R81.10 Jumbo Hotfix Take 131

NEW: Added ability to R81.10 Security Management Server and Multi-Domain Management Server to manage 19000 and 29000 Check Point appliances.

• Requires installing R81.10 SmartConsole Build 420 (or higher).

UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository.

UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302.

UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds.

UPDATE: It is now possible to add exceptions to external IoC feeds.

UPDATE: Optimized memory consumption of Identity Broker in the synchronization flow.

UPDATE: SSL Network Extender was updated to version 80008407.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:

• CPAC-2-40F

• CPAC-2-40F-B

• CPAC-2-40F-C

• CPAC-2-100/25F

• CPAC-2-100/25F-B

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

UPDATE: Added the "namespace" label to pods in Kubernetes Data Center.

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

Login using the API fails if the Security Management Server has multiple IP addresses and they are not defined on the Management Server object in SmartConsole.

An audit log may not be created after running Revert to Revision.

The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626.

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util.

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report.

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

Application Control and IPS updates may take a long time.

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects.

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

When using the "cpstop" command on the Security Gateway, the fw_full core may be generated.

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

In rare scenarios, the WSDNSD process may restart because of an internal error.

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

In some scenarios, when IPS is enabled, CPU spikes may occur.

VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481.

The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied.

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

When configuring ioc feeds from the management:

• The "no_ssl_validation" variable may be deleted after the policy installation.

• Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

An outage may occur when an unsupported SSH cipher is selected.

In a rare scenario, changes in Threat Prevention Custom Intelligence feeds settings may not be applied after policy installation.

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417).

Policy installation fails when a custom application and user category have the same name.

In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured.

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

A FWK process memory leak may occur when canceling the download of a large file in the middle of the process.

When working in User Mode (UPPAK), after a reboot, SSH connection to the Standby member may be interrupted because of an ARP failure.

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

In some scenarios, the link state of uplink ports may be "Down".

Appliances with LightSpeed acceleration enabled may experience cluster failovers, even when the CPUs are not fully utilized (for example, at 30%) and the traffic load is low (as little as 1 GB).

When modifying the MTU of a master bond interface with LightSpeed subordinate interfaces, it may not be set correctly on the bond itself, although applied correctly on the LightSpeed subordinate interfaces.

Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces.

In some scenarios, when adding warp interfaces to a Virtual Router or Virtual Switch, the VSX Security Gateway may not properly insert these interfaces into the SecureXL accelerated interfaces list.

After policy installation, Application Based Routing configuration may be lost, and CLI commands are not shown in the configuration summary.

The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios.

When one of the multiple PIM neighbors goes down on the LAN, there may be outages in multicast traffic.

IKEv2 tunnels may not synchronize during a Multi-Version Cluster (MVC) upgrade from R80.40, leading to a VPN outage during an upgrade.

When SCV is enabled, Capsule Connect/ Capsule VPN clients may fail to access internal resources.

The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication.

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router.

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

In some scenarios, the VXLAN Driver Kernel may crash.

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers.

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash.

In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash.

• If member ID 1 is removed and then re-added to the Security Group on the active site, while there are two or more active members, it may result in a matrix mismatch. This can potentially lead to traffic interruption until member ID 1 becomes active again.

• Similarly, installing Jumbo Hotfix Accumulator when member 1 is absent may result in the same behavior and Jumbo Hotfix Accumulator installation may be blocked.

If multiple Quantum LightSpeed interfaces are added or removed on a bond interface before rebooting the Security Gateway, traffic may not go through.

Connectivity issues may occur in a Maestro Security Group when VLAN encapsulation is disabled on Orchestrators in a Maestro Dual Site environment. Refer to sk181385.

Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file.

In a Maestro Orchestrator environment, the "orch_stat -p" command may bring the "invalid literal for int() with base 10" error message.