R81.10 Jumbo Hotfix Take 141
Note - This Take contains all fixes from all earlier Takes.
ID | Product | Description
Take 141 Released on 15 April 2024
New Functionality
PRJ-53676, PRJ-52484 |
Security Management |
NEW: Added the ability for the R81.10 Security Management Server and Multi-Domain Management Server to manage Quantum Force 9800 / 9700 / 9400 / 9300 / 9200 / 9100 Appliances that run R81.20 Security Gateways. Refer to sk181698. |
PRJ-49826, |
Application Control |
NEW: Added the ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop specific BACnet protocol commands while allowing the other commands. This ability is enabled by default. |
PRJ-50988, |
VPN |
NEW: Added ability to track RAM usage of the VPND process using the "cpstat" command in CLI. Refer to sk181815. |
Improvements and Resolved Issues
PRJ-48779, |
Security Management |
UPDATE: Added validation of the new permissions required to configure a script that runs on the Security Gateway (Gateway object > Logs Alerts/Storage > Run the following script before deleting old files). |
PRJ-49173, |
Security Management |
UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877. |
PRJ-51124, |
Security Gateway |
UPDATE: Added the ability to increase the instance processing queue size by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921. |
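A kernel parameter set with "fw ctl set int" only changes the running kernel and is lost on reboot; to survive a reboot it must also be written to $FWDIR/boot/modules/fwkern.conf as a name=value line. The helper below is an added example (not part of the release notes and not Check Point's own tooling) that makes the persisted entry idempotent, so repeated runs do not leave duplicate lines, and applies the live value only when the "fw" binary is present. It assumes the fwkern.conf format described above; the supported procedure for this parameter is the one in sk181921.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumptions: kernel parameters persist in
# $FWDIR/boot/modules/fwkern.conf as "name=value" lines, and "fw ctl set int"
# changes the live value. The queue size used below (4000) is an illustration.

# set_kernel_param FILE NAME VALUE
# Idempotently writes NAME=VALUE to a fwkern.conf-style FILE: any existing line
# for NAME is replaced, otherwise a line is appended. Rejects non-integer values.
set_kernel_param() {
    file=$1; name=$2; value=$3
    case $value in
        ''|*[!0-9]*) echo "value must be a non-negative integer: $value" >&2; return 1 ;;
    esac
    [ -f "$file" ] || : > "$file"
    tmpf=$(mktemp)
    # keep every line except an old setting for NAME (grep -v returns 1 on empty input)
    grep -v "^${name}=" "$file" > "$tmpf" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmpf"
    cat "$tmpf" > "$file"     # overwrite in place so ownership and mode are kept
    rm -f "$tmpf"
}

# get_kernel_param FILE NAME -> prints the persisted value, nothing if absent
get_kernel_param() {
    [ -f "$1" ] || return 0
    sed -n "s/^$2=//p" "$1"
}

# apply_live NAME VALUE -> changes the running kernel value and reads it back;
# skipped on hosts that are not a Check Point gateway (no "fw" binary).
apply_live() {
    if command -v fw >/dev/null 2>&1; then
        fw ctl set int "$1" "$2"
        fw ctl get int "$1"
    else
        echo "fw not found: not a Check Point gateway, live change skipped" >&2
    fi
}

# Typical use on a gateway in Expert mode (FWDIR is set by the Check Point shell
# environment); the value 4000 is only an example, not a recommendation.
#   set_kernel_param "$FWDIR/boot/modules/fwkern.conf" fwmultik_pending_queue_len_limit 4000
#   apply_live fwmultik_pending_queue_len_limit 4000
```

Check the persisted value with get_kernel_param after the change and compare it with the output of "fw ctl get int fwmultik_pending_queue_len_limit"; a mismatch means one of the two steps was skipped.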
PRJ-50740, PRHF-30794 |
Security Gateway |
UPDATE: Added the ability to configure objects for the HTTPS Inspection CA using labels. |
PRJ-50428, PMTR-96484 |
Security Gateway |
UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions. |
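Because the Security Gateway now fetches the CRL from every CRL Distribution Point in the certificate, it is worth knowing which hosts a given certificate will make the gateway reach out to. The snippet below is an added example (not from the release notes and not Check Point code) that lists all CDP URIs of a certificate with OpenSSL, and builds a throwaway self-signed certificate carrying two CDPs to exercise it; the crl1/crl2 host names are constructed and the "-ext" and "-addext" options require OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not Check Point code. Requires OpenSSL 1.1.1+.
# The two CDP host names below are constructed for the demo.

# cdp_uris CERT.pem -> prints every CRL Distribution Point URI, one per line,
# in the order they appear in the certificate extension
cdp_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# cdp_count CERT.pem -> number of CDP URIs (0 if the extension is absent)
cdp_count() {
    n=$(cdp_uris "$1" | grep -c .) || true
    echo "${n:-0}"
}

# make_demo_cert DIR -> writes DIR/cert.pem (and DIR/key.pem): a one-day
# self-signed certificate whose CDP extension lists two distribution points
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cdp-demo" \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -addext "crlDistributionPoints=URI:http://crl1.example.test/a.crl,URI:http://crl2.example.test/b.crl" \
        >/dev/null 2>&1
}

# Typical use against a real certificate the gateway will validate:
#   cdp_uris server.pem
# Every host printed must be reachable from the gateway for CRL retrieval.
```

Run cdp_uris against the certificates of the servers behind HTTPS Inspection or the IKE peers the gateway validates; any CDP host the gateway cannot reach is now a candidate cause for slow or failed validation rather than an ignored entry.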
PRJ-52674, PRHF-32203 |
Security Gateway |
UPDATE: Fixed CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944. |
PRJ-48095, PMTR-77299 |
CPView |
UPDATE: CPView now also shows statistical data for servers with 256 or 512 CPU cores. |
PRJ-50976, |
Threat Extraction |
UPDATE: Added an option in ICAP Server for logging benign files scanned by the Anti-Virus Blade. By default, logging for benign files is disabled. To enable it, add the following entry to the ICAP Server configuration file: "LogBenign on". |
PRJ-50499, |
Identity Awareness |
UPDATE: The identity synchronization from a Policy Decision Point (PDP) to a Smart-Pull Policy Enforcement Point (PEP) client now takes seconds instead of minutes. This is especially beneficial in environments where a single PDP Security Gateway shares identities with multiple PEP Security Gateways. |
PRJ-45911, |
Identity Awareness |
UPDATE: Added monitoring and alerts for the expiration date of Identity Broker certificates. |
PRJ-46625, |
VPN |
UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server. |
PRJ-50914, |
Gaia OS |
UPDATE: When the Cloning Group feature is enabled on a Gaia OS server, it now accepts other Gaia OS servers that join this Cloning Group over TLS 1.2 or higher (on TCP port 1129). |
PRJ-50318, |
CloudGuard Network |
UPDATE: Updated the Jetty open source library from version 9.3.6.v20151106 to 9.4.52.v20230823. |
PRJ-52862, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region. |
PRJ-51249, |
CloudGuard Network |
UPDATE: The AWS Security Group Data Center object name now includes both the name tag and Security Group name, formatted as "ID <Name tag> <Security Group name>". Previously, only the name tag was included, with the format "ID <Name tag>". This change to include the Security Group name can be enabled by adding the setting "aws.supportSearchGroupName=true" in the vsec.conf file. |
PRJ-53585, ODU-1571 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 97 through a self-updatable package. Refer to sk170314. |
PRJ-53540, ODU-1476 |
Automatic Updates - Threat Prevention |
UPDATE: Added Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-52695, ODU-1408 |
Automatic Updates - Smart-1 Cloud |
UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-52866, PRJ-53687, ODU-1595 |
Automatic Updates - HCP |
UPDATE: Added Update 15 and Update 16 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53396, PRJ-53681, ODU-1611, ODU-1563 |
Automatic Updates - CPSDC |
UPDATE: Added Take 31 and Take 33 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-49943, |
Security Management |
In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object. |
PRJ-49943, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-51073, |
Security Management |
Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID. |
PRJ-45022, |
Security Management |
The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected. |
PRJ-50046, |
Security Management |
In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete. |
PRJ-49666, |
Security Management |
The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks. |
PRJ-51595, |
Security Management |
In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822. |
PRJ-51618, |
Security Management |
Deleting a Domain may fail when using the createDomainRecovery.sh script. |
PRJ-52011, |
Security Management |
In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886)". sk178886 describes a different scenario and does not resolve the issue. |
PRJ-52816, |
Security Management |
If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report. |
PRJ-50766, |
Security Management |
In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed. |
PRJ-50592, |
Security Management |
High Availability synchronization runs after every scheduled Application Control update, even if Application Control is already up to date. |
PRJ-50354, |
Security Management |
SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script. |
PRJ-49952, |
Security Management |
Login to SmartConsole may fail while the Compliance Blade is running a full scan. |
PRJ-50404, PRHF-30796 |
Security Management |
In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to the "Install On" column in Threat Prevention policy, no Security Gateway objects appear. |
PRJ-51278, |
Security Management |
When the value of the "asm_ips_cci" property is updated manually to a number higher than 500,000: |
PRJ-50213, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters. |
PRJ-50186, |
Security Management |
In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption". |
PRJ-48915, |
Security Management |
In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397. |
PRJ-49344, |
Security Management |
SmartConsole may unexpectedly close after deleting an object in the Object Explorer view. |
PRJ-51088, |
Security Management |
In some scenarios, the change report sent via email by SmartTasks after publishing appears blank, even though there were modifications in the published session. |
PRJ-51067, |
Security Management |
In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time. |
PRJ-51133, PRHF-30631 |
Security Management |
Installing security policy with a rule that contains the "Internet" object in the destination column may fail with error message "Topology is not defined on the policy "Install On" target <cluster object name>", if the target cluster is marked as "Geo Mode in a Cloud". |
PRJ-50407, PRHF-30754 |
Security Management |
The Change Report generated before publishing a session may contain internal system changes that were made by the user. |
PRJ-50579, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment: |
PRJ-51084, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments with over two hundred administrators, Domain creation may fail with "Timeout expired while waiting for permissions calculation". |
PRJ-46934, |
SmartConsole |
Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status. |
PRJ-51426, |
Web SmartConsole |
Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6. |
PRJ-51664, |
Web SmartConsole |
An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801. |
PRJ-49973, |
CPView |
CPU statistics may be incorrect or missing in CPView. |
PRJ-44497, |
CPView |
In rare scenarios, CPView does not handle VS context correctly. |
PRJ-48002, |
CPView |
Offload may fail in CPView with "ERROR! Reason not initialized". |
PRJ-48805, |
Logging |
Some attributes in SNMP MIB file may not be accessible. |
PRJ-46287, |
Logging |
In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds". |
PRJ-47315, |
Logging |
When the active log file (for example, fw.log on the Security Gateway) is older than two days, the CPLogFilePrint utility does not print the log records correctly. |
PRJ-49389, |
Logging |
In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field. |
PRJ-44686, |
Logging |
When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters. |
PRJ-47983, |
Logging |
Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only. |
PRJ-46206, |
Logging |
The Security Gateway forwards logs to the real IP address of the Management Server instead of its public (NATed) IP address. Refer to sk181609. |
PRJ-49864, |
Logging |
In rare cases, the LOG_EXPORTER process exits and the CPWD process does not start it because of the "exit_code 0" error. |
PRJ-48241, |
Logging |
The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706. |
PRJ-44590, PRHF-26975 |
Logging |
In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331. |
PRJ-48321, |
Security Gateway |
The RAD process may not be ended or interrupted automatically when it runs longer than the specified timeout. |
PRJ-46202, |
Security Gateway |
In rare scenarios, updating the NTP Server may cause a temporary outage. |
PRJ-50139, |
Security Gateway |
Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments. |
PRJ-49806, |
Security Gateway |
Enabling MDPS fails with the "clish: symbol lookup error: /usr/lib/cli/lib/libcli_mdps.so: undefined symbol: cp_is_usim" error. |
PRJ-50602, |
Security Gateway |
In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow. |
PRJ-47956, |
Security Gateway |
The CPVIEW_API_SERVICE process may exit with a timeout. |
PRJ-49116, |
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit when an outgoing connection (a local connection) is initiated from the Security Gateway. |
PRJ-52420, |
Security Gateway |
Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object. |
PRJ-48262, |
Security Gateway |
Notifications of SecureXL connection deletion appear unfiltered in the debug output, even when a debug filter is in use. |
PRJ-50756, |
Security Gateway |
In a rare scenario, because of a memory allocation issue, the Security Gateway may crash and reboot. |
PRJ-47663, |
Security Gateway |
Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages. |
PRJ-51459, |
Security Gateway |
When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode: |
PRJ-52363, |
Security Gateway |
In a VSX environment, the FW_FULL process may exit when running "fw monitor -p all" with the "-v" flag on a specific list of Virtual Systems (VSs) where not all VSs have identical blade configurations enabled. |
PRJ-51608, |
Security Gateway |
The ICAP Server may fail to initialize. |
PRJ-52520, PRHF-31425 |
Security Gateway |
The ICAP Server does not send data for Threat Prevention blade inspection after the TEMAIN process restarts. |
PRJ-47671, PRJ-47667, PRHF-29516, PRHF-29535 |
Security Gateway |
When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries. |
PRJ-51038, PRHF-31146 |
Security Gateway |
The Security Gateway may crash during policy installation. |
PRJ-53084, PMTR-100847 |
Security Gateway |
Security Gateway does not pass traffic through an external interface when it is managed by Smart-1 Cloud, and SecureXL works in User Mode (UPPAK) mode. Refer to sk182016. |
PRJ-50659, |
Security Gateway |
The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address. |
PRJ-50931, |
Security Gateway |
Multiple "fw_fna_hold_prepare: creating table" entries may be printed in /var/log/messages. The issue is cosmetic only. |
PRJ-52563, |
Internal CA |
CRLs may not be recreated after cleaning expired certificates from the ICA database. |
PRJ-43972, |
Threat Prevention |
When URLF and APPI are disabled in VS0 in a VSX setup, automatic updates fail on the other Virtual Systems. |
PRJ-46443, |
Threat Prevention |
Files that undergo emulation when accessed from a corporate location are converted to PDF format. However, when the same files are accessed through a remote VPN client, they do not receive the .pdf file extension. |
PRJ-50051, |
Threat Prevention |
A system with a large number of CPUs allocated to CoreXL SND may experience performance issues when the deny list feature is enabled. |
PRJ-46596, |
Threat Extraction |
The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974. |
PRJ-51334, |
Identity Awareness |
When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access. |
PRJ-49435, |
Identity Awareness |
In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers. |
PRJ-45135, |
Identity Awareness |
In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged. |
PRJ-51422, |
Identity Awareness |
In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network. |
PRJ-52026, |
Application Control |
Anti-Spoofing drops packets that arrive at a Security Gateway through interfaces with Topology "External" if there are routes configured for internal interfaces that overlap with routes configured for external interfaces. Refer to sk181768. |
PRJ-43456, |
Application Control |
When a policy contains a white list, some packets may not match the listed applications. |
PRJ-42480, |
IPS |
Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types. |
PRJ-45283, |
IPS |
"malware_whitelist_domain_tbl error" messages appear in the /var/log/messages file while installing a policy on both cluster members. Refer to sk180614. |
PRJ-50804, |
IPS |
There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages file when activating the IPS Blade. |
PRJ-51182, |
Anti-Virus |
Some file downloads fail with a logged "failure-reject" error because the Anti-Virus Blade classifies documents incorrectly, causing inspection failures. |
PRJ-49570, |
Anti-Virus |
The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds. |
PRJ-50528, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash during inspection of file downloads. |
PRJ-49520, |
Anti-Virus |
The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile. |
PRJ-49297, |
Anti-Virus |
Anti-Virus fails to release held connections after the inspection. |
PRJ-49792, |
SSL Inspection |
Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM). |
PRJ-45150, |
SSL Inspection |
When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end user connects to an HTTP site or a site with an untrusted SSL certificate. However, in some scenarios, the log does not include this text. |
PRJ-52366, |
SSL Inspection |
In some scenarios, the FWK process may unexpectedly exit during installation of the HTTPS Inspection policy on the Security Gateway. |
PRJ-50869, |
ClusterXL |
The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue. |
PRJ-48413, |
ClusterXL |
In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem". |
PRJ-52730, PRHF-32237 |
ClusterXL |
When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status. |
PRJ-51587, |
ClusterXL |
The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster. |
PRJ-51177, |
SecureXL |
The Security Gateway may crash with vmcore during boot while upgrading. |
PRJ-48283, |
SecureXL |
The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway. |
PRJ-50926, |
SecureXL |
When attempting to route packets to unresponsive hosts, the CPU utilization may be high. |
PRJ-33123, |
SecureXL |
CPView shows SecureXL drops incorrectly as "0" (zero). |
PRJ-52801, |
SecureXL |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch. |
PRJ-52798, |
SecureXL |
The VSX Security Gateway can sometimes fail to add warp interfaces to the SecureXL accelerated interfaces list when including them in a Virtual Router or Virtual Switch. |
PRJ-51209, PRHF-31259 |
SecureXL |
In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer. |
PRJ-52733, |
Routing |
In networks where multicast groups are configured manually through IGMP, an outage may occur if only one membership report is received for a specific <S,G> pair and no further reports follow. |
PRJ-52653, |
Routing |
A core dump for the ROUTED process is created while changing the Security Gateway PIM configuration from Bootstrap-Candidate to Candidate-RP using the "set pim" command. |
PRJ-52651, PRJ-52658, PRJ-52655, PRHF-31977, PMTR-78961 |
Routing |
Cluster failover may occur when the ROUTED process unexpectedly exits because of a memory leak, generating a core dump file. |
PRJ-53568, |
Routing |
In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor. |
PRJ-53855, |
Routing |
A ROUTED process assertion failure may occur when an LSA from a neighbor's retransmission list is freed while that LSA belongs to the MaxAge hold tree and is being flooded at MaxAge. |
PRJ-51982, |
Routing |
When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing. |
PRJ-49578, |
Routing |
The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected. |
PRJ-50025, |
Routing |
Traffic may be dropped because routes are sent but not installed in the routing table. The issue is related to IS-IS running on P2P interfaces. |
PRJ-49559, |
VPN |
When using the "fw tab" command to view the IKE_SA_table, the output shows a column with IP addresses that are not meant to be displayed, while the correct IP addresses are not printed. |
PRJ-49217, |
VPN |
Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled. |
PRJ-47952, |
VPN |
Establishing an IKEv2 tunnel with Cross AZ Cluster may fail. |
PRJ-50175, |
VSX |
In some scenarios, installing policy via vsx_util may get stuck. |
PRJ-51346, |
VSX |
High CPU usage on SND cores when many interfaces are configured. Refer to sk181860. |
PRJ-49567, |
VSX |
Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages. |
PRJ-50486, |
Gaia OS |
An SNMP query does not return the CPUSE package information for a single OID (as opposed to a table). |
PRJ-46142, |
Gaia OS |
Taking a snapshot on the Security Management Server fails because of an error while copying the /boot/config/ content. |
PRJ-51219, |
Gaia OS |
Clish may deny access of a non-local RADIUS user. |
PRJ-50508, |
Gaia OS |
There may be some inconsistent syntax in the "comment" section for interface and static-route commands. |
PRJ-48719, |
Gaia OS |
The "show configuration password-controls" command output does not print the "set password-controls deny-on-fail block-admin on" option. |
PRJ-45115, |
Gaia OS |
Lock database override may not work as expected when it is set via an Ansible playbook and another administrator connected over SSH beforehand. |
PRJ-47176, |
Gaia OS |
When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration. |
PRJ-47720, |
Harmony Endpoint |
The Application Scan Push Operation fails to upload an .xml file. Refer to sk181280. |
PRJ-50588, PRHF-30890 |
CloudGuard Network |
In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, changing the Activity status may fail. |
PRJ-46989, |
VoIP |
In some scenarios, SIP TCP connections are dropped after a cluster failover. |
PRJ-47994, |
VoIP |
When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525. |
PRJ-50826, |
Scalable Platforms |
In a rare scenario, file system corruption may lead to a failure identifying the Maestro Orchestrator hardware model during the Maestro Orchestrator OS boot process, causing the boot to fail. |
PRJ-44137, |
Scalable Platforms |
If a dynamic routing (DR) packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues. |
PRJ-52531, PMTR-99841 |
Scalable Platforms |
After dynamic routing manager failure and recovery, connections are dropped with a log message "TCP out of state: First packet isn't SYN". Refer to sk181874. |
PRJ-46063, |
Scalable Platforms |
Querying SP Interface Data via SNMP may intermittently fail. |
PRJ-50737, |
Scalable Platforms |
The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674. |
PRJ-49103, |
Scalable Platforms |
When creating a Security Group in the Maestro Orchestrator WebUI, if the password contains the "(", "&" or ";" characters, the operation fails with "Failed to apply new topology" or with "Gaia Web-UI recognized a non-valid input data". |
PRJ-50680, PRHF-30764 |
Scalable Platforms |
Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed. |