R81.20 Jumbo Hotfix Take 79

Note - This Take contains all fixes from all earlier Takes.

Take 79 Released on 19 August 2024

Take 79 - New Functionality

| ID | Product | Description |
|---|---|---|
| PRJ-53640, PMTR-102064 | Security Management | NEW: Added the ability to unset a persistent environment variable, using the "-u" flag for the override_server_setting.sh script introduced in sk165938. Upon execution, the specified property is now removed from the $MDS_FWDIR/conf/cpmEnvVars.conf file. |
| PRJ-54715 | Security Management | NEW: Automatic refresh of SmartConsole views after Global Policy Assignment on a Multi-Domain Security Management Server. To enable this ability, refer to sk182307. |
| PRJ-53464 | SD-WAN | NEW: |
| PRJ-53477 | Scalable Platforms | NEW: Added Generic Data Center support for Quantum Maestro environments. |
Take 79 - Improvements and Resolved Issues

| ID | Product | Description |
|---|---|---|
| PRJ-50857 | Security Gateway | UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.58 to fix CVE-2023-31122 and CVE-2023-43622. |
| PRJ-50924, PMTR-97400 | Security Gateway | UPDATE: Deprecated the RC2-CBC cipher for SIC in OpenSSL. |
| PRJ-55316 | Gaia OS | UPDATE: A patch on top of OpenSSL 1.1.1w to fix CVE-2024-2511. Refer to sk182320. |
| PRJ-56226, PMTR-106852 | Gaia OS | UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. Refer to sk182743. |
| PRJ-54496 | Security Management | UPDATE: JRE is updated from version 8.0_8.10 to version 8.0_8.21. |
| PRJ-50381 | Security Management | UPDATE: Various Web Portals on the Security Management Server (for example, Web SmartConsole, SmartView) no longer accept HTTPS connections to ports 443 and 19009 with specific TLS 1.2 ciphers. Refer to sk181879. |
| PRJ-53605 | Security Management | UPDATE: Modified the content of the https://<ip_address>/license_management/ page. |
| PRJ-53954 | Security Management | UPDATE: Changed the hardware name "1570R Appliances" to "1570R/1575R Appliances" in the Security Gateway editor in SmartConsole and SmartProvisioning. |
| PRJ-52932 | Security Management | UPDATE: When deleting a Secondary Multi-Domain Security Management Server, SmartConsole now shows an "After MDS '<MDS name>' is deleted, you should delete the Secondary Domain Servers from the Domains and revoke their certificates" message. |
| PRJ-52404, PMTR-99617 | Security Management | UPDATE: Added SHA-256 fingerprints to certificate objects to mitigate the risk of hash collisions and strengthen trust when the fingerprint, encoded as English words, is used as a verification mechanism. |
| PRJ-52954 | Logging | UPDATE: Enhanced the Access Control log for "Accept" actions whose initial matched layer is "IoT" or "Playblocks": the "Layer Name" field now shows the admin-configured layer, alongside Rule Name and Rule Number, so administrators see their preferred match layer rather than the first matched layer or inline rule. This improves visibility into the specific policy components responsible for accepting traffic. |
| PRJ-55290, PMTR-104620 | Security Gateway | UPDATE: The Hyperflow wake-up process on smaller appliances (up to 32 cores) now uses only two cores initially, reducing resource contention and improving stability during Elephant Flows. |
| PRJ-55428 | Security Gateway | UPDATE: The severity of the debug message for cp_shmem huge page allocation failures is reduced. When huge pages are unavailable, the message now appears as a warning instead of an error, and the system falls back to regular memory pages. |
| PRJ-51989 | Security Gateway | UPDATE: The performance of the thread blocker feature (sk180437) is improved and the feature is re-enabled. |
| PRJ-47490 | Security Gateway | UPDATE: Implemented automatic purging of expired SIC certificates on Security Gateways to eliminate memory residues and prevent misuse. |
| PRJ-54341 | SSL Network Extender | UPDATE: SSL Network Extender is updated to version 80008409. |
| PRJ-53919 | URL Filtering | UPDATE: When URL Filtering operates in Background Mode and encounters an unclassified connection, the connection is no longer approved automatically; it is accepted or rejected based on Access Rule Base execution and listed under the "unknown" category. |
| PRJ-51532 | Mobile Access | UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices. |
| PRJ-53587 | Gaia OS | UPDATE: The "show asset" and "show lom" commands now also display the sub-minor version of the LOM firmware on the 9000/19000/29000 appliance lines. |
| PRJ-54590 | Gaia OS | UPDATE: Extended the "allowed-client" setting to enforce IP restrictions for both password and SSH key authentication methods, providing more comprehensive access control. |
| PRJ-54672 | VoIP | UPDATE: SIP over UDP requests and responses may be dispatched to different firewall instances when a single-direction rule is defined in the Rule Base, potentially causing returned SIP traffic to be dropped as an unknown connection. To address this, a new global parameter "sip_forward_if_needed" is introduced (disabled by default). When enabled, the Security Gateway forwards responses to the firewall instance that handled the corresponding request. Refer to sk182667. |
| PRJ-55719 | VPN | UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1". |
| PRJ-53822 | CloudGuard Network | UPDATE: It is no longer necessary to run the $MDS_FWDIR/scripts/alignLicensesInDB.sh script (sk181500) after the import during Security Management Database migration. The script now runs automatically after the migration. |
| PRJ-53101 | Scalable Platforms | UPDATE: Removed the ability to delete the "_lldp" internal user in Gaia OS to prevent traffic impact. Refer to sk182026. |
| PRJ-56057, ODU-1923 | Automatic Updates - HCP | UPDATE: Added Update 18 of the HealthCheck Point (HCP) Release. Refer to sk171436. |
| PRJ-55914 | Automatic Updates - CPView | UPDATE: Added Take 97 of the CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
| PRJ-56193, ODU-1787 | Automatic Updates - Web SmartConsole | UPDATE: New features and improvements are released in Take 114 via the self-updatable package. Refer to sk170314. |
| PRJ-55917 | Automatic Updates - CloudGuard Network | UPDATE: Added Take 21 of the Public Cloud CA Bundle. Refer to sk172188. |
| PRJ-50936 | Security Management | SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings. |
| PRJ-53454 | Security Management | Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found". |
| PRJ-52045 | Security Management | In some scenarios, the Security Management Server upgrade to R81.20 fails with "java.lang.String incompatible with com.checkpoint.infrastructure.types.CPUUID" in the upgrade report. The issue occurs during the import of the User Data Domain. |
| PRJ-54005 | Security Management | In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error". |
| PRJ-46788, PRHF-29046 | Security Management | In some scenarios, an upgrade of the Security Management Server or Multi-Domain Security Management Server fails with the "Failed: upgrade of "DOMAIN_NAME". For more details see upgrade logs below" error in the upgrade report. |
| PRJ-52546, PMTR-100061 | Security Management | In rare scenarios, the CPCA process on the Security Management Server / Domain Management Server may exit unexpectedly, creating a core dump file. Refer to sk183101. |
| PRJ-52889 | Security Management | "Mapping of Data Center [xxxx] failed. Next mapping is in 300 seconds" errors in the CME logs show failed attempts to scan deleted data centers. |
| PRJ-45161 | Security Management | In rare scenarios, login to the Security Management Server may fail with a timeout and the FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
| PRJ-53771 | Security Management | In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when run with "details-level full". |
| PRJ-53507 | Security Management | After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and be unable to perform certain management tasks, such as enabling or disabling blades. |
| PRJ-52434 | Security Management | When Global Domain Assignment fails with the "More than one object named 'XXX' exists" error, not all duplicate objects are listed. |
| PRJ-53760, PRHF-32936 | Security Management | The "domains_tool -report" command may fail if more than sixteen host objects are defined as DNS Servers in the environment. |
| PRJ-49241 | Security Management | In some scenarios, the SmartTask "Before login" trigger may be executed although there was no login operation. |
| PRJ-52781 | Security Management | When using the "set simple-gateway" Management API command to edit interfaces, the operation is performed on only fifty interfaces at a time. |
| PRJ-49438 | Security Management | The UPDATE_INSPECT_FILES process of the Upgrade Tools may exit with a core dump. |
| PRJ-52019 | Security Management | Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled. |
| PRJ-50844 | Security Management | Export of a list of objects from the Global Object Explorer fails with the "Export policy is not supported when rule name is in a format of UUID" error message. |
| PRJ-51121 | Security Management | In rare scenarios, if a Star VPN Community object is created, publish operations may fail. |
| PRJ-50755 | Security Management | Access to and from Generic Data Center objects may not be enforced when the MDPS configuration is enabled on the Security Gateway. |
| PRJ-52915 | Security Management | Deleting a Security Gateway object fails if a license is attached to the Security Gateway and the Security Gateway is physically disconnected. |
| PRJ-54066 | Security Management | In some scenarios, users may be disconnected from SmartConsole, and an FWM process core dump is generated. |
| PRJ-53502 | Security Management | In some scenarios, SmartConsole may unexpectedly disconnect. |
| PRJ-52518 | Security Management | In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages. |
| PRJ-53895 | Security Management | In rare scenarios, the API status shows "Automatic Start: Disabled" even though automatic start was not disabled manually. |
| PRJ-48937 | Security Management | The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set. |
| PRJ-52778 | Security Management | Objects Explorer search fails with "Error retrieving results" when more than twenty thousand IP addresses match the search criteria. |
| PRJ-49057 | Security Management | In rare scenarios, publishing a session in SmartConsole fails with the "got at least one duplicate UID in requested list, duplicates UIDs: [XXX]" error. |
| PRJ-52850 | Security Management | Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
| PRJ-57031, PRHF-30884 | Security Management | Log queries fail with the error "Problems have occurred during search" while a Domain migration is in progress, specifically during execution of the "export-management" or "import-management" Management API commands. |
| PRJ-55523 | Security Management | In rare scenarios, the CPD process may exit with core dumps. |
| PRJ-52346 | Security Management | In some scenarios, the PostgreSQL database fully utilizes the disk space on the Standby Security Management Server. |
| PRJ-53677, PMTR-98465 | Security Management | The Management API command "get-interfaces" may return the subordinate physical interfaces of a bond interface. |
| PRJ-51630 | Multi-Domain Security Management | In rare scenarios, login to a newly created Domain fails and the CPCA daemon has the "down" status. Refer to sk181798. |
| PRJ-53552 | Multi-Domain Security Management | When a Domain name (for example, "XXX") is contained in another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop the Domain named "XXX-YYY". |
| PRJ-52950 | Multi-Domain Security Management | In a Multi-Domain Security Management environment, there may be synchronization timeout errors, and the automatic revisions purge may fail. |
| PRJ-55658 | Multi-Domain Security Management | In some scenarios, in a Multi-Domain Security Management environment, creating a Domain on a remote Multi-Domain Management Server may fail with the "Check connectivity between Domain Servers IPs and initialize SIC manually" error. |
| PRJ-54514 | SmartConsole | In rare scenarios, login to SmartConsole fails. |
| PRJ-50695 | Logging | In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800. |
| PRJ-54061 | Logging | In rare scenarios, an empty log list may be displayed when selecting a log file to view in SmartConsole. |
| PRJ-54238 | Logging | Log Exporter may unexpectedly exit when using a non-RSA certificate. |
| PRJ-51276 | Logging | When adding a table widget to a SmartView report: |
| PRJ-51444 | Logging | The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, incorrectly displays data in petabytes (PB) instead of the expected gigabytes (GB). |
| PRJ-50794 | Logging | In SmartView, filtering logs by "event_type" may fail with the "Query failed" error. |
| PRJ-51517 | Logging | Log searches for the same time period may return more results in SmartConsole than in SmartView. |
| PRJ-55512 | Logging | In some scenarios, the name of the Security Gateway is not shown in the title of the automatic reaction email, although it should be. |
| PRJ-50262 | Logging | In SmartView, some countries are not displayed in the countries picker. |
| PRJ-52941, PRHF-32194 | Logging | In the Logs view, the "TCP-other" and "UDP-other" services are displayed as generic service IDs, for example, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477". |
| PRJ-54020 | Logging | In rare scenarios, Zero Phishing logs may disappear from the SmartConsole Logs view. |
| PRJ-53451 | Security Gateway | Even if the interface is configured with an MTU higher than 1500, the maximum MTU over CPAS is limited to 1500. |
| PRJ-53075 | Security Gateway | On some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID". |
| PRJ-51970 | Security Gateway | The CPWD daemon does not restart automatically. |
| PRJ-51480, PMTR-98475 | Security Gateway | The RAD process exits and creates a core file on the Security Gateway. |
| PRJ-55423, PRJ-55422, PRHF-33730, PRJ-55424, PRHF-33912 | Security Gateway | In a multi-cloud networking environment (AWS GWLB and VMware NSX-T), the Security Gateway may crash due to memory corruption. |
| PRJ-54526 | Security Gateway | In some scenarios, when SecureXL User Mode is enabled, the Security Gateway drops traffic after it was processed. |
| PRJ-54628 | Security Gateway | In some scenarios, adding sequential IP addresses as MDPS task addresses may fail. |
| PRJ-51049 | Security Gateway | In some scenarios, websites that use the HTTP/2 protocol do not load properly. |
| PRJ-49902 | Security Gateway | Kernel memory usage increases persistently each day on a Security Gateway / Security Group when CGNAT is enabled. Refer to sk182140. |
| PRJ-54529 | Security Gateway | In some scenarios, the Security Gateway erroneously offloads connections to SecureXL when the initial route lookup found no route for them. |
| PRJ-52774 | Security Gateway | In rare scenarios, the FWK process may unexpectedly exit. |
| PRJ-52647 | Internal CA | CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released, because CPCA closes the connection prematurely. |
| PRJ-50701 | Threat Prevention | The Anti-Virus Blade fails to parse IoC feeds that contain IPv6 addresses. |
| PRJ-48310 | Threat Prevention | In rare scenarios, when the Anti-Virus, Threat Extraction and Threat Emulation Blades are enabled, some connections that were on hold are dropped. |
| PRJ-53201 | Threat Prevention | In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops. |
| PRJ-51341 | Identity Awareness | In some scenarios, the PEPD process may consume high CPU because of a high rate of identity propagation. Refer to sk182588. |
| PRJ-46490 | Identity Awareness | Policy Enforcement Point (PEP) logs show a username after the user session has expired. Refer to sk181553. |
| PRJ-53249 | IPS | A connectivity issue may occur when processing specific HTTP/2 traffic. |
| PRJ-43104 | DLP | Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs. |
| PRJ-53128 | Anti-Virus | The DLPU process may unexpectedly exit due to uninitialized memory when the Anti-Virus Blade scans files. Refer to sk182030. |
| PRJ-55520 | SSL Inspection | In rare scenarios, when HTTPS Inspection is enabled, the FWK process may unexpectedly exit due to a memory violation. |
| PRJ-54641 | Mobile Access | The HTTPD process of the Mobile Access Portal may exit with a core dump file. |
| PRJ-51154 | Mobile Access | The Web Application names column in the Mobile Access Portal is too narrow for the names to fit. Refer to sk181774. |
| PRJ-54324, PRHF-33620 | ClusterXL | In a rare scenario, the FWK process repeatedly exits, causing failovers. Crashes may happen on both cluster members. |
| PRJ-54170 | ClusterXL | In rare scenarios, in a cluster environment, the CPDiag tool may crash. |
| PRJ-52896 | ClusterXL | In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error. |
| PRJ-55307 | SecureXL | Potential kernel crash in MDPS configurations when modifying and re-adding slave interfaces to bonds in non-default Virtual Systems. |
| PRJ-55493 | SecureXL | When SecureXL User Mode (UPPAK) is enabled, packets originating from the Security Gateway may not be fragmented properly. |
| PRJ-53481 | SecureXL | In some scenarios, when the QoS blade is enabled and SecureXL works in User Mode (UPPAK), the Security Gateway may crash with the "invalid data" error. |
| PRJ-55799 | SecureXL | When SecureXL User Mode (UPPAK) is enabled, in some scenarios, a VSX Security Gateway with many Virtual Systems may crash. |
| PRJ-55566 | SecureXL | The USIM process may unexpectedly exit. |
| PRJ-54331 | SecureXL | In rare scenarios, the Security Gateway crashes when an interface goes down right before it transmits packets out. |
| PRJ-54428 | SecureXL | In some scenarios, the VSX Security Gateway does not initialize a Virtual System correctly when it is connected to a Virtual Router or Virtual Switch. |
| PRJ-54323 | SecureXL | In some scenarios, traffic with a Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSX Security Gateway. |
| PRJ-55958 | SecureXL | Each "stop" and "start" API call for the LightSpeed Acceleration interfaces may take several seconds. Refer to sk182585. |
| PRJ-54425 | SecureXL | In some scenarios, the VSX Security Gateway may fail to properly reroute traffic originating from a Virtual Switch. |
| PRJ-55344 | Routing | The OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks because the "IP-Address" field is omitted from the grace LSA. |
| PRJ-55399 | Routing | OSPFv3 NSSA may fail to re-originate Type 7 LSAs after an OSPFv3 process restart, disrupting proper route propagation. |
| PRJ-54603 | Routing | Routing BFD sessions that use IPv6 global addresses on single-hop interfaces fail to recover after the network interface is administratively disabled and re-enabled. |
| PRJ-52671 | Routing | Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on". |
| PRJ-55016 | Gaia OS | The "fw ctl affinity" command output shows interfaces without Multi-Queue, while the "mq_mng -o" command shows that Multi-Queue is enabled on all interfaces. |
| PRJ-53387 | Gaia OS | Gaia Portal operation mode options are not visible in the Editing Bond window. Refer to sk182432. |
| PRJ-52416, PRHF-31929 | Gaia OS | An SNMP query for OID 1.3.6.1.4.1.2620.1.6.7.5.1.5 (CPU utilization per CPU core) and the "cpstat os -f cpu" command may return an incorrect value. Refer to sk182447. |
| PRJ-51020 | VPN | Duo management reports display incorrect access source locations because Security Gateways provide inverted IP addresses during the two-factor authentication challenge-response process. Refer to sk181783. |
| PRJ-55293 | VPN | Configuring a Large Scale VPN (LSV) with IPv6 and establishing a VPN tunnel may cause the FWK process to exit. |
| PRJ-55488 | VPN | During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. The receiving VPN peer then treats these legitimate packets as a replay attack and drops them. |
| PRJ-52912 | VPN | SNMP queries show a different number of connected Remote Access VPN users than CPView and the CLI show. RaUserState information is missing from the SNMP MIB file. |
| PRJ-55986 | VPN | During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big". |
| PRJ-53940 | VPN | After running the "vpn iked disable" command, the VPND daemon does not take over listening on the tunnel test port from IKED. |
| PRJ-53715 | VPN | Tunnel testing fails after an upgrade. Refer to sk182267. |
| PRJ-54548, PMTR-104230 | Multi-Portal | Under a special routing configuration, an Active Cluster member may accept portal traffic (on TCP ports 80 and 443) destined to a Standby member's IP address. |
| PRJ-53118 | VSX | In a VSX Cluster with IPv6 enabled, after an upgrade, Virtual Systems without an IPv6 address may fail to install the Access policy. |
| PRJ-54598 | VSX | In rare scenarios, the CPD process of the default Virtual System (VS0) on a VSX Gateway gets stuck. |
| PRJ-51993, PMTR-99136 | Harmony Endpoint | Upgrade failures may occur when the source server contains an existing am_top_infections_master view, because the upgrade process attempts to drop and recreate this view during the final stages of the Endpoint Server database schema update. |
| PRJ-53555 | CloudGuard Network | The Central License tool (vsec_lic_cli) unexpectedly removes Central Licenses from the default license pool on the Primary Multi-Domain Security Management Server in a High Availability (HA) environment. Refer to sk182483. |
| PRJ-47808 | CloudGuard Network | In the Kubernetes Data Center, the Import window may be stuck in the "Initializing" state. |
| PRJ-55862 | Scalable Platforms | When using MDPS routing separation and Maestro Dual Site, the Log Server may get disconnected on the Standby site. |
| PRJ-54335 | Scalable Platforms | Attaching different Network Interface Card models to different Maestro Security Group members may trigger unnecessary reboots. |
| PRJ-55461 | Scalable Platforms | When dynamic split is enabled, the system fails to update the "/tmp/mq_cores_list" file, causing the "cores_verifier" and "asg perf" verifiers to display incorrect PPAK core numbers. |
| PRJ-54126 | Scalable Platforms | After changing the CoreXL configuration of a Virtual System in SmartConsole, the dynamic split state switches to off until the "g_dynamic_split -r" command is run. |
| PRJ-53511 | Scalable Platforms | When running the "set user username force-password-change yes" command in gClish on Scalable Platforms, the new configuration may not be applied. |
| PRJ-43739 | Scalable Platforms | The "distutil" script may take a long time to run in an environment with many Virtual Systems. |
| PRJ-49848 | Scalable Platforms | Site to Site VPN traffic may be interrupted after installing policy with VSLS. |
| PRJ-50626 | Carrier Security | |
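The SHA-256 fingerprint change for certificate objects (PRJ-52404 in the table above) only helps if the value shown in the console is actually compared against the certificate the peer presents. The following Python is an added example, not Check Point code and not the English-word fingerprint format SmartConsole displays: it computes colon-separated SHA-1 and SHA-256 fingerprints from DER bytes and checks a presented certificate against an expected fingerprint using a constant-time comparison, refusing any expected value whose length does not match the requested algorithm, so an old SHA-1 string can never satisfy a SHA-256 check. SAMPLE_DER is a constructed stand-in, not a real certificate; for a live gateway the DER would come from ssl.get_server_certificate() followed by ssl.PEM_cert_to_DER_cert().

```python
"""Certificate fingerprint computation and verification (SHA-1 vs SHA-256).

Added example, not Check Point code. It mirrors the practitioner-side check
behind PRJ-52404: compare the fingerprint shown for a certificate object with
the one computed from the DER certificate a peer actually presents, and prefer
the SHA-256 value because SHA-1 collisions are practical.
"""
import hashlib
import hmac
import re

# Constructed stand-in for DER certificate bytes (NOT a real certificate). For a
# live peer, use ssl.get_server_certificate() then ssl.PEM_cert_to_DER_cert().
SAMPLE_DER = bytes(range(256)) * 4

FINGERPRINT_ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated, upper-case hex digest of the DER bytes, as consoles display it."""
    digest = FINGERPRINT_ALGOS[algo](der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def verify_fingerprint(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of a presented certificate against an expected fingerprint.

    An expected value whose length does not match `algo` is rejected outright, so a
    SHA-1 string (or a truncated one) cannot be silently accepted as a SHA-256 check.
    """
    want = normalize(expected)
    if len(want) != FINGERPRINT_ALGOS[algo]().digest_size * 2:
        return False
    return hmac.compare_digest(normalize(fingerprint(der, algo)), want)


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        print(f"{algo:6} {fingerprint(SAMPLE_DER, algo)}")
    print("sha256 match:", verify_fingerprint(SAMPLE_DER, fingerprint(SAMPLE_DER)))
    print("sha1 string against sha256 check:",
          verify_fingerprint(SAMPLE_DER, fingerprint(SAMPLE_DER, "sha1")))
```

When pinning a gateway or CA certificate in automation, record the SHA-256 fingerprint and pass algo="sha256"; keep SHA-1 only for matching older console output, never as the trust decision.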
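The drop described for PRJ-55488 is the receiving peer doing exactly what the ESP anti-replay service (RFC 4303, section 3.4.3) requires. The Python below is an added example, not Check Point code: a sliding-window receiver that accepts each sequence number once, tolerates reordering inside the window, and rejects anything already seen or older than the window. The sequence-number streams fed to replay_demo() are constructed; the stream with a repeated number models a sender that assigned the same sequence number to two distinct packets, and the window has no way to tell the second packet from a replay, so it is dropped.

```python
"""Sliding-window anti-replay check as an ESP receiver performs it (RFC 4303, 3.4.3).

Added example, not Check Point code. It models the receiver-side behaviour behind
PRJ-55488: a packet whose sequence number was already accepted is dropped, so a
sender that reuses a sequence number loses legitimate traffic.
"""
from typing import List


class AntiReplayWindow:
    """Highest accepted sequence number plus a bitmap of the last `size` numbers."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i is set when sequence number (top - i) was accepted

    def check(self, seq: int) -> bool:
        """Return True (and record seq) if seq is fresh; False if replayed or too old."""
        if seq == 0:                         # ESP sequence numbers start at 1
            return False
        if seq > self.top:                   # right of the window: slide it forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:              # left of the window: too old
            return False
        if self.bitmap & (1 << offset):      # already accepted: replay
            return False
        self.bitmap |= 1 << offset           # late but unseen: accept
        return True


def replay_demo(seqs: List[int], size: int = 8) -> List[bool]:
    """Feed a constructed sequence-number stream to one window; return per-packet verdicts."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed streams: a reordered-but-valid stream, and the PRJ-55488 case
    # where two distinct packets were sent carrying sequence number 2.
    for stream in ([1, 2, 3, 3, 5, 4, 2, 100, 92, 93], [1, 2, 2, 3]):
        verdicts = replay_demo(stream)
        print(" ".join(f"{s}:{'ok' if v else 'DROP'}" for s, v in zip(stream, verdicts)))
```

The window size here is 8 for readability; RFC 4303 requires at least 32 and implementations commonly use 64 or larger, which widens reordering tolerance but changes nothing about duplicates, which are rejected regardless of window size.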