R81.20 Jumbo Hotfix Take 54
Note - This Take contains all fixes from all earlier Takes.

Take 54 Released on 8 April 2024

Take 54 - New Functionality

| ID | Product | Description |
|---|---|---|
| PRJ-52942, PRJ-52484 | Security Gateway | NEW: This Jumbo Hotfix Take introduces support for the new Quantum Force 19100 / 9800 / 9700 / 9400 / 9300 / 9200 / 9100 appliances. Refer to sk181698 and to sk180520. |
| PRJ-49213 | Security Gateway | NEW: Added a new Expert mode command on the Security Gateway to revert the installed Access Control policy to one of the previous revisions: "policy_rev_tool <action> [args]". Refer to sk181437. |
| PRJ-49827, ACCESS-799 | Application Control | NEW: Added the ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop specific commands of the BACnet protocol while allowing its other commands. This ability is enabled by default. |
| PRJ-53513, PRHF-30322 | SecureXL | NEW: It is now possible to configure additional TCP options in the Accelerated SYN Defender configuration file: cookie_mss_v4, cookie_mss_v6, cookie_sack_permitted, cookie_window_scale. Refer to the R81.20 Performance Tuning Administration Guide. |
| PRJ-47019 | VPN | NEW: Added support for a new tool (shell script) on a Management Server that can show and renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways and VSX Virtual Systems. Refer to sk182070. |
| PRJ-50987, PMTR-95463 | VPN | NEW: Added the ability to track RAM usage of the VPND process using the "cpstat" command in the CLI. Refer to sk181815. |

Take 54 - Improvements and Resolved Issues

| ID | Product | Description |
|---|---|---|
| PRJ-50565, SDWANGW-1681 | SD-WAN | UPDATE: Added support for the AU (Australia) and IN (India) regions in Infinity Portal. |
| PRJ-46069, SDWANM-822 | SD-WAN | UPDATE: SD-WAN Logs now appear in the dedicated SD-WAN log card in SmartView and SmartConsole. |
| PRJ-48780 | Security Management | UPDATE: Added validation for new permissions to configure a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > the "Run the following script before deleting old files" option. |
| PRJ-48124 | Security Management | UPDATE: Creating a Domain via the Management API now allows the allocation of the Domain IP address from a predefined IP address range on the Multi-Domain Security Management Server. |
| PRJ-48096, PMTR-77299 | CPView | UPDATE: CPView now also shows statistical data for servers with 256/512 CPU cores. |
| PRJ-50429, PMTR-96484 | Security Gateway | UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in the certificate extensions. |
| PRJ-50741, PRHF-30794 | Security Gateway | UPDATE: Added the ability to configure objects for the HTTPS Inspection CA using labels. |
| PRJ-50977 | Threat Extraction | UPDATE: Added an option in the ICAP Server for logging benign files scanned by the Anti-Virus Blade. By default, logging for benign files is disabled. To enable it, add this entry to the ICAP Server configuration file: "LogBenign on". |
| PRJ-50500 | Identity Awareness | UPDATE: The identity synchronization from the Policy Decision Point (PDP) to the Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, which is especially beneficial in environments with a single PDP Security Gateway sharing identities with multiple PEP Security Gateways. |
| PRJ-46626 | VPN | UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server. |
| PRJ-50915 | Gaia OS | UPDATE: When a Gaia OS Server has the Cloning Group feature enabled, it now accepts other Gaia OS Servers joining this Cloning Group over TLS 1.2 or higher (over TCP port 1129). |
| PRJ-53022, ODU-1468 | Automatic Updates - Security Management | UPDATE: Added Update 2 of Server-Side Change Report Generator Release Updates. Refer to sk179508. |
| PRJ-52628, PRJ-53586, ODU-1571, ODU-1392 | Automatic Updates - Web SmartConsole | UPDATE: New features and improvements are released in Take 94 and Take 97 through a self-updatable package. Refer to sk170314. |
| PRJ-52696, ODU-1408 | Automatic Updates - Smart-1 Cloud | UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056. |
| PRJ-52820 | Automatic Updates - CPView | UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521. |
| PRJ-52596 | Automatic Updates - CPView | UPDATE: Added Take 77 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
| PRJ-52587, PRJ-53541, ODU-1476, ODU-1460 | Automatic Updates - Threat Prevention | UPDATE: Added Update 23 and Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
| PRJ-52867, PRJ-53688, ODU-1595 | Automatic Updates - HCP | UPDATE: Added Update 15 and Update 16 of HealthCheck Point (HCP) Release. Refer to sk171436. |
| PRJ-53397, PRJ-5368, ODU-1611, ODU-1563 | Automatic Updates - CPSDC | UPDATE: Added Take 31 and Take 33 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
| PRJ-50214 | Security Management | Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters. |
| PRJ-51089 | Security Management | In some scenarios, the change report sent via email by SmartTasks after publishing appears blank, even though there were modifications in the published session. |
| PRJ-50047 | Security Management | In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete. |
| PRJ-49953 | Security Management | Login to SmartConsole may fail while the Compliance Blade is running a full scan. |
| PRJ-50797, PMTR-97183 | Security Management | When configuring an email address in SmartTasks, the Top Level Domain (TLD) is limited to 3 characters, for example, ".com". |
| PRJ-51068 | Security Management | In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time. |
| PRJ-51279 | Security Management | When the value of the "asm_ips_cci" property is updated manually to a number higher than 500,000: |
| PRJ-50355 | Security Management | SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script. |
| PRJ-50436 | Security Management | The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
| PRJ-49944 | Security Management | In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object. |
| PRJ-50405, PRHF-30796 | Security Management | In some scenarios, in SmartConsole, when clicking the picker to add a Security Gateway to the "Install On" column in the Threat Prevention policy, no Security Gateway objects may appear. |
| PRJ-50187, PRHF-30766 | Security Management | In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption". |
| PRJ-45023 | Security Management | The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected. |
| PRJ-50390 | Security Management | The $MDS_FWDIR/scripts/cpm_debug.sh script may fail with "The element type "Loggers" must be terminated by the matching end-tag "/Loggers"." |
| PRJ-51074 | Security Management | Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID. |
| PRJ-50851 | Security Management | Access Policy verification may fail when groups with exclusions are used in rules. |
| PRJ-46935 | SmartConsole | Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status. |
| PRJ-49345 | Security Management | SmartConsole may unexpectedly close after deleting an object in the Object Explorer view. |
| PRJ-47691 | Security Management | In some scenarios, an upgrade may fail if a scheduled IPS update occurs simultaneously with the upgrade or domain migration. |
| PRJ-48916, PRHF-29502 | Security Management | In some scenarios, the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397. |
| PRJ-50563 | Security Management | In environments with more than one hundred fifty administrators, SmartConsole may unexpectedly close when submitting changes for approval via Workflow. Refer to sk181649. |
| PRJ-51134, PRHF-30631 | Security Management | Installing a security policy with a rule that contains the "Internet" object in the destination column may fail with the error message "Topology is not defined on the policy "Install On" target <cluster object name>" if the target cluster is marked as "Geo Mode in a Cloud". |
| PRJ-50408, PRHF-30754 | Security Management | The Change Report generated before publishing a session may contain internal system changes that were made by the user. |
| PRJ-50580 | Multi-Domain Security Management | In rare scenarios, in a Multi-Domain Security Management environment: |
| PRJ-51665 | Web SmartConsole | An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801. |
| PRJ-48003 | CPView | Offload may fail in CPView with "ERROR! Reason not initialized". |
| PRJ-44498 | CPView | In rare scenarios, CPView does not handle the VS context correctly. |
| PRJ-49974 | CPView | CPU statistics may be incorrect or missing in CPView. Refer to sk182286. |
| PRJ-51064, PMTR-97643 | CPUSE | SmartConsole does not show all available packages for Security Gateways that run on the 15000 and 16000 Check Point appliances, even if these packages are located in the Package Repository on the Security Management Server. |
| PRJ-47984 | Logging | Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only. |
| PRJ-46288 | Logging | In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds". |
| PRJ-48806 | Logging | Some attributes in the SNMP MIB file may not be accessible. |
| PRJ-49390 | Logging | In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field. |
| PRJ-46207 | Logging | The Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609. |
| PRJ-48242 | Logging | The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706. |
| PRJ-49499 | Logging | Log Sharing on-boarding or migration to Smart-1 Cloud may take a long time (up to two minutes). |
| PRJ-53009, PRHF-32426 | Logging | Syslog messages are not sent to the Security Management Server and cannot be seen in SmartLog if the Security Management Server IP address is not configured under the "Remote System Logging" section in the Gaia WebUI. |
| PRJ-44687 | Logging | When using Log Exporter to export logs to Splunk, a log entry in Splunk is split into separate lines if it contains the CRLF characters. |
| PRJ-45297, PRHF-26975 | Logging | In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331. |
| PRJ-47316 | Logging | When the active log file (for example, fw.log on the Security Gateway) is older than two days, the CPLogFilePrint utility does not print the log records correctly. |
| PRJ-49736 | Logging | In rare cases, the LOG_EXPORTER process exits and the CPWD process does not start it because of the "exit_code 0" error. |
| PRJ-53337, PMTR-101195 | Logging | When the "IP Options drop" tracking setting in Global Properties is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole. |
| PRJ-52675, PRHF-32203 | Security Gateway | CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944. |
| PRJ-47957 | Security Gateway | The CPVIEW_API_SERVICE process may exit with a timeout. |
| PRJ-52114 | Security Gateway | Incorrect CPU statistics may be shown in CPView when using Dynamic Split. |
| PRJ-52471, PMTR-98658 | Security Gateway | CIFS traffic may cause CPU spikes in the FWK process. |
| PRJ-50761, PRHF-31092 | Security Gateway | On Security Gateways with the Hyper Flow feature enabled, accelerated connections may be interrupted during policy installation and the connection re-offload process. Refer to sk181671. |
| PRJ-53051, PMTR-100847 | Security Gateway | The Security Gateway does not pass traffic through an external interface when it is managed by Smart-1 Cloud and SecureXL works in User Mode (UPPAK). Refer to sk182016. |
| PRJ-46203 | Security Gateway | In rare scenarios, updating the NTP Server may cause a temporary outage. |
| PRJ-50314, PMTR-96671 | Security Gateway | In a large environment, updating a policy with 20000 IP addresses may take up to eighteen minutes. When publishing such changes, Data Center updates are not sent to the Security Gateway. |
| PRJ-50660 | Security Gateway | The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address. |
| PRJ-50603 | Security Gateway | In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow. |
| PRJ-49807 | Security Gateway | Enabling MDPS fails with the "clish: symbol lookup error: /usr/lib/cli/lib/libcli_mdps.so: undefined symbol: cp_is_usim" error. |
| PRJ-50932 | Security Gateway | Multiple "fw_fna_hold_prepare: creating table" entries may be printed in /var/log/messages. The issue is cosmetic only. |
| PRJ-48322 | Security Gateway | The system may not automatically end or interrupt the RAD process if it takes longer than the specified timeout duration. |
| PRJ-53290 | Security Gateway | In rare scenarios, during active HTTP streaming, the FWK process may unexpectedly exit due to memory corruption. |
| PRJ-50140 | Security Gateway | Accounting information may not be displayed in logs for IPv6 Cluster VRRP environments. |
| PRJ-47460 | Threat Prevention | In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash. |
| PRJ-50050 | Threat Prevention | A Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the " |
| PRJ-46444 | Threat Prevention | Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the .pdf file extension. |
| PRJ-43530, PMTR-87666 | Threat Prevention | When configuring an IoC Feed in SmartConsole, the "Test Feed" action does not support Full High Availability clusters. |
| PRJ-46597 | Threat Extraction | The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974. |
| PRJ-51423 | Identity Awareness | In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network. |
| PRJ-45136, PRHF-27966 | Identity Awareness | In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged. |
| PRJ-45142 | Identity Awareness | A memory leak may occur in the PDPD process when storing new identities. |
| PRJ-52495, PRHF-32042 | Identity Awareness | Setting a custom configuration of PEP Identity Conciliation with the "Connect_Time" factor does not work as expected. |
| PRJ-49534 | Application Control | In some scenarios, the Application Control and URL Filtering scheduled updates may occur more frequently than configured. |
| PRJ-43457 | Application Control | When the policy contains a white list, some packets may not match the listed applications. |
| PRJ-49687 | Application Control | Anti-Spoofing drops packets that arrive at a Security Gateway through interfaces with Topology "External" if there are routes configured for internal interfaces that overlap with routes configured for external interfaces. Refer to sk181768. |
| PRJ-42481 | IPS | The Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types. |
| PRJ-49298 | Anti-Virus | Anti-Virus fails to release held connections after the inspection. |
| PRJ-50529 | Anti-Virus | In a rare scenario, the Security Gateway may crash during inspection of file downloads. |
| PRJ-49521 | Anti-Virus | The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile. |
| PRJ-49793 | SSL Inspection | Policy installation fails on the Security Gateway when using HTTPS Inspection with a Hardware Security Module (HSM). |
| PRJ-45151 | SSL Inspection | When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. However, in some scenarios, the log does not include this text. |
| PRJ-50870 | ClusterXL | The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue. |
| PRJ-52731, PRHF-32237 | ClusterXL | When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status. |
| PRJ-52498, PMTR-99746 | ClusterXL | During a Multi-Version Cluster (MVC) upgrade, full synchronization between the upgraded member and another member may not function correctly. This can cause an interruption of IPv6 traffic. |
| PRJ-48414 | ClusterXL | In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. The output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem". |
| PRJ-51136 | SecureXL | The Security Gateway may crash with a vmcore during boot while upgrading. |
| PRJ-48761 | SecureXL | The port beacon feature, also known as interface discovery or port blinking, may not work correctly in User Mode (UPPAK). |
| PRJ-50546 | SecureXL | High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load. |
| PRJ-50950 | SecureXL | In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch. |
| PRJ-48284 | SecureXL | The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway. |
| PRJ-50833 | Routing | The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios. |
| PRJ-49579 | Routing | The CLI parameters for the "netflow fwrule" command are displayed incorrectly: "set netflow fwrule ?" instead of "set netflow fwrule 0" or "set netflow fwrule 1". The issue is cosmetic only; the functionality works as expected. |
| PRJ-51347 | VSX | High CPU usage on SND cores when many interfaces are configured. Refer to sk181860. |
| PRJ-50176 | VSX | In some scenarios, installing policy via vsx_util may get stuck. |
| PRJ-46143 | Gaia OS | Taking a snapshot on the Security Management Server fails because of an error while copying the /boot/config/ content. |
| PRJ-50487 | Gaia OS | An SNMP query does not return the CPUSE package information for a single OID (not a table). |
| PRJ-48720 | Gaia OS | The "show configuration password-controls" command output does not print the "set password-controls deny-on-fail block-admin on" option. |
| PRJ-50509 | Gaia OS | There may be some inconsistent syntax in the "comment" section for interface and static-route commands. |
| PRJ-47177 | Gaia OS | When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration. |
| PRJ-51220 | Gaia OS | Clish may deny access to a non-local RADIUS user. |
| PRJ-50692, PMTR-96606 | Gaia OS | The link may not come up automatically in the 2-Port 40G/100G NIC, 4-Port 10G/25G NIC, and 10G/25G Sync Port. Refer to sk181487. |
| PRJ-45116 | Gaia OS | Lock database override may not work as expected when it is set via an Ansible playbook and another administrator connected over SSH before that. |
| PRJ-49218 | VPN | Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled. |
| PRJ-49560 | VPN | When using the " |
| PRJ-53729 | CloudGuard Network | An AWS CloudGuard Security Gateway boots into the "Sh-4.4" shell after an in-place upgrade to R81.20 with Jumbo Hotfix Accumulator from Take 38 to Take 53. Refer to sk182112. See the Important Notes section. |
| PRJ-50162 | CloudGuard Network | After installing this Take, following an out-of-memory event, the CloudGuard Controller automatically restarts with increased memory settings, and a "CloudGuard IaaS" log with the description "CloudGuard Controller is restarting with new memory settings" is sent. |
| PRJ-50161 | Harmony Endpoint | Due to a synchronization issue between the Policy Server and the Primary Server, Endpoint clients may be connected to the Primary Server instead of the Policy Server. |
| PRJ-46991 | VoIP | In some scenarios, SIP TCP connections are dropped after a cluster failover. |
| PRJ-47995 | VoIP | When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525. |
| PRJ-49104 | Scalable Platforms | When creating a Security Group in the Maestro Orchestrator WebUI and the password contains the "(", "&" or ";" characters, the operation fails with "Failed to apply new topology" or with "Gaia Web-UI recognized a non-valid input data". |
| PRJ-48724 | Scalable Platforms | When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only. |
| PRJ-52079 | Scalable Platforms | The Maestro Fastforward feature cannot be enabled when there is a bond interface with an ID consisting of two or three digits. |
| PRJ-50738 | Scalable Platforms | The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674. |
| PRJ-46064 | Scalable Platforms | Querying SP Interface Data via SNMP may intermittently fail. |
| PRJ-50747 | Scalable Platforms | Performance data collected from all members, including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to differ from the asg perf tool data. |
| PRJ-47762 | Scalable Platforms | The Gaia Clish prompt does not appear after a TACACS user logs into a Maestro Security Group. Refer to sk181149. |
| PRJ-50681, PRHF-30764 | Scalable Platforms | Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed. |
| PRJ-48930 | Scalable Platforms | Connectivity issues may occur in a Maestro Security Group when VLAN encapsulation is disabled on Orchestrators in a Maestro Dual Site environment. Refer to sk181385. |