List of All Resolved Issues and New Features in R81 Jumbo Hotfix Accumulator

NEW: Threat Emulation in Endpoint Security Clients version E87.60 and higher now supports the ONE, XAR, and WSF file formats.

UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.61 to fix: CVE-2023-31122, CVE-2023-43622, CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573.

UPDATE: A patch on top of OpenSSL 1.1.1w to fix CVE-2024-2511. Refer to sk182320.

UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Refer to sk182516 > Login to Gaia Portal.

UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism.

UPDATE: JRE is updated from version 8.0_8.10 to version 8.0_8.21.

UPDATE: The "set threat-exception" Management API command now includes the "protection-or-site" parameter. When specified, this parameter adds new values to the existing list of protections or sites, instead of overwriting the current entries.

UPDATE: Added ability to increase/decrease DNS cache table size.

UPDATE: Added ability to increase/decrease DNS cache table size.

UPDATE: Added the "trackSettings.forensics" parameter to the "threat-rule" Management API command to enable and disable the "forensics" option in the "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true".

UPDATE: When URL Filtering operates in Background Mode and encounters an unclassified connection, instead of being approved automatically, such connection is now accepted or rejected based on Access Rule Base execution, and listed under the "unknown" category.

UPDATE: SSL Network Extender is updated to version 80008409.

UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1".

UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188.

UPDATE: Added Update 18 and Update 19 of HealthCheck Point (HCP) Release. Refer to sk171436.

SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.

• Requires additional configuration and R81 SmartConsole Build 569 or higher. Refer to sk181630.

In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, if a Star VPN Community object is created, publish operations may fail.

After upgrading, administrators with read/write permissions to edit Security Gateways and Clusters may lack IPS permissions and are unable to perform certain management tasks, such as enabling or disabling blades.

In some scenarios, SmartConsole may unexpectedly disconnect.

When Compliance is enabled, the FWM process may unexpectedly exit and generate a core dump. Refer to sk182507.

See the Important Notes section.

When Global Domain Assignment fails with the "More than one object named 'XXX' exists" error, not all duplicate objects are listed.

When a Domain object in a policy is set with a backslash in the suffix, policy installation fails with the "Unterminated string&CURRENTVERCMP" error.

The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set.

In rare scenarios, the CPD process may exit with core dumps.

In some scenarios, the "set-exception-group applied-threat-rules.position" Management API command may add the exception group to an incorrect position.

In rare scenarios, when Application Control is enabled, cloning a policy may fail due to timeout.

In some scenarios, cpmiquerybin core files may appear in /var/log/dump/usermode/ on the Security Management Server.

In a Multi-Domain Security Management environment, there may be synchronization timeout errors, and automatic revisions purge may fail.

In a rare scenario, when running the CPView utility, the Security Gateway may crash.

RAD error messages may be printed to the fwk.elg file during cpstop:cpstart on the Security Gateway. The issue is cosmetic only.

In some scenarios, viewing a Forensics report in Threat Hunting fails with the "Unable to load report" error. Refer to sk181800.

Log searches for the same time period may return more results in SmartConsole compared to SmartView.

In some scenarios, after removing an existing Log Exporter instance, the creation of a new instance appears successful in SmartConsole. However, the new Log Exporter object is not actually generated.

In rare scenarios, empty log list may be displayed when selecting a log file to view in SmartConsole.

Log Exporter may unexpectedly exit when using a non-RSA certificate.

In the Logs view, the "TCP-other" and "UDP-other" services are displayed as generic service IDs, for example, "cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477".

The "show logs" Management API command may show partial information for the fields with multiple values.

The CPWD daemon does not restart automatically.

After deploying a new license to a Multi-Domain Log Module (MLM), all Customer Log Modules (CLMs) generate alert logs about missing license/contracts stating "No valid license was found".

Running GTP traffic may cause a crash on a Security Gateway without a GTP license.

The RAD process exits and creates a core file on the Security Gateway.

Outages may occur when the FWD process exits or restarts and Security Group member goes down triggering Scalable Chassis failover.

In rare scenarios, the FWK process may unexpectedly exit.

A memory issue may occur in a cluster environment, when SIP inspection is enabled.

• In some scenarios, the Security Gateway may crash with a vmcore in /var/log/crash or fwk core in /var/log/dump/usermode/.
• The "kernel: xxxxx: tx_timeout" error is printed in /var/log/messages.
• PSL drops packets with "PSL Drop: psl_build_pslip failed" message, potentially impacting network performance and streaming capabilities.

See the Important Notes section.

In some scenarios, adding sequential IP addresses as MDPS task addresses may fail.

Memory leak may occur in SecureXL templates. Refer to sk182648.

See the Important Notes section.

In rare scenarios, the FWK process may unexpectedly exit when the IPS / Application Control / Anti-Virus / Anti-Bot is active and the HyperFlow feature is enabled.

In rare scenarios, when Anti-Virus, Threat Extraction and Threat Emulation are enabled, some connections that were on hold are dropped.

SSH Deep Packet Inspection (SSH DPI) fails to start inspection if IPS is enabled while all other Threat Prevention products are disabled.

Threat Prevention policy installation may fail because of invalid JSON format in the IoC feed feature configuration file. Refer to sk181650.

In a rare scenario, Threat Prevention policy installation may fail after an over-the-air (OTA) package update of TP_CONF_SERVICE. Refer to sk182572.

In a rare scenario, the Security Gateway may crash during traffic inspection when holding a connection.

The ICAP client may send the file name under "Content-Disposition" in an unsupported format written as "filename*=" instead of "filename=", and the Threat Emulation does not process such files.

In Azure Active Directory, access role assignment only considers a user's first 100 group memberships. Any groups beyond this limit are disregarded when determining user access roles.

Microsoft Azure Active Directory does not fetch users in the Access Role object and shows "The user directory is still initializing". Refer to sk175983.

In scenarios where there is a heavy load on the machine, the RAD queue can fill up and get clogged by unhandled requests, causing an outage and traffic disruption.

In a rare scenario, when IPS is enabled and logging on a rule that involves IPS is enabled, physical memory usage may rapidly increase.

Anti-Virus may enforce observables from IoC feeds although they were deactivated in SmartConsole.

In some scenarios, the Anti-Virus logs on a VSX Gateway may display an incorrect origin IP address.

Enabling the "cvpnd" debug causes the reverseproxy_ssl_debug.log file size to continue growing even after the "reverse proxy" debug is off.

HTTPS access to the Mobile Access Portal may be down.

The "citrixStrictTicketEnforcement" parameter set in the configuration file may not work as expected.

In rare scenarios, in a cluster environment, the CPDiag tool may crash.

In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out.

In some scenarios, traffic with Passive or Active Streaming configuration may not correctly pass through a Virtual Router on a VSXGateway.

In some scenarios, the VSX Gateway may fail to properly reroute traffic originating from a Virtual Switch.

SYN Defender configuration in Inspection Settings on the Security Management Server may not be applied on Accelerated Policy installation.

In a ClusterXL environment, a race condition may occur when BGP Graceful Restart is incorrectly configured. If the feature is enabled for some peers but not others, it may lead to permanent loss of network routes.

Routing BFD sessions using IPv6 global addresses on single-hop interfaces fail to recover after the network interface is administratively disabled and re-enabled.

ROUTED process assert failure may take place when LSA from a neighbor's retransmission list is freed if that LSA belongs to the max age hold tree that is flooded at max age.

The ROUTED process may unexpectedly exit because of an OSPF assertion failure.

Dynamic Routing outage in a Security Group during the Zero Downtime (MVC) Upgrade to R81.20, during the Downgrade from R81.20, or during the installation / uninstall of the R81.20 Jumbo Hotfix Accumulator. Refer to sk182556.

The "Unable to connect to the server, Press OK to reconnect" error is displayed when opening the Network Interfaces tab in the Gaia Portal. Refer to sk182560.

SNMP query for OID 1.3.6.1.4.1.2620.1.6.7.5.1.5 (CPU utilization per CPU core) and the "cpstat os -f cpu" command may return an incorrect value. Refer to sk182447.

Removing unused built-in user called "cp_ender" that may appear in Gaia OS after an upgrade. Refer to sk182185.

Remote Access VPN connections in Maestro environments may be dropped with the "out-of-state" reason.

After an update, if in VPN if configured with Permanent Tunnels enabled, RAM utilization may increase.

The FWK process may crash when establishing multiple VPN tunnels simultaneously at peak rates.

By default, the VPN permanent tunnel is configured to use "tunnel test" instead of "DPD". This configuration may cause inaccurate permanent tunnel status reporting when connecting to third-party devices.

Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783.

IPv6 non-VPN traffic may be dropped with "Clear text packet should be encrypted".

When working with iOS devices, after establishing a VPN connection and subsequently disconnecting devices, the "vpn tu tlist" command may display an incorrect device connection status, indicating that a device is still connected.

Deleting a Virtual System ID (VSID) that does not exist may trigger the "cpstop" command. Stopping all Check Point services on VS0 can disrupt the entire VSX environment.

In rare scenarios, the CPD process of the default Virtual System on a VSX Gateway (VS0) gets stuck.

Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950.

When running the "asg resource" command, the SSD overall health check is displayed as "PASSED" with the "Unknown_Attribute on Member X_XX is below/getting towards low threshold (val: 0/ thresh: 0)" warning. The issue is cosmetic only.

Redundant "MHO_stateAgent[3230]: QuidAddon: System not ready yet - attempting to re-init" messages in the /var/log/messages file.

Site to Site VPN traffic may be interrupted after installing policy with VSLS.

NEW: Added ability for R81 Security Management or Multi-Domain Server to manage 19000 and 29000 Check Point appliances.

• Requires R81 SmartConsole Build 568 (or higher).

NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol.

This ability is enabled by default.

• To disable this ability, run: "fw ctl set int appi_drop_packet_enabled 0".

• To enable this ability, run: "fw ctl set int appi_drop_packet_enabled 1".

NEW: Added support for Azure Scale sets with Flexible orchestration mode.

CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336.

UPDATE: Added validation for new permissions for configuring a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > Run the following script before deleting old files.

UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877.

UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921.

UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log.

UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways.

UPDATE: It is now possible to add exceptions to external IoC feeds.

UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX.

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

UPDATE: Updated the Jetty server libraries for CloudGuard Controller to provide enhanced stability, security, and performance.

UPDATE: New features and improvements are released in Take 94, Take 97, Take 100 and Take 102 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 77 and Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Update 22, Update 23 and Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added Update 15, Update 16 and Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436.

UPDATE: Added Python 3.11.4.

In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view.

When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message.

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file.

The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt.

Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected.

Enabling automatic updates of Trusted CAs as described in sk173629 may fail.

Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID.

In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object.

In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822.

The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks.

If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report.

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

Install Policy Presets may fail after purging all revisions. Refer to sk181652.

In rare scenarios, High Availability synchronization fails with "Peer is busy".

SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script.

Login to SmartConsole may fail while the Compliance Blade is running a full scan.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters.

In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397.

The "fwm sic_reset" command may fail and generate a core dump.

The Change Report generated before publishing a session, may contain internal system changes that were made by the user.

In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

A memory leak may occur in the FWM process which leads to SmartConsole connection failures.

In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails.

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801.

In rare scenarios, CPView does not handle VS context correctly.

In the "cpview -m" command output on the Security Gateway which is an Active Cluster member, "metrics system.network.nat.ports" and "system.network.nat.ports.limit" may not be displayed in the list of available metrics.

Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options.

When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly.

When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters.

Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only.

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

CIFS traffic may cause CPU spikes in the FWK process.

Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are enabled. Refer to sk181793.

CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

In rare scenarios, updating the NTP Server may cause a temporary outage.

The CPVIEW_API_SERVICE process may exit with a timeout.

When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:

• A DNS query to any ISP returns IP addresses of all three, although it should return only the active ISP.

• When one ISP is down, the faulty ISP is also returned instead of the newly active.

The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process.

The Security Gateway may crash during policy installation.

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router.

In a VSX environment, the FW_FULL process may exit when running "fw monitor -p all" with the "-v" flag on a specific list of Virtual Systems (VS's) where not all VS's have identical blade configurations enabled.

The ICAP Server may fail to initialize.

Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object.

Incorrect CPU statics may be shown in CPView when using Dynamic Split.

In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway.

When configuring ioc feeds from the management:

• The "no_ssl_validation" variable may be deleted after the policy installation.

• Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash.

An outage may occur when an unsupported SSH cipher is selected.

When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems.

Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension.

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225.

The "Categorized HTTPS Sites" option does not classify specific websites when "TLS 1.3 hybridized Kyber support" is enabled in the browser. Refer to sk182318.

When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access.

After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946.

User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation.

When a policy contains a white list, some packets may not match the listed applications.

In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network.

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186.

Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types.

The DLPU process may frequently exit with a core dump file.

Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures.

In a rare scenario, the Security Gateway may crash during inspection of file downloads.

The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds.

When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text.

In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also.

In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem".

The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster.

In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error.

In some scenarios when Route-based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address.

In some scenarios, fragmented ICMP packets may bypass the DOS/ Rate limiting deny list.

The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list.

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch.

The Security Gateway may crash with vmcore during boot while upgrading.

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

In some scenarios, the VSX Security Gateway may crash when sending VPN encrypted traffic through a Virtual Router/Switch.

In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer.

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing.

Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated.

In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization.

Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on".

BGP peers may experience timeouts when these conditions occur simultaneously:

• The network has more than 100 BGP peers configured,

• The routing table contains tens of thousands of routes,

• BGP tracing is enabled,

• The BGP timers (such as keepalive and hold timers) are reduced from their default values, making the peers more sensitive to delays or congestion.

The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic.

VPN connectivity may be unstable when IPv6 and VPN star communities are configured.

When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed.

In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error.

When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues.

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface.

In some scenarios, installing policy via vsx_util may be stuck.

High CPU usage on SND cores when many interfaces are configured. Refer to sk181860.

The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922.

The SNMPD process memory consumption may be high, which causes the process to become unresponsive.

Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content.

There may be some inconsistent syntax in the "comment" section for interface and static-route commands.

Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that.

Some valid interfaces may not be available with running the "set lldp interface" command.

When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file.

When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers.

When attempting a one-time login for a migrated client in the Infinity Portal, the request fails with "400 error" caused by duplicate logon_name and domain_name entries in the database, preventing password generation from the Web interface.

When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525.

The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members).

An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and, therefore, may differ between members.

The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674.

On a Security Group with MDPS enabled:

• The "asg perf" command on a Security Group does not show any output - the Gaia OS prompt appears immediately after entering the command and pressing the Enter key.

• When running the "mac_verifier" and other commands on a Security Group, the output may show the error message "mount of /sys failed: device or resource busy".

• The "distutil verify -v" command on a Security Group returns "verification failed".

After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane.

Refer to sk182076.

Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed.

During site failover, IPv6 traffic that goes through the Warp interface may be interrupted.

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: Removed a redundant guava package.

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

UPDATE: New features and improvements are released in Take 81, Take 85, Take 88, and Take 90 via a self-updatable package. Refer to sk170314.

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

UPDATE: Re-enabled the deprecated feature of exporting/importing custom intelligence feeds.

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: SSL Network Extender was updated to version 80008407.

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

• changes in the cloud service configuration,

• stability improvement.

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically.

UPDATE: Changed the vsx push configuration log:

• The log file last_vsx_push_configuration.elg will now hold only the last vsx push configuration log.

• The cyclic log file vsx_push_configuration.elg will now hold all previous push configuration logs, except the last one.

UPDATE: SNMP traps for interfaces going up and going down will now contain the interface name and description.

UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined.

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).

UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

• Running a Gaia API command on a Security Gateway using Management API from the Multi-Domain Security Management Server fails.

• Running a Gaia API command on a Security Gateway using Management API from the Security Management Server fails if the Security Gateway certificate was not recreated.

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

Policy installation gets stuck if the known proxy group contains the policy target.

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway.

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

The Security Gateway may listen to the ports used by NAT.

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command.

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

In SmartConsole, export of policies with the "Hit count" column may get stuck.

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

When using the RADIUS username for authentication, login to SmartConsole may fail.

The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054.

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

In rare scenarios. in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.

• The fix applies only when Jumbo Hotfix Accumulator Take is installed via Advanced upgrade or with a Blink image containing this Take.

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

In rare scenarios, the WSDNSD process may restart because of an internal error.

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

The Security Gateway may crash due to a memory issue.

The Security Gateway may crash while inspecting non-HTTP traffic.

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

In a rare scenario, policy installation may fail because of IoC observables overrides.

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

In some scenarios, the Security Gateway fails to export or import IoC feeds.

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance.

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

When a BFD session is added or removed, disabled sessions may incorrectly come up.

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

Vsx_util upgrade or downgrade validation fails on Virtual Systems where policy was never installed.

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

In a rare scenario, affinity configuration on VSX may fail.

In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823.

When changing bond settings, the bond may be missing the global IPv6 Address.

Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment.

After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to "None". And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed.

KAV updater on the Server may fail to receive updates when proxy is used.

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter).

NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository.

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314.

UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

An upgrade may fail when a Network object Group contains more than 32000 members.

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

If the Security Management Server is behind NAT, remote Management API login fails.

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

A scheduled Install Policy Preset may not have its next run time updated when:

• The Multi-Domain Security Management Server was down while the preset was scheduled to run

• There are over 50 presets defined

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached.

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

Latency in connection caused by a packet flow change from F2V to F2F.

In a Maestro environment, an encrypted over SSH or RDP connection may get closed when handled by the wrong member.

In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart.

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

Stack buffer overflow may occur in the FWGTP process.

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

When IPS Blade is enabled, the Security Gateway may crash.

In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail.

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

Importing a custom intelligence feed containing IP ranges may fail.

Sending emails with attachments via Capsule Workspace may fail on iOS.

A VRRP cluster member may be stuck in boot after a cluster upgrade.

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

A VRRP/VRRP6 interface may go into Master/Master state.

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group.

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

Routes marked as "stale" may be redistributed via BGP during graceful restart.

• Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

• OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

• Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection and the traffic might be dropped. Refer to sk180855.

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection".

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System.

When adding a new Virtual System and installing a policy, member state may change to Down.

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

License is not copied from SMO to all other members if other members are in Down state.

Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507.

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

UPDATE: To reduce policy installation time on a Security Gateways with a large number of CoreXL Firewall instances, you can use the Check Point Registry parameter "CP_INSTALL_POLICY_MT_LIMIT" to configure the Security Gateway to install the policy simultaneously on groups of CoreXL Firewall instances. Refer to sk182653.

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

UPDATE: Added more logs related to Pushing VSX Configuration.

• On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

• On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

• VSX Provisioning tool is now logged in the vpt_history.elg.

.

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region.

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

In some scenarios, the CME process fails to start.

Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure.

In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed.

In some scenarios, the "api status" command shows that the Management API service is stopped.

The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base.

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

CPView may not show some interfaces.

After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable.

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

In some scenarios, the CPD process may unexpectedly exit.

The Security Gateway may crash because of an issue in the FILEAPP (File Application) module.