List of All Resolved Issues and New Features in R81.20 Jumbo Hotfix Accumulator
|
Review the Important Notes section before installing a new Take. |
Take |
Available Since | Recommended Since |
---|---|---|
12 Nov 2024 |
- |
|
06 Oct 2024 |
28 Oct 2024 |
|
05 Sep 2024 |
18 Sep 2024 |
|
19 Aug 2024 |
- |
|
21 Jul 2024 |
31 Jul 2024 |
|
01 Jul 2024 |
- |
|
03 Jun 2024 |
10 Jun 2024 |
|
08 Apr 2024 |
- |
|
17 Mar 2024 |
03 Apr 2024 |
|
30 Jan 2024 |
- |
|
08 Jan 2024 |
- |
|
20 Nov 2023 |
04 Dec 2023 |
|
23 Oct 2023 |
- |
|
14 Aug 2023 |
13 Sep 2023 |
|
12 Jul 2023 |
24 Jul 2023 |
|
01 Jun 2023 |
- |
|
23 Apr 2023 |
30 Apr 2023 |
|
07 Mar 2023 |
- |
ID |
Product |
Description |
---|---|---|
Take 90 Released on 12 November 2024 |
||
Take 90 - New Functionality
|
||
PRJ-56704, |
Security Management |
NEW: Added a new Management API command which displays API usage statistics - "api stats" . It can be run on the Security Management Server or Multi-Domain Security Management Server. For detailed usage instructions, run "api -h". |
PRJ-56818, |
VPN |
NEW: Local SCV settings can be customized by Security Gateway when creating a $FWDIR/conf/local.scv_<GW NAME> file, otherwise the settings fall back to the standard local.scv configuration. |
Take 90 - Improvements and Resolved Issues
|
||
PRJ-56248, PMTR-106894 |
SmartConsole |
UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Fix for Remote Access VPN and login to SmartConsole, Mobile Access and Identity Awareness Captive Portal. Refer to sk182516. |
PRJ-56177, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.61 to fix: CVE-2023-31122, CVE-2023-43622, CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573. |
PRJ-56882, |
Security Management |
UPDATE: JRE is updated from version 8.0_8.21 to version 8.0_8.26. |
PRJ-55661, |
Security Management |
UPDATE: The "set threat-exception" Management API command now includes the "protection-or-site" parameter. When specified, this parameter adds new values to the existing list of protections or sites, instead of overwriting the current entries. |
PRJ-56611, |
Logging |
UPDATE: Added a count of Session and Connection logs to the "cpstat" command output. |
PRJ-47655, |
Security Gateway |
UPDATE: Added ability to increase/decrease DNS cache table size. |
PRJ-51951, |
Security Gateway |
UPDATE: Added support for log rotation in the avi_del_tmp_files.elg files. Refer to sk113241. |
PRJ-56698 |
SD-WAN |
UPDATE: Improved the performance and scalability in SD-WAN Monitoring. |
PRJ-48031, |
Threat Emulation |
UPDATE: The maximum size for files uploaded to Threat Emulation can now be configured using the Threat Emulation API. Set the "max_api_request_data_size" attribute to specify the new limit. |
PRJ-49053, |
Identity Awareness |
UPDATE: Identity Collector OIDs for SNMP queries are now available in both $CPDIR/lib/snmp/chkpnt.mib and $FWDIR/conf/identity_server.cps locations. |
PRJ-57065, |
SecureXL |
UPDATE:
|
PRJ-56483, |
SecureXL |
UPDATE: Improved throughput of GRE tunnels configured on the ports of the 100G Acceleration Card. |
PRJ-57757, PRJ-58096, ODU-2107, ODU-2083 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 121 and Take 123 via self-updatable package. Refer to sk170314. |
PRJ-57327, |
Automatic Updates - HCP |
UPDATE: Added Update 19 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-57439, |
Automatic Updates - Threat Extraction |
UPDATE: Added Update 15 of Threat Extraction Engine. Refer to sk165832. |
PRJ-57705, |
Automatic Updates - CPView |
UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-57709, |
Automatic Updates - CPView |
UPDATE: Added Take 40 of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-56509, |
Security Management |
In some scenarios, the Security Management Server upgrade fails with "creating default objects and restarting services" during the import phase.
|
PRJ-56165, |
Security Management |
In some scenarios, the "set-exception-group applied-threat-rules.position" Management API command may add the exception group to an incorrect position. |
PRJ-53260, |
Security Management |
When exporting a policy to a CSV file, the process fails silently if any rule within the policy has a name or comment in UID format. No clear error message is provided to indicate the cause of the failure. |
PRJ-56614, |
Security Management |
An administrator whose authentication method was changed from "Check Point Password" to a different method in R77.X can still log in using their original Check Point password. |
PRJ-50036, |
Security Management |
The "show-domains" Management API command may return partially deleted domains among the results. |
PRJ-55669, |
Security Management |
Adding a host object to a network group using the "set-host" Management API command may generate large redundant audit logs. |
PRJ-52760, |
Security Management |
Audit logs may not be generated when changes are made to an inline (shared) layer that appears multiple times within the same policy. |
PRJ-56763, |
Security Management |
SmartConsole may get disconnected when installing a policy on more than five hundred targets. |
PRJ-57073, |
Security Management |
In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file. |
PRJ-55832, |
Security Management |
Global Policy Reassignment may fail with an "An internal error has occurred" message when a custom IPS package is used or was previously used in the system. |
PRJ-54296, |
Security Management |
The Database Installation progress bar may not update during task execution. |
PRJ-56028, |
Security Management |
When exporting a policy to CSV with hitcount enabled, if the hitcount timeframe is set to anything other than "All", the "Hitcount" column in the CSV file may appear blank. |
PRJ-55690, |
Security Management |
Searching for a Data Center asset IP address in the policy may not return results. |
PRJ-52454, |
Security Management |
In some scenarios, Access Control policy verification is stuck at 40 percent. |
PRJ-46463, |
Security Management |
In some scenarios, policy installation using Management API with the "prepare-only" parameter set to "true" may fail with an "internal error" message. |
PRJ-46235, |
Security Management |
Changing the main URL of the UserCheck Portal using the "set simple-gateway" Management API command fails with "DNS failed to resolve the hostname: gateway name" Executed command failed. Changes are discarded". |
PRJ-54720, |
Security Management |
In rare scenarios, when Application Control blade is enabled, cloning a policy may fail due to timeout. |
PRJ-54659, |
Security Management |
Several Management API commands, such as "show-package" and "install-policy", may fail if running them after the deletion of a cluster member. |
PRJ-52757, |
Multi-Domain Security Management |
Enabling IPS on Multi-Domain Security Management Server may cause Threat Prevention policy installations to fail due to legacy IPS multi-profile incompatibility. |
PRJ-56541, |
Multi-Domain Security Management |
In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains. |
PRJ-55787, |
Multi-Domain Security Management |
Global Domain Assignment fails with an "Internal Error" message when performed on a Multi-Domain Security Management Server containing over 32,000 revisions. |
PRJ-55705, |
Multi-Domain Security Management |
In rare scenarios, objects are missing from the Gateways & Servers view on the Multi-Domain Security Management level. Refer to sk182641. |
PRJ-53994, |
Multi-Domain Security Management |
In some scenarios, Domain deletion may fail with a "delete domain failed: null" message. |
PRJ-55932, |
Multi-Domain Security Management |
In rare scenarios, login to a Domain from the System Domain in Smart Console fails with "Login to the Domain domainName failed. Try again, or connect directly to the Domain using its IP addressdomainIp". |
PRJ-56531, |
Multi-Domain Security Management |
The Multi-Domain Security Management Server experiences high CPU usage when communicating with the Multi-Domain Log Server. And the cpm.elg log prints the "You have reached the maximum number of active session" error. Refer to sk182738. |
PRJ-56712, |
Multi-Domain Security Management |
In some scenarios, cpmiquerybin core files may appear in /var/log/dump/usermode/ on the Security Management Server. |
PRJ-47879, |
SmartConsole |
The "show lsm-cluster" Management API command fails with a "Null Pointer exception: null" message if the "membersNetworkOverride" field is empty. |
PRJ-57309, |
SmartConsole |
SmartConsole fails to connect with "Unable to connect to server. Server is initializing". Refer to sk182507. |
PRJ-57421, |
SmartConsole |
In some scenarios, opening new tab in SmartConsole Logging & Monitoring tab fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732. |
PRJ-50432, |
Logging |
In rare scenarios, CPU consumption on the Security Management Server is high and logs are not displayed. |
PRJ-51694, |
Logging |
In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole. However, the new Log Exporter object is not actually generated. |
PRJ-56644, |
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit when the IPS / Application Control / Anti-Virus / Anti-Bot blade is active and the HyperFlow feature is enabled. |
PRJ-56732, |
Security Gateway |
The "asg monitor" command may show the Security Gateway in the "during upgrade" state although a major downgrade is complete. |
PRJ-54070, |
Security Gateway |
Changing the NAT settings of a host using the "set-host" Management API command succeeds but has no effect unless both the "ipv4-address" and "ipv6-address" parameters are set. |
PRJ-56701, |
Security Gateway |
Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725. |
PRJ-57351, |
Security Gateway |
When SecureXL User Mode (UPPAK) is enabled and using Passive/Active Streaming with QoS, the Security Gateway may incorrectly drop some traffic. |
PRJ-57254, |
Security Gateway |
In some scenarios, the Security Gateway does not free some packets causing a memory leak. |
PRJ-54119, |
Security Gateway |
In a rare scenario, the FWK process may exit when cluster connection synchronization fails. |
PRJ-56722, |
Security Gateway |
The Security Gateway may crash during large memory allocation operations in specific applications. |
PRJ-57371, |
Security Gateway |
When adding a new Virtual System, a CPD core dump file may be generated. |
PRJ-53810, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-58078, PMTR-109857 |
Security Gateway |
Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807. |
PRJ-57097, PRHF-36117 |
SD-WAN |
In a rare scenario, when SD-WAN transport is incorrectly marked as "UP" despite its underlying ISP interface is "DOWN", traffic fails to reach the remote peer because of incorrect routing decisions. |
PRJ-57115, |
Threat Prevention |
Threat Prevention policy installation may fail because of invalid JSON format in the IoC feed feature configuration file. Refer to sk181650. |
PRJ-57667, |
Threat Prevention |
The Threat Prevention policy installation may fail when installing from R81.20 SmartConsole on R80.x Security Gateway. |
PRJ-55888, |
Threat Prevention |
In some scenarios, when loading large IoC IP feeds, policy installation may fail with "Installation failed. Reason: Policy install commit function was unsuccessful due to timeout" because of a large IP addresses list. |
PRJ-55377, |
Threat Prevention |
In some scenarios, the TPD daemon may cause high CPU usage because of a large amount of logs. |
PRJ-56328, |
Threat Prevention |
In a rare scenario, the Security Gateway may crash during traffic inspection when holding a connection. |
PRJ-50243, |
Threat Prevention |
In a rare scenario, Anti-Bot and Anti-Virus packages may be seen as not updated in SmartConsole, even though the packages are updated. |
PRJ-57006, PRHF-35823 |
Threat Prevention |
In some scenarios, when Zero Phishing is enabled, kernel crash may occur. |
PRJ-53590, |
Identity Awareness |
In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Any groups beyond this limit are disregarded when determining user access roles. |
PRJ-56360, |
Application Control |
The fwk.elg file may be flooded with the "DNS_DATA_SOURCE failed on context 201, executing context 366 exception" messages. |
PRJ-54431, |
IPS |
In a rare scenario, when IPS is enabled and logging on a rule that involves IPS is enabled, physical memory usage may rapidly increase. |
PRJ-56624, PMTR-107215 |
IPS |
IPS may drop an IPv6 TCP local connection. |
PRJ-53833, |
Anti-Virus |
When Anti-Virus is enabled, in a rare scenario, a memory leak in the FWK process may occur on the Security Gateway. |
PRJ-56717, |
Anti-Virus |
High volumes of simultaneous requests for the same domain or URL may cause Anti-Virus blades to put excessive load on the RAD daemon, leading to increased latency. |
PRJ-56042, |
Anti-Virus |
In some scenarios, the Anti-Virus Blade logs on a VSX Gateway may display an incorrect origin IP address. |
PRJ-55984, PRHF-36838, PRHF-35476 |
Anti-Virus |
Anti-Virus may execute unnecessary load_sigs when loading external IoC feeds. |
PRJ-58112, PMTR-102962 |
ClusterXL |
VSX Cluster Members with VLAN interfaces change their cluster state to "Down" and "Active!" after installing the R81.20 Jumbo Hotfix Accumulator Take 89. Refer to sk182819. See the Important Notes section. |
PRJ-56599, |
SecureXL |
IPX traffic over the interface in Bridge Mode working in SecureXL User Mode (UPPAK) may be dropped. Refer to sk182623. |
PRJ-56480, |
SecureXL |
In some scenarios, the VSX cluster can take extra time to boot up and activate the Virtual Systems. |
PRJ-57488, |
SecureXL |
When working with Jumbo Frames in SecureXL User Mode (UPPAK) on Quantum Force 9000 series appliances, incorrect memory allocation calculations may cause intermittent link failures. |
PRJ-57430, |
SecureXL |
When SecureXL User Mode (UPPAK) is enabled and running ESP traffic, packet loss may occur and the "fwconn_key_init_links failed" error is printed. Refer sk182775. |
PRJ-56828, |
SecureXL |
The USIM process may occur if CPView stats are collected during the "cpstop" operation for VSX. |
PRJ-57001, PRJ-57252, PRJ-57250, |
SecureXL |
In some scenarios, the Security Gateway may crash when SecureXL User Mode (UPPAK) is enabled. |
PRJ-57464, |
SecureXL |
In some scenarios during low TCP traffic, there is high CPU usage when SecureXL User Mode (UPPAK) is enabled. |
PRJ-57614, |
SecureXL |
The USIM process may unexpectedly exit when these parameters are enabled in the $PPKDIR/conf/simkern.conf file:
|
PRJ-56945, |
SecureXL |
The USIM process exits when attempting to delete an IP address from an empty deny list if that IP address exists in any other deny lists (including the regular deny list or those using IoC feeds). |
PRJ-56904, |
Routing |
The ROUTED daemon may exit with a core dump during a BGP or OSPF restart. |
PRJ-56525, |
Routing |
In a ClusterXL environment, a race condition may occur when BGP Graceful Restart is incorrectly configured. If the feature is enabled for some peers but not others, it may lead to permanent loss of network routes. |
PRJ-49210, |
VPN |
Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of medium path, Quality of Service (QoS) controls, and VPN. |
PRJ-52893, |
VPN |
The FWK process may exit when Monitor mode is enabled on one of the interfaces. |
PRJ-51351, |
VPN |
Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason. |
PRJ-50157, PMTR-93643 |
VPN |
When working with iOS devices, after establishing a VPN connection and subsequently disconnecting devices, the "vpn tu tlist" command may display an incorrect device connection status, indicating that a device is still connected. |
PRJ-55887, |
VSX |
Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment. |
PRJ-57814, |
VSX |
Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950. |
PRJ-56480, PMTR-107271 |
VSX |
In some scenarios, the VSX cluster can take extra time to boot up and activate the Virtual Systems. |
PRJ-52908, |
Gaia OS |
In some scenarios when MDPS is enabled, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth7 instead" message appears in /var/log/messages. |
PRJ-54462, |
Gaia OS |
Traffic from a Host behind a Virtual System in a VSX Cluster / Scalable Platform Security Group in the VSX mode does not reach the destination. Refer to sk180441. |
PRJ-55374, |
Gaia OS |
Running the "snmpwalk" command on OID .1.3.6.1.4.1.2620.1.6.23 causes snmpwalk on OID 1.3.6.1.4.1.2620.1.6.7.6.1 to show wrong output. Refer to sk182315. |
PRJ-55306, |
Gaia OS |
The "cpviewd: unable to read from gpio_nuvoton driver module. snmpd: unable to read from gpio_nuvoton driver module" messages may be printed in /var/log/messages. |
PRJ-56121, |
Gaia OS |
The "Unable to connect to the server, Press OK to reconnect" error is displayed when opening the Network Interfaces tab in the Gaia Portal. Refer to sk182560. |
PRJ-56054, |
Gaia OS |
Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds. |
PRJ-56874, |
Harmony Endpoint |
During patch deployment in Posture Management, attempting to patch multiple systems for a specific application using the "Group By Application" option fails with the "Failed to Start Patching Process" error. |
PRJ-57132, |
Harmony Endpoint |
The $UEPMDIR/engine/uepm-jms-data directory size can increase because queued requests get accumulated on the Server. |
PRJ-55684, |
Smart-1 Cloud |
When creating multiple Interoperable Devices with dynamic IP addresses, the duplicate IP addresses may be assigned to Interoperable Devices. Refer to sk181834. |
PRJ-44697, |
Scalable Platforms |
When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only. |
PRJ-56368, |
Scalable Platforms |
The VSX Gateway may cause traffic interruption when SecureXL User Mode (UPPAK) is enabled on systems with multiple physical interfaces. |
PRJ-56969, |
Scalable Platforms |
After upgrade on Quantum Maestro and Scalable Chassis, when working in SecureXL User Mode (UPPAK), policy installation may fail. |
PRJ-55429, |
Scalable Platforms |
Disabling the Maestro Fastforward feature may result in an error. |
PRJ-48867, |
Scalable Platforms |
Using Image Cloning when the same VMAC feature is enabled may cause a boot loop. |
PRJ-46194, |
Scalable Platforms |
In a Maestro environment, when MDPS is enabled, the "asg if --diag" command reports the "no files matched glob pattern "/sys/class/net/BPEth*/operstate" error. |
PRJ-56460 |
IoT Protect |
Nano-Agent may not run in a Multi-Domain Security Management environment after using the "mdsstop ; mdsstart" command. |
Take 89 Released on 06 October 2024 and declared as Recommended on 28 October 2024 |
||
Take 89 - New Functionality
|
||
PRJ-55547, |
SmartProvisioning |
NEW: Added a new "show-statuses" boolean parameter to the "show lsm-gateway" and "show lsm-cluster" Management API commands. When set to "true", this parameter displays the Security Policy and Provisioning Settings statuses for the LSM Security Gateway or Cluster. |
PRJ-53065, |
Identity Awareness |
NEW: This upgrade introduces three important SAML Authentication enhancements:
Administrators gain more control over security policies, while the system becomes more adaptable to various high-security environments and Identity Provider requirements. |
PRJ-56237, MBS-17283 |
Scalable Platforms |
NEW: Added support for these features in Maestro Security Groups:
Applies only to these appliance models:
|
Take 89 - Improvements and Resolved Issues
|
||
PRJ-52882 |
SD-WAN |
UPDATE: When Security Management disconnects from the cloud via the Infinity Services tab in SmartConsole, agents now automatically disconnect as well. Refer to sk180557. |
PRJ-54683, |
Mobile Access |
UPDATE: Resolved CVE-2024-31497. The Putty version used in the Mobile Access Portal Embedded SSL Network Extender application is upgraded from version 0.80 to version 0.81. |
PRJ-56336, |
Gaia OS |
UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks for Gaia Portal and Gaia Clish. Refer to sk182516. |
PRJ-54420, |
Security Management |
UPDATE: Policy installation duration with hundreds of layers is improved by approximately 30%. |
PRJ-50774, |
Logging |
UPDATE: Port 8211 now accepts connections with the cipher ECDHE_RSA_AES_256_GCM_SHA384. |
PRJ-54499, |
Security Gateway |
UPDATE: Optimized the Generic Data Center JSON file processing on the Security Gateways to improve performance when handling large numbers of IP ranges. |
PRJ-54138, |
SSL Inspection |
UPDATE: Added a log for connections rejected because of short Server certificate public key size (RSA 1024 bits or less, ECDSA 256 bits or less). |
PRJ-55747, |
Threat Prevention |
UPDATE: Added the "trackSettings.forensics" parameter to the "threat-rule" Management API command to enable and disable the "forensics" option in the "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true". |
PRJ-52347, |
Scalable Platforms |
UPDATE: It is now possible to add more than fourteen members per site in a Single Site topology. |
PRJ-56681, PRJ-57027, PRJ-57263, ODU-2035, ODU-2019, ODU-1955 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 118, Take 119, Take 120 via self-updatable package. Refer to sk170314. |
PRJ-51503, |
Security Management |
In rare scenarios, an upgrade of a Multi-Domain Security Management Server fails with "Cancelled due to a failure in other domain" in the upgrade report.
|
PRJ-56003, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit, creating a core dump file. |
PRJ-55934, |
Security Management |
In rare scenarios, login to SmartConsole fails with a timeout. |
PRJ-55332, |
Security Management |
If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance. |
PRJ-55447, |
Security Management |
If any single Data Center fails to register, the registration of all Data Center assets to the Security Management Server also fails. |
PRJ-55929, |
Security Management |
The Revisions Purge process may stall if initiated after restarting the Security Management Server or Multi-Domain Security Management Server because of remnants of a previously interrupted Revisions Purge operation. |
PRJ-56153, |
Security Management |
In rare scenarios, the Revisions tab in SmartConsole shows "Error retrieving results". |
PRJ-56212, |
Security Management |
The database size on the Secondary Management Server increases if dbedit is used without making or saving any changes. Refer to sk182519. |
PRJ-55798, |
Security Management |
SmartConsole may close during login because of repeated attempts to discard a non-existent work session. |
PRJ-55907, |
Security Management |
In rare scenarios, revert to a Database Revision may get stuck on 60% and eventually fail. |
PRJ-55444, |
Security Management |
Accelerated Policy installation may get stuck with the "Policy installation (queued)" status. |
PRJ-55335, |
Security Management |
In rare scenarios, login to SmartView web application using the Domain IP address or Domain name fails. |
PRJ-52058, |
Security Management |
In a Management High Availability environment, the Standby Security Management Server may not update the "Installation date" during policy installation on Security Gateways/Clusters. |
PRJ-54734, PRHF-33948 |
Security Management |
In rare scenarios, the CPD process may unexpectedly exit and create a core dump file. |
PRJ-57031, PRHF-30884 |
Security Management |
Log queries fail with the error "Problems have occurred during search" when Domain migration is in progress. This occurs specifically during the execution of "export-management" or "import-management" Management API commands. |
PRJ-54507, |
Multi-Domain Security Management |
Global Domain Assignment may fail with "Internal Error", if the assigned Domain is currently Active on a different Multi-Domain Security Management Server. |
PRJ-42135, |
CPView |
In a rare scenario, when running the CPView utility, the Security Gateway may crash. |
PRJ-54064, |
Logging |
In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file. |
PRJ-44900, |
Logging |
In rare scenarios, the Logs view may display unexpected blank lines or gaps in the chronological sequence of entries. |
PRJ-53219, |
Logging |
When adding a table widget to a SmartView report:
|
PRJ-46849, |
Logging |
RAD error messages may be printed to the fwk.elg file during cpstop:cpstart on the Security Gateway. The issue is cosmetic only. |
PRJ-50613, |
Logging |
The FWD process may exit and cause issues with opening packet capture files on remote members. |
PRJ-48772, |
Logging |
The "show logs" Management API command may show partial information for the fields with multiple values. |
PRJ-46890, |
Security Gateway |
Incorrect value in the "fwisusfw" register causes improper CPU affinity and dynamic balancing initialization in User Space Firewall mode after an upgrade. Refer to sk182004. |
PRJ-54415, |
Security Gateway |
In a VSX Cluster environment, the CPVIEWD daemon may cause a high CPU. |
PRJ-55579, |
Security Gateway |
A buffer overflow may occur in the HTTP flow, affecting the FWK process. |
PRJ-45951, |
Security Gateway |
During policy installation, Rule Base internal error drops may be shown in the SmartConsole logs. Logs related to "dynobjs" may be printed in Messages. |
PRJ-57108, PRHF-36116 |
Security Gateway |
Memory leak may occur in SecureXL templates. Refer to sk182648. See the Important Notes section. |
PRJ-55803, |
Security Gateway |
The Security Gateway may fail to resolve external Network Feeds whose URL contains a port number (such as "https://example.com:8080/feed.csv". Refer to sk182684. |
PRJ-52411, |
Security Gateway |
The PDPD process memory consumption may be high when using an Azure AD object. |
PRJ-53636, |
Security Gateway |
In a Maestro Security Group using VSX mode with diverse appliance models and active dynamic balancing, DSD pnotes may appear on member devices and cause a failover from an SMO member. This occurs when the default number of FWK instances on these members differs from the SMO default setting. |
PRJ-48105, |
Security Gateway |
Outages may occur when the FWD process exits or restarts and Security Group member goes down triggering Scalable Chassis failover. |
PRJ-53543, |
Threat Prevention |
In some scenarios, an external IoC may not be enforced on Sub-domains of a Domain that is listed in the feed. |
PRJ-56096, |
Threat Prevention |
SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other Threat Prevention products are disabled. |
PRJ-55989, |
Threat Prevention |
In a rare scenario, Threat Prevention policy installation may fail after an over-the-air (OTA) package update of TP_CONF_SERVICE. Refer to sk182572. |
PRJ-55763, PMTR-104381 |
Threat Prevention |
In rare scenarios, policy installation may fail after an upgrade of a VSX Gateway. |
PRJ-46349, |
Threat Emulation |
The ICAP client may send the file name under "Content-Disposition" in an unsupported format written as "filename*=" instead of "filename=", and the Threat Emulation blade does not process such files. |
PRJ-51492, |
Threat Emulation |
When using ICAP, filename handling occasionally fails. As a result, the Threat Emulation Blade may not be able to process this specific file. |
PRJ-51606, |
Identity Awareness |
In a rare scenario, the PDPD process on Security Gateway with configured Identity Broker may become unresponsive while processing identity updates. Refer to sk182635. |
PRJ-54326, |
Identity Awareness |
In rare scenarios, while handling new connection, the PDPD process can become unresponsive. Refer to sk182220. |
PRJ-55437, |
Application Control |
APPI tenant restriction may not function as expected when the application is not included in the policy or when no extended logging is enabled. |
PRJ-55460, |
URL Filtering |
In scenarios where there is a heavy load on the machine, the RAD queue can fill up and get clogged by unhandled requests, causing an outage and traffic disruption. |
PRJ-54192 PRHF-31001 |
Anti-Bot |
The Anti-Bot Blade may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494. |
PRJ-54445, |
Mobile Access |
HTTPS access to the Mobile Access Portal may be down. |
PRJ-56222, |
Mobile Access |
The "citrixStrictTicketEnforcement" parameter set in the configuration file may not work as expected. |
PRJ-55634, |
ClusterXL |
After modifying a bond, the Monitored VLANs may disappear. Refer to sk180724. |
PRJ-55955, |
SecureXL |
The Security Gateway may crash in Bridge mode or in Non-Bridge mode when the number of MAC addresses in its network interface card's table exceeds the hardware capacity limit. |
PRJ-56061, |
SecureXL |
When attempting to set a MAC address for a VXLAN interface using Clish, Clish displays a warning message and prevents the MAC address from being set. |
PRJ-56367, PRHF-35417 |
SecureXL |
After installation with Gaia Fast Deployment (Blink), SecureXL User Mode (UPPAK) becomes disabled. |
PRJ-56011, |
SecureXL |
In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures. |
PRJ-51111, |
SecureXL |
SYN Defender configuration in Inspection Settings on the Security Management Server may not be applied on Accelerated Policy installation. |
PRJ-56433, |
Routing |
Dynamic Routing outage in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation / uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556. |
PRJ-54408, |
Routing |
A multicast outage may occur after a failover triggered by incomplete processing of cluster synchronization messages. |
PRJ-53175, |
Routing |
Graceful Restart may end prematurely in OSPF NSSA areas. |
PRJ-53828, |
Routing |
A multicast outage may occur during failovers caused by interface flaps. |
PRJ-53315, |
VPN |
The "vpn tu tlist" command may take a long time to execute, depending on the number of disconnected tunnels. |
PRJ-50090, |
VPN |
By default, the VPN permanent tunnel is configured to use "tunnel test" instead of "DPD". This configuration may cause inaccurate permanent tunnel status reporting when connecting to third-party devices. |
PRJ-54547, |
VPN |
BGP peering over Route-based VPN may fail because Azure cluster members use their own IP address as source instead of the Virtual IP address, preventing proper routing protocol establishment. |
PRJ-56673, PRHF-35637 |
VSX |
Memory corruption occurs when a bond interface is configured, leading to a Security Gateway crash with a vmcore or a boot loop. |
PRJ-57426, PRHF-36390 |
Scalable Platforms |
In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connection going through a Site to Site VPN to a remote location, may be dropped with "First packet isn't SYN". See the Important Notes section. |
PRJ-53310, |
Scalable Platforms |
In Quantum Maestro/Scalable Chassis environments, when using the Threat Prevention Blade in the Security Group, the entitlement_status_collector_db.C files may be inconsistent between the Security Group Members. |
PRJ-51192, |
Scalable Platforms |
Security Group Member in a VSX environment is in a boot loop after creating a new Virtual System with a WRP interface. Refer to sk182476. |
PRJ-56115 |
IoT Protect |
After a Multi-Domain Security Management Server upgrade, the Domain configuration file iot-on-board.conf is not saved. |
Take 84 Released on 5 September 2024 and declared as Recommended on 18 September 2024 |
||
Take 84 - Improvements and Resolved Issues
|
||
PRJ-56890, PRHF-34283 |
Security Management |
See the Important Notes section. |
PRJ-56890, PRHF-34283 |
Logging |
Suspicious Activity Monitoring (SAM) rules may not be triggered after a Source Block automatic reaction is configured. |
PRJ-57070, SDWANGW-3025 |
SD-WAN |
When working in Firewall Kernel Space Mode (KSFW), SD-WAN policy installation may fail with “Failed to enforce new policy. Reason: Failed to lower support_fec flag(Return code: 10)”. |
PRJ-56932 |
CloudGuard Network |
After an upgrade, the incorrect status of the CloudGuard Controller is displayed in SmartConsole: "Error: 'CloudGuard Controller' is not responding. Verify that 'CloudGuard Controller' is installed on the gateway". Refer to sk182622. |
Take 79 Released on 19 August 2024 |
||
Take 79 - New Functionality
|
||
PRJ-53640, PMTR-102064 |
Security Management |
NEW: Added the ability to unset a persistent environment variable, using the "-u" flag for the override_server_setting.sh script introduced in sk165938. Upon execution, the specified property is now removed from the $MDS_FWDIR/conf/cpmEnvVars.conf file. |
PRJ-54715, |
Security Management |
NEW: Automatic refresh of SmartConsole views after Global Policy Assignment on a Multi-Domain Security Management Server. To enable this ability, refer to sk182307. |
PRJ-53464 |
SD-WAN |
NEW:
|
PRJ-53477, |
Scalable Platforms |
NEW: Added Generic Data Center support for Quantum Maestro environments. |
Take 79 - Improvements and Resolved Issues
|
||
PRJ-50857, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.58 to fix CVE-2023-31122 and CVE-2023-43622. |
PRJ-50924, PMTR-97400 |
Security Gateway |
UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL. |
PRJ-55316, |
Gaia OS |
UPDATE: A patch on top of OpenSSL 1.1.1w to fix CVE-2024-2511. Refer to sk182320. |
PRJ-56226, PMTR-106852 |
Gaia OS |
UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. Refer to sk182743. |
PRJ-54496, |
Security Management |
UPDATE: JRE is updated from version 8.0_8.10 to version 8.0_8.21. |
PRJ-50381, |
Security Management |
UPDATE: Various Web Portals on the Security Management Server (for example, Web SmartConsole, SmartView) no longer accept HTTPS connections to ports 443 and 19009 with specific TLS 1.2 ciphers. Refer to sk181879. |
PRJ-53605, |
Security Management |
UPDATE: Modified the content of the https://<ip_adress>/license_management/ page. |
PRJ-53954, |
Security Management |
UPDATE: Changed the hardware name "1570R Appliances" to "1570R/1575R Appliances" in the Security Gateway editor in SmartConsole and SmartProvisioning.
|
PRJ-52932, |
Security Management |
UPDATE: When deleting a Secondary Multi-Domain Security Management Server, SmartConsole now shows an "After MDS '<MDS name>' is deleted, you should delete the Secondary Domain Servers from the Domains and revoke their certificates" message. |
PRJ-52404, PMTR-99617 |
Security Management |
UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism. |
PRJ-52954, |
Logging |
UPDATE: Enhanced the Access Control log for "Accept" actions with initial matched layers of "IoT" or "Playblocks": The "Layer Name" field now shows the admin-configured layer, alongside Rule Name and Rule Number, allowing administrators to view their preferred match layer rather than defaulting to the first matched layer or inline rule. This change improves visibility into the specific security policy components responsible for accepting traffic. |
PRJ-55290, PMTR-104620 |
Security Gateway |
UPDATE: Optimized Hyperflow wake-up process on smaller appliances (up to 32 cores) now uses only two cores initially, reducing resource contention and improving stability during Elephant Flows. |
PRJ-55428, |
Security Gateway |
UPDATE: The severity of the debug message for cp_shmem huge page allocation failures is reduced. When huge pages are unavailable, the message now appears as a warning instead of an error. The system now falls back to using regular memory pages. |
PRJ-51989, |
Security Gateway |
UPDATE: The performance of the thread blocker feature (sk180437) is now improved and the feature is re-enabled. |
PRJ-47490, |
Security Gateway |
UPDATE: Implemented automatic purging of expired SIC certificates on Security Gateways to eliminate memory residues and prevent misuse. |
PRJ-54341, |
SSL Network Extender |
UPDATE: SSL Network Extender is updated to version 80008409. |
PRJ-53919, |
URL Filtering |
UPDATE: When URL Filtering operates in Background Mode and encounters an unclassified connection, instead of being approved automatically, such connection is now accepted or rejected based on Access Rule Base execution, and listed under the "unknown" category. |
PRJ-51532, |
Mobile Access |
UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices. |
PRJ-53587 |
Gaia OS |
UPDATE: The "show asset" and "show lom" commands now also display a sub-minor version of LOM firmware on the 9000/19000/29000 appliance lines. |
PRJ-54590, |
Gaia OS |
UPDATE: Extended the "allowed-client" setting to enforce IP restrictions for both password and SSH key authentication methods, providing more comprehensive access control. |
PRJ-54672, |
VoIP |
UPDATE: SIP over UDP requests and responses may be dispatched to different firewall instances when a single-direction rule is defined in the Rule Base, potentially causing returned SIP traffic to be dropped as an unknown connection. To address this, a new global parameter "sip_forward_if_needed" is introduced (disabled by default). When enabled, the Security Gateway forwards responses to the appropriate request instances. Refer to sk182667. |
PRJ-55719, |
VPN |
UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1". |
PRJ-53822, |
CloudGuard Network |
UPDATE: It is no longer necessary to run the $MDS_FWDIR/scripts/alignLicensesInDB.sh script (sk181500) after the import during Security Management Database migration. The script now runs automatically after the migration. |
PRJ-53101, |
Scalable Platforms |
UPDATE: Removed the ability to delete the "_lldp" internal user in Gaia OS to prevent traffic impact. Refer to sk182026. |
PRJ-56057, ODU-1923 |
Automatic Updates - HCP |
UPDATE: Added Update 18 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-55914, |
Automatic Updates - CPView |
UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-56193, ODU-1787 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 114 via self-updatable package. Refer to sk170314. |
PRJ-55917, |
Automatic Updates - CloudGuard Network |
UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-50936, |
Security Management |
SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.
|
PRJ-53454, |
Security Management |
Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".
|
PRJ-52045, |
Security Management |
In some scenarios, the Security Management Server upgrade to R81.20 fails with "java.lang.String incompatible with com.checkpoint.infrastructure.types.CPUUID" in the upgrade report. The issue occurs during the import of the User Data Domain.
|
PRJ-54005, |
Security Management |
In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".
|
PRJ-46788, PRHF-29046 |
Security Management |
In some scenarios, an upgrade of Security Management Server or Multi-Domain Security Management Server fails with the "Failed: upgrade of "DOMAIN_NAME". For more details see upgrade logs below" error in the upgrade report.
|
PRJ-52889, |
Security Management |
"Mapping of Data Center [xxxx] failed. Next mapping is in 300 seconds" errors in the CME logs show failed attempts to scan deleted data centers. |
PRJ-45161, |
Security Management |
In rare scenarios, login to the Security Management Server may fail with timeout and the FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-53771, |
Security Management |
In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running with "details-level full". |
PRJ-53507, |
Security Management |
After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and are unable to perform certain management tasks, such as enabling or disabling blades. |
PRJ-52434, |
Security Management |
When Global Domain Assignment fails with the "More than one object named 'XXX' exists" error, not all duplicate objects are listed. |
PRJ-53760, PRHF-32936 |
Security Management |
The "domains_tool -report" command may fail if more than sixteen host objects are defined as DNS Servers in the environment. |
PRJ-49241, |
Security Management |
In some scenarios, the SmartTask "Before login" trigger may be executed although there was no login operation. |
PRJ-52781, |
Security Management |
When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time. |
PRJ-49438, |
Security Management |
The UPDATE_INSPECT_FILES process of Upgrade Tools may exit with a core dump. |
PRJ-52019, |
Security Management |
Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled. |
PRJ-50844, |
Security Management |
Export of a list of objects from the Global Object Explorer fails with the "Export policy is not supported when rule name is in a format of UUID" error message. |
PRJ-51121, |
Security Management |
In rare scenarios, if a Star VPN Community object is created, publish operations may fail. |
PRJ-50755, |
Security Management |
Access to and from the Generic Data Center objects may not be enforced when MDPS configuration is enabled on the Security Gateway. |
PRJ-52915, |
Security Management |
Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected. |
PRJ-54066, |
Security Management |
In some scenarios, users may be disconnected from SmartConsole, and an FWM process core dump is generated. |
PRJ-53502, |
Security Management |
In some scenarios, SmartConsole may unexpectedly disconnect. |
PRJ-52518, |
Security Management |
In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages. |
PRJ-53895, |
Security Management |
In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually. |
PRJ-48937, |
Security Management |
The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set. |
PRJ-52778, |
Security Management |
Objects Explorer search fails with "Error retrieving results" when more than twenty thousand IP addresses match the search criteria. |
PRJ-49057, |
Security Management |
In rare scenarios, publishing a session in SmartConsole fails with the "got at least one duplicate UID in requested list, duplicates UIDs: [XXX]" error. |
PRJ-52850, |
Security Management |
Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-57031, PRHF-30884 |
Security Management |
Log queries fail with the error "Problems have occurred during search" when Domain migration is in progress. This occurs specifically during the execution of "export-management" or "import-management" Management API commands. |
PRJ-55523, |
Security Management |
In rare scenarios, the CPD process may exit with core dumps. |
PRJ-52346, |
Security Management |
In some scenarios, the PostgreSQL database fully utilizes disk space on the Standby Security Management Server. |
PRJ-53677, PMTR-98465 |
Security Management |
The Management API command "get-interfaces" may return subordinate physical interfaces of a bond interface. |
PRJ-51630, |
Multi-Domain Security Management |
In rare scenarios, login to a newly created Domain fails and the CPCA daemon has the "down" status. Refer to sk181798. |
PRJ-53552, |
Multi-Domain Security Management |
When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY". |
PRJ-52950, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, there may be synchronization timeout errors, and automatic revisions purge may fail. |
PRJ-55658, |
Multi-Domain Security Management |
In some scenarios, in a Multi-Domain Security Management environment, creating a Domain on a remote Multi-Domain Management Server may fail with "Check connectivity between Domain Servers IPs and initialize SIC manually" error. |
PRJ-54514, |
SmartConsole |
In rare scenarios, login to SmartConsole fails. |
PRJ-50695, |
Logging |
In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800. |
PRJ-54061, |
Logging |
In rare scenarios, empty log list may be displayed when selecting a log file to view in SmartConsole. |
PRJ-54238, |
Logging |
Log Exporter may unexpectedly exit when using a non-RSA certificate. |
PRJ-51276, |
Logging |
When adding a table widget to a SmartView report:
|
PRJ-51444, |
Logging |
The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB). |
PRJ-50794, |
Logging |
In SmartView, filtering logs by "event_type" may fail with the "Query failed" error. |
PRJ-51517, |
Logging |
Log searches for the same time period may return more results in SmartConsole compared to SmartView. |
PRJ-55512, |
Logging |
In some scenarios, the name of the Security Gateway is not shown in the title of the automatic reaction email, although it should be. |
PRJ-50262, |
Logging |
In SmartView, some countries are not displayed in the countries picker. |
PRJ-52941, PRHF-32194 |
Logging |
In the Logs view, the "TCP-other" and "UDP-other" services are displayed as generic service IDs, for example, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477". |
PRJ-54020, |
Logging |
In rare scenarios, Zero Phishing logs may disappear from the SmartConsole Logs view. |
PRJ-53451, |
Security Gateway |
Even if the interface is configured with an MTU higher than 1500, the maximal MTU over CPAS is limited to 1500. |
PRJ-53075, |
Security Gateway |
In some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID". |
PRJ-51970, |
Security Gateway |
The CPWD daemon does not restart automatically. |
PRJ-51480, PMTR-98475 |
Security Gateway |
The RAD process exits and creates a core file on the Security Gateway. |
PRJ-55423, PRJ-55422, PRHF-33730, PRJ-55424, PRHF-33912 |
Security Gateway |
In a multi-cloud networking environment (AWS GWLB and VMware NSX-T), the Security Gateway may crash due to memory corruption. |
PRJ-54526, |
Security Gateway |
In some scenarios, when SecureXL User Mode is enabled, the Security Gateway drops traffic after it was processed. |
PRJ-54628, |
Security Gateway |
In some scenarios, adding sequential IP addresses as MDPS task addresses may fail. |
PRJ-51049, |
Security Gateway |
In some scenarios, websites that use HTTP2 protocol do not load properly. |
PRJ-49902, |
Security Gateway |
Kernel Memory usage increases persistently each day on a Security Gateway/Security Group when CGNAT is enabled. Refer to sk182140. |
PRJ-54529, |
Security Gateway |
In some scenarios, the Security Gateway offloads connections to SecureXL in error when the initial route lookup could not find a route for it. |
PRJ-52774, |
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit. |
PRJ-52647, |
Internal CA |
CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released. CPCA closes the connection prematurely. |
PRJ-50701, |
Threat Prevention |
The Anti-Virus Blade fails to parse IoC feeds that contain IPv6 addresses. |
PRJ-48310, |
Threat Prevention |
In rare scenarios, when the Anti-Virus, Threat Extraction and Threat Emulation Blades are enabled, some connections that were on hold are dropped. |
PRJ-53201, |
Threat Prevention |
In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops. |
PRJ-51341, |
Identity Awareness |
In some scenarios, the PEPD process may consume a high CPU because of a high rate of identity propagation. Refer to sk182588. |
PRJ-46490, |
Identity Awareness |
Policy Enforcement Point (PEP) logs show a username after the user session is expired. Refer to sk181553. |
PRJ-53249, |
IPS |
A connectivity issue may happen when processing a specific HTTP2 traffic. |
PRJ-43104, |
DLP |
Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs. |
PRJ-53128, |
Anti-Virus |
The DLPU process may unexpectedly exit due to uninitialized memory when the Anti-Virus Blade scans files. Refer to sk182030. |
PRJ-55520, |
SSL Inspection |
In rare scenarios, when HTTPS Inspection is enabled, the FWK process may unexpectedly exit due to memory violation. |
PRJ-54641, |
Mobile Access |
The HTTPD process of the Mobile Access Portal may exit with a core dump file. |
PRJ-51154, |
Mobile Access |
Web Application names column width is too narrow to fit in the Mobile Access Portal. Refer to sk181774. |
PRJ-54324, PRHF-33620 |
ClusterXL |
In a rare scenario, the FWK process consistently exits causing failovers. Crashes may happen on both cluster members. |
PRJ-54170, |
ClusterXL |
In rare scenarios, in a cluster environment, the CPDiag tool may crash. |
PRJ-52896, |
ClusterXL |
In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error. |
PRJ-55307, |
SecureXL |
Potential kernel crash in MDPS configurations when modifying and re-adding slave interfaces to bonds in non-default virtual systems. |
PRJ-55493, |
SecureXL |
When SecureXL User Mode (UPPAK) is enabled, packets originating from the Security Gateway may not be fragmented properly. |
PRJ-53481, |
SecureXL |
In some scenarios, when QoS blade is enabled and SecureXL works in User Mode (UPPAK), Security Gateway may crash with the "invalid data" error. |
PRJ-55799, |
SecureXL |
When SecureXL User Mode (UPPAK) is enabled, in some scenarios, a VSX Security Gateway with many Virtual Systems may crash. |
PRJ-55566, |
SecureXL |
The USIM process may unexpectedly exit. |
PRJ-54331, |
SecureXL |
In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out. |
PRJ-54428, |
SecureXL |
In some scenarios, the VSX Security Gateway does not initialize the Virtual System correctly when connected to a Virtual Router or Virtual Switch. |
PRJ-54323, |
SecureXL |
In some scenarios, traffic with Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSX Security Gateway. |
PRJ-55958, |
SecureXL |
The duration of each "stop" and "start" API call for the LightSpeed Acceleration interfaces may take several seconds. Refer to sk182585. |
PRJ-54425, |
SecureXL |
In some scenarios, the VSX Security Gateway may fail to properly reroute traffic originating from a Virtual Switch. |
PRJ-55344, |
Routing |
OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks due to the omission of an "IP-Address" field in the grace LSA. |
PRJ-55399, |
Routing |
OSPFv3 NSSA may fail to re-originate Type 7 LSAs after an OSPFv3 process restart, disrupting proper route propagation. |
PRJ-54603, |
Routing |
Routing BFD sessions using IPv6 global addresses on single-hop interfaces fail to recover after the network interface is administratively disabled and re-enabled. |
PRJ-52671, |
Routing |
Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on". |
PRJ-55016, |
Gaia OS |
The "fw ctl affinity" command output shows interfaces with no multi-queue, while the "mq_mng -o" command shows that multi-queue is enabled on all interfaces. |
PRJ-53387, |
Gaia OS |
Gaia Portal operation mode options are not visible in the Editing Bond window. Refer to sk182432. |
PRJ-52416, PRHF-31929 |
Gaia OS |
SNMP query for OID 1.3.6.1.4.1.2620.1.6.7.5.1.5 (CPU utilization per CPU core) and the "cpstat os -f cpu" command may return an incorrect value. Refer to sk182447. |
PRJ-51020, |
VPN |
Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783. |
PRJ-55293, |
VPN |
Configuring a Large Scale VPN (LSV) with IPv6 and establishing a VPN tunnel may cause the FWK process to exit. |
PRJ-55488, |
VPN |
During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them. |
PRJ-52912, |
VPN |
SNMP queries show a different number of connected RA VPN users than what is shown in CPView and from CLI. RaUserState information is missing in the SNMP MIB file. |
PRJ-55986, |
VPN |
During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big". |
PRJ-53940, |
VPN |
After running the "vpn iked disable" command, the VPND daemon does not listen on the tunnel test port instead of IKED. |
PRJ-53715, |
VPN |
Tunnel testing fails after an upgrade. Refer to sk182267. |
PRJ-54548, PMTR-104230 |
Multi-Portal |
Under a special routing configuration, an active Cluster member may accept portal traffic (on TCP ports 80 and 443) destined to a Standby member IP address. |
PRJ-53118, |
VSX |
In a VSX Cluster with IPv6 enabled, after an upgrade, VS's without IPv6 address may fail to install the Access policy. |
PRJ-54598, |
VSX |
In rare scenarios, the CPD process of the default Virtual System on a VSX Gateway (VS0) gets stuck. |
PRJ-51993, PMTR-99136 |
Harmony Endpoint |
Upgrade failures may occur when the source server contains an existing am_top_infections_master view, as the upgrade process attempts to drop and recreate this view during the final stages of the Endpoint Server database schema update. |
PRJ-53555, |
CloudGuard Network |
Central License tool (vsec_lic_cli) unexpectedly removes Central Licenses from the default license pool on the Primary Multi-Domain Security Management Server in a High Availability (HA) environment. Refer to sk182483. |
PRJ-47808, |
CloudGuard Network |
In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state. |
PRJ-55862, |
Scalable Platforms |
When using MPDS routing separation and Maestro Dual site, the Log Server may get disconnected on a Standby site. |
PRJ-54335, |
Scalable Platforms |
When different Network Interface Card models are attached among Maestro Security Group members, it may trigger unnecessary reboots. |
PRJ-55461 |
Scalable Platforms |
When dynamic split is enabled, the system fails to update the "/tmp/mq_cores_list" file, causing "cores_verifier" and "asg perf" verifiers to display incorrect PPAK cores numbers. |
PRJ-54126, |
Scalable Platforms |
After changing the CoreXL configurations of a VS in SmartConsole, the dynamic split state switches to off until the "g_dynamic_split -r" command is performed. |
PRJ-53511, |
Scalable Platforms |
When running the "set user username force-password-change yes" command in gClish on Scalable Platforms, the new configuration may not be applied. |
PRJ-43739, |
Scalable Platforms |
The "distutil" script may take a long time to run in an environment with many VS's. |
PRJ-49848, |
Scalable Platforms |
Site to Site VPN traffic may be interrupted after installing policy with VSLS. |
PRJ-50626, |
Carrier Security |
|
Take 76 Released on 21 July 2024 and declared as Recommended on 31 July 2024 |
||
Take 76 - Improvements and Resolved Issues
|
||
PRJ-56150, PRHF-35183 |
Security Management |
When the Compliance Blade is enabled, the FWM process may unexpectedly exit and generate a core dump. Refer to sk182507. See the Important Notes section. |
PRJ-55940, PRHF-34652 |
Security Gateway |
The "up_fw_set_cphwd_template: up_manager_create_template_msg failed; fwhandle_pool_add: Table kbufs - All available pools exhausted" error may be printed in the fwk.elg file during a heavy traffic load. |
PRJ-55953, |
Security Gateway |
Security Gateway running in SecureXL User Mode (UPPAK) may crash during driver removal showing "m_free: mbuf doublefree" in the backtrace. See the Important Notes section. |
Take 70 Released on 1 July 2024 |
||
Take 70 - New Functionality
|
||
PRJ-51436, |
SSL Inspection |
NEW: Added ability to import PKCS#12 files using AES-256-CBC encryption with PBKDF2-HMAC-SHA-256. This enhancement is designed for use in multi-portal environments and HTTPS Inspection scenarios. |
PRJ-53699, |
Security Management |
NEW:
|
PRJ-50184, PRHF-29458 |
Threat Prevention |
NEW: This Jumbo Hotfix Accumulator Take introduces enhanced protection against zero-day attacks. It detects and blocks advanced malware variants by automatically analyzing and identifying communication patterns. The feature is disabled by default. Refer to sk181168. |
PRJ-42991 |
Identity Awareness |
NEW: Added Identity Cache Mode for Identity Sharing Protocols (disabled by default). Refer to sk181613. |
PRJ-52856, |
CloudGuard Network |
NEW: Added support for AWS Elastic Network Interfaces (ENIs). These ENIs can now be viewed and managed in SmartConsole, similar to how other supported Data Center objects are handled. The feature is disabled by default. Refer to R81.20 CloudGuard Controller Administration Guide > Supported Data Centers > CloudGuard Controller for Amazon Web Services (AWS). |
PRJ-48744, PMTR-94089 |
SmartConsole |
NEW: Added support for 3072 bits key size in IKE certificates. To use 3072 bits key size, refer to "HTTPS Portals (Multi-Portal) Certificate, VPN Certificate" section in sk96591. |
Take 70 - Improvements and Resolved Issues
|
||
PRJ-49174, |
Security Management |
UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877. |
PRJ-52448, |
Security Management |
UPDATE: Added an ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033. |
PRJ-52065, |
SmartConsole |
UPDATE: The SmartConsole Change Report now highlights changes to the disable/enable state of rules more clearly. |
PRJ-53113, |
Security Management |
UPDATE: In the Change Report, updated some portions of the translated GUI. |
PRJ-48160 |
SmartView |
UPDATE: In SmartView Report, the Security Checkup tool now also provides the IoT data. |
PRJ-49861, PMTR-95625 |
CPView |
UPDATE: Added the "SecureXL" filter to the "cpview -m -f" command, which allows to extract to Skyline all the information related to SecureXL drops. Refer to the Skyline Metrics Repository. |
PRJ-51125, |
Security Gateway |
UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921. |
PRJ-51975, |
SSL Inspection |
UPDATE: If inspection logging is configured, the "Inspect" log now displays the negotiated ciphers and TLS version used for successful inspections, both between the client and the Security Gateway, and between the Security Gateway and the Server. |
PRJ-48389, PMTR-93901 |
Threat Prevention |
UPDATE: It is now possible to disable a custom field in the IoC feed configuration. Refer to Management API Reference. |
PRJ-52400, |
SecureXL |
UPDATE: The DOS/Rate Limiting feature can now run in SecureXL User Mode (UPPAK) environments without a Light Speed, allowing IoC Feeds that use it for enforcement to function properly. |
PRJ-53892, |
SecureXL |
UPDATE: The UPPAK start up script is changed to allocate additional memory buffers for handling Jumbo Frames based on Security Gateway configuration. |
PRJ-48177, |
Mobile Access |
UPDATE: jQuery UI is upgraded to version 1.13.2. |
PRJ-51701, |
Harmony Endpoint |
UPDATE: The audit event information when adding or removing Virtual Group members is now unified. The data includes the administrator name and device/user names for both actions. Previously:
|
PRJ-52863, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region. |
PRJ-51248, |
CloudGuard Network |
UPDATE: The AWS Security Group Data Center object name now includes both the name tag and Security Group name, formatted as "ID <Name tag> <Security Group name>". Previously, only the name tag was included, with the format "ID <Name tag>". This change to include the Security Group name can be enabled by adding the setting "aws.supportSearchGroupName=true" in the vsec.conf file. |
PRJ-53526, |
Gaia OS |
UPDATE: Added Multi-Queue support for Microsoft Azure Network Adapter (MANA) accelerated network interfaces. |
PRJ-50751, PMTR-96420 |
Infrastructure |
UPDATE: Added Python 3.11.4. |
PRJ-54099, PRJ-54459, PRJ-55301, PRJ-55687, ODU-1779, ODU-1755, ODU-1731, ODU-1667 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 100, Take 102, Take 104 and Take 111 via self-updatable package. Refer to sk170314. |
PRJ-54688, ODU-1707 |
Automatic Updates - CPView |
UPDATE: Added Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-54173, ODU-1683 |
Automatic Updates - CPSDC |
UPDATE: Added Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-54177, PRJ-55582, ODU-1803, ODU-1659 |
Automatic Updates - HCP |
UPDATE: Added Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53341, PRHF-32639 |
Security Management |
When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string&CURRENTVERCMP" error. |
PRJ-50767, |
Security Management |
In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed. |
PRJ-51619, |
Security Management |
Deleting a domain may fail when using the createDomainRecovery.sh script. |
PRJ-50593, |
Security Management |
High Availability synchronization runs after every scheduled Application Control update, even if the Application Control is up to date. |
PRJ-51596, |
Security Management |
In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822. |
PRJ-52817, |
Security Management |
If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report. |
PRJ-49362, |
Security Management |
There may be synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Server when a newly created local administrator on the backup Security Management Server makes changes to rules or objects, after the Active role is switched to that Security Management Server. |
PRJ-50019, |
Security Management |
It may not be possible to add/set a Threat Prevention Exception with a protection-or-site UID. |
PRJ-53349, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file. |
PRJ-50999, |
Security Management |
Install Policy Presets may fail after purging all revisions. Refer to sk181652. |
PRJ-52012, |
Security Management |
In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886". sk178886 describes a different scenario and does not resolve the issue. |
PRJ-54095, |
Security Management |
In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-53731, |
Security Management |
Changes Report may allow to list certain directory contents. |
PRJ-55502, PRHF-34248 |
Security Management |
A memory leak may occur in the FWM process which leads to SmartConsole connection failures. |
PRJ-49583, |
Security Management |
In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted. |
PRJ-51507, |
Security Management |
The on-premises Security Management Server fails to connect to Infinity Portal when this Server has a proxy configured. |
PRJ-53472, |
Security Management |
In Multi-Domain Security Management environments, High Availability synchronization issues may arise after making and publishing changes through the SmartTasks feature in SmartConsole for a local Domain. |
PRJ-52825, PMTR-100459 |
Security Management |
On the Security Management Server, a CPD zombie process may be created. |
PRJ-51633, |
Security Management |
In rare scenarios, after an upgrade or a Domain migration:
|
PRJ-51696, |
Security Management |
After a global assignment, when installing policy on several installation targets at once, the log may show an incorrect rule name. |
PRJ-51514, |
Security Management |
The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt. |
PRJ-51205, |
Security Management |
If all revisions were purged on the Security Management Server, the "show packages details-level full" Management API call may fail. |
PRJ-51543, |
Security Management |
Enabling automatic updates of Trusted CAs as described in sk173629 may fail. |
PRJ-50373, |
Security Management |
When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message. |
PRJ-41781, |
Security Management |
In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view. |
PRJ-52879, |
Security Management |
In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages. |
PRJ-52791, |
Security Management |
In rare scenarios, High Availability synchronization fails with "Peer is busy". |
PRJ-51677, |
Security Management |
Global Assignment fails with "Locked for editing by another administrator and need to be published or discarded before the operation can take place". Refer to sk181807. |
PRJ-49667, |
Security Management |
The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks. |
PRJ-51505, PMTR-98271 |
Security Management |
After a Multi-Domain Security Management upgrade to R81.20 version, some Infinity Portal Services may stop working. |
PRJ-51085, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments with over two hundred administrators, Domain creation may fail with "Timeout expired while waiting for permissions calculation". |
PRJ-51085, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments with over two hundred administrators, Domain creation may fail with "Timeout expired while waiting for permissions calculation". |
PRJ-48396, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred" |
PRJ-51272, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails. |
PRJ-52970, |
Multi-Domain Security Management |
The "cprlic get" command output may not provide correct information about vSEC licenses. |
PRJ-52578, PMTR-99856 |
Multi-Domain Security Management |
In some scenarios, during an upgrade of a Multi-Domain Security Management Server, the "created by" and "date created" fields of some rules may be displayed as "system" and "date of the upgrade".
|
PRJ-51570, PMTR-90798 |
SmartConsole |
SmartConsole slowness when adding applications to rules. Refer to sk182063. |
PRJ-53275, |
SmartProvisioning |
The "show-lsm-gateways" Management API command returns LSM cluster objects besides the LSM Security Gateways. |
PRJ-53227, |
SmartProvisioning |
The Management API command "set-lsm-gateway" with the "sic.ip-address" parameter may fail with "Establish SIC failed. Reset SIC on gateway and try again." when resetting SIC. |
PRJ-52721, |
Logging |
Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options. |
PRJ-51148, |
Logging |
When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677. |
PRJ-51327, |
Logging |
In rare scenarios, after an upgrade, the LOG_EXPORTER process may fail to send the log files to SIEM or to the cloud. |
PRJ-53938, |
Logging |
In Quantum Smart-1 Cloud environments, exporting more than five thousand logs to CSV may fail. |
PRJ-51430, |
Logging |
In some scenarios, in Multi-Domain Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied. |
PRJ-44795, |
Logging |
In rare scenarios, the FWD process on the Security Gateway may reach out of memory and produce a core dump file of around 3GB. |
PRJ-54108, |
Logging |
In rare scenarios, the LOG_EXPORTER process fails to send logs although marks them as sent. |
PRJ-49790, |
Logging |
The "cpstat -h log server ip ls -f logging" command fails when running it from Security Management. |
PRJ-51525, SDWANGW-2060 |
Logging |
SD-WAN log information may be missing from SmartConsole connection log when SecureXL Templates are used. |
PRJ-52679, |
Security Gateway |
Running GTP traffic may cause a crash on a Security Gateway without a GTP license. |
PRJ-52725, |
Security Gateway |
In some rare cases, the Dynamic Split functionality may be disabled on VSX Gateways with Hyperflow enabled. When checking the status of Dynamic Balancing, the "Initiating shut-down due to state mismatch detection (reason dmd_sleep_status)" message is printed in the logs under $FWDIR/log/dsd.elg. |
PRJ-50576, |
Security Gateway |
There may be log entries related to the drop optimization feature, although the dropped traffic matches a non-logging rule. |
PRJ-55412, PRHF-34173 |
Security Gateway |
The CPD process may unexpectedly exit and create a core dump. |
PRJ-52521, |
Security Gateway |
The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process. |
PRJ-47672, PRJ-47668, |
Security Gateway |
When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries. |
PRJ-52952, |
Security Gateway |
Traffic outages may occur because of high utilization of CPU cores that run CoreXL SND instances. Refer to sk181996. |
PRJ-53850, |
Security Gateway |
In some scenarios, when SecureXL works in the User Space (UPPAK) mode, the VSX Security Gateway cluster members are not able to send and receive CCP packets correctly through a Virtual Switch. |
PRJ-51439, |
Security Gateway |
A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart. |
PRJ-53628, |
Security Gateway |
A memory issue may occur in a cluster environment, when SIP inspection is enabled. |
PRJ-48817, |
Security Gateway |
After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found". |
PRJ-41754, |
Security Gateway |
Some debug messages may appear in the /var/log/messages file, although the debug mode is not activated. The issue is cosmetic only. |
PRJ-49046, |
Security Gateway |
In rare scenarios, a file downloaded via HTTP may be corrupted. |
PRJ-52421, |
Security Gateway |
Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object. |
PRJ-51460, |
Security Gateway |
When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:
|
PRJ-47664, |
Security Gateway |
Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages. |
PRJ-50757, |
Security Gateway |
In a rare scenario, because of a memory allocation issue, the Security Gateway may crash and reboot. |
PRJ-48263, |
Security Gateway |
Notifications of SecureXL connection deletion appear unfiltered in the debug output, also when using a debug filter. |
PRJ-51946, |
Security Gateway |
In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base. |
PRJ-51609, |
Security Gateway |
The ICAP Server may fail to initialize. |
PRJ-51039, PRHF-31146 |
Security Gateway |
The Security Gateway may crash during policy installation. |
PRJ-52796, |
Security Gateway |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router. |
PRJ-51528, |
Security Gateway |
Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are active. Refer to sk181793. |
PRJ-52564, |
Internal CA |
CRLs may not be recreated after cleaning expired certificates from the ICA database. |
PRJ-42871, |
Threat Prevention |
After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225. |
PRJ-53912, |
Threat Prevention |
SSH DPI may not work because of incorrect parsing of the client hello from a non-standard SSH client. |
PRJ-49031, |
Threat Prevention |
In a bond failover setup with the XOR bond mode, rapid toggling the port states causes the switch to display incorrect "connected" port statuses for both ports, despite one port being actually down, leading to a non-functioning bond interface. |
PRJ-53458, |
Threat Prevention |
Installation of Threat Prevention Policy fails with the error "No profile defined on GW <Name of Security Gateway Object>" in this scenario:
|
PRJ-53091, PMTR-98503 |
Threat Prevention |
The "ioc_feeds" CLI command with the "--transport local_directory" argument may fail to load feeds. |
PRJ-53404, PMTR-101787 |
Threat Prevention |
No feedback form appears when disabling the Zero Phishing Blade, although it should. |
PRJ-51335, |
Identity Awareness |
When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access. |
PRJ-49436, |
Identity Awareness |
In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers. |
PRJ-52371, |
Identity Awareness |
After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946. |
PRJ-52793, |
Identity Awareness |
In some scenarios, access roles using packet tagging are not calculated correctly for new sessions. Refer to sk182009. |
PRJ-50584, |
Identity Awareness |
During policy installation, users authenticated using the Captive Portal may get disconnected. |
PRJ-52873, |
Identity Awareness |
User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation. |
PRJ-50514, |
Identity Awareness |
In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration. |
PRJ-52541, |
IPS |
In a rare scenario, Security Gateway may drop client-to-server web browsing traffic. |
PRJ-50805, |
IPS |
There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade. |
PRJ-51183, |
Anti-Virus |
Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures. |
PRJ-53572, |
Anti-Virus |
In a rare scenario, the Security Gateway crashes due to memory corruption caused by the Anti-Virus blade. |
PRJ-53125, |
Anti-Virus |
The DLPU process may frequently exit with a core dump file. |
PRJ-52048, PRHF-31811 |
Mobile Access |
SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805. See the Important Notes section. |
PRJ-42809, |
ClusterXL |
Cluster members may crash, generating vmcores in /var/log/crash. |
PRJ-51588, |
ClusterXL |
The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster. |
PRJ-50117, |
ClusterXL |
In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also. |
PRJ-52799, |
SecureXL |
The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list. |
PRJ-44520, |
SecureXL |
Multicast packets received on an interface with PIM disabled can cause multicast packet drops on other interfaces by filling up the kernel routing queue. |
PRJ-52802, |
SecureXL |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch. |
PRJ-51210, PRHF-31259 |
SecureXL |
In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer. |
PRJ-50856, |
SecureXL |
There may be a delay in enforcing DOS/ Rate Limiting rules to drop packets when concurrent connection limits are exceeded. |
PRJ-51622, |
SecureXL |
In some scenarios, fragmented ICMP packets may bypass the DOS/ Rate limiting deny list. |
PRJ-52806, |
SecureXL |
In some scenarios when Route based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address. |
PRJ-54530, PRHF-33850 |
SecureXL |
Policy installation on a Security Gateway running with SecureXL User Mode (UPPAK) fails with the "2000240" or "2000267" error code. Refer to sk182272. |
PRJ-53479, |
SecureXL |
Entering Maintenance Mode during the boot process may result in disabling SecureXL User Mode (UPPAK). |
PRJ-52859, |
SecureXL |
In some scenarios, when SecureXL User Mode (UPPAK) is enabled, the Security Gateway crashes during boot up. |
PRJ-53253, |
SecureXL |
When SecureXL User Mode (UPPAK) is enabled, there may be some increased latency when sending cleartext traffic between a Virtual System and a Virtual Router. |
PRJ-53061, |
SecureXL |
During the deny list update process, there is a temporary gap where no IP addresses are blocked, allowing unwanted traffic to pass through the Security Gateway unfiltered. |
PRJ-52663, |
SecureXL |
DOS/Rate Limiting commands that require a change from default configuration are not allowed to run in SecureXL User Mode (UPPAK) . "ERROR: fwaccel_dos: DOS features are not supported for SecureXL User Space Mode with LightSpeed" is printed in the /var/log/messages file. |
PRJ-55396, PMTR-104268 |
SecureXL |
A race condition may occur in a large scale VSX Cluster environment and SecureXL User Mode (UPPAK) is enabled. |
PRJ-53856, |
Routing |
ROUTED process assert failure may take place when LSA from a neighbor's retransmission list is freed if that LSA belongs to the max age hold tree that is flooded at max age. |
PRJ-53172, |
Routing |
The ROUTED process may unexpectedly exit because of an OSPF assertion failure. |
PRJ-53054, ROUT-2968 |
Routing |
BGP peers may experience timeouts when these conditions occur simultaneously:
|
PRJ-52734, |
Routing |
In networks where multicast groups are manually configured through IGMP if only one membership report is received for a specific <S,G> pair and no further reports follow, it may cause outages. |
PRJ-52659, PRJ-52656, PRHF-31977 |
Routing |
Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated. |
PRJ-53057, |
Routing |
In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization. |
PRJ-51260, |
Routing |
It may not be possible to propagate a newly added static route through OSPF. |
PRJ-51983, |
Routing |
When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing. |
PRJ-53569, |
Routing |
In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor. |
PRJ-48210, |
VPN |
IKEv2 Remote Access stability issues. |
PRJ-47953, |
VPN |
Establishing an IKEv2 tunnel with Cross AZ Cluster may fail. |
PRJ-53384, |
VPN |
IPv6 non-VPN traffic may be dropped with "Clear text packet should be encrypted". |
PRJ-53178, |
VPN |
In a rare scenario, while connecting SNX client, the VPND process may exit. |
PRJ-52830, |
VPN |
In a rare scenario, in a Maestro environment, the first packet of the VPN tunnel is lost or has a large delay. |
PRJ-52514, |
VPN |
In Cross-AZ clusters, when using probing-based link selection for High Availability and Load Sharing, there may be a potential VPN traffic outage. Refer to sk181909. |
PRJ-54241, PMTR-103618 |
VPN |
In a VPN Community with a configuration involving two Security Gateways (a Center Cluster and a Satellite Security Gateway) with IPv6 external and internal interfaces, when attempting to establish a Link Selection Star community between them, the VPN process may unexpectedly exit due to repetitive IKE core crashes on one of the Security Gateways while the other Security Gateway tries to establish a tunnel, resulting in connectivity issues. |
PRJ-52949, |
VPN |
When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues. |
PRJ-44265, |
VPN |
The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic. |
PRJ-51297, PMTR-97905 |
VSX |
When adding a new Virtual System, a CPD core dump file may be generated. |
PRJ-52509, |
Gaia OS |
When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file. |
PRJ-52724, |
Gaia OS |
The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922. |
PRJ-53486, |
Gaia OS |
Some valid interfaces may not be available with running the "set lldp interface" command. |
PRJ-53195, |
Gaia OS |
In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory. |
PRJ-52886, |
Gaia OS |
Disabling a bond with one interface from WebUI may fail. |
PRJ-54180, |
Gaia OS |
Removing unused built-in user called "cp_ender" that may appear in Gaia OS after an upgrade. Refer to sk182185. |
PRJ-51441, |
Harmony Endpoint |
Clients may not be assigned to default groups after adding a device to the AD Server. |
PRJ-50572, |
Harmony Endpoint |
In an on-premises environment, large Active Directory groups with more than 1500 members appear empty or have incomplete membership information. |
PRJ-52129, |
Harmony Endpoint |
When attempting a one-time login for a migrated client in the Infinity Portal, the request fails with "400 error" caused by duplicate |
PRJ-51292, |
Harmony Endpoint |
In some scenarios, Unified Endpoint Policy Management (UEPM) database upgrade fails or takes a long time during the scripts stage. |
PRJ-51138, |
Harmony Endpoint |
When duplicate users with the same name and domain exist in the database or Active Directory, FDE Pre-boot authentication on LAN may fail, not able to identify the user attempting to log in. |
PRJ-53431, |
Harmony Endpoint |
SmartEndpoint creates an empty "Policy Report" CSV file. |
PRJ-50589, |
CloudGuard Network |
In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail. |
PRJ-50638, |
CloudGuard Network |
CloudGuard Controller synchronizes cloud object configurations with a noticeable latency, reflecting the updates made to those objects in the cloud environment after a significant time delay. |
PRJ-51302, |
Scalable Platforms |
When using NAT64 rules, Server to Client traffic may be dropped because of the "Out of state" error. |
PRJ-47396, |
Scalable Platforms |
Excessive CPU usage occurs on a Maestro Security Group because of exhaustion of available NAT ports when traffic is subjected to NAT and Layer 4 (L4) load distribution is enabled. Refer to sk181925. |
PRJ-53832, PMTR-73771 |
Scalable Platforms |
Before enabling MDPS, CoreXL Dynamic Balancing (sk164155) must be disabled. |
PRJ-52644, |
Scalable Platforms |
After a failover scenario, the "m site-id member-id" command requires reauthentication. |
PRJ-53083, |
Scalable Platforms |
Redundant "MHO_stateAgent[3230]: QuidAddon: System not ready yet - attempting to re-init" messages in the /var/log/messages file. |
PRJ-52883, |
Scalable Platforms |
When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are. |
PRJ-53622, |
Scalable Platforms |
The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members). |
PRJ-44133, |
Scalable Platforms |
Member state may flap between Active and Ready. |
PRJ-46223, |
Scalable Platforms |
During site failover, IPv6 traffic that goes through the Warp interface may be interrupted. |
PRJ-50827, |
Scalable Platforms |
In a rare scenario, file system corruption may lead to a failure identifying the Maestro Orchestrator hardware model during the Maestro Orchestrator OS boot process, causing the boot to fail. |
PRJ-44136, |
Scalable Platforms |
If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues. |
PRJ-46793, |
Scalable Platforms |
An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and therefore may differ between members. |
PRJ-52532, PMTR-99841 |
Scalable Platforms |
After dynamic routing manager failure and recovery, connections are dropped with a log message "TCP out of state: First packet isn't SYN". Refer to sk181874. |
PRJ-51186, PMTR-97932 |
Scalable Platforms |
In a rare scenario, when a Maestro Security Gateway is active again after a reboot, and LightSpeed is used, the LACP bond may drop incoming and outgoing packets. |
PRJ-55570, PMTR-105246 |
Scalable Platforms |
Traffic outage after policy installation on a Maestro Security Group in the VSX mode that works in the Dual Site configuration. Refer to sk182379. |
PRJ-55518, PMTR-105145 |
Scalable Platforms |
• On Quantum Maestro/Chassis or in ClusterXL, the Security Gateway may crash while processing a VPN/correction flow with a vmcore in /var/log/crash or FWK core in /var/log/dump/usermode/. • The "kernel: xxxxx: tx_timeout" error is printed in /var/log/messages. • PSL drops packets with "PSL Drop: psl_build_pslip failed” message, potentially impacting network performance and streaming capabilities. Refer to sk182463. See the Important Notes section. |
Take 65 Released on 03 June 2024 and declared as Recommended on 10 June 2024 |
||
Take 65 - Improvements and Resolved Issues
|
||
PRJ-55471, |
VPN |
UPDATE: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or lower, and not updated after the upgrade to R80.30, is blocked until the password is reset. Refer to sk182336. |
PRJ-54099, PRJ-54459, ODU-1731, ODU-1667 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 100 and Take 102 via self-updatable package. Refer to sk170314. |
PRJ-55496, |
VPN |
CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336. |
PRJ-55345, |
Threat Prevention |
The "Categorized HTTPS Sites" option does not classify specific websites when "TLS 1.3 hybridized Kyber support" is enabled in the browser. Refer to sk182318. |
PRJ-54611 |
ClusterXL |
During an upgrade from R80.40 to R81.20 in a cluster environment, connectivity to the new member may be lost. See the Important Notes section. |
PRJ-54482, |
Gaia OS |
Wrong interface names on the 9400 appliance after installing the R81.20 Jumbo Hotfix Accumulator Take 54. Refer to sk182265. See the Important Notes section. |
PRJ-55322, |
Gaia OS |
After installing R81.20 Jumbo Hotfix Take 54 on Quantum 3600/3600T/3800 appliances, CPView, WebUI, and the "show sysenv all" command in CLI display illegal values for fan speed. The issue is cosmetic only. Refer to sk182305. |
PRJ-53849, |
VPN |
After an update, if in VPN if configured with Permanent Tunnels enabled, RAM utilization may increase. |
PRJ-53184, PMTR-103617 |
Harmony Endpoint |
R81.20 Jumbo Hotfix Accumulator Take 43 (or higher) installation fails on the Endpoint Security Management Server with "Internal error in a hook script". Refer to sk182210. See the Important Notes section. |
Take 54 Released on 8 April 2024 |
||
Take 54 - New Functionality
|
||
PRJ-52942, PRJ-52484 |
Security Gateway |
NEW: This Jumbo Hotfix Take introduces support for new Quantum Force appliances 19100 / 9800 / 9700 / 9400 / 9300 / 9200 / 9100 appliances. Refer to sk181698 and to sk180520.
|
PRJ-49213, |
Security Gateway |
NEW: Added a new Expert mode command on the Security Gateway to revert the installed Access Control policy to one of the previous revisions: "policy_rev_tool <action> [args]". Refer to sk181437. |
PRJ-49827, ACCESS-799 |
Application Control |
NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol. This ability is enabled by default.
|
PRJ-53513, PRHF-30322 |
SecureXL |
NEW: It is now possible to configure additional TCP options in the Accelerated SYN Defender configuration file: cookie_mss_v4, cookie_mss_v6, cookie_sack_permitted, cookie_window_scale. Refer to R81.20 Performance Tuning Administration Guide. |
PRJ-47019, |
VPN |
NEW:Added support for a new tool (shell script) on a Management Server that can show and renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways and VSX Virtual Systems. Refer to sk182070. |
PRJ-50987, PMTR-95463 |
VPN |
NEW: Added ability to track RAM usage of the VPND process using the "cpstat" command in CLI. Refer to sk181815. |
Take 54 - Improvements and Resolved Issues
|
||
PRJ-50565, SDWANGW-1681 |
SD-WAN |
UPDATE: Added support for the AU (Australia) and IN (India) regions in Infinity Portal. |
PRJ-46069, SDWANM-822 |
SD-WAN |
UPDATE: SD-WAN Logs now appear in the dedicated SD-WAN log card in SmartView and SmartConsole. |
PRJ-48780, |
Security Management |
UPDATE: Added validation for new permissions to configure a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > the "Run the following script before deleting old files" option. |
PRJ-48124, |
Security Management |
UPDATE: Creating a Domain via Management API now allows the allocation of the Domain IP address from a predefined IP address range on the Multi-Domain Security Management Server. |
PRJ-48096, PMTR-77299 |
CPView |
UPDATE: CPView now shows statistical data also for servers with 256/512 CPU cores. |
PRJ-50429, PMTR-96484 |
Security Gateway |
UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions. |
PRJ-50741, PRHF-30794 |
Security Gateway |
UPDATE: Added an ability to configure objects for the HTTPS Inspection CA using labels.
|
PRJ-50977, |
Threat Extraction |
UPDATE: Added an option in ICAP Server for logging benign files scanned by the Anti-Virus Blade. By default, logging for benign files is disabled. To enable it, add to the ICAP Server configuration file this entry: "LogBenign on". |
PRJ-50500, |
Identity Awareness |
UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways. |
PRJ-46626, |
VPN |
UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server. |
PRJ-50915, |
Gaia OS |
UPDATE: When a Gaia OS Server has a Cloning Group feature enabled, it now accepts other Gaia OS Servers that join this Cloning Group over TLS1.2 or higher (over the TCP port 1129). |
PRJ-53022, ODU-1468 |
Automatic Updates - Security Management |
UPDATE: Added Update 2 of Server-Side Change Report Generator Release Updates. Refer to sk179508. |
PRJ-52628, PRJ-53586, ODU-1571, ODU-1392 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 94 and Take 97 through self-updatable package. Refer to sk170314. |
PRJ-52696, ODU-1408 |
Automatic Updates - Smart-1 Cloud |
UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-52820, |
Automatic Updates - CPView |
UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-52596, |
Automatic Updates - CPView |
UPDATE: Added Take 77 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-52587, PRJ-53541, ODU-1476, ODU-1460 |
Automatic Updates - Threat Prevention |
UPDATE: Added Update 23 and Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-52867, PRJ-53688, ODU-1595, |
Automatic Updates - HCP |
UPDATE: Added Update 15 and Update 16 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53397, PRJ-5368, ODU-1611, ODU-1563 |
Automatic Updates - CPSDC |
UPDATE: Added Take 31 and Take 33 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-50214, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters. |
PRJ-51089, |
Security Management |
In some scenarios, the change report sent via email by SmartTasks after publishing appears blank, even though there were modifications in the published session. |
PRJ-50047, |
Security Management |
In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete. |
PRJ-49953, |
Security Management |
Login to SmartConsole may fail while the Compliance Blade is running a full scan. |
PRJ-50797, PMTR-97183 |
Security Management |
When configuring an email address in SmartTasks, Top Level Domain (TLD) is limited to 3 characters, for example, ".com" |
PRJ-51068, |
Security Management |
In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time. |
PRJ-51279, |
Security Management |
When the value of the "asm_ips_cci" property is updated manually to a number higher than 500,000:
|
PRJ-50355, |
Security Management |
SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script. |
PRJ-50436, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-49944, |
Security Management |
In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object. |
PRJ-50405, PRHF-30796 |
Security Management |
In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to the "Install On" column in the Threat Prevention policy, no Security Gateway objects may appear. |
PRJ-50187, PRHF-30766 |
Security Management |
In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption". |
PRJ-45023, |
Security Management |
The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected. |
PRJ-50390, |
Security Management |
The $MDS_FWDIR/scripts/cpm_debug.sh script may fail with "The element type "Loggers" must be terminated by the matching end-tag "/Loggers"." |
PRJ-51074, |
Security Management |
Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID. |
PRJ-50851, |
Security Management |
Access Policy verification may fail when groups with exclusions are used in rules. |
PRJ-46935, |
SmartConsole |
Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status. |
PRJ-49345, |
Security Management |
SmartConsole may unexpectedly close after deleting an object in the Object Explorer view. |
PRJ-47691, |
Security Management |
In some scenarios, an upgrade may fail if a scheduled IPS update occurs simultaneously with the upgrade or domain migration. |
PRJ-48916, PRHF-29502 |
Security Management |
In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397. |
PRJ-50563, |
Security Management |
In environments with more than one hundred fifty administrators, SmartConsole may unexpectedly close when submitting changes for approval via Workflow. Refer to sk181649. |
PRJ-51134, PRHF-30631 |
Security Management |
Installing security policy with a rule that contains the "Internet" object in the destination column may fail with error message "Topology is not defined on the policy "Install On" target <cluster object name>", if the target cluster is marked as "Geo Mode in a Cloud". |
PRJ-50408, PRHF-30754 |
Security Management |
The Change Report generated before publishing a session, may contain internal system changes that were made by the user. |
PRJ-50580, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-51665, |
Web SmartConsole |
An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801. |
PRJ-48003, |
CPView |
Offload may fail in CPView with "ERROR! Reason not initialized". |
PRJ-44498, |
CPView |
In rare scenarios, CPView does not handle VS context correctly. |
PRJ-49974, |
CPView |
CPU statistics may be incorrect or missing in CPView. Refer to sk182286. |
PRJ-51064, PMTR-97643 |
CPUSE |
SmartConsole does not show all available packages for Security Gateways that run on the 15000 and 16000 Check Point appliances, even if these packages are located in the Package Repository on the Security Management Server. |
PRJ-47984, |
Logging |
Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only. |
PRJ-46288, |
Logging |
In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds". |
PRJ-48806, |
Logging |
Some attributes in SNMP MIB file may not be accessible. |
PRJ-49390, |
Logging |
In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field. |
PRJ-46207, |
Logging |
Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609. |
PRJ-48242, |
Logging |
The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706. |
PRJ-49499, |
Logging |
Duration of Log Sharing on-boarding or migration to Smart-1 Cloud may take a long time (up to two minutes). |
PRJ-53009, PRHF-32426 |
Logging |
The Syslog messages are not sent to the Security Management Server and cannot be seen in SmartLog if the Security Management Server IP address is not configured under the "Remote System Logging" section in the Gaia WebUI. |
PRJ-44687, |
Logging |
When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters. |
PRJ-45297, PRHF-26975 |
Logging |
In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331. |
PRJ-47316, |
Logging |
When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly. |
PRJ-49736, |
Logging |
In rare cases, the LOG_EXPORTER process exits and the CPWD process does not start it because of the "exit_code 0" error. |
PRJ-53337, PMTR-101195 |
Logging |
When the "IP Options drop" tracking Global Properties setting is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole. |
PRJ-52675, PRHF-32203 |
Security Gateway |
CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944. |
PRJ-47957, |
Security Gateway |
The CPVIEW_API_SERVICE process may exit with a timeout. |
PRJ-52114, |
Security Gateway |
Incorrect CPU statics may be shown in CPView when using Dynamic Split. |
PRJ-52471, PMTR-98658 |
Security Gateway |
CIFS traffic may cause CPU spikes in the FWK process. |
PRJ-50761, PRHF-31092 |
Security Gateway |
On Security Gateways with enabled Hyper Flow feature, during policy installation and re-offload process of the connections, accelerated connections may be interrupted. Refer to sk181671. |
PRJ-53051, PMTR-100847 |
Security Gateway |
Security Gateway does not pass traffic through an external interface when it is managed by Smart-1 Cloud, and SecureXL works in User Mode (UPPAK) mode. Refer to sk182016. |
PRJ-46203, |
Security Gateway |
In rare scenarios, updating the NTP Server may cause a temporary outage. |
PRJ-50314, PMTR-96671 |
Security Gateway |
In a large environment, updating policy with 20000 IP addresses may take up to eighteen minutes. When publishing such changes, Data Center updates are not sent to the Security Gateway. |
PRJ-50660, |
Security Gateway |
The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address. |
PRJ-50603, |
Security Gateway |
In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow. |
PRJ-49807, |
Security Gateway |
Enabling MDPS fails with the "clish: symbol lookup error: /usr/lib/cli/lib/libcli_mdps.so: undefined symbol: cp_is_usim" error. |
PRJ-50932, |
Security Gateway |
Multiple "fw_fna_hold_prepare: creating table" entries may be printed in /var/log/messages. The issue is cosmetic only. |
PRJ-48322, |
Security Gateway |
The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration. |
PRJ-53290 |
Security Gateway |
In rare scenarios, during active HTTP streaming, the FWK process may unexpectedly exit due to memory corruption. |
PRJ-50140, |
Security Gateway |
Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments. |
PRJ-47460, |
Threat Prevention |
In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash. |
PRJ-50050, |
Threat Prevention |
Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the " |
PRJ-46444, |
Threat Prevention |
Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension. |
PRJ-43530, PMTR-87666 |
Threat Prevention |
When configuring an IoC Feed in SmartConsole, the "Test Feed" action does not support Full High Availability clusters. |
PRJ-46597, |
Threat Extraction |
The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974. |
PRJ-51423, |
Identity Awareness |
In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network. |
PRJ-45136, PRHF-27966 |
Identity Awareness |
In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged. |
PRJ-45142, |
Identity Awareness |
A memory leak may occur in the PDPD process when storing new identities. |
PRJ-52495, PRHF-32042 |
Identity Awareness |
Setting custom configuration of PEP Identity Conciliation with the "Connect_Time" factor does not work as expected. |
PRJ-49534, |
Application Control |
In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured. |
PRJ-43457, |
Application Control |
When policy contains a white list, some packets may not match the listed applications. |
PRJ-49687, |
Application Control |
Anti-Spoofing drops packets that arrive at a Security Gateway through interfaces with Topology "External" if there are routes configured for internal interfaces that overlap with routes configured for external interfaces. Refer to sk181768. |
PRJ-42481, |
IPS |
Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types. |
PRJ-49298, |
Anti-Virus |
Anti-Virus fails to release held connections after the inspection. |
PRJ-50529, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash during inspection of file downloads. |
PRJ-49521, |
Anti-Virus |
The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile. |
PRJ-49793, |
SSL Inspection |
Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM). |
PRJ-45151, |
SSL Inspection |
When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text. |
PRJ-50870, |
ClusterXL |
The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue. |
PRJ-52731, PRHF-32237 |
ClusterXL |
When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status. |
PRJ-52498, PMTR-99746 |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade, full synchronization between the upgraded member and another member may not function correctly. This can cause an interruption of IPv6 traffic. |
PRJ-48414, |
ClusterXL |
In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem". |
PRJ-51136, |
SecureXL |
The Security Gateway may crash with vmcore during boot while upgrading. |
PRJ-48761, |
SecureXL |
The port beacon feature also known as interface discovery or port blinking may not work correctly in User Mode (UPPAK). |
PRJ-50546, |
SecureXL |
High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load. |
PRJ-50950, |
SecureXL |
In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch. |
PRJ-48284, |
SecureXL |
The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway. |
PRJ-50833, |
Routing |
The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios. |
PRJ-49579, |
Routing |
The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected. |
PRJ-51347, |
VSX |
High CPU usage on SND cores when many interfaces are configured. Refer to sk181860. |
PRJ-50176, |
VSX |
In some scenarios, installing policy via vsx_util may be stuck. |
PRJ-46143, |
Gaia OS |
Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content. |
PRJ-50487, |
Gaia OS |
SNMP query does not bring the CPUSE package information for a single OID (not a table). |
PRJ-48720, |
Gaia OS |
The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option. |
PRJ-50509, |
Gaia OS |
There may be some inconsistent syntax in the "comment" section for interface and static-route commands. |
PRJ-47177, |
Gaia OS |
When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration. |
PRJ-51220, |
Gaia OS |
Clish may deny access of a non-local RADIUS user. |
PRJ-50692, PMTR-96606 |
Gaia OS |
Link may not come up automatically in the 2-Port 40G/100G NIC, 4-Port 10G/25G NIC, and 10G/25G Sync Port. Refer to sk181487. |
PRJ-45116, |
Gaia OS |
Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that. |
PRJ-49218, |
VPN |
Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled. |
PRJ-49560, |
VPN |
When using the " |
PRJ-53729 |
CloudGuard Network |
AWS CloudGuard Security Gateway boots into "Sh-4.4" shell after in-place upgrade to R81.20 with Jumbo Hotfix Accumulator from Take 38 to Take 53. Refer to sk182112. See the Important Notes section. |
PRJ-50162, |
CloudGuard Network |
After installing this Take, after an out-of-memory event, the CloudGuard Controller will automatically restart with increased memory settings, and the "CloudGuard IaaS" log with the Description: "CloudGuard Controller is restarting with new memory settings" will be sent. |
PRJ-50161, |
Harmony Endpoint |
Due to a synchronization issue between the Policy Server and Primary Server, the Endpoint clients may be connected to the Primary Server instead of the Policy Server. |
PRJ-46991, |
VoIP |
In some scenarios, SIP TCP connections are dropped after a cluster failover. |
PRJ-47995, |
VoIP |
When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525. |
PRJ-49104, |
Scalable Platforms |
When creating a Security Group creation in Maestro Orchestrator WebUI, and the password contains the "(" "&" or ";"characters, the operation fails with "Failed to apply new topology" or with "Gaia Web-UI recognized a non-valid input data". |
PRJ-48724, |
Scalable Platforms |
When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only. |
PRJ-52079, |
Scalable Platforms |
The Maestro Fastforward feature cannot be enabled when there is a bond interface with an ID consisting of two or three digits. |
PRJ-50738, |
Scalable Platforms |
The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674. |
PRJ-46064, |
Scalable Platforms |
Querying SP Interface Data via SNMP may intermittently fail. |
PRJ-50747, |
Scalable Platforms |
Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data. |
PRJ-47762, |
Scalable Platforms |
Gaia Clish prompt does not appear after a TACACS user logs into a Maestro Security Group. Refer to sk181149. |
PRJ-50681, PRHF-30764 |
Scalable Platforms |
Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed. |
PRJ-48930, |
Scalable Platforms |
Connectivity issues may occur in a Maestro Security Group when VLAN encapsulation is disabled on Orchestrators in a Maestro Dual Site environment. Refer to sk181385. |
Take 53 Released on 17 March 2024 and declared as Recommended on 3 April 2024 |
||
PRJ-52910, PMTR-100960 |
Security Gateway |
The Security Gateway with 40 cores fails to boot in Kernel Mode Firewall. Refer to sk181989. See the Important Notes section. |
PRJ-53592 |
Security Gateway |
Security Gateway with Anti-Virus enabled may sporadically crash because of memory corruption. See the Important Notes section. |
PRJ-53367, PRHF-32706 |
VPN |
VPN IKEv2 negotiation with a third party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS by default offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log. See the Important Notes section. |
PRJ-52984, PMTR-99552 |
Scalable Platforms |
In a VSX environment, LACP Bond traffic may fail with the "incomplete ARP" error. See the Important Notes section. |
PRJ-53413, PRJ-53287 |
Scalable Platforms |
In a Maestro environment, after installing Jumbo Hotfix Accumulator and a reboot, members may intermittently go down due to MAC flapping. |
Take 45 Released on 30 January 2024 |
||
PRJ-52492, PMTR-99615 |
ClusterXL |
The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891. See the Important Notes section. |
PRJ-52559, PMTR-100084 |
Security Gateway |
When in the NAT Rule Base there are domain objects with uppercase letters, the NAT rules may not be matched. See the Important Notes section. |
Take 43 Released on 8 January 2024 |
||
PRJ-50012, PRJ-49119, PMTR-94679, |
Security Management |
NEW: Added support for Quantum Spark Appliances 1900/2000 for EA (Early Availability) customers. |
PRJ-48759, |
SD-WAN |
NEW: Added Quantum SD-WAN local breakout and VPN overlay support for Security Gateways with dynamic IP addresses. |
PRJ-47122, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-45065, |
Security Management |
UPDATE: Added support for scheduling automatic purges of the System Data domain. |
PRJ-46326 |
Security Management |
UPDATE: Added support for the VPN certificate alert feature for Quantum Spark Appliances R81.10.X. |
PRJ-47499, |
Security Management |
UPDATE: Added a new API version (1.9.1). Refer to Management API Reference. |
PRJ-52357, |
CPView |
UPDATE: Added Take 74 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-48300, |
SmartConsole |
UPDATE: Added a pop-up message explaining that it is not possible to add an exception to a Global Domain policy from a local Domain when clicking "add exception" in a Global rule.
|
PRJ-49364, |
Security Gateway |
UPDATE: Previously, in the "Hide NAT behind IP Address Range" feature, only the source IP address determined the Hide NAT IP address from the IP Address Range. It is now possible to configure the Security Gateway to select the Hide NAT IP address based on the combination of the source IP address and the source port. Refer to sk105302. |
PRJ-46317, |
Security Gateway |
UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log. |
PRJ-46558, |
Security Gateway |
UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632. |
PRJ-48447, |
Threat Prevention |
UPDATE: Improved the parser of Custom Intelligence feeds to support values written in "Camel case", where multiple words are combined without spaces, and each word begins with a capital letter. |
PRJ-51511, |
Threat Prevention |
UPDATE: Added Update 22 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-48139, |
Threat Prevention |
UPDATE: Re-enabled the deprecated feature of exporting/importing Custom Intelligence feeds. |
PRJ-43434, |
Threat Prevention |
UPDATE: It is now possible to add exceptions to external Custom Intelligence feeds. |
PRJ-47916, |
Anti-Virus |
UPDATE: Improved Anti-Virus caching mechanism to prevent generating malicious sub-domains in Background resource categorization mode. |
PRJ-49233, |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 80008407. |
PRJ-44244, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-46316, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members is now configured automatically. |
PRJ-45338, |
VPN |
UPDATE: Added SAML authentication support for Capsule Connect / Capsule VPN. |
PRJ-41132, |
VSX |
UPDATE: In VSX, removed the redundant option to change CoreXL mode from USFW to Kernel mode. |
PRJ-48109, |
VSX |
UPDATE: Changed the vsx push configuration log:
|
PRJ-50874, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements. |
PRJ-48011, |
Gaia OS |
UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically. |
PRJ-50198 |
Gaia OS |
UPDATE: Gaia API updates is now installed automatically through AutoUpdater. Refer to sk165653. |
PRJ-45237, |
Gaia OS |
UPDATE: SNMP traps for interfaces going up and going down now contains the interface name and description. |
PRJ-50604, |
Harmony Endpoint |
UPDATE: Posture Management (Vulnerability & Patch Management) is now supported. |
PRJ-45728, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-48082, |
CloudGuard Network |
UPDATE: Added support for Azure Scale sets with Flexible orchestration mode. |
PRJ-47189, |
CloudGuard Network |
UPDATE: Added the "namespace" label to pods in Kubernetes Data Center. |
PRJ-48098, |
CloudGuard Network |
UPDATE:
|
PRJ-48764 |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region |
PRJ-49997, |
CloudGuard Network |
UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823. |
PRJ-45772, |
Scalable Platforms |
UPDATE: Added the ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>". |
PRJ-48197, |
Scalable Platforms |
UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway. |
PRJ-47962, |
IoT |
UPDATE: Enabled new docker capabilities on IoT Gateways. |
PRJ-47170, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-48898, |
Security Management |
In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file. |
PRJ-46700, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-42640, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-42936, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-46004, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object. |
PRJ-46829, |
Security Management |
In some scenarios, the "Object is no longer available" validation warning appears for updatable objects. |
PRJ-45989, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-46014, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-45035, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-44988, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-47620, |
Security Management |
In rare scenarios, the /var/log/message file is filled with Clish login messages for the Admin user. |
PRJ-48865, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-45800, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-47043, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-47047, |
Security Management |
In rare scenarios, after an upgrade, the Security Management Server may fail to start. |
PRJ-47012, |
Security Management |
The "show-objects" Management API command with an "in" clause fails if the object name contains a period. For example, "show-objects in.1 <name> in.2 <ab.c>". |
PRJ-46656, |
Security Management |
When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes. |
PRJ-46732, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-41549, |
Security Management |
QoS policy cannot be installed if the policy package name contains a dot symbol. |
PRJ-48818, |
Security Management |
In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report. |
PRJ-47967, |
Security Management |
In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178. |
PRJ-48788, |
Security Management |
SmartConsole may unexpectedly close after clicking "Install Policy" while the Compliance blade is running a full scan. |
PRJ-49226, |
Security Management |
In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.
|
PRJ-48442, |
Security Management |
The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined. |
PRJ-45899, |
Security Management |
In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920. |
PRJ-44801, |
Security Management |
In rare scenarios, the update_inspect_files tool may unexpectedly exit with a core dump file. |
PRJ-48371, |
Security Management |
The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util. |
PRJ-45783, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-47259, PRJ-47236, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-43290, |
Security Management |
In rare scenarios:
|
PRJ-46783, |
Security Management |
In an environment with many Security Gateways, SmartConsole may unexpectedly close when selecting a policy package to install. |
PRJ-48201, |
Security Management |
Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole. |
PRJ-48038, |
Security Management |
An audit log may not be created after running Revert to Revision. |
PRJ-49371, |
Security Management |
In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460. |
PRJ-49196, |
Security Management |
In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated. |
PRJ-48382, |
Security Management |
In SmartConsole, export of policies with the "Hit count" column may get stuck. |
PRJ-48692, |
Security Management |
Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user. |
PRJ-46411, |
Security Management |
The Security Gateway may listen to the ports used by NAT. |
PRJ-50359, |
Security Management |
In multi-site environments, when using LDAP administrators configured on an external LDAP Server, logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status. |
PRJ-50817, |
Security Management |
In some scenarios, if a DAIP Gateway is registered to a VPN Community:
|
PRJ-49715, |
Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-48705, |
Security Management |
In some scenarios, in High Availability Security Management Server environments, there may be increase of the database on the Security Management Server. |
PRJ-49884, |
Security Management |
Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report. |
PRJ-48162, |
Security Management |
The "run-script - audit log" Management API program may fail and the audit log may be missing the "performed on" field. |
PRJ-42955, |
Security Management |
Application Control and IPS updates may take a long time. |
PRJ-45441, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-48795, PRJ-48796 |
Multi-Domain Security Management |
When connecting with SmartConsole to a Domain in a Multi-Domain Management environment, object pickers in Threat Prevention policy may not show available objects. |
PRJ-49480, |
Multi-Domain Management |
When viewing Subordinate CA objects in SmartConsole:
The fix requires installing SmartConsole R81.20 Build 651 (or higher). |
PRJ-47039, |