R81.10 Jumbo Hotfix Take 171

NEW: CloudGuard Controller updates are now performed automatically. Refer to sk181842.

UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Fix for Remote Access VPN and login to SmartConsole, Mobile Access and Identity Awareness Captive Portal. Refer to sk182516.

UPDATE: JRE is updated from version 8.0_8.21 to version 8.0_8.26.

UPDATE: Added a count of Session and Connection logs to the "cpstat" command output.

UPDATE: Added support for whitelisting IP addresses in external IoC feeds.

UPDATE: Identity Collector OIDs for SNMP queries are now available in both $CPDIR/lib/snmp/chkpnt.mib and $FWDIR/conf/identity_server.cps locations.

UPDATE:

• Improved debugging in the Security Gateway to identify problematic hosts when resolving their next-hop IP addresses.

• The custom ADP queue size configuration now persists after rebooting the Security Gateway. The relevant global parameters are located in the $PPKDIR/conf/adpkern.conf file:

  • "adp_nh_total_max_arp_qents"

  • "adp_nh_local_max_arp_qents"

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

In some scenarios, the "set-exception-group applied-threat-rules.position" Management API command may add the exception group to an incorrect position.

In rare scenarios, when Application Control blade is enabled, cloning a policy may fail due to timeout.

In some scenarios, the Security Management Server upgrade fails with "creating default objects and restarting services" during the import phase.

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file.

Searching for a Data Center asset IP address in the policy may not return results.

Global Policy Reassignment may fail with an "An internal error has occurred" message when a custom IPS package is used or was previously used in the system.

The "show-domains" Management API command may return partially deleted domains among the results.

In some scenarios, policy installation using Management API with the "prepare-only" parameter set to "true" may fail with an "internal error" message.

Enabling IPS on Multi-Domain Security Management Server may cause Threat Prevention policy installations to fail due to legacy IPS multi-profile incompatibility.

In some scenarios, cpmiquerybin core files may appear in /var/log/dump/usermode/ on the Security Management Server.

In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains.

SmartConsole fails to connect with "Unable to connect to server. Server is initializing". Refer to sk182507.

In some scenarios, opening new tab in SmartConsole Logging & Monitoring tab fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732.

In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole. However, the new Log Exporter object is not actually generated.

The "asg monitor" command may show the Security Gateway in the "during upgrade" state although a major downgrade is complete.

When SecureXL User Mode (UPPAK) is enabled and using Passive/Active Streaming with QoS, the Security Gateway may incorrectly drop some traffic.

The Security Gateway may crash after a failure in policy installation.

Changing the NAT settings of a host using the "set-host" Management API command succeeds but has no effect unless both the "ipv4-address" and "ipv6-address" parameters are set.

In some scenarios, the Security Gateway does not free some packets causing a memory leak.

Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807.

See the Critical Information section.

The Threat Prevention policy installation may fail when installing from R81.20 SmartConsole on R80.x Security Gateway.

In a rare scenario, the Security Gateway may crash during traffic inspection when holding a connection.

In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Any groups beyond this limit are disregarded when determining user access roles.

IPS may drop an IPv6 TCP local connection.

In some scenarios, the Anti-Virus Blade logs on a VSX Gateway may display an incorrect origin IP address.

When the VSX Gateway is created, the parameter that determines whether VSX mode is enabled or disabled is not set in SecureXL configuration until a reboot is performed.

When SecureXL User Mode (UPPAK) is enabled and running ESP traffic, packet loss may occur and the "fwconn_key_init_links failed" error is printed. Refer sk182775.

The USIM process exits when attempting to delete an IP address from an empty deny list if that IP address exists in any other deny lists (including the regular deny list or those using IoC feeds).

The USIM process may unexpectedly exit when these parameters are enabled in the $PPKDIR/conf/simkern.conf file:

• "sim_top_conns_enable" - the tracking of the top connections.

• "sim_top_proto_enable" - the tracking of the top protocols.

In a ClusterXL environment, a race condition may occur when BGP Graceful Restart is incorrectly configured. If the feature is enabled for some peers but not others, it may lead to permanent loss of network routes.

In some scenarios when MDPS is enabled, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth7 instead" message appears in /var/log/messages.

Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds.

Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason.

Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment.

The gClish scheduled backup retention command is applied to SMO member only and not on all Security Group members as it should.

When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only.

The VSX Gateway may cause traffic interruption when SecureXL User Mode (UPPAK) is enabled on systems with multiple physical interfaces.

Using Image Cloning when the same VMAC feature is enabled may cause a boot loop.