R81.10 Jumbo Hotfix Take 82

NEW:

• Added ability for R81.10 Security Management and Multi-Domain Security Management Server to manage R81.20 Security Gateways. It Requires R81.10 SmartConsole Build 412 (or higher).

• Managing R81.20 Security Gateways in Autonomous Threat Prevention mode requires installing R81.20 Jumbo Hotfix Accumulator.

UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Security Management Server with the Active Global Domain, where the operation is triggered from.

UPDATE: Added a new Management API "mgmt_cli verify-management-license". It allows to check how many Security Gateway objects the Management Server license supports. Note that this API does not support Quantum Maestro and VSX. Refer to Management API Reference.

UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878.

UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message.

UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591.

UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

UPDATE: The "revert to snapshot" operation is now blocked on Scalable Platforms when the snapshot remains from the previous version and is not created as a part of the current upgrade process.

UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it:

• To enable this option:

• on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 1

• to be boot persistent, run g_update_conf_file fwkern.conf fwha_force_present_state_over_active =1

• To disable this option:

• on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 0

• to be boot persistent, rung_update_conf_file fwkern.conf fwha_force_present_state_over_active =0

UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection.

UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436.

On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448.

In rare scenarios, in a large environment, after an IPS update, High Availability synchronization may fail with timeout on the Global Domain.

In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred".

An upgrade may fail with timeout during the import of a large database file.

When running the "show access-rule" API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells.

Access Policy installation may fail with the "Internal error occurred during the verification process" error.

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

In rare scenarios, the FWM process may unexpectedly exit.

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700.

After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole.

Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks.

In a large environment, High Availability synchronization for the Global domain may fail with the "Global domain is busy syncing, please check sync status" error.

"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain.

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

An upgrade of the secondary Multi-Domain Security Management Server or Multi-Domain Log Server may fail when simultaneously upgrading several Servers.

In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit.

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), after several initial logs, they may stop coming to the Log Server.

Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses.

Export to CSV in SmartView may be stuck in the "running" status.

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

There may be stability issues when ICAP client is active.

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the LightSpeed 10/25/40/100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on.

In some scenarios, the CPD process may unexpectedly exit.

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

After an upgrade, Access Control policy installation may fail with an "Update process is already running" message.

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

Threat prevention policy installation fails if a Custom Intelligence Feeds name includes unsupported characters.

File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

The PDPD daemon may frequently exit during the user authentication flow.

SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query.

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash.

After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing.

After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail.

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

A Hide NAT port may be allocated twice causing the "out of state" drops.

In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory because of a memory leak.

In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot.

The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP.

Connections matching the Access Control rules may get timed out, although they should be rejected according to the configuration.

The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931.

The ROUTED process may unexpectedly exit when the route does not have a next hop.

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710.

Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC).

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

See the Important Notes section.

There are trap names duplications in chkpnt.mib and chkpnt-trap.mib which may cause incorrect values when using SNMP traps.

After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups.

In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function.

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

Import of OpenStack Data Center CloudGuard Network objects may fail.

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651.

In some scenarios, a newly added Security Group Member (SGM) continuously reboots, and there are core dump files for the CONFD process. Refer to sk178405.

Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic.

In some scenarios, the SNMPD process may unexpectedly exit.

In a dual site environment with two Maestro Hyperscale Orchestrators on each site, the asg diag test may fail in a mixed appliances setup because of a difference in affinity configuration files.

SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926.

When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID.

Failover/failback may cause a non-DR manager member to change state to Down because the ROUTED unexpectedly exits with pnote.

In a Quantum Maestro environment, the sp_upgrade command may fail when working in VSX mode.