List of All Resolved Issues and New Features in R81.20 Jumbo Hotfix Accumulator

NEW: In SmartConsole, the CSV export file of Access Policy NAT rules now contains the hit count data: "Hits", "First Hits" and "Last Hits" columns.

• Requires R81.20 SmartConsole Build 661 or higher.

NEW: Updatable objects can now be updated through the Security Management Server by adding the "<ProxyRoute>1</ProxyRoute>" configuration entry in the $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml file on the Security Gateway. This enables proxy-based updates.

NEW: Added protection that prevents multiple unsuccessful login attempts from Endpoint Security Client users connecting through a Remote Access VPN to the Security Gateway. This protection prevents brute-force attacks on Endpoint Security Client users' passwords. Refer to sk182087.

UPDATE: The Management API command "set-https-rule" now automatically sets the negative value to "false" when modifying the destination, source, service, or site-category fields, regardless of its previous setting.

UPDATE: Improved Log Sharing functionality in the Infinity Portal, focusing on core stability and log status accuracy and detail level.

UPDATE: SD-WAN is now supported when SecureXL User Space Mode (UPPAK) is enabled.

UPDATE: Maestro Orchestrator WebUI now previews topology changes and summary before applying, improved the error handling.

UPDATE: New features and improvements are released in Take 124 via self-updatable package. Refer to sk170314.

In some scenarios, the webservices_cmas_ports.conf file is not updated after Domain deletion from the Multi-Domain Security Management Server, and contains ports of deleted Domains.

The on-premises Security Management Server with a proxy address configured may fail to connect to the Infinity Portal.

When the Security Management has an additional NAT configuration in the SD-WAN policy (Infinity Portal), an indicating banner may not appear in SmartConsole NAT Rule Base. This is a cosmetic issue.

• Requires R81.20 SmartConsole Build 661 or higher.

In rare scenarios, in Multi-Domain Security Management environments, login to Smart Console fails.

The server.log file of the ICAP Server is filled with "Failed to scan web object" entries. This is a cosmetic issue.

In a rare scenario, when multiple Elephant Flows are running in parallel in the accelerated pipelining path, there may be high CPU utilization. Refer to sk183007.

When using HTTP/2 through a proxy, the Security Gateway may incorrectly add carriage return and newline characters (\r\n) to the X-Forwarded-For (XFF) header. This causes the header to become invalid and results in a connection failure. This issue only occurs when the Gateway is configured as a proxy.

Security Gateway with QoS enabled may crash because of a rare race condition.

In a star community topology, SD-WAN overlay traffic connectivity may be disrupted due to unexpected routing and encryption configurations.

In some scenarios, when SD-WAN policy is enabled, open connections are not routed according to the SD-WAN decision.

In a rare scenario, Anti-Virus blade prevents benign traffic due to improper parsing of URL observables in IoC feeds. Refer to sk181519.

IDA Captive Portal may not be available after Jumbo Hotfix Accumulator installation or after an upgrade using the Blink image. Refer to sk172324.

In rare scenarios:

• The PDPD process may become unresponsive during termination.

• PDP to PEP Identity synchronization fails on the PEP side when Identity Sharing is configured with PUSH Identity Sharing.

Refer to sk182613.

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

In some scenarios, after an update of the OS route configuration, there may be a significant delay in traffic passing through the Security Gateway when SecureXL works in the User space (UPPAK) mode. Refer to sk182740.

SW RAID (RAID-1) fails to resynchronize after formatting one of the SSD drives. This is applicable for these appliances: 15400,15600, 5900, 6800, 16000, 16000T, 26000, 26000T, 6900, 7000, 16200, 28000, QLS250, QLS450, QLS650, QLS800, MLS200, MLS400.

There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730.

The IKED daemon may exit during IKEv2 negotiation of SD-WAN with a DAIP peer.

An ECDH object may be deleted before its associated event is completed processing.

After a Jumbo Hotfix upgrade, the Mail Transfer Agent may fail on all Virtual Systems except one.

See the Important Notes section.

During the Jumbo Hotfix Accumulator installation on an R81.20 Security Gateway or when adding a new Security Gateway to the environment, the member's state may experience intermittent flapping.

A Maestro Security Group Member may fail to initialize after enabling IPv6 and is stuck with pull_config pnote.

In a rare scenario, the FWK process may exit due to a race condition.

In a Maestro environment, enabling SecureXL User Mode with non-compatible acceleration cards causes connectivity issues. To restore connectivity, set all members' SecureXL mode to Kernel mode and perform a gradual Security Group reboot.

See the Important Notes section.

NEW: Added a new Management API command which displays API usage statistics - "api stats" . It can be run on the Security Management Server or Multi-Domain Security Management Server. For detailed usage instructions, run "api -h".

UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.61 to fix: CVE-2023-31122, CVE-2023-43622, CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573.

UPDATE: The "set threat-exception" Management API command now includes the "protection-or-site" parameter. When specified, this parameter adds new values to the existing list of protections or sites, instead of overwriting the current entries.

UPDATE: Added ability to increase/decrease DNS cache table size.

UPDATE: Improved the performance and scalability in SD-WAN Monitoring.

UPDATE: Identity Collector OIDs for SNMP queries are now available in both $CPDIR/lib/snmp/chkpnt.mib and $FWDIR/conf/identity_server.cps locations.

UPDATE: Improved throughput of GRE tunnels configured on the ports of the 100G Acceleration Card when SecureXL works in the KPPAK mode.

UPDATE: Added Update 19 of HealthCheck Point (HCP) Release. Refer to sk171436.

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

In some scenarios, the Security Management Server upgrade fails with "creating default objects and restarting services" during the import phase.

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

When exporting a policy to a CSV file, the process fails silently if any rule within the policy has a name or comment in UID format. No clear error message is provided to indicate the cause of the failure.

The "show-domains" Management API command may return partially deleted domains among the results.

Audit logs may not be generated when changes are made to an inline (shared) layer that appears multiple times within the same policy.

In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file.

The Database Installation progress bar may not update during task execution.

Searching for a Data Center asset IP address in the policy may not return results.

In some scenarios, policy installation using Management API with the "prepare-only" parameter set to "true" may fail with an "internal error" message.

In rare scenarios, when Application Control blade is enabled, cloning a policy may fail due to timeout.

Enabling IPS on Multi-Domain Security Management Server may cause Threat Prevention policy installations to fail due to legacy IPS multi-profile incompatibility.

Global Domain Assignment fails with an "Internal Error" message when performed on a Multi-Domain Security Management Server containing over 32,000 revisions.

In some scenarios, Domain deletion may fail with a "delete domain failed: null" message.

The Multi-Domain Security Management Server experiences high CPU usage when communicating with the Multi-Domain Log Server. And the cpm.elg log prints the "You have reached the maximum number of active session" error. Refer to sk182738.

The "show lsm-cluster" Management API command fails with a "Null Pointer exception: null" message if the "membersNetworkOverride" field is empty.

In some scenarios, opening new tab in SmartConsole Logging & Monitoring tab fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732.

In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole. However, the new Log Exporter object is not actually generated.

The "asg monitor" command may show the Security Gateway in the "during upgrade" state although a major downgrade is complete.

Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725.

In some scenarios, the Security Gateway does not free some packets causing a memory leak.

The Security Gateway may crash during large memory allocation operations in specific applications.

The Security Gateway may crash after a failure in policy installation.

In a rare scenario, when SD-WAN transport is incorrectly marked as "UP" despite its underlying ISP interface is "DOWN", traffic fails to reach the remote peer because of incorrect routing decisions.

The Threat Prevention policy installation may fail when installing from R81.20 SmartConsole on R80.x Security Gateway.

In some scenarios, the TPD daemon may cause high CPU usage because of a large amount of logs.

In a rare scenario, Anti-Bot and Anti-Virus packages may be seen as not updated in SmartConsole, even though the packages are updated.

In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Any groups beyond this limit are disregarded when determining user access roles.

In a rare scenario, when IPS is enabled and logging on a rule that involves IPS is enabled, physical memory usage may rapidly increase.

When Anti-Virus is enabled, in a rare scenario, a memory leak in the FWK process may occur on the Security Gateway.

In some scenarios, the Anti-Virus Blade logs on a VSX Gateway may display an incorrect origin IP address.

VSX Cluster Members with VLAN interfaces change their cluster state to "Down" and "Active!" after installing the R81.20 Jumbo Hotfix Accumulator Take 89. Refer to sk182819.

See the Important Notes section.

In some scenarios, the VSX cluster can take extra time to boot up and activate the Virtual Systems.

When SecureXL User Mode (UPPAK) is enabled and running ESP traffic, packet loss may occur and the "fwconn_key_init_links failed" error is printed. Refer sk182775.

In some scenarios, the Security Gateway may crash when SecureXL User Mode (UPPAK) is enabled.

The USIM process may unexpectedly exit when these parameters are enabled in the $PPKDIR/conf/simkern.conf file:

• "sim_top_conns_enable" - the tracking of the top connections.

• "sim_top_proto_enable" - the tracking of the top protocols.

The ROUTED daemon may exit with a core dump during a BGP or OSPF restart.

Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of medium path, Quality of Service (QoS) controls, and VPN.

Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason.

Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment.

In some scenarios, the VSX cluster can take extra time to boot up and activate the Virtual Systems.

Traffic from a Host behind a Virtual System in a VSX Cluster / Scalable Platform Security Group in the VSX mode does not reach the destination. Refer to sk180441.

The "cpviewd: unable to read from gpio_nuvoton driver module. snmpd: unable to read from gpio_nuvoton driver module" messages may be printed in /var/log/messages.

Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds.

The $UEPMDIR/engine/uepm-jms-data directory size can increase because queued requests get accumulated on the Server.

When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only.

After upgrade on Quantum Maestro and Scalable Chassis, when working in SecureXL User Mode (UPPAK), policy installation may fail.

Using Image Cloning when the same VMAC feature is enabled may cause a boot loop.

NEW: Added a new "show-statuses" boolean parameter to the "show lsm-gateway" and "show lsm-cluster" Management API commands. When set to "true", this parameter displays the Security Policy and Provisioning Settings statuses for the LSM Security Gateway or Cluster.

NEW: In SD-WAN, added support for:

• Traffic steering based on Differentiated Services Code Point (DSCP).

• Rule based NAT per ISP.

UPDATE: Resolved CVE-2024-31497. The Putty version used in the Mobile Access Portal Embedded SSL Network Extender application is upgraded from version 0.80 to version 0.81.

UPDATE: Policy installation duration with hundreds of layers is improved by approximately 30%.

UPDATE: Optimized the Generic Data Center JSON file processing on the Security Gateways to improve performance when handling large numbers of IP ranges.

UPDATE: Added the "trackSettings.forensics" parameter to the "threat-rule" Management API command to enable and disable the "forensics" option in the "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true".

UPDATE: New features and improvements are released in Take 118, Take 119, Take 120 via self-updatable package. Refer to sk170314.

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file.

If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance.

The Revisions Purge process may stall if initiated after restarting the Security Management Server or Multi-Domain Security Management Server because of remnants of a previously interrupted Revisions Purge operation.

The database size on the Secondary Management Server increases if dbedit is used without making or saving any changes. Refer to sk182519.

In rare scenarios, revert to a Database Revision may get stuck on 60% and eventually fail.

In rare scenarios, login to SmartView web application using the Domain IP address or Domain name fails.

In rare scenarios, the CPD process may unexpectedly exit and create a core dump file.

Global Domain Assignment may fail with "Internal Error", if the assigned Domain is currently Active on a different Multi-Domain Security Management Server.

In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file.

When adding a table widget to a SmartView report:

• The "Missed Malware Activity" and "Spyware Action" fields may not be possible to pick.

• The "Malware Action" filter may appear twice in the picker. Refer to sk182049.

The FWD process may exit and cause issues with opening packet capture files on remote members.

Incorrect value in the "fwisusfw" register causes improper CPU affinity and dynamic balancing initialization in User Space Firewall mode after an upgrade. Refer to sk182004.

A buffer overflow may occur in the HTTP flow, affecting the FWK process.

Memory leak may occur in SecureXL templates. Refer to sk182648.

See the Important Notes section.

The PDPD process memory consumption may be high when using an Azure AD object.

Outages may occur when the FWD process exits or restarts and Security Group member goes down triggering Scalable Chassis failover.

SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other Threat Prevention products are disabled.

In rare scenarios, policy installation may fail after an upgrade of a VSX Gateway.

When using ICAP, filename handling occasionally fails. As a result, the Threat Emulation Blade may not be able to process this specific file.

In rare scenarios, while handling new connection, the PDPD process can become unresponsive. Refer to sk182220.

In scenarios where there is a heavy load on the machine, the RAD queue can fill up and get clogged by unhandled requests, causing an outage and traffic disruption.

HTTPS access to the Mobile Access Portal may be down.

After modifying a bond, the Monitored VLANs may disappear. Refer to sk180724.

When attempting to set a MAC address for a VXLAN interface using Clish, Clish displays a warning message and prevents the MAC address from being set.

In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures.

Dynamic Routing outage in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation / uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556.

Graceful Restart may end prematurely in OSPF NSSA areas.

The "vpn tu tlist" command may take a long time to execute, depending on the number of disconnected tunnels.

BGP peering over Route-based VPN may fail because Azure cluster members use their own IP address as source instead of the Virtual IP address, preventing proper routing protocol establishment.

In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connection going through a Site to Site VPN to a remote location, may be dropped with "First packet isn't SYN".

See the Important Notes section.

Security Group Member in a VSX environment is in a boot loop after creating a new Virtual System with a WRP interface. Refer to sk182476.

• In some scenarios, the FWM process may unexpectedly exit and generate a core dump every few days, when the Compliance Blade is enabled and the scheduled full scan is not configured according to sk182507.

• More core dumps may be generated after following the instructions in Section 1, refer to Section 2 in sk182507.

See the Important Notes section.

When working in Firewall Kernel Space Mode (KSFW), SD-WAN policy installation may fail with “Failed to enforce new policy. Reason: Failed to lower support_fec flag(Return code: 10)”.

NEW: Added the ability to unset a persistent environment variable, using the "-u" flag for the override_server_setting.sh script introduced in sk165938. Upon execution, the specified property is now removed from the $MDS_FWDIR/conf/cpmEnvVars.conf file.

NEW:

• Added ARP Next-Hop prober to enhance support for additional network topologies.

• Introduced HTTP prober to reflect real-time Web Access metrics.

• Implemented Link Aggregation mode proportional to Download and Upload bandwidth.

• Administrators are now able to override SD-WAN interface Circuit configuration.

• Integrated Forward Error Correction to ensure successful traffic delivery by adding error correction code packets to the Overlay packet stream.

• Introduced Dynamic Objects (SD-WAN Internet, My VPN Domain, and Peer VPN Domain) to better represent Overlay and Internet address spaces.

• Added administrator control for Symmetric Packet Return, forcing Ingress Traffic to be replied on the same ISP.

• Enabled SD-WAN Overlay establishment across different Domains using Global VPN Community (MDS).

• Allowed SD-WAN Overlay to operate on top of Route-based VPN.

• Increased maximum Overlay size to support up to 500 Security Gateways.

• Improved accuracy of SD-WAN decision-making during policy installation.

• Enabled setup of IPv4 SD-WAN overlay when non-SD-WAN IPv6 interfaces are configured.

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. Refer to sk182743.

UPDATE: Various Web Portals on the Security Management Server (for example, Web SmartConsole, SmartView) no longer accept HTTPS connections to ports 443 and 19009 with specific TLS 1.2 ciphers. Refer to sk181879.

UPDATE: Changed the hardware name "1570R Appliances" to "1570R/1575R Appliances" in the Security Gateway editor in SmartConsole and SmartProvisioning.

• Requires R81.20 SmartConsole Build 656 or higher.

UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism.

UPDATE: Optimized Hyperflow wake-up process on smaller appliances (up to 32 cores) now uses only two cores initially, reducing resource contention and improving stability during Elephant Flows.

UPDATE: The performance of the thread blocker feature (sk180437) is now improved and the feature is re-enabled.

UPDATE: SSL Network Extender is updated to version 80008409.

UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices.

UPDATE: Extended the "allowed-client" setting to enforce IP restrictions for both password and SSH key authentication methods, providing more comprehensive access control.

UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1".

UPDATE: Removed the ability to delete the "_lldp" internal user in Gaia OS to prevent traffic impact. Refer to sk182026.

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188.

Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".

• The fix requires the upgrade to be done using a Blink image or the Advanced Upgrade method.

In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, the CPCA process on the Security Management Server / Domain Management Server may exit unexpectedly, creating a core dump file. Refer to sk183101.

In rare scenarios, login to the Security Management Server may fail with timeout and the FWM process on the Management Server may unexpectedly exit, creating a core dump file.

After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and are unable to perform certain management tasks, such as enabling or disabling blades.

The "domains_tool -report" command may fail if more than sixteen host objects are defined as DNS Servers in the environment.

When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time.

Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled.

In rare scenarios, if a Star VPN Community object is created, publish operations may fail.

Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected.

In some scenarios, SmartConsole may unexpectedly disconnect.

In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually.

Objects Explorer search fails with "Error retrieving results" when more than twenty thousand IP addresses match the search criteria.

Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

In rare scenarios, the CPD process may exit with core dumps.

The Management API command "get-interfaces" may return subordinate physical interfaces of a bond interface.

When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY".

In some scenarios, in a Multi-Domain Security Management environment, creating a Domain on a remote Multi-Domain Management Server may fail with "Check connectivity between Domain Servers IPs and initialize SIC manually" error.

In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800.

Log Exporter may unexpectedly exit when using a non-RSA certificate.

The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB).

Log searches for the same time period may return more results in SmartConsole compared to SmartView.

In SmartView, some countries are not displayed in the countries picker.

In rare scenarios, Zero Phishing logs may disappear from the SmartConsole Logs view.

In some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID".

The RAD process exits and creates a core file on the Security Gateway.

In some scenarios, when SecureXL User Mode is enabled, the Security Gateway drops traffic after it was processed.

In some scenarios, websites that use HTTP2 protocol do not load properly.

In some scenarios, the Security Gateway offloads connections to SecureXL in error when the initial route lookup could not find a route for it.

CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released. CPCA closes the connection prematurely.

In rare scenarios, when the Anti-Virus, Threat Extraction and Threat Emulation Blades are enabled, some connections that were on hold are dropped.

In some scenarios, the PEPD process may consume a high CPU because of a high rate of identity propagation. Refer to sk182588.

A connectivity issue may happen when processing a specific HTTP2 traffic.

The DLPU process may unexpectedly exit due to uninitialized memory when the Anti-Virus Blade scans files. Refer to sk182030.

The HTTPD process of the Mobile Access Portal may exit with a core dump file.

In a rare scenario, the FWK process consistently exits causing failovers. Crashes may happen on both cluster members.

In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error.

When SecureXL User Mode (UPPAK) is enabled, packets originating from the Security Gateway may not be fragmented properly.

When SecureXL User Mode (UPPAK) is enabled, in some scenarios, a VSX Security Gateway with many Virtual Systems may crash.

In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out.

In some scenarios, traffic with Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSX Security Gateway.

In some scenarios, the VSX Security Gateway may fail to properly reroute traffic originating from a Virtual Switch.

OSPFv3 NSSA may fail to re-originate Type 7 LSAs after an OSPFv3 process restart, disrupting proper route propagation.

Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on".

Gaia Portal operation mode options are not visible in the Editing Bond window. Refer to sk182432.

Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783.

During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them.

During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big".

Tunnel testing fails after an upgrade. Refer to sk182267.

In a VSX Cluster with IPv6 enabled, after an upgrade, VS's without IPv6 address may fail to install the Access policy.

Upgrade failures may occur when the source server contains an existing am_top_infections_master view, as the upgrade process attempts to drop and recreate this view during the final stages of the Endpoint Server database schema update.

In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state.

When different Network Interface Card models are attached among Maestro Security Group members, it may trigger unnecessary reboots.

After changing the CoreXL configurations of a VS in SmartConsole, the dynamic split state switches to off until the "g_dynamic_split -r" command is performed.

The "distutil" script may take a long time to run in an environment with many VS's.

When the Compliance Blade is enabled, the FWM process may unexpectedly exit and generate a core dump. Refer to sk182507.

See the Important Notes section.

NEW: Added ability to import PKCS#12 files using AES-256-CBC encryption with PBKDF2-HMAC-SHA-256. This enhancement is designed for use in multi-portal environments and HTTPS Inspection scenarios.

NEW: This Jumbo Hotfix Accumulator Take introduces enhanced protection against zero-day attacks. It detects and blocks advanced malware variants by automatically analyzing and identifying communication patterns. The feature is disabled by default. Refer to R81.20 Threat Prevention Administration Guide.

NEW: Added support for AWS Elastic Network Interfaces (ENIs). These ENIs can now be viewed and managed in SmartConsole, similar to how other supported Data Center objects are handled. The feature is disabled by default. Refer to R81.20 CloudGuard Controller Administration Guide > Supported Data Centers > CloudGuard Controller for Amazon Web Services (AWS).

UPDATE: Added an ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033.

UPDATE: In the Change Report, updated some portions of the translated GUI.

UPDATE: Added the "SecureXL" filter to the "cpview -m -f" command, which allows to extract to Skyline all the information related to SecureXL drops. Refer to the Skyline Metrics Repository.

UPDATE: If inspection logging is configured, the "Inspect" log now displays the negotiated ciphers and TLS version used for successful inspections, both between the client and the Security Gateway, and between the Security Gateway and the Server.

UPDATE: The DOS/Rate Limiting feature can now run in SecureXL User Mode (UPPAK) environments without a Light Speed, allowing IoC Feeds that use it for enforcement to function properly.

UPDATE: jQuery UI is upgraded to version 1.13.2.

UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region.

UPDATE: Added Multi-Queue support for Microsoft Azure Network Adapter (MANA) accelerated network interfaces.

UPDATE: New features and improvements are released in Take 100, Take 102, Take 104 and Take 111 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string&CURRENTVERCMP" error.

Deleting a domain may fail when using the createDomainRecovery.sh script.

In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822.

There may be synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Server when a newly created local administrator on the backup Security Management Server makes changes to rules or objects, after the Active role is switched to that Security Management Server.

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file.

In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886". sk178886 describes a different scenario and does not resolve the issue.

Changes Report may allow to list certain directory contents.

In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted. Refer to sk181454.

In Multi-Domain Security Management environments, High Availability synchronization issues may arise after making and publishing changes through the SmartTasks feature in SmartConsole for a local Domain.

In rare scenarios, after an upgrade or a Domain migration:

• Policy installation might fail with "ERROR: Duplicate keys xxxxxxxx in table 'gw_properties".

• DAIP Gateway objects will have duplicate IP addresses.

  Refer to sk181834.

The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt.

Enabling automatic updates of Trusted CAs as described in sk173629 may fail.

In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view.

In rare scenarios, High Availability synchronization fails with "Peer is busy".

The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks.

In Multi-Domain Security Management environments with over two hundred administrators, Domain creation may fail with "Timeout expired while waiting for permissions calculation".

In a Multi-Domain Security Management environment, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred"

The "cprlic get" command output may not provide correct information about vSEC licenses.

SmartConsole slowness when adding applications to rules. Refer to sk182063.

The Management API command "set-lsm-gateway" with the "sic.ip-address" parameter may fail with "Establish SIC failed. Reset SIC on gateway and try again." when resetting SIC.

When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677.

In Quantum Smart-1 Cloud environments, exporting more than five thousand logs to CSV may fail.

In rare scenarios, the FWD process on the Security Gateway may reach out of memory and produce a core dump file of around 3GB.

The "cpstat -h log server ip ls -f logging" command fails when running it from Security Management.

Running GTP traffic may cause a crash on a Security Gateway without a GTP license.

There may be log entries related to the drop optimization feature, although the dropped traffic matches a non-logging rule.

The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process.

Traffic outages may occur because of high utilization of CPU cores that run CoreXL SND instances. Refer to sk181996.

A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart.

After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found".

In rare scenarios, a file downloaded via HTTP may be corrupted.

When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:

• A DNS query to any ISP returns IP addresses of all three, although it should return only the active ISP.

• When one ISP is down, the faulty ISP is also returned instead of the newly active.

In a rare scenario, because of a memory allocation issue, the Security Gateway may crash and reboot.

In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base.

The Security Gateway may crash during policy installation.

Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are active. Refer to sk181793.

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225.

In a bond failover setup with the XOR bond mode, rapid toggling the port states causes the switch to display incorrect "connected" port statuses for both ports, despite one port being actually down, leading to a non-functioning bond interface.

The "ioc_feeds" CLI command with the "--transport local_directory" argument may fail to load feeds.

When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access.

After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946.

During policy installation, users authenticated using the Captive Portal may get disconnected.

In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration.

There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade.

In a rare scenario, the Security Gateway crashes due to memory corruption caused by the Anti-Virus blade.

SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805.

See the Important Notes section.

The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster.

The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list.

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch.

There may be a delay in enforcing DOS/ Rate Limiting rules to drop packets when concurrent connection limits are exceeded.

In some scenarios when Route based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address.

Entering Maintenance Mode during the boot process may result in disabling SecureXL User Mode (UPPAK).

When SecureXL User Mode (UPPAK) is enabled, there may be some increased latency when sending cleartext traffic between a Virtual System and a Virtual Router.

DOS/Rate Limiting commands that require a change from default configuration are not allowed to run in SecureXL User Mode (UPPAK) . "ERROR: fwaccel_dos: DOS features are not supported for SecureXL User Space Mode with LightSpeed" is printed in the /var/log/messages file.

ROUTED process assert failure may take place when LSA from a neighbor's retransmission list is freed if that LSA belongs to the max age hold tree that is flooded at max age.

BGP peers may experience timeouts when these conditions occur simultaneously:

• The network has more than 100 BGP peers configured,

• The routing table contains tens of thousands of routes,

• BGP tracing is enabled,

• The BGP timers (such as keepalive and hold timers) are reduced from their default values, making the peers more sensitive to delays or congestion.

Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated.

It may not be possible to propagate a newly added static route through OSPF.

In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor.

Establishing an IKEv2 tunnel with Cross AZ Cluster may fail.

In a rare scenario, while connecting SNX client, the VPND process may exit.

In Cross-AZ clusters, when using probing-based link selection for High Availability and Load Sharing, there may be a potential VPN traffic outage. Refer to sk181909.

When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues.

When adding a new Virtual System, a CPD core dump file may be generated.

The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922.

In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory.

Removing unused built-in user called "cp_ender" that may appear in Gaia OS after an upgrade. Refer to sk182185.

In an on-premises environment, large Active Directory groups with more than 1500 members appear empty or have incomplete membership information.

In some scenarios, Unified Endpoint Policy Management (UEPM) database upgrade fails or takes a long time during the scripts stage.

SmartEndpoint creates an empty "Policy Report" CSV file.

CloudGuard Controller synchronizes cloud object configurations with a noticeable latency, reflecting the updates made to those objects in the cloud environment after a significant time delay.

Excessive CPU usage occurs on a Maestro Security Group because of exhaustion of available NAT ports when traffic is subjected to NAT and Layer 4 (L4) load distribution is enabled. Refer to sk181925.

After a failover scenario, the "m site-id member-id" command requires reauthentication.

When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are.

Member state may flap between Active and Ready.

In a rare scenario, file system corruption may lead to a failure identifying the Maestro Orchestrator hardware model during the Maestro Orchestrator OS boot process, causing the boot to fail.

An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and therefore may differ between members.

In a rare scenario, when a Maestro Security Gateway is active again after a reboot, and LightSpeed is used, the LACP bond may drop incoming and outgoing packets.

UPDATE: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or lower, and not updated after the upgrade to R80.30, is blocked until the password is reset. Refer to sk182336.

CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336.

During an upgrade from R80.40 to R81.20 in a cluster environment, connectivity to the new member may be lost.

See the Important Notes section.

After installing R81.20 Jumbo Hotfix Take 54 on Quantum 3600/3600T/3800 appliances, CPView, WebUI, and the "show sysenv all" command in CLI display illegal values for fan speed. The issue is cosmetic only. Refer to sk182305.

NEW: This Jumbo Hotfix Take introduces support for new Quantum Force appliances 19100 / 9800 / 9700 / 9400 / 9300 / 9200 / 9100 appliances. Refer to sk181698 and to sk180520.

• Requires installing SmartConsole R81.20 Build 653 or higher.

NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol.

This ability is enabled by default.

• To disable this ability, run: "fw ctl set int appi_drop_packet_enabled 0".

• To enable this ability, run: "fw ctl set int appi_drop_packet_enabled 1".

NEW:Added support for a new tool (shell script) on a Management Server that can show and renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways and VSX Virtual Systems. Refer to sk182070.

UPDATE: SD-WAN Logs now appear in the dedicated SD-WAN log card in SmartView and SmartConsole.

UPDATE: Creating a Domain via Management API now allows the allocation of the Domain IP address from a predefined IP address range on the Multi-Domain Security Management Server.

UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions.

UPDATE: Added an option in ICAP Server for logging benign files scanned by the Anti-Virus Blade. By default, logging for benign files is disabled. To enable it, add to the ICAP Server configuration file this entry: "LogBenign on".

UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server.

UPDATE: Added Update 2 of Server-Side Change Report Generator Release Updates. Refer to sk179508.

UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056.

UPDATE: Added Take 77 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Update 15 and Update 16 of HealthCheck Point (HCP) Release. Refer to sk171436.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters.

In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete.

When configuring an email address in SmartTasks, Top Level Domain (TLD) is limited to 3 characters, for example, ".com"

When the value of the "asm_ips_cci" property is updated manually to a number higher than 500,000:

• login to the Security Management Server fails due to timeout.

• the FWM process may consistently consume 100% CPU.

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to the "Install On" column in the Threat Prevention policy, no Security Gateway objects may appear.

The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected.

Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID.

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

In some scenarios, an upgrade may fail if a scheduled IPS update occurs simultaneously with the upgrade or domain migration.

In environments with more than one hundred fifty administrators, SmartConsole may unexpectedly close when submitting changes for approval via Workflow. Refer to sk181649.

The Change Report generated before publishing a session, may contain internal system changes that were made by the user.

An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801.

In rare scenarios, CPView does not handle VS context correctly.

SmartConsole does not show all available packages for Security Gateways that run on the 15000 and 16000 Check Point appliances, even if these packages are located in the Package Repository on the Security Management Server.

In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds".

In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field.

The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706.

The Syslog messages are not sent to the Security Management Server and cannot be seen in SmartLog if the Security Management Server IP address is not configured under the "Remote System Logging" section in the Gaia WebUI.

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

In rare cases, the LOG_EXPORTER process exits and the CPWD process does not start it because of the "exit_code 0" error.

CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

Incorrect CPU statics may be shown in CPView when using Dynamic Split.

On Security Gateways with enabled Hyper Flow feature, during policy installation and re-offload process of the connections, accelerated connections may be interrupted. Refer to sk181671.

In rare scenarios, updating the NTP Server may cause a temporary outage.

The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address.

Enabling MDPS fails with the "clish: symbol lookup error: /usr/lib/cli/lib/libcli_mdps.so: undefined symbol: cp_is_usim" error.

The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration.

Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments.

Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the "fwaccel dos deny" feature are configured. See sk182223.

When configuring an IoC Feed in SmartConsole, the "Test Feed" action does not support Full High Availability clusters.

In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network.

A memory leak may occur in the PDPD process when storing new identities.

In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured.

Anti-Spoofing drops packets that arrive at a Security Gateway through interfaces with Topology "External" if there are routes configured for internal interfaces that overlap with routes configured for external interfaces. Refer to sk181768.

Anti-Virus fails to release held connections after the inspection.

The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile.

When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text.

When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status.

In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem".

The port beacon feature also known as interface discovery or port blinking may not work correctly in User Mode (UPPAK).

In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch.

The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios.

High CPU usage on SND cores when many interfaces are configured. Refer to sk181860.

Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content.

The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option.

When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration.

Link may not come up automatically in the 2-Port 40G/100G NIC, 4-Port 10G/25G NIC, and 10G/25G Sync Port. Refer to sk181487.

Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled.

AWS CloudGuard Security Gateway boots into "Sh-4.4" shell after in-place upgrade to R81.20 with Jumbo Hotfix Accumulator from Take 38 to Take 53. Refer to sk182112.

See the Important Notes section.

Due to a synchronization issue between the Policy Server and Primary Server, the Endpoint clients may be connected to the Primary Server instead of the Policy Server.

When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525.

When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only.

The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674.

Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data.

Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed.

Security Gateway with Anti-Virus enabled may sporadically crash because of memory corruption.

See the Important Notes section.

In a VSX environment, LACP Bond traffic may fail with the "incomplete ARP" error.

See the Important Notes section.

NEW: Added Quantum SD-WAN local breakout and VPN overlay support for Security Gateways with dynamic IP addresses.

UPDATE: Added support for scheduling automatic purges of the System Data domain.

UPDATE: Added a new API version (1.9.1). Refer to Management API Reference.

UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.

• Requires installing SmartConsole R81.20 Build 651 (or higher).

UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log.

UPDATE: Improved the parser of Custom Intelligence feeds to support values written in "Camel case", where multiple words are combined without spaces, and each word begins with a capital letter.

UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds.

UPDATE: Improved Anti-Virus caching mechanism to prevent generating malicious sub-domains in Background resource categorization mode.

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

• changes in the cloud service configuration,

• stability improvement.

UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg now holds only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg now holds all previous push configuration logs, except the last one.

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

UPDATE: SNMP traps for interfaces going up and going down now contains the interface name and description.

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

UPDATE: Added the "namespace" label to pods in Kubernetes Data Center.

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region

UPDATE: Added the ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

UPDATE: Enabled new docker capabilities on IoT Gateways.

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object.

Deleting a Domain that is connected to an AD Group fails.

Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.

• The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, the /var/log/message file is filled with Clish login messages for the Admin user.

Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report.

In rare scenarios, after an upgrade, the Security Management Server may fail to start.

When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes.

QoS policy cannot be installed if the policy package name contains a dot symbol.

In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178.

In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util.

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install.

An audit log may not be created after running Revert to Revision.

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.