R81.20 Jumbo Hotfix Take 90

Note - This Take contains all fixes from all earlier Takes.

| ID | Product | Description |
|---|---|---|
| Take 90 Released on 12 November 2024 | | |
| Take 90 - New Functionality | | |
| PRJ-56704 | Security Management | NEW: Added a new Management API command, "api stats", which displays API usage statistics. It can be run on the Security Management Server or the Multi-Domain Security Management Server. For detailed usage instructions, run "api -h". |
| PRJ-56818 | VPN | NEW: Local SCV settings can be customized per Security Gateway by creating a $FWDIR/conf/local.scv_<GW NAME> file; otherwise, the settings fall back to the standard local.scv configuration. |
| Take 90 - Improvements and Resolved Issues | | |
| PRJ-56248, PMTR-106894 | SmartConsole | UPDATE: Resolved CVE-2024-3596 (Blast-RADIUS attack). The fix covers Remote Access VPN, login to SmartConsole, Mobile Access, and the Identity Awareness Captive Portal. Refer to sk182516. |
| PRJ-56177 | Security Gateway | UPDATE: Apache HTTPD was updated from version 2.4.55 to 2.4.61 to fix: CVE-2023-31122, CVE-2023-43622, CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573. |
| PRJ-56882 | Security Management | UPDATE: JRE is updated from version 8.0_8.21 to version 8.0_8.26. |
| PRJ-55661 | Security Management | UPDATE: The "set threat-exception" Management API command now includes the "protection-or-site" parameter. When specified, this parameter adds new values to the existing list of protections or sites instead of overwriting the current entries. |
| PRJ-56611 | Logging | UPDATE: Added a count of Session and Connection logs to the "cpstat" command output. |
| PRJ-47655 | Security Gateway | UPDATE: Added the ability to increase or decrease the DNS cache table size. |
| PRJ-51951 | Security Gateway | UPDATE: Added support for log rotation of the avi_del_tmp_files.elg file. Refer to sk113241. |
| PRJ-56698 | SD-WAN | UPDATE: Improved performance and scalability in SD-WAN Monitoring. |
| PRJ-48031 | Threat Emulation | UPDATE: The maximum size of files uploaded to Threat Emulation can now be configured through the Threat Emulation API. Set the "max_api_request_data_size" attribute to specify the new limit. |
| PRJ-49053 | Identity Awareness | UPDATE: Identity Collector OIDs for SNMP queries are now available in both $CPDIR/lib/snmp/chkpnt.mib and $FWDIR/conf/identity_server.cps. |
| PRJ-57065 | SecureXL | UPDATE: |
| PRJ-56483 | SecureXL | UPDATE: Improved throughput of GRE tunnels configured on the ports of the 100G Acceleration Card. |
| PRJ-57757, PRJ-58096, ODU-2107, ODU-2083 | Automatic Updates - Web SmartConsole | UPDATE: New features and improvements are released in Take 121 and Take 123 via a self-updatable package. Refer to sk170314. |
| PRJ-57327 | Automatic Updates - HCP | UPDATE: Added Update 19 of the HealthCheck Point (HCP) Release. Refer to sk171436. |
| PRJ-57439 | Automatic Updates - Threat Extraction | UPDATE: Added Update 15 of the Threat Extraction Engine. Refer to sk165832. |
| PRJ-57705 | Automatic Updates - CPView | UPDATE: Added Take 97 of the CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
| PRJ-57709 | Automatic Updates - CPView | UPDATE: Added Take 40 of the CPviewExporter Release Updates. Refer to sk180521. |
| PRJ-56509 | Security Management | In some scenarios, the Security Management Server upgrade fails at "creating default objects and restarting services" during the import phase. |
| PRJ-56165 | Security Management | In some scenarios, the "set-exception-group applied-threat-rules.position" Management API command may add the exception group at an incorrect position. |
| PRJ-53260 | Security Management | When exporting a policy to a CSV file, the process fails silently if any rule within the policy has a name or comment in UID format. No clear error message indicates the cause of the failure. |
| PRJ-56614 | Security Management | An administrator whose authentication method was changed from "Check Point Password" to a different method in R77.X can still log in with the original Check Point password. |
| PRJ-50036 | Security Management | The "show-domains" Management API command may return partially deleted domains among the results. |
| PRJ-55669 | Security Management | Adding a host object to a network group with the "set-host" Management API command may generate large, redundant audit logs. |
| PRJ-52760 | Security Management | Audit logs may not be generated when changes are made to an inline (shared) layer that appears multiple times within the same policy. |
| PRJ-56763 | Security Management | SmartConsole may get disconnected when installing a policy on more than five hundred targets. |
| PRJ-57073 | Security Management | In rare scenarios, when exporting policy hit counts to CSV format, the "Hitcount" column may appear blank in the exported file. |
| PRJ-55832 | Security Management | Global Policy Reassignment may fail with an "An internal error has occurred" message when a custom IPS package is used or was previously used in the system. |
| PRJ-54296 | Security Management | The Database Installation progress bar may not update during task execution. |
| PRJ-56028 | Security Management | When exporting a policy to CSV with hit count enabled, if the hit count timeframe is set to anything other than "All", the "Hitcount" column in the CSV file may appear blank. |
| PRJ-55690 | Security Management | Searching the policy for a Data Center asset IP address may not return results. |
| PRJ-52454 | Security Management | In some scenarios, Access Control policy verification gets stuck at 40 percent. |
| PRJ-46463 | Security Management | In some scenarios, policy installation through the Management API with the "prepare-only" parameter set to "true" may fail with an "internal error" message. |
| PRJ-46235 | Security Management | Changing the main URL of the UserCheck Portal with the "set simple-gateway" Management API command fails with "DNS failed to resolve the hostname: gateway name. Executed command failed. Changes are discarded". |
| PRJ-54720 | Security Management | In rare scenarios, when the Application Control blade is enabled, cloning a policy may fail due to a timeout. |
| PRJ-54659 | Security Management | Several Management API commands, such as "show-package" and "install-policy", may fail when run after the deletion of a cluster member. |
| PRJ-52757 | Multi-Domain Security Management | Enabling IPS on a Multi-Domain Security Management Server may cause Threat Prevention policy installations to fail due to a legacy IPS multi-profile incompatibility. |
| PRJ-56541 | Multi-Domain Security Management | In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all Domains. |
| PRJ-55787 | Multi-Domain Security Management | Global Domain Assignment fails with an "Internal Error" message when performed on a Multi-Domain Security Management Server containing over 32,000 revisions. |
| PRJ-55705 | Multi-Domain Security Management | In rare scenarios, objects are missing from the Gateways & Servers view at the Multi-Domain Security Management level. Refer to sk182641. |
| PRJ-53994 | Multi-Domain Security Management | In some scenarios, Domain deletion may fail with a "delete domain failed: null" message. |
| PRJ-55932 | Multi-Domain Security Management | In rare scenarios, login to a Domain from the System Domain in SmartConsole fails with "Login to the Domain domainName failed. Try again, or connect directly to the Domain using its IP address domainIp". |
| PRJ-56531 | Multi-Domain Security Management | The Multi-Domain Security Management Server experiences high CPU usage when communicating with the Multi-Domain Log Server, and the cpm.elg log prints the "You have reached the maximum number of active session" error. Refer to sk182738. |
| PRJ-56712 | Multi-Domain Security Management | In some scenarios, cpmiquerybin core files may appear in /var/log/dump/usermode/ on the Security Management Server. |
| PRJ-47879 | SmartConsole | The "show lsm-cluster" Management API command fails with a "Null Pointer exception: null" message if the "membersNetworkOverride" field is empty. |
| PRJ-57309 | SmartConsole | SmartConsole fails to connect with "Unable to connect to server. Server is initializing". Refer to sk182507. |
| PRJ-57421 | SmartConsole | In some scenarios, opening a new tab in the SmartConsole Logging & Monitoring view fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732. |
| PRJ-50432 | Logging | In rare scenarios, CPU consumption on the Security Management Server is high and logs are not displayed. |
| PRJ-51694 | Logging | In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole, but the new Log Exporter object is not actually created. |
| PRJ-56644 | Security Gateway | In rare scenarios, the FWK process may unexpectedly exit when the IPS / Application Control / Anti-Virus / Anti-Bot blade is active and the HyperFlow feature is enabled. |
| PRJ-56732 | Security Gateway | The "asg monitor" command may show the Security Gateway in the "during upgrade" state although a major downgrade has completed. |
| PRJ-54070 | Security Gateway | Changing the NAT settings of a host with the "set-host" Management API command succeeds but has no effect unless both the "ipv4-address" and "ipv6-address" parameters are set. |
| PRJ-56701 | Security Gateway | Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725. |
| PRJ-57351 | Security Gateway | When SecureXL User Mode (UPPAK) is enabled and Passive/Active Streaming is used with QoS, the Security Gateway may incorrectly drop some traffic. |
| PRJ-57254 | Security Gateway | In some scenarios, the Security Gateway does not free some packets, causing a memory leak. |
| PRJ-54119 | Security Gateway | In a rare scenario, the FWK process may exit when cluster connection synchronization fails. |
| PRJ-56722 | Security Gateway | The Security Gateway may crash during large memory allocation operations in specific applications. |
| PRJ-57371 | Security Gateway | When adding a new Virtual System, a CPD core dump file may be generated. |
| PRJ-53810 | Security Gateway | The Security Gateway may crash after a policy installation failure. |
| PRJ-58099, PMTR-109857 | Security Gateway | Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807. See the Important Notes section. |
| PRJ-57097, PRHF-36117 | SD-WAN | In a rare scenario, when an SD-WAN transport is incorrectly marked "UP" although its underlying ISP interface is "DOWN", traffic fails to reach the remote peer because of incorrect routing decisions. |
| PRJ-57115 | Threat Prevention | Threat Prevention policy installation may fail because of invalid JSON in the IoC feed feature configuration file. Refer to sk181650. |
| PRJ-57667 | Threat Prevention | Threat Prevention policy installation may fail when installing from R81.20 SmartConsole on an R80.x Security Gateway. |
| PRJ-55888 | Threat Prevention | In some scenarios, when loading large IoC IP feeds, policy installation may fail with "Installation failed. Reason: Policy install commit function was unsuccessful due to timeout" because of the large IP address list. |
| PRJ-55377 | Threat Prevention | In some scenarios, the TPD daemon may cause high CPU usage because of a large volume of logs. |
| PRJ-56328 | Threat Prevention | In a rare scenario, the Security Gateway may crash during traffic inspection while holding a connection. |
| PRJ-50243 | Threat Prevention | In a rare scenario, Anti-Bot and Anti-Virus packages may be shown as not updated in SmartConsole even though the packages are updated. |
| PRJ-57006, PRHF-35823 | Threat Prevention | In some scenarios, when Zero Phishing is enabled, a kernel crash may occur. |
| PRJ-53590 | Identity Awareness | In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Groups beyond this limit are disregarded when determining the user's access roles. |
| PRJ-56360 | Application Control | The fwk.elg file may be flooded with "DNS_DATA_SOURCE failed on context 201, executing context 366 exception" messages. Refer to sk182606. |
| PRJ-54431 | IPS | In a rare scenario, when IPS is enabled and logging is enabled on a rule that involves IPS, physical memory usage may increase rapidly. |
| PRJ-56624, PMTR-107215 | IPS | IPS may drop an IPv6 TCP local connection. |
| PRJ-53833 | Anti-Virus | In a rare scenario, when Anti-Virus is enabled, a memory leak in the FWK process may occur on the Security Gateway. |
| PRJ-56717 | Anti-Virus | High volumes of simultaneous requests for the same domain or URL may cause the Anti-Virus blade to put excessive load on the RAD daemon, leading to increased latency. |
| PRJ-56042 | Anti-Virus | In some scenarios, Anti-Virus blade logs on a VSX Gateway may display an incorrect origin IP address. |
| PRJ-55984, PRHF-36838, PRHF-35476 | Anti-Virus | Anti-Virus may execute unnecessary load_sigs operations when loading external IoC feeds. |
| PRJ-58112, PMTR-102962 | ClusterXL | VSX Cluster Members with VLAN interfaces change their cluster state to "Down" and "Active!" after installing R81.20 Jumbo Hotfix Accumulator Take 89. Refer to sk182819. See the Important Notes section. |
| PRJ-56599 | SecureXL | IPX traffic over an interface in Bridge Mode may be dropped when SecureXL User Mode (UPPAK) is in use. Refer to sk182623. |
| PRJ-56480 | SecureXL | In some scenarios, the VSX cluster can take extra time to boot up and activate the Virtual Systems. |
| PRJ-57488 | SecureXL | When working with Jumbo Frames in SecureXL User Mode (UPPAK) on Quantum Force 9000 series appliances, incorrect memory allocation calculations may cause intermittent link failures. Refer to sk182825. |
| PRJ-57430 | SecureXL | When SecureXL User Mode (UPPAK) is enabled and ESP traffic is running, packet loss may occur and the "fwconn_key_init_links failed" error is printed. Refer to sk182775. |
| PRJ-56828 | SecureXL | The USIM process may fail if CPView statistics are collected during the "cpstop" operation for VSX. |
| PRJ-57001, PRJ-57252, PRJ-57250 | SecureXL | In some scenarios, the Security Gateway may crash when SecureXL User Mode (UPPAK) is enabled. |
| PRJ-57464 | SecureXL | In some scenarios with low TCP traffic, CPU usage is high when SecureXL User Mode (UPPAK) is enabled. |
| PRJ-57614 | SecureXL | The USIM process may unexpectedly exit when these parameters are enabled in the $PPKDIR/conf/simkern.conf file: |
| PRJ-56945 | SecureXL | The USIM process exits when attempting to delete an IP address from an empty deny list if that IP address exists in any other deny list (including the regular deny list or those using IoC feeds). |
| PRJ-56904 | Routing | The ROUTED daemon may exit with a core dump during a BGP or OSPF restart. |
| PRJ-56525 | Routing | In a ClusterXL environment, a race condition may occur when BGP Graceful Restart is incorrectly configured. If the feature is enabled for some peers but not others, it may lead to permanent loss of network routes. |
| PRJ-49210 | VPN | Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of the medium path, Quality of Service (QoS) controls, and VPN. |
| PRJ-52893 | VPN | The FWK process may exit when Monitor Mode is enabled on one of the interfaces. |
| PRJ-51351 | VPN | Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason. |
| PRJ-50157, PMTR-93643 | VPN | When working with iOS devices, after a VPN connection is established and the device subsequently disconnects, the "vpn tu tlist" command may display an incorrect device connection status, indicating that the device is still connected. |
| PRJ-55887 | VSX | Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment. |
| PRJ-57814 | VSX | Multi-Queue configuration does not survive a reboot on VSX. Refer to sk173950. |
| PRJ-56480, PMTR-107271 | VSX | In some scenarios, the VSX cluster can take extra time to boot up and activate the Virtual Systems. |
| PRJ-52908 | Gaia OS | In some scenarios, when MDPS is enabled, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth7 instead" message appears in /var/log/messages. |
| PRJ-54462 | Gaia OS | Traffic from a host behind a Virtual System in a VSX Cluster / Scalable Platform Security Group in VSX mode does not reach its destination. Refer to sk180441. |
| PRJ-55374 | Gaia OS | Running the "snmpwalk" command on OID .1.3.6.1.4.1.2620.1.6.23 causes snmpwalk on OID 1.3.6.1.4.1.2620.1.6.7.6.1 to show wrong output. Refer to sk182315. |
| PRJ-55306 | Gaia OS | The "cpviewd: unable to read from gpio_nuvoton driver module" and "snmpd: unable to read from gpio_nuvoton driver module" messages may be printed in /var/log/messages. |
| PRJ-56121 | Gaia OS | The "Unable to connect to the server, Press OK to reconnect" error is displayed when opening the Network Interfaces tab in the Gaia Portal. Refer to sk182560. |
| PRJ-56054 | Gaia OS | Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds. |
| PRJ-56874 | Harmony Endpoint | During patch deployment in Posture Management, attempting to patch multiple systems for a specific application using the "Group By Application" option fails with the "Failed to Start Patching Process" error. |
| PRJ-57132 | Harmony Endpoint | The $UEPMDIR/engine/uepm-jms-data directory can grow because queued requests accumulate on the Server. |
| PRJ-55684 | Smart-1 Cloud | When creating multiple Interoperable Devices with dynamic IP addresses, duplicate IP addresses may be assigned to the Interoperable Devices. Refer to sk181834. |
| PRJ-44697 | Scalable Platforms | When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" together with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only. |
| PRJ-56368 | Scalable Platforms | The VSX Gateway may cause traffic interruption when SecureXL User Mode (UPPAK) is enabled on systems with multiple physical interfaces. |
| PRJ-56969 | Scalable Platforms | After an upgrade on Quantum Maestro and Scalable Chassis, when working in SecureXL User Mode (UPPAK), policy installation may fail. |
| PRJ-55429 | Scalable Platforms | Disabling the Maestro Fastforward feature may result in an error. |
| PRJ-48867 | Scalable Platforms | Using Image Cloning when the same VMAC feature is enabled may cause a boot loop. |
| PRJ-46194 | Scalable Platforms | In a Maestro environment, when MDPS is enabled, the "asg if --diag" command reports the "no files matched glob pattern "/sys/class/net/BPEth*/operstate"" error. |
| PRJ-56460 | IoT Protect | Nano-Agent may not run in a Multi-Domain Security Management environment after using the "mdsstop ; mdsstart" command. |