List of All Resolved Issues and New Features
|
Review the Important Notes section before installing a new Jumbo Hotfix Accumulator Take. |

Take | Available Since | Recommended Since |
---|---|---|
05 Mar 2023 |
- |
|
19 Jan 2023 |
07 Feb 2023 |
|
12 Jan 2023 |
- |
|
08 Jan 2023 |
- |
|
22 Nov 2022 |
02 Jan 2023 |
|
24 Oct 2022 |
21 Nov 2022 |
|
11 Oct 2022 |
19 Oct 2022 |
|
01 Sep 2022 |
- |
|
29 Jun 2022 |
19 Jul 2022 |
|
02 Jun 2022 |
- |
|
01 May 2022 |
01 Jun 2022 |
|
03 Apr 2022 |
06 Apr 2022 |
|
22 Mar 2022 |
- |
|
22 Feb 2022 |
- |
|
13 Jan 2022 |
20 Jan 2022 |
|
22 Dec 2021 |
02 Jan 2022 |
|
22 Nov 2021 |
- |
|
30 Aug 2021 |
18 Oct 2021 |
ID |
Product |
Description |
---|---|---|
Take 93 Released on 5 March 2023 |
||
PRJ-43407, |
Security Management |
NEW: On-premises Security Management Server can now connect to Infinity Portal. This allows:
Requires:
|
PRJ-42693, |
Security Management |
NEW: Added ability to run the "verify-policy" Management API command on a private session with unpublished changes. |
PRJ-43895, |
Security Gateway |
NEW: We have extended the grace period of Compliance blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43807, |
Application Control, URL Filtering |
NEW: We have extended the grace period of Application Control and URL Filtering blade to support you for 90 days contract expiration to continue providing the best security value during the renewal process. |
PRJ-44255, |
Threat Extraction |
NEW: We have extended the grace period of Threat Extraction blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43910, |
SmartView |
NEW: We have extended the grace period of SmartEvent blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-42181, |
IPS |
NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content. |
PRJ-42658, |
IPS |
UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections. |
PRJ-43723, |
SSL Inspection |
UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates. |
PRJ-43404, |
Diagnostics |
UPDATE: Improved Skyline performance. Refer to sk178566. |
PRJ-41419, |
Security Management |
UPDATE: Connecting a Quantum Security Management Server to Infinity Portal is now supported in the Full High Availability Cluster (when each cluster member has a Security Management Server and a Security Gateway). |
PRJ-42306, |
Security Management |
UPDATE: Improved the "Purge revisions" operation to reduce the size of the database. |
PRJ-36635, |
Security Management |
UPDATE: Added an option to configure the maximum number of IPS SNORT rules. These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config (for MDS - additionally in the $MDS_FWDIR/conf/malware_config file): "[IPS] snort_convertor_max_rules_per_update=<value> snort_convertor_total_rules_num_limit=<value>". Refer to sk136515. |
PRJ-41619, |
Security Management |
UPDATE: To reduce policy installation time in large environments (that have many instances), policy can be installed in batches.
|
PRJ-44559, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55. |
PRJ-43613, |
Gaia OS |
UPDATE: Gaia Cloning Groups will now use the highest TLS version available. |
PRJ-43049, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions. |
PRJ-43025, |
CloudGuard Network |
UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher. |
PRJ-42979, |
Scalable Platforms |
UPDATE: Added support for monitoring hardware of Maestro Orchestrator MHO-175. |
PRJ-40226, |
Security Management |
The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed. |
PRJ-43340, |
Security Management |
In some scenarios, Audit logs may not be created when running remote API commands from Infinity Portal. |
PRJ-41762, |
Security Management |
In some scenarios, the CME process fails to start. |
PRJ-42110, |
Security Management |
The date of a policy configured with "accelerated installation" may not be updated in logs. |
PRJ-42410, |
Security Management |
Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error. |
PRJ-43094, |
Security Management |
After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails. |
PRJ-42042, |
Security Management |
In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail. |
PRJ-41892, |
Security Management |
High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server. |
PRJ-39746, |
Security Management |
Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure. |
PRJ-43363, |
Security Management |
Editing a Global Assignment object using Ansible may fail. |
PRJ-43317, |
Security Management |
In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed. |
PRJ-43254, |
Security Management |
In some scenarios, the "api status" command shows that the Management API service is stopped. |
PRJ-43312, |
Security Management |
The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base. |
PRJ-43314, |
Security Management |
Running API commands with the "dereference-max-depth" parameter with value "0" may fail when the "Groups" field is in the reply. |
PRJ-41928, |
Security Management |
After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294. |
PRJ-42049, |
Multi-Domain Security Management |
In rare scenarios in a Multi-Domain Security Management environment:
|
PRJ-42302, |
Multi-Domain Security Management |
Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain. |
PRJ-43201, |
SmartProvisioning |
Deleting an LSM Gateway via REST API does not revoke the device's VPN certificate. |
PRJ-43589, |
CPView |
In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart. |
PRJ-42100, |
CPView |
CPView may not show some interfaces. |
PRJ-33052, |
Logging |
The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803. |
PRJ-39080, |
Logging |
After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable. |
PRJ-39608, |
Security Gateway |
The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages. |
PRJ-41018, |
Security Gateway |
When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead. |
PRJ-43705, |
Security Gateway |
The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs). |
PRJ-41495, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-43347, |
Security Gateway |
A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data. |
PRJ-38809, |
Security Gateway |
In a rare scenario, when QoS is enabled, the Security Gateway may crash. |
PRJ-39801, |
Security Gateway |
After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash. |
PRJ-40320, |
Security Gateway |
In rare scenarios, the FWK process can unexpectedly exit and cause an outage. |
PRJ-42804, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-43554, |
Security Gateway |
Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled. |
PRJ-42944, |
Security Gateway |
When Anti-Spoofing is enabled, the Security Gateway may crash. |
PRJ-41634, |
Security Gateway |
Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop. |
PRJ-36010, |
Security Gateway |
The Security Gateway may frequently crash with vmcore files, recording invalid context. |
PRJ-42102, |
Security Gateway |
When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled. |
PRJ-43528, |
Security Gateway |
In rare scenarios when ISP Redundancy feature is enabled, default route disappears after policy installation. |
PRJ-42088, |
Security Gateway |
The "fw monitor" command output may contain "no packets left to merge" messages. |
PRJ-42903, |
Internal CA |
The certificate in SmartConsole is shown as valid, although it is expired. |
PRJ-41436, |
Internal CA |
When managing cloud Gateways, the FWM process memory usage may increase. |
PRJ-38490, |
Threat Prevention |
In a rare scenario, the mal_conns table may consume a large amount of memory. |
PRJ-42286, |
Threat Prevention |
The "ioc_feeds set interval -r" command may fail. |
PRJ-41598, |
Threat Prevention |
Anti-Virus blade fails to parse external IOC feeds that contain commas in the CSV column field value. |
PRJ-32738, |
Threat Prevention |
After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml. |
PRJ-42585, |
Threat Prevention |
When using a host with automatic static NAT in a Threat Prevention policy object, the object will not be enforced. |
PRJ-42438, |
Threat Prevention |
Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file. |
PRJ-37567, |
Threat Prevention |
When Anti-Virus blade is enabled, the Security Gateway may crash because of a memory allocation issue. |
PRJ-41688, |
Threat Prevention |
In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file. |
PRJ-42999, |
Identity Awareness |
In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side. |
PRJ-42339 |
Identity Awareness |
In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing. |
PRJ-41323, |
Identity Awareness |
A connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs. |
PRJ-41221, |
Application Control |
In some scenarios, the RAD process may freeze after failing to connect to URL Filtering service. |
PRJ-41378, |
IPS |
When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation. |
PRJ-42591, |
IPS |
The Security Gateway may crash during policy installation because of a memory allocation problem. |
PRJ-35486, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290. |
PRJ-31705, |
Anti-Bot |
The "asg perf --delay" command does not change the "refresh time" on the screen. |
PRJ-43682, |
SSL Inspection |
In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode. |
PRJ-43154, |
Mobile Access |
The CVPND process may unexpectedly exit and create a core dump file. |
PRJ-41259, |
Mobile Access |
Web applications may not work correctly when Mobile Access blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled. |
PRJ-42468, |
Mobile Access |
When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue. |
PRJ-43116, |
ClusterXL |
The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces. |
PRJ-44168, |
ClusterXL |
When handling HTTP/2 traffic, cluster members may crash, generating vmcores. |
PRJ-43003, |
ClusterXL |
Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292. |
PRJ-42464, |
ClusterXL |
Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled. |
PRJ-29668, |
SecureXL |
When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored. |
PRJ-42896, |
SecureXL |
SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router. |
PRJ-42575, |
SecureXL |
Multicast traffic may get dropped, and no logs are generated. |
PRJ-43056, |
Routing |
The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486. |
PRJ-40728, |
VPN |
In some scenarios, when NAT is configured, VoIP traffic is dropped. |
PRJ-43595, PRJ-43299, |
VPN |
Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651. |
PRJ-44944, |
VPN |
When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664. |
PRJ-42879, |
VPN |
When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281. |
PRJ-42561, |
VPN |
When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty. |
PRJ-42762, |
VPN |
Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error. |
PRJ-41375, |
VPN |
StrongSWAN Remote Access client can connect but fails to access internal resources. |
PRJ-42653, |
VPN |
Stability issues of the VPND and IKED processes. |
PRJ-41050, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-41697, |
VSX |
The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database. |
PRJ-42883, |
VSX |
In VSX, if Dynamic Balancing was manually disabled on R81.10, after an upgrade from R81.10 to R81.20, it automatically gets enabled. |
PRJ-41160, |
Gaia OS |
The SNMPD process may exit with a timeout when the ARP table with many ARP entries takes time to calculate its size. |
PRJ-41251, |
Gaia OS |
The backup operation fails if the backed-up directory content is larger than 10GB. |
PRJ-42254, |
Gaia OS |
Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error. |
PRJ-42962, |
Gaia OS |
IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309. |
PRJ-42526, |
Gaia OS |
Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181. |
PRJ-43428, |
Gaia OS |
In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit. |
PRJ-42624, |
Gaia OS |
SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command. |
PRJ-43651, |
Gaia OS |
When setting password hash on cloning group members, some members may not get updated. |
PRJ-43959 |
Gaia OS |
When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail. |
PRJ-40693, |
Harmony Endpoint |
When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit. |
PRJ-43068, |
CloudGuard Network |
Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data. |
PRJ-43259, |
CloudGuard Network |
Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object. |
PRJ-42696, |
VoIP |
In some scenarios, when using static NAT, VoIP traffic may be affected. |
PRJ-43517, PRHF-26939 |
VoIP |
After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-43077, |
VoIP |
While handling a multi-INVITE scenario (where a user registers with multiple devices), and VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption. |
PRJ-43488, |
Scalable Platforms |
Running the "show" or "set" commands for SSH in gClish fails. |
PRJ-31553 |
Scalable Platforms |
In VSX mode, when configuring affinity settings on Security Group members, a new added member may stay in Down state. |
PRJ-30229, |
Scalable Platforms |
The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.) |
PRJ-31658, |
Scalable Platforms |
The output of the "asg perf -6" command shows "IPV6 is Disabled". |
PRJ-43601, PRJ-43213 |
Scalable Platforms |
Time synchronization task is not performed correctly when using predefined NTP Servers. |
PRJ-32255, |
Scalable Platforms |
When running "asg diag verify" in an environment with mixed appliances, the "cores_verifier" command fails if there are unused cores, although it should not. The issue is cosmetic only.. |
PRJ-39602, |
Scalable Platforms |
The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages. |
PRJ-42192, |
Scalable Platforms |
In a multiple upgrade scenario, running the "sp_upgrade-revert" command reverts the setup to the last version, but running it the second time leads to revert instead of performing cleanup. |
PRJ-42899, |
Scalable Platforms |
When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name. |
PRJ-44600 |
Scalable Platforms |
Uninstalling Jumbo Hotfix Take 79-87 from Maestro Orchestrator may cause the REST Server initialization to fail and lead to connectivity issues. |
PRJ-44142, |
Scalable Platforms |
Some Maestro Hyperscale Orchestrator processes may go down after an upgrade and reboot. Refer to sk180509. |
PRJ-43307, |
Scalable Platforms |
Minor packet drop may occur during Maestro Orchestrator graceful reboot. |
PRJ-40549 |
Scalable Platforms |
The output of the "asg perf" command may not show active software blades. |
PRJ-43361, |
Scalable Platforms |
The "set expert-password-hash" command may fail to update the password hash on all cluster members. |
Take 87 Released on 19 January 2023 and declared as Recommended on 7 February 2023 |
||
- |
General |
Alignment to new self-updatable packages. |
PRJ-44014, PMTR-89893 |
VSX |
In VSX, after adding instances to a Virtual System (VS), their state may be inactive. |
Take 85 Released on 12 January 2023 |
||
PRJ-42849, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, traffic may not match rules with custom applications. |
PRJ-43891, |
SSL Inspection |
In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473. |
Take 82 Released on 8 January 2023 |
||
PRJ-39425, |
Security Management |
NEW:
|
PRJ-42564 |
Security Management |
UPDATE: It is now possible use multiple values when filtering in these views:
|
PRJ-38116, |
Security Management |
UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Security Management Server with the Active Global Domain, where the operation is triggered from. |
PRJ-34898, |
Security Management |
UPDATE: Improved the "Assign Global Policy" action time by approximately 50%. |
PRJ-42033, |
Security Management |
UPDATE: Added a new Management API "mgmt_cli verify-management-license". It allows to check how many Security Gateway objects the Management Server license supports. Note that this API does not support Quantum Maestro and VSX. Refer to Management API Reference. |
PRJ-42981, |
Web SmartConsole |
UPDATE: Released Take 73 with new features and improvements. Refer to sk170314. |
PRJ-42981, |
CPView |
UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878. |
PRJ-41229 |
Logging |
UPDATE: Port 8211 no longer accepts connections with the cipher TLS_RSA_WITH_AES_128_CBC_SHA. |
PRJ-38056, |
Logging |
UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message. |
PRJ-32781, |
Security Gateway |
UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL. |
PRJ-42201 |
Threat Prevention |
UPDATE: Reduced loading time of big external Custom Intelligence Feeds. |
PRJ-42702, |
Threat Prevention |
UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-38198, |
UserCheck |
UPDATE: Added support for custom UserCheck objects for Threat Extraction. Previously it was not possible to configure them when using Autonomous Threat Prevention Policy. Refer to sk178764. |
PRJ-41735, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region. |
PRJ-41713, ODU-603 |
Smart-1 Cloud |
UPDATE: Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-27770, |
Scalable Platforms |
UPDATE: The "revert to snapshot" operation is now blocked on Scalable Platforms when the snapshot remains from the previous version and is not created as a part of the current upgrade process. |
PRJ-40628, |
Scalable Platforms |
UPDATE: Blocked the ability to install Jumbo Hotfix Accumulator or to run an upgrade to a major version on Quantum Maestro Security Gateways using the Central Deployment tool in SmartConsole or the Management REST API. |
PRJ-41650, |
Scalable Platforms |
UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it: • To enable this option:
• To disable this option:
|
PRJ-40773, |
Scalable Platforms |
UPDATE: The "Obtain IPv4 Address Automatically" option in the IPv4 and IPv6 tabs of the Gaia Portal's Interface editor is now disabled (as it is on gClish). |
PRJ-41935, |
VoIP |
UPDATE: Added a new CLI command "fw ctl voip [-p sip\|mgcp\|sccp\|h323][-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection. |
PRJ-38613, |
Harmony Endpoint |
UPDATE: Added the "-ignoreDA" flag for "epmcommands" to clean objects from the deleted users and computers, ignoring the "da_installed" flag. |
PRJ-41999, |
HCP |
UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-40540, |
Diagnostics |
The cpview -s export operations may fail on VS0 when cpview_services are running. |
PRJ-43904, |
Security Management |
On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448. |
PRJ-41556, |
Security Management |
After an Application Control update, policy installation may fail. |
PRJ-40943, |
Security Management |
In rare scenarios, in a large environment, after an IPS update, High Availability synchronization may fail with timeout on the Global Domain. |
PRJ-41562, |
Security Management |
After an upgrade, in the Gateways&Servers view, searching Security Gateway objects by their interfaces' IP addresses fails. |
PRJ-39392, |
Security Management |
In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred". |
PRJ-39611, |
Security Management |
After an upgrade, on the Domain level, in the Administrators View, the email and phone of the administrators may be missing. |
PRJ-41679, |
Security Management |
An upgrade may fail with timeout during the import of a large database file. |
PRJ-41576, |
Security Management |
In an environment with many Security Gateways, login to SmartConsole after starting services may take a long time. |
PRJ-34737, |
Security Management |
When running the "show access-rule" API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells. |
PRJ-41071, |
Security Management |
Global Policy reassignment fails with "An internal error has occurred" if a Global rule, Rule Base, or section is created, moved, and then deleted without running a reassignment in between. |
PRJ-41292, |
Security Management |
Access Policy installation may fail with the "Internal error occurred during the verification process" error. |
PRJ-41127, |
Security Management |
Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate. |
PRJ-41976, |
Security Management |
The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119. |
PRJ-40426, |
Security Management |
In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error. |
PRJ-40944, |
Security Management |
In rare scenarios, the FWM process may unexpectedly exit. |
PRJ-41914, |
Security Management |
Installing Database from Security Management on an R80.x Log Server may fail. |
PRJ-42240, |
Security Management |
Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER. |
PRJ-42953, |
Security Management |
In an environment with the Endpoint Security Server, Jumbo Hotfix Accumulator installation may take a long time. |
PRJ-40238, |
Security Management |
Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700. |
PRJ-41671, |
Security Management |
When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue. |
PRJ-42859, |
Security Management |
After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole. |
PRJ-42509, |
Security Management |
Access policy verification may fail when dynamic objects exist in the NAT policy. |
PRJ-40823, |
Security Management |
Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks. |
PRJ-41541, |
Security Management |
The FWK process may unexpectedly exit during Threat Prevention policy installation. |
PRJ-40223, |
Security Management |
In a large environment, High Availability synchronization for the Global domain may fail with the "Global domain is busy syncing, please check sync status" error. |
PRJ-41553, |
Security Management |
Policy installation may get stuck on 99% when resuming queued policy installation tasks. |
PRJ-37832, |
Security Management |
"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain. |
PRJ-40734, |
Security Management |
In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message. |
PRJ-39718, |
Security Management |
It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown. |
PRJ-37311, |
Multi-Domain Security Management |
SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Security Management Server to the Security Management Server. |
PRJ-42291, |
Multi-Domain Security Management |
An upgrade of the secondary Multi-Domain Security Management Server or Multi-Domain Log Server may fail when simultaneously upgrading several Servers. |
PRJ-42105, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, the HitCount retention mechanism may prematurely remove the HitCount data. |
PRJ-41920, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit. |
PRJ-37706, |
Logging |
It may not be possible to filter the "Subscriber" field in SmartLog. |
PRJ-37298, |
Logging |
When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed. |
PRJ-41194, |
Logging |
It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only. |
PRJ-35880, |
Logging |
Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), after several initial logs, they may stop coming to the Log Server. |
PRJ-40492, |
Logging |
In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format. |
PRJ-40144, |
Logging |
Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses. |
PRJ-38052, |
Logging |
Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog. |
PRJ-41917, |
Logging |
Export to CSV in SmartView may be stuck in the "running" status. |
PRJ-41355, |
Logging |
In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic. |
PRJ-41930, |
Logging |
When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-31865, |
Logging |
When exporting logs in CEF format using Log Exporter and the value of the "time-in-milli" parameter is set as "true" (sk173167), the logs are not displayed in ArcSight SIEM Solution. |
PRJ-42414, |
Logging |
When LEA spawning is turned off (sk91343), the FWD process may run out of memory. |
PRJ-37500, |
Logging |
The "epoll is enabled" warning is incorrectly displayed during policy installation. |
PRJ-40235, |
Security Gateway |
There may be stability issues when ICAP client is active. |
PRJ-41864, |
Security Gateway |
After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). |
PRJ-39968, |
Security Gateway |
The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs. |
PRJ-41451, |
Security Gateway |
Policy verification fails when a generic Data Center contains an object with an empty range. |
PRJ-42972, |
Security Gateway |
The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the NVIDIA ConnectX 100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on. |
PRJ-40927, |
Security Gateway |
When installing policy and the kernel parameter "up_log_extended_reason_for_incomplete_match" is set to 1, the Security Gateway may crash. |
PRJ-41580, |
Security Gateway |
In some scenarios, the CPD process may unexpectedly exit. |
PRJ-40109, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL. |
PRJ-43127, |
Security Gateway |
Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption. |
PRJ-39575, |
Security Gateway |
The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS blade is active. |
PRJ-41624, |
Security Gateway |
When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672. |
PRJ-40917, |
Security Gateway |
The Security Gateway may crash because of memory corruption, and the following error appears in the /var/log/message file: "[XXX] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>". |
PRJ-39332, |
Security Gateway |
After an upgrade, Access Control policy installation may fail with an "Update process is already running" message. |
PRJ-35110, |
Security Gateway |
There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling". |
PRJ-41416, |
Security Gateway |
The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs. |
PRJ-40974, |
Threat Prevention |
Threat Prevention policy installation may fail with a "Connection aborted by Peer" message. |
PRJ-41316, |
Threat Prevention |
Threat prevention policy installation fails if a Custom Intelligence Feeds name includes unsupported characters. |
PRJ-41489, |
Threat Prevention |
Loading of Custom Intelligence Feeds with authentication may fail. |
PRJ-38722, |
Threat Prevention |
File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled. |
PRJ-40936, |
Threat Prevention |
In a rare scenario, the Security Gateway may have a memory allocation issue. |
PRJ-41439, |
Threat Prevention |
After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. |
PRJ-38665, |
Threat Prevention |
The DLPU process may unexpectedly exit with a core dump file. |
PRJ-43360 |
Threat Extraction |
In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe". |
PRJ-36509, |
Identity Awareness |
The CPU utilization of the PDP daemon may be high during a specific authentication flow. |
PRJ-38543, |
Identity Awareness |
The PDPD daemon may frequently exit during the user authentication flow. |
PRJ-31975, |
Identity Awareness |
Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot. |
PRJ-34571, |
Identity Awareness |
SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query. |
PRJ-41820, |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification. |
PRJ-42506, |
Application Control |
In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher. |
PRJ-32992, |
IPS |
In some scenarios, IPS logs do not show the correct memory and CPU utilization when IPS is bypassed. |
PRJ-41655, |
IPS |
Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps. |
PRJ-39753, |
Anti-Virus |
The Anti-Virus blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked. |
PRJ-41216, |
Anti-Virus |
In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash. |
PRJ-43181, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and create core dump files. |
PRJ-41973, |
Mobile Access |
After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing. |
PRJ-32969, |
Mobile Access |
Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244. |
PRJ-40833, |
Mobile Access |
After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail. |
PRJ-32972, |
Mobile Access |
Push notification may not be working with the legacy Mobile Access (MAB) Portal. Refer to sk176243. |
PRJ-38460, |
Mobile Access |
In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance". |
PRJ-40745, |
ClusterXL |
The cphaprob show_bond command does not show newly added slaves from Virtual Systems (VSs). |
PRJ-42928, |
ClusterXL |
A Hide NAT port may be allocated twice causing the "out of state" drops. |
PRJ-37151, |
ClusterXL |
In an Active/Active cluster, a member may reboot because of a memory corruption issue. |
PRJ-39184, |
ClusterXL |
In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory because of a memory leak. |
PRJ-42445, |
SecureXL |
The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364. |
PRJ-42073, |
SecureXL |
In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot. |
PRJ-42230, |
SecureXL |
DNS Traffic Steering feature does not work over TCP. |
PRJ-41691, |
SecureXL |
The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP. |
PRJ-42145, |
SecureXL |
SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios. |
PRJ-40266, |
CoreXL |
Connections matching the Access Control rules may get timed out, although they should be rejected according to the configuration. |
PRJ-41504, |
Routing |
Some invalid nexthop and destination addresses from remote BGP peers may be incorrectly handled, causing lost BGP connection. |
PRJ-41724, |
Routing |
The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931. |
PRJ-41870, |
Routing |
Gaia API request "show-routes" may fail with the "generic error" and the ROUTED core dump is generated. |
PRJ-41708, |
Routing |
The ROUTED process may unexpectedly exit when the route does not have a next hop. |
PRJ-41642, |
VPN |
In some scenarios, StrongSwan Client may get disconnected during re-authentication. |
PRJ-41809, |
VPN |
When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels. |
PRJ-40860, |
VPN |
The VPND process may unexpectedly exit. |
PRJ-42729, |
VPN |
In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue. |
PRJ-39171, |
VPN |
Remote Access Client may fail to connect when using machine certificate authentication. |
PRJ-38167, |
VPN |
Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592. |
PRJ-42376, |
VPN |
The IKED process unexpectedly exits when the "Aggressive SLP" (Simultaneous Login Prevention) feature is enabled. |
PRJ-40830, |
VPN |
The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710. |
PRJ-41560, |
VPN |
After an upgrade, the community name may not be visible from SmartView Monitor, and the "snmpwalk" command returns an empty value for this entry. |
PRJ-42310, |
VPN |
Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC). |
PRJ-38516, |
VSX |
SecureXL may not let HTTPS traffic pass through a Virtual Router (VR). |
PRJ-43356, |
VSX |
The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324. |
PRJ-43140 |
Gaia OS |
After an upgrade, the RADIUS Server is unavailable and authentication fails. |
PRJ-41234, |
Gaia OS |
There are trap names duplications in chkpnt.mib and chkpnt-trap.mib which may cause incorrect values when using SNMP traps. |
PRJ-41409, |
Gaia OS |
When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed. |
PRJ-34372, |
Gaia OS |
After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups. |
PRJ-41613, |
Gaia OS |
Information about scheduled backup failure is now displayed in Clish, WebUI, and in the error message inside the log file. |
PRJ-41686, |
Gaia OS |
In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function. |
PRJ-42150, |
CloudGuard Network |
Improved performance of pushing Data Center Objects changes to Security Gateways. |
PRJ-42855, |
CloudGuard Network |
A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings. |
PRJ-41846, |
CloudGuard Network |
Improved handling of NSX-T API responses. |
PRJ-42010, |
CloudGuard Network |
When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway. |
PRJ-42115, |
CloudGuard Network |
AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC). |
PRJ-41463, |
CloudGuard Network |
Import of OpenStack Data Center CloudGuard Network objects may fail. |
PRJ-42257, |
CloudGuard Network |
After an upgrade in a Huawei Cloud environment, a network card may be renamed after a reboot. |
PRJ-28732, |
VoIP |
In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk177365. |
PRJ-40355, |
Scalable Platforms |
When running the "set kernel-routes on/off" and "set domainname <VALUE>" commands through gCLish, the configuration is applied only locally. |
PRJ-36510, |
Scalable Platforms |
In some scenarios, a newly added Security Group Member (SGM) continuously reboots, and there are core dump files for the CONFD process. Refer to sk178405. |
PRJ-40180, |
Scalable Platforms |
In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Module (SGM). |
PRJ-42514, |
Scalable Platforms |
Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic. |
PRJ-40835, |
Scalable Platforms |
In a rare scenario, a non-SMO member may send GARP request over the Management interface, causing traffic impact. |
PRJ-41146, |
Scalable Platforms |
In some scenarios, the SNMPD process may unexpectedly exit. |
PRJ-41473, |
Scalable Platforms |
Configuration of exception entries (asg_excp_conf, see sk175584) does not survive an upgrade. As a result, traffic that was configured to be forwarded to SMO is handled by the original member. |
PRJ-32368, |
Scalable Platforms |
In a dual site environment with two Maestro Hyperscale Orchestrators on each site, the asg diag test may fail in a mixed appliances setup because of a difference in affinity configuration files. |
PRJ-37829, |
Scalable Platforms |
Improved VPN on Quantum Maestro with Security Gateways hidden behind NAT. |
PRJ-41835, |
Scalable Platforms |
SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926. |
PRJ-42558, |
Scalable Platforms |
Policy installation may cause backplane interfaces flapping. This can affect the connectivity with the Maestro Hyperscale Orchestrator, and the members may go to Down state. |
PRJ-39190, |
Scalable Platforms |
When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID. |
PRJ-42947, |
Scalable Platforms |
Optimized the SNMP communication between Security Gateway Module (SGM) and Security Switch Module (SSM) to prevent timeouts. |
PRJ-39318, |
Scalable Platforms |
Failover/failback may cause a non-DR manager member to change state to Down because the ROUTED unexpectedly exits with pnote. |
PRJ-41212, |
Scalable Platforms |
Performance data may not be collected on VSX Security Gateways. |
PRJ-42820, |
Scalable Platforms |
In a Quantum Maestro environment, the sp_upgrade command may fail when working in VSX mode. |
PRJ-42834, |
Scalable Platforms |
When trying to perform the downgrade procedure, a Site may be stuck in Backup state. The issue occurs if, before the downgrade, this Security Group was first upgraded and then its topology was changed. |
Take 81 Released on 22 Nov 2022 and declared as Recommended on 2 January 2023 |
||
PRJ-41364 |
SecureXL |
NEW: Added support for enabling Hardware Acceleration in Quantum LightSpeed Appliances. Refer to sk179432. |
PRJ-42687 |
Harmony Endpoint |
Refer to sk180230. |
PRJ-41507, |
Scalable Platforms |
After an upgrade to Jumbo Hotfix Accumulator R81.10 Take 75 or higher, a member may be in Down state with a "pull_config" pnote. |
Take 79 Released on 24 October 2022 and declared as Recommended on 21 November 2022 |
||
PRJ-38348, |
Diagnostics |
The CPVIEWD process may cause CPU spikes. |
PRJ-40819, |
Security Management |
NEW: It is now possible to clone Access and HTTPS Inspection layers via Management REST API. |
PRJ-41083, |
Security Management |
UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down. |
PRJ-40000, |
Security Management |
UPDATE: Added a new API version (1.8.1). Refer to Management API Reference. |
PRJ-31201, |
Security Management |
UPDATE: Audit logs for Access Control rules now contain more information about the rule. |
PRJ-39462, |
Security Management |
UPDATE: Management API performance improvements:
|
PRJ-40100, PMTR-72725 |
Security Management |
After a policy installation failure, fetching policy on the Security Gateway side by running the "fw fetch local" command may also fail. |
PRJ-37912, |
Security Management |
The flag "--method" for a CME command is not supported in SmartConsole Command Line. |
PRJ-37339 |
Security Management |
Objects that do not belong to groups may be shown in the Group Membership view in SmartConsole. |
PRJ-40205, |
Security Management |
In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144 |
PRJ-38709, |
Security Management |
Login to Domain via Management API using FQDN as the Domain parameter may fail with the "Domain not found" error. |
PRJ-38218, |
Security Management |
If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status. |
PRJ-39805, |
Security Management |
In Object Explorer, when filtering by type, all other filters may disappear until the selected filter is removed. |
PRJ-40587, |
Security Management |
The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645. |
PRJ-40408, |
Security Management |
Editing a Threat Profile object using Ansible automation tool may fail. |
PRJ-38426, |
Security Management |
Login to Management Server may fail if a trusted client has a subnet mask defined in CIDR notation. Refer to sk177743. |
PRJ-39409, |
Security Management |
In the Object Explorer window in SmartConsole, numeric columns are sorted alphabetically, although they should be sorted in numerical order. |
PRJ-40516, |
Security Management |
Adding members to a user group may fail when using Management API. |
PRJ-33896, |
Security Management |
Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled. |
PRJ-40646, |
Security Management |
Deleting a Security Gateway in SmartConsole may fail. |
PRJ-41098, |
Security Management |
The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot. |
PRJ-38789, |
Security Management |
Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524. |
PRJ-39210, |
Security Management |
The output of the "show opsec-application" API command may not show the host object name or UID. |
PRJ-38457, |
Security Management |
High Availability synchronization may fail with the "Failed to update shared licenses" error. |
PRJ-33922, |
Security Management |
Some unused sessions may remain open in the system, consuming memory and CPU. |
PRJ-40721, |
Security Management |
Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object. |
PRJ-40851, |
Security Management |
The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command. |
PRJ-39538, |
Security Management |
An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587. |
PRJ-39223, |
Security Management |
An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain". |
PRJ-40058, |
Security Management |
An Application Control and URL Filtering update may still occur even if the latest version is already installed. |
PRJ-39334, |
Security Management |
Install Policy Presets may fail with the "Install Policy Failed: Could not commit JPA transaction" error. |
PRJ-40547, |
Security Management |
After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors. |
PRJ-40810, |
Security Management |
SmartConsole may unexpectedly disconnect. |
PRJ-40170, |
Multi-Domain Management |
A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours. |
PRJ-39489, |
Multi-Domain Management |
In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect. |
PRJ-38125, PRHF-23066 |
Multi-Domain Management |
Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message. |
PRJ-41286, |
Web SmartConsole |
UPDATE: Released Take 67 with new features and improvements. Refer to sk170314. |
PRJ-40613, |
Compliance |
In the Compliance blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it. |
PRJ-41022, |
CPView |
NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566. |
PRJ-36192, |
Logging |
UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT. |
PRJ-29738, |
Logging |
In SmartView, exporting views or reports that do not have tables may indefinitely continue processing. |
PRJ-40194, |
Logging |
After an upgrade from R81 to R81.10, maintenance cleanup may remove some recent logs while not erasing other logs from the disk. |
PRJ-28112, |
Logging |
In rare scenarios, logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server. |
PRJ-39590, |
Logging |
The FWD process may unexpectedly exit and create core dump files. |
PRJ-40358, |
Logging |
In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596. |
PRJ-30965, EPS-562 |
Logging |
In some scenarios, the Forensics report fails to open from Harmony Endpoint logs. |
PRJ-36477, |
Logging |
In SmartConsole, when Endpoint Policy Management blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713. |
PRJ-32207, |
Logging |
The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records. |
PRJ-41360, |
Logging |
Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully. |
PRJ-41103, |
Logging |
When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name. |
PRJ-34680, |
Security Gateway |
UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215. |
PRJ-40505, |
Security Gateway |
UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750). |
PRJ-38144, |
Security Gateway |
UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1. |
PRJ-40098, |
Security Gateway |
UPDATE:
|
PRJ-40459, |
Security Gateway |
In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway. |
PRJ-38591, |
Security Gateway |
In a cluster environment, an ICAP implied rule may not be enforced after policy installation. |
PRJ-35393, |
Security Gateway |
It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE". |
PRJ-39640, |
Security Gateway |
When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged. Refer to sk179431. |
PRJ-41091, |
Security Gateway |
A kernel crash may occur during system shutdown when PIM is enabled. |
PRJ-41030, |
Security Gateway |
Topology auto update may fail because of a too long interface name. |
PRJ-41033, |
Security Gateway |
The Security Gateway may run out of memory when retrieving topology. |
PRJ-37210, |
Security Gateway |
During a failover, BGP session may be re-established due to equal connection timers between two Security Gateways. |
PRJ-40024, |
Security Gateway |
Access Control policy installation may fail with a "Load on Module failed - problem with the Commit Function" message. |
PRJ-36867, |
Security Gateway |
After an upgrade, VSX cluster may have frequent failovers. |
PRJ-38553, |
Security Gateway |
After an upgrade, Anti-Virus Blade may cause increased memory consumption. |
PRJ-39580, |
Security Gateway |
In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash. |
PRJ-40139, |
Security Gateway |
When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995. |
PRJ-40500, |
Security Gateway |
Bond slaves may be visible in the wrong plane. |
PRJ-40255, |
Security Gateway |
There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server. |
PRJ-34172, |
Security Gateway |
After an upgrade, in a setup with a single Virtual System (VS), the Security Gateway may crash. |
PRJ-39520, |
Security Gateway |
Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886. |
PRJ-40793, |
Security Gateway |
Enhanced connectivity during HTTP2 Inspection. |
PRJ-34404, |
Security Gateway |
Deleting IP addresses in the SAM Database may fail. |
PRJ-27779, |
Security Gateway |
The RAD daemon may fail and create core dump files on VSX Gateways. |
PRJ-40016, |
Security Gateway |
The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP). |
PRJ-40863, |
Security Gateway |
Improved the recovery mechanism for Dynamic Balancing. |
PRJ-41720, |
Security Gateway |
The Security Gateway with enabled Anti-Virus Blade may experience a memory allocation issue. |
PRJ-40390, |
Internal CA |
UPDATE: Added an automatic extension for Internal CA database to support more than 100,000 certificates. |
PRJ-40393, |
Internal CA |
UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424. |
PRJ-40433, |
Threat Prevention |
UPDATE: The "Global Detect" value will now be updated in the "ips stat" command output. |
PRJ-39989, |
Threat Prevention |
UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time. |
PRJ-29736, |
Threat Prevention |
SCP connections may get terminated. |
PRJ-40344, |
Threat Prevention |
The Custom Intelligence Feeds feature may stop enforcing traffic after Threat Prevention policy installation. |
PRJ-37560, |
Threat Prevention |
IOC feeds configured in R80.30 cause authentication problems after an upgrade to R81.10. Refer to sk180440. |
PRJ-34889, |
Threat Prevention |
When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated. |
PRJ-40593, |
Threat Prevention |
There may be Security Gateway memory allocation issues related to creating a new Anti-Malware policy. |
PRJ-41277, |
Threat Prevention |
Adding hash indicators may cause policy installation to fail with a warning message. |
PRJ-40856, |
Threat Prevention |
IOC feed may not load because of a parsing issue with the IP range indicator. |
PRJ-40446, |
Threat Prevention |
Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577. |
PRJ-40438, |
Threat Prevention |
A kernel memory leak may occur during deep file inspection. |
PRJ-39828, |
Identity Awareness |
Removed unnecessary debug messages in the Identity revocation flow. |
PRJ-35836, |
Identity Awareness |
Memory consumption may increase after policy installation when Secure ID is configured. |
PRJ-39162, |
Identity Awareness |
The Nested Groups Depth value changed in CLI may not survive a reboot. |
PRJ-36385, |
Application Control |
Refer to sk178406. |
PRJ-29436, |
URL Filtering |
When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly. |
PRJ-36136, |
URL Filtering |
In some scenarios, SSL websites are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283. |
PRJ-38816, |
URL Filtering |
When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason. |
PRJ-36435, |
IPS |
When ClusterXL is configured, a file may pass without inspection during a failover. |
PRJ-31432, |
IPS |
Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization. |
PRJ-37727, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290. |
PRJ-33295, |
Anti-Virus |
Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag". |
PRJ-39152, |
Anti-Bot |
|
PRJ-40261, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification. |
PRJ-34074, |
Mobile Access |
Manual Web Form Single Sign-On (SSO) may fail when passwords contain special characters. |
PRJ-38436, |
Mobile Access |
When installing a specific hotfix, the CVPND process may unexpectedly exit. |
PRJ-35511, |
ClusterXL |
UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers. |
PRJ-39840, |
ClusterXL |
When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member. |
PRJ-37944, |
ClusterXL |
In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446. |
PRJ-40201, |
ClusterXL |
In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members. |
PRJ-39959, |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade, there may be state flapping when using the sync interface MAC address bit "02". |
PRJ-36734, |
ClusterXL |
In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage. |
PRJ-37632, |
SecureXL |
UPDATE: The MSS value in the SYN Cookie response can now be configured. |
PRJ-39074, |
SecureXL |
UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960. |
PRJ-40295, |
SecureXL |
A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode. |
PRJ-41482, |
SecureXL |
After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops". |
PRJ-36859, |
SecureXL |
Policy installation may cause cluster failover and impact the traffic flowing through the cluster. |
PRJ-40220, |
SecureXL |
In a rare scenario, ipsctl kernel module does not load at startup. |
PRJ-39739, |
SecureXL |
There may be high CPU or/and latency in CIFS/SMB connections. |
PRJ-41957 |
SecureXL |
SecureXL may drop traffic on a VSX Gateway with a Virtual Router (VR) or Virtual Switch (VSW), when IPS blade is enabled. |
PRJ-40550, |
Routing |
Route Injection Mechanism (RIM) feature may advertise kernel routes that cannot be used (for example, the cable is unplugged, and the network interface is down). This may lead to traffic loss. |
PRJ-41208, |
Routing |
When changing PIM configuration, the ROUTED process may unexpectedly exit and generate a core dump due to a race condition. |
PRJ-40548, |
Routing |
If Route Injection Mechanism (RIM) is enabled, and RIM routes are added for destinations that already had dynamic or static routes, the RIM routes are deleted in favor of the existing routes. Losing routes can result in loss of connectivity. |
PRJ-40092, |
Routing |
When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file. |
PRJ-40748, |
Routing |
The ROUTED process may unexpectedly exit when querying BGP data. |
PRJ-36891, |
VPN |
UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on. |
PRJ-41241, |
VPN, Multi-Portal |
UPDATE: Added a new command "use_crl_for_revocation_method" which allows setting revocation method back to CRL when OCSP Server is unreachable. Refer to sk179434. |
PRJ-40730, |
VPN |
UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271. |
PRJ-38634, |
VPN |
Connection to Endpoint Security Client from the Remote Access VPN may be lost when the VPN tunnel timeout is reached. Refer to sk178891. |
PRJ-40386, |
VPN |
The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart. |
PRJ-40870, |
VPN |
Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage. |
PRJ-39808, |
VPN |
Adding a Security Gateway Module (SGM) to a Security Group may cause the Security Gateway crash when Link Selection is enabled in Load Sharing mode. |
PRJ-40562, |
VPN |
Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705. |
PRJ-39236, |
VPN |
When connecting to Capsule VPN on iOS in a Multi-Domain Server or Scalable Platforms environment, loading a website may take up to one minute. |
PRJ-40555, |
VPN |
When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources. |
PRJ-40664, |
VPN |
There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled. |
PRJ-36711, |
VPN |
Improved Site-to-Site VPN stability. |
PRJ-39584, |
VPN |
In a rare scenario, when pushing a policy, the VPND process may unexpectedly exit. |
PRJ-40583, |
VPN |
Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled. |
PRJ-37785, |
VPN |
In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121. |
PRJ-39894, |
VSX |
UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode. |
PRJ-39888, |
VSX |
Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481. |
PRJ-40799, |
VSX |
Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output. |
PRJ-39712, |
VSX |
When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway. |
PRJ-39768, |
VSX |
Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command. |
PRJ-40649, |
VSX |
The VSX Provisioning Tool may unexpectedly exit when adding a new virtual device. |
PRJ-40666, |
VSX |
When changing VSLS configuration with vsx_util, setting a new weight for each VS in Automatic mode fails with the "Operation failed. Can't write to database" error. Refer to sk179655. |
PRJ-38094, |
VSX |
The "Primary Slave" configuration in a Bond (MAGG) interface may not be applied to a Security Group. Refer to sk178765. |
PRJ-41363, |
VSX |
A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation. |
PRJ-42180, |
VSX |
Pushing configuration to a virtual device in a Maestro VSX environment may fail. Refer to sk180107. |
PRJ-40251, |
VSX |
In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash. |
PRJ-40073, |
VSX |
A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586. |
PRJ-40361, |
VSX |
Improved packet rate performance on warp interfaces. |
PRJ-34096, |
VSX |
When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown. |
PRJ-34323, |
VSX |
The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command. |
PRJ-39982, |
VSX |
The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591. |
PRJ-27514, |
Gaia OS |
UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970. |
PRJ-40409, PRJ-42486 |
Gaia OS |
UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653. |
PRJ-39480, |
Gaia OS |
For TACACS users the ">" character is missing to separate the hostname from the commands. The fix is only cosmetic. |
PRJ-36698, |
Gaia OS |
The /var/log/messages file may be flooded with "failed to update arp table file" messages. |
PRJ-40769, |
Gaia OS |
IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file. |
PRJ-40028, |
Gaia OS |
A user locked by the deny-on-nonuse mechanism cannot get unlocked. |
PRJ-40478, |
Gaia OS |
The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS). |
PRJ-40206, |
Gaia OS |
Editing RADIUS Server details multiple times may lead to deletion of this Server in WebUI. |
PRJ-41147, |
Gaia OS |
A web session on Quantum Maestro may be expired after a minute, although the configured timeout is 10 minutes. |
PRJ-40993, |
Gaia OS |
When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted. |
PRJ-32418, |
Harmony Endpoint |
Web Remote Help returns to the sign-in page after generating the response code. Refer to sk172666. |
PRJ-39026, |
Scalable Platforms |
When the "cphaprob list" command fails, CoreXL configuration pnote is not shown when expected. The issue is cosmetic only. |
PRJ-39908, |
Scalable Platforms |
CPAC-TR-10T-C transceiver is displayed as unsupported, although it is supported. |
PRJ-39842, |
Scalable Platforms |
During boot of Maestro Orchestrator, a "Linking SMO files: Not an integer value child process exited abnormally" message may be shown. The issue is cosmetic only. |
PRJ-40908, |
Scalable Platforms |
After an upgrade of a Maestro Orchestrator to R81.10 version, several Maestro Orchestrator Clish commands may fail with errors messages. |
PRJ-32196, |
Scalable Platforms |
In a VSX setup that includes members only in Site 2, asg monitoring commands (such as asg stat vs all) may incorrectly present Chassis 2 state as "N/A". |
PRJ-40342 |
Scalable Platforms |
CPUSE upgrade of Scalable Platforms may fail. |
PRJ-37793, |
Scalable Platforms |
An outage may occur when all Security Gateways are physically disconnected from one of the two Maestro Orchestrators on a dual site. |
PRJ-40454, |
Scalable Platforms |
The asg_perf test may show incorrect data related to acceleration cores number and CPU usage. |
PRJ-40885, |
Scalable Platforms |
HCP may report a false failure on the Maestro Orchestrator Daemons State test. |
PRJ-38177, |
Scalable Platforms |
When removing a Security Group from Maestro Orchestrator WebUI, Site 2 Gateways may be missing from the Unassigned Gateways pane until the refresh button is clicked. |
PRJ-41297, |
Scalable Platforms |
When NAT is configured on both Source and Destination, with delayed sync enabled, connection drops may occur. |
PRJ-40528, |
Scalable Platforms |
Improved packet processing on MHO-175 to avoid sudden drops. |
PRJ-41379, |
CloudGuard Network |
UPDATE: Added support for pushing CloudGuard Controller updates to Gateways with MDPS enabled. However, these updates are not supported on clusters. Refer to sk138672. |
PRJ-41371, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region. |
PRJ-35829, |
CloudGuard Network |
NSX-T NSGroup appears as the default prefix in the domain name. |
PRJ-40840, |
CloudGuard Network |
Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways. |
PRJ-41748, |
Public Cloud CA Bundle |
Added Take 19 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-41144, |
Smart-1 Cloud |
Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-40671, |
HCP |
Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 78 Released on 11 October 2022 and declared as Recommended on 19 October 2022 |
||
PRJ-42051, PRHF-25946 |
Threat Prevention |
Threat Prevention policy cannot be installed on R80.40 and lower Security Gateways when using a Security Zone object in the "Source" column. Refer to sk177605. |
PRJ-42199 |
Scalable Platforms |
On 16600 / 28600HS Quantum Maestro appliances, interfaces can disappear after uninstalling the Jumbo Hotfix. |
Take 75 Released on 1 September 2022 |
||
PRJ-41205 |
Installation |
Refer to sk179799. |
PRJ-34854, |
Security Management |
UPDATE: Added validation of Custom Application/Site objects to prevent configuring invalid URLs, which causes Access policy installation failure. Refer to sk175187. |
PRJ-38152, |
Security Management |
UPDATE: Improved Access Policy installation time. |
PRJ-37260, |
Security Management |
In a large scale environment, the Management API command "show-access-rulebase" may take a significant amount of time to complete or time out after 5 minutes. |
PRJ-36921, |
Security Management |
When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway. |
PRJ-37524, |
Security Management |
Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server. |
PRJ-37710, |
Security Management |
Install Policy preset fails if the Threat Prevention policy was uninstalled. |
PRJ-35656, |
Security Management |
The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment. |
PRJ-35313, |
Security Management |
The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410. |
PRJ-35532, |
Security Management |
An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode. |
PRJ-37505, |
Security Management |
In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message. |
PRJ-37028, |
Security Management |
Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background. |
PRJ-37764, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-38065, |
Security Management |
When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Security Gateway was completed successfully. |
PRJ-39472, |
Security Management |
Management HA synchronization may fail with the "NGM failed to import data" error. |
PRJ-38401, |
Security Management |
An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue. |
PRJ-37400, |
Security Management |
Global Policy Assignment may fail with the "Failed to connect to FWM" error when the Domain is Active on the remote Multi-Domain Management Server. |
PRJ-38800, |
Security Management |
In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running it with "details-level full". |
PRJ-38616, |
Security Management |
A deleted Security Gateway may appear as unavailable in the Gateways&Servers view. |
PRJ-37200, |
Security Management |
The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054. |
PRJ-38181, |
Security Management |
Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration. |
PRJ-34154, |
Security Management |
Packet mode search in HTTPS Inspection policy may not work. |
PRJ-39211, |
Security Management |
The "Throughput/sec" column in the Gateways&Servers view may show "N/A" instead of the actual value. |
PRJ-39529, |
Security Management |
Improved memory usage and performance of Access Policy installation when numerous Network Groups are used in the Access Rule Base. |
PRJ-33689, |
Security Management |
The Management API command "show object" may fail on a specific UID with a "Null Pointer exception" message. |
PRJ-35061, |
Security Management |
Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224. |
PRJ-38121, |
Security Management |
Policy installation may fail with "an internal error" because of an orphan policy issue. Refer to sk122954. |
PRJ-35606, |
Security Management |
In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab. |
PRJ-37887, |
Security Management |
Editing an object may fail with the "Could not access file for write operation" error. |
PRJ-37510, |
Security Management |
Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag. |
PRJ-37636, |
Security Management |
After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted. |
PRJ-38742, |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit and create a core dump. |
PRJ-39021, |
Licensing |
|
PRJ-37989, |
SmartConsole |
After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated. |
PRJ-39119, |
Web SmartConsole |
UPDATE: Released Take 59 with new features and improvements. Refer to sk170314. |
PRJ-35672, |
SmartProvisioning |
UPDATE: To prevent duplicates issue in LSM REST API, it is no longer possible to create an object with the same name but written in a different letter case. |
PRJ-35065, |
SmartProvisioning |
UPDATE: It is now possible to make a change in the provisioning profile of a cluster via the API command "set lsm-cluster" using the UID parameter. |
PRJ-36053, |
SmartProvisioning |
The "set-lsm-gateway" command may fail during the SIC initialization. |
PRJ-39856, |
SmartProvisioning |
After deleting an LSM object, the Security Gateway can still communicate and fetch policy from the Management Server. |
PRJ-38317, |
SmartProvisioning |
The PostgreSQL database fully utilizes disk space on the Multi-Domain Management Server when SmartProvisioning is enabled in a large scale environment. Refer to sk178889. |
PRJ-37103, |
Logging |
UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125. |
PRJ-36463, |
Logging |
When running the "cp_log_export filter-blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start. |
PRJ-35997, |
Logging |
Logs with actions "Expired" and "Hold" may be missing from the Logging view. |
PRJ-38416, |
Logging |
When there are several Log Servers, a log distribution issue may occur. |
PRJ-39297, |
Logging |
An error may occur when changing default Time Frame while the SmartView language is not English. |
PRJ-39680, |
Logging |
When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells. |
PRJ-39677, |
Logging |
A CSV file exported from SmartView may contain duplicated lines of headers. |
PRJ-33817, |
Logging |
The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position. |
PRJ-36028, |
Logging |
In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly. |
PRJ-36021, |
Logging |
In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches. |
PRJ-39668, |
Security Gateway |
It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672. |
PRJ-36121, |
Security Gateway |
In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect. |
PRJ-38077, |
Security Gateway |
The Security Gateway may crash with a vmcore. |
PRJ-27917, |
Security Gateway |
When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995. |
PRJ-41000, |
Security Gateway |
In a VSX environment, SNMP queries to OSPF OIDs may fail. |
PRJ-39216, |
Security Gateway |
The Security Gateway may crash during PM Stats collection. |
PRJ-37519, |
Security Gateway |
The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options. |
PRJ-39686, |
Security Gateway |
An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump. |
PRJ-37953, |
Security Gateway |
There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs. |
PRJ-40442, |
Security Gateway |
When Anti-Virus blade is enabled, there may be a continuous high memory consumption which can lead to latency. |
PRJ-41456, |
Security Gateway |
During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency. |
PRJ-36568, |
Internal CA |
UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096. |
PRJ-36294, |
Threat Prevention |
A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file. |
PRJ-39196, |
Threat Prevention |
In a scenario, when Ant-Virus Blade is enabled, the Security Gateway may crash during policy installation. |
PRJ-39324, |
Threat Prevention |
Improved memory consumption by decreasing the size of the mal_conns table. |
PRJ-38685, |
Threat Prevention |
In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout |
PRJ-40397, |
Threat Prevention |
Added Update 15 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109. |
PRJ-41446, |
Threat Prevention |
In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)". |
PRJ-36522, |
IPS |
Improved detection in some IPS protections. |
PRJ-39063, |
IPS |
In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP address in other reports. |
PRJ-35293, |
Mobile Access |
In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash. |
PRJ-34725, |
Mobile Access |
In some scenarios, the Mobile Access applications fail to login because the Security Gateway may not forward HTTP request cookies of some browser-initiated requests to an internal Server. |
PRJ-39154, |
Mobile Access |
Login to Mobile Access Citrix application may fail. |
PRJ-34871, |
ClusterXL |
UPDATE: Added support for the "Same VMAC" feature. |
PRJ-31527, |
ClusterXL |
UPDATE: Added a new Gaia Clish command "show cluster members monitored" to show cluster monitored IP addresses of all the members in a table format. This command is equivalent to the Expert mode command "cphaprob -m tablestat". |
PRJ-38615, |
ClusterXL |
When moving a cluster from Unicast to Multicast LS, Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic lost. |
PRJ-37490, |
ClusterXL |
In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state. |
PRJ-38820, |
ClusterXL |
Local connection from the Management interface on a non-standard port (e.g. 8000) may fail. |
PRJ-36604, |
ClusterXL |
Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade. |
PRJ-37883, |
ClusterXL |
Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size. |
PRJ-39084, |
ClusterXL |
VPN may not operate correctly on ClusterXL in Load Sharing mode and Scalable Platforms (Quantum Maestro and Chassis). This causes sporadic but frequent traffic drops. Refer to sk179808. |
PRJ-37814, |
SecureXL |
NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603. |
PRJ-38595, |
SecureXL |
UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds. |
PRJ-32710, |
SecureXL |
UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces will not use the alias IP as the local IP address of the tunnel. |
PRJ-39010, |
SecureXL |
SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped. |
PRJ-39004, |
SecureXL |
SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop. |
PRJ-38560, |
Routing |
UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. |
PRJ-38983, |
Routing |
There may be high CPU utilization and slow recovery of the ROUTED process after a failover. |
PRJ-38984, |
Routing |
A buffer overflow may cause the ROUTED process to exit with PNOTE. |
PRJ-38985, |
Routing |
It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time. |
PRJ-36940, |
Routing |
In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF. |
PRJ-37941, |
VPN |
NEW: KAT tests for IKE and TLS are now validated for FIPS certification. |
PRJ-37775, |
VPN |
Capsule Connect (IPSec VPN) may fail to re-authenticate. |
PRJ-35422, |
VPN |
When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field. |
PRJ-32681, |
VPN |
An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage. |
PRJ-37549, |
VPN |
In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536. |
PRJ-37556, |
VPN |
An outage may occur when using IKEv2. |
PRJ-39065, |
VPN |
Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure. |
PRJ-36451, |
VSX |
UPDATE: When resetting SIC for a specific virtual system (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole. |
PRJ-32408, |
VSX |
The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860. |
PRJ-33316, |
VSX |
The FWM process may unexpectedly exit after using the VSX Provisioning tool. |
PRJ-32478, |
VSX |
When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction. |
PRJ-32707, |
VSX |
After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS. |
PRJ-37807, |
VSX |
Running the "vsx_util vsls" command may end with the "Segmentation fault" error. |
PRJ-28951, |
VSX |
Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950. |
PRJ-38829, |
VSX |
The FWK process of Virtual Switch (VSW) may consume a high CPU. |
PRJ-38409, |
VSX |
When creating a virtual system, the "Failed to create Virtual System directories" error is displayed. |
PRJ-34767, |
VSX |
When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file. |
PRJ-38794, |
VSX |
In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt. |
PRJ-38011, |
VSX |
"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg. |
PRJ-38727, |
VSX |
When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version. |
PRJ-40704, |
VSX |
A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member". |
PRJ-40950, |
VSX |
The VSX Security Gateway may crash when pushing a policy after deleting an interface. Refer to sk179820. |
PRJ-36525, |
Gaia OS |
NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN info (interface creation, IP, MTU, comments, state). |
PRJ-35586, |
Gaia OS |
UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters. |
PRJ-39379, |
Gaia OS |
The CONFD process may unexpectedly exit and generate a core dump file. |
PRJ-40366, |
Gaia OS |
Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579. |
PRJ-38960, |
Gaia OS |
When loading a configuration file to the new Security Gateway, VLAN interfaces may not be added to the bridge as expected. |
PRJ-37349, |
Gaia OS |
When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful. |
PRJ-38231, |
Gaia OS |
When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue. |
PRJ-39096, |
Gaia OS |
Dynamic routing SNMP OID polling may work only in VSX mode. |
PRJ-29673, |
CloudGuard Network |
UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time. |
PRJ-38569, |
CloudGuard Network |
UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway. |
PRJ-33578, |
CloudGuard Network |
When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments". |
PRJ-38871, |
CloudGuard Network |
After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources. |
PRJ-38071, |
CloudGuard Network |
Policy install or publish may fail because of the CPM process operations overload. |
PRJ-40198, |
CloudGuard Network |
Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS). |
PRJ-39798, |
CloudGuard Network |
Importing NSX-T Data Center NSGroups with more than 1000 IP addresses may fail and lead to an outage. |
PRJ-38644, |
VoIP |
NEW: Added a new tab for VoIP monitoring in CPView. |
PRJ-39817, |
VoIP |
The Security Gateway may crash when running UDP and TCP SIP traffic. |
PRJ-40930, |
VoIP |
After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". |
PRJ-39110, |
Scalable Platforms |
UPDATE: Added ability to change CIN interface IP ranges. Refer to sk179028. |
PRJ-37469, |
Scalable Platforms |
UPDATE: When creating a new Security Group on Quantum Maestro, it is mandatory to configure First Time Wizard settings. |
PRJ-35111, |
Scalable Platforms |
UPDATE: The asg_info command is no longer supported on Scalable Platforms. The "cpinfo -Q" command should be used instead. |
PRJ-39636, |
Scalable Platforms |
The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10. |
PRJ-38297, |
Scalable Platforms |
During Jumbo Hotfix Accumulator installation, the sgm_lsp core dump may be created. |
PRJ-38483, |
Scalable Platforms |
When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647. |
PRJ-38699, |
Scalable Platforms |
The ROUTED process may unexpectedly exit when OSPF is configured as P2P. |
PRJ-39720, |
Scalable Platforms |
Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic. |
PRJ-39115, |
Scalable Platforms |
The "asg_excp_conf get" command may fail. Existing exceptions cannot be printed due to unaligned exception max size between kernel and userspace (cphaprob). |
PRJ-34872, |
Scalable Platforms |
In some scenarios, CPWD and HCP report the CPUS_USGS process as terminated. |
PRJ-35285, |
Scalable Platforms |
A cluster member may fail to perform FullSync and remain in Down state with FULLSYNC PNOTE. |
PRJ-39997, |
Scalable Platforms |
When a Maestro Security Gateway is active again after a reboot, the LACP bond may drop incoming and outgoing packets. |
PRJ-36092, |
Scalable Platforms |
A Security Gateway may not be added to the Security Group distribution matrix when moving from a site with two MHOs to a single MHO. |
PRJ-37640, |
Scalable Platforms |
The "asg_copy_capture" logs repeatedly appear in the var/log/messages file. The reason given in the logs is "capture file was not found on remote SGMs". |
PRJ-33924, |
Scalable Platforms |
On Scalable platform Chassis in VSX mode, when adding a new member to Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error. |
PRJ-41043 |
Scalable Platforms |
Disk partition of the /var/log directory on Quantum Maestro appliances may fail. |
PRJ-40309, |
HCP |
Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 66 Released on 29 June 2022 and declared as Recommended on 19 July 2022 |
||
PRJ-40378, PMTR-84711 |
Gaia OS |
After an upgrade, there are SSH connectivity issues, when the "allowed-host" feature in Clish is enabled. |
PRJ-39899 |
Scalable Platforms |
In some scenarios, the asg_perf_hogs test shows that SecureXL is disabled while it is enabled. Refer to sk179424. |
Take 61 Released on 2 June 2022 |
||
PRJ-38783, |
Security Management |
NEW: Added a new Management API command "show-servers-and-processes" to show the status of all processes on the Multi-Domain Server and all Domain Management / Log Servers. |
PRJ-36588, PMTR-72224 |
Security Management |
NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509. This applies both to SmartProvisioning and SmartUpdate. |
PRJ-33297, |
Security Management |
UPDATE: LSM Cluster objects names can now be defined without using the prefix and suffix options. |
PRJ-33953, |
Security Management |
Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain. |
PRJ-34774, |
Security Management |
When adding a new Interface to an existing Cluster via Management API, the operation may fail with an "Action Failed due to an Internal Error" message. |
PRJ-35951, |
Security Management |
Compliance results for some rules are not available after changing the "Policy Range" of a user-defined rule to a value below 100%. Refer to sk177544. |
PRJ-35018, |
Security Management |
Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129. |
PRJ-35226, |
Security Management |
When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265. |
PRJ-37496, |
Security Management |
In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249. |
PRJ-37579, |
Security Management |
In some scenarios, after editing blades in Simple-gateway/Cluster Ansible modules, the blades are not changed, and Ansible shows that no changes occurred. |
PRJ-37625, |
Security Management |
Upgrade of the secondary Security Management Server or Multi-Domain Management Server may fail due to a High Availability synchronization issue. |
PRJ-33803, |
Security Management |
The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty. |
PRJ-37328, |
Security Management |
In some scenarios, the policy installation may fail after editing the trac_client_1.ttm configuration file. Refer to sk174646. |
PRJ-35758, |
Security Management |
In rare scenarios, deleting a Security Gateway may fail. |
PRJ-37063, |
Security Management |
After installing policy on a new cluster, the cluster object status may be "Not Available", even though all Cluster members statuses changed to "OK". |
PRJ-37368, |
Security Management |
Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy. |
PRJ-33077, |
Security Management |
Updating objects with Management API may fail when editing the "groups" field and object UID is specified. |
PRJ-35299, |
Security Management |
When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile. |
PRJ-36747, |
Security Management |
Accelerated Install Policy may fail with the verification error: "Rule-name has security zone objects that are not attached to any interface used in Cluster-name ", when the rule contains Security Zone and the install-on target is a cluster. |
PRJ-32818, |
Security Management |
In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768. |
PRJ-38149, |
Security Management |
Cloud Shadow Objects verification may take several minutes. |
PRJ-33028, |
Security Management |
IPS profiles and network objects may not be shown in certain views in SmartConsole. |
PRJ-39178, PRHF-23750 |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error. |
PRJ-38394, |
SmartConsole |
UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain. |
PRJ-38038, |
SmartProvisioning |
UPDATE: Added a new Management API command "verify-management-license", it allows to verify whether the Domain Management license covers all installed Security Gateways in the Domain. Refer to sk178544. |
PRJ-38038, |
SmartProvisioning |
LSM devices that were created via the LSM REST API may not fetch the VPN certificate correctly. |
PRJ-38127, PMTR-80530 |
SmartProvisioning |
After an SMB firmware upgrade, policy fetch may fail with the "Version matching problem" error. |
PRJ-38359, PMTR-82092 |
SmartProvisioning |
Improved the time of creating a new LSM object using the LSM API in large environments. |
PRJ-37593, |
SmartView |
UPDATE: Security Check-Up report will now show the new Check Point logo and updated cover page. |
PRJ-36623, |
Logging |
UPDATE: SmartView reports will now show the new Check Point logo. |
PRJ-36199 |
Logging |
UPDATE: Mapping of IPs to country/flag is now automatically updated every day. These are visible in the Logs and Events views. |
PRJ-35977, PRHF-21400 |
Logging |
"Failed to open /opt/CPsuite-R81.10/fw1/log/" messages may appear in the log_indexer.elg file because of files ending with the ".log" suffix although they are not actual log files. |
PRJ-29175, |
Logging |
Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found and " fwbintabreplace: table svm_range_gateways_valid not found" from fwd debug log. |
PRJ-33518, |
Logging |
Improved samples visibility in SmartView Widgets. |
PRJ-34251, |
Logging |
There may be an incorrect error message related to MakeConnection method. |
PRJ-34143, |
Logging |
On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904. |
PRJ-35202, |
Logging |
In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627. |
PRJ-37898, |
Logging |
Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP. |
PRJ-35013, PMTR-75595 |
Logging |
In SmartView, downloading multiple reports from Archive may fail. |
PRJ-36656, |
Security Gateway |
NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled. Refer to sk105740. |
PRJ-31496, |
Security Gateway |
UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. In case a shadow rule exists, the new shadow rule will override the existing shadow rule. |
PRJ-29964, |
Security Gateway |
UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287. |
PRJ-38690, |
Security Gateway |
UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE). |
PRJ-37530, |
Security Gateway |
Improved Gateway internal memory allocation logic. |
PRJ-33931, |
Security Gateway |
Cluster failover may trigger the FWK process to exit, with no traffic impact. |
PRJ-33700, |
Security Gateway |
In some scenarios, file download may fail with the "Connection queue exceeded max size" error. |
PRJ-37013, |
Security Gateway |
Gaia Clish "show" commands for Multi-Queue may fail in a Management Data Plane Separation (MDPS) environment. |
PRJ-37610, |
Security Gateway |
When using the DAIP Gateway object in the Access Rule Base, the "fwdnd_log_info_lookup failed" debug error may appear in the fwk.elg log, if the relevant rule has log track. Refer to sk178670. |
PRJ-37355, |
Security Gateway |
Uninstalling Jumbo Hotfix may cause interfaces to disappear. |
PRJ-27903, |
Security Gateway |
In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection. |
PRJ-36049, |
Security Gateway |
In a rare scenario, DNS connection may be dropped with a "up_manager_cmi_handler_match_cb: connection not found" message. |
PRJ-34728, |
Security Gateway |
In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with one of these errors:
|
PRJ-33860, |
Security Gateway |
In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down. |
PRJ-34789, |
Security Gateway |
In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn". |
PRJ-36516, |
Security Gateway |
In a rare scenario, a memory leak in the FWD process may occur during Threat Prevention policy installation. |
PRJ-39122 |
Security Gateway |
When installing policy with acceleration in a loop, after some time, SIC may get disconnected, and installation fails. Refer to sk180397. |
PRJ-38045, |
Threat Prevention |
Added Update 14 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109. |
PRJ-35185, PRJ-35154 |
Threat Prevention |
While using the Security Zone object in the "Source" column in the Threat Prevention policy, Security Gateways R80.40 and lower do not drop traffic. Refer to sk177605. |
PRJ-36166, |
Identity Awareness |
In a rare scenario, the PDP process may unexpectedly exit with a core dump file. |
PRJ-35853, |
Identity Awareness |
The PEP process may unexpectedly exit. |
PRJ-37545, |
IPS |
In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail. |
PRJ-37980, |
IPS |
In a rare scenario, a traffic outage may occur. |
PRJ-32611, |
IPS |
When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites, the Gateway may drop traffic. |
PRJ-30126, |
SSL Inspection |
When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345. |
PRJ-38258, |
SSL Inspection |
In some scenarios, the FWK process may unexpectedly exit during the TLS handshake. |
PRJ-35071, |
ClusterXL |
When creating a new virtual system, some VSLS parameters like the Virtual System's weight value may be displayed wrong. |
PRJ-35169, |
ClusterXL |
A single cluster member with Dynamic Routing configuration may stay permanently in DOWN state producing routed pnote during a boot. |
PRJ-34397, |
ClusterXL |
When Dynamic Routing protocols are configured on a cluster, a failover to a member that just rebooted may cause a few seconds outage. |
PRJ-35229, |
ClusterXL |
In an Active/Active cluster, potential FTP data connection interruption may occur during failover. |
PRJ-37436, |
ClusterXL |
There may be connectivity issues for multicast traffic in PIM Sparse Mode. |
PRJ-36616, |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510. |
PRJ-36178, |
ClusterXL |
In Virtual Device Status table, in VS0 context, the output shows the Active-Active status on two members instead of Active-Standby. The issue is cosmetic only. |
PRJ-39740, ACCHA-1767 |
SecureXL |
When using tcpdump on NVIDIA ConnectX 100G Card interfaces and the "-i" flag is combined with other flags (for example, -nnni or -ei), tcpdump cannot find the RDMA index. |
PRJ-38503, |
CoreXL |
An Active member in a cluster may make a full reboot during policy installation. |
PRJ-37512, |
Routing |
The "set route-redistribution to rip from interface" CLI command may fail with the load configuration errors. |
PRJ-36438, |
VPN |
Machine Authentication stability improvements for Remote Access Endpoint Clients. |
PRJ-29545, |
VPN |
Newly defined ROBO Gateways cannot connect until policy installation. |
PRJ-38729 |
VPN |
In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767. |
PRJ-37464, |
VPN |
The VPND process may unexpectedly exit. |
PRJ-35048, |
VPN |
In some scenarios, NAT-T tunnel establishment may fail. |
PRJ-34212, |
VPN |
IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name. |
PRJ-37591, |
VPN |
During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high. |
PRJ-29882, |
VPN |
Improved VPN interoperability. |
PRJ-37283, |
VPN |
VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments. |
PRJ-34673, |
VSX |
UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems. |
PRJ-36769, |
VSX |
VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface. |
PRJ-33473, |
VSX |
In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously. |
PRJ-32080, |
VSX |
When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes writing the object to the database to fail. |
PRJ-39511, PMTR-83472 |
VSX |
After creating a VSX Gateway, traffic may not go through the VSX Gateway correctly because of synchronization issues of the cphwd_enable_ecmp parameter with SecureXL. |
PRJ-37618, |
VSX |
After an upgrade from R80.20SP/R80.30SP to R81.10, pushing accelerated policy may cause all non-SMO SG Members to go down. |
PRJ-35505, |
VSX |
There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic. |
PRJ-36689, |
VSX |
In a Multi-Domain environment, the "vsx_util vsls" command may take a few minutes to run. |
PRJ-35279, |
VSX |
In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation. |
PRJ-36788, |
VSX |
The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0. |
PRJ-38204, |
VSX |
In some scenarios, the VSX Security Gateway may not decrease the packet's TTL. |
PRJ-36756, |
Gaia OS |
NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-36088, |
Gaia OS |
WebUI session may end when creating a Role with full permissions. |
PRJ-39097, |
Gaia OS |
Dynamic routing SNMP OID polling may work only in VSX mode. |
PRJ-33555, PMTR-75925 |
Gaia OS |
In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443. |
PRJ-37120, |
VoIP |
When static NAT is configured, VoIP calls may not work. |
PRJ-38024, |
Public Cloud CA Bundle |
Added Take 18 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-37054, |
CloudGuard Network |
In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904. |
PRJ-37604, |
CloudGuard Network |
In Amazon Web Services (AWS), some Gateways may be crashing frequently with vmcores. |
PRJ-36365, |
CloudGuard Network |
When booting up, the NSX-T CloudGuard Gateway may crash. Refer to sk177703. |
PRJ-37948, |
CloudGuard Network |
In some scenarios, mapping of AWS Data Centers may take a long time to complete. |
PRJ-37777, |
CloudGuard Network |
During boot on KVM with 10 or more interfaces, the interface order may change. |
PRJ-37148, |
Smart-1 Cloud |
Added Update 4 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-32820 |
Quantum Appliances |
NEW: Added support for Quantum LightSpeed Appliances Initial Release (Threat Prevention Stream). Refer to sk179432. |
PRJ-36594, |
Scalable Platforms |
NEW: A new module parameter "ccl_correct_dr_between_chassis" is added.
|
PRJ-39644 |
Scalable Platforms |
UPDATE: Added PIM support for Scalable Platforms. |
PRJ-39964 |
Scalable Platforms |
UPDATE:The "asg_perf_hogs" test was moved from asg_diag to HCP. Refer to sk171436. |
PRJ-28273, |
Scalable Platforms |
|
PRJ-36649, |
Scalable Platforms |
Running "cphaconf debug_data" in VSX context may cause the Gateway to crash. |
PRJ-36916, |
Scalable Platforms |
During policy installation the status of Single Management Object(SMO) may not be stable. |
PRJ-35089, |
Scalable Platforms |
Security Group may drop traffic during an internal failover between Security Group members when Dynamic Anti-Spoofing is enabled. Refer to sk177946. |
PRJ-34049, |
Scalable Platforms |
After changing Multi-Queue configurations, members may remain in Down state. |
PRJ-34054, |
Scalable Platforms |
Non-SMO members may go to Down state after Anti-Malware policy installation failed. Refer to sk177607. |
PRJ-32451, |
Scalable Platforms |
In rare scenarios, changing the number of CoreXL instances in SP environments with many virtual systems may fail. |
PRJ-39044, |
Scalable Platforms |
On Maestro Orchestrator, packet loss may occur during Jumbo Hotfix Accumulator installation or uninstall. |
PRJ-37854, |
Scalable Platforms |
When the LLDPD and SNMPD coredump files are generated, zombie processes may be created and cause warnings in HCP with no impact. |
PRJ-33665, |
Scalable Platforms |
In Clish, it may not be possible to add to a Security Group two Gateways with Maestro Orchestrator on each site. |
PRJ-34924, PMTR-76870 |
Scalable Platforms |
On Maestro Orchestrator, the SSM_PMD process may consume a high CPU. |
PRJ-39951, PMTR-74569 |
Scalable Platforms |
The asg_hw_utilization and asg_resource tests have a broken output. Refer to sk179426. |
PRJ-38037, |
Scalable Platforms |
Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-38225, |
HCP |
Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 55 Released on 1 May 2022 and declared as Recommended on 1 June 2022 |
||
PRJ-29849, |
Diagnostics |
In some scenarios, CPView shows the SNMP data partially. |
PRJ-36494, |
Security Management |
NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509. This applies only to SmartConsole (does not apply to SmartProvisioning). |
PRJ-30408, |
Security Management |
UPDATE:
|
PRJ-35099, |
Security Management |
UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. The parameter is set to "0" by default. Refer to sk178127. |
PRJ-33566, |
Security Management |
In rare scenarios, the task of creating/deleting a Domain or Domain Server may be stuck at 5% with the "Task in queue" status. |
PRJ-35280, |
Security Management |
In a Multi-Domain environment, only one hundred Domains appear in the Domains view, although there are more. |
PRJ-38877, |
Security Management |
In large environments, after installing Jumbo Hotfix Take 38 or Take 45, login to SmartConsole may fail shortly after services are up. Refer to sk178807. |
PRJ-36801, |
Security Management |
In some scenarios, the last modifier name is missing in unpublished sessions and SmartConsole unexpectedly closes. |
PRJ-35480, |
Security Management |
Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error. |
PRJ-34179, |
Security Management |
In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server". |
PRJ-33768 |
Security Management |
The Management REST API "add lsm-gateway" with "SIC" parameter may fail with "generic_error". |
PRJ-32563, |
Security Management |
Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144. |
PRJ-33402, |
Security Management |
When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic-purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443. |
PRJ-33366, |
Security Management |
Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464. |
PRJ-34748, |
Security Management |
The "Free Memory" column under the "Gateways and Servers" tab may show "N/A" instead of the actual value. Refer to sk177135. |
PRJ-32849, |
Security Management |
In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure". |
PRJ-32133, |
Security Management |
When working with Endpoint Cloud, the License tab under "Gateways and Servers" in SmartConsole may show "Certificate error: CertAuthorityInvalid". |
PRJ-32719, |
Security Management |
If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491. |
PRJ-34773, |
Security Management |
Policy installation on R81 (and below) Gateways may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725. |
PRJ-32747, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-32803, |
Security Management |
The mgmt_cli tool (API) with certificate login may not work. |
PRJ-34658, |
Multi-Domain Management |
In a Multi-Domain Management environment, when fetching a LDAP branch using the "fetch" button from the Global Domain tab, the operation may fail. |
PRJ-34010, |
SmartProvisioning |
The CPD process may consume a high CPU after an upgrade of the Security Management Server that manages devices through LSM Profiles. |
PRJ-32374, |
Logging |
When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck. |
PRJ-32581, |
Logging |
In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application. |
PRJ-32019, |
Logging |
When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-30551, |
Logging |
In rare scenarios, when QoS blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783. |
PRJ-38237, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53. |
PRJ-31667, |
Security Gateway |
UPDATE: Added Connection and Packet Distribution statistics in CPView. |
PRJ-33275, |
Security Gateway |
The control connection may not be refreshed together with data connection if the data connection is accelerated. Refer to sk168952. |
PRJ-33211, |
Security Gateway |
The dlpu process may unexpectedly exit, producing a core dump file. |
PRJ-33999, |
Security Gateway |
In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout. |
PRJ-34257, |
Security Gateway |
It may not be possible to use the Office 365 Tenant Restrictions feature when ICAP client is enabled. |
PRJ-33613, |
Security Gateway |
In a rare scenario, the FWD process may unexpectedly exit. |
PRJ-35096, |
Security Gateway |
Policy installation may fail when reaching out of memory on the Security Gateway. |
PRJ-35008, |
Security Gateway |
The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228. |
PRJ-32793, |
Security Gateway |