R81.10 Jumbo Hotfix Take 61

Note - This Take contains all fixes from all earlier Takes.

ID | Product | Description |
---|---|---|
Take 61 Released on 2 June 2022 | | |
PRJ-38783 | Security Management | NEW: Added a new Management API command "show-servers-and-processes" to show the status of all processes on the Multi-Domain Server and all Domain Management / Log Servers. |
PRJ-36588, PMTR-72224 | Security Management | NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509. This applies both to SmartProvisioning and SmartUpdate. |
PRJ-33297 | Security Management | UPDATE: LSM Cluster object names can now be defined without using the prefix and suffix options. |
PRJ-33953 | Security Management | Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain. |
PRJ-34774 | Security Management | When adding a new Interface to an existing Cluster via Management API, the operation may fail with an "Action Failed due to an Internal Error" message. |
PRJ-35951 | Security Management | Compliance results for some rules are not available after changing the "Policy Range" of a user-defined rule to a value below 100%. Refer to sk177544. |
PRJ-35018 | Security Management | Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring the cluster's interfaces on only one member. Refer to sk177129. |
PRJ-35226 | Security Management | When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265. |
PRJ-37496 | Security Management | In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249. |
PRJ-37579 | Security Management | In some scenarios, after editing Blades in Simple-gateway/Cluster Ansible modules, the Blades are not changed, and Ansible shows that no changes occurred. |
PRJ-37625 | Security Management | Upgrade of the secondary Security Management Server or Multi-Domain Management Server may fail due to a High Availability synchronization issue. |
PRJ-33803 | Security Management | The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty. |
PRJ-37328 | Security Management | In some scenarios, the policy installation may fail after editing the trac_client_1.ttm configuration file. Refer to sk174646. |
PRJ-35758 | Security Management | In rare scenarios, deleting a Security Gateway may fail. |
PRJ-37063 | Security Management | After installing policy on a new cluster, the cluster object status may be "Not Available", even though all Cluster members' statuses changed to "OK". |
PRJ-37368 | Security Management | Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy. |
PRJ-33077 | Security Management | Updating objects with Management API may fail when editing the "groups" field and object UID is specified. |
PRJ-35299 | Security Management | When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile. |
PRJ-36747 | Security Management | Accelerated Install Policy may fail with the verification error: "Rule-name has security zone objects that are not attached to any interface used in Cluster-name", when the rule contains Security Zone and the install-on target is a cluster. |
PRJ-32818 | Security Management | In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768. |
PRJ-38149 | Security Management | Cloud Shadow Objects verification may take several minutes. |
PRJ-33028 | Security Management | IPS profiles and network objects may not be shown in certain views in SmartConsole. |
PRJ-39178, PRHF-23750 | Security Management | In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error. |
PRJ-38394 | SmartConsole | UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain. |
PRJ-38038 | SmartProvisioning | UPDATE: Added a new Management API command "verify-management-license", which verifies whether the Domain Management license covers all installed Security Gateways in the Domain. Refer to sk178544. |
PRJ-38038 | SmartProvisioning | LSM devices that were created via the LSM REST API may not fetch the VPN certificate correctly. |
PRJ-38127, PMTR-80530 | SmartProvisioning | After an SMB firmware upgrade, policy fetch may fail with the "Version matching problem" error. |
PRJ-38359, PMTR-82092 | SmartProvisioning | Improved the time of creating a new LSM object using the LSM API in large environments. |
PRJ-37593 | SmartView | UPDATE: Security Check-Up report will now show the new Check Point logo and updated cover page. |
PRJ-36623 | Logging | UPDATE: SmartView reports will now show the new Check Point logo. |
PRJ-35977, PRHF-21400 | Logging | "Failed to open /opt/CPsuite-R81.10/fw1/log/" messages may appear in the log_indexer.elg file because of files ending with the ".log" suffix although they are not actual log files. |
PRJ-29175 | Logging | Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log. |
PRJ-33518 | Logging | Improved samples visibility in SmartView Widgets. |
PRJ-34251 | Logging | There may be an incorrect error message related to the MakeConnection method. |
PRJ-34143 | Logging | On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904. |
PRJ-35202 | Logging | In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627. |
PRJ-37898 | Logging | Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP. |
PRJ-35013, PMTR-75595 | Logging | In SmartView, downloading multiple reports from Archive may fail. |
PRJ-36656 | Security Gateway | NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows skipping the "before drop" implied rules and enforcing policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled. Refer to sk105740. |
PRJ-31496 | Security Gateway | UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. In case a shadow rule exists, the new shadow rule will override the existing shadow rule. |
PRJ-29964 | Security Gateway | UPDATE: Added a two-minute grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287. |
PRJ-38690 | Security Gateway | UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to the Management Plane (MPLANE). |
PRJ-37530 | Security Gateway | Improved Gateway internal memory allocation logic. |
PRJ-33931 | Security Gateway | Cluster failover may trigger the FWK process to exit, with no traffic impact. |
PRJ-33700 | Security Gateway | In some scenarios, file download may fail with the "Connection queue exceeded max size" error. |
PRJ-37013 | Security Gateway | Gaia Clish "show" commands for Multi-Queue may fail in a Management Data Plane Separation (MDPS) environment. |
PRJ-37610 | Security Gateway | When using the DAIP Gateway object in the Access Rule Base, the "fwdnd_log_info_lookup failed" debug error may appear in the fwk.elg log, if the relevant rule has log track. Refer to sk178670. |
PRJ-37355 | Security Gateway | Uninstalling Jumbo Hotfix may cause interfaces to disappear. |
PRJ-27903 | Security Gateway | In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection. |
PRJ-36049 | Security Gateway | In a rare scenario, DNS connection may be dropped with a "up_manager_cmi_handler_match_cb: connection not found" message. |
PRJ-34728 | Security Gateway | In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with one of these errors: |
PRJ-33860 | Security Gateway | In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration), the ISP link is down. |
PRJ-34789 | Security Gateway | In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn". |
PRJ-36516 | Security Gateway | In a rare scenario, a memory leak in the FWD process may occur during Threat Prevention policy installation. |
PRJ-39122 | Security Gateway | When installing policy with acceleration in a loop, after some time, SIC may get disconnected, and installation fails. Refer to sk180397. |
PRJ-38045 | Threat Prevention | Added Update 14 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109. |
PRJ-35185, PRJ-35154 | Threat Prevention | While using the Security Zone object in the "Source" column in the Threat Prevention policy, Security Gateways R80.40 and lower do not drop traffic. Refer to sk177605. |
PRJ-36166 | Identity Awareness | In a rare scenario, the PDP process may unexpectedly exit with a core dump file. |
PRJ-35853 | Identity Awareness | The PEP process may unexpectedly exit. |
PRJ-37545 | IPS | In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail. |
PRJ-37980 | IPS | In a rare scenario, a traffic outage may occur. |
PRJ-32611 | IPS | When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites, the Gateway may drop traffic. |
PRJ-30126 | SSL Inspection | When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345. |
PRJ-38258 | SSL Inspection | In some scenarios, the FWK process may unexpectedly exit during the TLS handshake. |
PRJ-35071 | ClusterXL | When creating a new virtual system, some VSLS parameters like the Virtual System's weight value may be displayed incorrectly. |
PRJ-35169 | ClusterXL | A single cluster member with Dynamic Routing configuration may stay permanently in the DOWN state, producing a routed pnote during boot. |
PRJ-34397 | ClusterXL | When Dynamic Routing protocols are configured on a cluster, a failover to a member that just rebooted may cause an outage of a few seconds. |
PRJ-35229 | ClusterXL | In an Active/Active cluster, potential FTP data connection interruption may occur during failover. |
PRJ-37436 | ClusterXL | There may be connectivity issues for multicast traffic in PIM Sparse Mode. |
PRJ-36616 | ClusterXL | During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510. See the Important Notes section. |
PRJ-36178 | ClusterXL | In the Virtual Device Status table, in VS0 context, the output shows the Active-Active status on two members instead of Active-Standby. The issue is cosmetic only. |
PRJ-39740, ACCHA-1767 | SecureXL | When using tcpdump on the LightSpeed 10/25/40/100G QSFP28 interfaces and the "-i" flag is combined with other flags (for example, -nnni or -ei), tcpdump cannot find the RDMA index. |
PRJ-38503 | CoreXL | An Active member in a cluster may perform a full reboot during policy installation. |
PRJ-37512 | Routing | The "set route-redistribution to rip from interface" CLI command may fail with load configuration errors. |
PRJ-36438 | VPN | Machine Authentication stability improvements for Remote Access Endpoint Clients. |
PRJ-29545 | VPN | Newly defined ROBO Gateways cannot connect until policy installation. |
PRJ-38729 | VPN | In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767. See the Important Notes section. |
PRJ-37464 | VPN | The VPND process may unexpectedly exit. |
PRJ-35048 | VPN | In some scenarios, NAT-T tunnel establishment may fail. |
PRJ-34212 | VPN | IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name. |
PRJ-37591 | VPN | During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high. |
PRJ-29882 | VPN | Improved VPN interoperability. |
PRJ-37283 | VPN | VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments. |
PRJ-34673 | VSX | UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems. |
PRJ-36769 | VSX | VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface. |
PRJ-33473 | VSX | In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously. |
PRJ-32080 | VSX | When creating a static route on a virtual system, some network objects may be created with the same name inside the network group, which causes writing the object to the database to fail. |
PRJ-39511, PMTR-83472 | VSX | After creating a VSX Gateway, traffic may not go through the VSX Gateway correctly because of synchronization issues of the cphwd_enable_ecmp parameter with SecureXL. |
PRJ-37618 | VSX | After an upgrade from R80.20SP/R80.30SP to R81.10, pushing accelerated policy may cause all non-SMO SG Members to go down. |
PRJ-35505 | VSX | There may be a mismatch of the policy name on a virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic. |
PRJ-36689 | VSX | In a Multi-Domain environment, the "vsx_util vsls" command may take a few minutes to run. |
PRJ-35279 | VSX | In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation. |
PRJ-36788 | VSX | The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0. |
PRJ-38204 | VSX | In some scenarios, the VSX Security Gateway may not decrease the packet's TTL. |
PRJ-36756 | Gaia OS | NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-36088 | Gaia OS | WebUI session may end when creating a Role with full permissions. |
PRJ-39097 | Gaia OS | Dynamic routing SNMP OID polling may work only in VSX mode. |
PRJ-33555, PMTR-75925 | Gaia OS | In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443. |
PRJ-37120 | VoIP | When static NAT is configured, VoIP calls may not work. |
PRJ-38024 | Public Cloud CA Bundle | Added Take 18 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-37054 | CloudGuard Network | In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904. |
PRJ-37604 | CloudGuard Network | In Amazon Web Services (AWS), some Gateways may crash frequently with vmcores. |
PRJ-36365 | CloudGuard Network | When booting up, the NSX-T CloudGuard Gateway may crash. Refer to sk177703. |
PRJ-37948 | CloudGuard Network | In some scenarios, mapping of AWS Data Centers may take a long time to complete. |
PRJ-37777 | CloudGuard Network | During boot on KVM with 10 or more interfaces, the interface order may change. |
PRJ-37148 | Smart-1 Cloud | Added Update 4 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-32820 | Quantum Appliances | NEW: Added support for Quantum LightSpeed Appliances Initial Release (Threat Prevention Stream). Refer to sk179432. |
PRJ-36594 | Scalable Platforms | NEW: A new module parameter "ccl_correct_dr_between_chassis" is added. |
PRJ-39644 | Scalable Platforms | UPDATE: Added PIM support for Scalable Platforms. |
PRJ-39964 | Scalable Platforms | UPDATE: The "asg_perf_hogs" test was moved from asg_diag to HCP. Refer to sk171436. |
PRJ-28273 | Scalable Platforms | |
PRJ-36649 | Scalable Platforms | Running "cphaconf debug_data" in VSX context may cause the Gateway to crash. |
PRJ-36916 | Scalable Platforms | During policy installation, the status of the Single Management Object (SMO) may not be stable. |
PRJ-35089 | Scalable Platforms | Security Group may drop traffic during an internal failover between Security Group members when Dynamic Anti-Spoofing is enabled. Refer to sk177946. |
PRJ-34049 | Scalable Platforms | After changing Multi-Queue configurations, members may remain in Down state. |
PRJ-34054 | Scalable Platforms | Non-SMO members may go to Down state after Anti-Malware policy installation failed. Refer to sk177607. |
PRJ-32451 | Scalable Platforms | In rare scenarios, changing the number of CoreXL instances in SP environments with many virtual systems may fail. |
PRJ-39044 | Scalable Platforms | On Maestro Orchestrator, packet loss may occur during Jumbo Hotfix Accumulator installation or uninstallation. |
PRJ-37854 | Scalable Platforms | When the LLDPD and SNMPD coredump files are generated, zombie processes may be created and cause warnings in HCP with no impact. |
PRJ-33665 | Scalable Platforms | In Clish, it may not be possible to add to a Security Group two Gateways with Maestro Orchestrator on each site. |
PRJ-34924, PMTR-76870 | Scalable Platforms | On Maestro Orchestrator, the SSM_PMD process may consume high CPU. |
PRJ-39951, PMTR-74569 | Scalable Platforms | The asg_hw_utilization and asg_resource tests have broken output. Refer to sk179426. See the Important Notes section. |
PRJ-38037 | Scalable Platforms | Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-38225 | HCP | Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436. |