R81.10 Jumbo Hotfix Take 38

 

Note - This Take contains all fixes from all earlier Takes.

Take 38 includes high-priority fixes for:

  • Quantum Maestro Orchestrator

  • Stability enhancements and system hardening for Management API and Multi-Domain Security Management in large scale environments.

ID

Product

Description

Take 38

Released on 21 February 2022

PRJ-29396,
PMTR-72424

Security Management

NEW: Added support for Management API commands: "add-rules-batch" and "delete-rules-batch".

PRJ-29438,
PRHF-16947

Security Management

UPDATE: Added a warning message in SmartConsole that alerts if memory utilization of the FWM process exceeded 3.5GB during policy installation.

PRJ-31866,
PRHF-17841

Security Management

UPDATE: The "show application-sites" Management API command returns additional fields for UIDs of primary category and additional categories.

PRJ-32893,
PRHF-20657

Security Management

UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165.

PRJ-32769,
PMTR-71549

Security Management

UPDATE: Meta-info and comments fields are now displayed in the output of the "show-tasks" API command with "details-level standard".

PRJ-32960,
ODU-154

Security Management

UPDATE: Added Update 13 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-31893,
PMTR-73413

Security Management

In some scenarios, the API command "show-changes" fails with "Diff operation failed: Unable to build the diff reply."

PRJ-31862,
PRHF-17606

Security Management

In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message.

PRJ-31861,
PRHF-17744

Security Management

The "show-gateways-and-servers" Management API command does not show policy information for cluster members.

PRJ-28817,
PRHF-18712

Security Management

In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

PRJ-28031,
PRHF-17915

Security Management

In some scenarios, the user may fail to connect to Remote Access VPN if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967.

PRJ-30885,
PMTR-62059

Security Management

In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file.

PRJ-30415,
PRHF-18883

Security Management

Scheduled IPS updates data may not be shown in the IPS update report.

PRJ-32093,
PRHF-20162

Security Management

When searching for an IP in Object Explorer, network objects with both IPv6 and IPv4 configured may not appear in the results, although they match the IP.

PRJ-31942,
PMTR-73871

Security Management

Deleting an administrator with open sessions may fail with "An Internal error has occurred."

PRJ-30899,
PMTR-73253

Security Management

In rare scenarios, installing policy on an OSE device may fail with "Policy installation had failed due to an internal error".

PRJ-32042,
PRHF-20220

Security Management

In some scenarios, the $MDS_FWDIR/log/cpm.elg file contains many lines about "UnmarshalException".

PRJ-31674,
PMTR-73252

Security Management

In rare scenarios, policy installation cannot be executed while another policy installation is already in progress and stuck.

PRJ-31673,
PRHF-19891

Security Management

In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time.

PRJ-31702,
PMTR-72876

Security Management

In a Multi-Domain environment, in Gateways & Servers view, the option to filter Gateways by Domain is greyed out, although it should be enabled.

PRJ-29954,
PRHF-17767

Security Management

In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245.

PRJ-29911,
PRHF-18974

Security Management

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

PRJ-31976

Security Management

After creating a new LSM device through the API, the device editor in the SmartProvisioning GUI may unexpectedly close when editing the Topology configurations.

PRJ-31743,
PMTR-73756

Security Management

In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain.

PRJ-33465,
PMTR-71195

Security Management

While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the Configuration tab.

PRJ-29241,
PRHF-18890

Security Management

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805.

PRJ-30682,
PRHF-19185

Security Management

Policy installation with Directional VPN rules may fail with a verification error.

PRJ-31261,
PMTR-69264

Security Management

In some scenarios, the API command "login-to-domain" fails, and the cpm.elg log shows "Null Pointer Exception".

PRJ-30721,
PRHF-19439

Security Management

In a rare scenario, deleting an object using the API command "delete-generic-object uid" fails with "generic_error" and a "Runtime error: Error reading XMLStreamReader" message.

PRJ-31212,
PRHF-19215

Security Management

The CPM Server may fail to start while checking for pending purge operations during startup.

PRJ-30069,
PRHF-19326

Security Management

  • The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
  • On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

PRJ-32651,
PMTR-74947

Security Management

In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database.

PRJ-31083,
PRHF-19251

Security Management

In rare scenarios, the FWM process on the Security Management Server unexpectedly exits.

PRJ-30338,
PRHF-18150

Security Management

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

PRJ-32430,
PRHF-20440

Security Management

In rare scenarios, adding a service to a rule in Access Policy:

  • may take a long time (more than several seconds)
  • may cause SmartConsole to unexpectedly exit.

Refer to sk176004.

PRJ-32361,
PMTR-74598

Security Management

In some cases, when changing only the "color" and "comment" object fields, policy installation may not be accelerated.

PRJ-30037,
PRHF-19187

Security Management

  • The API command "show_packages_details" does not support the "OneTimeProb" parameter, although it is supported in GUI.
  • In some scenarios, the API command "show_packages" with "details-level full" fails with "generic_error".

PRJ-33135,
PRHF-20673

Security Management

When searching in Object Explorer with non-alphanumeric characters (non-Latin letters), no results are found even if there are objects that match the search query.

PRJ-32858,
PRHF-20444

Security Management

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

PRJ-34081,
PMTR-74982

Security Management

In some scenarios, after running an Ansible Playbook, objects are locked even though they were not changed.

PRJ-33554,
PRHF-20961

Security Management

When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead.

PRJ-32449,
PRHF-20062

Security Management

In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data".

PRJ-30532,
PRHF-19542

Security Management

Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out.

PRJ-32555,
PRHF-20390

Security Management

The "Show Policy Package" Tool shows only the UID for a group object and its members instead of their names.

PRJ-34427,
PRHF-21356

Security Management

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

PRJ-30476,
PRHF-19577

Security Management

Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error.

PRJ-34201,
PMTR-76730

Security Management

High Availability synchronization fails when one Management Server is installed on an appliance of the 6000 series and the other one is an Open Server, a Virtual Machine, or installed on an appliance of a different series.

PRJ-33952,
PRHF-20891

Security Management

The "fwm logexport" command may fail with the "Failed to dump tables from NGM" error when running it from the Global Domain on the Multi-Domain Server or from the Log Server.

PRJ-33288,
PRHF-20525

Security Management

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

PRJ-30060,
PRHF-19250

Security Management

In rare scenarios, after Management Server upgrade, importing the database may fail with "Tried to persist object".

PRJ-33980,
PRHF-21115

Security Management

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

PRJ-33865,
PRHF-21129

Security Management

When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout.

PRJ-32670,
PRHF-20485

Security Management

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

PRJ-34036,
PMTR-73939

Security Management

When many sessions are opened:

  • Publish operation may be slow
  • APPI Update may be stuck on 30% and eventually fail
  • Domain Import task may be stuck after 50% and then fail

PRJ-33243,
PRHF-20643

Security Management

In rare scenarios, after an update, the Management Server fails to start.

PRJ-36961,
PRHF-22500

Security Management

Policy installation and "where used" operation may take a long time if there are many inline layers and the "Install On" targets in the Rule Base are not defined as "Any". Refer to sk177928.

PRJ-33169,
PRHF-20782

Multi-Domain Management

The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/.

PRJ-30527,
PRHF-19541

Multi-Domain Management

In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail.

PRJ-36041

Web SmartConsole

UPDATE: Released Take 55 with new features and improvements. Refer to sk170314.

PRJ-27606

Compliance

In some scenarios, auto-update flow fails during updatable object registration.

PRJ-34294,
PMTR-75623

Compliance

After disabling Compliance Best Practices, the user receives security alerts.

  • Requires R81.10 SmartConsole Build 404 (or higher).

PRJ-35952

CPView

In CPView, under "Unified Policy", the "Transactions" and "Memory KB" parameters may be missing on devices with more than 100 interfaces.

PRJ-30665,
PRHF-19620

Logging

  • The "fw log" and "fwm logexport" commands may fail with "Error: Failed to read field".
  • The exported log file may not contain all logs.

Refer to sk176644.

PRJ-32030,
PRHF-19715

Logging

In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log.

PRJ-27593,
PRHF-17000

Logging

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

PRJ-29512,
PRHF-17325

Logging

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically; this can be done only by a manual update. Refer to sk173323.

PRJ-28325,
PRHF-17811

Logging

In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing.

PRJ-27737,
PRHF-12617

Logging

In SmartConsole:

  • In Gateways and Servers view, IP statuses may not be accurate
  • In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

PRJ-28127,
PRHF-17314

Logging

In rare scenarios, in SmartConsole, some logs are not shown.

PRJ-31799,
PRHF-17724

Logging

Logs that are sent by Log Exporter in CEF format cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

PRJ-32239,
PRHF-18539

Logging

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

PRJ-29125,
PRHF-18445

Logging

SmartEvent may not show some of the Anti-Virus logs.

PRJ-32589,
PRHF-20276

Logging

There may be empty values in the "Office Mode IP" field in the Logs view.

PRJ-32087,
PMTR-74297

Logging

A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic.

PRJ-32852,
PRJ-30722

Logging

In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545.

PRJ-28318,
PRHF-18428

Logging

The "Last Update Time" field of a Session Log may show incorrect values.

PRJ-31618,
PRHF-19834

Logging

Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543.

PRJ-30093,
PRHF-18939

Logging

In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403.

PRJ-34692,
PMTR-75532

Logging

In some scenarios, in an environment that includes the SmartEvent Server, the LOG_INDEXER process restarts at midnight, producing a core dump file. Refer to sk177805.

PRJ-31809,
PRHF-19710

Security Gateway

NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

PRJ-31274,
PMTR-73504

Security Gateway

UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229.

PRJ-34451,
PRHF-21182

Security Gateway

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

PRJ-33749,
PMTR-76138

Security Gateway

UPDATE: Added a new flag to the "dynamic_objects" command:

"-uo <name of object>". The user can now see all content of a specific updatable object.

PRJ-32074,
STRM-737

Security Gateway

UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6.

PRJ-30672,
PMTR-16149

Security Gateway

When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may freeze.

PRJ-30671,
PRHF-19179

Security Gateway

In rare scenarios, when a Security Gateway is configured as a Proxy, wrong NAT port reuse may happen for proxied connections that are 5 minutes long.

PRJ-29699,
PRHF-19097

Security Gateway

In a rare scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages.

PRJ-30615,
PRHF-19614

Security Gateway

In rare scenarios, when SACK is enabled, there may be connectivity issues.

PRJ-29542,
PRHF-19048

Security Gateway

After reboot and policy installation, the "No interface configured in SmartCenter server with name mdps_tun. Matching by IP address to interface Mgmt" error may be printed in fwk.elg.

PRJ-30694

Security Gateway

The "Matched rule is not found" error appears when using Suspicious Activity Monitoring (SAM) rules with source and destination networks, or with a NATed IP.

PRJ-33361,
PMTR-72975

Security Gateway

First policy installation after an upgrade may be followed by a warning message: "Updatable Objects are used in the policy but Gateway package is missing (see sk121877)".

PRJ-31969,
PMTR-74144

Security Gateway

In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.

PRJ-32338,
PMTR-72682

Security Gateway

Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message.

PRJ-33083,
PRHF-20436

Security Gateway

Extended logging may show a wrong status of Content Awareness Blade. The issue is only cosmetic.

PRJ-32636,
PMTR-74876

Security Gateway

When ISP Redundancy feature is enabled, the default route may disappear during an ISP's failover.

PRJ-30013,
PRHF-18938

Security Gateway

In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up.

PRJ-31219,
PRHF-19896

Security Gateway

When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED daemon may get incorrect cluster IPs for those tunnels. Refer to sk175887.

PRJ-33514,
PMTR-75878

Security Gateway

CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic.

PRJ-30181,
PRHF-19438

Security Gateway

In a rare scenario, policy push to multiple Security Gateways may fail. Refer to sk177963.

PRJ-31111,
PRHF-14366

Security Gateway

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

PRJ-28831,
PRHF-18098

Security Gateway

Improved the ICAP Server internal memory allocation logic.

PRJ-27611,
PRHF-18068

Security Gateway

A debug message is printed as an error.

PRJ-31272,
PMTR-57716

Security Gateway

The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424.

PRJ-32576,
PMTR-74852

Security Gateway

When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted.

PRJ-33126,
PRHF-20306

Security Gateway

In some scenarios, memory consumption and CPU usage may increase consistently. Refer to sk176370.

PRJ-30600,
PMTR-72836

Security Gateway

In a rare scenario, the Security Gateway may crash during policy installation.

PRJ-33607,
PMTR-75976

Security Gateway

When there are security zones configured in the NAT rulebase and the connection has NAT on the destination, the Security Gateway IP address may still be shown as the source IP, although it should not.

PRJ-32659,
PRHF-20471

Security Gateway

Security Gateway may unexpectedly reboot and create a vmcore file.

PRJ-30295,
PMTR-73017

Security Gateway

Enhanced Check Point Active Streaming (CPAS). Refer to sk177025.

PRJ-30784,
PRHF-19506

Security Gateway

Access Policy installation may fail with "Error code 1-2000078".

PRJ-32425,
PRHF-20294

VPN, Multi-Portal

UPDATE: The certificate validation flow will use OCSP as the default revocation validation method. If an OCSP URL does not exist, CRL will be used as the revocation validation method.

PRJ-31018,
PRHF-19772

Internal CA

In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start.

PRJ-33251,
PRHF-20709

Internal CA, VPN

Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468.

PRJ-29927,
PRHF-19208

Threat Prevention

Threat Prevention policy installation may fail when loading 2 IoC feeds that contain the same signature name for one of the observables.

PRJ-32176,
PMTR-73319

Threat Prevention

In a rare scenario, Security Gateway may crash when the Advanced Forensics Details feature is enabled.

PRJ-33644,
PRJ-27750

Threat Prevention

When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages.

PRJ-36736,
PRHF-22353

Threat Extraction

In some scenarios, when Threat Extraction and Threat Emulation are both enabled, it may take a long time to scan the file before downloading, although there is no active content.

PRJ-32135,
MPTT-5094

Identity Awareness

An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher.

PRJ-32873,
PMTR-75155

Identity Awareness

When the Identity Awareness Blade is enabled on the Security Gateway, rebooting a member may trigger additional reboots. This may cause one of the members to go down with a configuration pnote.

PRJ-27698,
PRHF-17620

Identity Awareness

The PDPD process may fail with "daemon did not respond or not running!" or cause high CPU usage.

PRJ-30949,
IDA-4253

Identity Awareness

In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests.

PRJ-28056,
SPC-1602

Application Control

In a rare scenario, the SSM may encounter an issue and stop working.

PRJ-29770,
PRHF-18914

URL Filtering

In a very rare scenario, when the Application Control (APPI) and URL Filtering Blades are active in hold mode, some applications cannot be identified and the traffic is dropped.

PRJ-27730,
PRHF-15859

IPS

The track logging configuration of Network Quota protection is not applied.

PRJ-28029,
PMTR-69049

IPS

In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade.

PRJ-28492,
PMTR-60451

IPS

In Autonomous Threat Prevention mode, "Profile Name" and "SmartDefense" fields may be missing in the IPS log.

PRJ-30804,
PMTR-70772

IPS

After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Gateways together, Gateways may consume more CPU during rule-match of new connections.

PRJ-30607,
PRHF-18893

DLP

UPDATE: Added temporary files cleaner for file converting operation.

PRJ-30427,
PRHF-17395

DLP

The dlpu process may unexpectedly exit with a core dump file.

PRJ-32902,
PRHF-20458

SSL Inspection

In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file.

PRJ-32885,
PMTR-75079

SSL Inspection

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

PRJ-34447,
PRHF-21039

SSL Inspection

The fwk process may unexpectedly exit during the TLS handshake.

PRJ-31498,
PMTR-73619

SSL Inspection

When HTTPS Inspection is disabled and the "Categorize HTTPS websites" option is enabled, the "failed attaching RSA stub certificate to server" errors may appear in the fwk.elg and wstlsd.elg files during policy installation.

PRJ-33408,
PMTR-72934

SSL Inspection

In rare scenarios, TLS probing connections may remain open for extended periods.

PRJ-34273,
PMTR-76812

SSL Inspection

A memory leak may occur in the WSTLSD process during session resumption for TLS 1.2.

PRJ-31233,
SNX-67

SSL Network Extender

SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760.

PRJ-31176,
PMTR-73946

Mobile Access

UPDATE: Upgraded the jQuery library version (from 1.1 to 3.6).

PRJ-33877,
PMTR-61452

Mobile Access

Policy installation may fail due to table creation issues.

PRJ-28361,
CORXL-251

ClusterXL

Clock jumps forward/backward may cause some operations to fail and the cluster to go down.

PRJ-32472,
PMTR-74101

ClusterXL

Added Syslog support for Cluster events messages.

PRJ-32951,
MBS-14928

ClusterXL

Identity Sharing in VSLS Mode may not work as expected.

PRJ-32941,
PMTR-75157

SecureXL

In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.

PRJ-30820,
PRHF-19417

SecureXL

In a rare scenario, after an upgrade, HTTPS traffic may be dropped.

PRJ-33357,
PMTR-75438

Routing

  • Security Gateway may crash when OSPF inserts or removes an LSA from its database.
  • Neighbor dead timers may have negative values.

PRJ-31488,
PRHF-19472

Routing

In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603.

PRJ-31474,
PMTR-68362

VPN

UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic.

PRJ-30958,
PRHF-19492

VPN

Improvements for DAIP Gateway behind Hide NAT.

PRJ-31133,
PMTR-73498

VPN

In some scenarios, a memory leak may occur in the VPND process.

PRJ-32551,
PMTR-74599

VPN

A memory leak may occur during Office Mode IP allocation.

PRJ-32367,
PRHF-20315

VPN

Improved IKEv2 narrowing.

PRJ-31589,
PRHF-19959

VPN

In some scenarios, VPN tunnel statuses in SmartView Monitor are displayed incorrectly.

PRJ-28270,
PRHF-7443

VPN

A memory leak may occur in the VPND process.

PRJ-32131,
PMTR-74244

VPN

The output of the "vpn tu tlist" command may show a wrong date and time in the "Authenticated at" line, although the machine date and time settings are correct.

PRJ-31291,
PRHF-19707

VPN

Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417.

PRJ-30758,
PRHF-19484

VPN

In some scenarios, when NAT is enabled, Route Based VPN traffic may be dropped.

PRJ-30766,
PRHF-19548

VPN

In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file.

PRJ-30331,
PMTR-73629

VPN

In some scenarios, IKEv2 tunnel may not work due to SA expiration.

PRJ-32520,
PMTR-74732

VPN

Improved establishing IKEv2 tunnel with DAIP peer.

PRJ-32613,
PRHF-20449

VPN

In some scenarios, Remote Client connections in Visitor Mode may cause the fwk process to exit.

PRJ-32761,
PMTR-74107

VPN

The output of the "vpn tu tlist" command may show an incorrect protocol type for S2S tunnels.

PRJ-31701,
PMTR-73801

VPN

When the IKE daemon is enabled, VPN counters in CPView may show an incorrect value.

PRJ-32597,
PMTR-72056

VPN

In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue.

PRJ-29783,
PMTR-72241

VPN

Although the Simultaneous Login Prevention (SLP) feature is on, the user can connect with two clients and receive the same statically assigned Office-Mode IP.

PRJ-33835,
VPNRA-831

VPN

In rare scenarios, when SSL Network Extender (SNX) is in Application Mode, the VPND process may unexpectedly exit.

PRJ-33739,
PMTR-75801

VPN

When applying Secure Configuration Verification (SCV), the VPN client is not able to distinguish between Windows 10 and Windows 11.

PRJ-36421,
PMTR-79305

VPN

In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit.

PRJ-33837,
PMTR-76280

VSX

UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode.

PRJ-32534,
PMTR-74770

VSX

UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

PRJ-28990,
PRHF-15744

VSX

In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

PRJ-33947,
PMTR-76402

VSX

Policy installation on a VS may fail after a cluster conversion between High Availability and Virtual System Load Sharing with the "vsx_util" command.

PRJ-30201,
PRHF-18610

Gaia OS

UPDATE: Added a Clish command "add/show/delete ntp interface" to choose which interfaces the NTP daemon binds to.

PRJ-34590,
PRJ-33871

Gaia OS

Enhanced SNMP module stability.

PRJ-32048,
PRHF-7124

Gaia OS

In some scenarios, adding a Gaia user may result in a high number of zombie sh processes. Refer to sk164259.

PRJ-31972,
PMTR-65544

Gaia OS

The minimum value of VBAT sensor on Quantum appliances is incorrect.

PRJ-31755,
PMTR-70869

Gaia OS

In some scenarios, after adding an SNMP USM user, the confd process may unexpectedly exit.

PRJ-30213,
PRHF-19017

Gaia OS

  • VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
  • IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

PRJ-28962,
PMTR-71672

Gaia OS

After an upgrade, a wrong cipher name appears in the supported cipher list. Refer to sk174863.

PRJ-28686,
PMTR-71763

Gaia OS

In some scenarios, on 6600, 6700 and 6900 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

PRJ-29066,
PMTR-62235

Gaia OS

Wrong output of the "set/delete ip-conflicts-monitor interface" command. The word "value" is printed multiple times. The issue is only cosmetic.

PRJ-33390,
EPS-33930

Harmony Endpoint

NEW: It is now possible to configure Super Node in Harmony Endpoint. Refer to sk171703.

PRJ-32247,
EPS-32816

Harmony Endpoint

NEW: Added new push operations to Endpoint Web Management:

  • Kill Process
  • Remote Command Execution
  • Application Scan

PRJ-32887

Harmony Endpoint

NEW:

  • Added ability to rename the Export Package.
  • Added persistent Notifications Center
  • Improved performance of Asset Management
  • Added extra fields to Asset Management table
  • It is now possible to configure user session idle time on premises
  • Added support for macOS Port Protection
  • Added Connection Awareness settings
  • Added ability to manage IoCs

PRJ-27849,
PRHF-18031

Harmony Endpoint

SmartEndpoint may show deleted certificates as expired.

PRJ-32646,
PRHF-20524

Harmony Endpoint

  • When the option "Any" is deleted in "cpconfig" -> "GUI clients" -> "Modify", the Endpoint Security Server UEPM Apache cannot start.
  • When manually launching UEPM Apache, the following output is shown: "AH00526: Syntax error on line 1 of /opt/CPuepm-R81/apache/conf/acl.conf:ip address 'Require' appears to be invalid"

Refer to sk176186.

PRJ-32391,
PRHF-19878

VoIP

When using SIP, memory usage may increase over time on Active and Standby members.

PRJ-34520,
ODU-200

Smart-1 Cloud

Added support for R81.10 automatic updates of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-31770,
PMTR-73896

CloudGuard Network

Improved the handling of NSX-T Data Center throttling issues.

PRJ-31773,
PRHF-19949

CloudGuard Network

In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway.

PRJ-32232,
CGIS-636

CloudGuard Network

The "vsec_lic_cli update" command now supports IP change in the license string.

PRJ-27904,
PRHF-16098

QoS

In a rare scenario, when QoS is enabled, in SmartView Monitor some traffic may be shown as "No Match".

PRJ-30236,
PRHF-18342

QoS

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

PRJ-34022,
MBS-14876

Scalable Platforms

NEW: Added the HealthCheck Point (HCP) test which validates ports link integrity for Maestro Orchestrator. Refer to sk171436.

PRJ-35159,
ODU-199

Scalable Platforms

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-31311,
PRHF-19908

Scalable Platforms

When IGMP snooping is disabled, using OSPF Multicast may lead to Anti Spoofing drops in SmartConsole.

PRJ-28812,
MBS-14165

Scalable Platforms

SNMP OID .1.3.6.1.4.1.2620.1.48.16 (asgSecureXLStatusBitmask) returns the status of SecureXL as enabled, even when it is not.

PRJ-32416,
MBS-14479

Scalable Platforms

In some scenarios, changing QSFP mode manually does not survive reboot.

PRJ-30617,
PMTR-70886

Scalable Platforms

Multiple traffic drops may occur on Scalable Platforms. Refer to sk173545.

PRJ-31406,
MBS-11234

Scalable Platforms

The "config_verify" command may fail in a Scalable Platforms environment.

PRJ-30630,
MBS-14105

Scalable Platforms

VPN tunnel may fail to establish with "dropped by vpn_inbound_pilicy_chain Reason: VPN inbound nat after vm failed". Refer to sk176404.

PRJ-33379,
MBS-14189

Scalable Platforms

VPN traffic may be dropped due to certificate issues.

PRJ-31507,
PRHF-19991

Scalable Platforms

During policy installation, AD Query may stop working in the Scalable Platforms environment.

PRJ-33185,
PMTR-75375

Scalable Platforms

A RADIUS user that has gclish set as the default shell cannot log in to the Security Group on Scalable Platforms R81.10: "Unable to get user permissions". Refer to sk176364.

PRJ-31870,
MBS-14830

Scalable Platforms

Static routes related to a Warp interface may disappear after enabling the VMAC feature.

PRJ-34101,
MBS-15063

Scalable Platforms

Changing VLAN of an existing interface may cause ARP reply not to be processed by the Gateway. Refer to sk176929.

PRJ-31139,
MBS-14560

Scalable Platforms

Connectivity issues may occur on Identity Server (PDP) in large VSX setups.

PRJ-35011,
MBS-15055

Scalable Platforms

In a rare scenario, the CPD process may crash during policy installation.

PRJ-32678,
PMTR-72608

Scalable Platforms

When two sites with shared LACP bonds are connected to the same switch and VMAC is enabled on both of them, communication with the switch may be lost.

PRJ-34620,
MBS-14133

Scalable Platforms

In some scenarios, a physical link issue on a Maestro Gateway may cause an unexpected site failover, a cluster state change on other Gateways, or packet drops.

PRJ-32165,
PMTR-74488

Scalable Platforms

When the user manually uninstalls R81.10 Jumbo Hotfix Take 22 from an R81.10 Maestro Hyperscale Orchestrator (MHO), the MHO's REST Server remains down, potentially causing traffic issues. Refer to sk177323.

PRJ-31839,
MBS-14732

Scalable Platforms

The CMM is not updated with the time from a configured NTP Server. As a result, SGMs stay in Down state for a long time.

PRJ-31512,
CST-212

Carrier Security

The FWK process may unexpectedly exit producing a core dump when the GTP tunnel expires.

PRJ-34443,
ODU-217

HCP

Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-31774,
INFRA-528

Infrastructure

UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias.

PRJ-29412,
PRHF-19016

Infrastructure

Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452.

PRJ-29952,
PRHF-19115

Infrastructure

In a rare scenario, the user cannot connect to the Mobile Access Portal.