R81.10 Jumbo Hotfix Take 93

NEW: On-premises Security Management Server can now connect to Infinity Portal. This allows:

• to run cloud services, managed in Infinity Portal, on the Security Management Server objects.

• to see a unified log view of all Check Point products: on-premises and in the cloud.

• to run Management APIs on the Security Management Server on-premises from any location through Infinity Portal.

Requires:

1. R81.10 SmartConsole Build 410 (or higher).

2. Web SmartConsole Take 76 (or higher)

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

UPDATE: Connecting a Quantum Security Management Server to Infinity Portal is now supported in the Full High Availability Cluster (when each cluster member has a Security Management Server and a Security Gateway).

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

UPDATE: Added support for Data Centers in AWS eu-central-2 (Spain) and eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions.

UPDATE: Added support for monitoring hardware of Maestro Orchestrator MHO-175.

The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed.

In some scenarios, the CME process fails to start.

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail.

Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure.

In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed.

The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base.

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain.

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803.

The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages.

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash.

Stability issues when ICAP client is active.

When Anti-Spoofing is enabled, the Security Gateway may crash.

The Security Gateway may frequently crash with vmcore files, recording invalid context.

In rare scenarios when ISP Redundancy feature is enabled, default route disappears after policy installation.

The certificate in SmartConsole is shown as valid, although it is expired.

In a rare scenario, the mal_conns table may consume a large amount of memory.

Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value.

When using a host with automatic static NAT in a Threat Prevention policy object, the object will not be enforced.

When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue.

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

A connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs.

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode.

Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored.

Multicast traffic may get dropped, and no logs are generated.

In some scenarios, when NAT is configured, VoIP traffic is dropped.

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

StrongSWAN Remote Access client can connect but fails to access internal resources.

A memory leak may occur in the VPND process.

In VSX, if Dynamic Balancing was manually disabled on R81.10, after an upgrade from R81.10 to R81.20, it automatically gets enabled.

The backup operation fails if the backed-up directory content is larger than 10GB.

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

When setting password hash on cloning group members, some members may not get updated.

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

After an upgrade, VoIP and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

Running the "show" or "set" commands for SSH in gClish fails.

The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.)

Time synchronization task is not performed correctly when using predefined NTP Servers.

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name.

Some Maestro Hyperscale Orchestrator processes may go down after an upgrade and reboot. Refer to sk180509.

See the Important Notes section.

The output of the "asg perf" command may not show active software Blades.