R81.10 Jumbo Hotfix Take 183

NEW: This Take introduces the Dynamic URL List feature is an enhancement to the Custom Applications/Sites object (sk165094), allowing to maintain a dynamic list of URLs based on a feed file. Refer to sk183102.

NEW: Added the new Skyline metric "system.traffic.templates". Refer to the Skyline Administration Guide > Skyline Metrics Repository > System > Traffic.

UPDATE: Check Point response to CVE-2025-32728 - The SSH directive "DisableForwarding" fails to disable "X11 Forwarding" and "Agent Forwarding". Refer to sk183394.

UPDATE: Check Point response to CVE-2019-6109, CVE-2019-6110, CVE-2019-6111. Refer to sk65269.

UPDATE: The upgrade duration for the Security Management Server and Multi-Domain Security Management Server has been reduced by up to 60%.

• The fix will only be applied if the upgrade to R81.10 Jumbo Hotfix Accumulator Take 183 is done using a Blink image or the Advanced Upgrade method.

UPDATE: Added the "show-only-local-domain" field to API queries to return only objects from the current local Domain.

UPDATE: In SmartConsole and Management API, Access, and NAT Policies now support Rule Base search for hitcount values.

UPDATE: Added an HCP test to check whether the CPAC-2-100/25F, CPAC-2-100/25F-B, CPAC-2-40F-B, or CPAC-2-40F-C FW firmware is safe to update from R81.10 to a higher version. Refer to sk182403.

UPDATE: Added an option to disable enforcement on internal interfaces when IOC indicators are loaded.

To configure this option, add or modify [IOC] enable_internal_interface=<value> in the file $FWDIR/conf/malware_config (for MDS, additionally in $MDS_FWDIR/conf/malware_config).

UPDATE: SecureXL Rate Limiting rules for DoS Mitigation now support these parameters with automatic IP range updating enabled by default:

• "cc:<COUNTRY_CODE>"

• "asn:<AUTONOMOUS_SYSTEM_NUMBER>"

Refer to sk112454.

UPDATE: Added support for Data Centers in AWS ap-southeast-5 Malaysia, Thailand, Taipei, and Mexico regions.

UPDATE: CloudGuard Controller status in SmartConsole is now automatically updated.

UPDATE: New features and improvements are released in Take 143, Take 147, Take 149, Take 150, Take 155, Take 156, Take 157 via self-updatable package. Refer to sk170314.

UPDATE: Added Update 23 and Update 24 of HealthCheck Point (HCP) Release. Refer to sk171436.

UPDATE: Added Update 26 and take 27 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added Take 18 of Scalable Platforms (Maestro and Chassis) Release Updates. Refer to sk183156.

Regenerating a token on a Security Gateway Smart-1 Cloud may fail with an unclear validation message "No error in result from fwm command: [gen-pki-cert-req]".

In rare scenarios, the CPRLIC process may exit with core files generated to the /var/log/dump/usermode/ directory on the Security Management Server.

Policy installation is delayed because of the FWM process load. Refer to sk183563.

The $MDS_FWDIR/log directory may contain multiple api_status_UUID.json files.

In SmartConsole, deleting a license in the Licenses tab of a Security Cluster object fails with the "Domain Management Server licenses cannot be removed from the Domain Management Server level" error.

In some scenarios, the PostgreSQL database fully utilizes disk space on the Security Management Server.

In some scenarios, SmartConsole disconnects when installing policy if there are 50 installation targets or more.

In rare scenarios, the UserCheck policy is not updated during the Accelerated Policy installation.

When Global Domain Assignment removal fails with the "Global Domain Assignment failed: object XXX could not be deleted because it is referenced by other objects" error, only a partial list of the referencing objects is displayed in the error message.

The FWM daemon may leak and then exit.

After editing an Interoperable Device object, the number of changes of the current session presented in SmartConsole may be inaccurate.

In rare scenarios, the FWM process may not start automatically after an unexpected exit.

VMcore crashes may occur with core dumps of the LOG_INDEXER, LOG_EXPORTER, and JAVA processes on the Security Management Server, causing high CPU utilization.

In rare scenarios, the Security Management Server fails to start after performing a "Revert to Revision" operation.

In rare scenarios, discarding an old session fails with an "An internal error has occurred" message.

When migrating a Security Management Server to a Multi-Domain Security Management Server more than once, the operation fails with the "got at least one duplicate UID in requested list" error.

In rare scenarios, CME (Cloud Management Extension) fails to run because of the "show-simple-gateway" Management API command failure. The CME logs show such entries: "Product - CMESeverity - criticalDescription - Error during synchronization with Security Gateways. Error details: Failed to scan for gateway instances in the cloud account".

On the Multi-Domain Security Management Server, when staging is cleared for an IPS protection in the Global Domain, any staging configuration for that same protection in the local Domain (within a Global profile) remains unchanged during policy assignment.

In a Multi-Domain Security Management environment, when opening the License tab of a Security Gateway object in SmartConsole, the "Security Gateway was not found" error may be shown.

In a VSX environment, the CPVIEWD daemon may exit and produce a core dump file.

VSX CPU Usage calculation on multi-core devices may be incorrect.

When viewing certain reports in SmartView, the "No data found" error may appear even when matching logs exist.

Certain User Space processes (for example, PDPD) become unresponsive when working in Firewall Kernel Space Mode. Refer to sk184028.

Intermittent drops of transmission packets for "Streaming Engine: TCP Invalid Retransmission" causing HTTP loading issues. Refer to sk181282.

The FWK memory leak may occur during FTP connections with high file volume. Refer to sk183662.

In some scenarios, when SecureXL is working in User Mode (UPPAK) mode, QoS service is unable to start, displaying the "QoS is not responding. Verify that QoS is installed on the gateway" error. Refer to sk183752.

Threat Emulation on ICAP Server fails with "There was an Unexpected Internal error, Please try again later". Refer to sk184228.

The RAD daemon may unexpectedly exit on VSX Gateways.

ICAP Server may fail to process multipart HTTP requests (when request body is split into multiple parts, each with its own headers and content).

When configuring NAT64 rules for specific targets, the rules may fail to apply. Return traffic may be dropped.

When Mirror and Decrypt features are enabled, the Security Gateway may experience unexpected reboots. The crashes are caused by "put_cred_rcu()" errors with negative usage values and memory leaks in the ARP cache.

Non-HTTP connections may be incorrectly dropped because of a missing Host header when the Gateway operates as a proxy.

In rare scenarios, the WSDNS daemon may exit instead of shutting down gracefully.

The Clone Policy Package task in SmartConsole fails with the "The object name must not contain whitespace characters at the beginning or the end" error. Refer to sk161294.

The SAML authentication flow may fail on a VSX Gateway.

After a system restarts (for example, reboot or cprestart), FWD-related sub-processes such as VPND and PDP may not run. Refer to sk183446.

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway.

When the Mirror and Decrypt feature is enabled, the SKB memory leak may occur.

In a rare scenario, the FWK process may restart unexpectedly.

When handling interface statistics, the CPD or FWK processes may unexpectedly restart with an error related to IOCTL printed in logs. Refer to sk183544

In rare scenarios, Mobile Access SmartConsole Logs may not match views/queries, including the "MAC address" or "Methods" field names.

In a rare scenario, the DLPU process may exit during traffic inspection when holding a connection.

Entra ID (Azure ID) authorization may fail when more than one tenant is configured for authorization and the "fetch-user-groups" or "fetch-machine-groups" mode is enabled.

In the Application Layer, an "any-any" rule (from any source to any destination, using any service) with long-lived connections may cause excessive memory usage. Refer to sk184196.

In rare scenarios, the FWK process may crash when the URL Filtering Software Blade is enabled.

The FWK process may unexpectedly exit during the HTTPS inspection flow, which requires the RAD service categorization.

In some conditions, the Packet Capture may be missing from IPS logs in SmartConsole.

In a rare scenario, the memory consumption of the DLPU process continuously increases.

In some scenarios, the Anti-Virus Software Blade reaches a timeout when inspecting Domains because of latency in the RAD daemon.

In a rare scenario, the Security Gateway may crash during traffic inspection.

Mobile Access Software Blade may incorrectly terminate Guacamole-based clientless RDP/SSH sessions due to client idleness.

A rare race condition occurs during "cpstart" command execution in VSX environments that prevents proper sync interface installation, specifically in the cluster flow process, causing synchronization problems between cluster members.

Modifying the number of CoreXL instances in a VSLS cluster containing three or more members causes traffic interruption on the updated Virtual System.

Virtual System in a VSX VSLS Cluster does not fail over when a cluster interface goes down. Refer to sk182734.

The ROUTED daemon may incorrectly initialize as Subordinate rather than Master after a "cpstop;cpstart" command when executed on the sole Active member in a cluster configuration.

ClusterXL Standby member stays down with a message "Reason for state change: FULLSYNC PNOTE - Connection terminated by remote member". Refer to sk182660.

When printing the Deny list on a Security Gateway during Threat Prevention policy installation after deleting a large IoC feed from Security Management, an uninformative IOCTL error is displayed instead of a proper error message. The issue is cosmetic only.

When tunnel is established and traffic is running, the USIM process may exit every 15-20 minutes and cause a failover of the second member.

When using DoS Deny List, CPU usage may increase.

In a Maestro setup, the USIM process may exit under high load when handling encrypted VPN traffic with the other Security Gateway.

SecureXL does not immediately send packets to the appropriate handler when it receives packets from a Virtual Router or Virtual Switch and fails to forward them to the connected Virtual System. This delay causes significant routing delays and potential routing errors on VSX Security Gateways.

Local TCP traffic may encounter "out-of-state" connection issues.

When SecureXL User Mode (UPPAK) is enabled, there can be a significant latency on a Security Gateway when opening an FTP data connection.

In a rare scenario, packets with malformed message headers cause the Security Gateway to crash.

Large packets cause performance slowdown.

In rare scenarios, Fast Accel flow may result in SecureXL Kernel Space Mode (KPPAK) crash.

In some scenarios, the Security Gateway delays offloading a connection to the Quantum LightSpeed hardware accelerated card when SecureXL User Mode (UPPAK) is enabled.

Adding SecureXL DOS/Rate Limiting rule with AS numbers or country codes fails on VSX. Refer to sk183992.

When adding a Rate Limiting rule using invalid format through the "fwaccel dos rate add" command with "-i" flag, the error is displayed but the rule is created although it should not.

Multiple "radix_get_value" messages may appear in fwk.elg log files.

The USIM process may exit when viewing the fg_conn table using the "fwaccel tab -t" command.

In a specific scenario, where SSM static groups are configured on an interface, after a failover, these IP addresses do not appear as Outgoing Interfaces (OIFs).

A memory leak occurs in the ROUTED daemon when CoreXL is running OSPF and handling large numbers of LSAs combined with frequent route flaps.

The VPN granular encryption link is deleted when changing Security Gateway role.

Rare VPN connectivity issues caused by Encryption Domain overrides in communities with third-party Gateways.

In a rare scenario, the FWK process may exit during VPN traffic decryption and routing when the PPPoE interface is enabled.

Creating a Virtual System (VS) with an IPv6-only interface (without configuring IPv4) succeeds without any warning or error. However, after the VS is created and modified, pushing the configuration fails with "In a VSX cluster, IPv6-only interfaces are not supported. Virtual System Processing Completed with Errors".

After enabling Mobile Access Software Blade on a Virtual System, Mobile Access services do not run, and the Mobile Access portal cannot be reached. Refer to sk183256.

The "vsx-provisioning-tool" CLI command returns asynchronous task IDs before it is ready for monitoring, causing Terraform and similar automation tools to immediately fail when attempting to track task status.

After an upgrade, the "q_mng -o" command may show different amounts of cores than it was configured in affinity settings prior to the upgrade.

The Security Management Server hangs during a Backup operation because of endless SSH handshake retry, making it impossible to access via SSH or CLI.

The output of "cppcap" command (sk141412) with the "-i" flag prints "Failed to capture X packets".

The 1.3.6.1.4.1.2620.1.6.7.5.1.5 SNMP OID (multiProcUsage) reports wrong values when HyperFlow is enabled.

In rare scenarios, users may be disconnected from SmartConsole, and an FWM process core dump is generated.

SNMP data types under the ASG MIB tree ( for Scalable Platform Security Groups) may be incorrect.

• The sysLocation OID (1.3.6.1.2.1.1.6.0) returns "UNKNOWN", even though the value is configured in the SNMP settings and exists in the Gaia database (/config/active).

• When editing sysLocation or sysContact using the SNMP configuration interface, the Gaia database is updated, but the SNMP configuration file is not updated.

When using Resource Separation on MDPS on Maestro, and the Security Gateway is under extreme load, policy installation fails, although the Resource Separation should handle the load.

The MONITORD process unexpectedly exits on Security Gateways. Refer to sk184076.

When taking snapshots of the Security Group Members, some of them may crash, the dmesg_dumps shows multiple messages occurred before the crash "the active connections feature is currently enabled in the SmartView Tracker and due to high load it is making sync too slow to function properly. Therefore, 319489 active connection updates were dropped and no sync updates were lost".

If the User Center connection fails, contracts may be retrieved incorrectly, resulting in erroneous contracts getting pushed to the Security Gateway.

The CloudGuard Network Central License utility fails to distribute the license, if there are duplicate entries of the license on the Security Management Server.

A Virtual System may lose connectivity on the Backup and the Standby member when route-based traffic is configured with specific SD-WAN configurations in VSX environments.

Security Group members may reboot because of cp-nano database entries. The /var/log/configuration_reboot_reason.log may show "process:cp-nano-watchdog" when database entries exist only on the local member or only on the SMO member.

Policy installation may fail on newly added Security Group members because an updatable object package is missing.

Using a Multicast packet over a VPN tunnel may result in high SND CPU usage.

See the Critical Information section.

Clish may generate a core dump file after running the "set blade-range all" command.

The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules on Quantum Maestro. Refer to sk179931.

Security Group members changing from ACTIVE state to READY state may cause traffic impact.

After adding a custom command in Gaia gClish with the "add command", the custom command is available only on the Single Management Object (SMO). Refer to sk178671.

If L4 is disabled, the data connection may be dropped if it is redirected to a different IP address than the control connection.

In rare scenarios, in a Maestro setup, traffic interruption may occur after Security Gateway reboots when the Gaia Database is corrupted.

Installing policy to the Maestro Security Group under extreme load with Resource Separation may fail.

A configuration issue may cause link flapping on bonded uplink interfaces when using Maestro with SecureXL User Mode (UPPAK) enabled. The bond interface may fail to establish connectivity, with the physical interface reporting link status as up but showing unknown speed values.

GTPv1 traffic may be dropped with code description "Invalid IE length value", "GTP info: Parsing IE type 133 failed".

GTP traffic may not be well balanced, some CPU cores may be overloaded while others are underutilized, leading to performance issues.

Running to "snmpwalk" or "stattest" command for any of GX OIDs results in the "No Such Instance currently exists at this OID" error.