R81.10 Jumbo Hotfix Take 131

NEW: Added ability to R81.10 Security Management Server and Multi-Domain Management Server to manage 19000 and 29000 Check Point appliances.

• Requires installing R81.10 SmartConsole Build 420 (or higher).

UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository.

UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302.

UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds.

UPDATE: It is now possible to add exceptions to external IoC feeds.

UPDATE: Optimized memory consumption of Identity Broker in the synchronization flow.

UPDATE: SSL Network Extender was updated to version 80008407.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:

• CPAC-2-40F

• CPAC-2-40F-B

• CPAC-2-40F-C

• CPAC-2-100/25F

• CPAC-2-100/25F-B

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

UPDATE: Added the "namespace" label to pods in Kubernetes Data Center.

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

Login using the API fails if the Security Management Server has multiple IP addresses and they are not defined on the Management Server object in SmartConsole.

An audit log may not be created after running Revert to Revision.

The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626.

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util.

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report.

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

Application Control and IPS updates may take a long time.

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects.

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

When using the "cpstop" command on the Security Gateway, the fw_full core may be generated.

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

In rare scenarios, the WSDNSD process may restart because of an internal error.

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

In some scenarios, when IPS is enabled, CPU spikes may occur.

VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481.

The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied.

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

When configuring ioc feeds from the management:

• The "no_ssl_validation" variable may be deleted after the policy installation.

• Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

An outage may occur when an unsupported SSH cipher is selected.

In a rare scenario, changes in Threat Prevention Custom Intelligence feeds settings may not be applied after policy installation.

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417).

Policy installation fails when a custom application and user category have the same name.

In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured.

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

A FWK process memory leak may occur when canceling the download of a large file in the middle of the process.

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

In some scenarios, it may not be possible to connect to the Security Gateway cluster members when User Mode (UPPAK) is enabled.

Latency may occur when packets accelerated by LightSpeed go through connections with a lower than 100K PPS rate.

In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch.

In some scenarios, the VSX Security Gateway may crash when sending VPN encrypted traffic through a Virtual Router/Switch.

The port beacon feature also known as interface discovery or port blinking may not work correctly in User Mode (UPPAK).

In some scenarios (when there are more than 64000 connections), the Security Gateway accounting information may not be reported correctly on connections that are accelerated through the Quantum LightSpeed hardware.

Syn Defender may not correctly handle reused connections.

If the Security Gateway is in UPPAK mode and a PBR rule directs traffic to a Server on a different subnet, deleting the ARP entry for the Gateway on the Server can disrupt the traffic flow.

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

Back connection does not function on the Statically NATed Office Mode address as expected.

The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857.

VPN connectivity may be unstable when IPv6 and VPN star communities are configured.

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

Virtual System context may not be handled correctly by CPView, for example, the same interfaces may be listed on all virtual systems.

A memory leak may occur in the CPD process.

The SNMPD process memory consumption may be high, which causes the process to become unresponsive.

E2 engine may send an incorrect value of datDate in sync request.

Due to a synchronization issue between the Policy Server and Primary Server, the Endpoint clients may be connected to the Primary Server instead of the Policy Server.

After an upgrade, Azure Gov mapping may fail.

On a Security Group with MDPS enabled:

• The "asg perf" command on a Security Group does not show any output - the Gaia OS prompt appears immediately after entering the command and pressing the Enter key.

• When running the "mac_verifier" and other commands on a Security Group, the output may show the error message "mount of /sys failed: device or resource busy".

• The "distutil verify -v" command on a Security Group returns "verification failed".

After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane.

See sk182076.

In a Maestro environment, LACP bond subordinates may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and subordinates is significantly high.

Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data.

When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only.

Additional reboot is performed when adding a new member to a Security Group with image clone enabled.

The Security Gateway may lose connectivity to Maestro Hyperscale Orchestrator (MHO) when running the "tcpdump -i any" command.

Reboot may take a long time.