R81.10 Jumbo Hotfix Take 141

NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol.

This ability is enabled by default.

• To disable this ability, run: "fw ctl set int appi_drop_packet_enabled 0".

• To enable this ability, run: "fw ctl set int appi_drop_packet_enabled 1".

UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877.

UPDATE: Added an ability to configure objects for the HTTPS Inspection CA using labels.

• There are now handle-based and label-based configurations.

• Hardware Security Module in High Availability mode (HSM HA) now supports only the label-based configuration.

UPDATE: Fixed CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

UPDATE: Added an option in ICAP Server for logging benign files scanned by the Anti-Virus Blade. By default, logging for benign files is disabled. To enable it, add the following entry to the ICAP Server configuration file: "LogBenign on".

UPDATE: Implemented monitoring functionality and alerts for tracking the expiration date of Identity Broker certificates.

UPDATE: When a Gaia OS Server has a Cloning Group feature enabled, it now accepts other Gaia OS Servers that join this Cloning Group over TLS1.2 or higher (over the TCP port 1129).

UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region.

UPDATE: New features and improvements are released in Take 97 through self-updatable package. Refer to sk170314.

UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056.

UPDATE: Added Take 31 and Take 33 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected.

The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks.

Deleting a Domain may fail when using the createDomainRecovery.sh script.

If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report.

High Availability synchronization runs after every scheduled Application Control update, even if the Application Control is up to date.

Login to SmartConsole may fail while the Compliance Blade is running a full scan.

When the value of the "asm_ips_cci" property is updated manually to a number higher than 500,000:

• login to the Security Management Server fails due to timeout

• the FWM process may consistently consume 100% CPU.

In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption".

SmartConsole may unexpectedly close after deleting an object in the Object Explorer view.

In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time.

The Change Report generated before publishing a session, may contain internal system changes that were made by the user.

In Multi-Domain Security Management environments with over two hundred administrators, Domain creation may fail with "Timeout expired while waiting for permissions calculation".

Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6.

CPU statistics may be incorrect or missing in CPView.

Offload may fail in CPView with "ERROR! Reason not initialized".

In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds".

In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field.

Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only.

In rare cases, the LOG_EXPORTER process exits and the CPWD process does not start it because of the "exit_code 0" error.

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

In rare scenarios, updating the NTP Server may cause a temporary outage.

Enabling MDPS fails with the "clish: symbol lookup error: /usr/lib/cli/lib/libcli_mdps.so: undefined symbol: cp_is_usim" error.

The CPVIEW_API_SERVICE process may exit with a timeout.

Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object.

In a rare scenario, because of a memory allocation issue, the Security Gateway may crash and reboot.

When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:

• A DNS query to any ISP returns IP addresses of all three, although it should return only the active ISP.

• When one ISP is down, the faulty ISP is also returned instead of the newly active.

The ICAP Server may fail to initialize.

When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries.

Security Gateway does not pass traffic through an external interface when it is managed by Smart-1 Cloud, and SecureXL works in User Mode (UPPAK) mode. Refer to sk182016.

Multiple "fw_fna_hold_prepare: creating table" entries may be printed in /var/log/messages. The issue is cosmetic only.

When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems.

System with a large number of CPUs allocated to CoreXL SND may experience performance issues when the deny list feature is enabled.

When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access.

In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged.

Anti-Spoofing drops packets that arrive at a Security Gateway through interfaces with Topology "External" if there are routes configured for internal interfaces that overlap with routes configured for external interfaces. Refer to sk181768.

Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types.

There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade.

The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds.

The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile.

Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM).

In some scenarios, the FWK process may unexpectedly exit, during installation of HTTPS Inspection policy on the Security Gateway.

In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem".

The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster.

The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway.

CPView shows SecureXL drops incorrectly as "0" (zero).

The VSX Security Gateway can sometimes fail to add warp interfaces to the SecureXL accelerated interfaces list when including them in a Virtual Router or Virtual Switch.

In networks where multicast groups are manually configured through IGMP if only one membership report is received for a specific <S,G> pair and no further reports follow, it may cause outages.

Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated.

ROUTED process assert failure may take place when LSA from a neighbor's retransmission list is freed if that LSA belongs to the max age hold tree that is flooded at max age.

The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected.

When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed.

Establishing an IKEv2 tunnel with Cross AZ Cluster may fail.

High CPU usage on SND cores when many interfaces are configured. Refer to sk181860.

SNMP query does not bring the CPUSE package information for a single OID (not a table).

Clish may deny access of a non-local RADIUS user.

The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option.

When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration.

In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail.

When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525.

If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues.

Querying SP Interface Data via SNMP may intermittently fail.

When creating a Security Group creation in Maestro Orchestrator WebUI, and the password contains the "(" "&" or ";"characters, the operation fails with "Failed to apply new topology" or with "Gaia Web-UI recognized a non-valid input data".