R81.20 Jumbo Hotfix Take 90


Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 90

Released on 12 November 2024

Take 90 - New Functionality


PRJ-56704,
PMTR-102912

Security Management

NEW: Added a new Management API command that displays API usage statistics: "api stats". It can be run on the Security Management Server or the Multi-Domain Security Management Server. For detailed usage instructions, run "api -h".

PRJ-56818,
AAD-1761

VPN

NEW: Local SCV settings can be customized per Security Gateway by creating a $FWDIR/conf/local.scv_<GW NAME> file; otherwise, the settings fall back to the standard local.scv configuration.

Take 90 - Improvements and Resolved Issues


PRJ-56248,
PMTR-106894

SmartConsole

UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Fix for Remote Access VPN and login to SmartConsole, Mobile Access and Identity Awareness Captive Portal. Refer to sk182516.

PRJ-56177,
PMTR-106774

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.61 to fix: CVE-2023-31122, CVE-2023-43622, CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573.

PRJ-56882,
PMTR-106858

Security Management

UPDATE: JRE is updated from version 8.0_8.21 to version 8.0_8.26.

PRJ-55661,
PMTR-105539

Security Management

UPDATE: The "set threat-exception" Management API command now includes the "protection-or-site" parameter. When specified, this parameter adds new values to the existing list of protections or sites, instead of overwriting the current entries.

PRJ-56611,
PMTR-108410

Logging

UPDATE: Added a count of Session and Connection logs to the "cpstat" command output.

PRJ-47655,
PRHF-29103

Security Gateway

UPDATE: Added ability to increase/decrease DNS cache table size.

PRJ-51951,
PRHF-31203

Security Gateway

UPDATE: Added support for log rotation in the avi_del_tmp_files.elg files. Refer to sk113241.

PRJ-56698

SD-WAN

UPDATE: Improved the performance and scalability in SD-WAN Monitoring.

PRJ-48031,
PRHF-29471

Threat Emulation

UPDATE: The maximum size for files uploaded to Threat Emulation can now be configured using the Threat Emulation API. Set the "max_api_request_data_size" attribute to specify the new limit.

PRJ-49053,
PRHF-30097

Identity Awareness

UPDATE: Identity Collector OIDs for SNMP queries are now available in both $CPDIR/lib/snmp/chkpnt.mib and $FWDIR/conf/identity_server.cps locations.

PRJ-57065,
PRHF-34509

SecureXL

UPDATE:

  • Improved debugging in the Security Gateway to identify problematic hosts when resolving their next-hop IP addresses.

  • The custom ADP queue size configuration now persists after rebooting the Security Gateway. The relevant global parameters are located in the $PPKDIR/conf/adpkern.conf file:

    • "adp_nh_total_max_arp_qents"

    • "adp_nh_local_max_arp_qents"

PRJ-56483,
PMTR-107320

SecureXL

UPDATE: Improved throughput of GRE tunnels configured on the ports of the 100G Acceleration Card.

PRJ-57757,
PRJ-58096,
ODU-2107,
ODU-2083

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 121 and Take 123 via self-updatable package. Refer to sk170314.

PRJ-57327,
ODU-1979

Automatic Updates - HCP

UPDATE: Added Update 19 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-57439,
ODU-1971

Automatic Updates - Threat Extraction

UPDATE: Added Update 15 of Threat Extraction Engine. Refer to sk165832.

PRJ-57705,
ODU-2027

Automatic Updates - CPView

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-57709,
ODU-1995

Automatic Updates - CPView

UPDATE: Added Take 40 of CPviewExporter Release Updates. Refer to sk180521.

PRJ-56509,
PMTR-106245

Security Management

In some scenarios, the Security Management Server upgrade fails with "creating default objects and restarting services" during the import phase.

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-56165,
PMTR-106542

Security Management

In some scenarios, the "set-exception-group applied-threat-rules.position" Management API command may add the exception group to an incorrect position.

PRJ-53260,
PRHF-32595

Security Management

When exporting a policy to a CSV file, the process fails silently if any rule within the policy has a name or comment in UID format. No clear error message is provided to indicate the cause of the failure.

PRJ-56614,
PRHF-35520

Security Management

An administrator whose authentication method was changed from "Check Point Password" to a different method in R77.X can still log in using their original Check Point password.

PRJ-50036,
PRHF-30712

Security Management

The "show-domains" Management API command may return partially deleted domains among the results.

PRJ-55669,
PRHF-34447

Security Management

Adding a host object to a network group using the "set-host" Management API command may generate large redundant audit logs.

PRJ-52760,
PRHF-32246

Security Management

Audit logs may not be generated when changes are made to an inline (shared) layer that appears multiple times within the same policy.

PRJ-56763,
PMTR-105923

Security Management

SmartConsole may get disconnected when installing a policy on more than five hundred targets.

PRJ-57073,
PRHF-35818

Security Management

In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file.

PRJ-55832,
PRHF-34199

Security Management

Global Policy Reassignment may fail with an "An internal error has occurred" message when a custom IPS package is used or was previously used in the system.

PRJ-54296,
PRHF-25950

Security Management

The Database Installation progress bar may not update during task execution.

PRJ-56028,
PRHF-35019

Security Management

When exporting a policy to CSV with hitcount enabled, if the hitcount timeframe is set to anything other than "All", the "Hitcount" column in the CSV file may appear blank.

PRJ-55690,
PRHF-34236

Security Management

Searching for a Data Center asset IP address in the policy may not return results.

PRJ-52454,
PRHF-28597

Security Management

In some scenarios, Access Control policy verification is stuck at 40 percent.

PRJ-46463,
PRHF-28817

Security Management

In some scenarios, policy installation using Management API with the "prepare-only" parameter set to "true" may fail with an "internal error" message.

PRJ-46235,
PRHF-28814

Security Management

Changing the main URL of the UserCheck Portal using the "set simple-gateway" Management API command fails with "DNS failed to resolve the hostname: <gateway name>. Executed command failed. Changes are discarded".

PRJ-54720,
PRHF-33889

Security Management

In rare scenarios, when Application Control blade is enabled, cloning a policy may fail due to timeout.

PRJ-54659,
PRHF-33941

Security Management

Several Management API commands, such as "show-package" and "install-policy", may fail if running them after the deletion of a cluster member.

PRJ-52757,
PMTR-99312

Multi-Domain Security Management

Enabling IPS on Multi-Domain Security Management Server may cause Threat Prevention policy installations to fail due to legacy IPS multi-profile incompatibility.

PRJ-56541,
PRHF-34752

Multi-Domain Security Management

In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains.

PRJ-55787,
PRHF-34686

Multi-Domain Security Management

Global Domain Assignment fails with an "Internal Error" message when performed on a Multi-Domain Security Management Server containing over 32,000 revisions.

PRJ-55705,
PRHF-34013

Multi-Domain Security Management

In rare scenarios, objects are missing from the Gateways & Servers view on the Multi-Domain Security Management level. Refer to sk182641.

PRJ-53994,
PRHF-33263

Multi-Domain Security Management

In some scenarios, Domain deletion may fail with a "delete domain failed: null" message.

PRJ-55932,
PRHF-34218

Multi-Domain Security Management

In rare scenarios, login to a Domain from the System Domain in SmartConsole fails with "Login to the Domain <domainName> failed. Try again, or connect directly to the Domain using its IP address <domainIp>".

PRJ-56531,
PRHF-35418

Multi-Domain Security Management

The Multi-Domain Security Management Server experiences high CPU usage when communicating with the Multi-Domain Log Server, and the cpm.elg log prints the "You have reached the maximum number of active session" error. Refer to sk182738.

PRJ-56712,
PRHF-35700

Multi-Domain Security Management

In some scenarios, cpmiquerybin core files may appear in /var/log/dump/usermode/ on the Security Management Server.

PRJ-47879,
PRHF-24029

SmartConsole

The "show lsm-cluster" Management API command fails with a "Null Pointer exception: null" message if the "membersNetworkOverride" field is empty.

PRJ-57309,
MCFG-666

SmartConsole

SmartConsole fails to connect with "Unable to connect to server. Server is initializing". Refer to sk182507.

PRJ-57421,
PMTR-107206

SmartConsole

In some scenarios, opening a new tab in the SmartConsole Logging & Monitoring view fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732.

PRJ-50432,
PRHF-30878

Logging

In rare scenarios, CPU consumption on the Security Management Server is high and logs are not displayed.

PRJ-51694,
PRHF-31777

Logging

In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole. However, the new Log Exporter object is not actually generated.

PRJ-56644,
PMTR-107570

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit when the IPS / Application Control / Anti-Virus / Anti-Bot blade is active and the HyperFlow feature is enabled.

PRJ-56732,
PMTR-107546

Security Gateway

The "asg monitor" command may show the Security Gateway in the "during upgrade" state although a major downgrade is complete.

PRJ-54070,
PRHF-33254

Security Gateway

Changing the NAT settings of a host using the "set-host" Management API command succeeds but has no effect unless both the "ipv4-address" and "ipv6-address" parameters are set.

PRJ-56701,
PRHF-35624

Security Gateway

Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725.

PRJ-57351,
PRJ-57352

Security Gateway

When SecureXL User Mode (UPPAK) is enabled and using Passive/Active Streaming with QoS, the Security Gateway may incorrectly drop some traffic.

PRJ-57254,
PMTR-107381

Security Gateway

In some scenarios, the Security Gateway does not free some packets causing a memory leak.

PRJ-54119,
PRHF-33299

Security Gateway

In a rare scenario, the FWK process may exit when cluster connection synchronization fails.

PRJ-56722,
PMTR-107648

Security Gateway

The Security Gateway may crash during large memory allocation operations in specific applications.

PRJ-57371,
PMTR-97905

Security Gateway

When adding a new Virtual System, a CPD core dump file may be generated.

PRJ-53810,
PRHF-33037

Security Gateway

The Security Gateway may crash after a failure in policy installation.

PRJ-58099,
PMTR-109857

Security Gateway

Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807.

See the Important Notes section.

PRJ-57097,
PRHF-36117

SD-WAN

In a rare scenario, when an SD-WAN transport is incorrectly marked as "UP" even though its underlying ISP interface is "DOWN", traffic fails to reach the remote peer because of incorrect routing decisions.

PRJ-57115,
PRHF-31189

Threat Prevention

Threat Prevention policy installation may fail because of invalid JSON format in the IoC feed feature configuration file. Refer to sk181650.

PRJ-57667,
PMTR-100232

Threat Prevention

The Threat Prevention policy installation may fail when installing from R81.20 SmartConsole on R80.x Security Gateway.

PRJ-55888,
PMTR-106443

Threat Prevention

In some scenarios, when loading large IoC IP feeds, policy installation may fail with "Installation failed. Reason: Policy install commit function was unsuccessful due to timeout" because of a large IP addresses list.

PRJ-55377,
PRHF-33771

Threat Prevention

In some scenarios, the TPD daemon may cause high CPU usage because of a large amount of logs.

PRJ-56328,
MBS-18307

Threat Prevention

In a rare scenario, the Security Gateway may crash during traffic inspection when holding a connection.

PRJ-50243,
PMTR-83242

Threat Prevention

In a rare scenario, Anti-Bot and Anti-Virus packages may be seen as not updated in SmartConsole, even though the packages are updated.

PRJ-57006,
PRHF-35823

Threat Prevention

In some scenarios, when Zero Phishing is enabled, a kernel crash may occur.

PRJ-53590,
PRHF-32655

Identity Awareness

In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Any groups beyond this limit are disregarded when determining user access roles.

PRJ-56360,
PMTR-100177

Application Control

The fwk.elg file may be flooded with the "DNS_DATA_SOURCE failed on context 201, executing context 366 exception" messages. Refer to sk182606.

PRJ-54431,
PRHF-33644

IPS

In a rare scenario, when IPS is enabled and logging on a rule that involves IPS is enabled, physical memory usage may rapidly increase.

PRJ-56624,
PMTR-107215

IPS

IPS may drop an IPv6 TCP local connection.

PRJ-53833,
PRHF-33038

Anti-Virus

When Anti-Virus is enabled, in a rare scenario, a memory leak in the FWK process may occur on the Security Gateway.

PRJ-56717,
PMTR-107773

Anti-Virus

High volumes of simultaneous requests for the same domain or URL may cause Anti-Virus blades to put excessive load on the RAD daemon, leading to increased latency.

PRJ-56042,
PRHF-34907

Anti-Virus

In some scenarios, the Anti-Virus Blade logs on a VSX Gateway may display an incorrect origin IP address.

PRJ-55984,
PRHF-36838,
PRHF-35476

Anti-Virus

Anti-Virus may execute unnecessary load_sigs when loading external IoC feeds.

PRJ-58112,
PMTR-102962

ClusterXL

VSX Cluster Members with VLAN interfaces change their cluster state to "Down" and "Active!" after installing the R81.20 Jumbo Hotfix Accumulator Take 89. Refer to sk182819.

See the Important Notes section.

PRJ-56599,
PMTR-107557,
PRHF-35772

SecureXL

IPX traffic over an interface in Bridge Mode may be dropped when the Security Gateway works in SecureXL User Mode (UPPAK). Refer to sk182623.

PRJ-56480,
PMTR-107271

SecureXL

In some scenarios, the VSX cluster can take extra time to boot up and activate the Virtual Systems.

PRJ-57488,
PMTR-105824

SecureXL

When working with Jumbo Frames in SecureXL User Mode (UPPAK) on Quantum Force 9000 series appliances, incorrect memory allocation calculations may cause intermittent link failures. Refer to sk182825.

PRJ-57430,
PRHF-36137

SecureXL

When SecureXL User Mode (UPPAK) is enabled and ESP traffic is running, packet loss may occur and the "fwconn_key_init_links failed" error is printed. Refer to sk182775.

PRJ-56828,
PMTR-107903

SecureXL

An issue with the USIM process may occur if CPView statistics are collected during the "cpstop" operation on VSX.

PRJ-57001,
PMTR-108133,
PRJ-57252,
PMTR-102529,
PRJ-57250,
PMTR-98868

SecureXL

In some scenarios, the Security Gateway may crash when SecureXL User Mode (UPPAK) is enabled.

PRJ-57464,
PRJ-57428

SecureXL

In some scenarios during low TCP traffic, there is high CPU usage when SecureXL User Mode (UPPAK) is enabled.

PRJ-57614,
PMTR-109276

SecureXL

The USIM process may unexpectedly exit when these parameters are enabled in the $PPKDIR/conf/simkern.conf file:

  • "sim_top_conns_enable" - the tracking of the top connections.

  • "sim_top_proto_enable" - the tracking of the top protocols.

PRJ-56945,
PRHF-35953

SecureXL

The USIM process exits when attempting to delete an IP address from an empty deny list if that IP address exists in any other deny lists (including the regular deny list or those using IoC feeds).

PRJ-56904,
PMTR-108071

Routing

The ROUTED daemon may exit with a core dump during a BGP or OSPF restart.

PRJ-56525,
PMTR-101893

Routing

In a ClusterXL environment, a race condition may occur when BGP Graceful Restart is incorrectly configured. If the feature is enabled for some peers but not others, it may lead to permanent loss of network routes.

PRJ-49210,
PRHF-30241

VPN

Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of medium path, Quality of Service (QoS) controls, and VPN.

PRJ-52893,
PMTR-100703

VPN

The FWK process may exit when Monitor mode is enabled on one of the interfaces.

PRJ-51351,
PRHF-31438

VPN

Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason.

PRJ-50157,
PMTR-93643

VPN

When working with iOS devices, after establishing a VPN connection and subsequently disconnecting devices, the "vpn tu tlist" command may display an incorrect device connection status, indicating that a device is still connected.

PRJ-55887,
PMTR-106172

VSX

Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment.

PRJ-57814,
PRHF-17665

VSX

Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950.

PRJ-56480,
PMTR-107271

VSX

In some scenarios, the VSX cluster can take extra time to boot up and activate the Virtual Systems.

PRJ-52908,
PRHF-32420

Gaia OS

In some scenarios when MDPS is enabled, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth7 instead" message appears in /var/log/messages.

PRJ-54462,
PRHF-33758

Gaia OS

Traffic from a Host behind a Virtual System in a VSX Cluster / Scalable Platform Security Group in the VSX mode does not reach the destination. Refer to sk180441.

PRJ-55374,
PRHF-34122

Gaia OS

Running the "snmpwalk" command on OID .1.3.6.1.4.1.2620.1.6.23 causes snmpwalk on OID 1.3.6.1.4.1.2620.1.6.7.6.1 to show wrong output. Refer to sk182315.

PRJ-55306,
PRHF-32694

Gaia OS

The "cpviewd: unable to read from gpio_nuvoton driver module. snmpd: unable to read from gpio_nuvoton driver module" messages may be printed in /var/log/messages.

PRJ-56121,
PRHF-35200

Gaia OS

The "Unable to connect to the server, Press OK to reconnect" error is displayed when opening the Network Interfaces tab in the Gaia Portal. Refer to sk182560.

PRJ-56054,
PRHF-35042

Gaia OS

Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds.

PRJ-56874,
EPS-57790

Harmony Endpoint

During patch deployment in Posture Management, attempting to patch multiple systems for a specific application using the "Group By Application" option fails with the "Failed to Start Patching Process" error.

PRJ-57132,
PMTR-105660

Harmony Endpoint

The $UEPMDIR/engine/uepm-jms-data directory size can increase because queued requests get accumulated on the Server.

PRJ-55684,
PRHF-34515

Smart-1 Cloud

When creating multiple Interoperable Devices with dynamic IP addresses, duplicate IP addresses may be assigned to the Interoperable Devices. Refer to sk181834.

PRJ-44697,
PRHF-27834

Scalable Platforms

When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only.

PRJ-56368,
MBS-18304

Scalable Platforms

The VSX Gateway may cause traffic interruption when SecureXL User Mode (UPPAK) is enabled on systems with multiple physical interfaces.

PRJ-56969,
PRJ-56967

Scalable Platforms

After upgrade on Quantum Maestro and Scalable Chassis, when working in SecureXL User Mode (UPPAK), policy installation may fail.

PRJ-55429,
PRHF-34170

Scalable Platforms

Disabling the Maestro Fastforward feature may result in an error.

PRJ-48867,
PMTR-87890

Scalable Platforms

Using Image Cloning when the same VMAC feature is enabled may cause a boot loop.

PRJ-46194,
PRHF-28141

Scalable Platforms

In a Maestro environment, when MDPS is enabled, the "asg if --diag" command reports the "no files matched glob pattern '/sys/class/net/BPEth*/operstate'" error.

PRJ-56460

IoT Protect

Nano-Agent may not run in a Multi-Domain Security Management environment after using the "mdsstop ; mdsstart" command.