List of All Resolved Issues and New Features in R81.20 Jumbo Hotfix Accumulator

NEW: Added a new Expert mode command on the Security Gateway to revert the installed Access Control policy to one of the previous revisions: "policy_rev_tool <action> [args]". Refer to sk181437.

NEW: It is now possible to configure additional TCP options in the Accelerated SYN Defender configuration file:

cookie_mss_v4, cookie_mss_v6, cookie_sack_permitted, cookie_window_scale. Refer to R81.20 Performance Tuning Administration Guide.

UPDATE: SD-WAN Logs now appear in the dedicated SD-WAN log card in SmartView and SmartConsole.

UPDATE: Creating a Domain via Management API now allows the allocation of the Domain IP address from a predefined IP address range on the Multi-Domain Security Management Server.

UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions.

UPDATE: Added an option in ICAP Server for logging benign files scanned by the Anti-Virus Blade. By default, logging for benign files is disabled. To enable it, add to the ICAP Server configuration file this entry: "LogBenign on".

UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server.

UPDATE: Added Update 2 of Server-Side Change Report Generator Release Updates. Refer to sk179508.

UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056.

UPDATE: Added Take 77 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Update 15 and Update 16 of HealthCheck Point (HCP) Release. Refer to sk171436.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters.

In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete.

When configuring an email address in SmartTasks, Top Level Domain (TLD) is limited to 3 characters, for example, ".com"

When the value of the "asm_ips_cci" property is updated manually to a number higher than 500,000:

• login to the Security Management Server fails due to timeout.

• the FWM process may consistently consume 100% CPU.

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to the "Install On" column in the Threat Prevention policy, no Security Gateway objects may appear.

The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected.

Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID.

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

In some scenarios, an upgrade may fail if a scheduled IPS update occurs simultaneously with the upgrade or domain migration.

In environments with more than one hundred fifty administrators, SmartConsole may unexpectedly close when submitting changes for approval via Workflow. Refer to sk181649.

The Change Report generated before publishing a session, may contain internal system changes that were made by the user.

An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801.

In rare scenarios, CPView does not handle VS context correctly.

SmartConsole does not show all available packages for Security Gateways that run on the 15000 and 16000 Check Point appliances, even if these packages are located in the Package Repository on the Security Management Server.

In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds".

In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field.

The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706.

The Syslog messages are not sent to the Security Management Server and cannot be seen in SmartLog if the Security Management Server IP address is not configured under the "Remote System Logging" section in the Gaia WebUI.

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

In rare cases, the LOG_EXPORTER process exits and the CPWD process does not start it because of the "exit_code 0" error.

CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

Incorrect CPU statics may be shown in CPView when using Dynamic Split.

On Security Gateways with enabled Hyper Flow feature, during policy installation and re-offload process of the connections, accelerated connections may be interrupted.

In rare scenarios, updating the NTP Server may cause a temporary outage.

The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address.

Enabling MDPS fails with the "clish: symbol lookup error: /usr/lib/cli/lib/libcli_mdps.so: undefined symbol: cp_is_usim" error.

The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration.

Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments.

System with a large number of CPUs allocated to CoreXL SND may experience performance issues when the deny list feature is enabled.

When configuring an IoC Feed in SmartConsole, the "Test Feed" action does not support Full High Availability clusters.

In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network.

A memory leak may occur in the PDPD process when storing new identities.

In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured.

Anti-Spoofing drops packets that arrive at a Security Gateway through interfaces with Topology "External" if there are routes configured for internal interfaces that overlap with routes configured for external interfaces. Refer to sk181768.

Anti-Virus fails to release held connections after the inspection.

The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile.

When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text.

When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status.

In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem".

The port beacon feature also known as interface discovery or port blinking may not work correctly in User Mode (UPPAK).

In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch.

The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios.

High CPU usage on SND cores when many interfaces are configured. Refer to sk181860.

Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content.

The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option.

When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration.

Link may not come up automatically in the 2-Port 40G/100G NIC, 4-Port 10G/25G NIC, and 10G/25G Sync Port. Refer to sk181487.

Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled.

AWS CloudGuard Security Gateway boots into "Sh-4.4" shell after in-place upgrade to R81.20 with Jumbo Hotfix Accumulator from Take 38 to Take 53. Refer to sk182112.

See the Important Notes section.

Due to a synchronization issue between the Policy Server and Primary Server, the Endpoint clients may be connected to the Primary Server instead of the Policy Server.

When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525.

When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only.

The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674.

Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data.

Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed.

The Security Gateway with 40 cores fails to boot in Kernel Mode Firewall. Refer to sk181989.

See the Important Notes section.

VPN IKEv2 negotiation with a third party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS by default offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log.

See the Important Notes section.

The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891.

See the Important Notes section.

NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers.

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Added support for the VPN certificate alert feature for Quantum Spark Appliances R81.10.X.

UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302.

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: It is now possible to add exceptions to external Custom Intelligence feeds.

UPDATE: SSL Network Extender was updated to version 80008407.

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically.

UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode.

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

UPDATE: Gaia API updates is now installed automatically through AutoUpdater. Refer to sk165653.

UPDATE: Posture Management (Vulnerability & Patch Management) is now supported.

UPDATE: Added support for Azure Scale sets with Flexible orchestration mode.

UPDATE:

• Enhanced the mapping performance of Azure subscriptions and the overall process of mapping Data Centers.

• Minimized the duration required for policy updates to gateways in environments incorporating Public Data Centers (Azure, AWS, GCP, Oracle-Cloud OCI, and Generic-Data-Center).

• Updating Data Center properties requires installing the policy on only one Security Gateway.

UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823.

UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway.

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

When closing an application from SmartConsole without changes, a redundant revision is created.

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

When using the RADIUS username for authentication, login to SmartConsole may fail.

The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>".

In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397.

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

SmartConsole may unexpectedly close after clicking "Install Policy" while the Compliance blade is running a full scan.

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file.

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

In rare scenarios:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460.

In SmartConsole, export of policies with the "Hit count" column may get stuck.

The Security Gateway may listen to the ports used by NAT.

In some scenarios, if a DAIP Gateway is registered to a VPN Community:

• "show-vpn-communities-star" Management API command may fail.

• sharing SmartConsole configuration with Infinity Portal fails.

In some scenarios, in High Availability Security Management Server environments, there may be increase of the database on the Security Management Server.

The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field.

In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787.

When viewing Subordinate CA objects in SmartConsole:

• Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

• The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

The fix requires installing SmartConsole R81.20 Build 651 (or higher).

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy.

After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.

• The fix requires installing SmartConsole R81.20 Build 651 (or higher).

Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation.

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields.

In SmartView, filtering logs by Media Encryption & Port Protection blade may fail.

In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud.

In some scenarios, implied rules are not logged for clusters.

Following the installation of R81.20 Jumbo Hotfix Accumulator Take 26, it is impossible to configure a new Maestro group via the Gaia Portal.

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

The output of the "cpstat os -f cpu" command may be incorrect. Refer to sk180966.

In some scenarios, when IPS is enabled, CPU spikes may occur.

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

When running the tp_collector tool, the FW_FULL process may unexpectedly exit.

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route.

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

In rare scenarios, ICA certificate creation and enrollment fail.

The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148.

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure.

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus blade performance.

Anti-Virus fails to block Custom Intelligence feeds that contain percent-encoding.

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

When configuring Custom Intelligence feeds from the management:

• The "no_ssl_validation" variable may be deleted after the policy installation.

• Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

The DLP process may unexpectedly exit during policy installation.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186.

Loading a large Custom Intelligence feed may fail. Refer to sk181158.

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus blade.

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode.

The Security Gateway may fail to enforce certificate blacklisting.

It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155.

The VLAN configured bonded interface monitored state disappear after modifying the bonded interface properties. Refer to sk180724.

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces.

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

When a BFD session is added or removed, disabled sessions may incorrectly come up.

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

Adding an IPv6 OSPFv3 interface in WebUI may fail when SecureXL UPPAK mode is enabled.

When SCV is enabled, Capsule Connect/ Capsule VPN clients may fail to access internal resources.

In a rare scenario, all the IKED processes exit approximately once an hour without core or log indicating that it was triggered by the FWD/CPWD process exit. Refer to sk181643.

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

The MPDAEMON process may be persistently down, even post reboot.

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

When User Mode (UPPAK) is enabled, there may be performance loss when passing traffic through a Virtual Switch on a VSX Security Gateway.

In a rare scenario, affinity configuration on VSX may fail.

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

When changing bond settings, the bond may be missing the global IPv6 Address.

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device.

• Under Reporting > Anti-Malware > Anti-Malware Status, the table is empty or stuck with a "Endpoint Count: Loading" message.

• Under Reporting > Anti-Malware > Anti-Malware Status > Report Action, when clicking "Export Report", it returns an "Unknown error".

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

E2 engine may send an incorrect value of datDate in sync request.

• If a password update from the client is denied on the Server because it is too old, the Server still updates the salt for the password (password then becomes unusable). This affects all client versions.

• E87.31 clients and lower which do not support authentication timestamps, cannot update passwords for Full Disk Encryption users with authentication timestamps stored on the Server (password then becomes unusable).

After an upgrade, Azure Gov mapping may fail.

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

After enabling the Maestro Fastforward feature, policy installation on a Maestro Security Group may fail in SmartConsole with "Maestro acceleration (MXL) failed, reason: General error. Please check /var/log/acl_cli.log on the security group SMO for more details". Refer to sk181661.

When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash.

In a Maestro environment, LACP bond subordinates may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and subordinates is significantly high.

In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash.

In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail.

UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository.

UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22.

UPDATE: New features and improvements are released in Take 81, Take 85 and Take 90 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default.

UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188.

UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626.

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

NEW: This Jumbo Hotfix Take introduces support for new Quantum Force appliances 19200, 29100, and 29200. Refer to sk180520.

• Requires installing SmartConsole R81.20 Build 649 (or higher).

NEW: Added support for User Space Mode (UPPAK) on LightSpeed Appliances (QLS250, QLS450, QLS650, and QLS800 - see sk179432). After upgrading to this Jumbo Hotfix Take, these appliances will run in UPPAK mode by default.

UPDATE: On Quantum LightSpeed appliances running in Kernel Mode (KPPAK), when using a feature that is not supported in User Space Mode (UPPAK), a notification that after upgrading to this Jumbo Take the appliance will still run in KPPAK is now displayed.

UPDATE: The GRE interface creation feature is now blocked in User Space Mode (UPPAK).

UPDATE: When UPPAK mode is enabled, the limit in /var/log/dump/usermode/ gets automatically extended from 10 Gb to 30 Gb to prevent possible deletion of large core files.

UPDATE: Added Update 13 of HealthCheck Point (HCP) Release. Refer to sk171436.

• When updating Inline Access Layers, Threat Exceptions, and HTTPS Inspection (TLS) rules, the "Policy Name" field in the Audit Log may be incorrect.

• The "Where used" operation fails for users with read-only permissions.

Refer to sk181471. See the Important Notes section.

In rare scenarios, the FWK process may unexpectedly exit when running an outgoing (a local connection) from the Security Gateway.

Identity-based roles may not match the Access Roles after User and Machine were identified.

In a rare scenario, the PDPD process may unexpectedly exit during an LDAP query.

Identity Broker may be missing some identities.

The PDP Gateway may be unresponsive while publishing identities to Identity Broker subscriber in the Sync flow.

In a rare condition, in a large environment, the PDP Gateway may crash when publishing an IP-change message to its Identity Broker subscribers.

When setting the bonding group to 8023AD mode, a "KERLAG0029 Error running cmd cphaconf bond_ls set bond1 0." message is shown.

Corrupted VS affinity configuration may cause excessive error messages "cp_set_process_vs_affinity: Error corrupt affinity file".

When BGP local address is configured, BGP peer may fail to establish.

See the Important Notes section.

In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823.

The Security Gateway may lose connectivity to Maestro Hyperscale Orchestrator (MHO) when running the "tcpdump -i any" command.

NEW: Compliance Blade is enhanced with 5 new Firewall Best Practices:

• FW174 - Check that there are no Access Control rules that contain "Any" in the "Source" column and contain "Accept" or "Ask" in the "Action" column.

• FW175 - Check that Access Control rules do not contain "Any" in "Destination", and "Accept" or "Ask" in "Action".

• FW176 - Check that Access Control rules do not contain "Any" in "Services and Applications", and "Accept" or "Ask" in "Action".

• FW177 - Check that there are no temporary Access Control rules (based on the "Name" column).

• FW178 - Check that there are no temporary Access Control rules (based on the "Comments" column).

NEW:

• Added support for 1595 Slim Ruggedized appliances.

• Added support for 1535 / 1555, 1575 / 1595 Quantum Spark Pro appliances.

NEW: Added support for multiple languages in the Change Report.

NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs .

For example:

• mgmt_cli add access-section layer "Network" position 1 name "New Section 1" tags mytag

• mgmt_cli add access-rule layer "Network" position 1 name "Rule 1" tags mytag

NEW: CloudGuard Controller for NSX-T

• Starting from NSX-T 4.0.0.x and higher, Manager Mode APIs are deprecated, it is recommended to use Policy Mode.

• Import NSX-T Tags (NSgroups and VMs) is now supported.

• Import NSX-T Virtual Machine objects is now supported.

Note: Importing Virtual Machines can be enabled only using Policy Mode APIs. When enabled, the amount of API requests toward the NSX-T manager increased.

UPDATE: A Security Management Server/Domain Management Server can now manage up to 500 Security Gateways/Cluster members, allowing concurrent policy installation on all Security Gateways/Cluster members at once.

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Ability to send packet capture on IPS / Anti-Bot silent protections to the research team to enhance the security.

UPDATE: Added support for IPv6 traffic synchronization in Multi-Version Clusters (MVC).

See the Important Notes section.

UPDATE:

• Zero Phishing now enforces license. Customers with NGTX (Next Generation Threat Emulation & Extraction) or customers that recently renewed NGTX should have no issues.

• Zero Phishing will stop working for customers who do not have a license.

UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427.

UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.20 Administration Guide > Configuration Parameters. This change prevents scenarios when CloudGuard Controller fails to connect to Cluster with MDPS enabled (sk180981).

UPDATE: Added Management Data Plane Separation (MDPS) support for Maestro Orchestrator and Chassis scalable platforms.

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514.

In the Accelerated Policy Installation flow, there is no validation for the scenarios when there are DAIP Security Gateways in the Destination column of the Access policy.

In some scenarios, running the Management API "delete-exception-group" fails if the exception group is automatically attached.

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

In the Object Explorer window in SmartConsole, the IP address column is sorted alphabetically, although it should be sorted in numerical order.

When adding/setting an access rule, setting certain fields to "Any" or "None" may fail because of case sensitivity.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message.

If an empty Network Group is linked in the source or destination fields of an Access Rule, policy verification may not generate an error. Instead, it may treat the empty group as if there is an "Any" object.

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

If the Security Management Server is behind NAT, remote Management API login fails.

In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses.

In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages.

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

SmartConsole may crash while checking for updates.

• Requires installing R81.20 SmartConsole Build 646.

In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to a Threat Prevention policy "Install On" column, no Security Gateway objects appear. Refer to sk180964.

In some scenarios, the task progress bar is missing during Jumbo installation from SmartConsole.

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

After an upgrade of the Security Management Server, the "cp_log_export show" command may return the "found an ambiguous value" error in the "export_log_position" field.

The Security Gateway may crash while inspecting non-HTTP traffic.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped.

Stack buffer overflow may occur in the FWGTP process.

The Security Gateway may crash after a failure in policy installation.

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

In some scenarios, the Security Gateway may crash.

On the Security Gateway with Management Data Plane Separation (MDPS) enabled:

• when adding a RADIUS Server from WebUI, a new MDPS task with the IP address of the Server may not be added,

• when deleting a RADIUS Server, the MDPS task may not be deleted.

Security Gateway may crash when running kernel debugs of the "UP" module.

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

In a rare scenario, policy installation may fail because of IoC observables overrides.

In a rare scenario, the PDPD process may unexpectedly exit during user authentication flow.

Some TLS1.3 applications without SNI do not match the rules.

In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic.

Importing a custom intelligence feed containing IP ranges may fail.

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

Mobile Access Security Gateway does not recognize Office 365 URL This can cause OAuth 2.0 authorization to fail, it may not be possible to view the mail.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

Asymmetric UDP traffic may be dropped with "First Packet isn´t Syn".

When running tcpdump on the Multi-Domain Security Server, an "error /bin/cp-tcpdump.sh: line 11: sxlmode: command not found" message is shown. The issue is cosmetic only.

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

A VRRP/VRRP6 interface may go into Master/Master state.

Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear.

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method.

The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation.

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

Appliance with a Dual Image installed cannot reboot after restoring to the factory default of a Dual Image. Refer to sk180331.

AWS Data Center mapping fails when an interface subnet is missing from the list of subnets.

In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

Querying the HW status via SNMP (OIDs .1.3.6.1.4.1.2620.1.6.7.*) or via the "cpstat os -f sensors" command may fail on Maestro Orchestrator.

Uninstalling Jumbo Hotfix Take 106/107 on Maestro Orchestrator (MHO) may cause an outage.

WRP interfaces cannot be used for Source / Destination in a specific Fast Forward rule.

The "set/show trace" command may fail in gClish.

Incorrect parsing of GTP-U traffic may cause anti-spoofing drops.

Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506.

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

• To see the current state of this feature: show audit login-notifier

• To enable this feature (this is the default): set audit login-notifier on

• To disable this feature: set audit login-notifier off

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

NEW: Added support for Quantum SD-WAN that provides resilient connectivity, optimizes usage of WAN connections for Internet and Site to Site VPNs allowing dynamic application traffic steering based on measured ISP link quality. Refer to sk180605.

See the Important Notes section.

UPDATE: Significantly improved performance during upgrade and import for large Multi-Domain Security Management environments with many administrators (over 20 domains and over 100 global administrators).

• Requires installing Upgrade Tools package 997000632 and higher.

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311.

In rare scenarios, in multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked.

In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858.

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated.

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced.

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

In a rare scenario, the Security Gateway may crash during an IPS package update.

After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped.

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

After an update, multicast traffic may be dropped.

The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down.

NEW: Added ability to run the "verify-policy" Management API command on a private session with unpublished changes.

NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566.

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Connecting a Quantum Security Management Server to Infinity Portal is now supported in the Full High Availability Cluster (when each cluster member has a Security Management Server and a Security Gateway).

UPDATE: It is now possible use multiple values when filtering in these views:

• Global Assignments (MDS)

• Permissions (MDS)

• Sessions (MDS)

• IPS (Domain level)

UPDATE: Added a new Management API "mgmt_cli verify-management-license". It allows to check how many Security Gateway objects the Management Server license supports. Note that this API does not support Quantum Maestro and VSX. Refer to Management API Reference.

UPDATE: Released Take 76 with new features and improvements. Refer to sk170314.

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434.

UPDATE: Added more logs related to Pushing VSX Configuration.

• On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

• On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

• VSX Provisioning tool is now logged in the vpt_history.elg.

.

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

UPDATE: Improved performance of pushing Data Center Objects changes to Security Gateways.

Skyline may not show any information. Refer to sk180748.

On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448.

In some scenarios, Audit logs may not be created when running remote API commands from Infinity Portal.

In a rare scenario, OCSP response cash located in $CPDIR/tmp/curl_crl_ocsp may take a lot of memory.

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed.

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed.

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

After an Application Control update, policy installation may fail.

There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder.

Access policy verification may fail when dynamic objects exist in the NAT policy.

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail.

In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit.

In a Multi-Domain Security Management environment, the HitCount retention mechanism may prematurely remove the HitCount data.

Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain.

Deleting an LSM Gateway via REST API does not revoke the device's VPN certificate.

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

The Security Gateway may frequently crash with vmcore files, recording invalid context.

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

Stability issues when ICAP client is active.

A kernel crash may occur during system shutdown when PIM is enabled.

The Security Gateway with enabled Anti-Virus may experience a memory allocation issue.

The Security Gateway with enabled Anti-Virus Blade may experience a memory allocation issue.

When handling some RTSP connections and the Hyperflow feature is enabled the Security Gateway may crash.

After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS).

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

When working in VSX Load Sharing (VSLS) mode, the FWK process may unexpectedly exit.

When managing cloud Gateways, the FWM process memory usage may increase.

Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value.

Custom intelligence feeds load may fail because of a parsing issue.

Files related to IoC may not be entirely removed from the disk after the feed removal.

When using a host with automatic static NAT in a Threat Prevention policy object, the object will not be enforced.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

There may be connectivity issues and high CPU spikes on PDP when installing policy.

The Security Gateway may crash during policy installation because of a memory allocation problem.

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

When the RAD process exits with a timeout, the Blade name shown in the SmartConsole log card is incorrect.

In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473.

After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing.

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

Access to a web application that uses WebSocket protocol may not be possible.

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

IPv6 template is not created when the connection is NATed.

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot.

The ROUTED process may unexpectedly exit when the route does not have a next hop.

The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931.

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

VPN stability issues.

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error.

SecureXL may not let HTTPS traffic pass through a Virtual Router (VR).

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed.

In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function.

Information about scheduled backup failure is now displayed in Clish, WebUI, and in the error message inside the log file.

In an environment with the Endpoint Security Server, Jumbo Hotfix Accumulator installation may take a long time.

When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails.

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC).

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651.

While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Module (SGM).