R81.20 Jumbo Hotfix Take 99

NEW: This Take introduces a fail-open mechanism for HTTPS Inspection with Hardware Security Module (HSM) integration. If the HSM becomes unavailable, TLS connections now automatically bypass HTTPS Inspection, ensuring continuous network connectivity.

UPDATE: Added a log print to warn about unsupported SIC reset configurations on Multi-Domain Security Management Server / Multi-Domain Log Management Server and to alert when a Domain lacks an ObjectStoreDomain, which prevents CPM from starting. Refer to sk182533.

UPDATE: Added multi-interface packet fragment reassembly support to prevent drops in Equal Cost Multipath (ECMP) environments.

UPDATE: Added information about VSX context to the mem.report. files.

UPDATE: Optimized handling of gzip encoded HTTP traffic to enhance performance under high load conditions.

UPDATE: Improved throughput of GRE tunnels configured on the ports of the 100G Acceleration Card when SecureXL works in UPPAK mode.

UPDATE: Added validation rules to ensure file names meet the required format when restoring backups using Clish.

UPDATE: NSX-T in-place upgrade is now supported. Refer to CloudGuard Network for NSX-T Security Gateway Deployment Guide.

UPDATE: Traffic between an external network host and an internal network host is now accelerated when a static NAT is configured to translate a cluster member's IP address or specific high port to an internal host IP address or specific service port. This scenario is relevant in Check Point CloudGuard Network Security Azure High Availability deployments, where traffic passes through a Load Balancer.

• To enable acceleration, add the following kernel parameter to the $FWDIR/boot/modules/fwkern.conf file - "accel_dnat_to_cluster=1".

• The change can also be applied immediately to the running FW1 process without requiring a reboot: "fw ctl set int accel_dnat_to_cluster 1".

UPDATE: New features and improvements are released in Take 125, Take 128 and Take 134 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 44 of CPviewExporter Release Updates. Refer to sk180521.

UPDATE: Added Update 21 of HealthCheck Point (HCP) Release. Refer to sk171436.

In rare scenarios:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Using the "set simple-cluster" command without the "members.add" option to add cluster members may result in recreating existing cluster members and potential loss of SIC.

Scheduled Snapshot Issues:

• Gaia may not recognize the Remote Server as a known host during scheduled backup creation, even after following sk164234 instructions.

• The "Remote server identity is not known by Gaia" error is displayed despite proper HBA configuration.

• The "set snapshot-scheduled recurrence monthly" command fails when using the "all" option.

Refer to sk182665.

Changes to a SmartConsole administrator's Authentication Server (RADIUS or TACACS) may occasionally fail to take effect.

In some scenarios, deleting a Security Gateway object fails if the Security Gateway is a participant in Global VPN Community.

In rare scenarios, Revert to Database Revision is stuck at 10%.

In some scenarios, the "show packages" Management API command with "details-level full", fails with "Null Pointer exception: null".

Execution of the "set access-rule" and "add access-rule" API commands takes a long time to complete. Refer to sk181349.

In rare scenarios, when more than one Security Blade is enabled on the Security Gateway, Install Policy Presets may fail after purging all revisions.

In some scenarios, Web SmartConsole session gets disconnected after several minutes.

Global Policy Reassignment fails with the "org.postgresql.util.PSQLException: ERROR: more than one row returned by a subquery used as an expression" error printed in the cpm.elg file.

In cloud environments, in a rare scenario, when using updatable objects in security policies, policy installation fails when the updatable objects package is missing.

In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck.

• The fix will only be applied if the upgrade to R81.20 Jumbo Hotfix Accumulator Take 99 or higher is done using a Blink image or the Advanced Upgrade method.

In environments where not all Domains are Active on the same Server (for example, in a multi-site environment), and there is no Domain Management Server for a specific Domain, logs from that Domain are not forwarded to the Infinity Portal.

In rare scenarios, the "mdsstat" command shows that the CPD process is down even though it is up and running.

In rare scenarios, after an upgrade, SmartConsole does not display logs in the Logs & Monitor tab, and the page remains blank. Refer to sk183086.

In rare scenarios, the description of IPS Logs in the Logs view may be unclear. Refer to sk182386.

The FWK process on the Security Gateway may exit when processing the HTTP traffic.

High CPU usage on SND cores related to processing network traffic and distributing it to the appropriate firewall instances.

In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow.

Running the "g_tcpdump mcap" with "-C" flag fails with the file matching or captured packets merging error.

In a rare scenario, the FWK process may exit when HTTPS Inspection is enabled and TLS connections are inspected on non-standard ports (ports other than 443 or 8080).

The FWK process may unexpectedly exit after policy installation failure.

In some scenarios, the FWK process may exit when traffic is inspected by Content Awareness.

Enabling the CoreXL Dynamic Split feature causes high CPU load on Maestro Security Group Members because of multiple "mq_mng -u" processes. Refer to sk183251.

In rare scenarios, after an upgrade, the FWK process may unexpectedly exit because of memory corruption.

When Dynamic Split is enabled, SND synchronization fails between members on Active site and Standby site, although it should occur automatically, when one of the members receives an additional SND.

VoIP H.323 calls are dropped with reason "Handler 'h323_h245_code' reject". Refer to sk182835.

PPPoE interface fails to restart when it is disconnected from the Server side. Refer to sk182154.

The "cpca_dbutil print" command may delete the provided output file content if the input file does not exist.

In a rare scenario, when fetch_by_SID is enabled, the PDPD process repeatedly exits. Refer to sk182745.

In some scenarios, a custom application does not match a URL Filtering rule.

Web protections may not properly block HTTP requests without a Host header.

In a rare scenario, an IoC feed containing a long URL type observable may not be enforced.

In some scenarios, the DNS Tunneling IPS protection does not function as expected. Refer to sk178487.

The DLPU process may exit with a core dump file.

In a specific scenario involving a long-lived SMTP connection, the memory usage allocated by the Anti-Virus blade steadily increases over time.

In specific scenarios, the Anti-Virus file type classification engine incorrectly identifies Microsoft Office documents as zip archives, leading to improper handling of these files.

A "No matching appID candidates found for 'push'" message appears when modifying push notification settings on Capsule Workspace. Refer to sk182974.

The FWK process may exit after enabling or disabling the "Same VMAC" feature. Refer to sk165674.

In a cluster environment, proxy flow error may cause repeated log messages in the fwk.elg file: "de_allocate_port: fwx_alloc_global_del failed (second try)".

Packet drops may occur if the same multicast packet is received on multiple interfaces.

SecureXL User Mode crashes if an acceleration card interface has an MTU above 9000 and receives frames larger than 9234 bytes.

Security Gateway may crash with a vmcore during next hop routing table lookups.

The "iphelper" (IP Broadcast Helper) service may trigger high CPU utilization because of a recursive packet broadcasting loop between network interfaces.

Two or more Endpoint Security VPN (Remote Access VPN) users may get the same Office Mode IP address. Refer to sk182537.

SSL Network Extender (SNX) traffic on Maestro may be dropped with "vpnk_tcpt invalid negative tunnel id". Refer to sk182806.

Multi-Portal Certificates are not updated through policy installation but only after terminating the VPND process or performing a reboot or "cpstop;cpstart". Refer to sk182583.

Capsule VPN connectivity failures may occur after a configuration change of the VPND daemon table parameters.

SNMP counters may return incorrect data on VSX.

In a rare scenario, the FWM process may exit when running the VSX creation wizard.

When Gaia's backup retention policy is configured with a maximum of one backup or a disk space allocation smaller than the backup file size, the backup process hangs and requires a device reboot. This also may cause the CONFD daemon to exit.

The ROUTED daemon fails to start when a VTI is configured with a local IP address that matches the next-hop address used in the static route configuration. Refer to sk182848.

Miscalculation of disk space may cause snapshot to fail.

In a Maestro environment with RADIUS users, accessing Maestro Hyperscale Orchestrator (MHO) through Gaia Portal generates the "ERR_EMPTY_RESPONSE" error and triggers a segmentation fault in the httpd2_error_log file, causing the Gaia Portal to go down and prevent users from managing the system through the WebUI.

Security Gateway may have an unexpected behavior when receiving VPN connection QoS outbound flows without assigned interfaces.

Activation of downgraded Security Group members may fail, preventing the rollback process performed using the "sp_upgrade --revert" command.

When running the "enabled_blades" command multiple times simultaneously, the command output may be incorrect. Refer to sk181024.

In a Maestro environment, a Security Gateway may enter a reboot loop because of sync issues of the settings.fwset file.

In rare scenarios, Interface Active check may cause a Security Gateway crash when probing a local network.

After upgrade:

• Output of the "asg diag verify" command shows in the "System Components" section that the status of the "Software Provision" test is "Failed".

• Output of the "asg diag print <ID of "Software Provision">" command shows a shell script code.

• Output of the "asg_provision" command shows a shell script code.

Changing the bond mode on Scalable Platform Security Group members may cause a MAC address mismatch on the bond interface due to a reordering of bond subordinate that does not match the database. Refer to sk182488.

VPN tunnels may be disconnected due to an error in processing IKE (Internet Key Exchange) packet flow.