R81.10 Jumbo Hotfix Take 177

UPDATE: Added a tool to extract data from the API logs to get the API usage information. Refer to sk181906.

UPDATE: In Multi-Domain Security Management, allowed GUI Clients can now be defined by IP address with netmask or by IP address ranges using the "mdsconfig" command. Previously, it was available only in the "cpconfig" options.

UPDATE: Improved processing of ICMP packets in the Security Gateway.

UPDATE: RAD extended flow information is now logged into a cyclic CSV file - $FWDIR/log/rad_events/rad_flows.csv. This enhancement provides visibility into RAD connections, helping to monitoring and troubleshooting. Refer to sk183108.

UPDATE: Improved the FW Monitor command output syntax. Refer to sk30583.

UPDATE: Added support for the Mobile Access Portal "WebSocket" applications to work in environments with asymmetric network bandwidth (the download speed is faster than the upload speed) between external and internal networks. Refer to sk95311.

UPDATE: Traffic between an external network host and an internal network host is now accelerated when a static NAT is configured to translate a cluster member's IP address or specific high port to an internal host IP address or specific service port. This scenario is relevant in Check Point CloudGuard Network Security Azure High Availability deployments, where traffic passes through a Load Balancer.

• To enable acceleration, add the following kernel parameter to the $FWDIR/boot/modules/fwkern.conf file - "accel_dnat_to_cluster=1".

• The change can also be applied immediately to the running FW1 process without requiring a reboot: "fw ctl set int accel_dnat_to_cluster 1".

UPDATE: New features and improvements are released in Take 134, Take 135, Take 136, Take 140, Take 142 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 179 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Take 47 of CPquid (QUID) Release Updates. Refer to sk181458.

In some scenarios, deleting a Security Gateway object fails if the Security Gateway is a participant in Global VPN Community.

In SmartConsole, the CSV export file of Access Policy NAT rules may contain incorrect hit count data.

In some scenarios, the Security Management Server with a proxy configured is unable to connect to Infinity Portal after changing the proxy settings.

In rare scenarios, Revert to Database Revision is stuck at 10%.

In the Management API, when setting "scan-malicious-links.max-bytes" to a value greater than 10,000 bytes, the API returns a "generic_error".

Creating a Threat Prevention Exception from a log fails with the "Failed to add exception" error when the "File Name" field in the log contains a Windows directory separator ("\").

Execution of the "set access-rule" and "add access-rule" API commands takes a long time to complete. Refer to sk181349.

In rare scenarios, login to SmartConsole using LDAP, TACACS or RADIUS authentication fails with a timeout.

In rare scenarios, when more than one Security Blade is enabled on the Security Gateway, Install Policy Presets may fail after purging all revisions.

Renaming a Secondary Security Management Server that was promoted to Primary fails.

In rare scenarios, the first packet of a connection is incorrectly dropped when a non-FQDN object is used in the Rule Base.

In rare scenarios, Infinity Portal shows the "Failed to update Infinity Portal with objects from your on-premises Management Server. Contact Check Point Support" error.

If a custom login message exceeds 1000 characters, the login output file, which contains the sid and other session data, cannot be parsed as expected. Using the "mgmt_cli" with the "-s" parameter results in the "Failed to parse login output file" error.

Login using a TACACS Server created with the "add tacacs-server" Management API command, fails with "authentication to server failed".

Packet mode search or search within Object Explorer for IP address ranges may not work correctly on the Standby Security Management Server.

When a Security Gateway object is deleted, its license may still appear as attached even though the Security Gateway Object no longer exists.

When modifying the URL definition type in an Application Site object using the "set application-site" Management API command with the "urls-defined-as-regular-expression" parameter, the type of pre-existing URLs remains unchanged.

VPN certificate renewal may generate certificates with 2K key sizes instead of the 3K size specified in Global Properties.

In rare scenarios, after deleting Data Center objects:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

In some scenarios, the Postgres database on the Standby Security Management Server is growing after every High Availability synchronization. Refer to sk182868.

The Management API command "set simple-gateway name 'XXX' usercheck-portal-settings.enabled {false|true}" fails to properly enable or disable User Check for Security Gateway objects. When running this command, the change is not applied to the Security Gateway configuration, and the "Enable UserCheck for active blades" setting in SmartConsole remains unchanged.

In rare scenarios, in multi-site Multi-Domain Security Management environments, operations across two or more Servers, such as Global Domain Assignment, IPS and Application Control update may fail.

Multiple errors "T_get_event: cannot register socket %d (%d sockets already registered for %s)" are printed in $MDSDIR/log/ in.msd.

In some scenarios, in the Multi-Domain Security Management Server, certain previously utilized global objects may remain hidden from both the SmartConsole's Object Explorer View and the "show unused-objects" Management API command.

In certain scenarios, when Cluster objects are used in a Multi-Domain Security Management Server with Domains that have Global Domain Assignments, an upgrade may fail with "Tried to persist object OBJ_ID with domain 1e294ce0-367a-11e3-aa6e-0800200c9a66 while active domain is DOMAIN_ID".

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or with the Advanced Upgrade method.

In some scenarios, the "SIC Error for EntitlementManager: Peer sent wrong DN" error is printed in cpd.elg on a VSX Gateway.

In rare scenarios, Domain creation fails with "Failed to create Domain server '<Domain Server Name>'. The connected administrator has no permission to create a Domain-Server on the specified Domain".

After rebooting a Multi-Domain Security Management Server, the CPView (sk101878) and Skyline (sk178566) tools do not return data (for example, when running the"cpview -m", "cpview -t", "cpview -s" commands).

In rare scenarios, the description of IPS Logs in the Logs view may be unclear. Refer to sk182386.

The "cp_log_export" command produces the correct output but displays a false error alert beforehand. This is a cosmetic issue.

In a rare scenario, VoIP Traffic fails after the initial call when SecureXL operates in User Mode (UPPAK). Refer to sk183218.

In some scenarios, in a cluster environment, when URL Filtering is enabled, there may be traffic disruption.

RADIUS authentication fails when a response packet contains the Message-Authenticator attribute. Refer to sk183244.

The FWK process exits with core dumps and error messages in $FWDIR/log/fwk.elg:"malware_res_rep_match_dns_response: check_dns_response_activate() failed".

Local connections originating from the Security Gateway may fail to refresh their timeout values.

In some scenarios, the "Use of undefined constant session" warning is frequently printed in the SAML Portal's error_log file.

On a Security Group Member, one of the Security Gateways using Virtual System Load Sharing (VSLS) may become unresponsive.

The FWK process may unexpectedly restart when running the memory detection leak procedure.

The FWK process on the Security Gateway may exit when processing the HTTP traffic.

In a specific scenario, file downloads intermittently stop until resumed manually because of HTTP parsing issues and Content Awareness parsing failures.

Memory handling issue, causing the FWK process to unexpectedly restart.

When a NAT-T tunnel is set up between VPN peers, packets having UDP encapsulation added to the headers are not transmitted out of the PPPoE interface as they should be. VPN connection appears to be established but does not actually pass traffic.

The FWK process may occasionally exit because the Security Gateway requests incorrect network interface statistics.

In a Maestro environment with configured Virtual System Load Sharing (VSLS) Mode, one of the Security Gateways on an SGM may be unresponsive until it is restarted several times.

In a rare scenario, an outage may occur in an Azure environment after one cluster member crashes and recovers.

In rare scenarios, the CPD process may unexpectedly exit, generating a core dump.

A stability issue where the ICAP Server may unexpectedly restart when processing traffic from a Security Gateway with Threat Emulation enabled.

Android devices' HTTP HEAD requests to Google services are blocked by Security Gateway proxy, generating excessive logs that impact Security Gateway performance through high CPU usage. Refer to sk182990.

The Anti-Virus Blade incorrectly classifies the .pqx files as .zip files, resulting in failure logs.

In rare scenarios, SSH connections may be dropped when SSH Deep Packet Inspection (SSH DPI) is activated on the Security Gateway.

The Threat Extraction Software Blade may inadvertently delete some system files on the Security Gateway. Refer to sk183512.

PDP to PEP Identity synchronization may fail on the PDP side if an alternative IP address for PEP communication is configured, as described in sk60701.

HTTP traffic dropped by PSL because of missing Host header. Refer to sk183569.

In some scenarios, when URL Filtering Blade analyzes web requests, the RAD error may appear in /var/log/messages: "rad_kernel_urlf_request_serialize: string len =XXXX bigger than max 4096".

In rare scenarios, a memory leak in the FWK process may occur when IPS is active.

DLP policies may not correctly block password-protected and unprotected files during Google Drive uploads, despite the Content Awareness Blade configuration.

In rare scenarios, Security Gateways with the Content Awareness Blade enabled may fail to properly process certain .zip file formats, resulting in "Failed to process files" errors during the Anti-Virus inspection.

In specific scenarios, the Anti-Virus file type classification engine incorrectly identifies Microsoft Office documents as zip archives, leading to improper handling of these files.

RAD queries fail, generating "wrong status code in reply" errors logged in $FWDIR/log/rad_events/Error/* files. Refer to sk183009.

In some scenarios, a SmartConsole log with the Anti-Bot Blade entries may appear when the Anti-Bot Blade is disabled in the profile.

In a VSX environment, the WebSocket applications in Mobile Access may fail to resolve their destination addresses through DNS when the DNS configuration at the global level differs from the DNS configuration of a local Virtual System.

The Mobile Access Portal hosted on a Security Gateway R81.20 or lower becomes unresponsive, and CVPND core files are generated after the Security Management Server is upgraded to version R82.

In ClusterXL High Availability setup, a crash may occur on both the primary and secondary members, causing network outages.

The FWK process may exit after enabling or disabling the "Same VMAC" feature. Refer to sk165674.

During cluster startup with routing separation enabled, a mismatch between routing and firewall process initialization can trigger premature full synchronization pnotes when the routing process is not fully synchronized.

In rare scenarios, when SecureXL works in User Mode, running the "reset_gw" or "vsx_util reconfigure" commands may cause the Security Gateway to crash.

In rare scenarios, after enabling Bridge Mode, a cluster member may stuck in a boot loop.

Running the "tcpdump" command on all interfaces (for example, "tcpdump -peni any") on machines with SecureXL in User mode while under heavy traffic load may cause the system to hang. Refer to sk183222.

Packet drops may occur if the same multicast packet is received on multiple interfaces.

SecureXL in User Mode (UPPAK) may restart when the Security Gateway is under high load and cpWatchDog triggers a reboot.

The packets may not be accelerated because of a routing issue.

Routing related connectivity and stability issues may occur when SecureXL operates in User Mode (UPPAK). Refer to sk183181.

See the Critical Information section.

Multicast traffic is dropped when the Packet-Broker operates in Monitor Mode with Promiscuous Mode disabled.

When working in User Mode (UPPAK), SecureXL may crash when multiple SND cores perform simultaneous next hop lookup for the same nexthop.

In rare cases, when an internal BGP (iBGP) peer disconnects during a graceful restart, BGP may fail to advertise all routes. However, the missing routes still appear under "adj-rib-out" with a next hop of "0.0.0.0."

Duplicate entries in the kernel routing table can occur when iBGP peers disconnect and reconnect, causing the same routes to be added multiple times rather than properly replaced.

BGP sessions may terminate upon receiving a BGP Update containing an AS_SET Path Attribute when Peer Local AS was configured on the Security Gateway.

Netflow logs appear in /var/log/messages, although netflow is not enabled. Refer to sk109038.

The ROUTED process may exit when processing OSPF network updates in a cluster environment. This occurs because of a timing issue in the routing protocol synchronization process.

VPN traffic may be dropped when there is Large Scale VPN (LSV) peer.

After an upgrade, Site to Site VPN tunnels (IKEv2) fail to establish. Logs show the "Auth exchange: Sending notification to peer: Invalid syntax" and "INVALID_KE_PAYLOAD" errors for IKE traffic. Refer to sk183550.

Virtual Router advanced routes may be assigned incorrect priorities in policy-based routing configurations.

SNMP counters may return incorrect data on VSX.

In rare scenarios, an entry in the FDB (bridge forwarding table) may be incorrectly marked as "Do not update". This can cause a traffic outage lasting several minutes after a Virtual System fails over from one member to another. This issue only affects users who are using both VSLS with VS distribution and a vSwitch.

Output of the "dynamic_split -p" command shows "Dynamic Split is currently off (Stopped due to State Verification failure)" on a VSX Gateway. Refer to sk181231.

The "vsx_util view_vs_conf" command output may show "N/A" for a Gateway when an object in the Domain shares the same name as the Virtual System object.

Policy installation fails after converting VSX ClusterXL from High Availability to Load Sharing Mode using the "vsx_util convert_cluster" command.

RADIUS and TACACS users may not be able to reconnect with "Unable to get user permissions".

In Gaia Job Scheduler, when running a user-defined command, it may be replaced with "dummyCommand".

When attempting to create cloning groups on an R82 Security Gateway, the "Error - Home directory for 'cadmin' cannot be in /home/cadmin directory" error is printed. Refer to sk182989.

The Redis Server does not start after installing the Gaia API Build 299. Refer to sk143612.

In a Maestro environment, an error message about short string length may be incorrectly displayed when setting an expert password string that includes the colon ":" character on the Security Gateway.

Local connections from members at a standby site may fail when using the Same VMAC feature and a VPN Tunnel Interface (VTI) is configured.

After a reboot, IPv6 addresses configured on data interfaces disappear from the "ifconfig" output when the Same VMAC feature is enabled in SmartConsole.

After setting up a new VSX Gateway and enabling blades, VSX internal error is printed: "Virtual System Processing Completed with Errors Pushing network configuration to Virtual System operation has finished with errors. Refer to the messages retrieved during the VSX push configuration stage and make sure that the configuration you are trying to push is legal".

When running the "enabled_blades" command multiple times simultaneously, the command output may be incorrect. Refer to sk181024.

The "ws_mux_host_only_active_pass: ERROR: There is not enough data in stream to pass" error may be printed in logs. This is a cosmetic issue.

DNS configuration may not be pulled to other Security Gateway Members (SGMs) from the Single Management Object (SMO).

IP broadcast helper cannot forward the packets if the IP address of the "relay to" is not directly connected to the Security Gateway.

Configured proxy ARP may not work as expected, when the "Same VMAC" feature is enabled.

The "asg_dr_verifier" script fails when OSPF Graceful Restart is configured with a grace period.

After a Jumbo Hotfix upgrade a single site is displayed as active, but the assigned load value is 0%. Refer to sk182454.

Import an R82 upgrade package may fail with "[ERROR] Failed to transfer package to several members, Import was aborted" because of timeout which occurs while copying the package to all Security Group members.

A reboot loop with a generated configuration pnote may be triggered when Security Group hostname contains strings with "mq" or "otlp".

Incorrect entry order in the /etc/passwd file (admin user entry appearing after root user entry) causes adding Security Group Member with the "member / m" command to hang/fail. Refer to sk180183.