R81.10 Jumbo Hotfix Take 152

NEW: Added ability to import PKCS#12 files using AES-256-CBC encryption with PBKDF2-HMAC-SHA-256. This enhancement is designed for use in multi-portal environments and HTTPS Inspection scenarios.

NEW: Added support for 3072 bits key size in IKE certificates. To use 3072 bits key size, refer to "HTTPS Portals (Multi-Portal) Certificate, VPN Certificate" section in sk96591.

UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism.

UPDATE: Added the "SecureXL" filter to the "cpview -m -f" command, which allows to extract to Skyline all the information related to SecureXL drops. Refer to the Skyline Metrics Repository.

UPDATE: If inspection logging is configured, the "Inspect" log now displays the negotiated ciphers and TLS version used for successful inspections, both between the client and the Security Gateway, and between the Security Gateway and the Server.

UPDATE: Added Multi-Queue support for Microsoft Azure Network Adapter (MANA) accelerated network interfaces.

UPDATE: New features and improvements are released in Take 100, Take 102, Take 104 and Take 111 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE: Added Python 3.11.4.

Enabling automatic updates of Trusted CAs as described in sk173629 may fail.

When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time.

Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

Global Assignment fails with "Locked for editing by another administrator and need to be published or discarded before the operation can take place". Refer to sk181807.

There may be synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Server when a newly created local administrator on the backup Security Management Server makes changes to rules or objects, after the Active role is switched to that Security Management Server.

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file.

In rare scenarios, after an upgrade or a Domain migration:

• Policy installation might fail with "ERROR: Duplicate keys xxxxxxxx in table 'gw_properties".

• DAIP Gateway objects will have duplicate IP addresses.

  Refer to sk181834.

Changes Report may allow to list certain directory contents.

In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

After a Multi-Domain Security Management upgrade to R81.10 version, some Infinity Portal Services may stop working.

In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view.

It may not be possible to add/set a Threat Prevention Exception with a protection-or-site UID.

The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt.

In a Multi-Domain Security Management environment, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred"

In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails.

The "show-lsm-gateways" Management API command returns LSM cluster objects besides the LSM Security Gateways.

In the "cpview -m" command output on the Security Gateway which is an Active Cluster member, "metrics system.network.nat.ports" and "system.network.nat.ports.limit" may not be displayed in the list of available metrics.

When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677.

When the "IP Options drop" tracking Global Properties setting is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole.

In rare scenarios, the FWD process on the Security Gateway may reach out of memory and produce a core dump file of around 3GB.

A highly utilized Security Gateway may crash during policy installation.

Some debug messages may appear in the /var/log/messages file, although the debug mode is not activated. The issue is cosmetic only.

After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found".

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router.

On the Security Management Server, a CPD zombie process may be created.

CIFS traffic may cause CPU spikes in the FWK process.

Installation of Threat Prevention Policy fails with the error "No profile defined on GW <Name of Security Gateway Object>" in this scenario:

• The "Install On" column of a Threat Prevention rule contains a Group object (Group #1).

• This Group object (Group #1) contains another Group object (Group #2).

• This nested Group object (Group #2) contains the Security Gateway object.

After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946.

User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation.

Some URLs may be blocked by the Anti-Virus blade as malicious, even though the Threat Prevention Rule Base contains an exception rule with a Site/Application object that includes this URL.

SAML authentication may fail after installation of Jumbo Hotfix Accumulator R81.10 Take 113. Refer to sk182128.

See the Critical Information section.

In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error.

In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also.

In some scenarios, when SecureXL User Mode (UPPAK) is enabled, the Security Gateway crashes during boot up.

When the Security Gateway works in SecureXL User Mode (UPPAK), a SIGPIPE signal may cause the USIM process to exit, leading to a system reboot.

In some scenarios, when QoS blade is enabled and SecureXL works in User Mode (UPPAK), Security Gateway may crash with the "invalid data" error.

In some scenarios, the Security Gateway crashes during boot up when SecureXL works in User Mode (UPPAK).

In some scenarios when Route based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address.

In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization.

The ROUTED process may unexpectedly exit because of an OSPF assertion failure.

The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922.

Some valid interfaces may not be available with running the "set lldp interface" command.

Removing unused built-in user called "cp_ender" that may appear in Gaia OS after an upgrade. Refer to sk182185.

In a VPN Community with a configuration involving two Security Gateways (a Center Cluster and a Satellite Security Gateway) with IPv6 external and internal interfaces, when attempting to establish a Link Selection Star community between them, the VPN process may unexpectedly exit due to repetitive IKE core crashes on one of the Security Gateways while the other Security Gateway tries to establish a tunnel, resulting in connectivity issues.

In a rare scenario, in a Maestro environment the first packet of the VPN tunnel is lost or has a large delay.

IPv6 non-VPN traffic may be dropped with "Clear text packet should be encrypted".

In an on-premises environment, large Active Directory groups with more than 1500 members appear empty or have incomplete membership information.

An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and therefore may differ between members.

After a failover scenario, the "m site-id member-id" command requires reauthentication.

Redundant "MHO_stateAgent[3230]: QuidAddon: System not ready yet - attempting to re-init" messages in the /var/log/messages file.

In a rare scenario, when a Maestro Security Gateway is active again after a reboot, and LightSpeed is used, the LACP bond may drop incoming and outgoing packets.