R81.20 Jumbo Hotfix Take 54

NEW: This Jumbo Hotfix Take introduces support for new Quantum Force appliances 19100 / 9800 / 9700 / 9400 / 9300 / 9200 / 9100 appliances. Refer to sk181698 and to sk180520.

• Requires installing SmartConsole R81.20 Build 653 or higher.

NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol.

This ability is enabled by default.

• To disable this ability, run: "fw ctl set int appi_drop_packet_enabled 0".

• To enable this ability, run: "fw ctl set int appi_drop_packet_enabled 1".

NEW: Added ability to track RAM usage of the VPND process using the "cpstat" command in CLI. Refer to sk181815.

UPDATE: Added support for the AU (Australia) and IN (India) regions in Infinity Portal.

UPDATE: Added validation for new permissions to configure a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > the "Run the following script before deleting old files" option.

UPDATE: CPView now shows statistical data also for servers with 256/512 CPU cores.

UPDATE: Added an ability to configure objects for the HTTPS Inspection CA using labels.

• There are now handle-based and label-based configurations.

• Hardware Security Module in High Availability mode (HSM HA) now supports only the label-based configuration.

UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways.

UPDATE: When a Gaia OS Server has a Cloning Group feature enabled, it now accepts other Gaia OS Servers that join this Cloning Group over TLS1.2 or higher (over the TCP port 1129).

UPDATE: New features and improvements are released in Take 94 and Take 97 through self-updatable package. Refer to sk170314.

UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521.

UPDATE: Added Update 23 and Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added Take 31 and Take 33 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

In some scenarios, the change report sent via email by SmartTasks after publishing appears blank, even though there were modifications in the published session.

Login to SmartConsole may fail while the Compliance Blade is running a full scan.

In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time.

SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script.

In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object.

In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption".

The $MDS_FWDIR/scripts/cpm_debug.sh script may fail with "The element type "Loggers" must be terminated by the matching end-tag "/Loggers"."

Access Policy verification may fail when groups with exclusions are used in rules.

SmartConsole may unexpectedly close after deleting an object in the Object Explorer view.

In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397.

Installing security policy with a rule that contains the "Internet" object in the destination column may fail with error message "Topology is not defined on the policy "Install On" target <cluster object name>", if the target cluster is marked as "Geo Mode in a Cloud".

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Offload may fail in CPView with "ERROR! Reason not initialized".

CPU statistics may be incorrect or missing in CPView.

Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only.

Some attributes in SNMP MIB file may not be accessible.

Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609.

Duration of Log Sharing on-boarding or migration to Smart-1 Cloud may take a long time (up to two minutes).

When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters.

When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly.

When the "IP Options drop" tracking Global Properties setting is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole.

The CPVIEW_API_SERVICE process may exit with a timeout.

CIFS traffic may cause CPU spikes in the FWK process.

Security Gateway does not pass traffic through an external interface when it is managed by Smart-1 Cloud, and SecureXL works in User Mode (UPPAK) mode. Refer to sk182016.

In a large environment, updating policy with 20000 IP addresses may take up to eighteen minutes. When publishing such changes, Data Center updates are not sent to the Security Gateway.

In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow.

Multiple "fw_fna_hold_prepare: creating table" entries may be printed in /var/log/messages. The issue is cosmetic only.

In rare scenarios, during active HTTP streaming, the FWK process may unexpectedly exit due to memory corruption.

In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash.

Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension.

The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974.

In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged.

Setting custom configuration of PEP Identity Conciliation with the "Connect_Time" factor does not work as expected.

When policy contains a white list, some packets may not match the listed applications.

Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types.

In a rare scenario, the Security Gateway may crash during inspection of file downloads.

Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM).

The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue.

During a Multi-Version Cluster (MVC) upgrade, full synchronization between the upgraded member and another member may not function correctly. This can cause an interruption of IPv6 traffic.

The Security Gateway may crash with vmcore during boot while upgrading.

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway.

The CLI Parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only, the functionality works as expected.

In some scenarios, installing policy via vsx_util may be stuck.

SNMP query does not bring the CPUSE package information for a single OID (not a table).

There may be some inconsistent syntax in the "comment" section for interface and static-route commands.

Clish may deny access of a non-local RADIUS user.

Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that.

When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed.

After installing this Take, after an out-of-memory event, the CloudGuard Controller will automatically restart with increased memory settings, and the "CloudGuard IaaS" log with the Description: "CloudGuard Controller is restarting with new memory settings" will be sent.

In some scenarios, SIP TCP connections are dropped after a cluster failover.

When creating a Security Group creation in Maestro Orchestrator WebUI, and the password contains the "(" "&" or ";"characters, the operation fails with "Failed to apply new topology" or with "Gaia Web-UI recognized a non-valid input data".

The Maestro Fastforward feature cannot be enabled when there is a bond interface with an ID consisting of two or three digits.

Querying SP Interface Data via SNMP may intermittently fail.

Gaia Clish prompt does not appear after a TACACS user logs into a Maestro Security Group. Refer to sk181149.