R81.10 Jumbo Hotfix Take 61

 

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 61

Released on 2 June 2022

PRJ-38783,
PMTR-81440

Security Management

NEW: Added a new Management API command "show-servers-and-processes" to show the status of all processes on the Multi-Domain Server and all Domain Management / Log Servers.

PRJ-36588,
PMTR-72224

Security Management

NEW: Added support for Quantum Spark Appliances with R81.10.x Gaia Embedded (Early Availability). Refer to sk178509.

This applies both to SmartProvisioning and SmartUpdate.

PRJ-33297,
PMTR-73362

Security Management

UPDATE: LSM Cluster object names can now be defined without using the prefix and suffix options.

PRJ-33953,
PMTR-76788

Security Management

Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.

PRJ-34774,
PRHF-21487

Security Management

When adding a new Interface to an existing Cluster via Management API, the operation may fail with an "Action Failed due to an Internal Error" message.

PRJ-35951,
PRHF-21894

Security Management

Compliance results for some rules are not available after changing the "Policy Range" of a user-defined rule to a value below 100%. Refer to sk177544.

PRJ-35018,
PRHF-21705

Security Management

Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when the cluster's interfaces are configured on only one member. Refer to sk177129.

PRJ-35226,
PRHF-21778

Security Management

When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265.

PRJ-37496,
PRHF-22409

Security Management

In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249.

PRJ-37579,
PMTR-80846

Security Management

In some scenarios, after editing Blades in Simple-gateway/Cluster Ansible modules, the Blades are not changed, and Ansible shows that no changes occurred.

PRJ-37625,
PMTR-80948

Security Management

Upgrade of the secondary Security Management Server or Multi-Domain Management Server may fail due to a High Availability synchronization issue.

PRJ-33803,
PMTR-76103

Security Management

The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty.

PRJ-37328,
PRHF-22577

Security Management

In some scenarios, the policy installation may fail after editing the trac_client_1.ttm configuration file. Refer to sk174646.

PRJ-35758,
PRHF-21875

Security Management

In rare scenarios, deleting a Security Gateway may fail.

PRJ-37063,
PRHF-22501

Security Management

After installing policy on a new cluster, the cluster object status may be "Not Available", even though the statuses of all Cluster members changed to "OK".

PRJ-37368,
PRHF-22678

Security Management

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy.

PRJ-33077,
PMTR-75039

Security Management

Updating objects with Management API may fail when editing the "groups" field and object UID is specified.

PRJ-35299,
PMTR-75023

Security Management

When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile.

PRJ-36747,
PRHF-22326

Security Management

Accelerated Install Policy may fail with the verification error: "Rule-name has security zone objects that are not attached to any interface used in Cluster-name", when the rule contains Security Zone and the install-on target is a cluster.

PRJ-32818,
PRHF-20492

Security Management

In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768.

PRJ-38149,
PRHF-23139

Security Management

Cloud Shadow Objects verification may take several minutes.

PRJ-33028,
PMTR-73892

Security Management

IPS profiles and network objects may not be shown in certain views in SmartConsole.

PRJ-39178,
PRHF-23750

Security Management

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error.

PRJ-38394,
PMTR-72637

SmartConsole

UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain.

PRJ-38038,
PMTR-80819

SmartProvisioning

UPDATE: Added a new Management API command "verify-management-license". It verifies whether the Domain Management license covers all installed Security Gateways in the Domain. Refer to sk178544.

PRJ-38038,
PMTR-80819

SmartProvisioning

LSM devices that were created via the LSM REST API may not fetch the VPN certificate correctly.

PRJ-38127,
PMTR-80530

SmartProvisioning

After an SMB firmware upgrade, policy fetch may fail with the "Version matching problem" error.

PRJ-38359,
PMTR-82092

SmartProvisioning

Improved the time of creating a new LSM object using the LSM API in large environments.

PRJ-37593,
PMTR-77255

SmartView

UPDATE: Security Check-Up report will now show the new Check Point logo and updated cover page.

PRJ-36623,
PMTR-79023

Logging

UPDATE: SmartView reports will now show the new Check Point logo.

PRJ-35977,
PRHF-21400

Logging

"Failed to open /opt/CPsuite-R81.10/fw1/log/" messages may appear in the log_indexer.elg file because of files ending with the ".log" suffix although they are not actual log files.

PRJ-29175,
PRHF-18866

Logging

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log.

PRJ-33518,
PMTR-71704

Logging

Improved samples visibility in SmartView Widgets.

PRJ-34251,
PRHF-21188

Logging

There may be an incorrect error message related to the MakeConnection method.

PRJ-34143,
PRHF-21218

Logging

On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.

PRJ-35202,
PRHF-20349

Logging

In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627.

PRJ-37898,
PRHF-22858

Logging

Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP.

PRJ-35013,
PMTR-75595

Logging

In SmartView, downloading multiple reports from Archive may fail.

PRJ-36656,
PMTR-77355

Security Gateway

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows skipping the "before drop" implied rules and enforcing policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled. Refer to sk105740.

PRJ-31496,
PRHF-7049

Security Gateway

UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. In case a shadow rule exists, the new shadow rule will override the existing shadow rule.

PRJ-29964,
UP-452

Security Gateway

UPDATE: Added a two-minute grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.

PRJ-38690,
PRHF-22315

Security Gateway

UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to the Management Plane (MPLANE).

PRJ-37530,
PRHF-22491

Security Gateway

Improved Gateway internal memory allocation logic.

PRJ-33931,
PRHF-20845

Security Gateway

Cluster failover may trigger the FWK process to exit, with no traffic impact.

PRJ-33700,
PMTR-72984

Security Gateway

In some scenarios, file download may fail with the "Connection queue exceeded max size" error.

PRJ-37013,
PRHF-22369

Security Gateway

Gaia Clish "show" commands for Multi-Queue may fail in a Management Data Plane Separation (MDPS) environment.

PRJ-37610,
PMTR-80518

Security Gateway

When using the DAIP Gateway object in the Access Rule Base, the "fwdnd_log_info_lookup failed" debug error may appear in the fwk.elg log, if the relevant rule has log track. Refer to sk178670.

PRJ-37355,
PRJ-35902

Security Gateway

Uninstalling Jumbo Hotfix may cause interfaces to disappear.

PRJ-27903,
PRHF-17754

Security Gateway

In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.

PRJ-36049,
PMTR-78861

Security Gateway

In a rare scenario, DNS connection may be dropped with a "up_manager_cmi_handler_match_cb: connection not found" message.

PRJ-34728,
PRHF-21103

Security Gateway

In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with one of these errors:

  • "Content Awareness - Error while processing X: Timeout reach during text extraction."

  • "Content Awareness - Error while processing X: File appears corrupted"

  • "Too many files in archive"

  • "SSH parsing error occurred."

PRJ-33860,
PMTR-76224

Security Gateway

In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration), the ISP link is down.

PRJ-34789,
PMTR-65164

Security Gateway

In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn".

PRJ-36516,
PRHF-22273

Security Gateway

In a rare scenario, a memory leak in the FWD process may occur during Threat Prevention policy installation.

PRJ-39122

Security Gateway

When installing policy with acceleration in a loop, after some time, SIC may get disconnected, and installation fails. Refer to sk180397.

PRJ-38045,
ODU-283

Threat Prevention

Added Update 14 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109.

PRJ-35185,
PRJ-35154

Threat Prevention

While using the Security Zone object in the "Source" column in the Threat Prevention policy, Security Gateways R80.40 and lower do not drop traffic. Refer to sk177605.

PRJ-36166,
PRHF-21680

Identity Awareness

In a rare scenario, the PDP process may unexpectedly exit with a core dump file.

PRJ-35853,
PRHF-22037

Identity Awareness

The PEP process may unexpectedly exit.

PRJ-37545,
PRHF-22301

IPS

In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail.

PRJ-37980,
PMTR-81714

IPS

In a rare scenario, a traffic outage may occur.

PRJ-32611,
PRHF-20132

IPS

When Anti-Virus and/or gzip inspection are enabled on the Gateway, during Cloudflare inspection of specific websites, the Gateway may drop traffic.

PRJ-30126,
PMTR-66344

SSL Inspection

When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.

PRJ-38258,
PMTR-81157

SSL Inspection

In some scenarios, the FWK process may unexpectedly exit during the TLS handshake.

PRJ-35071,
PMTR-67275

ClusterXL

When creating a new virtual system, some VSLS parameters, such as the Virtual System's weight value, may be displayed incorrectly.

PRJ-35169,
PMTR-77780

ClusterXL

A single cluster member with Dynamic Routing configuration may stay permanently in the DOWN state, producing a routed pnote during boot.

PRJ-34397,
PMTR-76763

ClusterXL

When Dynamic Routing protocols are configured on a cluster, a failover to a member that just rebooted may cause an outage of a few seconds.

PRJ-35229,
PMTR-70530

ClusterXL

In an Active/Active cluster, potential FTP data connection interruption may occur during failover.

PRJ-37436,
PMTR-80319

ClusterXL

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

PRJ-36616,
PMTR-71442

ClusterXL

During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510.

See the Important Notes section.

PRJ-36178,
PMTR-51050

ClusterXL

In the Virtual Device Status table, in VS0 context, the output shows the Active-Active status on two members instead of Active-Standby. The issue is cosmetic only.

PRJ-39740,
ACCHA-1767

SecureXL

When using tcpdump on the LightSpeed 10/25/40/100G QSFP28 interfaces and the "-i" flag is combined with other flags (for example, -nnni or -ei), tcpdump cannot find the RDMA index.

PRJ-38503,
PRHF-23143

CoreXL

An Active member in a cluster may perform a full reboot during policy installation.

PRJ-37512,
PMTR-80136

Routing

The "set route-redistribution to rip from interface" CLI command may fail with load configuration errors.

PRJ-36438,
PMTR-78967

VPN

Machine Authentication stability improvements for Remote Access Endpoint Clients.

PRJ-29545,
VPNS2S-2548

VPN

Newly defined ROBO Gateways cannot connect until policy installation.

PRJ-38729

VPN

In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.

See the Important Notes section.

PRJ-37464,
PRHF-21891

VPN

The VPND process may unexpectedly exit.

PRJ-35048,
PMTR-77549

VPN

In some scenarios, NAT-T tunnel establishment may fail.

PRJ-34212,
PMTR-74824

VPN

IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.

PRJ-37591,
PRHF-22751

VPN

During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high.

PRJ-29882,
PRHF-19050

VPN

Improved VPN interoperability.

PRJ-37283,
PRHF-22452

VPN

VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments.

PRJ-34673,
PMTR-77130

VSX

UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.

PRJ-36769,
PMTR-52576

VSX

VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.

PRJ-33473,
PMTR-73998

VSX

In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously.

PRJ-32080,
PMTR-74295

VSX

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group, which causes writing the object to the database to fail.

PRJ-39511,
PMTR-83472

VSX

After creating a VSX Gateway, traffic may not go through the VSX Gateway correctly because of synchronization issues of the cphwd_enable_ecmp parameter with SecureXL.

PRJ-37618,
PMTR-80850

VSX

After an upgrade from R80.20SP/R80.30SP to R81.10, pushing accelerated policy may cause all non-SMO SG Members to go down.

PRJ-35505,
PMTR-62860

VSX

There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.

PRJ-36689,
PMTR-72627

VSX

In a Multi-Domain environment, the "vsx_util vsls" command may take a few minutes to run.

PRJ-35279,
PMTR-76457

VSX

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via Clish is deleted without validation.

PRJ-36788,
PMTR-79249

VSX

The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.

PRJ-38204,
PRHF-23118

VSX

In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.

PRJ-36756,
PRJ-36770

Gaia OS

NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.

PRJ-36088,
PMTR-78169

Gaia OS

WebUI session may end when creating a Role with full permissions.

PRJ-39097,
PRHF-23641

Gaia OS

Dynamic routing SNMP OID polling may work only in VSX mode.

PRJ-33555,
PMTR-75925

Gaia OS

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

PRJ-37120,
PRHF-18358

VoIP

When static NAT is configured, VoIP calls may not work.

PRJ-38024,
ODU-342

Public Cloud CA Bundle

Added Take 18 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-37054,
PRHF-20096

CloudGuard Network

In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904.

PRJ-37604,
PRHF-22145

CloudGuard Network

In Amazon Web Services (AWS), some Gateways may crash frequently with vmcores.

PRJ-36365,
PRHF-22181

CloudGuard Network

When booting up, the NSX-T CloudGuard Gateway may crash. Refer to sk177703.

PRJ-37948,
PRHF-22994

CloudGuard Network

In some scenarios, mapping of AWS Data Centers may take a long time to complete.

PRJ-37777,
PMTR-76723

CloudGuard Network

During boot on KVM with 10 or more interfaces, the interface order may change.

PRJ-37148,
ODU-286

Smart-1 Cloud

Added Update 4 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-32820

Quantum Appliances

NEW: Added support for Quantum LightSpeed Appliances Initial Release (Threat Prevention Stream). Refer to sk179432.

PRJ-36594,
MBS-13315

Scalable Platforms

NEW: A new module parameter "ccl_correct_dr_between_chassis" is added.

  • Setting it to 0 disables inter-chassis corrections.

  • Setting it to 1 returns to the default behavior.

Refer to sk177943.

PRJ-39644

Scalable Platforms

UPDATE: Added PIM support for Scalable Platforms.

PRJ-39964

Scalable Platforms

UPDATE: The "asg_perf_hogs" test was moved from asg_diag to HCP. Refer to sk171436.

PRJ-28273,
PMTR-70624

Scalable Platforms

  • The command "snapshot-onetime" (import/export, from/to a remote server) is not supported yet on Scalable Platforms.

  • Scalable Platforms support only the local Gaia snapshot.

PRJ-36649,
MBS-15367

Scalable Platforms

Running "cphaconf debug_data" in VSX context may cause the Gateway to crash.

PRJ-36916,
PRHF-22274

Scalable Platforms

During policy installation, the status of the Single Management Object (SMO) may not be stable.

PRJ-35089,
PRHF-21133

Scalable Platforms

Security Group may drop traffic during an internal failover between Security Group members when Dynamic Anti-Spoofing is enabled. Refer to sk177946.

PRJ-34049,
PMTR-76324

Scalable Platforms

After changing Multi-Queue configurations, members may remain in Down state.

PRJ-34054,
MBS-14488

Scalable Platforms

Non-SMO members may go to Down state after Anti-Malware policy installation failed. Refer to sk177607.

PRJ-32451,
PMTR-71738

Scalable Platforms

In rare scenarios, changing the number of CoreXL instances in SP environments with many virtual systems may fail.

PRJ-39044,
PRJ-39191

Scalable Platforms

On Maestro Orchestrator, packet loss may occur during Jumbo Hotfix Accumulator installation or uninstall.

PRJ-37854,
PMTR-81227

Scalable Platforms

When the LLDPD and SNMPD coredump files are generated, zombie processes may be created and cause warnings in HCP with no impact.

PRJ-33665,
PMTR-74404

Scalable Platforms

In Clish, it may not be possible to add to a Security Group two Gateways with Maestro Orchestrator on each site.

PRJ-34924,
PMTR-76870

Scalable Platforms

On Maestro Orchestrator, the SSM_PMD process may consume high CPU.

PRJ-39951,
PMTR-74569

Scalable Platforms

The asg_hw_utilization and asg_resource tests have broken output. Refer to sk179426.

See the Important Notes section.

PRJ-38037,
ODU-341

Scalable Platforms

Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-38225,
ODU-349

HCP

Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436.