List of All Resolved Issues and New Features in R81 Jumbo Hotfix Accumulator

 

Review the Important Notes section before installing a new Take.

 

This version reached its End of Support. If you are using this version (or lower), we strongly recommend you to upgrade your environments

ID

Product

Description

Take 107

Released on 25 November 2024 and declared as Recommended on 23 December 2024

Take 107 - Improvements and Resolved Issues

 

PRJ-58221,

PMTR-102962

ClusterXL

VSX Cluster Members with VLAN interfaces change their cluster state to "Down" and "Active!" after installing the R81 Jumbo Hotfix Accumulator Take 99. Refer to sk182819.

See the Important Notes section.

Take 106

Released on 22 October 2024

Take 106 - New Functionality

 

PRJ-36319,

PRHF-21090

Security Gateway

NEW: Implemented support for LDAP queries using Windows Security Identifiers (SIDs) as search criteria.

PRJ-52384,
PMTR-99313

Harmony Endpoint

NEW: Threat Emulation in Endpoint Security Clients version E87.60 and higher now supports the ONE, XAR, and WSF file formats.

Take 106 - Improvements and Resolved Issues

 

PRJ-51534,

PRJ-56315,

PMTR-106774,

PMTR-97312

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.61 to fix: CVE-2023-31122, CVE-2023-43622, CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573.

PRJ-54681,

PMTR-104266

Mobile Access

UPDATE: Resolved CVE-2024-31497. The Putty version used in the Mobile Access Portal Embedded SSL Network Extender application is upgraded from version 0.80 to version 0.81.

PRJ-55314,
PMTR-104507

Gaia OS

UPDATE: A patch on top of OpenSSL 1.1.1w to fix CVE-2024-2511. Refer to sk182320.

PRJ-56225,

PMTR-106852

Gaia OS

UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. Refer to sk182743.

PRJ-56468,

PMTR-107058

Gaia OS

UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Refer to sk182516 > Login to Gaia Portal.

PRJ-52930,
PRHF-32414

Security Management

UPDATE: When deleting a Secondary Multi-Domain Security Management Server, SmartConsole now shows an "After MDS '<MDS name>' is deleted, you should delete the Secondary Domain Servers from the Domains and revoke their certificates" message.

PRJ-52402,

PMTR-99617

Security Management

UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism.

PRJ-53937,
PMTR-102275

Security Management

UPDATE: Modified the content of the https://<ip_adress>/license_management/ page.

PRJ-54494,
PMTR-104054

Security Management

UPDATE: JRE is updated from version 8.0_8.10 to version 8.0_8.21.

PRJ-54418,

PRHF-33584

Security Management

UPDATE: Policy installation duration with hundreds of layers is improved by approximately 30%.

PRJ-55659,
PMTR-105539

Security Management

UPDATE: The "set threat-exception" Management API command now includes the "protection-or-site" parameter. When specified, this parameter adds new values to the existing list of protections or sites, instead of overwriting the current entries.

PRJ-50773,
PRHF-30910

Logging

UPDATE: Port 8211 now accepts connections with the cipher ECDHE_RSA_AES_256_GCM_SHA384.

PRJ-47653,
PRHF-29103

Security Gateway

UPDATE: Added ability to increase/decrease DNS cache table size.

PRJ-54297,
PRHF-28332

Security Gateway

UPDATE: Added a new environment variable "IMPLIED_RULES_SET_BEFORE_LAST". It defines if Multi-Portal implied rules should be matched as "before drop" or "before last". The default value is "0", set to "before drop". When the value is set to "1", implied rules will be matched as "before last". Refer to sk180808.

PRJ-47653,

PRHF-29103

Security Gateway

UPDATE: Added ability to increase/decrease DNS cache table size.

PRJ-51172,

PMTR-97400

Security Gateway

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

PRJ-55745,

PMTR-104855

Threat Prevention

UPDATE: Added the "trackSettings.forensics" parameter to the "threat-rule" Management API command to enable and disable the "forensics" option in the "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true".

PRJ-48029,
PRHF-29471

Threat Emulation

UPDATE: The maximum size for files uploaded to Threat Emulation can now be configured using the Threat Emulation API. Set the "max_api_request_data_size" attribute to specify the new limit.

PRJ-53917,
PRHF-32600

URL Filtering

UPDATE: When URL Filtering operates in Background Mode and encounters an unclassified connection, instead of being approved automatically, such connection is now accepted or rejected based on Access Rule Base execution, and listed under the "unknown" category.

PRJ-54136,

PMTR-103001

SSL Inspection

UPDATE: Added a log for connections rejected because of short Server certificate public key size (RSA 1024 bits or less, ECDSA 256 bits or less).

PRJ-54339,
SNX-99

SSL Network Extender

UPDATE: SSL Network Extender is updated to version 80008409.

PRJ-51530,
PMTR-97036

Mobile Access

UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices.

PRJ-55727,
PMTR-105631

VPN

UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1".

PRJ-54670,
PMTR-104379

VoIP

UPDATE: SIP over UDP requests and responses may be dispatched to different firewall instances when a single-direction rule is defined in the Rule Base, potentially causing returned SIP traffic to be dropped as an unknown connection. To address this, a new global parameter "sip_forward_if_needed" is introduced (disabled by default). When enabled, the Security Gateway forwards responses to the appropriate request instances. Refer to sk182667.

PRJ-55915,
ODU-1819

CloudGuard Network

UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-56191,

PRJ-55685,

PRJ-55299,

PRJ-56681,

PRJ-57027,

PRJ-57261,

ODU-2035,

ODU-2019,

ODU-1955,

ODU-1755,

ODU-1779,

ODU-1787

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 104, Take 111, Take 114, Take 118, Take 119, Take 120 via self-updatable package. Refer to sk170314.

PRJ-56055,

PRJ-55580,

PRJ-57329,

ODU-1979,

ODU-1803,

ODU-1923

Automatic Updates - HCP

UPDATE: Added Update 18 and Update 19 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-55912,
ODU-1849

Automatic Updates - CPView

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-50934,
PRHF-31120

Security Management

SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.

  • Requires additional configuration and R81 SmartConsole Build 569 or higher. Refer to sk181630.

PRJ-53452,
PRHF-32750

Security Management

Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".

  • The fix requires the upgrade to be done using a Blink image or the Advanced Upgrade method.

PRJ-54003,
PRHF-33311

Security Management

In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-51119,
PRHF-31318

Security Management

In rare scenarios, if a Star VPN Community object is created, publish operations may fail.

PRJ-50842,
PRHF-31188

Security Management

Export of a list of objects from the Global Object Explorer fails with the "Export policy is not supported when rule name is in a format of UUID" error message.

PRJ-53505,
PRHF-32561

Security Management

After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and are unable to perform certain management tasks, such as enabling or disabling blades.

PRJ-52898,

PRHF-30884

Security Management

Log queries fail with the error "Problems have occurred during search" when Domain migration is in progress. This occurs specifically during the execution of "export-management" or "import-management" Management API commands.

PRJ-53500,
PRHF-32764

Security Management

In some scenarios, SmartConsole may unexpectedly disconnect.

PRJ-52887,
PRHF-32372

Security Management

"Mapping of Data Center [xxxx] failed. Next mapping is in 300 seconds" errors in the CME logs show failed attempts to scan deleted data centers.

PRJ-56148,

PRHF-35183

Security Management

When Compliance is enabled, the FWM process may unexpectedly exit and generate a core dump. Refer to sk182507.

See the Important Notes section.

PRJ-56854,

PRHF-34283

Security Management

In some scenarios, the FWM process may unexpectedly exit and generate a core dump every few days, when Compliance is enabled and the scheduled full scan is not configured according to sk182507.

PRJ-52432,
PRHF-31953

Security Management

When Global Domain Assignment fails with the "More than one object named 'XXX' exists" error, not all duplicate objects are listed.

PRJ-53893,
PRHF-32890

Security Management

In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually.

PRJ-53339,
PRHF-32639

Security Management

When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string&CURRENTVERCMP" error.

PRJ-49581,
PRHF-30453

Security Management

In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted.

PRJ-48935,
PRHF-30136

Security Management

The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set.

PRJ-55333,

PRHF-33993

Security Management

In rare scenarios, login to SmartView web application using the Domain IP address or Domain name fails.

PRJ-55521,
PMTR-85279

Security Management

In rare scenarios, the CPD process may exit with core dumps.

PRJ-55330,

PRHF-34049

Security Management

If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance.

PRJ-56163,
PMTR-106542

Security Management

In some scenarios, the "set-exception-group applied-threat-rules.position" Management API command may add the exception group to an incorrect position.

PRJ-53258,
PRHF-32595

Security Management

When exporting a policy to a CSV file, the process fails silently if any rule within the policy has a name or comment in UID format. No clear error message is provided to indicate the cause of the failure.

PRJ-55479,
PRHF-33889

Security Management

In rare scenarios, when Application Control is enabled, cloning a policy may fail due to timeout.

PRJ-54657,
PRHF-33941

Security Management

Several Management API commands, such as "show-package" and "install-policy", may fail if running them after the deletion of a cluster member.

PRJ-56710,
PRHF-35700

Multi-Domain Security Management

In some scenarios, cpmiquerybin core files may appear in /var/log/dump/usermode/ on the Security Management Server.

PRJ-53550,
PRHF-32881

Multi-Domain Security Management

When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY".

PRJ-50779,
PRHF-31148

Multi-Domain Security Management

In a Multi-Domain Security Management environment, there may be synchronization timeout errors, and automatic revisions purge may fail.

PRJ-57442,
PMTR-107206

SmartConsole

In some scenarios, opening new tab in SmartConsole Logging & Monitoring tab fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732.

PRJ-42133,

PRHF-25935

CPView

In a rare scenario, when running the CPView utility, the Security Gateway may crash.

PRJ-55951,
PRHF-30878

Logging

In rare scenarios, CPU consumption on the Security Management Server is high and logs are not displayed.

PRJ-46847,

PRJ-46579

Logging

RAD error messages may be printed to the fwk.elg file during cpstop:cpstart on the Security Gateway. The issue is cosmetic only.

PRJ-51442,
PRHF-31195

Logging

The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB).

PRJ-50693,
PRHF-31105

Logging

In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800.

PRJ-51428,
PRHF-31388

Logging

In some scenarios, in Multi-Domain Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied.

PRJ-51515,
PRHF-31567

Logging

Log searches for the same time period may return more results in SmartConsole compared to SmartView.

PRJ-51274,

PRHF-31323,

PRJ-53217,

PRHF-32587

Logging

When adding a table widget to a SmartView report:

  • The "Missed Malware Activity" and "Spyware Action" fields may not be possible to pick.

  • The "Malware Action" filter may appear twice in the picker. Refer to sk182049.

PRJ-51692,
PRHF-31777

Logging

In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole. However, the new Log Exporter object is not actually generated.

PRJ-52462,
PRHF-31160

Logging

In SmartView, filtering logs by "event_type" may fail with the "Query failed" error.

PRJ-54059,
PMTR-102031

Logging

In rare scenarios, empty log list may be displayed when selecting a log file to view in SmartConsole.

PRJ-50260,
PRHF-30848

Logging

In SmartView, some countries are not displayed in the countries picker.

PRJ-33619,
PRHF-20992

Logging

Log Exporter may unexpectedly exit when using a non-RSA certificate.

PRJ-44793,
PRHF-27521

Logging

In rare scenarios, the FWD process on the Security Gateway may reach out of memory and produce a core dump file of around 3GB.

PRJ-52939,

PRHF-32194

Logging

In the Logs view, the "TCP-other" and "UDP-other" services are displayed as generic service IDs, for example, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477".

PRJ-54062,
PMTR-102780

Logging

In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file.

PRJ-48770,
PRHF-30060

Logging

The "show logs" Management API command may show partial information for the fields with multiple values.

PRJ-50614,
PRHF-29955

Logging

The FWD process may exit and cause issues with opening packet capture files on remote members.

PRJ-51968,
PMTR-99054

Security Gateway

The CPWD daemon does not restart automatically.

PRJ-53073,
PMTR-96269

Security Gateway

In some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID".

PRJ-48815,
PRHF-30025

Security Gateway

After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found".

PRJ-46888,
PRHF-29024

Security Gateway

Incorrect value in the "fwisusfw" register causes improper CPU affinity and dynamic balancing initialization in User Space Firewall mode after an upgrade. Refer to sk182004.

PRJ-52677,
PRHF-31821

Security Gateway

Running GTP traffic may cause a crash on a Security Gateway without a GTP license.

PRJ-54413,
PRHF-33710

Security Gateway

In a VSX Cluster environment, the CPVIEWD daemon may cause a high CPU.

PRJ-56166,

PMTR-98475

Security Gateway

The RAD process exits and creates a core file on the Security Gateway.

PRJ-45949,

PRHF-28371

Security Gateway

During policy installation, Rule Base internal error drops may be shown in the SmartConsole logs. Logs related to "dynobjs" may be printed in Messages.

PRJ-48103,

PRHF-29616

Security Gateway

Outages may occur when the FWD process exits or restarts and Security Group member goes down triggering Scalable Chassis failover.

PRJ-55938,
PRHF-34652

Security Gateway

A minor memory leak in a process related to the Unified Access Policy Rule Base.

PRJ-52772,
PRHF-32213

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit.

PRJ-49900,
PRHF-30541

Security Gateway

Kernel Memory usage increases persistently each day on a Security Gateway/Security Group when CGNAT is enabled. Refer to sk182140.

PRJ-53626,
PMTR-102177

Security Gateway

A memory issue may occur in a cluster environment, when SIP inspection is enabled.

PRJ-51437,
PMTR-98446

Security Gateway

A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart.

PRJ-55516,

PMTR-105145

Security Gateway

  • In some scenarios, the Security Gateway may crash with a vmcore in /var/log/crash or fwk core in /var/log/dump/usermode/.
  • The "kernel: xxxxx: tx_timeout" error is printed in /var/log/messages.
  • PSL drops packets with "PSL Drop: psl_build_pslip failed" message, potentially impacting network performance and streaming capabilities.

See the Important Notes section.

PRJ-54527,
PMTR-103857

Security Gateway

In some scenarios, the Security Gateway offloads connections to SecureXL in error when the initial route lookup could not find a route for it.

PRJ-54626,
PRHF-33768

Security Gateway

In some scenarios, adding sequential IP addresses as MDPS task addresses may fail.

PRJ-55577,

PMTR-104837

Security Gateway

A buffer overflow may occur in the HTTP flow, affecting the FWK process.

PRJ-57106,

PRHF-36116

Security Gateway

Memory leak may occur in SecureXL templates. Refer to sk182648.

See the Important Notes section.

PRJ-53808,
PRHF-33037

Security Gateway

The Security Gateway may crash after a failure in policy installation.

PRJ-56642,
PMTR-107570

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit when the IPS / Application Control / Anti-Virus / Anti-Bot is active and the HyperFlow feature is enabled.

PRJ-52645,
PRHF-31996

Internal CA

CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released. CPCA closes the connection prematurely.

PRJ-48308,
ACCESS-680

Threat Prevention

In rare scenarios, when Anti-Virus, Threat Extraction and Threat Emulation are enabled, some connections that were on hold are dropped.

PRJ-53910,
PMTR-102756

Threat Prevention

SSH DPI may not work because of incorrect parsing of the client hello from a non-standard SSH client.

PRJ-56094,

PMTR-106568

Threat Prevention

SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other Threat Prevention products are disabled.

PRJ-50699,
PRHF-30997

Threat Prevention

Anti-Virus fails to parse IoC feeds that contain IPv6 addresses.

PRJ-51055,
PRHF-31189

Threat Prevention

Threat Prevention policy installation may fail because of invalid JSON format in the IoC feed feature configuration file. Refer to sk181650.

PRJ-55765,

PMTR-104381

Threat Prevention

In rare scenarios, policy installation may fail after an upgrade of a VSX Gateway.

PRJ-55987,

PMTR-104285

Threat Prevention

In a rare scenario, Threat Prevention policy installation may fail after an over-the-air (OTA) package update of TP_CONF_SERVICE. Refer to sk182572.

PRJ-53199,
PMTR-97508

Threat Prevention

In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops.

PRJ-56330,
MBS-18307

Threat Prevention

In a rare scenario, the Security Gateway may crash during traffic inspection when holding a connection.

PRJ-51490,

PRHF-31582

Threat Emulation

When using ICAP, filename handling occasionally fails. As a result Threat Emulation may not be able to process this specific file.

PRJ-46347,

PRHF-27721

Threat Emulation

The ICAP client may send the file name under "Content-Disposition" in an unsupported format written as "filename*=" instead of "filename=", and the Threat Emulation does not process such files.

PRJ-46488,
PRHF-28698

Identity Awareness

Policy Enforcement Point (PEP) logs show a username after the user session is expired. Refer to sk181553.

PRJ-53588,
PRHF-32655

Identity Awareness

In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Any groups beyond this limit are disregarded when determining user access roles.

PRJ-51339,
PRHF-29801

Identity Awareness

In some scenarios, the PEPD process may consume a high CPU because of a high rate of identity propagation.

PRJ-35859,
PMTR-76453

Identity Awareness

Microsoft Azure Active Directory does not fetch users in the Access Role object and shows "The user directory is still initializing". Refer to sk175983.

PRJ-56512,
PMTR-100177

Application Control

The fwk.elg file may be flooded with the "DNS_DATA_SOURCE failed on context 201, executing context 366 exception" messages. Refer to sk182606.

PRJ-55458,

PRHF-34098

URL Filtering

In scenarios where there is a heavy load on the machine, the RAD queue can fill up and get clogged by unhandled requests, causing an outage and traffic disruption.

PRJ-56622,

PMTR-107215

IPS

IPS may drop an IPv6 TCP local connection.

PRJ-54429,
PRHF-33644

IPS

In a rare scenario, when IPS is enabled and logging on a rule that involves IPS is enabled, physical memory usage may rapidly increase.

PRJ-43102,
PMTR-87284

DLP

Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs.

PRJ-50979,
PRHF-31207

Anti-Virus

Anti-Virus may enforce observables from IoC feeds although they were deactivated in SmartConsole.

PRJ-53126,
PRHF-32438

Anti-Virus

The DLPU process may unexpectedly exit due to uninitialized memory when Anti-Virus scans files. Refer to sk182030.

PRJ-56040,
PRHF-34907

Anti-Virus

In some scenarios, the Anti-Virus logs on a VSX Gateway may display an incorrect origin IP address.

PRJ-54194,

PRHF-31001

Anti-Bot

Anti-Bot may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494.

PRJ-52977,
PRHF-32251

Mobile Access

Enabling the "cvpnd" debug causes the reverseproxy_ssl_debug.log file size to continue growing even after the "reverse proxy" debug is off.

PRJ-51152,
PMTR-92065

Mobile Access

Web Application names column width is too narrow to fit in the Mobile Access Portal. Refer to sk181774.

PRJ-54443,

PMTR-103889

Mobile Access

HTTPS access to the Mobile Access Portal may be down.

PRJ-54639,
PMTR-90199

Mobile Access

The HTTPD process of the Mobile Access Portal may exit with a core dump file.

PRJ-56220,

PRHF-35271

Mobile Access

The "citrixStrictTicketEnforcement" parameter set in the configuration file may not work as expected.

PRJ-42807,
PRHF-24122

ClusterXL

Cluster members may crash, generating vmcores in /var/log/crash.

PRJ-54168,
PMTR-103483

ClusterXL

In rare scenarios, in a cluster environment, the CPDiag tool may crash.

PRJ-55632,

PRHF-27989

ClusterXL

After modifying a bond, the Monitored VLANs may disappear. Refer to sk180724.

PRJ-54329,
PRHF-33511

SecureXL

In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out.

PRJ-54426,
PMTR-102834

SecureXL

In some scenarios, the VSX Gateway does not initialize the Virtual System correctly when connected to a Virtual Router or Virtual Switch.

PRJ-54321,
PMTR-103651

SecureXL

In some scenarios, traffic with Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSXGateway.

PRJ-53059,
PMTR-101152

SecureXL

During the deny list update process, there is a temporary gap where no IP addresses are blocked, allowing unwanted traffic to pass through the Security Gateway unfiltered.

PRJ-54423,
PMTR-102759

SecureXL

In some scenarios, the VSX Gateway may fail to properly reroute traffic originating from a Virtual Switch.

PRJ-56009,

PRHF-34987

SecureXL

In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures.

PRJ-51109,

PMTR-97788

SecureXL

SYN Defender configuration in Inspection Settings on the Security Management Server may not be applied on Accelerated Policy installation.

PRJ-56805,
PMTR-84843

SecureXL

When the VSX Gateway is created, the parameter that determines whether VSX mode is enabled or disabled is not set in SecureXL configuration until a reboot is performed.

PRJ-56523,
PMTR-101893

Routing

In a ClusterXL environment, a race condition may occur when BGP Graceful Restart is incorrectly configured. If the feature is enabled for some peers but not others, it may lead to permanent loss of network routes.

PRJ-55342,
PMTR-104736

Routing

OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks due to the omission of an "IP-Address" field in the grace LSA.

PRJ-54601,
PMTR-104146

Routing

Routing BFD sessions using IPv6 global addresses on single-hop interfaces fail to recover after the network interface is administratively disabled and re-enabled.

PRJ-53826,
PMTR-95640

Routing

A multicast outage may occur during failovers caused by interface flaps.

PRJ-53854,
PRHF-33138

Routing

ROUTED process assert failure may take place when LSA from a neighbor's retransmission list is freed if that LSA belongs to the max age hold tree that is flooded at max age.

PRJ-54406,
PRHF-33153

Routing

A multicast outage may occur after a failover triggered by incomplete processing of cluster synchronization messages.

PRJ-53170,
PMTR-99623

Routing

The ROUTED process may unexpectedly exit because of an OSPF assertion failure.

PRJ-53173,

PMTR-101331

Routing

Graceful Restart may end prematurely in OSPF NSSA areas.

PRJ-56431,

PMTR-107256

Routing

Dynamic Routing outage in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation / uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556.

PRJ-56052,
PRHF-35042

Gaia OS

Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds.

PRJ-56119,
PRHF-35200

Gaia OS

The "Unable to connect to the server, Press OK to reconnect" error is displayed when opening the Network Interfaces tab in the Gaia Portal. Refer to sk182560.

PRJ-55304,
PRHF-32694

Gaia OS

The "cpviewd: unable to read from gpio_nuvoton driver module. snmpd: unable to read from gpio_nuvoton driver module" messages may be printed in /var/log/messages.

PRJ-52414,

PRHF-31929

Gaia OS

SNMP query for OID 1.3.6.1.4.1.2620.1.6.7.5.1.5 (CPU utilization per CPU core) and the "cpstat os -f cpu" command may return an incorrect value. Refer to sk182447.

PRJ-54435

Gaia OS

After a Jumbo Hotfix Accumulator upgrade, login notifier may be enabled, although it was disabled before the upgrade.

PRJ-54178,
PMTR-103543

Gaia OS

Removing unused built-in user called "cp_ender" that may appear in Gaia OS after an upgrade. Refer to sk182185.

PRJ-41989,
PRHF-25144

Gaia OS

Trap names duplications in chkpnt.mib and chkpnt-trap.mib may cause incorrect values when using SNMP traps.

PRJ-51349,
PRHF-31438

VPN

Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason.

PRJ-55486,
PRHF-30493

VPN

During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them.

PRJ-53847,
PRHF-33098

VPN

After an update, if in VPN if configured with Permanent Tunnels enabled, RAM utilization may increase.

PRJ-55291,
PMTR-103968

VPN

Configuring a Large Scale VPN (LSV) with IPv6 and establishing a VPN tunnel may cause the FWK process to exit.

PRJ-53011,

PMTR-100991

VPN

The FWK process may crash when establishing multiple VPN tunnels simultaneously at peak rates.

PRJ-49208,

PRHF-30241

VPN

Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of medium path, Quality of Service (QoS) controls, and VPN.

PRJ-50088,

PMTR-90101

VPN

By default, the VPN permanent tunnel is configured to use "tunnel test" instead of "DPD". This configuration may cause inaccurate permanent tunnel status reporting when connecting to third-party devices.

PRJ-56038,

PRJ-55986

VPN

During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big".

PRJ-51018,
PRHF-31136

VPN

Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783.

PRJ-53713,
PRHF-32719

VPN

Tunnel testing fails after an upgrade. Refer to sk182267.

PRJ-53382,
PMTR-101269

VPN

IPv6 non-VPN traffic may be dropped with "Clear text packet should be encrypted".

PRJ-52828,
PMTR-96593

VPN

In a rare scenario, in a Maestro environment, the first packet of the VPN tunnel is lost or has a large delay.

PRJ-50155,

PMTR-93643

VPN

When working with iOS devices, after establishing a VPN connection and subsequently disconnecting devices, the "vpn tu tlist" command may display an incorrect device connection status, indicating that a device is still connected.

PRJ-54679,

PMTR-104230

Multi-Portal

Under a special routing configuration, an active Cluster member may accept portal traffic (on TCP ports 80 and 443) destined to a Standby member IP address.

PRJ-55885,
PMTR-106172

VSX

Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment.

PRJ-53116,
PMTR-99343

VSX

In a VSX Cluster with IPv6 enabled, after an upgrade, VS's without IPv6 address may fail to install the Access policy.

PRJ-54596,
PRHF-33572

VSX

In rare scenarios, the CPD process of the default Virtual System on a VSX Gateway (VS0) gets stuck.

PRJ-56671,

PRHF-35637

VSX

Memory corruption may occur when a bond interface is configured, leading to a Security Gateway crash with a vmcore or a boot loop.

PRJ-57815,
PRHF-17665

VSX

Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950.

PRJ-47806,
PRHF-29624

CloudGuard Network

In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state.

PRJ-44695,
PRHF-27834

Scalable Platforms

When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only.

PRJ-55568,
PMTR-105246

Scalable Platforms

Traffic outage after policy installation on a Maestro Security Group in the VSX mode that works in the Dual Site configuration. Refer to sk182379.

PRJ-53081,
PMTR-97118

Scalable Platforms

Redundant "MHO_stateAgent[3230]: QuidAddon: System not ready yet - attempting to re-init" messages in the /var/log/messages file.

PRJ-29746,
PMTR-70976

Scalable Platforms

When configuring backup-scheduled/snapshot recurrence via gClish shell with "The <name> job already exists. Please choose another name. Backup schedule failed. The backup will not be scheduled".

PRJ-49846,
PRHF-30436

Scalable Platforms

Site to Site VPN traffic may be interrupted after installing policy with VSLS.

PRJ-57437,

PRHF-36390

Scalable Platforms

In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connection going through a Site to Site VPN to a remote location, may be dropped with "First packet isn't SYN".

See the Important Notes section.

PRJ-50624,
PRHF-29180

Carrier Security

  • ClusterXL Active member changes the status to "LOST".

  • Kernel segfault error is printed in /var/log/messages.

  • The CPD daemon and CPVIEW_SERVICE exit.

Take 99

Published on 05 June 2024 and declared as Recommended on 16 June 2024

Take 99 - New Functionality

 

PRJ-50102,
PRHF-30325

Diagnostics

NEW: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository.

PRJ-51032

Security Management

NEW: Added ability for R81 Security Management or Multi-Domain Server to manage 19000 and 29000 Check Point appliances.

  • Requires R81 SmartConsole Build 568 (or higher).

PRJ-51434,
PMTR-98141

SSL Inspection

NEW: Added ability to import PKCS#12 files using AES-256-CBC encryption with PBKDF2-HMAC-SHA-256. This enhancement is designed for use in multi-portal environments and HTTPS Inspection scenarios.

PRJ-49831,
ACCESS-799

Application Control

NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol.

This ability is enabled by default.

  • To disable this ability, run: "fw ctl set int appi_drop_packet_enabled 0".

  • To enable this ability, run: "fw ctl set int appi_drop_packet_enabled 1".

PRJ-47017,
CRYPTOIS-2878

VPN

NEW: Added support for a new tool (shell script) on a Management Server that can show and renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways and VSX Virtual Systems. Refer to sk182070.

PRJ-48080,
PRHF-29774

CloudGuard Network

NEW: Added support for Azure Scale sets with Flexible orchestration mode.

Take 99 - Improvements and Resolved Issues

 

PRJ-55494,
PRHF-34269

VPN

CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336.

PRJ-55469,
PRHF-34219

VPN

UPDATE: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or lower, and not updated after the upgrade to R80.30, is blocked until the password is reset. Refer to sk182336.

PRJ-48778,
SL-8207

Security Management

UPDATE: Added validation for new permissions for configuring a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > Run the following script before deleting old files.

PRJ-52446,
PRHF-31852

Security Management

UPDATE: Added an ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033.

PRJ-49172,
PRHF-30294

Security Management

UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877.

PRJ-48094,

PMTR-77299

CPView

UPDATE: CPView now shows statistical data also for servers with 256/512 CPU cores.

PRJ-51123,
PRHF-31302

Security Gateway

UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921.

PRJ-50427,

PMTR-96484

Security Gateway

UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions.

PRJ-46319,
PMTR-92164

Security Gateway

UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log.

PRJ-50739,

PRHF-30794

Security Gateway

UPDATE: Added an ability to configure objects for the HTTPS Inspection CA using labels.

  • There are now handle-based and label-based configurations.

  • Hardware Security Module in High Availability mode (HSM HA) now supports only the label-based configuration.

PRJ-50498,
IDA-5167

Identity Awareness

UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways.

PRJ-48175,
PMTR-95781

Mobile Access

UPDATE: jQuery UI is upgraded to version 1.13.2. Resolved CVE-2021-41184.

PRJ-43432,
PRHF-26673

SecureXL

UPDATE: It is now possible to add exceptions to external IoC feeds.

PRJ-46624,
PMTR-87439

VPN

UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server.

PRJ-43881,
PMTR-86708

VSX

UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX.

PRJ-50872,
PMTR-97129

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

PRJ-48009,
PRHF-29711

Gaia OS

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

PRJ-50788,
PMTR-97169

Harmony Endpoint

UPDATE: Posture Management (Vulnerability & Patch Management) is now supported.

PRJ-50319,
PMTR-95965

CloudGuard Network

UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823.

PRJ-52861,
PMTR-100872

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region.

PRJ-52626,

PRJ-53584,

PRJ-54097,

PRJ-54457,

ODU-1731,

ODU-1667,

ODU-1571,

ODU-1392

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 94, Take 97, Take 100 and Take 102 via self-updatable package. Refer to sk170314.

PRJ-52818,
ODU-1491

Automatic Updates - CPView

UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521.

PRJ-52594,

PRJ-54686,

ODU-1707,
ODU-1499

Automatic Updates - CPView

UPDATE: Added Take 77 and Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-52040,
ODU-1201

Automatic Updates - Threat Extraction

UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832.

PRJ-51509,

PRJ-52585,

PRJ-53539,

ODU-1476,

ODU-1460,

ODU-1248

Automatic Updates - Threat Prevention

UPDATE: Added Update 22, Update 23 and Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-52694,
ODU-1408

Automatic Updates - Smart-1 Cloud

UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-52865,

PRJ-53686,

PRJ-54175,

ODU-1595,

ODU-1531,

ODU-1659

Automatic Updates - HCP

UPDATE: Added Update 15, Update 16 and Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-53395,

PRJ-53680,

PRJ-54171,

ODU-1611,

ODU-1563,

ODU-1683

Automatic Updates - CPSDC

UPDATE: Added Take 31, Take 33 and Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-50750,

PMTR-96420

Infrastructure

UPDATE: Added Python 3.11.4.

PRJ-49360,
PRHF-30301

Security Management

There may be synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Server when a newly created local administrator on the backup Security Management Server makes changes to rules or objects, after the Active role is switched to that Security Management Server.

PRJ-41779,
PRHF-25318

Security Management

In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view.

PRJ-52344,
PRHF-31814

Security Management

In some scenarios, the PostgreSQL database fully utilizes disk space on the Standby Security Management Server.

PRJ-50371,
PMTR-96089

Security Management

When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message.

PRJ-50017,
PMTR-86613

Security Management

It may not be possible to add/set a Threat Prevention Exception with a protection-or-site UID.

PRJ-53347,
PRHF-32714

Security Management

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file.

PRJ-51203,
PRHF-31334

Security Management

If all revisions were purged on the Security Management Server, the "show packages details-level full" Management API call may fail.

PRJ-51512,
PRHF-31523

Security Management

The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt.

PRJ-52779,
PRHF-32286

Security Management

When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time.

PRJ-52848,
PRHF-32222

Security Management

Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-52017,
PRHF-31622

Security Management

Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled.

PRJ-52913,
PRHF-32334

Security Management

Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected.

PRJ-52043,
PRHF-31789

Security Management

In some scenarios, the Security Management Server upgrade to R81.20 fails with "java.lang.String incompatible with com.checkpoint.infrastructure.types.CPUUID" in the upgrade report. The issue occurs during the import of the User Data Domain.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-51541,
PMTR-98526

Security Management

Enabling automatic updates of Trusted CAs as described in sk173629 may fail.

PRJ-50357,
PRHF-30763

Security Management

In multi-site environments, when using LDAP administrators configured on an external LDAP Server, logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status.

PRJ-51072,
PRHF-31280

Security Management

Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID.

PRJ-49882,
PRHF-30289

Security Management

Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report.

PRJ-49942,
PRHF-30561

Security Management

In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object.

PRJ-50591,
PRHF-30931

Security Management

High Availability synchronization runs after every scheduled Application Control update, even if the Application Control is up to date.

PRJ-51594,
PRHF-31532

Security Management

In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822.

PRJ-51617,
PRHF-31710

Security Management

Deleting a Domain may fail when using the createDomainRecovery.sh script.

PRJ-49665,
PMTR-92847

Security Management

The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks.

PRJ-52010,
PRHF-31738

Security Management

In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886". But sk178886 describes a different scenario and does not resolve the issue.

PRJ-52815,
PMTR-100795

Security Management

If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report.

PRJ-50765,
PRHF-31101

Security Management

In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed.

PRJ-48440,
PRHF-30005

Security Management

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

PRJ-52877,

PRJ-52516,

PRHF-32065,

PRHF-32383

Security Management

In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages.

PRJ-50997,
PRHF-31180

Security Management

Install Policy Presets may fail after purging all revisions. Refer to sk181652.

PRJ-51675,
PRHF-31606

Security Management

Global Assignment fails with "Locked for editing by another administrator and need to be published or discarded before the operation can take place". Refer to sk181807.

PRJ-52789,
PRHF-32309

Security Management

In rare scenarios, High Availability synchronization fails with "Peer is busy".

PRJ-45021,
PRHF-28126

Security Management

The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected.

PRJ-50353,
PRHF-30825

Security Management

SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script.

PRJ-50045,
PRHF-30714

Security Management

In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete.

PRJ-49951,
PRHF-30373

Security Management

Login to SmartConsole may fail while the Compliance Blade is running a full scan.

PRJ-50185,
PRHF-30766

Security Management

In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption".

PRJ-50212,
PRHF-30688

Security Management

Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters.

PRJ-49343,
PMTR-95009

Security Management

SmartConsole may unexpectedly close after deleting an object in the Object Explorer view.

PRJ-48914,
PRHF-29502

Security Management

In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397.

PRJ-51066,
PRHF-31283

Security Management

In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time.

PRJ-49988,
PRHF-30686

Security Management

The "fwm sic_reset" command may fail and generate a core dump.

PRJ-49224,
PRHF-30300

Security Management

In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-50406,

PRHF-30754

Security Management

The Change Report generated before publishing a session, may contain internal system changes that were made by the user.

PRJ-53726,
PMTR-102450

Security Management

Changes Report may allow to list certain directory contents.

PRJ-54093,
PRHF-28962

Security Management

In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-41752,
PRHF-25570

Security Management

Some debug messages may appear in the /var/log/messages file, although the debug mode is not activated. The issue is cosmetic only.

PRJ-55500,

PRHF-34248

Security Management

A memory leak may occur in the FWM process which leads to SmartConsole connection failures.

PRJ-52968,

PRHF-29693

Multi-Domain Security Management

The "cprlic get" command output may not provide correct information about vSEC licenses.

PRJ-51270,
PRHF-30806

Multi-Domain Security Management

In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails.

PRJ-48394,
PRHF-29737

Multi-Domain Security Management

In Multi-Domain Security Management environments, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred"

PRJ-49713,

PRHF-30513,

PRJ-50578,
PRHF-30902

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-49478,
PRHF-29987

Multi-Domain Management

When viewing Subordinate CA objects in SmartConsole:

  • Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

  • The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

    • The fix requires installing SmartConsole R81 Build 568 (or higher).

PRJ-46933,
PRHF-28412

SmartConsole

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

PRJ-51425,
PMTR-98332

Web SmartConsole

Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6.

PRJ-51663,
PMTR-98552

Web SmartConsole

An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801.

PRJ-49972,
PMTR-94928

CPView

CPU statistics may be incorrect or missing in CPView. Refer to sk182286.

PRJ-44496,
PMTR-90355

CPView

In rare scenarios, CPView does not handle VS context correctly.

PRJ-48001,
PRHF-29744

CPView

Offload may fail in CPView with "ERROR! Reason not initialized".

PRJ-52602,

PMTR-94461

CPView

In the "cpview -m" command output on the Security Gateway which is an Active Cluster member, "metrics system.network.nat.ports" and "system.network.nat.ports.limit" may not be displayed in the list of available metrics.

PRJ-48804,
SL-8218

Logging

Some attributes in SNMP MIB file may not be accessible.

PRJ-52719,
PRHF-30795

Logging

Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options.

PRJ-46286,
PRHF-27161

Logging

In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds".

PRJ-47314,
PRHF-29126

Logging

When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly.

PRJ-49388,
PRHF-30398

Logging

In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field.

PRJ-47283,
PRHF-27417

Logging

When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters.

PRJ-48240,
PRHF-29837

Logging

The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706.

PRJ-47982,
PRHF-29667

Logging

Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only.

PRJ-53335,
PMTR-101195

Logging

When the "IP Options drop" tracking Global Properties setting is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole.

PRJ-44589,

PRHF-26975

Logging

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

PRJ-46205,
PRHF-27710

Logging

Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609.

PRJ-52469,
PMTR-98658

Security Gateway

CIFS traffic may cause CPU spikes in the FWK process.

PRJ-51146,
PRHF-31357

Logging

When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677.

PRJ-51526,
PRHF-31572

Security Gateway

Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are enabled. Refer to sk181793.

PRJ-51075,
PMTR-94275

Security Gateway

In rare scenarios, a file downloaded via HTTP may be corrupted.

PRJ-52672,

PRHF-32203

Security Gateway

CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

PRJ-48320,
PRHF-29953

Security Gateway

The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration.

PRJ-46201,
PRHF-25771

Security Gateway

In rare scenarios, updating the NTP Server may cause a temporary outage.

PRJ-50138,
PRHF-30588

Security Gateway

Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments.

PRJ-47955,
PMTR-93503

Security Gateway

The CPVIEW_API_SERVICE process may exit with a timeout.

PRJ-50601,
PRHF-28340

Security Gateway

In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow.

PRJ-51458,
PRHF-31473

Security Gateway

When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:

  • A DNS query to any ISP returns IP addresses of all three, although it should return only the active ISP.

  • When one ISP is down, the faulty ISP is also returned instead of the newly active.

PRJ-48261,
PMTR-93809

Security Gateway

Notifications of SecureXL connection deletion appear unfiltered in the debug output, also when using a debug filter.

PRJ-52519,

PRHF-31425

Security Gateway

The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process.

PRJ-47670,

PRJ-47666,

PRHF-29516,

PRHF-29535

Security Gateway

When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries.

PRJ-51037,

PRHF-31146

Security Gateway

The Security Gateway may crash during policy installation.

PRJ-51944,
PRHF-31780

Security Gateway

In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base.

PRJ-52794,
PRHF-31617

Security Gateway

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router.

PRJ-47208,
PRHF-29194

Security Gateway

When running the tp_collector tool, the FW_FULL process may unexpectedly exit.

PRJ-52362,
ACCHA-2386

Security Gateway

In a VSX environment, the FW_FULL process may exit when running "fw monitor -p all" with the "-v" flag on a specific list of Virtual Systems (VS's) where not all VS's have identical blade configurations enabled.

PRJ-47662,
PRHF-29452

Security Gateway

Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages.

PRJ-51607,
PRHF-31672

Security Gateway

The ICAP Server may fail to initialize.

PRJ-49115,
PRJ-45207

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit when running an outgoing (a local connection) from the Security Gateway.

PRJ-52419,
PMTR-99316

Security Gateway

Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object.

PRJ-50658,
PRHF-30938

Security Gateway

The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address.

PRJ-52112,
PMTR-98129

Security Gateway

Incorrect CPU statics may be shown in CPView when using Dynamic Split.

PRJ-45692,
PRHF-28403

Security Gateway

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

PRJ-48821,
PRHF-29853

Security Gateway

In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway.

PRJ-48021,
PMTR-91868

Security Gateway

In some scenarios, when IPS is enabled, CPU spikes may occur.

PRJ-47445,
PRHF-29413

Threat Prevention

When configuring ioc feeds from the management:

  • The "no_ssl_validation" variable may be deleted after the policy installation.

  • Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

PRJ-50656,
PRHF-30793

Threat Prevention

In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process.

PRJ-47458,
PRHF-29514

Threat Prevention

In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash.

PRJ-46903,
PRHF-29115

Threat Prevention

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

PRJ-48085,
PMTR-93601

Threat Prevention

An outage may occur when an unsupported SSH cipher is selected.

PRJ-49876,
PRHF-30512

Threat Prevention

Traffic directed towards a host situated behind the Security Gateway is not blocked. For instance, if an IP address listed in the feed sends an ICMP request, it will reach a host behind the Gateway without being blocked. Refer to sk132193.

PRJ-43971,
PRHF-21246

Threat Prevention

When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems.

PRJ-50050,
PRHF-30177

Threat Prevention

Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the "fwaccel dos deny" feature are configured. Refer to sk182223.

PRJ-46442,
PRHF-28775

Threat Prevention

Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension.

PRJ-49511,
PMTR-94919

Threat Prevention

In a rare scenario, changes in Threat Prevention Custom Intelligence feeds settings may not be applied after policy installation.

PRJ-49007,

PMTR-92233

Threat Prevention

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

PRJ-48428,
PMTR-93558

Threat Prevention

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

PRJ-42869,
PRHF-26332

Threat Prevention

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225.

PRJ-46595,
PRHF-29036

Threat Extraction

The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974.

PRJ-55346,

PMTR-104752

Threat Prevention

The "Categorized HTTPS Sites" option does not classify specific websites when "TLS 1.3 hybridized Kyber support" is enabled in the browser. Refer to sk182318.

PRJ-49317

Identity Awareness

There may be high memory consumption by Identity Broker in the synchronization flow.

PRJ-51333,
PRHF-31398

Identity Awareness

When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access.

PRJ-49434,
PMTR-92848

Identity Awareness

In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers.

PRJ-52369,
PRHF-31314

Identity Awareness

After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946.

PRJ-50512,
PMTR-92204

Identity Awareness

In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration.

PRJ-52871,
PRHF-32296

Identity Awareness

User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation.

PRJ-50582,
PRHF-30933

Identity Awareness

During policy installation, users authenticated using the Captive Portal may get disconnected.

PRJ-43455,
PRHF-26010

Application Control

When a policy contains a white list, some packets may not match the listed applications.

PRJ-45134,
PRHF-27966

Identity Awareness

In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged.

PRJ-51421,
PRHF-31468

Identity Awareness

In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network.

PRJ-46757,
PRHF-28441

Identity Awareness

The ida_tables_util tool may fail with the "bad adress" error.

PRJ-47440,
PMTR-92960

Identity Awareness

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

PRJ-45719,
PRHF-27843

Application Control

Policy installation fails when a custom application and user category have the same name.

PRJ-46197,
PMTR-85660

Application Control

CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186.

PRJ-50803,
PRHF-28437

IPS

There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade.

PRJ-42479,
PRHF-26320

IPS

Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types.

PRJ-49043,
PRHF-30082

DLP

The DLP process may unexpectedly exit during policy installation.

PRJ-53123,
PRHF-32092

Anti-Virus

The DLPU process may frequently exit with a core dump file.

PRJ-49519,
TPP-3592

Anti-Virus

The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile.

PRJ-51181,
PRHF-31305

Anti-Virus

Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures.

PRJ-52661,
PRJ-52660

Anti-Virus

Some URLs may be blocked by the Anti-Virus blade as malicious, even though the Threat Prevention Rule Base contains an exception rule with a Site/Application object that includes this URL.

PRJ-50527,
PMTR-96396

Anti-Virus

In a rare scenario, the Security Gateway may crash during inspection of file downloads.

PRJ-49296,

PRHF-23253

Anti-Virus

Anti-Virus fails to release held connections after the inspection.

PRJ-49569,
PRHF-29935

Anti-Virus

The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds.

PRJ-49791,
PRHF-30328

SSL Inspection

Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM).

PRJ-45149,
PMTR-83342

SSL Inspection

When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text.

PRJ-52046,

PRHF-31811

Mobile Access

SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805.

See the Important Notes section.

PRJ-50115,
PRHF-30245

ClusterXL

In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also.

PRJ-50868,
PRHF-31176

ClusterXL

The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue.

PRJ-48412,
PRHF-29594

ClusterXL

In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem".

PRJ-52490,

PMTR-99615

ClusterXL

The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891.

See the Important Notes section.

PRJ-51586,
PRHF-31481

ClusterXL

The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster.

PRJ-52729,

PRHF-32237

ClusterXL

When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status.

PRJ-52894,
PMTR-100934

ClusterXL

In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error.

PRJ-44518,
PRHF-23500

SecureXL

Multicast packets received on an interface with PIM disabled can cause multicast packet drops on other interfaces by filling up the kernel routing queue.

PRJ-52804,
PMTR-96017

SecureXL

In some scenarios when Route-based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address.

PRJ-50835,
PMTR-96036

SecureXL

There may be a delay in enforcing DOS/Rate Limiting rules to drop packets when concurrent connection limits are exceeded.

PRJ-51620,
PMTR-97796

SecureXL

In some scenarios, fragmented ICMP packets may bypass the DOS/ Rate limiting deny list.

PRJ-49377,
PRHF-30056

SecureXL

Syn Defender may not correctly handle reused connections.

PRJ-52797,
PRHF-31629

SecureXL

The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list.

PRJ-50925,
PMTR-97095

SecureXL

When attempting to route packets to unresponsive hosts, the CPU utilization may be high.

PRJ-52800,
PRHF-31631

SecureXL

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch.

PRJ-33122,
PMTR-75021

SecureXL

CPView shows SecureXL drops incorrectly as "0" (zero).

PRJ-51176,
PRHF-31303

SecureXL

The Security Gateway may crash with vmcore during boot while upgrading.

PRJ-48888,
PRHF-29906

SecureXL

The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway.

PRJ-50545,
PRJ-50419

SecureXL

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

PRJ-50944,
ACCHA-3546,

PRJ-50949,
PMTR-74344,

PRJ-50952,
PRHF-30474,

PRJ-50938,
PMTR-90999

SecureXL

In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch.

PRJ-50942,
ACCHA-3219,

PRJ-50940,
ACCHA-3355,

SecureXL

In some scenarios, the VSX Security Gateway may crash when sending VPN encrypted traffic through a Virtual Router/Switch.

PRJ-49756,
PMTR-95601

SecureXL

Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces.

PRJ-51208,

PRHF-31259

SecureXL

In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer.

PRJ-50831,
PMTR-96490

Routing

The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios.

PRJ-49962,
PMTR-95764

Routing

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

PRJ-49235,
PMTR-94838

Routing

When one of the multiple PIM neighbors goes down on the LAN, there may be outages in multicast traffic.

PRJ-51981,
ROUT-2393

Routing

When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing.

PRJ-52652,
PMTR-80016

Routing

A core dump for the ROUTED process is created while changing the Security Gateway PIM configuration from Bootstrap-Candidate to Candidate-RP using the "set pim" command.

PRJ-52650,

PRJ-52657,

PRJ-52654,
PRHF-31818,

PRHF-31977,

PMTR-78961

Routing

Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated.

PRJ-53567,
PMTR-100631

Routing

In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor.

PRJ-53055,
PRHF-32078

Routing

In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization.

PRJ-50024,
PRHF-29091

Routing

The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces.

PRJ-52669,
PRHF-32205

Routing

Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on".

PRJ-51258,
PRHF-31307

Routing

It may not be possible to propagate a newly added static route through OSPF.

PRJ-53052,
ROUT-2968

Routing

BGP peers may experience timeouts when these conditions occur simultaneously:

  • The network has more than 100 BGP peers configured,

  • The routing table contains tens of thousands of routes,

  • BGP tracing is enabled,

  • The BGP timers (such as keepalive and hold timers) are reduced from their default values, making the peers more sensitive to delays or congestion.

PRJ-49216,
PRHF-30327

VPN

Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled.

PRJ-33775,
PRHF-20660

VPN

The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic.

PRJ-46260,
PRHF-28718

VPN

The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857.

PRJ-49651,
PRJ-49485

VPN

VPN connectivity may be unstable when IPv6 and VPN star communities are configured.

PRJ-45126,
PMTR-89945

VPN

Back connection does not function on the Statically NATed Office Mode address as expected.

PRJ-49558,
PRHF-30457

VPN

When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed.

PRJ-47951,
PMTR-92800

VPN

Establishing an IKEv2 tunnel with Cross AZ Cluster may fail.

PRJ-47590,
PRHF-29596

VPN

In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error.

PRJ-53365,
PRHF-32706

VPN

VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log.

PRJ-52947,
PRHF-32461

VPN

When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues.

PRJ-54239,

PMTR-103618

VPN

In a VPN Community with a configuration involving two Security Gateways (a Center Cluster and a Satellite Security Gateway) with IPv6 external and internal interfaces, when attempting to establish a Link Selection Star community between them, the VPN process may unexpectedly exit due to repetitive IKE core crashes on one of the Security Gateways while the other Security Gateway tries to establish a tunnel, resulting in connectivity issues.

PRJ-50311,
PMTR-96307

Multi-Portal

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

PRJ-48829,
PRHF-29729

VSX

In some scenarios, the VXLAN Driver Kernel may crash.

PRJ-50742,
PRHF-30006

VSX

VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface.

PRJ-50955,
PRHF-30747

VSX

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router.

PRJ-50174,
PRHF-30759

VSX

In some scenarios, installing policy via vsx_util may be stuck.

PRJ-49566,
PRJ-49192

VSX

Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages.

PRJ-51979,
PMTR-97885

VSX

High CPU usage on SND cores when many interfaces are configured. Refer to sk181860.

PRJ-51295,

PMTR-97905

VSX

When adding a new Virtual System, a CPD core dump file may be generated.

PRJ-52722,
PRHF-32115

Gaia OS

The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922.

PRJ-33092,
PMTR-72381

Gaia OS

In some scenarios, the output of the "show configuration"/"snapshot-scheduled" command may contain corrupted text.

PRJ-46019,
PRHF-28611

Gaia OS

The SNMPD process memory consumption may be high, which causes the process to become unresponsive.

PRJ-50485,
PRHF-30667

Gaia OS

SNMP query does not bring the CPUSE package information for a single OID (not a table).

PRJ-46141,
PRHF-28669

Gaia OS

Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content.

PRJ-51218,
PMTR-92877

Gaia OS

Clish may deny access of a non-local RADIUS user.

PRJ-50507,
PRHF-30939

Gaia OS

There may be some inconsistent syntax in the "comment" section for interface and static-route commands.

PRJ-48718,
PRHF-29974

Gaia OS

The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option.

PRJ-45114,
PRHF-28172

Gaia OS

Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that.

PRJ-47175,
PRHF-29200

Gaia OS

When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration.

PRJ-53488,
PMTR-95316

Gaia OS

Some valid interfaces may not be available with running the "set lldp interface" command.

PRJ-53193,
PRHF-32504

Gaia OS

In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory.

PRJ-52507,
PMTR-99867

Gaia OS

When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file.

PRJ-50587,

PRHF-30890

CloudGuard Network

In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail.

PRJ-47146,
PRHF-29171

Harmony Endpoint

When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers.

PRJ-47719,
PRHF-29658

Harmony Endpoint

The Application Scan Push Operation fails to upload an .xml file. Refer to sk181280.

PRJ-52129,

PRHF-31662

Harmony Endpoint

When attempting a one-time login for a migrated client in the Infinity Portal, the request fails with "400 error" caused by duplicate logon_name and domain_name entries in the database, preventing password generation from the Web interface.

PRJ-46988,
PRHF-28944

VoIP

In some scenarios, SIP TCP connections are dropped after a cluster failover.

PRJ-47993,
PRHF-29577

VoIP

When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525.

PRJ-52885,
MBS-18033

Scalable Platforms

When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are.

PRJ-53620,
PMTR-99823

Scalable Platforms

The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members).

PRJ-44138,
MBS-16756

Scalable Platforms

If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues.

PRJ-46791,
PMTR-92392

Scalable Platforms

An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and, therefore, may differ between members.

PRJ-46062,
PRHF-28410

Scalable Platforms

Querying SP Interface Data via SNMP may intermittently fail.

PRJ-50736,
PRHF-29610

Scalable Platforms

The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674.

PRJ-50745,
PRHF-30416

Scalable Platforms

Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data.

PRJ-49465,
PRHF-30344

Scalable Platforms

On a Security Group with MDPS enabled:

  • The "asg perf" command on a Security Group does not show any output - the Gaia OS prompt appears immediately after entering the command and pressing the Enter key.

  • When running the "mac_verifier" and other commands on a Security Group, the output may show the error message "mount of /sys failed: device or resource busy".

  • The "distutil verify -v" command on a Security Group returns "verification failed".

After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane.

Refer to sk182076.

PRJ-48722,
PMTR-67380

Scalable Platforms

When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only.

PRJ-50679,

PRHF-30764

Scalable Platforms

Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed.

PRJ-44499,
PRHF-27538

Scalable Platforms

Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file.

PRJ-46221,
PMTR-88316

Scalable Platforms

During site failover, IPv6 traffic that goes through the Warp interface may be interrupted.

PRJ-44135,
MBS-16004

Scalable Platforms

Member state may flap between Active and Ready.

PRJ-52530,

PMTR-99841

Scalable Platforms

After dynamic routing manager failure and recovery, connections are dropped with a log message "TCP out of state: First packet isn't SYN". Refer to sk181874.

Take 92

Published on 4 January 2024 and declared as Recommended on 15 January 2024

PRJ-51599,

SMB-16203

Security Management

In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803.

Take 89

Published on 23 November 2023

PRJ-47120,
PMTR-92660

Anti-Spam

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-49979

Security Management

UPDATE: Removed a redundant rule-assistant.war package.

PRJ-49890,

PMTR-95687

Security Management

UPDATE: Removed a redundant guava package.

PRJ-49823,

PMTR-95347

Security Management

UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22.

PRJ-49785,

PMTR-95614

Security Management

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

PRJ-49982,

PMTR-74309

Security Management

UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3.

PRJ-48316,

PRJ-49010,

PRJ-50263,

PRJ-49964,

ODU-1256,

ODU-1304,

ODU-1121,

ODU-1137

Web SmartConsole

UPDATE: New features and improvements are released in Take 81, Take 85, Take 88, and Take 90 via a self-updatable package. Refer to sk170314.

PRJ-49107,

PMTR-94517

SmartConsole

UPDATE: Applied security related improvements to the Jetty open source library.

PRJ-50323,
ODU-1328

CPView

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-50041,
ODU-1264

CPView

UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458.

PRJ-50091,
PMTR-63855

Security Gateway

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

PRJ-46556,
PMTR-92206

Security Gateway

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

PRJ-48141,
PMTR-93683

Threat Prevention

UPDATE: Re-enabled the deprecated feature of exporting/importing custom intelligence feeds.

PRJ-44319,
PMTR-90945

Threat Prevention

UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable.

PRJ-49492,
ODU-1170

Threat Prevention

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-46942,
TPP-3290

Threat Prevention

UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses.

PRJ-49231,
PMTR-92549

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 80008407.

PRJ-49744,

PMTR-95099

Mobile Access

UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default.

PRJ-44242,
PMTR-87141

Mobile Access

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

  • changes in the cloud service configuration,

  • stability improvement.

PRJ-44435,
PMTR-89908

ClusterXL

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

PRJ-46314,
PMTR-90870

ClusterXL

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically.

PRJ-46915,
PMTR-80877

VPN

UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL.

PRJ-48107,
PMTR-90795

VSX

UPDATE: Changed the vsx push configuration log:

  • The log file last_vsx_push_configuration.elg will now hold only the last vsx push configuration log.

  • The cyclic log file vsx_push_configuration.elg will now hold all previous push configuration logs, except the last one.

PRJ-47449,
ACCHA-3284

Gaia OS

UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:

  • CPAC-2-40F

  • CPAC-2-40F-B

  • CPAC-2-40F-C

  • CPAC-2-100/25F

  • CPAC-2-100/25F-B

PRJ-45235,
PRHF-28236

Gaia OS

UPDATE: SNMP traps for interfaces going up and going down will now contain the interface name and description.

PRJ-46439,
GAIA-10941

Gaia OS

UPDATE: Added support for the Sandblast TE250XN Appliances.

PRJ-44760,
PRHF-27893

Gaia OS

UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined.

PRJ-47225,
PMTR-92606

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427.

PRJ-45726,
PMTR-91551

Harmony Endpoint

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

PRJ-49977,

PRJ-49936

Harmony Endpoint

UPDATE: Upgraded symmetricDS to the 3.14.9 version.

PRJ-48799,
PMTR-94130

CloudGuard Network

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

PRJ-48338,
ODU-1081

CloudGuard Network

UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-45770,
PMTR-90618

Scalable Platforms

UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

PRJ-48195,
PMTR-91032

Scalable Platforms

UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway.

PRJ-32166,
MBS-14572

Scalable Platforms

UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).

PRJ-45979,
ODU-1154

Scalable Platforms

UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-48403,
ODU-1113

HCP

UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-49203,
PRHF-30319

Security Management

  • When updating Inline Access Layers, Threat Exceptions, and HTTPS Inspection (TLS) rules, the "Policy Name" field in the Audit Log may be incorrect.

  • The "Where used" operation fails for users with read-only permissions.

Refer to sk181471.

PRJ-48877,
PRHF-29542

Security Management

  • Running a Gaia API command on a Security Gateway using Management API from the Multi-Domain Security Management Server fails.

  • Running a Gaia API command on a Security Gateway using Management API from the Security Management Server fails if the Security Gateway certificate was not recreated.

PRJ-50028,

PMTR-95988

Security Management

The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626.

PRJ-47168,
PRHF-29222

Security Management

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

PRJ-46698,
PRHF-24917

Security Management

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

PRJ-44895,
PRHF-27875

Security Management

Policy installation gets stuck if the known proxy group contains the policy target.

PRJ-46827,
PRHF-28923

Security Management

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

PRJ-49194,
PRHF-30329

Security Management

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

PRJ-47965,
PRHF-29565

Security Management

In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178.

PRJ-46130,
PMTR-71041

Security Management

A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway.

PRJ-46397,
PRHF-28962

Security Management

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-46015,
PRHF-28592

Security Management

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

PRJ-44430,
PRHF-27612

Security Management

In some scenarios, SmartConsole may get closed when opening the Policy Installation dialog.

PRJ-46409,
PMTR-90123

Security Management

The Security Gateway may listen to the ports used by NAT.

PRJ-49369,
PRHF-30255

Security Management

In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460.

PRJ-33004,
PMTR-75194

Security Management

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

PRJ-35764,
PRHF-22024

Security Management

In some scenarios, the "show-packages" Management API command may return empty results when using the "domains-to-process" flag.

PRJ-39774,
PRHF-24049

Security Management

Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command.

PRJ-40127,
PRHF-24236

Security Management

When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes.

PRJ-48199,
PRHF-29851

Security Management

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

PRJ-48036,
PRHF-29549

Security Management

An audit log may not be created after running Revert to Revision.

PRJ-48380,
PRHF-29957

Security Management

In SmartConsole, export of policies with the "Hit count" column may get stuck.

PRJ-43288,
PRHF-26909

Security Management

In rare scenarios:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-45897,
PRHF-28666

Security Management

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

PRJ-45987,
PRHF-28558

Security Management

Deleting a Domain that is connected to an AD Group fails.

PRJ-47257,

PRJ-47234,
PRHF-29374,
PRHF-29423

Security Management

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

PRJ-46002,
PRHF-28590

Security Management

Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object.

PRJ-48896,
PRHF-30157

Security Management

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

PRJ-45033,
PRHF-27706

Security Management

Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-44986,
PRHF-28001

Security Management

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

PRJ-45798,
PRHF-28187

Security Management

Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report.

PRJ-41459,
PRHF-24486

Security Management

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

PRJ-41243,
PRHF-25050

Security Management

When closing an application from SmartConsole without changes, a redundant revision is created.

PRJ-47041,
PRHF-29223

Security Management

When using the RADIUS username for authentication, login to SmartConsole may fail.

PRJ-47045,
PRHF-29104

Security Management

In rare scenarios, after an upgrade, the Security Management Server may fail to start.

PRJ-46795,
PRHF-29116

Security Management

The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054.

PRJ-46730,
PRHF-28910

Security Management

In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397.

PRJ-45781,
PRHF-27471

Security Management

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

PRJ-45439,
PRHF-28361

Security Management

In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787.

PRJ-48690,
SL-8197

Security Management

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

PRJ-47618,
PRHF-29494

Security Management

In rare scenarios, the /var/log/message file is filled with Clish login messages for the Admin user.

PRJ-48863,
PRHF-30091

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-48369,
PRHF-29850

Security Management

The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util.

PRJ-47037,
PRHF-29235

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

PRJ-34859,
PRHF-20141

Security Management

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

PRJ-46103,
PRHF-28809

Multi-Domain Security Management

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

PRJ-43690,
PRHF-27130

Multi-Domain Management

Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy.

PRJ-47049,
PRHF-29196

Multi-Domain Security Management

In rare scenarios. in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-40588,
PRHF-85028

SmartConsole

SmartConsole may crash while checking for updates.

PRJ-45074,
PRHF-28115

Web SmartConsole

After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.

  • The fix applies only when Jumbo Hotfix Accumulator Take is installed via Advanced upgrade or with a Blink image containing this Take.

PRJ-46434,
PRHF-28762

SmartProvisioning

After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.

PRJ-47341,
PRHF-29472

SmartView

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

PRJ-47468,
PMTR-92958

CPUSE

Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation.

PRJ-46185,
PRHF-28421

Logging

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

PRJ-45039,
PRHF-28139

Logging

The "Low disk space" warning may be incorrectly displayed in SmartConsole.

PRJ-47218,
PRHF-29347

Logging

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

PRJ-48341,
PMTR-93310

Logging

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

PRJ-41166,
PRHF-25147

Logging

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

PRJ-47213,
PRHF-29149

Logging

In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail.

PRJ-45323,
PMTR-79944

Logging

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

PRJ-39449,
SL-6793

Logging

The Logs view may show a "Failed to read record number" message.

PRJ-45416,
PRHF-28191

Logging

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

PRJ-44206,
PRHF-27544

Logging

Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields.

PRJ-47267,
PRHF-29384

Security Gateway

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

PRJ-50897,

PRHF-31187

Security Gateway

A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security.

PRJ-44700,
PRHF-27451

Security Gateway

In rare scenarios, the WSDNSD process may restart because of an internal error.

PRJ-48152,
PRHF-29602

Security Gateway

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

PRJ-47369,
PMTR-88610

Security Gateway

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

PRJ-47330,
PMTR-92600

Security Gateway

When using the "cpstop" command on the Security Gateway, the fw_full core may be generated.

PRJ-48246,
PMTR-86113

Security Gateway

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

PRJ-47519,
PRHF-29318

Security Gateway

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

PRJ-44188,
PRHF-25647

Security Gateway

The Security Gateway may crash due to a memory issue.

PRJ-46137,
PRHF-28806

Security Gateway

The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032.

PRJ-46052,
PRHF-28455

Security Gateway

The Security Gateway may crash while inspecting non-HTTP traffic.

PRJ-43855,
PMTR-83014

Security Gateway

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

PRJ-45482,
PRHF-27892

Security Gateway

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

PRJ-46333,
PRHF-28842

Security Gateway

The Security Gateway may crash after a failure in policy installation.

PRJ-45802,
PRHF-28559

Security Gateway

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

PRJ-47124,
PRHF-29292

Security Gateway

In some scenarios, after an upgrade, the FWD process may unexpectedly exit.

PRJ-44617,
PRHF-27190

Security Gateway

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

PRJ-45343,
PRHF-28058

Security Gateway

When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route.

PRJ-47557,
PRHF-29583

Security Gateway

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

PRJ-47324,
PMTR-75350

Security Gateway

Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade.

PRJ-46376,
PMTR-84794

Security Gateway

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

PRJ-47601,
PRHF-29572

Internal CA

In rare scenarios, ICA certificate creation and enrollment fail.

PRJ-44150,
PMTR-89916

Threat Prevention

In a rare scenario, policy installation may fail because of IoC observables overrides.

PRJ-46836,
PMTR-92384

Threat Prevention

When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake.

PRJ-43726,
PMTR-89275

Threat Prevention

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

PRJ-44765,
PRHF-27722

Threat Prevention

Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway.

PRJ-44690,
PRHF-27890

Threat Prevention

In some scenarios, the Security Gateway fails to export or import IoC feeds.

PRJ-48190,
PRHF-29760

Threat Prevention

Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters.

PRJ-42146,
PRHF-26013

Threat Prevention

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

PRJ-46883,
PMTR-92083

Threat Prevention

Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure.

PRJ-48924,
PMTR-88858

Threat Prevention

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

PRJ-47636,
PRHF-29215

Threat Prevention

The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148.

PRJ-46116,
PMTR-91889

Threat Emulation

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance.

PRJ-48273,
PRHF-29815

Identity Awareness

There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417).

PRJ-47063,
PMTR-92599

Application Control

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

PRJ-47748,

PRJ-47646

IPS

In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex.

PRJ-50189,

PMTR-96205

IPS

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

PRJ-47238,
PRHF-29289

Anti-Virus

Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode.

PRJ-47934,
PRHF-29090

Anti-Virus

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

PRJ-48971,
PRHF-30090

Anti-Virus

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

PRJ-48126,
PMTR-93685

Anti-Virus

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

PRJ-45835,
TPP-3445

Anti-Virus

DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy.

PRJ-47783,
PRHF-29581

Anti-Virus

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

PRJ-46604,
PRHF-28851

Anti-Virus

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

PRJ-47202,
PRHF-29309

Mobile Access

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

PRJ-47106,
PRHF-29247

Mobile Access

It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155.

PRJ-45656,
PRHF-28404

SSL Inspection

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

PRJ-48701,
PMTR-90439

SSL Inspection

A FWK process memory leak may occur when canceling the download of a large file in the middle of the process.

PRJ-47263,
PMTR-91800

SSL Inspection

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

PRJ-41306,
PRHF-25160

ClusterXL

When interfaces disconnect/connect on both members at the same time, it may cause a failover.

PRJ-46504,
PRHF-28936

ClusterXL

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

PRJ-45348,
PRHF-28275

ClusterXL

After an upgrade, cluster members may frequently crash, causing instability in the environment.

PRJ-45197,
PRHF-28013

ClusterXL

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

PRJ-44274,
PRHF-27346

ClusterXL

A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531.

PRJ-43930,
PMTR-89813

ClusterXL

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

PRJ-43638,
PMTR-89506

SecureXL

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

PRJ-44772,
PMTR-70190

SecureXL

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

PRJ-41793,
ROUT-2195

Routing

Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic.

PRJ-47486,
PMTR-93015

Routing

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

PRJ-43247,
ROUT-2018

Routing

Traffic may be dropped when there are many OSPF routes of type 5.

PRJ-47800,
PRHF-29662

Routing

When a BFD session is added or removed, disabled sessions may incorrectly come up.

PRJ-47939,
PMTR-93492

Routing

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

PRJ-48116,
PRHF-29848

Routing

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

PRJ-44955,
PMTR-90731

VPN

A potential leak in VPN tunnels in a Multi-Version Cluster.

PRJ-46293,
PRHF-28702

VPN

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

PRJ-42938,
PRHF-25665

VPN

Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##".

PRJ-44164,
PMTR-86796

VPN

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

PRJ-47876,
PRHF-29650

Multi-Portal

The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication.

PRJ-44267,
PMTR-86105

VSX

Vsx_util upgrade or downgrade validation fails on Virtual Systems where policy was never installed.

PRJ-47795,
PRHF-29709

VSX

A memory leak may occur in the CPD process.

PRJ-47397,
PRHF-29485

VSX

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

PRJ-43877,
PMTR-87205

VSX

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

PRJ-47836,
PRHF-29698

VSX

In a rare scenario, affinity configuration on VSX may fail.

PRJ-44299,
PMTR-90180

VSX

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

  • Requires installing SmartConsole R81 Build 567 (or higher).

PRJ-49349,
PRHF-30364

VSX

In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823.

PRJ-46970,
PRHF-29232

Gaia OS

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

PRJ-46274,
PRHF-28848

Gaia OS

When changing bond settings, the bond may be missing the global IPv6 Address.

PRJ-47772,
PRHF-28671

Gaia OS

Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485.

PRJ-28433,
PRHF-18469

Gaia OS

Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment.

PRJ-44369,
PRHF-27627

Gaia OS

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

PRJ-43570,
PRHF-27125

Harmony Endpoint

After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to "None". And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed.

PRJ-41336,
PRHF-25164

Harmony Endpoint

When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error.

PRJ-46948,
PRHF-29014

Harmony Endpoint

KAV updater on the Server may fail to receive updates when proxy is used.

PRJ-48255,
PRHF-25142

Harmony Endpoint

The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package.

PRJ-46801,
PRHF-28984

Harmony Endpoint

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

PRJ-43043,
PRHF-26539

Harmony Endpoint

E2 engine may send an incorrect value of datDate in sync request.

PRJ-47898,
PRHF-29630

CloudGuard Network

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

PRJ-47733,
PRHF-29654

CloudGuard Network

After an upgrade, Azure Gov mapping may fail.

PRJ-43608,
PRHF-27033

VoIP

SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter).

PRJ-45232,
PRHF-24217

Scalable Platforms

The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921.

PRJ-47639,
PRHF-29629

Scalable Platforms

In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log.

Take 87

Published on 27 June 2023 and declared as Recommended on 2 August 2023

PRJ-44424,
ACCESS-458

Security Management

NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository.

PRJ-43520,
PMTR-89420

Security Management

NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs .

For example:

  • mgmt_cli add access-section layer "Network" position 1 name "New Section 1" tags mytag

  • mgmt_cli add access-rule layer "Network" position 1 name "Rule 1" tags mytag

PRJ-45294,
PMTR-86221

Security Management

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

PRJ-45489,
PRHF-28303

Security Management

UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster).

PRJ-45202,

ODU-843

Web SmartConsole

UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314.

PRJ-45471,
ODU-827

CPView

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

PRJ-45464,
ODU-835

CPView

UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-46339,
PRHF-28674

Security Gateway

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

PRJ-45461,
PRJ-46430,
ODU-890,
ODU-898

Threat Prevention

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-44951,
PRHF-28082

IPS

UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.

PRJ-43604,

PRHF-22566

SecureXL

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

PRJ-47511,
PMTR-93037

GaiaOS

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

  • To see the current state of this feature: show audit login-notifier

  • To enable this feature (this is the default): set audit login-notifier on

  • To disable this feature: set audit login-notifier off

PRJ-45906,
ODU-946

Scalable Platforms

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-44960,
PMTR-85311

Scalable Platforms

UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log.

PRJ-44961,
PMTR-89393

Scalable Platforms

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

PRJ-45387,
ODU-914

HCP

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-44450,
PRHF-27276

Security Management

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

PRJ-43185,
PRHF-26778

Security Management

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

PRJ-45872,
PRHF-28640

Security Management

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

PRJ-35493,
PRHF-21009

Security Management

The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted.

PRJ-42421,
PRHF-26275

Security Management

An upgrade may fail when a Network object Group contains more than 32000 members.

PRJ-45059,
PRHF-28094

Security Management

In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858.

PRJ-43558,
PRHF-26971,
PRJ-45049,
PRHF-27847,
PRJ-42547,
PRHF-26016

Security Management

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

PRJ-47101,
PRHF-29329

Security Management

Policy installation may fail with "Target is not defined in the database" error when the target name has many underscore or dash characters.

See the Important Notes section.

PRJ-45157,
PRHF-28175

Security Management

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

PRJ-45486,
PRHF-21566

Security Management

In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation".

PRJ-42038,
PRHF-25898

Security Management

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

PRJ-43567,
PRHF-27059

Security Management

After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail.

PRJ-43810,
PRHF-27187

Security Management

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

PRJ-42619,
PRHF-26287

Security Management

When using the "Deployment from Local Paths and URLs" option, and inserting a correct path, the client is being deployed through the Management Server and not Locally as it should be deployed.

PRJ-45653,
PRHF-28407

Security Management

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

PRJ-44994,
PRHF-27895

Security Management

In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out.

PRJ-41327,
PRHF-25274

Security Management

If the Security Management Server is behind NAT, remote Management API login fails.

PRJ-44084,
PRHF-27440

Security Management

Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514.

PRJ-42551,
PRHF-26118

Multi-Domain Security Management

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

PRJ-45053,
PRHF-27948

Multi-Domain Security Management

In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked.

PRJ-40737,
PRHF-24558

Multi-Domain Security Management

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

PRJ-44968,
PRHF-28002

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages.

PRJ-46086,
PRHF-28685

Multi-Domain Security Management

A scheduled Install Policy Preset may not have its next run time updated when:

  • The Multi-Domain Security Management Server was down while the preset was scheduled to run

  • There are over 50 presets defined

PRJ-45067,
PRJ-46161,
PRHF-28192,
PRHF-28143

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-46508,
PRHF-28930

SmartConsole

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

PRJ-43597,
PRHF-27209

SmartConsole

Typo in the Compliance report - "OSFP" instead of "OSPF".

PRJ-39254,
PRHF-23374

Logging

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

PRJ-41593,
PRHF-25533

Logging

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

PRJ-20171,
PRHF-14263

Logging

In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached.

PRJ-38479,
SL-6728

Logging

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

PRJ-41665,
PRHF-25662

Logging

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

PRJ-36111,
PRHF-21819

Security Gateway

When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email.

PRJ-44094,
PRHF-27460

Security Gateway

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

PRJ-44231,
PRHF-27318

Security Gateway

After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore.

PRJ-44919,
PRHF-27936

Security Gateway

After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

PRJ-45495,
PRHF-28324

Security Gateway

On the Security Gateway with Management Data Plane Separation (MDPS) enabled:

  • when adding a RADIUS Server from WebUI, a new MDPS task with the IP address of the Server may not be added,

  • when deleting a RADIUS Server, the MDPS task may not be deleted.

PRJ-42357,
PMTR-88174

Security Gateway

Latency in connection caused by a packet flow change from F2V to F2F.

PRJ-45396,
PRHF-28037

Security Gateway

Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801.

PRJ-44999,
PRHF-27844

Security Gateway

In a Maestro environment, an encrypted over SSH or RDP connection may get closed when handled by the wrong member.

PRJ-44310,
PRHF-27439

Security Gateway

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

PRJ-42529,
PRHF-25233

Security Gateway

In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart.

PRJ-45477,
PRHF-28350

Security Gateway

Security Gateway may crash when running kernel debugs of the "UP" module.

PRJ-44250,
PRHF-27426

Security Gateway

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

PRJ-44953,
PMTR-86007

Security Gateway

When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur.

PRJ-44976,
PRHF-27997

Security Gateway

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

PRJ-45185,
PMTR-90969

Security Gateway

Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705.

PRJ-45448,
PRHF-28277

Security Gateway

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

PRJ-46686,
PMTR-91240

Security Gateway

When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops.

PRJ-45954,
PMTR-83450

Security Gateway

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

PRJ-38110,
PRHF-22608

Security Gateway

In some scenarios, the Security Gateway may crash.

PRJ-44603,
PMTR-86732

Security Gateway

Stack buffer overflow may occur in the FWGTP process.

PRJ-46536,
PRHF-12636

Security Gateway

The FWK process may unexpectedly exit while processing the mail flow and generate a core dump.

PRJ-41966,
PRHF-25829

Security Gateway

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

PRJ-46644,
PRHF-28694

Security Gateway

Incorrect parsing of GTP-U traffic may cause anti-spoofing drops.

PRJ-44854,
PRHF-27465

Security Gateway

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

PRJ-44751,
PRHF-27707

Security Gateway

Policy installation may fail with "Error 2000240" because of an IPv6 flow issue.

PRJ-44550,
PRHF-27765

Threat Prevention

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

PRJ-42584,
PMTR-88424

Threat Prevention

When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced.

PRJ-44199,
PMTR-89130

Threat Prevention

When IPS Blade is enabled, the Security Gateway may crash.

PRJ-44569,
PRHF-27749

Threat Prevention

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty feed".

PRJ-45561,
PRHF-21271

Threat Prevention

In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail.

PRJ-39346,
PRHF-23473

Identity Awareness

There may be connectivity issues and high CPU spikes on PDP when installing policy.

PRJ-44315,
PRHF-27270

Content Awareness

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

PRJ-45427,
PRHF-28304

Application Control

Some TLS1.3 applications without SNI do not match the rules.

PRJ-41654,
PRHF-25585

IPS

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

PRJ-45754,
PRHF-15953

Anti-Virus

The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries.

PRJ-46278,
PRHF-28749

Anti-Virus

Importing a custom intelligence feed containing IP ranges may fail.

PRJ-45098

Mobile Access

SSL Network Extender (SNX) may randomly disconnect after a version upgrade. Refer to sk173765.

PRJ-46401,
PRHF-28925

Mobile Access

Sending emails with attachments via Capsule Workspace may fail on iOS.

PRJ-45193,
PRHF-28182

Mobile Access

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

PRJ-45162,
PMTR-91017

ClusterXL

A VRRP cluster member may be stuck in boot after a cluster upgrade.

PRJ-44873,
PRHF-27540

SecureXL

Traffic may be dropped and the FWACCEL core file is generated.

PRJ-44454,
PRHF-27561

ClusterXL

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

PRJ-44676,
PRHF-27803

SecureXL

After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped.

PRJ-45378,
PRHF-26701

Routing

A VRRP/VRRP6 interface may go into Master/Master state.

PRJ-41964,
MBS-16158

Routing

Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear.

PRJ-44708,
PRHF-27240

Routing

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

PRJ-44939,
PRHF-23766

Routing

After an update, multicast traffic may be dropped.

PRJ-44923,
PMTR-90799

Routing

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

PRJ-41799,
PMTR-87520

Routing

Configuring OSPFv2 Graceful Restart and passive OSPF interfaces at the same time can cause graceful restart failures.

PRJ-45183
ROUT-2353

Routing

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

PRJ-41116,
PRHF-23620

Routing

There may be high CPU utilization and slow recovery of the ROUTED process after a failover.

PRJ-41961,
MBS-16159

Routing

In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group.

PRJ-45832,
PMTR-82733

Routing

The ROUTED daemon may unexpectedly exit because of multi-threading issues.

PRJ-46127,
ROUT-2801

Routing

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

PRJ-44704,
PRHF-27225

Routing

Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table.

PRJ-46357,
PMTR-73657

Routing

Routes marked as "stale" may be redistributed via BGP during graceful restart.

PRJ-45467,
PRHF-28353

VPN

StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method.

PRJ-44828,
PRHF-27569,

PRJ-44990,
PRHF-28061,

PRJ-46301,
PRHF-28849

VPN

  • Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

  • OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

  • Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

PRJ-45918,
PRHF-28589

VPN

The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation.

PRJ-43826,
PRHF-27339

VPN

In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection and the traffic might be dropped. Refer to sk180855.

PRJ-41969,
PRHF-25866

VSX

Increasing the MTU value of a bonded tagged interface may not be possible.

PRJ-44088,
PRHF-27224

VSX

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

PRJ-45144,
PRHF-28154

VSX

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

PRJ-45400,
PRHF-28365

VSX

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

PRJ-44744,
PMTR-90616

VSX

Virtual System's interfaces may be missing when running the Clish command "show/save configuration".

PRJ-45004,
PRHF-28080

VSX

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

PRJ-29905,
PMTR-72562

Gaia OS

It may not be possible to enter a snapshot description with more than one word.

PRJ-45862,
PMTR-91668

Gaia OS

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

PRJ-41908,
PRHF-25737

Gaia OS

Gaia WebUI logs are printed with "info" severity.

PRJ-42778,
PRHF-26416

Gaia OS

Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection".

PRJ-45564,

ACCHA-2110

Gaia OS

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

PRJ-45791,
PRJ-42015

CloudGuard Network

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

PRJ-45539,
PRHF-27987

CloudGuard Network

AWS Data Center mapping fails when an interface subnet is missing from the list of subnets.

PRJ-46474,
PMTR-90803

VoIP

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

PRJ-44613,
PRHF-27502

VoIP

In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

PRJ-43516,
PRHF-26939,

PRJ-32398,
PRHF-19493

VoIP

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

PRJ-42616,
PMTR-76837

Scalable Platforms

The FW process may unexpectedly exit, producing a core dump file.

PRJ-45884,
PMTR-90935

Scalable Platforms

In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System.

PRJ-44926,
PMTR-86526

Scalable Platforms

After an upgrade, local IPv6 traffic from Active members may fail.

PRJ-41940,
PMTR-87577

Scalable Platforms

When adding a new Virtual System and installing a policy, member state may change to Down.

PRJ-42513,
PMTR-88150

Scalable Platforms

Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic.

PRJ-42263,
ACCHA-2021

Scalable Platforms

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

PRJ-32729,
PMTR-72467

Scalable Platforms

When there is a connectivity issue in the cluster, OSPF packets may be sent with delays and cause an outage.

PRJ-44527,
PMTR-78822

Scalable Platforms

License is not copied from SMO to all other members if other members are in Down state.

PRJ-43219,
CST-312

Carrier Security

Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506.

PRJ-43223,
CST-316

Carrier Security

Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507.

PRJ-46672,
PRHF-28770

Carrier Security

Packet corruption, leading to traffic and performance issues.

PRJ-46675,
PRJ-46681,
PRHF-29045,
PRHF-28963,

PRJ-46678,
PRHF-28973

Carrier Security

After an upgrade, GTP traffic and memory issues may occur.

Take 82

Published on 22 March 2023 and declared as Recommended on 8 May 2023

PRJ-43894,
PMTR-89750

Security Gateway

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-44254,
PMTR-90165

Threat Extraction

NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-43806,
PMTR-89699

Application Control,

URL Filtering

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-44575,
PMTR-90463

Internal CA

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

PRJ-43909,
PMTR-89774

SmartView

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-42182,
PMTR-87948

IPS

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

PRJ-42657,
TPP-2280

IPS

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

PRJ-42305,
PRHF-25869

Security Management

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

PRJ-36634,
PRHF-22345

Security Management

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

PRJ-34963,
PRJ-34958

CPView

UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878.

PRJ-41618,
PMTR-87160

Security Gateway

UPDATE: To reduce policy installation time on a Security Gateways with a large number of CoreXL Firewall instances, you can use the Check Point Registry parameter "CP_INSTALL_POLICY_MT_LIMIT" to configure the Security Gateway to install the policy simultaneously on groups of CoreXL Firewall instances. Refer to sk182653.

PRJ-41200,
PRHF-24563

Security Gateway

UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).

  • To activate it, GNAT should be enabled. Also, in the fwkern.conf file, run "set fwx_force_random_nat_port_alloc=1",

  • To disable, run "set fwx_force_random_nat_port_alloc=0".

PRJ-44558,
PMTR-90438

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

PRJ-43722,
PMTR-82302

SSL Inspection

UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates.

PRJ-44611,
PMTR-90504

Threat Emulation

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

PRJ-43968,
PRHF-27306

VPN

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

  • To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

  • To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

PRJ-42403,
PMTR-87600

VSX

UPDATE: Added more logs related to Pushing VSX Configuration.

  • On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

  • On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

  • VSX Provisioning tool is now logged in the vpt_history.elg.

.

PRJ-45267,
PMTR-91124

GaiaOS

UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311.

PRJ-44638,
PMTR-90527

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

PRJ-43612,
PRHF-26959

Gaia OS

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

PRJ-44356,
PRJ-44354

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region.

PRJ-43050,
PRJ-43048

CloudGuard Network

UPDATE: Added support for Data Centers in AWS eu-south-2 (Spain) and eu-central-2 (Zurich) and ap-south-2 (Hyderabad) regions.

PRJ-43026,
PRJ-43025

CloudGuard Network

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

PRJ-43403,
PMTR-89295

Diagnostics

Skyline may not show any information. Refer to sk180748.

PRJ-41927,
PRHF-25575

Security Management

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

PRJ-40225,
PRHF-24308

Security Management

The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed.

PRJ-44024,
PRHF-27405

Security Management

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

PRJ-41891,
PRHF-25534

Security Management

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

PRJ-42409,
PRHF-26108

Security Management

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

PRJ-43093,
PRHF-25895

Security Management

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

PRJ-41761,
PRHF-25381

Security Management

In some scenarios, the CME process fails to start.

PRJ-42041,
PRHF-25899

Security Management

In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail.

PRJ-39745,
PRHF-24043

Security Management

Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure.

PRJ-43362,
PMTR-87860

Security Management

Editing a Global Assignment object using Ansible may fail.

PRJ-43316,
PMTR-87565

Security Management

In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed.

PRJ-44628,

PMTR-90519

Security Management

There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder.

PRJ-43253,
PMTR-77168

Security Management

In some scenarios, the "api status" command shows that the Management API service is stopped.

PRJ-42109,
PRHF-25747

Security Management

The date of a policy configured with "accelerated installation" may not be updated in logs.

PRJ-43311,
PMTR-88097

Security Management

The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base.

PRJ-43961,
PRHF-27308

Security Management

In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses.

PRJ-44459,
PRHF-27327

Security Management

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

PRJ-42048,
PRHF-25759

Multi-Domain Security Management

In rare scenarios in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-42848,
PRHF-26378

Multi-Domain Security Management

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

PRJ-44336,
PMTR-89535

CPView

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

PRJ-42083,
PRHF-25916

CPView

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

PRJ-43588,
PMTR-89477

CPView

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

PRJ-42283,
PMTR-83780

CPView

CPView may not show some interfaces.

PRJ-43392,
PRHF-26905

Logging

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

PRJ-41017,
PRHF-23629

Logging

After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable.

PRJ-33051,
PRHF-20237

Logging

The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803.

PRJ-41017,
PRHF-24896

Security Gateway

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

PRJ-39800,
PRHF-23890

Security Gateway

After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash.

PRJ-43126,
PMTR-89008

Security Gateway

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

PRJ-42087,
PRHF-25938

Security Gateway

The "fw monitor" command output may contain "no packets left to merge" messages.

PRJ-42706,
PRHF-26247

Security Gateway

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

PRJ-41540,
PMTR-87066

Security Management

The FWK process may unexpectedly exit during Threat Prevention policy installation.

PRJ-41579,
PMTR-65731

Security Gateway

In some scenarios, the CPD process may unexpectedly exit.

PRJ-41563,
PRJ-41202

Security Gateway

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

PRJ-42756,
PMTR-88555

Security Gateway

The Security Gateway may crash because of an issue in the FILEAPP (File Application) module.

PRJ-44080,
PRHF-26620

Security Gateway

In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated.

PRJ-39601,
PRHF-22874

Scalable Platforms

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

PRJ-37150,
PRHF-22237

ClusterXL

In an Active/Active cluster, a member may reboot because of a memory corruption issue.

PRJ-41877,
PMTR-87372

Security Gateway

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

PRJ-40877,
PMTR-85619

Security Gateway

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

PRJ-42803,
PRHF-23758

Security Gateway

Stability issues when ICAP client is active.

PRJ-39607,
PRHF-22919

Security Gateway

The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages.

PRJ-43553,
PRHF-26844

Security Gateway

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

PRJ-42943,
PRHF-26610

Security Gateway

When Anti-Spoofing is enabled, the Security Gateway may crash.

PRJ-38808,
PMTR-82347

Security Gateway

In a rare scenario, when QoS is enabled, the Security Gateway may crash.

PRJ-41633,
PRHF-25363

Security Gateway

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

PRJ-36009,
PRHF-21529

Security Gateway

The Security Gateway may frequently crash with vmcore files, recording invalid context.

PRJ-43704,
PRHF-27184

Security Gateway

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

PRJ-42101,
PRHF-25657

Security Gateway

When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled.

PRJ-43532,
PRHF-26097

Security Gateway

The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated.

PRJ-43838,
PRHF-27097

Security Gateway

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

PRJ-43885,
PRHF-26861

Security Gateway

In some scenarios, the FWD process is stuck during policy installation.

PRJ-43010,
PRHF-26600

Security Gateway

When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

PRJ-42295,
PRHF-26094

Security Gateway

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

PRJ-40319,
PRHF-23658

Security Gateway

In rare scenarios, the FWK process can unexpectedly exit and cause an outage.

PRJ-41494,
PRHF-24787

Security Gateway

Stability issues when ICAP client is active.

PRJ-40108,
PRHF-20889

Security Gateway

In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL.

PRJ-43346,
PMTR-88981

Security Gateway

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

PRJ-42902,
PRHF-26659

Internal CA

The certificate in SmartConsole is shown as valid, although it is expired.

PRJ-41435,
PRHF-25382

Internal CA

When managing cloud Gateways, the FWM process memory usage may increase.

PRJ-42285,
PRHF-26079

Threat Prevention

The "ioc_feeds set interval -r" command may fail.

PRJ-42223,
PRJ-41688

Threat Prevention

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

PRJ-41597,
PRHF-25439

Threat Prevention

Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value.

PRJ-43994,
PRHF-25811

Threat Prevention

IoC feed may not load because of a parsing issue with the IP address range indicator.

PRJ-38664,
PRHF-23320

Threat Prevention

The DLPU process may unexpectedly exit with a core dump file.

PRJ-43997,
PRHF-25573

Threat Prevention

IoC feed may not load, and the "Feed status cybercrime-tracker_hash_list :: engine memory allocation error. Feed log External IoC - External Indicators processing failed" error is displayed in CLI.

PRJ-32737,
PRHF-20234

Threat Prevention

After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml.

PRJ-37566,
AVIR-1428

Threat Prevention

When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue.

PRJ-40471,
PMTR-84923

Threat Prevention

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

PRJ-42437,
PMTR-87619

Threat Prevention

Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file.

PRJ-41322,
PRHF-25083

Identity Awareness

Connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs.

PRJ-42343,
PRHF-26221

Identity Awareness

During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659.

PRJ-33064,
PRHF-20425

Identity Awareness

In a rare scenario, a wrong access role may be assigned to a user.

PRJ-42338

Identity Awareness

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

PRJ-42998,
PRHF-24890

Identity Awareness

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

PRJ-42932,
PMTR-88806

Identity Awareness

The PDPD process may cause CPU spikes during cluster failover.

PRJ-43746,
PRHF-27158

Identity Awareness

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

PRJ-44382,
PRHF-27645

Application Control

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

PRJ-42505,
PRHF-26186

Application Control

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

PRJ-41220,
PMTR-86437

Application Control

The RAD process may freeze when an error occurs, and an error event is initialized.

PRJ-43502,
PRHF-26475

Application Control

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

PRJ-43974,
PRHF-27284

URL Filtering

When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected.

PRJ-41377,
PRHF-25330

IPS

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

PRJ-29955,
MBS-14698

Anti-Bot

The "asg perf --delay" command does not change the "refresh time" on the screen.

PRJ-43681,
PRJ-43359

SSL Inspection

In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode.

PRJ-41412,
PRHF-25371

Mobile Access

Access to a web application that uses WebSocket protocol may not be possible.

PRJ-42590,
PMTR-88426

IPS

The Security Gateway may crash during policy installation because of a memory allocation problem.

PRJ-44179,
PMTR-89863

IPS

In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic.

PRJ-42713,
PRHF-26557

IPS

In a rare scenario, the Security Gateway may crash during an IPS package update.

PRJ-43582,
PRHF-27076

DLP

A memory leak may occur in the DLPU process.

PRJ-35485,
PRHF-21504

DLP

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

PRJ-44010,
PMTR-89738

Anti-Virus

The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade.

PRJ-43180,
PRHF-26878

SSL Inspection

The WSTLSD process may unexpectedly exit and create core dump files.

PRJ-43890,
PRHF-26317

SSL Inspection

In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473.

PRJ-44290,
PRHF-27598

Mobile Access

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

PRJ-43153,
PRHF-26867

Mobile Access

The CVPND process may unexpectedly exit and create a core dump file.

PRJ-41258,
PRHF-25249

Mobile Access

Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

PRJ-42467,
PRHF-26292

Mobile Access

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

PRJ-43115,
PMTR-87809

ClusterXL

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

PRJ-42463,
PRHF-26264

ClusterXL

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

PRJ-43004,
PRHF-26722

ClusterXL

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

PRJ-44167,
PRHF-27330

ClusterXL

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

PRJ-42895,
PRHF-26517

SecureXL

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

PRJ-29667,
PRHF-18663

SecureXL

When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored.

PRJ-42574,
PRHF-25865

SecureXL

Multicast traffic may get dropped, and no logs are generated.

PRJ-44130,
PMTR-89935

SecureXL

IPv6 template is not created when the connection is NATed.

PRJ-43982,
PMTR-89372

SecureXL

In a rare scenario, a CPAQ message sent during policy push does not have critical priority, and can be dropped when the Security Gateway is busy.

PRJ-43409,
PRHF-6347

Routing

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

PRJ-43921,
ROUT-2460

Routing

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

PRJ-43055,
PMTR-74260

Routing

The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486.

PRJ-44258,
PRHF-27407

Routing

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

PRJ-41112,
PMTR-73346

Routing

It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time.

PRJ-41330,
PRHF-25024

Routing

The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established but did not advertise routes. Lost routing causes the network to be down.

PRJ-42309,
PMTR-87519

VPN

Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC).

PRJ-43194,
PRHF-26797

VPN

TCP traffic on port 34500 may be encrypted by VPN, although it should not.

PRJ-24874,
PRHF-16890

VPN

VPN endpoint users fail to login with ECDSA certificate.

PRJ-44666,
PMTR-86522

VPN

When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output.

PRJ-40912,
PRHF-24641

VPN

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

PRJ-44947,
PRHF-28050

VPN

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

PRJ-40727,
PMTR-76539

VPN

In some scenarios, when NAT is configured, VoIP traffic is dropped.

PRJ-42878,
PRHF-26241

VPN

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

PRJ-42560,
PRHF-26325

VPN

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

PRJ-42761,
PRHF-26567

VPN

Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error.

PRJ-41374,
PRHF-25367

VPN

StrongSWAN Remote Access client can connect but fails to access internal resources.

PRJ-43549,
SDWANGW-1205

VPN

VPN stability issues.

PRJ-43298,
PRHF-26853,

PRJ-43594,

PRHF-27185

VPN

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

PRJ-41049,
PRHF-21309

VPN

A memory leak may occur in the VPND process.

PRJ-40283,
PRHF-24166,

PRJ-43712,
PRHF-27256,

PRJ-42652,
PRHF-26482

VPN

  • NAT-T traffic may stop matching the implied rule after policy installation and is dropped with "IKE_NAT_TRAVERSAL Traffic Dropped from x.x.x.x to y.y.y.y" message in SmartLog.

  • VPND and IKED stability issues occur when loading newly created LDAP group objects.

Refer to sk180530.

PRJ-43385,
PRHF-27010

VPN

After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only.

PRJ-44121,
PMTR-88803

VSX

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

PRJ-42882,
PMTR-88764

VSX

In VSX, if Dynamic Balancing was manually disabled on R81, after an upgrade from R81 to R81.20, it automatically gets enabled.

PRJ-41696,
VSX-2670

VSX

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

PRJ-42253,
PRHF-26113

Gaia OS

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

PRJ-42961,
PRHF-26713

Gaia OS

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

PRJ-43650,
PRHF-27195

Gaia OS

When setting password hash on cloning group members, some members may not get updated.

PRJ-42525,
PRHF-26323

Gaia OS

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

PRJ-43429,
PRJ-42646

Gaia OS

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

PRJ-42623,
PRHF-26432

Gaia OS

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

PRJ-42219,
PRHF-25947

Gaia OS

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

PRJ-44237,
PRHF-27526

Gaia OS

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

PRJ-40033,
PRHF-24249

Gaia OS

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

PRJ-43562,
PRHF-27096

Gaia OS

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

PRJ-43024,
PMTR-62519

Gaia OS

The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198.

PRJ-43985,
PRHF-27222

Gaia OS

The "lldpneighbors" Clish command may have a corrupted output. Refer to sk182065.

PRJ-40692,
PMTR-71707

Harmony Endpoint

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

PRJ-44477,
PMTR-90345

CloudGuard Network

Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started.

PRJ-44346,
PRHF-26820

CloudGuard Network

The "Logical Volume duplicate fail" error is displayed in CLI when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

PRJ-43258,
PRHF-26750

CloudGuard Network

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

PRJ-43395,
PMTR-80399

CloudGuard Network

VPN Cluster stability issue when the peer is an Azure Security Gateway.

PRJ-43576,
PMTR-89444

CloudGuard Network

When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails.

PRJ-42854,
PRHF-26286

CloudGuard Network

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

PRJ-43067,
PRHF-26666

CloudGuard Network

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

PRJ-43076,
PRHF-26401

VoIP

While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

PRJ-39601,
PRHF-22874

Scalable Platforms

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

PRJ-42753,
PRHF-26604

Scalable Platforms

When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name.

PRJ-42927,
PMTR-88804

ClusterXL

A Hide NAT port may be allocated twice causing the "out of state" drops.

PRJ-29152,
MBS-14167

Scalable Platforms

The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.)

PRJ-43382,
PMTR-76352

Scalable Platforms

The clock verifier test (clock_verifier -v) fails.

PRJ-43245,
PMTR-74779

Scalable Platforms

In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW).

PRJ-32201,
PRJ-31553

Scalable Platforms

In VSX mode, when configuring affinity settings on Security Group members, a new added member may stay in Down state.

PRJ-23110,
MBS-9806

Scalable Platforms

When creating a Virtual Switch in a Scalable Platform environment, virtual interfaces with names that start with "wrp<Number>" and "wrpj<Number>" have the same MAC address. This causes traffic from the External Switch to the Virtual System (through the Virtual Switch) to be handled by the Virtual Switch. It may lead to high CPU utilization on the Virtual Switch and traffic outage.

PRJ-44160,
PRJ-43959

Gaia OS

When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail.

See the Important Notes section.

PRJ-43803,
PRJ-43802

Scalable Platforms

The "asg perf" command fails when running it with the "-vv" flag.

PRJ-40399,
PRHF-24044

Carrier Security

GTP traffic may be dropped, and tunnels are not registered in gtp_tunnels.

PRJ-31657,
MBS-14468

Scalable Platforms

The output of the "asg perf -6" command shows "IPV6 is Disabled".

PRJ-40568,
PRJ-40549

Scalable Platforms

The output of the "asg perf" command may not show active software Blades.

Take 81

Published on 19 January 2023 and declared as Recommended on 8 February 2023

-

General

Alignment to new self-updatable packages.

PRJ-44013,

PMTR-89893

VSX

In VSX, after adding instances to a Virtual System (VS), their state may be inactive.

See the Important Notes section.

Take 79

Published on 9 January 2023

PRJ-39424

Security Management

NEW:

  • Added ability for R81 Security Management or Multi-Domain Server to manage R81.20 Security Gateways. It requires R81 SmartConsole Build 564 (or higher).

  • Managing R81.20 Security Gateways in Autonomous Threat Prevention mode requires installing R81.20 Jumbo Hotfix Accumulator.

PRJ-38115,
PRHF-23142

Security Management

UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Server with the Active Global Domain, where the operation is triggered from.

PRJ-22560,
PMTR-63494

Security Management

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

PRJ-42980,
ODU-747

Web SmartConsole

UPDATE: New features and improvements are released in Take 73 via self-updatable package. Refer to sk170314.

PRJ-38055,
PRHF-23074

Logging

UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message.

PRJ-41230

Logging

UPDATE: Port 8211 no longer accepts connections with the cipher TLS_RSA_WITH_AES_128_CBC_SHA.

PRJ-42701,
ODU-494

Threat Prevention

UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-42259,
PRJ-42201

Threat Prevention

UPDATE: Reduced loading time of big external Custom Intelligence Feeds.

PRJ-38721,
PMTR-82545

Threat Prevention

UPDATE: File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

PRJ-40772,
PMTR-77523

Scalable Platforms

UPDATE: The "Obtain IPv4 Address Automatically" option in the IPv4 and IPv6 tabs of the Gaia Portal's Interface editor is now disabled (as it is on gClish).

PRJ-40627,
PMTR-85003

Scalable Platforms

UPDATE: Blocked the ability to install Jumbo Hotfix Accumulator or to run an upgrade to a major version on Quantum Maestro Security Gateways using the Central Deployment tool in SmartConsole or the Management REST API.

PRJ-38612,
PRHF-22986

Harmony Endpoint

UPDATE: Added the "-ignoreDA" flag for "epmcommands" to clean objects from the deleted users and computers, ignoring the "da_installed" flag.

PRJ-41934,
PMTR-83771

VoIP

UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection.

PRJ-41712,

ODU-603

Smart-1 Cloud

UPDATE: Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-41998,
ODU-478

HCP

UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-40539,
PMTR-85125

Diagnostics

The cpview -s export operations may fail on VS0 when cpview_services are running.

PRJ-33895,
PRHF-20973

Security Management

Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled.

PRJ-34736,
PRHF-21233

Security Management

When running the "show access-rule" API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells.

PRJ-40237,
PMTR-84358

Security Management

Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700.

PRJ-42858,
PRHF-26649

Security Management

After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole.

PRJ-34153,
PRHF-21236

Security Management

Packet mode search in HTTPS Inspection policy may not work.

PRJ-41070,
PRHF-25026

Security Management

Global Policy reassignment fails with "An internal error has occurred" if a Global rule, Rule Base, or section is created, moved, and then deleted without running a reassignment in between.

PRJ-41975,
PRHF-25682

Security Management

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

PRJ-41291,
PRHF-25101

Security Management

Access Policy installation may fail with the "Internal error occurred during the verification process" error.

PRJ-40425,
PRHF-24492

Security Management

In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error.

PRJ-40222,
PRHF-24307

Security Management

In a large environment, High Availability synchronization for the Global domain may fail with the "Global domain is busy syncing, please check sync status" error.

PRJ-37831,
PRHF-21070

Security Management

"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain.

PRJ-39391,
PRHF-23578

Security Management

In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred".

PRJ-39717,
PRHF-24047

Security Management

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

PRJ-40733,
PRHF-24711

Security Management

In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message.

PRJ-42535,
PRHF-26349

Security Management

Access policy verification may fail when dynamic objects exist in the NAT policy.

PRJ-41670,
PRHF-25452

Security Management

When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue.

PRJ-42251,
SMB-19124

Security Management

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

PRJ-41555,
PRHF-25556

Security Management

After an Application Control update, policy installation may fail.

PRJ-38357,
PRHF-23108

Security Management

After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results".

PRJ-40822,
PMTR-85091

Security Management

Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks.

PRJ-41913,
PMTR-78191

Security Management

Installing Database from Security Management on an R80.x Log Server may fail

PRJ-42104,
PRHF-25807

Multi-Domain Security Management

In a Multi-Domain environment, the HitCount retention mechanism may prematurely remove the HitCount data.

PRJ-37310,
PRHF-21848

Multi-Domain Security Management

SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Management Server to the Security Management Server.

PRJ-42359,
PMTR-83191

Multi-Domain Security Management

An upgrade of the secondary Multi-Domain Server or Multi-Domain Log Server may fail when simultaneously upgrading several Servers.

PRJ-41919,
PRHF-25795

Multi-Domain Management

In rare scenarios, in a Multi-Domain Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit.

PRJ-31864,
PMTR-66327

Logging

When exporting logs in CEF format using Log Exporter and the value of the "time-in-milli" parameter is set as "true" (sk173167), the logs are not displayed in ArcSight SIEM Solution.

PRJ-42413,
PRHF-26316

Logging

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

PRJ-40491,
PRHF-24541

Logging

In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format.

PRJ-37297,
PRHF-22631

Logging

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

PRJ-40143,
PRHF-24306

Logging

Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses.

PRJ-21482,
PMTR-63987

Logging

The LOG_INDEXER process on the SmartEvent Server may unexpectedly exit, generating a core dump file, if the Log Server used by the correlation unit is deleted.

PRJ-35879,
PRHF-21739

Logging

Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), after several initial logs, they may stop coming to the Log Server.

PRJ-37705,
PRHF-22836

Logging

It may not be possible to filter the "Subscriber" field in SmartLog.

PRJ-37499,
PRHF-22655

Logging

The "epoll is enabled" warning is incorrectly displayed during policy installation.

PRJ-38051,
PRHF-23090

Logging

Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog.

PRJ-41916,
PMTR-78055

Logging

Export to CSV in SmartView may be stuck in the "running" status.

PRJ-39106,
PMTR-74878

Logging

In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic.

PRJ-40916,
PRHF-24590

Security Gateway

The Security Gateway may crash because of memory corruption, and the following error appears in the/var/log/message file: "[xxxx] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>".

PRJ-41623,
PMTR-78011

Security Gateway

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

PRJ-35109,
PMTR-77852

Security Gateway

There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling".

PRJ-39574,
IPS-171

Security Gateway

The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active.

PRJ-40234,
PRHF-23763

Security Gateway

There may be stability issues when ICAP client is active.

PRJ-41863,
PRHF-25769

Security Gateway

After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS).

PRJ-43342,
PRJ-41721

Security Gateway

The Security Gateway with enabled Anti-Virus may experience a memory allocation issue.

PRJ-39967,
PRHF-24112

Security Gateway

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

PRJ-37211,
MBS-15377

Security Gateway

During a failover, BGP session may be re-established due to equal connection timers between two Security Gateways.

PRJ-38489,
PMTR-75246

Threat Prevention

In a rare scenario, the mal_conns table may consume a large amount of memory.

PRJ-41488,
PMTR-84472

Threat Prevention

Loading of Custom Intelligence Feeds with authentication may fail.

PRJ-43513

Threat Prevention

After an upgrade to Take 51 or higher, Access Control policy fails, if it is configured with an IoC local feed and hash indicators are added.

See the Important Notes section.

PRJ-41315,
PMTR-86509

Threat Prevention

Threat prevention policy installation fails if a Custom Intelligence Feeds name includes unsupported characters.

PRJ-43368,

PRJ-43360

Threat Extraction

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

PRJ-38542,
PRHF-22565

Identity Awareness

The PDPD daemon may frequently exit during the user authentication flow.

PRJ-31974,
PMTR-74053

Identity Awareness

Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot.

PRJ-34570,
PRHF-21045

Identity Awareness

SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query.

PRJ-36508,
PRHF-22053

Identity Awareness

The CPU utilization of the PDP daemon may be high during a specific authentication flow.

PRJ-41819,
PMTR-87497

Identity Awareness

In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification.

PRJ-32991,
PRHF-20460

IPS

In some scenarios, IPS logs do not show the correct memory and CPU utilization when IPS is bypassed.

PRJ-41215,
PRHF-23321

Anti-Virus

In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash.

PRJ-32971,
PRHF-20670

Mobile Access

Push notification may not be working with the legacy Mobile Access (MAB) Portal. Refer to sk176243.

PRJ-40744,
PRHF-24710

ClusterXL

The cphaprob show_bond command does not show newly added subordinates from Virtual Systems (VSs).

PRJ-42444,
PRHF-26215

SecureXL

The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364.

PRJ-41692,
PRHF-25516

SecureXL

The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP.

PRJ-41204,
PRJ-39756

SecureXL

SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios.

PRJ-40265,
PRHF-23964

CoreXL

Connections matching the Access Control rules may get timed out, although they should be rejected according to the configuration.

PRJ-41707,
PRHF-25613

Routing

The ROUTED process may unexpectedly exit when the route does not have a next hop.

PRJ-41723,
PRHF-25460

Routing

The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931.

PRJ-42728,
PRHF-26453

VPN

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

PRJ-40859,
PRHF-24635

VPN

The VPND process may unexpectedly exit.

PRJ-41808,
PMTR-87347

VPN

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

PRJ-41641,
VPNRA-795

VPN

In some scenarios, StrongSwan Client may get disconnected during re-authentication.

PRJ-38166,
PRHF-22957

VPN

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

PRJ-39170,
PRHF-23749

VPN

Remote Access Client may fail to connect when using machine certificate authentication.

PRJ-43355,
PMTR-89245

VSX

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

See the Important Notes section.

PRJ-43269,
PRJ-43140

Gaia OS

After an upgrade, the RADIUS Server is unavailable and authentication fails.

See the Important Notes section.

PRJ-41612,
PMTR-87176

Gaia OS

Information about scheduled backup failure is now displayed in Clish, WebUI and in the error message inside the log file.

PRJ-41685,
PRHF-25430

Gaia OS

In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function.

PRJ-41408,
PRHF-25359

Gaia OS

When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed.

PRJ-34371,
PRHF-21347

Gaia OS

After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups.

PRJ-42719,
PRJ-42687

Harmony Endpoint

  • After an upgrade of the on-premises Endpoint Management Server to Jumbo Hotfix Accumulator R81.10 Take 75, it is not possible to connect to the Web Management Server.

  • When logging into the Web Management Console, an "API error 9999" message is displayed.

Refer to sk180230. See the Important Notes section.

PRJ-42149,
PRJ-42015

CloudGuard Network

Improved performance of pushing Data Center Objects changes to Security Gateways.

PRJ-41845,
PRHF-25754

CloudGuard Network

Improved handling of NSX-T API responses.

PRJ-42009,
PRHF-25644

CloudGuard Network

When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway.

PRJ-42114,
PRHF-25910

CloudGuard Network

AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC).

PRJ-42256,
PRHF-26160

CloudGuard Network

After an upgrade in a Huawei Cloud environment, a network card may be renamed after a reboot.

PRJ-19384,
PRHF-11703

VoIP

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651.

PRJ-42699,
PRJ-42696

VoIP

In some scenarios, when using static NAT, VoIP traffic may be affected.

PRJ-41211,
PRHF-25227

Scalable Platforms

Performance data may not be collected on VSX Security Gateways.

PRJ-40179,
PRHF-24199

Scalable Platforms

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Module (SGM).

PRJ-41834,
PRHF-25720

Scalable Platforms

SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926.

PRJ-40836,
MBS-15935

Scalable Platforms

In a rare scenario, a non-SMO member may send GARP request over the Management interface, causing traffic impact.

PRJ-41141,
PRHF-25000

Scalable Platforms

In some scenarios, the SNMPD process may unexpectedly exit.

PRJ-40354,
PRHF-24453

Scalable Platforms

When running the "set kernel-routes on/off" and "set domainname <VALUE>" commands through gCLish, the configuration is applied only locally.

PRJ-37828,
PRHF-22738

Scalable Platforms

Improved VPN on Quantum Maestro with Security Gateways hidden behind NAT.

PRJ-42833,
PMTR-88649

Scalable Platforms

When trying to perform the downgrade procedure, a Site may be stuck in Backup state. The issue occurs if, before the downgrade, this Security Group was first upgraded and then its topology was changed.

PRJ-39189,
PRHF-23723

Scalable Platforms

When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID.

PRJ-42946,
MBS-11024

Scalable Platforms

Optimized the SNMP communication between Security Gateway Module (SGM) and Security Switch Module (SSM) to prevent timeouts.

PRJ-41506,
PMTR-87006

Scalable Platforms

After an upgrade to Jumbo Hotfix Accumulator R81.10 Take 75 or higher, a member may be in Down state with a "pull_config" pnote.

PRJ-42819,
PMTR-88702

Scalable Platforms

In a Quantum Maestro environment, the sp_upgrade command may fail when working in VSX mode.

Take 77

Published on 6 November 2022 and declared as Recommended on 1 January 2023

PRJ-38347,
PMTR-81030

Diagnostics

The CPVIEWD process may cause CPU spikes.

PRJ-41082,
PMTR-86078

Security Management

UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down.

PRJ-40720,
PRHF-24546

Security Management

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

PRJ-40850,
PMTR-84394

Security Management

The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command.

PRJ-39537,
PRHF-23867

Security Management

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

PRJ-40057,
PRHF-24082

Security Management

An Application Control and URL Filtering update may still occur even if the latest version is already installed.

PRJ-40546,
PRHF-24405

Security Management

After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors.

PRJ-40809,
PRHF-24809

Security Management

SmartConsole may unexpectedly disconnect.

PRJ-39222,
PRHF-23186

Security Management

An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain".

PRJ-39333,
PRHF-23594

Security Management

Install Policy Presets may fail with the "Install Policy Failed: Could not commit JPA transaction" error.

PRJ-41552,
PMTR-83511

Security Management

Policy installation may get stuck on 99% when resuming queued policy installation tasks.

PRJ-40445,
PMTR-84860

Security Management

Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577.

PRJ-40407,
PMTR-84933

Security Management

Editing a Threat Profile object using Ansible automation tool may fail.

PRJ-36206,
PRHF-22196

Security Management

Migration from the Management Server to the Domain Server may get stuck for 6-7 hours and then fail.

PRJ-40586,
PRHF-24553

Security Management

The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645.

PRJ-39209,
PRHF-23632

Security Management

The output of the "show opsec-application" API command may not show the host object name or UID.

PRJ-38455,
PRHF-23314

Security Management

High Availability synchronization may fail with the "Failed to update shared licenses" error.

PRJ-33921,
PRHF-21160

Security Management

Some unused sessions may remain open in the system, consuming memory and CPU.

PRJ-38788,
PRHF-23476

Security Management

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

PRJ-38180,
PRHF-22647

Security Management

Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration.

PRJ-40169,
PRHF-24144

Multi-Domain Management

A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours.

PRJ-39488,
PRHF-23926

Multi-Domain Management

In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect.

PRJ-38124,

PRHF-23066

Multi-Domain Management

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

PRJ-41126,
PMTR-85721

SmartConsole

Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate.

PRJ-41285,
ODU-470

Web SmartConsole

UPDATE: Released Take 67 with new features and improvements. Refer to sk170314.

PRJ-40612,
PRHF-24080

Compliance

In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it.

PRJ-41021,
PMTR-86000

CPView

NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566.

PRJ-36191,
PRHF-22004

Logging

UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

PRJ-29737,
PMTR-72628

Logging

In SmartView, exporting views or reports that do not have tables may indefinitely continue processing.

PRJ-40357,
PRHF-24410

Logging

In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596.

PRJ-28111,
PRHF-18175

Logging

Logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server.

PRJ-41193,
PMTR-68271

Logging

It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only.

PRJ-41359,
PMTR-85027

Logging

Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully.

PRJ-30964,

EPS-562

Logging

In some scenarios, the Forensics report fails to open from Harmony Endpoint logs.

PRJ-36476,
PRHF-22241

Logging

In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713.

PRJ-41102,
PRHF-25074

Logging

When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name.

PRJ-32206,
PRHF-20107

Logging

The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records.

PRJ-38143,
PRHF-22814

Security Gateway

UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.

PRJ-32780,
PMTR-72977

Security Gateway

UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL.

PRJ-40097,
PMTR-84200

Security Gateway

UPDATE:

  • Added a new global parameter "fw_conn_double_error_allow_print " to enable/disable printing double connection error message to the log. When disabled, the Security Gateway will still drop a new connection if it is already recorded in the connection table, but there will be no error logs.

  • Added a new global parameter "fw_conn_double_error_count" to count how many times the error occurred.

PRJ-35147,
PRJ-34015

Security Gateway

Bond subordinates may be visible in the wrong plane.

PRJ-40792,
PMTR-85514

Security Gateway

Enhanced connectivity during HTTP2 Inspection.

PRJ-34171,
PRHF-20978

Security Gateway

After an upgrade, in a setup with a single VSX, the Security Gateway may crash.

PRJ-40862,
PMTR-74446

Security Gateway

Improved the recovery mechanism for Dynamic Balancing.

PRJ-40458,
PMTR-84535

Security Gateway

In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway.

PRJ-40015,
PRHF-24223

Security Gateway

The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP).

PRJ-39519,
PMTR-83692

Security Gateway

Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886.

PRJ-39926,
PRHF-23895

Security Gateway

When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files.

PRJ-41097,
PMTR-81750

Security Gateway

The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot.

PRJ-24591,
PRHF-14804

Security Gateway

It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE".

PRJ-39639,
PRHF-23835

Security Gateway

When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged. Refer to sk179431.

PRJ-41029,
PRHF-24958

Security Gateway

Topology auto update may fail because of a too long interface name.

PRJ-41090,
PRJ-34903

Security Gateway

A kernel crash may occur during system shutdown when PIM is enabled.

PRJ-41032,
PRHF-24959

Security Gateway

The Security Gateway may run out of memory when retrieving topology.

PRJ-38590,
PMTR-79658

Security Gateway

In a cluster environment, an ICAP implied rule may not be enforced after policy installation.

PRJ-38552,
PRHF-23113

Security Gateway

After an upgrade, Anti-Virus Blade may cause increased memory consumption.

PRJ-40023,
PMTR-83767

Security Gateway

Access Control policy installation may fail with a "Load on Module failed - problem with the Commit Function" message.

PRJ-36866,
PRHF-22233

Security Gateway

After an upgrade, VSX cluster may have frequent failovers.

PRJ-39579,
PMTR-71476

Security Gateway

In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash.

PRJ-41415,
PRHF-24690

Security Gateway

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

PRJ-39331,
PRHF-23528

Security Gateway

After an upgrade, Access Control policy installation may fail with an "Update process is already running" message.

PRJ-41450,
PMTR-85044

Security Gateway

Policy verification fails when a generic Data Center contains an object with an empty range.

PRJ-40935,
PMTR-85828

Security Gateway

In a rare scenario, the Security Gateway may have a memory allocation issue.

PRJ-41345,
PMTR-86409

Internal CA

UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591.

PRJ-39988,
PRHF-20730

Threat Prevention

UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time.

PRJ-40973,
PRHF-24784

Threat Prevention

Threat Prevention policy installation may fail with a "Connection aborted by Peer" message.

PRJ-40592,
PMTR-75706

Threat Prevention

There may be Security Gateway memory allocation issues related to creating a new Anti-Malware policy.

PRJ-41276,
PMTR-74610

Threat Prevention

Adding hash indicators may cause policy installation to fail with a warning message.

PRJ-40855,
PMTR-85654

Threat Prevention

IoC feed may not load because of a parsing issue with the IP range indicator.

PRJ-40437,
PMTR-82127

Threat Prevention

A kernel memory leak may occur during deep file inspection.

PRJ-29735,
PMTR-71844

Threat Prevention

SCP connections may get terminated.

PRJ-34888,
PMTR-77524

Threat Prevention

When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated.

PRJ-39829,
IDA-4187

Identity Awareness

Removed unnecessary debug messages in the Identity revocation flow.

PRJ-35835,
PMTR-71684

Identity Awareness

Memory consumption may increase after policy installation when Secure ID is configured.

PRJ-39161,
PMTR-83274

Identity Awareness

The Nested Groups Depth value changed in CLI may not survive a reboot.

PRJ-37280,
PRHF-21170

URL Filtering

When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly.

PRJ-38815,
PMTR-80962

URL Filtering

When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason.

PRJ-31435,
PRHF-19698

IPS

Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization.

PRJ-37726,
PRHF-22465

DLP

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

PRJ-33294,
PMTR-61676

Anti-Virus

Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag".

PRJ-40260,
PMTR-83847

SSL Inspection

The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

PRJ-39752,
PRHF-23882

Anti-Virus

The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked.

PRJ-36733,
PRHF-21591

ClusterXL

In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage.

PRJ-40832,
PRHF-24826

Mobile Access

After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail.

PRJ-32968,
PRHF-20588

Mobile Access

Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244.

PRJ-38459,
PRHF-23267

Mobile Access

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

PRJ-35510,
PMTR-65024

ClusterXL

UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers.

PRJ-39183,
PRHF-23684

ClusterXL

In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory.

PRJ-39073,
PRHF-22676

SecureXL

UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960.

PRJ-36858,
PRHF-21863

SecureXL

Policy installation may cause cluster failover and impact the traffic flowing through the cluster.

PRJ-40219,
PMTR-63465

SecureXL

In a rare scenario, ipsctl kernel module does not load at startup.

PRJ-41481,
PRHF-25453

SecureXL

After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops".

PRJ-39738,
PMTR-86052

SecureXL

There may be high CPU or/and latency in CIFS/SMB connections.

PRJ-41207,
PMTR-81175

Routing

When changing PIM configuration, the ROUTED process may unexpectedly exit and generate a core dump due to a race condition.

PRJ-40747,
PRHF-24743

Routing

The ROUTED process may unexpectedly exit when querying BGP data.

PRJ-36890,
PMTR-79153

VPN

UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on.

PRJ-41240,
PRHF-24483

VPN, Multi-Portal

UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434.

PRJ-40844,
PMTR-85427

VPN

UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271.

PRJ-40753,
PMTR-85206

VPN

Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705.

PRJ-39235,
PRHF-23381

VPN

When connecting to Capsule VPN on iOS in a Multi-Domain Server or Scalable Platforms environment, loading a website may take up to one minute.

PRJ-39807,
PRHF-24079

VPN

Adding a Security Gateway Module (SGM) to a Security Group may cause the Security Gateway crash when Link Selection is enabled in Load Sharing mode.

PRJ-40869,
PRHF-24283

VPN

Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage.

PRJ-40554,
PRHF-24156

VPN

When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources.

PRJ-36710,
PRHF-21689

VPN

Improved Site-to-Site VPN stability.

PRJ-40385,
PMTR-84477

VPN

The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart.

PRJ-40582,
PMTR-84124

VPN

Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled.

PRJ-37784,
PMTR-82856

VPN

In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121.

PRJ-40829,
PRHF-24812

VPN

The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710.

PRJ-39893,
PMTR-56771

VSX

UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode.

PRJ-38515,
PRHF-23107

VSX

SecureXL may not let HTTPS traffic pass through a Virtual Router (VR).

PRJ-41362,
PMTR-86445

VSX

A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation.

PRJ-40703,
PMTR-81932

VSX

A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member".

PRJ-34322,
PMTR-60045

VSX

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

PRJ-39981,
PMTR-83520

VSX

The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591.

PRJ-39887,
PMTR-84069

VSX

Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481.

PRJ-39711,
PMTR-80596

VSX

When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway.

PRJ-39767,
PMTR-83046

VSX

Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command.

PRJ-40798,
PMTR-84189

VSX

Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output.

PRJ-40648,
PMTR-85324

VSX

The VSX Provisioning Tool may unexpectedly exit when adding a new virtual device.

PRJ-40665,
PRHF-24682

VSX

When changing VSLS configuration with vsx_util, setting a new weight for each VS in Automatic mode fails with the "Operation failed. Can't write to database" error. Refer to sk179655.

PRJ-38093,
PMTR-64828

VSX

The "Primary Slave" configuration in a Bond (MAGG) interface may not be applied to a Security Group. Refer to sk178765.

PRJ-42179,
PMTR-81701

VSX

Pushing a VSX configuration fails after changing the CoreXL configuration in a Virtual System object. Refer to sk180107.

See the Important Notes section.

PRJ-40410,

PRJ-42485,

ODU-611

Gaia OS

UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653.

PRJ-40992,
PRHF-24495

Gaia OS

When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted.

PRJ-40477,
PRHF-24463

Gaia OS

The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS).

PRJ-40768,
PMTR-81861

Gaia OS

IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file.

PRJ-40027,
PRHF-24243

Gaia OS

A user locked by the deny-on-nonuse mechanism cannot get unlocked.

PRJ-41370,
PMTR-86767

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region.

PRJ-41734,
PMTR-87362

CloudGuard Network

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

PRJ-41100,
PRHF-24322

CloudGuard Network

Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS).

PRJ-40839,
PRHF-24490

CloudGuard Network

Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways.

PRJ-41462,
PRHF-25422

CloudGuard Network

Import of OpenStack Data Center CloudGuard Network objects may fail.

PRJ-38023,
ODU-587

Public Cloud CA Bundle

Added Take 19 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-41143,
ODU-518

Smart-1 Cloud

Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-32195,
PMTR-74269

Scalable Platforms

In a VSX setup that includes members only in Site 2, asg monitoring commands (such as asg stat vs all) may incorrectly present Chassis 2 state as "N/A".

PRJ-39025,
PMTR-82153

Scalable Platforms

When the "cphaprob list" command fails, CoreXL configuration pnote is not shown when expected. The issue is cosmetic only.

PRJ-41296,
PMTR-86488

Scalable Platforms

When NAT is configured on both Source and Destination, with delayed sync enabled, connection drops may occur.

Take 74

Published on 13 October 2022 and declared as Recommended on 24 October 2022

PRJ-42064,
PRHF-25946

Threat Prevention

Threat Prevention policy cannot be installed on R80.40 and lower Security Gateways when using a Security Zone object in the "Source" column. Refer to sk177605.

See the Important Notes section.

PRJ-42215,
PMTR-65815

VSX

In some scenarios, the vsx_provisioning_tool fails to delete an interface and claims that it has already been freed.

Take 72

Published on 1 September 2022

PRJ-39461,
PRHF-23711

Security Management

UPDATE: Management API performance improvements:

  • When moving a rule, the "set-access-rule" command is now up to 15 times faster.

  • When using a rule name, the "set-access-rule" command is now twice as fast.

PRJ-34853,
PMTR-72440

Security Management

UPDATE: Added validation of Custom Application/Site objects to prevent configuring invalid URLs, which causes Access policy installation failure. Refer to sk175187.

PRJ-36920,
PRHF-22479

Security Management

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

PRJ-35655,
PRHF-21996

Security Management

The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment.

PRJ-35600,
PMTR-77217

Security Management

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

PRJ-37763,
PRHF-22671

Security Management

The FWM process on the Management Server may unexpectedly exit, creating a core dump file.

PRJ-35605,
PRHF-21981

Security Management

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

PRJ-39471,
PRHF-23825

Security Management

Management HA synchronization may fail with the "NGM failed to import data" error.

PRJ-38064,
PRHF-22999

Security Management

When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Gateway was completed successfully.

PRJ-37886,
PRHF-22914

Security Management

Editing an object may fail with the "Could not access file for write operation" error.

PRJ-38400,
PRHF-23290

Security Management

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

PRJ-37509,
PRHF-22621

Security Management

Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag.

PRJ-35060,
PRHF-21753

Security Management

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

PRJ-37199,
PRHF-22299

Security Management

The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054.

PRJ-38741,

PRHF-23467

Security Management

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

PRJ-38799,
PRHF-23379

Security Management

In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running it with "details-level full".

PRJ-39229,
PRHF-23466

Security Management

In some scenarios, the Hit Count column on the NAT policy shows zero hits on all rules, even though there are hits.

PRJ-38120,
PRHF-23065

Security Management

Policy installation may fail with "an internal error" because of an orphan policy issue. Refer to sk122954.

PRJ-40202,
PMTR-75539

Security Management

Upon policy installation, Security Gateways may not receive changes made in the Service Based Link Selection configuration file $FWDIR/conf/vpn_service_based_routing.conf as per instructions of sk56384. Refer to sk179699.

PRJ-37340,
PMTR-76958

Security Management

Objects that do not belong to groups may be shown in the Group Membership view in SmartConsole.

PRJ-38708,
PRHF-23378

Security Management

Login to Domain via Management API using FQDN as the Domain parameter may fail with the "Domain not found" error.

PRJ-38217,
PRHF-22973

Security Management

If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status.

PRJ-37911,
PRHF-22870

Security Management

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

PRJ-40110,
PMTR-72725

Security Management

After a policy installation failure, fetching policy on the Security Gateway side by running the "fw fetch local" command may also fail.

PRJ-40204,
PRHF-24315

Security Management

In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144.

PRJ-39020,

PRHF-23435

Licensing

  • SmartConsole cannot retrieve licensing information from SMB devices.

  • The License tab displays the error "This action is not supported for Quantum Spark appliances with Gaia Embedded OS" instead of "Security Gateway not found".

PRJ-37988,

PRHF-22589

SmartConsole

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

PRJ-39118,

ODU-377

Web SmartConsole

UPDATE: Released Take 59 with new features and improvements. Refer to sk170314.

PRJ-23758,
MBS-13344

Logging

UPDATE: The local logging test will no longer run on the "asg_perf_hogs" utility, as it has its HCP (HealthCheck Point) test. Refer to sk171436.

PRJ-37102,
PRHF-22528

Logging

UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125.

PRJ-36462,
PRHF-22152

Logging

When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

PRJ-38415,
PRHF-21511

Logging

When there are several Log Servers, a log distribution issue may occur.

PRJ-39296,
PMTR-82675

Logging

An error may occur when changing Default Time Frame while the SmartView language is not English.

PRJ-39589,
PRHF-23981

Logging

The FWD process may unexpectedly exit and create core dump files.

PRJ-36020,
PRHF-21398

Logging

In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches.

PRJ-35996,
PRHF-22088

Logging

Logs with actions "Expired" and "Hold" may be missing from the Logging view.

PRJ-39679,
PMTR-82910

Logging

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells.

PRJ-39676,
PMTR-83316

Logging

A CSV file exported from SmartView may contain duplicated lines of headers.

PRJ-40510,
PMTR-85083

Security Gateway

UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750).

PRJ-34679,
PMTR-75424

Security Gateway

UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215.

PRJ-39667,

PRHF-23392

Security Gateway

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

PRJ-27916,
PRJ-40138,
PMTR-62741,
PMTR-84236

Security Gateway

When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995.

PRJ-37518,
PRHF-22548

Security Gateway

The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options.

PRJ-40999,

PRJ-40954

Security Gateway

In a VSX environment, SNMP queries to OSPF OIDs may fail.

PRJ-40254,
PRHF-24323

Security Gateway

There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server.

PRJ-34403,
PRHF-21418

Security Gateway

Deleting IP addresses in the SAM Database may fail.

PRJ-37952,
PRHF-22703

Security Gateway

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

PRJ-40441,

PRJ-38912

Security Gateway

When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency.

PRJ-39215,
PMTR-81290

Security Gateway

The Security Gateway may crash during PM Stats collection.

PRJ-39860,

PRHF-23952

Security Gateway

After renewing an Internal Certificate Authority (ICA) certificate, policy installation on Virtual Systems may fail with "Internal SSL authentication SSL error (Unknown)".

PRJ-39685,
PRHF-23741

Security Gateway

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

PRJ-38076,
GAIA-9576

Security Gateway

The Security Gateway may crash with a vmcore.

PRJ-41455,
PMTR-86925

Security Gateway

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

PRJ-27778,

PMTR-70632

Security Gateway

The RAD daemon may fail and create core dump files on VSX Gateways.

PRJ-36568,
PMTR-79569

Internal CA

UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096.

PRJ-40432,
PMTR-84242

Threat Prevention

UPDATE: The Global Detect value will now be updated in the "ips stat" command output.

PRJ-39323,
PMTR-83434

Threat Prevention

Improved memory consumption by decreasing the size of the mal_conns table.

PRJ-40396,

ODU-385

Threat Prevention

Added Update 15 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109.

PRJ-41445,
PRHF-25374

Threat Prevention

In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)".

See the Important Notes section.

PRJ-36293,
PMTR-77668

Threat Prevention

A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file.

PRJ-36384,
PRHF-22069

Application Control

  • The /var/log/messages directory may be flooded with "appi_app_db_get_kattrib_info: attribs hash does not exist" messages.

  • A Security Gateway may be slow or unresponsive.

Refer to sk178406.

PRJ-29435,
PRHF-17678

URL Filtering

When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly.

PRJ-39058,
PRHF-12660

IPS

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP in other reports.

PRJ-36434,
PMTR-77653

IPS

When ClusterXL is configured, a file may pass without inspection during a failover.

PRJ-39151,
PRHF-21088

Anti-Bot

  • Downloading or opening the packet capture file from the Anti-Bot log entries may fail with a "File fetching is still in progress" message.

  • When opening the capture file link in the log entry in SmartConsole, the "Failed getting the incident file from the gateway. It may be expired" error is shown.

PRJ-34073,
PRHF-21065

Mobile Access

Manual Web Form Single Sign-On (SSO) may fail when passwords contain special characters.

PRJ-39153,
PRHF-23617

Mobile Access

Login to Mobile Access Citrix application may fail.

PRJ-34724,
PMTR-77351

Mobile Access

In some scenarios, The Mobile Access applications fail to login because the Security Gateway may not forward HTTP request cookies of some browser-initiated requests to an internal Server.

PRJ-35292,
PRHF-21849

Mobile Access

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

PRJ-38435,

PMTR-82133

Mobile Access

When installing a specific hotfix, the CVPND process may unexpectedly exit.

PRJ-34870,
PMTR-76212

ClusterXL

UPDATE: Added support for the "Same VMAC" feature.

PRJ-37489,
PMTR-73519

ClusterXL

In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state.

PRJ-40200,
PMTR-84253

ClusterXL

In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members.

PRJ-39958,
PMTR-84213

ClusterXL

During a Multi-Version Cluster (MVC) upgrade, there may be state flapping when using the sync interface MAC address bit "02".

PRJ-39839,
PMTR-84079

ClusterXL

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

PRJ-37943,
PRHF-22882

ClusterXL

In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446.

PRJ-38594,
PMTR-82425

SecureXL

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

PRJ-37631,

PRHF-22691

SecureXL

UPDATE: The MSS value in the SYN Cookie response can now be configured.

PRJ-40294,
PMTR-81618

SecureXL

A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode.

PRJ-38559,
PRHF-22924

Routing

UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. Refer to sk178484.

PRJ-40091,

PMTR-84418

Routing

When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file.

PRJ-37940,
PMTR-80421

VPN

NEW: KAT tests for IKE and TLS are now validated for FIPS certification.

PRJ-37548,
PMTR-79930

VPN

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

PRJ-37555,
PMTR-77042

VPN

An outage may occur when using IKEv2.

PRJ-40663,
PRHF-24446

VPN

There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled.

PRJ-38633,
PRHF-23424

VPN

Connection to Endpoint Security Client from the Remote Access VPN may be lost when the VPN tunnel timeout is reached. Refer to sk178891.

PRJ-39064,
PMTR-82288

VPN

Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure.

PRJ-32680,
PMTR-66706

VPN

An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage.

PRJ-16239,
PMTR-57706

VSX

UPDATE: Added verification to prevent adding a bridge to a Virtual Router (VR) via the vsx_provisioning tool.

PRJ-29583,
PRHF-16144

VSX

UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW).

PRJ-19530,
PMTR-61067

VSX

Policy installation may fail after resetting a Security Geteway and restoring a VSX cluster member backup.

PRJ-32706,
PRHF-20553

VSX

After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS.

PRJ-38726,
PMTR-81373

VSX

When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version.

PRJ-38010,
PMTR-81493

VSX

"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg.

PRJ-39113,
PMTR-77465

VSX

CoreXL instances of SND type may appear in CPView as "OTHER" and not as "CoreXL_SND".

PRJ-39353,
PRJ-10543

VSX

Running the "brctl_show" command in a non-VS0 context may give VS0 results.

PRJ-33315,
PRHF-20561

VSX

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

PRJ-32407,
PMTR-74557

VSX

The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860.

PRJ-34766,

PRHF-21568

VSX

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

PRJ-38828,

PMTR-82551

VSX

The FWK process of Virtual Switch (VSW) may consume a high CPU.

PRJ-33041,

PMTR-69098

VSX

In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby.

PRJ-32477,
PRHF-20437

VSX

When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction.

PRJ-38408,

PMTR-73704

VSX

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

PRJ-38793,

PMTR-82492

VSX

In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt.

PRJ-40250,
PMTR-84229

VSX

In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash.

PRJ-34095,
PMTR-65030

VSX

When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown.

PRJ-40360,
PMTR-84809

VSX

Improved packet rate performance on warp interfaces.

PRJ-40072,
PRHF-24269

VSX

A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586.

PRJ-35585,
PRHF-21922

Gaia OS

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

PRJ-24566,

PRHF-16407

Gaia OS

UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10.

PRJ-27471,
PRHF-18056

Gaia OS

UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970.

PRJ-24454,
PRHF-16628

Gaia OS

UPDATE: Changed the Syslog message severity from "error" to "info" and removed the exclamation mark in a specific message which is displayed during the normal backup operation flow.

PRJ-39378,
PMTR-83140

Gaia OS

The CONFD process may unexpectedly exit and generate a core dump file.

PRJ-40365,
PMTR-84602

Gaia OS

Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579.

PRJ-37348,
PMTR-80176

Gaia OS

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

PRJ-39479,
PRHF-23819

Gaia OS

For TACACS users the ">" character is missing to separate the hostname from the commands. The fix is only cosmetic.

PRJ-36697,
PMTR-79157

Gaia OS

The /var/log/messages file may be flooded with "failed to update arp table file" messages.

PRJ-30118,
PMTR-72575

CloudGuard Network

UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time.

PRJ-33577,
PRHF-20923

CloudGuard Network

When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments".

PRJ-38070,
PMTR-78814

CloudGuard Network

Policy install or publish may fail because of the CPM process operations overload.

PRJ-38643,
PRJ-38642

VoIP

NEW: Added a new tab for VoIP monitoring in CPView.

PRJ-40929,

PRJ-40928

VoIP

After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports".

PRJ-39816,
PMTR-81965

VoIP

The Security Gateway may crash when running UDP and TCP SIP traffic.

PRJ-32417,
PRHF-16436

Harmony Endpoint

Web Remote Help returns to the sign-in page after generating the response code. Refer to sk172666.

PRJ-39109,
MBS-14962

Scalable Platforms

UPDATE: Added ability to change CIN interface IP ranges. Refer to sk179028.

PRJ-37868,
PMTR-76563

Scalable Platforms

UPDATE: The asg_info command is no longer supported on Scalable Platforms. The "cpinfo -Q" command should be used instead.

PRJ-39721,
PMTR-83873

Scalable Platforms

Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic.

PRJ-39116,
PRJ-39115

Scalable Platforms

The "asg_excp_conf get" command may fail. Existing exceptions cannot be printed due to unaligned exception max size between kernel and userspace (cphaprob).

PRJ-39637,
MBS-15678

Scalable Platforms

The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10.

PRJ-31427,
MBS-13683

Scalable Platforms

Running the "cphaconf debug_data" command before the member finished the boot phase may cause a crash.

PRJ-38700,
MBS-15611

Scalable Platforms

The ROUTED process may unexpectedly exit when OSPF is configured as P2P.

PRJ-37970,

PMTR-76980

Scalable Platforms

In some scenarios, CPWD and HCP report the CPUS_USGS process as terminated.

PRJ-35284,
PMTR-78037

Scalable Platforms

A cluster member may fail to perform Full Sync and remain in Down state with FULLSYNC PNOTE.

PRJ-37650,
PRHF-22789

Scalable Platforms

The "asg_copy_capture" logs repeatedly appear in the var/log/messages file. The reason given in the logs is "capture file was not found on remote SGMs".

PRJ-40308,

ODU-454

HCP

Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-40670,

ODU-478

HCP

Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 69

Released on 23 June 2022 and declared as Recommended on 22 August 2022

PRJ-38151,
PRHF-23149

Security Management

UPDATE: Additional improvements to Access Policy installation time.

PRJ-32817,
PRHF-20492

Security Management

In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768.

PRJ-37396,
PRHF-22603

Security Management

After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084.

PRJ-37495,
PRHF-22409

Security Management

In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249.

PRJ-36746,
PRHF-22326

Security Management

Accelerated Install Policy may fail with the verification error: "Rule-name has security zone objects that are not attached to any interface used in Cluster-name ", when the rule contains Security Zone and the install-on target is a cluster.

PRJ-33076,
PMTR-75039

Security Management

Updating objects with Management API may fail when editing the "groups" field and object UID is specified.

PRJ-35298,
PMTR-75023

Security Management

When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile.

PRJ-37327,
PRHF-22577

Security Management

In some scenarios, the policy installation may fail after editing the trac_client_1.ttm configuration file. Refer to sk174646

PRJ-37862,
PRHF-22678

Security Management

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy from the Security Management Server to the Security Gateway.

PRJ-38148,
PRHF-23139

Security Management

Cloud Shadow Objects verification may take several minutes.

PRJ-35311,
PRHF-21755

Security Management

The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410.

PRJ-36849,
PRHF-22352

Security Management

In rare scenarios, the Management Server may fail to start because of incorrect session handling.

PRJ-37025,
PRHF-22355

Security Management

Viewing sessions in SmartConsole may fail with an "Error retrieving results" message while importing a Domain.

PRJ-37259,
PRHF-21969

Security Management

In a large scale environment, the "show-access-rulebase" Management API command may take a significant amount of time to complete or time out after 5 minutes.

PRJ-37709,
PRHF-22796

Security Management

Install Policy preset fails if the Threat Prevention policy was uninstalled.

PRJ-37504,
PRHF-22597

Security Management

In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message.

PRJ-37635,
PRHF-22693

Security Management

After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted.

PRJ-37523,
PRHF-22656

Security Management

Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server.

PRJ-37027,
PRHF-22356

Security Management

Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background.

PRJ-39177,

PRHF-23750

Security Management

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error.

PRJ-38393,

PMTR-72637

SmartConsole

UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain.

PRJ-33517,
PMTR-71704

Logging

In SmartView Widgets, improved samples visibility.

PRJ-36027,
PMTR-70703

Logging

In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly.

PRJ-33816,

PMTR-72206

Logging

The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position.

PRJ-34250,
PRHF-21188

Logging

There may be an incorrect error message related to MakeConnection method.

PRJ-37896,
PRHF-22858

Logging

Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP.

PRJ-34142,

PRHF-21218

Logging

On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.

PRJ-35976,

PRHF-21400

Logging

"Failed to open /opt/CPsuite-R81.10/fw1/log/" messages may appear in the log_indexer.elg file because of files ending with the ".log" suffix although they are not actual log files.

PRJ-36655,
PMTR-77355

Security Gateway

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled.

Refer to sk105740.

PRJ-38689,
PRHF-22315

Security Gateway

UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE).

PRJ-19036,
PMTR-61532

Security Gateway

UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory used. The change is only cosmetic.

PRJ-33859,
PMTR-76224

Security Gateway

In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down.

PRJ-37609,
PMTR-80518

Security Gateway

When using the DAIP Gateway object in the Access Rulebase, debug error "fwdnd_log_info_lookup failed" may appear in the fwk.elglog, if the relevant rule has log track. Refer to sk178670.

PRJ-37012,
PRHF-22369

Security Gateway

Multiqueue Clish "show" commands may fail in a Management Data Plane Separation (MDPS) environment.

PRJ-27894,
PRHF-17754

Security Gateway

In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.

PRJ-33930,
PRHF-20845

Security Gateway

Cluster failover may trigger the FWK process to exit, with no traffic impact.

PRJ-33699,
PMTR-72984

Security Gateway

In some scenarios, file download may fail with the "Connection queue exceeded max size" error.

PRJ-36120,
PMTR-71654

Security Gateway

In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect.

PRJ-36515,

PRHF-22273

Security Gateway

In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy.

PRJ-38044,
ODU-283

Threat Prevention

Added Update 14 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109.

PRJ-38684,

PRHF-23324

Threat Prevention

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout.

PRJ-35852,
PRHF-22037

Identity Awareness

The PEP process may unexpectedly exit.

PRJ-37979,
PMTR-81714

IPS

In very rare scenarios, a traffic outage may occur.

PRJ-36521,

PMTR-77922

IPS

Improved detection in some IPS protections.

PRJ-37714,
PRJ-20376

IPS

In some scenarios, an "[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL" message may be printed in the /var/log/messages file.

PRJ-36160,
PMTR-72454

ClusterXL

UPDATE: It is now possible to edit minimal number of required subordinate interfaces for Bond Load Sharing via Clish. The new Clish command is "set interface <interface_name> links <value>".

PRJ-37435,
PMTR-80319

ClusterXL

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

PRJ-35168,
PMTR-77780

ClusterXL

A single cluster member with Dynamic Routing configuration may stay permanently in DOWN state producing routed pnote during a boot.

PRJ-36603,
PMTR-79447

ClusterXL

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

PRJ-36615,
PMTR-71442

ClusterXL

During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510.

PRJ-36177,
PMTR-51050

ClusterXL

In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby.

PRJ-35228,
PMTR-70530

ClusterXL

In an Active/Active cluster, potential FTP data connection interruption may occur during failover.

PRJ-26972,
MBS-14060

ClusterXL

Local connection from the Management interface on a non-standard port (e.g. 8000) may fail.

PRJ-37882,
PMTR-81375

ClusterXL

Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size.

PRJ-38803,

PMTR-82026

ClusterXL

When moving a cluster from Unicast to Multicast LS, Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic lost.

PRJ-37001

SecureXL

NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603.

PRJ-32709,
PMTR-74854

SecureXL

UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces will not use the alias IP address as the local IP address of the tunnel.

PRJ-39009,

PRHF-22881

SecureXL

SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped.

PRJ-39003,

PRHF-23644

SecureXL

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

PRJ-38502,

PRHF-23143

CoreXL

An Active member in a cluster may make a full reboot during policy installation.

PRJ-36939,
PMTR-79381

Routing

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

PRJ-37463,
PRHF-21891

VPN

The VPND process may unexpectedly exit.

PRJ-37282,
PRHF-22452

VPN

VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments.

PRJ-36437,
PMTR-78967

VPN

Machine Authentication stability improvements for Remote Access Endpoint Clients.

PRJ-35421,
PMTR-77570

VPN

When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field.

PRJ-37774,
PRHF-22871

VPN

Capsule Connect (IPSec VPN) may fail to re-authenticate.

PRJ-36450,
PMTR-65595

VSX

UPDATE: When resetting SIC for a specific Virtual System (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

PRJ-38203,
PRHF-23118

VSX

In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.

PRJ-36768,
PMTR-52576

VSX

VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.

PRJ-33471,
PMTR-73998

VSX

In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously.

PRJ-35504,
PMTR-62860

VSX

There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.

PRJ-37617,
PMTR-80850

VSX

After an upgrade from R80.20SP/R80.30SP to R81, pushing accelerated policy may cause all non-SMO SG Members to go down.

PRJ-35278,
PMTR-76457

VSX

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via clish is deleted without validation.

PRJ-37806,
PMTR-81261

VSX

Running the "vsx_util vsls" command may end with the "Segmentation fault" error.

PRJ-28546,
PMTR-65366

VSX

Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344.

PRJ-36787,
PMTR-79249

VSX

The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.

PRJ-36524,

PMTR-72069

Gaia OS

NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN info (interface creation, IP, MTU, comments, state).

PRJ-36087,
PMTR-78169

Gaia OS

WebUI session may end when creating a Role with full permissions.

PRJ-38961,
PMTR-72373

Gaia OS

When loading a configuration file to the new Security Gateway, VLAN interfaces may not be added to the bridge as expected.

PRJ-38230,
PMTR-81516

Gaia OS

When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue.

PRJ-33556,

PMTR-75925

Gaia OS

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

PRJ-37119,
PRHF-18358

VoIP

When static NAT is configured, VoIP calls may not work.

PRJ-38568,

PRHF-23328

CloudGuard Network

UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway.

PRJ-37603,
PRHF-22145

CloudGuard Network

In Amazon Web Services (AWS), some Gateways may be crashing frequently with vmcores.

PRJ-37949,
PRHF-22994

CloudGuard Network

In some scenarios, mapping of AWS Data Centers may take a long time to complete.

PRJ-37776,
PMTR-76723

CloudGuard Network

During boot on KVM with 10 or more interfaces, the interface order may change.

PRJ-38870,
PRHF-23555

CloudGuard Network

After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources.

PRJ-38023,
ODU-342

Public Cloud CA Bundle

Added Take 18 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-38036,
ODU-341

Scalable Platforms

Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-34396,
MBS-14488

Scalable Platforms

Non-SMO members may go to Down state after Anti-Malware policy installation failed.

PRJ-36915,
PRHF-22274

Scalable Platforms

During policy installation, the state of the Single Management Object (SMO) may not be stable.

PRJ-32450,
PMTR-71738

Scalable Platforms

In rare scenarios, changing the number of CoreXL instances in SP environments with many Virtual Systems may fail.

PRJ-33923,
PMTR-75452

Scalable Platforms

On Scalable platform Chassis in VSX mode, when adding a new member to Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error.

PRJ-38298,
MBS-15504

Scalable Platforms

During Jumbo Hotfix Accumulator installation, the sgm_lsp core dump may be created.

PRJ-38482,
MBS-15568

Scalable Platforms

When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647.

PRJ-38224,
ODU-349

HCP

Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 68

Released on 27 April 2022 and declared as Recommended on 12 June 2022

PRJ-29848,
PRHF-18734

Diagnostics

In some scenarios, CPView shows the SNMP data partially.

PRJ-30407,
PRHF-19450

Security Management

UPDATE:

  • Added the "--help" and "-h" flags to "mdsstop", "mdsstart" and "mdsstat".
  • It is no longer possible to run the "mdsstop" and "mdsstart" commands with wrong parameters.

PRJ-34228,
PRHF-21357

Security Management

Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.

PRJ-35479,
PMTR-77765

Security Management

Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error.

PRJ-32562,
PRHF-20316

Security Management

Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144.

PRJ-34182,
PRHF-21215

Security Management

In rare scenarios, the Management Server becomes inaccessible if there are more than 5000 objects in the Gateways and Servers view.

PRJ-33804,
PMTR-76103

Security Management

The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty.

PRJ-34657,
PRHF-21286

Security Management

In a Multi-Domain Management environment, when fetching a Ldap branch using the "fetch" button from the Global Domain tab, the operation may fail.

PRJ-30113,
PRHF-17611

Security Management

In rare scenarios, the "show-changes" and "show-sessions" Management API commands may fail.

PRJ-36802,
PMTR-74772

Security Management

In some scenarios, the last modifier name is missing in unpublished sessions and SmartConsole unexpectedly closes.

PRJ-33401,
PRHF-20866

Security Management

When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

PRJ-35950,
PRHF-21894

Security Management

In the Compliance view, after changing "Policy Range" to a value smaller than 100%, best practices results become not available. Refer to sk177544.

PRJ-33565,
PMTR-75061

Security Management

In rare scenarios, a "Create Domain", "Delete Domain" or "Delete Domain Server" task can be stuck at 5% with the "Task in queue" status.

PRJ-32848,
PMTR-74961

Security Management

In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure".

PRJ-34178,
PRHF-20991

Security Management

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

PRJ-35225,
PRHF-21778

Security Management

When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265.

PRJ-32718,
PRHF-20332

Security Management

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

PRJ-35017,
PRHF-21705

Security Management

Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129.

PRJ-32132,
PRHF-20181

Security Management

When working with End Point Cloud, the License tab under "Gateways and Servers" in SmartConsole may show "Certificate error: CertAuthorityInvalid".

PRJ-33242,
PRHF-20643

Security Management

In rare scenarios, after an update, the Management Server fails to start.

PRJ-34772,
PRHF-20960

Security Management

Policy installation on R81 (and below) Gateways may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725.

PRJ-35339,
PRHF-21851

Security Management

In rare scenarios, the Management Server may fail to start after an upgrade.

PRJ-33365,
PRHF-20847

Security Management

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

PRJ-32746,
PRHF-20512

Security Management

In a rare scenario, the FWM process unexpectedly exits.

PRJ-32802,
PRHF-20435

Security Management

The mgmt_cli tool (API) with certificate login may not work.

PRJ-37578,
PMTR-80846

Security Management

In some scenarios, after editing Blades in simple-gateway/cluster Ansible modules, the Blades are not changed, and Ansible shows that no changes occurred.

PRJ-36622,
PMTR-79023

Logging

UPDATE: SmartView reports will now show the new Check Point logo.

PRJ-30550,
PRHF-19084

Logging

In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783.

PRJ-29174,
PRHF-18866

Logging

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log.

PRJ-32018,
PRHF-20117

Logging

When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error.

PRJ-32373,
PRHF-18699

Logging

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

PRJ-30145,
PMTR-60786

Logging

Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file.

PRJ-35201,
PRHF-20349

Logging

In a rare scenario, the Security Management Server does not automatically delete older log files.Refer to sk177627.

PRJ-34142,
PRHF-21218

Logging

On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.

PRJ-32580,
PRHF-20447

Logging

In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.

PRJ-31495,
PRHF-7049

Security Gateway

UPDATE: A shadow rule can be added if the new rule and the existing rule have different timeouts.

PRJ-29963,
UP-452

Security Gateway

UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.

PRJ-35098,
PMTR-76491

Security Gateway

UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127.

PRJ-35098,
PMTR-76491

Security Gateway

UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127.

PRJ-31666,
PMTR-68092

Security Gateway

UPDATE: Adding Connection and Packet Distribution statistics in CPView.

PRJ-38236,
PMTR-81910

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

PRJ-31495,
PRHF-7049

Security Gateway

UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. If a shadow rule exists, the new shadow rule will override the existing shadow rule.

PRJ-32792,
PRHF-20498

Security Gateway

Matched rules on Inline layer may appear as the "Accept'"/ "Drop" action instead of "Inline".

PRJ-35007,
PRHF-21742

Security Gateway

The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228.

PRJ-32926,
PRJ-32352

Security Gateway

When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics".

PRJ-28821,
PMTR-71776

Security Gateway

In rare scenarios, policy installation fails when adding a Cloudguard object to the NAT rulebase.

PRJ-36048,
PMTR-78861

Security Gateway

In a rare scenario, DNS connection may be dropped with a "up_manager_cmi_handler_match_cb: connection not found" message.

PRJ-34727,
PRHF-21103

Security Gateway

In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with one of these errors:

  • "Content Awareness - Error while processing X: Timeout reach during text extraction"
  • "Content Awareness - Error while processing X: File appears corrupted"
  • "Too many files in archive: SSH parsing error occurred"

PRJ-36994,
PRJ-36993

Security Gateway

  • On 2200 appliances, the CPD process may unexpectedly exit because of sensor read failure.
  • Sensor table values for 3600, 3600T, 3800, 6200B, 6200P, 6200T, 6400, 6600, 6700, 6900, 7000, 600-S are incorrect.

PRJ-33612,
PRHF-20810

Security Gateway

In a rare scenario, the FWD process may unexpectedly exit.

PRJ-34256,
PRHF-20783

Security Gateway

It may not be possible to use the Office 365 Tenant Restrictions feature when ICAP client is enabled.

PRJ-33998,
PRHF-18340

Security Gateway

In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout.

PRJ-23480,
PRHF-16013

Security Gateway

Policy installation may fail when there is a heavy load on memory on the Security Gateway.

PRJ-33274,
PMTR-26836

Security Gateway

The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952.

PRJ-31208,
PRHF-19333

Security Gateway

The Security Gateway may crash during policy installation due to memory allocation problems.

PRJ-34268,
PRHF-19587

Security Gateway

The log_exporter process may consume a high CPU.

PRJ-37529,
PRHF-22491

Security Gateway

Improved Gateway internal memory allocation logic.

PRJ-35154

Threat Prevention

While using the Security Zone object in the "Source" column in the Threat Prevention policy, Security Gateways R80.40 and lower do not drop traffic. Refer to sk177605.

PRJ-34218,
PRJ-34088

Threat Prevention

IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors.

PRJ-34705,
PMTR-77304

Threat Prevention

In a rare scenario, after excessive memory usage, kernel may crash.

PRJ-30445,
PRHF-17552

Threat Prevention

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space.

PRJ-36165,
PRHF-21680

Identity Awareness

In a rare scenario, the PDP process may unexpectedly exit with a core dump file.

PRJ-28219,
PRHF-15223

Identity Awareness

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

PRJ-35821,
PRHF-21396

Identity Awareness

On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.

PRJ-32699,
PRHF-14110

Identity Awareness

Memory usage may be high for the pdpd process in a scenario, related to Identity Awareness nested groups in state 2 and 4.

PRJ-33148,
PRHF-20682

URL Filtering

In some scenarios, websites encrypted with SSL are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283.

PRJ-34515,
PRHF-20998

URL Filtering

In a rare scenario, when URL Filtering Blade is active, in Website categorization background mode, the FWK process crashes and creates a core dump.

PRJ-37544,
PRHF-22301

IPS

In a rare scenario, when the Security Gateway is configured as a proxy, file download may fail.

PRJ-29428,
PRHF-18966

IPS

When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated.

PRJ-32610,
PRHF-20132

IPS

When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites, the Gateway may drop traffic.

PRJ-34645,
PRHF-21416

DLP

In a rare scenario, the DLP process may not delete temporary files used for scanning.

PRJ-33210,
PRHF-20674

DLP

The dlpu process may unexpectedly exit, producing a core dump file.

PRJ-33002,
PMTR-75153

SSL Inspection

UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2.

PRJ-38257,
PMTR-81157

SSL Inspection

In some scenarios, the FWK process may unexpectedly exit during the TLS handshake.

PRJ-33669,
PMTR-75807

SSL Inspection

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

PRJ-36355,
PMTR-79533

SSL Inspection

A connectivity issue may occur with certain TLS clients.

PRJ-30125,
PMTR-66344

SSL Inspection

When HTTPS Inspection is enabled, and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.

PRJ-36299,
PMTR-76171

SSL Inspection

A memory leak related to TLS probe may occur in the WSTLSD process.

PRJ-36496,
PMTR-79264

SSL Inspection

In a rare scenario, the WSTLSD process may unexpectedly exit while validating signatures of sites with improper certificate chains.

PRJ-35782,
PMTR-76030

SSL Inspection

When running cipher_util in any VS other than VS0, the "Cannot access features configuration directory" error is shown.

PRJ-34701,
PMTR-76511

SSL Inspection

Connections may hang and reach a timeout during browsing if the number of WSTLSD instances is reduced through configuration settings.

PRJ-33955,
PMTR-75000

SSL Inspection

A connectivity issue may occur after changing the Security Gateway's name and installing policy.

PRJ-34974,
PMTR-77321

SSL Inspection

In rare scenarios, the WSTLSD daemon may unexpectedly restart.

PRJ-35935,

PRJ-35934

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS.

PRJ-35245,
PMTR-78041

Mobile Access

MAB Guacamole-based clientless RDP/SSH connections, when closed prematurely, may cause the GuacProxy process to consume 100% CPU.

PRJ-36059,
PRHF-22134

Mobile Access

Capsule Workspace cannot connect to a Mobile Access Gateway when Citrix application is configured and allowed to the end-user's group.

PRJ-35979,
PMTR-74818

ClusterXL

A cluster failover may take longer than it should.

PRJ-36915,
PRHF-22274

ClusterXL

During policy installation, the state of SMO may not be stable.

PRJ-38370,
PRHF-23291

ClusterXL

Multicast packets may be dropped after policy installation.

PRJ-33582,
PMTR-75970

SecureXL

In some scenarios, fragmented Cluster LS packets are dropped by SecureXL.

PRJ-36471,
PRHF-21775

SecureXL

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

PRJ-36073,
PRJ-34902

SecureXL

In some scenarios, related to sending multicast packets, the ICMP errors may be shown.

PRJ-34340,
PMTR-73930

SecureXL

The "fwaccel dos rate add" command may fail with the "Another fwaccel command is already in progress" error.

PRJ-30714,
PRHF-18975

Routing

Connectivity issues may occur after configuration of route based VPN (VTI interface). Refer to sk176368.

PRJ-34711,
PMTR-73184

Routing

In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order.

PRJ-35769,
PMTR-77756

Routing

UPDATE: Routed debug log will now show IP addresses.

PRJ-35341

Routing

The ROUTED daemon may unexpectedly exit with core dump when some interfaces lose connection with the PIM router.

PRJ-37590,
PRHF-22751

VPN

During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high.

PRJ-29881,
PRHF-19050

VPN

Improved VPN interoperability.

PRJ-34374,
PMTR-75526

VPN

In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure.

PRJ-35430,
PMTR-78314

VPN

In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment.

PRJ-34493

VPN

Remote Access users may not be able to connect when authenticating using a certificate issued by a subordinate CA.

PRJ-38810,
PRJ-38729

VPN

In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.

See the Important Notes section.

PRJ-33656,
PRHF-21022

VPN

The VPND process may unexpectedly exit with a core dump file.

PRJ-35766,
SMB-16977

VPN

Enhanced stability of Site-to-Site VPN with interoperable devices.

PRJ-35391,
VPNS2S-2769

VPN

Improvements for IKEv2 when working with DAIPs.

PRJ-35474,
PRJ-35309,
VPNS2S-2847,
PMTR-74009

VPN

Added VPN improvements for IKEv2 SA re-key.

PRJ-35047,
PMTR-77549

VPN

In some scenarios, NAT-T tunnel establishment may fail.

PRJ-29544,
VPNS2S-2548

VPN

Newly defined ROBO Gateways cannot connect until policy installation.

PRJ-35559,
PMTR-78462

VPN

A memory leak may occur in the VPND process when using Remote Access Secondary Connect.

PRJ-35343,
VPNS2S-2701

VPN

Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP IP which was configured before and had a connection from the DAIP Encryption Domain.

PRJ-35231,
PMTR-73490

VPN

SSL entries may not be deleted from the "vpn tu tlist" command output, although there was a graceful exit.

PRJ-35398,
PRJ-35346,
PRJ-35401,PRJ-35404,
VPNS2S-2457,
VPNS2S-2770,
VPNS2S-2848,
VPNS2S-2822

VPN

IKEv2 Improvements for DAIP Gateway behind Hide NAT.

PRJ-36180,
PMTR-78626

VPN

The FWK process may unexpectedly exit on a VS with an S2S VPN tunnel.

PRJ-35535,
PMTR-78432

VPN

A memory leak may occur in the VPND process when using remote Access Back Connection.

PRJ-35387,
VPNS2S-2726

VPN

In some scenarios, the RIM script is not activated in DPD Tunnel monitoring.

PRJ-35556,
PMTR-78436

VPN

A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured.

PRJ-34211,
PMTR-74824

VPN

IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.

PRJ-35488,
VPNS2S-2740

VPN

In ike_sa_table there may be an entry with an IP address and not with a DAIP ID.

PRJ-36238,
PRHF-22206

VPN

A memory leak may occur in the VPND process.

PRJ-34672,
PMTR-77130

VSX

UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.

PRJ-36688,
PMTR-72627

VSX

In a Multi-Domain environment, the "vsx_util vsls" command may take a few minutes to run.

PRJ-32079,
PMTR-74295

VSX

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database.

PRJ-35000,
PMTR-77287

VSX

The "vsx_util reconfigure" command may fail without printing the cause of the error.

PRJ-34603,
PMTR-74840

VSX

In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch.

PRJ-35070,
PMTR-67275

VSX

When creating a new virtual system, some VSLS parameters like the Virtual System's weight value may be displayed wrong.

PRJ-36770,
PRJ-36756

Gaia OS

NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.

PRJ-35003,
PMTR-77709

Gaia OS

Fixed the CVE-2020-14145 vulnerability.

PRJ-31696,
PMTR-73594

Gaia OS

The "cpopenssl" command may fail with "No such file or directory".

PRJ-36543,
PRHF-13255

Gaia OS

When adding an SSH host key, it won't be displayed because the total length of the command line cannot contain more than 512 characters.

PRJ-37224,
PMTR-63343

Gaia OS

Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.

PRJ-27909,
PRHF-17814

Harmony Endpoint

In some scenarios, logs related to Harmony Endpoint may be missing.

PRJ-29972,
PRHF-16925

Harmony Endpoint

In some scenarios, a query which counts host_ckp objects may return more results than expected. It leads to a memory leak with the "Out Of Memory" error.

PRJ-36364,
PRHF-22181

CloudGuard Network

When booting up, the NSX-T CloudGuard Gateway may crash.

PRJ-36274,
PRHF-22059

CloudGuard Network

In some scenarios, incorrect data center updates are pushed to the Gateway.

PRJ-34527,
PRHF-21383

CloudGuard Network

When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway.

PRJ-32917,
PMTR-75175

CloudGuard Network

NEW:

  • Rule base search in SmartConsole now also matches rules with Data Center Objects.
  • In SmartConsole, it is now possible to see IP addresses of all the objects included in: AWS VPC and Availability Zone, Azure Virtual Network, GCP Network
  • In SmartConsole, improved searching objects using tags.

PRJ-35548,
PRHF-21841

CloudGuard Network

When there are VS's with same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects.

PRJ-37053,
PRHF-20096

CloudGuard Network

In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904.

See the Important Notes section.

PRJ-36704,
ODU-244

Public Cloud CA Bundle

Added Take 14 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-35612,
PMTR-77091

Scalable Platforms

Setting time on Quantum Scalable Chassis may fail with the "Failed to update the date WARNING: CliError( ) called without module or error code" error.

PRJ-29821,
PMTR-73394

Scalable Platforms

On a Scalable Platform configured in VSX mode, a new member added to a Security Group may stay in Down state because of a false-positive license issue.

PRJ-36593,
MBS-13315

Scalable Platforms

NEW: A new module parameter "ccl_correct_dr_between_chassis" is added.

  • Setting it to 0 disables inter-chassis corrections.
  • Setting it to 1 returns to the default behavior.

Refer to sk177943.

PRJ-36650,
MBS-15367

Scalable Platforms

Running "cphaconf debug_data" in VSX context may cause the Gateway to crash.

PRJ-35090,
PRHF-21133

Scalable Platforms

Security Group may drop traffic during an internal failover between Security Group members when Dynamic Anti-Spoofing is enabled. Refer to sk177946.

PRJ-34216,
PMTR-76383

Scalable Platforms

In some scenarios, when accelerated policy installation is performed on a Security Gateway that doesn't have a valid policy, an obscure failure message is shown.

PRJ-36360,
PRHF-22250

Scalable Platforms

OSPF may install a route to the incorrect IP when configured as P2P. Refer to sk177686.

PRJ-37216,
PMTR-80218

Scalable Platforms

Local connection from a Standby site may be dropped if there is a switch between the sites. Refer to sk178045.

PRJ-26825

Scalable Platforms

Restoring a backup on the security group may get stuck upon reboot.

PRJ-34048,
PMTR-76324

Scalable Platforms

After changing Multi-Queue configurations, members may remain in Down state.

PRJ-36830,
ODU-287

HCP

Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 65

Released on 11 April 2022 and declared as Recommended on 24 April 2022

PRJ-38293,
PMTR-82069

SmartConsole

In some scenarios when R81 Jumbo Hotfix Accumulator Take 60 is installed:

  • Install Policy Preset may invoke policy installation on Gateways different from those that are defined.
  • Policy installation on multiple Gateways on MDS level may trigger installation on one Gateway only.

Refer to sk178590.

PRJ-37958,
PMTR-81489

Gaia OS

UPDATE: Upgraded OpenSSL to 1.1.1n to fix CVE-2022-0778. Refer sk178411.

PRJ-37416,
PMTR-74360

Gaia OS

In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file.

PRJ-37849,
PRHF-22617

VoIP

A cluster member may crash generating a vmcore because of a mismatch in SIP tables.

See the Important Notes section.

PRJ-37606,
PRHF-22721

VoIP

In a cluster environment, the Gateway may crash with a vmcore.

Take 60

Released on 15 Mar 2022

PRJ-29395,
PMTR-72424

Security Management

NEW: Added support for Management API commands: "add-rules-batch" and "delete-rules-batch".

PRJ-32892,
PRHF-20657

Security Management

UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165.

PRJ-32765,
PMTR-71549

Security Management

UPDATE: Meta-info and comments fields are now displayed in the output of the "show-tasks" API command with "details-level standard".

PRJ-24931,
PRHF-16947

Security Management

UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB.

PRJ-32959,
ODU-154

Security Management

Added Update 13 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-31672,
PRHF-19891

Security Management

In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time.

PRJ-30475,
PRHF-19577

Security Management

Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error.

PRJ-30898,
PMTR-73253

Security Management

In rare scenarios, installing policy on an OSE device may fail with "Policy installation had failed due to an internal error".

PRJ-32650,
PMTR-74947

Security Management

In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database.

PRJ-33979,
PRHF-21115

Security Management

Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS.

PRJ-28169,
PRHF-18380

Security Management

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

PRJ-34200,
PRJ-35072

Security Management

High Availability synchronization fails when one Management Server is installed on an appliance of 6000 series and the other one is an Open Server, a Virtual Machine, or installed on an appliance of different series.

PRJ-30385,
PRHF-16024

Security Management

In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930.

PRJ-32360,
PMTR-74598

Security Management

In some cases, when changing only the "color" and "comment" object fields, policy installation may not be accelerated.

PRJ-32669,
PRHF-20485

Security Management

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

PRJ-29240,
PRHF-18890

Security Management

In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805.

PRJ-32857,
PRHF-20444

Security Management

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

PRJ-33464,
PMTR-71195

Security Management

While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the Configuration tab.

PRJ-30068,
PRHF-19326

Security Management

  • The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
  • On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

PRJ-31892,
PMTR-73413

Security Management

In some scenarios, the API command "show-changes" fails with "Diff operation failed: Unable to build the diff reply."

PRJ-32092,
PRHF-20162

Security Management

When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured, may not appear in the results, although they match the IP.

PRJ-34080,
PMTR-74982

Security Management

In some scenarios, after running an Ansible Playbook, objects are locked even though they were not changed.

PRJ-34226,
PRHF-21356

Security Management

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

PRJ-33864,
PRHF-21129

Security Management

When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout.

PRJ-32109,
PMTR-63070

Security Management

Policy installation may fail if more than 20,000 objects are created and added to rules.

PRJ-20592,
PRHF-14327

Security Management

In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail.

PRJ-31260,
PMTR-69264

Security Management

In some scenarios, the API command "login-to-domain" fails, and the cpm.elg log shows "Null Pointer Exception".

PRJ-26781,
PRHF-17767

Security Management

In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245.

PRJ-32360,
PMTR-74598

Security Management

In some cases, when changing only the "color" and "comment" object fields, policy installation may not be accelerated.

PRJ-30100,
PRHF-19248

Security Management

In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it.

PRJ-30531,
PRHF-19542

Security Management

Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out.

PRJ-33287,
PRHF-20525

Security Management

When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number.

PRJ-29910,
PRHF-18974

Security Management

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

PRJ-32448,
PRHF-20062

Security Management

In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data".

PRJ-30035,
PRHF-19187

Security Management

  • The API command "show_packages_details" does not support the "OneTimeProb" parameter, although it is supported in GUI.
  • In some scenarios, the API command "show_packages" with "details-level full" fails with "generic_error".

PRJ-25710,
PRHF-17010

Security Management

Deleting a network group may fail because it is used, although "Where Used" shows no usage.

PRJ-33521,
PRHF-20971

Security Management

In rare scenarios, the Management Server may fail to start.

PRJ-32429,
PRHF-20440

Security Management

In rare scenarios, adding a service to a rule in Access Policy:

  • may take a long time (more than several seconds)
  • may cause SmartConsole to unexpectedly exit.

Refer to sk176004.

PRJ-30681,
PRHF-19185

Security Management

Policy installation with Directional VPN rules may fail with a verification error.

PRJ-30884,
PMTR-62059

Security Management

In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file.

PRJ-22266,
PRHF-15674

Security Management

In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967.

PRJ-33553,
PRHF-20961

Security Management

When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead.

PRJ-33056,
PMTR-73543

Security Management

In some scenarios, when editing Exceptions in Inspection Settings, Gateways without IPS Blade may be missing from the "Install On" list.

PRJ-30282,
PRHF-19412

Security Management

SmartConsole may unexpectedly close when the user opens the Global Assignment view after doing the "Solr Cure" procedure. Refer to sk175443.

PRJ-34035,
PMTR-73939

Security Management

When many sessions are opened:

  • Publish operation may be slow
  • APPI Update may be stuck on 30% and eventually fail
  • Domain Import task may be stuck after 50% and then fail

PRJ-30416,
PRHF-18883

Security Management

Scheduled IPS updates data may not be shown in the IPS update report.

PRJ-32041,
PRHF-20220

Security Management

In some scenarios, the $MDS_FWDIR/log/cpm.elg file contains many lines about "UnmarshalException".

PRJ-33951,
PRHF-20891

Security Management

The "fwm logexport" command may fail with the "Failed to dump tables from NGM" error when running it from the Global Domain on the Multi-Domain Server or from the Log Server.

PRJ-31742,
PMTR-73756

Security Management

In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain.

PRJ-30059,
PRHF-19250

Security Management

In rare scenarios, after Management Server upgrade, importing the database may fail with "Tried to persist object".

PRJ-30337,
PRHF-18150

Security Management

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

PRJ-31082,
PRHF-19251

Security Management

In rare scenarios, the FWM process on the Security Management Server unexpectedly exits.

PRJ-30351,
PRJ-30352,
PRHF-19421

Multi-Domain Management

During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface.

PRJ-30526,
PRHF-19541

Multi-Domain Management

In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail.

PRJ-33168,
PRHF-20782

Multi-Domain Management

The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/.

PRJ-29311,
PRHF-18767

SmartConsole

The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911.

PRJ-29133,
PRJ-27606

Compliance

In some scenarios, auto-update flow fails during updatable object registration.

PRJ-36042

Web SmartConsole

UPDATE: Released Take 55 with new features and improvements. Refer to sk170314.

PRJ-34293,
PMTR-75623

Compliance

After disabling Best Practices, the user receives security alerts.
  • Requires R81 SmartConsole Build 559 (or higher).

PRJ-30092,
PRHF-18939

Logging

In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403.

PRJ-19839,
PRHF-14286

Logging

On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928.

PRJ-30664,
PRHF-19620

Logging

  • The "fw log" and "fwm logexport" commands may fail with "Error: Failed to read field".
  • The exported log file may not contain all logs.

Refer to sk176644.

PRJ-31617,
PRHF-19834

Logging

Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543.

PRJ-29124,
PRHF-18445

Logging

SmartEvent may not show some of the Anti-Virus logs.

PRJ-25654,
PRHF-17000

Logging

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

PRJ-32588,
PRHF-20276

Logging

There may be empty values in the "Office Mode IP" field in the Logs view.

PRJ-32303,
PRHF-18539

Logging

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

PRJ-32029,
PRHF-19715

Logging

In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log.

PRJ-23314,
PRHF-16137

Logging

Daily Log/Indexes Maintenance does not delete old index files from $RTDIR/log_indexes if they contain files or subdirectories with a format different than %Y-%m-%d.

PRJ-28317,
PRHF-18428

Logging

The "Last Update Time" field of a Session Log may show incorrect values.

PRJ-26682,
PRHF-17724

Logging

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

PRJ-28324,
PRHF-17811

Logging

In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing.

PRJ-26031,
PRHF-17325

Logging

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323.

PRJ-26308,
PRHF-17314

Logging

In rare scenarios, in SmartConsole, some logs are not shown.

PRJ-20768,
PRHF-12617

Logging

In SmartConsole:

  • In Gateways and Servers view, IP statuses may not be accurate
  • In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

PRJ-32086,
PMTR-74297

Logging

A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic.

PRJ-31808,
PRHF-19710

Security Gateway

NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

PRJ-32073,
STRM-737

Security Gateway

UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6.

PRJ-34450,
PRHF-21182

Security Gateway

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

PRJ-33748,
PMTR-76138

Security Gateway

UPDATE: Added a new flag to the "dynamic_objects" command: "-uo <name of object>". The user can now see all content of a specific updatable object.

PRJ-31273,
PMTR-73504

Security Gateway

UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229.

PRJ-30012,
PRHF-18938

Security Gateway

In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up.

PRJ-30296,
PMTR-73017

Security Gateway

Enhanced Check Point Active Streaming (CPAS). Refer to sk177025.

PRJ-30693

Security Gateway

The "Matched rule is not found" error appear when using Suspicious Activity Monitoring (SAM) rules with source and destination networks, or with a NATed IP.

PRJ-30783,
PRHF-19506

Security Gateway

Access Policy installation may fail with "Error code 1-2000078".

PRJ-33606,
PMTR-75976

Security Gateway

When there are security zones configured in the NAT rulebase and the connection has NAT on the destination, the Security Gateway IP address may still be shown as the source IP, although it should not.

PRJ-20628,
PRHF-14374

Security Gateway

Running the "threshold_config" command may cause the CPD process to consume a high CPU.

PRJ-33082,
PRHF-20436

Security Gateway

Extended logging may show a wrong status of Content Awareness Blade. The issue is only cosmetic.

PRJ-25150,
PRHF-14366

Security Gateway

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

PRJ-33360,
PMTR-72975

Security Gateway

First policy installation after an upgrade may be followed by a warning message: "Updatable Objects are used in the policy but Gateway package is missing (see sk121877)".

PRJ-29541,
PRHF-19048

Security Gateway

After reboot and policy installation, the "No interface configured in SmartCenter server with name mdps_tun. Matching by IP address to interface Mgmt" error may be printed in fwk.elg.

PRJ-33513,
PMTR-75878

Security Gateway

CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic.

PRJ-26965,
PMTR-70393

Security Gateway

Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS).

PRJ-30670,
PRHF-19179

Security Gateway

In rare scenarios, when a Security Gateway is configured as Proxy, a wrong NAT port reuse may happen for 5 minutes long proxied connections.

PRJ-25029,
PMTR-16149

Security Gateway

When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may hang.

PRJ-27610,
PRHF-18068

Security Gateway

A debug message may be printed as an error.

PRJ-31968,
PMTR-74144

Security Gateway

In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.

PRJ-31218,
PRHF-19896

Security Gateway

When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887.

PRJ-32337,
PMTR-72682

Security Gateway

Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message.

PRJ-30614,
PRHF-19614

Security Gateway

In rare scenarios, when SACK is enabled, there may be connectivity issues.

PRJ-30180,
PRHF-19438

Security Gateway

In a rare scenario, policy push to multiple Security Gateways may fail. Refer to sk177963.

PRJ-18400,
PMTR-57716

Security Gateway

The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424.

PRJ-29698,
PRHF-19097

Security Gateway

In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages.

PRJ-32658,
PRHF-20471

Security Gateway

The Security Gateway may unexpectedly reboot and create a vmcore file.

PRJ-32050,
PMTR-72836

Security Gateway

In a rare scenario, the Security Gateway may crash during policy installation.

PRJ-32575,
PMTR-74852

Security Gateway

When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted.

PRJ-33125,
PRHF-20306

Security Gateway

In some scenarios, memory consumption and CPU usage may increase consistently. Refer to sk176370.

PRJ-33493

Security Gateway

The "Policy installation failed on gateway" error message is shown when the policy is pushed to multiple R80.20 Quantum Spark appliances. Refer to sk176713.

PRJ-28448,
PMTR-64790

Security Gateway

DNS Server is getting overloaded with DNS requests from the Security Gateway when Domains or updatable objects are used in policy. The "Domain doesn't exist" error is shown.

PRJ-35902

Security Gateway

Uninstalling Jumbo Hotfix may cause interfaces to disappear.

PRJ-31017,
PRHF-19772

Internal CA

In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start.

PRJ-33250,
PRHF-20709

Internal CA, VPN

Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468.

PRJ-31462,
PRJ-27750

Threat Prevention

When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages.

PRJ-33544,
PMTR-74799

Threat Prevention

When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947.

PRJ-37475,
PMTR-80602

Identity Awareness,

Identity Logging

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

PRJ-30493,
IDA-4120

Identity Awareness

UPDATE: Enhanced Identity Sharing SmartPull mechanism for large scale environments.

PRJ-32872,
PMTR-75155

Identity Awareness

When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause
one of the members to go down with a configuration pnote.

PRJ-30948,
IDA-4253

Identity Awareness

In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests.

PRJ-30994,
PMTR-66375

Identity Awareness

In a rare scenario, the priorities defined in User Directory (Gateway level) override the default Domain Controller (DC) priorities defined in the LDAP Account unit. Servers with priority above 1000 are not ignored, although they should be.

PRJ-27736,
PRHF-17620

Identity Awareness

The PDPD process may fail with "daemon did not respond or not running!" or cause a high CPU.

PRJ-32127,
MPTT-5094

Identity Awareness

An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher.

PRJ-28055,
SPC-1602

Application Control

In a rare scenario, the SSM may encounter an issue and stop working.

PRJ-29769,
PRHF-18914

URL Filtering

In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped.

PRJ-28739,
PRHF-17049

IPS

In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588.

PRJ-30803,
PMTR-70772

IPS

After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Security Gateways together, Security Gateways may consume more CPU during rule-match of new connections.

PRJ-23348,
PRHF-15859

IPS

The track logging configuration of Network Quota protection is not applied.

PRJ-28491,
PMTR-60451

IPS

In Autonomous Threat Prevention mode, "Profile Name" and "SmartDefense" fields may be missing in the IPS log.

PRJ-30606,
PRHF-18893

DLP

UPDATE: Added temporary files cleaner for file converting operation.

PRJ-30426,
PRHF-17395

DLP

The dlpu process may unexpectedly exit with core dump file.

PRJ-31167,
PMTR-72136

SSL Inspection

In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur.

PRJ-34446,
PRHF-21039

SSL Inspection

The fwk process may unexpectedly exit during the TLS handshake.

PRJ-34272,
PMTR-76812

SSL Inspection

A memory leak may occur in the WSTLSD process during session resumption for TLS 1.2.

PRJ-31202,
PMTR-73538

SSL Inspection

If TLS 1.3 is enabled, using imported ECDSA certificates for HTTPS Inspection may cause the Security Gateway to crash.

PRJ-31497,
PMTR-73619

SSL Inspection

When HTTPS Inspection is disabled and the "Categorize HTTPS websites" option is enabled, the "failed attaching RSA stub certificate to server" errors may appear in the fwk.elg and wstlsd.elg files during policy installation.

PRJ-32884,
PMTR-75079

SSL Inspection

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

PRJ-31173,
PMTR-72409

SSL Inspection

A memory leak, related to TLS probing, may occur in the WSTLSD process.

PRJ-33407,
PMTR-72934

SSL Inspection

In rare scenarios, TLS probing connections may remain open for extended periods.

PRJ-32901,
PRHF-20458

SSL Inspection

In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file.

PRJ-31232,
SNX-67

SSL Network Extender

SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760.

PRJ-31177,
PMTR-73946

Mobile Access

UPDATE: Upgraded JQuery library version (from 1.1 to 3.6).

PRJ-33876,
PMTR-61452

Mobile Access

Policy installation may fail due to table creation issues.

PRJ-32471,
PMTR-74101

ClusterXL

Added Syslog support for Cluster events messages.

PRJ-30382,
PRHF-19273

ClusterXL

In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize.

PRJ-30819,
PRHF-19417

SecureXL

In a rare scenario, after an upgrade, HTTPS traffic may be dropped.

PRJ-28645,
PMTR-67800

SecureXL

A redundant message "ACC: Accelerator started. " is printed in dmesg logs.

PRJ-31487,
PRHF-19472

Routing

In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603.

PRJ-24057,
PRHF-10260

Routing

In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts.

PRJ-33356,
PMTR-75438

Routing

  • Security Gateway may crash when OSPF inserts or removes an LSA from its database.
  • Neighbor dead timers may have negative values.

PRJ-30027,
PMTR-69491

Routing

After a failover, OSPF may restart immediately after the ROUTED daemon starts which causes the Active member to go into Down state instead of Standby state.

PRJ-32424,
PRHF-20294

VPN, Multi-Portal

UPDATE: Certificate validation flow will use OCSP as the default revocation validation method. If OCSP URL does not exist, CRL will be used as a revocation validation method.

PRJ-31473,
PMTR-68362

VPN

UPDATE: In policy installation, the type of messages, related to VPN certificate expiration, is changed from "info" to "warning". This issue is only cosmetic.

PRJ-33738,
PMTR-75801

VPN

When applying Secure Configuration Verification (SCV) VPN client is not able to distinguish between Windows 10 and Windows 11.

PRJ-31108,
PRJ-28269,
PMTR-73487,
PRHF-7443

VPN

In some scenarios, a memory leak may occur in the VPND process.

PRJ-31290,
PRHF-19707

VPN

Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417.

See the Important Notes section.

PRJ-32550,
PMTR-74599

VPN

A memory leak may occur during Office Mode IP allocation.

PRJ-32519,
PMTR-74732

VPN

Improved establishing IKEv2 tunnel with DAIP peer.

PRJ-30330,
PMTR-73629

VPN

In some scenarios, IKEv2 tunnel may not work due to SA expiration.

PRJ-30957,
PRHF-19492

VPN

Improvements for DAIP Gateway behind Hide NAT.

PRJ-32760,
PMTR-74107

VPN

The output of the "vpn tu tlist" command may show an incorrect type of S2S tunnels protocol.

PRJ-31132,
PMTR-73498

VPN

In some scenarios, a memory leak may occur in the VPND process.

PRJ-29782,
PMTR-72241

VPN

Although the Simultaneous Login Prevention (SLP) feature is on, the user can connect with two clients and receive the same statically assigned Office-Mode IP.

PRJ-32366,
PRHF-20315

VPN

Improved IKEv2 narrowing.

PRJ-32130,
PMTR-74244

VPN

The output of the "vpn tu tlist" command may show a wrong date and time in "Authenticated at" line, although machine date and time settings are correct.

PRJ-33834,
VPNRA-831

VPN

In rare scenarios, when SSL Network Extender (SNX) is in Application Mode, the VPND process may unexpectedly exit.

PRJ-31700,
PMTR-73801

VPN

When the IKE daemon is enabled, VPN counters in CPView may show incorrect value.

PRJ-30765,
PRHF-19548

VPN

In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file.

PRJ-32596,
PMTR-72056

VPN

In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue.

PRJ-24188,
PRHF-16198

VPN

VPN connectivity issues may occur when there are too many SAs. Refer to sk173828.

PRJ-32612,
PRHF-20449

VPN

In some scenarios, Remote Client connections in Visitor Mode may cause the fwk process to exit.

PRJ-31588,
PRHF-19959

VPN

In some scenarios, VPN tunnels statuses in SmartView Monitor are displayed incorrectly.

PRJ-30649,
ESVPN-2665

VPN

A machine-only tunnel cannot be established when VPN default realm is disabled.

PRJ-36420,
PMTR-79305

VPN

In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit.

PRJ-32533,
PMTR-74770

VSX

UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

PRJ-33836,
PMTR-76280

VSX

UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode.

PRJ-22483,
PRHF-15744

VSX

In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

PRJ-33946,
PMTR-76402

VSX

Policy installation on a VS may fail after a cluster conversion between High Availability and Virtual System Load Sharing with the "vsx_util" command.

PRJ-37422,
PMTR-79515

VSX

After deleting a warp interface in SmartConsole, the active VSX cluster member may crash.

PRJ-30315,
PMTR-72515

Gaia OS

NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612.

PRJ-31560,
PRJ-29510

Gaia OS

NEW: Added support for TE2000XN appliances.

PRJ-30202,
PRHF-18610

Gaia OS

UPDATE: Added a Clish command "add/show/delete ntp interface" to choose to which interfaces the NTP daemon shall bind.

PRJ-33688,
PMTR-75891

Gaia OS

Potential vulnerability related to specific Gaia API command on VSX systems.

PRJ-28685,
PMTR-71763

Gaia OS

In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

PRJ-31754,
PMTR-70869

Gaia OS

In some scenarios, after adding an SNMP USM user, the confd process may unexpectedly exit.

PRJ-34589,
PRJ-33871

Gaia OS

Enhanced SNMP module stability.

PRJ-30212,
PRHF-19017

Gaia OS

  • VLAN IPv6 address disappears after setting the parent interface state "off" and "on".
  • IPv6 address disappears after enabling Layer 3 bridge interface monitoring.

Refer to sk174969.

PRJ-29065,
PMTR-62235

Gaia OS

Wrong output of the "set/delete ip-conflicts-monitor interface" command. The word "value" is printed multiple times. The issue is only cosmetic.

PRJ-33508,
PMTR-75443

Gaia OS

Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128.

PRJ-32248,
EPS-32816

Harmony Endpoint

NEW: Added new push operations to Endpoint Web Management:

  • Kill Process
  • Remote Command Execution
  • Application Scan

PRJ-33389,
EPS-33930

Harmony Endpoint

NEW: It is now possible to configure Super Node in Harmony Endpoint. Refer to sk171703.

PRJ-32886

Harmony Endpoint

NEW:

  • Added ability to rename the Export Package
  • Added persistent Notifications Center
  • Improved performance of Asset Management
  • Added extra fields to Asset Management table
  • It is now possible to configure user session idle time on-premise
  • Added support for macOS Port Protection
  • Added Connection Awareness settings
  • Added ability to manage IoCs

PRJ-32645,
PRHF-20524

Harmony Endpoint

  • When in "cpconfig"-> "GUI clients"-> "Modify" the option "Any" is deleted, the Endpoint Security Server UEPM Apache cannot start.
  • When manually launching UEPM Apache the following output is shown: "AH00526: Syntax error on line 1 of /opt/CPuepm-R81/apache/conf/acl.conf:ip address 'Require' appears to be invalid"

Refer to sk176186.

PRJ-27848,
PRHF-18031

Harmony Endpoint

SmartEndpoint may show deleted certificates as expired.

PRJ-32390,
PRHF-19878

VoIP

When using SIP, memory usage may increase over time on Active and Standby members.

PRJ-34519,
ODU-200

Smart-1 Cloud

After a cluster failover CloudGuard Controller may not be able to find cloud objects. Refer to sk166056.

PRJ-31769,
PMTR-73896

CloudGuard Network

Improved the handling of NSX-T Data Center throttling issues.

PRJ-31772,
PRHF-19949

CloudGuard Network

In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway.

PRJ-32231,
CGIS-636

CloudGuard Network

The "vsec_lic_cli update" command now supports IP change in the license string.

PRJ-27035,
PRHF-16098

QoS

In a rare scenario, when QoS is enabled, in SmartView Monitor, some traffic may be shown as "No Match".

PRJ-30235,
PRHF-18342

QoS

In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.

PRJ-35158,
ODU-199

Scalable Platforms

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-26373,
PMTR-68629

Scalable Platforms

NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool.

PRJ-25360,
MBS-10302

Scalable Platforms

UPDATE:

  • The "asg_reboot" command was changed to perform a software reboot only.
  • The "asg_hard_reboot" command was added to perform a hardware reboot.

PRJ-28902,
MBS-5883

Scalable Platforms

UPDATE: Added ability to run the "hw_utilization" command on Quantum Maestro members.

PRJ-25339,
MBS-11397

Scalable Platforms

UPDATE: Added support for 40G SFP Transceiver for SSM440 (BTI40GSRQSFPP).

PRJ-29023,
PRHF-15323

Scalable Platforms

In a Dual Site Quantum Maestro environment, traffic may be interrupted intermittently when a Domain object is used in the Rule Base.

PRJ-33380,
MBS-14189

Scalable Platforms

VPN traffic may be dropped due to certificate issues.

PRJ-32952,
MBS-14928

Scalable Platforms

Identity Sharing in VSLS Mode may not work as expected.

PRJ-31405,
MBS-11234

Scalable Platforms

The "config_verify" command may fail in a Scalable Platforms environment.

PRJ-34102,
MBS-15063

Scalable Platforms

Changing VLAN of an existing interface may cause arp reply not to be processed by the Gateway. Refer to sk176929.

PRJ-31310,
PRHF-19908

Scalable Platforms

When IGMP snooping is disabled, using OSPF Multicast may lead to Anti Spoofing drops in SmartConsole.

PRJ-33203,
PMTR-75375

Scalable Platforms

RADIUS user that has gclish set as default shell cannot login into the Security Group on Scalable Platforms R81.10: "Unable to get user permissions". Refer to sk176364.

PRJ-30111,
MBS-14105

Scalable Platforms

VPN tunnel may fail to establish with "dropped by vpn_inbound_pilicy_chain Reason: VPN inbound nat after vm failed". Refer to sk176404.

PRJ-31838,
MBS-14732

Scalable Platforms

The CMM is not updated with the time from a configured NTP Server. As a result, SGMs stay in the Down state for a long time.

PRJ-26428,
MBS-13474

Scalable Platforms

In rare scenarios, the command "hw_utilization -d" fails when more than 9 Virtual Systems are configured.

PRJ-31138,
MBS-14560

Scalable Platforms

Connectivity issues may occur on Identity Server (PDP) in large VSX setups.

PRJ-25355,
MBS-10619

Scalable Platforms

The "Software Versions" asg diag test may show false failure because of a CMM version mismatch.

PRJ-28660,
MBS-14165

Scalable Platforms

SNMP OID .1.3.6.1.4.1.2620.1.48.16 (asgSecureXLStatusBitmask) returns the status of SecureXL as enabled, even when it is not.

PRJ-31590,
MBS-9793

Scalable Platforms

When running the "asg_dr_verifier" command in the context of a Virtual System other than VS0, the output in the "BGP peers" section incorrectly shows: "Status: Inconsistency found on some of the SGMs".

PRJ-34619,
MBS-14133

Scalable Platforms

In some scenarios, a physical link issue on a Maestro Gateway may cause an unexpected site failover, a cluster state change on other Gateways, or packet drops.

PRJ-31506,
PRHF-19991

Scalable Platforms

During policy installation, AD Query may stop working in the Scalable Platforms environment.

PRJ-30616,
PMTR-70886

Scalable Platforms

Multiple traffic drops may occur on Scalable Platforms. Refer to sk173545.

PRJ-25665,
PMTR-68916

Scalable Platforms

In some scenarios, if SSM goes down in a Chassis setup, the failure report cannot be collected fully.

PRJ-33326

Scalable Platforms

Added support for a new VMAC design. Refer to sk165674.

PRJ-34442,
ODU-217

HCP

Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-22354,
INFRA-528

Infrastructure

UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias.

PRJ-29411,
PRHF-19016

Infrastructure

Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452.

PRJ-29951,
PRHF-19115

Infrastructure

In a rare scenario, the user cannot connect to the Mobile Access Portal.

Take 58

Released on 22 February 2022 and declared as Recommended on 2 March 2022

PRJ-36959,
PRHF-22500

Security Management

Policy installation and "where used" operation may take a long time if there are many inline layers and the "Install On" targets in the Rule Base are not defined as "Any". Refer to sk177928.

PRJ-34691,
PMTR-75532

Logging

In some scenarios, in an environment that includes the SmartEvent Server, the log_indexer process restarts at midnight, producing a core dump file. Refer to sk177805.

PRJ-36735,
PRHF-22353

Threat Extraction

In some scenarios, when Threat Extraction and Threat Emulation are both enabled, it may take a long time to scan the file before downloading, although there is no active content.

Take 56

Released on 17 January 2022

PRJ-34733,
PRJ-34961

Security Management,
Harmony Endpoint

UPDATE: The Apache Log4j Java library is updated in order to harden the system. Check Point products are not vulnerable to Log4j. This change is motivated by cyber hygiene best practices. Refer to sk176865.

PRJ-34505,
PRHF-21481

Security Management

The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204.

PRJ-32979,
PMTR-74061

CPView

In "Overview", some data about disk space may be missing.

Take 51

Released on 29 December 2021

PRJ-27433,
PMTR-61440

Security Management

NEW: Added support for CloudGuard Edge appliances in LSM and SmartConsole.

  • Requires R81.00 SmartConsole Build 556 (or higher).

PRJ-31537,
MAT-1912

Security Management

UPDATE: The Management API "show-logs" command timeout increased from 2.5 minutes to 5 minutes.

PRJ-29237,
TPM-2843

Security Management

UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information.

PRJ-30365,
PMTR-63855

Security Management

UPDATE: Added new flags for Management API commands "add/set simple-gateway" and "add/set simple-cluster":

  • "nat-hide-internal-interfaces" and "nat-settings" for NAT configuration.
  • "fetch-policy" for Fetch Policy configuration.
  • "advanced-settings.sam" for SAM configuration.
  • "advanced-settings.connection-persistence" for Connection Persistence configuration.

PRJ-27424,
PRHF-17841

Security Management

UPDATE: The "show application-sites" Management API command now returns additional fields for UIDs of primary category and additional categories.

PRJ-31057,
PMTR-64687

Security Management

In rare scenarios, Security Management upgrade or migration may fail due to missing temporary files.

PRJ-29188,
PRHF-18470

Security Management

In a rare scenario, High Availability full synchronization may fail due to a large number of records.

PRJ-29305,
PMTR-72376

Security Management

In environments with a large number of objects, licenses for cluster members in the Licenses tab may not be displayed.

PRJ-28901,
PRHF-18508

Security Management

When searching IP addresses using logical operators (AND / OR), the results may be incorrect:

  • in SmartConsole in the Object Explorer view
  • with the Management API command "show objects" and the "filter" field

Some matched objects may be missing, while some unmatched objects may be present.

PRJ-28649,
PRHF-18508

Security Management

In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain.

PRJ-28536,
PRHF-18063

Security Management

In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error.

PRJ-27921,
PMTR-71261

Security Management

In rare scenarios, more than one IP address may be shown in SmartConsole's Sessions view under the "Connected From" column.

PRJ-28896,
PRHF-18677

Security Management

If there are no explicit rules in one or more policy layers, policy verification may fail with the "No active rules found in the Security Policy" error.

PRJ-28001,
PRHF-18245

Security Management

If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.

  • Requires R81.00 SmartConsole Build 556 (or higher).

PRJ-20287,
SMCUPG-1533

Security Management

In rare scenarios, the second attempt of a Secondary Management Server upgrade may fail with "Task was interrupted because server restart".

PRJ-26522,
PRHF-17679

Security Management

In a rare scenario, policy installation may fail with a "Policy installation had failed due to an internal error" message.

PRJ-24634,
PRHF-16582

Security Management

In rare scenarios, policy installation may fail with an internal error due to missing permissions. Refer to sk17384.

PRJ-26522,
PRHF-17679

Security Management

In a rare scenario, policy installation may fail with a message: "Policy installation had failed due to an internal error".

PRJ-25629,
PRHF-17284

Security Management

In rare scenarios, a Management Server upgrade may fail with an "Object not found - [UID]" error message in the cpm.elg log file.

PRJ-25566,
PRHF-17182

Security Management

In rare scenarios, an upgrade may fail when there is an OPSEC Server object configured.

PRJ-23433,
PRHF-12488

Security Management

Upgrade to R81 may fail if one of the objects does not have a creator.

PRJ-28785,
PRHF-18557

Security Management

In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes.

PRJ-28570,
PRHF-18422

Security Management

In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" error message. Refer to sk174645.

PRJ-28423,
PMTR-10273

Security Management

Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872.

PRJ-28293,
PRHF-18210

Security Management

In rare scenarios, High Availability incremental synchronization may fail with a wrong status message.

PRJ-28299,
PRHF-18362

Security Management

In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.

PRJ-28064,
PRJ-28062

Security Management

In rare scenarios:

  • Login to the Management Server may timeout and fail
  • Publish operation may take a long time.

PRJ-28088,
PMTR-70942

Security Management

In some scenarios, the Administrators view may not filter Domain names according to the permission profile of the connected administrator.

PRJ-13161,
PRHF-11027

Security Management

The "show-global-assignment" command returns the default limit when the limit request is greater than the default limit.

PRJ-26736,
PRHF-17606

Security Management

In a rare scenario, the "show hosts" Management API command with "details-level full" fails with a "Java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message.

PRJ-26677,
PRHF-17744

Security Management

The "show gateways and servers" Management API command does not show policy information for cluster members.

PRJ-27486,
PRHF-18079

Security Management

Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. Refer to sk174183.

PRJ-27480,
PRHF-16976

Security Management

If there is an Administrator is named "Endpoint", an upgrade of Endpoint Security Server from R77.30 fails.

PRJ-21788,
PRHF-15257

Security Management

In some scenarios, the output of the "cpmistat" command may contain partial information.

PRJ-29898,
PRHF-18828

Security Management

In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server".
Refer to sk174910.

PRJ-28157,
PRHF-17926

Security Management

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

PRJ-29517,
PMTR-72306

Security Management

In rare scenarios, when installing a policy immediately after publishing a session, the installation is not accelerated.

PRJ-29158,
PRHF-18883

Security Management

Scheduled IPS updates data may not be shown in the IPS update report.

PRJ-30048,
PMTR-72849

Security Management

The Management API command "show-sessions" may return sessions that were purged and no longer exist in the Management database.

PRJ-29968,
PRHF-19308

Security Management

In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X.

PRJ-25197,
PMTR-68090

Security Management

The "Packet capture is not supported on this platform" warning appears after policy installation on SMB Gateways, although no packet capture is used.

PRJ-30622,
PRJ-30624

Security Management

In rare scenarios, after the Security Management Server starts up, when connecting to SmartConsole, some objects appear more than once.

PRJ-30054,
PRHF-18928

Security Management

In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007.

PRJ-29469,
PRHF-19006

Security Management

In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866.

PRJ-21877,
PRHF-15460

Security Management

In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.

PRJ-21831,
PRHF-15448

Multi-Domain Management

In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file.

PRJ-23852,
PMTR-66674

Security Management

Management Server upgrade may fail, if there is a large amount of customized column profiles in the Logs view.

PRJ-30019,
PMTR-72786

Security Management

In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error.

PRJ-27764,
PRHF-17484

Security Management

The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level.

PRJ-29199,
PRHF-18782

Security Management

After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message.

PRJ-25280,
PRHF-17037

Security Management

In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005.

PRJ-28816,
PRHF-18712

Security Management

In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

PRJ-21778,
PMTR-63316

Licensing

In some scenarios, the total number of "sr" licenses may be counted incorrectly.

PRJ-27346,
PMTR-64049

Licensing

In a rare scenario, the licensing status in SmartConsole is displayed incorrectly.

PRJ-29804

Web SmartConsole

Added enhancements for Task Manager and policy installation. Refer to Take 48 in sk170314.

PRJ-30384,
PRJ-30370

CPInfo

UPDATE: Added CPInfo build 914000219. Refer to sk92739.

PRJ-20498,
PMTR-63033

CPUSE

The "Recommended" Package value is not changed from true to false in SmartConsole while installing Jumbo Hotfix. Refer to sk174508.

PRJ-22893,
PMTR-61926

CPView

In some scenarios, SNMP statistics per VS may not be displayed in CPView.

PRJ-29825,
PMTR-72671

SmartView

UPDATE: In SmartView, new MITRE ATT&CK techniques were added to the heatmap view.

PRJ-22159,
SL-5368

Logging

NEW:

  • In SmartEvent GUI added new products: "Behavioral Guard", "Anti-Exploit", "Anti-Bot" and "Anti-Ransomware"
  • For Endpoint logs correlation, added a new pre-defined event: "Harmony Endpoint" under Legacy -> Endpoint Security.

PRJ-26809,
PMTR-70072

Logging

NEW: In SmartEvent GUI, added the "referrer" field for filtering correlation unit events.

PRJ-25888,
PMTR-60610

Logging

UPDATE: During Management and Log Servers upgrade from R80.X to R81, indexes, stored in external storage (sk66003), can now be upgraded as part of the flow.

PRJ-25897,
PMTR-69195

Logging

UPDATE: Improved the time of search that require scanning logs for several days.

PRJ-29117,
PRHF-11939

Logging

In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430.

PRJ-29221,
PRHF-12847

Logging

In a rare scenario, Application Control events may not be displayed in SmartEvent.

PRJ-24979,
PRHF-16943

Logging

When AES authentication is configured, the "thresold_config" command does not send traps for SNMP v.3. Refer to sk173045.

PRJ-23868,
PRHF-16183

Logging

In SmartView reports, the "Show only icon" option for table widgets does not work as expected.

PRJ-26695,
PMTR-70010

Logging

When adding the "UC Block" action, log queries may not show UserCheck logs. Refer to sk174543.

PRJ-25833,
PMTR-68506

Logging

The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access Blade is enabled on the Security Gateway.

PRJ-25974,
PMTR-67094

Logging

In a rare scenario, logs that are created exactly at midnight, are shown in the SmartConsole Logs view tab but not shown in SmartView web.

PRJ-24524,
PMTR-67575

Logging

In a low log rate, there may be a delay in exporting logs using the Log Exporter.

PRJ-26116,
PMTR-69276

Logging

In a multi-site MDM environment, Log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name.

PRJ-22346,
PRHF-15696

Logging

In SmartView, the "Duration" field is missing from Reports and Views.

PRJ-28301,
PMTR-69800

Logging

When using the LEEF format in the Log Exporter tool, product names miss the last letter.

PRJ-26726,
PRHF-17205

Logging

In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command.

PRJ-27619,
PRHF-18157

Logging

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

PRJ-27050,
PRHF-17285

Logging

In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume a high CPU.

PRJ-21313,
PMTR-62117

Logging

  • In environments with more than 500K network objects, the LOG_INDEXER process may lead to a memory leak.
  • In some scenarios, when there are offline logs to index, queries are slower than expected.

PRJ-28341,
PMTR-69859

Logging

In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority.

PRJ-25442,
PRHF-17184

Logging

On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239.

PRJ-29030,
PRHF-17596

Logging

In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report.

PRJ-25623,
PMTR-68809

Logging

In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452).

PRJ-23681,
PMTR-62763

Logging

In rare scenarios, in environments with many network objects, when typing a query in the Logs tab Search bar, SmartConsole may close unexpectedly.

PRJ-30228

Logging

When traffic is dropped due to a Threat Prevention rule, fetching a packet capture from a security Blade violation log may not work.

PRJ-31210,
PRJ-30722

Logging

In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545.

PRJ-29576,
PRHF-15052

Security Gateway

NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.

PRJ-28853,
PRHF-18624

Security Gateway

UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters.

PRJ-29443,
PMTR-72448

Security Gateway

UPDATE: The default value for the kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560.

PRJ-32157,
PMTR-74372

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51.

PRJ-30982,
PMTR-73404

Security Gateway

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set _fw_bridge_with_ip_routing=1_ in the _$FWDIR/fwkern.conf_ file. Refer to sk165560.

PRJ-29505,
PRHF-18863

Security Gateway

In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.

PRJ-29088,
PRHF-13493

Security Gateway

In some scenarios, the CPD process may consume high CPU because of the memory leak in File Download Tool (FDT).

PRJ-28830,
PRHF-18098

Security Gateway

Improved the ICAP Server internal memory allocation logic.

PRJ-26036,
PMTR-67536

Security Gateway

A "fw_xlate_rule_count_dec: refcount is negative" message may be displayed in dmesg when IP pool NAT is used on a cluster environment.

PRJ-19771,
PRHF-14017

Security Gateway

Security Gateway may crash after policy installation.

PRJ-24692,
PRHF-16403

Security Gateway

In rare scenarios, creating a new SAM rule on a Management machine may fail.

PRJ-25294,
PRHF-16907

Security Gateway

In rare scenarios, a re-matched connection has 2 logs in SmartConsole.

PRJ-26077,
PRHF-11760

Security Gateway

After policy installation, Security Gateway may stop responding due to memory leaks.

PRJ-26393,
PRHF-17436

Security Gateway

In some scenarios, the WSDNSD process may unexpectedly exit and create a core file. Refer to sk173627.

PRJ-28810,
PRHF-18657

Security Gateway

Added cosmetic fixes of the "cpwd_admin list" command output.

PRJ-27560,
PRHF-17949

Security Gateway

In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188.

PRJ-28104,
PRHF-18024

Security Gateway

In a rare scenario, a memory leak may occur on the Security Gateway.

PRJ-27872,
PRHF-18234

Security Gateway

After a reboot or policy installation, the Cluster Under Load(CUL) messages in the fwk.ekg show CPU usage higher than 100%.

PRJ-26824,
PRHF-17872

Security Gateway

In rare scenarios, a duplicate entry may appear in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic.

PRJ-27077,
PMTR-70300

Security Gateway

In rare scenarios, using IP Pool NAT with only IPv4/IPv6 addresses configured may cause Security Gateway to crash.

PRJ-27127,
PRHF-17942

Security Gateway

In some scenarios, the ROUTED process may unexpectedly exit.

PRJ-28873,
PRHF-18560

Security Gateway

In a rare scenario, when using ICAP client, Security Gateway may crash.

PRJ-26931,
PRHF-17758

Security Gateway

SNMP lowDiskSpace trap with MDPS does not work with SNMP versions v1/v2 . Refer to sk173811.

PRJ-26584,
PMTR-68272

Security Gateway

In a rare scenario, CPView may show incorrect SecureXL statistics per VS.

PRJ-27651,
PMTR-70634

Security Gateway

Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.

PRJ-29130,
PRHF-18716

Security Gateway

In rare scenarios, policy installation may fail with an "Operation failed, install/uninstall has been improperly terminated" message.

PRJ-30215,
MPTT-4834

Security Gateway

In some scenarios, policy installation may take longer or fail when GEO Updatable Objects are used in the policy.

PRJ-30204,
PMTR-72814

Security Gateway

In some scenarios, NATed VPN traffic may be routed out through the wrong interface. Refer to sk176785.

PRJ-29743,
PMTR-72615

Security Gateway

In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated Refer to sk11088.

PRJ-29543,
PRHF-17386

Security Gateway

There is no option to enable hyperthreading via cpconfig.

PRJ-29527,
PRHF-18984

Security Gateway

In a very rare scenario, the ICAP Server may crash with a core dump file generated.

PRJ-29420,
PMTR-71855

Security Gateway

In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673.

PRJ-29139,
PRHF-18403

Security Gateway

The cpsicdemux process may unexpectedly exit, causing the Secure Internal Communication (SIC) connection to fail.

PRJ-28554,
PMTR-71632

Security Gateway

Capsule Workspace end users may fail to authenticate to their Exchange Mail Server via Mobile Access SSO when authenticated with Kerberos, and the end users belong to many user groups or user groups with very long names.

PRJ-29588,
PRHF-19049

Security Gateway

In a rare scenario, Security Gateway may crash.

PRJ-26671,
PRHF-17760

Security Gateway

In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs.

PRJ-30251,
PMTR-70219

Security Gateway

Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log.

PRJ-31370,
PRHF-19693

Security Gateway

Improved the handling of a large number of sessions per single HTTP/S connection.

PRJ-31031,
PMTR-69049

Security Gateway

In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade.

PRJ-28680,
AVIR-1444

Threat Prevention

UPDATE: Added the option to remove proxy usage in ioc_feeds tool.

PRJ-28520,
TPP-1291

Threat Prevention

In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed.

PRJ-26543,
PMTR-69186

Threat Prevention

In some scenarios, the IPS update status in SmartConsole is incorrect after the automatic update fails with the "Update failed. Failed to load database" error.

PRJ-26007,
PMTR-68402

Threat Prevention

SSH Deep Packet Inspection (SSH DPI) may fail after upgrade to R81.

PRJ-25778,
PMTR-68801

Threat Prevention

In a rare scenario, the FWD process may unexpectedly exit after an upgrade.

PRJ-28607,
PMTR-68865

Threat Prevention

Large file transfer in connections inspected by SSH Deep Packet Inspection (SSH DPI) may fail if SSH renegotiation is performed during the transfer.

PRJ-28764,
PMTR-71415

Threat Prevention

In some scenarios, when using OpenSSH 8.2 Server, file download fails after starting the transfer.

PRJ-28939,
PRJ-28975

Threat Prevention

Improved telemetry for Infinity Vision SOC.

PRJ-29616,
PRJ-30706

Threat Prevention

After an upgrade from R80.30, if Custom Intelligence Feeds (IoC) feature is enabled, Threat Prevention policy on VSX cluster may fail with "failed to handle indicators".

PRJ-29926,
PRHF-19208

Threat Prevention

Threat Prevention policy installation may fail when loading 2 IoC feeds that contain the same signature name for one of the observables.

PRJ-28135,
PRJ-27437

Threat Extraction

In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg.

PRJ-29488,
IDA-4049

Identity Awareness

UPDATE:

  • Increased the default timeout values of entries: connected_pdp_refresh_interval is now set to 240 seconds and connected_pdp_grace_period is now set to 360 seconds.
  • Added the "Identity information / Network information will be deleted" alert to SmartConsole.

PRJ-32355,
PRJ-32353

Identity Awareness

UPDATE: The default threshold value for Identity Collector Service Accounts exclusion was changed from 10 to 100. Refer to sk174266.

PRJ-29397,
IDA-4087

Identity Awareness

Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull.

PRJ-27476,
PRHF-18015

Identity Awareness

When using sk167118, the user may fail to authenticate if the "Ask user for password" checkbox is enabled.

PRJ-26804,
MBS-13669

Identity Awareness

In a rare scenario, the Security Gateway may crash.

PRJ-27943,
IDA-4112

Identity Awareness

In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105.

PRJ-29614,
PRHF-18943

Identity Awareness

In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables.

PRJ-27193,
PRHF-17768

Application Control

UPDATE: Improved matching of URLs for custom applications.

PRJ-27260,
PMTR-65461

IPS

Proxy source IP address is not printed in the IPS logs.

PRJ-27959,
PRHF-18158

IPS

In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open.

PRJ-26463,
PRHF-16635

IPS

An HTTP download of a large file may unexpectedly stop with an error message.

PRJ-28245,
PRHF-18338

IPS

In some scenarios, HTTP Parser in the CPView statistics may show incorrect values for connections with more than 50 sessions.

PRJ-29941,
PRHF-18992

IPS

In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.

PRJ-32499,
PRJ-32415

IPS

In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process.

PRJ-31694,
PMTR-73790

IPS

Improved the handling of decoded HTTP/S traffic.

PRJ-29192,
TPP-1157

Anti-Bot

UPDATE: Improved performance of Anti-Bot URL Reputation.

PRJ-29476,
PMTR-72234

SSL Inspection

In some scenarios, a memory leak may occur when creating ECDHE keys.

PRJ-30460,
PRHF-19516

SSL Inspection

In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.

PRJ-30701,
PMTR-72756

SSL Inspection,
VPN

A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers.

PRJ-29269,
PRJ-29262,
PRHF-3700,
PRHF-3742

Mobile Access

In a rare scenario, a memory leak may occur in the CVPND process.

PRJ-28258,
PRHF-16057

Mobile Access

In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client.

PRJ-27297,
VPNRA-761

Mobile Access

In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit.

PRJ-27453,
PRHF-17458

ClusterXL

In a very rare scenario, after adding a member to a cluster, the FWK process may unexpectedly exit, creating core dumps.

PRJ-28283,
PRJ-28054

SecureXL

In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly.

PRJ-26953,
PMTR-70242

SecureXL

TCP packets may be dropped as "TCP out of state" although following sk11088.

PRJ-32940,
PMTR-75157

SecureXL

In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.

PRJ-30030,
PRHF-19268

Routing

In some scenarios, when BootP is configured, during policy installation, the Security Gateway may become unresponsive and the ROUTED process may crash.

PRJ-27820,
PMTR-63965

Routing

If the interface cable is unplugged, after a failover, Border Gateway Protocol (BGP) stops receiving routes from Primary member to Secondary and back to Primary.

PRJ-23816,
PMTR-63250

Routing

During the boot process "pbrroute-conf" messages may appear. Refer to sk173514.

PRJ-26754,
PRJ-26750

Routing

In some scenarios, the NetFlow Packet may report a wrong source IP Address.

PRJ-29497,
ROUT-1745

Routing

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

PRJ-28958,
PRHF-17739

Routing

The ROUTED process may unexpectedly exit.

PRJ-29320,
ROUT-1721

Routing

AS path loops may occur, although BGP multihop is configured.

PRJ-28840,
PMTR-51501

Routing

In some scenarios, an outage may occur because of premature graceful-restart exit.

PRJ-31127,
PMTR-73496

Routing

In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending.

PRJ-28172,
PMTR-71425

VPN

NEW: Added StrongSwan clients counter to the VPN TU Tool.

PRJ-29533,
PRHF-18564

VPN

RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode.

PRJ-31115,
PMTR-73488

VPN

In some scenarios, when connecting with both Endpoint and SSL Network Extender (SNX) clients to a single Gateway, a memory leak may occur.

PRJ-31148,
PMTR-73511

VPN

In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site.

PRJ-27856,
PMTR-71136

VPN

When deleting an entry from m_ht hash table, a memory leak may occur.

PRJ-27687,
PMTR-70957

VPN

In a rare scenario, a memory leak may occur.

PRJ-27683,
PMTR-71025

VPN

When saving the login info of the client, a memory leak may occur.

PRJ-27679,
PMTR-71013

VPN

Reauthentication of the client may lead to a memory leak.

PRJ-28772,
PMTR-71850

VPN

In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation.

PRJ-28027,
PMTR-71319

VPN

When StrongSwan client connecting with a RADIUS user, it may not receive an Office Mode IP address.

PRJ-25884,
PRHF-16370

VPN

In some scenarios, when DAIP peer initiates IKEv2 negotiation with certificate authentication, the VPND process may unexpectedly exit. Refer to sk174665.

PRJ-28378,
PMTR-71772

VPN

Improved VPN Site to Site tunnel establishment scenario with IKEv2. Refer to sk175092.

PRJ-28075,
PRHF-18369

VPN

A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249.

PRJ-21639,
PRHF-15318

VPN

The VPN Logs view show IP address octets in an unexpected (reversed) order. Refer to sk172807.

PRJ-27814,
PMTR-71098

VPN

In some scenarios, the VPN tunnel between GCP cluster and GCP peer fails to establish.

PRJ-27314,
PRHF-14851

VPN

IPSec VPN uses the wrong source IP address when initiating NAT-T encrypted traffic. Refer to sk172805.

PRJ-22119,
PMTR-31204

VPN

In rare scenarios, after policy installation, the VPND process may unexpectedly exit with core dump.

PRJ-27675,
PMTR-70855

VPN

In some scenarios, the user may not be able to connect because the CVPND process unexpectedly exits.

PRJ-25236,
PMTR-68326

VPN

Added improvements for DAIP Gateway behind Hide NAT and ROBO peer Gateways.

PRJ-28558,
PMTR-20176

VPN

In some scenarios, when sending the SCV drop log, a memory leak may occur.

PRJ-28265,
PRHF-18295

VPN

A memory leak may occur when clearing the CRL cache file.

PRJ-28513,
PRHF-18408

VPN

In some scenarios, a memory leak may occur on the Security Gateway.

PRJ-29283,
PRHF-18818

VPN

In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process.

PRJ-28506,
PRHF-18400

VPN

A memory leak may occur in the VPND process.

PRJ-28575,
PRHF-17880

VPN

In some scenarios, Server connections to Remote Access L2TP clients may be unstable.

PRJ-29483,
PMTR-72463

VPN

A memory leak may occur in the VPND process in IKEv2 Site to Site VPN.

PRJ-30869,
PRHF-19755

VPN

A memory leak may occur in the VPND process.

PRJ-30756,
PRHF-19484

VPN

In some scenarios, when NAT is enabled, Route Based VPN traffic may be dropped.

PRJ-29277,
PRHF-3784

VPN

A memory leak may occur in the CVPND process.

PRJ-17830,
PRJ-17746

VSX

Recreation of a virtual system may fail due to an internal error.

PRJ-27970,
PMTR-35890

VSX

When querying a VS for "sysObjectID" via SNMP, a generic net-SNMP value ("NET-SNMP-MIB::netSnmpAgentOIDs.10") returns instead of a Checkpoint value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62").

PRJ-29553,
PRHF-18753

VSX

After reboot, the VS's clish static arps configurations exist, but the static arps may be missing.

PRJ-27543,
PMTR-70755

VSX

The weight of VSB in "cphaprob stat" is 0. This impacts load balancing between cluster members in a VSX cluster in VSLS mode.

PRJ-22691,
PMTR-65535

VSX

This fix allows create/change a VSX cluster/Gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole.

PRJ-30276,
PMTR-72997

Gaia OS

UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes.

PRJ-25766,
PRHF-17216

Gaia OS

After 248 days of up time, the VMSS Gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413.

PRJ-27001,
PRHF-17900

Gaia OS

Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703.

PRJ-27613,
PRJ-27612

Gaia OS

If NTPD service is configured in Management Data Plane Separation (MDPS) settings, NTPD error logs appear in var/log/messages after a reboot.

PRJ-27696,
PRHF-17721

Gaia OS

When a non-TACACS user logs out from WebUI, "Cannot get pid" is printed as an error to the /var/log/messages file.

PRJ-27978,
PMTR-69876

Gaia OS

A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC).

PRJ-26024,
PRHF-12090

Gaia OS

In some scenarios, after an upgrade, Multi-Queue commands may fail without producing any output due to licensing issue. Refer to sk168178.

PRJ-26430,
GAIA-8922

Gaia OS

The Link Layer Discovery Protocol (LLDP) sends the hostname with a dot when the Domain name is empty.

PRJ-28797,
PRHF-18683

Gaia OS

In a rare scenario, a memory leak may occur in the monitord process.

PRJ-29858,
PRHF-17602

Harmony Endpoint

UPDATE: In SmartEndpoint, besides FDE Remote Help, Bitlocker Management Recovery is now available for administrators with limited rights.

PRJ-29178,
PRHF-17857

Harmony Endpoint

Remote installation push operation "Deployed new Endpoints" does not work on on-prem Servers because of self-signed certificates.

PRJ-27751,
PRHF-18108

Harmony Endpoint

Endpoint Firewall may start dropping all network traffic after a Management Server upgrade from R80.10 or older versions.

PRJ-31100,
PRHF-16439

Harmony Endpoint

Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM Blade is not activated.

PRJ-30519,
PMTR-73094

Harmony Endpoint

In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://".

PRJ-22501,
PRHF-15623

VoIP

Holding last source port table lock while searching for next free port may cause performance issues.

PRJ-29515,
VSECC-1418

CloudGuard Network

NEW: In Amazon Web Services (AWS):

  • Added Load Balancers tags. The tags can now be viewed in SmartConsole and added to the rulebase.
  • Added support for IMDSv2

To enable the feature:

  1. Edit the $FWDIR/conf/vsec.conf on the Management Server and add the line: aws.enableLoadBalancersTags=true
  2. From SSH run: vsec stop;vsec start

Note: This feature requires adding DescribeTags and DescribeLoadBalancers permissions to the AWS Data Centers accounts.

NEW: In Azure:

  • Added Application Security Groups
  • Added Private Endpoints

To enable the feature:

  1. Edit the $FWDIR/conf/vsec.conf on the Management Server and add the line: azure.enableAsgAndPep=true
  2. From SSH run: vsec stop;vsec start

Note: This feature requires adding permissions to list Application Security Groups and Private Endpoints.

 

NEW: In AWS, Azure and Google Cloud Platform (GCP):

Added support for API calls with HTTP response with reason-code only (without reason-phrase).

PRJ-21216,
PMTR-63308

CloudGuard Network

The mq_mng tool does not show RX/TX packets counter statistics for the virtio_net driver.

PRJ-29651,
PRHF-17648

CloudGuard Network

Amazon Web Services (AWS) Data Center scan may fail and no updates are sent to the Security Gateway.

PRJ-22534,
PRJ-28171

CloudGuard Network

In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds.

PRJ-30042,
ODU-104

Smart-1 Cloud

If wstunnel loses connectivity, after several attempts it may unexpectedly exit and not restart. Refer to sk166056.

PRJ-23019,
PRHF-15000

QoS

Added QoS support for source port matching, allowing DSCP to mark different streams packets correctly.

PRJ-29526,
MBS-11085

Scalable Platforms

The "Hits" counter value in the SmartConsole rulebase does not update when traffic reaches a non-SMO Security Group member (for Security Gateway only).

PRJ-21219,
MBS-12835

Scalable Platforms

The SSM Allow Management Loss feature (sk145792) sends alerts even if a failure event's duration is short.
Now the feature sends alerts only if a failure event's duration is long (30 seconds by default).

PRJ-27511,
PRHF-17895

Scalable Platforms

In a rare scenario, a memory leak that requires constant reboots may occur.

PRJ-25358,
MBS-10733

Scalable Platforms

When restarting the active CMM (for example, with the "ccutil restart_cmm active" command), a chassis may fail over, even if there is a Standby CMM.

PRJ-25347,
MBS-10732

Scalable Platforms

In a rare scenario, the Chassis Monitor daemon (cmd) fails to retrieve the CPU temperatures due to an SNMP timeout.

PRJ-21104,
SPC-1233

Scalable Platforms

In some scenarios, UIPC feature does not work if a non-VS0 Virtual System is configured with an IP on the same subnet as VS0 management network.

PRJ-25340,
SPC-3100

Scalable Platforms

Allow Management Loss feature (sk145792) may not enter into Management Loss mode when backplane interface total packets amount exceeds 2 Billion.

PRJ-28286,
PMTR-71419

Scalable Platforms

Using Static NAT for the destination in asymmetric connections may lead to Out of State traffic drops. Refer to sk174234.

PRJ-27319,
PMTR-70850

Scalable Platforms

Added a cosmetic fix in asgPeaksTable.

PRJ-27264,
MBS-14076

Scalable Platforms

The "asg perf" command may fail when it calculates the average load of CPU cores when CoreXL uses all CPU cores available in the Security Group.

PRJ-25368,
MBS-10506

Scalable Platforms

If a Bond interface that is assigned to a Security Group is configured in the 802.3AD (LACP) mode, packet loss may occur on a Security Appliance when the Security Appliance becomes active after a reboot.

PRJ-28427,
PMTR-71406

Scalable Platforms

In some scenarios, running the "asg perf" command with -vv flag fails.

PRJ-29760,
PMTR-71418

Scalable Platforms

In a rare scenario, the "asg perf" command may take up to 90 seconds to update the data. The information may differ from CPView results.

PRJ-30024,
MBS-13662

Scalable Platforms

When rebooting a member from the standby site, it may send GARP when booting and cause a connectivity issue. Refer to sk176523.

PRJ-29982,
MBS-12054

Scalable Platforms

The outage may occur when configuring OSPF over VPN/VTI interface because of a missing cluster IP address for VPN/VTI interface.

PRJ-25648

Scalable Platforms

Collect data and statistics report in a scenario where SSM state has changed to down or entered into management loss mode

PRJ-25781,
MBS-13969

Scalable Platforms

In some scenarios, boot on SP VSX setup may fail with an "Unable to open '/vs1/dev/fw0': Connection refused" message.

PRJ-27828,
PMTR-71149

Scalable Platforms

In a rare scenario, the "asg diag" command for verifying Interfaces may have an incorrect raw output.

PRJ-27739,
PMTR-71092

Scalable Platforms

In rare scenarios, after accelerated policy installation, security members may go to down states.

PRJ-28252,
PMTR-70624

Scalable Platforms

Added support for the command "snapshot-onetime" (import/export, from/to a remote Server) on Scalable Platforms.

PRJ-29520,
PMTR-72141

Scalable Platforms

After setting a specific range of Blades in gclish, some commands may fail.

PRJ-29390,
PMTR-72185

Scalable Platforms

During an upgrade of a Security Group, the "Fetching the policy from the Management Server and installing it" action fails on the upgraded Security Group Members.

PRJ-25648,
MBS-11227

Scalable Platforms

Scalable Platform automatically collects statistics and data in the /var/log/ssm_failure_reports/ directory, when:

  • An SSM enters the management loss state. Refer to sk145792.
  • An SSM goes down.

PRJ-24519,
MBS-12953

Scalable Platforms

After adding a new user via WebUI, the "asg diag" command may fail on configuration test (config_verify -v) due to inconsistent value in the database. The issue is only cosmetic.

PRJ-22891,
MBS-12346

Scalable Platforms

In some scenarios, the "asg diag" and "asg_license_verifier" commands fail with an incorrect message: "ERROR: No license for 'IPS-1' [mandatory feature 'ips']".

PRJ-29002,
PRJ-29001

Scalable Platforms

In some scenarios, after an upgrade of Scalable Platform, reboot of a member may trigger additional reboots.

PRJ-23306,
PMTR-60956

Carrier Security

UPDATE: The "FireWall-1 GX" module is renamed to "Carrier Security".

PRJ-22323,
PRHF-15689

Infrastructure

In some scenarios, the cpmiquerybin and dbedit processes may unexpectedly exit causing a buffer overflow.

Take 44

Released on 29 September 2021 and declared as Recommended on 12 October 2021

PRJ-30926,
PMTR-70151

VPN

In some scenarios, when ipassignment.conf file is used, Remote Access users cannot connect due to Office mode allocation failures. Refer to sk175448.

Take 42

Released on 1 September 2021

PRJ-26240,
PRJ-26233

Diagnostics

NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2.

PRJ-24235,
PMTR-64142

Licensing

UPDATE: If there is no license installed, the error message will be printed when running the "cpstart" command.

PRJ-24201,
PMTR-67200

Security Management

NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629.

PRJ-27200

Security Management

NEW: Added the Hitcount column to the "Export to CSV" functionality in Access Policy.

  • Requires R81 SmartConsole Build 553 (or higher).

PRJ-24985,
PRJ-25474

Security Management

NEW: Added ability for R81 Security Management or Multi-Domain Server to manage R81.10 Security Gateway.

  • Requires R81 SmartConsole Build 553 (or higher).

PRJ-26026,
PMTR-69307

Security Management

NEW: Added the "get-interfaces" Management API for Security Gateway and Cluster objects.

  • The functionality is parallel to the "Get Interfaces" button in the SmartConsole Network Management page in the Security Gateway / Cluster editor.
  • The API is available starting from version 1.7.

PRJ-26414,
PMTR-69791

Security Management

NEW: Added the Management API command "show-layer-structure".

PRJ-27122,
PMTR-70628

Security Management

UPDATE: The "Purge revisions" operation has been improved to further reduce the database's size.

PRJ-27163,
PMTR-70138

Security Management

UPDATE: Performance improvement in an upgrade of Security Management and Multi-Domain Servers with large rulebases.

PRJ-26194,
PMTR-69529

Security Management

In a rare scenario, the FWM process may unexpectedly exit.

PRJ-26184,
PRHF-17487

Security Management

When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file.

PRJ-26124,
PRHF-17476

Security Management

In some scenarios, HA synchronization fails in the Global Domain after the IPS update.

PRJ-29004,
PRHF-18817

Security Management

In some scenarios, Publish operation fails with the "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703.

See the Important Notes section.

PRJ-25039,
PRHF-16802

Security Management

In rare scenarios, a task in progress may get stuck until the Management Server is restarted.

PRJ-24011,
PMTR-62382

Security Management

In some scenarios, the NAT rule is not enforced when the rule name is identical to an object name placed on the rule.

PRJ-25862,
PMTR-67876

Security Management

When running the "show-tasks" command with Management API and using the "order" parameter, the results are not ordered.

PRJ-26455,
PRHF-17433

Security Management

In rare scenarios, the web_api_show_package.sh script fails, and the log shows "Null Pointer Exception".

PRJ-22135,
PMTR-63108

Security Management

In some scenarios, a high load on the Management Server may cause SmartConsole slowness.

PRJ-26630,
PRHF-17230

Security Management

In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.

PRJ-25010,
PMTR-67525

Security Management

After configuring VPN Blade on a Security Gateway with support-visitor-mode using Management API, VPN clients may fail to create sites.

PRJ-21968,
PRHF-15471

Security Management

Packet Mode search in rule base ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched.

PRJ-22385,
PRHF-15325

Security Management

User may fail to connect to SmartConsole after the administrator changed the RADIUS Server host IP address. Refer to sk172065.

PRJ-24331,
PRHF-16613

Security Management

In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy.

PRJ-27621,
PMTR-69273

Security Management

In a rare scenario, the "Install Database" task may continue to run indefinitely.

PRJ-26093,
PMTR-69327

Security Management

In rare scenarios, the Access Control policy installation fails with the "Security Management Server aborted connection" error.

PRJ-25305,
PMTR-67893

Security Management

Policy verification may incorrectly fail with the verification error "Rule contains both Access Roles and network objects" when the installation is accelerated.

PRJ-26343,
PMTR-59909

Security Management

When installing policy on a gateway for the first time, Threat Prevention policy installation may fail if installed with Access policy.

PRJ-25687,
PRHF-17286

Security Management

In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name.

PRJ-24052,
PMTR-66980

Security Management

If the Management Server is up for many days, the CPM process memory consumption and CPU usage may increase consistently.

PRJ-26299,
PRHF-17531

Security Management

In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted.

PRJ-26911,
PRHF-16657

Security Management

Policy installation to multiple gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy.

PRJ-25838,
PRHF-17362

Security Management

In some scenarios, deleting a Security Gateway object fails with the "Object <name> is used by a policy or by other objects" error even though the Security Gateway is not in use. Refer to sk173467.

PRJ-25800,
PRHF-17324

Security Management

In rare scenarios, if the CPM process is up for many days, CPU, and memory consumption may continue to grow until a reboot is performed.

PRJ-25254,
PMTR-68425

Security Management

Login with Management API fails when using the api-key and setting enter-last-published-session to "true".

PRJ-26507,
PMTR-69683

Security Management

Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same".

PRJ-25447,
PMTR-68607

Security Management

SmartConsole may unexpectedly close when renaming an Application Control rule name or changing an Application Control policy action.

PRJ-25892,
PMTR-69154

Multi-Domain Management

NEW: Allow creating Domain Management Servers with a netmask different than the one of the Multi-Domain Server. Refer to sk173934.

PRJ-26690,
PMTR-69747

Multi-Domain Management

After migrating the Global Domain and making global changes, when assigning/reassigning the Global Domain, the assignment may be shown as "Up to date" even though the latest global changes are not applied on the Domain.

PRJ-25518,
PRJ-25516

Multi-Domain Management

In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole.

PRJ-25406,
CPM-2542

Multi-Domain Management

In some scenarios, HA synchronization may fail on the MDS level with the "Failed to synchronize this peer due to purged revisions in the database." message.

PRJ-27154,
PRHF-11539

Multi-Domain Management

OS information for Domain Servers may not be shown correctly at the MDS level.

PRJ-22639,
PRHF-15727

Multi-Domain Management

In rare scenarios, the Multi-Domain Management Server may fail to start if Domains were previously deleted.

PRJ-26302,
PRHF-17558

Multi-Domain Management

In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely.

PRJ-20647,
PMTR-63143

SmartConsole

NEW: Added the option to print or save (as a file) the Changes Report.

PRJ-23439,
PMTR-65297

SmartConsole

UPDATE: Changes report supports up to 50 revisions (instead of 10).

PRJ-22813,
PMTR-61013

SmartConsole

Improved adjustment of the scrollbar in the Changes Report window.

PRJ-26906,
PRHF-17725

SmartConsole

In some scenarios, loading the Access Control policy causes SmartConsole to close unexpectedly. Refer to sk175405.

  • Requires R81 SmartConsole Build 553 (or higher).

PRJ-26873,
PRHF-17640

SmartConsole

In some scenarios, the gateway hardware change in SmartConsole fails with "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning.

PRJ-27576

Web SmartConsole

NEW: Web SmartConsole now includes read/write capability for the most common activities. Refer to Take 44 in sk170314.

PRJ-25931,
PRJ-30691,
PMTR-69181,
PMTR-69007

SmartView

NEW:

  • It is now possible to set the default timeframe for all the SmartView web application functionalities.
  • The default value is "Last 24 hours".

Note: The default time frames on the SmartView web application and SmartConsole are not synchronized.

  • Requires R81.00 SmartConsole Build 553 (or higher).

PRJ-27301,
PMTR-70643

SmartView

After upgrade, SmartView scheduled export to Excel of Reports and Views stop running and users are unable to edit the scheduled tasks. Refer to sk174047.

PRJ-24351,
PMTR-67284

CPView

In some scenarios, a memory leak may occur in a cpview_services module. Refer to sk173952.

PRJ-19795,
SL-4613

Logging

NEW: Added support for Endpoint Forensics reports to get-attachment API.

PRJ-20258,
PMTR-57895

Logging

NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323.

PRJ-21423,
PMTR-61503

Logging

NEW: The Log exporter now supports formatting for RSA SIEM application.

PRJ-25596,
SL-5164

Logging

UPDATE: The Log Server now supports up to 2700 Gateways (previously was 1024). Refer to sk163413.

PRJ-20136,
PMTR-62674

Logging

UPDATE: When reverting a Management or Log Server from the R81 version 30 days after the upgrade, logs are no longer fetched or indexed.

PRJ-25454,
PMTR-68670

Logging

In rare scenarios, logs generated in the same second, with the same ID, may not show up in SmartConsole's Logs tab.

PRJ-22650,
PRHF-15710

Logging

Threat Emulation log description for HTTP emulation is incorrect.

PRJ-23114,
PMTR-52927

Logging

In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done.

PRJ-23821,
PRHF-12659

Logging

In rare scenarios, when querying logs with a timeframe larger than 1 day, only 50 logs from each day will be shown.

PRJ-23581,
PMTR-65203

Logging

In some scenarios following a Multi-Domain Management Server upgrade, logs queries may not retrieve results from some CMAs\CLMs.

PRJ-25646,
PMTR-68886

Logging

In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB).

PRJ-24488,
SL-5577

Logging

When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways.

PRJ-24216,
PMTR-65200

Logging

In a Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application.

PRJ-24706,
PMTR-67771

Logging

In the SmartConsole Logs&Monitor tab, when the query time-frame is "Last Hour" and auto-refresh is on, if the query time is between 12:00 and 13:00, logs from that time will not be shown.

PRJ-25657,
PRHF-7562

Logging

In some scenarios, the LOG_INDEXER process consumes 100% CPU and log indexing fails causing log queries to miss the recent logs. The issue occurs when rules have Accounting enabled and there is a lot of traffic matching these rules.

PRJ-27072,
PMTR-70430

Compliance

In some scenarios on Multi-Domain environments, Compliance data is not synchronized between primary and secondary Domains.

PRJ-24580,
PMTR-66164

SNMP

NEW: Added CPview network statistics and network profile data to SNMP - throughput, packets rate, concurrent connections, drop reasons, top connections, and more.

PRJ-24537,
PMTR-66616

Security Gateway

UPDATE: Added new Dynamic Balancing Clish command to enable default number of instances. To use it, run "set dynamic-balancing state enable set_default_fw_instances". Refer to sk164155.

PRJ-26331,
PMTR-68117

Security Gateway

UPDATE: The prompt indication will show on which plane (management or data) the context is.

For example:

  • "[Expert@Host:0]" will be displayed as "[Expert@Host:dplane]" for the data plane.

  • "[Expert@Host:1]" will be displayed as "[Expert@Host:mplane]" for the management plane.

PRJ-25102,
PMTR-62328

Security Gateway

UPDATE: The Connection Tracker (CPView >Advanced > CONN-TRACKER) will be activated by default.

PRJ-25844,
PMTR-68979

Security Gateway

Added the Access Control rulebase matching visibility enhancement.

PRJ-29753,
PRHF-19043

Security Gateway

In rare scenarios, the Security Gateway may failover while handling the HTTP/2 stream.

PRJ-27036,
PMTR-67834

Security Gateway

VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683.

PRJ-26479,
PMTR-66746

Security Gateway

In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security gateway to crash.

PRJ-26811,
PMTR-68115

Security Gateway

In rare scenarios, policy installation may fail with the "Problem with the Commit Function" message.

PRJ-26409,
PMTR-69461

Security Gateway

In some scenarios, policy installation on the MDPS Gateway fails with "ERROR: Duplicate keys in table 'cluster_members_ids_by_ips'" errors in SmartConsole. Refer to sk173485.

PRJ-24127,
PRHF-15896

Security Gateway

RADIUS authentication failure messages are written to SmartConsole logs but not presented to a user. Refer to sk173927.

PRJ-21271,
PMTR-56012

Security Gateway

In some scenarios, emails may be stuck in the MTA queue.

PRJ-26016,
PMTR-68942

Security Gateway

In a rare scenario, a memory leak may occur in thein.emaild.mta process.

PRJ-18127,
PMTR-60844

Security Gateway

In some scenarios, an incorrect interface name is displayed in CPView.

PRJ-25393,
PRHF-17173

Security Gateway

In some scenarios, there is no match on URL Filtering rules.

PRJ-26269,
PRJ-26257

Security Gateway

In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg. Refer to sk173546.

PRJ-26345,
PMTR-69467

Security Gateway

When using Routing separation and ClusterXL, the "cphaprob -a if" command displays "mdps_tun" as "DOWN".

PRJ-26152,
PMTR-69312

Security Gateway

In a rare scenario, a memory leak may occur when IPS / Anti-Bot / Anti-Virus Blade is enabled.

PRJ-25817,
PRHF-16364

Security Gateway

Added Dynamic Anti-Spoofing stability enhancements.

PRJ-27624,
PMTR-71034

Security Gateway

In some rare scenarios, only after a fast policy installation with a Non-FQDN object or an updatable object, wild card domains may not be enforced.

PRJ-27124,
PMTR-70644

Security Gateway

Improved Generic Data Center object download to Security Gateway.

PRJ-25738,
PRHF-16886

Security Gateway

In some scenarios, Security Gateway may crash when ICAP client is enabled.

PRJ-26619,
PRHF-17663

Security Gateway

In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file.

PRJ-26596,
PMTR-70023

Security Gateway

Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition.

PRJ-23066,
PMTR-63142

Security Gateway

Improved displayed drop log messages on the Security Gateway:

  1. To see drops since the last reboot, use the fw ctl drop command.
  2. To see drops in real time, use the CPView tool.

Refer to sk172232.

PRJ-22625,
PRHF-15835

Security Gateway

In some scenarios, the VSX Cluster switch may cause a core dump.

PRJ-24010,
PRHF-16196

Security Gateway

In rare scenarios, when the sd_global_monitor_only property is set to true, there is no HTTP inspection.

PRJ-24903,
PMTR-66910

Security Gateway

In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the "PSL Drop: internal - drop enabled" message was displayed.
With this fix, the reason for the drop will be displayed.

PRJ-24838,
PRHF-15080

Security Gateway

In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may stop working. Refer to sk172935.

PRJ-23539,
PMTR-66212

Security Gateway

In some scenarios, values set in fwkern.conf may not be applied correctly.

PRJ-25553,
PMTR-67991

Security Gateway

In some scenarios, connections are dropped with the "Virtual defragmentation error: fragment table is full" message. Refer to sk180404.

PRJ-25483,
PRHF-17175

Security Gateway

In a rare scenario, the PDPD or VPND process on the Security Gateway consumes a high CPU. Refer to sk173706.

PRJ-25472,
PRHF-12897

Security Gateway

In rare scenarios, SmartView Monitor shows the "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206.

PRJ-25157,
PMTR-67534

Security Gateway

When running the "fwaccel stats -r" command to reset the SXL statistics, the statistics may become corrupted.

PRJ-24530,
PRHF-16667

Security Gateway

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

PRJ-29346,
PRHF-17221

Security Gateway

In a rare scenario, the Security Gateway may sporadically crash.

PRJ-18868,
PRHF-13722

Security Gateway

In rare scenarios, DynamicID authentication fails with a "Server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303.

PRJ-23273,
PRHF-15932

Security Gateway

In some scenarios, the "fw ctl affinity" command on MPDS Dplane does not show the Mplane Multi-Queue interfaces.

PRJ-29094,
PRHF-18786

Security Gateway

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

PRJ-26140,
PMTR-69466

Internal CA

UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates.

PRJ-25273,
PMTR-68358

Internal CA, VPN, Multi-Portal

UPDATE: The IKE certificate's validity period is set to 1 year by default. Refer to sk176527.

PRJ-26649,
PMTR-70065

Internal CA

UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424.

PRJ-24831,
PMTR-67854

Internal CA

sk172610 was added to "Failed creating certificate. Certificate with a different letters' case exists" error message.

PRJ-25544,
PRJ-26201

Anti-Virus

In a rare scenario, the Security Gateway may crash when working with Anti-Virus.

PRJ-25245,
PMTR-68421

Threat Extraction

UPDATE: In Autonomous Threat Prevention (ATP) configured gateway, Threat profile field in sanitization (Threat Extraction) logs will refer to the current ATP profile installed.

PRJ-26524,
ODU-78

Threat Extraction

Added Update 4 of Threat Extraction Engine. Refer to sk165832.

PRJ-22272,
PRHF-14664

Threat Prevention

Improved the Threat Prevention policy installation time when installing on more than two Security gateways.

PRJ-25845,
PMTR-63963

Threat Prevention

In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected.

PRJ-25056,
PMTR-67604

Identity Awareness

NEW: Added Identity Collector Service Accounts exclusion. The default threshold value is 10. Refer to sk174266.

PRJ-24690,
PRJ-25444
PRJ-21304

Identity Awareness

NEW: Added support for SAML authentication method for Remote Access VPN. Refer to sk172909 for configuration instructions.

  • Requires R81 SmartConsole Build 553 (or higher).

PRJ-24500,
PMTR-67597

Identity Awareness

NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.
The feature is disabled by default. To enable it, refer to sk128212.

PRJ-25383,
PMTR-68590

Identity Awareness

UPDATE: Changed the Web-API conciliation score from 10 to 15.

PRJ-25926,
PMTR-68088

Identity Awareness

Optimized the PDP expired timers mechanism performance.

PRJ-25582,
IDA-3937

Identity Awareness

In some scenarios, Identity Awareness with enabled Remote Access identity source constantly prints "A secondary session request was received from the same IP" message in the log and overrides the existing session.

PRJ-17567,
MBS-11293

Identity Awareness

IDA database may become corrupted on Scalable Platforms configured with multiple Identity Collectors in redundancy mode or Identity Sharing.

PRJ-26232,
IDA-4019

Identity Awareness

When the PDP gateway is connected to multiple pre-R81 PEP gateways, the CPU consumption may be high. Refer to sk173709.

PRJ-29307,
PMTR-72312

URL Filtering

In some scenarios, HTTPS connections to Servers with untrusted certificates are held and not resumed (page cannot load).

PRJ-24629,
TEX-2201

UserCheck

In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, action fails with "An unexpected error has occured." error message.

PRJ-26166,
PMTR-69256

IPS

In rare scenarios, the FWK process may unexpectedly exit when installing the policy.

PRJ-23674,
PRHF-14886

IPS

A redundant debug message may be displayed in dmesg logs.

PRJ-22232,
PRHF-14501

IPS

Packet capture may not be generated for certain IPS protections.

PRJ-27971,
PRHF-15586

IPS

Added IPS Core Protections scan improvements for HTTP traffic.

PRJ-26107,
PRHF-17301

IPS

Security Gateway may crash when the IPS profile name is very long. Refer to sk174025.

PRJ-18857,
PRHF-858

DLP

DynamicID via SMTP does not work when an HTTP proxy Server is defined.

PRJ-26008,
PMTR-61844

SSL Inspection

When TLS 1.3 is enabled, a connectivity issue may occur for non-TLS traffic over inspected ports.

PRJ-26740,
PRHF-4657

SSL Inspection

Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692.

PRJ-20681,
PRHF-14540

SSL Inspection

A table hash size may be too small for some environments and cause an increased CPU usage.

PRJ-25222,
PRHF-17088

Mobile Access

Improved the Portal Rendering performance in Unified Policy mode.

PRJ-21798,
PMTR-60183

Mobile Access

The "Favorites" button does not work if URL does not start with "https://"

PRJ-24688,
PRHF-16135

Mobile Access

In some scenarios, the HTTPD process consumes a high CPU causing slowness in access to web applications.

PRJ-23732,
PRHF-16302

Mobile Access

In some scenarios, when configuring the "X-Forwarded-For" header to MAB reverse proxy, the header is passed in reverse order.

PRJ-25105,
PRHF-17025

ClusterXL

Data connections from the Standby member of an Active-Standby cluster may be dropped on the stealth rule when "fwha_cluster_hide_active_only" is set to 1.

PRJ-26575,
PMTR-69991

ClusterXL

The "set cluster member ccpenc" command description falsely shows that the default setting is off.

PRJ-26981,
PMTR-64228

ClusterXL

In some scenarios, in Load Sharing mode, the cphaprob show_bond command on the Security Management Server shows the back-up subordinate status as "Not Available". Refer to sk175469.

PRJ-25954,
PRHF-17427

ClusterXL

Hundreds of VLANs in VSX cluster may cause VLAN to get Internal Communication Network IP (funny IP) address when adding/editing VLAN.

PRJ-26410,
PMTR-64102

ClusterXL

Log shows that CCP encryption fails on each policy installation.

PRJ-23849,
PRHF-15781

SecureXL

In some non-VPN scenarios, MSS Adjustment (Clamping) does not work.

PRJ-22786,
PMTR-65162

SecureXL

In a rare scenario, Security Gateway may crash after running the "fwaccel tab -t connections" command.

PRJ-27226,
PRHF-17734

SecureXL

Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file.

PRJ-24542,
PMTR-67556

SecureXL

In a VSX environment, the SYN Defender configuration may not be applied correctly.

PRJ-25107,
PRHF-13183

SecureXL

SecureXL keeps forwarding packets in VSX bridge mode when the member is down. Refer to sk169495.

PRJ-25511,
PRHF-16656

SecureXL

In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode.

PRJ-26925,
PMTR-69753

Gaia OS

NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.

PRJ-26757,
PMTR-69435

Gaia OS

In some scenarios, the first packet of any protocol is dropped if there is no ARP cache entry in the ARP table for that destination. Refer to sk173933.

PRJ-26334,
PMTR-44510

Gaia OS

In some scenarios on VSX, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file.

PRJ-26329,
PMTR-69006

Gaia OS

When using routing separation, Clish configuration for the management plane may be missing.

PRJ-24494,
PRHF-16665

Gaia OS

In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827.

PRJ-24944,
PRHF-16967

Gaia OS

In some scenarios, Syslog debug messages are incorrectly printed as errors (ERR).

PRJ-25667,
PRHF-16999

Gaia OS

In some scenarios, the driver's (i40e) response time for MQ settings takes too long time.

PRJ-24597,
PRHF-16780

Gaia OS

When the RADIUS Server uses a multi-pool "Access Challenge", the system sends many authentication requests without waiting.

PRJ-25375,
PRHF-15535

Gaia OS

SNMP sysOID 1.3.6.1.2.1.1.2.0 does not return Check Point system information when queried from Maestro Orchestrator.

PRJ-26576,
SPC-2237

Routing

In some scenarios, BFM fails to create pseudo interfaces (ethX-XX).

PRJ-26792,
MBS-14077

Routing

When working from gclish and Audit Log is enabled, every command is logged twice - once with the real user and once with the admin.

PRJ-26526,
MBS-14049

Routing

When using proxy arp on IP address within the same subnet as the cluster IP, no GARP is sent upon failover.

PRJ-25996,
PMTR-69290

Routing

In some scenarios, the monitored IP option "force-if-symmetry" does not detect the asymmetric ping properly.

PRJ-25915,
ROUT-1502

Routing

Netflow packets are sent from the individual VS IP address instead of VS0.

PRJ-26970,
PMTR-66574

Routing

In some scenarios, the ROUTED process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time.

PRJ-26962,
PMTR-65589

Routing

The ROUTED process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected.

PRJ-25319,
PMTR-68232

Routing

In some scenarios, CPView displays incorrect values of RIP statistics.

PRJ-27060,
PRHF-17925

Routing

In some scenarios, the ROUTED process may unexpectedly exit when there is a static route and a kernel route to the same destination.

PRJ-24389,
MBS-12759

Routing

In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with the "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message.

PRJ-23484,
PMTR-65524

VoIP

In some scenarios, the "sip_increase_opq_rnum: Error - number of reinvites exceeded the limit" message that indicates the malfunction SIP flow is printed in SIP debug.

PRJ-23968,
PRHF-16338

VSX

UPDATE: Added ability to change the Management and Sync interfaces via vsx_util change_interfaces.

PRJ-19978,
PRHF-14371

VSX

In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793.

PRJ-26355,
PMTR-69561

VSX

In some scenarios, the priority list cannot be manually set via the "vsx_util vsls" command.

PRJ-26633,
PMTR-69220

VSX

A bridge on a regular VS (not VS in bridge mode) is not supported on a VSX cluster in Active/Active mode.

This fix blocks:

  1. Adding a bridge to a regular VS when the VSX is a cluster in Active/Active mode.
  2. Converting a VSX cluster to Active/Active mode when a regular VS with a bridge exists.

PRJ-26451,
PMTR-67687

VSX

In some scenarios, toggling between "Active up" mode and "Primary up" mode of a VSLS cluster with "vsx_util" is not reflected on the Gateway when using the "cphaprob stat" command.
This fix ensures that the change will always be reflected on the Gateway.

PRJ-26443,
PMTR-69836

VPN

In rare scenarios, a memory leak related to gateway authentication may occur.

PRJ-26246,
PMTR-69455

VPN

In some scenarios, the VPND process may unexpectedly exit when connecting with strongSwan client.

PRJ-26435,
PRHF-2715

VPN

In a rare scenario, a memory leak may occur when RASession_util is active.

PRJ-25986,
PMTR-65599

VPN

In rare scenarios, IKE negotiation fails when using IPv6 addresses.

PRJ-26434,
PMTR-69479

VPN

In a rare scenario, the IKED process unexpectedly exits with core dump when using Office Mode IP allocation for clients and users cannot connect.

PRJ-26205,
PMTR-68557

VPN

MEP failover with 3rd party vendors may not work correctly.

PRJ-26268,
PMTR-68840

VPN

In some scenarios in MEP configuration, failover to available MEP members may fail.

PRJ-26400,
PRHF-17622

VPN

Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235.

PRJ-24808,
PRHF-16698

VPN

Site to Site VPN connectivity issue when NAT is enabled.

PRJ-26789,
PMTR-69945

VPN

In some scenarios, an incorrect Host IP address is shown in SmartConsole log when a client is not authorized to log in.

PRJ-26624,
PRHF-17733

VPN

Added VPN stability improvement in IKEv2.

PRJ-22529,
PMTR-64500

VPN

When Multiple Factor Authentication is configured with DynamicID , VPN clients may receive four password prompts. Refer to sk144932.

PRJ-28152

VPN

In some scenarios, this policy warning is displayed on CMAs: "gen_implied_rule: fail to get rule template ('iked_ports_block_in/out' rule will not be generated)".

PRJ-25335,
VPNS2S-2335

VPN

In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug.

PRJ-25054,
PRHF-16121

VPN

In some scenarios, a user may not be able to connect because the VPND process unexpectedly exits.

PRJ-26342,
PMTR-69135

VPN

In some scenarios, Phase 2 NULL encryption in IKEv2 fails with "Received notification from peer: No proposal chosen" message in the log.

PRJ-26928,
PMTR-70367

VPN

In some scenarios, the VPND process unexpectedly exits after installing the policy.

PRJ-25134,
PMTR-68208

VPN

In some scenarios, the VPN Remote Access client cannot reconnect after changing the authentication method.

PRJ-26176

Harmony Endpoint

Harmony Endpoint Web Management Update - Compliance, Application Control, Firewall, and export package were added.

PRJ-26281,
PMTR-69675

Harmony Endpoint

In some scenarios, the "Pre-boot screen saver" in SmartEndpoint Common Client Settings Policy is not visible.

PRJ-27583,
EPS-33262

Harmony Endpoint

In some scenarios, the "Uninstall Client" push operation in SmartEndpoint cannot be initiated and fails with exception.

PRJ-27321,
PMTR-70852

Harmony Endpoint

In some scenarios, the EP URL Filtering policy may block websites under category 32 (political/legal) instead of category 31 (phishing).

PRJ-28655

Harmony Endpoint

In some scenarios, only partial info is shown in Anti-Malware updates dialog window in SmartEndpoint.

PRJ-25729,
PMTR-68887

QoS

A memory leak may occur when using Domain names in QoS policy rules. Refer to sk174904.

PRJ-26795,
PRHF-17668

CloudGuard Network

In some scenarios, CloudGuard Controller fails to fetch data from the standby ACI Server when the main ACI Server is unreachable.

PRJ-25373,
PRHF-17170

CloudGuard Network

CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways.

PRJ-26798,
PMTR-69072

CloudGuard Network

In some scenarios, CloudGuard Network Standby member cannot access the Internet. Refer to sk175108.

PRJ-21257,
MBS-10123

Scalable Platforms

NEW: Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.

Configuration in Gaia gClish:

  1. Run: g_all "vsx mstat enable"
  2. Run: g_all "reboot"
  3. Configure SNMP v3 in the VS mode as described in sk90860.

SNMP OIDs - Statistics from the specified Virtual System, statistics from each cluster member:

  • Number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.10.1.*

  • Physical memory - 1.3.6.1.4.1.2620.1.48.30.40.10.1.*

  • Packet rate - 1.3.6.1.4.1.2620.1.48.30.80.10.1.*

  • Throughput - 1.3.6.1.4.1.2620.1.48.30.90.10.1.*

  • Interface packet rate - 1.3.6.1.4.1.2620.1.48.30.100.10.1.*

  • Connection rate - 1.3.6.1.4.1.2620.1.48.30.120.10.1.*

  • Virtual memory - 1.3.6.1.4.1.2620.1.48.30.130.10.1.*

SNMP OIDs - Statistics from the specified Virtual System, total statistics from all cluster members:

  • Total number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.20

  • Total packet rate - 1.3.6.1.4.1.2620.1.48.30.80.20

  • Total throughput - 1.3.6.1.4.1.2620.1.48.30.90.20

  • Total connection rate - 1.3.6.1.4.1.2620.1.48.30.120.20

PRJ-26563,
PMTR-66250

Scalable Platforms

NEW: Added new parameters for SNMP traps sent from Security Group Members:

  • chkpnyTrapChassisId : shows the chassis ID of the sender SGM
  • chkpnyTrapBladeId : shows the Blade ID of the sender SGM

PRJ-23649,
MBS-13202

Scalable Platforms

UPDATE: Removed unsupported OIDs 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 from the chckpnt.mib file.

PRJ-25357,
MBS-13352

Scalable Platforms

UPDATE: Limited the /var/log/dist_mode.log file rotation size to 20MB to prevent exhaustion of disk space.

PRJ-22208,
PMTR-64637

Scalable Platforms

UPDATE: Added Member ID to connection and session log.

PRJ-21245,
MBS-10229

Scalable Platforms

UPDATE: Added the new column "asgResourceTitle" to the SNMP Table "asgResourceTable". The new column contains the Security Group Member ID and the resource name.

Format of the output: "Site <Site-ID> Member <Member-ID> <Resource-Name>"

Example output: "Site 2 Member 1 Memory Utilization"

The SNMP OID of the new column is: asgResourceTable.1.8 (.1.3.6.1.4.1.2620.1.48.23.1.8).

PRJ-22986,
PMTR-65813

Scalable Platforms

UPDATE: New OIDs are assigned for these appliances:

  • checkPoint61000 - .1.3.6.1.4.1.2620.1.6.123.1.3001
  • checkPoint64000 - .1.3.6.1.4.1.2620.1.6.123.1.3002
  • checkPoint41000 - .1.3.6.1.4.1.2620.1.6.123.1.3003
  • checkPoint44000 - .1.3.6.1.4.1.2620.1.6.123.1.3004

PRJ-25785,
MBS-13716

Scalable Platforms

"Failed to send event 8 SNMP request to chassis module" errors may appear in the messages log.

PRJ-25526,
MBS-11956

Scalable Platforms

"set user <username> password-hash" and "set user <username> force-password-change" Gaia gClish commands do not take effect on Security Group Members.

PRJ-25858,
MBS-8488

Scalable Platforms

In some scenarios, the fw_full core dump is randomly created on Quantum Scalable Chassis and Quantum Maestro appliances.

PRJ-25495,
MBS-11764

Scalable Platforms

In some scenarios, the asg diag test "IGMP consistency" (asg diag print 26) fails on Quantum Scalable Chassis and Quantum Maestro.

PRJ-25506,
MBS-11670

Scalable Platforms

fwaccel_dos_rate_on_install is not synced between SGM members.

PRJ-25377,
MBS-12356

Scalable Platforms

If the "Chassis HA mode" is configured as "VSLS", the SNMP query for the OID "asgChassisParamsMaxGrade" (.1.3.6.1.4.1.2620.1.48.28.4.1.4 and .1.3.6.1.4.1.2620.1.48.28.4.1.5) returns a wrong value.

  • With this fix: When the High Availability mode configured to VSLS, Chassis grade will return "N/A". Otherwise the real Chassis grade will be displayed to user.

PRJ-25376,
PMTR-65459

Scalable Platforms

The "asg_provision" command fails on hotfix inconsistency if ran outside of the global context (VS instead of VS0).

PRJ-25374,
MBS-12834

Scalable Platforms

The "asg_license_verifier -v" command that validates the licenses on SP cluster, may incorrectly fail with "Different licenses are installed across Blades" message.

PRJ-27324,
PMTR-70795

Scalable Platforms

The VSX gateway creation on Scalable Platforms via SmartConsole or VSX Provisioning tool fails with the "Failed to determine appliance type" error.

PRJ-27173,
MBS-14108

Scalable Platforms

The MIB file $CPDIR/lib/snmp/chkpnt.mib fails MIB validation tests in the SNMP tree OID .1.3.6.1.4.1.2620.1.48.0 (asg).

PRJ-26066,
MBS-13605

Scalable Platforms

Improved the memory usage calculation by the "asg perf" command.

PRJ-25671,
MBS-13627

Scalable Platforms

  • Output of the "asg perf -p" command shows that the "Throughput" is 0 in the "Firewall" column.
  • Output of the "asg perf -v" command shows the "Throughput" value is lower than expected (the F2F traffic is missing).

MBS-13627

Scalable Platforms

In some scenarios, SNMP Query for OID .1.3.6.1.4.1.2620.1.48.20.1.0 (asgThroughput) returns a value lower than expected (the F2F traffic is missing).

PRJ-25542,
MBS-11427

Scalable Platforms

The FWD process may unexpectedly exit when adding/deleting the "fw samp" rules.

PRJ-26038,
MBS-13989

Scalable Platforms

The "asg perf" command may display wrong values for "Throughput" and "Packet rate".

PRJ-25741,
MBS-11788

Scalable Platforms

Improved the memory / partitions size validity tests in the "asg resource" command.

PRJ-25777,
MBS-6708

Scalable Platforms

When interrupting the "asg_perf_hogs -v" command with the CTRL+C keys, the message on the screen shows "Operation was canceled/terminated by user" instead of "No issues were found".

PRJ-21329,
MBS-8558

Scalable Platforms

In rare scenarios, Switch distribution update in an early stage may trigger the FWK process to unexpectedly exit.

PRJ-21328,
MBS-9585

Scalable Platforms

In some scenarios, the output of the "asg_policy verify -a" command in the "Summary" section for the Security Group Member shows "Policy date is lower than max policy date".

PRJ-21323,
MBS-12525

Scalable Platforms

In some scenarios, SH zombies processes are created after a reboot or policy installation.

PRJ-22146,
PMTR-64499

Scalable Platforms

The "delete backup" gClish command deletes backups only on the local member and not on all Security Group members.

PRJ-21073,
PMTR-63442

Scalable Platforms

With this fix, sam_policy (samp) rules will be applied to new members added to the Security Group automatically.

PRJ-22982,
MBS-7805

Scalable Platforms

After adding a subordinate interface to a Bond interface, the output of the "asg diag" command shows that the "Distribution Mode" test failed because of an issue with the subordinate interface.

PRJ-21832,
MBS-13133

Scalable Platforms

SNMP query for OID 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 gives empty result. Refer to sk173423.

PRJ-21580,
MBS-8858

Scalable Platforms

Improved the Distribution Mode configuration for Bridge interfaces - each subordinate interface has a different Distribution Mode.

PRJ-20750,
MBS-10656

Scalable Platforms

In some scenarios, the "mq_mng -o -v" command fails with the "Error executing command" error message.

PRJ-25801,
MBS-6493

Scalable Platforms

The asymmetric traffic may fail if the "Synchronize connections if Synchronization is enabled on the cluster" checkbox in the "Cluster and synchronization" section of the corresponding service's properties is not selected.

PRJ-25745,
MBS-5608

Scalable Platforms

The command help (-h) misses the description of the -b parameter of the "asg_hard_start" command.

PRJ-25719,
MBS-6180

Scalable Platforms

Removed the "-amw" flag from the syntax of the "asg stat" command. Run the "asg stat -v" command to get the required information.

PRJ-22554,
PMTR-65496

Scalable Platforms

Setting multi-queue on backplane interfaces via "mq_mng -s manual" command fails with the "Error executing command" error.

PRJ-25344,
MBS-11411

Scalable Platforms

In some scenarios, the unclear message "Management loss failure" is displayed in the command line.

PRJ-25572,
MBS-8473

Scalable Platforms

Removed the "ccutil reset_parity_counter" command from the code.

PRJ-25576,
MBS-7630

Scalable Platforms

The output of the "asg stat vs" command in the "Virtual System Status" section shows "active chassis" in lowercase when a Virtual System is in freeze. Now the output shows "Active chassis" with a capital letter.

PRJ-25589,
MBS-11765

Scalable Platforms

Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell /bin/bash and the 'admin' role are configured.

PRJ-25463,
MBS-12375

Scalable Platforms

Gaia gClish command that take more than 60 seconds to execute fail with "CLINFR0739 error in command execution; see "/var/log/messages"". Refer to sk170301.

PRJ-23285,
PMTR-65791

Scalable Platforms

In some scenarios, the "RTNL: assertion failed" errors appear in /var/log/messages on Quantum Maestro/Quantum Scalable Chassis.

PRJ-23217,
MBS-9689

Scalable Platforms

In VSLS scenarios when the SMO is the ARP master, in ACTIVE-ACTIVE state the wrong VS may answer ARPs, causing "out-of-state" in TCP connections.

PRJ-28053,
PMTR-71372

Scalable Platforms

In some scenarios, the Maestro Gateway leaves the Security Group.

PRJ-22976,
MBS-9077

Scalable Platforms

Setting MTU on Management Aggregation (MAGG) interface may fail.

PRJ-28016,
PMTR-71262

Scalable Platforms

In some scenarios, bond interface subordinate fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00.

PRJ-26992,
ODU-123

HCP

Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-24089,
ODU-91

HCP

Added Update #2 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-26326,
CST-212

Carrier Security

The FWK process may unexpectedly exit producing a core dump when the GTP tunnel expires.

Take 36

Released on 19 July 2021 and declared as Recommended on 26 July 2021

PRJ-28539,
PMTR-71636

ClusterXL

During Multi-Version Cluster (MVC) upgrade with R81 Jumbo Hotfix Take 34, the "MVC WARNING uninitialized VPN table" message frequently appears in log. Refer to sk174445.

PRJ-28195

ClusterXL

In public cloud environments, CloudGuard Network High Availability/Cluster solutions may incorrectly detect Cluster status.

See the Important Notes section.

Take 34

Released on 27 June 2021

PRJ-25809

Security Management

NEW: Performance improvements for security policy and database installation when R81 Security Management manages R80.40 Gateways.

PRJ-20295,
PMTR-62823

Security Management

NEW: Added new API version (1.7.1). For more information, refer to the Management API Reference.

PRJ-23312,
ODU-89

Security Management

UPDATE: Added Update 9 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.

PRJ-23923,
PMTR-64482

Security Management

SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server.

PRJ-23774,
PMTR-66072

Security Management

"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation.

PRJ-23885,
PMTR-66708

Security Management

In some scenarios, when updating Check Point Host object to be a Network Policy Management and in addition configuring it as a Secondary Server, "Publish" fails with "Action Failed due to an internal error".

PRJ-23544,
PMTR-66182

Security Management

In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles.

PRJ-22442,
PRHF-15754

Security Management

Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003.

PRJ-24487,
PRHF-16631

Security Management

In very large Management environments, Policy verification and installation may fail with FWM process core dump. Refer to sk173722.

PRJ-24021,
PMTR-66953

Security Management

In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain Servers, some objects may not be visible in the System Domain.

PRJ-24617,
PRHF-16791

Security Management

In Domain High Availability, policy installation may fail if a Global Dynamic Network object defined and the active peer is the Security Management Server.

PRJ-23438,
PMTR-65646

Security Management

When configuring SNMP traps with thresholds_config utility on the Management Server, the settings may not be applied on the Security gateway upon policy installation.

PRJ-22076,
PRHF-15725

Security Management

In rare scenarios, the Management Server may fail to start because Solr fails to initialize.

PRJ-24520,
PMTR-67390

Security Management

When adding or updating star/meshed VPN community using the Management API and setting default values for ike-p2-use-pfs or ike-p2-pfs-dh-grp fields, the operation mail fail with the validation error.

PRJ-21400,
PRHF-15001

Security Management

In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828.

PRJ-23899,
PRHF-16297

Security Management

In some scenarios, the policy installation may fail after following sk55502. Refer to sk174646.

PRJ-22202,
PRHF-15250

Security Management

In some scenarios in Management High Availability environment, after restoring a Domain from backup, the Security Management Server appears as 'Unavailable' in SmartConsole.

PRJ-24612,
PMTR-63454

Security Management

Incorrect Mobile Access license status upon a license change.

PRJ-25032,
PMTR-68166

Security Management

The "add access-role" Management API may fail when it is configured with base-dn.

PRJ-25057,
PMTR-68197

Security Management

In some scenarios, the "set-simple-gateway name ..." and "set simple-cluster name ..." Management APIs may not reach the "SIC Communicating" state.

PRJ-22132,
PMTR-61861

Security Management

In a rare scenario, Management HA synchronization fails after the Purge Revisions operation.

PRJ-20811,
PMTR-62949

Security Management

On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704.

PRJ-22124,
PMTR-61785

Security Management

Running override_server_setting.sh may not update settings correctly when updating a setting multiple times.

PRJ-21705,
PRHF-12911

Security Management

In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently.

PRJ-22212,
PMTR-61168

Security Management

In rare scenarios, concurrent update operations performed by several administrators on the Management Server may fail.

PRJ-23931,
CPM-3316

Multi-Domain Management

NEW: Once a day, Multi-Domain Management Servers will check for peers that are not synchronized. If such are identified, HA full sync will be automatically initiated at the MDS level.

PRJ-23698,
PRHF-16119

Multi-Domain Management

Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain.

PRJ-22924,
PMTR-65145

Multi-Domain Management

When secondary Domain Management Server is in active state, sicRenew utility may fail with "Certificate cannot be renewed by the Internal CA. (Error no. -179)". Refer to sk172183.

PRJ-22633,
PMTR-62650

Multi-Domain Management

UPDATE: Improved the Domain Management Server and Domain Log Server creation and deletion operations.

PRJ-23160,
PMTR-64136

Multi-Domain Management

UPDATE: Added stabilization improvement for Assign and Reassign Global Policy operations.

PRJ-22523,
PMTR-65290

Multi-Domain Management

In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704.

PRJ-24760,
PRHF-16660

Multi-Domain Management

Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x.

PRJ-22139,
PMTR-64481

Multi-Domain Management

A Multi-Domain Server with dozens of Domains may take a long time to start.

PRJ-22784,
SL-5370

SmartConsole

UPDATE:

  1. When using Updatable Objects, Source and Destination fields in logs will display the icon from the matched Updatable Object.
  2. Improved the accuracy of flag icons when using Updatable Objects for Geo-IP restrictions.

Note:

  • Requires R81 SmartConsole Build 552 (or higher).

PRJ-22127,
PMTR-62338

SmartConsole

SmartConsole configures a default value for the IPv4 mask length of VIP interface each time a user opens the interface editor for cluster object configured in the Active-Active mode. As a result, the value configured by a user is overwritten with the default value each time the user opens the cluster object and clicks OK.
  • Requires R81 SmartConsole Build 552 (or higher).

PRJ-21908,
PMTR-61429

SmartConsole

Generating a Changes Report may fail when the changes include new LSM Profiles or Small Office Gateway objects.

PRJ-23605,
PMTR-66244

SmartConsole

In some scenarios, a SmartTask may fail to execute its action when it is triggered for a policy installation.

PRJ-22524,
PMTR-61526

SmartConsole

"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' Blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management Servers has the "Logging & Status" Blade disabled. Refer to sk172226.

PRJ-18888,
PRJ-18886

CPView

CPView shows "N/A" for speed values of some network cards.

PRJ-22974,
PRHF-11884

Compliance

Deactivated Compliance Best Practices appear in the Compliance report.

PRJ-21180,
PMTR-61750

Logging

NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated.

PRJ-18560,
PRHF-13614

Logging

In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999.

PRJ-23205,
PMTR-65244

Logging

In rare scenarios, when creating a Log Server object and establishing SIC, log queries from the newly created Log Server object may fail.

PRJ-23068,
PMTR-62454

Logging

When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763.

PRJ-22967,
PMTR-64536

Logging

In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention Blades, logs of "Anti Spam" Blade are not exported.

PRJ-23416,
PMTR-60082

Logging

In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results).

PRJ-20621,
PRHF-14608

Logging

In SmartView, when filtering with specific time filters, the result may include more logs than was requested.

PRJ-22186,
PMTR-58496

Logging

In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one.

PRJ-22250,
PMTR-65133

Logging

In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles".

PRJ-23010,
PRHF-15886

Logging

In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis.

PRJ-23283,
PMTR-65335

Security Gateway

NEW: Added the "Top Connections" tool. For more information, refer to sk172229.

PRJ-21903,
PMTR-64675

Security Gateway

NEW: Added new troubleshooting tool to cplic command for Entitlement manager.

PRJ-19592,
PRHF-9582

Security Gateway

NEW: Added support for authentication with a RADIUS Server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3.

PRJ-20961,
PMTR-61684

Security Gateway

NEW: In a Management Data Plane Separation (MDPS) environment, each plane has its own configuration.

Run these commands in each plane:

  • save configuration <Name of Script>
  • load configuration <Name of Script>

PRJ-19989,
PMTR-59944

Security Gateway

NEW: Added support for Drop templates optimization on accelerated policy installation.

PRJ-23382,
PMTR-66195

Security Gateway

NEW: Implemented new Fast-Accel producer.

The following Fast-Accel statistics are added to CPView:

  • Status: current status of Fast-Accel feature (enabled/disabled).
  • Configured rules: number of rules were added by the user. These rules determines whether a connection should be accelerated or not.
  • Accelerated connections amount: number of accelerated connections.
  • Total connections amount: total connections opened in PPAK.
  • Accelerated connections percentage: percentage of accelerated connections as part of the overall traffic.
  • Services distribution: number of times each service was used by the accelerated connections.

PRJ-17932,
PRHF-8504

Security Gateway

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.

PRJ-22261,
PMTR-64681

Security Gateway

UPDATE: Added $CPDIR/log/sic_info.elg log file to show detailed SIC errors.

PRJ-22988

Security Gateway

UPDATE: Added support for DPL for non-FQDN Objects on Cluster Load Sharing environments.

PRJ-22654,
PRHF-14534

Security Gateway

UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607.

PRJ-23079,
PMTR-65799

Security Gateway

Enhancement: Early drop optimization will work even if the UserCheck is not relevant for this connection.

PRJ-20570,
MBS-12769

Security Gateway

In some scenarios, the "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file.

PRJ-25905,
PMTR-69241

Security Gateway

In a rare scenario, machine hangs and user is unable to run any command. Refer to sk173405.

PRJ-24731,
PRHF-16851

Security Gateway

On rare scenarios, running "fw1 + misp" debug on cluster may cause Security Gateway to crash.

PRJ-24378,
SMB-10515

Security Gateway

A memory leak in a DNS resolving infrastructure may occur.

PRJ-20983,
PRHF-14104

Security Gateway

In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server.

PRJ-19359,
PRHF-14127

Security Gateway

In a rare scenario, the FWK process may unexpectedly exit while passing TLS traffic, resulting in a cluster failover.

PRJ-21473,
PRHF-14963

Security Gateway

When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.

PRJ-21056,
PRHF-15024

Security Gateway

In a rare scenario, Fast Accel logs are sent although they are disabled on the matched rule. Refer to sk171336.

PRJ-21012,
PRHF-15031

Security Gateway

In a rare scenario, Security gateway may crash when using non-FQDN domains in Access policy.

PRJ-23393,
PRHF-15802

Security Gateway

Added support for "Other" services configured with IP protocol, but without advanced "Match" expression.

PRJ-23342,
PRHF-16111

Security Gateway

Boot may take a long time on machines with many VLANs or secondary IP addresses.

PRJ-21837,
PMTR-63900

Security Gateway

The "up_fw_module_load_commit: failed to load" error may be displayed in dmesg during cpstart or policy installation.

PRJ-24300,
PMTR-67184

Security Gateway

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

PRJ-24275,
PMTR-63867

Security Gateway

Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754.

PRJ-22874,
PRHF-15786

Security Gateway

In some scenarios, policy installation fails with "Error code 0-2000077" message.

PRJ-22839,
PMTR-64303

Security Gateway

In a rare scenario, policy installation may fail with the "problem with the Commit Function" message.

PRJ-22943,
PMTR-65733

Security Gateway

In rare scenarios, policy installation fails with "gen_other_service_inspect_func: failed to find corresponding service object for <service name>" error message.

PRJ-22931,
PRHF-13912

Security Gateway

When using "User Alert 3" in the code alert, cosmetic error "FW-1: fwdrv_get_string_id_from_code: illegal parameters for code 8" appears in the /var/log/messages file.

PRJ-22456,
PMTR-64448

Security Gateway

In a rare scenario, the Security gateway may crash with fwk and fwk_wd core dump files.

PRJ-23102,
PRHF-13417

Security Gateway

The connection may not exist in the SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allow out of state TCP packets.

PRJ-22374,
PRHF-15705

Security Gateway

In some scenarios, the Security Gateway attempts to access the Management Server through the server's NAT IP address (defined in the "NAT" section of the server object), while the server is reachable only through the main IP address (defined in the "General Properties" section of the server object).

Refer to sk171665 to configure the required parameter SKIP_NATTED_IP.

PRJ-23042,
PMTR-65729

Security Gateway

In a rare scenario, Security Gateway may crash during the Application Control / IPS / Anti-Bot package update.

PRJ-23949,
PMTR-66474

Security Gateway

In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode.

PRJ-24294,
PMTR-67231

Security Gateway

In a rare scenario, Security Gateway may crash during policy installation.

PRJ-24414,
PRHF-16452

Security Gateway

In a rare scenario, Security Gateway may crash under heavy load during cluster failover.

PRJ-23900,
PMTR-65612

Security Gateway

In a rare scenario, the Security Gateway may crash when GRE or VXLAN interfaces are configured.

PRJ-21451,
PRHF-14785

Security Gateway

RSA integration using SAML (Security Assertion Markup Language) protocol may not work as expected. Refer to sk171501.

PRJ-25304,
PMTR-68439

Security Gateway

When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.

PRJ-22740,
PRHF-15578

Security Gateway

When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may stuck.

PRJ-25594,
PRHF-12228

Security Gateway

In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together.

PRJ-23428,
PMTR-65909

Security Gateway

The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145.

PRJ-24466,
PRHF-15688

Security Gateway

In a rare scenario, Security Gateway may crash when handling some DNS packets.

PRJ-19413,
PMTR-60877

Security Gateway

The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled.

PRJ-23518,
PMTR-20344

Application Control

In some scenarios, the fw_full (fwd daemon) unexpectedly exits producing a core dump file and causing a cluster failover.

PRJ-21772,
PMTR-58795

Application Control

A failure log may be generated when inspecting connections to servers with certificates without a common name (CN) field.

PRJ-24479,
PMTR-67931

Threat Extraction,
Threat Emulation

In some scenarios, License errors for Threat Emulation and Threat Extraction Blades are displayed for NGTP customers that use Autonomous Threat Prevention.

PRJ-24924,
PMTR-61787

Threat Prevention

UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300.

PRJ-21883,
PRHF-15174

Threat Prevention

Policy installation fails if it contains objects with "://" text.

PRJ-23571,
PRHF-15500

Threat Prevention

Security Gateway may crash when transferring the HTTP multipart traffic if the Anti-Virus Deep Scanning, Threat Extraction, or Threat Emulation is enabled.

PRJ-19558,
PMTR-61333

Threat Prevention

In some scenarios, "cpssh_trans_endpoint_handle_session_travers_timeout: INTERNAL ERROR" errors are displayed in the fwk.elg file when inspecting SSH traffic.

PRJ-20485,
PMTR-61702

Threat Prevention

In rare scenarios, Security Gateway may crash when working with SSH.

PRJ-20814,
PMTR-61640

Threat Prevention

Large file download with SFTP may fail when the connection is inspected.

PRJ-21279,
PMTR-60297

Threat Prevention

Removed the "beta" label from SSH DPI's SSH server identification string.

PRJ-23037,
PMTR-65728

Threat Prevention

In rare scenarios, Security Gateway may crash if event app debug flag is enabled.

PRJ-24193,
TPE-453

Threat Prevention

In rare scenarios, the Threat Prevention policy is not enforced after a reboot of the Security Gateway.

PRJ-21656,
PMTR-63310

SSL Inspection

UPDATE: Avoid sending the TLS probe during the inbound inspection when a rule is matched according to the IP address.

PRJ-20486,
PMTR-62467

SSL Inspection

Memory leak may occur during policy installation.

PRJ-19857,
PMTR-61029

SSL Inspection

TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated.

PRJ-24421,
PMTR-66343

SSL Inspection

Improved performance of the TLS handshake when TLS 1.3 support is enabled.

PRJ-19765,
PMTR-62211

SSL Inspection

In rare scenarios in mixed IPv4/IPv6 environments, some connections may fail.

PRJ-22428,
PMTR-64992

SSL Inspection

In some scenarios, the "Parallel TLS Sessions" and "Cache entries" CPView statistics for SSL Inspection are incorrect.

PRJ-23398,
PMTR-66181

SSL Inspection

In rare scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

PRJ-23442,
PMTR-65718

SSL Inspection

In some scenarios, memory leaks may occur after policy installation.

PRJ-20237,
PMTR-59665

SSL Inspection

In a rare scenario, some errors in requests to the Security Gateway are ignored and can cause the connections to remain open instead of being closed.

PRJ-25055,
PRHF-14178

SSL Inspection

In some scenarios, when HTTPS Inspection is enabled, overall memory consumption may gradually increase. Refer to sk171280.

PRJ-21028,
PMTR-63319

Anti-Malware

Improved the way Threat Prevention distinguishes between .docx, .pptx, .xlsx and .zip files.

PRJ-24782,
PRHF-16849

Anti-Malware

In a rare scenario, the Security gateway may crash with the "Problem with the Commit Function" error during policy installation. Refer to sk173248.

PRJ-23037,
PMTR-65728

Anti-Malware

In rare scenarios, Security Gateway may crash if event app debug is enabled.

PRJ-21458,
PRHF-14980

Identity Awareness

In some scenarios, the VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*).

PRJ-22360,
IDA-3759

Identity Awareness

In some scenarios, output of "pdp conn pep" command may show incorrect PEP names.

PRJ-20460,
PMTR-52079

IPS

UPDATE: Exceptions are now enforced for these IPS protections:

  • ASCII Request Response
  • ASCII Response Response
  • HTTP Header Patterns
  • HTTP URL Patterns
  • CIFS File Patterns

Refer to sk166222.

PRJ-23191,
PRHF-15832

IPS

In rare scenarios, the Security gateway may crash.

PRJ-22514,
PMTR-65461

IPS

Proxy source IP address is not printed in the IPS logs.

PRJ-22405,
IPS-352

IPS

In some scenarios, the DNS response message with record type 0 may be dropped by "Non compliant DNS" protection.

PRJ-20714,
PRHF-13454

IPS

In rare scenarios, policy installation fails due to duplicate id in IPS Snort protections.

PRJ-22398,
PRHF-15404

IPS

The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS Blade is disabled. Refer to sk172903.

PRJ-24254,
PMTR-66115

Anti-Virus

UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types.

PRJ-23929,
PMTR-66261

Anti-Bot

UPDATE: Anti-Bot URL cache was enhanced to support further requests.

PRJ-23982,
PRHF-16392

UserCheck

Sensitive file push.js may be visible on the Security gateway.

PRJ-21297,
PMTR-63495

URL Filtering

UPDATE: Improved RAD event output to provide additional information on events, such as detailed timing. This update also activates the retry mechanism by default.

PRJ-22333,
PMTR-21454

Mobile Access

In some scenarios, the VPND process unexpectedly exits in SNX Application Mode.

PRJ-23093,
PRHF-12121

Mobile Access

In some scenarios, the FWK process unexpectedly exits due to SNX authorization timeout in MAB's Unified Policy mode. Refer to sk173125.

PRJ-23654,
PMTR-60065

Mobile Access

Remote Access session may not be synced on the standby member VS.

PRJ-21644,
PMTR-60226

Mobile Access

Mobile Access may overwrite the /etc/hosts file on Security Gateway.

PRJ-21700,
PMTR-64360

ClusterXL

UPDATE: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces.

PRJ-26458,
PRHF-13428

ClusterXL

UPDATE: Added clusterXLFailover to the database to have the ability to set SNMP traps to monitor cluster failovers. Refer to sk173810.

PRJ-19515,
PRHF-14206

ClusterXL

In some scenarios, the required interface value is higher than it should be when adding a VLAN interface.

PRJ-22151,
PMTR-63571

ClusterXL

During active-active-bridge mode, the "show routed cluster-state" command may display some members as subordinate instead of master.

PRJ-21350,
CLUS-1804

ClusterXL

In some scenarios, a large quantity of logs is generated on cluster VIP API.

PRJ-21974,
PMTR-64480

ClusterXL

In some scenarios, when using IPv6 link-local VIP and dynamic routing protocols, failovers can cause a temporary outage.

PRJ-25943,
CLUS-1804

ClusterXL

In some scenarios, the user cannot run any dynamic routing or install any static routes, including the default route.

PRJ-24146,
PMTR-67140

SecureXL

UPDATE: Firewall debug drop template message now indicates the rule ID the template was created from.

PRJ-18063,
PMTR-60766

SecureXL

UPDATE: Changed the "accept out of state" global parameter usage and added support to change it for specific VS. Refer to sk147093.

PRJ-24653,
PMTR-67738

SecureXL

In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file.

PRJ-23461,
PRHF-16084

SecureXL

A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns".

PRJ-19373,
PRHF-14133

SecureXL

Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries.

PRJ-20434,
PMTR-58524

SecureXL

In some scenarios, DOS/Rate Limiting rules that do not work as expected may be created.

PRJ-22169,
PRHF-15607

SecureXL

Rate limiting rules using concurrent-connection counters may cause connections to be blocked.

PRJ-22917,
PRHF-15478

SecureXL

Improved the Smart Connection Reuse feature to be consistent with the user configuration. Refer to sk24960.

PRJ-22437,
PRHF-15755

SecureXL

In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections.

PRJ-22290,
PMTR-62849

SecureXL

TCP reset packets may be dropped with an invalid sequence.

PRJ-24478,
PRHF-16658

Routing

UPDATE: Allow "set bgp internal peer <value> send-route-refresh" commands.

PRJ-23146,
PRHF-16038

Routing

UPDATE: Added "$" to the list of allowed characters for BGP MD5 authentication passwords in in WebUI and CLI.

PRJ-23501,
PRJ-23499

Routing

UPDATE: Added support for PBR with VTI/VPN interfaces.

PRJ-24499,
PMTR-66844

Routing

In some scenarios, after member failover, some traffic may be lost.

PRJ-23742,
PMTR-62549

Routing

After restarting OSPF with the "restart ospf instance default" command, OSPF may not redistribute routes until making a configuration change.

PRJ-24404

Routing

VRRP member freezes when deleting a VLAN interface. Refer to sk106226.

PRJ-24717,
PRHF-16801

Routing

In OSPF environment, the routed process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss.

PRJ-25042,
PRHF-16981

Routing

In a rare scenario, the ROUTED process unexpectedly exits when creating an MFC (S,G) entry. Refer to sk176685.

PRJ-22386,
MBS-9798

Routing

In some scenarios, Fragmented traffic is dropped when using L4 Distribution. Refer to sk167198.

-

VPN

Hardened the ability to use narrowed IKEv2 tunnels. For more information, refer to sk166417.

PRJ-23843,
PMTR-66754

VPN

UPDATE: Option 3 of the "vpn tu" command shows now the realm name and if the authentication was performed with the server certificate.

PRJ-24813,
VPNS2S-2313

VPN

UPDATE: Added VPN improvements in IKEv2:

  • Added support for IKEv2 authentication when using multiple certificates.
  • Added support for "Matching info" authentication.

PRJ-24915,
VPNS2S-2235

VPN

UPDATE:

  • Improved Site to Site VPN stability when it is configured with NAT.

  • Enabled the global parameter "offer_nat_t_initator" by default. Refer to sk32664.

PRJ-21904,
PMTR-63196

VPN

Added major VPN enhancements for Scalable Platforms. Refer to sk174228.

PMTR-63196

VPN

Added Improvements for VPND resiliency (disabled by default in this release).

VPNS2S-2313

VPN

"Invalid ID information" message may be displayed when peer is 3rd party and Link selection is overridden.

VPNS2S-2313

VPN

IKEv2 may cause the VPND process to exit unexpectedly when IKEv2 rekey uses certificates.

VPNS2S-2313

VPN

  • Stability improvement of IKEv2 rekey when using Pre-shared-key
  • Stability improvement of cluster synchronization mechanism

PRJ-24255,
PRHF-15984

VPN

In some scenarios, the TTM (Transform Template) file is not loaded when there are no TTM groups for the user.

PRJ-26350,
PMTR-69744

VPN

If SSL Inspection or other Blades that use the CPAS infrastructure is enabled, a call trace warning is displayed in dmesg when the cpstop command is issued.

PRJ-22416,
PRHF-12576

VPN

Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.

PRJ-25490,
PMTR-68687

VPN

In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266.

PRJ-24889,
PMTR-63753

VPN

In some scenarios, the "Global param: operation failed: Unknown parameter (param name vpn_cluster_on_aws)" cosmetic error may appear in dmesg.

PRJ-23304,
PMTR-66146

VPN

In rare scenarios, the VPND process may unexpectedly exit in an L2TP-related flow.

PRJ-23975,
PMTR-65986

VPN

In some scenarios, the IKED process unexpectedly exits producing a core dump.

PRJ-23986,
PMTR-66902

VPN

In some scenarios, the he VPND process may unexpectedly exit producing a core dump.

PRJ-21944,
PRHF-15509

VPN

In some scenarios, VPN Remote Access users are disconnected after policy installation. Refer to sk171966.

PRJ-24573,
PRHF-9691

VPN

Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type.

PRJ-22414,
PMTR-60014

VPN

In some scenarios, L2TP tunnel is not deleted completely upon disconnection.

PRJ-22544,
PRHF-14102

VPN

Added stability fix in validation checks for ECDSA certificates.

PRJ-22285,
PRHF-14819

VPN

When the Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not be removed from the table.

PRJ-23826

Gaia OS

NEW: Adding support for Smart-1 600-S/M appliances. Refer to sk171903.

PRJ-21432,
PRJ-21424

Gaia OS

NEW: Added support for hardware (sensors/NICs) data auto-update.

PRJ-22843,
PMTR-55383

Gaia OS

UPDATE: Added the option to bind IP addresses to sockets using the udp_connect API. Refer to sk171019.

PRJ-26746,
PMTR-70210

Gaia OS

The raid_diagnostic command fails on Smart-1 3050/3150/5050/5150 appliances. Refer to sk173788.

PRJ-24606,
PMTR-67624

Gaia OS

Updated the OpenSSL version in the RPM database.

PRJ-24134,
PRJ-23252

Gaia OS

Added timestamp, hostname and syslog version control to syslog messages. Refer to sk100727.

PRJ-22877,
PRHF-15925

Gaia OS

In rare scenarios, Clish unexpectedly exits when configuring the ip-conflicts-monitor on more than 4 interfaces simultaneously.

PRJ-21920,
PRJ-17304

Gaia OS

Unable to set MTU on Igb cards.

PRJ-23615,
PRHF-16252

Gaia OS

In rare scenarios, there is a difference between the value of "Packets" in the output of "ifconfig <interface name>" and "show interface <interface name> statistics" commands.

PRJ-23586,
MBS-9917

Gaia OS

In some scenarios, Bond interface's subordinates stop sending LACP Traffic after reboot. Refer to sk169977.

PRJ-22794,
PRHF-15900

Gaia OS

In rare scenarios, "show asset network" command may lead to memory leak. Refer to sk174823.

PRJ-22923,
PMTR-62465

Gaia OS

The "kernel: [SIM4];resume_from_error: failed to get ci_or_corr" error message may be printed numerous times in /var/log/messages file while running UDP Traffic Load. Refer to sk172543.

PRJ-23330,
PRHF-16081

Gaia OS

The "snmptable" command may fail to fetch data via SNMP producing core dump. Refer to sk172824.

PRJ-23422,
PMTR-65206

Gaia OS

The administrator cannot force a password change to users with UID 0.

PRJ-23491,
PMTR-64696

Gaia OS

When bond/bridge interfaces configured with IP conflicts monitoring are deleted, they still appear under the configuration of ip-conflicts-monitor.

PRJ-24174,
PRHF-16489

Gaia OS

In rare scenarios, the Security Gateway may crash during tcpdump. Refer to sk141412.

PRJ-22216,
PRHF-15159

Gaia OS

"show configuration on" may not expose bond' members.

PRJ-23829,
PRHF-16241

VSX

In rare scenarios, the Wrp interface may not come up. Refer to sk171753.

PRJ-24383,
PRHF-16604

VSX

In rare scenarios, when the VSX cluster experiences an outage, the FWK process generates a core dump file.

PRJ-27489

VSX

In rare scenarios after Jumbo Hotfix installation, the Security Gateway may crash and a file system becomes corrupted. Refer to sk174191.

See the Important Notes section.

PRJ-21717,
PMTR-64430

CloudGuard Azure

Improved performance consistency (with Multi-Queue) after the Microsoft Azure Maintenance event.

PRJ-20396,
PMTR-60449

CloudGuard Network

In some scenarios, failover to another APIC server fails.

PRJ-23380,
PRHF-13883

CloudGuard Network

The SNMP response may show incomplete values.

PRJ-23122,
PMTR-60974

Endpoint Security

NEW: Added an option to configure email alert for Endpoint High Availability synchronization issues.

  • Requires R81 SmartConsole Build 552 (or higher).

PRJ-22511,
PMTR-65440

Endpoint Security

In rare scenarios, the Endpoint server fails to start after uninstalling Jumbo Hotfix.

PRJ-24340,
PMTR-65923

Endpoint Security

In some scenarios, device duplications appear in SmartEndpoint.

PRJ-24279,
PMTR-66083

Endpoint Security

In some scenarios, the "Included Blades" tab in the SmartEndpoint Package repository for Dynamic Package is empty.

PRJ-23055,
PRHF-15942

Endpoint Security

In some scenarios, Compliance status shows "Status information is missing" in SmartEndpoint for all computers although the Blade is installed and running.

PRJ-25251,
PMTR-68435

Endpoint Security

In some scenarios, the Policy server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates.

PRJ-23133

IoT

NEW: Added new features:

  1. Custom tags support - Any custom tag can be now used within a policy.

    • Add it to the $VSECDIR/conf/IotTags.conf configuration file
    • Run vsec off; vsec on
  2. Zone tag - The "Zone" tag is now considered as a built-in tag.

PRJ-25721

IoT

UPDATE: If the recommended-policy includes some illegal rules, an IoT layer will be created with the legal rules only and the user will be notified with a warning about the illegal ones.

PRJ-20922,
PRHF-14900

QoS

Security gateway may crash in QoS flow when interface goes down and up during packet processing.

PRJ-22800,
ODU-81

HCP

Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436.

Take 29

Released on 24 May 2021 and declared as Recommended on 29 Jun 2021

PRJ-26320,
PMTR-66768

Logging

After installing R81 Jumbo Hotfix Take 25 or higher, when running a Logs Query after 12:00 pm, all logs of the first half of the day are not shown in the Logs View.

This issue occurs only on the same day of Jumbo Hotfix installation and is cosmetic only (all logs are indexed correctly).

PRJ-25524

Security Gateway

In some scenarios, "dst_release: dst:ffff88052d4c68c0 refcnt:-480" messages may be printed in dmesg regarding HTTPS traffic when SSL Inspection Blade is enabled.

Take 27

Released on 26 April 2021

PRJ-24974,
PRHF-16965

Security Management

In environments that use Data Type Group objects, the Management server may fail to start after installing Jumbo Hotfix Take 23.

See the Important Notes section.

PRJ-24913,
PMTR-67937

Security Management

"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026.

Take 25

Released on 08 April 2021

PRJ-21007,
PRHF-14969

Security Management

NEW: Improved FWM process performance during Security policy or database installation.

PRJ-22314,
PRJ-22315

Security Management

NEW: Performance improvement of Management High Availability Full Sync.

PRJ-18428,
PMTR-61041

Security Management

UPDATE: In High Availability environment, Assign and Reassign Global Policy actions are not supported for a Domain if the active Domain Server for this Domain is a Security Management device. The assignment will be performed after change-over to the primary Domain Server.

PRJ-21873,
ODU-82

Security Management

UPDATE: Added Update 8 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.

PRJ-21239,
PMTR-62918

Security Management

In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large.

PRJ-23500,
PMTR-66213

Security Management

In some scenarios, verification errors regarding conflict of rules may be missing if the policy installation is accelerated and the target is a cluster.

PRJ-20805,
PRHF-14691

Security Management

In some scenarios, delete partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains.

PRJ-21704,
PMTR-64423

Security Management

In large environments with High Availability, synchronization and upgrade may fail due to very large database size.

PRJ-22519,
PMTR-64104

Security Management

Policy Installation may fail with "Error code: 0-2-2000245" message when using IPv6.

PRJ-20128,
PMTR-62503

Security Management

Data Center objects defined in NAT and HTTPS Inspection rulebases may not be enforced correctly after policy installation that was accelerated.

PRJ-21417,
PRJ-20995

Security Management

In rare scenarios, the initiation of the Management server may take a long time.

PRJ-20305,
PRHF-14634

Security Management

In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error.

PRJ-21360,
PRHF-14606

Security Management

In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole.

PRJ-17790,
PRHF-13382

Security Management

In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT.

PRJ-20888,
PRHF-14946

Security Management

In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.

PRJ-21587,
PRHF-15222

Security Management

In rare cases, the CPM Solr process may not be stopped when running cpstop or mdsstop.

PRJ-20766,
PRHF-14399

Security Management

High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches.

PRJ-21185,
PMTR-63358

Security Management

In rare scenarios, logout from a session fails with "An internal error has occurred" message.

PRJ-19720,
PMTR-62272

Multi-Domain Management

The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.

  • A Domain manager running the API will be notified when the results will be filtered and will be asked to run the command again with the "ignore-warnings" flag

PRJ-21913,
PMTR-64572

Multi-Domain Management

In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup.

PRJ-21081,
SMCUPG-1625

Multi-Domain Management

In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.

PRJ-21344,
PRJ-16910

Multi-Domain Management

When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work.

PRJ-20952,
PMTR-62383

SmartConsole

After a network interface is removed by cluster API, a network group assigned to that interface remains as used by cluster members and cannot be deleted.

PRJ-21627,
PMTR-55104

SmartConsole

In Multi-Domain environment with High Availability using Security Management Server, if the Security Management is the active peer for a Domain assigned to the Global Domain, the Policy Package creation may fail.

PRJ-20241,
PRHF-14533

SmartConsole

When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found".

PRJ-19932,
PRHF-14278

SmartConsole

In rare scenarios, the "Show Policy Package" tool and some Management API commands with "details-level full" may fail when UTM cluster is part of the policy targets.

PRJ-20316,
PRHF-14637

SmartConsole

In some scenarios, the "show gateways-and-servers" Management API command fails when running it with "details-level full" and when connected to the Global Domain. Refer to sk170895.

PRJ-19142,
PRHF-14010

SmartConsole

In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325.

PRJ-18923,
PRHF-13879

SmartConsole

In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435.

PRJ-21160,
PMTR-63555

SmartConsole

If there is an HTTPS Inspection layer that is not used in the policy, policy installation may fail with the "Internal error" message.

PRJ-21624,
PRHF-15156

SmartConsole

In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905.

PRJ-21390,
PMTR-63149

SmartConsole

Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.).

PRJ-22223,
PMTR-32568

SmartConsole

In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker.

PRJ-22050,
PMTR-62337

SmartConsole

In some scenarios, the Hit count information in the Access Policy rulebase is not shown correctly.

PRJ-20776,
PRHF-13197

Compliance

In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed.

PRJ-19303,
PRHF-11595

Compliance

Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices.

PRJ-22825,
PRHF-15936

Logging

NEW: Log Server now supports up to 4 billion logs per day in Index mode (previously it stopped indexing with a limit of 2 billion logs).

PRJ-21380,
PMTR-63927

Logging

In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly exit.

PRJ-19011,
PRHF-13936

Logging

In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196.

PRJ-24068,
PMTR-66159

Logging

In Smart-1 6000-L and 6000-XL, drill down to a log card from the Logs view does not bring results.

PRJ-20587,
VPNRA-642

Mobile Access

Removed potential XSS vulnerability in the MAB Login page.

PRJ-21112,
PRHF-14953

Security Gateway

Authentication may fail when LDAP branch name contains "\".

PRJ-18980,
PRHF-13153

Security Gateway

In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293.

PRJ-19801,
PMTR-60336

Security Gateway

Improved the policy enforcement of the ZIP archive inner files.

PRJ-21613,
PRHF-14715

Security Gateway

Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold".

PRJ-20341,
PRHF-14616

Security Gateway

In rare scenarios, passive FTP packets may be dropped.

PRJ-21200,
PMTR-63550

Security Gateway

The VMCore file may be created during reboot after the upgrade procedure.

PRJ-22082,
PMTR-64650

Internal CA

In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process unexpectedly exits when trying to renew a certificate on a standby Domain.

PRJ-21727,
PMTR-64420

Content Awareness

In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow.

PRJ-20848,
PRHF-14347

Identity Awareness

In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.

PRJ-22016,
IDA-3194

Identity Awareness

Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH).

PRJ-20349,
PRHF-14266

IPS

In rare scenario, the SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally.

PRJ-17883,
PMTR-59113

Anti-Virus

UPDATE: Improved Anti-Virus buffer allocation to reduce stack size.

PRJ-20839,
PRHF-14744

DLP

Improved DLP scanning for POST request to some Web sites.

PRJ-21711,
PMTR-64263,
PRJ-21991,
PMTR-64780

SSL Inspection

In rare scenarios, a memory leak may occur in a crypto module.

PRJ-20977,
PRHF-14820

Anti-Malware

In rare scenarios, the Threat Prevention policy installation fails due to IoC parsing errors. Refer to sk171316.

PRJ-18958,
PRHF-13881

ClusterXL

When MDPS is configured, the output of "cphaprob syncstat" may show unreadable characters for the speed of the sync interface.

PRJ-19665,
PRHF-13929

SecureXL

In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.

PRJ-20547,
PRHF-14680

SecureXL

Security Gateway may crash when there are interfaces that do not need the ARP resolution (VTI).

PRJ-18663

Routing

UPDATE: Added support for Check Point Active Streaming (CPAS), Policy-Based Routing (PBR), and Application-Based Routing (ABR) on the Security Gateway. Refer to sk167135.

PRJ-22489

Gaia OS

NEW: Added support for Smart-1 6000-L/XL appliances. Refer to sk171903.

PRJ-23358,
PMTR-65962,
PRJ-24397,
PMTR-67460

Gaia OS

UPDATE: Upgraded OpenSSL to 1.1.1k to fix CVE-2021-3449 and add the latest security improvements. Refer to sk172983.

PRJ-20733,
PMTR-63201

Gaia OS

CVE-2020-25705: ICMP reply rate.

PRJ-21721

Gaia OS

The "show configuration" command cannot print Gaia user with spaces in name.

PRJ-21827,
PRHF-12751

Gaia OS

In some scenarios, the "rhost" value may be missing from logs when the user tries to access the WebUI.

PRJ-18852,
PRHF-13802

Gaia OS

In some scenarios, the "show arp dynamic all" command displays values of VS0 instead of VS.

PRJ-20286,
PRHF-13475

Gaia OS

Messages log level in /var/log/messages file for ERR level was changed to INFO level when fetching proxy configuration from Clish/WebUI/Gaia API.
Example: [DATE TIME] <daemon.err> ... xpand[25958]: proxy_live_get_proc: Started...

PRJ-19975,
PMTR-62104

Gaia OS

In some scenarios, bond interface bandwidth monitored via SNMP is missing.

PRJ-17684,
PMTR-60173

Gaia OS

When upgrading with enabled Management Data Plane Separation (MDPS), an additional reboot may be required.

PRJ-18941,
PRHF-13812

Gaia OS

In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file.

PRJ-21667,
PRHF-15328

Gaia OS

In some scenarios, policy installation on a Check Point Gateway in Azure causes the Gateway to crash and load a default policy. Refer to sk171553.

PRJ-21261,
VSX-2520

VSX

Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool.

PRJ-20965,
VSX-2519

VSX

After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352.

PRJ-13302,
PMTR-63247

VPN

NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity.

PRJ-17616,
PMTR-57245

VPN

UPDATE: Added:

  • VPN Remote Access StrongSwan IKEv2 client logs.
  • Key install logs with StrongSwan IKEv2 client improvement to show the correct authentication method.
  • RAsession_util with StrongSwan IKEv2 client improvement.

PRJ-19217,
PRHF-13685

VPN

Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.

PRJ-21544,
PMTR-64128

VPN

Added VPN Remote Access stability improvement.

PRJ-22219,
PRHF-15006

VPN

When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550.

PRJ-19905,
PRHF-14090

VPN

Mobile Access SNX may fail to connect to the Security gateway when the realm used by the client is different for the SSL VPN realm.

PRJ-21235,
EPS-30018

Endpoint Security

NEW: Added Application Control and Developer Protection support in Endpoint Web Management.

PRJ-21750,
PMTR-60418

Endpoint Security

On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list.

PRJ-21915,
PMTR-50113

Endpoint Security

In some scenarios, the "Endpoint Security Client Version" report shows "N/A" in DAT Date column for all devices on the SmartEndpoint Reporting page.

PRJ-21106,
PMTR-62363

Endpoint Security

Adding devices to virtual group using the epmcommands tool may fail.

PRJ-19313,
PRHF-13909

CloudGuard Network

When creating a GCP Data Center, Test Connection may fail on large GCP accounts.

PRJ-23944,
PMTR-66384

Maestro VSX

"dxl stat" and "dxl calc" commands may fail on non-VS0 context with the "failed to retrieve dxl information" error.

Take 23

Released on 25 March 2021 and declared as Recommended on 5 Apr 2021

PRJ-23912,
PRHF-16377

Security Management

Accelerated Policy installation may fail with the "Error Code: 2000232" message if this policy contains changed services. Refer to sk172484.

PRJ-23583,
PMTR-66363

Endpoint Security

Endpoint Security Clients may disconnect after installing R81 Jumbo Hotfix on a Management that was upgraded from the previous versions. Refer to sk172485.

Take 17

Released on 01 March 2021

PRJ-22324,
PMTR-62199

Security Management

Accelerated Policy installation may fail when a Custom Application is used in Access Control policy, URL Filtering Blade is enabled and Application Control Blade is disabled on the selected gateway.

PRJ-22277,
PMTR-65110

Multi-Domain Management

In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916.

PRJ-20150,
PRHF-14537

VSX

In rare scenarios, some interfaces remain in "Down" state after reboot.

Take 13

Released on 08 February 2021

PRJ-19946,
PMTR-62429

Security Management

NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally.

PRJ-18434,
PMTR-60665

Security Management

NEW: The upgrade process is being monitored dynamically and will be stopped if it cannot be completed, not basing on a timeout.

PRJ-19545,
ODU-73

Security Management

UPDATE: Added Update 6 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.

PRJ-20165,
ODU-76

Security Management

UPDATE: Added Update 7 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.

PRJ-19972,
PRJ-13465

Security Management

UPDATE: If a Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours.

PRJ-20032,
PMTR-61770

Security Management

UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published.

PRJ-20001,
PRHF-14293

Security Management

UPDATE: Added improvements in policy load process, to reduce the policy installation time when having large amount of objects.

PRJ-22105,
PRJ-21382

Security Management

In some scenarios, the installation time of Jumbo Hotfix Take 11 on the Management Server may take up to several hours.

PRJ-18253,
PRHF-12594

Security Management

When logging into SmartConsole directly to a Domain using RADIUS or TACACS, the Authentication method in the audit log may show as "Internal Password". Refer to sk168716.

PRJ-17693,
PRHF-13332

Security Management

In some scenarios, HA temporary sub-directories in $FWDIR/tmp are not deleted if sync fails. Refer to sk170972.

PRJ-18289,
PMTR-61010

Security Management

In rare scenarios, the CPU and memory usage of CPM process may be abnormally high. Refer to sk170672.

PRJ-18266,
PRHF-13607

Security Management

'Revert to Revision' tasks cannot be cleared from tasks pane in SmartConsole.

PRJ-19105,
PMTR-61908

Security Management

In some scenarios, Management HA change-over to Security Management Server Backup fails with the "Failed to communicate with the peer" message.

PRJ-20564,
PMTR-62785

Security Management

In some scenarios, policy installation on LSM Gaia cluster profile fails with "Policy installation had failed due to an internal error" message.

PRJ-17563,
PRHF-12885

Security Management

In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server.

PRJ-17729,
PRHF-13278

Security Management

Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name.

PRJ-19274,
PRHF-14074

Security Management

Policy installation duration may increase due to large $FWDIR/conf/invalid_object_names.C file on the Management server. Refer to sk170427.

PRJ-18476,
PRHF-13644

Security Management

In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process.

PRJ-19571,
PMTR-60842

Security Management

In rare scenarios, on a Multi-Domain Server where Domains are using a Security Management Server configured for High Availability, initial configuration of the Security Management Server may fail with "Failed to reach peer after restart" error.

PRJ-20135,
PMTR-60541

Security Management

In a rare scenario, the FWM process unexpectedly exits.

PRJ-19950,
PRHF-14394

Security Management

The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds.

PRJ-19589,
PRHF-12851

Multi-Domain Management

UPDATE: With this fix, mds_backup will backup the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server.

PRJ-19648,
PMTR-62201

Multi-Domain Management

In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556.

PRJ-19278,
PRHF-13977

Multi-Domain Management

In rare scenarios, Management server becomes inaccessible after Global Policy reassign operation.

PRJ-18994,
PRHF-13874

Multi-Domain Management

The "cplic db_print -all -x" command fails when running on the MDS level.

PRJ-19321,
PMTR-61346

SmartConsole

NEW: Added support for Python 3 in Management API scripts.

PRJ-20248,
PMTR-62490

SmartConsole

UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once).

PRJ-18466,
PRHF-13551

SmartConsole

In some scenarios, Staging mode IPS protections activation in the Local Domain does not match the activation in the Global Domain after a Global Threat Prevention policy assignment. Refer to sk170322.

PRJ-18338,
PRHF-12226

SmartConsole

When using the "set simple-cluster" Management API command to update a user defined security zone, the "Specify security zone" checkbox in SmartConsole is not selected.

PRJ-19323,
PMTR-60220

SmartConsole

In some scenarios, the api.csv file may show extra empty columns.

PRJ-19203,
PRHF-13955

SmartConsole

In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352.

PRJ-19535,
PMTR-62078

SmartConsole

In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect.

PRJ-18960,
PMTR-61418

SmartConsole

In a VPN Community with MEP configuration, the OK operation may fail with the "Update operation failed" message.

PRJ-20787,
PRHF-13556

SmartConsole

When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing.

PRJ-20381,
PMTR-62935

SmartConsole

Adding Global dynamic objects to source or destination columns of access rules on the Global Domain via Management API may fail when using the Global dynamic object names.

PRJ-20911,
PMTR-63302

SmartConsole

In some scenarios, deleting a policy fails.

PRJ-18550,
PMTR-61235

SmartConsole

In a community with Cluster VSX member, the Granular encryption window may not open and show "Unable to load page".

PRJ-18309,
PRJ-18307

SmartProvisioning

NEW: Added support for Threat Emulation Blade on LSM profile of R81 SMB gateways and clusters.

  • Requires R81 SmartConsole Build 548 (or higher).

PRJ-18000,
SL-2106

Logging

NEW:

  1. Log Exporter can now schedule a recurring reconnection to the target 3rd party server periodically. This allows usage of a Load Balancer component for target servers.
  2. The target 3rd party server can be declared as a DNS name also when using UDP protocol.

PRJ-19451

Logging

UPDATE: Log Exporter read mode default was changed to Semi-unified instead of Raw mode.

PRJ-18099,
PRHF-7415

Logging

In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676.

PRJ-21078

Logging

In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments.

PRJ-18405,
PMTR-59205

Logging

The FWM and\or LOG_INDEXER processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452.

PRJ-19819,
SL-4358

Logging

In rare scenarios, the LOG_INDEXER process may unexpectedly exit when reading a specific log format. Refer to sk116117.

PRJ-19846,
PMTR-62010

SmartView

UPDATE: Improved the time resolutions usability (formally known as samples) of the Timeline widgets.

PRJ-20875,
PMTR-62957

SmartView

UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel.

PRJ-20795,
PRHF-13973

Security Gateway

UPDATE: Service with source port in the Access Rulebase will no longer disable accept templates for all connections.

PRJ-19066,
PRJ-18831,
PRJ-20716,
PRJ-20057,
PRJ-20738,
PRJ-20058

Security Gateway

In rare scenarios, Security Gateway memory consumption may increase.

PRJ-18982,
PMTR-61179

Security Gateway

In rare scenarios, Security Gateway may crash with USFW fwk core file.

PRJ-19802,
PMTR-62080

Security Gateway

Connectivity issues may appear due to missing proxy ARP entries on the Security Gateway.

PRJ-19813,
PMTR-62012

Security Gateway

In some scenarios, duplicate verification message is displayed when installing NAT policy on Security Gateways R80.40 and lower.

PRJ-20362,
PMTR-62876

Security Gateway

In some scenarios, DHCP traffic may be dropped after installing an accelerated policy.

PRJ-19705,
PMTR-62215

Security Gateway

In rare scenarios, a memory leak may occur in TOPOD process.

PRJ-20386,
PRHF-13431

Security Gateway

In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher.

PRJ-20633,
PRHF-14378

Security Gateway

In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server.

PRJ-19586,
PMTR-61102

Security Gateway

In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.

PRJ-20516,
PRHF-14630

Security Gateway

In some scenarios, when using routing separation, connection to Management Plane via Data Plane is dropped.

PRJ-19852,
PRHF-14268

Security Gateway

In some scenarios, a memory leak may occur after sending a packet from the kernel.

PRJ-20937,
PMTR-62420

Security Gateway

In a rare scenario, policy installation may fail on timeout and "fw amw fetch" process is still running on the Security gateway.

PRJ-18488,
PMTR-61165

Security Gateway

In some scenarios, repeating "fwx_alloc_global_find_free_port_atomic: rtsp pending port doesn't match the same pool" errors are displayed in dmesg when using Hide NAT with VoIP.

PRJ-20656,
PMTR-63092

Security Gateway

Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and wrong username/password provided by user.

PRJ-20901,
PRHF-14824

Security Gateway

In some scenarios, the DNS requests from the Security gateway may fail.

PRJ-18631,
PRHF-11912

Security Gateway

Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992.

PRJ-19958,
PMTR-62477

Security Gateway

Half-closed accelerated TCP connections may take too long time to expire.

PRJ-19942,
PMTR-61708

Security Gateway

In some scenarios, policy installation fails with "Error code 1-2000245".

PRJ-18316,
PRHF-12224

Security Gateway

In rare scenarios, a memory leak may occur on Security Gateway in gconn table.

PRJ-19162,
TEX-1482

Threat Extraction

UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable.
To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy.

PRJ-19194,
TEX-1906

Threat Extraction

UPDATE: Threat Extraction ( Sanitization) will be automatically disabled when Infinity Threat Prevention mode is installed while the machine does not have enough resources (RAM).

PRJ-18248,
PRJ-18124

Identity Awareness

NEW: Added Identity Sharing's performance and functionality improvements. Refer to sk170516.

PRJ-19640,
PMTR-61982

Identity Awareness

In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process.

PRJ-20863,
IDA-3642

Identity Awareness

In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch.

PRJ-18181,
MBS-12220

URL Filtering

In some scenarios, the WSTLSD process may unexpectedly exit and produce a core dump.

PRJ-19042,
PRHF-13886

UserCheck

In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message.

PRJ-20927,
PRHF-11733

IPS

NEW: Added ability to send connection log per application match for ATM transactions identification. The functionality is disabled by default and can be enabled by using the "up_duplicate_connection_log_on_packet_matched_app_enabled" kernel parameter.

PRJ-19198,
PRHF-10943

IPS

In some scenarios, a non-compliant IMAP traffic is dropped.

PRJ-19301,
PRHF-13560

IPS

In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs.

PRJ-19601,
PRHF-14259

DLP

UPDATE: Improved the DLP scans queue for a better scan rate.

PRJ-19923,
PRHF-14156

DLP

UPDATE: Expanded DLP postfix authentication to include NTLM to allow the Security gateway to connect to a mail servers that use the NTLM authentication protocol.

PRJ-20097,
PMTR-59101

DLP

UPDATE: Added support for multi-part data to DLP.

PRJ-20935,
PRHF-14978

SSL Inspection

The AES-NI (Intel Advanced Encryption Standard New Instructions) status is not displayed and "dmesg | grep AES-NI" returns no output. Refer to sk170779.

PRJ-19435,
PRHF-13987

SSL Inspection

In rare scenarios, the DynamicID Certificate validation may fail.

PRJ-18843,
PRHF-13322

SSL Inspection

In rare scenarios, a memory leak may occur during policy installation.

PRJ-21629,
PMTR-64293

SSL Inspection

When IPv6 is enabled, the wstlsd process may consume CPU at a high level after booting in kernel mode causing HTTPS connections to fail for a few minutes until the CPU returns to normal.

PRJ-17875,
PRHF-10279

HTTPS Inspection

UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:

  • Improved enforcement of first connection when URL Filtering setting is 'Hold' mode
  • Added SNI information to connection logs when connection is matched on rule with "Extended Log"
  • Hold mode granularity

For configuration, refer to sk173633.

PRJ-19196

Threat Prevention

NEW: Improved the way Threat Prevention distinguishes between .docx, .pptx, .xlsx and .zip files.

PRJ-18119,
PRHF-12737

Anti-Malware

Exported with ioc_feeds export command indicator feeds may contain user credentials. Refer to sk169035.

PRJ-19591,
PRJ-16924

Anti-Malware

In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occurred" error message.

PRJ-17439,
PMTR-62284

Anti-Malware

In some scenarios, users may fail to access a web site with many malicious URLs.

PRJ-20924,
PRHF-13478

Anti-Malware

In a rare scenario, Security gateway may crash when the Threat Prevention Forensics feature is enabled.

PRJ-18198,
PRHF-8315

Anti-Malware

In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway.

PRJ-19745,
PRHF-13998

Anti-Bot

Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure.

PRJ-19205,
PRHF-13935

ClusterXL

UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command:

  • In Gaia Clish, run "show cluster members monitored"
  • In Expert mode, run "cphaprob -m tablestat"

PRJ-19926,
PMTR-58748

ClusterXL

In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state.

PRJ-19393,
PRHF-14115

ClusterXL

"set router active-active-mode" settings do not survive a reboot.

PRJ-20536,
PRHF-14728

ClusterXL

In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing.

PRJ-16568,
MBS-11708

SecureXL

NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features.

PRJ-18324,
PRHF-13474

SecureXL

UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146.

PRJ-20056,
PRHF-14417

SecureXL

In rare scenarios, SecureXL may crash due to NULL handling.

PRJ-18088,
PRHF-13507

SecureXL

SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132.

PRJ-20028,
PRHF-14228

SecureXL

Server may not reuse the TCP connection when the user allows out of state TCP packets.

PRJ-20051,
PRHF-14165

SecureXL

Memory leak may occur in VPN or Active Streaming configuration.

PRJ-19407,
PMTR-60870

SecureXL

In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148.

PRJ-20105,
MBS-11960

Routing

NEW: Added support for ISP Redundancy on Scalable Platforms Appliances.

PRJ-19536,
PMTR-62075

Routing

On Scalable Platforms, SSH via MAB may disconnect.

PRJ-19630,
PRHF-14280

Routing

ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works.

PRJ-20445,
ROUT-1325

Routing

The old route may be not removed when an BGP ECMP route was changed.

PRJ-20243,
PRHF-14562

Routing

In rare scenarios, confd or routed process may restart.

PRJ-19464,
PMTR-60878

Routing

Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works.

PRJ-18281,
PMTR-58528

Routing

Certain types of multicast traffic may not be handled correctly in Bridge mode.

PRJ-18665,
PRJ-18664

Routing

PBR does not work with VTI/VPN.

-

Gaia OS

NEW: Added support for 1570R and 1600 / 1800 SMB appliances.

PRJ-19532,
PRJ-19531

Gaia OS

NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix.

PRJ-20501,
PMTR-62883

Gaia OS

UPDATE: OpenSSL was updated to version 1.1.1i to include the latest code fixes and security improvements.

PRJ-20472,
PRHF-14653

Gaia OS

In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object).

Refer to sk171055 to configure the required parameter FORCE_NATTED_IP.

PRJ-19518,
PRA-1520

Gaia OS

The syslog messages may be spammed when the "show asset all" command is running.

PRJ-17720,
PRHF-13075

Gaia OS

In some scenarios, one session disconnection of RADIUS users can cause another session to loose permission when one of the session terminates.

PRJ-20944,
PMTR-63343

Gaia OS

Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.

PRJ-18721,
PMTR-60804

Gaia OS

Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled.

PRJ-18773,
PMTR-61381

VPN

NEW: Added Remote Access VPN performance improvement.

PRJ-19717,
PMTR-60976,
VPNS2S-1335

VPN

NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2.

VPNS2S-1482

VPN

NEW: Added new display of vpn tu tlist command for DAIP gateway.

PRJ-19248,
PMTR-62158

VPN

NEW: Added CPDIAG (on/off) for IKE negotiations per community feature.

PRJ-21123,
PRHF-10420

VPN

Access roles do not recognize Remote Access SNX CLI clients.

PRJ-19672,
PMTR-61913

VPN

In some scenarios, Remote Access Endpoint client disconnects after roaming from Visitor Mode to NAT-T.

PRJ-20869,
PMTR-56565

VPN

In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues.

PRJ-20523,
PRHF-14766

VPN

In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol.

PRJ-20276,
PRHF-14308

VPN

In a rare scenario, a memory leak may occur when RASession_util is active.

PRJ-20949,
PMTR-63287

VPN

In some scenarios, L2TP clients disconnect from the Security gateway after 10 minutes of the connection.

PRJ-20640,
PMTR-63280

VPN

In some scenarios, the VPND process may unexpectedly exit.

PRJ-19425,
PRHF-13784

VPN

In some scenarios, the VPND process unexpectedly exits with Segmentation fault.

PRJ-20334,
PMTR-62776

VPN

Security gateway may crash when you install policy on a MAB gateway and a policy file is corrupted.

PRJ-20082,
PRHF-12828

VPN

Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".

PRJ-18504,
PMTR-60820

VSX

UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903.

PRJ-20567

VSX

IPv6 traffic and multicast IPv4 may not work with Virtual Switch (VSW).

PRJ-20123,
PMTR-62387

VSX

In VSX environment, Generic Data Center objects are not enforced on the VSX members.

PRJ-20284,
PRHF-14543

VSX

In some scenarios, SNMP v3 users are not recognized on VSX when SNMP is in VS mode. The "Unknown user name" error message is displayed. Refer to sk170993.

PRJ-20597,
PRHF-14400

VoIP

VoIP RTP can cause overload on global instance (CoreXL instance 0).

PRJ-18979,
PRHF-12691

VoIP

SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373.

PRJ-18971,
PRJ-17805

IoT

NEW: Added IoT support to Multi-Domain Security Management.

  • Requires R81 SmartConsole Build 549 (or higher).

PRJ-20905,
PMTR-59281

Endpoint Security

NEW: Added support for new Push Operations - Host Isolation and Host Release from isolation.

PRJ-20990,
PMTR-61783

Endpoint Security

NEW: Added support for new Push Operation - Remote Uninstall for Endpoint Client.

PRJ-20394

Endpoint Security

UPDATE: Updated Endpoint Web Docker Image.

PRJ-19400,
PRHF-14139

Endpoint Security

Attempt to move members from one group to another using Endpoint Server command line operations fails.

PRJ-20778,
PMTR-63041

Endpoint Security

The "Sent to Client On" column is empty in SmartEndpoint >Reporting > Push Operations even if push operation was completed successfully.

PRJ-19772

Endpoint Security

Database size may increase exponentially because dynamic packages are packed into exported .tgz using migrate_export.

PRJ-20639,
MBS-10278

Scalable Platforms

NEW: Added full support for Gaia Backup.

PRJ-20895,
MBS-12714

Scalable Platforms

On Maestro / Scalable Platforms, users may disconnect after several attempts due to bad forwarding in TCPT flow.

PRJ-20749,
MBS-12642

Maestro

Gaia scheduled backup fails to run and the /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup". Refer to sk170925.

PRJ-20140,
PMTR-62718

Maestro

"Packet Capture was not found" error when clicking the "View Packet Capture" link in the IPS log.

Take 11

Released on 26 January 2021

PRJ-21382,
PMTR-62199

Security Management

Accelerated Policy installation may fail when a Custom Application is used in Access Control policy, URL Filtering Blade is enabled and Application Control Blade is disabled on the selected gateway.

PRJ-18511,
PMTR-61232

SmartConsole

In a rare scenario, automatic NAT rules are not visible in SmartConsole. This may cause policy installation failure. Refer to sk171395.

Take 10

Released on 14 December 2020

PRJ-18770,
PRHF-13728

Security Management

NEW: Improved FWM process performance during policy or database installation.

PRJ-19096,
PMTR-61758

Security Management

Fetch policy on Security gateway may fail after installing Accelerated policy on it.

PRJ-19137,
PMTR-61781

Security Management

In some scenarios, policy installation may fail with verification errors when the installation is accelerated.

PRJ-18392,
PMTR-60541

Security Management

In a rare scenario, the FWM process unexpectedly exits.

PRJ-19085,
PRHF-13972

Security Management

In some scenarios, HA synchronization may fill up the disk space of a standby Management Server. Refer to sk168492.

PRJ-18493,
PRHF-13681

Security Management

In rare scenarios, a policy installation task may never complete.

PRJ-18955,
PRHF-13948

Security Management

Policy verification may fail with error "For security gateways R80.40 and higher, rules that use Access Roles can only have "Any Traffic" or "RemoteAccess" in the VPN column"

PRJ-18818,
PRHF-13819

Security Management

Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts.

PRJ-18945,
PMTR-61616

Security Management

In rare scenarios, FWM process may unexpectedly exit after a login attempt to the Management server.

PRJ-18908,
PMTR-61579

Multi-Domain Management

In some scenarios, size of MDS backup file increases after each policy installation.

PRJ-19072

SmartConsole

NEW: Added ability to view policies, objects and logs from the new Web SmartConsole. Refer to Take 24 sk170314.

PRJ-16059,
PRHF-12395

SmartConsole

In some scenarios, certain Gateways do not appear in the IPS Core protections list. Refer to sk168474.

PRJ-18350,
PRHF-13223

SmartConsole

When removing an object from a group using the "groups" field of the object's module in the Ansible collection, the group will not be changed and Ansible will show that no changes are needed.

PRJ-20142,
PMTR-60372

SmartConsole

Duplicate central licenses may be added to the management database. In some rare scenarios, this may lead to heavy load on the FWM process and prevent login.

PRJ-18554,
PMTR-60476

SmartConsole

After enabling the Endpoint Policy Management Blade on the Security Management Server, some views on SmartConsole may not load properly and SmartClient may disconnect.

PRJ-16978,
PRHF-12928

SmartConsole

In some scenarios, some Web APIs fail with "Script stopped running due to severe error!" message when SMB gateway is defined as a policy target. Refer to sk169557.

PRJ-17644,
PRHF-13379

SmartConsole

When creating a user with Check Point password authentication through the Management API, log in to Mobile Access portal may fail. Refer to sk170412.

PRJ-15815,
PRHF-12352

SmartConsole

In some scenarios, Management API does not start automatically after restart, although automatic start is enabled. Refer to sk168332.

PRJ-18383,
PRHF-13609

SmartConsole

In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances.

PRJ-18366,
PRHF-12819

SmartConsole

Enabling Threat Prevention policy may fail with validation errors when the policy's targets include cluster members running a version lower than R80.10.

PRJ-17483,
PRHF-12997

SmartProvisioning

In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status.

PRJ-18953,
PRJ-18833

Security Gateway

In rare scenarios, Security Gateway memory consumption may increase.

PRJ-18931,
PMTR-61541

Security Gateway

NAT may not work properly when Domain objects are used in the Translated Destination column.

PRJ-19177,
PMTR-61822

Security Gateway

Connections may be wrongly matched on Domain or Updatable objects used in Security policy.

PRJ-19004,
PRHF-13892

Security Gateway

In some scenarios, when using routing separation, connection from data plane to management plane is dropped.

PRJ-18685,
PMTR-56181

Security Gateway

In some scenarios, compilation errors during policy installation are ignored instead of immediately failing the policy. This may cause drops on the Security Gateway.

PRJ-17806,
PRHF-12119

Anti-Malware

In a rare scenario, Security gateway may crash after a match of the Anti-Bot Blade.

PRJ-19107,
IDA-3240

Identity Awareness

NEW: Performance optimization for Identity broker.

PRJ-18443,
PMTR-59795

DLP

In a rare scenario, "SEC Filings - Draft or Recent" Data Type in DLP is not properly enforced.

PRJ-18826,
PRHF-13605

HTTPS Inspection

The user may not be able to browse with Chrome when using mixed chain with ECDSA subordinate CA in HTTPS Inspection. Refer to sk170332.

PRJ-17828,
PRHF-13029

SecureXL

In some scenarios, CPView may show incorrect statistics for VPN encrypted/decrypted packets.

PRJ-18027,
PRHF-13480

Routing

SNMP queries for bgpPeerFsmEstablishedTime return an incorrect constant value. Refer to sk170074.

PRJ-18530

Gaia OS

NEW: Added Jumbo Hotfix for Scalable Platforms support. Refer to sk169954.
This Jumbo Hotfix Take is mandatory for Scalable Platform installation.

PRJ-19156,
PMTR-61729

Gaia OS

NEW: Allow Amazon Web Services (AWS) to modify partitioning via lvm_manager.

PRJ-18242,
PRHF-13451

Gaia OS

"cphaprob -h" shows wrong explanation for "cphaprob show_bond [<bond_name>]" command.

PRJ-19331,
PRHF-14073

Gaia OS

In some scenarios, login from data plane context fails (no connectivity to server).

PRJ-19150,
PMTR-57495

Gaia OS

"Docker0" bridge interface with assigned IP address from class B private pool may appear in the system, causing routing issues.

PRJ-19051,
PRHF-13949

Gaia OS

In some scenarios, when using routing separation, modifying interface IP address fails.

PRJ-18068,
PMTR-59437

VPN

NEW: Added Remote Access VPN performance improvements.

PRJ-19165

VPN

UPDATE: Added support for fetching CRL through proxy in Site to Site VPN configuration.

PRJ-18535,
PMTR-61276

VPN

In rare scenarios, when a Wire-Mode is configured on a community, it may cause a Security gateway from another community not to accelerate connections in SecureXL.

PRJ-18167,
CRYPTOIS-661

VPN

In some scenarios, Security Gateway Portals and Remote Access VPN clients show wrong certificate after certificate renewal. Refer to sk131212.

PRJ-18733,
PMTR-61360

VPN

In some scenarios, userspace cores may appear on Security gateways with enabled AES-GCM-256 and AES-256 VPN encryption. Refer to sk169417.

PRJ-18313,
PMTR-60933

VPN

"Decryption failed" drop logs may appear under heavy VPN load for accelerated tunnels using SHA 384 or SHA 512 Ciphers.