List of All Resolved Issues and New Features in R81.10 Jumbo Hotfix Accumulator
|
Review the Important Notes for R81.10 Jumbo Hotfix Accumulator section before installing a new Take. |

Take | Available Since | Recommended Since |
---|---|---|
13 Nov 2023 |
- |
|
06 Nov 2023 |
- |
|
06 Sep 2023 |
- |
|
30 Jul 2023 |
29 Aug 2023 |
|
17 Jul 2023 |
23 Jul 2023 |
|
28 Jun 2023 |
- |
|
08 Jun 2023 |
- |
|
13 Apr 2023 |
15 May 2023 |
|
29 Mar 2023 |
02 Apr 2023 |
|
05 Mar 2023 |
- |
|
19 Jan 2023 |
07 Feb 2023 |
|
12 Jan 2023 |
- |
|
08 Jan 2023 |
- |
|
22 Nov 2022 |
02 Jan 2023 |
|
24 Oct 2022 |
21 Nov 2022 |
|
11 Oct 2022 |
19 Oct 2022 |
|
01 Sep 2022 |
- |
|
29 Jun 2022 |
19 Jul 2022 |
|
02 Jun 2022 |
- |
|
01 May 2022 |
01 Jun 2022 |
|
03 Apr 2022 |
06 Apr 2022 |
|
22 Mar 2022 |
- |
|
22 Feb 2022 |
- |
|
13 Jan 2022 |
20 Jan 2022 |
|
22 Dec 2021 |
02 Jan 2022 |
|
22 Nov 2021 |
- |
|
30 Aug 2021 |
18 Oct 2021 |
ID |
Product |
Description |
---|---|---|
Take 129 Released on 13 November 2023 |
||
PRJ-50898, PRHF-31187 |
Security Gateway |
A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security. |
Take 128 Released on 6 November 2023 |
||
PRJ-49938, PRJ-49979 |
Security Management |
UPDATE: Removed a redundant rule-assistant.war package. |
PRJ-49824, PMTR-95347 |
Security Management |
UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22. |
PRJ-49695, PMTR-96310 |
Security Management |
UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3. |
PRJ-49786, PMTR-95614 |
Security Management |
UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies. |
PRJ-49891, PMTR-95687 |
Security Management |
UPDATE: Removed a redundant guava package. |
PRJ-50264, PRJ-49965, PRJ-49011, ODU-1137, ODU-1256, ODU-1304 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 81, Take 85, Take 88 and Take 90 via self-updatable package. Refer to sk170314. |
PRJ-49108, PMTR-94517 |
SmartConsole |
UPDATE: Applied security related improvements to the Jetty open source library. |
PRJ-50325, PRJ-50324, PRJ-50124, ODU-1217 |
CPView |
UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-50092, PRHF-30702 |
Security Gateway |
UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability. |
PRJ-49493, |
Threat Prevention |
UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-49745, PMTR-95099 |
Mobile Access |
UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default. |
PRJ-49937, PRJ-49936 |
Harmony Endpoint |
UPDATE: Upgraded symmetricDS to the 3.14.9 version. |
PRJ-45980, |
Scalable Platforms |
UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-50542, |
HCP |
UPDATE: Added Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-48878, |
Security Management |
|
PRJ-49204, |
Security Management |
Refer to sk181471. |
PRJ-50082, PMTR-96031 |
Threat Prevention |
In rare scenarios, the FW1 process may stop working when at least one of these features is enabled:
|
PRJ-50190, PMTR-96205 |
IPS |
Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6. |
PRJ-50639, |
ClusterXL |
ARP requests sent with VMAC from the Standby member may cause MAC flapping. |
PRJ-49905, |
Routing |
When BGP local address is configured, BGP peer may fail to establish. |
PRJ-49653, |
Scalable Platforms |
In a Quantum Maestro / Scalable Chassis environment, there may be a delay during TCP start negotiation for fully accelerated connections, which are distributed asymmetrically. For example, C2S distribute to member 1_1 and S2C to member 1_2. To maintain the original behavior (prior to R81.10 Jumbo Hotfix Take 128), follow these steps before starting the Jumbo Hotfix Accumulator upgrade:
Refer to sk181464. |
Take 113 Released on 6 September 2023 |
||
PRJ-47121, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-48299, |
SmartConsole |
UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.
|
PRJ-48317, |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 81 via a self-updatable package. Refer to sk170314. |
PRJ-46557, |
Security Gateway |
UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632. |
PRJ-44243, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-46315, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically. |
PRJ-47677, |
VPN |
UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN. |
PRJ-44280, |
VSX |
UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode. |
PRJ-48339, |
CloudGuard Network |
UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-45727, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-45771, |
Scalable Platforms |
UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>". |
PRJ-48196, |
Scalable Platforms |
UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway. |
PRJ-48404, |
HCP |
UPDATE: Added Update 13 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-45988, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-44472, |
Security Management |
Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message. |
PRJ-46731, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-46796, |
Security Management |
The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054. |
PRJ-45440, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-46016, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-47258, PRJ-47235, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-41548, |
Security Management |
QoS policy cannot be installed if the policy package name contains a dot symbol. |
PRJ-41244, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-44987, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-46003, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object. |
PRJ-45799, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-41460, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-47011, |
Security Management |
The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>". |
PRJ-47050, |
Security Management |
In rare scenarios. in a Multi-Domain Security Management environment:
|
PRJ-45782, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-47046, |
Security Management |
In rare scenarios, after an upgrade, the Security Management Server may fail to start. |
PRJ-47042, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-45034, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-46782, |
Security Management |
In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install. |
PRJ-47169, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-46699, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-40589, |
SmartConsole |
SmartConsole may crash while checking for updates.
|
PRJ-47469, |
CPUSE |
Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation. |
PRJ-45040, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-41167, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-44207, |
Logging |
Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields. |
PRJ-45324, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-39450, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-46840, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail. |
PRJ-44115, |
Security Gateway |
High CPU is consumed when there are many rules with apps in the Access Rule Base. Refer to sk181264. |
PRJ-47889, |
Security Gateway |
When enabling Management Data Plane Separation (MDPS) in Clish, a "Failed to commit the transaction on database" error message may be displayed. |
PRJ-44618, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-44189, |
Security Gateway |
The Security Gateway may crash due to a memory issue. |
PRJ-47558, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47325, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade. |
PRJ-46377, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-45343, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-47602, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-43727, |
Threat Prevention |
In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic. |
PRJ-48191, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters. |
PRJ-46837, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-44691, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import IoC feeds. |
PRJ-44766, |
Threat Prevention |
Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway. |
PRJ-46117, |
Threat Emulation |
Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance. |
PRJ-47749, |
IPS |
In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
PRJ-45836, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47784, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-47182, |
SSL Inspection |
The Security Gateway may fail to enforce certificate blacklisting. |
PRJ-47203, |
Mobile Access |
When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols. |
PRJ-47107, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-45198, |
ClusterXL |
In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection". |
PRJ-44275, |
ClusterXL |
A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531. |
PRJ-44773, |
SecureXL |
The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646. |
PRJ-43639, |
SecureXL |
In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability. |
PRJ-47487, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-43248, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-47940, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48117, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-47801, |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come up. |
PRJ-41794, |
Routing |
Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic. |
PRJ-44956, |
VPN |
A potential leak in VPN tunnels in a Multi-Version Cluster. |
PRJ-41391, |
VPN |
When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established. |
PRJ-47492, |
VPN |
Potential VPN outage during policy installation. |
PRJ-42939, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-47837, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-44300, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed. |
PRJ-43878, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-49350, |
VSX |
In some scenarios, in Maestro VSX environment with a Virtual Switch (VSW), TCP packets can be dropped as "out of state" or incorrectly dropped on the clean up rule. |
PRJ-46275, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47773, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-41337, |
Harmony Endpoint |
When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll"error. |
PRJ-43571, |
Harmony Endpoint |
After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to “None”. And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed. |
PRJ-46031, |
Harmony Endpoint |
Because of a rare race condition, AD scanners may get stuck in the initializing state with "ERROR ajp-nio2-127.0.0.1-8009-exec-96 - Failed to enumerate scanner instances for SF-DC2.mapro.cat, scanner instance788b7398-5a79-91fb-6f68-137813a5556e (UsmDSConfigResponder)java.lang.NumberFormatException". |
PRJ-47055, |
Harmony Endpoint |
Some devices added to a Virtual Group from the SmartEndpoint Reporting tab do not receive the assigned policy. |
PRJ-42633, |
Harmony Endpoint |
After an Endpoint Security client is uninstalled via a push operation, there is no indication in the Asset Management that the client is successfully removed (only if it is inactive for more than 30 days, then it is deleted from the Server database). Although it should be immediately shown as non-active. |
PRJ-46802, |
Harmony Endpoint |
In rare scenarios, when making changes in SmartConsole, it gets disconnected. |
PRJ-48256, |
Harmony Endpoint |
The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package. |
PRJ-43609, |
VoIP |
SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter). |
PRJ-47640, |
Scalable Platforms |
In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log. |
PRJ-45233, |
Scalable Platforms |
The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921. |
PRJ-48212, |
Scalable Platforms |
In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail. |
PRJ-49111 |
Scalable Platforms |
After adding a new Security Group Member to a Security Group with the default shell /bin/gclish, the status of the new Security Group Member is "Down" with a Critical Device "image_clone" pnote. |
PRJ-47865, ACCHA-3317 |
Scalable Platforms |
Accessing the SMO WebUI and performing configuration changes may fail with the "Error in acquiring buffer of member info (-1)" error." |
Take 110 Released on 30 July 2023 and declared as Recommended on 29 August 2023 |
||
PRJ-44422, |
Security Management |
NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository. |
PRJ-43521, |
Security Management |
NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs . For example:
|
PRJ-44326, |
Security Management |
NEW: Added a new Management API "mgmt_cli show ha-status". It provides synchronization information for the currently active domain.
|
PRJ-44494, |
Scalable Platforms |
NEW: Added support for the 25Gbps speed on Maestro Orchestrator ports. |
PRJ-45678, |
CloudGuard Network |
NEW: CloudGuard Controller for NSX-T
Note: Importing Virtual Machines can be enabled only using Policy Mode APIs. When enabled, the amount of API requests toward the NSX-T manager increased. |
PRJ-46242, |
Security Management |
UPDATE: A Security Management server/Domain Management Server can now manage up to 400 Security Gateways / Clusters, allowing concurrent policy installation on all Security Gateways / Clusters at once. |
PRJ-45295, |
Security Management |
UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792. |
PRJ-45490, |
Security Management |
UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster). |
PRJ-44502, |
Security Management |
UPDATE: Significantly improved performance during upgrade and import for large Multi-Domain Security Management environments with many administrators (over 20 domains and over 100 global administrators).
|
PRJ-45203, ODU-843 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314. |
PRJ-45891, |
Security Gateway |
UPDATE: Added a new environment variable "IMPLIED_RULES_SET_BEFORE_LAST". It defines if Multi-Portal implied rules should be matched as "before drop" or "before last". The default value is "0", set to "before drop". When the value is set to "1", implied rules will be matched as "before last". Refer to sk180808. |
PRJ-44774, |
Security Gateway |
UPDATE: The Thread Blocker feature is now disabled by default. Refer to sk180437. |
PRJ-44436, |
ClusterXL |
UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742. |
PRJ-44952, |
IPS |
UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day. |
PRJ-35986, |
SSL Inspection |
UPDATE: Major performance improvement in HTTPS Inspection of TLS 1.3. |
PRJ-45462, |
Threat Prevention |
UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-46941, |
Threat Prevention |
UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses. |
PRJ-45472, |
CPView |
UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-45465, |
CPView |
UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-46916, |
VPN |
UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL. |
PRJ-47226, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427. |
PRJ-47512, |
GaiaOS |
UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230: 1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor). 2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login). These Gaia Clish commands are available to work with this feature:
|
PRJ-44761, |
Gaia OS |
UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined. |
PRJ-32167, |
Scalable Platforms |
UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP). |
PRJ-45907, |
Scalable Platforms |
UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-44907, |
Scalable Platforms |
UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures. |
PRJ-44901, |
Scalable Platforms |
UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log. |
PRJ-45388, |
HCP |
UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-41328, |
Security Management |
If the Security Management Server is behind NAT, remote Management API login fails. |
PRJ-43559, |
Security Management |
In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897. |
PRJ-45158, |
Security Management |
APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites. |
PRJ-45487, |
Security Management |
In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation". |
PRJ-42039, |
Security Management |
Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)". |
PRJ-43568, |
Security Management |
After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail. |
PRJ-42422, |
Security Management |
In some scenarios, an upgrade may fail when a Network object Group contains more than 32000 members. |
PRJ-44085, |
Security Management |
Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514. |
PRJ-43186, |
Security Management |
If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461. |
PRJ-42552, |
Security Management |
After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes". |
PRJ-45873, |
Security Management |
In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified. |
PRJ-43811, |
Security Management |
Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584. |
PRJ-42620, |
Security Management |
When using the "Deployment from Local Paths and URLs" option, and inserting a correct path, the client is being deployed through the Management Server and not Locally as it should be deployed. |
PRJ-35494, |
Security Management |
The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted. |
PRJ-43916, |
Security Management |
In the Object Explorer window in SmartConsole, the IP address column is sorted alphabetically, although it should be sorted in numerical order. |
PRJ-40128, |
Security Management |
When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes. |
PRJ-46629, |
Security Management |
In the Infinity Services view, the Log Sharing status may not be correct. |
PRJ-44595, |
Security Management |
When adding/setting an access rule, setting certain fields to "Any" or "None" may fail because of case sensitivity. |
PRJ-44591, |
Security Management |
The "show object" command fails when running it on nat-section objects. It returns a "null pointer exception" message, which occurs in calculations related to the overview objects meta-info. |
PRJ-44593, |
Security Management |
In some scenarios, running the "delete-exception-group" Management API command fails if the exception group is automatically attached. |
PRJ-43266, |
Security Management |
When creating several LSM objects (Security Gateways or clusters) via both Management API and SmartConsole, the LSM objects IP addresses may be duplicated. |
PRJ-46131, |
Security Management |
A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway. |
PRJ-35765, |
Security Management |
In some scenarios, the "show-packages" Management API command may return empty results when using the "domains-to-process" flag. |
PRJ-45877, |
Security Management |
If an empty Network Group is linked in the source or destination fields of an Access Rule, policy verification may not generate an error. Instead, it may treat the empty group as if there was an "Any" object. |
PRJ-44896, |
Security Management |
Policy installation gets stuck if the known proxy group contains the policy target. |
PRJ-46398, |
Security Management |
In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-44995, |
Security Management |
In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out. |
PRJ-45654, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service. |
PRJ-39775, |
Security Management |
Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command. |
PRJ-45054, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked. |
PRJ-43689, |
Multi-Domain Security Management |
Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain's policy. |
PRJ-45060, |
Multi-Domain Security Management |
In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858. |
PRJ-46087, |
Multi-Domain Security Management |
A scheduled Install Policy Preset may not have its next run time updated when:
|
PRJ-46104, |
Multi-Domain Security Management |
In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983. |
PRJ-40738, |
Multi-Domain Security Management |
Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers. |
PRJ-44968, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages. |
PRJ-45068, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-46509, |
SmartConsole |
Data Center objects may not appear as unused objects in the Object Explorer view, although they should. |
PRJ-43598, |
SmartConsole |
Typo in the Compliance report - "OSFP" instead of "OSPF". |
PRJ-41666, |
Logging |
In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field. |
PRJ-39255, |
Logging |
In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server. |
PRJ-41594, |
Logging |
SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information. |
PRJ-45606, |
Logging |
In some scenarios, in the Logs view, the "Destination" field may be missing. The issue is cosmetic only. |
PRJ-46073, |
Logging |
After an upgrade of the Security Management Server, the "cp_log_export show" command may return the "found an ambiguous value" error in the "export_log_position" field. |
PRJ-45417, |
Logging |
Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic. |
PRJ-41281, |
Logging |
In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached. |
PRJ-38480, |
Logging |
In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured. |
PRJ-46053, |
Security Gateway |
The Security Gateway may crash while inspecting non-HTTP traffic. |
PRJ-46340, |
Security Gateway |
In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze. |
PRJ-46334, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-45496, |
Security Gateway |
On the Security Gateway with Management Data Plane Separation (MDPS) enabled:
|
PRJ-44937, |
Security Gateway |
When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur. |
PRJ-38111, |
Security Gateway |
In some scenarios, the Security Gateway may crash. |
PRJ-45803, |
Security Gateway |
Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588. |
PRJ-42530, |
Security Gateway |
In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart. |
PRJ-44855, |
Security Gateway |
Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter. |
PRJ-45483, |
Security Gateway |
Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command. |
PRJ-47123, |
Security Gateway |
In some scenarios, after an upgrade, the FWD process may unexpectedly exit. |
PRJ-43856, |
Security Gateway |
The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX. |
PRJ-44407, |
Security Gateway |
Global tables (ghtab) may not be synchronized between members, this can lead to instability of traffic. |
PRJ-47148, |
Security Gateway |
Enlarging MTU may cause even small packets to be allocated as Jumbo frames. This will impact the performance of SNDs CPUs. |
PRJ-46113, |
Security Gateway |
In rare scenarios, the Security Gateway may drop the traffic after "Rulebase Internal Error" which occurs during policy installation. |
PRJ-33812, |
Security Gateway |
The FWK process may unexpectedly exit while processing the mail flow and generate a core dump. |
PRJ-45955, |
Security Gateway |
When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873. |
PRJ-41967, |
Security Gateway |
When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected. |
PRJ-44311, |
Security Gateway |
In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash. |
PRJ-46687, |
Security Gateway |
When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops. |
PRJ-46138, |
Security Gateway |
The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032. |
PRJ-45478, |
Security Gateway |
Security Gateway may crash when running kernel debugs of the "UP" module. |
PRJ-44251, |
Security Gateway |
When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC. |
PRJ-44500, |
Security Gateway |
In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped. |
PRJ-44977, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-45186, |
Security Gateway |
Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705. |
PRJ-42358, |
Security Gateway |
Latency in connection caused by a packet flow change from F2V to F2F. |
PRJ-45397, |
Security Gateway |
Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801. |
PRJ-45449, |
Security Gateway |
When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure. |
PRJ-44752, |
Security Gateway |
Policy installation may fail with "Error 2000240" because of an IPv6 flow issue. |
PRJ-41776, |
Threat Prevention |
IoC feed may not load, and the "Feed status cybercrime-tracker_hash_list :: engine memory allocation error. Feed log External IoC - External Indicators processing failed" error is displayed in CLI. |
PRJ-42147, |
Threat Prevention |
Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues. |
PRJ-44570, |
Threat Prevention |
After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed ". |
PRJ-44151, |
Threat Prevention |
In a rare scenario, policy installation may fail because of IoC observables overrides. |
PRJ-44551, PRHF-27765 |
Threat Prevention |
In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update. |
PRJ-45562, |
Threat Prevention |
In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail. |
PRJ-44200, PMTR-89130 |
Threat Prevention |
When IPS Blade is enabled, the Security Gateway may crash. |
PRJ-39347, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on PDP when installing policy. |
PRJ-44316, |
Content Awareness |
When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection. |
PRJ-45428, |
Application Control |
Some TLS1.3 applications without SNI do not match the rules. |
PRJ-47064, |
Application Control |
When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur. |
PRJ-29401, |
Anti-Virus |
The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries. |
PRJ-46605, |
Anti-Virus |
The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026. |
PRJ-44664, |
Anti-Virus |
Anti-Virus Blade may bypass inspection of URLs with sub-domain portion. |
PRJ-46279, |
Anti-Virus |
Importing a custom intelligence feed containing IP ranges may fail. |
PRJ-47264, |
SSL Inspection |
The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak. |
PRJ-45657, |
SSL Inspection |
In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0. |
PRJ-45099 |
Mobile Access |
SSL Network Extender (SNX) may randomly disconnect after an upgrade. Refer to sk173765. |
PRJ-46402, |
Mobile Access |
Sending emails with attachments via Capsule Workspace may fail on iOS. |
PRJ-45194, |
Mobile Access |
In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail. |
PRJ-46505, |
ClusterXL |
Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969. |
PRJ-41307, |
ClusterXL |
When interfaces disconnect/connect on both members at the same time, it may cause a failover. |
PRJ-42771, |
ClusterXL |
Asymmetric UDP traffic may be dropped with "First Packet isn´t Syn". |
PRJ-45349, PRHF-28275 |
ClusterXL |
After an upgrade, cluster members may frequently crash, causing instability in the environment. |
PRJ-44455, |
ClusterXL |
After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops. |
PRJ-44352, |
ClusterXL |
A VRRP cluster member may be stuck in boot after a cluster upgrade. |
PRJ-45300, |
SecureXL |
When running tcpdump on the Multi-Domain Security Server, an "error /bin/cp-tcpdump.sh: line 11: sxlmode: command not found" message is shown. The issue is cosmetic only. |
PRJ-44874, |
SecureXL |
Traffic may be dropped and the FWACCEL core file is generated. |
PRJ-45833, |
Routing |
The ROUTED daemon may unexpectedly exit because of multi-threading issues. |
PRJ-41963, |
Routing |
Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear. |
PRJ-46358, |
Routing |
Routes marked as "stale" may be redistributed via BGP during graceful restart. |
PRJ-45260, |
Routing |
When configuring OSPFv2 graceful restart on ClusterXL, the cluster may get stuck in EXSTART / 2WAY state. |
PRJ-46095, |
Routing |
BGP state gets stuck in Idle state when using BGP ping to one of the peers. |
PRJ-46132, |
Routing |
When two interfaces with the same local address are configured, BGP may use an incorrect interface to reach a peer. |
PRJ-46128, |
Routing |
The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths. |
PRJ-41960, |
Routing |
In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group. |
PRJ-41798, |
Routing |
Configuring OSPFv2 Graceful Restart and passive OSPF interfaces at the same time can cause graceful restart failures. |
PRJ-44924, |
Routing |
When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode. |
PRJ-45379, |
Routing |
A VRRP/VRRP6 interface may go into Master/Master state. |
PRJ-44705, |
Routing |
Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table. |
PRJ-44709, |
Routing |
An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface. |
PRJ-45468, PRHF-28353 |
VPN |
StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method. |
PRJ-44829, PRJ-44991, PRJ-46302, PRHF-28849 |
VPN |
|
PRJ-44218, |
VPN |
The "vpn/ike debug ikeon/ikefail" commands may fail when used with the "-s" flag. |
PRJ-45919, |
VPN |
The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation. |
PRJ-44089, |
VSX |
Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect. |
PRJ-45401, |
VSX |
Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs. |
PRJ-41970, |
VSX |
Increasing the MTU value of a bonded tagged interface may not be possible. Refer to sk179984. |
PRJ-44745, |
VSX |
Virtual System's interfaces may be missing when running the Clish command "show/save configuration". |
PRJ-45005, |
VSX |
A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command. |
PRJ-45145, |
VSX |
Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster. |
PRJ-45863, |
Gaia OS |
Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error. |
PRJ-29906, |
Gaia OS |
It may be not possible to enter a snapshot description with more than one word. |
PRJ-33093, |
Gaia OS |
In some scenarios, the output of the "show configuration"/"snapshot-scheduled" command may contain corrupted text. |
PRJ-28434, |
Gaia OS |
Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment. |
PRJ-42779, |
Gaia OS |
Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection". |
PRJ-41909, |
Gaia OS |
Gaia WebUI logs are printed with "info" severity. |
PRJ-44370, |
Gaia OS |
SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status. |
PRJ-46285, |
Harmony Endpoint |
Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device. |
PRJ-46947, |
Harmony Endpoint |
KAV updater on the Server may fail to receive updates when proxy is used. |
PRJ-45540, |
CloudGuard Network |
AWS Data Center mapping fails when an interface subnet is missing from the list of subnets. |
PRJ-32399, |
VoIP |
After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-46475, |
VoIP |
SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file. |
PRJ-42263, |
Scalable Platforms |
Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439. |
PRJ-42617, |
Scalable Platforms |
The FW process may unexpectedly exit, producing a core dump file. |
PRJ-32730, |
Scalable Platforms |
When there is a connectivity issue in the cluster, OSPF packets may be sent with delays and cause an outage. |
PRJ-44528, |
Scalable Platforms |
License is not copied from SMO to all other members if other members are in Down state. |
PRJ-36345, |
Scalable Platforms |
Redundant reboot occurs after installing R81/R81.10 Jumbo Hotfix Accumulator for the first time after a major version installation/upgrade. Refer to sk177765. |
PRJ-44587, |
Scalable Platforms |
The "orch_info" command may freeze, when running it on Maestro Orchestrator. |
PRJ-41249, |
Scalable Platforms |
Trying to power off the MHO in CLI may lead to a reboot. |
PRJ-45480, |
Scalable Platforms |
Querying the HW status via SNMP (OIDs .1.3.6.1.4.1.2620.1.6.7.*) or via the "cpstat os -f sensors" command may fail on Maestro Orchestrator. |
PRJ-45301, |
Scalable Platforms |
In rare scenarios, the Single Management Object (SMO) may go to Down state after clicking a packet capture link in the IPS log in SmartConsole. |
PRJ-42785, |
Scalable Platforms |
Members may stay in Down state after reboot/Jumbo Hotfix installation with pull_config pnote when pulling registry from SMO: "Pull registry failed" error in the $FWDIR/log/Blade_config log file. |
PRJ-43815, |
Scalable Platforms |
CPUSE may suggest to install Maestro incompatible packages. |
PRJ-46968 |
Scalable Platforms |
On Maestro, when MDPS (Management Data Plane Separation) is enabled, and the license corresponds to an IP address different from the management interface's IP address (such as the sync IP), policy installation may fail because of a license mismatch. |
PRJ-47053, |
Scalable Platforms |
MHO reports logs may not be rotated. |
PRJ-44287, |
Scalable Platforms |
The "set/show trace" command may fail in gClish. |
PRJ-45885, |
Scalable Platforms |
In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System. |
PRJ-46645, |
Carrier Security |
Incorrect parsing of GTP-U traffic may cause anti-spoofing drops. |
PRJ-43224, |
Carrier Security |
Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507. |
PRJ-43220, |
Carrier Security |
Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506. |
PRJ-46676, PRJ-46679, |
Carrier Security |
After an upgrade, GTP traffic and memory issues may occur. |
PRJ-46673, |
Carrier Security |
Packet corruption, leading to traffic and performance issues. |
PRJ-44602, |
Carrier Security |
Stack buffer overflow may occur in the FWGTP process. |
Take 109 Released on 17 July 2023 and declared as Recommended on 23 July 2023 |
||
PRJ-47745 |
Scalable Platforms |
Uninstalling Jumbo Hotfix Take 106/107 on Maestro Orchestrator (MHO) may cause an outage. |
Take 107 Released on 28 June 2023 |
||
PRJ-47102, |
Security Management |
Policy installation may fail with "Target is not defined in the database" error when the target name has many underscore or dash characters. |
Take 106 Released on 8 June 2023 |
||
PRJ-45900, |
Scalable Platforms |
NEW: Added support for LightSpeed acceleration on Scalable Platforms appliances MLS-200, MLS-400 and QLS-250 and QLS-450. |
PRJ-40966, |
Scalable Platforms |
UPDATE: Switching between User/Kernel mode on Scalable Platforms can now be done using "cpconfig" . Reboot of the Security Group members is performed after the confirmation. |
PRJ-46857 |
Multi-Domain Security Management |
After an upgrade to R81.10 Take 95, policy installation from a Domain Security Management Server on R81.20 Security Gateways may fail with "Policy installation is not supported for the target". Refer to sk181048. |
PRJ-45592, |
SmartConsole |
In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to a Threat Prevention policy "Install On" column, no Security Gateway objects appear. Refer to sk180964. |
PRJ-44451, |
SmartConsole |
In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681. |
PRJ-43171 |
CPUSE |
When working in a Scalable Platforms environment, a member may get in a bootloop. The issue occurs after the consequent upgrade of this member to R81.10, Deployment Agent (DA) update and enabling image auto cloning. |
PRJ-46294, |
VPN |
Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429. |
PRJ-45789, |
CloudGuard Network |
Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries. |
PRJ-45975, |
CloudGuard Network |
After an upgrade to Take 75, importing Azure Private Endpoints, Application Security Groups or AWS Load balancer tags may fail. |
PRJ-46854, |
Scalable Platforms |
User Space Mode (UPPAK) is not supported on Maestro Security Gateways with enabled Management Data Plane Separation (MDPS). |
Take 95 Released on 13 April 2023 and declared as Recommended on 15 May 2023 |
||
PRJ-42693, |
Security Management |
NEW: Added ability to run the "verify-policy" Management API command on a private session with unpublished changes. |
PRJ-45365, |
Security Management |
NEW:
|
PRJ-44576, |
Internal CA |
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date. |
PRJ-44226, |
Compliance |
NEW: Compliance Blade is enhanced with 5 new Firewall Best Practices:
|
PRJ-42453, |
HCP |
NEW: HCP report is now available in WebUI. To access it, use the link: https://<Security Gateway IP address>/hcp. |
PRJ-41010, |
Security Management |
UPDATE: Defining GUI Clients on the Log Server is now blocked. Defining GUI Clients is allowed only from the Security Management Server in Active mode. |
PRJ-41201, |
Security Gateway |
UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).
|
PRJ-43605, PRHF-22566 |
SecureXL |
UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall. |
PRJ-44610, |
Threat Emulation |
UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443. |
PRJ-43969, |
VPN |
UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.
Refer to sk98074. |
PRJ-42404, |
VSX |
UPDATE: Added more logs related to Pushing VSX Configuration.
. |
PRJ-43675, |
Harmony Endpoint |
UPDATE: Linux installations are now automatically added to "All Linux Desktops Virtual Group" in Harmony Endpoint. Refer to sk180430. |
PRJ-45266, |
GaiaOS |
UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311. |
PRJ-44639, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements. |
PRJ-43925, |
CloudGuard Network |
UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.10 Administration Guide > Configuration Parameters. This change prevents scenarios when CloudGuard Controller fails to connect to Cluster with MDPS enabled (sk180981). |
PRJ-44355, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region. |
PRJ-40857, MBS-14161 |
Scalable Platforms |
UPDATE: Added Management Data Plane Separation (MDPS) support for Maestro Orchestrator and Chassis scalable platforms. |
PRJ-45755, PMTR-91592 |
Scalable Platforms |
UPDATE: Enhanced the mechanism of Maestro Gateway leaving a Security Group. |
PRJ-44629, PMTR-90519 |
Security Management |
There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder. |
PRJ-44460, |
Security Management |
In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions. |
PRJ-39758, |
Security Management |
In some scenarios, exact search in the Object Explorer may not return the expected results. |
PRJ-38358, |
Security Management |
After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results". |
PRJ-42060, |
Security Management |
The "show objects" command returns all objects in Global Domain with any filter when "ip-only" flag is set to "true". |
PRJ-44025, |
Security Management |
When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message. |
PRJ-43962, |
Security Management |
In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses. |
PRJ-42084, |
CPView |
A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops. |
PRJ-43472 |
CPUSE |
In some scenarios, the Task Progress bar is missing from SmartConsole during Jumbo Hotfix installation. |
PRJ-44337, |
CPView |
The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540. |
PRJ-43393, |
Logging |
When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects. |
PRJ-44095, |
Security Gateway |
In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to a BGP failure. |
PRJ-36112, |
Security Gateway |
When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email. |
PRJ-44920, |
Security Gateway |
After an upgrade to Take 79, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs. |
PRJ-44232, |
Security Gateway |
After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore. |
PRJ-42296, |
Security Gateway |
When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command. |
PRJ-42707, |
Security Gateway |
DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list. |
PRJ-43011, |
Security Gateway |
When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted. |
PRJ-43886, |
Security Gateway |
In rare scenarios, the FWD process is stuck during policy installation. |
PRJ-43839, |
Security Gateway |
The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation. |
PRJ-40878, |
Security Gateway |
In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
PRJ-41564, |
Security Gateway |
SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625. |
PRJ-44081, |
Security Gateway |
In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated. |
PRJ-41878, |
Security Gateway |
On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode. |
PRJ-43533, |
Security Gateway |
The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated. |
PRJ-40472, |
Threat Prevention |
If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible. |
PRJ-41901, |
Threat Prevention |
IoC feed may not load because of a parsing issue with the IP address range indicator. |
PRJ-44222, |
Threat Prevention |
In a Quantum Maestro environment, adding an IoC feed from the command line may fail with a "Can not load indicators feed without AV & AB Blades enabled, please enable AV & AB and try again" message, although Anti-Virus and Anti-Bot Blades are enabled. |
PRJ-42344, |
Identity Awareness |
During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659. |
PRJ-42933, |
Identity Awareness |
The PDPD process may cause CPU spikes during cluster failover. |
PRJ-43747, |
Identity Awareness |
The output of the "pdp monitor cv_le <agent-version>" command may be incorrect. |
PRJ-33065, |
Identity Awareness |
In a rare scenario, a wrong access role may be assigned to a user. |
PRJ-43503, |
Application Control |
Policy installation may fail with an "Error 0-200184" message because of memory allocation issues. |
PRJ-44383, |
Application Control |
A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability. |
PRJ-43975, |
URL Filtering |
When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected. |
PRJ-42714, |
IPS |
In a rare scenario, the Security Gateway may crash during an IPS package update. |
PRJ-44180, |
IPS |
In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic. |
PRJ-43583, |
DLP |
A memory leak may occur in the DLPU process. |
PRJ-44009, |
Anti-Virus |
The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade. |
PRJ-44291, |
Mobile Access |
Some web applications which use PT or UT link translation methods may have issues after a browser upgrade. |
PRJ-41413, |
Mobile Access |
Access to a web application that uses WebSocket protocol may not be possible. |
PRJ-44131, |
SecureXL |
IPv6 template is not created when the connection is NATed. |
PRJ-42781, |
SecureXL |
After installing R81.10 Jumbo Hotfix Take 61 and higher, running the "tcpdump" command fails with the "/bin/cp-tcpdump.sh: line 14: /sbin/tcpdump: No such file or directory" error. Refer to sk180737. |
PRJ-44677, |
SecureXL |
After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped. |
PRJ-43983, |
SecureXL |
In a rare scenario, a CPAQ message sent during policy push does not have critical and can be dropped when the Security Gateway is busy. |
PRJ-43922, |
Routing |
Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost. |
PRJ-44940, |
Routing |
After an update, multicast traffic may be dropped. |
PRJ-43410, |
Routing |
The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM). |
PRJ-44372, |
Routing |
OSPF routes may not be redistributed after reboot. |
PRJ-41331, |
Routing |
The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down. |
PRJ-44259, |
Routing |
The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0". |
PRJ-44688, |
Routing |
Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669. |
PRJ-43827, |
VPN |
In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection, and the traffic might be dropped. Refer to sk180855. |
PRJ-44285, |
VPN |
VPN endpoint users fail to login with ECDSA certificate. |
PRJ-43386, |
VPN |
After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only. |
PRJ-40284, PRJ-43713, PRJ-42371, |
VPN |
Refer to sk180530. |
PRJ-43550, |
VPN |
VPN stability issues. |
PRJ-43195, |
VPN |
TCP traffic on port 34500 may be encrypted by VPN, although it should not. |
PRJ-40913, |
VPN |
The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client. |
PRJ-44667, |
VPN |
When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output. |
PRJ-44122, |
VSX |
Changing the main IP address of a Virtual Router may cause the FWM process to exit. |
PRJ-40034, |
Gaia OS |
When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed. |
PRJ-44238, |
Gaia OS |
The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added. |
PRJ-42220, |
Gaia OS |
Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI. |
PRJ-43986, |
Gaia OS |
The "lldpneighbors" Clish command may have a corrupted output. |
PRJ-43563, |
Gaia OS |
When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server. |
PRJ-44347, |
CloudGuard Network |
The "Logical Volume duplicate fail" error is displayed when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381. |
PRJ-43397, |
CloudGuard Network |
VPN Cluster stability issue when the peer is an Azure Security Gateway. |
PRJ-43577, |
CloudGuard Network |
When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails. |
PRJ-44478, |
CloudGuard Network |
Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started. |
PRJ-44614, |
VoIP |
In rare scenarios, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue. |
PRJ-44881, |
Scalable Platforms |
After an upgrade, local IPv6 traffic from Active members may fail. |
PRJ-41941, |
Scalable Platforms |
When adding a new Virtual System and installing a policy, member state may change to Down. |
PRJ-42677, |
Scalable Platforms |
Adding more than 250 VLANs on an Orchestrator MHO-175 Maestro Uplink interface causes intermittent traffic outages. Refer to sk180340. |
PRJ-43383, |
Scalable Platforms |
The clock verifier test (clock_verifier -v) fails. |
PRJ-43802, |
Scalable Platforms |
The "asg perf" command fails when running it with the "-vv" flag. |
PRJ-39722, |
Scalable Platforms |
In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW). |
PRJ-40400, |
Carrier Security |
GTP traffic may be dropped and tunnels are not registered in gtp_tunnels. |
Take 94 Released on 29 March 2023 and declared as Recommended on 2 April 2023 |
||
PRJ-45511 |
Security Management |
There is console access but no network connectivity after installing R81.10 Jumbo Hotfix Accumulator Take 93 on top of Blink image that includes Take 87. Refer to sk179799. |
Take 93 Released on 5 March 2023 |
||
PRJ-43407, |
Security Management |
NEW: On-premises Security Management Server can now connect to Infinity Portal. This allows:
Requires:
|
PRJ-43895, |
Security Gateway |
NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43807, |
Application Control, URL Filtering |
NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days contract expiration to continue providing the best security value during the renewal process. |
PRJ-44255, |
Threat Extraction |
NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43910, |
SmartView |
NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-42181, |
IPS |
NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content. |
PRJ-42658, |
IPS |
UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections. |
PRJ-43723, |
SSL Inspection |
UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates. |
PRJ-41419, |
Security Management |
UPDATE: Connecting a Quantum Security Management Server to Infinity Portal is now supported in the Full High Availability Cluster (when each cluster member has a Security Management Server and a Security Gateway). |
PRJ-42306, |
Security Management |
UPDATE: Improved the "Purge revisions" operation to reduce the size of the database. |
PRJ-36635, |
Security Management |
UPDATE: Added an option to configure the maximum number of IPS SNORT rules. These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config (for MDS - additionally in the $MDS_FWDIR/conf/malware_config file): "[IPS] snort_convertor_max_rules_per_update=<value> snort_convertor_total_rules_num_limit=<value>". Refer to sk136515. |
PRJ-41619, |
Security Management |
UPDATE: To reduce policy installation time in large environments (that have many instances), policy can be installed in batches.
|
PRJ-44559, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55. |
PRJ-43613, |
Gaia OS |
UPDATE: Gaia Cloning Groups will now use the highest TLS version available. |
PRJ-43049, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions. |
PRJ-43025, |
CloudGuard Network |
UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher. |
PRJ-42979, |
Scalable Platforms |
UPDATE: Added support for monitoring hardware of Maestro Orchestrator MHO-175. |
PRJ-43404, |
Diagnostics |
Skyline may not show any information. Refer to sk180748. |
PRJ-40226, |
Security Management |
The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed. |
PRJ-43340, |
Security Management |
In some scenarios, Audit logs may not be created when running remote API commands from Infinity Portal. |
PRJ-41762, |
Security Management |
In some scenarios, the CME process fails to start. |
PRJ-42110, |
Security Management |
The date of a policy configured with "accelerated installation" may not be updated in logs. |
PRJ-42410, |
Security Management |
Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error. |
PRJ-43094, |
Security Management |
After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails. |
PRJ-42042, |
Security Management |
In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail. |
PRJ-41892, |
Security Management |
High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server. |
PRJ-39746, |
Security Management |
Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure. |
PRJ-43363, |
Security Management |
Editing a Global Assignment object using Ansible may fail. |
PRJ-43317, |
Security Management |
In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed. |
PRJ-43254, |
Security Management |
In some scenarios, the "api status" command shows that the Management API service is stopped. |
PRJ-43312, |
Security Management |
The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base. |
PRJ-43314, |
Security Management |
Running API commands with the "dereference-max-depth" parameter with value "0" may fail when the "Groups" field is in the reply. |
PRJ-41928, |
Security Management |
After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294. |
PRJ-42049, |
Multi-Domain Security Management |
In rare scenarios in a Multi-Domain Security Management environment:
|
PRJ-42302, |
Multi-Domain Security Management |
Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain. |
PRJ-43201, |
SmartProvisioning |
Deleting an LSM Gateway via REST API does not revoke the device's VPN certificate. |
PRJ-43589, |
CPView |
In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart. |
PRJ-42100, |
CPView |
CPView may not show some interfaces. |
PRJ-33052, |
Logging |
The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803. |
PRJ-39080, |
Logging |
After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable. |
PRJ-39608, |
Security Gateway |
The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages. |
PRJ-41018, |
Security Gateway |
When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead. |
PRJ-43705, |
Security Gateway |
The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs). |
PRJ-41495, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-43347, |
Security Gateway |
A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data. |
PRJ-38809, |
Security Gateway |
In a rare scenario, when QoS is enabled, the Security Gateway may crash. |
PRJ-39801, |
Security Gateway |
After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash. |
PRJ-40320, |
Security Gateway |
In rare scenarios, the FWK process can unexpectedly exit and cause an outage. |
PRJ-42804, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-43554, |
Security Gateway |
Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled. |
PRJ-42944, |
Security Gateway |
When Anti-Spoofing is enabled, the Security Gateway may crash. |
PRJ-41634, |
Security Gateway |
Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop. |
PRJ-36010, |
Security Gateway |
The Security Gateway may frequently crash with vmcore files, recording invalid context. |
PRJ-42102, |
Security Gateway |
When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled. |
PRJ-43528, |
Security Gateway |
In rare scenarios when ISP Redundancy feature is enabled, default route disappears after policy installation. |
PRJ-42088, |
Security Gateway |
The "fw monitor" command output may contain "no packets left to merge" messages. |
PRJ-42903, |
Internal CA |
The certificate in SmartConsole is shown as valid, although it is expired. |
PRJ-41436, |
Internal CA |
When managing cloud Gateways, the FWM process memory usage may increase. |
PRJ-38490, |
Threat Prevention |
In a rare scenario, the mal_conns table may consume a large amount of memory. |
PRJ-42286, |
Threat Prevention |
The "ioc_feeds set interval -r" command may fail. |
PRJ-41598, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value. |
PRJ-32738, |
Threat Prevention |
After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml. |
PRJ-42585, |
Threat Prevention |
When using a host with automatic static NAT in a Threat Prevention policy object, the object will not be enforced. |
PRJ-42438, |
Threat Prevention |
Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file. |
PRJ-37567, |
Threat Prevention |
When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue. |
PRJ-41688, |
Threat Prevention |
In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file. |
PRJ-42999, |
Identity Awareness |
In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side. |
PRJ-42339 |
Identity Awareness |
In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing. |
PRJ-41323, |
Identity Awareness |
A connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs. |
PRJ-41221, |
Application Control |
In some scenarios, the RAD process may freeze after failing to connect to URL Filtering service. |
PRJ-41378, |
IPS |
When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation. |
PRJ-42591, |
IPS |
The Security Gateway may crash during policy installation because of a memory allocation problem. |
PRJ-35486, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290. |
PRJ-31705, |
Anti-Bot |
The "asg perf --delay" command does not change the "refresh time" on the screen. |
PRJ-43682, |
SSL Inspection |
In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode. |
PRJ-43154, |
Mobile Access |
The CVPND process may unexpectedly exit and create a core dump file. |
PRJ-41259, |
Mobile Access |
Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled. |
PRJ-42468, |
Mobile Access |
When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue. |
PRJ-43116, |
ClusterXL |
The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces. |
PRJ-44168, |
ClusterXL |
When handling HTTP/2 traffic, cluster members may crash, generating vmcores. |
PRJ-43003, |
ClusterXL |
Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292. |
PRJ-42464, |
ClusterXL |
Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled. |
PRJ-29668, |
SecureXL |
When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored. |
PRJ-42896, |
SecureXL |
SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router. |
PRJ-42575, |
SecureXL |
Multicast traffic may get dropped, and no logs are generated. |
PRJ-43056, |
Routing |
The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486. |
PRJ-40728, |
VPN |
In some scenarios, when NAT is configured, VoIP traffic is dropped. |
PRJ-43595, PRJ-43299, |
VPN |
Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651. |
PRJ-44944, |
VPN |
When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664. |
PRJ-42879, |
VPN |
When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281. |
PRJ-42561, |
VPN |
When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty. |
PRJ-42762, |
VPN |
Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error. |
PRJ-41375, |
VPN |
StrongSWAN Remote Access client can connect but fails to access internal resources. |
PRJ-42653, |
VPN |
Stability issues of the VPND and IKED processes. |
PRJ-41050, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-41697, |
VSX |
The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database. |
PRJ-42883, |
VSX |
In VSX, if Dynamic Balancing was manually disabled on R81.10, after an upgrade from R81.10 to R81.20, it automatically gets enabled. |
PRJ-41160, |
Gaia OS |
The SNMPD process may exit with a timeout when the ARP table with many ARP entries takes time to calculate its size. |
PRJ-41251, |
Gaia OS |
The backup operation fails if the backed-up directory content is larger than 10GB. |
PRJ-42254, |
Gaia OS |
Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error. |
PRJ-42962, |
Gaia OS |
IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309. |
PRJ-42526, |
Gaia OS |
Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181. |
PRJ-43428, |
Gaia OS |
In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit. |
PRJ-42624, |
Gaia OS |
SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command. |
PRJ-43651, |
Gaia OS |
When setting password hash on cloning group members, some members may not get updated. |
PRJ-43959 |
Gaia OS |
When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail. |
PRJ-40693, |
Harmony Endpoint |
When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit. |
PRJ-43068, |
CloudGuard Network |
Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data. |
PRJ-43259, |
CloudGuard Network |
Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object. |
PRJ-42696, |
VoIP |
In some scenarios, when using static NAT, VoIP traffic may be affected. |
PRJ-43517, PRHF-26939 |
VoIP |
After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-43077, |
VoIP |
While handling a multi-INVITE scenario (where a user registers with multiple devices), and VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption. |
PRJ-43488, |
Scalable Platforms |
Running the "show" or "set" commands for SSH in gClish fails. |
PRJ-31553 |
Scalable Platforms |
In VSX mode, when configuring affinity settings on Security Group members, a new added member may stay in Down state. |
PRJ-30229, |
Scalable Platforms |
The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.) |
PRJ-31658, |
Scalable Platforms |
The output of the "asg perf -6" command shows "IPV6 is Disabled". |
PRJ-43601, PRJ-43213 |
Scalable Platforms |
Time synchronization task is not performed correctly when using predefined NTP Servers. |
PRJ-32255, |
Scalable Platforms |
When running "asg diag verify" in an environment with mixed appliances, the "cores_verifier" command fails if there are unused cores, although it should not. The issue is cosmetic only.. |
PRJ-39602, |
Scalable Platforms |
The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages. |
PRJ-42192, |
Scalable Platforms |
In a multiple upgrade scenario, running the "sp_upgrade-revert" command reverts the setup to the last version, but running it the second time leads to revert instead of performing cleanup. |
PRJ-42899, |
Scalable Platforms |
When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name. |
PRJ-44600 |
Scalable Platforms |
Uninstalling Jumbo Hotfix Take 79-87 from Maestro Orchestrator may cause the REST Server initialization to fail and lead to connectivity issues. |
PRJ-44142, |
Scalable Platforms |
Some Maestro Hyperscale Orchestrator processes may go down after an upgrade and reboot. Refer to sk180509. |
PRJ-43307, |
Scalable Platforms |
Minor packet drop may occur during Maestro Orchestrator graceful reboot. |
PRJ-40549 |
Scalable Platforms |
The output of the "asg perf" command may not show active software Blades. |
PRJ-43361, |
Scalable Platforms |
The "set expert-password-hash" command may fail to update the password hash on all cluster members. |
Take 87 Released on 19 January 2023 and declared as Recommended on 7 February 2023 |
||
- |
General |
Alignment to new self-updatable packages. |
PRJ-44014, PMTR-89893 |
VSX |
In VSX, after adding instances to a Virtual System (VS), their state may be inactive. |
Take 85 Released on 12 January 2023 |
||
PRJ-42849, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, traffic may not match rules with custom applications. |
PRJ-43891, |
SSL Inspection |
In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473. |
Take 82 Released on 8 January 2023 |
||
PRJ-39425, |
Security Management |
NEW:
|
PRJ-42564 |
Security Management |
UPDATE: It is now possible use multiple values when filtering in these views:
|
PRJ-38116, |
Security Management |
UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Security Management Server with the Active Global Domain, where the operation is triggered from. |
PRJ-34898, |
Security Management |
UPDATE: Improved the "Assign Global Policy" action time by approximately 50%. |
PRJ-42033, |
Security Management |
UPDATE: Added a new Management API "mgmt_cli verify-management-license". It allows to check how many Security Gateway objects the Management Server license supports. Note that this API does not support Quantum Maestro and VSX. Refer to Management API Reference. |
PRJ-42981, |
Web SmartConsole |
UPDATE: Released Take 73 with new features and improvements. Refer to sk170314. |
PRJ-42981, |
CPView |
UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878. |
PRJ-41229 |
Logging |
UPDATE: Port 8211 no longer accepts connections with the cipher TLS_RSA_WITH_AES_128_CBC_SHA. |
PRJ-38056, |
Logging |
UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message. |
PRJ-32781, |
Security Gateway |
UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL. |
PRJ-42201 |
Threat Prevention |
UPDATE: Reduced loading time of big external Custom Intelligence Feeds. |
PRJ-42702, |
Threat Prevention |
UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-38198, |
UserCheck |
UPDATE: Added support for custom UserCheck objects for Threat Extraction. Previously it was not possible to configure them when using Autonomous Threat Prevention Policy. Refer to sk178764. |
PRJ-41735, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region. |
PRJ-41713, ODU-603 |
Smart-1 Cloud |
UPDATE: Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-27770, |
Scalable Platforms |
UPDATE: The "revert to snapshot" operation is now blocked on Scalable Platforms when the snapshot remains from the previous version and is not created as a part of the current upgrade process. |
PRJ-40628, |
Scalable Platforms |
UPDATE: Blocked the ability to install Jumbo Hotfix Accumulator or to run an upgrade to a major version on Quantum Maestro Security Gateways using the Central Deployment tool in SmartConsole or the Management REST API. |
PRJ-41650, |
Scalable Platforms |
UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it: • To enable this option:
• To disable this option:
|
PRJ-40773, |
Scalable Platforms |
UPDATE: The "Obtain IPv4 Address Automatically" option in the IPv4 and IPv6 tabs of the Gaia Portal's Interface editor is now disabled (as it is on gClish). |
PRJ-41935, |
VoIP |
UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection. |
PRJ-38613, |
Harmony Endpoint |
UPDATE: Added the "-ignoreDA" flag for "epmcommands" to clean objects from the deleted users and computers, ignoring the "da_installed" flag. |
PRJ-41999, |
HCP |
UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-40540, |
Diagnostics |
The cpview -s export operations may fail on VS0 when cpview_services are running. |
PRJ-43904, |
Security Management |
On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448. |
PRJ-41556, |
Security Management |
After an Application Control update, policy installation may fail. |
PRJ-40943, |
Security Management |
In rare scenarios, in a large environment, after an IPS update, High Availability synchronization may fail with timeout on the Global Domain. |
PRJ-41562, |
Security Management |
After an upgrade, in the Gateways&Servers view, searching Security Gateway objects by their interfaces' IP addresses fails. |
PRJ-39392, |
Security Management |
In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred". |
PRJ-39611, |
Security Management |
After an upgrade, on the Domain level, in the Administrators View, the email and phone of the administrators may be missing. |
PRJ-41679, |
Security Management |
An upgrade may fail with timeout during the import of a large database file. |
PRJ-41576, |
Security Management |
In an environment with many Security Gateways, login to SmartConsole after starting services may take a long time. |
PRJ-34737, |
Security Management |
When running the "show access-rule" API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells. |
PRJ-41071, |
Security Management |
Global Policy reassignment fails with "An internal error has occurred" if a Global rule, Rule Base, or section is created, moved, and then deleted without running a reassignment in between. |
PRJ-41292, |
Security Management |
Access Policy installation may fail with the "Internal error occurred during the verification process" error. |
PRJ-41127, |
Security Management |
Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate. |
PRJ-41976, |
Security Management |
The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119. |
PRJ-40426, |
Security Management |
In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error. |
PRJ-40944, |
Security Management |
In rare scenarios, the FWM process may unexpectedly exit. |
PRJ-41914, |
Security Management |
Installing Database from Security Management on an R80.x Log Server may fail. |
PRJ-42240, |
Security Management |
Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER. |
PRJ-42953, |
Security Management |
In an environment with the Endpoint Security Server, Jumbo Hotfix Accumulator installation may take a long time. |
PRJ-40238, |
Security Management |
Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700. |
PRJ-41671, |
Security Management |
When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue. |
PRJ-42859, |
Security Management |
After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole. |
PRJ-42509, |
Security Management |
Access policy verification may fail when dynamic objects exist in the NAT policy. |
PRJ-40823, |
Security Management |
Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks. |
PRJ-41541, |
Security Management |
The FWK process may unexpectedly exit during Threat Prevention policy installation. |
PRJ-40223, |
Security Management |
In a large environment, High Availability synchronization for the Global domain may fail with the "Global domain is busy syncing, please check sync status" error. |
PRJ-41553, |
Security Management |
Policy installation may get stuck on 99% when resuming queued policy installation tasks. |
PRJ-37832, |
Security Management |
"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain. |
PRJ-40734, |
Security Management |
In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message. |
PRJ-39718, |
Security Management |
It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown. |
PRJ-37311, |
Multi-Domain Security Management |
SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Security Management Server to the Security Management Server. |
PRJ-42291, |
Multi-Domain Security Management |
An upgrade of the secondary Multi-Domain Security Management Server or Multi-Domain Log Server may fail when simultaneously upgrading several Servers. |
PRJ-42105, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, the HitCount retention mechanism may prematurely remove the HitCount data. |
PRJ-41920, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit. |
PRJ-37706, |
Logging |
It may not be possible to filter the "Subscriber" field in SmartLog. |
PRJ-37298, |
Logging |
When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed. |
PRJ-41194, |
Logging |
It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only. |
PRJ-35880, |
Logging |
Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), after several initial logs, they may stop coming to the Log Server. |
PRJ-40492, |
Logging |
In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format. |
PRJ-40144, |
Logging |
Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses. |
PRJ-38052, |
Logging |
Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog. |
PRJ-41917, |
Logging |
Export to CSV in SmartView may be stuck in the "running" status. |
PRJ-41355, |
Logging |
In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic. |
PRJ-41930, |
Logging |
When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-31865, |
Logging |
When exporting logs in CEF format using Log Exporter and the value of the "time-in-milli" parameter is set as "true" (sk173167), the logs are not displayed in ArcSight SIEM Solution. |
PRJ-42414, |
Logging |
When LEA spawning is turned off (sk91343), the FWD process may run out of memory. |
PRJ-37500, |
Logging |
The "epoll is enabled" warning is incorrectly displayed during policy installation. |
PRJ-40235, |
Security Gateway |
There may be stability issues when ICAP client is active. |
PRJ-41864, |
Security Gateway |
After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). |
PRJ-39968, |
Security Gateway |
The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs. |
PRJ-41451, |
Security Gateway |
Policy verification fails when a generic Data Center contains an object with an empty range. |
PRJ-42972, |
Security Gateway |
The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the LightSpeed 10/25/40/100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on. |
PRJ-40927, |
Security Gateway |
When installing policy and the kernel parameter "up_log_extended_reason_for_incomplete_match" is set to 1, the Security Gateway may crash. |
PRJ-41580, |
Security Gateway |
In some scenarios, the CPD process may unexpectedly exit. |
PRJ-40109, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL. |
PRJ-43127, |
Security Gateway |
Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption. |
PRJ-39575, |
Security Gateway |
The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active. |
PRJ-41624, |
Security Gateway |
When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672. |
PRJ-40917, |
Security Gateway |
The Security Gateway may crash because of memory corruption, and the following error appears in the /var/log/message file: "[XXX] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>". |
PRJ-39332, |
Security Gateway |
After an upgrade, Access Control policy installation may fail with an "Update process is already running" message. |
PRJ-35110, |
Security Gateway |
There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling". |
PRJ-41416, |
Security Gateway |
The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs. |
PRJ-40974, |
Threat Prevention |
Threat Prevention policy installation may fail with a "Connection aborted by Peer" message. |
PRJ-41316, |
Threat Prevention |
Threat prevention policy installation fails if a Custom Intelligence Feeds name includes unsupported characters. |
PRJ-41489, |
Threat Prevention |
Loading of Custom Intelligence Feeds with authentication may fail. |
PRJ-38722, |
Threat Prevention |
File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled. |
PRJ-40936, |
Threat Prevention |
In a rare scenario, the Security Gateway may have a memory allocation issue. |
PRJ-41439, |
Threat Prevention |
After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. |
PRJ-38665, |
Threat Prevention |
The DLPU process may unexpectedly exit with a core dump file. |
PRJ-43360 |
Threat Extraction |
In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe". |
PRJ-36509, |
Identity Awareness |
The CPU utilization of the PDP daemon may be high during a specific authentication flow. |
PRJ-38543, |
Identity Awareness |
The PDPD daemon may frequently exit during the user authentication flow. |
PRJ-31975, |
Identity Awareness |
Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot. |
PRJ-34571, |
Identity Awareness |
SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query. |
PRJ-41820, |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification. |
PRJ-42506, |
Application Control |
In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher. |
PRJ-32992, |
IPS |
In some scenarios, IPS logs do not show the correct memory and CPU utilization when IPS is bypassed. |
PRJ-41655, |
IPS |
Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps. |
PRJ-39753, |
Anti-Virus |
The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked. |
PRJ-41216, |
Anti-Virus |
In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash. |
PRJ-43181, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and create core dump files. |
PRJ-41973, |
Mobile Access |
After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing. |
PRJ-32969, |
Mobile Access |
Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244. |
PRJ-40833, |
Mobile Access |
After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail. |
PRJ-32972, |
Mobile Access |
Push notification may not be working with the legacy Mobile Access (MAB) Portal. Refer to sk176243. |
PRJ-38460, |
Mobile Access |
In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance". |
PRJ-40745, |
ClusterXL |
The cphaprob show_bond command does not show newly added slaves from Virtual Systems (VSs). |
PRJ-42928, |
ClusterXL |
A Hide NAT port may be allocated twice causing the "out of state" drops. |
PRJ-37151, |
ClusterXL |
In an Active/Active cluster, a member may reboot because of a memory corruption issue. |
PRJ-39184, |
ClusterXL |
In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory because of a memory leak. |
PRJ-42445, |
SecureXL |
The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364. |
PRJ-42073, |
SecureXL |
In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot. |
PRJ-42230, |
SecureXL |
DNS Traffic Steering feature does not work over TCP. |
PRJ-41691, |
SecureXL |
The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP. |
PRJ-42145, |
SecureXL |
SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios. |
PRJ-40266, |
CoreXL |
Connections matching the Access Control rules may get timed out, although they should be rejected according to the configuration. |
PRJ-41504, |
Routing |
Some invalid nexthop and destination addresses from remote BGP peers may be incorrectly handled, causing lost BGP connection. |
PRJ-41724, |
Routing |
The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931. |
PRJ-41870, |
Routing |
Gaia API request "show-routes" may fail with the "generic error" and the ROUTED core dump is generated. |
PRJ-41708, |
Routing |
The ROUTED process may unexpectedly exit when the route does not have a next hop. |
PRJ-41642, |
VPN |
In some scenarios, StrongSwan Client may get disconnected during re-authentication. |
PRJ-41809, |
VPN |
When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels. |
PRJ-40860, |
VPN |
The VPND process may unexpectedly exit. |
PRJ-42729, |
VPN |
In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue. |
PRJ-39171, |
VPN |
Remote Access Client may fail to connect when using machine certificate authentication. |
PRJ-38167, |
VPN |
Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592. |
PRJ-42376, |
VPN |
The IKED process unexpectedly exits when the "Aggressive SLP" (Simultaneous Login Prevention) feature is enabled. |
PRJ-40830, |
VPN |
The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710. |
PRJ-41560, |
VPN |
After an upgrade, the community name may not be visible from SmartView Monitor, and the "snmpwalk" command returns an empty value for this entry. |
PRJ-42310, |
VPN |
Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC). |
PRJ-38516, |
VSX |
SecureXL may not let HTTPS traffic pass through a Virtual Router (VR). |
PRJ-43356, |
VSX |
The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324. |
PRJ-43140 |
Gaia OS |
After an upgrade, the RADIUS Server is unavailable and authentication fails. |
PRJ-41234, |
Gaia OS |
There are trap names duplications in chkpnt.mib and chkpnt-trap.mib which may cause incorrect values when using SNMP traps. |
PRJ-41409, |
Gaia OS |
When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed. |
PRJ-34372, |
Gaia OS |
After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups. |
PRJ-41613, |
Gaia OS |
Information about scheduled backup failure is now displayed in Clish, WebUI, and in the error message inside the log file. |
PRJ-41686, |
Gaia OS |
In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function. |
PRJ-42150, |
CloudGuard Network |
Improved performance of pushing Data Center Objects changes to Security Gateways. |
PRJ-42855, |
CloudGuard Network |
A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings. |
PRJ-41846, |
CloudGuard Network |
Improved handling of NSX-T API responses. |
PRJ-42010, |
CloudGuard Network |
When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway. |
PRJ-42115, |
CloudGuard Network |
AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC). |
PRJ-41463, |
CloudGuard Network |
Import of OpenStack Data Center CloudGuard Network objects may fail. |
PRJ-42257, |
CloudGuard Network |
After an upgrade in a Huawei Cloud environment, a network card may be renamed after a reboot. |
PRJ-28732, |
VoIP |
In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651. |
PRJ-40355, |
Scalable Platforms |
When running the "set kernel-routes on/off" and "set domainname <VALUE>" commands through gCLish, the configuration is applied only locally. |
PRJ-36510, |
Scalable Platforms |
In some scenarios, a newly added Security Group Member (SGM) continuously reboots, and there are core dump files for the CONFD process. Refer to sk178405. |
PRJ-40180, |
Scalable Platforms |
In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Module (SGM). |
PRJ-42514, |
Scalable Platforms |
Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic. |
PRJ-40835, |
Scalable Platforms |
In a rare scenario, a non-SMO member may send GARP request over the Management interface, causing traffic impact. |
PRJ-41146, |
Scalable Platforms |
In some scenarios, the SNMPD process may unexpectedly exit. |
PRJ-41473, |
Scalable Platforms |
Configuration of exception entries (asg_excp_conf, see sk175584) does not survive an upgrade. As a result, traffic that was configured to be forwarded to SMO is handled by the original member. |
PRJ-32368, |
Scalable Platforms |
In a dual site environment with two Maestro Hyperscale Orchestrators on each site, the asg diag test may fail in a mixed appliances setup because of a difference in affinity configuration files. |
PRJ-37829, |
Scalable Platforms |
Improved VPN on Quantum Maestro with Security Gateways hidden behind NAT. |
PRJ-41835, |
Scalable Platforms |
SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926. |
PRJ-42558, |
Scalable Platforms |
Policy installation may cause backplane interfaces flapping. This can affect the connectivity with the Maestro Hyperscale Orchestrator, and the members may go to Down state. |
PRJ-39190, |
Scalable Platforms |
When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID. |
PRJ-42947, |
Scalable Platforms |
Optimized the SNMP communication between Security Gateway Module (SGM) and Security Switch Module (SSM) to prevent timeouts. |
PRJ-39318, |
Scalable Platforms |
Failover/failback may cause a non-DR manager member to change state to Down because the ROUTED unexpectedly exits with pnote. |
PRJ-41212, |
Scalable Platforms |
Performance data may not be collected on VSX Security Gateways. |
PRJ-42820, |
Scalable Platforms |
In a Quantum Maestro environment, the sp_upgrade command may fail when working in VSX mode. |
PRJ-42834, |
Scalable Platforms |
When trying to perform the downgrade procedure, a Site may be stuck in Backup state. The issue occurs if, before the downgrade, this Security Group was first upgraded and then its topology was changed. |
Take 81 Released on 22 Nov 2022 and declared as Recommended on 2 January 2023 |
||
PRJ-41364 |
SecureXL |
NEW: Added support for enabling Hardware Acceleration in Quantum LightSpeed Appliances. Refer to sk179432. |
PRJ-45565, ACCHA-2110 |
Gaia OS |
The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728. |
PRJ-42687 |
Harmony Endpoint |
Refer to sk180230. |
PRJ-41507, |
Scalable Platforms |
After an upgrade to Jumbo Hotfix Accumulator R81.10 Take 75 or higher, a member may be in Down state with a "pull_config" pnote. |
Take 79 Released on 24 October 2022 and declared as Recommended on 21 November 2022 |
||
PRJ-38348, |
Diagnostics |
The CPVIEWD process may cause CPU spikes. |
PRJ-40819, |
Security Management |
NEW: It is now possible to clone Access and HTTPS Inspection layers via Management REST API. |
PRJ-41083, |
Security Management |
UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down. |
PRJ-40000, |
Security Management |
UPDATE: Added a new API version (1.8.1). Refer to Management API Reference. |
PRJ-31201, |
Security Management |
UPDATE: Audit logs for Access Control rules now contain more information about the rule. |
PRJ-39462, |
Security Management |
UPDATE: Management API performance improvements:
|
PRJ-40100, PMTR-72725 |
Security Management |
After a policy installation failure, fetching policy on the Security Gateway side by running the "fw fetch local" command may also fail. |
PRJ-37912, |
Security Management |
The flag "--method" for a CME command is not supported in SmartConsole Command Line. |
PRJ-37339 |
Security Management |
Objects that do not belong to groups may be shown in the Group Membership view in SmartConsole. |
PRJ-40205, |
Security Management |
In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144 |
PRJ-38709, |
Security Management |
Login to Domain via Management API using FQDN as the Domain parameter may fail with the "Domain not found" error. |
PRJ-38218, |
Security Management |
If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status. |
PRJ-39805, |
Security Management |
In Object Explorer, when filtering by type, all other filters may disappear until the selected filter is removed. |
PRJ-40587, |
Security Management |
The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645. |
PRJ-40408, |
Security Management |
Editing a Threat Profile object using Ansible automation tool may fail. |
PRJ-38426, |
Security Management |
Login to Management Server may fail if a trusted client has a subnet mask defined in CIDR notation. Refer to sk177743. |
PRJ-39409, |
Security Management |
In the Object Explorer window in SmartConsole, numeric columns are sorted alphabetically, although they should be sorted in numerical order. |
PRJ-40516, |
Security Management |
Adding members to a user group may fail when using Management API. |
PRJ-33896, |
Security Management |
Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled. |
PRJ-40646, |
Security Management |
Deleting a Security Gateway in SmartConsole may fail. |
PRJ-41098, |
Security Management |
The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot. |
PRJ-38789, |
Security Management |
Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524. |
PRJ-39210, |
Security Management |
The output of the "show opsec-application" API command may not show the host object name or UID. |
PRJ-38457, |
Security Management |
High Availability synchronization may fail with the "Failed to update shared licenses" error. |
PRJ-33922, |
Security Management |
Some unused sessions may remain open in the system, consuming memory and CPU. |
PRJ-40721, |
Security Management |
Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object. |
PRJ-40851, |
Security Management |
The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command. |
PRJ-39538, |
Security Management |
An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587. |
PRJ-39223, |
Security Management |
An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain". |
PRJ-40058, |
Security Management |
An Application Control and URL Filtering update may still occur even if the latest version is already installed. |
PRJ-39334, |
Security Management |
Install Policy Presets may fail with the "Install Policy Failed: Could not commit JPA transaction" error. |
PRJ-40547, |
Security Management |
After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors. |
PRJ-40810, |
Security Management |
SmartConsole may unexpectedly disconnect. |
PRJ-40170, |
Multi-Domain Management |
A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours. |
PRJ-39489, |
Multi-Domain Management |
In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect. |
PRJ-38125, PRHF-23066 |
Multi-Domain Management |
Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message. |
PRJ-41286, |
Web SmartConsole |
UPDATE: Released Take 67 with new features and improvements. Refer to sk170314. |
PRJ-40613, |
Compliance |
In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it. |
PRJ-41022, |
CPView |
NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566. |
PRJ-36192, |
Logging |
UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT. |
PRJ-29738, |
Logging |
In SmartView, exporting views or reports that do not have tables may indefinitely continue processing. |
PRJ-40194, |
Logging |
After an upgrade from R81 to R81.10, maintenance cleanup may remove some recent logs while not erasing other logs from the disk. |
PRJ-28112, |
Logging |
In rare scenarios, logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server. |
PRJ-39590, |
Logging |
The FWD process may unexpectedly exit and create core dump files. |
PRJ-40358, |
Logging |
In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596. |
PRJ-30965, EPS-562 |
Logging |
In some scenarios, the Forensics report fails to open from Harmony Endpoint logs. |
PRJ-36477, |
Logging |
In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713. |
PRJ-32207, |
Logging |
The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records. |
PRJ-41360, |
Logging |
Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully. |
PRJ-41103, |
Logging |
When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name. |
PRJ-34680, |
Security Gateway |
UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215. |
PRJ-40505, |
Security Gateway |
UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750). |
PRJ-38144, |
Security Gateway |
UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1. |
PRJ-40098, |
Security Gateway |
UPDATE:
|
PRJ-40459, |
Security Gateway |
In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway. |
PRJ-38591, |
Security Gateway |
In a cluster environment, an ICAP implied rule may not be enforced after policy installation. |
PRJ-35393, |
Security Gateway |
It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE". |
PRJ-39640, |
Security Gateway |
When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged. Refer to sk179431. |
PRJ-41091, |
Security Gateway |
A kernel crash may occur during system shutdown when PIM is enabled. |
PRJ-39927, |
Security Gateway |
When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files. |
PRJ-41030, |
Security Gateway |
Topology auto update may fail because of a too long interface name. |
PRJ-41033, |
Security Gateway |
The Security Gateway may run out of memory when retrieving topology. |
PRJ-37210, |
Security Gateway |
During a failover, BGP session may be re-established due to equal connection timers between two Security Gateways. |