R81.10 Jumbo Hotfix Take 93

Note - This Take contains all fixes from all earlier Takes.

Take 93 Released on 5 March 2023

| ID | Product | Description |
|---|---|---|
| PRJ-43407 | Security Management | NEW: On-premises Security Management Server can now connect to Infinity Portal. This allows: Requires: |
| PRJ-43895 | Security Gateway | NEW: We have extended the grace period of the Compliance Blade to support you for 90 days following contract expiration, to continue providing the best security value during the renewal process. |
| PRJ-43807 | Application Control, URL Filtering | NEW: We have extended the grace period of the Application Control and URL Filtering Blades to support you for 90 days following contract expiration, to continue providing the best security value during the renewal process. |
| PRJ-44255 | Threat Extraction | NEW: We have extended the grace period of the Threat Extraction Blade to support you for 90 days following contract expiration, to continue providing the best security value during the renewal process. |
| PRJ-43910 | SmartView | NEW: We have extended the grace period of the SmartEvent Blade to support you for 90 days following contract expiration, to continue providing the best security value during the renewal process. |
| PRJ-42181 | IPS | NEW: Added the ability to block "HTTP 206 Partial Content" responses from resources with malicious content. |
| PRJ-42658 | IPS | UPDATE: Improved the performance of several IPS protections for traffic that contains repeated sections. |
| PRJ-43723 | SSL Inspection | UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates. |
| PRJ-41419 | Security Management | UPDATE: Connecting a Quantum Security Management Server to Infinity Portal is now supported in a Full High Availability Cluster (where each cluster member has a Security Management Server and a Security Gateway). |
| PRJ-42306 | Security Management | UPDATE: Improved the "Purge revisions" operation to reduce the size of the database. |
| PRJ-36635 | Security Management | UPDATE: Added an option to configure the maximum number of IPS SNORT rules. Add these lines at the end of the `$FWDIR/conf/malware_config` file (or change their values if they already exist); on an MDS, add them to the `$MDS_FWDIR/conf/malware_config` file as well: `[IPS]`, `snort_convertor_max_rules_per_update=<value>`, `snort_convertor_total_rules_num_limit=<value>`. Refer to sk136515. |
| PRJ-41619 | Security Gateway | UPDATE: To reduce policy installation time on a Security Gateway with a large number of CoreXL Firewall instances, use the Check Point Registry parameter `CP_INSTALL_POLICY_MT_LIMIT` to configure the Security Gateway to install the policy simultaneously on groups of CoreXL Firewall instances. Refer to sk182653. |
| PRJ-44559 | Security Gateway | UPDATE: Apache HTTPD was updated from version 2.4.53 to 2.4.55 to fix CVE-2022-37436. |
| PRJ-43613 | Gaia OS | UPDATE: Gaia Cloning Groups now use the highest available TLS version. |
| PRJ-43049 | CloudGuard Network | UPDATE: Added support for Data Centers in the AWS eu-central-2 (Spain), eu-south-2 (Zurich) and ap-south-2 (Hyderabad) regions. |
| PRJ-43025 | CloudGuard Network | UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher. |
| PRJ-42979 | Scalable Platforms | UPDATE: Added support for hardware monitoring of the Maestro Orchestrator MHO-175. |
| PRJ-43404 | Diagnostics | Skyline may not show any information. Refer to sk180748. |
| PRJ-40226 | Security Management | The FWM process may frequently exit. This causes SmartConsole authentication to fail and previously opened dashboards to close. |
| PRJ-43340 | Security Management | In some scenarios, Audit logs may not be created when running remote API commands from Infinity Portal. |
| PRJ-41762 | Security Management | In some scenarios, the CME process fails to start. |
| PRJ-42110 | Security Management | The date of a policy configured with "accelerated installation" may not be updated in logs. |
| PRJ-42410 | Security Management | Login to the Security Management Server or Multi-Domain Security Management Server may fail with a "Connection timeout" error. |
| PRJ-43094 | Security Management | After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails. |
| PRJ-42042 | Security Management | In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail. |
| PRJ-41892 | Security Management | High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server. |
| PRJ-39746 | Security Management | Adding a rule with the Management API and setting the action to "Ask" does not set a default UserCheck if no UserCheck was specified. This may cause policy verification to fail. |
| PRJ-43363 | Security Management | Editing a Global Assignment object using Ansible may fail. |
| PRJ-43317 | Security Management | In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed. |
| PRJ-43254 | Security Management | In some scenarios, the "api status" command shows that the Management API service is stopped. |
| PRJ-43312 | Security Management | The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base. |
| PRJ-43314 | Security Management | Running API commands with the "dereference-max-depth" parameter set to "0" may fail when the "Groups" field is in the reply. |
| PRJ-41928 | Security Management | After an upgrade, while installing a policy, SmartConsole may unexpectedly close with the message "The connection with the server was lost. Any unsaved changes will be preserved". Refer to sk180294. |
| PRJ-42049 | Multi-Domain Security Management | In rare scenarios in a Multi-Domain Security Management environment: |
| PRJ-42302 | Multi-Domain Security Management | Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local Domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain. |
| PRJ-43201 | SmartProvisioning | Deleting an LSM Gateway via the REST API does not revoke the device's VPN certificate. |
| PRJ-43589 | CPView | In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart. |
| PRJ-42100 | CPView | CPView may not show some interfaces. |
| PRJ-33052 | Logging | The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the `When disk space is below <number> Mbytes, start deleting old files` option is not enabled in Disk Space Management. Refer to sk176803. |
| PRJ-39080 | Logging | After an upgrade and a change of the Security Management Server name, logs created before the upgrade are unavailable. |
| PRJ-39608 | Security Gateway | The Security Group Member (SGM) frequently goes through the Lost -> Down -> Active state cycle because of the fullsync pnote. This causes outages. |
| PRJ-41018 | Security Gateway | When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead. |
| PRJ-43705 | Security Gateway | The Security Gateway may crash during policy installation if the Rule Base has multiple layers and the Security Gateway has many interfaces (VLANs). |
| PRJ-41495 | Security Gateway | Stability issues when the ICAP client is active. |
| PRJ-43347 | Security Gateway | A connection may be closed with the error "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" in the fwk.elg file when the HTTP parser does not receive the requested data. |
| PRJ-38809 | Security Gateway | In a rare scenario, when QoS is enabled, the Security Gateway may crash. |
| PRJ-39801 | Security Gateway | After making changes to the Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash. |
| PRJ-40320 | Security Gateway | In rare scenarios, the FWK process can unexpectedly exit and cause an outage. |
| PRJ-42804 | Security Gateway | Stability issues when the ICAP client is active. |
| PRJ-43554 | Security Gateway | The Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled. |
| PRJ-42944 | Security Gateway | When Anti-Spoofing is enabled, the Security Gateway may crash. |
| PRJ-41634 | Security Gateway | Under a high load of fragmented traffic, the Dynamic Dispatcher may send fragments of the same packet to different Firewall instances. This may cause some packets to drop. |
| PRJ-36010 | Security Gateway | The Security Gateway may frequently crash with vmcore files recording an invalid context. |
| PRJ-42102 | Security Gateway | When adding an Access Role object to the NAT Rule Base, connectivity issues may occur on a Security Gateway on which the Identity Awareness Blade is disabled. |
| PRJ-43528 | Security Gateway | In rare scenarios when the ISP Redundancy feature is enabled, the default route disappears after policy installation. |
| PRJ-42088 | Security Gateway | The "fw monitor" command output may contain "no packets left to merge" messages. |
| PRJ-42903 | Internal CA | The certificate in SmartConsole is shown as valid although it is expired. |
| PRJ-41436 | Internal CA | When managing cloud Gateways, the FWM process memory usage may increase. |
| PRJ-38490 | Threat Prevention | In a rare scenario, the mal_conns table may consume a large amount of memory. |
| PRJ-42286 | Threat Prevention | The "ioc_feeds set interval -r" command may fail. |
| PRJ-41598 | Threat Prevention | The Anti-Virus Blade fails to parse external IoC feeds that contain commas in a CSV column field value. |
| PRJ-32738 | Threat Prevention | After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml file. |
| PRJ-42585 | Threat Prevention | When a host with automatic static NAT is used as a Threat Prevention policy object, the object is not enforced. |
| PRJ-42438 | Threat Prevention | Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file. |
| PRJ-37567 | Threat Prevention | When the Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue. |
| PRJ-41688 | Threat Prevention | In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file. |
| PRJ-42999 | Identity Awareness | In a rare scenario, a disconnection between the Identity Server (PDP) and the Identity Gateway (PEP) leads to missing identities on the PEP side. |
| PRJ-42339 | Identity Awareness | In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing. |
| PRJ-41323 | Identity Awareness | A connectivity issue may occur during an Azure AD group fetch, and the "get_http_error_msg - http code is 401" error response is shown in the Identity Awareness logs. |
| PRJ-41221 | Application Control | In some scenarios, the RAD process may freeze after failing to connect to the URL Filtering service. |
| PRJ-41378 | IPS | When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of a fail-close operation. |
| PRJ-42591 | IPS | The Security Gateway may crash during policy installation because of a memory allocation problem. |
| PRJ-35486 | DLP | DLP logs for files uploaded to Microsoft OneDrive do not show the original file names and extensions. Refer to sk178290. |
| PRJ-31705 | Anti-Bot | The "asg perf --delay" command does not change the "refresh time" on the screen. |
| PRJ-43682 | SSL Inspection | In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode. |
| PRJ-43154 | Mobile Access | The CVPND process may unexpectedly exit and create a core dump file. |
| PRJ-41259 | Mobile Access | Web applications may not work correctly when the Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled. |
| PRJ-42468 | Mobile Access | When the Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails, and the HTTPD log incorrectly indicates a compliance issue. |
| PRJ-43116 | ClusterXL | The "cphaprob tablestat" command may fail on a Security Gateway with many interfaces. |
| PRJ-44168 | ClusterXL | When handling HTTP/2 traffic, cluster members may crash, generating vmcores. |
| PRJ-43003 | ClusterXL | Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292. |
| PRJ-42464 | ClusterXL | Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled. |
| PRJ-29668 | SecureXL | When the "fw_tcp_out_of_state_monitor" mode is enabled together with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped although they should pass and be monitored. |
| PRJ-42896 | SecureXL | SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router. |
| PRJ-42575 | SecureXL | Multicast traffic may get dropped, and no logs are generated. |
| PRJ-43056 | Routing | The "show ospf neighbors" command shows incorrect values for the OSPF "Hello" and "Dead" intervals. Refer to sk180486. |
| PRJ-40728 | VPN | In some scenarios, when NAT is configured, VoIP traffic is dropped. |
| PRJ-43595, PRJ-43299 | VPN | Stability issues for data connections (RDP / RTP / FTP / etc.). Refer to sk179651. |
| PRJ-44944 | VPN | When many users in nested groups log in using the Remote Access Client / connect to VPN, and the LDAP topology is large, there may be a spike in CPU usage and a performance impact. Refer to sk180664. |
| PRJ-42879 | VPN | When initiating an IKEv2 tunnel from Check Point to a third party, creating the Child SA fails. Refer to sk180281. |
| PRJ-42561 | VPN | When a user connects with the RADIUS authentication method, the "Authentication method" value in the Mobile Access logs is shown as empty. |
| PRJ-42762 | VPN | Despite the Secure Configuration Verification (SCV) exceptions being configured not to apply to connections, the strongSwan client's traffic is dropped with the "Client's configuration is not verified" error. |
| PRJ-41375 | VPN | The strongSwan Remote Access client can connect but fails to access internal resources. |
| PRJ-42653 | VPN | Stability issues of the VPND and IKED processes. |
| PRJ-41050 | VPN | A memory leak may occur in the VPND process. |
| PRJ-41697 | VSX | The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database. |
| PRJ-42883 | VSX | In VSX, if Dynamic Balancing was manually disabled on R81.10, it is automatically enabled again after an upgrade from R81.10 to R81.20. |
| PRJ-41160 | Gaia OS | The SNMPD process may exit with a timeout when calculating the size of an ARP table with many ARP entries takes a long time. |
| PRJ-41251 | Gaia OS | The backup operation fails if the backed-up directory content is larger than 10 GB. |
| PRJ-42254 | Gaia OS | Running the "save configuration" command a second time in the same Clish session may fail with the "free(): invalid pointer" error. |
| PRJ-42962 | Gaia OS | An IPv6 address may be removed from a bond VLAN interface when changing the bond xmit-hash-policy configuration. Refer to sk180309. |
| PRJ-42526 | Gaia OS | Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181. |
| PRJ-43428 | Gaia OS | In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit. |
| PRJ-42624 | Gaia OS | An SNMP trap may not be sent after a cluster failover that was triggered by running the "clusterXL_admin down" command. |
| PRJ-43651 | Gaia OS | When setting the password hash on cloning group members, some members may not get updated. |
| PRJ-43959 | Gaia OS | When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail. See the Important Notes section. |
| PRJ-40693 | Harmony Endpoint | When connecting to the Security Management Server with SmartEndpoint while the Endpoint component is not activated on the Server, the FWM process may unexpectedly exit. |
| PRJ-43068 | CloudGuard Network | Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between the CloudGuard Network Security controller and VMware vCenter Data. |
| PRJ-43259 | CloudGuard Network | Disabling or removing all network interfaces from a vCenter object is not dynamically reflected in the CloudGuard Controller Data Center object. |
| PRJ-42696 | VoIP | In some scenarios, when using static NAT, VoIP traffic may be affected. |
| PRJ-43517, PRHF-26939 | VoIP | After an upgrade, VoIP and SIP / H.323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
| PRJ-43077 | VoIP | In a multi-INVITE scenario (where a user registers with multiple devices) with the VoIP SIP MultiCore feature enabled, each SIP INVITE may be handled simultaneously on different Firewall instances and cause memory corruption. |
| PRJ-43488 | Scalable Platforms | Running the "show" or "set" commands for SSH in gClish fails. |
| PRJ-31553 | Scalable Platforms | In VSX mode, when configuring affinity settings on Security Group Members, a newly added member may stay in the Down state. |
| PRJ-30229 | Scalable Platforms | The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.) |
| PRJ-31658 | Scalable Platforms | The output of the "asg perf -6" command shows "IPV6 is Disabled". |
| PRJ-43601, PRJ-43213 | Scalable Platforms | The time synchronization task is not performed correctly when using predefined NTP Servers. |
| PRJ-32255 | Scalable Platforms | When running "asg diag verify" in an environment with mixed appliances, the "cores_verifier" check fails if there are unused cores, although it should not. The issue is cosmetic only. |
| PRJ-39602 | Scalable Platforms | The SMO may frequently go through the Lost -> Down -> Active state cycle because of a memory leak in the FWK process. The issue causes failover and outages. |
| PRJ-42192 | Scalable Platforms | In a multiple-upgrade scenario, running the "sp_upgrade-revert" command reverts the setup to the last version, but running it a second time reverts again instead of performing cleanup. |
| PRJ-42899 | Scalable Platforms | When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name. |
| PRJ-44600 | Scalable Platforms | Uninstalling Jumbo Hotfix Take 79-87 from the Maestro Orchestrator may cause the REST Server initialization to fail and lead to connectivity issues. See the Important Notes section. |
| PRJ-44142 | Scalable Platforms | Some Maestro Hyperscale Orchestrator processes may go down after an upgrade and reboot. Refer to sk180509. See the Important Notes section. |
| PRJ-43307 | Scalable Platforms | Minor packet drop may occur during a Maestro Orchestrator graceful reboot. |
| PRJ-40549 | Scalable Platforms | The output of the "asg perf" command may not show active Software Blades. |
| PRJ-43361 | Scalable Platforms | The "set expert-password-hash" command may fail to update the password hash on all cluster members. |