted. |
PRJ-43886, |
Security Gateway |
In rare scenarios, the FWD process is stuck during policy installation. |
PRJ-43839, |
Security Gateway |
The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation. |
PRJ-40878, |
Security Gateway |
In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
PRJ-41564, |
Security Gateway |
SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625. |
PRJ-44081, |
Security Gateway |
In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated. |
PRJ-41878, |
Security Gateway |
On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode. |
PRJ-43533, |
Security Gateway |
The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated. |
PRJ-40472, |
Threat Prevention |
If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible. |
PRJ-41901, |
Threat Prevention |
IoC feed may not load because of a parsing issue with the IP address range indicator. |
PRJ-44222, |
Threat Prevention |
In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled. |
PRJ-42344, |
Identity Awareness |
During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659. |
PRJ-42933, |
Identity Awareness |
The PDPD process may cause CPU spikes during cluster failover. |
PRJ-43747, |
Identity Awareness |
The output of the "pdp monitor cv_le <agent-version>" command may be incorrect. |
PRJ-33065, |
Identity Awareness |
In a rare scenario, a wrong access role may be assigned to a user. |
PRJ-43503, |
Application Control |
Policy installation may fail with an "Error 0-200184" message because of memory allocation issues. |
PRJ-44383, |
Application Control |
A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability. |
PRJ-43975, |
URL Filtering |
When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected. |
PRJ-42714, |
IPS |
In a rare scenario, the Security Gateway may crash during an IPS package update. |
PRJ-44180, |
IPS |
In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic. |
PRJ-43583, |
DLP |
A memory leak may occur in the DLPU process. |
PRJ-44009, |
Anti-Virus |
The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade. |
PRJ-44291, |
Mobile Access |
Some web applications which use PT or UT link translation methods may have issues after a browser upgrade. |
PRJ-41413, |
Mobile Access |
Access to a web application that uses WebSocket protocol may not be possible. |
PRJ-44131, |
SecureXL |
IPv6 template is not created when the connection is NATed. |
PRJ-42781, |
SecureXL |
After installing R81.10 Jumbo Hotfix Take 61 and higher, running the "tcpdump" command fails with the "/bin/cp-tcpdump.sh: line 14: /sbin/tcpdump: No such file or directory" error. Refer to sk180737. |
PRJ-44677, |
SecureXL |
After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped. |
PRJ-43983, |
SecureXL |
In a rare scenario, a CPAQ message sent during policy push does not have critical and can be dropped when the Security Gateway is busy. |
PRJ-43922, |
Routing |
Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost. |
PRJ-44940, |
Routing |
After an update, multicast traffic may be dropped. |
PRJ-43410, |
Routing |
The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM). |
PRJ-44372, |
Routing |
OSPF routes may not be redistributed after reboot. |
PRJ-41331, |
Routing |
The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down. |
PRJ-44259, |
Routing |
The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0". |
PRJ-44688, |
Routing |
Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669. |
PRJ-43827, |
VPN |
In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection, and the traffic might be dropped. Refer to sk180855. |
PRJ-44285, |
VPN |
VPN endpoint users fail to login with ECDSA certificate. |
PRJ-43386, |
VPN |
After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only. |
PRJ-40284, PRJ-43713, PRJ-42371, |
VPN |
Refer to sk180530. |
PRJ-43550, |
VPN |
VPN stability issues. |
PRJ-43195, |
VPN |
TCP traffic on port 34500 may be encrypted by VPN, although it should not. |
PRJ-40913, |
VPN |
The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client. |
PRJ-44667, |
VPN |
When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output. |
PRJ-44122, |
VSX |
Changing the main IP address of a Virtual Router may cause the FWM process to exit. |
PRJ-40034, |
Gaia OS |
When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed. |
PRJ-44238, |
Gaia OS |
The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added. |
PRJ-42220, |
Gaia OS |
Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI. |
PRJ-43986, |
Gaia OS |
The "lldpneighbors" Clish command may have a corrupted output. Refer to sk182065. |
PRJ-43563, |
Gaia OS |
When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server. |
PRJ-44347, |
CloudGuard Network |
The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381. |
PRJ-43397, |
CloudGuard Network |
VPN Cluster stability issue when the peer is an Azure Security Gateway. |
PRJ-43577, |
CloudGuard Network |
When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails. |
PRJ-44478, |
CloudGuard Network |
Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started. |
PRJ-44614, |
VoIP |
In rare scenarios, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue. |
PRJ-44881, |
Scalable Platforms |
After an upgrade, local IPv6 traffic from Active members may fail. |
PRJ-41941, |
Scalable Platforms |
When adding a new Virtual System and installing a policy, member state may change to Down. |
PRJ-42677, |
Scalable Platforms |
Adding more than 250 VLANs on an Orchestrator MHO-175 Maestro Uplink interface causes intermittent traffic outages. Refer to sk180340. |
PRJ-43383, |
Scalable Platforms |
The clock verifier test (clock_verifier -v) fails. |
PRJ-43802, |
Scalable Platforms |
The "asg perf" command fails when running it with the "-vv" flag. |
PRJ-39722, |
Scalable Platforms |
In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW). |
PRJ-40400, |
Carrier Security |
GTP traffic may be dropped and tunnels are not registered in gtp_tunnels. |
Take 94 Released on 29 March 2023 and declared as Recommended on 2 April 2023 |
||
PRJ-45511 |
Security Management |
There is console access but no network connectivity after installing R81.10 Jumbo Hotfix Accumulator Take 93 on top of Blink image that includes Take 87. Refer to sk179799. See the Critical Information section. |
Take 93 Released on 5 March 2023 |
||
PRJ-43407, |
Security Management |
NEW: On-premises Security Management Server can now connect to Infinity Portal. This allows:
Requires:
|
PRJ-43895, |
Security Gateway |
NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43807, |
Application Control, URL Filtering |
NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days contract expiration to continue providing the best security value during the renewal process. |
PRJ-44255, |
Threat Extraction |
NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43910, |
SmartView |
NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-42181, |
IPS |
NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content. |
PRJ-42658, |
IPS |
UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections. |
PRJ-43723, |
SSL Inspection |
UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates. |
PRJ-41419, |
Security Management |
UPDATE: Connecting a Quantum Security Management Server to Infinity Portal is now supported in the Full High Availability Cluster (when each cluster member has a Security Management Server and a Security Gateway). |
PRJ-42306, |
Security Management |
UPDATE: Improved the "Purge revisions" operation to reduce the size of the database. |
PRJ-36635, |
Security Management |
UPDATE: Added an option to configure the maximum number of IPS SNORT rules. These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config (for MDS - additionally in the $MDS_FWDIR/conf/malware_config file): "[IPS] snort_convertor_max_rules_per_update=<value> snort_convertor_total_rules_num_limit=<value>". Refer to sk136515. |
PRJ-41619, |
Security Gateway |
UPDATE: To reduce policy installation time on a Security Gateways with a large number of CoreXL Firewall instances, you can use the Check Point Registry parameter "CP_INSTALL_POLICY_MT_LIMIT" to configure the Security Gateway to install the policy simultaneously on groups of CoreXL Firewall instances. Refer to sk182653. |
PRJ-44559, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436. |
PRJ-43613, |
Gaia OS |
UPDATE: Gaia Cloning Groups will now use the highest TLS version available. |
PRJ-43049, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions. |
PRJ-43025, |
CloudGuard Network |
UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher. |
PRJ-42979, |
Scalable Platforms |
UPDATE: Added support for monitoring hardware of Maestro Orchestrator MHO-175. |
PRJ-43404, |
Diagnostics |
Skyline may not show any information. Refer to sk180748. |
PRJ-40226, |
Security Management |
The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed. |
PRJ-43340, |
Security Management |
In some scenarios, Audit logs may not be created when running remote API commands from Infinity Portal. |
PRJ-41762, |
Security Management |
In some scenarios, the CME process fails to start. |
PRJ-42110, |
Security Management |
The date of a policy configured with "accelerated installation" may not be updated in logs. |
PRJ-42410, |
Security Management |
Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error. |
PRJ-43094, |
Security Management |
After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails. |
PRJ-42042, |
Security Management |
In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail. |
PRJ-41892, |
Security Management |
High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server. |
PRJ-39746, |
Security Management |
Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure. |
PRJ-43363, |
Security Management |
Editing a Global Assignment object using Ansible may fail. |
PRJ-43317, |
Security Management |
In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed. |
PRJ-43254, |
Security Management |
In some scenarios, the "api status" command shows that the Management API service is stopped. |
PRJ-43312, |
Security Management |
The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base. |
PRJ-43314, |
Security Management |
Running API commands with the "dereference-max-depth" parameter with value "0" may fail when the "Groups" field is in the reply. |
PRJ-41928, |
Security Management |
After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294. |
PRJ-42049, |
Multi-Domain Security Management |
In rare scenarios in a Multi-Domain Security Management environment:
|
PRJ-42302, |
Multi-Domain Security Management |
Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain. |
PRJ-43201, |
SmartProvisioning |
Deleting an LSM Gateway via REST API does not revoke the device's VPN certificate. |
PRJ-43589, |
CPView |
In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart. |
PRJ-42100, |
CPView |
CPView may not show some interfaces. |
PRJ-33052, |
Logging |
The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803. |
PRJ-39080, |
Logging |
After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable. |
PRJ-39608, |
Security Gateway |
The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages. |
PRJ-41018, |
Security Gateway |
When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead. |
PRJ-43705, |
Security Gateway |
The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs). |
PRJ-41495, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-43347, |
Security Gateway |
A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data. |
PRJ-38809, |
Security Gateway |
In a rare scenario, when QoS is enabled, the Security Gateway may crash. |
PRJ-39801, |
Security Gateway |
After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash. |
PRJ-40320, |
Security Gateway |
In rare scenarios, the FWK process can unexpectedly exit and cause an outage. |
PRJ-42804, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-43554, |
Security Gateway |
Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled. |
PRJ-42944, |
Security Gateway |
When Anti-Spoofing is enabled, the Security Gateway may crash. |
PRJ-41634, |
Security Gateway |
Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop. |
PRJ-36010, |
Security Gateway |
The Security Gateway may frequently crash with vmcore files, recording invalid context. |
PRJ-42102, |
Security Gateway |
When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled. |
PRJ-43528, |
Security Gateway |
In rare scenarios when ISP Redundancy feature is enabled, default route disappears after policy installation. |
PRJ-42088, |
Security Gateway |
The "fw monitor" command output may contain "no packets left to merge" messages. |
PRJ-42903, |
Internal CA |
The certificate in SmartConsole is shown as valid, although it is expired. |
PRJ-41436, |
Internal CA |
When managing cloud Gateways, the FWM process memory usage may increase. |
PRJ-38490, |
Threat Prevention |
In a rare scenario, the mal_conns table may consume a large amount of memory. |
PRJ-42286, |
Threat Prevention |
The "ioc_feeds set interval -r" command may fail. |
PRJ-41598, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value. |
PRJ-32738, |
Threat Prevention |
After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml. |
PRJ-42585, |
Threat Prevention |
When using a host with automatic static NAT in a Threat Prevention policy object, the object will not be enforced. |
PRJ-42438, |
Threat Prevention |
Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file. |
PRJ-37567, |
Threat Prevention |
When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue. |
PRJ-41688, |
Threat Prevention |
In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file. |
PRJ-42999, |
Identity Awareness |
In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side. |
PRJ-42339 |
Identity Awareness |
In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing. |
PRJ-41323, |
Identity Awareness |
A connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs. |
PRJ-41221, |
Application Control |
In some scenarios, the RAD process may freeze after failing to connect to URL Filtering service. |
PRJ-41378, |
IPS |
When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation. |
PRJ-42591, |
IPS |
The Security Gateway may crash during policy installation because of a memory allocation problem. |
PRJ-35486, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290. |
PRJ-31705, |
Anti-Bot |
The "asg perf --delay" command does not change the "refresh time" on the screen. |
PRJ-43682, |
SSL Inspection |
In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode. |
PRJ-43154, |
Mobile Access |
The CVPND process may unexpectedly exit and create a core dump file. |
PRJ-41259, |
Mobile Access |
Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled. |
PRJ-42468, |
Mobile Access |
When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue. |
PRJ-43116, |
ClusterXL |
The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces. |
PRJ-44168, |
ClusterXL |
When handling HTTP/2 traffic, cluster members may crash, generating vmcores. |
PRJ-43003, |
ClusterXL |
Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292. |
PRJ-42464, |
ClusterXL |
Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled. |
PRJ-29668, |
SecureXL |
When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored. |
PRJ-42896, |
SecureXL |
SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router. |
PRJ-42575, |
SecureXL |
Multicast traffic may get dropped, and no logs are generated. |
PRJ-43056, |
Routing |
The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486. |
PRJ-40728, |
VPN |
In some scenarios, when NAT is configured, VoIP traffic is dropped. |
PRJ-43595, PRJ-43299, |
VPN |
Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651. |
PRJ-44944, |
VPN |
When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664. |
PRJ-42879, |
VPN |
When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281. |
PRJ-42561, |
VPN |
When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty. |
PRJ-42762, |
VPN |
Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error. |
PRJ-41375, |
VPN |
StrongSWAN Remote Access client can connect but fails to access internal resources. |
PRJ-42653, |
VPN |
Stability issues of the VPND and IKED processes. |
PRJ-41050, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-41697, |
VSX |
The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database. |
PRJ-42883, |
VSX |
In VSX, if Dynamic Balancing was manually disabled on R81.10, after an upgrade from R81.10 to R81.20, it automatically gets enabled. |
PRJ-41160, |
Gaia OS |
The SNMPD process may exit with a timeout when the ARP table with many ARP entries takes time to calculate its size. |
PRJ-41251, |
Gaia OS |
The backup operation fails if the backed-up directory content is larger than 10GB. |
PRJ-42254, |
Gaia OS |
Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error. |
PRJ-42962, |
Gaia OS |
IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309. |
PRJ-42526, |
Gaia OS |
Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181. |
PRJ-43428, |
Gaia OS |
In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit. |
PRJ-42624, |
Gaia OS |
SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command. |
PRJ-43651, |
Gaia OS |
When setting password hash on cloning group members, some members may not get updated. |
PRJ-43959 |
Gaia OS |
When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail. See the Critical Information section. |
PRJ-40693, |
Harmony Endpoint |
When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit. |
PRJ-43068, |
CloudGuard Network |
Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data. |
PRJ-43259, |
CloudGuard Network |
Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object. |
PRJ-42696, |
VoIP |
In some scenarios, when using static NAT, VoIP traffic may be affected. |
PRJ-43517, PRHF-26939 |
VoIP |
After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-43077, |
VoIP |
While handling a multi-INVITE scenario (where a user registers with multiple devices), and VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption. |
PRJ-43488, |
Scalable Platforms |
Running the "show" or "set" commands for SSH in gClish fails. |
PRJ-31553 |
Scalable Platforms |
In VSX mode, when configuring affinity settings on Security Group members, a new added member may stay in Down state. |
PRJ-30229, |
Scalable Platforms |
The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.) |
PRJ-31658, |
Scalable Platforms |
The output of the "asg perf -6" command shows "IPV6 is Disabled". |
PRJ-43601, PRJ-43213 |
Scalable Platforms |
Time synchronization task is not performed correctly when using predefined NTP Servers. |
PRJ-32255, |
Scalable Platforms |
When running "asg diag verify" in an environment with mixed appliances, the "cores_verifier" command fails if there are unused cores, although it should not. The issue is cosmetic only.. |
PRJ-39602, |
Scalable Platforms |
The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages. |
PRJ-42192, |
Scalable Platforms |
In a multiple upgrade scenario, running the "sp_upgrade-revert" command reverts the setup to the last version, but running it the second time leads to revert instead of performing cleanup. |
PRJ-42899, |
Scalable Platforms |
When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name. |
PRJ-44600 |
Scalable Platforms |
Uninstalling Jumbo Hotfix Take 79-87 from Maestro Orchestrator may cause the REST Server initialization to fail and lead to connectivity issues. See the Critical Information section. |
PRJ-44142, |
Scalable Platforms |
Some Maestro Hyperscale Orchestrator processes may go down after an upgrade and reboot. Refer to sk180509. See the Critical Information section. |
PRJ-43307, |
Scalable Platforms |
Minor packet drop may occur during Maestro Orchestrator graceful reboot. |
PRJ-40549 |
Scalable Platforms |
The output of the "asg perf" command may not show active software Blades. |
PRJ-43361, |
Scalable Platforms |
The "set expert-password-hash" command may fail to update the password hash on all cluster members. |
Take 87 Released on 19 January 2023 and declared as Recommended on 7 February 2023 |
||
- |
General |
Alignment to new self-updatable packages. |
PRJ-44014, PMTR-89893 |
VSX |
In VSX, after adding instances to a Virtual System (VS), their state may be inactive. See the Critical Information section. |
Take 85 Released on 12 January 2023 |
||
PRJ-42849, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, traffic may not match rules with custom applications. |
PRJ-43891, |
SSL Inspection |
In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473. |
Take 82 Released on 8 January 2023 |
||
PRJ-39425, |
Security Management |
NEW:
|
PRJ-42564 |
Security Management |
UPDATE: It is now possible use multiple values when filtering in these views:
|
PRJ-38116, |
Security Management |
UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Security Management Server with the Active Global Domain, where the operation is triggered from. |
PRJ-34898, |
Security Management |
UPDATE: Improved the "Assign Global Policy" action time by approximately 50%. |
PRJ-42033, |
Security Management |
UPDATE: Added a new Management API "mgmt_cli verify-management-license". It allows to check how many Security Gateway objects the Management Server license supports. Note that this API does not support Quantum Maestro and VSX. Refer to Management API Reference. |
PRJ-42981, |
Web SmartConsole |
UPDATE: Released Take 73 with new features and improvements. Refer to sk170314. |
PRJ-42981, |
CPView |
UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878. |
PRJ-41229 |
Logging |
UPDATE: Port 8211 no longer accepts connections with the cipher TLS_RSA_WITH_AES_128_CBC_SHA. |
PRJ-38056, |
Logging |
UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message. |
PRJ-32781, |
Security Gateway |
UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL. |
PRJ-41248, |
Internal CA |
UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591. |
PRJ-42201 |
Threat Prevention |
UPDATE: Reduced loading time of big external Custom Intelligence Feeds. |
PRJ-42702, |
Threat Prevention |
UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-38198, |
UserCheck |
UPDATE: Added support for custom UserCheck objects for Threat Extraction. Previously it was not possible to configure them when using Autonomous Threat Prevention Policy. Refer to sk178764. |
PRJ-41735, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region. |
PRJ-41713, ODU-603 |
Smart-1 Cloud |
UPDATE: Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-27770, |
Scalable Platforms |
UPDATE: The "revert to snapshot" operation is now blocked on Scalable Platforms when the snapshot remains from the previous version and is not created as a part of the current upgrade process. |
PRJ-40628, |
Scalable Platforms |
UPDATE: Blocked the ability to install Jumbo Hotfix Accumulator or to run an upgrade to a major version on Quantum Maestro Security Gateways using the Central Deployment tool in SmartConsole or the Management REST API. |
PRJ-41650, |
Scalable Platforms |
UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it: • To enable this option:
• To disable this option:
|
PRJ-40773, |
Scalable Platforms |
UPDATE: The "Obtain IPv4 Address Automatically" option in the IPv4 and IPv6 tabs of the Gaia Portal's Interface editor is now disabled (as it is on gClish). |
PRJ-41935, |
VoIP |
UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection. |
PRJ-38613, |
Harmony Endpoint |
UPDATE: Added the "-ignoreDA" flag for "epmcommands" to clean objects from the deleted users and computers, ignoring the "da_installed" flag. |
PRJ-41999, |
HCP |
UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-40540, |
Diagnostics |
The cpview -s export operations may fail on VS0 when cpview_services are running. |
PRJ-43904, |
Security Management |
On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448. |
PRJ-41556, |
Security Management |
After an Application Control update, policy installation may fail. |
PRJ-40943, |
Security Management |
In rare scenarios, in a large environment, after an IPS update, High Availability synchronization may fail with timeout on the Global Domain. |
PRJ-41562, |
Security Management |
After an upgrade, in the Gateways&Servers view, searching Security Gateway objects by their interfaces' IP addresses fails. |
PRJ-39392, |
Security Management |
In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred". |
PRJ-39611, |
Security Management |
After an upgrade, on the Domain level, in the Administrators View, the email and phone of the administrators may be missing. |
PRJ-41679, |
Security Management |
An upgrade may fail with timeout during the import of a large database file. |
PRJ-41576, |
Security Management |
In an environment with many Security Gateways, login to SmartConsole after starting services may take a long time. |
PRJ-34737, |
Security Management |
When running the "show access-rule" API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells. |
PRJ-41071, |
Security Management |
Global Policy reassignment fails with "An internal error has occurred" if a Global rule, Rule Base, or section is created, moved, and then deleted without running a reassignment in between. |
PRJ-41292, |
Security Management |
Access Policy installation may fail with the "Internal error occurred during the verification process" error. |
PRJ-41127, |
Security Management |
Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate. |
PRJ-41976, |
Security Management |
The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119. |
PRJ-40426, |
Security Management |
In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error. |
PRJ-40944, |
Security Management |
In rare scenarios, the FWM process may unexpectedly exit. |
PRJ-41914, |
Security Management |
Installing Database from Security Management on an R80.x Log Server may fail. |
PRJ-42240, |
Security Management |
Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER. |
PRJ-42953, |
Security Management |
In an environment with the Endpoint Security Server, Jumbo Hotfix Accumulator installation may take a long time. |
PRJ-40238, |
Security Management |
Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700. |
PRJ-41671, |
Security Management |
When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue. |
PRJ-42859, |
Security Management |
After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole. |
PRJ-42509, |
Security Management |
Access policy verification may fail when dynamic objects exist in the NAT policy. |
PRJ-40823, |
Security Management |
Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks. |
PRJ-41541, |
Security Management |
The FWK process may unexpectedly exit during Threat Prevention policy installation. |
PRJ-40223, |
Security Management |
In a large environment, High Availability synchronization for the Global domain may fail with the "Global domain is busy syncing, please check sync status" error. |
PRJ-41553, |
Security Management |
Policy installation may get stuck on 99% when resuming queued policy installation tasks. |
PRJ-37832, |
Security Management |
"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain. |
PRJ-40734, |
Security Management |
In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message. |
PRJ-39718, |
Security Management |
It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown. |
PRJ-37311, |
Multi-Domain Security Management |
SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Security Management Server to the Security Management Server. |
PRJ-42291, |
Multi-Domain Security Management |
An upgrade of the secondary Multi-Domain Security Management Server or Multi-Domain Log Server may fail when simultaneously upgrading several Servers. |
PRJ-42105, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, the HitCount retention mechanism may prematurely remove the HitCount data. |
PRJ-41920, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit. |
PRJ-37706, |
Logging |
It may not be possible to filter the "Subscriber" field in SmartLog. |
PRJ-37298, |
Logging |
When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed. |
PRJ-41194, |
Logging |
It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only. |
PRJ-35880, |
Logging |
Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), after several initial logs, they may stop coming to the Log Server. |
PRJ-40492, |
Logging |
In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format. |
PRJ-40144, |
Logging |
Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses. |
PRJ-38052, |
Logging |
Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog. |
PRJ-41917, |
Logging |
Export to CSV in SmartView may be stuck in the "running" status. |
PRJ-41355, |
Logging |
In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic. |
PRJ-41930, |
Logging |
When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-31865, |
Logging |
When exporting logs in CEF format using Log Exporter and the value of the "time-in-milli" parameter is set as "true" (sk173167), the logs are not displayed in ArcSight SIEM Solution. |
PRJ-42414, |
Logging |
When LEA spawning is turned off (sk91343), the FWD process may run out of memory. |
PRJ-37500, |
Logging |
The "epoll is enabled" warning is incorrectly displayed during policy installation. |
PRJ-40235, |
Security Gateway |
There may be stability issues when ICAP client is active. |
PRJ-41864, |
Security Gateway |
After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). |
PRJ-39968, |
Security Gateway |
The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs. |
PRJ-41451, |
Security Gateway |
Policy verification fails when a generic Data Center contains an object with an empty range. |
PRJ-42972, |
Security Gateway |
The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the LightSpeed 10/25/40/100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on. |
PRJ-40927, |
Security Gateway |
When installing policy and the kernel parameter "up_log_extended_reason_for_incomplete_match" is set to 1, the Security Gateway may crash. |
PRJ-41580, |
Security Gateway |
In some scenarios, the CPD process may unexpectedly exit. |
PRJ-40109, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL. |
PRJ-43127, |
Security Gateway |
Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption. |
PRJ-39575, |
Security Gateway |
The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active. |
PRJ-41624, |
Security Gateway |
When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672. |
PRJ-40917, |
Security Gateway |
The Security Gateway may crash because of memory corruption, and the following error appears in the /var/log/message file: "[XXX] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>". |
PRJ-39332, |
Security Gateway |
After an upgrade, Access Control policy installation may fail with an "Update process is already running" message. |
PRJ-35110, |
Security Gateway |
There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling". |
PRJ-41416, |
Security Gateway |
The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs. |
PRJ-40974, |
Threat Prevention |
Threat Prevention policy installation may fail with a "Connection aborted by Peer" message. |
PRJ-41316, |
Threat Prevention |
Threat prevention policy installation fails if a Custom Intelligence Feeds name includes unsupported characters. |
PRJ-41489, |
Threat Prevention |
Loading of Custom Intelligence Feeds with authentication may fail. |
PRJ-38722, |
Threat Prevention |
File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled. |
PRJ-40936, |
Threat Prevention |
In a rare scenario, the Security Gateway may have a memory allocation issue. |
PRJ-41439, |
Threat Prevention |
After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. |
PRJ-38665, |
Threat Prevention |
The DLPU process may unexpectedly exit with a core dump file. |
PRJ-43360 |
Threat Extraction |
In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe". |
PRJ-36509, |
Identity Awareness |
The CPU utilization of the PDP daemon may be high during a specific authentication flow. |
PRJ-38543, |
Identity Awareness |
The PDPD daemon may frequently exit during the user authentication flow. |
PRJ-31975, |
Identity Awareness |
Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot. |
PRJ-34571, |
Identity Awareness |
SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query. |
PRJ-41820, |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification. |
PRJ-42506, |
Application Control |
In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher. |
PRJ-32992, |
IPS |
In some scenarios, IPS logs do not show the correct memory and CPU utilization when IPS is bypassed. |
PRJ-41655, |
IPS |
Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps. |
PRJ-39753, |
Anti-Virus |
The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked. |
PRJ-41216, |
Anti-Virus |
In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash. |
PRJ-43181, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and create core dump files. |
PRJ-41973, |
Mobile Access |
After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing. |
PRJ-32969, |
Mobile Access |
Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244. |
PRJ-40833, |
Mobile Access |
After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail. |
PRJ-32972, |
Mobile Access |
Push notification may not be working with the legacy Mobile Access (MAB) Portal. Refer to sk176243. |
PRJ-38460, |
Mobile Access |
In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance". |
PRJ-40745, |
ClusterXL |
The cphaprob show_bond command does not show newly added subordinates from Virtual Systems (VSs). |
PRJ-42928, |
ClusterXL |
A Hide NAT port may be allocated twice causing the "out of state" drops. |
PRJ-37151, |
ClusterXL |
In an Active/Active cluster, a member may reboot because of a memory corruption issue. |
PRJ-39184, |
ClusterXL |
In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory because of a memory leak. |
PRJ-42445, |
SecureXL |
The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364. |
PRJ-42073, |
SecureXL |
In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot. |
PRJ-42230, |
SecureXL |
DNS Traffic Steering feature does not work over TCP. |
PRJ-41691, |
SecureXL |
The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP. |
PRJ-42145, |
SecureXL |
SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios. |
PRJ-40266, |
CoreXL |
Connections matching the Access Control rules may get timed out, although they should be rejected according to the configuration. |
PRJ-41504, |
Routing |
Some invalid nexthop and destination addresses from remote BGP peers may be incorrectly handled, causing lost BGP connection. |
PRJ-41724, |
Routing |
The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931. |
PRJ-41870, |
Routing |
Gaia API request "show-routes" may fail with the "generic error" and the ROUTED core dump is generated. |
PRJ-41708, |
Routing |
The ROUTED process may unexpectedly exit when the route does not have a next hop. |
PRJ-41642, |
VPN |
In some scenarios, StrongSwan Client may get disconnected during re-authentication. |
PRJ-41809, |
VPN |
When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels. |
PRJ-40860, |
VPN |
The VPND process may unexpectedly exit. |
PRJ-42729, |
VPN |
In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue. |
PRJ-39171, |
VPN |
Remote Access Client may fail to connect when using machine certificate authentication. |
PRJ-38167, |
VPN |
Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592. |
PRJ-42376, |
VPN |
The IKED process unexpectedly exits when the "Aggressive SLP" (Simultaneous Login Prevention) feature is enabled. |
PRJ-40830, |
VPN |
The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710. |
PRJ-41560, |
VPN |
After an upgrade, the community name may not be visible from SmartView Monitor, and the "snmpwalk" command returns an empty value for this entry. |
PRJ-42310, |
VPN |
Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC). |
PRJ-38516, |
VSX |
SecureXL may not let HTTPS traffic pass through a Virtual Router (VR). |
PRJ-43356, |
VSX |
The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324. See the Critical Information section. |
PRJ-43140 |
Gaia OS |
After an upgrade, the RADIUS Server is unavailable and authentication fails. See the Critical Information section. |
PRJ-41234, |
Gaia OS |
There are trap names duplications in chkpnt.mib and chkpnt-trap.mib which may cause incorrect values when using SNMP traps. |
PRJ-41409, |
Gaia OS |
When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed. |
PRJ-34372, |
Gaia OS |
After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups. |
PRJ-41613, |
Gaia OS |
Information about scheduled backup failure is now displayed in Clish, WebUI, and in the error message inside the log file. |
PRJ-41686, |
Gaia OS |
In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function. |
PRJ-42150, |
CloudGuard Network |
Improved performance of pushing Data Center Objects changes to Security Gateways. |
PRJ-42855, |
CloudGuard Network |
A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings. |
PRJ-41846, |
CloudGuard Network |
Improved handling of NSX-T API responses. |
PRJ-42010, |
CloudGuard Network |
When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway. |
PRJ-42115, |
CloudGuard Network |
AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC). |
PRJ-41463, |
CloudGuard Network |
Import of OpenStack Data Center CloudGuard Network objects may fail. |
PRJ-42257, |
CloudGuard Network |
After an upgrade in a Huawei Cloud environment, a network card may be renamed after a reboot. |
PRJ-28732, |
VoIP |
In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651. |
PRJ-40355, |
Scalable Platforms |
When running the "set kernel-routes on/off" and "set domainname <VALUE>" commands through gCLish, the configuration is applied only locally. |
PRJ-36510, |
Scalable Platforms |
In some scenarios, a newly added Security Group Member (SGM) continuously reboots, and there are core dump files for the CONFD process. Refer to sk178405. |
PRJ-40180, |
Scalable Platforms |
In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Module (SGM). |
PRJ-42514, |
Scalable Platforms |
Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic. |
PRJ-40835, |
Scalable Platforms |
In a rare scenario, a non-SMO member may send GARP request over the Management interface, causing traffic impact. |
PRJ-41146, |
Scalable Platforms |
In some scenarios, the SNMPD process may unexpectedly exit. |
PRJ-41473, |
Scalable Platforms |
Configuration of exception entries (asg_excp_conf, see sk175584) does not survive an upgrade. As a result, traffic that was configured to be forwarded to SMO is handled by the original member. |
PRJ-32368, |
Scalable Platforms |
In a dual site environment with two Maestro Hyperscale Orchestrators on each site, the asg diag test may fail in a mixed appliances setup because of a difference in affinity configuration files. |
PRJ-37829, |
Scalable Platforms |
Improved VPN on Quantum Maestro with Security Gateways hidden behind NAT. |
PRJ-41835, |
Scalable Platforms |
SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926. |
PRJ-42558, |
Scalable Platforms |
Policy installation may cause backplane interfaces flapping. This can affect the connectivity with the Maestro Hyperscale Orchestrator, and the members may go to Down state. |
PRJ-39190, |
Scalable Platforms |
When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID. |
PRJ-42947, |
Scalable Platforms |
Optimized the SNMP communication between Security Gateway Module (SGM) and Security Switch Module (SSM) to prevent timeouts. |
PRJ-39318, |
Scalable Platforms |
Failover/failback may cause a non-DR manager member to change state to Down because the ROUTED unexpectedly exits with pnote. |
PRJ-41212, |
Scalable Platforms |
Performance data may not be collected on VSX Security Gateways. |
PRJ-42820, |
Scalable Platforms |
In a Quantum Maestro environment, the sp_upgrade command may fail when working in VSX mode. |
PRJ-42834, |
Scalable Platforms |
When trying to perform the downgrade procedure, a Site may be stuck in Backup state. The issue occurs if, before the downgrade, this Security Group was first upgraded and then its topology was changed. |
Take 81 Released on 22 Nov 2022 and declared as Recommended on 2 January 2023 |
||
PRJ-41364 |
SecureXL |
NEW: Added support for enabling Hardware Acceleration in Quantum LightSpeed Appliances. Refer to sk179432. |
PRJ-45565, ACCHA-2110 |
Gaia OS |
The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728. |
PRJ-42687 |
Harmony Endpoint |
Refer to sk180230. See the Critical Information section. |
PRJ-41507, |
Scalable Platforms |
After an upgrade to Jumbo Hotfix Accumulator R81.10 Take 75 or higher, a member may be in Down state with a "pull_config" pnote. |
Take 79 Released on 24 October 2022 and declared as Recommended on 21 November 2022 |
||
PRJ-38348, |
Diagnostics |
The CPVIEWD process may cause CPU spikes. |
PRJ-40819, |
Security Management |
NEW: It is now possible to clone Access and HTTPS Inspection layers via Management REST API. |
PRJ-41083, |
Security Management |
UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down. |
PRJ-40000, |
Security Management |
UPDATE: Added a new API version (1.8.1). Refer to Management API Reference. |
PRJ-31201, |
Security Management |
UPDATE: Audit logs for Access Control rules now contain more information about the rule. |
PRJ-39462, |
Security Management |
UPDATE: Management API performance improvements:
|
PRJ-40100, PMTR-72725 |
Security Management |
After a policy installation failure, fetching policy on the Security Gateway side by running the "fw fetch local" command may also fail. |
PRJ-37912, |
Security Management |
The flag "--method" for a CME command is not supported in SmartConsole Command Line. |
PRJ-37339 |
Security Management |
Objects that do not belong to groups may be shown in the Group Membership view in SmartConsole. |
PRJ-40205, |
Security Management |
In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144 |
PRJ-38709, |
Security Management |
Login to Domain via Management API using FQDN as the Domain parameter may fail with the "Domain not found" error. |
PRJ-38218, |
Security Management |
If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status. |
PRJ-39805, |
Security Management |
In Object Explorer, when filtering by type, all other filters may disappear until the selected filter is removed. |
PRJ-40587, |
Security Management |
The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645. |
PRJ-40408, |
Security Management |
Editing a Threat Profile object using Ansible automation tool may fail. |
PRJ-38426, |
Security Management |
Login to Management Server may fail if a trusted client has a subnet mask defined in CIDR notation. Refer to sk177743. |
PRJ-39409, |
Security Management |
In the Object Explorer window in SmartConsole, numeric columns are sorted alphabetically, although they should be sorted in numerical order. |
PRJ-40516, |
Security Management |
Adding members to a user group may fail when using Management API. |
PRJ-33896, |
Security Management |
Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled. |
PRJ-40646, |
Security Management |
Deleting a Security Gateway in SmartConsole may fail. |
PRJ-41098, |
Security Management |
The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot. |
PRJ-38789, |
Security Management |
Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524. |
PRJ-39210, |
Security Management |
The output of the "show opsec-application" API command may not show the host object name or UID. |
PRJ-38457, |
Security Management |
High Availability synchronization may fail with the "Failed to update shared licenses" error. |
PRJ-33922, |
Security Management |
Some unused sessions may remain open in the system, consuming memory and CPU. |
PRJ-40721, |
Security Management |
Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object. |
PRJ-40851, |
Security Management |
The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command. |
PRJ-39538, |
Security Management |
An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587. |
PRJ-39223, |
Security Management |
An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain". |
PRJ-40058, |
Security Management |
An Application Control and URL Filtering update may still occur even if the latest version is already installed. |
PRJ-39334, |
Security Management |
Install Policy Presets may fail with the "Install Policy Failed: Could not commit JPA transaction" error. |
PRJ-40547, |
Security Management |
After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors. |
PRJ-40810, |
Security Management |
SmartConsole may unexpectedly disconnect. |
PRJ-40170, |
Multi-Domain Management |
A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours. |
PRJ-39489, |
Multi-Domain Management |
In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect. |
PRJ-38125, PRHF-23066 |
Multi-Domain Management |
Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message. |
PRJ-41286, |
Web SmartConsole |
UPDATE: Released Take 67 with new features and improvements. Refer to sk170314. |
PRJ-40613, |
Compliance |
In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it. |
PRJ-41022, |
CPView |
NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566. |
PRJ-36192, |
Logging |
UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT. |
PRJ-29738, |
Logging |
In SmartView, exporting views or reports that do not have tables may indefinitely continue processing. |
PRJ-40194, |
Logging |
After an upgrade from R81 to R81.10, maintenance cleanup may remove some recent logs while not erasing other logs from the disk. |
PRJ-28112, |
Logging |
In rare scenarios, logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server. |
PRJ-39590, |
Logging |
The FWD process may unexpectedly exit and create core dump files. |
PRJ-40358, |
Logging |
In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596. |
PRJ-30965, EPS-562 |
Logging |
In some scenarios, the Forensics report fails to open from Harmony Endpoint logs. |
PRJ-36477, |
Logging |
In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713. |
PRJ-32207, |
Logging |
The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records. |
PRJ-41360, |
Logging |
Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully. |
PRJ-41103, |
Logging |
When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name. |
PRJ-34680, |
Security Gateway |
UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215. |
PRJ-40505, |
Security Gateway |
UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750). |
PRJ-38144, |
Security Gateway |
UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1. |
PRJ-40098, |
Security Gateway |
UPDATE:
|
PRJ-40459, |
Security Gateway |
In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway. |
PRJ-38591, |
Security Gateway |
In a cluster environment, an ICAP implied rule may not be enforced after policy installation. |
PRJ-35393, |
Security Gateway |
It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE". |
PRJ-39640, |
Security Gateway |
When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged. Refer to sk179431. |
PRJ-41091, |
Security Gateway |
A kernel crash may occur during system shutdown when PIM is enabled. |
PRJ-39927, |
Security Gateway |
When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files. |
PRJ-41030, |
Security Gateway |
Topology auto update may fail because of a too long interface name. |
PRJ-41033, |
Security Gateway |
The Security Gateway may run out of memory when retrieving topology. |
PRJ-37210, |
Security Gateway |
During a failover, BGP session may be re-established due to equal connection timers between two Security Gateways. |
PRJ-40024, |
Security Gateway |
Access Control policy installation may fail with a "Load on Module failed - problem with the Commit Function" message. |
PRJ-36867, |
Security Gateway |
After an upgrade, VSX cluster may have frequent failovers. |
PRJ-38553, |
Security Gateway |
After an upgrade, Anti-Virus Blade may cause increased memory consumption. |
PRJ-39580, |
Security Gateway |
In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash. |
PRJ-40139, |
Security Gateway |
When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995. |
PRJ-40500, |
Security Gateway |
Bond subordinates may be visible in the wrong plane. |
PRJ-40255, |
Security Gateway |
There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server. |
PRJ-34172, |
Security Gateway |
After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash. |
PRJ-39520, |
Security Gateway |
Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886. |
PRJ-40793, |
Security Gateway |
Enhanced connectivity during HTTP2 Inspection. |
PRJ-34404, |
Security Gateway |
Deleting IP addresses in the SAM Database may fail. |
PRJ-27779, |
Security Gateway |
The RAD daemon may fail and create core dump files on VSX Gateways. |
PRJ-40016, |
Security Gateway |
The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP). |
PRJ-40863, |
Security Gateway |
Improved the recovery mechanism for Dynamic Balancing. |
PRJ-41720, |
Security Gateway |
The Security Gateway with enabled Anti-Virus Blade may experience a memory allocation issue. |
PRJ-40390, |
Internal CA |
UPDATE: Added an automatic extension for Internal CA database to support more than 100,000 certificates. |
PRJ-40393, |
Internal CA |
UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424. |
PRJ-40433, |
Threat Prevention |
UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output. |
PRJ-39989, |
Threat Prevention |
UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time. |
PRJ-29736, |
Threat Prevention |
SCP connections may get terminated. |
PRJ-40344, |
Threat Prevention |
The Custom Intelligence Feeds feature may stop enforcing traffic after Threat Prevention policy installation. |
PRJ-37560, |
Threat Prevention |
IoC feeds configured in R80.30 cause authentication problems after an upgrade to R81.10. Refer to sk180440. |
PRJ-34889, |
Threat Prevention |
When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated. |
PRJ-40593, |
Threat Prevention |
There may be Security Gateway memory allocation issues related to creating a new Anti-Malware policy. |
PRJ-41277, |
Threat Prevention |
Adding hash indicators may cause policy installation to fail with a warning message. |
PRJ-40856, |
Threat Prevention |
IoC feed may not load because of a parsing issue with the IP range indicator. |
PRJ-40446, |
Threat Prevention |
Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577. |
PRJ-40438, |
Threat Prevention |
A kernel memory leak may occur during deep file inspection. |
PRJ-39828, |
Identity Awareness |
Removed unnecessary debug messages in the Identity revocation flow. |
PRJ-35836, |
Identity Awareness |
Memory consumption may increase after policy installation when Secure ID is configured. |
PRJ-39162, |
Identity Awareness |
The Nested Groups Depth value changed in CLI may not survive a reboot. |
PRJ-36385, |
Application Control |
Refer to sk178406. |
PRJ-29436, |
URL Filtering |
When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly. |
PRJ-36136, |
URL Filtering |
In some scenarios, SSL websites are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283. |
PRJ-38816, |
URL Filtering |
When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason. |
PRJ-36435, |
IPS |
When ClusterXL is configured, a file may pass without inspection during a failover. |
PRJ-31432, |
IPS |
Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization. |
PRJ-37727, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290. |
PRJ-33295, |
Anti-Virus |
Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag". |
PRJ-39152, |
Anti-Bot |
|
PRJ-40261, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification. |
PRJ-34074, |
Mobile Access |
Manual Web Form Single Sign-On (SSO) may fail when passwords contain special characters. |
PRJ-38436, |
Mobile Access |
When installing a specific hotfix, the CVPND process may unexpectedly exit. |
PRJ-35511, |
ClusterXL |
UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers. |
PRJ-39840, |
ClusterXL |
When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member. |
PRJ-37944, |
ClusterXL |
In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446. |
PRJ-40201, |
ClusterXL |
In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members. |
PRJ-39959, |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade, there may be state flapping when using the sync interface MAC address bit "02". |
PRJ-36734, |
ClusterXL |
In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage. |
PRJ-37632, |
SecureXL |
UPDATE: The MSS value in the SYN Cookie response can now be configured. |
PRJ-39074, |
SecureXL |
UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960. |
PRJ-40295, |
SecureXL |
A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode. |
PRJ-41482, |
SecureXL |
After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops". |
PRJ-36859, |
SecureXL |
Policy installation may cause cluster failover and impact the traffic flowing through the cluster. |
PRJ-40220, |
SecureXL |
In a rare scenario, ipsctl kernel module does not load at startup. |
PRJ-39739, |
SecureXL |
There may be high CPU or/and latency in CIFS/SMB connections. |
PRJ-41957 |
SecureXL |
SecureXL may drop traffic on a VSX Gateway with a Virtual Router (VR) or Virtual Switch (VSW), when IPS Blade is enabled. |
PRJ-40550, |
Routing |
Route Injection Mechanism (RIM) feature may advertise kernel routes that cannot be used (for example, the cable is unplugged, and the network interface is down). This may lead to traffic loss. |
PRJ-41208, |
Routing |
When changing PIM configuration, the ROUTED process may unexpectedly exit and generate a core dump due to a race condition. |
PRJ-40548, |
Routing |
If Route Injection Mechanism (RIM) is enabled, and RIM routes are added for destinations that already had dynamic or static routes, the RIM routes are deleted in favor of the existing routes. Losing routes can result in loss of connectivity. |
PRJ-40092, |
Routing |
When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file. |
PRJ-40748, |
Routing |
The ROUTED process may unexpectedly exit when querying BGP data. |
PRJ-36891, |
VPN |
UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on. |
PRJ-41241, |
VPN, Multi-Portal |
UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434. |
PRJ-40730, |
VPN |
UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271. |
PRJ-38634, |
VPN |
Connection to Endpoint Security Client from the Remote Access VPN may be lost when the VPN tunnel timeout is reached. Refer to sk178891. |
PRJ-40386, |
VPN |
The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart. |
PRJ-40870, |
VPN |
Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage. |
PRJ-39808, |
VPN |
Adding a Security Gateway Module (SGM) to a Security Group may cause the Security Gateway crash when Link Selection is enabled in Load Sharing mode. |
PRJ-40562, |
VPN |
Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705. |
PRJ-39236, |
VPN |
When connecting to Capsule VPN on iOS in a Multi-Domain Server or Scalable Platforms environment, loading a website may take up to one minute. |
PRJ-40555, |
VPN |
When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources. |
PRJ-40664, |
VPN |
There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled. |
PRJ-36711, |
VPN |
Improved Site-to-Site VPN stability. |
PRJ-39584, |
VPN |
In a rare scenario, when pushing a policy, the VPND process may unexpectedly exit. |
PRJ-40583, |
VPN |
Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled. |
PRJ-37785, |
VPN |
In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121. |
PRJ-39894, |
VSX |
UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode. |
PRJ-39888, |
VSX |
Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481. |
PRJ-40799, |
VSX |
Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output. |
PRJ-39712, |
VSX |
When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway. |
PRJ-39768, |
VSX |
Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command. |
PRJ-40649, |
VSX |
The VSX Provisioning Tool may unexpectedly exit when adding a new virtual device. |
PRJ-40666, |
VSX |
When changing VSLS configuration with vsx_util, setting a new weight for each VS in Automatic mode fails with the "Operation failed. Can't write to database" error. Refer to sk179655. |
PRJ-38094, |
VSX |
The "Primary Slave" configuration in a Bond (MAGG) interface may not be applied to a Security Group. Refer to sk178765. |
PRJ-41363, |
VSX |
A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation. |
PRJ-42180, |
VSX |
Pushing configuration to a virtual device in a Maestro VSX environment may fail. Refer to sk180107. See the Critical Information section. |
PRJ-40251, |
VSX |
In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash. |
PRJ-40073, |
VSX |
A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586. |
PRJ-40361, |
VSX |
Improved packet rate performance on warp interfaces. |
PRJ-34096, |
VSX |
When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown. |
PRJ-34323, |
VSX |
The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command. |
PRJ-39982, |
VSX |
The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591. |
PRJ-27514, |
Gaia OS |
UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970. |
PRJ-40409, PRJ-42486 |
Gaia OS |
UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653. |
PRJ-39480, |
Gaia OS |
For TACACS users the ">" character is missing to separate the hostname from the commands. The fix is only cosmetic. |
PRJ-36698, |
Gaia OS |
The /var/log/messages file may be flooded with "failed to update arp table file" messages. |
PRJ-40769, |
Gaia OS |
IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file. |
PRJ-40028, |
Gaia OS |
A user locked by the deny-on-nonuse mechanism cannot get unlocked. |
PRJ-40478, |
Gaia OS |
The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS). |
PRJ-40206, |
Gaia OS |
Editing RADIUS Server details multiple times may lead to deletion of this Server in WebUI. |
PRJ-41147, |
Gaia OS |
A web session on Quantum Maestro may be expired after a minute, although the configured timeout is 10 minutes. |
PRJ-40993, |
Gaia OS |
When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted. |
PRJ-32418, |
Harmony Endpoint |
Web Remote Help returns to the sign-in page after generating the response code. Refer to sk172666. |
PRJ-39026, |
Scalable Platforms |
When the "cphaprob list" command fails, CoreXL configuration pnote is not shown when expected. The issue is cosmetic only. |
PRJ-39908, |
Scalable Platforms |
CPAC-TR-10T-C transceiver is displayed as unsupported, although it is supported. |
PRJ-39842, |
Scalable Platforms |
During boot of Maestro Orchestrator, a "Linking SMO files: Not an integer value child process exited abnormally" message may be shown. The issue is cosmetic only. |
PRJ-40908, |
Scalable Platforms |
After an upgrade of a Maestro Orchestrator to R81.10 version, several Maestro Orchestrator Clish commands may fail with errors messages. |
PRJ-32196, |
Scalable Platforms |
In a VSX setup that includes members only in Site 2, asg monitoring commands (such as asg stat vs all) may incorrectly present Chassis 2 state as "N/A". |
PRJ-40342 |
Scalable Platforms |
CPUSE upgrade of Scalable Platforms may fail. |
PRJ-37793, |
Scalable Platforms |
An outage may occur when all Security Gateways are physically disconnected from one of the two Maestro Orchestrators on a dual site. |
PRJ-40454, |
Scalable Platforms |
The asg_perf test may show incorrect data related to acceleration cores number and CPU usage. |
PRJ-40885, |
Scalable Platforms |
HCP may report a false failure on the Maestro Orchestrator Daemons State test. |
PRJ-38177, |
Scalable Platforms |
When removing a Security Group from Maestro Orchestrator WebUI, Site 2 Gateways may be missing from the Unassigned Gateways pane until the refresh button is clicked. |
PRJ-41297, |
Scalable Platforms |
When NAT is configured on both Source and Destination, with delayed sync enabled, connection drops may occur. |
PRJ-40528, |
Scalable Platforms |
Improved packet processing on MHO-175 to avoid sudden drops. |
PRJ-41379, |
CloudGuard Network |
UPDATE: Added support for pushing CloudGuard Controller updates to Gateways with MDPS enabled. However, these updates are not supported on clusters. Refer to sk138672. |
PRJ-41371, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region. |
PRJ-35829, |
CloudGuard Network |
NSX-T NSGroup appears as the default prefix in the domain name. |
PRJ-40840, |
CloudGuard Network |
Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways. |
PRJ-41748, |
Public Cloud CA Bundle |
Added Take 19 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-41144, |
Smart-1 Cloud |
Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-40671, |
HCP |
Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 78 Released on 11 October 2022 and declared as Recommended on 19 October 2022 |
||
PRJ-42051, PRHF-25946 |
Threat Prevention |
Threat Prevention policy cannot be installed on R80.40 and lower Security Gateways when using a Security Zone object in the "Source" column. Refer to sk177605. See the Critical Information section. |
PRJ-42199 |
Scalable Platforms |
On 16600 / 28600HS Quantum Maestro appliances, interfaces can disappear after uninstalling the Jumbo Hotfix. See the Critical Information section. |
Take 75 Released on 1 September 2022 |
||
PRJ-41205 |
Installation |
Refer to sk179799. See the Critical Information section. |
PRJ-34854, |
Security Management |
UPDATE: Added validation of Custom Application/Site objects to prevent configuring invalid URLs, which causes Access policy installation failure. Refer to sk175187. |
PRJ-38152, |
Security Management |
UPDATE: Improved Access Policy installation time. |
PRJ-37260, |
Security Management |
In a large scale environment, the Management API command "show-access-rulebase" may take a significant amount of time to complete or time out after 5 minutes. |
PRJ-36921, |
Security Management |
When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway. |
PRJ-37524, |
Security Management |
Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server. |
PRJ-37710, |
Security Management |
Install Policy preset fails if the Threat Prevention policy was uninstalled. |
PRJ-35656, |
Security Management |
The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment. |
PRJ-35313, |
Security Management |
The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410. |
PRJ-35532, |
Security Management |
An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode. |
PRJ-37505, |
Security Management |
In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message. |
PRJ-37028, |
Security Management |
Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background. |
PRJ-37764, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-38065, |
Security Management |
When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully. |
PRJ-39472, |
Security Management |
Management HA synchronization may fail with the "NGM failed to import data" error. |
PRJ-38401, |
Security Management |
An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue. |
PRJ-37400, |
Security Management |
Global Policy Assignment may fail with the "Failed to connect to FWM" error when the Domain is Active on the remote Multi-Domain Management Server. |
PRJ-38800, |
Security Management |
In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running it with "details-level full". |
PRJ-38616, |
Security Management |
A deleted Security Gateway may appear as unavailable in the Gateways&Servers view. |
PRJ-37200, |
Security Management |
The Management API command "show-vpn-communities-star" for Diffie-Hellman group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054. |
PRJ-38181, |
Security Management |
Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration. |
PRJ-34154, |
Security Management |
Packet mode search in HTTPS Inspection policy may not work. |
PRJ-39211, |
Security Management |
The "Throughput/sec" column in the Gateways&Servers view may show "N/A" instead of the actual value. |
PRJ-39529, |
Security Management |
Improved memory usage and performance of Access Policy installation when numerous Network Groups are used in the Access Rule Base. |
PRJ-33689, |
Security Management |
The Management API command "show object" may fail on a specific UID with a "Null Pointer exception" message. |
PRJ-35061, |
Security Management |
Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224. |
PRJ-38121, |
Security Management |
Policy installation may fail with "an internal error" because of an orphan policy issue. Refer to sk122954. |
PRJ-35606, |
Security Management |
In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab. |
PRJ-37887, |
Security Management |
Editing an object may fail with the "Could not access file for write operation" error. |
PRJ-37510, |
Security Management |
Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag. |
PRJ-37636, |
Security Management |
After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted. |
PRJ-38742, |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit and create a core dump. |
PRJ-39021, |
Licensing |
|
PRJ-37989, |
SmartConsole |
After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated. |
PRJ-39119, |
Web SmartConsole |
UPDATE: Released Take 59 with new features and improvements. Refer to sk170314. |
PRJ-35672, |
SmartProvisioning |
UPDATE: To prevent duplicates issue in LSM REST API, it is no longer possible to create an object with the same name but written in a different letter case. |
PRJ-35065, |
SmartProvisioning |
UPDATE: It is now possible to make a change in the provisioning profile of a cluster via the API command "set lsm-cluster" using the UID parameter. |
PRJ-36053, |
SmartProvisioning |
The "set-lsm-gateway" command may fail during the SIC initialization. |
PRJ-39856, |
SmartProvisioning |
After deleting an LSM object, the Security Gateway can still communicate and fetch policy from the Management Server. |
PRJ-38317, |
SmartProvisioning |
The PostgreSQL database fully utilizes disk space on the Multi-Domain Management Server when SmartProvisioning is enabled in a large scale environment. Refer to sk178889. |
PRJ-37103, |
Logging |
UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125. |
PRJ-36463, |
Logging |
When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start. |
PRJ-35997, |
Logging |
Logs with actions "Expired" and "Hold" may be missing from the Logging view. |
PRJ-38416, |
Logging |
When there are several Log Servers, a log distribution issue may occur. |
PRJ-39297, |
Logging |
An error may occur when changing default Time Frame while the SmartView language is not English. |
PRJ-39680, |
Logging |
When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells. |
PRJ-39677, |
Logging |
A CSV file exported from SmartView may contain duplicated lines of headers. |
PRJ-33817, |
Logging |
The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position. |
PRJ-36028, |
Logging |
In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly. |
PRJ-36021, |
Logging |
In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches. |
PRJ-39668, |
Security Gateway |
It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672. |
PRJ-36121, |
Security Gateway |
In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect. |
PRJ-38077, |
Security Gateway |
The Security Gateway may crash with a vmcore. |
PRJ-27917, |
Security Gateway |
When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995. |
PRJ-41000, |
Security Gateway |
In a VSX environment, SNMP queries to OSPF OIDs may fail. |
PRJ-39216, |
Security Gateway |
The Security Gateway may crash during PM Stats collection. |
PRJ-37519, |
Security Gateway |
The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options. |
PRJ-39686, |
Security Gateway |
An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump. |
PRJ-37953, |
Security Gateway |
There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs. |
PRJ-40442, |
Security Gateway |
When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency. |
PRJ-41456, |
Security Gateway |
During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency. |
PRJ-36568, |
Internal CA |
UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096. |
PRJ-36294, |
Threat Prevention |
A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file. |
PRJ-39196, |
Threat Prevention |
In a scenario, when Ant-Virus Blade is enabled, the Security Gateway may crash during policy installation. |
PRJ-39324, |
Threat Prevention |
Improved memory consumption by decreasing the size of the mal_conns table. |
PRJ-38685, |
Threat Prevention |
In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout |
PRJ-40397, |
Threat Prevention |
Added Update 15 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109. |
PRJ-41446, |
Threat Prevention |
In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)". See the Critical Information section. |
PRJ-36522, |
IPS |
Improved detection in some IPS protections. |
PRJ-39063, |
IPS |
In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports. |
PRJ-35293, |
Mobile Access |
In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash. |
PRJ-34725, |
Mobile Access |
In some scenarios, the Mobile Access applications fail to login because the Security Gateway may not forward HTTP request cookies of some browser-initiated requests to an internal Server. |
PRJ-39154, |
Mobile Access |
Login to Mobile Access Citrix application may fail. |
PRJ-34871, |
ClusterXL |
UPDATE: Added support for the "Same VMAC" feature. |
PRJ-31527, |
ClusterXL |
UPDATE: Added a new Gaia Clish command "show cluster members monitored" to show cluster monitored IP addresses of all the members in a table format. This command is equivalent to the Expert mode command "cphaprob -m tablestat". |
PRJ-38615, |
ClusterXL |
When moving a cluster from Unicast to Multicast LS, Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic lost. |
PRJ-37490, |
ClusterXL |
In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state. |
PRJ-38820, |
ClusterXL |
Local connection from the Management interface on a non-standard port (e.g. 8000) may fail. |
PRJ-36604, |
ClusterXL |
Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade. |
PRJ-37883, |
ClusterXL |
Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size. |
PRJ-39084, |
ClusterXL |
VPN may not operate correctly on ClusterXL in Load Sharing mode and Scalable Platforms (Quantum Maestro and Chassis). This causes sporadic but frequent traffic drops. Refer to sk179808. See the Critical Information section. |
PRJ-37814, |
SecureXL |
NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603. |
PRJ-38595, |
SecureXL |
UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds. |
PRJ-32710, |
SecureXL |
UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces will not use the alias IP as the local IP address of the tunnel. |
PRJ-39010, |
SecureXL |
SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped. |
PRJ-39004, |
SecureXL |
SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop. |
PRJ-38560, |
Routing |
UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. Refer to sk178484. |
PRJ-38983, |
Routing |
There may be high CPU utilization and slow recovery of the ROUTED process after a failover. |
PRJ-38984, |
Routing |
A buffer overflow may cause the ROUTED process to exit with PNOTE. |
PRJ-38985, |
Routing |
It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time. |
PRJ-36940, |
Routing |
In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF. |
PRJ-37941, |
VPN |
NEW: KAT tests for IKE and TLS are now validated for FIPS certification. |
PRJ-37775, |
VPN |
Capsule Connect (IPSec VPN) may fail to re-authenticate. |
PRJ-35422, |
VPN |
When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field. |
PRJ-32681, |
VPN |
An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage. |
PRJ-37549, |
VPN |
In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536. |
PRJ-37556, |
VPN |
An outage may occur when using IKEv2. |
PRJ-39065, |
VPN |
Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure. |
PRJ-36451, |
VSX |
UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole. |
PRJ-32408, |
VSX |
The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860. |
PRJ-33316, |
VSX |
The FWM process may unexpectedly exit after using the VSX Provisioning tool. |
PRJ-32478, |
VSX |
When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction. |
PRJ-32707, |
VSX |
After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS. |
PRJ-37807, |
VSX |
Running the "vsx_util vsls" command may end with the "Segmentation fault" error. |
PRJ-28951, |
VSX |
Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950. |
PRJ-38829, |
VSX |
The FWK process of Virtual Switch (VSW) may consume a high CPU. |
PRJ-38409, |
VSX |
When creating a virtual system, the "Failed to create Virtual System directories" error is displayed. |
PRJ-34767, |
VSX |
When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file. |
PRJ-38794, |
VSX |
In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt. |
PRJ-38011, |
VSX |
"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg. |
PRJ-38727, |
VSX |
When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version. |
PRJ-40704, |
VSX |
A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member". |
PRJ-40950, |
VSX |
The VSX Security Gateway may crash when pushing a policy after deleting an interface. Refer to sk179820. See the Critical Information section. |
PRJ-36525, |
Gaia OS |
NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN info (interface creation, IP, MTU, comments, state). |
PRJ-35586, |
Gaia OS |
UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters. |
PRJ-39379, |
Gaia OS |
The CONFD process may unexpectedly exit and generate a core dump file. |
PRJ-40366, |
Gaia OS |
Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579. |
PRJ-38960, |
Gaia OS |
When loading a configuration file to the new Security Gateway, VLAN interfaces may not be added to the bridge as expected. |
PRJ-37349, |
Gaia OS |
When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful. |
PRJ-38231, |
Gaia OS |
When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue. |
PRJ-39096, |
Gaia OS |
Dynamic routing SNMP OID polling may work only in VSX mode. |
PRJ-29673, |
CloudGuard Network |
UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time. |
PRJ-38569, |
CloudGuard Network |
UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway. |
PRJ-33578, |
CloudGuard Network |
When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments". |
PRJ-38871, |
CloudGuard Network |
After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources. |
PRJ-38071, |
CloudGuard Network |
Policy install or publish may fail because of the CPM process operations overload. |
PRJ-40198, |
CloudGuard Network |
Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS). |
PRJ-39798, |
CloudGuard Network |
Importing NSX-T Data Center NSGroups with more than 1000 IP addresses may fail and lead to an outage. |
PRJ-38644, |
VoIP |
NEW: Added a new tab for VoIP monitoring in CPView. |
PRJ-39817, |
VoIP |
The Security Gateway may crash when running UDP and TCP SIP traffic. |
PRJ-40930, |
VoIP |
After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". |
PRJ-39110, |
Scalable Platforms |
UPDATE: Added ability to change CIN interface IP ranges. Refer to sk179028. |
PRJ-37469, |
Scalable Platforms |
UPDATE: When creating a new Security Group on Quantum Maestro, it is mandatory to configure First Time Wizard settings. |
PRJ-35111, |
Scalable Platforms |
UPDATE: The asg_info command is no longer supported on Scalable Platforms. The "cpinfo -Q" command should be used instead. |
PRJ-39636, |
Scalable Platforms |
The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10. |
PRJ-38297, |
Scalable Platforms |
During Jumbo Hotfix Accumulator installation, the sgm_lsp core dump may be created. |
PRJ-38483, |
Scalable Platforms |
When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647. |
PRJ-38699, |
Scalable Platforms |
The ROUTED process may unexpectedly exit when OSPF is configured as P2P. |
PRJ-39720, |
Scalable Platforms |
Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic. |
PRJ-39115, |
Scalable Platforms |
The "asg_excp_conf get" command may fail. Existing exceptions cannot be printed due to unaligned exception max size between kernel and userspace (cphaprob). |
PRJ-34872, |
Scalable Platforms |
In some scenarios, CPWD and HCP report the CPUS_USGS process as terminated. |
PRJ-35285, |
Scalable Platforms |
A cluster member may fail to perform FullSync and remain in Down state with FULLSYNC PNOTE. |
PRJ-39997, |
Scalable Platforms |
When a Maestro Security Gateway is active again after a reboot, the LACP bond may drop incoming and outgoing packets. |
PRJ-36092, |
Scalable Platforms |
A Security Gateway may not be added to the Security Group distribution matrix when moving from a site with two MHOs to a single MHO. |
PRJ-37640, |
Scalable Platforms |
The "asg_copy_capture" logs repeatedly appear in the var/log/messages file. The reason given in the logs is "capture file was not found on remote SGMs". |
PRJ-33924, |
Scalable Platforms |
On Scalable platform Chassis in VSX mode, when adding a new member to Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error. |
PRJ-41043 |
Scalable Platforms |
Disk partition of the /var/log directory on Quantum Maestro appliances may fail. |
PRJ-40309, |
HCP |
Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 66 Released on 29 June 2022 and declared as Recommended on 19 July 2022 |
||
PRJ-40378, PMTR-84711 |
Gaia OS |
After an upgrade, there are SSH connectivity issues, when the "allowed-host" feature in Clish is enabled. |
PRJ-39899 |
Scalable Platforms |
In some scenarios, the asg_perf_hogs test shows that SecureXL is disabled while it is enabled. Refer to sk179424. See the Critical Information section. |
Take 61 Released on 2 June 2022 |
||
PRJ-38783, |
Security Management |
NEW: Added a new Management API command "show-servers-and-processes" to show the status of all processes on the Multi-Domain Server and all Domain Management / Log Servers. |
PRJ-36588, PMTR-72224 |
Security Management |
NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509. This applies both to SmartProvisioning and SmartUpdate. |
PRJ-33297, |
Security Management |
UPDATE: LSM Cluster objects names can now be defined without using the prefix and suffix options. |
PRJ-33953, |
Security Management |
Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain. |
PRJ-34774, |
Security Management |
When adding a new Interface to an existing Cluster via Management API, the operation may fail with an "Action Failed due to an Internal Error" message. |
PRJ-35951, |
Security Management |
Compliance results for some rules are not available after changing the "Policy Range" of a user-defined rule to a value below 100%. Refer to sk177544. |
PRJ-35018, |
Security Management |
Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129. |
PRJ-35226, |
Security Management |
When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265. |
PRJ-37496, |
Security Management |
In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249. |
PRJ-37579, |
Security Management |
In some scenarios, after editing Blades in Simple-gateway/Cluster Ansible modules, the Blades are not changed, and Ansible shows that no changes occurred. |
PRJ-37625, |
Security Management |
Upgrade of the secondary Security Management Server or Multi-Domain Management Server may fail due to a High Availability synchronization issue. |
PRJ-33803, |
Security Management |
The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty. |
PRJ-37328, |
Security Management |
In some scenarios, the policy installation may fail after editing the trac_client_1.ttm configuration file. Refer to sk174646. |
PRJ-35758, |
Security Management |
In rare scenarios, deleting a Security Gateway may fail. |
PRJ-37063, |
Security Management |
After installing policy on a new cluster, the cluster object status may be "Not Available", even though all Cluster members statuses changed to "OK". |
PRJ-37368, |
Security Management |
Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy. |
PRJ-33077, |
Security Management |
Updating objects with Management API may fail when editing the "groups" field and object UID is specified. |
PRJ-35299, |
Security Management |
When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile. |
PRJ-36747, |
Security Management |
Accelerated Install Policy may fail with the verification error: "Rule-name has security zone objects that are not attached to any interface used in Cluster-name ", when the rule contains Security Zone and the install-on target is a cluster. |
PRJ-32818, |
Security Management |
In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768. |
PRJ-38149, |
Security Management |
Cloud Shadow Objects verification may take several minutes. |
PRJ-33028, |
Security Management |
IPS profiles and network objects may not be shown in certain views in SmartConsole. |
PRJ-39178, PRHF-23750 |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error. |
PRJ-38394, |
SmartConsole |
UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain. |
PRJ-38038, |
SmartProvisioning |
UPDATE: Added a new Management API command "verify-management-license", it allows to verify whether the Domain Management license covers all installed Security Gateways in the Domain. Refer to sk178544. |
PRJ-38038, |
SmartProvisioning |
LSM devices that were created via the LSM REST API may not fetch the VPN certificate correctly. |
PRJ-38127, PMTR-80530 |
SmartProvisioning |
After an SMB firmware upgrade, policy fetch may fail with the "Version matching problem" error. |
PRJ-38359, PMTR-82092 |
SmartProvisioning |
Improved the time of creating a new LSM object using the LSM API in large environments. |
PRJ-37593, |
SmartView |
UPDATE: Security Check-Up report will now show the new Check Point logo and updated cover page. |
PRJ-36623, |
Logging |
UPDATE: SmartView reports will now show the new Check Point logo. |
PRJ-35977, PRHF-21400 |
Logging |
"Failed to open /opt/CPsuite-R81.10/fw1/log/" messages may appear in the log_indexer.elg file because of files ending with the ".log" suffix although they are not actual log files. |
PRJ-29175, |
Logging |
Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found and " fwbintabreplace: table svm_range_gateways_valid not found" from fwd debug log. |
PRJ-33518, |
Logging |
Improved samples visibility in SmartView Widgets. |
PRJ-34251, |
Logging |
There may be an incorrect error message related to MakeConnection method. |
PRJ-34143, |
Logging |
On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904. |
PRJ-35202, |
Logging |
In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627. |
PRJ-37898, |
Logging |
Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP. |
PRJ-35013, PMTR-75595 |
Logging |
In SmartView, downloading multiple reports from Archive may fail. |
PRJ-36656, |
Security Gateway |
NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled. Refer to sk105740. |
PRJ-31496, |
Security Gateway |
UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. In case a shadow rule exists, the new shadow rule will override the existing shadow rule. |
PRJ-29964, |
Security Gateway |
UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287. |
PRJ-38690, |
Security Gateway |
UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE). |
PRJ-37530, |
Security Gateway |
Improved Gateway internal memory allocation logic. |
PRJ-33931, |
Security Gateway |
Cluster failover may trigger the FWK process to exit, with no traffic impact. |
PRJ-33700, |
Security Gateway |
In some scenarios, file download may fail with the "Connection queue exceeded max size" error. |
PRJ-37013, |
Security Gateway |
Gaia Clish "show" commands for Multi-Queue may fail in a Management Data Plane Separation (MDPS) environment. |
PRJ-37610, |
Security Gateway |
When using the DAIP Gateway object in the Access Rule Base, the "fwdnd_log_info_lookup failed" debug error may appear in the fwk.elg log, if the relevant rule has log track. Refer to sk178670. |
PRJ-37355, |
Security Gateway |
Uninstalling Jumbo Hotfix may cause interfaces to disappear. |
PRJ-27903, |
Security Gateway |
In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection. |
PRJ-36049, |
Security Gateway |
In a rare scenario, DNS connection may be dropped with a "up_manager_cmi_handler_match_cb: connection not found" message. |
PRJ-34728, |
Security Gateway |
In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with one of these errors:
|
PRJ-33860, |
Security Gateway |
In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down. |
PRJ-34789, |
Security Gateway |
In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn". |
PRJ-36516, |
Security Gateway |
In a rare scenario, a memory leak in the FWD process may occur during Threat Prevention policy installation. |
PRJ-39122 |
Security Gateway |
When installing policy with acceleration in a loop, after some time, SIC may get disconnected, and installation fails. Refer to sk180397. |
PRJ-38045, |
Threat Prevention |
Added Update 14 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109. |
PRJ-35185, PRJ-35154 |
Threat Prevention |
While using the Security Zone object in the "Source" column in the Threat Prevention policy, Security Gateways R80.40 and lower do not drop traffic. Refer to sk177605. |
PRJ-36166, |
Identity Awareness |
In a rare scenario, the PDP process may unexpectedly exit with a core dump file. |
PRJ-35853, |
Identity Awareness |
The PEP process may unexpectedly exit. |
PRJ-37545, |
IPS |
In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail. |
PRJ-37980, |
IPS |
In a rare scenario, a traffic outage may occur. |
PRJ-32611, |
IPS |
When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites, the Gateway may drop traffic. |
PRJ-30126, |
SSL Inspection |
When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345. |
PRJ-38258, |
SSL Inspection |
In some scenarios, the FWK process may unexpectedly exit during the TLS handshake. |
PRJ-35071, |
ClusterXL |
When creating a new virtual system, some VSLS parameters like the Virtual System's weight value may be displayed wrong. |
PRJ-35169, |
ClusterXL |
A single cluster member with Dynamic Routing configuration may stay permanently in DOWN state producing routed pnote during a boot. |
PRJ-34397, |
ClusterXL |
When Dynamic Routing protocols are configured on a cluster, a failover to a member that just rebooted may cause a few seconds outage. |
PRJ-35229, |
ClusterXL |
In an Active/Active cluster, potential FTP data connection interruption may occur during failover. |
PRJ-37436, |
ClusterXL |
There may be connectivity issues for multicast traffic in PIM Sparse Mode. |
PRJ-36616, |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510. See the Critical Information section. |
PRJ-36178, |
ClusterXL |
In Virtual Device Status table, in VS0 context, the output shows the Active-Active status on two members instead of Active-Standby. The issue is cosmetic only. |
PRJ-39740, ACCHA-1767 |
SecureXL |
When using tcpdump on the LightSpeed 10/25/40/100G QSFP28 interfaces and the "-i" flag is combined with other flags (for example, -nnni or -ei), tcpdump cannot find the RDMA index. |
PRJ-38503, |
CoreXL |
An Active member in a cluster may make a full reboot during policy installation. |
PRJ-37512, |
Routing |
The "set route-redistribution to rip from interface" CLI command may fail with the load configuration errors. |
PRJ-36438, |
VPN |
Machine Authentication stability improvements for Remote Access Endpoint Clients. |
PRJ-29545, |
VPN |
Newly defined ROBO Gateways cannot connect until policy installation. |
PRJ-38729 |
VPN |
In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767. See the Critical Information section. |
PRJ-37464, |
VPN |
The VPND process may unexpectedly exit. |
PRJ-35048, |
VPN |
In some scenarios, NAT-T tunnel establishment may fail. |
PRJ-34212, |
VPN |
IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name. |
PRJ-37591, |
VPN |
During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high. |
PRJ-29882, |
VPN |
Improved VPN interoperability. |
PRJ-37283, |
VPN |
VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments. |
PRJ-34673, |
VSX |
UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems. |
PRJ-36769, |
VSX |
VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface. |
PRJ-33473, |
VSX |
In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously. |
PRJ-32080, |
VSX |
When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes writing the object to the database to fail. |
PRJ-39511, PMTR-83472 |
VSX |
After creating a VSX Gateway, traffic may not go through the VSX Gateway correctly because of synchronization issues of the cphwd_enable_ecmp parameter with SecureXL. |
PRJ-37618, |
VSX |
After an upgrade from R80.20SP/R80.30SP to R81.10, pushing accelerated policy may cause all non-SMO SG Members to go down. |
PRJ-35505, |
VSX |
There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic. |
PRJ-36689, |
VSX |
In a Multi-Domain environment, the "vsx_util vsls" command may take a few minutes to run. |
PRJ-35279, |
VSX |
In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation. |
PRJ-36788, |
VSX |
The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0. |
PRJ-38204, |
VSX |
In some scenarios, the VSX Security Gateway may not decrease the packet's TTL. |
PRJ-36756, |
Gaia OS |
NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-36088, |
Gaia OS |
WebUI session may end when creating a Role with full permissions. |
PRJ-39097, |
Gaia OS |
Dynamic routing SNMP OID polling may work only in VSX mode. |
PRJ-33555, PMTR-75925 |
Gaia OS |
In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443. |
PRJ-37120, |
VoIP |
When static NAT is configured, VoIP calls may not work. |
PRJ-38024, |
Public Cloud CA Bundle |
Added Take 18 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-37054, |
CloudGuard Network |
In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904. |
PRJ-37604, |
CloudGuard Network |
In Amazon Web Services (AWS), some Gateways may be crashing frequently with vmcores. |
PRJ-36365, |
CloudGuard Network |
When booting up, the NSX-T CloudGuard Gateway may crash. Refer to sk177703. |
PRJ-37948, |
CloudGuard Network |
In some scenarios, mapping of AWS Data Centers may take a long time to complete. |
PRJ-37777, |
CloudGuard Network |
During boot on KVM with 10 or more interfaces, the interface order may change. |
PRJ-37148, |
Smart-1 Cloud |
Added Update 4 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-32820 |
Quantum Appliances |
NEW: Added support for Quantum LightSpeed Appliances Initial Release (Threat Prevention Stream). Refer to sk179432. |
PRJ-36594, |
Scalable Platforms |
NEW: A new module parameter "ccl_correct_dr_between_chassis" is added.
|
PRJ-39644 |
Scalable Platforms |
UPDATE: Added PIM support for Scalable Platforms. |
PRJ-39964 |
Scalable Platforms |
UPDATE:The "asg_perf_hogs" test was moved from asg_diag to HCP. Refer to sk171436. |
PRJ-28273, |
Scalable Platforms |
|
PRJ-36649, |
Scalable Platforms |
Running "cphaconf debug_data" in VSX context may cause the Gateway to crash. |
PRJ-36916, |
Scalable Platforms |
During policy installation the status of Single Management Object(SMO) may not be stable. |
PRJ-35089, |
Scalable Platforms |
Security Group may drop traffic during an internal failover between Security Group members when Dynamic Anti-Spoofing is enabled. Refer to sk177946. |
PRJ-34049, |
Scalable Platforms |
After changing Multi-Queue configurations, members may remain in Down state. |
PRJ-34054, |
Scalable Platforms |
Non-SMO members may go to Down state after Anti-Malware policy installation failed. Refer to sk177607. |
PRJ-32451, |
Scalable Platforms |
In rare scenarios, changing the number of CoreXL instances in SP environments with many virtual systems may fail. |
PRJ-39044, |
Scalable Platforms |
On Maestro Orchestrator, packet loss may occur during Jumbo Hotfix Accumulator installation or uninstall. |
PRJ-37854, |
Scalable Platforms |
When the LLDPD and SNMPD coredump files are generated, zombie processes may be created and cause warnings in HCP with no impact. |
PRJ-33665, |
Scalable Platforms |
In Clish, it may not be possible to add to a Security Group two Gateways with Maestro Orchestrator on each site. |
PRJ-34924, PMTR-76870 |
Scalable Platforms |
On Maestro Orchestrator, the SSM_PMD process may consume a high CPU. |
PRJ-39951, PMTR-74569 |
Scalable Platforms |
The asg_hw_utilization and asg_resource tests have a broken output. Refer to sk179426. See the Critical Information section. |
PRJ-38037, |
Scalable Platforms |
Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-38225, |
HCP |
Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 55 Released on 1 May 2022 and declared as Recommended on 1 June 2022 |
||
PRJ-29849, |
Diagnostics |
In some scenarios, CPView shows the SNMP data partially. |
PRJ-36494, |
Security Management |
NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509. This applies only to SmartConsole (does not apply to SmartProvisioning). |
PRJ-30408, |
Security Management |
UPDATE:
|
PRJ-35099, |
Security Management |
UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. The parameter is set to "0" by default. Refer to sk178127. |
PRJ-33566, |
Security Management |
In rare scenarios, the task of creating/deleting a Domain or Domain Server may be stuck at 5% with the "Task in queue" status. |
PRJ-35280, |
Security Management |
In a Multi-Domain environment, only one hundred Domains appear in the Domains view, although there are more. |
PRJ-38877, |
Security Management |
In large environments, after installing Jumbo Hotfix Take 38 or Take 45, login to SmartConsole may fail shortly after services are up. Refer to sk178807. See the Critical Information section. |
PRJ-36801, |
Security Management |
In some scenarios, the last modifier name is missing in unpublished sessions and SmartConsole unexpectedly closes. |
PRJ-35480, |
Security Management |
Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error. |
PRJ-34179, |
Security Management |
In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server". |
PRJ-33768 |
Security Management |
The Management REST API "add lsm-gateway" with "SIC" parameter may fail with "generic_error". |
PRJ-32563, |
Security Management |
Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144. |
PRJ-33402, |
Security Management |
When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443. |
PRJ-33366, |
Security Management |
Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464. |
PRJ-34748, |
Security Management |
The "Free Memory" column under the "Gateways and Servers" tab may show "N/A" instead of the actual value. Refer to sk177135. |
PRJ-32849, |
Security Management |
In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure". |
PRJ-32133, |
Security Management |
When working with Endpoint Cloud, the License tab under "Gateways and Servers" in SmartConsole may show "Certificate error: CertAuthorityInvalid". |
PRJ-32719, |
Security Management |
If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491. |
PRJ-34773, |
Security Management |
Policy installation on R81 (and below) Gateways may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725. |
PRJ-32747, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-32803, |
Security Management |
The mgmt_cli tool (API) with certificate login may not work. |
PRJ-34658, |
Multi-Domain Management |
In a Multi-Domain Management environment, when fetching a LDAP branch using the "fetch" button from the Global Domain tab, the operation may fail. |
PRJ-34010, |
SmartProvisioning |
The CPD process may consume a high CPU after an upgrade of the Security Management Server that manages devices through LSM Profiles. |
PRJ-32374, |
Logging |
When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck. |
PRJ-32581, |
Logging |
In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application. |
PRJ-32019, |
Logging |
When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-30551, |
Logging |
In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783. |
PRJ-38237, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53. |
PRJ-31667, |
Security Gateway |
UPDATE: Added Connection and Packet Distribution statistics in CPView. |
PRJ-33275, |
Security Gateway |
The control connection may not be refreshed together with data connection if the data connection is accelerated. Refer to sk168952. |
PRJ-33211, |
Security Gateway |
The dlpu process may unexpectedly exit, producing a core dump file. |
PRJ-33999, |
Security Gateway |
In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout. |
PRJ-34257, |
Security Gateway |
It may not be possible to use the Office 365 Tenant Restrictions feature when ICAP client is enabled. |
PRJ-33613, |
Security Gateway |
In a rare scenario, the FWD process may unexpectedly exit. |
PRJ-35096, |
Security Gateway |
Policy installation may fail when reaching out of memory on the Security Gateway. |
PRJ-35008, |
Security Gateway |
The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228. |
PRJ-32793, |
Security Gateway |
Matched rules on Inline layer may appear as the "Accept'"/ "Drop" action instead of "Inline". |
PRJ-32927, |
Security Gateway |
When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics". |
PRJ-31209, |
Security Gateway |
The Security Gateway may crash during policy installation due to memory allocation problems. |
PRJ-37417, |
Security Gateway |
In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file. |
PRJ-34269, |
Security Gateway |
The log_exporter process may consume a high CPU. |
PRJ-36993 |
Security Gateway |
|
PRJ-30446, |
Threat Prevention |
In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space. |
PRJ-34706, |
Threat Prevention |
In a rare scenario, after excessive memory usage, kernel may crash. |
PRJ-33848, |
Threat Prevention |
Threat Prevention policy may fail when the MITRE tactic ID value is invalid. |
PRJ-35822, |
Identity Awareness |
On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member. |
PRJ-34516, |
URL Filtering |
In a rare scenario, when URL Filtering Blade is active, in Website categorization background mode, the FWK process may unexpectedly exit and create a core dump. |
PRJ-29429, |
IPS |
When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated. |
PRJ-34646, |
DLP |
In some scenarios, DLP (Data Loss Prevention) Blade may not delete temporary files used for scanning. |
PRJ-33003, |
SSL Inspection |
UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2. |
PRJ-34975, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly restart. |
PRJ-33956, |
SSL Inspection |
A connectivity issue may occur after changing the Security Gateway's name and installing policy. |
PRJ-35783, |
SSL Inspection |
When running cipher_util in any VS other than VS0, the "Cannot access features configuration directory" error is shown. |
PRJ-34702, |
SSL Inspection |
Connections may hang and reach a timeout during browsing if the number of WSTLSD instances is reduced through configuration settings. |
PRJ-33670, |
SSL Inspection |
In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-36356, |
SSL Inspection |
A connectivity issue may occur with certain TLS clients. |
PRJ-36497, |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit while validating signatures of sites with improper certificate chains. |
PRJ-36300, |
SSL Inspection |
A memory leak related to TLS probe may occur in the WSTLSD process. |
PRJ-35934 |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS. |
PRJ-38371, |
ClusterXL |
The Security Gateway may drop multicast packets after policy installation. |
PRJ-36472, |
SecureXL |
The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW). |
PRJ-33583, |
SecureXL |
In some scenarios, Security Gateway may drop fragmented Cluster LS packets. |
PRJ-35770, |
Routing |
UPDATE: ROUTED debug log will now show IP addresses. |
PRJ-34712, |
Routing |
In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order. |
PRJ-33627, |
Routing |
An OSPFv2 graceful restart with authentication may cause an outage. |
PRJ-30715, |
Routing |
Connectivity issues may occur after configuration of route-base VPN (VTI interface). Refer to sk176368. |
PRJ-37476, |
Identity Awareness, |
UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148. |
PRJ-32700, |
Identity Awareness |
Memory usage may be high for the PDPD process in a scenario, related to Identity Awareness nested groups in state 2 and 4. |
PRJ-28220, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144. |
PRJ-35246, |
Mobile Access |
MAB Guacamole-based clientless RDP/SSH connections, when closed prematurely, may cause the GuacProxy process to consume 100% CPU. |
PRJ-36060, |
Mobile Access |
Capsule Workspace cannot connect to a Mobile Access Gateway when the Citrix application is configured and allowed to the end-user's group. |
PRJ-35978, |
ClusterXL |
A cluster failover may take longer than it should. |
PRJ-34341, |
SecureXL |
The "fwaccel dos rate add" command may fail with the "Another fwaccel command is already in progress" error. |
PRJ-36074, |
SecureXL |
In some scenarios, related to sending multicast packets, the ICMP errors may be shown. |
PRJ-35388, |
VPN |
In some scenarios, the RIM script is not activated in DPD Tunnel monitoring. |
PRJ-36181, |
VPN |
The FWK process may unexpectedly exit on a VS with an S2S VPN tunnel. |
PRJ-34375, |
VPN |
In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure. |
PRJ-34494 |
VPN |
Remote Access users cannot connect when a certificate issued by a configured subordinate CA is used for authentication. |
PRJ-35558, |
VPN |
A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured. |
PRJ-35347, |
VPN |
IKEv2 improvements for DAIP Gateway behind Hide NAT. |
PRJ-35767, |
VPN |
Enhanced stability of Site-to-Site VPN with interoperable devices. |
PRJ-35232, |
VPN |
SSL entries may not be deleted from the "vpn tu tlist" command output, although there was a graceful exit. |
PRJ-35431, |
VPN |
In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment. |
PRJ-35536, |
VPN |
A memory leak may occur in the VPND process when using remote Access Back Connection. |
PRJ-35560, |
VPN |
A memory leak may occur in the VPND process when using Remote Access Secondary Connect. |
PRJ-35344, |
VPN |
Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP IP which was configured before and had a connection from the DAIP Encryption Domain. |
PRJ-35390, |
VPN |
Improved IKEv2 for working with DAIPs. |
PRJ-35473, |
VPN |
Added VPN improvements for IKEv2 SA re-key. |
PRJ-33657, |
VPN |
The VPND process may unexpectedly exit with a core dump file. |
PRJ-35489, |
VPN |
In ike_sa_table there may be an entry with an IP address and not with a DAIP ID. |
PRJ-36239, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-35001, |
VSX |
The "vsx_util reconfigure" command may fail without printing a reason which caused the error. |
PRJ-34604, |
VSX |
In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch. |
PRJ-31697, |
Gaia OS |
The "cpopenssl" command may fail with "No such file or directory". |
PRJ-35004, |
Gaia OS |
Fixed the CVE-2020-14145 vulnerability. |
PRJ-27910, |
Harmony Endpoint |
In some scenarios, logs related to Harmony Endpoint may be missing. |
PRJ-32919, |
CloudGuard Network |
NEW:
|
PRJ-28480, |
CloudGuard Network |
In rare scenarios, policy installation fails when adding a CloudGuard object to the NAT rulebase. |
PRJ-35549, |
CloudGuard Network |
When there are VS's with the same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects. |
PRJ-36275, |
CloudGuard Network |
In some scenarios, incorrect data center updates are pushed to the Gateway. |
PRJ-36705, |
Public Cloud CA Bundle |
Added Take 14 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-38970, |
Scalable Platforms |
Packet drop may occur during Maestro Orchestrator reboot or performing the "orchd stop" command. Refer to sk178831. |
PRJ-33452, |
Scalable Platforms |
In a rare scenario, after a reboot, there may be connectivity issues between a Gateway and Maestro Hyperscale Orchestrator (MHO). |
PRJ-34217, |
Scalable Platforms |
In some scenarios, when accelerated policy installation is performed on a Security Gateway that does not have a valid policy, an obscure failure message is shown. |
PRJ-36361, |
Scalable Platforms |
OSPF may install a route to the incorrect IP when configured as P2P. Refer to sk177686. |
PRJ-35613, |
Scalable Platforms |
Setting the time on Quantum Scalable Chassis may fail with the "Failed to update the date WARNING: CliError( ) called without module or error code" error. |
PRJ-37217, |
Scalable Platforms |
Local connection from a Standby site may be dropped if there is a switch between the sites. Refer to sk178045. |
PRJ-34011, |
Scalable Platforms |
On a Scalable Platform configured in VSX mode, a new member added to a security Group, may stay in down state because of a false-positive license issue. |
PRJ-36831, |
HCP |
Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 45 Released on 3 April 2022 and declared as Recommended on 6 April 2022 |
||
PRJ-38292, |
SmartConsole |
In some scenarios when R81.10 Jumbo Hotfix Accumulator Take 38 or Take 44 is installed, Install Policy Preset invokes policy installation on Gateways different from those that are defined. Policy installation on multiple Gateways on MDS level triggers installation on one Gateway only. Refer to sk178590. |
Take 44 Released on 22 March 2022 |
||
PRJ-37387, |
ClusterXL |
Clock jumps forward/backward may cause some operations to fail and the cluster to go down. |
PRJ-37607, |
VoIP |
In a cluster environment, the Gateway may crash with a vmcore. |
PRJ-37850, |
VoIP |
A cluster member may crash generating a vmcore because of a mismatch in SIP tables. See the Critical Information section. |
PRJ-37423, |
VSX |
After deleting a warp interface in SmartConsole, the active VSX cluster member may crash. |
PRJ-37959, |
Gaia |
UPDATE: Upgraded OpenSSL to 1.1.1n to fix CVE-2022-0778. Refer to sk178411. |
Take 38 Released on 21 February 2022 |
||
PRJ-29396, |
Security Management |
NEW: Added support for Management API commands: "add-rules-batch" and "delete-rules-batch". |
PRJ-29438, |
Security Management |
UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB. |
PRJ-31866, |
Security Management |
UPDATE: The "show application-sites" Management API command returns additional fields for UIDs of primary category and additional categories. |
PRJ-32893, |
Security Management |
UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165. |
PRJ-32769, |
Security Management |
UPDATE: Meta-info and comments fields are now displayed in the output of the "show-tasks" API command with "details-level standard". |
PRJ-32960, |
Security Management |
UPDATE: Added Update 13 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-31893, |
Security Management |
In some scenarios, the API command "show-changes" fails with "Diff operation failed: Unable to build the diff reply." |
PRJ-31862, |
Security Management |
In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message. |
PRJ-31861, |
Security Management |
The "show-gateways-and-servers" Management API command does not show policy information for cluster members. |
PRJ-28817, |
Security Management |
In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full". |
PRJ-28031, |
Security Management |
In some scenarios, the user may fail to connect to Remote Access VPN if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967. |
PRJ-30885, |
Security Management |
In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file. |
PRJ-30415, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-32093, |
Security Management |
When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured, may not appear in the results, although they match the IP. |
PRJ-31942, |
Security Management |
Deleting an administrator with open sessions may fail with "An Internal error has occurred." |
PRJ-30899, |
Security Management |
In rare scenarios, installing policy on an OSE device may fail with "Policy installation had failed due to an internal error". |
PRJ-32042, |
Security Management |
In some scenarios, the $MDS_FWDIR/log/cpm.elg file contains many lines about "UnmarshalException". |
PRJ-31674, |
Security Management |
In rare scenarios, policy installation cannot be executed while another policy installation is already in progress and stuck. |
PRJ-31673, |
Security Management |
In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time. |
PRJ-31702, |
Security Management |
In a Multi-Domain environment, in Gateways & Servers view, the option to filter Gateways by Domain is greyed out, although it should be enabled. |
PRJ-29954, |
Security Management |
In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245. |
PRJ-29911, |
Security Management |
In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule. |
PRJ-31976 |
Security Management |
After creating a new LSM device through the API, the device editor in the SmartProvisioning GUI may unexpectedly close when editing the Topology configurations. |
PRJ-31743, |
Security Management |
In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain. |
PRJ-33465, |
Security Management |
While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the Configuration tab. |
PRJ-29241, |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805. |
PRJ-30682, |
Security Management |
Policy installation with Directional VPN rules may fail with a verification error. |
PRJ-31261, |
Security Management |
In some scenarios, the API command "login-to-domain" fails, and the cpm.elg log shows "Null Pointer Exception". |
PRJ-30721, |
Security Management |
In a rare scenario, deleting an object using the API command "delete-generic-object uid |
PRJ-31212, |
Security Management |
The CPM Server may fail to start while checking for pending purge operations during startup. |
PRJ-30069, |
Security Management |
|
PRJ-32651, |
Security Management |
In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database. |
PRJ-31083, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server unexpectedly exits. |
PRJ-30338, |
Security Management |
When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down. |
PRJ-32430, |
Security Management |
In rare scenarios, adding a service to a rule in Access Policy:
Refer to sk176004. |
PRJ-32361, |
Security Management |
In some cases, when changing only the "color" and "comment" object fields, policy installation may not be accelerated. |
PRJ-30037, |
Security Management |
|
PRJ-33135, |
Security Management |
When searching in Object Explorer with non-alphanumeric characters (non-Latin letters), no results are found even if there are objects that match the search query. |
PRJ-32858, |
Security Management |
After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running. |
PRJ-34081, |
Security Management |
In some scenarios, after running an Ansible Playbook, objects are locked even though they were not changed. |
PRJ-33554, |
Security Management |
When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead. |
PRJ-32449, |
Security Management |
In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data". |
PRJ-30532, |
Security Management |
Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out. |
PRJ-32555, |
Security Management |
The "Show Policy Package" Tool shows only UID for a group object and its members instead of their name. |
PRJ-34427, |
Security Management |
When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error". |
PRJ-30476, |
Security Management |
Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error. |
PRJ-34201, |
Security Management |
High Availability synchronization fails when one Management Server is installed on an appliance of 6000 series and the other one is an Open Server, a Virtual Machine or installed on an appliance of different series. |
PRJ-33952, |
Security Management |
The "fwm logexport" command may fail with the "Failed to dump tables from NGM" error when running it from the Global Domain on the Multi-Domain Server or from the Log Server. |
PRJ-33288, |
Security Management |
When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number. |
PRJ-30060, |
Security Management |
In rare scenarios, after Management Server upgrade, importing the database may fail with "Tried to persist object". |
PRJ-33980, |
Security Management |
Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS. |
PRJ-33865, |
Security Management |
When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout. |
PRJ-32670, |
Security Management |
When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found". |
PRJ-34036, |
Security Management |
When many sessions are opened:
|
PRJ-33243, |
Security Management |
In rare scenarios, after an update, the Management Server fails to start. |
PRJ-36961, |
Security Management |
Policy installation and "where used" operation may take a long time if there are many inline layers and the "Install On" targets in the Rule Base are not defined as "Any". Refer to sk177928. |
PRJ-33169, |
Multi-Domain Management |
The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/. |
PRJ-30527, |
Multi-Domain Management |
In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail. |
PRJ-36041 |
Web SmartConsole |
UPDATE: Released Take 55 with new features and improvements. Refer to sk170314. |
PRJ-27606 |
Compliance |
In some scenarios, auto-update flow fails during updatable object registration. |
PRJ-34294, |
Compliance |
After disabling Compliance Best Practices, the user receives security alerts.
|
PRJ-35952 |
CPView |
In CPView, under "Unified Policy", the "Transactions" and "Memory KB" parameters may be missing on devices with more than 100 interfaces. |
PRJ-30665, |
Logging |
Refer to sk176644. |
PRJ-32030, |
Logging |
In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log. |
PRJ-27593, |
Logging |
When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message. |
PRJ-29512, |
Logging |
In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323. |
PRJ-28325, |
Logging |
In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing. |
PRJ-27737, |
Logging |
In SmartConsole:
|
PRJ-28127, |
Logging |
In rare scenarios, in SmartConsole, some logs are not shown. |
PRJ-31799, |
Logging |
Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field. |
PRJ-32239, |
Logging |
When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email. |
PRJ-29125, |
Logging |
SmartEvent may not show some of the Anti-Virus logs. |
PRJ-32589, |
Logging |
There may be empty values in the "Office Mode IP" field in the Logs view. |
PRJ-32087, |
Logging |
A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic. |
PRJ-32852, |
Logging |
In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545. |
PRJ-28318, |
Logging |
The "Last Update Time" field of a Session Log may show incorrect values. |
PRJ-31618, |
Logging |
Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543. |
PRJ-30093, |
Logging |
In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403. |
PRJ-34692, |
Logging |
In some scenarios, in an environment that includes the SmartEvent Server, the LOG_INDEXER process restarts at midnight, producing a core dump file. Refer to sk177805. |
PRJ-31809, |
Security Gateway |
NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890. |
PRJ-31274, |
Security Gateway |
UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229. |
PRJ-34451, |
Security Gateway |
UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode. |
PRJ-33749, |
Security Gateway |
UPDATE: Added a new flag to the "dynamic_objects" command: "-uo <name of object>". The user can now see all content of a specific updatable object. |
PRJ-32074, |
Security Gateway |
UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6. |
PRJ-30672, |
Security Gateway |
When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may freeze. |
PRJ-30671, |
Security Gateway |
In rare scenarios, when a Security Gateway is configured as Proxy, a wrong NAT port reuse may happen for 5 minutes long proxied connections. |
PRJ-29699, |
Security Gateway |
In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages. |
PRJ-30615, |
Security Gateway |
In rare scenarios, when SACK is enabled, there may be connectivity issues. |
PRJ-29542, |
Security Gateway |
After reboot and policy installation, the "No interface configured in SmartCenter server with name mdps_tun. Matching by IP address to interface Mgmt" error may be printed in fwk.elg. |
PRJ-30694 |
Security Gateway |
The "Matched rule is not found" error appear when using Suspicious Activity Monitoring (SAM) rules with source and destination networks, or with a NATed IP. |
PRJ-33361, |
Security Gateway |
First policy installation after an upgrade may be followed by a warning message: "Updatable Objects are used in the policy but Gateway package is missing (see sk121877)". |
PRJ-31969, |
Security Gateway |
In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP. |
PRJ-32338, |
Security Gateway |
Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message. |
PRJ-33083, |
Security Gateway |
Extended logging may show a wrong status of Content Awareness Blade. The issue is only cosmetic. |
PRJ-32636, |
Security Gateway |
When ISP Redundancy feature is enabled, the default route may disappear during an ISP's failover. |
PRJ-30013, |
Security Gateway |
In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up. |
PRJ-31219, |
Security Gateway |
When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED daemon may get incorrect cluster IPs for those tunnels. Refer to sk175887. |
PRJ-33514, |
Security Gateway |
CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic. |
PRJ-30181, |
Security Gateway |
In a rare scenario, policy push to multiple Security Gateways may fail. Refer to sk177963. |
PRJ-31111, |
Security Gateway |
In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections. |
PRJ-28831, |
Security Gateway |
Improved the ICAP Server internal memory allocation logic. |
PRJ-27611, |
Security Gateway |
A debug message is printed as an error. |
PRJ-31272, |
Security Gateway |
The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424. |
PRJ-32576, |
Security Gateway |
When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted. |
PRJ-33126, |
Security Gateway |
In some scenarios, memory consumption and CPU usage may increase consistently. Refer to sk176370. |
PRJ-30600, |
Security Gateway |
In a rare scenario, the Security Gateway may crash during policy installation. |
PRJ-33607, |
Security Gateway |
When there are security zones configured in the NAT rulebase and the connection has NAT on the destination, the Security Gateway IP address may still be shown as the source IP, although it should not. |
PRJ-32659, |
Security Gateway |
Security Gateway may unexpectedly reboot and create a vmcore file. |
PRJ-30295, |
Security Gateway |
Enhanced Check Point Active Streaming (CPAS). Refer to sk177025. |
PRJ-30784, |
Security Gateway |
Access Policy installation may fail with "Error code 1-2000078". |
PRJ-32425, |
VPN, Multi-Portal |
UPDATE: Certificate validation flow will use OCSP as the default revocation validation method. If OCSP URL does not exist, CRL will be used as a revocation validation method. |
PRJ-31018, |
Internal CA |
In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start. |
PRJ-33251, |
Internal CA, VPN |
Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468. |
PRJ-29927, |
Threat Prevention |
Threat Prevention policy installation may fail when loading 2 IoC feeds that contain the same signature name for one of the observables. |
PRJ-32176, |
Threat Prevention |
In a rare scenario, Security Gateway may crash when the Advanced Forensics Details feature is enabled. |
PRJ-33644, |
Threat Prevention |
When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages. |
PRJ-36736, |
Threat Extraction |
In some scenarios, when Threat Extraction and Threat Emulation are both enabled, it may take a long time to scan the file before downloading, although there is no active content. |
PRJ-32135, |
Identity Awareness |
An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher. |
PRJ-32873, |
Identity Awareness |
When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause |
PRJ-27698, |
Identity Awareness |
The PDPD process may fail with "daemon did not respond or not running!" or cause a high CPU. |
PRJ-30949, |
Identity Awareness |
In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests. |
PRJ-28056, |
Application Control |
In a rare scenario, the SSM may encounter an issue and stop working. |
PRJ-29770, |
URL Filtering |
In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped. |
PRJ-27730, |
IPS |
The track logging configuration of Network Quota protection is not applied. |
PRJ-28029, |
IPS |
In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade. |
PRJ-28492, |
IPS |
In Autonomous Threat Prevention mode, "Profile Name" and "SmartDefense" fields may be missing in the IPS log. |
PRJ-30804, |
IPS |
After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Gateways together, Gateways may consume more CPU during rule-match of new connections. |
PRJ-30607, |
DLP |
UPDATE: Added temporary files cleaner for file converting operation. |
PRJ-30427, |
DLP |
The dlpu process may unexpectedly exit with core dump file. |
PRJ-32902, |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file. |
PRJ-32885, |
SSL Inspection |
When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation. |
PRJ-34447, |
SSL Inspection |
The fwk process may unexpectedly exit during the TLS handshake. |
PRJ-31498, |
SSL Inspection |
When HTTPS Inspection is disabled and the "Categorize HTTPS websites" option is enabled, the "failed attaching RSA stub certificate to server" errors may appear in the fwk.elg and wstlsd.elg files during policy installation. |
PRJ-33408, |
SSL Inspection |
In rare scenarios, TLS probing connections may remain open for extended periods. |
PRJ-34273, |
SSL Inspection |
A memory leak may occur in the WSTLSD process during session resumption for TLS 1.2. |
PRJ-31233, |
SSL Network Extender |
SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760. |
PRJ-31176, |
Mobile Access |
UPDATE: Upgraded JQuery library version (from 1.1 to 3.6). |
PRJ-33877, |
Mobile Access |
Policy installation may fail due to table creation issues. |
PRJ-28361, |
ClusterXL |
Clock jumps forward/backward may cause some operations to fail and the cluster to go down. |
PRJ-32472, |
ClusterXL |
Added Syslog support for Cluster events messages. |
PRJ-32951, |
ClusterXL |
Identity Sharing in VSLS Mode may not work as expected. |
PRJ-32941, |
SecureXL |
In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed. |
PRJ-30820, |
SecureXL |
In a rare scenario, after an upgrade, HTTPS traffic may be dropped. |
PRJ-33357, |
Routing |
|
PRJ-31488, |
Routing |
In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603. |
PRJ-31474, |
VPN |
UPDATE: In policy installation, the type of messages, related to VPN certificate expiration, is changed from "info" to "warning". This issue is only cosmetic. |
PRJ-30958, |
VPN |
Improvements for DAIP Gateway behind Hide NAT. |
PRJ-31133, |
VPN |
In some scenarios, a memory leak may occur in the VPND process. |
PRJ-32551, |
VPN |
A memory leak may occur during Office Mode IP allocation. |
PRJ-32367, |
VPN |
Improved IKEv2 narrowing. |
PRJ-31589, |
VPN |
In some scenarios, VPN tunnels statuses in SmartView Monitor are displayed incorrectly. |
PRJ-28270, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-32131, |
VPN |
The output of the "vpn tu tlist" command may show a wrong date and time in "Authenticated at" line, although machine date and time settings are correct. |
PRJ-31291, |
VPN |
Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417. |
PRJ-30758, |
VPN |
In some scenarios, when NAT is enabled, Route Based VPN traffic may be dropped. |
PRJ-30766, |
VPN |
In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file. |
PRJ-30331, |
VPN |
In some scenarios, IKEv2 tunnel may not work due to SA expiration. |
PRJ-32520, |
VPN |
Improved establishing IKEv2 tunnel with DAIP peer. |
PRJ-32613, |
VPN |
In some scenarios, Remote Client connections in Visitor Mode may cause the fwk process to exit. |
PRJ-32761, |
VPN |
The output of the "vpn tu tlist" command may show an incorrect type of S2S tunnels protocol. |
PRJ-31701, |
VPN |
When the IKE daemon is enabled, VPN counters in CPView may show an incorrect value. |
PRJ-32597, |
VPN |
In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue. |
PRJ-29783, |
VPN |
Although the Simultaneous Login Prevention (SLP) feature is on, the user can connect with two clients and receive the same statically assigned Office-Mode IP. |
PRJ-33835, |
VPN |
In rare scenarios, when SSL Network Extender (SNX) is in Application Mode, the VPND process may unexpectedly exit. |
PRJ-33739, |
VPN |
When applying Secure Configuration Verification (SCV) VPN client is not able to distinguish between Windows 10 and Windows 11. |
PRJ-36421, |
VPN |
In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit. |
PRJ-33837, |
VSX |
UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode. |
PRJ-32534, |
VSX |
UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool. |
PRJ-28990, |
VSX |
In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064. |
PRJ-33947, |
VSX |
Policy installation on a VS may fail after a cluster conversion between High Availability and Virtual System Load Sharing with the "vsx_util" command. |
PRJ-30201, |
Gaia OS |
UPDATE: Added a Clish command "add/show/delete ntp interface" to choose to which interfaces the NTP daemon shall bind. |
PRJ-34590, |
Gaia OS |
Enhanced SNMP module stability. |
PRJ-32048, |
Gaia OS |
In some scenarios, adding a Gaia user may result in a high number of zombie sh processes. Refer to sk164259. |
PRJ-31972, |
Gaia OS |
The minimum value of VBAT sensor on Quantum appliances is incorrect. |
PRJ-31755, |
Gaia OS |
In some scenarios, after adding an SNMP USM user, the confd process may unexpectedly exit. |
PRJ-30213, |
Gaia OS |
Refer to sk174969. |
PRJ-28962, |
Gaia OS |
After an upgrade, a wrong cipher name appears in the supported cipher list. Refer to sk174863. |
PRJ-28686, |
Gaia OS |
In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443. |
PRJ-29066, |
Gaia OS |
Wrong output of the "set/delete ip-conflicts-monitor interface" command. The word "value" is printed multiple times. The issue is only cosmetic. |
PRJ-33390, |
Harmony Endpoint |
NEW: It is now possible to configure Super Node in Harmony Endpoint. Refer to sk171703. |
PRJ-32247, |
Harmony Endpoint |
NEW: Added new push operations to Endpoint Web Management:
|
PRJ-32887 |
Harmony Endpoint |
NEW:
|
PRJ-27849, |
Harmony Endpoint |
SmartEndpoint may show deleted certificates as expired. |
PRJ-32646, |
Harmony Endpoint |
Refer to sk176186. |
PRJ-32391, |
VoIP |
When using SIP, memory usage may increase over time on Active and Standby members. |
PRJ-34520, |
Smart-1 Cloud |
Added support for R81.10 automatic updates of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-31770, |
CloudGuard Network |
Improved the handling of NSX-T Data Center throttling issues. |
PRJ-31773, |
CloudGuard Network |
In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway. |
PRJ-32232, |
CloudGuard Network |
The "vsec_lic_cli update" command now supports IP change in the license string. |
PRJ-27904, |
QoS |
In a rare scenario, when QoS is enabled, in SmartView Monitor some traffic may be shown as "No Match". |
PRJ-30236, |
QoS |
In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs. |
PRJ-34022, |
Scalable Platforms |
NEW: Added the HealthCheck Point (HCP) test which validates ports link integrity for Maestro Orchestrator. Refer to sk171436. |
PRJ-35159, |
Scalable Platforms |
NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-31311, |
Scalable Platforms |
When IGMP snooping is disabled, using OSPF Multicast may lead to Anti Spoofing drops in SmartConsole. |
PRJ-28812, |
Scalable Platforms |
SNMP OID .1.3.6.1.4.1.2620.1.48.16 (asgSecureXLStatusBitmask) returns the status of SecureXL as enabled, even when it is not. |
PRJ-32416, |
Scalable Platforms |
In some scenarios, changing QSFP mode manually does not survive reboot. |
PRJ-30617, |
Scalable Platforms |
Multiple traffic drops may occur on Scalable Platforms. Refer to sk173545. |
PRJ-31406, |
Scalable Platforms |
The "config_verify" command may fail in a Scalable Platforms environment. |
PRJ-30630, |
Scalable Platforms |
VPN tunnel may fail to establish with "dropped by vpn_inbound_pilicy_chain Reason: VPN inbound nat after vm failed". Refer to sk176404. |
PRJ-33379, |
Scalable Platforms |
VPN traffic may be dropped due to certificate issues. |
PRJ-31507, |
Scalable Platforms |
During policy installation, AD Query may stop working in the Scalable Platforms environment. |
PRJ-33185, |
Scalable Platforms |
RADIUS user that has gclish set as default shell cannot login into the Security Group on Scalable Platforms R81.10: "Unable to get user permissions". Refer to sk176364. |
PRJ-31870, |
Scalable Platforms |
Static routes related to a Warp interface may disappear after enabling the VMAC feature. |
PRJ-34101, |
Scalable Platforms |
Changing VLAN of an existing interface may cause ARP reply not to be processed by the Gateway. Refer to sk176929. |
PRJ-31139, |
Scalable Platforms |
Connectivity issues may occur on Identity Server (PDP) in large VSX setups. |
PRJ-35011, |
Scalable Platforms |
In a rare scenario, the CPD process may crash during policy installation. |
PRJ-32678, |
Scalable Platforms |
When two sites with shared LACP bonds are connected to the same switch and VMAC is enabled on both of them, communication with the switch may be lost. |
PRJ-34620, |
Scalable Platforms |
In some scenarios, a physical link issue on a Maestro Gateway may cause an unexpected site failover, a cluster state change on other Gateways, or packet drops. |
PRJ-32165, |
Scalable Platforms |
When the user manually uninstalls R81.10 Jumbo Hotfix Take 22 from an R81.10 Maestro Hyperscale Orchestrator (MHO), the MHO's REST Server remains down, potentially causing traffic issues. Refer to sk177323. |
PRJ-31839, |
Scalable Platforms |
The CMM is not updated with the time from a configured NTP Server. As a result, SGMs stay in Down state for a long time. |
PRJ-31512, |
Carrier Security |
The FWK process may unexpectedly exit producing a core dump when the GTP tunnel expires. |
PRJ-34443, |
HCP |
Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-31774, |
Infrastructure |
UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias. |
PRJ-29412, |
Infrastructure |
Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452. |
PRJ-29952, |
Infrastructure |
In a rare scenario, the user cannot connect to the Mobile Access Portal. |
Take 30 Released on 13 January 2022 and declared as Recommended on 20 January 2022 |
||
PRJ-34732, |
Security Management, Harmony Endpoint |
UPDATE: The Apache Log4j Java library is updated in order to harden the system. Check Point products are not vulnerable to Log4j. This change is motivated by cyber hygiene best practices. For more information, refer to sk176865. |
PRJ-32980, |
CPView |
In Overview, some data about disk space may be missing. |
Take 22 Released on 22 December 2021 and declared as Recommended on 2 January 2022 |
||
PRJ-32158, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51. |
PRJ-33545, |
Threat Prevention |
When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947. |
PRJ-30316, |
Gaia OS |
NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-33515, |
Gaia OS |
Potential vulnerability related to specific Gaia API command on VSX systems. |
PRJ-33710, |
Gaia OS |
In a rare scenario, the Security Gateway fails to boot when working in USFW (User-Space Firewall) mode. |
PRJ-33205, |
Gaia OS |
Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128. |
PRJ-31238, |
QoS |
QoS policy installation may fail with "Error - service out of range". Refer to sk175467. |
PRJ-34547, |
Scalable Platforms |
After an upgrade of Maestro Orchestrator from R80.20SP Jumbo Hotfix Take 313-317 to R81.10 Jumbo Hotfix Take 14, there may be traffic issues. Refer to sk176945. |
Take 14 Released on 22 November 2021 |
||
PRJ-30364, |
Security Management |
UPDATE: Added new flags for Management API commands "add/set simple-gateway" and "add/set simple-cluster":
|
PRJ-29235, |
Security Management |
UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information. |
PRJ-32347, |
Security Management |
Network objects groups with more than 101 members may not be enforced correctly on the Security Gateway. The Security Gateway will only match 101 members of the group. Refer to sk176065. |
PRJ-30055, |
Security Management |
In rare scenarios, the FWM process may unexpectedly exit and fail to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007. |
PRJ-29189, |
Security Management |
In a rare scenario, High Availability full synchronization may fail due to a large number of records. |
PRJ-29100, |
Security Management |
In some scenarios, it is possible to disable a parent rule for the Domain Policy. |
PRJ-29005, |
Security Management |
In some scenarios, publish operation fails with the "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703. |
PRJ-29306, |
Security Management |
In environments with a large number of objects, licenses for cluster members in the Licenses tab may not be displayed. |
PRJ-28650, |
Security Management |
In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain. |
PRJ-28479, |
Security Management |
In a rare scenario, when Identity Awareness Blade is enabled, policy verification on an LSM Profile may fail. |
PRJ-28537, |
Security Management |
In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error. |
PRJ-28897, |
Security Management |
If there are no explicit rules in one or more policy layers, policy verification may fail with the "No active rules found in the Security Policy" error. |
PRJ-28786, |
Security Management |
In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes. |
PRJ-28778, |
Security Management |
The "show-global-assignment" command returns the default limit when the limit request is greater than the default limit. |
PRJ-28002, |
Security Management |
If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.
|
PRJ-27500, |
Security Management |
Policy installation to multiple Gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy. |
PRJ-27501, |
Security Management |
In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189. |
PRJ-27503, |
Security Management |
In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely. |
PRJ-28571, |
Security Management |
In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" message. Refer to sk174645. |
PRJ-28300, |
Security Management |
In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase. |
PRJ-28294, |
Security Management |
In rare scenarios, High Availability incremental synchronization may fail with a wrong status message. |
PRJ-28089, |
Security Management |
In some scenarios, the Administrators view may not filter Domain names according to the permission profile of the connected administrator. |
PRJ-28158, |
Security Management |
In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server. |
PRJ-29159, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-29899, |
Security Management |
In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". |
PRJ-30047, |
Security Management |
The Management API command "show-sessions" may return sessions that were purged and no longer exist in the Management database. |
PRJ-29518, |
Security Management |
In rare scenarios, when installing a policy immediately after publishing a session, the installation is not accelerated. |
PRJ-29790, |
Security Management |
In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005. |
PRJ-30031, |
Security Management |
In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer. |
PRJ-29969, |
Security Management |
In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X. |
PRJ-29470, |
Security Management |
In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866. |
PRJ-29791, |
Security Management |
When initiating the Secure Internal Communication (SIC) for LSM objects using management API:
|
PRJ-30020, |
Security Management |
In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error. |
PRJ-27765, |
Security Management |
The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level. |
PRJ-29200, |
Security Management |
After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message. |
PRJ-30101, |
Security Management |
In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it. |
PRJ-31536, |
Multi-Domain Management |
High Availability synchronization status in the Global Domain may show "Unknown" for some Multi-Domain Log Modules (MLM) in environments with more than 6 MDS's/MLM's. |
PRJ-29312, |
SmartConsole |
The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911. |
PRJ-29805 |
Web SmartConsole |
Added enhancements for Task Manager and policy installation. Refer to Take 48 in sk170314. |
PRJ-30371, |
CPInfo |
UPDATE: Added CPInfo Build 914000219. Refer to sk92739. |
PRJ-29826, |
SmartView |
UPDATE: In SmartView, new MITRE ATT&CK techniques were added to the heatmap view. |
PRJ-31152, |
Logging |
NEW: SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452. |
PRJ-28084, |
Logging |
The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event. |
PRJ-27883, |
Logging |
In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume a high CPU. |
PRJ-28342, |
Logging |
In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority. |
PRJ-29031, |
Logging |
In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report. |
PRJ-25441, |
Logging |
On a Management Server, with SmartEvent enabled and many networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239. |
PRJ-29577, |
Security Gateway |
NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default. |
PRJ-29444, |
Security Gateway |
UPDATE: The default value for the kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560. |
PRJ-28854, |
Security Gateway |
UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters. |
PRJ-31371, |
Security Gateway |
Improved the handling of a large number of sessions per single HTTP/S connection. |
PRJ-29131, |
Security Gateway |
In rare scenarios, policy installation may fail with an "Operation failed, install/uninstall has been improperly terminated "message. |
PRJ-30205, |
Security Gateway |
In some scenarios, NATed VPN traffic may be routed out through the wrong interface. Refer to sk176785. |
PRJ-29528, |
Security Gateway |
In a very rare scenario, the ICAP Server may crash with a core dump file generated. |
PRJ-29506, |
Security Gateway |
In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues. |
PRJ-29421, |
Security Gateway |
In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673. |
PRJ-29223, |
Security Gateway |
In some scenarios, the WSDNSD process may unexpectedly exit and create a core file. Refer to sk173627. |
PRJ-29080, |
Security Gateway |
In rare scenarios, a duplicate entry may appear in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic. |
PRJ-29089, |
Security Gateway |
In some scenarios, the CPD process may consume a high CPU because of the memory leak in FDT (File Download Tool). |
PRJ-29095, |
Security Gateway |
In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
PRJ-27652, |
Security Gateway |
Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section. |
PRJ-28811, |
Security Gateway |
Added cosmetic fixes of the cpwd_admin list command output. |
PRJ-28412, |
Security Gateway |
In some scenarios, the ROUTED process may unexpectedly exit. |
PRJ-28105, |
Security Gateway |
In a rare scenario, a memory leak may occur on the Security Gateway. |
PRJ-27561, |
Security Gateway |
In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188. |
PRJ-29140, |
Security Gateway |
The cpsicdemux process may unexpectedly exit, causing the Secure Internal Communication (SIC) connection to fail. |
PRJ-30014, |
Security Gateway |
In a rare scenario, CPView may show incorrect SecureXL statistics per VS. |
PRJ-28874, |
Security Gateway |
In a rare scenario, when using ICAP client, Security Gateway may crash. |
PRJ-28555, |
Security Gateway |
Capsule Workspace end users may fail to authenticate to their Exchange mail Server via Mobile Access SSO when authenticated with Kerberos, and the end users belong to many user groups or user groups with very long names. |
PRJ-29744, |
Security Gateway |
In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated. Refer to sk11088. |
PRJ-30216, |
Security Gateway |
In some scenarios, policy installation may take longer or fail when GEO Updatable Objects are used in the policy. |
PRJ-30149, |
Security Gateway |
There is no option to enable hyperthreading via cpconfig. |
PRJ-30252, |
Security Gateway |
Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log. |
PRJ-29589, |
Security Gateway |
In a rare scenario, Security Gateway may crash. |
PRJ-27165, |
Security Gateway |
In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs. |
PRJ-28681, |
Threat Prevention |
UPDATE: Added the option to remove proxy usage in IoC_feeds tool. |
PRJ-28521, |
Threat Prevention |
In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed. |
PRJ-28765, |
Threat Prevention |
In some scenarios, when using OpenSSH 8.2 Server, file download fails after starting the transfer. |
PRJ-28975, |
Threat Prevention |
Improved telemetry for Infinity Vision SOC. |
PRJ-27437, |
Threat Extraction |
In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg. |
PRJ-27436, |
Identity Awareness |
NEW: Added automatic mechanism to exclude service accounts on PDP Gateway to improve both PDP performance and functionality. The default threshold value for Identity Collector Service Accounts exclusion is 100. Refer to sk174266. |
PRJ-29404, |
Identity Awareness |
Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull. |
PRJ-27477, |
Identity Awareness |
When using sk167118, the user may fail to authenticate if the "Ask user for password" checkbox is enabled. |
PRJ-28129, |
Identity Awareness |
In some scenarios, the "Browser Transparent Single Sign-On" portal may not use the certificate associated with the IP address resolved from the portal's main URL. Refer to sk174869. |
PRJ-27942, |
Identity Awareness |
In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105. |
PRJ-29615, |
Identity Awareness |
In a rare scenario, some IPv6 sessions may get deleted due to incorrect update of Identity Gateway (PEP) kernel tables. |
PRJ-28117, |
Application Control |
UPDATE: Improved matching of URLs for custom applications. |
PRJ-29308, |
URL Filtering |
In some scenarios, HTTPS connections to servers with untrusted certificates are held and not resumed (page cannot load). |
PRJ-28637, |
IPS |
Proxy source IP address is not printed in the IPS logs. |
PRJ-28246, |
IPS |
In some scenarios, HTTP Parser in the CPView statistics may show incorrect values for connections with more than 50 sessions. |
PRJ-27960, |
IPS |
In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open. |
PRJ-29942, |
IPS |
In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash. |
PRJ-28740, |
IPS |
In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588. |
PRJ-32498, |
IPS |
In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process. |
PRJ-31761, |
IPS |
Improved the handling of decoded HTTP/S traffic. |
PRJ-29193, |
Anti-Bot |
UPDATE: Improved the performance of Anti-Bot URL Reputation. |
PRJ-29477, |
SSL Inspection |
In some scenarios, a memory leak may occur when creating ECDHE keys. |
PRJ-31203, |
SSL Inspection |
If TLS 1.3 is enabled, using imported ECDSA certificates for HTTPS Inspection may cause the Security Gateway to crash. |
PRJ-31150, |
SSL Inspection |
A memory leak, related to TLS probing, may occur in the WSTLSD process. |
PRJ-31151, |
SSL Inspection |
In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur. |
PRJ-30461, |
SSL Inspection |
In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout. |
PRJ-30702, |
SSL Inspection, |
A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers. |
PRJ-28259, |
Mobile Access |
In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client. |
PRJ-28069, |
Mobile Access |
In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit. |
PRJ-29276, |
Mobile Access |
In some scenarios, a memory leak may occur in the CVPND process. |
PRJ-30383, |
ClusterXL |
In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize. |
PRJ-28285, |
ClusterXL |
Scalable Platform Gateway may drop traffic as "Out of State" when static NAT is configured for the destination IP Address. Refer to sk174234. |
PRJ-31796, |
ClusterXL |
In some scenarios, during an upgrade to R81.10SP, a failover fails with a crash. |
PRJ-27229, |
SecureXL |
TCP packets may be dropped as "TCP out of state" although following sk11088. |
PRJ-27227, |
SecureXL |
Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file. |
PRJ-28287, |
SecureXL |
In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly. |
PRJ-29498, |
Routing |
BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer. |
PRJ-28959, |
Routing |
The ROUTED process may unexpectedly exit. |
PRJ-29321, |
Routing |
AS path loops may occur, although BGP multihop is configured. |
PRJ-29894, |
Routing |
In some scenarios, when BootP is configured, during policy installation, the Security Gateway may become unresponsive and the ROUTED process may crash. |
PRJ-31128, |
Routing |
In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending. |
PRJ-28173, |
VPN |
NEW: Added StrongSwan clients counter to the VPN TU Tool. |
PRJ-27857, |
VPN |
When deleting an entry from m_ht hash table, a memory leak may occur. |
PRJ-28028, |
VPN |
When StrongSwan client connecting with a RADIUS user, it may not receive an Office Mode IP address. |
PRJ-28514, |
VPN |
In some scenarios, a memory leak may occur on the Security Gateway. |
PRJ-28507, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-28076, |
VPN |
A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249. |
PRJ-28576, |
VPN |
In some scenarios, Server connections to Remote Access L2TP clients may be unstable. |
PRJ-29298, |
VPN |
Added VPN IKEv2 improvements. |
PRJ-28754, |
VPN |
Added IKEv2 improvement for DAIP peer. |
PRJ-29284, |
VPN |
In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process. |
PRJ-28773, |
VPN |
In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation. |
PRJ-28266, |
VPN |
A memory leak may occur when clearing the CRL cache file. |
PRJ-29484, |
VPN |
A memory leak may occur in the VPND process in IKEv2 Site to Site VPN. |
PRJ-28557, |
VPN |
In some scenarios, when sending the SCV drop log, a memory leak may occur. |
PRJ-30971, |
VPN |
In a rare scenario, a memory leak may occur in the IKED process. |
PRJ-29533, |
VPN |
RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode. |
PRJ-31109, |
VPN |
In some scenarios, a memory leak may occur in the VPND process. |
PRJ-31149, |
VPN |
In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site. |
PRJ-30870, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-29554, |
VSX |
After reboot, the VS's clish static arps configurations exist, but the static arps may be missing. |
PRJ-28180, |
VSX |
In a rare scenario, the "asg perf" command may take up to 90 seconds to update the data. The information may differ from CPView results. |
PRJ-28143, |
VSX |
In some scenarios, running the "asg perf" command with -vv flag fails. |
PRJ-30277, |
Gaia OS |
UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes. |
PRJ-27697, |
Gaia OS |
When a non-TACACS user logs out from WebUI, there is a "Cannot get pid" error message in the /var/log/messages file. |
PRJ-28414, |
Gaia OS |
After 248 days of up time, the VMSS Gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413. |
PRJ-27614, |
Gaia OS |
If NTPD service is configured in MDPS settings, the NTPD error logs appear in var/log/messages after a reboot. |
PRJ-26999, |
Gaia OS |
Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703. |
PRJ-28798, |
Gaia OS |
In a rare scenario, a memory leak may occur in the monitord process. |
PRJ-26456, |
Gaia OS |
The Link Layer Discovery Protocol (LLDP) sends the hostname with a dot when the Domain name is empty. |
PRJ-29179, |
Harmony Endpoint |
Remote installation push operation "Deployed new Endpoints" does not work on Servers on premises because of self-signed certificates. |
PRJ-29974, |
Harmony Endpoint |
In some scenarios, a query which counts host_ckp objects may return more results than expected. It leads to a memory leak with the "Out Of Memory" error. |
PRJ-31101, |
Harmony Endpoint |
Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM Blade is not activated. |
PRJ-29860, |
Harmony Endpoint |
UPDATE: In SmartEndpoint, besides FDE Remote Help, Bitlocker Management Recovery is now available for administrators with limited rights. |
PRJ-30516, |
Harmony Endpoint |
In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://". |
PRJ-29514, |
CloudGuard Network |
NEW: In Amazon Web Services (AWS):
To enable the feature:
Note: This feature requires adding DescribeTags and DescribeLoadBalancers permissions to the AWS Data Centers accounts. NEW: In Azure:
To enable the feature:
Note: This feature requires adding permissions to list Application Security Groups and Private Endpoints.
NEW: In AWS, Azure and Google Cloud Platform (GCP): Added support for API calls with HTTP response with reason-code only (without reason-phrase).
|
PRJ-29652, |
CloudGuard Network |
Amazon Web Services (AWS) Data Center scan may fail and no updates are sent to the Security Gateway. |
PRJ-29623, |
CloudGuard Network |
In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds. |
PRJ-32479 |
Scalable Platforms |
UPDATE: Added support for Bridge Mode in Maestro Security Group. |
PRJ-32689 |
Scalable Platforms |
UPDATE: Added support for Maestro Hyperscale Orchestrator MHO-175. |
PRJ-27336, |
Scalable Platforms |
Added a cosmetic fix in asgPeaksTable. |
PRJ-29981, |
Scalable Platforms |
The outage may occur when configuring OSPF over VPN/VTI interface because of missing cluster IP address for VPN/VTI interface. |
PRJ-27625, |
Scalable Platforms |
In rare scenarios, when running the "snmpwalk" command, multiple irrelevant error logs may appear in /var/log/messages. |
PRJ-27512, |
Scalable Platforms |
In a rare scenario, a memory leak that requires constant reboots may occur. |
PRJ-29153, |
Scalable platforms |
In some scenarios, Maestro Orchestrator SDK may stop responding until restarting the Orchestrator service. |
PRJ-30025, |
Scalable platforms |
When rebooting a member from the standby site, it may send GARP when booting and cause a connectivity issue. Refer to sk176523. |
PRJ-30286 |
Scalable platforms |
Packet drop may occur after Maestro Orchestrator reboot. |
PRJ-27157, |
Scalable Platforms |
After adding a new user via WebUI, asg_diag may fail on configuration test (config_verify -v) due to inconsistent value in the database. The issue is only cosmetic. |
PRJ-29516, |
Scalable Platforms |
After setting a specific range of Blades in gclish, some commands may fail. |
PRJ-30023, |
HCP |
Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 09 Released on 30 August 2021 and declared as Recommended on 18 October 2021 |
||
PRJ-25588, |
Security Management |
NEW: Added new features to the Changes report:
|
PRJ-28702, |
Security Management |
Added Update 11 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-27622, |
Security Management |
In a rare scenario, the "Install Database" task may continue to run indefinitely. |
PRJ-29485 |
Security Management |
When adding a new Multi-Domain Server to an existing environment and connecting to the System Domain of the newly added server, Domains are not shown in the Domains view. |
PRJ-27717, |
Logging |
In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command. |
PRJ-29754, |
Security Gateway |
In rare scenarios, the Security Gateway may failover while handling the HTTP/2 stream. |
PRJ-28608, |
Threat Prevention |
Large file transfer in connections inspected by SSH Deep Packet Inspection (SSH DPI) may fail if SSH renegotiation is performed during the transfer. |
PRJ-27435, |
Identity Awareness |
NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.
|
PRJ-27434, |
Identity Awareness |
NEW: Added support for SAML authentication method for Remote Access VPN. Refer to sk172909 for configuration instructions. Requires R81.10 SmartConsole Build 400 (or higher). |
PRJ-28540, |
ClusterXL |
During Multi-Version Cluster (MVC) upgrade with R81 Jumbo Hotfix Take 34, the "MVC WARNING uninitialized VPN table" message frequently appears in log. Refer to sk174445. |
PRJ-27592, |
Gaia OS |
A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC). |
PRJ-27795, |
Harmony Endpoint |
In some scenarios, Endpoint Firewall starts dropping all network traffic after the Management server upgrade from R80.10 |
PRJ-29801, |
Harmony Endpoint |
In some scenarios, the Endpoint server may stop responding to the Endpoint clients. |
PRJ-28017, |
Scalable Platforms |
In some scenarios, bond interface subordinate fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00. |
PRJ-28125, |
Scalable Platforms |
In some scenarios, the Maestro Gateway leaves the Security Group. |
PRJ-29239, |
Scalable Platforms |
Configuring HA bond in VSX may lead to crash upon active subordinate change. |
PRJ-27262, |
Scalable Platforms |
The "asg perf" command may fail when it calculates the average load of CPU cores when CoreXL uses all CPU cores available in the Security Group. |