List of All Resolved Issues and New Features in R81.20 Jumbo Hotfix Accumulator
|
Review the Important Notes section before installing a new Take. |
Take |
Available Since | Recommended Since |
---|---|---|
08 Apr 2024 |
- |
|
17 Mar 2024 |
03 Apr 2024 |
|
30 Jan 2024 |
- |
|
08 Jan 2024 |
- |
|
20 Nov 2023 |
04 Dec 2023 |
|
23 Oct 2023 |
- |
|
14 Aug 2023 |
13 Sep 2023 |
|
12 Jul 2023 |
24 Jul 2023 |
|
01 Jun 2023 |
- |
|
23 Apr 2023 |
30 Apr 2023 |
|
07 Mar 2023 |
- |
ID |
Product |
Description |
---|---|---|
Take 54 Released on 8 April 2024 |
||
New Functionality |
||
PRJ-52942, PRJ-52484 |
Security Gateway |
NEW: This Jumbo Hotfix Take introduces support for new Quantum Force appliances 19100 / 9800 / 9700 / 9400 / 9300 / 9200 / 9100 appliances. Refer to sk181698 and to sk180520.
|
PRJ-49213, |
Security Gateway |
NEW: Added a new Expert mode command on the Security Gateway to revert the installed Access Control policy to one of the previous revisions: "policy_rev_tool <action> [args]". Refer to sk181437. |
PRJ-49827, ACCESS-799 |
Application Control |
NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol. This ability is enabled by default.
|
PRJ-53513, PRHF-30322 |
SecureXL |
NEW: It is now possible to configure additional TCP options in the Accelerated SYN Defender configuration file: cookie_mss_v4, cookie_mss_v6, cookie_sack_permitted, cookie_window_scale. Refer to R81.20 Performance Tuning Administration Guide. |
PRJ-50987, PMTR-95463 |
VPN |
NEW: Added ability to track RAM usage of the VPND process using the "cpstat" command in CLI. Refer to sk181815. |
Improvements and Resolved Issues |
||
PRJ-50565, SDWANGW-1681 |
SD-WAN |
UPDATE: Added support for the AU (Australia) and IN (India) regions in Infinity Portal. |
PRJ-46069, SDWANM-822 |
SD-WAN |
UPDATE: SD-WAN Logs now appear in the dedicated SD-WAN log card in SmartView and SmartConsole. |
PRJ-48780, |
Security Management |
UPDATE: Added validation for new permissions to configure a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > the "Run the following script before deleting old files" option. |
PRJ-48124, |
Security Management |
UPDATE: Creating a Domain via Management API now allows the allocation of the Domain IP address from a predefined IP address range on the Multi-Domain Security Management Server. |
PRJ-48096, PMTR-77299 |
CPView |
UPDATE: CPView now shows statistical data also for servers with 256/512 CPU cores. |
PRJ-50429, PMTR-96484 |
Security Gateway |
UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions. |
PRJ-50741, PRHF-30794 |
Security Gateway |
UPDATE: Added an ability to configure objects for the HTTPS Inspection CA using labels.
|
PRJ-50977, |
Threat Extraction |
UPDATE: Added an option in ICAP Server for logging benign files scanned by the Anti-Virus Blade. By default, logging for benign files is disabled. To enable it, add to the ICAP Server configuration file this entry: "LogBenign on". |
PRJ-50500, |
Identity Awareness |
UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways. |
PRJ-46626, |
VPN |
UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server. |
PRJ-50915, |
Gaia OS |
UPDATE: When a Gaia OS Server has a Cloning Group feature enabled, it now accepts other Gaia OS Servers that join this Cloning Group over TLS1.2 or higher (over the TCP port 1129). |
PRJ-53022, ODU-1468 |
Automatic Updates - Security Management |
UPDATE: Added Update 2 of Server-Side Change Report Generator Release Updates. Refer to sk179508. |
PRJ-52628, PRJ-53586, ODU-1571, ODU-1392 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 94 and Take 97 through self-updatable package. Refer to sk170314. |
PRJ-52696, ODU-1408 |
Automatic Updates - Smart-1 Cloud |
UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-52820, |
Automatic Updates - CPView |
UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-52596, |
Automatic Updates - CPView |
UPDATE: Added Take 77 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-52587, PRJ-53541, ODU-1476, ODU-1460 |
Automatic Updates - Threat Prevention |
UPDATE: Added Update 23 and Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-52867, PRJ-53688, ODU-1595, |
Automatic Updates - HCP |
UPDATE: Added Update 15 and Update 16 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53397, PRJ-5368, ODU-1611, ODU-1563 |
Automatic Updates - CPSDC |
UPDATE: Added Take 31 and Take 33 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-50214, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters. |
PRJ-51089, |
Security Management |
In some scenarios, the change report sent via email by SmartTasks after publishing appears blank, even though there were modifications in the published session. |
PRJ-50047, |
Security Management |
In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete. |
PRJ-49953, |
Security Management |
Login to SmartConsole may fail while the Compliance Blade is running a full scan. |
PRJ-50797, PMTR-97183 |
Security Management |
When configuring an email address in SmartTasks, Top Level Domain (TLD) is limited to 3 characters, for example, ".com" |
PRJ-51068, |
Security Management |
In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time. |
PRJ-51279, |
Security Management |
When the value of the "asm_ips_cci" property is updated manually to a number higher than 500,000:
|
PRJ-50355, |
Security Management |
SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script. |
PRJ-50436, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-49944, |
Security Management |
In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object. |
PRJ-50405, PRHF-30796 |
Security Management |
In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to the "Install On" column in the Threat Prevention policy, no Security Gateway objects may appear. |
PRJ-50187, PRHF-30766 |
Security Management |
In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption". |
PRJ-45023, |
Security Management |
The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected. |
PRJ-50390, |
Security Management |
The $MDS_FWDIR/scripts/cpm_debug.sh script may fail with "The element type "Loggers" must be terminated by the matching end-tag "/Loggers"." |
PRJ-51074, |
Security Management |
Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID. |
PRJ-50851, |
Security Management |
Access Policy verification may fail when groups with exclusions are used in rules. |
PRJ-46935, |
SmartConsole |
Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status. |
PRJ-49345, |
Security Management |
SmartConsole may unexpectedly close after deleting an object in the Object Explorer view. |
PRJ-47691, |
Security Management |
In some scenarios, an upgrade may fail if a scheduled IPS update occurs simultaneously with the upgrade or domain migration. |
PRJ-48916, PRHF-29502 |
Security Management |
In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397. |
PRJ-50563, |
Security Management |
In environments with more than one hundred fifty administrators, SmartConsole may unexpectedly close when submitting changes for approval via Workflow. Refer to sk181649. |
PRJ-51134, PRHF-30631 |
Security Management |
Installing security policy with a rule that contains the "Internet" object in the destination column may fail with error message "Topology is not defined on the policy "Install On" target <cluster object name>", if the target cluster is marked as "Geo Mode in a Cloud". |
PRJ-50408, PRHF-30754 |
Security Management |
The Change Report generated before publishing a session, may contain internal system changes that were made by the user. |
PRJ-50580, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-51665, |
Web SmartConsole |
An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801. |
PRJ-48003, |
CPView |
Offload may fail in CPView with "ERROR! Reason not initialized". |
PRJ-44498, |
CPView |
In rare scenarios, CPView does not handle VS context correctly. |
PRJ-49974, |
CPView |
CPU statistics may be incorrect or missing in CPView. |
PRJ-51064, PMTR-97643 |
CPUSE |
SmartConsole does not show all available packages for Security Gateways that run on the 15000 and 16000 Check Point appliances, even if these packages are located in the Package Repository on the Security Management Server. |
PRJ-47984, |
Logging |
Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only. |
PRJ-46288, |
Logging |
In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds". |
PRJ-48806, |
Logging |
Some attributes in SNMP MIB file may not be accessible. |
PRJ-49390, |
Logging |
In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field. |
PRJ-46207, |
Logging |
Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609. |
PRJ-48242, |
Logging |
The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706. |
PRJ-49499, |
Logging |
Duration of Log Sharing on-boarding or migration to Smart-1 Cloud may take a long time (up to two minutes). |
PRJ-53009, PRHF-32426 |
Logging |
The Syslog messages are not sent to the Security Management Server and cannot be seen in SmartLog if the Security Management Server IP address is not configured under the "Remote System Logging" section in the Gaia WebUI. |
PRJ-44687, |
Logging |
When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters. |
PRJ-45297, PRHF-26975 |
Logging |
In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331. |
PRJ-47316, |
Logging |
When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly. |
PRJ-49736, |
Logging |
In rare cases, the LOG_EXPORTER process exits and the CPWD process does not start it because of the "exit_code 0" error. |
PRJ-53337, PMTR-101195 |
Logging |
When the "IP Options drop" tracking Global Properties setting is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole. |
PRJ-52675, PRHF-32203 |
Security Gateway |
CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944. |
PRJ-47957, |
Security Gateway |
The CPVIEW_API_SERVICE process may exit with a timeout. |
PRJ-52114, |
Security Gateway |
Incorrect CPU statics may be shown in CPView when using Dynamic Split. |
PRJ-52471, PMTR-98658 |
Security Gateway |
CIFS traffic may cause CPU spikes in the FWK process. |
PRJ-50761, PRHF-31092 |
Security Gateway |
On Security Gateways with enabled Hyper Flow feature, during policy installation and re-offload process of the connections, accelerated connections may be interrupted. |
PRJ-53051, PMTR-100847 |
Security Gateway |
Security Gateway does not pass traffic through an external interface when it is managed by Smart-1 Cloud, and SecureXL works in User Mode (UPPAK) mode. Refer to sk182016. |
PRJ-46203, |
Security Gateway |
In rare scenarios, updating the NTP Server may cause a temporary outage. |
PRJ-50314, PMTR-96671 |
Security Gateway |
In a large environment, updating policy with 20000 IP addresses may take up to eighteen minutes. When publishing such changes, Data Center updates are not sent to the Security Gateway. |
PRJ-50660, |
Security Gateway |
The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address. |
PRJ-50603, |
Security Gateway |
In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow. |
PRJ-49807, |
Security Gateway |
Enabling MDPS fails with the "clish: symbol lookup error: /usr/lib/cli/lib/libcli_mdps.so: undefined symbol: cp_is_usim" error. |
PRJ-50932, |
Security Gateway |
Multiple "fw_fna_hold_prepare: creating table" entries may be printed in /var/log/messages. The issue is cosmetic only. |
PRJ-48322, |
Security Gateway |
The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration. |
PRJ-53290 |
Security Gateway |
In rare scenarios, during active HTTP streaming, the FWK process may unexpectedly exit due to memory corruption. |
PRJ-50140, |
Security Gateway |
Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments. |
PRJ-47460, |
Threat Prevention |
In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash. |
PRJ-50050, |
Threat Prevention |
System with a large number of CPUs allocated to CoreXL SND may experience performance issues when the deny list feature is enabled. |
PRJ-46444, |
Threat Prevention |
Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension. |
PRJ-43530, PMTR-87666 |
Threat Prevention |
When configuring an IoC Feed in SmartConsole, the "Test Feed" action does not support Full High Availability clusters. |
PRJ-46597, |
Threat Extraction |
The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974. |
PRJ-51423, |
Identity Awareness |
In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network. |
PRJ-45136, PRHF-27966 |
Identity Awareness |
In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged. |
PRJ-45142, |
Identity Awareness |
A memory leak may occur in the PDPD process when storing new identities. |
PRJ-52495, PRHF-32042 |
Identity Awareness |
Setting custom configuration of PEP Identity Conciliation with the "Connect_Time" factor does not work as expected. |
PRJ-49534, |
Application Control |
In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured. |
PRJ-43457, |
Application Control |
When policy contains a white list, some packets may not match the listed applications. |
PRJ-49687, |
Application Control |
Anti-Spoofing drops packets that arrive at a Security Gateway through interfaces with Topology "External" if there are routes configured for internal interfaces that overlap with routes configured for external interfaces. Refer to sk181768. |
PRJ-42481, |
IPS |
Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types. |
PRJ-49298, |
Anti-Virus |
Anti-Virus fails to release held connections after the inspection. |
PRJ-50529, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash during inspection of file downloads. |
PRJ-49521, |
Anti-Virus |
The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile. |
PRJ-49793, |
SSL Inspection |
Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM). |
PRJ-45151, |
SSL Inspection |
When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text. |
PRJ-50870, |
ClusterXL |
The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue. |
PRJ-52731, PRHF-32237 |
ClusterXL |
When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status. |
PRJ-52498, PMTR-99746 |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade, full synchronization between the upgraded member and another member may not function correctly. This can cause an interruption of IPv6 traffic. |
PRJ-48414, |
ClusterXL |
In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem". |
PRJ-51136, |
SecureXL |
The Security Gateway may crash with vmcore during boot while upgrading. |
PRJ-48761, |
SecureXL |
The port beacon feature also known as interface discovery or port blinking may not work correctly in User Mode (UPPAK). |
PRJ-50546, |
SecureXL |
High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load. |
PRJ-50950, |
SecureXL |
In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch. |
PRJ-48284, |
SecureXL |
The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway. |
PRJ-50833, |
Routing |
The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios. |
PRJ-49579, |
Routing |
The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected. |
PRJ-51347, |
VSX |
High CPU usage on SND cores when many interfaces are configured. Refer to sk181860. |
PRJ-50176, |
VSX |
In some scenarios, installing policy via vsx_util may be stuck. |
PRJ-46143, |
Gaia OS |
Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content. |
PRJ-50487, |
Gaia OS |
SNMP query does not bring the CPUSE package information for a single OID (not a table). |
PRJ-48720, |
Gaia OS |
The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option. |
PRJ-50509, |
Gaia OS |
There may be some inconsistent syntax in the "comment" section for interface and static-route commands. |
PRJ-47177, |
Gaia OS |
When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration. |
PRJ-51220, |
Gaia OS |
Clish may deny access of a non-local RADIUS user. |
PRJ-50692, PMTR-96606 |
Gaia OS |
Link may not come up automatically in the 2-Port 40G/100G NIC, 4-Port 10G/25G NIC, and 10G/25G Sync Port. Refer to sk181487. |
PRJ-45116, |
Gaia OS |
Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that. |
PRJ-49218, |
VPN |
Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled. |
PRJ-49560, |
VPN |
When using the " |
PRJ-53729 |
CloudGuard Network |
AWS CloudGuard Security Gateway boots into "Sh-4.4" shell after in-place upgrade to R81.20 with Jumbo Hotfix Accumulator from Take 38 to Take 53. Refer to sk182112. See the Important Notes section. |
PRJ-50162, |
CloudGuard Network |
After installing this Take, after an out-of-memory event, the CloudGuard Controller will automatically restart with increased memory settings, and the "CloudGuard IaaS" log with the Description: "CloudGuard Controller is restarting with new memory settings" will be sent. |
PRJ-50161, |
Harmony Endpoint |
Due to a synchronization issue between the Policy Server and Primary Server, the Endpoint clients may be connected to the Primary Server instead of the Policy Server. |
PRJ-46991, |
VoIP |
In some scenarios, SIP TCP connections are dropped after a cluster failover. |
PRJ-47995, |
VoIP |
When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525. |
PRJ-49104, |
Scalable Platforms |
When creating a Security Group creation in Maestro Orchestrator WebUI, and the password contains the "(" "&" or ";"characters, the operation fails with "Failed to apply new topology" or with "Gaia Web-UI recognized a non-valid input data". |
PRJ-48724, |
Scalable Platforms |
When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only. |
PRJ-52079, |
Scalable Platforms |
The Maestro Fastforward feature cannot be enabled when there is a bond interface with an ID consisting of two or three digits. |
PRJ-50738, |
Scalable Platforms |
The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674. |
PRJ-46064, |
Scalable Platforms |
Querying SP Interface Data via SNMP may intermittently fail. |
PRJ-50747, |
Scalable Platforms |
Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data. |
PRJ-47762, |
Scalable Platforms |
Gaia Clish prompt does not appear after a TACACS user logs into a Maestro Security Group. Refer to sk181149. |
PRJ-50681, PRHF-30764 |
Scalable Platforms |
Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed. |
PRJ-48930, |
Scalable Platforms |
Connectivity issues may occur in a Maestro Security Group when VLAN encapsulation is disabled on Orchestrators in a Maestro Dual Site environment. Refer to sk181385. |
Take 53 Released on 17 March 2024 and moved to Recommended on 3 April 2024 |
||
PRJ-52910, PMTR-100960 |
Security Gateway |
The Security Gateway with 40 cores fails to boot in Kernel Mode Firewall. Refer to sk181989. See the Important Notes section. |
PRJ-53592 |
Security Gateway |
Security Gateway with Anti-Virus enabled may sporadically crash because of memory corruption. See the Important Notes section. |
PRJ-53367, PRHF-32706 |
VPN |
VPN IKEv2 negotiation with a third party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS by default offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log. See the Important Notes section. |
PRJ-52984, PMTR-99552 |
Scalable Platforms |
In a VSX environment, LACP Bond traffic may fail with the "incomplete ARP" error. See the Important Notes section. |
PRJ-53413, PRJ-53287 |
Scalable Platforms |
In a Maestro environment, after installing Jumbo Hotfix Accumulator and a reboot, members may intermittently go down due to MAC flapping. |
Take 45 Released on 30 January 2024 |
||
PRJ-52492, PMTR-99615 |
ClusterXL |
The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891. See the Important Notes section. |
PRJ-52559, PMTR-100084 |
Security Gateway |
When in the NAT Rule Base there are domain objects with uppercase letters, the NAT rules may not be matched. See the Important Notes section. |
Take 43 Released on 8 January 2024 |
||
PRJ-50012, PRJ-49119, PMTR-94679, |
Security Management |
NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers. |
PRJ-48759, |
SD-WAN |
NEW: Added Quantum SD-WAN local breakout and VPN overlay support for Security Gateways with dynamic IP addresses. |
PRJ-47122, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-45065, |
Security Management |
UPDATE: Added support for scheduling automatic purges of the System Data domain. |
PRJ-46326 |
Security Management |
UPDATE: Added support for the VPN certificate alert feature for Quantum Spark Appliances R81.10.X. |
PRJ-47499, |
Security Management |
UPDATE: Added a new API version (1.9.1). Refer to Management API Reference. |
PRJ-52357, |
CPView |
UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-48300, |
SmartConsole |
UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.
|
PRJ-49364, |
Security Gateway |
UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302. |
PRJ-46317, |
Security Gateway |
UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log. |
PRJ-46558, |
Security Gateway |
UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632. |
PRJ-48447, |
Threat Prevention |
UPDATE: Improved the parser of Custom Intelligence feeds to support values written in "Camel case", where multiple words are combined without spaces, and each word begins with a capital letter. |
PRJ-51511, |
Threat Prevention |
UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-48139, |
Threat Prevention |
UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds. |
PRJ-43434, |
Threat Prevention |
UPDATE: It is now possible to add exceptions to external Custom Intelligence feeds. |
PRJ-47916, |
Anti-Virus |
UPDATE: Improved Anti-Virus caching mechanism to prevent generating malicious sub-domains in Background resource categorization mode. |
PRJ-49233, |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 80008407. |
PRJ-44244, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-46316, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically. |
PRJ-45338, |
VPN |
UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN. |
PRJ-41132, |
VSX |
UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode. |
PRJ-48109, |
VSX |
UPDATE: Changed the vsx push configuration log:
|
PRJ-50874, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements. |
PRJ-48011, |
Gaia OS |
UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically. |
PRJ-50198 |
Gaia OS |
UPDATE: Gaia API updates is now installed automatically through AutoUpdater. Refer to sk165653. |
PRJ-45237, |
Gaia OS |
UPDATE: SNMP traps for interfaces going up and going down now contains the interface name and description. |
PRJ-50604, |
Harmony Endpoint |
UPDATE: Posture Management (Vulnerability & Patch Management) is now supported. |
PRJ-45728, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-48082, |
CloudGuard Network |
UPDATE: Added support for Azure Scale sets with Flexible orchestration mode. |
PRJ-47189, |
CloudGuard Network |
UPDATE: Added the "namespace" label to pods in Kubernetes Data Center. |
PRJ-48098, |
CloudGuard Network |
UPDATE:
|
PRJ-48764 |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region |
PRJ-49997, |
CloudGuard Network |
UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823. |
PRJ-45772, |
Scalable Platforms |
UPDATE: Added the ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>". |
PRJ-48197, |
Scalable Platforms |
UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway. |
PRJ-47962, |
IoT |
UPDATE: Enabled new docker capabilities on IoT Gateways. |
PRJ-47170, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-48898, |
Security Management |
In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file. |
PRJ-46700, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-42640, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-42936, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-46004, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object. |
PRJ-46829, |
Security Management |
In some scenarios, the "Object is no longer available" validation warning appears for updatable objects. |
PRJ-45989, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-46014, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-45035, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-44988, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-47620, |
Security Management |
In rare scenarios, the /var/log/message file is filled with Clish login messages for the Admin user. |
PRJ-48865, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-45800, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-47043, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-47047, |
Security Management |
In rare scenarios, after an upgrade, the Security Management Server may fail to start. |
PRJ-47012, |
Security Management |
The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>". |
PRJ-46656, |
Security Management |
When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes. |
PRJ-46732, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-41549, |
Security Management |
QoS policy cannot be installed if the policy package name contains a dot symbol. |
PRJ-48818, |
Security Management |
In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report. |
PRJ-47967, |
Security Management |
In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. |
PRJ-48788, |
Security Management |
SmartConsole may unexpectedly close after clicking "Install Policy" while the Compliance blade is running a full scan. |
PRJ-49226, |
Security Management |
In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.
|
PRJ-48442, |
Security Management |
The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined. |
PRJ-45899, |
Security Management |
In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920. |
PRJ-44801, |
Security Management |
In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file. |
PRJ-48371, |
Security Management |
The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util. |
PRJ-45783, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-47259, PRJ-47236, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-43290, |
Security Management |
In rare scenarios:
|
PRJ-46783, |
Security Management |
In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install. |
PRJ-48201, |
Security Management |
Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole. |
PRJ-48038, |
Security Management |
An audit log may not be created after running Revert to Revision. |
PRJ-49371, |
Security Management |
In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460. |
PRJ-49196, |
Security Management |
In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated. |
PRJ-48382, |
Security Management |
In SmartConsole, export of policies with the "Hit count" column may get stuck. |
PRJ-48692, |
Security Management |
Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user. |
PRJ-46411, |
Security Management |
The Security Gateway may listen to the ports used by NAT. |
PRJ-50359, |
Security Management |
In multi-site environments, when using LDAP administrators configured on an external LDAP Server, logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status. |
PRJ-50817, |
Security Management |
In some scenarios, if a DAIP Gateway is registered to a VPN Community:
|
PRJ-49715, |
Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-48705, |
Security Management |
In some scenarios, in High Availability Security Management Server environments, there may be increase of the database on the Security Management Server. |
PRJ-49884, |
Security Management |
Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report. |
PRJ-48162, |
Security Management |
The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field. |
PRJ-42955, |
Security Management |
Application Control and IPS updates may take a long time. |
PRJ-45441, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-48795, PRJ-48796 |
Multi-Domain Security Management |
When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects. |
PRJ-49480, |
Multi-Domain Management |
When viewing Subordinate CA objects in SmartConsole:
The fix requires installing SmartConsole R81.20 Build 651 (or higher). |
PRJ-47039, |
Multi-Domain Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses. |
PRJ-49715, PRHF-30513 |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-46105, |
Multi-Domain Security Management |
In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983. |
PRJ-43692, |
Multi-Domain Management |
Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy. |
PRJ-51427, |
Web SmartConsole |
Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6. |
PRJ-46436, |
SmartProvisioning |
After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.
|
PRJ-47343, |
SmartView |
In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message. |
PRJ-47470, |
CPUSE |
Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation. |
PRJ-50726, |
SD-WAN |
After Jumbo Hotfix Accumulator installation, the connection in the IoT environment stays down. |
PRJ-45325, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-45041, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-48341, |
Logging |
In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field. |
PRJ-46742, |
Logging |
In some scenarios, implied rules are not logged for clusters. |
PRJ-47220, |
Logging |
The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs. |
PRJ-46702, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-44208, |
Logging |
Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields. |
PRJ-47809, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-46841, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection blade may fail. |
PRJ-46187, |
Logging |
When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent. |
PRJ-48728, |
Logging |
In some scenarios, the Log Sharing status may show an error in exporting the logs, although logs are correctly shared to the cloud. |
PRJ-45607, |
Logging |
In some scenarios, in the Logs view, the "Destination" field may be missing. The issue is only cosmetic. |
PRJ-46742, |
Logging |
In some scenarios, implied rules are not logged for clusters. |
PRJ-49141, SL-7477 |
Logging |
In some scenarios, in a Quantum Smart-1 Cloud environment, login to SmartView may fail. |
PRJ-48272, |
Security Gateway |
Following the installation of R81.20 Jumbo Hotfix Accumulator Take 26, it is impossible to configure a new Maestro group via the Gaia Portal. |
PRJ-51226, |
Security Gateway |
In some scenarios, policy installation may fail. The fwk.elg and the dmd.elg files show correlating errors. |
PRJ-45694, |
Security Gateway |
The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail. |
PRJ-49865, |
Security Gateway |
After approximately 24 hours after a reboot, memory utilization starts at 30-40% utilization and gets to 80% utilized. This leads to issues with loading web pages and may cause an outage. |
PRJ-46482, |
Security Gateway |
The output of the "cpstat os -f cpu" command may be incorrect. Refer to sk180966. |
PRJ-48810, |
Security Gateway |
VPN tunnel between the Security Gateways with Link Selection and Remote Desktop Protocol (RDP) may fail after policy installation. Refer to sk181481. |
PRJ-48023, |
Security Gateway |
In some scenarios, when IPS is enabled, CPU spikes may occur. |
PRJ-48823, |
Security Gateway |
In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway. |
PRJ-41968, |
Security Gateway |
When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected. |
PRJ-47149, |
Security Gateway |
Enlarging MTU may cause even small packets to be allocated as Jumbo frames. This impacts the performance of SNDs CPUs. |
PRJ-47210, |
Security Gateway |
When running the tp_collector tool, the FW_FULL process may unexpectedly exit. |
PRJ-44702, |
Security Gateway |
In rare scenarios, the WSDNSD process may restart because of an internal error. |
PRJ-48154, |
Security Gateway |
Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet. |
PRJ-47304, |
Security Gateway |
The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281. |
PRJ-47521, |
Security Gateway |
After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped. |
PRJ-47332, |
Security Gateway |
When using the "cpstop" command on the Security Gateway, the fw_full core may be generated. |
PRJ-46378, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-47269, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-44856, |
Security Gateway |
Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter. |
PRJ-47326, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus blade. |
PRJ-45341, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-47371, |
Security Gateway |
The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted. |
PRJ-43857, |
Security Gateway |
The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX. |
PRJ-45484, |
Security Gateway |
Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command. |
PRJ-44619, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-47559, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47603, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-46838, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-47637, |
Threat Prevention |
The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148. |
PRJ-43728, |
Threat Prevention |
In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic. |
PRJ-48847, |
Threat Prevention |
Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented. |
PRJ-44692, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import Custom Intelligence feeds. |
PRJ-46720, |
Threat Prevention |
Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure. |
PRJ-44767, |
Threat Prevention |
Fetching of Custom Intelligence feeds fails when no proxy is configured on the Security Gateway. |
PRJ-46118, |
Threat Emulation |
Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus blade performance. |
PRJ-48192, |
Threat Prevention |
Anti-Virus blade fails to parse external Custom Intelligence feeds that contain specific delimiters. |
PRJ-48745, |
Threat Prevention |
Anti-Virus fails to block Custom Intelligence feeds that contain percent-encoding. |
PRJ-50556, |
Threat Prevention |
In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process. |
PRJ-48430, |
Threat Prevention |
Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy. |
PRJ-48268, |
Threat Prevention |
URL observables with question marks "?" are not parsed correctly by the Threat Prevention Custom Intelligence feeds feature. Refer to sk181367. |
PRJ-49009, PMTR-92233 |
Threat Prevention |
In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update. |
PRJ-45902, |
Threat Prevention |
The "Exception Handling" option for Observables in Threat Prevention indicator may not be applied. |
PRJ-46905, |
Threat Prevention |
Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039. |
PRJ-48087, |
Threat Prevention |
An outage may occur when an unsupported SSH cipher is selected. |
PRJ-47447, |
Threat Prevention |
When configuring Custom Intelligence feeds from the management:
|
PRJ-46759, |
Identity Awareness |
The ida_tables_util tool may fail with the "bad adress" error. |
PRJ-47442, |
Identity Awareness |
In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation. |
PRJ-48275, |
Identity Awareness |
There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417). |
PRJ-49045, |
DLP |
The DLP process may unexpectedly exit during policy installation. |
PRJ-49898, |
SSL Inspection |
In rare scenarios, the WSTLSD process may unexpectedly exit and create core dump files. |
PRJ-47065, |
Application Control |
When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur. |
PRJ-45721, |
Application Control |
Policy installation fails when a custom application and user category have the same name. |
PRJ-46199, |
Application Control |
CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186. |
PRJ-47750, |
IPS |
In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
PRJ-47555, |
Anti-Virus |
Loading a large Custom Intelligence feed may fail. Refer to sk181158. |
PRJ-45837, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47936, |
Anti-Virus |
When transferring many files, SMB traffic may freeze while scanned by Anti-Virus blade. |
PRJ-48128, |
Anti-Virus |
A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol. |
PRJ-47785, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-48973, |
Anti-Virus |
When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked. |
PRJ-47240, |
Anti-Virus |
Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode. |
PRJ-50430, |
Anti-Bot |
In rare scenarios, when the IPS or Anti-Bot Blades are enabled, Threat Prevention logs with packet captures appear in SmartConsole without details. |
PRJ-47183, |
SSL Inspection |
The Security Gateway may fail to enforce certificate blacklisting. |
PRJ-47204, |
Mobile Access |
When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols. |
PRJ-47108, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-43928, |
ClusterXL |
Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055. |
PRJ-45181, |
ClusterXL |
The VLAN configured bonded interface monitored state disappear after modifying the bonded interface properties. Refer to sk180724. |
PRJ-44276, |
ClusterXL |
A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531. |
PRJ-45199, |
ClusterXL |
In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection". |
PRJ-43607, |
ClusterXL |
When interfaces disconnect/connect on both members at the same time, it may cause a failover. |
PRJ-49758, |
SecureXL |
Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces. |
PRJ-50927, |
SecureXL |
When attempting to route packets to unresponsive hosts, the CPU utilization may be high. |
PRJ-44735, |
SecureXL |
The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646. |
PRJ-51290, |
SecureXL |
In some scenarios, traffic may not pass through a Virtual System on a VSX Security Gateway when it originally came through a Virtual Switch and User Mode (UPPAK) was enabled. |
PRJ-49960, |
Routing |
During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message. |
PRJ-49237, |
Routing |
When one of the multiple PIM neighbors goes down on the LAN,there may be outages in multicast traffic. |
PRJ-47488, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-43249, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-47802, |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come up. |
PRJ-47941, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48118, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-46901, |
Routing |
The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces. |
PRJ-51184, |
Routing |
Adding an IPv6 OSPFv3 interface in WebUI may fail when SecureXL UPPAK mode is enabled. |
PRJ-42940, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-42959, |
VPN |
When SCV is enabled, Capsule Connect/ Capsule VPN clients may fail to access internal resources. |
PRJ-45128, |
VPN |
Back connection does not function on the Statically NATed Office Mode address as expected. |
PRJ-51016, |
VPN |
In a rare scenario, all the IKED processes exit approximately once an hour without core or log indicating that it was triggered by the FWD/CPWD process exit. Refer to sk181643. |
PRJ-46261, |
VPN |
The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857. |
PRJ-46295, |
VPN |
Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429. |
PRJ-47493, |
VPN |
Potential VPN outage during policy installation. |
PRJ-43907, |
VPN |
When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established. |
PRJ-47878, |
Multi-Portal |
The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication. |
PRJ-46919, |
Multi-Portal |
The MPDAEMON process may be persistently down, even post reboot. |
PRJ-50313, |
Multi-Portal |
A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway. |
PRJ-43879, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-50953, |
VSX |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router. |
PRJ-51077, |
VSX |
When User Mode (UPPAK) is enabled, there may be performance loss when passing traffic through a Virtual Switch on a VSX Security Gateway. |
PRJ-51166, |
VSX |
In some scenarios, the VSX VSLS cluster cannot pass the traffic for up to twenty seconds after performing a failover and failback when User Mode (UPPAK) is enabled. |
PRJ-47838, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-47797, |
VSX |
A memory leak may occur in the CPD process. |
PRJ-44301, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed. |
PRJ-44269, |
VSX |
Virtual System context may not be handled correctly by CPView, for example, the same interfaces may be listed on all virtual systems. |
PRJ-47399, |
VSX |
When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown. |
PRJ-46972, |
Gaia OS |
Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249. |
PRJ-46276, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47774, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-44371, |
Gaia OS |
SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status. |
PRJ-46021, |
Gaia OS |
The SNMPD process memory consumption may be high, which causes the process to become unresponsive. |
PRJ-46284, |
Harmony Endpoint |
Non-domain macOS devices are created as a new endpoint on the Endpoint Management when re-installing the device. |
PRJ-46852, |
Harmony Endpoint |
Because of a rare race condition, AD scanners may get stuck in the initializing state with "ERROR ajp-nio2-127.0.0.1-8009-exec-96 - Failed to enumerate scanner instances for SF-DC2.mapro.cat, scanner instance788b7398-5a79-91fb-6f68-137813a5556e (UsmDSConfigResponder)java.lang.NumberFormatException". |
PRJ-48876, |
Harmony Endpoint |
|
PRJ-43572, |
Harmony Endpoint |
After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to "None". And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed. |
PRJ-46803, |
Harmony Endpoint |
In rare scenarios, when making changes in SmartConsole, it gets disconnected. |
PRJ-47056, |
Harmony Endpoint |
Some devices added to a Virtual Group from the SmartEndpoint Reporting tab do not receive the assigned policy. |
PRJ-43045, |
Harmony Endpoint |
E2 engine may send an incorrect value of datDate in sync request. |
PRJ-48257, |
Harmony Endpoint |
The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package. |
PRJ-51660, |
Harmony Endpoint |
|
PRJ-47900, |
CloudGuard Network |
Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed. |
PRJ-47735, |
CloudGuard Network |
After an upgrade, Azure Gov mapping may fail. |
PRJ-43610, |
VoIP |
SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter). |
PRJ-43719, |
VoIP |
After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-48851, |
Scalable Platforms |
In a Maestro Orchestrator environment, the "orch_stat -p" command may bring the "invalid literal for int() with base 10" error message. |
PRJ-50121 |
Scalable Platforms |
After enabling the Maestro Fastforward feature, policy installation on a Maestro Security Group may fail in SmartConsole with "Maestro acceleration (MXL) failed, reason: General error. Please check /var/log/acl_cli.log on the security group SMO for more details". Refer to sk181661. |
PRJ-49177, |
Scalable Platforms |
Reboot may take a long time. |
PRJ-50344, |
Scalable Platforms |
When the LightSpeed interface is brought down or up, the hardware nroute flow is added to the list even if it fails to offload. This may trigger a Security Gateway crash. |
PRJ-50031, |
Scalable Platforms |
|
PRJ-46575, |
Scalable Platforms |
In a Maestro environment, LACP bond subordinates may become suspended when using the shared interfaces feature, particularly when the quantity of bonds and subordinates is significantly high. |
PRJ-46246, |
Scalable Platforms |
In rare scenarios, when using "chassis_admin" command, the "asg_chassis_admin | "/opt/CPsmos-R81.20/bin/asg_chassis_admin: line 192: [[: |: syntax error: operand expected (error token is "|")" output may be printed. This is only cosmetic and does not prevent performing site failover. |
PRJ-50346, |
Scalable Platforms |
In a rare scenario, the Security Gateway may access obsolete nroute memory, resulting in a crash. |
PRJ-44501, |
Scalable Platforms |
Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file. |
PRJ-48213, |
Scalable Platforms |
In rare scenarios, the CONFD process may get stuck. This may cause Maestro Orchestrator boot to hang and login to Gaia Portal to fail. |
PRJ-47641, |
Scalable Platforms |
In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log. |
Take 41 Released on 20 November 2023 and moved to Recommended on 4 December 2023 |
||
PRJ-50104, PRHF-30325 |
Diagnostics |
UPDATE: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository. |
PRJ-49892, PMTR-95687 |
Security Management |
UPDATE: Removed a redundant guava package. |
PRJ-49825, PMTR-95347 |
Security Management |
UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22. |
PRJ-49787, PMTR-95614 |
Security Management |
UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies. |
PRJ-50265, PRJ-49966, PRJ-48318, PRJ-49012, ODU-1121, ODU-1137 ODU-1256, ODU-1304 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 81, Take 85 and Take 90 via self-updatable package. Refer to sk170314. |
PRJ-49109, PMTR-94517 |
SmartConsole |
UPDATE: Applied security related improvements to the Jetty open source library. |
PRJ-50125, PRJ-50124, ODU-1217, |
CPView |
UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-50043, |
CPView |
UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458. |
PRJ-50093, |
Security Gateway |
UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability. |
PRJ-49494, |
Threat Prevention |
UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-49746, PMTR-95099 |
Mobile Access |
UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default. |
PRJ-50418, PRHF-30748 |
CloudGuard Network |
UPDATE: The automatic scanning of NSX-T IP ranges feature is now disabled by default. Refer to sk181614. See the Important Notes section. |
PRJ-48340, |
CloudGuard Network |
UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-49936 |
Harmony Endpoint |
UPDATE: Upgraded symmetricDS to the 3.14.9 version. |
PRJ-45981, |
Scalable Platforms |
UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-50543, |
HCP |
UPDATE: Added Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-50030, PMTR-95988 |
Security Management |
The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626. |
PRJ-50899, PRHF-31187 |
Security Gateway |
A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security. |
PRJ-50191, PMTR-96205 |
IPS |
Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6. |
PRJ-49379, PRHF-30056 |
SecureXL |
SYN Defender may not correctly handle reused connections. |
PRJ-49467, PRHF-30344 |
Scalable Platforms |
On a Security Group with MDPS enabled:
After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane. See sk182076. |
Take 38 Released on 23 October 2023 |
||
PRJ-46771, |
Security Gateway |
NEW: This Jumbo Hotfix Take introduces support for new Quantum Force appliances 19200, 29100, and 29200. Refer to sk180520.
|
PRJ-47822, |
Security Gateway |
NEW: Identity Awareness daemons (PDPD and PEPD) now use a modern memory allocator. The feature is disabled by default. Refer to sk181629. |
PRJ-42434, |
SecureXL |
NEW: Added support for User Space Mode (UPPAK) on LightSpeed Appliances (QLS250, QLS450, QLS650, and QLS800 - see sk179432). After upgrading to this Jumbo Hotfix Take, these appliances will run in UPPAK mode by default. |
PRJ-48144 |
Identity Awareness |
UPDATE: Added a new mode for Identity Awareness Blade - "PDP-Only", where the Security Gateway acts only as Policy Decision Point (PDP) for identity acquisition and distribution and does not enforce the identity-based policy. The new mode improves scalability for PDPs and Identity Broker. Refer to sk181605. |
PRJ-49556 |
SecureXL |
UPDATE: On Quantum LightSpeed appliances running in Kernel Mode (KPPAK), when using a feature that is not supported in User Space Mode (UPPAK), a notification that after upgrading to this Jumbo Take the appliance will still run in KPPAK is now displayed. |
PRJ-49380, |
SecureXL |
UPDATE: The VXLAN creation feature is now blocked in User Space Mode (UPPAK). |
PRJ-49383, |
SecureXL |
UPDATE: The GRE interface creation feature is now blocked in User Space Mode (UPPAK). |
PRJ-49385, |
SecureXL |
UPDATE: The VRRP interface creation feature is now blocked in User Space Mode (UPPAK). |
PRJ-49211 |
SecureXL |
UPDATE: When UPPAK mode is enabled, the limit in /var/log/dump/usermode/ gets automatically extended from 10 Gb to 30 Gb to prevent possible deletion of large core files. |
PRJ-43883, |
VSX |
UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX. |
PRJ-48405, |
HCP |
UPDATE: Added Update 13 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-48879, |
Security Management |
|
PRJ-49205, |
Security Management |
Refer to sk181471. See the Important Notes section. |
PRJ-48791, |
Security Gateway |
An upgrade may fail with this validation message: "Install On column contains Security Gateways without Blades that exist in the 'Protection/Site/File/Blade column'_ Blades". |
PRJ-45207
|
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit when running an outgoing (a local connection) from the Security Gateway. |
PRJ-49513, |
Threat Prevention |
In a rare scenario, changes in Threat Prevention custom intelligence feeds settings may not be applied after policy installation. |
PRJ-48253, |
Identity Awareness |
Identity-based roles may not match the Access Roles after User and Machine were identified. |
PRJ-45057, |
Identity Awareness |
In a rare scenario, during authentication, the PDPD process can become unresponsive. |
PRJ-46844, |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit during an LDAP query. |
PRJ-48148, |
Identity Awareness |
When Identity Agent authenticates both the machine and the user, a rare race condition may occur and disrupt the intended sequence of authentication and publishing, resulting in incorrect data handling. |
PRJ-47111, |
Identity Awareness |
Identity Broker may be missing some identities. |
PRJ-47110, |
Identity Awareness |
The PDPD process may exit during Identity Broker synchronization. |
PRJ-48934, |
Identity Awareness |
The PDP Gateway may be unresponsive while publishing identities to Identity Broker subscriber in the Sync flow. |
PRJ-47890, |
Identity Awareness |
In rare scenarios, the PDP Gateway may not be responsive when Identity Agent reconnects. |
PRJ-48933, |
Identity Awareness |
In a rare condition, in a large environment, the PDP Gateway may crash when publishing an IP-change message to its Identity Broker subscribers. |
PRJ-49339, |
ClusterXL |
In ClusterXL Bridge mode, failover fail-back may cause a short outage. |
PRJ-47844, |
ClusterXL |
When setting the bonding group to 8023AD mode, a "KERLAG0029 Error running cmd cphaconf bond_ls set bond1 0." message is shown. |
PRJ-49947, |
ClusterXL |
Standby VSX cluster members working in Virtual System Load Sharing (VSLS) mode may not be able to access the Internet. |
PRJ-48933 |
CoreXL |
Corrupted VS affinity configuration may cause excessive error messages "cp_set_process_vs_affinity: Error corrupt affinity file". |
PRJ-49239, |
Routing |
If the Security Gateway is in UPPAK mode and a PBR rule directs traffic to a Server on a different subnet, deleting the ARP entry for the Gateway on the Server can disrupt the traffic flow. |
PRJ-49906, |
Routing |
When BGP local address is configured, BGP peer may fail to establish. See the Important Notes section. |
PRJ-49485, |
VPN |
VPN connectivity may be unstable when IPv6 and VPN star communities are configured. |
PRJ-49351, |
VSX |
In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823. |
PRJ-49933 |
CloudGuard Network |
After an upgrade, CloudGuard Central Licenses may be removed from the CloudGuard Central License pool on the Security Management and from the Security Gateways. Refer to sk181500. See the Important Notes section. |
PRJ-49308, |
Scalable Platforms |
The Security Gateway may lose connectivity to Maestro Hyperscale Orchestrator (MHO) when running the "tcpdump -i any" command. |
PRJ-49314, |
Scalable Platforms |
After adding a new Security Group Member to a Security Group with the default shell /bin/gclish, the status of the new Security Group Member is "Down" with a Critical Device "image_clone" pnote. |
Take 26 Released on 14 August 2023 and moved to Recommended on 13 September 2023 |
||
PRJ-44227, |
Compliance |
NEW: Compliance Blade is enhanced with 5 new Firewall Best Practices:
|
PRJ-44577, |
Internal CA |
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date. |
PRJ-44672, |
Security Management |
NEW:
|
PRJ-44359, |
Security Management |
NEW: Added a new Management API "mgmt_cli show ha-status". It provides synchronization information for the currently active domain.
|
PRJ-44747, |
Security Management |
NEW: Added support for multiple languages in the Change Report. |
PRJ-44421, |
Security Management |
NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository. |
PRJ-43522, |
Security Management |
NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs . For example:
|
PRJ-44421, |
Security Management |
NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository. |
PRJ-45679, |
CloudGuard Network |
NEW: CloudGuard Controller for NSX-T
Note: Importing Virtual Machines can be enabled only using Policy Mode APIs. When enabled, the amount of API requests toward the NSX-T manager increased. |
PRJ-45491, |
Security Management |
UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster). |
PRJ-46243, |
Security Management |
UPDATE: A Security Management Server/Domain Management Server can now manage up to 500 Security Gateways/Cluster members, allowing concurrent policy installation on all Security Gateways/Cluster members at once. |
PRJ-45204, ODU-843 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314. |
PRJ-45473, |
CPView |
UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-45466, |
CPView |
UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-44609, |
Threat Emulation |
UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443. |
PRJ-44321, |
Threat Prevention |
UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable. |
PRJ-45463, |
Threat Prevention |
UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-46429, |
Threat Prevention |
UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses. |
PRJ-43784, |
Threat Prevention |
UPDATE: Ability to send packet capture on IPS / Anti-Bot silent protections to the research team to enhance the security. |
PRJ-45912, |
Identity Awareness |
UPDATE: Implemented monitoring functionality and alerts for tracking the expiration date of Identity Broker certificates. |
PRJ-46224, PMTR-92426 |
ClusterXL |
UPDATE: Added support for IPv6 traffic synchronization in Multi-Version Clusters (MVC). See the Important Notes section. |
PRJ-44719, PRHF-22566 |
SecureXL |
UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall. |
PRJ-42862, PMTR-88750 |
Zero Phishing |
UPDATE:
|
PRJ-44762, |
Gaia OS |
UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined. |
PRJ-47227, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427. |
PRJ-44354, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region. |
PRJ-43926, |
CloudGuard Network |
UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.20 Administration Guide > Configuration Parameters. This change prevents scenarios when CloudGuard Controller fails to connect to Cluster with MDPS enabled (sk180981). |
PRJ-46550 |
CloudGuard Network |
UPDATE: Added new Security Management APIs for the CloudGuard Central License Utility:
|
PRJ-45214, |
Scalable Platforms |
UPDATE: Added Management Data Plane Separation (MDPS) support for Maestro Orchestrator and Chassis scalable platforms. |
PRJ-43863, |
Scalable Platforms |
UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures. |
PRJ-45908, |
Scalable Platforms |
UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-44959, |
Scalable Platforms |
UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log. |
PRJ-45389, |
HCP |
UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-44461, |
Security Management |
In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions. |
PRJ-45874, |
Security Management |
In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified. |
PRJ-43569, |
Security Management |
After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail. |
PRJ-45156, |
Security Management |
APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites. |
PRJ-42040, |
Security Management |
Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)". |
PRJ-44086, |
Security Management |
Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514. |
PRJ-46630, |
Security Management |
In the Infinity Services view, the Log Sharing status may not be correct. |
PRJ-44625, |
Security Management |
In the Accelerated Policy Installation flow, there is no validation for the scenarios when there are DAIP Security Gateways in the Destination column of the Access policy. |
PRJ-44984, |
Security Management |
When using SmartTasks to send a mail before or after publishing the operation, the value inserted into the Changes and Description fields does not take effect as expected. |
PRJ-44594, |
Security Management |
In some scenarios, running the Management API "delete-exception-group" fails if the exception group is automatically attached. |
PRJ-43813, |
Security Management |
Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584. |
PRJ-46399, PRJ-46725, PRHF-28962 |
Security Management |
In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-46183, |
Security Management |
The "verify-policy" Management API command may fail when performed on the Multi-Domain Security Management Server. |
PRJ-43917, |
Security Management |
In the Object Explorer window in SmartConsole, the IP address column is sorted alphabetically, although it should be sorted in numerical order. |
PRJ-44592, |
Security Management |
The "show object" command fails when running it on nat-section objects. It returns a "null pointer exception" message, which occurs in calculations related to the overview objects meta-info. |
PRJ-44596, |
Security Management |
When adding/setting an access rule, setting certain fields to "Any" or "None" may fail because of case sensitivity. |
PRJ-44897, |
Security Management |
Policy installation gets stuck if the known proxy group contains the policy target. |
PRJ-45655, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service. |
PRJ-44996, |
Security Management |
In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out. |
PRJ-44473, |
Security Management |
Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message. |
PRJ-43267, |
Security Management |
When creating several LSM objects (Security Gateways or clusters) via both Management API and SmartConsole, the LSM objects IP addresses may be duplicated. |
PRJ-45878, |
Security Management |
If an empty Network Group is linked in the source or destination fields of an Access Rule, policy verification may not generate an error. Instead, it may treat the empty group as if there is an "Any" object. |
PRJ-42423, |
Security Management |
In some scenarios, an upgrade may fail when a Network object Group contains more than 32000 members. |
PRJ-43187, |
Security Management |
If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461. |
PRJ-42553, |
Security Management |
After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes". |
PRJ-43192, |
Security Management |
If the Security Management Server is behind NAT, remote Management API login fails. |
PRJ-45159, |
Security Management |
APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites. |
PRJ-43963, |
Security Management |
In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses. |
PRJ-46088, |
Multi-Domain Security Management |
A scheduled Install Policy Preset may not have its next run time updated when:
|
PRJ-44970, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages. |
PRJ-45069, PRJ-47051, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-43785, |
Multi-Domain Security Management |
Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers. |
PRJ-43599, |
SmartConsole |
Typo in the Compliance report - "OSFP" instead of "OSPF". |
PRJ-46531, |
SmartConsole |
SmartConsole may crash while checking for updates.
|
PRJ-46510, |
SmartConsole |
Data Center objects may not appear as unused objects in the Object Explorer view, although they should. |
PRJ-45593, |
SmartConsole |
In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to a Threat Prevention policy "Install On" column, no Security Gateway objects appear. Refer to sk180964. |
PRJ-46171, |
CPUSE |
When working in a Scalable Platforms environment, a member may get in a bootloop. The issue occurs after consequent upgrade of this member to R81.10, Deployment Agent (DA) update and enabling image auto cloning. |
PRJ-43473 |
CPUSE |
In some scenarios, the task progress bar is missing during Jumbo installation from SmartConsole. |
PRJ-43477, |
Logging |
The Non-Transparent Proxy configuration is missing the IP address of the destination website in the URL Filtering logs. Refer to sk180403. |
PRJ-45670, |
Logging |
In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured. |
PRJ-41667, |
Logging |
In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field. |
PRJ-41595, |
Logging |
SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information. |
PRJ-45418, |
Logging |
Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic. |
PRJ-46074, |
Logging |
After an upgrade of the Security Management Server, the "cp_log_export show" command may return the "found an ambiguous value" error in the "export_log_position" field. |
PRJ-44408, |
Security Gateway |
Global tables (ghtab) may not be synchronized between members, this can lead to instability of traffic. |
PRJ-46054, |
Security Gateway |
The Security Gateway may crash while inspecting non-HTTP traffic. |
PRJ-44190, |
Security Gateway |
The Security Gateway may crash due to a memory issue. |
PRJ-45804, |
Security Gateway |
Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588. |
PRJ-47118, |
Security Gateway |
In some scenarios, after an upgrade, the FWD process may unexpectedly exit. |
PRJ-45001, |
Security Gateway |
In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped. |
PRJ-45091, PMTR-90992 |
Security Gateway |
It is impossible to configure the total number of IPv4 CoreXL Firewall instances and IPv6 CoreXL Firewall instances to more than 64 when the Security Gateway with more than 64 CPU cores runs in the USFW mode. Refer to sk181408. |
PRJ-43849, |
Security Gateway |
Stack buffer overflow may occur in the FWGTP process. |
PRJ-46677, PRJ-46680, |
Security Gateway |
After an upgrade, GTP traffic and memory issues may occur. |
PRJ-46335, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-46139, |
Security Gateway |
The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032. |
PRJ-44312, |
Security Gateway |
In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash. |
PRJ-46688, |
Security Gateway |
When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops. |
PRJ-42788, |
Security Gateway |
In some scenarios, the Security Gateway may crash. |
PRJ-44605, |
Security Gateway |
The FWK process may unexpectedly exit while processing the mail flow and generate a core dump. |
PRJ-45497, |
Security Gateway |
On the Security Gateway with Management Data Plane Separation (MDPS) enabled:
|
PRJ-42531, |
Security Gateway |
In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart. |
PRJ-45479, |
Security Gateway |
Security Gateway may crash when running kernel debugs of the "UP" module. |
PRJ-44252, |
Security Gateway |
When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC. |
PRJ-45450, |
Security Gateway |
When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure. |
PRJ-44753, |
Security Gateway |
Policy installation may fail with "Error 2000240" because of an IPv6 flow issue. |
PRJ-41879, |
Security Gateway |
On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode. |
PRJ-45187, |
Security Gateway |
Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705. |
PRJ-44106, |
Threat Prevention |
Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues. |
PRJ-44571, |
Threat Prevention |
After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty Feed". |
PRJ-44152, |
Threat Prevention |
In a rare scenario, policy installation may fail because of IoC observables overrides. |
PRJ-44201, PMTR-89130 |
Threat Prevention |
When IPS Blade is enabled, the Security Gateway may crash. |
PRJ-45925, |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit during user authentication flow. |
PRJ-43748, |
Identity Awareness |
The output of the "pdp monitor cv_le <agent-version>" command may be incorrect. |
PRJ-45429, |
Application Control |
Some TLS1.3 applications without SNI do not match the rules. |
PRJ-43976, |
URL Filtering |
When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected. |
PRJ-44181, |
IPS |
In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic. |
PRJ-45658, |
SSL Inspection |
In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0. |
PRJ-46280, |
Anti-Virus |
Importing a custom intelligence feed containing IP ranges may fail. |
PRJ-44671, |
Anti-Virus |
Anti-Virus Blade may bypass inspection of URLs with sub-domain portion. |
PRJ-46606, |
Anti-Virus |
The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026. |
PRJ-44234, |
Anti-Virus |
The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries. |
PRJ-45195, |
Mobile Access |
In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail. |
PRJ-45100 |
Mobile Access |
SSL Network Extender (SNX) may randomly disconnect after a version upgrade. Refer to sk173765. |
PRJ-45852, |
Mobile Access |
Mobile Access Security Gateway does not recognize Office 365 URL This can cause OAuth 2.0 authorization to fail, it may not be possible to view the mail. |
PRJ-46403, |
Mobile Access |
Sending emails with attachments via Capsule Workspace may fail on iOS. |
PRJ-46506, |
ClusterXL |
Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969. |
PRJ-45163, |
ClusterXL |
A VRRP cluster member may be stuck in boot after a cluster upgrade. |
PRJ-42772, |
ClusterXL |
Asymmetric UDP traffic may be dropped with "First Packet isn´t Syn". |
PRJ-43640, |
SecureXL |
In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability. |
PRJ-44365, |
SecureXL |
When running tcpdump on the Multi-Domain Security Server, an "error /bin/cp-tcpdump.sh: line 11: sxlmode: command not found" message is shown. The issue is cosmetic only. |
PRJ-41959, |
Routing |
In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group. |
PRJ-44710, |
Routing |
An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface. |
PRJ-44706, |
Routing |
Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table. |
PRJ-45380, |
Routing |
A VRRP/VRRP6 interface may go into Master/Master state. |
PRJ-46133, |
Routing |
When two interfaces with the same local address are configured, BGP may use an incorrect interface to reach a peer. |
PRJ-41962, |
Routing |
Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear. |
PRJ-43828, PRHF-27339 |
VPN |
In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection and the traffic might be dropped. Refer to sk180855. |
PRJ-44313, |
VPN |
The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client. |
PRJ-44992, PRJ-46303 PRJ-44830, |
VPN |
|
PRJ-45469, PRHF-28353 |
VPN |
StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method. |
PRJ-44219, |
VPN |
The "vpn/ike debug ikeon/ikefail" commands may fail when used with the "-s" flag. |
PRJ-45920, |
VPN |
The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation. |
PRJ-46952, |
VSX |
An upgrade of VSX cluster members configured as VSLS from SmartConsole may fail. |
PRJ-45146, |
VSX |
Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster. |
PRJ-45006, |
VSX |
A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command. |
PRJ-44123, |
VSX |
Changing the main IP address of a Virtual Router may cause the FWM process to exit. |
PRJ-44746, |
VSX |
Virtual System's interfaces may be missing when running the Clish command "show/save configuration". |
PRJ-44090, |
VSX |
Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect. |
PRJ-45402, |
VSX |
Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs. |
PRJ-45864, |
Gaia OS |
Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error. |
PRJ-41910, |
Gaia OS |
Gaia WebUI logs are printed with "info" severity. |
PRJ-45566, ACCHA-2110 |
Gaia OS |
The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728. |
PRJ-42780, |
Gaia OS |
Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection". |
PRJ-43199, |
Gaia OS |
Appliance with a Dual Image installed cannot reboot after restoring to the factory default of a Dual Image. Refer to sk180331. |
PRJ-46945, |
Harmony Endpoint |
KAV updater on the Server may fail to receive updates when proxy is used. |
PRJ-45541, |
CloudGuard Network |
AWS Data Center mapping fails when an interface subnet is missing from the list of subnets. |
PRJ-44479, |
CloudGuard Network |
Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started. |
PRJ-44615, |
VoIP |
In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue. |
PRJ-46476, |
VoIP |
SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file. |
PRJ-43719, |
VoIP |
After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-42783, |
Scalable Platforms |
Adding more than 250 VLANs on an Orchestrator MHO-175 Maestro Uplink interface causes intermittent traffic outages. Refer to sk180340. |
PRJ-45253, |
Scalable Platforms |
Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439. |
PRJ-44548, |
Scalable Platforms |
The "orch_info" command may freeze, when running it on Maestro Orchestrator. |
PRJ-45696, |
Scalable Platforms |
Querying the HW status via SNMP (OIDs .1.3.6.1.4.1.2620.1.6.7.*) or via the "cpstat os -f sensors" command may fail on Maestro Orchestrator. |
PRJ-45302, |
Scalable Platforms |
In rare scenarios, the Single Management Object (SMO) may go to Down state after clicking a packet capture link in the IPS log in SmartConsole. |
PRJ-47985, PRJ-47745 |
Scalable Platforms |
Uninstalling Jumbo Hotfix Take 106/107 on Maestro Orchestrator (MHO) may cause an outage. |
PRJ-45363, |
Scalable Platforms |
Maestro Orchestrator sx_api scripts (e.g. sx_api_ports_dump.py) return the "/usr/bin/env: python: No such file or directory" error. |
PRJ-44437, |
Scalable Platforms |
WRP interfaces cannot be used for Source / Destination in a specific Fast Forward rule. |
PRJ-44022, |
Scalable Platforms |
Policy validation may fail if the Fast Forward feature is enabled. |
PRJ-44288, |
Scalable Platforms |
The "set/show trace" command may fail in gClish. |
PRJ-45886, |
Scalable Platforms |
In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System. |
PRJ-46646, |
Carrier Security |
Incorrect parsing of GTP-U traffic may cause anti-spoofing drops. |
PRJ-43225, |
Carrier Security |
Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507. |
PRJ-43221, |
Carrier Security |
Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506. |
PRJ-46674, |
Carrier Security |
Packet corruption, leading to traffic and performance issues. |
PRJ-43358, |
Carrier Security |
GTP traffic may be dropped and tunnels are not registered in gtp_tunnels. |
Take 24 Released on 12 July 2023 and moved to Recommended on 24 July 2023 |
||
PRJ-47513, |
GaiaOS |
UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230: 1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor). 2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login). These Gaia Clish commands are available to work with this feature:
|
PRJ-47103, |
Security Management |
Policy installation may fail with "Target is not defined in the database" error when the target name has many underscore or dash characters. See the Important Notes section. |
PRJ-47265, |
SSL Inspection |
The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak. |
PRJ-45350, |
ClusterXL |
After an upgrade, cluster members may frequently crash, causing instability in the environment. |
PRJ-45788, |
CloudGuard Network |
Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries. |
PRJ-47144, |
Scalable Platforms |
A new member added to Maestro Security Group may get stuck in Down state because of the missing IPS files when using image auto cloning. |
Take 14 Released on 1 June 2023 |
||
PRJ-44444 |
SD-WAN |
NEW: Added support for Quantum SD-WAN that provides resilient connectivity, optimizes usage of WAN connections for Internet and Site to Site VPNs allowing dynamic application traffic steering based on measured ISP link quality. Refer to sk180605. See the Important Notes section. |
PRJ-45296, |
Security Management |
UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792. |
PRJ-44503, |
Security Management |
UPDATE: Significantly improved performance during upgrade and import for large Multi-Domain Security Management environments with many administrators (over 20 domains and over 100 global administrators).
|
PRJ-45675, |
Security Gateway |
UPDATE: Added a new environment variable " |
PRJ-45072, |
ClusterXL |
UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742. |
PRJ-44871, |
VSX |
UPDATE: The default maximum number of processes monitored by CPWD is changed from 3000 to 10000. |
PRJ-45265, |
GaiaOS |
UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311. |
PRJ-45756, PMTR-91592 |
Scalable Platforms |
UPDATE: Improved the decision making flow for scenarios when Maestro Gateway should leave a Security Group. |
PRJ-45055, |
Security Management |
In rare scenarios, in multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked. |
PRJ-43560, PRJ-42549, |
Security Management |
In rare scenarios, in Multi-Site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897. |
PRJ-45061, |
Security Management |
In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858. |
PRJ-44452, |
Security Management |
In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681. |
PRJ-44096, |
Security Gateway |
In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure. |
PRJ-44233, |
Security Gateway |
After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore. |
PRJ-44082, |
Security Gateway |
In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated. |
PRJ-44921, |
Security Gateway |
After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs. |
PRJ-46341, |
Security Gateway |
In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze. |
PRJ-45085, |
Security Gateway |
Latency when the Anti-Virus Blade processes ThreatCloud response. |
PRJ-42586, PMTR-88424 |
Threat Prevention |
When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced. |
PRJ-44552, |
Threat Prevention |
In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update. |
PRJ-44317, |
Content Awareness |
When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection. |
PRJ-44384, |
Application Control |
A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability. |
PRJ-42715, |
IPS |
In a rare scenario, the Security Gateway may crash during an IPS package update. |
PRJ-44456, |
ClusterXL |
After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops. |
PRJ-44678, |
SecureXL |
After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped. |
PRJ-44875, |
SecureXL |
Traffic may be dropped and the FWACCEL core file is generated. |
PRJ-44925, |
Routing |
When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode. |
PRJ-46129, |
Routing |
The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths. |
PRJ-44941, |
Routing |
After an update, multicast traffic may be dropped. |
PRJ-44693, |
Routing |
Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669. |
PRJ-41031, |
Routing |
The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established, but did not advertise routes. Lost routing causes the network to be down. |
PRJ-43596, |
VPN |
Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651. |
PRJ-46438 |
GaiaOS |
Memory allocation issue may occur during initialization time. |
Take 10 Released on 23 April 2023 and moved to Recommended on 30 April 2023 |
||
PRJ-45903 |
Scalable Platforms |
After installing R81.20 Jumbo Hotfix Accumulator Take 8 on Maestro Security Group Members (SGMs), they may reboot several times and stay in Down state with a "Configuration" pnote. This issue occurs on Maestro SGMs with Identity Awareness enabled and SGMs configured to learn Identities from remote PDPs. Refer to sk180862. See the Important Notes section. |
Take 8 Released on 7 March 2023 |
||
PRJ-42694, |
Security Management |
NEW: Added ability to run the "verify-policy" Management API command on a private session with unpublished changes. |
PRJ-40017 |
Security Management |
NEW: Central Deployment of Hotfixes and Version Upgrades in SmartConsole will now support clusters of Centrally Managed Quantum Spark Appliances that run R81.10.XX firmware versions. |
PRJ-41769, |
CPView |
NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566. |
PRJ-43896, |
Security Gateway |
NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43808, |
Application Control, URL Filtering |
NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43911, |
SmartView |
NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-44256, |
Threat Extraction |
NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-42165, |
IPS |
NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content. |
PRJ-41947, |
Security Management |
UPDATE: Connecting a Quantum Security Management Server to Infinity Portal is now supported in the Full High Availability Cluster (when each cluster member has a Security Management Server and a Security Gateway). |
PRJ-42028, |
Security Management |
UPDATE: When adding R81.10 or lower Security Gateways to a Threat Prevention policy with Zero Phishing Blade, a verification error will be shown. |
PRJ-42563, PRJ-42564 |
Security Management |
UPDATE: It is now possible use multiple values when filtering in these views:
|
PRJ-42554, |
Security Management |
UPDATE: Added an option to configure the maximum number of IPS SNORT rules. These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config (for MDS - additionally in the $MDS_FWDIR/conf/malware_config file): "[IPS] snort_convertor_max_rules_per_update=<value> snort_convertor_total_rules_num_limit=<value>". Refer to sk136515. |
PRJ-42034, |
Security Management |
UPDATE: Added a new Management API "mgmt_cli verify-management-license". It allows to check how many Security Gateway objects the Management Server license supports. Note that this API does not support Quantum Maestro and VSX. Refer to Management API Reference. |
PRJ-42307, |
Security Management |
UPDATE: Improved the "Purge revisions" operation to reduce the size of the database. |
PRJ-42982, |
Web SmartConsole |
UPDATE: Released Take 76 with new features and improvements. Refer to sk170314. |
PRJ-44560, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436. |
PRJ-42373, |
Security Gateway |
UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode. |
PRJ-42659, |
IPS |
UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections. |
PRJ-42704, |
Threat Prevention |
UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-42260, |
Threat Prevention |
UPDATE: Reduced loading time of big external Custom Intelligence Feeds. |
PRJ-41381, |
VPN, Multi-Portal |
UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434. |
PRJ-44248, |
VPN |
UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.
Refer to sk98074. |
PRJ-42405, |
VSX |
UPDATE: Added more logs related to Pushing VSX Configuration.
. |
PRJ-42875, ODU-611 |
Gaia OS |
UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653. |
PRJ-43614, |
Gaia OS |
UPDATE: Gaia Cloning Groups will now use the highest TLS version available. |
PRJ-43048 |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS eu-central-2 (Zurich) and eu-south-2 (Spain) and ap-south-2 (Hyderabad) regions. |
PRJ-43028, |
CloudGuard Network |
UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher. |
PRJ-41847, |
CloudGuard Network |
UPDATE: Improved handling of NSX-T API responses. |
PRJ-42015, |
CloudGuard Network |
UPDATE: Improved performance of pushing Data Center Objects changes to Security Gateways. |
PRJ-41649, |
Scalable Platforms |
UPDATE: Upon member state change to Active, there may be minor packet drops. Added an option to not forward traffic to a new Active member until all connections are synchronized to it: • To enable this option:
• To disable this option:
|
PRJ-43405, |
Diagnostics |
Skyline may not show any information. Refer to sk180748. |
PRJ-42111, |
Security Management |
The date of a policy configured with "accelerated installation" may not be updated in logs. |
PRJ-43902, |
Security Management |
On R77.20 Quantum Spark appliances with some IPS packages, policy installation fails with the "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk180448. |
PRJ-41763, |
Security Management |
In some scenarios, the CME process fails to start. |
PRJ-43341, |
Security Management |
In some scenarios, Audit logs may not be created when running remote API commands from Infinity Portal. |
PRJ-42411, |
Security Management |
Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error. |
PRJ-44564, |
Security Management |
In a rare scenario, OCSP response cash located in $CPDIR/tmp/curl_crl_ocsp may take a lot of memory. |
PRJ-35072, |
Security Management |
High Availability synchronization fails when one Management Server is installed on an appliance of 6000 series and the other one is an Open Server, a Virtual Machine, or installed on an appliance of different series. |
PRJ-43095, |
Security Management |
After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails. |
PRJ-43364, |
Security Management |
Editing a Global Assignment object using Ansible may fail. |
PRJ-43318, |
Security Management |
In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed. |
PRJ-43315, |
Security Management |
Running API commands with the "dereference-max-depth" parameter with "0" value may fail when there is the "groups" field in the reply. |
PRJ-44023, |
Security Management |
When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message. |
PRJ-42244, |
Security Management |
Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER. |
PRJ-42798, |
Security Management |
The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed. |
PRJ-44485, |
Security Management |
The "show simple-gateways" Management API command may fail with the "Null Pointer Exception" error and cause the CME failure. Refer to sk180944. |
PRJ-41977, |
Security Management |
The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119. |
PRJ-43688, |
Security Management |
When running the "update-provisioned-satellites" Management API command on a cluster, it may fail with the "The operation does not support this object type" error. |
PRJ-41557, |
Security Management |
After an Application Control update, policy installation may fail. |
PRJ-42061, |
Security Management |
The "show objects" command returns all objects in Global Domain with any filter when "ip-only" flag is set to "true". |
PRJ-44630, PMTR-90519 |
Security Management |
There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder. |
PRJ-42860, |
Security Management |
After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole. |
PRJ-42510, |
Security Management |
Access policy verification may fail when dynamic objects exist in the NAT policy. |
PRJ-41672, |
Security Management |
When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue. |
PRJ-41929, |
Security Management |
After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294. |
PRJ-41893, |
Security Management |
High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server. |
PRJ-42043, |
Security Management |
In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail. |
PRJ-43313, |
Security Management |
The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base. |
PRJ-41921, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit. |
PRJ-42850, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, traffic may not match rules with custom applications. |
PRJ-42106, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, the HitCount retention mechanism may prematurely remove the HitCount data. |
PRJ-42050, |
Multi-Domain Security Management |
In rare scenarios in a Multi-Domain Security Management environment:
|
PRJ-42303, |
Multi-Domain Security Management |
Reassigning a Global Domain to a local Active Domain from one MDS to another may result in the local domain not reflecting recent changes. The issue occurs in Multi-Site environments if two Multi-Domain Security Management Servers (MDS) have a Standby Global Domain. |
PRJ-43176, |
SmartConsole |
SmartConsole installation folder contains screenshots of legacy demo documents. |
PRJ-41610, |
SmartProvisioning |
Deleting an LSM Gateway via REST API does not revoke the device's VPN certificate. |
PRJ-42085, |
CPView |
A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops. |
PRJ-43590, |
CPView |
In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart. |
PRJ-43672, |
CPView |
The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540. |
PRJ-42415, |
Logging |
When LEA spawning is turned off (sk91343), the FWD process may run out of memory. |
PRJ-41853, |
Logging |
After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable. |
PRJ-43394, |
Logging |
When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects. |
PRJ-42818, |
Security Gateway |
The Security Gateway may crash when running a memory leak detection procedure. |
PRJ-43134, |
Security Gateway |
When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead. |
PRJ-43012, |
Security Gateway |
When adding a new RADIUS Server to Gaia, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted. |
PRJ-42297, |
Security Gateway |
When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command. |
PRJ-42945, |
Security Gateway |
When Anti-Spoofing is enabled, the Security Gateway may crash. |
PRJ-43840, |
Security Gateway |
The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation. |
PRJ-42708, |
Security Gateway |
DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list. |
PRJ-43619, |
Security Gateway |
The Security Gateway may frequently crash with vmcore files, recording invalid context. |
PRJ-43887, |
Security Gateway |
In some scenarios, the FWD process is stuck during policy installation. |
PRJ-43706, |
Security Gateway |
The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs). |
PRJ-43555, |
Security Gateway |
Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled. |
PRJ-41635, |
Security Gateway |
Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop. |
PRJ-43529, |
Security Gateway |
In rare scenarios when ISP Redundancy feature is enabled, default route disappears after policy installation. |
PRJ-42805, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-41496, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-41092, |
Security Gateway |
A kernel crash may occur during system shutdown when PIM is enabled. |
PRJ-43344, |
Security Gateway |
A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data. |
PRJ-41791, |
Security Gateway |
The Security Gateway with enabled Anti-Virus may experience a memory allocation issue. |
PRJ-42973, |
Security Gateway |
The Security Gateway on a LightSpeed appliance may crash when a Bond interface is configured on the LightSpeed 10/25/40/100G QSFP28 Ports, and the state of this Bond interface changes between on / off, or off / on. |
PRJ-41796, |
Security Gateway |
The Security Gateway with enabled Anti-Virus Blade may experience a memory allocation issue. |
PRJ-43143, |
Security Gateway |
Policy installation from R81/R81.10 Security Management Server on R81.20 Security Gateway fails if Autonomous Threat Prevention mode is enabled. |
PRJ-43801, |
Security Gateway |
When handling some RTSP connections and the Hyperflow feature is enabled the Security Gateway may crash. |
PRJ-43128, |
Security Gateway |
Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption. |
PRJ-41865, |
Security Gateway |
After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). |
PRJ-43534, |
Security Gateway |
In some scenarios, the Security Gateway may frequently crash, causing outages. |
PRJ-41422, |
Security Gateway |
The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs. |
PRJ-41791, |
Security Gateway |
The Security Gateway with enabled Anti-Virus Blade may experience a memory allocation issue. |
PRJ-43779, |
Security Gateway |
When working in VSX Load Sharing (VSLS) mode, the FWK process may unexpectedly exit. |
PRJ-43671, |
Multi-Portal |
In a rare scenario, the MPDAEMON process may fail to start on one of the cluster members. |
PRJ-41472, |
Internal CA |
When managing cloud Gateways, the FWM process memory usage may increase. |
PRJ-42904, |
Internal CA |
The certificate in SmartConsole is shown as valid, although it is expired. |
PRJ-41599, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value. |
PRJ-42022, |
Threat Prevention |
Some logs with IP observables from custom intelligence feeds may be suppressed, although they contain different IP addresses. |
PRJ-41483, |
Threat Prevention |
Custom intelligence feeds load may fail because of a parsing issue. |
PRJ-42287, |
Threat Prevention |
The "ioc_feeds set interval -r" command may fail. |
PRJ-42196, |
Threat Prevention |
Files related to IoC may not be entirely removed from the disk after the feed removal. |
PRJ-42365, |
Threat Prevention |
In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file. |
PRJ-42586, |
Threat Prevention |
When using a host with automatic static NAT in a Threat Prevention policy object, the object will not be enforced. |
PRJ-41637, |
Threat Prevention |
The Security Gateway becomes unresponsive when loading external IoC feeds on a Security Gateway with EXT3 filesystem. |
PRJ-43367, |
Threat Extraction |
In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe". |
PRJ-43504, |
Application Control |
Policy installation may fail with an "Error 0-200184" message because of memory allocation issues. |
PRJ-42507, |
Application Control |
In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher. |
PRJ-43000, |
Identity Awareness |
In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side. |
PRJ-42340 |
Identity Awareness |
In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing. |
PRJ-42934, |
Identity Awareness |
The PDPD process may cause CPU spikes during cluster failover. |
PRJ-42996, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on PDP when installing policy. |
PRJ-43731, |
Identity Awareness |
Connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs. |
PRJ-42592, |
IPS |
The Security Gateway may crash during policy installation because of a memory allocation problem. |
PRJ-41656, |
IPS |
Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps. |
PRJ-41464, |
IPS |
When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation. |
PRJ-43584, |
DLP |
A memory leak may occur in the DLPU process. |
PRJ-43829, |
Anti-Virus |
When the RAD process exits with a timeout, the Blade name shown in the SmartConsole log card is incorrect. |
PRJ-44010, |
Anti-Virus |
The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade. |
PRJ-43414, |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification. |
PRJ-43182, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and create core dump files. |
PRJ-43892, |
SSL Inspection |
In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473. |
PRJ-43359, |
SSL Inspection |
In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode. |
PRJ-42152, |
Mobile Access |
After an upgrade, it may not be possible to connect to SNX, it gets stuck when initializing. |
PRJ-44292, |
Mobile Access |
Some web applications which use PT or UT link translation methods may have issues after a browser upgrade. |
PRJ-42469, |
Mobile Access |
When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue. |
PRJ-43226, |
Mobile Access |
Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled. |
PRJ-43618, |
Mobile Access |
Access to a web application that uses WebSocket protocol may not be possible. |
PRJ-41728, |
ClusterXL |
The cphaprob show_bond command does not show newly added subordinates from Virtual Systems (VSs). |
PRJ-43117, |
ClusterXL |
The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces. |
PRJ-43004, |
ClusterXL |
Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292. |
PRJ-44169, |
ClusterXL |
When handling HTTP/2 traffic, cluster members may crash, generating vmcores. |
PRJ-42929, |
ClusterXL |
A Hide NAT port may be allocated twice causing the "out of state" drops. |
PRJ-42465, |
ClusterXL |
Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled. |
PRJ-42576, |
SecureXL |
Multicast traffic may get dropped, and no logs are generated. |
PRJ-44132, |
SecureXL |
IPv6 template is not created when the connection is NATed. |
PRJ-43980, |
SecureXL |
In a rare scenario, a CPAQ message sent during policy push does not have critical priority, and can be dropped when the Security Gateway is busy. |
PRJ-42897, |
SecureXL |
SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router. |
PRJ-42446, |
SecureXL |
The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". |
PRJ-42074, |
SecureXL |
In some scenarios, the change of the cphwd_enable_ecmp global parameter value on a VSX Gateway does not survive a reboot. |
PRJ-43923, |
Routing |
Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost. |
PRJ-41709, |
Routing |
The ROUTED process may unexpectedly exit when the route does not have a next hop. |
PRJ-43411, |
Routing |
The ROUTED daemon may repeatedly exit when using PIM in Sparse mode (SM). |
PRJ-41725, |
Routing |
The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931. |
PRJ-44373, |
Routing |
OSPF routes may not be redistributed after reboot. |
PRJ-44260, |
Routing |
The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0". |
PRJ-42381, |
VPN |
The IKED process unexpectedly exits when the "Aggressive SLP" (Simultaneous Login Prevention) feature is enabled. |
PRJ-44945, |
VPN |
When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664. |
PRJ-42176, PRJ-43714, PRJ-42654, |
VPN |
Refer to sk180530. |
PRJ-42730, |
VPN |
In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue. |
PRJ-43387, |
VPN |
After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only. |
PRJ-43551, |
VPN |
VPN stability issues. |
PRJ-43300, |
VPN |
Stability issues for Data connections (RDP / RTP / FTP / ETC). Refer to sk179651. |
PRJ-42562, |
VPN |
When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty. |
PRJ-43348, |
VPN |
StrongSWAN Remote Access client can connect but fails to access internal resources. |
PRJ-42880, |
VPN |
When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281. |
PRJ-41561, |
VPN |
After an upgrade, the community name may not be visible from SmartView Monitor, and the "snmpwalk" command returns an empty value for this entry. |
PRJ-42763, |
VPN |
Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error. |
PRJ-41698, |
VSX |
The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database. |
PRJ-40976, |
VSX |
SecureXL may not let HTTPS traffic pass through a Virtual Router (VR). |
PRJ-43005 |
VSX |
Some connections inspected by Threat Prevention Blade may not be closed successfully, which leads to connectivity issues. |
PRJ-43357, |
VSX |
The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324. |
PRJ-43652, |
Gaia OS |
When setting password hash on cloning group members, some members may not get updated. |
PRJ-42527, |
Gaia OS |
Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181. |
PRJ-42646, |
Gaia OS |
In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit. |
PRJ-42963, |
Gaia OS |
IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309. |
PRJ-42221, |
Gaia OS |
Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI. |
PRJ-42625, |
Gaia OS |
SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command. |
PRJ-44162, PRJ-43959 |
Gaia OS |
When uninstalling a Jumbo Hotfix, some of the Management APIs may not work. The "gaia_api status" command returns an error and requests may fail. |
PRJ-43564, |
Gaia OS |
When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server. |
PRJ-42930, |
Gaia OS |
When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed. |
PRJ-44239, |
Gaia OS |
The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added. |
PRJ-43987, |
Gaia OS |
The "lldpneighbors" Clish command may have a corrupted output. Refer to sk182065. |
PRJ-42195, |
Gaia OS |
When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed. |
PRJ-42255, |
Gaia OS |
Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error. |
PRJ-41687, |
Gaia OS |
In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function. |
PRJ-43263, |
Gaia OS |
After an upgrade, the RADIUS Server is unavailable and authentication fails. |
PRJ-41614, |
Gaia OS |
Information about scheduled backup failure is now displayed in Clish, WebUI, and in the error message inside the log file. |
PRJ-43133, |
Harmony Endpoint |
Endpoint Web Management service may fail to delete old logs. |
PRJ-42954, |
Harmony Endpoint |
In an environment with the Endpoint Security Server, Jumbo Hotfix Accumulator installation may take a long time. |
PRJ-43069, |
CloudGuard Network |
Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data. |
PRJ-43579, |
CloudGuard Network |
When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails. |
PRJ-43074, |
CloudGuard Network |
A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings. |
PRJ-43260, |
CloudGuard Network |
Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object. |
PRJ-42011, |
CloudGuard Network |
When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway. |
PRJ-42116, |
CloudGuard Network |
AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC). |
PRJ-43648, PMTR-88995 |
CloudGuard Network |
Connectivity issues may occur between the Security Gateway and cluster on Alibaba cloud. |
PRJ-41535, |
VoIP |
In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651. |
PRJ-42700, |
VoIP |
In some scenarios, when using static NAT, VoIP traffic may be affected. |
PRJ-43078, |
VoIP |
While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption. |
PRJ-41836, |
Scalable Platforms |
SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926. |
PRJ-42014, |
Scalable Platforms |
In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Module (SGM). |
PRJ-42948, |
Scalable Platforms |
Optimized the SNMP communication between Security Gateway Module (SGM) and Security Switch Module (SSM) to prevent timeouts. |
PRJ-43420, |
Scalable Platforms |
The "set expert-password-hash" command may fail to update the password hash on all cluster members. |
PRJ-43490, |
Scalable Platforms |
Running the "show" or "set" commands for SSH in gClish fails. |
PRJ-44778, PRJ-44600 |
Scalable Platforms |
Uninstalling a Jumbo Hotfix from Maestro Orchestrator may cause the REST Server initialization to fail and lead to connectivity issues. |
PRJ-42754, |
Scalable Platforms |
When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name. |
PRJ-42193, |
Scalable Platforms |
Upgrade rollback may not be performed successfully on a Security Group if Security Gateways were upgraded via CPUSE to a new major version more than once. |
PRJ-43601, |
Scalable Platforms |
The task in "cpd_sched_config" is not correctly added and performed because of predefined NTP Servers. |
PRJ-42515, |
Scalable Platforms |
Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic. |
PRJ-43309, |
Scalable Platforms |
Minor packet drop may occur during Maestro Orchestrator graceful reboot. |