List of All Resolved Issues and New Features in R81.20 Jumbo Hotfix Accumulator

 

Review the Important Notes section before installing a new Take.

ID

Product

Description

Take 45

Released on 30 January 2024

PRJ-52492,

PMTR-99615

ClusterXL

The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891.

See the Important Notes section.

PRJ-52559,

PMTR-100084

Security Gateway

When in the NAT Rule Base there are domain objects with uppercase letters, the NAT rules may not be matched.

See the Important Notes section.

Take 43

Released on 8 January 2024

PRJ-50012,

PRJ-49119,

PMTR-94679,
PMTR-94786

Security Management

NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers.

PRJ-48759,
PRJ-51416

SD-WAN

NEW: Added Quantum SD-WAN local breakout and VPN overlay support for Security Gateways with dynamic IP addresses.

PRJ-47122,
PMTR-92660

Anti-Spam

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-45065,
PRHF-28095

Security Management

UPDATE: Added support for scheduling automatic purges of the System Data domain.

PRJ-46326

Security Management

UPDATE: Added support for the VPN certificate alert feature for Quantum Spark Appliances R81.10.X.

PRJ-47499,
PMTR-92999

Security Management

UPDATE: Added a new API version (1.9.1). Refer to Management API Reference.

PRJ-52357,
ODU-1400

CPView

UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-48300,
PMTR-93298

SmartConsole

UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.

  • Requires installing SmartConsole R81.20 Build 651 (or higher).

PRJ-49364,
PRHF-28875

Security Gateway

UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302.

PRJ-46317,
PMTR-92164

Security Gateway

UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log.

PRJ-46558,
PMTR-92206

Security Gateway

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

PRJ-48447,
PMTR-94030

Threat Prevention

UPDATE: Improved the parser of Custom Intelligence feeds to support values written in "Camel case", where multiple words are combined without spaces, and each word begins with a capital letter.

PRJ-51511,
ODU-1248

Threat Prevention

UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-48139,
PMTR-93683

Threat Prevention

UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds.

PRJ-43434,
PRHF-26673

Threat Prevention

UPDATE: It is now possible to add exceptions to external Custom Intelligence feeds.

PRJ-47916,
AVIR-1544

Anti-Virus

UPDATE: Improved Anti-Virus caching mechanism to prevent generating malicious sub-domains in Background resource categorization mode.

PRJ-49233,
PMTR-92549

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 80008407.

PRJ-44244,
PMTR-87141

Mobile Access

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

  • changes in the cloud service configuration,

  • stability improvement.

PRJ-46316,
PMTR-90870

ClusterXL

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically.

PRJ-45338,
PMTR-88036

VPN

UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN.

PRJ-41132,
PMTR-86206

VSX

UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode.

PRJ-48109,
PMTR-90795

VSX

UPDATE: Changed the vsx push configuration log:

  • The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

  • The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

PRJ-50874,
PMTR-97129

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

PRJ-48011,
PRHF-29711

Gaia OS

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

PRJ-50198

Gaia OS

UPDATE: Gaia API updates is now installed automatically through AutoUpdater. Refer to sk165653.

PRJ-45237,
PRHF-28236

Gaia OS

UPDATE: SNMP traps for interfaces going up and going down now contains the interface name and description.

PRJ-50604,
PMTR-97169

Harmony Endpoint

UPDATE: Posture Management (Vulnerability & Patch Management) is now supported.

PRJ-45728,
PMTR-91551

Harmony Endpoint

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

PRJ-48082,
PRHF-29774

CloudGuard Network

UPDATE: Added support for Azure Scale sets with Flexible orchestration mode.

PRJ-47189,
PRHF-28352

CloudGuard Network

UPDATE: Added the "namespace" label to pods in Kubernetes Data Center.

PRJ-48098,
PRHF-28329

CloudGuard Network

UPDATE:

  • Enhanced the mapping performance of Azure subscriptions and the overall process of mapping Data Centers.

  • Minimized the duration required for policy updates to gateways in environments incorporating Public Data Centers (Azure, AWS, GCP, Oracle-Cloud OCI, and Generic-Data-Center).

  • Updating Data Center properties requires installing the policy on only one Security Gateway.

PRJ-48764
PMTR-94130

CloudGuard Network

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region

PRJ-49997,
PMTR-95965

CloudGuard Network

UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823.

PRJ-45772,
PMTR-90618

Scalable Platforms

UPDATE: Added the ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

PRJ-48197,
PMTR-91032

Scalable Platforms

UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway.

PRJ-47962,
PRJ-47560

IoT

UPDATE: Enabled new docker capabilities on IoT Gateways.

PRJ-47170,
PRHF-29222

Security Management

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

PRJ-48898,
PRHF-30157

Security Management

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

PRJ-46700,
PRHF-24917

Security Management

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

PRJ-42640,
PRHF-24486

Security Management

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

PRJ-42936,
PRHF-25050

Security Management

When closing an application from SmartConsole without changes, a redundant revision is created.

PRJ-46004,
PRHF-28590

Security Management

Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object.

PRJ-46829,
PRHF-28923

Security Management

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

PRJ-45989,
PRHF-28558

Security Management

Deleting a Domain that is connected to an AD Group fails.

PRJ-46014,
PRHF-28592

Security Management

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

PRJ-45035,
PRHF-27706

Security Management

Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-44988,
PRHF-28001

Security Management

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

PRJ-47620,
PRHF-29494

Security Management

In rare scenarios, the /var/log/message file is filled with Clish login messages for the Admin user.

PRJ-48865,
PRHF-30091

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-45800,
PRHF-28187

Security Management

Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report.

PRJ-47043,
PRHF-29223

Security Management

When using the RADIUS username for authentication, login to SmartConsole may fail.

PRJ-47047,
PRHF-29104

Security Management

In rare scenarios, after an upgrade, the Security Management Server may fail to start.

PRJ-47012,
PRHF-29254

Security Management

The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>".

PRJ-46656,
PRHF-24236

Security Management

When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes.

PRJ-46732,
PRHF-28910

Security Management

In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397.

PRJ-41549,
PRHF-25551

Security Management

QoS policy cannot be installed if the policy package name contains a dot symbol.

PRJ-44818,
PRHF-20141

Security Management

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

PRJ-47967,
PRHF-29565

Security Management

In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server.

PRJ-48788,
PRHF-30027

Security Management

SmartConsole may unexpectedly close after clicking "Install Policy" while the Compliance blade is running a full scan.

PRJ-49226,
PRHF-30300

Security Management

In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-48442,
PRHF-30005

Security Management

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

PRJ-45899,
PRHF-28666

Security Management

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server.

PRJ-44801,
PMTR-82908

Security Management

In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file.

PRJ-48371,
PRHF-29850

Security Management

The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util.

PRJ-45783,
PRHF-27471

Security Management

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

PRJ-47259,

PRJ-47236,
PRHF-29374,
PRHF-29423

Security Management

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

PRJ-43290,
PRHF-26909

Security Management

In rare scenarios:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-46783,
PRHF-28958

Security Management

In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install.

PRJ-48201,
PRHF-29851

Security Management

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

PRJ-48038,
PRHF-29549

Security Management

An audit log may not be created after running Revert to Revision.

PRJ-49371,
PRHF-30255

Security Management

In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460.

PRJ-49196,
PRHF-30329

Security Management

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

PRJ-48382,
PRHF-29957

Security Management

In SmartConsole, export of policies with the "Hit count" column may get stuck.

PRJ-48692,
SL-8197

Security Management

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

PRJ-46411,
PMTR-90123

Security Management

The Security Gateway may listen to the ports used by NAT.

PRJ-50359,
PRHF-30763

Security Management

In multi-site environments, when using LDAP administrators configured on an external LDAP Server, logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status.

PRJ-50817,
PRHF-31173

Security Management

In some scenarios, if a DAIP Gateway is registered to a VPN Community:

  • "show-vpn-communities-star" Management API command may fail.

  • sharing SmartConsole configuration with Infinity Portal fails.

PRJ-49715,
PRHF-30513

Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-48705,
PRHF-29307

Security Management

In some scenarios, in High Availability Security Management Server environments, there may be increase of the database on the Security Management Server.

PRJ-49884,
PRHF-30289

Security Management

Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report.

PRJ-48162,
PMTR-93236

Security Management

The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field.

PRJ-42955,
PMTR-88417

Security Management

Application Control and IPS updates may take a long time.

PRJ-45441,
PRHF-28361

Security Management

In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787.

PRJ-48795,

PRJ-48796

Multi-Domain Security Management

When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects.

PRJ-49480,
PRHF-29987

Multi-Domain Management

When viewing Subordinate CA objects in SmartConsole:

  • Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

  • The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

The fix requires installing SmartConsole R81.20 Build 651 (or higher).

PRJ-47039,
PRHF-29235

Multi-Domain Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

PRJ-49715,

PRHF-30513

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-46105,
PRHF-28809

Multi-Domain Security Management

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

PRJ-43692,
PRHF-27130

Multi-Domain Management

Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy.

PRJ-51427,
PMTR-98332

Web SmartConsole

Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6.

PRJ-46436,
PRHF-28762

SmartProvisioning

After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.

  • The fix requires installing SmartConsole R81.20 Build 651 (or higher).

PRJ-47343,
PRHF-29472

SmartView

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

PRJ-47470,
PMTR-92958

CPUSE

Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation.

PRJ-50726,
PMTR-96971

SD-WAN

After Jumbo Hotfix Accumulator installation, the connection in the IoT environment stays down.

PRJ-45325,
PMTR-79944

Logging

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

PRJ-45041,
PRHF-28139

Logging

The "Low disk space" warning may be incorrectly displayed in SmartConsole.

PRJ-48341,
PMTR-93310

Logging

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

PRJ-46742,
PRHF-28812

Logging

In some scenarios, implied rules are not logged for clusters.

PRJ-47220,
PRHF-29347

Logging

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

PRJ-46702,
SL-6793

Logging

The Logs view may show a "Failed to read record number" message.

PRJ-44208,
PRHF-27544

Logging

Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields.

PRJ-47809,
PRHF-25147

Logging

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

PRJ-46841,
PRHF-29149

Logging

In SmartView, filtering logs by Media Encryption & Port Protection blade may fail.

PRJ-46187,
PRHF-28421

Logging

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

PRJ-48728,
PMTR-93770

Logging

In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud.

PRJ-45607,
PMTR-90654

Logging

In some scenarios, in the Logs view, the "Destination" field may be missing. The issue is only cosmetic.

PRJ-46742,
PRHF-28812

Logging

In some scenarios, implied rules are not logged for clusters.

PRJ-49141,

SL-7477

Logging

In some scenarios, in a Quantum Smart-1 Cloud environment, login to SmartView may fail.

PRJ-48272,
PMTR-93819

Security Gateway

Following the installation of R81.20 Jumbo Hotfix Accumulator Take 26, it is impossible to configure a new Maestro group via the Gaia Portal.

PRJ-51226,
PMTR-98012

Security Gateway

In some scenarios, policy installation may fail. The fwk.elg and the dmd.elg files show correlating errors.

PRJ-45694,
PRHF-28403

Security Gateway

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

PRJ-49865,
PRHF-30556

Security Gateway

After approximately 24 hours after a reboot, memory utilization starts at 30-40% utilization and gets to 80% utilized. This leads to issues with loading web pages and may cause an outage.

PRJ-46482,
PRHF-28857

Security Gateway

The output of the "cpstat os -f cpu" command may be incorrect. Refer to sk180966.

PRJ-48810,
PRHF-29932

Security Gateway

VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481.

PRJ-48023,
PMTR-91868

Security Gateway

In some scenarios, when IPS is enabled, CPU spikes may occur.

PRJ-48823,
PRHF-29853

Security Gateway

A DNS misconfiguration may lead to ephemeral port exhaustion on the Security Gateway local addresses.

PRJ-41968,
PRHF-25829

Security Gateway

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

PRJ-47149,
PMTR-92710

Security Gateway

Enlarging MTU may cause even small packets to be allocated as Jumbo frames. This impacts the performance of SNDs CPUs.

PRJ-47210,
PRHF-29194

Security Gateway

When running the tp_collector tool, the FW_FULL process may unexpectedly exit.

PRJ-44702,
PRHF-27451

Security Gateway

In rare scenarios, the WSDNSD process may restart because of an internal error.

PRJ-48154,
PRHF-29602

Security Gateway

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

PRJ-47304,
PMTR-86113

Security Gateway

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

PRJ-47521,
PRHF-29318

Security Gateway

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

PRJ-47332,
PMTR-92600

Security Gateway

When using the "cpstop" command on the Security Gateway, the fw_full core may be generated.

PRJ-46378,
PMTR-84794

Security Gateway

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

PRJ-47269,
PRHF-29384

Security Gateway

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

PRJ-44856,
PRHF-27465

Security Gateway

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

PRJ-47326,
PMTR-75350

Security Gateway

Benign files scanned by the ICAP Server may not be logged by Anti-Virus blade.

PRJ-45341,
PRHF-28058

Security Gateway

When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route.

PRJ-47371,
PMTR-88610

Security Gateway

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

PRJ-43857,
PMTR-83014

Security Gateway

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

PRJ-45484,
PRHF-27892

Security Gateway

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

PRJ-44619,
PRHF-27190

Security Gateway

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

PRJ-47559,
PRHF-29583

Security Gateway

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

PRJ-47603,
PRHF-29572

Internal CA

In rare scenarios, ICA certificate creation and enrollment fail.

PRJ-46838,
PMTR-92384

Threat Prevention

When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake.

PRJ-47637,
PRHF-29215

Threat Prevention

The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148.

PRJ-43728,
PMTR-89275

Threat Prevention

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

PRJ-48847,
PMTR-88858

Threat Prevention

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

PRJ-44692,
PRHF-27890

Threat Prevention

In some scenarios, the Security Gateway fails to export or import Custom Intelligence feeds.

PRJ-46720,
PMTR-92083

Threat Prevention

Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure.

PRJ-44767,
PRHF-27722

Threat Prevention

Fetching of Custom Intelligence feeds fails when no proxy is configured on the Security Gateway.

PRJ-46118,
PMTR-91889

Threat Emulation

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus blade performance.

PRJ-48192,
PRHF-29760

Threat Prevention

Anti-Virus blade fails to parse external Custom Intelligence feeds that contain specific delimiters.

PRJ-48745,
PMTR-88384

Threat Prevention

Anti-Virus fails to block Custom Intelligence feeds that contain percent-encoding.

PRJ-50556,
PRHF-30793

Threat Prevention

In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process.

PRJ-48430,
PMTR-93558

Threat Prevention

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

PRJ-48268,
PRHF-29756

Threat Prevention

URL observables with question marks "?" are not parsed correctly by the Threat Prevention Custom Intelligence feeds feature. Refer to sk181367.

PRJ-45902,
PMTR-91000

Threat Prevention

The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied.

PRJ-46905,
PRHF-29115

Threat Prevention

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

PRJ-48087,
PMTR-93601

Threat Prevention

An outage may occur when an unsupported SSH cipher is selected.

PRJ-47447,
PRHF-29413

Threat Prevention

When configuring Custom Intelligence feeds from the management:

  • The "no_ssl_validation" variable may be deleted after the policy installation.

  • Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

PRJ-46759,
PRHF-28441

Identity Awareness

The ida_tables_util tool may fail with the "bad adress" error.

PRJ-47442,
PMTR-92960

Identity Awareness

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

PRJ-47065,
PMTR-92599

Application Control

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

PRJ-49045,
PRHF-30082

DLP

The DLP process may unexpectedly exit during policy installation.

PRJ-49898,
PMTR-95150

SSL Inspection

In rare scenarios, the WSTLSD process may unexpectedly exit and create core dump files.

PRJ-48275,
PRHF-29815

Identity Awareness

There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417).

PRJ-47065,
PMTR-92599

Application Control

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

PRJ-45721,
PRHF-27843

Application Control

Policy installation fails when a custom application and user category have the same name.

PRJ-46199,
PMTR-85660

Application Control

There may be inconsistency between the Application Control version as shown in CPView and the outcome of the "cpstat" command.

PRJ-47750,
PRJ-47646

IPS

In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex.

PRJ-47555,
PRHF-29458

Anti-Virus

Loading a large Custom Intelligence feed may fail. Refer to sk181158.

PRJ-45837,
TPP-3445

Anti-Virus

DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy.

PRJ-47936,
PRHF-29090

Anti-Virus

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus blade.

PRJ-48128,
PMTR-93685

Anti-Virus

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

PRJ-47785,
PRHF-29581

Anti-Virus

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

PRJ-48973,
PRHF-30090

Anti-Virus

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

PRJ-47240,
PRHF-29289

Anti-Virus

Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode.

PRJ-50430,
PMTR-96334

Anti-Bot

In rare scenarios, when the IPS or Anti-Bot Blades are enabled, Threat Prevention logs with packet captures appear in SmartConsole without details.

PRJ-47183,
PRHF-29248

SSL Inspection

The Security Gateway may fail to enforce certificate blacklisting.

PRJ-47204,
PRHF-29309

Mobile Access

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

PRJ-47108,
PRHF-29247

Mobile Access

It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155.

PRJ-43928,
PMTR-89813

ClusterXL

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

PRJ-45181,
PRHF-27989

ClusterXL

The VLAN configured bonded interface monitored state disappear after modifying the bonded interface properties. Refer to sk180724.

PRJ-44276,
PRHF-27346

ClusterXL

A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531.

PRJ-45199,
PRHF-28013

ClusterXL

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

PRJ-43607,
PRHF-25160

ClusterXL

When interfaces disconnect/connect on both members at the same time, it may cause a failover.

PRJ-49758,
PMTR-95601

SecureXL

Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces.

PRJ-50927,
PMTR-97095

SecureXL

When attempting to route packets to unresponsive hosts, the CPU utilization may be high.

PRJ-44735,
PMTR-70190

SecureXL

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

PRJ-51290,
PMTR-97193

SecureXL

In some scenarios, traffic may not pass through a Virtual System on a VSX Security Gateway when it originally came through a Virtual Switch and User Mode (UPPAK) was enabled.

PRJ-49960,
PMTR-95764

Routing

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

PRJ-49237,
PMTR-94838

Routing

When one of the multiple PIM neighbors goes down on the LAN,there may be outages in multicast traffic.

PRJ-47488,
PMTR-93015

Routing

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

PRJ-43249,
ROUT-2018

Routing

Traffic may be dropped when there are many OSPF routes of type 5.

PRJ-47802,
PRHF-29662

Routing

When a BFD session is added or removed, disabled sessions may incorrectly come up.

PRJ-47941,
PMTR-93492

Routing

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

PRJ-48118,
PRHF-29848

Routing

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

PRJ-46901,
PRHF-29091

Routing

The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces.

PRJ-51184,
PMTR-97662

Routing

Adding an IPv6 OSPFv3 interface in WebUI may fail when SecureXL UPPAK mode is enabled.

PRJ-42940,
PRHF-25665

VPN

Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##".

PRJ-42959,
PRHF-26612

VPN

When SCV is enabled, Capsule Connect/ Capsule VPN clients may fail to access internal resources.

PRJ-45128,
PMTR-89945

VPN

Back connection does not function on the Statically NATed Office Mode address as expected.

PRJ-51016,
PRHF-31253

VPN

In a rare scenario, all the IKED processes exit approximately once an hour without core or log indicating that it was triggered by the FWD/CPWD process exit. Refer to sk181643.

PRJ-46261,
PRHF-28718

VPN

The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857.

PRJ-46295,
PRHF-28702

VPN

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

PRJ-47493,
PRHF-28831

VPN

Potential VPN outage during policy installation.

PRJ-43907,
PMTR-86796

VPN

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

PRJ-47878,
PRHF-29650

Multi-Portal

The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication.

PRJ-46919,
PMTR-92516

Multi-Portal

The MPDAEMON process may be persistently down, even post reboot.

PRJ-50313,
PMTR-96307

Multi-Portal

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

PRJ-43879,
PMTR-87205

VSX

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

PRJ-50953,
PRHF-30747

VSX

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router.

PRJ-51077,
PMTR-97700

VSX

When User Mode (UPPAK) is enabled, there may be performance loss when passing traffic through a Virtual Switch on a VSX Security Gateway.

PRJ-51166,
PMTR-97873

VSX

In some scenarios, the VSX VSLS cluster cannot pass the traffic for up to twenty seconds after performing a failover and failback when User Mode (UPPAK) is enabled.

PRJ-47838,
PRHF-29698

VSX

In a rare scenario, affinity configuration on VSX may fail.

PRJ-47797,
PRHF-29709

VSX

A memory leak may occur in the CPD process.

PRJ-44301,
PMTR-90180

VSX

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

PRJ-44269,
PMTR-86105

VSX

Virtual System context may not be handled correctly by CPView, for example, the same interfaces may be listed on all virtual systems.

PRJ-47399,
PRHF-29485

VSX

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

PRJ-46972,
PRHF-29232

Gaia OS

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

PRJ-46276,
PRHF-28848

Gaia OS

When changing bond settings, the bond may be missing the global IPv6 Address.

PRJ-47774,
PRHF-28671

Gaia OS

Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485.

PRJ-44371,
PRHF-27627

Gaia OS

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

PRJ-46021,
PRHF-28611

Gaia OS

The SNMPD process memory consumption may be high, which causes the process to become unresponsive.

PRJ-46284,
EPS-51347

Harmony Endpoint

Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device.

PRJ-46852,
PRHF-22912

Harmony Endpoint

Because of a rare race condition, AD scanners may get stuck in the initializing state with "ERROR ajp-nio2-127.0.0.1-8009-exec-96 - Failed to enumerate scanner instances for SF-DC2.mapro.cat, scanner instance788b7398-5a79-91fb-6f68-137813a5556e (UsmDSConfigResponder)java.lang.NumberFormatException".

PRJ-48876,
EPS-52991

Harmony Endpoint

  • Under Reporting > Anti-Malware > Anti-Malware Status, the table is empty or stuck with a "Endpoint Count: Loading" message.

  • Under Reporting > Anti-Malware > Anti-Malware Status > Report Action, when clicking "Export Report", it returns an "Unknown error".

PRJ-43572,
PRHF-27125

Harmony Endpoint

After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to "None". And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed.

PRJ-46803,
PRHF-28984

Harmony Endpoint

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

PRJ-47056,
EPS-51960

Harmony Endpoint

Some devices added to a Virtual Group from the SmartEndpoint Reporting tab do not receive the assigned policy.

PRJ-43045,
PRHF-26539

Harmony Endpoint

E2 engine may send an incorrect value of datDate in sync request.

PRJ-48257,
PRHF-25142

Harmony Endpoint

The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package.

PRJ-51660,
EPS-54792

Harmony Endpoint

  • If a password update from the client is denied on the Server because it is too old, the Server still updates the salt for the password (password then becomes unusable). This affects all client versions.

  • E87.31 clients and lower which do not support authentication timestamps, cannot update passwords for Full Disk Encryption users with authentication timestamps stored on the Server (password then becomes unusable).

PRJ-47900,
PRHF-29630

CloudGuard Network

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

PRJ-47735,
PRHF-29654

CloudGuard Network

After an upgrade, Azure Gov mapping may fail.

PRJ-43610,
PRHF-27033

VoIP

SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter).

PRJ-43719,
PRHF-26939

VoIP

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

PRJ-48851,
PMTR-94227

Scalable Platforms

In a Maestro Orchestrator environment, the "orch_stat -p" command may bring the "invalid literal for int() with base 10" error message.

PRJ-50121

Scalable Platforms

After enabling the Maestro Fastforward feature, policy installation on a Maestro Security Group may fail in SmartConsole with "Maestro acceleration (MXL) failed, reason: General error. Please check /var/log/acl_cli.log on the security group SMO for more details". Refer to sk181661.

PRJ-49177,
PRJ-45520

Scalable Platforms

Reboot may take a long time.

PRJ-50344,
MBS-17829

Scalable Platforms

When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash.

PRJ-50031,
PRJ-46817

Scalable Platforms

  • If member ID 1 is removed and then re-added to the Security Group on the active site, while there are two or more active members, it may result in a matrix mismatch. This can potentially lead to traffic interruption until member ID 1 becomes active again.

  • Similarly, installing Jumbo Hotfix Accumulator when member 1 is absent may result in the same behavior and Jumbo Hotfix Accumulator installation may be blocked.

PRJ-46575,
PMTR-92205

Scalable Platforms

In a Maestro environment, LACP bond slaves may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and slaves is significantly high.

PRJ-46246,
PMTR-91940

Scalable Platforms

In rare scenarios, when using "chassis_admin" command, the "asg_chassis_admin | "/opt/CPsmos-R81.20/bin/asg_chassis_admin: line 192: [[: |: syntax error: operand expected (error token is "|")" output may be printed. This is only cosmetic and does not prevent performing site failover.

PRJ-50346,
MBS-17803

Scalable Platforms

In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash.

PRJ-44501,
PRHF-27538

Scalable Platforms

Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file.

PRJ-48213,
PMTR-93744

Scalable Platforms

In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail.

PRJ-47641,
PRHF-29629

Scalable Platforms

In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log.

Take 41

Released on 20 November 2023 and moved to Recommended on 4 December 2023

PRJ-50104,

PRHF-30325

Diagnostics

UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository.

PRJ-49892,

PMTR-95687

Security Management

UPDATE: Removed a redundant guava package.

PRJ-49825,

PMTR-95347

Security Management

UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22.

PRJ-49787,

PMTR-95614

Security Management

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

PRJ-50265,

PRJ-49966,

PRJ-48318,

PRJ-49012,

ODU-1121,

ODU-1137

ODU-1256,

ODU-1304

Web SmartConsole

UPDATE: New features and improvements are released in Take 81, Take 85 and Take 90 via self-updatable package. Refer to sk170314.

PRJ-49109,

PMTR-94517

SmartConsole

UPDATE: Applied security related improvements to the Jetty open source library.

PRJ-50125,

PRJ-50124,

ODU-1217,
ODU-1328

CPView

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-50093,
PMTR-63855

Security Gateway

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

PRJ-49494,
ODU-1170

Threat Prevention

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-49746,

PMTR-95099

Mobile Access

UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default.

PRJ-50418,

PRHF-30748

CloudGuard Network

UPDATE: The automatic scanning of NSX-T IP ranges feature is now disabled by default. Refer to sk181614.

See the Important Notes section.

PRJ-48340,
ODU-1081

CloudGuard Network

UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-49936

Harmony Endpoint

UPDATE: Upgraded symmetricDS to the 3.14.9 version.

PRJ-45981,
ODU-1154

Scalable Platforms

UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-50543,
ODU-1113

HCP

UPDATE: Added Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-50030,

PMTR-95988

Security Management

The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626.

PRJ-50899,

PRHF-31187

Security Gateway

A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security.

PRJ-50191,

PMTR-96205

IPS

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

PRJ-49379,

PRHF-30056

SecureXL

SYN Defender may not correctly handle reused connections.

PRJ-49467,

PRHF-30344

Scalable Platforms

In a Scalable Platforms environment:

  • The "mac_verifier" and other commands may generate a "mount of /sys failed: device or resource busy" error message.

  • The "distutil verify -v"command returns "verification failed".

Take 38

Released on 23 October 2023

PRJ-46771,
PMTR-94543,
PRJ-49262,
MB-1208

Security Gateway

NEW: This Jumbo Hotfix Take introduces support for new Quantum Force appliances 19200, 29100, and 29200. Refer to sk180520.

  • Requires installing SmartConsole R81.20 Build 649 (or higher).

PRJ-47822,
PMTR-93184

Security Gateway

NEW: Identity Awareness daemons (PDPD and PEPD) now use a modern memory allocator. The feature is disabled by default. Refer to sk181629.

PRJ-42434,
PMTR-94471

SecureXL

NEW: Added support for User Space Mode (UPPAK) on LightSpeed Appliances (QLS250, QLS450, QLS650, and QLS800 - see sk179432). After upgrading to this Jumbo Hotfix Take, these appliances will run in UPPAK mode by default.

PRJ-48144

Identity Awareness

UPDATE: Added a new mode for Identity Awareness Blade - "PDP-Only", where the Security Gateway acts only as Policy Decision Point (PDP) for identity acquisition and distribution and does not enforce the identity-based policy. The new mode improves scalability for PDPs and Identity Broker. Refer to sk181605.

PRJ-49556

SecureXL

UPDATE: On Quantum LightSpeed appliances running in Kernel Mode (KPPAK), when using a feature that is not supported in User Space Mode (UPPAK), a notification that after upgrading to this Jumbo Take the appliance will still run in KPPAK is now displayed.

PRJ-49380,
ACCHA-3579

SecureXL

UPDATE: The VXLAN creation feature is now blocked in User Space Mode (UPPAK).

PRJ-49383,
ACCHA-3580

SecureXL

UPDATE: The GRE interface creation feature is now blocked in User Space Mode (UPPAK).

PRJ-49385,
ACCHA-3581

SecureXL

UPDATE: The VRRP interface creation feature is now blocked in User Space Mode (UPPAK).

PRJ-49211

SecureXL

UPDATE: When UPPAK mode is enabled, the limit in /var/log/dump/usermode/ gets automatically extended from 10 Gb to 30 Gb to prevent possible deletion of large core files.

PRJ-43883,
PMTR-86708

VSX

UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX.

PRJ-48405,
ODU-1113

HCP

UPDATE: Added Update 13 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-48879,
PRHF-29542

Security Management

  • Running a Gaia API command on a Security Gateway using Management API from the Multi-Domain Security Management Server fails.

  • Running a Gaia API command on a Security Gateway using Management API from the Security Management Server fails if the Security Gateway certificate was not recreated.

PRJ-49205,
PRHF-30319

Security Management

  • When updating Inline Access Layers, Threat Exceptions, and HTTPS Inspection (TLS) rules, the "Policy Name" field in the Audit Log may be incorrect.

  • The "Where used" operation fails for users with read-only permissions.

Refer to sk181471. See the Important Notes section.

PRJ-48791,
PMTR-94145

Security Gateway

An upgrade may fail with this validation message: "Install On column contains Security Gateways without Blades that exist in the 'Protection/Site/File/Blade column'_ Blades".

PRJ-45207

 

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit when running an outgoing (a local connection) from the Security Gateway.

PRJ-49513,
PMTR-94919

Threat Prevention

In a rare scenario, changes in Threat Prevention custom intelligence feeds settings may not be applied after policy installation.

PRJ-48253,
PMTR-93781

Identity Awareness

Identity-based roles may not match the Access Roles after User and Machine were identified.

PRJ-45057,
PMTR-89198

Identity Awareness

In a rare scenario, during authentication, the PDPD process can become unresponsive.

PRJ-46844,
PRJ-47436

Identity Awareness

In a rare scenario, the PDPD process may unexpectedly exit during an LDAP query.

PRJ-48148,
IDA-5480

Identity Awareness

When Identity Agent authenticates both the machine and the user, a rare race condition may occur and disrupt the intended sequence of authentication and publishing, resulting in incorrect data handling.

PRJ-47111,
PMTR-92652

Identity Awareness

Identity Broker may be missing some identities.

PRJ-47110,
PMTR-84390

Identity Awareness

The PDPD process may exit during Identity Broker synchronization.

PRJ-48934,
IDA-5512

Identity Awareness

The PDP Gateway may be unresponsive while publishing identities to Identity Broker subscriber in the Sync flow.

PRJ-47890,
PMTR-93412

Identity Awareness

In rare scenarios, the PDP Gateway may not be responsive when Identity Agent reconnects.

PRJ-48933,
IDA-5491

Identity Awareness

In a rare condition, in a large environment, the PDP Gateway may crash when publishing an IP-change message to its Identity Broker subscribers.

PRJ-49339,
PMTR-95068

ClusterXL

In ClusterXL Bridge mode, failover fail-back may cause a short outage.

PRJ-47844,
PMTR-93206

ClusterXL

When setting the bonding group to 8023AD mode, a "KERLAG0029 Error running cmd cphaconf bond_ls set bond1 0." message is shown.

PRJ-49947,
ACCHA-3621

ClusterXL

Standby VSX cluster members working in Virtual System Load Sharing (VSLS) mode may not be able to access the Internet.

PRJ-48933

CoreXL

Corrupted VS affinity configuration may cause excessive error messages "cp_set_process_vs_affinity: Error corrupt affinity file".

PRJ-49239,
ACCHA-3549

Routing

If the Security Gateway is in UPPAK mode and a PBR rule directs traffic to a Server on a different subnet, deleting the ARP entry for the Gateway on the Server can disrupt the traffic flow.

PRJ-49906,
PMTR-95831

Routing

When BGP local address is configured, BGP peer may fail to establish.

See the Important Notes section.

PRJ-49485,
PRJ-49485

VPN

VPN connectivity may be unstable when IPv6 and VPN star communities are configured.

PRJ-49351,
PRHF-30364

VSX

In some scenarios, in Maestro VSX environment with a Virtual Switch (VSW), TCP packets can be dropped as "out of state" or incorrectly dropped on the clean up rule.

PRJ-49933

CloudGuard Network

After an upgrade, CloudGuard Central Licenses may be removed from the CloudGuard Central License pool on the Security Management and from the Security Gateways. Refer to sk181500.

See the Important Notes section.

PRJ-49308,
PRJ-48987

Scalable Platforms

The Security Gateway may lose connectivity to Maestro Hyperscale Orchestrator (MHO) when running the "tcpdump -i any" command.

PRJ-49314,
PRJ-49111

Scalable Platforms

After adding a new Security Group Member to a Security Group with the default shell /bin/gclish, the status of the new Security Group Member is "Down" with a Critical Device "image_clone" pnote.

Take 26

Released on 14 August 2023 and moved to Recommended on 13 September 2023

PRJ-44227,
PMTR-89589

Compliance

NEW: Compliance Blade is enhanced with 5 new Firewall Best Practices:

  • FW174 - Check that there are no Access Control rules that contain "Any" in the "Source" column and contain "Accept" or "Ask" in the "Action" column.

  • FW175 - Check that Access Control rules do not contain "Any" in "Destination", and "Accept" or "Ask" in "Action".

  • FW176 - Check that Access Control rules do not contain "Any" in "Services and Applications", and "Accept" or "Ask" in "Action".

  • FW177 - Check that there are no temporary Access Control rules (based on the "Name" column).

  • FW178 - Check that there are no temporary Access Control rules (based on the "Comments" column).

PRJ-44577,
PMTR-90463

Internal CA

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

PRJ-44672,
PMTR-90420

Security Management

NEW:

  • Added support for 1595 Slim Ruggedized appliances.

  • Added support for 1535 / 1555, 1575 / 1595 Quantum Spark Pro appliances.

PRJ-44359,
PMTR-90221

Security Management

NEW: Added a new Management API "mgmt_cli show ha-status". It provides synchronization information for the currently active domain.

  • When running the command from the Active Domain in the local/Global Domain, it retrieves details about the synchronization status of the other standby peers and the overall synchronization status for the Domain.

  • When running the command from the system Domain, it only displays the general synchronization status, as all peers are active.

PRJ-44747,
PMTR-89334

Security Management

NEW: Added support for multiple languages in the Change Report.

PRJ-44421,
ACCESS-458

Security Management

NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository.

PRJ-43522,
PMTR-89420

Security Management

NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs .

For example:

  • mgmt_cli add access-section layer "Network" position 1 name "New Section 1" tags mytag

  • mgmt_cli add access-rule layer "Network" position 1 name "Rule 1" tags mytag

PRJ-44421,
ACCESS-458

Security Management

NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository.

PRJ-45679,
PRJ-45678

CloudGuard Network

NEW: CloudGuard Controller for NSX-T

  • Starting from NSX-T 4.0.0.x and higher, Manager Mode APIs are deprecated, it is recommended to use Policy Mode.

  • Import NSX-T Tags (NSgroups and VMs) is now supported.

  • Import NSX-T Virtual Machine objects is now supported.

Note: Importing Virtual Machines can be enabled only using Policy Mode APIs. When enabled, the amount of API requests toward the NSX-T manager increased.

PRJ-45491,
PRHF-28303

Security Management

UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster).

PRJ-46243,
PMTR-86894

Security Management

UPDATE: A Security Management server/Domain Management Server can now manage up to 400 Security Gateways / Clusters, allowing concurrent policy installation on all Security Gateways / Clusters at once.

PRJ-45204,

ODU-843

Web SmartConsole

UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314.

PRJ-45473,
ODU-827

CPView

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

PRJ-45466,
ODU-835

CPView

UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-44609,
PMTR-90504

Threat Emulation

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

PRJ-44321,
PMTR-90945

Threat Prevention

UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable.

PRJ-45463,
PRJ-46432,
ODU-890,
ODU-898

Threat Prevention

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-46429,
TPP-3290

Threat Prevention

UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses.

PRJ-43784,
PMTR-89672

Threat Prevention

UPDATE: Ability to send packet capture on IPS / Anti-Bot silent protections to the research team to enhance the security.

PRJ-45912,
IDA-4843

Identity Awareness

UPDATE: Implemented monitoring functionality and alerts for tracking the expiration date of Identity Broker certificates.

PRJ-46224,

PMTR-92426

ClusterXL

UPDATE: Added support for IPv6 synchronization in Multi-Version Clusters (MVC and MVC light).

See the Important Notes section.

PRJ-44719,

PRHF-22566

SecureXL

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

PRJ-42862,

PMTR-88750

Zero Phishing

UPDATE:

  • Zero Phishing now enforces license. Customers with NGTX (Next Generation Threat Emulation & Extraction) or customers that recently renewed NGTX should have no issues.

  • Zero Phishing will stop working for customers who do not have a license.

PRJ-44762,
PRHF-27893

Gaia OS

UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined.

PRJ-47227,
PMTR-92606

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427.

PRJ-44354,
PRJ-44355

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region.

PRJ-43926,
PRHF-27357

CloudGuard Network

UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.20 Administration Guide > Configuration Parameters. This change prevents scenarios when CloudGuard Controller fails to connect to Cluster with MDPS enabled (sk180981).

PRJ-46550

CloudGuard Network

UPDATE: Added new Security Management APIs for the CloudGuard Central License Utility:​

  • "add-central-license"

  • ​"distribute-cloud-licenses"​

  • "delete-central-license" ​

  • "show-central-license"

  • ​"show-central-licenses"​

  • "show-cloud-licenses-usage".

PRJ-45214,
MBS-14161

Scalable Platforms

UPDATE: Added Management Data Plane Separation (MDPS) support for Maestro Orchestrator and Chassis scalable platforms.

PRJ-43863,
PMTR-89393

Scalable Platforms

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

PRJ-45908,
ODU-946

Scalable Platforms

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-44959,
PMTR-85311

Scalable Platforms

UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log.

PRJ-45389,
ODU-914

HCP

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-44461,
PRHF-27327

Security Management

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

PRJ-45874,
PRHF-28640

Security Management

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

PRJ-43569,
PRHF-27059

Security Management

After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail.

PRJ-45156,
PRHF-28175

Security Management

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

PRJ-42040,
PRHF-25898

Security Management

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

PRJ-44086,
PRHF-27440

Security Management

Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514.

PRJ-46630,
PMTR-92240

Security Management

In the Infinity Services view, the Log Sharing status may not be correct.

PRJ-44625,
PMTR-82987

Security Management

In the Accelerated Policy Installation flow, there is no validation for the scenarios when there are DAIP Security Gateways in the Destination column of the Access policy.

PRJ-44984,
PRHF-28012

Security Management

When using SmartTasks to send a mail before or after publishing the operation, the value inserted into the Changes and Description fields does not take effect as expected.

PRJ-44594,
PMTR-89770

Security Management

In some scenarios, running the Management API "delete-exception-group" fails if the exception group is automatically attached.

PRJ-43813,
PRHF-27187

Security Management

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

PRJ-46399,

PRJ-46725,

PRHF-28962

Security Management

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-46183,
PRHF-28820

Security Management

The "verify-policy" Management API command may fail when performed on the Multi-Domain Security Management Server.

PRJ-43917,
PMTR-83586

Security Management

In the Object Explorer window in SmartConsole, the IP address column is sorted alphabetically, although it should be sorted in numerical order.

PRJ-44592,
PMTR-89373

Security Management

The "show object" command fails when running it on nat-section objects. It returns a "null pointer exception" message, which occurs in calculations related to the overview objects meta-info.

PRJ-44596,
PMTR-89845

Security Management

When adding/setting an access rule, setting certain fields to "Any" or "None" may fail because of case sensitivity.

PRJ-44897,
PRHF-27875

Security Management

Policy installation gets stuck if the known proxy group contains the policy target.

PRJ-45655,
PRHF-28407

Security Management

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

PRJ-44996,
PRHF-27895

Security Management

In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out.

PRJ-44473,
PRHF-27659

Security Management

Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message.

PRJ-43267,
PRHF-26404

Security Management

When creating several LSM objects (Security Gateways or clusters) via both Management API and SmartConsole, the LSM objects IP addresses may be duplicated.

PRJ-45878,
PRHF-28654

Security Management

If an empty Network Group is linked in the source or destination fields of an Access Rule, policy verification may not generate an error. Instead, it may treat the empty group as if there is an "Any" object.

PRJ-42423,
PRHF-26275

Security Management

In some scenarios, an upgrade may fail when a Network object Group contains more than 32000 members.

PRJ-43187,
PRHF-26778

Security Management

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

PRJ-42553,
PRHF-26118

Security Management

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

PRJ-43192,
PRHF-25274

Security Management

If the Security Management Server is behind NAT, remote Management API login fails.

PRJ-45159,
PRHF-28175

Security Management

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

PRJ-43963,
PRHF-27308

Security Management

In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses.

PRJ-46088,
PRHF-28685

Multi-Domain Security Management

A scheduled Install Policy Preset may not have its next run time updated when:

  • The Multi-Domain Security Management Server was down while the preset was scheduled to run

  • There are over 50 presets defined

PRJ-44970,
PRHF-28002

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages.

PRJ-45069,
PRJ-46163,
PRHF-28192,
PRHF-28143,

PRJ-47051,
PRHF-29196

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-43785,
PRHF-24558

Multi-Domain Security Management

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

PRJ-43599,
PRHF-27209

SmartConsole

Typo in the Compliance report - "OSFP" instead of "OSPF".

PRJ-46531,
PRHF-85028

SmartConsole

SmartConsole may crash while checking for updates.

  • Requires installing R81.20 SmartConsole Build 646.

PRJ-46510,
PRHF-28930

SmartConsole

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

PRJ-45593,
PRHF-28286

SmartConsole

In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to a Threat Prevention policy "Install On" column, no Security Gateway objects appear. Refer to sk180964.

PRJ-46171,
PRJ-43171

CPUSE

When working in a Scalable Platforms environment, a member may get in a bootloop. The issue occurs after consequent upgrade of this member to R81.10, Deployment Agent (DA) update and enabling image auto cloning.

PRJ-43473

CPUSE

In some scenarios, the task progress bar is missing during Jumbo installation from SmartConsole.

PRJ-43477,
PRHF-26987

Logging

The Non-Transparent Proxy configuration is missing the IP address of the destination website in the URL Filtering logs. Refer to sk180403.

PRJ-45670,
SL-6728

Logging

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

PRJ-41667,
PRHF-25662

Logging

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

PRJ-41595,
PRHF-25533

Logging

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

PRJ-45418,
PRHF-28191

Logging

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

PRJ-46074,
PRHF-28787

Logging

After an upgrade of the Security Management Server, the "cp_log_export show" command may return the "found an ambiguous value" error in the "export_log_position" field.

PRJ-44408,
PMTR-90258

Security Gateway

Global tables (ghtab) may not be synchronized between members, this can lead to instability of traffic.

PRJ-46054,
PRHF-28455

Security Gateway

The Security Gateway may crash while inspecting non-HTTP traffic.

PRJ-44190,
PRHF-25647

Security Gateway

The Security Gateway may crash due to a memory issue.

PRJ-45804,
PRHF-28559

Security Gateway

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

PRJ-47118,
PRHF-29292

Security Gateway

In some scenarios, after an upgrade, the FWD process may unexpectedly exit.

PRJ-45001,
PRHF-27844

Security Gateway

In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped.

PRJ-45091,

PMTR-90992

Security Gateway

It is impossible to configure the total number of IPv4 CoreXL Firewall instances and IPv6 CoreXL Firewall instances to more than 64 when the Security Gateway with more than 64 CPU cores runs in the USFW mode. Refer to sk181408.

PRJ-43849,
PMTR-86732

Security Gateway

Stack buffer overflow may occur in the FWGTP process.

PRJ-46677,
PRJ-46683,
PRHF-29045,
PRHF-28963,

PRJ-46680,
PRHF-28973

Security Gateway

After an upgrade, GTP traffic and memory issues may occur.

PRJ-46335,
PRHF-28842

Security Gateway

The Security Gateway may crash after a failure in policy installation.

PRJ-46139,
PRHF-28806

Security Gateway

The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032.

PRJ-44312,
PRHF-27439

Security Gateway

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

PRJ-46688,
PMTR-91240

Security Gateway

When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops.

PRJ-42788,
PRHF-22608

Security Gateway

In some scenarios, the Security Gateway may crash.

PRJ-44605,
PRHF-12636

Security Gateway

The FWK process may unexpectedly exit while processing the mail flow and generate a core dump.

PRJ-45497,
PRHF-28324

Security Gateway

On the Security Gateway with Management Data Plane Separation (MDPS) enabled:

  • when adding a RADIUS Server from WebUI, a new MDPS task with the IP address of the Server may not be added,

  • when deleting a RADIUS Server, the MDPS task may not be deleted.

PRJ-42531,
PRHF-25233

Security Gateway

In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart.

PRJ-45479,
PRHF-28350

Security Gateway

Security Gateway may crash when running kernel debugs of the "UP" module.

PRJ-44252,
PRHF-27426

Security Gateway

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

PRJ-45450,
PRHF-28277

Security Gateway

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

PRJ-44753,
PRHF-27707

Security Gateway

Policy installation may fail with "Error 2000240" because of an IPv6 flow issue.

PRJ-41879,
PMTR-87372

Security Gateway

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

PRJ-45187,
PMTR-90969

Security Gateway

Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705.

PRJ-44106,
PRHF-26013

Threat Prevention

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

PRJ-44571,
PRHF-27749

Threat Prevention

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed".

PRJ-44152,
PMTR-89916

Threat Prevention

In a rare scenario, policy installation may fail because of IoC observables overrides.

PRJ-44201,

PMTR-89130

Threat Prevention

When IPS Blade is enabled, the Security Gateway may crash.

PRJ-45925,
PRHF-28533

Identity Awareness

In a rare scenario, the PDPD process may unexpectedly exit during user authentication flow.

PRJ-43748,
PRHF-27158

Identity Awareness

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

PRJ-45429,
PRHF-28304

Application Control

Some TLS1.3 applications without SNI do not match the rules.

PRJ-43976,
PRHF-27284

URL Filtering

When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected.

PRJ-44181,
PMTR-89863

IPS

In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic.

PRJ-45658,
PRHF-28404

SSL Inspection

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

PRJ-46280,
PRHF-28749

Anti-Virus

Importing a custom intelligence feed containing IP ranges may fail.

PRJ-44671,
PMTR-90550

Anti-Virus

Anti-Virus Blade may bypass inspection of URLs with sub-domain portion.

PRJ-46606,
PRHF-28851

Anti-Virus

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

PRJ-44234,
PRHF-15953

Anti-Virus

The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries.

PRJ-45195,
PRHF-28182

Mobile Access

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

PRJ-45100

Mobile Access

SSL Network Extender (SNX) may randomly disconnect after a version upgrade. Refer to sk173765.

PRJ-45852,
PRHF-28379

Mobile Access

Mobile Access Security Gateway does not recognize Office 365 URL This can cause OAuth 2.0 authorization to fail, it may not be possible to view the mail.

PRJ-46403,
PRHF-28925

Mobile Access

Sending emails with attachments via Capsule Workspace may fail on iOS.

PRJ-46506,
PRHF-28936

ClusterXL

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

PRJ-45163,
PMTR-91017

ClusterXL

A VRRP cluster member may be stuck in boot after a cluster upgrade.

PRJ-42772,
MBS-15783

ClusterXL

Asymmetric UDP traffic may be dropped with "First Packet isn´t Syn".

PRJ-43640,
PMTR-89506

SecureXL

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

PRJ-44365,
PRHF-27633

SecureXL

When running tcpdump on the Multi-Domain Security Server, an "error /bin/cp-tcpdump.sh: line 11: sxlmode: command not found" message is shown. The issue is cosmetic only.

PRJ-41959,
MBS-16159

Routing

In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group.

PRJ-44710,
PRHF-27240

Routing

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

PRJ-44706,
PRHF-27225

Routing

Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table.

PRJ-45380,
PRHF-26701

Routing

A VRRP/VRRP6 interface may go into Master/Master state.

PRJ-46133,
ROUT-2838

Routing

When two interfaces with the same local address are configured, BGP may use an incorrect interface to reach a peer.

PRJ-41962,
MBS-16158

Routing

Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear.

PRJ-43828,

PRHF-27339

VPN

In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection and the traffic might be dropped. Refer to sk180855.

PRJ-44313,
PRHF-24641

VPN

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

PRJ-44992,

PRJ-46303
PRHF-27569,

PRJ-44830,
PRHF-28061

VPN

  • OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

  • Security Gateway sends defaultCert to the third party instead of an OCSP certificate.

    An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

PRJ-45469,

PRHF-28353

VPN

StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method.

PRJ-44219,
PRHF-27548

VPN

The "vpn/ike debug ikeon/ikefail" commands may fail when used with the "-s" flag.

PRJ-45920,
PRHF-28589

VPN

The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation.

PRJ-46952,
PRHF-92538

VSX

An upgrade of VSX cluster members configured as VSLS from SmartConsole may fail.

PRJ-45146,
PRHF-28154

VSX

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

PRJ-45006,
PRHF-28080

VSX

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

PRJ-44123,
PMTR-88803

VSX

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

PRJ-44746,
PMTR-90616

VSX

Virtual System's interfaces may be missing when running the Clish command "show/save configuration".

PRJ-44090,
PRHF-27224

VSX

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

PRJ-45402,
PRHF-28365

VSX

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

PRJ-45864,
PMTR-91668

Gaia OS

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

PRJ-41910,
PRHF-25737

Gaia OS

Gaia WebUI logs are printed with "info" severity.

PRJ-45566,

ACCHA-2110

Gaia OS

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

PRJ-42780,
PRHF-26416

Gaia OS

Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection".

PRJ-43199,
PMTR-88966

Gaia OS

Appliance with a Dual Image installed cannot reboot after restoring to the factory default of a Dual Image. Refer to sk180331.

PRJ-46945,
PRHF-29014

Harmony Endpoint

KAV updater on the Server may fail to receive updates when proxy is used.

PRJ-45541,
PRHF-27987

CloudGuard Network

AWS Data Center mapping fails when an interface subnet is missing from the list of subnets.

PRJ-44479,
PMTR-90345

CloudGuard Network

Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started.

PRJ-44615,
PRHF-27502

VoIP

In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

PRJ-46476,
PMTR-90803

VoIP

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

PRJ-43719,
PRHF-26939

VoIP

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

PRJ-42783,
PMTR-88669

Scalable Platforms

Adding more than 250 VLANs on an Orchestrator MHO-175 Maestro Uplink interface causes intermittent traffic outages. Refer to sk180340.

PRJ-45253,
ACCHA-2021

Scalable Platforms

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

PRJ-44548,
PRJ-44587

Scalable Platforms

The "orch_info" command may freeze, when running it on Maestro Orchestrator.

PRJ-45696,
PRJ-45480

Scalable Platforms

Querying the HW status via SNMP (OIDs .1.3.6.1.4.1.2620.1.6.7.*) or via the "cpstat os -f sensors" command may fail on Maestro Orchestrator.

PRJ-45302,
PRHF-28238

Scalable Platforms

In rare scenarios, the Single Management Object (SMO) may go to Down state after clicking a packet capture link in the IPS log in SmartConsole.

PRJ-47985,

PRJ-47745

Scalable Platforms

Uninstalling Jumbo Hotfix Take 106/107 on Maestro Orchestrator (MHO) may cause an outage.

PRJ-45363,
PMTR-91252

Scalable Platforms

Maestro Orchestrator sx_api scripts (e.g. sx_api_ports_dump.py) return the "/usr/bin/env: python: No such file or directory" error.

PRJ-44437,
PMTR-90202

Scalable Platforms

WRP interfaces cannot be used for Source / Destination in a specific Fast Forward rule.

PRJ-44022,
PMTR-89909

Scalable Platforms

Policy validation may fail if the Fast Forward feature is enabled.

PRJ-44288,
PMTR-88429

Scalable Platforms

The "set/show trace" command may fail in gClish.

PRJ-45886,
PMTR-90935

Scalable Platforms

In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System.

PRJ-46646,
PRHF-28694

Carrier Security

Incorrect parsing of GTP-U traffic may cause anti-spoofing drops.

PRJ-43225,
CST-316

Carrier Security

Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507.

PRJ-43221,
CST-312

Carrier Security

Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506.

PRJ-46674,
PRHF-28770

Carrier Security

Packet corruption, leading to traffic and performance issues.

PRJ-43358,
PRHF-24044

Carrier Security

GTP traffic may be dropped and tunnels are not registered in gtp_tunnels.

Take 24

Released on 12 July 2023 and moved to Recommended on 24 July 2023

PRJ-47513,
PMTR-93037

GaiaOS

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

  • To see the current state of this feature: show audit login-notifier

  • To enable this feature (this is the default): set audit login-notifier on

  • To disable this feature: set audit login-notifier off

PRJ-47103,
PRHF-29329

Security Management

Policy installation may fail with "Target is not defined in the database" error when the target name has many underscore or dash characters.

See the Important Notes section.

PRJ-47265,
PMTR-91800

SSL Inspection

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

PRJ-45350,
PRHF-28275

ClusterXL

After an upgrade, cluster members may frequently crash, causing instability in the environment.

PRJ-45788,
PRJ-42015

CloudGuard Network

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

PRJ-47144,
PMTR-92807

Scalable Platforms

A new member added to Maestro Security Group may get stuck in Down state because of the missing IPS files when using image auto cloning.

Take 14

Released on 1 June 2023

PRJ-44444

SD-WAN

NEW: Added support for Quantum SD-WAN that provides resilient connectivity, optimizes usage of WAN connections for Internet and Site to Site VPNs allowing dynamic application traffic steering based on measured ISP link quality. Refer to sk180605.

See the Important Notes section.

PRJ-45296,
PMTR-86221

Security Management

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

PRJ-44503,
PMTR-88484

Security Management

UPDATE: Significantly improved performance during upgrade and import for large Multi-Domain Security Management environments with many administrators (over 20 domains and over 100 global administrators).

  • Requires installing Upgrade Tools package 997000632 and higher.

PRJ-45675,
PRHF-28332

Security Gateway

UPDATE: Added a new environment variable "IMPLIED_RULES_SET_BEFORE_LAST". It defines if Multi-Portal implied rules should be matched as "before drop" or "before last". The default value is "0", set to "before drop". When the value is set to "1", implied rules will be matched as "before last". Refer to sk180808.

PRJ-45072,
PMTR-89908

ClusterXL

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

PRJ-44871,
PMTR-85849

VSX

UPDATE: The default maximum number of processes monitored by CPWD is changed from 3000 to 10000.

PRJ-45265,
PMTR-91124

GaiaOS

UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311.

PRJ-45756,

PMTR-91592

Scalable Platforms

UPDATE: Improved the decision making flow for scenarios when Maestro Gateway should leave a Security Group.

PRJ-45055,
PRHF-27948

Security Management

In rare scenarios, in multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked.

PRJ-43560,
PRHF-26971,
PRJ-45051,
PRHF-27847,

PRJ-42549,
PRHF-26016

Security Management

In rare scenarios, in Multi-Site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

PRJ-45061,
PRHF-28094

Security Management

In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858.

PRJ-44452,
PRHF-27276

Security Management

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

PRJ-44096,
PRHF-27460

Security Gateway

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

PRJ-44233,
PRHF-27318

Security Gateway

After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore.

PRJ-44082,
PRHF-26620

Security Gateway

In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated.

PRJ-44921,
PRHF-27936

Security Gateway

After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

PRJ-46341,
PRHF-28674

Security Gateway

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

PRJ-45085,
PMTR-90817

Security Gateway

Latency when the Anti-Virus Blade processes ThreatCloud response.

PRJ-42586,

PMTR-88424

Threat Prevention

When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced.

PRJ-44552,
PRHF-27765

Threat Prevention

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

PRJ-44317,
PRHF-27270

Content Awareness

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

PRJ-44384,
PRHF-27645

Application Control

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

PRJ-42715,
PRHF-26557

IPS

In a rare scenario, the Security Gateway may crash during an IPS package update.

PRJ-44456,
PRHF-27561

ClusterXL

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

PRJ-44678,
PRHF-27803

SecureXL

After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped.

PRJ-44875,
PRHF-27540

SecureXL

Traffic may be dropped and the FWACCEL core file is generated.

PRJ-44925,
PMTR-90799

Routing

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

PRJ-46129,
ROUT-2801

Routing

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

PRJ-44941,
PRHF-23766

Routing

After an update, multicast traffic may be dropped.

PRJ-44693,
ROUT-2353

Routing

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

PRJ-41031,
PRHF-25024

Routing

The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down.

PRJ-43596,
PRHF-27185

VPN

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

PRJ-46438

GaiaOS

Memory allocation issue may occur during initialization time.

Take 10

Released on 23 April 2023 and moved to Recommended on 30 April 2023

PRJ-45903

Scalable Platforms

After installing R81.20 Jumbo Hotfix Accumulator Take 8 on Maestro Security Group Members (SGMs), they may reboot several times and stay in Down state with a "Configuration" pnote. This issue occurs on Maestro SGMs with Identity Awareness enabled and SGMs configured to learn Identities from remote PDPs. Refer to sk180862.

See the Important Notes section.

Take 8

Released on 7 March 2023

PRJ-42694,
PMTR-88560

Security Management

NEW: Added ability to run the "verify-policy" Management API command on a private session with unpublished changes.

PRJ-40017

Security Management

NEW: Central Deployment of Hotfixes and Version Upgrades in SmartConsole will now support clusters of Centrally Managed Quantum Spark Appliances that run R81.10.XX firmware versions.

PRJ-41769,
PMTR-86000

CPView

NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566.

PRJ-43896,
PMTR-89750

Security Gateway

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-43808,
PMTR-89699

Application Control,

URL Filtering

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-43911,
PMTR-89774

SmartView

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-44256,
PMTR-90165

Threat Extraction

NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-42165,
PMTR-87948

IPS

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

PRJ-41947,
PMTR-87634

Security Management

UPDATE: Connecting a Quantum Security Management Server to Infinity Portal is now supported in the Full High Availability Cluster (when each cluster member has a Security Management Server and a Security Gateway).

PRJ-42028,
PMTR-87761

Security Management

UPDATE: When adding R81.10 or lower Security Gateways to a Threat Prevention policy with Zero Phishing Blade, a verification error will be shown.

PRJ-42563,

PRJ-42564

Security Management

UPDATE: It is now possible use multiple values when filtering in these views:

  • Global Assignments (MDS)

  • Permissions (MDS)

  • Sessions (MDS)

  • IPS (Domain level)

PRJ-42554,
PRHF-22345

Security Management

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

PRJ-42034,
PMTR-87522

Security Management

UPDATE: Added a new Management API "mgmt_cli verify-management-license". It allows to check how many Security Gateway objects the Management Server license supports. Note that this API does not support Quantum Maestro and VSX. Refer to Management API Reference.

PRJ-42307,
PRHF-25869

Security Management

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

PRJ-42982,
ODU-747

Web SmartConsole

UPDATE: Released Take 76 with new features and improvements. Refer to sk170314.

PRJ-44560,
PMTR-90438

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

PRJ-42373,
PRHF-21182

Security Gateway

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

PRJ-42659,
TPP-2280

IPS

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

PRJ-42704,
ODU-494

Threat Prevention

UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-42260,
PRJ-42201

Threat Prevention

UPDATE: Reduced loading time of big external Custom Intelligence Feeds.

PRJ-41381,
PRHF-24483

VPN, Multi-Portal

UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434.

PRJ-44248,
PRHF-27306

VPN

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

  • To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

  • To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

PRJ-42405,
PMTR-87600

VSX

UPDATE: Added more logs related to Pushing VSX Configuration.

  • On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

  • On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

  • VSX Provisioning tool is now logged in the vpt_history.elg.

.

PRJ-42875,

ODU-611

Gaia OS

UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653.

PRJ-43614,
PRHF-26959

Gaia OS

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

PRJ-43048

CloudGuard Network

UPDATE: Added support for Data Centers in AWS eu-central-2 (Zurich) and eu-south-2 (Spain) and ap-south-2 (Hyderabad) regions.

PRJ-43028,
PRJ-43025

CloudGuard Network

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

PRJ-41847,
PRHF-25754

CloudGuard Network

UPDATE: Improved handling of NSX-T API responses.

PRJ-42015,
PRJ-42149

CloudGuard Network

UPDATE: Improved performance of pushing Data Center Objects changes to Security Gateways.

PRJ-41649,
MBS-16088

Scalable Platforms

UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it:

• To enable this option:

  • on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 1

  • to be boot persistent, run g_update_conf_file fwkern.conf fwha_force_present_state_over_active =1

• To disable this option:

  • on the fly, run g_fw -a ctl set int fwha_force_present_state_over_active 0

  • to be boot persistent, run g_update_conf_file fwkern.conf fwha_force_present_state_over_active =0

PRJ-43405,
PMTR-89295

Diagnostics

Skyline may not show any information. Refer to sk180748.

PRJ-42111,
PRHF-25747

Security Management

The date of a policy configured with "accelerated installation" may not be updated in logs.

PRJ-43902,
SMB-19002

Security Management

On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448.

PRJ-41763,
PRHF-25381

Security Management

In some scenarios, the CME process fails to start.

PRJ-43341,
PMTR-89193

Security Management

In some scenarios, Audit logs may not be created when running remote API commands from Infinity Portal.

PRJ-42411,
PRHF-26108

Security Management

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

PRJ-44564,
PRHF-27782

Security Management

In a rare scenario, OCSP response cash located in $CPDIR/tmp/curl_crl_ocsp may take a lot of memory.

PRJ-35072,
PMTR-89310

Security Management

High Availability synchronization fails when one Management Server is installed on an appliance of 6000 series and the other one is an Open Server, a Virtual Machine, or installed on an appliance of different series.

PRJ-43095,
PRHF-25895

Security Management

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

PRJ-43364,
PMTR-87860

Security Management

Editing a Global Assignment object using Ansible may fail.

PRJ-43318,
PMTR-87565

Security Management

In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed.

PRJ-43315,
PMTR-88093

Security Management

Running API commands with the "dereference-max-depth" parameter with "0" value may fail when there is the "groups" field in the reply.

PRJ-44023,
PRHF-27405

Security Management

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

PRJ-42244,
SMB-19124

Security Management

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

PRJ-42798,
PRHF-24308

Security Management

The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed.

PRJ-44485,
PRHF-27877

Security Management

The "show simple-gateways" Management API command may fail with the "Null Pointer Exception" error and cause the CME failure. Refer to sk180944.

PRJ-41977,
PRHF-25682

Security Management

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

PRJ-43688,
PMTR-89520

Security Management

When running the "update-provisioned-satellites" Management API command on a cluster, it may fail with the "The operation does not support this object type" error.

PRJ-41557,
PRHF-25556

Security Management

After an Application Control update, policy installation may fail.

PRJ-42061,
PRHF-25730

Security Management

The "show objects" command returns all objects in Global Domain with any filter when "ip-only" flag is set to "true".

PRJ-44630,

PMTR-90519

Security Management

There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder.

PRJ-42860,
PRHF-26649

Security Management

After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole.

PRJ-42510,
PRHF-26349

Security Management

Access policy verification may fail when dynamic objects exist in the NAT policy.

PRJ-41672,
PRHF-25452

Security Management

When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue.

PRJ-41929,
PRHF-25575

Security Management

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

PRJ-41893,
PRHF-25534

Security Management

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

PRJ-42043,
PRHF-25899

Security Management

In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail.

PRJ-43313,
PMTR-88097

Security Management

The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base.

PRJ-41921,
PRHF-25795

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit.

PRJ-42850,
PRHF-26378

Multi-Domain Security Management

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

PRJ-42106,
PRHF-25807

Multi-Domain Security Management

In a Multi-Domain Security Management environment, the HitCount retention mechanism may prematurely remove the HitCount data.

PRJ-42050,
PRHF-25759

Multi-Domain Security Management

In rare scenarios in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-42303,
PRHF-25848

Multi-Domain Security Management

Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain.

PRJ-43176,
PMTR-88159

SmartConsole

SmartConsole installation folder contains screenshots of legacy demo documents.

PRJ-41610,
PMTR-86559

SmartProvisioning

Deleting an LSM Gateway via REST API does not revoke the device's VPN certificate.

PRJ-42085,
PRHF-25916

CPView

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

PRJ-43590,
PMTR-89477

CPView

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

PRJ-43672,
PMTR-89535

CPView

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

PRJ-42415,
PRHF-26316

Logging

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

PRJ-41853,
PRHF-23629

Logging

After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable.

PRJ-43394,
PRHF-26905

Logging

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

PRJ-42818,
PMTR-88623

Security Gateway

The Security Gateway may crash when running a memory leak detection procedure.

PRJ-43134,
PRHF-24896

Security Gateway

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

PRJ-43012,
PRHF-26600

Security Gateway

When adding a new RADIUS Server to Gaia, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

PRJ-42297,
PRHF-26094

Security Gateway

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

PRJ-42945,
PRHF-26610

Security Gateway

When Anti-Spoofing is enabled, the Security Gateway may crash.

PRJ-43840,
PRHF-27097

Security Gateway

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

PRJ-42708,
PRHF-26247

Security Gateway

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

PRJ-43619,
PRHF-21529

Security Gateway

The Security Gateway may frequently crash with vmcore files, recording invalid context.

PRJ-43887,
PRHF-26861

Security Gateway

In some scenarios, the FWD process is stuck during policy installation.

PRJ-43706,
PRHF-27184

Security Gateway

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

PRJ-43555,
PRHF-26844

Security Gateway

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

PRJ-41635,
PRHF-25363

Security Gateway

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

PRJ-43529,
PMTR-89421

Security Gateway

In rare scenarios when ISP Redundancy feature is enabled, default route disappears after policy installation.

PRJ-42805,
PRHF-23758

Security Gateway

Stability issues when ICAP client is active.

PRJ-41496,
PRHF-24787

Security Gateway

Stability issues when ICAP client is active.

PRJ-41092,
PRJ-34903

Security Gateway

A kernel crash may occur during system shutdown when PIM is enabled.

PRJ-43344,
PMTR-88981

Security Gateway

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

PRJ-41791,
PRJ-41721

Security Gateway

The Security Gateway with enabled Anti-Virus may experience a memory allocation issue.

PRJ-42973,
MBS-16324

Security Gateway

The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the LightSpeed 10/25/40/100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on.

PRJ-41796,
PRJ-41720

Security Gateway

The Security Gateway with enabled Anti-Virus Blade may experience a memory allocation issue.

PRJ-43143,
PRJ-43197

Security Gateway

Policy installation from R81/R81.10 Security Management Server on R81.20 Security Gateway fails if Autonomous Threat Prevention mode is enabled.

PRJ-43801,
PMTR-89661

Security Gateway

When handling some RTSP connections and the Hyperflow feature is enabled the Security Gateway may crash.

PRJ-43128,
PMTR-89008

Security Gateway

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

PRJ-41865,
PRHF-25769

Security Gateway

After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS).

PRJ-43534,
PRHF-26097

Security Gateway

In some scenarios, the Security Gateway may frequently crash, causing outages.

PRJ-41422,
PRHF-24690

Security Gateway

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

PRJ-41791,
PRJ-41721

Security Gateway

The Security Gateway with enabled Anti-Virus Blade may experience a memory allocation issue.

PRJ-43779,
PMTR-89539

Security Gateway

When working in VSX Load Sharing (VSLS) mode, the FWK process may unexpectedly exit.

PRJ-43671,
PMTR-89323

Multi-Portal

In a rare scenario, the MPDAEMON process may fail to start on one of the cluster members.

PRJ-41472,
PRHF-25382

Internal CA

When managing cloud Gateways, the FWM process memory usage may increase.

PRJ-42904,
PRHF-26659

Internal CA

The certificate in SmartConsole is shown as valid, although it is expired.

PRJ-41599,
PRHF-25439

Threat Prevention

Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value.

PRJ-42022,
PMTR-88108

Threat Prevention

Some logs with IP observables from custom intelligence feeds may be suppressed, although they contain different IP addresses.

PRJ-41483,
PMTR-88110

Threat Prevention

Custom intelligence feeds load may fail because of a parsing issue.

PRJ-42287,
PRHF-26079

Threat Prevention

The "ioc_feeds set interval -r" command may fail.

PRJ-42196,
PMTR-88923

Threat Prevention

Files related to IoC may not be entirely removed from the disk after the feed removal.

PRJ-42365,
PRJ-41688

Threat Prevention

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

PRJ-42586,
PMTR-88424

Threat Prevention

When using a host with automatic static NAT in a Threat Prevention policy object, the object will not be enforced.

PRJ-41637,
PRA-3254

Threat Prevention

The Security Gateway becomes unresponsive when loading external IoC feeds on a Security Gateway with EXT3 filesystem.

PRJ-43367,
PRJ-43360

Threat Extraction

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

PRJ-43504,
PRHF-26475

Application Control

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

PRJ-42507,
PRHF-26186

Application Control

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

PRJ-43000,
PRHF-24890

Identity Awareness

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

PRJ-42340

Identity Awareness

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

PRJ-42934,
PMTR-88806

Identity Awareness

The PDPD process may cause CPU spikes during cluster failover.

PRJ-42996,
PRHF-23473

Identity Awareness

There may be connectivity issues and high CPU spikes on PDP when installing policy.

PRJ-43731,
PRHF-25083

Identity Awareness

Connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs.

PRJ-42592,
PMTR-88426

IPS

The Security Gateway may crash during policy installation because of a memory allocation problem.

PRJ-41656,
PRHF-25585

IPS

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

PRJ-41464,
PRHF-25330

IPS

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

PRJ-43584,
PRHF-27076

DLP

A memory leak may occur in the DLPU process.

PRJ-43829,
PMTR-89510

Anti-Virus

When the RAD process exits with a timeout, the Blade name shown in the SmartConsole log card is incorrect.

PRJ-44010,
PMTR-89738

Anti-Virus

The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade.

PRJ-43414,
PMTR-87254

SSL Inspection

In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

PRJ-43182,
PRHF-26878

SSL Inspection

The WSTLSD process may unexpectedly exit and create core dump files.

PRJ-43892,
PRHF-26317

SSL Inspection

In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473.

PRJ-43359,
PRJ-43681

SSL Inspection

In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode.

PRJ-42152,
PRJ-41973

Mobile Access

After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing.

PRJ-44292,
PRHF-27598

Mobile Access

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

PRJ-42469,
PRHF-26292

Mobile Access

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

PRJ-43226,
PRHF-25249

Mobile Access

Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

PRJ-43618,
PRHF-25371

Mobile Access

Access to a web application that uses WebSocket protocol may not be possible.

PRJ-41728,
PRHF-24710

ClusterXL

The cphaprob show_bond command does not show newly added slaves from Virtual Systems (VSs).

PRJ-43117,
PMTR-87809

ClusterXL

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

PRJ-43004,
PRHF-26722

ClusterXL

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

PRJ-44169,
PRHF-27330

ClusterXL

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

PRJ-42929,
PMTR-88804

ClusterXL

A Hide NAT port may be allocated twice causing the "out of state" drops.

PRJ-42465,
PRHF-26264

ClusterXL

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

PRJ-42576,
PRHF-25865

SecureXL

Multicast traffic may get dropped, and no logs are generated.

PRJ-44132,
PMTR-89935

SecureXL

IPv6 template is not created when the connection is NATed.

PRJ-43980,
PMTR-89372

SecureXL

In a rare scenario, a CPAQ message sent during policy push does not have critical priority, and can be dropped when the Security Gateway is busy.

PRJ-42897,
PRHF-26517

SecureXL

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

PRJ-42446,
PRHF-26215

SecureXL

The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN".

PRJ-42074,
PRHF-25880

SecureXL

In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot.

PRJ-43923,
ROUT-2460

Routing

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

PRJ-41709,
PRHF-25613

Routing

The ROUTED process may unexpectedly exit when the route does not have a next hop.

PRJ-43411,
PRHF-6347

Routing

The ROUTED daemon may repeatedly exit when using PIM in Sparse mode (SM).

PRJ-41725,
PRHF-25460

Routing

The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931.

PRJ-44373,
PMTR-88972

Routing

OSPF routes may not be redistributed after reboot.

PRJ-44260,
PRHF-27407

Routing

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

PRJ-42381,
PMTR-87326

VPN

The IKED process unexpectedly exits when the "Aggressive SLP" (Simultaneous Login Prevention) feature is enabled.

PRJ-44945,
PRHF-28050

VPN

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

PRJ-42176,
PRHF-24166,

PRJ-43714,
PRHF-27256,

PRJ-42654,
PRHF-26482

VPN

  • NAT-T traffic may stop matching the implied rule after policy installation and is dropped with "IKE_NAT_TRAVERSAL Traffic Dropped from x.x.x.x to y.y.y.y" message in SmartLog.

  • VPND and IKED stability issues occur when loading newly created LDAP group objects.

Refer to sk180530.

PRJ-42730,
PRHF-26453

VPN

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

PRJ-43387,
PRHF-27010

VPN

After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only.

PRJ-43551,
SDWANGW-1205

VPN

VPN stability issues.

PRJ-43300,
PRHF-26853

VPN

Stability issues for Data connections (RDP / RTP / FTP / ETC). Refer to sk179651.

PRJ-42562,
PRHF-26325

VPN

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

PRJ-43348,
PRHF-25367

VPN

StrongSWAN Remote Access client can connect but fails to access internal resources.

PRJ-42880,
PRHF-26241

VPN

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

PRJ-41561,
PRHF-25552

VPN

After an upgrade, the community name may not be visible from SmartView Monitor, and the "snmpwalk" command returns an empty value for this entry.

PRJ-42763,
PRHF-26567

VPN

Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error.

PRJ-41698,
VSX-2670

VSX

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

PRJ-40976,
PRHF-23107

VSX

SecureXL may not let HTTPS traffic pass through a Virtual Router (VR).

PRJ-43005

VSX

Some connections inspected by Threat Prevention Blade may not be closed successfully, which leads to connectivity issues.

PRJ-43357,
PMTR-89245

VSX

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

PRJ-43652,
PRHF-27195

Gaia OS

When setting password hash on cloning group members, some members may not get updated.

PRJ-42527,
PRHF-26323

Gaia OS

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

PRJ-42646,
PRJ-43428

Gaia OS

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

PRJ-42963,
PRHF-26713

Gaia OS

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

PRJ-42221,
PRHF-25947

Gaia OS

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

PRJ-42625,
PRHF-26432

Gaia OS

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

PRJ-44162,

PRJ-43959

Gaia OS

When uninstalling a Jumbo Hotfix, some of the Management APIs may not work. The "gaia_api status" command returns an error and requests may fail.

PRJ-43564,
PRHF-27096

Gaia OS

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

PRJ-42930,
PRHF-24249

Gaia OS

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

PRJ-44239,
PRHF-27526

Gaia OS

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

PRJ-43987,
PRHF-27222

Gaia OS

The "lldpneighbors" Clish command may have a corrupted output.

PRJ-42195,
PRHF-25359

Gaia OS

When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed.

PRJ-42255,
PRHF-26113

Gaia OS

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

PRJ-41687,
PRHF-25430

Gaia OS

In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function.

PRJ-43263,
PRJ-43140

Gaia OS

After an upgrade, the RADIUS Server is unavailable and authentication fails.

PRJ-41614,
PMTR-87176

Gaia OS

Information about scheduled backup failure is now displayed in Clish, WebUI, and in the error message inside the log file.

PRJ-43133,
PMTR-88415

Harmony Endpoint

Endpoint Web Management service may fail to delete old logs.

PRJ-42954,
PMTR-88744

Harmony Endpoint

In an environment with the Endpoint Security Server, Jumbo Hotfix Accumulator installation may take a long time.

PRJ-43069,
PRHF-26666

CloudGuard Network

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

PRJ-43579,
PMTR-89444

CloudGuard Network

When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails.

PRJ-43074,
PRHF-26286

CloudGuard Network

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

PRJ-43260,
PRHF-26750

CloudGuard Network

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

PRJ-42011,
PRHF-25644

CloudGuard Network

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

PRJ-42116,
PRHF-25910

CloudGuard Network

AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC).

PRJ-43648,

PMTR-88995

CloudGuard Network

Connectivity issues may occur between the Security Gateway and cluster on Alibaba cloud.

PRJ-41535,
PRHF-11703

VoIP

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651.

PRJ-42700,
PRJ-42696

VoIP

In some scenarios, when using static NAT, VoIP traffic may be affected.

PRJ-43078,
PRHF-26401

VoIP

While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

PRJ-41836,
PRHF-25720

Scalable Platforms

SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926.

PRJ-42014,
PRHF-24199

Scalable Platforms

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Module (SGM).

PRJ-42948,
MBS-11024

Scalable Platforms

Optimized the SNMP communication between Security Gateway Module (SGM) and Security Switch Module (SSM) to prevent timeouts.

PRJ-43420,
PRJ-43361

Scalable Platforms

The "set expert-password-hash" command may fail to update the password hash on all cluster members.

PRJ-43490,
PRJ-43488

Scalable Platforms

Running the "show" or "set" commands for SSH in gClish fails.

PRJ-44778,

PRJ-44600

Scalable Platforms

Uninstalling a Jumbo Hotfix from Maestro Orchestrator may cause the REST Server initialization to fail and lead to connectivity issues.

PRJ-42754,
PRHF-26604

Scalable Platforms

When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name.

PRJ-42193,
PMTR-87997

Scalable Platforms

Upgrade rollback may not be performed successfully on a Security Group if Security Gateways were upgraded via CPUSE to a new major version more than once.

PRJ-43601,
PRJ-43213

Scalable Platforms

The task in "cpd_sched_config" is not correctly added and performed because of predefined NTP Servers.

PRJ-42515,
PMTR-88150

Scalable Platforms

Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic.

PRJ-43309,
PRJ-43307

Scalable Platforms

Minor packet drop may occur during Maestro Orchestrator graceful reboot.