List of All Resolved Issues and New Features in R81 Jumbo Hotfix Accumulator

NEW: We have extended the grace period of Compliance blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of Application Control and URL Filtering blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

NEW: We have extended the grace period of SmartEvent blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878.

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55.

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

UPDATE: Added more logs related to Pushing VSX Configuration.

• On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

• On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

• VSX Provisioning tool is now logged in the vpt_history.elg.

.

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

UPDATE: Added support for Data Centers in AWS eu-south-2 (Spain) and eu-central-2 (Zurich) and ap-south-2 (Hyderabad) regions.

Skyline may not show any information. Refer to sk180748.

The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed.

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail.

Editing a Global Assignment object using Ansible may fail.

There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder.

The date of a policy configured with "accelerated installation" may not be updated in logs.

Access Policy installation may fail with the "Redefining defined variable" error when a Network object with a long name is used in a NAT rule.

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

CPView may not show some interfaces.

After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable.

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

In some scenarios, the CPD process may unexpectedly exit.

The Security Gateway may crash because of an issue in the FILEAPP (File Application) module.

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

Stability issues when ICAP client is active.

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

In a rare scenario, when QoS is enabled, the Security Gateway may crash.

The Security Gateway may frequently crash with vmcore files, recording invalid context.

When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled.

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

In rare scenarios, the FWK process can unexpectedly exit and cause an outage.

In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL.

The certificate in SmartConsole is shown as valid, although it is expired.

The "ioc_feeds set interval -r" command may fail.

Anti-Virus blade fails to parse external IOC feeds that contain commas in the CSV column field value.

The DLPU process may unexpectedly exit with a core dump file.

After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml.

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

Connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs.

In a rare scenario, a wrong access role may be assigned to a user.

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode.

The Security Gateway may crash during policy installation because of a memory allocation problem.

In a rare scenario, the Security Gateway may crash during an IPS package update.

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

The WSTLSD process may unexpectedly exit and create core dump files.

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

Web applications may not work correctly when Mobile Access blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

Multicast traffic may get dropped, and no logs are generated.

In a rare scenario, a CPAQ message sent during policy push does not have critical priority, and can be dropped when the Security Gateway is busy.

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established but did not advertise routes. Lost routing causes the network to be down.

TCP traffic on port 34500 may be encrypted by VPN, although it should not.

When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output.

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error.

VPN stability issues.

A memory leak may occur in the VPND process.

After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only.

In VSX, if Dynamic Balancing was manually disabled on R81, after an upgrade from R81 to R81.20, it automatically gets enabled.

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

When setting password hash on cloning group members, some members may not get updated.

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198.

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

The "Logical Volume duplicate fail" error is displayed in CLI when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

VPN Cluster stability issue when the peer is an Azure Security Gateway.

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name.

The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.)

In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW).

When creating a Virtual Switch in a Scalable Platform environment, virtual interfaces with names that start with "wrp<Number>" and "wrpj<Number>" have the same MAC address. This causes traffic from the External Switch to the Virtual System (through the Virtual Switch) to be handled by the Virtual Switch. It may lead to high CPU utilization on the Virtual Switch and traffic outage.

The "asg perf" command fails when running it with the "-vv" flag.

The output of the "asg perf -6" command shows "IPV6 is Disabled".

Alignment to new self-updatable packages.

NEW:

• Added ability for R81 Security Management or Multi-Domain Server to manage R81.20 Security Gateways. It requires R81 SmartConsole Build 564 (or higher).

• Managing R81.20 Security Gateways in Autonomous Threat Prevention mode requires installing R81.20 Jumbo Hotfix Accumulator.

UPDATE: Improved the "Assign Global Policy" action time by approximately 50%.

UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message.

UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled.

UPDATE: Blocked the ability to install Jumbo Hotfix Accumulator or to run an upgrade to a major version on Quantum Maestro Security Gateways using the Central Deployment tool in SmartConsole or the Management REST API.

UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection.

UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436.

Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled.

Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700.

Packet mode search in HTTPS Inspection policy may not work.

The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119.

In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error.

"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain.

It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown.

Access policy verification may fail when dynamic objects exist in the NAT policy.

Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER.

After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results".

Installing Database from Security Management on an R80.x Log Server may fail

SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Management Server to the Security Management Server.

In rare scenarios, in a Multi-Domain Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit.

When LEA spawning is turned off (sk91343), the FWD process may run out of memory.

When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed.

The LOG_INDEXER process on the SmartEvent Server may unexpectedly exit, generating a core dump file, if the Log Server used by the correlation unit is deleted.

It may not be possible to filter the "Subscriber" field in SmartLog.

Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog.

In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic.

When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672.

The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS blade is active.

After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS).

The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs.

In a rare scenario, the mal_conns table may consume a large amount of memory.

After an upgrade to Take 51 or higher, Access Control policy fails, if it is configured with an IOC local feed and hash indicators are added.

In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe".

Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot.

The CPU utilization of the PDP daemon may be high during a specific authentication flow.

In some scenarios, IPS logs do not show the correct memory and CPU utilization when IPS is bypassed.

Push notification may not be working with the legacy Mobile Access (MAB) Portal. Refer to sk176243.

The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364.

SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios.

The ROUTED process may unexpectedly exit when the route does not have a next hop.

In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue.

When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels.

Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592.

The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324.

Information about scheduled backup failure is now displayed in Clish, WebUI and in the error message inside the log file.

When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed.

• After an upgrade of the on-premises Endpoint Management Server to Jumbo Hotfix Accumulator R81.10 Take 75, it is not possible to connect to the Web Management Server.

• When logging into the Web Management Console, an "API error 9999" message is displayed.

Refer to sk180230.

Improved handling of NSX-T API responses.

AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC).

In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk177365.

Performance data may not be collected on VSX Security Gateways.

SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926.

In some scenarios, the SNMPD process may unexpectedly exit.

Improved VPN on Quantum Maestro with Security Gateways hidden behind NAT.

When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID.

After an upgrade to Jumbo Hotfix Accumulator R81.10 Take 75 or higher, a member may be in Down state with a "pull_config" pnote.

The CPVIEWD process may cause CPU spikes.

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors.

An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain".

Policy installation may get stuck on 99% when resuming queued policy installation tasks.

Editing a Threat Profile object using Ansible automation tool may fail.

The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645.

High Availability synchronization may fail with the "Failed to update shared licenses" error.

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours.

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

UPDATE: Released Take 67 with new features and improvements. Refer to sk170314.

NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566.

In SmartView, exporting views or reports that do not have tables may indefinitely continue processing.

Logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server.

Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully.

In SmartConsole, when Endpoint Policy Management blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713.

The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records.

UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL.

Bond slaves may be visible in the wrong plane.

After an upgrade, in a setup with a single VSX, the Security Gateway may crash.

In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway.

Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886.

It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE".

Topology auto update may fail because of a too long interface name.

The Security Gateway may run out of memory when retrieving topology.

After an upgrade, Anti-Virus Blade may cause increased memory consumption.

After an upgrade, VSX cluster may have frequent failovers.

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

Policy verification fails when a generic Data Center contains an object with an empty range.

UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time.

There may be Security Gateway memory allocation issues related to creating a new Anti-Malware policy.

IOC feed may not load because of a parsing issue with the IP range indicator.

SCP connections may get terminated.

Removed unnecessary debug messages in the Identity revocation flow.

The Nested Groups Depth value changed in CLI may not survive a reboot.

When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason.

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage.

Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244.

UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers.

UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960.

In a rare scenario, ipsctl kernel module does not load at startup.

There may be high CPU or/and latency in CIFS/SMB connections.

The ROUTED process may unexpectedly exit when querying BGP data.

UPDATE: Added a new command "use_crl_for_revocation_method" which allows setting revocation method back to CRL when OCSP Server is unreachable. Refer to sk179434.

Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705.

Adding a Security Gateway Module (SGM) to a Security Group may cause the Security Gateway crash when Link Selection is enabled in Load Sharing mode.

When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources.

The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart.

In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121.

UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode.

A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation.

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481.

Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command.

The VSX Provisioning Tool may unexpectedly exit when adding a new virtual device.

The "Primary Slave" configuration in a Bond (MAGG) interface may not be applied to a Security Group. Refer to sk178765.

UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653.

The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS).

A user locked by the deny-on-nonuse mechanism cannot get unlocked.

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways.

Added Take 19 of Public Cloud CA Bundle. Refer to sk172188.

In a VSX setup that includes members only in Site 2, asg monitoring commands (such as asg stat vs all) may incorrectly present Chassis 2 state as "N/A".

Threat Prevention policy cannot be installed on R80.40 and lower Security Gateways when using a Security Zone object in the "Source" column. Refer to sk177605.

UPDATE: Management API performance improvements:

• When moving a rule, the "set-access-rule" command is now up to 15 times faster.

• When using a rule name, the "set-access-rule" command is now twice as fast.

When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway.

An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode.

In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab.

When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Gateway was completed successfully.

An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue.

Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224.

In a rare scenario, the FWM process may unexpectedly exit and create a core dump.

In some scenarios, the Hit Count column on the NAT policy shows zero hits on all rules, even though there are hits.

Upon policy installation, Security Gateways may not receive changes made in the Service Based Link Selection configuration file $FWDIR/conf/vpn_service_based_routing.conf as per instructions of sk56384. Refer to sk179699.

Login to Domain via Management API using FQDN as the Domain parameter may fail with the "Domain not found" error.

The flag "--method" for a CME command is not supported in SmartConsole Command Line.

In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144.

After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated.

UPDATE: The local logging test will no longer run on the "asg_perf_hogs" utility, as it has its HCP (HealthCheck Point) test. Refer to sk171436.

When running the "cp_log_export filter-blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start.

An error may occur when changing Default Time Frame while the SmartView language is not English.

In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches.

When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells.

UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750).

It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672.

The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options.

There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server.

There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs.

The Security Gateway may crash during PM Stats collection.

An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump.

During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency.

UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096.

Improved memory consumption by decreasing the size of the mal_conns table.

In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)".

• The /var/log/messages directory may be flooded with "appi_app_db_get_kattrib_info: attribs hash does not exist" messages.

• A Security Gateway may be slow or unresponsive.

Refer to sk178406.

In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP in other reports.

• Downloading or opening the packet capture file from the Anti-Bot log entries may fail with a "File fetching is still in progress" message.

• When opening the capture file link in the log entry in SmartConsole, the "Failed getting the incident file from the gateway. It may be expired" error is shown.

Login to Mobile Access Citrix application may fail.

In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash.

UPDATE: Added support for the "Same VMAC" feature.

In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members.

When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member.

UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds.

A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode.

When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file.

In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536.

There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled.

Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure.

UPDATE: Added verification to prevent adding a bridge to a Virtual Router (VR) via the vsx_provisioning tool.

Policy installation may fail after resetting a Security Geteway and restoring a VSX cluster member backup.

When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version.

CoreXL instances of SND type may appear in CPView as "OTHER" and not as "CoreXL_SND".

The FWM process may unexpectedly exit after using the VSX Provisioning tool.

When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file.

In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby.

When creating a virtual system, the "Failed to create Virtual System directories" error is displayed.

In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash.

Improved packet rate performance on warp interfaces.

UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters.

UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970.

The CONFD process may unexpectedly exit and generate a core dump file.

When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful.

The /var/log/messages file may be flooded with "failed to update arp table file" messages.

When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments".

NEW: Added a new tab for VoIP monitoring in CPView.

The Security Gateway may crash when running UDP and TCP SIP traffic.

UPDATE: Added ability to change CIN interface IP ranges. Refer to sk179028.

Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic.

The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10.

The ROUTED process may unexpectedly exit when OSPF is configured as P2P.

A cluster member may fail to perform Full Sync and remain in Down state with FULLSYNC PNOTE.

Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436.

UPDATE: Additional improvements to Access Policy installation time.

After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084.

Accelerated Install Policy may fail with the verification error: "Rule-name has security zone objects that are not attached to any interface used in Cluster-name ", when the rule contains Security Zone and the install-on target is a cluster.

When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile.

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy from the Security Management Server to the Security Gateway.

The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410.

Viewing sessions in SmartConsole may fail with an "Error retrieving results" message while importing a Domain.

Install Policy preset fails if the Threat Prevention policy was uninstalled.

After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted.

Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background.

UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain.

In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly.

There may be an incorrect error message related to MakeConnection method.

On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled.

Refer to sk105740.

UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory used. The change is only cosmetic.

When using the DAIP Gateway object in the Access Rulebase, debug error "fwdnd_log_info_lookup failed" may appear in the fwk.elglog, if the relevant rule has log track. Refer to sk178670.

In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.

In some scenarios, file download may fail with the "Connection queue exceeded max size" error.

In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy.

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout.

In very rare scenarios, a traffic outage may occur.

In some scenarios, an "[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL" message may be printed in the /var/log/messages file.

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby.

Local connection from the Management interface on a non-standard port (e.g. 8000) may fail.

When moving a cluster from Unicast to Multicast LS, Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic lost.

UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces will not use the alias IP address as the local IP address of the tunnel.

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments.

When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field.

UPDATE: When resetting SIC for a specific Virtual System (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.

There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via clish is deleted without validation.

Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344.

NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN info (interface creation, IP, MTU, comments, state).

When loading a configuration file to the new Security Gateway, VLAN interfaces may not be added to the bridge as expected.

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway.

In some scenarios, mapping of AWS Data Centers may take a long time to complete.

After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources.

Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

During policy installation, the state of the Single Management Object (SMO) may not be stable.

On Scalable platform Chassis in VSX mode, when adding a new member to Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error.

When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647.

In some scenarios, CPView shows the SNMP data partially.

Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.

Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144.

The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty.

In rare scenarios, the "show-changes" and "show-sessions" Management API commands may fail.

When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

In rare scenarios, a "Create Domain", "Delete Domain" or "Delete Domain Server" task can be stuck at 5% with the "Task in queue" status.

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

When working with End Point Cloud, the License tab under "Gateways and Servers" in SmartConsole may show "Certificate error: CertAuthorityInvalid".

Policy installation on R81 (and below) Gateways may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725.

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

The mgmt_cli tool (API) with certificate login may not work.

UPDATE: SmartView reports will now show the new Check Point logo.

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log.

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

In a rare scenario, the Security Management Server does not automatically delete older log files.Refer to sk177627.

In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.

UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.

UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127.

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

Matched rules on Inline layer may appear as the "Accept'"/ "Drop" action instead of "Inline".

When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics".

In a rare scenario, DNS connection may be dropped with a "up_manager_cmi_handler_match_cb: connection not found" message.

• On 2200 appliances, the CPD process may unexpectedly exit because of sensor read failure.
• Sensor table values for 3600, 3600T, 3800, 6200B, 6200P, 6200T, 6400, 6600, 6700, 6900, 7000, 600-S are incorrect.

It may not be possible to use the Office 365 Tenant Restrictions feature when ICAP client is enabled.

Policy installation may fail when there is a heavy load on memory on the Security Gateway.

The Security Gateway may crash during policy installation due to memory allocation problems.

Improved Gateway internal memory allocation logic.

IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors.

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space.

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

Memory usage may be high for the pdpd process in a scenario, related to Identity Awareness nested groups in state 2 and 4.

In a rare scenario, when URL Filtering blade is active, in Website categorization background mode, the FWK process crashes and creates a core dump.

When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated.

In a rare scenario, the DLP process may not delete temporary files used for scanning.

UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2.

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

When HTTPS Inspection is enabled, and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.

In a rare scenario, the WSTLSD process may unexpectedly exit while validating signatures of sites with improper certificate chains.

Connections may hang and reach a timeout during browsing if the number of WSTLSD instances is reduced through configuration settings.

In rare scenarios, the WSTLSD daemon may unexpectedly restart.

MAB Guacamole-based clientless RDP/SSH connections, when closed prematurely, may cause the GuacProxy process to consume 100% CPU.

A cluster failover may take longer than it should.

Multicast packets may be dropped after policy installation.

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

The "fwaccel dos rate add" command may fail with the "Another fwaccel command is already in progress" error.

In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order.

The ROUTED daemon may unexpectedly exit with core dump when some interfaces lose connection with the PIM router.

Improved VPN interoperability.

In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment.

In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.

Enhanced stability of Site-to-Site VPN with interoperable devices.

Added VPN improvements for IKEv2 SA re-key.

Newly defined ROBO Gateways cannot connect until policy installation.

Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP IP which was configured before and had a connection from the DAIP Encryption Domain.

IKEv2 Improvements for DAIP Gateway behind Hide NAT.

A memory leak may occur in the VPND process when using remote Access Back Connection.

A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured.

In ike_sa_table there may be an entry with an IP address and not with a DAIP ID.

UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database.