List of All Resolved Issues and New Features in R81.10 Jumbo Hotfix Accumulator

 

Review the Important Notes section before installing a new Take.

ID

Product

Description

Take 135

Released on 12 February 2024

PRJ-52627,

ODU-1392

Web SmartConsole

UPDATE: New features and improvements are released in Take 94 via self-updatable package. Refer to sk170314.

PRJ-52819,
ODU-1491

CPView

UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521.

PRJ-52595,
ODU-1499

CPView

UPDATE: Added Take 77 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-52586,
ODU-1460

Threat Prevention

UPDATE: Added Update 23 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-44134,

MBS-16004

Scalable Platforms

Member state may flap between Active and Ready.

PRJ-51301,

PRHF-31310

Scalable Platforms

When using NAT64 rules, Server to Client traffic may be dropped because of the "Out of state" error.

PRJ-46222,

PMTR-88316

Scalable Platforms

During site failover, IPv6 traffic that goes through the Warp interface may be interrupted.

PRJ-52983,

PMTR-99552

Scalable Platforms

In a VSX environment, LACP Bond traffic may fail with the "incomplete ARP" error.

See the Important Notes section.

Take 132

Released on 25 January 2024

PRJ-52491,

PMTR-99615

ClusterXL

The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891.

See the Important Notes section.

PRJ-52558,

PMTR-100084

Security Gateway

When in the NAT Rule Base there are domain objects with uppercase letters, the NAT rules may not be matched. Refer to sk167194.

See the Important Notes section.

Take 131

Released on 14 January 2024

PRJ-51031

Security Management

NEW: Added ability to R81.10 Security Management Server and Multi-Domain Management Server to manage 19000 and 29000 Check Point appliances.

  • Requires installing R81.10 SmartConsole Build 420 (or higher).

PRJ-50368,
PMTR-94786

Security Management

NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers.

PRJ-50103,

PRHF-30325

Diagnostics

UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository.

PRJ-45064,
PRHF-28095

Security Management

UPDATE: Added support for scheduling automatic purges of the System Data domain.

PRJ-52356,
ODU-1400

CPView

UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-33058,
PMTR-74320

Logging

UPDATE: Added a boolean parameter to Management API command for configuring logs distribution between multiple Log Servers - "logs-settings.distribute-logs-between-multiple-active-servers".

Syntax: mgmt_cli -r true set simple-gateway name <gw_name> logs-settings.distribute-logs-between-multiple-active-servers <true/false>

  • Supported on Security Gateway running version R81.10 and higher.

PRJ-49365,
PRHF-28875

Security Gateway

UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302.

PRJ-46318,
PMTR-92164

Security Gateway

UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log.

PRJ-48140,
PMTR-93683

Threat Prevention

UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds.

PRJ-51510,
ODU-1248

Threat Prevention

UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-43433,
PRHF-26673

Threat Prevention

UPDATE: It is now possible to add exceptions to external IoC feeds.

PRJ-52041,
ODU-1201

Threat Extraction

UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832.

PRJ-49316

Identity Awareness

UPDATE: Optimized memory consumption of Identity Broker in the synchronization flow.

PRJ-47915,
AVIR-1544

Anti-Virus

UPDATE: Improved Anti-Virus caching mechanism to prevent generating malicious sub-domains in Background resource categorization mode.

PRJ-49232,
PMTR-92549

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 80008407.

PRJ-43433,
PRHF-26673

SecureXL

UPDATE: It is now possible to add exceptions to external IoC feeds.

PRJ-48108,
PMTR-90795

VSX

UPDATE: Changed the vsx push configuration log:

  • The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

  • The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

PRJ-43882,
PMTR-86708

VSX

UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX.

PRJ-47450,
ACCHA-3284

Gaia OS

UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:

  • CPAC-2-40F

  • CPAC-2-40F-B

  • CPAC-2-40F-C

  • CPAC-2-100/25F

  • CPAC-2-100/25F-B

PRJ-48010,
PRHF-29711

Gaia OS

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

PRJ-50873,
PMTR-97129

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

PRJ-45236,
PRHF-28236

Gaia OS

UPDATE: SNMP traps for interfaces going up and going down now contains the interface name and description.

PRJ-47188,
PRHF-28352

CloudGuard Network

UPDATE: Added the "namespace" label to pods in Kubernetes Data Center.

PRJ-48081,
PRHF-29774

CloudGuard Network

UPDATE: Added support for Azure Scale sets with Flexible orchestration mode.

PRJ-48789,
PMTR-94130

CloudGuard Network

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

PRJ-47560

IoT

UPDATE: Enabled new docker capabilities on IoT Gateways.

PRJ-48200,
PRHF-29851

Security Management

Login using the API fails if the Security Management Server has multiple IP addresses and they are not defined on the Management Server object in SmartConsole.

PRJ-48381,
PRHF-29957

Security Management

In SmartConsole, export of policies with the "Hit count" column may get stuck.

PRJ-48037,
PRHF-29549

Security Management

An audit log may not be created after running Revert to Revision.

PRJ-47966,
PRHF-29565

Security Management

In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server.

PRJ-50029,

PMTR-95988

Security Management

The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626.

PRJ-43289,
PRHF-26909

Security Management

In rare scenarios:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-49195,
PRHF-30329

Security Management

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

PRJ-47038,
PRHF-29235

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

PRJ-34860,
PRHF-20141

Security Management

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

PRJ-46828,
PRHF-28923

Security Management

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

PRJ-48370,
PRHF-29850

Security Management

The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util.

PRJ-49370,
PRHF-30255

Security Management

In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460.

PRJ-48897,
PRHF-30157

Security Management

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

PRJ-48691,
SL-8197

Security Management

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

PRJ-33005,
PMTR-75194

Security Management

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

PRJ-48161,
PMTR-93236

Security Management

The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field.

PRJ-44800,
PMTR-82908

Security Management

In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file.

PRJ-48200,
PRHF-29851

Security Management

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

PRJ-48864,
PRHF-30091

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-48441,
PRHF-30005

Security Management

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

PRJ-45898,
PRHF-28666

Security Management

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

PRJ-49225,
PRHF-30300

Security Management

In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-49883,
PRHF-30289

Security Management

Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report.

PRJ-49989,
PRHF-30686

Security Management

The "fwm sic_reset" command may fail and generate a core dump.

PRJ-50435,
PMTR-96433

Security Management

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

PRJ-50358,
PRHF-30763

Security Management

In multi-site environments, when using LDAP administrators configured on an external LDAP Server, logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status.

PRJ-46634,
PMTR-88417

Security Management

Application Control and IPS updates may take a long time.

PRJ-48704,
PRHF-29307

Security Management

In some scenarios, in High Availability Security Management Server environments, there may be increase of the database on the Security Management Server.

PRJ-49714,
PRHF-30513

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-49479,
PRHF-29987

Multi-Domain Security Management

When viewing Subordinate CA objects in SmartConsole:

  • Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

  • The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

  • The fix requires installing SmartConsole R81.10 Build 420 (or higher).

PRJ-48796

Multi-Domain Security Management

When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects.

PRJ-46435,
PRHF-28762

SmartProvisioning

After importing or deleting snort protections in the IPS Protections view, the view may not show the change.

  • The fix requires installing SmartConsole R81.10 Build 420 (or higher).

PRJ-47342,
PRHF-29472

SmartView

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

PRJ-47219,
PRHF-29347

Logging

The "fwm logexport" returns "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

PRJ-48342,
PMTR-93310

Logging

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

PRJ-46187,
PRHF-28421

Logging

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management side shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

PRJ-48727,
PMTR-93770

Logging

In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud.

PRJ-47209,
PRHF-29194

Security Gateway

When running the tp_collector tool, the FW_FULL process may unexpectedly exit.

PRJ-47268,
PRHF-29384

Security Gateway

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

PRJ-44701,
PRHF-27451

Security Gateway

In rare scenarios, the WSDNSD process an RST connection may write to a broken pipe, which causes it to restart constantly.

PRJ-47331,
PMTR-92600

Security Gateway

When using the "cpstop" command on the Security Gateway, the fw_full core may be generated.

PRJ-48247,
PMTR-86113

Security Gateway

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

PRJ-47520,
PRHF-29318

Security Gateway

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

PRJ-48153,

PRHF-29602

Security Gateway

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

PRJ-44701,
PRHF-27451

Security Gateway

In rare scenarios, the WSDNSD process may restart because of an internal error.

PRJ-46410,
PMTR-90123

Security Gateway

The Security Gateway may listen to the ports used by NAT.

PRJ-47370,
PMTR-88610

Security Gateway

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

PRJ-45693,
PRHF-28403

Security Gateway

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

PRJ-48022,
PMTR-91868

Security Gateway

In some scenarios, when IPS is enabled, CPU spikes may occur.

PRJ-48822,
PRHF-29853

Security Gateway

In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway.

PRJ-48809,
PRHF-29932

Security Gateway

VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481.

PRJ-50555,
PRHF-30793

Threat Prevention

In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process.

PRJ-45901,
PMTR-91000

Threat Prevention

The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied.

PRJ-49877,
PRHF-30512

Threat Prevention

Traffic directed towards a host situated behind the Security Gateway is not blocked. For instance, if an IP address listed in the feed sends an ICMP request, it will reach a host behind the Gateway without being blocked. Refer to sk132193.

PRJ-49008,

PMTR-92233

Threat Prevention

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

PRJ-47459,
PRHF-29514

Threat Prevention

In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash.

PRJ-47446,
PRHF-29413

Threat Prevention

When configuring ioc feeds from the management:

  • The "no_ssl_validation" variable may be deleted after the policy installation.

  • Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

PRJ-33431

Threat Prevention

In a rare scenario, a memory leak in the FWD process may occur after installing a Threat Prevention policy.

PRJ-48086,
PMTR-93601

Threat Prevention

An outage may occur when an unsupported SSH cipher is selected.

PRJ-46884,
PMTR-92083

Threat Prevention

Uploading an IoC file containing invalid characters (for example, quotation marks) may cause failure of Threat Prevention policy installation.

PRJ-49512,
PMTR-94919

Threat Prevention

In a rare scenario, changes in Threat Prevention Custom Intelligence feeds settings may not be applied after policy installation.

PRJ-48925,
PMTR-88858

Threat Prevention

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

PRJ-48429,
PMTR-93558

Threat Prevention

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

PRJ-47131,
PRHF-29215

Threat Prevention

The output of the "fw amw unload" command shows the policy gets unloaded, however CPVIEW still shows that the blades are enabled. Refer to sk181148.

PRJ-46904,
PRHF-29115

Threat Prevention

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

PRJ-46758,
PRHF-28441

Identity Awareness

The ida_tables_util tool may fail with the "bad adress" error.

PRJ-48274,
PRHF-29815

Identity Awareness

There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417).

PRJ-47441,
PMTR-92960

Identity Awareness

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

PRJ-45720,
PRHF-27843

Application Control

Policy installation fails when a custom application and user category have the same name.

PRJ-46198,
PMTR-85660

Application Control

There may be an inconsistency between the Application Control version as shown in CPView and the outcome of the "cpstat" command.

PRJ-49533,
PMTR-95032

Application Control

In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured.

PRJ-49044,
PRHF-30082

DLP

The DLP process may unexpectedly exit during policy installation.

PRJ-47935,
PRHF-29090

Anti-Virus

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

PRJ-47239,
PRHF-29289

Anti-Virus

Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode.

PRJ-48972,
PRHF-30090

Anti-Virus

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

PRJ-48127,
PMTR-93685

Anti-Virus

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

PRJ-48699,
PMTR-90439

SSL Inspection

A FWK process memory leak may occur when canceling the download of a large file in the middle of the process.

PRJ-45180,
PRHF-27989

ClusterXL

The VLAN configured bonded interface monitored state disappear after modifying the bonded interface properties. Refer to sk180724.

PRJ-43929,
PMTR-89813

ClusterXL

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

PRJ-51174

ClusterXL

When working in User Mode (UPPAK), after a reboot, SSH connection to the Standby member may be interrupted because of an ARP failure.

PRJ-51316

ClusterXL

In some scenarios, it may not be possible to connect to the Security Gateway cluster members when User Mode (UPPAK) is enabled.

PRJ-50419

SecureXL

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

PRJ-49682

SecureXL

Latency may occur when packets accelerated by LightSpeed go through connections with a lower than 100K PPS rate.

PRJ-49796,
PRHF-30310

SecureXL

In some scenarios, the link state of uplink ports may be "Down".

PRJ-50943,
ACCHA-3546,

PRJ-50948,
PMTR-74344,

PRJ-50951,
PRHF-30474,

PRJ-50937,
PMTR-90999

SecureXL

In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch.

PRJ-48819,
ACCHA-3434

SecureXL

Appliances with LightSpeed acceleration enabled may experience cluster failovers, even when the CPUs are not fully utilized (for example, at 30%) and the traffic load is low (as little as 1 GB).

PRJ-50941,
ACCHA-3219

PRJ-50939,
ACCHA-3355

SecureXL

In some scenarios, the VSX Security Gateway may crash when sending VPN encrypted traffic through a Virtual Router/Switch.

PRJ-49794,
PRHF-30272

SecureXL

When modifying the MTU of a master bond interface with LightSpeed slave interfaces, it may not be set correctly on the bond itself, although applied correctly on the LightSpeed slave interfaces.

PRJ-48760,
PMTR-93332

SecureXL

The port beacon feature also known as interface discovery or port blinking may not work correctly in User Mode (UPPAK).

PRJ-49757,
PMTR-95601

SecureXL

Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces.

PRJ-51471,
ACCHA-3743

SecureXL

In some scenarios (when there are more than 64000 connections), the Security Gateway accounting information may not be reported correctly on connections that are accelerated through the Quantum LightSpeed hardware.

PRJ-48824,
ACCHA-3365

SecureXL

In some scenarios, when adding warp interfaces to a Virtual Router or Virtual Switch, the VSX Security Gateway may not properly insert these interfaces into the SecureXL accelerated interfaces list.

PRJ-49378,

PRHF-30056

SecureXL

Syn Defender may not correctly handle reused connections.

PRJ-37918,
PMTR-79738

Routing

After policy installation, Application Based Routing configuration may be lost, and CLI commands are not shown in the configuration summary.

PRJ-49240,
ACCHA-3549

Routing

If the Security Gateway is in UPPAK mode and a PBR rule directs traffic to a Server on a different subnet, deleting the ARP entry for the Gateway on the Server can disrupt the traffic flow.

PRJ-50832,
PMTR-96490

Routing

The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios.

PRJ-49961,
PMTR-95764

Routing

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

PRJ-49236,
PMTR-94838

Routing

When one of the multiple PIM neighbors goes down on the LAN, there may be outages in multicast traffic.

PRJ-45127,
PMTR-89945

VPN

Back connection does not function on the Statically NATed Office Mode address as expected.

PRJ-47243,
PRJ-45838

VPN

IKEv2 tunnels may not synchronize during a Multi-Version Cluster (MVC) upgrade from R80.40, leading to a VPN outage during an upgrade.

PRJ-46251,
PRHF-28718

VPN

The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857.

PRJ-42958,
PRHF-26612

VPN

When SCV is enabled, Capsule Connect/ Capsule VPN clients may fail to access internal resources.

PRJ-49650,
PRJ-49485

VPN

VPN connectivity may be unstable when IPv6 and VPN star communities are configured.

PRJ-47877,
PRHF-29650

Multi-Portal

The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication.

PRJ-50312,
PMTR-96307

Multi-Portal

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

PRJ-50954,
PRHF-30747

VSX

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router.

PRJ-44268,
PMTR-86105

VSX

Virtual System context may not be handled correctly by CPView, for example, the same interfaces may be listed on all virtual systems.

PRJ-47398,
PRHF-29485

VSX

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

PRJ-47796,
PRHF-29709

VSX

A memory leak may occur in the CPD process.

PRJ-48830,
PRHF-29729

VSX

In some scenarios, the VXLAN Driver Kernel may crash.

PRJ-46020,
PRHF-28611

Gaia OS

The SNMPD process memory consumption may be high, which causes the process to become unresponsive.

PRJ-46971,
PRHF-29232

Gaia OS

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

PRJ-43044,
PRHF-26539

Harmony Endpoint

E2 engine may send an incorrect value of datDate in sync request.

PRJ-41089,

PRHF-23636

Harmony Endpoint

When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers.

PRJ-51096,
PRHF-30734

Harmony Endpoint

Due to a synchronization issue between the Policy Server and Primary Server, the Endpoint clients may be connected to the Primary Server instead of the Policy Server.

PRJ-47899,
PRHF-29630

CloudGuard Network

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

PRJ-47734,
PRHF-29654

CloudGuard Network

After an upgrade, Azure Gov mapping may fail.

PRJ-50345,
MBS-17829

Scalable Platforms

When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash.

PRJ-49466,
PRHF-30344

Scalable Platforms

On a Security Group with MDPS enabled:

  • The "asg perf" command on a Security Group does not show any output - the Gaia OS prompt appears immediately after entering the command and pressing the Enter key.

  • When running the "mac_verifier" and other commands on a Security Group, the output may show the error message "mount of /sys failed: device or resource busy".

  • The "distutil verify -v" command on a Security Group returns "verification failed".

After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane.

See sk182076.

PRJ-50347,
MBS-17803

Scalable Platforms

In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash.

PRJ-46574,
PMTR-92205

Scalable Platforms

In a Maestro environment, LACP bond slaves may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and slaves is significantly high.

PRJ-47372,
PRJ-46817

Scalable Platforms

  • If member ID 1 is removed and then re-added to the Security Group on the active site, while there are two or more active members, it may result in a matrix mismatch. This can potentially lead to traffic interruption until member ID 1 becomes active again.

  • Similarly, installing Jumbo Hotfix Accumulator when member 1 is absent may result in the same behavior and Jumbo Hotfix Accumulator installation may be blocked.

PRJ-50746,
PRHF-30416

Scalable Platforms

Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data.

PRJ-49069

Scalable Platforms

If multiple Quantum LightSpeed interfaces are added or removed on a bond interface before rebooting the Security Gateway, traffic may not go through.

PRJ-48723,
PMTR-67380

Scalable Platforms

When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only.

PRJ-48929,
PMTR-92547

Scalable Platforms

Connectivity issues may occur in a Maestro Security Group when VLAN encapsulation is disabled on Orchestrators in a Maestro Dual Site environment. Refer to sk181385.

PRJ-40755,
PMTR-85465

Scalable Platforms

Additional reboot is performed when adding a new member to a Security Group with image clone enabled.

PRJ-44500,
PRHF-27538

Scalable Platforms

Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file.

PRJ-48987,
PMTR-94987

Scalable Platforms

The Security Gateway may lose connectivity to Maestro Hyperscale Orchestrator (MHO) when running the "tcpdump -i any" command.

PRJ-48852,
PMTR-94227

Scalable Platforms

In a Maestro Orchestrator environment, the "orch_stat -p" command may bring the "invalid literal for int() with base 10" error message.

PRJ-45520,
PMTR-94794

Scalable Platforms

Reboot may take a long time.

PRJ-46647,
PMTR-74779

Scalable Platforms

In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW).

Take 130

Released on 18 December 2023 and declared as Recommended on 25 December 2023

PRJ-50417,

PRHF-30748

CloudGuard Network

UPDATE: The automatic scanning of NSX-T IP ranges feature is now disabled by default. Refer to sk181614.

See the Important Notes section.

PRJ-51598,

SMB-16203

Security Management

In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803.

Take 129

Released on 13 November 2023 and declared as Recommended on 3 December 2023

PRJ-50898,

PRHF-31187

Security Gateway

A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security.

Take 128

Released on 6 November 2023

PRJ-49938,

PRJ-49979

Security Management

UPDATE: Removed a redundant rule-assistant.war package.

PRJ-49824,

PMTR-95347

Security Management

UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22.

PRJ-49695,

PMTR-96310

Security Management

UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3.

PRJ-49786,

PMTR-95614

Security Management

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

PRJ-49891,

PMTR-95687

Security Management

UPDATE: Removed a redundant guava package.

PRJ-50264,

PRJ-49965,

PRJ-49011,

ODU-1137,

ODU-1256,

ODU-1304

Web SmartConsole

UPDATE: New features and improvements are released in Take 81, Take 85, Take 88 and Take 90 via self-updatable package. Refer to sk170314.

PRJ-49108,

PMTR-94517

SmartConsole

UPDATE: Applied security related improvements to the Jetty open source library.

PRJ-50325,

PRJ-50324,

PRJ-50124,
ODU-1328,

ODU-1217

CPView

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-50042,
ODU-1264

CPView

UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458.

PRJ-50092,

PRHF-30702

Security Gateway

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

PRJ-49493,
ODU-1170

Threat Prevention

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-49745,

PMTR-95099

Mobile Access

UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default.

PRJ-49937,

PRJ-49936

Harmony Endpoint

UPDATE: Upgraded symmetricDS to the 3.14.9 version.

PRJ-45980,
ODU-1154

Scalable Platforms

UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-50542,
ODU-1113

HCP

UPDATE: Added Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-48878,
PRHF-29542

Security Management

  • Running a Gaia API command on a Security Gateway using Management API from the Multi-Domain Security Management Server fails.

  • Running a Gaia API command on a Security Gateway using Management API from the Security Management Server fails if the Security Gateway certificate was not recreated.

PRJ-49204,
PRHF-30319

Security Management

  • When updating Inline Access Layers, Threat Exceptions, and HTTPS Inspection (TLS) rules, the "Policy Name" field in the Audit Log may be incorrect.

  • The "Where used" operation fails for users with read-only permissions.

Refer to sk181471. See the Important Notes section.

PRJ-50082,

PMTR-96031

Threat Prevention

In rare scenarios, the FW1 process may stop working when at least one of these features is enabled:

  • Anti-Virus deep scan

  • Threat Emulation

  • Threat Extraction

  • Application Control

  • Data Loss Prevention

  • URL Filtering

PRJ-50190,

PMTR-96205

IPS

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

PRJ-50639,
PMTR-96893

ClusterXL

ARP requests sent with VMAC from the Standby member may cause MAC flapping.

See the Important Notes section.

PRJ-49905,
PMTR-95831

Routing

When BGP local address is configured, BGP peer may fail to establish.

See the Important Notes section.

PRJ-49653,
PMTR-95476

Scalable Platforms

In a Quantum Maestro / Scalable Chassis environment, there may be a delay during TCP start negotiation for fully accelerated connections, which are distributed asymmetrically. For example, C2S distribute to member 1_1 and S2C to member 1_2.

To maintain the original behavior (prior to R81.10 Jumbo Hotfix Take 128), follow these steps before starting the Jumbo Hotfix Accumulator upgrade:

  • Force the sticky behavior in the Correction Layer in the current session:

    g_fw ctl set int ccl_force_sticky 1

  • Force the sticky behavior in the Correction Layer permanently:

    g_update_conf_file fwkern.conf ccl_force_sticky=1

Refer to sk181464. See R80.20 SmartConsole Releases.

Take 113

Released on 6 September 2023

PRJ-47121,
PMTR-92660

Anti-Spam

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-48299,
PMTR-93298

SmartConsole

UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.

  • Requires installing SmartConsole Build 417 (or higher).

PRJ-48317,
ODU-1121

Web SmartConsole

UPDATE: New features and improvements are released in Take 81 via a self-updatable package. Refer to sk170314.

PRJ-46557,
PMTR-92206

Security Gateway

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

PRJ-44320,
PMTR-90945

Threat Prevention

UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable.

PRJ-44243,
PMTR-87141

Mobile Access

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

  • changes in the cloud service configuration,

  • stability improvement.

PRJ-46315,
PMTR-90870

ClusterXL

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically.

PRJ-47677,
PMTR-88036

VPN

UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN.

PRJ-44280,
PMTR-86206

VSX

UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode.

PRJ-48339,
ODU-1081

CloudGuard Network

UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-45727,
PMTR-91551

Harmony Endpoint

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

PRJ-45771,
PMTR-90618

Scalable Platforms

UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

PRJ-48196,
PMTR-91032

Scalable Platforms

UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway.

PRJ-48404,
ODU-1113

HCP

UPDATE: Added Update 13 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-45988,
PRHF-28558

Security Management

Deleting a Domain that is connected to an AD Group fails.

PRJ-44472,
PRHF-27659

Security Management

Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message.

PRJ-46731,
PRHF-28910

Security Management

In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397.

PRJ-46796,
PRHF-29116

Security Management

The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054.

PRJ-45440,
PRHF-28361

Security Management

In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787.

PRJ-46016,
PRHF-28592

Security Management

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

PRJ-47258,

PRJ-47235,
PRHF-29374,
PRHF-29423

Security Management

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

PRJ-41548,
PRHF-25551

Security Management

QoS policy cannot be installed if the policy package name contains a dot symbol.

PRJ-41244,
PRHF-25050

Security Management

When closing an application from SmartConsole without changes, a redundant revision is created.

PRJ-44987,
PRHF-28001

Security Management

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

PRJ-46003,
PRHF-28590

Security Management

Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object.

PRJ-45799,
PRHF-28187

Security Management

Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report.

PRJ-41460,
PRHF-24486

Security Management

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

PRJ-47011,
PRHF-29254

Security Management

The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>".

PRJ-47050,
PRHF-29196

Security Management

In rare scenarios. in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-45782,
PRHF-27471

Security Management

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

PRJ-47046,
PRHF-29104

Security Management

In rare scenarios, after an upgrade, the Security Management Server may fail to start.

PRJ-47042,
PRHF-29223

Security Management

When using the RADIUS username for authentication, login to SmartConsole may fail.

PRJ-45034,
PRHF-27706

Security Management

Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-46782,
PRHF-28958

Security Management

In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install.

PRJ-47169,
PRHF-29222

Security Management

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

PRJ-46699,
PRHF-24917

Security Management

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

PRJ-40589,
PRHF-85028

SmartConsole

SmartConsole may crash while checking for updates.

  • Requires installing SmartConsole Build 417 (or higher).

PRJ-47469,
PMTR-92958

CPUSE

Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation.

PRJ-45040,
PRHF-28139

Logging

The "Low disk space" warning may be incorrectly displayed in SmartConsole.

PRJ-41167,
PRHF-25147

Logging

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

PRJ-44207,
PRHF-27544

Logging

Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields.

PRJ-45324,
PMTR-79944

Logging

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

PRJ-39450,
SL-6793

Logging

The Logs view may show a "Failed to read record number" message.

PRJ-46840,
PRHF-29149

Logging

In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail.

PRJ-44115,
PRHF-5571

Security Gateway

High CPU is consumed when there are many rules with apps in the Access Rule Base. Refer to sk181264.

PRJ-47889,
PMTR-80974

Security Gateway

When enabling Management Data Plane Separation (MDPS) in Clish, a "Failed to commit the transaction on database" error message may be displayed.

PRJ-44618,
PRHF-27190

Security Gateway

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

PRJ-44189,
PRHF-25647

Security Gateway

The Security Gateway may crash due to a memory issue.

PRJ-47558,
PRHF-29583

Security Gateway

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

PRJ-47325,
PMTR-75350

Security Gateway

Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade.

PRJ-46377,
PMTR-84794

Security Gateway

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

PRJ-45343,
PRHF-28058

Security Gateway

When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route.

PRJ-47602,
PRHF-29572

Internal CA

In rare scenarios, ICA certificate creation and enrollment fail.

PRJ-43727,
PMTR-89275

Threat Prevention

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

PRJ-48191,
PRHF-29760

Threat Prevention

Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters.

PRJ-46837,
PMTR-92384

Threat Prevention

When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake.

PRJ-44691,
PRHF-27890

Threat Prevention

In some scenarios, the Security Gateway fails to export or import IoC feeds.

PRJ-44766,
PRHF-27722

Threat Prevention

Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway.

PRJ-46117,
PMTR-91889

Threat Emulation

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance.

PRJ-47749,
PRJ-47646

IPS

In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex.

PRJ-45836,
TPP-3445

Anti-Virus

DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy.

PRJ-47784,
PRHF-29581

Anti-Virus

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

PRJ-47182,
PRHF-29248

SSL Inspection

The Security Gateway may fail to enforce certificate blacklisting.

PRJ-47203,
PRHF-29309

Mobile Access

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

PRJ-47107,
PRHF-29247

Mobile Access

It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155.

PRJ-45198,
PRHF-28013

ClusterXL

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

PRJ-44275,
PRHF-27346

ClusterXL

A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531.

PRJ-44773,
PMTR-70190

SecureXL

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

PRJ-43639,
PMTR-89506

SecureXL

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

PRJ-47487,
PMTR-93015

Routing

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

PRJ-43248,
ROUT-2018

Routing

Traffic may be dropped when there are many OSPF routes of type 5.

PRJ-47940,
PMTR-93492

Routing

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

PRJ-48117,
PRHF-29848

Routing

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

PRJ-47801,
PRHF-29662

Routing

When a BFD session is added or removed, disabled sessions may incorrectly come up.

PRJ-41794,
ROUT-2195

Routing

Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic.

PRJ-44956,
PMTR-90731

VPN

A potential leak in VPN tunnels in a Multi-Version Cluster.

PRJ-41391,
PMTR-86796

VPN

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

PRJ-47492,
PRHF-28831

VPN

Potential VPN outage during policy installation.

PRJ-42939,
PRHF-25665

VPN

Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##".

PRJ-47837,
PRHF-29698

VSX

In a rare scenario, affinity configuration on VSX may fail.

PRJ-44300,
PMTR-90180

VSX

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

PRJ-43878,
PMTR-87205

VSX

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

PRJ-49350,
PRHF-30364

VSX

In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823.

PRJ-46275,
PRHF-28848

Gaia OS

When changing bond settings, the bond may be missing the global IPv6 Address.

PRJ-47773,
PRHF-28671

Gaia OS

Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485.

PRJ-41337,
PRHF-25164

Harmony Endpoint

When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll"error.

PRJ-43571,
PRHF-27125

Harmony Endpoint

After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to “None”. And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed.

PRJ-46031,
PRHF-22912

Harmony Endpoint

Because of a rare race condition, AD scanners may get stuck in the initializing state with "ERROR ajp-nio2-127.0.0.1-8009-exec-96 - Failed to enumerate scanner instances for SF-DC2.mapro.cat, scanner instance788b7398-5a79-91fb-6f68-137813a5556e (UsmDSConfigResponder)java.lang.NumberFormatException".

PRJ-47055,
EPS-51960

Harmony Endpoint

Some devices added to a Virtual Group from the SmartEndpoint Reporting tab do not receive the assigned policy.

PRJ-42633,
PRHF-26426

Harmony Endpoint

After an Endpoint Security client is uninstalled via a push operation, there is no indication in the Asset Management that the client is successfully removed (only if it is inactive for more than 30 days, then it is deleted from the Server database). Although it should be immediately shown as non-active.

PRJ-46802,
PRHF-28984

Harmony Endpoint

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

PRJ-48256,
PRHF-25142

Harmony Endpoint

The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package.

PRJ-43609,
PRHF-27033

VoIP

SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter).

PRJ-47640,
PRHF-29629

Scalable Platforms

In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log.

PRJ-45233,
PRHF-24217

Scalable Platforms

The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921.

PRJ-48212,
PMTR-93744

Scalable Platforms

In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail.

PRJ-49111

Scalable Platforms

After adding a new Security Group Member to a Security Group with the default shell /bin/gclish, the status of the new Security Group Member is "Down" with a Critical Device "image_clone" pnote.

PRJ-47865,

ACCHA-3317

Scalable Platforms

Accessing the SMO WebUI and performing configuration changes may fail with the "Error in acquiring buffer of member info (-1)" error."

Take 110

Released on 30 July 2023 and declared as Recommended on 29 August 2023

PRJ-44422,
ACCESS-458

Security Management

NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository.

PRJ-43521,
PMTR-89420

Security Management

NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs .

For example:

  • mgmt_cli add access-section layer "Network" position 1 name "New Section 1" tags mytag

  • mgmt_cli add access-rule layer "Network" position 1 name "Rule 1" tags mytag

PRJ-44326,
PMTR-90221

Security Management

NEW: Added a new Management API "mgmt_cli show ha-status". It provides synchronization information for the currently active domain.

  • When running the command from the Active Domain in the local/Global Domain, it retrieves details about the synchronization status of the other standby peers and the overall synchronization status for the Domain.

  • When running the command from the system Domain, it only displays the general synchronization status, as all peers are active.

PRJ-44494,
MBS-14158

Scalable Platforms

NEW: Added support for the 25Gbps speed on Maestro Orchestrator ports.

PRJ-45678,
PRJ-45679

CloudGuard Network

NEW: CloudGuard Controller for NSX-T

  • Starting from NSX-T 4.0.0.x and higher, Manager Mode APIs are deprecated, it is recommended to use Policy Mode.

  • Import NSX-T Tags (NSgroups and VMs) is now supported.

  • Import NSX-T Virtual Machine objects is now supported.

Note: Importing Virtual Machines can be enabled only using Policy Mode APIs. When enabled, the amount of API requests toward the NSX-T manager increased.

PRJ-46242,
PMTR-86894

Security Management

UPDATE: A Security Management Server/Domain Management Server can now manage up to 400 Security Gateways / Clusters, allowing concurrent policy installation on all Security Gateways / Clusters at once.

PRJ-45295,
PMTR-86221

Security Management

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

PRJ-45490,
PRHF-28303

Security Management

UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster).

PRJ-44502,
PMTR-88484

Security Management

UPDATE: Significantly improved performance during upgrade and import for large Multi-Domain Security Management environments with many administrators (over 20 domains and over 100 global administrators).

  • Requires installing Upgrade Tools package 996000482 and higher.

PRJ-45203,

ODU-843

Web SmartConsole

UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314.

PRJ-45891,
PRHF-28332

Security Gateway

UPDATE: Added a new environment variable "IMPLIED_RULES_SET_BEFORE_LAST". It defines if Multi-Portal implied rules should be matched as "before drop" or "before last". The default value is "0", set to "before drop". When the value is set to "1", implied rules will be matched as "before last". Refer to sk180808.

PRJ-44774,
PMTR-85896

Security Gateway

UPDATE: The Thread Blocker feature is now disabled by default. Refer to sk180437.

PRJ-44436,
PMTR-89908

ClusterXL

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

PRJ-44952,
PRHF-28082

IPS

UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.

PRJ-35986,
PMTR-69155

SSL Inspection

UPDATE: Major performance improvement in HTTPS Inspection of TLS 1.3.

PRJ-45462,
PRJ-46431,
ODU-890,
ODU-898

Threat Prevention

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-46941,
TPP-3290

Threat Prevention

UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses.

PRJ-45472,
ODU-827

CPView

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

PRJ-45465,
ODU-835

CPView

UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-46916,
PMTR-80877

VPN

UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL.

PRJ-47226,
PMTR-92606

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427.

PRJ-47512,
PMTR-93037

GaiaOS

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

  • To see the current state of this feature: show audit login-notifier

  • To enable this feature (this is the default): set audit login-notifier on

  • To disable this feature: set audit login-notifier off

PRJ-44761,
PRHF-27893

Gaia OS

UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined.

PRJ-32167,
MBS-14572

Scalable Platforms

UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).

PRJ-45907,
ODU-946

Scalable Platforms

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-44907,
PMTR-89393

Scalable Platforms

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

PRJ-44901,
PMTR-85311

Scalable Platforms

UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log.

PRJ-45388,
ODU-914

HCP

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-41328,
PRHF-25274

Security Management

If the Security Management Server is behind NAT, remote Management API login fails.

PRJ-43559,
PRHF-26971,
PRJ-45050,
PRHF-27847,
PRJ-42548,
PRHF-26016

Security Management

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

PRJ-45158,
PRHF-28175

Security Management

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

PRJ-45487,
PRHF-21566

Security Management

In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation".

PRJ-42039,
PRHF-25898

Security Management

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

PRJ-43568,
PRHF-27059

Security Management

After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail.

PRJ-42422,
PRHF-26275

Security Management

In some scenarios, an upgrade may fail when a Network object Group contains more than 32000 members.

PRJ-44085,
PRHF-27440

Security Management

Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514.

PRJ-43186,
PRHF-26778

Security Management

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

PRJ-42552,
PRHF-26118

Security Management

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

PRJ-45873,
PRHF-28640

Security Management

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

PRJ-43811,
PRHF-27187

Security Management

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

PRJ-42620,
PRHF-26287

Security Management

When using the "Deployment from Local Paths and URLs" option, and inserting a correct path, the client is being deployed through the Management Server and not Locally as it should be deployed.

PRJ-35494,
PRHF-21009

Security Management

The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted.

PRJ-43916,
PMTR-83586

Security Management

In the Object Explorer window in SmartConsole, the IP address column is sorted alphabetically, although it should be sorted in numerical order.

PRJ-40128,
PRHF-24236

Security Management

When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes.

PRJ-46629,
PMTR-92240

Security Management

In the Infinity Services view, the Log Sharing status may not be correct.

PRJ-44595,
PMTR-89845

Security Management

When adding/setting an access rule, setting certain fields to "Any" or "None" may fail because of case sensitivity.

PRJ-44591,
PMTR-89373

Security Management

The "show object" command fails when running it on nat-section objects. It returns a "null pointer exception" message, which occurs in calculations related to the overview objects meta-info.

PRJ-44593,
PMTR-89770

Security Management

In some scenarios, running the "delete-exception-group" Management API command fails if the exception group is automatically attached.

PRJ-43266,
PRHF-26404

Security Management

When creating several LSM objects (Security Gateways or clusters) via both Management API and SmartConsole, the LSM objects IP addresses may be duplicated.

PRJ-46131,
PMTR-71041

Security Management

A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway.

PRJ-35765,
PRHF-22024

Security Management

In some scenarios, the "show-packages" Management API command may return empty results when using the "domains-to-process" flag.

PRJ-45877,
PRHF-28654

Security Management

If an empty Network Group is linked in the source or destination fields of an Access Rule, policy verification may not generate an error. Instead, it may treat the empty group as if there was an "Any" object.

PRJ-44896,
PRHF-27875

Security Management

Policy installation gets stuck if the known proxy group contains the policy target.

PRJ-46398,
PRJ-46407,
PRHF-28962

Security Management

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-44995,
PRHF-27895

Security Management

In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out.

PRJ-45654,
PRHF-28407

Security Management

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

PRJ-39775,
PRHF-24049

Security Management

Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command.

PRJ-45054,
PRHF-27948

Multi-Domain Security Management

In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked.

PRJ-43689,
PRHF-27130

Multi-Domain Security Management

Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain's policy.

PRJ-45060,
PRHF-28094

Multi-Domain Security Management

In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858.

PRJ-46087,
PRHF-28685

Multi-Domain Security Management

A scheduled Install Policy Preset may not have its next run time updated when:

  • The Multi-Domain Security Management Server was down while the preset was scheduled to run

  • There are over 50 presets defined

PRJ-46104,
PRHF-28809

Multi-Domain Security Management

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

PRJ-40738,
PRHF-24558

Multi-Domain Security Management

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

PRJ-44968,
PRHF-28002

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages.

PRJ-45068,
PRJ-46162,
PRHF-28192,
PRHF-28143

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-46509,
PRHF-28930

SmartConsole

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

PRJ-43598,
PRHF-27209

SmartConsole

Typo in the Compliance report - "OSFP" instead of "OSPF".

PRJ-41666,
PRHF-25662

Logging

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

PRJ-39255,
PRHF-23374

Logging

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

PRJ-41594,
PRHF-25533

Logging

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

PRJ-45606,
PMTR-90654

Logging

In some scenarios, in the Logs view, the "Destination" field may be missing. The issue is cosmetic only.

PRJ-46073,
PRHF-28787

Logging

After an upgrade of the Security Management Server, the "cp_log_export show" command may return the "found an ambiguous value" error in the "export_log_position" field.

PRJ-45417,
PRHF-28191

Logging

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

PRJ-41281,
PRHF-14263

Logging

In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached.

PRJ-38480,
SL-6728

Logging

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

PRJ-46053,
PRHF-28455

Security Gateway

The Security Gateway may crash while inspecting non-HTTP traffic.

PRJ-46340,
PRHF-28674

Security Gateway

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

PRJ-46334,
PRHF-28842

Security Gateway

The Security Gateway may crash after a failure in policy installation.

PRJ-45496,
PRHF-28324

Security Gateway

On the Security Gateway with Management Data Plane Separation (MDPS) enabled:

  • when adding a RADIUS Server from WebUI, a new MDPS task with the IP address of the Server may not be added,

  • when deleting a RADIUS Server, the MDPS task may not be deleted.

PRJ-44937,
PMTR-86007

Security Gateway

When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur.

PRJ-38111,
PRHF-22608

Security Gateway

In some scenarios, the Security Gateway may crash.

PRJ-45803,
PRHF-28559

Security Gateway

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

PRJ-42530,
PRHF-25233

Security Gateway

In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart.

PRJ-44855,
PRHF-27465

Security Gateway

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

PRJ-45483,
PRHF-27892

Security Gateway

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

PRJ-47123,
PRHF-29292

Security Gateway

In some scenarios, after an upgrade, the FWD process may unexpectedly exit.

PRJ-43856,
PMTR-83014

Security Gateway

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

PRJ-44407,
PMTR-90258

Security Gateway

Global tables (ghtab) may not be synchronized between members, this can lead to instability of traffic.

PRJ-47148,
PMTR-92710

Security Gateway

Enlarging MTU may cause even small packets to be allocated as Jumbo frames. This will impact the performance of SNDs CPUs.

PRJ-46113,
PRHF-28489

Security Gateway

In rare scenarios, the Security Gateway may drop the traffic after "Rulebase Internal Error" which occurs during policy installation.

PRJ-33812,
PRHF-12636

Security Gateway

The FWK process may unexpectedly exit while processing the mail flow and generate a core dump.

PRJ-45955,
PMTR-83450

Security Gateway

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

PRJ-41967,
PRHF-25829

Security Gateway

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

PRJ-44311,
PRHF-27439

Security Gateway

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

PRJ-46687,
PMTR-91240

Security Gateway

When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops.

PRJ-46138,
PRHF-28806

Security Gateway

The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032.

PRJ-45478,
PRHF-28350

Security Gateway

Security Gateway may crash when running kernel debugs of the "UP" module.

PRJ-44251,
PRHF-27426

Security Gateway

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

PRJ-45000,
PRHF-27844

Security Gateway

In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped.

PRJ-45186,
PMTR-90969

Security Gateway

Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705.

PRJ-42358,
PMTR-88174

Security Gateway

Latency in connection caused by a packet flow change from F2V to F2F.

PRJ-45397,
PRHF-28037

Security Gateway

Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801.

PRJ-45449,
PRHF-28277

Security Gateway

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

PRJ-44752,
PRHF-27707

Security Gateway

Policy installation may fail with "Error 2000240" because of an IPv6 flow issue.

PRJ-41776,
PRHF-25573

Threat Prevention

IoC feed may not load, and the "Feed status cybercrime-tracker_hash_list :: engine memory allocation error. Feed log External IoC - External Indicators processing failed" error is displayed in CLI.

PRJ-42147,
PRHF-26013

Threat Prevention

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

PRJ-44570,
PRHF-27749

Threat Prevention

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed ".

PRJ-44151,
PMTR-89916

Threat Prevention

In a rare scenario, policy installation may fail because of IoC observables overrides.

PRJ-44551,

PRHF-27765

Threat Prevention

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

PRJ-45562,
PRHF-21271

Threat Prevention

In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail.

PRJ-44200,

PMTR-89130

Threat Prevention

When IPS Blade is enabled, the Security Gateway may crash.

PRJ-39347,
PRHF-23473

Identity Awareness

There may be connectivity issues and high CPU spikes on PDP when installing policy.

PRJ-44316,
PRHF-27270

Content Awareness

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

PRJ-45428,
PRHF-28304

Application Control

Some TLS1.3 applications without SNI do not match the rules.

PRJ-47064,
PMTR-92599

Application Control

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

PRJ-29401,
PRHF-15953

Anti-Virus

The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries.

PRJ-46605,
PRHF-28851

Anti-Virus

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

PRJ-44664,
PMTR-90550

Anti-Virus

Anti-Virus Blade may bypass inspection of URLs with sub-domain portion.

PRJ-46279,
PRHF-28749

Anti-Virus

Importing a custom intelligence feed containing IP ranges may fail.

PRJ-47264,
PMTR-91800

SSL Inspection

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

PRJ-45657,
PRHF-28404

SSL Inspection

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

PRJ-45099

Mobile Access

SSL Network Extender (SNX) may randomly disconnect after an upgrade. Refer to sk173765.

PRJ-46402,
PRHF-28925

Mobile Access

Sending emails with attachments via Capsule Workspace may fail on iOS.

PRJ-45194,
PRHF-28182

Mobile Access

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

PRJ-46505,
PRHF-28936

ClusterXL

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

PRJ-41307,
PRHF-25160

ClusterXL

When interfaces disconnect/connect on both members at the same time, it may cause a failover.

PRJ-42771,
MBS-15783

ClusterXL

Asymmetric UDP traffic may be dropped with "First Packet isn´t Syn".

PRJ-45349,

PRHF-28275

ClusterXL

After an upgrade, cluster members may frequently crash, causing instability in the environment.

PRJ-44455,
PRHF-27561

ClusterXL

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

PRJ-44352,
PMTR-91017

ClusterXL

A VRRP cluster member may be stuck in boot after a cluster upgrade.

PRJ-45300,
PRHF-27633

SecureXL

When running tcpdump on the Multi-Domain Security Server, an "error /bin/cp-tcpdump.sh: line 11: sxlmode: command not found" message is shown. The issue is cosmetic only.

PRJ-44874,
PRHF-27540

SecureXL

Traffic may be dropped and the FWACCEL core file is generated.

PRJ-45833,
PMTR-82733

Routing

The ROUTED daemon may unexpectedly exit because of multi-threading issues.

PRJ-41963,
MBS-16158

Routing

Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear.

PRJ-46358,
PMTR-73657

Routing

Routes marked as "stale" may be redistributed via BGP during graceful restart.

PRJ-45260,
PMTR-81608

Routing

When configuring OSPFv2 graceful restart on ClusterXL, the cluster may get stuck in EXSTART / 2WAY state.

PRJ-46095,
ROUT-1702

Routing

BGP state gets stuck in Idle state when using BGP ping to one of the peers.

PRJ-46132,
ROUT-2838

Routing

When two interfaces with the same local address are configured, BGP may use an incorrect interface to reach a peer.

PRJ-46128,
ROUT-2801

Routing

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

PRJ-41960,
MBS-16159

Routing

In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group.

PRJ-41798,
PMTR-87520

Routing

Configuring OSPFv2 Graceful Restart and passive OSPF interfaces at the same time can cause graceful restart failures.

PRJ-44924,
PMTR-90799

Routing

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

PRJ-45379,
PRHF-26701

Routing

A VRRP/VRRP6 interface may go into Master/Master state.

PRJ-44705,
PRHF-27225

Routing

Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table.

PRJ-44709,
PRHF-27240

Routing

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

PRJ-45468,

PRHF-28353

VPN

StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method.

PRJ-44829,
PRHF-27569,

PRJ-44991,
PRHF-28061,

PRJ-46302,

PRHF-28849

VPN

  • Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

  • OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

  • Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

PRJ-44218,
PRHF-27548

VPN

The "vpn/ike debug ikeon/ikefail" commands may fail when used with the "-s" flag.

PRJ-45919,
PRHF-28589

VPN

The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation.

PRJ-44089,
PRHF-27224

VSX

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

PRJ-45401,
PRHF-28365

VSX

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

PRJ-41970,
PRHF-25866

VSX

Increasing the MTU value of a bonded tagged interface may not be possible. Refer to sk179984.

PRJ-44745,
PMTR-90616

VSX

Virtual System's interfaces may be missing when running the Clish command "show/save configuration".

PRJ-45005,
PRHF-28080

VSX

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

PRJ-45145,
PRHF-28154

VSX

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

PRJ-45863,
PMTR-91668

Gaia OS

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

PRJ-29906,
PMTR-72562

Gaia OS

It may be not possible to enter a snapshot description with more than one word.

PRJ-33093,
PMTR-72381

Gaia OS

In some scenarios, the output of the "show configuration"/"snapshot-scheduled" command may contain corrupted text.

PRJ-28434,
PRHF-18469

Gaia OS

Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment.

PRJ-42779,
PRHF-26416

Gaia OS

Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection".

PRJ-41909,
PRHF-25737

Gaia OS

Gaia WebUI logs are printed with "info" severity.

PRJ-44370,
PRHF-27627

Gaia OS

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

PRJ-46285,
EPS-51347

Harmony Endpoint

Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device.

PRJ-46947,
PRHF-29014

Harmony Endpoint

KAV updater on the Server may fail to receive updates when proxy is used.

PRJ-45540,
PRHF-27987

CloudGuard Network

AWS Data Center mapping fails when an interface subnet is missing from the list of subnets.

PRJ-32399,
PRHF-19493

VoIP

After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

PRJ-46475,
PMTR-90803

VoIP

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

PRJ-42263,
ACCHA-2021

Scalable Platforms

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

PRJ-42617,
PMTR-76837

Scalable Platforms

The FW process may unexpectedly exit, producing a core dump file.

PRJ-32730,
PMTR-72467

Scalable Platforms

When there is a connectivity issue in the cluster, OSPF packets may be sent with delays and cause an outage.

PRJ-44528,
PMTR-78822

Scalable Platforms

License is not copied from SMO to all other members if other members are in Down state.

PRJ-36345,
PMTR-78466

Scalable Platforms

Redundant reboot occurs after installing R81/R81.10 Jumbo Hotfix Accumulator for the first time after a major version installation/upgrade. Refer to sk177765.

PRJ-44587,
PRJ-44548

Scalable Platforms

The "orch_info" command may freeze, when running it on Maestro Orchestrator.

PRJ-41249,
PMTR-70296

Scalable Platforms

Trying to power off the MHO in CLI may lead to a reboot.

PRJ-45480,
PMTR-91555

Scalable Platforms

Querying the HW status via SNMP (OIDs .1.3.6.1.4.1.2620.1.6.7.*) or via the "cpstat os -f sensors" command may fail on Maestro Orchestrator.

PRJ-45301,
PRHF-28238

Scalable Platforms

In rare scenarios, the Single Management Object (SMO) may go to Down state after clicking a packet capture link in the IPS log in SmartConsole.

PRJ-42785,
PMTR-82764

Scalable Platforms

Members may stay in Down state after reboot/Jumbo Hotfix installation with pull_config pnote when pulling registry from SMO: "Pull registry failed" error in the $FWDIR/log/Blade_config log file.

PRJ-43815,
PMTR-89604

Scalable Platforms

CPUSE may suggest to install Maestro incompatible packages.

PRJ-46968

Scalable Platforms

On Maestro, when MDPS (Management Data Plane Separation) is enabled, and the license corresponds to an IP address different from the management interface's IP address (such as the sync IP), policy installation may fail because of a license mismatch.

PRJ-47053,
PMTR-92636

Scalable Platforms

MHO reports logs may not be rotated.

PRJ-44287,
PMTR-88429

Scalable Platforms

The "set/show trace" command may fail in gClish.

PRJ-45885,
PMTR-90935

Scalable Platforms

In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System.

PRJ-46645,
PRHF-28694

Carrier Security

Incorrect parsing of GTP-U traffic may cause anti-spoofing drops.

PRJ-43224,
CST-316

Carrier Security

Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507.

PRJ-43220,
CST-312

Carrier Security

Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506.

PRJ-46676,
PRJ-46682,
PRHF-29045,
PRHF-28963,

PRJ-46679,
PRHF-28973

Carrier Security

After an upgrade, GTP traffic and memory issues may occur.

PRJ-46673,
PRHF-28770

Carrier Security

Packet corruption, leading to traffic and performance issues.

PRJ-44602,
PMTR-86732

Carrier Security

Stack buffer overflow may occur in the FWGTP process.

Take 109

Released on 17 July 2023 and declared as Recommended on 23 July 2023

PRJ-47745

Scalable Platforms

Uninstalling Jumbo Hotfix Take 106/107 on Maestro Orchestrator (MHO) may cause an outage.

See the Important Notes section.

Take 107

Released on 28 June 2023

PRJ-47102,
PRHF-29329

Security Management

Policy installation may fail with "Target is not defined in the database" error when the target name has many underscore or dash characters.

See the Important Notes section.

Take 106

Released on 8 June 2023

PRJ-45900,
MBS-17283

Scalable Platforms

NEW: Added support for LightSpeed acceleration on Scalable Platforms appliances MLS-200, MLS-400 and QLS-250 and QLS-450.

PRJ-40966,
PMTR-85571

Scalable Platforms

UPDATE: Switching between User/Kernel mode on Scalable Platforms can now be done using "cpconfig" . Reboot of the Security Group members is performed after the confirmation.

PRJ-46857

Multi-Domain Security Management

After an upgrade to R81.10 Take 95, policy installation from a Domain Security Management Server on R81.20 Security Gateways may fail with "Policy installation is not supported for the target". Refer to sk181048.

PRJ-45592,
PRHF-28286

SmartConsole

In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to a Threat Prevention policy "Install On" column, no Security Gateway objects appear. Refer to sk180964.

PRJ-44451,
PRHF-27276

SmartConsole

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

PRJ-43171

CPUSE

When working in a Scalable Platforms environment, a member may get in a bootloop. The issue occurs after the consequent upgrade of this member to R81.10, Deployment Agent (DA) update and enabling image auto cloning.

PRJ-46294,
PRHF-28702

VPN

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

PRJ-45789,
PRJ-42015

CloudGuard Network

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

PRJ-45975,
PRHF-28696

CloudGuard Network

After an upgrade to Take 75, importing Azure Private Endpoints, Application Security Groups or AWS Load balancer tags may fail.

PRJ-46854,
PRJ-46859

Scalable Platforms

User Space Mode (UPPAK) is not supported on Maestro Security Gateways with enabled Management Data Plane Separation (MDPS).

Take 95

Released on 13 April 2023 and declared as Recommended on 15 May 2023

PRJ-42693,
PMTR-88560

Security Management

NEW: Added ability to run the "verify-policy" Management API command on a private session with unpublished changes.

PRJ-45365,
PMTR-90420

Security Management

NEW:

  • Added support for 1595 Slim Ruggedized appliances.

  • Added support for 1535 / 1555, 1575 / 1595 Quantum Spark Pro appliances.

PRJ-44576,
PMTR-90463

Internal CA

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

PRJ-44226,
PMTR-89589

Compliance

NEW: Compliance Blade is enhanced with 5 new Firewall Best Practices:

  • FW174 - Check that there are no Access Control rules that contain "Any" in the "Source" column and contain "Accept" or "Ask" in the "Action" column.

  • FW175 - Check that Access Control rules do not contain "Any" in "Destination", and "Accept" or "Ask" in "Action".

  • FW176 - Check that Access Control rules do not contain "Any" in "Services and Applications", and "Accept" or "Ask" in "Action".

  • FW177 - Check that there are no temporary Access Control rules (based on the "Name" column).

  • FW178 - Check that there are no temporary Access Control rules (based on the "Comments" column).

PRJ-42453,
PMTR-77024

HCP

NEW: HCP report is now available in WebUI. To access it, use the link: https://<Security Gateway IP address>/hcp.

PRJ-41010,
PRHF-24971

Security Management

UPDATE: Defining GUI Clients on the Log Server is now blocked. Defining GUI Clients is allowed only from the Security Management Server in Active mode.

PRJ-41201,
PRHF-24563

Security Gateway

UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).

  • To activate it, GNAT should be enabled. Also, in the fwkern.conf file, run "set fwx_force_random_nat_port_alloc=1",

  • To disable, run "set fwx_force_random_nat_port_alloc=0".

PRJ-43605,

PRHF-22566

SecureXL

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

PRJ-44610,
PMTR-90504

Threat Emulation

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

PRJ-43969,
PRHF-27306

VPN

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

  • To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

  • To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

PRJ-42404,
PMTR-87600

VSX

UPDATE: Added more logs related to Pushing VSX Configuration.

  • On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

  • On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

  • VSX Provisioning tool is now logged in the vpt_history.elg.

.

PRJ-43675,
PRHF-27227

Harmony Endpoint

UPDATE: Linux installations are now automatically added to "All Linux Desktops Virtual Group" in Harmony Endpoint. Refer to sk180430.

PRJ-45266,
PMTR-91124

GaiaOS

UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311.

PRJ-44639,
PMTR-90527

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

PRJ-43925,
PRHF-27357

CloudGuard Network

UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.10 Administration Guide > Configuration Parameters. This change prevents scenarios when CloudGuard Controller fails to connect to Cluster with MDPS enabled (sk180981).

PRJ-44355,
PRJ-44354

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region.

PRJ-40857,

MBS-14161

Scalable Platforms

UPDATE: Added Management Data Plane Separation (MDPS) support for Maestro Orchestrator and Chassis scalable platforms.

PRJ-45755,

PMTR-91592

Scalable Platforms

UPDATE: Enhanced the mechanism of Maestro Gateway leaving a Security Group.

PRJ-44629,

PMTR-90519

Security Management

There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder.

PRJ-44460,
PRHF-27327

Security Management

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

PRJ-39758,
PRHF-24058

Security Management

In some scenarios, exact search in the Object Explorer may not return the expected results.

PRJ-38358,
PRHF-23108

Security Management

After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results".

PRJ-42060,
PRHF-25730

Security Management

The "show objects" command returns all objects in Global Domain with any filter when "ip-only" flag is set to "true".

PRJ-44025,
PRHF-27405

Security Management

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

PRJ-43962,
PRHF-27308

Security Management

In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses.

PRJ-42084,
PRHF-25916

CPView

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

PRJ-43472

CPUSE

In some scenarios, the Task Progress bar is missing from SmartConsole during Jumbo Hotfix installation.

PRJ-44337,
PMTR-89535

CPView

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

PRJ-43393,
PRHF-26905

Logging

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

PRJ-44095,
PRHF-27460

Security Gateway

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to a BGP failure.

PRJ-36112,
PRHF-21819

Security Gateway

When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email.

PRJ-44920,
PRHF-27936

Security Gateway

After an upgrade to Take 79, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

PRJ-44232,
PRHF-27318

Security Gateway

After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore.

PRJ-42296,
PRHF-26094

Security Gateway

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

PRJ-42707,
PRHF-26247

Security Gateway

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

PRJ-43011,
PRHF-26600

Security Gateway

When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

PRJ-43886,
PRHF-26861

Security Gateway

In rare scenarios, the FWD process is stuck during policy installation.

PRJ-43839,
PRHF-27097

Security Gateway

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

PRJ-40878,
PMTR-85619

Security Gateway

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

PRJ-41564,
PRJ-41202

Security Gateway

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

PRJ-44081,
PRHF-26620

Security Gateway

In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated.

PRJ-41878,
PMTR-87372

Security Gateway

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

PRJ-43533,
PRHF-26097

Security Gateway

The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated.

PRJ-40472,
PMTR-84923

Threat Prevention

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

PRJ-41901,
PRHF-25811

Threat Prevention

IoC feed may not load because of a parsing issue with the IP address range indicator.

PRJ-44222,
PRHF-27358

Threat Prevention

In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled.

PRJ-42344,
PRHF-26221

Identity Awareness

During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659.

PRJ-42933,
PMTR-88806

Identity Awareness

The PDPD process may cause CPU spikes during cluster failover.

PRJ-43747,
PRHF-27158

Identity Awareness

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

PRJ-33065,
PRHF-20425

Identity Awareness

In a rare scenario, a wrong access role may be assigned to a user.

PRJ-43503,
PRHF-26475

Application Control

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

PRJ-44383,
PRHF-27645

Application Control

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

PRJ-43975,
PRHF-27284

URL Filtering

When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected.

PRJ-42714,
PRHF-26557

IPS

In a rare scenario, the Security Gateway may crash during an IPS package update.

PRJ-44180,
PMTR-89863

IPS

In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic.

PRJ-43583,
PRHF-27076

DLP

A memory leak may occur in the DLPU process.

PRJ-44009,
PMTR-89738

Anti-Virus

The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade.

PRJ-44291,
PRHF-27598

Mobile Access

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

PRJ-41413,
PRHF-25371

Mobile Access

Access to a web application that uses WebSocket protocol may not be possible.

PRJ-44131,
PMTR-89935

SecureXL

IPv6 template is not created when the connection is NATed.

PRJ-42781,
MBS-16193

SecureXL

After installing R81.10 Jumbo Hotfix Take 61 and higher, running the "tcpdump" command fails with the "/bin/cp-tcpdump.sh: line 14: /sbin/tcpdump: No such file or directory" error. Refer to sk180737.

PRJ-44677,
PRHF-27803

SecureXL

After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped.

PRJ-43983,
PMTR-89372

SecureXL

In a rare scenario, a CPAQ message sent during policy push does not have critical and can be dropped when the Security Gateway is busy.

PRJ-43922,
ROUT-2460

Routing

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

PRJ-44940,
PRHF-23766

Routing

After an update, multicast traffic may be dropped.

PRJ-43410,
PRHF-6347

Routing

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

PRJ-44372,
PMTR-88972

Routing

OSPF routes may not be redistributed after reboot.

PRJ-41331,
PRHF-25024

Routing

The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down.

PRJ-44259,
PRHF-27407

Routing

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

PRJ-44688,
ROUT-2353

Routing

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

PRJ-43827,
PRHF-27339

VPN

In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection, and the traffic might be dropped. Refer to sk180855.

PRJ-44285,
PRHF-16890

VPN

VPN endpoint users fail to login with ECDSA certificate.

PRJ-43386,
PRHF-27010

VPN

After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only.

PRJ-40284,
PRHF-24166,

PRJ-43713,
PRHF-27256

PRJ-42371,
PRHF-26116

VPN

  • NAT-T traffic may stop matching the implied rule after policy installation and is dropped with "IKE_NAT_TRAVERSAL Traffic Dropped from x.x.x.x to y.y.y.y" message in SmartLog.

  • VPND and IKED stability issues occur when loading newly created LDAP group objects.

Refer to sk180530.

PRJ-43550,
SDWANGW-1205

VPN

VPN stability issues.

PRJ-43195,
PRHF-26797

VPN

TCP traffic on port 34500 may be encrypted by VPN, although it should not.

PRJ-40913,
PRHF-24641

VPN

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

PRJ-44667,
PMTR-86522

VPN

When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output.

PRJ-44122,
PMTR-88803

VSX

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

PRJ-40034,
PRHF-24249

Gaia OS

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

PRJ-44238,
PRHF-27526

Gaia OS

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

PRJ-42220,
PRHF-25947

Gaia OS

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

PRJ-43986,
PRHF-27222

Gaia OS

The "lldpneighbors" Clish command may have a corrupted output.

PRJ-43563,
PRHF-27096

Gaia OS

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

PRJ-44347,
PRHF-26820

CloudGuard Network

The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

PRJ-43397,
PMTR-80399

CloudGuard Network

VPN Cluster stability issue when the peer is an Azure Security Gateway.

PRJ-43577,
PMTR-89444

CloudGuard Network

When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails.

PRJ-44478,
PMTR-90345

CloudGuard Network

Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started.

PRJ-44614,
PRHF-27502

VoIP

In rare scenarios, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

PRJ-44881,
PMTR-86526

Scalable Platforms

After an upgrade, local IPv6 traffic from Active members may fail.

PRJ-41941,
PMTR-87577

Scalable Platforms

When adding a new Virtual System and installing a policy, member state may change to Down.

PRJ-42677,
PRJ-42783

Scalable Platforms

Adding more than 250 VLANs on an Orchestrator MHO-175 Maestro Uplink interface causes intermittent traffic outages. Refer to sk180340.

PRJ-43383,
PMTR-76352

Scalable Platforms

The clock verifier test (clock_verifier -v) fails.

PRJ-43802,
PRJ-43803

Scalable Platforms

The "asg perf" command fails when running it with the "-vv" flag.

PRJ-39722,
PMTR-74779

Scalable Platforms

In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW).

PRJ-40400,
PRHF-24044

Carrier Security

GTP traffic may be dropped and tunnels are not registered in gtp_tunnels.

Take 94

Released on 29 March 2023 and declared as Recommended on 2 April 2023

PRJ-45511

Security Management

There is console access but no network connectivity after installing R81.10 Jumbo Hotfix Accumulator Take 93 on top of Blink image that includes Take 87. Refer to sk179799.

See the Important Notes section.

Take 93

Released on 5 March 2023

PRJ-43407,
PMTR-86687

Security Management

NEW: On-premises Security Management Server can now connect to Infinity Portal. This allows:

  • to run cloud services, managed in Infinity Portal, on the Security Management Server objects.

  • to see a unified log view of all Check Point products: on-premises and in the cloud.

  • to run Management APIs on the Security Management Server on-premises from any location through Infinity Portal.

Requires:

  1. R81.10 SmartConsole Build 410 (or higher).

  2. Web SmartConsole Take 76 (or higher)

PRJ-43895,
PMTR-89750

Security Gateway

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-43807,
PMTR-89699

Application Control,

URL Filtering

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days contract expiration to continue providing the best security value during the renewal process.

PRJ-44255,
PMTR-90165

Threat Extraction

NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-43910,
PMTR-89774

SmartView

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-42181,
PMTR-87948

IPS

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

PRJ-42658,
TPP-22802

IPS

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

PRJ-43723,
PMTR-82302

SSL Inspection

UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates.

PRJ-41419,
PMTR-87634

Security Management

UPDATE: Connecting a Quantum Security Management Server to Infinity Portal is now supported in the Full High Availability Cluster (when each cluster member has a Security Management Server and a Security Gateway).

PRJ-42306,
PRHF-25869

Security Management

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

PRJ-36635,
PRHF-22345

Security Management

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

PRJ-41619,
PMTR-87160

Security Management

UPDATE: To reduce policy installation time in large environments (that have many instances), policy can be installed in batches.

  • Each batch contains several instances that install the policy at the current iteration. By default, the batch size is set to "0" (off).

  • To enable it, run a CLI command "cpprod_util FwSetParam CP_INSTALL_POLICY_MT_LIMIT val" and set the value >0.

PRJ-44559,
PMTR-90438

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

PRJ-43613,
PRHF-26959

Gaia OS

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

PRJ-43049,
PRJ-43048

CloudGuard Network

UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions.

PRJ-43025,
PRJ-43026

CloudGuard Network

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

PRJ-42979,
MBS-16146

Scalable Platforms

UPDATE: Added support for monitoring hardware of Maestro Orchestrator MHO-175.

PRJ-43404,
PMTR-89295

Diagnostics

Skyline may not show any information. Refer to sk180748.

PRJ-40226,
PRHF-24308

Security Management

The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed.

PRJ-43340,
PMTR-89193

Security Management

In some scenarios, Audit logs may not be created when running remote API commands from Infinity Portal.

PRJ-41762,
PRHF-25381

Security Management

In some scenarios, the CME process fails to start.

PRJ-42110,
PRHF-25747

Security Management

The date of a policy configured with "accelerated installation" may not be updated in logs.

PRJ-42410,
PRHF-26108

Security Management

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

PRJ-43094,
PRHF-25895

Security Management

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

PRJ-42042,
PRHF-25899

Security Management

In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail.

PRJ-41892,
PRHF-25534

Security Management

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

PRJ-39746,
PRHF-24043

Security Management

Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure.

PRJ-43363,
PMTR-87860

Security Management

Editing a Global Assignment object using Ansible may fail.

PRJ-43317,
PMTR-87565

Security Management

In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed.

PRJ-43254,
PMTR-77168

Security Management

In some scenarios, the "api status" command shows that the Management API service is stopped.

PRJ-43312,
PMTR-88097

Security Management

The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base.

PRJ-43314,
PMTR-88093

Security Management

Running API commands with the "dereference-max-depth" parameter with value "0" may fail when the "Groups" field is in the reply.

PRJ-41928,
PRHF-25575

Security Management

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

PRJ-42049,
PRHF-25759

Multi-Domain Security Management

In rare scenarios in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-42302,
PRHF-25848

Multi-Domain Security Management

Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain.

PRJ-43201,
PMTR-86559

SmartProvisioning

Deleting an LSM Gateway via REST API does not revoke the device's VPN certificate.

PRJ-43589,
PMTR-89477

CPView

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

PRJ-42100,
PMTR-83780

CPView

CPView may not show some interfaces.

PRJ-33052,
PRHF-20237

Logging

The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803.

PRJ-39080,
PRHF-23629

Logging

After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable.

PRJ-39608,
PRHF-22919

Security Gateway

The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages.

PRJ-41018,
PRHF-24896

Security Gateway

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

PRJ-43705,
PRHF-27184

Security Gateway

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

PRJ-41495,
PRHF-24787

Security Gateway

Stability issues when ICAP client is active.

PRJ-43347,
PMTR-88981

Security Gateway

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

PRJ-38809,
PMTR-82347

Security Gateway

In a rare scenario, when QoS is enabled, the Security Gateway may crash.

PRJ-39801,
PRHF-23890

Security Gateway

After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash.

PRJ-40320,
PRHF-23658

Security Gateway

In rare scenarios, the FWK process can unexpectedly exit and cause an outage.

PRJ-42804,
PRHF-23758

Security Gateway

Stability issues when ICAP client is active.

PRJ-43554,
PRHF-26844

Security Gateway

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

PRJ-42944,
PRHF-26610

Security Gateway

When Anti-Spoofing is enabled, the Security Gateway may crash.

PRJ-41634,
PRHF-25363

Security Gateway

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

PRJ-36010,
PRHF-21529

Security Gateway

The Security Gateway may frequently crash with vmcore files, recording invalid context.

PRJ-42102,
PRHF-25657

Security Gateway

When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled.

PRJ-43528,
PMTR-89421

Security Gateway

In rare scenarios when ISP Redundancy feature is enabled, default route disappears after policy installation.

PRJ-42088,
PRHF-25938

Security Gateway

The "fw monitor" command output may contain "no packets left to merge" messages.

PRJ-42903,
PRHF-26659

Internal CA

The certificate in SmartConsole is shown as valid, although it is expired.

PRJ-41436,
PRHF-25382

Internal CA

When managing cloud Gateways, the FWM process memory usage may increase.

PRJ-38490,
PMTR-75246

Threat Prevention

In a rare scenario, the mal_conns table may consume a large amount of memory.

PRJ-42286,
PRHF-26079

Threat Prevention

The "ioc_feeds set interval -r" command may fail.

PRJ-41598,
PRHF-25439

Threat Prevention

Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value.

PRJ-32738,
PRHF-20234

Threat Prevention

After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml.

PRJ-42585,
PMTR-88424

Threat Prevention

When using a host with automatic static NAT in a Threat Prevention policy object, the object will not be enforced.

PRJ-42438,
PMTR-87619

Threat Prevention

Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file.

PRJ-37567,
AVIR-1428

Threat Prevention

When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue.

PRJ-41688,
PRJ-42223

Threat Prevention

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

PRJ-42999,
PRHF-24890

Identity Awareness

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

PRJ-42339

Identity Awareness

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

PRJ-41323,
PRHF-25083

Identity Awareness

A connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs.

PRJ-41221,
PMTR-86437

Application Control

In some scenarios, the RAD process may freeze after failing to connect to URL Filtering service.

PRJ-41378,
PRHF-25330

IPS

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

PRJ-42591,
PMTR-88426

IPS

The Security Gateway may crash during policy installation because of a memory allocation problem.

PRJ-35486,
PRHF-21504

DLP

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

PRJ-31705,
PRJ-29955

Anti-Bot

The "asg perf --delay" command does not change the "refresh time" on the screen.

PRJ-43682,
PRJ-43359

SSL Inspection

In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode.

PRJ-43154,
PRHF-26867

Mobile Access

The CVPND process may unexpectedly exit and create a core dump file.

PRJ-41259,
PRHF-25249

Mobile Access

Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

PRJ-42468,
PRHF-26292

Mobile Access

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

PRJ-43116,
PMTR-87809

ClusterXL

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

PRJ-44168,
PRHF-27330

ClusterXL

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

PRJ-43003,
PRHF-26722

ClusterXL

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

PRJ-42464,
PRHF-26264

ClusterXL

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

PRJ-29668,
PRHF-18663

SecureXL

When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored.

PRJ-42896,
PRHF-26517

SecureXL

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

PRJ-42575,
PRHF-25865

SecureXL

Multicast traffic may get dropped, and no logs are generated.

PRJ-43056,
PMTR-74260

Routing

The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486.

PRJ-40728,
PMTR-76539

VPN

In some scenarios, when NAT is configured, VoIP traffic is dropped.

PRJ-43595,
PRHF-27185,

PRJ-43299,
PRHF-26853

VPN

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

PRJ-44944,
PRHF-28050

VPN

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

PRJ-42879,
PRHF-26241

VPN

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

PRJ-42561,
PRHF-26325

VPN

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

PRJ-42762,
PRHF-26567

VPN

Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error.

PRJ-41375,
PRHF-25367

VPN

StrongSWAN Remote Access client can connect but fails to access internal resources.

PRJ-42653,
PRHF-26482

VPN

Stability issues of the VPND and IKED processes.

PRJ-41050,
PRHF-21309

VPN

A memory leak may occur in the VPND process.

PRJ-41697,
VSX-2670

VSX

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

PRJ-42883,
PMTR-88764

VSX

In VSX, if Dynamic Balancing was manually disabled on R81.10, after an upgrade from R81.10 to R81.20, it automatically gets enabled.

PRJ-41160,
PRHF-24929

Gaia OS

The SNMPD process may exit with a timeout when the ARP table with many ARP entries takes time to calculate its size.

PRJ-41251,
PMTR-85758

Gaia OS

The backup operation fails if the backed-up directory content is larger than 10GB.

PRJ-42254,
PRHF-26113

Gaia OS

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

PRJ-42962,
PRHF-26713

Gaia OS

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

PRJ-42526,
PRHF-26323

Gaia OS

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

PRJ-43428,
PRJ-42646

Gaia OS

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

PRJ-42624,
PRHF-26432

Gaia OS

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

PRJ-43651,
PRHF-27195

Gaia OS

When setting password hash on cloning group members, some members may not get updated.

PRJ-43959

Gaia OS

When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail.

See the Important Notes section.

PRJ-40693,
PMTR-71707

Harmony Endpoint

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

PRJ-43068,
PRHF-26666

CloudGuard Network

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

PRJ-43259,
PRHF-26750

CloudGuard Network

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

PRJ-42696,
PMTR-88821

VoIP

In some scenarios, when using static NAT, VoIP traffic may be affected.

PRJ-43517,

PRHF-26939

VoIP

After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

PRJ-43077,
PRHF-26401

VoIP

While handling a multi-INVITE scenario (where a user registers with multiple devices), and VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

PRJ-43488,
PMTR-89380

Scalable Platforms

Running the "show" or "set" commands for SSH in gClish fails.

PRJ-31553

Scalable Platforms

In VSX mode, when configuring affinity settings on Security Group members, a new added member may stay in Down state.

PRJ-30229,
MBS-14167

Scalable Platforms

The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.)

PRJ-31658,
MBS-14468

Scalable Platforms

The output of the "asg perf -6" command shows "IPV6 is Disabled".

PRJ-43601,

PRJ-43213

Scalable Platforms

Time synchronization task is not performed correctly when using predefined NTP Servers.

PRJ-32255,
PMTR-74498

Scalable Platforms

When running "asg diag verify" in an environment with mixed appliances, the "cores_verifier" command fails if there are unused cores, although it should not. The issue is cosmetic only..

PRJ-39602,
PRHF-22874

Scalable Platforms

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

PRJ-42192,
PMTR-87997

Scalable Platforms

In a multiple upgrade scenario, running the "sp_upgrade-revert" command reverts the setup to the last version, but running it the second time leads to revert instead of performing cleanup.

PRJ-42899,
PRHF-26604

Scalable Platforms

When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name.

PRJ-44600

Scalable Platforms

Uninstalling Jumbo Hotfix Take 79-87 from Maestro Orchestrator may cause the REST Server initialization to fail and lead to connectivity issues.

See the Important Notes section.

PRJ-44142,
PMTR-89728

Scalable Platforms

Some Maestro Hyperscale Orchestrator processes may go down after an upgrade and reboot. Refer to sk180509.

See the Important Notes section.

PRJ-43307,
PMTR-89190

Scalable Platforms

Minor packet drop may occur during Maestro Orchestrator graceful reboot.

PRJ-40549

Scalable Platforms

The output of the "asg perf" command may not show active software Blades.

PRJ-43361,
MBS-16516

Scalable Platforms

The "set expert-password-hash" command may fail to update the password hash on all cluster members.

Take 87

Released on 19 January 2023 and declared as Recommended on 7 February 2023

-

General

Alignment to new self-updatable packages.

PRJ-44014,

PMTR-89893

VSX

In VSX, after adding instances to a Virtual System (VS), their state may be inactive.

See the Important Notes section.

Take 85

Released on 12 January 2023

PRJ-42849,
PRHF-26378

Multi-Domain Security Management

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

PRJ-43891,
PRHF-26317

SSL Inspection

In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473.

Take 82

Released on 8 January 2023

PRJ-39425,
PRJ-39424

Security Management

NEW:

  • Added ability for R81.10 Security Management and Multi-Domain Security Management Server to manage R81.20 Security Gateways. It Requires R81.10 SmartConsole Build 412 (or higher).

  • Managing R81.20 Security Gateways in Autonomous Threat Prevention mode requires installing R81.20 Jumbo Hotfix Accumulator.

PRJ-42564

Security Management

UPDATE: It is now possible use multiple values when filtering in these views:

  • Global Assignments (MDS)

  • Permissions (MDS)

  • Sessions (MDS)

  • IPS (Domain level)

PRJ-38116,
PRHF-23142

Security Management

UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Security Management Server with the Active Global Domain, where the operation is triggered from.

PRJ-34898,
PMTR-63494

Security Management

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

PRJ-42033,
PMTR-87522

Security Management

UPDATE: Added a new Management API "mgmt_cli verify-management-license". It allows to check how many Security Gateway objects the Management Server license supports. Note that this API does not support Quantum Maestro and VSX. Refer to Management API Reference.

PRJ-42981,
ODU-747

Web SmartConsole

UPDATE: Released Take 73 with new features and improvements. Refer to sk170314.

PRJ-42981,
ODU-747

CPView

UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878.

PRJ-41229

Logging

UPDATE: Port 8211 no longer accepts connections with the cipher TLS_RSA_WITH_AES_128_CBC_SHA.

PRJ-38056,
PRHF-23074

Logging

UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message.

PRJ-32781,
PMTR-72977

Security Gateway

UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL.

PRJ-41248,
PMTR-86409

Internal CA

UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591.

PRJ-42201

Threat Prevention

UPDATE: Reduced loading time of big external Custom Intelligence Feeds.

PRJ-42702,
ODU-494

Threat Prevention

UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-38198,
PRHF-22998

UserCheck

UPDATE: Added support for custom UserCheck objects for Threat Extraction. Previously it was not possible to configure them when using Autonomous Threat Prevention Policy. Refer to sk178764.

PRJ-41735,
PMTR-87362

CloudGuard Network

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

PRJ-41713,

ODU-603

Smart-1 Cloud

UPDATE: Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-27770,
PMTR-75901

Scalable Platforms

UPDATE: The "revert to snapshot" operation is now blocked on Scalable Platforms when the snapshot remains from the previous version and is not created as a part of the current upgrade process.

PRJ-40628,
PMTR-85003

Scalable Platforms

UPDATE: Blocked the ability to install Jumbo Hotfix Accumulator or to run an upgrade to a major version on Quantum Maestro Security Gateways using the Central Deployment tool in SmartConsole or the Management REST API.

PRJ-41650,
MBS-16088

Scalable Platforms

UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it:

• To enable this option:

  • on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 1

  • to be boot persistent, run g_update_conf_file fwkern.conf fwha_force_present_state_over_active =1

• To disable this option:

  • on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 0

  • to be boot persistent, rung_update_conf_file fwkern.conf fwha_force_present_state_over_active =0

PRJ-40773,
PMTR-77523

Scalable Platforms

UPDATE: The "Obtain IPv4 Address Automatically" option in the IPv4 and IPv6 tabs of the Gaia Portal's Interface editor is now disabled (as it is on gClish).

PRJ-41935,
PMTR-83771

VoIP

UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection.

PRJ-38613,
PRHF-22986

Harmony Endpoint

UPDATE: Added the "-ignoreDA" flag for "epmcommands" to clean objects from the deleted users and computers, ignoring the "da_installed" flag.

PRJ-41999,
ODU-478

HCP

UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-40540,
PMTR-85125

Diagnostics

The cpview -s export operations may fail on VS0 when cpview_services are running.

PRJ-43904,
SMB-19002

Security Management

On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448.

PRJ-41556,
PRHF-25556

Security Management

After an Application Control update, policy installation may fail.

PRJ-40943,
PRHF-24600

Security Management

In rare scenarios, in a large environment, after an IPS update, High Availability synchronization may fail with timeout on the Global Domain.

PRJ-41562,
PRHF-25567

Security Management

After an upgrade, in the Gateways&Servers view, searching Security Gateway objects by their interfaces' IP addresses fails.

PRJ-39392,
PRHF-23578

Security Management

In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred".

PRJ-39611,
PRHF-24007

Security Management

After an upgrade, on the Domain level, in the Administrators View, the email and phone of the administrators may be missing.

PRJ-41679,
PMTR-86014

Security Management

An upgrade may fail with timeout during the import of a large database file.

PRJ-41576,
PRHF-25434

Security Management

In an environment with many Security Gateways, login to SmartConsole after starting services may take a long time.

PRJ-34737,
PRHF-21233

Security Management

When running the "show access-rule" API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells.

PRJ-41071,
PRHF-25026

Security Management

Global Policy reassignment fails with "An internal error has occurred" if a Global rule, Rule Base, or section is created, moved, and then deleted without running a reassignment in between.

PRJ-41292,
PRHF-25101

Security Management

Access Policy installation may fail with the "Internal error occurred during the verification process" error.

PRJ-41127,
PMTR-85721

Security Management

Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate.

PRJ-41976,
PRHF-25682

Security Management

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

PRJ-40426,
PRHF-24492

Security Management

In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error.

PRJ-40944,
PRHF-24601

Security Management

In rare scenarios, the FWM process may unexpectedly exit.

PRJ-41914,
PMTR-78191

Security Management

Installing Database from Security Management on an R80.x Log Server may fail.

PRJ-42240,
SMB-19124

Security Management

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

PRJ-42953,
PMTR-88744

Security Management

In an environment with the Endpoint Security Server, Jumbo Hotfix Accumulator installation may take a long time.

PRJ-40238,
PMTR-84358

Security Management

Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700.

PRJ-41671,
PRHF-25452

Security Management

When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue.

PRJ-42859,
PRHF-26649

Security Management

After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole.

PRJ-42509,
PRHF-26349

Security Management

Access policy verification may fail when dynamic objects exist in the NAT policy.

PRJ-40823,
PMTR-85091

Security Management

Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks.

PRJ-41541,
PMTR-87066

Security Management

The FWK process may unexpectedly exit during Threat Prevention policy installation.

PRJ-40223,
PRHF-24307

Security Management

In a large environment, High Availability synchronization for the Global domain may fail with the "Global domain is busy syncing, please check sync status" error.

PRJ-41553,
PMTR-83511

Security Management

Policy installation may get stuck on 99% when resuming queued policy installation tasks.

PRJ-37832,
PRHF-21070

Security Management

"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain.

PRJ-40734,
PRHF-24711

Security Management

In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message.

PRJ-39718,
PRHF-24047

Security Management

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

PRJ-37311,
PRHF-21848

Multi-Domain Security Management

SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Security Management Server to the Security Management Server.

PRJ-42291,
PMTR-83191

Multi-Domain Security Management

An upgrade of the secondary Multi-Domain Security Management Server or Multi-Domain Log Server may fail when simultaneously upgrading several Servers.

PRJ-42105,
PRHF-25807

Multi-Domain Security Management

In a Multi-Domain Security Management environment, the HitCount retention mechanism may prematurely remove the HitCount data.

PRJ-41920,
PRHF-25795

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit.

PRJ-37706,
PRHF-22836

Logging

It may not be possible to filter the "Subscriber" field in SmartLog.

PRJ-37298,
PRHF-22631

Logging

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

PRJ-41194,
PMTR-68271

Logging

It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only.

PRJ-35880,
PRHF-21739

Logging

Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), after several initial logs, they may stop coming to the Log Server.

PRJ-40492,
PRHF-24541

Logging

In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format.

PRJ-40144,
PRHF-24306

Logging

Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses.

PRJ-38052,
PRHF-23090

Logging

Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog.

PRJ-41917,
PMTR-78055

Logging

Export to CSV in SmartView may be stuck in the "running" status.

PRJ-41355,
PMTR-74878

Logging

In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic.

PRJ-41930,
PRHF-20117

Logging

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

PRJ-31865,
PMTR-66327

Logging

When exporting logs in CEF format using Log Exporter and the value of the "time-in-milli" parameter is set as "true" (sk173167), the logs are not displayed in ArcSight SIEM Solution.

PRJ-42414,
PRHF-26316

Logging

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

PRJ-37500,
PRHF-22655

Logging

The "epoll is enabled" warning is incorrectly displayed during policy installation.

PRJ-40235,
PRHF-23763

Security Gateway

There may be stability issues when ICAP client is active.

PRJ-41864,
PRHF-25769

Security Gateway

After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS).

PRJ-39968,
PRHF-24112

Security Gateway

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

PRJ-41451,
PMTR-85044

Security Gateway

Policy verification fails when a generic Data Center contains an object with an empty range.

PRJ-42972,
MBS-16324

Security Gateway

The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the LightSpeed 10/25/40/100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on.

PRJ-40927,
PRHF-24649

Security Gateway

When installing policy and the kernel parameter "up_log_extended_reason_for_incomplete_match" is set to 1, the Security Gateway may crash.

PRJ-41580,
PMTR-65731

Security Gateway

In some scenarios, the CPD process may unexpectedly exit.

PRJ-40109,
PRHF-20889

Security Gateway

In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL.

PRJ-43127,
PMTR-89008

Security Gateway

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

PRJ-39575,
IPS-171

Security Gateway

The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active.

PRJ-41624,
PMTR-78011

Security Gateway

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

PRJ-40917,
PRHF-24590

Security Gateway

The Security Gateway may crash because of memory corruption, and the following error appears in the /var/log/message file: "[XXX] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>".

PRJ-39332,
PRHF-23528

Security Gateway

After an upgrade, Access Control policy installation may fail with an "Update process is already running" message.

PRJ-35110,
PMTR-77852

Security Gateway

There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling".

PRJ-41416,
PRHF-24690

Security Gateway

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

PRJ-40974,
PRHF-24784

Threat Prevention

Threat Prevention policy installation may fail with a "Connection aborted by Peer" message.

PRJ-41316,
PMTR-86509

Threat Prevention

Threat prevention policy installation fails if a Custom Intelligence Feeds name includes unsupported characters.

PRJ-41489,
PMTR-84472

Threat Prevention

Loading of Custom Intelligence Feeds with authentication may fail.

PRJ-38722,
PMTR-82545

Threat Prevention

File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

PRJ-40936,
PMTR-85828

Threat Prevention

In a rare scenario, the Security Gateway may have a memory allocation issue.

PRJ-41439,
PRJ-40749

Threat Prevention

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot.

PRJ-38665,
PRHF-23320

Threat Prevention

The DLPU process may unexpectedly exit with a core dump file.

PRJ-43360

Threat Extraction

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

PRJ-36509,
PRHF-22053

Identity Awareness

The CPU utilization of the PDP daemon may be high during a specific authentication flow.

PRJ-38543,
PRHF-22565

Identity Awareness

The PDPD daemon may frequently exit during the user authentication flow.

PRJ-31975,
PMTR-74053

Identity Awareness

Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot.

PRJ-34571,
PRHF-21045

Identity Awareness

SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query.

PRJ-41820,
PMTR-87497

Identity Awareness

In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification.

PRJ-42506,
PRHF-26186

Application Control

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

PRJ-32992,
PRHF-20460

IPS

In some scenarios, IPS logs do not show the correct memory and CPU utilization when IPS is bypassed.

PRJ-41655,
PRHF-25585

IPS

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

PRJ-39753,
PRHF-23882

Anti-Virus

The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked.

PRJ-41216,
PRHF-23321

Anti-Virus

In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash.

PRJ-43181,
PRHF-26878

SSL Inspection

The WSTLSD process may unexpectedly exit and create core dump files.

PRJ-41973,
PRJ-42152

Mobile Access

After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing.

PRJ-32969,
PRHF-20588

Mobile Access

Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244.

PRJ-40833,
PRHF-24826

Mobile Access

After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail.

PRJ-32972,
PRHF-20670

Mobile Access

Push notification may not be working with the legacy Mobile Access (MAB) Portal. Refer to sk176243.

PRJ-38460,
PRHF-23267

Mobile Access

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

PRJ-40745,
PRHF-24710

ClusterXL

The cphaprob show_bond command does not show newly added slaves from Virtual Systems (VSs).

PRJ-42928,
PMTR-88804

ClusterXL

A Hide NAT port may be allocated twice causing the "out of state" drops.

PRJ-37151,
PRHF-22237

ClusterXL

In an Active/Active cluster, a member may reboot because of a memory corruption issue.

PRJ-39184,
PRHF-23684

ClusterXL

In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory because of a memory leak.

PRJ-42445,
PRHF-26215

SecureXL

The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364.

PRJ-42073,
PRHF-25880

SecureXL

In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot.

PRJ-42230,
PRHF-25785

SecureXL

DNS Traffic Steering feature does not work over TCP.

PRJ-41691,
PRHF-25516

SecureXL

The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP.

PRJ-42145,
PMTR-88118

SecureXL

SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios.

PRJ-40266,
PRHF-23964

CoreXL

Connections matching the Access Control rules may get timed out, although they should be rejected according to the configuration.

PRJ-41504,
PMTR-75250

Routing

Some invalid nexthop and destination addresses from remote BGP peers may be incorrectly handled, causing lost BGP connection.

PRJ-41724,
PRHF-25460

Routing

The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931.

PRJ-41870,
PMTR-87537

Routing

Gaia API request "show-routes" may fail with the "generic error" and the ROUTED core dump is generated.

PRJ-41708,
PRHF-25613

Routing

The ROUTED process may unexpectedly exit when the route does not have a next hop.

PRJ-41642,
VPNRA-795

VPN

In some scenarios, StrongSwan Client may get disconnected during re-authentication.

PRJ-41809,
PMTR-87347

VPN

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

PRJ-40860,
PRHF-24635

VPN

The VPND process may unexpectedly exit.

PRJ-42729,
PRHF-26453

VPN

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

PRJ-39171,
PRHF-23749

VPN

Remote Access Client may fail to connect when using machine certificate authentication.

PRJ-38167,
PRHF-22957

VPN

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

PRJ-42376,
PMTR-87326

VPN

The IKED process unexpectedly exits when the "Aggressive SLP" (Simultaneous Login Prevention) feature is enabled.

PRJ-40830,
PRHF-24812

VPN

The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710.

PRJ-41560,
PRHF-25552

VPN

After an upgrade, the community name may not be visible from SmartView Monitor, and the "snmpwalk" command returns an empty value for this entry.

PRJ-42310,
PMTR-87519

VPN

Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC).

PRJ-38516,
PRHF-23107

VSX

SecureXL may not let HTTPS traffic pass through a Virtual Router (VR).

PRJ-43356,
PMTR-89245

VSX

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

See the Important Notes section.

PRJ-43140

Gaia OS

After an upgrade, the RADIUS Server is unavailable and authentication fails.

See the Important Notes section.

PRJ-41234,
PRHF-25144

Gaia OS

There are trap names duplications in chkpnt.mib and chkpnt-trap.mib which may cause incorrect values when using SNMP traps.

PRJ-41409,
PRHF-25359

Gaia OS

When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed.

PRJ-34372,
PRHF-21347

Gaia OS

After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups.

PRJ-41613,
PMTR-87176

Gaia OS

Information about scheduled backup failure is now displayed in Clish, WebUI, and in the error message inside the log file.

PRJ-41686,
PRHF-25430

Gaia OS

In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function.

PRJ-42150,
PRJ-42015

CloudGuard Network

Improved performance of pushing Data Center Objects changes to Security Gateways.

PRJ-42855,
PRHF-26286

CloudGuard Network

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

PRJ-41846,
PRHF-25754

CloudGuard Network

Improved handling of NSX-T API responses.

PRJ-42010,
PRHF-25644

CloudGuard Network

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

PRJ-42115,
PRHF-25910

CloudGuard Network

AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC).

PRJ-41463,
PRHF-25422

CloudGuard Network

Import of OpenStack Data Center CloudGuard Network objects may fail.

PRJ-42257,
PRHF-26160

CloudGuard Network

After an upgrade in a Huawei Cloud environment, a network card may be renamed after a reboot.

PRJ-28732,
PRHF-11703

VoIP

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651.

PRJ-40355,
PRHF-24453

Scalable Platforms

When running the "set kernel-routes on/off" and "set domainname <VALUE>" commands through gCLish, the configuration is applied only locally.

PRJ-36510,
PRHF-21993

Scalable Platforms

In some scenarios, a newly added Security Group Member (SGM) continuously reboots, and there are core dump files for the CONFD process. Refer to sk178405.

PRJ-40180,
PRHF-24199

Scalable Platforms

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Module (SGM).

PRJ-42514,
PMTR-88150

Scalable Platforms

Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic.

PRJ-40835,
MBS-15935

Scalable Platforms

In a rare scenario, a non-SMO member may send GARP request over the Management interface, causing traffic impact.

PRJ-41146,
PRHF-25000

Scalable Platforms

In some scenarios, the SNMPD process may unexpectedly exit.

PRJ-41473,
PMTR-84696

Scalable Platforms

Configuration of exception entries (asg_excp_conf, see sk175584) does not survive an upgrade. As a result, traffic that was configured to be forwarded to SMO is handled by the original member.

PRJ-32368,
PMTR-70507

Scalable Platforms

In a dual site environment with two Maestro Hyperscale Orchestrators on each site, the asg diag test may fail in a mixed appliances setup because of a difference in affinity configuration files.

PRJ-37829,
PRHF-22738

Scalable Platforms

Improved VPN on Quantum Maestro with Security Gateways hidden behind NAT.

PRJ-41835,
PRHF-25720

Scalable Platforms

SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926.

PRJ-42558,
PRHF-24528

Scalable Platforms

Policy installation may cause backplane interfaces flapping. This can affect the connectivity with the Maestro Hyperscale Orchestrator, and the members may go to Down state.

PRJ-39190,
PRHF-23723

Scalable Platforms

When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID.

PRJ-42947,
MBS-11024

Scalable Platforms

Optimized the SNMP communication between Security Gateway Module (SGM) and Security Switch Module (SSM) to prevent timeouts.

PRJ-39318,
MBS-15404

Scalable Platforms

Failover/failback may cause a non-DR manager member to change state to Down because the ROUTED unexpectedly exits with pnote.

PRJ-41212,
PRHF-25227

Scalable Platforms

Performance data may not be collected on VSX Security Gateways.

PRJ-42820,
PMTR-88702

Scalable Platforms

In a Quantum Maestro environment, the sp_upgrade command may fail when working in VSX mode.

PRJ-42834,
PMTR-88649

Scalable Platforms

When trying to perform the downgrade procedure, a Site may be stuck in Backup state. The issue occurs if, before the downgrade, this Security Group was first upgraded and then its topology was changed.

Take 81

Released on 22 Nov 2022 and declared as Recommended on 2 January 2023

PRJ-41364

SecureXL

NEW: Added support for enabling Hardware Acceleration in Quantum LightSpeed Appliances. Refer to sk179432.

PRJ-45565,

ACCHA-2110

Gaia OS

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

PRJ-42687

Harmony Endpoint

  • After an upgrade of the on-premises Endpoint Management Server to Jumbo Hotfix Accumulator R81.10 Take 75, it is not possible to connect to the Web Management Server.

  • When logging into the Web Management Console, an "API error 9999" message is displayed.

Refer to sk180230. See the Important Notes section.

PRJ-41507,
PMTR-87006

Scalable Platforms

After an upgrade to Jumbo Hotfix Accumulator R81.10 Take 75 or higher, a member may be in Down state with a "pull_config" pnote.

Take 79

Released on 24 October 2022 and declared as Recommended on 21 November 2022

PRJ-38348,
PMTR-81030

Diagnostics

The CPVIEWD process may cause CPU spikes.

PRJ-40819,
PMTR-80047

Security Management

NEW: It is now possible to clone Access and HTTPS Inspection layers via Management REST API.

PRJ-41083,
PMTR-86078

Security Management

UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down.

PRJ-40000,
PMTR-84248

Security Management

UPDATE: Added a new API version (1.8.1). Refer to Management API Reference.

PRJ-31201,
PRHF-19545

Security Management

UPDATE: Audit logs for Access Control rules now contain more information about the rule.

PRJ-39462,
PRHF-23711

Security Management

UPDATE: Management API performance improvements:

  • When moving a rule, the "set-access-rule" command is now up to 15 times faster.

  • When using a rule name, the "set-access-rule" command is now twice as fast.

PRJ-40100,

PMTR-72725

Security Management

After a policy installation failure, fetching policy on the Security Gateway side by running the "fw fetch local" command may also fail.

PRJ-37912,
PRHF-22870

Security Management

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

PRJ-37339

Security Management

Objects that do not belong to groups may be shown in the Group Membership view in SmartConsole.

PRJ-40205,
PRHF-24315

Security Management

In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144

PRJ-38709,
PRHF-23378

Security Management

Login to Domain via Management API using FQDN as the Domain parameter may fail with the "Domain not found" error.

PRJ-38218,
PRHF-22973

Security Management

If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status.

PRJ-39805,
PMTR-83656

Security Management

In Object Explorer, when filtering by type, all other filters may disappear until the selected filter is removed.

PRJ-40587,
PRHF-24553

Security Management

The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645.

PRJ-40408,
PMTR-84933

Security Management

Editing a Threat Profile object using Ansible automation tool may fail.

PRJ-38426,
PMTR-81862

Security Management

Login to Management Server may fail if a trusted client has a subnet mask defined in CIDR notation. Refer to sk177743.

PRJ-39409,
PRJ-40901

Security Management

In the Object Explorer window in SmartConsole, numeric columns are sorted alphabetically, although they should be sorted in numerical order.

PRJ-40516,
PMTR-85116

Security Management

Adding members to a user group may fail when using Management API.

PRJ-33896,
PRHF-20973

Security Management

Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled.

PRJ-40646,
PRHF-24621

Security Management

Deleting a Security Gateway in SmartConsole may fail.

PRJ-41098,
PMTR-81750

Security Management

The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot.

PRJ-38789,
PRHF-23476

Security Management

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

PRJ-39210,
PRHF-23632

Security Management

The output of the "show opsec-application" API command may not show the host object name or UID.

PRJ-38457,
PRHF-23314

Security Management

High Availability synchronization may fail with the "Failed to update shared licenses" error.

PRJ-33922,
PRHF-21160

Security Management

Some unused sessions may remain open in the system, consuming memory and CPU.

PRJ-40721,
PRHF-24546

Security Management

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

PRJ-40851,
PMTR-84394

Security Management

The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command.

PRJ-39538,
PRHF-23867

Security Management

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

PRJ-39223,
PRHF-23186

Security Management

An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain".

PRJ-40058,
PRHF-24082

Security Management

An Application Control and URL Filtering update may still occur even if the latest version is already installed.

PRJ-39334,
PRHF-23594

Security Management

Install Policy Presets may fail with the "Install Policy Failed: Could not commit JPA transaction" error.

PRJ-40547,
PRHF-24405

Security Management

After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors.

PRJ-40810,
PRHF-24809

Security Management

SmartConsole may unexpectedly disconnect.

PRJ-40170,
PRHF-24144

Multi-Domain Management

A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours.

PRJ-39489,
PRHF-23926

Multi-Domain Management

In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect.

PRJ-38125,

PRHF-23066

Multi-Domain Management

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

PRJ-41286,
ODU-470

Web SmartConsole

UPDATE: Released Take 67 with new features and improvements. Refer to sk170314.

PRJ-40613,
PRHF-24080

Compliance

In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it.

PRJ-41022,
PMTR-86000

CPView

NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566.

PRJ-36192,
PRHF-22004

Logging

UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

PRJ-29738,
PMTR-72628

Logging

In SmartView, exporting views or reports that do not have tables may indefinitely continue processing.

PRJ-40194,
PMTR-82439

Logging

After an upgrade from R81 to R81.10, maintenance cleanup may remove some recent logs while not erasing other logs from the disk.

PRJ-28112,
PRHF-18175

Logging

In rare scenarios, logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server.

PRJ-39590,
PRHF-23981

Logging

The FWD process may unexpectedly exit and create core dump files.

PRJ-40358,
PRHF-24410

Logging

In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596.

PRJ-30965,

EPS-562

Logging

In some scenarios, the Forensics report fails to open from Harmony Endpoint logs.

PRJ-36477,
PRHF-22241

Logging

In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713.

PRJ-32207,
PRHF-20107

Logging

The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records.

PRJ-41360,
PMTR-85027

Logging

Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully.

PRJ-41103,
PRHF-25074

Logging

When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name.

PRJ-34680,
PMTR-75424

Security Gateway

UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215.

PRJ-40505,
PMTR-85083

Security Gateway

UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750).

PRJ-38144,
PRHF-22814

Security Gateway

UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.

PRJ-40098,
PMTR-84200

Security Gateway

UPDATE:

  • Added a new global parameter "fw_conn_double_error_allow_print " to enable/disable printing double connection error message to the log. When disabled, the Security Gateway will still drop a new connection if it is already recorded in the connection table, but there will be no error logs.

  • Added a new global parameter "fw_conn_double_error_count" to count how many times the error occurred.

PRJ-40459,
PMTR-84535

Security Gateway

In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway.

PRJ-38591,
PMTR-79658

Security Gateway

In a cluster environment, an ICAP implied rule may not be enforced after policy installation.

PRJ-35393,
PRHF-14804

Security Gateway

It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE".

PRJ-39640,
PRHF-23835

Security Gateway

When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged.

Refer to sk179431.

PRJ-41091,
PRJ-34903

Security Gateway

A kernel crash may occur during system shutdown when PIM is enabled.

PRJ-39927,
PRHF-23895

Security Gateway

When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files.

PRJ-41030,
PRHF-24958

Security Gateway

Topology auto update may fail because of a too long interface name.

PRJ-41033,
PRHF-24959

Security Gateway

The Security Gateway may run out of memory when retrieving topology.

PRJ-37210,
MBS-15377

Security Gateway

During a failover, BGP session may be re-established due to equal connection timers between two Security Gateways.

PRJ-40024,
PMTR-83767

Security Gateway

Access Control policy installation may fail with a "Load on Module failed - problem with the Commit Function" message.

PRJ-36867,
PRHF-22233

Security Gateway

After an upgrade, VSX cluster may have frequent failovers.

PRJ-38553,
PRHF-23113

Security Gateway

After an upgrade, Anti-Virus Blade may cause increased memory consumption.

PRJ-39580,
PMTR-71476

Security Gateway

In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash.

PRJ-40139,
PMTR-84236

Security Gateway

When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995.

PRJ-40500,
PRJ-34015

Security Gateway

Bond slaves may be visible in the wrong plane.

PRJ-40255,
PRHF-24323

Security Gateway

There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server.

PRJ-34172,
PRHF-20978

Security Gateway

After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash.

PRJ-39520,
PMTR-83692

Security Gateway

Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886.

PRJ-40793,
PMTR-85514

Security Gateway

Enhanced connectivity during HTTP2 Inspection.

PRJ-34404,
PRHF-21418

Security Gateway

Deleting IP addresses in the SAM Database may fail.

PRJ-27779,
PMTR-70632

Security Gateway

The RAD daemon may fail and create core dump files on VSX Gateways.

PRJ-40016,
PRHF-24223

Security Gateway

The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP).

PRJ-40863,
PMTR-74446

Security Gateway

Improved the recovery mechanism for Dynamic Balancing.

PRJ-41720,
PRJ-41721

Security Gateway

The Security Gateway with enabled Anti-Virus Blade may experience a memory allocation issue.

PRJ-40390,
PMTR-69466

Internal CA

UPDATE: Added an automatic extension for Internal CA database to support more than 100,000 certificates.

PRJ-40393,
PMTR-70065

Internal CA

UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424.

PRJ-40433,
PMTR-84242

Threat Prevention

UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output.

PRJ-39989,
PRHF-20730

Threat Prevention

UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time.

PRJ-29736,
PMTR-71844

Threat Prevention

SCP connections may get terminated.

PRJ-40344,
PRJ-40345,
PRHF-24427

Threat Prevention

The Custom Intelligence Feeds feature may stop enforcing traffic after Threat Prevention policy installation.

PRJ-37560,
PRHF-22459

Threat Prevention

IoC feeds configured in R80.30 cause authentication problems after an upgrade to R81.10. Refer to sk180440.

PRJ-34889,
PMTR-77524

Threat Prevention

When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated.

PRJ-40593,
PMTR-75706

Threat Prevention

There may be Security Gateway memory allocation issues related to creating a new Anti-Malware policy.

PRJ-41277,
PMTR-74610

Threat Prevention

Adding hash indicators may cause policy installation to fail with a warning message.

PRJ-40856,
PMTR-85654

Threat Prevention

IoC feed may not load because of a parsing issue with the IP range indicator.

PRJ-40446,
PMTR-84860

Threat Prevention

Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577.

PRJ-40438,
PMTR-82127

Threat Prevention

A kernel memory leak may occur during deep file inspection.

PRJ-39828,
IDA-4187

Identity Awareness

Removed unnecessary debug messages in the Identity revocation flow.

PRJ-35836,
PMTR-71684

Identity Awareness

Memory consumption may increase after policy installation when Secure ID is configured.

PRJ-39162,
PMTR-83274

Identity Awareness

The Nested Groups Depth value changed in CLI may not survive a reboot.

PRJ-36385,
PRHF-22069

Application Control

  • The /var/log/messages directory may be flooded with "appi_app_db_get_kattrib_info: attribs hash does not exist" messages.

  • A Security Gateway may be slow or unresponsive.

Refer to sk178406.

PRJ-29436,
PRJ-37281,
PRHF-21170,
PRHF-17678

URL Filtering

When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly.

PRJ-36136,
PRHF-20682

URL Filtering

In some scenarios, SSL websites are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283.

PRJ-38816,
PMTR-80962

URL Filtering

When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason.

PRJ-36435,
PMTR-77653

IPS

When ClusterXL is configured, a file may pass without inspection during a failover.

PRJ-31432,
PRHF-19698

IPS

Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization.

PRJ-37727,
PRHF-22465

DLP

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

PRJ-33295,
PMTR-61676

Anti-Virus

Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag".

PRJ-39152,
PRHF-21088

Anti-Bot

  • Downloading or opening the packet capture file from the Anti-Bot log entries may fail with a "File fetching is still in progress" message.

  • When opening the capture file link in the log entry in SmartConsole, the "Failed getting the incident file from the gateway. It may be expired" error is shown.

PRJ-40261,
PMTR-83847

SSL Inspection

The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

PRJ-34074,
PRHF-21065

Mobile Access

Manual Web Form Single Sign-On (SSO) may fail when passwords contain special characters.

PRJ-38436,
PMTR-82133

Mobile Access

When installing a specific hotfix, the CVPND process may unexpectedly exit.

PRJ-35511,
PMTR-65024

ClusterXL

UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers.

PRJ-39840,
PMTR-84079

ClusterXL

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

PRJ-37944,
PRHF-22882

ClusterXL

In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446.

PRJ-40201,
PMTR-84253

ClusterXL

In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members.

PRJ-39959,
PMTR-84213

ClusterXL

During a Multi-Version Cluster (MVC) upgrade, there may be state flapping when using the sync interface MAC address bit "02".

PRJ-36734,
PRHF-21591

ClusterXL

In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage.

PRJ-37632,
PRHF-22691

SecureXL

UPDATE: The MSS value in the SYN Cookie response can now be configured.

PRJ-39074,
PRHF-22676

SecureXL

UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960.

PRJ-40295,
PMTR-81618

SecureXL

A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode.

PRJ-41482,
PRHF-25453

SecureXL

After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops".

PRJ-36859,
PRHF-21863

SecureXL

Policy installation may cause cluster failover and impact the traffic flowing through the cluster.

PRJ-40220,
PMTR-63465

SecureXL

In a rare scenario, ipsctl kernel module does not load at startup.

PRJ-39739,
PMTR-86052

SecureXL

There may be high CPU or/and latency in CIFS/SMB connections.

PRJ-41957

SecureXL

SecureXL may drop traffic on a VSX Gateway with a Virtual Router (VR) or Virtual Switch (VSW), when IPS Blade is enabled.

PRJ-40550,
PMTR-81553

Routing

Route Injection Mechanism (RIM) feature may advertise kernel routes that cannot be used (for example, the cable is unplugged, and the network interface is down). This may lead to traffic loss.

PRJ-41208,
PMTR-81175

Routing

When changing PIM configuration, the ROUTED process may unexpectedly exit and generate a core dump due to a race condition.

PRJ-40548,
PRHF-24362

Routing

If Route Injection Mechanism (RIM) is enabled, and RIM routes are added for destinations that already had dynamic or static routes, the RIM routes are deleted in favor of the existing routes. Losing routes can result in loss of connectivity.

PRJ-40092,
PMTR-84418

Routing

When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file.

PRJ-40748,
PRHF-24743

Routing

The ROUTED process may unexpectedly exit when querying BGP data.

PRJ-36891,
PMTR-79153

VPN

UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on.

PRJ-41241,
PRHF-24483

VPN, Multi-Portal

UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434.

PRJ-40730,
PMTR-85427

VPN

UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271.

PRJ-38634,
PRHF-23424

VPN

Connection to Endpoint Security Client from the Remote Access VPN may be lost when the VPN tunnel timeout is reached. Refer to sk178891.

PRJ-40386,
PMTR-84477

VPN

The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart.

PRJ-40870,
PRHF-24283

VPN

Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage.

PRJ-39808,
PRHF-24079

VPN

Adding a Security Gateway Module (SGM) to a Security Group may cause the Security Gateway crash when Link Selection is enabled in Load Sharing mode.

PRJ-40562,
PMTR-85206

VPN

Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705.

PRJ-39236,
PRHF-23381

VPN

When connecting to Capsule VPN on iOS in a Multi-Domain Server or Scalable Platforms environment, loading a website may take up to one minute.

PRJ-40555,
PRHF-24156

VPN

When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources.

PRJ-40664,
PRHF-24446

VPN

There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled.

PRJ-36711,
PRHF-21689

VPN

Improved Site-to-Site VPN stability.

PRJ-39584,
PMTR-81752

VPN

In a rare scenario, when pushing a policy, the VPND process may unexpectedly exit.

PRJ-40583,
PMTR-84124

VPN

Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled.

PRJ-37785,
PMTR-82856

VPN

In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121.

PRJ-39894,
PMTR-56771

VSX

UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode.

PRJ-39888,
PMTR-84069

VSX

Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481.

PRJ-40799,
PMTR-84189

VSX

Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output.

PRJ-39712,
PMTR-80596

VSX

When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway.

PRJ-39768,
PMTR-83046

VSX

Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command.

PRJ-40649,
PMTR-85324

VSX

The VSX Provisioning Tool may unexpectedly exit when adding a new virtual device.

PRJ-40666,
PRHF-24682

VSX

When changing VSLS configuration with vsx_util, setting a new weight for each VS in Automatic mode fails with the "Operation failed. Can't write to database" error. Refer to sk179655.

PRJ-38094,
PMTR-64828

VSX

The "Primary Slave" configuration in a Bond (MAGG) interface may not be applied to a Security Group. Refer to sk178765.

PRJ-41363,
PMTR-86445

VSX

A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation.

PRJ-42180,
PMTR-81701

VSX

Pushing configuration to a virtual device in a Maestro VSX environment may fail. Refer to sk180107.

See the Important Notes section.

PRJ-40251,
PMTR-84229

VSX

In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash.

PRJ-40073,
PRHF-24269

VSX

A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586.

PRJ-40361,
PMTR-84809

VSX

Improved packet rate performance on warp interfaces.

PRJ-34096,
PMTR-65030

VSX

When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown.

PRJ-34323,
PMTR-60045

VSX

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

PRJ-39982,
PMTR-83520

VSX

The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591.

PRJ-27514,
PRHF-18056

Gaia OS

UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970.

PRJ-40409,

PRJ-42486

Gaia OS

UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653.

PRJ-39480,
PRHF-23819

Gaia OS

For TACACS users the ">" character is missing to separate the hostname from the commands. The fix is only cosmetic.

PRJ-36698,
PMTR-79157

Gaia OS

The /var/log/messages file may be flooded with "failed to update arp table file" messages.

PRJ-40769,
PMTR-81861

Gaia OS

IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file.

PRJ-40028,
PRHF-24243

Gaia OS

A user locked by the deny-on-nonuse mechanism cannot get unlocked.

PRJ-40478,
PRHF-24463

Gaia OS

The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS).

PRJ-40206,
PMTR-83836

Gaia OS

Editing RADIUS Server details multiple times may lead to deletion of this Server in WebUI.

PRJ-41147,
PMTR-78799

Gaia OS

A web session on Quantum Maestro may be expired after a minute, although the configured timeout is 10 minutes.

PRJ-40993,
PRHF-24495

Gaia OS

When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted.

PRJ-32418,
PRHF-16436

Harmony Endpoint

Web Remote Help returns to the sign-in page after generating the response code. Refer to sk172666.

PRJ-39026,
PMTR-82153

Scalable Platforms

When the "cphaprob list" command fails, CoreXL configuration pnote is not shown when expected. The issue is cosmetic only.

PRJ-39908,
PMTR-84121

Scalable Platforms

CPAC-TR-10T-C transceiver is displayed as unsupported, although it is supported.

PRJ-39842,
PMTR-84016

Scalable Platforms

During boot of Maestro Orchestrator, a "Linking SMO files: Not an integer value child process exited abnormally" message may be shown. The issue is cosmetic only.

PRJ-40908,
PMTR-85805

Scalable Platforms

After an upgrade of a Maestro Orchestrator to R81.10 version, several Maestro Orchestrator Clish commands may fail with errors messages.

PRJ-32196,
PMTR-74269

Scalable Platforms

In a VSX setup that includes members only in Site 2, asg monitoring commands (such as asg stat vs all) may incorrectly present Chassis 2 state as "N/A".

PRJ-40342

Scalable Platforms

CPUSE upgrade of Scalable Platforms may fail.

PRJ-37793,
PMTR-75954

Scalable Platforms

An outage may occur when all Security Gateways are physically disconnected from one of the two Maestro Orchestrators on a dual site.

PRJ-40454,
PRJ-37921,
PMTR-81451,
PMTR-84992

Scalable Platforms

The asg_perf test may show incorrect data related to acceleration cores number and CPU usage.

PRJ-40885,
MBS-15957

Scalable Platforms

HCP may report a false failure on the Maestro Orchestrator Daemons State test.

PRJ-38177,
PMTR-81838

Scalable Platforms

When removing a Security Group from Maestro Orchestrator WebUI, Site 2 Gateways may be missing from the Unassigned Gateways pane until the refresh button is clicked.

PRJ-41297,
PMTR-86488

Scalable Platforms

When NAT is configured on both Source and Destination, with delayed sync enabled, connection drops may occur.

PRJ-40528,
MBS-15158

Scalable Platforms

Improved packet processing on MHO-175 to avoid sudden drops.

PRJ-41379,
PRHF-24887

CloudGuard Network

UPDATE: Added support for pushing CloudGuard Controller updates to Gateways with MDPS enabled. However, these updates are not supported on clusters. Refer to sk138672.

PRJ-41371,
PMTR-86767

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region.

PRJ-35829,
PMTR-86021

CloudGuard Network

NSX-T NSGroup appears as the default prefix in the domain name.

PRJ-40840,
PRHF-24490

CloudGuard Network

Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways.

PRJ-41748,
ODU-587

Public Cloud CA Bundle

Added Take 19 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-41144,
ODU-518

Smart-1 Cloud

Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-40671,
ODU-478

HCP

Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 78

Released on 11 October 2022 and declared as Recommended on 19 October 2022

PRJ-42051,

PRHF-25946

Threat Prevention

Threat Prevention policy cannot be installed on R80.40 and lower Security Gateways when using a Security Zone object in the "Source" column. Refer to sk177605.

See the Important Notes section.

PRJ-42199

Scalable Platforms

On 16600 / 28600HS Quantum Maestro appliances, interfaces can disappear after uninstalling the Jumbo Hotfix.

See the Important Notes section.

Take 75

Released on 1 September 2022

PRJ-41205

Installation

  • After Installing R81.10 Jumbo Hotfix Accumulator Take 66 on top of Blink image including Take 55 there is console access but no network connectivity.

  • Reference to VMware is written as a name in the /etc/appliance_config.xml file.

Refer to sk179799. See the Important Notes section.

PRJ-34854,
PMTR-72440

Security Management

UPDATE: Added validation of Custom Application/Site objects to prevent configuring invalid URLs, which causes Access policy installation failure. Refer to sk175187.

PRJ-38152,
PRHF-23149

Security Management

UPDATE: Improved Access Policy installation time.

PRJ-37260,
PRHF-21969

Security Management

In a large scale environment, the Management API command "show-access-rulebase" may take a significant amount of time to complete or time out after 5 minutes.

PRJ-36921,
PRHF-22479

Security Management

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

PRJ-37524,
PRHF-22656

Security Management

Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server.

PRJ-37710,
PRHF-22796

Security Management

Install Policy preset fails if the Threat Prevention policy was uninstalled.

PRJ-35656,
PRHF-21996

Security Management

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

PRJ-35313,
PRHF-21755

Security Management

The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410.

PRJ-35532,
PMTR-77217

Security Management

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

PRJ-37505,
PRHF-22597

Security Management

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

PRJ-37028,
PRHF-22356

Security Management

Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background.

PRJ-37764,
PRHF-22671

Security Management

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

PRJ-38065,
PRHF-22999

Security Management

When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully.

PRJ-39472,
PRHF-23825

Security Management

Management HA synchronization may fail with the "NGM failed to import data" error.

PRJ-38401,
PRHF-23290

Security Management

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

PRJ-37400,
PRJ-37404,
PRHF-22147,
PRHF-21075

Security Management

Global Policy Assignment may fail with the "Failed to connect to FWM" error when the Domain is Active on the remote Multi-Domain Management Server.

PRJ-38800,
PRHF-23379

Security Management

In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running it with "details-level full".

PRJ-38616,
PRHF-23413

Security Management

A deleted Security Gateway may appear as unavailable in the Gateways&Servers view.

PRJ-37200,
PRHF-22299

Security Management

The Management API command "show-vpn-communities-star" for Diffie-Hellman group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054.

PRJ-38181,
PRHF-22647

Security Management

Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration.

PRJ-34154,
PRHF-21236

Security Management

Packet mode search in HTTPS Inspection policy may not work.

PRJ-39211,
PRHF-23634

Security Management

The "Throughput/sec" column in the Gateways&Servers view may show "N/A" instead of the actual value.

PRJ-39529,
PRHF-23939

Security Management

Improved memory usage and performance of Access Policy installation when numerous Network Groups are used in the Access Rule Base.

PRJ-33689,
PMTR-75731

Security Management

The Management API command "show object" may fail on a specific UID with a "Null Pointer exception" message.

PRJ-35061,
PRHF-21753

Security Management

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

PRJ-38121,
PRHF-23065

Security Management

Policy installation may fail with "an internal error" because of an orphan policy issue. Refer to sk122954.

PRJ-35606,
PRHF-21981

Security Management

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

PRJ-37887,
PRHF-22914

Security Management

Editing an object may fail with the "Could not access file for write operation" error.

PRJ-37510,
PRHF-22621

Security Management

Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag.

PRJ-37636,
PRHF-22693

Security Management

After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted.

PRJ-38742,
PRHF-23467

Security Management

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

PRJ-39021,
PRHF-23435

Licensing

  • SmartConsole cannot retrieve licensing information from SMB devices.

  • The License tab displays the error "This action is not supported for Quantum Spark appliances with Gaia Embedded OS" instead of "Security Gateway not found".

PRJ-37989,
PRHF-22589

SmartConsole

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

PRJ-39119,
ODU-377

Web SmartConsole

UPDATE: Released Take 59 with new features and improvements. Refer to sk170314.

PRJ-35672,
PMTR-77868

SmartProvisioning

UPDATE: To prevent duplicates issue in LSM REST API, it is no longer possible to create an object with the same name but written in a different letter case.

PRJ-35065,
PMTR-77739

SmartProvisioning

UPDATE: It is now possible to make a change in the provisioning profile of a cluster via the API command "set lsm-cluster" using the UID parameter.

PRJ-36053,
PMTR-77749

SmartProvisioning

The "set-lsm-gateway" command may fail during the SIC initialization.

PRJ-39856,
PMTR-84006

SmartProvisioning

After deleting an LSM object, the Security Gateway can still communicate and fetch policy from the Management Server.

PRJ-38317,
PRHF-22563

SmartProvisioning

The PostgreSQL database fully utilizes disk space on the Multi-Domain Management Server when SmartProvisioning is enabled in a large scale environment. Refer to sk178889.

PRJ-37103,
PRHF-22528

Logging

UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125.

PRJ-36463,
PRHF-22152

Logging

When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

PRJ-35997,
PRHF-22088

Logging

Logs with actions "Expired" and "Hold" may be missing from the Logging view.

PRJ-38416,
PRHF-21511

Logging

When there are several Log Servers, a log distribution issue may occur.

PRJ-39297,
PMTR-82675

Logging

An error may occur when changing default Time Frame while the SmartView language is not English.

PRJ-39680,
PMTR-82910

Logging

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells.

PRJ-39677,
PMTR-83316

Logging

A CSV file exported from SmartView may contain duplicated lines of headers.

PRJ-33817,
PMTR-72206

Logging

The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position.

PRJ-36028,
PMTR-70703

Logging

In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly.

PRJ-36021,
PRHF-21398

Logging

In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches.

PRJ-39668,
PRHF-23392

Security Gateway

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

PRJ-36121,
PMTR-71654

Security Gateway

In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect.

PRJ-38077,
GAIA-9576

Security Gateway

The Security Gateway may crash with a vmcore.

PRJ-27917,
PMTR-62741

Security Gateway

When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995.

PRJ-41000,
PRJ-40954

Security Gateway

In a VSX environment, SNMP queries to OSPF OIDs may fail.

PRJ-39216,
PMTR-81290

Security Gateway

The Security Gateway may crash during PM Stats collection.

PRJ-37519,
PRHF-22548

Security Gateway

The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options.

PRJ-39686,
PRHF-23741

Security Gateway

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

PRJ-37953,
PRHF-22703

Security Gateway

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

PRJ-40442,
PRJ-38912

Security Gateway

When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency.

PRJ-41456,
PMTR-86925

Security Gateway

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

PRJ-36568,
PMTR-79569

Internal CA

UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096.

PRJ-36294,
PMTR-77668

Threat Prevention

A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file.

PRJ-39196,
PMTR-83142

Threat Prevention

In a scenario, when Ant-Virus Blade is enabled, the Security Gateway may crash during policy installation.

PRJ-39324,
PMTR-83434

Threat Prevention

Improved memory consumption by decreasing the size of the mal_conns table.

PRJ-38685,
PRHF-23324

Threat Prevention

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout

PRJ-40397,
ODU-385

Threat Prevention

Added Update 15 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109.

PRJ-41446,
PRHF-25374

Threat Prevention

In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)".

See the Important Notes section.

PRJ-36522,
PMTR-77922

IPS

Improved detection in some IPS protections.

PRJ-39063,
PRHF-12660

IPS

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports.

PRJ-35293,
PRHF-21849

Mobile Access

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

PRJ-34725,
PMTR-77351

Mobile Access

In some scenarios, the Mobile Access applications fail to login because the Security Gateway may not forward HTTP request cookies of some browser-initiated requests to an internal Server.

PRJ-39154,
PRHF-23617

Mobile Access

Login to Mobile Access Citrix application may fail.

PRJ-34871,
PMTR-76212

ClusterXL

UPDATE: Added support for the "Same VMAC" feature.

PRJ-31527,
PMTR-72074

ClusterXL

UPDATE: Added a new Gaia Clish command "show cluster members monitored" to show cluster monitored IP addresses of all the members in a table format. This command is equivalent to the Expert mode command "cphaprob -m tablestat".

PRJ-38615,
PMTR-82026

ClusterXL

When moving a cluster from Unicast to Multicast LS, Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic lost.

PRJ-37490,
PMTR-73519

ClusterXL

In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state.

PRJ-38820,
MBS-14060

ClusterXL

Local connection from the Management interface on a non-standard port (e.g. 8000) may fail.

PRJ-36604,
PMTR-79447

ClusterXL

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

PRJ-37883,
PMTR-81375

ClusterXL

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

PRJ-39084,
PMTR-79827

ClusterXL

VPN may not operate correctly on ClusterXL in Load Sharing mode and Scalable Platforms (Quantum Maestro and Chassis). This causes sporadic but frequent traffic drops. Refer to sk179808.

See the Important Notes section.

PRJ-37814,
PRJ-37001

SecureXL

NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603.

PRJ-38595,
PMTR-82425

SecureXL

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

PRJ-32710,
PMTR-74854

SecureXL

UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces will not use the alias IP as the local IP address of the tunnel.

PRJ-39010,
PRHF-22881

SecureXL

SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped.

PRJ-39004,
PRHF-23644

SecureXL

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

PRJ-38560,
PRHF-22924

Routing

UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver.

PRJ-38983,
PRHF-23620

Routing

There may be high CPU utilization and slow recovery of the ROUTED process after a failover.

PRJ-38984,
PMTR-82262

Routing

A buffer overflow may cause the ROUTED process to exit with PNOTE.

PRJ-38985,
PMTR-73346

Routing

It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time.

PRJ-36940,
PMTR-79381

Routing

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

PRJ-37941,
PMTR-80421

VPN

NEW: KAT tests for IKE and TLS are now validated for FIPS certification.

PRJ-37775,
PRHF-22871

VPN

Capsule Connect (IPSec VPN) may fail to re-authenticate.

PRJ-35422,
PMTR-77570

VPN

When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field.

PRJ-32681,
PMTR-66706

VPN

An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage.

PRJ-37549,
PMTR-79930

VPN

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

PRJ-37556,
PMTR-77042

VPN

An outage may occur when using IKEv2.

PRJ-39065,
PMTR-82288

VPN

Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure.

PRJ-36451,
PMTR-65595

VSX

UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

PRJ-32408,
PMTR-74557

VSX

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

PRJ-33316,
PRHF-20561

VSX

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

PRJ-32478,
PRHF-20437

VSX

When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction.

PRJ-32707,
PRHF-20553

VSX

After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS.

PRJ-37807,
PMTR-81261

VSX

Running the "vsx_util vsls" command may end with the "Segmentation fault" error.

PRJ-28951,
PRHF-17665

VSX

Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950.

PRJ-38829,
PMTR-82551

VSX

The FWK process of Virtual Switch (VSW) may consume a high CPU.

PRJ-38409,
PMTR-73704

VSX

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

PRJ-34767,
PRHF-21568

VSX

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

PRJ-38794,
PMTR-82492

VSX

In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt.

PRJ-38011,
PMTR-81493

VSX

"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg.

PRJ-38727,
PMTR-81373

VSX

When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version.

PRJ-40704,
PMTR-81932

VSX

A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member".

PRJ-40950,
PMTR-85821

VSX

The VSX Security Gateway may crash when pushing a policy after deleting an interface. Refer to sk179820.

See the Important Notes section.

PRJ-36525,
PMTR-72069

Gaia OS

NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN info (interface creation, IP, MTU, comments, state).

PRJ-35586,
PRHF-21922

Gaia OS

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

PRJ-39379,
PMTR-83140

Gaia OS

The CONFD process may unexpectedly exit and generate a core dump file.

PRJ-40366,
PMTR-84602

Gaia OS

Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579.

PRJ-38960,
PMTR-72373

Gaia OS

When loading a configuration file to the new Security Gateway, VLAN interfaces may not be added to the bridge as expected.

PRJ-37349,
PMTR-80176

Gaia OS

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

PRJ-38231,
PMTR-81516

Gaia OS

When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue.

PRJ-39096,
PRHF-23641

Gaia OS

Dynamic routing SNMP OID polling may work only in VSX mode.

PRJ-29673,
PMTR-72575

CloudGuard Network

UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time.

PRJ-38569,
PRHF-23328

CloudGuard Network

UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway.

PRJ-33578,
PRHF-20923

CloudGuard Network

When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments".

PRJ-38871,
PRHF-23555

CloudGuard Network

After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources.

PRJ-38071,
PMTR-78814

CloudGuard Network

Policy install or publish may fail because of the CPM process operations overload.

PRJ-40198,
PRHF-24322

CloudGuard Network

Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS).

PRJ-39798,
PRHF-23081

CloudGuard Network

Importing NSX-T Data Center NSGroups with more than 1000 IP addresses may fail and lead to an outage.

PRJ-38644,
PRJ-38642

VoIP

NEW: Added a new tab for VoIP monitoring in CPView.

PRJ-39817,
PMTR-81965

VoIP

The Security Gateway may crash when running UDP and TCP SIP traffic.

PRJ-40930,
PRJ-40928

VoIP

After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports".

PRJ-39110,
MBS-14962

Scalable Platforms

UPDATE: Added ability to change CIN interface IP ranges. Refer to sk179028.

PRJ-37469,
MBS-15425

Scalable Platforms

UPDATE: When creating a new Security Group on Quantum Maestro, it is mandatory to configure First Time Wizard settings.

PRJ-35111,
PMTR-76563

Scalable Platforms

UPDATE: The asg_info command is no longer supported on Scalable Platforms. The "cpinfo -Q" command should be used instead.

PRJ-39636,
MBS-15678

Scalable Platforms

The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10.

PRJ-38297,
MBS-15504

Scalable Platforms

During Jumbo Hotfix Accumulator installation, the sgm_lsp core dump may be created.

PRJ-38483,
MBS-15568

Scalable Platforms

When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647.

PRJ-38699,
MBS-15611

Scalable Platforms

The ROUTED process may unexpectedly exit when OSPF is configured as P2P.

PRJ-39720,
PMTR-83873

Scalable Platforms

Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic.

PRJ-39115,
PRJ-39116

Scalable Platforms

The "asg_excp_conf get" command may fail. Existing exceptions cannot be printed due to unaligned exception max size between kernel and userspace (cphaprob).

PRJ-34872,
PMTR-76980

Scalable Platforms

In some scenarios, CPWD and HCP report the CPUS_USGS process as terminated.

PRJ-35285,
PMTR-78037

Scalable Platforms

A cluster member may fail to perform FullSync and remain in Down state with FULLSYNC PNOTE.

PRJ-39997,
PMTR-78680

Scalable Platforms

When a Maestro Security Gateway is active again after a reboot, the LACP bond may drop incoming and outgoing packets.

PRJ-36092,
MBS-15239

Scalable Platforms

A Security Gateway may not be added to the Security Group distribution matrix when moving from a site with two MHOs to a single MHO.

PRJ-37640,
PRHF-22789

Scalable Platforms

The "asg_copy_capture" logs repeatedly appear in the var/log/messages file. The reason given in the logs is "capture file was not found on remote SGMs".

PRJ-33924,
PMTR-75452

Scalable Platforms

On Scalable platform Chassis in VSX mode, when adding a new member to Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error.

PRJ-41043

Scalable Platforms

Disk partition of the /var/log directory on Quantum Maestro appliances may fail.

PRJ-40309,
ODU-454

HCP

Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 66

Released on 29 June 2022 and declared as Recommended on 19 July 2022

PRJ-40378,

PMTR-84711

Gaia OS

After an upgrade, there are SSH connectivity issues, when the "allowed-host" feature in Clish is enabled.

PRJ-39899

Scalable Platforms

In some scenarios, the asg_perf_hogs test shows that SecureXL is disabled while it is enabled. Refer to sk179424.

See the Important Notes section.

Take 61

Released on 2 June 2022

PRJ-38783,
PMTR-81440

Security Management

NEW: Added a new Management API command "show-servers-and-processes" to show the status of all processes on the Multi-Domain Server and all Domain Management / Log Servers.

PRJ-36588,

PMTR-72224

Security Management

NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509.

This applies both to SmartProvisioning and SmartUpdate.

PRJ-33297,
PMTR-73362

Security Management

UPDATE: LSM Cluster objects names can now be defined without using the prefix and suffix options.

PRJ-33953,
PMTR-76788

Security Management

Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.

PRJ-34774,
PRHF-21487

Security Management

When adding a new Interface to an existing Cluster via Management API, the operation may fail with an "Action Failed due to an Internal Error" message.

PRJ-35951,
PRHF-21894

Security Management

Compliance results for some rules are not available after changing the "Policy Range" of a user-defined rule to a value below 100%. Refer to sk177544.

PRJ-35018,
PRHF-21705

Security Management

Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129.

PRJ-35226,
PRHF-21778

Security Management

When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265.

PRJ-37496,
PRHF-22409

Security Management

In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249.

PRJ-37579,
PMTR-80846

Security Management

In some scenarios, after editing Blades in Simple-gateway/Cluster Ansible modules, the Blades are not changed, and Ansible shows that no changes occurred.

PRJ-37625,
PMTR-80948

Security Management

Upgrade of the secondary Security Management Server or Multi-Domain Management Server may fail due to a High Availability synchronization issue.

PRJ-33803,
PMTR-76103

Security Management

The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty.

PRJ-37328,
PRHF-22577

Security Management

In some scenarios, the policy installation may fail after editing the trac_client_1.ttm configuration file. Refer to sk174646.

PRJ-35758,
PRHF-21875

Security Management

In rare scenarios, deleting a Security Gateway may fail.

PRJ-37063,
PRHF-22501

Security Management

After installing policy on a new cluster, the cluster object status may be "Not Available", even though all Cluster members statuses changed to "OK".

PRJ-37368,
PRHF-22678

Security Management

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy.

PRJ-33077,
PMTR-75039

Security Management

Updating objects with Management API may fail when editing the "groups" field and object UID is specified.

PRJ-35299,
PMTR-75023

Security Management

When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile.

PRJ-36747,
PRHF-22326

Security Management

Accelerated Install Policy may fail with the verification error: "Rule-name has security zone objects that are not attached to any interface used in Cluster-name ", when the rule contains Security Zone and the install-on target is a cluster.

PRJ-32818,
PRHF-20492

Security Management

In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768.

PRJ-38149,
PRHF-23139

Security Management

Cloud Shadow Objects verification may take several minutes.

PRJ-33028,
PMTR-73892

Security Management

IPS profiles and network objects may not be shown in certain views in SmartConsole.

PRJ-39178,

PRHF-23750

Security Management

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error.

PRJ-38394,
PMTR-72637

SmartConsole

UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain.

PRJ-38038,
PMTR-80819

SmartProvisioning

UPDATE: Added a new Management API command "verify-management-license", it allows to verify whether the Domain Management license covers all installed Security Gateways in the Domain. Refer to sk178544.

PRJ-38038,
PMTR-80819

SmartProvisioning

LSM devices that were created via the LSM REST API may not fetch the VPN certificate correctly.

PRJ-38127,

PMTR-80530

SmartProvisioning

After an SMB firmware upgrade, policy fetch may fail with the "Version matching problem" error.

PRJ-38359,

PMTR-82092

SmartProvisioning

Improved the time of creating a new LSM object using the LSM API in large environments.

PRJ-37593,
PMTR-77255

SmartView

UPDATE: Security Check-Up report will now show the new Check Point logo and updated cover page.

PRJ-36623,
PMTR-79023

Logging

UPDATE: SmartView reports will now show the new Check Point logo.

PRJ-35977,

PRHF-21400

Logging

"Failed to open /opt/CPsuite-R81.10/fw1/log/" messages may appear in the log_indexer.elg file because of files ending with the ".log" suffix although they are not actual log files.

PRJ-29175,
PRHF-18866

Logging

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found and " fwbintabreplace: table svm_range_gateways_valid not found" from fwd debug log.

PRJ-33518,
PMTR-71704

Logging

Improved samples visibility in SmartView Widgets.

PRJ-34251,
PRHF-21188

Logging

There may be an incorrect error message related to MakeConnection method.

PRJ-34143,
PRHF-21218

Logging

On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.

PRJ-35202,
PRHF-20349

Logging

In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627.

PRJ-37898,
PRHF-22858

Logging

Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP.

PRJ-35013,

PMTR-75595

Logging

In SmartView, downloading multiple reports from Archive may fail.

PRJ-36656,
PMTR-77355

Security Gateway

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled. Refer to sk105740.

PRJ-31496,
PRHF-7049

Security Gateway

UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. In case a shadow rule exists, the new shadow rule will override the existing shadow rule.

PRJ-29964,
UP-452

Security Gateway

UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.

PRJ-38690,
PRHF-22315

Security Gateway

UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE).

PRJ-37530,
PRHF-22491

Security Gateway

Improved Gateway internal memory allocation logic.

PRJ-33931,
PRHF-20845

Security Gateway

Cluster failover may trigger the FWK process to exit, with no traffic impact.

PRJ-33700,
PMTR-72984

Security Gateway

In some scenarios, file download may fail with the "Connection queue exceeded max size" error.

PRJ-37013,
PRHF-22369

Security Gateway

Gaia Clish "show" commands for Multi-Queue may fail in a Management Data Plane Separation (MDPS) environment.

PRJ-37610,
PMTR-80518

Security Gateway

When using the DAIP Gateway object in the Access Rule Base, the "fwdnd_log_info_lookup failed" debug error may appear in the fwk.elg log, if the relevant rule has log track. Refer to sk178670.

PRJ-37355,
PRJ-35902

Security Gateway

Uninstalling Jumbo Hotfix may cause interfaces to disappear.

PRJ-27903,
PRHF-17754

Security Gateway

In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.

PRJ-36049,
PMTR-78861

Security Gateway

In a rare scenario, DNS connection may be dropped with a "up_manager_cmi_handler_match_cb: connection not found" message.

PRJ-34728,
PRHF-21103

Security Gateway

In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with one of these errors:

  • "Content Awareness - Error while processing X: Timeout reach during text extraction."

  • "Content Awareness - Error while processing X: File appears corrupted"

  • "Too many files in archiveSSH parsing error occurred."

PRJ-33860,
PMTR-76224

Security Gateway

In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down.

PRJ-34789,
PMTR-65164

Security Gateway

In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn".

PRJ-36516,
PRHF-22273

Security Gateway

In a rare scenario, a memory leak in the FWD process may occur during Threat Prevention policy installation.

PRJ-39122

Security Gateway

When installing policy with acceleration in a loop, after some time, SIC may get disconnected, and installation fails. Refer to sk180397.

PRJ-38045,
ODU-283

Threat Prevention

Added Update 14 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109.

PRJ-35185,

PRJ-35154

Threat Prevention

While using the Security Zone object in the "Source" column in the Threat Prevention policy, Security Gateways R80.40 and lower do not drop traffic. Refer to sk177605.

PRJ-36166,
PRHF-21680

Identity Awareness

In a rare scenario, the PDP process may unexpectedly exit with a core dump file.

PRJ-35853,
PRHF-22037

Identity Awareness

The PEP process may unexpectedly exit.

PRJ-37545,
PRHF-22301

IPS

In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail.

PRJ-37980,
PMTR-81714

IPS

In a rare scenario, a traffic outage may occur.

PRJ-32611,
PRHF-20132

IPS

When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites, the Gateway may drop traffic.

PRJ-30126,
PMTR-66344

SSL Inspection

When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.

PRJ-38258,
PMTR-81157

SSL Inspection

In some scenarios, the FWK process may unexpectedly exit during the TLS handshake.

PRJ-35071,
PMTR-67275

ClusterXL

When creating a new virtual system, some VSLS parameters like the Virtual System's weight value may be displayed wrong.

PRJ-35169,
PMTR-77780

ClusterXL

A single cluster member with Dynamic Routing configuration may stay permanently in DOWN state producing routed pnote during a boot.

PRJ-34397,
PMTR-76763

ClusterXL

When Dynamic Routing protocols are configured on a cluster, a failover to a member that just rebooted may cause a few seconds outage.

PRJ-35229,
PMTR-70530

ClusterXL

In an Active/Active cluster, potential FTP data connection interruption may occur during failover.

PRJ-37436,
PMTR-80319

ClusterXL

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

PRJ-36616,
PMTR-71442

ClusterXL

During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510.

See the Important Notes section.

PRJ-36178,
PMTR-51050

ClusterXL

In Virtual Device Status table, in VS0 context, the output shows the Active-Active status on two members instead of Active-Standby. The issue is cosmetic only.

PRJ-39740,

ACCHA-1767

SecureXL

When using tcpdump on the LightSpeed 10/25/40/100G QSFP28 interfaces and the "-i" flag is combined with other flags (for example, -nnni or -ei), tcpdump cannot find the RDMA index.

PRJ-38503,
PRHF-23143

CoreXL

An Active member in a cluster may make a full reboot during policy installation.

PRJ-37512,
PMTR-80136

Routing

The "set route-redistribution to rip from interface" CLI command may fail with the load configuration errors.

PRJ-36438,
PMTR-78967

VPN

Machine Authentication stability improvements for Remote Access Endpoint Clients.

PRJ-29545,
VPNS2S-2548

VPN

Newly defined ROBO Gateways cannot connect until policy installation.

PRJ-38729

VPN

In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.

See the Important Notes section.

PRJ-37464,
PRHF-21891

VPN

The VPND process may unexpectedly exit.

PRJ-35048,
PMTR-77549

VPN

In some scenarios, NAT-T tunnel establishment may fail.

PRJ-34212,
PMTR-74824

VPN

IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.

PRJ-37591,
PRHF-22751

VPN

During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high.

PRJ-29882,
PRHF-19050

VPN

Improved VPN interoperability.

PRJ-37283,
PRHF-22452

VPN

VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments.

PRJ-34673,
PMTR-77130

VSX

UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.

PRJ-36769,
PMTR-52576

VSX

VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.

PRJ-33473,
PMTR-73998

VSX

In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously.

PRJ-32080,
PMTR-74295

VSX

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes writing the object to the database to fail.

PRJ-39511,

PMTR-83472

VSX

After creating a VSX Gateway, traffic may not go through the VSX Gateway correctly because of synchronization issues of the cphwd_enable_ecmp parameter with SecureXL.

PRJ-37618,
PMTR-80850

VSX

After an upgrade from R80.20SP/R80.30SP to R81.10, pushing accelerated policy may cause all non-SMO SG Members to go down.

PRJ-35505,
PMTR-62860

VSX

There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.

PRJ-36689,
PMTR-72627

VSX

In a Multi-Domain environment, the "vsx_util vsls" command may take a few minutes to run.

PRJ-35279,
PMTR-76457

VSX

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation.

PRJ-36788,
PMTR-79249

VSX

The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.

PRJ-38204,
PRHF-23118

VSX

In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.

PRJ-36756,
PRJ-36770

Gaia OS

NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.

PRJ-36088,
PMTR-78169

Gaia OS

WebUI session may end when creating a Role with full permissions.

PRJ-39097,
PRHF-23641

Gaia OS

Dynamic routing SNMP OID polling may work only in VSX mode.

PRJ-33555,

PMTR-75925

Gaia OS

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

PRJ-37120,
PRHF-18358

VoIP

When static NAT is configured, VoIP calls may not work.

PRJ-38024,
ODU-342

Public Cloud CA Bundle

Added Take 18 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-37054,
PRHF-20096

CloudGuard Network

In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904.

PRJ-37604,
PRHF-22145

CloudGuard Network

In Amazon Web Services (AWS), some Gateways may be crashing frequently with vmcores.

PRJ-36365,
PRHF-22181

CloudGuard Network

When booting up, the NSX-T CloudGuard Gateway may crash. Refer to sk177703.

PRJ-37948,
PRHF-22994

CloudGuard Network

In some scenarios, mapping of AWS Data Centers may take a long time to complete.

PRJ-37777,
PMTR-76723

CloudGuard Network

During boot on KVM with 10 or more interfaces, the interface order may change.

PRJ-37148,
ODU-286

Smart-1 Cloud

Added Update 4 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-32820

Quantum Appliances

NEW: Added support for Quantum LightSpeed Appliances Initial Release (Threat Prevention Stream). Refer to sk179432.

PRJ-36594,
MBS-13315

Scalable Platforms

NEW: A new module parameter "ccl_correct_dr_between_chassis" is added.

  • Setting it to 0 disables inter-chassis corrections.

  • Setting it to 1 returns to the default behavior

    Refer to sk177943.

PRJ-39644

Scalable Platforms

UPDATE: Added PIM support for Scalable Platforms.

PRJ-39964

Scalable Platforms

UPDATE:The "asg_perf_hogs" test was moved from asg_diag to HCP. Refer to sk171436.

PRJ-28273,
PMTR-70624

Scalable Platforms

  • The command "snapshot-onetime" (import/export, from/to a remote server) is not supported yet on Scalable Platforms.

  • Scalable Platforms support only the local Gaia snapshot.

PRJ-36649,
MBS-15367

Scalable Platforms

Running "cphaconf debug_data" in VSX context may cause the Gateway to crash.

PRJ-36916,
PRHF-22274

Scalable Platforms

During policy installation the status of Single Management Object(SMO) may not be stable.

PRJ-35089,
PRHF-21133

Scalable Platforms

Security Group may drop traffic during an internal failover between Security Group members when Dynamic Anti-Spoofing is enabled. Refer to sk177946.

PRJ-34049,
PMTR-76324

Scalable Platforms

After changing Multi-Queue configurations, members may remain in Down state.

PRJ-34054,
MBS-14488

Scalable Platforms

Non-SMO members may go to Down state after Anti-Malware policy installation failed. Refer to sk177607.

PRJ-32451,
PMTR-71738

Scalable Platforms

In rare scenarios, changing the number of CoreXL instances in SP environments with many virtual systems may fail.

PRJ-39044,
PRJ-39191

Scalable Platforms

On Maestro Orchestrator, packet loss may occur during Jumbo Hotfix Accumulator installation or uninstall.

PRJ-37854,
PMTR-81227

Scalable Platforms

When the LLDPD and SNMPD coredump files are generated, zombie processes may be created and cause warnings in HCP with no impact.

PRJ-33665,
PMTR-74404

Scalable Platforms

In Clish, it may not be possible to add to a Security Group two Gateways with Maestro Orchestrator on each site.

PRJ-34924,

PMTR-76870

Scalable Platforms

On Maestro Orchestrator, the SSM_PMD process may consume a high CPU.

PRJ-39951,

PMTR-74569

Scalable Platforms

The asg_hw_utilization and asg_resource tests have a broken output. Refer to sk179426.

See the Important Notes section.

PRJ-38037,
ODU-341

Scalable Platforms

Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-38225,
ODU-349

HCP

Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 55

Released on 1 May 2022 and declared as Recommended on 1 June 2022

PRJ-29849,
PRHF-18734

Diagnostics

In some scenarios, CPView shows the SNMP data partially.

PRJ-36494,
PMTR-73021

Security Management

NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509.

This applies only to SmartConsole (does not apply to SmartProvisioning).

PRJ-30408,
PRHF-19450

Security Management

UPDATE:

  • Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".

  • It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

PRJ-35099,
PMTR-76491

Security Management

UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. The parameter is set to "0" by default. Refer to sk178127.

PRJ-33566,
PMTR-75061

Security Management

In rare scenarios, the task of creating/deleting a Domain or Domain Server may be stuck at 5% with the "Task in queue" status.

PRJ-35280,
PMTR-78150

Security Management

In a Multi-Domain environment, only one hundred Domains appear in the Domains view, although there are more.

PRJ-38877,
PRHF-23554

Security Management

In large environments, after installing Jumbo Hotfix Take 38 or Take 45, login to SmartConsole may fail shortly after services are up. Refer to sk178807.

See the Important Notes section.

PRJ-36801,
PMTR-74772

Security Management

In some scenarios, the last modifier name is missing in unpublished sessions and SmartConsole unexpectedly closes.

PRJ-35480,
PMTR-77765

Security Management

Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error.

PRJ-34179,
PRHF-20991

Security Management

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

PRJ-33768

Security Management

The Management REST API "add lsm-gateway" with "SIC" parameter may fail with "generic_error".

PRJ-32563,
PRHF-20316

Security Management

Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144.

PRJ-33402,
PRHF-20866

Security Management

When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

PRJ-33366,
PRHF-20847

Security Management

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

PRJ-34748,
PRHF-21362

Security Management

The "Free Memory" column under the "Gateways and Servers" tab may show "N/A" instead of the actual value. Refer to sk177135.

PRJ-32849,
PMTR-74961

Security Management

In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure".

PRJ-32133,
PRHF-20181

Security Management

When working with Endpoint Cloud, the License tab under "Gateways and Servers" in SmartConsole may show "Certificate error: CertAuthorityInvalid".

PRJ-32719,
PRHF-20332

Security Management

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

PRJ-34773,
PRHF-20960

Security Management

Policy installation on R81 (and below) Gateways may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725.

PRJ-32747,
PRHF-20512

Security Management

In a rare scenario, the FWM process unexpectedly exits.

PRJ-32803,
PRHF-20435

Security Management

The mgmt_cli tool (API) with certificate login may not work.

PRJ-34658,
PRHF-21286

Multi-Domain Management

In a Multi-Domain Management environment, when fetching a LDAP branch using the "fetch" button from the Global Domain tab, the operation may fail.

PRJ-34010,
PMTR-75229

SmartProvisioning

The CPD process may consume a high CPU after an upgrade of the Security Management Server that manages devices through LSM Profiles.

PRJ-32374,
PRHF-18699

Logging

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

PRJ-32581,
PRHF-20447

Logging

In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.

PRJ-32019,
PRHF-20117

Logging

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

PRJ-30551,
PRHF-19084

Logging

In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783.

PRJ-38237,
PMTR-81910

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

PRJ-31667,
PMTR-68092

Security Gateway

UPDATE: Added Connection and Packet Distribution statistics in CPView.

PRJ-33275,
PMTR-26836

Security Gateway

The control connection may not be refreshed together with data connection if the data connection is accelerated. Refer to sk168952.

PRJ-33211,
PRHF-20674

Security Gateway

The dlpu process may unexpectedly exit, producing a core dump file.

PRJ-33999,
PRHF-18340

Security Gateway

In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout.

PRJ-34257,
PRHF-20783

Security Gateway

It may not be possible to use the Office 365 Tenant Restrictions feature when ICAP client is enabled.

PRJ-33613,
PRHF-20810

Security Gateway

In a rare scenario, the FWD process may unexpectedly exit.

PRJ-35096,
PRHF-16013

Security Gateway

Policy installation may fail when reaching out of memory on the Security Gateway.

PRJ-35008,
PRHF-21742

Security Gateway

The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228.

PRJ-32793,
PRHF-20498

Security Gateway

Matched rules on Inline layer may appear as the "Accept'"/ "Drop" action instead of "Inline".

PRJ-32927,
PRJ-32352

Security Gateway

When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics".

PRJ-31209,
PRHF-19333

Security Gateway

The Security Gateway may crash during policy installation due to memory allocation problems.

PRJ-37417,
PMTR-74360

Security Gateway

In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file.

PRJ-34269,
PRHF-19587

Security Gateway

The log_exporter process may consume a high CPU.

PRJ-36993

Security Gateway

  • On 2200 appliances, the CPD process may unexpectedly exit because of sensor read failure.
  • Sensor table values for 3600, 3600T, 3800, 6200B, 6200P, 6200T, 6400, 6600, 6700, 6900, 7000, 600-S are incorrect.

PRJ-30446,
PRHF-17552

Threat Prevention

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space.

PRJ-34706,
PMTR-77304

Threat Prevention

In a rare scenario, after excessive memory usage, kernel may crash.

PRJ-33848,
PMTR-76135

Threat Prevention

Threat Prevention policy may fail when the MITRE tactic ID value is invalid.

PRJ-35822,
PRHF-21396

Identity Awareness

On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

PRJ-34516,
PRHF-20998

URL Filtering

In a rare scenario, when URL Filtering Blade is active, in Website categorization background mode, the FWK process may unexpectedly exit and create a core dump.

PRJ-29429,
PRHF-18966

IPS

When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated.

PRJ-34646,
PRHF-21416

DLP

In some scenarios, DLP (Data Loss Prevention) Blade may not delete temporary files used for scanning.

PRJ-33003,
PMTR-75153

SSL Inspection

UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2.

PRJ-34975,
PMTR-77321

SSL Inspection

In rare scenarios, the WSTLSD daemon may unexpectedly restart.

PRJ-33956,
PMTR-75000

SSL Inspection

A connectivity issue may occur after changing the Security Gateway's name and installing policy.

PRJ-35783,
PMTR-76030

SSL Inspection

When running cipher_util in any VS other than VS0, the "Cannot access features configuration directory" error is shown.

PRJ-34702,
PMTR-76511

SSL Inspection

Connections may hang and reach a timeout during browsing if the number of WSTLSD instances is reduced through configuration settings.

PRJ-33670,
PMTR-75807

SSL Inspection

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

PRJ-36356,
PMTR-79533

SSL Inspection

A connectivity issue may occur with certain TLS clients.

PRJ-36497,
PMTR-79264

SSL Inspection

In a rare scenario, the WSTLSD process may unexpectedly exit while validating signatures of sites with improper certificate chains.

PRJ-36300,
PMTR-76171

SSL Inspection

A memory leak related to TLS probe may occur in the WSTLSD process.

PRJ-35934

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

PRJ-38371,
PRHF-23291

ClusterXL

The Security Gateway may drop multicast packets after policy installation.

PRJ-36472,
PRHF-21775

SecureXL

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

PRJ-33583,
PMTR-75970

SecureXL

In some scenarios, Security Gateway may drop fragmented Cluster LS packets.

PRJ-35770,
PMTR-77756

Routing

UPDATE: ROUTED debug log will now show IP addresses.

PRJ-34712,
PMTR-73184

Routing

In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order.

PRJ-33627,
PMTR-73794

Routing

An OSPFv2 graceful restart with authentication may cause an outage.

PRJ-30715,
PRHF-18975

Routing

Connectivity issues may occur after configuration of route-base VPN (VTI interface). Refer to sk176368.

PRJ-37476,
PMTR-80602

Identity Awareness,
Identity Logging

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

PRJ-32700,
PRHF-14110

Identity Awareness

Memory usage may be high for the PDPD process in a scenario, related to Identity Awareness nested groups in state 2 and 4.

PRJ-28220,
PRHF-15223

Identity Awareness

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

PRJ-35246,
PMTR-78041

Mobile Access

MAB Guacamole-based clientless RDP/SSH connections, when closed prematurely, may cause the GuacProxy process to consume 100% CPU.

PRJ-36060,
PRHF-22134

Mobile Access

Capsule Workspace cannot connect to a Mobile Access Gateway when the Citrix application is configured and allowed to the end-user's group.

PRJ-35978,
PMTR-74818

ClusterXL

A cluster failover may take longer than it should.

PRJ-34341,
PMTR-73930

SecureXL

The "fwaccel dos rate add" command may fail with the "Another fwaccel command is already in progress" error.

PRJ-36074,
PRJ-34902

SecureXL

In some scenarios, related to sending multicast packets, the ICMP errors may be shown.

PRJ-35388,
VPNS2S-2726

VPN

In some scenarios, the RIM script is not activated in DPD Tunnel monitoring.

PRJ-36181,
PMTR-78626

VPN

The FWK process may unexpectedly exit on a VS with an S2S VPN tunnel.

PRJ-34375,
PMTR-75526

VPN

In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure.

PRJ-34494

VPN

Remote Access users cannot connect when a certificate issued by a configured subordinate CA is used for authentication.

PRJ-35558,
PMTR-78436

VPN

A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured.

PRJ-35347,
PRJ-35405,
PRJ-35402,
PRJ-35399,
PRJ-35402,
VPNS2S-2770,
VPNS2S-2770,
VPNS2S-2822,
VPNS2S-2457,
VPNS2S-2848

VPN

IKEv2 improvements for DAIP Gateway behind Hide NAT.

PRJ-35767,
SMB-16977

VPN

Enhanced stability of Site-to-Site VPN with interoperable devices.

PRJ-35232,
PMTR-73490

VPN

SSL entries may not be deleted from the "vpn tu tlist" command output, although there was a graceful exit.

PRJ-35431,
PMTR-78314

VPN

In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment.

PRJ-35536,
PMTR-78432

VPN

A memory leak may occur in the VPND process when using remote Access Back Connection.

PRJ-35560,
PMTR-78462

VPN

A memory leak may occur in the VPND process when using Remote Access Secondary Connect.

PRJ-35344,
VPNS2S-2701

VPN

Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP IP which was configured before and had a connection from the DAIP Encryption Domain.

PRJ-35390,
VPNS2S-2769

VPN

Improved IKEv2 for working with DAIPs.

PRJ-35473,
PRJ-35306,
VPNS2S-2847,
PMTR-74009

VPN

Added VPN improvements for IKEv2 SA re-key.

PRJ-33657,
PRHF-21022

VPN

The VPND process may unexpectedly exit with a core dump file.

PRJ-35489,
VPNS2S-2740

VPN

In ike_sa_table there may be an entry with an IP address and not with a DAIP ID.

PRJ-36239,
PRHF-22206

VPN

A memory leak may occur in the VPND process.

PRJ-35001,
PMTR-77287

VSX

The "vsx_util reconfigure" command may fail without printing a reason which caused the error.

PRJ-34604,
PMTR-74840

VSX

In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch.

PRJ-31697,
PMTR-73594

Gaia OS

The "cpopenssl" command may fail with "No such file or directory".

PRJ-35004,
PMTR-77709

Gaia OS

Fixed the CVE-2020-14145 vulnerability.

PRJ-27910,
PRHF-17814

Harmony Endpoint

In some scenarios, logs related to Harmony Endpoint may be missing.

PRJ-32919,
PMTR-75175

CloudGuard Network

NEW:

  • Rule base search in SmartConsole now also matches rules with Data Center Objects.
  • In SmartConsole, it is now possible to see IP addresses of all the objects included in:
  • AWS VPC and Availability Zone,Azure Virtual Network, GCP Network
  • In SmartConsole, improved searching objects using tags.

PRJ-28480,
SMB-17079

CloudGuard Network

In rare scenarios, policy installation fails when adding a CloudGuard object to the NAT rulebase.

PRJ-35549,
PRHF-21841

CloudGuard Network

When there are VS's with the same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects.

PRJ-36275,
PRHF-22059

CloudGuard Network

In some scenarios, incorrect data center updates are pushed to the Gateway.

PRJ-36705,
ODU-244

Public Cloud CA Bundle

Added Take 14 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-38970,
PMTR-82980

Scalable Platforms

Packet drop may occur during Maestro Orchestrator reboot or performing the "orchd stop" command. Refer to sk178831.

PRJ-33452,
PMTR-75745

Scalable Platforms

In a rare scenario, after a reboot, there may be connectivity issues between a Gateway and Maestro Hyperscale Orchestrator (MHO).

PRJ-34217,
PMTR-76383

Scalable Platforms

In some scenarios, when accelerated policy installation is performed on a Security Gateway that does not have a valid policy, an obscure failure message is shown.

PRJ-36361,
PRHF-22250

Scalable Platforms

OSPF may install a route to the incorrect IP when configured as P2P. Refer to sk177686.

PRJ-35613,
PMTR-77091

Scalable Platforms

Setting the time on Quantum Scalable Chassis may fail with the "Failed to update the date WARNING: CliError( ) called without module or error code" error.

PRJ-37217,
PMTR-80218

Scalable Platforms

Local connection from a Standby site may be dropped if there is a switch between the sites. Refer to sk178045.

PRJ-34011,
PRJ-29821

Scalable Platforms

On a Scalable Platform configured in VSX mode, a new member added to a security Group, may stay in down state because of a false-positive license issue.

PRJ-36831,
ODU-287

HCP

Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 45

Released on 3 April 2022 and declared as Recommended on 6 April 2022

PRJ-38292,
PMTR-82069

SmartConsole

In some scenarios when R81.10 Jumbo Hotfix Accumulator Take 38 or Take 44 is installed, Install Policy Preset invokes policy installation on Gateways different from those that are defined.

Policy installation on multiple Gateways on MDS level triggers installation on one Gateway only.

Refer to sk178590.

Take 44

Released on 22 March 2022

PRJ-37387,
PRJ-37380

ClusterXL

Clock jumps forward/backward may cause some operations to fail and the cluster to go down.

PRJ-37607,
PRHF-22721

VoIP

In a cluster environment, the Gateway may crash with a vmcore.

PRJ-37850,
PRHF-22617

VoIP

A cluster member may crash generating a vmcore because of a mismatch in SIP tables.

See the Important Notes section.

PRJ-37423,
PMTR-79515

VSX

After deleting a warp interface in SmartConsole, the active VSX cluster member may crash.

PRJ-37959,
PMTR-81489

Gaia

UPDATE: Upgraded OpenSSL to 1.1.1n to fix CVE-2022-0778. Refer to sk178411.

Take 38

Released on 21 February 2022

PRJ-29396,
PMTR-72424

Security Management

NEW: Added support for Management API commands: "add-rules-batch" and "delete-rules-batch".

PRJ-29438,
PRHF-16947

Security Management

UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB.

PRJ-31866,
PRHF-17841

Security Management

UPDATE: The "show application-sites" Management API command returns additional fields for UIDs of primary category and additional categories.

PRJ-32893,
PRHF-20657

Security Management

UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165.

PRJ-32769,
PMTR-71549

Security Management

UPDATE: Meta-info and comments fields are now displayed in the output of the "show-tasks" API command with "details-level standard".

PRJ-32960,
ODU-154

Security Management

UPDATE: Added Update 13 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-31893,
PMTR-73413

Security Management

In some scenarios, the API command "show-changes" fails with "Diff operation failed: Unable to build the diff reply."

PRJ-31862,
PRHF-17606

Security Management

In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message.

PRJ-31861,
PRHF-17744

Security Management

The "show-gateways-and-servers" Management API command does not show policy information for cluster members.

PRJ-28817,
PRHF-18712

Security Management

In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

PRJ-28031,
PRHF-17915

Security Management

In some scenarios, the user may fail to connect to Remote Access VPN if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967.

PRJ-30885,
PMTR-62059

Security Management

In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file.

PRJ-30415,
PRHF-18883

Security Management

Scheduled IPS updates data may not be shown in the IPS update report.

PRJ-32093,
PRHF-20162

Security Management

When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured, may not appear in the results, although they match the IP.

PRJ-31942,
PMTR-73871

Security Management

Deleting an administrator with open sessions may fail with "An Internal error has occurred."

PRJ-30899,
PMTR-73253

Security Management

In rare scenarios, installing policy on an OSE device may fail with "Policy installation had failed due to an internal error".

PRJ-32042,
PRHF-20220

Security Management

In some scenarios, the $MDS_FWDIR/log/cpm.elg file contains many lines about "UnmarshalException".

PRJ-31674,
PMTR-73252

Security Management

In rare scenarios, policy installation cannot be executed while another policy installation is already in progress and stuck.

PRJ-31673,
PRHF-19891

Security Management

In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time.

PRJ-31702,
PMTR-72876

Security Management

In a Multi-Domain environment, in Gateways & Servers view, the option to filter Gateways by Domain is greyed out, although it should be enabled.

PRJ-29954,
PRHF-17767

Security Management

In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245.

PRJ-29911,
PRHF-18974

Security Management

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

PRJ-31976

Security Management

After creating a new LSM device through the API, the device editor in the SmartProvisioning GUI may unexpectedly close when editing the Topology configurations.

PRJ-31743,
PMTR-73756

Security Management

In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain.

PRJ-33465,
PMTR-71195

Security Management

While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the Configuration tab.

PRJ-29241,
PRHF-18890

Security Management

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805.

PRJ-30682,
PRHF-19185

Security Management

Policy installation with Directional VPN rules may fail with a verification error.

PRJ-31261,
PMTR-69264

Security Management

In some scenarios, the API command "login-to-domain" fails, and the cpm.elg log shows "Null Pointer Exception".

PRJ-30721,
PRHF-19439

Security Management

In a rare scenario, deleting an object using the API command "delete-generic-object uid" fails with "generic_error" and a "Runtime error: Error reading XMLStreamReader" message.

PRJ-31212,
PRHF-19215

Security Management

The CPM Server may fail to start while checking for pending purge operations during startup.

PRJ-30069,
PRHF-19326

Security Management

  • The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
  • On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

PRJ-32651,
PMTR-74947

Security Management

In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database.

PRJ-31083,
PRHF-19251

Security Management

In rare scenarios, the FWM process on the Security Management Server unexpectedly exits.

PRJ-30338,
PRHF-18150

Security Management

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

PRJ-32430,
PRHF-20440

Security Management

In rare scenarios, adding a service to a rule in Access Policy:

  • may take a long time (more than several seconds)
  • may cause SmartConsole to unexpectedly exit.

Refer to sk176004.

PRJ-32361,
PMTR-74598

Security Management

In some cases, when changing only the "color" and "comment" object fields, policy installation may not be accelerated.

PRJ-30037,
PRHF-19187

Security Management

  • The API command "show_packages_details" does not support the "OneTimeProb" parameter, although it is supported in GUI.
  • In some scenarios, the API command "show_packages" with "details-level full" fails with "generic_error".

PRJ-33135,
PRHF-20673

Security Management

When searching in Object Explorer with non-alphanumeric characters (non-Latin letters), no results are found even if there are objects that match the search query.

PRJ-32858,
PRHF-20444

Security Management

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

PRJ-34081,
PMTR-74982

Security Management

In some scenarios, after running an Ansible Playbook, objects are locked even though they were not changed.

PRJ-33554,
PRHF-20961

Security Management

When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead.

PRJ-32449,
PRHF-20062

Security Management

In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data".

PRJ-30532,
PRHF-19542

Security Management

Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out.

PRJ-32555,
PRHF-20390

Security Management

The "Show Policy Package" Tool shows only UID for a group object and its members instead of their name.

PRJ-34427,
PRHF-21356

Security Management

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

PRJ-30476,
PRHF-19577

Security Management

Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error.

PRJ-34201,
PMTR-76730

Security Management

High Availability synchronization fails when one Management Server is installed on an appliance of 6000 series and the other one is an Open Server, a Virtual Machine or installed on an appliance of different series.

PRJ-33952,
PRHF-20891

Security Management

The "fwm logexport" command may fail with the "Failed to dump tables from NGM" error when running it from the Global Domain on the Multi-Domain Server or from the Log Server.

PRJ-33288,
PRHF-20525

Security Management

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

PRJ-30060,
PRHF-19250

Security Management

In rare scenarios, after Management Server upgrade, importing the database may fail with "Tried to persist object".

PRJ-33980,
PRHF-21115

Security Management

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

PRJ-33865,
PRHF-21129

Security Management

When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout.

PRJ-32670,
PRHF-20485

Security Management

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

PRJ-34036,
PMTR-73939

Security Management

When many sessions are opened:

  • Publish operation may be slow
  • APPI Update may be stuck on 30% and eventually fail
  • Domain Import task may be stuck after 50% and then fail

PRJ-33243,
PRHF-20643

Security Management

In rare scenarios, after an update, the Management Server fails to start.

PRJ-36961,
PRHF-22500

Security Management

Policy installation and "where used" operation may take a long time if there are many inline layers and the "Install On" targets in the Rule Base are not defined as "Any". Refer to sk177928.

PRJ-33169,
PRHF-20782

Multi-Domain Management

The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/.

PRJ-30527,
PRHF-19541

Multi-Domain Management

In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail.

PRJ-36041

Web SmartConsole

UPDATE: Released Take 55 with new features and improvements. Refer to sk170314.

PRJ-27606

Compliance

In some scenarios, auto-update flow fails during updatable object registration.

PRJ-34294,
PMTR-75623

Compliance

After disabling Compliance Best Practices, the user receives security alerts.

  • Requires R81.10 SmartConsole Build 404 (or higher).

PRJ-35952

CPView

In CPView, under "Unified Policy", the "Transactions" and "Memory KB" parameters may be missing on devices with more than 100 interfaces.

PRJ-30665,
PRHF-19620

Logging

  • The "fw log" and "fwm logexport" commands may fail with "Error: Failed to read field".
  • The exported log file may not contain all logs.

Refer to sk176644.

PRJ-32030,
PRHF-19715

Logging

In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log.

PRJ-27593,
PRHF-17000

Logging

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

PRJ-29512,
PRHF-17325

Logging

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323.

PRJ-28325,
PRHF-17811

Logging

In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing.

PRJ-27737,
PRHF-12617

Logging

In SmartConsole:

  • In Gateways and Servers view, IP statuses may not be accurate
  • In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

PRJ-28127,
PRHF-17314

Logging

In rare scenarios, in SmartConsole, some logs are not shown.

PRJ-31799,
PRHF-17724

Logging

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

PRJ-32239,
PRHF-18539

Logging

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

PRJ-29125,
PRHF-18445

Logging

SmartEvent may not show some of the Anti-Virus logs.

PRJ-32589,
PRHF-20276

Logging

There may be empty values in the "Office Mode IP" field in the Logs view.

PRJ-32087,
PMTR-74297

Logging

A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic.

PRJ-32852,
PRJ-30722

Logging

In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545.

PRJ-28318,
PRHF-18428

Logging

The "Last Update Time" field of a Session Log may show incorrect values.

PRJ-31618,
PRHF-19834

Logging

Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543.

PRJ-30093,
PRHF-18939

Logging

In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403.

PRJ-34692,
PMTR-75532

Logging

In some scenarios, in an environment that includes the SmartEvent Server, the LOG_INDEXER process restarts at midnight, producing a core dump file. Refer to sk177805.

PRJ-31809,
PRHF-19710

Security Gateway

NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

PRJ-31274,
PMTR-73504

Security Gateway

UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229.

PRJ-34451,
PRHF-21182

Security Gateway

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

PRJ-33749,
PMTR-76138

Security Gateway

UPDATE: Added a new flag to the "dynamic_objects" command:

"-uo <name of object>". The user can now see all content of a specific updatable object.

PRJ-32074,
STRM-737

Security Gateway

UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6.

PRJ-30672,
PMTR-16149

Security Gateway

When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may freeze.

PRJ-30671,
PRHF-19179

Security Gateway

In rare scenarios, when a Security Gateway is configured as Proxy, a wrong NAT port reuse may happen for 5 minutes long proxied connections.

PRJ-29699,
PRHF-19097

Security Gateway

In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages.

PRJ-30615,
PRHF-19614

Security Gateway

In rare scenarios, when SACK is enabled, there may be connectivity issues.

PRJ-29542,
PRHF-19048

Security Gateway

After reboot and policy installation, the "No interface configured in SmartCenter server with name mdps_tun. Matching by IP address to interface Mgmt" error may be printed in fwk.elg.

PRJ-30694

Security Gateway

The "Matched rule is not found" error appear when using Suspicious Activity Monitoring (SAM) rules with source and destination networks, or with a NATed IP.

PRJ-33361,
PMTR-72975

Security Gateway

First policy installation after an upgrade may be followed by a warning message: "Updatable Objects are used in the policy but Gateway package is missing (see sk121877)".

PRJ-31969,
PMTR-74144

Security Gateway

In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.

PRJ-32338,
PMTR-72682

Security Gateway

Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message.

PRJ-33083,
PRHF-20436

Security Gateway

Extended logging may show a wrong status of Content Awareness Blade. The issue is only cosmetic.

PRJ-32636,
PMTR-74876

Security Gateway

When ISP Redundancy feature is enabled, the default route may disappear during an ISP's failover.

PRJ-30013,
PRHF-18938

Security Gateway

In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up.

PRJ-31219,
PRHF-19896

Security Gateway

When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED daemon may get incorrect cluster IPs for those tunnels. Refer to sk175887.

PRJ-33514,
PMTR-75878

Security Gateway

CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic.

PRJ-30181,
PRHF-19438

Security Gateway

In a rare scenario, policy push to multiple Security Gateways may fail. Refer to sk177963.

PRJ-31111,
PRHF-14366

Security Gateway

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

PRJ-28831,
PRHF-18098

Security Gateway

Improved the ICAP Server internal memory allocation logic.

PRJ-27611,
PRHF-18068

Security Gateway

A debug message is printed as an error.

PRJ-31272,
PMTR-57716

Security Gateway

The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424.

PRJ-32576,
PMTR-74852

Security Gateway

When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted.

PRJ-33126,
PRHF-20306

Security Gateway

In some scenarios, memory consumption and CPU usage may increase consistently. Refer to sk176370.

PRJ-30600,
PMTR-72836

Security Gateway

In a rare scenario, the Security Gateway may crash during policy installation.

PRJ-33607,
PMTR-75976

Security Gateway

When there are security zones configured in the NAT rulebase and the connection has NAT on the destination, the Security Gateway IP address may still be shown as the source IP, although it should not.

PRJ-32659,
PRHF-20471

Security Gateway

Security Gateway may unexpectedly reboot and create a vmcore file.

PRJ-30295,
PMTR-73017

Security Gateway

Enhanced Check Point Active Streaming (CPAS). Refer to sk177025.

PRJ-30784,
PRHF-19506

Security Gateway

Access Policy installation may fail with "Error code 1-2000078".

PRJ-32425,
PRHF-20294

VPN, Multi-Portal

UPDATE: Certificate validation flow will use OCSP as the default revocation validation method. If OCSP URL does not exist, CRL will be used as a revocation validation method.

PRJ-31018,
PRHF-19772

Internal CA

In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start.

PRJ-33251,
PRHF-20709

Internal CA, VPN

Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468.

PRJ-29927,
PRHF-19208

Threat Prevention

Threat Prevention policy installation may fail when loading 2 IoC feeds that contain the same signature name for one of the observables.

PRJ-32176,
PMTR-73319

Threat Prevention

In a rare scenario, Security Gateway may crash when the Advanced Forensics Details feature is enabled.

PRJ-33644,
PRJ-27750

Threat Prevention

When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages.

PRJ-36736,
PRHF-22353

Threat Extraction

In some scenarios, when Threat Extraction and Threat Emulation are both enabled, it may take a long time to scan the file before downloading, although there is no active content.

PRJ-32135,
MPTT-5094

Identity Awareness

An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher.

PRJ-32873,
PMTR-75155

Identity Awareness

When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause
one of the members to go down with a configuration pnote.

PRJ-27698,
PRHF-17620

Identity Awareness

The PDPD process may fail with "daemon did not respond or not running!" or cause a high CPU.

PRJ-30949,
IDA-4253

Identity Awareness

In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests.

PRJ-28056,
SPC-1602

Application Control

In a rare scenario, the SSM may encounter an issue and stop working.

PRJ-29770,
PRHF-18914

URL Filtering

In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped.

PRJ-27730,
PRHF-15859

IPS

The track logging configuration of Network Quota protection is not applied.

PRJ-28029,
PMTR-69049

IPS

In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade.

PRJ-28492,
PMTR-60451

IPS

In Autonomous Threat Prevention mode, "Profile Name" and "SmartDefense" fields may be missing in the IPS log.

PRJ-30804,
PMTR-70772

IPS

After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Gateways together, Gateways may consume more CPU during rule-match of new connections.

PRJ-30607,
PRHF-18893

DLP

UPDATE: Added temporary files cleaner for file converting operation.

PRJ-30427,
PRHF-17395

DLP

The dlpu process may unexpectedly exit with core dump file.

PRJ-32902,
PRHF-20458

SSL Inspection

In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file.

PRJ-32885,
PMTR-75079

SSL Inspection

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

PRJ-34447,
PRHF-21039

SSL Inspection

The fwk process may unexpectedly exit during the TLS handshake.

PRJ-31498,
PMTR-73619

SSL Inspection

When HTTPS Inspection is disabled and the "Categorize HTTPS websites" option is enabled, the "failed attaching RSA stub certificate to server" errors may appear in the fwk.elg and wstlsd.elg files during policy installation.

PRJ-33408,
PMTR-72934

SSL Inspection

In rare scenarios, TLS probing connections may remain open for extended periods.

PRJ-34273,
PMTR-76812

SSL Inspection

A memory leak may occur in the WSTLSD process during session resumption for TLS 1.2.

PRJ-31233,
SNX-67

SSL Network Extender

SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760.

PRJ-31176,
PMTR-73946

Mobile Access

UPDATE: Upgraded JQuery library version (from 1.1 to 3.6).

PRJ-33877,
PMTR-61452

Mobile Access

Policy installation may fail due to table creation issues.

PRJ-28361,
CORXL-251

ClusterXL

Clock jumps forward/backward may cause some operations to fail and the cluster to go down.

PRJ-32472,
PMTR-74101

ClusterXL

Added Syslog support for Cluster events messages.

PRJ-32951,
MBS-14928

ClusterXL

Identity Sharing in VSLS Mode may not work as expected.

PRJ-32941,
PMTR-75157

SecureXL

In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.

PRJ-30820,
PRHF-19417

SecureXL

In a rare scenario, after an upgrade, HTTPS traffic may be dropped.

PRJ-33357,
PMTR-75438

Routing

  • Security Gateway may crash when OSPF inserts or removes an LSA from its database.
  • Neighbor dead timers may have negative values.

PRJ-31488,
PRHF-19472

Routing

In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603.

PRJ-31474,
PMTR-68362

VPN

UPDATE: In policy installation, the type of messages, related to VPN certificate expiration, is changed from "info" to "warning". This issue is only cosmetic.

PRJ-30958,
PRHF-19492

VPN

Improvements for DAIP Gateway behind Hide NAT.

PRJ-31133,
PMTR-73498

VPN

In some scenarios, a memory leak may occur in the VPND process.

PRJ-32551,
PMTR-74599

VPN

A memory leak may occur during Office Mode IP allocation.

PRJ-32367,
PRHF-20315

VPN

Improved IKEv2 narrowing.

PRJ-31589,
PRHF-19959

VPN

In some scenarios, VPN tunnels statuses in SmartView Monitor are displayed incorrectly.

PRJ-28270,
PRHF-7443

VPN

A memory leak may occur in the VPND process.

PRJ-32131,
PMTR-74244

VPN

The output of the "vpn tu tlist" command may show a wrong date and time in "Authenticated at" line, although machine date and time settings are correct.

PRJ-31291,
PRHF-19707

VPN

Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417.

PRJ-30758,
PRHF-19484

VPN

In some scenarios, when NAT is enabled, Route Based VPN traffic may be dropped.

PRJ-30766,
PRHF-19548

VPN

In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file.

PRJ-30331,
PMTR-73629

VPN

In some scenarios, IKEv2 tunnel may not work due to SA expiration.

PRJ-32520,
PMTR-74732

VPN

Improved establishing IKEv2 tunnel with DAIP peer.

PRJ-32613,
PRHF-20449

VPN

In some scenarios, Remote Client connections in Visitor Mode may cause the fwk process to exit.

PRJ-32761,
PMTR-74107

VPN

The output of the "vpn tu tlist" command may show an incorrect type of S2S tunnels protocol.

PRJ-31701,
PMTR-73801

VPN

When the IKE daemon is enabled, VPN counters in CPView may show an incorrect value.

PRJ-32597,
PMTR-72056

VPN

In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue.

PRJ-29783,
PMTR-72241

VPN

Although the Simultaneous Login Prevention (SLP) feature is on, the user can connect with two clients and receive the same statically assigned Office-Mode IP.

PRJ-33835,
VPNRA-831

VPN

In rare scenarios, when SSL Network Extender (SNX) is in Application Mode, the VPND process may unexpectedly exit.

PRJ-33739,
PMTR-75801

VPN

When applying Secure Configuration Verification (SCV) VPN client is not able to distinguish between Windows 10 and Windows 11.

PRJ-36421,
PMTR-79305

VPN

In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit.

PRJ-33837,
PMTR-76280

VSX

UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode.

PRJ-32534,
PMTR-74770

VSX

UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

PRJ-28990,
PRHF-15744

VSX

In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

PRJ-33947,
PMTR-76402

VSX

Policy installation on a VS may fail after a cluster conversion between High Availability and Virtual System Load Sharing with the "vsx_util" command.

PRJ-30201,
PRHF-18610

Gaia OS

UPDATE: Added a Clish command "add/show/delete ntp interface" to choose to which interfaces the NTP daemon shall bind.

PRJ-34590,
PRJ-33871

Gaia OS

Enhanced SNMP module stability.

PRJ-32048,
PRHF-7124

Gaia OS

In some scenarios, adding a Gaia user may result in a high number of zombie sh processes. Refer to sk164259.

PRJ-31972,
PMTR-65544

Gaia OS

The minimum value of VBAT sensor on Quantum appliances is incorrect.

PRJ-31755,
PMTR-70869

Gaia OS

In some scenarios, after adding an SNMP USM user, the confd process may unexpectedly exit.

PRJ-30213,
PRHF-19017

Gaia OS

  • VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
  • IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

PRJ-28962,
PMTR-71672

Gaia OS

After an upgrade, a wrong cipher name appears in the supported cipher list. Refer to sk174863.

PRJ-28686,
PMTR-71763

Gaia OS

In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

PRJ-29066,
PMTR-62235

Gaia OS

Wrong output of the "set/delete ip-conflicts-monitor interface" command. The word "value" is printed multiple times. The issue is only cosmetic.

PRJ-33390,
EPS-33930

Harmony Endpoint

NEW: It is now possible to configure Super Node in Harmony Endpoint. Refer to sk171703.

PRJ-32247,
EPS-32816

Harmony Endpoint

NEW: Added new push operations to Endpoint Web Management:

  • Kill Process
  • Remote Command Execution
  • Application Scan

PRJ-32887

Harmony Endpoint

NEW:

  • Added ability to rename the Export Package.
  • Added persistent Notifications Center
  • Improved performance of Asset Management
  • Added extra fields to Asset Management table
  • It is now possible to configure user session idle time on premises
  • Added support for macOS Port Protection
  • Added Connection Awareness settings
  • Added ability to manage IoCs

PRJ-27849,
PRHF-18031

Harmony Endpoint

SmartEndpoint may show deleted certificates as expired.

PRJ-32646,
PRHF-20524

Harmony Endpoint

  • When in "cpconfig"-> "GUI clients"-> "Modify" the option "Any" is deleted, the Endpoint Security Server UEPM Apache cannot start.
  • When manually launching UEPM Apache the following output is shown: "AH00526: Syntax error on line 1 of /opt/CPuepm-R81/apache/conf/acl.conf:ip address 'Require' appears to be invalid"

Refer to sk176186.

PRJ-32391,
PRHF-19878

VoIP

When using SIP, memory usage may increase over time on Active and Standby members.

PRJ-34520,
ODU-200

Smart-1 Cloud

Added support for R81.10 automatic updates of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-31770,
PMTR-73896

CloudGuard Network

Improved the handling of NSX-T Data Center throttling issues.

PRJ-31773,
PRHF-19949

CloudGuard Network

In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway.

PRJ-32232,
CGIS-636

CloudGuard Network

The "vsec_lic_cli update" command now supports IP change in the license string.

PRJ-27904,
PRHF-16098

QoS

In a rare scenario, when QoS is enabled, in SmartView Monitor some traffic may be shown as "No Match".

PRJ-30236,
PRHF-18342

QoS

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

PRJ-34022,
MBS-14876

Scalable Platforms

NEW: Added the HealthCheck Point (HCP) test which validates ports link integrity for Maestro Orchestrator. Refer to sk171436.

PRJ-35159,
ODU-199

Scalable Platforms

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-31311,
PRHF-19908

Scalable Platforms

When IGMP snooping is disabled, using OSPF Multicast may lead to Anti Spoofing drops in SmartConsole.

PRJ-28812,
MBS-14165

Scalable Platforms

SNMP OID .1.3.6.1.4.1.2620.1.48.16 (asgSecureXLStatusBitmask) returns the status of SecureXL as enabled, even when it is not.

PRJ-32416,
MBS-14479

Scalable Platforms

In some scenarios, changing QSFP mode manually does not survive reboot.

PRJ-30617,
PMTR-70886

Scalable Platforms

Multiple traffic drops may occur on Scalable Platforms. Refer to sk173545.

PRJ-31406,
MBS-11234

Scalable Platforms

The "config_verify" command may fail in a Scalable Platforms environment.

PRJ-30630,
MBS-14105

Scalable Platforms

VPN tunnel may fail to establish with "dropped by vpn_inbound_pilicy_chain Reason: VPN inbound nat after vm failed". Refer to sk176404.

PRJ-33379,
MBS-14189

Scalable Platforms

VPN traffic may be dropped due to certificate issues.

PRJ-31507,
PRHF-19991

Scalable Platforms

During policy installation, AD Query may stop working in the Scalable Platforms environment.

PRJ-33185,
PMTR-75375

Scalable Platforms

RADIUS user that has gclish set as default shell cannot login into the Security Group on Scalable Platforms R81.10: "Unable to get user permissions". Refer to sk176364.

PRJ-31870,
MBS-14830

Scalable Platforms

Static routes related to a Warp interface may disappear after enabling the VMAC feature.

PRJ-34101,
MBS-15063

Scalable Platforms

Changing VLAN of an existing interface may cause ARP reply not to be processed by the Gateway. Refer to sk176929.

PRJ-31139,
MBS-14560

Scalable Platforms

Connectivity issues may occur on Identity Server (PDP) in large VSX setups.

PRJ-35011,
MBS-15055

Scalable Platforms

In a rare scenario, the CPD process may crash during policy installation.

PRJ-32678,
PMTR-72608

Scalable Platforms

When two sites with shared LACP bonds are connected to the same switch and VMAC is enabled on both of them, communication with the switch may be lost.

PRJ-34620,
MBS-14133

Scalable Platforms

In some scenarios, a physical link issue on a Maestro Gateway may cause an unexpected site failover, a cluster state change on other Gateways, or packet drops.

PRJ-32165,
PMTR-74488

Scalable Platforms

When the user manually uninstalls R81.10 Jumbo Hotfix Take 22 from an R81.10 Maestro Hyperscale Orchestrator (MHO), the MHO's REST Server remains down, potentially causing traffic issues. Refer to sk177323.

PRJ-31839,
MBS-14732

Scalable Platforms

The CMM is not updated with the time from a configured NTP Server. As a result, SGMs stay in Down state for a long time.

PRJ-31512,
CST-212

Carrier Security

The FWK process may unexpectedly exit producing a core dump when the GTP tunnel expires.

PRJ-34443,
ODU-217

HCP

Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-31774,
INFRA-528

Infrastructure

UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias.

PRJ-29412,
PRHF-19016

Infrastructure

Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452.

PRJ-29952,
PRHF-19115

Infrastructure

In a rare scenario, the user cannot connect to the Mobile Access Portal.

Take 30

Released on 13 January 2022 and declared as Recommended on 20 January 2022

PRJ-34732,
PRJ-34962

Security Management,

Harmony Endpoint

UPDATE: The Apache Log4j Java library is updated in order to harden the system. Check Point products are not vulnerable to Log4j.

This change is motivated by cyber hygiene best practices. For more information, refer to sk176865.

PRJ-32980,
PMTR-74061

CPView

In Overview, some data about disk space may be missing.

Take 22

Released on 22 December 2021 and declared as Recommended on 2 January 2022

PRJ-32158,
PMTR-74372

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51.

PRJ-33545,
PMTR-74799

Threat Prevention

When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947.

PRJ-30316,
PMTR-72515

Gaia OS

NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612.

PRJ-33515,
PMTR-75891

Gaia OS

Potential vulnerability related to specific Gaia API command on VSX systems.

PRJ-33710,
PRJ-32546

Gaia OS

In a rare scenario, the Security Gateway fails to boot when working in USFW (User-Space Firewall) mode.

PRJ-33205,
PMTR-75443

Gaia OS

Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128.

PRJ-31238,
PRHF-19757

QoS

QoS policy installation may fail with "Error - service out of range". Refer to sk175467.

PRJ-34547,
PMTR-77169

Scalable Platforms

After an upgrade of Maestro Orchestrator from R80.20SP Jumbo Hotfix Take 313-317 to R81.10 Jumbo Hotfix Take 14, there may be traffic issues. Refer to sk176945.

Take 14

Released on 22 November 2021

PRJ-30364,
PMTR-63855

Security Management

UPDATE: Added new flags for Management API commands "add/set simple-gateway" and "add/set simple-cluster":

  • "nat-hide-internal-interfaces" and "nat-settings" for NAT configuration
  • "fetch-policy" for Fetch Policy configuration
  • "advanced-settings.sam" for SAM configuration
  • "advanced-settings.connection-persistence" for Connection Persistence configuration.

PRJ-29235,
TPM-2843

Security Management

UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information.

PRJ-32347,
PMTR-74618

Security Management

Network objects groups with more than 101 members may not be enforced correctly on the Security Gateway. The Security Gateway will only match 101 members of the group. Refer to sk176065.

PRJ-30055,
PRHF-18928

Security Management

In rare scenarios, the FWM process may unexpectedly exit and fail to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007.

PRJ-29189,
PRHF-18470

Security Management

In a rare scenario, High Availability full synchronization may fail due to a large number of records.

PRJ-29100,
PRHF-18749

Security Management

In some scenarios, it is possible to disable a parent rule for the Domain Policy.

PRJ-29005,
PRHF-18817

Security Management

In some scenarios, publish operation fails with the "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703.

PRJ-29306,
PMTR-72376

Security Management

In environments with a large number of objects, licenses for cluster members in the Licenses tab may not be displayed.

PRJ-28650,
PRHF-18202

Security Management

In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain.

PRJ-28479,
PRHF-18549

Security Management

In a rare scenario, when Identity Awareness Blade is enabled, policy verification on an LSM Profile may fail.

PRJ-28537,
PRHF-18063

Security Management

In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error.

PRJ-28897,
PRHF-18677

Security Management

If there are no explicit rules in one or more policy layers, policy verification may fail with the "No active rules found in the Security Policy" error.

PRJ-28786,
PRHF-18557

Security Management

In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes.

PRJ-28778,
PRHF-11027

Security Management

The "show-global-assignment" command returns the default limit when the limit request is greater than the default limit.

PRJ-28002,
PRHF-18245

Security Management

If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.

  • Requires R81.10 SmartConsole Build 402 (or higher).

PRJ-27500,
PRHF-16657

Security Management

Policy installation to multiple Gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy.

PRJ-27501,
PRHF-17230

Security Management

In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.

PRJ-27503,
PRHF-17558

Security Management

In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely.

PRJ-28571,
PRHF-18422

Security Management

In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" message. Refer to sk174645.

PRJ-28300,
PRHF-18362

Security Management

In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.

PRJ-28294,
PRHF-18210

Security Management

In rare scenarios, High Availability incremental synchronization may fail with a wrong status message.

PRJ-28089,
PMTR-70942

Security Management

In some scenarios, the Administrators view may not filter Domain names according to the permission profile of the connected administrator.

PRJ-28158,
PRHF-17926

Security Management

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

PRJ-29159,
PRHF-18883

Security Management

Scheduled IPS updates data may not be shown in the IPS update report.

PRJ-29899,
PRHF-18828

Security Management

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

PRJ-30047,
PMTR-72849

Security Management

The Management API command "show-sessions" may return sessions that were purged and no longer exist in the Management database.

PRJ-29518,
PMTR-72306

Security Management

In rare scenarios, when installing a policy immediately after publishing a session, the installation is not accelerated.

PRJ-29790,
PRHF-17037

Security Management

In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005.

PRJ-30031,
PRHF-15460

Security Management

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

PRJ-29969,
PRHF-19308

Security Management

In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X.

PRJ-29470,
PRHF-19006

Security Management

In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866.

PRJ-29791,
PMTR-73142

Security Management

When initiating the Secure Internal Communication (SIC) for LSM objects using management API:

  • When using the LSM API commands for a large batch of devices, failures with an "Establish SIC failed. Reset SIC on gateway and try again." message may occur. When trying to re-initiate the SIC for a specific device, the SIC is successfully created.
  • In Multi-Domain Server (MDS) environments, the SIC certificate is created at the Global level instead of the Domain level.

PRJ-30020,
PMTR-72786

Security Management

In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error.

PRJ-27765,
PRHF-17484

Security Management

The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level.

PRJ-29200,
PRHF-18782

Security Management

After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message.

PRJ-30101,
PRHF-19248

Security Management

In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it.

PRJ-31536,
PRHF-20007

Multi-Domain Management

High Availability synchronization status in the Global Domain may show "Unknown" for some Multi-Domain Log Modules (MLM) in environments with more than 6 MDS's/MLM's.

PRJ-29312,
PRHF-18767

SmartConsole

The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911.

PRJ-29805

Web SmartConsole

Added enhancements for Task Manager and policy installation. Refer to Take 48 in sk170314.

PRJ-30371,
PRJ-30370

CPInfo

UPDATE: Added CPInfo Build 914000219. Refer to sk92739.

PRJ-29826,
PMTR-72671

SmartView

UPDATE: In SmartView, new MITRE ATT&CK techniques were added to the heatmap view.

PRJ-31152,
SL-5634

Logging

NEW: SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452.

PRJ-28084,
PRHF-18157

Logging

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

PRJ-27883,
PRHF-17285

Logging

In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume a high CPU.

PRJ-28342,
PMTR-69859

Logging

In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority.

PRJ-29031,
PRHF-17596

Logging

In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report.

PRJ-25441,
PRHF-17184

Logging

On a Management Server, with SmartEvent enabled and many networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239.

PRJ-29577,
PRHF-15052

Security Gateway

NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.

PRJ-29444,
PMTR-72448

Security Gateway

UPDATE: The default value for the kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560.

PRJ-28854,
PRHF-18624

Security Gateway

UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters.

PRJ-31371,
PRHF-19693

Security Gateway

Improved the handling of a large number of sessions per single HTTP/S connection.

PRJ-29131,
PRHF-18716

Security Gateway

In rare scenarios, policy installation may fail with an "Operation failed, install/uninstall has been improperly terminated "message.

PRJ-30205,
PMTR-72814

Security Gateway

In some scenarios, NATed VPN traffic may be routed out through the wrong interface. Refer to sk176785.

PRJ-29528,
PRHF-18984

Security Gateway

In a very rare scenario, the ICAP Server may crash with a core dump file generated.

PRJ-29506,
PRHF-18863

Security Gateway

In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.

PRJ-29421,
PMTR-71855

Security Gateway

In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673.

PRJ-29223,
PRHF-17436

Security Gateway

In some scenarios, the WSDNSD process may unexpectedly exit and create a core file. Refer to sk173627.

PRJ-29080,
PRHF-17872

Security Gateway

In rare scenarios, a duplicate entry may appear in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic.

PRJ-29089,
PRHF-13493

Security Gateway

In some scenarios, the CPD process may consume a high CPU because of the memory leak in FDT (File Download Tool).

PRJ-29095,
PRHF-18786

Security Gateway

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

PRJ-27652,
PMTR-70634

Security Gateway

Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.

PRJ-28811,
PRHF-18657

Security Gateway

Added cosmetic fixes of the cpwd_admin list command output.

PRJ-28412,
PRHF-17942

Security Gateway

In some scenarios, the ROUTED process may unexpectedly exit.

PRJ-28105,
PRHF-18024

Security Gateway

In a rare scenario, a memory leak may occur on the Security Gateway.

PRJ-27561,
PRHF-17949

Security Gateway

In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188.

PRJ-29140,
PRHF-18403

Security Gateway

The cpsicdemux process may unexpectedly exit, causing the Secure Internal Communication (SIC) connection to fail.

PRJ-30014,
PMTR-68272

Security Gateway

In a rare scenario, CPView may show incorrect SecureXL statistics per VS.

PRJ-28874,
PRHF-18560

Security Gateway

In a rare scenario, when using ICAP client, Security Gateway may crash.

PRJ-28555,
PMTR-71632

Security Gateway

Capsule Workspace end users may fail to authenticate to their Exchange mail Server via Mobile Access SSO when authenticated with Kerberos, and the end users belong to many user groups or user groups with very long names.

PRJ-29744,
PMTR-72615

Security Gateway

In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated. Refer to sk11088.

PRJ-30216,
MPTT-4834

Security Gateway

In some scenarios, policy installation may take longer or fail when GEO Updatable Objects are used in the policy.

PRJ-30149,
PRHF-17386

Security Gateway

There is no option to enable hyperthreading via cpconfig.

PRJ-30252,
PMTR-70219

Security Gateway

Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log.

PRJ-29589,
PRHF-19049

Security Gateway

In a rare scenario, Security Gateway may crash.

PRJ-27165,
PRHF-17760

Security Gateway

In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs.

PRJ-28681,
AVIR-1444

Threat Prevention

UPDATE: Added the option to remove proxy usage in IoC_feeds tool.

PRJ-28521,
TPP-1291

Threat Prevention

In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed.

PRJ-28765,
PMTR-71415

Threat Prevention

In some scenarios, when using OpenSSH 8.2 Server, file download fails after starting the transfer.

PRJ-28975,
PRJ-28939

Threat Prevention

Improved telemetry for Infinity Vision SOC.

PRJ-27437,
PRJ-28137

Threat Extraction

In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg.

PRJ-27436,
PRJ-32354,
PRJ-32353,
PMTR-67604

Identity Awareness

NEW: Added automatic mechanism to exclude service accounts on PDP Gateway to improve both PDP performance and functionality. The default threshold value for Identity Collector Service Accounts exclusion is 100. Refer to sk174266.

PRJ-29404,
IDA-4087

Identity Awareness

Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull.

PRJ-27477,
PRHF-18015

Identity Awareness

When using sk167118, the user may fail to authenticate if the "Ask user for password" checkbox is enabled.

PRJ-28129,
PMTR-69981

Identity Awareness

In some scenarios, the "Browser Transparent Single Sign-On" portal may not use the certificate associated with the IP address resolved from the portal's main URL. Refer to sk174869.

PRJ-27942,
IDA-4112

Identity Awareness

In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105.

PRJ-29615,
PRHF-18943

Identity Awareness

In a rare scenario, some IPv6 sessions may get deleted due to incorrect update of Identity Gateway (PEP) kernel tables.

PRJ-28117,
PRHF-17768

Application Control

UPDATE: Improved matching of URLs for custom applications.

PRJ-29308,
PMTR-72312

URL Filtering

In some scenarios, HTTPS connections to servers with untrusted certificates are held and not resumed (page cannot load).

PRJ-28637,
PMTR-65461

IPS

Proxy source IP address is not printed in the IPS logs.

PRJ-28246,
PRHF-18338

IPS

In some scenarios, HTTP Parser in the CPView statistics may show incorrect values for connections with more than 50 sessions.

PRJ-27960,
PRHF-18158

IPS

In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open.

PRJ-29942,
PRHF-18992

IPS

In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.

PRJ-28740,
PRHF-17049

IPS

In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588.

PRJ-32498,
PRJ-32415

IPS

In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process.

PRJ-31761,
PMTR-73790

IPS

Improved the handling of decoded HTTP/S traffic.

PRJ-29193,
TPP-1157

Anti-Bot

UPDATE: Improved the performance of Anti-Bot URL Reputation.

PRJ-29477,
PMTR-72234

SSL Inspection

In some scenarios, a memory leak may occur when creating ECDHE keys.

PRJ-31203,
PMTR-73538

SSL Inspection

If TLS 1.3 is enabled, using imported ECDSA certificates for HTTPS Inspection may cause the Security Gateway to crash.

PRJ-31150,
PMTR-72409

SSL Inspection

A memory leak, related to TLS probing, may occur in the WSTLSD process.

PRJ-31151,
PMTR-72136

SSL Inspection

In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur.

PRJ-30461,
PRHF-19516

SSL Inspection

In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.

PRJ-30702,
PMTR-72756

SSL Inspection,
VPN

A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers.

PRJ-28259,
PRHF-16057

Mobile Access

In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client.

PRJ-28069,
VPNRA-761

Mobile Access

In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit.

PRJ-29276,
PRJ-29270,
PRJ-29263,
PRHF-3700,
PRHF-3742,
PRHF-3784

Mobile Access

In some scenarios, a memory leak may occur in the CVPND process.

PRJ-30383,
PRHF-19273

ClusterXL

In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize.

PRJ-28285,
PMTR-71419

ClusterXL

Scalable Platform Gateway may drop traffic as "Out of State" when static NAT is configured for the destination IP Address. Refer to sk174234.

PRJ-31796,
MBS-14715

ClusterXL

In some scenarios, during an upgrade to R81.10SP, a failover fails with a crash.

PRJ-27229,
PMTR-70242

SecureXL

TCP packets may be dropped as "TCP out of state" although following sk11088.

PRJ-27227,
PRHF-17734

SecureXL

Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file.

PRJ-28287,
PRJ-28054

SecureXL

In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly.

PRJ-29498,
ROUT-1745

Routing

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

PRJ-28959,
PRHF-17739

Routing

The ROUTED process may unexpectedly exit.

PRJ-29321,
ROUT-1721

Routing

AS path loops may occur, although BGP multihop is configured.

PRJ-29894,
PRHF-19268

Routing

In some scenarios, when BootP is configured, during policy installation, the Security Gateway may become unresponsive and the ROUTED process may crash.

PRJ-31128,
PMTR-73496

Routing

In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending.

PRJ-28173,
PMTR-71425

VPN

NEW: Added StrongSwan clients counter to the VPN TU Tool.

PRJ-27857,
PMTR-71136

VPN

When deleting an entry from m_ht hash table, a memory leak may occur.

PRJ-28028,
PMTR-71319

VPN

When StrongSwan client connecting with a RADIUS user, it may not receive an Office Mode IP address.

PRJ-28514,
PRHF-18408

VPN

In some scenarios, a memory leak may occur on the Security Gateway.

PRJ-28507,
PRHF-18400

VPN

A memory leak may occur in the VPND process.

PRJ-28076,
PRHF-18369

VPN

A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249.

PRJ-28576,
PRHF-17880

VPN

In some scenarios, Server connections to Remote Access L2TP clients may be unstable.

PRJ-29298,
PMTR-72019

VPN

Added VPN IKEv2 improvements.

PRJ-28754,
VPNS2S-2506

VPN

Added IKEv2 improvement for DAIP peer.

PRJ-29284,
PRHF-18818

VPN

In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process.

PRJ-28773,
PMTR-71850

VPN

In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation.

PRJ-28266,
PRHF-18295

VPN

A memory leak may occur when clearing the CRL cache file.

PRJ-29484,
PMTR-72463

VPN

A memory leak may occur in the VPND process in IKEv2 Site to Site VPN.

PRJ-28557,
PMTR-20176

VPN

In some scenarios, when sending the SCV drop log, a memory leak may occur.

PRJ-30971,
VPNS2S-2692

VPN

In a rare scenario, a memory leak may occur in the IKED process.

PRJ-29533,
PRHF-18564

VPN

RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode.

PRJ-31109,
PRJ-31116,
PMTR-73487,
PMTR-73488

VPN

In some scenarios, a memory leak may occur in the VPND process.

PRJ-31149,
PMTR-73511

VPN

In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site.

PRJ-30870,
PRHF-19755

VPN

A memory leak may occur in the VPND process.

PRJ-29554,
PRHF-18753

VSX

After reboot, the VS's clish static arps configurations exist, but the static arps may be missing.

PRJ-28180,
PMTR-71418

VSX

In a rare scenario, the "asg perf" command may take up to 90 seconds to update the data. The information may differ from CPView results.

PRJ-28143,
PMTR-71406

VSX

In some scenarios, running the "asg perf" command with -vv flag fails.

PRJ-30277,
PMTR-72997

Gaia OS

UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes.

PRJ-27697,
PRHF-17721

Gaia OS

When a non-TACACS user logs out from WebUI, there is a "Cannot get pid" error message in the /var/log/messages file.

PRJ-28414,
PRHF-17216

Gaia OS

After 248 days of up time, the VMSS Gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413.

PRJ-27614,
PRJ-27612

Gaia OS

If NTPD service is configured in MDPS settings, the NTPD error logs appear in var/log/messages after a reboot.

PRJ-26999,
PRHF-17900

Gaia OS

Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703.

PRJ-28798,
PRHF-18683

Gaia OS

In a rare scenario, a memory leak may occur in the monitord process.

PRJ-26456,
GAIA-8922

Gaia OS

The Link Layer Discovery Protocol (LLDP) sends the hostname with a dot when the Domain name is empty.

PRJ-29179,
PRHF-17857

Harmony Endpoint

Remote installation push operation "Deployed new Endpoints" does not work on Servers on premises because of self-signed certificates.

PRJ-29974,
PRHF-16925

Harmony Endpoint

In some scenarios, a query which counts host_ckp objects may return more results than expected. It leads to a memory leak with the "Out Of Memory" error.

PRJ-31101,
PRHF-16439

Harmony Endpoint

Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM Blade is not activated.

PRJ-29860,
PRHF-17602

Harmony Endpoint

UPDATE: In SmartEndpoint, besides FDE Remote Help, Bitlocker Management Recovery is now available for administrators with limited rights.

PRJ-30516,
PMTR-73094

Harmony Endpoint

In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://".

PRJ-29514,
VSECC-1418

CloudGuard Network

NEW: In Amazon Web Services (AWS):

  • Added Load Balancers tags. The tags can now be viewed in SmartConsole and added to the rulebase.
  • Added support for IMDSv2

To enable the feature:

  1. Edit the $FWDIR/conf/vsec.conf file on the Management Server and add the line: aws.enableLoadBalancersTags=true

  2. From SSH run: vsec stop;vsec start

Note: This feature requires adding DescribeTags and DescribeLoadBalancers permissions to the AWS Data Centers accounts.

NEW: In Azure:

  • Added Application Security Groups
  • Added Private Endpoints

To enable the feature:

  1. Edit the $FWDIR/conf/vsec.conf file on the Management Server and add the line: azure.enableAsgAndPep=true

  2. From SSH run: vsec stop;vsec start

Note: This feature requires adding permissions to list Application Security Groups and Private Endpoints.

 

NEW: In AWS, Azure and Google Cloud Platform (GCP):

Added support for API calls with HTTP response with reason-code only (without reason-phrase).

 

PRJ-29652,
PRHF-17648

CloudGuard Network

Amazon Web Services (AWS) Data Center scan may fail and no updates are sent to the Security Gateway.

PRJ-29623,
PRJ-28171,
PMTR-60092

CloudGuard Network

In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds.

PRJ-32479

Scalable Platforms

UPDATE: Added support for Bridge Mode in Maestro Security Group.

PRJ-32689

Scalable Platforms

UPDATE: Added support for Maestro Hyperscale Orchestrator MHO-175.

PRJ-27336,
PMTR-70850

Scalable Platforms

Added a cosmetic fix in asgPeaksTable.

PRJ-29981,
MBS-12054

Scalable Platforms

The outage may occur when configuring OSPF over VPN/VTI interface because of missing cluster IP address for VPN/VTI interface.

PRJ-27625,
MBS-14079

Scalable Platforms

In rare scenarios, when running the "snmpwalk" command, multiple irrelevant error logs may appear in /var/log/messages.

PRJ-27512,
PRHF-17895

Scalable Platforms

In a rare scenario, a memory leak that requires constant reboots may occur.

PRJ-29153,
PMTR-71771

Scalable platforms

In some scenarios, Maestro Orchestrator SDK may stop responding until restarting the Orchestrator service.

PRJ-30025,
MBS-13662

Scalable platforms

When rebooting a member from the standby site, it may send GARP when booting and cause a connectivity issue. Refer to sk176523.

PRJ-30286

Scalable platforms

Packet drop may occur after Maestro Orchestrator reboot.

PRJ-27157,
PMTR-70678

Scalable Platforms

After adding a new user via WebUI, asg_diag may fail on configuration test (config_verify -v) due to inconsistent value in the database. The issue is only cosmetic.

PRJ-29516,
PMTR-72141

Scalable Platforms

After setting a specific range of Blades in gclish, some commands may fail.

PRJ-30023,
ODU-181

HCP

Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 09

Released on 30 August 2021 and declared as Recommended on 18 October 2021

PRJ-25588,
PMTR-68823

Security Management

NEW: Added new features to the Changes report:

  • Summary section to rule

  • Administrator and session info to rule

  • "Back to top" button

PRJ-28702,
ODU-112

Security Management

Added Update 11 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-27622,
PMTR-69273

Security Management

In a rare scenario, the "Install Database" task may continue to run indefinitely.

PRJ-29485

Security Management

When adding a new Multi-Domain Server to an existing environment and connecting to the System Domain of the newly added server, Domains are not shown in the Domains view.

PRJ-27717,
PRHF-17205

Logging

In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command.

PRJ-29754,
PRHF-19043

Security Gateway

In rare scenarios, the Security Gateway may failover while handling the HTTP/2 stream.

PRJ-28608,
PMTR-68865

Threat Prevention

Large file transfer in connections inspected by SSH Deep Packet Inspection (SSH DPI) may fail if SSH renegotiation is performed during the transfer.

PRJ-27435,
PMTR-67597

Identity Awareness

NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.

  • The feature is disabled by default. To enable it, refer to sk128212.

PRJ-27434,
PRJ-28656,
PRJ-21304

Identity Awareness

NEW: Added support for SAML authentication method for Remote Access VPN. Refer to sk172909 for configuration instructions.

Requires R81.10 SmartConsole Build 400 (or higher).

PRJ-28540,
PMTR-71636

ClusterXL

During Multi-Version Cluster (MVC) upgrade with R81 Jumbo Hotfix Take 34, the "MVC WARNING uninitialized VPN table" message frequently appears in log. Refer to sk174445.

PRJ-27592,
PMTR-69876

Gaia OS

A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC).

PRJ-27795,
PRHF-18108

Harmony Endpoint

In some scenarios, Endpoint Firewall starts dropping all network traffic after the Management server upgrade from R80.10

PRJ-29801,
PMTR-72677

Harmony Endpoint

In some scenarios, the Endpoint server may stop responding to the Endpoint clients.

PRJ-28017,
PMTR-71262

Scalable Platforms

In some scenarios, bond interface slave fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00.

PRJ-28125,
PRJ-28053

Scalable Platforms

In some scenarios, the Maestro Gateway leaves the Security Group.

PRJ-29239,
PRHF-18948

Scalable Platforms

Configuring HA bond in VSX may lead to crash upon active slave change.

PRJ-27262,
MBS-14076

Scalable Platforms

The "asg perf" command may fail when it calculates the average load of CPU cores when CoreXL uses all CPU cores available in the Security Group.