List of All Resolved Issues and New Features in R81.10 Jumbo Hotfix Accumulator

 

Review the Important Notes section before installing a new Take.

ID

Product

Description

Take 170

Released on 7 October 2024

Take 170 - New Functionality

 

PRJ-55546,
PMTR-104635

SmartProvisioning

NEW: Added a new "show-statuses" boolean parameter to the "show lsm-gateway" and "show lsm-cluster" Management API commands. When set to "true", this parameter displays the Security Policy and Provisioning Settings statuses for the LSM Security Gateway or Cluster.

Take 170 - Improvements and Resolved Issues

 

PRJ-56467,
PMTR-107058

Gaia OS

UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Refer to sk182516.

PRJ-54682,
PMTR-104266

Mobile Access

UPDATE: Resolved CVE-2024-31497. The Putty version used in the Mobile Access Portal Embedded SSL Network Extender application is upgraded from version 0.80 to version 0.81.

PRJ-54419,
PRHF-33584

Security Management

UPDATE: Policy installation duration with hundreds of layers is improved by approximately 30%.

PRJ-54498,
PRHF-33612

Security Gateway

UPDATE: Optimized the Generic Data Center JSON file processing on the Security Gateways to improve performance when handling large numbers of IP ranges.

PRJ-47654,
PRHF-29103

Security Gateway

UPDATE: Added ability to increase/decrease DNS cache table size.

PRJ-51070,
PRHF-30910

Logging

UPDATE: Port 8211 now accepts connections with the cipher ECDHE_RSA_AES_256_GCM_SHA384.

PRJ-55746,
PMTR-104855

Threat Prevention

UPDATE: Added the "trackSettings.forensics" parameter to the "threat-rule" Management API command to enable and disable the "forensics" option in the "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true".

PRJ-54137,
PMTR-103001

SSL Inspection

UPDATE: Added a log for connections rejected because of short Server certificate public key size (RSA 1024 bits or less, ECDSA 256 bits or less).

PRJ-56219,
PMTR-98920

Scalable Platforms

UPDATE: It is now possible to add more than fourteen members per site in a Single Site topology.

PRJ-56680,

PRJ-57026,

PRJ-57262,

ODU-2035,

ODU-2019,

ODU-1955

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 118 , Take 119, Take 120 via self-updatable package. Refer to sk170314.

PRJ-57326,
ODU-1979

Automatic Updates - HCP

UPDATE: Added Update 19 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-56211,
PRHF-35143

Security Management

The database size on the Secondary Management Server increases if dbedit is used without making or saving any changes. Refer to sk182519.

PRJ-57032,

PRHF-30884

Security Management

Log queries fail with the error "Problems have occurred during search" when Domain migration is in progress. This occurs specifically during the execution of "export-management" or "import-management" Management API commands.

PRJ-55928,
PRHF-34912

Security Management

The Revisions Purge process may stall if initiated after restarting the Security Management Server or Multi-Domain Security Management Server because of remnants of a previously interrupted Revisions Purge operation.

PRJ-55334,
PRHF-33993

Security Management

In rare scenarios, login to SmartView web application using the Domain IP address or Domain name fails.

PRJ-55933,
PRHF-34584

Security Management

In rare scenarios, login to SmartConsole fails with a timeout.

PRJ-55906,
PRHF-34904

Security Management

In rare scenarios, revert to a Database Revision may get stuck on 60% and eventually fail.

PRJ-55443,
PRHF-34146

Security Management

Accelerated Policy installation may get stuck with the "Policy installation (queued)" status.

PRJ-55797,
PRHF-34671

Security Management

SmartConsole may close during login because of repeated attempts to discard a non-existent work session.

PRJ-55331,
PRHF-34049

Security Management

If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance.

PRJ-55446,
PRHF-33832

Security Management

If any single Data Center fails to register, the registration of all Data Center assets to the Security Management Server also fails.

PRJ-56002,
PRHF-34871

Security Management

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

PRJ-56152,
PRHF-35121

Security Management

In rare scenarios, the Revisions tab in SmartConsole shows "Error retrieving results".

PRJ-54733,

PRHF-33948

Security Management

In rare scenarios, the CPD process may unexpectedly exit and create a core dump file.

PRJ-52057,
PRHF-31798

Security Management

In a Management High Availability environment, the Standby Security Management Server may not update the "Installation date" during policy installation on Security Gateways/Clusters.

PRJ-54506,
PMTR-102800

Multi-Domain Security Management

Global Domain Assignment may fail with "Internal Error", if the assigned Domain is currently Active on a different Multi-Domain Security Management Server.

PRJ-50780,
PRHF-31148

Multi-Domain Security Management

In a Multi-Domain Security Management environment, there may be synchronization timeout errors, and automatic revisions purge may fail.

PRJ-42134,
PRHF-25935

CPView

In a rare scenario, when running the CPView utility, the Security Gateway may crash.

PRJ-48771,
PRHF-30060

Logging

The "show logs" Management API command may show partial information for the fields with multiple values.

PRJ-53218,
PRHF-32587

Logging

When adding a table widget to a SmartView report:

  • The "Missed Malware Activity" and "Spyware Action" fields may not be possible to pick.

  • The "Malware Action" filter may appear twice in the picker. Refer to sk182049.

PRJ-50616,
PRHF-29955

Logging

The FWD process may exit and cause issues with opening packet capture files on remote members.

PRJ-54063,
PMTR-102780

Logging

In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file.

PRJ-46848,
PRJ-46579

Logging

RAD error messages may be printed to the fwk.elg file during cpstop - cpstart on the Security Gateway. The issue is cosmetic only.

PRJ-41210,
PRHF-24639

Logging

In rare scenarios, the Logs view may display unexpected blank lines or gaps in the chronological sequence of entries.

PRJ-48104,
PRHF-29616

Security Gateway

Outages may occur when the FWD process exits or restarts and Security Group member goes down triggering Scalable Chassis failover.

PRJ-54414,
PRHF-33710

Security Gateway

In a VSX Cluster environment, the CPVIEWD daemon may cause a high CPU.

PRJ-55578,
PMTR-104837

Security Gateway

A buffer overflow may occur in the HTTP flow, affecting the FWK process.

PRJ-46889,
PRHF-29024

Security Gateway

In some scenarios, the registry value of "fwisusfw" settings is not set correctly which may impact VSX configurations. Refer to sk182004.

PRJ-45950,
PRHF-28371

Security Gateway

During policy installation, Rule Base internal error drops may be shown in the SmartConsole logs. Logs related to "dynobjs" may be printed in Messages.

PRJ-55988,
PMTR-104285

Threat Prevention

In a rare scenario, Threat Prevention policy installation may fail after an over-the-air (OTA) package update of TP_CONF_SERVICE. Refer to sk182572.

PRJ-56095,
PMTR-106568

Threat Prevention

SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other threat prevention products are disabled.

PRJ-46348,
PRHF-27721

Threat Emulation

The ICAP client may send the file name under "Content-Disposition" in an unsupported format written as "filename*=" instead of "filename=", and the Threat Emulation blade does not process such files.

PRJ-51491,
PRHF-31582

Threat Emulation

When using ICAP, filename handling occasionally fails. As a result, the Threat Emulation Blade may not be able to process this specific file.

PRJ-55459,
PRHF-34098

URL Filtering

In scenarios where there is a heavy load on the machine, the RAD queue can fill up and get clogged by unhandled requests, causing an outage and traffic disruption.

PRJ-54193,

PRHF-31001

Anti-Bot

The Anti-Bot Blade may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494.

PRJ-54444,
PMTR-103889

Mobile Access

HTTPS access to the Mobile Access Portal may be down.

PRJ-56221,
PRHF-35271

Mobile Access

The "citrixStrictTicketEnforcement" parameter set in the configuration file may not work as expected.

PRJ-55633,
PRHF-27989

ClusterXL

After modifying a bond, the Monitored VLANs may disappear. Refer to sk180724.

PRJ-56010,
PRHF-34987

SecureXL

In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures.

PRJ-51110,
PMTR-97788

SecureXL

SYN Defender configuration in Inspection Settings on the Security Management Server may not be applied on Accelerated Policy installation.

PRJ-56075,
PMTR-105097

SecureXL

When SecureXL User Mode (UPPAK) is enabled, in some scenarios, a VSX Security Gateway with many Virtual Systems may crash.

PRJ-55954,
PMTR-105602

SecureXL

The Security Gateway may crash in Bridge mode or in Non-Bridge mode when the number of MAC addresses in its network interface card's table exceeds the hardware capacity limit.

PRJ-56432,
PMTR-107256

Routing

Dynamic Routing outage in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation / uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556.

PRJ-53174,
PMTR-101331

Routing

Graceful Restart may end prematurely in OSPF NSSA areas.

PRJ-53827,
PMTR-95640

Routing

A multicast outage may occur during failovers caused by interface flaps.

PRJ-54407,
PRHF-33153

Routing

A multicast outage may occur after a failover triggered by incomplete processing of cluster synchronization messages.

PRJ-49209,
PRHF-30241

VPN

Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of medium path, Quality of Service (QoS) controls, and VPN.

PRJ-56037,
PRJ-55986

VPN

During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big".

PRJ-53012,
PMTR-100991

VPN

The FWK process may crash when establishing multiple VPN tunnels simultaneously at peak rates.

PRJ-50089,
PMTR-90101

VPN

By default, the VPN permanent tunnel is configured to use "tunnel test" instead of "DPD". This configuration may cause inaccurate permanent tunnel status reporting when connecting to third-party devices.

PRJ-52892,
PMTR-100703

VPN

The FWK process may exit when Monitor mode is enabled on one of the interfaces.

PRJ-56672,

PRHF-35637

VSX

Memory corruption may occur when a bond interface is configured, leading to a Security Gateway crash with a vmcore or a boot loop.

PRJ-53309,
PMTR-95877

Scalable Platforms

In Quantum Maestro/Scalable Chassis environments, when using the Threat Prevention Blade in the Security Group, the entitlement_status_collector_db.C files may be inconsistent between the Security Group Members.

PRJ-51191,
PRHF-29670

Scalable Platforms

Security Group Member in a VSX environment is in a boot loop after creating a new Virtual System with a WRP interface. Refer to sk182476.

PRJ-55792,
PMTR-103838

Scalable Platforms

The "An error occurred while applying action to several members. Please check the status bar history" error is displayed when changing the Maestro Security Group configuration through Gaia Portal. Refer to sk181691.

Take 169

Released on 29 September 2024 and declared as Recommended on 7 October 2024

Take 169 - Improvements and Resolved Issues

 

PRJ-57107,

PRHF-36116

Security Gateway

Memory leak may occur in SecureXL templates. Refer to sk182648.

See the Important Notes section.

PRJ-57425,

PRHF-36390

Scalable Platforms

In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connection going through a Site to Site VPN to a remote location, may be dropped with "First packet isn't SYN".

See the Important Notes section.

Take 165

Released on 4 September 2024

Take 165 - Improvements and Resolved Issues

 

PRJ-56857,

PRHF-34283

Security Management

  • In some scenarios, the FWM process may unexpectedly exit and generate a core dump every few days, when the Compliance Blade is enabled and the scheduled full scan is not configured according to sk182507.

  • More core dumps may be generated after following the instructions in Section 1, refer to Section 2 in sk182507.

See the Important Notes section.

PRJ-56891,

PRHF-34283

Logging

Suspicious Activity Monitoring (SAM) rules may not be triggered after a Source Block automatic reaction is configured.

PRJ-56934,

PRJ-56932

CloudGuard Network

After an upgrade, the incorrect status of the CloudGuard Controller is displayed in SmartConsole: "Error: 'CloudGuard Controller' is not responding. Verify that 'CloudGuard Controller' is installed on the gateway". Refer to sk182622.

Take 158

Released on 20 August 2024

Take 158 - New Functionality

 

PRJ-53639,

PMTR-102064

Security Management

NEW: Added the ability to unset a persistent environment variable, using the "-u" flag for the override_server_setting.sh script introduced in sk165938. Upon execution, the specified property is now removed from the $MDS_FWDIR/conf/cpmEnvVars.conf file.

PRJ-36320,

PRHF-21090

Security Gateway

NEW: Implemented support for LDAP queries using Windows Security Identifiers (SIDs) as search criteria.

PRJ-52385,
PMTR-99313

Harmony Endpoint

NEW: Threat Emulation Blade in Endpoint Security Clients version E87.60 and higher now supports the ONE, XAR, and WSF file formats.

PRJ-53476,
CLUS-1936

Scalable Platforms

NEW: Added Generic Data Center support for Quantum Maestro environments.

Take 158 - Improvements and Resolved Issues

 

PRJ-51535,

PMTR-97312

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.58 to fix CVE-2023-31122, CVE-2023-43622.

PRJ-55315,
PMTR-104507

Gaia OS

UPDATE: A patch on top of OpenSSL 1.1.1w to fix CVE-2024-2511. Refer to sk182320.

PRJ-54495,
PMTR-104054

Security Management

UPDATE: JRE is updated from version 8.0_8.10 to version 8.0_8.21.

PRJ-53928,
PMTR-102275

Security Management

UPDATE: Modified the content of the https://<ip_adress>/license_management/ page.

PRJ-50380,
PRHF-30774

Security Management

UPDATE: Various Web Portals on the Management Server (for example, Web SmartConsole, SmartView) no longer accept HTTPS connections to ports 443 and 19009 with specific TLS 1.2 ciphers. Refer to sk181879.

PRJ-52931,
PRHF-32414

Security Management

UPDATE: When deleting a Secondary Multi-Domain Security Management Server, SmartConsole now shows an "After MDS '<MDS name>' is deleted, you should delete the Secondary Domain Servers from the Domains and revoke their certificates" message.

PRJ-53953,
PMTR-103052

Security Management

UPDATE: Changed the hardware name "1570R Appliances" to "1570R/1575R Appliances" in the Security Gateway editor in SmartConsole and SmartProvisioning.

  • Requires R81.10 SmartConsole Build 426 or higher.

PRJ-52953,
PMTR-101078

Logging

UPDATE: Enhanced the Access Control log for "Accept" actions with initial matched layers of "IoT" or "Playblocks":

The "Layer Name" field now shows the admin-configured layer, alongside Rule Name and Rule Number, allowing administrators to view their preferred match layer rather than defaulting to the first matched layer or inline rule. This change improves visibility into the specific security policy components responsible for accepting traffic.

PRJ-47489,
PRHF-28566

Security Gateway

UPDATE: Implemented automatic purging of expired SIC certificates on Security Gateways to eliminate memory residues and prevent misuse.

PRJ-51988,
PMTR-88361

Security Gateway

UPDATE: The performance of the thread blocker feature (sk180437) is now improved and the feature is re-enabled.

PRJ-51531,
PMTR-97036

Mobile Access

UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices.

PRJ-53918,
PRHF-32600

URL Filtering

UPDATE: When URL Filtering operates in Background Mode and encounters an unclassified connection, instead of being approved automatically, such connection is now accepted or rejected based on Access Rule Base execution, and listed under the "unknown" category.

PRJ-54589,

PMTR-100544

Gaia OS

UPDATE: Extended the "allowed-client" setting to enforce IP restrictions for both password and SSH key authentication methods, providing more comprehensive access control.

PRJ-55718,
PMTR-105631

VPN

UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1".

PRJ-54671,
PMTR-104379

VoIP

UPDATE: SIP over UDP requests and responses may be dispatched to different firewall instances when a single-direction rule is defined in the Rule Base, potentially causing returned SIP traffic to be dropped as an unknown connection. To address this, a new global parameter "sip_forward_if_needed" is introduced (disabled by default). When enabled, the Security Gateway forwards responses to the appropriate request instances.

PRJ-53100,
PMTR-101359

Scalable Platforms

UPDATE: Removed the ability to delete the "_lldp" internal user in Gaia OS to prevent traffic impact. Refer to sk182026.

PRJ-56192,

ODU-1787

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 114 via self-updatable package. Refer to sk170314.

PRJ-56056,

ODU-1923

Automatic Updates - HCP

UPDATE: Added Update 18 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-55913,

ODU-1849

Automatic Updates - CPView

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-55916,
ODU-1819

Automatic Updates - CloudGuard Network

UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-50935,

PRHF-31120

Security Management

SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.

  • Requires additional configuration and R81.10 SmartConsole Build 426 or higher. Refer to sk181630.

PRJ-54004,
PRHF-33311

Security Management

In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-46787,

PRHF-29046

Security Management

In some scenarios, an upgrade of Security Management Server or Multi-Domain Security Management Server fails with the "Failed: upgrade of "DOMAIN_NAME". For more details see upgrade logs below" error in the upgrade report.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-51501,
PRHF-31420

Security Management

In rare scenarios, an upgrade of a Multi-Domain Security Management Server fails with "Cancelled due to a failure in other domain" in the upgrade report.

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-52888,
PRHF-32372

Security Management

"Mapping of Data Center [xxxx] failed. Next mapping is in 300 seconds" errors in the CME logs show failed attempts to scan deleted data centers.

PRJ-52777,
PRHF-32265

Security Management

Objects Explorer search fails with "Error retrieving results" when more than twenty thousand IP addresses match the search criteria.

PRJ-53506,
PRHF-32561

Security Management

After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and are unable to perform certain management tasks, such as enabling or disabling blades.

PRJ-49437,

PRHF-30400

Security Management

The UPDATE_INSPECT_FILES process of Upgrade Tools may exit with a core dump.

PRJ-52433,

PRHF-31953

Security Management

When Global Domain Assignment fails with the "More than one object named 'XXX' exists" error, not all duplicate objects are listed.

PRJ-53759,

PRHF-32936

Security Management

The "domains_tool -report" command may fail if more than sixteen host objects are defined as DNS Servers in the environment.

PRJ-54065,

PRHF-33349

Security Management

In some scenarios, users may be disconnected from SmartConsole, and an FWM process core dump is generated.

PRJ-53770,
PRHF-32899

Security Management

In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running with "details-level full".

PRJ-51120,
PRHF-31318

Security Management

In rare scenarios, if a Star VPN Community object is created, publish operations may fail.

PRJ-45160,
PRHF-28147

Security Management

In rare scenarios, login to the Security Management Server may fail with timeout and the FWM process on the Management Server may unexpectedly exit, creating a core dump file.

PRJ-50843,
PRHF-31188

Security Management

Export of a list of objects from the Global Object Explorer fails with the "Export policy is not supported when rule name is in a format of UUID" error message.

PRJ-53894,
PRHF-32890

Security Management

In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually.

PRJ-50754,
ACCESS-704

Security Management

Access to and from the Generic Data Center objects may not be enforced when MDPS configuration is enabled on the Security Gateway.

PRJ-49056,
PRHF-30130

Security Management

In rare scenarios, publishing a session in SmartConsole fails with the "got at least one duplicate UID in requested list, duplicates UIDs: [XXX]" error.

PRJ-55522,
PMTR-85279

Security Management

In rare scenarios, the CPD process may exit with core dumps.

PRJ-48936,
PRHF-30136

Security Management

The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set.

PRJ-53501,
PRHF-32764

Security Management

In some scenarios, SmartConsole may unexpectedly disconnect.

PRJ-53453,

PRHF-32750

Multi-Domain Security Management

Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".

  • The fix requires the upgrade to be done using a Blink image or the Advanced Upgrade method.

PRJ-51629,
PRHF-31681

Multi-Domain Security Management

In rare scenarios, login to a newly created Domain fails and the CPCA daemon has the "down" status. Refer to sk181798.

PRJ-53551,
PRHF-32881

Multi-Domain Security Management

When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY".

PRJ-51516,
PRHF-31567

Logging

Log searches for the same time period may return more results in SmartConsole compared to SmartView.

PRJ-54060,
PMTR-102031

Logging

In rare scenarios, empty log list may be displayed when selecting a log file to view in SmartConsole.

PRJ-33620,
PRHF-20992

Logging

Log Exporter may unexpectedly exit when using a non-RSA certificate.

PRJ-51275,
PRHF-31323

Logging

When adding a table widget to a SmartView report:

  • The "Missed Malware Activity" and "Spyware Action" fields may not be possible to pick.

  • The "Malware Action" filter may appear twice in the picker.

PRJ-55511,
PRHF-34283

Logging

In some scenarios, the name of the Security Gateway is not shown in the title of the automatic reaction email, although it should be.

PRJ-51429,
PRHF-31388

Logging

In some scenarios, in Multi-Domain Security Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied.

PRJ-50261,
PRHF-30848

Logging

In SmartView, some countries are not displayed in the countries picker.

PRJ-52463,
PRHF-31160

Logging

In SmartView, filtering logs by "event_type" may fail with the "Query failed" error.

PRJ-50694,
PRHF-31105

Logging

In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800.

PRJ-51443,
PRHF-31195

Logging

The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB).

PRJ-52940,

PRHF-32194

Logging

In the Logs view, the "TCP-other" and "UDP-other" services are displayed as generic service IDs, for example, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477".

PRJ-51048,
PMTR-97496

Security Gateway

In some scenarios, websites that use HTTP2 protocol do not load properly.

PRJ-52773,
PRHF-32213

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit.

PRJ-54627,
PRHF-33768

Security Gateway

In some scenarios, adding sequential IP addresses as MDPS task addresses may fail.

PRJ-55367,
PMTR-77377

Security Gateway

On appliances with FWD static core affinity, some processes may still be unexpectedly assigned to the FWD core, affecting the performance.

PRJ-51969,
PMTR-99054

Security Gateway

The CPWD daemon does not restart automatically.

PRJ-53074,
PMTR-96269

Security Gateway

In some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID".

PRJ-55952,
PMTR-106146

Security Gateway

Security Gateway running in SecureXL User Mode (UPPAK) may crash during driver removal showing "m_free: mbuf doublefree" in the backtrace.

PRJ-51479,

PMTR-98475

Security Gateway

The RAD process exits and creates a core file on the Security Gateway.

PRJ-49901,
PRHF-30541

Security Gateway

Kernel Memory usage increases persistently each day on a Security Gateway/Security Group when CGNAT is enabled. Refer to sk182140.

PRJ-54528,
PMTR-103857

Security Gateway

In some scenarios, the Security Gateway offloads connections to SecureXL in error when the initial route lookup could not find a route for it.

PRJ-56675,

PMTR-107546

Security Gateway

The "asg monitor" command may show the Security Gateway in the "during upgrade" state although a major downgrade is complete.

PRJ-55519,
PMTR-104668

SSL Inspection

In rare scenarios, when HTTPS Inspection is enabled, the FWK process may unexpectedly exit due to memory violation.

PRJ-52646,
PRHF-31996

Internal CA

CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released. CPCA closes the connection prematurely.

PRJ-50700,
PRHF-30997

Threat Prevention

The Anti-Virus Blade fails to parse IoC feeds that contain IPv6 addresses.

PRJ-48309,
ACCESS-680

Threat Prevention

In rare scenarios, when the Anti-Virus, Threat Extraction and Threat Emulation Blades are enabled, some connections that were on hold are dropped.

PRJ-53200,
PMTR-97508

Threat Prevention

In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops.

PRJ-51340,
PRHF-29801

Identity Awareness

In some scenarios, the PEPD process may consume a high CPU because of a high rate of identity propagation. Refer to sk182588.

PRJ-46489,
PRHF-28698

Identity Awareness

Policy Enforcement Point (PEP) logs show a username after the user session is expired. Refer to sk181553.

PRJ-35860,
PMTR-76453

Identity Awareness

Microsoft Azure Active Directory does not fetch users in the Access Role object and shows "The user directory is still initializing". Refer to sk175983.

PRJ-43103,
PMTR-87284

DLP

Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs.

PRJ-53127,
PRHF-32438

Anti-Virus

The DLPU process may unexpectedly exit due to uninitialized memory when the Anti-Virus Blade scans files. Refer to sk182030.

PRJ-53571,
PRJ-53566

Anti-Virus

In a rare scenario, the Security Gateway may crash due to memory corruption caused by the Anti-Virus Blade.

PRJ-50980,
PRHF-31207

Anti-Virus

The Anti-Virus Blade may enforce observables from IoC feeds although they were deactivated in SmartConsole.

PRJ-51153,
PMTR-92065

Mobile Access

Web Application names column width is too narrow to fit in the Mobile Access Portal. Refer to sk181774.

PRJ-52978,
PRHF-32251

Mobile Access

Enabling the "cvpnd" debug causes the reverseproxy_ssl_debug.log file size to continue growing even after the "reverse proxy" debug is off.

PRJ-54640,
PMTR-90199

Mobile Access

The HTTPD process of the Mobile Access Portal may exit with a core dump file.

PRJ-54169,
PMTR-103483

ClusterXL

In rare scenarios, in a cluster environment, the CPDiag tool may crash.

PRJ-55395,
PMTR-104268

SecureXL

A race condition may occur in a large scale VSX Cluster environment and SecureXL User Mode (UPPAK) is enabled.

PRJ-54322,
PMTR-103651

SecureXL

In some scenarios, traffic with Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSX Security Gateway.

PRJ-55565,
PMTR-104603

SecureXL

The USIM process may unexpectedly exit.

PRJ-55961,

PRHF-34753

SecureXL

The duration of each "stop" and "start" API call for the LightSpeed Acceleration interfaces may take several seconds. Refer to sk182585.

PRJ-54330,
PRHF-33511

SecureXL

In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out.

PRJ-54427,
PMTR-102834

SecureXL

In some scenarios, the VSX Security Gateway does not initialize the Virtual System correctly when connected to a Virtual Router or Virtual Switch.

PRJ-54566,
ACCHA-2595

PRJ-54569,
ACCHA-2571

SecureXL

Some packets on connections to bonded VLAN interfaces may be dropped because of missing interface info.

PRJ-54602,
PMTR-104146

Routing

Routing BFD sessions using IPv6 global addresses on single-hop interfaces fail to recover after the network interface is administratively disabled and re-enabled.

PRJ-55343,
PMTR-104736

Routing

OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks due to the omission of an "IP-Address" field in the grace LSA.

PRJ-52415,

PRHF-31929

Gaia OS

SNMP query for OID 1.3.6.1.4.1.2620.1.6.7.5.1.5 (CPU utilization per CPU core) and the "cpstat os -f cpu" command may return an incorrect value. Refer to sk182447.

PRJ-51019,
PRHF-31136

VPN

Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783.

PRJ-52911,
PRHF-32348

VPN

SNMP queries show a different number of connected RA VPN users than what is shown in CPView and from CLI. RaUserState information is missing in the SNMP MIB file.

PRJ-55487,
PRHF-30493

VPN

During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them.

PRJ-55292,
PMTR-103968

VPN

Configuring a Large Scale VPN (LSV) with IPv6 and establishing a VPN tunnel may cause the FWK process to exit.

PRJ-53714,
PRHF-32719

VPN

Tunnel testing may fail after an upgrade. Refer to sk182267.

PRJ-54679,

PMTR-104230

Multi-Portal

Under a special routing configuration, an active Cluster member may accept portal traffic (on TCP ports 80 and 443) destined to a Standby member IP address.

PRJ-54597,
PRHF-33572

VSX

In rare scenarios, the CPD process of the default Virtual System on a VSX Gateway (VS0) gets stuck.

PRJ-53117,
PMTR-99343

VSX

In a VSX Cluster with IPv6 enabled, after an upgrade, VS's without IPv6 address may fail to install the Access policy.

PRJ-47807,
PRHF-29624

CloudGuard Network

In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state.

PRJ-29747,
PMTR-70976

Scalable Platforms

When configuring backup-scheduled/snapshot recurrence via gClish shell with "The <name> job already exists. Please choose another name. Backup schedule failed. The backup will not be scheduled".

PRJ-48012,
PRHF-29741

Scalable Platforms

When running the "set user username force-password-change yes" command in gClish on Scalable Platforms, the new configuration may not be applied.

PRJ-49847,
PRHF-30436

Scalable Platforms

Site to Site VPN traffic may be interrupted after installing policy with VSLS.

PRJ-43740,
PMTR-88853

Scalable Platforms

The "distutil" script may take a long time to run in an environment with many VS's.

PRJ-50625,
PRHF-29180

Carrier Security

  • ClusterXL Active member changes the status to "LOST".

  • Kernel segfault error is printed in /var/log/messages.

  • The CPD daemon and CPVIEW_SERVICE exit.

Take 156

Released on 29 July 2024 and declared as Recommended on 12 August 2024

Take 156 - Improvements and Resolved Issues

 

PRJ-56149,

PRHF-35183

Security Management

When the Compliance Blade is enabled, the FWM process may unexpectedly exit and generate a core dump. Refer to sk182507.

See the Important Notes section.

PRJ-55939,

PRHF-34652

Security Gateway

The "up_fw_set_cphwd_template: up_manager_create_template_msg failed; fwhandle_pool_add: Table kbufs - All available pools exhausted" error may be printed in the fwk.elg file during a heavy traffic load.

PRJ-55956,

AAD-1461

ClusterXL

In a ClusterXL environment, the Security Gateway may crash when processing VPN traffic.

Take 152

Released on 27 June 2024

Take 152 - New Functionality

 

PRJ-51435,
PMTR-98141

SSL Inspection

NEW: Added ability to import PKCS#12 files using AES-256-CBC encryption with PBKDF2-HMAC-SHA-256. This enhancement is designed for use in multi-portal environments and HTTPS Inspection scenarios.

PRJ-53698,
PMTR-101481

Security Management

NEW:

  • Added support for the Gaia API proxy with VSX to use Management API from both the Multi-Domain Security Management Server and the Security Management Server. Refer to Management API Reference.

  • This release also resolves issues that occurr when using Multi-Portal Blades with internally issued certificates and third-party certificates.

PRJ-48744,

PMTR-94089

SmartConsole

NEW: Added support for 3072 bits key size in IKE certificates. To use 3072 bits key size, refer to "HTTPS Portals (Multi-Portal) Certificate, VPN Certificate" section in sk96591.

Take 152 - Improvements and Resolved Issues

 

PRJ-52403,

PMTR-99617

Security Management

UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism.

PRJ-52447,
PRHF-31852

Security Management

UPDATE: Added an ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033.

PRJ-49860,

PMTR-95625

CPView

UPDATE: Added the "SecureXL" filter to the "cpview -m -f" command, which allows to extract to Skyline all the information related to SecureXL drops. Refer to the Skyline Metrics Repository.

PRJ-54340,
SNX-99

SSL Network Extender

UPDATE: SSL Network Extender is updated to version 80008409.

PRJ-51974,
CRYPTOIS-3027

SSL Inspection

UPDATE: If inspection logging is configured, the "Inspect" log now displays the negotiated ciphers and TLS version used for successful inspections, both between the client and the Security Gateway, and between the Security Gateway and the Server.

PRJ-48176,
PMTR-95781

Mobile Access

UPDATE: jQuery UI is upgraded to version 1.13.2.

PRJ-53525,
PMTR-100166

Gaia OS

UPDATE: Added Multi-Queue support for Microsoft Azure Network Adapter (MANA) accelerated network interfaces.

PRJ-51700,
PRHF-31790

Harmony Endpoint

UPDATE: The audit event information when adding or removing Virtual Group members is now unified. The data includes the administrator name and device/user names for both actions.

Previously:

  • When removing an object, the administrator name who did the operation and also the device/user name were shown.

  • When adding an object, the administrator name was not shown and there was an ID list instead of the user or device names.

PRJ-54098,

PRJ-54458,

PRJ-55300,

PRJ-55686,

ODU-1779,

ODU-1755,

ODU-1731,

ODU-1667

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 100, Take 102, Take 104 and Take 111 via self-updatable package. Refer to sk170314.

PRJ-54687,

ODU-1707

Automatic Updates - CPView

UPDATE: Added Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-54172,

ODU-1683

Automatic Updates - CPSDC

UPDATE: Added Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-54176,

PRJ-55581,

ODU-1803,

ODU-1659

Automatic Updates - HCP

UPDATE: Added Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-50335,

PMTR-96420

Infrastructure

UPDATE: Added Python 3.11.4.

PRJ-50998,
PRHF-31180

Security Management

Install Policy Presets may fail after purging all revisions. Refer to sk181652.

PRJ-51542,
PMTR-98526

Security Management

Enabling automatic updates of Trusted CAs as described in sk173629 may fail.

PRJ-52878,

PRHF-32383,

PRJ-52517,

PRHF-32065

Security Management

In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages.

PRJ-52780,
PRHF-32286

Security Management

When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time.

PRJ-52018,
PRHF-31622

Security Management

Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled.

PRJ-52849,
PRHF-32222

Security Management

Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-52914,
PRHF-32334

Security Management

Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected.

PRJ-51676,
PRHF-31606

Security Management

Global Assignment fails with "Locked for editing by another administrator and need to be published or discarded before the operation can take place". Refer to sk181807.

PRJ-52790,
PRHF-32309

Security Management

In rare scenarios, High Availability synchronization fails with "Peer is busy".

PRJ-49361,
PRHF-30301

Security Management

There may be synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Server when a newly created local administrator on the backup Security Management Server makes changes to rules or objects, after the Active role is switched to that Security Management Server.

PRJ-50372,
PMTR-96089

Security Management

When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message.

PRJ-53348,
PRHF-32714

Security Management

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file.

PRJ-51506,
PMTR-98543

Security Management

The on-premises Security Management Server fails to connect to Infinity Portal when this Server has a proxy configured.

PRJ-51632,
PRHF-30990

Security Management

In rare scenarios, after an upgrade or a Domain migration:

  • Policy installation might fail with "ERROR: Duplicate keys xxxxxxxx in table 'gw_properties".

  • DAIP Gateway objects will have duplicate IP addresses.

    Refer to sk181834.

PRJ-51695,
PMTR-98972

Security Management

After a global assignment, when installing policy on several installation targets at once, the log may show an incorrect rule name.

PRJ-53730,
PMTR-102450

Security Management

Changes Report may allow to list certain directory contents.

PRJ-55501,

PRHF-34248

Security Management

A memory leak may occur in the FWM process leading to SmartConsole connection failures.

PRJ-54094,
PRHF-28962

Security Management

In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-53340,
PRHF-32639

Security Management

When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string&CURRENTVERCMP" error.

PRJ-51504,

PMTR-98271

Security Management

After a Multi-Domain Security Management upgrade to R81.10 version, some Infinity Portal Services may stop working.

PRJ-49582,
PRHF-30453

Security Management

In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted.

PRJ-41780,
PRHF-25318

Security Management

In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view.

PRJ-52345,
PRHF-31814

Security Management

In some scenarios, the PostgreSQL database fully utilizes disk space on the Standby Security Management Server.

PRJ-50018,
PMTR-86613

Security Management

It may not be possible to add/set a Threat Prevention Exception with a protection-or-site UID.

PRJ-51204,
PRHF-31334

Security Management

If all revisions were purged on the Security Management Server, the "show packages details-level full" Management API call may fail.

PRJ-51513,
PRHF-31523

Security Management

The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt.

PRJ-52044,
PRHF-31789

Security Management

In some scenarios, the Security Management Server upgrade to R81.20 fails with "java.lang.String incompatible with com.checkpoint.infrastructure.types.CPUUID" in the upgrade report. The issue occurs during the import of the User Data Domain.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-48395,
PRHF-29737

Multi-Domain Security Management

In a Multi-Domain Security Management environment, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred"

PRJ-52969,
PRHF-29693

Multi-Domain Security Management

The "cprlic get" command output may not provide correct information about vSEC licenses.

PRJ-51271,
PRHF-30806

Multi-Domain Security Management

In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails.

PRJ-53226,
PMTR-100502

SmartProvisioning

The Management API command "set-lsm-gateway" with the "sic.ip-address" parameter may fail with "Establish SIC failed. Reset SIC on gateway and try again." when resetting SIC.

PRJ-53274,
PMTR-100689

SmartProvisioning

The "show-lsm-gateways" Management API command returns LSM cluster objects besides the LSM Security Gateways.

PRJ-51569,

PMTR-90798

SmartConsole

SmartConsole slowness when adding applications to rules. Refer to sk182063.

PRJ-52601,

PMTR-94461

CPView

In the "cpview -m" command output on the Security Gateway which is an Active Cluster member, "metrics system.network.nat.ports" and "system.network.nat.ports.limit" may not be displayed in the list of available metrics.

PRJ-52720,
PRHF-30795

Logging

Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options.

PRJ-51147,
PRHF-31357

Logging

When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677.

PRJ-49789,
PMTR-95167

Logging

The "cpstat -h log server ip ls -f logging" command fails when running it from Security Management.

PRJ-53336,
PMTR-101195

Logging

When the "IP Options drop" tracking Global Properties setting is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole.

PRJ-51326,
PMTR-96510

Logging

In rare scenarios, after an upgrade, the LOG_EXPORTER process may fail to send the log files to SIEM or to the cloud.

PRJ-44794,
PRHF-27521

Logging

In rare scenarios, the FWD process on the Security Gateway may reach out of memory and produce a core dump file of around 3GB.

PRJ-52678,
PRHF-31821

Security Gateway

Running GTP traffic may cause a crash on a Security Gateway without a GTP license.

PRJ-51357,
ACCHA-3232

Security Gateway

A highly utilized Security Gateway may crash during policy installation.

PRJ-53627,
PMTR-102177

Security Gateway

A memory issue may occur in a cluster environment, when SIP inspection is enabled.

PRJ-41753,
PRHF-25570

Security Gateway

Some debug messages may appear in the /var/log/messages file, although the debug mode is not activated. The issue is cosmetic only.

PRJ-51438,
PMTR-98446

Security Gateway

A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart.

PRJ-48816,
PRHF-30025

Security Gateway

After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found".

PRJ-51945,
PRHF-31780

Security Gateway

In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base.

PRJ-52795,
PRHF-31617

Security Gateway

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router.

PRJ-51527,
PRHF-31572

Security Gateway

Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are active. Refer to sk181793.

PRJ-52824,

PMTR-100459

Security Gateway

On the Security Management Server, a CPD zombie process may be created.

PRJ-49047,
PMTR-94275

Security Gateway

In rare scenarios, a file downloaded via HTTP may be corrupted.

PRJ-52470,
PMTR-98658

Security Gateway

CIFS traffic may cause CPU spikes in the FWK process.

PRJ-42870,
PRHF-26332

Threat Prevention

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225.

PRJ-53490,
PMTR-87269

Threat Prevention

Installation of Threat Prevention Policy fails with the error "No profile defined on GW <Name of Security Gateway Object>" in this scenario:

  • The "Install On" column of a Threat Prevention rule contains a Group object (Group #1).

  • This Group object (Group #1) contains another Group object (Group #2).

  • This nested Group object (Group #2) contains the Security Gateway object.

PRJ-53911,
PMTR-102756

Threat Prevention

SSH DPI may not work because of incorrect parsing of the client hello from a non-standard SSH client.

PRJ-52370,
PRHF-31314

Identity Awareness

After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946.

PRJ-50513,
PMTR-92204

Identity Awareness

In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration.

PRJ-52872,
PRHF-32296

Identity Awareness

User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation.

PRJ-50583,
PRHF-30933

Identity Awareness

During policy installation, users authenticated using the Captive Portal may get disconnected.

PRJ-52660,
PRJ-52661

Anti-Virus

Some URLs may be blocked by the Anti-Virus blade as malicious, even though the Threat Prevention Rule Base contains an exception rule with a Site/Application object that includes this URL.

PRJ-53124,
PRHF-32092

Anti-Virus

The DLPU process may frequently exit with a core dump file.

PRJ-53989,
PRHF-33087

Mobile Access

SAML authentication may fail after installation of Jumbo Hotfix Accumulator R81.10 Take 113. Refer to sk182128.

See the Important Notes section.

PRJ-52047,

PRHF-31811

Mobile Access

SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805.

See the Important Notes section.

PRJ-52895,
PMTR-100934

ClusterXL

In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error.

PRJ-42808,
PRHF-24122

ClusterXL

Cluster members may crash, generating vmcores in /var/log/crash.

PRJ-50116,
PRHF-30245

ClusterXL

In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also.

PRJ-44519,
PRHF-23500

SecureXL

Multicast packets received on an interface with PIM disabled can cause multicast packet drops on other interfaces by filling up the kernel routing queue.

PRJ-53090,
PMTR-101273

SecureXL

In some scenarios, when SecureXL User Mode (UPPAK) is enabled, the Security Gateway crashes during boot up.

PRJ-53060,
PMTR-101152

SecureXL

During the deny list update process, there is a temporary gap where no IP addresses are blocked, allowing unwanted traffic to pass through the Security Gateway unfiltered.

PRJ-53787,
ACCHA-3229

SecureXL

When the Security Gateway works in SecureXL User Mode (UPPAK), a SIGPIPE signal may cause the USIM process to exit, leading to a system reboot.

PRJ-54424,
PMTR-102759

SecureXL

In some scenarios, the VSX Security Gateway may fail to properly reroute traffic originating from a Virtual Switch.

PRJ-53480,
PMTR-101681

SecureXL

In some scenarios, when QoS blade is enabled and SecureXL works in User Mode (UPPAK), Security Gateway may crash with the "invalid data" error.

PRJ-51621,
PMTR-97796

SecureXL

In some scenarios, fragmented ICMP packets may bypass the DOS/ Rate limiting deny list.

PRJ-53090,
PRJ-52859

SecureXL

In some scenarios, the Security Gateway crashes during boot up when SecureXL works in User Mode (UPPAK).

PRJ-50854,
PMTR-96036

SecureXL

There may be a delay in enforcing DOS/ Rate Limiting rules to drop packets when concurrent connection limits are exceeded.

PRJ-52805,
PMTR-96017

SecureXL

In some scenarios when Route based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address.

PRJ-53053,

ROUT-2968

Routing

BGP peers may experience timeouts when these conditions occur simultaneously:

  • The network has more than 100 BGP peers configured,

  • The routing table contains tens of thousands of routes,

  • BGP tracing is enabled,

  • The BGP timers (such as keepalive and hold timers) are reduced from their default values, making the peers more sensitive to delays or congestion.

PRJ-53056,
PRHF-32078

Routing

In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization.

PRJ-51259,
PRHF-31307

Routing

It may not be possible to propagate a newly added static route through OSPF.

PRJ-53171,
PMTR-99623

Routing

The ROUTED process may unexpectedly exit because of an OSPF assertion failure.

PRJ-52670,
PRHF-32205

Routing

Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on".

PRJ-52723,
PRHF-32115

Gaia OS

The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922.

PRJ-53194,
PRHF-32504

Gaia OS

In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory.

PRJ-53487,
PMTR-95316

Gaia OS

Some valid interfaces may not be available with running the "set lldp interface" command.

PRJ-52508,
PMTR-99867

Gaia OS

When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file.

PRJ-54179,
PMTR-103543

Gaia OS

Removing unused built-in user called "cp_ender" that may appear in Gaia OS after an upgrade. Refer to sk182185.

PRJ-52948,
PRHF-32461

VPN

When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues.

PRJ-54240,

PMTR-103618

VPN

In a VPN Community with a configuration involving two Security Gateways (a Center Cluster and a Satellite Security Gateway) with IPv6 external and internal interfaces, when attempting to establish a Link Selection Star community between them, the VPN process may unexpectedly exit due to repetitive IKE core crashes on one of the Security Gateways while the other Security Gateway tries to establish a tunnel, resulting in connectivity issues.

PRJ-33776,
PRHF-20660

VPN

The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic.

PRJ-52829,
PMTR-96593

VPN

In a rare scenario, in a Maestro environment the first packet of the VPN tunnel is lost or has a large delay.

PRJ-53848,
PRHF-33098

VPN

After an update, if in VPN if configured with Permanent Tunnels enabled, RAM utilization may increase.

PRJ-53383,
PMTR-101269

VPN

IPv6 non-VPN traffic may be dropped with "Clear text packet should be encrypted".

PRJ-50316,

PMTR-89274

Multi-Portal

In a rare scenario, after a VSX environment upgrade, connecting Remote Access Client to a newly created VS site using IDP authentication fails with the "This page can't be displayed" error in the embedded browse, but error logs or debugs are missing from the /opt/CPVPNPortal/logs/ directory on VSX and newly created VS.

PRJ-50571,
EPS-53505

Harmony Endpoint

In an on-premises environment, large Active Directory groups with more than 1500 members appear empty or have incomplete membership information.

PRJ-51137,
PRHF-31298

Harmony Endpoint

When duplicate users with the same name and Domain exist in the database or Active Directory, FDE Pre-boot authentication on LAN may fail, not able to identify the user attempting to log in.

PRJ-46792,
PMTR-92392

Scalable Platforms

An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and therefore may differ between members.

PRJ-53621,
PMTR-99823

Scalable Platforms

The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members).

PRJ-52643,
PMTR-100357

Scalable Platforms

After a failover scenario, the "m site-id member-id" command requires reauthentication.

PRJ-52884,
MBS-18033

Scalable Platforms

When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are.

PRJ-53082,
PMTR-97118

Scalable Platforms

Redundant "MHO_stateAgent[3230]: QuidAddon: System not ready yet - attempting to re-init" messages in the /var/log/messages file.

PRJ-53831,

PMTR-73771

Scalable Platforms

Before enabling MDPS, CoreXL Dynamic Balancing (sk164155) must be disabled.

PRJ-53468,

PMTR-97932

Scalable Platforms

In a rare scenario, when a Maestro Security Gateway is active again after a reboot, and LightSpeed is used, the LACP bond may drop incoming and outgoing packets.

PRJ-55569,

PMTR-105246

Scalable Platforms

Traffic outage after policy installation on a Maestro Security Group in the VSX mode that works in the Dual Site configuration. Refer to sk182379.

PRJ-55517,

PMTR-105145

Scalable Platforms

• On Quantum Maestro/Chassis or in ClusterXL, the Security Gateway may crash while processing a VPN/correction flow with a vmcore in /var/log/crash or FWK core in /var/log/dump/usermode/.

• The "kernel: xxxxx: tx_timeout" error is printed in /var/log/messages.

• PSL drops packets with "PSL Drop: psl_build_pslip failed” message, potentially impacting network performance and streaming capabilities.

Refer to sk182463.

See the Important Notes section.

Take 150

Released on 02 June 2024 and declared as Recommended on 10 June 2024

Take 150 - Improvements and Resolved Issues

 

PRJ-55470,
PRHF-34219

VPN

UPDATE: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or lower, and not updated after the upgrade to R80.30, is blocked until the password is reset. Refer to sk182336.

PRJ-55495,
PRHF-34269

VPN

CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336.

PRJ-55297

Infrastructure

Installing a Hotfix on top of R81.10 Jumbo Hotfix Accumulator may fail.

PRJ-55347,
PMTR-104752

Threat Prevention

The "Categorized HTTPS Sites" option does not classify specific websites when "TLS 1.3 hybridized Kyber support" is enabled in the browser. Refer to sk182318.

Take 141

Released on 15 April 2024

Take 141 - New Functionality

 

PRJ-53676,

PRJ-52484

Security Management

NEW: Added ability to R81.10 Security Management Server and Multi-Domain Management Server to manage Quantum Force 9800 / 9700 / 9400 / 9300 / 9200 / 9100 Appliances that run R81.20 Security Gateways. Refer to sk181698.

  • Requires R81.10 SmartConsole Build 423 or higher.

PRJ-49826,
ACCESS-799

Application Control

NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol.

This ability is enabled by default.

  • To disable this ability, run: "fw ctl set int appi_drop_packet_enabled 0".

  • To enable this ability, run: "fw ctl set int appi_drop_packet_enabled 1".

PRJ-50988,
PMTR-95463

VPN

NEW: Added ability to track RAM usage of the VPND process using the "cpstat" command in CLI. Refer to sk181815.

PRJ-47018,
CRYPTOIS-2878

VPN

NEW: Added support for a new tool (shell script) on a Management Server that can show and renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways and VSX Virtual Systems. Refer to sk182070.

Take 141 - Improvements and Resolved Issues

 

PRJ-48779,
SL-8207

Security Management

UPDATE: Added validation for new permissions for configuring a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > Run the following script before deleting old files.

PRJ-49173,
PRHF-30294

Security Management

UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877.

PRJ-51124,
PRHF-31302

Security Gateway

UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921.

PRJ-50740,

PRHF-30794

Security Gateway

UPDATE: Added an ability to configure objects for the HTTPS Inspection CA using labels.

  • There are now handle-based and label-based configurations.

  • Hardware Security Module in High Availability mode (HSM HA) now supports only the label-based configuration.

PRJ-50428,

PMTR-96484

Security Gateway

UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions.

PRJ-52674,

PRHF-32203

Security Gateway

UPDATE: Fixed CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

PRJ-48095,

PMTR-77299

CPView

UPDATE: CPView now shows statistical data also for servers with 256/512 CPU cores.

PRJ-50976,
PRHF-31196

Threat Extraction

UPDATE: Added an option in ICAP Server for logging benign files scanned by the Anti-Virus Blade. By default, logging for benign files is disabled. To enable it, add the following entry to the ICAP Server configuration file: "LogBenign on".

PRJ-50499,
IDA-5167

Identity Awareness

UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways.

PRJ-45911,
IDA-4843

Identity Awareness

UPDATE: Implemented monitoring functionality and alerts for tracking the expiration date of Identity Broker certificates.

PRJ-46625,
PMTR-87439

VPN

UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server.

PRJ-50914,
PRHF-31000

Gaia OS

UPDATE: When a Gaia OS Server has a Cloning Group feature enabled, it now accepts other Gaia OS Servers that join this Cloning Group over TLS1.2 or higher (over the TCP port 1129).

PRJ-50318,
PMTR-95965

CloudGuard Network

UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823.

PRJ-52862,
PMTR-100872

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region.

PRJ-51249,
PMTR-98059

CloudGuard Network

UPDATE: The AWS Security Group Data Center object name now includes both the name tag and Security Group name, formatted as "ID <Name tag> <Security Group name>".

Previously, only the name tag was included, with the format "ID <Name tag>".

This change to include the Security Group name can be enabled by adding the setting "aws.supportSearchGroupName=true" in the vsec.conf file.

PRJ-53585,

ODU-1571

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 97 through self-updatable package. Refer to sk170314.

PRJ-53540,

ODU-1476

Automatic Updates - Threat Prevention

UPDATE: Added Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-52695,

ODU-1408

Automatic Updates - Smart-1 Cloud

UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-52866,

PRJ-53687,

ODU-1595,
ODU-1531

Automatic Updates - HCP

UPDATE: Added Update 15 and Update 16 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-53396,

PRJ-53681,

ODU-1611,

ODU-1563

Automatic Updates - CPSDC

UPDATE: Added Take 31 and Take 33 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-49943,
PRHF-30561

Security Management

In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object.

PRJ-49943,
PMTR-96433

Security Management

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

PRJ-51073,
PRHF-31280

Security Management

Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID.

PRJ-45022,
PRHF-28126

Security Management

The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected.

PRJ-50046,
PRHF-30714

Security Management

In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete.

PRJ-49666,
PMTR-92847

Security Management

The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks.

PRJ-51595,
PRHF-31532

Security Management

In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822.

PRJ-51618,
PRHF-31710

Security Management

Deleting a Domain may fail when using the createDomainRecovery.sh script.

PRJ-52011,
PRHF-31738

Security Management

In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886)". Sk178886 describes a different scenario and does not resolve the issue.

PRJ-52816,
PMTR-100795

Security Management

If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report.

PRJ-50766,
PRHF-31101

Security Management

In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed.

PRJ-50592,
PRHF-30931

Security Management

High Availability synchronization runs after every scheduled Application Control update, even if the Application Control is up to date.

PRJ-50354,
PRHF-30825

Security Management

SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script.

PRJ-49952,
PRHF-30373

Security Management

Login to SmartConsole may fail while the Compliance Blade is running a full scan.

PRJ-50404,

PRHF-30796

Security Management

In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to the "Install On" column in Threat Prevention policy, no Security Gateway objects appear.

PRJ-51278,
PMTR-97942

Security Management

When the value of the "asm_ips_cci" property is updated manually to a number higher than 500,000:

  • login to the Security Management Server fails due to timeout

  • the FWM process may consistently consume 100% CPU.

PRJ-50213,
PRHF-30688

Security Management

Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters.

PRJ-50186,
PRHF-30766

Security Management

In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption".

PRJ-48915,
PRHF-29502

Security Management

In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397.

PRJ-49344,
PMTR-95009

Security Management

SmartConsole may unexpectedly close after deleting an object in the Object Explorer view.

PRJ-51088,
PRHF-31285

Security Management

In some scenarios, the change report sent via email by SmartTasks after publishing appears blank, even though there were modifications in the published session.

PRJ-51067,
PRHF-31283

Security Management

In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time.

PRJ-51133,

PRHF-30631

Security Management

Installing security policy with a rule that contains the "Internet" object in the destination column may fail with error message "Topology is not defined on the policy "Install On" target <cluster object name>", if the target cluster is marked as "Geo Mode in a Cloud".

PRJ-50407,

PRHF-30754

Security Management

The Change Report generated before publishing a session, may contain internal system changes that were made by the user.

PRJ-50579,
PRHF-30902

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-51084,
PRHF-31155

Multi-Domain Security Management

In Multi-Domain Security Management environments with over two hundred administrators, Domain creation may fail with "Timeout expired while waiting for permissions calculation".

PRJ-46934,
PRHF-28412

SmartConsole

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

PRJ-51426,
PMTR-98332

Web SmartConsole

Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6.

PRJ-51664,
PMTR-98552

Web SmartConsole

An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801.

PRJ-49973,
PMTR-94928

CPView

CPU statistics may be incorrect or missing in CPView. Refer to sk182286.

PRJ-44497,
PMTR-90355

CPView

In rare scenarios, CPView does not handle VS context correctly.

PRJ-48002,
PRHF-29744

CPView

Offload may fail in CPView with "ERROR! Reason not initialized".

PRJ-48805,
SL-8218

Logging

Some attributes in SNMP MIB file may not be accessible.

PRJ-46287,
PRHF-27161

Logging

In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds".

PRJ-47315,
PRHF-29126

Logging

When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly.

PRJ-49389,
PRHF-30398

Logging

In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field.

PRJ-44686,
PRHF-27417

Logging

When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters.

PRJ-47983,
PRHF-29667

Logging

Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only.

PRJ-46206,
PRHF-27710

Logging

Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609.

PRJ-49864,
PMTR-95580

Logging

In rare cases, the LOG_EXPORTER process exits and the CPWD process does not start it because of the "exit_code 0" error.

PRJ-48241,
PRHF-29837

Logging

The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706.

PRJ-44590,

PRHF-26975

Logging

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

PRJ-48321,
PRHF-29953

Security Gateway

The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration.

PRJ-46202,
PRHF-25771

Security Gateway

In rare scenarios, updating the NTP Server may cause a temporary outage.

PRJ-50139,
PRHF-30588

Security Gateway

Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments.

PRJ-49806,
PRHF-30576

Security Gateway

Enabling MDPS fails with the "clish: symbol lookup error: /usr/lib/cli/lib/libcli_mdps.so: undefined symbol: cp_is_usim" error.

PRJ-50602,
PRHF-28340

Security Gateway

In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow.

PRJ-47956,
PMTR-93503

Security Gateway

The CPVIEW_API_SERVICE process may exit with a timeout.

PRJ-49116,
PRJ-45207

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit when running an outgoing (a local connection) from the Security Gateway.

PRJ-52420,
PMTR-99316

Security Gateway

Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object.

PRJ-48262,
PMTR-93809

Security Gateway

Notifications of SecureXL connection deletion appear unfiltered in the debug output, also when using a debug filter.

PRJ-50756,
PRHF-31127

Security Gateway

In a rare scenario, because of a memory allocation issue, the Security Gateway may crash and reboot.

PRJ-47663,
PRHF-29452

Security Gateway

Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages.

PRJ-51459,
PRHF-31473

Security Gateway

When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:

  • A DNS query to any ISP returns IP addresses of all three, although it should return only the active ISP.

  • When one ISP is down, the faulty ISP is also returned instead of the newly active.

PRJ-52363,
ACCHA-2386

Security Gateway

In a VSX environment, the FW_FULL process may exit when running "fw monitor -p all" with the "-v" flag on a specific list of Virtual Systems (VS's) where not all VS's have identical blade configurations enabled.

PRJ-51608,
PRHF-31672

Security Gateway

The ICAP Server may fail to initialize.

PRJ-52520,

PRHF-31425

Security Gateway

The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process.

PRJ-47671,

PRJ-47667,

PRHF-29516,

PRHF-29535

Security Gateway

When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries.

PRJ-51038,

PRHF-31146

Security Gateway

The Security Gateway may crash during policy installation.

PRJ-53084,

PMTR-100847

Security Gateway

Security Gateway does not pass traffic through an external interface when it is managed by Smart-1 Cloud, and SecureXL works in User Mode (UPPAK) mode. Refer to sk182016.

PRJ-50659,
PRHF-30938

Security Gateway

The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address.

PRJ-50931,
PMTR-94510

Security Gateway

Multiple "fw_fna_hold_prepare: creating table" entries may be printed in /var/log/messages. The issue is cosmetic only.

PRJ-52563,
PRHF-32096

Internal CA

CRLs may not be recreated after cleaning expired certificates from the ICA database.

PRJ-43972,
PRHF-21246

Threat Prevention

When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems.

PRJ-46443,
PRHF-28775

Threat Prevention

Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension.

PRJ-50051,
PRHF-30177

Threat Prevention

Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the "fwaccel dos deny" feature are configured. See sk182223.

PRJ-46596,
PRHF-29036

Threat Extraction

The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974.

PRJ-51334,
PRHF-31398

Identity Awareness

When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access.

PRJ-49435,
PMTR-92848

Identity Awareness

In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers.

PRJ-45135,
PRHF-27966

Identity Awareness

In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged.

PRJ-51422,
PRHF-31468

Identity Awareness

In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network.

PRJ-52026,
PMTR-95514

Application Control

Anti-Spoofing drops packets that arrive at a Security Gateway through interfaces with Topology "External" if there are routes configured for internal interfaces that overlap with routes configured for external interfaces. Refer to sk181768.

PRJ-43456,
PRHF-26010

Application Control

When a policy contains a white list, some packets may not match the listed applications.

PRJ-42480,
PRHF-26320

IPS

Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types.

PRJ-45283,
PRHF-27773

IPS

The "malware_whitelist_domain_tbl error" messages in /var/log/messages file while installing a policy on both cluster members. Refer to sk180614.

PRJ-50804,
PRHF-28437

IPS

There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade.

PRJ-51182,
PRHF-31305

Anti-Virus

Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures.

PRJ-49570,
PRHF-29935

Anti-Virus

The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds.

PRJ-50528,
PMTR-96396

Anti-Virus

In a rare scenario, the Security Gateway may crash during inspection of file downloads.

PRJ-49520,
TPP-3592

Anti-Virus

The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile.

PRJ-49297,
PRHF-23253

Anti-Virus

Anti-Virus fails to release held connections after the inspection.

PRJ-49792,
PRHF-30328

SSL Inspection

Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM).

PRJ-45150,
PMTR-83342

SSL Inspection

When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text.

PRJ-52366,
PRHF-28941

SSL Inspection

In some scenarios, the FWK process may unexpectedly exit, during installation of HTTPS Inspection policy on the Security Gateway.

PRJ-50869,
PRHF-31176

ClusterXL

The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue.

PRJ-48413,
PRHF-29594

ClusterXL

In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem".

PRJ-52730,

PRHF-32237

ClusterXL

When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status.

PRJ-51587,
PRHF-31481

ClusterXL

The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster.

PRJ-51177,
PRHF-31303

SecureXL

The Security Gateway may crash with vmcore during boot while upgrading.

PRJ-48283,
PRHF-29906

SecureXL

The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway.

PRJ-50926,
PMTR-97095

SecureXL

When attempting to route packets to unresponsive hosts, the CPU utilization may be high.

PRJ-33123,
PMTR-75021

SecureXL

CPView shows SecureXL drops incorrectly as "0" (zero).

PRJ-52801,
PRHF-31631

SecureXL

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch.

PRJ-52798,
PRHF-31629

SecureXL

The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list.

PRJ-51209,

PRHF-31259

SecureXL

In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer.

PRJ-52733,
PRHF-31847

Routing

In networks where multicast groups are manually configured through IGMP if only one membership report is received for a specific <S,G> pair and no further reports follow, it may cause outages.

PRJ-52653,
PMTR-80016

Routing

A core dump for the ROUTED process is created while changing the Security Gateway PIM configuration from Bootstrap-Candidate to Candidate-RP using the "set pim" command.

PRJ-52651,

PRJ-52658,

PRJ-52655,
PRHF-31818,

PRHF-31977,

PMTR-78961

Routing

Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated.

PRJ-53568,
PMTR-100631

Routing

In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor.

PRJ-53855,
PRHF-33138

Routing

ROUTED process assert failure may take place when LSA from a neighbor's retransmission list is freed if that LSA belongs to the max age hold tree that is flooded at max age.

PRJ-51982,
ROUT-2393

Routing

When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing.

PRJ-49578,
PRHF-30498

Routing

The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected.

PRJ-50025,
PRHF-29091

Routing

The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces.

PRJ-49559,
PRHF-30457

VPN

When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed.

PRJ-49217,
PRHF-30327

VPN

Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled.

PRJ-47952,
PMTR-92800

VPN

Establishing an IKEv2 tunnel with Cross AZ Cluster may fail.

PRJ-50175,
PRHF-30759

VSX

In some scenarios, installing policy via vsx_util may be stuck.

PRJ-51346,
PMTR-97885

VSX

High CPU usage on SND cores when many interfaces are configured. Refer to sk181860.

PRJ-49567,
PRJ-49192

VSX

Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages.

PRJ-51296,

PMTR-97905

VSX

When adding a new Virtual System, a CPD core dump file may be generated.

PRJ-50486,
PRHF-30667

Gaia OS

SNMP query does not bring the CPUSE package information for a single OID (not a table).

PRJ-46142,
PRHF-28669

Gaia OS

Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content.

PRJ-51219,
PMTR-92877

Gaia OS

Clish may deny access of a non-local RADIUS user.

PRJ-50508,
PRHF-30939

Gaia OS

There may be some inconsistent syntax in the "comment" section for interface and static-route commands.

PRJ-48719,
PRHF-29974

Gaia OS

The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option.

PRJ-45115,
PRHF-28172

Gaia OS

Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that.

PRJ-47176,
PRHF-29200

Gaia OS

When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration.

PRJ-47720,
PRHF-29658

Harmony Endpoint

The Application Scan Push Operation fails to upload an .xml file. Refer to sk181280.

PRJ-50588,

PRHF-30890

CloudGuard Network

In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail.

PRJ-46989,
PRHF-28944

VoIP

In some scenarios, SIP TCP connections are dropped after a cluster failover.

PRJ-47994,
PRHF-29577

VoIP

When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525.

PRJ-50826,
PMTR-97227

Scalable Platforms

In a rare scenario, file system corruption may lead to a failure identifying the Maestro Orchestrator hardware model during the Maestro Orchestrator OS boot process, causing the boot to fail.

PRJ-44137,
MBS-16756

Scalable Platforms

If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues.

PRJ-52531,

PMTR-99841

Scalable Platforms

After dynamic routing manager failure and recovery, connections are dropped with a log message "TCP out of state: First packet isn't SYN". Refer to sk181874.

PRJ-46063,
PRHF-28410

Scalable Platforms

Querying SP Interface Data via SNMP may intermittently fail.

PRJ-50737,
PRHF-29610

Scalable Platforms

The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674.

PRJ-49103,
PMTR-93551

Scalable Platforms

When creating a Security Group creation in Maestro Orchestrator WebUI, and the password contains the "(" "&" or ";"characters, the operation fails with "Failed to apply new topology" or with "Gaia Web-UI recognized a non-valid input data".

PRJ-50680,

PRHF-30764

Scalable Platforms

Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed.

Take 139

Released on 19 March 2024 and declared as Recommended on 7 April 2024

PRJ-53598,

PRJ-53592

Security Gateway

Security Gateway with Anti-Virus blade enabled may sporadically crash because of memory corruption.

See the Important Notes section.

PRJ-53366,

PRHF-32706

VPN

VPN IKEv2 negotiation with a third party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS by default offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log.

See the Important Notes section.

PRJ-53287

Scalable Platforms

In a Maestro environment, after installing R81.10 Jumbo Hotfix Accumulator Take 135 and a reboot, members may intermittently go down due to MAC flapping.

See the Important Notes section.

Take 135

Released on 12 February 2024

PRJ-52627,

ODU-1392

Web SmartConsole

UPDATE: New features and improvements are released in Take 94 via self-updatable package. Refer to sk170314.

PRJ-52819,
ODU-1491

CPView

UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521.

PRJ-52595,
ODU-1499

CPView

UPDATE: Added Take 77 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-52586,
ODU-1460

Threat Prevention

UPDATE: Added Update 23 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-44134,

MBS-16004

Scalable Platforms

Member state may flap between Active and Ready.

PRJ-51301,

PRHF-31310

Scalable Platforms

When using NAT64 rules, Server to Client traffic may be dropped because of the "Out of state" error.

PRJ-46222,

PMTR-88316

Scalable Platforms

During site failover, IPv6 traffic that goes through the Warp interface may be interrupted.

PRJ-52983,

PMTR-99552

Scalable Platforms

In a VSX environment, LACP Bond traffic may fail with the "incomplete ARP" error.

See the Important Notes section.

Take 132

Released on 25 January 2024

PRJ-52491,

PMTR-99615

ClusterXL

The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891.

See the Important Notes section.

PRJ-52558,

PMTR-100084

Security Gateway

When in the NAT Rule Base there are domain objects with uppercase letters, the NAT rules may not be matched. Refer to sk167194.

See the Important Notes section.

Take 131

Released on 14 January 2024

PRJ-51031

Security Management

NEW: Added ability to R81.10 Security Management Server and Multi-Domain Management Server to manage 19000 and 29000 Check Point appliances.

  • Requires installing R81.10 SmartConsole Build 420 (or higher).

PRJ-50368,
PMTR-94786

Security Management

NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers.

PRJ-50103,

PRHF-30325

Diagnostics

UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository.

PRJ-45064,
PRHF-28095

Security Management

UPDATE: Added support for scheduling automatic purges of the System Data domain.

PRJ-52356,
ODU-1400

CPView

UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-33058,
PMTR-74320

Logging

UPDATE: Added a boolean parameter to Management API command for configuring logs distribution between multiple Log Servers - "logs-settings.distribute-logs-between-multiple-active-servers".

Syntax: mgmt_cli -r true set simple-gateway name <gw_name> logs-settings.distribute-logs-between-multiple-active-servers <true/false>

  • Supported on Security Gateway running version R81.10 and higher.

PRJ-49365,
PRHF-28875

Security Gateway

UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302.

PRJ-46318,
PMTR-92164

Security Gateway

UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log.

PRJ-48140,
PMTR-93683

Threat Prevention

UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds.

PRJ-51510,
ODU-1248

Threat Prevention

UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-43433,
PRHF-26673

Threat Prevention

UPDATE: It is now possible to add exceptions to external IoC feeds.

PRJ-52041,
ODU-1201

Threat Extraction

UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832.

PRJ-49316

Identity Awareness

UPDATE: Optimized memory consumption of Identity Broker in the synchronization flow.

PRJ-47915,
AVIR-1544

Anti-Virus

UPDATE: Improved Anti-Virus caching mechanism to prevent generating malicious sub-domains in Background resource categorization mode.

PRJ-49232,
PMTR-92549

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 80008407.

PRJ-43433,
PRHF-26673

SecureXL

UPDATE: It is now possible to add exceptions to external IoC feeds.

PRJ-48108,
PMTR-90795

VSX

UPDATE: Changed the vsx push configuration log:

  • The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

  • The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

PRJ-43882,
PMTR-86708

VSX

UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX.

PRJ-47450,
ACCHA-3284

Gaia OS

UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:

  • CPAC-2-40F

  • CPAC-2-40F-B

  • CPAC-2-40F-C

  • CPAC-2-100/25F

  • CPAC-2-100/25F-B

PRJ-48010,
PRHF-29711

Gaia OS

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

PRJ-50873,
PMTR-97129

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

PRJ-45236,
PRHF-28236

Gaia OS

UPDATE: SNMP traps for interfaces going up and going down now contains the interface name and description.

PRJ-47188,
PRHF-28352

CloudGuard Network

UPDATE: Added the "namespace" label to pods in Kubernetes Data Center.

PRJ-48081,
PRHF-29774

CloudGuard Network

UPDATE: Added support for Azure Scale sets with Flexible orchestration mode.

PRJ-48789,
PMTR-94130

CloudGuard Network

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

PRJ-47560

IoT

UPDATE: Enabled new docker capabilities on IoT Gateways.

PRJ-48200,
PRHF-29851

Security Management

Login using the API fails if the Security Management Server has multiple IP addresses and they are not defined on the Management Server object in SmartConsole.

PRJ-48381,
PRHF-29957

Security Management

In SmartConsole, export of policies with the "Hit count" column may get stuck.

PRJ-48037,
PRHF-29549

Security Management

An audit log may not be created after running Revert to Revision.

PRJ-47966,
PRHF-29565

Security Management

In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178.

PRJ-50029,

PMTR-95988

Security Management

The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626.

PRJ-43289,
PRHF-26909

Security Management

In rare scenarios:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-49195,
PRHF-30329

Security Management

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

PRJ-47038,
PRHF-29235

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

PRJ-34860,
PRHF-20141

Security Management

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

PRJ-46828,
PRHF-28923

Security Management

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

PRJ-48370,
PRHF-29850

Security Management

The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util.

PRJ-49370,
PRHF-30255

Security Management

In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460.

PRJ-48897,
PRHF-30157

Security Management

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

PRJ-48691,
SL-8197

Security Management

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

PRJ-33005,
PMTR-75194

Security Management

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

PRJ-48161,
PMTR-93236

Security Management

The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field.

PRJ-44800,
PMTR-82908

Security Management

In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file.

PRJ-48200,
PRHF-29851

Security Management

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

PRJ-48864,
PRHF-30091

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-48441,
PRHF-30005

Security Management

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

PRJ-45898,
PRHF-28666

Security Management

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

PRJ-49225,
PRHF-30300

Security Management

In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-49883,
PRHF-30289

Security Management

Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report.

PRJ-49989,
PRHF-30686

Security Management

The "fwm sic_reset" command may fail and generate a core dump.

PRJ-50435,
PMTR-96433

Security Management

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

PRJ-50358,
PRHF-30763

Security Management

In multi-site environments, when using LDAP administrators configured on an external LDAP Server, logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status.

PRJ-46634,
PMTR-88417

Security Management

Application Control and IPS updates may take a long time.

PRJ-48704,
PRHF-29307

Security Management

In some scenarios, in High Availability Security Management Server environments, there may be increase of the database on the Security Management Server.

PRJ-49714,
PRHF-30513

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-49479,
PRHF-29987

Multi-Domain Security Management

When viewing Subordinate CA objects in SmartConsole:

  • Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

  • The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

  • The fix requires installing SmartConsole R81.10 Build 420 (or higher).

PRJ-48796

Multi-Domain Security Management

When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects.

PRJ-46435,
PRHF-28762

SmartProvisioning

After importing or deleting snort protections in the IPS Protections view, the view may not show the change.

  • The fix requires installing SmartConsole R81.10 Build 420 (or higher).

PRJ-47342,
PRHF-29472

SmartView

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

PRJ-47219,
PRHF-29347

Logging

The "fwm logexport" returns "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

PRJ-48342,
PMTR-93310

Logging

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

PRJ-46187,
PRHF-28421

Logging

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management side shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

PRJ-48727,
PMTR-93770

Logging

In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud.

PRJ-47209,
PRHF-29194

Security Gateway

When running the tp_collector tool, the FW_FULL process may unexpectedly exit.

PRJ-47268,
PRHF-29384

Security Gateway

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

PRJ-44701,
PRHF-27451

Security Gateway

In rare scenarios, the WSDNSD process an RST connection may write to a broken pipe, which causes it to restart constantly.

PRJ-47331,
PMTR-92600

Security Gateway

When using the "cpstop" command on the Security Gateway, the fw_full core may be generated.

PRJ-48247,
PMTR-86113

Security Gateway

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

PRJ-47520,
PRHF-29318

Security Gateway

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

PRJ-48153,

PRHF-29602

Security Gateway

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

PRJ-44701,
PRHF-27451

Security Gateway

In rare scenarios, the WSDNSD process may restart because of an internal error.

PRJ-46410,
PMTR-90123

Security Gateway

The Security Gateway may listen to the ports used by NAT.

PRJ-47370,
PMTR-88610

Security Gateway

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

PRJ-45693,
PRHF-28403

Security Gateway

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

PRJ-48022,
PMTR-91868

Security Gateway

In some scenarios, when IPS is enabled, CPU spikes may occur.

PRJ-48822,
PRHF-29853

Security Gateway

In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway.

PRJ-48809,
PRHF-29932

Security Gateway

VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481.

PRJ-50555,
PRHF-30793

Threat Prevention

In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process.

PRJ-45901,
PMTR-91000

Threat Prevention

The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied.

PRJ-49877,
PRHF-30512

Threat Prevention

Traffic directed towards a host situated behind the Security Gateway is not blocked. For instance, if an IP address listed in the feed sends an ICMP request, it will reach a host behind the Gateway without being blocked. Refer to sk132193.

PRJ-49008,

PMTR-92233

Threat Prevention

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

PRJ-47459,
PRHF-29514

Threat Prevention

In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash.

PRJ-47446,
PRHF-29413

Threat Prevention

When configuring ioc feeds from the management:

  • The "no_ssl_validation" variable may be deleted after the policy installation.

  • Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

PRJ-33431

Threat Prevention

In a rare scenario, a memory leak in the FWD process may occur after installing a Threat Prevention policy.

PRJ-48086,
PMTR-93601

Threat Prevention

An outage may occur when an unsupported SSH cipher is selected.

PRJ-46884,
PMTR-92083

Threat Prevention

Uploading an IoC file containing invalid characters (for example, quotation marks) may cause failure of Threat Prevention policy installation.

PRJ-49512,
PMTR-94919

Threat Prevention

In a rare scenario, changes in Threat Prevention Custom Intelligence feeds settings may not be applied after policy installation.

PRJ-48925,
PMTR-88858

Threat Prevention

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

PRJ-48429,
PMTR-93558

Threat Prevention

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

PRJ-47131,
PRHF-29215

Threat Prevention

The output of the "fw amw unload" command shows the policy gets unloaded, however CPVIEW still shows that the blades are enabled. Refer to sk181148.

PRJ-46904,
PRHF-29115

Threat Prevention

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

PRJ-46758,
PRHF-28441

Identity Awareness

The ida_tables_util tool may fail with the "bad adress" error.

PRJ-48274,
PRHF-29815

Identity Awareness

There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417).

PRJ-47441,
PMTR-92960

Identity Awareness

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

PRJ-45720,
PRHF-27843

Application Control

Policy installation fails when a custom application and user category have the same name.

PRJ-46198,
PMTR-85660

Application Control

CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186.

PRJ-49533,
PMTR-95032

Application Control

In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured.

PRJ-49044,
PRHF-30082

DLP

The DLP process may unexpectedly exit during policy installation.

PRJ-47935,
PRHF-29090

Anti-Virus

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

PRJ-47239,
PRHF-29289

Anti-Virus

Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode.

PRJ-48972,
PRHF-30090

Anti-Virus

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

PRJ-48127,
PMTR-93685

Anti-Virus

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

PRJ-48699,
PMTR-90439

SSL Inspection

A FWK process memory leak may occur when canceling the download of a large file in the middle of the process.

PRJ-43929,
PMTR-89813

ClusterXL

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

PRJ-51174

ClusterXL

When working in User Mode (UPPAK), after a reboot, SSH connection to the Standby member may be interrupted because of an ARP failure.

PRJ-51316

ClusterXL

In some scenarios, it may not be possible to connect to the Security Gateway cluster members when User Mode (UPPAK) is enabled.

PRJ-50419

SecureXL

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

PRJ-49682

SecureXL

Latency may occur when packets accelerated by LightSpeed go through connections with a lower than 100K PPS rate.

PRJ-49796,
PRHF-30310

SecureXL

In some scenarios, the link state of uplink ports may be "Down".

PRJ-50943,
ACCHA-3546,

PRJ-50948,
PMTR-74344,

PRJ-50951,
PRHF-30474,

PRJ-50937,
PMTR-90999

SecureXL

In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch.

PRJ-48819,
ACCHA-3434

SecureXL

Appliances with LightSpeed acceleration enabled may experience cluster failovers, even when the CPUs are not fully utilized (for example, at 30%) and the traffic load is low (as little as 1 GB).

PRJ-50941,
ACCHA-3219

PRJ-50939,
ACCHA-3355

SecureXL

In some scenarios, the VSX Security Gateway may crash when sending VPN encrypted traffic through a Virtual Router/Switch.

PRJ-49794,
PRHF-30272

SecureXL

When modifying the MTU of a master bond interface with LightSpeed subordinate interfaces, it may not be set correctly on the bond itself, although applied correctly on the LightSpeed subordinate interfaces.

PRJ-48760,
PMTR-93332

SecureXL

The port beacon feature also known as interface discovery or port blinking may not work correctly in User Mode (UPPAK).

PRJ-49757,
PMTR-95601

SecureXL

Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces.

PRJ-51471,
ACCHA-3743

SecureXL

In some scenarios (when there are more than 64000 connections), the Security Gateway accounting information may not be reported correctly on connections that are accelerated through the Quantum LightSpeed hardware.

PRJ-48824,
ACCHA-3365

SecureXL

In some scenarios, when adding warp interfaces to a Virtual Router or Virtual Switch, the VSX Security Gateway may not properly insert these interfaces into the SecureXL accelerated interfaces list.

PRJ-49378,

PRHF-30056

SecureXL

Syn Defender may not correctly handle reused connections.

PRJ-37918,
PMTR-79738

Routing

After policy installation, Application Based Routing configuration may be lost, and CLI commands are not shown in the configuration summary.

PRJ-49240,
ACCHA-3549

Routing

If the Security Gateway is in UPPAK mode and a PBR rule directs traffic to a Server on a different subnet, deleting the ARP entry for the Gateway on the Server can disrupt the traffic flow.

PRJ-50832,
PMTR-96490

Routing

The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios.

PRJ-49961,
PMTR-95764

Routing

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

PRJ-49236,
PMTR-94838

Routing

When one of the multiple PIM neighbors goes down on the LAN, there may be outages in multicast traffic.

PRJ-45127,
PMTR-89945

VPN

Back connection does not function on the Statically NATed Office Mode address as expected.

PRJ-47243,
PRJ-45838

VPN

IKEv2 tunnels may not synchronize during a Multi-Version Cluster (MVC) upgrade from R80.40, leading to a VPN outage during an upgrade.

PRJ-46251,
PRHF-28718

VPN

The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857.

PRJ-42958,
PRHF-26612

VPN

When SCV is enabled, Capsule Connect/ Capsule VPN clients may fail to access internal resources.

PRJ-49650,
PRJ-49485

VPN

VPN connectivity may be unstable when IPv6 and VPN star communities are configured.

PRJ-47877,
PRHF-29650

Multi-Portal

The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication.

PRJ-50312,
PMTR-96307

Multi-Portal

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

PRJ-50954,
PRHF-30747

VSX

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router.

PRJ-44268,
PMTR-86105

VSX

Virtual System context may not be handled correctly by CPView, for example, the same interfaces may be listed on all virtual systems.

PRJ-47398,
PRHF-29485

VSX

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

PRJ-47796,
PRHF-29709

VSX

A memory leak may occur in the CPD process.

PRJ-48830,
PRHF-29729

VSX

In some scenarios, the VXLAN Driver Kernel may crash.

PRJ-46020,
PRHF-28611

Gaia OS

The SNMPD process memory consumption may be high, which causes the process to become unresponsive.

PRJ-46971,
PRHF-29232

Gaia OS

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

PRJ-43044,
PRHF-26539

Harmony Endpoint

E2 engine may send an incorrect value of datDate in sync request.

PRJ-41089,

PRHF-23636

Harmony Endpoint

When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers.

PRJ-51096,
PRHF-30734

Harmony Endpoint

Due to a synchronization issue between the Policy Server and Primary Server, the Endpoint clients may be connected to the Primary Server instead of the Policy Server.

PRJ-47899,
PRHF-29630

CloudGuard Network

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

PRJ-47734,
PRHF-29654

CloudGuard Network

After an upgrade, Azure Gov mapping may fail.

PRJ-50345,
MBS-17829

Scalable Platforms

When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash.

PRJ-49466,
PRHF-30344

Scalable Platforms

On a Security Group with MDPS enabled:

  • The "asg perf" command on a Security Group does not show any output - the Gaia OS prompt appears immediately after entering the command and pressing the Enter key.

  • When running the "mac_verifier" and other commands on a Security Group, the output may show the error message "mount of /sys failed: device or resource busy".

  • The "distutil verify -v" command on a Security Group returns "verification failed".

After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane.

See sk182076.

PRJ-50347,
MBS-17803

Scalable Platforms

In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash.

PRJ-46574,
PMTR-92205

Scalable Platforms

In a Maestro environment, LACP bond subordinates may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and subordinates is significantly high.

PRJ-47372,
PRJ-46817

Scalable Platforms

  • If member ID 1 is removed and then re-added to the Security Group on the active site, while there are two or more active members, it may result in a matrix mismatch. This can potentially lead to traffic interruption until member ID 1 becomes active again.

  • Similarly, installing Jumbo Hotfix Accumulator when member 1 is absent may result in the same behavior and Jumbo Hotfix Accumulator installation may be blocked.

PRJ-50746,
PRHF-30416

Scalable Platforms

Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data.

PRJ-49069

Scalable Platforms

If multiple Quantum LightSpeed interfaces are added or removed on a bond interface before rebooting the Security Gateway, traffic may not go through.

PRJ-48723,
PMTR-67380

Scalable Platforms

When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only.

PRJ-48929,
PMTR-92547

Scalable Platforms

Connectivity issues may occur in a Maestro Security Group when VLAN encapsulation is disabled on Orchestrators in a Maestro Dual Site environment. Refer to sk181385.

PRJ-40755,
PMTR-85465

Scalable Platforms

Additional reboot is performed when adding a new member to a Security Group with image clone enabled.

PRJ-44500,
PRHF-27538

Scalable Platforms

Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file.

PRJ-48987,
PMTR-94987

Scalable Platforms

The Security Gateway may lose connectivity to Maestro Hyperscale Orchestrator (MHO) when running the "tcpdump -i any" command.

PRJ-48852,
PMTR-94227

Scalable Platforms

In a Maestro Orchestrator environment, the "orch_stat -p" command may bring the "invalid literal for int() with base 10" error message.

PRJ-45520,
PMTR-94794

Scalable Platforms

Reboot may take a long time.

PRJ-46647,
PMTR-74779

Scalable Platforms

In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW).

Take 130

Released on 18 December 2023 and declared as Recommended on 25 December 2023

PRJ-50417,

PRHF-30748

CloudGuard Network

UPDATE: The automatic scanning of NSX-T IP ranges feature is now disabled by default. Refer to sk181614.

See the Important Notes section.

PRJ-51598,

SMB-16203

Security Management

In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803.

Take 129

Released on 13 November 2023 and declared as Recommended on 3 December 2023

PRJ-50898,

PRHF-31187

Security Gateway

A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security.

Take 128

Released on 6 November 2023

PRJ-49938,

PRJ-49979

Security Management

UPDATE: Removed a redundant rule-assistant.war package.

PRJ-49824,

PMTR-95347

Security Management

UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22.

PRJ-49695,

PMTR-96310

Security Management

UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3.

PRJ-49786,

PMTR-95614

Security Management

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

PRJ-49891,

PMTR-95687

Security Management

UPDATE: Removed a redundant guava package.

PRJ-50264,

PRJ-49965,

PRJ-49011,

ODU-1137,

ODU-1256,

ODU-1304

Web SmartConsole

UPDATE: New features and improvements are released in Take 81, Take 85, Take 88 and Take 90 via self-updatable package. Refer to sk170314.

PRJ-49108,

PMTR-94517

SmartConsole

UPDATE: Applied security related improvements to the Jetty open source library.

PRJ-50325,

PRJ-50324,

PRJ-50124,
ODU-1328,

ODU-1217

CPView

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-50042,
ODU-1264

CPView

UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458.

PRJ-50092,

PRHF-30702

Security Gateway

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

PRJ-49493,
ODU-1170

Threat Prevention

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-49745,

PMTR-95099

Mobile Access

UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default.

PRJ-49937,

PRJ-49936

Harmony Endpoint

UPDATE: Upgraded symmetricDS to the 3.14.9 version.

PRJ-45980,
ODU-1154

Scalable Platforms

UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-50542,
ODU-1113

HCP

UPDATE: Added Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-48878,
PRHF-29542

Security Management

  • Running a Gaia API command on a Security Gateway using Management API from the Multi-Domain Security Management Server fails.

  • Running a Gaia API command on a Security Gateway using Management API from the Security Management Server fails if the Security Gateway certificate was not recreated.

PRJ-49204,
PRHF-30319

Security Management

  • When updating Inline Access Layers, Threat Exceptions, and HTTPS Inspection (TLS) rules, the "Policy Name" field in the Audit Log may be incorrect.

  • The "Where used" operation fails for users with read-only permissions.

Refer to sk181471. See the Important Notes section.

PRJ-50082,

PMTR-96031

Threat Prevention

In rare scenarios, the FW1 process may stop working when at least one of these features is enabled:

  • Anti-Virus deep scan

  • Threat Emulation

  • Threat Extraction

  • Application Control

  • Data Loss Prevention

  • URL Filtering

PRJ-50190,

PMTR-96205

IPS

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

PRJ-50639,
PMTR-96893

ClusterXL

ARP requests sent with VMAC from the Standby member may cause MAC flapping.

See the Important Notes section.

PRJ-49905,
PMTR-95831

Routing

When BGP local address is configured, BGP peer may fail to establish.

See the Important Notes section.

PRJ-49653,
PMTR-95476

Scalable Platforms

In a Quantum Maestro / Scalable Chassis environment, there may be a delay during TCP start negotiation for fully accelerated connections, which are distributed asymmetrically. For example, C2S distribute to member 1_1 and S2C to member 1_2.

To maintain the original behavior (prior to R81.10 Jumbo Hotfix Take 128), follow these steps before starting the Jumbo Hotfix Accumulator upgrade:

  • Force the sticky behavior in the Correction Layer in the current session:

    g_fw ctl set int ccl_force_sticky 1

  • Force the sticky behavior in the Correction Layer permanently:

    g_update_conf_file fwkern.conf ccl_force_sticky=1

Refer to sk181464. See R80.20 SmartConsole Releases.

Take 113

Released on 6 September 2023

PRJ-47121,
PMTR-92660

Anti-Spam

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-48299,
PMTR-93298

SmartConsole

UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.

  • Requires installing SmartConsole Build 417 (or higher).

PRJ-48317,
ODU-1121

Web SmartConsole

UPDATE: New features and improvements are released in Take 81 via a self-updatable package. Refer to sk170314.

PRJ-46557,
PMTR-92206

Security Gateway

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

PRJ-44320,
PMTR-90945

Threat Prevention

UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable.

PRJ-44243,
PMTR-87141

Mobile Access

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

  • changes in the cloud service configuration,

  • stability improvement.

PRJ-46315,
PMTR-90870

ClusterXL

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically.

PRJ-47677,
PMTR-88036

VPN

UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN.

PRJ-44280,
PMTR-86206

VSX

UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode.

PRJ-48339,
ODU-1081

CloudGuard Network

UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-45727,
PMTR-91551

Harmony Endpoint

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

PRJ-45771,
PMTR-90618

Scalable Platforms

UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

PRJ-48196,
PMTR-91032

Scalable Platforms

UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway.

PRJ-48404,
ODU-1113

HCP

UPDATE: Added Update 13 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-45988,
PRHF-28558

Security Management

Deleting a Domain that is connected to an AD Group fails.

PRJ-44472,
PRHF-27659

Security Management

Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message.

PRJ-46731,
PRHF-28910

Security Management

In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397.

PRJ-46796,
PRHF-29116

Security Management

The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054.

PRJ-45440,
PRHF-28361

Security Management

In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787.

PRJ-46016,
PRHF-28592

Security Management

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

PRJ-47258,

PRJ-47235,
PRHF-29374,
PRHF-29423

Security Management

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

PRJ-41548,
PRHF-25551

Security Management

QoS policy cannot be installed if the policy package name contains a dot symbol.

PRJ-41244,
PRHF-25050

Security Management

When closing an application from SmartConsole without changes, a redundant revision is created.

PRJ-44987,
PRHF-28001

Security Management

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

PRJ-46003,
PRHF-28590

Security Management

Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object.

PRJ-45799,
PRHF-28187

Security Management

Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report.

PRJ-41460,
PRHF-24486

Security Management

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

PRJ-47011,
PRHF-29254

Security Management

The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>".

PRJ-47050,
PRHF-29196

Security Management

In rare scenarios. in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-45782,
PRHF-27471

Security Management

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

PRJ-47046,
PRHF-29104

Security Management

In rare scenarios, after an upgrade, the Security Management Server may fail to start.

PRJ-47042,
PRHF-29223

Security Management

When using the RADIUS username for authentication, login to SmartConsole may fail.

PRJ-45034,
PRHF-27706

Security Management

Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-46782,
PRHF-28958

Security Management

In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install.

PRJ-47169,
PRHF-29222

Security Management

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

PRJ-46699,
PRHF-24917

Security Management

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

PRJ-40589,
PRHF-85028

SmartConsole

SmartConsole may crash while checking for updates.

  • Requires installing SmartConsole Build 417 (or higher).

PRJ-47469,
PMTR-92958

CPUSE

Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation.

PRJ-45040,
PRHF-28139

Logging

The "Low disk space" warning may be incorrectly displayed in SmartConsole.

PRJ-41167,
PRHF-25147

Logging

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

PRJ-44207,
PRHF-27544

Logging

Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields.

PRJ-45324,
PMTR-79944

Logging

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

PRJ-39450,
SL-6793

Logging

The Logs view may show a "Failed to read record number" message.

PRJ-46840,
PRHF-29149

Logging

In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail.

PRJ-44115,
PRHF-5571

Security Gateway

High CPU is consumed when there are many rules with apps in the Access Rule Base. Refer to sk181264.

PRJ-47889,
PMTR-80974

Security Gateway

When enabling Management Data Plane Separation (MDPS) in Clish, a "Failed to commit the transaction on database" error message may be displayed.

PRJ-44618,
PRHF-27190

Security Gateway

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

PRJ-44189,
PRHF-25647

Security Gateway

The Security Gateway may crash due to a memory issue.

PRJ-47558,
PRHF-29583

Security Gateway

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

PRJ-47325,
PMTR-75350

Security Gateway

Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade.

PRJ-46377,
PMTR-84794

Security Gateway

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

PRJ-45343,
PRHF-28058

Security Gateway

When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route.

PRJ-47602,
PRHF-29572

Internal CA

In rare scenarios, ICA certificate creation and enrollment fail.

PRJ-43727,
PMTR-89275

Threat Prevention

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

PRJ-48191,
PRHF-29760

Threat Prevention

Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters.

PRJ-46837,
PMTR-92384

Threat Prevention

When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake.

PRJ-44691,
PRHF-27890

Threat Prevention

In some scenarios, the Security Gateway fails to export or import IoC feeds.

PRJ-44766,
PRHF-27722

Threat Prevention

Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway.

PRJ-46117,
PMTR-91889

Threat Emulation

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance.

PRJ-47749,
PRJ-47646

IPS

In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex.

PRJ-45836,
TPP-3445

Anti-Virus

DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy.

PRJ-47784,
PRHF-29581

Anti-Virus

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

PRJ-47182,
PRHF-29248

SSL Inspection

The Security Gateway may fail to enforce certificate blacklisting.

PRJ-47203,
PRHF-29309

Mobile Access

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

PRJ-47107,
PRHF-29247

Mobile Access

It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155.

PRJ-45198,
PRHF-28013

ClusterXL

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

PRJ-44275,
PRHF-27346

ClusterXL

A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531.

PRJ-44773,
PMTR-70190

SecureXL

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

PRJ-43639,
PMTR-89506

SecureXL

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

PRJ-47487,
PMTR-93015

Routing

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

PRJ-43248,
ROUT-2018

Routing

Traffic may be dropped when there are many OSPF routes of type 5.

PRJ-47940,
PMTR-93492

Routing

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

PRJ-48117,
PRHF-29848

Routing

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

PRJ-47801,
PRHF-29662

Routing

When a BFD session is added or removed, disabled sessions may incorrectly come up.

PRJ-41794,
ROUT-2195

Routing

Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic.

PRJ-44956,
PMTR-90731

VPN

A potential leak in VPN tunnels in a Multi-Version Cluster.

PRJ-41391,
PMTR-86796

VPN

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

PRJ-47492,
PRHF-28831

VPN

Potential VPN outage during policy installation.

PRJ-42939,
PRHF-25665

VPN

Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##".

PRJ-47837,
PRHF-29698

VSX

In a rare scenario, affinity configuration on VSX may fail.

PRJ-44300,
PMTR-90180

VSX

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

PRJ-43878,
PMTR-87205

VSX

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

PRJ-49350,
PRHF-30364

VSX

In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823.

PRJ-46275,
PRHF-28848

Gaia OS

When changing bond settings, the bond may be missing the global IPv6 Address.

PRJ-47773,
PRHF-28671

Gaia OS

Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485.