R81.10 Jumbo Hotfix Take 14

UPDATE: Added new flags for Management API commands "add/set simple-gateway" and "add/set simple-cluster":

• "nat-hide-internal-interfaces" and "nat-settings" for NAT configuration
• "fetch-policy" for Fetch Policy configuration
• "advanced-settings.sam" for SAM configuration
• "advanced-settings.connection-persistence" for Connection Persistence configuration.

Network objects groups with more than 101 members may not be enforced correctly on the Security Gateway. The Security Gateway will only match 101 members of the group. Refer to sk176065.

In a rare scenario, High Availability full synchronization may fail due to a large number of records.

In some scenarios, publish operation fails with the "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703.

In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain.

In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error.

In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes.

If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.

• Requires R81.10 SmartConsole Build 402 (or higher).

In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.

In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" message. Refer to sk174645.

In rare scenarios, High Availability incremental synchronization may fail with a wrong status message.

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

In rare scenarios, when installing a policy immediately after publishing a session, the installation is not accelerated.

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866.

In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error.

After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message.

High Availability synchronization status in the Global Domain may show "Unknown" for some Multi-Domain Log Modules (MLM) in environments with more than 6 MDS's/MLM's.

Added enhancements for Task Manager and policy installation. Refer to Take 48 in sk170314.

UPDATE: In SmartView, new MITRE ATT&CK techniques were added to the heatmap view.

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority.

On a Management Server, with SmartEvent enabled and many networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239.

UPDATE: The default value for the kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560.

Improved the handling of a large number of sessions per single HTTP/S connection.

In some scenarios, NATed VPN traffic may be routed out through the wrong interface. Refer to sk176785.

In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.

In some scenarios, the WSDNSD process may unexpectedly exit and create a core file. Refer to sk173627.

In some scenarios, the CPD process may consume a high CPU because of the memory leak in FDT (File Download Tool).

Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.

In some scenarios, the ROUTED process may unexpectedly exit.

In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188.

In a rare scenario, CPView may show incorrect SecureXL statistics per VS.

Capsule Workspace end users may fail to authenticate to their Exchange mail Server via Mobile Access SSO when authenticated with Kerberos, and the end users belong to many user groups or user groups with very long names.

In some scenarios, policy installation may take longer or fail when GEO Updatable Objects are used in the policy.

Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log.

In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs.

In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed.

Improved telemetry for Infinity Vision SOC.

NEW: Added automatic mechanism to exclude service accounts on PDP Gateway to improve both PDP performance and functionality. The default threshold value for Identity Collector Service Accounts exclusion is 100. Refer to sk174266.

When using sk167118, the user may fail to authenticate if the "Ask user for password" checkbox is enabled.

In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105.

UPDATE: Improved matching of URLs for custom applications.

Proxy source IP address is not printed in the IPS logs.

In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open.

In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588.

Improved the handling of decoded HTTP/S traffic.

In some scenarios, a memory leak may occur when creating ECDHE keys.

A memory leak, related to TLS probing, may occur in the WSTLSD process.

In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.

In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client.

In some scenarios, a memory leak may occur in the CVPND process.

Scalable Platform Gateway may drop traffic as "Out of State" when static NAT is configured for the destination IP Address. Refer to sk174234.

TCP packets may be dropped as "TCP out of state" although following sk11088.

In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly.

The ROUTED process may unexpectedly exit.

In some scenarios, when BootP is configured, during policy installation, the Security Gateway may become unresponsive and the ROUTED process may crash.

NEW: Added StrongSwan clients counter to the VPN TU Tool.

When StrongSwan client connecting with a RADIUS user, it may not receive an Office Mode IP address.

A memory leak may occur in the VPND process.

In some scenarios, Server connections to Remote Access L2TP clients may be unstable.

Added IKEv2 improvement for DAIP peer.

In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation.

A memory leak may occur in the VPND process in IKEv2 Site to Site VPN.

In a rare scenario, a memory leak may occur in the IKED process.

In some scenarios, a memory leak may occur in the VPND process.

A memory leak may occur in the VPND process.

In a rare scenario, the "asg perf" command may take up to 90 seconds to update the data. The information may differ from CPView results.

UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes.

After 248 days of up time, the VMSS Gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413.

Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703.

The Link Layer Discovery Protocol (LLDP) sends the hostname with a dot when the Domain name is empty.

In some scenarios, a query which counts host_ckp objects may return more results than expected. It leads to a memory leak with the "Out Of Memory" error.

UPDATE: In SmartEndpoint, besides FDE Remote Help, Bitlocker Management Recovery is now available for administrators with limited rights.

NEW: In Amazon Web Services (AWS):

• Added Load Balancers tags. The tags can now be viewed in SmartConsole and added to the rulebase.
• Added support for IMDSv2

To enable the feature:

1. Edit the $FWDIR/conf/vsec.conf file on the Management Server and add the line: aws.enableLoadBalancersTags=true

2. From SSH run: vsec stop;vsec start

Note: This feature requires adding DescribeTags and DescribeLoadBalancers permissions to the AWS Data Centers accounts.

NEW: In Azure:

• Added Application Security Groups
• Added Private Endpoints

To enable the feature:

1. Edit the $FWDIR/conf/vsec.conf file on the Management Server and add the line: azure.enableAsgAndPep=true

2. From SSH run: vsec stop;vsec start

Note: This feature requires adding permissions to list Application Security Groups and Private Endpoints.

NEW: In AWS, Azure and Google Cloud Platform (GCP):

Added support for API calls with HTTP response with reason-code only (without reason-phrase).

In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds.

UPDATE: Added support for Maestro Hyperscale Orchestrator MHO-175.

The outage may occur when configuring OSPF over VPN/VTI interface because of missing cluster IP address for VPN/VTI interface.

In a rare scenario, a memory leak that requires constant reboots may occur.

When rebooting a member from the standby site, it may send GARP when booting and cause a connectivity issue. Refer to sk176523.

After adding a new user via WebUI, asg_diag may fail on configuration test (config_verify -v) due to inconsistent value in the database. The issue is only cosmetic.