R81.20 Jumbo Hotfix Take 26

NEW: Compliance Blade is enhanced with 5 new Firewall Best Practices:

• FW174 - Check that there are no Access Control rules that contain "Any" in the "Source" column and contain "Accept" or "Ask" in the "Action" column.

• FW175 - Check that Access Control rules do not contain "Any" in "Destination", and "Accept" or "Ask" in "Action".

• FW176 - Check that Access Control rules do not contain "Any" in "Services and Applications", and "Accept" or "Ask" in "Action".

• FW177 - Check that there are no temporary Access Control rules (based on the "Name" column).

• FW178 - Check that there are no temporary Access Control rules (based on the "Comments" column).

NEW:

• Added support for 1595 Slim Ruggedized appliances.

• Added support for 1535 / 1555, 1575 / 1595 Quantum Spark Pro appliances.

NEW: Added support for multiple languages in the Change Report.

NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs .

For example:

• mgmt_cli add access-section layer "Network" position 1 name "New Section 1" tags mytag

• mgmt_cli add access-rule layer "Network" position 1 name "Rule 1" tags mytag

NEW: CloudGuard Controller for NSX-T

• Starting from NSX-T 4.0.0.x and higher, Manager Mode APIs are deprecated, it is recommended to use Policy Mode.

• Import NSX-T Tags (NSgroups and VMs) is now supported.

• Import NSX-T Virtual Machine objects is now supported.

Note: Importing Virtual Machines can be enabled only using Policy Mode APIs. When enabled, the amount of API requests toward the NSX-T manager increased.

UPDATE: A Security Management Server/Domain Management Server can now manage up to 500 Security Gateways/Cluster members, allowing concurrent policy installation on all Security Gateways/Cluster members at once.

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Ability to send packet capture on IPS / Anti-Bot silent protections to the research team to enhance the security.

UPDATE: Added support for IPv6 traffic synchronization in Multi-Version Clusters (MVC).

See the Important Notes section.

UPDATE:

• Zero Phishing now enforces license. Customers with NGTX (Next Generation Threat Emulation & Extraction) or customers that recently renewed NGTX should have no issues.

• Zero Phishing will stop working for customers who do not have a license.

UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427.

UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.20 Administration Guide > Configuration Parameters. This change prevents scenarios when CloudGuard Controller fails to connect to Cluster with MDPS enabled (sk180981).

UPDATE: Added Management Data Plane Separation (MDPS) support for Maestro Orchestrator and Chassis scalable platforms.

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514.

In the Accelerated Policy Installation flow, there is no validation for the scenarios when there are DAIP Security Gateways in the Destination column of the Access policy.

In some scenarios, running the Management API "delete-exception-group" fails if the exception group is automatically attached.

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

In the Object Explorer window in SmartConsole, the IP address column is sorted alphabetically, although it should be sorted in numerical order.

When adding/setting an access rule, setting certain fields to "Any" or "None" may fail because of case sensitivity.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

Excluding a network with anti-spoofing by name on the Security Gateway using the "set simple-gateway" Management API command fails with an "Anti spoofing: excluded network object must be defined." validation error message.

If an empty Network Group is linked in the source or destination fields of an Access Rule, policy verification may not generate an error. Instead, it may treat the empty group as if there is an "Any" object.

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

If the Security Management Server is behind NAT, remote Management API login fails.

In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses.

In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages.

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

SmartConsole may crash while checking for updates.

• Requires installing R81.20 SmartConsole Build 646.

In some scenarios, in SmartConsole, when clicking the picker to add Security Gateway to a Threat Prevention policy "Install On" column, no Security Gateway objects appear. Refer to sk180964.

In some scenarios, the task progress bar is missing during Jumbo installation from SmartConsole.

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

After an upgrade of the Security Management Server, the "cp_log_export show" command may return the "found an ambiguous value" error in the "export_log_position" field.

The Security Gateway may crash while inspecting non-HTTP traffic.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

In a Maestro environment where members are VSXs, connection over SSH or RDP from a host behind Maestro to a peer may be dropped.

Stack buffer overflow may occur in the FWGTP process.

The Security Gateway may crash after a failure in policy installation.

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

In some scenarios, the Security Gateway may crash.

On the Security Gateway with Management Data Plane Separation (MDPS) enabled:

• when adding a RADIUS Server from WebUI, a new MDPS task with the IP address of the Server may not be added,

• when deleting a RADIUS Server, the MDPS task may not be deleted.

Security Gateway may crash when running kernel debugs of the "UP" module.

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

In a rare scenario, policy installation may fail because of IoC observables overrides.

In a rare scenario, the PDPD process may unexpectedly exit during user authentication flow.

Some TLS1.3 applications without SNI do not match the rules.

In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic.

Importing a custom intelligence feed containing IP ranges may fail.

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

Mobile Access Security Gateway does not recognize Office 365 URL This can cause OAuth 2.0 authorization to fail, it may not be possible to view the mail.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

Asymmetric UDP traffic may be dropped with "First Packet isn´t Syn".

When running tcpdump on the Multi-Domain Security Server, an "error /bin/cp-tcpdump.sh: line 11: sxlmode: command not found" message is shown. The issue is cosmetic only.

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

A VRRP/VRRP6 interface may go into Master/Master state.

Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear.

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method.

The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation.

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

Appliance with a Dual Image installed cannot reboot after restoring to the factory default of a Dual Image. Refer to sk180331.

AWS Data Center mapping fails when an interface subnet is missing from the list of subnets.

In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

Querying the HW status via SNMP (OIDs .1.3.6.1.4.1.2620.1.6.7.*) or via the "cpstat os -f sensors" command may fail on Maestro Orchestrator.

Uninstalling Jumbo Hotfix Take 106/107 on Maestro Orchestrator (MHO) may cause an outage.

WRP interfaces cannot be used for Source / Destination in a specific Fast Forward rule.

The "set/show trace" command may fail in gClish.

Incorrect parsing of GTP-U traffic may cause anti-spoofing drops.

Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506.