List of All Resolved Issues and New Features in R81 Jumbo Hotfix Accumulator

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Removed a redundant guava package.

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

UPDATE: New features and improvements are released in Take 81, Take 85, Take 88, and Take 90 via a self-updatable package. Refer to sk170314.

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

UPDATE: Re-enabled the deprecated feature of exporting/importing custom intelligence feeds.

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: SSL Network Extender was updated to version 80008407.

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

• changes in the cloud service configuration,

• stability improvement.

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg will now hold only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg will now hold all previous push configuration logs, except the last one.

UPDATE: SNMP traps for interfaces going up and going down will now contain the interface name and description.

UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined.

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).

UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

• Running a Gaia API command on a Security Gateway using Management API from the Multi-Domain Security Management Server fails.

• Running a Gaia API command on a Security Gateway using Management API from the Security Management Server fails if the Security Gateway certificate was not recreated.

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

Policy installation gets stuck if the known proxy group contains the policy target.

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway.

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

The Security Gateway may listen to the ports used by NAT.

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command.

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

In SmartConsole, export of policies with the "Hit count" column may get stuck.

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

When using the RADIUS username for authentication, login to SmartConsole may fail.

The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054.

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

In rare scenarios. in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.

• The fix applies only when Jumbo Hotfix Accumulator Take is installed via Advanced upgrade or with a Blink image containing this Take.

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

In rare scenarios, the WSDNSD process may restart because of an internal error.

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

The Security Gateway may crash due to a memory issue.

The Security Gateway may crash while inspecting non-HTTP traffic.

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

In a rare scenario, policy installation may fail because of IoC observables overrides.

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

In some scenarios, the Security Gateway fails to export or import IoC feeds.

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic.

Traffic may be dropped when there are many OSPF routes of type 5.

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

A potential leak in VPN tunnels in a Multi-Version Cluster.

Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##".

The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication.

A memory leak may occur in the CPD process.

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

• Requires installing SmartConsole R81 Build 567 (or higher).

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485.

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error.

The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package.

E2 engine may send an incorrect value of datDate in sync request.

After an upgrade, Azure Gov mapping may fail.

The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921.

NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository.

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314.

UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

An upgrade may fail when a Network object Group contains more than 32000 members.

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

If the Security Management Server is behind NAT, remote Management API login fails.

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

A scheduled Install Policy Preset may not have its next run time updated when:

• The Multi-Domain Security Management Server was down while the preset was scheduled to run

• There are over 50 presets defined

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached.

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

Latency in connection caused by a packet flow change from F2V to F2F.

In a Maestro environment, an encrypted over SSH or RDP connection may get closed when handled by the wrong member.

In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart.

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

Stack buffer overflow may occur in the FWGTP process.

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

When IPS Blade is enabled, the Security Gateway may crash.

In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail.

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

Importing a custom intelligence feed containing IP ranges may fail.

Sending emails with attachments via Capsule Workspace may fail on iOS.

A VRRP cluster member may be stuck in boot after a cluster upgrade.

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

A VRRP/VRRP6 interface may go into Master/Master state.

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group.

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

Routes marked as "stale" may be redistributed via BGP during graceful restart.

• Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

• OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

• Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection and the traffic might be dropped. Refer to sk180855.

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection".

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System.

When adding a new Virtual System and installing a policy, member state may change to Down.

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

License is not copied from SMO to all other members if other members are in Down state.

Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507.

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878.

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

UPDATE: Added more logs related to Pushing VSX Configuration.

• On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

• On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

• VSX Provisioning tool is now logged in the vpt_history.elg.

.

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region.

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

In some scenarios, the CME process fails to start.

Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure.

In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed.

In some scenarios, the "api status" command shows that the Management API service is stopped.

The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base.

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

CPView may not show some interfaces.

After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable.

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

In some scenarios, the CPD process may unexpectedly exit.

The Security Gateway may crash because of an issue in the FILEAPP (File Application) module.

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

Stability issues when ICAP client is active.

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

In a rare scenario, when QoS is enabled, the Security Gateway may crash.

The Security Gateway may frequently crash with vmcore files, recording invalid context.

When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled.

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

In rare scenarios, the FWK process can unexpectedly exit and cause an outage.

In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL.

The certificate in SmartConsole is shown as valid, although it is expired.

The "ioc_feeds set interval -r" command may fail.

Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value.

The DLPU process may unexpectedly exit with a core dump file.

After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml.

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

Connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs.

In a rare scenario, a wrong access role may be assigned to a user.

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode.

The Security Gateway may crash during policy installation because of a memory allocation problem.

In a rare scenario, the Security Gateway may crash during an IPS package update.

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

The WSTLSD process may unexpectedly exit and create core dump files.

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

Multicast traffic may get dropped, and no logs are generated.

In a rare scenario, a CPAQ message sent during policy push does not have critical priority, and can be dropped when the Security Gateway is busy.

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established but did not advertise routes. Lost routing causes the network to be down.

TCP traffic on port 34500 may be encrypted by VPN, although it should not.

When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output.

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error.

VPN stability issues.

A memory leak may occur in the VPND process.

After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only.

In VSX, if Dynamic Balancing was manually disabled on R81, after an upgrade from R81 to R81.20, it automatically gets enabled.

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

When setting password hash on cloning group members, some members may not get updated.

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198.

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

The "Logical Volume duplicate fail" error is displayed in CLI when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

VPN Cluster stability issue when the peer is an Azure Security Gateway.

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name.

The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.)

In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW).

When creating a Virtual Switch in a Scalable Platform environment, virtual interfaces with names that start with "wrp<Number>" and "wrpj<Number>" have the same MAC address. This causes traffic from the External Switch to the Virtual System (through the Virtual Switch) to be handled by the Virtual Switch. It may lead to high CPU utilization on the Virtual Switch and traffic outage.

The "asg perf" command fails when running it with the "-vv" flag.

The output of the "asg perf -6" command shows "IPV6 is Disabled".

Alignment to new self-updatable packages.

NEW:

• Added ability for R81 Security Management or Multi-Domain Server to manage R81.20 Security Gateways. It requires R81 SmartConsole Build 564 (or higher).

• Managing R81.20 Security Gateways in Autonomous Threat Prevention mode requires installing R81.20 Jumbo Hotfix Accumulator.

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message.

UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

UPDATE: Blocked the ability to install Jumbo Hotfix Accumulator or to run an upgrade to a major version on Quantum Maestro Security Gateways using the Central Deployment tool in SmartConsole or the Management REST API.

UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection.

UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436.

Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled.

Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700.

Packet mode search in HTTPS Inspection policy may not work.

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error.

"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain.

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

Access policy verification may fail when dynamic objects exist in the NAT policy.

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results".

Installing Database from Security Management on an R80.x Log Server may fail

SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Management Server to the Security Management Server.

In rare scenarios, in a Multi-Domain Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit.

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

The LOG_INDEXER process on the SmartEvent Server may unexpectedly exit, generating a core dump file, if the Log Server used by the correlation unit is deleted.

It may not be possible to filter the "Subscriber" field in SmartLog.

Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog.

In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic.

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active.

After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS).

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

In a rare scenario, the mal_conns table may consume a large amount of memory.

After an upgrade to Take 51 or higher, Access Control policy fails, if it is configured with an IoC local feed and hash indicators are added.

See the Important Notes section.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot.

The CPU utilization of the PDP daemon may be high during a specific authentication flow.

In some scenarios, IPS logs do not show the correct memory and CPU utilization when IPS is bypassed.

Push notification may not be working with the legacy Mobile Access (MAB) Portal. Refer to sk176243.

The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364.

SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios.

The ROUTED process may unexpectedly exit when the route does not have a next hop.

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

See the Important Notes section.

Information about scheduled backup failure is now displayed in Clish, WebUI and in the error message inside the log file.

When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed.

• After an upgrade of the on-premises Endpoint Management Server to Jumbo Hotfix Accumulator R81.10 Take 75, it is not possible to connect to the Web Management Server.

• When logging into the Web Management Console, an "API error 9999" message is displayed.

Refer to sk180230. See the Important Notes section.

Improved handling of NSX-T API responses.

AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC).

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651.

Performance data may not be collected on VSX Security Gateways.

SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926.

In some scenarios, the SNMPD process may unexpectedly exit.

Improved VPN on Quantum Maestro with Security Gateways hidden behind NAT.

When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID.

After an upgrade to Jumbo Hotfix Accumulator R81.10 Take 75 or higher, a member may be in Down state with a "pull_config" pnote.

The CPVIEWD process may cause CPU spikes.

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors.

An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain".

Policy installation may get stuck on 99% when resuming queued policy installation tasks.

Editing a Threat Profile object using Ansible automation tool may fail.

The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645.

High Availability synchronization may fail with the "Failed to update shared licenses" error.

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours.

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

UPDATE: Released Take 67 with new features and improvements. Refer to sk170314.

NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566.

In SmartView, exporting views or reports that do not have tables may indefinitely continue processing.

Logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server.

Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully.

In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713.

The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records.

UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL.

Bond subordinates may be visible in the wrong plane.

After an upgrade, in a setup with a single VSX, the Security Gateway may crash.

In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway.

Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886.

The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot.

When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged. Refer to sk179431.

A kernel crash may occur during system shutdown when PIM is enabled.

In a cluster environment, an ICAP implied rule may not be enforced after policy installation.

Access Control policy installation may fail with a "Load on Module failed - problem with the Commit Function" message.

In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash.

After an upgrade, Access Control policy installation may fail with an "Update process is already running" message.

In a rare scenario, the Security Gateway may have a memory allocation issue.

UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time.

There may be Security Gateway memory allocation issues related to creating a new Anti-Malware policy.

IoC feed may not load because of a parsing issue with the IP range indicator.

SCP connections may get terminated.

Removed unnecessary debug messages in the Identity revocation flow.

The Nested Groups Depth value changed in CLI may not survive a reboot.

When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason.

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage.

Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244.

UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers.

UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960.

In a rare scenario, ipsctl kernel module does not load at startup.

There may be high CPU or/and latency in CIFS/SMB connections.

The ROUTED process may unexpectedly exit when querying BGP data.

UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434.

Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705.

Adding a Security Gateway Module (SGM) to a Security Group may cause the Security Gateway crash when Link Selection is enabled in Load Sharing mode.

When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources.

The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart.

In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121.

UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode.

A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation.

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481.

Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command.

The VSX Provisioning Tool may unexpectedly exit when adding a new virtual device.

The "Primary Slave" configuration in a Bond (MAGG) interface may not be applied to a Security Group. Refer to sk178765.

UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653.

The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS).

A user locked by the deny-on-nonuse mechanism cannot get unlocked.

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways.

Added Take 19 of Public Cloud CA Bundle. Refer to sk172188.

In a VSX setup that includes members only in Site 2, asg monitoring commands (such as asg stat vs all) may incorrectly present Chassis 2 state as "N/A".

Threat Prevention policy cannot be installed on R80.40 and lower Security Gateways when using a Security Zone object in the "Source" column. Refer to sk177605.

See the Important Notes section.

UPDATE: Management API performance improvements:

• When moving a rule, the "set-access-rule" command is now up to 15 times faster.

• When using a rule name, the "set-access-rule" command is now twice as fast.

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Gateway was completed successfully.

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

In some scenarios, the Hit Count column on the NAT policy shows zero hits on all rules, even though there are hits.

Upon policy installation, Security Gateways may not receive changes made in the Service Based Link Selection configuration file $FWDIR/conf/vpn_service_based_routing.conf as per instructions of sk56384. Refer to sk179699.

Login to Domain via Management API using FQDN as the Domain parameter may fail with the "Domain not found" error.

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144.

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

UPDATE: The local logging test will no longer run on the "asg_perf_hogs" utility, as it has its HCP (HealthCheck Point) test. Refer to sk171436.

When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

An error may occur when changing Default Time Frame while the SmartView language is not English.

In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches.

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells.

UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750).

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options.

There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server.

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

The Security Gateway may crash during PM Stats collection.

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096.

Improved memory consumption by decreasing the size of the mal_conns table.

In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)".

See the Important Notes section.

• The /var/log/messages directory may be flooded with "appi_app_db_get_kattrib_info: attribs hash does not exist" messages.

• A Security Gateway may be slow or unresponsive.

Refer to sk178406.

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP in other reports.

• Downloading or opening the packet capture file from the Anti-Bot log entries may fail with a "File fetching is still in progress" message.

• When opening the capture file link in the log entry in SmartConsole, the "Failed getting the incident file from the gateway. It may be expired" error is shown.

Login to Mobile Access Citrix application may fail.

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

UPDATE: Added support for the "Same VMAC" feature.

In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members.