List of All Resolved Issues and New Features in R81.10 Jumbo Hotfix Accumulator

UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22.

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

UPDATE: New features and improvements are released in Take 81, Take 85, Take 88 and Take 90 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Upgraded symmetricDS to the 3.14.9 version.

UPDATE: Added Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

• When updating Inline Access Layers, Threat Exceptions, and HTTPS Inspection (TLS) rules, the "Policy Name" field in the Audit Log may be incorrect.

• The "Where used" operation fails for users with read-only permissions.

Refer to sk181471.

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

When BGP local address is configured, BGP peer may fail to establish.

UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.

• Requires installing SmartConsole Build 417 (or higher).

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically.

UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode.

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway.

Deleting a Domain that is connected to an AD Group fails.

In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397.

In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787.

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

When closing an application from SmartConsole without changes, a redundant revision is created.

Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object.

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

In rare scenarios. in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

In rare scenarios, after an upgrade, the Security Management Server may fail to start.

Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.

• The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

SmartConsole may crash while checking for updates.

• Requires installing SmartConsole Build 417 (or higher).

The "Low disk space" warning may be incorrectly displayed in SmartConsole.

Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields.

The Logs view may show a "Failed to read record number" message.

High CPU is consumed when there are many rules with apps in the Access Rule Base. Refer to sk181264.

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

In rare scenarios, ICA certificate creation and enrollment fail.

Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters.

In some scenarios, the Security Gateway fails to export or import IoC feeds.

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance.

DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy.

The Security Gateway may fail to enforce certificate blacklisting.

It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155.

A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531.

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

Traffic may be dropped when there are many OSPF routes of type 5.

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic.

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##".

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

In some scenarios, in Maestro VSX environment with a Virtual Switch (VSW), TCP packets can be dropped as "out of state" or incorrectly dropped on the clean up rule.

Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485.

After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to “None”. And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed.

Some devices added to a Virtual Group from the SmartEndpoint Reporting tab do not receive the assigned policy.

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter).

The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921.

After adding a new Security Group Member to a Security Group with the default shell /bin/gclish, the status of the new Security Group Member is "Down" with a Critical Device "image_clone" pnote.

NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs .

For example:

• mgmt_cli add access-section layer "Network" position 1 name "New Section 1" tags mytag

• mgmt_cli add access-rule layer "Network" position 1 name "Rule 1" tags mytag

NEW: Added support for the 25Gbps speed on Maestro Orchestrator ports.

UPDATE: A Security Management server/Domain Management Server can now manage up to 400 Security Gateways / Clusters, allowing concurrent policy installation on all Security Gateways / Clusters at once.

UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster).

UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314.

UPDATE: The Thread Blocker feature is now disabled by default. Refer to sk180437.

UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL.

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

• To see the current state of this feature: show audit login-notifier

• To enable this feature (this is the default): set audit login-notifier on

• To disable this feature: set audit login-notifier off

UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation".

After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail.

Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514.

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted.

When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes.

When adding/setting an access rule, setting certain fields to "Any" or "None" may fail because of case sensitivity.

In some scenarios, running the "delete-exception-group" Management API command fails if the exception group is automatically attached.

A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway.

If an empty Network Group is linked in the source or destination fields of an Access Rule, policy verification may not generate an error. Instead, it may treat the empty group as if there was an "Any" object.

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked.

In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858.

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages.

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

After an upgrade of the Security Management Server, the "cp_log_export show" command may return the "found an ambiguous value" error in the "export_log_position" field.

In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached.

The Security Gateway may crash while inspecting non-HTTP traffic.

The Security Gateway may crash after a failure in policy installation.

When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

In some scenarios, after an upgrade, the FWD process may unexpectedly exit.

Global tables (ghtab) may not be synchronized between members, this can lead to instability of traffic.

In rare scenarios, the Security Gateway may drop the traffic after "Rulebase Internal Error" which occurs during policy installation.

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032.

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

Latency in connection caused by a packet flow change from F2V to F2F.

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

IoC feed may not load, and the "Feed status cybercrime-tracker_hash_list :: engine memory allocation error. Feed log External IoC - External Indicators processing failed" error is displayed in CLI.

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed ".

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

When IPS Blade is enabled, the Security Gateway may crash.

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

Importing a custom intelligence feed containing IP ranges may fail.

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

Sending emails with attachments via Capsule Workspace may fail on iOS.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

Asymmetric UDP traffic may be dropped with "First Packet isn´t Syn".

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

When running tcpdump on the Multi-Domain Security Server, an "error /bin/cp-tcpdump.sh: line 11: sxlmode: command not found" message is shown. The issue is cosmetic only.

The ROUTED daemon may unexpectedly exit because of multi-threading issues.

Routes marked as "stale" may be redistributed via BGP during graceful restart.

BGP state gets stuck in Idle state when using BGP ping to one of the peers.

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

Configuring OSPFv2 Graceful Restart and passive OSPF interfaces at the same time can cause graceful restart failures.

A VRRP/VRRP6 interface may go into Master/Master state.

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

• Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

• OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

• Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation.

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

Virtual System's interfaces may be missing when running the Clish command "show/save configuration".

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

It may be not possible to enter a snapshot description with more than one word.

Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment.

Gaia WebUI logs are printed with "info" severity.

Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device.

AWS Data Center mapping fails when an interface subnet is missing from the list of subnets.

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

The FW process may unexpectedly exit, producing a core dump file.

License is not copied from SMO to all other members if other members are in Down state.

The "orch_info" command may freeze, when running it on Maestro Orchestrator.

Querying the HW status via SNMP (OIDs .1.3.6.1.4.1.2620.1.6.7.*) or via the "cpstat os -f sensors" command may fail on Maestro Orchestrator.

Members may stay in Down state after reboot/Jumbo Hotfix installation with pull_config pnote when pulling registry from SMO: "Pull registry failed" error in the $FWDIR/log/Blade_config log file.

On Maestro, when MDPS (Management Data Plane Separation) is enabled, and the license corresponds to an IP address different from the management interface's IP address (such as the sync IP), policy installation may fail because of a license mismatch.

The "set/show trace" command may fail in gClish.

Incorrect parsing of GTP-U traffic may cause anti-spoofing drops.

Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506.

Packet corruption, leading to traffic and performance issues.

UPDATE: Switching between User/Kernel mode on Scalable Platforms can now be done using "cpconfig" . Reboot of the Security Group members is performed after the confirmation.

In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to a Threat Prevention policy "Install On" column, no Security Gateway objects appear. Refer to sk180964.

When working in a Scalable Platforms environment, a member may get in a bootloop. The issue occurs after the consequent upgrade of this member to R81.10, Deployment Agent (DA) update and enabling image auto cloning.

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

NEW:

• Added support for 1595 Slim Ruggedized appliances.

• Added support for 1535 / 1555, 1575 / 1595 Quantum Spark Pro appliances.

NEW: Compliance Blade is enhanced with 5 new Firewall Best Practices:

• FW174 - Check that there are no Access Control rules that contain "Any" in the "Source" column and contain "Accept" or "Ask" in the "Action" column.

• FW175 - Check that Access Control rules do not contain "Any" in "Destination", and "Accept" or "Ask" in "Action".

• FW176 - Check that Access Control rules do not contain "Any" in "Services and Applications", and "Accept" or "Ask" in "Action".

• FW177 - Check that there are no temporary Access Control rules (based on the "Name" column).

• FW178 - Check that there are no temporary Access Control rules (based on the "Comments" column).

UPDATE: Defining GUI Clients on the Log Server is now blocked. Defining GUI Clients is allowed only from the Security Management Server in Active mode.

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

• To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

• To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

UPDATE: Linux installations are now automatically added to "All Linux Desktops Virtual Group" in Harmony Endpoint. Refer to sk180430.

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region.

UPDATE: Enhanced the mechanism of Maestro Gateway leaving a Security Group.

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results".

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to a BGP failure.

After an upgrade to Take 79, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled.

The PDPD process may cause CPU spikes during cluster failover.

In a rare scenario, a wrong access role may be assigned to a user.

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

In a rare scenario, the Security Gateway may crash during an IPS package update.

A memory leak may occur in the DLPU process.

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

IPv6 template is not created when the connection is NATed.

After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped.

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down.

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

VPN endpoint users fail to login with ECDSA certificate.

• NAT-T traffic may stop matching the implied rule after policy installation and is dropped with "IKE_NAT_TRAVERSAL Traffic Dropped from x.x.x.x to y.y.y.y" message in SmartLog.

• VPND and IKED stability issues occur when loading newly created LDAP group objects.

Refer to sk180530.

TCP traffic on port 34500 may be encrypted by VPN, although it should not.

When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output.

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

VPN Cluster stability issue when the peer is an Azure Security Gateway.

Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started.

After an upgrade, local IPv6 traffic from Active members may fail.

Adding more than 250 VLANs on an Orchestrator MHO-175 Maestro Uplink interface causes intermittent traffic outages. Refer to sk180340.

The "asg perf" command fails when running it with the "-vv" flag.

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates.

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

UPDATE: To reduce policy installation time in large environments (that have many instances), policy can be installed in batches.

• Each batch contains several instances that install the policy at the current iteration. By default, the batch size is set to "0" (off).

• To enable it, run a CLI command "cpprod_util FwSetParam CP_INSTALL_POLICY_MT_LIMIT val" and set the value >0.

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

Skyline may not show any information. Refer to sk180748.

In some scenarios, Audit logs may not be created when running remote API commands from Infinity Portal.

The date of a policy configured with "accelerated installation" may not be updated in logs.

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

Editing a Global Assignment object using Ansible may fail.

In some scenarios, the "api status" command shows that the Management API service is stopped.

Running API commands with the "dereference-max-depth" parameter with value "0" may fail when the "Groups" field is in the reply.

In rare scenarios in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

Deleting an LSM Gateway via REST API does not revoke the device's VPN certificate.

CPView may not show some interfaces.

After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable.

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

Stability issues when ICAP client is active.

In a rare scenario, when QoS is enabled, the Security Gateway may crash.

In rare scenarios, the FWK process can unexpectedly exit and cause an outage.

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled.

The "fw monitor" command output may contain "no packets left to merge" messages.

When managing cloud Gateways, the FWM process memory usage may increase.

The "ioc_feeds set interval -r" command may fail.

After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml.

Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file.

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

In some scenarios, the RAD process may freeze after failing to connect to URL Filtering service.

The Security Gateway may crash during policy installation because of a memory allocation problem.

The "asg perf --delay" command does not change the "refresh time" on the screen.

The CVPND process may unexpectedly exit and create a core dump file.

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486.

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error.

Stability issues of the VPND and IKED processes.

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

The SNMPD process may exit with a timeout when the ARP table with many ARP entries takes time to calculate its size.

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail.

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

In some scenarios, when using static NAT, VoIP traffic may be affected.

While handling a multi-INVITE scenario (where a user registers with multiple devices), and VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

In VSX mode, when configuring affinity settings on Security Group members, a new added member may stay in Down state.

The output of the "asg perf -6" command shows "IPV6 is Disabled".

When running "asg diag verify" in an environment with mixed appliances, the "cores_verifier" command fails if there are unused cores, although it should not. The issue is cosmetic only..

In a multiple upgrade scenario, running the "sp_upgrade-revert" command reverts the setup to the last version, but running it the second time leads to revert instead of performing cleanup.

Uninstalling Jumbo Hotfix Take 79-87 from Maestro Orchestrator may cause the REST Server initialization to fail and lead to connectivity issues.

Minor packet drop may occur during Maestro Orchestrator graceful reboot.

UPDATE: It is now possible use multiple values when filtering in these views:

• Global Assignments (MDS)

• Permissions (MDS)

• Sessions (MDS)

• IPS (Domain level)

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

UPDATE: Released Take 73 with new features and improvements. Refer to sk170314.

UPDATE: Port 8211 no longer accepts connections with the cipher TLS_RSA_WITH_AES_128_CBC_SHA.

UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL.

UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

UPDATE: The "revert to snapshot" operation is now blocked on Scalable Platforms when the snapshot remains from the previous version and is not created as a part of the current upgrade process.

UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it:

• To enable this option:

• on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 1

• to be boot persistent, run g_update_conf_file fwkern.conf fwha_force_present_state_over_active =1

• To disable this option:

• on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 0

• to be boot persistent, rung_update_conf_file fwkern.conf fwha_force_present_state_over_active =0

UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection.

UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436.

On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448.

In rare scenarios, in a large environment, after an IPS update, High Availability synchronization may fail with timeout on the Global Domain.

In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred".

An upgrade may fail with timeout during the import of a large database file.

When running the "show access-rule" API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells.

Access Policy installation may fail with the "Internal error occurred during the verification process" error.

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

In rare scenarios, the FWM process may unexpectedly exit.

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700.

After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole.

Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks.

In a large environment, High Availability synchronization for the Global domain may fail with the "Global domain is busy syncing, please check sync status" error.

"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain.

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

An upgrade of the secondary Multi-Domain Security Management Server or Multi-Domain Log Server may fail when simultaneously upgrading several Servers.

In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit.

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), after several initial logs, they may stop coming to the Log Server.

Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses.

Export to CSV in SmartView may be stuck in the "running" status.

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

There may be stability issues when ICAP client is active.

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the LightSpeed 10/25/40/100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on.

In some scenarios, the CPD process may unexpectedly exit.

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

After an upgrade, Access Control policy installation may fail with an "Update process is already running" message.

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

Threat prevention policy installation fails if a Custom Intelligence Feeds name includes unsupported characters.

File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

The PDPD daemon may frequently exit during the user authentication flow.

SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query.

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash.

After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing.

After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail.

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

A Hide NAT port may be allocated twice causing the "out of state" drops.

In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory because of a memory leak.

In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot.

The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP.

Connections matching the Access Control rules may get timed out, although they should be rejected according to the configuration.

The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931.

The ROUTED process may unexpectedly exit when the route does not have a next hop.

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710.

Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC).

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

There are trap names duplications in chkpnt.mib and chkpnt-trap.mib which may cause incorrect values when using SNMP traps.

After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups.

In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function.

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

Import of OpenStack Data Center CloudGuard Network objects may fail.

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651.

In some scenarios, a newly added Security Group Member (SGM) continuously reboots, and there are core dump files for the CONFD process. Refer to sk178405.

Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic.

In some scenarios, the SNMPD process may unexpectedly exit.

In a dual site environment with two Maestro Hyperscale Orchestrators on each site, the asg diag test may fail in a mixed appliances setup because of a difference in affinity configuration files.

SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926.

When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID.

Failover/failback may cause a non-DR manager member to change state to Down because the ROUTED unexpectedly exits with pnote.

In a Quantum Maestro environment, the sp_upgrade command may fail when working in VSX mode.

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

NEW: It is now possible to clone Access and HTTPS Inspection layers via Management REST API.

UPDATE: Added a new API version (1.8.1). Refer to Management API Reference.

UPDATE: Management API performance improvements:

• When moving a rule, the "set-access-rule" command is now up to 15 times faster.

• When using a rule name, the "set-access-rule" command is now twice as fast.

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144

If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status.

The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645.

Login to Management Server may fail if a trusted client has a subnet mask defined in CIDR notation. Refer to sk177743.

Adding members to a user group may fail when using Management API.

Deleting a Security Gateway in SmartConsole may fail.

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

High Availability synchronization may fail with the "Failed to update shared licenses" error.

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

An Application Control and URL Filtering update may still occur even if the latest version is already installed.

After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors.

A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours.

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it.

UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

After an upgrade from R81 to R81.10, maintenance cleanup may remove some recent logs while not erasing other logs from the disk.

The FWD process may unexpectedly exit and create core dump files.

In some scenarios, the Forensics report fails to open from Harmony Endpoint logs.

The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records.

When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name.

UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750).

UPDATE:

• Added a new global parameter "fw_conn_double_error_allow_print " to enable/disable printing double connection error message to the log. When disabled, the Security Gateway will still drop a new connection if it is already recorded in the connection table, but there will be no error logs.

• Added a new global parameter "fw_conn_double_error_count" to count how many times the error occurred.

In a cluster environment, an ICAP implied rule may not be enforced after policy installation.

When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged.

Refer to sk179431.

When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files.

The Security Gateway may run out of memory when retrieving topology.