List of All Resolved Issues and New Features in R81.10 Jumbo Hotfix Accumulator

NEW: The "show nat-rule" and "show nat-rulebase" Management API commands now support displaying hit count data with optional date range filtering through the "show-hits true" parameter, allowing users to retrieve hit statistics for NAT rules with flexible time-based querying in JSON format.

Syntax examples:

• mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" --format json

• mgmt_cli show nat-rulebase offset 0 limit 20 details-level "standard" use-object-dictionary true package "standard" show-hits true --format json

• mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" --format json

NEW: Updatable objects can now be updated through the Security Management Server by adding the "<ProxyRoute>1</ProxyRoute>" configuration entry to the $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml file, enabling proxy-based updates.

NEW: Added new OID (1.3.6.1.4.1.2620.1.38.55) to monitor the Identity Collector connection status in the $CPDIR/lib/snmp/chkpnt.mib file.

• This capability is supported for Identity Collector agents running with version R82.120.0000 or higher.

UPDATE: Resolved CVE-2024-52887 - Self-XSS vulnerability in Mobile Access Native Applications 'favorites' dialog. Refer to sk183054.

UPDATE: The Management API command "set-https-rule" now automatically sets the negative value to "false" when modifying the destination, source, service, or site-category fields, regardless of its previous setting.

UPDATE: Added a log print to warn about unsupported SIC reset configurations on Multi-Domain Security Management Server / Multi-Domain Log Management Server and to alert when a Domain lacks an ObjectStoreDomain, which prevents CPM from starting. Refer to sk182533.

UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved performance.

UPDATE: Improved throughput of GRE tunnels configured on the ports of the 100G Acceleration Card when SecureXL works in the UPPAK mode.

UPDATE: Implemented robust path validation during user deletion to prevent unintended deletion of parent directories.

UPDATE: Optimized policy distribution to Maestro Security Group members to avoid failure under high load conditions.

UPDATE: New features and improvements are released in Take 124, Take 125 and Take 128 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 141 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

The on-premises Security Management Server with a proxy address configured may fail to connect to the Infinity Portal.

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

In some scenarios, High Availability synchronization fails with "NGM failed to export data" because of invalid Global Domain Assignments.

After installing R81.10 Jumbo Hotfix Accumulator Take 150, when browsing to SmartConsole > Manage & Settings > Permissions & Administrator > Administrators, the page may display "Error retrieving results".

In rare scenarios, the CPD process may unexpectedly exit and create a core dump file. Refer to sk182787.

In rare scenarios, publishing Multi-Domain Security Management level changes such as Administrator configuration changes fails. The "Action Failed due to an Internal Error" error is displayed.

In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck.

• The fix will only be applied if the upgrade to R81.10 Jumbo Hotfix Accumulator Take 173 or higher is done using a Blink image or the Advanced Upgrade method.

In environments where not all Domains are Active on the same Server (for example, in a multi-site environment), and there is no Domain Management Server for a specific Domain, logs from that Domain are not forwarded to the Infinity Portal.

In rare scenarios, in Multi-Domain Security Management environments, login to Smart Console fails.

After an upgrade, Log Sharing feature does not function as expected, "Encountered an internal error" is printed in the Infinity Services view, under Log Sharing status, and LOG_EXPORTER core dumps are generated. Refer to sk183146.

See the Critical Information section.

After an upgrade, Dynamic Balancing does not start. The "dynamic_balancing -p" command returns "Dynamic Balancing is currently Initializing". Refer to sk182615.

When enabling MDPS using the "set mdps mgmt plane on" command, the "Failed to commit transaction on database" error is shown instead of a message explaining that the management interface should be configured first.

The server.log file of the ICAP Server is filled with "Failed to scan web object" entries. This is a cosmetic issue.

In some specific HTTP/2 traffic scenarios, a valid connection may fail.

When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.

The "dynamic_objects cfo_show" command may fail when the Security Gateway is under heavy load.

Incorrect Rule Base parameters synchronization logic may lead to the FWK process exit.

GTP-U traffic may be dropped because of incorrect message type handling.

In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow.

The "cpca_dbutil print" command may delete the provided output file content if the input file does not exist.

When SSH Deep Packet Inspection (SSH DPI) is enabled, a bypass log entry may not be generated if no Threat Prevention blade is active on the connection. This is a cosmetic issue.

In a rare scenario, Anti-Virus blade prevents benign traffic due to improper parsing of URL observables in IoC feeds. Refer to sk181519.

IDA Captive Portal may not be available after Jumbo Hotfix Accumulator installation or after an upgrade using the Blink image. Refer to sk172324.

In a rare scenario, when fetch_by_SID is enabled, the PDPD process repeatedly exits. Refer to sk182745.

In some scenarios, a custom application does not match a URL Filtering rule.

In a rare scenario, the FWK may unexpectedly exit because of a memory allocation issue.

The DLP blade may not block the password-protected files of a specific type, although it should.

In a rare scenario, when the Anti-Virus blade is enabled, the Security Gateway may crash during traffic inspection.

A Maestro Security Group Member may fail to initialize after enabling IPv6 and is stuck with pull_config pnote.

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

Policy installation failures may cause "fwaccel dos" commands to stop working.

When working with SNMP traps, Clish may become slow and unresponsive.

When querying VLAN interfaces, instead of returning the ifType specifically for the VLAN interface itself, the SNMP walk returns the ifType of the underlying physical interface that the VLAN is associated with.

Capturing with Check Point Traffic Capture Tool (cppcap) from all devices may lead to high CPU usage and potential performance issues.

Static routes may get permanently deleted from the kernel during rapid interface configuration changes when there is a large number of routes.

Capsule VPN connectivity failures may occur after a configuration change of the VPND daemon table parameters.

In some scenarios when Link Selection (LS) is configured, traffic outage may occur after policy installation.

SSL Network Extender (SNX) traffic on Maestro may be dropped with "vpnk_tcpt invalid negative tunnel id". Refer to sk182806.

When configuring machine authentication without an LDAP server, the computer is authenticated during the connection with the RA VPN. However, the logs in SmartConsole do not display the "Authenticated machine ..." message as expected.

The "vsx_util convert_cluster" command may fail and cause the FWM process to exit with a core file.

In a rare scenario, the FWM process may exit when running the VSX creation wizard.

Exclusions for Anti-Bot policy created through the WebUI do not correctly handle Cyrillic characters.

When Maestro Hyperscale Orchestrator (MHO) is not reachable, the "mq_mng -s" command becomes unresponsive.

Security Group Member may be in Down state during the license distribution to Maestro Security Group members. Refer to sk181245.

Using the "#" character in the Message of the Day (MOTD) banner message causes SGMs to fail during boot.

After upgrade:

• Output of the "asg diag verify" command shows in the "System Components" section that the status of the "Software Provision" test is "Failed".

• Output of the "asg diag print <ID of "Software Provision">" command shows a shell script code.

• Output of the "asg_provision" command shows a shell script code.

NEW: CloudGuard Controller updates are now performed automatically. Refer to sk181842.

UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Fix for Remote Access VPN and login to SmartConsole, Mobile Access and Identity Awareness Captive Portal. Refer to sk182516.

UPDATE: JRE is updated from version 8.0_8.21 to version 8.0_8.26.

UPDATE: Added a count of Session and Connection logs to the "cpstat" command output.

UPDATE: Added support for whitelisting IP addresses in external IoC feeds.

UPDATE: Identity Collector OIDs for SNMP queries are now available in both $CPDIR/lib/snmp/chkpnt.mib and $FWDIR/conf/identity_server.cps locations.

UPDATE:

• Improved debugging in the Security Gateway to identify problematic hosts when resolving their next-hop IP addresses.

• The custom ADP queue size configuration now persists after rebooting the Security Gateway. The relevant global parameters are located in the $PPKDIR/conf/adpkern.conf file:

  • "adp_nh_total_max_arp_qents"

  • "adp_nh_local_max_arp_qents"

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

In some scenarios, the "set-exception-group applied-threat-rules.position" Management API command may add the exception group to an incorrect position.

In rare scenarios, when Application Control blade is enabled, cloning a policy may fail due to timeout.

In some scenarios, the Security Management Server upgrade fails with "creating default objects and restarting services" during the import phase.

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file.

Searching for a Data Center asset IP address in the policy may not return results.

Global Policy Reassignment may fail with an "An internal error has occurred" message when a custom IPS package is used or was previously used in the system.

The "show-domains" Management API command may return partially deleted domains among the results.

In some scenarios, policy installation using Management API with the "prepare-only" parameter set to "true" may fail with an "internal error" message.

Enabling IPS on Multi-Domain Security Management Server may cause Threat Prevention policy installations to fail due to legacy IPS multi-profile incompatibility.

In some scenarios, cpmiquerybin core files may appear in /var/log/dump/usermode/ on the Security Management Server.

In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains.

SmartConsole fails to connect with "Unable to connect to server. Server is initializing". Refer to sk182507.

In some scenarios, opening new tab in SmartConsole Logging & Monitoring tab fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732.

In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole. However, the new Log Exporter object is not actually generated.

The "asg monitor" command may show the Security Gateway in the "during upgrade" state although a major downgrade is complete.

When SecureXL User Mode (UPPAK) is enabled and using Passive/Active Streaming with QoS, the Security Gateway may incorrectly drop some traffic.

The Security Gateway may crash after a failure in policy installation.

Changing the NAT settings of a host using the "set-host" Management API command succeeds but has no effect unless both the "ipv4-address" and "ipv6-address" parameters are set.

In some scenarios, the Security Gateway does not free some packets causing a memory leak.

Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807.

See the Critical Information section.

The Threat Prevention policy installation may fail when installing from R81.20 SmartConsole on R80.x Security Gateway.

In a rare scenario, the Security Gateway may crash during traffic inspection when holding a connection.

In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Any groups beyond this limit are disregarded when determining user access roles.

IPS may drop an IPv6 TCP local connection.

In some scenarios, the Anti-Virus Blade logs on a VSX Gateway may display an incorrect origin IP address.

When the VSX Gateway is created, the parameter that determines whether VSX mode is enabled or disabled is not set in SecureXL configuration until a reboot is performed.

When SecureXL User Mode (UPPAK) is enabled and running ESP traffic, packet loss may occur and the "fwconn_key_init_links failed" error is printed. Refer sk182775.

The USIM process exits when attempting to delete an IP address from an empty deny list if that IP address exists in any other deny lists (including the regular deny list or those using IoC feeds).

The USIM process may unexpectedly exit when these parameters are enabled in the $PPKDIR/conf/simkern.conf file:

• "sim_top_conns_enable" - the tracking of the top connections.

• "sim_top_proto_enable" - the tracking of the top protocols.

In a ClusterXL environment, a race condition may occur when BGP Graceful Restart is incorrectly configured. If the feature is enabled for some peers but not others, it may lead to permanent loss of network routes.

In some scenarios when MDPS is enabled, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth7 instead" message appears in /var/log/messages.

Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds.

Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason.

Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment.

The gClish scheduled backup retention command is applied to SMO member only and not on all Security Group members as it should.

When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only.

The VSX Gateway may cause traffic interruption when SecureXL User Mode (UPPAK) is enabled on systems with multiple physical interfaces.

Using Image Cloning when the same VMAC feature is enabled may cause a boot loop.

UPDATE: Resolved CVE-2024-31497. The Putty version used in the Mobile Access Portal Embedded SSL Network Extender application is upgraded from version 0.80 to version 0.81.

UPDATE: Optimized the Generic Data Center JSON file processing on the Security Gateways to improve performance when handling large numbers of IP ranges.

UPDATE: Port 8211 now accepts connections with the cipher ECDHE_RSA_AES_256_GCM_SHA384.

UPDATE: Added a log for connections rejected because of short Server certificate public key size (RSA 1024 bits or less, ECDSA 256 bits or less). Refer to sk182224.

UPDATE: New features and improvements are released in Take 118 , Take 119, Take 120 via self-updatable package. Refer to sk170314.

The database size on the Secondary Management Server increases if dbedit is used without making or saving any changes. Refer to sk182519.

The Revisions Purge process may stall if initiated after restarting the Security Management Server or Multi-Domain Security Management Server because of remnants of a previously interrupted Revisions Purge operation.

In rare scenarios, login to SmartConsole fails with a timeout.

Accelerated Policy installation may get stuck with the "Policy installation (queued)" status.

If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance.

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

In rare scenarios, the CPD process may unexpectedly exit and create a core dump file.

Global Domain Assignment may fail with "Internal Error", if the assigned Domain is currently Active on a different Multi-Domain Security Management Server.

In a rare scenario, when running the CPView utility, the Security Gateway may crash.

When adding a table widget to a SmartView report:

• The "Missed Malware Activity" and "Spyware Action" fields may not be possible to pick.

• The "Malware Action" filter may appear twice in the picker. Refer to sk182049.

In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file.

In rare scenarios, the Logs view may display unexpected blank lines or gaps in the chronological sequence of entries.

In a VSX Cluster environment, the CPVIEWD daemon may cause a high CPU.

Incorrect value in the "fwisusfw" register causes improper CPU affinity and dynamic balancing initialization in User Space Firewall mode after an upgrade. Refer to sk182004.

In rare scenarios, policy installation may fail after an upgrade of a VSX Gateway.

SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other threat prevention products are disabled.

When using ICAP, filename handling occasionally fails. As a result, the Threat Emulation Blade may not be able to process this specific file.

The Anti-Bot Blade may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494.

The "citrixStrictTicketEnforcement" parameter set in the configuration file may not work as expected.

In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures.

When SecureXL User Mode (UPPAK) is enabled, in some scenarios, a VSX Security Gateway with many Virtual Systems may crash.

Dynamic Routing outage in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation / uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556.

A multicast outage may occur during failovers caused by interface flaps.

Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of medium path, Quality of Service (QoS) controls, and VPN.

The FWK process may crash when establishing multiple VPN tunnels simultaneously at peak rates.

The FWK process may exit when Monitor mode is enabled on one of the interfaces.

In Quantum Maestro/Scalable Chassis environments, when using the Threat Prevention Blade in the Security Group, the entitlement_status_collector_db.C files may be inconsistent between the Security Group Members.

Suspicious Activity Monitoring (SAM) rules may not be triggered after a Source Block automatic reaction is configured.

NEW: Implemented support for LDAP queries using Windows Security Identifiers (SIDs) as search criteria.

NEW: Added Generic Data Center support for Quantum Maestro environments.

UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.58 to fix CVE-2023-31122, CVE-2023-43622.

UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. Refer to sk182743.

UPDATE: Modified the content of the https://<ip_adress>/license_management/ page.

UPDATE: When deleting a Secondary Multi-Domain Security Management Server, SmartConsole now shows an "After MDS '<MDS name>' is deleted, you should delete the Secondary Domain Servers from the Domains and revoke their certificates" message.

UPDATE: Enhanced the Access Control log for "Accept" actions with initial matched layers of "IoT" or "Playblocks":

The "Layer Name" field now shows the admin-configured layer, alongside Rule Name and Rule Number, allowing administrators to view their preferred match layer rather than defaulting to the first matched layer or inline rule. This change improves visibility into the specific security policy components responsible for accepting traffic.

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices.

UPDATE: Extended the "allowed-client" setting to enforce IP restrictions for both password and SSH key authentication methods, providing more comprehensive access control.

UPDATE: SIP over UDP requests and responses may be dispatched to different firewall instances when a single-direction rule is defined in the Rule Base, potentially causing returned SIP traffic to be dropped as an unknown connection. To address this, a new global parameter "sip_forward_if_needed" is introduced (disabled by default). When enabled, the Security Gateway forwards responses to the appropriate request instances. Refer to sk182667.

UPDATE: New features and improvements are released in Take 114 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.

• Requires additional configuration and R81.10 SmartConsole Build 426 or higher. Refer to sk181630.

In some scenarios, an upgrade of Security Management Server or Multi-Domain Security Management Server fails with the "Failed: upgrade of "DOMAIN_NAME". For more details see upgrade logs below" error in the upgrade report.

• The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, the CPCA process on the Security Management Server / Domain Management Server may exit unexpectedly, creating a core dump file. Refer to sk183101.

Objects Explorer search fails with "Error retrieving results" when more than twenty thousand IP addresses match the search criteria.

The UPDATE_INSPECT_FILES process of Upgrade Tools may exit with a core dump.

The "domains_tool -report" command may fail if more than sixteen host objects are defined as DNS Servers in the environment.

In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running with "details-level full".

In rare scenarios, login to the Security Management Server may fail with timeout and the FWM process on the Management Server may unexpectedly exit, creating a core dump file.

In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually.

In rare scenarios, publishing a session in SmartConsole fails with the "got at least one duplicate UID in requested list, duplicates UIDs: [XXX]" error.

The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set.

Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".

• The fix requires the upgrade to be done using a Blink image or the Advanced Upgrade method.

When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY".

In rare scenarios, empty log list may be displayed when selecting a log file to view in SmartConsole.

When adding a table widget to a SmartView report:

• The "Missed Malware Activity" and "Spyware Action" fields may not be possible to pick.

• The "Malware Action" filter may appear twice in the picker.

In some scenarios, in Multi-Domain Security Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied.

In SmartView, filtering logs by "event_type" may fail with the "Query failed" error.

The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB).

In some scenarios, websites that use HTTP2 protocol do not load properly.

In some scenarios, adding sequential IP addresses as MDPS task addresses may fail.

The CPWD daemon does not restart automatically.

Security Gateway running in SecureXL User Mode (UPPAK) may crash during driver removal showing "m_free: mbuf doublefree" in the backtrace.

Kernel Memory usage increases persistently each day on a Security Gateway/Security Group when CGNAT is enabled. Refer to sk182140.

In rare scenarios, when HTTPS Inspection is enabled, the FWK process may unexpectedly exit due to memory violation.

The Anti-Virus Blade fails to parse IoC feeds that contain IPv6 addresses.

In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops.

Policy Enforcement Point (PEP) logs show a username after the user session is expired. Refer to sk181553.

Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs.

In a rare scenario, the Security Gateway may crash due to memory corruption caused by the Anti-Virus Blade.

Web Application names column width is too narrow to fit in the Mobile Access Portal. Refer to sk181774.

The HTTPD process of the Mobile Access Portal may exit with a core dump file.

A race condition may occur in a large scale VSX Cluster environment and SecureXL User Mode (UPPAK) is enabled.

The USIM process may unexpectedly exit.

In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out.

Some packets on connections to bonded VLAN interfaces may be dropped because of missing interface info.

OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks due to the omission of an "IP-Address" field in the grace LSA.

Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783.

During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them.

Tunnel testing may fail after an upgrade. Refer to sk182267.

In rare scenarios, the CPD process of the default Virtual System on a VSX Gateway (VS0) gets stuck.

In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state.

When running the "set user username force-password-change yes" command in gClish on Scalable Platforms, the new configuration may not be applied.

The "distutil" script may take a long time to run in an environment with many VS's.

The "up_fw_set_cphwd_template: up_manager_create_template_msg failed; fwhandle_pool_add: Table kbufs - All available pools exhausted" error may be printed in the fwk.elg file during a heavy traffic load.

NEW:

• Added support for the Gaia API proxy with VSX to use Management API from both the Multi-Domain Security Management Server and the Security Management Server. Refer to Management API Reference.

• This release also resolves issues that occurr when using Multi-Portal Blades with internally issued certificates and third-party certificates.

UPDATE: Added an ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033.

UPDATE: SSL Network Extender is updated to version 80008409.

UPDATE: jQuery UI is upgraded to version 1.13.2.

UPDATE: The audit event information when adding or removing Virtual Group members is now unified. The data includes the administrator name and device/user names for both actions.

Previously:

• When removing an object, the administrator name who did the operation and also the device/user name were shown.

• When adding an object, the administrator name was not shown and there was an ID list instead of the user or device names.

UPDATE: Added Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436.

Install Policy Presets may fail after purging all revisions. Refer to sk181652.

In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages.

Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled.

Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected.

In rare scenarios, High Availability synchronization fails with "Peer is busy".

When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message.

The on-premises Security Management Server fails to connect to Infinity Portal when this Server has a proxy configured.

After a global assignment, when installing policy on several installation targets at once, the log may show an incorrect rule name.

A memory leak may occur in the FWM process leading to SmartConsole connection failures.

When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string&CURRENTVERCMP" error.

In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted. Refer to sk181454.

In some scenarios, the PostgreSQL database fully utilizes disk space on the Standby Security Management Server.

If all revisions were purged on the Security Management Server, the "show packages details-level full" Management API call may fail.

In some scenarios, the Security Management Server upgrade to R81.20 fails with "java.lang.String incompatible with com.checkpoint.infrastructure.types.CPUUID" in the upgrade report. The issue occurs during the import of the User Data Domain.

• The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

The "cprlic get" command output may not provide correct information about vSEC licenses.

The Management API command "set-lsm-gateway" with the "sic.ip-address" parameter may fail with "Establish SIC failed. Reset SIC on gateway and try again." when resetting SIC.

SmartConsole slowness when adding applications to rules. Refer to sk182063.

Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options.

The "cpstat -h log server ip ls -f logging" command fails when running it from Security Management.

In rare scenarios, after an upgrade, the LOG_EXPORTER process may fail to send the log files to SIEM or to the cloud.

Running GTP traffic may cause a crash on a Security Gateway without a GTP license.

A memory issue may occur in a cluster environment, when SIP inspection is enabled.

A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart.

In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base.

Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are active. Refer to sk181793.

In rare scenarios, a file downloaded via HTTP may be corrupted.

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225.

SSH DPI may not work because of incorrect parsing of the client hello from a non-standard SSH client.

In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration.

During policy installation, users authenticated using the Captive Portal may get disconnected.

The DLPU process may frequently exit with a core dump file.

SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805.

See the Critical Information section.

Cluster members may crash, generating vmcores in /var/log/crash.

Multicast packets received on an interface with PIM disabled can cause multicast packet drops on other interfaces by filling up the kernel routing queue.

During the deny list update process, there is a temporary gap where no IP addresses are blocked, allowing unwanted traffic to pass through the Security Gateway unfiltered.

In some scenarios, the VSX Security Gateway may fail to properly reroute traffic originating from a Virtual Switch.

In some scenarios, fragmented ICMP packets may bypass the DOS/ Rate limiting deny list.

There may be a delay in enforcing DOS/ Rate Limiting rules to drop packets when concurrent connection limits are exceeded.

BGP peers may experience timeouts when these conditions occur simultaneously:

• The network has more than 100 BGP peers configured,

• The routing table contains tens of thousands of routes,

• BGP tracing is enabled,

• The BGP timers (such as keepalive and hold timers) are reduced from their default values, making the peers more sensitive to delays or congestion.

It may not be possible to propagate a newly added static route through OSPF.

Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on".

In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory.

When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file.

When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues.

The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic.

After an update, if in VPN if configured with Permanent Tunnels enabled, RAM utilization may increase.

In a rare scenario, after a VSX environment upgrade, connecting Remote Access Client to a newly created VS site using IDP authentication fails with the "This page can't be displayed" error in the embedded browse, but error logs or debugs are missing from the /opt/CPVPNPortal/logs/ directory on VSX and newly created VS.

When duplicate users with the same name and Domain exist in the database or Active Directory, FDE Pre-boot authentication on LAN may fail, not able to identify the user attempting to log in.

The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members).

When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are.

Before enabling MDPS, CoreXL Dynamic Balancing (sk164155) must be disabled.

Traffic outage after policy installation on a Maestro Security Group in the VSX mode that works in the Dual Site configuration. Refer to sk182379.

CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336.

NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol.

This ability is enabled by default.

• To disable this ability, run: "fw ctl set int appi_drop_packet_enabled 0".

• To enable this ability, run: "fw ctl set int appi_drop_packet_enabled 1".

NEW: Added support for a new tool (shell script) on a Management Server that can show and renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways and VSX Virtual Systems. Refer to sk182070.

UPDATE: Added validation for new permissions for configuring a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > Run the following script before deleting old files.

UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921.

UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions.

UPDATE: CPView now shows statistical data also for servers with 256/512 CPU cores.

UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways.

UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server.

UPDATE: Updated the Jetty server libraries for CloudGuard Controller to provide enhanced stability, security, and performance.

UPDATE: The AWS Security Group Data Center object name now includes both the name tag and Security Group name, formatted as "ID <Name tag> <Security Group name>".

Previously, only the name tag was included, with the format "ID <Name tag>".

This change to include the Security Group name can be enabled by adding the setting "aws.supportSearchGroupName=true" in the vsec.conf file.

UPDATE: Added Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added Update 15 and Update 16 of HealthCheck Point (HCP) Release. Refer to sk171436.

In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object.

Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID.

In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete.

In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822.

In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886)". Sk178886 describes a different scenario and does not resolve the issue.

In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed.

SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script.

In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to the "Install On" column in Threat Prevention policy, no Security Gateway objects appear.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters.

In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397.

In some scenarios, the change report sent via email by SmartTasks after publishing appears blank, even though there were modifications in the published session.

Installing security policy with a rule that contains the "Internet" object in the destination column may fail with error message "Topology is not defined on the policy "Install On" target <cluster object name>", if the target cluster is marked as "Geo Mode in a Cloud".

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801.

In rare scenarios, CPView does not handle VS context correctly.

Some attributes in SNMP MIB file may not be accessible.

When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly.

When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters.

Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609.

The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706.

The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration.

Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments.

In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow.

In rare scenarios, the FWK process may unexpectedly exit when running an outgoing (a local connection) from the Security Gateway.

Notifications of SecureXL connection deletion appear unfiltered in the debug output, also when using a debug filter.

Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages.

In a VSX environment, the FW_FULL process may exit when running "fw monitor -p all" with the "-v" flag on a specific list of Virtual Systems (VS's) where not all VS's have identical blade configurations enabled.

The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process.

The Security Gateway may crash during policy installation.

The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address.

CRLs may not be recreated after cleaning expired certificates from the ICA database.

Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension.

The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974.

In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers.

In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network.

When a policy contains a white list, some packets may not match the listed applications.

The "malware_whitelist_domain_tbl error" messages in /var/log/messages file while installing a policy on both cluster members. Refer to sk180614.

Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures.

In a rare scenario, the Security Gateway may crash during inspection of file downloads.

Anti-Virus fails to release held connections after the inspection.

When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text.

The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue.

When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status.

The Security Gateway may crash with vmcore during boot while upgrading.

When attempting to route packets to unresponsive hosts, the CPU utilization may be high.

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch.

In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer.

A core dump for the ROUTED process is created while changing the Security Gateway PIM configuration from Bootstrap-Candidate to Candidate-RP using the "set pim" command.

In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor.

When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing.

The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces.

Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled.

In some scenarios, installing policy via vsx_util may be stuck.

Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages.

SNMP query does not bring the CPUSE package information for a single OID (not a table).

Clish may deny access of a non-local RADIUS user.

The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option.

When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration.

In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail.

When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525.

If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues.

Querying SP Interface Data via SNMP may intermittently fail.

When creating a Security Group creation in Maestro Orchestrator WebUI, and the password contains the "(" "&" or ";"characters, the operation fails with "Failed to apply new topology" or with "Gaia Web-UI recognized a non-valid input data".

Security Gateway with Anti-Virus blade enabled may sporadically crash because of memory corruption.

See the Critical Information section.

UPDATE: New features and improvements are released in Take 94 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 77 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

Member state may flap between Active and Ready.

During site failover, IPv6 traffic that goes through the Warp interface may be interrupted.

The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891.

See the Critical Information section.

NEW: Added ability to R81.10 Security Management Server and Multi-Domain Management Server to manage 19000 and 29000 Check Point appliances.

• Requires installing R81.10 SmartConsole Build 420 (or higher).

UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository.

UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302.

UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds.

UPDATE: It is now possible to add exceptions to external IoC feeds.

UPDATE: Optimized memory consumption of Identity Broker in the synchronization flow.

UPDATE: SSL Network Extender was updated to version 80008407.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:

• CPAC-2-40F

• CPAC-2-40F-B

• CPAC-2-40F-C

• CPAC-2-100/25F

• CPAC-2-100/25F-B

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

UPDATE: Added the "namespace" label to pods in Kubernetes Data Center.

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

Login using the API fails if the Security Management Server has multiple IP addresses and they are not defined on the Management Server object in SmartConsole.

An audit log may not be created after running Revert to Revision.

The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626.

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util.

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report.

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

Application Control and IPS updates may take a long time.

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects.

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

When using the "cpstop" command on the Security Gateway, the fw_full core may be generated.

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

In rare scenarios, the WSDNSD process may restart because of an internal error.

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

In some scenarios, when IPS is enabled, CPU spikes may occur.

VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481.

The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied.

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

When configuring ioc feeds from the management:

• The "no_ssl_validation" variable may be deleted after the policy installation.

• Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

An outage may occur when an unsupported SSH cipher is selected.

In a rare scenario, changes in Threat Prevention Custom Intelligence feeds settings may not be applied after policy installation.

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417).

Policy installation fails when a custom application and user category have the same name.

In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured.

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

A FWK process memory leak may occur when canceling the download of a large file in the middle of the process.

When working in User Mode (UPPAK), after a reboot, SSH connection to the Standby member may be interrupted because of an ARP failure.

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

In some scenarios, the link state of uplink ports may be "Down".

Appliances with LightSpeed acceleration enabled may experience cluster failovers, even when the CPUs are not fully utilized (for example, at 30%) and the traffic load is low (as little as 1 GB).