R81.10 Jumbo Hotfix Take 110

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 110

Released on 30 July 2023 and declared as Recommended on 29 August 2023

PRJ-44422,
ACCESS-458

Security Management

NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository.

PRJ-43521,
PMTR-89420

Security Management

NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs .

For example:

  • mgmt_cli add access-section layer "Network" position 1 name "New Section 1" tags mytag

  • mgmt_cli add access-rule layer "Network" position 1 name "Rule 1" tags mytag

PRJ-44326,
PMTR-90221

Security Management

NEW: Added a new Management API "mgmt_cli show ha-status". It provides synchronization information for the currently active domain.

  • When running the command from the Active Domain in the local/Global Domain, it retrieves details about the synchronization status of the other standby peers and the overall synchronization status for the Domain.

  • When running the command from the system Domain, it only displays the general synchronization status, as all peers are active.

PRJ-44494,
MBS-14158

Scalable Platforms

NEW: Added support for the 25Gbps speed on Maestro Orchestrator ports.

PRJ-45678,
PRJ-45679

CloudGuard Network

NEW: CloudGuard Controller for NSX-T

  • Starting from NSX-T 4.0.0.x and higher, Manager Mode APIs are deprecated, it is recommended to use Policy Mode.

  • Import NSX-T Tags (NSgroups and VMs) is now supported.

  • Import NSX-T Virtual Machine objects is now supported.

Note: Importing Virtual Machines can be enabled only using Policy Mode APIs. When enabled, the amount of API requests toward the NSX-T manager increased.

PRJ-46242,
PMTR-86894

Security Management

UPDATE: A Security Management Server/Domain Management Server can now manage up to 400 Security Gateways / Clusters, allowing concurrent policy installation on all Security Gateways / Clusters at once.

PRJ-45295,
PMTR-86221

Security Management

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

PRJ-45490,
PRHF-28303

Security Management

UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster).

PRJ-44502,
PMTR-88484

Security Management

UPDATE: Significantly improved performance during upgrade and import for large Multi-Domain Security Management environments with many administrators (over 20 domains and over 100 global administrators).

  • Requires installing Upgrade Tools package 996000482 and higher.

PRJ-45203,

ODU-843

Web SmartConsole

UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314.

PRJ-45891,
PRHF-28332

Security Gateway

UPDATE: Added a new environment variable "IMPLIED_RULES_SET_BEFORE_LAST". It defines if Multi-Portal implied rules should be matched as "before drop" or "before last". The default value is "0", set to "before drop". When the value is set to "1", implied rules will be matched as "before last". Refer to sk180808.

PRJ-44774,
PMTR-85896

Security Gateway

UPDATE: The Thread Blocker feature is now disabled by default. Refer to sk180437.

PRJ-44436,
PMTR-89908

ClusterXL

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

PRJ-44952,
PRHF-28082

IPS

UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.

PRJ-35986,
PMTR-69155

SSL Inspection

UPDATE: Major performance improvement in HTTPS Inspection of TLS 1.3.

PRJ-45462,
PRJ-46431,
ODU-890,
ODU-898

Threat Prevention

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-46941,
TPP-3290

Threat Prevention

UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses.

PRJ-45472,
ODU-827

CPView

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

PRJ-45465,
ODU-835

CPView

UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-46916,
PMTR-80877

VPN

UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL.

PRJ-47226,
PMTR-92606

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427.

PRJ-47512,
PMTR-93037

GaiaOS

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

  • To see the current state of this feature: show audit login-notifier

  • To enable this feature (this is the default): set audit login-notifier on

  • To disable this feature: set audit login-notifier off

PRJ-44761,
PRHF-27893

Gaia OS

UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined.

PRJ-32167,
MBS-14572

Scalable Platforms

UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).

PRJ-45907,
ODU-946

Scalable Platforms

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-44907,
PMTR-89393

Scalable Platforms

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

PRJ-44901,
PMTR-85311

Scalable Platforms

UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log.

PRJ-45388,
ODU-914

HCP

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-41328,
PRHF-25274

Security Management

If the Security Management Server is behind NAT, remote Management API login fails.

PRJ-43559,
PRHF-26971,
PRJ-45050,
PRHF-27847,
PRJ-42548,
PRHF-26016

Security Management

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

PRJ-45158,
PRHF-28175

Security Management

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

PRJ-45487,
PRHF-21566

Security Management

In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation".

PRJ-42039,
PRHF-25898

Security Management

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

PRJ-43568,
PRHF-27059

Security Management

After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail.

PRJ-42422,
PRHF-26275

Security Management

In some scenarios, an upgrade may fail when a Network object Group contains more than 32000 members.

PRJ-44085,
PRHF-27440

Security Management

Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514.

PRJ-43186,
PRHF-26778

Security Management

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

PRJ-42552,
PRHF-26118

Security Management

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

PRJ-45873,
PRHF-28640

Security Management

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

PRJ-43811,
PRHF-27187

Security Management

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

PRJ-42620,
PRHF-26287

Security Management

When using the "Deployment from Local Paths and URLs" option, and inserting a correct path, the client is being deployed through the Management Server and not Locally as it should be deployed.

PRJ-35494,
PRHF-21009

Security Management

The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted.

PRJ-43916,
PMTR-83586

Security Management

In the Object Explorer window in SmartConsole, the IP address column is sorted alphabetically, although it should be sorted in numerical order.

PRJ-40128,
PRHF-24236

Security Management

When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes.

PRJ-46629,
PMTR-92240

Security Management

In the Infinity Services view, the Log Sharing status may not be correct.

PRJ-44595,
PMTR-89845

Security Management

When adding/setting an access rule, setting certain fields to "Any" or "None" may fail because of case sensitivity.

PRJ-44591,
PMTR-89373

Security Management

The "show object" command fails when running it on nat-section objects. It returns a "null pointer exception" message, which occurs in calculations related to the overview objects meta-info.

PRJ-44593,
PMTR-89770

Security Management

In some scenarios, running the "delete-exception-group" Management API command fails if the exception group is automatically attached.

PRJ-43266,
PRHF-26404

Security Management

When creating several LSM objects (Security Gateways or clusters) via both Management API and SmartConsole, the LSM objects IP addresses may be duplicated.

PRJ-46131,
PMTR-71041

Security Management

A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway.

PRJ-35765,
PRHF-22024

Security Management

In some scenarios, the "show-packages" Management API command may return empty results when using the "domains-to-process" flag.

PRJ-45877,
PRHF-28654

Security Management

If an empty Network Group is linked in the source or destination fields of an Access Rule, policy verification may not generate an error. Instead, it may treat the empty group as if there was an "Any" object.

PRJ-44896,
PRHF-27875

Security Management

Policy installation gets stuck if the known proxy group contains the policy target.

PRJ-46398,
PRJ-46407,
PRHF-28962

Security Management

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-44995,
PRHF-27895

Security Management

In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out.

PRJ-45654,
PRHF-28407

Security Management

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

PRJ-39775,
PRHF-24049

Security Management

Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command.

PRJ-45054,
PRHF-27948

Multi-Domain Security Management

In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked.

PRJ-43689,
PRHF-27130

Multi-Domain Security Management

Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain's policy.

PRJ-45060,
PRHF-28094

Multi-Domain Security Management

In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858.

PRJ-46087,
PRHF-28685

Multi-Domain Security Management

A scheduled Install Policy Preset may not have its next run time updated when:

  • The Multi-Domain Security Management Server was down while the preset was scheduled to run

  • There are over 50 presets defined

PRJ-46104,
PRHF-28809

Multi-Domain Security Management

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

PRJ-40738,
PRHF-24558

Multi-Domain Security Management

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

PRJ-44968,
PRHF-28002

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages.

PRJ-45068,
PRJ-46162,
PRHF-28192,
PRHF-28143

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-46509,
PRHF-28930

SmartConsole

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

PRJ-43598,
PRHF-27209

SmartConsole

Typo in the Compliance report - "OSFP" instead of "OSPF".

PRJ-41666,
PRHF-25662

Logging

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

PRJ-39255,
PRHF-23374

Logging

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

PRJ-41594,
PRHF-25533

Logging

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

PRJ-45606,
PMTR-90654

Logging

In some scenarios, in the Logs view, the "Destination" field may be missing. The issue is cosmetic only.

PRJ-46073,
PRHF-28787

Logging

After an upgrade of the Security Management Server, the "cp_log_export show" command may return the "found an ambiguous value" error in the "export_log_position" field.

PRJ-45417,
PRHF-28191

Logging

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

PRJ-41281,
PRHF-14263

Logging

In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached.

PRJ-38480,
SL-6728

Logging

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

PRJ-46053,
PRHF-28455

Security Gateway

The Security Gateway may crash while inspecting non-HTTP traffic.

PRJ-46340,
PRHF-28674

Security Gateway

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

PRJ-46334,
PRHF-28842

Security Gateway

The Security Gateway may crash after a failure in policy installation.

PRJ-45496,
PRHF-28324

Security Gateway

On the Security Gateway with Management Data Plane Separation (MDPS) enabled:

  • when adding a RADIUS Server from WebUI, a new MDPS task with the IP address of the Server may not be added,

  • when deleting a RADIUS Server, the MDPS task may not be deleted.

PRJ-44937,
PMTR-86007

Security Gateway

When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur.

PRJ-38111,
PRHF-22608

Security Gateway

In some scenarios, the Security Gateway may crash.

PRJ-45803,
PRHF-28559

Security Gateway

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

PRJ-42530,
PRHF-25233

Security Gateway

In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart.

PRJ-44855,
PRHF-27465

Security Gateway

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

PRJ-45483,
PRHF-27892

Security Gateway

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

PRJ-47123,
PRHF-29292

Security Gateway

In some scenarios, after an upgrade, the FWD process may unexpectedly exit.

PRJ-43856,
PMTR-83014

Security Gateway

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

PRJ-44407,
PMTR-90258

Security Gateway

Global tables (ghtab) may not be synchronized between members, this can lead to instability of traffic.

PRJ-47148,
PMTR-92710

Security Gateway

Enlarging MTU may cause even small packets to be allocated as Jumbo frames. This will impact the performance of SNDs CPUs.

PRJ-46113,
PRHF-28489

Security Gateway

In rare scenarios, the Security Gateway may drop the traffic after "Rulebase Internal Error" which occurs during policy installation.

PRJ-33812,
PRHF-12636

Security Gateway

The FWK process may unexpectedly exit while processing the mail flow and generate a core dump.

PRJ-45955,
PMTR-83450

Security Gateway

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

PRJ-41967,
PRHF-25829

Security Gateway

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

PRJ-44311,
PRHF-27439

Security Gateway

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

PRJ-46687,
PMTR-91240

Security Gateway

When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops.

PRJ-46138,
PRHF-28806

Security Gateway

The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032.

PRJ-45478,
PRHF-28350

Security Gateway

Security Gateway may crash when running kernel debugs of the "UP" module.

PRJ-44251,
PRHF-27426

Security Gateway

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

PRJ-45000,
PRHF-27844

Security Gateway

In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped.

PRJ-44977,
PRHF-27997

Security Gateway

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

PRJ-45186,
PMTR-90969

Security Gateway

Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705.

PRJ-42358,
PMTR-88174

Security Gateway

Latency in connection caused by a packet flow change from F2V to F2F.

PRJ-45397,
PRHF-28037

Security Gateway

Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801.

PRJ-45449,
PRHF-28277

Security Gateway

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

PRJ-44752,
PRHF-27707

Security Gateway

Policy installation may fail with "Error 2000240" because of an IPv6 flow issue.

PRJ-41776,
PRHF-25573

Threat Prevention

IoC feed may not load, and the "Feed status cybercrime-tracker_hash_list :: engine memory allocation error. Feed log External IoC - External Indicators processing failed" error is displayed in CLI.

PRJ-42147,
PRHF-26013

Threat Prevention

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

PRJ-44570,
PRHF-27749

Threat Prevention

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed ".

PRJ-44151,
PMTR-89916

Threat Prevention

In a rare scenario, policy installation may fail because of IoC observables overrides.

PRJ-44551,

PRHF-27765

Threat Prevention

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

PRJ-45562,
PRHF-21271

Threat Prevention

In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail.

PRJ-44200,

PMTR-89130

Threat Prevention

When IPS Blade is enabled, the Security Gateway may crash.

PRJ-39347,
PRHF-23473

Identity Awareness

There may be connectivity issues and high CPU spikes on PDP when installing policy.

PRJ-44316,
PRHF-27270

Content Awareness

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

PRJ-45428,
PRHF-28304

Application Control

Some TLS1.3 applications without SNI do not match the rules.

PRJ-47064,
PMTR-92599

Application Control

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

PRJ-29401,
PRHF-15953

Anti-Virus

The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries.

PRJ-46605,
PRHF-28851

Anti-Virus

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

PRJ-44664,
PMTR-90550

Anti-Virus

Anti-Virus Blade may bypass inspection of URLs with sub-domain portion.

PRJ-46279,
PRHF-28749

Anti-Virus

Importing a custom intelligence feed containing IP ranges may fail.

PRJ-47264,
PMTR-91800

SSL Inspection

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

PRJ-45657,
PRHF-28404

SSL Inspection

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

PRJ-45099

Mobile Access

SSL Network Extender (SNX) may randomly disconnect after an upgrade. Refer to sk173765.

PRJ-46402,
PRHF-28925

Mobile Access

Sending emails with attachments via Capsule Workspace may fail on iOS.

PRJ-45194,
PRHF-28182

Mobile Access

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

PRJ-46505,
PRHF-28936

ClusterXL

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

PRJ-41307,
PRHF-25160

ClusterXL

When interfaces disconnect/connect on both members at the same time, it may cause a failover.

PRJ-42771,
MBS-15783

ClusterXL

Asymmetric UDP traffic may be dropped with "First Packet isn´t Syn".

PRJ-45349,

PRHF-28275

ClusterXL

After an upgrade, cluster members may frequently crash, causing instability in the environment.

PRJ-44455,
PRHF-27561

ClusterXL

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

PRJ-44352,
PMTR-91017

ClusterXL

A VRRP cluster member may be stuck in boot after a cluster upgrade.

PRJ-45300,
PRHF-27633

SecureXL

When running tcpdump on the Multi-Domain Security Server, an "error /bin/cp-tcpdump.sh: line 11: sxlmode: command not found" message is shown. The issue is cosmetic only.

PRJ-44874,
PRHF-27540

SecureXL

Traffic may be dropped and the FWACCEL core file is generated.

PRJ-45833,
PMTR-82733

Routing

The ROUTED daemon may unexpectedly exit because of multi-threading issues.

PRJ-41963,
MBS-16158

Routing

Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear.

PRJ-46358,
PMTR-73657

Routing

Routes marked as "stale" may be redistributed via BGP during graceful restart.

PRJ-45260,
PMTR-81608

Routing

When configuring OSPFv2 graceful restart on ClusterXL, the cluster may get stuck in EXSTART / 2WAY state.

PRJ-46095,
ROUT-1702

Routing

BGP state gets stuck in Idle state when using BGP ping to one of the peers.

PRJ-46132,
ROUT-2838

Routing

When two interfaces with the same local address are configured, BGP may use an incorrect interface to reach a peer.

PRJ-46128,
ROUT-2801

Routing

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

PRJ-41960,
MBS-16159

Routing

In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group.

PRJ-41798,
PMTR-87520

Routing

Configuring OSPFv2 Graceful Restart and passive OSPF interfaces at the same time can cause graceful restart failures.

PRJ-44924,
PMTR-90799

Routing

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

PRJ-45379,
PRHF-26701

Routing

A VRRP/VRRP6 interface may go into Master/Master state.

PRJ-44705,
PRHF-27225

Routing

Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table.

PRJ-44709,
PRHF-27240

Routing

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

PRJ-45468,

PRHF-28353

VPN

StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method.

PRJ-44829,
PRHF-27569,

PRJ-44991,
PRHF-28061,

PRJ-46302,

PRHF-28849

VPN

  • Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

  • OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

  • Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

PRJ-44218,
PRHF-27548

VPN

The "vpn/ike debug ikeon/ikefail" commands may fail when used with the "-s" flag.

PRJ-45919,
PRHF-28589

VPN

The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation.

PRJ-44089,
PRHF-27224

VSX

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

PRJ-45401,
PRHF-28365

VSX

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

PRJ-41970,
PRHF-25866

VSX

Increasing the MTU value of a bonded tagged interface may not be possible. Refer to sk179984.

PRJ-44745,
PMTR-90616

VSX

Virtual System's interfaces may be missing when running the Clish command "show/save configuration".

PRJ-45005,
PRHF-28080

VSX

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

PRJ-45145,
PRHF-28154

VSX

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

PRJ-45863,
PMTR-91668

Gaia OS

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

PRJ-29906,
PMTR-72562

Gaia OS

It may be not possible to enter a snapshot description with more than one word.

PRJ-33093,
PMTR-72381

Gaia OS

In some scenarios, the output of the "show configuration"/"snapshot-scheduled" command may contain corrupted text.

PRJ-28434,
PRHF-18469

Gaia OS

Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment.

PRJ-42779,
PRHF-26416

Gaia OS

Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection".

PRJ-41909,
PRHF-25737

Gaia OS

Gaia WebUI logs are printed with "info" severity.

PRJ-44370,
PRHF-27627

Gaia OS

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

PRJ-46285,
EPS-51347

Harmony Endpoint

Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device.

PRJ-46947,
PRHF-29014

Harmony Endpoint

KAV updater on the Server may fail to receive updates when proxy is used.

PRJ-45540,
PRHF-27987

CloudGuard Network

AWS Data Center mapping fails when an interface subnet is missing from the list of subnets.

PRJ-32399,
PRHF-19493

VoIP

After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

PRJ-46475,
PMTR-90803

VoIP

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

PRJ-42263,
ACCHA-2021

Scalable Platforms

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

PRJ-42617,
PMTR-76837

Scalable Platforms

The FW process may unexpectedly exit, producing a core dump file.

PRJ-32730,
PMTR-72467

Scalable Platforms

When there is a connectivity issue in the cluster, OSPF packets may be sent with delays and cause an outage.

PRJ-44528,
PMTR-78822

Scalable Platforms

License is not copied from SMO to all other members if other members are in Down state.

PRJ-36345,
PMTR-78466

Scalable Platforms

Redundant reboot occurs after installing R81/R81.10 Jumbo Hotfix Accumulator for the first time after a major version installation/upgrade. Refer to sk177765.

PRJ-44587,
PRJ-44548

Scalable Platforms

The "orch_info" command may freeze, when running it on Maestro Orchestrator.

PRJ-41249,
PMTR-70296

Scalable Platforms

Trying to power off the MHO in CLI may lead to a reboot.

PRJ-45480,
PMTR-91555

Scalable Platforms

Querying the HW status via SNMP (OIDs .1.3.6.1.4.1.2620.1.6.7.*) or via the "cpstat os -f sensors" command may fail on Maestro Orchestrator.

PRJ-45301,
PRHF-28238

Scalable Platforms

In rare scenarios, the Single Management Object (SMO) may go to Down state after clicking a packet capture link in the IPS log in SmartConsole.

PRJ-42785,
PMTR-82764

Scalable Platforms

Members may stay in Down state after reboot/Jumbo Hotfix installation with pull_config pnote when pulling registry from SMO: "Pull registry failed" error in the $FWDIR/log/Blade_config log file.

PRJ-43815,
PMTR-89604

Scalable Platforms

CPUSE may suggest to install Maestro incompatible packages.

PRJ-46968

Scalable Platforms

On Maestro, when MDPS (Management Data Plane Separation) is enabled, and the license corresponds to an IP address different from the management interface's IP address (such as the sync IP), policy installation may fail because of a license mismatch.

PRJ-47053,
PMTR-92636

Scalable Platforms

MHO reports logs may not be rotated.

PRJ-44287,
PMTR-88429

Scalable Platforms

The "set/show trace" command may fail in gClish.

PRJ-45885,
PMTR-90935

Scalable Platforms

In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System.

PRJ-46645,
PRHF-28694

Carrier Security

Incorrect parsing of GTP-U traffic may cause anti-spoofing drops.

PRJ-43224,
CST-316

Carrier Security

Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507.

PRJ-43220,
CST-312

Carrier Security

Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506.

PRJ-46676,
PRJ-46682,
PRHF-29045,
PRHF-28963,

PRJ-46679,
PRHF-28973

Carrier Security

After an upgrade, GTP traffic and memory issues may occur.

PRJ-46673,
PRHF-28770

Carrier Security

Packet corruption, leading to traffic and performance issues.

PRJ-44602,
PMTR-86732

Carrier Security

Stack buffer overflow may occur in the FWGTP process.