R81.10 Jumbo Hotfix Take 173

NEW: The "show nat-rule" and "show nat-rulebase" Management API commands now support displaying hit count data with optional date range filtering through the "show-hits true" parameter, allowing users to retrieve hit statistics for NAT rules with flexible time-based querying in JSON format.

Syntax examples:

• mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" --format json

• mgmt_cli show nat-rulebase offset 0 limit 20 details-level "standard" use-object-dictionary true package "standard" show-hits true --format json

• mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" --format json

NEW: Updatable objects can now be updated through the Security Management Server by adding the "<ProxyRoute>1</ProxyRoute>" configuration entry to the $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml file, enabling proxy-based updates.

NEW: Added new OID (1.3.6.1.4.1.2620.1.38.55) to monitor the Identity Collector connection status in the $CPDIR/lib/snmp/chkpnt.mib file.

• This capability is supported for Identity Collector agents running with version R82.120.0000 or higher.

UPDATE: Resolved CVE-2024-52887 - Self-XSS vulnerability in Mobile Access Native Applications 'favorites' dialog. Refer to sk183054.

UPDATE: The Management API command "set-https-rule" now automatically sets the negative value to "false" when modifying the destination, source, service, or site-category fields, regardless of its previous setting.

UPDATE: Added a log print to warn about unsupported SIC reset configurations on Multi-Domain Security Management Server / Multi-Domain Log Management Server and to alert when a Domain lacks an ObjectStoreDomain, which prevents CPM from starting. Refer to sk182533.

UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved performance.

UPDATE: Improved throughput of GRE tunnels configured on the ports of the 100G Acceleration Card when SecureXL works in the UPPAK mode.

UPDATE: Implemented robust path validation during user deletion to prevent unintended deletion of parent directories.

UPDATE: Optimized policy distribution to Maestro Security Group members to avoid failure under high load conditions.

UPDATE: New features and improvements are released in Take 124, Take 125 and Take 128 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 141 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

The on-premises Security Management Server with a proxy address configured may fail to connect to the Infinity Portal.

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

In some scenarios, High Availability synchronization fails with "NGM failed to export data" because of invalid Global Domain Assignments.

After installing R81.10 Jumbo Hotfix Accumulator Take 150, when browsing to SmartConsole > Manage & Settings > Permissions & Administrator > Administrators, the page may display "Error retrieving results".

In rare scenarios, the CPD process may unexpectedly exit and create a core dump file. Refer to sk182787.

In rare scenarios, publishing Multi-Domain Security Management level changes such as Administrator configuration changes fails. The "Action Failed due to an Internal Error" error is displayed.

In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck.

• The fix will only be applied if the upgrade to R81.10 Jumbo Hotfix Accumulator Take 173 or higher is done using a Blink image or the Advanced Upgrade method.

In environments where not all Domains are Active on the same Server (for example, in a multi-site environment), and there is no Domain Management Server for a specific Domain, logs from that Domain are not forwarded to the Infinity Portal.

In rare scenarios, in Multi-Domain Security Management environments, login to Smart Console fails.

After an upgrade, Log Sharing feature does not function as expected, "Encountered an internal error" is printed in the Infinity Services view, under Log Sharing status, and LOG_EXPORTER core dumps are generated. Refer to sk183146.

See the Critical Information section.

After an upgrade, Dynamic Balancing does not start. The "dynamic_balancing -p" command returns "Dynamic Balancing is currently Initializing". Refer to sk182615.

When enabling MDPS using the "set mdps mgmt plane on" command, the "Failed to commit transaction on database" error is shown instead of a message explaining that the management interface should be configured first.

The server.log file of the ICAP Server is filled with "Failed to scan web object" entries. This is a cosmetic issue.

In some specific HTTP/2 traffic scenarios, a valid connection may fail.

When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.

The "dynamic_objects cfo_show" command may fail when the Security Gateway is under heavy load.

Incorrect Rule Base parameters synchronization logic may lead to the FWK process exit.

GTP-U traffic may be dropped because of incorrect message type handling.

In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow.

The "cpca_dbutil print" command may delete the provided output file content if the input file does not exist.

When SSH Deep Packet Inspection (SSH DPI) is enabled, a bypass log entry may not be generated if no Threat Prevention blade is active on the connection. This is a cosmetic issue.

In a rare scenario, Anti-Virus blade prevents benign traffic due to improper parsing of URL observables in IoC feeds. Refer to sk181519.

IDA Captive Portal may not be available after Jumbo Hotfix Accumulator installation or after an upgrade using the Blink image. Refer to sk172324.

In a rare scenario, when fetch_by_SID is enabled, the PDPD process repeatedly exits. Refer to sk182745.

In some scenarios, a custom application does not match a URL Filtering rule.

In a rare scenario, the FWK may unexpectedly exit because of a memory allocation issue.

The DLP blade may not block the password-protected files of a specific type, although it should.

In a rare scenario, when the Anti-Virus blade is enabled, the Security Gateway may crash during traffic inspection.

A Maestro Security Group Member may fail to initialize after enabling IPv6 and is stuck with pull_config pnote.

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

Policy installation failures may cause "fwaccel dos" commands to stop working.

When working with SNMP traps, Clish may become slow and unresponsive.

When querying VLAN interfaces, instead of returning the ifType specifically for the VLAN interface itself, the SNMP walk returns the ifType of the underlying physical interface that the VLAN is associated with.

Capturing with Check Point Traffic Capture Tool (cppcap) from all devices may lead to high CPU usage and potential performance issues.

Static routes may get permanently deleted from the kernel during rapid interface configuration changes when there is a large number of routes.

Capsule VPN connectivity failures may occur after a configuration change of the VPND daemon table parameters.

In some scenarios when Link Selection (LS) is configured, traffic outage may occur after policy installation.

SSL Network Extender (SNX) traffic on Maestro may be dropped with "vpnk_tcpt invalid negative tunnel id". Refer to sk182806.

When configuring machine authentication without an LDAP server, the computer is authenticated during the connection with the RA VPN. However, the logs in SmartConsole do not display the "Authenticated machine ..." message as expected.

The "vsx_util convert_cluster" command may fail and cause the FWM process to exit with a core file.

In a rare scenario, the FWM process may exit when running the VSX creation wizard.

Exclusions for Anti-Bot policy created through the WebUI do not correctly handle Cyrillic characters.

When Maestro Hyperscale Orchestrator (MHO) is not reachable, the "mq_mng -s" command becomes unresponsive.

Security Group Member may be in Down state during the license distribution to Maestro Security Group members. Refer to sk181245.

Using the "#" character in the Message of the Day (MOTD) banner message causes SGMs to fail during boot.

After upgrade:

• Output of the "asg diag verify" command shows in the "System Components" section that the status of the "Software Provision" test is "Failed".

• Output of the "asg diag print <ID of "Software Provision">" command shows a shell script code.

• Output of the "asg_provision" command shows a shell script code.