List of All Resolved Issues and New Features in R81 Jumbo Hotfix Accumulator
|
Review the Important Notes section before installing a new Take.
This version reached its End of Support. If you are using this version (or lower), we strongly recommend you to upgrade your environments |
Take | Available Since | Recommended Since |
---|---|---|
22 Oct 2024 |
- |
|
05 Jun 2024 |
16 Jun 2024 |
|
04 Jan 2024 |
15 Jan 2024 |
|
23 Nov 2023 |
- |
|
27 Jun 2023 |
02 Aug 2023 |
|
22 Mar 2023 |
08 May 2023 |
|
19 Jan 2023 |
08 Feb 2023 |
|
09 Jan 2023 |
- | |
06 Nov 2022 |
01 Jan 2023 |
|
13 Oct 2022 |
24 Oct 2022 |
|
01 Sep 2022 |
- |
|
23 Jun 2022 |
22 Aug 2022 |
|
27 Apr 2022 |
12 Jun 2022 |
|
11 Apr 2022 |
24 Apr 2022 |
|
15 Mar 2022 |
- |
|
22 Feb 2022 |
02 Mar 2022 |
|
17 Jan 2022 |
- |
|
29 Dec 2021 |
- |
|
29 Sep 2021 |
12 Oct 2021 |
|
01 Sep 2021 |
- |
|
19 July 2021 |
26 Jul 2021 |
|
27 Jun 2021 |
- |
|
24 May 2021 |
29 Jun 2021 |
|
26 Apr 2021 |
- |
|
08 Apr 2021 |
- |
|
25 Mar 2021 |
05 Apr 2021 |
|
01 Mar 2021 |
- |
|
08 Feb 2021 |
- |
|
26 Jan 2021 |
- |
|
14 Dec 2020 |
- |
ID |
Product |
Description |
---|---|---|
Take 106 Released on 22 October 2024 |
||
Take 106 - New Functionality
|
||
PRJ-36319, PRHF-21090 |
Security Gateway |
NEW: Implemented support for LDAP queries using Windows Security Identifiers (SIDs) as search criteria. |
PRJ-52384, |
Harmony Endpoint |
NEW: Threat Emulation in Endpoint Security Clients version E87.60 and higher now supports the ONE, XAR, and WSF file formats. |
Take 106 - Improvements and Resolved Issues
|
||
PRJ-51534, PRJ-56315, PMTR-106774, PMTR-97312 |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.61 to fix: CVE-2023-31122, CVE-2023-43622, CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573. |
PRJ-54681, PMTR-104266 |
Mobile Access |
UPDATE: Resolved CVE-2024-31497. The Putty version used in the Mobile Access Portal Embedded SSL Network Extender application is upgraded from version 0.80 to version 0.81. |
PRJ-55314, |
Gaia OS |
UPDATE: A patch on top of OpenSSL 1.1.1w to fix CVE-2024-2511. Refer to sk182320. |
PRJ-56225, PMTR-106852 |
Gaia OS |
UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. |
PRJ-56468, PMTR-107058 |
Gaia OS |
UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Refer to sk182516 > Login to Gaia Portal. |
PRJ-52930, |
Security Management |
UPDATE: When deleting a Secondary Multi-Domain Security Management Server, SmartConsole now shows an "After MDS '<MDS name>' is deleted, you should delete the Secondary Domain Servers from the Domains and revoke their certificates" message. |
PRJ-52402, PMTR-99617 |
Security Management |
UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism. |
PRJ-53937, |
Security Management |
UPDATE: Modified the content of the https://<ip_adress>/license_management/ page. |
PRJ-54494, |
Security Management |
UPDATE: JRE is updated from version 8.0_8.10 to version 8.0_8.21. |
PRJ-54418, PRHF-33584 |
Security Management |
UPDATE: Policy installation duration with hundreds of layers is improved by approximately 30%. |
PRJ-55659, |
Security Management |
UPDATE: The "set threat-exception" Management API command now includes the "protection-or-site" parameter. When specified, this parameter adds new values to the existing list of protections or sites, instead of overwriting the current entries. |
PRJ-50773, |
Logging |
UPDATE: Port 8211 now accepts connections with the cipher ECDHE_RSA_AES_256_GCM_SHA384. |
PRJ-47653, |
Security Gateway |
UPDATE: Added ability to increase/decrease DNS cache table size. |
PRJ-54297, |
Security Gateway |
UPDATE: Added a new environment variable "IMPLIED_RULES_SET_BEFORE_LAST". It defines if Multi-Portal implied rules should be matched as "before drop" or "before last". The default value is "0", set to "before drop". When the value is set to "1", implied rules will be matched as "before last". Refer to sk180808. |
PRJ-47653, PRHF-29103 |
Security Gateway |
UPDATE: Added ability to increase/decrease DNS cache table size. |
PRJ-51172, PMTR-97400 |
Security Gateway |
UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL. |
PRJ-55745, PMTR-104855 |
Threat Prevention |
UPDATE: Added the "trackSettings.forensics" parameter to the "threat-rule" Management API command to enable and disable the "forensics" option in the "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true". |
PRJ-48029, |
Threat Emulation |
UPDATE: The maximum size for files uploaded to Threat Emulation can now be configured using the Threat Emulation API. Set the "max_api_request_data_size" attribute to specify the new limit. |
PRJ-53917, |
URL Filtering |
UPDATE: When URL Filtering operates in Background Mode and encounters an unclassified connection, instead of being approved automatically, such connection is now accepted or rejected based on Access Rule Base execution, and listed under the "unknown" category. |
PRJ-54136, PMTR-103001 |
SSL Inspection |
UPDATE: Added a log for connections rejected because of short Server certificate public key size (RSA 1024 bits or less, ECDSA 256 bits or less). |
PRJ-54339, |
SSL Network Extender |
UPDATE: SSL Network Extender is updated to version 80008409. |
PRJ-51530, |
Mobile Access |
UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices. |
PRJ-55727, |
VPN |
UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1". |
PRJ-54670, |
VoIP |
UPDATE: SIP over UDP requests and responses may be dispatched to different firewall instances when a single-direction rule is defined in the Rule Base, potentially causing returned SIP traffic to be dropped as an unknown connection. To address this, a new global parameter "sip_forward_if_needed" is introduced (disabled by default). When enabled, the Security Gateway forwards responses to the appropriate request instances. Refer to sk182667. |
PRJ-55915, |
CloudGuard Network |
UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-56191, PRJ-55685, PRJ-55299, PRJ-56681, PRJ-57027, PRJ-57261, ODU-2035, ODU-2019, ODU-1955, ODU-1755, ODU-1779, ODU-1787 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 104, Take 111, Take 114, Take 118, Take 119, Take 120 via self-updatable package. Refer to sk170314. |
PRJ-56055, PRJ-55580, PRJ-57329, ODU-1979, ODU-1803, ODU-1923 |
Automatic Updates - HCP |
UPDATE: Added Update 18 and Update 19 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-55912, |
Automatic Updates - CPView |
UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-50934, |
Security Management |
SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.
|
PRJ-53452, |
Security Management |
Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".
|
PRJ-54003, |
Security Management |
In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".
|
PRJ-51119, |
Security Management |
In rare scenarios, if a Star VPN Community object is created, publish operations may fail. |
PRJ-50842, |
Security Management |
Export of a list of objects from the Global Object Explorer fails with the "Export policy is not supported when rule name is in a format of UUID" error message. |
PRJ-53505, |
Security Management |
After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and are unable to perform certain management tasks, such as enabling or disabling blades. |
PRJ-52898, PRHF-30884 |
Security Management |
Log queries fail with the error "Problems have occurred during search" when Domain migration is in progress. This occurs specifically during the execution of "export-management" or "import-management" Management API commands. |
PRJ-53500, |
Security Management |
In some scenarios, SmartConsole may unexpectedly disconnect. |
PRJ-52887, |
Security Management |
"Mapping of Data Center [xxxx] failed. Next mapping is in 300 seconds" errors in the CME logs show failed attempts to scan deleted data centers. |
PRJ-56148, PRHF-35183 |
Security Management |
When Compliance is enabled, the FWM process may unexpectedly exit and generate a core dump. Refer to sk182507. See the Important Notes section. |
PRJ-56854, PRHF-34283 |
Security Management |
In some scenarios, the FWM process may unexpectedly exit and generate a core dump every few days, when Compliance is enabled and the scheduled full scan is not configured according to sk182507. |
PRJ-52432, |
Security Management |
When Global Domain Assignment fails with the "More than one object named 'XXX' exists" error, not all duplicate objects are listed. |
PRJ-53893, |
Security Management |
In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually. |
PRJ-53339, |
Security Management |
When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string&CURRENTVERCMP" error. |
PRJ-49581, |
Security Management |
In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted. |
PRJ-48935, |
Security Management |
The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set. |
PRJ-55333, PRHF-33993 |
Security Management |
In rare scenarios, login to SmartView web application using the Domain IP address or Domain name fails. |
PRJ-55521, |
Security Management |
In rare scenarios, the CPD process may exit with core dumps. |
PRJ-55330, PRHF-34049 |
Security Management |
If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance. |
PRJ-56163, |
Security Management |
In some scenarios, the "set-exception-group applied-threat-rules.position" Management API command may add the exception group to an incorrect position. |
PRJ-53258, |
Security Management |
When exporting a policy to a CSV file, the process fails silently if any rule within the policy has a name or comment in UID format. No clear error message is provided to indicate the cause of the failure. |
PRJ-55479, |
Security Management |
In rare scenarios, when Application Control is enabled, cloning a policy may fail due to timeout. |
PRJ-54657, |
Security Management |
Several Management API commands, such as "show-package" and "install-policy", may fail if running them after the deletion of a cluster member. |
PRJ-56710, |
Multi-Domain Security Management |
In some scenarios, cpmiquerybin core files may appear in /var/log/dump/usermode/ on the Security Management Server. |
PRJ-53550, |
Multi-Domain Security Management |
When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY". |
PRJ-50779, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, there may be synchronization timeout errors, and automatic revisions purge may fail. |
PRJ-57442, |
SmartConsole |
In some scenarios, opening new tab in SmartConsole Logging & Monitoring tab fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732. |
PRJ-42133, PRHF-25935 |
CPView |
In a rare scenario, when running the CPView utility, the Security Gateway may crash. |
PRJ-55951, |
Logging |
In rare scenarios, CPU consumption on the Security Management Server is high and logs are not displayed. |
PRJ-46847, PRJ-46579 |
Logging |
RAD error messages may be printed to the fwk.elg file during cpstop:cpstart on the Security Gateway. The issue is cosmetic only. |
PRJ-51442, |
Logging |
The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB). |
PRJ-50693, |
Logging |
In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800. |
PRJ-51428, |
Logging |
In some scenarios, in Multi-Domain Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied. |
PRJ-51515, |
Logging |
Log searches for the same time period may return more results in SmartConsole compared to SmartView. |
PRJ-51274, PRHF-31323, PRJ-53217, PRHF-32587 |
Logging |
When adding a table widget to a SmartView report:
|
PRJ-51692, |
Logging |
In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole. However, the new Log Exporter object is not actually generated. |
PRJ-52462, |
Logging |
In SmartView, filtering logs by "event_type" may fail with the "Query failed" error. |
PRJ-54059, |
Logging |
In rare scenarios, empty log list may be displayed when selecting a log file to view in SmartConsole. |
PRJ-50260, |
Logging |
In SmartView, some countries are not displayed in the countries picker. |
PRJ-33619, |
Logging |
Log Exporter may unexpectedly exit when using a non-RSA certificate. |
PRJ-44793, |
Logging |
In rare scenarios, the FWD process on the Security Gateway may reach out of memory and produce a core dump file of around 3GB. |
PRJ-52939, PRHF-32194 |
Logging |
In the Logs view, the "TCP-other" and "UDP-other" services are displayed as generic service IDs, for example, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477". |
PRJ-54062, |
Logging |
In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file. |
PRJ-48770, |
Logging |
The "show logs" Management API command may show partial information for the fields with multiple values. |
PRJ-50614, |
Logging |
The FWD process may exit and cause issues with opening packet capture files on remote members. |
PRJ-51968, |
Security Gateway |
The CPWD daemon does not restart automatically. |
PRJ-53073, |
Security Gateway |
In some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID". |
PRJ-48815, |
Security Gateway |
After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found". |
PRJ-46888, |
Security Gateway |
In some scenarios, the registry value of "fwisusfw" settings is not set correctly which may impact VSX configurations. Refer to sk182004. |
PRJ-52677, |
Security Gateway |
Running GTP traffic may cause a crash on a Security Gateway without a GTP license. |
PRJ-54413, |
Security Gateway |
In a VSX Cluster environment, the CPVIEWD daemon may cause a high CPU. |
PRJ-56166, PMTR-98475 |
Security Gateway |
The RAD process exits and creates a core file on the Security Gateway. |
PRJ-45949, PRHF-28371 |
Security Gateway |
During policy installation, Rule Base internal error drops may be shown in the SmartConsole logs. Logs related to "dynobjs" may be printed in Messages. |
PRJ-48103, PRHF-29616 |
Security Gateway |
Outages may occur when the FWD process exits or restarts and Security Group member goes down triggering Scalable Chassis failover. |
PRJ-55938, |
Security Gateway |
A minor memory leak in a process related to the Unified Access Policy Rule Base. |
PRJ-52772, |
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit. |
PRJ-49900, |
Security Gateway |
Kernel Memory usage increases persistently each day on a Security Gateway/Security Group when CGNAT is enabled. Refer to sk182140. |
PRJ-53626, |
Security Gateway |
A memory issue may occur in a cluster environment, when SIP inspection is enabled. |
PRJ-51437, |
Security Gateway |
A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart. |
PRJ-55516, PMTR-105145 |
Security Gateway |
See the Important Notes section. |
PRJ-54527, |
Security Gateway |
In some scenarios, the Security Gateway offloads connections to SecureXL in error when the initial route lookup could not find a route for it. |
PRJ-54626, |
Security Gateway |
In some scenarios, adding sequential IP addresses as MDPS task addresses may fail. |
PRJ-55577, PMTR-104837 |
Security Gateway |
A buffer overflow may occur in the HTTP flow, affecting the FWK process. |
PRJ-57106, PRHF-36116 |
Security Gateway |
Memory leak may occur in SecureXL templates. Refer to sk182648. See the Important Notes section. |
PRJ-53808, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-56642, |
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit when the IPS / Application Control / Anti-Virus / Anti-Bot is active and the HyperFlow feature is enabled. |
PRJ-52645, |
Internal CA |
CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released. CPCA closes the connection prematurely. |
PRJ-48308, |
Threat Prevention |
In rare scenarios, when Anti-Virus, Threat Extraction and Threat Emulation are enabled, some connections that were on hold are dropped. |
PRJ-53910, |
Threat Prevention |
SSH DPI may not work because of incorrect parsing of the client hello from a non-standard SSH client. |
PRJ-56094, PMTR-106568 |
Threat Prevention |
SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other Threat Prevention products are disabled. |
PRJ-50699, |
Threat Prevention |
Anti-Virus fails to parse IoC feeds that contain IPv6 addresses. |
PRJ-51055, |
Threat Prevention |
Threat Prevention policy installation may fail because of invalid JSON format in the IoC feed feature configuration file. Refer to sk181650. |
PRJ-55765, PMTR-104381 |
Threat Prevention |
In rare scenarios, policy installation may fail after an upgrade of a VSX Gateway. |
PRJ-55987, PMTR-104285 |
Threat Prevention |
In a rare scenario, Threat Prevention policy installation may fail after an over-the-air (OTA) package update of TP_CONF_SERVICE. Refer to sk182572. |
PRJ-53199, |
Threat Prevention |
In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops. |
PRJ-56330, |
Threat Prevention |
In a rare scenario, the Security Gateway may crash during traffic inspection when holding a connection. |
PRJ-51490, PRHF-31582 |
Threat Emulation |
When using ICAP, filename handling occasionally fails. As a result Threat Emulation may not be able to process this specific file. |
PRJ-46347, PRHF-27721 |
Threat Emulation |
The ICAP client may send the file name under "Content-Disposition" in an unsupported format written as "filename*=" instead of "filename=", and the Threat Emulation does not process such files. |
PRJ-46488, |
Identity Awareness |
Policy Enforcement Point (PEP) logs show a username after the user session is expired. Refer to sk181553. |
PRJ-53588, |
Identity Awareness |
In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Any groups beyond this limit are disregarded when determining user access roles. |
PRJ-51339, |
Identity Awareness |
In some scenarios, the PEPD process may consume a high CPU because of a high rate of identity propagation. |
PRJ-35859, |
Identity Awareness |
Microsoft Azure Active Directory does not fetch users in the Access Role object and shows "The user directory is still initializing". Refer to sk175983. |
PRJ-56512, |
Application Control |
The fwk.elg file may be flooded with the "DNS_DATA_SOURCE failed on context 201, executing context 366 exception" messages. |
PRJ-55458, PRHF-34098 |
URL Filtering |
In scenarios where there is a heavy load on the machine, the RAD queue can fill up and get clogged by unhandled requests, causing an outage and traffic disruption. |
PRJ-56622, PMTR-107215 |
IPS |
IPS may drop an IPv6 TCP local connection. |
PRJ-54429, |
IPS |
In a rare scenario, when IPS is enabled and logging on a rule that involves IPS is enabled, physical memory usage may rapidly increase. |
PRJ-43102, |
DLP |
Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs. |
PRJ-50979, |
Anti-Virus |
Anti-Virus may enforce observables from IoC feeds although they were deactivated in SmartConsole. |
PRJ-53126, |
Anti-Virus |
The DLPU process may unexpectedly exit due to uninitialized memory when Anti-Virus scans files. Refer to sk182030. |
PRJ-56040, |
Anti-Virus |
In some scenarios, the Anti-Virus logs on a VSX Gateway may display an incorrect origin IP address. |
PRJ-54194, PRHF-31001 |
Anti-Bot |
Anti-Bot may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494. |
PRJ-52977, |
Mobile Access |
Enabling the "cvpnd" debug causes the reverseproxy_ssl_debug.log file size to continue growing even after the "reverse proxy" debug is off. |
PRJ-51152, |
Mobile Access |
Web Application names column width is too narrow to fit in the Mobile Access Portal. Refer to sk181774. |
PRJ-54443, PMTR-103889 |
Mobile Access |
HTTPS access to the Mobile Access Portal may be down. |
PRJ-54639, |
Mobile Access |
The HTTPD process of the Mobile Access Portal may exit with a core dump file. |
PRJ-56220, PRHF-35271 |
Mobile Access |
The "citrixStrictTicketEnforcement" parameter set in the configuration file may not work as expected. |
PRJ-42807, |
ClusterXL |
Cluster members may crash, generating vmcores in /var/log/crash. |
PRJ-54168, |
ClusterXL |
In rare scenarios, in a cluster environment, the CPDiag tool may crash. |
PRJ-55632, PRHF-27989 |
ClusterXL |
After modifying a bond, the Monitored VLANs may disappear. Refer to sk180724. |
PRJ-54329, |
SecureXL |
In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out. |
PRJ-54426, |
SecureXL |
In some scenarios, the VSX Gateway does not initialize the Virtual System correctly when connected to a Virtual Router or Virtual Switch. |
PRJ-54321, |
SecureXL |
In some scenarios, traffic with Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSXGateway. |
PRJ-53059, |
SecureXL |
During the deny list update process, there is a temporary gap where no IP addresses are blocked, allowing unwanted traffic to pass through the Security Gateway unfiltered. |
PRJ-54423, |
SecureXL |
In some scenarios, the VSX Gateway may fail to properly reroute traffic originating from a Virtual Switch. |
PRJ-56009, PRHF-34987 |
SecureXL |
In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures. |
PRJ-51109, PMTR-97788 |
SecureXL |
SYN Defender configuration in Inspection Settings on the Security Management Server may not be applied on Accelerated Policy installation. |
PRJ-56805, |
SecureXL |
When the VSX Gateway is created, the parameter that determines whether VSX mode is enabled or disabled is not set in SecureXL configuration until a reboot is performed. |
PRJ-56523, |
Routing |
In a ClusterXL environment, a race condition may occur when BGP Graceful Restart is incorrectly configured. If the feature is enabled for some peers but not others, it may lead to permanent loss of network routes. |
PRJ-55342, |
Routing |
OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks due to the omission of an "IP-Address" field in the grace LSA. |
PRJ-54601, |
Routing |
Routing BFD sessions using IPv6 global addresses on single-hop interfaces fail to recover after the network interface is administratively disabled and re-enabled. |
PRJ-53826, |
Routing |
A multicast outage may occur during failovers caused by interface flaps. |
PRJ-53854, |
Routing |
ROUTED process assert failure may take place when LSA from a neighbor's retransmission list is freed if that LSA belongs to the max age hold tree that is flooded at max age. |
PRJ-54406, |
Routing |
A multicast outage may occur after a failover triggered by incomplete processing of cluster synchronization messages. |
PRJ-53170, |
Routing |
The ROUTED process may unexpectedly exit because of an OSPF assertion failure. |
PRJ-53173, PMTR-101331 |
Routing |
Graceful Restart may end prematurely in OSPF NSSA areas. |
PRJ-56431, PMTR-107256 |
Routing |
Dynamic Routing outage in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation / uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556. |
PRJ-56052, |
Gaia OS |
Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds. |
PRJ-56119, |
Gaia OS |
The "Unable to connect to the server, Press OK to reconnect" error is displayed when opening the Network Interfaces tab in the Gaia Portal. Refer to sk182560. |
PRJ-55304, |
Gaia OS |
The "cpviewd: unable to read from gpio_nuvoton driver module. snmpd: unable to read from gpio_nuvoton driver module" messages may be printed in /var/log/messages. |
PRJ-52414, PRHF-31929 |
Gaia OS |
SNMP query for OID 1.3.6.1.4.1.2620.1.6.7.5.1.5 (CPU utilization per CPU core) and the "cpstat os -f cpu" command may return an incorrect value. Refer to sk182447. |
PRJ-54435 |
Gaia OS |
After a Jumbo Hotfix Accumulator upgrade, login notifier may be enabled, although it was disabled before the upgrade. |
PRJ-54178, |
Gaia OS |
Removing unused built-in user called "cp_ender" that may appear in Gaia OS after an upgrade. Refer to sk182185. |
PRJ-41989, |
Gaia OS |
Trap names duplications in chkpnt.mib and chkpnt-trap.mib may cause incorrect values when using SNMP traps. |
PRJ-51349, |
VPN |
Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason. |
PRJ-55486, |
VPN |
During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them. |
PRJ-53847, |
VPN |
After an update, if in VPN if configured with Permanent Tunnels enabled, RAM utilization may increase. |
PRJ-55291, |
VPN |
Configuring a Large Scale VPN (LSV) with IPv6 and establishing a VPN tunnel may cause the FWK process to exit. |
PRJ-53011, PMTR-100991 |
VPN |
The FWK process may crash when establishing multiple VPN tunnels simultaneously at peak rates. |
PRJ-49208, PRHF-30241 |
VPN |
Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of medium path, Quality of Service (QoS) controls, and VPN. |
PRJ-50088, PMTR-90101 |
VPN |
By default, the VPN permanent tunnel is configured to use "tunnel test" instead of "DPD". This configuration may cause inaccurate permanent tunnel status reporting when connecting to third-party devices. |
PRJ-56038, PRJ-55986 |
VPN |
During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big". |
PRJ-51018, |
VPN |
Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783. |
PRJ-53713, |
VPN |
Tunnel testing fails after an upgrade. Refer to sk182267. |
PRJ-53382, |
VPN |
IPv6 non-VPN traffic may be dropped with "Clear text packet should be encrypted". |
PRJ-52828, |
VPN |
In a rare scenario, in a Maestro environment, the first packet of the VPN tunnel is lost or has a large delay. |
PRJ-50155, PMTR-93643 |
VPN |
When working with iOS devices, after establishing a VPN connection and subsequently disconnecting devices, the "vpn tu tlist" command may display an incorrect device connection status, indicating that a device is still connected. |
PRJ-54679, PMTR-104230 |
Multi-Portal |
Under a special routing configuration, an active Cluster member may accept portal traffic (on TCP ports 80 and 443) destined to a Standby member IP address. |
PRJ-55885, |
VSX |
Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment. |
PRJ-53116, |
VSX |
In a VSX Cluster with IPv6 enabled, after an upgrade, VS's without IPv6 address may fail to install the Access policy. |
PRJ-54596, |
VSX |
In rare scenarios, the CPD process of the default Virtual System on a VSX Gateway (VS0) gets stuck. |
PRJ-56671, PRHF-35637 |
VSX |
Memory corruption may occur when a bond interface is configured, leading to a Security Gateway crash with a vmcore or a boot loop. |
PRJ-57815, |
VSX |
Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950. |
PRJ-47806, |
CloudGuard Network |
In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state. |
PRJ-44695, |
Scalable Platforms |
When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only. |
PRJ-55568, |
Scalable Platforms |
Traffic outage after policy installation on a Maestro Security Group in the VSX mode that works in the Dual Site configuration. Refer to sk182379. |
PRJ-53081, |
Scalable Platforms |
Redundant "MHO_stateAgent[3230]: QuidAddon: System not ready yet - attempting to re-init" messages in the /var/log/messages file. |
PRJ-29746, |
Scalable Platforms |
When configuring backup-scheduled/snapshot recurrence via gClish shell with "The <name> job already exists. Please choose another name. Backup schedule failed. The backup will not be scheduled". |
PRJ-49846, |
Scalable Platforms |
Site to Site VPN traffic may be interrupted after installing policy with VSLS. |
PRJ-57437, PRHF-36390 |
Scalable Platforms |
In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connection going through a Site to Site VPN to a remote location, may be dropped with "First packet isn't SYN". See the Important Notes section. |
PRJ-50624, |
Carrier Security |
|
Take 99 Published on 05 June 2024 and declared as Recommended on 16 June 2024 |
||
Take 99 - New Functionality
|
||
PRJ-50102, |
Diagnostics |
NEW: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository. |
PRJ-51032 |
Security Management |
NEW: Added ability for R81 Security Management or Multi-Domain Server to manage 19000 and 29000 Check Point appliances.
|
PRJ-51434, |
SSL Inspection |
NEW: Added ability to import PKCS#12 files using AES-256-CBC encryption with PBKDF2-HMAC-SHA-256. This enhancement is designed for use in multi-portal environments and HTTPS Inspection scenarios. |
PRJ-49831, |
Application Control |
NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol. This ability is enabled by default.
|
PRJ-47017, |
VPN |
NEW: Added support for a new tool (shell script) on a Management Server that can show and renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways and VSX Virtual Systems. Refer to sk182070. |
PRJ-48080, |
CloudGuard Network |
NEW: Added support for Azure Scale sets with Flexible orchestration mode. |
Take 99 - Improvements and Resolved Issues
|
||
PRJ-55494, |
VPN |
CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336. |
PRJ-55469, |
VPN |
UPDATE: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or lower, and not updated after the upgrade to R80.30, is blocked until the password is reset. Refer to sk182336. |
PRJ-48778, |
Security Management |
UPDATE: Added validation for new permissions for configuring a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > Run the following script before deleting old files. |
PRJ-52446, |
Security Management |
UPDATE: Added an ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033. |
PRJ-49172, |
Security Management |
UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877. |
PRJ-48094, PMTR-77299 |
CPView |
UPDATE: CPView now shows statistical data also for servers with 256/512 CPU cores. |
PRJ-51123, |
Security Gateway |
UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921. |
PRJ-50427, PMTR-96484 |
Security Gateway |
UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions. |
PRJ-46319, |
Security Gateway |
UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log. |
PRJ-50739, PRHF-30794 |
Security Gateway |
UPDATE: Added an ability to configure objects for the HTTPS Inspection CA using labels.
|
PRJ-50498, |
Identity Awareness |
UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways. |
PRJ-48175, |
Mobile Access |
UPDATE: jQuery UI is upgraded to version 1.13.2. Resolved CVE-2021-41184. |
PRJ-43432, |
SecureXL |
UPDATE: It is now possible to add exceptions to external IoC feeds. |
PRJ-46624, |
VPN |
UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server. |
PRJ-43881, |
VSX |
UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX. |
PRJ-50872, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements. |
PRJ-48009, |
Gaia OS |
UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically. |
PRJ-50788, |
Harmony Endpoint |
UPDATE: Posture Management (Vulnerability & Patch Management) is now supported. |
PRJ-50319, |
CloudGuard Network |
UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823. |
PRJ-52861, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region. |
PRJ-52626, PRJ-53584, PRJ-54097, PRJ-54457, ODU-1731, ODU-1667, ODU-1571, ODU-1392 |
Automatic Updates - Web SmartConsole |
UPDATE: New features and improvements are released in Take 94, Take 97, Take 100 and Take 102 via self-updatable package. Refer to sk170314. |
PRJ-52818, |
Automatic Updates - CPView |
UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-52594, PRJ-54686, ODU-1707, |
Automatic Updates - CPView |
UPDATE: Added Take 77 and Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-52040, |
Automatic Updates - Threat Extraction |
UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832. |
PRJ-51509, PRJ-52585, PRJ-53539, ODU-1476, ODU-1460, ODU-1248 |
Automatic Updates - Threat Prevention |
UPDATE: Added Update 22, Update 23 and Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-52694, |
Automatic Updates - Smart-1 Cloud |
UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-52865, PRJ-53686, PRJ-54175, ODU-1595, ODU-1531, ODU-1659 |
Automatic Updates - HCP |
UPDATE: Added Update 15, Update 16 and Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-53395, PRJ-53680, PRJ-54171, ODU-1611, ODU-1563, ODU-1683 |
Automatic Updates - CPSDC |
UPDATE: Added Take 31, Take 33 and Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-50750, PMTR-96420 |
Infrastructure |
UPDATE: Added Python 3.11.4. |
PRJ-49360, |
Security Management |
There may be synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Server when a newly created local administrator on the backup Security Management Server makes changes to rules or objects, after the Active role is switched to that Security Management Server. |
PRJ-41779, |
Security Management |
In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view. |
PRJ-52344, |
Security Management |
In some scenarios, the PostgreSQL database fully utilizes disk space on the Standby Security Management Server. |
PRJ-50371, |
Security Management |
When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message. |
PRJ-50017, |
Security Management |
It may not be possible to add/set a Threat Prevention Exception with a protection-or-site UID. |
PRJ-53347, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file. |
PRJ-51203, |
Security Management |
If all revisions were purged on the Security Management Server, the "show packages details-level full" Management API call may fail. |
PRJ-51512, |
Security Management |
The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt. |
PRJ-52779, |
Security Management |
When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time. |
PRJ-52848, |
Security Management |
Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-52017, |
Security Management |
Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled. |
PRJ-52913, |
Security Management |
Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected. |
PRJ-52043, |
Security Management |
In some scenarios, the Security Management Server upgrade to R81.20 fails with "java.lang.String incompatible with com.checkpoint.infrastructure.types.CPUUID" in the upgrade report. The issue occurs during the import of the User Data Domain.
|
PRJ-51541, |
Security Management |
Enabling automatic updates of Trusted CAs as described in sk173629 may fail. |
PRJ-50357, |
Security Management |
In multi-site environments, when using LDAP administrators configured on an external LDAP Server, logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status. |
PRJ-51072, |
Security Management |
Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID. |
PRJ-49882, |
Security Management |
Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report. |
PRJ-49942, |
Security Management |
In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object. |
PRJ-50591, |
Security Management |
High Availability synchronization runs after every scheduled Application Control update, even if the Application Control is up to date. |
PRJ-51594, |
Security Management |
In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822. |
PRJ-51617, |
Security Management |
Deleting a Domain may fail when using the createDomainRecovery.sh script. |
PRJ-49665, |
Security Management |
The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks. |
PRJ-52010, |
Security Management |
In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886". But sk178886 describes a different scenario and does not resolve the issue. |
PRJ-52815, |
Security Management |
If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report. |
PRJ-50765, |
Security Management |
In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed. |
PRJ-48440, |
Security Management |
The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined. |
PRJ-52877, PRJ-52516, PRHF-32065, PRHF-32383 |
Security Management |
In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages. |
PRJ-50997, |
Security Management |
Install Policy Presets may fail after purging all revisions. Refer to sk181652. |
PRJ-51675, |
Security Management |
Global Assignment fails with "Locked for editing by another administrator and need to be published or discarded before the operation can take place". Refer to sk181807. |
PRJ-52789, |
Security Management |
In rare scenarios, High Availability synchronization fails with "Peer is busy". |
PRJ-45021, |
Security Management |
The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected. |
PRJ-50353, |
Security Management |
SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script. |
PRJ-50045, |
Security Management |
In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete. |
PRJ-49951, |
Security Management |
Login to SmartConsole may fail while the Compliance Blade is running a full scan. |
PRJ-50185, |
Security Management |
In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption". |
PRJ-50212, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters. |
PRJ-49343, |
Security Management |
SmartConsole may unexpectedly close after deleting an object in the Object Explorer view. |
PRJ-48914, |
Security Management |
In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397. |
PRJ-51066, |
Security Management |
In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time. |
PRJ-49988, |
Security Management |
The "fwm sic_reset" command may fail and generate a core dump. |
PRJ-49224, |
Security Management |
In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.
|
PRJ-50406, PRHF-30754 |
Security Management |
The Change Report generated before publishing a session, may contain internal system changes that were made by the user. |
PRJ-53726, |
Security Management |
Changes Report may allow to list certain directory contents. |
PRJ-54093, |
Security Management |
In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-41752, |
Security Management |
Some debug messages may appear in the /var/log/messages file, although the debug mode is not activated. The issue is cosmetic only. |
PRJ-55500, PRHF-34248 |
Security Management |
A memory leak may occur in the FWM process which leads to SmartConsole connection failures. |
PRJ-52968, PRHF-29693 |
Multi-Domain Security Management |
The "cprlic get" command output may not provide correct information about vSEC licenses. |
PRJ-51270, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails. |
PRJ-48394, |
Multi-Domain Security Management |
In Multi-Domain Security Management environments, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred" |
PRJ-49713, PRHF-30513, PRJ-50578, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-49478, |
Multi-Domain Management |
When viewing Subordinate CA objects in SmartConsole:
|
PRJ-46933, |
SmartConsole |
Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status. |
PRJ-51425, |
Web SmartConsole |
Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6. |
PRJ-51663, |
Web SmartConsole |
An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801. |
PRJ-49972, |
CPView |
CPU statistics may be incorrect or missing in CPView. Refer to sk182286. |
PRJ-44496, |
CPView |
In rare scenarios, CPView does not handle VS context correctly. |
PRJ-48001, |
CPView |
Offload may fail in CPView with "ERROR! Reason not initialized". |
PRJ-52602, PMTR-94461 |
CPView |
In the "cpview -m" command output on the Security Gateway which is an Active Cluster member, "metrics system.network.nat.ports" and "system.network.nat.ports.limit" may not be displayed in the list of available metrics. |
PRJ-48804, |
Logging |
Some attributes in SNMP MIB file may not be accessible. |
PRJ-52719, |
Logging |
Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options. |
PRJ-46286, |
Logging |
In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds". |
PRJ-47314, |
Logging |
When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly. |
PRJ-49388, |
Logging |
In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field. |
PRJ-47283, |
Logging |
When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters. |
PRJ-48240, |
Logging |
The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706. |
PRJ-47982, |
Logging |
Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only. |
PRJ-53335, |
Logging |
When the "IP Options drop" tracking Global Properties setting is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole. |
PRJ-44589, PRHF-26975 |
Logging |
In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331. |
PRJ-46205, |
Logging |
Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609. |
PRJ-52469, |
Security Gateway |
CIFS traffic may cause CPU spikes in the FWK process. |
PRJ-51146, |
Logging |
When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677. |
PRJ-51526, |
Security Gateway |
Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are enabled. Refer to sk181793. |
PRJ-51075, |
Security Gateway |
In rare scenarios, a file downloaded via HTTP may be corrupted. |
PRJ-52672, PRHF-32203 |
Security Gateway |
CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944. |
PRJ-48320, |
Security Gateway |
The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration. |
PRJ-46201, |
Security Gateway |
In rare scenarios, updating the NTP Server may cause a temporary outage. |
PRJ-50138, |
Security Gateway |
Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments. |
PRJ-47955, |
Security Gateway |
The CPVIEW_API_SERVICE process may exit with a timeout. |
PRJ-50601, |
Security Gateway |
In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow. |
PRJ-51458, |
Security Gateway |
When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:
|
PRJ-48261, |
Security Gateway |
Notifications of SecureXL connection deletion appear unfiltered in the debug output, also when using a debug filter. |
PRJ-52519, PRHF-31425 |
Security Gateway |
The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process. |
PRJ-47670, PRJ-47666, PRHF-29516, PRHF-29535 |
Security Gateway |
When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries. |
PRJ-51037, PRHF-31146 |
Security Gateway |
The Security Gateway may crash during policy installation. |
PRJ-51944, |
Security Gateway |
In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base. |
PRJ-52794, |
Security Gateway |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router. |
PRJ-47208, |
Security Gateway |
When running the tp_collector tool, the FW_FULL process may unexpectedly exit. |
PRJ-52362, |
Security Gateway |
In a VSX environment, the FW_FULL process may exit when running "fw monitor -p all" with the "-v" flag on a specific list of Virtual Systems (VS's) where not all VS's have identical blade configurations enabled. |
PRJ-47662, |
Security Gateway |
Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages. |
PRJ-51607, |
Security Gateway |
The ICAP Server may fail to initialize. |
PRJ-49115, |
Security Gateway |
In rare scenarios, the FWK process may unexpectedly exit when running an outgoing (a local connection) from the Security Gateway. |
PRJ-52419, |
Security Gateway |
Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object. |
PRJ-50658, |
Security Gateway |
The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address. |
PRJ-52112, |
Security Gateway |
Incorrect CPU statics may be shown in CPView when using Dynamic Split. |
PRJ-45692, |
Security Gateway |
The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail. |
PRJ-48821, |
Security Gateway |
In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway. |
PRJ-48021, |
Security Gateway |
In some scenarios, when IPS is enabled, CPU spikes may occur. |
PRJ-47445, |
Threat Prevention |
When configuring ioc feeds from the management:
|
PRJ-50656, |
Threat Prevention |
In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process. |
PRJ-47458, |
Threat Prevention |
In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash. |
PRJ-46903, |
Threat Prevention |
Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039. |
PRJ-48085, |
Threat Prevention |
An outage may occur when an unsupported SSH cipher is selected. |
PRJ-49876, |
Threat Prevention |
Traffic directed towards a host situated behind the Security Gateway is not blocked. For instance, if an IP address listed in the feed sends an ICMP request, it will reach a host behind the Gateway without being blocked. Refer to sk132193. |
PRJ-43971, |
Threat Prevention |
When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems. |
PRJ-50050, |
Threat Prevention |
Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the "fwaccel dos deny" feature are configured. Refer to sk182223. |
PRJ-46442, |
Threat Prevention |
Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension. |
PRJ-49511, |
Threat Prevention |
In a rare scenario, changes in Threat Prevention Custom Intelligence feeds settings may not be applied after policy installation. |
PRJ-49007, PMTR-92233 |
Threat Prevention |
In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update. |
PRJ-48428, |
Threat Prevention |
Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy. |
PRJ-42869, |
Threat Prevention |
After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225. |
PRJ-46595, |
Threat Extraction |
The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974. |
PRJ-55346, PMTR-104752 |
Threat Prevention |
The "Categorized HTTPS Sites" option does not classify specific websites when "TLS 1.3 hybridized Kyber support" is enabled in the browser. Refer to sk182318. |
PRJ-49317 |
Identity Awareness |
There may be high memory consumption by Identity Broker in the synchronization flow. |
PRJ-51333, |
Identity Awareness |
When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access. |
PRJ-49434, |
Identity Awareness |
In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers. |
PRJ-52369, |
Identity Awareness |
After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946. |
PRJ-50512, |
Identity Awareness |
In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration. |
PRJ-52871, |
Identity Awareness |
User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation. |
PRJ-50582, |
Identity Awareness |
During policy installation, users authenticated using the Captive Portal may get disconnected. |
PRJ-43455, |
Application Control |
When a policy contains a white list, some packets may not match the listed applications. |
PRJ-45134, |
Identity Awareness |
In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged. |
PRJ-51421, |
Identity Awareness |
In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network. |
PRJ-46757, |
Identity Awareness |
The ida_tables_util tool may fail with the "bad adress" error. |
PRJ-47440, |
Identity Awareness |
In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation. |
PRJ-45719, |
Application Control |
Policy installation fails when a custom application and user category have the same name. |
PRJ-46197, |
Application Control |
CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186. |
PRJ-50803, |
IPS |
There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade. |
PRJ-42479, |
IPS |
Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types. |
PRJ-49043, |
DLP |
The DLP process may unexpectedly exit during policy installation. |
PRJ-53123, |
Anti-Virus |
The DLPU process may frequently exit with a core dump file. |
PRJ-49519, |
Anti-Virus |
The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile. |
PRJ-51181, |
Anti-Virus |
Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures. |
PRJ-52661, |
Anti-Virus |
Some URLs may be blocked by the Anti-Virus blade as malicious, even though the Threat Prevention Rule Base contains an exception rule with a Site/Application object that includes this URL. |
PRJ-50527, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash during inspection of file downloads. |
PRJ-49296, PRHF-23253 |
Anti-Virus |
Anti-Virus fails to release held connections after the inspection. |
PRJ-49569, |
Anti-Virus |
The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds. |
PRJ-49791, |
SSL Inspection |
Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM). |
PRJ-45149, |
SSL Inspection |
When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text. |
PRJ-52046, PRHF-31811 |
Mobile Access |
SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805. See the Important Notes section. |
PRJ-50115, |
ClusterXL |
In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also. |
PRJ-50868, |
ClusterXL |
The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue. |
PRJ-48412, |
ClusterXL |
In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem". |
PRJ-52490, PMTR-99615 |
ClusterXL |
The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891. See the Important Notes section. |
PRJ-51586, |
ClusterXL |
The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster. |
PRJ-52729, PRHF-32237 |
ClusterXL |
When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status. |
PRJ-52894, |
ClusterXL |
In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error. |
PRJ-44518, |
SecureXL |
Multicast packets received on an interface with PIM disabled can cause multicast packet drops on other interfaces by filling up the kernel routing queue. |
PRJ-52804, |
SecureXL |
In some scenarios when Route-based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address. |
PRJ-50835, |
SecureXL |
There may be a delay in enforcing DOS/Rate Limiting rules to drop packets when concurrent connection limits are exceeded. |
PRJ-51620, |
SecureXL |
In some scenarios, fragmented ICMP packets may bypass the DOS/ Rate limiting deny list. |
PRJ-49377, |
SecureXL |
Syn Defender may not correctly handle reused connections. |
PRJ-52797, |
SecureXL |
The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list. |
PRJ-50925, |
SecureXL |
When attempting to route packets to unresponsive hosts, the CPU utilization may be high. |
PRJ-52800, |
SecureXL |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch. |
PRJ-33122, |
SecureXL |
CPView shows SecureXL drops incorrectly as "0" (zero). |
PRJ-51176, |
SecureXL |
The Security Gateway may crash with vmcore during boot while upgrading. |
PRJ-48888, |
SecureXL |
The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway. |
PRJ-50545, |
SecureXL |
High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load. |
PRJ-50944, PRJ-50949, PRJ-50952, PRJ-50938, |
SecureXL |
In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch. |
PRJ-50942, PRJ-50940, |
SecureXL |
In some scenarios, the VSX Security Gateway may crash when sending VPN encrypted traffic through a Virtual Router/Switch. |
PRJ-49756, |
SecureXL |
Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces. |
PRJ-51208, PRHF-31259 |
SecureXL |
In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer. |
PRJ-50831, |
Routing |
The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios. |
PRJ-49962, |
Routing |
During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message. |
PRJ-49235, |
Routing |
When one of the multiple PIM neighbors goes down on the LAN, there may be outages in multicast traffic. |
PRJ-51981, |
Routing |
When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing. |
PRJ-52652, |
Routing |
A core dump for the ROUTED process is created while changing the Security Gateway PIM configuration from Bootstrap-Candidate to Candidate-RP using the "set pim" command. |
PRJ-52650, PRJ-52657, PRJ-52654, PRHF-31977, PMTR-78961 |
Routing |
Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated. |
PRJ-53567, |
Routing |
In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor. |
PRJ-53055, |
Routing |
In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization. |
PRJ-50024, |
Routing |
The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces. |
PRJ-52669, |
Routing |
Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on". |
PRJ-51258, |
Routing |
It may not be possible to propagate a newly added static route through OSPF. |
PRJ-53052, |
Routing |
BGP peers may experience timeouts when these conditions occur simultaneously:
|
PRJ-49216, |
VPN |
Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled. |
PRJ-33775, |
VPN |
The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic. |
PRJ-46260, |
VPN |
The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857. |
PRJ-49651, |
VPN |
VPN connectivity may be unstable when IPv6 and VPN star communities are configured. |
PRJ-45126, |
VPN |
Back connection does not function on the Statically NATed Office Mode address as expected. |
PRJ-49558, |
VPN |
When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed. |
PRJ-47951, |
VPN |
Establishing an IKEv2 tunnel with Cross AZ Cluster may fail. |
PRJ-47590, |
VPN |
In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error. |
PRJ-53365, |
VPN |
VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log. |
PRJ-52947, |
VPN |
When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues. |
PRJ-54239, PMTR-103618 |
VPN |
In a VPN Community with a configuration involving two Security Gateways (a Center Cluster and a Satellite Security Gateway) with IPv6 external and internal interfaces, when attempting to establish a Link Selection Star community between them, the VPN process may unexpectedly exit due to repetitive IKE core crashes on one of the Security Gateways while the other Security Gateway tries to establish a tunnel, resulting in connectivity issues. |
PRJ-50311, |
Multi-Portal |
A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway. |
PRJ-48829, |
VSX |
In some scenarios, the VXLAN Driver Kernel may crash. |
PRJ-50742, |
VSX |
VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface. |
PRJ-50955, |
VSX |
In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router. |
PRJ-50174, |
VSX |
In some scenarios, installing policy via vsx_util may be stuck. |
PRJ-49566, |
VSX |
Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages. |
PRJ-51979, |
VSX |
High CPU usage on SND cores when many interfaces are configured. Refer to sk181860. |
PRJ-51295, PMTR-97905 |
VSX |
When adding a new Virtual System, a CPD core dump file may be generated. |
PRJ-52722, |
Gaia OS |
The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922. |
PRJ-33092, |
Gaia OS |
In some scenarios, the output of the "show configuration"/"snapshot-scheduled" command may contain corrupted text. |
PRJ-46019, |
Gaia OS |
The SNMPD process memory consumption may be high, which causes the process to become unresponsive. |
PRJ-50485, |
Gaia OS |
SNMP query does not bring the CPUSE package information for a single OID (not a table). |
PRJ-46141, |
Gaia OS |
Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content. |
PRJ-51218, |
Gaia OS |
Clish may deny access of a non-local RADIUS user. |
PRJ-50507, |
Gaia OS |
There may be some inconsistent syntax in the "comment" section for interface and static-route commands. |
PRJ-48718, |
Gaia OS |
The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option. |
PRJ-45114, |
Gaia OS |
Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that. |
PRJ-47175, |
Gaia OS |
When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration. |
PRJ-53488, |
Gaia OS |
Some valid interfaces may not be available with running the "set lldp interface" command. |
PRJ-53193, |
Gaia OS |
In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory. |
PRJ-52507, |
Gaia OS |
When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file. |
PRJ-50587, PRHF-30890 |
CloudGuard Network |
In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail. |
PRJ-47146, |
Harmony Endpoint |
When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers. |
PRJ-47719, |
Harmony Endpoint |
The Application Scan Push Operation fails to upload an .xml file. Refer to sk181280. |
PRJ-52129, PRHF-31662 |
Harmony Endpoint |
When attempting a one-time login for a migrated client in the Infinity Portal, the request fails with "400 error" caused by duplicate logon_name and domain_name entries in the database, preventing password generation from the Web interface. |
PRJ-46988, |
VoIP |
In some scenarios, SIP TCP connections are dropped after a cluster failover. |
PRJ-47993, |
VoIP |
When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525. |
PRJ-52885, |
Scalable Platforms |
When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are. |
PRJ-53620, |
Scalable Platforms |
The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members). |
PRJ-44138, |
Scalable Platforms |
If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues. |
PRJ-46791, |
Scalable Platforms |
An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and, therefore, may differ between members. |
PRJ-46062, |
Scalable Platforms |
Querying SP Interface Data via SNMP may intermittently fail. |
PRJ-50736, |
Scalable Platforms |
The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674. |
PRJ-50745, |
Scalable Platforms |
Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data. |
PRJ-49465, |
Scalable Platforms |
On a Security Group with MDPS enabled:
After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane. Refer to sk182076. |
PRJ-48722, |
Scalable Platforms |
When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only. |
PRJ-50679, PRHF-30764 |
Scalable Platforms |
Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed. |
PRJ-44499, |
Scalable Platforms |
Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file. |
PRJ-46221, |
Scalable Platforms |
During site failover, IPv6 traffic that goes through the Warp interface may be interrupted. |
PRJ-44135, |
Scalable Platforms |
Member state may flap between Active and Ready. |
PRJ-52530, PMTR-99841 |
Scalable Platforms |
After dynamic routing manager failure and recovery, connections are dropped with a log message "TCP out of state: First packet isn't SYN". Refer to sk181874. |
Take 92 Published on 4 January 2024 and declared as Recommended on 15 January 2024 |
||
PRJ-51599, SMB-16203 |
Security Management |
In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803. |
Take 89 Published on 23 November 2023 |
||
PRJ-47120, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-49979 |
Security Management |
UPDATE: Removed a redundant rule-assistant.war package. |
PRJ-49890, PMTR-95687 |
Security Management |
UPDATE: Removed a redundant guava package. |
PRJ-49823, PMTR-95347 |
Security Management |
UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22. |
PRJ-49785, PMTR-95614 |
Security Management |
UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies. |
PRJ-49982, PMTR-74309 |
Security Management |
UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3. |
PRJ-48316, PRJ-49010, PRJ-50263, PRJ-49964, ODU-1256, ODU-1304, ODU-1121, ODU-1137 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 81, Take 85, Take 88, and Take 90 via a self-updatable package. Refer to sk170314. |
PRJ-49107, PMTR-94517 |
SmartConsole |
UPDATE: Applied security related improvements to the Jetty open source library. |
PRJ-50323, |
CPView |
UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-50041, |
CPView |
UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458. |
PRJ-50091, |
Security Gateway |
UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability. |
PRJ-46556, |
Security Gateway |
UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632. |
PRJ-48141, |
Threat Prevention |
UPDATE: Re-enabled the deprecated feature of exporting/importing custom intelligence feeds. |
PRJ-44319, |
Threat Prevention |
UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable. |
PRJ-49492, |
Threat Prevention |
UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-46942, |
Threat Prevention |
UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses. |
PRJ-49231, |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 80008407. |
PRJ-49744, PMTR-95099 |
Mobile Access |
UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default. |
PRJ-44242, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-44435, |
ClusterXL |
UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742. |
PRJ-46314, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically. |
PRJ-46915, |
VPN |
UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL. |
PRJ-48107, |
VSX |
UPDATE: Changed the vsx push configuration log:
|
PRJ-47449, |
Gaia OS |
UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:
|
PRJ-45235, |
Gaia OS |
UPDATE: SNMP traps for interfaces going up and going down will now contain the interface name and description. |
PRJ-46439, |
Gaia OS |
UPDATE: Added support for the Sandblast TE250XN Appliances. |
PRJ-44760, |
Gaia OS |
UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined. |
PRJ-47225, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427. |
PRJ-45726, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-49977, PRJ-49936 |
Harmony Endpoint |
UPDATE: Upgraded symmetricDS to the 3.14.9 version. |
PRJ-48799, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region. |
PRJ-48338, |
CloudGuard Network |
UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-45770, |
Scalable Platforms |
UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>". |
PRJ-48195, |
Scalable Platforms |
UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway. |
PRJ-32166, |
Scalable Platforms |
UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP). |
PRJ-45979, |
Scalable Platforms |
UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-48403, |
HCP |
UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-49203, |
Security Management |
Refer to sk181471. |
PRJ-48877, |
Security Management |
|
PRJ-50028, PMTR-95988 |
Security Management |
The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626. |
PRJ-47168, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-46698, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-44895, |
Security Management |
Policy installation gets stuck if the known proxy group contains the policy target. |
PRJ-46827, |
Security Management |
In some scenarios, the "Object is no longer available" validation warning appears for updatable objects. |
PRJ-49194, |
Security Management |
In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated. |
PRJ-47965, |
Security Management |
In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178. |
PRJ-46130, |
Security Management |
A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway. |
PRJ-46397, |
Security Management |
In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-46015, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-44430, |
Security Management |
In some scenarios, SmartConsole may get closed when opening the Policy Installation dialog. |
PRJ-46409, |
Security Management |
The Security Gateway may listen to the ports used by NAT. |
PRJ-49369, |
Security Management |
In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460. |
PRJ-33004, |
Security Management |
In SmartConsole, an attempt to view administrators may fail with "Error retrieving results". |
PRJ-35764, |
Security Management |
In some scenarios, the "show-packages" Management API command may return empty results when using the "domains-to-process" flag. |
PRJ-39774, |
Security Management |
Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command. |
PRJ-40127, |
Security Management |
When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes. |
PRJ-48199, |
Security Management |
Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole. |
PRJ-48036, |
Security Management |
An audit log may not be created after running Revert to Revision. |
PRJ-48380, |
Security Management |
In SmartConsole, export of policies with the "Hit count" column may get stuck. |
PRJ-43288, |
Security Management |
In rare scenarios:
|
PRJ-45897, |
Security Management |
In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920. |
PRJ-45987, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-47257, PRJ-47234, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-46002, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object. |
PRJ-48896, |
Security Management |
In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file. |
PRJ-45033, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-44986, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-45798, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-41459, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-41243, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-47041, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-47045, |
Security Management |
In rare scenarios, after an upgrade, the Security Management Server may fail to start. |
PRJ-46795, |
Security Management |
The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054. |
PRJ-46730, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-45781, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-45439, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-48690, |
Security Management |
Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user. |
PRJ-47618, |
Security Management |
In rare scenarios, the /var/log/message file is filled with Clish login messages for the Admin user. |
PRJ-48863, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-48369, |
Security Management |
The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util. |
PRJ-47037, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses. |
PRJ-34859, |
Security Management |
In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report. |
PRJ-46103, |
Multi-Domain Security Management |
In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983. |
PRJ-43690, |
Multi-Domain Management |
Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy. |
PRJ-47049, |
Multi-Domain Security Management |
In rare scenarios. in a Multi-Domain Security Management environment:
|
PRJ-40588, |
SmartConsole |
SmartConsole may crash while checking for updates. |
PRJ-45074, |
Web SmartConsole |
After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.
|
PRJ-46434, |
SmartProvisioning |
After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change. |
PRJ-47341, |
SmartView |
In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message. |
PRJ-47468, |
CPUSE |
Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation. |
PRJ-46185, |
Logging |
When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent. |
PRJ-45039, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-47218, |
Logging |
The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs. |
PRJ-48341, |
Logging |
In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field. |
PRJ-41166, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-47213, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail. |
PRJ-45323, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-39449, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-45416, |
Logging |
Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic. |
PRJ-44206, |
Logging |
Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields. |
PRJ-47267, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-50897, PRHF-31187 |
Security Gateway |
A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security. |
PRJ-44700, |
Security Gateway |
In rare scenarios, the WSDNSD process may restart because of an internal error. |
PRJ-48152, |
Security Gateway |
Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet. |
PRJ-47369, |
Security Gateway |
The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted. |
PRJ-47330, |
Security Gateway |
When using the "cpstop" command on the Security Gateway, the fw_full core may be generated. |
PRJ-48246, |
Security Gateway |
The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281. |
PRJ-47519, |
Security Gateway |
After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped. |
PRJ-44188, |
Security Gateway |
The Security Gateway may crash due to a memory issue. |
PRJ-46137, |
Security Gateway |
The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032. |
PRJ-46052, |
Security Gateway |
The Security Gateway may crash while inspecting non-HTTP traffic. |
PRJ-43855, |
Security Gateway |
The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX. |
PRJ-45482, |
Security Gateway |
Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command. |
PRJ-46333, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-45802, |
Security Gateway |
Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588. |
PRJ-47124, |
Security Gateway |
In some scenarios, after an upgrade, the FWD process may unexpectedly exit. |
PRJ-44617, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-45343, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-47557, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47324, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade. |
PRJ-46376, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-47601, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-44150, |
Threat Prevention |
In a rare scenario, policy installation may fail because of IoC observables overrides. |
PRJ-46836, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-43726, |
Threat Prevention |
In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic. |
PRJ-44765, |
Threat Prevention |
Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway. |
PRJ-44690, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import IoC feeds. |
PRJ-48190, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters. |
PRJ-42146, |
Threat Prevention |
Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues. |
PRJ-46883, |
Threat Prevention |
Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure. |
PRJ-48924, |
Threat Prevention |
Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented. |
PRJ-47636, |
Threat Prevention |
The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148. |
PRJ-46116, |
Threat Emulation |
Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance. |
PRJ-48273, |
Identity Awareness |
There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417). |
PRJ-47063, |
Application Control |
When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur. |
PRJ-47748, PRJ-47646 |
IPS |
In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
PRJ-50189, PMTR-96205 |
IPS |
Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6. |
PRJ-47238, |
Anti-Virus |
Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode. |
PRJ-47934, |
Anti-Virus |
When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade. |
PRJ-48971, |
Anti-Virus |
When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked. |
PRJ-48126, |
Anti-Virus |
A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol. |
PRJ-45835, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47783, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-46604, |
Anti-Virus |
The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026. |
PRJ-47202, |
Mobile Access |
When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols. |
PRJ-47106, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-45656, |
SSL Inspection |
In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0. |
PRJ-48701, |
SSL Inspection |
A FWK process memory leak may occur when canceling the download of a large file in the middle of the process. |
PRJ-47263, |
SSL Inspection |
The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak. |
PRJ-41306, |
ClusterXL |
When interfaces disconnect/connect on both members at the same time, it may cause a failover. |
PRJ-46504, |
ClusterXL |
Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969. |
PRJ-45348, |
ClusterXL |
After an upgrade, cluster members may frequently crash, causing instability in the environment. |
PRJ-45197, |
ClusterXL |
In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection". |
PRJ-44274, |
ClusterXL |
A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531. |
PRJ-43930, |
ClusterXL |
Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055. |
PRJ-43638, |
SecureXL |
In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability. |
PRJ-44772, |
SecureXL |
The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646. |
PRJ-41793, |
Routing |
Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic. |
PRJ-47486, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-43247, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-47800, |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come up. |
PRJ-47939, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48116, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-44955, |
VPN |
A potential leak in VPN tunnels in a Multi-Version Cluster. |
PRJ-46293, |
VPN |
Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429. |
PRJ-42938, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-44164, |
VPN |
When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established. |
PRJ-47876, |
Multi-Portal |
The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication. |
PRJ-44267, |
VSX |
Vsx_util upgrade or downgrade validation fails on Virtual Systems where policy was never installed. |
PRJ-47795, |
VSX |
A memory leak may occur in the CPD process. |
PRJ-47397, |
VSX |
When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown. |
PRJ-43877, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-47836, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-44299, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.
|
PRJ-49349, |
VSX |
In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823. |
PRJ-46970, |
Gaia OS |
Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249. |
PRJ-46274, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47772, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-28433, |
Gaia OS |
Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment. |
PRJ-44369, |
Gaia OS |
SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status. |
PRJ-43570, |
Harmony Endpoint |
After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to "None". And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed. |
PRJ-41336, |
Harmony Endpoint |
When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error. |
PRJ-46948, |
Harmony Endpoint |
KAV updater on the Server may fail to receive updates when proxy is used. |
PRJ-48255, |
Harmony Endpoint |
The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package. |
PRJ-46801, |
Harmony Endpoint |
In rare scenarios, when making changes in SmartConsole, it gets disconnected. |
PRJ-43043, |
Harmony Endpoint |
E2 engine may send an incorrect value of datDate in sync request. |
PRJ-47898, |
CloudGuard Network |
Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed. |
PRJ-47733, |
CloudGuard Network |
After an upgrade, Azure Gov mapping may fail. |
PRJ-43608, |
VoIP |
SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter). |
PRJ-45232, |
Scalable Platforms |
The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921. |
PRJ-47639, |
Scalable Platforms |
In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log. |
Take 87 Published on 27 June 2023 and declared as Recommended on 2 August 2023 |
||
PRJ-44424, |
Security Management |
NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository. |
PRJ-43520, |
Security Management |
NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs . For example:
|
PRJ-45294, |
Security Management |
UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792. |
PRJ-45489, |
Security Management |
UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster). |
PRJ-45202, ODU-843 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314. |
PRJ-45471, |
CPView |
UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-45464, |
CPView |
UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-46339, |
Security Gateway |
In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze. |
PRJ-45461, |
Threat Prevention |
UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-44951, |
IPS |
UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day. |
PRJ-43604, PRHF-22566 |
SecureXL |
UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall. |
PRJ-47511, |
GaiaOS |
UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230: 1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor). 2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login). These Gaia Clish commands are available to work with this feature:
|
PRJ-45906, |
Scalable Platforms |
UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-44960, |
Scalable Platforms |
UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log. |
PRJ-44961, |
Scalable Platforms |
UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures. |
PRJ-45387, |
HCP |
UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-44450, |
Security Management |
In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681. |
PRJ-43185, |
Security Management |
If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461. |
PRJ-45872, |
Security Management |
In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified. |
PRJ-35493, |
Security Management |
The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted. |
PRJ-42421, |
Security Management |
An upgrade may fail when a Network object Group contains more than 32000 members. |
PRJ-45059, |
Security Management |
In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858. |
PRJ-43558, |
Security Management |
In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897. |
PRJ-47101, |
Security Management |
Policy installation may fail with "Target is not defined in the database" error when the target name has many underscore or dash characters. See the Important Notes section. |
PRJ-45157, |
Security Management |
APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites. |
PRJ-45486, |
Security Management |
In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation". |
PRJ-42038, |
Security Management |
Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)". |
PRJ-43567, |
Security Management |
After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail. |
PRJ-43810, |
Security Management |
Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584. |
PRJ-42619, |
Security Management |
When using the "Deployment from Local Paths and URLs" option, and inserting a correct path, the client is being deployed through the Management Server and not Locally as it should be deployed. |
PRJ-45653, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service. |
PRJ-44994, |
Security Management |
In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out. |
PRJ-41327, |
Security Management |
If the Security Management Server is behind NAT, remote Management API login fails. |
PRJ-44084, |
Security Management |
Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514. |
PRJ-42551, |
Multi-Domain Security Management |
After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes". |
PRJ-45053, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked. |
PRJ-40737, |
Multi-Domain Security Management |
Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers. |
PRJ-44968, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages. |
PRJ-46086, |
Multi-Domain Security Management |
A scheduled Install Policy Preset may not have its next run time updated when:
|
PRJ-45067, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-46508, |
SmartConsole |
Data Center objects may not appear as unused objects in the Object Explorer view, although they should. |
PRJ-43597, |
SmartConsole |
Typo in the Compliance report - "OSFP" instead of "OSPF". |
PRJ-39254, |
Logging |
In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server. |
PRJ-41593, |
Logging |
SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information. |
PRJ-20171, |
Logging |
In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached. |
PRJ-38479, |
Logging |
In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured. |
PRJ-41665, |
Logging |
In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field. |
PRJ-36111, |
Security Gateway |
When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email. |
PRJ-44094, |
Security Gateway |
In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure. |
PRJ-44231, |
Security Gateway |
After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore. |
PRJ-44919, |
Security Gateway |
After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs. |
PRJ-45495, |
Security Gateway |
On the Security Gateway with Management Data Plane Separation (MDPS) enabled:
|
PRJ-42357, |
Security Gateway |
Latency in connection caused by a packet flow change from F2V to F2F. |
PRJ-45396, |
Security Gateway |
Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801. |
PRJ-44999, |
Security Gateway |
In a Maestro environment, an encrypted over SSH or RDP connection may get closed when handled by the wrong member. |
PRJ-44310, |
Security Gateway |
In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash. |
PRJ-42529, |
Security Gateway |
In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart. |
PRJ-45477, |
Security Gateway |
Security Gateway may crash when running kernel debugs of the "UP" module. |
PRJ-44250, |
Security Gateway |
When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC. |
PRJ-44953, |
Security Gateway |
When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur. |
PRJ-44976, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-45185, |
Security Gateway |
Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705. |
PRJ-45448, |
Security Gateway |
When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure. |
PRJ-46686, |
Security Gateway |
When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops. |
PRJ-45954, |
Security Gateway |
When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873. |
PRJ-38110, |
Security Gateway |
In some scenarios, the Security Gateway may crash. |
PRJ-44603, |
Security Gateway |
Stack buffer overflow may occur in the FWGTP process. |
PRJ-46536, |
Security Gateway |
The FWK process may unexpectedly exit while processing the mail flow and generate a core dump. |
PRJ-41966, |
Security Gateway |
When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected. |
PRJ-46644, |
Security Gateway |
Incorrect parsing of GTP-U traffic may cause anti-spoofing drops. |
PRJ-44854, |
Security Gateway |
Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter. |
PRJ-44751, |
Security Gateway |
Policy installation may fail with "Error 2000240" because of an IPv6 flow issue. |
PRJ-44550, |
Threat Prevention |
In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update. |
PRJ-42584, |
Threat Prevention |
When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced. |
PRJ-44199, |
Threat Prevention |
When IPS Blade is enabled, the Security Gateway may crash. |
PRJ-44569, |
Threat Prevention |
After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty feed". |
PRJ-45561, |
Threat Prevention |
In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail. |
PRJ-39346, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on PDP when installing policy. |
PRJ-44315, |
Content Awareness |
When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection. |
PRJ-45427, |
Application Control |
Some TLS1.3 applications without SNI do not match the rules. |
PRJ-41654, |
IPS |
Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps. |
PRJ-45754, |
Anti-Virus |
The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries. |
PRJ-46278, |
Anti-Virus |
Importing a custom intelligence feed containing IP ranges may fail. |
PRJ-45098 |
Mobile Access |
SSL Network Extender (SNX) may randomly disconnect after a version upgrade. Refer to sk173765. |
PRJ-46401, |
Mobile Access |
Sending emails with attachments via Capsule Workspace may fail on iOS. |
PRJ-45193, |
Mobile Access |
In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail. |
PRJ-45162, |
ClusterXL |
A VRRP cluster member may be stuck in boot after a cluster upgrade. |
PRJ-44873, |
SecureXL |
Traffic may be dropped and the FWACCEL core file is generated. |
PRJ-44454, |
ClusterXL |
After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops. |
PRJ-44676, |
SecureXL |
After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped. |
PRJ-45378, |
Routing |
A VRRP/VRRP6 interface may go into Master/Master state. |
PRJ-41964, |
Routing |
Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear. |
PRJ-44708, |
Routing |
An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface. |
PRJ-44939, |
Routing |
After an update, multicast traffic may be dropped. |
PRJ-44923, |
Routing |
When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode. |
PRJ-41799, |
Routing |
Configuring OSPFv2 Graceful Restart and passive OSPF interfaces at the same time can cause graceful restart failures. |
PRJ-45183 |
Routing |
Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669. |
PRJ-41116, |
Routing |
There may be high CPU utilization and slow recovery of the ROUTED process after a failover. |
PRJ-41961, |
Routing |
In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group. |
PRJ-45832, |
Routing |
The ROUTED daemon may unexpectedly exit because of multi-threading issues. |
PRJ-46127, |
Routing |
The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths. |
PRJ-44704, |
Routing |
Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table. |
PRJ-46357, |
Routing |
Routes marked as "stale" may be redistributed via BGP during graceful restart. |
PRJ-45467, |
VPN |
StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method. |
PRJ-44828, PRJ-44990, PRJ-46301, |
VPN |
|
PRJ-45918, |
VPN |
The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation. |
PRJ-43826, |
VPN |
In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection and the traffic might be dropped. Refer to sk180855. |
PRJ-41969, |
VSX |
Increasing the MTU value of a bonded tagged interface may not be possible. |
PRJ-44088, |
VSX |
Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect. |
PRJ-45144, |
VSX |
Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster. |
PRJ-45400, |
VSX |
Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs. |
PRJ-44744, |
VSX |
Virtual System's interfaces may be missing when running the Clish command "show/save configuration". |
PRJ-45004, |
VSX |
A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command. |
PRJ-29905, |
Gaia OS |
It may not be possible to enter a snapshot description with more than one word. |
PRJ-45862, |
Gaia OS |
Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error. |
PRJ-41908, |
Gaia OS |
Gaia WebUI logs are printed with "info" severity. |
PRJ-42778, |
Gaia OS |
Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection". |
PRJ-45564, ACCHA-2110 |
Gaia OS |
The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728. |
PRJ-45791, |
CloudGuard Network |
Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries. |
PRJ-45539, |
CloudGuard Network |
AWS Data Center mapping fails when an interface subnet is missing from the list of subnets. |
PRJ-46474, |
VoIP |
SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file. |
PRJ-44613, |
VoIP |
In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue. |
PRJ-43516, PRJ-32398, |
VoIP |
After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-42616, |
Scalable Platforms |
The FW process may unexpectedly exit, producing a core dump file. |
PRJ-45884, |
Scalable Platforms |
In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System. |
PRJ-44926, |
Scalable Platforms |
After an upgrade, local IPv6 traffic from Active members may fail. |
PRJ-41940, |
Scalable Platforms |
When adding a new Virtual System and installing a policy, member state may change to Down. |
PRJ-42513, |
Scalable Platforms |
Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic. |
PRJ-42263, |
Scalable Platforms |
Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439. |
PRJ-32729, |
Scalable Platforms |
When there is a connectivity issue in the cluster, OSPF packets may be sent with delays and cause an outage. |
PRJ-44527, |
Scalable Platforms |
License is not copied from SMO to all other members if other members are in Down state. |
PRJ-43219, |
Carrier Security |
Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506. |
PRJ-43223, |
Carrier Security |
Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507. |
PRJ-46672, |
Carrier Security |
Packet corruption, leading to traffic and performance issues. |
PRJ-46675, PRJ-46678, |
Carrier Security |
After an upgrade, GTP traffic and memory issues may occur. |
Take 82 Published on 22 March 2023 and declared as Recommended on 8 May 2023 |
||
PRJ-43894, |
Security Gateway |
NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-44254, |
Threat Extraction |
NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43806, |
Application Control, URL Filtering |
NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-44575, |