List of All Resolved Issues and New Features

NEW: Added ability to run the "verify-policy" Management API command on a private session with unpublished changes.

NEW: We have extended the grace period of Application Control and URL Filtering blade to support you for 90 days contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of SmartEvent blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

UPDATE: Improved Skyline performance. Refer to sk178566.

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

UPDATE: To reduce policy installation time in large environments (that have many instances), policy can be installed in batches.

• Each batch contains several instances that install the policy at the current iteration. By default, the batch size is set to "0" (off).

• To enable it, run a CLI command "cpprod_util FwSetParam CP_INSTALL_POLICY_MT_LIMIT val" and set the value >0.

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed.

In some scenarios, the CME process fails to start.

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail.

Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure.

In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed.

The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base.

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain.

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803.

The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages.

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash.

Stability issues when ICAP client is active.

When Anti-Spoofing is enabled, the Security Gateway may crash.

The Security Gateway may frequently crash with vmcore files, recording invalid context.

In rare scenarios when ISP Redundancy feature is enabled, default route disappears after policy installation.

The certificate in SmartConsole is shown as valid, although it is expired.

In a rare scenario, the mal_conns table may consume a large amount of memory.

Anti-Virus blade fails to parse external IOC feeds that contain commas in the CSV column field value.

When using a host with automatic static NAT in a Threat Prevention policy object, the object will not be enforced.

When Anti-Virus blade is enabled, the Security Gateway may crash because of a memory allocation issue.

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

A connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs.

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode.

Web applications may not work correctly when Mobile Access blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored.

Multicast traffic may get dropped, and no logs are generated.

In some scenarios, when NAT is configured, VoIP traffic is dropped.

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

StrongSWAN Remote Access client can connect but fails to access internal resources.

A memory leak may occur in the VPND process.

In VSX, if Dynamic Balancing was manually disabled on R81.10, after an upgrade from R81.10 to R81.20, it automatically gets enabled.

The backup operation fails if the backed-up directory content is larger than 10GB.

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

When setting password hash on cloning group members, some members may not get updated.

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel.

Refer to sk179651.

Running the "show" or "set" commands for SSH in gClish fails.

The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.)

Time synchronization task is not performed correctly when using predefined NTP Servers.

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name.

Some Maestro Hyperscale Orchestrator processes may go down after an upgrade and reboot. Refer to sk180509.

The output of the "asg perf" command may not show active software blades.

UPDATE: It is now possible use multiple values when filtering in these views:

• Global Assignments (MDS)

• Permissions (MDS)

• Sessions (MDS)

• IPS (Domain level)

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

UPDATE: Released Take 73 with new features and improvements. Refer to sk170314.

UPDATE: Port 8211 no longer accepts connections with the cipher TLS_RSA_WITH_AES_128_CBC_SHA.

UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL.

UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

UPDATE: The "revert to snapshot" operation is now blocked on Scalable Platforms when the snapshot remains from the previous version and is not created as a part of the current upgrade process.

UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it:

• To enable this option:

• on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 1

• to be boot persistent, run g_update_conf_file fwkern.conf fwha_force_present_state_over_active =1

• To disable this option:

• on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 0

• to be boot persistent, rung_update_conf_file fwkern.conf fwha_force_present_state_over_active =0

UPDATE: Added a new CLI command "fw ctl voip [-p sip\|mgcp\|sccp\|h323][-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection.

UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436.

On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448.

In rare scenarios, in a large environment, after an IPS update, High Availability synchronization may fail with timeout on the Global Domain.

In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred".

An upgrade may fail with timeout during the import of a large database file.

When running the "show access-rule" API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells.

Access Policy installation may fail with the "Internal error occurred during the verification process" error.

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

In rare scenarios, the FWM process may unexpectedly exit.

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700.

After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole.

Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks.

In a large environment, High Availability synchronization for the Global domain may fail with the "Global domain is busy syncing, please check sync status" error.

"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain.

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

An upgrade of the secondary Multi-Domain Security Management Server or Multi-Domain Log Server may fail when simultaneously upgrading several Servers.

In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit.

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), after several initial logs, they may stop coming to the Log Server.

Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses.

Export to CSV in SmartView may be stuck in the "running" status.

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

There may be stability issues when ICAP client is active.

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the NVIDIA ConnectX 100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on.

In some scenarios, the CPD process may unexpectedly exit.

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

After an upgrade, Access Control policy installation may fail with an "Update process is already running" message.

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

Threat prevention policy installation fails if a Custom Intelligence Feeds name includes unsupported characters.

File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

The PDPD daemon may frequently exit during the user authentication flow.

SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query.

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash.

After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing.

After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail.

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

A Hide NAT port may be allocated twice causing the "out of state" drops.

In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory because of a memory leak.

In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot.

The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP.

Connections matching the Access Control rules may get timed out, although they should be rejected according to the configuration.

The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931.

The ROUTED process may unexpectedly exit when the route does not have a next hop.

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710.

Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC).

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

There are trap names duplications in chkpnt.mib and chkpnt-trap.mib which may cause incorrect values when using SNMP traps.

After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups.

In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function.

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

Import of OpenStack Data Center CloudGuard Network objects may fail.

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk177365.

In some scenarios, a newly added Security Group Member (SGM) continuously reboots, and there are core dump files for the CONFD process. Refer to sk178405.

Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic.

In some scenarios, the SNMPD process may unexpectedly exit.

In a dual site environment with two Maestro Hyperscale Orchestrators on each site, the asg diag test may fail in a mixed appliances setup because of a difference in affinity configuration files.

SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926.

When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID.

Failover/failback may cause a non-DR manager member to change state to Down because the ROUTED unexpectedly exits with pnote.

In a Quantum Maestro environment, the sp_upgrade command may fail when working in VSX mode.

• After an upgrade of the on-premises Endpoint Management Server to Jumbo Hotfix Accumulator R81.10 Take 75, it is not possible to connect to the Web Management Server.

• When logging into the Web Management Console, an "API error 9999" message is displayed.

Refer to sk180230.

NEW: It is now possible to clone Access and HTTPS Inspection layers via Management REST API.

UPDATE: Added a new API version (1.8.1). Refer to Management API Reference.

UPDATE: Management API performance improvements:

• When moving a rule, the "set-access-rule" command is now up to 15 times faster.

• When using a rule name, the "set-access-rule" command is now twice as fast.

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144

If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status.

The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645.

Login to Management Server may fail if a trusted client has a subnet mask defined in CIDR notation. Refer to sk177743.

Adding members to a user group may fail when using Management API.

Deleting a Security Gateway in SmartConsole may fail.

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

High Availability synchronization may fail with the "Failed to update shared licenses" error.

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

An Application Control and URL Filtering update may still occur even if the latest version is already installed.

After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors.

A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours.

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

In the Compliance blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it.

UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

After an upgrade from R81 to R81.10, maintenance cleanup may remove some recent logs while not erasing other logs from the disk.

The FWD process may unexpectedly exit and create core dump files.

In some scenarios, the Forensics report fails to open from Harmony Endpoint logs.

The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records.

When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name.

UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750).

UPDATE:

• Added a new global parameter "fw_conn_double_error_allow_print " to enable/disable printing double connection error message to the log. When disabled, the Security Gateway will still drop a new connection if it is already recorded in the connection table, but there will be no error logs.

• Added a new global parameter "fw_conn_double_error_count" to count how many times the error occurred.

In a cluster environment, an ICAP implied rule may not be enforced after policy installation.

When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged.

Refer to sk179431.

Topology auto update may fail because of a too long interface name.

During a failover, BGP session may be re-established due to equal connection timers between two Security Gateways.

After an upgrade, VSX cluster may have frequent failovers.

In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash.

Bond slaves may be visible in the wrong plane.

After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash.

Enhanced connectivity during HTTP2 Inspection.

The RAD daemon may fail and create core dump files on VSX Gateways.

Improved the recovery mechanism for Dynamic Balancing.

UPDATE: Added an automatic extension for Internal CA database to support more than 100,000 certificates.

UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output.

SCP connections may get terminated.

IOC feeds configured in R80.30 cause authentication problems after an upgrade to R81.10. Refer to sk180440.

There may be Security Gateway memory allocation issues related to creating a new Anti-Malware policy.

IOC feed may not load because of a parsing issue with the IP range indicator.

A kernel memory leak may occur during deep file inspection.

Memory consumption may increase after policy installation when Secure ID is configured.

• The /var/log/messages directory may be flooded with "appi_app_db_get_kattrib_info: attribs hash does not exist" messages.

• A Security Gateway may be slow or unresponsive.

Refer to sk178406.

In some scenarios, SSL websites are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283.

When ClusterXL is configured, a file may pass without inspection during a failover.

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

• Downloading or opening the packet capture file from the Anti-Bot log entries may fail with a "File fetching is still in progress" message.

• When opening the capture file link in the log entry in SmartConsole, the "Failed getting the incident file from the gateway. It may be expired" error is shown.

Manual Web Form Single Sign-On (SSO) may fail when passwords contain special characters.

UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers.

In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446.

During a Multi-Version Cluster (MVC) upgrade, there may be state flapping when using the sync interface MAC address bit "02".

UPDATE: The MSS value in the SYN Cookie response can now be configured.

A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode.

Policy installation may cause cluster failover and impact the traffic flowing through the cluster.

There may be high CPU or/and latency in CIFS/SMB connections.

Route Injection Mechanism (RIM) feature may advertise kernel routes that cannot be used (for example, the cable is unplugged, and the network interface is down). This may lead to traffic loss.

If Route Injection Mechanism (RIM) is enabled, and RIM routes are added for destinations that already had dynamic or static routes, the RIM routes are deleted in favor of the existing routes. Losing routes can result in loss of connectivity.

The ROUTED process may unexpectedly exit when querying BGP data.

UPDATE: Added a new command "use_crl_for_revocation_method" which allows setting revocation method back to CRL when OCSP Server is unreachable. Refer to sk179434.

Connection to Endpoint Security Client from the Remote Access VPN may be lost when the VPN tunnel timeout is reached. Refer to sk178891.

Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage.

Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705.

When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources.

Improved Site-to-Site VPN stability.

Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled.

UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode.

Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output.

Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command.

When changing VSLS configuration with vsx_util, setting a new weight for each VS in Automatic mode fails with the "Operation failed. Can't write to database" error. Refer to sk179655.

A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation.

In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash.

Improved packet rate performance on warp interfaces.

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970.

For TACACS users the ">" character is missing to separate the hostname from the commands. The fix is only cosmetic.

IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file.

The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS).

A web session on Quantum Maestro may be expired after a minute, although the configured timeout is 10 minutes.

Web Remote Help returns to the sign-in page after generating the response code. Refer to sk172666.

CPAC-TR-10T-C transceiver is displayed as unsupported, although it is supported.

After an upgrade of a Maestro Orchestrator to R81.10 version, several Maestro Orchestrator Clish commands may fail with errors messages.

CPUSE upgrade of Scalable Platforms may fail.

The asg_perf test may show incorrect data related to acceleration cores number and CPU usage.

When removing a Security Group from Maestro Orchestrator WebUI, Site 2 Gateways may be missing from the Unassigned Gateways pane until the refresh button is clicked.

Improved packet processing on MHO-175 to avoid sudden drops.

UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region.

Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways.

Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056.

UPDATE: Added validation of Custom Application/Site objects to prevent configuring invalid URLs, which causes Access policy installation failure. Refer to sk175187.

In a large scale environment, the Management API command "show-access-rulebase" may take a significant amount of time to complete or time out after 5 minutes.

Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server.

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background.

When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully.

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running it with "details-level full".

The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054.

Packet mode search in HTTPS Inspection policy may not work.

Improved memory usage and performance of Access Policy installation when numerous Network Groups are used in the Access Rule Base.

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag.

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

UPDATE: To prevent duplicates issue in LSM REST API, it is no longer possible to create an object with the same name but written in a different letter case.

The "set-lsm-gateway" command may fail during the SIC initialization.

The PostgreSQL database fully utilizes disk space on the Multi-Domain Management Server when SmartProvisioning is enabled in a large scale environment. Refer to sk178889.

When running the "cp_log_export filter-blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

When there are several Log Servers, a log distribution issue may occur.

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells.

The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position.

In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches.

In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect.

When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995.

The Security Gateway may crash during PM Stats collection.

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

When Anti-Virus blade is enabled, there may be a continuous high memory consumption which can lead to latency.

UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096.

In a scenario, when Ant-Virus Blade is enabled, the Security Gateway may crash during policy installation.

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout

In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)".

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports.

In some scenarios, the Mobile Access applications fail to login because the Security Gateway may not forward HTTP request cookies of some browser-initiated requests to an internal Server.

UPDATE: Added support for the "Same VMAC" feature.

When moving a cluster from Unicast to Multicast LS, Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic lost.

Local connection from the Management interface on a non-standard port (e.g. 8000) may fail.

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603.

UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces will not use the alias IP as the local IP address of the tunnel.

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

There may be high CPU utilization and slow recovery of the ROUTED process after a failover.

It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time.

NEW: KAT tests for IKE and TLS are now validated for FIPS certification.

When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field.

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure.

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction.

Running the "vsx_util vsls" command may end with the "Segmentation fault" error.

The FWK process of Virtual Switch (VSW) may consume a high CPU.

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg.

A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member".

NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN info (interface creation, IP, MTU, comments, state).

The CONFD process may unexpectedly exit and generate a core dump file.

When loading a configuration file to the new Security Gateway, VLAN interfaces may not be added to the bridge as expected.

When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue.

UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time.

When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments".

Policy install or publish may fail because of the CPM process operations overload.

Importing NSX-T Data Center NSGroups with more than 1000 IP addresses may fail and lead to an outage.

The Security Gateway may crash when running UDP and TCP SIP traffic.

UPDATE: Added ability to change CIN interface IP ranges. Refer to sk179028.

UPDATE: The asg_info command is no longer supported on Scalable Platforms. The "cpinfo -Q" command should be used instead.

During Jumbo Hotfix Accumulator installation, the sgm_lsp core dump may be created.

The ROUTED process may unexpectedly exit when OSPF is configured as P2P.

The "asg_excp_conf get" command may fail. Existing exceptions cannot be printed due to unaligned exception max size between kernel and userspace (cphaprob).

A cluster member may fail to perform FullSync and remain in Down state with FULLSYNC PNOTE.

A Security Gateway may not be added to the Security Group distribution matrix when moving from a site with two MHOs to a single MHO.

On Scalable platform Chassis in VSX mode, when adding a new member to Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error.

NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509.

This applies both to SmartProvisioning and SmartUpdate.

Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.

Compliance results for some rules are not available after changing the "Policy Range" of a user-defined rule to a value below 100%. Refer to sk177544.

When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265.

In some scenarios, after editing blades in Simple-gateway/Cluster Ansible modules, the blades are not changed, and Ansible shows that no changes occurred.

The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty.

In rare scenarios, deleting a Security Gateway may fail.

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy.

When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile.

In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768.

IPS profiles and network objects may not be shown in certain views in SmartConsole.

UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain.

LSM devices that were created via the LSM REST API may not fetch the VPN certificate correctly.

Improved the time of creating a new LSM object using the LSM API in large environments.

UPDATE: SmartView reports will now show the new Check Point logo.

"Failed to open /opt/CPsuite-R81.10/fw1/log/" messages may appear in the log_indexer.elg file because of files ending with the ".log" suffix although they are not actual log files.

Improved samples visibility in SmartView Widgets.

On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.

Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP.

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled. Refer to sk105740.

UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.

Improved Gateway internal memory allocation logic.

In some scenarios, file download may fail with the "Connection queue exceeded max size" error.

When using the DAIP Gateway object in the Access Rule Base, the "fwdnd_log_info_lookup failed" debug error may appear in the fwk.elg log, if the relevant rule has log track. Refer to sk178670.

In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.

In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with one of these errors:

• "Content Awareness - Error while processing X: Timeout reach during text extraction."

• "Content Awareness - Error while processing X: File appears corrupted"

• "Too many files in archiveSSH parsing error occurred."

In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn".

When installing policy with acceleration in a loop, after some time, SIC may get disconnected, and installation fails. Refer to sk180397.

While using the Security Zone object in the "Source" column in the Threat Prevention policy, Security Gateways R80.40 and lower do not drop traffic. Refer to sk177605.

The PEP process may unexpectedly exit.

In a rare scenario, a traffic outage may occur.

When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.

When creating a new virtual system, some VSLS parameters like the Virtual System's weight value may be displayed wrong.

When Dynamic Routing protocols are configured on a cluster, a failover to a member that just rebooted may cause a few seconds outage.

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

In Virtual Device Status table, in VS0 context, the output shows the Active-Active status on two members instead of Active-Standby. The issue is cosmetic only.

An Active member in a cluster may make a full reboot during policy installation.

Machine Authentication stability improvements for Remote Access Endpoint Clients.

In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.

In some scenarios, NAT-T tunnel establishment may fail.

During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high.

VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments.

VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes writing the object to the database to fail.

After an upgrade from R80.20SP/R80.30SP to R81.10, pushing accelerated policy may cause all non-SMO SG Members to go down.

In a Multi-Domain environment, the "vsx_util vsls" command may take a few minutes to run.

The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.

NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.

Dynamic routing SNMP OID polling may work only in VSX mode.

When static NAT is configured, VoIP calls may not work.

In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904.

When booting up, the NSX-T CloudGuard Gateway may crash. Refer to sk177703.

During boot on KVM with 10 or more interfaces, the interface order may change.

NEW: Added support for Quantum LightSpeed Appliances Initial Release (Threat Prevention Stream). Refer to sk179432.

UPDATE: Added PIM support for Scalable Platforms.

• The command "snapshot-onetime" (import/export, from/to a remote server) is not supported yet on Scalable Platforms.

• Scalable Platforms support only the local Gaia snapshot.

During policy installation the status of Single Management Object(SMO) may not be stable.

After changing Multi-Queue configurations, members may remain in Down state.

In rare scenarios, changing the number of CoreXL instances in SP environments with many virtual systems may fail.

When the LLDPD and SNMPD coredump files are generated, zombie processes may be created and cause warnings in HCP with no impact.

On Maestro Orchestrator, the SSM_PMD process may consume a high CPU.

Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509.

This applies only to SmartConsole (does not apply to SmartProvisioning).

UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. The parameter is set to "0" by default. Refer to sk178127.

In a Multi-Domain environment, only one hundred Domains appear in the Domains view, although there are more.

In some scenarios, the last modifier name is missing in unpublished sessions and SmartConsole unexpectedly closes.

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144.

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure".

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

In a rare scenario, the FWM process unexpectedly exits.

In a Multi-Domain Management environment, when fetching a LDAP branch using the "fetch" button from the Global Domain tab, the operation may fail.

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

The control connection may not be refreshed together with data connection if the data connection is accelerated. Refer to sk168952.

In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout.

In a rare scenario, the FWD process may unexpectedly exit.

The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228.